Commit Graph

15387 Commits (b0ac68fbc3c4b5d584c7a77b7582905dac2696b8)

Author SHA1 Message Date
Jon Hart ce73e32673 Doc and named captures 2014-11-17 09:01:14 -08:00
Jon Hart bf05fe1389 Refactoring, simplification, better print_* 2014-11-17 09:01:14 -08:00
Jon Hart 6e1cdfde36 Rip out create_credential* stuff. Use what works 2014-11-17 09:01:14 -08:00
Jon Hart e5bb13a609 If remmina config files are missing data for creds, tell me what 2014-11-17 09:01:14 -08:00
Jon Hart 875d1f9ea0 Convert Remmina credential gatherer to use new credentials model 2014-11-17 09:01:14 -08:00
Jon Hart 086f0c02d6 Remove excessive logging 2014-11-17 09:01:14 -08:00
Jon Hart 90e58e9e71 Binary encoding 2014-11-17 09:01:14 -08:00
Jon Hart e76373340e Correct some Rubocop things that I agree with 2014-11-17 09:01:14 -08:00
Jon Hart f729a6cf02 Add Remmina RDP/SSH/VNC password gathering 2014-11-17 09:01:13 -08:00
Joe Vennix cd61975966
Change puts to vprint_debug. 2014-11-17 10:13:13 -06:00
floyd 9243cfdbb7 Minor fixes to ruby style things 2014-11-17 17:12:17 +01:00
Joe Vennix fc1635e80a
Fix BAP JS ref error. 2014-11-17 10:06:15 -06:00
Joe Vennix 2a24151fa8
Remove BAP target, payload is flaky. Add warning. 2014-11-17 02:02:37 -06:00
HD Moore 9fe4994492 Chris McNab has been working with MITRE to add these CVEs
These CVEs are not live yet, but have been confirmed by cve-assign
t
2014-11-16 18:42:53 -06:00
Spencer McIntyre 0bf93acf6b Pymeterp http proxy and user agent support 2014-11-16 14:29:20 -05:00
Joe Vennix 5de69ab6a6
minor syntax fixes. 2014-11-15 21:39:37 -06:00
Joe Vennix 3fb6ee4f7d
Remove dead constant. 2014-11-15 21:38:11 -06:00
Joe Vennix 7a62b71839
Some URL fixes from @jduck and exploit ideas from Andre Moulu.
The exploit works with the URLs fixed, installs the APK, but hangs at the Installing...
screen and never actually launches. We tried opening the APK in a setTimeout() intent
URI, but the previously launched intent seemed unresponsive. Andre had the bright
idea of re-opening the previously launched intent with invalid args, crashing it and
allow us to launch the payload.
2014-11-15 21:33:16 -06:00
William Vu a521d469ed
Land #4194, Quake protocol support 2014-11-15 17:44:19 -06:00
Christian Mehlmauer 28135bcb09
Land #4159, MantisBT PHP code execution by @itseco 2014-11-15 07:49:54 +01:00
Rich Lundeen 27d5ed624f fix for IE9 exploit config 2014-11-14 17:21:59 -08:00
Rich Lundeen 17ab0cf96e ADD winxpIE8 exploit for MS13-080 2014-11-14 17:16:51 -08:00
Spencer McIntyre 7c14e818f6 Patch pymeterp http settings 2014-11-14 17:12:23 -05:00
sinn3r e194d5490d See #4162 - Don't delay before deleting a file via SMB
So I was looking at issue #4162, and on my box I was seeing this
problem of the exploit failing to delete the payload in C:\Windows,
and the error was "Rex::Proto::SMB::Exceptions::NoReply The SMB
server did not reply to our request". I ended up removing the sleep(),
and that got it to function properly again. The box was a Win 7 SP1.

