Commit Graph

371 Commits (9040fcd5ae3fdaf8b7c3c607150a06f4f1089f1d)

Author SHA1 Message Date
sinn3r 530332b176 Apply evil-e's fix when port isn't 22
See #1130
2012-12-05 21:42:53 -06:00
sinn3r 32c5f12912 Hmm, I should change the target name 2012-12-05 21:38:31 -06:00
sinn3r d3c1fa842a Lots of improvements
Keyboard-interactive method isn't required to exploit Tectia SSH.
So this update will just go straight to password method. There's
also improvements for the check() method: Not only does it check
the SSH version (banner), it will also check and see if the server
is using password method to auth.
2012-12-05 21:34:33 -06:00
sinn3r 49999a56ea Added CVE & vendor advisory information 2012-12-05 10:13:44 -06:00
sinn3r e6c6133c90 must be password authentication 2012-12-04 09:56:51 -06:00
sinn3r 2467183c4f "Appears" is better
"Appears" is a more accureate way describing how much we think the
host is vulnerable.
2012-12-04 09:28:05 -06:00
sinn3r b5e7009283 Since we have included Tcp for check(), we don't need to reg rhost 2012-12-04 09:25:24 -06:00
sinn3r 3c59c2d5c0 This extra space must die. 2012-12-03 21:09:07 -06:00
sinn3r 211a1674f5 Add kingcope's Tectia SSH 0day 2012-12-03 21:07:32 -06:00
HD Moore 8b3d200986 Add a check for nil 2012-11-28 23:50:29 -06:00
HD Moore d4e873df07 Fix bad reference (thanks Daniel Moeller) 2012-11-22 23:51:57 -06:00
jvazquez-r7 959ea1f0c5 final cleanup 2012-11-20 12:52:00 +01:00
sinn3r a93fbfea32 Add Narcissus module (OSVDB-87410) 2012-11-19 15:12:57 -06:00
jvazquez-r7 09ec7dea95 fix check function after speak with egix 2012-11-15 01:34:17 +01:00
jvazquez-r7 3ba3e906d7 added improvements by egix 2012-11-15 01:20:32 +01:00
sinn3r af8ac2fbf6 There's a bug here, can you tell?
Need to be aware of what happens when no version is captured.
2012-11-14 11:54:59 -06:00
jvazquez-r7 88ea347e40 added cookie prefix check 2012-11-14 16:20:40 +01:00
James Lee bbb2f69b55 Add missing require for PhpExe 2012-11-13 10:17:42 -06:00
sinn3r 7d317e7863 Use PhpEXE, and a check() function
Uses the PhpEXE mixin for the payload. And then in the future
we can modify PhpEXE again to allow it to be space-free (problem
being a space is required when you use a function).  Also, this
commit has a new check function.
2012-11-13 01:41:26 -06:00
jvazquez-r7 42dd1ee3ff added module for CVE-2012-5692 2012-11-10 11:35:21 +01:00
Chris John Riley f88ec5cbc8 Add normalize_uri to modules that may have
been missed by PULL 1045.

Please ensure PULL 1045 is in place prior to
looking at this (as it implements normalize_uri)

