a3ae177347
echo stager, arch_cmd, echo module
2014-06-13 11:42:47 +02:00
894af92b22
echo stager, arch_cmd
2014-06-13 11:40:50 +02:00
cb91b2b094
Fix broken table indent (s/Ident/Indent/ hash key)
2014-06-12 13:41:44 -05:00
56efd82112
Correct the disclosure date.
2014-06-11 21:53:42 -05:00
88273f87db
Targets update
2014-06-11 21:50:16 -04:00
2296dea5ad
Clean and fix
2014-06-12 01:55:27 +02:00
4f67db60ed
Modify breakpoint approach by step into
2014-06-12 01:23:20 +02:00
0bac24778e
Fix the case statements to match platform
2014-06-11 15:22:55 -05:00
d5b32e31f8
Fix a typo where platform was 'windows' not 'win'
...
This was reported by dracu on freenode
2014-06-11 15:10:33 -05:00
34f98ddc50
Do minor cleanup
2014-06-11 09:20:22 -05:00
b27b00afbb
Added target 4.0 and cleaned up exploit
2014-06-11 06:22:47 -07:00
f1382af018
Added target 4.0 and cleaned up exploit
2014-06-11 06:20:49 -07:00
a554b25855
Use EXITFUNC
2014-06-10 09:51:06 -05:00
3d33a82c1c
Changed to unless
2014-06-09 09:31:14 -07:00
1252eea4b9
Changed to unless
2014-06-09 09:26:03 -07:00
52d26f290f
Added check in exploit func
2014-06-09 03:23:14 -07:00
e4d14194bb
Add module for Rocket Servergraph ZDI-14-161 and ZDI-14-162
2014-06-08 11:07:10 -05:00
8ecafbc49e
Easy File Management Web Server v5.3 Stack Buffer Overflow
2014-06-08 04:21:14 -07:00
73536f2ac0
Add support Java 8
2014-06-07 22:43:14 +02:00
6bef6edb81
Update efs_easychatserver_username.rb
...
Add targets for versions 2.0 to 3.1.
Add install path detection for junk size calculation.
Add version detection for auto targeting.
2014-06-08 06:36:18 +10:00
bf1a665259
Land #2657 , Dynamic generation of windows service executable functions
...
Allows a user to specify non service executables as EXE::Template as
long as the file has enough size to store the payload.
2014-06-07 13:28:20 +01:00
e7957bf999
Change GET request by random text
2014-06-05 01:33:00 +02:00
c9bd0ca995
Add minor changes
2014-06-04 15:56:14 -05:00
bb77327b09
Warn the user if the detected platform doesnt match target
2014-06-04 14:50:18 -05:00
b76253f9ff
Add context to the socket
2014-06-04 14:25:01 -05:00
77eeb5209a
Do small cleanups
2014-06-04 14:23:21 -05:00
6c643f8837
Fix usage of Rex::Sockket::Tcp
2014-06-04 14:14:23 -05:00
837668d083
use optiona argument for read_reply
2014-06-04 13:48:53 -05:00
d184717e55
delete blank lines
2014-06-04 13:24:34 -05:00
33a7bc64fa
Do some easy cleaning
2014-06-04 13:18:59 -05:00
1ff539fc73
No sense to check two times
2014-06-04 12:48:20 -05:00
7a5b5d31f9
Avoid messages inside check
2014-06-04 12:43:39 -05:00
3869fcb438
common http breakpoint event
2014-06-04 12:41:23 -05:00
9ffe8d80b4
Do some metadata cleaning
2014-06-04 12:33:57 -05:00
079fe8622a
Add module for ZDI-14-136
2014-06-04 10:29:33 -05:00
b9d8f75f59
Add breakpoint autohitting
2014-06-03 23:34:40 +02:00
6061e5e713
Fix suggestions
2014-06-03 23:13:14 +02:00
62fe30798d
Tidy
2014-06-03 14:48:40 -04:00
5ddbdb7dfd
Tidy
2014-06-03 14:23:04 -04:00
fdfd7f410d
Tidy
2014-06-03 14:21:13 -04:00
392b383c2c
Update
2014-06-03 14:07:04 -04:00
166748a997
Add script_web_delivery
2014-06-03 11:53:32 -04:00
43699b1dfb
Don't clean env variable before using it
2014-06-03 09:56:19 -05:00
b8a2cf776b
Do test
2014-06-03 09:52:01 -05:00
05ed2340dc
Use powershell
2014-06-03 09:29:04 -05:00
f918bcc631
Use powershell instead of mshta
2014-06-03 09:01:56 -05:00
04ac07a216
Compress and base64 data to save bytes.
