9f3f8bb727
Merging #3323 work
2015-03-05 15:44:15 -06:00
c388fd49c2
Fix print message
2015-03-05 15:43:54 -06:00
e1a4b046a0
Add support for tomcat 7 to struts_code_exec_classloader
2015-03-05 15:40:24 -06:00
8978b1d7b5
Add a version
2015-03-05 11:29:44 -06:00
32188f09d6
Update phpmoadmin_exec.rb
...
Changes:
Added required comment at the top of the file;
Changed Class name "Metasploit3" >> "Metasploit4";
Standard name/email format for public PoC author.
2015-03-05 12:56:08 +00:00
95962aab0d
Update phpmoadmin_exec.rb
...
Changes:
"Check if vulnerable" code improvement;
Payload delivery code improvement;
Minor indent issues.
Thanks for your feedback guys :)
2015-03-05 12:46:53 +00:00
9530e15c81
Update phpmoadmin_exec.rb
...
Changes:
Changed description section;
Changed 'URL' to 'EDB' in references section;
Added newline at the end.
2015-03-04 21:59:08 +00:00
c19895ac85
Update phpmoadmin_exec.rb
...
Changes:
Added new URL;
Added CVE number;
Corrected the disclosure date;
Corrected the normalize_uri() function syntax.
2015-03-04 21:31:44 +00:00
4d67e0e1bb
Add PHPMoAdmin RCE
2015-03-04 18:17:31 +00:00
69b37976c1
Fix disclosure date.
2015-02-17 17:29:52 -08:00
a19a5328f1
Add JBoss Seam 2 upload execute module
...
Versions of the JBoss Seam 2 framework < 2.2.1CR2 fails to properly
sanitize inputs to some JBoss Expression Language expressions. As a
result, attackers can gain remote code execution through the
application server. This module leverages RCE to upload and execute
a meterpreter payload. CVE-2010-1871
2015-02-17 17:25:01 -08:00
1f4fdb5d18
Update from master
2015-02-10 10:47:17 -06:00
a7156cf4a8
Fix zabbix_script_exec datastore
2015-02-05 02:53:22 -06:00
fbf32669c6
Use single quote
2015-02-04 09:47:27 -06:00
de09559cc8
Change HTTP requests to succeed when going through HTTP proxies
2015-02-04 15:32:14 +01:00
f983c8171e
Modify description to match both Struts 1.x and 2.x versions
2015-01-30 12:35:38 +01:00
1a11ae4021
Add new references about Struts 1
2015-01-29 23:27:52 +01:00
4cc5844baf
Add Struts 1 support
2015-01-29 23:12:34 +01:00
bae19405a7
Various grammar, spelling, word choice fixes
2015-01-26 11:00:07 -06:00
d8aa282482
Delete some double quotes
2015-01-22 18:21:25 -06:00
4c72b096b6
Switch variable from file_name to operation
2015-01-22 18:20:11 -06:00
b003d8f750
Do final cleanup
2015-01-22 18:17:14 -06:00
911485f536
Use easier key name
2015-01-22 18:11:48 -06:00
eff49b5fd3
Delete files with Rex::Java::Serialization
2015-01-22 17:59:43 -06:00
37bf66b994
Install instaget with Rex::Java::Serialization
2015-01-22 16:54:49 -06:00
20d7fe631e
Auto detect platform without raw streams
2015-01-22 15:15:08 -06:00
ad276f0d52
Retrieve version with Rex::Java::Serialization instead of binary streams
2015-01-22 14:52:19 -06:00
f7aaad1cf1
Delete some extraneous commas
2015-01-19 17:25:45 -06:00
dbc77a2857
Land #4517 , @pedrib's exploit for ManageEngine Multiple Products Authenticated File Upload
...
