sinn3r
bc9c865c25
Land #2865 - js payload to firefox_svg_plugin & add BA support for FF JS exploits
2014-01-13 11:17:36 -06:00
jvazquez-r7
95a5d12345
Merge #2835 , #2836 , #2837 , #2838 , #2839 , #2840 , #2841 , #2842 into one branch
2014-01-13 10:57:09 -06:00
sgabe
e7cc3a2345
Removed unnecessary target
2014-01-13 13:17:16 +01:00
sgabe
26d17c03b1
Replaced ROP chain
2014-01-13 02:54:49 +01:00
Joe Vennix
b3b04c4159
Fix both firefox js exploits to use browser_autopwn.
2014-01-11 17:34:38 -06:00
sgabe
d657a2efd3
Added DEP Bypass
2014-01-11 20:31:28 +01:00
sgabe
72d15645df
Added more references
2014-01-11 20:30:50 +01:00
sgabe
8449005b2a
Fixed CVE identifier.
2014-01-10 23:45:34 +01:00
sinn3r
cacd7ff9d4
Land #2827 - Add firefox js xpcom payloads for universal ff shells
2014-01-10 14:29:32 -06:00
jvazquez-r7
9d14dd59eb
Delete parentheses
2014-01-09 15:17:13 -06:00
jvazquez-r7
85203c2f2a
Land #2823 , @mandreko's exploit module for OSVDB 101653
2014-01-09 10:27:44 -06:00
Matt Andreko
40d2299ab4
Added tested device
2014-01-09 10:46:14 -05:00
Matt Andreko
c50f7697a5
Merge branch 'review_2823' of https://github.com/jvazquez-r7/metasploit-framework into sercomm_exec
2014-01-09 10:39:12 -05:00
jvazquez-r7
bbaaecd648
Delete commas
2014-01-09 08:01:11 -06:00
jvazquez-r7
5e510dc64c
Add minor fixes, mainly formatting
2014-01-09 07:51:42 -06:00
Matt Andreko
ed6723655d
Code Review Feedback
...
Fixed some handling of errors and invalid hosts
2014-01-09 08:44:01 -05:00
William Vu
8414973746
Land #2833 , rm linksys_wrt110_cmd_exec_stager
2014-01-09 01:21:22 -06:00
Matt Andreko
d2458bcd2a
Code Review Feedback
...
Migrated the Sercomm module to use the CmdStager mixin to provide
uploading of the ELF binary.
Modified the CmdStagerEcho mixin to allow bypass of the "-en " since in
this case, the device messed up when it was used, and would actually
write the "-en " to the file, from some flaky busybox version of "echo".
2014-01-08 22:21:32 -05:00
Niel Nielsen
e79ccb08cb
Update rails_secret_deserialization.rb
...
When using aws-sdk with Ruby 2.1.0-rc1, many "Digest::Digest is deprecated; use Digest" warnings are printed.
Even in Ruby 1.8.7-p374, OpenSSL::Digest::Digest is only provided for backward compatibility.
2014-01-07 21:41:15 +01:00
jvazquez-r7
590547ebc7
Modify title to avoid versions
2014-01-07 13:01:10 -06:00
Joe Vennix
c34af35230
Add wrt100 to the description and title.
...
* The wrt110 and wrt100 share the same firmware, and are both vulnerable to this
bug.
2014-01-07 10:26:15 -06:00
Joe Vennix
1057cbafee
Remove deprecated linksys module.
2014-01-07 10:22:35 -06:00
Tod Beardsley
c0a82ec091
Avoid specific versions in module names
...
They tend to be a lie and give people the idea that only that version is
vulnerable.
2014-01-06 13:47:24 -06:00
sinn3r
1cdfbfeed5
Land #2820 - vTigerCRM SOAP AddEmailAttachment Arbitrary File Upload
2014-01-06 10:36:02 -06:00
Tod Beardsley
cd38f1ec5d
Minor touchups to recent modules.
2014-01-03 13:39:14 -06:00
Matt Andreko
41ac66b5e5
Removed stupid debug line I left in
2014-01-03 11:00:13 -05:00
Matt Andreko
aaa9fa4d68
Removed RequiredCmd options that didn't work successfully.
