Commit Graph

8124 Commits (6d5bcb93a8629bc3d4fcdeada30e54d2c937ed20)

Author SHA1 Message Date
Jay Smith e40772efe2
Fixed open device issue for non-priv users
Fixed the open_device call to work for users without Administrator
privileges
2015-02-18 12:44:58 -05:00
joev f8609ab0ba Add file format exploit for injecting code into unpackers. 2015-02-18 11:26:45 -06:00
sinn3r 6acbe64dbd The MSB reference in the title is wrong
It should be MS13-022.

MS12-022 is MSFT Expression Design.
2015-02-17 14:56:14 -06:00
William Vu be5a0ee9c2
Land #4777, @todb-r7's release fixes 2015-02-17 13:45:00 -06:00
sinn3r b90639fd66
Land #4726, X360 Software actvx buffer overflow 2015-02-17 11:41:23 -06:00
Matthew Hall 666b8e3e72 Add timeout to connection handler 2015-02-17 17:27:03 +00:00
Matthew Hall 728cfafe4d cleanups 2015-02-17 17:27:03 +00:00
Matthew Hall e4bab60007 Generic HTTP DLL Injection Exploit Module
This is an example implementation of using the
Msf::Exploit::Remote::SMBFileServer module to perform
arbitrary DLL injection over SMB.
2015-02-17 17:27:03 +00:00
Matthew Hall c86caacf95 Merge branch 'master' into module-exploitsmbdllserver
Conflicts:
	lib/msf/core/exploit/smb.rb
2015-02-17 17:16:09 +00:00
Matthew Hall 9f04e3bcf0 Merge branch 'master' into hp_dataprotector_dll_cmd_exec 2015-02-17 17:06:40 +00:00
Matthew Hall afca27dae5 Merge branch 'master' into cve-2014-0094 2015-02-17 17:06:21 +00:00
Brent Cook e08206d192
Land #4768, jvazquez-r7 reorganizes the SMB mixins 2015-02-17 10:36:19 -06:00
Tod Beardsley 6370c99755
Avoid version numbers in titles 2015-02-17 10:28:56 -06:00
Tod Beardsley 62a679ebb8
Avoid version numbers in titles
Usually, the versions are more of a range, and nearly always, the module
author never truly knows where the ranges are bounded. It's okay to
clarify in the description.
2015-02-17 10:26:40 -06:00
sinn3r 0597d2defb
Land #4560, Massive Java RMI update 2015-02-17 10:07:07 -06:00
rastating 40c92f5fe3 Add URL reference 2015-02-14 13:09:37 +00:00
rastating 4dce589bbe Add WordPress Holding Pattern file upload module 2015-02-14 12:54:03 +00:00
jvazquez-r7 0372b08d83 Fix mixin usage on modules 2015-02-13 17:17:59 -06:00
sinn3r b197b98ab9
Land #4759, fix ms09_067_excel_featheader 2015-02-13 13:25:15 -06:00
jvazquez-r7 3ae3d56caa
Land #4745, fixes #4711, BrowserAutoPwn failing due to getpeername 2015-02-12 16:51:09 -06:00
jvazquez-r7 92422c7b9a Save the output file on local_directory 2015-02-12 16:16:21 -06:00
Christian Mehlmauer 55f57e0b9b
Land #4746, WordPress photo-gallery exploit 2015-02-12 22:24:12 +01:00
Christian Mehlmauer bce7211f86
added url and randomize upload directory 2015-02-12 22:16:37 +01:00
sinn3r 05d2703a98 Explain why obfuscation is disabled 2015-02-12 14:00:01 -06:00
William Vu 9b10cd5655
Land #4755, @todb-r7's release fixes 2015-02-12 13:16:08 -06:00
Tod Beardsley c156ed62a9
on, not of. 2015-02-12 12:56:53 -06:00
Tod Beardsley e35f603888
Comma fascism 2015-02-12 12:49:45 -06:00
Tod Beardsley d89eda65fa
Moar fixes, thanks @wvu-r7
See #4755