ref --> https://github.com/rapid7/metasploit-framework/pull/1045
2012-11-08 17:42:48 +01:00
sinn3r 2c4273e478 Correct some modules with res nil 2012-10-29 04:41:30 -05:00
sinn3r 799c22554e Warn user if a file/permission is being modified during new session 2012-10-24 00:54:17 -05:00
sinn3r f1423bf0b4 If a message is clearly a warning, then use print_warning 2012-10-24 00:44:53 -05:00
Tod Beardsley be9a954405 Merge remote branch 'jlee-r7/cleanup/post-requires' 2012-10-23 15:08:25 -05:00
Michael Schierl 910644400d References EDB cleanup
All other types of references use String arguments, but approximately half
of the EDB references use Fixnums. Fix this by using Strings here too.
2012-10-23 21:02:09 +02:00
James Lee 9c95c7992b Require's for all the include's 2012-10-23 13:24:05 -05:00
James Lee 13a5892e95 Add a mixin for uploading/executing bins with PHP
And use it in three modules that had copy-paste versions of the same
idea.
2012-10-12 02:57:41 -05:00
sinn3r 9ea208d129 Oops, overwrote egypt's changes by accident 2012-10-11 16:40:52 -05:00
sinn3r 82eaa322fe Make cleanup work better 2012-10-11 16:39:54 -05:00
James Lee 3a66a07844 Proposed re-wording of description
[See #889]
2012-10-11 15:48:04 -05:00
sinn3r 24980e735b I found an OSVDB ID 2012-10-11 15:28:07 -05:00
sinn3r 55128f5bb3 Make sure res has value before passing it on to exec_php 2012-10-11 14:43:38 -05:00
sinn3r 033a11eff5 Add Project Pier File Upload Vulnerability 2012-10-11 13:47:40 -05:00
jvazquez-r7 4fa3631e34 avoiding the python support on the barracuda one if cannot be tested 2012-10-09 18:01:23 +02:00
jvazquez-r7 f33411abd1 Merge branch 'python_payload_support' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-python_payload_support 2012-10-09 18:00:44 +02:00
sinn3r a12aed7ffc Don't really need these keywords 2012-10-09 00:49:05 -05:00
sinn3r c094508119 Support Python payload
Pretty sure if the app is run on Unix/Apache, or supports perl and
ruby, chances are python works too.
2012-10-08 22:17:11 -05:00
ethicalhack3r f4e442bcbd Added headers support to php_include module 2012-10-05 23:00:38 +02:00
sinn3r d515b3274d Apply wfsdelay and apply egypt's suggestions 2012-10-04 00:40:52 -05:00
bcoles e2276bfedb Add QNX QCOMM command execution module 2012-09-30 17:21:08 +09:30
Tod Beardsley c83b49ad58 Unix linefeeds, not windows
That's what I get for just committing willy-nilly with a fresh install
of Gvim for Windows.

Also, this is an experiment to see if linefeeds are being respected in
this editor Window. I doubt it will be, given GitHub's resistence to
50/72 as a sensible default.
2012-09-16 18:10:35 -05:00
Tod Beardsley 2fc34e0073 Auth successful, not successfully
Just fixing up some adverb versus adjective grammar.
2012-09-16 17:51:00 -05:00
jvazquez-r7 cbc778cb47 add changes proposed by sinn3r 2012-09-15 23:53:09 +02:00
jvazquez-r7 0708ec72fc module moved to a more correct location 2012-09-15 15:31:21 +02:00
jvazquez-r7 e27f736e95 BID reference added 2012-08-24 17:29:12 +02:00
jvazquez-r7 0e535e6485 added module for XODA file upload RCE 2012-08-22 00:54:13 +02:00
jvazquez-r7 c2cc4b3b15 juan author name updated 2012-08-06 18:59:16 +02:00
Tod Beardsley d5b165abbb Msftidy.rb cleanup on recent modules.
Notably, DisclosureDate is required for other module parsers, so let's
not ignore those, even if you have to guess at the disclosure or call
the module's publish date the disclosure date.
2012-08-04 12:18:00 -05:00
Daniel Miller 31510167e6 Make setuid_nmap more robust
Squashed commit of the following:

commit e1a1f84f9b1ce6466e82c72e39070c34607d6769
Author: James Lee <egypt@metasploit.com>
Date:   Fri Aug 3 14:13:33 2012 -0600

    Fix 1.8 compat

commit 26533219896b6e874b2f2113e7cbc6d5d7d1ac79
Author: Daniel Miller <bonsaiviking@gmail.com>
Date:   Thu Aug 2 09:50:38 2012 -0500

    Handle early Nmap versions that don't take absolute paths

commit 00db80131deba1f4a3bcc289b394feb5057fbbe9
Author: Daniel Miller <bonsaiviking@gmail.com>
Date:   Fri Jul 27 11:58:36 2012 -0500

    Add compatibility args to setuid_nmap command

    Nmap before 4.75 would not run a script without a port scan being
    performed. Example: 4.53 installed on Metasploitable would not work.
    Added "-p80 localhost" to the command to ensure it works with these
    older versions.

