Commit Graph

17140 Commits (8bd2a691122fb39144f876ff1e4a2976c040a7c9)

Author SHA1 Message Date
jvazquez-r7 828301a6cc
Land #5050, @wchen-r7's exploit for Solarwinds Firewall Security Manager
* CVE-2015-2284
2015-04-03 13:45:30 -05:00
jvazquez-r7 7c9b19c6f8
Do minor cleanup 2015-04-03 11:53:50 -05:00
root 452ebcf9ad travis 2015-04-03 16:29:35 +05:00
root be829e77ba cravis error solve 2015-04-03 16:25:18 +05:00
root 4bd40fed7f yard doc and comment corrections for auxiliary 2015-04-03 16:12:23 +05:00
Brent Cook 16cb334325
Land #5065: OJ fix missed merges for uri_checksum and others 2015-04-02 22:53:29 -05:00
OJ fd043d4842 Fix up build and missing uri_checksum stuff
Somehow this made it into a merge when it shouldn't have. This fix moves
the URI checksum module to where it needs to be and updates all the
references where required. This will result in a class with the dynamic
transport branch, but I can fix that after.
2015-04-03 13:42:25 +10:00
scriptjunkie 0f7c644fff
Land #4784, JBoss Seam 2 upload exec exploit 2015-04-02 22:32:35 -05:00
OJ 5b5dc3ef59 Merge branch 'upstream/master' into stageless-x64
Merge required adjustment of the proxy datastore names that were changed.
2015-04-03 08:53:09 +10:00
Tod Beardsley 3ff91d74ca
More cleanup, mostly abysssec
[See #5012]
2015-04-02 16:16:38 -05:00
Tod Beardsley 11057e5b3b
Fix up the last couple from Tenable, missed last
[See #5012]
2015-04-02 15:27:46 -05:00
Tod Beardsley 4bbec88882
Various other one-off nonhuman author credits
[See #5012]
2015-04-02 15:25:47 -05:00
Tod Beardsley 6d5bcb93a8
Normalize the SecurityXploded Team credits
[See #5012]
2015-04-02 15:15:37 -05:00
Tod Beardsley 6532fad579
Remove credits to Alligator Security Team
All but one of these modules credits both a team name and individual
team members. We should just be crediting team members. The domain
persists in all the other credits.

The one that didn't was credited to dflah_ specifically, so merely
changed the author name.

Longer description, if needed, wrapped at 72 characters.

[See #5012]
2015-04-02 15:12:22 -05:00
HD Moore db5293eeee
Lands #5054, adds a module for the Ceragon mateidu SSH issue 2015-04-01 14:32:56 -05:00
Tod Beardsley b17727d244
Switching to privileged => false 2015-04-01 14:35:45 -05:00
sinn3r a592f645f0
Land #5039, Webdorado gallery wd 1.2.5 unauthenticated SQLi scanner 2015-04-01 14:34:58 -05:00
Tod Beardsley 0825534d2c
Fix reference 2015-04-01 14:16:45 -05:00
Tod Beardsley 8ec71e9daf
Add a module for R7-2015-05 2015-04-01 14:05:41 -05:00
jvazquez-r7 02a5730d92
Use calculate_interface_hash 2015-04-01 12:09:42 -05:00
sinn3r 0b14a18ad2 This is final 2015-04-01 12:00:49 -05:00
jvazquez-r7 f954ff78c0
Fix typo 2015-04-01 10:51:54 -05:00
nullbind 91aeef0a8a added startrid and endrid 2015-04-01 10:09:13 -05:00
sinn3r 0ee858cd65 Some useful messages 2015-04-01 01:41:31 -05:00
sinn3r 8ad07cdc0f This should be on the right track 2015-04-01 01:27:50 -05:00
OJ 24171a1a08
Land #5045 : Convert stageless proxy to new format 2015-04-01 12:06:57 +10:00
sinn3r 6795c90eac Some progress 2015-03-31 20:46:34 -05:00
sinn3r 97305629cb Add Solarwinds FSM module
starter
2015-03-31 16:21:52 -05:00
HD Moore 34ff94e0da Fix the proxy user/pass options 2015-03-31 15:49:43 -05:00
HD Moore df15892958 Convert stageless proxy settings to the new format 2015-03-31 15:46:15 -05:00
HD Moore a39ba05383 Functional Payload UUID embedding via PayloadUUIDSeed 2015-03-31 15:44:18 -05:00
David Maloney 63da27ece0
add missing HKLM root to regkey
the chevkm windows psot module had HKLM
missing from the front of one of it's reg key
paths. This was missed in Rails 3 due to the
error being swallowed unexpectedly. in rails 4
we actually see this cause a stack trace

MSP-12384
2015-03-31 14:17:18 -05:00
Tod Beardsley d1318d1b48
Fixups for release 2015-03-31 11:02:12 -05:00
OJ 633b46874d Merge branch 'upstream/master' 2015-03-31 14:53:48 +10:00
Brandon Perry e73286cfa5 update stale references 2015-03-30 17:17:48 -05:00
OJ 253e5d7dff Include correct module, remove specified encoder type 2015-03-31 07:23:51 +10:00
sinn3r 613f4777ce Land #5024, add joomla_ecommercewd_sqli_scanner.rb 2015-03-30 12:45:09 -05:00
sinn3r 8ea1ffc6ff
Land #5030, CVE-2015-0313 Flash Exploit 2015-03-30 11:31:53 -05:00
jvazquez-r7 ee404713f1
Land #5014, @wchen-r7's module for MS14-052
* As auxiliary module to gather info about existent local files
2015-03-30 11:02:56 -05:00
jvazquez-r7 8ff54ff98d
Add msb reference 2015-03-30 10:58:08 -05:00
sinn3r 9af1e76bf7 Obfuscate js 2015-03-30 10:52:01 -05:00
sinn3r c7fa01c5ae Rename file 2015-03-30 10:39:33 -05:00
OJ c28cc66398 Add x64 bind_tcp and reverse_ipv6_tcp
Also fix up a couple of modules to use Metasploit4 instead of
Metasploit3.