2015-02-12 12:46:38 -06:00
Tod Beardsley e78d08e20d
Fix up titles, descriptions 2015-02-12 12:11:40 -06:00
sinn3r 50c72125a4 ::Errno::EINVAL, disable obfuscation, revoke ms14-064 2015-02-12 11:54:01 -06:00
jvazquez-r7 155651e187 Make filename shorter 2015-02-12 11:45:51 -06:00
jvazquez-r7 95bfe7a7de Do minor cleanup 2015-02-12 11:45:51 -06:00
rastating 30f310321d Added CVE reference 2015-02-12 11:45:51 -06:00
rastating 38ad960640 Add Maarch LetterBox file upload module 2015-02-12 11:45:51 -06:00
William Vu 309159d876
Land #4753, updated ms14_070_tcpip_ioctl info 2015-02-12 09:57:29 -06:00
Spencer McIntyre 8ab469d3bd Update ms14-070 module information and references 2015-02-12 09:51:01 -05:00
William Vu b894050bba Fix local/pxeexploit datastore 2015-02-11 12:19:56 -06:00
Brent Cook f99ef5c0f5 fix msftidy warnings about towelroot module 2015-02-11 11:17:44 -06:00
rastating cb1efa3edd Improved error handling, tidied up some code 2015-02-11 10:16:18 +00:00
rastating 80a086d5f6 Add WordPress Photo Gallery upload module 2015-02-11 01:03:51 +00:00
sinn3r d23c9b552f Trade MS12-004 for MS13-090 against Windows XP BrowserAutoPwn 2015-02-10 18:58:56 -06:00
jvazquez-r7 29c68ef1ec
End fixing namespaces 2015-02-10 11:55:14 -06:00
jvazquez-r7 1f4fdb5d18
Update from master 2015-02-10 10:47:17 -06:00
jvazquez-r7 5687028f09
Land #4671, @earthquake's exploit for achat buffer overflow 2015-02-09 17:50:09 -06:00
jvazquez-r7 6165d623ff
Change module filename 2015-02-09 17:39:55 -06:00
jvazquez-r7 eb0741d7a7
Modify reference 2015-02-09 17:39:18 -06:00
jvazquez-r7 86f3bcad11
Do minor cleanup 2015-02-09 17:33:05 -06:00
Balazs Bucsay ac6879cfe1 proper payload encoding from now on 2015-02-09 23:36:35 +01:00
Balazs Bucsay c7880ab4e1 hex strings related explanations 2015-02-09 23:21:38 +01:00
Balazs Bucsay 9891026d30 sleep changed to Rex::sleep 2015-02-09 22:33:41 +01:00
jvazquez-r7 81cad064ea
Land #4724, @wchen-r7's AllowWin32SEH's change on alpha encoders 2015-02-09 11:01:00 -06:00
Brent Cook af405eeb7d
Land #4287, @timwr's exploit form CVS-2014-3153 2015-02-09 10:33:14 -06:00
jvazquez-r7 831a1494ac Keep default behavior for modules forcing Msf::Encoder::Type::AlphanumUpper 2015-02-08 18:29:25 -06:00
jvazquez-r7 3e7e9ae99b Keep default behavior for modules forcing Msf::Encoder::Type::AlphanumMixed 2015-02-08 18:22:11 -06:00
Christian Mehlmauer 6d46182c2f
Land #4570, @rastating 's module for wp-easycart 2015-02-07 23:42:23 +01:00
Christian Mehlmauer f2b834cebe
remove check because the vuln is unpatched 2015-02-07 23:38:44 +01:00
Christian Mehlmauer d2421a2d75
wrong version 2015-02-07 23:34:19 +01:00
Christian Mehlmauer 56d2bc5adb
correct version number 2015-02-07 23:22:43 +01:00
rastating 345d5c5c08 Update version numbers to reflect latest release 2015-02-07 19:09:16 +00:00
jvazquez-r7 87775c6ee4 Fix description 2015-02-06 23:55:27 -06:00
jvazquez-r7 76387eebe0 Use File.open 2015-02-06 21:35:07 -06:00
jvazquez-r7 1ea4a326c1
Land #4656, @nanomebia's fixes for sugarcrm_unserialize_exec 2015-02-06 16:42:01 -06:00
