jvazquez-r7
828301a6cc
Land #5050 , @wchen-r7's exploit for Solarwinds Firewall Security Manager
...
* CVE-2015-2284
2015-04-03 13:45:30 -05:00
jvazquez-r7
7c9b19c6f8
Do minor cleanup
2015-04-03 11:53:50 -05:00
root
452ebcf9ad
travis
2015-04-03 16:29:35 +05:00
root
be829e77ba
cravis error solve
2015-04-03 16:25:18 +05:00
root
4bd40fed7f
yard doc and comment corrections for auxiliary
2015-04-03 16:12:23 +05:00
Brent Cook
16cb334325
Land #5065 : OJ fix missed merges for uri_checksum and others
2015-04-02 22:53:29 -05:00
OJ
fd043d4842
Fix up build and missing uri_checksum stuff
...
Somehow this made it into a merge when it shouldn't have. This fix moves
the URI checksum module to where it needs to be and updates all the
references where required. This will result in a class with the dynamic
transport branch, but I can fix that after.
2015-04-03 13:42:25 +10:00
scriptjunkie
0f7c644fff
Land #4784 , JBoss Seam 2 upload exec exploit
2015-04-02 22:32:35 -05:00
OJ
5b5dc3ef59
Merge branch 'upstream/master' into stageless-x64
...
Merge required adjustment of the proxy datastore names that were changed.
2015-04-03 08:53:09 +10:00
Tod Beardsley
3ff91d74ca
More cleanup, mostly abysssec
...
[See #5012 ]
2015-04-02 16:16:38 -05:00
Tod Beardsley
11057e5b3b
Fix up the last couple from Tenable, missed last
...
[See #5012 ]
2015-04-02 15:27:46 -05:00
Tod Beardsley
4bbec88882
Various other one-off nonhuman author credits
...
[See #5012 ]
2015-04-02 15:25:47 -05:00
Tod Beardsley
6d5bcb93a8
Normalize the SecurityXploded Team credits
...
[See #5012 ]
2015-04-02 15:15:37 -05:00
Tod Beardsley
6532fad579
Remove credits to Alligator Security Team
...
All but one of these modules credits both a team name and individual
team members. We should just be crediting team members. The domain
persists in all the other credits.
The one that didn't was credited to dflah_ specifically, so merely
changed the author name.
Longer description, if needed, wrapped at 72 characters.
[See #5012 ]
2015-04-02 15:12:22 -05:00
HD Moore
db5293eeee
Lands #5054 , adds a module for the Ceragon mateidu SSH issue
2015-04-01 14:32:56 -05:00
Tod Beardsley
b17727d244
Switching to privileged => false
2015-04-01 14:35:45 -05:00
sinn3r
a592f645f0
Land #5039 , Webdorado gallery wd 1.2.5 unauthenticated SQLi scanner
2015-04-01 14:34:58 -05:00
Tod Beardsley
0825534d2c
Fix reference
2015-04-01 14:16:45 -05:00
Tod Beardsley
8ec71e9daf
Add a module for R7-2015-05
2015-04-01 14:05:41 -05:00
jvazquez-r7
02a5730d92
Use calculate_interface_hash
2015-04-01 12:09:42 -05:00
sinn3r
0b14a18ad2
This is final
2015-04-01 12:00:49 -05:00
jvazquez-r7
f954ff78c0
Fix typo
2015-04-01 10:51:54 -05:00
nullbind
91aeef0a8a
added startrid and endrid
2015-04-01 10:09:13 -05:00
sinn3r
0ee858cd65
Some useful messages
2015-04-01 01:41:31 -05:00
sinn3r
8ad07cdc0f
This should be on the right track
2015-04-01 01:27:50 -05:00
OJ
24171a1a08
Land #5045 : Convert stageless proxy to new format
2015-04-01 12:06:57 +10:00
sinn3r
6795c90eac
Some progress
2015-03-31 20:46:34 -05:00
sinn3r
97305629cb
Add Solarwinds FSM module
...
starter
2015-03-31 16:21:52 -05:00
HD Moore
34ff94e0da
Fix the proxy user/pass options
2015-03-31 15:49:43 -05:00
HD Moore
df15892958
Convert stageless proxy settings to the new format
2015-03-31 15:46:15 -05:00
HD Moore
a39ba05383
Functional Payload UUID embedding via PayloadUUIDSeed
2015-03-31 15:44:18 -05:00
David Maloney
63da27ece0
add missing HKLM root to regkey
...
the chevkm windows psot module had HKLM
missing from the front of one of it's reg key
paths. This was missed in Rails 3 due to the
error being swallowed unexpectedly. in rails 4
we actually see this cause a stack trace
MSP-12384
2015-03-31 14:17:18 -05:00
Tod Beardsley
d1318d1b48
Fixups for release
2015-03-31 11:02:12 -05:00
OJ
633b46874d
Merge branch 'upstream/master'
2015-03-31 14:53:48 +10:00
Brandon Perry
e73286cfa5
update stale references
2015-03-30 17:17:48 -05:00
OJ
253e5d7dff
Include correct module, remove specified encoder type
2015-03-31 07:23:51 +10:00
sinn3r
613f4777ce
Land #5024 , add joomla_ecommercewd_sqli_scanner.rb
2015-03-30 12:45:09 -05:00
sinn3r
8ea1ffc6ff
Land #5030 , CVE-2015-0313 Flash Exploit
2015-03-30 11:31:53 -05:00
jvazquez-r7
ee404713f1
Land #5014 , @wchen-r7's module for MS14-052
...
