Commit Graph

16384 Commits (70033576fefac82f0732d950b17a925f4517b71a)

Author SHA1 Message Date
jvazquez-r7 5d8167dca6 Beautify description 2015-01-10 00:02:42 -06:00
jvazquez-r7 9fb4cfb442 Do First callforward cleanup 2015-01-10 00:00:27 -06:00
jvazquez-r7 f7af0d9cf0
Test landing #4065 into up to date branch 2015-01-09 23:40:16 -06:00
jvazquez-r7 bedbffa377
Land #3700, @ringt fix for oracle_login
* Avoid retrying logins when connection cannot be stablished
2015-01-09 22:59:32 -06:00
jvazquez-r7 38c36b49fb Report when nothing is rescued 2015-01-09 22:58:19 -06:00
Jon Hart 5c12f9da75
More cleanup
Handle multiple versions
Better print_
Actually extract
2015-01-09 18:01:17 -08:00
sinn3r 3c8be9e36d Just x86 2015-01-09 19:12:51 -06:00
sinn3r 74e8e057dd Use RDL 2015-01-09 19:02:08 -06:00
Christian Mehlmauer d4d1a53533
fix invalid url 2015-01-09 21:57:52 +01:00
Christian Mehlmauer fd2307680d
Land #4550, wp-symposium file upload 2015-01-09 21:55:02 +01:00
Jon Hart 35fd17c4f1
Cleanup style 2015-01-09 11:00:25 -08:00
jvazquez-r7 d65ed54e0c Check STARTUP_FOLDER option 2015-01-09 12:21:01 -06:00
jvazquez-r7 2c633e403e Do code cleanup 2015-01-09 12:07:59 -06:00
jvazquez-r7 d52e9d4e21 Fix metadata again 2015-01-09 11:20:00 -06:00
jvazquez-r7 9dbf163fe7 Do minor style fixes 2015-01-09 11:17:16 -06:00
jvazquez-r7 8f09e0c20c Fix metadata by copying the mysql_mof data 2015-01-09 11:15:32 -06:00
jvazquez-r7 da6496fee1
Test landing #2156 into up to date branch 2015-01-09 11:04:47 -06:00
sinn3r ee5c249c89 Add EDB reference 2015-01-09 00:19:12 -06:00
sinn3r 75de792558 Add a basic check 2015-01-09 00:03:39 -06:00
sinn3r 4911127fe2 Match the title and change the description a little bit 2015-01-08 21:48:01 -06:00
sinn3r b7b3ae4d2a A little randomness 2015-01-08 21:25:55 -06:00
Jon Hart e4547eb474
Land #4537, @wchen-r7's fix for #4098 2015-01-08 17:57:16 -08:00
Jon Hart f13e56aef8
Handle bracketed and unbracketed results, add more useful logging 2015-01-08 17:51:31 -08:00
Jon Hart 14db112c32 Add logging to show executed Java and result 2015-01-08 16:53:12 -08:00
sinn3r b65013c5c5 Another update 2015-01-08 18:39:04 -06:00
sinn3r b2ff5425bc Some changes 2015-01-08 18:33:30 -06:00
sinn3r 53e6f42d99 This works 2015-01-08 17:57:14 -06:00
Pedro Ribeiro c76aec60b0 Add OSVDB id and full disclosure URL 2015-01-08 23:29:38 +00:00
sinn3r 7ed6b3117a Update 2015-01-08 17:18:14 -06:00
Brent Cook fb5170e8b3
Land #2766, Meatballs1's refactoring of ExtAPI services
- Many code duplications are eliminated from modules in favor of shared
   implementations in the framework.
 - Paths are properly quoted in shell operations and duplicate operations are
   squashed.
 - Various subtle bugs in error handling are fixed.
 - Error handling is simpler.
 - Windows services API is revised and modules are updated to use it.
 - various API docs added
 - railgun API constants are organized and readable now.
2015-01-08 16:54:01 -06:00
Brent Cook e447a17795 bump deprecated date 2015-01-08 16:20:06 -06:00
sinn3r 50ecfbf64c
Land #4553 - Update bypass UAC to work on 7, 8, 8.1, and 2012 2015-01-08 16:19:55 -06:00
jvazquez-r7 fa5cd928a1 Refactor exploit to use the mixin 2015-01-08 16:04:56 -06:00
jvazquez-r7 ca765e2cc5 Refactor client mixin 2015-01-08 15:46:24 -06:00
rastating 82e6183136 Add Msf::Exploit::FileDropper mixin 2015-01-08 21:07:00 +00:00
rastating 93dc90d9d3 Tidied up some code with existing mixins 2015-01-08 20:53:56 +00:00
jvazquez-r7 873ade3b8a Refactor exploit module 2015-01-08 14:52:55 -06:00
jvazquez-r7 3debcef00b Fix call from aux module 2015-01-08 14:24:27 -06:00
sinn3r 0e6c7181b1 "Stash" it 2015-01-08 14:13:14 -06:00
jvazquez-r7 c205ef28d4 Refactor build_gc_call 2015-01-08 14:01:04 -06:00
Meatballs a9fee9c022
Fall back to runas if UAC disabled 2015-01-08 11:07:57 +00:00
William Vu ea793802cc
Land #4528, mantisbt_php_exec improvements 2015-01-08 04:50:00 -06:00
Meatballs 3c3d28b475
Land #4551, correct spelling in dns_bruteforce 2015-01-08 10:03:28 +00:00
jvazquez-r7 73e3cd19c3 Convert java_rmi_server aux mod to use new mixin 2015-01-08 00:29:50 -06:00
OJ 844460dd87
Update bypass UAC to work on 8.1 and 2012
This commit contains a bunch of work that comes from Meatballs1 and
Lesage, and updates the bypassuac_inject module so that it works on
Windows 8.x and Windows 2012. Almost zero of the code in this module
can be attributed to me. Most of it comes from Ben's work.

I did do some code tidying, adjustment of style, etc. but other than
that it's all down to other people.
2015-01-08 15:39:19 +10:00
William Vu 0604b2ecc7
Land #4542, invalid splat URL fix 2015-01-07 22:54:22 -06:00
EricGershman 0496bb16bc Minor spelling fix 2015-01-07 23:43:59 -05:00
jvazquez-r7 d59805568e Do first module refactoring try 2015-01-07 19:06:09 -06:00
rastating 7b92c6c2df Add WP Symposium Shell Upload module 2015-01-07 22:02:39 +00:00
James Lee da2e088118
Land #4536, Ruby 2.2 compat fixes
Note that ActiveRecord 3.2.21 still has a similar warning that will
probably cause bugs, preventing full support for 2.2 until that's fixed.
2015-01-07 15:33:23 -06:00
Meatballs 0b0ac1455a
Merge remote-tracking branch 'upstream/master' into extapi_service_post
Conflicts:
	test/modules/post/test/services.rb
2015-01-07 20:53:34 +00:00
David Maloney 82d129bfc4
Merge branch 'master' into feature/jtr-korelogic-rules-update 2015-01-07 12:42:23 -06:00
David Maloney df70678762
tell suer KoreLogic rules have been applied
make sure to rpovide console feedback that we are
actually applying the KoreLogic rules to wordlist mode
2015-01-07 12:36:07 -06:00
David Maloney 4ad7021336
give user option to turn on KoreLogic rules
the cracker modules in framework now have a datastore option
to allow the user to select the KoreLogicRules
2015-01-07 12:32:26 -06:00
sinn3r ef97d15158 Fix msftidy and make sure all print_*s in check() are vprint_*s 2015-01-07 12:12:25 -06:00
rastating a5f48b23df Add use of Msf::ThreadManager 2015-01-07 17:27:06 +00:00
James Lee 3e80efb5a8
Land #4521, Pandora FMS upload 2015-01-07 11:13:57 -06:00
James Lee 1ccef7dc3c
Shorter timeout so we get shell sooner
The request to execute our payload will never return, so waiting for the
default timeout (20 seconds) is pointless.
2015-01-07 11:11:33 -06:00
rastating e90e98547b Add configurable timeout to WordPress login 2015-01-07 17:06:31 +00:00
sinn3r 4c240e8959 Fix #4098 - False negative check for script_mvel_rce
Fix #4098, thanks @arnaudsoullie
2015-01-07 10:40:58 -06:00
sinn3r c60b6969bc Oh so that's it 2015-01-07 10:39:46 -06:00
James Lee efe83a4f31
Whitespace 2015-01-07 10:19:17 -06:00
m7x 89699d1549 Typo workspace_id 2015-01-07 10:58:59 +00:00
Christian Mehlmauer 09bd0465cf
fix regex 2015-01-07 11:54:55 +01:00
rcnunez b3def856fd Applied changes recommended by jlee-r7
used Rex::ConnectionError
refactor begin/rescue blocks
removed ::URI::InvalidURIError
changed @peer with peer
used Exploit::CheckCode:Appears instead of Exploit::CheckCode::Vulnerable
2015-01-07 18:38:19 +08:00
Christian Mehlmauer eaad4e0bea
fix check method 2015-01-07 11:01:08 +01:00
dmooray 8c23e8c2e8 ruby 2.2 compatibility
Fix circular argument reference warnings for ruby 2.2
2015-01-07 12:00:50 +02:00
Christian Mehlmauer 862af074e9
fix bug 2015-01-07 09:10:50 +01:00
Christian Mehlmauer d007b72ab3
favor include? over =~ 2015-01-07 07:33:16 +01:00
Christian Mehlmauer 4277c20a83
use include? 2015-01-07 06:51:28 +01:00
Christian Mehlmauer 39e33739ea
support for anonymous login 2015-01-07 00:08:04 +01:00
Christian Mehlmauer bf0bdd00df
added some links, use the res variable 2015-01-06 23:25:11 +01:00
sinn3r 2ed05869b8 Make Msf::Exploit::PDF follow the Ruby method naming convention
Just changing method names.

