Commit Graph

12522 Commits (6c51e0fd0dd2ef725765835e8657e514d5448634)

Author SHA1 Message Date
jvazquez-r7 77c128fbc5 Fix disclosure date and add ref 2014-03-18 16:21:44 -05:00
jvazquez-r7 b6e8bb62bb Switch exploitation technique to use default available classes 2014-03-18 16:07:50 -05:00
William Vu dfd3a81566 Land #3111, hash rockets shouldn't be in refs 2014-03-18 14:25:04 -05:00
jvazquez-r7 38176ad67d Land #3109, @xistence's Loadbalancer.org Enterprise VA appliance exploit 2014-03-18 06:53:26 -05:00
jvazquez-r7 ddd923793a Do minor clean up 2014-03-18 06:52:50 -05:00
jvazquez-r7 ad49df4301 Register RHOST 2014-03-18 06:17:41 -05:00
jvazquez-r7 600338bd29 Land #3108, @xistence's exploit for Quantum vmPRO shell-escape 2014-03-18 06:12:18 -05:00
jvazquez-r7 f656e5fedb Do minor clean up 2014-03-18 06:11:02 -05:00
jvazquez-r7 f86fd8af5d Delete debug print 2014-03-17 21:01:41 -05:00
jvazquez-r7 3bdd906aae Add module for CVE-2014-1691 2014-03-17 20:47:45 -05:00
Tod Beardsley 8f2124f5da
Minor updates for release
Fixes some title/desc action.
Adds a print_status on the firefox module so it's not just silent.
Avoids the use of "puts" in the description b/c this freaks out msftidy
(it's a false positive but easily worked around).
2014-03-17 13:26:26 -05:00
Tod Beardsley c916b62f47
Removes hash rockets from references.
[SeeRM #8776]
2014-03-17 09:40:32 -05:00
xistence 9bb4e5cfc3 Loadbalancer.org Enterprise VA SSH privkey exposure 2014-03-17 14:22:51 +07:00
xistence c116697c70 Quantum vmPRO backdoor command 2014-03-17 14:19:27 +07:00
xistence ef4a019b20 Quantum DXi V1000 SSH private key exposure 2014-03-17 14:15:00 +07:00
xistence e261975c34 Array Networks vxAG and vAPV SSH key and privesc 2014-03-17 14:11:16 +07:00
xistence 1043d9d8b2 Array Networks vxAG and vAPV SSH key and privesc 2014-03-17 14:06:55 +07:00
Daniel Miller 0b6a890137 Fix missing require in reverse_powershell
When initializing the db:

/opt/metasploit-framework/modules/payloads/singles/cmd/windows/reverse_powershell.rb:34:in `initialize': uninitialized constant Msf::Handler::ReverseTcp (NameError)
    from /opt/metasploit-framework/lib/msf/core/payload_set.rb:198:in `new'
    from /opt/metasploit-framework/lib/msf/core/payload_set.rb:198:in `add_module'
    from /opt/metasploit-framework/lib/msf/core/module_manager/loading.rb:72:in `on_module_load'
    from /opt/metasploit-framework/lib/msf/core/modules/loader/base.rb:207:in `load_module'
    from /opt/metasploit-framework/lib/msf/core/modules/loader/base.rb:271:in `block in load_modules'
    from /opt/metasploit-framework/lib/msf/core/modules/loader/directory.rb:58:in `block (2 levels) in each_module_reference_name'
    from /opt/metasploit-framework/lib/rex/file.rb:127:in `block in find'
    from /opt/metasploit-framework/lib/rex/file.rb:126:in `catch'
    from /opt/metasploit-framework/lib/rex/file.rb:126:in `find'
    from /opt/metasploit-framework/lib/msf/core/modules/loader/directory.rb:45:in `block in each_module_reference_name'
    from /opt/metasploit-framework/lib/msf/core/modules/loader/directory.rb:29:in `foreach'
    from /opt/metasploit-framework/lib/msf/core/modules/loader/directory.rb:29:in `each_module_reference_name'
    from /opt/metasploit-framework/lib/msf/core/modules/loader/base.rb:264:in `load_modules'
    from /opt/metasploit-framework/lib/msf/core/module_manager/loading.rb:118:in `block in load_modules'
    from /opt/metasploit-framework/lib/msf/core/module_manager/loading.rb:116:in `each'
    from /opt/metasploit-framework/lib/msf/core/module_manager/loading.rb:116:in `load_modules'
    from /opt/metasploit-framework/lib/msf/core/module_manager/module_paths.rb:56:in `block in add_module_path'
    from /opt/metasploit-framework/lib/msf/core/module_manager/module_paths.rb:55:in `each'
    from /opt/metasploit-framework/lib/msf/core/module_manager/module_paths.rb:55:in `add_module_path'
    from /opt/metasploit-framework/lib/msf/base/simple/framework/module_paths.rb:14:in `init_module_paths'
    from /opt/metasploit-framework/lib/msf/ui/console/driver.rb:228:in `initialize'
    from /opt/metasploit-framework/msfconsole:148:in `new'
    from /opt/metasploit-framework/msfconsole:148:in `<main>'
2014-03-14 19:28:00 +00:00
David Maloney da0c37cee2 Land #2684, Meatballs PSExec refactor 2014-03-14 13:01:20 -05:00
Brandon Perry a01dd48640 a bit better error message if injection works but no file 2014-03-13 13:38:43 -07:00
Brandon Perry b0688e0fca clarify LOAD_FILE perms in description 2014-03-13 13:11:27 -07:00
sinn3r 243fa4f56a Land #2910 - MPlayer Lite M3U Buffer Overflow 2014-03-13 14:13:17 -05:00
sinn3r e832be9eeb Update description and change ranking
The exploit requires the targeted user to open the malicious in
specific ways.
2014-03-13 14:09:37 -05:00
sinn3r 6e37493471 Land #3091 - native shellcode payloads from a FF privileged js shell 2014-03-13 13:36:37 -05:00
Michael Messner 8db5d854c2 typo, null terminator 2014-03-13 18:38:27 +01:00
Joe Vennix 952b50f8c1 Add priv escalation mixin to the firefox local exploit. 2014-03-13 11:49:44 -05:00
Brandon Perry 2734b89062 update normalize_uri calls 2014-03-13 06:55:15 -07:00
William Vu 5aad8f2dc3 Land #3088, SNMP timestamp elements fix 2014-03-13 02:22:14 -05:00
Brandon Perry 7540dd83eb randomize markers 2014-03-12 20:11:55 -05:00
Brandon Perry 3fedafb530 whoops, extra char 2014-03-12 19:54:58 -05:00
Brandon Perry aa00a5d550 check method 2014-03-12 19:47:39 -05:00
Michael Messner f39e784d19 mipsle execve payload 2014-03-12 21:08:40 +01:00
Brandon Perry 9cb1c1a726 whoops, typoed the markers 2014-03-12 10:58:34 -07:00
Brandon Perry 6636d43dc5 initial module 2014-03-12 10:46:56 -07:00
Tod Beardsley 206660ddde
Recreate the intent of cfebdae from @parzamendi-r7
The idea was to rescue on a NoReply instead of just fail, and was part
of a fix in #2656.

[SeeRM #8730]
2014-03-11 14:30:01 -05:00
sho-luv f7af9780dc
Rescue InvalidWordCount error
This is a cherry-pick of commit ea86da2 from PR #2656
2014-03-11 14:17:36 -05:00
William Vu 517f264000 Add last chunk of fixes 2014-03-11 12:46:44 -05:00
James Lee f51ee2d6b4
snmp_enum: Treat missing timestamp elements as 0
Timestamps don't always have all the elements we expect. This treats
them as zeroes to ensure that we don't raise silly exceptions in that
case.
2014-03-11 12:44:07 -05:00
William Vu 25ebb05093 Add next chunk of fixes
Going roughly a third at a time.
2014-03-11 12:23:59 -05:00
William Vu 170608e97b Fix first chunk of msftidy "bad char" errors
There needs to be a better way to go about preventing/fixing these.
2014-03-11 11:18:54 -05:00
OJ 3ea3968d88
Merge branch 'upstream/master' into stop_abusing_expand_path
Conflicts:
	lib/msf/core/post/windows/shadowcopy.rb
	modules/exploits/windows/local/bypassuac.rb
	modules/post/windows/gather/wmic_command.rb
	modules/post/windows/manage/persistence.rb
2014-03-11 23:13:39 +10:00
joev 46c11ea2eb Small fixes to m-1-k-3's mipsle reboot shellcode. 2014-03-10 17:17:23 -05:00
joev 7da54eb9cf
Merge branch 'landing-3041' into upstream-master
Lands PR #3041, @m-1-k-3's reboot shellcode.
2014-03-10 17:11:06 -05:00
Tod Beardsley 2086224a4c Minor fixes. Includes a test module. 2014-03-10 14:49:45 -05:00
Tod Beardsley 26be236896 Pass MSFTidy please 2014-03-10 14:45:56 -05:00
jvazquez-r7 8cfa5679f2 More nick instead of name 2014-03-10 16:12:44 +01:00
jvazquez-r7 bc8590dbb9 Change DoS module location 2014-03-10 16:12:20 +01:00
jvazquez-r7 1061036cb9 Use nick instead of name 2014-03-10 16:11:58 +01:00
Tod Beardsley 5485028501
Add 3 Yokogawa SCADA vulns
These represent our part for public disclosure of the issues listed
here:

http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf

Yokogawa is calling these YSAR-14-0001E, and I think that they map
thusly:

YSAR-14-0001E Vulnerability 1 :: R7-2013-19.1
YSAR-14-0001E Vulnerability 2 :: R7-2013-19.3
YSAR-14-0001E Vulnerability 3 :: R7-2013-19.4

@jvazquez-r7 if you could confirm, I'd be delighted to land these and
get your disclosure blog post published at:

https://community.rapid7.com/community/metasploit/blog/2014/03/10/yokogawa-centum-cs3000-vulnerabilities

Thanks for all the work on these!
2014-03-10 09:33:54 -05:00
sinn3r e32ff7c775 Land #3077 - Allow TFTP server to take a host/port argument 2014-03-08 00:58:52 -06:00
Tod Beardsley 151e2287b8 OptPath, not OptString. 2014-03-07 10:52:45 -06:00
Tod Beardsley 5cf1f0ce4d
Since dirs are required, server will send/recv
This does change some of the meaning of the required-ness of the
directories. Before, if you wanted to serve files, but not receive any,
you would just fail to set an OUTPUTPATH.

Now, since both are required, users are required to both send and
receive. This seems okay, you can always just set two different
locations and point the one you don't want at /dev/null or something.
2014-03-07 10:49:11 -06:00
Tod Beardsley 37fa4a73a1
Make the path options required and use /tmp
Otherwise it's impossible to run this module without setting the options
which were not otherwise validated anyway.
2014-03-07 10:41:18 -06:00
sinn3r c76a1ab9f4 Land #3065 - Safari User-Assisted Download & Run Attack 2014-03-07 10:29:56 -06:00
Spencer McIntyre ebee365fce Land #2742, report_vuln for MongoDB no auth 2014-03-06 19:34:45 -05:00
Spencer McIntyre 84f280d74f Use a more descriptive MongoDB vulnerability title 2014-03-06 19:20:52 -05:00
Tod Beardsley 8a0531650c
Allow TFTP server to take a host/port argument
Otherwise you will tend to listen on your default ipv6 'any' address and
bound to udp6 port 69, assuming you haven't bothered to disable your
automatically-enabled ipv6 stack.