2014-01-03 10:56:01 -05:00
Matt Andreko
20b073006d
Code Review Feedback
...
Removed Payload size restriction. I tested with 10,000 characters and it
worked.
Removed handler for now, since it's unable to get a shell. It's
currently limited to issuing commands.
2014-01-03 10:54:16 -05:00
Matt Andreko
570e7f87d3
Moved to more appropriate folder
2014-01-02 20:58:46 -05:00
Matt Andreko
b24e927c1a
Added module to execute commands on certain Sercomm devices through
...
backdoor
See more: https://github.com/elvanderb/TCP-32764
2014-01-02 20:54:02 -05:00
William Vu
2d25781cf0
Land #2804 for real (thanks, @jvazquez-r7!)
...
It was the wrong time to mess with my workflow.
2014-01-02 16:39:02 -06:00
William Vu
67a796021d
Land #2804 , IBM Forms Viewer 4.0 exploit
2014-01-02 16:10:02 -06:00
jvazquez-r7
eaeb457d5e
Fix disclosure date and newline as pointed by @wvu-r7
2014-01-02 16:08:44 -06:00
Joe Vennix
06fb2139b0
Digging around to get shell_command_token to work.
2014-01-02 14:05:06 -06:00
jvazquez-r7
1b893a5c26
Add module for CVE-2013-3214, CVE-2013-3215
2014-01-02 11:25:52 -06:00
Joe Vennix
1b0e99b448
Update proto_crmfrequest module.
2014-01-02 10:48:28 -06:00
Joe Vennix
694cb11025
Add firefox platform, architecture, and payload.
...
* Enables chrome privilege exploits in firefox to run a javascript cmd
shell session without touching the disk.
* Adds a spec for the addon_generator.
2014-01-02 10:48:28 -06:00
William Vu
d291cd92d7
Land #2817 , icofx_bof random things
2014-01-01 22:01:48 -06:00
jvazquez-r7
b4439a263b
Make things random
2013-12-31 16:06:25 -06:00
sinn3r
184bd1e0b2
Land #2815 - Change gsub hardtabs
2013-12-31 15:58:21 -06:00
jvazquez-r7
2252a037a5
Fix disclosure date
2013-12-31 14:51:43 -06:00
jvazquez-r7
3775b6ce91
Add module for CVE-2013-4988
2013-12-31 14:43:45 -06:00
jvazquez-r7
841f67d392
Make adobe_reader_u3d also compliant
2013-12-31 11:07:31 -06:00
jvazquez-r7
7f9f4ba4db
Make gsubs compliant with the new indentation standard
2013-12-31 11:06:53 -06:00
William Vu
80a1e85235
Add :config => false to sysax_ssh_username
2013-12-30 18:13:49 -06:00
David Maloney
c3fd657bde
Missing config false flag
...
the sshexec exploit was missing the flag
that tells net:ssh to not use the user's
local config . This can cuase ugly problem
MSP-9262
2013-12-30 14:28:15 -06:00
jvazquez-r7
57d60c66f9
Add masqform version as comment
2013-12-27 10:59:23 -06:00
jvazquez-r7
341e3c0370
Use rexml
2013-12-27 10:55:36 -06:00
jvazquez-r7
ee35f9ac30
Add module for zdi-13-274
2013-12-27 10:20:44 -06:00
Tod Beardsley
5ce862a5b5
Add OSVDB
2013-12-26 10:33:46 -06:00
sinn3r
90ce761681
Land #2790 - RealNetworks RealPlayer Version Attribute Buffer Overflow
2013-12-24 00:39:54 -06:00
sinn3r
367dce505b
Minor details
2013-12-24 00:39:15 -06:00
sgabe
f687a14539
Added support for opening via menu.
2013-12-24 03:12:49 +01:00
sinn3r
9c484dd0a3
Land #2786 - HP SiteScope issueSiebelCmd Remote Code Execution
2013-12-23 02:34:01 -06:00
sinn3r
5b647ba6f8
Change description
...
Pre-auth is implied.
2013-12-23 02:33:17 -06:00
sgabe
287271cf98
Fixed date format.
2013-12-22 01:32:16 +01:00
sgabe
0ac495fef8
Replaced hex with plain text.
