Commit Graph

6799 Commits (6fd1ff687089770f9ceedc0aeacd9c86fd0d6364)

Author SHA1 Message Date
Julian Vilas 73536f2ac0 Add support Java 8 2014-06-07 22:43:14 +02:00
Brendan Coles 6bef6edb81 Update efs_easychatserver_username.rb
Add targets for versions 2.0 to 3.1.
Add install path detection for junk size calculation.
Add version detection for auto targeting.
2014-06-08 06:36:18 +10:00
Meatballs bf1a665259
Land #2657, Dynamic generation of windows service executable functions
Allows a user to specify non service executables as EXE::Template as
long as the file has enough size to store the payload.
2014-06-07 13:28:20 +01:00
Julian Vilas e7957bf999 Change GET request by random text 2014-06-05 01:33:00 +02:00
jvazquez-r7 c9bd0ca995 Add minor changes 2014-06-04 15:56:14 -05:00
jvazquez-r7 bb77327b09 Warn the user if the detected platform doesnt match target 2014-06-04 14:50:18 -05:00
jvazquez-r7 b76253f9ff Add context to the socket 2014-06-04 14:25:01 -05:00
jvazquez-r7 77eeb5209a Do small cleanups 2014-06-04 14:23:21 -05:00
jvazquez-r7 6c643f8837 Fix usage of Rex::Sockket::Tcp 2014-06-04 14:14:23 -05:00
jvazquez-r7 837668d083 use optiona argument for read_reply 2014-06-04 13:48:53 -05:00
jvazquez-r7 d184717e55 delete blank lines 2014-06-04 13:24:34 -05:00
jvazquez-r7 33a7bc64fa Do some easy cleaning 2014-06-04 13:18:59 -05:00
jvazquez-r7 1ff539fc73 No sense to check two times 2014-06-04 12:48:20 -05:00
jvazquez-r7 7a5b5d31f9 Avoid messages inside check 2014-06-04 12:43:39 -05:00
jvazquez-r7 3869fcb438 common http breakpoint event 2014-06-04 12:41:23 -05:00
jvazquez-r7 9ffe8d80b4 Do some metadata cleaning 2014-06-04 12:33:57 -05:00
jvazquez-r7 079fe8622a Add module for ZDI-14-136 2014-06-04 10:29:33 -05:00
Julian Vilas b9d8f75f59 Add breakpoint autohitting 2014-06-03 23:34:40 +02:00
Julian Vilas 6061e5e713 Fix suggestions 2014-06-03 23:13:14 +02:00
jvazquez-r7 43699b1dfb Don't clean env variable before using it 2014-06-03 09:56:19 -05:00
jvazquez-r7 b8a2cf776b Do test 2014-06-03 09:52:01 -05:00
jvazquez-r7 05ed2340dc Use powershell 2014-06-03 09:29:04 -05:00
jvazquez-r7 f918bcc631 Use powershell instead of mshta 2014-06-03 09:01:56 -05:00
joev 04ac07a216 Compress and base64 data to save bytes.
Reduced file size from 43kb to 12kb, yay.
2014-06-02 23:06:46 -05:00
joev cf6b181959 Revert change to trailer(). Kill dead method.
* I verified that changes to PDF mixin do not affect any older modules that
generate PDF. I did this by (on each branch) running  in irb, then
running the module and diffing the pdf's generated by each branch. There were
no changes.
2014-06-02 22:26:14 -05:00
joev 9f5dfab9ea Add better interface for specifying custom #eol. 2014-06-02 22:26:11 -05:00
joev feca6c4700 Add exploit for ajsif vuln in Adobe Reader.
* This refactors the logic of webview_addjavascriptinterface into a mixin (android.rb).
* Additionally, some behavior in pdf.rb had to be modified (in backwards-compatible ways).

