554cd41403
added dns_cache_scraper and useful wordlists
2013-12-12 20:18:18 -06:00
ff9cb481fb
Land #2464 , fixes for llmnr_response and friends
...
Fixed conflict in lib/msf/core/exploit/http/server.rb.
2013-12-10 13:41:45 -06:00
e737b136cc
Minor grammar/caps fixup for release
2013-12-09 14:01:27 -06:00
37826688ce
Add cfme_manageiq_evm_pass_reset.rb
...
This module exploits a SQL injection vulnerability in the "explorer"
action of "miq_policy" controller of the Red Hat CloudForms Management
Engine 5.1 (ManageIQ Enterprise Virtualization Manager 5.0 and earlier)
by changing the password of the target account to the specified
password.
2013-12-09 16:49:07 -02:00
c59b8fd7bc
Land #2741 , @russell TCP support for nfsmount
2013-12-09 09:46:34 -06:00
291a52712e
Allow the NFS protocol to be specified in the mount scanner
2013-12-09 21:26:29 +11:00
1e30cd55f7
Land #2740 - Real regex for MATCH and EXCLUDE
2013-12-09 03:05:08 -06:00
feca3efafb
Land #2728 - vBulletin Password Collector via nodeid SQL Injection
2013-12-09 02:12:42 -06:00
92412279ae
Account for failed cred gathering attempts
...
Sometimes the SQL error doesn't contain the info we need.
2013-12-09 02:11:46 -06:00
cd66cca8a1
Make browser autopwn datastore use OptRegexp.
2013-12-08 17:46:33 -06:00
75fb38fe8d
Land #2724 , @wchen-r7 and @jvennix-r7's module for CVE-2013-6414
2013-12-07 14:26:46 -06:00
fdebfe3d2f
Add references
2013-12-07 14:25:58 -06:00
adc241faf8
Last one, I say
2013-12-06 15:52:42 -06:00
17193e06a9
Last commit, I swear
2013-12-06 15:49:44 -06:00
58a70779ac
Final update
2013-12-06 15:48:59 -06:00
9f5768ae37
Another update
2013-12-06 14:53:35 -06:00
af16f11784
Another update
2013-12-06 14:39:26 -06:00
87e77b358e
Use the correct URI
2013-12-06 12:08:19 -06:00
5d4acfa274
Plenty of changes
2013-12-06 11:57:02 -06:00
c07686988c
random uri
2013-12-05 18:07:24 -06:00
f2f8c08c8e
Use blank? method
2013-12-05 16:36:44 -06:00
a380d9b4f2
Add aux module for CVE-2013-3522
2013-12-05 15:58:05 -06:00
8e9723788d
Correct description
2013-12-04 17:25:58 -06:00
fb2fcf429f
This one actually works
2013-12-04 17:22:42 -06:00
d0071d7baa
Add CVE-2013-6414 Rails Action View DoS
2013-12-04 14:57:30 -06:00
230db6451b
Remove @peer for modules that use HttpClient
...
The HttpClient mixin has a peer() method, therefore these modules
should not have to make their own. Also new module writers won't
repeat the same old code again.
2013-12-03 12:58:16 -06:00
99dc9f9e7e
Fix msftidy warning
2013-12-03 00:09:51 -06:00
e37f7d3643
Use send_request_cgi instead of send_request_raw
2013-12-03 00:57:26 -05:00
14e600a431
Clean up res nil checking
2013-12-03 00:51:19 -05:00
b796095582
Use peer vs. rhost and rport for prints
2013-12-03 00:49:05 -05:00
0480e01830
Account for nil res value
2013-12-03 00:45:57 -05:00
c91d190d39
Add Cisco ASA ASDM Login
2013-12-03 00:16:04 -05:00
55847ce074
Fixup for release
...
Notably, adds a description for the module landed in #2709 .
2013-12-02 16:19:05 -06:00
20e0a7dcfb
Land #2709 - ZyXEL GS1510-16 Password Extractor
2013-12-02 13:13:01 -06:00
39fbb59ba9
re-added the reference I accidentally deleted
2013-12-02 19:06:19 +01:00
cb98d68e47
added @wchen-r7's code to store the password into the database
2013-12-02 18:35:59 +01:00
ba39a8e826
Land #2705 , @jjarmoc's user object configuration on rails_devise_pass_reset
2013-12-02 11:04:29 -06:00
8d6a534582
Change title
2013-12-02 08:54:37 -06:00
24d09f2085
Land #2700 , @juushya's Oracle ILO Brute Forcer login
2013-12-02 08:53:10 -06:00
8e73023baa
and now in the correct data structure
2013-12-01 17:38:35 +01:00
ef77b7fbbf
added reference as requested at https://github.com/rapid7/metasploit-framework/pull/2709
2013-12-01 17:36:15 +01:00
aa62800184
added ZyXEL GS1510-16 Password Extractor
2013-11-29 10:42:17 +01:00
bc41120b75
Updated
2013-11-29 12:47:47 +05:30
1109a1d157
Updated
2013-11-28 11:30:02 +05:30
03838aaa79
Update rails_devise_pass_reset.rb
...