* As auxiliary module to gather info about existent local files
2015-03-30 11:02:56 -05:00
jvazquez-r7
8ff54ff98d
Add msb reference
2015-03-30 10:58:08 -05:00
sinn3r
9af1e76bf7
Obfuscate js
2015-03-30 10:52:01 -05:00
sinn3r
c7fa01c5ae
Rename file
2015-03-30 10:39:33 -05:00
OJ
c28cc66398
Add x64 bind_tcp and reverse_ipv6_tcp
...
Also fix up a couple of modules to use Metasploit4 instead of
Metasploit3.
2015-03-30 18:59:30 +10:00
Denis Kolegov
9d78aa96d9
Add output of API errors to console
2015-03-30 02:42:09 -04:00
OJ
26792975eb
Refactor of code to reduce duplication
...
Add mixin for the stageless http preparation
2015-03-30 13:18:56 +10:00
OJ
f8851551c5
Add initial x64 stageless meterrpeter module
2015-03-30 11:23:51 +10:00
OJ
ce8f6d72e1
More work on x64 stageless
...
Testing with HD's new changes that allow for generation of larger x64
payloads
2015-03-30 09:51:04 +10:00
h00die
28b9e89963
removed duplicate "uses" from description
2015-03-29 19:40:31 -04:00
OJ
17dc2b184d
Merging upstream/master
2015-03-30 09:12:20 +10:00
Meatballs
c430e5fab1
@m7x forgot to put a reference in
2015-03-29 02:13:31 +01:00
Brandon Perry
de2bf0181c
add first pass at gallerywd sqli scanner
2015-03-28 16:15:51 -05:00
Brandon Perry
9f0483248c
add TARGETURI datastore option
2015-03-28 15:46:41 -05:00
Meatballs
2ed9489f38
Delete load line
2015-03-28 20:31:35 +00:00
Meatballs
99f79e8533
Use incognito token stealing rather than process migration if we have
...
the privileges required for successful impersonation.
2015-03-28 20:31:35 +00:00
Meatballs
f83f4ae764
Move hashdump to gather
2015-03-28 20:31:35 +00:00
Meatballs
e2af15a0df
Refactor MSSQL Post
2015-03-28 20:31:35 +00:00
root
1558190a9d
Add module mssql_local_hashdump
2015-03-28 20:31:35 +00:00
Brandon Perry
6ede476423
Update joomla_ecommercewd_sqli_scanner.rb
2015-03-28 08:38:12 -05:00
William Vu
ef8c0aac69
Land #5020 , spelling fixes for some modules
2015-03-28 00:36:04 -05:00
Brandon Perry
0dbd8544b4
Update joomla_ecommercewd_sqli_scanner.rb
2015-03-27 21:20:59 -05:00
Brandon Perry
31be47d5bc
Create joomla_ecommercewd_sqli_scanner.rb
2015-03-27 20:25:33 -05:00
jvazquez-r7
f84a46df63
Add module for CVE-2015-0313
2015-03-27 18:51:13 -05:00
sinn3r
9cfafdd8b8
Land #4649 , improve post/windows/manage/run_as and as an exploit
2015-03-27 17:31:30 -05:00
C-P
4f4bf9debb
paylod vs payload
2015-03-27 11:55:15 -07:00
C-P
0a8fe781d1
paylod vs payload
2015-03-27 11:54:14 -07:00
C-P
5ba614a325
payloda vs payload
2015-03-27 11:53:20 -07:00
C-P
2d81460583
Explot vs Exploit
2015-03-27 11:37:11 -07:00
C-P
f129347b51
Filed vs Failed fix
2015-03-27 11:28:50 -07:00
C-P
48484c1f09
Filed vs Failed fix
2015-03-27 11:27:36 -07:00
Denis Kolegov
45f8738cfe
Fix stdout errors
2015-03-27 07:53:59 -04:00
Denis Kolegov
3515a0a71f
Initial commit for supporting SSL Labs API
2015-03-27 07:34:11 -04:00
Roberto Soares
3e104fd8e6
Add Directory Traversal for RIPS Scanner
2015-03-27 05:08:43 -03:00
sinn3r
f996c5a888
Update description
2015-03-27 02:31:36 -05:00
sinn3r
67dc46791d
Limit the module to IE 8 and IE9
2015-03-27 02:30:04 -05:00
sinn3r
f88d9651b6
I don't think it's worth putting the js in ie_addons.js
2015-03-27 02:26:50 -05:00
sinn3r
bd2763292a
Properly credit Soroush Dalili
2015-03-26 23:36:16 -05:00
sinn3r
560f31c34d
Minor changes
2015-03-26 23:29:44 -05:00
sinn3r
68624dd56e
Final for ie_files_disclosure.rb
2015-03-26 22:49:22 -05:00
sinn3r
b0b17775c2
First working version
2015-03-26 21:53:26 -05:00
Brent Cook
e0568e95c2
Land #4978 @zerosteiner adds reverse https for python meterpreter
2015-03-26 19:16:46 -05:00
sinn3r
955c0557e0
Land #4988 , Relative URL for ms14_064_ole_code_execution
2015-03-26 13:36:37 -05:00
m-1-k-3
d81a246660
target_uri
2015-03-26 12:16:20 +01:00
m-1-k-3
b7f469b747
feedback
2015-03-26 07:39:36 +01:00
Spencer McIntyre
10e8cefd6d
Pymet dont validate ssl certs for 2.7.9/3.4.3
2015-03-25 19:49:42 -04:00
sinn3r
68cb766681
Land #5007 , Ruby 1.9+ syntax
2015-03-25 16:11:53 -05:00
William Vu
632879ceb6
Land #5001 , wp_easycart_privilege_escalation CVE
2015-03-25 13:54:44 -05:00
jvazquez-r7
d84c48cb7d
Use newer hash syntax
2015-03-25 13:39:34 -05:00
jvazquez-r7
72a0909e9b
Land #4992 , @wchen-r7's support for multiple ActiveX controls on BrowserExploitServerMerge
2015-03-25 13:30:36 -05:00
jvazquez-r7
0540e25db2
Calculate the java/rmi/registry/RegistryImpl_Stub hash dinamically
2015-03-25 11:29:07 -05:00
jvazquez-r7
356e8c727c
Add specs for Msf::Java::Rmi::Client::Jmx::Server
2015-03-24 18:56:58 -05:00
rastating
7a0fe05803
Add CVE-ID to module references
2015-03-24 22:30:43 +00:00
Christian Mehlmauer
7bf00f8f47
Land #4789 , @rastating WPLMS wordpress module
2015-03-24 20:46:38 +01:00
jvazquez-r7
39e87f927a
Make code consistent
2015-03-24 11:44:26 -05:00
Tod Beardsley
49a6057f74
Grammaring harder
2015-03-24 11:10:36 -05:00
William Vu
7c456f2ad8
Land #4993 , ams_xfr "payload_exe" NameError fix
2015-03-24 00:51:49 -05:00
sinn3r
8255e7a2dc
Fix #4987 - undef payload_exe for ams_xfr
...
