Commit Graph

4644 Commits (b05b2657bc2072fe40a69e5dff6f0c4f6db702cd)

Author SHA1 Message Date
Trevor Rosen 651871bd7a Resolve upstream conflict 2014-06-11 13:34:45 -05:00
David Maloney 9593422f9c
Merge branch 'master' into staging/electro-release 2014-06-11 10:23:56 -05:00
William Vu 6ca5cf6c26
Add Chromecast YouTube remote control 2014-06-11 00:08:08 -05:00
James Lee fb8c1f4c4b
Refactor ssh_login to use LoginScanner stuffs
Also, Metasploit::Credential::Creation stuffs.
2014-06-10 17:30:06 -05:00
David Maloney c06fd21fb1
refactor tomcat_mgr_login
uses the new Metasploit::Credential magic now
2014-06-10 15:59:00 -05:00
David Maloney 693c4aae66
make sure we capture realms
need to account for the possability of
realms in mssql_login
2014-06-10 14:41:45 -05:00
Luke Imhoff b05e7fb9ac
Fix require
MSP-10004

Change 'zip/zip' to 'zip' to match >= 1.0.0 rubyzip API.
2014-06-10 13:58:07 -05:00
David Maloney 74d376e387
refactor db2_auth module
you know what it is
2014-06-10 13:43:07 -05:00
Luke Imhoff 4d923a4809
Update to Rubyzip 1.X API
MSP-10004

`require 'zip'` instead of `'zip/zip'` and rename all classes to remove
redundant Zip prefix inside the Zip namespace.
2014-06-10 13:41:42 -05:00
Tod Beardsley 44540e6d00
Land #3437, CSS Injection MITM scanner 2014-06-10 13:36:35 -05:00
jvazquez-r7 4aa1fee398 Land #3326, @FireFart's Heartbleed - server response parsing 2014-06-10 13:27:28 -05:00
David Maloney 0c89d6cdce
refactor mssql_login
now uses all the Metasploit::Credential goodness
2014-06-10 11:49:08 -05:00
David Maloney 15ceb1e826
put calls in right place it helps 2014-06-10 11:17:19 -05:00
David Maloney 63ec83ea90
missing public
missing the public in the invalidate_login call
now fixed
2014-06-10 11:12:17 -05:00
David Maloney 6362eac0b0
add invalidate_login call 2014-06-10 11:11:22 -05:00
David Maloney e9d9806408
invalidate_login
added invalidate_login call
also made to_s on credential drop the @
if there is no realm present
2014-06-10 11:07:15 -05:00
David Maloney dc590008a7
add invalidate_login call
add the new invalidate login call to make sure
we update the status on failed logins appropriately
2014-06-10 10:58:27 -05:00
Tod Beardsley 521284253f
Be more clear about the vuln and impact 2014-06-10 10:29:23 -05:00
jvazquez-r7 9b55f5143a Add module for CVE-2014-0224 2014-06-09 17:38:11 -05:00
James Lee e629fdb47d
Report the realm, too
derp
2014-06-09 17:06:56 -05:00
David Maloney 32f87b985c
refactor mysql_login
refactor mysql_login to use the new
Metasploit::Credential apradigm
2014-06-09 14:20:58 -05:00
David Maloney 61fd962331
refactor vnc_login
refactor for new credential usage
2014-06-09 13:55:24 -05:00
Tod Beardsley 4103f2295b
Missing comma 2014-06-09 13:44:46 -05:00
Tod Beardsley 0e14d77dba
Minor fixup on DTLS module 2014-06-09 13:42:30 -05:00
jvazquez-r7 0e611b5d64
Land #3429, @jhart-r7's auxiliary module for CVE-2014-0195 2014-06-09 13:34:38 -05:00
jvazquez-r7 ed5d83a41b Add vulnerability discoverer 2014-06-09 13:25:33 -05:00
jvazquez-r7 daf662b3c0 Do minor cleanup 2014-06-09 13:23:56 -05:00
David Maloney a4e96d8f59
Merge branch 'master' into staging/electro-release 2014-06-09 13:07:22 -05:00
David Maloney f8f5691eee
refactor postgres_login module
postgres_login now uses all the new components
such as Metasploit::Credential and the LoginScanner
class
2014-06-09 12:59:05 -05:00
jvazquez-r7 1f33566033
Land #3432, @Meatballs1 sap_soap_rfc_brute_login's clean up 2014-06-09 11:39:52 -05:00
jvazquez-r7 b39b41e29f
Land #3371, @Meatballs1 fix for sap_mgmt_con_getprocessparameter 2014-06-09 11:25:01 -05:00
Jon Hart 06e45e8253 Clean up TLS fragment building 2014-06-09 08:39:30 -07:00
David Maloney 482aa2ea08
Merge branch 'master' into staging/electro-release 2014-06-09 10:27:22 -05:00
Christian Mehlmauer 099003708c
Land #3422, SAP Bruterforcer datastore cleanup 2014-06-08 08:42:27 +02:00
Brandon Perry 4367e8ef0c Update mongodb_js_inject_collection_enum.rb
Fix some logic bugs that caused incorrect results.
2014-06-07 21:03:28 -05:00
Brandon Perry dc89621d5c Update mongodb_js_inject_collection_enum.rb
No need to make extra requests. Off by one.
2014-06-07 20:09:00 -05:00
Brandon Perry 2663af986b Update mongodb_js_inject_collection_enum.rb
This adds a bit more error handling, and better decision making in regards to false responses.
2014-06-07 19:58:12 -05:00
Jon Hart a7a1a2bf3b Move dtls_fragment_overflow.rb under ssl where it belongs 2014-06-07 12:56:34 -07:00
Brandon Perry 4071fb332b Create mongodb_js_inject_collection_enum.rb
This module was tested against a small php application I wrote interfacing with MongoDB 2.2.7

