Jay Smith
042278ed6a
Update code to reflect @OJ code suggestions
2014-07-23 11:01:43 -04:00
Jay Smith
534a5d964b
Add CVE-2014-4971 BthPan local privilege escalation
...
Add CVE-2014-4971 BthPan local privilege escalation for Windows XP SP3
2014-07-22 18:17:06 -04:00
Jay Smith
0db3a0ec97
Update code to reflect @jlee-r7's code review
2014-07-22 15:14:24 -04:00
Jay Smith
125b2df8f5
Update code to reflect @hdmoore code suggestions
2014-07-22 14:53:24 -04:00
Spencer McIntyre
7f79e58e7f
Lots and cleanups based on PR feed back
2014-07-22 14:45:00 -04:00
Spencer McIntyre
5d9c6bea9d
Fix a typo and use the execute_shellcode function
2014-07-22 13:06:57 -04:00
Spencer McIntyre
12904edf83
Remove unnecessary target info and add url reference
2014-07-22 11:20:07 -04:00
Spencer McIntyre
ca0dcf23b0
Add a simple check method for cve-2014-4971
2014-07-22 10:54:10 -04:00
Spencer McIntyre
6a545c2642
Clean up the mqac escalation module
2014-07-22 10:39:34 -04:00
Spencer McIntyre
da4eb0e08f
First commit of MQAC arbitrary write priv escalation
2014-07-22 10:04:12 -04:00
Meatballs
b0a596b4a1
Update newer modules
2014-07-20 21:59:10 +01:00
Meatballs
474ee81807
Merge remote-tracking branch 'upstream/master' into pr2075
2014-07-20 21:01:54 +01:00
Jay Smith
2be6eb16a2
Add in exploit check and version checks
...
Move the initial checking for the vboxguest device and os checks
into the MSF check routine.
2014-07-17 14:56:34 -04:00
Tod Beardsley
b050b5d1df
Rubocop -a on MS08-067
...
This reduces the number of style guide violations from 230ish to 36.
Nearly all of it has to do with errant parameters, element alignment,
and comment blocks.
Obviously, since this was all automatically fixed, some pretty severe
testing should occur before landing this.
I kind of don't like the automatic styling of the arrays for the
references, but maybe I can get used to it. It's open for discussion.
@jhart-r7 please take a look at this as well -- anything jumping out at
you on this that we should be avoiding for Rubocop?
2014-07-17 12:29:20 -05:00
Trevor Rosen
bebf11c969
Resolves some Login::Status migration issues
...
MSP-10730
2014-07-16 21:52:08 -05:00
William Vu
a07656fec6
Land #3536 , msftidy INFO messages aren't blockers
2014-07-16 17:57:48 -05:00
Tod Beardsley
58558e8dfa
Allow INFO msftidy messages
...
INFO level messages should not block commits or be complained about on
merges. They should merely inform the user.
2014-07-16 15:29:23 -05:00
sinn3r
8733dcb2f8
Land #3531 - Windows 2008 Update for HP AutoPass License
2014-07-16 15:13:05 -05:00
William Vu
ff6c8bd5de
Land #3479 , broken sock.get fix
2014-07-16 14:57:32 -05:00
William Vu
b6ded9813a
Remove EOL whitespace
2014-07-16 14:56:34 -05:00
William Vu
25f74b79b8
Land #3484 , bad pack/unpack specifier fix
2014-07-16 14:52:23 -05:00
Meatballs
7583ed4950
Merge remote-tracking branch 'upstream/master' into pr2075
2014-07-16 20:34:34 +01:00
Jay Smith
6d49f6ecdd
Update code to reflect hdmoore's code review.
2014-07-16 14:29:17 -04:00
Spencer McIntyre
82abe49754
Mark windows/misc/psh_web_delivery as deprecated
2014-07-16 14:02:05 -04:00
David Maloney
52a29856b3
Merge branch 'master' into staging/electro-release
...
Conflicts:
Gemfile
Gemfile.lock
2014-07-16 09:38:44 -05:00
Jay Smith
cef2c257dc
Add CVE-2014-2477 local privilege escalation
2014-07-16 05:49:19 -04:00
jvazquez-r7
6d05a24653
Add target information
2014-07-15 17:45:45 -05:00
jvazquez-r7
604a612393
Have into account differences between windows default installs
2014-07-15 15:03:07 -05:00
jvazquez-r7
8937fbb2f5
Fix email format
2014-07-11 12:45:23 -05:00
James Lee
62a2f1dc0a
Credential -> Model for realm key constants
2014-07-10 14:30:25 -05:00
David Maloney
aeda74f394
Merge branch 'master' into staging/electro-release
...
Conflicts:
Gemfile
Gemfile.lock
2014-07-07 16:41:23 -05:00
Tod Beardsley
9fef2ca0f3
Description/whitespace changes (minor)
...