2013-12-22 01:31:37 +01:00
jvazquez-r7
f43bc02297
Land #2787 , @mwulftange's exploit for CVE-2013-6955
2013-12-20 17:03:10 -06:00
jvazquez-r7
163a54f8b1
Do send_request_cgi final clean up
2013-12-20 17:00:57 -06:00
sgabe
44ab583611
Added newline to end of file.
2013-12-20 22:40:45 +01:00
sgabe
62f71f6282
Added module for CVE-2013-6877
2013-12-20 22:37:09 +01:00
jvazquez-r7
af13334c84
Revert gsub!
2013-12-20 11:39:49 -06:00
sinn3r
ce8b8e8ef9
Land #2783 - OpenSIS 'modname' PHP Code Execution
2013-12-20 11:29:10 -06:00
sinn3r
d0ef860f75
Strip default username/password
...
There isn't one. So force the user to supply one.
2013-12-20 11:28:18 -06:00
sinn3r
52a4e55804
Land #2781 - Firefox 5.0 - 15.0.1 __exposedProps__ XCS Code Execution
2013-12-20 11:25:50 -06:00
jvazquez-r7
1da961343a
Do final (minor) cleanup
2013-12-20 11:20:29 -06:00
Markus Wulftange
929f3ea35c
Turn Auxiliary module into Exploit module
2013-12-20 16:45:38 +01:00
bcoles
fb6cd9c149
add osvdb+url refs and module tidy up
2013-12-20 20:27:07 +10:30
jvazquez-r7
4816abe63b
Add module for ZDI-13-263
2013-12-19 17:48:52 -06:00
Joe Vennix
8e27e87c81
Use the right disclosure date.
2013-12-19 12:58:52 -06:00
Joe Vennix
955dfe5d29
msftidy it up.
2013-12-19 12:53:58 -06:00
Joe Vennix
b50bbc2f84
Update module to use sinn3r's beautiful browserexploitserver.
2013-12-19 12:49:24 -06:00
bcoles
fc2da15c87
Add OpenSIS 'modname' PHP Code Execution module for CVE-2013-1349
2013-12-19 19:10:48 +10:30
Joe Vennix
eb08a30293
Update description with new version support.
2013-12-19 02:08:55 -06:00
Joe Vennix
5ee6c77901
Add a patch for 15.x support.
...
* Also add authors i forgot, oops
2013-12-19 02:05:45 -06:00
Joe Vennix
2add2acc8f
Use a smaller key size, harder to spot.
2013-12-18 21:02:23 -06:00
Joe Vennix
8d183d8afc
Update versions, 4.0.1 does not work on windows.
2013-12-18 20:57:47 -06:00
Joe Vennix
cb390bee7d
Move comment.
2013-12-18 20:37:33 -06:00
Joe Vennix
23b5254ea1
Fix include reference.
2013-12-18 20:35:43 -06:00
Joe Vennix
5255f8da12
Clean up code. Test version support.
...
* Using #get in Object#defineProperty call makes the payload execute immediately
on all supported browsers I tested.
* Moved Ranking to Excellent since it is now 100% reliable.
2013-12-18 20:30:08 -06:00
jvazquez-r7
198667b650
Land #2774 , @Mekanismen's module for CVE-2013-7091
2013-12-18 16:23:44 -06:00
jvazquez-r7
aec2e0c92c
Change ranking
2013-12-18 16:23:14 -06:00
jvazquez-r7
d4ec858051
Clean zimbra_lfi
2013-12-18 15:46:37 -06:00
sinn3r
4bddd077ec
Land #2762 - Use new ntdll railgun functions
2013-12-18 15:18:47 -06:00
Joe Vennix
64273fe41d
Move addon datastore options into mixin.
2013-12-18 14:42:01 -06:00
Joe Vennix
ca2de73879
It helps to actually commit the exploit.
2013-12-18 14:31:42 -06:00
Joe Vennix
1235615f5f
Add firefox 15 chrome privilege exploit.
...
* Moves the logic for generating a firefox addon into its own mixin
* Updates the firefox_xpi_bootstrapped_addon module to use the mixin
* Module only works if you move your mouse 1px in any direction.
