Commit Graph

9510 Commits (9d13df3a2584364494c27348e63fd873fbeed6f7)

Author SHA1 Message Date
join-us 6a00f2fc5a mv exploits/linux/http/struts_dmi_exec.rb to exploits/multi/http/struts_dmi_exec.rb 2016-05-01 00:00:29 +08:00
join-us ec66410fab add java_stager / windows_stager | exploit with only one http request 2016-04-30 23:56:56 +08:00
wchen-r7 73ac6e6fef
Land #6831, Add CVE-2016-3081 Apache struts s2_032 DMI Code Exec 2016-04-29 11:53:47 -05:00
wchen-r7 d6a6577c5c Default payload to linux/x86/meterpreter/reverse_tcp_uuid
Default to linux/x86/meterpreter/reverse_tcp_uuid for now because
of issue #6833
2016-04-29 11:52:50 -05:00
join-us 288975a9ce rm modules/exploits/multi/http/struts_dmi_exec.rb 2016-04-30 00:44:31 +08:00
Security Corporation 9d279d2a74 Merge pull request #15 from wchen-r7/pr6831
Changes for Apache struts from @wchen-r7
2016-04-30 00:37:53 +08:00
join-us 15ffae4ae8 rename module name 2016-04-30 00:17:26 +08:00
join-us 1d95a8a76d rename struts_code_exec_dynamic_method_invocation.rb to struts_dmi_exec.rb 2016-04-30 00:13:34 +08:00
wchen-r7 97061c1b90 Update struts_dmi_exec.rb 2016-04-29 11:13:25 -05:00
join-us 9e56bb8358 send http request (get -> post) 2016-04-30 00:08:00 +08:00
wchen-r7 e9535dbc5b Address all @FireFart's feedback 2016-04-29 11:03:15 -05:00
wchen-r7 6f6558923b Rename module as struts_dmi_exec.rb 2016-04-29 10:34:48 -05:00
join-us 643591546e struts s2_032 rce - linux_stager 2016-04-29 10:49:56 +08:00
William Vu c16a02638c Add Oracle Application Testing Suite exploit 2016-04-26 15:41:27 -05:00
William Vu 0cb555f28d Fix typo 2016-04-26 15:26:22 -05:00
wchen-r7 4a435e8d13
Bring hp_dataprotector_install_service up to date w/ upstream-master 2016-04-22 13:42:41 -05:00
wchen-r7 db1d973ef0 Cosmetic changes for hp_dataprotector_install_service 2016-04-22 13:41:18 -05:00
dmohanty-r7 67968e912c
Land #6785 Add CVE-2016-0854 Advantech WebAccess Arbitrary File Upload 2016-04-21 12:02:04 -05:00
504137480 c08872144f Update advantech_webaccess_dashboard_file_upload.rb 2016-04-21 09:33:03 +08:00
504137480 dcb9c83f98 Update advantech_webaccess_dashboard_file_upload.rb 2016-04-21 09:28:42 +08:00
Brent Cook 57cb8e49a2 remove overwritten keys from hashes 2016-04-20 07:43:57 -04:00
504137480 2400345fff Merge pull request #2 from open-security/advantech_webaccess_dashboard_file_upload
Advantech webaccess dashboard file upload
2016-04-19 12:59:32 +08:00
join-us 0407acc0ec add print_status with vuln_version? 2016-04-19 11:22:00 +08:00
join-us c88ddf1cc4 fix NilClass for res.body 2016-04-19 10:27:20 +08:00
thao doan fd603102db Land #6765, Fixed SQL error in lib/msf/core/exploit/postgres 2016-04-18 10:44:20 -07:00
xiaozhouzhou a895b452e6 fix 2016-04-19 00:21:26 +08:00
join-us ce9b692dd8 add print_status 2016-04-18 20:43:39 +08:00
join-us 7143668671 fix version_match 2016-04-18 20:31:32 +08:00