Four modules updated for the weekly release with minor cosmetic fixes.
- [ ] See all affected modules still load.
- [ ] See all affected modules have expected `info`
2014-07-07 12:39:05 -05:00
jvazquez-r7
cd6b83858b
Add new Yokogawa SCADA exploit
2014-07-07 11:20:49 -05:00
HD Moore
43d65cc93a
Merge branch 'master' into feature/recog
...
Resolves conflicts:
Gemfile
data/js/detect/os.js
modules/exploits/android/browser/webview_addjavascriptinterface.rb
2014-07-06 09:17:44 -05:00
sinn3r
79c433e7ea
Land #3480 - Oracle Event Processing FileUploadServlet Arbitrary File Upload
2014-07-03 14:09:12 -05:00
sinn3r
c207d14d1f
Update description
2014-07-03 14:08:31 -05:00
jvazquez-r7
5e0211016d
Merge to solve conflicts
2014-07-03 09:16:04 -05:00
sinn3r
21f6e7bf6c
Change description
2014-07-01 10:44:21 -05:00
sinn3r
449fde5e7c
Description update
2014-07-01 10:26:52 -05:00
sinn3r
c43006f820
Update cogent module description, fix msftidy warnings
2014-07-01 10:06:33 -05:00
HD Moore
c9b6c05eab
Fix improper use of host-endian or signed pack/unpack
...
Note that there are some cases of host-endian left, these
are intentional because they operate on host-local memory
or services.
When in doubt, please use:
```
ri pack
```
2014-06-30 02:50:10 -05:00
HD Moore
6e8415143c
Fix msftidy and tweak a few modules missing timeouts
2014-06-30 00:46:28 -05:00
jvazquez-r7
1acd5e76cb
Add check code for event processing 12
2014-06-29 15:47:57 -05:00
jvazquez-r7
a94396867c
Add module for ZDI-14-106, Oracle Event Processing
2014-06-29 15:44:20 -05:00
Spencer McIntyre
faa9c11450
Dont deregister an option that is in use
2014-06-28 18:22:17 -04:00
Spencer McIntyre
748589f56a
Make cmdstager flavor explicit or from info
...
Every module that uses cmdstager either passes the flavor
as an option to the execute_cmdstager function or relies
on the module / target info now.
2014-06-28 17:40:49 -04:00
HD Moore
e806222512
Fix bad copypast, sock.get usage, HTTP mistakes
2014-06-28 16:18:16 -05:00
HD Moore
baa877ef17
Switch to get_once for consistency
2014-06-28 16:10:49 -05:00
HD Moore
c8e44c341c
Fix use of sock.get vs sock.get_once
2014-06-28 16:10:18 -05:00
HD Moore
5e900a9f49
Correct sock.get() to sock.get_once() to prevent indefinite hangs/misuse
2014-06-28 16:06:46 -05:00
HD Moore
6e80481384
Fix bad use of sock.get() and check() implementations
...
Many of these modules uses sock.get() when they meant get_once()
and their HTTP-based checks were broken in some form. The response
to the sock.get() was not being checked against nil, which would
lead to stack traces when the service did not reply (a likely
case given how malformed the HTTP requests were).
2014-06-28 16:05:05 -05:00
HD Moore
3868348045
Fix incorrect use of sock.get that leads to indefinite hang
2014-06-28 15:48:58 -05:00
David Maloney
b680674b95
Merge branch 'master' into staging/electro-release
2014-06-27 11:55:57 -05:00
Spencer McIntyre
219153c887
Raise NotImplementedError and let :flavor be guessed
2014-06-27 08:34:56 -04:00
Spencer McIntyre
4d4c5e5d6e
Update two modules to use the new cmd stager
2014-06-27 08:34:56 -04:00
jvazquez-r7
45248dcdec
Add YARD documentation for methods
2014-06-27 08:34:56 -04:00
jvazquez-r7
870fa96bd4
Allow quotes in CmdStagerFlavor metadata
2014-06-27 08:34:56 -04:00
jvazquez-r7
91e2e63f42
Add CmdStagerFlavor to metadata
2014-06-27 08:34:55 -04:00
jvazquez-r7
d47994e009
Update modules to use the new generic CMDstager mixin
2014-06-27 08:34:55 -04:00
jvazquez-r7
7ced5927d8
Use One CMDStagermixin
2014-06-27 08:34:55 -04:00
Spencer McIntyre
ae25c300e5
Initial attempt to unify the command stagers.
