Commit Graph

4576 Commits (72d9587a50a300813b3aa15f0cb144e16fa66579)

Author SHA1 Message Date
William Vu 8a2236ecbb
Fix the last of the Set-Cookie msftidy warnings 2014-05-29 04:42:49 -05:00
William Vu 3f86aebabf
Land #3398, CAPWAP DoS description cleanup 2014-05-28 14:55:22 -05:00
William Vu 785b53820e
Land #3399, print_error instead of print_status 2014-05-28 14:53:00 -05:00
joev c89cd24621 Rewire some snmp modules to use print_error instead of print_status. 2014-05-28 13:31:00 -05:00
Tod Beardsley 4b5c62ba8d
Dress up CAPWAP DoS desc a little. 2014-05-28 12:19:17 -05:00
jvazquez-r7 55ef5dd484
Land #3115, @silascutler's module for elasticsearch indeces enumeration 2014-05-27 11:28:34 -05:00
jvazquez-r7 2271afc1a5 Change module filename 2014-05-27 11:25:39 -05:00
jvazquez-r7 3de8beb5fd Clean code 2014-05-27 11:22:40 -05:00
jvazquez-r7 69e8286838 Fix title 2014-05-27 10:29:32 -05:00
jvazquez-r7 1316365c2f Fix description 2014-05-27 10:22:39 -05:00
jvazquez-r7 abe1d6ffc7
Land #3190, @Karmanovskii's module to fingerprint MyBB database 2014-05-27 10:20:24 -05:00
jvazquez-r7 86221de10e Fix message 2014-05-27 10:18:27 -05:00
jvazquez-r7 b96c2dd0ca Change module filename 2014-05-27 10:15:39 -05:00
jvazquez-r7 1d8c46155b Do last code cleaning 2014-05-27 10:14:55 -05:00
William Vu 352e14c21a
Land #3391, all vars_get msftidy warning fixes 2014-05-26 23:41:46 -05:00
Karmanovskii eacf70af83 Update mybb_get_type_db.rb
26.05.2014  23:26
I deleted mimicking IE11
2014-05-26 23:26:28 +04:00
jvazquez-r7 217a14e4d7
Land #3366, @jholgui's module for CVE-2013-4074 2014-05-25 18:53:30 -05:00
jvazquez-r7 33ba134147 Clean msftidy warnings and metadata 2014-05-25 18:52:01 -05:00
jvazquez-r7 d3c17d8e3e Delete wireshark_capwap_dos 2014-05-25 18:39:53 -05:00
Christian Mehlmauer da0a9f66ea
Resolved all msftidy vars_get warnings 2014-05-25 19:29:39 +02:00
JoseMi 9f166b87f6 Changed the description 2014-05-24 18:58:36 +01:00
JoseMi 71e2d19040 Adapted to auxiliary modules structure 2014-05-24 18:53:10 +01:00
Tod Beardsley 1aee0f3305
Warn if it's not UPPERCASE method (@wchen-r7)
See the discussion on f7bfab5a26, PR #3386
2014-05-23 17:10:27 -05:00
Tod Beardsley 9f78bec457
Use normalize_uri (@wchen-r7)
Instead of editing the datastore['PATH'], use normalize_uri.

