4dc402fd3c
moar fail_with's
2015-04-16 21:16:52 +02:00
0e186fa617
first fail_with fixes
2015-04-16 21:08:33 +02:00
f0d6735332
Land #5165 , version number correction
2015-04-16 12:10:12 -05:00
26f2b350d2
Land #5168 , more fail_with fixes
2015-04-16 12:04:55 -05:00
904339f0d7
Fix #5130 , Correct use of fail_with in wp_worktheflow_upload.rb
2015-04-16 10:32:50 -05:00
5c98270f4d
Fix #5137 - Correct use of fail_with
2015-04-16 09:57:02 -05:00
418d8586a5
Land #5137 (again), WordPress N-Media Website File Upload
2015-04-16 16:24:41 +02:00
7f79acb996
Land #5137 , WordPress N-Media Website File Upload
2015-04-16 16:17:20 +02:00
517ad54617
Fix the correct version in check.
2015-04-16 10:56:43 -03:00
95310dbe4f
Fix 'if' condition.
2015-04-16 10:51:36 -03:00
626a9f0508
Fix the correct version in check.
2015-04-16 10:46:08 -03:00
6ef074cd28
Fix the correct version in check
2015-04-16 10:34:34 -03:00
d9f4c7548f
Land #5136 , WordPress Creative Contact Form upload
2015-04-16 15:17:14 +02:00
84c74b8d42
use correct version number
2015-04-16 15:01:54 +02:00
ee8dc49a25
Fix wrong version in check.
2015-04-16 09:45:18 -03:00
e16cc6fa82
Fix the correct version in check.
2015-04-16 09:38:42 -03:00
7dde7f6f7c
Land #5130 , WordPress WorkTheFlow Upload
2015-04-16 14:06:37 +02:00
dc7f161339
Add author, EDB, OSVDB and WPVDB.
2015-04-16 08:56:33 -03:00
1112a3b0ae
Add WordPress Reflex Gallery Plugin File Upload
2015-04-16 08:40:51 -03:00
4aa4f83372
Removed timeout 2.
2015-04-16 05:37:11 -03:00
39556c10c7
Rewrote check method.
2015-04-16 05:36:20 -03:00
ace316a54f
Added WPVDB and EDB references.
2015-04-16 05:29:21 -03:00
10c218319a
Rewrote response condition.
2015-04-16 05:26:48 -03:00
5cb9b1a44c
Removed timeout 2.
2015-04-16 05:21:59 -03:00
0e1b173d15
Renamed USER/PASSWORD to WP_USER/WP_PASSWORD.
2015-04-16 05:11:56 -03:00
13ded8abe7
Added WPVDB.
2015-04-16 05:08:45 -03:00
64923ffdc2
Fixed plugin name in check method
2015-04-16 05:06:36 -03:00
e9212c4d6b
wordpress_url_admin_ajax intead of wordpress_url_backend
2015-04-16 04:53:05 -03:00
81d898fd7e
Rewrote check code.
2015-04-16 04:51:40 -03:00
aeb0484889
Removed timeout 2.
2015-04-16 04:48:00 -03:00
e6e9c173e3
Rewrote res conditions.
2015-04-16 04:43:34 -03:00
d11db4edc7
Rewrote check code.
2015-04-16 04:37:30 -03:00
f13d31c7c2
Added WPVDB.
2015-04-16 04:31:23 -03:00
cccda4e851
Removed unnecessary line.
2015-04-16 04:27:15 -03:00
d3a6de761d
Removed timeout 2.
2015-04-16 04:09:02 -03:00
01625e3bba
Land #5148 , DRY BSD/OS X shellcode
...
Also fix a semi-regression in the Rootpipe exploit.
2015-04-16 02:08:18 -05:00
13da15e434
Add default PAYLOAD again
...
PrependSetreuid doesn't work with generic/shell_reverse_tcp.
2015-04-16 02:07:02 -05:00
1249f29ee8
Add JSON::ParserError exception handler.
2015-04-16 04:03:54 -03:00
c1753672bf
Delete file_contents initialization
2015-04-15 17:58:32 -05:00
28fac60c81
Add module for CVE-2015-0556
2015-04-15 14:08:16 -05:00
ef6bf54e2f
Fix metadata
2015-04-15 09:22:59 -05:00
1da6b32df7
Land #4924 , @m-1-k-3's DLink CVE-2015-1187 exploit
...
