a1190f4344
Land #6598 , add post module for setting wallpaper
2016-03-06 15:00:10 -06:00
86845222ef
add meterpreter platform workaround
2016-03-06 14:51:34 -06:00
c7c0e12bb3
remove various module hacks for the datastore defaults not preserving types
2016-03-05 23:11:39 -06:00
c7f9fbcdfa
Change to enable/disable
2016-03-06 04:31:24 +00:00
6b510005da
Reverse os checks
2016-03-06 04:31:23 +00:00
0e52fda708
Initial tidy
2016-03-06 04:31:23 +00:00
b1e9f44ca2
IPv6 Neighbor Advertisement Enhancement
...
http://seclists.org/nmap-dev/2011/q2/79
1. Shorten router advertisement payload lifetime.
2. Randomize address prefix.
3. Prevent from getting into default router list.
2016-03-06 03:23:37 +08:00
71b034a566
Land #6627 , atutor_sqli regex fix
2016-03-03 16:54:38 -06:00
ba4e0d304b
Do regex \d+ instead
2016-03-03 11:05:16 -06:00
d355b0e8b7
update payload sizes
2016-03-02 13:55:32 -06:00
22b69c8dee
Land #6588 , Add AppLocker Execution Prevention Bypass module
2016-03-01 22:30:23 -06:00
a798581fa3
Update #get_dotnet_path
2016-03-01 22:25:40 -06:00
cda4c6b3b3
Update the regex for the number of students in ATutor
2016-03-01 09:41:17 -06:00
5d64346a63
Land #6623 , Add CVE-2016-2555: ATutor 2.2.1 SQL Injection Exploit Module
2016-02-29 19:33:25 -06:00
62a611a472
Adding PHP Utility Belt Remote Code Execution
2016-03-01 09:22:25 +08:00
274b9acb75
rm #push
2016-02-29 18:58:05 -06:00
f55835cceb
Merge new code changes from mr_me
2016-02-29 18:39:52 -06:00
638d91197e
Override print_* to always print the IP and port
2016-02-29 16:18:03 -06:00
54ede19150
Use FileDropper to cleanup
2016-02-29 16:15:50 -06:00
727a119e5b
Report cred
2016-02-29 16:06:31 -06:00
4cc690fd8d
Let the user specify username/password
2016-02-29 15:45:33 -06:00
726c1c8d1e
There is no http_send_command, so I guess the check should not work
2016-02-29 15:43:47 -06:00
c5a9d59455
Land #6612 , one final missing change
2016-02-29 15:08:42 -06:00
cb0493e5bb
Recreate Msf::Exploit::Remote::Fortinet
...
To match the path, even though it's kinda lame including it just for the
monkeypatch.
2016-02-29 15:04:02 -06:00
a3fa57c8f6
Add CVE-2016-2555: ATutor 2.2.1 SQL Injection Exploit Module
2016-02-29 14:59:26 -06:00
8c2ce9687a
Land #6620 , fix typo in jtr_linux
2016-02-29 14:58:58 -06:00
d955c6a8f6
style fixes
2016-02-29 14:06:49 -06:00
a6a37b3089
Land #6612 , missing commits included
2016-02-29 14:06:21 -06:00
f5ad1286d2
Fix #6615 , fix typo "format"
...
Fix #6615
2016-02-29 12:44:25 -06:00
300fdc87bb
Move Fortinet backdoor to module and library
2016-02-29 12:06:33 -06:00
2950996cb8
Land #6612 , Add aux module for Fortinet backdoor
2016-02-29 12:02:49 -06:00
53d703355f
Move Fortinet backdoor to module and library
2016-02-29 11:57:42 -06:00
53ff3051e1
Land #6531 , NETGEAR ProSafe Network Management System 300 auth'd File Download
2016-02-26 10:53:16 -06:00
bc050410a6
Allow max traversal depth as an option, and report cred
2016-02-26 10:52:30 -06:00
7731fbf48f
Land #6530 , NETGEAR ProSafe Network Management System 300 File Upload
2016-02-26 10:39:09 -06:00
89b0c8a27a
Land #6571 , use intent to unlock Android screens, support <= 4.3
2016-02-26 05:55:35 -06:00
6188da054d
Remove //
2016-02-25 22:20:48 -06:00
051506694f
Land #6574 , add Linknat Vos Manager Traversal aux module
2016-02-25 22:02:56 -06:00
f3cf5a8a41
Resolve merge conflict with upstream-master
...