Since the purpose of this module is quite fuzz-like, I didn't want to
apply the normalize_uri to the whole uri -- the original code merely
applied to datastore['PATH'] (which seems like it should be
datastore['URI'] really) and then added on a bunch of other stuff to
test for traversals.
2014-05-23 15:43:50 -05:00
Tod Beardsley f7bfab5a26
HTTP traversal shouldnt upcase METHOD (@wchen-r7)
If the user wants to use downcased or mixed case HTTP methods, heck,
more power to them. If it doesn't work, it doesn't work. No other HTTP
module makes this call.
2014-05-23 15:32:04 -05:00
Tod Beardsley 7f59cf5035
Ora XID HTTP needn't edit DBUSER (@cellabosm)
Looks like copypasta artifacts. DBUSER and DBPASS aren't ever set as
options in the module, and the module doesn't include MC's
Exploit::ORACLE mixin. It's also from four years ago and doesn't
report_auth or anything useful like that, but that's out of scope for
this branch.
2014-05-23 15:20:46 -05:00
Tod Beardsley f189033e8a
OWA bruteforce shouldnt edit datastore (@wchen-r7)
This module was written in an era where the defaults for bruteforcing
included a lot of lock-inducing behavior, thus, it was quite serious
about setting datastore options directly. Also, there was apparently a
bug in USER_AS_PASS that this module attempted to avoid by setting the
datastore directly, rather than fixing the bug directly. As far as I
know, this bug has been long since resolved.
2014-05-23 15:08:19 -05:00
Tod Beardsley fa353e6bd9
Add CVE, IBM ref for SameTime modules 2014-05-22 11:34:04 -05:00
jvazquez-r7 8a9c005f13 Add URL 2014-05-20 17:43:07 -05:00
Karmanovskii e26dee5e22 Update mybb_get_type_db.rb
19/05/2014
I deleted      -     #return Exploit::CheckCode::Unknown  # necessary ????
2014-05-19 21:32:30 +04:00
William Vu a30d6b1f2d
Quick cleanup for sap_icm_urlscan 2014-05-19 09:21:26 -05:00
William Vu dc0e649a10
Clean up case statement 2014-05-19 09:21:07 -05:00
William Vu bc64e47698
Land #3370, cleanup for sap_icm_urlscan 2014-05-19 09:16:18 -05:00
Tod Beardsley 0ef2e07012
Minor desc and status updates, cosmetic 2014-05-19 08:59:54 -05:00
Meatballs 6b1e4c3a9d
Show loot and error code 2014-05-19 11:17:58 +01:00
Meatballs 848227e18a
401 should be a valid url 2014-05-19 10:59:38 +01:00
Meatballs 5d96f54410
Be verbose about 307 2014-05-19 10:52:06 +01:00
Meatballs 88b7dc3def
re-add content length 2014-05-19 10:46:47 +01:00
Meatballs e59f104195
Use unless 2014-05-19 10:41:01 +01:00
William Vu a97d9ed54f
Land #3148, check_urlprefixes for sap_icm_urlscan 2014-05-17 16:10:52 -05:00
sappirate dd1a47f31f Modified sap_icm_urlscan to check for authentication of custom URLs
Fixed ruby coding style
2014-05-17 22:47:49 +02:00
Karmanovskii 06912ac2b6 Update mybb_get_type_db.rb
1.Changed "Rex::Proto::Http::Client" to "Msf::Exploit::Remote::HttpClient"
2.changed the name of the variable "_Version_server".
2014-05-17 16:30:29 +04:00
JoseMi 21cf0a162c Added module to crash capwap dissector in wireshark tool 2014-05-17 11:31:43 +01:00
Christian Mehlmauer 488c3e6b93
Land #3358, @jvazquez-r7 Advantech WebAccess 7.1 SQLI module 2014-05-16 21:26:41 +02:00
jvazquez-r7 2012d41b3d Add origin of the user, and mark web users 2014-05-16 13:51:42 -05:00
jvazquez-r7 4143474da9 Add support for web databases 2014-05-16 11:47:01 -05:00
jvazquez-r7 883d2f14b5 delete debug print_status 2014-05-16 11:13:03 -05:00
jvazquez-r7 ea38a2c6e5 Handle ISO-8859-1 special chars 2014-05-16 11:11:58 -05:00
jvazquez-r7 c9465a8922 Rescue when the recovered info is in a format we can't understand 2014-05-16 08:57:59 -05:00
Tod Beardsley 3c1363b990
Add new SNMP enumeration modules 2014-05-16 08:32:46 -05:00
jvazquez-r7 7ec85c9d3a Delete blank lines 2014-05-16 01:03:04 -05:00
jvazquez-r7 9091ce443a Add suport to decode passwords 2014-05-16 00:59:27 -05:00
William Vu f9982752f3
Land #3362, ax rank for aux/dos mods 2014-05-14 15:20:07 -05:00
Tod Beardsley dc57e31be1
Aux modules don't respect Rank anyway 2014-05-14 15:03:10 -05:00
jvazquez-r7 5b3bb8fb3b Fix @FireFart's review 2014-05-14 09:00:52 -05:00
Karmanovskii cbb84e854c Update mybb_get_type_db.rb
14.05.2014
Eliminated notes jvazquez-r7
2014-05-14 14:56:40 +04:00
William Vu de49241195
Land #3185, regex option validation 2014-05-14 01:27:18 -05:00
Christian Mehlmauer df4b832019
Resolved some more Set-Cookie warnings 2014-05-13 22:56:12 +02:00
jvazquez-r7 a7075c7e08 Add module for ZDI-14-077 2014-05-13 14:17:59 -05:00
Christian Mehlmauer 3f3283ba06
Resolved some msftidy warnings (Set-Cookie) 2014-05-12 21:23:30 +02:00
William Vu 92a9519fd9
Remove EOL spaces 2014-05-09 18:34:12 -05:00
jvazquez-r7 8c55858eae
Land #3309, @arnaudsoullie's changes for modblusclient 2014-05-08 10:45:19 -05:00
jvazquez-r7 25f13eac37 Clean a little response parsing 2014-05-08 10:44:53 -05:00
Arnaud SOULLIE 1f3466a3a3 Added Modbus error handling.
It now checks for error and displays the appropriate error message.
The only error simulated was "ILLEGAL ADDRESS", don't know how
to test for others.
2014-05-05 23:21:54 +02:00
William Vu e8bc89af30
Land #3337, release fixes 2014-05-05 14:03:48 -05:00
jvazquez-r7 b81f94a229
Land #3336, @todb-r7's CVEs addition 2014-05-05 13:43:04 -05:00
Tod Beardsley c6affcd6d3
Fix caps, description on F5 module
The product name isn't "Load Balancer" as far as I can tell.
2014-05-05 13:38:53 -05:00
William Vu 353a50cdd0
Land #3316, Content-Length fix for http_ntlmrelay 2014-05-05 13:38:36 -05:00
Tod Beardsley 3072c2f08a
Update CVEs for RootedCon Yokogawa modules
Noticed they were nicely documented at