2014-06-27 08:34:55 -04:00
sinn3r
a60dfdaacb
Land #3471 - HP AutoPass License Server File Upload
2014-06-26 14:34:32 -05:00
sinn3r
ce5d3b12e7
Land #3403 - MS13-097 Registry Symlink IE Sandbox Escape
2014-06-26 13:48:28 -05:00
sinn3r
0b6f7e4483
Land #3404 - MS14-009 .NET Deployment Service IE Sandbox Escape
2014-06-26 11:45:47 -05:00
David Maloney
9cec330f05
Merge branch 'master' into staging/electro-release
2014-06-26 10:22:30 -05:00
Joshua Smith
3ed7050b67
Lands 3420 after wrapping most lines at 80
2014-06-24 17:37:43 -05:00
Joshua Smith
3fe162a8b1
wraps most lines at 80
2014-06-24 17:36:10 -05:00
jvazquez-r7
267642aa4b
Fix description
2014-06-23 09:20:47 -05:00
jvazquez-r7
cc3c06440f
Add module for ZDI-14-195, HP AutoPass License Traversal
2014-06-23 09:19:56 -05:00
jvazquez-r7
a081beacc2
Use Gem::Version for string versions comparison
2014-06-20 09:44:29 -05:00
David Maloney
2b0bb608b1
Merge branch 'master' into staging/electro-release
2014-06-18 10:49:58 -05:00
OJ
5879ca3340
Merge branch 'upstream/master' into meatballs x64_injection
2014-06-18 10:24:33 +10:00
Joshua Smith
bab1e30557
Land #3460 , Ericom AccessNow Server BOF exploit
2014-06-17 19:10:34 -05:00
Joshua Smith
9af9d2f5c2
slight cleanup
2014-06-17 19:08:31 -05:00
jvazquez-r7
1133332702
Finish module
2014-06-17 15:01:35 -05:00
jvazquez-r7
8f8af0e93a
Add draft version
2014-06-17 14:21:49 -05:00
Christian Mehlmauer
03fa858089
Added newline at EOF
2014-06-17 21:05:00 +02:00
Christian Mehlmauer
8e1949f3c8
Added newline at EOF
2014-06-17 21:03:18 +02:00
jvazquez-r7
2fe7593559
Land #3433 , @TecR0c's exploit for Easy File Management Web Server
2014-06-13 09:54:12 -05:00
David Maloney
96e492f572
Merge branch 'master' into staging/electro-release
2014-06-12 14:02:27 -05:00
William Vu
cb91b2b094
Fix broken table indent (s/Ident/Indent/ hash key)
2014-06-12 13:41:44 -05:00
HD Moore
d5b32e31f8
Fix a typo where platform was 'windows' not 'win'
...
This was reported by dracu on freenode
2014-06-11 15:10:33 -05:00
David Maloney
9593422f9c
Merge branch 'master' into staging/electro-release
2014-06-11 10:23:56 -05:00
jvazquez-r7
34f98ddc50
Do minor cleanup
2014-06-11 09:20:22 -05:00
TecR0c
b27b00afbb
Added target 4.0 and cleaned up exploit
2014-06-11 06:22:47 -07:00
TecR0c
f1382af018
Added target 4.0 and cleaned up exploit
2014-06-11 06:20:49 -07:00
jvazquez-r7
a554b25855
Use EXITFUNC
2014-06-10 09:51:06 -05:00
TecR0c
3d33a82c1c
Changed to unless
2014-06-09 09:31:14 -07:00
TecR0c
1252eea4b9
Changed to unless
2014-06-09 09:26:03 -07:00
David Maloney
482aa2ea08
Merge branch 'master' into staging/electro-release
2014-06-09 10:27:22 -05:00
TecR0c
52d26f290f
Added check in exploit func
2014-06-09 03:23:14 -07:00
TecR0c
8ecafbc49e
Easy File Management Web Server v5.3 Stack Buffer Overflow
2014-06-08 04:21:14 -07:00
Brendan Coles
6bef6edb81
Update efs_easychatserver_username.rb
...
Add targets for versions 2.0 to 3.1.
Add install path detection for junk size calculation.
Add version detection for auto targeting.
2014-06-08 06:36:18 +10:00
Meatballs
936c7088ad
Merge branch 'master' into psexec_refactor_round2
...
Conflicts:
lib/msf/core/exploit/smb/psexec.rb
modules/exploits/windows/smb/psexec.rb
2014-06-07 13:38:30 +01:00
Meatballs
bf1a665259
Land #2657 , Dynamic generation of windows service executable functions
...
Allows a user to specify non service executables as EXE::Template as
long as the file has enough size to store the payload.