https://gist.github.com/brandonprry/c2de8ac2be825007c4de
2014-06-07 11:20:34 -05:00
Jon Hart 8637a1fff1 OpenSSL DTLS CVE-2014-0195 POC 2014-06-06 19:24:47 -07:00
Meatballs fe20e6e1c4
Merge remote-tracking branch 'upstream/master' into soap_brute_fix
Conflicts:
	modules/auxiliary/scanner/sap/sap_soap_rfc_brute_login.rb
2014-06-07 02:44:16 +01:00
Meatballs 8624ddfc3e
Clean up SAP SOAP RFC Brute Login
Honour the user supplied settings
Abort a host on connection error
Check a 200 response for some appropriate data
Let datastore validation handle things like options being present
Be more verbose if needed
Use the HTTPClient more appropriately
2014-06-07 02:34:49 +01:00
Meatballs b997c2ac1f
Further tidies 2014-06-07 02:00:35 +01:00
dmaloney-r7 ff8e6d2c50 Merge pull request #45 from rapid7/feature/MSP-9988/credential-collection
Add a CredCollection class and refactor WinRM bruteforce module
2014-06-06 11:53:28 -05:00
James Lee 2ee408e9db
Refactor winrm_login with Credentials 2014-06-05 14:26:29 -05:00
James Lee 8b6e188ba8
Add support for realm in CredentialCollection
MSP-9988
2014-06-04 17:03:52 -05:00
David Maloney 4960503a59
fix jtr_format
use raw-md5 as that sort of works
2014-06-04 14:10:28 -05:00
David Maloney 30c35907bf
refactor psotgres_hashdump
refactor psotgres_hashdump to now save
hashes as Metasploit::Credential objects
2014-06-04 12:21:49 -05:00
David Maloney d1f7f93e4b
refactor mysql_hashdump
mysql_hashdump now uses Metasploit::Credential to
save hashes.
2014-06-04 11:59:47 -05:00
David Maloney 201e6e9866
Merge branch 'feature/MSP-9750/MSSQL_hashdump' into feature/MSP-9751/mysql_hashdump 2014-06-04 11:58:58 -05:00
David Maloney 28bf29980e
Merge branch 'master' into staging/electro-release 2014-06-04 10:21:08 -05:00
David Maloney d3949b3d6c
refactor mssql_hashdump
refactor mssql_hashdump to use Metasploit:Credential
2014-06-03 15:02:59 -05:00
Meatballs 0e3549ebc4
mc brute tidy 2014-06-03 17:27:46 +01:00
Tod Beardsley b7dc89f569
I prefer "bruteforce" to "brute force" for search
Just makes it easier to search for, since it's an industry term of art.
2014-06-02 13:09:46 -05:00
David Maloney 34004908bb
Merge branch 'master' into staging/electro-release
Conflicts:
	.ruby-version
2014-06-02 11:10:33 -05:00
William Vu 8bd4e8d30a
Land #3406, indeces_enum -> indices_enum 2014-06-02 11:06:33 -05:00
RageLtMan 74400549a1 Resolve undefined method `get_cookies'
Anemone::Page is not a Rex HTTP request/response, and uses the
:cookies method to return an array of cookies.
This resolves the method naming error, though it does break with
Rex naming convention since Anemone still uses a lot non-Rex
methods for working with pages/traffic.
2014-05-30 14:39:51 -04:00
jvazquez-r7 4a1fea7abb
Land #2948, @juushya's PocketPAD login bruteforce module 2014-05-30 11:47:16 -05:00
jvazquez-r7 b0bdfa7680 Clean up code 2014-05-30 11:44:42 -05:00
jvazquez-r7 fb59221189
