0dee5ae94d
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-22 12:54:44 -05:00
ecb9d1d7fa
Landing #1848 - AdobeCollabSync Buffer Overflow on Adobe Reader X
2013-05-22 12:24:42 -05:00
53cb493bc9
Fix @jlee-r7's feedback
2013-05-20 18:44:21 -05:00
f4498c3916
Remove $Id tags
...
Also adds binary coding magic comment to a few files
2013-05-20 16:21:03 -05:00
85ceaa1a62
Add module for CVE-2013-2730
2013-05-18 12:44:24 -05:00
0f3b13e21d
up to date
2013-05-16 15:02:41 -05:00
3009bdb57e
Add a few more references for those without
2013-05-16 14:32:02 -05:00
352a7afcd6
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-14 22:29:24 -05:00
e1111928c2
Adds patch info for ie_cgenericelement_uaf
...
This one is MS13-038
2013-05-14 14:55:02 -05:00
01ce751c51
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-12 17:08:14 -05:00
ce594a3ba2
Deprecate modules/exploits/windows/http/sap_mgmt_con_osexec_payload
2013-05-12 08:46:40 -05:00
7fcf20201b
Ranking should be the same (to GoodRanking)
2013-05-11 09:19:25 -05:00
823d89935a
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-09 12:36:43 -05:00
95b0d4e5ec
move filename init up to remove dup code
...
as suggested by @jlee-r7
2013-05-09 13:29:21 -04:00
9043eeda66
A slight change for stability
...
While updating ie_cgenericelement_uaf earlier today, I noticed the
changes made it a tiny bit less stable. Juan's test log in #1809
also kinda shows that (with the first attempt failing), so I decided
to go back and move the string crafting part, that way between
CollectGarbage() and the overwrite, there is less noise, and hopefully
more stable. I did a few tests, seems better.
2013-05-08 20:02:55 -05:00
866fa167ab
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-08 16:29:52 -05:00
bdd2287daf
Land #1809 , @wchen-r7's modification for ie_cgenericelement_uaf
2013-05-08 16:21:11 -05:00
9a1400a75b
Forgot to remove this print_warning
2013-05-08 15:44:04 -05:00
075f6e8d45
Updates ROP chain and mstime_malloc usage
2013-05-08 15:42:45 -05:00
c7609ac7d1
Initial update
2013-05-08 14:24:52 -05:00
1aa80cd35e
Add module for CVE-2013-0726
2013-05-08 13:48:48 -05:00
71c68d09c1
Allow user ability to set filename for psexec service binary
...
This should probably be higher up for all
generate_payload_exe but would take a major edit
2013-05-07 15:26:22 -03:00
bcdad23559
up to date
2013-05-06 23:09:32 -05:00
0fa65a6802
Merge branch 'sap_soap_rfc_sxpg_command_exec' of https://github.com/nmonkee/metasploit-framework
2013-05-06 18:50:31 -05:00
425a16c511
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-05 22:00:07 -05:00
8239998ada
Typo on URL for #1797 . Thx @Meatballs1
2013-05-05 12:26:06 -05:00
c9ea7e250e
Fix disclosure date, ref for #1897
2013-05-05 12:13:02 -05:00
a33510e821
Add MS IE8 DoL 0day exploit (CVE-2013-1347)
...
This module exploits a use-after-free vuln in IE 8, used in the
Department of Labor attack.
2013-05-05 12:04:17 -05:00
2384f34ada
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-03 15:39:16 -05:00
13202a3273
Add OSVDB reference
2013-05-03 09:46:29 -05:00
a95de101e7
Delete extra line
2013-05-02 22:04:27 -05:00
6210b42912
Port EDB 25141 to msf
2013-05-02 22:00:43 -05:00
796f7a39ac
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-02 20:04:48 -05:00
a2e1fbe7a9
Make msftidy happy
2013-05-02 19:46:26 -05:00
eb23b5feeb
Forgot to remove function ie8_smil. Don't need this anymore.
2013-05-02 14:04:15 -05:00
329e8228d1
Uses js_mstime_malloc to do the no-spray technique
2013-05-02 14:00:15 -05:00
a4632b773a
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-04-28 12:59:16 -05:00
99b46202b9
Do final cleanup for sap_configservlet_exec_noauth
2013-04-26 08:45:34 -05:00
308b880d79
Land #1759 , @andrewkabai's exploit for SAP Portal Command Execution
2013-04-26 08:44:11 -05:00
5839e7bb16
simplify code
2013-04-26 12:14:42 +02:00
4aadd9363d
improve description
2013-04-26 12:13:45 +02:00
f3f60f3e02
Fixes P/P/R for target 0 (BadBlue 2.72b)
...
Target 1, which covers 2.72b, uses an invalid P/P/R from some unknown
DLL, and appears to be broken. Because 2.72b actually uses the same
ext.dll as BadBlue EE 2.7 (and that target 0 actually also works
against 2.72b), we might as well just use the same P/P/R again.