Out of date author field
2016-02-25 14:49:53 -06:00
d14ec657e2
Land #6564 , Add Apache Karaf Command Execution Module
2016-02-25 14:47:40 -06:00
1d2ec7a239
Rescue OpenSSL::Cipher::CipherError
...
Our current net/ssh library is out of date, so we need to rescue
OpenSSL::Cipher::CipherError.
2016-02-25 14:46:53 -06:00
2e268a25da
Land #6596 , Apache Karaf Login Utility
2016-02-25 14:39:51 -06:00
aa7c3f01a8
Update name and description
2016-02-25 14:39:19 -06:00
7e25c7b87b
Handle OpenSSL::Cipher::CipherError
...
Our current net/ssh is petty outdated, so it is possible not being
able to connect to certain SSH servers.
2016-02-25 14:35:37 -06:00
7d20e26a35
Move to aux/scanner/ssh
2016-02-25 11:22:50 -06:00
f52f44cde0
Remove session_setup, since we're not in a shell
...
A real shell. A real human bean.
2016-02-25 11:21:45 -06:00
ff3a554b4d
added an unless to wrap around the print and report_creds func for nas module to only execute if ftpuser and ftppass is non-blank
2016-02-24 13:53:30 -05:00
16d7b2e6ff
cleaned up unless code for nas module and setup ftpuser and ftppass to only if non blank
2016-02-23 17:37:47 -05:00
6aa6280eff
Try USERNAME before DEFAULTCRED
2016-02-23 13:44:44 -06:00
4eabe43273
fixed issues with capturing regex
2016-02-23 12:27:07 -05:00
c191e5b8e1
corrected authors file and cleaned up debug statements
2016-02-23 11:41:12 -05:00
c79eab2c7f
Land #6241 , @talos-arch3y's aux module for Dahua DVR CVE-2013-6117
2016-02-23 08:20:54 -08:00
5710c85a9e
Style changes
2016-02-23 15:15:57 +07:00
044b12d3a4
Made style changes requested by OJ and others
2016-02-23 15:14:04 +07:00
07ac13326e
Allow user to try other login credentials
2016-02-22 17:47:32 -06:00
27af59ea7c
minor tweaks
2016-02-20 08:35:56 +00:00
c8b28d90d1
Fix old comment.
2016-02-19 19:08:38 -06:00
8a15c36770
Land #6563 , VNC creds scraper uninstall location
2016-02-19 15:01:23 -06:00
bfd204ac50
Fix some cosmetic issues
2016-02-19 15:00:56 -06:00
c0180b23fa
Update description
2016-02-19 13:39:13 -06:00
873250dbec
Land #6557 , bug fix priv_migrate user migration
2016-02-19 12:03:30 -06:00
33aaeb4ac9
Update authors
2016-02-19 11:53:17 -06:00
b3e8cd4f51
Save some bytes on the padded string.
2016-02-18 20:36:52 -06:00
2b784a48b9
Include cached size.
2016-02-18 20:29:42 -06:00
e67e477362
Make x86/shell_reverse_tcp's shell path configurable.
...
Also removes shell_reverse_tcp2 shell.
2016-02-18 20:24:35 -06:00
bc7bf28872
Land #6591 , don't require username for wrt110 cmd exec module
2016-02-18 20:20:15 -06:00
45d1cd5111
Land #6572 , update play_youtube module with android support
2016-02-18 20:16:58 -06:00
b58166a9a8
add android platform to the hash
2016-02-18 20:13:39 -06:00
3b9502cb1d
Don't require username in wrt110 module.