Fix #4987
2015-03-24 00:42:22 -05:00
William Vu
3dac6377d0
Fix #4983 , bad copy pasta'd deprecation year
2015-03-24 00:34:54 -05:00
William Vu
fadac30f00
Fix deprecated year
2015-03-24 00:34:38 -05:00
William Vu
6353154865
Land #4983 , renamed WordPress modules
2015-03-23 23:49:40 -05:00
William Vu
e338b77389
Readd and deprecate renamed WordPress modules
2015-03-23 23:48:56 -05:00
sinn3r
db243a8225
x360_video_player_set_text_bof actually uses SetText for ActiveX
2015-03-23 23:36:20 -05:00
sinn3r
3248f02c2c
These exploits use :activex, so I update the usage for them
2015-03-23 19:34:24 -05:00
jvazquez-r7
04341bfc78
Support JMX_ROLE again
2015-03-23 17:32:26 -05:00
Brent Cook
1869977921
Land #4962 : OJ adjusts MSF to new metsrv needs
...
bump meterpreter bins to 0.0.17
2015-03-23 17:18:06 -05:00
jvazquez-r7
d8d4c23d60
JMX code refactoring
2015-03-23 17:06:51 -05:00
OJ
24d74b26e3
Beginning work for stageless x64 meterpreter
2015-03-24 06:50:06 +10:00
jvazquez-r7
962bb670de
Remove old JMX mixin
2015-03-23 15:48:10 -05:00
andygoblins
89e27d98ab
Use relative URL to GET payload for WinXP
...
Relative URLs are simpler, and allow the exploit to work on attack machines in NAT environments. Example: attack machine is NATed and does not have a DNS hostname. SRVHOST must be 0.0.0.0 but the victim cannot access the attacker from Rex::Socket.source_address
2015-03-23 14:40:06 -05:00
Tod Beardsley
21a97c0926
Add exploit for R7-2015-04, Firefox Proxy RCE
2015-03-23 13:44:41 -05:00
sinn3r
156520338d
Making some changes to how BES handles ActiveX
2015-03-23 12:21:27 -05:00
jvazquez-r7
79068c8ec2
Delete JMX discovery stream
2015-03-23 10:21:37 -05:00
aushack
b191f92713
Renamed WordPress files to fit majority naming convention.
2015-03-23 18:15:04 +11:00
OJ
9c9d333a1b
Create verify ssl mixin, adjust some formatting
2015-03-23 13:21:08 +10:00
jvazquez-r7
2d1adf6ef4
Land #4923 , @m-1-k-3's exploit for overflow on belkin routers
2015-03-22 02:05:35 -05:00
jvazquez-r7
ee74bb3c5b
The default concat operator should be ok
2015-03-22 02:05:02 -05:00
jvazquez-r7
5499b68e02
Do code cleanup
2015-03-22 01:58:32 -05:00
Spencer McIntyre
a407bc8d65
Fix the reverse_https stager CachedSize for the spec
2015-03-21 13:05:44 -04:00
Spencer McIntyre
7282968d8a
Python reverse HTTPS stager
2015-03-21 12:43:14 -04:00
William Vu
07b82ec640
Land #4974 , minishare_get_overflow WfsDelay change
2015-03-20 18:55:58 -05:00
William Vu
859b54f8a3
Land #4956 , Qualys' Exim GHOST module
2015-03-20 18:44:30 -05:00
jvazquez-r7
8c3e39acf0
Land #4847 @rastating's module for WordPress WP EasyCart privilege escalation
2015-03-20 18:23:05 -05:00
jvazquez-r7
349d7cb9ee
Do minor cleanup
2015-03-20 18:20:45 -05:00
Adam Ziaja
921b9eab8e
Update minishare_get_overflow.rb
...
set WfsDelay 30
2015-03-20 23:42:54 +01:00
William Vu
4004771aed
Land #4972 , minishare_get_overflow targets
...
Windows 2003 SP1 English and Windows 2003 SP2 English.
2015-03-20 17:27:34 -05:00
William Vu
6f51946aa0
Land #4969 , GitLab module references
2015-03-20 17:26:51 -05:00
William Vu
99f3de0843
Clean up info hash formatting
2015-03-20 17:26:21 -05:00
Adam Ziaja
505ecd32fb
Update minishare_get_overflow.rb
...
