8417b916c7
Complete MS13-071 Information
2013-09-21 21:22:34 -05:00
6b06ed0df1
Update current_user_psexec.rb
2013-09-22 03:07:17 +05:00
a08d195308
Add Node.js as a platform.
...
* Fix some whitespace issues in platform.rb
2013-09-20 18:14:01 -05:00
49f15fbea4
Removes PayloadType from exploit module.
2013-09-20 18:01:55 -05:00
8381bf8646
Land #2404 - Add powershell support for current_user_psexec
2013-09-20 17:14:55 -05:00
96364c78f8
Need to catch RequestError too
...
Because a meterpreter session may throw that
2013-09-20 17:13:35 -05:00
59a201a8d3
Land #2334 , @tkrpata and @jvennix-r7's patch for sudo_password_bypass
2013-09-20 17:01:19 -05:00
fb8d0dc887
Write the return
2013-09-20 17:00:07 -05:00
2591be503b
Psh support
2013-09-20 22:07:42 +01:00
29649b9a04
Land #2388 , @dummys's exploit for CVE-2013-5696
2013-09-20 13:03:01 -05:00
8922d0fc7f
Fix small bugs on glpi_install_rce
2013-09-20 13:01:41 -05:00
b24ae6e80c
Clean glpi_install_rce
2013-09-20 12:58:23 -05:00
bb7b57cad9
Land #2370 - PCMAN FTP Server post-auth stack buffer overflow
2013-09-20 12:29:10 -05:00
feb76ea767
Modify check
...
Since auth is required, check function needs to look into that too
2013-09-20 12:28:21 -05:00
2d6c76d0ad
Rename pcman module
...
Because this is clearly a msf module, we don't need 'msf' as a
filename. The shorter the better.
2013-09-20 12:18:24 -05:00
6690e35761
Account for username length
...
Username is part of the overflowing string, need to account for that
2013-09-20 12:17:34 -05:00
9d67cbb4db
Retabbed
2013-09-20 11:58:53 -05:00
85152c4281
Land #2400 - Add OSVDB reference for openemr_sqli_privesc_upload
2013-09-20 10:39:06 -05:00
6f5e528699
Remove author, all the credits go to corelanc0der and sinn3r
2013-09-20 10:27:37 -05:00
83f54d71ea
Add MS13-069 (CVE-2013-3205) IE ccaret object use-after-free
...
This module exploits a use-after-free vulnerability found in Internet Explorer,
specifically in how the browser handles the caret (text cursor) object. In IE's
standards mode, the caret handling's vulnerable state can be triggered by first
setting up an editable page with an input field, and then we can force the caret
to update in an onbeforeeditfocus event by setting the body's innerHTML property.
In this event handler, mshtml!CCaret::`vftable' can be freed using a document.write()
function, however, mshtml!CCaret::UpdateScreenCaret remains unaware aware of this
change, and still uses the same reference to the CCaret object. When the function
tries to use this invalid reference to call a virtual function at offset 0x2c, it
finally results a crash. Precise control of the freed object allows arbitrary code
execution under the context of the user.
The vuln works against IE8 on Win 7, but the current version of the custom spray
doesn't actually work well against that target. More work is needed before we can
add that target for sure. The reason a custom spray is needed is because the
document.write() function erases the typical spray routines we use like
js_property_spray, or the heaplib + substring one. Tried using an iframe too,
but onbeforeeditfocus event doesn't seem to work well in an iframe (does not
fire when innerHTML is used.)
2013-09-20 10:20:35 -05:00
bad6f2279d
Add OSVDB reference for openemr_sqli_privesc_upload
2013-09-20 09:41:23 -05:00
032b9115a0
removed the old exploit
2013-09-20 10:53:52 +02:00
187ab16467
many change in the code and replace at the correct place the module
2013-09-20 10:45:10 +02:00
7d17eef7a7
Updated several msftidy [WARNING] Spaces at EOL issues.
2013-09-19 20:35:08 -07:00
955365d605
Land #2391 - MS13-071 Microsoft Windows Theme File Handling Vulnerability
2013-09-19 22:21:09 -05:00
0eb838156b
Land #2390 - Use payload.encoded because BadChars are defined
2013-09-19 22:10:55 -05:00
9598853fee
Land #2389 - Fix use of Rex sockets from dlink modules
2013-09-19 22:09:53 -05:00
8d70a9d893
Add more refs
2013-09-19 22:05:23 -05:00
137b3bc6ea
Fix whitespace issues.
2013-09-19 17:29:11 -05:00
bd96c6c093
Adds module for CVE-2013-3568.