join-us 897238f3ec identify fingerpriint / make the code clear 2016-04-18 19:55:42 +08:00
504137480 7d1095bc08 Update advantech_webaccess_dashboard_file_upload.rb 2016-04-18 11:24:03 +08:00
504137480 47b5398152 Update advantech_webaccess_dashboard_file_upload.rb 2016-04-18 11:05:25 +08:00
504137480 ae23da39b8 Update advantech_webaccess_dashboard_file_upload.rb 2016-04-17 21:23:45 +08:00
504137480 ab9e988dd4 Update advantech_webaccess_dashboard_file_upload.rb 2016-04-17 21:15:03 +08:00
504137480 6c969b1c3b Update advantech_webaccess_dashboard_file_upload.rb 2016-04-17 18:49:56 +08:00
xiaozhouzhou 32192d3034 Advantech WebAccess Dashboard Viewer Arbitrary File Upload
Advantech WebAccess Dashboard Viewer Arbitrary File Upload
2016-04-17 11:29:06 +08:00
wchen-r7 a434622d21
Land #6769, Add CVE-2016-1593 Novell ServiceDesk Authenticated Upload 2016-04-15 18:59:37 -05:00
wchen-r7 92ef8f4ab3
Land #6751, Correct proftp version check at module runtime 2016-04-14 15:34:53 -05:00
Pedro Ribeiro 8dfe98d96c Add bugtraq reference 2016-04-14 10:23:53 +01:00
William Vu 252632a802 Use %w{} for a couple things
Why not? :)
2016-04-13 19:38:57 -05:00
William Vu de004d7da3 Line up some hash rockets 2016-04-13 19:32:35 -05:00
William Vu f8e4253e2f Add telnet to RequiredCmd
Baffles me that cmd/unix/reverse isn't cmd/unix/reverse_telnet.
2016-04-13 18:22:28 -05:00
William Vu 07ee18a62b Do something shady with the exploit method
Hat tip @acammack-r7.
2016-04-13 18:15:17 -05:00
William Vu 43e74fce9e Add Exim privesc 2016-04-13 17:51:20 -05:00
wchen-r7 1d1a495a93 Style check 2016-04-13 10:19:57 -05:00
Brendan Coles b61175c6b4 Add Dell Kace K1000 unauthenticated remote root exploit 2016-04-12 16:15:37 +00:00
Pedro Ribeiro 2dc4539d0d Change class name to MetasploitModule 2016-04-10 23:27:40 +01:00
Pedro Ribeiro 1fa7c83ca1 Create file for CVE-2016-1593 2016-04-10 23:17:07 +01:00
wchen-r7 6b4dd8787b Fix #6764, nil SQL error in lib/msf/core/exploit/postgres
Fix #6764
2016-04-08 15:20:04 -05:00
wchen-r7 28875313be Change class name to MetasploitModule 2016-04-08 14:27:52 -05:00
wchen-r7 ae46b5a688
Bring #6417 up to date with upstream-master 2016-04-08 13:41:40 -05:00
wchen-r7 c4aac2a54a Remove unwanted comments 2016-04-07 11:22:57 -05:00
James Lee 7658014fb7
Add CVEs 2016-04-07 08:39:29 -05:00
James Lee 87d59a9bfb
Add exploit for ExaGrid known credentials 2016-04-07 04:17:43 -05:00
William Vu 11bf1018aa Fix typo 2016-04-06 14:20:41 -05:00
William Vu a4ef9980f4
Land #6677, atutor_sqli update 2016-04-05 19:52:44 -05:00
William Vu d9d257cb1a Fix some things 2016-04-05 19:23:11 -05:00
greg.mikeska@rapid7.com 08736c798d
Correct proftp version check at module runtime 2016-04-05 13:06:10 -05:00
William Vu d23a1c4551 Bump deprecation date 2016-04-01 13:57:58 -05:00
William Vu 60bee16e8c Restore psexec_psh
See @jabra-'s comments on #6222.
2016-04-01 13:56:22 -05:00
wchen-r7 ae0aecdd03 Change class name for exploits/windows/ftp/pcman_put.rb 2016-03-31 19:36:02 -05:00
