Commit Graph

11835 Commits (b3b04c4159baa5685d1fcd0e7d136cd628e818bf)

Author SHA1 Message Date
jvazquez-r7 57d60c66f9 Add masqform version as comment 2013-12-27 10:59:23 -06:00
jvazquez-r7 341e3c0370 Use rexml 2013-12-27 10:55:36 -06:00
jvazquez-r7 ee35f9ac30 Add module for zdi-13-274 2013-12-27 10:20:44 -06:00
Tod Beardsley d6a63433a6 Space at EOL 2013-12-26 10:37:18 -06:00
Tod Beardsley 5ce862a5b5 Add OSVDB 2013-12-26 10:33:46 -06:00
Tod Beardsley c34a5f3758 Unacronym the title on Poison Ivy C&C 2013-12-26 10:30:30 -06:00
Tod Beardsley 47765a1c4f Fix chargen probe title, comment on the CVE 2013-12-26 10:29:11 -06:00
Tod Beardsley 056661e5dd No at-signs in names please. 2013-12-26 10:26:01 -06:00
jvazquez-r7 b02e21a1d3 Land #2779, @wchen-r7's mod to raise Msf::OptionValidateError when PORTS is invalid 2013-12-26 09:27:27 -06:00
sinn3r 78db7429d0 Turns out the latest Safari is still vulnerable.
The version check is currently disabled because turns out the latest
Safari (6.1.1) is still vulnerable - I can still loot it in plain
text.
2013-12-24 19:27:45 -06:00
sinn3r a26e12b746 Updates description and improves regex for safari_lastsession.rb
This updates two things for the safari_lastsession post module:

1. The description is updated: More information is added to describe
how Safari would end up storing the Gmail credential in the last
session state, and what it means to you as an attacker.

2. Regex update for the domain to search for: Before the module starts
extract the session data, it needs to know which domain to extract from.
Originally I only added mail.google.com, but turns out the sensitive info
can be found in accounts.google.com, so I added that one.
2013-12-24 14:00:55 -06:00
rbsec 86a94022c0 Fix lotus_domino_hashes not working.
Some Lotus Domino servers prefix the "dspHTTPPassword" with a dollar
sign. Updated regex to take this into account.
2013-12-24 11:57:13 +00:00
sinn3r 90ce761681 Land #2790 - RealNetworks RealPlayer Version Attribute Buffer Overflow 2013-12-24 00:39:54 -06:00
sinn3r 367dce505b Minor details 2013-12-24 00:39:15 -06:00
sgabe f687a14539 Added support for opening via menu. 2013-12-24 03:12:49 +01:00
sinn3r 213556761a Land #2765 - Added Poison Ivy Command and Control Scanner 2013-12-23 17:36:18 -06:00
sinn3r 0a07bbdf2e Minor changes 2013-12-23 17:35:42 -06:00
jvazquez-r7 88b3b2c78e Switch RHOSTS to TARGETS and add validation 2013-12-23 11:58:26 -06:00
sinn3r 9c484dd0a3 Land #2786 - HP SiteScope issueSiebelCmd Remote Code Execution 2013-12-23 02:34:01 -06:00
sinn3r 5b647ba6f8 Change description
Pre-auth is implied.
