wchen-r7
be709ba370
Merge branch 'upstream-master' into bapv2
2015-06-04 10:33:07 -05:00
wchen-r7
78e4677bb1
Oops it blew up
2015-06-03 20:10:01 -05:00
wchen-r7
a0aa6135c5
Update ca_arcserve_rpc_authbypass to use the new cred API
2015-06-03 20:02:07 -05:00
OJ
a6467f49ec
Update description
2015-06-03 22:17:25 +10:00
OJ
455a3b6b9d
Add butchered version of CVE-2015-1701
2015-06-03 21:48:23 +10:00
James Lee
d03ee5667b
Remove assigned but unused local vars
2015-06-01 16:45:36 -05:00
James Lee
7133f0a68e
Fix typo in author's name
2015-06-01 16:45:09 -05:00
wchen-r7
e83677d29d
rm deprecated mod
2015-05-29 17:43:26 -05:00
wchen-r7
13779adab4
Merge branch 'upstream-master' into bapv2
2015-05-29 14:59:04 -05:00
wchen-r7
6be363d82a
Merge branch 'upstream-master' into bapv2
2015-05-29 14:58:38 -05:00
jvazquez-r7
8c7d41c50c
Land #5426 , @wchen-r7's adds more restriction on Windows 7 target for MS14-064
2015-05-29 14:35:44 -05:00
wchen-r7
c3fa52f443
Update description
2015-05-29 13:47:20 -05:00
jvazquez-r7
e9714bfc82
Solve conflics
2015-05-27 23:22:00 -05:00
wchen-r7
bcdae5fa1a
Forgot to add the datastore option
2015-05-27 18:12:38 -05:00
wchen-r7
4f0e908c8b
Never mind, Vista doesn't have powershell.
2015-05-27 18:08:58 -05:00
wchen-r7
d43706b65e
It doesn't look like Vista shows the powershell prompt
2015-05-27 18:04:35 -05:00
wchen-r7
53774fed56
Be more strict with Win 7 for MS14-064
...
The Powershell prompt can cause BAP to hang so we need to be more
strict about that.
2015-05-27 18:01:40 -05:00
jvazquez-r7
e5d42850c1
Add support for Linux to CVE-2015-0336
2015-05-27 17:05:10 -05:00
wchen-r7
60cdf71e6c
Merge branch 'upstream-master' into bapv2
2015-05-26 15:56:48 -05:00
jvazquez-r7
5bceeb4f27
Land #5349 , @h0ng10's module for CVE-2015-2219 Lenovo System Update Local Privilege Escalation
2015-05-22 17:14:20 -05:00
wchen-r7
9600f6a30a
rm deprecated exploit
2015-05-22 17:14:08 -05:00
wchen-r7
eb5aadfb4e
Land #5401 , multi-platform CVE-2015-0311 - Flash uncompress() UAF
2015-05-22 16:50:13 -05:00
jvazquez-r7
3aa1ffb4f5
Do minor code cleanup
2015-05-22 16:20:36 -05:00
jvazquez-r7
03b70e3714
Land #5388 , @wchen-r7's fixes #5373 by add info to BrowserRequiements
2015-05-22 10:21:59 -05:00
jvazquez-r7
6da94b1dd5
Deprecate windows module
2015-05-21 15:01:41 -05:00
wchen-r7
2cadd5e658
Resolve #5373 , Add ActiveX info in BrowserRequirements
...
Resolve #5373
2015-05-20 16:34:09 -05:00
OJ
44f8cf4124
Add more size to stagers, adjust psexec payloads
...
This psexec payload size should be evaluated to make sure I'm not doing
anything stupid. i can't see a reason why increasing these sizes would
be bad. They seem to work fine.
2015-05-20 17:07:56 +10:00
OJ
a93565b5d1
Add 'Payload' section with 'Size' to psexec_psh
...
This missing parameter was causing the payload 'Size' to come through to
the encoders as `nil`. This meant that all the stagers that were
looking at the payload sizes were being told there was no size. In the
case of the meterpreter payloads, this was causing issues with the proxy
settings because the proxy configuration detail isn't added to the
payload unless there's enough space.
This fix adds a default size of 2048 (the same as the plain psexec
module). This makes the proxy settings work as expected.