http://chemical-facility-security-news.blogspot.com/2014/03/ics-cert-publishes-yokogawa-advisory.html

We apparently never updated with CVE numbers.
2014-05-05 13:25:55 -05:00
William Vu a8915f0ed8
Land #3310, OpenSSH timing attack improvements 2014-05-04 19:47:51 -05:00
Tom Sellers a47b883083 Remove redundant simple.connect
Remove redundant simple.connect. Thanks @jlee-r7
2014-05-02 12:46:50 -05:00
Tom Sellers b2eeaef475 Add admin check to smb_login
The attached updates changes smb_login to detect if the newly discovered user is an administrator.  It is based on code from Brandon McCann "zeknox" submitted in PR #1373, the associated changes, and the newer PR #2656.
The changes should correct a few issues with PR #1373 and #2656 and address Redmine bug #8773.

Specifically it:

 - Fixes the admin detection code by using simple.disconnect(<share>) instead of disconnect()
 - Adds support for detecting if the remote host will allow connects using any domain name when one of the new status codes is returned
 - Dealt with the issue in PR #2656 where the username was prefixed with a '\'


Verification

Be connected to a database
Run this against a machine with a known user and admin user
See that the admin user is reported correctly
See that the non-admin user is reported correctly
Check the output of creds
Select a target that requires a domain in order to authenticate
In the stored credentials, with CHECK_ADMIN enabled, see that the domain name is, in fact, preserved in the reporting

