sinn3r
1e30cd55f7
Land #2740 - Real regex for MATCH and EXCLUDE
2013-12-09 03:05:08 -06:00
sinn3r
9c5991980a
Land #2733 - Disable meterpreter support because they're not stable
2013-12-09 02:50:36 -06:00
sinn3r
2f6a77861a
Land #2731 - vBulletin nodeid SQL injection (exploit)
2013-12-09 02:22:07 -06:00
sinn3r
feca3efafb
Land #2728 - vBulletin Password Collector via nodeid SQL Injection
2013-12-09 02:12:42 -06:00
sinn3r
92412279ae
Account for failed cred gathering attempts
Sometimes the SQL error doesn't contain the info we need.
2013-12-09 02:11:46 -06:00
Joe Vennix
cd66cca8a1
Make browser autopwn datastore use OptRegexp.
2013-12-08 17:46:33 -06:00
Joe Vennix
dea35252af
Kill unused method.
2013-12-08 14:35:49 -06:00
Joe Vennix
df76651834
Make sure loot is named correctly.
2013-12-08 14:31:18 -06:00
Joe Vennix
7f3ab14179
Make pipe part of /bin/bash cmd.
2013-12-08 14:27:28 -06:00
Joe Vennix
9b34a8f1ad
Supports 10.3
2013-12-08 14:26:16 -06:00
Joe Vennix
f981a04918
Fix MATCHUSER bug.
* Also add spacing and indentation for better readability.
* Refactors grab_shadow_blob method.
2013-12-08 14:21:48 -06:00
jiuweigui
2a0b503f06
Minor fix
2013-12-08 18:17:22 +02:00
Joe Vennix
eacab1b2ad
Fix description, kill dead constant.
2013-12-07 22:28:16 -06:00
Joe Vennix
969f45fd32
Refactor OSX hashdump post module.
* Adds support for MATCHUSER regex option
* Adds support for OSX 10.8 and 10.9 hashes (PBKDF2)
* DRYs up a bunch of older code, adds lots of helper fns
* Ends up shaving off ~20 lines
2013-12-07 22:22:23 -06:00
Joe Vennix
3066e62711
Fix typo, fix no-autologin users bug.
2013-12-07 19:27:36 -06:00
Joe Vennix
4cb788b9de
Adds osx autologin password post module.
2013-12-07 19:01:35 -06:00
Joe Vennix
c6eac67ab5
Kill meterpreter support for osx media modules.
There is some bug that I haven't been able to track down that causes the
osx call to run the event queue to just hang on latest OSX + Java/python
meterpreter. I tried rewriting these modules using OSX's new Media API,
but I run into the same problem. Until I find a solution, we should mark
these shell-only.
2013-12-07 17:46:26 -06:00
joev
c51e9036ae
Merge branch 'land_mipsbe_xor_encoder' into upstream-master
2013-12-07 17:28:57 -06:00
jvazquez-r7
75fb38fe8d
Land #2724, @wchen-r7 and @jvennix-r7's module for CVE-2013-6414
2013-12-07 14:26:46 -06:00
jvazquez-r7
fdebfe3d2f
Add references
2013-12-07 14:25:58 -06:00
jvazquez-r7
f77784cd0d
Land #2723, @denandz's module for OSVDB-100423
2013-12-06 17:32:07 -06:00
jvazquez-r7
3729c53690
Move uptime_file_upload to the correct location
2013-12-06 15:57:52 -06:00
jvazquez-r7
2ff9c31747
Do minor clean up on uptime_file_upload
2013-12-06 15:57:22 -06:00
sinn3r
adc241faf8
Last one, I say
2013-12-06 15:52:42 -06:00
sinn3r
17193e06a9
Last commit, I swear
2013-12-06 15:49:44 -06:00
sinn3r
58a70779ac
Final update
2013-12-06 15:48:59 -06:00
sinn3r
9f5768ae37
Another update
2013-12-06 14:53:35 -06:00
sinn3r
af16f11784
Another update
2013-12-06 14:39:26 -06:00
jvazquez-r7
d47292ba10
Add module for CVE-2013-3522
2013-12-06 13:50:12 -06:00
sinn3r
87e77b358e
Use the correct URI
2013-12-06 12:08:19 -06:00
sinn3r
5d4acfa274
Plenty of changes
2013-12-06 11:57:02 -06:00
bmerinofe
5e5fd6b01a
Unless replaced
2013-12-06 15:01:35 +01:00
Meatballs
6f02744d46
Land #2730 Typo in mswin_tiff_overflow
2013-12-06 12:32:37 +00:00
Meatballs
3aebe968bb
Land #2721 Reflective DLL Mixin
Adds support to load a dll and identify the ReflectiveLoader offset.
Adds support to inject dll into process and execute it.
Updates kitrap0d, ppr_flatten_rec, reflective_dll_inject modules and
payload modules to use above features.
2013-12-06 12:26:51 +00:00
sinn3r
89ef1d4720
Fix a typo in mswin_tiff_overflow
2013-12-06 00:44:12 -06:00
DoI
3d327363af
uptime_file_upload code tidy-ups
2013-12-06 13:45:22 +13:00
sinn3r
c07686988c
random uri
2013-12-05 18:07:24 -06:00
OJ
73d3ea699f
Remove the last redundant error check
2013-12-06 09:32:21 +10:00
jvazquez-r7
e4c6413643
Land #2718, @wchen-r7's deletion of @peer on HttpClient modules
2013-12-05 17:25:59 -06:00
jvazquez-r7
f2f8c08c8e
Use blank? method
2013-12-05 16:36:44 -06:00
OJ
2cb991cace
Shuffle RDI stuff into more appropriate structure
Now broken into two modules, one for loading RDI DLLs off disk and
finding the loader function offset, and another for doing the process
specific stuff of loading into the target.
2013-12-06 08:25:24 +10:00
jvazquez-r7
a380d9b4f2
Add aux module for CVE-2013-3522
2013-12-05 15:58:05 -06:00
William Vu
79e23a1e13
Land #2675, @JonValt's forensics/browser_history
Great job!
2013-12-05 09:35:53 -06:00
Joshua Harper PI GCFE GCFA GSEC
cd5172384f
Rename gather_browser_history.rb to browser_history.rb
2013-12-05 08:43:19 -06:00
Joshua Harper
3957bbc710
capitalization ("skype")
(https://github.com/rapid7/metasploit-framework/pull/2675#discussion_r8120307)
Removed some Chrome artifacts and renamed one to reflect "Archived History."
