Commit Graph

24956 Commits (b1ff6b95b5254cf679f13e6329ddba1f4730eaf1)

Author SHA1 Message Date
Trevor Rosen 661abe65c4 Merge pull request #30 from rapid7/feature/MSP-9971/cred-creation
Feature/msp 9971/cred creation
2014-05-30 13:13:03 -05:00
David Maloney ba525c7b78
use metasploit-credential creation methods 2014-05-30 13:07:11 -05:00
Tod Beardsley 8f52133471
Land #3281, require latest Ruby 1.9.3
Note, this will cause developer environments to complain until Ruby is
reinstalled. It's probably a good idea to reinstall anyway, though,
since people who haven't in a while may have been linked against a
Heartbleed-vulnerable openssl library.
2014-05-30 12:55:54 -05:00
jvazquez-r7 4a1fea7abb
Land #2948, @juushya's PocketPAD login bruteforce module 2014-05-30 11:47:16 -05:00
jvazquez-r7 b0bdfa7680 Clean up code 2014-05-30 11:44:42 -05:00
jvazquez-r7 fb59221189
Land #2494, @juushya's etherpadduo login module 2014-05-30 11:35:28 -05:00
jvazquez-r7 d92a7adc68 change module filename 2014-05-30 11:31:49 -05:00
David Maloney 98a23881ee
remove cred creation methods
removed cred creation methods from framework
and include them from the metasploit-credential gem instead
2014-05-30 11:28:53 -05:00
jvazquez-r7 40a103967e Minor code cleanup 2014-05-30 11:28:37 -05:00
Spencer McIntyre e2cc2fece0 Pymeterpreter update win reg functions for python v3 2014-05-30 10:51:36 -04:00
jvazquez-r7 c1368dbb4c Use %windir% 2014-05-30 09:06:41 -05:00
jvazquez-r7 6f330ea190 Add deprecation information 2014-05-29 17:38:01 -05:00
jvazquez-r7 0d07fb6c39
Land #2858, @jiuweigui's post module to enumerate Enumerate MUICache 2014-05-29 17:08:50 -05:00
jvazquez-r7 a6229aedff Rescue RequestError when downloading file 2014-05-29 17:07:22 -05:00
jvazquez-r7 f2a71a47ca Use \&\& instead of and 2014-05-29 17:04:38 -05:00
jvazquez-r7 31c282153e Avoid ntuser.dat md5 because is causing problems, even when data is extracted 2014-05-29 17:02:28 -05:00
David Maloney e012d55d73
refactor mremote
mremote post module now refactored to
use new metasploit credentials
2014-05-29 16:27:41 -05:00
William Vu 3a9f7fb7f9
Land #3405, improved Nokogiri check for msftidy 2014-05-29 16:21:26 -05:00
jvazquez-r7 95b71dee00 Try to fix crash while file_remote_digest 2014-05-29 16:12:51 -05:00
David Maloney a1131092b7
fix open rescue
rescuing all exceptions bad
bad past dave bad
2014-05-29 16:05:16 -05:00
jvazquez-r7 cbbd7bfdf4 Refacotor code 2014-05-29 15:55:44 -05:00
David Maloney bf3bb63e4a
fix mremote to work on mremoteNG
fixed the mremote credential post module to work
against the newer mRemoteNG
2014-05-29 15:43:02 -05:00
Spencer McIntyre 04e94b0c07 Fix meterpreter and file tests for Python v3.4 on Win 2014-05-29 16:42:28 -04:00
Tod Beardsley 4b97418f07
Land todb-r7#8, better nested if 2014-05-29 15:19:04 -05:00
David Maloney f61aeb818a
smart hashdump refactor
refactor the windows smart hashdump post module
to use the new cred creation methods
2014-05-29 15:06:42 -05:00
jvazquez-r7 cdabb71d23 Make code cleanup 2014-05-29 14:51:10 -05:00
Spencer McIntyre 15dc33591b In pymeterpreter use a MeterpreterFile obj for Py v3 2014-05-29 15:09:09 -04:00
David Maloney e3c4745879
Windows Hashdump post module refactor
refactor the Hashdump post module for window
to use the new cred creation methods.
Also some extra methods to do db safe checks
for record ids that we need
2014-05-29 13:20:32 -05:00
William Vu 17fb48eaa3
Refactor check_nokogiri in msftidy 2014-05-29 13:20:23 -05:00
Spencer McIntyre d8dcfd8f41 Update pymeterpreter netlink to support python3 2014-05-29 13:48:15 -04:00
jvazquez-r7 aea0379451 Fix typos 2014-05-29 12:37:51 -05:00
David Maloney 696d2b7e6b
Merge branch 'master' into staging/electro-release 2014-05-29 12:30:32 -05:00
sinn3r 3a3d038904
Land #3397 - ElasticSearch Dynamic Script Arbitrary Java Execution 2014-05-29 12:21:21 -05:00
sinn3r dfa61b316e A bit of description change 2014-05-29 12:20:40 -05:00
Tod Beardsley 2ce6f325f5
Be more specific with Nokogiri check
There are still strong reservations about using Nokogiri to parse
untrusted XML data.

