Jonathan Claudius
0c5fb8c0c2
Fix bug in group enumeration regex
2014-04-17 10:31:05 -04:00
Christian Mehlmauer
71a650fe6e
Land #3259 , XMPP Hostname autodetect by @TomSellers
2014-04-17 08:54:15 +02:00
Tom Sellers
1f452aab48
Code cleanup
...
Changes requested by wvu-R7
2014-04-17 12:46:25 -05:00
Tom Sellers
9e2285619e
Additional cleanup
...
Whitespace cleanup
2014-04-17 10:46:33 -05:00
Joe Vennix
8920e0cc80
Use octal encoding and -e, so that echo always works.
2014-04-17 01:17:46 -05:00
Jonathan Claudius
f53e7f84b8
Adds Cisco SSL VPN Bruteforce Aux Mod
2014-04-16 22:47:58 -04:00
Tom Sellers
ee0d30a1f3
Whitespace fix
...
Removing extra line feeds
2014-04-16 17:27:39 -05:00
Tom Sellers
92eab6c54b
Attribution addition
...
Per comment from Firefart
2014-04-16 17:26:09 -05:00
Tom Sellers
1f3ec46b8a
Heartbleed - Add autodetection of XMPP hostname (round 2)
...
Add the ability to scrape the hostname from the XMPP error message when connecting to an XMPP (Jabber) server. This allows the connection to get far enough to negotiate a TLS tunnel with STARTTLS. The manually specified domain, if present, will be used first and then the hostname autodetection will kick in if that fails.
This version addresses issues that FireFart (Thanks!) brought up about code quality and connection reliability.
2014-04-16 08:49:45 -05:00
sinn3r
54346f3f92
Land #3265 - Windows Post Manage Change Password
2014-04-15 18:45:48 -05:00
sinn3r
d7a63003a3
Land #3266 - MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free
2014-04-15 18:35:18 -05:00
sinn3r
23c2a071cd
Small name change
2014-04-15 18:35:00 -05:00
sinn3r
7a4e12976c
First little bit at Bug 8498
...
[FixRM #8489 ] rhost/rport modification
2014-04-15 18:20:16 -05:00
sinn3r
d7513b0eb2
Handle nil properly when no results are found
2014-04-15 18:19:29 -05:00
jvazquez-r7
abd76c5000
Add module for CVE-2014-0322
2014-04-15 17:55:24 -05:00
Meatballs
5bd9721d95
Redundant include
2014-04-15 21:34:21 +01:00
Meatballs
02b11afddc
Merge remote-tracking branch 'upstream/master' into netapi_change_passwd
...
Conflicts:
lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_netapi32.rb
2014-04-15 21:23:45 +01:00
Meatballs
bd9b5add49
Dont report creds
...
We dont know if a DOMAIN or IP is specified etc.
2014-04-15 21:14:49 +01:00
Meatballs
fc018eb32e
Initial commit
2014-04-15 21:05:06 +01:00
Tod Beardsley
0b2737da7c
Two more java payloads that wanted to write RHOST
...
There are three total, and they're all copy-pasted from the original
module from 2009. I suspect this idiom isn't used at all any more -- I
can't detect a difference in the payload if I just declare a host being
cli.peerhost, rather than rewriting RHOST to be cli.peerhost.
[SeeRM #8498 ]
2014-04-14 22:22:30 -05:00
Tod Beardsley
775b0de3c0
Replace RHOST reassing with just host
...
This looks okay from debug (the host looks like it's generating okay)
but there may be some subtle thing I'm not seeing here. @wchen-r7 can
you glance at this please?
[SeeRM #8498 ]
2014-04-14 22:17:31 -05:00
Tod Beardsley
9db01770ec
Add custom rhost/rport, remove editorializing desc
...
Verification:
````
resource (./a.rc)> run
[*] Connecting to FTP server ....
[*] FTP recv: "220 ProFTPD 1.3.3a Server (My FTP server)
[*] Connected to target FTP server.
[*] Authenticating as anonymous with password mozilla@example.com...
[*] FTP send: "USER anonymous\r\n"
[*] FTP recv: "331 Anonymous login ok, send your complete email address
as your password\r\n"
````
...etc.
2014-04-14 21:46:05 -05:00
Tod Beardsley
40a359f312
Include a vhost for Shodan or else it complains
...
Works now. The rhost option was not keeping the custom vhost option.
````
msf auxiliary(shodan_search) > rexploit
[*] Reloading module...
[*] Total: 13443 on 269 pages. Showing: 1
[*] Country Statistics:
[*] United States (US): 2006
[*] Germany (DE): 1787
[*] Korea, Republic of (KR): 1061
[*] Italy (IT): 916
[*] Hungary (HU): 604
[*] Collecting data, please WaitUntilAuthEmptyt...
IP Results
==========
````
2014-04-14 21:23:27 -05:00
Tod Beardsley
1436f68955
Fix shodan to not muck with datastore
2014-04-14 21:21:11 -05:00
Tod Beardsley
9035d1523d
Update wol.rb to specify rhost/rport directly
...
- [ ] Fire up tcpdump on the listening interface
- [ ] Run the module and see the pcap:
listening on vmnet8, link-type EN10MB (Ethernet), capture size 65535
bytes
20:56:02.592331 IP 192.168.145.1.41547 > 255.255.255.255.9: UDP, length
102
2014-04-14 20:57:20 -05:00
Tom Sellers
0360d1177f
Heartbleed - Add autodetection of XMPP hostname
...
Add the ability to scrape the hostname from the XMPP error message when connecting to an XMPP (Jabber) server. This allows the connection to get far enough to negotiate a TLS tunnel with STARTTLS. The manually specified domain, if present, will be used first and then the hostname autodetection will kick in if that fails.
2014-04-14 20:09:21 -05:00
Thanat0s
07ed8d832a
Update db
2014-04-15 02:48:55 +02:00
David Chan
1a73206034
Add detection for GnuTLS with with multiple records
2014-04-14 17:09:25 -07:00
Thanat0s
fecdbd1781
F5 bigip cookie module
2014-04-15 01:11:17 +02:00
William Vu
66cc050876
Land #3256 , SMTP RFC compliance for Heartbleed
2014-04-14 17:52:56 -05:00
Thanat0s
176204d62d
With implemented remarks
2014-04-14 21:11:04 +02:00
Tod Beardsley
66a50b33fd
Errant whitespace
2014-04-14 13:34:39 -05:00
Tom Sellers
634a03a852
Update to openssl_heartbleed to deal with SMTP RFC
...
Added CR character in order to have the commands match SMTP RFC 5321 2.3.8 for line termination. Some SMTP services, such as the Symantec Mail Gateway, require strict compliance or the connection will be dropped with the response '550 esmtp: protocol deviation'
Reference:
http://www.symantec.com/business/support/index?page=content&id=TECH96829
http://tools.ietf.org/html/rfc5321#section-2.3.8
2014-04-14 13:27:33 -05:00
joev
5f0d723588
Adds history collection module for FF privileged JS.
2014-04-14 12:27:18 -05:00
sinn3r
61196b4793
Land #3246 - Firefox Gather Passwords from Privileged Javascript Shell
2014-04-14 11:37:55 -05:00
David Maloney
c537aebf0f
Land #3228 , JtR colon Seperation
2014-04-14 11:19:16 -05:00
JoseMi
e811e169dc
Cambios en el exploit
2014-04-14 16:31:54 +01:00
JoseMi
da26a39634
Add CVE-2014-2219 exploit for windows XP SP3
2014-04-14 16:16:10 +01:00
Thanat0s
dd7bceee56
fix threaded issues
2014-04-12 17:43:39 +02:00
Thanat0s
d493c48cc6
add thottling,notes insert and output to dns_rev_lookup
2014-04-12 16:36:18 +02:00
Ramon de C Valle
039946e8d1
Use the first cipher suite sent by the client
...
If encrypted, use the TLS_RSA_WITH_AES_128_CBC_SHA; otherwise, use the
first cipher suite sent by the client. This complements the last commit
and makes this module work with SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2
when NEGOTIATE_TLS is not enabled (see
https://gist.github.com/rcvalle/10335282 ).
2014-04-12 05:05:14 -03:00
Ramon de C Valle
b95fcb9610
Use the protocol version sent by the client
...
Use the protocol version sent by the client. This should be the latest
version supported by the client, which may also be the only acceptable.
This makes this module work with SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2
when NEGOTIATE_TLS is not enabled (see
https://gist.github.com/rcvalle/10335282 ).
2014-04-12 04:21:35 -03:00
David Chan
6fafc10184
Add HeartBleed check functionality
2014-04-12 00:07:00 -07:00
joev
1715cf4650
Add base64 to prevent potential encoding issues.
2014-04-11 17:30:04 -05:00
joev
65d267032d
Fix wrong DisclosureDate.
2014-04-11 16:17:22 -05:00
joev
197a7e556b
Add password colletion post module for Firefox shells.
2014-04-11 16:15:48 -05:00
William Vu
6599999b8a
Land #3232 , Heartbleed memory dump filtering
2014-04-11 12:46:01 -05:00
Sebastiano Di Paola
a63f020a68
Fixing coding style
2014-04-11 19:39:57 +02:00
Sebastiano Di Paola
4acacb005d
Fixed a bug...referring to wrong variable after filtering with regexp
2014-04-11 19:33:23 +02:00
Sebastiano Di Paola
83fe1cec65
Cleaned up Array.join call
2014-04-11 19:24:32 +02:00
Sebastiano Di Paola
55ec969bd9
Renamed FILTER -> DUMPFILTER, more intuitive and coherent
2014-04-11 19:07:57 +02:00
Sebastiano Di Paola
8268009b36
Renamed PATTERN_FILTER -> FILTER
2014-04-11 19:03:25 +02:00
Sebastiano Di Paola
c378fe95c1
Added missing space in comment
2014-04-11 19:01:01 +02:00
Sebastiano Di Paola
f8f710547c
Fixed call to String.match with regexp pattern
2014-04-11 18:59:59 +02:00
Sebastiano Di Paola
638cb41a3f
Remove Spaces at EOL, fixed if test on pattern variable
2014-04-11 18:58:05 +02:00
Sebastiano Di Paola
34fa4e29d9
Restored FTP option
2014-04-11 18:16:19 +02:00
Sebastiano Di Paola
eb0e35bf25
Fixed store on file option
2014-04-11 18:07:14 +02:00
sinn3r
b69662fa42
Land #3233 - eScan Password Command Injection
2014-04-11 11:05:48 -05:00
jvazquez-r7
0c8f5e9b7d
Add @Firefart's feedback
2014-04-11 10:21:33 -05:00
Sebastiano Di Paola
c4029ea582
- Rubbish that was left dangling here around
2014-04-11 17:20:54 +02:00
Sebastiano Di Paola
1808fe470a
fixed conflicts, used OptRegexp for pattern
2014-04-11 17:16:06 +02:00
Sebastiano Di Paola
4315ad2987
Fixed conflict and used OptRegexp type for pattern
2014-04-11 17:15:39 +02:00
jvazquez-r7
813e0eab89
Land #3233 , @wvu-r7's improvements fort heartbleed modules
2014-04-11 09:33:57 -05:00
jvazquez-r7
e2ec53272e
Fix also negative numbers
2014-04-11 09:33:27 -05:00
Ken Smith
c99f6654e8
Added target 6.1 to module
2014-04-11 09:59:11 -04:00
jvazquez-r7
fb5881d8e2
Land #2324 , @sensepost and @Firefart's sftp support for heartbleed
2014-04-11 08:47:22 -05:00
jvazquez-r7
2134d676b4
Use verbose by default
2014-04-11 07:58:56 -05:00
Tod Beardsley
56662bd89b
Correct corpwatch_lookup_name datastore usage
...
[SeeRM #8498 ]
2014-04-10 16:56:55 -05:00
Tod Beardsley
06dedeec8f
Update corpwatch_lookup_id to run correctly
...