(https://github.com/rapid7/metasploit-framework/pull/2675#discussion_r8120314)
((Will include other doxxes in another module.))
2013-12-05 08:33:47 -06:00
jiuweigui
717f45ac09
Minor modification
2013-12-05 09:07:28 +02:00
jiuweigui
902d48efab
Delete debug prints
2013-12-05 09:03:42 +02:00
jiuweigui
492cd1ca07
Modifications to how info is collected from pf files.
2013-12-05 08:56:26 +02:00
DoI
07294106cb
Removed redundant content-type parameter
2013-12-05 14:18:26 +13:00
sinn3r
8e9723788d
Correct description
2013-12-04 17:25:58 -06:00
sinn3r
fb2fcf429f
This one actually works
2013-12-04 17:22:42 -06:00
DoI
cfffd80d22
Added uptime_file_upload exploit module
2013-12-05 11:56:05 +13:00
OJ
b936831125
Renamed the mixin module
2013-12-05 08:13:54 +10:00
sinn3r
d0071d7baa
Add CVE-2013-6414 Rails Action View DoS
2013-12-04 14:57:30 -06:00
Tod Beardsley
f5a45bfe52
@twitternames not supported for author fields
It's kind of a dumb reason but there are metasploit metadata parsers out
there that barf all over @names. They assume user@email.address. Should
be fixed some day.
2013-12-04 13:31:22 -06:00
bmerinofe
1833b6fd95
More changes. No admin privs check
2013-12-04 14:51:46 +01:00
OJ
7e8db8662e
Update name of the mixin
Changed `RdiMixin` to `ReflectiveDLLInjection`.
2013-12-04 22:18:29 +10:00
bmerinofe
05479b2a19
Added new options
2013-12-04 11:45:37 +01:00
OJ
f79af4c30e
Add RDI mixin module
MSF was starting to see more modules using RDI to load binaries into
remote processes, so it made sense to create a mixin which contained
the functionality that was being used in various locations.
This commit contains the new mixin, and adjustments to all the existing
exploits and modules which use RDI.
2013-12-04 16:09:41 +10:00
bmerinofe
5c266adfd7
added ie_proxypac post meterpreter module
2013-12-03 22:23:09 +01:00
sinn3r
bf3489203a
I missed this one
2013-12-03 13:13:14 -06:00
sinn3r
230db6451b
Remove @peer for modules that use HttpClient
The HttpClient mixin has a peer() method, therefore these modules
should not have to make their own. Also new module writers won't
repeat the same old code again.
2013-12-03 12:58:16 -06:00
sinn3r
ddbd5858e0
Land #2701 - Refactor of `ppr_flatten_rec`
Also [SeeRM #8140]
2013-12-03 10:51:58 -06:00
jvazquez-r7
2d77ed58d5
Land #2648, @pnegry's exploit for Kaseya File Upload
2013-12-03 09:35:05 -06:00
jvazquez-r7
2606a6ff0e
Do minor clean up for kaseya_uploadimage_file_upload
2013-12-03 09:34:25 -06:00
sinn3r
99dc9f9e7e
Fix msftidy warning
2013-12-03 00:09:51 -06:00
Jonathan Claudius
e37f7d3643
Use send_request_cgi instead of send_request_raw
2013-12-03 00:57:26 -05:00
Jonathan Claudius
14e600a431
Clean up res nil checking
2013-12-03 00:51:19 -05:00
Jonathan Claudius
b796095582
Use peer vs. rhost and rport for prints
2013-12-03 00:49:05 -05:00
Jonathan Claudius
0480e01830
Account for nil res value
2013-12-03 00:45:57 -05:00
Jonathan Claudius
c91d190d39
Add Cisco ASA ASDM Login
2013-12-03 00:16:04 -05:00
Thomas Hibbert
21bb8fd25a
Update based on jvazquez's suggestions.
2013-12-03 13:49:31 +13:00
jvazquez-r7
47bff9a416
Land #2711, @Mekanismen's exploit for WordPress OptimizePress theme
2013-12-02 16:30:24 -06:00
jvazquez-r7
5c3ca1c8ec
Fix title
2013-12-02 16:30:01 -06:00
jvazquez-r7
c32b734680
Fix regex
2013-12-02 16:24:21 -06:00
Tod Beardsley
55847ce074
Fixup for release
Notably, adds a description for the module landed in #2709.
2013-12-02 16:19:05 -06:00
jvazquez-r7
79a6f8c2ea
Clean php_wordpress_optimizepress
2013-12-02 15:43:41 -06:00
sinn3r
19293d89dd
Land #2704 - rm script launcher and fix file_exists?
2013-12-02 15:05:01 -06:00
Peter Toth
44e37f1b98
Improved meterpreter compatibility
2013-12-02 21:43:58 +01:00
Joshua Harper
d1dd7c291b
cosmetic (indentation)
https://github.com/rapid7/metasploit-framework/pull/2675#discussion_r7977962
2013-12-02 13:16:48 -06:00
sinn3r
20e0a7dcfb
Land #2709 - ZyXEL GS1510-16 Password Extractor
2013-12-02 13:13:01 -06:00
Sven Vetsch / Disenchant
39fbb59ba9
re-added the reference I accidentally deleted
2013-12-02 19:06:19 +01:00
Sven Vetsch / Disenchant
cb98d68e47
added @wchen-r7's code to store the password into the database
2013-12-02 18:35:59 +01:00
jvazquez-r7
ba39a8e826
Land #2705, @jjarmoc's user object configuration on rails_devise_pass_reset
2013-12-02 11:04:29 -06:00
sinn3r
bd5113c477
Land #2710 - Cisco Prime Data Center Network Manager Arbitrary File Upload
2013-12-02 11:01:53 -06:00
jvazquez-r7
7e379376dc
Land #2635, @peto01 and @jvennix-r7's osx post module to manage volumes
2013-12-02 09:22:23 -06:00
jvazquez-r7
cc2b7950bf
Do minor cleanup to mount_share
2013-12-02 09:21:36 -06:00
jvazquez-r7
d18d30a35e
Land #2706, @wchen-r7's enum_tomcat description update
2013-12-02 09:01:53 -06:00
jvazquez-r7
8d6a534582
Change title
2013-12-02 08:54:37 -06:00
jvazquez-r7
24d09f2085
Land #2700, @juushya's Oracle ILO Brute Forcer login
2013-12-02 08:53:10 -06:00
jvazquez-r7
41f8a34683
Use attempts
2013-12-02 08:43:22 -06:00
jvazquez-r7
433d21730e
Add ATTEMPTS option
2013-12-02 08:42:25 -06:00
joev
040a629f34
Kill meterpreter support.