It will actually also fix #4520
2015-01-06 12:42:06 -06:00
Christian Mehlmauer f9f2bc07ac
some improvements to the mantis module 2015-01-06 11:33:45 +01:00
William Vu 0bece137c1
Land #4494, Object.class.to_s fix 2015-01-06 02:27:35 -06:00
William Vu f2710f6ba7
Land #4443, BulletProof FTP client exploit 2015-01-06 02:10:42 -06:00
William Vu 482cfb8d59
Clean up some stuff 2015-01-06 02:10:25 -06:00
William Vu 46aa165ca5
Land #4481, enum_users_history improvements 2015-01-06 01:52:38 -06:00
William Vu 745bfb2f35
Clean things up 2015-01-06 01:48:18 -06:00
Meatballs dd5c638ab0
Merge remote-tracking branch 'upstream/master' into extapi_service_post 2015-01-05 22:18:44 +00:00
sinn3r 44dfa746eb Resolve #4513 - Change #inspect to #to_s
Resolve #4513
2015-01-05 11:50:51 -06:00
sinn3r 4257fef91b
Land #4101 - Konica MFP FTP and SMB credential gathering module 2015-01-05 10:31:28 -06:00
rcnunez 547b7f2752 Syntax and File Upload BugFix
Fix unexpected ) in line 118
Fix file cleanup missing _
Fix more robust version check script
Fix file upload
2015-01-05 19:23:22 +08:00
jvazquez-r7 e7affb9048
Land #4493, @pedrib's module for ManageEngine Central Desktop create admin 2015-01-04 23:46:31 -06:00
jvazquez-r7 c5e72fb324 Change module filename 2015-01-04 23:14:12 -06:00
jvazquez-r7 4798f2328d Change module filename 2015-01-04 23:13:17 -06:00
jvazquez-r7 6bb3171328 Do minor cleanup 2015-01-04 23:12:42 -06:00
jvazquez-r7 711b97ecc5 Beautify metadata 2015-01-04 23:08:46 -06:00
rastating 92015ac124 Replace custom login with wordpress_login mixin 2015-01-04 23:07:07 +00:00
rastating 39412c4a48 Add WordPress long password DoS module 2015-01-04 18:50:23 +00:00
Pedro Ribeiro c9b76a806a Create manageengine_auth_upload.rb 2015-01-04 17:05:53 +00:00
Pedro Ribeiro 32d4bf03c3 Add OSVDB id and full disclosure URL 2015-01-04 12:36:51 +00:00
Tim c959d42a29 minor tweak 2015-01-03 10:15:52 +00:00
sinn3r d45cdd61aa Resolve #4507 - respond_to? + send = evil
Since Ruby 2.1, the respond_to? method is more strict because it does
not check protected methods. So when you use send(), clearly you're
ignoring this type of access control. The patch is meant to preserve
this behavior to avoid potential breakage.