wchen-r7 de0e02549c
Bring #6507 up to date with upstream-master 2016-03-31 19:30:45 -05:00
wchen-r7 f3336c7003 Update windows/http/easyfilesharing_seh 2016-03-31 19:24:06 -05:00
wchen-r7 dd83757966
Bring #6488 up to date with upstream-master 2016-03-31 19:11:11 -05:00
thao doan 82cec68606 Land #6427, removes the deprecated psexec_psh module; please use exploit/windows/smb/psexec instead 2016-03-30 12:58:43 -07:00
William Vu dee9adbc50 Remove deprecated psexec_psh module 2016-03-30 14:35:47 -05:00
wchen-r7 c7e63c3452
Land #6694, Add Apache Jetspeed exploit
CVE-2016-0710
CVE-2016-0709
2016-03-30 11:17:21 -05:00
wchen-r7 74f25f04bd Make sure to always print the target IP:Port 2016-03-30 11:16:41 -05:00
William Vu 2b90846268 Add Apache Jetspeed exploit 2016-03-23 19:22:32 -05:00
wchen-r7 102d28bda4 Update atutor_filemanager_traversal 2016-03-22 14:44:07 -05:00
wchen-r7 9cb43f2153 Update atutor_filemanager_traversal 2016-03-22 14:42:36 -05:00
Steven Seeley 3842009ffe Add ATutor 2.2.1 Directory Traversal Exploit Module 2016-03-22 12:17:32 -05:00
h00die ebc7316442 Spelling Fix
Fixed Thorugh to Through
2016-03-19 13:58:13 -04:00
wchen-r7 31279291c2 Resolve merge conflict for ie_unsafe_scripting.rb 2016-03-17 14:42:36 -05:00
wchen-r7 b1b68294bb Update class name 2016-03-17 14:41:23 -05:00
wchen-r7 7b2d717280 Change ranking to manual and restore BAP2 count to 21
Since the exploit requires the target to be configured manually,
it feel more appropriate to be ManualRanking.
2016-03-17 14:39:28 -05:00
James Lee 1375600780
Land #6644, datastore validation on assignment 2016-03-17 11:16:12 -05:00
James Lee af642379e6
Fix some OptInts 2016-03-16 14:13:18 -05:00
Brent Cook 1769bad762 fix FORCE logic 2016-03-16 09:53:09 -05:00
Brent Cook d70308f76e undo logic changes in adobe_flas_otf_font 2016-03-16 09:52:21 -05:00
wchen-r7 5ef8854186 Update ATutor - Remove Login Code 2016-03-15 17:37:37 -05:00
Adam Cammack 05f585157d
Land #6646, add SSL SNI and unify SSLVersion opts 2016-03-15 16:35:22 -05:00
l0gan e29fc5987f Add missing stream.raw for hp_sitescope_dns_tool
This adds the missing stream.raw.
2016-03-15 11:06:06 -05:00
Brent Cook a50b21238e
Land #6669, remove debug code from apache_roller_ognl_injection that breaks Windows 2016-03-13 14:14:10 -05:00
Brent Cook 23eeb76294
update php_utility_belt_rce to use MetasploitModule 2016-03-13 13:59:47 -05:00
Brent Cook a6316d326e
Land #6662, update disclosure date for php_utility_belt_rce 2016-03-13 13:58:04 -05:00
Brent Cook dabe5c8465
Land #6655, use MetasploitModule as module class name 2016-03-13 13:48:31 -05:00
wchen-r7 b22a057165 Fix #6554, hardcoded File.open path in apache_roller_ognl_injection
The hardcoded File.open path was meant for debugging purposes during
development, but apparently we forgot to remove it. This line causes
the exploit to be unusable on Windows platform.