I also tested other Windows boxes such as Win XP SP3, Windows Server
2008 SP2 and not having the sleep() doesn't seem to break anything.
So I don't even know why someone had to add the sleep() in the first
place.
2014-11-14 15:45:37 -06:00
Spencer McIntyre 681ae8ce6b Pymet reverse_http stager basic implementation 2014-11-14 14:15:46 -05:00
Jon Hart 57aef9a6f5
Land #4177, @hmoore-r7's fix for #4169 2014-11-13 18:29:57 -08:00
Christian Mehlmauer 3faa48d810 small bugfix 2014-11-13 22:51:41 +01:00
Christian Mehlmauer 7d6b6cba43 some changes 2014-11-13 22:46:53 +01:00
Tod Beardsley e2dc862121
Fix newly introduced typo. 2014-11-13 14:53:57 -06:00
Tod Beardsley dd1920edd6
Minor typos and grammar fixes 2014-11-13 14:48:23 -06:00
Juan Escobar 17032b1eed Fix issue reported by FireFart 2014-11-13 04:48:45 -05:00
jvazquez-r7 31f3aa1f6d Refactor create packager methods 2014-11-13 01:16:15 -06:00
jvazquez-r7 38a96e3cfc Update target info 2014-11-13 00:56:42 -06:00
jvazquez-r7 e25b6145f9 Add module for MS14-064 bypassing UAC through python for windows 2014-11-13 00:56:10 -06:00
jvazquez-r7 f081ede2aa Land #4155, @pedrib's module for CVE-2014-8499
* Password Manager Pro privesc + password disclosure
2014-11-12 23:56:26 -06:00
Joe Vennix ea6d8860a1
Not root, just arbitrary permissions. 2014-11-12 21:51:55 -06:00
Jon Hart ebf6fe4e56
Minor style cleanup 2014-11-12 16:44:43 -08:00
sinn3r a5009170e7
Land #4185 - Add CVE-2014-6352 (ms14-060 aka sandworm) 2014-11-12 17:11:43 -06:00
Jon Hart 07a1653e57
Add gather module for Quake servers 2014-11-12 13:32:56 -08:00
Pedro Ribeiro 9df31e950f Add OSVDB id 2014-11-12 21:32:33 +00:00
Tod Beardsley 54158c8662
Land #4005, TNS poison checker 2014-11-12 13:29:59 -06:00
Tod Beardsley d242bc220b
Minor fixups and disclosure date for TNS module 2014-11-12 13:25:10 -06:00
Tod Beardsley 955a5142ca Edit e-mail address for antispam 2014-11-12 13:19:04 -06:00
Joe Vennix 1895311911
Change URL to single line. 2014-11-12 10:56:51 -06:00
Joe Vennix 8689b0adef
Add module for samsung knox root exploit. 2014-11-12 09:53:20 -06:00
jvazquez-r7 70589668c2 Really land the #4130 module 2014-11-12 09:39:01 -06:00
jvazquez-r7 ece8013d7a Use #empty? 2014-11-12 09:35:06 -06:00
jvazquez-r7 f048463ed6 Do minor fixups
* Delete peer method
* Make verifications more strict
2014-11-12 09:33:49 -06:00
jvazquez-r7 a5c87db65e Do minor cleanup
* Beautify description
* Use double quotes for interpolation
2014-11-12 09:29:53 -06:00
jvazquez-r7 e1164d3e14 Use snake_case on filename 2014-11-12 09:26:47 -06:00
jvazquez-r7 c35dc2e6b3 Add module for CVE-2014-6352 2014-11-12 01:10:49 -06:00
Tod Beardsley 7e05f88399
Reapply PR #4113 (removed via #4175) 2014-11-11 15:06:43 -06:00
HD Moore 6b4eb9a8e2 Differentiate failed binds from connects, closes #4169
This change adds two new Rex exceptions and changes the local comm to raise the right one depending on the circumstances. The problem with the existing model is that failed binds and failed connections both raised the same exception. This change is backwards compatible with modules that rescue Rex::AddressInUse in addition to Rex::ConnectionError. There were two corner cases that rescued Rex::AddressInUse specifically:

1. The 'r'-services mixin and modules caught the old exception when handling bind errors. These have been updated to use BindFailed
2. The meterpreter client had a catch for the old exception when the socket reports a bad destination (usually a network connection dropped). This has been updated to use InvalidDestination as that was the intention prior to this change.

Since AddressInUse was part of ConnectionError, modules and mixins which caught both in the same rescue have been updated to just catch ConnectionError.
2014-11-11 14:59:41 -06:00
Tod Beardsley 017a44c0ae
Revert errored merge of deea30d
Revert "Merge branch 'master' of https://github.com/farias-r7/metasploit-framework into upstream-master"