Windows 2003 SP1 English, Windows 2003 SP2 English
2015-03-20 23:09:50 +01:00
jvazquez-r7
1226b3656f
Land #4945 , @wchen-r7's login scanner for Symantec web gateway
2015-03-20 14:44:05 -05:00
jvazquez-r7
2f35fcff99
Fix require
2015-03-20 14:43:42 -05:00
Meatballs
8ee520e749
Add reference
2015-03-20 19:17:34 +00:00
sinn3r
b19f766728
Land #4942 , Gitlab Login Scanner
2015-03-20 13:02:12 -05:00
sinn3r
a2ce14a31e
Land #4941 , Gitlab Unauth User Enumeration
2015-03-20 12:28:35 -05:00
sinn3r
235124a40a
Fix typo
2015-03-20 12:27:23 -05:00
sinn3r
84164b44b2
Should also rescue JSON::ParserError for banner parsing
2015-03-20 12:27:02 -05:00
sinn3r
0c2ed21e90
Land #4318 , Lateral movement through PSRemoting
2015-03-20 11:39:35 -05:00
sinn3r
23d8479683
Fix typo
2015-03-20 11:39:00 -05:00
sinn3r
0da79edb9c
Add a print_status to let the user know the module is over
...
If I have to run the module as a job, sometimes I can't tell if
the module has finished running or not.
2015-03-20 11:35:18 -05:00
sinn3r
1b67a06d35
No banner var
2015-03-20 02:26:59 -05:00
sinn3r
b55ffc9ff1
Change option to FORCE_EXPLOIT
2015-03-20 01:44:10 -05:00
oj@buffered.io
fd4ad9bd2e
Rework changes on top of HD's PR
...
This commit removes duplication, tidies up a couple of things and puts
some common code into the x509 module.
2015-03-20 13:06:57 +10:00
OJ
7b4161bdb4
Update code to handle cert validation properly
...
This code contains duplication from HD's PR. Once his has been landed
this code can be fixed up a bit so that duplication is removed.
2015-03-20 12:52:47 +10:00
William Vu
7eec88c086
Land #4957 , glassfish_login symbol cleanup
2015-03-19 21:20:33 -05:00
jvazquez-r7
b839547dc3
Add documentation for Registry modules and methods
2015-03-19 17:57:21 -05:00
jvazquez-r7
a7f1244251
Finish the java_rmi_registry gather module
2015-03-19 17:33:45 -05:00
sinn3r
94ab2f94fd
Remove symbols that aren't used
...
These symbols belong to the AuthBrute mixin, but we are not using
AuthBrute for login testing.
2015-03-19 14:14:01 -05:00
sinn3r
d8539ef91a
Change datastore option's description
2015-03-19 12:22:42 -05:00
sinn3r
a2ba81f84f
This should be true (required)
2015-03-19 11:54:03 -05:00
sinn3r
d8c8bd1669
Move the details to a wiki
2015-03-19 11:52:17 -05:00
jvazquez-r7
5c3134a616
Add first support to gather information from RMI registries
2015-03-19 11:16:04 -05:00
OJ
7899881416
Update POSIX bins from master
2015-03-19 14:50:14 +10:00
OJ
1a2f35d806
Land #4951 : Dynamic URI generation for Java/Python reverse_http(s)
2015-03-19 12:41:20 +10:00
Spencer McIntyre
076f15f933
Land #4792 @jakxx Publish It PUI file exploit
2015-03-18 20:59:54 -04:00
Spencer McIntyre
3f8ed56a9a
Add available space to the payload info
2015-03-18 20:57:58 -04:00
Meatballs
6ceab3d02d
Add a DisclosureDate
2015-03-18 23:51:18 +00:00
sinn3r
968a8758ad
Add CVE-2015-0235 Exim GHOST (glibc gethostbyname) Buffer Overflow
...
This was originally written by Qualys
2015-03-18 18:51:16 -05:00
joev
b33e7f477c
Land #4947 , h0ng10's TWiki exploit.
2015-03-18 17:17:34 -05:00
HD Moore
346b1d539f
Revert Java back to static size for cache purposes (less cpu usage on startup)
2015-03-18 16:24:01 -05:00
HD Moore
33bbf7cb7e
Dynamic URI generation for python/java http(s) stagers
2015-03-18 16:08:11 -05:00
jvazquez-r7
ae84c8ee30
Delete even more comments
2015-03-18 15:55:52 -05:00
jvazquez-r7
f956ba1a46
Do first JMX cleaning try
2015-03-18 15:37:07 -05:00
rwhitcroft
7ae97393e0
fix x64/reverse_https stager shellcode
2015-03-18 15:34:31 -04:00
OJ
e943cb550f
Land #4585 : CVE-2015-0975 XXE in OpenNMS
2015-03-18 22:34:52 +10:00
OJ
d1a2f58303
Fix of regex for file capture and format tweaks
2015-03-18 22:17:44 +10:00
Hans-Martin Münch (h0ng10)
5dd718e4fa
Better description
2015-03-18 09:51:51 +01:00
Hans-Martin Münch (h0ng10)
00de437918
Initial commit
2015-03-18 09:45:08 +01:00
OJ
fa7242388b
Move the module to the correct location
2015-03-18 18:18:54 +10:00
HD Moore
b62da42927
Merge branch 'master' into feature/add-proxies-to-wininet
2015-03-18 01:51:15 -05:00
HD Moore
c607cf7b11
Merging master
2015-03-18 01:45:44 -05:00
HD Moore
ef443c83b9
Fix overgreed search/replace
2015-03-18 01:21:53 -05:00
HD Moore
f7a06d8e44
Rework PROXY_{HOST|PORT|TYPE|USERNAME|PASSWORD) to the new syntax
2015-03-18 01:15:32 -05:00
HD Moore
87a489907c
Place an IPv6 proxy IP between brackets
2015-03-18 01:01:16 -05:00
HD Moore
259db269bd
Remove user/pass and invalid class from the options
2015-03-18 01:01:16 -05:00
HD Moore
2ab14e7e79
Adds IPv6 and option-related issues with the previous patch
2015-03-18 01:01:10 -05:00
HD Moore
0601946830
Don't mandate and default PROXY_HOST (miscopy from the proxy stager)
2015-03-18 01:00:04 -05:00
HD Moore
85fb534e63
Fix up the offset detection again, cleanup redundant code
2015-03-18 00:59:25 -05:00
HD Moore
2f13988d7b
Use OptPort vs OptInt and cleanup the description
2015-03-18 00:59:25 -05:00
HD Moore
a01be365b0
Rework PROXYHOST/PROXYPORT to PROXY_HOST/PROXY_PORT
...
