fa1391de87
Update simple_backdoors_exec.rb
...
Updating the code as suggested
2015-10-02 07:53:15 +08:00
501325d9f4
Update zemra_panel_rce.rb
2015-10-02 06:48:34 +08:00
a88a6c5580
Add WebPges to the paths
2015-10-01 13:22:56 -05:00
f9a9a45cf8
Do code cleanup
2015-10-01 13:20:40 -05:00
30101153fa
Remove spaces
2015-10-01 18:56:37 +02:00
41cf0ef676
Add reference for CVE-2015-2342 - VMWare VCenter JMX RMI RCE
2015-10-01 18:43:21 +02:00
2802b3ca43
Update zemra_panel_rce.rb
...
sticking res
2015-10-02 00:00:30 +08:00
2ab779ad3d
Land #6010 , capture_sendto fixes
2015-10-01 10:54:24 -05:00
5c5f3a4e7f
Update zemra_panel_rce.rb
...
called http_send_command right away :)
2015-10-01 23:39:36 +08:00
0bacb3db67
Land #6029 , Win10 support for bypassuac_injection
2015-10-01 10:17:34 -05:00
66560d5339
Update zemra_panel_rce.rb
2015-10-01 19:16:23 +08:00
2e2d27d53a
Land #5935 , final creds refactor
2015-10-01 00:25:14 -05:00
7451cf390c
Add Windows 10 "support" to bypassuac_injection
2015-10-01 11:16:18 +10:00
a7fa939fda
Zemra Botnet C2 Web Panel Remote Code Execution
...
This module exploits the C2 web panel of Zemra Botnet which contains a backdoor inside its leaked source code. Zemra is a crimeware bot that can be used to conduct DDoS attacks and is detected by Symantec as Backdoor.Zemra.
2015-09-30 19:24:21 +08:00
2de6c77fa2
Update simple_backdoors_exec.rb
2015-09-30 18:11:05 +08:00
47c79071eb
fix indention and typo
2015-09-29 22:41:36 -04:00
f18e1d69a1
Add x64 ret address and add to buffer
2015-09-29 22:36:30 -04:00
61c922c24d
Create kaseya_uploader.rb
2015-09-29 11:56:34 +01:00
46adceec8f
Update simple_backdoors_exec.rb
2015-09-29 10:40:28 +08:00
dd650409e4
Update simple_backdoors_exec.rb
2015-09-29 08:05:13 +08:00
a47557b9c1
Upd. multi/handler to include mainframe platform
...
Quick update to multi handler so it recognizes mainframe platform based
modules
2015-09-28 11:14:08 -05:00
96e4e883ae
Fix #6008 for wireshark_lwres_getaddrbyname_loop
2015-09-27 14:56:11 -07:00
bd2f73f40a
Fix #6008 for wireshark_lwres_getaddrbyname
2015-09-27 14:55:19 -07:00
bbd08b84e5
Fix #6008 for snort_dce_rpc
2015-09-27 14:53:40 -07:00
b206de7708
Land #5981 , @xistence's ManageEngine EventLog Analyzer Remote Code Execution exploit
2015-09-27 00:42:17 -05:00
55f573b4c9
Do code cleanup
2015-09-27 00:33:40 -05:00
c8880e8ad6
Move local exploit to correct location
2015-09-25 11:37:38 -05:00
6b46316a56
Do watchguard_local_privesc code cleaning
2015-09-25 11:35:21 -05:00
c79671821d
Update with master changes
2015-09-25 10:47:37 -05:00
e87d99a65f
Fixing blocking option
2015-09-25 10:45:19 -05:00
890ac92957
Warn about incorrect payload
2015-09-25 10:10:08 -05:00
19b577b30a
Do some code style fixes to watchguard_cmd_exec
2015-09-25 09:51:00 -05:00
b35da0d91d
Avoid USERNAME and PASSWORD datastore options collisions
2015-09-25 09:36:47 -05:00
52c4be7e8e
Fix description
2015-09-25 09:35:30 -05:00
e185277ac5
Update simple_backdoors_exec.rb
2015-09-24 14:14:23 +08:00
56a551313c
Update simple_backdoors_exec.rb
2015-09-24 13:54:40 +08:00
192369607d
Update simple_backdoors_exec.rb
...
updated the string 'echo me' to a random text
2015-09-24 13:49:33 +08:00
66c9222968
Make web_delivery proxy aware
2015-09-23 20:45:51 +01:00
3dd917fd56
Altered the module to use the primer callback, and refactored some code to remove useless functions etc
2015-09-24 00:20:13 +12:00
d798ef0885
Land #5893 , w3tw0rk/Pitbul RCE module
2015-09-23 02:41:01 -05:00
8106bcc320
Clean up module
2015-09-21 14:37:54 -05:00
fd190eb56b
Land #5882 , Add Konica Minolta FTP Utility 1.00 CWD command module
2015-09-18 11:10:20 -05:00
0aea4a8b00
An SEH? A SEH?
