a7debd09fd
Fix broken YouTube link in firetv_youtube
...
Guess it's back to Epic Sax Guy. :-)
2016-12-25 20:22:07 -06:00
6bb0f3207d
Add reboot action to chromecast_reset
2016-12-25 15:20:46 -06:00
699da8df5b
Land #7746 , chromecast_wifi now uses Scanner
2016-12-25 11:36:31 -05:00
57e4bcbf71
Land #7454 , add CVE-2013-6282, put_user/get_user exploit for Android
2016-12-24 14:44:34 -06:00
81b310f928
Up to date
2016-12-23 17:24:01 -06:00
144f886e8b
Add LoginScanner module for BAVision IP cameras
2016-12-23 16:22:17 -06:00
0589948a73
Remove other rhost (oops) and fail_with
2016-12-23 16:10:21 -06:00
b4235835c8
rhost -> ip
2016-12-23 13:20:24 -08:00
60e602c371
Update chromecast wifi gather module to use Scanner for scanning in bulk
2016-12-23 11:34:19 -08:00
679ebf31bd
Minor fix to make dRuby great again
2016-12-23 15:12:22 +01:00
18e69b85af
Update the golden ticket module to work with new kiwi
2016-12-23 10:30:06 +10:00
5702bd6745
Land #7674 , Move migration stub generation code into msf
2016-12-22 17:53:00 -06:00
ea704211ca
incorporate payload stub generation changes
2016-12-22 17:50:43 -06:00
d69acd116d
Make dRuby great again
2016-12-22 15:37:16 +01:00
934b05e736
Land #7310 , at(1) persistence module
2016-12-22 03:33:58 -06:00
b65a62ba93
Clean up module
2016-12-22 03:33:08 -06:00
e646a8d5c2
Please the rubocop gods (unless they are dumb)
2016-12-21 16:13:53 -08:00
13ccfd7bb3
Update run_as_psh.rb
2016-12-21 09:44:57 +11:00
a9b78e37d2
Update typos
2016-12-21 09:43:18 +11:00
cc99aaafc6
Corrected as per reviews
2016-12-21 09:42:26 +11:00
b9fd1db5fa
Add module to runas ysing powershell
2016-12-20 14:38:19 +11:00
25a8283af3
fork early and use WfsDelay
2016-12-20 00:59:27 +08:00
f1efa760df
more fixes
2016-12-20 00:52:11 +08:00
7ac3859393
convert futex_requeue module to use targetting and core_loadlib
2016-12-20 00:52:11 +08:00
da9ea0b85c
Change the PCRE.
2016-12-16 15:41:10 -06:00
f74fd9e5dd
Land #7672 , support LOCKED_OUT and DISABLED login status
2016-12-16 15:11:05 -06:00
378d8aea36
Merge pull request #7697 from h00die/fix_colorado
...
Fix ftp traversal error conditions
2016-12-16 13:51:15 -06:00
9b678c2bdd
Land #7685 , Add mosule to change user passwords by editing SAM registry
2016-12-16 13:11:40 -06:00
52346c3fa8
fix renamed rex text
2016-12-15 15:31:00 -06:00
c2dc350378
better fix for session compatibility
2016-12-15 17:41:44 +08:00
fa016de78a
Land #7634 , Implement universal HTTP/S handlers for Meterpreter payloads
2016-12-13 18:13:22 -06:00
fe9972cc25
fork early and use WfsDelay
2016-12-13 17:02:23 +08:00
7b7deb0588
better library cleanup
2016-12-13 17:02:23 +08:00
96b01effa7
cleanup library after use
2016-12-13 17:02:23 +08:00
909773120c
typos
2016-12-13 17:02:23 +08:00
ebf7ae0739
add CVE-2013-6282, put_user/get_user exploit for Android
2016-12-13 17:02:23 +08:00
b5beb2eb93
throw errors
2016-12-12 21:48:08 -05:00
082a8949e4
Land #7694 , Initial stageless mettle payloads
2016-12-12 13:01:31 -06:00
7aa743b205
Land #7682 , @godinezj's improvements to #7604
2016-12-12 10:54:15 -08:00
deec6eccdf
Update hashcarve.rb
2016-12-12 17:09:04 +11:00
3e80ee1d6a
Better Error Handling
2016-12-12 17:07:47 +11:00
2dca7c871b
applying #7582 to all ftp aux traversals
2016-12-10 16:05:09 -05:00
ccba73b324
Add stageless mettle for Linux/zarch
2016-12-09 18:30:52 -06:00
24cf756f5b
Add stageless mettle for Linux/x86
2016-12-09 18:29:34 -06:00
62a9a31222
Add stageless mettle for Linux/x64
2016-12-09 18:28:29 -06:00
7d36d41b20
Add stageless mettle for Linux/ppc64le
2016-12-09 18:27:22 -06:00
ee7d5fc0c9
Add stageless mettle for Linux/ppc
2016-12-09 18:25:57 -06:00
4570a7198c
Add stageless mettle for Linux/mipsle
2016-12-09 18:24:12 -06:00
25b069f6b4
Add stageless mettle for Linux/mipsbe
2016-12-09 18:23:03 -06:00
7aec68c1fe
Add stageless mettle for Linux/mips64
2016-12-09 18:21:52 -06:00
7a654ca76c
Add stageless mettle for Linux/armle
2016-12-09 18:19:58 -06:00
b74482aa6e
Add stageless mettle for Linux/armbe
2016-12-09 18:18:22 -06:00
12b296ab1a
Add stageless mettle for Linux/aarch64
2016-12-09 18:05:34 -06:00
f0dca7abbf
Land #7692 , print_error for error_sql_injection
2016-12-09 17:09:52 -06:00
2b0bce6459
Land #7690 , drupal_views_user_enum user count fix
2016-12-09 16:55:01 -06:00
4e235be484
Ensure a trailing slash for base_uri
...