jvazquez-r7 e511f72ab4 Delete final check
* A session is the best proof of success
2015-02-06 16:34:34 -06:00
jvazquez-r7 f6933ed02c Add module for EDB-35948 2015-02-06 11:05:29 -06:00
Tod Beardsley 036cb77dd0
Land #4709, fixed up some datastore mangling 2015-02-05 21:22:38 -06:00
Spencer McIntyre 4e0a62cb3a
Land #4664, MS14-070 Server 2003 tcpip.sys priv esc 2015-02-05 18:49:15 -05:00
Spencer McIntyre a359fe9acc Minor fixup on the ms14-070 module description 2015-02-05 18:41:58 -05:00
Spencer McIntyre dc13446536 Forgot to comment ret instruction 2015-02-05 14:09:01 -05:00
Spencer McIntyre 5a39ba32f6 Make the ret instruction for token stealing optional 2015-02-05 14:00:38 -05:00
Spencer McIntyre dabc163076 Modify the shellcode stub to save the process 2015-02-05 13:54:52 -05:00
Tod Beardsley c633c710bc
Mostly caps/grammar/spelling, GoodRanking on MBAM 2015-02-05 12:36:47 -06:00
William Vu b43522a2b8
Fix scadapro_cmdexe datastore 2015-02-05 02:54:03 -06:00
William Vu a12d1244b9
Fix zenworks_helplauncher_exec datastore 2015-02-05 02:53:47 -06:00
William Vu 148ffaf55f
Fix real_arcade_installerdlg datastore 2015-02-05 02:53:38 -06:00
William Vu a7156cf4a8
Fix zabbix_script_exec datastore 2015-02-05 02:53:22 -06:00
Spencer McIntyre aebf5056ac Dont compare a string to an integer 2015-02-04 16:55:43 -05:00
Tod Beardsley 47d4acd91d
Land #4605, Malwarebytes fake update exploit 2015-02-04 10:28:17 -06:00
jvazquez-r7 fbf32669c6 Use single quote 2015-02-04 09:47:27 -06:00
julianvilas de09559cc8 Change HTTP requests to succeed when going through HTTP proxies 2015-02-04 15:32:14 +01:00
jvazquez-r7 c366e7777d Delete ternary operators 2015-02-03 17:43:00 -06:00
jvazquez-r7 c0e1440572
Land #4685, @FireFart's module for Wordpress Platform Theme RCE 2015-02-03 17:35:59 -06:00
jvazquez-r7 28f303d431 Decrease timeout 2015-02-03 17:33:29 -06:00
jvazquez-r7 34717d166d Fix typo 2015-02-03 17:12:54 -06:00
jvazquez-r7 a1c157a4db
Land #4609, @h0ng10's module for Wordpress Pixabay Images PHP Code Upload 2015-02-03 17:01:32 -06:00
jvazquez-r7 eebee7c066 Do better session creation handling 2015-02-03 17:00:37 -06:00
jvazquez-r7 4ca4fd1be2 Allow to provide the traversal depth 2015-02-03 16:38:40 -06:00
jvazquez-r7 e62a5a4fff Make the calling payload code easier 2015-02-03 16:23:04 -06:00
jvazquez-r7 61cdb5dfc9 Change filename 2015-02-03 16:13:10 -06:00
jvazquez-r7 82be43ea58 Do minor cleanup 2015-02-03 16:07:27 -06:00
jvazquez-r7 82eeec0946 Delete comments 2015-02-03 15:25:52 -06:00
jvazquez-r7 52616a069a Add support for NTLMSSP 2015-02-03 15:25:02 -06:00
Tod Beardsley b5794db973
Spelling 2015-02-03 14:10:47 -06:00
Tod Beardsley edd5ec3b0d
Refactor and rename of @sgabe's module
Renamed because it's not just MBAM, and having malwarebytes in the name
is more memorable anyway.

This refactor's @sgabe's original module to prefer if/else over
unless/else, clearly labelling variables, and wrapping up discrete
functionality into specific methods, and adds an OSVDB and the original
discoverer's URL.
