26b17d5556
Clean get_router_mac_filter_info
2015-01-23 17:18:07 -06:00
a63625ab51
Refactor response parsing
2015-01-23 17:09:01 -06:00
c9a13bda2f
Do a first easy clean up
2015-01-23 16:37:55 -06:00
dcf0d7f596
Make msftidy happy
2015-01-23 16:23:21 -06:00
f83b87f611
Rebase #3019
2015-01-23 16:14:01 -06:00
f3a2d6663f
Fix #4616 and Fix #3798 - Correctly use OptRegexp
...
This patch fixes a problem with OptRegexp. The OptRegexp class is
always forcing the value to be converted to a string first, which
causes the EXCLUDE option in browser_autopwn to kick in and match
every found autopwn module, so it ignores all of them and you load
nothing (#4616 ).
It is important to understand that nil actually represents an option
not being set, which is a completely different behavior than having
an empty value (technically "" is still a value, and if there's a
value, it means the option is set). We need to watcher for these
scenarios.
I am restoring the #default method to avoid forcing a to_s, which should
fix the browser autopwn loading problem. And then I changed scraper.rb's
default value for datastore option PATTERN to a string, because still
fixes #3798 . The way I see it, #3798 is actually a module-specific issue.
Fix #4616
Fix #3798
2015-01-23 02:38:26 -06:00
419fa93897
Add OSVDB and WPScan references
2015-01-23 09:27:42 +01:00
dfbbc79e0d
make retries a datastore option
2015-01-23 09:23:09 +01:00
11bf58e548
Use metasploit methods
2015-01-23 08:48:52 +01:00
d8aa282482
Delete some double quotes
2015-01-22 18:21:25 -06:00
4c72b096b6
Switch variable from file_name to operation
2015-01-22 18:20:11 -06:00
b003d8f750
Do final cleanup
2015-01-22 18:17:14 -06:00
911485f536
Use easier key name
2015-01-22 18:11:48 -06:00
eff49b5fd3
Delete files with Rex::Java::Serialization
2015-01-22 17:59:43 -06:00
37bf66b994
Install instaget with Rex::Java::Serialization
2015-01-22 16:54:49 -06:00
20d7fe631e
Auto detect platform without raw streams
2015-01-22 15:15:08 -06:00
ad276f0d52
Retrieve version with Rex::Java::Serialization instead of binary streams
2015-01-22 14:52:19 -06:00
980a010e15
Land #4627 , explicit rubygems require fix
...
And a couple extraneous comma fixes.
2015-01-22 13:49:31 -06:00
bd06b48b30
Extra commas.
2015-01-22 13:45:08 -06:00
2e606cd097
Don't require rubygems
2015-01-22 13:44:58 -06:00
e46395f592
Land #4596 , @pdeardorff-r7's memcached extractor
2015-01-22 08:00:19 -08:00
1cdcd3ccfa
Use a more consistent format in Rex table and loot for memcache
2015-01-22 07:59:48 -08:00
e7c21f3205
Land #4503 , @m7x's post module for extracting McAfee VSE hashes
2015-01-21 20:44:41 -08:00
9cc58a8d69
Lastly, rename the file so that it is specific to McAfee VSE
2015-01-21 20:44:34 -08:00
683a541064
Tighten up prints to make it specific to VSE, not McAfee in general
2015-01-21 20:33:54 -08:00
52be3d80b7
Minor ruby style cleanup
2015-01-21 20:27:38 -08:00
ceed293969
Remove unnecessary requires
2015-01-21 20:23:03 -08:00
b61538e980
Land #4291 , @headlesszeke's module for ARRIS VAP2500 command execution
2015-01-21 20:52:31 -06:00
33195caff2
Mark compatible payloads
2015-01-21 20:52:04 -06:00
500d7159f1
Use PAYLOAD instead of CMD
2015-01-21 20:49:05 -06:00
f37ac39b4c
Split exploit cmd vs exploit session
2015-01-21 20:46:37 -06:00
e1d1ff17fd
Change failure code
2015-01-21 20:38:33 -06:00
169052af5c
Use cookie option
2015-01-21 20:37:38 -06:00
f73052710d
Correct recent msftidy change in outlook gather
2015-01-21 13:27:48 -08:00
46a0ec8a68
Make timeout for Powershell scripts configurable
2015-01-21 13:24:43 -08:00
c866caac43
Randomize MLet name
2015-01-21 00:36:34 -06:00
37ed1b1e62
Delete default values for datastore options
2015-01-21 00:14:46 -06:00
a996efc807
Refactor exploit code
2015-01-21 00:07:00 -06:00
2de2e657f0
Refactor get_mbean_server
2015-01-20 23:44:33 -06:00
d90f856c00
Delete sock_server variable
2015-01-20 20:51:20 -06:00
b792c0a5bf
Create exploit_mbean_server method
2015-01-20 20:44:10 -06:00
0b2d65749b
Do better argument handling on Msf::Jmx::Mbean::ServerConnection
2015-01-20 18:46:09 -06:00
b97c0fe398
Add Msf::Jmx::Util#extract_unicast_ref
2015-01-20 17:46:42 -06:00
0d4d06fb83
Print table for all scans, add preview size option
2015-01-20 11:12:47 -08:00
f1bf607386
Minor Ruby style cleanup
2015-01-20 08:47:47 -08:00
ef89a3d323
Add protocol reference
2015-01-20 08:34:08 -08:00
9c97824d5c
Move MAXKEYS to advanced
2015-01-20 08:28:49 -08:00
9d430eb1d5
Use the simpler 'version' command to get the version
2015-01-20 08:16:22 -08:00
6588f92206
Move rex connection errors to vprint since this is a Scanner
2015-01-20 08:11:09 -08:00
10100df054
report_service
2015-01-20 08:09:35 -08:00
b0bbce1190
Include peer in most prints
2015-01-20 08:00:02 -08:00
bd0a20a717
Update outlook.rb execute_script time_out
...
