Commit Graph

605 Commits (84ce72367bf70b099804835c3c8e0606a62ffcd4)

Author SHA1 Message Date
jvazquez-r7 a85d451904 Add module for CVE-2014-2314 2014-04-02 14:49:31 -05:00
Tod Beardsley d27264b402
Land #2782, fix expand_path abuse 2014-03-19 08:41:28 -05:00
William Vu 517f264000 Add last chunk of fixes 2014-03-11 12:46:44 -05:00
William Vu 25ebb05093 Add next chunk of fixes
Going roughly a third at a time.
2014-03-11 12:23:59 -05:00
OJ 3ea3968d88
Merge branch 'upstream/master' into stop_abusing_expand_path
Conflicts:
	lib/msf/core/post/windows/shadowcopy.rb
	modules/exploits/windows/local/bypassuac.rb
	modules/post/windows/gather/wmic_command.rb
	modules/post/windows/manage/persistence.rb
2014-03-11 23:13:39 +10:00
jvazquez-r7 c9f0885c54 Apply @jlee-r7's feedback 2014-02-24 10:49:13 -06:00
OJ fdd0d91817 Updated the Ultra Minit HTTP bof exploit
After exploiting this application manually I decided to make this
an MSF exploit, only to find that other people had beaten me to it.
However, the existing exploit was broken in a few ways, and this
commit makes those problems go away. They include:

* Correct use of alpha chars in the buffer leading up to the payload
  which results in bad chars being avoided. Bad chars muck with the
  offsets because they get expanded.
* Adjustment of the payload so that it runs in another thread instead
  of in the thread of the request handler. This prevents the session
  from being killed after the hard-coded 60-second timeout that is
  baked into the application.
* The handler thread terminates itself so that the process doesn't
  crash.
* Extra targets were added based on the machines I had access to.
2014-02-23 21:23:41 +10:00
jvazquez-r7 79d559a0c9 Fix MIME message to_s 2014-02-10 22:23:23 -06:00
sinn3r 89e1bcc0ca Deprecate modules with date 2013-something
These modules had an expiration date of 2013.
2014-02-04 14:49:18 -06:00
sinn3r cdc425e4eb Update some checks 2014-01-24 12:08:23 -06:00
sinn3r fe767f3f64 Saving progress
Progress group 2: Making sure these checks comply with the new
guidelines. Please read: "How to write a check() method" found in
the wiki.
2014-01-21 11:07:03 -06:00
sinn3r e5dc6a9911 Update exploit checks
Progress group 1: Making sure these checks comply with the new
guidelines. Please read: "How to write a check() method" found in
the wiki.
2014-01-20 14:26:10 -06:00
OJ 1cb671b02e
Merge branch 'adjust_getenv_api' into stop_abusing_expand_path 2014-01-03 08:14:02 +10:00
jvazquez-r7 7f9f4ba4db Make gsubs compliant with the new indentation standard 2013-12-31 11:06:53 -06:00
OJ 9fb081cb2d Add getenvs, update getenv, change extract_path use
Stacks of modules were using `extract_path` where it wasn't really semantically correct
because this was the only way to expand environment variables. This commit fixes that
up a bit.

Also, I changed the existing `getenv` function in `stdapi` to `getenvs`, and had it
support the splat operator. I added a `getenv` function which is used just for a
single variable and uses `getenvs` behind the scenes.