2014-06-07 13:28:20 +01:00
jvazquez-r7
079fe8622a
Add module for ZDI-14-136
2014-06-04 10:29:33 -05:00
jvazquez-r7
43699b1dfb
Don't clean env variable before using it
2014-06-03 09:56:19 -05:00
jvazquez-r7
b8a2cf776b
Do test
2014-06-03 09:52:01 -05:00
jvazquez-r7
05ed2340dc
Use powershell
2014-06-03 09:29:04 -05:00
jvazquez-r7
f918bcc631
Use powershell instead of mshta
2014-06-03 09:01:56 -05:00
David Maloney
07093ada58
add realm handling to psexec
...
oops, forgot to create the realm when applicable
2014-06-02 14:53:40 -05:00
jvazquez-r7
9574a327f8
use the new check also in exploit()
2014-06-02 14:38:33 -05:00
jvazquez-r7
3c38c0d87c
Dont be confident about string comparision
2014-06-02 14:37:29 -05:00
David Maloney
361b9a1616
psexec credential refactor
...
refactor psexec credential reporting
to use Metasploit::Credential
2014-06-02 14:20:54 -05:00
jvazquez-r7
d0241cf4c1
Add check method
2014-06-02 08:14:40 -05:00
jvazquez-r7
31af8ef07b
Check .NET version
2014-06-01 20:58:08 -05:00
Meatballs
3c5fae3706
Use correct include
2014-06-01 11:51:06 +01:00
Meatballs
4801a7fca0
Allow x86->x64 injection
2014-06-01 11:50:13 +01:00
jvazquez-r7
3ae4a16717
Clean environment variables
2014-05-30 12:21:23 -05:00
jvazquez-r7
b99b577705
Clean environment variable
2014-05-30 12:20:00 -05:00
jvazquez-r7
b27a95c008
Delete unused code
2014-05-30 12:08:55 -05:00
jvazquez-r7
e215bd6e39
Delete unnecessary code and use get_env
2014-05-30 12:07:59 -05:00
jvazquez-r7
1dbd36a3dd
Check for the .NET dfsvc and use %windir%
2014-05-30 09:02:43 -05:00
jvazquez-r7
ffbcbe8cc1
Use cmd_psh_payload
2014-05-29 18:12:18 -05:00
jvazquez-r7
03889ed31f
Use cmd_psh_payload
2014-05-29 18:11:22 -05:00
jvazquez-r7
e145298c13
Add module for CVE-2014-0257
2014-05-29 11:45:19 -05:00
jvazquez-r7
6e122e683a
Add module for CVE-2013-5045
2014-05-29 11:42:54 -05:00
HD Moore
583dab62b2
Introduce and use OS matching constants
2014-05-28 14:35:22 -05:00
William Vu
352e14c21a
Land #3391 , all vars_get msftidy warning fixes
2014-05-26 23:41:46 -05:00
Christian Mehlmauer
da0a9f66ea
Resolved all msftidy vars_get warnings
2014-05-25 19:29:39 +02:00
Christian Mehlmauer
8d4d40b8ba
Resolved some Set-Cookie warnings
2014-05-24 00:34:46 +02:00
jvazquez-r7
b9464e626e
Delete unnecessary line
2014-05-21 10:18:03 -05:00
jvazquez-r7
af415c941b
[SeeRM #8803 ] Avoid false positives when checking fb_cnct_group
2014-05-20 18:44:28 -05:00
Jonas Vestberg
7cabfacfa3
Test adobe_flash_pixel_bender_bof on Safari 5.1.7
...
Added browser-requirement for Safari after successful test using Safari 5.1.7 with Adobe Flash Player 13.0.0.182 running on Windows 7 SP1.
2014-05-20 01:43:19 +02:00
Meatballs
52b182d212
Add a small note to bypassuac_injection concerning EXE::Custom
2014-05-19 22:00:35 +01:00
Meatballs
b84379ab3b
Note about EXE::Custom
2014-05-19 22:00:09 +01:00
HD Moore
ddc8a4f103
Merge branch 'master' of github.com:rapid7/metasploit-framework into feature/recog
2014-05-19 11:42:30 -05:00
Tod Beardsley
0ef2e07012
Minor desc and status updates, cosmetic
2014-05-19 08:59:54 -05:00
sinn3r
bf52c0b888
Land #3364 - Symantec Workspace Streaming Arbitrary File Upload
2014-05-19 00:25:33 -05:00
jvazquez-r7
2fb0dbb7f8
Delete debug print_status
2014-05-18 23:34:04 -05:00
jvazquez-r7
975cdcb537
Allow exploitation also on FF
2014-05-18 23:24:01 -05:00
Jonas Vestberg
033757812d
Updates to adobe_flash_pixel_bender_bof:
...
1. Added embed-element to work with IE11 (and Firefox). Removed browser-requirements for ActiveX (clsid and method).
2. Added Cache-Control header on SWF-download to avoid AV-detection (no disk caching = no antivirus-analysis :).
Testing performed:
Successfully tested with Adobe Flash Player 13.0.0.182 with IE9, IE10 and IE11 running on Windows 7SP1. (Exploit will trigger on FF29, although sandboxed.)