2016-02-18 18:45:04 -06:00
a82ce40c40
Update ibm_tsm_dos name
...
For some reason I actually modified the name, but I didn't mean
to.
2016-02-18 16:07:46 -06:00
adb175136e
Fix extra whitespace and unused vars in call
2016-02-18 15:18:29 -06:00
6d88c26474
Change title, and remove requires
2016-02-18 14:26:38 +10:00
2ae1e6df7d
Address concerns from @wvu-r7
2016-02-18 14:21:35 +10:00
2f4ec0af31
Add module for AppLocker bypass
...
This commit includes a new module that allows for payloads to be
uploaded and executed from disk while bypassing AppLocker in the
process. This module is useful for when you're attempting to generate
new shells on the target once you've already got a session. It is also
a handy way of switching between 32 and 64 bit sessions (in the case of
the InstallUtil technique).
The code is taken from Casey Smith's AppLocker bypass research (added in
the references), and includes just one technique at this point. This
technique uses the InstallUtil feature that comes with .NET. Other
techiques can be added at any time.
The code creates a C# file and uploads it to the target. The csc.exe
compiler is used to create a .NET assembly that contains an uninstaller
that gets invoked by InstallUtil behind the scenes. This function is
what contains the payload.
This was tested on Windows 7 x64. It supports running of both 32 and 64
bit payloads out of the box, and checks to make sure that .NET is
installed on the target as well as having a payload that is valid for
the machine (ie. don't run x64 on x86 OSes).
This appears to work fine with both staged and stageless payloads.
2016-02-18 13:46:32 +10:00
ffce1cc321
Update easyfilesharing_seh.rb
2016-02-15 22:43:28 -05:00
3d1861b3f4
Land #6526 , integrate {peer} string into logging by default
2016-02-15 15:19:26 -06:00
7ca0255ea1
Module should not be marked executable
2016-02-15 12:57:43 +08:00
f35230b908
add Linknat Vos Manager Traversal
2016-02-15 12:39:40 +08:00
3416a24dda
Adding vprint_status for loot path
...
Adding a vprint_status to show users the loot
path as per a comment on the pull request.
2016-02-14 11:19:20 -06:00
5c92076a1e
more cleanup
2016-02-14 09:15:25 +00:00
c9c4f49aca
Add get_file method and parse the server response
2016-02-13 17:20:37 -05:00
b2765a296f
Land #6547 , IBM Tivoli Storage Manager Fastback Denial of Service
2016-02-11 22:05:21 -06:00
3121093898
Update metadata, plus other minor changes
2016-02-11 22:04:05 -06:00
bc74ceb8c5
Handle errors when parsing interfaces.xml, add check for several locations
2016-02-11 15:56:58 +01:00
e738b5922d
fix play_youtube to work on Android
2016-02-11 07:16:40 +00:00
9791e66683
fix remove_lock to work with 4.3 devices
2016-02-11 07:10:05 +00:00
ff1cb4a2a4
update payload sizes
2016-02-10 22:44:17 -06:00
cdaa2a8c43
Adding Apache Karaf Command Execution Module
...
This module establishes an SSH session using default
credentials and then executes a user defined operating system
command. This is part of GitHub Issue #4358 .
2016-02-10 16:48:08 -06:00
8118198628
Add vprint of the exception message
2016-02-10 22:47:51 +01:00
1637891ece
Add check for the uninstall location in vnc post module
2016-02-10 20:30:41 +01:00
c874699b82
removed ranking
2016-02-10 11:45:09 -06:00
4c6cb03548
more build errors
2016-02-10 11:40:21 -06:00
72f5a33804
addressed CI errors
2016-02-10 11:34:05 -06:00
62dd82e653
Make fix easier to read
2016-02-10 11:24:45 -06:00
51604fa24a
made necessary inheritance changes
2016-02-10 10:59:11 -06:00
fc491ffa3e
Land #6555 , Content-Length fix for HP modules
2016-02-10 10:39:08 -06:00
5b3fb99231
Land #6549 , module option for X-Jenkins-CLI-Port
2016-02-10 10:34:33 -06:00
c67360f436
Remove extraneous whitespace
2016-02-10 09:44:01 -06:00
a93f200851
cosmetic fixes
2016-02-10 07:51:13 +00:00
8a3bc83c4d
Resolve #6553 , remove unnecessary content-length header
...