[FixRM #7875 ]
2013-04-25 20:20:24 -05:00
9dd9b2d1ba
implement cleanup functionality
...
register DELETE_FILES advanced option to take control of the cleanup
functionality of CmdStagerVBS and FileDropper, implement the necessary
changes
2013-04-25 20:02:24 +02:00
a28ef1847b
update references
2013-04-25 18:26:13 +02:00
676f2f5f4a
implement "check" functionality
2013-04-25 07:47:30 +02:00
3b46d5d4cd
fix typos
2013-04-25 07:22:16 +02:00
2759ef073e
correction on error handling
2013-04-25 07:19:27 +02:00
6b14ac5e71
add rank to module
2013-04-25 07:07:35 +02:00
f22d19a10c
remove unused code block
...
ARCH_CMD was implemented in previous version of this code.
2013-04-24 21:51:35 +02:00
38e41f20fe
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-04-24 13:24:13 -05:00
0339be229a
implement dynamic timeout handling
2013-04-24 18:22:37 +02:00
6f8fc81497
improve error handling
2013-04-24 17:59:11 +02:00
57113bee80
fine correction
...
add license
remove one unnecessary tab to make msftidy happy
2013-04-24 15:07:32 +02:00
6485124cdf
fix module name
2013-04-24 10:54:52 +02:00
358b8934bf
clarify description
2013-04-24 10:31:40 +02:00
00e6eeca54
implement command line magick to prevent bad char usage
...
commas in the HTTP queries are not allowed but the VBS stager contains
some, therefore it was necessary to find a way to echo out commas
without directly use them.
thanks to Laszlo Toth to help me figure out this windows command line
trick.
2013-04-24 09:46:36 +02:00
783cca6c17
allow only ARCH_X86 payloads
2013-04-24 09:29:47 +02:00
cae30bec23
Clean up all the whitespace found
2013-04-23 18:27:11 -05:00
750638e4d6
note on bad characters
2013-04-22 17:24:08 +02:00
a1e52b5b27
command execution needs cmd /c
2013-04-22 10:20:45 +02:00
d26289e05a
proper output handling in case of CMD payloads
2013-04-20 17:38:58 +02:00
d59ba37e6d
resize linemax
2013-04-20 17:37:50 +02:00
e36b58169b
implement CmbStagerVBS payload execution
2013-04-20 16:37:47 +02:00
8244c4dcac
multiple payload types, different paths to execute payloads
2013-04-20 14:20:30 +02:00
7b6a784a84
basic payload execution through OS command execution
2013-04-20 13:02:22 +02:00
223556a4e6
switch to exploit module environment
...
switch to Msf::Exploit, change the necessary declarations, start to
change the exploitation process
2013-04-20 12:30:44 +02:00
cff47771a2
initial commit
...
the original aux module will be the base of the exploit module
2013-04-20 11:32:05 +02:00
088eb8618d
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-04-16 21:11:55 -05:00
4e8d32a89a
cleanup for freefloatftp_user
2013-04-16 20:43:38 -05:00
eedeb37047
Landing #1731 , @dougsko's freefloat ftp server bof exploit
2013-04-16 20:42:01 -05:00
cc35591723
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-04-15 17:43:15 -05:00
a36c6d2434
Lands #1730 , adds a VERBOSE option checker
...
Also removes VERBOSE options from extant modules. There were only 5 of
them, and one was a commented option.
2013-04-15 15:32:56 -05:00
29101bad41
Removing VERBOSE offenders
2013-04-15 15:29:56 -05:00
79620ed660
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-04-09 17:12:16 +02:00
e2b8d5ed23
Fix from David Kennedy, enable Windows 8 support
2013-04-09 02:07:40 -05:00
070fd399f2
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-03-31 20:23:08 +02:00
1d6184cd63
fixed author details
2013-03-30 12:41:31 +01:00
6cd6a7d6b9
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-03-28 12:16:18 +01:00
0109d81c95
fix typo
2013-03-27 17:39:18 +01:00
507692c660
SAP /sap/bc/soap/rfc SOAP Service SXPG_COMMAND_EXECUTE Function Command Execution
2013-03-27 15:20:18 +00:00
c225d8244e
Added module for CVE-2013-1493
2013-03-26 22:30:18 +01:00
393d5d8bf5
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-03-25 19:09:42 +01:00
56c07211a0
Merge branch 'actfax_raw_bof' of github.com:jvazquez-r7/metasploit-framework into jvazquez-r7-actfax_raw_bof
