7996c4b048
Warning about leaving files on disk.
2016-09-30 14:53:15 -04:00
3e4a23cdf6
Removed unnecessary require statement.
2016-09-30 14:51:43 -04:00
ac76c3591a
reference urls
2016-09-29 22:43:00 -05:00
5929d72266
CVE-2016-6415 - cisco_ike_benigncertain.rb
2016-09-29 22:25:57 -05:00
f7e588cdeb
Initial commit of module.
2016-09-28 14:55:32 -04:00
b9de73e803
Land #7334 , Add aux module to exploit WINDOWS based (java) Colorado
...
FTP server directory traversal
2016-09-26 14:15:23 -05:00
df28e2a85e
Add credit to wwebb-r7 for the initial module and ASA hacking notes
2016-09-24 05:48:31 -04:00
cd4299b3a2
Added offsets for version 9.2(4)14
...
This version of the ASA is patched and our offsets do not work currently. We may do more work on this to find a solution.
2016-09-23 16:57:08 -06:00
087e9461ce
Added offsets for version 9.2(4)13
2016-09-23 16:50:50 -06:00
3f985d94d7
Added offsets for version 8.4(6)5
2016-09-23 16:32:42 -06:00
352946d8f5
Added offsets for version 8.4(4)9
2016-09-23 16:19:36 -06:00
368fd1a77f
Added offsets for version 8.4(4)5
2016-09-23 16:07:42 -06:00
19fe09318a
Added offsets for version 8.4(4)3
2016-09-23 15:56:02 -06:00
8840af0e90
Added offsets for version 8.4(4)1
2016-09-23 15:44:39 -06:00
19caff2293
Added offsets for 8.3(2)40
2016-09-23 15:26:02 -06:00
ba4505bcce
Added offsets for version 8.3(2)39
2016-09-23 15:05:39 -06:00
64df7b0524
Added offsets for verion 8.3(2)-npe
...
We currently can't distinguish between 8.3(2) and 8.3(2)-npe versions from the SNMP strings. We've commented out the 8.3(2)-npe offsets, but in the future, we'd like to incorporate this version.
2016-09-23 14:49:57 -06:00
926e5fab9e
Added offsets for version 8.2(5)41
2016-09-23 14:00:23 -06:00
b4d3e8ea3e
Added offsets for version 9.2(1)
2016-09-23 13:52:13 -06:00
d36e16fc32
Added offsets for version 8.2(5)33
2016-09-23 13:15:39 -06:00
f19ed4376b
Adding new version offsets
2016-09-23 12:57:36 -06:00
2fab62b14d
Update profinet_siemens.rb
...
Removed unnecessary rescue, gave "timeout" variable a better name.
2016-09-23 18:05:45 +02:00
98cf5d8eb5
Changed 'build_offsets' to 'build_payload'
2016-09-23 09:32:17 -06:00
1868371ba7
fix merge conflicts
2016-09-23 14:49:36 +00:00
2591d0b7c6
numerous fixes as per @busterb
2016-09-23 14:46:40 +00:00
dda6b67928
Added basic error handling for unsupported ASA versions
2016-09-22 18:24:25 -06:00
cf070853e9
Moved required datastore option into constructor
2016-09-22 18:08:35 -06:00
df25f07b34
Replaced '+=' with '<<'
2016-09-22 17:53:28 -06:00
f525c24a9f
Added offsets for 8.4(7)
2016-09-22 17:16:37 -06:00
28a09c2d13
stupid comment
2016-09-22 22:57:42 +00:00
7762f42dfa
Added offsets for 8.3(1)
2016-09-22 16:17:37 -06:00
064aed858b
Added RiskSense contributor repo to references
2016-09-22 16:10:30 -06:00
961524d648
Adding offsets for 9.1(1)4
2016-09-22 16:04:44 -06:00
4e9459d876
Added offsets for 9.0(1)
2016-09-22 15:35:59 -06:00
5ca6563c8f
Fixed problem with 9.2(2)8 offsets
2016-09-22 15:24:49 -06:00
b77adc97f0
Removing redundant version check
2016-09-22 15:05:42 -06:00
c22a2a19e8
Added offsets for 9.2(2)8
2016-09-22 14:59:49 -06:00
e8d1f6d5a0
Added offsets for 8.2(3)
2016-09-22 14:38:52 -06:00
a0ba8b7401
Fix whitespace per msftidy
2016-09-22 14:25:04 -06:00
022189c075
Added offsets for 8.4(3)
2016-09-22 14:12:33 -06:00
4288c3fb46
added always_return_true variable
2016-09-22 19:44:55 +00:00
c18045128a
Replaced global vars, made 'patched_code' value static
2016-09-22 13:42:23 -06:00
3c7fc49788
Added module auxiliary/admin/cisco/cisco_asa_extrabacon
...