2015-05-19 22:11:29 +10:00
Hans-Martin Münch (h0ng10)
d99eedb1e4
Adding begin...ensure block
2015-05-17 20:48:11 +02:00
Hans-Martin Münch (h0ng10)
acb053a2a7
CloseHandle cleanup
2015-05-17 20:39:10 +02:00
Hans-Martin Münch (h0ng10)
e075495a5b
string concatenation, clear \ handling
2015-05-15 06:51:42 +02:00
Hans-Martin Münch (h0ng10)
94d39c5c75
remove hard coded pipe name
2015-05-15 06:35:55 +02:00
Hans-Martin Münch (h0ng10)
bb4f5da6d9
replace client.sys.config.getenv with get_env
2015-05-15 06:33:57 +02:00
Hans-Martin Münch (h0ng10)
bba261a1cf
Initial version
2015-05-15 00:36:03 +02:00
jvazquez-r7
51bb4b5a9b
Add module for CVE-2015-0359
2015-05-07 17:00:00 -05:00
William Vu
134a674ef3
Land #5312 , @todb-r7's release fixes
2015-05-07 15:34:31 -05:00
Tod Beardsley
f423306b6f
Various post-commit fixups
...
Edited modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb first landed
in #5150 , @wchen-r7's DOS module for CVE-2015-1635 HTTP.sys
Edited modules/auxiliary/gather/apple_safari_ftp_url_cookie_theft.rb
first landed in #5192 , @joevennix's module for Safari CVE-2015-1126
Edited modules/auxiliary/gather/java_rmi_registry.rb first landed in
Edited modules/auxiliary/gather/ssllabs_scan.rb first landed in #5016 ,
add SSL Labs scanner
Edited modules/auxiliary/scanner/http/goahead_traversal.rb first landed
in #5101 , Add Directory Traversal for GoAhead Web Server
Edited modules/auxiliary/scanner/http/owa_iis_internal_ip.rb first
landed in #5158 , OWA internal IP disclosure scanner
Edited modules/auxiliary/scanner/http/wp_mobileedition_file_read.rb
first landed in #5159 , WordPress Mobile Edition Plugin File Read Vuln
Edited modules/exploits/linux/http/multi_ncc_ping_exec.rb first landed
in #4924 , @m-1-k-3's DLink CVE-2015-1187 exploit
Edited modules/exploits/unix/webapp/wp_slideshowgallery_upload.rb first
landed in #5131 , WordPress Slideshow Upload
Edited modules/exploits/windows/local/run_as.rb first landed in #4649 ,
improve post/windows/manage/run_as and as an exploit
(These results courtesy of a delightful git alias, here:
```
cleanup-prs = !"for i in `git status | grep modules | sed
s/#.*modules/modules/`; do echo -n \"Edited $i first landed in \" && git
log --oneline --first-parent $i | tail -1 | sed 's/.*Land //' && echo
''; done"
```
So that's kind of fun.
2015-05-06 11:39:15 -05:00
William Vu
b8c7161819
Fix up NameError'd payload_exe
2015-05-06 11:34:05 -05:00
William Vu
59ffe5d98f
Land #5306 , payload_exe NameError fix
2015-05-06 11:29:29 -05:00
wchen-r7
4b0f54f0aa
Land #5305 , CVE-2015-0336 Flash NetConnection Type Confusion
2015-05-06 11:26:22 -05:00
wchen-r7
97807e09ca
Lad #5125 , Group Policy startup exploit
2015-05-06 11:17:01 -05:00
wchen-r7
5b57e4e9ca
Add info about the waiting time
2015-05-06 11:15:11 -05:00
Sam Roth
5cb8b9a20a
Fix #5304
2015-05-05 22:25:06 -04:00
jvazquez-r7
582919acac
Add module for CVE-2015-0336
2015-05-05 17:25:19 -05:00
Darius Freamon
c988447c18
title enhancement, OSVDB ref
...
touch up title and add OSVDB reference
2015-05-05 13:21:36 -06:00
jvazquez-r7
b95be1b25f
Support information to include logon scripts
2015-05-04 15:49:19 -05:00
Darius Freamon
dc42a3ee1a
add OSVDB ref
...
add OSVDB ref
2015-05-04 14:27:44 -06:00
Darius Freamon
a5c10b7f10
Fix product name
...
Product name missing a letter in two locations
2015-05-03 13:11:22 -06:00
Darius Freamon
aa59b3acc6
title enhancement, description touch-up
...