This also cleans up the windows reverse_https_proxy stager.
2015-03-18 00:59:13 -05:00
jvazquez-r7
14be07a2c4
Update java_rmi_server modules
2015-03-17 21:29:52 -05:00
jakxx
b197b7aaf0
Additional Updates
...
-Removed unused mixin
-Cleaned up Module name
-Cleaned up author name
2015-03-17 19:24:13 -04:00
James Lee
bd4738b93e
Land #4827 , capture and nbns fixups
2015-03-17 17:37:55 -05:00
James Lee
d7fa0ec669
Let IPAddr#hton do the calculating
2015-03-17 17:36:45 -05:00
jakxx
085e6cc815
Implemented Recommended Changes
...
-corrected spelling error
-set only option to required
-dumped header data to included file
-Used Rex for jmp values
2015-03-17 16:39:56 -04:00
jvazquez-r7
1242404085
Delete comment
2015-03-17 14:18:07 -05:00
William Vu
d1d6378179
Land #4566 , Misfortune Cookie scanner improvements
2015-03-17 12:32:35 -05:00
sinn3r
f95b783193
I don't need these eitehr
2015-03-17 11:33:49 -05:00
jvazquez-r7
ebe7ad07b0
Add specs, plus modify java_rmi_server modules
2015-03-17 11:26:27 -05:00
jstnkndy
0490af8ba8
Added error checks, randomness, and uuid delimeter
2015-03-17 10:20:22 -04:00
jstnkndy
f3fc4003d0
typo
2015-03-17 10:19:40 -04:00
jstnkndy
b92d243c0e
Merge branch 'module-cve-2015-0975' of https://github.com/jstnkndy/metasploit-framework into module-cve-2015-0975
2015-03-17 10:18:32 -04:00
jstnkndy
e0a7f531cc
Added error checking, randomness, uuid delimiters
2015-03-17 10:10:51 -04:00
Meatballs
e1ebc6c7fe
Update date, remove URL (will replace later)
2015-03-17 12:50:47 +00:00
Meatballs
0cd85cb052
Correct capitilzation of GitLab
2015-03-17 11:33:57 +00:00
Meatballs
d18224e3cb
Correct capitilzation of GitLab
2015-03-17 11:32:14 +00:00
Meatballs
f4a1e981ab
Add gitlab login scanner
2015-03-17 11:19:23 +00:00
Meatballs
878247f495
Small modifications
2015-03-17 10:03:32 +00:00
Meatballs
f1d5d8f1ce
Store to loot as well
2015-03-17 09:55:28 +00:00
Meatballs
9f40826f8e
Store creds in database
2015-03-17 09:17:08 +00:00
Meatballs
3830e71257
Catch 7.5 401
2015-03-17 09:17:08 +00:00
Meatballs
1b565b0290
Check revision
2015-03-17 09:17:07 +00:00
Meatballs
7216f2a971
Initial commit
2015-03-17 09:17:07 +00:00
sinn3r
14296826f7
A cleaner way to set datastore options
2015-03-17 03:07:49 -05:00
sinn3r
ff58f7d270
Add Symantec Web Gateway Login Module
2015-03-17 02:51:57 -05:00
jvazquez-r7
0a37df67a0
Add initial support for better RMI calls
2015-03-16 23:44:16 -05:00
Brent Cook
abb8a32e68
update spec for dynamic meterpreter payloads
2015-03-16 18:08:13 -05:00
Felix Wehnert
2a525958bd
fixed typo
...
Does no one tested this script on x64 yet ?
2015-03-16 20:15:26 +01:00
HD Moore
2ea984423b
while(true)->loop, use thread.join
2015-03-16 14:08:01 -05:00
William Vu
ac0e23d783
Land #4932 , hardcoded username fix
...
For mssql_escalate_execute_as_sqli.
2015-03-16 01:46:13 -05:00
HD Moore
7e89281485
Adds proxy (with authentication) support to reverse_http(s)
2015-03-16 00:03:31 -05:00
Scott Sutherland
00dbcc12ca
Removed imp_user var from escalate_privs func
2015-03-15 22:02:12 -07:00
nullbind
5bebabb005
fixed hardcoded username
2015-03-15 19:45:02 -05:00
Sven Vetsch
4d3a1a2f71
fix all duplicated keys in modules
2015-03-14 13:10:42 +01:00
jvazquez-r7
bb81107e51
Land #4927 , @wchen-r7's exploit for Flash PCRE CVE-2015-0318
2015-03-13 23:58:05 -05:00
sinn3r
3bfdfbc987
Small changes
2015-03-13 18:55:11 -05:00
jvazquez-r7
1ead57a80d
Land #4928 , @h0ng10's local exploit for iPass Mobile Client
2015-03-13 16:58:45 -05:00
jvazquez-r7
9894a3dc54
Change module filename
2015-03-13 16:53:17 -05:00
jvazquez-r7
b4de3ce42b
Do minor cleanup
2015-03-13 16:52:26 -05:00
Hans-Martin Münch (h0ng10)
b0e730d5ae
Typo
2015-03-13 20:41:14 +01:00
Hans-Martin Münch (h0ng10)
726f01b8cc
Initial version
2015-03-13 20:33:45 +01:00
sinn3r
182850df30
Stick to Win 7
2015-03-13 12:41:05 -05:00
sinn3r
2b199315d4
Final
2015-03-13 12:30:41 -05:00
Brent Cook
b68e05e536
Land #4914 , @hmoore-r7 and @BorjaMerino winhttp stagers
2015-03-13 08:24:11 -05:00
OJ
35cfdf051a
Add support for meterpreter_reverse_ipv6_tcp
...