2015-03-30 18:59:30 +10:00
Denis Kolegov 9d78aa96d9 Add output of API errors to console 2015-03-30 02:42:09 -04:00
OJ 26792975eb Refactor of code to reduce duplication
Add mixin for the stageless http preparation
2015-03-30 13:18:56 +10:00
OJ f8851551c5 Add initial x64 stageless meterrpeter module 2015-03-30 11:23:51 +10:00
OJ ce8f6d72e1 More work on x64 stageless
Testing with HD's new changes that allow for generation of larger x64
payloads
2015-03-30 09:51:04 +10:00
h00die 28b9e89963 removed duplicate "uses" from description 2015-03-29 19:40:31 -04:00
OJ 17dc2b184d Merging upstream/master 2015-03-30 09:12:20 +10:00
Meatballs c430e5fab1
@m7x forgot to put a reference in 2015-03-29 02:13:31 +01:00
Brandon Perry de2bf0181c add first pass at gallerywd sqli scanner 2015-03-28 16:15:51 -05:00
Brandon Perry 9f0483248c add TARGETURI datastore option 2015-03-28 15:46:41 -05:00
Meatballs 2ed9489f38 Delete load line 2015-03-28 20:31:35 +00:00
Meatballs 99f79e8533 Use incognito token stealing rather than process migration if we have
the privileges required for successful impersonation.
2015-03-28 20:31:35 +00:00
Meatballs f83f4ae764 Move hashdump to gather 2015-03-28 20:31:35 +00:00
Meatballs e2af15a0df Refactor MSSQL Post 2015-03-28 20:31:35 +00:00
root 1558190a9d Add module mssql_local_hashdump 2015-03-28 20:31:35 +00:00
Brandon Perry 6ede476423 Update joomla_ecommercewd_sqli_scanner.rb 2015-03-28 08:38:12 -05:00
William Vu ef8c0aac69
Land #5020, spelling fixes for some modules 2015-03-28 00:36:04 -05:00
Brandon Perry 0dbd8544b4 Update joomla_ecommercewd_sqli_scanner.rb 2015-03-27 21:20:59 -05:00
Brandon Perry 31be47d5bc Create joomla_ecommercewd_sqli_scanner.rb 2015-03-27 20:25:33 -05:00
jvazquez-r7 f84a46df63
Add module for CVE-2015-0313 2015-03-27 18:51:13 -05:00
sinn3r 9cfafdd8b8
Land #4649, improve post/windows/manage/run_as and as an exploit 2015-03-27 17:31:30 -05:00
C-P 4f4bf9debb paylod vs payload 2015-03-27 11:55:15 -07:00
C-P 0a8fe781d1 paylod vs payload 2015-03-27 11:54:14 -07:00
C-P 5ba614a325 payloda vs payload 2015-03-27 11:53:20 -07:00
C-P 2d81460583 Explot vs Exploit 2015-03-27 11:37:11 -07:00
C-P f129347b51 Filed vs Failed fix 2015-03-27 11:28:50 -07:00
C-P 48484c1f09 Filed vs Failed fix 2015-03-27 11:27:36 -07:00
Denis Kolegov 45f8738cfe Fix stdout errors 2015-03-27 07:53:59 -04:00
Denis Kolegov 3515a0a71f Initial commit for supporting SSL Labs API 2015-03-27 07:34:11 -04:00
Roberto Soares 3e104fd8e6
Add Directory Traversal for RIPS Scanner 2015-03-27 05:08:43 -03:00
sinn3r f996c5a888 Update description 2015-03-27 02:31:36 -05:00
sinn3r 67dc46791d Limit the module to IE 8 and IE9 2015-03-27 02:30:04 -05:00
sinn3r f88d9651b6 I don't think it's worth putting the js in ie_addons.js 2015-03-27 02:26:50 -05:00
sinn3r bd2763292a Properly credit Soroush Dalili 2015-03-26 23:36:16 -05:00
sinn3r 560f31c34d Minor changes 2015-03-26 23:29:44 -05:00
sinn3r 68624dd56e Final for ie_files_disclosure.rb 2015-03-26 22:49:22 -05:00
sinn3r b0b17775c2 First working version 2015-03-26 21:53:26 -05:00
Brent Cook e0568e95c2
Land #4978 @zerosteiner adds reverse https for python meterpreter 2015-03-26 19:16:46 -05:00
sinn3r 955c0557e0
Land #4988, Relative URL for ms14_064_ole_code_execution 2015-03-26 13:36:37 -05:00
m-1-k-3 d81a246660 target_uri 2015-03-26 12:16:20 +01:00
m-1-k-3 b7f469b747 feedback 2015-03-26 07:39:36 +01:00
Spencer McIntyre 10e8cefd6d Pymet dont validate ssl certs for 2.7.9/3.4.3 2015-03-25 19:49:42 -04:00
sinn3r 68cb766681
Land #5007, Ruby 1.9+ syntax 2015-03-25 16:11:53 -05:00
William Vu 632879ceb6
Land #5001, wp_easycart_privilege_escalation CVE 2015-03-25 13:54:44 -05:00
jvazquez-r7 d84c48cb7d
Use newer hash syntax 2015-03-25 13:39:34 -05:00