Fixed erroneous status if FLUSHTOKENS is false.
2013-11-27 22:27:45 -06:00
7f8baf979d
Adds the ability to configure object name in URI and XML. This allows exploiting other platforms that include devise.
...
For example, activeadmin is exploitable if running a vulnerable devise and rails version with the following settings;
msf > use auxiliary/admin/http/rails_devise_pass_reset
msf auxiliary(rails_devise_pass_reset) > set RHOST 127.0.0.1
RHOST => 127.0.0.1
msf auxiliary(rails_devise_pass_reset) > set RPORT 3000
RPORT => 3000
msf auxiliary(rails_devise_pass_reset) > set TARGETEMAIL admin@example.com
TARGETEMAIL => admin@example.com
msf auxiliary(rails_devise_pass_reset) > set TARGETURI /admin/password
TARGETURI => /admin/password
msf auxiliary(rails_devise_pass_reset) > set PASSWORD msf_pwnd
PASSWORD => msf_pwnd
msf auxiliary(rails_devise_pass_reset) > set OBJECTNAME admin_user
OBJECTNAME => admin_user
msf auxiliary(rails_devise_pass_reset) > exploit
[*] Clearing existing tokens...
[*] Generating reset token for admin@example.com...
[+] Reset token generated successfully
[*] Resetting password to "msf_pwnd"...
[+] Password reset worked successfully
[*] Auxiliary module execution completed
msf auxiliary(rails_devise_pass_reset) >
2013-11-27 15:35:43 -06:00
3111aee866
fix match and boolean expression
2013-11-26 21:42:09 +01:00
a7e6a79b15
Land #2685 , @wchen-r7's update for the word injector description
2013-11-25 15:47:57 -06:00
92807d0399
Land #2676 , @todb-r7 module for CVE-2013-4164
2013-11-25 15:40:33 -06:00
23448b58e7
Remove timeout checkers that are rescued anyway
2013-11-25 12:37:23 -06:00
f311b0cd1e
Add user-controlled verbs.
...
GET, HEAD, POST, and PROPFIND were tested on WebRick, all successful.
2013-11-25 12:29:05 -06:00
cc60ca2e2a
Fix module title
2013-11-25 09:33:43 -06:00
cc261d2c25
Land #2670 , @juushya's aux brute forcer mod for OpenMind
2013-11-25 09:29:41 -06:00
e157ff73d3
Oracle ILOM Login utility
2013-11-25 13:55:31 +05:30
48578c3bc0
Update description about suitable targets
...
The same technique work for Microsoft Office 2013 as well. Tested.
2013-11-24 23:02:37 -06:00
f3b907537c
Module to identifies open Chargen service
2013-11-23 17:17:24 +01:00
6a28aa298e
Module for CVE-2013-4164
...
So far, just a DoS. So far, just tested on recent Rails with Webrick and
Thin front ends -- would love to see some testing on ngix/apache with
passenger/mod_rails but I don't have it set up at the moment.
2013-11-22 16:51:02 -06:00
266de2d27f
Updated
2013-11-23 00:01:03 +03:00
b5011891a0
corrected rport syntax
2013-11-21 08:57:45 +03:00
9539972340
Module for OpenMind Message-OS portal login
2013-11-21 06:33:05 +03:00
9f45121b23
Remove EOL spaces
2013-11-20 15:08:13 -06:00
ded56f89c3
Fix caps in description
2013-11-18 16:15:50 -06:00
f963f960cb
Update title
2013-11-18 15:07:59 -06:00
274247bfcd
Land #2647 , @jvennix-r7's module for Gzip Memory Bomb DoS
2013-11-18 15:06:46 -06:00
589660872e
Kill FILEPATH datastore option.
2013-11-18 14:13:25 -06:00
f690667294
Land #2617 , @FireFart's mixin and login bruteforcer for TYPO3
2013-11-18 13:37:16 -06:00
0391ae2bc0
Delete general reference
2013-11-18 13:19:09 -06:00
1c4dabaf34
Beautify typo3_bruteforce module
2013-11-18 13:17:15 -06:00
b5fc0493a5
Land #2642 - Fix titles
2013-11-18 12:14:36 -06:00
8e889c61f7
Update description.