2015-02-03 14:08:25 -06:00
William Vu d5c61c01f5
Land #4694, uninit Rex::OLE fix 2015-02-02 05:33:40 -06:00
sinn3r 9112e70187 Fix #4693 - Uninit Rex::OLE in MS14-064 exploits
Fix #4693
2015-02-02 00:20:34 -06:00
jvazquez-r7 d211488e5d Add Initial version 2015-02-01 19:47:58 -06:00
Christian Mehlmauer 2c956c0a0f
add wordpress platform theme rce 2015-01-31 22:02:44 +01:00
Julian Vilas f983c8171e Modify description to match both Struts 1.x and 2.x versions 2015-01-30 12:35:38 +01:00
Julian Vilas 1a11ae4021 Add new references about Struts 1 2015-01-29 23:27:52 +01:00
Balazs Bucsay 64ab11c6ba Add Achat Beta v0.150 RCE for Win7/XPSP3 2015-01-29 23:20:31 +01:00
Julian Vilas 4cc5844baf Add Struts 1 support 2015-01-29 23:12:34 +01:00
Jay Smith 6c529f8f6b
Addressed feedback from @OJ and @zeroSteiner 2015-01-29 11:57:03 -05:00
Nanomebia d04fd3b978 Fixing Indentation
Small indentation fix
2015-01-29 13:03:19 +08:00
Jay Smith 064ca2d02e
Updated version checking 2015-01-28 18:25:30 -05:00
sinn3r 0f88d0ad75 Change print_* to vprint_*
According to our wiki doc, all print_* should be vprint_* for check()
2015-01-28 15:44:14 -06:00
James Lee 51764eb207
Add a check() for mssql_payload 2015-01-28 13:44:16 -06:00
Jay Smith 37c08128dc
Add in MS14-070 Priv Escalation for Windows 2003 2015-01-28 13:24:39 -05:00
Nanomebia af90c6482b Sanity Changes
Reverted failure behaviour on line 70
Removed a space that prevented line 98 from working as intended
2015-01-28 18:40:43 +08:00
Nanomebia 27c412341f Syntax Changes
Cleaned up this statement a tiny bit
2015-01-28 18:34:19 +08:00
Nanomebia fc3094ec9b Syntax changes
Fixed some more syntax - failures
2015-01-28 18:30:21 +08:00
Nanomebia 321eb452c5 Syntax Fixes
Fixed some or's to || - and's to &&.
Fixed failure if statement (fails using fail_with())
Fixed nested else (now and elsif)
Changed final execute logic - checks for success rather than failure.
2015-01-28 18:08:15 +08:00
Nanomebia fefc3d088c Cookie fix and success display
Added handling for if the server doesn't correctly assign a cookie using
Set-Cookie by changing the regex and doing an additional check.  Also
fixed the success display -  changed the if statement to match others in
this module and fixed the text output based on server response.
2015-01-28 17:11:05 +08:00
sinn3r bb9c961847 Change description a bit 2015-01-27 12:14:55 -06:00
sinn3r 2dedaee9ca Working version after the upgrade 2015-01-27 12:02:36 -06:00
Meatballs c9ca85fba8
Bail out as SYSTEM 2015-01-27 17:23:57 +00:00
Meatballs b7e9c69f72
Fix x64 injection 2015-01-27 16:34:06 +00:00
Meatballs 215a590940
Refactor and fixes for post module 2015-01-27 16:14:59 +00:00
Meatballs ea25869312
Refactor to common module 2015-01-27 10:47:02 +00:00
sinn3r 9e3388df34 Use BES for MS13-037 and default to ntdll 2015-01-27 00:18:36 -06:00
Tod Beardsley bae19405a7
Various grammar, spelling, word choice fixes 2015-01-26 11:00:07 -06:00
Meatballs 93537765d0
Add TODO 2015-01-26 15:59:22 +00:00
Meatballs 5ae65a723f
Initial 2015-01-26 15:57:52 +00:00
sinn3r f5916eba6d Move modules/exploits/windows/misc/psh_web_delivery.rb
This module was scheduled to be removed on 10/23/2014.
Please use exploit/multi/script/web_delivery instead.
2015-01-26 00:28:40 -06:00
sinn3r bbcc2eb07d Move modules/exploits/windows/misc/pxecploit.rb
This module was scheduled to be removed on 10/31/2014.