This module patches the authentication functions of a Cisco ASA
to allow uncredentialed logins. Uses improved shellcode for payload.
2016-09-22 18:06:03 +00:00
88cef32ea4
Land #7339 , SSH module fixes from net:ssh updates
2016-09-22 00:27:32 -05:00
a9a1146155
fix more ssh option hashes
2016-09-20 01:30:35 -05:00
e315ec4e73
Merge branch 'master' into bug/7321/fix-ssh-modules
2016-09-19 15:27:37 -05:00
06ff7303a6
make pubkey verifier work with old module
...
make the new pubkey verifier class and
the old identify_pubkeys aux module work
together
7321
2016-09-19 15:20:35 -05:00
3f5ed75198
Relocate Rex::Platform:Windows content (fixes MS-1714)
2016-09-19 14:34:44 -05:00
9c922d111f
colorado ftp
2016-09-18 20:03:16 -04:00
4ba1ed2e00
Fix formatting in fortinet_backdoor
...
Also add :config and :use_agent options.
2016-09-16 12:32:30 -05:00
26491eed1a
pass the public key in as a file instead of data
...
when using key_data it seems to assume it is a private
key now. the initial key parsing error can be bypassed
by doing this
7321
2016-09-16 11:48:51 -05:00
dfcd5742c1
some more minor fixes
...
some more minor fixes around broken
ssh modules
7321
2016-09-15 14:25:17 -05:00
e10c133eef
fix the exagrid exploit module
...
split the exagrid exploit module up and
refactor to be able to easily tell if the
key or the password was used
7321
2016-09-15 11:44:19 -05:00
cac890a797
Land #7308 , disclosure date additions
2016-09-13 23:16:30 -05:00
e4e6f5daac
Fix indentation
2016-09-13 23:15:37 -05:00
d73531c0d3
added disclosure dates
2016-09-13 20:37:04 -04:00
7352029497
first round of SSL damage fixes
2016-09-13 17:42:31 -05:00
245237d650
Land #7288 , Add LoginScannerfor Octopus Deploy server
2016-09-13 17:26:56 -05:00
4d49f7140c
update links and CVE on webnms_file_download
2016-09-13 18:50:53 +01:00
8b90df8b67
update links and CVE on webnms_cred_disclosure
2016-09-13 18:49:58 +01:00
8df8f7dda0
Initial commit of profinet_siemens.rb
2016-09-11 09:15:41 +02:00
a81f351cb3
Land #7274 , Remove deprecated modules
2016-09-09 12:01:59 -05:00
1d4b0de560
Land #6616 , Added an Outlook EWS NTLM login module.
2016-09-09 11:43:52 -05:00
a30711ddcd
Land #7279 , Use the rubyntlm gem (again)
2016-09-07 16:33:35 -05:00
7632c74aba
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2016-09-07 14:15:57 +10:00
6e21684ff7
Fix typo.
2016-09-07 14:08:46 +10:00
dcf0d74428
Adding module to scan for Octopus Deploy server
...
This module tries to log into one or more Octopus Deploy servers.
More information about Octopus Deploy:
https://octopus.com
2016-09-06 20:52:49 -05:00
fed2ed444f
Remove deprecated modules
...
psexec_psh is undeprecated because users have been reporting
idiosyncrasies between it and psexec in the field.