This reverts commit deea30ddb4, reversing
changes made to 14514d7b8b.
2014-11-11 14:38:47 -06:00
Jon Hart 9238d80a24 Use correct source port for NBNS spoofer
137 is only correct for systems that use this as their source port.
Systems running Samba, for example, don't use this. So use the port
taken from the original request, not 137 or 1337
2014-11-11 10:33:27 -08:00
HD Moore 96ba6da697
Add the UDP scanner template, lands #4113.
There is some additional work to do regarding CHOST/CPORT, but this is not tied to the udp template changes.
2014-11-11 11:59:30 -06:00
jvazquez-r7 01fda27264 Fix title 2014-11-11 11:15:53 -06:00
jvazquez-r7 a588bfd31a Use single quotes 2014-11-11 09:56:46 -06:00
jvazquez-r7 77c8dc2b64 Don't return nil from 'run' 2014-11-11 09:39:08 -06:00
jvazquez-r7 fb309aae11 Use a Fixnum as FuzzInt default value 2014-11-11 09:36:53 -06:00
jvazquez-r7 f6762b41b6 Use random fake db name 2014-11-11 09:35:51 -06:00
jvazquez-r7 94c353222d Do small cosmetic changes 2014-11-11 09:31:57 -06:00
jvazquez-r7 e9e5869951 update from master 2014-11-11 09:24:33 -06:00
Nikita c0285067c9 Add new module to test TNS poison
msf auxiliary(tnspoison_checker) > show options 

Module options (auxiliary/scanner/oracle/tnspoison_checker1):

   Name     Current Setting                          Required  Description
   ----     ---------------                          --------  -----------
   RHOSTS   172.16.2.100, 172.16.2.24, 172.16.2.101  yes       The target address range or CIDR identifier
   RPORT    1521                                     yes       The target port
   THREADS  1                                        yes       The number of concurrent threads

msf auxiliary(tnspoison_checker) > exploit 

[+] 172.16.2.100:1521 is vulnerable
[*] Scanned 1 of 3 hosts (033% complete)
[-] 172.16.2.24:1521 is not vulnerable 
[*] Scanned 2 of 3 hosts (066% complete)
[-] 172.16.2.101:1521 unable to connect to the server
[*] Scanned 3 of 3 hosts (100% complete)
[*] Auxiliary module execution completed
2014-11-11 17:29:27 +03:00
Juan Escobar ac17780f6d Fix by @FireFart to recover communication with the application after a meterpreter session 2014-11-11 05:49:18 -05:00
Juan Escobar 6bf1f613b6 Fix issues reported by FireFart 2014-11-11 00:41:58 -05:00
jvazquez-r7 091da05a86 update from master 2014-11-10 22:59:44 -06:00
jvazquez-r7 cac6494427 Use snake_case in filename 2014-11-10 16:58:46 -06:00
jvazquez-r7 2c33642de8 Do minor cleanup 2014-11-10 16:57:57 -06:00
jvazquez-r7 12ae8b3ec6 update from master 2014-11-10 16:19:26 -06:00
nullbind 493b81d874 cleanup 2014-11-10 15:22:21 -06:00
nullbind 31fa57fcb2 mssql_enum_sql_logins 2014-11-10 15:19:55 -06:00
Scott Sutherland d543b16cc1 Added mssql_enum_sql_logins.rb 2014-11-10 15:02:46 -06:00
Scott Sutherland ea226f7482 Update mssql_enum_sql_logins.rb 2014-11-10 15:02:14 -06:00
Juan Escobar d4bbf0fe39 Fix issues reported by wchen-r7 and mmetince 2014-11-10 15:27:10 -05:00
nullbind 74344e9295 added mssql_enum_sql_logins 2014-11-10 13:42:52 -06:00
jvazquez-r7 4b701700c1 Fix banner 2014-11-10 12:40:53 -06:00
Jon Hart 7ed11ffd52
Check for INTERFACE or SMAC in dtp setup 2014-11-10 10:14:47 -08:00
jvazquez-r7 65dbb1a83f Do print_status 2014-11-10 11:26:53 -06:00
jvazquez-r7 7aed1e9581 Create loot_passwords method 2014-11-10 11:21:44 -06:00
jvazquez-r7 92df11baa7 Create report_super_admin_creds method 2014-11-10 11:16:25 -06:00
jvazquez-r7 8f17011909 do run clean up
* Reduce code complexity
* Don't report not valid administrator credentials
2014-11-10 11:12:04 -06:00
jvazquez-r7 635df2f233 Fail with NoAccess 2014-11-10 09:50:26 -06:00
jvazquez-r7 9c033492d2 Fix indentation 2014-11-10 09:48:22 -06:00
jvazquez-r7 2236518694 Check res.body before accessing #to_s 2014-11-10 09:47:05 -06:00
jvazquez-r7 8b8ab61e3d Favor && over and 2014-11-10 09:45:12 -06:00
jvazquez-r7 ee4924582a Use target_uri 2014-11-10 09:43:44 -06:00
jvazquez-r7 8ddd6a4655 Redefine RPORT taking into account it is builtin 2014-11-10 09:42:30 -06:00
jvazquez-r7 eb36a36272 Change title 2014-11-10 09:40:22 -06:00
floyd 9d848c8c3b Adding tincd post-auth stack buffer overflow exploit module for several OS
Minor changes to comments

Updated URLs

Added Fedora ROP, cleaned up

Fixing URLs again, typos

Added support for Archlinux (new target)

Added support for OpenSuse (new target)

Tincd is now a separate file, uses the TCP mixin/REX sockets.

