infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
21,934 Commits
7 Branches
556 Tags
421 MiB
Commit Graph

3698 Commits (b1dfed8577c45f9b1fccce5ecfb460caeb201a8c)

Author SHA1 Message Date
jvazquez-r7 77d0236b4e Don't overwrite defaul timeout 2013-10-02 16:15:14 -05:00
Meatballs c460f943f7
Merge branch 'master' into data_dir 
Conflicts:
	modules/exploits/windows/local/always_install_elevated.rb
	plugins/sounds.rb
	scripts/meterpreter/powerdump.rb
	scripts/shell/spawn_meterpreter.rb
 2013-10-02 20:17:11 +01:00
sinn3r 23b0c3b723 Add Metasploit blog references 
These modules have blogs from the Rapid7 community, we should add them.
 2013-10-01 20:50:16 -05:00
sinn3r 932ed0a939 Land #2444 - Add SIEMENS Solid Edge ST4 SEListCtrlX ActiveX Vuln 2013-10-01 20:35:17 -05:00
jvazquez-r7 ed82be6fd8 Use RopDB 2013-10-01 13:23:09 -05:00
jvazquez-r7 6483c5526a Add module for OSVDB 93696 2013-10-01 11:42:36 -05:00
sinn3r 9abf727fa6 Land #2439 - Update description 2013-09-30 16:03:15 -05:00
sinn3r 7118f7dc4c Land #2422 - rm methods peer & rport 
Because they're already defined in the HttpClient mixin
 2013-09-30 16:01:59 -05:00
jvazquez-r7 6c8f86883d
Land #2437, @wchen-r7's exploit for CVE-2013-3893 2013-09-30 14:02:29 -05:00
Tod Beardsley 4dc88cf60f Expand descriptions for ease of use. 2013-09-30 13:30:31 -05:00
sinn3r c82ed33a95 Forgot Math.cos() 2013-09-30 13:29:16 -05:00
sinn3r d6cd0e5c67 Tweak for office 2007 setup 2013-09-30 13:27:59 -05:00
sinn3r ecf4e923e8 Change the target address for spray 1 2013-09-30 11:57:59 -05:00
sinn3r b9aae1c93c Higher address seems better 2013-09-29 18:45:30 -05:00
sinn3r a5ade93ab2 Add CVE-2013-3893 Internet Explorer SetMouseCapture Use-After-Free 
This module exploits a use-after-free vulnerability that currents
targets Internet Explorer 9 on Windows 7, but the flaw should exist in
versions 6/7/8/9/10/11. It was initially found in the wild in Japan, but
other regions such as English, Chinese, Korean, etc, were targeted as
well.

The vulnerability is due to how the mshtml!CDoc::SetMouseCapture function
handles a reference during an event. An attacker first can setup two
elements, where the second is the child of the first, and then setup a
onlosecapture event handler for the parent element. The onlosecapture
event seems to require two setCapture() calls to trigger, one for the parent
element, one for the child. When the setCapture() call for the child element
is called, it finally triggers the event, which allows the attacker to cause
an arbitrary memory release using document.write(), which in particular frees
up a 0x54-byte memory. The exact size of this memory may differ based on the
version of IE. After the free, an invalid reference will still be kept and pass
on to more functions, eventuall this arrives in function
MSHTML!CTreeNode::GetInterface, and causes a crash (or arbitrary code execution)
when this function attempts to use this reference to call what appears to be a
PrivateQueryInterface due to the offset (0x00).