Please use exploits/windows/local/pxeexploit instead.
2015-01-26 00:25:02 -06:00
sgabe dbe5dd77e3 Enforce update to real versions 2015-01-25 10:53:14 +01:00
Gabor Seljan 2680e76e26 Remove wrong references 2015-01-25 00:17:30 +01:00
Hans-Martin Münch (h0ng10) 419fa93897 Add OSVDB and WPScan references 2015-01-23 09:27:42 +01:00
Hans-Martin Münch (h0ng10) dfbbc79e0d make retries a datastore option 2015-01-23 09:23:09 +01:00
Hans-Martin Münch (h0ng10) 11bf58e548 Use metasploit methods 2015-01-23 08:48:52 +01:00
jvazquez-r7 d8aa282482 Delete some double quotes 2015-01-22 18:21:25 -06:00
jvazquez-r7 4c72b096b6 Switch variable from file_name to operation 2015-01-22 18:20:11 -06:00
jvazquez-r7 b003d8f750 Do final cleanup 2015-01-22 18:17:14 -06:00
jvazquez-r7 911485f536 Use easier key name 2015-01-22 18:11:48 -06:00
jvazquez-r7 eff49b5fd3 Delete files with Rex::Java::Serialization 2015-01-22 17:59:43 -06:00
jvazquez-r7 37bf66b994 Install instaget with Rex::Java::Serialization 2015-01-22 16:54:49 -06:00
jvazquez-r7 20d7fe631e Auto detect platform without raw streams 2015-01-22 15:15:08 -06:00
jvazquez-r7 ad276f0d52 Retrieve version with Rex::Java::Serialization instead of binary streams 2015-01-22 14:52:19 -06:00
jvazquez-r7 b61538e980
Land #4291, @headlesszeke's module for ARRIS VAP2500 command execution 2015-01-21 20:52:31 -06:00
jvazquez-r7 33195caff2 Mark compatible payloads 2015-01-21 20:52:04 -06:00
jvazquez-r7 500d7159f1 Use PAYLOAD instead of CMD 2015-01-21 20:49:05 -06:00
jvazquez-r7 f37ac39b4c Split exploit cmd vs exploit session 2015-01-21 20:46:37 -06:00
jvazquez-r7 e1d1ff17fd Change failure code 2015-01-21 20:38:33 -06:00
jvazquez-r7 169052af5c Use cookie option 2015-01-21 20:37:38 -06:00
jvazquez-r7 c866caac43 Randomize MLet name 2015-01-21 00:36:34 -06:00
jvazquez-r7 37ed1b1e62 Delete default values for datastore options 2015-01-21 00:14:46 -06:00
jvazquez-r7 a996efc807 Refactor exploit code 2015-01-21 00:07:00 -06:00
jvazquez-r7 2de2e657f0 Refactor get_mbean_server 2015-01-20 23:44:33 -06:00
jvazquez-r7 d90f856c00 Delete sock_server variable 2015-01-20 20:51:20 -06:00
jvazquez-r7 b792c0a5bf Create exploit_mbean_server method 2015-01-20 20:44:10 -06:00
jvazquez-r7 0b2d65749b Do better argument handling on Msf::Jmx::Mbean::ServerConnection 2015-01-20 18:46:09 -06:00
jvazquez-r7 b97c0fe398 Add Msf::Jmx::Util#extract_unicast_ref 2015-01-20 17:46:42 -06:00
jvazquez-r7 f7aaad1cf1
Delete some extraneous commas 2015-01-19 17:25:45 -06:00
jvazquez-r7 dbc77a2857
Land #4517, @pedrib's exploit for ManageEngine Multiple Products Authenticated File Upload
* CVE-2014-5301
2015-01-19 17:23:39 -06:00
jvazquez-r7 6403098fbc Avoid sleep(), survey instead 2015-01-19 17:22:04 -06:00
jvazquez-r7 a6e351ef5d Delete unnecessary request 2015-01-19 17:14:23 -06:00
jvazquez-r7 ed26a2fd77 Avoid modify datastore options 2015-01-19 17:11:31 -06:00
jvazquez-r7 3c0efe4a7e Do minor style changes 2015-01-19 15:36:05 -06:00