Resolve #4507
2015-01-02 13:29:17 -06:00
sinn3r 3c755a6dfa Template 2015-01-02 11:31:28 -06:00
root c348663204 Add McAfee Hashdump 2015-01-02 10:22:11 +00:00
Tod Beardsley c1718fa490
Land #4440, git client exploit from @jhart-r7
Also fixes #4435 and makes progress against #4445.
2015-01-01 13:18:43 -06:00
Tod Beardsley d7564f47cc
Move Mercurial option to advanced, update ref url
See #4440
2015-01-01 13:08:36 -06:00
Tod Beardsley 914c724abe
Rename module
See rapid7#4440
2015-01-01 13:03:17 -06:00
Jon Hart 65977c9762
Add some more useful URLs 2014-12-31 10:54:04 -08:00
Tod Beardsley 264d3f9faa
Minor grammar fixes on modules 2014-12-31 11:45:14 -06:00
Spencer McIntyre 6d966dbbcf
Land #4203, @jvazquez-r7's cleanup for java_rmi_server 2014-12-31 11:25:19 -05:00
Christian Mehlmauer 4f11dc009a
fixes #4490, class.to_s should not be used for checks 2014-12-31 10:46:24 +01:00
Pedro Ribeiro e81e68bdaf Create me_dc9_admin.rb 2014-12-31 02:02:52 +00:00
Brendan Coles cc75c33d60 Use user home directories
Replace hard-coded '/home/' and '/root/' with `~username` shorthand.
2014-12-31 09:12:35 +11:00
Brendan Coles 013e45e83d Add support for MongoDB history 2014-12-31 08:38:58 +11:00
Brendan Coles d2e6f90569 Use a list of users 2014-12-31 08:12:16 +11:00
sinn3r 48919eadb6
Land #4444 - i-FTP BoF 2014-12-30 12:38:28 -06:00
William Vu 4fd4d51d78
Land #4485, Drupageddon greedy regex fix 2014-12-30 10:16:57 -06:00
Christian Mehlmauer 96fe693c54
update drupal regex 2014-12-30 09:12:39 +01:00
sinn3r 555713b6ae
Land #4456 - MS14-068, Kerberos Checksum (plus krb protocol support) 2014-12-29 16:09:28 -06:00
sinn3r f2130311fa Add the MSF blog reference 2014-12-29 16:08:35 -06:00
Brendan Coles 897e993971 Update description 2014-12-30 08:05:53 +11:00
Brendan Coles 8719a36d84 DRY status messages 2014-12-30 08:03:40 +11:00
Brendan Coles 0de80e9c76 Minor changes to style 2014-12-30 07:58:54 +11:00
Brendan Coles 0085bcf075 Use `blank?' instead of `nil?' 2014-12-30 07:38:34 +11:00
Brendan Coles a50ac4050c Add support for PostgreSQL history 2014-12-30 07:33:22 +11:00
Brendan Coles 4ebe0fc0a8 Add support for different shells 2014-12-30 07:26:12 +11:00
jvazquez-r7 d2af956b16 Do minor cleanups 2014-12-29 10:39:51 -06:00
Tod Beardsley 1dd9d60e34
Land #4461, Android cookie database theft
`
Thanks @jvennix-r7!
2014-12-29 08:15:21 -06:00
Tod Beardsley d10222365b
Add Rafay's blog as a reference 2014-12-29 08:12:19 -06:00
Tod Beardsley 1236684954
Use get_uri instead, note lack of Rex::Text method
See rapid7#4461
2014-12-28 15:06:34 -06:00
Tod Beardsley 788e315fd4
Fix msftidy warnings 2014-12-28 14:53:29 -06:00
Borja Merino 9791acd0bf Add stager ipknock shellcode (PR 2) 2014-12-27 22:03:45 +01:00
jvazquez-r7 9f98fd4d87 Info leak webapp ROOT so we can cleanup 2014-12-27 08:47:51 -06:00
jvazquez-r7 5afd2d7f4b Add module for ZDI-14-410 2014-12-26 20:40:28 -06:00
jvazquez-r7 655cfdd416
Land #4321, @wchen-r7's fixes #4246 ms01_026_dbldecode undef method 2014-12-26 12:48:29 -06:00
Jon Hart 51049152b6
Use Rex::Text.rand_mail_address for more realistic fake commit 2014-12-26 10:39:52 -08:00
jvazquez-r7 c1b0385a4b
Land #4460, @Meatballs1's ssl cert validation bypass on powershell web delivery 2014-12-26 12:07:45 -06:00
jvazquez-r7 2bed52dcd5
Land #4459, @bcoles's ProjectSend Arbitrary File Upload module 2014-12-26 11:28:42 -06:00
jvazquez-r7 b5b0be9001 Do minor cleanup 2014-12-26 11:24:02 -06:00
jvazquez-r7 85ab11cf52 Use print_warning consistently 2014-12-26 09:54:38 -06:00
jvazquez-r7 f31a2e070e Use print_warning to print the Kerberos error 2014-12-26 09:22:09 -06:00
jvazquez-r7 d148848d31 Support Kerberos error codes 2014-12-24 18:05:48 -06:00
jvazquez-r7 121c0406e9 Beautify restart_command creation 2014-12-24 15:52:15 -06:00
jvazquez-r7 43ec8871bc Do minor c code cleanup 2014-12-24 15:45:38 -06:00
jvazquez-r7 92113a61ce Check payload 2014-12-24 15:43:49 -06:00
jvazquez-r7 36ac0e6279 Clean get_restart_commands 2014-12-24 14:55:18 -06:00
jvazquez-r7 92b3505119 Clean exploit method 2014-12-24 14:49:19 -06:00
jvazquez-r7 9c4d892f5e Use single quotes when possible 2014-12-24 14:37:39 -06:00
jvazquez-r7 bbbb917728 Do style cleaning on metadata 2014-12-24 14:35:35 -06:00
jvazquez-r7 af24e03879 Update from upstream 2014-12-24 14:25:25 -06:00
Gabor Seljan 0b85a81b01 Use REXML to generate exploit file 2014-12-24 19:23:28 +01:00
Mark Judice 30228bcfe7 Added underscore to user regex in smart_hashdump.rb to support usernames that contain underscores. Issue #4349. 2014-12-23 22:36:11 -06:00
Jon Hart a692656ab7
Update comments to reflect reality, minor cleanup 2014-12-23 19:09:45 -08:00
jvazquez-r7 ebb05a64ea
Land #4357, @Meatballs1 Kerberos Support for current_user_psexec 2014-12-23 20:38:31 -06:00
jvazquez-r7 89d0a0de8d Delete unnecessary connect 2014-12-23 19:35:59 -06:00
jvazquez-r7 265e0a7744 Upper case domain 2014-12-23 19:16:50 -06:00
jvazquez-r7 ed2d0cd07b Use USER_SID instead of DOMAIN_SID and USER_RID 2014-12-23 19:11:05 -06:00
Joe Vennix 8d73794cc8
Add hint for exploit on old devices. 2014-12-23 12:29:08 -06:00
Jon Hart 59f75709ea
Print out malicious URLs that will be used by default 2014-12-23 10:10:31 -08:00
Jon Hart 905f483915
Remove unused and commented URIPATH 2014-12-23 09:40:27 -08:00
Jon Hart 8e57688f04
Use random URIs by default, different method for enabling/disabling Git/Mercurial 2014-12-23 09:39:39 -08:00
Jon Hart bd3dc8a5e7
Use fail_with rather than fail 2014-12-23 08:20:03 -08:00
Jon Hart 015b96a24a
Add back perl and bash related payloads since Windows git will have these and OS X should 2014-12-23 08:13:00 -08:00
Meatballs 16302f752e
Enable generic command 2014-12-23 14:22:26 +00:00
Meatballs a3b0b9de62
Configure module to target bash by default 2014-12-23 14:19:51 +00:00
Meatballs 313d6cc2f8
Add super call 2014-12-23 14:12:47 +00:00
Meatballs 43221d4cb0
Remove redundant debugging stuff 2014-12-23 14:09:12 +00:00
Meatballs 42a10d6d50
Add Powershell target 2014-12-23 14:07:57 +00:00
Meatballs 40c1fb814e
one line if statement 2014-12-23 11:20:24 +00:00
Meatballs b41e259252
Move it to a common method 2014-12-23 11:16:07 +00:00
Brendan Coles 5c82b8a827 Add ProjectSend Arbitrary File Upload module 2014-12-23 10:53:03 +00:00
jvazquez-r7 01cf14d44e Fix banner 2014-12-23 01:02:09 -06:00
jvazquez-r7 4928cd36e4
Land #4187, @BorjaMerino's post module to get output rules 2014-12-23 01:01:03 -06:00
jvazquez-r7 49fef9e514 Do minor module clean up 2014-12-23 01:00:21 -06:00
Jon Hart abec7c206b
Update description to describe current limitations 2014-12-22 20:32:45 -08:00
Jon Hart 1505588bf6
Rename the file to reflect what it really is 2014-12-22 20:27:40 -08:00
Jon Hart ff440ed5a4
Describe vulns in more detail, add more URLs 2014-12-22 20:20:48 -08:00
Jon Hart b4f6d984dc
Minor style cleanup 2014-12-22 17:51:35 -08:00
Jon Hart 421fc20964
Partial mercurial support. Still need to implement bundle format 2014-12-22 17:44:14 -08:00
jvazquez-r7 708cbd7b65 Allow to provide USER SID 2014-12-22 18:24:50 -06:00
jvazquez-r7 56eadc0d55 Delete default values from options 2014-12-22 18:11:43 -06:00
jvazquez-r7 787dab998d Fix description 2014-12-22 17:51:44 -06:00
jvazquez-r7 a7faf798bf Use explicit encryption algorithms 2014-12-22 15:51:17 -06:00
jvazquez-r7 f37cf555bb Use random subkey 2014-12-22 15:39:08 -06:00
Jon Hart fdd1d085ff
Don't encode the payload because this only complicates OS X 2014-12-22 13:36:38 -08:00
Joe Vennix 0bf3a9cd55
Fix duplicate :ua_maxver key. 2014-12-22 14:57:44 -06:00
jvazquez-r7 b0a178e0a3 Delete blank line 2014-12-22 14:40:32 -06:00
jvazquez-r7 5a6c915123 Clean options 2014-12-22 14:37:37 -06:00
jvazquez-r7 20ab14d7a3 Clean module code 2014-12-22 14:29:02 -06:00
Jon Hart ea9f5ed6ca
Minor cleanup 2014-12-22 12:16:53 -08:00
Jon Hart dd73424bd1
Don't link to unused repositories 2014-12-22 12:04:55 -08:00
Jon Hart 6c8cecf895
Make git/mercurial support toggle-able, default mercurial to off 2014-12-22 11:36:50 -08:00
Jon Hart 574d3624a7
Clean up setup_git verbose printing 2014-12-22 11:09:08 -08:00
Jon Hart 16543012d7
Correct planted clone commands 2014-12-22 10:56:33 -08:00
Jon Hart 01055cd41e
Use a trigger to try to only start a handler after the malicious file has been requested 2014-12-22 10:43:54 -08:00
jvazquez-r7 dabc890b2f Change module filename again 2014-12-22 12:35:15 -06:00
jvazquez-r7 2b46bdd929 Add references and authors 2014-12-22 12:34:31 -06:00
jvazquez-r7 4319dbaaef Change module filename 2014-12-22 12:29:28 -06:00
Jon Hart 3bcd67ec2e
Unique URLs for public repo page and malicious git/mercurial repos 2014-12-22 10:03:30 -08:00
William Vu 93be828738
Fix invalid URL in splat 2014-12-22 11:26:20 -06:00
William Vu f1b9862665
Align shellcode in bind_hidden_tcp 2014-12-22 11:17:14 -06:00
Jon Hart 308eea0c2c
Make malicious hook file name be customizable 2014-12-22 08:28:55 -08:00
root 9a7e431a4a New block_api applied 2014-12-22 17:21:13 +01:00
Peregrino Gris 42636fb3c0 Handler and block_hidden_bind_tcp deleted 2014-12-22 17:21:13 +01:00
root fa8e944e34 AHOST OptAddress moved to the payload 2014-12-22 17:21:11 +01:00
Peregrino Gris c0fa8c0e3f Add stager for hidden bind shell payload 2014-12-22 17:21:11 +01:00
Jon Hart 7f3cfd2207
Add a ranking 2014-12-22 07:51:47 -08:00
Jon Cave 44084b4ef6 Correct Microsoft security bulletin for ppr_flatten_rec 2014-12-22 10:40:23 +00:00
Gabor Seljan 9be95eacb8 Use %Q for double-quoted string 2014-12-22 07:37:32 +01:00
jvazquez-r7 60d4525632 Add specs for Msf::Kerberos::Client::Pac 2014-12-21 17:49:36 -06:00
sgabe bb33a91110 Update description to be a little more descriptive 2014-12-21 19:31:58 +01:00
Jon Hart 74783b1c78
Remove ruby and telnet requirement 2014-12-21 10:06:06 -08:00
sgabe cd02e61a57 Add module for OSVDB-114279 2014-12-21 17:00:45 +01:00
Jon Hart 31f320c901
Add mercurial debugging 2014-12-20 20:00:12 -08:00
Jon Hart 3da1152743
Add better logging. Split out git support in prep for mercurial 2014-12-20 19:34:55 -08:00
Jon Hart 58d5b15141
Add another useful URL. Use a more git-like URIPATH 2014-12-20 19:11:56 -08:00
jvazquez-r7 9f1403a63e Add initial specs for Msf::Kerberos::Client::TgsResponse 2014-12-20 20:29:00 -06:00
sgabe 9f97b55a4b Add module for CVE-2014-2973 2014-12-20 18:38:22 +01:00
Jon Hart f41d0fe3ac
Randomize most everything about the malicious commit 2014-12-19 19:31:00 -08:00
Jon Hart 805241064a
Create a partially capitalized .git directory 2014-12-19 19:07:45 -08:00
Jon Hart f7630c05f8
Use payload.encoded 2014-12-19 18:52:34 -08:00
jvazquez-r7 b0ac68fbc3 Create build_subkey method 2014-12-19 19:46:57 -06:00
jvazquez-r7 4a106089b9 Move options to build_tgs_request_body 2014-12-19 19:12:17 -06:00
jvazquez-r7 e6781fcbea Build AuthorizationData from the module 2014-12-19 18:59:39 -06:00
jvazquez-r7 9bd454d288 Build PAC extensions from the module 2014-12-19 18:47:41 -06:00
jvazquez-r7 def1695e80 Use options by call 2014-12-19 18:23:11 -06:00
jvazquez-r7 f332860c19 Clean creation of client and server principal names 2014-12-19 18:16:22 -06:00
jvazquez-r7 bd85723a9d Build pre auth array out of the mixin 2014-12-19 18:10:14 -06:00
Jon Hart 7f2247f86d
Add description and URL 2014-12-19 15:50:16 -08:00
Jon Hart 9b815ea0df
Some style cleanup 2014-12-19 15:35:09 -08:00
Jon Hart 4d0b5d1a50
Add some vprints and use a sane URIPATH 2014-12-19 15:33:26 -08:00
Tod Beardsley d3050de862
Remove references to Redmine in code
See #4400. This should be all of them, except for, of course, the module
that targets Redmine itself.