To mimic the same exploit found in the wild, this module will try to use the
same DLL from Microsoft Office 2007 or 2010 to leverage the attack.
 2013-09-29 18:24:13 -05:00
Meatballs b306415ecf
Tidy and updates to info 2013-09-29 17:32:39 +01:00
Meatballs 29a7059eb4
Update AlwaysInstallElevated to use a generated MSI file 
Fixes bugs with MSI::UAC option, invalid logic and typo...
 2013-09-29 17:09:03 +01:00
Meatballs 8b800cf5de Merge and resolve conflicts 2013-09-27 18:19:23 +01:00
jvazquez-r7 6381bbfd39 Clean up freeftpd_pass 2013-09-27 09:47:39 -05:00
Meatballs 353cd9aaf5 Check payload.arch 2013-09-27 11:13:19 +01:00
Meatballs d2fa7d84a9 Tidyup includes 2013-09-27 10:12:53 +01:00
Meatballs 5fa0eb32a9 Merge upstream 2013-09-27 10:11:10 +01:00
Meatballs c3c07b5fd7 Better arch checking 2013-09-27 09:39:29 +01:00
Meatballs dfac7b57d2 Fixup SysWOW64 2013-09-27 09:10:49 +01:00
Meatballs b8df7cc496 Initialize strings fool 2013-09-27 09:01:00 +01:00
TecR0c b02a2b9ce0 Added crash info and basic tidy up 2013-09-27 17:05:42 +10:00
TecR0c 7dbc3f4f87 changed seh address to work on freeFTPd 1.0.10 and below 2013-09-27 12:37:52 +10:00
TecR0c 5fc98481a7 changed seh address to work on freeFTPd 1.0.10 and below 2013-09-27 12:35:03 +10:00
TecR0c a6e1bc61ec updated version in exploit freeFTPd 1.0.10 2013-09-27 11:27:51 +10:00
TecR0c 3a3f1c0d05 updated requested comments for freeFTPd 1.0.10 2013-09-27 11:13:28 +10:00
Meatballs 3d812742f1 Merge upstream master 2013-09-26 21:27:44 +01:00
Meatballs 7ba846ca24 Find and replace 2013-09-26 20:34:48 +01:00
Meatballs a25833e4d7 Fix %TEMP% path 2013-09-26 19:22:36 +01:00
TecR0c 0339c3ef48 added freeFTPd 1.0.10 (PASS Command) 2013-09-26 20:37:23 +10:00
FireFart 84ec2cbf11 remove peer methods since it is already defined in Msf::Exploit::Remote::HttpClient 2013-09-25 23:42:44 +02:00
Tod Beardsley d91cb85a31
Not actually a typo 
Turns out, the object name is "CCaret," though we're talking about the
"caret." Confuz0ring!
 2013-09-24 15:55:52 -05:00
Tod Beardsley ac1388368f
Typo in module name 2013-09-24 15:50:58 -05:00
Tod Beardsley 93486a627d Whoops on trailing commas 2013-09-24 15:14:11 -05:00
William Vu 52a92a55ce Land #2394, ms13_005_hwnd_broadcast require fix 2013-09-24 13:43:21 -05:00
Tod Beardsley 3906d4a2ca Fix caps that throw msftidy warnings 2013-09-24 13:03:16 -05:00
Tod Beardsley c547e84fa7 Prefer Ruby style for single word collections 
According to the Ruby style guide, %w{} collections for arrays of single
words are preferred. They're easier to type, and if you want a quick
grep, they're easier to search.

This change converts all Payloads to this format if there is more than
one payload to choose from.

It also alphabetizes the payloads, so the order can be more predictable,
and for long sets, easier to scan with eyeballs.

See:
  https://github.com/bbatsov/ruby-style-guide#collections
 2013-09-24 12:33:31 -05:00
Tod Beardsley 081c279b61 Remove misleading comment 2013-09-24 11:42:31 -05:00
Tod Beardsley 8db1a389eb
Land #2304 fix post module require order 
Incidentally resolve conflict on current_user_psexec to account for the
new powershell require.
 2013-09-23 16:52:23 -05:00
Tod Beardsley 2656c63459 Knock out a Unicode character 2013-09-23 14:22:11 -05:00
Tod Beardsley 99f145cbff Don't split the post requires 2013-09-23 14:02:43 -05:00
Tod Beardsley 4bff8f2cdc Update descriptions for clarity. 2013-09-23 13:48:23 -05:00
William Vu a46ac7533d Land #2407, require fix for current_user_psexec 2013-09-23 11:57:19 -05:00
jvazquez-r7 8417b916c7 Complete MS13-071 Information 2013-09-21 21:22:34 -05:00
darknight007 6b06ed0df1 Update current_user_psexec.rb 2013-09-22 03:07:17 +05:00
sinn3r 8381bf8646 Land #2404 - Add powershell support for current_user_psexec 2013-09-20 17:14:55 -05:00
sinn3r 96364c78f8 Need to catch RequestError too 
Because a meterpreter session may throw that
 2013-09-20 17:13:35 -05:00
Meatballs 6e69fe48bf Undo psexec changes 2013-09-20 22:30:00 +01:00
Meatballs 2591be503b Psh support 2013-09-20 22:07:42 +01:00
Meatballs 15885e4ef6 Change static x value 2013-09-20 20:31:14 +01:00
Meatballs ee365a6b64 Some liberal sleeping 2013-09-20 19:33:27 +01:00
Meatballs 7d1c5c732a Correct powershell 2013-09-20 18:36:24 +01:00
sinn3r bb7b57cad9 Land #2370 - PCMAN FTP Server post-auth stack buffer overflow 2013-09-20 12:29:10 -05:00
sinn3r feb76ea767 Modify check 
Since auth is required, check function needs to look into that too
 2013-09-20 12:28:21 -05:00
sinn3r 2d6c76d0ad Rename pcman module 
Because this is clearly a msf module, we don't need 'msf' as a
filename. The shorter the better.
 2013-09-20 12:18:24 -05:00
sinn3r 6690e35761 Account for username length 
Username is part of the overflowing string, need to account for that
 2013-09-20 12:17:34 -05:00
sinn3r 9d67cbb4db Retabbed 2013-09-20 11:58:53 -05:00
Meatballs 9819566d94 Nearly 2013-09-20 17:18:14 +01:00
jvazquez-r7 6f5e528699 Remove author, all the credits go to corelanc0der and sinn3r 2013-09-20 10:27:37 -05:00
sinn3r 83f54d71ea Add MS13-069 (CVE-2013-3205) IE ccaret object use-after-free 
This module exploits a use-after-free vulnerability found in Internet Explorer,
specifically in how the browser handles the caret (text cursor) object. In IE's
standards mode, the caret handling's vulnerable state can be triggered by first
setting up an editable page with an input field, and then we can force the caret
to update in an onbeforeeditfocus event by setting the body's innerHTML property.
In this event handler, mshtml!CCaret::`vftable' can be freed using a document.write()
function, however, mshtml!CCaret::UpdateScreenCaret remains unaware aware of this
change, and still uses the same reference to the CCaret object. When the function
tries to use this invalid reference to call a virtual function at offset 0x2c, it
finally results a crash. Precise control of the freed object allows arbitrary code
execution under the context of the user.

