8819674522
updated per feedback from PR
2015-07-11 21:03:02 -04:00
bff92f2304
Initial add
2015-07-10 21:13:12 -04:00
1d50bda609
initial add of blank file
2015-06-27 21:38:25 -04:00
a10fa02b00
Land #5606 , @wchen-r7's glassfish fixes
2015-06-26 14:12:50 -05:00
3b5e2a0c6e
Use TARGETURI
2015-06-26 14:02:17 -05:00
b46e1be22f
Land #5371 , Add file checking to the on_new_session cleanup
2015-06-26 13:33:57 -05:00
c70e38a14e
Do more reporting
2015-06-25 22:39:56 -05:00
5ef4cc2bb4
Save creds
2015-06-25 17:10:20 -05:00
1a371b11b0
Update description
2015-06-25 17:04:31 -05:00
c330d10403
Make SSL as a basic option
...
Also:
Fix #5558
2015-06-25 02:06:51 -05:00
5c98da05fb
This works for Glassfish 4.0 & 9.1
2015-06-25 01:58:24 -05:00
c826785ebb
Fix auth bypass
2015-06-24 19:49:04 -05:00
8e4fa80728
This looks good so far
2015-06-24 19:30:02 -05:00
380af29482
Progress?
2015-06-24 14:17:45 -05:00
6046994138
version does not return nil
2015-06-23 10:31:01 -05:00
ea49fd2fdc
Update sysaid_rdslogs_fle_upload.rb
2015-06-20 16:59:28 +01:00
3181d76e63
Update sysaid_auth_file_upload.rb
2015-06-20 16:53:33 +01:00
b994801172
Revert auto tab replacement
2015-06-19 11:22:40 -05:00
ce9481d2b7
Inconstancy - If datastore['VERBOSE'] vs vprint
2015-06-18 09:27:01 +01:00
d5b33a0074
Update sysaid_rdslogs_fle_upload.rb
2015-06-03 22:01:13 +01:00
37827be10f
Update sysaid_auth_file_upload.rb
2015-06-03 22:00:44 +01:00
62993c35d3
Create sysaid_rdslogs_fle_upload.rb
2015-06-03 21:45:14 +01:00
193b7bcd2e
Create sysaid_auth_file_upload.rb
2015-06-03 21:44:02 +01:00
0fb21af247
Verify deletion at on_new_session moment
2015-05-11 18:56:18 -05:00
71518ef613
Land #5303 , metasploit-payloads Java binaries
2015-05-07 22:39:54 -05:00
2f2169af90
Use single quotes consistently
2015-05-07 22:39:36 -05:00
a066105a86
prefer reading directly with MetasploitPayloads where possible
2015-05-07 16:59:02 -05:00
b8c7161819
Fix up NameError'd payload_exe
2015-05-06 11:34:05 -05:00
a0c806c213
Update java meterpreter and payload references to use metasploit-payloads
2015-05-05 15:01:00 -05:00
a531ad9ec2
Land #5096 , @pedrib's exploit for Novell ZCM CVE-2015-0779
2015-05-01 14:35:28 -05:00
0ff33572a7
Fix waiting loop
2015-05-01 14:34:43 -05:00
645f239d94
Change module filename
2015-05-01 14:18:34 -05:00
11a3f59b0b
Return false if there isn't a positive answer
2015-05-01 14:06:57 -05:00
093c2e3ace
Do minor style cleanup
2015-05-01 13:56:48 -05:00
d38adef5cc
Make TOMCAT_PATH optional
2015-05-01 13:54:39 -05:00
d2a7d83f71
Avoid long sleep times
2015-05-01 13:51:52 -05:00
8fcf0c558d
Use single quotes
2015-05-01 13:20:27 -05:00
4224008709
Delete print_debug/vprint_debug
2015-04-21 11:14:03 -05:00
4f903a604c
Fix #5103 , Revert unwanted URI encoding
...
Fix #5103 . By default, Httpclient will encode the URI but
we don't necessarily want that. These modules originally
didn't use URI encoding when they were written so we should
just keep them that way.
2015-04-17 13:59:49 -05:00
352e170624
more failure reasons
2015-04-16 22:04:11 +02:00
8c5890d506
more fixes
2015-04-16 21:56:42 +02:00
ba6548db75
be consistent about naming
2015-04-16 21:44:56 +02:00
4dc402fd3c
moar fail_with's
2015-04-16 21:16:52 +02:00
c6f062d49e
Ensure that local variable `upload_path` is defined
...
Merge `upload_payload` and `parse_upload_response` so that the
`upload_path` variable is defined for use in error messages in the event
of failure.
2015-04-10 10:58:20 +01:00
4808d61af3
Add OSVDB id and full disclosure URL
2015-04-09 16:32:22 +01:00
cf8b92b747
Create zcm_file_upload.rb
2015-04-07 16:05:51 +01:00
e1af495d21
Add extra release fixes
2015-04-06 13:08:40 -05:00
1e6d895975
Description fixes on #4784 , jboss exploit
...
Also, needed to run through msftidy.
[See #4784 ]
2015-04-06 12:34:49 -05:00
56dc7afea6
Land #5068 , @todb-r7's module author cleanup
2015-04-03 16:00:36 -05:00
0f7c644fff
Land #4784 , JBoss Seam 2 upload exec exploit
2015-04-02 22:32:35 -05:00
4bbec88882
Various other one-off nonhuman author credits
...
[See #5012 ]
2015-04-02 15:25:47 -05:00
6532fad579
Remove credits to Alligator Security Team
...
All but one of these modules credits both a team name and individual
team members. We should just be crediting team members. The domain
persists in all the other credits.
The one that didn't was credited to dflah_ specifically, so merely
changed the author name.
Longer description, if needed, wrapped at 72 characters.
[See #5012 ]
2015-04-02 15:12:22 -05:00
127d07342e
Remove trailing space
2015-03-20 01:36:56 +00:00
7426e72317
Grammar - traq_plugin_exec
2015-03-20 01:31:01 +00:00
5709d49aae
Clean up traq_plugin_exec
2015-03-20 01:19:46 +00:00
b6146b1499
Use print_warning
2015-03-12 17:22:03 -05:00
fe822f8d33
Modify automatic file cleanup
2015-03-10 00:45:20 +01:00
0ef303cb6c
Fix Java payload
2015-03-10 00:01:27 +01:00
2eb0011a99
Autotrigger JSP shell at docBase
2015-03-07 20:41:08 +01:00
3be2bde5a2
Use bypass for bulletin S2-020
2015-03-07 19:14:20 +01:00
9f3f8bb727
Merging #3323 work
2015-03-05 15:44:15 -06:00
c388fd49c2
Fix print message
2015-03-05 15:43:54 -06:00
e1a4b046a0
Add support for tomcat 7 to struts_code_exec_classloader
2015-03-05 15:40:24 -06:00
8978b1d7b5
Add a version
2015-03-05 11:29:44 -06:00
32188f09d6
Update phpmoadmin_exec.rb
...
Changes:
Added required comment at the top of the file;
Changed Class name "Metasploit3" >> "Metasploit4";
Standard name/email format for public PoC author.
2015-03-05 12:56:08 +00:00
95962aab0d
Update phpmoadmin_exec.rb
...
Changes:
"Check if vulnerable" code improvement;
Payload delivery code improvement;
Minor indent issues.
Thanks for your feedback guys :)
2015-03-05 12:46:53 +00:00
9530e15c81
Update phpmoadmin_exec.rb
...
Changes:
Changed description section;
Changed 'URL' to 'EDB' in references section;
Added newline at the end.