Note that this also updates the README.md with more current information
as well.
2014-12-19 17:27:08 -06:00
Jon Hart 48444a27af
Remove debugging pp 2014-12-19 15:27:06 -08:00
Jon Hart 1c7fb7cc7d
Mostly working exploit for CVE-2014-9390 2014-12-19 15:24:27 -08:00
jvazquez-r7 d058bd5259 Refact extraction of kerberos cache credentials 2014-12-19 15:53:24 -06:00
Jon Hart 4888ebe68d
Initial commit of POC module for CVE-2013-9390 (#4435) 2014-12-19 12:58:02 -08:00
HD Moore fffa8cfdd1
Lands #4426 by cleaning up the module description 2014-12-19 14:54:17 -06:00
HD Moore 9ede2c2ca5
Lands #4429 by fixing windows/messagebox with EXITFUNC=none 2014-12-19 14:51:57 -06:00
jvazquez-r7 fad08d7fca Add specs for Rex Kerberos client 2014-12-19 12:14:33 -06:00
Joe Vennix e45af903d9
Add patch discovery date. 2014-12-19 12:04:41 -06:00
sinn3r 2c0c732967 Fix #4414 & #4415 - exitfunc and proper null-terminated string
This patch fixes the following for messagebox.rb

Issue 1 (#4415)
When exitfunc is none, the payload will not be able to generate
due to an "invalid opcode" error.

Issue 2: (#4414)
After "user32.dll" is pushed onto the stack for the LoadLibrary
call, the payload does not actually ensure bl is a null byte, it
just assumes it is and uses it to modify the stack to get a
null-terminated string.