The vuln works against IE8 on Win 7, but the current version of the custom spray
doesn't actually work well against that target. More work is needed before we can
add that target for sure.  The reason a custom spray is needed is because the
document.write() function erases the typical spray routines we use like
js_property_spray, or the heaplib + substring one.  Tried using an iframe too,
but onbeforeeditfocus event doesn't seem to work well in an iframe (does not
fire when innerHTML is used.)
 2013-09-20 10:20:35 -05:00
Meatballs a00f3d8b8e initial 2013-09-20 13:40:28 +01:00
Rick Flores (nanotechz9l) 7d17eef7a7 Updated several msftidy [WARNING] Spaces at EOL issues. 2013-09-19 20:35:08 -07:00
sinn3r 955365d605 Land #2391 - MS13-071 Microsoft Windows Theme File Handling Vulnerability 2013-09-19 22:21:09 -05:00
jvazquez-r7 9b486e1dbb Add comment about the smb_* methods 2013-09-19 13:23:46 -05:00
William Vu 628cfe8e67 Land #2393, tape_engine_8A filename disambiguation 2013-09-19 10:31:40 -05:00
Tod Beardsley ef72b30074 Include the post requires until #2354 lands 
Another one that needs the manual require. See #2354
 2013-09-19 09:47:01 -05:00
Tod Beardsley fb72e7f02a Disambiguate tape_engine_8A as tape_engine_0x8a 
This will reopen #2358 to avoid filename collisions on Windows, Rubymine
environments, etc.
 2013-09-19 09:35:31 -05:00
Rick Flores (nanotechz9l) 058e0fdd80 Changed ret to push esp C:\WINDOWS\system32\msvcrt.dll 2013-09-19 07:21:51 -07:00
James Lee 8fe9132159
Land #2358, deprecate funny names 2013-09-18 14:55:33 -05:00
Rick Flores (nanotechz9l) 766e96510d Added minor indentation updates 2013-09-18 12:12:35 -07:00
jvazquez-r7 60d448f600 Add minor cleanup 2013-09-18 14:10:13 -05:00
Rick Flores (nanotechz9l) db8881966e Merge remote-tracking branch 'upstream/master' 2013-09-18 12:02:01 -07:00
jvazquez-r7 68647c7363 Add module for MS13-071 2013-09-18 13:40:35 -05:00
Tod Beardsley 8728a9a3b7 Bumping out deprecation date 
Pray I don't alter the deprecation date further.
 2013-09-18 11:00:35 -05:00
Rick Flores (nanotechz9l) 6cbe371381 minor change 2013-09-17 20:33:46 -07:00
Rick Flores (nanotechz9l) 0052f9712b Updated hard tabs per new requirement 2013-09-17 17:42:01 -07:00
James Lee 9a555d8701 Fix the modules added since the branch 2013-09-17 18:25:12 -05:00
James Lee 150f0f644e Merge branch 'rapid7' into bug/osx-mods-load-order 
Conflicts:
	modules/post/windows/gather/enum_dirperms.rb
 2013-09-17 18:21:13 -05:00
Rick Flores (nanotechz9l) 52a1b5fa57 updated pcman_stor_msf.rb module with community feedback. 2013-09-16 17:43:10 -07:00
Rick Flores (nanotechz9l) 226a75b5da updated pcman_stor_msf.rb module with community feedback. 2013-09-16 17:37:29 -07:00
Tod Beardsley b4b7cecaf4 Various minor desc fixes, also killed some tabs. 2013-09-16 15:50:00 -05:00
Rick Flores (nanotechz9l) d4f2e72b9c updated module to include msftidy.rb 2013-09-16 12:46:13 -07:00
Rick Flores (nanotechz9l) 82e3910959 added PCMan's FTP Server Crafted Multiple Command Handling Remote Buffer Overflow (OSVDB 94624) 2013-09-16 12:40:36 -07:00
Rick Flores (nanotechz9l) 92cf886e49 updated module to include msftidy.rb 2013-09-16 12:38:00 -07:00
Rick Flores 4c83336944 Delete pcman_stor_msf.rb 
