Commit Graph

6810 Commits (a1bc48ebc28171734d9db18bf87015744f0dd421)

Author SHA1 Message Date
Tod Beardsley 75bbd1c48d Being slightly more clear on Browser Not Supported
With this and the rest of sinn3r's fixes, it looks like we can close the
Redmine bug.

[FixRM #7242]
2012-09-17 11:16:19 -05:00
sinn3r d77ab9d8bd Fix URIPATH and nil target
Allow random and '/' as URIPATH, also refuse serving the exploit
when the browser is unknown.
2012-09-17 10:54:12 -05:00
Tod Beardsley 48a46f3b94 Pack / Unpack should be V not L
Packing or unpacking to/from L, I, or S as pack types will cause
problems on big-endian builds of Metasploit, and are best avoided.
2012-09-17 09:52:43 -05:00
Tod Beardsley d77efd587a Merge remote branch 'wchen-r7/ie_0day_execcommand' 2012-09-17 08:48:22 -05:00
sinn3r 5eaefcf4c7 This is the right one, I promise 2012-09-17 08:41:25 -05:00
sinn3r 8f50a167bd This is the right module 2012-09-17 08:36:04 -05:00
sinn3r e43cae70a7 Add IE 0day exploiting the execcommand uaf 2012-09-17 08:28:33 -05:00
Tod Beardsley c83b49ad58 Unix linefeeds, not windows
That's what I get for just committing willy-nilly with a fresh install
of Gvim for Windows.

Also, this is an experiment to see if linefeeds are being respected in
this editor Window. I doubt it will be, given GitHub's resistance to
50/72 as a sensible default.
2012-09-16 18:10:35 -05:00
Tod Beardsley 2fc34e0073 Auth successful, not successfully
Just fixing up some adverb versus adjective grammar.
2012-09-16 17:51:00 -05:00
sinn3r b07b30839e Merge branch 'webmin_edit_html_fileaccess' of https://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-webmin_edit_html_fileaccess 2012-09-16 03:17:09 -05:00
jvazquez-r7 63d2d60c68 delete unneeded line 2012-09-15 23:56:38 +02:00
jvazquez-r7 ff2e9fc157 add changes proposed by sinn3r 2012-09-15 23:55:55 +02:00
jvazquez-r7 cbc778cb47 add changes proposed by sinn3r 2012-09-15 23:53:09 +02:00
jvazquez-r7 0708ec72fc module moved to a more correct location 2012-09-15 15:31:21 +02:00
jvazquez-r7 0f67f8d08a target modified 2012-09-15 15:14:33 +02:00
jvazquez-r7 70ff7621d6 added module for CVE-2012-2983 2012-09-15 15:11:12 +02:00
jvazquez-r7 0061d23b37 Added module for CVE-2012-2982 2012-09-15 15:09:19 +02:00
jvazquez-r7 9a83c7c338 changes according to egypt review 2012-09-14 18:47:50 +02:00
jvazquez-r7 eae571592c Added rgod email 2012-09-14 17:45:16 +02:00
jvazquez-r7 a2649dc8d1 fix typo 2012-09-14 17:10:41 +02:00
jvazquez-r7 e27d5e2eb7 Description improved 2012-09-14 17:08:59 +02:00
jvazquez-r7 9c77c15cf5 Added module for osvdb 85087 2012-09-14 16:54:28 +02:00
James Lee caf7619b86 Remove extra comma, fixes syntax errors in 1.8
Thanks, Kanedaaa, for reporting
2012-09-13 12:07:34 -05:00
sinn3r 1f58458073 Merge branch 'udev_netlink' of https://github.com/jlee-r7/metasploit-framework into jlee-r7-udev_netlink 2012-09-13 10:37:52 -05:00
sinn3r b31e8fd080 Merge branch 'qdpm_upload_exec' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-qdpm_upload_exec 2012-09-13 10:37:10 -05:00
sinn3r 71a0db9ae5 Make sure the user has a 'myAccount' page 2012-09-13 10:33:43 -05:00
jvazquez-r7 6771466cb7 Added module for CVE-2011-2750 2012-09-13 17:24:16 +02:00
sinn3r 658502d5ad Add OSVDB-82978
This module exploits a vuln in qdPM - a web-based project
management software. The user profile's photo upload feature can
be abused to upload any arbitrary file onto the victim server
machine, which allows remote code execution. However, note in
order to use this module, the attacker must have a valid cred
to sign in.