* Meterpreter seems to fall over on the cmd escaping, and dies if you
try to pass it an array of args (python/java meterpreter on various versions
of osx).
2013-12-01 20:17:43 -06:00
joev
2de9a4f3c1
Add support for 10.5 shares.
2013-12-01 20:13:54 -06:00
jvazquez-r7
b9192c64aa
Fix @wchen-r7's feedback
2013-12-01 19:55:53 -06:00
Sven Vetsch / Disenchant
8e73023baa
and now in the correct data structure
2013-12-01 17:38:35 +01:00
Sven Vetsch / Disenchant
ef77b7fbbf
added reference as requested at https://github.com/rapid7/metasploit-framework/pull/2709
2013-12-01 17:36:15 +01:00
Mekanismen
57b7d89f4d
Updated
2013-12-01 09:06:41 +01:00
Mekanismen
045b848a30
added exploit module for optimizepress
2013-11-30 21:51:56 +01:00
jvazquez-r7
3417c4442a
Make check really better
2013-11-30 09:47:34 -06:00
jvazquez-r7
749e6bd65b
Do better check method
2013-11-30 09:46:22 -06:00
jvazquez-r7
0a7c0eea78
Fix references
2013-11-29 23:13:07 -06:00
jvazquez-r7
691d47f3a3
Add module for ZDI-13-255
2013-11-29 23:11:44 -06:00
Sven Vetsch / Disenchant
aa62800184
added ZyXEL GS1510-16 Password Extractor
2013-11-29 10:42:17 +01:00
Karn Ganeshen
bc41120b75
Updated
2013-11-29 12:47:47 +05:30
sinn3r
8817c0eee0
Change description a bit
Try to make this sound smoother
2013-11-28 12:19:42 -06:00
jvazquez-r7
807e2dfd31
Fix title
2013-11-28 10:53:12 -06:00
jvazquez-r7
7dee4ffd4d
Add module for ZDI-13-270
2013-11-28 10:47:04 -06:00
Karn Ganeshen
1109a1d157
Updated
2013-11-28 11:30:02 +05:30
Jeff Jarmoc
03838aaa79
Update rails_devise_pass_reset.rb
Fixed erroneous status if FLUSHTOKENS is false.
2013-11-27 22:27:45 -06:00
Thomas Hibbert
d1e4975f76
Use res.get_cookies instead of homebrew parse. Use _cgi
2013-11-28 16:35:36 +13:00
Joshua Harper
cdf6ffa70d
Complete refactor with lots of help from @kernelsmith and @OJ. Thank you guys so much.
2013-11-27 21:02:48 -06:00
sinn3r
a8af050c16
Update post module Apache Tomcat description
This module's description needs to be more descriptive, otherwise
you kind of have to pull the source code to see what it actually
does for you.
2013-11-27 19:21:27 -06:00
sinn3r
a02e0ee3e4
Land #2682 - Kimai v0.9.2 'db_restore.php' SQL Injection
2013-11-27 19:10:44 -06:00
OJ
0b879d8f39
Comments for WfsDelay, adjustment to injection
I had intended to add the `WfsDelay` as Meatballs suggested, but for local
exploits this doesn't appear to work as expected. After speaking to HDM
we've decided to leave the sleep in there and figure out the `WfsDelay`
thing later.
This also includes a slight refactor which puts the payload and the
exploit in the same chunk of allocated memory. Minor optimisation, but
worth it.
2013-11-28 08:42:16 +10:00
Jeff Jarmoc
7f8baf979d
Adds the ability to configure object name in URI and XML. This allows exploiting other platforms that include devise.
For example, activeadmin is exploitable if running a vulnerable devise and rails version with the following settings:
msf > use auxiliary/admin/http/rails_devise_pass_reset
msf auxiliary(rails_devise_pass_reset) > set RHOST 127.0.0.1
RHOST => 127.0.0.1
msf auxiliary(rails_devise_pass_reset) > set RPORT 3000
RPORT => 3000
msf auxiliary(rails_devise_pass_reset) > set TARGETEMAIL admin@example.com
TARGETEMAIL => admin@example.com
msf auxiliary(rails_devise_pass_reset) > set TARGETURI /admin/password
TARGETURI => /admin/password
msf auxiliary(rails_devise_pass_reset) > set PASSWORD msf_pwnd
PASSWORD => msf_pwnd
msf auxiliary(rails_devise_pass_reset) > set OBJECTNAME admin_user
OBJECTNAME => admin_user
msf auxiliary(rails_devise_pass_reset) > exploit
[*] Clearing existing tokens...
[*] Generating reset token for admin@example.com...
[+] Reset token generated successfully
[*] Resetting password to "msf_pwnd"...
[+] Password reset worked successfully
[*] Auxiliary module execution completed
msf auxiliary(rails_devise_pass_reset) >
2013-11-27 15:35:43 -06:00
Joshua Harper
1c17383eff
removed return file_loc
removed extra space
2013-11-27 15:04:31 -06:00
Joshua Harper
036cd8c5ad
couple cosmetic changes per wvu-r7
2013-11-27 14:44:39 -06:00
Peter Toth
95a98529c4
Removed script launcher wrapper and fixed the file_exists so that the module now detects input
2013-11-27 21:38:20 +01:00
jvazquez-r7
6c8df4be27
Land #2699, @wvu's fix for Linux download_exec post module
2013-11-27 10:22:35 -06:00
joev
6561f149a8
DRY up URL_REGEX constant.
2013-11-27 06:16:25 -06:00
joev
b0416b802d
Change the Recent shares implementation.
* Allows us to see protocol of Recent Shares
* Parses protocol from file share URL
2013-11-27 06:08:48 -06:00
joev
e876155e1a
More tweaks to mount_share.
* Adds some docs to some of the methods to further distinguish
the separate sets of shares.