http://www.wireharbor.com/hidden-security-risks-of-xml-parsing-xxe-attack/

It is also believed that many desktop operating systems are still
shipping out-of-date and vulnerable libxml2 libraries, which become
exposed via Nokogiri. For example:

http://stackoverflow.com/questions/18627075/nokogiri-1-6-0-still-pulls-in-wrong-version-of-libxml-on-os-x

While this isn't a problem for binary builds of Metasploit (Metasploit
Community, Express, or Pro) it can be a problem for development
versions or Kali's / Backtrack's version.

So, the compromise here is to allow for modules that don't directly
expose XML parsing. I can't say for sure that the various libxml2
vulnerabilities (current and future) aren't also exposed via
`Nokogiri::HTML` but I also can't come up with a reasonable demo.

Metasploit committers should still look at any module that relies on
Nokogiri very carefully, and suggest alternatives if there are any. But,
it's sometimes going to be required for complex HTML parsing.

tl;dr: Use REXML for XML parsing, and Nokogiri for HTML parsing if you
absolutely must.
2014-05-29 11:52:17 -05:00
jvazquez-r7 75777cb3f9 Add IE11SandboxEscapes source 2014-05-29 11:38:43 -05:00
dmaloney-r7 e669324366 Merge pull request #25 from rapid7/feature/MSP-9673/axis2-login-scanner
Add axis2 login scanner
2014-05-29 11:22:22 -05:00
David Maloney 2c6f89a58d
add sane default for connection timeout 2014-05-29 11:12:59 -05:00
David Maloney d95b0497a7
add more specs
added more specs around telnet specific validations
2014-05-29 11:11:19 -05:00
William Vu 53ab2aefaa
Land #3386, a few datastore msftidy error fixes 2014-05-29 10:44:37 -05:00
David Maloney eb04a3774a
fixes for telnet wierdness
had to work around the way the old
Auxiliary::Login mixin worked. Scanner
now works properly
2014-05-29 10:43:00 -05:00
William Vu 325e75b72f
Land #3380, datastore msftidy errors set to INFO
[SeeRM #8498]
2014-05-29 10:19:59 -05:00
Spencer McIntyre 145776db4d Add a DEBUGGING option to the python meterpreter 2014-05-29 10:52:49 -04:00
Tom Sellers aa85cb8195 Update powershell.rb 2014-05-29 05:46:32 -05:00
Christian Mehlmauer 21d5e630f4
Land #3400, last msftody set-cookie warnings 2014-05-29 12:07:37 +02:00
William Vu 8a2236ecbb
Fix the last of the Set-Cookie msftidy warnings 2014-05-29 04:42:49 -05:00
James Lee dcc4d25f15
Merge branch 'feature/MSP-9640/cred_creation' into staging/electro-release 2014-05-28 16:44:51 -05:00
James Lee 572e4f2bdf
Fix dumb missing options and add spec 2014-05-28 16:32:38 -05:00
Spencer McIntyre 15b1c79039 Adjust whitespace and set bytes to str for Python 2 2014-05-28 16:30:27 -04:00
William Vu 3f86aebabf
Land #3398, CAPWAP DoS description cleanup 2014-05-28 14:55:22 -05:00