Land #2494, @juushya's etherpadduo login module 2014-05-30 11:35:28 -05:00
jvazquez-r7 d92a7adc68 change module filename 2014-05-30 11:31:49 -05:00
jvazquez-r7 40a103967e Minor code cleanup 2014-05-30 11:28:37 -05:00
jvazquez-r7 6f330ea190 Add deprecation information 2014-05-29 17:38:01 -05:00
jvazquez-r7 aea0379451 Fix typos 2014-05-29 12:37:51 -05:00
David Maloney 696d2b7e6b
Merge branch 'master' into staging/electro-release 2014-05-29 12:30:32 -05:00
dmaloney-r7 e669324366 Merge pull request #25 from rapid7/feature/MSP-9673/axis2-login-scanner
Add axis2 login scanner
2014-05-29 11:22:22 -05:00
William Vu 53ab2aefaa
Land #3386, a few datastore msftidy error fixes 2014-05-29 10:44:37 -05:00
William Vu 8a2236ecbb
Fix the last of the Set-Cookie msftidy warnings 2014-05-29 04:42:49 -05:00
William Vu 3f86aebabf
Land #3398, CAPWAP DoS description cleanup 2014-05-28 14:55:22 -05:00
William Vu 785b53820e
Land #3399, print_error instead of print_status 2014-05-28 14:53:00 -05:00
James Lee 05e24326a6
Style compliance 2014-05-28 14:31:34 -05:00
joev c89cd24621 Rewire some snmp modules to use print_error instead of print_status. 2014-05-28 13:31:00 -05:00
Tod Beardsley 4b5c62ba8d
Dress up CAPWAP DoS desc a little. 2014-05-28 12:19:17 -05:00
jvazquez-r7 55ef5dd484
Land #3115, @silascutler's module for elasticsearch indeces enumeration 2014-05-27 11:28:34 -05:00
jvazquez-r7 2271afc1a5 Change module filename 2014-05-27 11:25:39 -05:00
jvazquez-r7 3de8beb5fd Clean code 2014-05-27 11:22:40 -05:00
jvazquez-r7 69e8286838 Fix title 2014-05-27 10:29:32 -05:00
jvazquez-r7 1316365c2f Fix description 2014-05-27 10:22:39 -05:00
jvazquez-r7 abe1d6ffc7
Land #3190, @Karmanovskii's module to fingerprint MyBB database 2014-05-27 10:20:24 -05:00
jvazquez-r7 86221de10e Fix message 2014-05-27 10:18:27 -05:00
jvazquez-r7 b96c2dd0ca Change module filename 2014-05-27 10:15:39 -05:00
jvazquez-r7 1d8c46155b Do last code cleaning 2014-05-27 10:14:55 -05:00
William Vu 352e14c21a
Land #3391, all vars_get msftidy warning fixes 2014-05-26 23:41:46 -05:00
Karmanovskii eacf70af83 Update mybb_get_type_db.rb
26.05.2014  23:26
I deleted mimicking IE11
2014-05-26 23:26:28 +04:00
jvazquez-r7 217a14e4d7
Land #3366, @jholgui's module for CVE-2013-4074 2014-05-25 18:53:30 -05:00
jvazquez-r7 33ba134147 Clean msftidy warnings and metadata 2014-05-25 18:52:01 -05:00
jvazquez-r7 d3c17d8e3e Delete wireshark_capwap_dos 2014-05-25 18:39:53 -05:00
Christian Mehlmauer da0a9f66ea
Resolved all msftidy vars_get warnings 2014-05-25 19:29:39 +02:00
JoseMi 9f166b87f6 Changed the description 2014-05-24 18:58:36 +01:00
JoseMi 71e2d19040 Adapted to auxiliary modules structure 2014-05-24 18:53:10 +01:00
Tod Beardsley 1aee0f3305
Warn if it's not UPPERCASE method (@wchen-r7)
See the discussion on f7bfab5a26, PR #3386
2014-05-23 17:10:27 -05:00
Tod Beardsley 9f78bec457
Use normalize_uri (@wchen-r7)
Instead of editing the datastore['PATH'], use normalize_uri.