2013-11-27 05:45:46 -06:00
joev
485e38ebca
Some code tweaks to post/osx/mount_share.
* Make PROTOCOL an Enum
* Move path override options to advanced section
* More Enumerable rework
* Move one-off regexes back to inline, pull out protocol list
2013-11-27 05:22:12 -06:00
OJ
defc0ebe5c
ppr_flatten_rec update, RDI submodule, and refactor
This commit contains a few changes for the ppr_flatten_rec local windows
exploit. First, the exploit binary itself:
* Updated to use the RDI submodule.
* Updated to build with VS2013.
* Updated to generate a binary called `ppr_flatten_rc.x86.dll`.
* Invocation of the exploit requires address of the payload to run.
Second, the module in MSF behaved a little strangely. I expected it to create
a new session with system privs and leave the existing session alone. This
wasn't the case. It used to create an instance of notepad, migrate the
_existing_ session to it, and run the exploit from there. This behaviour
didn't seem to be consistent with other local exploits. The changes
include:
* Existing session is now left alone, only used as a proxy.
* New notepad instance has exploit reflectively loaded.
* New notepad instance has payload directly injected.
* Exploit invocation takes the payload address as a parameter.
* A wait is added as the exploit is slow to run (nature of the exploit).
* Payloads are executed on successful exploit.
2013-11-27 20:44:18 +10:00
William Vu
f3e71c2c9d
Be more specific
Perl!
2013-11-27 01:03:41 -06:00
William Vu
b202b98a42
Anchor the scheme
2013-11-27 00:57:45 -06:00
William Vu
e8da97aa17
Fix extraneous use of which and cmdsub
I don't even.
2013-11-27 00:43:07 -06:00
William Vu
288476441f
Fix improper use of expand_path
I don't even.
2013-11-27 00:42:09 -06:00
Thomas Hibbert
bb0753fcdd
Updated module to comply with indentation standard and to use suggestions from reviewers
2013-11-27 16:00:00 +13:00
sinn3r
5d10b44430
Add support for Silverlight
Add support for Silverlight exploitation. [SeeRM #8705]
2013-11-26 14:47:27 -06:00
Matteo Cantoni
3111aee866
fix match and boolean expression
2013-11-26 21:42:09 +01:00
sinn3r
a914fbc400
Land #2693 - case sensitive
2013-11-26 11:16:57 -06:00
Tod Beardsley
671c0d9473
Fix nokogiri typo
[SeeRM #8730]
2013-11-26 10:54:31 -06:00
jonvalt
9dbeb55b9a
removed single quotes from inside %q{} on line 22 per https://github.com/rapid7/metasploit-framework/pull/2675#discussion_r7913331
removed empty advanced options registration on line 28 per https://github.com/rapid7/metasploit-framework/pull/2675#discussion_r7913342
2013-11-26 10:29:38 -06:00
jvazquez-r7
253719d70c
Fix title
2013-11-26 08:11:29 -06:00
sinn3r
f1c5ab95bf
Land #2690 - typo
2013-11-25 23:53:34 -06:00
William Vu
70139d05ea
Fix missed title
2013-11-25 22:46:35 -06:00
jvazquez-r7
6cb63cdad6
Land #2679, @wchen-r7's exploit for CVE-2013-3906
2013-11-25 22:04:26 -06:00
jvazquez-r7
0079413e81
Full revert the change
2013-11-25 22:04:02 -06:00
sinn3r
fa97c9fa7c
Revert this change
2013-11-25 20:54:39 -06:00
sinn3r
3247106626
Heap spray adjustment by @jvazquez-r7
2013-11-25 20:50:53 -06:00
jvazquez-r7
4c249bb6e9
Fix heap spray
2013-11-25 20:06:42 -06:00
sinn3r
385381cde2
Change target address
This one tends to work better with our boxes
2013-11-25 17:21:39 -06:00
jvazquez-r7
a7e6a79b15
Land #2685, @wchen-r7's update for the word injector description
2013-11-25 15:47:57 -06:00
jvazquez-r7
92807d0399
Land #2676, @todb-r7's module for CVE-2013-4164
2013-11-25 15:40:33 -06:00
sinn3r
57f4f68559
Land #2652 - Apache Roller OGNL Injection
2013-11-25 15:14:35 -06:00
sinn3r
8005826160
Land #2644 - MS13-090 CardSpaceClaimCollection vuln
2013-11-25 13:06:09 -06:00
sinn3r
4773270ff0
Land #2677 - MS12-022 COALineDashStyleArray vuln
2013-11-25 12:58:45 -06:00
Tod Beardsley
23448b58e7
Remove timeout checkers that are rescued anyway
2013-11-25 12:37:23 -06:00
Tod Beardsley
f311b0cd1e
Add user-controlled verbs.
GET, HEAD, POST, and PROPFIND were tested on WebRick, all successful.
2013-11-25 12:29:05 -06:00
jvazquez-r7
cc60ca2e2a
Fix module title
2013-11-25 09:33:43 -06:00
jvazquez-r7
cc261d2c25
Land #2670, @juushya's aux brute forcer mod for OpenMind
2013-11-25 09:29:41 -06:00
Karn Ganeshen
e157ff73d3
Oracle ILOM Login utility
2013-11-25 13:55:31 +05:30
bcoles
a03cfce74c
Add table prefix and doc root as fallback options
2013-11-25 17:44:26 +10:30
sinn3r
48578c3bc0
Update description about suitable targets
The same technique works for Microsoft Office 2013 as well. Tested.
2013-11-24 23:02:37 -06:00
jvazquez-r7
49441875f3
Land #2683, @wchen-r7's module name consistency fix
2013-11-24 16:51:22 -06:00
Meatballs
b015dd4f1c
Land #2532 Enum LSA Secrets
With refactoring of common methods from smart_hashdump, hashdump,
cachedump to Windows::Post::Privs
2013-11-24 18:09:33 +00:00
sinn3r
ce8b63f240
Update module name to stay consistent
This module is under windows/gather, so it must be named the same
way as the rest.