rastating 9d3397901b Correct version numbers and code tidy up 2015-01-19 20:59:46 +00:00
jvazquez-r7 ddda0b2f4b Beautify metadata 2015-01-19 14:59:31 -06:00
Hans-Martin Münch (h0ng10) 5813c639d1 Initial commit 2015-01-19 17:23:48 +01:00
sgabe affc661524 Add module for CVE-2014-4936 2015-01-18 17:18:05 +01:00
jvazquez-r7 3a3e37ba6c Refactor extract_mbean_server 2015-01-18 01:20:13 -06:00
jvazquez-r7 4247747fc5 Refactor extract_object 2015-01-18 01:13:00 -06:00
Brent Cook a2a1a90678
Land #4316, Meatballs1 streamlines payload execution for exploits/windows/local/wmi
also fixes a typo bug in WMIC
2015-01-16 11:16:22 -06:00
jvazquez-r7 d9c6c56779 Refactor extract_rmi_connection_stub 2015-01-15 23:15:30 -06:00
jvazquez-r7 2d2f26a0e3 Change method names for stream builders 2015-01-15 23:01:27 -06:00
jvazquez-r7 00117fc963 Do first and ugly refactoring 2015-01-15 21:18:03 -06:00
jvazquez-r7 4d35131f59 Provide description and authentication support 2015-01-15 17:57:35 -06:00
jvazquez-r7 2cd15d0155 Delete comments 2015-01-15 16:43:03 -06:00
jvazquez-r7 cab4787172 Add initial JMX module 2015-01-15 16:41:37 -06:00
Brent Cook c1e604f201
Land #4562: wchen-r7's CVE addition 2015-01-15 14:34:37 -06:00
Brent Cook 47cd5a3e59
Land #4562, wchen-r7's Win8 NtApphelpCacheControl privilege escalation 2015-01-15 13:52:07 -06:00
sinn3r 09eaf80a90 Add CVE 2015-01-15 13:22:00 -06:00
sgabe 68dc3ce876 Minor code formatting 2015-01-15 19:33:08 +01:00
sinn3r 57904773e7 Configurable resource 2015-01-15 10:28:03 -06:00
Gabor Seljan ef0be946b1 Use HttpServer instead of TcpServer 2015-01-15 10:39:17 +01:00
Pedro Ribeiro 3768cf0a69 Change version to int and add proper timestamp 2015-01-14 22:59:11 +00:00
jvazquez-r7 621cada2ac Undo build_gc_call_data refactoring 2015-01-14 16:47:28 -06:00
sgabe da0fce1ea8 Add module for CVE-2014-2206 2015-01-14 22:04:30 +01:00
rastating 8a89b3be28 Cleanup of various bits of code 2015-01-13 22:20:40 +00:00
Jon Hart ac4eb3bb90
Land #4578, @dlanner's fix for rails_secret_deserialization 2015-01-13 09:37:28 -08:00
David Lanner c5cfc11d84 fix cookie regex by removing a space 2015-01-12 23:13:18 -05:00
rastating 8246f4e0bb Add ability to use both WP and EC attack vectors 2015-01-12 23:30:59 +00:00
rastating e6f6acece9 Add a date hash to the post data 2015-01-12 21:21:50 +00:00
sinn3r 7876401419
Land #4476 - Lexmark MarkVision Enterprise Arbitrary File Upload 2015-01-12 10:44:23 -06:00
sinn3r 34bbc5be90 print error message about limitation 2015-01-11 20:12:40 -06:00
rastating ea37e2e198 Add WP EasyCart file upload exploit module 2015-01-10 21:05:02 +00:00
sinn3r 46d1616994 Hello ARCH_X86_64 2015-01-10 06:16:22 -06:00
sinn3r 3c8be9e36d Just x86 2015-01-09 19:12:51 -06:00
sinn3r 74e8e057dd Use RDL 2015-01-09 19:02:08 -06:00
Christian Mehlmauer d4d1a53533
fix invalid url 2015-01-09 21:57:52 +01:00
Christian Mehlmauer fd2307680d
Land #4550, wp-symposium file upload 2015-01-09 21:55:02 +01:00
jvazquez-r7 d65ed54e0c Check STARTUP_FOLDER option 2015-01-09 12:21:01 -06:00