[SeeRM #8498 ]
2014-04-10 16:52:34 -05:00
William Vu
6675464c20
Fix a few things in the Heartbleed modules
2014-04-10 16:06:40 -05:00
Sebastiano Di Paola
9adf629ee7
Added feature to dump to file leaked memory
2014-04-10 22:51:07 +02:00
jvazquez-r7
fe066ae944
Land #3207 , @7a69 MIPS BE support for Fritz Box's exploit
2014-04-09 23:20:45 -05:00
jvazquez-r7
fdda69d434
Align things
2014-04-09 23:19:41 -05:00
jvazquez-r7
386e2e3d29
Do final / minor cleanup
2014-04-09 23:19:12 -05:00
Christian Mehlmauer
f115a7f6e1
Fix intendation
2014-04-10 02:52:05 +02:00
gigstorm
f1443c039e
Updated hash value to SSLv3
...
Tested and working on server that has SSLv3 only enabled
2014-04-11 14:01:28 -07:00
gigstorm
6ab3478c7e
Update to include SSL Version 3 protocol
...
SSL Version 3 will also respond to this and a server configured to respond to SSL version 3 but not TLS will show false negative without this option (proven). May need to update cipher suites to include this option.
2014-04-11 12:41:17 -07:00
James Lee
f54654a326
More refactor on jtr_linux
...
Reducing complexity in `run` makes modules easier to read
2014-04-09 19:26:34 -05:00
James Lee
7f900c2628
Micro optimizations for jtr_linux
2014-04-09 19:26:23 -05:00
James Lee
46038d58b7
Refactor jtr_linux copy pasta
...
Move it to a nifty method
2014-04-09 19:26:11 -05:00
Christian Mehlmauer
4fc272c0e9
Fix merge error
2014-04-10 00:53:14 +02:00
jvazquez-r7
f398924280
Land @Firefart's new fix for the jabber case
2014-04-09 17:52:53 -05:00
Christian Mehlmauer
98816c3a01
Added @sensepost FTP implemenation
2014-04-10 00:48:09 +02:00
singe
ccfcf2cedb
Added FTP STARTTLS support to heartbleed scanner.
2014-04-10 00:45:59 +02:00
jvazquez-r7
c0e682b518
Land #3225 , @wvu-r7's and @hmoore-r7's improvements for openssl_heartbeat_client_memory
2014-04-09 17:39:04 -05:00
jvazquez-r7
ccdc5bd281
Switch to get since @wvu-r7 also tested successfully with get
2014-04-09 17:30:00 -05:00
William Vu
b905aece38
Fix job not backgrounding
2014-04-09 17:03:57 -05:00
HD Moore
ed247498b6
Make TLS negotiation optional
2014-04-09 17:03:38 -05:00
jvazquez-r7
b0b979ce62
Meterpreter sessions won't get root in this way
2014-04-09 16:59:12 -05:00
jvazquez-r7
a2ce2bfa56
Fix disclosure date
2014-04-09 16:41:49 -05:00
jvazquez-r7
ff232167a6
Add module for eScan command injection
2014-04-09 16:39:06 -05:00
sinn3r
2de210f1c3
Land #3216 - Update @Meatballs1 and @FireFart in authors.rb
2014-04-09 16:38:10 -05:00
William Vu
f56f34fb69
Land #3212 , @hmoore-r7's client-side Heartbleed
2014-04-09 15:42:36 -05:00
Christian Mehlmauer
a86a8fed05
Changed heartbleed jabber implementation to match openssl s_client
...
see here for example implementation:
https://github.com/openssl/openssl/blob/master/apps/s_client.c#L1719
2014-04-09 22:20:32 +02:00
William Vu
2f9a400efa
vprint_status the other message message
2014-04-09 15:11:02 -05:00
William Vu
84ce72367b
Make the output less verbose
2014-04-09 14:57:51 -05:00
Christian Mehlmauer
856ad7e83d
heartbleed - Better output on wrong jabber domain and add. nil? check
2014-04-09 21:53:17 +02:00
Jeff Jarmoc
7a424784f8
Change default TLS Version to 1.0
...
Canonical testing shows this to be more widely supported, and yielding far more vulnerable hosts. Changing default to reflect that.
Experience of others in #metasploit seems similar.
2014-04-09 13:45:00 -05:00
Christian Mehlmauer
fec089d88d
Land #3219 , openssl_heartbleed XMPP fix from @natronkeltner
2014-04-09 20:42:55 +02:00
Christian Mehlmauer
e2b50d3709
fix openssl_heardbleed
...
-) XMPP Domain now configurable
-) Missing get_once to initiate the TLS connection
2014-04-09 20:39:33 +02:00
jvazquez-r7
5696e52fac
Fix jabber to field
2014-04-09 13:48:45 -05:00
jvazquez-r7
28a471e446
Land #3221 , @Firefart's fix for pop3 starttls
2014-04-09 13:31:45 -05:00
jvazquez-r7
bea810b5d6
Add jabber fix from @natronkeltner
2014-04-09 13:11:45 -05:00
jvazquez-r7
fdf4776142
Land #3217 , @todb-r7's title fix for Hearbleed module
2014-04-09 12:10:13 -05:00
jvazquez-r7
157fb5a905
Make title more searchable
2014-04-09 12:08:35 -05:00
jvazquez-r7
58f4a1c085
Usee loop do instead or while true
2014-04-09 11:48:45 -05:00
sinn3r
eb9d3520be
Land #3208 - Sophos Web Protection Appliance Interface Authenticated Exec
2014-04-09 11:30:59 -05:00
Tod Beardsley
76a9381b2a
Make the title of the Heartbleed module searchable
...
Right now, the title does not actually tie the Heartbeat check to the
Heartbleed attack, so people searching strictly on module title are not
going to get a hit for this module.
2014-04-09 11:03:01 -05:00
jvazquez-r7
bc36b9ebd6
Delete server side PoCs as referecences because don\'t apply here
2014-04-09 10:58:59 -05:00
jvazquez-r7
fd90203120
Change some variable names to make code reading easier
2014-04-09 10:56:50 -05:00
Christian Mehlmauer
899a7c9ea4
heartbleed bugfix for pop3
2014-04-09 17:51:44 +02:00
Tod Beardsley
062175128b
Update @Meatballs and @FireFart in authors.rb
2014-04-09 10:46:10 -05:00
Tod Beardsley
3849d1517f
Restore author credit
2014-04-09 09:42:39 -05:00
jvazquez-r7
e154d175e8
Add @hmoore-r7's heartbeat client side module
2014-04-09 09:38:11 -05:00
jvazquez-r7
8d38087a10
Fix case / when indention
2014-04-09 09:12:55 -05:00
Christian Mehlmauer
0e0fd20f88
Added RFC link
2014-04-09 15:19:29 +02:00
Christian Mehlmauer
a0a5b9faa1
Fix heartbleed module
...
-) incorrect length read
-) Parse TLS errors
2014-04-09 15:08:24 +02:00
Brandon Perry
8428b37e59
move file to .rb ext
2014-04-09 05:17:14 -07:00
jvazquez-r7
a93e22b5c0
Land #3209 , @Firefart's heartbleed's module fix
2014-04-09 06:38:06 -05:00
Christian Mehlmauer
9c159f0aa3
Land #3210 , typo in openssl_heartbleed
2014-04-09 09:53:06 +02:00
Meatballs
ae3ead6ef9
Land #2107 Post Enum Domain Users
2014-04-09 11:32:12 +01:00
julianvilas
4e7c675f3c
Fix typo, extraquote in message
2014-04-09 10:22:15 +02:00
Christian Mehlmauer
cdfe333572
updated heartbleed module
...
-) Heartbeat length was added twice
-) Use the current date for the TLS client_hello
2014-04-09 09:19:05 +02:00
joev
b4f5784ba2
Land #3147 , @m-1-k-3's mipsbe exec payload.
2014-04-08 22:32:21 -05:00
Brandon Perry
82c9b539ac
Fix disclosure date, earlier than I thought
2014-04-08 21:43:49 -05:00
Brandon Perry
3013704c75
Create sophos_wpa_iface_exec
...
This module exploits both bugs in http://www.zerodayinitiative.com/advisories/ZDI-14-069/
2014-04-08 21:21:43 -05:00
William Vu
dd69a9e5dd
Land #3206 , OpenSSL Heartbleed infoleak
2014-04-08 20:12:00 -05:00
William Vu
5e314f2a7c
Fix outstanding issues
2014-04-08 20:11:28 -05:00
sinn3r
f3086085b6
Land #3204 - MS14-017 Microsoft Word RTF Object Confusion
2014-04-08 18:47:53 -05:00
jvazquez-r7
a4e1d866e1
Favor nil?
2014-04-08 18:21:49 -05:00
jvazquez-r7
153e003e23
Do small fixes
2014-04-08 18:21:09 -05:00
Joe Vennix
fc841331d2
Add a test on echo to check for hex support.
...
* This is much nicer than checking version on userAgent, which
is often changed when rendered in an embedded webview.
2014-04-08 17:58:31 -05:00
jvazquez-r7
39aecb140a
Use the datastore option
2014-04-08 16:55:08 -05:00
jvazquez-r7
496dd944e6
Add support for datastore TLSVERSION
2014-04-08 16:51:50 -05:00
jvazquez-r7
d51aa34437
Use Random generation Time as pointed by @Firefart
2014-04-08 16:46:15 -05:00
jvazquez-r7
d964243cc4
Move heartbeat length to a variable
2014-04-08 16:33:05 -05:00
jvazquez-r7
3d6c553efd
Fix endianess
2014-04-08 16:29:31 -05:00
jvazquez-r7
373b05c5aa
Minimize extensions in the Hello
2014-04-08 16:21:38 -05:00
jvazquez-r7
3254cce832
Align comment
2014-04-08 16:04:38 -05:00
jvazquez-r7
c20b71e7b6
Switch to vprint unless success
2014-04-08 16:03:38 -05:00
jvazquez-r7
7dbd690c99
Add new references
2014-04-08 16:01:06 -05:00
jvazquez-r7
a55579dd4a
Fix references
2014-04-08 15:56:56 -05:00
jvazquez-r7
4004cd8f9a
Allow hello data to grow dinamically
2014-04-08 15:52:39 -05:00
jvazquez-r7
b8e2c9fe42
Clean and fix @Firefart's code
2014-04-08 15:32:13 -05:00
jvazquez-r7
80bdbbed92
Solve conflict
2014-04-08 15:18:38 -05:00
Christian Mehlmauer
8c7debb81d
Added some comments and modified JABBER
2014-04-08 22:13:02 +02:00
jvazquez-r7
021da84459
Add authors and switch and's format
2014-04-08 15:10:27 -05:00
sinn3r
a2b709b20e
Land #3189 - Vtiger Install Unauthenticated Remote Command Execution
2014-04-08 14:58:34 -05:00
sinn3r
4012dd0acc
Fix everything that needs to be fixed
2014-04-08 14:57:42 -05:00
Christian Mehlmauer
9c053a5b91
Added additional protocols
2014-04-08 21:56:05 +02:00
Fabian Bräunlein
8dce80fd30
Added Big Endianess, improved check()-Function
...
Some Fritz!Box devices also run in Big Endianess mode. However, since
"uname -a" always returns "mips" and the "file"-command is not
available, autodetection is not an easy task.
The check()-function now checks, whether the device is really
vulnerable.
Furthemore, it's possible to send 92 bytes.
2014-04-08 21:32:36 +02:00
jvazquez-r7
5f29026cb2
Complete @Firefart's module
2014-04-08 14:13:56 -05:00
Spencer McIntyre
3f6c8afbe3
Fix typo of MSCOMCTL not MCCOMCTL
2014-04-08 14:52:18 -04:00
Spencer McIntyre
85197dffe6
MS14-017 Word RTF listoverridecount memory corruption
2014-04-08 14:44:20 -04:00
Jeff Jarmoc
21b220321f
Fix typo.