* CVE-2014-5301
2015-01-19 17:23:39 -06:00
6403098fbc
Avoid sleep(), survey instead
2015-01-19 17:22:04 -06:00
a6e351ef5d
Delete unnecessary request
2015-01-19 17:14:23 -06:00
ed26a2fd77
Avoid modify datastore options
2015-01-19 17:11:31 -06:00
3c0efe4a7e
Do minor style changes
2015-01-19 15:36:05 -06:00
ddda0b2f4b
Beautify metadata
2015-01-19 14:59:31 -06:00
3768cf0a69
Change version to int and add proper timestamp
2015-01-14 22:59:11 +00:00
c5cfc11d84
fix cookie regex by removing a space
2015-01-12 23:13:18 -05:00
c76aec60b0
Add OSVDB id and full disclosure URL
2015-01-08 23:29:38 +00:00
ea793802cc
Land #4528 , mantisbt_php_exec improvements
2015-01-08 04:50:00 -06:00
ef97d15158
Fix msftidy and make sure all print_*s in check() are vprint_*s
2015-01-07 12:12:25 -06:00
3e80efb5a8
Land #4521 , Pandora FMS upload
2015-01-07 11:13:57 -06:00
1ccef7dc3c
Shorter timeout so we get shell sooner
...
The request to execute our payload will never return, so waiting for the
default timeout (20 seconds) is pointless.
2015-01-07 11:11:33 -06:00
efe83a4f31
Whitespace
2015-01-07 10:19:17 -06:00
09bd0465cf
fix regex
2015-01-07 11:54:55 +01:00
b3def856fd
Applied changes recommended by jlee-r7
...
used Rex::ConnectionError
refactor begin/rescue blocks
removed ::URI::InvalidURIError
changed @peer with peer
used Exploit::CheckCode:Appears instead of Exploit::CheckCode::Vulnerable
2015-01-07 18:38:19 +08:00
eaad4e0bea
fix check method
2015-01-07 11:01:08 +01:00
862af074e9
fix bug
2015-01-07 09:10:50 +01:00
d007b72ab3
favor include? over =~
2015-01-07 07:33:16 +01:00
4277c20a83
use include?
2015-01-07 06:51:28 +01:00
39e33739ea
support for anonymous login
2015-01-07 00:08:04 +01:00
bf0bdd00df
added some links, use the res variable
2015-01-06 23:25:11 +01:00
f9f2bc07ac
some improvements to the mantis module
2015-01-06 11:33:45 +01:00
547b7f2752
Syntax and File Upload BugFix
...
Fix unexpected ) in line 118
Fix file cleanup missing _
Fix more robust version check script
Fix file upload
2015-01-05 19:23:22 +08:00
c9b76a806a
Create manageengine_auth_upload.rb
2015-01-04 17:05:53 +00:00
c1718fa490
Land #4440 , git client exploit from @jhart-r7
...
Also fixes #4435 and makes progress against #4445 .
2015-01-01 13:18:43 -06:00
d7564f47cc
Move Mercurial option to advanced, update ref url
...
See #4440
2015-01-01 13:08:36 -06:00
914c724abe
Rename module
...