Since the purpose of this module is quite fuzz-like, I didn't want to
apply the normalize_uri to the whole uri -- the original code merely
applied to datastore['PATH'] (which seems like it should be
datastore['URI'] really) and then added on a bunch of other stuff to
test for traversals.
2014-05-23 15:43:50 -05:00
Tod Beardsley f7bfab5a26
HTTP traversal shouldnt upcase METHOD (@wchen-r7)
If the user wants to use downcased or mixed case HTTP methods, heck,
more power to them. If it doesn't work, it doesn't work. No other HTTP
module makes this call.
2014-05-23 15:32:04 -05:00
Tod Beardsley 7f59cf5035
Ora XID HTTP needn't edit DBUSER (@cellabosm)
Looks like copypasta artifacts. DBUSER and DBPASS aren't ever set as
options in the module, and the module doesn't include MC's
Exploit::ORACLE mixin. It's also from four years ago and doesn't
report_auth or anything useful like that, but that's out of scope for
this branch.
2014-05-23 15:20:46 -05:00
Tod Beardsley f189033e8a
OWA bruteforce shouldnt edit datastore (@wchen-r7)
This module was written in an era where the defaults for bruteforcing
included a lot of lock-inducing behavior, thus, it was quite serious
about setting datastore options directly. Also, there was apparently a
bug in USER_AS_PASS that this module attempted to avoid by setting the
datastore directly, rather than fixing the bug directly. As far as I
know, this bug has been long since resolved.
2014-05-23 15:08:19 -05:00
Tod Beardsley fa353e6bd9
Add CVE, IBM ref for SameTime modules 2014-05-22 11:34:04 -05:00
jvazquez-r7 8a9c005f13 Add URL 2014-05-20 17:43:07 -05:00
Karmanovskii e26dee5e22 Update mybb_get_type_db.rb
19/05/2014
I deleted      -     #return Exploit::CheckCode::Unknown  # necessary ????
2014-05-19 21:32:30 +04:00
William Vu a30d6b1f2d
Quick cleanup for sap_icm_urlscan 2014-05-19 09:21:26 -05:00
William Vu dc0e649a10
Clean up case statement 2014-05-19 09:21:07 -05:00
William Vu bc64e47698
Land #3370, cleanup for sap_icm_urlscan 2014-05-19 09:16:18 -05:00
Tod Beardsley 0ef2e07012
Minor desc and status updates, cosmetic 2014-05-19 08:59:54 -05:00
Meatballs 6b1e4c3a9d
Show loot and error code 2014-05-19 11:17:58 +01:00
Meatballs 848227e18a
401 should be a valid url 2014-05-19 10:59:38 +01:00
Meatballs 5d96f54410
Be verbose about 307 2014-05-19 10:52:06 +01:00
Meatballs 88b7dc3def
re-add content length 2014-05-19 10:46:47 +01:00
Meatballs e59f104195
Use unless 2014-05-19 10:41:01 +01:00
William Vu a97d9ed54f
Land #3148, check_urlprefixes for sap_icm_urlscan 2014-05-17 16:10:52 -05:00
sappirate dd1a47f31f Modified sap_icm_urlscan to check for authentication of custom URLs
Fixed ruby coding style
2014-05-17 22:47:49 +02:00
Karmanovskii 06912ac2b6 Update mybb_get_type_db.rb