Expanded title to be more precise and standardized use of vendor name
2015-04-30 17:23:15 -06:00
wchen-r7
89d026c900
Fix merge conflict
2015-04-30 12:33:45 -05:00
jvazquez-r7
d773f85dca
Add reference to malware
2015-04-29 17:53:29 -05:00
jvazquez-r7
dbba466b5b
Add module for CVE-2014-8440
2015-04-29 17:52:04 -05:00
William Vu
5defb50252
Fix #5267 , references fixes
2015-04-29 14:21:23 -05:00
William Vu
a4531e62a0
Clean up references
2015-04-29 14:21:08 -05:00
William Vu
b2d08251e4
Move reference
2015-04-29 14:18:45 -05:00
William Vu
fd567195e3
Fix punctuation and missing comma
2015-04-29 14:12:44 -05:00
Darius Freamon
5f0736fa4c
enhance title and description, add OSVDB reference, standardized JBoss
2015-04-29 11:39:40 -06:00
Darius Freamon
c01fc829ab
Title enhancement, OSVDB refs
2015-04-28 15:56:34 -06:00
jvazquez-r7
ab94f15a60
Take care of modules using the 'DEBUG' option
2015-04-21 12:13:40 -05:00
jvazquez-r7
4224008709
Delete print_debug/vprint_debug
2015-04-21 11:14:03 -05:00
wchen-r7
4f903a604c
Fix #5103 , Revert unwanted URI encoding
...
Fix #5103 . By default, Httpclient will encode the URI but
we don't necessarily want that. These modules originally
didn't use URI encoding when they were written so we should
just keep them that way.
2015-04-17 13:59:49 -05:00
wchen-r7
3927024f79
Land #5154 , CVE-2015-0556 (Flash copyPixelsToByteArray int overflow)
...
sage aborts
2015-04-16 21:21:09 -05:00
Christian Mehlmauer
352e170624
more failure reasons
2015-04-16 22:04:11 +02:00
Christian Mehlmauer
ba6548db75
be consistent about naming
2015-04-16 21:44:56 +02:00
jvazquez-r7
c1753672bf
Delete file_contents initialization
2015-04-15 17:58:32 -05:00
jvazquez-r7
28fac60c81
Add module for CVE-2015-0556
2015-04-15 14:08:16 -05:00
jvazquez-r7
656abac13c
Use keyword arguments
2015-04-10 18:03:45 -05:00
jvazquez-r7
1720d4cd83
Introduce get_file_contents
2015-04-10 17:34:00 -05:00
jvazquez-r7
ca6a5cad17
support changing files
2015-04-10 16:53:12 -05:00
jvazquez-r7
b2e17a61a9
Fix disclosure date
2015-04-10 13:09:24 -05:00
jvazquez-r7
ab944b1897
Add module to exploit dangerous group policy startup scripts
2015-04-10 13:01:50 -05:00
jvazquez-r7
91f5d0af5a
Add module for CVE-2014-0569
...
* Adobe flash, Integer overflow on casi32
2015-04-09 19:37:26 -05:00
William Vu
e1af495d21
Add extra release fixes
2015-04-06 13:08:40 -05:00
Tod Beardsley
b62011121b
Minor word choice fix on Solarwinds exploit
...
Removing the second person pronoun usage.
[See #5050 ]
2015-04-06 12:40:22 -05:00
Tod Beardsley
5be5b6097c
Minor grammar on #5030 , Adobe Flash
...
[See #5030 ]
2015-04-06 12:36:25 -05:00
William Vu
56dc7afea6
Land #5068 , @todb-r7's module author cleanup
2015-04-03 16:00:36 -05:00
jvazquez-r7
7c9b19c6f8
Do minor cleanup
2015-04-03 11:53:50 -05:00
Tod Beardsley
3ff91d74ca
More cleanup, mostly abysssec
...
[See #5012 ]
2015-04-02 16:16:38 -05:00
Tod Beardsley
4bbec88882
Various other one-off nonhuman author credits
...
[See #5012 ]
2015-04-02 15:25:47 -05:00
sinn3r
0b14a18ad2
This is final
2015-04-01 12:00:49 -05:00
sinn3r
0ee858cd65
Some useful messages
2015-04-01 01:41:31 -05:00
sinn3r
8ad07cdc0f
This should be on the right track
2015-04-01 01:27:50 -05:00
sinn3r
6795c90eac
Some progress
2015-03-31 20:46:34 -05:00
sinn3r
97305629cb
Add Solarwinds FSM module
...