See rapid7#4440
2015-01-01 13:03:17 -06:00
65977c9762
Add some more useful URLs
2014-12-31 10:54:04 -08:00
96fe693c54
update drupal regex
2014-12-30 09:12:39 +01:00
51049152b6
Use Rex::Text.rand_mail_address for more realistic fake commit
2014-12-26 10:39:52 -08:00
a692656ab7
Update comments to reflect reality, minor cleanup
2014-12-23 19:09:45 -08:00
59f75709ea
Print out malicious URLs that will be used by default
2014-12-23 10:10:31 -08:00
905f483915
Remove unused and commented URIPATH
2014-12-23 09:40:27 -08:00
8e57688f04
Use random URIs by default, different method for enabling/disabling Git/Mercurial
2014-12-23 09:39:39 -08:00
bd3dc8a5e7
Use fail_with rather than fail
2014-12-23 08:20:03 -08:00
015b96a24a
Add back perl and bash related payloads since Windows git will have these and OS X should
2014-12-23 08:13:00 -08:00
16302f752e
Enable generic command
2014-12-23 14:22:26 +00:00
a3b0b9de62
Configure module to target bash by default
2014-12-23 14:19:51 +00:00
313d6cc2f8
Add super call
2014-12-23 14:12:47 +00:00
43221d4cb0
Remove redundant debugging stuff
2014-12-23 14:09:12 +00:00
42a10d6d50
Add Powershell target
2014-12-23 14:07:57 +00:00
abec7c206b
Update description to describe current limitations
2014-12-22 20:32:45 -08:00
1505588bf6
Rename the file to reflect what it really is
2014-12-22 20:27:40 -08:00
ff440ed5a4
Describe vulns in more detail, add more URLs
2014-12-22 20:20:48 -08:00
b4f6d984dc
Minor style cleanup
2014-12-22 17:51:35 -08:00
421fc20964
Partial mercurial support. Still need to implement bundle format
2014-12-22 17:44:14 -08:00
fdd1d085ff
Don't encode the payload because this only complicates OS X
2014-12-22 13:36:38 -08:00
ea9f5ed6ca
Minor cleanup
2014-12-22 12:16:53 -08:00
dd73424bd1
Don't link to unused repositories
2014-12-22 12:04:55 -08:00
6c8cecf895
Make git/mercurial support toggle-able, default mercurial to off
2014-12-22 11:36:50 -08:00
574d3624a7
Clean up setup_git verbose printing
2014-12-22 11:09:08 -08:00
16543012d7
Correct planted clone commands
2014-12-22 10:56:33 -08:00
01055cd41e
Use a trigger to try to only start a handler after the malicious file has been requested
2014-12-22 10:43:54 -08:00
3bcd67ec2e
Unique URLs for public repo page and malicious git/mercurial repos
2014-12-22 10:03:30 -08:00
308eea0c2c
Make malicious hook file name be customizable
2014-12-22 08:28:55 -08:00
7f3cfd2207
Add a ranking
2014-12-22 07:51:47 -08:00
74783b1c78
Remove ruby and telnet requirement
2014-12-21 10:06:06 -08:00
31f320c901
Add mercurial debugging
2014-12-20 20:00:12 -08:00
3da1152743
Add better logging. Split out git support in prep for mercurial
2014-12-20 19:34:55 -08:00
58d5b15141
Add another useful URL. Use a more git-like URIPATH
2014-12-20 19:11:56 -08:00
f41d0fe3ac
Randomize most everything about the malicious commit
2014-12-19 19:31:00 -08:00
805241064a
Create a partially capitalized .git directory
2014-12-19 19:07:45 -08:00
f7630c05f8
Use payload.encoded
2014-12-19 18:52:34 -08:00
7f2247f86d
Add description and URL
2014-12-19 15:50:16 -08:00
9b815ea0df
Some style cleanup
2014-12-19 15:35:09 -08:00
4d0b5d1a50
Add some vprints and use a sane URIPATH
2014-12-19 15:33:26 -08:00
d3050de862
Remove references to Redmine in code
...
See #4400 . This should be all of them, except for, of course, the module
that targets Redmine itself.
Note that this also updates the README.md with more current information
as well.
