2dff66aacb
Check nil
2018-07-26 11:23:16 -05:00
f5ccdcfcd2
Net SSH CommandStream fixes implemented
...
* Net::SSH::CommandStream typos fixed
* Net::SSH::CommandStream cleanup made more robust and refactored
* require 'net/ssh/command_stream' added to various modules
2018-07-25 11:22:28 -05:00
1a3a4ef5e4
Revised 88 aux and exploit modules to add CVEs / references
2018-07-12 17:34:52 -05:00
7d8a95de9f
Fixed requested changes for PR
2018-07-09 12:44:38 -05:00
5fc5a47cd2
Update CVE references for exploit modules
...
These are based on cross references by EDB, OSVDB, module short
name, blog post and BID.
2018-07-08 18:46:04 -05:00
b00f0e87e0
Add SonicWall XML-RPC Remote Code Execution exploit module
2018-07-05 12:06:13 -05:00
6d3c141553
Update patched version check
2018-06-22 15:08:19 +00:00
a71a5a10d5
Add Quest KACE Systems Management Command Injection
2018-06-22 08:07:18 +00:00
f4bb00b9a5
Remove stray PayloadType outside Compat
2018-06-12 14:59:29 -05:00
93e9c96a1c
Adjust link / name ordering to be alphabetical by key (not sorted by value)
2018-05-21 14:42:13 -04:00
c665a32eb9
Add privileged and fix PayloadType hash style
2018-05-19 19:06:50 -04:00
d9d226376c
Fix missing comma
2018-05-19 09:23:23 -04:00
4bf259e767
Add github and EDB ID number
2018-05-19 09:04:18 -04:00
b0f556639f
Change rand text length and remove disable nops
2018-05-19 09:02:00 -04:00
6d0c6a7051
Randomize the starting letter
2018-05-18 15:14:40 -04:00
1efa5c4061
Move to PayloadType instead of Compat
2018-05-18 14:55:33 -04:00
599979be37
Add AKA and remove filename
2018-05-18 14:49:12 -04:00
0951aca881
Fix require that’s included by mixin
2018-05-18 13:31:20 -04:00
35ee1b5fa1
Use https instead of http in the comments
2018-05-18 13:10:47 -04:00
8f0242344d
Fix style to use curly braces instead of pipes
2018-05-18 13:06:38 -04:00
f1b9088609
Fix msf/core include requirement
...
```
modules/exploits/unix/dhcp/rhel_dhcp_client_command_injection.rb - [WARNING] Explicitly requiring/loading msf/core is not necessary
```
removes `require msf/core`
2018-05-18 13:04:55 -04:00
164f3ef48d
Add CVE-2018-1111 exploit
2018-05-18 12:47:08 -04:00
5ed1bde65f
Removed unused FileDropper include
2018-05-08 18:10:29 +02:00
5038098efb
Remove need for writable directory when using xdebug exploit
...
By base64 encoding the exploit code and decoding it on the target the
need for writing a temporary file is removed.
See #9918
2018-05-07 22:11:21 +02:00
88f09dc302
Update a few stragglers in Drupalgeddon 2
...
1. I added a missed header and YARD to the Drupal mixin.
2. I decided to match discovered versions more liberally.
2018-05-03 18:35:25 -05:00
728d7bc065
Fix #9876 , second round of Drupalgeddon 2 updates
...
Thanks to a reviewer for noticing my drupal_unpatched? method was
tri-state because of an unrefactored return. Oops! :)
2018-05-03 17:38:32 -05:00
82fc4aba64
Land #9918 , XDebug Unauthenticated OS command execution
2018-04-27 17:08:58 -05:00
873cbcee27
Fix #9876 , minor updates to Drupalgeddon 2
...
1. Tested versions are already listed in the module doc, and we've
tested more than just 7.57 and 8.4.5 now. Removing a source of potential
inconsistency in the future.
2. No problem with ivars anymore. No idea what happened, but maybe I was
just too tired to code. Removing cleanup method.
2018-04-25 18:09:54 -05:00
b8eb7f2a86
Set target type instead of regexing names
...
We're no longer matching multiple targets like /In-Memory/ or /Dropper/,
so it makes sense to match on a specific value now.
Old matching in this commit: 1900aa2708
2018-04-25 11:53:26 -05:00
910e9337fb
Use print_good for patch level check, oops
2018-04-24 23:21:22 -05:00
b7ac16038b
Correct comment about PHP CLI (it's not our last!)
2018-04-24 23:18:51 -05:00
ec43801564
Add check for patch level in CHANGELOG.txt
...
Looks like 8.x has core/CHANGELOG.txt instead.
2018-04-24 23:12:33 -05:00
2ff0e597a0
Add SA-CORE-2018-002 as an AKA ref
...
Makes sense to me. Even though it's technically the advisory.