2013-03-25 11:56:15 -05:00
47e3d7de59
Merge branch 'bugs/RM7108-adobe_flash_mp4_cprt-add_resource_issue' of github.com:neinwechter/metasploit-framework into neinwechter-bugs/RM7108-adobe_flash_mp4_cprt-add_resource_issue
2013-03-25 11:46:37 -05:00
d54687cb37
fix typo
2013-03-25 00:58:47 +01:00
26b43d9ed2
Added module for ZDI-13-050
2013-03-25 00:54:30 +01:00
cb56b2de4b
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-03-23 20:06:05 +01:00
89c0e8c27e
Fix add_resource call in adobe_flas_mp5_cprt
2013-03-22 19:27:02 -04:00
6eaf995642
cleaning exploiting string
2013-03-22 21:48:02 +01:00
fd63283524
make msftidy happy
2013-03-22 21:46:12 +01:00
051e31c19f
Merge branch 'kingview_kingmess_kvl' of github.com:jvazquez-r7/metasploit-framework into jvazquez-r7-kingview_kingmess_kvl
2013-03-22 13:00:38 -05:00
7391bc0201
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-03-20 00:46:10 +01:00
26dec4eb8f
last cleanup for sami_ftpd_list
2013-03-19 21:32:05 +01:00
42efe5955b
Merge branch 'osvdb-90815' of https://github.com/dougsko/metasploit-framework into dougsko-osvdb-90815
2013-03-19 21:31:46 +01:00
80d218b284
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-03-19 19:55:51 +01:00
b19c51aa81
cleanup for sami_ftpd_list
2013-03-19 19:04:14 +01:00
e2a9245b08
Changed target to Windows XP
2013-03-19 13:20:23 -03:00
0c0d15024a
No tabs for these
2013-03-19 08:39:47 -05:00
fb90a1b497
Uses IP address length in offset calculation
2013-03-18 16:18:04 -03:00
4aab1cc5df
delete debug code
2013-03-18 16:28:39 +01:00
dffec1cd41
added module for cve-2012-4914
2013-03-17 21:12:40 +01:00
3d92d6e977
removed the handler call
2013-03-15 16:48:53 -04:00
a96283029e
made payload size a little smaller
2013-03-15 16:08:43 -04:00
8b5c782b54
changed Platform from Windows to win
2013-03-15 15:13:52 -04:00
8f4b3d073a
Explicitly set EXITFUNC to thread
2013-03-15 14:52:39 -04:00
e9af05a178
made recommended changes
2013-03-15 11:35:12 -04:00
dc94816650
Merge branch 'master' of https://github.com/dougsko/metasploit-framework
2013-03-14 22:53:03 +01:00
4bb64a0f41
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-03-14 16:10:10 -04:00
bbbf395659
got everything working and cleaned up
2013-03-14 16:02:41 -04:00
e21288481d
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-03-14 16:36:04 +01:00
1f7b2a8e9f
minor edits
2013-03-13 17:48:37 -04:00
fa5c988110
got sami_ftpd_list.rb working
2013-03-13 17:27:02 -04:00
456e4449e5
definitely the free trial of 6.53 is also vulnerable
2013-03-13 20:29:07 +01:00
5345af87f2
better description according to advisory
2013-03-13 20:25:13 +01:00
5339c6f76e
better target description according to advisory
2013-03-13 20:23:22 +01:00
50083996ff
better target description
2013-03-13 20:13:09 +01:00
a2755820cb
Added module for CVE-2012-4711
2013-03-13 20:07:58 +01:00
458ffc1f19
Add a target for Firebird 2.1.4.18393
2013-03-13 13:44:28 -04:00
5312c58c72
Added BID for ms09_002_memory_corruption.
2013-03-12 16:57:47 +01:00
56bb907f9f
Fixed exceptions in ms05_054_onload exploit module.
2013-03-12 16:57:47 +01:00
8f9c4f62c8
up to date
2013-03-12 16:50:45 +01:00
74b58185cd
up to date
2013-03-12 16:48:11 +01:00
2f95d083e8
Updating URL for Honewell EBI exploit
2013-03-11 13:35:58 -05:00
23972fbebc
Merge branch 'release'
2013-03-11 13:08:30 -05:00
d81d9261e7
Adding Honeywell exploit.
2013-03-11 13:03:59 -05:00
2160718250
Fix file header comment
...
[See #1555 ]
2013-03-07 17:53:19 -06:00
64398d2b60
deleting some commas
2013-03-07 21:34:51 +01:00
ab44e3e643
cleanup for fb_cnct_group
2013-03-07 21:34:07 +01:00
398d13e053
Initial commit of the Firebird CNCT Group Number Buffer Overflow.
2013-03-07 09:51:05 -05:00
b65f410048
Updates the description
2013-03-06 16:37:41 -06:00
fee07678dd
Rename module to better describe the bug.
2013-03-06 16:33:41 -06:00
79d3597d31
That's not a real check...