...
This isn't a Linksys exploit. Left over wording from a previous exploit?
2014-04-07 18:06:59 -05:00
Tod Beardsley
17ddbccc34
Remove the broken lorcon module set
...
None of the lorcon / lorcon2 modules have been functional for a long
time, due to the lack of a "Lorcon" gem. It's unclear where it went.
I'm happy to include it and get these working again, but until someone
comes up with some functional code (hint: 'gem install' doesn't work) I
don't see any reason to keep shipping these.
Is there some trick people are doing to make these work? As far as I can
see, they are broken by default.
````
msf auxiliary(wifun) > show options
Module options (auxiliary/dos/wifi/wifun):
Name Current Setting Required Description
---- --------------- -------- -----------
CHANNEL 11 yes The initial channel
DRIVER autodetect yes The name of the wireless driver
for lorcon
INTERFACE wlan0 yes The name of the wireless
interface
msf auxiliary(wifun) > run
[*] The Lorcon2 module is not available: cannot load such file --
Lorcon2
[-] Auxiliary failed: RuntimeError Lorcon2 not available
[-] Call stack:
[-]
/home/todb/git/rapid7/metasploit-framework/lib/msf/core/exploit/lorcon2.rb:67:in
`open_wifi'
[-]
/home/todb/git/rapid7/metasploit-framework/modules/auxiliary/dos/wifi/wifun.rb:29:in
`run'
[*] Auxiliary module execution completed
````
2014-04-07 16:37:10 -05:00
jvazquez-r7
fb1318b91c
Land #3193 , @m-1-k-3's exploit for the Fritzbox RCE vuln
2014-04-07 16:13:31 -05:00
jvazquez-r7
ceaa99e64e
Minor final cleanup
2014-04-07 16:12:54 -05:00
Christian Mehlmauer
ac0cafcca6
Initial commit for openssl Heartbleed bug
2014-04-07 21:15:54 +02:00
coma
44640b126c
Add Oracle Demantra 2013-5795 (Database Credentials Retrieval)
2014-04-07 11:42:47 -07:00
silascutler
7b9b20a07e
Corrected Spaces Issues
...
Removed extra spaces on line 23&24
2014-04-07 14:30:52 -04:00
Michael Messner
b1a6b28af9
fixed disclosure date
2014-04-07 19:29:37 +02:00
Michael Messner
003310f18a
feedback included
2014-04-07 19:25:26 +02:00
Tod Beardsley
7572d6612e
Spelling and grammar on new release modules
2014-04-07 12:18:13 -05:00
Michael Messner
85de6ed0c9
feedback included
2014-04-07 18:20:15 +02:00
sinn3r
0c883723ba
Land #3149 - Oracle Demantra Arbitrary File Retrieval with auth bypass
2014-04-07 11:11:55 -05:00
sinn3r
31dfae3a01
Follow the 100 columns per line guideline
2014-04-07 11:10:20 -05:00
sinn3r
de242ecc00
Correct date format
...
Hmm weird, msftidy didn't pick this up
2014-04-07 11:09:27 -05:00
joev
2e4c2b1637
Disable Android 4.0, add arch detection.
...
Android 4.0, it turns out, has a different echo builtin than the other androids.
Until we can figure out how to drop a payload on a 4.0 shell, we cannot support it.
Arch detection allows mips/x86/arm ndkstagers to work, unfortunately
x86 ndkstager was not working, so it is disabled for now.
2014-04-07 09:44:43 -05:00
jvazquez-r7
56bd35c8ce
Add module for WinRAR spoofing vulnerability
2014-04-07 09:21:49 -05:00
Michael Messner
11bbb7f429
fritzbox echo exploit
2014-04-07 09:12:22 +02:00
dummys
ca7dcc0781
cleanup with msftidy
2014-04-06 12:41:58 +02:00
Karmanovskii
5dbd124ef9
Update mybb_get_type_db.rb
2014-04-05 02:53:43 -07:00
Karmanovskii
c035715a71
Update mybb_get_type_db.rb
...
Changed the name of the variable _Version_server on _version_server according to the recommendation of jvazquez-r7
2014-04-05 02:50:53 -07:00
jvazquez-r7
6d72860d58
Land #3004 , @m-1-k-3's linksys moon exploit
2014-04-04 14:04:48 -05:00
jvazquez-r7
0ae75860ea
Code clean up
2014-04-04 14:02:12 -05:00
sinn3r
ea1c6fe8a4
Land #3177 - JIRA Issues Collector Directory Traversal
2014-04-04 10:41:51 -05:00
Spencer McIntyre
395f5beef8
Land #3178 , http header scan module
2014-04-04 11:36:35 -04:00
Spencer McIntyre
2b6ae68cbf
Minor modifications for http_header
2014-04-04 10:46:03 -04:00
jvazquez-r7
e2cbcf3c5d
Land #3179 , @brandonprry AlienVault sqli aux module
2014-04-04 09:17:11 -05:00
jvazquez-r7
ff6105e55d
Add check codes
2014-04-04 09:13:43 -05:00
Brandon Perry
44db611845
defaultoptions, not option
2014-04-04 05:55:35 -07:00
dummys
c90c49e319
Add vtiger install rce 0 day
2014-04-04 10:16:55 +02:00
jvazquez-r7
6f14cd225d
Do minor clean up
2014-04-03 23:22:44 -05:00
William Vu
48ef061c3c
Land #3046 , AIX ibtstat privesc exploit
2014-04-03 17:07:00 -05:00
William Vu
6c67f1881f
Normalize syntax and whitespace
2014-04-03 16:54:33 -05:00
Christian Mehlmauer
253a1c1f87
Land #3180 , EMC Cloud Tiering Appliance Unauthed XXE with root perms
2014-04-03 22:02:13 +02:00
Brandon Perry
a57da00932
fix refs line
2014-04-03 14:07:00 -07:00
Brandon Perry
51f83fccde
add some checks in vase the file wasn't retrievable
2014-04-03 14:04:05 -07:00
sinn3r
03559dedcd
Land #3187 - Changed OptString to OptRegexp
2014-04-03 14:52:59 -05:00
William Vu
d69a9d3c45
Land #3186 , OptString should be OptRegexp
2014-04-03 13:07:23 -05:00
Christian Mehlmauer
d995d84e91
Changed OptString to OptRegexp
2014-04-03 19:40:07 +02:00
Christian Mehlmauer
b4aa08251f
changed option from string to regex
2014-04-03 19:34:40 +02:00
Brandon Perry
e2ded663a6
make more robust
2014-04-03 06:15:09 -07:00
Brandon Perry
53b8148438
make more random
2014-04-03 05:52:35 -07:00
Brandon Perry
77b64ee77d
make more random
2014-04-03 05:41:00 -07:00
Joe Vennix
55500ea2f3
Avoid the nullchar.
2014-04-02 21:53:12 -05:00
Joe Vennix
176cc84865
Remove BES and calculate the pid manually.
2014-04-02 17:21:13 -05:00
Christian Mehlmauer
4bf6481242
Added regex option to validate options
2014-04-02 23:51:33 +02:00
Christian Mehlmauer
a4adfac312
Added feedback for http_header module
2014-04-02 23:01:23 +02:00
Brandon Perry
75dc4c459b
msftidy
2014-04-02 13:22:21 -07:00
Brandon Perry
bb82277a41
msftidy
2014-04-02 13:20:13 -07:00
Brandon Perry
abc0b31f26
exploithub wat
2014-04-02 13:18:48 -07:00
jvazquez-r7
577bd7c855
Land #3146 , @wchen-r7's flash version detection code
2014-04-02 15:13:41 -05:00
Brandon Perry
765657d55a
alienvault module
2014-04-02 13:09:46 -07:00
Brandon Perry
d3f353118a
edb update
2014-04-02 13:06:54 -07:00
Brandon Perry
32cd846fe4
emc cta xxe module
2014-04-02 13:05:53 -07:00
Christian Mehlmauer
69192edd4b
Added new http_header module
2014-04-02 22:04:54 +02:00
jvazquez-r7
a85d451904
Add module for CVE-2014-2314
2014-04-02 14:49:31 -05:00
agix
4a575d57ab
Try to fix Meatballs1 suggestions : optional service_description change call
2014-04-02 20:33:09 +01:00
agix
b636a679ae
Erf, sorry, fixed now
2014-04-02 20:33:08 +01:00
agix
631a7b9c48
Adapt to new psexec mixin (first try :D)
2014-04-02 20:33:08 +01:00
Florian Gaultier
978bdbb676
Custom Service Description
2014-04-02 20:33:07 +01:00
sinn3r
e3dda2e862
Land #3172 - CVE-2014-1510 to firefox_xpi_bootstrapped_addon
2014-04-02 14:07:37 -05:00
joev
ebcf972c08
Add initial firefox xpi prompt bypass.
2014-04-01 23:48:35 -05:00
coma
149948485a
Add CVE-2013-5877+CVE-2013-5880 for Oracle Demantra fixed issues
2014-04-01 12:28:41 -07:00
silascutler
3788f136d9
Update es_enum.rb
...
Updated based on comments.
2014-04-01 11:43:15 -04:00
Sagi Shahar
8611526a01
Fix more bugs and more syntax errors
2014-04-01 01:22:12 +02:00
Sagi Shahar
becefde52f
Fix bugs and syntax
2014-04-01 00:54:51 +02:00
William Vu
cf2589ba8d
Land #3162 , Microsoft module name changes
2014-03-28 23:10:27 -05:00
sinn3r
d7ca537a41
Microsoft module name changes
...
So after making changes for MSIE modules (see #3161 ), I decided to
take a look at all MS modules, and then I ended up changing all of
them. Reason is the same: if you list modules in an ordered list
, this is a little bit easier to see for your eyes.
2014-03-28 20:56:53 -05:00
sinn3r
466096f637
Add MSB number to name
2014-03-28 20:33:40 -05:00
Karmanovskii
b11df0eaf0
Update and rename myBB_GetTypeDB.rb to mybb_get_type_db.rb
2014-03-28 16:47:49 -07:00
William Vu
c37dbd104a
Clean up perms and whitespace for owa_login
2014-04-02 01:45:15 -05:00
Tod Beardsley
2972220f60
Land #3047 for real.
...
Merge branch 'land-3047-really' into upstream-master
2014-04-01 13:16:13 -05:00
sinn3r
367652592c
Land #2964 - Powershell CMD Encoder
2014-04-01 10:26:38 -05:00
William Vu
f9a7cfaa67
Land #3168 , EICAR payload encoding
2014-04-01 09:17:10 -05:00
Spencer McIntyre
dfec2eb53f
Cleanup an expression and avoid fail_with
2014-03-31 18:05:20 -04:00
Spencer McIntyre
07e04717c2
Allow using a single URI and/or a list of URIs
2014-03-31 18:05:20 -04:00
Joshua Smith
b21d5c1801
use TARGET_URI if given, otherwise TARGET_URIS_FILE
2014-03-31 18:05:20 -04:00
Spencer McIntyre
5e9e7e15c8
Return whether result is nil or not.
2014-03-31 18:05:20 -04:00
Spencer McIntyre
0ac112b5e7
Support checking a single URI for ntlm information.
2014-03-31 18:05:19 -04:00
Tod Beardsley
fb20759fc2
Comment doc speelling
2014-03-31 16:42:50 -05:00
Tod Beardsley
6474c7be5c
Land #3166 and also #3167
...