2014-05-18 22:43:51 +02:00
HD Moore
a844b5c30a
Merge branch 'master' of github.com:hmoore-r7/metasploit-framework into feature/recog
...
Conflicts:
Gemfile
Gemfile.lock
data/js/detect/os.js
lib/msf/core/exploit/remote/browser_exploit_server.rb
2014-05-18 10:50:32 -05:00
jvazquez-r7
1b68abe955
Add module for ZDI-14-127
2014-05-15 13:41:52 -05:00
William Vu
750b6fc218
Land #3348 , some Ruby warning fixes
2014-05-14 01:25:10 -05:00
William Vu
c421b8e512
Change if not to unless
2014-05-14 01:24:29 -05:00
agix
1a3b319262
rebase to use the mixin psexec
2014-05-13 16:04:40 +02:00
agix
d3f2414d09
Fix merging typo
2014-05-13 16:04:40 +02:00
Florian Gaultier
808f87d213
SERVICE_DESCRIPTION doesn't concern this PR
2014-05-13 16:04:39 +02:00
Florian Gaultier
6332957bd2
Try to add SERVICE_DESCRIPTION options to psexec, but it doesn't seem to work...
2014-05-13 16:04:39 +02:00
Florian Gaultier
5ecebc3427
Add options `SERVICE_NAME` and `SERVICE_DISPLAYNAME` to psexec and correct service payload generation
2014-05-13 16:04:37 +02:00
Florian Gaultier
ca7a2c7a36
Add string_to_pushes to use non fixed size service_name
2014-05-13 16:04:37 +02:00
Florian Gaultier
513f3de0f8
new service exe creation refreshed
2014-05-13 16:04:36 +02:00
Jeff Jarmoc
5f523e8a04
Rex::Text::uri_encode - make 'hex-all' really mean all.
...
'hex-all' encoding was previously ignoring slashes.
This pull adds 'hex-noslashes' mode which carries forward the previous functionality, and replaces all existing references to 'hex-all' with 'hex-noslashes' It then adds a replacement 'hex-all' mode, which really encodes *ALL* characters.
2014-05-12 11:26:27 -05:00
Christian Mehlmauer
557cd56d92
fixed some ruby warnings
2014-05-10 23:31:02 +02:00
jvazquez-r7
f56ea01988
Add module
2014-05-09 10:27:41 -05:00
jvazquez-r7
6b41a4e2d9
Test Flash 13.0.0.182
2014-05-07 17:39:22 -05:00
jvazquez-r7
5fd732d24a
Add module for CVE-2014-0515
2014-05-07 17:13:16 -05:00
William Vu
e8bc89af30
Land #3337 , release fixes
2014-05-05 14:03:48 -05:00
Tod Beardsley
c97c827140
Adjust desc and ranking on ms13-053
...
Since it's likely to crash winlogin.exe in the normal use case
(eventually), I've kicked this down to Average ranking.
2014-05-05 13:46:19 -05:00
Tod Beardsley
3072c2f08a
Update CVEs for RootedCon Yokogawa modules
...
Noticed they were nicely documented at
http://chemical-facility-security-news.blogspot.com/2014/03/ics-cert-publishes-yokogawa-advisory.html
We apparently never updated with CVE numbers.
2014-05-05 13:25:55 -05:00
sinn3r
6bfc9a8aa0
Land #3333 - Adobe Flash Player Integer Underflow Remote Code Execution
2014-05-05 10:39:26 -05:00
OJ
7e37939bf2
Land #3090 - Windows NTUserMessageCall Win32k Kernel Pool Overflow (Schlamperei)
2014-05-04 16:41:17 +10:00
jvazquez-r7
5b150a04c6
Add testing information to description
2014-05-03 20:08:00 -05:00
jvazquez-r7
b4c7c5ed1f
Add module for CVE-2014-0497
2014-05-03 20:04:46 -05:00
Meatballs
56c5eac823
Message correction
2014-05-02 14:18:18 +01:00
Meatballs
69915c0de5
Message correction
2014-05-02 14:17:27 +01:00
William Vu
8b138b2d37
Fix unquoted path in cleanup script
2014-04-30 16:34:33 -05:00
kaospunk
6b740b727b
Changes PATH to proper case
...
This changes PATH to Path
2014-04-30 17:26:36 -04:00
kaospunk
fdc81b198f
Adds the ability to specify path
...
This update allows an explicit path to be set rather
than purely relying on the TEMP environment variable.
