33ce74fe8c
Merge branch 'msftidy-1' of git://github.com/schierlm/metasploit-framework into schierlm-msftidy-1
2012-10-23 02:10:56 -05:00
e5ec51a780
Rename file for consistency
2012-10-23 02:05:55 -05:00
669d22c917
Final improvements
2012-10-23 02:05:08 -05:00
5072156df6
Designed specifically for Windows, so let's move to Windows
...
Plus additional fixes
2012-10-22 23:01:58 -05:00
2484bb02cf
Add the initial version of the module
...
From EDB.
2012-10-22 22:41:30 -05:00
b2db3e133d
Rescue when the service is crashed
...
Failed exploit attempts leave the service in a state where the port is
still open but login attmempts reset the connection. Rescue that and
give the user an indication of what's going on.
2012-10-22 17:57:30 -05:00
7437d9844b
standardizing author info
2012-10-22 17:01:58 -04:00
5b18a34ad4
References cleanup
...
Uppercase MSB, spaces in URLs.
2012-10-22 22:37:01 +02:00
f9ac55c221
Infohash key cleanups
...
Replace obvious typos in infohash keys. Note that this *does*
affect the behaviour as those keys have been ignored before.
2012-10-22 21:24:36 +02:00
e9f7873afc
Version cleanup
...
Remove all values that are neither 0 nor $Revision$.
2012-10-22 20:57:02 +02:00
e769abc868
Platform cleanup: platform should be lowercase
2012-10-22 20:14:39 +02:00
657d527f8d
DisclosureDate cleanup: Try parsing all dates
...
Fix all dates unparsable by `Date.strptime(value, '%b %d %Y')`
2012-10-22 20:04:21 +02:00
70ac7c8345
Author cleanup: fix unmatched angle brackets
2012-10-22 19:45:27 +02:00
d337d5204b
Author cleanup: One module did not have an author
2012-10-22 18:38:18 +02:00
ad9946689e
Update description
2012-10-21 16:40:01 -05:00
1821c11369
Code cleanup
2012-10-21 16:40:01 -05:00
c404b72d08
Doesn't make a lot of sense setting DefaultTarget to an older one
2012-10-21 16:40:01 -05:00
c7d12d94b7
turboftp exploit
2012-10-21 16:40:00 -05:00
768d2c5921
Go back to old behavior for unknown versions
...
May not be correct, but it's what we used to do, so probably better than
just raising.
Also documents things a bit better.
2012-10-18 16:57:40 -05:00
1eccb24bf8
Raise if the version isn't what we expect
...
Also adds some clarifying commentation and adds todb to the list of
authors since he wrote the original module for windows upon which this
one is based.
2012-10-18 15:55:55 -05:00
3c5c1cd86e
Remove unnecessary version restrictions
...
Since the payload is now run in the .so constructor, there's no need to
be compatible with a particular Postgres API.
Also:
- report the service
- delete the payload in the payload itself to reduce forensics
footprint
- randomize the created function name instead of abusing
postgres_create_sys_exec
2012-10-18 15:40:27 -05:00
0221f75f39
Merge branch 'rapid7' into midnitesnake-postgres_payload
2012-10-18 13:57:25 -05:00
60dc83748c
Update modules/exploits/windows/browser/mozilla_mchannel.rb
2012-10-17 12:25:44 -03:00
52feae2dcd
Add missing require
...
[FixRM #7345 ]
2012-10-15 17:18:04 -05:00
9192a01803
All exploits need a disclosure date.
2012-10-15 16:29:12 -05:00
2acfb0537c
Merge branch 'ajaxplorer' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-ajaxplorer
2012-10-15 08:30:08 +02:00
529f88c66d
Some msftidy fixes
2012-10-14 19:16:54 -05:00
97ac7fa184
Merge branch 'module-wle-service-permissions' of git://github.com/zeroSteiner/metasploit-framework
2012-10-14 18:27:32 -05:00
cedcace1a7
Forgot to change the output variable
...
Because the original script used match()
2012-10-14 11:43:33 -05:00
9c6fdbe9d7
Compile a .so instead of being version-specific
...
This makes it possible to use payloads for the appropriate architecture
NOTE: need to test windows and make sure I didn't break it
2012-10-13 15:18:25 -05:00
cc303665e8
Credit
2012-10-13 00:42:44 -05:00
5b2998a121
Add OSVDB-63552 AjaXplorer module (2010)
2012-10-13 00:35:48 -05:00
ad1870d819
Merge branch 'rapid7' into midnitesnake-postgres_payload
2012-10-12 14:18:34 -05:00
90ae5c1178
Add PhpEXE support to RateMyPet module
2012-10-12 04:53:01 -05:00
db12413b09
Convert vcms_upload to use PhpEXE
...