jvazquez-r7 72a0909e9b
Land #4992, @wchen-r7's support for multiple ActiveX controls on BrowserExploitServerMerge 2015-03-25 13:30:36 -05:00
jvazquez-r7 0540e25db2
Calculate the java/rmi/registry/RegistryImpl_Stub hash dinamically 2015-03-25 11:29:07 -05:00
jvazquez-r7 356e8c727c
Add specs for Msf::Java::Rmi::Client::Jmx::Server 2015-03-24 18:56:58 -05:00
rastating 7a0fe05803 Add CVE-ID to module references 2015-03-24 22:30:43 +00:00
Christian Mehlmauer 7bf00f8f47
Land #4789, @rastating WPLMS wordpress module 2015-03-24 20:46:38 +01:00
jvazquez-r7 39e87f927a
Make code consistent 2015-03-24 11:44:26 -05:00
Tod Beardsley 49a6057f74
Grammaring harder 2015-03-24 11:10:36 -05:00
William Vu 7c456f2ad8
Land #4993, ams_xfr "payload_exe" NameError fix 2015-03-24 00:51:49 -05:00
sinn3r 8255e7a2dc Fix #4987 - undef payload_exe for ams_xfr
Fix #4987
2015-03-24 00:42:22 -05:00
William Vu 3dac6377d0
Fix #4983, bad copy pasta'd deprecation year 2015-03-24 00:34:54 -05:00
William Vu fadac30f00 Fix deprecated year 2015-03-24 00:34:38 -05:00
William Vu 6353154865
Land #4983, renamed WordPress modules 2015-03-23 23:49:40 -05:00
William Vu e338b77389 Readd and deprecate renamed WordPress modules 2015-03-23 23:48:56 -05:00
sinn3r db243a8225 x360_video_player_set_text_bof actually uses SetText for ActiveX 2015-03-23 23:36:20 -05:00
sinn3r 3248f02c2c These exploits use :activex, so I update the usage for them 2015-03-23 19:34:24 -05:00
jvazquez-r7 04341bfc78
Support JMX_ROLE again 2015-03-23 17:32:26 -05:00
Brent Cook 1869977921
Land #4962: OJ adjusts MSF to new metsrv needs
bump meterpreter bins to 0.0.17
2015-03-23 17:18:06 -05:00
jvazquez-r7 d8d4c23d60
JMX code refactoring 2015-03-23 17:06:51 -05:00
OJ 24d74b26e3 Beginning work for stageless x64 meterpreter 2015-03-24 06:50:06 +10:00
jvazquez-r7 962bb670de
Remove old JMX mixin 2015-03-23 15:48:10 -05:00
andygoblins 89e27d98ab Use relative URL to GET payload for WinXP
Relative URLs are simpler, and allow the exploit to work on attack machines in NAT environments. Example: attack machine is NATed and does not have a DNS hostname. SRVHOST must be 0.0.0.0 but the victim cannot access the attacker from Rex::Socket.source_address
2015-03-23 14:40:06 -05:00
Tod Beardsley 21a97c0926
Add exploit for R7-2015-04, Firefox Proxy RCE 2015-03-23 13:44:41 -05:00
sinn3r 156520338d Making some changes to how BES handles ActiveX 2015-03-23 12:21:27 -05:00
jvazquez-r7 79068c8ec2
Delete JMX discovery stream 2015-03-23 10:21:37 -05:00
aushack b191f92713 Renamed WordPress files to fit majority naming convention. 2015-03-23 18:15:04 +11:00
OJ 9c9d333a1b Create verify ssl mixin, adjust some formatting 2015-03-23 13:21:08 +10:00
jvazquez-r7 2d1adf6ef4
Land #4923, @m-1-k-3's exploit for overflow on belkin routers 2015-03-22 02:05:35 -05:00
jvazquez-r7 ee74bb3c5b
The default concat operator should be ok 2015-03-22 02:05:02 -05:00
jvazquez-r7 5499b68e02
Do code cleanup 2015-03-22 01:58:32 -05:00
Spencer McIntyre a407bc8d65 Fix the reverse_https stager CachedSize for the spec 2015-03-21 13:05:44 -04:00
Spencer McIntyre 7282968d8a Python reverse HTTPS stager 2015-03-21 12:43:14 -04:00
William Vu 07b82ec640
Land #4974, minishare_get_overflow WfsDelay change 2015-03-20 18:55:58 -05:00
William Vu 859b54f8a3
Land #4956, Qualys' Exim GHOST module 2015-03-20 18:44:30 -05:00
jvazquez-r7 8c3e39acf0
Land #4847 @rastating's module for WordPress WP EasyCart privilege escalation 2015-03-20 18:23:05 -05:00
jvazquez-r7 349d7cb9ee
Do minor cleanup 2015-03-20 18:20:45 -05:00
Adam Ziaja 921b9eab8e Update minishare_get_overflow.rb
set WfsDelay 30
2015-03-20 23:42:54 +01:00
William Vu 4004771aed
Land #4972, minishare_get_overflow targets
Windows 2003 SP1 English and Windows 2003 SP2 English.