Conflicts:
	lib/msf/core/exploit/mixins.rb
2014-06-02 22:25:55 -05:00
jvazquez-r7 7f4702b65e Update from rapid7 master 2014-06-02 17:41:41 -05:00
Tod Beardsley d0d389598a
Land #3086, Android Java Meterpreter updates
w00t.
2014-06-02 17:28:38 -05:00
jvazquez-r7 4840a05ada Update from rapid7 master 2014-06-02 17:17:00 -05:00
jvazquez-r7 9574a327f8 use the new check also in exploit() 2014-06-02 14:38:33 -05:00
jvazquez-r7 3c38c0d87c Dont be confident about string comparision 2014-06-02 14:37:29 -05:00
Tod Beardsley b136765ef7
Nuke extra space at EOL 2014-06-02 14:22:01 -05:00
Tod Beardsley ea383b4139
Make print/descs/case consistent 2014-06-02 13:20:01 -05:00
jvazquez-r7 d0241cf4c1 Add check method 2014-06-02 08:14:40 -05:00
jvazquez-r7 31af8ef07b Check .NET version 2014-06-01 20:58:08 -05:00
Meatballs 3c5fae3706
Use correct include 2014-06-01 11:51:06 +01:00
Meatballs 4801a7fca0
Allow x86->x64 injection 2014-06-01 11:50:13 +01:00
jvazquez-r7 3ae4a16717 Clean environment variables 2014-05-30 12:21:23 -05:00
jvazquez-r7 b99b577705 Clean environment variable 2014-05-30 12:20:00 -05:00
jvazquez-r7 b27a95c008 Delete unused code 2014-05-30 12:08:55 -05:00
jvazquez-r7 e215bd6e39 Delete unnecessary code and use get_env 2014-05-30 12:07:59 -05:00
Michael Messner 76ed9bcf86 hedwig.cgi - cookie bof - return to system 2014-05-30 17:49:37 +02:00
Michael Messner 1ddc2d4e87 hedwig.cgi - cookie bof - return to system 2014-05-30 17:32:49 +02:00
jvazquez-r7 1dbd36a3dd Check for the .NET dfsvc and use %windir% 2014-05-30 09:02:43 -05:00
jvazquez-r7 ffbcbe8cc1 Use cmd_psh_payload 2014-05-29 18:12:18 -05:00
jvazquez-r7 03889ed31f Use cmd_psh_payload 2014-05-29 18:11:22 -05:00
Julian Vilas 60c5307475 Fix msftidy 2014-05-30 00:14:59 +02:00
Julian Vilas 9627bae98b Add JDWP RCE for Windows and Linux 2014-05-29 23:45:44 +02:00
sinn3r 3a3d038904
Land #3397 - ElasticSearch Dynamic Script Arbitrary Java Execution 2014-05-29 12:21:21 -05:00
sinn3r dfa61b316e A bit of description change 2014-05-29 12:20:40 -05:00
jvazquez-r7 e145298c13 Add module for CVE-2014-0257 2014-05-29 11:45:19 -05:00
jvazquez-r7 6e122e683a Add module for CVE-2013-5045 2014-05-29 11:42:54 -05:00
William Vu 53ab2aefaa
Land #3386, a few datastore msftidy error fixes 2014-05-29 10:44:37 -05:00
William Vu 8a2236ecbb
Fix the last of the Set-Cookie msftidy warnings 2014-05-29 04:42:49 -05:00
jvazquez-r7 7a29ae5f36 Add module for CVE-2014-3120 2014-05-27 18:01:16 -05:00
William Vu 352e14c21a
Land #3391, all vars_get msftidy warning fixes 2014-05-26 23:41:46 -05:00
Christian Mehlmauer da0a9f66ea
Resolved all msftidy vars_get warnings 2014-05-25 19:29:39 +02:00
Christian Mehlmauer df97c66ff5
Fixed check 2014-05-24 00:37:52 +02:00
Christian Mehlmauer 8d4d40b8ba
Resolved some Set-Cookie warnings 2014-05-24 00:34:46 +02:00
Tod Beardsley efffbf751a
PHP module shouldnt zap CMD option (@wchen-r7)
As far as I can tell, there is no purpose for this cleanup. No other CMD
exec module takes pains to clear out CMD after run, and it looks like a
bad idea -- what happens when you rexploit?
2014-05-23 15:09:18 -05:00
Michael Messner b85c0b7543 rop to system with telnetd 2014-05-23 20:51:25 +02:00
mercd 28459299b2 Update ibstat_path.rb
Add interface detection, defaulting to en0.
2014-05-22 14:16:04 -07:00
jvazquez-r7 b9464e626e Delete unnecessary line 2014-05-21 10:18:03 -05:00
jvazquez-r7 af415c941b [SeeRM #8803] Avoid false positives when checking fb_cnct_group 2014-05-20 18:44:28 -05:00
Jonas Vestberg 7cabfacfa3 Test adobe_flash_pixel_bender_bof on Safari 5.1.7
Added browser-requirement for Safari after successful test using Safari 5.1.7 with Adobe Flash Player 13.0.0.182 running on Windows 7 SP1.
2014-05-20 01:43:19 +02:00
Meatballs 52b182d212
Add a small note to bypassuac_injection concerning EXE::Custom 2014-05-19 22:00:35 +01:00
Meatballs b84379ab3b
Note about EXE::Custom 2014-05-19 22:00:09 +01:00
Tod Beardsley 0ef2e07012
Minor desc and status updates, cosmetic 2014-05-19 08:59:54 -05:00
sinn3r bf52c0b888
Land #3364 - Symantec Workspace Streaming Arbitrary File Upload 2014-05-19 00:25:33 -05:00
jvazquez-r7 2fb0dbb7f8 Delete debug print_status 2014-05-18 23:34:04 -05:00
jvazquez-r7 975cdcb537 Allow exploitation also on FF 2014-05-18 23:24:01 -05:00
Jonas Vestberg 033757812d Updates to adobe_flash_pixel_bender_bof:
1. Added embed-element to work with IE11 (and Firefox). Removed browser-requirements for ActiveX (clsid and method).
2. Added Cache-Control header on SWF-download to avoid AV-detection (no disk caching = no antivirus-analysis :).

