0b879d8f39
Comments for WfsDelay, adjustment to injection
...
I had inteded to add the `WfsDelay` as Meatballs suggested, but for locl
exploits this doesn't appear to work as expected. After speaking to HDM
we've decided to leave the sleep in there and figure out the `WsfDelay`
thing later.
This also includes a slight refactor which puts the payload and the
exploit in the same chunk of allocated memory. Minor optimisation, but
worth it.
2013-11-28 08:42:16 +10:00
7f8baf979d
Adds the ability to configure object name in URI and XML. This allows exploiting other platforms that include devise.
...
For example, activeadmin is exploitable if running a vulnerable devise and rails version with the following settings;
msf > use auxiliary/admin/http/rails_devise_pass_reset
msf auxiliary(rails_devise_pass_reset) > set RHOST 127.0.0.1
RHOST => 127.0.0.1
msf auxiliary(rails_devise_pass_reset) > set RPORT 3000
RPORT => 3000
msf auxiliary(rails_devise_pass_reset) > set TARGETEMAIL admin@example.com
TARGETEMAIL => admin@example.com
msf auxiliary(rails_devise_pass_reset) > set TARGETURI /admin/password
TARGETURI => /admin/password
msf auxiliary(rails_devise_pass_reset) > set PASSWORD msf_pwnd
PASSWORD => msf_pwnd
msf auxiliary(rails_devise_pass_reset) > set OBJECTNAME admin_user
OBJECTNAME => admin_user
msf auxiliary(rails_devise_pass_reset) > exploit
[*] Clearing existing tokens...
[*] Generating reset token for admin@example.com...
[+] Reset token generated successfully
[*] Resetting password to "msf_pwnd"...
[+] Password reset worked successfully
[*] Auxiliary module execution completed
msf auxiliary(rails_devise_pass_reset) >
2013-11-27 15:35:43 -06:00
1c17383eff
removed return file_loc
...
removed extra space
2013-11-27 15:04:31 -06:00
036cd8c5ad
couple cosmetic changes per wvu-r7
2013-11-27 14:44:39 -06:00
95a98529c4
Removed script launcher wrapper and fixed the file_exists so that the module now detects input
2013-11-27 21:38:20 +01:00
6c8df4be27
Land #2699 , @wvu fix for Linux download_exec post module
2013-11-27 10:22:35 -06:00
6561f149a8
DRY up URL_REGEX constant.
2013-11-27 06:16:25 -06:00
b0416b802d
Change the Recent shares implementation.
...
* Allows us to see protocol of Recent Shares
* Parses protocol from file share URL
2013-11-27 06:08:48 -06:00
e876155e1a
More tweaks to mount_share.
...
* Adds some docs to some of the methods to further distinguish
the separate sets of shares.
2013-11-27 05:45:46 -06:00
485e38ebca
Some code tweaks to post/osx/mount_share.
...
* Make PROTOCOL an Enum
* Move path override options to advanced section
* More Enumerable rework
* Move one-off regexes back to inline, pull out protocol list
2013-11-27 05:22:12 -06:00
defc0ebe5c
ppr_flatten_rec update, RDI submodule, and refactor
...
This commit contains a few changes for the ppr_flatten_rec local windows
exploit. First, the exploit binary itself:
* Updated to use the RDI submodule.
* Updated to build with VS2013.
* Updated to generate a binary called `ppr_flatten_rc.x86.dll`.
* Invocation of the exploit requires address of the payload to run.
Second, the module in MSF behaved a little strange. I expected it to create
a new session with system privs and leave the existing session alone. This
wasn't the case. It used to create an instance of notepad, migrate the
_existing_ session to it, and run the exploit from there. This behaviour
didn't seem to be consistent with other local exploits. The changes
include:
* Existing session is now left alone, only used as a proxy.
* New notepad instance has exploit reflectively loaded.
* New notepad instance has payload directly injected.
* Exploit invocation takes the payload address as a parameter.
* A wait is added as the exploit is slow to run (nature of the exploit).
* Payloads are executed on successful exploit.