2014-12-19 17:27:08 -06:00
48444a27af
Remove debugging pp
2014-12-19 15:27:06 -08:00
1c7fb7cc7d
Mostly working exploit for CVE-2014-9390
2014-12-19 15:24:27 -08:00
4888ebe68d
Initial commit of POC module for CVE-2013-9390 ( #4435 )
2014-12-19 12:58:02 -08:00
223d6b7923
Merged with Fr330wn4g3's changes
2014-12-14 13:08:19 +08:00
544f75e7be
fix invalid URI scheme, closes #4362
2014-12-11 23:34:10 +01:00
21742b6469
Test #3729
2014-12-06 21:20:52 -06:00
28135bcb09
Land #4159 , MantisBT PHP code execution by @itseco
2014-11-15 07:49:54 +01:00
3faa48d810
small bugfix
2014-11-13 22:51:41 +01:00
7d6b6cba43
some changes
2014-11-13 22:46:53 +01:00
dd1920edd6
Minor typos and grammar fixes
2014-11-13 14:48:23 -06:00
17032b1eed
Fix issue reported by FireFart
2014-11-13 04:48:45 -05:00
ac17780f6d
Fix by @FireFart to recover communication with the application after a meterpreter session
2014-11-11 05:49:18 -05:00
6bf1f613b6
Fix issues reported by FireFart
2014-11-11 00:41:58 -05:00
d4bbf0fe39
Fix issues reported by wchen-r7 and mmetince
2014-11-10 15:27:10 -05:00
cd0dbc0e24
Missed another
2014-11-09 14:06:39 -06:00
9cce7643ab
update description and fix typos
2014-11-09 09:10:01 -05:00
5d17637038
Add CVE-2014-7146 PHP Code Execution for MantisBT
2014-11-09 08:00:44 -05:00
7510fb40aa
touch up visual_mining_netcharts_upload
2014-11-06 22:50:20 -06:00
79cabc6d68
Fix clean up
2014-11-05 15:46:33 -06:00
c08993a9c0
Add module for ZDI-14-372
2014-11-05 15:31:20 -06:00
400ef51897
Land #4076 , exploit for x7chat PHP application
2014-11-03 18:22:04 -06:00
3bf7473ac2
Add github pull request as reference
2014-11-03 18:18:42 -06:00
44a2f366cf
Switch ranking
2014-11-03 18:06:09 -06:00
039d3cf9ae
Do minor cleanup
2014-11-03 18:04:30 -06:00
7e4248b601
Added compatibility with older versions, Updated descriptions and fixed issue with Ubuntu 12.04
2014-11-03 16:42:50 -05:00
51b96cb85b
Cosmetic title/desc updates
2014-11-03 13:37:45 -06:00
1a37a6638c
Fix splunk_upload_app_exec to work on new installs. Style
2014-10-30 18:28:56 -07:00
55f245f20f
Merge #3507 into local, recently updated branch of master for landing
2014-10-30 17:28:20 -07:00
2e53027bb6
Fix value of X7C2P cookie and typo
2014-10-29 08:32:36 -05:00
9f21ac8ba2
Fix issues reported by wchen-r7
2014-10-28 21:31:33 -05:00
71a6ec8b12
Land #4093 , cups_bash_env_exec CVE-2014-6278
2014-10-28 12:47:51 -05:00
57baf0f393
Add support for CVE-2014-6278
2014-10-28 17:10:19 +00:00
3de5c43cf4
Land #4050 , CUPS Shellshock
...
Bashbleeded!!!!!!!!!!!
2014-10-28 11:59:31 -05:00
78b199fe72
Remove CVE-2014-6278
2014-10-28 16:18:24 +00:00
a060fec760
Detect version in check()
2014-10-28 12:28:18 +00:00
2ba2388889
Fix issues reported by jvasquez
2014-10-27 19:15:39 -05:00
848f24a68c
update module description
2014-10-27 02:07:16 -05:00
d66dc88924
Add PHP Code Execution for X7 Chat 2.0.5
2014-10-27 01:01:31 -05:00
554935e60b
Add check() and support CVE-2014-6278
2014-10-26 18:11:36 +00:00
f886ab6f97
Land #4020 , Jenkins-CI CSRF token support
2014-10-20 19:03:24 -04:00
005baa7f7e
Retry the script page request to get the token
...
After logging in to Jenkins the script console page
needs to be requested again to get the CSRF token.
2014-10-19 14:04:16 -04:00
0ede70e7f6
Add exploit module for CUPS shellshock
2014-10-19 17:58:49 +00:00
10f3969079
Land #4043 , s/http/http:/ splat
...
What is a splat?
2014-10-17 13:41:07 -05:00
a514e3ea16
Fix bad indent (should be spaces)
...
msftidy is happy now.