2015-03-20 17:27:34 -05:00
William Vu 6f51946aa0
Land #4969, GitLab module references 2015-03-20 17:26:51 -05:00
William Vu 99f3de0843 Clean up info hash formatting 2015-03-20 17:26:21 -05:00
Adam Ziaja 505ecd32fb Update minishare_get_overflow.rb
Windows 2003 SP1 English, Windows 2003 SP2 English
2015-03-20 23:09:50 +01:00
jvazquez-r7 1226b3656f
Land #4945, @wchen-r7's login scanner for Symantec web gateway 2015-03-20 14:44:05 -05:00
jvazquez-r7 2f35fcff99
Fix require 2015-03-20 14:43:42 -05:00
Meatballs 8ee520e749
Add reference 2015-03-20 19:17:34 +00:00
sinn3r b19f766728
Land #4942, Gitlab Login Scanner 2015-03-20 13:02:12 -05:00
sinn3r a2ce14a31e
Land #4941, Gitlab Unauth User Enumeration 2015-03-20 12:28:35 -05:00
sinn3r 235124a40a Fix typo 2015-03-20 12:27:23 -05:00
sinn3r 84164b44b2 Should also rescue JSON::ParserError for banner parsing 2015-03-20 12:27:02 -05:00
sinn3r 0c2ed21e90
Land #4318, Lateral movement through PSRemoting 2015-03-20 11:39:35 -05:00
sinn3r 23d8479683 Fix typo 2015-03-20 11:39:00 -05:00
sinn3r 0da79edb9c Add a print_status to let the user know the module is over
If I have to run the module as a job, sometimes I can't tell if
the module has finished running or not.
2015-03-20 11:35:18 -05:00
sinn3r 1b67a06d35 No banner var 2015-03-20 02:26:59 -05:00
sinn3r b55ffc9ff1 Change option to FORCE_EXPLOIT 2015-03-20 01:44:10 -05:00
oj@buffered.io fd4ad9bd2e Rework changes on top of HD's PR
This commit removes duplication, tidies up a couple of things and puts
some common code into the x509 module.
2015-03-20 13:06:57 +10:00
OJ 7b4161bdb4 Update code to handle cert validation properly
This code contains duplication from HD's PR. Once his has been landed
this code can be fixed up a bit so that duplication is removed.
2015-03-20 12:52:47 +10:00
William Vu 7eec88c086
Land #4957, glassfish_login symbol cleanup 2015-03-19 21:20:33 -05:00
jvazquez-r7 b839547dc3 Add documentation for Registry modules and methods 2015-03-19 17:57:21 -05:00
jvazquez-r7 a7f1244251
Finish the java_rmi_registry gather module 2015-03-19 17:33:45 -05:00
sinn3r 94ab2f94fd Remove symbols that aren't used
These symbols belong to the AuthBrute mixin, but we are not using
AuthBrute for login testing.
2015-03-19 14:14:01 -05:00
sinn3r d8539ef91a Change datastore option's description 2015-03-19 12:22:42 -05:00
sinn3r a2ba81f84f This should be true (required) 2015-03-19 11:54:03 -05:00
sinn3r d8c8bd1669 Move the details to a wiki 2015-03-19 11:52:17 -05:00
jvazquez-r7 5c3134a616
Add first support to gather information from RMI registries 2015-03-19 11:16:04 -05:00
OJ 7899881416 Update POSIX bins from master 2015-03-19 14:50:14 +10:00
OJ 1a2f35d806
Land #4951: Dynamic URI generation for Java/Python reverse_http(s) 2015-03-19 12:41:20 +10:00
Spencer McIntyre 076f15f933
Land #4792 @jakxx Publish It PUI file exploit 2015-03-18 20:59:54 -04:00
Spencer McIntyre 3f8ed56a9a
Add available space to the payload info 2015-03-18 20:57:58 -04:00
Meatballs 6ceab3d02d
Add a DisclosureDate 2015-03-18 23:51:18 +00:00
sinn3r 968a8758ad Add CVE-2015-0235 Exim GHOST (glibc gethostbyname) Buffer Overflow
This was originally written by Qualys
2015-03-18 18:51:16 -05:00
joev b33e7f477c
Land #4947, h0ng10's TWiki exploit. 2015-03-18 17:17:34 -05:00
HD Moore 346b1d539f Revert Java back to static size for cache purposes (less cpu usage on startup) 2015-03-18 16:24:01 -05:00
HD Moore 33bbf7cb7e Dynamic URI generation for python/java http(s) stagers 2015-03-18 16:08:11 -05:00
jvazquez-r7 ae84c8ee30
Delete even more comments 2015-03-18 15:55:52 -05:00
jvazquez-r7 f956ba1a46 Do first JMX cleaning try 2015-03-18 15:37:07 -05:00
rwhitcroft 7ae97393e0 fix x64/reverse_https stager shellcode 2015-03-18 15:34:31 -04:00
OJ e943cb550f
Land #4585 : CVE-2015-0975 XXE in OpenNMS 2015-03-18 22:34:52 +10:00
OJ d1a2f58303 Fix of regex for file capture and format tweaks 2015-03-18 22:17:44 +10:00
Hans-Martin Münch (h0ng10) 5dd718e4fa Better description 2015-03-18 09:51:51 +01:00
Hans-Martin Münch (h0ng10) 00de437918 Initial commit 2015-03-18 09:45:08 +01:00
OJ fa7242388b Move the module to the correct location 2015-03-18 18:18:54 +10:00
HD Moore b62da42927 Merge branch 'master' into feature/add-proxies-to-wininet 2015-03-18 01:51:15 -05:00
HD Moore c607cf7b11 Merging master 2015-03-18 01:45:44 -05:00
HD Moore ef443c83b9 Fix overgreed search/replace 2015-03-18 01:21:53 -05:00
HD Moore f7a06d8e44 Rework PROXY_{HOST|PORT|TYPE|USERNAME|PASSWORD) to the new syntax 2015-03-18 01:15:32 -05:00
HD Moore 87a489907c Place an IPv6 proxy IP between brackets 2015-03-18 01:01:16 -05:00
HD Moore 259db269bd Remove user/pass and invalid class from the options 2015-03-18 01:01:16 -05:00
HD Moore 2ab14e7e79 Adds IPv6 and option-related issues with the previous patch 2015-03-18 01:01:10 -05:00
HD Moore 0601946830 Don't mandate and default PROXY_HOST (miscopy from the proxy stager) 2015-03-18 01:00:04 -05:00
HD Moore 85fb534e63 Fix up the offset detection again, cleanup redundant code 2015-03-18 00:59:25 -05:00
HD Moore 2f13988d7b Use OptPort vs OptInt and cleanup the description 2015-03-18 00:59:25 -05:00
HD Moore a01be365b0 Rework PROXYHOST/PROXYPORT to PROXY_HOST/PROXY_PORT
This also cleans up the windows reverse_https_proxy stager.