Fix #6554
2016-03-11 18:48:17 -06:00
Jay Turla 8953952a8f correction for the DisclosureDate based on Exploit-DB 2016-03-11 14:05:26 +08:00
James Barnett 7009682100
Landing #6659, Fix bug in MS08-067 related to incorrect service pack identification when fingerprinting 2016-03-10 14:29:29 -06:00
William Vu 8d22358892
Land #6624, PHP Utility Belt exploit 2016-03-09 14:12:45 -06:00
William Vu 52d12b68ae Clean up module 2016-03-09 14:08:26 -06:00
wchen-r7 179d38b914 Fix #6658, MS08-067 unable to find the right target for W2k3SP0
Fix #6658.

When there is no service pack, the
Msf::Exploit::Remote::SMB#smb_fingerprint_windows_sp method returns
an empty string. But in the MS08-067 exploit, instead of check an
empty string, it checks for "No Service Pack", which causes it to
never detect the right target for Windows Server 2003 SP0.
2016-03-09 11:05:34 -06:00
Christian Mehlmauer 3123175ac7
use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00
Brent Cook f703fa21d6 Revert "change Metasploit3 class names"
This reverts commit 666ae14259.
2016-03-07 13:19:55 -06:00
Brent Cook 44990e9721 Revert "change Metasploit4 class names"
This reverts commit 3da9535e22.
2016-03-07 13:19:48 -06:00
Christian Mehlmauer 3da9535e22
change Metasploit4 class names 2016-03-07 09:57:22 +01:00
Christian Mehlmauer 666ae14259
change Metasploit3 class names 2016-03-07 09:56:58 +01:00
Brent Cook eea8fa86dc unify the SSLVersion fields between modules and mixins
Also actually handle the 'Auto' option that we had in the crawler and remove
hardcoded defaults in modules that do not need them.
2016-03-06 22:06:27 -06:00
Brent Cook a2c3b05416
Land #6405, prefer default module base class of simply 'Metasploit' 2016-03-06 17:10:55 -06:00
Brent Cook c7c0e12bb3 remove various module hacks for the datastore defaults not preserving types 2016-03-05 23:11:39 -06:00
William Vu 71b034a566
Land #6627, atutor_sqli regex fix 2016-03-03 16:54:38 -06:00
wchen-r7 ba4e0d304b Do regex \d+ instead 2016-03-03 11:05:16 -06:00
wchen-r7 22b69c8dee
Land #6588, Add AppLocker Execution Prevention Bypass module 2016-03-01 22:30:23 -06:00
wchen-r7 a798581fa3 Update #get_dotnet_path 2016-03-01 22:25:40 -06:00
net-ninja cda4c6b3b3 Update the regex for the number of students in ATutor 2016-03-01 09:41:17 -06:00
Jay Turla 62a611a472 Adding PHP Utility Belt Remote Code Execution 2016-03-01 09:22:25 +08:00
wchen-r7 274b9acb75 rm #push 2016-02-29 18:58:05 -06:00
wchen-r7 f55835cceb Merge new code changes from mr_me 2016-02-29 18:39:52 -06:00
wchen-r7 638d91197e Override print_* to always print the IP and port 2016-02-29 16:18:03 -06:00
wchen-r7 54ede19150 Use FileDropper to cleanup 2016-02-29 16:15:50 -06:00
wchen-r7 727a119e5b Report cred 2016-02-29 16:06:31 -06:00
wchen-r7 4cc690fd8d Let the user specify username/password 2016-02-29 15:45:33 -06:00
wchen-r7 726c1c8d1e There is no http_send_command, so I guess the check should not work 2016-02-29 15:43:47 -06:00
net-ninja a3fa57c8f6 Add CVE-2016-2555: ATutor 2.2.1 SQL Injection Exploit Module 2016-02-29 14:59:26 -06:00
wchen-r7 7731fbf48f
Land #6530, NETGEAR ProSafe Network Management System 300 File Upload 2016-02-26 10:39:09 -06:00
wchen-r7 6188da054d Remove // 2016-02-25 22:20:48 -06:00
Pedro Ribeiro 044b12d3a4 Made style changes requested by OJ and others 2016-02-23 15:14:04 +07:00
nixawk 138e48b202 Fix vuln_version? 2016-02-22 00:39:44 +08:00
nixawk 53a52fafd5 make code to be readable / rebuild / testing 2016-02-22 00:34:49 +08:00
Micheal 3e22de116f Changes to fix peer and style as recommended by jhart-r7. 2016-02-20 13:53:32 -08:00
Brent Cook bc7bf28872
Land #6591, don't require username for wrt110 cmd exec module 2016-02-18 20:20:15 -06:00
joev 3b9502cb1d Don't require username in wrt110 module. 2016-02-18 18:45:04 -06:00
OJ 6d88c26474 Change title, and remove requires 2016-02-18 14:26:38 +10:00
OJ 2ae1e6df7d Address concerns from @wvu-r7 2016-02-18 14:21:35 +10:00
OJ 2f4ec0af31 Add module for AppLocker bypass
This commit includes a new module that allows for payloads to be
uploaded and executed from disk while bypassing AppLocker in the
process. This module is useful for when you're attempting to generate
new shells on the target once you've already got a session. It is also
a handy way of switching between 32 and 64 bit sessions (in the case of
the InstallUtil technique).

The code is taken from Casey Smith's AppLocker bypass research (added in
the references), and includes just one technique at this point. This
technique uses the InstallUtil feature that comes with .NET. Other
techiques can be added at any time.