2013-11-24 01:01:29 -06:00
sinn3r
fc14a6c149
Land #2576 - NETGEAR ReadyNAS Perl Code Evaluation Vulnerability
2013-11-24 00:47:14 -06:00
Matteo Cantoni
f3b907537c
Module to identify open Chargen service
2013-11-23 17:17:24 +01:00
bcoles
d8700314e7
Add Kimai v0.9.2 'db_restore.php' SQL Injection module
2013-11-24 02:32:16 +10:30
sinn3r
9987ec0883
Hmm, change ranking
2013-11-23 00:51:58 -06:00
sinn3r
6ccc3e3c48
Make payload execution more stable
2013-11-23 00:47:45 -06:00
sinn3r
d748fd4003
Final commit
2013-11-22 23:35:26 -06:00
sinn3r
f871452b97
Slightly change the description
Because it isn't that slow
2013-11-22 19:27:00 -06:00
sinn3r
eddedd4746
Working version
2013-11-22 19:14:56 -06:00
jvazquez-r7
7e4487b93b
Update description
2013-11-22 17:37:23 -06:00
sinn3r
c8fd761c53
Progress
2013-11-22 16:57:29 -06:00
Tod Beardsley
6a28aa298e
Module for CVE-2013-4164
So far, just a DoS. So far, just tested on recent Rails with Webrick and
Thin front ends -- would love to see some testing on nginx/apache with
passenger/mod_rails but I don't have it set up at the moment.
2013-11-22 16:51:02 -06:00
jvazquez-r7
a7ad107e88
Add ruby code for ms13-022
2013-11-22 16:41:56 -06:00
Karn Ganeshen
266de2d27f
Updated
2013-11-23 00:01:03 +03:00
jonvalt
b712c77413
capitalization
2013-11-22 14:37:54 -06:00
jonvalt
52a3b93f24
Hopefully final commit.
ALL issues mentioned by todb in https://github.com/rapid7/metasploit-framework/pull/2663/ have been fixed or erased.
The only exception is comment https://github.com/rapid7/metasploit-framework/pull/2663/#discussion_r7837036 which, if omitted as recommended, breaks the module.
2013-11-22 14:17:20 -06:00
jonvalt
9addd37458
minor changes:
s/grab/gather/g
2013-11-22 14:03:54 -06:00
jonvalt
b742ed13b9
junk commit
2013-11-22 12:38:06 -06:00
sinn3r
953a96fc2e
This one looks promising
2013-11-22 12:27:10 -06:00
sinn3r
8476ca872e
More progress
2013-11-22 11:53:57 -06:00
Peter Toth
4a6511311d
Code improvements according to feedback
2013-11-22 15:35:45 +01:00
sinn3r
f1d181afc7
Progress
2013-11-22 04:51:55 -06:00
sinn3r
6d5c1c230c
Progress
2013-11-22 03:55:40 -06:00
sinn3r
4d2253fe35
Diet
2013-11-22 02:25:09 -06:00
sinn3r
8382d31f46
More progress
2013-11-21 18:48:12 -06:00
jvazquez-r7
885fedcc3b
Fix target name
2013-11-21 17:42:31 -06:00
Peter Toth
3afa21c721
Added favorite and recent shares to the output
2013-11-21 23:55:24 +01:00
sinn3r
22c7703e8b
Land #2658 - Make OGNL expressions compatible with struts 2.0.11.2
2013-11-21 15:30:42 -06:00
sinn3r
56d1c545e7
Oh look, more code
2013-11-21 14:42:07 -06:00
jvazquez-r7
851cf6f0d1
Land #2650, @pnegry's exploit for DesktopCentral 8
2013-11-21 09:30:17 -06:00
jvazquez-r7
77aa665385
Add Privileged flag
2013-11-21 09:28:28 -06:00
jvazquez-r7
2ab3ab8b66
Delete empty Payload metadata section
2013-11-21 09:27:25 -06:00
jvazquez-r7
6bd3c4c887
Fix target name
2013-11-21 09:07:25 -06:00
jvazquez-r7
4c2ad4ca9a
Fix metadata
2013-11-21 09:06:47 -06:00
jvazquez-r7
8e4c5dbb5e
improve upload_file response check
2013-11-21 09:02:11 -06:00
jvazquez-r7
8fdfeb73db
Fix use of FileDropper and improve check method
2013-11-21 09:01:41 -06:00
jvazquez-r7
4abf01c64c
Clean indentation
2013-11-21 08:32:54 -06:00
sinn3r
ddd5b0abb9
More progress
2013-11-21 04:27:41 -06:00
Karn Ganeshen
b5011891a0
corrected rport syntax
2013-11-21 08:57:45 +03:00
Karn Ganeshen
9539972340
Module for OpenMind Message-OS portal login
2013-11-21 06:33:05 +03:00
Tod Beardsley
3926617972
Land #2664, clear EOL spaces
[SeeRM #8498]
2013-11-20 17:27:06 -06:00
joev
eea811b71a
Merge branch 'landing-2601-mipsle-encoders' into upstream-master
2013-11-20 17:14:45 -06:00
sinn3r
e13e457d8f
Progress
2013-11-20 17:11:13 -06:00
William Vu
9f45121b23
Remove EOL spaces
2013-11-20 15:08:13 -06:00
William Vu
e8eb983ae1
Resplat shell_bind_tcp_random_port
2013-11-20 14:48:53 -06:00
jvazquez-r7
cec4166766
Fix description
2013-11-20 12:49:22 -06:00
jvazquez-r7
18e69bee8c
Make OGNL expressions compatible with struts 2.0.11.2
2013-11-20 12:42:10 -06:00
sinn3r
94e13a0b8a
Initial commit of CVE-2013-3906
2013-11-19 23:10:32 -06:00
Thomas Hibbert
4cc20f163b
Update References field to be compliant.
2013-11-20 13:01:21 +13:00
Thomas Hibbert
c76fa32345
Fixed reference format
2013-11-20 12:53:21 +13:00
Thomas Hibbert
26a5e37266
Use Msf::Exploit::FileDropper to register the uploaded file for cleanup.
2013-11-20 12:27:22 +13:00
Thomas Hibbert
07c76fd3e6
Module cleaned for msftidy compliance.
2013-11-20 11:33:14 +13:00
sinn3r
a9de5e2846
Land #2634 - Opt browser autopwn load list
2013-11-19 15:10:29 -06:00
jvazquez-r7
14c6ab4ca5
Add module for CVE-2013-4212
2013-11-19 10:25:52 -06:00
Tod Beardsley
ded56f89c3
Fix caps in description
2013-11-18 16:15:50 -06:00
jvazquez-r7
f963f960cb
Update title
2013-11-18 15:07:59 -06:00
jvazquez-r7
274247bfcd
Land #2647, @jvennix-r7's module for Gzip Memory Bomb DoS
2013-11-18 15:06:46 -06:00
joev
589660872e
Kill FILEPATH datastore option.