...
Reduced file size from 43kb to 12kb, yay.
2014-06-02 23:06:46 -05:00
cf6b181959
Revert change to trailer(). Kill dead method.
...
* I verified that changes to PDF mixin do not affect any older modules that
generate PDF. I did this by (on each branch) running in irb, then
running the module and diffing the pdf's generated by each branch. There were
no changes.
2014-06-02 22:26:14 -05:00
9f5dfab9ea
Add better interface for specifying custom #eol.
2014-06-02 22:26:11 -05:00
feca6c4700
Add exploit for ajsif vuln in Adobe Reader.
...
* This refactors the logic of webview_addjavascriptinterface into a mixin (android.rb).
* Additionally, some behavior in pdf.rb had to be modified (in backwards-compatible ways).
Conflicts:
lib/msf/core/exploit/mixins.rb
2014-06-02 22:25:55 -05:00
7f4702b65e
Update from rapid7 master
2014-06-02 17:41:41 -05:00
d0d389598a
Land #3086 , Android Java Meterpreter updates
...
w00t.
2014-06-02 17:28:38 -05:00
4840a05ada
Update from rapid7 master
2014-06-02 17:17:00 -05:00
52c33b7e79
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2014-06-02 17:32:51 -04:00
9574a327f8
use the new check also in exploit()
2014-06-02 14:38:33 -05:00
3c38c0d87c
Dont be confident about string comparision
2014-06-02 14:37:29 -05:00
b136765ef7
Nuke extra space at EOL
2014-06-02 14:22:01 -05:00
ea383b4139
Make print/descs/case consistent
2014-06-02 13:20:01 -05:00
d0241cf4c1
Add check method
2014-06-02 08:14:40 -05:00
31af8ef07b
Check .NET version
2014-06-01 20:58:08 -05:00
3c5fae3706
Use correct include
2014-06-01 11:51:06 +01:00
4801a7fca0
Allow x86->x64 injection
2014-06-01 11:50:13 +01:00
3ae4a16717
Clean environment variables
2014-05-30 12:21:23 -05:00
b99b577705
Clean environment variable
2014-05-30 12:20:00 -05:00
b27a95c008
Delete unused code
2014-05-30 12:08:55 -05:00
e215bd6e39
Delete unnecessary code and use get_env
2014-05-30 12:07:59 -05:00
76ed9bcf86
hedwig.cgi - cookie bof - return to system
2014-05-30 17:49:37 +02:00
1ddc2d4e87
hedwig.cgi - cookie bof - return to system
2014-05-30 17:32:49 +02:00
1dbd36a3dd
Check for the .NET dfsvc and use %windir%
2014-05-30 09:02:43 -05:00
ffbcbe8cc1
Use cmd_psh_payload
2014-05-29 18:12:18 -05:00
03889ed31f
Use cmd_psh_payload
2014-05-29 18:11:22 -05:00
60c5307475
Fix msftidy
2014-05-30 00:14:59 +02:00
9627bae98b
Add JDWP RCE for Windows and Linux
2014-05-29 23:45:44 +02:00
3a3d038904
Land #3397 - ElasticSearch Dynamic Script Arbitrary Java Execution
2014-05-29 12:21:21 -05:00
dfa61b316e
A bit of description change
2014-05-29 12:20:40 -05:00
e145298c13
Add module for CVE-2014-0257
2014-05-29 11:45:19 -05:00
6e122e683a
Add module for CVE-2013-5045
2014-05-29 11:42:54 -05:00
53ab2aefaa
Land #3386 , a few datastore msftidy error fixes
2014-05-29 10:44:37 -05:00
8a2236ecbb
Fix the last of the Set-Cookie msftidy warnings
2014-05-29 04:42:49 -05:00
7a29ae5f36
Add module for CVE-2014-3120
2014-05-27 18:01:16 -05:00
352e14c21a
Land #3391 , all vars_get msftidy warning fixes
2014-05-26 23:41:46 -05:00
da0a9f66ea
Resolved all msftidy vars_get warnings
2014-05-25 19:29:39 +02:00
df97c66ff5
Fixed check
2014-05-24 00:37:52 +02:00
8d4d40b8ba
Resolved some Set-Cookie warnings
2014-05-24 00:34:46 +02:00
efffbf751a
PHP module shouldnt zap CMD option (@wchen-r7)
...