2015-03-18 00:59:13 -05:00
jvazquez-r7 14be07a2c4
Update java_rmi_server modules 2015-03-17 21:29:52 -05:00
jakxx b197b7aaf0 Additional Updates
-Removed unused mixin
-Cleaned up Module name
-Cleaned up author name
2015-03-17 19:24:13 -04:00
James Lee bd4738b93e
Land #4827, capture and nbns fixups 2015-03-17 17:37:55 -05:00
James Lee d7fa0ec669
Let IPAddr#hton do the calculating 2015-03-17 17:36:45 -05:00
jakxx 085e6cc815 Implemented Recommended Changes
-corrected spelling error
-set only option to required
-dumped header data to included file
-Used Rex for jmp values
2015-03-17 16:39:56 -04:00
jvazquez-r7 1242404085
Delete comment 2015-03-17 14:18:07 -05:00
William Vu d1d6378179
Land #4566, Misfortune Cookie scanner improvements 2015-03-17 12:32:35 -05:00
sinn3r f95b783193 I don't need these eitehr 2015-03-17 11:33:49 -05:00
jvazquez-r7 ebe7ad07b0 Add specs, plus modify java_rmi_server modules 2015-03-17 11:26:27 -05:00
jstnkndy 0490af8ba8 Added error checks, randomness, and uuid delimeter 2015-03-17 10:20:22 -04:00
jstnkndy f3fc4003d0 typo 2015-03-17 10:19:40 -04:00
jstnkndy b92d243c0e Merge branch 'module-cve-2015-0975' of https://github.com/jstnkndy/metasploit-framework into module-cve-2015-0975 2015-03-17 10:18:32 -04:00
jstnkndy e0a7f531cc Added error checking, randomness, uuid delimiters 2015-03-17 10:10:51 -04:00
Meatballs e1ebc6c7fe
Update date, remove URL (will replace later) 2015-03-17 12:50:47 +00:00
Meatballs 0cd85cb052
Correct capitilzation of GitLab 2015-03-17 11:33:57 +00:00
Meatballs d18224e3cb
Correct capitilzation of GitLab 2015-03-17 11:32:14 +00:00
Meatballs f4a1e981ab
Add gitlab login scanner 2015-03-17 11:19:23 +00:00
Meatballs 878247f495
Small modifications 2015-03-17 10:03:32 +00:00
Meatballs f1d5d8f1ce
Store to loot as well 2015-03-17 09:55:28 +00:00
Meatballs 9f40826f8e Store creds in database 2015-03-17 09:17:08 +00:00
Meatballs 3830e71257 Catch 7.5 401 2015-03-17 09:17:08 +00:00
Meatballs 1b565b0290 Check revision 2015-03-17 09:17:07 +00:00
Meatballs 7216f2a971 Initial commit 2015-03-17 09:17:07 +00:00
sinn3r 14296826f7 A cleaner way to set datastore options 2015-03-17 03:07:49 -05:00
sinn3r ff58f7d270 Add Symantec Web Gateway Login Module 2015-03-17 02:51:57 -05:00
jvazquez-r7 0a37df67a0 Add initial support for better RMI calls 2015-03-16 23:44:16 -05:00
Brent Cook abb8a32e68 update spec for dynamic meterpreter payloads 2015-03-16 18:08:13 -05:00
Felix Wehnert 2a525958bd fixed typo
Does no one tested this script on x64 yet ?
2015-03-16 20:15:26 +01:00
HD Moore 2ea984423b while(true)->loop, use thread.join 2015-03-16 14:08:01 -05:00
William Vu ac0e23d783
Land #4932, hardcoded username fix
For mssql_escalate_execute_as_sqli.
2015-03-16 01:46:13 -05:00
HD Moore 7e89281485 Adds proxy (with authentication) support to reverse_http(s) 2015-03-16 00:03:31 -05:00
Scott Sutherland 00dbcc12ca Removed imp_user var from escalate_privs func 2015-03-15 22:02:12 -07:00
nullbind 5bebabb005 fixed hardcoded username 2015-03-15 19:45:02 -05:00
Sven Vetsch 4d3a1a2f71 fix all duplicated keys in modules 2015-03-14 13:10:42 +01:00
jvazquez-r7 bb81107e51 Land #4927, @wchen-r7's exploit for Flash PCRE CVE-2015-0318 2015-03-13 23:58:05 -05:00
sinn3r 3bfdfbc987 Small changes 2015-03-13 18:55:11 -05:00
jvazquez-r7 1ead57a80d
Land #4928, @h0ng10's local exploit for iPass Mobile Client 2015-03-13 16:58:45 -05:00
jvazquez-r7 9894a3dc54 Change module filename 2015-03-13 16:53:17 -05:00
jvazquez-r7 b4de3ce42b Do minor cleanup 2015-03-13 16:52:26 -05:00
Hans-Martin Münch (h0ng10) b0e730d5ae Typo 2015-03-13 20:41:14 +01:00
Hans-Martin Münch (h0ng10) 726f01b8cc Initial version 2015-03-13 20:33:45 +01:00
sinn3r 182850df30 Stick to Win 7 2015-03-13 12:41:05 -05:00
sinn3r 2b199315d4 Final 2015-03-13 12:30:41 -05:00
Brent Cook b68e05e536
Land #4914, @hmoore-r7 and @BorjaMerino winhttp stagers 2015-03-13 08:24:11 -05:00
OJ 35cfdf051a Add support for meterpreter_reverse_ipv6_tcp
New payload added, makes use of existing functionality.
