infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
37,376 Commits
7 Branches
556 Tags
421 MiB
Commit Graph

4992 Commits (9e7a330ac849a746b4e68798a9bacd44a829837c)

Author SHA1 Message Date
wchen-r7 3c72135a2f No to_i 
What happens here is it converts to a Fixnum, and then it converts
back to a String anway because it's in a String.
 2015-11-18 15:25:18 -06:00
sammbertram a484b318eb Update registry_persistence.rb 2015-11-18 16:13:18 +00:00
sammbertram 1fe8bc9cea Added a SLEEP_TIME option 
Added a SLEEP_TIME options which is the number of seconds to sleep prior to executing the initial IEX request. This is useful in cases where a machine would have to establish a VPN connection, initiated by the user, after a reboot. 

Alternatively, as opposed to a sleep time, it could have a loop that attempts to retry for a certain period of item.
 2015-11-18 11:17:57 +00:00
wchen-r7 8ea0a864db Add a reference for patching 2015-11-10 23:32:22 -06:00
wchen-r7 66f3582991 Add Oracle Beehive prepareAudioToPlay Exploit Module 2015-11-10 23:05:11 -06:00
Jon Hart 43229c16e7
Correct some authors with unbalanced angle brackets 2015-11-06 13:24:58 -08:00
Brent Cook ee6d6258a5
Land #6180, add PSH as a target for psexec directly, implement autodetect 2015-11-05 10:38:50 -06:00
William Vu 862dff964a Integrate psexec_psh into psexec 2015-11-04 17:31:33 -06:00
William Vu 6a01efa394 Deprecate psexec_psh 2015-10-30 17:41:58 -05:00
Louis Sato 2bd792f693
remove .rb file extension 2015-10-30 15:26:45 -05:00
wchen-r7 82e600a53a Suggest the correct replacement for the deprecated module 
The deprecated module has been suggesting the wrong replacement,
it should be exploits/multi/browser/adobe_flash_pixel_bender_bof.rb
 2015-10-29 16:24:29 -05:00
wchen-r7 95920b7ff6 Bring back more working links 2015-10-29 15:57:16 -05:00
wchen-r7 da52c36687 Put back some links 2015-10-29 15:48:47 -05:00
wchen-r7 154fb585f4 Remove bad references (dead links) 
These links are no longer available. They are dead links.
 2015-10-27 12:41:32 -05:00
jvazquez-r7 b2e3ce1f8a
Allow to finish when deletion fails 2015-10-26 16:40:36 -05:00
Boumediene Kaddour e188bce4c9 Update minishare_get_overflow.rb 2015-10-21 16:48:31 +02:00
William Vu 8cb6cc57b5
Land #6094, refs for another ManageEngine module 2015-10-15 22:49:05 -05:00
William Vu 86dfbf23e8 Fix whitespace 2015-10-15 22:48:53 -05:00
xistence 018b515150 Add CVE/URL references to manageengine_eventlog_analyzer_rce 2015-10-16 10:41:39 +07:00
xistence b1f2e40b98 Add CVE/URL references to module manage_engine_opmanager_rce 2015-10-16 10:36:13 +07:00
HD Moore d67b55d195 Fix autofilter values for aggressive modules 2015-10-13 15:56:18 -07:00
HD Moore 6f3bd81b64 Enable 64-bit payloads for MSSQL modules 2015-10-11 12:52:46 -05:00
Tod Beardsley 94bb94d33a
Working URL for real 2015-10-09 15:07:44 -05:00
Tod Beardsley b04f947272
Fix blog post date, derp 2015-10-09 14:59:57 -05:00
Tod Beardsley 55ef6ebe91
HP SiteScope vuln, R7-2015-17 
On behalf of @l0gan, already reviewed once by @jvazquez-r7, reviewed
again by me.

For details, see:

https://community.rapid7.com/community/metasploit/blog/2017/10/09/r7-2015-17-hp-sitescope-dns-tool-command-injection
 2015-10-09 14:55:48 -05:00
Christian Mehlmauer eb597bb9f3
Land #5842, watermark fileformat exploit 2015-10-07 19:29:04 +02:00
jakxx c5237617f2 Update buffer size for reliability 2015-10-06 18:12:40 -04:00
jvazquez-r7 75d2a24a0a
Land #6019, @pedrib's Kaseya VSA ZDI-15-449 exploit 2015-10-02 08:51:28 -05:00
Pedro Ribeiro cbbeef0f53 Update kaseya_uploader.rb 2015-10-02 13:20:59 +01:00
jvazquez-r7 a88a6c5580
Add WebPges to the paths 2015-10-01 13:22:56 -05:00
jvazquez-r7 f9a9a45cf8
Do code cleanup 2015-10-01 13:20:40 -05:00
OJ 7451cf390c Add Windows 10 "support" to bypassuac_injection 2015-10-01 11:16:18 +10:00
jakxx 47c79071eb fix indention and typo 2015-09-29 22:41:36 -04:00
jakxx f18e1d69a1 Add x64 ret address and add to buffer 2015-09-29 22:36:30 -04:00
Pedro Ribeiro 61c922c24d Create kaseya_uploader.rb 2015-09-29 11:56:34 +01:00
jvazquez-r7 b206de7708
Land #5981, @xistence's ManageEngine EventLog Analyzer Remote Code Execution exploit 2015-09-27 00:42:17 -05:00
jvazquez-r7 55f573b4c9
Do code cleanup 2015-09-27 00:33:40 -05:00
wchen-r7 fd190eb56b
Land #5882, Add Konica Minolta FTP Utility 1.00 CWD command module 2015-09-18 11:10:20 -05:00
wchen-r7 0aea4a8b00 An SEH? A SEH? 2015-09-18 11:09:52 -05:00
jvazquez-r7 ab8d12e1ac
Land #5943, @samvartaka's awesome improvement of poisonivy_bof 2015-09-16 16:35:04 -05:00
jvazquez-r7 af1cdd6dea
Return Appears 2015-09-16 16:34:43 -05:00
jvazquez-r7 402044a770
Delete comma 2015-09-16 16:23:43 -05:00
jvazquez-r7 75c6ace1d0
Use single quotes 2015-09-16 16:23:10 -05:00
jvazquez-r7 88fdc9f123
Clean exploit method 2015-09-16 16:14:21 -05:00
jvazquez-r7 d6a637bd15
Do code cleaning on the check method 2015-09-16 16:12:28 -05:00
wchen-r7 c7afe4f663
Land #5930, MS15-078 (atmfd.dll buffer overflow) 2015-09-16 15:33:38 -05:00
jvazquez-r7 37d42428bc
Land #5980, @xistence exploit for ManageEngine OpManager 2015-09-16 13:19:49 -05:00
jvazquez-r7 8f755db850
Update version 2015-09-16 13:19:16 -05:00
jvazquez-r7 1b50dfc367
Change module location 2015-09-16 11:43:09 -05:00
jvazquez-r7 122103b197
Do minor metadata cleanup 2015-09-16 11:41:23 -05:00
jvazquez-r7 aead0618c7
Avoid the WAIT option 2015-09-16 11:37:49 -05:00
jvazquez-r7 0010b418d0
Do minor code cleanup 2015-09-16 11:31:15 -05:00
jvazquez-r7 f3b6606709
Fix check method 2015-09-16 11:26:15 -05:00
jvazquez-r7 24af3fa12e
Add rop chains 2015-09-15 14:46:45 -05:00
xistence c99444a52e ManageEngine EventLog Analyzer Remote Code Execution 2015-09-15 07:29:16 +07:00
xistence 7bf2f158c4 ManageEngine OpManager Remote Code Execution 2015-09-15 07:24:32 +07:00
wchen-r7 ae5aa8f542 No FILE_CONTENTS option 2015-09-12 23:32:02 -05:00
jvazquez-r7 0d52a0617c
Verify win32k 6.3.9600.17837 is working 2015-09-12 15:27:50 -05:00
jvazquez-r7 9626596f85
Clean template code 2015-09-12 13:43:05 -05:00
wchen-r7 01053095f9 Add MS15-100 Microsoft Windows Media Center MCL Vulnerability 2015-09-11 15:05:06 -05:00
jvazquez-r7 53f995b9c3
Do first prototype 2015-09-10 19:35:26 -05:00
jvazquez-r7 329e6f4633
Fix title 2015-09-08 15:31:14 -05:00
samvartaka 0a0e7ab4ba This is a modification to the original poisonivy_bof.rb exploit 
module removing the need for bruteforce in the case of an unknown
server password by (ab)using the challenge-response as an encryption
oracle, making it more reliable. The vulnerability has also been confirmed
in versions 2.2.0 up to 2.3.1 and additional targets for these versions
have been added as well.

See http://samvartaka.github.io/malware/2015/09/07/poison-ivy-reliable-exploitation/
for details.

## Console output

Below is an example of the new functionality (PIVY C2 server password is
set to 'prettysecure' and unknown to attacker). Exploitation of versions 2.3.0 and 2.3.1
is similar.

### Version 2.3.2 (unknown password)

```
msf > use windows/misc/poisonivy_bof
msf exploit(poisonivy_bof) > set RHOST 192.168.0.103
RHOST => 192.168.0.103
msf exploit(poisonivy_bof) > check

[*] Vulnerable Poison Ivy C&C version 2.3.1/2.3.2 detected.
[*] 192.168.0.103:3460 - The target appears to be vulnerable.
msf exploit(poisonivy_bof) > set PAYLOAD windows/shell_bind_tcp
PAYLOAD => windows/shell_bind_tcp
msf exploit(poisonivy_bof) > exploit

[*] Started bind handler
[*] Performing handshake...
[*] Sending exploit...

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\winxp\Desktop\Poison Ivy\Poison Ivy 2.3.2>
```