2015-09-18 11:09:52 -05:00
ab8d12e1ac
Land #5943 , @samvartaka's awesome improvement of poisonivy_bof
2015-09-16 16:35:04 -05:00
af1cdd6dea
Return Appears
2015-09-16 16:34:43 -05:00
402044a770
Delete comma
2015-09-16 16:23:43 -05:00
75c6ace1d0
Use single quotes
2015-09-16 16:23:10 -05:00
88fdc9f123
Clean exploit method
2015-09-16 16:14:21 -05:00
d6a637bd15
Do code cleaning on the check method
2015-09-16 16:12:28 -05:00
c7afe4f663
Land #5930 , MS15-078 (atmfd.dll buffer overflow)
2015-09-16 15:33:38 -05:00
37d42428bc
Land #5980 , @xistence exploit for ManageEngine OpManager
2015-09-16 13:19:49 -05:00
8f755db850
Update version
2015-09-16 13:19:16 -05:00
1b50dfc367
Change module location
2015-09-16 11:43:09 -05:00
122103b197
Do minor metadata cleanup
2015-09-16 11:41:23 -05:00
aead0618c7
Avoid the WAIT option
2015-09-16 11:37:49 -05:00
0010b418d0
Do minor code cleanup
2015-09-16 11:31:15 -05:00
f3b6606709
Fix check method
2015-09-16 11:26:15 -05:00
7985d0d7cb
Removed privesc functionality, this has been moved to another module. Renamed module
2015-09-16 23:29:26 +12:00
bdd90655e4
Split off privesc into a seperate module
2015-09-16 23:11:32 +12:00
24af3fa12e
Add rop chains
2015-09-15 14:46:45 -05:00
abe65cd400
Land #5974 , java_jmx_server start order fix
2015-09-15 01:33:44 -05:00
c99444a52e
ManageEngine EventLog Analyzer Remote Code Execution
2015-09-15 07:29:16 +07:00
7bf2f158c4
ManageEngine OpManager Remote Code Execution
2015-09-15 07:24:32 +07:00
9e6d3940b3
Update simple_backdoors_exec.rb
2015-09-13 23:30:14 +08:00
ae5aa8f542
No FILE_CONTENTS option
2015-09-12 23:32:02 -05:00
4e22fce7ef
Switched to using Rex MD5 function
2015-09-13 16:23:23 +12:00
0d52a0617c
Verify win32k 6.3.9600.17837 is working
2015-09-12 15:27:50 -05:00
9626596f85
Clean template code
2015-09-12 13:43:05 -05:00
0c4604734e
Webserver starts at the beginning, stops at the end
2015-09-12 19:42:31 +02:00
dc8d1f6e6a
Small changes
2015-09-12 13:08:58 +07:00
01053095f9
Add MS15-100 Microsoft Windows Media Center MCL Vulnerability
2015-09-11 15:05:06 -05:00
53f995b9c3
Do first prototype
2015-09-10 19:35:26 -05:00
017832be88
Land #5953 , Add Bolt CMS File Upload Vulnerability
2015-09-10 18:29:13 -05:00
602a12a1af
typo
2015-09-10 18:28:42 -05:00
68521da2ce
Fix check method.
2015-09-10 04:40:12 -03:00
4566f47ac5
Fix check method.
2015-09-10 03:56:46 -03:00
0ba03f7a06
Fix words.
2015-09-09 21:27:57 -03:00
bc3f5b43ab
Removerd WordPress mixin.
2015-09-09 21:26:15 -03:00
4e31dd4e9f
Add curesec team as vuln discovery.
2015-09-09 21:13:51 -03:00
6336301df3
Add Nibbleblog File Upload Vulnerability
2015-09-09 21:05:36 -03:00
d3aa61d6a0
Move bolt_file_upload.rb to exploits/multi/http
2015-09-09 13:41:44 -03:00
2800ecae07
Fix alignment.