2013-03-06 16:32:53 -06:00
16d7b625bc
Format cleanup
2013-03-06 16:31:39 -06:00
7219c7b4aa
Merge branch 'codesys_gateway_server_remote_execution.rb' of github.com:nahualito/metasploit-framework into nahualito-codesys_gateway_server_remote_execution.rb
2013-03-06 16:15:24 -06:00
aa5c9461ae
Fixed more styling issues, EOL, tabs and headers
2013-03-06 10:50:31 -08:00
437d6d6ba6
Fixed EOL, bad indent, added header, removed #!/usr/env/ruby
2013-03-06 10:44:29 -08:00
af9982e289
Merge branch 'codesys_gateway_server_remote_execution.rb' of github.com:nahualito/metasploit-framework into nahualito-codesys_gateway_server_remote_execution.rb
2013-03-06 12:11:58 -06:00
aa3a54fba0
Added CoDeSyS Gateway.exe Server remote execution via arbitrary file creation
2013-03-06 09:29:28 -08:00
c290bc565e
Merge branch 'master' into feature/http/authv2
2013-02-28 14:33:44 -06:00
2b65cfa5ab
Minor changes
2013-02-22 21:02:19 -06:00
1623877151
Merge branch 'MS13-009' of github.com:jjarmoc/metasploit-framework into jjarmoc-MS13-009
2013-02-22 20:58:42 -06:00
5b16e26f82
change module filename
2013-02-21 20:05:13 +01:00
b4f4cdabbc
cleanup for the module
2013-02-21 20:04:05 +01:00
0ae489b37b
last of revert-merge snaffu
2013-02-19 23:16:46 -06:00
5108e8ef1c
Correct tab
2013-02-19 11:44:41 -06:00
b2664e04fb
Merge branch 'bigant_server_dupf_upload' of github.com:jvazquez-r7/metasploit-framework into jvazquez-r7-bigant_server_dupf_upload
2013-02-19 11:42:04 -06:00
9813c815ef
Minor changes
2013-02-19 11:40:06 -06:00
553d7abe43
Merge branch 'bigant_server_sch_dupf_bof' of github.com:jvazquez-r7/metasploit-framework into jvazquez-r7-bigant_server_sch_dupf_bof
2013-02-19 11:26:47 -06:00
416a7aeaa3
make msftidy happy for s4u_persistence
2013-02-18 15:23:06 +01:00
be0feecf8f
Merge branch 's4u_persistence' of https://github.com/smilingraccoon/metasploit-framework into smilingraccoon-s4u_persistence
2013-02-18 15:22:37 +01:00
25f8a7dcb9
Fix expire tag logic and slight clean up
...
Was a dumbass again and didn't fully understand how Optints worked when left blank at run time. If not 0 the expire tag will be inserted now. Also made it print the xpath if used because I believe it will be of value to the user for trouble shooting.
2013-02-17 22:35:52 -05:00
322fa53d49
fix typo
2013-02-17 20:29:41 +01:00
31a3a374c3
Added module for CVE-2012-6274
2013-02-17 20:25:39 +01:00
1a2a0bc38e
Added module for CVE-2012-6275
2013-02-17 20:21:45 +01:00
a8d574e4ce
Updated one print_status
2013-02-17 14:08:33 -05:00
ade2c9ef56
msftidy - fix line endings.
2013-02-14 11:42:02 -06:00
4c90cacffe
Send iframe when URIPATH isnt '/'
2013-02-14 11:23:08 -06:00
947aa24d44
MS13-009 / CVE-2013-0025 ie_slayout_uaf.rb by Scott Bell
2013-02-14 11:18:19 -06:00
7b2c1afadb
I'm an idiot, fix logon xpath
2013-02-14 09:16:47 -05:00
e78cbdd14d
missed one line
2013-02-13 18:17:38 -05:00
bbf8fe0213
Use Post::File methods and fail_with
2013-02-13 18:10:05 -05:00
4074a12fd7
Randomize some gadgets
2013-02-13 14:12:52 -06:00
f58cc6a2e0
more fix version info
2013-02-12 18:51:04 +01:00
96b1cb3cfb
fix version info
2013-02-12 18:50:36 +01:00
69267b82b0
Make stable #1318 foxit reader exploit
2013-02-12 18:44:19 +01:00
8ddc19e842
Unmerge #1476 and #1444
...
In that order. #1476 was an attempt to salvage the functionality, but
sinn3r found some more bugs. So, undoing that, and undoing #1444 as
well.
First, do no harm. It's obvious we cannot be making sweeping changes in
libraries like this without a minimum of testing available. #1478 starts
to address that, by the way.
FixRM #7752
2013-02-11 20:49:55 -06:00
9040fcd5ae
Merge branch 'darkoperator-post2localexploit' of https://github.com/darkoperator/metasploit-framework into darkoperator-darkoperator-post2localexploit
2013-02-12 01:52:05 +01:00
42a6d96ff4
using Post::File methods plus little more cleanup
2013-02-12 01:33:07 +01:00
97edbb7868
using always a vbs file to drop exe
2013-02-12 00:58:26 +01:00
5edb138a8f
fixed nil issue
2013-02-11 11:51:33 -04:00
3a499b1a6d
added s4u_persistence.rb
2013-02-10 14:22:36 -05:00
17b349ab50
added crash to comments
2013-02-09 17:49:57 +01:00
5b576c1ed0
fix ident and make happy msftidy
2013-02-09 17:40:45 +01:00
fea84cad10
Fix additional typos per recomendation
2013-02-08 14:47:16 -04:00
5b3b0a8b6d
Merge branch 'dmaloney-r7-http/auth_methods' into rapid7
2013-02-08 12:45:35 -06:00
b8f0a94c3f
Fixed typos mentioned by Egypt
2013-02-08 14:42:10 -04:00
0ad548a777
I expect people to know what a share is.