[Closes #649]
2012-08-03 14:15:09 -06:00
jvazquez-r7 2f66aa7c4f Added module for OSVDB 83891 2012-07-21 12:14:29 +02:00
James Lee efe478f847 Merge branch 'master' into omg-post-exploits 2012-07-16 09:20:23 -06:00
HD Moore a57e712630 Be less verbose 2012-07-15 22:19:12 -05:00
HD Moore b133428bc1 Better error handling in two web app modules 2012-07-15 21:56:00 -05:00
jvazquez-r7 4af75ff7ed Added module for CVE-2011-4542 2012-07-10 18:40:18 +02:00
James Lee 6d6b4bfa92 Merge remote branch 'rapid7/master' into omg-post-exploits 2012-07-08 17:32:39 -06:00
Steve Tornio 44290c2c89 add osvdb ref 2012-07-07 08:40:25 -05:00
sinn3r 1e6c4301b6 We worked on it, so we got credit 2012-07-06 02:12:10 -05:00
sinn3r f8123ef316 Add a "#" in the end after the payload 2012-07-06 02:09:31 -05:00
sinn3r 187731f2cb Add a check function to detect the vuln 2012-07-06 01:58:01 -05:00
sinn3r dcddc712d2 Missing a "&" 2012-07-06 01:50:18 -05:00
sinn3r 3c8a836091 Add lcashdol's module from #568
Initial version being worked on by sinn3r & juan
2012-07-06 01:41:34 -05:00
sinn3r 850242e733 Remove the extra comma and a tab char 2012-07-05 14:05:23 -05:00
jvazquez-r7 aee7d1a966 Added module for CVE-2012-0911 2012-07-05 20:58:27 +02:00
sinn3r e5dd6fc672 Update milw0rm references.
milw0rm.com is long gone, so all milw0rm references are just
a bunch of broken links.  Change to exploit-db instead.
2012-06-28 14:27:12 -05:00
sinn3r f63a3959e0 Update web app module references 2012-06-28 00:37:37 -05:00
sinn3r 8927c8ae57 Make it more verbose, and do some exception handling for cleanup 2012-06-25 17:27:33 -05:00
jvazquez-r7 7b0f3383d2 delete default credentials 2012-06-25 23:53:56 +02:00
jvazquez-r7 7dc1a572e5 trying to fix serialization issues 2012-06-25 23:25:38 +02:00
jvazquez-r7 4c453f9b87 Added module for CVE-2012-0694 2012-06-25 17:21:03 +02:00
James Lee 815d80a2cc Merge branch 'rapid7' into omg-post-exploits 2012-06-21 17:02:55 -06:00
HD Moore d40e39b71b Additional exploit fail_with() changes to remove raise calls 2012-06-19 19:43:41 -05:00
HD Moore fb7f6b49f0 This mega-diff adds better error classification to existing modules 2012-06-19 12:59:15 -05:00
James Lee 96c16a498a Add a check for distcc_exec
Just executes the exploit with an "echo <random>" payload to see if it
works.
2012-06-18 14:34:02 -06:00
James Lee c39a42da3d No need to alter time out 2012-06-12 23:58:20 -06:00
James Lee 0e8fb0fe98 Add a post-exploitation exploit for suid nmap
Tested on Ubuntu with nmap 6.00 and nmap 5.00
2012-06-12 23:58:20 -06:00
jvazquez-r7 4ae786590a php_wordpress_foxypress from patrick updated. Related to Pull Request #475 2012-06-12 17:39:05 +02:00
Christian Mehlmauer 3752c10ccf Adding FireFart's RPORT(80) cleanup
This was tested by creating a resource script to load every changed
module and displaying the options, like so:

````
use auxiliary/admin/2wire/xslt_password_reset
show options
use auxiliary/admin/http/contentkeeper_fileaccess
show options
````

...etc. This was run in both the master branch and FireFart's branch
while spooling out the results of msfconsole, then diffing those
results. All modules loaded successfully, and there were no changes to
the option sets, so it looks like a successful fix.