I have been using the script in real life cases which have bigger e-mailboxes then in the testing environment. Because of execute_script default time_out no results return, as the powershell scripts run longer then 15 seconds. Changed the timeout to 120.
2015-01-20 11:16:37 +01:00
f7aaad1cf1
Delete some extraneous commas
2015-01-19 17:25:45 -06:00
dbc77a2857
Land #4517 , @pedrib's exploit for ManageEngine Multiple Products Authenticated File Upload
...
* CVE-2014-5301
2015-01-19 17:23:39 -06:00
6403098fbc
Avoid sleep(), survey instead
2015-01-19 17:22:04 -06:00
a6e351ef5d
Delete unnecessary request
2015-01-19 17:14:23 -06:00
ed26a2fd77
Avoid modify datastore options
2015-01-19 17:11:31 -06:00
3c0efe4a7e
Do minor style changes
2015-01-19 15:36:05 -06:00
9d3397901b
Correct version numbers and code tidy up
2015-01-19 20:59:46 +00:00
ddda0b2f4b
Beautify metadata
2015-01-19 14:59:31 -06:00
43e0afeaed
Delete 's' typo
2015-01-19 12:55:35 -06:00
79a24f80b8
Use constant for play options
2015-01-19 12:50:40 -06:00
652400451e
Delete extra k
2015-01-19 12:35:26 -06:00
50d43f118b
Make URLs better
...
Removes YouTube logo, loops, hides video controls at bottom, disables keyboard controls, doesn't show info about the video on the top, hides video annotations, and doesn't show related videos at the end.
2015-01-19 12:27:18 -05:00
5813c639d1
Initial commit
2015-01-19 17:23:48 +01:00
354e952841
fix msftidy warnings
2015-01-18 23:55:57 +01:00
5b964bba6a
Land #4518 , Wordpress long password DoS
2015-01-18 23:55:06 +01:00
6014ff8a31
fix msftidy warnings
2015-01-18 23:54:16 +01:00
affc661524
Add module for CVE-2014-4936
2015-01-18 17:18:05 +01:00
7a2f0553a8
Update reverse_tcp.rb
...
prevent over-reading from socket
2015-01-18 17:32:53 +02:00
9c12fcc2f1
Update bind_tcp.rb
...
Read exactly l bytes
2015-01-18 15:42:09 +02:00
18e15a109a
Update bind_tcp.rb
...
Prevent over reading from socket
2015-01-18 15:35:56 +02:00
3a3e37ba6c
Refactor extract_mbean_server
2015-01-18 01:20:13 -06:00
4247747fc5
Refactor extract_object
2015-01-18 01:13:00 -06:00
84ecde30d1
Land #4586 , mcafee_epo_xxe aux module
2015-01-18 00:50:10 -06:00
57ca285f8a
Fix msftidy warnings
2015-01-18 00:49:52 -06:00
db3185231a
add maxkeys option, dont store loot if localhost and improve streaming
2015-01-17 09:25:32 -08:00
3a5d6b4717
Store password hash as loot
2015-01-17 14:17:41 +00:00
375a7e1fe9
Typo. Filtering.
2015-01-16 16:30:52 -06:00
8889f95920
Correct McAfee credential storage, prepare for store_loot
2015-01-16 12:10:01 -08:00
f1bcbb7d78
Merge remote-tracking branch 'live/master' into feature/memcached-module
2015-01-16 09:57:17 -08:00
a2a1a90678
Land #4316 , Meatballs1 streamlines payload execution for exploits/windows/local/wmi
...
also fixes a typo bug in WMIC
2015-01-16 11:16:22 -06:00
6a68888712
Land #4590 , jvennix-r7's fix for same-scheme URLs
...
made a trivial string formatting tweak
2015-01-16 09:10:56 -06:00
7ef721bdd6
Might as well format the url all at once.
2015-01-16 09:01:25 -06:00
488847cecc
Split smb_cmd_session_setup into with/without esn
...
Extended Security Negotiation
2015-01-16 07:05:10 -06:00
6b6a7e81c9
Style fixes
2015-01-16 06:39:21 -06:00
d9c6c56779
Refactor extract_rmi_connection_stub
2015-01-15 23:15:30 -06:00
2d2f26a0e3
Change method names for stream builders
2015-01-15 23:01:27 -06:00
273ba54a21
Fix server/capture/smb to use create_credential
2015-01-15 22:39:11 -06:00
00117fc963
Do first and ugly refactoring
2015-01-15 21:18:03 -06:00
4d35131f59
Provide description and authentication support
2015-01-15 17:57:35 -06:00
1929f36050
Update mcafee_epo_xxe.rb
2015-01-15 16:50:14 -06:00
2cd15d0155
Delete comments
2015-01-15 16:43:03 -06:00
cab4787172
Add initial JMX module
2015-01-15 16:41:37 -06:00
8c3d4c8d07
Spelling tweak.
2015-01-15 15:19:46 -06:00
35c9a13199
Handle the usage of // (same-scheme) URLs.