delete because of commit issues.
 2013-09-16 12:25:39 -07:00
Rick Flores (nanotechz9l) f657f4d145 added PCMan's FTP Server Crafted Multiple Command Handling Remote Buffer Overflow (OSVDB 94624) 2013-09-16 09:57:27 -07:00
sinn3r 67cd62f306 Land #2366 - HP ProCurve Manager SNAC UpdateCertificatesServlet File Upload 2013-09-16 01:44:23 -05:00
jvazquez-r7 54e9cd81f3 Add module for ZDI-13-226 2013-09-13 17:31:51 -05:00
jvazquez-r7 10303a8c2a Delete debug print_status 2013-09-13 17:05:23 -05:00
jvazquez-r7 dca4351303 Add check function 2013-09-13 16:51:14 -05:00
jvazquez-r7 f7c4e081bb Add module for ZDI-13-225 2013-09-13 16:40:28 -05:00
sinn3r 4847976995 Update information about original discovery 
Update info about original discovoery. See #2337 too.
 2013-09-13 10:42:11 -05:00
Tod Beardsley 76f27ecde8 Require the deprecation mixin in all modules 
Because rememberin to require it, and hoping against a race is not how we
roll any more.
 2013-09-12 15:49:33 -05:00
Tod Beardsley 761042f14b require the deprecated mixin 2013-09-12 15:42:01 -05:00
Tod Beardsley 968f299772 Deprecate A-PDF exploit for filename change 
See PT 56796034
See PT 56795804
 2013-09-12 15:30:26 -05:00
James Lee 58b634dd27 Remove unnecessary requires from post mods 2013-09-12 14:36:01 -05:00
Tod Beardsley d47de46d94 Deprecate brightstor/tape_engine_8A 
This module is getting renamed to 8a, instead of 8A.
 2013-09-12 13:59:44 -05:00
jvazquez-r7 9ad1be7318 Make junk easier 2013-09-11 09:33:01 -05:00
jvazquez-r7 825eb9d1ca Add module for OSVDB 96208 2013-09-11 00:11:00 -05:00
jvazquez-r7 4f1db80c24 Fix requires in new post modules 2013-09-10 11:13:07 -05:00
Tod Beardsley aff35a615b Grammar fixes in descriptions 2013-09-09 15:09:53 -05:00
jvazquez-r7 791b6f69c2 Land #2337, @wchen-r7's exploit for MS13-055 2013-09-09 11:12:03 -05:00
sinn3r 0ee0168556 Retabbed 
One kills a man, one is an assassin; one kills millions, one is a
conqueror; one kills a tab, one is a Metasploit dev.
 2013-09-09 10:01:01 -05:00
sinn3r 6ab905e9e0 Less alignment 2013-09-09 09:39:02 -05:00
sinn3r 992bdcf530 Not from the future 2013-09-09 00:36:28 -05:00
sinn3r c3db41334b Add MS13-055 Internet Explorer Use-After-Free Vulnerability 
In IE8 standards mode, it's possible to cause a use-after-free condition by first
creating an illogical table tree, where a CPhraseElement comes after CTableRow,
with the final node being a sub table element. When the CPhraseElement's outer
content is reset by using either outerText or outerHTML through an event handler,
this triggers a free of its child element (in this case, a CAnchorElement, but
some other objects apply too), but a reference is still kept in function
SRunPointer::SpanQualifier. This function will then pass on the invalid reference
to the next functions, eventually used in mshtml!CElement::Doc when it's trying to
make a call to the object's SecurityContext virtual function at offset +0x70, which
results a crash. An attacker can take advantage of this by first creating an
CAnchorElement object, let it free, and then replace the freed memory with another
fake object. Successfully doing so may allow arbitrary code execution under the
context of the user.

