Commit Graph

22015 Commits (819236c6eccc2b5c8e538e0b8d5989d9f2a2a62d)

Author SHA1 Message Date
jvazquez-r7 75aaded842
Land #2471, @pyoor's exploit for CVE-2013-5743 2013-10-14 14:03:28 -05:00
jvazquez-r7 a6f17c3ba0 Clean zabbix_sqli 2013-10-14 14:01:58 -05:00
William Vu 07772cebb0 Land #2519, undefined method fix for msfcli 2013-10-14 13:56:07 -05:00
joev 183940308b Add another nil check, just to be safe. 2013-10-14 13:55:54 -05:00
joev 20a145f1e7 Check for prop in prototype, not constructor. 2013-10-14 13:51:45 -05:00
joev 488ed5bd4a Add new feature detection logic for FF 23 and 24. 2013-10-14 13:41:26 -05:00
William Vu 35dd94f0ac Land #2518, uninitialized JavascriptOSDetect fix 2013-10-14 13:32:04 -05:00
sinn3r 5514736deb [FixRM 8489] undefined method `empty?' for nil:NilClass in msfcli
This fixes a undefined method `empty?' for nil:NilClass (NoMethodError)
in msfcli. [SeeRM 8489]
2013-10-14 13:13:56 -05:00
sinn3r e10dbf8a5d
Land #2508 - Add nodejs payloads 2013-10-14 12:23:31 -05:00
sinn3r da3081e1c8 [FixRM 8482] Fix uninit constant Rex::Exploitation::JavascriptOSDetect
This fixes an uninit constant Rex::Exploitation::JavascriptOSDetect
while using a module with js_os_detect. It was originally reported
by Metasploit user @viniciuskmax

[FixRM 8482]
2013-10-14 11:40:46 -05:00
MrXors fc62b4c4ed removed global var from file_on_target and useless code 2013-10-14 09:16:54 -07:00
William Vu eab90e1a2e Land #2491, missing platform info update 2013-10-14 10:38:25 -05:00
MrXors 17e5c63f7f removed debugging prompts 2013-10-14 00:29:24 -07:00
MrXors b505234bf6 cleand up code and add run function 2013-10-14 00:12:37 -07:00
root de156dc8da new exploit module for CVE-2008-2286, Altiris DS 2013-10-13 22:39:49 -04:00
sinn3r 698ce6ec34
Land #2516 - DLink xmlset_roodkcableoj28840ybtide user-agent backdoor module 2013-10-13 19:30:41 -05:00
sinn3r 2a1ade2541 Add disclosure date and some explanation about it 2013-10-13 19:29:51 -05:00
jvazquez-r7 e2c5e6c19f Fix email format 2013-10-13 18:28:35 -05:00
jvazquez-r7 008f787627 Add module for the dlink user-agent backdoor 2013-10-13 14:42:45 -05:00
sinn3r 74f37c58b2
Land #2514 - Update CVE reference for Joomla 2013-10-13 12:58:23 -05:00
joev e2a9339592 Add CVE to joomla media upload module. 2013-10-12 21:20:11 -05:00
joev ea9235c506 Better whitespace. 2013-10-12 20:53:16 -05:00
joev 78b29b5f20 Bring osx persistence module to the finish line. 2013-10-12 20:50:53 -05:00
jvazquez-r7 3dbdc9f848
Land #2510, @wchen-r7's exploit for cve-2013-3897 2013-10-12 20:06:41 -05:00
sinn3r 9725918be8 Remove junk variables/params 2013-10-12 18:51:57 -05:00
Meatballs fb858ae72c
Land #2506, Python Meterpreter - Fixes Registry Endianess 2013-10-12 23:41:26 +01:00
Spencer McIntyre 6f23e95c14 Fix an endianess issue in pymeterpreter registry_query_value. 2013-10-12 23:39:22 +01:00
sinn3r 2153dd26eb
Land #2501 - HP Data Protector Cell Request Service Buffer Overflow 2013-10-12 16:55:48 -05:00
joev 5a1b099570 Make osx persistence a local exploit. 2013-10-12 16:47:35 -05:00
sinn3r bc317760dc Make the GET params a little bit harder to read. 2013-10-12 16:37:49 -05:00
jvazquez-r7 172c6b9b8f Escape dots on regexs 2013-10-12 16:15:10 -05:00
joev 4fe407d7ee Move osx persistence to a local exploit. 2013-10-12 16:08:22 -05:00
Icewall f94b73a580 Adding persistence module for OSX 2013-10-12 16:06:19 -05:00
jvazquez-r7 0b7ec26dac
Land #2509, @darknight007's patch to handle ms12_020_maxchannelids exceptions while connecting 2013-10-12 15:52:35 -05:00
Meatballs 988ac68074
Dont define the NDR syntax 2013-10-12 19:56:52 +01:00
Meatballs 765b55182e
Randomize client variables
Also tidyup indents and use predefined UUID syntax.
2013-10-12 19:52:15 +01:00
sinn3r b139757021 Correct a typo in description 2013-10-12 13:24:36 -05:00
sinn3r 79c612cd67 Add MS13-080 (CVE-2013-3897): Internet Explorer CDisplayPointer Use-After-Free
This module exploits a vulnerability found in Microsoft Internet Explorer.
It was originally found being exploited in the wild targeting Japanese and
Korean IE8 users on Windows XP, around the same time frame as CVE-2013-3893,
except this was kept out of the public eye by multiple research companies and
the vendor until the October patch release.