As far as I can tell, there is no purpose for this cleanup. No other CMD
exec module takes pains to clear out CMD after run, and it looks like a
bad idea -- what happens when you rexploit?
2014-05-23 15:09:18 -05:00
b85c0b7543
rop to system with telnetd
2014-05-23 20:51:25 +02:00
28459299b2
Update ibstat_path.rb
...
Add interface detection, defaulting to en0.
2014-05-22 14:16:04 -07:00
b9464e626e
Delete unnecessary line
2014-05-21 10:18:03 -05:00
af415c941b
[SeeRM #8803 ] Avoid false positives when checking fb_cnct_group
2014-05-20 18:44:28 -05:00
7cabfacfa3
Test adobe_flash_pixel_bender_bof on Safari 5.1.7
...
Added browser-requirement for Safari after successful test using Safari 5.1.7 with Adobe Flash Player 13.0.0.182 running on Windows 7 SP1.
2014-05-20 01:43:19 +02:00
52b182d212
Add a small note to bypassuac_injection concerning EXE::Custom
2014-05-19 22:00:35 +01:00
b84379ab3b
Note about EXE::Custom
2014-05-19 22:00:09 +01:00
0ef2e07012
Minor desc and status updates, cosmetic
2014-05-19 08:59:54 -05:00
bf52c0b888
Land #3364 - Symantec Workspace Streaming Arbitrary File Upload
2014-05-19 00:25:33 -05:00
2fb0dbb7f8
Delete debug print_status
2014-05-18 23:34:04 -05:00
975cdcb537
Allow exploitation also on FF
2014-05-18 23:24:01 -05:00
033757812d
Updates to adobe_flash_pixel_bender_bof:
...
1. Added embed-element to work with IE11 (and Firefox). Removed browser-requirements for ActiveX (clsid and method).
2. Added Cache-Control header on SWF-download to avoid AV-detection (no disk caching = no antivirus-analysis :).
Testing performed:
Successfully tested with Adobe Flash Player 13.0.0.182 with IE9, IE10 and IE11 running on Windows 7SP1. (Exploit will trigger on FF29, although sandboxed.)
2014-05-18 22:43:51 +02:00
1b68abe955
Add module for ZDI-14-127
2014-05-15 13:41:52 -05:00
750b6fc218
Land #3348 , some Ruby warning fixes
2014-05-14 01:25:10 -05:00
c421b8e512
Change if not to unless
2014-05-14 01:24:29 -05:00
df4b832019
Resolved some more Set-Cookie warnings
2014-05-13 22:56:12 +02:00
1a3b319262
rebase to use the mixin psexec
2014-05-13 16:04:40 +02:00
d3f2414d09
Fix merging typo
2014-05-13 16:04:40 +02:00
808f87d213
SERVICE_DESCRIPTION doesn't concern this PR
2014-05-13 16:04:39 +02:00
6332957bd2
Try to add SERVICE_DESCRIPTION options to psexec, but it doesn't seem to work...
2014-05-13 16:04:39 +02:00
5ecebc3427
Add options `SERVICE_NAME` and `SERVICE_DISPLAYNAME` to psexec and correct service payload generation
2014-05-13 16:04:37 +02:00
ca7a2c7a36
Add string_to_pushes to use non fixed size service_name
2014-05-13 16:04:37 +02:00
513f3de0f8
new service exe creation refreshed
2014-05-13 16:04:36 +02:00
638ae477d9
Fix up spec. Rex::Proto::Http::ClientRequest handles & and = outside of Rex::Text::uri_encode, so mode doesn't affect them.