* ncc service ping.cpp command injection
2015-04-15 09:17:10 -05:00
6019bbe0d2
Add ranking comment
2015-04-15 09:12:03 -05:00
ad465c4d5b
Do code cleanup
2015-04-15 09:10:18 -05:00
aca93cc86e
Add missing Rank
2015-04-14 13:33:37 -05:00
e114c85044
Land #5127 , x64 OS X prepend stubs 'n' stuff
2015-04-14 01:25:39 -05:00
a09e643a71
Add author, URL, WPVDB and disclosure date.
2015-04-13 22:54:05 -03:00
271a81778e
Add Module WP N-Media Website Contact Form Upload
2015-04-13 22:48:34 -03:00
7f10fb5bf0
Fix disclosure date
2015-04-13 18:53:20 -03:00
e94ca0bdd1
Add EDB, OSVDB and author.
2015-04-13 18:42:17 -03:00
d5d975c450
Add Module WordPress Creative Contact Form Upload
2015-04-13 18:38:43 -03:00
e324819feb
Add Privileged to info hash
...
Also remove default payload. Was set for CMD.
2015-04-13 15:23:30 -05:00
bd3b6514fa
Dubbed. Whump whump.
2015-04-13 10:52:32 -05:00
d87483b28d
Squashed commit of the following:
...
commit 49f480af8b9d27e676c02006ae8873a119e1aae6
Author: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Mon Apr 13 10:42:13 2015 -0500
Fix funny punctuation on rootpipe exploit title
See #5119
commit 0b439671efd6dabcf1a69fd0b089c28badf5ccff
Author: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Mon Apr 13 10:37:39 2015 -0500
Fix vendor caps
Trusting the github repo README at
https://github.com/embedthis/goahead
See #5101
2015-04-13 10:46:47 -05:00
7b57496501
Fix typo and add email addr.
2015-04-13 04:12:32 -03:00
abee3f17c4
Add author, CVE and EDB references
2015-04-13 04:08:34 -03:00
58c4042321
Add Module WP Slideshow Gallery Shell Upload
2015-04-13 03:56:59 -03:00
2d1f8c510e
Add author and references
2015-04-12 21:21:49 -03:00
9f06cee53d
Add Module WordPress WorkTheFlow Shell Upload
2015-04-12 21:09:44 -03:00
c132a3fb0a
Fix OSX prepends and implement x64 setreuid.
2015-04-11 20:04:21 -05:00
656abac13c
Use keyword arguments
2015-04-10 18:03:45 -05:00
1720d4cd83
Introduce get_file_contents
2015-04-10 17:34:00 -05:00
ca6a5cad17
support changing files
2015-04-10 16:53:12 -05:00
b2e17a61a9
Fix disclosure date
2015-04-10 13:09:24 -05:00
ab944b1897
Add module to exploit dangerous group policy startup scripts
2015-04-10 13:01:50 -05:00
3313dac30f
Land #5119 , @wvu's addition of the OSX rootpipe privesc exploit.
...
orts
borts
2015-04-10 12:38:25 -05:00
4419c1c728
Land #5120 , Adobe Flash Player casi32 Integer Overflow
2015-04-10 12:18:11 -05:00
fc814a17ae
Add admin check
...
Also break out version check.
2015-04-10 11:24:49 -05:00
41885133d8
Refactor and clean
...
Finally breaking free of some stubborn old habits. :)
2015-04-10 11:22:27 -05:00
a7601c1b9a
Use zsh to avoid dropping privs
...
Also add some configurable options.
2015-04-10 11:22:00 -05:00
4cc6ac6eaa
Clarify vulnerable versions
2015-04-10 11:22:00 -05:00
c4b7b32745
Add Rootpipe exploit
2015-04-10 11:22:00 -05:00
c6f062d49e
Ensure that local variable `upload_path` is defined
...
Merge `upload_payload` and `parse_upload_response` so that the
`upload_path` variable is defined for use in error messages in the event
of failure.
2015-04-10 10:58:20 +01:00
91f5d0af5a
Add module for CVE-2014-0569
...
* Adobe flash, Integer overflow on casi32
2015-04-09 19:37:26 -05:00
4808d61af3
Add OSVDB id and full disclosure URL
2015-04-09 16:32:22 +01:00
e03f2df691
Land #5002 , RMI/JMX improvements
2015-04-08 15:23:29 -05:00
cf8b92b747
Create zcm_file_upload.rb
2015-04-07 16:05:51 +01:00
7a2d3f5ebd
Land #5082 , firefox_proxy_prototype autopwn_info
2015-04-06 13:36:03 -05:00
e1af495d21
Add extra release fixes
2015-04-06 13:08:40 -05:00
b62011121b
Minor word choice fix on Solarwinds exploit
...