2013-11-18 14:13:25 -06:00
jvazquez-r7
f690667294
Land #2617, @FireFart's mixin and login bruteforcer for TYPO3
2013-11-18 13:37:16 -06:00
jvazquez-r7
0391ae2bc0
Delete general reference
2013-11-18 13:19:09 -06:00
jvazquez-r7
1c4dabaf34
Beautify typo3_bruteforce module
2013-11-18 13:17:15 -06:00
sinn3r
b5fc0493a5
Land #2642 - Fix titles
2013-11-18 12:14:36 -06:00
William Vu
455934a545
Land #2645, Redis spec conformity for redis_server
2013-11-18 12:00:38 -06:00
jvazquez-r7
9e46975a95
Land #2643, @ChrisJohnRiley's SkipVersionCheck for exim4_dovecot_bannercheck
2013-11-18 11:28:07 -06:00
jvazquez-r7
540b85df3f
Set SkipVersionCheck as not required
2013-11-18 11:27:32 -06:00
jvazquez-r7
f6f0d81149
Land #2632, @peto01's OSX VPN Manager post module
2013-11-18 09:49:14 -06:00
jvazquez-r7
0a930ef6e1
Clean osx vpn post module
2013-11-18 09:47:52 -06:00
jvazquez-r7
bddb314073
Fix usage of Retries
2013-11-18 09:09:20 -06:00
jvazquez-r7
237bb22771
Disable auto migrate
2013-11-18 08:54:22 -06:00
Thomas Hibbert
960f7c9bbb
Add DesktopCentral arbitrary file upload exploit.
2013-11-18 16:11:28 +13:00
Thomas Hibbert
60a245b0c3
Fix the arch declaration in uploaded module.
2013-11-18 14:49:03 +13:00
Thomas Hibbert
636fdfe2d2
Added Kaseya uploadImage exploit.
2013-11-18 14:23:34 +13:00
joev
8e889c61f7
Update description.
2013-11-17 15:48:27 -06:00
joev
f7820139dc
Add a content_type datastore option.
2013-11-17 15:38:55 -06:00
joev
43d2711b98
Default to 1 round compression.
2013-11-17 15:35:35 -06:00
joev
1e3860d648
Add gzip bomb dos aux module.
2013-11-17 14:44:33 -06:00
jiuweigui
b2e7ff4587
Small change for filetime conversion
2013-11-17 22:26:30 +02:00
jiuweigui
b73260b74c
Add functionality to enum_prefetch post module
2013-11-17 22:10:55 +02:00
jvazquez-r7
7d22312cd8
Fix redis communication
2013-11-15 19:36:18 -06:00
Tod Beardsley
89d0b3c41c
Return the splat and require on a module.
2013-11-15 12:19:53 -06:00
Tod Beardsley
36db6a4d59
Land #2616 , SuperMicro close_window BOF
2013-11-15 11:34:53 -06:00
jvazquez-r7
cbb7eb192c
Add module for CVE-2013-3918
2013-11-15 10:38:52 -06:00
Chris John Riley
5bd5eacd77
Added option to ignore banner checks
2013-11-15 15:01:11 +01:00
William Vu
2c485c509e
Fix caps on module titles (first pass)
2013-11-15 00:03:42 -06:00
jvazquez-r7
4cf16cf360
Land #2633, @OJ's port of Kitrap0d as local exploit
2013-11-14 09:27:10 -06:00
Peter Toth
7db42efdd4
Code restructure and more robust error handling
2013-11-14 13:44:49 +01:00
jvazquez-r7
fe2cd93a65
Delete ms13_037_svg_dashstyle from the browser_autopwn list
2013-11-13 23:46:50 -06:00
OJ
506a4d9e67
Remove genericity, x64 and renamed stuff
As per discussion on the github issue, the following changes were made:
* Project renamed from elevate to kitrap0d, implying that this is not
intended to be a generic local priv esc exploit container.
* Container DLL no longer generic, always calls the kitrap0d exploit.
* Removal of all x64 code and project configurations.
* Invocation of the exploit changed so that the address of the payload
is passed in to the exploit entry point. The exploit is now responsible
for executing the payload if the exploit is successful. This removes
the possibility of the payload getting executed when the exploit fails.
* Source moved to the appropriate CVE folder.
* Binary moved to the appropriate CVE folder.
* Little bit of source rejigging to tidy things up.
2013-11-14 12:22:53 +10:00
James Lee
5b96ad595f
Skip reg values with no secrets
Also update header comment to match new standard
2013-11-13 19:05:16 -06:00
James Lee
cb10b4783b
Mark XP hashes as mscash for JtR to recognize
2013-11-13 19:04:16 -06:00
James Lee
0aef145f64
Merge remote-tracking branch 'upstream/master' into land-2532-enum-lsa
2013-11-13 18:11:21 -06:00
James Lee
8471f74b75
Refactor ivar to a more reasonable method
Also changes jtr output for cachedump to produce hashes that can be
auto-detected as mscash2 format for a better user experience.
2013-11-13 18:09:41 -06:00
James Lee
8bb72764ec
Rename credentials/lsa -> lsa_secrets
Secrets are not necessarily credentials
2013-11-13 15:23:15 -06:00
James Lee
16627c1bd3
Add spec for capture_lsa_key
2013-11-13 15:16:34 -06:00
William Vu
334a93af45
Land #2638, refs for android_htmlfileprovider
2013-11-13 14:51:46 -06:00
joev
0612f340f1
Commas are good.
2013-11-13 14:38:50 -06:00
joev
ad5f82d211
Add missing refs to aux/gather/android_htmlfileprovider.