Started ARM exploiting

Style changes, improvements according to egyp7's comments

Style changes according to sane rubocop messages

RSA key length other than 256 supported. Different key lengths for client/server supported.

Drop location for binary can be customized

Refactoring: Replaced pop_inbuffer with slice

Refactoring: fail_with is called, renamed method to send_recv to match other protocol classes,
using rand_text_alpha instead of hardcoded \x90,

Fixed fail command usage

Version exploiting ARM with ASLR brute force

Cleaned up version with nicer program flow

More elegant solution for data too large for modulus

Minor changes in comments only (comment about firewalld)

Correct usage of the TCP mixin

Fixes module option so that the path to drop the binary on the server is not validated against the local filesystem

Added comments

Minor edits

Space removal at EOL according to msftidy
2014-11-10 12:03:17 +01:00
William Vu 0e772cc338
Land #4161, "stop" NilClass fix 2014-11-09 19:37:32 -06:00
sinn3r cd0dbc0e24 Missed another 2014-11-09 14:06:39 -06:00
Juan Escobar 9cce7643ab update description and fix typos 2014-11-09 09:10:01 -05:00
Juan Escobar 5d17637038 Add CVE-2014-7146 PHP Code Execution for MantisBT 2014-11-09 08:00:44 -05:00
Pedro Ribeiro b3c27452cd Add full disclosure URL 2014-11-09 10:40:41 +00:00
jvazquez-r7 bc5529396f
Land #4137, @pedrib's module for Eventlog CVE-2014-6038/6039 2014-11-08 08:12:11 -06:00
Pedro Ribeiro f680b666c7 Add github adv URL 2014-11-08 11:29:36 +00:00
Pedro Ribeiro 143033f657 Rename manageengine_pmp_sadmin.rb to manageengine_pmp_privesc.rb 2014-11-08 11:28:04 +00:00
Pedro Ribeiro 2843437ca9 Create exploit for CVE-2014-8499 2014-11-08 11:24:50 +00:00
Pedro Ribeiro e7b448537f Add OSVDB ids 2014-11-08 11:05:34 +00:00
jvazquez-r7 9d6e0664a4 Guess service name and port 2014-11-07 20:56:01 -06:00
jvazquez-r7 a44640c9fc Use single quotes 2014-11-07 20:48:04 -06:00
jvazquez-r7 7c1c08fc19 Use single quotes without interpolation 2014-11-07 20:46:47 -06:00
jvazquez-r7 0373156cce Use unless over if not 2014-11-07 20:42:08 -06:00
jvazquez-r7 f5a920da99 Use || operator 2014-11-07 20:41:44 -06:00
jvazquez-r7 64754a5609 Delete unnecessary begin..end block 2014-11-07 20:38:36 -06:00
jvazquez-r7 0919f74a3d Delete unused variable 2014-11-07 20:37:57 -06:00
jvazquez-r7 22b875d0f3 Reduce code complexity 2014-11-07 20:37:40 -06:00
jvazquez-r7 b1517e6ace Delete unnecessary nil comparison 2014-11-07 20:34:13 -06:00
jvazquez-r7 aa1fec7f02 Use fail_with 2014-11-07 20:33:33 -06:00
jvazquez-r7 d630eac272 Reduce code complexity 2014-11-07 20:32:15 -06:00
jvazquez-r7 cea30b5427 Use built-in format for RPORT 2014-11-07 20:30:32 -06:00
jvazquez-r7 e99cc00a57 No more than 100 columns on description 2014-11-07 20:29:38 -06:00
Jon Hart 2b7d25950b
Land #4148, @wchen-r7 fixed #4133 2014-11-07 08:26:29 -08:00
sinn3r 0dbfecba36 Better method name
Should be srvhost, not lhost
2014-11-07 02:23:34 -06:00
Pedro Ribeiro c00a3ac9cd Add full disclosure URL 2014-11-07 08:06:21 +00:00
Joshua Smith 7b25e3be75
Land #4139, Visual Mining NetCharts
landed after some touch up
2014-11-06 22:52:41 -06:00
Joshua Smith 7510fb40aa touch up visual_mining_netcharts_upload 2014-11-06 22:50:20 -06:00
Pedro Ribeiro 8a0249cdbf Address Juan's points 2014-11-06 21:02:28 +00:00
sinn3r 579481e5f8 Explain why I did this
Also tagging Fix #4133
2014-11-06 14:25:11 -06:00
sinn3r f210ade253 Use SRVHOST for msvidctl_mpeg2 2014-11-06 14:23:21 -06:00
sinn3r f7e308cae8
Land #4110 - Citrix Netscaler BoF 2014-11-06 00:04:17 -06:00
jvazquez-r7 54c1e13a98
Land #4140, @wchen-r7's default template for adobe_pdf_embedded_exe
* Fixes #4134
* Adds a default PDF template
2014-11-05 20:21:14 -06:00
jvazquez-r7 adefb2326e
Land #4124, @wchen-r7 fixes #4115 adding HTTP auth support to iis_webdav_upload_asp 2014-11-05 18:14:33 -06:00
sinn3r 1b2554bc0d Add a default template for CVE-2010-1240 PDF exploit 2014-11-05 17:08:38 -06:00
jvazquez-r7 79cabc6d68 Fix clean up 2014-11-05 15:46:33 -06:00
jvazquez-r7 c08993a9c0 Add module for ZDI-14-372 2014-11-05 15:31:20 -06:00
Pedro Ribeiro e71ba1ad4a Push exploit for CVE-2014-6038/39 2014-11-05 20:12:03 +00:00
Tod Beardsley cca30b536f
Land #4094, fixes for OWA brute forcer
Fixes #4083