Fix #4414
Fix #4415
2014-12-19 03:19:06 -06:00
Joe Vennix 25313b1712
Use the hash to pass the script. 2014-12-19 02:30:37 -06:00
Jon Hart 8d2bd74d31
Add preliminary module to cover 'Misfortune Cookie', CVE-2014-9222 2014-12-18 17:21:26 -08:00
jvazquez-r7 f325d2f60e Add support for cache credentials in the mixin 2014-12-18 16:31:46 -06:00
Tod Beardsley c15bad44a6
Be clearer on backslash usage.
See #4282
2014-12-18 16:16:02 -06:00
jvazquez-r7 9a58617387 Add dummy test module 2014-12-17 19:57:10 -06:00
sinn3r 6b0a98b69c
Resolve #4408 - bad uncaught nil get_once 2014-12-17 14:02:42 -06:00
Meatballs 6a822cca61
Move code out of begin/rescue block 2014-12-17 06:45:00 +00:00
Meatballs dd63d793e5
Bring in @darkoperator's filters 2014-12-17 06:14:21 +00:00
Meatballs 8c7ff728ef
Gather some more info 2014-12-17 05:46:01 +00:00
Joe Vennix 84ea628284
Add Android cookie theft attack. 2014-12-16 19:12:01 -06:00
William Vu f6af86a06d
Land #4402, ms12_020_check NilClass fix 2014-12-16 15:34:25 -06:00
David Maloney f237c56a13
This oracle scheduler exploit hangs if not vuln
When this exploit gets run against a system that isn't vulnerable
it can hang for a signifigant ammount of time. This change uses the check
method on the exploit to see whether it should proceed. Don't try to exploit
the host if it's not vulnerable.
2014-12-16 09:42:42 -06:00
William Vu 2604746fb7
Land #4361, Kippo detector 2014-12-15 14:54:48 -06:00
William Vu 8394cc13a8
Perform final cleanup of detect_kippo 2014-12-15 14:38:38 -06:00
sinn3r c611249723 Take full advantage of the check command 2014-12-15 12:50:59 -06:00
sinn3r 9edb2b4fab Fix #4378 - Do exception handling
Fix #4378
2014-12-15 12:37:36 -06:00
Jon Hart effb5b966f
Land #4328, @bcoles' exploit for ActualAnalyzer < 2.81 'ant' code execution 2014-12-15 09:57:27 -08:00
Jon Hart 025c0771f8
Have exploit call check. Have check report_vuln 2014-12-15 09:53:11 -08:00
sinn3r 4c714b3eaf
Land #4386 - Fix issue #3852 (support for other languages for enable_rdp) 2014-12-15 11:37:05 -06:00
Jon Hart f521e7d234
Use newer Ruby hash syntax 2014-12-15 09:17:32 -08:00
Jon Hart c93dc04a52
Resolve address before storing the working cred 2014-12-15 09:11:12 -08:00
Brent Cook c24fdb81b5
Land #4389, Meatballs1's fix for enum_ad_* post module regressions
Fixes #4387 by adjusting for the new return type from ADSI queries.
2014-12-15 10:45:12 -06:00
Jon Hart 5ca8f187b3 Merge remote-tracking branch 'upstream/pr/4328' into temp 2014-12-15 08:15:51 -08:00
root 6480ae2c03 Show message at the end 2014-12-15 16:26:39 +01:00
root 288954afa0 recvfrom allocation changed 2014-12-14 18:58:48 +01:00
Sean Verity 9a0ed723d1 Adds error handling for drive letter enumeration 2014-12-14 12:56:20 -05:00
Brendan Coles 4530066187 return nil 2014-12-15 01:04:39 +11:00
Brendan Coles 55d9e9cff6 Use list of potential analytics hosts 2014-12-14 23:15:41 +11:00
Meatballs 00b802cc68
Reindent description 2014-12-14 10:04:18 +00:00
rcnunez 223d6b7923 Merged with Fr330wn4g3's changes 2014-12-14 13:08:19 +08:00
Sean Verity 0c5f4ce4ee Removed the handler-ish code 2014-12-13 22:18:41 -05:00
Sean Verity 2addd0fdc4 Fixed name, removed tabs, updated license 2014-12-13 20:37:19 -05:00
HD Moore e3943682a2
Improves linux/armle payloads, lands #3315 2014-12-13 18:27:14 -06:00
HD Moore 6ea5ed1a82
Shrinks windows payloads, lands #4391 2014-12-13 17:41:50 -06:00
HD Moore f67a32ef9c
Add missing commits from #3770, lands #4393 2014-12-13 17:36:26 -06:00
Meatballs 6ecf537f40
Grab user creds to database 2014-12-13 20:30:20 +00:00
Brandon Perry eb47ca593e update desc to include domain admin information 2014-12-13 13:01:41 -06:00
Brandon Perry 2e94280cba mv bmc to scanner/http 2014-12-13 12:58:16 -06:00
HD Moore 5a645c5eba Stagers updated from source 2014-12-13 12:50:47 -06:00
Meatballs e914061745
Gsub out funny character when storing to database 2014-12-13 18:35:31 +00:00
Meatballs 316710329b
Fix field.value 2014-12-13 18:31:29 +00:00
HD Moore 92490ab5e8 Singles updated from the source 2014-12-13 12:22:07 -06:00
Meatballs d3d744a7cb
Make sure we get the field :value 2014-12-13 18:13:36 +00:00
Brandon Perry 8c6b95c39c Merge branch 'landing-4359' of https://github.com/jhart-r7/metasploit-framework into bmc_trackit 2014-12-13 11:37:57 -06:00
Brandon Perry cd1e61a201 Merge branch 'master' into bmc_trackit 2014-12-13 11:36:30 -06:00
Andrew Morris 8dd5da9d64 added blog post reference 2014-12-12 18:53:26 -08:00
jvazquez-r7 b1453afb52
Land #4297, fixes #4293, Use OperatingSystems::Match::WINDOWS
* instead of Msf::OperatingSystems::WINDOWS
2014-12-12 18:19:58 -06:00
jvazquez-r7 5eb510f7bc Use the correct variable for the filename 2014-12-12 17:40:26 -06:00
jvazquez-r7 27323bcaa5 Fix #3852, make enable_rdp with other languages 2014-12-12 17:30:14 -06:00
HD Moore f676b72767
Add Kademlia scanner, lands #4210 2014-12-12 16:40:58 -06:00
HD Moore 338cce02c9 Downcase the service name for consistency 2014-12-12 16:40:42 -06:00
HD Moore 4fc4866fd8 Merge code in from #2395 2014-12-12 16:22:51 -06:00
Tod Beardsley 488f46c8a1
Land #4324, payload_exe rightening.
Fixes #4323, but /not/ #4246.
2014-12-12 15:04:57 -06:00
Tod Beardsley 9908e0e35b
Land #4384, fix typo. 2014-12-12 14:39:47 -06:00
HD Moore 50b734f996 Add Portuguese target, lands #3961 (also reorders targets) 2014-12-12 14:23:02 -06:00
Andrew Morris f5374d1552 Added report_service method for database support, added port number in the print_status output, removed arbitrary comments, fixed some spacing. Ready for another review from msf devs 2014-12-12 11:57:35 -08:00
jvazquez-r7 008c33ff51 Fix description 2014-12-12 13:36:28 -06:00
Tod Beardsley 183acb9582
Land #4383 to handle Dutch correctly. 2014-12-12 13:32:21 -06:00
Tod Beardsley 81460198b0 Add openssl payload to distcc exploit
This is required to test #4274
2014-12-12 13:25:55 -06:00
wez3 3b6e92726c Update outlook rb, "NL" to "nl_NL"
Update outlook rb, "NL" to "nl_NL"
2014-12-12 20:09:34 +01:00
jvazquez-r7 c683e7bc67
Fix banner 2014-12-12 13:01:51 -06:00
jvazquez-r7 b1f7682713 Make msftidy happy 2014-12-12 12:59:00 -06:00
jvazquez-r7 493034ad10 Land #3305, @claudijd Cisco SSL VPN Privilege Escalation exploit 2014-12-12 12:57:00 -06:00
jvazquez-r7 047bc3d752 Make msftidi happy 2014-12-12 12:49:12 -06:00
jvazquez-r7 a1876ce6fc
Land #4282, @pedrib's module for CVE-2014-5445, NetFlow Analyzer arbitrary download 2014-12-12 12:47:50 -06:00
jvazquez-r7 b334e7e0c6
Land #4322, @FireFart's wordpress exploit for download-manager plugin 2014-12-12 12:41:59 -06:00
jvazquez-r7 aaed7fe957 Make the timeout for the calling payload request lower 2014-12-12 12:41:06 -06:00
Jon Hart 00f66b6050
Correct named captures 2014-12-12 10:22:14 -08:00
jvazquez-r7 98dca6161c Delete unused variable 2014-12-12 12:03:32 -06:00
jvazquez-r7 810bf598b1 Use fail_with 2014-12-12 12:03:12 -06:00
Jon Hart 1e6bbc5be8
Use blank? 2014-12-12 09:51:08 -08:00
jvazquez-r7 4f3ac430aa
Land #4341, @EgiX's module for tuleap PHP Unserialize CVE-2014-8791 2014-12-12 11:48:25 -06:00
jvazquez-r7 64f529dcb0 Modify default timeout for the exploiting request 2014-12-12 11:47:49 -06:00
Jon Hart 24f1b916e0 Minor ruby style cleanup 2014-12-12 09:47:35 -08:00
Jon Hart 1d1aa5838f Use Gem::Version to compare versions in check 2014-12-12 09:47:01 -08:00
jvazquez-r7 d01a07b1c7 Add requirement to description 2014-12-12 11:42:45 -06:00
jvazquez-r7 fd09b5c2f6 Fix title 2014-12-12 10:52:18 -06:00
jvazquez-r7 4871228816 Do minor cleanup 2014-12-12 10:52:06 -06:00
jvazquez-r7 a0b181b698
Land #4335, @us3r777 JBoss DeploymentFileRepository aux module 2014-12-12 10:40:03 -06:00
jvazquez-r7 3059cafbcb Do minor cleanup 2014-12-12 10:37:50 -06:00
Jon Hart 751bc7a366 Revert "Move to a more appropriate location"
This reverts commit 6c82529266.
2014-12-12 07:42:22 -08:00
Jon Hart 6c82529266
Move to a more appropriate location 2014-12-12 07:40:37 -08:00
Christian Mehlmauer 0f27c63720
fix msftidy warnings 2014-12-12 13:16:21 +01:00
Jon Hart 65b316cd8c
Land #4372 2014-12-11 18:48:16 -08:00
Jon Hart e5e40307e6
Land #4373 2014-12-11 18:45:53 -08:00
Jon Hart 3c2a33a316
Allow new password to be specified as an option 2014-12-11 17:26:42 -08:00
Jon Hart a013dbf536
Correct and add more prints 2014-12-11 17:16:43 -08:00
Jon Hart 48dcfd9809
Use random security Q/A 2014-12-11 17:10:33 -08:00
Jon Hart f208f31a33
Use correct username/domain in report_vuln
It would be nice if 'vulns' showed this
2014-12-11 16:59:21 -08:00
Jon Hart 70fce0bb33
Report the changed password 2014-12-11 16:56:22 -08:00
Jon Hart f64a3be742
Avoid death by a thousand functions 2014-12-11 16:53:36 -08:00
Jon Hart 0627f708a2
Better handling of failed requests 2014-12-11 16:51:41 -08:00
Jon Hart f2bda05d42 Correct last of the print_ 2014-12-11 16:28:08 -08:00
Jon Hart 9486f67fbc report_vuln upon exploitation with more specific details 2014-12-11 16:28:08 -08:00
Jon Hart 37d0959fd6 Include info in report_vuln. More style 2014-12-11 16:28:08 -08:00
Jon Hart cfb02fe909 Add check support 2014-12-11 16:28:07 -08:00
Jon Hart 44818ba623 Minor style and usage updates as a result of Scanner 2014-12-11 16:28:07 -08:00
Jon Hart 0a29326ce7 Mixin Scanner. Yay speed! 2014-12-11 16:28:07 -08:00
Jon Hart c9acd7a233 Remove unnecessary RPORT, which comes from HttpClient 2014-12-11 16:28:07 -08:00
Jon Hart f8c25d83e5 Use get_cookies instead 2014-12-11 16:26:51 -08:00
Christian Mehlmauer 544f75e7be
fix invalid URI scheme, closes #4362 2014-12-11 23:34:10 +01:00
Christian Mehlmauer de88908493
code style 2014-12-11 23:30:20 +01:00
Tod Beardsley af9979d30b
Ruby style on methods please
Introduced in #4220. This ain't no JavaScript!
2014-12-11 15:24:30 -06:00
dmaloney-r7 47c38ed04e Merge pull request #4364 from todb-r7/bug/bruteforce-speed-3904
Modules should respect bruteforce_speed again
2014-12-11 13:19:42 -06:00
Tod Beardsley 51762e1194
Explicitly include the HTTP Login scanner
This should be the last commit that fixes #3904.
2014-12-11 11:08:08 -06:00
Tod Beardsley b533f74024
Add a bruteforce_speed option to all LoginScanners 2014-12-11 11:06:32 -06:00
Jon Hart 24dbc28521
Land #4356 2014-12-11 09:03:18 -08:00
Brandon Perry 54e8254a82 Update bmc_trackit_passwd_reset.rb 2014-12-11 10:59:43 -06:00
Andrew Morris 7afa87f168 screwed up formatting. updated indention at the end. ok seriously, going to bed now 2014-12-11 01:05:56 -08:00
Andrew Morris 291166e1ff forgot to run through msftidy.rb. made a few minor corrections 2014-12-11 00:47:39 -08:00
Andrew Morris a1624c15ae Addressed some recommendations made by wvu-r7. Need to remove some comments, add reporting, etc. 2014-12-11 00:40:20 -08:00
Andrew Morris 22c9db5818 added detect_kippo.rb 2014-12-10 19:37:35 -08:00
Brandon Perry 67cf3e74c0 Update bmc_trackit_passwd_reset.rb 2014-12-10 20:45:54 -06:00
Brandon Perry 90cc9a9bed Update bmc_trackit_passwd_reset.rb 2014-12-10 19:05:46 -06:00
Brandon Perry f37dc13a19 Create bmc_trackit_passwd_reset.rb 2014-12-10 18:54:37 -06:00
Tod Beardsley 0eea9a02a1
Land #3144, psexec refactoring 2014-12-10 17:30:39 -06:00
Meatballs c813c117db
Use DNS names 2014-12-10 22:25:44 +00:00
Marc Wickenden 245b76477e Fix issue with execution of perl due to gsub not matching across newlines 2014-12-10 21:38:04 +00:00
Spencer McIntyre 86ae104580
Land #4325, consistent mssql module names 2014-12-09 21:52:05 -05:00
sinn3r 87c83cbb1d Another round of name corrections 2014-12-09 20:16:24 -06:00
Jonathan Claudius e89a399f95 Merge remote-tracking branch 'upstream/master' into add_cisco_ssl_vpn_priv_esc 2014-12-09 20:55:01 -05:00
Tod Beardsley 09617f990b Implement BRUTEFORCE_SPEED respect (telnet)
This implements just for telnet, but assuming this strategy is kosher,
it's not too painful to add for the rest of the LoginScanner using the
old defaults used by `AuthBrute`.