2015-03-04 21:59:08 +00:00
c19895ac85
Update phpmoadmin_exec.rb
...
Changes:
Added new URL;
Added CVE number;
Corrected the disclosure date;
Corrected the normalize_uri() function syntax.
2015-03-04 21:31:44 +00:00
4d67e0e1bb
Add PHPMoAdmin RCE
2015-03-04 18:17:31 +00:00
69b37976c1
Fix disclosure date.
2015-02-17 17:29:52 -08:00
a19a5328f1
Add JBoss Seam 2 upload execute module
...
Versions of the JBoss Seam 2 framework < 2.2.1CR2 fails to properly
sanitize inputs to some JBoss Expression Language expressions. As a
result, attackers can gain remote code execution through the
application server. This module leverages RCE to upload and execute
a meterpreter payload. CVE-2010-1871
2015-02-17 17:25:01 -08:00
1f4fdb5d18
Update from master
2015-02-10 10:47:17 -06:00
a7156cf4a8
Fix zabbix_script_exec datastore
2015-02-05 02:53:22 -06:00
fbf32669c6
Use single quote
2015-02-04 09:47:27 -06:00
de09559cc8
Change HTTP requests to succeed when going through HTTP proxies
2015-02-04 15:32:14 +01:00
f983c8171e
Modify description to match both Struts 1.x and 2.x versions
2015-01-30 12:35:38 +01:00
1a11ae4021
Add new references about Struts 1
2015-01-29 23:27:52 +01:00
4cc5844baf
Add Struts 1 support
2015-01-29 23:12:34 +01:00
bae19405a7
Various grammar, spelling, word choice fixes
2015-01-26 11:00:07 -06:00
d8aa282482
Delete some double quotes
2015-01-22 18:21:25 -06:00
4c72b096b6
Switch variable from file_name to operation
2015-01-22 18:20:11 -06:00
b003d8f750
Do final cleanup
2015-01-22 18:17:14 -06:00
911485f536
Use easier key name
2015-01-22 18:11:48 -06:00
eff49b5fd3
Delete files with Rex::Java::Serialization
2015-01-22 17:59:43 -06:00
37bf66b994
Install instaget with Rex::Java::Serialization
2015-01-22 16:54:49 -06:00
20d7fe631e
Auto detect platform without raw streams
2015-01-22 15:15:08 -06:00
ad276f0d52
Retrieve version with Rex::Java::Serialization instead of binary streams
2015-01-22 14:52:19 -06:00
f7aaad1cf1
Delete some extraneous commas
2015-01-19 17:25:45 -06:00
dbc77a2857
Land #4517 , @pedrib's exploit for ManageEngine Multiple Products Authenticated File Upload
...
* CVE-2014-5301
2015-01-19 17:23:39 -06:00
6403098fbc
Avoid sleep(), survey instead
2015-01-19 17:22:04 -06:00
a6e351ef5d
Delete unnecessary request
2015-01-19 17:14:23 -06:00
ed26a2fd77
Avoid modify datastore options
2015-01-19 17:11:31 -06:00
3c0efe4a7e
Do minor style changes
2015-01-19 15:36:05 -06:00
ddda0b2f4b
Beautify metadata
2015-01-19 14:59:31 -06:00
3768cf0a69
Change version to int and add proper timestamp
2015-01-14 22:59:11 +00:00
c5cfc11d84
fix cookie regex by removing a space
2015-01-12 23:13:18 -05:00
c76aec60b0
Add OSVDB id and full disclosure URL
2015-01-08 23:29:38 +00:00
ea793802cc
Land #4528 , mantisbt_php_exec improvements
2015-01-08 04:50:00 -06:00
ef97d15158
Fix msftidy and make sure all print_*s in check() are vprint_*s
2015-01-07 12:12:25 -06:00
3e80efb5a8
Land #4521 , Pandora FMS upload
2015-01-07 11:13:57 -06:00
1ccef7dc3c
Shorter timeout so we get shell sooner
...
The request to execute our payload will never return, so waiting for the
default timeout (20 seconds) is pointless.
2015-01-07 11:11:33 -06:00
efe83a4f31
Whitespace
2015-01-07 10:19:17 -06:00
09bd0465cf
fix regex
2015-01-07 11:54:55 +01:00
b3def856fd
Applied changes recommended by jlee-r7
...
used Rex::ConnectionError
refactor begin/rescue blocks
removed ::URI::InvalidURIError
changed @peer with peer
used Exploit::CheckCode:Appears instead of Exploit::CheckCode::Vulnerable
2015-01-07 18:38:19 +08:00
eaad4e0bea
fix check method
2015-01-07 11:01:08 +01:00
862af074e9
fix bug
2015-01-07 09:10:50 +01:00
d007b72ab3
favor include? over =~
2015-01-07 07:33:16 +01:00
4277c20a83
use include?
2015-01-07 06:51:28 +01:00
39e33739ea
support for anonymous login
2015-01-07 00:08:04 +01:00
bf0bdd00df
added some links, use the res variable
2015-01-06 23:25:11 +01:00
f9f2bc07ac
some improvements to the mantis module
2015-01-06 11:33:45 +01:00
547b7f2752
Syntax and File Upload BugFix
...
Fix unexpected ) in line 118
Fix file cleanup missing _
Fix more robust version check script
Fix file upload
2015-01-05 19:23:22 +08:00
c9b76a806a
Create manageengine_auth_upload.rb
2015-01-04 17:05:53 +00:00
c1718fa490
Land #4440 , git client exploit from @jhart-r7
...
Also fixes #4435 and makes progress against #4445 .
2015-01-01 13:18:43 -06:00
d7564f47cc
Move Mercurial option to advanced, update ref url
...
See #4440
2015-01-01 13:08:36 -06:00
914c724abe
Rename module
...