Thanks TONS to @jhart-r7 for doing most of the work on this!
2014-11-05 14:00:26 -06:00
Jon Hart ff8d481eec Update description to remove comments about defaults. Default to 2013 2014-11-04 21:21:19 -08:00
Jon Hart 2c028ca7a6 Move redirect check before body check -- a redirect won't have a body 2014-11-04 14:19:21 -08:00
Jon Hart 7855ede2de Move userpass emptiness checking into setup 2014-11-04 14:07:39 -08:00
William Vu ebb8b70472
Land #4015, another Android < 4.4 UXSS module 2014-11-04 15:52:29 -06:00
Tod Beardsley f8593ca1b5
Land #4109, tnftp savefile exploit from @wvu-r7 2014-11-04 15:44:13 -06:00
Tod Beardsley 5fb268bbdf
Updates to better OWA fix 2014-11-04 14:32:54 -06:00
nullbind 56a02fdb4a added mssql_escalate_executeas_sqli.rb 2014-11-04 13:38:13 -06:00
Jon Hart b0e388f4c3
Land #3516, @midnitesnake's snmp_enumusers fix for Solaris, OS X 2014-11-04 08:23:16 -08:00
nullbind 15119d2a0f comment fix-sorry 2014-11-04 09:07:08 -06:00
nullbind f108d7b20a fixed code comment 2014-11-04 08:51:27 -06:00
jvazquez-r7 400ef51897
Land #4076, exploit for x7chat PHP application 2014-11-03 18:22:04 -06:00
jvazquez-r7 3bf7473ac2 Add github pull request as reference 2014-11-03 18:18:42 -06:00
jvazquez-r7 44a2f366cf Switch ranking 2014-11-03 18:06:09 -06:00
jvazquez-r7 039d3cf9ae Do minor cleanup 2014-11-03 18:04:30 -06:00
William Vu 277fd5c7a1
Land #4123, release fixes 2014-11-03 16:20:00 -06:00
Juan Escobar 7e4248b601 Added compatibility with older versions, Updated descriptions and fixed issue with Ubuntu 12.04 2014-11-03 16:42:50 -05:00
Tod Beardsley 0199e4d658
Land #3770, resolve random stager bugs 2014-11-03 14:15:14 -06:00
sinn3r 9a27984ac1 switch from error to switch 2014-11-03 13:56:41 -06:00
sinn3r a823ca6b2f Add support for HTTP authentication. And more informative. 2014-11-03 13:46:53 -06:00
Tod Beardsley 51b96cb85b
Cosmetic title/desc updates 2014-11-03 13:37:45 -06:00
nullbind fbe3adcb4c added mssql_escalate_executeas module 2014-11-03 11:29:15 -06:00
Jon Hart 8f197d4918 Move to build_probe 2014-11-03 08:41:51 -08:00
sinn3r 6f013cdcaf Missed these 2014-10-31 18:48:48 -05:00
sinn3r d6a830eb6e Rescue the correct exception: Rex::HostUnreachable 2014-10-31 16:43:33 -05:00
Jon Hart 121ebdfef6 update_info 2014-10-31 13:17:50 -07:00
Jon Hart b99e71dcdd Example UDPScanner style cleanup, move most to UDPScanner 2014-10-31 12:14:04 -07:00
Jon Hart ff0b52cffb Example per-batch vprint, a useful default 2014-10-31 10:31:31 -07:00
Jon Hart 94d4388af9 Improvements to example UDPScanner 2014-10-31 09:53:10 -07:00
Joe Vennix 1e9f9ce425
Handle invalid JSON errors and fix typo. 2014-10-31 11:01:49 -05:00
Jon Hart d9f0a10737 Add new example template for scanning UDP services 2014-10-31 08:06:31 -07:00
jvazquez-r7 40bf44bd05 Don't allow 127.0.0.1 as SRVHOST 2014-10-31 08:19:15 -05:00
jvazquez-r7 7d2fa9ee94 Delete unnecessary to_s 2014-10-30 22:59:22 -05:00
William Vu 953a642b0e
Finally write a decent description 2014-10-30 22:51:42 -05:00
sinn3r 64f4777407
Land #4091 - Xerox DLM injection 2014-10-30 22:15:16 -05:00
sinn3r b7a1722b46 Pass msftidy, more descriptive name and description 2014-10-30 22:14:18 -05:00
William Vu e3ed7905f1
Add tnftp_savefile exploit
Also add URI{HOST,PORT} and {,v}print_good to HttpServer.
2014-10-30 20:38:16 -05:00
jvazquez-r7 8fdea5f74c Change module filename 2014-10-30 20:34:24 -05:00