To validate that the remote domain ignores domain value use the following command from a windows system:

net use \\<hostip>\admin$ /user:<random_value>\<username>   <password>
2014-05-02 06:16:21 -05:00
Christian Mehlmauer f7d8a5e3a3 rework the openssl_heartbleed module 2014-05-01 21:43:58 +02:00
jvazquez-r7 d3045814a2 Add print_status messages 2014-05-01 11:05:55 -05:00
jvazquez-r7 cc2e680724 Refactor 2014-05-01 11:04:29 -05:00
jvazquez-r7 28e9057113 Refactor make_payload 2014-05-01 10:23:33 -05:00
jvazquez-r7 bd124c85cb Use metadata format for actions 2014-05-01 09:52:55 -05:00
William Vu 7777202045
Deconflict #3310 and correct the description 2014-04-30 12:02:57 -05:00
jvazquez-r7 9cd6c5ef2b
Land #3297, @Th4nat0s's F6 backends disclosure module 2014-04-30 09:31:37 -05:00
jvazquez-r7 4e80e1c239 Clean up pull request code 2014-04-30 09:31:07 -05:00
Tod Beardsley a5983b5f57
Light touchup on FP checker 2014-04-29 16:14:41 +01:00
Tod Beardsley 88efeea378
Add a false positive check 2014-04-29 16:07:42 +01:00
Arnaud SOULLIE e386855e0e Add ACTIONS descriptions 2014-04-29 16:55:05 +02:00
Tod Beardsley 4d76128937
Merge upstream and deconflict #3310 whitespace 2014-04-29 15:32:32 +01:00
Arnaud SOULLIE 04f2632972 Implement jvazquez-r7 comments 2014-04-29 16:09:47 +02:00
Rich Lundeen 60b9f855b4 Bug with HTTP POST requests (content type sent twice) 2014-04-28 18:44:02 -07:00
jvazquez-r7 4caf03b92f
Land #3301, @nodeofgithub's patch for sercomm module 2014-04-28 17:19:47 -05:00
Thanat0s 70314494ca test nil of port & host 2014-04-28 23:33:01 +02:00
Thanat0s fe3f7fd76a Obey to reviewer.. code fix 2014-04-28 23:26:29 +02:00
Tod Beardsley a6edd94c7f
Just fix refs and desc for release 2014-04-28 19:47:15 +01:00
Tod Beardsley a7e110be9e
Add a peer method, elaborate desc and prints 2014-04-28 19:41:44 +01:00
sinn3r 829b9ff4ff
Land #3308 - Fix smb_login using error_reason 2014-04-28 12:33:24 -05:00
Arnaud SOULLIE a0add34a7d Removed warning message and changed default unit number to 1 2014-04-28 15:47:10 +02:00
Pedro Laguna ab913a533e Update oracle_demantra_file_retrieval.rb
Fixed typo
2014-04-28 14:36:48 +01:00
Arnaud SOULLIE a2ccbf9833 Add read/write capabilities to modbusclient 2014-04-28 15:29:55 +02:00
Zinterax fb39e422aa Fix smb_login calling nonexistent method
When a Rex::Proto::SMB::Exceptions::InvalidWordCount exception is thrown by this module, it attempts to call the nonexistent method error_reason and throws a NoMethodError:

Auxiliary failed: NoMethodError undefined method `error_reason' for #<Rex::Proto::SMB::Exceptions::InvalidWordCount:0x007f48fcda0e48>

This changes uses the built in method get_error to return an error code.

[-] x.x.x.x:445 SMB - [1/1] - \\Domain - FAILED LOGIN (xxxxxxxx) xxxx : xxxxx [STATUS_WAIT_0]
2014-04-28 09:28:29 -04:00
Thanat0s 2396d497d8 move scanner to gather 2014-04-28 12:57:54 +02:00
Thanat0s 3bfa8ea707 Pass msftidy 2014-04-28 12:53:49 +02:00
Thanat0s f34cfefb8f Change hash to array 2014-04-28 12:52:46 +02:00
Thanat0s 6610977e86 add cookie.match and alway return 2014-04-28 12:39:32 +02:00
Thanat0s d5fe8471ed unless id 2014-04-28 12:16:49 +02:00
Thanat0s 328acc44fa Start cleaning as requested 2014-04-28 11:32:46 +02:00
nodeofgithub b80d366bb7 Add filter to output WPA-PSK password on Netgear DG834GT 2014-04-26 15:52:31 +02:00
William Vu c2bb26590c
Land #3250, version handling for Heartbleed server 2014-04-25 00:17:26 -05:00
Ramon de C Valle fd232b1acd Use the protocol version from the handshake
I used the protocol version from the record layer thinking I was using
the protocol version from the handshake. This commit fix this and uses
the protocol version from the handshake instead of from the record layer
as in https://gist.github.com/rcvalle/10335282, which is how it should
have been initially.