2014-04-30 16:08:48 -04:00
sinn3r
4c0a692678
Land #3312 - Update ms14-012
2014-04-28 18:48:20 -05:00
sinn3r
b1ac0cbdc7
Land #3239 - Added target 6.1 to module
2014-04-28 18:28:14 -05:00
jvazquez-r7
1c88dea7d6
Exploitation also works with flash 13
2014-04-28 16:23:05 -05:00
sinn3r
d530c9c128
Land #3304 - Adobe Flash Player Type Confusion Remote Code Execution
2014-04-28 15:06:50 -05:00
Tod Beardsley
1b4fe90003
Fix msftidy warnings on wireshark exploits
2014-04-28 19:51:38 +01:00
jvazquez-r7
9ce5545034
Fix comments
2014-04-27 20:13:46 -05:00
jvazquez-r7
60e7e9f515
Add module for CVE-2013-5331
2014-04-27 10:40:46 -05:00
sinn3r
656e60c35c
Land #3254 - Wireshark <= 1.8.12/1.10.5 wiretap/mpeg.c Stack BoF
2014-04-24 13:20:50 -05:00
sinn3r
cde9080a6a
Move module to fileformat
2014-04-24 13:17:08 -05:00
sinn3r
a39855e20d
Works for XP SP3 too
2014-04-24 13:16:24 -05:00
sinn3r
ba8d7801f4
Remove default target because there is no auto-select
2014-04-24 13:15:49 -05:00
sinn3r
2e76db01d7
Try to stick to the 100 columns per line rule
2014-04-24 13:15:12 -05:00
JoseMi
fd95d9ef38
Added english windows xp sp2 target
2014-04-23 17:32:56 +01:00
Meatballs
d73854ff17
Fix wmi and add automatic target
2014-04-22 14:28:27 +01:00
Tod Beardsley
e514ff3607
Description and print_status fixes for release
...
@cdoughty-r7, I choose you! Or @wvu-r7.
2014-04-21 14:00:03 -05:00
Ken Smith
66b1c79da9
Update rop chain for versions 6.2 and 6.1
2014-04-21 13:27:14 -04:00
JoseMi
e25ca64641
It's solved the crash when double-click on the pcap file
2014-04-21 17:49:40 +01:00
Meatballs
5d9bc71e97
Update hp_dataprotector
2014-04-19 19:16:17 +01:00
Meatballs
3019cb99c1
Update cmd_upgrade module
2014-04-19 19:13:48 +01:00
Meatballs
00234aeec3
Remove powershell remoting
2014-04-19 19:03:18 +01:00
Meatballs
67f44072ca
Merge remote-tracking branch 'upstream/master' into pr2075
2014-04-19 18:45:55 +01:00
JoseMi
3861541204
Add more rand_text_alpha functions
2014-04-19 18:37:58 +01:00
JoseMi
7bc546e69a
Add rand_text_alpha function
2014-04-19 17:45:28 +01:00
JoseMi
feea4c1fa6
ROP chain changed
2014-04-18 19:05:53 +01:00
William Vu
7d801e3acc
Land #3200 , goodbye LORCON modules :(
2014-04-18 12:32:22 -05:00
jvazquez-r7
acb12a8bef
Beautify and fix both ruby an AS
2014-04-17 23:32:29 -05:00
RageLtMan
5c3289bbc6
merge fix
2014-04-17 21:26:04 -04:00
jvazquez-r7
91d9f9ea7f
Update from master
2014-04-17 15:32:49 -05:00
jvazquez-r7
749e141fc8
Do first clean up
2014-04-17 15:31:56 -05:00
sinn3r
23c2a071cd
Small name change
2014-04-15 18:35:00 -05:00
jvazquez-r7
abd76c5000
Add module for CVE-2014-0322
2014-04-15 17:55:24 -05:00
Meatballs
38d8df4040
Merge remote-tracking branch 'upstream/master' into pr2075
...
Conflicts:
modules/exploits/windows/local/wmi.rb
2014-04-15 22:06:45 +01:00
JoseMi
e811e169dc
Cambios en el exploit
2014-04-14 16:31:54 +01:00
JoseMi
da26a39634
Add CVE-2014-2219 exploit for windows XP SP3
2014-04-14 16:16:10 +01:00
Ken Smith
c99f6654e8
Added target 6.1 to module
2014-04-11 09:59:11 -04:00
Tod Beardsley
062175128b
Update @Meatballs and @FireFart in authors.rb
2014-04-09 10:46:10 -05:00
Spencer McIntyre
3f6c8afbe3
Fix typo of MSCOMCTL not MCCOMCTL
2014-04-08 14:52:18 -04:00
Spencer McIntyre
85197dffe6
MS14-017 Word RTF listoverridecount memory corruption
2014-04-08 14:44:20 -04:00
Tod Beardsley
17ddbccc34
Remove the broken lorcon module set
...
None of the lorcon / lorcon2 modules have been functional for a long
time, due to the lack of a "Lorcon" gem. It's unclear where it went.
I'm happy to include it and get these working again, but until someone
comes up with some functional code (hint: 'gem install' doesn't work) I
don't see any reason to keep shipping these.