The meterpreter console `getenv` command now uses `getenvs`
2013-12-19 11:54:34 +10:00
Tod Beardsley 040619c373
Minor description changes
No code changes (one comment made on play_youtube to suggest xdg-open
rather than firefox for linux targets).
2013-12-16 14:57:33 -06:00
sinn3r 3a9ac303f0 Use rexml for XML data generation 2013-12-10 15:37:44 -06:00
jvazquez-r7 230fcd87a5 Add module for zdi-13-259 2013-12-10 08:45:08 -06:00
sinn3r 230db6451b Remove @peer for modules that use HttpClient
The HttpClient mixin has a peer() method, therefore these modules
should not have to make their own. Also new module writers won't
repeat the same old code again.
2013-12-03 12:58:16 -06:00
jvazquez-r7 2d77ed58d5
Land #2648, @pnegry's exploit for Kaseya File Upload 2013-12-03 09:35:05 -06:00
jvazquez-r7 2606a6ff0e Do minor clean up for kaseya_uploadimage_file_upload 2013-12-03 09:34:25 -06:00
Thomas Hibbert 21bb8fd25a Update based on jvazquez's suggestions. 2013-12-03 13:49:31 +13:00
Thomas Hibbert d1e4975f76 Use res.get_cookies instead of homebrew parse. Use _cgi 2013-11-28 16:35:36 +13:00
Thomas Hibbert bb0753fcdd Updated module to comply with indentation standard and to use suggestions from reviewers 2013-11-27 16:00:00 +13:00
jvazquez-r7 885fedcc3b Fix target name 2013-11-21 17:42:31 -06:00
jvazquez-r7 77aa665385 Add Privileged flag 2013-11-21 09:28:28 -06:00
jvazquez-r7 2ab3ab8b66 Delete empty Payload metadata section 2013-11-21 09:27:25 -06:00
jvazquez-r7 6bd3c4c887 Fix target name 2013-11-21 09:07:25 -06:00
jvazquez-r7 4c2ad4ca9a Fix metadata 2013-11-21 09:06:47 -06:00
jvazquez-r7 8e4c5dbb5e improve upload_file response check 2013-11-21 09:02:11 -06:00
jvazquez-r7 8fdfeb73db Fix use of FileDropper and improve check method 2013-11-21 09:01:41 -06:00
jvazquez-r7 4abf01c64c Clean indentation 2013-11-21 08:32:54 -06:00
Thomas Hibbert 4cc20f163b Update References field to be compliant. 2013-11-20 13:01:21 +13:00
Thomas Hibbert c76fa32345 Fixed reference format 2013-11-20 12:53:21 +13:00
Thomas Hibbert 26a5e37266 Use MSF::Exploit:FileDropper to register the uploaded file for cleanup. 2013-11-20 12:27:22 +13:00
Thomas Hibbert 07c76fd3e6 Module cleaned for msftidy compliance. 2013-11-20 11:33:14 +13:00
Thomas Hibbert 960f7c9bbb Add DesktopCentral arbitrary file upload exploit. 2013-11-18 16:11:28 +13:00
Thomas Hibbert 60a245b0c3 Fix the arch declaration in uploaded module. 2013-11-18 14:49:03 +13:00
Thomas Hibbert 636fdfe2d2 Added Kaseya uploadImage exploit. 2013-11-18 14:23:34 +13:00
William Vu 2aed8a3aea Update modules to use new ZDI reference 2013-10-21 15:13:46 -05:00
sinn3r 4c14595525
Land #2535 - Use %PATH% for notepad 2013-10-21 13:14:44 -05:00
sinn3r d22e4ac2f1 Check timeout condition 2013-10-21 11:13:48 -05:00
jvazquez-r7 27078eb5a6 Add support for HP imc /BIMS 5.1 2013-10-20 18:18:34 -05:00
jvazquez-r7 b0d32a308a Update version information 2013-10-19 00:52:22 -05:00
jvazquez-r7 7d8a0fc06c Add BID reference 2013-10-19 00:29:43 -05:00
jvazquez-r7 cf239c2234 Add module for ZDI-13-238 2013-10-19 00:05:09 -05:00
Norbert Szetei 563bf4e639 Fix bug #8502, used %PATH% for notepad invocation
We use system %PATH% for notepad executable instead of the absolute
path, because it caused a problem with the migrate script in a 64-bit
meterpreter session. By default the wordpad binary is not in the
%PATH%, so the condition in hp_nnm_ovbuildpath_textfile.rb was not
changed.
2013-10-17 15:41:12 +02:00
Tod Beardsley ed0b84b7f7
Another round of re-splatting. 2013-10-15 14:14:15 -05:00
Tod Beardsley c83262f4bd
Resplat another common boilerplate. 2013-10-15 14:07:48 -05:00
Tod Beardsley 23d058067a
Redo the boilerplate / splat
[SeeRM #8496]
2013-10-15 13:51:57 -05:00