See #3904, @dmaloney-r7 or @jlee-r7
2014-12-09 15:40:43 -06:00
HD Moore 176296681a
Fix heartbleed cert parsing, lands #4338, closes #4309 2014-12-09 14:58:27 -06:00
sinn3r bb8dfdb15f Ensure consistency for mssql modules 2014-12-09 10:28:45 -06:00
EgiX 700ccc71e7 Create tuleap_unserialize_exec.rb 2014-12-09 10:15:46 +01:00
Christian Mehlmauer 916503390d
use get_data 2014-12-08 22:49:02 +01:00
Christian Mehlmauer fb9724e89d
fix heartbleed cert parsing, fix #4309 2014-12-08 21:58:38 +01:00
us3r777 4abfb84cfc Upload WAR through Jboss DeploymentFileRepository 2014-12-08 19:02:51 +01:00
Tod Beardsley 909971e0bf
Margins on description, PowerShell not Powershell 2014-12-08 10:57:49 -06:00
Tod Beardsley 80dc781625
Email over E-mail
While I believe "e-mail" is the actually correct spelling, we tend to
say "email" everywhere else. See:

````
todb@mazikeen:~/git/rapid7/metasploit-framework$ grep -ri "print.*email"
modules/ | wc -l
19
[ruby-2.1.5@metasploit-framework](fixup-grammar)
todb@mazikeen:~/git/rapid7/metasploit-framework$ grep -ri
"print.*e-mail" modules/ | wc -l
1
````
2014-12-08 10:55:26 -06:00
Christian Mehlmauer 738fc78883
Land #4220, outlook gather post module 2014-12-07 22:41:28 +01:00
Pedro Ribeiro 98e416f6ec Correct OSVDB id 2014-12-07 17:54:31 +00:00
Pedro Ribeiro e474ecc9cf Add OSVDB id 2014-12-07 17:41:35 +00:00
jvazquez-r7 54705eee48 Fix option parsing 2014-12-06 21:50:54 -06:00
jvazquez-r7 21742b6469 Test #3729 2014-12-06 21:20:52 -06:00
Brendan Coles 42744e5650 Add actualanalyzer_ant_cookie_exec exploit 2014-12-06 19:09:20 +00:00
Christian Mehlmauer cc63d435c7
another whitespace 2014-12-06 09:32:22 +01:00
Christian Mehlmauer f0a47f98bc
final formatting 2014-12-06 00:38:05 +01:00
Christian Mehlmauer f1f743804e
more formatting 2014-12-06 00:31:38 +01:00
Christian Mehlmauer 9187a409ec
outlook post module fixes 2014-12-06 00:28:44 +01:00
William Vu 2f98a46241
Land #4314, @todb-r7's module cleanup 2014-12-05 14:05:09 -06:00
sinn3r 4b06334455 Minor title change for mssql_enum_domain_accounts_sqli
We don't really do "-" for naming

Kind of stands up on a list
2014-12-05 11:42:08 -06:00
sinn3r 7ae786a53b Add a comment as an excuse to tag the issue
Fix #4246

... so it will automatically close the ticket.
2014-12-05 11:26:26 -06:00
sinn3r f25e3ebaaf Fix #4246 - More undef 'payload_exe' in other modules
Root cause: payload_exe is an accessor in the TFPT command stager
mixin, you need stager_instance in order to retreive that info.
2014-12-05 11:19:58 -06:00
headlesszeke 8d1ca872d8 Now with logging of command response output 2014-12-05 10:58:40 -06:00
Christian Mehlmauer 5ea062bb9c
fix bug 2014-12-05 11:30:45 +01:00
Christian Mehlmauer 55b8d6720d
add wordpress download-manager exploit 2014-12-05 11:17:54 +01:00
sinn3r e3f7398acd Fix #4246 - Access payload_exe information correctly
This fixes an undef method 'payload_exe' error. We broke this when
all modules started using Msf::Exploit::CmdStager as the only source
to get a command stager payload. The problem with that is "payload_exe"
is an accessor in CmdStagerTFTP, not in CmdStager, so when the module
wants to access that, we trigger the undef method error.