Technically, the GET parameters should be in vars_get, but we don't want
to refactor the entire module right now.
2016-12-09 16:53:58 -06:00
8780c325a7
Fixed issues #7691 , silent exit.
...
Add a print statement to alert user what is missing, user could be confused that "show missing" is empty yet something is missing.
2016-12-09 16:20:44 -06:00
77dd952370
Land #7592 , check nil return value when using redis_command
2016-12-09 16:07:12 -06:00
17c12a78f5
Fixed issue #7689 , count of found users not accurate
...
In module drupal_views_user_enum, the count of found users is not accurate.
Fixed it by doing flatten before doing counting.
2016-12-09 15:19:43 -06:00
50f95f9940
Land #7681 , Get ready for stageless mettle
2016-12-09 09:31:47 -06:00
7b4dce5e7e
One left!
2016-12-09 16:27:40 +11:00
74c48f5fa4
I'll get there!
2016-12-09 16:24:49 +11:00
c898e768f6
Struggling with tidyness
2016-12-09 16:00:32 +11:00
586b2d92e2
Corrected status prints
2016-12-09 15:45:30 +11:00
fb360e69c0
Initial Commit
...
This module "carves" a hash in the registries to set it as a user password.
The benefits are:
1/ It doesn't change the password last change field
2/ You can set a hash directly, so you can change a user's password and revert it without cracking its hash.
I have tested it in Windows 7, and 8.1. Should work on every version though.
Usage:
run post/windows/manage/hashcarve user=test pass=<password>
run post/windows/manage/hashcarve user=test pass=<nthash>
run post/windows/manage/hashcarve user=test pass=<lmhash:nthash>
This work is based on the hashdump implementation.
2016-12-09 15:41:01 +11:00
0d41160b03
Sanity checks, errors out with nil ptr if API call fails
2016-12-08 16:14:10 -08:00
a17d1a7e19
Added options for setting the PASSWORD and GROUPNAME
2016-12-08 16:13:31 -08:00
4614b7023d
Land #7604 , @godinezj's post module for creating AWS IAM accounts
2016-12-08 14:26:22 -08:00
aa29fcad80
Update docs and pretty print the loot
2016-12-08 14:25:07 -08:00
70668c289f
Use better loot args
2016-12-08 13:14:36 -08:00
7e0b224eb2
Make ABORT_ON_LOCKOUT non default
2016-12-08 15:07:53 -06:00
162204b338
Support creating a password for the user, etc
2016-12-08 12:56:00 -08:00
0110b97fa2
Fix #7671 , support LOCKED_OUT and DISABLED login status
...
This allows login scanner modules to skip a user if it is
locked out, or disabled.
Fix #7671
2016-12-07 16:49:16 -06:00
ba9ce3fcfb
Land #7665 , Add ABORT_ON_LOCKOUT option for smb_login
2016-12-07 15:52:50 -06:00
a9cb08a352
Token should be passed as nil if not set
2016-12-07 10:16:41 -08:00
b902b4c28a
Update payload sizes
2016-12-07 15:08:45 +10:00
d3a8409a49
prevent further lockouts in smb_login
2016-12-06 21:53:08 -05:00
1c3f0437ed
Move some options back to non-advanced
2016-12-06 17:39:37 -08:00
a13382c80b
Address most of rubocop's nits
2016-12-06 17:10:34 -08:00
8f21a1f68c
move most options to advance, since they never change
...