2014-10-17 12:39:25 -05:00
35d3bbf74d
Fix up comment splats with the correct URI
...
See the complaint on #4039 . This doesn't fix that particular
issue (it's somewhat unrelated), but does solve around
a file parsing problem reported by @void-in
2014-10-17 11:47:33 -05:00
353d2f79cc
tweak pw generation
2014-10-16 12:06:19 -07:00
5f8c0cb4f3
Merge branch 'drupal' of https://github.com/FireFart/metasploit-framework into drupageddon
2014-10-16 11:53:54 -07:00
c8dd08f605
password hashing
2014-10-17 15:52:47 +02:00
23b7b8e400
fix for version 7.0-7.31
2014-10-16 11:53:48 -07:00
9bab77ece6
add urls
2014-10-16 10:36:37 -07:00
b031ce4df3
Create drupal_drupageddon.rb
2014-10-16 16:42:47 -05:00
5c4ac48db7
update the drupal module a bit with error checking
2014-10-16 10:32:39 -07:00
4c2ae1a753
Fix jenkins when CSRF is enabled
2014-10-14 19:33:23 -05:00
63426793ef
Use vars_get instead of direct URI concatenation
2014-10-02 11:03:12 +02:00
0380c5e887
Add CVE-2014-6278 support, lands #3932
2014-10-01 18:25:41 -05:00
c1b0acf460
Add CVE-2014-6278 support to the exploit module
...
Same thing.
2014-10-01 17:58:25 -05:00
4fbab43f27
Release fixes, all titles and descs
2014-10-01 14:26:09 -05:00
de65ab0519
Fix broken check in exploit module
...
See 71d6b37088
2014-09-29 23:03:09 -05:00
df44dfb01a
Add OSVDB and EDB references to Shellshock modules
2014-09-29 21:39:07 -05:00
8f3e03d4f2
Land #3903 - ManageEngine OpManager / Social IT Arbitrary File Upload
2014-09-29 17:53:43 -05:00
533b807bdc
Add OSVDB id
2014-09-29 21:52:44 +01:00
7125a9f047
Added YARD doc to the mixin
...
Also make a slight correction on jboss_deployementfilerepository.rb to
handle nil responses.
2014-09-28 19:44:37 +02:00
fe12ed02de
Support a user defined header in the exploit too
2014-09-27 18:58:53 -04:00
f20610a657
Added full disclosure URL
2014-09-27 21:34:57 +01:00
030aaa4723
Add exploit for CVE-2014-6034
2014-09-27 19:33:49 +01:00
0a3735fab4
Make it better
2014-09-26 16:01:10 -05:00
3538b84693
Try to make a better check
2014-09-26 15:55:26 -05:00
ad864cc94b
Delete unnecessary code
2014-09-25 16:18:01 -05:00
9245bedf58
Make it more generic, add X86_64 target
2014-09-25 15:54:20 -05:00
d8c03d612e
Avoid failures due to bad payload selection
2014-09-25 13:49:04 -05:00
91e5dc38bd
Use datastore timeout
2014-09-25 13:36:05 -05:00
8a43d635c3
Add exploit module for CVE-2014-6271
2014-09-25 13:26:57 -05:00
919eec250d
Refactor auto_target from Jboss mixin
...
Removed fail_with and targets from the mixin.
2014-09-24 22:15:32 +02:00
3e09283ce5
Land #3777 - Fix struts_code_exec_classloader on windows
2014-09-16 13:09:58 -05:00
158d4972d9
More references and pass msftidy
2014-09-16 12:54:27 -05:00
7a7b6cb443
Some refactoring
...
Use EDB instead of URL for Exploit-DB.
Remove peer variable as peer comes from HttpClient.