2013-02-07 19:16:44 -06:00
9415e55211
Merge branch 'feature/rm5455-patch-smb_relay' of github.com:lmercer-r7/metasploit-framework into lmercer-r7-feature/rm5455-patch-smb_relay
2013-02-07 19:12:58 -06:00
c131b7ef0e
Added exception handing and return checking as requested by Sinn3r
2013-02-07 21:06:05 -04:00
19e989dff9
Initial commit fo the migrated module
2013-02-07 19:11:44 -04:00
1095fe198b
Merge branch 'rapid7' into dmaloney-r7-http/auth_methods
2013-02-06 16:57:50 -06:00
0186e290d3
Merge branch 'ovftool_format_string_fileformat' of github.com:jvazquez-r7/metasploit-framework into jvazquez-r7-ovftool_format_string_fileformat
2013-02-05 15:13:51 -06:00
b706af54a0
Merge branch 'ovftool_format_string_browser' of github.com:jvazquez-r7/metasploit-framework into jvazquez-r7-ovftool_format_string_browser
2013-02-05 15:12:24 -06:00
92ef462c34
This commit completes powershell based psexec
...
The original module suffered from a small problem - interactive
process notification from Desktop 0 for users currently logged in.
Although acheiving full AV evasion, we were setting off UserAlert.
This commit updates the module itself to match #1379 in R7's repo.
The size of powershell payloads has been reduced, and a wrapper
added to hide the actual payload process entirely.
2013-02-04 20:39:05 -05:00
44d4e298dc
Attempting to cleanup winrm auth
2013-02-04 15:48:31 -06:00
4c1e630bf3
BasicAuth datastore cleanup
...
cleanup all the old BasicAuth datastore options
2013-02-04 13:02:26 -06:00
2c3de43f4b
datastore opts cleanup
...
cleanuo digestauth datastore options in modules
2013-02-04 12:10:44 -06:00
9ce5f39bc6
added migrate as initial script
2013-02-04 16:42:56 +01:00
e0d4bb5799
Added module for cve-2012-3569, browser version
2013-02-04 16:37:42 +01:00
135718a97b
Added module for cve-2012-3569, fileformat version
2013-02-04 16:36:33 +01:00
e8def29b4f
Dropping all twitter handles
...
Also adds "pbot" as an accepted lowercase word. This will come up pretty
routinley for functions and stuff.
2013-02-01 16:33:52 -06:00
1a01d6d033
Fix scrutinizer checks
2013-01-31 14:48:54 -06:00
5332e80ae9
Fix errant use of .to_s instead of .path
2013-01-31 14:18:42 -06:00
4de5e475c3
Fix check
2013-01-31 02:15:50 -06:00
c174e6a208
Correctly use normalize_uri()
...
normalize_uri() should be used when you're joining URIs. Because if
you're merging URIs after it's normalized, you could get double
slashes again.
2013-01-30 23:23:41 -06:00
6ba85d4c06
add libs from #1379 and allow psh 1.0 exec against older hosts
2013-01-30 12:38:53 -05:00
aaf18f0257
EOL whitespace, yo.
2013-01-29 14:22:30 -06:00
deb9385181
Patch for smb_relay.rb to allow the share written to, to be defined in an option
...
As described in Redmine Feature #5455
2013-01-29 15:19:35 -05:00
690ef85ac1
Fix trailing slash problem
...
These modules require the target URI to be a directory path. So
if you remove the trailing slash, the web server might return a
301 or 404 instead of 200.
Related to: [SeeRM: #7727 ]
2013-01-28 13:19:31 -06:00
61cd3b55fc
hide window
2013-01-24 14:43:07 -05:00
3faf4b3aca
adding sinn3r as author
2013-01-24 18:13:30 +01:00
2cedcad810
Check PID
2013-01-24 10:46:23 -06:00
ad108900d5
Why yes I know it's a module
2013-01-23 16:23:41 -06:00
22f7619892
Improve Carlos' payload injection module - See #1201
...
Lots of changes, mainly:
* Description update
* Avoid accessing protected methods
* More careful exception & return value handling
2013-01-23 16:15:14 -06:00
e93b7ffcaf
Add Carlos Perez's payload injection module
...