Is there some trick people are doing to make these work? As far as I can
see, they are broken by default.
````
msf auxiliary(wifun) > show options
Module options (auxiliary/dos/wifi/wifun):
Name Current Setting Required Description
---- --------------- -------- -----------
CHANNEL 11 yes The initial channel
DRIVER autodetect yes The name of the wireless driver
for lorcon
INTERFACE wlan0 yes The name of the wireless
interface
msf auxiliary(wifun) > run
[*] The Lorcon2 module is not available: cannot load such file --
Lorcon2
[-] Auxiliary failed: RuntimeError Lorcon2 not available
[-] Call stack:
[-]
/home/todb/git/rapid7/metasploit-framework/lib/msf/core/exploit/lorcon2.rb:67:in
`open_wifi'
[-]
/home/todb/git/rapid7/metasploit-framework/modules/auxiliary/dos/wifi/wifun.rb:29:in
`run'
[*] Auxiliary module execution completed
````
2014-04-07 16:37:10 -05:00
Tod Beardsley
7572d6612e
Spelling and grammar on new release modules
2014-04-07 12:18:13 -05:00
jvazquez-r7
56bd35c8ce
Add module for WinRAR spoofing vulnerability
2014-04-07 09:21:49 -05:00
Meatballs
2c9209f8b1
Auto persist
2014-04-05 18:50:49 +01:00
Meatballs
410b1c607f
Refactor to new psexec style
2014-04-02 21:16:19 +01:00
Meatballs
ca2fb3da65
Merge branch 'master' into psexec_refactor_round2
...
Conflicts:
lib/msf/core/exploit/smb/psexec.rb
modules/exploits/windows/smb/psexec.rb
2014-04-02 21:01:45 +01:00
jvazquez-r7
a85d451904
Add module for CVE-2014-2314
2014-04-02 14:49:31 -05:00
agix
4a575d57ab
Try to fix Meatballs1 suggestions : optional service_description change call
2014-04-02 20:33:09 +01:00
agix
b636a679ae
Erf, sorry, fixed now
2014-04-02 20:33:08 +01:00
agix
631a7b9c48
Adapt to new psexec mixin (first try :D)
2014-04-02 20:33:08 +01:00
Florian Gaultier
978bdbb676
Custom Service Description
2014-04-02 20:33:07 +01:00
HD Moore
a7a0a306f9
Fix usage of os_flavor for target matching
2014-04-02 07:23:30 -07:00
HD Moore
55d9928186
Fix use of os_flavor to ensure correct target matching
2014-04-02 07:21:54 -07:00
HD Moore
be4a366eab
Fix up two modules using the old os_flavor definition
2014-04-02 07:19:47 -07:00
HD Moore
7e227581a7
Rework OS fingerprinting to match Recog changes
...
This commit changes how os_name and os_flavor are handled
for client-side exploits, matching recent changes to the
server-side exploits and scanner fingerprints.
This commit also updates the client-side fingerprinting to
take into account Windows 8.1 and IE 9, 10, and 11.
2014-04-01 08:14:58 -07:00
William Vu
cf2589ba8d
Land #3162 , Microsoft module name changes
2014-03-28 23:10:27 -05:00
sinn3r
d7ca537a41
Microsoft module name changes
...
So after making changes for MSIE modules (see #3161 ), I decided to
take a look at all MS modules, and then I ended up changing all of
them. Reason is the same: if you list modules in an ordered list
, this is a little bit easier to see for your eyes.
2014-03-28 20:56:53 -05:00
sinn3r
466096f637
Add MSB number to name
2014-03-28 20:33:40 -05:00
jvazquez-r7
f7b1874e7d
Land #3151 , @wchen-r7's use of BrowserExploitServer in ms13-59's exploit
2014-03-28 14:43:38 -05:00
sinn3r
8ec10f7438
Use BrowserExploitServer for MS13-059 module
2014-03-26 17:49:01 -05:00
jvazquez-r7
19918e3207
Land #3143 , @wchen-r7's switch to BrowserExploitServer on ie_setmousecapture_uaf
2014-03-26 14:16:35 -05:00
sinn3r
fdc355147f
Use BrowserExploitServer mixin for ie_setmousecapture_uaf.rb
2014-03-25 18:41:47 -05:00
sinn3r
6c206e4ced
Add a comment about what this build version range is covering
2014-03-25 11:43:13 -05:00
sinn3r
7108d2b90a
Add ua_ver and mshtml_build requirements
...
This vulnerability is specific to certain builds of IE9.
2014-03-25 11:35:35 -05:00
Tod Beardsley
cfdd64d5b1
Title, description grammar and spelling
2014-03-24 12:16:59 -05:00
Meatballs
b524507e4e
Merge remote-tracking branch 'upstream/master' into land_2551
...