Incidentally adds a Linux x86 target
2012-10-12 04:29:57 -05:00
13a5892e95
Add a mixin for uploading/executing bins with PHP
...
And use it in three modules that had copy-paste versions of the same
idea.
2012-10-12 02:57:41 -05:00
3ab24cdbb9
added exploits/windows/local/service_permissions
2012-10-11 22:42:36 -04:00
0adabb1e06
Merge branch 'wchen-r7-projectpier' into rapid7
...
[Closes #889 ]
2012-10-11 18:32:04 -05:00
55c0cda86c
Merge branch 'fix_vprint_reduceright' of git://github.com/kernelsmith/metasploit-framework into kernelsmith-fix_vprint_reduceright
2012-10-11 16:55:52 -05:00
c911eeece2
change vprint_error to print_error
...
exploits/windows/browser/mozilla_reduceright does not tell you when an
incompatible browser connects like most other browser exploits do
(unless verbose is true). This change just changes the vprint to print
to be more consistent w/other browser exploits
2012-10-11 16:51:17 -05:00
9ea208d129
Oops, overwrote egypt's changes by accident
2012-10-11 16:40:52 -05:00
82eaa322fe
Make cleanup work better
2012-10-11 16:39:54 -05:00
3a66a07844
Proposed re-wording of description
...
[See #889 ]
2012-10-11 15:48:04 -05:00
24980e735b
I found an OSVDB ID
2012-10-11 15:28:07 -05:00
55128f5bb3
Make sure res has value before passing it on to exec_php
2012-10-11 14:43:38 -05:00
033a11eff5
Add Project Pier File Upload Vulnerability
2012-10-11 13:47:40 -05:00
1ea73b7bd2
Small description change and favor the use of print_error
2012-10-10 13:37:23 -05:00
f32ce87071
delete comment added by error
2012-10-10 19:32:25 +02:00
13e914d65e
added on_new_session handler to warn users about cleanup
2012-10-10 19:31:38 +02:00
37dc19951b
Added module for ZDI-12-169
2012-10-10 19:14:54 +02:00
22f7c42b85
Merge branch 'master' into feature/updated-mobile
2012-10-09 12:58:19 -05:00
4fa3631e34
avoiding the python support on the barracuda one if cannot be tested
2012-10-09 18:01:23 +02:00
f33411abd1
Merge branch 'python_payload_support' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-python_payload_support
2012-10-09 18:00:44 +02:00
a12aed7ffc
Don't really need these keywords
2012-10-09 00:49:05 -05:00
b657fd31cc
Merge branch 'php_include' of https://github.com/ethicalhack3r/metasploit-framework into ethicalhack3r-php_include
2012-10-09 00:45:46 -05:00
c094508119
Support Python payload
...
Pretty sure if the app is run on Unix/Apache, or supports perl and
ruby, chances are python works too.
2012-10-08 22:17:11 -05:00
b356b403b0
Merge branch 'phptax' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-phptax
2012-10-09 00:10:31 +02:00
06e2994b7e
connectiontype to find and python payload support
2012-10-08 15:13:27 -05:00
abb4bdd408
metadata formatting, and a little res gotcha
2012-10-08 15:00:51 -05:00
04aa69192d
Dang typo
2012-10-08 13:35:13 -05:00
ef9d627e13
Added module for ZDI-12-106
2012-10-08 20:04:01 +02:00
8ff4442f9e
Add PhpTax pfilez exec module
...
This module exploits a vuln found in PhpTax. When generating a
PDF, the icondrawpng() function in drawimage.php does not
properly handle the pfilez parameter, which will be used in a
exec() statement, and results in arbitrary code execution.
2012-10-08 12:46:56 -05:00
e9b70a3a4f
Merge branch 'avaya_winpmd_unihostrouter' of https://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-avaya_winpmd_unihostrouter
2012-10-07 15:35:30 -05:00
0acd9e4eec
Merge branch 'ms10_002_ropdb_update' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-ms10_002_ropdb_update
2012-10-07 17:49:45 +02:00
40983460bf
added module for avaya winpmd bof, osvdb 73269
2012-10-07 12:05:13 +02:00
bdb9b75e1e
Use RopDb, and print what target the module has selected.