2012-09-13 10:01:08 -05:00
jvazquez-r7 12f3ef9c7c added osvdb numbers 2012-09-13 14:00:12 +02:00
Tod Beardsley 39f2cbfc3c Older targets confirmed for CoolType SING 2012-09-12 16:51:51 -05:00
Tod Beardsley fba219532c Updating BID for openfiler 2012-09-12 14:13:21 -05:00
Tod Beardsley 32e2232de3 Disambiguating hkm from hdm
Having an author name of "hkm" really looks like a typo for "hdm," but
it's not.
2012-09-11 11:13:20 -05:00
sinn3r 83f4b38609 Merge branch 'winamp_maki_bof' of https://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-winamp_maki_bof 2012-09-10 16:19:14 -05:00
jvazquez-r7 61bf15114a deregistering FILENAME option 2012-09-10 23:14:14 +02:00
sinn3r 2259de3130 Merge branch 'winamp_maki_bof' of https://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-winamp_maki_bof 2012-09-10 16:10:22 -05:00
jvazquez-r7 199fbaf33d use a static filename 2012-09-10 23:08:21 +02:00
sinn3r 1c14c270bc Merge branch 'winamp_maki_bof' of https://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-winamp_maki_bof 2012-09-10 15:53:16 -05:00
jvazquez-r7 cb975ce0a2 cleanup plus documentation for the maki template 2012-09-10 22:48:04 +02:00
sinn3r f5a0f74d27 Merge branch 'wanem_exec_improve' of https://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-wanem_exec_improve 2012-09-10 13:35:48 -05:00
James Lee bbeb6cc97a Add a privilege escalation exploit for udev < 1.4.1
Also includes a new ```rm_f``` method for Post::File for deleting remote
files in a platform-independent way.
2012-09-10 12:32:14 -05:00
jvazquez-r7 607c0f023a added edb references 2012-09-10 17:30:31 +02:00
jvazquez-r7 b813e4e650 Added module for CVE-2009-1831 2012-09-10 16:46:16 +02:00
sinn3r 64b8696e3c Extra condition that's not actually needed
Don't actually need to check nil res, because no code will
actually try to access res when it's nil anyway. And the 'return'
at the of the function will catch it when the response times out.
2012-09-09 04:06:48 -05:00
bcoles cb95a7b520 Add openfiler_networkcard_exec exploit 2012-09-09 17:28:09 +09:30
jvazquez-r7 37c7f366f2 check function tests vulnerability + minor improvements 2012-09-09 00:42:02 +02:00
bcoles f02659184a Add WANem v2.3 command execution 2012-09-08 16:01:45 +09:30
jvazquez-r7 caae54a7ca added osvdb reference 2012-09-07 16:56:37 +02:00
Tod Beardsley aaf7fcd5e9 Closing bracket doh 2012-09-07 08:57:27 -05:00
Tod Beardsley 53e4818c2e Humble-desser, not humble-dresser 2012-09-07 08:49:27 -05:00
jvazquez-r7 c572c20831 Description updated to explain conditions 2012-09-07 11:18:54 +02:00
sinn3r bd596a3f39 Merge branch 'sflog_upload_exec' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-sflog_upload_exec 2012-09-06 18:40:19 -05:00
sinn3r 86036737ca Apparently this app has two different names
People may either call the app "ActiveFax", or "ActFax". Include
both names in there to allow the module to be more searchable.
2012-09-06 18:38:03 -05:00
sinn3r 6a484cdbc5 Merge branch 'actfax_local_exploit' of https://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-actfax_local_exploit 2012-09-06 18:35:08 -05:00
sinn3r b4270bb480 Add OSVDB-83767: SFlog Upload Exec Module
This module exploits multiple flaws in SFlog!. By default, the
CMS has a default admin cred of "admin:secret", which can be
abused to access admin features such as blog management. Through
the management interface, we can upload a backdoor that's accessible
by any remote user, and then we gain code execution.