This bug is specific to Internet Explorer 8 only. It was originally discovered by
Orange Tsai at Hitcon 2013, but was silently patched in the July 2013 update, so
no CVE as of now.
 2013-09-08 20:02:23 -05:00
jvazquez-r7 7d4bf0c739 Retab changes for PR #2327 2013-09-05 23:25:41 -05:00
jvazquez-r7 34b499588b Merge for retab 2013-09-05 23:24:22 -05:00
Meatballs 473f08bbb6 Register cleanup and update check 2013-09-05 22:43:26 +01:00
Meatballs 400b433267 Sort out exception handling 2013-09-05 22:21:44 +01:00
Meatballs d4043a6646 Spaces and change to filedropper 2013-09-05 20:41:37 +01:00
Meatballs c5daf939d1 Stabs tabassassin 2013-09-05 20:36:52 +01:00
Tab Assassin d0360733d7 Retab changes for PR #2282 2013-09-05 14:05:34 -05:00
Tab Assassin 49dface180 Merge for retab 2013-09-05 14:05:28 -05:00
Tab Assassin 1460474a55 Retab changes for PR #2288 2013-09-05 13:58:24 -05:00
Tab Assassin e711a495eb Merge for retab 2013-09-05 13:58:19 -05:00
Meatballs 9787bb80e7 Address @jlee-r7's feedback 2013-09-05 19:57:05 +01:00
Tab Assassin 845bf7146b Retab changes for PR #2304 2013-09-05 13:41:25 -05:00
Tab Assassin adf9ff356c Merge for retab 2013-09-05 13:41:23 -05:00
jvazquez-r7 5c06a471f9 Get the call result 2013-09-05 08:33:35 -05:00
jvazquez-r7 3681955f68 Use Msf::Config.data_directory 2013-09-05 08:28:50 -05:00
jvazquez-r7 6b1d7545d6 Refactor, avoid duplicate code 2013-09-05 08:26:49 -05:00
jvazquez-r7 b6245eea72 Update target info 2013-09-04 16:43:26 -05:00
jvazquez-r7 34b3ee5e17 Update ranking and description 2013-09-04 16:10:15 -05:00
jvazquez-r7 94125a434b Add module for ZDI-13-205 2013-09-04 15:57:22 -05:00
Meatballs 3066e7e19d ReverseConnectRetries ftw 2013-09-04 00:16:19 +01:00
Meatballs a8e77c56bd Updates 2013-09-03 22:46:20 +01:00
Meatballs ac0c493cf9 Merge branch 'master' of github.com:rapid7/metasploit-framework into local_win_priv_keyring 2013-09-03 21:33:11 +01:00
Tab Assassin 84aaf2334a Retab new material 2013-09-03 11:47:26 -05:00
Tab Assassin 0c1e6546af Update from master 2013-09-03 11:45:39 -05:00
Tod Beardsley ca8dacb93b Minor module description updates for grammar. 2013-09-03 10:31:45 -05:00
sinn3r ac0b14e793 Add the missing CVE reference 
Was looking at all the 2013 exploit modules for missing CVE references
 2013-08-31 18:54:16 -05:00
sinn3r 0736677a01 Land #2299 - Add powershell support & removes ADODB.Stream requirement 2013-08-31 00:32:23 -05:00
Tab Assassin 41e4375e43 Retab modules 2013-08-30 16:28:54 -05:00
jvazquez-r7 5b32c63a42 Land #2308, @wchen-r7's exploit for MS13-059 2013-08-30 10:59:36 -05:00
jvazquez-r7 ea8cd2dc46 Update authors list 2013-08-30 10:52:39 -05:00
sinn3r a283f1d4fa Correct module title 2013-08-30 10:50:35 -05:00
sinn3r f4e09100bd Correct file name 2013-08-30 10:50:05 -05:00
sinn3r 38dbab9dd0 Fix typos 2013-08-30 10:43:26 -05:00
sinn3r 0a1b078bd8 Add CVE-2013-3184 (MS13-058) CFlatMarkupPointer Use After Free 
Please see module description for more info.
 2013-08-30 03:16:28 -05:00
jvazquez-r7 657be3a3d9 Fix typo 2013-08-29 14:42:59 -05:00
jvazquez-r7 4a6bf1da7f Add module for ZDI-13-207 2013-08-29 14:09:45 -05:00
James Lee 63adde2429 Fix load order in posts, hopefully forever 2013-08-29 13:37:50 -05:00
Meatballs a12f5092dd Encode the powershell cmd 2013-08-28 22:37:11 +01:00
Meatballs aa0563244b Update unsafe scripting module 2013-08-28 22:30:46 +01:00
sinn3r b0226cab79 Land #2290 - HP LoadRunner lrFileIOService ActiveX Vulnerability 2013-08-27 11:19:43 -05:00
jvazquez-r7 997c5e5516 Land #2291, @todb-r7's patch for oracle_endeca_exec's requires 2013-08-27 11:01:21 -05:00
Tod Beardsley 15b741bb5f Require the powershell mixin explicitly 2013-08-27 10:36:51 -05:00
jvazquez-r7 f59f57e148 Randomize object id 2013-08-27 10:35:06 -05:00
jvazquez-r7 66fa1b41aa Fix logic to spray correctly IE9 2013-08-27 09:57:55 -05:00
sinn3r 7a4d781538 Land #2274 - Firefox XMLSerializer Use After Free 2013-08-26 20:53:42 -05:00
Meatballs ff5cf396ab Remove large file and rename payload.dll 2013-08-27 00:30:27 +01:00
violet 4cbdf38377 updated contact info 
MASTER OF DISASTER