Testing performed:
Successfully tested with Adobe Flash Player 13.0.0.182 with IE9, IE10 and IE11 running on Windows 7SP1. (Exploit will trigger on FF29, although sandboxed.)
2014-05-18 22:43:51 +02:00
jvazquez-r7 1b68abe955 Add module for ZDI-14-127 2014-05-15 13:41:52 -05:00
William Vu 750b6fc218
Land #3348, some Ruby warning fixes 2014-05-14 01:25:10 -05:00
William Vu c421b8e512
Change if not to unless 2014-05-14 01:24:29 -05:00
Christian Mehlmauer df4b832019
Resolved some more Set-Cookie warnings 2014-05-13 22:56:12 +02:00
agix 1a3b319262 rebase to use the mixin psexec 2014-05-13 16:04:40 +02:00
agix d3f2414d09 Fix merging typo 2014-05-13 16:04:40 +02:00
Florian Gaultier 808f87d213 SERVICE_DESCRIPTION doesn't concern this PR 2014-05-13 16:04:39 +02:00
Florian Gaultier 6332957bd2 Try to add SERVICE_DESCRIPTION options to psexec, but it doesn't seem to work... 2014-05-13 16:04:39 +02:00
Florian Gaultier 5ecebc3427 Add options `SERVICE_NAME` and `SERVICE_DISPLAYNAME` to psexec and correct service payload generation 2014-05-13 16:04:37 +02:00
Florian Gaultier ca7a2c7a36 Add string_to_pushes to use non fixed size service_name 2014-05-13 16:04:37 +02:00
Florian Gaultier 513f3de0f8 new service exe creation refreshed 2014-05-13 16:04:36 +02:00
Jeff Jarmoc 638ae477d9 Fix up spec. Rex::Proto::Http::ClientRequest handles & and = outside of Rex::Text::uri_encode, so mode doesn't affect them.
Fix erroneous typo char.
2014-05-12 12:10:30 -05:00
Jeff Jarmoc 5f523e8a04 Rex::Text::uri_encode - make 'hex-all' really mean all.
'hex-all' encoding was previously ignoring slashes.
This pull adds 'hex-noslashes' mode which carries forward the previous functionality, and replaces all existing references to 'hex-all' with 'hex-noslashes'  It then adds a replacement 'hex-all' mode, which really encodes *ALL* characters.
2014-05-12 11:26:27 -05:00
Christian Mehlmauer 557cd56d92 fixed some ruby warnings 2014-05-10 23:31:02 +02:00
Tim Wright a60558061c
re-enable x86 stager 2014-05-10 19:58:19 +01:00
Christian Mehlmauer dee6b53175 fix java payload struts module 2014-05-10 00:19:40 +02:00
jvazquez-r7 6f837715f9
Land #3343, @FireFart's new uri encoding for struts_code_exec_parameters 2014-05-09 14:37:58 -05:00
jvazquez-r7 38f3a19673 Try to beautify description 2014-05-09 14:35:06 -05:00
Christian Mehlmauer 43a85fc645 additional GET parameters 2014-05-09 21:21:04 +02:00
Christian Mehlmauer ad83921a85 additional GET parameters 2014-05-09 21:15:28 +02:00
jvazquez-r7 f56ea01988 Add module 2014-05-09 10:27:41 -05:00
Christian Mehlmauer 53fde675e7 randomize meh parameter 2014-05-09 10:38:19 +02:00
Christian Mehlmauer a3fff5401f more code cleanup 2014-05-08 23:05:41 +02:00
Christian Mehlmauer e7b7af2f75 fixed apache struts module 2014-05-08 22:15:52 +02:00
jvazquez-r7 6b41a4e2d9 Test Flash 13.0.0.182 2014-05-07 17:39:22 -05:00
jvazquez-r7 5fd732d24a Add module for CVE-2014-0515 2014-05-07 17:13:16 -05:00
William Vu e8bc89af30
Land #3337, release fixes 2014-05-05 14:03:48 -05:00
Tod Beardsley c97c827140
Adjust desc and ranking on ms13-053
Since it's likely to crash winlogin.exe in the normal use case
(eventually), I've kicked this down to Average ranking.
2014-05-05 13:46:19 -05:00
Tod Beardsley 3536ec9a74
Description update 2014-05-05 13:43:44 -05:00
Tod Beardsley 3072c2f08a
Update CVEs for RootedCon Yokogawa modules
Noticed they were nicely documented at