New payload added, makes use of existing functionality.
2015-03-13 20:15:31 +10:00
William Vu
a32cd2ae9e
Land #4877 , CVE-2015-0240 (Samba) aux module
2015-03-13 00:03:53 -05:00
scriptjunkie
6011e8b3e1
Land #4918 , Rework how payload prepends work
2015-03-12 18:56:04 -05:00
jvazquez-r7
75b2ef81dc
Land #4890 , @julianvilas's improvements struts_code_exec_classloader
2015-03-12 17:25:00 -05:00
jvazquez-r7
b6146b1499
Use print_warning
2015-03-12 17:22:03 -05:00
jvazquez-r7
e035e6ce51
Land #4899 , @h0ng10's exploit for iPass Open Mobile CVE-2015-0925
2015-03-12 16:42:52 -05:00
jvazquez-r7
7b7ebc20d7
Fix indentation
2015-03-12 16:41:41 -05:00
jvazquez-r7
da47d368e8
Do minor style cleaning
2015-03-12 16:35:48 -05:00
jvazquez-r7
a77078b555
Add X86 target
2015-03-12 16:34:44 -05:00
jvazquez-r7
1b20bc9dca
Land #4919 , @wchen-r7's new reference for ie_uxss_injection
2015-03-12 15:30:37 -05:00
HD Moore
b43893ad71
Lands #4903 , corrects the return value used for the script path
2015-03-12 14:05:22 -05:00
m-1-k-3
819a49b28a
msftidy again
2015-03-12 19:09:52 +01:00
m-1-k-3
2eab258a76
msftidy
2015-03-12 19:07:56 +01:00
m-1-k-3
ccf7314c8f
msftidy
2015-03-12 19:05:21 +01:00
m-1-k-3
6fcab31997
ncc exploit CVE-2015-1187 - dir626l
2015-03-12 18:55:50 +01:00
sinn3r
220a26c5a4
Land #4907 , CVE-2015-1427, elasticsearch groovy code injection
2015-03-12 11:28:24 -05:00
sinn3r
ac24652196
Land #4911 , CVE-2015-0096 (ms15_020_shortcut_icon_dllloader)
2015-03-12 10:51:56 -05:00
sinn3r
67d05f9354
Add the PR as a reference (how to guide)
2015-03-12 10:51:01 -05:00
sinn3r
0d36115112
Update MS15-018 MSB reference
2015-03-12 10:13:37 -05:00
HD Moore
744b1a680e
Reworks how payload prepends work internally, see #1674
2015-03-12 02:30:06 -05:00
HD Moore
f676dc03c8
Lands #4849 , prevents the target from running out of memory during NTFS reads
2015-03-12 00:01:47 -05:00
jvazquez-r7
68d69177ad
Add smb module for MS15-020
2015-03-11 23:46:50 -05:00
HD Moore
24440b8c38
Lands #4913 , adds OSVDB reference to nvidia module
2015-03-11 23:32:22 -05:00
jvazquez-r7
a9fa2d25aa
Add SMB module for MS10-046
2015-03-11 23:23:56 -05:00
OJ
345b5cc8e1
Add stageless meterpreter support
...
This commit adds plumbing which allows for the creation of stageless
meterpreter payloads that include extensions. The included transprots at
this point are bind_tcp, reverse_tcp and reverse_https, all x86.
More coming for x64. Will also validate http soon.
2015-03-12 13:22:04 +10:00
HD Moore
c3f2536ef6
Make the stager clear in the payload descriptions
2015-03-11 21:30:02 -05:00
HD Moore
b105a88b95
Fix https convention
2015-03-11 21:26:31 -05:00
HD Moore
8bae58d631
Updated cache sizes
2015-03-11 21:25:12 -05:00
Tod Beardsley
99494328d2
Update Nvidia module with an OSVDB ref
...
The paper is really good, but could use a more traditional reference.
[See #4884 ]
2015-03-11 19:51:22 -05:00
jvazquez-r7
0e4e264325
Redo description
2015-03-11 18:19:28 -05:00
jvazquez-r7
4e6aca0209
refactor create_exploit_file
2015-03-11 18:13:09 -05:00
jvazquez-r7
5662e5c5a6
Add module for MS15-020
2015-03-11 17:29:02 -05:00
HD Moore
1135e5e073
First take on WinHTTP stagers, untested
2015-03-11 16:27:14 -05:00
HD Moore
7e3b4017f0
Rename and resynced with master, ready for refactoring
2015-03-11 14:36:27 -05:00
HD Moore
ea1bc69e2e
Merge branch 'master' into feature/add-reverse_winhttp-stagers
2015-03-11 14:29:34 -05:00
sinn3r
215c209f88
Land #4901 , CVE-2014-0311, Flash ByteArray Uncompress UAF
2015-03-11 14:04:17 -05:00
sinn3r
43b90610b1
Temp
2015-03-11 13:53:34 -05:00
Brent Cook
ceeee4446f
Land #4904 , @hmoore-r7 reworks reverse_http/s stagers
...
They are now assembled dynamically and support more flexible options,
such as long URLs.