2016-09-03 12:43:01 -05:00
81bc6bd672
Land #7228 , Create zabbix_toggleids_sqli auxiliary module
2016-09-01 16:33:17 -05:00
b0e45341e5
Update redis file_upload to optionally FLUSHALL before writing
...
This increases the chances that the uploaded file will be usable as-is
rather than being surround by the data in redis itself.
2016-08-31 14:27:18 -07:00
874fec4e31
Update zabbix_toggleids_sqli.rb
2016-08-31 17:23:16 -04:00
d43380330e
Update zabbix_toggleids_sqli.rb
2016-08-31 17:18:28 -04:00
b21ea2ba3f
Added code to assign CPORT value to the parent scanner object
2016-08-29 13:17:10 -05:00
226ded8d7e
Land #6921 , Support basic and form auth at the same time
2016-08-25 16:31:26 -05:00
cd858a149f
Add DETECT_ANY_AUTH to make bogus login optional
2016-08-23 23:05:47 -05:00
38a8d21e5b
Update zabbix_toggleids_sqli.rb
2016-08-22 18:57:25 -05:00
6b9635d7a5
Rename zabbix_toggleids_sqli to zabbix_toggleids_sqli.rb
2016-08-22 18:52:16 -05:00
20947cd6cd
remove old dependency on net-ssh moneykpatch
...
the ssh_login_pubkey scanner relied on functionality that
was monkeypatched into our vendored copy. this was an uneeded solution
in the first palce, and we now use a more sane method of accomplishing
the same thing
2016-08-22 10:54:09 -05:00
2abf71a3ac
Create zabbix_toggleids_sqli
2016-08-21 12:43:20 -05:00
5f8ef6682a
Fix #7202 , Make print_brute print ip:rport if available
...
Fix #7202
2016-08-16 15:34:30 -05:00
1e7663c704
Land #7200 , Rex::Ui::Text cleanup
2016-08-12 16:22:55 -05:00
c2c05a820a
Force uripath and srvport options
2016-08-10 18:25:45 -05:00
e56e801c12
Update ie_sandbox_findfiles.rb
2016-08-10 18:09:58 -05:00
eb73a6914d
replace old rex::ui::text::table refs
...
everywhere we called the class we have now rewritten it
to use the new namespace
MS-1875
2016-08-10 13:30:09 -05:00
87b27951cf
Fixed some build errors
2016-08-09 20:46:49 +02:00
79a84fb320
Internet Explorer iframe sandbox local file name disclosure vulnerability
...
It was found that Internet Explorer allows the disclosure of local file
names. This issue exists due to the fact that Internet Explorer behaves
different for file:// URLs pointing to existing and non-existent files.
When used in combination with HTML5 sandbox iframes it is possible to
use this behavior to find out if a local file exists. This technique
only works on Internet Explorer 10 & 11 since these support the HTML5
sandbox. Also it is not possible to do this from a regular website as
file:// URLs are blocked all together. The attack must be performed
locally (works with Internet zone Mark of the Web) or from a share.
2016-08-09 20:35:42 +02:00
de16a6d536
Land #7182 , Nuuo / Netgear Surveillance admin password reset module
2016-08-08 16:10:30 -05:00
7ca7682d17
Fix whitespace error from msftidy
2016-08-08 17:57:03 +01:00
106f26587e
Add bugtraq reference
2016-08-05 21:52:46 +01:00
036d0502db
Add github link
2016-08-04 17:38:45 +01:00
ec67db03f1
add exploit for CVE 2016-5676
2016-08-04 16:56:16 +01:00
554a0c5ad7
Deprecate nbname_probe, which duplicate nbname as of 77cd6dbc8b
2016-08-02 17:36:22 -07:00
e699d3f05b
Fix empty output in nbns_response
...
Normally, the module prints nothing unless VERBOSE is true. In practice,
we at least want to see responded-to hosts. We leave details to be
printed when VERBOSE is set.
2016-07-31 09:47:19 -07:00
cce1ae6026
Fix #6989 , scanner modules printing RHOST in progress messages
...