See rapid7#4440
2015-01-01 13:03:17 -06:00
65977c9762
Add some more useful URLs
2014-12-31 10:54:04 -08:00
96fe693c54
update drupal regex
2014-12-30 09:12:39 +01:00
51049152b6
Use Rex::Text.rand_mail_address for more realistic fake commit
2014-12-26 10:39:52 -08:00
a692656ab7
Update comments to reflect reality, minor cleanup
2014-12-23 19:09:45 -08:00
59f75709ea
Print out malicious URLs that will be used by default
2014-12-23 10:10:31 -08:00
905f483915
Remove unused and commented URIPATH
2014-12-23 09:40:27 -08:00
8e57688f04
Use random URIs by default, different method for enabling/disabling Git/Mercurial
2014-12-23 09:39:39 -08:00
bd3dc8a5e7
Use fail_with rather than fail
2014-12-23 08:20:03 -08:00
015b96a24a
Add back perl and bash related payloads since Windows git will have these and OS X should
2014-12-23 08:13:00 -08:00
16302f752e
Enable generic command
2014-12-23 14:22:26 +00:00
a3b0b9de62
Configure module to target bash by default
2014-12-23 14:19:51 +00:00
313d6cc2f8
Add super call
2014-12-23 14:12:47 +00:00
43221d4cb0
Remove redundant debugging stuff
2014-12-23 14:09:12 +00:00
42a10d6d50
Add Powershell target
2014-12-23 14:07:57 +00:00
abec7c206b
Update description to describe current limitations
2014-12-22 20:32:45 -08:00
1505588bf6
Rename the file to reflect what it really is
2014-12-22 20:27:40 -08:00
ff440ed5a4
Describe vulns in more detail, add more URLs
2014-12-22 20:20:48 -08:00
b4f6d984dc
Minor style cleanup
2014-12-22 17:51:35 -08:00
421fc20964
Partial mercurial support. Still need to implement bundle format
2014-12-22 17:44:14 -08:00
fdd1d085ff
Don't encode the payload because this only complicates OS X
2014-12-22 13:36:38 -08:00
ea9f5ed6ca
Minor cleanup
2014-12-22 12:16:53 -08:00
dd73424bd1
Don't link to unused repositories
2014-12-22 12:04:55 -08:00
6c8cecf895
Make git/mercurial support toggle-able, default mercurial to off
2014-12-22 11:36:50 -08:00
574d3624a7
Clean up setup_git verbose printing
2014-12-22 11:09:08 -08:00
16543012d7
Correct planted clone commands
2014-12-22 10:56:33 -08:00
01055cd41e
Use a trigger to try to only start a handler after the malicious file has been requested
2014-12-22 10:43:54 -08:00
3bcd67ec2e
Unique URLs for public repo page and malicious git/mercurial repos
2014-12-22 10:03:30 -08:00
308eea0c2c
Make malicious hook file name be customizable
2014-12-22 08:28:55 -08:00
7f3cfd2207
Add a ranking
2014-12-22 07:51:47 -08:00
74783b1c78
Remove ruby and telnet requirement
2014-12-21 10:06:06 -08:00
31f320c901
Add mercurial debugging
2014-12-20 20:00:12 -08:00
3da1152743
Add better logging. Split out git support in prep for mercurial
2014-12-20 19:34:55 -08:00
58d5b15141
Add another useful URL. Use a more git-like URIPATH
2014-12-20 19:11:56 -08:00
f41d0fe3ac
Randomize most everything about the malicious commit
2014-12-19 19:31:00 -08:00
805241064a
Create a partially capitalized .git directory
2014-12-19 19:07:45 -08:00
f7630c05f8
Use payload.encoded
2014-12-19 18:52:34 -08:00
7f2247f86d
Add description and URL
2014-12-19 15:50:16 -08:00
9b815ea0df
Some style cleanup
2014-12-19 15:35:09 -08:00
4d0b5d1a50
Add some vprints and use a sane URIPATH
2014-12-19 15:33:26 -08:00
d3050de862
Remove references to Redmine in code
...
See #4400 . This should be all of them, except for, of course, the module
that targets Redmine itself.
Note that this also updates the README.md with more current information
as well.
2014-12-19 17:27:08 -06:00
48444a27af
Remove debugging pp
2014-12-19 15:27:06 -08:00
1c7fb7cc7d
Mostly working exploit for CVE-2014-9390
2014-12-19 15:24:27 -08:00
4888ebe68d
Initial commit of POC module for CVE-2013-9390 ( #4435 )
2014-12-19 12:58:02 -08:00
223d6b7923
Merged with Fr330wn4g3's changes
2014-12-14 13:08:19 +08:00
544f75e7be
fix invalid URI scheme, closes #4362
2014-12-11 23:34:10 +01:00
21742b6469
Test #3729
2014-12-06 21:20:52 -06:00
28135bcb09
Land #4159 , MantisBT PHP code execution by @itseco
2014-11-15 07:49:54 +01:00
3faa48d810
small bugfix
2014-11-13 22:51:41 +01:00
7d6b6cba43
some changes
2014-11-13 22:46:53 +01:00
dd1920edd6
Minor typos and grammar fixes
2014-11-13 14:48:23 -06:00
17032b1eed
Fix issue reported by FireFart
2014-11-13 04:48:45 -05:00
ac17780f6d
Fix by @FireFart to recover communication with the application after a meterpreter session
2014-11-11 05:49:18 -05:00
6bf1f613b6
Fix issues reported by FireFart
2014-11-11 00:41:58 -05:00
d4bbf0fe39
Fix issues reported by wchen-r7 and mmetince
2014-11-10 15:27:10 -05:00
cd0dbc0e24
Missed another
2014-11-09 14:06:39 -06:00
9cce7643ab
update description and fix typos
2014-11-09 09:10:01 -05:00
5d17637038
Add CVE-2014-7146 PHP Code Execution for MantisBT
2014-11-09 08:00:44 -05:00
7510fb40aa
touch up visual_mining_netcharts_upload
2014-11-06 22:50:20 -06:00
79cabc6d68
Fix clean up
2014-11-05 15:46:33 -06:00
c08993a9c0
Add module for ZDI-14-372
2014-11-05 15:31:20 -06:00
400ef51897
Land #4076 , exploit for x7chat PHP application
2014-11-03 18:22:04 -06:00
3bf7473ac2
Add github pull request as reference
2014-11-03 18:18:42 -06:00
44a2f366cf
Switch ranking
2014-11-03 18:06:09 -06:00
039d3cf9ae
Do minor cleanup
2014-11-03 18:04:30 -06:00
7e4248b601
Added compatibility with older versions, Updated descriptions and fixed issue with Ubuntu 12.04
2014-11-03 16:42:50 -05:00
51b96cb85b
Cosmetic title/desc updates
2014-11-03 13:37:45 -06:00
1a37a6638c
Fix splunk_upload_app_exec to work on new installs. Style
2014-10-30 18:28:56 -07:00
55f245f20f
Merge #3507 into local, recently updated branch of master for landing
2014-10-30 17:28:20 -07:00
2e53027bb6
Fix value of X7C2P cookie and typo
2014-10-29 08:32:36 -05:00
9f21ac8ba2
Fix issues reported by wchen-r7
2014-10-28 21:31:33 -05:00
71a6ec8b12
Land #4093 , cups_bash_env_exec CVE-2014-6278
2014-10-28 12:47:51 -05:00
57baf0f393
Add support for CVE-2014-6278
2014-10-28 17:10:19 +00:00
3de5c43cf4
Land #4050 , CUPS Shellshock
...
Bashbleeded!!!!!!!!!!!
2014-10-28 11:59:31 -05:00
78b199fe72
Remove CVE-2014-6278
2014-10-28 16:18:24 +00:00
a060fec760
Detect version in check()
2014-10-28 12:28:18 +00:00
2ba2388889
Fix issues reported by jvasquez
2014-10-27 19:15:39 -05:00
848f24a68c
update module description
2014-10-27 02:07:16 -05:00
d66dc88924
Add PHP Code Execution for X7 Chat 2.0.5
2014-10-27 01:01:31 -05:00
554935e60b
Add check() and support CVE-2014-6278
2014-10-26 18:11:36 +00:00
f886ab6f97
Land #4020 , Jenkins-CI CSRF token support
2014-10-20 19:03:24 -04:00
005baa7f7e
Retry the script page request to get the token
...
After logging in to Jenkins the script console page
needs to be requested again to get the CSRF token.
2014-10-19 14:04:16 -04:00
0ede70e7f6
Add exploit module for CUPS shellshock
2014-10-19 17:58:49 +00:00
10f3969079
Land #4043 , s/http/http:/ splat
...
What is a splat?
2014-10-17 13:41:07 -05:00
a514e3ea16
Fix bad indent (should be spaces)
...
msftidy is happy now.
2014-10-17 12:39:25 -05:00
35d3bbf74d
Fix up comment splats with the correct URI
...