2012-10-07 01:42:29 -05:00
64f29952dc
Merge branch 'master' into feature/updated-mobile
2012-10-07 00:32:02 -05:00
5b656087b5
Use RopDb in adobe_flash_otf_font, also cleaner code & output
2012-10-06 21:03:41 -05:00
874fe64343
Merge branch 'ms11_050_ropdb_update' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-ms11_050_ropdb_update
2012-10-06 14:10:36 +02:00
e02adc1f35
Merge branch 'mubix-bypassuac_uac_check'
2012-10-06 02:09:16 -05:00
33429c37fd
Change print_error to print_debug as a warning
2012-10-06 02:08:19 -05:00
94d5eb7a8c
Use RopDb in MS11-050, and correct autopwninfo
2012-10-06 01:45:40 -05:00
55474dd8bf
add simple UAC checks to bypassuac
2012-10-06 00:59:54 -04:00
b984d33996
add RunAs ask module
2012-10-06 00:51:44 -04:00
769fa3743e
Explain why the user cannot modify the URIPATH
2012-10-05 17:24:06 -05:00
f4e442bcbd
Added headers support to php_include module
2012-10-05 23:00:38 +02:00
2aa59623d1
Merge branch 'ropdb_for_browsers' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-ropdb_for_browsers
2012-10-05 15:43:18 -05:00
21ea77ff8b
Fix spaces
2012-10-05 15:40:37 -05:00
a60851e9d1
Merge branch 'mubix-bypassuac_localport'
2012-10-05 14:28:12 -05:00
6342c270f4
Merge branch 'bypassuac_localport' of https://github.com/mubix/metasploit-framework into mubix-bypassuac_localport
2012-10-05 14:16:16 -05:00
33db3d9610
RopDb for ntr_activex_check_bof.rb
2012-10-05 14:09:59 -05:00
f92843c96e
RopDb for ie_execcommand_uaf.rb
2012-10-05 13:49:17 -05:00
aba69d8438
fix indentation
2012-10-05 20:18:40 +02:00
4c646762a5
Added target debian squeeze
2012-10-05 20:12:09 +02:00
9a53a49625
RopDb for vlc_amv.rb
2012-10-05 12:54:16 -05:00
d9278d82f8
Adopt RopDb for msxml_get_definition_code_exec.rb
2012-10-05 12:20:41 -05:00
6fc8790dd7
Adopt RopDb for ms12_037_same_id.rb
2012-10-05 12:17:19 -05:00
1268614d54
Adopt RopDb for adobe_flash_mp4_cprt.rb
2012-10-05 11:15:53 -05:00
98931e339a
Adopt RopDb for adobe_flash_rtmp.rb
2012-10-05 11:05:19 -05:00
631a06f3bb
Adopt RopDb for adobe_flashplayer_flash10o.rb
2012-10-05 10:55:55 -05:00
0ae7756d26
fixed missing > on author
2012-10-05 11:13:40 -04:00
bcc56cb7cc
Merge branch 'bypassuac_localport' of https://github.com/mubix/metasploit-framework into mubix-bypassuac_localport
2012-10-05 01:05:30 -05:00
77438d2fc7
Make URI modification more obvious, and let the user know why
2012-10-04 17:52:04 -05:00
8520cbf218
fixes spotted by @jlee-r7
2012-10-04 17:34:35 -04:00
ae11c2ffc0
Merge branch 'rapid7' into kernelsmith-update-ms10_042-info
...
[Closes #860 ]
2012-10-04 15:29:32 -05:00
4400cb94b5
Removing trailing spaces
2012-10-04 14:58:53 -05:00
6ef87d1695
update info to reflect use of webdav
...
ms10_042_helpctr_xss_cmd_exec.rb doesn't tell you that it's going to
use webdav, and it's options dont' have the (Don't change) warning for
SRVPORT and URIPATH. This update fixes all that
2012-10-04 14:09:53 -05:00
3f2fe8d5b4
port bypassuac from post module to local exploit
2012-10-04 14:31:23 -04:00
d515b3274d
Apply wfsdelay and apply egypt's suggestions
2012-10-04 00:40:52 -05:00
9dad8b28ee
Merge branch 'qnx_qconn_exec' of https://github.com/bcoles/metasploit-framework into bcoles-qnx_qconn_exec
2012-10-03 22:09:14 -05:00
fbc3709774
Change the title and regex a bit
2012-10-03 12:16:25 -05:00
30846f4190
fix typo in comment
2012-10-03 16:06:00 +02:00
24037ac79a
Added module for CVE-2011-4051
2012-10-03 16:03:36 +02:00
e39472f7d4
Merge branch 'zeroSteiner-module-ms11-080'
2012-10-02 12:01:01 -05:00
e36507fc05
Code cleanup and make msftidy happy
2012-10-02 12:00:23 -05:00
21e832ac1c
add call to memory protect to fix DEP environments
2012-10-01 18:49:18 -04:00
e2276bfedb
Add QNX QCOMM command execution module
2012-09-30 17:21:08 +09:30
6679ff765a
remove extra commas
2012-09-28 12:21:59 +02:00
4087790cf7
Oops, forgot to update the check() function
2012-09-27 18:22:57 -05:00
9d3a1871a6
Added module for Samba CVE-2012-1182
2012-09-28 01:18:52 +02:00
c93692b06d
add a check to verify session is not already system for MS11-080
2012-09-27 08:36:13 -04:00
8648953747
added MS11-080 AFD JoinLeaf Windows Local Exploit
2012-09-26 11:01:30 -04:00
3ade5a07e7
Add exploit for phpmyadmin backdoor
2012-09-25 10:47:53 -05:00
1111de0197
Add OSVDB reference
2012-09-25 01:19:58 -05:00
2db2c780d6
Additional changes
...