2015-03-11 10:41:59 -05:00
sinn3r
2a9d6e64e2
Starting point for CVE-2015-0318
2015-03-11 09:58:41 -05:00
HD Moore
ad39adf9c2
Missing comma
2015-03-11 00:49:07 -05:00
HD Moore
a89926b663
Exclude vncinject from http stagers (depends on sockedi)
2015-03-11 00:46:04 -05:00
jvazquez-r7
8a452a7cba
Do somce cleanup
2015-03-10 17:10:44 -05:00
Brent Cook
9ade107325
disable reverse_http methods from upexec and shell payloads
...
These don't work over http and don't appear to have ever, as far back as
I could test. They appear to be an accident perhaps.
2015-03-10 17:08:58 -05:00
jvazquez-r7
4a84693fb0
Support windows
2015-03-10 16:58:33 -05:00
jvazquez-r7
c26bea3429
Fix credits
2015-03-10 16:27:07 -05:00
jvazquez-r7
980c83cb70
Fix metadata
2015-03-10 16:25:02 -05:00
jvazquez-r7
9e17874389
Exploit CVE-2015-1427
2015-03-10 16:17:51 -05:00
HD Moore
db351317a5
Merge with PR branch
2015-03-10 14:08:35 -05:00
HD Moore
0f763c2cb3
First step to reworking the winhttp stagers
2015-03-10 14:07:25 -05:00
Borja Merino
991e72a4fa
HTTP stager based on WinHttp
2015-03-10 13:40:16 -05:00
HD Moore
966848127a
Refactor x86 Windows reverse_http and reverse_https stagers
2015-03-10 12:48:30 -05:00
m-1-k-3
64f769504b
encoding
2015-03-10 17:47:15 +01:00
m-1-k-3
6657c7d11d
Belkin - CVE-2014-1635
2015-03-10 16:49:51 +01:00
jvazquez-r7
f8f178b1db
Fix script_mvel_rce check
2015-03-10 09:39:02 -05:00
jvazquez-r7
9dc99e4207
Update check
2015-03-10 09:26:22 -05:00
Sigurd Jervelund Hansen
c6cb1e840d
Fixes persistence module by revering changes to the value returned by the write_script_to_target function, which screws up the path that is used for startup. Currently an escaped path "C://Users//..." is being used instead of using windows standards "C:\Users\...".
2015-03-10 10:26:03 +01:00
Brent Cook
97f09b6ab0
Land #4894 : hmoore-r7 cache payload sizes on start
...
Avoid the hit of regenerating all of the static-size payloads when
loading the framework. This will facilitate conversion of payloads to
use metasm later.
2015-03-09 23:06:55 -05:00
jvazquez-r7
fc4b312879
Add template
2015-03-09 23:04:32 -05:00
Julian Vilas
fe822f8d33
Modify automatic file cleanup
2015-03-10 00:45:20 +01:00
Julian Vilas
0ef303cb6c
Fix Java payload
2015-03-10 00:01:27 +01:00
HD Moore
618fbf075a
Update CachedSize for the fixed stager
2015-03-09 16:57:14 -05:00
HD Moore
746f18d9bb
Fallback to a localhost variant to make the length predictable
2015-03-09 16:56:25 -05:00
jvazquez-r7
78167c3bb8
Use single quotes when possible
2015-03-09 16:55:21 -05:00
HD Moore
6543c3c36f
Update CachedSize for the fixed stager
2015-03-09 16:54:57 -05:00
HD Moore
c676ac1499
Fallback to a localhost variant to make the length predictable
2015-03-09 16:53:28 -05:00
jvazquez-r7
cb72b26874
Add module for CVE-2014-0311
2015-03-09 16:52:23 -05:00
HD Moore
d0324e8ad3
Final cleanup, passing specs
2015-03-09 15:50:57 -05:00
HD Moore
da81f6b2a0
Correct the :dynamic cache sizes
2015-03-09 15:44:14 -05:00
HD Moore
02509d02e4
The result of running ./tools/update_payload_cached_sizes.rb
2015-03-09 15:31:04 -05:00
Hans-Martin Münch (h0ng10)
bba4223d68
Initial commit
2015-03-09 16:36:11 +01:00
Tod Beardsley
df80d56fda
Land #4898 , prefer URI to open-uri
2015-03-09 09:14:10 -05:00
William Vu
3075c56064
Fix "response HTML" message
...
In modules/exploits/multi/browser/firefox_xpi_bootstrapped_addon.rb.
2015-03-07 17:08:08 -06:00
Julian Vilas
2eb0011a99
Autotrigger JSP shell at docBase
2015-03-07 20:41:08 +01:00
Julian Vilas
3be2bde5a2
Use bypass for bulletin S2-020
2015-03-07 19:14:20 +01:00
root
5b25ba5df3
moved array definition to avoid error
2015-03-07 12:57:44 -05:00
root
fac777da3d
brocade_enable_login msftidy success
2015-03-06 20:33:09 -05:00
joev
ccd0712d43
Use ===, doh.
2015-03-06 12:29:34 -06:00
joev
fefd4e271a
Don't hardcode the hex.
2015-03-06 12:16:03 -06:00
root
591716e557
brocade enable command bruteforcer
2015-03-06 09:41:14 -05:00
joev
3fb4fbe8e6
Add 'not allowed' check instead of magic check.
2015-03-06 00:01:31 -06:00
joev
7db3277731
Actually hide the iframe.
2015-03-05 23:52:29 -06:00
joev
d7295959ca
Remove open-uri usage in msf.
2015-03-05 23:45:28 -06:00
joev
3c5d7b3ef0
Okay, putting source code in a quoted string is horrible.