...
Fix erroneous typo char.
2014-05-12 12:10:30 -05:00
5f523e8a04
Rex::Text::uri_encode - make 'hex-all' really mean all.
...
'hex-all' encoding was previously ignoring slashes.
This pull adds 'hex-noslashes' mode which carries forward the previous functionality, and replaces all existing references to 'hex-all' with 'hex-noslashes' It then adds a replacement 'hex-all' mode, which really encodes *ALL* characters.
2014-05-12 11:26:27 -05:00
557cd56d92
fixed some ruby warnings
2014-05-10 23:31:02 +02:00
a60558061c
re-enable x86 stager
2014-05-10 19:58:19 +01:00
dee6b53175
fix java payload struts module
2014-05-10 00:19:40 +02:00
6f837715f9
Land #3343 , @FireFart's new uri encoding for struts_code_exec_parameters
2014-05-09 14:37:58 -05:00
38f3a19673
Try to beautify description
2014-05-09 14:35:06 -05:00
43a85fc645
additional GET parameters
2014-05-09 21:21:04 +02:00
ad83921a85
additional GET parameters
2014-05-09 21:15:28 +02:00
f56ea01988
Add module
2014-05-09 10:27:41 -05:00
53fde675e7
randomize meh parameter
2014-05-09 10:38:19 +02:00
a3fff5401f
more code cleanup
2014-05-08 23:05:41 +02:00
e7b7af2f75
fixed apache struts module
2014-05-08 22:15:52 +02:00
6b41a4e2d9
Test Flash 13.0.0.182
2014-05-07 17:39:22 -05:00
5fd732d24a
Add module for CVE-2014-0515
2014-05-07 17:13:16 -05:00
e8bc89af30
Land #3337 , release fixes
2014-05-05 14:03:48 -05:00
c97c827140
Adjust desc and ranking on ms13-053
...
Since it's likely to crash winlogin.exe in the normal use case
(eventually), I've kicked this down to Average ranking.
2014-05-05 13:46:19 -05:00
3536ec9a74
Description update
2014-05-05 13:43:44 -05:00
3072c2f08a
Update CVEs for RootedCon Yokogawa modules
...
Noticed they were nicely documented at
http://chemical-facility-security-news.blogspot.com/2014/03/ics-cert-publishes-yokogawa-advisory.html
We apparently never updated with CVE numbers.
2014-05-05 13:25:55 -05:00
6bfc9a8aa0
Land #3333 - Adobe Flash Player Integer Underflow Remote Code Execution
2014-05-05 10:39:26 -05:00
073adc759d
Land #3334 , fix author by @julianvilas
2014-05-04 21:30:53 +02:00
dd7705055b
Fix author
2014-05-04 19:31:53 +02:00
7e37939bf2
Land #3090 - Windows NTUserMessageCall Win32k Kernel Pool Overflow (Schlamperei)
2014-05-04 16:41:17 +10:00
5b150a04c6
Add testing information to description
2014-05-03 20:08:00 -05:00
b4c7c5ed1f
Add module for CVE-2014-0497
2014-05-03 20:04:46 -05:00
36f9f342c1
Fix typo
2014-05-02 16:26:08 +02:00
56c5eac823
Message correction
2014-05-02 14:18:18 +01:00
69915c0de5
Message correction
2014-05-02 14:17:27 +01:00
150b89e290
Land #3314 , @julianvilas's exploit for Struts CVE-2014-0094
2014-05-01 18:09:10 -05:00
3dd3ceb3a9
Refactor code
2014-05-01 18:04:37 -05:00
b7ecf829d3
Do first refactor
2014-05-01 16:39:53 -05:00
195005dd83
Do minor style changes
2014-05-01 15:25:55 -05:00
140c8587e7
Fix metadata
2014-05-01 15:24:16 -05:00
e0ee31b388
Modify print_error by fail_with
2014-05-01 20:19:31 +02:00
3374af83ab
Fix typos
2014-05-01 19:44:07 +02:00
1483f02f83
Land #3306 , @xistence's alienvault's exploit
2014-05-01 09:25:07 -05:00
1b39712b73
Redo response check
2014-05-01 09:10:16 -05:00
78cefae607
Use WfsDelay
2014-05-01 09:07:26 -05:00
5db24b8351
Fixes/Stability AlienVault module
2014-05-01 14:53:55 +07:00
c12d72b58c
Changes to alienvault module
2014-05-01 10:39:11 +07:00
9bcf5eadb7
Changes to alienvault module
2014-05-01 10:10:15 +07:00
bd39af3965
Fix target ARCH_JAVA and remove calls to sleep
2014-05-01 00:51:52 +02:00
8b138b2d37
Fix unquoted path in cleanup script
2014-04-30 16:34:33 -05:00
6b740b727b
Changes PATH to proper case
...