See the complaint on #4039 . This doesn't fix that particular
issue (it's somewhat unrelated), but does solve around
a file parsing problem reported by @void-in
2014-10-17 11:47:33 -05:00
353d2f79cc
tweak pw generation
2014-10-16 12:06:19 -07:00
5f8c0cb4f3
Merge branch 'drupal' of https://github.com/FireFart/metasploit-framework into drupageddon
2014-10-16 11:53:54 -07:00
c8dd08f605
password hashing
2014-10-17 15:52:47 +02:00
23b7b8e400
fix for version 7.0-7.31
2014-10-16 11:53:48 -07:00
9bab77ece6
add urls
2014-10-16 10:36:37 -07:00
b031ce4df3
Create drupal_drupageddon.rb
2014-10-16 16:42:47 -05:00
5c4ac48db7
update the drupal module a bit with error checking
2014-10-16 10:32:39 -07:00
4c2ae1a753
Fix jenkins when CSRF is enabled
2014-10-14 19:33:23 -05:00
63426793ef
Use vars_get instead of direct URI concatenation
2014-10-02 11:03:12 +02:00
0380c5e887
Add CVE-2014-6278 support, lands #3932
2014-10-01 18:25:41 -05:00
c1b0acf460
Add CVE-2014-6278 support to the exploit module
...
Same thing.
2014-10-01 17:58:25 -05:00
4fbab43f27
Release fixes, all titles and descs
2014-10-01 14:26:09 -05:00
de65ab0519
Fix broken check in exploit module
...
See 71d6b37088
2014-09-29 23:03:09 -05:00
df44dfb01a
Add OSVDB and EDB references to Shellshock modules
2014-09-29 21:39:07 -05:00
8f3e03d4f2
Land #3903 - ManageEngine OpManager / Social IT Arbitrary File Upload
2014-09-29 17:53:43 -05:00
533b807bdc
Add OSVDB id
2014-09-29 21:52:44 +01:00
7125a9f047
Added YARD doc to the mixin
...
Also make a slight correction on jboss_deployementfilerepository.rb to
handle nil responses.
2014-09-28 19:44:37 +02:00
fe12ed02de
Support a user defined header in the exploit too
2014-09-27 18:58:53 -04:00
f20610a657
Added full disclosure URL
2014-09-27 21:34:57 +01:00
030aaa4723
Add exploit for CVE-2014-6034
2014-09-27 19:33:49 +01:00
0a3735fab4
Make it better
2014-09-26 16:01:10 -05:00
3538b84693
Try to make a better check
2014-09-26 15:55:26 -05:00
ad864cc94b
Delete unnecessary code
2014-09-25 16:18:01 -05:00
9245bedf58
Make it more generic, add X86_64 target
2014-09-25 15:54:20 -05:00
d8c03d612e
Avoid failures due to bad payload selection
2014-09-25 13:49:04 -05:00
91e5dc38bd
Use datastore timeout
2014-09-25 13:36:05 -05:00
8a43d635c3
Add exploit module for CVE-2014-6271
2014-09-25 13:26:57 -05:00
919eec250d
Refactor auto_target from Jboss mixin
...
Removed fail_with and targets from the mixin.
2014-09-24 22:15:32 +02:00
3e09283ce5
Land #3777 - Fix struts_code_exec_classloader on windows
2014-09-16 13:09:58 -05:00
158d4972d9
More references and pass msftidy
2014-09-16 12:54:27 -05:00
7a7b6cb443
Some refactoring
...
Use EDB instead of URL for Exploit-DB.
Remove peer variable as peer comes from HttpClient.
2014-09-16 17:49:45 +02:00
4c615ecf94
Module for CVE-2014-5519, phpwiki/ploticus RCE
2014-09-16 00:09:41 +02:00
373eb3dda0
Make struts_code_exec_classloader to work on windows
2014-09-10 18:00:16 -05:00
0a6ce1f305
Land #3727 - SolarWinds Storage Manager exploit AND Msf::Payload::JSP
2014-09-09 17:21:03 -05:00
75269fd0fa
Make sure we're not doing a 'negative' timeout
2014-09-09 11:26:49 -05:00
b8ba2dd703
Fix timeout with HEAD request in delete_file
2014-09-08 18:34:50 +02:00
cc5b852517
Fixed spec for lib/msf/http/jboss
...
Revert commit abdd72e8c6
2014-09-08 17:42:04 +02:00
283e83028f
Fix problem with HEAD requests
...
Split lib/msf/http/jboss/script into
lib/msf/http/jboss/deployment_file_repository_scripts.rb and
lib/msf/http/jboss/bean_shell_scripts.rb as
2014-09-08 14:02:15 +02:00
ded085f5cc
Add CVE ID
2014-09-03 07:22:10 +01:00
c672fad9ef
Add OSVDB ID, remove comma from Author field
2014-09-02 23:17:10 +01:00
d480a5e744
Credit h0ng10 properly
2014-09-01 07:58:26 +01:00
59847eb15b
Remove newline at the top
2014-09-01 07:56:53 +01:00
6a370a5f69
Add exploit for eventlog analyzer file upload
2014-09-01 07:56:01 +01:00
c05edd4b63
Delete debug print_status
2014-08-31 01:34:47 -05:00
559ec4adfe
Add module for ZDI-14-299
2014-08-31 01:11:46 -05:00
403eae3579
Jboss file deployment repository refactorization
...
Moved lib/msf/http/jboss/bean_shell_script.rb to
lib/msf/http/jboss/script.rb. Moved head_stager_jsp to script.rb.
Removed stager_jsp to use the function from the mixin.
2014-08-30 13:15:37 +02:00
33f90de7f6
Refactoring jboss module to work with the Mixin
...
Moved upload and delete methods of deploymentfilerepository to the
mixin. Removed call_uri_mtimes method as the module now uses deploy
from the mixin.
2014-08-29 20:08:35 +02:00
af9f3b83a7
Refactoring jboss module to work with the Mixin
...
Removed datastore USERNAME and PASSWORD which are provided by
Msf::Exploit::Remote::HttpClient. Removed datastore PATH and VERB which
are provided by the mixin (lib/msf/http/jboss). Moved target detection
to the mixin.
2014-08-27 22:54:40 +02:00
a8d03aeb59
Fix bug with PMP db paths
2014-08-26 12:54:31 +01:00
473341610c
Update name to mention DC; correct servlet name
2014-08-26 12:39:48 +01:00
0031913b34
Fix nil accesses
2014-08-22 16:19:11 -05:00
38e6576990
Update
2014-08-22 13:22:57 -05:00
cf147254ad
Use snake_case in the filename
2014-08-22 11:44:35 -05:00
823649dfa9
Clean exploit, just a little
2014-08-22 11:43:58 -05:00
9815b1638d
Refactor pick_target
2014-08-22 11:31:06 -05:00
ecace8beec
Refactor check method
2014-08-22 11:05:36 -05:00
ced65734e9
Make some datastore options advanced
2014-08-22 10:26:04 -05:00
b4e3e84f92
Use CamelCase for target keys
2014-08-22 10:23:36 -05:00
b58550fe00
Indent description and fix title
2014-08-22 10:21:08 -05:00
da752b0134
Add exploit for CVE-2014-3996
2014-08-21 15:30:28 +01:00
cad281494f
Minor caps, grammar, desc fixes
2014-08-18 13:35:34 -05:00
904c1b20b1
Land #3654 , update to 4.10-dev (electro)
2014-08-15 12:51:28 -05:00
149c3ecc63
Various merge resolutions from master <- staging
...
* --ask option ported to new location
* --version option now works
* MSF version updated
* All specs passing
2014-08-15 11:33:31 -05:00
4e0f6dfcc7
Do minor cleanup
2014-08-15 09:10:08 -05:00
5ed3e6005a
Implement suggestions
...
This commit addresses feedback such as adding a check
function and changing the login fail case by being
more specific on what is checked for. The failing
ARCH_CMD payloads were addressed by adding BadChars.
Last, an ARCH_PYTHON target was added based on
@zerosteiner's feedback.
2014-08-13 20:26:48 -04:00
4e6a04d3ad
Modifications for login and key addition
...
This commit adds additional support for logging in
on multiple versions of Gitlab as well as adding a
key to exploit the vulnerability.