2015-01-15 15:09:50 -06:00
c1e604f201
Land #4562 : wchen-r7's CVE addition
2015-01-15 14:34:37 -06:00
bc895ab4d1
Land #4582 , jhart-r7's Apple Airport Authentication Avalanche
2015-01-15 14:07:18 -06:00
47cd5a3e59
Land #4562 , wchen-r7's Win8 NtApphelpCacheControl privilege escalation
2015-01-15 13:52:07 -06:00
09eaf80a90
Add CVE
2015-01-15 13:22:00 -06:00
68dc3ce876
Minor code formatting
2015-01-15 19:33:08 +01:00
507050b316
rescue from down memcached server or timeout
2015-01-15 09:51:42 -08:00
0e893cd772
Merge remote-tracking branch 'live/master' into feature/memcached-module
2015-01-15 09:40:21 -08:00
4d2ad8865f
remove debug line
2015-01-15 09:37:51 -08:00
154eb7956c
fix storing of loot and support localhost session
2015-01-15 09:36:15 -08:00
4e4ca15422
Update mcafee_epo_xxe.rb
2015-01-15 11:02:11 -06:00
e53522b64b
Update mcafee_epo_xxe.rb
2015-01-15 10:28:52 -06:00
57904773e7
Configurable resource
2015-01-15 10:28:03 -06:00
86d5358299
Update mcafee_epo_xxe.rb
2015-01-15 09:56:02 -06:00
ef0be946b1
Use HttpServer instead of TcpServer
2015-01-15 10:39:17 +01:00
53e1304afb
Update mcafee_epo_xxe.rb
2015-01-14 18:19:27 -06:00
f4f4787efe
Move run method
2015-01-14 23:54:02 +00:00
3768cf0a69
Change version to int and add proper timestamp
2015-01-14 22:59:11 +00:00
621cada2ac
Undo build_gc_call_data refactoring
2015-01-14 16:47:28 -06:00
da0fce1ea8
Add module for CVE-2014-2206
2015-01-14 22:04:30 +01:00
f42bda1a51
refactor parsing the results
...
moved the result parsing into its own method
cleaned up run method a bit more, added YARD docs
to the new methods
2015-01-14 14:15:57 -06:00
c687ecca2e
refactor filter building
...
move the filter_string into a seperate method
and use shovel oeprator to keep it a little cleaner
2015-01-14 14:04:28 -06:00
9b344a9605
move query fields to a constant
...
these fields should never change, so put the array
in a constant and freeze it to prevent accidental tampering
2015-01-14 13:20:00 -06:00
82939595f8
Merge branch 'master' into feature/metaballs1/enum_ad_users
2015-01-14 13:06:18 -06:00
1ed07bac32
Update mcafee_epo_xxe.rb
2015-01-14 11:01:14 -06:00
794bb65817
Create mcafee_epo_xxe.rb
2015-01-14 10:54:58 -06:00
8a89b3be28
Cleanup of various bits of code
2015-01-13 22:20:40 +00:00
b7eb4d24aa
Squash another rogue 5009
2015-01-13 10:36:43 -08:00
ac4eb3bb90
Land #4578 , @dlanner's fix for rails_secret_deserialization
2015-01-13 09:37:28 -08:00
c5cfc11d84
fix cookie regex by removing a space
2015-01-12 23:13:18 -05:00
69f03f5c5d
Move ACPP default port into Rex
2015-01-12 19:43:57 -08:00
01a9fb1483
Spelling
2015-01-12 19:29:41 -08:00
a076a9ab89
report_vuln
2015-01-12 19:23:08 -08:00
d5cdfe73ed
Big style cleanup
2015-01-12 19:11:14 -08:00
9721993b8f
Allow blank password, remote more unused opts, print private
2015-01-12 18:43:54 -08:00
99cf668441
add memcached extractor module
2015-01-12 16:40:06 -08:00
8246f4e0bb
Add ability to use both WP and EC attack vectors
2015-01-12 23:30:59 +00:00
44059a6e34
Disable more unused options
2015-01-12 14:15:40 -08:00
ec506af8ea
Make ACPP login work
2015-01-12 14:01:23 -08:00
e6f6acece9
Add a date hash to the post data
2015-01-12 21:21:50 +00:00
e9557ffe58
Simplify module in prep for some authbrute cleanups
2015-01-12 13:08:12 -08:00
97f5cbdf08
Add initial Airport ACPP login scanner
2015-01-12 13:08:12 -08:00
7876401419
Land #4476 - Lexmark MarkVision Enterprise Arbitrary File Upload
2015-01-12 10:44:23 -06:00
34bbc5be90
print error message about limitation
2015-01-11 20:12:40 -06:00
ea37e2e198
Add WP EasyCart file upload exploit module
2015-01-10 21:05:02 +00:00
52b929c5ca
Fix https://github.com/m7x/metasploit-framework/pull/1#issuecomment-69454590
2015-01-10 14:15:53 +00:00
46d1616994
Hello ARCH_X86_64
2015-01-10 06:16:22 -06:00
05d364180b
Beautify descriptions
2015-01-10 01:10:08 -06:00
a2d479a894
Refactor run method
2015-01-10 01:06:56 -06:00
cf9d7d583e
Do first code cleanup
2015-01-10 00:51:31 -06:00
000d7dd1eb
Minor beautification
2015-01-10 00:32:10 -06:00
1d0e9a2dca
Use snake_case filename
2015-01-10 00:29:28 -06:00
070e833d46
Use snake_case filename
2015-01-10 00:28:01 -06:00
59d602f37d
Refactor cisco_cucdm_callforward
2015-01-10 00:27:31 -06:00
511a7f8cca
send_request_cgi already URI encodes
2015-01-10 00:06:26 -06:00
5d8167dca6
Beautify description
2015-01-10 00:02:42 -06:00
9fb4cfb442
Do First callforward cleanup
2015-01-10 00:00:27 -06:00
f7af0d9cf0
Test landing #4065 into up to date branch
2015-01-09 23:40:16 -06:00
bedbffa377
Land #3700 , @ringt fix for oracle_login
...