Also, doc empty username
2016-12-06 16:29:00 -08:00
c5641c9681
Factor out mettle configuration
...
Also cleans up some stuff: s/url/uri/ and base-64 encodes UUIDs
2016-12-06 18:28:48 -06:00
a4f681ae35
Add quoted hex encoding
2016-12-06 09:05:35 -06:00
7346223a65
update payloads
2016-12-06 07:16:44 -06:00
ffee0ff1b6
Fix payload cache size issue, fix shell/bind payloads
2016-12-06 11:12:02 +10:00
4a35f8449a
Fixed issue #7650 by matching Server header using regex as Wei suggested
...
The suggestion by Wei is simpler than the one I checked in which checks for presence of Server header before calling include method.
2016-12-02 20:26:38 -06:00
35fdf1473b
Fixed issue #7650 where etherpad_duo_login module may crash
...
Add check for presence of Server header.
2016-12-02 18:07:18 -06:00
d549c2793f
Fix module filename to be TR-064
2016-12-02 08:49:21 -06:00
9e4e9ae614
Add a reference to the TR-064 spec
2016-12-02 08:48:09 -06:00
ddac5600e3
Reference TR-064, not TR-069
2016-12-02 08:45:15 -06:00
ff8141c1b5
Land #7644 , cred fix for vbulletin_vote_sqli_exec
2016-12-01 15:47:31 -06:00
11906eb540
Fix issue #7645 where dolibarr_login module crashed
...
Add "res" (http response) when trying to retrieve the cookie
2016-12-01 15:38:26 -06:00
41355898fa
Remove extra def report_cred in vbulletin_vote_sqli_exec
2016-12-01 15:31:24 -06:00
9325ef8d8f
Land #7573 , Add WP Symposium Plugin SQLI aux mod to steal credentials
2016-12-01 14:56:30 -06:00
6b5dba72d4
Update description
2016-12-01 14:55:16 -06:00
64bc029106
Fix Ruby style
2016-12-01 14:53:55 -06:00
90ec367a99
Add method to save creds to database
2016-12-01 14:52:51 -06:00
174cd74900
Land #7532 , Add bypass UAC local exploit via Event Viewer module
2016-12-01 11:16:49 -06:00
1e9d80c998
Fix another typo
2016-12-01 11:16:06 -06:00
b8243b5d10
Fix a typo
2016-12-01 11:15:26 -06:00
54684d31bd
Land #7641 , check_conn? fix for cisco_ssl_vpn
2016-11-30 21:14:19 -06:00
032312d40b
Properly check res
2016-11-30 21:03:29 -06:00
72a20ce464
Merge timwr's changes that fix android/reverse_http
2016-12-01 09:59:41 +10:00
1d6ee7192a
Land #7427 , new options for nagios_xi_chained_rce
2016-11-30 17:11:02 -06:00
3e8cdd1f36
Polish up USER_ID and API_TOKEN options
2016-11-30 17:10:52 -06:00
ec83a861c8
Fix issue #7640 where cisco SSL VPN not move despite server responded
...
Add the "return true" statement that was missing.
2016-11-30 16:25:13 -06:00
ebf5121359
Merge branch 'upstream/master' into add-bypassuac-eventvwr
2016-12-01 07:58:16 +10:00
6890e56b30
Remove call to missing function
2016-12-01 07:57:54 +10:00
56505d2cc1
Resolve merge conflict
2016-11-30 14:33:23 -06:00
c70c3701c5
Fix #7628 , concrete5_member_list HTML parser
...
Fix #7628
2016-11-30 14:20:36 -06:00
b6bb1995ad
Merge branch 'master' of github.com:rapid7/metasploit-framework into upstream-master
2016-11-30 12:00:45 -06:00
c31758e0ea
Land #7627 , Fix typo in payloads/linux/armle/mettle
2016-11-30 11:58:47 -06:00
530e9a9bc6
Land #7633 , fix dell_idrac to stop trying on a user after a valid login
2016-11-30 11:46:31 -06:00
d1be2d735f
Land #7578 , pdf-shaper exploit
...