2013-12-18 14:30:35 -06:00
Mekanismen
0c0e8c3a49
various updates
2013-12-18 20:54:35 +01:00
jvazquez-r7
ab69454f89
Land #2745 , @rcvalle's exploit for CVE-2013-2068
2013-12-18 12:06:27 -06:00
jvazquez-r7
ec64382efc
Fix cfme_manageiq_evm_upload_exec according to chat with @rcvalle
2013-12-18 11:53:30 -06:00
jvazquez-r7
a28ea18798
Clean pull request
2013-12-18 11:32:34 -06:00
Mekanismen
2de15bdc8b
added module for Zimbra Collaboration Server CVE-2013-7091
2013-12-17 19:32:04 +01:00
sinn3r
ad2ec497c2
Land #2773 - Fix ms_ndproxy to work under a sandboxed Reader
2013-12-16 20:32:27 -06:00
jvazquez-r7
52cb43e6a8
Fix typo
2013-12-16 20:28:49 -06:00
jvazquez-r7
84759a552a
Save one variable
2013-12-16 16:49:44 -06:00
jvazquez-r7
042bd4f80b
Fix ms_ndproxy to work under a sandboxed Reader
2013-12-16 16:19:17 -06:00
Tod Beardsley
f88a3a55b6
More slight updates.
2013-12-16 15:05:39 -06:00
sinn3r
afcee93309
Land #2771 - Fix description
2013-12-16 15:01:32 -06:00
sinn3r
04b7e8b174
Fix module title and add vendor patch information
2013-12-16 14:59:00 -06:00
Tod Beardsley
040619c373
Minor description changes
...
No code changes (one comment made on play_youtube to suggest xdg-open
rather than firefox for linux targets).
2013-12-16 14:57:33 -06:00
jvazquez-r7
533accaa87
Add module for CVE-2013-3346
2013-12-16 14:13:47 -06:00
Meatballs
3dec7f61a5
Check in sysnative if wow64
2013-12-15 01:12:52 +00:00
Meatballs
2dc4faad72
Resplat license
2013-12-15 01:12:51 +00:00
Meatballs
8203274256
Small fixes
...
Remove " from service command if it is quoted.
Spawn SYSWOW64 notepad.
2013-12-15 01:12:51 +00:00
OJ
f2e2147065
Change unless with else to if with else
2013-12-15 01:12:50 +00:00
OJ
cff7008500
Fix final issues with merge
...
Hopefully this will be the last of the changes.
2013-12-15 01:12:50 +00:00
OJ
41c538856a
Re-add RDI mixin changes
2013-12-15 01:12:49 +00:00
OJ
db29af0f97
First batch of submodule refactorings
2013-12-15 01:12:48 +00:00
Meatballs
6916f7c5d2
Fixup description
2013-12-15 01:12:47 +00:00
Meatballs
3d1646d18e
Exit process when complete
2013-12-15 01:12:47 +00:00
Meatballs
dd32c2b0b8
Spawn 32bit process
2013-12-15 01:12:46 +00:00
Meatballs
819ba30a33
msftidy
...
Conflicts:
lib/msf/core/post/windows/services.rb
2013-12-15 01:12:46 +00:00
Meatballs
5eca4714c2
Renamed module
2013-12-15 01:12:46 +00:00
Meatballs
a930056d7f
Added service status checks to Post::Windows::Services
...
Added QueryServiceStatus to Railgun Advapi32 Definitions
Added Checks to module
Conflicts:
lib/msf/core/post/windows/services.rb
lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_advapi32.rb
2013-12-15 01:12:45 +00:00
Meatballs
c6623b380a
Initial commit
2013-12-15 01:12:45 +00:00
jvazquez-r7
e8396dc37a
Delete redefinition of ntdll functions on railgun
2013-12-13 16:02:47 -06:00
sinn3r
ba1a70b72e
Update Microsoft patch information
2013-12-13 15:59:15 -06:00
jvazquez-r7
1ab3e891c9
Modify ms_ndproxy to use railgun additions
2013-12-13 15:54:34 -06:00
jvazquez-r7
5c1ca97e21
Create a new process to host the final payload
2013-12-12 08:26:44 -06:00
jvazquez-r7
eb4e3f8a32
Fix os detection
2013-12-12 07:39:19 -06:00
jvazquez-r7
8b518776bc
Dont fail_with on check
2013-12-11 22:08:36 -06:00
jvazquez-r7
02915c751c
Favor unless over if not and add reference
2013-12-11 16:28:09 -06:00
jvazquez-r7
b6fa3f28b1
Modify description
2013-12-11 08:56:31 -06:00
jvazquez-r7
c4721de4a0
Add module for CVE-2013-5065
2013-12-11 08:52:35 -06:00
sinn3r
930a907531
Land #2748 - HP LoadRunner EmulationAdmin Web Service Directory Traversal
2013-12-10 16:29:12 -06:00
sinn3r
3a9ac303f0
Use rexml for XML data generation
2013-12-10 15:37:44 -06:00
William Vu
ff9cb481fb
Land #2464 , fixes for llmnr_response and friends
...