Thanks to @wvu-r7 for finding this out!
2014-04-25 01:48:17 -03:00
Christian Mehlmauer ef815ca992
Land #3288, Postgres support for Heartbleed scanner 2014-04-24 18:03:13 +02:00
Spencer McIntyre 9ccb9397e3
Land #3264, throttl and csv output support for module 2014-04-23 19:00:28 -04:00
Spencer McIntyre e2b92a824f Change white space for authors in dns_reverse_lookup 2014-04-23 18:56:27 -04:00
William Vu 15bd92dd50
Fix OpenSSH timing attack module 2014-04-23 10:10:37 -05:00
William Vu 0a108acea3
Fix missing comma
Commas will be the death of me.
2014-04-23 10:10:12 -05:00
William Vu 6d7fde4302
Land #3157, OpenSSH user enumeration timing attack 2014-04-23 10:01:10 -05:00
William Vu 1a2899d57b
Fix up whitespace 'n' stuff 2014-04-23 10:00:34 -05:00
Thanat0s 457c48b89b Error on sleep 2014-04-23 11:38:23 +02:00
Jonathan Claudius d70aa4cdbb Fix MSFTidy complaints 2014-04-22 22:07:25 -04:00
Jonathan Claudius b3cabaaa28 Clean up some formatting concerns 2014-04-22 21:58:14 -04:00
Jonathan Claudius f71ad111da Change return values from nil to false 2014-04-22 21:48:16 -04:00
Jonathan Claudius 3d793fc6f1 Add default VPN group fall back 2014-04-22 21:45:04 -04:00
Jonathan Claudius 4d9ece2f9a Add hyphens and digits to group regex 2014-04-22 21:34:08 -04:00
kenkeiras 96f042110f return is not needed when it's the last lifunction line 2014-04-22 22:33:47 +02:00
kenkeiras c9d8da991a Use Rex.sleep instead of select 2014-04-22 22:33:19 +02:00
kenkeiras d2a558dc85 Removed unused code 2014-04-22 22:33:02 +02:00
Wiesław Kielas 8f6567967d Heartbleed PostgreSQL TLS support improvements 2014-04-22 17:36:06 +02:00
Wiesław Kielas fbe392a896 Add PostgreSQL TLS support to the Heartbleed scanner 2014-04-21 23:27:40 +02:00
Tod Beardsley e514ff3607
Description and print_status fixes for release
@cdoughty-r7, I choose you! Or @wvu-r7.
2014-04-21 14:00:03 -05:00
William Vu 1faf069130
Land #3284, deprecated module cleanup 2014-04-20 23:10:55 -05:00
James Lee ee413ac385
Remove previously deprecated modules 2014-04-20 22:15:44 -05:00
kenkeiras b8e0187647 Use OptPath for file path options 2014-04-18 21:56:17 +02:00
kenkeiras fb0af8a799 Remove unnecesary ssh_socket variable 2014-04-18 21:50:54 +02:00
kenkeiras c875bdadf5 Change THRESHOLD into a datastore option 2014-04-18 21:18:48 +02:00
kenkeiras 8a3329c891 Password made pseudo-random instead of a bunnch of A's 2014-04-18 21:10:34 +02:00
kenkeiras 47ff820a83 Remove unnecesary 'RHOST' deregister 2014-04-18 21:06:46 +02:00
kenkeiras cc2d4f9ed7 Remove unnecesary @good_credentials 2014-04-18 21:03:22 +02:00
William Vu 7d801e3acc
Land #3200, goodbye LORCON modules :( 2014-04-18 12:32:22 -05:00
jvazquez-r7 c4d4af031c
Land #3276, @todb-r7's "make msftidy happy"'s fix 2014-04-18 09:54:52 -05:00
jvazquez-r7 5083143971
Land #3238, @Zinterax's timeout addition in openssl_heartbleed 2014-04-18 09:28:04 -05:00
Tod Beardsley 2a729c84f6
Fix disclosure date 2014-04-18 09:27:41 -05:00
jvazquez-r7 8a011ec9f6
Land #3197, @0x3fcoma's module for CVE-2013-5795 and CVE-2013-5880 2014-04-18 08:58:54 -05:00
jvazquez-r7 f3299e3ced Do minor code cleanup 2014-04-18 08:58:11 -05:00
jvazquez-r7 2366f77226 Clean timeout handling code 2014-04-18 08:16:28 -05:00
Zinterax e38f4cbfa0 Apply response_timeout to get_once, code cleanup
Add response_timeout to get_once