2013-11-27 20:44:18 +10:00
f3e71c2c9d
Be more specific
...
Perl!
2013-11-27 01:03:41 -06:00
b202b98a42
Anchor the scheme
2013-11-27 00:57:45 -06:00
e8da97aa17
Fix extraneous use of which and cmdsub
...
I don't even.
2013-11-27 00:43:07 -06:00
288476441f
Fix improper use of expand_path
...
I don't even.
2013-11-27 00:42:09 -06:00
bb0753fcdd
Updated module to comply with indentation standard and to use suggestions from reviewers
2013-11-27 16:00:00 +13:00
5d10b44430
Add support for Silverlight
...
Add support for Silverlight exploitation. [SeeRM #8705 ]
2013-11-26 14:47:27 -06:00
a914fbc400
Land #2693 - case sensitive
2013-11-26 11:16:57 -06:00
671c0d9473
Fix nokogiri typo
...
[SeeRM #8730 ]
2013-11-26 10:54:31 -06:00
9dbeb55b9a
removed single quotes from inside %q{} on line 22 per https://github.com/rapid7/metasploit-framework/pull/2675#discussion_r7913331
...
removed empty advanced options registration on line 28 per https://github.com/rapid7/metasploit-framework/pull/2675#discussion_r7913342
2013-11-26 10:29:38 -06:00
253719d70c
Fix title
2013-11-26 08:11:29 -06:00
f1c5ab95bf
Land #2690 - typo
2013-11-25 23:53:34 -06:00
70139d05ea
Fix missed title
2013-11-25 22:46:35 -06:00
6cb63cdad6
Land #2679 , @wchen-r7's exploit for cve-2013-3906
2013-11-25 22:04:26 -06:00
0079413e81
Full revert the change
2013-11-25 22:04:02 -06:00
fa97c9fa7c
Revert this change
2013-11-25 20:54:39 -06:00
3247106626
Heap spray adjustment by @jvazquez-r7
2013-11-25 20:50:53 -06:00
4c249bb6e9
Fix heap spray
2013-11-25 20:06:42 -06:00
385381cde2
Change target address
...
This one tends to work better with our boxes
2013-11-25 17:21:39 -06:00
a7e6a79b15
Land #2685 , @wchen-r7's update for the word injector description
2013-11-25 15:47:57 -06:00
92807d0399
Land #2676 , @todb-r7 module for CVE-2013-4164
2013-11-25 15:40:33 -06:00
57f4f68559
Land #2652 - Apache Roller OGNL Injection
2013-11-25 15:14:35 -06:00
8005826160
Land #2644 - MS13-090 CardSpaceClaimCollection vuln
2013-11-25 13:06:09 -06:00
4773270ff0
Land #2677 - MS12-022 COALineDashStyleArray vuln
2013-11-25 12:58:45 -06:00
23448b58e7
Remove timeout checkers that are rescued anyway
2013-11-25 12:37:23 -06:00
f311b0cd1e
Add user-controlled verbs.
...
GET, HEAD, POST, and PROPFIND were tested on WebRick, all successful.
2013-11-25 12:29:05 -06:00
cc60ca2e2a
Fix module title
2013-11-25 09:33:43 -06:00
cc261d2c25
Land #2670 , @juushya's aux brute forcer mod for OpenMind
2013-11-25 09:29:41 -06:00
e157ff73d3
Oracle ILOM Login utility
2013-11-25 13:55:31 +05:30
a03cfce74c
Add table prefix and doc root as fallback options
2013-11-25 17:44:26 +10:30
48578c3bc0
Update description about suitable targets
...
The same technique work for Microsoft Office 2013 as well. Tested.
2013-11-24 23:02:37 -06:00
49441875f3
Land #2683 , @wchen-r7's module name consistency fix
2013-11-24 16:51:22 -06:00
b015dd4f1c
Land #2532 Enum LSA Secrets
...
With refactoring of common methods from smart_hashdump, hashdump,
cachedump to Windows::Post::Privs
2013-11-24 18:09:33 +00:00
ce8b63f240
Update module name to stay consistent
...
This module is under the windows/gather, so must be named the same
way like the rest.