starter
2015-03-31 16:21:52 -05:00
sinn3r
8ea1ffc6ff
Land #5030 , CVE-2015-0313 Flash Exploit
2015-03-30 11:31:53 -05:00
h00die
28b9e89963
removed duplicate "uses" from description
2015-03-29 19:40:31 -04:00
William Vu
ef8c0aac69
Land #5020 , spelling fixes for some modules
2015-03-28 00:36:04 -05:00
jvazquez-r7
f84a46df63
Add module for CVE-2015-0313
2015-03-27 18:51:13 -05:00
sinn3r
9cfafdd8b8
Land #4649 , improve post/windows/manage/run_as and as an exploit
2015-03-27 17:31:30 -05:00
C-P
4f4bf9debb
paylod vs payload
2015-03-27 11:55:15 -07:00
C-P
0a8fe781d1
paylod vs payload
2015-03-27 11:54:14 -07:00
C-P
5ba614a325
payloda vs payload
2015-03-27 11:53:20 -07:00
C-P
2d81460583
Explot vs Exploit
2015-03-27 11:37:11 -07:00
C-P
f129347b51
Filed vs Failed fix
2015-03-27 11:28:50 -07:00
sinn3r
955c0557e0
Land #4988 , Relative URL for ms14_064_ole_code_execution
2015-03-26 13:36:37 -05:00
jvazquez-r7
d84c48cb7d
Use newer hash syntax
2015-03-25 13:39:34 -05:00
jvazquez-r7
72a0909e9b
Land #4992 , @wchen-r7's support for multiple ActiveX controls on BrowserExploitServerMerge
2015-03-25 13:30:36 -05:00
Tod Beardsley
49a6057f74
Grammaring harder
2015-03-24 11:10:36 -05:00
sinn3r
8255e7a2dc
Fix #4987 - undef payload_exe for ams_xfr
...
Fix #4987
2015-03-24 00:42:22 -05:00
sinn3r
db243a8225
x360_video_player_set_text_bof actually uses SetText for ActiveX
2015-03-23 23:36:20 -05:00
sinn3r
3248f02c2c
These exploits use :activex, so I update the usage for them
2015-03-23 19:34:24 -05:00
andygoblins
89e27d98ab
Use relative URL to GET payload for WinXP
...
Relative URLs are simpler, and allow the exploit to work on attack machines in NAT environments. Example: attack machine is NATed and does not have a DNS hostname. SRVHOST must be 0.0.0.0 but the victim cannot access the attacker from Rex::Socket.source_address
2015-03-23 14:40:06 -05:00
sinn3r
156520338d
Making some changes to how BES handles ActiveX
2015-03-23 12:21:27 -05:00
Adam Ziaja
921b9eab8e
Update minishare_get_overflow.rb
...
set WfsDelay 30
2015-03-20 23:42:54 +01:00
Adam Ziaja
505ecd32fb
Update minishare_get_overflow.rb
...
Windows 2003 SP1 English, Windows 2003 SP2 English
2015-03-20 23:09:50 +01:00
sinn3r
0c2ed21e90
Land #4318 , Lateral movement through PSRemoting
2015-03-20 11:39:35 -05:00
sinn3r
23d8479683
Fix typo
2015-03-20 11:39:00 -05:00
sinn3r
0da79edb9c
Add a print_status to let the user know the module is over
...
If I have to run the module as a job, sometimes I can't tell if
the module has finished running or not.
2015-03-20 11:35:18 -05:00
g0tmi1k
72794e4c1a
Removed double spaces
2015-03-20 01:16:49 +00:00
Spencer McIntyre
076f15f933
Land #4792 @jakxx Publish It PUI file exploit
2015-03-18 20:59:54 -04:00
Spencer McIntyre
3f8ed56a9a
Add available space to the payload info
2015-03-18 20:57:58 -04:00
Meatballs
6ceab3d02d
Add a DisclosureDate
2015-03-18 23:51:18 +00:00
jakxx
b197b7aaf0
Additional Updates
...
-Removed unused mixin
-Cleaned up Module name
-Cleaned up author name
2015-03-17 19:24:13 -04:00
jakxx
085e6cc815
Implemented Recommended Changes
...