jvazquez-r7 9404e24b24 Update module information 2014-10-30 20:33:38 -05:00
Jon Hart 1a37a6638c Fix splunk_upload_app_exec to work on new installs. Style 2014-10-30 18:28:56 -07:00
Jon Hart 55f245f20f
Merge #3507 into local, recently updated branch of master for landing 2014-10-30 17:28:20 -07:00
OJ cc7f7c9986
Land #4108 - Avoid local offsets in CVE-2014-4113 2014-10-31 09:08:51 +10:00
jvazquez-r7 6574db5dbb Fix the 64 bits code 2014-10-30 17:01:59 -05:00
sinn3r 92ad2c434d
Land #4081 - Xerox workcentre 5735 LDAP service credential extractor 2014-10-30 13:52:07 -05:00
sinn3r 470a067384 Final changes 2014-10-30 13:51:44 -05:00
sinn3r 912f6c8eee
Land #4085 - Xerox Administrator Console Password Extract 2014-10-30 13:37:32 -05:00
sinn3r 02b1c5c4bc Final changes 2014-10-30 13:37:02 -05:00
sinn3r 127d1640da Print password 2014-10-30 13:27:40 -05:00
Joe Vennix 6dc13f90cd
Update descriptions to mention Webview bugginess. 2014-10-30 10:55:56 -05:00
Joe Vennix 0ad9f95806
Remove stray alert() for debugging. 2014-10-30 10:52:06 -05:00
Joe Vennix 88040fbce0
Add another Android < 4.4 UXSS exploit. 2014-10-30 10:34:14 -05:00
Jon Hart 15e1c253fa Numerous cleanups for snmp_enumusers
* Bring in line with Ruby standards
* More sane format for adding new OSs
* Better logging for use on larger networks
* Better error handling
2014-10-29 23:54:32 -07:00
jvazquez-r7 ac939325ce Add module first version 2014-10-29 21:11:57 -05:00
Peter Arzamendi 9d56f0298a Changed upper XXX to lower XXX. 2014-10-29 20:09:02 -05:00
Peter Arzamendi b35a8935db Updated get_once for get_once undefined method and EOFError 2014-10-29 13:47:07 -05:00
Deral Heiland 64a59e805c Fix a simple typo 2014-10-29 12:40:24 -04:00
Deral Heiland 1bf1be0e46 Updated to module based feedback from wchen-r7 2014-10-29 11:42:07 -04:00
Juan Escobar 2e53027bb6 Fix value of X7C2P cookie and typo 2014-10-29 08:32:36 -05:00
Peter Arzamendi 2bc8767751 Updated rescue to catch other errors from the socket API 2014-10-29 08:03:28 -05:00
Juan Escobar 9f21ac8ba2 Fix issues reported by wchen-r7 2014-10-28 21:31:33 -05:00
Jon Hart ba5035c7ef
Prevent calling match when there is no WWW-auth header 2014-10-28 17:13:57 -07:00
Jon Hart a5d883563d
Abort if 2013 desired but redirect didn't happen 2014-10-28 15:59:22 -07:00
Jon Hart 7ca4ba26b0
Show more helpful vprint messages when login fails 2014-10-28 15:48:04 -07:00
Jon Hart bce8f34a71
Set proper Cookie header from built cookie string 2014-10-28 15:41:36 -07:00
Jon Hart a3e1e11987
Ensure necessary cookies are present in OWA 2010 login response 2014-10-28 15:40:15 -07:00
Peter Arzamendi 604cad9fbb Updated timeout to default to 45 seconds to wait for the print job to finish. 2014-10-28 15:45:28 -05:00
Peter Arzamendi b17d6a661d Moved module to auxiliary/gather and updated timeout to wait for the printer job to complete before we try to grab the creds. 2014-10-28 15:23:47 -05:00
Peter Arzamendi 0e42cf25d1 Updated per wchen-r7's recommendations. Still waiting to hear on Nokogiri 2014-10-28 15:13:16 -05:00
Tod Beardsley 9c028c1435
Fixes #4083, make the split nil-safe
In the reported case, the expected cookies were not present on the
response, thus, the second split was trying to split a `nil`. This
solves the immediate problem by a) splitting up the splits into
discrete sections, and b) `NilClass#to_s`'ing the result of the first
split.