Fixed conflict in lib/msf/core/exploit/http/server.rb.
2013-12-10 13:41:45 -06:00
jvazquez-r7
3d5501326b
Land #2743 , @Mekanismen's exploit for CVE-2013-0632
2013-12-10 10:00:30 -06:00
jvazquez-r7
30960e973f
Do minor cleanup on coldfusion_rds
2013-12-10 09:59:36 -06:00
jvazquez-r7
230fcd87a5
Add module for zdi-13-259
2013-12-10 08:45:08 -06:00
Mekanismen
9a6e504bfe
fixed path error and description
2013-12-10 09:05:34 +01:00
Mekanismen
313a98b084
moved coldfusion_rds to multi directory and fixed a bug
2013-12-10 08:45:27 +01:00
Mekanismen
0845e3ce37
updated
2013-12-10 00:45:34 +01:00
Mekanismen
bca2212f7e
updated
2013-12-09 23:28:17 +01:00
Mekanismen
60d32be7d9
updated
2013-12-09 23:10:13 +01:00
Tod Beardsley
e737b136cc
Minor grammar/caps fixup for release
2013-12-09 14:01:27 -06:00
Mekanismen
14d12a2ce3
updated
2013-12-09 20:22:26 +01:00
Ramon de C Valle
21661b168b
Add cfme_manageiq_evm_upload_exec.rb
...
This module exploits a path traversal vulnerability in the "linuxpkgs"
action of "agent" controller of the Red Hat CloudForms Management Engine
5.1 (ManageIQ Enterprise Virtualization Manager 5.0 and earlier).
2013-12-09 16:18:12 -02:00
Mekanismen
67415808da
added exploit module for CVE-2013-0632
2013-12-09 15:18:34 +01:00
sinn3r
2f6a77861a
Land #2731 - vBulletin nodeid SQL injection (exploit)
2013-12-09 02:22:07 -06:00
jvazquez-r7
f77784cd0d
Land #2723 , @denandz's module for OSVDB-100423
2013-12-06 17:32:07 -06:00
jvazquez-r7
3729c53690
Move uptime_file_upload to the correct location
2013-12-06 15:57:52 -06:00
jvazquez-r7
2ff9c31747
Do minor clean up on uptime_file_upload
2013-12-06 15:57:22 -06:00
jvazquez-r7
d47292ba10
Add module for CVE-2013-3522
2013-12-06 13:50:12 -06:00
Meatballs
6f02744d46
Land #2730 Typo in mswin_tiff_overflow
2013-12-06 12:32:37 +00:00
Meatballs
3aebe968bb
Land #2721 Reflective DLL Mixin
...
Adds support to load a dll and identify the ReflectiveLoader offset.
Adds support to inject dll into process and execute it.
Updates kitrap0d, ppr_flatten_rec, reflective_dll_inject modules and
payload modules to use above features.
2013-12-06 12:26:51 +00:00
sinn3r
89ef1d4720
Fix a typo in mswin_tiff_overflow
2013-12-06 00:44:12 -06:00
DoI
3d327363af
uptime_file_upload code tidy-ups
2013-12-06 13:45:22 +13:00
jvazquez-r7
e4c6413643
Land #2718 , @wchen-r7's deletion of @peer on HttpClient modules
2013-12-05 17:25:59 -06:00
OJ
2cb991cace
Shuffle RDI stuff into more appropriate structure
...
Now broken into two modules, one for loading RDI DLLs off disk and
finding the loader function offset, and another for doing the process
specific stuff of loading into the target.
2013-12-06 08:25:24 +10:00