2015-03-13 20:15:31 +10:00
William Vu a32cd2ae9e
Land #4877, CVE-2015-0240 (Samba) aux module 2015-03-13 00:03:53 -05:00
scriptjunkie 6011e8b3e1
Land #4918, Rework how payload prepends work 2015-03-12 18:56:04 -05:00
jvazquez-r7 75b2ef81dc
Land #4890, @julianvilas's improvements struts_code_exec_classloader 2015-03-12 17:25:00 -05:00
jvazquez-r7 b6146b1499 Use print_warning 2015-03-12 17:22:03 -05:00
jvazquez-r7 e035e6ce51
Land #4899, @h0ng10's exploit for iPass Open Mobile CVE-2015-0925 2015-03-12 16:42:52 -05:00
jvazquez-r7 7b7ebc20d7 Fix indentation 2015-03-12 16:41:41 -05:00
jvazquez-r7 da47d368e8 Do minor style cleaning 2015-03-12 16:35:48 -05:00
jvazquez-r7 a77078b555
Add X86 target 2015-03-12 16:34:44 -05:00
jvazquez-r7 1b20bc9dca
Land #4919, @wchen-r7's new reference for ie_uxss_injection 2015-03-12 15:30:37 -05:00
HD Moore b43893ad71
Lands #4903, corrects the return value used for the script path 2015-03-12 14:05:22 -05:00
m-1-k-3 819a49b28a msftidy again 2015-03-12 19:09:52 +01:00
m-1-k-3 2eab258a76 msftidy 2015-03-12 19:07:56 +01:00
m-1-k-3 ccf7314c8f msftidy 2015-03-12 19:05:21 +01:00
m-1-k-3 6fcab31997 ncc exploit CVE-2015-1187 - dir626l 2015-03-12 18:55:50 +01:00
sinn3r 220a26c5a4
Land #4907, CVE-2015-1427, elasticsearch groovy code injection 2015-03-12 11:28:24 -05:00
sinn3r ac24652196
Land #4911, CVE-2015-0096 (ms15_020_shortcut_icon_dllloader) 2015-03-12 10:51:56 -05:00
sinn3r 67d05f9354 Add the PR as a reference (how to guide) 2015-03-12 10:51:01 -05:00
sinn3r 0d36115112 Update MS15-018 MSB reference 2015-03-12 10:13:37 -05:00
HD Moore 744b1a680e Reworks how payload prepends work internally, see #1674 2015-03-12 02:30:06 -05:00
HD Moore f676dc03c8
Lands #4849, prevents the target from running out of memory during NTFS reads 2015-03-12 00:01:47 -05:00
jvazquez-r7 68d69177ad Add smb module for MS15-020 2015-03-11 23:46:50 -05:00
HD Moore 24440b8c38
Lands #4913, adds OSVDB reference to nvidia module 2015-03-11 23:32:22 -05:00
jvazquez-r7 a9fa2d25aa Add SMB module for MS10-046 2015-03-11 23:23:56 -05:00
OJ 345b5cc8e1 Add stageless meterpreter support
This commit adds plumbing which allows for the creation of stageless
meterpreter payloads that include extensions. The included transprots at
this point are bind_tcp, reverse_tcp and reverse_https, all x86.

More coming for x64. Will also validate http soon.
2015-03-12 13:22:04 +10:00
HD Moore c3f2536ef6 Make the stager clear in the payload descriptions 2015-03-11 21:30:02 -05:00
HD Moore b105a88b95 Fix https convention 2015-03-11 21:26:31 -05:00
HD Moore 8bae58d631 Updated cache sizes 2015-03-11 21:25:12 -05:00
Tod Beardsley 99494328d2
Update Nvidia module with an OSVDB ref
The paper is really good, but could use a more traditional reference.

[See #4884]
2015-03-11 19:51:22 -05:00
jvazquez-r7 0e4e264325 Redo description 2015-03-11 18:19:28 -05:00
jvazquez-r7 4e6aca0209 refactor create_exploit_file 2015-03-11 18:13:09 -05:00
jvazquez-r7 5662e5c5a6 Add module for MS15-020 2015-03-11 17:29:02 -05:00
HD Moore 1135e5e073 First take on WinHTTP stagers, untested 2015-03-11 16:27:14 -05:00
HD Moore 7e3b4017f0 Rename and resynced with master, ready for refactoring 2015-03-11 14:36:27 -05:00
HD Moore ea1bc69e2e Merge branch 'master' into feature/add-reverse_winhttp-stagers 2015-03-11 14:29:34 -05:00
sinn3r 215c209f88
Land #4901, CVE-2014-0311, Flash ByteArray Uncompress UAF 2015-03-11 14:04:17 -05:00
sinn3r 43b90610b1 Temp 2015-03-11 13:53:34 -05:00
Brent Cook ceeee4446f
Land #4904, @hmoore-r7 reworks reverse_http/s stagers
They are now assembled dynamically and support more flexible options,
such as long URLs.