### Version 2.2.0 (unknown password)

```
msf exploit(poisonivy_bof) > check

[*] Vulnerable Poison Ivy C&C version 2.2.0 detected.
[*] 192.168.0.103:3460 - The target appears to be vulnerable.

msf exploit(poisonivy_bof) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Poison Ivy 2.2.0 on Windows XP SP3 / Windows 7 SP1
   1   Poison Ivy 2.3.0 on Windows XP SP3 / Windows 7 SP1
   2   Poison Ivy 2.3.1, 2.3.2 on Windows XP SP3 / Windows 7 SP1

msf exploit(poisonivy_bof) > set TARGET 0
TARGET => 0

msf exploit(poisonivy_bof) > exploit

[*] Started bind handler
[*] Performing handshake...
[*] Sending exploit...

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\winxp\Desktop\Poison Ivy\Poison Ivy 2.2.0>
```
 2015-09-07 17:48:28 +02:00
jvazquez-r7 ef6df5bc26
Use get_target_arch 2015-09-03 16:30:46 -05:00
jvazquez-r7 2588439246
Add references for the win32k info leak 2015-09-03 15:35:41 -05:00
jvazquez-r7 697a6cd335
Rescue the process execute 2015-09-03 13:03:36 -05:00
jvazquez-r7 80a1e32339
Set Manual Ranking 2015-09-03 12:24:45 -05:00
HD Moore 9b51352c62
Land #5639, adds registry persistence 2015-09-03 11:26:38 -05:00
jvazquez-r7 dbe901915e
Improve version detection 2015-09-03 09:54:38 -05:00
jvazquez-r7 de25a6c23c
Add metadata 2015-09-02 18:32:45 -05:00
jvazquez-r7 8f70ec8256
Fix Disclosure date 2015-09-02 18:21:36 -05:00
jvazquez-r7 b912e3ce65
Add exploit template 2015-09-02 17:28:35 -05:00
HD Moore 4090c2c8ea
Land #5880, adds ScriptHost UAC bypass for Win7/2008 2015-09-02 14:14:18 -05:00
Meatballs 582cc795ac
Remove newlines 2015-09-02 19:42:04 +01:00
HD Moore 43d3e69fb2
Land #5917, update local exploit checks 2015-09-02 12:55:45 -05:00
Meatballs 8f25a006a8
Change to automatic target 2015-09-02 09:13:25 +01:00
wchen-r7 4275a65407 Update local exploit checks to follow the guidelines. 
Please see wiki "How to write a check() method" to learn how
these checkcodes are determined.
 2015-09-01 23:26:45 -05:00
Meatballs 27775fbe58
Restrict to 7 and 2k8 2015-09-01 22:23:37 +01:00
HD Moore cd65478d29
Land #5826, swap ExitFunction -> EXITFUNC 2015-09-01 13:58:12 -05:00
Christian Mehlmauer bfc24aea16
change exitfunc to thread 2015-09-01 10:52:25 +02:00
Christian Mehlmauer 115f409fef
change exitfunc to thread 2015-09-01 10:48:07 +02:00
Christian Mehlmauer 5398bf78eb
change exitfunc to thread 2015-09-01 10:46:54 +02:00
Christian Mehlmauer 3e613dc333
change exitfunc to thread 2015-09-01 10:43:45 +02:00
Christian Mehlmauer 648c034d17
change exitfunc to thread 2015-09-01 10:42:15 +02:00
Muhamad Fadzil Ramli 1b4f4fd225
remove url reference 2015-08-27 19:47:37 +08:00
jvazquez-r7 da4b360202
Fix typo 2015-08-26 15:29:34 -05:00
jvazquez-r7 5d0ed797a3
Update DLL 2015-08-26 15:15:32 -05:00
jvazquez-r7 dd529013f6
Update ruby side 2015-08-26 15:12:09 -05:00
Brent Cook b1ef560264
Merge payload_inject 64-bit inject fix from @Meatballs1 2015-08-24 09:26:00 -05:00
Muhamad Fadzil Ramli 03b1ad7491
add reference info 2015-08-24 11:18:26 +08:00
Muhamad Fadzil Ramli 73cb1383d2
amend banner info for check 2015-08-24 10:55:43 +08:00
Meatballs 1c91b126f1
X64 compat for payload_inject 2015-08-23 22:03:57 +01:00
Meatballs 228087dced
Initial working scripthost bypass uac 2015-08-23 20:16:15 +01:00
Muhamad Fadzil Ramli 7587319602
run rubocop & msftidy 2015-08-23 23:32:30 +08:00
Muhamad Fadzil Ramli a5daa5c9be
added module descriptions 2015-08-23 23:12:41 +08:00
Muhamad Fadzil Ramli 91a7531af8
konica minolta ftp server post auth cwd command exploit 2015-08-23 21:49:26 +08:00
wchen-r7 45c7e4760a Support x64 payloads 2015-08-20 02:09:58 -05:00
HD Moore 42e08cbe07 Fix bad use of get_profile (now browser_profile) 2015-08-14 19:50:42 -05:00
jvazquez-r7 c02df6b39d
Land #5800, @bperry's Symantec Endpoint Protection Manager RCE module 2015-08-14 17:03:48 -05:00
jvazquez-r7 b33abd72ce
Complete description 2015-08-14 17:03:21 -05:00