2013-09-19 17:26:30 -05:00
46a241b168
Fix my own cleanup
2013-09-19 14:51:22 -05:00
08c7b49be0
corrected too much if
2013-09-19 21:47:01 +02:00
31903be393
Land #2380 , @xistence exploit for EDB 28329
2013-09-19 14:42:27 -05:00
cb737525b1
Final cleanup for openemr_sqli_privesc_upload
2013-09-19 14:40:57 -05:00
76e170513d
Do first clean on openemr_sqli_privesc_upload
2013-09-19 14:36:25 -05:00
cf0375f7e6
Fix check return value
2013-09-19 14:17:45 -05:00
862a8fb8aa
corrected indentation bug again
2013-09-19 20:27:23 +02:00
9b486e1dbb
Add comment about the smb_* methods
2013-09-19 13:23:46 -05:00
ce8e94b5fe
corrected indentation bug
2013-09-19 20:14:07 +02:00
bf0f4a523f
Land #2381 , @xistence exploit for EDB 28330
2013-09-19 13:06:41 -05:00
c63423ad69
Update code comment
2013-09-19 13:03:55 -05:00
6073e6f2dc
Fix use of normalize_uri
2013-09-19 12:59:37 -05:00
b4fa535f2b
Fix usage of fail_with
2013-09-19 12:45:29 -05:00
1aba7550f9
Fix check indentation
2013-09-19 12:44:11 -05:00
1f7c3d82c1
Refactor easy methods
2013-09-19 12:42:38 -05:00
891a54aad7
Fix metadata
2013-09-19 12:41:13 -05:00
1a00cce8a9
Clean up
2013-09-19 11:51:07 -05:00
628cfe8e67
Land #2393 , tape_engine_8A filename disambiguation
2013-09-19 10:31:40 -05:00
ef72b30074
Include the post requires until #2354 lands
...
Another one that needs the manual require. See #2354
2013-09-19 09:47:01 -05:00
fb72e7f02a
Disambiguate tape_engine_8A as tape_engine_0x8a
...
This will reopen #2358 to avoid filename collisions on Windows, Rubymine
environments, etc.
2013-09-19 09:35:31 -05:00
058e0fdd80
Changed ret to push esp C:\WINDOWS\system32\msvcrt.dll
2013-09-19 07:21:51 -07:00
f9617e351d
corrected Integer()
2013-09-19 16:04:20 +02:00
926ddf35bc
Fix possible collisions on binding port and handle rex socket
2013-09-19 08:23:25 -05:00
8fe9132159
Land #2358 , deprecate funny names
2013-09-18 14:55:33 -05:00
766e96510d
Added minor indentation updates
2013-09-18 12:12:35 -07:00
60d448f600
Add minor cleanup
2013-09-18 14:10:13 -05:00
db8881966e
Merge remote-tracking branch 'upstream/master'
2013-09-18 12:02:01 -07:00
68647c7363
Add module for MS13-071
2013-09-18 13:40:35 -05:00
accad24f31
Use payload.encoded because BadChars are defined
2013-09-18 13:03:35 -05:00
61ab0e245c
Add Context to rex sockets plus track them with add_socket
2013-09-18 12:39:08 -05:00
1988085a94
Fix possible port conflict
2013-09-18 12:24:36 -05:00
8728a9a3b7
Bumping out deprecation date
...
Pray I don't alter the deprecation date further.
2013-09-18 11:00:35 -05:00
bc57c9c6ec
corrected some codes requested by Meatballs
2013-09-18 17:55:36 +02:00
3366c3aa77
CVE-2013-5696 RCE for GLPI
2013-09-18 16:11:32 +02:00
adc1bd9c65
changes made to astium_sqli_upload based on suggestions
2013-09-18 16:52:31 +07:00
65ee8c7d5c
changed openemr_sqli_privesc_upload according to suggestions
2013-09-18 12:38:20 +07:00
6cbe371381
minor change
2013-09-17 20:33:46 -07:00
d6a1182bd4
changes to arkeia_upload_exec to comply with r7 suggestions #2
2013-09-18 08:24:40 +07:00
24a671b530
changes to arkeia_upload_exec to comply with r7 suggestions
2013-09-18 08:10:58 +07:00
0052f9712b
Updated hard tabs per new requirement
2013-09-17 17:42:01 -07:00
9a555d8701
Fix the modules added since the branch
2013-09-17 18:25:12 -05:00
150f0f644e
Merge branch 'rapid7' into bug/osx-mods-load-order
...
Conflicts:
modules/post/windows/gather/enum_dirperms.rb
2013-09-17 18:21:13 -05:00
82aa3f97b0
added Astium confweb 25399 RCE
2013-09-17 12:32:10 +07:00
5fc724bced
Kill explanatory comment.
2013-09-16 21:34:38 -05:00
2c47e56d90
Adds module for yaml code exec.