2014-09-16 17:49:45 +02:00
4c615ecf94
Module for CVE-2014-5519, phpwiki/ploticus RCE
2014-09-16 00:09:41 +02:00
373eb3dda0
Make struts_code_exec_classloader to work on windows
2014-09-10 18:00:16 -05:00
0a6ce1f305
Land #3727 - SolarWinds Storage Manager exploit AND Msf::Payload::JSP
2014-09-09 17:21:03 -05:00
75269fd0fa
Make sure we're not doing a 'negative' timeout
2014-09-09 11:26:49 -05:00
b8ba2dd703
Fix timeout with HEAD request in delete_file
2014-09-08 18:34:50 +02:00
cc5b852517
Fixed spec for lib/msf/http/jboss
...
Revert commit abdd72e8c6
2014-09-08 17:42:04 +02:00
283e83028f
Fix problem with HEAD requests
...
Split lib/msf/http/jboss/script into
lib/msf/http/jboss/deployment_file_repository_scripts.rb and
lib/msf/http/jboss/bean_shell_scripts.rb as
2014-09-08 14:02:15 +02:00
ded085f5cc
Add CVE ID
2014-09-03 07:22:10 +01:00
c672fad9ef
Add OSVDB ID, remove comma from Author field
2014-09-02 23:17:10 +01:00
d480a5e744
Credit h0ng10 properly
2014-09-01 07:58:26 +01:00
59847eb15b
Remove newline at the top
2014-09-01 07:56:53 +01:00
6a370a5f69
Add exploit for eventlog analyzer file upload
2014-09-01 07:56:01 +01:00
c05edd4b63
Delete debug print_status
2014-08-31 01:34:47 -05:00
559ec4adfe
Add module for ZDI-14-299
2014-08-31 01:11:46 -05:00
403eae3579
Jboss file deployment repository refactorization
...
Moved lib/msf/http/jboss/bean_shell_script.rb to
lib/msf/http/jboss/script.rb. Moved head_stager_jsp to script.rb.
Removed stager_jsp to use the function from the mixin.
2014-08-30 13:15:37 +02:00
33f90de7f6
Refactoring jboss module to work with the Mixin
...
Moved upload and delete methods of deploymentfilerepository to the
mixin. Removed call_uri_mtimes method as the module now uses deploy
from the mixin.
2014-08-29 20:08:35 +02:00
af9f3b83a7
Refactoring jboss module to work with the Mixin
...
Removed datastore USERNAME and PASSWORD which are provided by
Msf::Exploit::Remote::HttpClient. Removed datastore PATH and VERB which
are provided by the mixin (lib/msf/http/jboss). Moved target detection
to the mixin.
2014-08-27 22:54:40 +02:00
a8d03aeb59
Fix bug with PMP db paths
2014-08-26 12:54:31 +01:00
473341610c
Update name to mention DC; correct servlet name
2014-08-26 12:39:48 +01:00
0031913b34
Fix nil accesses
2014-08-22 16:19:11 -05:00
38e6576990
Update
2014-08-22 13:22:57 -05:00
cf147254ad
Use snake_case in the filename
2014-08-22 11:44:35 -05:00
823649dfa9
Clean exploit, just a little
2014-08-22 11:43:58 -05:00
9815b1638d
Refactor pick_target
2014-08-22 11:31:06 -05:00
ecace8beec
Refactor check method
2014-08-22 11:05:36 -05:00
ced65734e9
Make some datastore options advanced
2014-08-22 10:26:04 -05:00
b4e3e84f92
Use CamelCase for target keys
2014-08-22 10:23:36 -05:00
b58550fe00
Indent description and fix title
2014-08-22 10:21:08 -05:00
jvazquez-r7
sinn3r
Ricardo Almeida
vulp1n3
William Vu
julianvilas
Tod Beardsley
Pedro Ribeiro
David Lanner
James Lee
Christian Mehlmauer
rcnunez
Jon Hart
Meatballs
Juan Escobar
Joshua Smith
Brendan Coles
root
Spencer McIntyre
URI Assassin
Brandon Perry
Brandon Perry
Fernando Munoz
Vincent Herbulot
HD Moore