Updated get_target function, comment for original author, possible
bug in handling page redirection.
2012-09-24 17:38:19 -05:00
03815b47f8
Merge branch 'ie_uaf_js_spray_obfuscate' of https://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-ie_uaf_js_spray_obfuscate
2012-09-24 17:14:26 -05:00
25e6990dc7
added osvdb reference
2012-09-24 21:49:32 +02:00
2784a5ea2d
added js obfuscation for heap spray
2012-09-24 21:28:34 +02:00
0e94340967
Merge branch 'auxilium' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-auxilium
2012-09-24 10:22:18 -05:00
57b3aae9c0
Only JRE ROP is used
2012-09-24 10:21:02 -05:00
98f4190288
Add Auxilium RateMyPet module
2012-09-24 10:16:11 -05:00
d476ab75cc
fix comment
2012-09-24 10:03:31 +02:00
f3a64432e9
Added module for ZDI-12-170
2012-09-24 10:00:38 +02:00
cade078203
Update author info
2012-09-22 02:29:20 -05:00
d3611c3f99
Correct the tab
2012-09-21 12:29:24 -05:00
25f4e3ee1f
Update patch information for MS12-063
2012-09-21 12:28:41 -05:00
ed24154915
minor fixes
2012-09-21 11:36:58 +02:00
6ee2c32f08
add ZEN Load Balancer module
2012-09-21 17:25:20 +09:30
54b98b4175
Merge branch 'ntr_activex_check_bof' of https://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-ntr_activex_check_bof
2012-09-20 16:43:20 -05:00
4ead0643a0
Correct target parameters
2012-09-20 16:41:54 -05:00
41449d8379
Merge branch 'ntr_activex_stopmodule' of https://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-ntr_activex_stopmodule
2012-09-20 16:33:12 -05:00
a5ffe7297f
Touching up Kernelsmith's wording.
...
It is merely the ROP chain, not the vuln, that requires Java.
2012-09-20 14:52:52 -05:00
883dc26d73
Merge remote branch 'kernelsmith/ie_execcommand_uaf_info'
2012-09-20 14:48:36 -05:00
e98e3a1a28
added module for cve-2012-0266
2012-09-20 19:03:46 +02:00
b61c8b85b8
Added module for CVE-2012-02672
2012-09-20 19:02:20 +02:00
f75ff8987c
updated all my authour refs to use an alias
2012-09-19 21:46:14 -05:00
f1a39c76ed
update to ie_execcommand_uaf's info to add ROP info
...
This module requires the following dependencies on the target for the
ROP chain to function. For WinXP SP3 with IE8, msvcrt must be present
(which it is on default installs). For Vista/Win7 with IE8 or Win7
with IE9, ire 1.6.x or below must be installed.
2012-09-19 14:10:02 -05:00
11f82de098
Update author information
2012-09-19 14:00:51 -03:00
cc8102434a
CVE assigned for the IE '0day'
2012-09-18 16:13:27 -05:00
25475ffc93
Msftidy fixes.
...
Whitespace on ie_execcommand_uaf, and skipping a known-weird caps check
on a particular software name.
2012-09-18 11:25:00 -05:00
8b251b053e
initializing msghdr a little better
2012-09-18 12:12:27 +02:00
16c5df46fc
fix while testing ubuntu intrepid
2012-09-18 11:52:50 +02:00
5fbc4b836a
Add Microsoft advisory
2012-09-17 22:13:57 -05:00
75bbd1c48d
Being slightly more clear on Browser Not Supported
...
With this and the rest of sinn3r's fixes, it looks like we can close the
Redmine bug.
[FixRM #7242 ]
2012-09-17 11:16:19 -05:00
d77ab9d8bd
Fix URIPATH and nil target
...
Allow random and '/' as URIPATh, also refuse serving the exploit
when the browser is unknown.
2012-09-17 10:54:12 -05:00
48a46f3b94
Pack / Unpack should be V not L
...
Packing or unpacking to/from L, I, or S as pack types will cause
problems on big-endian builds of Metasloit, and are best avoided.
2012-09-17 09:52:43 -05:00
d77efd587a
Merge remote branch 'wchen-r7/ie_0day_execcommand'
2012-09-17 08:48:22 -05:00
5eaefcf4c7
This is the right one, I promise
2012-09-17 08:41:25 -05:00
8f50a167bd
This is the right module
2012-09-17 08:36:04 -05:00
e43cae70a7
Add IE 0day exploiting the execcommand uaf
2012-09-17 08:28:33 -05:00
c83b49ad58
Unix linefeeds, not windows
...