jvazquez-r7 2c633e403e Do code cleanup 2015-01-09 12:07:59 -06:00
jvazquez-r7 d52e9d4e21 Fix metadata again 2015-01-09 11:20:00 -06:00
jvazquez-r7 9dbf163fe7 Do minor style fixes 2015-01-09 11:17:16 -06:00
jvazquez-r7 8f09e0c20c Fix metadata by copying the mysql_mof data 2015-01-09 11:15:32 -06:00
jvazquez-r7 da6496fee1
Test landing #2156 into up to date branch 2015-01-09 11:04:47 -06:00
sinn3r ee5c249c89 Add EDB reference 2015-01-09 00:19:12 -06:00
sinn3r 75de792558 Add a basic check 2015-01-09 00:03:39 -06:00
sinn3r 4911127fe2 Match the title and change the description a little bit 2015-01-08 21:48:01 -06:00
sinn3r b7b3ae4d2a A little randomness 2015-01-08 21:25:55 -06:00
Jon Hart e4547eb474
Land #4537, @wchen-r7's fix for #4098 2015-01-08 17:57:16 -08:00
Jon Hart f13e56aef8
Handle bracketed and unbracketed results, add more useful logging 2015-01-08 17:51:31 -08:00
Jon Hart 14db112c32 Add logging to show executed Java and result 2015-01-08 16:53:12 -08:00
sinn3r b65013c5c5 Another update 2015-01-08 18:39:04 -06:00
sinn3r b2ff5425bc Some changes 2015-01-08 18:33:30 -06:00
sinn3r 53e6f42d99 This works 2015-01-08 17:57:14 -06:00
Pedro Ribeiro c76aec60b0 Add OSVDB id and full disclosure URL 2015-01-08 23:29:38 +00:00
sinn3r 7ed6b3117a Update 2015-01-08 17:18:14 -06:00
Brent Cook fb5170e8b3
Land #2766, Meatballs1's refactoring of ExtAPI services
- Many code duplications are eliminated from modules in favor of shared
   implementations in the framework.
 - Paths are properly quoted in shell operations and duplicate operations are
   squashed.
 - Various subtle bugs in error handling are fixed.
 - Error handling is simpler.
 - Windows services API is revised and modules are updated to use it.
 - various API docs added
 - railgun API constants are organized and readable now.
2015-01-08 16:54:01 -06:00
sinn3r 50ecfbf64c
Land #4553 - Update bypass UAC to work on 7, 8, 8.1, and 2012 2015-01-08 16:19:55 -06:00
jvazquez-r7 fa5cd928a1 Refactor exploit to use the mixin 2015-01-08 16:04:56 -06:00
rastating 82e6183136 Add Msf::Exploit::FileDropper mixin 2015-01-08 21:07:00 +00:00
rastating 93dc90d9d3 Tidied up some code with existing mixins 2015-01-08 20:53:56 +00:00
jvazquez-r7 873ade3b8a Refactor exploit module 2015-01-08 14:52:55 -06:00
sinn3r 0e6c7181b1 "Stash" it 2015-01-08 14:13:14 -06:00
Meatballs a9fee9c022
Fall back to runas if UAC disabled 2015-01-08 11:07:57 +00:00
William Vu ea793802cc
Land #4528, mantisbt_php_exec improvements 2015-01-08 04:50:00 -06:00
OJ 844460dd87
Update bypass UAC to work on 8.1 and 2012
This commit contains a bunch of work that comes from Meatballs1 and
Lesage, and updates the bypassuac_inject module so that it works on
Windows 8.x and Windows 2012. Almost zero of the code in this module
can be attributed to me. Most of it comes from Ben's work.

I did do some code tidying, adjustment of style, etc. but other than
that it's all down to other people.