2015-03-11 10:41:59 -05:00
sinn3r 2a9d6e64e2 Starting point for CVE-2015-0318 2015-03-11 09:58:41 -05:00
HD Moore ad39adf9c2 Missing comma 2015-03-11 00:49:07 -05:00
HD Moore a89926b663 Exclude vncinject from http stagers (depends on sockedi) 2015-03-11 00:46:04 -05:00
jvazquez-r7 8a452a7cba Do somce cleanup 2015-03-10 17:10:44 -05:00
Brent Cook 9ade107325 disable reverse_http methods from upexec and shell payloads
These don't work over http and don't appear to have ever, as far back as
I could test. They appear to be an accident perhaps.
2015-03-10 17:08:58 -05:00
jvazquez-r7 4a84693fb0 Support windows 2015-03-10 16:58:33 -05:00
jvazquez-r7 c26bea3429 Fix credits 2015-03-10 16:27:07 -05:00
jvazquez-r7 980c83cb70 Fix metadata 2015-03-10 16:25:02 -05:00
jvazquez-r7 9e17874389 Exploit CVE-2015-1427 2015-03-10 16:17:51 -05:00
HD Moore db351317a5 Merge with PR branch 2015-03-10 14:08:35 -05:00
HD Moore 0f763c2cb3 First step to reworking the winhttp stagers 2015-03-10 14:07:25 -05:00
Borja Merino 991e72a4fa HTTP stager based on WinHttp 2015-03-10 13:40:16 -05:00
HD Moore 966848127a Refactor x86 Windows reverse_http and reverse_https stagers 2015-03-10 12:48:30 -05:00
m-1-k-3 64f769504b encoding 2015-03-10 17:47:15 +01:00
m-1-k-3 6657c7d11d Belkin - CVE-2014-1635 2015-03-10 16:49:51 +01:00
jvazquez-r7 f8f178b1db Fix script_mvel_rce check 2015-03-10 09:39:02 -05:00
jvazquez-r7 9dc99e4207 Update check 2015-03-10 09:26:22 -05:00
Sigurd Jervelund Hansen c6cb1e840d Fixes persistence module by revering changes to the value returned by the write_script_to_target function, which screws up the path that is used for startup. Currently an escaped path "C://Users//..." is being used instead of using windows standards "C:\Users\...". 2015-03-10 10:26:03 +01:00
Brent Cook 97f09b6ab0
Land #4894: hmoore-r7 cache payload sizes on start
Avoid the hit of regenerating all of the static-size payloads when
loading the framework. This will facilitate conversion of payloads to
use metasm later.
2015-03-09 23:06:55 -05:00
jvazquez-r7 fc4b312879 Add template 2015-03-09 23:04:32 -05:00
Julian Vilas fe822f8d33 Modify automatic file cleanup 2015-03-10 00:45:20 +01:00
Julian Vilas 0ef303cb6c Fix Java payload 2015-03-10 00:01:27 +01:00
HD Moore 618fbf075a Update CachedSize for the fixed stager 2015-03-09 16:57:14 -05:00
HD Moore 746f18d9bb Fallback to a localhost variant to make the length predictable 2015-03-09 16:56:25 -05:00
jvazquez-r7 78167c3bb8 Use single quotes when possible 2015-03-09 16:55:21 -05:00
HD Moore 6543c3c36f Update CachedSize for the fixed stager 2015-03-09 16:54:57 -05:00
HD Moore c676ac1499 Fallback to a localhost variant to make the length predictable 2015-03-09 16:53:28 -05:00
jvazquez-r7 cb72b26874 Add module for CVE-2014-0311 2015-03-09 16:52:23 -05:00
HD Moore d0324e8ad3 Final cleanup, passing specs 2015-03-09 15:50:57 -05:00
HD Moore da81f6b2a0 Correct the :dynamic cache sizes 2015-03-09 15:44:14 -05:00
HD Moore 02509d02e4 The result of running ./tools/update_payload_cached_sizes.rb 2015-03-09 15:31:04 -05:00
Hans-Martin Münch (h0ng10) bba4223d68 Initial commit 2015-03-09 16:36:11 +01:00
Tod Beardsley df80d56fda
Land #4898, prefer URI to open-uri 2015-03-09 09:14:10 -05:00
William Vu 3075c56064 Fix "response HTML" message
In modules/exploits/multi/browser/firefox_xpi_bootstrapped_addon.rb.
2015-03-07 17:08:08 -06:00
Julian Vilas 2eb0011a99 Autotrigger JSP shell at docBase 2015-03-07 20:41:08 +01:00
Julian Vilas 3be2bde5a2 Use bypass for bulletin S2-020 2015-03-07 19:14:20 +01:00
root 5b25ba5df3 moved array definition to avoid error 2015-03-07 12:57:44 -05:00
root fac777da3d brocade_enable_login msftidy success 2015-03-06 20:33:09 -05:00
joev ccd0712d43 Use ===, doh. 2015-03-06 12:29:34 -06:00
joev fefd4e271a Don't hardcode the hex. 2015-03-06 12:16:03 -06:00
root 591716e557 brocade enable command bruteforcer 2015-03-06 09:41:14 -05:00
joev 3fb4fbe8e6 Add 'not allowed' check instead of magic check. 2015-03-06 00:01:31 -06:00
joev 7db3277731 Actually hide the iframe. 2015-03-05 23:52:29 -06:00
joev d7295959ca Remove open-uri usage in msf. 2015-03-05 23:45:28 -06:00
joev 3c5d7b3ef0 Okay, putting source code in a quoted string is horrible. 2015-03-05 23:25:37 -06:00
jvazquez-r7 2134cc3d22
Modify description 2015-03-05 16:55:24 -06:00
jvazquez-r7 7b4776ee79 Deregister FOLDER_NAME 2015-03-05 16:42:07 -06:00
jvazquez-r7 1bc81ea723
Merge #4884 into updated master 2015-03-05 16:41:15 -06:00
Meatballs 33f089b1a5
Tidyup 2015-03-05 21:50:12 +00:00
jvazquez-r7 9f3f8bb727
Merging #3323 work 2015-03-05 15:44:15 -06:00
jvazquez-r7 c388fd49c2 Fix print message 2015-03-05 15:43:54 -06:00
jvazquez-r7 dd2559b748 Favor new target over new module 2015-03-05 15:41:53 -06:00
jvazquez-r7 e1a4b046a0 Add support for tomcat 7 to struts_code_exec_classloader 2015-03-05 15:40:24 -06:00
Meatballs c56679f33e
Modify for new SMB mixin 2015-03-05 21:26:13 +00:00
Tod Beardsley e429d4c04f Add reference and description for PTH on Postgres
Dave and William did most of the work already over on PR #4871, this
just points it out in the module.