Fix #6989
2016-07-25 23:15:59 -05:00
ff63e6e05a
Land #7018 , unvendor net-ssh
2016-07-19 17:06:35 -05:00
b08d1ad8d8
Revert "Land #6812 , remove broken OSVDB references"
...
This reverts commit 2b016e02167b1d9596c7
2016-07-15 12:00:31 -05:00
b6b52952f4
set ssh to non-interactive
...
have to set the non-interactive flag so that it does not
prompt the user on an incorrect password
MS-1688
2016-07-14 11:12:03 -05:00
01d0d1702b
Merge branch 'master' into feature/MS-1688/net-ssh-cleanup
2016-07-14 09:48:28 -05:00
9862a2fc25
Land #7080 , Updated docs and made enhancements for Netgear soap password extractor
2016-07-13 14:30:46 -07:00
2b016e0216
Land #6812 , remove broken OSVDB references
2016-07-11 22:59:11 -05:00
627fffdb08
Land #7089 , correct usage of OptPort and OptRegex
2016-07-11 22:13:27 -05:00
128f802928
use the regex source when generating or displaying a regex
2016-07-11 22:05:50 -05:00
963437d5e7
Land #7063 , Add module for WebNMS 5.2 Arbitrary File Download
2016-07-11 10:05:21 -07:00
c2a5da08af
Land #7064 , Add moule to steal creds from WebNMS 5.2
2016-07-11 06:38:50 -07:00
fdce5bc30c
add disclosure date
2016-07-09 09:30:00 -04:00
bbe4162320
Added error checking and some suggested style changes
2016-07-08 08:27:56 -07:00
cfb56211e7
Revert "Revert "Land #7009 , egypt's rubyntlm cleanup""
...
This reverts commit 1164c025a2
2016-07-07 15:00:41 -05:00
09dcd1dade
Added version check and error handling, changed regex to ruby syntax.
...
Also made a few syntax changes to placate rubocop.
2016-07-07 10:35:18 -07:00
892f354ece
give me some credit
2016-07-06 21:39:45 -04:00
47cf6d5edf
better docs, extract more data
2016-07-06 21:28:57 -04:00
1164c025a2
Revert "Land #7009 , egypt's rubyntlm cleanup"
...
This reverts commit d90f0779f8e3e360cc83
2016-07-05 15:22:44 -05:00
5f9f3259f8
Merge branch 'master' into feature/MS-1688/net-ssh-cleanup
2016-07-05 10:48:38 -05:00
54dfcee665
Land #7055 , add netgear_soap_password_extractor docs
2016-07-04 23:59:10 -05:00
ec4769fade
Create exploit for WebNMS credential disclosure
2016-07-04 21:15:15 +01:00
05ef5316df
Create exploit for WebNMS arbitrary file download
2016-07-04 21:10:14 +01:00
844c13dc17
added new vuln device to netgear list, plus docs
2016-07-01 18:32:30 -04:00
159446ce92
Ensure http_login scanner module saves passwds.
...
Fixes #6983 . When the auxiliary/scanner/http/http_login module discovers a successful basic auth user+password combination, make sure we properly store the password by specifically telling the credentials gem that the private data we're storing is a :password.
2016-06-30 16:58:39 -05:00
3d93c55174
move sshfactory into a mixin method
...
use a convience method to DRY up creation
of the SSHFactory inside modules. This will make it easier
to apply changes as needed in future. Also changed msframework attr
to just framework as per our normal convention
MS-1688
2016-06-28 15:23:12 -05:00
4e63591ce8
Use the proper Author key, not Authors
2016-06-28 15:21:19 -05:00
ee2d1d4fdc
Merge branch 'master' into feature/MS-1688/net-ssh-cleanup
2016-06-28 15:00:35 -05:00
97f9ca4028
Merge branch 'master' into egypt/ruby-ntlm
2016-06-28 14:14:56 -05:00
409e26351b
remove test module
...
sponge left in patient
2016-06-24 15:12:47 -05:00
6c3871bd0c
update ssh modules to use new SSHFactory
...