2014-08-11 19:54:10 -04:00
a995bcf2ef
Fix URI building and failure cases
...
This update uses the normalize_uri method for building
URIs. Additionally, failure cases have been modified
for a less generic version.
2014-08-10 19:53:33 -04:00
48359faaaf
Add gitlab-shell command injection module
...
This request adds a module for gitlab-shell command
injection for versions prior to 1.7.4. This has been
tested by installing version 7.1.1 on Ubuntu and then
using information at http://intelligentexploit.com/view-details.html?id=17746
to modify the version of gitlab-shell to a vulnerable one. This
was done as I could not find a better method for downloading
and deploying an older, vulnerable version of Gitlab.
2014-08-05 23:21:57 -04:00
73ca8c0f6d
Work on jboss refactoring
2014-08-01 14:28:26 -05:00
9e9244830a
Added spec for lib/msf/http/jboss
...
Also renamed get_undeploy_bsh and get_undeploy_stager to
gen_undeploy_bsh and gen_undeploy_stager to be consistent
with the other functions
2014-07-29 01:57:04 +02:00
cd2ec0a863
Refactored jboss mixin and modules
...
Moved fail_with() from mixin to modules. Added PACKAGE datastore to
lib/msf/http/jboss/bsh.rb.
2014-07-24 22:58:58 +02:00
b526fc50f8
Refactored jboss mixin and modules
...
Moved VERB option to the mixin. Replaced "if datastore['VERBOSE']"
by vprint_status().
2014-07-22 23:08:42 +02:00
ae2cd63391
Refactored Jboss mixin
...
Moved TARGETURI option to the JBoss mixin. The mixin now includes
Msf::Exploit::Remote::HttpClient which provides USERNAME and PASSWORD
2014-07-21 23:41:58 +02:00
088f208c7c
Added auxiliary module jboss_bshdeployer
...
The module allows to deploy a WAR (a webshell for instance) using the
BSHDeployer.
Also refactored modules/exploits/multi/http/jboss_bshdeployer.rb to
use the new Mixin (lib/msf/http/jboss).
2014-07-18 11:51:46 +02:00
58adc350b5
Refactor: Creation of a JBoss mixin
...
The jboss_bsheployer as is does not allow to deploy a custom WAR file.
It is convenient when ports are blocked to be able to deploy a webshell
instead of just launching a payload. This will require a auxiliary
module which will use the JBoss mixin methods.
2014-07-18 00:56:32 +02:00
bea660ad4d
Added possibility to upload a custom WAR file
...
Added 2 options, one for uploading a custom WAR file. The other
to specify if you want or not to undeploy the war at the end of
the exploit.
The module as is does not allow to deploy a custom WAR file. It is
convenient when ports are blocked to be able to deploy a webshell
instead of just launching a payload.
2014-07-17 17:13:19 +02:00
755dec1629
msftidy up splunk_upload_app_exec
2014-07-10 00:24:48 -04:00
c14b96f02e
Add #3463 commits from @ghost
2014-07-09 17:56:06 -04:00
748589f56a
Make cmdstager flavor explicit or from info
...
Every module that uses cmdstager either passes the flavor
as an option to the execute_cmdstager function or relies
on the module / target info now.
2014-06-28 17:40:49 -04:00
219153c887
Raise NotImplementedError and let :flavor be guessed
2014-06-27 08:34:56 -04:00
870fa96bd4
Allow quotes in CmdStagerFlavor metadata
2014-06-27 08:34:56 -04:00
91e2e63f42
Add CmdStagerFlavor to metadata
2014-06-27 08:34:55 -04:00
9e413670e5
Include the CMDStager
2014-06-27 08:34:55 -04:00
d47994e009
Update modules to use the new generic CMDstager mixin
2014-06-27 08:34:55 -04:00
8bf36e5915
AutoDetection should work
2014-06-27 08:34:55 -04:00
7ced5927d8
Use One CMDStagermixin
2014-06-27 08:34:55 -04:00
2a442aac1f
No long needs to extend bourne, and specify a flavor.
2014-06-27 08:34:55 -04:00
1a392e2292
Multi-fy the hyperic_hq_script_console exploit.
2014-06-27 08:34:55 -04:00
ae25c300e5
Initial attempt to unify the command stagers.
2014-06-27 08:34:55 -04:00
191c871e9b
[SeeRM #8815 ] Dont try to exploit when generate_payload_exe fails
2014-06-20 14:07:49 -05:00
8e1949f3c8
Added newline at EOF
2014-06-17 21:03:18 +02:00
b710014ece
Land #3435 -- Rocket Servergraph ZDI-14-161/162
2014-06-17 18:06:03 +10:00
0bac24778e
Fix the case statements to match platform
2014-06-11 15:22:55 -05:00
d5b32e31f8
Fix a typo where platform was 'windows' not 'win'
...
This was reported by dracu on freenode
2014-06-11 15:10:33 -05:00
e4d14194bb
Add module for Rocket Servergraph ZDI-14-161 and ZDI-14-162
2014-06-08 11:07:10 -05:00
53ab2aefaa
Land #3386 , a few datastore msftidy error fixes
2014-05-29 10:44:37 -05:00
8a2236ecbb
Fix the last of the Set-Cookie msftidy warnings
2014-05-29 04:42:49 -05:00
352e14c21a
Land #3391 , all vars_get msftidy warning fixes
2014-05-26 23:41:46 -05:00
da0a9f66ea
Resolved all msftidy vars_get warnings
2014-05-25 19:29:39 +02:00
df97c66ff5
Fixed check
2014-05-24 00:37:52 +02:00
8d4d40b8ba
Resolved some Set-Cookie warnings
2014-05-24 00:34:46 +02:00
efffbf751a
PHP module shouldnt zap CMD option (@wchen-r7)
...
As far as I can tell, there is no purpose for this cleanup. No other CMD
exec module takes pains to clear out CMD after run, and it looks like a
bad idea -- what happens when you rexploit?
2014-05-23 15:09:18 -05:00
df4b832019
Resolved some more Set-Cookie warnings
2014-05-13 22:56:12 +02:00
638ae477d9
Fix up spec. Rex::Proto::Http::ClientRequest handles & and = outside of Rex::Text::uri_encode, so mode doesn't affect them.
...
Fix erroneous typo char.
2014-05-12 12:10:30 -05:00
5f523e8a04
Rex::Text::uri_encode - make 'hex-all' really mean all.
...
'hex-all' encoding was previously ignoring slashes.
This pull adds 'hex-noslashes' mode which carries forward the previous functionality, and replaces all existing references to 'hex-all' with 'hex-noslashes' It then adds a replacement 'hex-all' mode, which really encodes *ALL* characters.