Removing the second person pronoun usage.
[See #5050 ]
2015-04-06 12:40:22 -05:00
5be5b6097c
Minor grammar on #5030 , Adobe Flash
...
[See #5030 ]
2015-04-06 12:36:25 -05:00
1e6d895975
Description fixes on #4784 , jboss exploit
...
Also, needed to run through msftidy.
[See #4784 ]
2015-04-06 12:34:49 -05:00
cd65e6f282
Add browser_autopwn info to firefox_proxy_prototype
2015-04-06 10:42:32 +05:00
56dc7afea6
Land #5068 , @todb-r7's module author cleanup
2015-04-03 16:00:36 -05:00
e3bbb7c297
Solve conflicts
2015-04-03 14:57:49 -05:00
828301a6cc
Land #5050 , @wchen-r7's exploit for Solarwinds Firewall Security Manager
...
* CVE-2015-2284
2015-04-03 13:45:30 -05:00
7c9b19c6f8
Do minor cleanup
2015-04-03 11:53:50 -05:00
0f7c644fff
Land #4784 , JBoss Seam 2 upload exec exploit
2015-04-02 22:32:35 -05:00
3ff91d74ca
More cleanup, mostly abysssec
...
[See #5012 ]
2015-04-02 16:16:38 -05:00
11057e5b3b
Fix up the last couple from Tenable, missed last
...
[See #5012 ]
2015-04-02 15:27:46 -05:00
4bbec88882
Various other one-off nonhuman author credits
...
[See #5012 ]
2015-04-02 15:25:47 -05:00
6532fad579
Remove credits to Alligator Security Team
...
All but one of these modules credits both a team name and individual
team members. We should just be crediting team members. The domain
persists in all the other credits.
The one that didn't was credited to dflah_ specifically, so merely
changed the author name.
Longer description, if needed, wrapped at 72 characters.
[See #5012 ]
2015-04-02 15:12:22 -05:00
b17727d244
Switching to privileged => false
2015-04-01 14:35:45 -05:00
0825534d2c
Fix reference
2015-04-01 14:16:45 -05:00
8ec71e9daf
Add a module for R7-2015-05
2015-04-01 14:05:41 -05:00
02a5730d92
Use calculate_interface_hash
2015-04-01 12:09:42 -05:00
0b14a18ad2
This is final
2015-04-01 12:00:49 -05:00
f954ff78c0
Fix typo
2015-04-01 10:51:54 -05:00
0ee858cd65
Some useful messages
2015-04-01 01:41:31 -05:00
8ad07cdc0f
This should be on the right track
2015-04-01 01:27:50 -05:00
6795c90eac
Some progress
2015-03-31 20:46:34 -05:00
97305629cb
Add Solarwinds FSM module
...
starter
2015-03-31 16:21:52 -05:00
8ea1ffc6ff
Land #5030 , CVE-2015-0313 Flash Exploit
2015-03-30 11:31:53 -05:00
28b9e89963
removed duplicate "uses" from description
2015-03-29 19:40:31 -04:00
ef8c0aac69
Land #5020 , spelling fixes for some modules
2015-03-28 00:36:04 -05:00
f84a46df63
Add module for CVE-2015-0313
2015-03-27 18:51:13 -05:00
9cfafdd8b8
Land #4649 , improve post/windows/manage/run_as and as an exploit
2015-03-27 17:31:30 -05:00
4f4bf9debb
paylod vs payload
2015-03-27 11:55:15 -07:00
0a8fe781d1
paylod vs payload
2015-03-27 11:54:14 -07:00
5ba614a325
payloda vs payload
2015-03-27 11:53:20 -07:00
2d81460583
Explot vs Exploit
2015-03-27 11:37:11 -07:00
f129347b51
Filed vs Failed fix
2015-03-27 11:28:50 -07:00
48484c1f09
Filed vs Failed fix
2015-03-27 11:27:36 -07:00
955c0557e0
Land #4988 , Relative URL for ms14_064_ole_code_execution
2015-03-26 13:36:37 -05:00
d81a246660
target_uri
2015-03-26 12:16:20 +01:00
b7f469b747
feedback
2015-03-26 07:39:36 +01:00
d84c48cb7d
Use newer hash syntax
2015-03-25 13:39:34 -05:00
72a0909e9b
Land #4992 , @wchen-r7's support for multiple ActiveX controls on BrowserExploitServerMerge
2015-03-25 13:30:36 -05:00
356e8c727c
Add specs for Msf::Java::Rmi::Client::Jmx::Server
2015-03-24 18:56:58 -05:00
39e87f927a
Make code consistent
2015-03-24 11:44:26 -05:00
49a6057f74
Grammaring harder
2015-03-24 11:10:36 -05:00
7c456f2ad8
Land #4993 , ams_xfr "payload_exe" NameError fix
2015-03-24 00:51:49 -05:00
8255e7a2dc
Fix #4987 - undef payload_exe for ams_xfr
...