[Closes #3167 ]
2014-03-31 16:21:07 -05:00
William Vu
3b6d73420e
Fix syntax error in dns_amp
2014-03-31 16:18:49 -05:00
William Vu
d9df2fbf08
Land #3158 , msftidy rank check for aux modules
2014-03-31 15:17:30 -05:00
Joshua Smith
159bc264a4
unretards the uri normalize loop
2014-03-31 15:58:21 -04:00
Joshua Smith
2290249a42
uses fail_with to bomb out on datastore probs
2014-03-31 15:52:05 -04:00
Joshua Smith
4f121e3e03
fixes if-logic for error condition
2014-03-31 15:38:05 -04:00
Tod Beardsley
894bbcae97
More fix-up on the DNS amplication scanner
2014-03-31 14:37:10 -05:00
Tod Beardsley
4d597174d0
Merge up from upstream/master
2014-03-31 14:33:28 -05:00
William Vu
387da26f8d
Land #3159 , HP LaserJet printer SNMP enumeration
2014-03-31 12:48:23 -05:00
William Vu
c6ceb8cdfd
Land #2929 , DNS recursion amplification scanner
2014-03-31 12:47:46 -05:00
William Vu
aaa15d13d9
Land #2928 , extended SMTP open relay checks
2014-03-31 12:47:10 -05:00
Tod Beardsley
ffdca3bf42
Fixup on some modules for release
...
There may be more coming, but if not, this should cover
this week's minor style changes.
2014-03-31 12:42:19 -05:00
Joshua Smith
2530fb9741
adds the return back in (forgot in prev commit)
2014-03-28 19:27:04 -04:00
Joshua Smith
dc4b8461e8
unbreaks & DRYs my previous change.
2014-03-28 19:15:38 -04:00
Matteo Cantoni
c559a6b39f
fix description
...
(cherry picked from commit 7c860b9553
)
2014-03-28 17:36:21 -05:00
Matteo Cantoni
ae53d75cdb
Module to HP LaserJet Printer SNMP Enumeration
...
(cherry picked from commit f18fef1864
)
2014-03-28 17:36:21 -05:00
William Vu
2344a9368e
Fix warnings generated by #3158
...
Keeping ManualRanking for DoS modules.
2014-03-31 12:35:15 -05:00
kenkeiras
3a4f983a6f
Add CVE 2006-5229 reference
2014-03-28 22:35:19 +01:00
jvazquez-r7
9374777da1
Land #2996 , @mcantoni's jboss status aux module
2014-03-28 16:07:08 -05:00
jvazquez-r7
7689751c10
Module module location
2014-03-28 16:05:37 -05:00
jvazquez-r7
e3ec0e7624
Clean up jboss_status module
2014-03-28 16:04:43 -05:00
sinn3r
a173fcf2fa
Flash detection for firefox_svg_plugin
...
Good test case
2014-03-28 15:39:25 -05:00
jvazquez-r7
f7b1874e7d
Land #3151 , @wchen-r7's use of BrowserExploitServer in ms13-59's exploit
2014-03-28 14:43:38 -05:00
jvazquez-r7
69369c04b3
Land #3126 , @xistence's exploit for SePortal
2014-03-28 13:52:59 -05:00
jvazquez-r7
7b56c9edac
Add references
2014-03-28 13:51:56 -05:00
Tod Beardsley
196e07c5b1
Touch up the EICAR stuff
2014-03-28 11:45:28 -05:00
kenkeiras
bca0d603ef
SSH user enumeration script
2014-03-28 16:23:52 +01:00
Christian Mehlmauer
94494e38e7
Land #3152 - Use normalize_uri for module wp_property_upload_exec
2014-03-28 13:22:54 +01:00
William Vu
5458200434
Fix a couple minor annoyances in PJL
2014-03-28 02:19:30 -05:00
William Vu
c1fdc4d945
Fix a couple things that were bugging me
2014-03-28 02:15:38 -05:00
Michael Messner
657b096be3
make msftidy happy
2014-03-27 19:24:25 +01:00
sinn3r
f4e62a8dcd
Land #3146 - Firefox Gather Cookies from Privileged Javascript Shell
2014-03-27 13:14:22 -05:00
sinn3r
0b3f49f22a
Land #3145 , Clean up firefox_svg_plugin, use FirefoxPrivilegeEscalation mixin
2014-03-27 12:59:49 -05:00
Kurt Grutzmacher
0b766cd412
changes per firefart
2014-03-27 10:08:44 -07:00
Michael Messner
ad94653fc0
feedback included
2014-03-27 16:12:34 +01:00
Kurt Grutzmacher
744308bd35
tab...
2014-03-27 05:24:55 -07:00
Kurt Grutzmacher
a8c96213f0
normalize_uri for wp_property_upload_exec
2014-03-27 05:22:56 -07:00
coma
107901b481
Add CVE-2013-5877+CVE-2013-5880 for Oracle Demantra msftidy fix
2014-03-26 22:37:21 -07:00
coma
30da3575e8
Add CVE-2013-5877+CVE-2013-5880 for Oracle Demantra
2014-03-26 21:53:12 -07:00
sinn3r
8ec10f7438
Use BrowserExploitServer for MS13-059 module
2014-03-26 17:49:01 -05:00
Michael Messner
4319885420
we do not need pieces ...
2014-03-26 20:45:30 +01:00
jvazquez-r7
19918e3207
Land #3143 , @wchen-r7's switch to BrowserExploitServer on ie_setmousecapture_uaf
2014-03-26 14:16:35 -05:00
jvazquez-r7
7ce71445fe
Land #3140 , @wchen-r7's requirements for ms14_012_textrange
2014-03-26 14:07:05 -05:00
Joe Vennix
b7f1cee8d3
Remove targets from post module.
2014-03-26 13:55:02 -05:00
Joe Vennix
ed8bf6279b
Use #run, not #exploit, for post modules.
2014-03-26 13:51:05 -05:00
Joe Vennix
6c51e0fd0d
Add cookie gathering post module for FF privileged sessions.
2014-03-26 13:49:53 -05:00
Michael Messner
3fc114e265
exec payload - new try
2014-03-26 19:48:14 +01:00
Joe Vennix
80808fc98c
Cleans up firefox SVG plugin.
2014-03-26 13:12:39 -05:00
Tod Beardsley
5b8d8d8009
Get Pro and Framework back in sync.
2014-03-26 09:25:19 -05:00
sinn3r
fdc355147f
Use BrowserExploitServer mixin for ie_setmousecapture_uaf.rb
2014-03-25 18:41:47 -05:00
William Vu
cd448ba46c
Land #3132 , ntp_monlist improvements
2014-03-25 15:19:45 -05:00
Joe Vennix
33651d0753
Fix formatting of hash options.
2014-03-25 14:43:53 -05:00
Joe Vennix
c8784168d5
Fix references and whitespace in mips payloads.
2014-03-25 14:39:27 -05:00
William Vu
1c4797337f
Clean up rapid7/metasploit-framework#3132
2014-03-25 14:04:43 -05:00
jvazquez-r7
c72c96f0e0
Land #3138 , @rcvalle's exploit for CVE-2013-2143
2014-03-25 13:36:03 -05:00
jvazquez-r7
d83f665466
Delete commas
2014-03-25 13:34:02 -05:00
sinn3r
6c206e4ced
Add a comment about what this build version range is covering
2014-03-25 11:43:13 -05:00
sinn3r
7108d2b90a
Add ua_ver and mshtml_build requirements
...
This vulnerability is specific to certain builds of IE9.
2014-03-25 11:35:35 -05:00
joev
1ac3944627
Merge branch 'landing-pr-3095' into upstream-master
2014-03-25 10:56:42 -05:00
joev
1680f9cc5d
Land PR #3127 , @m-1-k-3's mipsbe reboot payload, into master
2014-03-25 10:44:37 -05:00
Ramon de C Valle
e27adf6366
Fix msftidy warnings
2014-03-25 10:39:40 -03:00
Michael Messner
50efd0b5d0
change name and filename and file included
2014-03-25 09:13:04 +01:00
Michael Messner
a9952fa294
change name and filename
2014-03-25 09:11:16 +01:00
Michael Messner
fca4425f95
feedback
2014-03-25 09:09:13 +01:00
Ramon de C Valle
473f745c3c
Add katello_satellite_priv_esc.rb
...
This module exploits a missing authorization vulnerability in the
"update_roles" action of "users" controller of Katello and Red Hat
Satellite (Katello 1.5.0-14 and earlier) by changing the specified
account to an administrator account.
2014-03-24 23:44:44 -03:00
sinn3r
0c3a535434
Land #3133 - LifeSize UVC Authenticated RCE via Ping
2014-03-24 21:16:10 -05:00
sinn3r
53b25c8c93
Fix header & author e-mail format
2014-03-24 21:15:27 -05:00
Brandon Perry
d2a9a26bc8
real fix for sinn3r bug
2014-03-24 18:40:48 -05:00
Brandon Perry
ec35f4b13f
some bugs for sinn3r
2014-03-24 18:17:50 -05:00
Karmanovskii
0b51e7459c
Update myBB_GetTypeDB.rb
...
I have added detection MyBB forum.
2014-03-24 12:19:51 -07:00
Brandon Turner
460a1f551c
Fix for R7-2014-05
2014-03-24 14:12:12 -05:00
Tod Beardsley
cfdd64d5b1
Title, description grammar and spelling
2014-03-24 12:16:59 -05:00
Tod Beardsley
cd9182c77f
Msftidy warning fix on Joomla module.
...
Pre-commit hooks people.
2014-03-24 12:03:12 -05:00
jvazquez-r7
c7ba7e4d92
Land #3131 , @xistence's exploit for CVE-2014-1903
2014-03-24 08:48:06 -05:00
jvazquez-r7
c3b753f92e
Make PHPFUNC advanced option
2014-03-24 08:47:31 -05:00
jvazquez-r7
4f333d84c9
Clean up code
2014-03-24 08:15:54 -05:00
Tim
25ca0552e0
cleanup files after exploit
2014-03-23 17:00:29 +00:00
Tim
f9972239cf
randomize payload filename
2014-03-23 16:36:26 +00:00
Brandon Perry
d6f397ab6d
whoops that isn't how you EDB
2014-03-22 11:48:41 -05:00
Brandon Perry
291692d6e0
Update lifesize_uvc_ping_rce.rb
2014-03-22 11:30:00 -05:00
Brandon Perry
67a3a7227b
Create lifesize_uvc_ping_rce.rb
2014-03-21 21:33:12 -05:00
Joshua Smith
312f117262
updates file read to close file more quickly
2014-03-21 14:53:15 -04:00
sinn3r
13f5c22536
Land #3129 - Fix 2782 with 2961 and stop stack-tracing download_exec
2014-03-21 11:36:59 -05:00
Matteo Cantoni
4b2a2d4dea
Improve NTP monlist auxiliary module
2014-03-21 16:39:53 +01:00
Matteo Cantoni
fbcd661504
removed snmp_enum_hp_laserjet from this pull request
2014-03-21 15:58:53 +01:00
xistence
c4f0d8e179
FreePBX config.php RCE CVE-2014-1903
2014-03-21 10:29:15 +07:00
Spencer McIntyre
aa26405c23
Cleanup an expression and avoid fail_with
2014-03-20 17:33:09 -04:00
sinn3r
b02337d8b6
Land #3123 - Horde Framework Unserialize PHP Code Execution
2014-03-20 12:32:14 -05:00
Tod Beardsley
3d3681801a
Fix linux download_exec for #2961
...
Note! This module already seems pretty broken, in that it doesn't appear
to correctly locate curl or wget. Will open another bug on that.