-corrected spelling error
-set only option to required
-dumped header data to included file
-Used Rex for jmp values
2015-03-17 16:39:56 -04:00
jvazquez-r7
bb81107e51
Land #4927 , @wchen-r7's exploit for Flash PCRE CVE-2015-0318
2015-03-13 23:58:05 -05:00
sinn3r
3bfdfbc987
Small changes
2015-03-13 18:55:11 -05:00
jvazquez-r7
1ead57a80d
Land #4928 , @h0ng10's local exploit for iPass Mobile Client
2015-03-13 16:58:45 -05:00
jvazquez-r7
9894a3dc54
Change module filename
2015-03-13 16:53:17 -05:00
jvazquez-r7
b4de3ce42b
Do minor cleanup
2015-03-13 16:52:26 -05:00
Hans-Martin Münch (h0ng10)
b0e730d5ae
Typo
2015-03-13 20:41:14 +01:00
Hans-Martin Münch (h0ng10)
726f01b8cc
Initial version
2015-03-13 20:33:45 +01:00
sinn3r
182850df30
Stick to Win 7
2015-03-13 12:41:05 -05:00
sinn3r
2b199315d4
Final
2015-03-13 12:30:41 -05:00
jvazquez-r7
e035e6ce51
Land #4899 , @h0ng10's exploit for iPass Open Mobile CVE-2015-0925
2015-03-12 16:42:52 -05:00
jvazquez-r7
7b7ebc20d7
Fix indentation
2015-03-12 16:41:41 -05:00
jvazquez-r7
da47d368e8
Do minor style cleaning
2015-03-12 16:35:48 -05:00
jvazquez-r7
a77078b555
Add X86 target
2015-03-12 16:34:44 -05:00
HD Moore
b43893ad71
Lands #4903 , corrects the return value used for the script path
2015-03-12 14:05:22 -05:00
sinn3r
ac24652196
Land #4911 , CVE-2015-0096 (ms15_020_shortcut_icon_dllloader)
2015-03-12 10:51:56 -05:00
sinn3r
67d05f9354
Add the PR as a reference (how to guide)
2015-03-12 10:51:01 -05:00
jvazquez-r7
68d69177ad
Add smb module for MS15-020
2015-03-11 23:46:50 -05:00
HD Moore
24440b8c38
Lands #4913 , adds OSVDB reference to nvidia module
2015-03-11 23:32:22 -05:00
jvazquez-r7
a9fa2d25aa
Add SMB module for MS10-046
2015-03-11 23:23:56 -05:00
Tod Beardsley
99494328d2
Update Nvidia module with an OSVDB ref
...
The paper is really good, but could use a more traditional reference.
[See #4884 ]
2015-03-11 19:51:22 -05:00
jvazquez-r7
0e4e264325
Redo description
2015-03-11 18:19:28 -05:00
jvazquez-r7
4e6aca0209
refactor create_exploit_file
2015-03-11 18:13:09 -05:00
jvazquez-r7
5662e5c5a6
Add module for MS15-020
2015-03-11 17:29:02 -05:00
sinn3r
43b90610b1
Temp
2015-03-11 13:53:34 -05:00
sinn3r
2a9d6e64e2
Starting point for CVE-2015-0318
2015-03-11 09:58:41 -05:00
Sigurd Jervelund Hansen
c6cb1e840d
Fixes persistence module by revering changes to the value returned by the write_script_to_target function, which screws up the path that is used for startup. Currently an escaped path "C://Users//..." is being used instead of using windows standards "C:\Users\...".
2015-03-10 10:26:03 +01:00
jvazquez-r7
78167c3bb8
Use single quotes when possible
2015-03-09 16:55:21 -05:00
jvazquez-r7
cb72b26874
Add module for CVE-2014-0311
2015-03-09 16:52:23 -05:00
Hans-Martin Münch (h0ng10)
bba4223d68
Initial commit
2015-03-09 16:36:11 +01:00
jvazquez-r7
2134cc3d22
Modify description
2015-03-05 16:55:24 -06:00
jvazquez-r7
7b4776ee79
Deregister FOLDER_NAME
2015-03-05 16:42:07 -06:00
jvazquez-r7
1bc81ea723
Merge #4884 into updated master
2015-03-05 16:41:15 -06:00
Meatballs
33f089b1a5
Tidyup
2015-03-05 21:50:12 +00:00
jvazquez-r7
9f3f8bb727
Merging #3323 work
2015-03-05 15:44:15 -06:00
jvazquez-r7
dd2559b748
Favor new target over new module
2015-03-05 15:41:53 -06:00
Meatballs
c56679f33e
Modify for new SMB mixin
2015-03-05 21:26:13 +00:00
jvazquez-r7
de08d8247b
Do some module cleanup
2015-03-05 13:00:01 -06:00
jvazquez-r7
82659aba93
Populate metadata from code to make test easier
2015-03-05 12:40:20 -06:00
jvazquez-r7
dc02f8332f
Pass msftidy
2015-03-05 12:29:31 -06:00
jvazquez-r7
a06eb04d59
Deregister FOLDER_NAME on exploit modules
2015-03-05 12:27:12 -06:00
jvazquez-r7
e715eaba58
