Commit Graph

6010 Commits (8fd517f9ef2c9866e2c0f4b915fbc1180543f4cf)

Author SHA1 Message Date
Ramon de C Valle 21661b168b Add cfme_manageiq_evm_upload_exec.rb
This module exploits a path traversal vulnerability in the "linuxpkgs"
action of "agent" controller of the Red Hat CloudForms Management Engine
5.1 (ManageIQ Enterprise Virtualization Manager 5.0 and earlier).
2013-12-09 16:18:12 -02:00
Mekanismen 67415808da added exploit module for CVE-2013-0632 2013-12-09 15:18:34 +01:00
sinn3r 2f6a77861a
Land #2731 - vBulletin nodeid SQL injection (exploit) 2013-12-09 02:22:07 -06:00
jvazquez-r7 f77784cd0d
Land #2723, @denandz's module for OSVDB-100423 2013-12-06 17:32:07 -06:00
jvazquez-r7 3729c53690 Move uptime_file_upload to the correct location 2013-12-06 15:57:52 -06:00
jvazquez-r7 2ff9c31747 Do minor clean up on uptime_file_upload 2013-12-06 15:57:22 -06:00
jvazquez-r7 d47292ba10 Add module for CVE-2013-3522 2013-12-06 13:50:12 -06:00
Meatballs 6f02744d46
Land #2730 Typo in mswin_tiff_overflow 2013-12-06 12:32:37 +00:00
Meatballs 3aebe968bb
Land #2721 Reflective DLL Mixin
Adds support to load a dll and identify the ReflectiveLoader offset.
Adds support to inject dll into process and execute it.

Updates kitrap0d, ppr_flatten_rec, reflective_dll_inject modules and
payload modules to use above features.
2013-12-06 12:26:51 +00:00
sinn3r 89ef1d4720 Fix a typo in mswin_tiff_overflow 2013-12-06 00:44:12 -06:00
DoI 3d327363af uptime_file_upload code tidy-ups 2013-12-06 13:45:22 +13:00
jvazquez-r7 e4c6413643
Land #2718, @wchen-r7's deletion of @peer on HttpClient modules 2013-12-05 17:25:59 -06:00
OJ 2cb991cace Shuffle RDI stuff into more appropriate structure
Now broken into two modules, one for loading RDI DLLs off disk and
finding the loader function offset, and another for doing the process
specific stuff of loading into the target.
2013-12-06 08:25:24 +10:00
DoI 07294106cb Removed redundant content-type parameter 2013-12-05 14:18:26 +13:00
DoI cfffd80d22 Added uptime_file_upload exploit module 2013-12-05 11:56:05 +13:00
OJ b936831125 Renamed the mixin module 2013-12-05 08:13:54 +10:00
Tod Beardsley f5a45bfe52
@twitternames not supported for author fields
It's kind of a dumb reason but there are metasploit metadata parsers out
there that barf all over @names. They assume user@email.address. Should
be fixed some day.
2013-12-04 13:31:22 -06:00
OJ 7e8db8662e Update name of the mixin
Changed `RdiMixin` to `ReflectiveDLLInjection`.
2013-12-04 22:18:29 +10:00
OJ f79af4c30e Add RDI mixin module
MSF was starting to see more modules using RDI to load binaries into
remote processes, so it made sense to create a mixin which contained
the functionality that was being used in various locations.