[See RM #8777 ]
2014-03-20 12:09:38 -05:00
sinn3r
0c4b71c8bf
Land #3094 - Joomla weblinks-categories Unauth SQLI Arbitrary File Read
2014-03-20 12:08:18 -05:00
sinn3r
93ad818358
Fix header and e-mail format for author
2014-03-20 12:07:50 -05:00
jvazquez-r7
a5afd929b4
Land #3120 , @wchen-r7's exploit for CVE-2014-0307
2014-03-20 11:16:40 -05:00
jvazquez-r7
8cb7bc3cbe
Fix typo
2014-03-20 11:13:57 -05:00
Spencer McIntyre
74398c4b6e
Allow using a single URI and/or a list of URIs
2014-03-20 09:54:02 -04:00
Michael Messner
4f1404eecc
reboot payload for mipsbe
2014-03-20 12:37:58 +01:00
xistence
2845f834c6
changed cookie retrieval to res.get_cookies
2014-03-20 16:39:26 +07:00
xistence
7bfb8e95e6
minor changes to seportal module
2014-03-20 13:44:39 +07:00
xistence
5ef49ff64b
SePortal 2.5 SQLi Remote Code Execution
2014-03-20 12:02:06 +07:00
Joshua Smith
a8d919feb0
use TARGET_URI if given, otherwise TARGET_URIS_FILE
2014-03-19 23:32:04 -05:00
sinn3r
c5158a3ccc
Update CVE
2014-03-19 22:13:23 -05:00
Brandon Perry
9b2cfb6c84
change default targeturi to something more universal
2014-03-19 21:03:50 -05:00
Brandon Perry
b52a535609
add official url
2014-03-19 20:41:32 -05:00
Brandon Perry
ab42cb1bff
better error handling for the user
2014-03-19 18:46:57 -05:00
William Vu
b79920ba8f
Land #3089 , InvalidWordCount fix for smb_login
...
[FixRM #8730 ]
2014-03-19 16:12:56 -05:00
Tod Beardsley
c1cbeff5f0
Land #3122 , lots of Meterpreter updates
...
This lands the binaries built from Meterpreter as of:
rapid7/meterpreter#80 , also known as
commit 5addac75741fadfff35f4f7839cee6fd69705455
as well as the functional changes in:
rapid7/metasploit-framework#2782
rapid7/metasploit-framework#2889
rapid7/metasploit-framework#3061
rapid7/metasploit-framework#3085
2014-03-19 15:35:49 -05:00
sinn3r
fe0b76e24e
Land #2994 - OWA 2013 support
2014-03-19 13:16:37 -05:00
jvazquez-r7
d6faf20981
Make title more accurate
2014-03-19 12:43:34 -05:00
jvazquez-r7
144b86fee3
Add reference
2014-03-19 12:17:53 -05:00
jvazquez-r7
27d142b387
Solve conflict by keeping file
2014-03-19 12:15:05 -05:00
jvazquez-r7
fb645b6692
Clean code
2014-03-19 12:06:20 -05:00
jvazquez-r7
0a795ab602
Land #3106 , @xistence's exploit for Array Networks devices
2014-03-19 10:49:03 -05:00
jvazquez-r7
0e27d75e60
Code clean up
2014-03-19 10:48:25 -05:00
Brandon Perry
2ef2f9b47c
use vars_get
2014-03-19 07:51:34 -07:00
Brandon Perry
920b2da720
Merge branch 'master' into joomla_sqli
2014-03-19 07:43:32 -07:00
Tod Beardsley
d27264b402
Land #2782 , fix expand_path abuse
2014-03-19 08:41:28 -05:00
xistence
056ce5d097
removed file which did not belong in this pull request
2014-03-19 15:04:19 +07:00
sinn3r
2e76faa076
Add MS14-012 Internet Explorer Use-After-Free Exploit Module
...
Add MS14-012 IE UAF.
2014-03-18 17:55:56 -05:00
jvazquez-r7
379c0efd5a
Update POP chain documentation
2014-03-18 16:29:30 -05:00
jvazquez-r7
77c128fbc5
Fix disclosure date and add ref
2014-03-18 16:21:44 -05:00
jvazquez-r7
b6e8bb62bb
Switch exploitation technique to use default available classes
2014-03-18 16:07:50 -05:00
William Vu
dfd3a81566
Land #3111 , hash rockets shouldn't be in refs
2014-03-18 14:25:04 -05:00
silascutler
d361597104
Update es_enum.rb
2014-03-18 09:20:04 -04:00
jvazquez-r7
38176ad67d
Land #3109 , @xistence's Loadbalancer.org Enterprise VA applicance exploit
2014-03-18 06:53:26 -05:00
jvazquez-r7
ddd923793a
Do minor clean up
2014-03-18 06:52:50 -05:00
jvazquez-r7
ad49df4301
Register RHOST
2014-03-18 06:17:41 -05:00
jvazquez-r7
600338bd29
Land #3108 , @xistence's exploit for Quantum vmPRO shell-escape
2014-03-18 06:12:18 -05:00
jvazquez-r7
f656e5fedb
Do minor clean up
2014-03-18 06:11:02 -05:00
jvazquez-r7
f86fd8af5d
Delete debug print
2014-03-17 21:01:41 -05:00
jvazquez-r7
3bdd906aae
Add module for CVE-2014-1691
2014-03-17 20:47:45 -05:00
Tod Beardsley
8f2124f5da
Minor updates for release
...
Fixes some title/desc action.
Adds a print_status on the firefox module so it's not just silent.
Avoids the use of "puts" in the description b/c this freaks out msftidy
(it's a false positive but easily worked around).
2014-03-17 13:26:26 -05:00
silascutler
ad4c354460
Update es_enum.rb
...
Corrected changes from dev module
2014-03-17 13:38:33 -04:00
Silas Cutler
975c2adbad
Fixed spaces issues
2014-03-17 13:34:45 -04:00
Silas Cutler
b032f2c270
Added Elastic Search Enum
2014-03-17 13:31:24 -04:00
Tod Beardsley
c916b62f47
Removes hash rockets from references.
...
[SeeRM #8776 ]
2014-03-17 09:40:32 -05:00
xistence
8fdb5250d4
changes to smtp relay aux module
2014-03-17 15:09:29 +07:00
xistence
9bb4e5cfc3
Loadbalancer.org Enterprise VA SSH privkey exposure
2014-03-17 14:22:51 +07:00
xistence
c116697c70
Quantum vmPRO backdoor command
2014-03-17 14:19:27 +07:00
xistence
ef4a019b20
Quantum DXi V1000 SSH private key exposure
2014-03-17 14:15:00 +07:00
xistence
e261975c34
Array Networks vxAG and vAPV SSH key and privesc
2014-03-17 14:11:16 +07:00
xistence
1043d9d8b2
Array Networks vxAG and vAPV SSH key and privesc
2014-03-17 14:06:55 +07:00
Daniel Miller
0b6a890137
Fix missing require in reverse_powershell
...
When initializing the db:
/opt/metasploit-framework/modules/payloads/singles/cmd/windows/reverse_powershell.rb:34:in `initialize': uninitialized constant Msf::Handler::ReverseTcp (NameError)
from /opt/metasploit-framework/lib/msf/core/payload_set.rb:198:in `new'
from /opt/metasploit-framework/lib/msf/core/payload_set.rb:198:in `add_module'
from /opt/metasploit-framework/lib/msf/core/module_manager/loading.rb:72:in `on_module_load'
from /opt/metasploit-framework/lib/msf/core/modules/loader/base.rb:207:in `load_module'
from /opt/metasploit-framework/lib/msf/core/modules/loader/base.rb:271:in `block in load_modules'
from /opt/metasploit-framework/lib/msf/core/modules/loader/directory.rb:58:in `block (2 levels) in each_module_reference_name'
from /opt/metasploit-framework/lib/rex/file.rb:127:in `block in find'
from /opt/metasploit-framework/lib/rex/file.rb:126:in `catch'
from /opt/metasploit-framework/lib/rex/file.rb:126:in `find'
from /opt/metasploit-framework/lib/msf/core/modules/loader/directory.rb:45:in `block in each_module_reference_name'
from /opt/metasploit-framework/lib/msf/core/modules/loader/directory.rb:29:in `foreach'
from /opt/metasploit-framework/lib/msf/core/modules/loader/directory.rb:29:in `each_module_reference_name'
from /opt/metasploit-framework/lib/msf/core/modules/loader/base.rb:264:in `load_modules'
from /opt/metasploit-framework/lib/msf/core/module_manager/loading.rb:118:in `block in load_modules'
from /opt/metasploit-framework/lib/msf/core/module_manager/loading.rb:116:in `each'
from /opt/metasploit-framework/lib/msf/core/module_manager/loading.rb:116:in `load_modules'
from /opt/metasploit-framework/lib/msf/core/module_manager/module_paths.rb:56:in `block in add_module_path'
from /opt/metasploit-framework/lib/msf/core/module_manager/module_paths.rb:55:in `each'
from /opt/metasploit-framework/lib/msf/core/module_manager/module_paths.rb:55:in `add_module_path'
from /opt/metasploit-framework/lib/msf/base/simple/framework/module_paths.rb:14:in `init_module_paths'
from /opt/metasploit-framework/lib/msf/ui/console/driver.rb:228:in `initialize'
from /opt/metasploit-framework/msfconsole:148:in `new'
from /opt/metasploit-framework/msfconsole:148:in `<main>'
2014-03-14 19:28:00 +00:00
David Maloney
da0c37cee2
Land #2684 , Meatballs PSExec refactor
2014-03-14 13:01:20 -05:00
OJ
409787346e
Bring build tools up to date, change some project settings
...
This commit brings the source into line with the general format/settings
that are used in other exploits.
2014-03-14 22:57:16 +10:00
Brandon Perry
a01dd48640
a bit better error message if injection works but no file
2014-03-13 13:38:43 -07:00
Brandon Perry
b0688e0fca
clarify LOAD_FILE perms in description
2014-03-13 13:11:27 -07:00
sinn3r
243fa4f56a
Land #2910 - MPlayer Lite M3U Buffer Overflow
2014-03-13 14:13:17 -05:00
sinn3r
e832be9eeb
Update description and change ranking
...
The exploit requires the targeted user to open the malicious in
specific ways.
2014-03-13 14:09:37 -05:00
sinn3r
6e37493471
Land #3091 - native shellcode payloads from a FF privileged js shell
2014-03-13 13:36:37 -05:00
Michael Messner
8db5d854c2
typo, null terminator
2014-03-13 18:38:27 +01:00
Joe Vennix
952b50f8c1
Add priv escalation mixin to the firefox local exploit.
2014-03-13 11:49:44 -05:00
Brandon Perry
2734b89062
update normalize_uri calls
2014-03-13 06:55:15 -07:00
William Vu
5aad8f2dc3
Land #3088 , SNMP timestamp elements fix
2014-03-13 02:22:14 -05:00
Brandon Perry
7540dd83eb
randomize markers
2014-03-12 20:11:55 -05:00
Brandon Perry
3fedafb530
whoops, extra char
2014-03-12 19:54:58 -05:00
Brandon Perry
aa00a5d550
check method
2014-03-12 19:47:39 -05:00
Michael Messner
f39e784d19
mipsle execve payload
2014-03-12 21:08:40 +01:00
Brandon Perry
9cb1c1a726
whoops, typoed the markers
2014-03-12 10:58:34 -07:00
Brandon Perry
6636d43dc5
initial module
2014-03-12 10:46:56 -07:00
kyuzo
41720428e4
Refactoring exploit and adding build files for dll.
2014-03-12 10:25:52 +00:00
Joe Vennix
facd743f1f
Oops. Add missing dir to dalvikstager path.
2014-03-11 19:48:39 -05:00
Tod Beardsley
206660ddde
Recreate the intent of cfebdae from @parzamendi-r7
...
The idea was to rescue on a NoReply instead of just fail, and was part
of a fix in #2656 .
[SeeRM #8730 ]
2014-03-11 14:30:01 -05:00
sho-luv
f7af9780dc
Rescue InvalidWordCount error
...
This is a cherry-pick of commit ea86da2 from PR #2656
2014-03-11 14:17:36 -05:00
William Vu
517f264000
Add last chunk of fixes
2014-03-11 12:46:44 -05:00
James Lee
f51ee2d6b4
snmp_enum: Treat missing timestamp elements as 0
...
Timestamps don't always have all the elements we expect. This treats
them as zeroes to ensure that we don't raise silly exceptions in that
case.
2014-03-11 12:44:07 -05:00
William Vu
25ebb05093
Add next chunk of fixes
...
Going roughly a third at a time.