updated all of our SSh based module to use the
new SSHFactory class to plug Rex::Sockets into
Net::SSH
MS-1688
2016-06-24 13:55:28 -05:00
5bc513d6cd
get ssh sessions working properly
...
ssh sessions now working correctly
MD-1688
2016-06-24 12:14:48 -05:00
9f280d714e
Land #6994 , NetBIOS Name Brute Force Spoofing modules
2016-06-23 17:54:51 -05:00
048741660c
Land #6980 , Add ClamAV Remote Command Transmitter
2016-06-22 15:50:45 -05:00
3e94abe555
put net:ssh::commandstream back
...
this was apparently our own creation for doing
ssh sessions
MD-1688
2016-06-22 15:02:36 -05:00
6072697126
continued
2016-06-22 14:54:00 -05:00
140621ad9b
start to move to canonical net-ssh
...
removed vendored net::ssh
pulled in net:ssh gem
made Rex::Socket::SSHFactory clas to bridge rex sockets in
Renamed getpeername to getpeername-as_array to not override
core socket behaviour
MS-1688
2016-06-22 14:52:33 -05:00
07f7e5e148
Convert non-loginscanner MSSQL to rubyntlm
2016-06-22 10:15:22 -05:00
3f9d0630ce
Merge remote-tracking branch 'upstream/pr/6955' into land-6955
2016-06-20 13:14:37 -05:00
c816af1e4d
Merge remote-tracking branch 'upstream/pr/6955' into land-6955
2016-06-20 12:00:19 -05:00
856a4c7684
Reference BadTunnel (appropriate for the nat module)
2016-06-19 20:50:12 -05:00
a84614f2c0
Whitespace only
2016-06-19 18:44:32 -05:00
ce7c6496dd
Rework to clarify that this a brute force spoof, unrelated to BadTunnel
2016-06-19 13:36:39 -05:00
0fa1fc50f8
Fixed false positive bug
...
Checking for "(ERROR_STACK=(ERROR=" is not enough to mark a target as vulnerable. TNS response packet bytes for "Accept" and "Refuse" are required to be sure.
Reference: https://thesprawl.org/research/oracle-tns-protocol/
2016-06-19 17:33:05 +05:30
6507e520c7
Cleanups, addition of a 'direct' module
2016-06-18 15:37:54 -05:00
d8f6be0a3f
Silly typo [cosmetic]
2016-06-18 14:34:49 -05:00
b4af7eb039
Remove useless include
2016-06-18 01:31:55 -05:00
3aff0050ee
Whitespace
2016-06-18 01:24:45 -05:00
01a951d5aa
Add references & credit
2016-06-18 01:23:49 -05:00
5405b0f3db
clarified attack failure error message
2016-06-18 04:31:58 +02:00
c02a05f913
Removed code that was already commented out
2016-06-17 15:47:15 -05:00
1225a93179
Moved ClamAV scanner to scanning module
...
s
2016-06-17 15:40:33 -05:00
c130495968
Updated logging, but still probably wrong.
2016-06-17 13:31:24 -05:00
813777a8e4
Cleaned up the code a little after trying to fix ip printing issues.
2016-06-17 13:09:03 -05:00
fee54b4a5a
Changed the module to support scanning
2016-06-17 13:03:28 -05:00
0af2fa7164
Add a module for the 'BadTunnel' vulnerability
2016-06-17 03:06:04 -05:00
050b604e77
Fixed the syntax error
2016-06-15 21:45:52 -05:00
0e5c5559cf
Updated documentation and printing per suggestions
2016-06-15 21:32:53 -05:00
Stephen Haywood
nixawk
Brendan
Brent Cook
TheNaterz
Tijl Deneut
zerosum0x0
Jenna Magius
David Maloney
Pearce Barry
h00die
William Vu
wchen-r7
Pedro Ribeiro
aushack
james-otten
Jon Hart
Brandon Perry
Yorick Koster
Yorick Koster
James Lee
thao doan
h00die
William Webb
HD Moore
Interference Security
samvartaka