2013-11-13 14:36:18 -06:00
jvazquez-r7
2594427999
Land #2631, @peto01's osx screen capture post module
2013-11-13 13:58:03 -06:00
jvazquez-r7
2b19490095
Fix Exception handling
2013-11-13 13:57:15 -06:00
jvazquez-r7
95f371a1a6
Move screen_capture to the capture folder
2013-11-13 13:41:11 -06:00
jvazquez-r7
f65e82523b
Clean screen_capture
2013-11-13 13:40:41 -06:00
James Lee
3168359a82
Refactor lsa and add a spec for its crypto methods
2013-11-13 11:55:39 -06:00
Peter Toth
0c096c10fb
Submitting first version for pull request
2013-11-13 17:03:38 +01:00
Peter Toth
f5760d5e4c
Removed unnecessary delay
2013-11-13 16:25:47 +01:00
Peter Toth
c4a8bfb175
Tighter error handling
2013-11-13 16:19:38 +01:00
Peter Toth
78199409dd
Changes according to feedback
2013-11-13 14:13:40 +01:00
Peter Toth
92da6760ef
Modified module to use windows/screen_spy code
2013-11-13 13:30:20 +01:00
Peter Toth
3fdaf4de94
Work in progress
2013-11-13 13:11:27 +01:00
Peter Toth
76660b858c
In progress
2013-11-13 12:32:49 +01:00
Peter Toth
049111cd94
In progress
2013-11-13 11:21:39 +01:00
Peter Toth
d9c402c035
Fixed the module name
2013-11-13 08:57:50 +01:00
jvazquez-r7
8771b163f0
Solve conflicts with aladdin_choosefilepath_bof
2013-11-12 23:11:42 -06:00
Peter Toth
2d9e8e09e6
Minor bugfix
2013-11-13 02:07:06 +01:00
Peter Toth
1fed50c96a
General improvements according to feedback
2013-11-13 01:54:42 +01:00
OJ
e4fc361b37
Various tidies and fixes
* Change ranking.
* Update references to comply with correct approach.
* Update messages to better describe what should happen.
* Update the Windows version regex to match XP.
* Update `check` function to use `unless`.
Thanks again @jvazquez-r7 for the feedback!
2013-11-13 10:38:48 +10:00
Peter Toth
6e12553393
Changed option SNAP_FILETYPE to FILETYPE
2013-11-13 00:51:58 +01:00
Peter Toth
779cb48b76
General improvements addressing feedback
2013-11-13 00:42:00 +01:00
jvazquez-r7
ef6d9db48f
Land #2613, @wchen-r7's BrowserExploitServer mixin
2013-11-12 17:33:12 -06:00
William Vu
da25785eba
Land #2350, shell_bind_tcp_random_port for Linux
2013-11-12 16:06:37 -06:00
jvazquez-r7
004c1bac78
Reduce number of modules available on BrowserAutopwn
2013-11-12 12:37:29 -06:00
sinn3r
970e70a853
Land #2626 - Add wordpress scanner
2013-11-12 11:30:23 -06:00
sinn3r
6a28f1f2a7
Change 4-space tabs to 2-space tabs
2013-11-12 11:29:28 -06:00
OJ
40f58ce534
Finalise the local exploit for kitrap0d
The exploit now properly injects the DLL using RDI and invokes the
exploit based on a parameter passed by the Ruby module. The elevate
code is 'generic' with a goal of possibly supporting more exploits
down the track.
New sessions are now created with the SYSTEM creds, rather than
modifying the existing session. This is now in line with how things
are done with other local modules.
2013-11-12 23:01:24 +10:00
Peter Toth
c5f21ef463
added osx vpn module
2013-11-12 12:47:33 +01:00
Peter Toth
b722fee15c
added OSX module screen_capture
2013-11-12 12:32:30 +01:00
Tod Beardsley
65993704c3
Actually commit the mode change.
2013-11-11 22:16:29 -06:00
Tod Beardsley
2035983d3c
Fix a handful of msftidy warnings, and XXX SSL
Marked the SSL stuff as something that needs to be resolved in order to
fix a future bug in datastore manipulation. Also, fixed some whitespace
and exec complaints
[SeeRM #8498]
2013-11-11 21:23:35 -06:00
jvazquez-r7
b01d8c50e0
Restore module crash documentation
2013-11-11 17:09:41 -06:00
jvazquez-r7
30de61168d
Support heap spray obfuscation
2013-11-11 17:05:54 -06:00
jvazquez-r7
922f0eb900
Switch aladdin_choosefilepath_bof2 to use BrowserExploitServer
2013-11-11 17:01:09 -06:00
Geyslan G. Bem
28c5dd63fd
references fix
2013-11-11 17:14:50 -03:00
Geyslan G. Bem
8f6917a117
references fix
2013-11-11 17:12:45 -03:00
Geyslan G. Bem
e3641158d9
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-11-11 14:29:19 -03:00
Geyslan G. Bem
030fbba539
Merge branch 'master' of https://github.com/geyslan/metasploit-framework
2013-11-11 14:22:00 -03:00
Tod Beardsley
81a7b1a9bf
Fixes for #2350, random bind shellcode
* Moved shortlink to a reference.
* Reformat e-mail address.
* Fixed whitespace
* Use multiline quote per most other module descriptions
Still need to resplat the modules, but it's no big thang to do that
after landing. Also, References do not seem to appear for post modules
in the normal msfconsole. This is a bug in the UI, not for these modules
-- many payloads would benefit from being explicit on their references,
so may as well start with these.
2013-11-11 10:33:15 -06:00
sinn3r
b887ed68b5
Land #2608 - Allow guest login option for psexec.
2013-11-11 10:09:41 -06:00
OJ
063da8a22e
Update reverse_https_proxy stager/handler
This change updates the proxy handler code, which for some reason was
omitted in the original commits. This now uses the same mechanism as
the new code. It removes `HIDDENHOST` and `HIDDENPORT`, and instead
uses `ReverseListenerBindHost` and `ReverseListenerBindAddress`.
2013-11-11 22:21:05 +10:00
OJ
82739c0315
Add extra URL for exploit detail
2013-11-11 22:07:36 +10:00
OJ
6a25ba18be
Move kitrap0d exploit from getsystem to local exploit
This version modifies the existing meterpreter session and bumps the privs
up to SYSTEM. However it's not how local exploits are supposed to work.
More work will be done to make this create a new session with the elevated
privs instead.