Thanks FireFart!

Squashed commit of the following:

commit 7c1eea53fe3743f59402e445cf34fab84cf5a4b7
Author: Christian Mehlmauer <FireFart@gmail.com>
Date:   Fri May 25 22:09:42 2012 +0200

    Cleanup Opt::RPORT(80) since it is already registered by Msf::Exploit::Remote::HttpClient
2012-06-02 09:53:19 -05:00
David Maloney 54fb6d2f7a Fixes unreal ircd race condition
Handler would exit before finishing staging
2012-05-29 17:16:07 -05:00
jvazquez-r7 e774df5c32 target info plus relocation 2012-05-25 20:16:13 +02:00
jvazquez-r7 c4fad0dea5 module added for OSVDB-73609 2012-05-25 17:18:09 +02:00
HD Moore d668e2321d Rename this to a more suitable location 2012-05-04 09:59:40 -05:00
HD Moore 6cf6a9548d Fix up the PHP CGI exploit, remove debug lines 2012-05-04 09:58:10 -05:00
sinn3r 9a36017271 no unicode 2012-05-04 00:01:03 -05:00
James Lee 2d1f4d4f3e Add hdm's better check method 2012-05-03 19:00:40 -06:00
James Lee 40ec3d9d40 Add an exploit module for the recent php cgi bug (CVE-2012-1823) 2012-05-03 18:51:54 -06:00
sinn3r a8eada6016 This module should be able to support more payloads 2012-04-16 14:43:36 -05:00
sinn3r edadc19757 This module should be able to support more payloads than it should be 2012-04-16 14:41:11 -05:00
Tod Beardsley 56404f5edd Fixing EDB reference 2012-03-28 14:33:25 -06:00
Tod Beardsley 2bcf259301 Setting correct LFs on freepbx_callmenum.rb 2012-03-23 16:29:42 -05:00
wchen-r7 71462bc73d Merging in freepbx_callmenum.rb and ricoh_dl_bof.rb
[Closes #266]
2012-03-23 16:23:36 -05:00
Tod Beardsley 47493af103 Merge pull request #259 from todb-r7/edb-2
Convert Exploit-DB references to first-tier "EDB-12345" references
2012-03-23 12:09:07 -07:00
James Lee 17a044db89 Print the full URI
Makes everything obvious from output alone, don't need to show options
to see what RHOST is.
2012-03-22 18:44:55 -06:00
Tod Beardsley 7d12a3ad3a Manual fixup on remaining exploit-db references 2012-03-21 16:43:21 -05:00
Tod Beardsley 2f3bbdc00c Sed replacement of exploit-db links with EDB refs
This is the result of:

find modules/ -name \*.rb -exec sed -i -e 's#\x27URL\x27,
\x27http://www.exploit-db.com/exploits/\([0-9]\+\).*\x27#\x27EDB\x27,
\1#' modules/*.rb {} \
2012-03-21 16:43:21 -05:00
sinn3r aeb691bbee Massive whitespace cleanup 2012-03-18 00:07:27 -05:00
James Lee 70162fde73 A few more author typos 2012-03-05 13:28:46 -07:00
James Lee 5e6c40edfd Remove unnecessary space restrictions.
This allows using the full range of PHP payloads
2012-02-21 23:21:07 -07:00
James Lee 7ca573a1b4 Give these two old modules a chance to work by setting a proper arch
These must have been broken for quite some time.  =/  They should
probably both be ARCH_PHP but I'm reluctant to make that big of a change
without having the target software to test.
2012-02-21 22:59:20 -07:00
HD Moore ceb4888772 Fix up the boilerplate comment to use a better url 2012-02-20 19:40:50 -06:00