2018-04-24 22:51:33 -05:00
8bc1417c8c
Use PHP_FUNC as a fallback in case assert() fails
...
Additionally drop a file in a writable directory in case CWD fails.
2018-04-24 22:29:27 -05:00
8ff4407ca6
Clarify version detection error message
...
This was supposed to imply that we couldn't configure the exploit for a
targetable version. Instead, it just read weirdly. I think it was
missing "to target" at the end. "Determine" is a much better word,
though, since we may be doing detection instead of mere configuration.
2018-04-24 20:51:51 -05:00
cfaca5baa3
Restore a return lost in the refactor :(
...
Also spiff up comments.
2018-04-24 11:25:55 -05:00
b507391f1b
Change back to vprint_status for the nth time
...
I really couldn't decide, especially once I got rid of CmdStager.
Also fully document the module options.
2018-04-24 04:23:52 -05:00
c8b6482ab0
Rewrite PHP targets to work with 7.x and 8.x
...
Win some, lose some. php -r spawns a new (obvious) command. :/
Check method and version detection also rewritten. :)
2018-04-24 03:38:05 -05:00
8be58d315c
Stop being lazy about badchar analysis
...
Badchars apply to all targets.
2018-04-20 19:30:38 -05:00
fcfe927b7a
Add PHP dropper functionality and targets
2018-04-19 05:11:21 -05:00
62aca93d8b
Cache version detection and print only once
...
Oops. This is the problem with overloading methods.
2018-04-19 04:59:07 -05:00
2670d06f99
Add in-memory PHP execution using assert()
2018-04-19 02:18:56 -05:00
7a2cc991ff
Refactor once more with feeling
...
Nested conditionals are the devil. Printing should be consistent now.
2018-04-18 23:59:14 -05:00
3d116d721d
Add version detection and automatic targeting
...
I also refactored error handling. Should be cleaner now.
2018-04-18 21:40:22 -05:00
86ffbc753e
Refactor clean URL handling and remove dead code
2018-04-18 19:56:42 -05:00
1900aa2708
Refactor module and address review comments
2018-04-17 19:05:45 -05:00
d8508b8d7d
Add Drupal Drupalgeddon 2
2018-04-14 00:22:30 -05:00
8c2138f13b
Land #9742 , QNX exploit improvements
2018-04-03 07:50:29 -05:00
0fa63ae7b3
Update documentation and module
...
Included Super User in the documentation.
Implemented changes h00die suggested.
Modified sqli to generate strings used in regex.
2018-03-28 10:57:28 -05:00
fdd2af2d2a
Update tested versions
2018-03-24 00:23:12 +00:00
9d28549e84
Update qnx_qconn_exec
2018-03-22 06:25:44 +00:00
dddad415a5
add Msf::Exploit::Remote::HTTP::Joomla
2018-03-11 07:59:26 -05:00
37bf4d118a
Changes suggested by h00die 0803
2018-03-09 09:55:50 -05:00
048d0d1fe4
Changes suggested by h00die
2018-03-08 20:13:01 -05:00
d945734f43
Add 2017-8917 RCE for Joomla 3.0.7
2018-03-04 22:17:49 -05:00
b1d0529161
prefer 'shell' channels over 'exec' channels for ssh
...
If a command is not specified to CommandStream, request a "shell"
session rather than running exec. This allows targets that do not have a
true "shell" which supports exec to instead return a raw shell session.
2018-02-08 02:21:16 -06:00
5684b9ed7c
Readd dropped return during refactoring
2018-01-23 10:12:15 -06:00
d3b3946669
Use Msf::Post::File#setuid? in setuid_nmap
2018-01-23 02:05:26 -06:00
2f9eebe28b
remove plugin dir
2018-01-15 14:48:59 +01:00
7e2c7837e5
Land #9325 , Add CVE-2017-6090 phpCollab 2.5.1 file upload exploit module
...
Land #9325
2018-01-10 17:39:50 -06:00
b1f3f471f3
Update phpcollab_upload_exec code (also module documentation)
2018-01-10 17:38:52 -06:00
dd737c3bc8
Land #9317 , remove multiple deprecated modules
...
Land #9317
The following modules are replaced by the following:
auxiliary/scanner/discovery/udp_probe
is replaced by:
auxiliary/scanner/discovery/udp_sweep
exploit/unix/webapp/wp_ninja_forms_unauthenticated_file_upload
is replaced by:
exploit/multi/http/wp_ninja_forms_unauthenticated_file_upload
exploit/windows/misc/regsvr32_applocker_bypass_server
is replaced by:
exploits/multi/script/web_delivery
2018-01-10 15:47:20 -06:00
c9d6d0a7a7
-51
2018-01-04 12:25:31 -06:00
16d709f180
changes+filedropper
2018-01-03 14:09:30 -06:00
8f0e41e159
requested changes
2018-01-01 17:30:43 -06:00
c47d09717d
pfsense graph sploit
2018-01-01 03:18:51 -06:00
e6de25d63b
Land #9316 Cambium modules and mixins, tx @juushya
...