The code creates a C# file and uploads it to the target. The csc.exe
compiler is used to create a .NET assembly that contains an uninstaller
that gets invoked by InstallUtil behind the scenes. This function is
what contains the payload.

This was tested on Windows 7 x64. It supports running of both 32 and 64
bit payloads out of the box, and checks to make sure that .NET is
installed on the target as well as having a payload that is valid for
the machine (ie. don't run x64 on x86 OSes).

This appears to work fine with both staged and stageless payloads.
2016-02-18 13:46:32 +10:00
Starwarsfan2099 ffce1cc321 Update easyfilesharing_seh.rb 2016-02-15 22:43:28 -05:00
Brent Cook 3d1861b3f4 Land #6526, integrate {peer} string into logging by default 2016-02-15 15:19:26 -06:00
William Vu fc491ffa3e
Land #6555, Content-Length fix for HP modules 2016-02-10 10:39:08 -06:00
William Vu 5b3fb99231
Land #6549, module option for X-Jenkins-CLI-Port 2016-02-10 10:34:33 -06:00
William Vu c67360f436 Remove extraneous whitespace 2016-02-10 09:44:01 -06:00
wchen-r7 8a3bc83c4d Resolve #6553, remove unnecessary content-length header
Rex will always generate a content-length header, so the module
doesn't have to do this anymore.

Resolve #6553
2016-02-09 21:25:56 -06:00
Brent Cook c590fdd443
Land #6501, Added Dlink DCS Authenticated RCE Module 2016-02-09 17:19:33 -06:00
wchen-r7 1d6b782cc8 Change logic
I just can't deal with this "unless" syntax...
2016-02-08 18:40:48 -06:00
wchen-r7 d60dcf72f9 Resolve #6546, support manual config for X-Jenkins-CLI-Port
Resolve #6546
2016-02-08 18:16:48 -06:00
wchen-r7 4cea6c0236 Update ie_unsafe_scripting to use BrowserExploitServer
This patch updates the ie_unsafe_scripting exploit to use the
BrowserExploitServer mixin in order to implement a JavaScript check.
The JS check allows the exploit to determine whether or not it is
in the poorly configured zone before firing.

It also adds another datastore option to carefully avoid IEs that
come with Protected Mode enabled by default. This is even though
IE allows unsafe ActiveX, PM could still block the malicious VBS or
Powershell execution by showing a security prompt. This is not ideal
during BrowserAutopwn.

And finally, since BAP2 can automatically load this exploit, we
bump the MaxExploitCount to 22 to continue favoring the
adobe_flash_uncompress_zlib_uninitialized module to be on the
default list.