This makes the split safe. Now, there may be a larger issue here where
you're not getting the expected cookies -- it sounds like the target in
this case is responding differently, which implies that the module isn't
going to be effective against that particular target. But, at least it
won't crash. It may merely try fruitlessly the entire run, though. I
can't know without looking at a pcap, and in the reported case, a pcap
seems unlikely since this was a bug found in the field.
2014-10-28 14:59:20 -05:00
William Vu 71a6ec8b12
Land #4093, cups_bash_env_exec CVE-2014-6278 2014-10-28 12:47:51 -05:00
Brendan Coles 57baf0f393 Add support for CVE-2014-6278 2014-10-28 17:10:19 +00:00
William Vu 3de5c43cf4
Land #4050, CUPS Shellshock
Bashbleeded!!!!!!!!!!!
2014-10-28 11:59:31 -05:00
Peter Arzamendi 1012cd8d6b Updated based on wchen-r7 feedback. 2014-10-28 11:38:50 -05:00
Brendan Coles 78b199fe72 Remove CVE-2014-6278 2014-10-28 16:18:24 +00:00
Joe Vennix c6bbc5bccf
Merge branch 'landing-4055' into upstream-master 2014-10-28 11:18:20 -05:00
Deral Heiland 9021e4dae6 Xerox Workcentre firmware injection exploit 2014-10-28 11:15:43 -04:00
jvazquez-r7 5e0993d756
Add OJ as author 2014-10-28 09:58:34 -05:00
Tod Beardsley dade6b97ba
Land #4088, wget exploit
Fixes #4077 as well.
2014-10-28 09:03:07 -05:00
Brendan Coles a060fec760 Detect version in check() 2014-10-28 12:28:18 +00:00
sinn3r e31c9f579d
Land #3987 - Buffalo Linkstation NAS Login Scanner 2014-10-28 01:45:57 -05:00
HD Moore 64c206fa62 Add module for CVE-2014-4877 (Wget) 2014-10-27 23:37:41 -05:00
Peter Arzamendi 0b225d94b1 Xerox Admin password extractor. 2014-10-27 19:26:40 -05:00
Juan Escobar 2ba2388889 Fix issues reported by jvasquez 2014-10-27 19:15:39 -05:00
jvazquez-r7 b990b14a65
Land #3771, @us3r777's deletion of jboss_bshdeployer STAGERNAME option 2014-10-27 18:09:35 -05:00
parzamendi-r7 f7f6cff327 Update xerox_workcentre_5XXX_ldap.rb 2014-10-27 17:23:47 -05:00
Peter Arzamendi f119abbf8c Xerox workcentre 5735 LDAP credential extractor 2014-10-27 15:52:12 -05:00
jvazquez-r7 373ce8d340 Use perl encoding 2014-10-27 15:30:02 -05:00
Luke Imhoff 216360d664
Add missing require
MSP-11145
2014-10-27 15:19:59 -05:00
jvazquez-r7 9da83b6782 Update master changes 2014-10-27 14:35:30 -05:00
Spencer McIntyre 04a99f09bb
Land #4064, Win32k.sys NULL Pointer Dereference 2014-10-27 14:01:07 -04:00
William Vu 090d9b95d1
Land #4078, pureftpd_bash_env_exec desc. update 2014-10-27 12:12:09 -05:00
William Vu 950fc46e4b
Normalize description 2014-10-27 12:09:39 -05:00
Jon Hart b8c9ef96ca
Land #4003, @nstarke's Login Scanner for WD MyBook Live NAS 2014-10-27 09:57:43 -07:00