Update description
2015-03-04 16:39:27 -06:00
jvazquez-r7
e155f2998e
Change module filename
2015-03-04 16:38:08 -06:00
jvazquez-r7
77abd57397
Do code cleanup
2015-03-04 16:37:31 -06:00
jvazquez-r7
22ff4d0097
Update with master changes
2015-03-04 16:30:19 -06:00
jvazquez-r7
e7de09df29
Change module filename
2015-03-04 16:18:45 -06:00
jvazquez-r7
1337b7ace8
Clean module
2015-03-04 16:18:10 -06:00
jvazquez-r7
d4738d8c0a
Update #3076 branch
2015-03-04 15:51:00 -06:00
jvazquez-r7
5cc9ea3618
Update with master changes
2015-03-04 15:16:12 -06:00
jvazquez-r7
fa9d921138
Beautify description
2015-03-04 13:07:10 -06:00
jvazquez-r7
8fdb7a798e
Change module filename
2015-03-04 13:01:06 -06:00
jvazquez-r7
36375fab28
Fix downcase path handling
2015-03-04 12:58:41 -06:00
jvazquez-r7
62dde22d88
Clean packet building
2015-03-04 12:27:58 -06:00
jvazquez-r7
e04ff3ee24
Delete CMD option
2015-03-04 11:51:58 -06:00
jvazquez-r7
d4337ce1ae
Do minor metadata cleanup
2015-03-04 11:46:01 -06:00
jvazquez-r7
1371cfe025
Test landing #4451
2015-03-04 11:20:07 -06:00
jvazquez-r7
aaab4b401a
Fix indenting and use primer
2015-03-04 10:46:34 -06:00
jvazquez-r7
0e57277dc1
Do cleanup
2015-03-04 10:33:57 -06:00
jvazquez-r7
b9ed8178a9
Solve conflicts on ms13_071_theme
2015-03-04 10:28:52 -06:00
Matthew Hall
4757698c15
Modify primer to utilise file_contents macro.
2015-03-04 09:52:00 +00:00
Matthew Hall
a90ebfe9a7
Modify primer to utilise file_contents macro.
2015-03-04 09:51:32 +00:00
Matthew Hall
dfb6711ad7
Modify primer to utilise file_contents macro.
2015-03-04 09:51:01 +00:00
Matthew Hall
a5d748d19e
Modify primer to utilise file_contents macro.
2015-03-04 09:50:28 +00:00
Matthew Hall
0d56f5b6e6
Modify primer to utilise file_contents macro.
2015-03-04 09:49:17 +00:00
jvazquez-r7
80b76436bb
Land #4831 , @wchen-r7's update for MS14-064 exploit
...
* Support Windows XP with VBScript technique
2015-03-03 19:19:49 -06:00
sinn3r
7591e9ece3
Unbreak the comment
2015-03-03 19:14:18 -06:00
sinn3r
79e7bf7f9c
Update comments and description
2015-03-03 19:13:15 -06:00
William Vu
aa1e1a5269
Fix duplicate hash key "Platform"
...
In modules/exploits/windows/mssql/mssql_linkcrawler.rb.
2015-02-24 05:19:56 -06:00
William Vu
57642377cc
Fix duplicate hash key "MinNops"
...
In modules/exploits/windows/backupexec/name_service.rb.
2015-02-24 05:19:55 -06:00
William Vu
f2c96b4fdd
Fix duplicate hash key "DefaultOptions"
...
In modules/exploits/windows/browser/ntr_activex_stopmodule.rb.
2015-02-24 05:19:54 -06:00
William Vu
b671c9b496
Fix duplicate hash key "DefaultOptions"
...
In modules/exploits/windows/browser/oracle_autovue_setmarkupmode.rb.
2015-02-24 05:19:53 -06:00
William Vu
2e90f266fa
Fix duplicate hash key "massage_array"
...
In modules/exploits/windows/browser/ms13_090_cardspacesigninhelper.rb.
2015-02-24 05:19:52 -06:00
William Vu
e618c2f112
Fix duplicate hash key "DefaultOptions"
...
In modules/exploits/windows/browser/cisco_playerpt_setsource_surl.rb.
2015-02-24 05:19:51 -06:00
William Vu
2ffa368c18
Fix duplicate hash key "DefaultOptions"
...
In modules/exploits/windows/browser/ntr_activex_check_bof.rb.
2015-02-24 05:19:50 -06:00
William Vu
a8f0af4409
Fix duplicate hash key "DefaultOptions"
...
In modules/exploits/windows/browser/cisco_playerpt_setsource.rb.
2015-02-24 05:19:49 -06:00
William Vu
ff73b4d51a
Fix duplicate hash key "DefaultOptions"
...
In modules/exploits/windows/local/pxeexploit.rb.
2015-02-24 05:19:48 -06:00
William Vu
53e45498ca
Fix duplicate hash key "DefaultOptions"
...
In modules/exploits/windows/http/hp_pcm_snac_update_certificates.rb.
2015-02-24 05:19:47 -06:00
William Vu
943ff2da75
Fix duplicate hash key "DefaultOptions"
...