2015-03-05 23:25:37 -06:00
jvazquez-r7
2134cc3d22
Modify description
2015-03-05 16:55:24 -06:00
jvazquez-r7
7b4776ee79
Deregister FOLDER_NAME
2015-03-05 16:42:07 -06:00
jvazquez-r7
1bc81ea723
Merge #4884 into updated master
2015-03-05 16:41:15 -06:00
Meatballs
33f089b1a5
Tidyup
2015-03-05 21:50:12 +00:00
jvazquez-r7
9f3f8bb727
Merging #3323 work
2015-03-05 15:44:15 -06:00
jvazquez-r7
c388fd49c2
Fix print message
2015-03-05 15:43:54 -06:00
jvazquez-r7
dd2559b748
Favor new target over new module
2015-03-05 15:41:53 -06:00
jvazquez-r7
e1a4b046a0
Add support for tomcat 7 to struts_code_exec_classloader
2015-03-05 15:40:24 -06:00
Meatballs
c56679f33e
Modify for new SMB mixin
2015-03-05 21:26:13 +00:00
Tod Beardsley
e429d4c04f
Add reference and description for PTH on Postgres
...
Dave and William did most of the work already over on PR #4871 , this
just points it out in the module.
2015-03-05 14:36:56 -06:00
sinn3r
16c86227e2
Change to OptBool and default to explicit
2015-03-05 13:07:03 -06:00
jvazquez-r7
de08d8247b
Do some module cleanup
2015-03-05 13:00:01 -06:00
jvazquez-r7
82659aba93
Populate metadata from code to make test easier
2015-03-05 12:40:20 -06:00
jvazquez-r7
dc02f8332f
Pass msftidy
2015-03-05 12:29:31 -06:00
jvazquez-r7
a06eb04d59
Deregister FOLDER_NAME on exploit modules
2015-03-05 12:27:12 -06:00
sinn3r
cb9922ad39
Land #4874 , Add PHPMoAdmin command injection
2015-03-05 11:30:44 -06:00
sinn3r
8978b1d7b5
Add a version
2015-03-05 11:29:44 -06:00
Ricardo Almeida
32188f09d6
Update phpmoadmin_exec.rb
...
Changes:
Added required comment at the top of the file;
Changed Class name "Metasploit3" >> "Metasploit4";
Standard name/email format for public PoC author.
2015-03-05 12:56:08 +00:00
Ricardo Almeida
95962aab0d
Update phpmoadmin_exec.rb
...
Changes:
"Check if vulnerable" code improvement;
Payload delivery code improvement;
Minor indent issues.
Thanks for your feedback guys :)
2015-03-05 12:46:53 +00:00
aushack
2f4df39dc9
Fixed typo
2015-03-05 17:40:51 +11:00
sinn3r
d40e7485dd
Add CVE-2015-0240 auxiliary module
2015-03-04 23:50:14 -06:00
jvazquez-r7
e715eaba58
Update description
2015-03-04 16:39:27 -06:00
jvazquez-r7
e155f2998e
Change module filename
2015-03-04 16:38:08 -06:00
jvazquez-r7
77abd57397
Do code cleanup
2015-03-04 16:37:31 -06:00
jvazquez-r7
22ff4d0097
Update with master changes
2015-03-04 16:30:19 -06:00
jvazquez-r7
e7de09df29
Change module filename
2015-03-04 16:18:45 -06:00
jvazquez-r7
1337b7ace8
Clean module
2015-03-04 16:18:10 -06:00
Ricardo Almeida
9530e15c81
Update phpmoadmin_exec.rb
...
Changes:
Changed description section;
Changed 'URL' to 'EDB' in references section;
Added newline at the end.
2015-03-04 21:59:08 +00:00
jvazquez-r7
d4738d8c0a
Update #3076 branch
2015-03-04 15:51:00 -06:00
Ricardo Almeida
c19895ac85
Update phpmoadmin_exec.rb
...
Changes:
Added new URL;
Added CVE number;
Corrected the disclosure date;
Corrected the normalize_uri() function syntax.
2015-03-04 21:31:44 +00:00
jvazquez-r7
5cc9ea3618
Update with master changes
2015-03-04 15:16:12 -06:00
William Vu
a64dd4a1af
Land #4871 , Postgres PTH support
...
MSP-12244
2015-03-04 15:08:57 -06:00
David Maloney
2d46c06b97
Merge branch 'master' into feature/MSP-12244/postgres-pass-the-hash
2015-03-04 13:56:10 -06:00
jvazquez-r7
fa9d921138
Beautify description
2015-03-04 13:07:10 -06:00
jvazquez-r7
8fdb7a798e
Change module filename
2015-03-04 13:01:06 -06:00
jvazquez-r7
36375fab28
Fix downcase path handling
2015-03-04 12:58:41 -06:00
jvazquez-r7
62dde22d88
Clean packet building
2015-03-04 12:27:58 -06:00
Ricardo Almeida
4d67e0e1bb
Add PHPMoAdmin RCE
2015-03-04 18:17:31 +00:00
jvazquez-r7
e04ff3ee24
Delete CMD option
2015-03-04 11:51:58 -06:00
jvazquez-r7
d4337ce1ae
Do minor metadata cleanup
2015-03-04 11:46:01 -06:00
jvazquez-r7
1371cfe025
Test landing #4451
2015-03-04 11:20:07 -06:00
jvazquez-r7
aaab4b401a
Fix indenting and use primer
2015-03-04 10:46:34 -06:00
jvazquez-r7
0e57277dc1
Do cleanup
2015-03-04 10:33:57 -06:00
jvazquez-r7
b9ed8178a9
Solve conflicts on ms13_071_theme
2015-03-04 10:28:52 -06:00
Matthew Hall
4757698c15
Modify primer to utilise file_contents macro.
2015-03-04 09:52:00 +00:00
Matthew Hall
a90ebfe9a7
Modify primer to utilise file_contents macro.
2015-03-04 09:51:32 +00:00