That's what I get for just committing willy-nilly with a fresh install
of Gvim for Windows.
Also, this is an experiment to see if linefeeds are being respected in
this editor Window. I doubt it will be, given GitHub's resistence to
50/72 as a sensible default.
2012-09-16 18:10:35 -05:00
2fc34e0073
Auth successful, not successfully
...
Just fixing up some adverb versus adjective grammar.
2012-09-16 17:51:00 -05:00
cbc778cb47
add changes proposed by sinn3r
2012-09-15 23:53:09 +02:00
0708ec72fc
module moved to a more correct location
2012-09-15 15:31:21 +02:00
0f67f8d08a
target modified
2012-09-15 15:14:33 +02:00
0061d23b37
Added module for CVE-2012-2982
2012-09-15 15:09:19 +02:00
9a83c7c338
changes according to egypt review
2012-09-14 18:47:50 +02:00
eae571592c
Added rgod email
2012-09-14 17:45:16 +02:00
a2649dc8d1
fix typo
2012-09-14 17:10:41 +02:00
e27d5e2eb7
Description improved
2012-09-14 17:08:59 +02:00
9c77c15cf5
Added module for osvdb 85087
2012-09-14 16:54:28 +02:00
caf7619b86
Remove extra comma, fixes syntax errors in 1.8
...
Thanks, Kanedaaa, for reporting
2012-09-13 12:07:34 -05:00
1f58458073
Merge branch 'udev_netlink' of https://github.com/jlee-r7/metasploit-framework into jlee-r7-udev_netlink
2012-09-13 10:37:52 -05:00
b31e8fd080
Merge branch 'qdpm_upload_exec' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-qdpm_upload_exec
2012-09-13 10:37:10 -05:00
71a0db9ae5
Make sure the user has a 'myAccount' page
2012-09-13 10:33:43 -05:00
658502d5ad
Add OSVDB-82978
...
This module exploits a vuln in qdPM - a web-based project
management software. The user profile's photo upload feature can
be abused to upload any arbitrary file onto the victim server
machine, which allows remote code execution. However, note in
order to use this module, the attacker must have a valid cred
to sign.
2012-09-13 10:01:08 -05:00
12f3ef9c7c
added osvdb numbers
2012-09-13 14:00:12 +02:00
39f2cbfc3c
Older targets confirmed for CoolType SING
2012-09-12 16:51:51 -05:00
fba219532c
Updating BID for openfiler
2012-09-12 14:13:21 -05:00
c901002e75
Add ssh login module for cydia / ios defaults
2012-09-10 19:36:20 -05:00
fbbed2262b
Updated iOS modules
2012-09-10 17:42:17 -05:00
83f4b38609
Merge branch 'winamp_maki_bof' of https://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-winamp_maki_bof
2012-09-10 16:19:14 -05:00
61bf15114a
deregistering FILENAME option
2012-09-10 23:14:14 +02:00
2259de3130
Merge branch 'winamp_maki_bof' of https://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-winamp_maki_bof
2012-09-10 16:10:22 -05:00
199fbaf33d
use a static filename
2012-09-10 23:08:21 +02:00
1c14c270bc
Merge branch 'winamp_maki_bof' of https://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-winamp_maki_bof
2012-09-10 15:53:16 -05:00
cb975ce0a2
cleanup plus documentation for the maki template
2012-09-10 22:48:04 +02:00
f5a0f74d27
Merge branch 'wanem_exec_improve' of https://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-wanem_exec_improve
2012-09-10 13:35:48 -05:00
bbeb6cc97a
Add a privilege escalation exploit for udev < 1.4.1
...
Also includes a new ```rm_f``` method for Post::File for deleting remote
files in a platform-independent way.
2012-09-10 12:32:14 -05:00
607c0f023a
added edb references
2012-09-10 17:30:31 +02:00
b813e4e650
Added module for CVE-2009-1831
2012-09-10 16:46:16 +02:00
64b8696e3c
Extra condition that's not actually needed
...
Don't actually need to check nil res, because no code will
actually try to access res when it's nil anyway. And the 'return'
at the of the function will catch it when the response times out.
2012-09-09 04:06:48 -05:00
cb95a7b520
Add openfiler_networkcard_exec exploit
2012-09-09 17:28:09 +09:30
37c7f366f2
check function test vulnerability + minor improvements
2012-09-09 00:42:02 +02:00
f02659184a
Add WANem v2.3 command execution
2012-09-08 16:01:45 +09:30
caae54a7ca
added osvdb reference
2012-09-07 16:56:37 +02:00
c572c20831
Description updated to explain conditions
2012-09-07 11:18:54 +02:00
bd596a3f39
Merge branch 'sflog_upload_exec' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-sflog_upload_exec
2012-09-06 18:40:19 -05:00
86036737ca
Apparently this app has two different names
...