Change timeout output in establish_connect()

Add disconnect ater timeout output

Made establish_connect timeout check more readable
2014-04-18 07:57:33 -04:00
Zinterax fab091ca88 Fix Action => DUMP
Fix for when Action is set to DUMP. Modifed the check to use action.name.

Console output:

msf auxiliary(openssl_heartbleed) > set action DUMP
action => DUMP
msf auxiliary(openssl_heartbleed) > run

[*] 192.168.1.3:443 - Sending Client Hello...
[*] 192.168.1.3:443 - Sending Heartbeat...
[*] 192.168.1.3:443 - Heartbeat response, 17403 bytes
[+] 192.168.1.3:443 - Heartbeat response with leak
[*] 192.168.1.3:443 - Heartbeat data stored in /root/.msf4/loot/20140418070745_default_192.168.1.3_openssl.heartble_135938.bin
[*] 192.168.1.3:443 - Printable info leaked: STUFF STUFF STUFF
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
2014-04-18 07:08:12 -04:00
Zinterax 1cf1616341 Rebase. Add timeout option support
Rebase to account for the KEYS merge.

Modify bleed() to work with timeout option.

Modify establish_connect() to work with timeout option.

Modify loot_and_report() to work with timeout option.

---Test Console Output---

Client Hello Timeout:

msf auxiliary(openssl_heartbleed) > run

[*] 127.0.0.1:443 - Sending Client Hello...
[-] 127.0.0.1:443 - No Client Hello response after 10 seconds...
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Patched Apache:

msf auxiliary(openssl_heartbleed) > run

[*] 127.0.0.1:443 - Sending Client Hello...
[*] 127.0.0.1:443 - Sending Heartbeat...
[-] 127.0.0.1:443 - No Heartbeat response...
[-] 127.0.0.1:443 - Looks like there isn't leaked information...
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Vulnerable Server:

msf auxiliary(openssl_heartbleed) > run

[*] 192.168.1.3:443 - Sending Client Hello...
[*] 192.168.1.3:443 - Sending Heartbeat...
[*] 192.168.1.3:443 - Heartbeat response, 17403 bytes
[+] 192.168.1.3:443 - Heartbeat response with leak
[*] 192.168.1.3:443 - Printable info leaked: STUFF STUFF STUFF
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
2014-04-18 07:04:05 -04:00
Zinterax 021ac53911 remove me 2014-04-18 07:03:36 -04:00
Jonathan Claudius 01d843f78f Handle certificate auth nuances 2014-04-17 20:24:19 -04:00
Jonathan Claudius 6daae961cb Add parameterized requests for detection/enumeration 2014-04-17 19:40:27 -04:00
Tod Beardsley 845108acf6
Looks like an autocorrect ran wild on TLS_CALLBACK
Whoops.
2014-04-17 17:47:47 -05:00
Tod Beardsley 2aa2cb17f3
Reimplement a check. 2014-04-17 17:10:54 -05:00
Tod Beardsley d40ab039e4
Clean up whitespace. Protip: use commit hooks 2014-04-17 16:28:07 -05:00
Tod Beardsley c34d548e50
First, undo #3252. Sorry about that.
undo #3252 completely. This means a reimplementation of @dchan's work,
but his intent was simply to implement a check_host() that doesn't
actually pull memory, so that should be pretty straight forward with the
new structure of the module.
2014-04-17 16:25:15 -05:00
Jeff Jarmoc e3daf6daf7 Singular 'TLS_CALLBACK' option 2014-04-17 15:51:37 -05:00