http://chemical-facility-security-news.blogspot.com/2014/03/ics-cert-publishes-yokogawa-advisory.html

We apparently never updated with CVE numbers.
2014-05-05 13:25:55 -05:00
sinn3r 6bfc9a8aa0
Land #3333 - Adobe Flash Player Integer Underflow Remote Code Execution 2014-05-05 10:39:26 -05:00
Christian Mehlmauer 073adc759d
Land #3334, fix author by @julianvilas 2014-05-04 21:30:53 +02:00
Julian Vilas dd7705055b Fix author 2014-05-04 19:31:53 +02:00
OJ 7e37939bf2
Land #3090 - Windows NTUserMessageCall Win32k Kernel Pool Overflow (Schlamperei) 2014-05-04 16:41:17 +10:00
jvazquez-r7 5b150a04c6 Add testing information to description 2014-05-03 20:08:00 -05:00
jvazquez-r7 b4c7c5ed1f Add module for CVE-2014-0497 2014-05-03 20:04:46 -05:00
julianvilas 36f9f342c1 Fix typo 2014-05-02 16:26:08 +02:00
Meatballs 56c5eac823
Message correction 2014-05-02 14:18:18 +01:00
Meatballs 69915c0de5
Message correction 2014-05-02 14:17:27 +01:00
jvazquez-r7 150b89e290
Land #3314, @julianvilas's exploit for Struts CVE-2014-0094 2014-05-01 18:09:10 -05:00
jvazquez-r7 3dd3ceb3a9 Refactor code 2014-05-01 18:04:37 -05:00
jvazquez-r7 b7ecf829d3 Do first refactor 2014-05-01 16:39:53 -05:00
jvazquez-r7 195005dd83 Do minor style changes 2014-05-01 15:25:55 -05:00
jvazquez-r7 140c8587e7 Fix metadata 2014-05-01 15:24:16 -05:00
Julian Vilas e0ee31b388 Modify print_error by fail_with 2014-05-01 20:19:31 +02:00
Julian Vilas 3374af83ab Fix typos 2014-05-01 19:44:07 +02:00
jvazquez-r7 1483f02f83
Land #3306, @xistence's alienvault's exploit 2014-05-01 09:25:07 -05:00
jvazquez-r7 1b39712b73 Redo response check 2014-05-01 09:10:16 -05:00
jvazquez-r7 78cefae607 Use WfsDelay 2014-05-01 09:07:26 -05:00
xistence 5db24b8351 Fixes/Stability AlienVault module 2014-05-01 14:53:55 +07:00
xistence c12d72b58c Changes to alienvault module 2014-05-01 10:39:11 +07:00
xistence 9bcf5eadb7 Changes to alienvault module 2014-05-01 10:10:15 +07:00
Julian Vilas bd39af3965 Fix target ARCH_JAVA and remove calls to sleep 2014-05-01 00:51:52 +02:00
William Vu 8b138b2d37
Fix unquoted path in cleanup script 2014-04-30 16:34:33 -05:00
kaospunk 6b740b727b Changes PATH to proper case
This changes PATH to Path
2014-04-30 17:26:36 -04:00
kaospunk fdc81b198f Adds the ability to specify path
This update allows an explicit path to be set rather
than purely relying on the TEMP environment variable.
2014-04-30 16:08:48 -04:00
julianvilas 8e8fbfe583 Fix msf-staff comments 2014-04-29 17:36:04 +02:00
julianvilas b2c2245aff Add comments 2014-04-29 11:24:17 +02:00