This commit contains the new mixin, and adjustments to all the existing
exploits and modules which use RDI.
2013-12-04 16:09:41 +10:00
sinn3r bf3489203a I missed this one 2013-12-03 13:13:14 -06:00
sinn3r 230db6451b Remove @peer for modules that use HttpClient
The HttpClient mixin has a peer() method, therefore these modules
should not have to make their own. Also new module writers won't
repeat the same old code again.
2013-12-03 12:58:16 -06:00
sinn3r ddbd5858e0
Land #2701 - Refactor of `ppr_flatten_rec`
Also [SeeRM #8140]
2013-12-03 10:51:58 -06:00
jvazquez-r7 2d77ed58d5
Land #2648, @pnegry's exploit for Kaseya File Upload 2013-12-03 09:35:05 -06:00
jvazquez-r7 2606a6ff0e Do minor clean up for kaseya_uploadimage_file_upload 2013-12-03 09:34:25 -06:00
Thomas Hibbert 21bb8fd25a Update based on jvazquez's suggestions. 2013-12-03 13:49:31 +13:00
jvazquez-r7 47bff9a416
Land #2711, @Mekanismen exploit for wordpress OptimizePress theme 2013-12-02 16:30:24 -06:00
jvazquez-r7 5c3ca1c8ec Fix title 2013-12-02 16:30:01 -06:00
jvazquez-r7 c32b734680 Fix regex 2013-12-02 16:24:21 -06:00
Tod Beardsley 55847ce074
Fixup for release
Notably, adds a description for the module landed in #2709.
2013-12-02 16:19:05 -06:00
jvazquez-r7 79a6f8c2ea Clean php_wordpress_optimizepress 2013-12-02 15:43:41 -06:00
jvazquez-r7 41f8a34683 Use attempts 2013-12-02 08:43:22 -06:00
jvazquez-r7 433d21730e Add ATTEMPTS option 2013-12-02 08:42:25 -06:00
jvazquez-r7 b9192c64aa Fix @wchen-r7's feedback 2013-12-01 19:55:53 -06:00
Mekanismen 57b7d89f4d Updated 2013-12-01 09:06:41 +01:00
Mekanismen 045b848a30 added exploit module for optimizepress 2013-11-30 21:51:56 +01:00
jvazquez-r7 3417c4442a Make check really better 2013-11-30 09:47:34 -06:00
jvazquez-r7 749e6bd65b Do better check method 2013-11-30 09:46:22 -06:00
jvazquez-r7 0a7c0eea78 Fix references 2013-11-29 23:13:07 -06:00
jvazquez-r7 691d47f3a3 Add module for ZDI-13-255 2013-11-29 23:11:44 -06:00
sinn3r 8817c0eee0 Change description a bit
Try to make this sound smoother
2013-11-28 12:19:42 -06:00
jvazquez-r7 807e2dfd31 Fix title 2013-11-28 10:53:12 -06:00
jvazquez-r7 7dee4ffd4d Add module for ZDI-13-270 2013-11-28 10:47:04 -06:00
Thomas Hibbert d1e4975f76 Use res.get_cookies instead of homebrew parse. Use _cgi 2013-11-28 16:35:36 +13:00
sinn3r a02e0ee3e4
Land #2682 - Kimai v0.9.2 'db_restore.php' SQL Injection 2013-11-27 19:10:44 -06:00
OJ 0b879d8f39 Comments for WfsDelay, adjustment to injection
I had inteded to add the `WfsDelay` as Meatballs suggested, but for locl
exploits this doesn't appear to work as expected. After speaking to HDM
we've decided to leave the sleep in there and figure out the `WsfDelay`
thing later.

This also includes a slight refactor which puts the payload and the
exploit in the same chunk of allocated memory. Minor optimisation, but
worth it.
2013-11-28 08:42:16 +10:00
OJ defc0ebe5c
ppr_flatten_rec update, RDI submodule, and refactor
This commit contains a few changes for the ppr_flatten_rec local windows
exploit. First, the exploit binary itself:

* Updated to use the RDI submodule.
* Updated to build with VS2013.
* Updated to generate a binary called `ppr_flatten_rc.x86.dll`.
* Invocation of the exploit requires address of the payload to run.

Second, the module in MSF behaved a little strange. I expected it to create
a new session with system privs and leave the existing session alone. This
wasn't the case. It used to create an instance of notepad, migrate the
_existing_ session to it, and run the exploit from there. This behaviour
didn't seem to be consistent with other local exploits. The changes
include:

* Existing session is now left alone, only used as a proxy.
* New notepad instance has exploit reflectively loaded.
* New notepad instance has payload directly injected.
* Exploit invocation takes the payload address as a parameter.
* A wait is added as the exploit is slow to run (nature of the exploit).
* Payloads are executed on successful exploit.
2013-11-27 20:44:18 +10:00
Thomas Hibbert bb0753fcdd Updated module to comply with indentation standard and to use suggestions from reviewers 2013-11-27 16:00:00 +13:00
sinn3r 5d10b44430 Add support for Silverlight
Add support for Silverlight exploitation. [SeeRM #8705]
2013-11-26 14:47:27 -06:00
sinn3r a914fbc400
Land #2693 - case sensitive 2013-11-26 11:16:57 -06:00
Tod Beardsley 671c0d9473
Fix nokogiri typo
[SeeRM #8730]
2013-11-26 10:54:31 -06:00
jvazquez-r7 253719d70c Fix title 2013-11-26 08:11:29 -06:00
jvazquez-r7 6cb63cdad6
Land #2679, @wchen-r7's exploit for cve-2013-3906 2013-11-25 22:04:26 -06:00
jvazquez-r7 0079413e81 Full revert the change 2013-11-25 22:04:02 -06:00
sinn3r fa97c9fa7c Revert this change 2013-11-25 20:54:39 -06:00
sinn3r 3247106626 Heap spray adjustment by @jvazquez-r7 2013-11-25 20:50:53 -06:00
jvazquez-r7 4c249bb6e9 Fix heap spray 2013-11-25 20:06:42 -06:00
sinn3r 385381cde2 Change target address
This one tends to work better with our boxes
2013-11-25 17:21:39 -06:00
sinn3r 57f4f68559
Land #2652 - Apache Roller OGNL Injection 2013-11-25 15:14:35 -06:00
sinn3r 8005826160
Land #2644 - MS13-090 CardSpaceClaimCollection vuln 2013-11-25 13:06:09 -06:00
sinn3r 4773270ff0
Land #2677 - MS12-022 COALineDashStyleArray vuln 2013-11-25 12:58:45 -06:00
bcoles a03cfce74c Add table prefix and doc root as fallback options 2013-11-25 17:44:26 +10:30
sinn3r fc14a6c149
Land #2576 - NETGEAR ReadyNAS Perl Code Evaluation Vulnerability 2013-11-24 00:47:14 -06:00
bcoles d8700314e7 Add Kimai v0.9.2 'db_restore.php' SQL Injection module 2013-11-24 02:32:16 +10:30
sinn3r 9987ec0883 Hmm, change ranking 2013-11-23 00:51:58 -06:00
sinn3r 6ccc3e3c48 Make payload execution more stable 2013-11-23 00:47:45 -06:00
sinn3r d748fd4003 Final commit 2013-11-22 23:35:26 -06:00
sinn3r f871452b97 Slightly change the description
Because it isn't that slow
2013-11-22 19:27:00 -06:00
sinn3r eddedd4746 Working version 2013-11-22 19:14:56 -06:00
jvazquez-r7 7e4487b93b Update description 2013-11-22 17:37:23 -06:00
sinn3r c8fd761c53 Progress 2013-11-22 16:57:29 -06:00
jvazquez-r7 a7ad107e88 Add ruby code for ms13-022 2013-11-22 16:41:56 -06:00
sinn3r 953a96fc2e This one looks promising 2013-11-22 12:27:10 -06:00
sinn3r 8476ca872e More progress 2013-11-22 11:53:57 -06:00
sinn3r f1d181afc7 Progress 2013-11-22 04:51:55 -06:00
sinn3r 6d5c1c230c Progress 2013-11-22 03:55:40 -06:00
sinn3r 4d2253fe35 Diet 2013-11-22 02:25:09 -06:00
sinn3r 8382d31f46 More progress 2013-11-21 18:48:12 -06:00
jvazquez-r7 885fedcc3b Fix target name 2013-11-21 17:42:31 -06:00
sinn3r 22c7703e8b
Land #2658 - Make OGNL expressions compatible with struts 2.0.11.2 2013-11-21 15:30:42 -06:00
sinn3r 56d1c545e7 Oh look, more code 2013-11-21 14:42:07 -06:00
jvazquez-r7 851cf6f0d1
Land #2650, @pnegry's exploit for DesktopCentral 8 2013-11-21 09:30:17 -06:00
jvazquez-r7 77aa665385 Add Privileged flag 2013-11-21 09:28:28 -06:00
jvazquez-r7 2ab3ab8b66 Delete empty Payload metadata section 2013-11-21 09:27:25 -06:00
jvazquez-r7 6bd3c4c887 Fix target name 2013-11-21 09:07:25 -06:00
jvazquez-r7 4c2ad4ca9a Fix metadata 2013-11-21 09:06:47 -06:00
jvazquez-r7 8e4c5dbb5e improve upload_file response check 2013-11-21 09:02:11 -06:00
jvazquez-r7 8fdfeb73db Fix use of FileDropper and improve check method 2013-11-21 09:01:41 -06:00
jvazquez-r7 4abf01c64c Clean indentation 2013-11-21 08:32:54 -06:00
sinn3r ddd5b0abb9 More progress 2013-11-21 04:27:41 -06:00
sinn3r e13e457d8f Progress 2013-11-20 17:11:13 -06:00
William Vu 9f45121b23 Remove EOL spaces 2013-11-20 15:08:13 -06:00
jvazquez-r7 cec4166766 Fix description 2013-11-20 12:49:22 -06:00
jvazquez-r7 18e69bee8c Make OGNL expressions compatible with struts 2.0.11.2 2013-11-20 12:42:10 -06:00
sinn3r 94e13a0b8a Initial commit of CVE-2013-3906 2013-11-19 23:10:32 -06:00
Thomas Hibbert 4cc20f163b Update References field to be compliant. 2013-11-20 13:01:21 +13:00
Thomas Hibbert c76fa32345 Fixed reference format 2013-11-20 12:53:21 +13:00
Thomas Hibbert 26a5e37266 Use MSF::Exploit:FileDropper to register the uploaded file for cleanup. 2013-11-20 12:27:22 +13:00
Thomas Hibbert 07c76fd3e6 Module cleaned for msftidy compliance. 2013-11-20 11:33:14 +13:00
sinn3r a9de5e2846
Land #2634 - Opt browser autopwn load list 2013-11-19 15:10:29 -06:00
jvazquez-r7 14c6ab4ca5 Add module for CVE-2013-4212 2013-11-19 10:25:52 -06:00
sinn3r b5fc0493a5
Land #2642 - Fix titles 2013-11-18 12:14:36 -06:00
jvazquez-r7 9e46975a95
Land #2643, @ChrisJohnRiley SkipVersionCheck for exim4_dovecot_bannercheck 2013-11-18 11:28:07 -06:00
jvazquez-r7 540b85df3f Set SkipVersionCheck as not required 2013-11-18 11:27:32 -06:00
jvazquez-r7 bddb314073 Fix usage of Retries 2013-11-18 09:09:20 -06:00
jvazquez-r7 237bb22771 Disable auto migrate 2013-11-18 08:54:22 -06:00
Thomas Hibbert 960f7c9bbb Add DesktopCentral arbitrary file upload exploit. 2013-11-18 16:11:28 +13:00
Thomas Hibbert 60a245b0c3 Fix the arch declaration in uploaded module. 2013-11-18 14:49:03 +13:00
Thomas Hibbert 636fdfe2d2 Added Kaseya uploadImage exploit. 2013-11-18 14:23:34 +13:00
Tod Beardsley 89d0b3c41c
Return the splat and require on a module. 2013-11-15 12:19:53 -06:00
Tod Beardsley 36db6a4d59
Land #2616, SuperMicro close_window BOF 2013-11-15 11:34:53 -06:00
jvazquez-r7 cbb7eb192c Add module for CVE-2013-3918 2013-11-15 10:38:52 -06:00
Chris John Riley 5bd5eacd77 Added option to ignore banner checks 2013-11-15 15:01:11 +01:00
William Vu 2c485c509e Fix caps on module titles (first pass) 2013-11-15 00:03:42 -06:00
jvazquez-r7 4cf16cf360
Land #2633, @OJ's port of Kitrap0d as local exploit 2013-11-14 09:27:10 -06:00
jvazquez-r7 fe2cd93a65 Delete ms13_037_svg_dashstyle from the browser_autopwn list 2013-11-13 23:46:50 -06:00
OJ 506a4d9e67
Remove genericity, x64 and renamed stuff
As per discussion on the github issue, the following changes were made:

* Project renamed from elevate to kitrap0d, implying that this is not
  intended to be a generic local priv esc exploit container.
* Container DLL no longer generic, always calls the kitrap0d exploit.
* Removal of all x64 code and project configurations.
* Invocation of the exploit changed so that the address of the payload
  is passed in to the exploit entry point. The exploit is now responsible
  for executing the payload if the exploit is successful. This removes
  the possibility of the payload getting executed when the exploit fails.
* Source moved to the appropriate CVE folder.
* Binary moved to the appropriate CVE folder.
* Little bit of source rejigging to tidy things up.
2013-11-14 12:22:53 +10:00
jvazquez-r7 8771b163f0 Solve conflicts with aladdin_choosefilepath_bof 2013-11-12 23:11:42 -06:00
OJ e4fc361b37 Various tidies and fixes
* Change ranking.
* Update references to comply with correct approach.
* Update messages to better describe what should happen.
* Update the Windows version regex to match XP.
* Update `check` function to use `unless`.

Thanks again @jvazquez-r7 for the feedback!
2013-11-13 10:38:48 +10:00
jvazquez-r7 ef6d9db48f
Land #2613, @wchen-r7's BrowserExploitServer mixin 2013-11-12 17:33:12 -06:00
jvazquez-r7 004c1bac78 Reduce number of modules available on BrowserAutopwn 2013-11-12 12:37:29 -06:00
OJ 40f58ce534
Finalise the local exploit for kitrap0d
The exploit now properly injects the DLL using RDI and invokes the
exploit based on a parameter passed by the Ruby module. The elevate
code is 'generic' with a goal of possibly supporting more exploits
down the track.