Rex will always generate a content-length header, so the module
doesn't have to do this anymore.
Resolve #6553
2016-02-09 21:25:56 -06:00
4653c27167
Fix minor grammar error in description
2016-02-09 21:24:40 -06:00
08a41b0a31
Fix issue when target PID not owned by session
2016-02-09 21:22:50 -06:00
c590fdd443
Land #6501 , Added Dlink DCS Authenticated RCE Module
2016-02-09 17:19:33 -06:00
5f0add2a8b
Land #6541 , typo fix for cisco_ssl_vpn
2016-02-09 17:13:24 -06:00
240cbb91be
s/resp/res/
2016-02-09 17:12:09 -06:00
eadbb6b582
moved module to modules/auxiliary/dos/misc
2016-02-09 11:44:01 -06:00
1d6b782cc8
Change logic
...
I just can't deal with this "unless" syntax...
2016-02-08 18:40:48 -06:00
d60dcf72f9
Resolve #6546 , support manual config for X-Jenkins-CLI-Port
...
Resolve #6546
2016-02-08 18:16:48 -06:00
54566823f5
Add IBM TSM Fastback denial of service module
2016-02-08 14:36:14 -06:00
c0a8b01c2b
Addition of multiple read/write to auxiliary/scanner/scada/modbusclient.rb
2016-02-08 13:13:51 +01:00
cd7046f233
Change method name "method" to "http_method" for http_traversal.rb
...
We accidentally override "#method", which is bad.
2016-02-07 23:15:46 -06:00
40633ea7cd
Check filepath length
2016-02-08 01:11:18 +00:00
df825913b8
Use default timeout
2016-02-07 07:11:47 +00:00
e0e67f5507
Remove unnecessary check for FILEPATH
2016-02-07 02:05:15 +00:00
2171c344e5
Fix #6539 , correct a typo in report_cred
...
Fix #6539
2016-02-06 13:23:21 -06:00
4cea6c0236
Update ie_unsafe_scripting to use BrowserExploitServer
...
This patch updates the ie_unsafe_scripting exploit to use the
BrowserExploitServer mixin in order to implement a JavaScript check.
The JS check allows the exploit to determine whether or not it is
in the poorly configured zone before firing.
It also adds another datastore option to carefully avoid IEs that
come with Protected Mode enabled by default. This is even though
IE allows unsafe ActiveX, PM could still block the malicious VBS or
Powershell execution by showing a security prompt. This is not ideal
during BrowserAutopwn.
And finally, since BAP2 can automatically load this exploit, we
bump the MaxExploitCount to 22 to continue favoring the
adobe_flash_uncompress_zlib_uninitialized module to be on the
default list.
Resolves #6341 for the purpose of better user experience.
2016-02-04 15:12:57 -06:00
b64294abc9
Create file for CERT VU 777024 (auth download)
2016-02-04 07:57:48 +08:00
1f4324f686
Create file for CERT VU 777024
2016-02-04 07:54:16 +08:00
b979128a2e
Added OSVBD ID thanks to @shipcod3
2016-02-01 17:11:46 -06:00
47c0a3b4a7
Get some stragglers that had a different format
2016-02-01 16:21:10 -06:00
8094eb631b
Do the same for aux modules
2016-02-01 16:06:34 -06:00
12256a6423
Remove now-redundant peer
...
These all include either Msf::Exploit::Remote:Tcp or Msf::Exploit::Remote:HttpClient
2016-02-01 15:12:03 -06:00
f5ee6ce2f3
Better service reporting for snmp_login
...
Report the snmp string and update the module title & description
to better clarify what the module really does.