2015-09-09 01:21:08 -03:00
48bd2c72a0
Add fail_with method and other improvements
2015-09-09 01:11:35 -03:00
f08cf97224
Check method implemented
2015-09-08 23:54:20 -03:00
6de0c9584d
Fix some improvements
2015-09-08 23:15:42 -03:00
31a8907385
Update simple_backdoors_exec.rb
2015-09-09 08:30:21 +08:00
329e6f4633
Fix title
2015-09-08 15:31:14 -05:00
4e23bba14c
Update simple_backdoors_exec.rb
...
removing the parenthesis for the if statements
2015-09-08 15:47:38 +08:00
002aada59d
Update simple_backdoors_exec.rb
...
changed shell to res
2015-09-08 14:54:26 +08:00
467f9a8353
Update simple_backdoors_exec.rb
2015-09-08 14:45:54 +08:00
37c28ddefb
Update simple_backdoors_exec.rb
...
Updated the description
2015-09-08 13:42:12 +08:00
0f8123ee23
Simple Backdoor Shell Remote Code Execution
2015-09-08 13:08:47 +08:00
0a0e7ab4ba
This is a modification to the original poisonivy_bof.rb exploit
...
module removing the need for bruteforce in the case of an unknown
server password by (ab)using the challenge-response as an encryption
oracle, making it more reliable. The vulnerability has also been confirmed
in versions 2.2.0 up to 2.3.1 and additional targets for these versions
have been added as well.
See http://samvartaka.github.io/malware/2015/09/07/poison-ivy-reliable-exploitation/
for details.
## Console output
Below is an example of the new functionality (PIVY C2 server password is
set to 'prettysecure' and unknown to attacker). Exploitation of versions 2.3.0 and 2.3.1
is similar.
### Version 2.3.2 (unknown password)
```
msf > use windows/misc/poisonivy_bof
msf exploit(poisonivy_bof) > set RHOST 192.168.0.103
RHOST => 192.168.0.103
msf exploit(poisonivy_bof) > check
[*] Vulnerable Poison Ivy C&C version 2.3.1/2.3.2 detected.
[*] 192.168.0.103:3460 - The target appears to be vulnerable.
msf exploit(poisonivy_bof) > set PAYLOAD windows/shell_bind_tcp
PAYLOAD => windows/shell_bind_tcp
msf exploit(poisonivy_bof) > exploit
[*] Started bind handler
[*] Performing handshake...
[*] Sending exploit...
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\winxp\Desktop\Poison Ivy\Poison Ivy 2.3.2>
```
### Version 2.2.0 (unknown password)
```
msf exploit(poisonivy_bof) > check
[*] Vulnerable Poison Ivy C&C version 2.2.0 detected.
[*] 192.168.0.103:3460 - The target appears to be vulnerable.
msf exploit(poisonivy_bof) > show targets
Exploit targets:
Id Name
-- ----
0 Poison Ivy 2.2.0 on Windows XP SP3 / Windows 7 SP1
1 Poison Ivy 2.3.0 on Windows XP SP3 / Windows 7 SP1
2 Poison Ivy 2.3.1, 2.3.2 on Windows XP SP3 / Windows 7 SP1
msf exploit(poisonivy_bof) > set TARGET 0
TARGET => 0
msf exploit(poisonivy_bof) > exploit
[*] Started bind handler
[*] Performing handshake...
[*] Sending exploit...
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\winxp\Desktop\Poison Ivy\Poison Ivy 2.2.0>
```
2015-09-07 17:48:28 +02:00
1d492e4b25
Lots of X11 protocol changes
2015-09-06 15:55:16 +07:00
2f8dc7fdab
Update w3tw0rk_exec.rb
...
changed response to res
2015-09-05 14:21:07 +08:00
23ab702ec4
Land #5631 , @blincoln682F048A's module for Endian Firewall Proxy
...
* Exploit CVE-2015-5082
2015-09-04 16:28:32 -05:00
2abfcd00b1
Use snake_case
2015-09-04 16:27:09 -05:00
15aa5de991
Use Rex::MIME::Message
2015-09-04 16:26:53 -05:00
adcd3c1e29
Use static max length
2015-09-04 16:18:55 -05:00
1ebc25092f
Delete some comments
2015-09-04 16:18:15 -05:00
JT
jvazquez-r7
Hans-Martin Münch (h0ng10)
William Vu
OJ
jakxx
Pedro Ribeiro
bigendian smalls
Jon Hart
Meatballs
Daniel Jensen
wchen-r7
xistence
Roberto Soares
samvartaka