To be exact, this is the actual commit that broke it:
7ced5927d8

Fix #4246
2014-12-05 02:08:13 -06:00
Jon Hart 85e0d72711
Land #4229, @tatehansen's module for CVE-2014-7992 2014-12-04 17:20:49 -08:00
Jon Hart f0cfcd4faf
Update dlsw_leak_capture name and print_
This makes it more obvious exactly what is being scanned for
2014-12-04 17:20:01 -08:00
Pedro Ribeiro e5bdf225a9 Update netflow_file_download.rb 2014-12-04 21:32:19 +00:00
Jon Hart 52851d59c0
Update GATEWAY to GATEWAY_PROBE_HOST, add GATEWAY_PROBE_PORT 2014-12-04 13:26:16 -08:00
Jon Hart 6bd56ac225
Update any modules that deregistered NETMASK 2014-12-04 13:22:06 -08:00
Meatballs e471271231
Move comment 2014-12-04 20:24:37 +00:00
Meatballs c14ba11e79
If extapi dont stage payload 2014-12-04 20:17:48 +00:00
Tod Beardsley 79f2708a6e
Slight fixes to grammar/desc/whitespace
Note that the format_all_drives module had a pile of CRLFs that should
have been caught by msftidy. Not sure why it didn't.
2014-12-04 13:11:33 -06:00
wez3 7c62fa5c95 Add Windows post module for reading/searching Outlook e-mail #8 2014-12-04 14:28:40 +01:00
tate 3aecd3a10e added DLSw v1 and v2 check, added check for \x00 in leak segment 2014-12-03 23:27:11 -07:00
sinn3r 2fcbcc0c26 Resolve merge conflict for ie_setmousecapture_uaf (#4213)
Conflicts:
	modules/exploits/windows/browser/ie_setmousecapture_uaf.rb
2014-12-03 14:12:15 -06:00
wez3 3cadcb942a Add Windows post module for reading/searching Outlook e-mail #7 2014-12-03 18:30:22 +01:00
William Vu 3a978e1147
Land #4280, frontpage_login improvements 2014-12-02 14:56:57 -06:00
sinn3r a631ee65f6 Fix #4293 - Use OperatingSystems::Match::WINDOWS
Fix #4293. Modules should use OperatingSystems::Match::WINDOWS
instead of Msf::OperatingSystems::WINDOWS, because the second
won't match anything anymore.
2014-12-02 13:46:27 -06:00
HD Moore b29e53984e Merge master with merge of PR #4225 2014-12-02 11:58:30 -06:00
HD Moore fc96d011ab
Python reverse_http stager, lands #4225 2014-12-02 11:47:31 -06:00
HD Moore 7fe72fd118 Cosmetic tweaks for #4225 2014-12-02 11:47:14 -06:00
wez3 611e8c72eb Add Windows post module for reading/searching Outlook e-mail #6 2014-12-02 14:05:08 +01:00
sinn3r a88ee0911a Fix os detection
See #3373
2014-12-02 01:15:55 -06:00
sinn3r a42c7a81e7 Fix os detection
See #4283
2014-12-02 01:13:51 -06:00
headlesszeke 564488acb4 Changed and to && 2014-12-02 00:02:53 -06:00
headlesszeke 280e10db55 Add module for Arris VAP2500 Remote Command Execution 2014-12-01 23:07:56 -06:00
William Vu 394d132d33
Land #2756, tincd post-auth BOF exploit 2014-12-01 12:13:37 -06:00
jvazquez-r7 0ab2e99419
Delete version from title 2014-12-01 10:24:12 -06:00
jvazquez-r7 d1e8b160c7
Land #4271, @espreto's module for CVE-2014-7816 WildFly's Traversal
* Issue in the web server JBoss Undertow
2014-12-01 10:22:47 -06:00
jvazquez-r7 f4e20284a4 Change mixin include order 2014-12-01 10:22:20 -06:00
jvazquez-r7 d85aabfed9 Use vprint by default 2014-12-01 10:20:12 -06:00
jvazquez-r7 e0cb0f7966 Fix description 2014-12-01 10:19:14 -06:00
jvazquez-r7 fa07b466d6 Use single quote and minor cosmetic changes 2014-12-01 09:57:29 -06:00
jvazquez-r7 d5888a7f6f Fix module options 2014-12-01 09:55:36 -06:00
jvazquez-r7 47acf3487d Do minor cleanup
* Prepend peer
* Use print_good when file downloaded
2014-12-01 09:53:00 -06:00
sinn3r 0f973fdf2b Fix #4284 - Typo "neline" causing the exploit to break
"neline" isn't supposed to be there at all.
2014-12-01 01:24:30 -06:00
Tim 5c50a07c0f futex_requeue 2014-12-01 03:49:22 +00:00
jvazquez-r7 7a2c9c4c0d
Land #4263, @jvennix-r7's OSX Mavericks root privilege escalation
* Msf module for the Ian Beer exploit
2014-11-30 21:13:07 -06:00
jvazquez-r7 b357fd88a7 Add comment 2014-11-30 21:08:38 -06:00
jvazquez-r7 0ab99549bd Change ranking 2014-11-30 21:08:12 -06:00
jvazquez-r7 7772da5e3f Change paths, add makefile and compile 2014-11-30 21:06:11 -06:00
Roberto Soares Espreto e4b3ee2811 Changed the module name. 2014-12-01 01:00:14 -02:00
Roberto Soares Espreto ecbce679a8 Remove timeout on line 59. 2014-12-01 00:51:12 -02:00
Roberto Soares Espreto f3957ea428 FILEPATH changed from false to true. 2014-12-01 00:48:47 -02:00
Roberto Soares Espreto 97ee975235 Deleted checking on line 48. 2014-12-01 00:46:58 -02:00
jvazquez-r7 d7d1b72bce Rename local_variables 2014-11-30 20:40:55 -06:00
Roberto Soares Espreto 84ce573227 Deleted line 61 which returns the server status code. 2014-12-01 00:39:05 -02:00
jvazquez-r7 d77c02fe43 Delete unnecessary metadata 2014-11-30 20:37:34 -06:00
jvazquez-r7 ff30a272f3 Windows paths need 2 backslashes 2014-11-30 18:54:41 -06:00
jvazquez-r7 223bc340e4 Prepend peer 2014-11-30 18:46:15 -06:00
jvazquez-r7 5ad3cc6296 Make FILEPATH mandatory 2014-11-30 18:45:23 -06:00
jvazquez-r7 b1b10cf4e5 Use Rex::ConnectionError 2014-11-30 18:44:25 -06:00
jvazquez-r7 a549cbbef8 Beautify metadata 2014-11-30 18:44:03 -06:00
Deral Heiland 0887127264 Fixed several recommended changes by jvazquez-r7 and jlee-r7 2014-11-30 00:53:24 -05:00
Pedro Ribeiro 26d9ef4edd Explain about Windows back slashes on option 2014-11-30 00:15:44 +00:00
Pedro Ribeiro 2fb38ec7bb Create exploit for CVE-2014-5445 2014-11-30 00:12:37 +00:00
Tiago Sintra 6f6274735f Update frontpage_login.rb
Vhost is now used if specified.
Added X-Vermeer-Content-Type header, which seems to be required for the RPC service otherwise server responds with:
method=
status=