Spencer McIntyre 830f631da4 Make the check routine less strict 2014-10-27 12:51:20 -04:00
sinn3r aa5dc0a354 100 columns per line 2014-10-27 10:24:11 -05:00
sinn3r 7e56948191 Update description about pureftpd_bash_env_exec
Make exploitable requirements more obvious
2014-10-27 10:23:06 -05:00
Spencer McIntyre 46b1abac4a More robust check routine for cve-2014-4113 2014-10-27 11:19:12 -04:00
jvazquez-r7 4406972b46 Do version checking minor cleanup 2014-10-27 09:32:42 -05:00
Juan Escobar 848f24a68c update module description 2014-10-27 02:07:16 -05:00
root d66dc88924 Add PHP Code Execution for X7 Chat 2.0.5 2014-10-27 01:01:31 -05:00
jvazquez-r7 c319ea91b3 Delete verbose print 2014-10-26 17:31:19 -05:00
jvazquez-r7 34697a2240 Delete 'callback3' also from 32 bits version 2014-10-26 17:28:35 -05:00
Spencer McIntyre 7416c00416 Initial addition of x64 target for cve-2014-4113 2014-10-26 16:54:42 -04:00
Brendan Coles 554935e60b Add check() and support CVE-2014-6278 2014-10-26 18:11:36 +00:00
scriptjunkie 4dfbce425a use vprintf... 2014-10-26 09:20:32 -05:00
scriptjunkie c31fb0633d Merge branch 'wp-psexeccmd' of github.com:webstersprodigy/metasploit-framework into webstersprodigy-wp-psexeccmd 2014-10-26 09:05:25 -05:00
jvazquez-r7 a75186d770 Add module for CVE-2014-4113 2014-10-23 18:51:30 -05:00
sinn3r 7cb4320a76
Land #3561 - unix cmd generic_sh encoder 2014-10-23 15:48:00 -05:00
sinn3r 13fd6a3374
Land #4046 - Centreon SQL and Command Injection 2014-10-23 13:17:00 -05:00
sinn3r ce841e57e2 Rephrase about centreon.session 2014-10-23 13:15:55 -05:00
sinn3r 889045d1b6 Change failure message 2014-10-23 12:55:27 -05:00
Jon Hart 83df08aaa7 Properly encode body and catch invalid configs 2014-10-22 22:43:06 -07:00
Jon Hart c765100efd
Land #4004, @martinvigo's LastPass master password extraction module 2014-10-22 16:34:54 -07:00
Jon Hart 29b61984c5 Update to use correctly joined path 2014-10-22 16:34:17 -07:00
sinn3r 42cd288bc0
Land #4057 - Bring back TCP::max_send_size and TCP::send_delay options
Fix #3967
2014-10-22 16:23:15 -05:00
sinn3r 0ea03c00a5 Use print_brute instead of print_good for format consistency 2014-10-22 16:14:45 -05:00
Tim Wright b8c3fadb9e python 3 is supported now too :) 2014-10-22 20:10:48 +01:00
Tim Wright 8c3c73a72d inline the error message 2014-10-22 20:08:14 +01:00
Tim Wright 2ab73688dc use framework.threads to launch cleanup thread 2014-10-22 19:40:29 +01:00
Tim Wright 22fc6496ac Merge branch 'pr/3401' into landing-3401 2014-10-22 19:23:01 +01:00
Jon Hart ce8a9941ea Cleanup. Sanity check in setup. vprint 2014-10-22 10:36:24 -07:00
James Lee 46acf08e2d Merge remote-tracking branch 'upstream/master' into bug/msp-11497/loginscanner-tcp-evasions 2014-10-22 09:09:34 -05:00