2013-12-23 02:33:17 -06:00
sgabe 287271cf98 Fixed date format. 2013-12-22 01:32:16 +01:00
sgabe 0ac495fef8 Replaced hex with plain text. 2013-12-22 01:31:37 +01:00
Bruno Morisson 94da642f5c fixed typo: innacurated -> inaccurate 2013-12-21 20:36:43 +00:00
Bruno Morisson c387a850ca Fixed default value for RESOLVE (local) 2013-12-21 19:21:57 +00:00
Meatballs bf8c0b10fa Dont store n/a creds 2013-12-21 09:04:02 +00:00
Bruno Morisson 6ce0bab036 Cleanup, also split IP addresses separated by commas. 2013-12-21 00:15:00 +00:00
jvazquez-r7 f43bc02297 Land #2787, @mwulftange's exploit for CVE-2013-6955 2013-12-20 17:03:10 -06:00
jvazquez-r7 163a54f8b1 Do send_request_cgi final clean up 2013-12-20 17:00:57 -06:00
sgabe 44ab583611 Added newline to end of file. 2013-12-20 22:40:45 +01:00
sgabe 62f71f6282 Added module for CVE-2013-6877 2013-12-20 22:37:09 +01:00
SeawolfRN bf2dc97595 Merge branch 'poisonivyscanner' of github.com:SeawolfRN/metasploit-framework into poisonivyscanner 2013-12-20 18:46:35 +00:00
SeawolfRN ae7a0159e7 Changed to Puts and get_once - also forgot the timeout... 2013-12-20 18:44:42 +00:00
jvazquez-r7 8be481f324 Land #2681, @mcantoni and @todb-r7's support for chargen 2013-12-20 11:53:08 -06:00
jvazquez-r7 12efa99ce5 Fix udp_sweep 2013-12-20 11:47:48 -06:00
jvazquez-r7 2dc7ef4398 Fix udp_probe 2013-12-20 11:45:27 -06:00
jvazquez-r7 af13334c84 Revert gsub! 2013-12-20 11:39:49 -06:00
sinn3r ce8b8e8ef9 Land #2783 - OpenSIS 'modname' PHP Code Execution 2013-12-20 11:29:10 -06:00
sinn3r d0ef860f75 Strip default username/password
There isn't one. So force the user to supply one.
2013-12-20 11:28:18 -06:00
sinn3r 52a4e55804 Land #2781 - Firefox 5.0 - 15.0.1 __exposedProps__ XCS Code Execution 2013-12-20 11:25:50 -06:00
jvazquez-r7 1da961343a Do final (minor) cleanup 2013-12-20 11:20:29 -06:00
Tod Beardsley 2f34f8458b Downcase chargen service name 2013-12-20 10:41:53 -06:00
Tod Beardsley 35c847da94 Add chargen to udp_probe and udp_sweep
This simplifies the checks considerably for PR #2681 from @mcantoni
2013-12-20 10:32:15 -06:00
jvazquez-r7 a043d384d4 Land #2738, @jiuweigui update to enum_prefetch 2013-12-20 10:26:54 -06:00
Markus Wulftange 929f3ea35c Turn Auxiliary module into Exploit module 2013-12-20 16:45:38 +01:00
jvazquez-r7 eba164d2e3 Clean chargen_probe 2013-12-20 09:10:15 -06:00
Markus Wulftange 15f6a62f90 Msf::Exploit::Remote::HttpClient already provides 'peer' 2013-12-20 15:10:10 +01:00
Markus Wulftange 0718c27f47 Use 'unless' instead of 'if not' 2013-12-20 15:09:32 +01:00
Markus Wulftange fe66d2437b Add module for CVE-2013-6955
Auxiliary module for Synology DiskStation Manager (DMS) SLICEUPLOAD
vulnerability, which allows unauthenticated remote command execution
under root privileges.
2013-12-20 11:50:02 +01:00
bcoles fb6cd9c149 add osvdb+url refs and module tidy up 2013-12-20 20:27:07 +10:30
sinn3r 2510580c19 Land #2784 - Remove EOL whitespace from OS X hashdump 2013-12-20 03:54:37 -06:00
OJ 0db062a1ce Merge branch 'meatballs-vncdll-submodule' 2013-12-20 18:29:27 +10:00
OJ 34cdec5155 Update project VS 2013, clean CLI build
* Project system updated to VS 2013.
* Clean builds, had to remove a bunch of warnings.
* `make.bat` for building from the command line.
* Removed RDI stuff that shouldn't be there any more.
* Renamed the x86 DLL to include the platform name.