2012-09-06 18:30:45 -05:00
jvazquez-r7 fc1c1c93ba ZDI references fixed 2012-09-07 00:50:07 +02:00
jvazquez-r7 4985cb0982 Added module for ActFax SYSTEM Local bof 2012-09-07 00:45:08 +02:00
jvazquez-r7 65681dc3b6 added osvdb reference 2012-09-06 13:56:52 +02:00
jvazquez-r7 b4113a2a38 hp_site_scope_uploadfileshandler is now multiplatform 2012-09-06 12:54:51 +02:00
jvazquez-r7 270fa1b87b updated descriptions for hp sitescope modules tested over linux 2012-09-05 23:25:08 +02:00
Tod Beardsley 9531c95627 Adding BID 2012-09-05 15:04:05 -05:00
Tod Beardsley ff97b1da00 Whitespace EOL 2012-09-05 14:04:20 -05:00
sinn3r 43041e3a0a Merge branch 'hp_sitescope_uploadfileshandler' of https://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-hp_sitescope_uploadfileshandler 2012-09-05 14:03:24 -05:00
sinn3r 6705f5405e Merge branch 'symantec_smg_ssh_pass' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-symantec_smg_ssh_pass 2012-09-05 14:00:55 -05:00
sinn3r bed3c7bbac Merge branch 'hp_sitescope_loadfilecontent_fileaccess' of https://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-hp_sitescope_loadfilecontent_fileaccess 2012-09-05 13:59:49 -05:00
jvazquez-r7 2f87af1c3a add some checks while parsing the java serialization config file 2012-09-05 20:58:55 +02:00
sinn3r 598fdb5c50 Merge branch 'hp_sitescope_getsitescopeconfiguration' of https://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-hp_sitescope_getsitescopeconfiguration 2012-09-05 13:58:39 -05:00
sinn3r 41904891c9 Merge branch 'hp_sitescope_getfileinternal_fileaccess' of https://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-hp_sitescope_getfileinternal_fileaccess 2012-09-05 13:57:39 -05:00
jvazquez-r7 b2116e2394 cleanup, test, add on_new_session handler and osvdb references 2012-09-05 20:54:25 +02:00
sinn3r bbab206eac Add CVE-2012-3579 - Symantec Messaging Gateway 9 Default SSH Pass
This module exploits a default misconfig flaw on Symantec Messaging
Gateway 9.5 (or older). The "support" user has a known default
password, which can be used to login to the SSH service, and then
gain privileged access from remote.
2012-09-05 13:21:10 -05:00
jvazquez-r7 20655232d7 cleanup, tested and added osvdb reference 2012-09-05 20:03:46 +02:00
jvazquez-r7 c6f5b1f072 cleanup, test, osvdb reference 2012-09-05 19:56:04 +02:00
jvazquez-r7 ea2eb046c3 cleanup, final test, osvdb reference 2012-09-05 19:45:50 +02:00
jvazquez-r7 406202fc81 Added module for ZDI-12-174 2012-09-05 12:56:09 +02:00
jvazquez-r7 166f68b194 added module for ZDI-12-177 2012-09-05 12:54:30 +02:00
jvazquez-r7 534ab55e5c Added module for ZDI-12-173 2012-09-05 12:53:03 +02:00
jvazquez-r7 8a50ca2f47 Added module for ZDI-12-176 2012-09-05 12:51:25 +02:00
Cristiano Maruti 8fce975593 Aux module raises an error because Report module is not included in the source 2012-09-05 10:38:36 +02:00
Tod Beardsley c7de73e7bf Clean up SVN metadata 2012-09-04 19:36:10 -05:00
Tod Beardsley 7b8ab53661 Use :unique_data option for dns.enum reporting
Otherwise, you will only report the last thing that comes through on
that host for the dns.enum note type.
2012-09-04 19:32:29 -05:00
Tod Beardsley 2edf4a676a Merge remote branch 'bonsaiviking/axfr' into bonsai-afxr 2012-09-04 16:16:41 -05:00
Tod Beardsley b8132cae5c Add the redistribution comment splat 2012-09-04 15:58:43 -05:00
Tod Beardsley 15f1dd8525 Moving greetz to Author fields 2012-09-04 15:58:43 -05:00
Tod Beardsley 6e7cbe793c Spamguard e-mail addresses, make auth name consistent 2012-09-04 15:58:43 -05:00
Tod Beardsley a925eef070 Removed meterpreter reference from desc
This post module relies on meterpreter as a SessionType, but the
description shouldn't call this out specifically.