These cover several of the CVEs mentioned in
https://blog.rapid7.com/2017/12/19/r7-2017-25-cambium-epmp-and-cnpilot-multiple-vulnerabilities/
2017-12-26 12:39:51 -06:00
8b0f2214b1
few more updates
2017-12-23 03:04:11 +05:30
038119d9df
Use of get_cookies_parsed, changing dirs, marking deprecated in 2 mods, more
2017-12-23 00:14:27 +05:30
b29948412e
Correct permissions, fixing warning
2017-12-22 07:27:11 -08:00
a86abb0297
Implemented get_cookies_parsed
2017-12-22 05:36:36 +05:30
86ce3c8781
Made suggested changes and added documentation
2017-12-20 15:54:16 -05:00
ce457db1e3
fixed spaces at EOL
2017-12-20 09:24:30 -05:00
d6024277fc
fixed missing quote
2017-12-20 09:03:32 -05:00
139afe45a9
Add phpCollab 2.5.1 exploit module
2017-12-20 08:36:58 -05:00
a4098803b3
Remove OSVDB reference
2017-12-20 13:10:42 +01:00
a2c5cc0ffb
Remove old deprecated modules
2017-12-19 07:56:16 -08:00
d3638d0487
Land #9154 , Tuleap PHP object injection exploit
2017-12-18 03:19:42 -06:00
0e2a158abd
Fix global var $is_check (make ivar @is_check)
2017-12-18 03:15:33 -06:00
37514eec17
Land #9234 , Add exploit for ClickJacking vuln for pfSense
...
Land #9234
2017-12-12 14:56:21 -06:00
c7019e5aee
Only load files once
2017-12-12 14:54:49 -06:00
b335cacfc1
Update wp_slideshowgallery_upload.rb
...
Variable on line 67 needs to be changed to "user" from "username" which was undefined and causing error during exploit execution.
[-] Exploit failed: NameError undefined local variable or method `username' for #<Msf::Modules::Mod6578706c6f69742f756e69782f7765626170702f77705f736c69646573686f7767616c6c6572795f75706c6f6164::MetasploitModule:0x0055c61ab093f8>
After changing the incorrect variable name from "username" to "user", the exploit completes.
2017-12-12 00:33:28 -05:00
f83e9815dd
Land #9210 , Add a Polycom HDX RCE
2017-12-04 12:49:35 -06:00
7edab268f5
handle case-insensitive password, fix received
2017-12-04 12:47:40 -06:00
06334aa2bd
Update polycom_hdx_traceroute_exec.rb
2017-12-04 11:05:01 -05:00
942e44ceae
Added local copies of the static content
2017-12-02 10:14:14 +01:00
676a08b849
Update polycom_hdx_traceroute_exec.rb
2017-11-28 22:01:41 -05:00
a02a02cb0c
Fixed URL...
2017-11-22 11:31:23 +01:00
d21d3c140e
Fixed date
2017-11-22 11:15:34 +01:00
916ee05cce
Add exploit module for Clickjacking vulnerability in CSRF error page pfSense
2017-11-22 11:06:22 +01:00
dd8238d146
rubocop got a donut
2017-11-20 20:08:28 -05:00
579d012fa2
spelling
2017-11-19 08:36:27 -05:00
b7f7afb3be
version detect, 2.2.6 handling
2017-11-19 08:28:07 -05:00
f8891952c6
pfsense group member exec module
2017-11-15 21:00:58 -05:00
829a7a53db
verbose response.
2017-11-15 12:27:40 -05:00
4918e5856d
Update polycom_hdx_traceroute_exec.rb
2017-11-15 10:41:51 -05:00
d93120e2ac
Create polycom_hdx_traceroute_exec.rb
2017-11-15 10:40:57 -05:00
2f6da89674
Change author name to nick.
2017-11-09 03:00:24 +11:00
a15b61a218
Fix #9160 , exploit method from TcpServer
...
It already starts the server and waits for us. This is what was called
when the module was still auxiliary.
2017-11-01 19:26:00 -05:00
87934b8194
Convert tnftp_savefile from auxiliary to exploit
...
This has been a long time coming. Fixes #4109 .
2017-11-01 17:37:41 -05:00
Wei Chen
Sonny Gonzalez
asoto-r7
flandini
Brendan Coles
William Vu
Kevin Kirsche
Kevin Kirsche
miluxsec
Brent Cook
Jacob Robles
Luis Hernandez
Christian Mehlmauer
wetw0rk
Tod Beardsley
juushya
Jon Hart
Nick Marcoccio
EgiX
securekomodo
Austin
Yorick Koster
h00die
Patrick Webster