2013-11-11 17:14:40 +10:00
FireFart
48faa38c44
bugfix for wordpress_scanner
2013-11-11 00:24:32 +01:00
FireFart
b472c2b195
added a wordpress scanner
2013-11-10 23:08:59 +01:00
jvazquez-r7
40f8e80775
Fix jlee-r7's feedback
2013-11-08 14:28:19 -06:00
jvazquez-r7
d419c73488
Land #2517, @3v0lver's exploit for cve-2008-2286
2013-11-08 08:41:04 -06:00
jvazquez-r7
fddb69edb3
Use instance variables for 1-time injections
2013-11-08 08:30:35 -06:00
jvazquez-r7
69b261a9f2
Clean post exploitation code
2013-11-07 18:11:54 -06:00
jvazquez-r7
9f51268d21
Make xp_shell_enable instance variable
2013-11-07 17:53:28 -06:00
jvazquez-r7
aa1000df72
Clean check method
2013-11-07 17:44:22 -06:00
jvazquez-r7
c2662d28e0
Move module to the misc folder
2013-11-07 17:34:22 -06:00
jvazquez-r7
b068e4beb5
Fix indentation and refactor send_update_computer
2013-11-07 17:33:35 -06:00
FireFart
bdd33d4daf
implement feedback from @jlee-r7
2013-11-07 23:07:58 +01:00
FireFart
cc3ee5f97b
typo3_bruteforce: update msf license
2013-11-07 22:53:28 +01:00
FireFart
e897c8379f
typo3_bruteforce: bugfix
2013-11-07 22:46:26 +01:00
FireFart
9d616dbfe9
added typo3 bruteforcer
2013-11-07 22:38:27 +01:00
jvazquez-r7
b7e360922d
Update ranking
2013-11-07 15:10:26 -06:00
jvazquez-r7
decf6ff6a0
Add module for CVE-2013-3623
2013-11-07 14:59:40 -06:00
jvazquez-r7
bdba80c05c
Land #2569, @averagesecurityguy and others' exploit for CVE-2013-4468, CVE-2013-4467
2013-11-07 12:20:42 -06:00
scriptjunkie
7615264b17
Merge branch 'lanattacks_fix' of git://github.com/OJ/metasploit-framework into OJ-lanattacks_fix
2013-11-07 10:35:00 -06:00
root
944528e633
Updated for temporal pathing with TEMP variable
2013-11-07 01:34:55 -05:00
jvazquez-r7
2d4090d9c3
Make option astGUIclient credentials
2013-11-06 20:33:47 -06:00
jvazquez-r7
24d22c96a5
Improve exploitation
2013-11-06 20:15:40 -06:00
jvazquez-r7
2b2ec1a576
Change module location
2013-11-06 15:53:45 -06:00
jvazquez-r7
b9cb8e7930
Add new options
2013-11-06 15:53:12 -06:00
HD Moore
09c31f7582
Small nitpicks to catch bad http responses
2013-11-06 15:06:04 -06:00
Tod Beardsley
7ec7248500
Land #2610, new Supermicro modules
2013-11-06 14:26:19 -06:00
Tod Beardsley
91639dbb99
Trailing whitespace
2013-11-06 14:25:28 -06:00
Tod Beardsley
079816777a
I kin spel
2013-11-06 14:22:41 -06:00
HD Moore
6b43d94c72
Rename, change titles/descriptions, fix minor bugs
2013-11-06 13:45:40 -06:00
jvazquez-r7
b9caf091d4
Change supermicro_ipmi_traversal location
2013-11-06 12:47:50 -06:00
jvazquez-r7
c132a60973
Move Supermicro web interface name to a constant
2013-11-06 12:47:50 -06:00
jvazquez-r7
0609c5b290
Move private key to a constant
2013-11-06 12:47:50 -06:00
jvazquez-r7
275fd5e2ba
Sort options by name
2013-11-06 12:47:50 -06:00
jvazquez-r7
9f87fb33a7
Move digest calculation to a variable
2013-11-06 12:47:50 -06:00
Tod Beardsley
46f0998903
Add URL refs
2013-11-06 12:47:50 -06:00
Tod Beardsley
a973862c74
Add new modules
2013-11-06 12:47:50 -06:00
scriptjunkie
61e4700832
Allow guest login option.
This enables obtaining or maintaining access to properly misconfigured
systems through the Guest account.
2013-11-06 11:28:13 -06:00
OJ
7dcb071f11
Remove shebang and fix pxexploit
2013-11-06 07:10:25 +10:00
James Lee
faf6be4529
Missed an errant require
Wasn't even using it anyway
2013-11-05 14:00:55 -06:00
James Lee
9e30c58495
Blow away remnants of Local::Unix
2013-11-05 13:51:45 -06:00
James Lee
36f96d343e
Revert "Revert "Land #2505" to resolve new rspec fails"
This reverts commit e7d3206dc9.
2013-11-05 13:45:00 -06:00
OJ
f62247e731
Fix comments, indenting and pxexploit module
Updated the comments and indentation so they're not blatantly wrong.
Adjusted the pxexploit module so that it doesn't break any more as
a result of the refactoring.
2013-11-05 06:35:50 +10:00
Tod Beardsley
84572c58a8
Minor fixup for release
* Adds some new refs.
* Fixes a typo in a module desc.
* Fixes a weird slash continuation for string building (See #2589)
2013-11-04 12:10:38 -06:00
jvazquez-r7
79e59b2066
Fix metasm data
2013-11-02 10:37:57 -05:00
jvazquez-r7
b077b0accf
Add byte xori mipsle encoder
2013-11-02 10:22:41 -05:00
jvazquez-r7
594ee42398
Add byte xori mipsbe encoder
2013-11-02 10:10:51 -05:00
root
5c923757e8
Removed generic command execution capability
2013-10-30 21:35:24 -04:00
William Vu
f5d1d8eace
chmod -x .rb files without #! in modules and lib
It wasn't just cmdstager_printf.rb. :/
2013-10-30 19:51:25 -05:00
jvazquez-r7
c92e8ff98d
Delete extra space
2013-10-30 19:34:54 -05:00
Tod Beardsley
e488a54a06
Resplat new WMI module
2013-10-30 15:14:16 -05:00
Tod Beardsley
98224ee89f
CVE update for vtiger issue
2013-10-30 13:48:35 -05:00
Tod Beardsley
344413b74d
Reorder refs for some reason.
2013-10-30 12:25:55 -05:00
Tod Beardsley
32794f9d37
Move OpenBravo to aux module land
2013-10-30 12:20:04 -05:00
Tod Beardsley
17d796296c
Un-dupe References for ispconfig
2013-10-30 12:03:35 -05:00