See #1201
2013-01-23 14:07:48 -06:00
e6ebf772de
allow psh to run in background via cmd start
2013-01-21 08:12:56 -05:00
43a5322bd4
psexec_psh cleanup
2013-01-20 22:15:55 -05:00
cae0362aa3
Add disk-less AV bypass PSExec module using PSH
...
This commit rewires the existing work on PSExec performed by R3dy,
HDM, and countless others, to execute a powershell command instead
of a binary written to the disk. This particular iteration uses
PSH to call .NET, which pull in WINAPI functions to execute the
shellcode in memory. The entire PSH script is compressed with ZLIB,
given a decompressor stub, encoded in base64 and executed directly
from the command-line with powershell -EncodedCommand.
In practice, this prevents us from having to write binaries with
shellcode to the target drive, deal with removal, or AV detection
at all. Moreover, the powershell wrapper can be quickly modified
to loop execution (included), or perform other obfu/delay in order
to confuse and evade sandboxing and other HIDS mechanisms.
This module has been tested with x86/x64 reverse TCP against win6,
win7 (32 and 64), and Server 2008r2. Targets tested were using
current AV with heuristic analysis and high identification rates.
In particular, this system evaded Avast, KAV current, and MS' own
offerings without any issue. In fact, none of the tested AVs did
anything to prevent execution or warn the user.
Lastly, please note that powershell must be running in the same
architecture as the payload being executed, since it pulls system
libraries and their functions from unmanaged memory. This means
that when executing x86 payloads on x64 targets, one must set the
RUN_WOW64 flag in order to forcibly execute the 32bit PSH EXE.
2013-01-20 21:46:26 -05:00
51ba500b9f
msftidy compliant
2013-01-16 12:28:09 +01:00
0f24671cf7
Changes how the usernames are loaded.
...
Allows usernames to be loaded as a file (wordlist), that way the
it's much easier to manage. It defaults to unix_users.txt,
because these usernames are common in any SSH hosts out there.
If the user only wants to try a specific user (which is better,
because you reduce traffic noise that way), then he/she can set
the USERNAME option, and that should be the only one tried --
similar to how AuthBrute behaves.
I also fixed the regex in check().
2013-01-16 02:14:52 -06:00
04b35a38ff
Update MSB ref
2013-01-14 14:59:32 -06:00
c6c59ace46
final cleanup
2013-01-14 20:53:19 +01:00
5ecb0701ea
Merge branch 'freesshd_authbypass' of https://github.com/danielemartini/metasploit-framework into danielemartini-freesshd_authbypass
2013-01-14 20:52:45 +01:00
04fe1dae11
Added module for Freesshd Authentication Bypass (CVE-2012-6066)
...
This module works against FreeSSHD <= 1.2.6. Tested against
password and public key authentication methods. It will generate
a random key and password.
To use it you need to know a valid username. The module contains
a basic bruteforce methods, so you can specify more than one to try.
2013-01-13 17:08:04 +01:00
5901058a61
Merge branch 'ms11_081' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-ms11_081
2013-01-09 23:24:14 +01:00
fe8b9c24cf
Merge branch 'jvazquez-r7-honeywell_tema_exec'
2013-01-09 16:08:19 -06:00
f3b88d34c1
Add MS11-081
2013-01-09 15:52:33 -06:00
736f8db6c0
Deleting from browser autopwn
2013-01-09 09:58:20 +01:00
377905be7f
Avoid FileDropper in this case
2013-01-09 09:15:38 +01:00
52982c0785
Added BrowserAutopwn info
2013-01-08 19:53:34 +01:00
0e475dfce1
improvements and testing
2013-01-08 19:43:58 +01:00
b2575f0526
Added module for OSVDB 76681
2013-01-08 17:46:31 +01:00
5bc1066c69
Change how modules use the mysql login functions
2013-01-07 16:12:10 -06:00
a59c474e3e
Merge branch 'jvazquez-r7-ibm_cognos_tm1admsd_bof'
2013-01-07 13:34:52 -06:00
33751c7ce4
Merges and resolves CJR's normalize_uri fixes
...
Merge remote-tracking branch 'ChrisJohnRiley/set_normalize_uri_on_modules'
into set_normalize_uri_on_modules
Note that this trips all kinds of msftidy warnings, but that's for another
day.