People may either call the app "ActiveFax", or "ActFax". Include
both names in there to allow the module to be more searchable.
2012-09-06 18:38:03 -05:00
6a484cdbc5
Merge branch 'actfax_local_exploit' of https://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-actfax_local_exploit
2012-09-06 18:35:08 -05:00
b4270bb480
Add OSVDB-83767: SFlog Upload Exec Module
...
This module exploits multiiple flaws in SFlog!. By default, the
CMS has a default admin cred of "admin:secret", which can be
abused to access admin features such as blog management. Through
the management interface, we can upload a backdoor that's accessible
by any remote user, and then we gain code execution.
2012-09-06 18:30:45 -05:00
fc1c1c93ba
ZDI references fixed
2012-09-07 00:50:07 +02:00
4985cb0982
Added module for ActFac SYSTEM Local bof
2012-09-07 00:45:08 +02:00
65681dc3b6
added osvdb reference
2012-09-06 13:56:52 +02:00
b4113a2a38
hp_site_scope_uploadfileshandler is now multiplatform
2012-09-06 12:54:51 +02:00
9531c95627
Adding BID
2012-09-05 15:04:05 -05:00
43041e3a0a
Merge branch 'hp_sitescope_uploadfileshandler' of https://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-hp_sitescope_uploadfileshandler
2012-09-05 14:03:24 -05:00
2f87af1c3a
add some checks while parsing the java serialization config file
2012-09-05 20:58:55 +02:00
b2116e2394
cleanup, test, add on_new_session handler and osvdb references
2012-09-05 20:54:25 +02:00
bbab206eac
Add CVE-2012-3579 - Symantec Messaging Gateway 9 Default SSH Pass
...
This module exploits a default misconfig flaw on Symantec Messaging
Gateway 9.5 (or older). The "support" user has a known default
password, which can be used to login to the SSH service, and then
gain privileged access from remote.
2012-09-05 13:21:10 -05:00
406202fc81
Added module for ZDI-12-174
2012-09-05 12:56:09 +02:00
99009da567
Merge branch 'mobilecartly_upload_exec' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-mobilecartly_upload_exec
2012-09-04 14:32:23 -05:00
e926bc16ba
Add MobileCartly 1.0 module
2012-09-04 14:23:16 -05:00
4a92cc4641
jboss_invoke_deploy module cleanup
2012-09-04 18:49:11 +02:00
cb40a0c362
Merge branch 'jboss-jmx-invoke-deploy' of https://github.com/h0ng10/metasploit-framework into h0ng10-jboss-jmx-invoke-deploy
2012-09-04 18:47:30 +02:00
783ffb13c2
Add Adobe security bulletin references
2012-09-04 00:07:53 -05:00
b3bfaec089
Add reference about the patch
2012-09-03 23:58:21 -05:00
9d97dc8327
Add Metasploit blogs as references, because they're useful.
2012-09-03 15:57:27 -05:00
2b6aa6bbdb
Added Exploit for deployfilerepository via JMX
2012-09-03 13:50:16 -04:00
9ab62de637
Fix a spelling error
2012-09-03 01:44:02 -05:00
943121dd61
Added module for CVE-2012-2611
2012-09-03 00:15:56 +02:00
d106a1150e
Be more clear that we dislike certain PDF templates
2012-08-31 14:07:58 -05:00
f48fbaccb0
Add Oracle's security alert
2012-08-30 14:04:16 -05:00
4758eb0dc3
Merge branch 'jvazquez-r7-taget_host_glassflish_deployer'
2012-08-30 12:18:02 -05:00
f99982a85e
added java as platform to avoid confussion between target and payload
2012-08-30 18:39:20 +02:00
4fd9f88304
avoid the redefinition of Module.target_host
2012-08-30 14:45:14 +02:00
f439f256b5
Debug line deleted on
2012-08-30 00:18:07 +02:00
c3159e369a
A lot gotcha
...
When res is nil, that condition can fall into the 'else' clause.
If that happens, we can trigger a bug when we try to read res.code.