2013-12-20 09:49:15 +10:00
jvazquez-r7 4816abe63b Add module for ZDI-13-263 2013-12-19 17:48:52 -06:00
Bruno Morisson 6ac0aad38b Prevent report_* when RESOLVE is remote, since hostname may be unknown and local resolution fail, thus spitting out an error and failing 2013-12-19 23:37:13 +00:00
Bruno Morisson c881ef5472 Unreachable and time out error identification 2013-12-19 22:59:56 +00:00
Matteo Cantoni a199dc39af used the recvfrom timeout 2013-12-19 20:56:11 +01:00
Joe Vennix 8e27e87c81 Use the right disclosure date. 2013-12-19 12:58:52 -06:00
Joe Vennix 955dfe5d29 msftidy it up. 2013-12-19 12:53:58 -06:00
Joe Vennix b50bbc2f84 Update module to use sinn3r's beautiful browserexploitserver. 2013-12-19 12:49:24 -06:00
Bruno Morisson 773d4c5cd1 commented out response packet vprint 2013-12-19 18:35:11 +00:00
Bruno Morisson ad8a156263 RHOSTS can be a comma separated list of hostnames 2013-12-19 18:33:32 +00:00
Bruno Morisson 564601e083 msftidy - fixed 2013-12-19 17:30:34 +00:00
Bruno Morisson 2480f023b1 Dropped scanner mixin. Tried to maintain usage 2013-12-19 17:15:44 +00:00
William Vu 9434d60021 Remove EOL whitespace from OS X hashdump 2013-12-19 10:39:49 -06:00
bcoles fc2da15c87 Add OpenSIS 'modname' PHP Code Execution module for CVE-2013-1349 2013-12-19 19:10:48 +10:30
Joe Vennix eb08a30293 Update description with new version support. 2013-12-19 02:08:55 -06:00
Joe Vennix 5ee6c77901 Add a patch for 15.x support.
* Also add authors I forgot, oops
2013-12-19 02:05:45 -06:00
Joe Vennix 2add2acc8f Use a smaller key size, harder to spot. 2013-12-18 21:02:23 -06:00
Joe Vennix 8d183d8afc Update versions, 4.0.1 does not work on windows. 2013-12-18 20:57:47 -06:00
Joe Vennix cb390bee7d Move comment. 2013-12-18 20:37:33 -06:00
Joe Vennix 23b5254ea1 Fix include reference. 2013-12-18 20:35:43 -06:00
Joe Vennix 5255f8da12 Clean up code. Test version support.
* Using #get in Object#defineProperty call makes the payload execute immediately
on all supported browsers I tested.
* Moved Ranking to Excellent since it is now 100% reliable.
2013-12-18 20:30:08 -06:00
Bruno Morisson 21d959c58d RESOLVE option takes either "remote" or "local" 2013-12-19 00:38:47 +00:00
Bruno Morisson 1778a08e98 Keeping changes away from the "ip" variable 2013-12-19 00:19:58 +00:00
sinn3r d41f05e0b6 Land #2776 - Avoid having the same port twice 2013-12-18 18:09:43 -06:00
Bruno Morisson 7ebcd5a8c9 Option to perform host resolution on remote saprouter 2013-12-18 23:53:58 +00:00
jvazquez-r7 198667b650 Land #2774, @Mekanismen's module for CVE-2013-7091 2013-12-18 16:23:44 -06:00
jvazquez-r7 aec2e0c92c Change ranking 2013-12-18 16:23:14 -06:00
jvazquez-r7 f21d666631 Land #2744, @rcvalle module for CVE-2013-2050 2013-12-18 16:19:25 -06:00
jvazquez-r7 0eac17083a Clean cfme_manageiq_evm_pass_reset 2013-12-18 16:16:32 -06:00
jvazquez-r7 d4ec858051 Clean zimbra_lfi 2013-12-18 15:46:37 -06:00
sinn3r 8dfa2e6963 Land #2734 - OSX Gather Autologin Password as Root 2013-12-18 15:37:45 -06:00
sinn3r 5011c4d928 The "unless" Ruby nazi is in town 2013-12-18 15:28:31 -06:00
sinn3r 5ec3d5f3f6 Raise specific exceptions 2013-12-18 15:27:49 -06:00
sinn3r 4bddd077ec Land #2762 - Use new ntdll railgun functions 2013-12-18 15:18:47 -06:00
sinn3r ee87f357b0 Raise Msf::OptionValidateError when the PORTS option is invalid
Instead of print_error for invalid ports, modules should be raising
Msf::OptionValidateError to warn the user about the invalid input.