1.Changed "Rex::Proto::Http::Client" to "Msf::Exploit::Remote::HttpClient"
2.changed the name of the variable "_Version_server".
2014-05-17 16:30:29 +04:00
JoseMi 21cf0a162c Added module to crash capwap dissector in wireshark tool 2014-05-17 11:31:43 +01:00
Christian Mehlmauer 488c3e6b93
Land #3358, @jvazquez-r7 Advantech WebAccess 7.1 SQLI module 2014-05-16 21:26:41 +02:00
jvazquez-r7 2012d41b3d Add origin of the user, and mark web users 2014-05-16 13:51:42 -05:00
jvazquez-r7 4143474da9 Add support for web databases 2014-05-16 11:47:01 -05:00
jvazquez-r7 883d2f14b5 delete debug print_status 2014-05-16 11:13:03 -05:00
jvazquez-r7 ea38a2c6e5 Handle ISO-8859-1 special chars 2014-05-16 11:11:58 -05:00
jvazquez-r7 c9465a8922 Rescue when the recovered info is in a format we can't understand 2014-05-16 08:57:59 -05:00
Tod Beardsley 3c1363b990
Add new SNMP enumeration modules 2014-05-16 08:32:46 -05:00
jvazquez-r7 7ec85c9d3a Delete blank lines 2014-05-16 01:03:04 -05:00
jvazquez-r7 9091ce443a Add suport to decode passwords 2014-05-16 00:59:27 -05:00
William Vu f9982752f3
Land #3362, ax rank for aux/dos mods 2014-05-14 15:20:07 -05:00
Tod Beardsley dc57e31be1
Aux modules don't respect Rank anyway 2014-05-14 15:03:10 -05:00
jvazquez-r7 5b3bb8fb3b Fix @FireFart's review 2014-05-14 09:00:52 -05:00
Karmanovskii cbb84e854c Update mybb_get_type_db.rb
14.05.2014
Eliminated notes jvazquez-r7
2014-05-14 14:56:40 +04:00
William Vu de49241195
Land #3185, regex option validation 2014-05-14 01:27:18 -05:00
Christian Mehlmauer df4b832019
Resolved some more Set-Cookie warnings 2014-05-13 22:56:12 +02:00
jvazquez-r7 a7075c7e08 Add module for ZDI-14-077 2014-05-13 14:17:59 -05:00
Christian Mehlmauer 3f3283ba06
Resolved some msftidy warnings (Set-Cookie) 2014-05-12 21:23:30 +02:00
William Vu 92a9519fd9
Remove EOL spaces 2014-05-09 18:34:12 -05:00
jvazquez-r7 8c55858eae
Land #3309, @arnaudsoullie's changes for modblusclient 2014-05-08 10:45:19 -05:00
jvazquez-r7 25f13eac37 Clean a little response parsing 2014-05-08 10:44:53 -05:00
Arnaud SOULLIE 1f3466a3a3 Added Modbus error handling.
It now checks for error and displays the appropriate error message.
The only error simulated was "ILLEGAL ADDRESS", don't know how
to test for others.
2014-05-05 23:21:54 +02:00
William Vu e8bc89af30
Land #3337, release fixes 2014-05-05 14:03:48 -05:00
jvazquez-r7 b81f94a229
Land #3336, @todb-r7's CVEs addition 2014-05-05 13:43:04 -05:00
Tod Beardsley c6affcd6d3
Fix caps, description on F5 module
The product name isn't "Load Balancer" as far as I can tell.
2014-05-05 13:38:53 -05:00
William Vu 353a50cdd0
Land #3316, Content-Length fix for http_ntlmrelay 2014-05-05 13:38:36 -05:00
Tod Beardsley 3072c2f08a
Update CVEs for RootedCon Yokogawa modules
Noticed they were nicely documented at