2015-03-05 14:36:56 -06:00
sinn3r 16c86227e2 Change to OptBool and default to explicit 2015-03-05 13:07:03 -06:00
jvazquez-r7 de08d8247b Do some module cleanup 2015-03-05 13:00:01 -06:00
jvazquez-r7 82659aba93 Populate metadata from code to make test easier 2015-03-05 12:40:20 -06:00
jvazquez-r7 dc02f8332f Pass msftidy 2015-03-05 12:29:31 -06:00
jvazquez-r7 a06eb04d59 Deregister FOLDER_NAME on exploit modules 2015-03-05 12:27:12 -06:00
sinn3r cb9922ad39
Land #4874, Add PHPMoAdmin command injection 2015-03-05 11:30:44 -06:00
sinn3r 8978b1d7b5 Add a version 2015-03-05 11:29:44 -06:00
Ricardo Almeida 32188f09d6 Update phpmoadmin_exec.rb
Changes:
Added required comment at the top of the file;
Changed Class name "Metasploit3" >> "Metasploit4";
Standard name/email format for public PoC author.
2015-03-05 12:56:08 +00:00
Ricardo Almeida 95962aab0d Update phpmoadmin_exec.rb
Changes:
"Check if vulnerable" code improvement;
Payload delivery code improvement;
Minor indent issues.

Thanks for your feedback guys :)
2015-03-05 12:46:53 +00:00
aushack 2f4df39dc9 Fixed typo 2015-03-05 17:40:51 +11:00
sinn3r d40e7485dd Add CVE-2015-0240 auxiliary module 2015-03-04 23:50:14 -06:00
jvazquez-r7 e715eaba58 Update description 2015-03-04 16:39:27 -06:00
jvazquez-r7 e155f2998e Change module filename 2015-03-04 16:38:08 -06:00
jvazquez-r7 77abd57397 Do code cleanup 2015-03-04 16:37:31 -06:00
jvazquez-r7 22ff4d0097 Update with master changes 2015-03-04 16:30:19 -06:00
jvazquez-r7 e7de09df29 Change module filename 2015-03-04 16:18:45 -06:00
jvazquez-r7 1337b7ace8 Clean module 2015-03-04 16:18:10 -06:00
Ricardo Almeida 9530e15c81 Update phpmoadmin_exec.rb
Changes:
Changed description section;
Changed 'URL' to 'EDB' in references section;
Added newline at the end.
2015-03-04 21:59:08 +00:00
jvazquez-r7 d4738d8c0a
Update #3076 branch 2015-03-04 15:51:00 -06:00
Ricardo Almeida c19895ac85 Update phpmoadmin_exec.rb
Changes:
Added new URL;
Added CVE number;
Corrected the disclosure date;
Corrected the normalize_uri() function syntax.
2015-03-04 21:31:44 +00:00
jvazquez-r7 5cc9ea3618 Update with master changes 2015-03-04 15:16:12 -06:00
William Vu a64dd4a1af
Land #4871, Postgres PTH support
MSP-12244
2015-03-04 15:08:57 -06:00
David Maloney 2d46c06b97
Merge branch 'master' into feature/MSP-12244/postgres-pass-the-hash 2015-03-04 13:56:10 -06:00
jvazquez-r7 fa9d921138 Beautify description 2015-03-04 13:07:10 -06:00
jvazquez-r7 8fdb7a798e Change module filename 2015-03-04 13:01:06 -06:00
jvazquez-r7 36375fab28 Fix downcase path handling 2015-03-04 12:58:41 -06:00
jvazquez-r7 62dde22d88 Clean packet building 2015-03-04 12:27:58 -06:00
Ricardo Almeida 4d67e0e1bb Add PHPMoAdmin RCE 2015-03-04 18:17:31 +00:00
jvazquez-r7 e04ff3ee24 Delete CMD option 2015-03-04 11:51:58 -06:00
jvazquez-r7 d4337ce1ae Do minor metadata cleanup 2015-03-04 11:46:01 -06:00
jvazquez-r7 1371cfe025 Test landing #4451 2015-03-04 11:20:07 -06:00
jvazquez-r7 aaab4b401a Fix indenting and use primer 2015-03-04 10:46:34 -06:00
jvazquez-r7 0e57277dc1 Do cleanup 2015-03-04 10:33:57 -06:00
jvazquez-r7 b9ed8178a9 Solve conflicts on ms13_071_theme 2015-03-04 10:28:52 -06:00
Matthew Hall 4757698c15 Modify primer to utilise file_contents macro. 2015-03-04 09:52:00 +00:00
Matthew Hall a90ebfe9a7 Modify primer to utilise file_contents macro. 2015-03-04 09:51:32 +00:00