2014-05-12 11:26:27 -05:00
dee6b53175
fix java payload struts module
2014-05-10 00:19:40 +02:00
38f3a19673
Try to beautify description
2014-05-09 14:35:06 -05:00
43a85fc645
additional GET parameters
2014-05-09 21:21:04 +02:00
ad83921a85
additional GET parameters
2014-05-09 21:15:28 +02:00
53fde675e7
randomize meh parameter
2014-05-09 10:38:19 +02:00
a3fff5401f
more code cleanup
2014-05-08 23:05:41 +02:00
e7b7af2f75
fixed apache struts module
2014-05-08 22:15:52 +02:00
3536ec9a74
Description update
2014-05-05 13:43:44 -05:00
073adc759d
Land #3334 , fix author by @julianvilas
2014-05-04 21:30:53 +02:00
dd7705055b
Fix author
2014-05-04 19:31:53 +02:00
36f9f342c1
Fix typo
2014-05-02 16:26:08 +02:00
3dd3ceb3a9
Refactor code
2014-05-01 18:04:37 -05:00
b7ecf829d3
Do first refactor
2014-05-01 16:39:53 -05:00
195005dd83
Do minor style changes
2014-05-01 15:25:55 -05:00
140c8587e7
Fix metadata
2014-05-01 15:24:16 -05:00
e0ee31b388
Modify print_error by fail_with
2014-05-01 20:19:31 +02:00
3374af83ab
Fix typos
2014-05-01 19:44:07 +02:00
bd39af3965
Fix target ARCH_JAVA and remove calls to sleep
2014-05-01 00:51:52 +02:00
8e8fbfe583
Fix msf-staff comments
2014-04-29 17:36:04 +02:00
b2c2245aff
Add comments
2014-04-29 11:24:17 +02:00
a78aae08cf
Add CVE-2014-0094 RCE for Struts 2
2014-04-29 03:58:04 +02:00
17a508af34
Add CVE-2014-0094 RCE for Struts 2
2014-04-29 03:50:45 +02:00
8f47edb899
JBoss_Maindeployer: improve feedback against CVE-2010-0738
...
The exploit against CVE-2010-0738 won't work when using GET or POST. In the existing code the request would fail and the function would return a nil. This would be passed to detect_platform without being checked and cause the module to crash ungracefully with the error:
Exploit failed: NoMethodError undefined method `body' for nil:NilClass
The first changes detect a 401 authentication message and provide useful feedback. Given that if, in any case, 'res' is not a valid or useful response the second change just terminates processing.
I've stayed with the module's coding style for consistency.
2014-04-24 12:37:14 -05:00
062175128b
Update @Meatballs and @FireFart in authors.rb
2014-04-09 10:46:10 -05:00
4012dd0acc
Fix everything that needs to be fixed
2014-04-08 14:57:42 -05:00
ca7dcc0781
cleanup with msftidy
2014-04-06 12:41:58 +02:00
c90c49e319
Add vtiger install rce 0 day
2014-04-04 10:16:55 +02:00
d27264b402
Land #2782 , fix expand_path abuse
2014-03-19 08:41:28 -05:00
c916b62f47
Removes hash rockets from references.
...
[SeeRM #8776 ]
2014-03-17 09:40:32 -05:00
170608e97b
Fix first chunk of msftidy "bad char" errors
...
There needs to be a better way to go about preventing/fixing these.
2014-03-11 11:18:54 -05:00
3ea3968d88
Merge branch 'upstream/master' into stop_abusing_expand_path
...
Conflicts:
lib/msf/core/post/windows/shadowcopy.rb
modules/exploits/windows/local/bypassuac.rb
modules/post/windows/gather/wmic_command.rb
modules/post/windows/manage/persistence.rb
2014-03-11 23:13:39 +10:00
c981bbeab9
Land #3011 , @wchen-r7's fix for Dexter exploit
2014-02-24 10:53:10 -06:00
998fa06912
Land #2998 , @bit4bit's fix for the vtigercrm exploit
2014-02-20 08:36:05 -06:00
0b27cd13e8
Make module work
2014-02-20 08:35:37 -06:00
ed2ac95396
Always replace \ with / for Dexter exploit
...
Fix for the following:
48199fec27 (commitcomment-5419010)
2014-02-19 09:24:07 -06:00
4ca4d82d89
Land #2939 , @Meatballs1 exploit for Wikimedia RCE and a lot more...
2014-02-18 17:48:02 -06:00
a863d0a526
Pre-release fixes, including msftidy errors.
2014-02-18 14:02:37 -06:00
52ac85be11
Land #2931 - Oracle Forms and Reports RCE
2014-02-17 08:54:23 -06:00
110ffbf342
Indent looks off for this line
2014-02-17 08:53:29 -06:00
632ea05688
100 columns
2014-02-17 08:52:56 -06:00
8da7ba131b
In case people actually don't know what RCE means
2014-02-17 08:51:48 -06:00
73459baefd
Add OSVDB references
2014-02-17 08:50:34 -06:00
fb7b938f8e
check func fixed
2014-02-17 15:11:56 +01:00
e27d98368e
fixed local server issues
2014-02-16 18:26:08 +01:00
e40b9e5f37
updated and improved
2014-02-16 16:24:39 +01:00
74344d6c7e
vtigerolservice.php to vtigerservice.php
...
using direct soap/vtigerolservice.php not work..php need require('config.php');
2014-02-15 20:36:36 -05:00
b7d69c168c
bugfix and user supplied local path support
2014-02-15 16:24:59 +01:00
48199fec27
Change URL identifier, and make the user choose a target
2014-02-14 17:15:00 -06:00
ff267a64b1
Have into account the Content-Transfer-Encoding header
2014-02-12 12:40:11 -06:00
783e62ea85
Applied changes from @wchen-r7's comments
2014-02-11 10:14:52 -08:00
51df2d8b51
Use the fixed API on the mediawiki exploit
2014-02-11 08:28:58 -06:00
79d559a0c9
Fix MIME message to_s
2014-02-10 22:23:23 -06:00
13fadffe7e
Dexter panel (CasinoLoader) SQLi to PHP code exec - Initial
2014-02-10 13:44:30 -08:00
8ece4a7750
Delete debug print
2014-02-10 08:57:45 -06:00
57320a59f1
Do small clean up for mediawiki_thumb pr
2014-02-10 08:57:09 -06:00
dcff06eba1
More verbose failure messages
2014-02-07 23:59:28 +00:00
783a986a19
Windows and auto target up and running
2014-02-07 23:26:57 +00:00
a0f47f6b2b
Correct error check logic
2014-02-07 22:06:53 +00:00
443a51bbf5
Undo revert from merge
2014-02-07 21:28:04 +00:00
56359aa99f
Merge changes from other dev machine
2014-02-07 21:22:44 +00:00
a4cc75bf98
Potential .pdf support
2014-02-07 20:37:44 +00:00
e13520d7fb
Handle a blank filename
2014-02-07 20:15:32 +00:00
103780c3da
Merge remote-tracking branch 'upstream/master' into mediawiki
2014-02-07 20:07:04 +00:00
0a3cb3377f
AppendEncoder
2014-02-04 15:41:10 +00:00
26c506da42
Naming of follow method
2014-02-04 15:25:51 +00:00
f5fa3fb5ce
Windows compat, fixed PHP-CLI
2014-02-04 14:27:10 +00:00
64d11e58c2
Use semicolon for win compat
2014-02-04 13:53:33 +00:00
2fd8257c7e
Use bperry's trigger
2014-02-04 00:51:34 +00:00
a8ff6eb429
Refactor send_request_cgi_follow_redirect
2014-02-03 21:49:49 +00:00
83925da2f1
Refactor form_data code
2014-02-03 21:16:58 +00:00
d34020115a
Fix up on apache descs and print_* methods
2014-02-03 13:13:57 -06:00
67c18d8d2d
I had a problem, then I used regex.
2014-02-02 22:19:54 +00:00
57f4998568
Better failures and handle unconfigured server
2014-02-02 16:26:22 +00:00
9fa9402eb2
Better check and better follow redirect
2014-02-02 16:07:46 +00:00
0d3a40613e
Add auto 30x redirect to send_request_cgi
2014-02-02 15:03:44 +00:00
8b33ef1874
Not html its form-data...