http://chemical-facility-security-news.blogspot.com/2014/03/ics-cert-publishes-yokogawa-advisory.html

We apparently never updated with CVE numbers.
2014-05-05 13:25:55 -05:00
William Vu a8915f0ed8
Land #3310, OpenSSH timing attack improvements 2014-05-04 19:47:51 -05:00
Tom Sellers a47b883083 Remove redundant simple.connect
Remove redundant simple.connect. Thanks @jlee-r7
2014-05-02 12:46:50 -05:00
Tom Sellers b2eeaef475 Add admin check to smb_login
The attached updates changes smb_login to detect if the newly discovered user is an administrator.  It is based on code from Brandon McCann "zeknox" submitted in PR #1373, the associated changes, and the newer PR #2656.
The changes should correct a few issues with PR #1373 and #2656 and address Redmine bug #8773.

Specifically it:

 - Fixes the admin detection code by using simple.disconnect(<share>) instead of disconnect()
 - Adds support for detecting if the remote host will allow connects using any domain name when one of the new status codes is returned
 - Dealt with the issue in PR #2656 where the username was prefixed with a '\'


Verification

Be connected to a database
Run this against a machine with a known user and admin user
See that the admin user is reported correctly
See that the non-admin user is reported correctly
Check the output of creds
Select a target that requires a domain in order to authenticate
In the stored credentials, with CHECK_ADMIN enabled, see that the domain name is, in fact, preserved in the reporting

To validate that the remote domain ignores domain value use the following command from a windows system:

net use \\<hostip>\admin$ /user:<random_value>\<username>   <password>
2014-05-02 06:16:21 -05:00
Christian Mehlmauer f7d8a5e3a3 rework the openssl_heartbleed module 2014-05-01 21:43:58 +02:00
jvazquez-r7 d3045814a2 Add print_status messages 2014-05-01 11:05:55 -05:00
jvazquez-r7 cc2e680724 Refactor 2014-05-01 11:04:29 -05:00
jvazquez-r7 28e9057113 Refactor make_payload 2014-05-01 10:23:33 -05:00
jvazquez-r7 bd124c85cb Use metadata format for actions 2014-05-01 09:52:55 -05:00
William Vu 7777202045
Deconflict #3310 and correct the description 2014-04-30 12:02:57 -05:00
jvazquez-r7 9cd6c5ef2b
Land #3297, @Th4nat0s's F6 backends disclosure module 2014-04-30 09:31:37 -05:00
jvazquez-r7 4e80e1c239 Clean up pull request code 2014-04-30 09:31:07 -05:00
Tod Beardsley a5983b5f57
Light touchup on FP checker 2014-04-29 16:14:41 +01:00
Tod Beardsley 88efeea378
Add a false positive check 2014-04-29 16:07:42 +01:00