ULTRA LASER

:::::::-.  :::::::..        :::::::-.      ...         ...     .        :
 ;;,   `';,;;;;``;;;;        ;;,   `';, .;;;;;;;.   .;;;;;;;.  ;;,.    ;;;
 `[[     [[ [[[,/[[['        `[[     [[,[[     \[[,,[[     \[[,[[[[, ,[[[[,
  $$,    $$ $$$$$$c           $$,    $$$$$,     $$$$$$,     $$$$$$$$$$$"$$$
  888_,o8P' 888b "88bo,d8b    888_,o8P'"888,_ _,88P"888,_ _,88P888 Y88" 888o
  MMMMP"`   MMMM   "W" YMP    MMMMP"`    "YMMMMMP"   "YMMMMMP" MMM  M'  "MMM
 2013-08-26 16:14:49 -07:00
Meatballs 035e97523b In memory bypassuac 2013-08-27 00:13:19 +01:00
Tod Beardsley 6b15a079ea Update for grammar in descriptions on new modules. 2013-08-26 14:52:51 -05:00
Meatballs 05f1622fcb Fix require 2013-08-26 16:21:18 +01:00
Meatballs 3b9ded5a8e BypassUAC now checks if the process is LowIntegrityLevel 
and fails if so. Some small improvements made to Post::Priv
and BypassUAC module.
 2013-08-26 13:54:55 +01:00
jvazquez-r7 f8d1d29648 Add module for ZDI-13-182 2013-08-25 23:07:08 -05:00
jvazquez-r7 82cf812311 Switch to PrependMigrate 2013-08-24 10:46:04 -05:00
sinn3r 7b5e98d57e Land #2269 - Oracle Endeca Server Remote Command Execution 2013-08-23 15:40:31 -05:00
jvazquez-r7 ad214da3de Switch to powershell to exec payload 2013-08-23 14:39:29 -05:00
jvazquez-r7 a45f49e3b7 Use a new Ranking 2013-08-23 08:49:58 -05:00
jvazquez-r7 ff6ad30be0 Add module for ZDI-13-006 2013-08-22 18:15:35 -05:00
jvazquez-r7 965e2d88fe Use normalize_uri 2013-08-21 16:49:24 -05:00
jvazquez-r7 b72566b8aa Add module for ZDI-13-190 2013-08-21 12:47:47 -05:00
Tod Beardsley ca313806ae Trivial grammar and word choice fixes for modules 2013-08-19 13:24:42 -05:00
Steve Tornio abd4fb778f add osvdb ref for chasys overflow 2013-08-18 06:35:28 -05:00
sinn3r a75a4906f2 Description update 2013-08-16 23:28:24 -05:00
jvazquez-r7 a8cc15db20 Add module for ZDI-13-178 2013-08-16 18:13:18 -05:00
HD Moore 6c1ba9c9c9 Switch to Failure vs Exploit::Failure 2013-08-15 14:14:46 -05:00
sinn3r 98e0053dc6 Fix indent level 2013-08-14 13:07:01 -05:00
bcoles 7145a85fb4 Add MiniWeb (Build 300) Arbitrary File Upload 2013-08-15 01:01:46 +09:30
jvazquez-r7 31cbc270fd Favor unless over if for negative condition 2013-08-13 08:46:12 -05:00
jvazquez-r7 bc9a26d4ee Fix condition 2013-08-12 23:05:26 -05:00
jvazquez-r7 568181de84 Add sthetic spaces 2013-08-12 22:33:34 -05:00
jvazquez-r7 6d70d4924e Land #2206, @PsychoSpy module for OSVDB 94097 2013-08-12 22:27:03 -05:00
jvazquez-r7 7981601eb8 Do final cleanup on intrasrv_bof 2013-08-12 22:24:53 -05:00
sinn3r 2d3c2c1c87 Set default target to 0 because there's only one 2013-08-12 20:01:23 -05:00
sinn3r c0335cee26 Land #2214 - CVE-2013-3928: Chasys Draw IES Buffer Overflow 2013-08-12 19:16:02 -05:00
sinn3r 7562324d96 Land #2210 - CVE-2013-5019: Ultra Mini HTTPD Stack Buffer Overflow 2013-08-12 19:13:58 -05:00
sinn3r 51d9c59dcd Extra tabs, bye 2013-08-12 19:13:20 -05:00
Nathan Einwechter db78ffcc46 ... 2013-08-12 18:21:10 -04:00
Nathan Einwechter 49bcec5c92 Additional cleanup 2013-08-12 18:20:03 -04:00