Fix #4987
2015-03-24 00:42:22 -05:00
3dac6377d0
Fix #4983 , bad copy pasta'd deprecation year
2015-03-24 00:34:54 -05:00
fadac30f00
Fix deprecated year
2015-03-24 00:34:38 -05:00
6353154865
Land #4983 , renamed WordPress modules
2015-03-23 23:49:40 -05:00
e338b77389
Readd and deprecate renamed WordPress modules
2015-03-23 23:48:56 -05:00
db243a8225
x360_video_player_set_text_bof actually uses SetText for ActiveX
2015-03-23 23:36:20 -05:00
3248f02c2c
These exploits use :activex, so I update the usage for them
2015-03-23 19:34:24 -05:00
04341bfc78
Support JMX_ROLE again
2015-03-23 17:32:26 -05:00
d8d4c23d60
JMX code refactoring
2015-03-23 17:06:51 -05:00
962bb670de
Remove old JMX mixin
2015-03-23 15:48:10 -05:00
89e27d98ab
Use relative URL to GET payload for WinXP
...
Relative URLs are simpler, and allow the exploit to work on attack machines in NAT environments. Example: attack machine is NATed and does not have a DNS hostname. SRVHOST must be 0.0.0.0 but the victim cannot access the attacker from Rex::Socket.source_address
2015-03-23 14:40:06 -05:00
21a97c0926
Add exploit for R7-2015-04, Firefox Proxy RCE
2015-03-23 13:44:41 -05:00
156520338d
Making some changes to how BES handles ActiveX
2015-03-23 12:21:27 -05:00
79068c8ec2
Delete JMX discovery stream
2015-03-23 10:21:37 -05:00
b191f92713
Renamed WordPress files to fit majority naming convention.
2015-03-23 18:15:04 +11:00
2d1adf6ef4
Land #4923 , @m-1-k-3's exploit for overflow on belkin routers
2015-03-22 02:05:35 -05:00
ee74bb3c5b
The default concat operator should be ok
2015-03-22 02:05:02 -05:00
5499b68e02
Do code cleanup
2015-03-22 01:58:32 -05:00
07b82ec640
Land #4974 , minishare_get_overflow WfsDelay change
2015-03-20 18:55:58 -05:00
859b54f8a3
Land #4956 , Qualys' Exim GHOST module
2015-03-20 18:44:30 -05:00
921b9eab8e
Update minishare_get_overflow.rb
...
set WfsDelay 30
2015-03-20 23:42:54 +01:00
505ecd32fb
Update minishare_get_overflow.rb
...
Windows 2003 SP1 English, Windows 2003 SP2 English
2015-03-20 23:09:50 +01:00
0c2ed21e90
Land #4318 , Lateral movement through PSRemoting
2015-03-20 11:39:35 -05:00
23d8479683
Fix typo
2015-03-20 11:39:00 -05:00
0da79edb9c
Add a print_status to let the user know the module is over
...
If I have to run the module as a job, sometimes I can't tell if
the module has finished running or not.
2015-03-20 11:35:18 -05:00
1b67a06d35
No banner var
2015-03-20 02:26:59 -05:00
b55ffc9ff1
Change option to FORCE_EXPLOIT
2015-03-20 01:44:10 -05:00
d8539ef91a
Change datastore option's description
2015-03-19 12:22:42 -05:00
Christian Mehlmauer
William Vu
sinn3r
Roberto Soares
jvazquez-r7
Tod Beardsley
joev
Jon Cave
Pedro Ribeiro
Brent Cook
root
scriptjunkie
h00die
C-P
m-1-k-3
andygoblins
aushack
Adam Ziaja