* Avoid retrying logins when connection cannot be stablished
2015-01-09 22:59:32 -06:00
38c36b49fb
Report when nothing is rescued
2015-01-09 22:58:19 -06:00
5c12f9da75
More cleanup
...
Handle multiple versions
Better print_
Actually extract
2015-01-09 18:01:17 -08:00
3c8be9e36d
Just x86
2015-01-09 19:12:51 -06:00
74e8e057dd
Use RDL
2015-01-09 19:02:08 -06:00
d4d1a53533
fix invalid url
2015-01-09 21:57:52 +01:00
fd2307680d
Land #4550 , wp-symposium file upload
2015-01-09 21:55:02 +01:00
35fd17c4f1
Cleanup style
2015-01-09 11:00:25 -08:00
d65ed54e0c
Check STARTUP_FOLDER option
2015-01-09 12:21:01 -06:00
2c633e403e
Do code cleanup
2015-01-09 12:07:59 -06:00
d52e9d4e21
Fix metadata again
2015-01-09 11:20:00 -06:00
9dbf163fe7
Do minor style fixes
2015-01-09 11:17:16 -06:00
8f09e0c20c
Fix metadata by copying the mysql_mof data
2015-01-09 11:15:32 -06:00
da6496fee1
Test landing #2156 into up to date branch
2015-01-09 11:04:47 -06:00
ee5c249c89
Add EDB reference
2015-01-09 00:19:12 -06:00
75de792558
Add a basic check
2015-01-09 00:03:39 -06:00
4911127fe2
Match the title and change the description a little bit
2015-01-08 21:48:01 -06:00
b7b3ae4d2a
A little randomness
2015-01-08 21:25:55 -06:00
e4547eb474
Land #4537 , @wchen-r7's fix for #4098
2015-01-08 17:57:16 -08:00
f13e56aef8
Handle bracketed and unbracketed results, add more useful logging
2015-01-08 17:51:31 -08:00
14db112c32
Add logging to show executed Java and result
2015-01-08 16:53:12 -08:00
b65013c5c5
Another update
2015-01-08 18:39:04 -06:00
b2ff5425bc
Some changes
2015-01-08 18:33:30 -06:00
53e6f42d99
This works
2015-01-08 17:57:14 -06:00
c76aec60b0
Add OSVDB id and full disclosure URL
2015-01-08 23:29:38 +00:00
7ed6b3117a
Update
2015-01-08 17:18:14 -06:00
fb5170e8b3
Land #2766 , Meatballs1's refactoring of ExtAPI services
...
- Many code duplications are eliminated from modules in favor of shared
implementations in the framework.
- Paths are properly quoted in shell operations and duplicate operations are
squashed.
- Various subtle bugs in error handling are fixed.
- Error handling is simpler.
- Windows services API is revised and modules are updated to use it.
- various API docs added
- railgun API constants are organized and readable now.
2015-01-08 16:54:01 -06:00
e447a17795
bump deprecated date
2015-01-08 16:20:06 -06:00
50ecfbf64c
Land #4553 - Update bypass UAC to work on 7, 8, 8.1, and 2012
2015-01-08 16:19:55 -06:00
fa5cd928a1
Refactor exploit to use the mixin
2015-01-08 16:04:56 -06:00
ca765e2cc5
Refactor client mixin
2015-01-08 15:46:24 -06:00
82e6183136
Add Msf::Exploit::FileDropper mixin
2015-01-08 21:07:00 +00:00
93dc90d9d3
Tidied up some code with existing mixins
2015-01-08 20:53:56 +00:00
873ade3b8a
Refactor exploit module
2015-01-08 14:52:55 -06:00
3debcef00b
Fix call from aux module
2015-01-08 14:24:27 -06:00
0e6c7181b1
"Stash" it
2015-01-08 14:13:14 -06:00
c205ef28d4
Refactor build_gc_call
2015-01-08 14:01:04 -06:00
a9fee9c022
Fall back to runas if UAC disabled
2015-01-08 11:07:57 +00:00
ea793802cc
Land #4528 , mantisbt_php_exec improvements
2015-01-08 04:50:00 -06:00
3c3d28b475
Land #4551 , correct spelling in dns_bruteforce
2015-01-08 10:03:28 +00:00
73e3cd19c3
Convert java_rmi_server aux mod to use new mixin
2015-01-08 00:29:50 -06:00
844460dd87
Update bypass UAC to work on 8.1 and 2012
...
This commit contains a bunch of work that comes from Meatballs1 and
Lesage, and updates the bypassuac_inject module so that it works on
Windows 8.x and Windows 2012. Almost zero of the code in this module
can be attributed to me. Most of it comes from Ben's work.
I did do some code tidying, adjustment of style, etc. but other than
that it's all down to other people.
2015-01-08 15:39:19 +10:00
0604b2ecc7
Land #4542 , invalid splat URL fix
2015-01-07 22:54:22 -06:00
0496bb16bc
Minor spelling fix
2015-01-07 23:43:59 -05:00
d59805568e
Do first module refactoring try
2015-01-07 19:06:09 -06:00
7b92c6c2df
Add WP Symposium Shell Upload module
2015-01-07 22:02:39 +00:00
da2e088118
Land #4536 , Ruby 2.2 compat fixes
...
Note that ActiveRecord 3.2.21 still has a similar warning that will
probably cause bugs, preventing full support for 2.2 until that's fixed.
2015-01-07 15:33:23 -06:00
0b0ac1455a
Merge remote-tracking branch 'upstream/master' into extapi_service_post
...