Conflicts:
modules/exploits/unix/webapp/tikiwiki_jhot_exec.rb
modules/exploits/windows/http/xampp_webdav_upload_php.rb
2013-01-07 11:16:58 -06:00
883b3446f3
license text
2013-01-05 08:03:25 +01:00
0a13f01f23
Added module for ZDI-12-101
2013-01-05 07:40:32 +01:00
6654faf55e
Msftidy fixes
2013-01-04 09:29:34 +01:00
6d4abe947d
Merge branch 'id_revision' of github.com:FireFart/metasploit-framework into FireFart-id_revision
2013-01-04 00:23:03 -06:00
38de5d63d8
Merge branch 'master' of github.com:rapid7/metasploit-framework
2013-01-03 17:49:24 -06:00
8f2dd8e2ce
msftidy: Remove $Revision$
2013-01-04 00:48:10 +01:00
b061a0f9c1
Merge branch 'enterasys_netsight_syslog_bof' of github.com:jvazquez-r7/metasploit-framework into jvazquez-r7-enterasys_netsight_syslog_bof
2013-01-03 17:45:24 -06:00
25aaf7a676
msftidy: Remove $Id$
2013-01-04 00:41:44 +01:00
a0b4045b4b
trying to fix the variable offset length
2013-01-04 00:25:34 +01:00
724fa62019
Merge branch 'enterasys_netsight_syslog_bof' of github.com:jvazquez-r7/metasploit-framework into jvazquez-r7-enterasys_netsight_syslog_bof
2013-01-03 15:35:29 -06:00
6fd35482cc
This exploit should be in browser auto pwn
2013-01-03 14:45:00 -06:00
9cea2d9af9
reference updated
2013-01-03 19:39:18 +01:00
45808a3a44
Added module for ZDI-11-350
2013-01-03 19:17:45 +01:00
06b937ec11
Implements WTFUzz's no-spray technique
...
Do not try to bend the spoon, that is impossible. Instead, only
try to realize the truth: there is no spoon.
2013-01-03 11:57:47 -06:00
38157b86a9
Merge branch 'master' of git://github.com/rapid7/metasploit-framework
2012-12-31 11:15:44 -06:00
f7543e18fe
Your def of commit apparently is a little different than mine, git.
2012-12-31 00:35:13 -06:00
2b3f7c4430
Module rename
...
Sorry, Tod, this must be done.
2012-12-31 00:29:19 -06:00
5703274bc4
Merge branch 'master' of git://github.com/rapid7/metasploit-framework
2012-12-30 20:34:57 -06:00
1084334d5e
Randomness
2012-12-30 20:34:14 -06:00
7cb42a5eb4
Add BID ref
2012-12-30 18:14:22 -06:00
cc52e2c533
Where's Juan's name?
2012-12-30 12:58:16 -06:00
14f21c0a29
using the rop as expected
2012-12-30 16:13:48 +01:00
eed5a74f32
description updated and reference added
2012-12-30 16:08:01 +01:00
f7d6594314
re-deleted comma
2012-12-30 13:39:14 +01:00
6be8ed6168
readd fix for #1219
2012-12-30 13:25:42 +01:00
cd58cc73d9
fixed rop chain for w2003
2012-12-30 13:12:55 +01:00
cab84b5c27
Fix for issue #1219
2012-12-30 13:02:13 +01:00
dcf018c339
Comma
2012-12-30 12:54:44 +01:00
14d197eeb2
Added Windows Server 2003
2012-12-30 11:35:29 +01:00
6cb9106218
Added module for CVE-2012-4792
2012-12-30 01:46:56 +01:00
eb2037bdba
Merge branch 'inotes_dwa85w_bof' of git://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-inotes_dwa85w_bof
2012-12-28 12:16:06 -06:00
9ffb0dcf79
switch to some random data
2012-12-28 12:48:36 +01:00
8f62cd5561
swith to some random data
2012-12-28 12:47:20 +01:00
af61438b0b
added module for zdi-12-132
2012-12-28 11:45:32 +01:00
8ea5c993a2
added module for zdi-12-134
2012-12-28 11:44:30 +01:00
771460fa4c
Merge branch 'master' of git://github.com/rapid7/metasploit-framework
2012-12-26 11:35:52 -06:00
d2dc7ebc2d
Merge branch 'feature/windows-postgres-payload-dll' of git://github.com/jlee-r7/metasploit-framework into jlee-r7-feature/windows-postgres-payload-dll
2012-12-26 11:18:21 -06:00
8223df375d
Avoid making the title sound too generic.
2012-12-26 11:15:37 -06:00
0b2ea3e55e
Fix weird tabs vs spaces prob
2012-12-26 11:14:48 -06:00
e895ccb6b1
added random string functions
2012-12-25 18:13:02 +01:00
fec989026f
Added module for CVE-2012-5691
2012-12-25 18:05:10 +01:00
6a3bf6a2a6
Merge branch 'master' of git://github.com/rapid7/metasploit-framework
2012-12-24 17:57:02 -06:00
38f0886058
James has more modules that need to be updated.
...
e-mail update.
2012-12-24 17:51:58 -06:00
076c8aa995
Merge branch 'nullbind-mssql_linkcrawler'
2012-12-24 11:14:28 -06:00
677b9718da
Finalizing module
2012-12-24 11:13:51 -06:00
4c897c5181
added module for ZDI-12-154
2012-12-24 16:23:19 +01:00
20cc2fa38d
Make Windows postgres_payload more generic
...