This issue is a use-after-free vulnerability in CDisplayPointer via the use of
a "onpropertychange" event handler. To setup the appropriate buggy conditions,
we first craft the DOM tree in a specific order, where a CBlockElement comes after
the CTextArea element. If we use a select() function for the CTextArea element,
two important things will happen: a CDisplayPointer object will be created for
CTextArea, and it will also trigger another event called "onselect". The "onselect"
event will allow us to setup for the actual event handler we want to abuse -
the "onpropertychange" event. Since the CBlockElement is a child of CTextArea,
if we do a node swap of CBlockElement in "onselect", this will trigger
"onpropertychange".  During "onpropertychange" event handling, a free of the
CDisplayPointer object can be forced by using an "Unslect" (other approaches
also apply), but a reference of this freed memory will still be kept by
CDoc::ScrollPointerIntoView, specifically after the CDoc::GetLineInfo call,
because it is still trying to use that to update CDisplayPointer's position.
When this invalid reference arrives in QIClassID, a crash finally occurs due to
accessing the freed memory. By controling this freed memory, it is possible to
achieve arbitrary code execution under the context of the user.
2013-10-12 13:01:17 -05:00
Meatballs cad717a186
Use NDR 32bit syntax.
Compatible with both x86 and x64 systems.
Tidy up the module...
2013-10-12 18:52:45 +01:00
Joe Barrett d929bdfaab Re-fixing 8419, consistency is important. 2013-10-12 08:09:19 -04:00
darknight007 7b82c64983 ms12-020 stack print resolve 2013-10-12 16:49:03 +05:00
darknight007 e1b9f1a3c4 modified ms12-020 module to resolve stack print 2013-10-12 16:36:37 +05:00
darknight007 291b90405d Merge branch 'master' of https://github.com/darknight007/metasploit-framework
Conflicts:
	modules/auxiliary/dos/windows/rdp/ms12_020_maxchannelids.rb
2013-10-12 16:23:09 +05:00
darknight007 602fd276bc using theirs 2013-10-12 16:20:26 +05:00
darknight007 4e50c574c5 Update ms12_020_maxchannelids.rb
ms12_020_maxchannelids.rb produces a call stack when the connection is timed out. 

To reproduct, just run the module against a system having no RDP enabled.
2013-10-12 15:39:13 +05:00
joev c7bcc97dff Add SSL support to #nodejs_reverse_tcp. 2013-10-12 03:32:52 -05:00
joev 6440a26f04 Move shared Node.js payload logic to mixin.
- this fixes the recursive loading issue when creating a payload
  inside the cmd payload
- also dries up some of the node cmd invocation logic.
2013-10-12 03:19:06 -05:00
Tod Beardsley 876d4e0aa8
Land #1420, WDS scanner 2013-10-11 16:53:25 -05:00
Tod Beardsley a1cf9619d9
Be clear this is 64-bit only in the desc. 2013-10-11 16:52:50 -05:00
Tod Beardsley 4d76e8e9ac
Add RPORT to the list of DCERPC ports to check
[FixRM #8479]
2013-10-11 16:23:38 -05:00