2013-11-24 01:01:29 -06:00
fc14a6c149
Land #2576 - NETGEAR ReadyNAS Perl Code Evaluation Vulnerability
2013-11-24 00:47:14 -06:00
d8700314e7
Add Kimai v0.9.2 'db_restore.php' SQL Injection module
2013-11-24 02:32:16 +10:30
9987ec0883
Hmm, change ranking
2013-11-23 00:51:58 -06:00
6ccc3e3c48
Make payload execution more stable
2013-11-23 00:47:45 -06:00
d748fd4003
Final commit
2013-11-22 23:35:26 -06:00
f871452b97
Slightly change the description
...
Because it isn't that slow
2013-11-22 19:27:00 -06:00
eddedd4746
Working version
2013-11-22 19:14:56 -06:00
7e4487b93b
Update description
2013-11-22 17:37:23 -06:00
c8fd761c53
Progress
2013-11-22 16:57:29 -06:00
6a28aa298e
Module for CVE-2013-4164
...
So far, just a DoS. So far, just tested on recent Rails with Webrick and
Thin front ends -- would love to see some testing on ngix/apache with
passenger/mod_rails but I don't have it set up at the moment.
2013-11-22 16:51:02 -06:00
a7ad107e88
Add ruby code for ms13-022
2013-11-22 16:41:56 -06:00
266de2d27f
Updated
2013-11-23 00:01:03 +03:00
b712c77413
capitalization
2013-11-22 14:37:54 -06:00
52a3b93f24
Hopefully final commit.
...
ALL issues mentioned by todb in https://github.com/rapid7/metasploit-framework/pull/2663/ have been fixed or erased.
Only exception is comment https://github.com/rapid7/metasploit-framework/pull/2663/#discussion_r7837036 which if omitted as recommended, breaks the module.
2013-11-22 14:17:20 -06:00
9addd37458
minor changes:
...
s/grab/gather/g
2013-11-22 14:03:54 -06:00
b742ed13b9
junk commit
2013-11-22 12:38:06 -06:00
953a96fc2e
This one looks promising
2013-11-22 12:27:10 -06:00
8476ca872e
More progress
2013-11-22 11:53:57 -06:00
4a6511311d
Code improvements according to feedback
2013-11-22 15:35:45 +01:00
f1d181afc7
Progress
2013-11-22 04:51:55 -06:00
6d5c1c230c
Progress
2013-11-22 03:55:40 -06:00
4d2253fe35
Diet
2013-11-22 02:25:09 -06:00
8382d31f46
More progress
2013-11-21 18:48:12 -06:00
885fedcc3b
Fix target name
2013-11-21 17:42:31 -06:00
3afa21c721
Added favorite and recent shares to the output
2013-11-21 23:55:24 +01:00
22c7703e8b
Land #2658 - Make OGNL expressions compatible with struts 2.0.11.2
2013-11-21 15:30:42 -06:00
56d1c545e7
Oh look, more code
2013-11-21 14:42:07 -06:00
851cf6f0d1
Land #2650 , @pnegry's exploit for DesktopCentral 8
2013-11-21 09:30:17 -06:00
77aa665385
Add Privileged flag
2013-11-21 09:28:28 -06:00
2ab3ab8b66
Delete empty Payload metadata section
2013-11-21 09:27:25 -06:00
6bd3c4c887
Fix target name
2013-11-21 09:07:25 -06:00
4c2ad4ca9a
Fix metadata
2013-11-21 09:06:47 -06:00
8e4c5dbb5e
improve upload_file response check
2013-11-21 09:02:11 -06:00
8fdfeb73db
Fix use of FileDropper and improve check method
2013-11-21 09:01:41 -06:00
4abf01c64c
Clean indentation
2013-11-21 08:32:54 -06:00
ddd5b0abb9
More progress
2013-11-21 04:27:41 -06:00
b5011891a0
corrected rport syntax
2013-11-21 08:57:45 +03:00
9539972340
Module for OpenMind Message-OS portal login
2013-11-21 06:33:05 +03:00
3926617972
Land #2664 , clear EOL spaces
...