* Adds Exploit::EXE to windows/postgres/postgres_payload. This gives us
the ability to use generate_payload_dll() which generates a generic dll
that spawns rundll32 and runs the shellcode in that process. This is
basically what the linux version accomplishes by compiling the .so on
the fly. On major advantage of this is that the resulting DLL will
work on pretty much any version of postgres
* Adds Exploit::FileDropper to windows version as well. This gives us
the ability to delete the dll via the resulting session, which works
because the template dll contains code to shove the shellcode into a
new rundll32 process and exit, thus leaving the file closed after
Postgres calls FreeLibrary.
* Adds pre-auth fingerprints for 9.1.5 and 9.1.6 on Ubuntu and 9.2.1 on
Windows
* Adds a check method to both Windows and Linux versions that simply
makes sure that the given credentials work against the target service.
* Replaces the version-specific lo_create method with a generic
technique that works on both 9.x and 8.x
* Fixes a bug when targeting 9.x; "language C" in the UDF creation query
gets downcased and subsequently causes postgres to error out before
opening the DLL
* Cleans up lots of rdoc in Exploit::Postgres
2012-12-22 00:30:09 -06:00
9b768a2c62
Merge branch 'cleanup/post-windows-services' of git://github.com/jlee-r7/metasploit-framework into jlee-r7-cleanup/post-windows-services
2012-12-21 23:42:17 -06:00
02782258eb
fix eol for ms12_004_midi
2012-12-21 21:01:39 +01:00
3c398d0e62
Final cleanup
2012-12-21 10:46:36 -06:00
4c58991c89
Cleanup ROP a little
2012-12-21 10:35:28 -06:00
e95f0267c6
Update for some leaky icky
2012-12-21 10:03:38 -06:00
b3c0c6175d
FixRM #3398 by removing double user-agent headers
2012-12-20 14:45:18 -06:00
f820ffb32d
update authors
2012-12-18 23:57:29 +01:00
8a07d2e53d
Added module for ZDI-12-168
2012-12-18 23:48:53 +01:00
0344c568fd
Merge branch 'smb_fixes' of git://github.com/alexmaloteaux/metasploit-framework into alexmaloteaux-smb_fixes
2012-12-18 11:38:14 -06:00
88f02e0016
Merge branch 'jvazquez-r7-crystal_reports_printcontrol'
2012-12-17 13:52:11 -06:00
10511e8281
Merge remote branch 'origin/bug/fix-double-slashes'
...
Ran the new normalize_uri() specs, all passes, so I'm quite confident in
this change.
2012-12-17 13:29:19 -06:00
3ed36bd66a
trying to fix stability issues on w7
2012-12-17 19:17:36 +01:00
bce7d48931
comment updated
2012-12-14 23:55:12 +01:00
0a0b26dc2c
after study the crash after the overflow...
2012-12-14 23:54:44 +01:00
53a2fda608
Merge branch 'mssql_linkcrawler' of git://github.com/nullbind/metasploit-framework into nullbind-mssql_linkcrawler
2012-12-14 15:23:25 -06:00
3e3f35419b
Added module for CVE-2010-2590
2012-12-14 12:50:29 +01:00
d2885d9045
Correct US Cert references
2012-12-13 14:19:53 -06:00
67829756f8
fixed errors
2012-12-12 17:45:02 -06:00
a69a4fbbce
Extra spaces, be gone.
2012-12-12 14:38:00 -06:00
3a481c8e42
Merge branch 'feature/winrm_compat_mode' of git://github.com/dmaloney-r7/metasploit-framework into dmaloney-r7-feature/winrm_compat_mode
2012-12-12 14:31:04 -06:00
5856874cea
Login check fixes for exploit
2012-12-12 14:18:41 -06:00
b465d20d61
Merge branch 'feature/winrm_compat_mode' of git://github.com/dmaloney-r7/metasploit-framework into dmaloney-r7-feature/winrm_compat_mode
2012-12-12 11:59:23 -06:00
5e8b9a20a4
Fix boneheaded mistake
2012-12-12 09:18:03 -06:00
343a785420
Add OSVDB references
2012-12-11 12:47:08 -06:00
2eb4de815d
added c# code by Nicolas Gregoire
2012-12-11 16:33:41 +01:00
44633c4f5b
deleted incorrect cve ref
2012-12-11 12:16:47 +01:00
fdb457d82b
Merge branch 'refs_update' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-refs_update
2012-12-11 12:16:06 +01:00
b315a4eee4
Grammar
2012-12-11 00:19:15 -06:00
jvazquez-r7
sinn3r
James Lee
Rob Fuller
Tod Beardsley
Andras Kabai
Tod Beardsley
HD Moore
m-1-k-3
nmonkee
sinn3r
Nathan Einwechter
dougsko
Spencer McIntyre
Patrick Webster
Enrique A. Sanchez Montellano
David Maloney
Thomas McCarthy
Jeff Jarmoc
smilingraccoon
Carlos Perez
RageLtMan
lmercer
Daniele Martini
Christian Mehlmauer
nullbind