2013-09-16 21:33:57 -05:00
52a1b5fa57
updated pcman_stor_msf.rb module with community feedback.
2013-09-16 17:43:10 -07:00
226a75b5da
updated pcman_stor_msf.rb module with community feedback.
2013-09-16 17:37:29 -07:00
b4b7cecaf4
Various minor desc fixes, also killed some tabs.
2013-09-16 15:50:00 -05:00
f89af79223
Correct OSVDB for sophos sblistpack exploit
2013-09-16 15:41:50 -05:00
d4f2e72b9c
updated module to include msftidy.rb
2013-09-16 12:46:13 -07:00
82e3910959
added PCMan's FTP Server Crafted Multiple Command Handling Remote Buffer Overflow (OSVDB 94624)
2013-09-16 12:40:36 -07:00
92cf886e49
updated module to include msftidy.rb
2013-09-16 12:38:00 -07:00
4c83336944
Delete pcman_stor_msf.rb
...
delete because of commit issues.
2013-09-16 12:25:39 -07:00
e1e1cab797
Module gets me a shell, yay
2013-09-16 13:37:16 -05:00
f657f4d145
added PCMan's FTP Server Crafted Multiple Command Handling Remote Buffer Overflow (OSVDB 94624)
2013-09-16 09:57:27 -07:00
c18c41d8ea
Don't hidde exceptions
2013-09-16 09:26:13 -05:00
86e5163cad
Fix Indentation and cleanup
2013-09-16 09:19:26 -05:00
62cf9cb07c
Retab changes for PR #2188
2013-09-16 09:09:16 -05:00
842dba20b9
Merge for retab
2013-09-16 09:08:36 -05:00
af873b7349
added OpenEMR 4.1.1 Patch 14 SQLi Privesc Upload RCE
2013-09-16 16:19:35 +07:00
b2b629f932
added WD Arkeia Appliance RCE
2013-09-16 14:38:50 +07:00
67cd62f306
Land #2366 - HP ProCurve Manager SNAC UpdateCertificatesServlet File Upload
2013-09-16 01:44:23 -05:00
54e9cd81f3
Add module for ZDI-13-226
2013-09-13 17:31:51 -05:00
10303a8c2a
Delete debug print_status
2013-09-13 17:05:23 -05:00
dca4351303
Add check function
2013-09-13 16:51:14 -05:00
f7c4e081bb
Add module for ZDI-13-225
2013-09-13 16:40:28 -05:00
b2ba4b445f
Land #2362 , update description
2013-09-13 12:56:04 -05:00
4847976995
Update information about original discovery
...
Update info about original discovoery. See #2337 too.
2013-09-13 10:42:11 -05:00
c665f41cd6
Fix description
2013-09-13 09:09:14 -05:00
76f27ecde8
Require the deprecation mixin in all modules
...
Because rememberin to require it, and hoping against a race is not how we
roll any more.
2013-09-12 15:49:33 -05:00
761042f14b
require the deprecated mixin
2013-09-12 15:42:01 -05:00
968f299772
Deprecate A-PDF exploit for filename change
...
See PT 56796034
See PT 56795804
2013-09-12 15:30:26 -05:00
ac90cd1263
Land #2248 - Fix dlink upnp exec noauth
2013-09-12 15:10:20 -05:00
58b634dd27
Remove unnecessary requires from post mods
2013-09-12 14:36:01 -05:00
34383661cb
Land #2351 - Agnitum Outpost Internet Security Local Privilege Escalation
2013-09-12 14:21:05 -05:00
5aa6a0dd6b
Land #2346 - Sophos Web Protection Appliance sblistpack Arbitrary Command Execution
2013-09-12 14:19:02 -05:00
f42e6e8bca
Land #2345 - Sophos Web Protection Appliance clear_keys.pl Local Privilege Escalation
2013-09-12 14:17:24 -05:00
8db66aeb98
Yes, clearly it is.
2013-09-12 14:16:34 -05:00
d781f447db
Merge branch 'pr2345' into upstream-master
2013-09-12 14:15:18 -05:00
d47de46d94
Deprecate brightstor/tape_engine_8A
...
This module is getting renamed to 8a, instead of 8A.
2013-09-12 13:59:44 -05:00
9ad1be7318
Make junk easier
2013-09-11 09:33:01 -05:00
825eb9d1ca
Add module for OSVDB 96208
2013-09-11 00:11:00 -05:00
4f1db80c24
Fix requires in new post modules
2013-09-10 11:13:07 -05:00
bf40dc02ce
Add module for CVE-2013-4984
2013-09-09 23:27:24 -05:00
c3ff9a03d8
Add module for CVE-2013-4983
2013-09-09 23:26:10 -05:00
aff35a615b
Grammar fixes in descriptions
2013-09-09 15:09:53 -05:00
791b6f69c2
Land #2337 , @wchen-r7's exploit for MS13-055
2013-09-09 11:12:03 -05:00
0ee0168556
Retabbed
...