Conflicts:
test/modules/post/test/services.rb
2015-01-07 20:53:34 +00:00
82d129bfc4
Merge branch 'master' into feature/jtr-korelogic-rules-update
2015-01-07 12:42:23 -06:00
df70678762
tell suer KoreLogic rules have been applied
...
make sure to rpovide console feedback that we are
actually applying the KoreLogic rules to wordlist mode
2015-01-07 12:36:07 -06:00
4ad7021336
give user option to turn on KoreLogic rules
...
the cracker modules in framework now have a datastore option
to allow the user to select the KoreLogicRules
2015-01-07 12:32:26 -06:00
ef97d15158
Fix msftidy and make sure all print_*s in check() are vprint_*s
2015-01-07 12:12:25 -06:00
a5f48b23df
Add use of Msf::ThreadManager
2015-01-07 17:27:06 +00:00
3e80efb5a8
Land #4521 , Pandora FMS upload
2015-01-07 11:13:57 -06:00
1ccef7dc3c
Shorter timeout so we get shell sooner
...
The request to execute our payload will never return, so waiting for the
default timeout (20 seconds) is pointless.
2015-01-07 11:11:33 -06:00
e90e98547b
Add configurable timeout to WordPress login
2015-01-07 17:06:31 +00:00
4c240e8959
Fix #4098 - False negative check for script_mvel_rce
...
Fix #4098 , thanks @arnaudsoullie
2015-01-07 10:40:58 -06:00
c60b6969bc
Oh so that's it
2015-01-07 10:39:46 -06:00
efe83a4f31
Whitespace
2015-01-07 10:19:17 -06:00
89699d1549
Typo workspace_id
2015-01-07 10:58:59 +00:00
09bd0465cf
fix regex
2015-01-07 11:54:55 +01:00
b3def856fd
Applied changes recommended by jlee-r7
...
used Rex::ConnectionError
refactor begin/rescue blocks
removed ::URI::InvalidURIError
changed @peer with peer
used Exploit::CheckCode:Appears instead of Exploit::CheckCode::Vulnerable
2015-01-07 18:38:19 +08:00
eaad4e0bea
fix check method
2015-01-07 11:01:08 +01:00
8c23e8c2e8
ruby 2.2 compatibility
...
Fix circular argument reference warnings for ruby 2.2
2015-01-07 12:00:50 +02:00
862af074e9
fix bug
2015-01-07 09:10:50 +01:00
d007b72ab3
favor include? over =~
2015-01-07 07:33:16 +01:00
4277c20a83
use include?
2015-01-07 06:51:28 +01:00
39e33739ea
support for anonymous login
2015-01-07 00:08:04 +01:00
bf0bdd00df
added some links, use the res variable
2015-01-06 23:25:11 +01:00
2ed05869b8
Make Msf::Exploit::PDF follow the Ruby method naming convention
...
Just changing method names.
It will actually also fix #4520
2015-01-06 12:42:06 -06:00
f9f2bc07ac
some improvements to the mantis module
2015-01-06 11:33:45 +01:00
0bece137c1
Land #4494 , Object.class.to_s fix
2015-01-06 02:27:35 -06:00
f2710f6ba7
Land #4443 , BulletProof FTP client exploit
2015-01-06 02:10:42 -06:00
482cfb8d59
Clean up some stuff
2015-01-06 02:10:25 -06:00
46aa165ca5
Land #4481 , enum_users_history improvements
2015-01-06 01:52:38 -06:00
745bfb2f35
Clean things up
2015-01-06 01:48:18 -06:00
dd5c638ab0
Merge remote-tracking branch 'upstream/master' into extapi_service_post
2015-01-05 22:18:44 +00:00
44dfa746eb
Resolve #4513 - Change #inspect to #to_s
...
Resolve #4513
2015-01-05 11:50:51 -06:00
4257fef91b
Land #4101 - Konica MFP FTP and SMB credential gathering module
2015-01-05 10:31:28 -06:00
547b7f2752
Syntax and File Upload BugFix
...
Fix unexpected ) in line 118
Fix file cleanup missing _
Fix more robust version check script
Fix file upload
2015-01-05 19:23:22 +08:00
e7affb9048
Land #4493 , @pedrib's module for ManageEngine Central Desktop create admin
2015-01-04 23:46:31 -06:00
c5e72fb324
Change module filename
2015-01-04 23:14:12 -06:00
4798f2328d
Change module filename
2015-01-04 23:13:17 -06:00
6bb3171328
Do minor cleanup
2015-01-04 23:12:42 -06:00
711b97ecc5
Beautify metadata
2015-01-04 23:08:46 -06:00
92015ac124
Replace custom login with wordpress_login mixin
2015-01-04 23:07:07 +00:00
39412c4a48
Add WordPress long password DoS module
2015-01-04 18:50:23 +00:00
c9b76a806a
Create manageengine_auth_upload.rb
2015-01-04 17:05:53 +00:00
32d4bf03c3
Add OSVDB id and full disclosure URL
2015-01-04 12:36:51 +00:00
c959d42a29
minor tweak
2015-01-03 10:15:52 +00:00
d45cdd61aa
Resolve #4507 - respond_to? + send = evil
...
Since Ruby 2.1, the respond_to? method is more strict because it does
not check protected methods. So when you use send(), clearly you're
ignoring this type of access control. The patch is meant to preserve
this behavior to avoid potential breakage.
Resolve #4507
2015-01-02 13:29:17 -06:00
3c755a6dfa
Template
2015-01-02 11:31:28 -06:00
c348663204
Add McAfee Hashdump
2015-01-02 10:22:11 +00:00
c1718fa490
Land #4440 , git client exploit from @jhart-r7
...
Also fixes #4435 and makes progress against #4445 .
2015-01-01 13:18:43 -06:00
d7564f47cc
Move Mercurial option to advanced, update ref url
...