New sessions are now created with the SYSTEM creds, rather than
modifying the existing session. This is now inline with how things
are done with other local modules.
2013-11-12 23:01:24 +10:00
Tod Beardsley 65993704c3
Actually commit the mode change. 2013-11-11 22:16:29 -06:00
Tod Beardsley 2035983d3c
Fix a handful of msftidy warnings, and XXX SSL
Marked the SSL stuff as something that needs to be resolved in order to
fix a future bug in datastore manipulation. Also, fixed some whitespace
and exec complaints

[SeeRM #8498]
2013-11-11 21:23:35 -06:00
jvazquez-r7 b01d8c50e0 Restore module crash documentation 2013-11-11 17:09:41 -06:00
jvazquez-r7 30de61168d Support heap spray obfuscation 2013-11-11 17:05:54 -06:00
jvazquez-r7 922f0eb900 Switch aladdin_choosefilepath_bof2 to use BrowserExploitServer 2013-11-11 17:01:09 -06:00
sinn3r b887ed68b5
Land #2608 - Allow guest login option for psexec. 2013-11-11 10:09:41 -06:00
OJ 82739c0315 Add extra URL for exploit detail 2013-11-11 22:07:36 +10:00
OJ 6a25ba18be Move kitrap0d exploit from getsystem to local exploit
This version modifies the existing meterpreter session and bumps the privs
up to SYSTEM. However it's not how local exploits are supposed to work.
More work will be done to make this create a new session with the elevated
privs instead.
2013-11-11 17:14:40 +10:00
jvazquez-r7 40f8e80775 Fix jlee-r7's feedback 2013-11-08 14:28:19 -06:00
jvazquez-r7 d419c73488
Land #2517, @3v0lver's exploit for cve-2008-2286 2013-11-08 08:41:04 -06:00
jvazquez-r7 fddb69edb3 Use instance variables for 1-time injections 2013-11-08 08:30:35 -06:00
jvazquez-r7 69b261a9f2 Clean post exploitation code 2013-11-07 18:11:54 -06:00
jvazquez-r7 9f51268d21 Make xp_shell_enable instance variable 2013-11-07 17:53:28 -06:00
jvazquez-r7 aa1000df72 Clean check method 2013-11-07 17:44:22 -06:00
jvazquez-r7 c2662d28e0 Move module to the misc folder 2013-11-07 17:34:22 -06:00
jvazquez-r7 b068e4beb5 Fix indentation and refactor send_update_computer 2013-11-07 17:33:35 -06:00
jvazquez-r7 b7e360922d Update ranking 2013-11-07 15:10:26 -06:00
jvazquez-r7 decf6ff6a0 Add module for CVE-2013-3623 2013-11-07 14:59:40 -06:00
jvazquez-r7 bdba80c05c
Land #2569, @averagesecurityguy and others exploit for CVE-2013-4468, CVE-2013-4467 2013-11-07 12:20:42 -06:00
scriptjunkie 7615264b17 Merge branch 'lanattacks_fix' of git://github.com/OJ/metasploit-framework into OJ-lanattacks_fix 2013-11-07 10:35:00 -06:00
root 944528e633 Updated for temporal pathing with TEMP variable 2013-11-07 01:34:55 -05:00
jvazquez-r7 2d4090d9c3 Make option astGUIclient credentials 2013-11-06 20:33:47 -06:00
jvazquez-r7 24d22c96a5 Improve exploitation 2013-11-06 20:15:40 -06:00
jvazquez-r7 2b2ec1a576 Change module location 2013-11-06 15:53:45 -06:00
jvazquez-r7 b9cb8e7930 Add new options 2013-11-06 15:53:12 -06:00
scriptjunkie 61e4700832
Allow guest login option.
This enables obtaining or maintaining access to properly misconfigured
systems through the Guest account.
2013-11-06 11:28:13 -06:00
OJ 7dcb071f11 Remote shebang and fix pxexeploit 2013-11-06 07:10:25 +10:00
James Lee 9e30c58495 Blow away remnants of Local::Unix 2013-11-05 13:51:45 -06:00
James Lee 36f96d343e Revert "Revert "Land #2505" to resolve new rspec fails"
This reverts commit e7d3206dc9.
2013-11-05 13:45:00 -06:00