Julian Vilas a78aae08cf Add CVE-2014-0094 RCE for Struts 2 2014-04-29 03:58:04 +02:00
Julian Vilas 17a508af34 Add CVE-2014-0094 RCE for Struts 2 2014-04-29 03:50:45 +02:00
sinn3r 4c0a692678
Land #3312 - Update ms14-012 2014-04-28 18:48:20 -05:00
sinn3r b1ac0cbdc7
Land #3239 - Added target 6.1 to module 2014-04-28 18:28:14 -05:00
jvazquez-r7 1c88dea7d6 Exploitation also works with flash 13 2014-04-28 16:23:05 -05:00
sinn3r 8a4c7b22ed
Land #3296 - Refactors firefox js usage into a mixin 2014-04-28 15:22:55 -05:00
sinn3r d530c9c128
Land #3304 - Adobe Flash Player Type Confusion Remote Code Execution 2014-04-28 15:06:50 -05:00
Tod Beardsley 1b4fe90003
Fix msftidy warnings on wireshark exploits 2014-04-28 19:51:38 +01:00
Tod Beardsley 3bfdfb5cab
Grammar 2014-04-28 19:49:56 +01:00
Tod Beardsley a5baea1a8e
Touch up print_ statements 2014-04-28 19:49:23 +01:00
jvazquez-r7 9a1b216fdb Move module to new location 2014-04-28 11:55:26 -05:00
jvazquez-r7 51a5a901a8 Fix typo 2014-04-28 11:55:06 -05:00
jvazquez-r7 887dfc5f40 Fix RequiredCmd 2014-04-28 11:54:56 -05:00
jvazquez-r7 245b591247 Do module clean up 2014-04-28 11:45:40 -05:00
xistence 2e04bc9e4e AlienVault OSSIM 4.3.1 unauthenticated SQLi RCE 2014-04-28 10:59:15 +07:00
jvazquez-r7 9ce5545034 Fix comments 2014-04-27 20:13:46 -05:00
jvazquez-r7 60e7e9f515 Add module for CVE-2013-5331 2014-04-27 10:40:46 -05:00
joev f94d1f6546 Refactors firefox js usage into a mixin. 2014-04-24 15:09:48 -05:00
sinn3r 1353c62967
Land #3295 - Fix NoMethodError undefined method `body' for nil:NilClass 2014-04-24 13:53:58 -05:00
sinn3r 5c0664fb3b
Land #3292 - Mac OS X NFS Mount Privilege Escalation Exploit 2014-04-24 13:43:20 -05:00
sinn3r 656e60c35c
Land #3254 - Wireshark <= 1.8.12/1.10.5 wiretap/mpeg.c Stack BoF 2014-04-24 13:20:50 -05:00
sinn3r cde9080a6a Move module to fileformat 2014-04-24 13:17:08 -05:00
sinn3r a39855e20d Works for XP SP3 too 2014-04-24 13:16:24 -05:00
sinn3r ba8d7801f4 Remove default target because there is no auto-select 2014-04-24 13:15:49 -05:00
sinn3r 2e76db01d7 Try to stick to the 100 columns per line rule 2014-04-24 13:15:12 -05:00
Tom Sellers 8f47edb899 JBoss_Maindeployer: improve feedback against CVE-2010-0738
The exploit against CVE-2010-0738 won't work when using GET or POST.  In the existing code the request would fail and the function would return a nil.  This would be passed to detect_platform without being checked and cause the module to crash ungracefully with the error:

Exploit failed: NoMethodError undefined method `body' for nil:NilClass

The first changes detect a 401 authentication message and provide useful feedback.  Given that if, in any case, 'res' is not a valid or useful response the second change just terminates processing.

I've stayed with the module's coding style for consistency.
2014-04-24 12:37:14 -05:00
JoseMi fd95d9ef38 Added english windows xp sp2 target 2014-04-23 17:32:56 +01:00
Joe Vennix 143aede19c
Add osx nfs_mount module. 2014-04-23 02:32:42 -05:00
Tod Beardsley e514ff3607
Description and print_status fixes for release
@cdoughty-r7, I choose you! Or @wvu-r7.
2014-04-21 14:00:03 -05:00
Ken Smith 66b1c79da9 Update rop chain for versions 6.2 and 6.1 2014-04-21 13:27:14 -04:00
JoseMi e25ca64641 It's solved the crash when double-click on the pcap file 2014-04-21 17:49:40 +01:00
JoseMi 3861541204 Add more rand_text_alpha functions 2014-04-19 18:37:58 +01:00
JoseMi 7bc546e69a Add rand_text_alpha function 2014-04-19 17:45:28 +01:00
JoseMi feea4c1fa6 ROP chain changed 2014-04-18 19:05:53 +01:00
William Vu 7d801e3acc
Land #3200, goodbye LORCON modules :( 2014-04-18 12:32:22 -05:00
jvazquez-r7 acb12a8bef Beautify and fix both ruby an AS 2014-04-17 23:32:29 -05:00
jvazquez-r7 91d9f9ea7f Update from master 2014-04-17 15:32:49 -05:00
jvazquez-r7 749e141fc8 Do first clean up 2014-04-17 15:31:56 -05:00
Joe Vennix 8920e0cc80
Use octal encoding and -e, so that echo always works. 2014-04-17 01:17:46 -05:00
sinn3r d7a63003a3
Land #3266 - MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free 2014-04-15 18:35:18 -05:00
sinn3r 23c2a071cd Small name change 2014-04-15 18:35:00 -05:00
sinn3r 7a4e12976c
First little bit at Bug 8498
[FixRM #8489] rhost/rport modification
2014-04-15 18:20:16 -05:00
jvazquez-r7 abd76c5000 Add module for CVE-2014-0322 2014-04-15 17:55:24 -05:00
Tod Beardsley 0b2737da7c
Two more java payloads that wanted to write RHOST
There are three total, and they're all copy-pasted from the original
module from 2009. I suspect this idiom isn't used at all any more -- I
can't detect a difference in the payload if I just declare a host being
cli.peerhost, rather than rewriting RHOST to be cli.peerhost.