2014-02-02 13:57:29 +00:00
7ddc6bcfa5
Final tidyup
2014-02-01 01:05:02 +00:00
486a9d5e19
Use msf branded djvu
2014-02-01 00:37:28 +00:00
fd1a507fda
Rename file
2014-02-01 00:27:32 +00:00
700c6545f0
Polished
2014-02-01 00:26:55 +00:00
5a883a4477
updated
2014-01-31 21:59:26 +01:00
7fa1522299
Initial commit
2014-01-31 18:51:18 +00:00
b67ac39a33
Land #2921 - Apache Struts Developer Mode OGNL Execution
2014-01-31 12:06:58 -06:00
60ead5de43
Explain why we flag the vuln as "Appears" instead of vulnerable
2014-01-31 12:05:58 -06:00
2fca2da9f7
Add an vprint message on check
2014-01-31 11:57:20 -06:00
356692f2f5
Land #2923 , @rangercha tomcat deploy module compatible with tomcat8
2014-01-31 10:53:53 -06:00
f6291eb9a8
updated
2014-01-31 14:33:18 +01:00
93db1c59af
Do small fixes
2014-01-30 17:16:43 -06:00
9daacf8fb1
Clean exploit method
2014-01-30 16:58:17 -06:00
4458dc80a5
Clean the find_csrf mehtod
2014-01-30 16:39:19 -06:00
697a86aad7
Organize a little bit the code
2014-01-30 16:29:45 -06:00
50317d44d3
Do more easy clean
2014-01-30 16:23:17 -06:00
1a9e6dfb2a
Allow check to detect platform and arch
2014-01-30 15:17:20 -06:00
b2273dce2e
Delete Automatic target
...
It isn't usefull at all, when auto targeting is done, the payload (java platform and arch)
has been already selected.
2014-01-30 15:04:08 -06:00
cebbe71dba
Do easy cleanup of exploit
2014-01-30 14:42:02 -06:00
c336133a8e
Do a first clean related to auto_target
2014-01-30 14:27:20 -06:00
57b8b49744
Clean query_manager
2014-01-30 14:20:02 -06:00
148e51a28b
Clean metadata and use TARGETURI
2014-01-30 14:03:52 -06:00
56287e308d
Clean up unused variables
2014-01-30 11:20:21 -06:00
e7ab77c736
added module for Oracle Forms and Reports
2014-01-30 14:45:17 +01:00
a49473181c
Added new module. Abuses tomcat manager upload page. Tested on tomcat 5.5.36, 6.0.37, 7.0.50, 8.0.0rc10
2014-01-27 09:04:59 -05:00
8fe74629fe
Allow send_request_cgi to take care of the uri encoding
2014-01-26 00:06:41 -06:00
37adf1251c
Delete privileged flag because is configuration dependant
2014-01-25 18:25:31 -06:00
038cb7a981
Add module for CVE-2012-0394
2014-01-25 18:17:01 -06:00
7c5229e2eb
Use opts hash for glassfish_deployer
...
https://dev.metasploit.com/redmine/issues/8498
2014-01-24 20:17:02 -06:00
cdc425e4eb
Update some checks
2014-01-24 12:08:23 -06:00
7f560a4b41
Oops, I broke this module
2014-01-22 11:23:18 -06:00
646f7835a3
Saving progress
2014-01-21 17:14:55 -06:00
85396b7af2
Saving progress
...
Progress group 4: Making sure these checks comply with the new
guidelines. Please read: "How to write a check() method" found in
the wiki.
2014-01-21 14:10:35 -06:00
689999c8b8
Saving progress
...
Progress group 3: Making sure these checks comply with the new
guidelines. Please read: "How to write a check() method" found in
the wiki.
2014-01-21 13:03:36 -06:00
e2fa581b8c
Delete empty line
2014-01-17 22:05:14 -06:00
57318ef009
Fix nil bug in jboss_invoke_deploy.rb
...
If there is a connection timeout, the module shouldn't access the
"code" method because that does not exist.
2014-01-17 11:47:18 -06:00
95a5d12345
Merge #2835 , #2836 , #2837 , #2838 , #2839 , #2840 , #2841 , #2842 into one branch
2014-01-13 10:57:09 -06:00
e79ccb08cb
Update rails_secret_deserialization.rb
...
When using aws-sdk with Ruby 2.1.0-rc1, many "Digest::Digest is deprecated; use Digest" warnings are printed.
Even in Ruby 1.8.7-p374, OpenSSL::Digest::Digest is only provided for backward compatibility.
2014-01-07 21:41:15 +01:00
1057cbafee
Remove deprecated linksys module.
2014-01-07 10:22:35 -06:00
c0a82ec091
Avoid specific versions in module names
...
They tend to be a lie and give people the idea that only that version is
vulnerable.
2014-01-06 13:47:24 -06:00
1cb671b02e
Merge branch 'adjust_getenv_api' into stop_abusing_expand_path
2014-01-03 08:14:02 +10:00
1b893a5c26
Add module for CVE-2013-3214, CVE-2013-3215
2014-01-02 11:25:52 -06:00
7f9f4ba4db
Make gsubs compliant with the new indentation standard
2013-12-31 11:06:53 -06:00
5b647ba6f8
Change description
...
Pre-auth is implied.
2013-12-23 02:33:17 -06:00
4816abe63b
Add module for ZDI-13-263
2013-12-19 17:48:52 -06:00
9fb081cb2d
Add getenvs, update getenv, change extract_path use
...
Stacks of modules were using `extract_path` where it wasn't really semantically correct
because this was the only way to expand environment variables. This commit fixes that
up a bit.
Also, I changed the existing `getenv` function in `stdapi` to `getenvs`, and had it
support the splat operator. I added a `getenv` function which is used just for a
single variable and uses `getenvs` behind the scenes.
The meterpreter console `getenv` command now uses `getenvs`
2013-12-19 11:54:34 +10:00
040619c373
Minor description changes
...
No code changes (one comment made on play_youtube to suggest xdg-open
rather than firefox for linux targets).
2013-12-16 14:57:33 -06:00
3d5501326b
Land #2743 , @Mekanismen's exploit for CVE-2013-0632
2013-12-10 10:00:30 -06:00
30960e973f
Do minor cleanup on coldfusion_rds
2013-12-10 09:59:36 -06:00
9a6e504bfe
fixed path error and description
2013-12-10 09:05:34 +01:00
313a98b084
moved coldfusion_rds to multi directory and fixed a bug
2013-12-10 08:45:27 +01:00
f77784cd0d
Land #2723 , @denandz's module for OSVDB-100423
2013-12-06 17:32:07 -06:00
3729c53690
Move uptime_file_upload to the correct location
2013-12-06 15:57:52 -06:00
230db6451b
Remove @peer for modules that use HttpClient
...
The HttpClient mixin has a peer() method, therefore these modules
should not have to make their own. Also new module writers won't
repeat the same old code again.
2013-12-03 12:58:16 -06:00
9d50a7da85
Pandora Authentication Bypass and File Upload Exec
2013-12-03 21:23:56 +08:00
55847ce074
Fixup for release
...
Notably, adds a description for the module landed in #2709 .
2013-12-02 16:19:05 -06:00
41f8a34683
Use attempts
2013-12-02 08:43:22 -06:00
433d21730e
Add ATTEMPTS option
2013-12-02 08:42:25 -06:00
b9192c64aa
Fix @wchen-r7's feedback
2013-12-01 19:55:53 -06:00
3417c4442a
Make check really better
2013-11-30 09:47:34 -06:00
749e6bd65b
Do better check method
2013-11-30 09:46:22 -06:00
0a7c0eea78
Fix references
2013-11-29 23:13:07 -06:00
691d47f3a3
Add module for ZDI-13-255
2013-11-29 23:11:44 -06:00
57f4f68559
Land #2652 - Apache Roller OGNL Injection
2013-11-25 15:14:35 -06:00
cec4166766
Fix description
2013-11-20 12:49:22 -06:00
18e69bee8c
Make OGNL expressions compatible with struts 2.0.11.2
2013-11-20 12:42:10 -06:00
14c6ab4ca5
Add module for CVE-2013-4212
2013-11-19 10:25:52 -06:00
2c485c509e
Fix caps on module titles (first pass)
2013-11-15 00:03:42 -06:00
2035983d3c
Fix a handful of msftidy warnings, and XXX SSL
...