Land lsato's work on the pdf-shaper buffer overflow
exploit
2016-11-30 11:13:12 -06:00
43cd788350
Switch back to echo as cmdstager flavor
2016-11-30 10:18:09 -06:00
b75fbd454a
Add missing peer in vprint_error
2016-11-30 07:59:41 -06:00
657d52951b
Linemax 63, switch to printf
2016-11-30 07:51:36 -06:00
78480e31e7
remove AutoLoadAndroid
2016-11-30 21:23:14 +08:00
92751714c1
fix android/meterpreter/reverse_http
2016-11-30 20:12:00 +08:00
bdc2e7c3cd
Fix missing stager_config functions, payload sizes
2016-11-30 16:11:51 +10:00
3fad75641d
Final touches to make MSF happy with all refactorings
2016-11-30 11:30:59 +10:00
08b9684c1a
Add a FORCE_EXPLOIT option for @FireFart
2016-11-29 16:37:13 -06:00
57d156a5e2
Revert "XML encode the command passed"
...
This reverts commit 9952c0ac6f
2016-11-29 16:24:26 -06:00
b7904fe0cc
Oh silly delimiters and lack thereof
2016-11-29 15:53:05 -06:00
9952c0ac6f
XML encode the command passed
2016-11-29 15:49:55 -06:00
851aae3f15
Oops, wrong module
...
This reverts commit d55d2099c5
2016-11-29 15:15:18 -06:00
d55d2099c5
Just one platform thanks
2016-11-29 15:08:45 -06:00
4d6b2dfb46
Use CmdStager instead
...
Oh, and this is totally untested as of this commit.
2016-11-29 15:03:38 -06:00
afed1f465e
Fix issue 7632 where MSF keeps trying after success.
...
Thanks to Wei who suggested adding "return :next_user" after success.
2016-11-29 14:57:15 -06:00
8de17981c3
Get rid of the WiFi key stealer
2016-11-29 14:48:04 -06:00
75bcf82a09
Never set DefaultPaylod, reverse target options
2016-11-29 14:43:10 -06:00
f55f578f8c
Title, desc, authors, refs
2016-11-29 14:39:38 -06:00
3c9ebb97be
Land #7624 , Wvu's style fixes
...
land's wvu's style and text fixes for the
OS X archived messages module
2016-11-29 14:05:05 -06:00
497e02955b
Fixed checking for access keys being retrieved
2016-11-29 11:08:55 -08:00
1beeb99d44
Fix issue 7628, username extracted became garbled
...
Make the regular expression less aggressive.
2016-11-29 12:52:57 -06:00
878779e14c
Fix typo in payloads/linux/armle/mettle
2016-11-29 10:12:17 -06:00
d691b86443
First commit of Kenzo's original exploit
...
This is a work in progress, and is merely the copy-paste
of the original PoC exploit from:
https://devicereversing.wordpress.com/2016/11/07/eirs-d1000-modem-is-wide-open-to-being-hacked/
2016-11-29 09:13:52 -06:00
834756c337
Rework android structure to function with the multi arch payload
2016-11-29 17:55:31 +10:00
bdfaaf01b2
Make multi work with https
2016-11-29 15:51:38 +10:00
bd8f8fd6cb
More rework of payload structure to handle multi arch handlers
2016-11-29 15:21:13 +10:00
beca63645e
Revamp of java payload structure
2016-11-29 11:54:30 +10:00
cb0313642b
Fixed setting IAM_USERNAME
2016-11-29 00:54:49 +00:00
46ce1dfaab
Now using random string as IAM_USERNAME unless specified
2016-11-28 16:32:53 -08:00
f8789fef38
Moved METADATA_IP to advanced options
2016-11-28 16:32:26 -08:00
b6fe6c1d38
Fix #7597 , minor changes to enum_messages
2016-11-28 17:37:32 -06:00
c39c53b102
Prefer DefaultOptions to reregistering SSL option
2016-11-28 14:29:02 -06:00
8c54b0e5f4
Land #7622 , Fix check_conn? method in cisco_ironport_enum
2016-11-28 14:19:02 -06:00
777d5c1820
Fix check_conn? method in cisco_ironport_enum
2016-11-28 14:02:39 -06:00
f0b5b5a153
call store_loot once at the end
2016-11-28 20:28:36 +01:00
a7fa2941a8
Land #7597 , Added post module for accessing OSX messages database
2016-11-28 11:43:06 -06:00
4eb109b22f
Land #7609 , set SSL to true by default for cisco_nac_manager_traversal
2016-11-28 11:30:41 -06:00
William Vu
h00die
Brent Cook
wchen-r7
Jon Hart
joernchen of Phenoelit
OJ
William Webb
bwatters_r7
p3nt4
Tim
Jin Qian
dmohanty-r7
jinq102030
Adam Cammack
Javier Godinez
Rich Whitcroft
Tod Beardsley
David Maloney
Pearce Barry
Cantoni Matteo