2013-11-17 15:48:27 -06:00
f7820139dc
Add a content_type datastore option.
2013-11-17 15:38:55 -06:00
43d2711b98
Default to 1 round compression.
2013-11-17 15:35:35 -06:00
1e3860d648
Add gzip bomb dos aux module.
2013-11-17 14:44:33 -06:00
7d22312cd8
Fix redis communication
2013-11-15 19:36:18 -06:00
2c485c509e
Fix caps on module titles (first pass)
2013-11-15 00:03:42 -06:00
334a93af45
Land #2638 , refs for android_htmlfileprovider
2013-11-13 14:51:46 -06:00
0612f340f1
Commas are good.
2013-11-13 14:38:50 -06:00
ad5f82d211
Add missing refs to aux/gather/android_htmlfileprovider.
2013-11-13 14:36:18 -06:00
970e70a853
Land #2626 - Add wordpress scanner
2013-11-12 11:30:23 -06:00
6a28f1f2a7
Change 4-space tabs to 2-space tabs
2013-11-12 11:29:28 -06:00
2035983d3c
Fix a handful of msftidy warnings, and XXX SSL
...
Marked the SSL stuff as something that needs to be resolved in order to
fix a future bug in datastore manipulation. Also, fixed some whitespace
and exec complaints
[SeeRM #8498 ]
2013-11-11 21:23:35 -06:00
48faa38c44
bugfix for wordpress_scanner
2013-11-11 00:24:32 +01:00
b472c2b195
added a wordpress scanner
2013-11-10 23:08:59 +01:00
bdd33d4daf
implement feedback from @jlee-r7
2013-11-07 23:07:58 +01:00
cc3ee5f97b
typo3_bruteforce: update msf license
2013-11-07 22:53:28 +01:00
e897c8379f
typo3_bruteforce: bugfix
2013-11-07 22:46:26 +01:00
9d616dbfe9
added typo3 bruteforcer
2013-11-07 22:38:27 +01:00
09c31f7582
Small nitpicks to catch bad http responses
2013-11-06 15:06:04 -06:00
91639dbb99
Trailing whitespace
2013-11-06 14:25:28 -06:00
079816777a
I kin spel
2013-11-06 14:22:41 -06:00
6b43d94c72
Rename, change titles/descriptions, fix minor bugs
2013-11-06 13:45:40 -06:00
b9caf091d4
Change supermicro_ipmi_traversal location
2013-11-06 12:47:50 -06:00
c132a60973
Move Supermicro web interface name to a constant
2013-11-06 12:47:50 -06:00
0609c5b290
Move private key to a constant
2013-11-06 12:47:50 -06:00
275fd5e2ba
Sort options by name
2013-11-06 12:47:50 -06:00
9f87fb33a7
Move digest calculation to a variable
2013-11-06 12:47:50 -06:00
46f0998903
Add URL refs
2013-11-06 12:47:50 -06:00
a973862c74
Add new modules
2013-11-06 12:47:50 -06:00
84572c58a8
Minor fixup for release
...
* Adds some new refs.
* Fixes a typo in a module desc.
* Fixes a weird slash continuation for string building (See #2589 )
2013-11-04 12:10:38 -06:00
f5d1d8eace
chmod -x .rb files without #! in modules and lib
...
It wasn't just cmdstager_printf.rb. :/
2013-10-30 19:51:25 -05:00
344413b74d
Reorder refs for some reason.
2013-10-30 12:25:55 -05:00
32794f9d37
Move OpenBravo to aux module land
2013-10-30 12:20:04 -05:00
9045eb06b0
Various title and description updates
2013-10-28 14:00:19 -05:00
9bb9f8b27b
Update descriptions on SMB file utils.
2013-10-28 13:48:25 -05:00
0f63420e9f
Be specific about the type of hash
...
See #2583 . Since there are several types of hashes, we need to be more
specific about this -- see modules/exploits/windows/smb/psexec.rb which
uses an "smb_hash" as a password type.
Also, the fixes in #2583 do not appear to address anything else reported
on the Redmine issue, namely, operating system and architecture
identification discovered with this module (assuming good credentials).
Therefore, the Redmine issue should not be considered resolved.