Conflicts:
modules/exploits/windows/local/ask.rb
2014-03-22 18:14:45 +00:00
Meatballs
7b2f0a64fc
Tidy up
2014-03-22 18:07:57 +00:00
Meatballs
04506d76f3
Dont check for admin
2014-03-22 17:57:27 +00:00
jvazquez-r7
a5afd929b4
Land #3120 , @wchen-r7's exploit for CVE-2014-0307
2014-03-20 11:16:40 -05:00
jvazquez-r7
8cb7bc3cbe
Fix typo
2014-03-20 11:13:57 -05:00
sinn3r
c5158a3ccc
Update CVE
2014-03-19 22:13:23 -05:00
Tod Beardsley
d27264b402
Land #2782 , fix expand_path abuse
2014-03-19 08:41:28 -05:00
Meatballs
8082c19469
Allow servicename/displayname to be set
...
Tidyup psexec some more
2014-03-19 13:16:14 +00:00
sinn3r
2e76faa076
Add MS14-012 Internet Explorer Use-After-Free Exploit Module
...
Add MS14-012 IE UAF.
2014-03-18 17:55:56 -05:00
Tod Beardsley
8f2124f5da
Minor updates for release
...
Fixes some title/desc action.
Adds a print_status on the firefox module so it's not just silent.
Avoids the use of "puts" in the description b/c this freaks out msftidy
(it's a false positive but easily worked around).
2014-03-17 13:26:26 -05:00
David Maloney
da0c37cee2
Land #2684 , Meatballs PSExec refactor
2014-03-14 13:01:20 -05:00
OJ
409787346e
Bring build tools up to date, change some project settings
...
This commit brings the source into line with the general format/settings
that are used in other exploits.
2014-03-14 22:57:16 +10:00
sinn3r
243fa4f56a
Land #2910 - MPlayer Lite M3U Buffer Overflow
2014-03-13 14:13:17 -05:00
sinn3r
e832be9eeb
Update description and change ranking
...
The exploit requires the targeted user to open the malicious in
specific ways.
2014-03-13 14:09:37 -05:00
kyuzo
41720428e4
Refactoring exploit and adding build files for dll.
2014-03-12 10:25:52 +00:00
William Vu
517f264000
Add last chunk of fixes
2014-03-11 12:46:44 -05:00
William Vu
25ebb05093
Add next chunk of fixes
...
Going roughly a third at a time.
2014-03-11 12:23:59 -05:00
OJ
3ea3968d88
Merge branch 'upstream/master' into stop_abusing_expand_path
...
Conflicts:
lib/msf/core/post/windows/shadowcopy.rb
modules/exploits/windows/local/bypassuac.rb
modules/post/windows/gather/wmic_command.rb
modules/post/windows/manage/persistence.rb
2014-03-11 23:13:39 +10:00
jvazquez-r7
bc8590dbb9
Change DoS module location
2014-03-10 16:12:20 +01:00
jvazquez-r7
1061036cb9
Use nick instead of name
2014-03-10 16:11:58 +01:00
Tod Beardsley
5485028501
Add 3 Yokogawa SCADA vulns
...
These represent our part for public disclosure of the issues listed
here:
http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf
Yokogawa is calling these YSAR-14-0001E, and I think that they map
thusly:
YSAR-14-0001E Vulnerability 1 :: R7-2013-19.1
YSAR-14-0001E Vulnerability 2 :: R7-2013-19.3
YSAR-14-0001E Vulnerability 3 :: R7-2013-19.4
@jvazquez-r7 if you could confirm, I'd be delighted to land these and
get your disclosure blog post published at:
https://community.rapid7.com/community/metasploit/blog/2014/03/10/yokogawa-centum-cs3000-vulnerabilities
Thanks for all the work on these!
2014-03-10 09:33:54 -05:00
kyuzo
257c121c75
Adding MS013-058 for Windows7 x86
2014-03-06 20:34:01 +00:00
kyuzo
2a1e96165c
Adding MS013-058 for Windows7 x86
2014-03-06 18:39:34 +00:00
Brendan Coles
df2bdad4f9
Include 'msf/core/exploit/powershell'
...
Prevent:
```
[-] /pentest/exploit/metasploit-framework/modules/exploits/windows/misc/hp_dataprotector_exec_bar.rb: NameError uninitialized constant Msf::Exploit::Powershell
```
2014-03-06 12:57:43 +11:00
sinn3r
9d0743ae85
Land #3030 - SolidWorks Workgroup PDM 2014 pdmwService.exe Arbitrary File Write
2014-03-05 16:34:54 -06:00
bcoles
1ea35887db
Add OSVDB reference
2014-03-06 01:40:15 +10:30
jvazquez-r7
4e9350a82b
Add module for ZDI-14-008
2014-03-05 03:25:13 -06:00