2014-03-11 12:23:59 -05:00
Joe Vennix
15b1a5931c
Remove extra resources from android reverse_http(s).
2014-03-11 11:56:05 -05:00
William Vu
170608e97b
Fix first chunk of msftidy "bad char" errors
...
There needs to be a better way to go about preventing/fixing these.
2014-03-11 11:18:54 -05:00
Joe Vennix
5c2168513a
Update path in #dalvikstager.
2014-03-11 11:03:36 -05:00
OJ
3ea3968d88
Merge branch 'upstream/master' into stop_abusing_expand_path
...
Conflicts:
lib/msf/core/post/windows/shadowcopy.rb
modules/exploits/windows/local/bypassuac.rb
modules/post/windows/gather/wmic_command.rb
modules/post/windows/manage/persistence.rb
2014-03-11 23:13:39 +10:00
Tim
c76924e946
native jni stager
2014-03-10 21:50:00 -05:00
Tim
4f31eba7f4
android payload golf
2014-03-10 21:50:00 -05:00
AnwarMohamed
ad8b0ef3d1
using http(s)://LHOST:LPORT
2014-03-10 21:50:00 -05:00
AnwarMohamed
b45524ecdd
generate cert @ payload/dalvik.rb
2014-03-10 21:50:00 -05:00
AnwarMohamed
99cc94e6fc
moving string_sub() to payload/dalvik.rb
2014-03-10 21:49:59 -05:00
AnwarMohamed
dc8992924f
android reverse_http/s
2014-03-10 21:49:59 -05:00
joev
46c11ea2eb
Small fixes to m-1-k-3's mipsle reboot shellcode.
2014-03-10 17:17:23 -05:00
joev
7da54eb9cf
Merge branch 'landing-3041' into upstream-master
...
Lands PR #3041 , @m-1-k-3's reboot shellcode.
2014-03-10 17:11:06 -05:00
Tod Beardsley
2086224a4c
Minor fixes. Includes a test module.
2014-03-10 14:49:45 -05:00
Tod Beardsley
26be236896
Pass MSFTidy please
2014-03-10 14:45:56 -05:00
jvazquez-r7
8cfa5679f2
More nick instead of name
2014-03-10 16:12:44 +01:00
jvazquez-r7
bc8590dbb9
Change DoS module location
2014-03-10 16:12:20 +01:00
jvazquez-r7
1061036cb9
Use nick instead of name
2014-03-10 16:11:58 +01:00
Tod Beardsley
5485028501
Add 3 Yokogawa SCADA vulns
...
These represent our part for public disclosure of the issues listed
here:
http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf
Yokogawa is calling these YSAR-14-0001E, and I think that they map
thusly:
YSAR-14-0001E Vulnerability 1 :: R7-2013-19.1
YSAR-14-0001E Vulnerability 2 :: R7-2013-19.3
YSAR-14-0001E Vulnerability 3 :: R7-2013-19.4
@jvazquez-r7 if you could confirm, I'd be delighted to land these and
get your disclosure blog post published at:
https://community.rapid7.com/community/metasploit/blog/2014/03/10/yokogawa-centum-cs3000-vulnerabilities
Thanks for all the work on these!
2014-03-10 09:33:54 -05:00
root
3c95c021d0
Reference added
2014-03-10 12:17:20 +01:00
root
1fda6b86a1
Changed cmp eax by inc eax. Saved one byte
2014-03-10 12:13:10 +01:00
sinn3r
e32ff7c775
Land #3077 - Allow TFTP server to take a host/port argument
2014-03-08 00:58:52 -06:00
Karmanovskii
6d748f49d3
Update myBB_GetTypeDB.rb
...
1.I added comment header;
2.I made a link to your account as a comment;
3.I added a link https://github.com/rapid7/metasploit-framework/pull/3070
Items 2 and 3 on the advice wchen-r7
2014-03-07 10:49:30 -08:00
Tod Beardsley
151e2287b8
OptPath, not OptString.
2014-03-07 10:52:45 -06:00
Tod Beardsley
5cf1f0ce4d
Since dirs are required, server will send/recv
...
This does change some of the meaning of the required-ness of the
directories. Before, if you wanted to serve files, but not receive any,
you would just fail to set a OUTPUTPATH.
Now, since both are required, users are required to both send and
recieve. This seems okay, you can always just set two different
locations and point the one you don't want at /dev/null or something.
2014-03-07 10:49:11 -06:00
Tod Beardsley
37fa4a73a1
Make the path options required and use /tmp
...
Otherwise it's impossible to run this module without setting the options
which were not otherwise validated anyway.
2014-03-07 10:41:18 -06:00
sinn3r
c76a1ab9f4
Land #3065 - Safari User-Assisted Download & Run Attack
2014-03-07 10:29:56 -06:00
Spencer McIntyre
ebee365fce
Land #2742 , report_vuln for MongoDB no auth
2014-03-06 19:34:45 -05:00
Spencer McIntyre
84f280d74f
Use a more descriptive MongoDB vulnerability title
2014-03-06 19:20:52 -05:00
Tod Beardsley
8a0531650c
Allow TFTP server to take a host/port argument
...
Otherwise you will tend to listen on your default ipv6 'any' address and
bound to udp6 port 69, assuming you haven't bothered to disable your
automatically-enabled ipv6 stack.
This is almost never correct.
2014-03-06 16:13:20 -06:00
Joe Vennix
9638bc7061
Allow a custom .app bundle.
...
* adds a method to Rex::Zip::Archive to allow recursive packing
2014-03-06 16:11:30 -06:00
Joe Vennix
5abb442757
Adds more descriptive explanation of 10.8+ settings.
2014-03-06 15:15:27 -06:00
kyuzo
257c121c75
Adding MS013-058 for Windows7 x86
2014-03-06 20:34:01 +00:00
Joe Vennix
43d315abd5
Hardcode the platform in the safari exploit.
2014-03-06 13:04:47 -06:00
kyuzo
2a1e96165c
Adding MS013-058 for Windows7 x86
2014-03-06 18:39:34 +00:00
Karmanovskii
162527c0e4
Update and rename modules/auxiliary/analyze/myBB_GetTypeDB.rb to modules/auxiliary/gather/myBB_GetTypeDB.rb
...
Minor changes and bug: "Msf :: Auxiliary" - forgot to change
2014-03-06 09:43:23 -08:00
Brendan Coles
df2bdad4f9
Include 'msf/core/exploit/powershell'
...
Prevent:
```
[-] /pentest/exploit/metasploit-framework/modules/exploits/windows/misc/hp_dataprotector_exec_bar.rb: NameError uninitialized constant Msf::Exploit::Powershell
```
2014-03-06 12:57:43 +11:00
Joe Vennix
38a2e6e436
Minor fixes.
2014-03-05 19:03:54 -06:00
Joe Vennix
dca807abe9
Tweaks for BES.
2014-03-05 19:00:15 -06:00
Joe Vennix
12cf5a5138
Add BES, change extra_plist -> plist_extra.
2014-03-05 18:51:42 -06:00
sinn3r
9d0743ae85
Land #3030 - SolidWorks Workgroup PDM 2014 pdmwService.exe Arbitrary File Write
2014-03-05 16:34:54 -06:00
bcoles
1ea35887db
Add OSVDB reference
2014-03-06 01:40:15 +10:30
jvazquez-r7
4e9350a82b
Add module for ZDI-14-008
2014-03-05 03:25:13 -06:00
Joe Vennix
cd3c2f9979
Move osx-app format to EXE.
2014-03-04 22:54:00 -06:00
OJ
a1aef92652
Land #2431 - In-memory bypass uac
2014-03-05 11:15:54 +10:00
sinn3r
7cb6e7e261
Land #3057 - MantisBT Admin SQL Injection Arbitrary File Read
2014-03-04 17:52:29 -06:00
sinn3r
f0e97207b7
Fix email format
2014-03-04 17:51:24 -06:00
Joe Vennix
32c27f6be0
Tweak timeouts.
2014-03-04 17:16:23 -06:00
Joe Vennix
40047f01d3
Adds Safari User Assisted download launch module.
2014-03-04 17:02:51 -06:00
sinn3r
caaa419ef8
Land #3054 - Fix crash in osx/x64/exec on 10.9 Mavericks
2014-03-04 15:24:02 -06:00
Brandon Perry
c86764d414
update default password to root
2014-03-04 11:55:30 -08:00
Brandon Perry
2b06791ea6
updates regarding PR comments
2014-03-04 10:08:31 -08:00
William Vu
e30238fe0d
Land #3062 , unused arg fix for vmware_mount
2014-03-04 11:37:41 -06:00
James Lee
68205fa43c
Actually use the argument
2014-03-04 11:30:42 -06:00
sinn3r
f8310b86d1
Land #3059 - ALLPlayer M3U Buffer Overfloww
2014-03-04 11:29:52 -06:00
David Maloney
db76962b4a
Land #2764 , WMIC Post Mixin changes
...
lands Meatballs WMIC changes
2014-03-04 10:21:46 -06:00
Brandon Perry
a3523bdcb9
Update mantisbt_admin_sqli.rb
...
remove extra new line and fix author line
2014-03-04 08:44:53 -06:00
OJ
f0868c35bf
Land #3050 - Fix tained perl payloads
2014-03-04 10:05:47 +10:00
sgabe
408fedef93
Add module for OSVDB-98283
2014-03-04 00:51:01 +01:00
Meatballs
32d83887d3
Merge remote-tracking branch 'upstream/master' into wmic_post
2014-03-03 21:56:31 +00:00
Brandon Perry
98b59c4103
update desc
2014-03-03 12:40:58 -08:00
Brandon Perry
c5d1071456
add mantisbt aux module
2014-03-03 12:36:38 -08:00
Tod Beardsley
de6be50d64
Minor cleanup and finger-wagging about a for loop
2014-03-03 14:12:22 -06:00
Joe Vennix
6a02a2e3b3
NULL out envp pointer before execve call.
...
This was causing a crash on 10.9.
2014-03-03 08:56:52 -06:00
Sagi Shahar
a005d69b16
Fix $PATH issues. Add FileDropper functionality
2014-03-02 20:43:17 +02:00
Sagi Shahar
8c4b663643
Fix payloads to bypass Perl's Taint mode.
2014-03-02 18:39:05 +02:00
Sagi Shahar
e6c1dd3f9e
Switch post module to fixed exploit module.
2014-03-02 17:42:48 +02:00
Sagi Shahar
1d9e788649
Switch post module to fixed exploit module.
2014-03-02 17:24:22 +02:00
bcoles
f008c77f26
Write payload to startup for Vista+
2014-03-02 18:10:10 +10:30
Sagi Shahar
2870c89b78
Switch exploit module with post module.
2014-03-01 13:49:42 +02:00
Sagi Shahar
17272acb27
Fix module code per recommendations
2014-03-01 00:53:24 +02:00
Meatballs
63751c1d1a
Small msftidies
2014-02-28 22:18:59 +00:00
Michael Messner
15345da9d8
remove the wget module, remove the cmd stuff, testing bind stuff ahead
2014-02-28 22:44:26 +01:00
David Maloney
42a730745e
Land #2418 , Use meterpreter hostname resolution
2014-02-28 14:45:39 -06:00
sinn3r
ac446d3b3f
Land #3043 - randomization for Rex::Zip::Jar and java_signed_applet
2014-02-28 14:10:55 -06:00
David Maloney
e99e668a12
Merge branch 'master' of github.com:rapid7/metasploit-framework
2014-02-28 10:12:03 -06:00
David Maloney
2b5e4bea2b
Landing Pull Request 3003
2014-02-28 10:10:12 -06:00
William Vu
fd1586ee6a
Land #2515 , plaintext creds fix for John
...
[FixRM #8481 ]
2014-02-28 09:53:47 -06:00
Spencer McIntyre
12e4e0e36d
Return whether result is nil or not.
2014-02-28 10:17:37 -05:00
Spencer McIntyre
dfa91310c2
Support checking a single URI for ntlm information.