See #4440
2015-01-01 13:08:36 -06:00
914c724abe
Rename module
...
See rapid7#4440
2015-01-01 13:03:17 -06:00
65977c9762
Add some more useful URLs
2014-12-31 10:54:04 -08:00
264d3f9faa
Minor grammar fixes on modules
2014-12-31 11:45:14 -06:00
6d966dbbcf
Land #4203 , @jvazquez-r7's cleanup for java_rmi_server
2014-12-31 11:25:19 -05:00
4f11dc009a
fixes #4490 , class.to_s should not be used for checks
2014-12-31 10:46:24 +01:00
e81e68bdaf
Create me_dc9_admin.rb
2014-12-31 02:02:52 +00:00
cc75c33d60
Use user home directories
...
Replace hard-coded '/home/' and '/root/' with `~username` shorthand.
2014-12-31 09:12:35 +11:00
013e45e83d
Add support for MongoDB history
2014-12-31 08:38:58 +11:00
d2e6f90569
Use a list of users
2014-12-31 08:12:16 +11:00
48919eadb6
Land #4444 - i-FTP BoF
2014-12-30 12:38:28 -06:00
4fd4d51d78
Land #4485 , Drupageddon greedy regex fix
2014-12-30 10:16:57 -06:00
96fe693c54
update drupal regex
2014-12-30 09:12:39 +01:00
555713b6ae
Land #4456 - MS14-068, Kerberos Checksum (plus krb protocol support)
2014-12-29 16:09:28 -06:00
f2130311fa
Add the MSF blog reference
2014-12-29 16:08:35 -06:00
897e993971
Update description
2014-12-30 08:05:53 +11:00
8719a36d84
DRY status messages
2014-12-30 08:03:40 +11:00
0de80e9c76
Minor changes to style
2014-12-30 07:58:54 +11:00
0085bcf075
Use `blank?' instead of `nil?'
2014-12-30 07:38:34 +11:00
a50ac4050c
Add support for PostgreSQL history
2014-12-30 07:33:22 +11:00
4ebe0fc0a8
Add support for different shells
2014-12-30 07:26:12 +11:00
d2af956b16
Do minor cleanups
2014-12-29 10:39:51 -06:00
1dd9d60e34
Land #4461 , Android cookie database theft
...
`
Thanks @jvennix-r7!
2014-12-29 08:15:21 -06:00
d10222365b
Add Rafay's blog as a reference
2014-12-29 08:12:19 -06:00
1236684954
Use get_uri instead, note lack of Rex::Text method
...
See rapid7#4461
2014-12-28 15:06:34 -06:00
788e315fd4
Fix msftidy warnings
2014-12-28 14:53:29 -06:00
9791acd0bf
Add stager ipknock shellcode (PR 2)
2014-12-27 22:03:45 +01:00
9f98fd4d87
Info leak webapp ROOT so we can cleanup
2014-12-27 08:47:51 -06:00
5afd2d7f4b
Add module for ZDI-14-410
2014-12-26 20:40:28 -06:00
655cfdd416
Land #4321 , @wchen-r7's fixes #4246 ms01_026_dbldecode undef method
2014-12-26 12:48:29 -06:00
51049152b6
Use Rex::Text.rand_mail_address for more realistic fake commit
2014-12-26 10:39:52 -08:00
c1b0385a4b
Land #4460 , @Meatballs1's ssl cert validation bypass on powershell web delivery
2014-12-26 12:07:45 -06:00
2bed52dcd5
Land #4459 , @bcoles's ProjectSend Arbitrary File Upload module
2014-12-26 11:28:42 -06:00
b5b0be9001
Do minor cleanup
2014-12-26 11:24:02 -06:00
85ab11cf52
Use print_warning consistently
2014-12-26 09:54:38 -06:00
f31a2e070e
Use print_warning to print the Kerberos error
2014-12-26 09:22:09 -06:00
d148848d31
Support Kerberos error codes
2014-12-24 18:05:48 -06:00
121c0406e9
Beautify restart_command creation
2014-12-24 15:52:15 -06:00
43ec8871bc
Do minor c code cleanup
2014-12-24 15:45:38 -06:00
92113a61ce
Check payload
2014-12-24 15:43:49 -06:00
36ac0e6279
Clean get_restart_commands
2014-12-24 14:55:18 -06:00
92b3505119
Clean exploit method
2014-12-24 14:49:19 -06:00
9c4d892f5e
Use single quotes when possible
2014-12-24 14:37:39 -06:00
bbbb917728
Do style cleaning on metadata
2014-12-24 14:35:35 -06:00
af24e03879
Update from upstream
2014-12-24 14:25:25 -06:00
0b85a81b01
Use REXML to generate exploit file
2014-12-24 19:23:28 +01:00
30228bcfe7
Added underscore to user regex in smart_hashdump.rb to support usernames that contain underscores. Issue #4349 .
2014-12-23 22:36:11 -06:00
a692656ab7
Update comments to reflect reality, minor cleanup
2014-12-23 19:09:45 -08:00
ebb05a64ea
Land #4357 , @Meatballs1 Kerberos Support for current_user_psexec
2014-12-23 20:38:31 -06:00
89d0a0de8d
Delete unnecessary connect
2014-12-23 19:35:59 -06:00
265e0a7744
Upper case domain
2014-12-23 19:16:50 -06:00
ed2d0cd07b
Use USER_SID instead of DOMAIN_SID and USER_RID
2014-12-23 19:11:05 -06:00
8d73794cc8
Add hint for exploit on old devices.