2012-09-04 15:58:42 -05:00
Tod Beardsley ba0de5acd9 Retitled for consistency and accuracy 2012-09-04 15:58:42 -05:00
Tod Beardsley f80abaf0d1 Dropping trailing whitespace 2012-09-04 15:58:42 -05:00
nullbind 69b2f95a6f small update 2012-09-04 15:58:42 -05:00
nullbind cac1e0a585 small update 2012-09-04 15:58:42 -05:00
nullbind e1da14f786 access database with local os admin privs 2012-09-04 15:58:42 -05:00
nullbind a08d2359d7 access database with local os admin privs 2012-09-04 15:58:42 -05:00
nullbind 114ade6bea applied todb requested fixes, and added sql 2k support 2012-09-04 15:58:42 -05:00
nullbind 6cd6f9d5d1 minor comment updates 2012-09-04 15:58:42 -05:00
nullbind 7e168f2e5c Modified module to write query results to a file with report/loot options 2012-09-04 15:58:42 -05:00
nullbind 522fb401e9 Find data on a SQL Server, sample it, and write it to a CSV file. 2012-09-04 15:58:42 -05:00
sinn3r 99009da567 Merge branch 'mobilecartly_upload_exec' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-mobilecartly_upload_exec 2012-09-04 14:32:23 -05:00
sinn3r e926bc16ba Add MobileCartly 1.0 module 2012-09-04 14:23:16 -05:00
jvazquez-r7 4a92cc4641 jboss_invoke_deploy module cleanup 2012-09-04 18:49:11 +02:00
jvazquez-r7 cb40a0c362 Merge branch 'jboss-jmx-invoke-deploy' of https://github.com/h0ng10/metasploit-framework into h0ng10-jboss-jmx-invoke-deploy 2012-09-04 18:47:30 +02:00
James Lee 828f37701d Fix linux shell_bind_tcp payload
It was calling bind(2) with a family of 0x02ff, which makes no sense and
causes execution to fall off the end and segfault. Fix it by replacing
0x02ff with the appropriate 0x0002, or AF_INET.

[Fixrm #7216]
2012-09-04 04:23:48 -05:00
sinn3r 783ffb13c2 Add Adobe security bulletin references 2012-09-04 00:07:53 -05:00
sinn3r b3bfaec089 Add reference about the patch 2012-09-03 23:58:21 -05:00
sinn3r 9d97dc8327 Add Metasploit blogs as references, because they're useful. 2012-09-03 15:57:27 -05:00
h0ng10 2b6aa6bbdb Added Exploit for deployfilerepository via JMX 2012-09-03 13:50:16 -04:00
sinn3r 9ab62de637 Fix a spelling error 2012-09-03 01:44:02 -05:00
jvazquez-r7 943121dd61 Added module for CVE-2012-2611 2012-09-03 00:15:56 +02:00
sinn3r 53a9a8afce Awww, typo! Nice catch, @Agarri_FR! :-) 2012-08-31 14:23:51 -05:00
sinn3r d106a1150e Be more clear that we dislike certain PDF templates 2012-08-31 14:07:58 -05:00
sinn3r f48fbaccb0 Add Oracle's security alert 2012-08-30 14:04:16 -05:00
sinn3r 4758eb0dc3 Merge branch 'jvazquez-r7-taget_host_glassflish_deployer' 2012-08-30 12:18:02 -05:00
jvazquez-r7 f99982a85e added java as platform to avoid confusion between target and payload 2012-08-30 18:39:20 +02:00
jvazquez-r7 4fd9f88304 avoid the redefinition of Module.target_host 2012-08-30 14:45:14 +02:00
jvazquez-r7 f439f256b5 Debug line deleted on 2012-08-30 00:18:07 +02:00
sinn3r c3159e369a A lot gotcha
When res is nil, that condition can fall into the 'else' clause.
If that happens, we can trigger a bug when we try to read res.code.