2013-12-18 15:04:53 -06:00
sinn3r 4028dcede7 Add an input check for datastore option PORTS
If Rex::Socket.portspec_crack returns an empty array, we assume
there are no valid ports to test, so we raise an OptionValidateError
to warn the user about it.
2013-12-18 14:55:51 -06:00
Joe Vennix 64273fe41d Move addon datastore options into mixin. 2013-12-18 14:42:01 -06:00
Joe Vennix ca2de73879 It helps to actually commit the exploit. 2013-12-18 14:31:42 -06:00
Joe Vennix 1235615f5f Add firefox 15 chrome privilege exploit.
* Moves the logic for generating a firefox addon into its own mixin
* Updates the firefox_xpi_bootstrapped_addon module to use the mixin
* Module only works if you move your mouse 1px in any direction.
2013-12-18 14:30:35 -06:00
Tod Beardsley c4b8178663 Correct camelCase of YouTube 2013-12-18 14:06:45 -06:00
Mekanismen 0c0e8c3a49 various updates 2013-12-18 20:54:35 +01:00
Ramon de C Valle b9a9b90088 Update module to use added bcrypt gem 2013-12-18 16:15:35 -02:00
Ramon de C Valle e20569181b Remove EzCrypto-related code as per review 2013-12-18 16:15:22 -02:00
jvazquez-r7 ab69454f89 Land #2745, @rcvalle's exploit for CVE-2013-2068 2013-12-18 12:06:27 -06:00
jvazquez-r7 ec64382efc Fix cfme_manageiq_evm_upload_exec according to chat with @rcvalle 2013-12-18 11:53:30 -06:00
Ramon de C Valle ef081cec49 Add missing disclosure date as per review 2013-12-18 15:47:23 -02:00
jvazquez-r7 a28ea18798 Clean pull request 2013-12-18 11:32:34 -06:00
OJ a4811bd0c3 Land #2760 2013-12-18 17:17:10 +10:00
OJ 5e4c395f86 Fix small spacing issue 2013-12-18 17:14:47 +10:00
sinn3r 10e16673a7 There must be read_file 2013-12-17 16:42:49 -06:00
sinn3r 21feae0bbc Make sure the file path is readable when it's ~/ 2013-12-17 16:38:58 -06:00
jvazquez-r7 345e1711b1 Land #2775, @wchen-r7's post module to Safari get LastSession.plist 2013-12-17 15:57:50 -06:00
jvazquez-r7 7ec96876d9 Delete unnecessary includes 2013-12-17 15:57:09 -06:00
sinn3r 374ef71c12 Favor read_file instead 2013-12-17 15:34:52 -06:00
jvazquez-r7 80eea97ccd ChrisJohnRiley fix for sap_service_discovery 2013-12-17 13:31:56 -06:00
sinn3r ea6ba2b159 Add post module to get LastSession.plist
LastSession.plist sometimes contains sensitive information such as
usernames and passwords. It'd be nice to keep this in loot.
2013-12-17 13:07:30 -06:00
Mekanismen 2de15bdc8b added module for Zimbra Collaboration Server CVE-2013-7091 2013-12-17 19:32:04 +01:00
William Vu 252909a609 Land #2448, @OJ's ReverseListenerBindPort :) 2013-12-17 11:24:09 -06:00
bmerinofe 89ffafad0e Changes to Service mixin 2013-12-17 13:10:27 +01:00
sinn3r ad2ec497c2 Land #2773 - Fix ms_ndproxy to work under a sandboxed Reader 2013-12-16 20:32:27 -06:00
jvazquez-r7 52cb43e6a8 Fix typo 2013-12-16 20:28:49 -06:00
zeknox 2eee34babf added timeout options and rescue timeout 2013-12-16 20:00:13 -06:00
zeknox fe34d0e36e fixed syntax 2013-12-16 19:26:40 -06:00
zeknox 7b8de95f6b fixed database overwriting issues 2013-12-16 19:16:12 -06:00
zeknox 07f686bb1a added ResolverArgumentError rescue statement 2013-12-16 18:46:14 -06:00
jvazquez-r7 84759a552a Save one variable 2013-12-16 16:49:44 -06:00
jvazquez-r7 042bd4f80b Fix ms_ndproxy to work under a sandboxed Reader 2013-12-16 16:19:17 -06:00
SeawolfRN 24bc10905e Added Spaces and removed Interrupt 2013-12-16 22:12:35 +00:00
Tod Beardsley f88a3a55b6 More slight updates. 2013-12-16 15:05:39 -06:00
sinn3r afcee93309 Land #2771 - Fix description 2013-12-16 15:01:32 -06:00
sinn3r 04b7e8b174 Fix module title and add vendor patch information 2013-12-16 14:59:00 -06:00
Tod Beardsley 040619c373 Minor description changes
No code changes (one comment made on play_youtube to suggest xdg-open
rather than firefox for linux targets).