2014-12-23 12:29:08 -06:00
59f75709ea
Print out malicious URLs that will be used by default
2014-12-23 10:10:31 -08:00
905f483915
Remove unused and commented URIPATH
2014-12-23 09:40:27 -08:00
8e57688f04
Use random URIs by default, different method for enabling/disabling Git/Mercurial
2014-12-23 09:39:39 -08:00
bd3dc8a5e7
Use fail_with rather than fail
2014-12-23 08:20:03 -08:00
015b96a24a
Add back perl and bash related payloads since Windows git will have these and OS X should
2014-12-23 08:13:00 -08:00
16302f752e
Enable generic command
2014-12-23 14:22:26 +00:00
a3b0b9de62
Configure module to target bash by default
2014-12-23 14:19:51 +00:00
313d6cc2f8
Add super call
2014-12-23 14:12:47 +00:00
43221d4cb0
Remove redundant debugging stuff
2014-12-23 14:09:12 +00:00
42a10d6d50
Add Powershell target
2014-12-23 14:07:57 +00:00
40c1fb814e
one line if statement
2014-12-23 11:20:24 +00:00
b41e259252
Move it to a common method
2014-12-23 11:16:07 +00:00
5c82b8a827
Add ProjectSend Arbitrary File Upload module
2014-12-23 10:53:03 +00:00
01cf14d44e
Fix banner
2014-12-23 01:02:09 -06:00
4928cd36e4
Land #4187 , @BorjaMerino's post module to get output rules
2014-12-23 01:01:03 -06:00
49fef9e514
Do minor module clean up
2014-12-23 01:00:21 -06:00
abec7c206b
Update description to describe current limitations
2014-12-22 20:32:45 -08:00
1505588bf6
Rename the file to reflect what it really is
2014-12-22 20:27:40 -08:00
ff440ed5a4
Describe vulns in more detail, add more URLs
2014-12-22 20:20:48 -08:00
b4f6d984dc
Minor style cleanup
2014-12-22 17:51:35 -08:00
421fc20964
Partial mercurial support. Still need to implement bundle format
2014-12-22 17:44:14 -08:00
708cbd7b65
Allow to provide USER SID
2014-12-22 18:24:50 -06:00
56eadc0d55
Delete default values from options
2014-12-22 18:11:43 -06:00
787dab998d
Fix description
2014-12-22 17:51:44 -06:00
a7faf798bf
Use explicit encryption algorithms
2014-12-22 15:51:17 -06:00
f37cf555bb
Use random subkey
2014-12-22 15:39:08 -06:00
fdd1d085ff
Don't encode the payload because this only complicates OS X
2014-12-22 13:36:38 -08:00
0bf3a9cd55
Fix duplicate :ua_maxver key.
2014-12-22 14:57:44 -06:00
b0a178e0a3
Delete blank line
2014-12-22 14:40:32 -06:00
5a6c915123
Clean options
2014-12-22 14:37:37 -06:00
20ab14d7a3
Clean module code
2014-12-22 14:29:02 -06:00
ea9f5ed6ca
Minor cleanup
2014-12-22 12:16:53 -08:00
dd73424bd1
Don't link to unused repositories
2014-12-22 12:04:55 -08:00
6c8cecf895
Make git/mercurial support toggle-able, default mercurial to off
2014-12-22 11:36:50 -08:00
574d3624a7
Clean up setup_git verbose printing
2014-12-22 11:09:08 -08:00
16543012d7
Correct planted clone commands
2014-12-22 10:56:33 -08:00
01055cd41e
Use a trigger to try to only start a handler after the malicious file has been requested
2014-12-22 10:43:54 -08:00
dabc890b2f
Change module filename again
2014-12-22 12:35:15 -06:00
2b46bdd929
Add references and authors
2014-12-22 12:34:31 -06:00
4319dbaaef
Change module filename
2014-12-22 12:29:28 -06:00
3bcd67ec2e
Unique URLs for public repo page and malicious git/mercurial repos
2014-12-22 10:03:30 -08:00
93be828738
Fix invalid URL in splat
2014-12-22 11:26:20 -06:00
f1b9862665
Align shellcode in bind_hidden_tcp
2014-12-22 11:17:14 -06:00
308eea0c2c
Make malicious hook file name be customizable
2014-12-22 08:28:55 -08:00
9a7e431a4a
New block_api applied
2014-12-22 17:21:13 +01:00
42636fb3c0
Handler and block_hidden_bind_tcp deleted
2014-12-22 17:21:13 +01:00
fa8e944e34
AHOST OptAddress moved to the payload
2014-12-22 17:21:11 +01:00
c0fa8c0e3f
Add stager for hidden bind shell payload
2014-12-22 17:21:11 +01:00
7f3cfd2207
Add a ranking
2014-12-22 07:51:47 -08:00
44084b4ef6
Correct Microsoft security bulletin for ppr_flatten_rec
2014-12-22 10:40:23 +00:00
9be95eacb8
Use %Q for double-quoted string
2014-12-22 07:37:32 +01:00
60d4525632
Add specs for Msf::Kerberos::Client::Pac
2014-12-21 17:49:36 -06:00
bb33a91110
Update description to be a little more descriptive
2014-12-21 19:31:58 +01:00
74783b1c78
Remove ruby and telnet requirement
2014-12-21 10:06:06 -08:00
cd02e61a57
Add module for OSVDB-114279
2014-12-21 17:00:45 +01:00
31f320c901
Add mercurial debugging
2014-12-20 20:00:12 -08:00
3da1152743
Add better logging. Split out git support in prep for mercurial
2014-12-20 19:34:55 -08:00
58d5b15141
Add another useful URL. Use a more git-like URIPATH
2014-12-20 19:11:56 -08:00
9f1403a63e
Add initial specs for Msf::Kerberos::Client::TgsResponse
2014-12-20 20:29:00 -06:00
9f97b55a4b
Add module for CVE-2014-2973
2014-12-20 18:38:22 +01:00
f41d0fe3ac
Randomize most everything about the malicious commit
2014-12-19 19:31:00 -08:00
805241064a
Create a partially capitalized .git directory
2014-12-19 19:07:45 -08:00
f7630c05f8
Use payload.encoded
2014-12-19 18:52:34 -08:00
b0ac68fbc3
Create build_subkey method
2014-12-19 19:46:57 -06:00
4a106089b9
Move options to build_tgs_request_body
2014-12-19 19:12:17 -06:00
e6781fcbea
Build AuthorizationData from the module
2014-12-19 18:59:39 -06:00
9bd454d288
Build PAC extensions from the module
2014-12-19 18:47:41 -06:00
def1695e80
Use options by call
2014-12-19 18:23:11 -06:00
f332860c19
Clean creation of client and server principal names
2014-12-19 18:16:22 -06:00
bd85723a9d
Build pre auth array out of the mixin
2014-12-19 18:10:14 -06:00
7f2247f86d
Add description and URL
2014-12-19 15:50:16 -08:00
9b815ea0df
Some style cleanup
2014-12-19 15:35:09 -08:00
4d0b5d1a50
Add some vprints and use a sane URIPATH
2014-12-19 15:33:26 -08:00
d3050de862
Remove references to Redmine in code
...