2016-02-01 12:24:19 -06:00
d544bf9311
android set wallpaper
2016-02-01 01:16:17 +00:00
96ab598835
set wallpaper
2016-02-01 01:01:24 +00:00
cd56470759
Land #6493 , move SSL to the default options, other fixes
2016-01-29 11:09:51 -06:00
110a4840e9
Land #6491 , Shrink the size of ms08_067 so that it again works w/ bind_tcp
2016-01-29 11:03:03 -06:00
6fb27a3da9
Undo path and move the out of bound check
2016-01-28 23:49:50 -06:00
d51be6e3da
Fixing typo
...
This commit fixes a typo in the word "service"
2016-01-28 16:44:42 -06:00
1ef7aef996
Fixing User : Pass delimiter
...
As per the PR comments, this commit replaces the user and
pass delimiter from "/" to ":"
2016-01-27 17:20:58 -06:00
8af751be41
Land #6470 , Telisca IPS Lock (and Unlock)
2016-01-27 16:41:25 -06:00
86c025de25
Title and description fixes for #6470
2016-01-27 16:40:06 -06:00
f6f2e1403b
Land #6496 , specify scripting language - elastic search
2016-01-27 15:42:47 -06:00
51efb2daee
Land #6422 , Add support for native target in Android webview exploit
2016-01-27 14:27:41 -06:00
115c63e4ba
karaf default credential scanner PoC
2016-01-27 03:27:48 -05:00
2df458c359
Few updates per OJ and wvu
2016-01-26 23:19:18 -06:00
3cab27086f
Added PCMan FTP PUT Buffer Overflow Exploit
2016-01-26 17:09:31 -06:00
4560d553b5
Fixing more issues from comments
...
This commit includes more minor fixes from the github
comments for this PR.
2016-01-24 19:43:02 -06:00
d877522ea5
Fixing various issues from comments
...
This commit fixes issues with specifying "rhost:rport",
replacing them instead with "peer". Also, a couple of
"Unknown" errors were replaced with "UnexpectedReply".
2016-01-23 13:43:09 -06:00
a5a2e7c06b
Fixing Disclosure Date
...
Disclosure date was in incorrect format, this commit
fixes the issue
2016-01-23 11:41:05 -06:00
8c8cdd9912
Adding Dlink DCS Authenticated RCE Module
...
This module takes advantage of an authenticated HTTP RCE
vulnerability to start telnet on a random port. The module
then connects to that telnet session and returns a shell.
This vulnerability is present in version 2.01 of the firmware
and resolved by version 2.12.
2016-01-23 11:15:23 -06:00
6187354392
Land #6226 , Add Wordpress XML-RPC system.multicall Credential BF
2016-01-23 00:12:46 -06:00
064af0d670
Remove unwanted comment
2016-01-23 00:11:58 -06:00
ad3eed525b
Handing newer version of WP, fallback CHUNKSIE to 1
2016-01-23 08:06:27 +03:00
d6facbe339
Land #6421 , ADB protocol and exploit
2016-01-22 20:45:44 -06:00
53e9bd7f51
This line does nothing
2016-01-22 18:55:45 -06:00
0f9cf812b7
Bring wordpress_xmlrpc_login back, make wordpress_multicall as new
2016-01-22 18:54:20 -06:00
1b386fa7f1
Add targets to avoid ARCH_ALL payload confusion
2016-01-22 16:45:10 -06:00
51eb79adc7
first try in changing class names
2016-01-22 23:36:37 +01:00
a3cafc3bae
Update PHP meterpreter size
2016-01-22 15:14:18 -06:00
Brent Cook
Meatballs
Fakhri Zulkifli
William Vu
wchen-r7
net-ninja
Jay Turla
Tyler Bennett
dmohanty-r7
Jon Hart
Pedro Ribeiro
Tim
joev
Louis Sato
James Lee
OJ
Starwarsfan2099
nixawk
Nicholas Starke
Spencer McIntyre
nk
William Webb
Josh Hale
alexandrinetorrents
Brendan Coles
Chris Higgins
Tod Beardsley
KINGSABRI
Christian Mehlmauer