Marked the SSL stuff as something that needs to be resolved in order to
fix a future bug in datastore manipulation. Also, fixed some whitespace
and exec complaints
[SeeRM #8498 ]
2013-11-11 21:23:35 -06:00
84572c58a8
Minor fixup for release
...
* Adds some new refs.
* Fixes a typo in a module desc.
* Fixes a weird slash continuation for string building (See #2589 )
2013-11-04 12:10:38 -06:00
f5d1d8eace
chmod -x .rb files without #! in modules and lib
...
It wasn't just cmdstager_printf.rb. :/
2013-10-30 19:51:25 -05:00
98224ee89f
CVE update for vtiger issue
2013-10-30 13:48:35 -05:00
344413b74d
Reorder refs for some reason.
2013-10-30 12:25:55 -05:00
32794f9d37
Move OpenBravo to aux module land
2013-10-30 12:20:04 -05:00
17d796296c
Un-dupe References for ispconfig
2013-10-30 12:03:35 -05:00
0d480f3a7d
Typo fix
2013-10-30 11:38:04 -05:00
97a4ca0752
Update references for FOSS modules
2013-10-30 11:36:16 -05:00
78381316a2
Add @brandonprry's seven new modules
...
Already reviewed privately, no associated PR.
2013-10-30 11:04:21 -05:00
5b76947767
Add a few more modules.
2013-10-30 10:25:48 -05:00
c4c171d63f
Clean processmaker_exec
2013-10-29 09:53:39 -05:00
3eed800b85
Add ProcessMaker Open Source Authenticated PHP Code Execution
2013-10-29 23:27:29 +10:30
2e8c369c69
Land #2559 - remove content-length
2013-10-22 16:03:42 -05:00
71fab72e06
Delete duplicate content-length from axis2_deployer
2013-10-21 15:35:51 -05:00
2aed8a3aea
Update modules to use new ZDI reference
2013-10-21 15:13:46 -05:00
10a4ff41de
Delete Content-Length duplicate header
2013-10-21 15:11:37 -05:00
032da9be10
Land #2426 - make use of Msf::Config.data_directory
2013-10-21 13:07:33 -05:00
c83262f4bd
Resplat another common boilerplate.
2013-10-15 14:07:48 -05:00
23d058067a
Redo the boilerplate / splat
...
[SeeRM #8496 ]
2013-10-15 13:51:57 -05:00
eab90e1a2e
Land #2491 , missing platform info update
2013-10-14 10:38:25 -05:00
0b93996b05
Clean and add Automatic target
2013-10-11 13:19:10 -05:00
9ca9b4ab29
Merge branch 'master' into data_dir
...
Conflicts:
lib/msf/core/auxiliary/jtr.rb
2013-10-10 19:55:26 +01:00
276ea22db3
Add VMware Hyperic HQ Groovy Script-Console Java Execution
2013-10-11 05:07:23 +10:30
0acb170ee8
Bug #8419 - Added platform info missing on exploits
2013-10-08 22:41:50 -04:00
4ba001d6dd
Put my short name to prevent conflicts.
2013-10-07 14:10:47 -05:00
ec6516d87c
Deprecate misnamed module.
...
* Renames to a linux linksys module.
2013-10-07 14:06:13 -05:00
113f89e40f
First set of fixes for gestioip_exec
2013-10-04 13:29:27 -05:00
9b79bb99e0
Add references, correct disclosure date
2013-10-04 09:59:26 -05:00
ab786d1466
Imply authentication when a password is set
2013-10-04 09:54:04 -05:00
0112d6253c
add gestio ip module
2013-10-04 06:39:30 -07:00
c460f943f7
Merge branch 'master' into data_dir
...
Conflicts:
modules/exploits/windows/local/always_install_elevated.rb
plugins/sounds.rb
scripts/meterpreter/powerdump.rb
scripts/shell/spawn_meterpreter.rb
2013-10-02 20:17:11 +01:00
7ba846ca24
Find and replace
2013-09-26 20:34:48 +01:00
84ec2cbf11
remove peer methods since it is already defined in Msf::Exploit::Remote::HttpClient
2013-09-25 23:42:44 +02:00
93486a627d
Whoops on trailing commas
2013-09-24 15:14:11 -05:00
3906d4a2ca
Fix caps that throw msftidy warnings
2013-09-24 13:03:16 -05:00
c547e84fa7
Prefer Ruby style for single word collections
...
According to the Ruby style guide, %w{} collections for arrays of single
words are preferred. They're easier to type, and if you want a quick
grep, they're easier to search.
This change converts all Payloads to this format if there is more than
one payload to choose from.
It also alphabetizes the payloads, so the order can be more predictable,
and for long sets, easier to scan with eyeballs.
See:
https://github.com/bbatsov/ruby-style-guide#collections
2013-09-24 12:33:31 -05:00
4bff8f2cdc
Update descriptions for clarity.
2013-09-23 13:48:23 -05:00
29649b9a04
Land #2388 , @dummys's exploit for CVE-2013-5696
2013-09-20 13:03:01 -05:00
8922d0fc7f
Fix small bugs on glpi_install_rce
2013-09-20 13:01:41 -05:00
b24ae6e80c
Clean glpi_install_rce
2013-09-20 12:58:23 -05:00
187ab16467
many change in the code and replace at the correct place the module
2013-09-20 10:45:10 +02:00
8d70a9d893
Add more refs
2013-09-19 22:05:23 -05:00
137b3bc6ea
Fix whitespace issues.
2013-09-19 17:29:11 -05:00
bd96c6c093
Adds module for CVE-2013-3568.
2013-09-19 17:26:30 -05:00
41e4375e43
Retab modules
2013-08-30 16:28:54 -05:00
0037ccceed
add osvdb ref for openx backdoor
2013-08-18 06:34:50 -05:00
6c1ba9c9c9
Switch to Failure vs Exploit::Failure
2013-08-15 14:14:46 -05:00
6c0b067d7c
Land #2163 , known secret session cookie for RoR
...
From @joernchen, leverages an infoleak to gain a shell on rails
applications. There is no patch, since you are expected to keep your
secrets, well, secret.
2013-08-09 12:30:37 -05:00
969b380d71
More explicit title, grammar check on description
2013-08-09 12:27:45 -05:00
h00die
jvazquez-r7
wchen-r7
Pedro Ribeiro
William Vu
g0tmi1k
Brent Cook
Christian Mehlmauer
Jon Cave
Tod Beardsley
scriptjunkie
Julian Vilas
Ricardo Almeida
vulp1n3
David Lanner
James Lee
rcnunez
Jon Hart
Meatballs
Juan Escobar
Joshua Smith
Brendan Coles
root
Spencer McIntyre
URI Assassin
Brandon Perry
Brandon Perry
Fernando Munoz
Vincent Herbulot
HD Moore
Samuel Huckins
kaospunk
Rob Fuller
Gary Blosser
OJ
Jeff Jarmoc
Tom Sellers
dummys
Mekanismen
Jovany Leandro G.C
bwall
RangerCha
Niel Nielsen
Joe Vennix
jvazquez-r7
Winterspite
Joe Vennix
Steve Tornio