Commit Graph

9014 Commits (6c319469959f32ad4c542874de38e665db85622b)

Author SHA1 Message Date
Louis Sato 9a0f0a7843
Land #6142, uptime refactor 2015-11-12 16:58:55 -06:00
wchen-r7 ee25cb88b5
Land #6196, vBulletin 5.1.2 Unserialize Code Execution 2015-11-12 14:38:39 -06:00
wchen-r7 6077617bfd rm res var name
the res variable isn't used
2015-11-12 14:37:47 -06:00
wchen-r7 199ed9ed25 Move vbulletin_unserialize.rb to exploits/multi/http/
According to @all3g, this works on Windows too, so we will move
this to multi/http.
2015-11-12 14:36:01 -06:00
JT a0351133a6 Add more references to this exploit
Adding exploit-db doc about China Chopper webshell and details about this webshell in US-CERT.
2015-11-11 09:51:05 +08:00
HD Moore f86f427d54 Move Compat into Payload so that is actually used 2015-11-09 16:06:05 -06:00
jvoisin e2678af0fe The modules now works on 5.1.X and 5.0.X
- Added automatic targeting
- Added support for 5.0.X
2015-11-07 14:28:25 +01:00
wchen-r7 0cc8165b52 And I forgot to rm the test line 2015-11-06 18:11:27 -06:00
wchen-r7 8f2a716306 I don't really need to override fail_with 2015-11-06 18:11:08 -06:00
wchen-r7 0213da3810 Handle more NilClass bugs 2015-11-06 18:08:51 -06:00
Jon Hart 43229c16e7
Correct some authors with unbalanced angle brackets 2015-11-06 13:24:58 -08:00
William Vu 2df149b0a5
Land #6189, extraneous Content-Length fix 2015-11-06 14:36:40 -06:00
William Vu 3cae7999aa Prefer ctype over headers['Content-Type'] 2015-11-06 14:36:21 -06:00
wchen-r7 f957acf9ba Fix Framework Rspec Failure
Needs to do:
include Msf::Exploit::Remote::HTTP::Wordpress
2015-11-06 13:56:05 -06:00
wchen-r7 fb9a40f15c
Land #6103, Add WordPress Plugin Ajax Load More Auth File Upload Vuln 2015-11-06 13:18:48 -06:00
wchen-r7 73f630b25a Note default.php 2015-11-06 13:18:24 -06:00
jvoisin f93f3397ec Fix some mistakes pointed by @wchen-r7 2015-11-06 19:35:22 +01:00
jvoisin c540ca763c Add the EDB id 2015-11-06 17:21:28 +01:00
jvoisin 7998955b46 The double-quote character is a badchar 2015-11-06 16:43:53 +01:00
jvoisin 30e7a35452 Add the possibility to target non-default path 2015-11-06 15:33:30 +01:00
jvoisin bb0e64e541 Implement a module for the recent vBulletin RCE
This module implements the recent unserialize-powered RCE against
vBulletin 5.1.X

Step to reproduce:

1. Install vBulletin 5.1.X
2. Launch the exploit against it

```
msf exploit(vbulletin_unserialize) > check
[*] 192.168.1.25:80 - The target appears to be vulnerable.
msf exploit(vbulletin_unserialize) >
```

```
msf exploit(vbulletin) > run

[*] Started reverse handler on 192.168.1.11:4444
[*] Sending stage (33068 bytes) to 192.168.1.25
[*] Meterpreter session 1 opened (192.168.1.11:4444 -> 192.168.1.25:49642) at 2015-11-06 14:04:46 +0100

meterpreter > getuid
Server username: www-data (33)
```
2015-11-06 14:59:25 +01:00
wchen-r7 46fac897bd
Land #6144, China Chopper Web Shell (Backdoor) module 2015-11-05 18:29:36 -06:00
wchen-r7 ea22583ed1 Update title and description 2015-11-05 18:29:03 -06:00
wchen-r7 27be832c4c remove the fail_with because it's always triggering anyway 2015-11-05 18:19:46 -06:00
dmohanty-r7 a71d7ae2ae
Land #6089, @jvazquez-r7 Fix HTTP mixins namespaces 2015-11-05 16:56:41 -06:00
wchen-r7 038cb66937 Use the right module path 2015-11-05 16:16:46 -06:00
Brent Cook ee6d6258a5
Land #6180, add PSH as a target for psexec directly, implement autodetect 2015-11-05 10:38:50 -06:00
pyllyukko 4390fda513
Remove extra Content-Length HTTP header
The send_request_raw already sets the header and if it's set also in the
module, Metasploit sends the header twice.
2015-11-05 14:38:06 +02:00
William Vu 862dff964a Integrate psexec_psh into psexec 2015-11-04 17:31:33 -06:00
nixawk 109e9b6b6e remove debug info - require 'pry' 2015-11-03 06:52:11 +00:00
nixawk 46fe0c0899 base64 for evasion purposes 2015-11-03 06:42:52 +00:00
nixawk 6c16d2a1ca caidao's exploit module 2015-11-02 08:54:18 +00:00
William Vu 6a01efa394 Deprecate psexec_psh 2015-10-30 17:41:58 -05:00
Louis Sato 2bd792f693
remove .rb file extension 2015-10-30 15:26:45 -05:00
wchen-r7 82e600a53a Suggest the correct replacement for the deprecated module
The deprecated module has been suggesting the wrong replacement,
it should be exploits/multi/browser/adobe_flash_pixel_bender_bof.rb
2015-10-29 16:24:29 -05:00
Louis Sato 57304a30a8
Land #6139, remove bad ref links 2015-10-29 16:00:43 -05:00
wchen-r7 95920b7ff6 Bring back more working links 2015-10-29 15:57:16 -05:00
wchen-r7 da52c36687 Put back some links 2015-10-29 15:48:47 -05:00
nixawk faf9be811a delete caidao_php_backdoor_exec from exploits 2015-10-29 02:18:30 +00:00
nixawk bc02993567 chinese caidao php backdoor command execution 2015-10-28 16:43:58 +00:00
wchen-r7 8757743821 Update description 2015-10-27 17:39:11 -05:00
wchen-r7 cfe9748962 Deprecate exploits/multi/http/uptime_file_upload
Please use uptime_file_upload_1.rb
2015-10-27 17:36:54 -05:00
wchen-r7 0c648eb210 Move to modules/exploits/multi/http/uptime_file_upload_2
This exploit is rather similiar to uptime_file_upload.rb, because
they both abuse post2file to upload. The difference is that this
module requires a priv escalation to be able to upload, and the
other one doesn't.
2015-10-27 17:31:31 -05:00
wchen-r7 592fdef93d Update uptime_code_exec 2015-10-27 17:29:55 -05:00
wchen-r7 5b86d2ef95 Fix #6133, update description, authors and references
Fix #6133

Thank you @japp-0xlabs
2015-10-27 14:38:18 -05:00
wchen-r7 154fb585f4 Remove bad references (dead links)
These links are no longer available. They are dead links.
2015-10-27 12:41:32 -05:00
William Vu 74353686a3
Land #6136, rescue SMB error for psexec 2015-10-27 09:31:37 -05:00
jvazquez-r7 b2e3ce1f8a
Allow to finish when deletion fails 2015-10-26 16:40:36 -05:00
wchen-r7 9adfd296a0
Land #6128, Th3 MMA mma.php Backdoor Arbitrary File Upload 2015-10-26 15:26:06 -05:00
wchen-r7 0d9ebe13a1 Modify check 2015-10-26 15:25:38 -05:00