See #4400 . This should be all of them, except for, of course, the module
that targets Redmine itself.
Note that this also updates the README.md with more current information
as well.
2014-12-19 17:27:08 -06:00
48444a27af
Remove debugging pp
2014-12-19 15:27:06 -08:00
1c7fb7cc7d
Mostly working exploit for CVE-2014-9390
2014-12-19 15:24:27 -08:00
d058bd5259
Refact extraction of kerberos cache credentials
2014-12-19 15:53:24 -06:00
4888ebe68d
Initial commit of POC module for CVE-2013-9390 ( #4435 )
2014-12-19 12:58:02 -08:00
fffa8cfdd1
Lands #4426 by cleaning up the module description
2014-12-19 14:54:17 -06:00
9ede2c2ca5
Lands #4429 by fixing windows/messagebox with EXITFUNC=none
2014-12-19 14:51:57 -06:00
fad08d7fca
Add specs for Rex Kerberos client
2014-12-19 12:14:33 -06:00
e45af903d9
Add patch discovery date.
2014-12-19 12:04:41 -06:00
2c0c732967
Fix #4414 & #4415 - exitfunc and proper null-terminated string
...
This patch fixes the following for messagebox.rb
Issue 1 (#4415 )
When exitfunc is none, the payload will not be able to generate
due to an "invalid opcode" error.
Issue 2: (#4414 )
After "user32.dll" is pushed onto the stack for the LoadLibrary
call, the payload does not actually ensure bl is a null byte, it
just assumes it is and uses it to modify the stack to get a
null-terminated string.
Fix #4414
Fix #4415
2014-12-19 03:19:06 -06:00
25313b1712
Use the hash to pass the script.
2014-12-19 02:30:37 -06:00
8d2bd74d31
Add preliminary module to cover 'Misfortune Cookie', CVE-2014-9222
2014-12-18 17:21:26 -08:00
f325d2f60e
Add support for cache credentials in the mixin
2014-12-18 16:31:46 -06:00
c15bad44a6
Be clearer on backslash usage.
...
See #4282
2014-12-18 16:16:02 -06:00
9a58617387
Add dummy test module
2014-12-17 19:57:10 -06:00
6b0a98b69c
Resolve #4408 - bad uncaught nil get_once
2014-12-17 14:02:42 -06:00
6a822cca61
Move code out of begin/rescue block
2014-12-17 06:45:00 +00:00
dd63d793e5
Bring in @darkoperator's filters
2014-12-17 06:14:21 +00:00
8c7ff728ef
Gather some more info
2014-12-17 05:46:01 +00:00
84ea628284
Add Android cookie theft attack.
2014-12-16 19:12:01 -06:00
f6af86a06d
Land #4402 , ms12_020_check NilClass fix
2014-12-16 15:34:25 -06:00
f237c56a13
This oracle scheduler exploit hangs if not vuln
...
When this exploit gets run against a system that isn't vulnerable
it can hang for a signifigant ammount of time. This change uses the check
method on the exploit to see whether it should proceed. Don't try to exploit
the host if it's not vulnerable.
2014-12-16 09:42:42 -06:00
2604746fb7
Land #4361 , Kippo detector
2014-12-15 14:54:48 -06:00
8394cc13a8
Perform final cleanup of detect_kippo
2014-12-15 14:38:38 -06:00
c611249723
Take full advantage of the check command
2014-12-15 12:50:59 -06:00
9edb2b4fab
Fix #4378 - Do exception handling
...
Fix #4378
2014-12-15 12:37:36 -06:00
effb5b966f
Land #4328 , @bcoles' exploit for ActualAnalyzer < 2.81 'ant' code execution
2014-12-15 09:57:27 -08:00
jvazquez-r7
sinn3r
Hans-Martin Münch (h0ng10)
William Vu
Tod Beardsley
Jon Hart
pdeardorff-r7
wez3
rastating
IMcPwn
Christian Mehlmauer
sgabe
eyalgr
root
Brent Cook
James Lee
Brandon Perry
Joe Vennix
Pedro Ribeiro
David Maloney
David Lanner
Meatballs
OJ
EricGershman
m7x
rcnunez
dmooray
Tim
Spencer McIntyre
Brendan Coles
Borja Merino
Mark Judice
root
Peregrino Gris
Jon Cave
HD Moore