jvazquez-r7 b3f229ff59 Add module for CVE-2013-3928 2013-08-12 17:18:30 -05:00
Nathan Einwechter 7014322dfd Code cleanup 2013-08-12 18:16:00 -04:00
Nathan Einwechter 264fe32705 Added new badchars 2013-08-12 18:08:49 -04:00
Nathan Einwechter bbc93b2a58 msftidy 2013-08-12 15:14:01 -04:00
Nathan Einwechter 28f030494e Use tcp mixin/clean corrupt bytes 2013-08-12 15:12:15 -04:00
jvazquez-r7 8ac01d3b8e Fix description and make it aggressive 2013-08-12 11:19:25 -05:00
Nathan Einwechter 7854c452d2 Added more payload padding 2013-08-12 11:10:10 -04:00
Nathan Einwechter 9f33a59dc2 Fix target ret 2013-08-12 11:04:55 -04:00
Nathan Einwechter 6f96445b42 Change target ret/cleanup 2013-08-12 10:13:48 -04:00
Nathan Einwechter a35d548979 Use HttpClient 2013-08-12 10:01:01 -04:00
bcoles d63d7bc7da Add Open-FTPD 1.2 Writable Directory Traversal Execution 2013-08-12 08:49:49 +09:30
Nathan Einwechter 896320ed42 fix typo 2013-08-11 16:48:43 -04:00
Nathan Einwechter 4b14fa53e0 tidy debugs 2013-08-11 16:39:41 -04:00
Nathan Einwechter 90ef224c46 Implement CVE-2012-5019 2013-08-11 16:33:40 -04:00
Nathan Einwechter 185ef2ecae msftidy 2013-08-10 16:01:44 -04:00
Nathan Einwechter 6fe4e3dd0e Added Intrasrv 1.0 BOF 2013-08-10 15:56:07 -04:00
sinn3r 5128458c90 Land #2201 - Better check for ppr_flatten_rec 2013-08-09 14:44:23 -05:00
sinn3r 021c358159 Land #2203 - Fix regex for x64 detection 2013-08-09 13:23:38 -05:00
Sagi Shahar 7178633140 Fixed architecture detection in bypassuac modules 2013-08-09 03:42:02 +02:00
Meatballs 318280fea7 Add 7/2k8 RTM versions 2013-08-08 20:02:14 +01:00
Meatballs d64352652f Adds unsupported Vista versions 2013-08-08 19:58:40 +01:00
Meatballs 08c32c250f File versions 2013-08-08 19:42:14 +01:00
sinn3r a03d71d60e Land #2181 - More targets for hp_sys_mgmt_exec 
Thanks mwulftange!
 2013-08-08 13:35:33 -05:00
jvazquez-r7 0f975da5f4 Update target info and something else... 2013-08-07 16:00:06 -05:00
jvazquez-r7 d1beb313f6 Add module for 2013-1690 2013-08-07 15:36:54 -05:00
jvazquez-r7 9790181dd2 Land #2176, @wchen-r7's fix for [TestRM #8272] 2013-08-05 13:10:25 -05:00
Tod Beardsley 40f015f596 Avoid require race with powershell 2013-08-05 09:56:32 -05:00
Tod Beardsley a885ff9bcc Use consistent caps for 'PowerShell' 2013-08-05 09:33:49 -05:00
Tod Beardsley 5ea67586c8 Rewrite description for MS13-005 
The first part of the description was copy-pasted from

http://packetstormsecurity.com/files/122588/ms13_005_hwnd_broadcast.rb.txt

which contained some grammatical errors. Please try to avoid cribbing
other researchers' descriptions directly for Metasploit modules.
 2013-08-05 09:29:29 -05:00
Tod Beardsley e7206af5b5 OSVDB and comment doc fixes 2013-08-05 09:08:17 -05:00
Markus Wulftange 8cc07cc571 Merge Linux and Windows exploit in multi platform exploit 2013-08-02 18:49:03 +02:00
Ruslaideemin f927d1d7d3 Increase exploit reliability 
From some limited testing, it appears that this exploit is
missing \x0d\x0a in the bad chars. If the generated payload / hunter
or egg contain that combination, it seems to cause reliability issues
and exploitation fails.