2012-08-29 14:46:35 -05:00
b70e205a7e
Merge branch 'sap_host_control_cmd_exec' of https://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-sap_host_control_cmd_exec
2012-08-29 14:45:46 -05:00
5f64c55112
Update description
2012-08-29 11:10:35 -05:00
6a24e042f9
fixing indentation
2012-08-29 16:17:56 +02:00
2ed712949e
Added check function
2012-08-29 16:12:11 +02:00
72cb39925a
Added exploit for OSVDB 84821
2012-08-29 12:17:44 +02:00
363c0913ae
changed dir names according to CVE
2012-08-28 16:33:01 +02:00
34b12c4f55
Update CVE/OSVDB refs
2012-08-28 01:21:32 -05:00
6e2369680b
Safari added
2012-08-28 02:04:03 +02:00
30fd2cf256
Description updated
2012-08-28 02:01:26 +02:00
7e579db705
Add AlienVault reference
2012-08-27 13:29:27 -05:00
15a87a79f8
Add mihi's analysis
2012-08-27 13:24:43 -05:00
52ca1083c2
Added java_jre17_exec
2012-08-27 11:25:04 +02:00
8e56d4f2eb
This reference is too damn useful, must add
2012-08-25 16:05:58 -05:00
25ee8fd357
Run postgres.rb & postgres_payload through msftidy, and cleaned up the files
2012-08-25 01:44:49 +01:00
d51f8cad25
Change title and description
2012-08-24 15:39:56 -05:00
ea7d7b847a
Merge branch 'master' of github.com:rapid7/metasploit-framework
2012-08-24 11:17:14 -05:00
179e816194
Merge branch 'esva_bid' of https://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-esva_bid
2012-08-24 17:37:25 +02:00
8f748d833a
Added BID reference
2012-08-24 17:30:52 +02:00
e27f736e95
BID reference added
2012-08-24 17:29:12 +02:00
e461d542ac
added Windows 2003 SP1 Spanish targets
2012-08-24 12:50:30 +02:00
54ce7268ad
modules/exploits/windows/smb/ms08_067_netapi.rb
2012-08-24 11:30:23 +02:00
1a60abc7a7
Added W2003 SP2 Spanish targets
2012-08-24 11:16:08 +02:00
261a17d28a
Added module for CVE-2009-4498
2012-08-23 18:29:39 +02:00
57c6385279
heap spray from flash works pretty well on ie9 too
2012-08-22 20:47:11 +02:00
730c0e9368
added windows vista and w7 targets
2012-08-22 20:13:10 +02:00
22051c9c2c
Merge branch 'flash_exploit_r2' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-flash_exploit_r2
2012-08-22 10:00:34 -05:00
1b6fe22359
Give proper credit to Craig plus additional references
...
Craig first found the buffer overflow. But Matt found a more
reliable way to exploit the flaw.
2012-08-21 22:48:15 -05:00
d0b1fa33af
swapped out OptString for OptEnum
2012-08-22 02:20:13 +01:00
f715527423
Improve CVE-2012-1535
2012-08-21 19:58:21 -05:00
8218a60b32
other corrections
2012-08-22 00:08:59 +01:00
5cf7f22a13
corrections following on from jlee-r7 comments
2012-08-21 23:57:07 +01:00
0e535e6485
added module for XODA file upload RCE
2012-08-22 00:54:13 +02:00
7ddcc787bd
Merge branch 'jboss-exploits-revision2' of https://github.com/h0ng10/metasploit-framework into h0ng10-jboss-exploits-revision2
2012-08-21 14:37:09 -05:00
3106f87687
badchars fixed
2012-08-21 13:30:15 +02:00
e21ea6999c
added module for ESVA Command Injection Vulnerability
2012-08-21 13:25:03 +02:00
3da8a59cf0
a little cleanup plus complete metadata
2012-08-20 22:42:54 +02:00
d226135986
Code Review Feedback
...
Removed trailing spaces and fixed indenting.
2012-08-20 10:41:42 -04:00
d82493a658
Code Review Feedback
...
Added 'Space' payload option, which in turn also required 'DisableNops'
Added/Corrected documentation for return addresses
2012-08-19 22:09:08 -04:00
bd249d1f28
Fixed exploit and made code review changes
...
The exploit was not working due to the user's root path causing
the EIP offset to change. To correct this, I was able to get
the server to disclose the root path in an error message (fixed in
5.67). I also radically refactored the exploit due to the feedback
I received from Juan Vazquez.
2012-08-19 10:01:03 -04:00
6dfe706860
Merge remote-tracking branch 'upstream/master' into sysax_create_folder
2012-08-19 09:58:04 -04:00
d1370c0f33
Alexander Gavrun gets a cookie
2012-08-17 12:23:49 -05:00
53a835dc85
Imply that we only garantee 11.3
2012-08-17 12:18:45 -05:00
13df1480c8
Add exploit for CVE-2012-1535
2012-08-17 12:16:54 -05:00
a228e42630
Add new target thanks for cabetux
2012-08-15 16:06:09 -05:00
c6b9121f8b
Added support for CVE-2010-0738
2012-08-15 15:47:44 -04:00
ac2e3dd44e
Merge branch 'master' of github.com:rapid7/metasploit-framework
2012-08-15 14:47:22 -05:00
6965431389
Added support for CVE-2010-0738, msftidy
2012-08-15 15:47:14 -04:00
54146b8e99
Add another ref about the technique
2012-08-15 14:46:51 -05:00
e5498e3e1d
Added fix for CVE-2010-0738, corrections
2012-08-15 15:46:34 -04:00
f325d47659
Fix up description a little
2012-08-15 13:57:24 -05:00
586d937161
Msftidy fix and adding OSVDB
2012-08-15 13:43:50 -05:00
d56ac81a57
Recapitalizing GlobalSCAPE
...