Resolves #6341 for the purpose of better user experience.
2016-02-04 15:12:57 -06:00
Pedro Ribeiro 1f4324f686 Create file for CERT VU 777024 2016-02-04 07:54:16 +08:00
Chris Higgins b979128a2e Added OSVBD ID thanks to @shipcod3 2016-02-01 17:11:46 -06:00
James Lee 12256a6423
Remove now-redundant peer
These all include either Msf::Exploit::Remote:Tcp or Msf::Exploit::Remote:HttpClient
2016-02-01 15:12:03 -06:00
wchen-r7 110a4840e9
Land #6491, Shrink the size of ms08_067 so that it again works w/ bind_tcp 2016-01-29 11:03:03 -06:00
Micheal b049debef0 Fixes as recommended in the PR discussion. 2016-01-28 23:29:01 -08:00
Nicholas Starke d51be6e3da Fixing typo
This commit fixes a typo in the word "service"
2016-01-28 16:44:42 -06:00
Nicholas Starke 1ef7aef996 Fixing User : Pass delimiter
As per the PR comments, this commit replaces the user and
pass delimiter from "/" to ":"
2016-01-27 17:20:58 -06:00
Louis Sato f6f2e1403b
Land #6496, specify scripting language - elastic search 2016-01-27 15:42:47 -06:00
wchen-r7 51efb2daee
Land #6422, Add support for native target in Android webview exploit 2016-01-27 14:27:41 -06:00
Chris Higgins 2df458c359 Few updates per OJ and wvu 2016-01-26 23:19:18 -06:00
Chris Higgins 3cab27086f Added PCMan FTP PUT Buffer Overflow Exploit 2016-01-26 17:09:31 -06:00
Nicholas Starke 4560d553b5 Fixing more issues from comments
This commit includes more minor fixes from the github
comments for this PR.
2016-01-24 19:43:02 -06:00
Nicholas Starke d877522ea5 Fixing various issues from comments
This commit fixes issues with specifying "rhost:rport",
replacing them instead with "peer".  Also, a couple of
"Unknown" errors were replaced with "UnexpectedReply".
2016-01-23 13:43:09 -06:00
Nicholas Starke a5a2e7c06b Fixing Disclosure Date
Disclosure date was in incorrect format, this commit
fixes the issue
2016-01-23 11:41:05 -06:00
Nicholas Starke 8c8cdd9912 Adding Dlink DCS Authenticated RCE Module
This module takes advantage of an authenticated HTTP RCE
vulnerability to start telnet on a random port. The module
then connects to that telnet session and returns a shell.
This vulnerability is present in version 2.01 of the firmware
and resolved by version 2.12.
2016-01-23 11:15:23 -06:00
William Vu d6facbe339
Land #6421, ADB protocol and exploit 2016-01-22 20:45:44 -06:00
William Vu 1b386fa7f1 Add targets to avoid ARCH_ALL payload confusion 2016-01-22 16:45:10 -06:00
Christian Mehlmauer 51eb79adc7 first try in changing class names 2016-01-22 23:36:37 +01:00
Starwarsfan2099 ad93d11868 Delete easyfilesharing_seh.rb 2016-01-22 13:04:14 -05:00
Starwarsfan2099 45c88d3189 Create easyfilesharing_seh.rb 2016-01-22 13:04:03 -05:00
Starwarsfan2099 76a8899d59 Delete EasyFileSharing_SEH.rb 2016-01-22 12:39:44 -05:00
wchen-r7 b02c762b93 Grab zeroSteiner's module/jenkins-cmd branch 2016-01-22 10:17:32 -06:00
Lutz Wolf 99de466a4d Bugfix: specify scripting language 2016-01-22 15:00:10 +01:00
Brent Cook dc6dd55fe4 Shrink the size of ms08_067 so that it again works with bind_tcp
In #6283, we discovered that ms08_067 was busted with reverse_tcp. The
solution was to bump the amount of space needed to help with encoding.
However, we flew a little too close to the sun, and introduced a
regression with bind_tcp on Windows XP SP2 EN where the payload stages
but does not run.

This shrinks the payload just enough to make bind_tcp work again, but
reverse_tcp also continues to work as expected.
2016-01-21 19:37:09 -06:00
Starwarsfan2099 1a80878054 Create easyfilesharing_seh.rb 2016-01-21 13:46:43 -05:00
Starwarsfan2099 9b43876270 Create EasyFileSharing_SEH.rb 2016-01-20 18:18:00 -05:00
rastating a7cd5991ac Add encoding of the upload path into the module 2016-01-17 22:44:41 +00:00
rastating 5660c1238b Fix problem causing upload to fail on versions 1.2 and 1.3 of theme 2016-01-17 18:44:00 +00:00
William Vu fec75c1daa
Land #6457, FileDropper for axis2_deployer 2016-01-14 15:10:05 -06:00
Brent Cook 37178cda06
Land #6449, properly handle HttpServer resource collisions 2016-01-14 12:15:18 -06:00
William Vu 7e1446d8fa
Land #6400, iis_webdav_upload_asp improvements 2016-01-14 12:12:33 -06:00
Rory McNamara 0216d027f9 Use OptEnum instead of OptString 2016-01-14 09:06:45 +00:00
Rory McNamara 564b4807a2 Add METHOD to simple_backdoors_exec 2016-01-13 14:42:11 +00:00
Rory McNamara 889a5d40a1 Add VAR to simple_backdoors_exec 2016-01-13 13:46:26 +00:00
wchen-r7 315d079ae8
Land #6402, Add Post Module for Windows Priv Based Meterpreter Migration
We are also replacing smart_migrate with this.
2016-01-13 01:21:32 -06:00
wchen-r7 6deb57dca3 Deprecate post/windows/manage/smart_migrate and other things
This includes:

* Give credit to thelightcosine in priv_migrate
* Deprecate smart_migrate
* Update InitialAutoRunScript for winrm_script_exec
2016-01-12 23:14:13 -06:00
wchen-r7 514199e88f Register early so the cleanup can actually rm the file 2016-01-12 15:22:03 -06:00
benpturner c5773b1a02 Removal of spaces found with msftidy 2016-01-12 17:04:50 +00:00
benpturner 9d64edc16f New module to exploit the Install Service vulnerability inside data protector. I released this vulnearbility on exploit DB some years back but Metasploit didnt support setting up a SMB server at the time. I have re-submitted this module to exploit the vulnerability. I have tested this on Windows Server 2003 and it works without fail. 2016-01-12 16:53:26 +00:00
wchen-r7 78bc394f80 Fix #6268, Use FileDropper for axis2_deployer
Fix #6268
2016-01-08 17:09:09 -06:00
wchen-r7 6a2b4c2530 Fix #6445, Unexpected HttpServer terminations
Fix #6445

Problem:
When an HttpServer instance is trying to register a resource that
is already taken, it causes all HttpServers to terminate, which
is not a desired behavior.

Root Cause:
It appears the Msf::Exploit::Remote::TcpServer#stop_service method
is causing the problem. When the service is being detected as an
HttpServer, the #stop method used actually causes all servers to
stop, not just for a specific one. This stopping route was
introduced in 04772c8946, when Juan
noticed that the java_rmi_server exploit could not be run again
after the first time.

Solution:
Special case the stopping routine on the module's level, and not
universal.
2016-01-07 16:55:41 -06:00
joev 22a0d970da Don't delete the payload after running. 2016-01-07 02:26:01 -06:00
joev fb99c61089 Remove print_status statement. 2016-01-07 01:17:49 -06:00
joev 210f065427 Add a background option for the echo cmdstager. 2016-01-07 01:16:08 -06:00
Micheal 436ea85b18 Further cleanup and fixes 2016-01-05 21:11:08 -08:00
g0tmi1k d7061e8110 OCD fixes 2016-01-05 23:28:56 +00:00
wchen-r7 7259d2a65c Use unless instead of if ! 2016-01-05 13:05:01 -06:00
Brendan Coles 7907c93047 Add D-Link DCS-931L File Upload module 2016-01-05 04:15:38 +00:00
joev 00dc6364b5 Add support for native target in addjsif exploit. 2016-01-03 01:07:36 -06:00
joev 0436375c6f Change require to module level. 2016-01-02 23:06:23 -06:00
joev 3a14620dba Update linemax to match max packet size. 2016-01-02 23:00:46 -06:00
joev d64048cd48 Rename to match gdb_server_exec module. 2016-01-02 22:45:27 -06:00
joev dcd36b74db Last mile polish and tweaks. 2016-01-02 22:41:38 -06:00
joev 22aae81006 Rename to exec_payload. 2016-01-02 14:13:54 -06:00
joev 6575f4fe4a Use the cmdstager mixin. 2016-01-02 14:09:56 -06:00
joev a88471dc8d Add ADB client and module for obtaining shell. 2016-01-02 01:13:53 -06:00
Micheal 5c9c27691e Execute commands on postgres through built-in functionality 2016-01-01 04:26:20 -08:00
Micheal 2fd796a699 Execute commands on postgres through built-in functionality 2016-01-01 03:51:00 -08:00
Micheal 814bf2a102 Execute commands on postgres through built-in functionality 2016-01-01 02:43:56 -08:00
Micheal fa3431c732 Pushing now. Still working on it. 2015-12-26 17:53:52 -05:00
g0tmi1k 9120a6aa76 iis_webdav_upload_asp: Add COPY and a few other tricks 2015-12-26 16:01:46 +00:00
Jon Hart 283cf5b869
Update msftidy to catch more potential URL vs PACKETSTORM warnings
Fix the affected modules
2015-12-24 09:12:24 -08:00
Jon Hart 27a6aa0be1
Fix current msftidy warnings about PACKETSTORM vs URL 2015-12-24 09:05:02 -08:00
Jon Hart efdb6a8885
Land #6392, @wchen-r7's 'def peer' cleanup, fixing #6362 2015-12-24 08:53:32 -08:00
Jon Hart 0f2f2a3d08
Remove peer; included via Exploit::Remote::Tcp in lib/msf/core/exploit/mysql.rb 2015-12-24 07:46:55 -08:00