[SeeRM #8498 ]
2013-11-20 17:27:06 -06:00
eea811b71a
Merge branch 'landing-2601-mipsle-encoders' into upstream-master
2013-11-20 17:14:45 -06:00
e13e457d8f
Progress
2013-11-20 17:11:13 -06:00
9f45121b23
Remove EOL spaces
2013-11-20 15:08:13 -06:00
e8eb983ae1
Resplat shell_bind_tcp_random_port
2013-11-20 14:48:53 -06:00
cec4166766
Fix description
2013-11-20 12:49:22 -06:00
18e69bee8c
Make OGNL expressions compatible with struts 2.0.11.2
2013-11-20 12:42:10 -06:00
94e13a0b8a
Initial commit of CVE-2013-3906
2013-11-19 23:10:32 -06:00
4cc20f163b
Update References field to be compliant.
2013-11-20 13:01:21 +13:00
c76fa32345
Fixed reference format
2013-11-20 12:53:21 +13:00
26a5e37266
Use MSF::Exploit:FileDropper to register the uploaded file for cleanup.
2013-11-20 12:27:22 +13:00
07c76fd3e6
Module cleaned for msftidy compliance.
2013-11-20 11:33:14 +13:00
a9de5e2846
Land #2634 - Opt browser autopwn load list
2013-11-19 15:10:29 -06:00
14c6ab4ca5
Add module for CVE-2013-4212
2013-11-19 10:25:52 -06:00
ded56f89c3
Fix caps in description
2013-11-18 16:15:50 -06:00
f963f960cb
Update title
2013-11-18 15:07:59 -06:00
274247bfcd
Land #2647 , @jvennix-r7's module for Gzip Memory Bomb DoS
2013-11-18 15:06:46 -06:00
589660872e
Kill FILEPATH datastore option.
2013-11-18 14:13:25 -06:00
f690667294
Land #2617 , @FireFart's mixin and login bruteforcer for TYPO3
2013-11-18 13:37:16 -06:00
0391ae2bc0
Delete general reference
2013-11-18 13:19:09 -06:00
1c4dabaf34
Beautify typo3_bruteforce module
2013-11-18 13:17:15 -06:00
b5fc0493a5
Land #2642 - Fix titles
2013-11-18 12:14:36 -06:00
455934a545
Land #2645 , Redis spec conformity for redis_server
2013-11-18 12:00:38 -06:00
9e46975a95
Land #2643 , @ChrisJohnRiley SkipVersionCheck for exim4_dovecot_bannercheck
2013-11-18 11:28:07 -06:00
540b85df3f
Set SkipVersionCheck as not required
2013-11-18 11:27:32 -06:00
f6f0d81149
Land #2632 , @peto01 OSX VPN Manager post module
2013-11-18 09:49:14 -06:00
0a930ef6e1
Clean osx vpn post module
2013-11-18 09:47:52 -06:00
bddb314073
Fix usage of Retries
2013-11-18 09:09:20 -06:00
237bb22771
Disable auto migrate
2013-11-18 08:54:22 -06:00
960f7c9bbb
Add DesktopCentral arbitrary file upload exploit.
2013-11-18 16:11:28 +13:00
60a245b0c3
Fix the arch declaration in uploaded module.
2013-11-18 14:49:03 +13:00
636fdfe2d2
Added Kaseya uploadImage exploit.
2013-11-18 14:23:34 +13:00
8e889c61f7
Update description.
2013-11-17 15:48:27 -06:00
f7820139dc
Add a content_type datastore option.
2013-11-17 15:38:55 -06:00
43d2711b98
Default to 1 round compression.
2013-11-17 15:35:35 -06:00
1e3860d648
Add gzip bomb dos aux module.
2013-11-17 14:44:33 -06:00
7d22312cd8
Fix redis communication
2013-11-15 19:36:18 -06:00
89d0b3c41c
Return the splat and require on a module.