According to
http://kb.globalscape.com/Search.aspx?Keywords=globalscape
this seems to be the preferred capitalization.
2012-08-15 13:25:35 -05:00
dc5f8b874d
Found a bug with retrying.
2012-08-14 17:04:17 -05:00
6a0271fb11
Correct OSX naming. See ticket #7182
2012-08-14 15:29:21 -05:00
0e4e7dc903
Indentation fix
2012-08-14 12:27:27 -05:00
6597d25726
Shortening an over-200 long line for readability
...
It's a contrived fix, but scrolling over is a hassle. This comes up a
lot in long regexes, not sure the best way to address these.
2012-08-14 12:27:27 -05:00
bfe2ed0737
Minor title update
2012-08-14 12:14:13 -05:00
ad2b457fda
Added linux port for postgres payload
2012-08-14 17:46:35 +01:00
1ec7f03352
Changes proposed by todb: description, author email, zip data random
2012-08-14 18:45:05 +02:00
3c79509780
Added module for BID 46375
2012-08-14 18:15:29 +02:00
3e0e5a1a75
No manual stuff, probably prones to failure anyway.
2012-08-14 10:58:57 -05:00
612848df6f
Add priv escalation mod for exploiting trusted service path
2012-08-14 01:55:03 -05:00
bd408fc27e
Updating msft links to psexec
...
Thanks for the spot @shuckins-r7 !
2012-08-13 15:28:04 -05:00
d6b28dc44d
ranking changed plus on_new_session handler added
2012-08-13 19:29:13 +02:00
468030786f
small fixes, mainly check res agains nil, res.code and use send_request_cgi
2012-08-13 18:57:59 +02:00
29c48be2ed
Merge branch 'testlink_upload_exec' of https://github.com/bcoles/metasploit-framework into bcoles-testlink_upload_exec
2012-08-13 18:54:33 +02:00
6059bb5710
Merge branch 'cyclope' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-cyclope
2012-08-13 11:40:46 -05:00
dfa00ac499
Merge branch 'zenworks_assetmgmt_uploadservlet' of https://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-zenworks_assetmgmt_uploadservlet
2012-08-13 11:39:15 -05:00
8bb3181f68
Add TestLink v1.9.3 arbitrary file upload module
2012-08-13 16:30:10 +09:30
f72f334124
Fix an odd issue with search due to use of the builtin Proxies option
2012-08-12 23:22:38 -05:00
f9b5f321cb
ADD OSVDB-84517
2012-08-12 17:56:18 -05:00
3711297719
dd Opt::Proxies and opthash[:proxies] to exploits
2012-08-12 16:29:39 -04:00
bf04e2dded
Added module for CVE-2011-2653
2012-08-12 18:27:56 +02:00
67cdea1788
Fix load order issues (again)
...
This is getting annoying. Some day we'll have autoload and never have
to deal with this.
2012-08-10 13:52:54 -06:00
b4b860f356
Correct MC's name
2012-08-08 14:16:02 -05:00
8587ff535a
Added exploit module for CVE-2009-1730
2012-08-08 16:28:03 +02:00
b46fb260a6
Comply with msftidy
...
*Knock, knock!* Who's there? Me, the msftidy nazi!
2012-08-07 15:59:01 -05:00
7221420267
When it hangs, it's actually the correct behavior, not a failure.
2012-08-07 15:00:08 -05:00
955a5af8cf
Adding OSVDB ref
2012-08-07 12:56:29 -05:00
ddcee6fee0
And the war between spaces and tabs goes on....
2012-08-07 12:36:53 -05:00
540f6253ef
Merge branch 'pbot_exec' of https://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-pbot_exec
2012-08-07 12:26:07 -05:00
57c32c9c7b
Slip Plixer's name in there, because it's their product.
2012-08-07 12:20:44 -05:00
sinn3r
James Lee
Rob Fuller
Michael Schierl
lincoln@corelan.be
sput-nick
Tod Beardsley
jvazquez-r7
Spencer McIntyre
kernelsmith
HD Moore
ethicalhack3r
bcoles
David Maloney
Ramon de C Valle
h0ng10
midnitesnake
Matt Andreko
RageLtMan