In modules/exploits/windows/http/hp_pcm_snac_update_domain.rb.
2015-02-24 05:19:46 -06:00
William Vu
6aa3952c91
Fix duplicate hash key "Platform"
...
In modules/exploits/windows/scada/winlog_runtime_2.rb.
2015-02-24 05:19:45 -06:00
sinn3r
8d17aa04ee
Update the title too
2015-02-24 00:46:35 -06:00
sinn3r
578a545b22
Update MS14-064 for Windows XP
2015-02-23 23:08:13 -06:00
William Vu
933c4a05b4
Land #4814 , ms04_011_pct improved error messages
2015-02-22 23:51:14 -06:00
sinn3r
aa8a82f44f
Update MS15-001 reference
2015-02-21 08:39:21 -06:00
jvazquez-r7
ef62e1fc04
Land #4798 , @wchen-r7's deletion of x64 support on ms13_022_silverlight_script_object
...
* Ungenuine support, well deleted
2015-02-21 01:11:09 -06:00
jvazquez-r7
ef990223d5
Move arch out of target
2015-02-21 01:10:35 -06:00
sinn3r
441c301fd3
Fix #4458 , more informative errors for ms04_011
...
Fix #4458
2015-02-21 00:32:20 -06:00
Brent Cook
b624278f9d
Merge branch 'master' into land-4706-smb_reflector
2015-02-20 10:26:04 -06:00
Matthew Hall
e6ecdde451
Modify SMB generation code to use primer based on #3074 changes to
...
implement Msf::Exploit::Remote::SMB::Server::Share as a mixin.
2015-02-20 11:35:22 +00:00
Matthew Hall
4963992b17
Modify SMB generation code to use primer based on #3074 changes to
...
implement Msf::Exploit::Remote::SMB::Server::Share as a mixin.
2015-02-20 11:31:15 +00:00
Matthew Hall
da829d9ea9
Modify SMB generation code to use primer based on #3074 changes to
...
implement Msf::Exploit::Remote::SMB::Server::Share as a mixin.
2015-02-20 11:29:09 +00:00
Matthew Hall
9aef561fd3
Modify SMB generation code to use primer based on #3074 changes to
...
implement Msf::Exploit::Remote::SMB::Server::Share as a mixin.
2015-02-20 11:28:35 +00:00
Matthew Hall
34f4ae782d
Modify SMB generation code to use primer based on #3074 changes to
...
implement Msf::Exploit::Remote::SMB::Server::Share as a mixin.
2015-02-20 11:26:19 +00:00
Matthew Hall
1751921ede
Modify SMB generation code to use primer based on #3074 changes to
...
implement Msf::Exploit::Remote::SMB::Server::Share as a mixin.
2015-02-20 11:01:38 +00:00
sinn3r
036a6089eb
Drop ungenuine x64 support in ms13_022_silverlight_script_object
...
The MS13-022 exploit does not actually run as x64. IE by default
still runs x86 so BES will always automatically select that target.
If IE forces x64 (which can be done manually), the BES detection
code will see it as ARCH_X86_64, and the payload generator will
still end up generating a x86 payload anyway.
If the user actually chooses a x64 payload, such as
windows/x64/meterpreter/reverse_tcp, the exploit is going to crash
because you can't run x64 shellcode on an x86 architecture.
2015-02-19 10:39:43 -06:00
jakxx
44a7e7e4bc
publish-it fileformat exploit
2015-02-18 13:22:54 -05:00
Jay Smith
e40772efe2
Fixed open device issue for non-priv users
...
Fixed the open_device call to work for users without Administrator
privileges
2015-02-18 12:44:58 -05:00
sinn3r
6acbe64dbd
The MSB reference in the title is wrong
...
It should be MS13-022.
MS12-022 is MSFT Expression Design.
2015-02-17 14:56:14 -06:00
sinn3r
b90639fd66
Land #4726 , X360 Software actvx buffer overflow
2015-02-17 11:41:23 -06:00
Matthew Hall
666b8e3e72
Add timeout to connection handler
2015-02-17 17:27:03 +00:00
Matthew Hall
728cfafe4d
cleanups
2015-02-17 17:27:03 +00:00
Matthew Hall
e4bab60007
Generic HTTP DLL Injection Exploit Module
...
This is an example implementation of using the
Msf::Exploit::Remote::SMBFileServer module to perform
arbitrary DLL injection over SMB.
2015-02-17 17:27:03 +00:00
Matthew Hall
c86caacf95
Merge branch 'master' into module-exploitsmbdllserver
...