2014-02-28 08:47:29 -05:00
OJ
7117d50fa4
Land #3028 - bypassuac revamp
2014-02-28 09:12:02 +10:00
Sagi Shahar
fd4457fce8
Add AIX 6.1/7.1 ibstat $PATH Local Privilege Escalation
2014-02-27 23:56:49 +02:00
William Vu
1a053909dc
Land #3044 , chargen_probe reported service fix
2014-02-27 14:33:06 -06:00
sinn3r
f531d61255
Land #3036 - Total Video Player buffer overflow
2014-02-27 14:28:53 -06:00
sinn3r
7625dc4880
Fix syntax error due to the missing ,
2014-02-27 14:25:52 -06:00
sinn3r
49ded452a9
Add OSVDB reference
2014-02-27 14:22:56 -06:00
sinn3r
e72250f08f
Rename Total Video Player module
...
The filename shouldn't include the version, because the exploit should
be able to target multiple versions if it has to.
2014-02-27 14:20:26 -06:00
sinn3r
93ec12af43
Land #3035 - GE Proficy CIMPLICITY gefebt.exe Remote Code Execution
2014-02-27 14:13:28 -06:00
David Maloney
b952b103bd
cleanup tior and .tmp files
...
bypassuac module now also cleans
the tior.exe and all the .tmp files so we have a
clean environemnt afterwards
2014-02-27 13:18:34 -06:00
David Maloney
f66709b5bb
make bypassuac module clean itself up
...
since the IO redirection hangs our original process
we have the moudle wait for the session then kills
the spawning process and delete the exe we dropped
2014-02-27 12:54:40 -06:00
jgor
8be33f42fe
Define service as udp
2014-02-27 12:53:29 -06:00
jvazquez-r7
6c490af75e
Add randomization to Rex::Zip::Jar and java_signed_applet
2014-02-27 12:38:52 -06:00
David Maloney
a8e0c3c255
remove copypasta mistake
2014-02-27 10:05:53 -06:00
Fr330wn4g3
63f74bddae
2° update total_video_player_131_ini_bof
2014-02-27 16:41:35 +01:00
Peter Arzamendi
ea5fe9ec0a
Updated to use get_cookie
2014-02-27 08:52:54 -06:00
Peter Arzamendi
9e52a10f2d
Set SSL to default to true and removed SSL from register_options. Updated Author to include full name
2014-02-26 20:49:03 -06:00
Michael Messner
d6b28e3b74
mipsel reboot payload
2014-02-26 20:34:35 +01:00
David Maloney
96b611104e
cleanup methods in bypassuac module
...
apply the same sort of method cleanup as in
Meatballs injection based module.
2014-02-26 11:00:55 -06:00
jvazquez-r7
bfdefdb338
Land #3023 , @m-1-k-3's module for Linksys WRT120N bof reset password
2014-02-26 09:36:14 -06:00
jvazquez-r7
6ba26bf743
Use normalize_uri
2014-02-26 09:35:42 -06:00
jvazquez-r7
582372ec3e
Do minor cleanup
2014-02-26 09:32:11 -06:00
jvazquez-r7
0531abb691
Land #3026 , @ribeirux DoS module for CVE-2014-0050
2014-02-26 08:53:55 -06:00
jvazquez-r7
449d0d63d1
Do small clean up
2014-02-26 08:52:51 -06:00
Michael Messner
b79197b8ab
feedback included, cleanup, login check
2014-02-26 13:44:36 +01:00
Fr330wn4g3
b81642d8ad
Update total_video_player_131_ini_bof
2014-02-26 11:37:04 +01:00
Fr330wn4g3
a7cacec0c3
Add module for EDB 29799
2014-02-25 23:07:28 +01:00
jvazquez-r7
96ffb1db47
Delete extra comma
2014-02-25 15:29:46 -06:00
jvazquez-r7
cb18639b66
Add small fixes and clean up
2014-02-25 15:25:01 -06:00
jvazquez-r7
1d4b2ea60d
Add module for ZDI-14-015
2014-02-25 15:07:09 -06:00
William Vu
63bbe7bef2
Land #3034 , 302 redirect for http_basic
2014-02-25 13:54:58 -06:00
William Vu
4cc91095de
Fix minor formatting issues
2014-02-25 13:48:37 -06:00
jvazquez-r7
a45c8c2b4a
Land #3029 , @xistence Symantec endpoint exploit
2014-02-25 07:59:35 -06:00
jvazquez-r7
bfe0fdb776
Move module
2014-02-25 07:58:00 -06:00
xistence
ab167baf56
Added randomness instead of payload and xxe keywords
2014-02-25 15:23:10 +07:00
jvazquez-r7
4908d80d6c
Clean up module
2014-02-24 16:00:54 -06:00
kn0
6783e31c67
Used the builtin send_redirect method in Msf::Exploit::Remote::HttpServer instead of creating a redirect inline
2014-02-24 15:59:49 -06:00
ribeirux
ead7cbc692
Author and URI fixed
2014-02-24 22:20:34 +01:00
kn0
f1e71b709c
Added 301 Redirect option to Basic Auth module
2014-02-24 14:59:20 -06:00
William Vu
6f398f374e
Land #3032 , inside_workspace_boundary? typo fix
2014-02-24 14:55:09 -06:00
James Lee
d2945b55c1
Fix typo
...
inside_workspace_boundary() -> inside_workspace_boundary?()
2014-02-24 14:46:08 -06:00
sinn3r
a50b4e88be
Fix msftidy warning: Suspect capitalization in module title: 'encoder'
2014-02-24 11:25:46 -06:00
Michael Messner
2935f4f562
CMD target
2014-02-24 18:12:23 +01:00
jvazquez-r7
c981bbeab9
Land #3011 , @wchen-r7's fix for Dexter exploit
2014-02-24 10:53:10 -06:00
jvazquez-r7
b2d4048f50
Land #3027 , @OJ's fix for ultraminihttp_bof
2014-02-24 10:50:08 -06:00
jvazquez-r7
c9f0885c54
Apply @jlee-r7's feedback
2014-02-24 10:49:13 -06:00
sinn3r
5cdd9a2ff3
Land #2995 - sqlmap minor cleanup, description & file tests
2014-02-24 10:39:01 -06:00
bcoles
a29c6cd2b4
Add SolidWorks Workgroup PDM 2014 pdmwService.exe Arbitrary File Write
2014-02-25 02:57:25 +10:30
xistence
5485759353
Added Symantec Endpoint Protection Manager RCE
2014-02-24 15:04:37 +07:00
xistence
8e3f70851d
Added Symantec Endpoint Protection Manager RCE
2014-02-24 15:01:13 +07:00
Michael Messner
0126e3fcc8
cleanup
2014-02-23 21:17:32 +01:00
Michael Messner
dbbd080fc1
a first try of the cmd stager, wget in a seperated module included
2014-02-23 20:59:17 +01:00
OJ
fdd0d91817
Updated the Ultra Minit HTTP bof exploit
...
After exploiting this application manually I decided to make this
an MSF exploit, only to find that other people had beaten me to it.
However, the existing exploit was broken in a few ways, and this
commit makes those problems go away. They include:
* Correct use of alpha chars in the buffer leading up to the payload
which results in bad chars being avoided. Bad chars muck with the
offsets because they get expanded.
* Adjustment of the payload so that it runs in another thread instead
of in the thread of the request handler. This prevents the session
from being killed after the hard-coded 60-second timeout that is
baked into the application.
* The handler thread terminates itself so that the process doesn't
crash.
* Extra targets were added based on the machines I had access to.
2014-02-23 21:23:41 +10:00
Meatballs
2f7f344be3
Copy original sleep
2014-02-23 04:53:48 +00:00
Meatballs
6127ff92ce
Fix race condition
...
Wait for Sysprep to ExitProcess before cleaning up the DLLs...
2014-03-03 23:41:25 +00:00
Meatballs
d396be963a
Use new cmd_exec_get_pid
2014-02-28 20:53:13 +00:00
Meatballs
2a6258be15
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
...
Conflicts:
external/source/exploits/make.bat
2014-02-28 20:26:24 +00:00
Meatballs
e0fa1d532c
Dont think this works on vista/8
2014-02-26 23:14:17 +00:00
Meatballs
5a7730b495
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
2014-02-25 23:15:47 +00:00
Meatballs
8bdb22aeb9
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
...
Conflicts:
lib/msf/core/post/windows.rb
2014-02-25 22:15:05 +00:00
Meatballs
1f08ad48a4
Fix payload_path method
2014-02-25 22:11:23 +00:00
Meatballs
6687ef80ee
Further bypassuac tidies
...
Dont rescue Exception
Use ReflectiveDLLInjection post mixin
Dont keep retrieving %TEMP% path
2014-02-25 22:03:01 +00:00
David Maloney
23381ea2cb
code tidying
...
break big exploit method up into
smaller methods for better maintainability
2014-02-25 14:07:48 -06:00
ribeirux
8f7f1d0497
Add module for CVE-2014-0050
2014-02-22 14:56:59 +01:00
staaldraad
0dfa53840a
Add @Meatballs1 to authors
...
Add @Meatballs1 to author list, awesome changes and fixes to the code (almost complete rewrite)
2014-02-22 12:24:56 +02:00
Michael Messner
ec8e1e3d6f
small fixes
2014-02-21 21:59:45 +01:00
Michael Messner
1384150b7a
make msftidy happy
2014-02-21 21:56:46 +01:00
Michael Messner
c77fc034da
linksys wrt120 admin reset exploit
2014-02-21 21:53:56 +01:00
root
b4a22aa25d
hidden bind shell payload
2014-02-20 16:19:40 +01:00
jvazquez-r7
998fa06912
Land #2998 , @bit4bit's fix for the vtigercrm exploit
2014-02-20 08:36:05 -06:00
jvazquez-r7
0b27cd13e8
Make module work
2014-02-20 08:35:37 -06:00
jvazquez-r7
e75a0ea948
Fix typo
2014-02-19 15:21:02 -06:00
jvazquez-r7
aa07065f67
Land #2959 , reverse powershell payload by @Meatballs1
2014-02-19 15:14:54 -06:00
jvazquez-r7
9fad43da08
Add license information
2014-02-19 15:11:12 -06:00
Karmanovskii
396ff8adaa
Rename modules/auxiliary/analyse/myBB_GetTypeDB.rb to modules/auxiliary/analyze/myBB_GetTypeDB.rb
...
Sorry again :(
2014-02-19 11:33:57 -08:00
Karmanovskii
81e89eadba
Rename modules/exploits/multi/http/myBB_GetTypeDB to modules/auxiliary/analyse/myBB_GetTypeDB.rb
...
On the advice of "wvu-r7" moved module.
2014-02-19 10:21:05 -08:00
sinn3r
ed2ac95396
Always replace \ with / for Dexter exploit
...
Fix for the following:
48199fec27 (commitcomment-5419010)
2014-02-19 09:24:07 -06:00
Joe Vennix
50fb9b247e
Restructure some of the exploit methods.
2014-02-19 02:31:22 -06:00
sinn3r
2e7a56b4a7
Land #3001 - SUB Encoder
2014-02-19 01:54:01 -06:00
jvazquez-r7
4ca4d82d89
Land #2939 , @Meatballs1 exploit for Wikimedia RCE and a lot more...
2014-02-18 17:48:02 -06:00
Meatballs
ff4e91bb1b
Check domain return value
2014-02-18 23:34:17 +00:00
Meatballs
e4aedfad43
Fixup netapi call
2014-02-18 23:30:29 +00:00
Meatballs
0480ad16aa
No common
2014-02-18 23:09:35 +00:00
Meatballs
c06f86cc2b
Updates
2014-02-18 20:31:31 +00:00
William Vu
e7c3b94e60
Land #3006 , @todb-r7's pre-release fixes
2014-02-18 14:15:12 -06:00
Tod Beardsley
721e153c7f
Land #3005 to the fixup-release branch
...