2015-01-08 15:39:19 +10:00
rastating 7b92c6c2df Add WP Symposium Shell Upload module 2015-01-07 22:02:39 +00:00
Meatballs 0b0ac1455a
Merge remote-tracking branch 'upstream/master' into extapi_service_post
Conflicts:
	test/modules/post/test/services.rb
2015-01-07 20:53:34 +00:00
sinn3r ef97d15158 Fix msftidy and make sure all print_*s in check() are vprint_*s 2015-01-07 12:12:25 -06:00
James Lee 3e80efb5a8
Land #4521, Pandora FMS upload 2015-01-07 11:13:57 -06:00
James Lee 1ccef7dc3c
Shorter timeout so we get shell sooner
The request to execute our payload will never return, so waiting for the
default timeout (20 seconds) is pointless.
2015-01-07 11:11:33 -06:00
sinn3r 4c240e8959 Fix #4098 - False negative check for script_mvel_rce
Fix #4098, thanks @arnaudsoullie
2015-01-07 10:40:58 -06:00
sinn3r c60b6969bc Oh so that's it 2015-01-07 10:39:46 -06:00
James Lee efe83a4f31
Whitespace 2015-01-07 10:19:17 -06:00
Christian Mehlmauer 09bd0465cf
fix regex 2015-01-07 11:54:55 +01:00
rcnunez b3def856fd Applied changes recommended by jlee-r7
used Rex::ConnectionError
refactor begin/rescue blocks
removed ::URI::InvalidURIError
changed @peer with peer
used Exploit::CheckCode:Appears instead of Exploit::CheckCode::Vulnerable
2015-01-07 18:38:19 +08:00
Christian Mehlmauer eaad4e0bea
fix check method 2015-01-07 11:01:08 +01:00
Christian Mehlmauer 862af074e9
fix bug 2015-01-07 09:10:50 +01:00
Christian Mehlmauer d007b72ab3
favor include? over =~ 2015-01-07 07:33:16 +01:00
Christian Mehlmauer 4277c20a83
use include? 2015-01-07 06:51:28 +01:00
Christian Mehlmauer 39e33739ea
support for anonymous login 2015-01-07 00:08:04 +01:00
Christian Mehlmauer bf0bdd00df
added some links, use the res variable 2015-01-06 23:25:11 +01:00
sinn3r 2ed05869b8 Make Msf::Exploit::PDF follow the Ruby method naming convention
Just changing method names.

It will actually also fix #4520
2015-01-06 12:42:06 -06:00
Christian Mehlmauer f9f2bc07ac
some improvements to the mantis module 2015-01-06 11:33:45 +01:00
William Vu f2710f6ba7
Land #4443, BulletProof FTP client exploit 2015-01-06 02:10:42 -06:00
William Vu 482cfb8d59
Clean up some stuff 2015-01-06 02:10:25 -06:00
Meatballs dd5c638ab0
Merge remote-tracking branch 'upstream/master' into extapi_service_post 2015-01-05 22:18:44 +00:00
sinn3r 44dfa746eb Resolve #4513 - Change #inspect to #to_s
Resolve #4513
2015-01-05 11:50:51 -06:00
rcnunez 547b7f2752 Syntax and File Upload BugFix
Fix unexpected ) in line 118
Fix file cleanup missing _
Fix more robust version check script
Fix file upload
2015-01-05 19:23:22 +08:00
Pedro Ribeiro c9b76a806a Create manageengine_auth_upload.rb 2015-01-04 17:05:53 +00:00
Tim c959d42a29 minor tweak 2015-01-03 10:15:52 +00:00
sinn3r d45cdd61aa Resolve #4507 - respond_to? + send = evil
Since Ruby 2.1, the respond_to? method is more strict because it does
not check protected methods. So when you use send(), clearly you're
ignoring this type of access control. The patch is meant to preserve
this behavior to avoid potential breakage.

Resolve #4507
2015-01-02 13:29:17 -06:00
sinn3r 3c755a6dfa Template 2015-01-02 11:31:28 -06:00
Tod Beardsley c1718fa490
Land #4440, git client exploit from @jhart-r7
Also fixes #4435 and makes progress against #4445.
2015-01-01 13:18:43 -06:00
Tod Beardsley d7564f47cc
Move Mercurial option to advanced, update ref url
See #4440
2015-01-01 13:08:36 -06:00
Tod Beardsley 914c724abe
Rename module
See rapid7#4440
2015-01-01 13:03:17 -06:00