[SeeRM #4398 ]
2013-10-28 13:40:07 -05:00
1fee3ce952
Land #2584 , reporting for energizer_duo_detect
2013-10-28 10:48:20 -05:00
efcfc9eef7
Land #2273 , @kaospunk's enum domain feature for owa_login
2013-10-28 09:47:54 -05:00
71a1ccf771
Clean owa_login enum_domain feature
2013-10-28 09:46:41 -05:00
e0aec13ce1
[FixRM #4397 ] Add reporting for energizer_duo_detect
2013-10-25 16:51:44 -05:00
9276a839d4
[FixRM #4398 ] Report credentials to database
2013-10-25 16:19:47 -05:00
7d788fbf76
Land #2571 - HP Intelligent Management SOM FileDownloadServlet Arbitrary Download
2013-10-24 14:15:26 -05:00
7ee615223d
Land #2570 - HP Intelligent Management SOM Account Creation
2013-10-24 14:14:06 -05:00
ea80c15c3b
Land #2383 , @jamcut's aux module for jenkins enum
2013-10-24 11:31:36 -05:00
8428671f32
Land #2455 , @juushya's aux module for radware
2013-10-24 10:54:02 -05:00
1673b66cbe
Delete some white lines
2013-10-24 10:50:14 -05:00
b589e9aa6e
Use the peer method
2013-10-24 10:45:02 -05:00
b5f26455a3
Land #2545 , javascript library overhaul
2013-10-23 16:12:49 -05:00
255cd18868
Use peer helper
2013-10-23 16:08:40 -05:00
69da39ad52
Add module for ZDI-13-240
2013-10-23 16:01:01 -05:00
d1e1968cb9
Land #2566 - Download and delete a file via SMB
2013-10-23 12:28:57 -05:00
9a51dd5fc4
Do exception handling and stuff
2013-10-23 12:28:25 -05:00
0500842625
Do some exception handling
2013-10-23 12:22:49 -05:00
83a4ac17e8
Make sure fd is closed to avoid a possible resource leak
2013-10-23 12:16:18 -05:00
af02fd0355
Use store_loot, sorry mubix
2013-10-23 12:13:05 -05:00
55e3f36589
Add module for ZDI-13-242
2013-10-23 11:24:29 -05:00
8f3228d191
chage author but basic copied from hdms upload_file
2013-10-22 21:13:30 -04:00
dc0d9ae21d
Land #2560 , ZDI references
...
[FixRM #8513 ]
2013-10-22 15:58:21 -05:00
b2b8824e2e
add delete and download modules for smb
2013-10-22 16:31:56 -04:00
6989f16661
Land #2548 , @titanous's aux module for CVE-2013-4450
2013-10-22 15:02:54 -05:00
bdf07456ba
Last cleanup for nodejs_pipelining
2013-10-22 15:00:58 -05:00
db447b65f9
Add exploit for Node.js HTTP Pipelining DoS
2013-10-22 15:12:14 -04:00
a4dd53f650
Chane module filename
2013-10-22 11:16:14 -05:00
cdd183f43a
Add reporting
2013-10-22 11:15:16 -05:00
0d73275c3f
Delete not necessary check
2013-10-22 10:39:54 -05:00
c50e7c73b6
Make parsing easier
2013-10-22 10:30:03 -05:00
0cc7be0138
Use snake_case
2013-10-22 10:04:32 -05:00
e4a340b7f1
Fix small issues
2013-10-22 10:02:32 -05:00
a425e2be78
Fix typo
2013-10-22 09:28:43 -05:00
111c12ef0d
Do cosmetic changes
2013-10-22 09:28:15 -05:00
f46cdb8970
Add the correct plate
2013-10-22 09:27:37 -05:00
de0d09886c
Retab changes for PR #2383
2013-10-22 09:26:44 -05:00
0214501891
Merge for retab
2013-10-22 09:22:10 -05:00
afcce8a511
Merge osdetect and addonsdetect
2013-10-22 01:11:11 -05:00
9a3e719233
Rework the naming style
2013-10-21 20:16:37 -05:00
5613cfb249
Retab changes for PR #2455
2013-10-21 15:57:23 -05:00
39d38e598d
Merge for retab
2013-10-21 15:55:48 -05:00
2aed8a3aea
Update modules to use new ZDI reference
2013-10-21 15:13:46 -05:00
58a43e87dd
Added fixes suggested by jlee-r7
...
additional code clean up
2013-10-21 14:18:12 -04:00
032da9be10
Land #2426 - make use of Msf::Config.data_directory
2013-10-21 13:07:33 -05:00
6430fa3354
Land #2539 - Support Windows CMD generic payload
...
This also upgrades auxiliary/admin/scada/igss_exec_17 to an exploit
2013-10-21 11:26:13 -05:00
zeknox
William Vu
Tod Beardsley
Ramon de C Valle
jvazquez-r7
Russell Sim
sinn3r
Joe Vennix
Jonathan Claudius
Sven Vetsch / Disenchant
Karn Ganeshen
Jeff Jarmoc
Jeff Jarmoc
Matteo Cantoni
FireFart
HD Moore
jvazquez-r7
Rob Fuller
Jonathan Rudenberg
jamcut