Conflicts:
lib/msf/core/exploit/smb.rb
2015-02-17 17:16:09 +00:00
Matthew Hall
9f04e3bcf0
Merge branch 'master' into hp_dataprotector_dll_cmd_exec
2015-02-17 17:06:40 +00:00
Matthew Hall
afca27dae5
Merge branch 'master' into cve-2014-0094
2015-02-17 17:06:21 +00:00
jvazquez-r7
0372b08d83
Fix mixin usage on modules
2015-02-13 17:17:59 -06:00
sinn3r
b197b98ab9
Land #4759 , fix ms09_067_excel_featheader
2015-02-13 13:25:15 -06:00
jvazquez-r7
3ae3d56caa
Land #4745 , fixes #4711 , BrowserAutoPwn failing due to getpeername
2015-02-12 16:51:09 -06:00
jvazquez-r7
92422c7b9a
Save the output file on local_directory
2015-02-12 16:16:21 -06:00
sinn3r
05d2703a98
Explain why obfuscation is disabled
2015-02-12 14:00:01 -06:00
Tod Beardsley
c156ed62a9
on, not of.
2015-02-12 12:56:53 -06:00
Tod Beardsley
d89eda65fa
Moar fixes, thanks @wvu-r7
...
See #4755
2015-02-12 12:46:38 -06:00
Tod Beardsley
e78d08e20d
Fix up titles, descriptions
2015-02-12 12:11:40 -06:00
sinn3r
50c72125a4
::Errno::EINVAL, disable obfuscation, revoke ms14-064
2015-02-12 11:54:01 -06:00
William Vu
309159d876
Land #4753 , updated ms14_070_tcpip_ioctl info
2015-02-12 09:57:29 -06:00
Spencer McIntyre
8ab469d3bd
Update ms14-070 module information and references
2015-02-12 09:51:01 -05:00
William Vu
b894050bba
Fix local/pxeexploit datastore
2015-02-11 12:19:56 -06:00
sinn3r
d23c9b552f
Trade MS12-004 for MS13-090 against Windows XP BrowserAutoPwn
2015-02-10 18:58:56 -06:00
jvazquez-r7
5687028f09
Land #4671 , @earthquake's exploit for achat buffer overflow
2015-02-09 17:50:09 -06:00
jvazquez-r7
6165d623ff
Change module filename
2015-02-09 17:39:55 -06:00
jvazquez-r7
eb0741d7a7
Modify reference
2015-02-09 17:39:18 -06:00
jvazquez-r7
86f3bcad11
Do minor cleanup
2015-02-09 17:33:05 -06:00
Balazs Bucsay
ac6879cfe1
proper payload encoding from now on
2015-02-09 23:36:35 +01:00
Balazs Bucsay
c7880ab4e1
hex strings related explanations
2015-02-09 23:21:38 +01:00
Balazs Bucsay
9891026d30
sleep changed to Rex::sleep
2015-02-09 22:33:41 +01:00
jvazquez-r7
831a1494ac
Keep default behavior for modules forcing Msf::Encoder::Type::AlphanumUpper
2015-02-08 18:29:25 -06:00
jvazquez-r7
3e7e9ae99b
Keep default behavior for modules forcing Msf::Encoder::Type::AlphanumMixed
2015-02-08 18:22:11 -06:00
jvazquez-r7
87775c6ee4
Fix description
2015-02-06 23:55:27 -06:00
jvazquez-r7
76387eebe0
Use File.open
2015-02-06 21:35:07 -06:00
jvazquez-r7
f6933ed02c
Add module for EDB-35948
2015-02-06 11:05:29 -06:00
Tod Beardsley
036cb77dd0
Land #4709 , fixed up some datastore mangling
2015-02-05 21:22:38 -06:00
Spencer McIntyre
4e0a62cb3a
Land #4664 , MS14-070 Server 2003 tcpip.sys priv esc
2015-02-05 18:49:15 -05:00
Spencer McIntyre
a359fe9acc
Minor fixup on the ms14-070 module description
2015-02-05 18:41:58 -05:00
Spencer McIntyre
dc13446536
Forgot to comment ret instruction
2015-02-05 14:09:01 -05:00
Spencer McIntyre
5a39ba32f6
Make the ret instruction for token stealing optional
2015-02-05 14:00:38 -05:00
Spencer McIntyre
dabc163076
Modify the shellcode stub to save the process
2015-02-05 13:54:52 -05:00
Tod Beardsley
c633c710bc
Mostly caps/grammar/spelling, GoodRanking on MBAM
2015-02-05 12:36:47 -06:00
William Vu
b43522a2b8
Fix scadapro_cmdexe datastore
2015-02-05 02:54:03 -06:00