2013-12-16 14:57:33 -06:00
jvazquez-r7 533accaa87 Add module for CVE-2013-3346 2013-12-16 14:13:47 -06:00
jiuweigui 446db78818 Minor fix to gather_pf_info function 2013-12-16 21:33:07 +02:00
SeawolfRN bf561fef95 Corrected Extraneous Whitespace\Newlines 2013-12-16 16:38:49 +00:00
SeawolfRN 79022c2e29 Probably should have checked it worked... 2013-12-16 11:33:08 +00:00
SeawolfRN 59003a9842 Updated Poison Ivy Scanner 2013-12-15 22:02:14 +00:00
SeawolfRN 226cd241bf Added Poison Ivy Command and Control Scanner
Auxiliary module to scan for Poison Ivy C&C on ports 80,8080,443 and 3460
2013-12-15 14:34:50 +00:00
Meatballs 3dec7f61a5 Check in sysnative if wow64 2013-12-15 01:12:52 +00:00
Meatballs 2dc4faad72 Resplat license 2013-12-15 01:12:51 +00:00
Meatballs 8203274256 Small fixes
Remove " from service command if it is quoted.
Spawn SYSWOW64 notepad.
2013-12-15 01:12:51 +00:00
OJ f2e2147065 Change unless with else to if with else 2013-12-15 01:12:50 +00:00
OJ cff7008500 Fix final issues with merge
Hopefully this will be the last of the changes.
2013-12-15 01:12:50 +00:00
OJ 41c538856a Re-add RDI mixin changes 2013-12-15 01:12:49 +00:00
OJ db29af0f97 First batch of submodule refactorings 2013-12-15 01:12:48 +00:00
Meatballs 6916f7c5d2 Fixup description 2013-12-15 01:12:47 +00:00
Meatballs 3d1646d18e Exit process when complete 2013-12-15 01:12:47 +00:00
Meatballs dd32c2b0b8 Spawn 32bit process 2013-12-15 01:12:46 +00:00
Meatballs 819ba30a33 msftidy
Conflicts:
	lib/msf/core/post/windows/services.rb
2013-12-15 01:12:46 +00:00
Meatballs 5eca4714c2 Renamed module 2013-12-15 01:12:46 +00:00
Meatballs a930056d7f Added service status checks to Post::Windows::Services
Added QueryServiceStatus to Railgun Advapi32 Definitions
Added Checks to module

Conflicts:
	lib/msf/core/post/windows/services.rb
	lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_advapi32.rb
2013-12-15 01:12:45 +00:00
Meatballs c6623b380a Initial commit 2013-12-15 01:12:45 +00:00
Matteo Cantoni 999006e037 fixed some things, as suggested by jvazquez-r7 2013-12-14 19:41:31 +01:00
bmerinofe f185c2deb1 added driver_loaded post meterpreter module 2013-12-14 00:07:04 +01:00
jvazquez-r7 e8396dc37a Delete redefinition of ntdll functions on railgun 2013-12-13 16:02:47 -06:00
sinn3r ba1a70b72e Update Microsoft patch information 2013-12-13 15:59:15 -06:00
jvazquez-r7 1ab3e891c9 Modify ms_ndproxy to use railgun additions 2013-12-13 15:54:34 -06:00
sinn3r 14a3d76410 Land #2755 - Microsoft Windows ndproxy.sys Local Privilege Escalation 2013-12-13 15:18:13 -06:00
zeknox e6f1f648be modified wordlist path, modified report_goods to log udp or tcp, made wordlist not required 2013-12-13 10:49:44 -06:00