    status=262147
    osstatus=0
    msg=No "CONTENT_TYPE" on CGI environment.
    osmsg=
2014-11-28 17:21:47 +00:00
sinn3r f7f4a191c1
Land #4255 - CVE-2014-6332 Internet Explorer 2014-11-28 10:12:27 -06:00
sinn3r 2a7d4ed963 Touchup 2014-11-28 10:12:05 -06:00
OJ 48904c2d63
Land #4277 - vmware-mount configurable directory 2014-11-28 08:05:42 +10:00
Rasta Mouse 985838e999 Suggestions from OJ 2014-11-27 21:38:50 +00:00
HD Moore 10a05a393c
Add format_all_drives payload, lands #4268 2014-11-27 11:44:44 -06:00
HackSys Team 4a4608adbc Add format_all_drives shellcode for Windows x86_x64 2014-11-27 23:06:54 +05:30
Rasta Mouse 25ecf73d7d Add configurable directory, rather than relying on the session working
directory.
2014-11-27 17:12:37 +00:00
HackSys Team 8473ed144a Add format_all_drives shellcode for Windows x86_x64 2014-11-27 14:13:49 +05:30
Roberto Soares Espreto d75ffc36da Changed the description of FILEPATH 2014-11-27 00:50:34 -02:00
Roberto Soares Espreto f8dc366f42 Add CVE-2014-7816 Directory Traversal for WildFly 8 Application 2014-11-27 00:13:29 -02:00
peregrino 84bb5b5215 Rex::Socket.to_sockaddr changed 2014-11-26 17:51:38 +01:00
peregrino 16b64ff42a Rex::Socket.to_sockaddr changed 2014-11-26 17:51:05 +01:00
Joe Vennix cc33566ca8
Land #4265, @shuckins-r7 fix for RPORT error on UDP sweep. 2014-11-26 10:27:15 -06:00
Jon Hart 79b2b5e231 RPORT is required by UDPScanner; deregister instead 2014-11-26 07:39:14 -08:00
HackSys Team f5633ba3c3 Add format_all_drives shellcode for Windows x86_x64 2014-11-26 20:29:25 +05:30
peregrino 16a9450d43 session.tunnel_peer changed by session.session_host. Other minor changes 2014-11-26 12:08:54 +01:00
OJ 75e5553cd4 Change to in exploit 2014-11-26 16:53:30 +10:00
jvazquez-r7 9524efa383 Fix banner 2014-11-25 23:14:20 -06:00
jvazquez-r7 16ed90db88 Delete return keyword 2014-11-25 23:11:53 -06:00
jvazquez-r7 85926e1a07 Improve check 2014-11-25 23:11:32 -06:00
jvazquez-r7 5a2d2914a9 Fail on upload errors 2014-11-25 22:48:57 -06:00
jvazquez-r7 b24e641e97 Modify exploit logic 2014-11-25 22:11:43 -06:00
jvazquez-r7 4bbadc44d6 Use Msf::Exploit::FileDropper 2014-11-25 22:00:42 -06:00
jvazquez-r7 7fbd5b63b1 Delete the Rex::MIME::Message gsub 2014-11-25 21:54:50 -06:00
jvazquez-r7 eaa41e9a94 Added reference 2014-11-25 21:37:04 -06:00
jvazquez-r7 2c207597dc Use single quotes 2014-11-25 18:30:25 -06:00
jvazquez-r7 674ceeed40 Do minor cleanup 2014-11-25 18:26:41 -06:00
jvazquez-r7 6ceb47619a Change module filename 2014-11-25 18:09:15 -06:00
jvazquez-r7 1305d56901 Update from upstream master 2014-11-25 18:07:13 -06:00
jvazquez-r7 5615d65aee Do minor cleanup 2014-11-25 17:35:07 -06:00
jvazquez-r7 d4e5cd25e1 Report credentials for new login level 15 2014-11-25 16:35:16 -06:00
jvazquez-r7 dc253efa19 Use Rex::Text.rand_text* 2014-11-25 16:35:06 -06:00
jvazquez-r7 f20afff1a8 Do return instead of abort 2014-11-25 16:34:57 -06:00
jvazquez-r7 d876efaa0f Delete ssh_socket attribute 2014-11-25 16:34:47 -06:00
jvazquez-r7 5091bc76ad Do minor cleanup 2014-11-25 16:34:22 -06:00
jvazquez-r7 c92a26e967 Update from upstream master 2014-11-25 16:30:45 -06:00
jvazquez-r7 5f4760c58e Print final results in a table 2014-11-25 14:01:29 -06:00
jvazquez-r7 d998d97aaa Refactor build_user_sid 2014-11-25 13:58:47 -06:00
jvazquez-r7 aad860a310 Make conditional easier 2014-11-25 13:54:08 -06:00
jvazquez-r7 ba57bc55b0 Don't report service 2014-11-25 13:52:22 -06:00
jvazquez-r7 059b0e91da Don't report service
* The mssql could be in a third host, not rhost
2014-11-25 13:50:42 -06:00
jvazquez-r7 b467bda2d6 Reuse local variable 2014-11-25 13:49:24 -06:00
jvazquez-r7 31a84ef6ff Make ternary operator more readable 2014-11-25 13:44:50 -06:00
jvazquez-r7 be566e5ad3 Use a lower fuzz number by default 2014-11-25 13:42:47 -06:00
jvazquez-r7 cd43f83cd7 Delete unnecessary comments
* No need to comment every step, just relevant
comments to undrestad code.
2014-11-25 13:40:57 -06:00
jvazquez-r7 f93dbc6deb Use the target domain name 2014-11-25 13:36:48 -06:00
jvazquez-r7 7c87603b0e Add progress information 2014-11-25 13:23:36 -06:00
jvazquez-r7 8e5b37ea6e Fix reporting 2014-11-25 13:20:31 -06:00
jvazquez-r7 93539ae4c6 Use shorter variable name 2014-11-25 13:04:31 -06:00
jvazquez-r7 271f982f34 Use peer 2014-11-25 13:03:48 -06:00
jvazquez-r7 c549508abb Use vprint 2014-11-25 13:03:18 -06:00
jvazquez-r7 249fb79a21 Fix print_* calls 2014-11-25 13:02:53 -06:00
jvazquez-r7 87cfd7c321 Dont use disconnect 2014-11-25 13:00:53 -06:00
jvazquez-r7 fb8372f505 Fix metadata 2014-11-25 12:59:11 -06:00
jvazquez-r7 71f35f5cd6 Update from upstream master 2014-11-25 12:46:44 -06:00
Joe Vennix 3a5de9970f
Update description, rename xnu_ver -> osx_ver. 2014-11-25 12:38:29 -06:00
Joe Vennix 7a3fb12124
Add an OSX privilege escalation from Google's Project Zero. 2014-11-25 12:34:16 -06:00
nullbind 4bd579bc1c added mssql_enum_domain_accounts_sqli 2014-11-25 09:57:20 -06:00
wez3 5294594379 dd Windows post module for reading/searching Outlook e-mail #5 Add DE 2014-11-25 14:36:14 +01:00
William Vu 64f2b45ef4
Land #4258, release fixes 2014-11-24 21:44:14 -06:00
jvazquez-r7 71669b9f9e Change module filename 2014-11-24 20:34:12 -06:00
jvazquez-r7 5c4b1b0283 Output some information 2014-11-24 20:31:26 -06:00
jvazquez-r7 6e9cd331b3 Modify description 2014-11-24 20:28:38 -06:00
jvazquez-r7 261da9306e Use store_loot 2014-11-24 20:22:21 -06:00
jvazquez-r7 cf52dd895f Refactor search 2014-11-24 20:20:37 -06:00
jvazquez-r7 2fa5223d3b move check out of the begin block 2014-11-24 19:28:53 -06:00
jvazquez-r7 90bdc770b5 Use literal creation notation 2014-11-24 19:27:50 -06:00
jvazquez-r7 2c4caeed29 Clean metadata 2014-11-24 19:26:12 -06:00
jvazquez-r7 443dd7b6c0 Use constants 2014-11-24 19:04:02 -06:00
jvazquez-r7 250250beb0 Fix indentation 2014-11-24 18:58:07 -06:00
jvazquez-r7 88ccffacb4 Update from upstream master 2014-11-24 18:32:35 -06:00
Jon Hart 0ed356f71c
Move Kademlia stuff to a more OO model, etc, per reviews
All of the work is done in rex.  The msf mixin just prevents the
desire to call rex directly from the module
2014-11-24 14:03:43 -08:00
Tod Beardsley bd948eb346
Normalize author name
From #4061, please don't decorate author names with URLs.
2014-11-24 13:03:42 -06:00
jvazquez-r7 343a0d78bc Delete admin check 2014-11-24 12:28:19 -06:00
jvazquez-r7 7164c4e038 Use shorter filename 2014-11-24 12:10:08 -06:00
jvazquez-r7 021b27dd83 Clean reporting 2014-11-24 12:01:09 -06:00
jvazquez-r7 f74ab34881 Delente unnecessary check 2014-11-24 11:50:41 -06:00
jvazquez-r7 3c858c793a Use vprint 2014-11-24 11:49:36 -06:00
spdfire 583494c0db use BrowserExploitServer 2014-11-24 18:49:27 +01:00
jvazquez-r7 4a169210ab Use vprint 2014-11-24 11:48:16 -06:00
jvazquez-r7 ecb74c543a Beautify description 2014-11-24 11:27:32 -06:00
jvazquez-r7 c52104e91d Beautify metadata 2014-11-24 11:24:41 -06:00
jvazquez-r7 fcb4bea3c1 Fix code comments 2014-11-24 11:23:27 -06:00
Tod Beardsley 77b1f2d2f0
Fixup for release
Fixes the grammar on the SMTP enumeration module and the Cisco CDP
module, and adds a more informative description and reference for the
CDP module introduced on PR #4061.
2014-11-24 10:50:43 -06:00
jvazquez-r7 10d0305cb2 Update from upstream master 2014-11-24 09:48:43 -06:00
Jon Hart e9750e2df8
Minor style/usability cleanups 2014-11-24 06:57:31 -08:00
spdfire 08a67d78c5 module for CVE-2014-6332. 2014-11-24 08:25:18 +01:00
sinn3r 57419bb0fc Fix #4253 - Print access level for snmp_login
Fix #4253 - module should print the access level
2014-11-22 23:09:15 -06:00
tate 9828598cb7 removing timeout method and option 2014-11-22 00:28:56 -07:00
tate 57b04f96a7 working with DLSw protocol check 2014-11-21 23:54:00 -07:00
tate b9a274f869 improving DLSw detection 2014-11-21 18:58:02 -07:00
wez3 53b69583f4 Add Windows post module for reading/searching Outlook e-mail #4 2014-11-21 20:00:30 +01:00
jvazquez-r7 3ac1f7d4fb
Land #4242, @Meatballs1 fix for sap_service_discovery report_note
* I cannot reproduce @Meatballs1 issue
* But I noticed report_note should :update with :unique_data
* Fixed the :update
2014-11-21 10:16:08 -06:00
jvazquez-r7 e30ee9fee2 Update with :unique_data 2014-11-21 10:14:39 -06:00
HD Moore 99a23ada5c Module cleanup, error handling, and reporting 2014-11-20 16:18:20 -06:00
Jon Hart e255db9429
Partial commit 2014-11-20 13:49:36 -08:00
Jon Hart 94e5ba13a4 YARD and spec cleanup 2014-11-20 13:28:01 -08:00
Jon Hart df36ac910d Mostly complete Kademlia PING / BOOTSTRAP scanner 2014-11-20 13:28:01 -08:00
Jon Hart ab49d01a1b Add beginnings of Kademlia gather module and protocol support 2014-11-20 13:28:00 -08:00
HD Moore 2f6c4a9ba4 Slight tweak to description/author email formatting 2014-11-20 14:53:52 -06:00
Meatballs ee15179441
Fix service discovery errors 2014-11-20 18:22:33 +00:00
Rich Whitcroft 8306d739e3 add scanner module to extract domain from NTLM challenge 2014-11-20 11:02:21 -05:00
Mark Schloesser 8e7e5590c9 rename SHELLARG to ARGV0 because that's really what it is 2014-11-19 22:14:24 +01:00
mschloesser-r7 ac4c11ca39 work on linux/armle/shell_bind/tcp
same changes as to shell_reverse_tcp
2014-11-19 21:53:23 +01:00
mschloesser-r7 fd7248b3c0 work on linux/armle/shell_reverse_tcp
shorten the execve code, remove exit, grow argv[0] space
2014-11-19 21:53:23 +01:00
Mark Schloesser 9e9954e831 fix placeholder to show the firmware version I used 2014-11-19 21:23:39 +01:00
Mark Schloesser a718e6f83e add exploit for r7-2014-18 / CVE-2014-4880 2014-11-19 21:07:02 +01:00
Tod Beardsley 6a58774dd6
Land #4234, crediting @jduck 2014-11-19 12:43:04 -06:00
tate a4a1048f95 modified to get data collection off sock working 2014-11-19 11:17:58 -07:00
Jon Hart 684975a315 Use correct target address for fake As 2014-11-19 08:28:56 -08:00
Jon Hart 3777e78a85 Sanitize creation of target host. Return minimal for SRV 2014-11-19 08:28:56 -08:00
Jon Hart 52e004d8ab Use less conflicting name for SRV record port 2014-11-19 08:28:56 -08:00
Jon Hart ee90e4353b Add more consistent logging for fakedns types that support fake vs bypass 2014-11-19 08:28:55 -08:00
Jon Hart 0910275fac Don't artificially insert additional records when BYPASS 2014-11-19 08:28:55 -08:00
Fatih Ozavci a38cb3ee53 @jhart-r7 commits are accepted and conflicts fixed. 2014-11-19 08:28:55 -08:00
Fatih Ozavci ab7f6866f5 FAKE and BYPASS actions are implemented for SRV queries 2014-11-19 08:28:55 -08:00