The home page for this software can be found at
http://www.leighb.com/intrasrv.htm
 2013-08-02 09:06:20 +10:00
Markus Wulftange 4a127c2ed2 Add hp_sys_mgmt_exec module for Linux and enhance module for Windows 
The hp_sys_mgmt_exec module for Linux is a port of the Windows module with minor changes due to the requirement of quotes. It also uses Perl instead of PHP as PHP may not always be in the environment PATH. Although the Windows module works perfectly, it now uses the same technique to encode the command (thankfully, PHP adopted major syntax characteristics and functions from Perl).
 2013-07-31 22:05:25 +02:00
sinn3r 8c47f1df2d We don't need this option anymore 2013-07-31 03:30:34 -05:00
sinn3r af0046658b Change the way file is stored 2013-07-31 03:28:24 -05:00
Tod Beardsley 7e539332db Reverting disaster merge to 593363c5f with diff 
There was a disaster of a merge at 6f37cf22eb that is particularly
difficult to untangle (it was a bad merge from a long-running local
branch).

What this commit does is simulate a hard reset, by doing thing:

 git checkout -b reset-hard-ohmu
 git reset --hard 593363c5f9
 git checkout upstream-master
 git checkout -b revert-via-diff
 git diff --no-prefix upstream-master..reset-hard-ohmy > patch
 patch -p0 < patch

Since there was one binary change, also did this:

 git checkout upstream-master data/exploits/CVE-2012-1535/Main.swf

Now we have one commit that puts everything back. It screws up
file-level history a little, but it's at least at a point where we can
move on with our lives. Sorry.
 2013-07-29 21:47:52 -05:00
jvazquez-r7 05be76ecb7 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-07-29 16:41:22 -05:00
sinn3r ab75d00f8a Land #2169 - Description update 2013-07-29 14:24:57 -05:00
Meatballs 7801eadbc2 psh description 2013-07-29 19:14:12 +01:00
jvazquez-r7 455569aee8 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-07-29 12:10:12 -05:00
jvazquez-r7 3a05993f16 Make msftidy happy and warn user about long times 2013-07-29 11:45:30 -05:00
Tod Beardsley 37312f2aa9 Module, singular 2013-07-29 10:58:36 -05:00
Tod Beardsley 11e9cca855 Spelling and description touch ups. 2013-07-29 10:57:19 -05:00
Meatballs 234e49d982 Add type technique 2013-07-26 23:33:16 +01:00
jvazquez-r7 805a9675a7 Modify the check for Integrity Level and Allow dropt o fs 2013-07-26 14:54:50 -05:00
Meatballs 12a58c730a Small fix 2013-07-26 10:15:47 +01:00
Meatballs 6a13ed0371 Missing include 2013-07-26 03:18:17 +01:00
Meatballs 72b8891ba3 Check for low integrity 2013-07-26 03:16:45 +01:00
Meatballs 030640d5bc back to cmd 2013-07-26 03:00:36 +01:00
Meatballs d3f3e5d63e Working with psh download 2013-07-26 02:29:55 +01:00
Meatballs b99ad41a64 Add api constants and tidy 2013-07-26 01:48:39 +01:00
Meatballs 0235e6803d Initial working 2013-07-25 23:24:11 +01:00
jvazquez-r7 5014919198 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-07-25 09:02:20 -05:00
Sean Verity dff35c0820 Minor update to Target Selection. Refer to comments on #2128. 2013-07-24 19:02:47 -04:00
Sean Verity d478df520f Merge remote-tracking branch 'rapid7/master' 
Starting fresh.
 2013-07-24 18:31:53 -04:00
jvazquez-r7 e9a4f6d5da Merge branch 'dll_fix' of https://github.com/Meatballs1/metasploit-framework 2013-07-24 14:00:52 -05:00
Meatballs 44cae75af1 Cleanup 2013-07-24 19:52:59 +01:00
jvazquez-r7 dbad1a5e4c Clean up description 2013-07-24 12:02:33 -05:00
jvazquez-r7 18dbdb828f Land #2133, @Meatballs1's exploit for PSH Web Delivery 2013-07-24 12:01:37 -05:00
Meatballs f79d3f7591 Shorten cmd 2013-07-24 17:48:03 +01:00
jvazquez-r7 47c21dfe85 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-07-24 11:42:11 -05:00
Meatballs 8103baf21a Update title 2013-07-24 17:29:23 +01:00
Meatballs 18ac83bec1 Final updates and tidy 2013-07-24 17:28:19 +01:00