One kills a man, one is an assassin; one kills millions, one is a
conqueror; one kills a tab, one is a Metasploit dev.
2013-09-09 10:01:01 -05:00
6ab905e9e0
Less alignment
2013-09-09 09:39:02 -05:00
992bdcf530
Not from the future
2013-09-09 00:36:28 -05:00
c3db41334b
Add MS13-055 Internet Explorer Use-After-Free Vulnerability
...
In IE8 standards mode, it's possible to cause a use-after-free condition by first
creating an illogical table tree, where a CPhraseElement comes after CTableRow,
with the final node being a sub table element. When the CPhraseElement's outer
content is reset by using either outerText or outerHTML through an event handler,
this triggers a free of its child element (in this case, a CAnchorElement, but
some other objects apply too), but a reference is still kept in function
SRunPointer::SpanQualifier. This function will then pass on the invalid reference
to the next functions, eventually used in mshtml!CElement::Doc when it's trying to
make a call to the object's SecurityContext virtual function at offset +0x70, which
results a crash. An attacker can take advantage of this by first creating an
CAnchorElement object, let it free, and then replace the freed memory with another
fake object. Successfully doing so may allow arbitrary code execution under the
context of the user.
This bug is specific to Internet Explorer 8 only. It was originally discovered by
Orange Tsai at Hitcon 2013, but was silently patched in the July 2013 update, so
no CVE as of now.
2013-09-08 20:02:23 -05:00
3da9c4a685
Cleans up timeouts, wait before dropping payload, actually call #cleanup#super to kill the dropped file
2013-09-06 13:05:17 -05:00
2aed293d9a
Handle locked date and time preference pane
...
If the date and time preference pane is locked, effects are:
1. systemsetup takes 30 seconds to return
added a 30-second timeout to cmd_exec
2. Unable to change system date and time settings
added additional check to see if date change was successful
2013-09-06 10:17:09 -04:00
7d4bf0c739
Retab changes for PR #2327
2013-09-05 23:25:41 -05:00
34b499588b
Merge for retab
2013-09-05 23:24:22 -05:00
473f08bbb6
Register cleanup and update check
2013-09-05 22:43:26 +01:00
400b433267
Sort out exception handling
2013-09-05 22:21:44 +01:00
07060e4e69
Add return in check
2013-09-05 16:57:47 -04:00
d4043a6646
Spaces and change to filedropper
2013-09-05 20:41:37 +01:00
c5daf939d1
Stabs tabassassin
2013-09-05 20:36:52 +01:00
f780a41f87
Retab changes for PR #2248
2013-09-05 14:12:24 -05:00
554d1868ce
Merge for retab
2013-09-05 14:12:18 -05:00
f5a4c05dbc
Retab changes for PR #2267
2013-09-05 14:11:03 -05:00
4703a10b64
Merge for retab
2013-09-05 14:10:58 -05:00
9787bb80e7
Address @jlee-r7's feedback
2013-09-05 19:57:05 +01:00
206b52ea30
Land #2325 , @jlee-r7's Linux PrependFork addition
2013-09-05 13:50:59 -05:00
845bf7146b
Retab changes for PR #2304
2013-09-05 13:41:25 -05:00
adf9ff356c
Merge for retab
2013-09-05 13:41:23 -05:00
86ceadc53d
Fix target description
2013-09-05 13:37:01 -05:00
d43326d0f4
Check 302 while checking too
2013-09-05 13:36:35 -05:00
ab83a12354
Check 302 on anonymous access too
2013-09-05 13:35:52 -05:00
896bb129cd
Retab changes for PR #2325
2013-09-05 13:24:09 -05:00
5ff25d8b96
Merge for retab
2013-09-05 13:23:25 -05:00
c9c6f84668
Retab changes for PR #2328
2013-09-05 13:16:15 -05:00
9bdc274904
Merge for retab
2013-09-05 13:15:07 -05:00
50c6f26329
Don't deregister PrependFork
2013-09-05 10:50:36 -05:00
5c06a471f9
Get the call result
2013-09-05 08:33:35 -05:00
3681955f68
Use Msf::Config.data_directory
2013-09-05 08:28:50 -05:00
6b1d7545d6
Refactor, avoid duplicate code
2013-09-05 08:26:49 -05:00
84e4b42f6b
allow 302 redirects
2013-09-04 16:59:42 -05:00
jvazquez-r7
darknight007
Joe Vennix
sinn3r
Meatballs
dummys
Rick Flores (nanotechz9l)
William Vu
Tod Beardsley
James Lee
xistence
Tyler Krpata
Tab Assassin
jgor