[SeeRM #8498]
2014-04-14 22:22:30 -05:00
Tod Beardsley 775b0de3c0
Replace RHOST reassing with just host
This looks okay from debug (the host looks like it's generating okay)
but there may be some subtle thing I'm not seeing here. @wchen-r7 can
you glance at this please?

[SeeRM #8498]
2014-04-14 22:17:31 -05:00
JoseMi e811e169dc Cambios en el exploit 2014-04-14 16:31:54 +01:00
JoseMi da26a39634 Add CVE-2014-2219 exploit for windows XP SP3 2014-04-14 16:16:10 +01:00
Ken Smith c99f6654e8 Added target 6.1 to module 2014-04-11 09:59:11 -04:00
jvazquez-r7 fe066ae944
Land #3207, @7a69 MIPS BE support for Fritz Box's exploit 2014-04-09 23:20:45 -05:00
jvazquez-r7 fdda69d434 Align things 2014-04-09 23:19:41 -05:00
jvazquez-r7 386e2e3d29 Do final / minor cleanup 2014-04-09 23:19:12 -05:00
sinn3r b69662fa42
Land #3233 - eScan Password Command Injection 2014-04-11 11:05:48 -05:00
jvazquez-r7 0c8f5e9b7d Add @Firefart's feedback 2014-04-11 10:21:33 -05:00
jvazquez-r7 b0b979ce62 Meterpreter sessions won't get root in this way 2014-04-09 16:59:12 -05:00
jvazquez-r7 a2ce2bfa56 Fix disclosure date 2014-04-09 16:41:49 -05:00
jvazquez-r7 ff232167a6 Add module for eScan command injection 2014-04-09 16:39:06 -05:00
sinn3r 2de210f1c3
Land #3216 - Update @Meatballs1 and @FireFart in authors.rb 2014-04-09 16:38:10 -05:00
sinn3r eb9d3520be
Land #3208 - Sophos Web Protection Appliance Interface Authenticated Exec 2014-04-09 11:30:59 -05:00
Tod Beardsley 062175128b
Update @Meatballs and @FireFart in authors.rb 2014-04-09 10:46:10 -05:00
Brandon Perry 8428b37e59 move file to .rb ext 2014-04-09 05:17:14 -07:00
Brandon Perry 82c9b539ac Fix disclosure date, earlier than I thought 2014-04-08 21:43:49 -05:00
Brandon Perry 3013704c75 Create sophos_wpa_iface_exec
This module exploits both bugs in http://www.zerodayinitiative.com/advisories/ZDI-14-069/
2014-04-08 21:21:43 -05:00
sinn3r f3086085b6
Land #3204 - MS14-017 Microsoft Word RTF Object Confusion 2014-04-08 18:47:53 -05:00
Joe Vennix fc841331d2 Add a test on echo to check for hex support.
* This is much nicer than checking version on userAgent, which
is often changed when rendered in an embedded webview.
2014-04-08 17:58:31 -05:00
sinn3r a2b709b20e
Land #3189 - Vtiger Install Unauthenticated Remote Command Execution 2014-04-08 14:58:34 -05:00
sinn3r 4012dd0acc Fix everything that needs to be fixed 2014-04-08 14:57:42 -05:00
Fabian Bräunlein 8dce80fd30 Added Big Endianess, improved check()-Function
Some Fritz!Box devices also run in Big Endianess mode. However, since
"uname -a" always returns "mips" and the "file"-command is not
available, autodetection is not an easy task.

The check()-function now checks, whether the device is really
vulnerable.

Furthemore, it's possible to send 92 bytes.
2014-04-08 21:32:36 +02:00
Spencer McIntyre 3f6c8afbe3 Fix typo of MSCOMCTL not MCCOMCTL 2014-04-08 14:52:18 -04:00
Spencer McIntyre 85197dffe6 MS14-017 Word RTF listoverridecount memory corruption 2014-04-08 14:44:20 -04:00