2012-08-29 14:46:35 -05:00
sinn3r b70e205a7e Merge branch 'sap_host_control_cmd_exec' of https://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-sap_host_control_cmd_exec 2012-08-29 14:45:46 -05:00
sinn3r 5f64c55112 Update description 2012-08-29 11:10:35 -05:00
jvazquez-r7 6a24e042f9 fixing indentation 2012-08-29 16:17:56 +02:00
jvazquez-r7 2ed712949e Added check function 2012-08-29 16:12:11 +02:00
jvazquez-r7 72cb39925a Added exploit for OSVDB 84821 2012-08-29 12:17:44 +02:00
jvazquez-r7 363c0913ae changed dir names according to CVE 2012-08-28 16:33:01 +02:00
sinn3r 34b12c4f55 Update CVE/OSVDB refs 2012-08-28 01:21:32 -05:00
jvazquez-r7 6e2369680b Safari added 2012-08-28 02:04:03 +02:00
jvazquez-r7 30fd2cf256 Description updated 2012-08-28 02:01:26 +02:00
sinn3r 7e579db705 Add AlienVault reference 2012-08-27 13:29:27 -05:00
sinn3r 15a87a79f8 Add mihi's analysis 2012-08-27 13:24:43 -05:00
jvazquez-r7 52ca1083c2 Added java_jre17_exec 2012-08-27 11:25:04 +02:00
Rob Fuller b0661a33a3 Update modules/post/windows/gather/tcpnetstat.rb
forgot to change table name with table code reuse
'connection table' is a better table header than
'routing table'.
2012-08-26 02:34:54 -03:00
sinn3r 8e56d4f2eb This reference is too damn useful, must add 2012-08-25 16:05:58 -05:00
sinn3r 638d9d1095 Fix nil res bug, change action name, etc 2012-08-25 02:41:50 -05:00
sinn3r 6341260e13 Merge branch 'patch-1' of https://github.com/crashbrz/metasploit-framework into crashbrz-patch-1 2012-08-25 02:36:36 -05:00
sinn3r d51f8cad25 Change title and description 2012-08-24 15:39:56 -05:00
Ewerson Guimaraes (Crash) cad590488d Update modules/auxiliary/scanner/http/http_traversal.rb 2012-08-24 15:47:07 -03:00
sinn3r 3036f7725d Merge branch 'webdav_fix' of https://github.com/mubix/metasploit-framework into mubix-webdav_fix 2012-08-24 11:18:50 -05:00
sinn3r ea7d7b847a Merge branch 'master' of github.com:rapid7/metasploit-framework 2012-08-24 11:17:14 -05:00
jvazquez-r7 179e816194 Merge branch 'esva_bid' of https://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-esva_bid 2012-08-24 17:37:25 +02:00
jvazquez-r7 8f748d833a Added BID reference 2012-08-24 17:30:52 +02:00
jvazquez-r7 e27f736e95 BID reference added 2012-08-24 17:29:12 +02:00
jvazquez-r7 e461d542ac added Windows 2003 SP1 Spanish targets 2012-08-24 12:50:30 +02:00
jvazquez-r7 54ce7268ad modules/exploits/windows/smb/ms08_067_netapi.rb 2012-08-24 11:30:23 +02:00
jvazquez-r7 1a60abc7a7 Added W2003 SP2 Spanish targets 2012-08-24 11:16:08 +02:00
Rob Fuller d0558218ee Add non-authed OPTION response to support WebDAV 2012-08-23 15:11:10 -04:00
Tod Beardsley a93c7836bd Fixes load order with reverse http
This was originally intended to fix #664.

SEERM #7141 also.
2012-08-23 12:16:47 -05:00
jvazquez-r7 261a17d28a Added module for CVE-2009-4498 2012-08-23 18:29:39 +02:00
James Lee aac56fc29b Fix load order issue
[See #664][SeeRM #7141]
2012-08-23 10:54:23 -05:00
jvazquez-r7 57c6385279 heap spray from flash works pretty well on ie9 too 2012-08-22 20:47:11 +02:00
jvazquez-r7 730c0e9368 added windows vista and w7 targets 2012-08-22 20:13:10 +02:00
sinn3r 22051c9c2c Merge branch 'flash_exploit_r2' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-flash_exploit_r2 2012-08-22 10:00:34 -05:00
sinn3r 1b6fe22359 Give proper credit to Craig plus additional references
Craig first found the buffer overflow. But Matt found a more
reliable way to exploit the flaw.
2012-08-21 22:48:15 -05:00
sinn3r f715527423 Improve CVE-2012-1535 2012-08-21 19:58:21 -05:00
jvazquez-r7 0e535e6485 added module for XODA file upload RCE 2012-08-22 00:54:13 +02:00
Tod Beardsley 8d187b272d Some error handling on ntlm relayer
Instead of a cryptic exception, let the user know if the HTTP target
isn't actually asking for WWW-Authenticate.

There are likely many more opportunities to catch errors, but this is
the most obvious.
2012-08-21 16:13:00 -05:00