2013-11-15 12:19:53 -06:00
36db6a4d59
Land #2616 , SuperMicro close_window BOF
2013-11-15 11:34:53 -06:00
cbb7eb192c
Add module for CVE-2013-3918
2013-11-15 10:38:52 -06:00
5bd5eacd77
Added option to ignore banner checks
2013-11-15 15:01:11 +01:00
2c485c509e
Fix caps on module titles (first pass)
2013-11-15 00:03:42 -06:00
4cf16cf360
Land #2633 , @OJ's port of Kitrap0d as local exploit
2013-11-14 09:27:10 -06:00
7db42efdd4
Code restructure and more robust error handling
2013-11-14 13:44:49 +01:00
fe2cd93a65
Delete ms13_037_svg_dashstyle from the browser_autopwn list
2013-11-13 23:46:50 -06:00
506a4d9e67
Remove genericity, x64 and renamed stuff
...
As per discussion on the github issue, the following changes were made:
* Project renamed from elevate to kitrap0d, implying that this is not
intended to be a generic local priv esc exploit container.
* Container DLL no longer generic, always calls the kitrap0d exploit.
* Removal of all x64 code and project configurations.
* Invocation of the exploit changed so that the address of the payload
is passed in to the exploit entry point. The exploit is now responsible
for executing the payload if the exploit is successful. This removes
the possibility of the payload getting executed when the exploit fails.
* Source moved to the appropriate CVE folder.
* Binary moved to the appropriate CVE folder.
* Little bit of source rejigging to tidy things up.
2013-11-14 12:22:53 +10:00
5b96ad595f
Skip reg values with no secretes
...
Also update header comment to match new standard
2013-11-13 19:05:16 -06:00
cb10b4783b
Mark XP hashes as mscash for JtR to recognize
2013-11-13 19:04:16 -06:00
0aef145f64
Merge remote-tracking branch 'upstream/master' into land-2532-enum-lsa
2013-11-13 18:11:21 -06:00
8471f74b75
Refactor ivar to a more reasonable method
...
Also changes jtr output for cachedump to produce hashes that can be
auto-detected as mscash2 format for a better user experience.
2013-11-13 18:09:41 -06:00
8bb72764ec
Rename credentials/lsa -> lsa_secrets
...
Secrets are not necessarily credentials
2013-11-13 15:23:15 -06:00
16627c1bd3
Add spec for capture_lsa_key
2013-11-13 15:16:34 -06:00
334a93af45
Land #2638 , refs for android_htmlfileprovider
2013-11-13 14:51:46 -06:00
0612f340f1
Commas are good.
2013-11-13 14:38:50 -06:00
ad5f82d211
Add missing refs to aux/gather/android_htmlfileprovider.
2013-11-13 14:36:18 -06:00
2594427999
Land #2631 , @peto01's osx screen capture post module
2013-11-13 13:58:03 -06:00
2b19490095
Fix Exception handling
2013-11-13 13:57:15 -06:00
95f371a1a6
Move screen_capture to the capture folder
2013-11-13 13:41:11 -06:00
f65e82523b
Clean screen_capture
2013-11-13 13:40:41 -06:00
3168359a82
Refactor lsa and add a spec for its crypto methods
2013-11-13 11:55:39 -06:00
0c096c10fb
Submitting first version for pull request
2013-11-13 17:03:38 +01:00
f5760d5e4c
Removed unnecessary delay
2013-11-13 16:25:47 +01:00
c4a8bfb175
Tighter error handling
2013-11-13 16:19:38 +01:00
78199409dd
Changes according to feedback
2013-11-13 14:13:40 +01:00
92da6760ef
Modified module to use windows/screen_spy code
2013-11-13 13:30:20 +01:00
3fdaf4de94
Work in progress
2013-11-13 13:11:27 +01:00
76660b858c
In progress
2013-11-13 12:32:49 +01:00
049111cd94
In progress
2013-11-13 11:21:39 +01:00
OJ
Jeff Jarmoc
Joshua Harper
Peter Toth
jvazquez-r7
joev
William Vu
Thomas Hibbert
sinn3r
Tod Beardsley
jonvalt
Karn Ganeshen
bcoles
Meatballs
Chris John Riley
James Lee