This is almost never correct.
2014-03-06 16:13:20 -06:00
Joe Vennix 9638bc7061 Allow a custom .app bundle.
* adds a method to Rex::Zip::Archive to allow recursive packing
2014-03-06 16:11:30 -06:00
Joe Vennix 5abb442757 Adds more descriptive explanation of 10.8+ settings. 2014-03-06 15:15:27 -06:00
Joe Vennix 43d315abd5 Hardcode the platform in the safari exploit. 2014-03-06 13:04:47 -06:00
Brendan Coles df2bdad4f9 Include 'msf/core/exploit/powershell'
Prevent:

```
[-] 	/pentest/exploit/metasploit-framework/modules/exploits/windows/misc/hp_dataprotector_exec_bar.rb: NameError uninitialized constant Msf::Exploit::Powershell
```
2014-03-06 12:57:43 +11:00
Joe Vennix 38a2e6e436 Minor fixes. 2014-03-05 19:03:54 -06:00
Joe Vennix dca807abe9 Tweaks for BES. 2014-03-05 19:00:15 -06:00
Joe Vennix 12cf5a5138 Add BES, change extra_plist -> plist_extra. 2014-03-05 18:51:42 -06:00
sinn3r 9d0743ae85 Land #3030 - SolidWorks Workgroup PDM 2014 pdmwService.exe Arbitrary File Write 2014-03-05 16:34:54 -06:00
bcoles 1ea35887db Add OSVDB reference 2014-03-06 01:40:15 +10:30
jvazquez-r7 4e9350a82b Add module for ZDI-14-008 2014-03-05 03:25:13 -06:00
Joe Vennix cd3c2f9979 Move osx-app format to EXE. 2014-03-04 22:54:00 -06:00
OJ a1aef92652 Land #2431 - In-memory bypass uac 2014-03-05 11:15:54 +10:00
sinn3r 7cb6e7e261 Land #3057 - MantisBT Admin SQL Injection Arbitrary File Read 2014-03-04 17:52:29 -06:00
sinn3r f0e97207b7 Fix email format 2014-03-04 17:51:24 -06:00
Joe Vennix 32c27f6be0 Tweak timeouts. 2014-03-04 17:16:23 -06:00
Joe Vennix 40047f01d3 Adds Safari User Assisted download launch module. 2014-03-04 17:02:51 -06:00
sinn3r caaa419ef8 Land #3054 - Fix crash in osx/x64/exec on 10.9 Mavericks 2014-03-04 15:24:02 -06:00
Brandon Perry c86764d414 update default password to root 2014-03-04 11:55:30 -08:00
Brandon Perry 2b06791ea6 updates regarding PR comments 2014-03-04 10:08:31 -08:00
William Vu e30238fe0d Land #3062, unused arg fix for vmware_mount 2014-03-04 11:37:41 -06:00
James Lee 68205fa43c Actually use the argument 2014-03-04 11:30:42 -06:00
sinn3r f8310b86d1 Land #3059 - ALLPlayer M3U Buffer Overflow 2014-03-04 11:29:52 -06:00
David Maloney db76962b4a
Land #2764, WMIC Post Mixin changes
lands Meatballs WMIC changes
2014-03-04 10:21:46 -06:00
Brandon Perry a3523bdcb9 Update mantisbt_admin_sqli.rb
remove extra new line and fix author line
2014-03-04 08:44:53 -06:00
OJ f0868c35bf Land #3050 - Fix tainted perl payloads 2014-03-04 10:05:47 +10:00
sgabe 408fedef93 Add module for OSVDB-98283 2014-03-04 00:51:01 +01:00
Meatballs 32d83887d3 Merge remote-tracking branch 'upstream/master' into wmic_post 2014-03-03 21:56:31 +00:00
Brandon Perry 98b59c4103 update desc 2014-03-03 12:40:58 -08:00
Brandon Perry c5d1071456 add mantisbt aux module 2014-03-03 12:36:38 -08:00
Tod Beardsley de6be50d64 Minor cleanup and finger-wagging about a for loop 2014-03-03 14:12:22 -06:00
Joe Vennix 6a02a2e3b3 NULL out envp pointer before execve call.
This was causing a crash on 10.9.
2014-03-03 08:56:52 -06:00
Sagi Shahar 8c4b663643 Fix payloads to bypass Perl's Taint mode. 2014-03-02 18:39:05 +02:00
bcoles f008c77f26 Write payload to startup for Vista+ 2014-03-02 18:10:10 +10:30
Meatballs 63751c1d1a Small msftidies 2014-02-28 22:18:59 +00:00
David Maloney 42a730745e Land #2418, Use meterpreter hostname resolution 2014-02-28 14:45:39 -06:00
sinn3r ac446d3b3f Land #3043 - randomization for Rex::Zip::Jar and java_signed_applet 2014-02-28 14:10:55 -06:00
David Maloney e99e668a12 Merge branch 'master' of github.com:rapid7/metasploit-framework 2014-02-28 10:12:03 -06:00
David Maloney 2b5e4bea2b Landing Pull Request 3003 2014-02-28 10:10:12 -06:00
William Vu fd1586ee6a
Land #2515, plaintext creds fix for John
[FixRM #8481]
2014-02-28 09:53:47 -06:00
OJ 7117d50fa4 Land #3028 - bypassuac revamp 2014-02-28 09:12:02 +10:00
William Vu 1a053909dc Land #3044, chargen_probe reported service fix 2014-02-27 14:33:06 -06:00
sinn3r f531d61255 Land #3036 - Total Video Player buffer overflow 2014-02-27 14:28:53 -06:00
sinn3r 7625dc4880 Fix syntax error due to the missing , 2014-02-27 14:25:52 -06:00