Prefer the intel on #3005 over my own made up 0day guess. Thanks @wvu!
Conflicts:
modules/exploits/windows/fileformat/audiotran_pls_1424.rb
2014-02-18 14:08:54 -06:00
Meatballs
6f988209ab
Merge remote-tracking branch 'upstream/master' into enum_domain_users_update
2014-02-18 20:02:39 +00:00
Tod Beardsley
a863d0a526
Pre-release fixes, including msftidy errors.
2014-02-18 14:02:37 -06:00
Michael Messner
3a8de6e124
replaced rhost by peer
2014-02-18 21:01:50 +01:00
William Vu
28dc742bcf
Fix references and disclosure date
2014-02-18 13:59:58 -06:00
jvazquez-r7
4f9ab0b99f
Land #2903 , @Meatballs1 SPN gather post module
2014-02-18 13:53:32 -06:00
jvazquez-r7
4903b05214
Fix tabs
2014-02-18 13:51:40 -06:00
William Vu
c216357815
Land #3000 , audiotran_pls_1424 SEH exploit
2014-02-18 13:27:14 -06:00
Michael Messner
66e2148197
linksys themoon command execution exploit
2014-02-18 19:43:47 +01:00
Michael Messner
4dda7e6bad
linksys themoon command execution exploit
2014-02-18 19:42:50 +01:00
Meatballs
8a68323cf0
Dont keep checking domain
2014-02-18 17:52:34 +00:00
jvazquez-r7
1bc94b8a9d
Merge for retab
2014-02-17 19:19:47 -06:00
Meatballs
e290529841
Sadly this url is dead
2014-02-17 22:07:19 +00:00
Meatballs
6c32848b10
Use correct post methods
2014-02-17 22:03:07 +00:00
Joe Vennix
57449ac719
Adds working shellcode exec local exploit.
2014-02-17 15:31:45 -06:00
Meatballs
83d9a1e7c2
Xp Compat?
2014-02-17 21:28:06 +00:00
Meatballs
5e52e48d16
Gather cached GPO
2014-02-17 20:45:56 +00:00
Philip OKeefe
98958bc7bc
Making audiotran_pls_1424 more readable and adding comments
2014-02-17 13:40:03 -05:00
sinn3r
52ac85be11
Land #2931 - Oracle Forms and Reports RCE
2014-02-17 08:54:23 -06:00
sinn3r
110ffbf342
Indent looks off for this line
2014-02-17 08:53:29 -06:00
sinn3r
632ea05688
100 columns
2014-02-17 08:52:56 -06:00
sinn3r
8da7ba131b
In case people actually don't know what RCE means
2014-02-17 08:51:48 -06:00
sinn3r
73459baefd
Add OSVDB references
2014-02-17 08:50:34 -06:00
Mekanismen
fb7b938f8e
check func fixed
2014-02-17 15:11:56 +01:00
OJ
b2d09ed0d1
Add the NULL byte to the list of valid chars
...
While rare, I guess it is a possibility that the NULL byte can be
used.
2014-02-17 16:40:56 +10:00
xistence
1864089085
removed rport definition
2014-02-17 11:32:24 +07:00
Philip OKeefe
c60ea58257
added audiotran_pls_1424 fileformat for Windows
2014-02-16 16:20:50 -05:00
Mekanismen
e27d98368e
fixed local server issues
2014-02-16 18:26:08 +01:00
Mekanismen
e40b9e5f37
updated and improved
2014-02-16 16:24:39 +01:00
OJ
e134ec4691
Remove '*' from valid file system chars
2014-02-16 23:57:54 +10:00
OJ
a808053c37
Add first pass of optimised sub encoder
...
Full details of the encoder are in the detailed description in the
source itself. But this is effectively an "optimised" SUB encoder
which is similar to the add_sub encoder except it doesn't bother to
use the ADD instructions at all, and it doesn't zero out EAX for
each 4-byte block unless absolutely necessary. This results in
payloads being MUCH smaller (in some cases 30% or more is saved).
2014-02-16 20:12:14 +10:00
Jovany Leandro G.C
74344d6c7e
vtigerolservice.php to vtigerservice.php
...
using direct soap/vtigerolservice.php not work..php need require('config.php');
2014-02-15 20:36:36 -05:00
Matteo Cantoni
8a24da9eea
Module to query Jboss status servlet
2014-02-15 17:46:52 +01:00
Tod Beardsley
f6be574453
Slightly better file checks on sqlmap.py
2014-02-15 09:58:03 -06:00
Tod Beardsley
dacbf55fc1
Minor cleanup of title and desc on sqlmap
2014-02-15 09:55:06 -06:00
Mekanismen
b7d69c168c
bugfix and user supplied local path support
2014-02-15 16:24:59 +01:00
sinn3r
9daffbd484
Land #2973 - Dexter panel (CasinoLoader) SQLi to file upload code exec
2014-02-14 17:16:27 -06:00
sinn3r
48199fec27
Change URL identifier, and make the user choose a target
2014-02-14 17:15:00 -06:00
Karmanovskii
f9f2c401ca
Create myBB_GetTypeDB
...
This exploit allows you to specify the type of database forum Mybb.
Works by the operator wrongly used REGEXP. Which is not supported in postgreSQL and SQLite databases.
2014-02-14 13:12:43 -08:00
Meatballs
c39924188a
Clean up
2014-02-14 20:52:04 +00:00
Royce Davis
0e7074c139
Modififed output for smb_enumshares module
2014-02-14 13:39:13 -06:00
Royce Davis
6dc9840064
Modified output for smb_enumshares
2014-02-14 13:12:52 -06:00
jvazquez-r7
b2ea257204
Include Linux::System post mixin
2014-02-14 08:32:21 -06:00
Meatballs1
ad72ecaf84
Handle SPN array
2014-02-14 09:48:23 +00:00
Meatballs1
4b828e5d45
Dont parse empty SPNs
2014-02-14 09:41:37 +00:00
Meatballs1
2c12952112
Moar corrections
2014-02-14 09:37:00 +00:00
Meatballs1
9dd56d32de
Corrections
2014-02-14 09:32:53 +00:00
Meatballs1
7ef68184e1
Handle SPNs differently
2014-02-13 23:24:55 +00:00
Meatballs1
95048b089e
Dont search for made up fields
2014-02-13 22:51:55 +00:00
Russell Sim
ee3f1fc25b
Record successful passwordless access to mongodb
2014-02-14 08:52:17 +11:00
Tod Beardsley
745f313413
Remove @nmonkee as author per twitter convo
2014-02-13 14:41:10 -06:00
Tod Beardsley
371f23b265
Unbreak the URL refs add nmonkee as ref and author
...
While @nmonkee didn't actually contribute to #2942 , he did publish a
python exploit that leverages WebView, so given our policy of being
loose with author credit, I added him.
Also added a ref to @nmonkee's thing.
@jduck @jvennix-r7 if you have a problem with this, please do say so, I
don't think adding @nmonkee in any way diminishes your work, and I don't
want to appear like we're secretly ripping off people's work. I know you
aren't on this or any other module, and I know @nmonkee doesn't think
that either.
2014-02-13 14:19:59 -06:00
Matteo Cantoni
7c860b9553
fix description
2014-02-13 21:11:50 +01:00
jvazquez-r7
61563fb2af
Do minor cleanup
2014-02-13 09:10:04 -06:00
jvazquez-r7
67367092b7
Solve conflicts
2014-02-13 08:42:53 -06:00
William Vu
a4035252d6
Land #1910 , DISCLAIMER for firefox_creds
...
Fixed conflict in Author.
2014-02-12 16:32:08 -06:00
jvazquez-r7
51896bcf74
land #2984 , @wchen-r7's [FixRM #8765 ] NameError uninitialized constant in enum_ad_user_comments
2014-02-12 15:31:54 -06:00
sinn3r
ce2de8f3bf
Different way to write this
2014-02-12 15:08:20 -06:00
Peter Arzamendi
5ef40e3844
Removed bad sets on datastore['USERNAME'] and datastore['PASSWORD']
2014-02-12 13:31:03 -06:00
jvazquez-r7
ff267a64b1
Have into account the Content-Transfer-Encoding header
2014-02-12 12:40:11 -06:00
sinn3r
45d4b1e1fd
Land #2958 - Add options: Applicaiton-Name, Permissions for jar.rb
2014-02-12 11:14:25 -06:00
Peter Arzamendi
2b8a8259f9
Updates to support OWA 2013 and some syntax changes
2014-02-12 09:40:49 -06:00
jvazquez-r7
a59ce95901
Land #2970 , @sgabe exploit for CVE-2010-2343
2014-02-12 08:10:53 -06:00
jvazquez-r7
9845970e12
Use pop#ret to jump over the overwritten seh
2014-02-12 08:10:14 -06:00
sgabe
11513d94f5
Add Juan as author
2014-02-12 12:17:02 +01:00
sgabe
3283880d65
Partially revert "Replace unnecessary NOP sled with random text" to improve reliability.
...
This partially reverts commit 12471660e9
.
2014-02-12 12:09:16 +01:00
xistence
6944c54d13
Added EXTENDED option to smtp_relay
2014-02-12 15:44:53 +07:00
sinn3r
0f620f5aba
Fix Uninitialized Constant RequestError
...
[SeeRM #8765 ] NameError uninitialized constant
2014-02-12 00:23:23 -06:00
sgabe
7195416a04
Increase the size of the NOP sled
2014-02-12 02:35:53 +01:00
sgabe
3f09456ce8
Minor code formatting
2014-02-11 23:53:04 +01:00
sgabe
7fc3511ba9
Remove unnecessary NOPs
2014-02-11 23:48:54 +01:00
sgabe
12471660e9
Replace unnecessary NOP sled with random text
2014-02-11 23:48:04 +01:00
sgabe
184ccb9e1e
Fix payload size
2014-02-11 23:42:58 +01:00
William Vu
c67c0dde8f
Land #2972 , enum_system find/save logs/S[UG]ID
2014-02-11 15:45:27 -06:00
jvazquez-r7
1f0020a61c
Land #2946 , @jlee-r7's optimization of the x86 block_api code
2014-02-11 15:00:00 -06:00
bwall
783e62ea85
Applied changes from @wchen-r7's comments
2014-02-11 10:14:52 -08:00
jvazquez-r7
3717374896
Fix and improve reliability
2014-02-11 10:44:58 -06:00
jvazquez-r7
51df2d8b51
Use the fixed API on the mediawiki exploit
2014-02-11 08:28:58 -06:00
Roberto Soares Espreto
68578c15a3
find command modified
2014-02-11 10:08:12 -02:00
jvazquez-r7
79d559a0c9
Fix MIME message to_s
2014-02-10 22:23:23 -06:00
Roberto Soares Espreto
f181134ef8
Removed hard tabs
2014-02-10 23:16:04 -02:00
sgabe
e8a3984c85
Fix ROP NOP address and reduce/remove NOPs
2014-02-11 00:29:37 +01:00
Meatballs
39be214413
Dont use quotes and start in a console
2014-02-10 23:15:59 +00:00
William Vu
e6905837eb
Land #2960 , rand_text_alpha for amaya_bdo
2014-02-10 16:44:11 -06:00
bwall
13fadffe7e
Dexter panel (CasinoLoader) SQLi to PHP code exec - Initial
2014-02-10 13:44:30 -08:00
Meatballs
a87f604c98
Merge remote-tracking branch 'upstream/master' into mediawiki
2014-02-10 21:43:56 +00:00
Roberto Soares Espreto
2e720f8f0f
Post::Linux - Added to search for files with setuid/setgid and logfiles
2014-02-10 19:24:51 -02:00
Tod Beardsley
1236a4eb07
Fixup on description and some option descrips
2014-02-10 14:41:59 -06:00
jvazquez-r7
3d4d5a84b6
Land #2957 , @zeroSteiner's exploit for CVE-2013-3881
2014-02-10 13:59:45 -06:00