This changes PATH to Path
2014-04-30 17:26:36 -04:00
fdc81b198f
Adds the ability to specify path
...
This update allows an explicit path to be set rather
than purely relying on the TEMP environment variable.
2014-04-30 16:08:48 -04:00
8e8fbfe583
Fix msf-staff comments
2014-04-29 17:36:04 +02:00
b2c2245aff
Add comments
2014-04-29 11:24:17 +02:00
a78aae08cf
Add CVE-2014-0094 RCE for Struts 2
2014-04-29 03:58:04 +02:00
17a508af34
Add CVE-2014-0094 RCE for Struts 2
2014-04-29 03:50:45 +02:00
4c0a692678
Land #3312 - Update ms14-012
2014-04-28 18:48:20 -05:00
b1ac0cbdc7
Land #3239 - Added target 6.1 to module
2014-04-28 18:28:14 -05:00
1c88dea7d6
Exploitation also works with flash 13
2014-04-28 16:23:05 -05:00
8a4c7b22ed
Land #3296 - Refactors firefox js usage into a mixin
2014-04-28 15:22:55 -05:00
d530c9c128
Land #3304 - Adobe Flash Player Type Confusion Remote Code Execution
2014-04-28 15:06:50 -05:00
1b4fe90003
Fix msftidy warnings on wireshark exploits
2014-04-28 19:51:38 +01:00
3bfdfb5cab
Grammar
2014-04-28 19:49:56 +01:00
a5baea1a8e
Touch up print_ statements
2014-04-28 19:49:23 +01:00
9a1b216fdb
Move module to new location
2014-04-28 11:55:26 -05:00
51a5a901a8
Fix typo
2014-04-28 11:55:06 -05:00
887dfc5f40
Fix RequiredCmd
2014-04-28 11:54:56 -05:00
245b591247
Do module clean up
2014-04-28 11:45:40 -05:00
2e04bc9e4e
AlienVault OSSIM 4.3.1 unauthenticated SQLi RCE
2014-04-28 10:59:15 +07:00
9ce5545034
Fix comments
2014-04-27 20:13:46 -05:00
60e7e9f515
Add module for CVE-2013-5331
2014-04-27 10:40:46 -05:00
f94d1f6546
Refactors firefox js usage into a mixin.
2014-04-24 15:09:48 -05:00
1353c62967
Land #3295 - Fix NoMethodError undefined method `body' for nil:NilClass
2014-04-24 13:53:58 -05:00
5c0664fb3b
Land #3292 - Mac OS X NFS Mount Privilege Escalation Exploit
2014-04-24 13:43:20 -05:00
656e60c35c
Land #3254 - Wireshark <= 1.8.12/1.10.5 wiretap/mpeg.c Stack BoF
2014-04-24 13:20:50 -05:00
cde9080a6a
Move module to fileformat
2014-04-24 13:17:08 -05:00
a39855e20d
Works for XP SP3 too
2014-04-24 13:16:24 -05:00
ba8d7801f4
Remove default target because there is no auto-select
2014-04-24 13:15:49 -05:00
2e76db01d7
Try to stick to the 100 columns per line rule
2014-04-24 13:15:12 -05:00
8f47edb899
JBoss_Maindeployer: improve feedback against CVE-2010-0738
...
The exploit against CVE-2010-0738 won't work when using GET or POST. In the existing code the request would fail and the function would return a nil. This would be passed to detect_platform without being checked and cause the module to crash ungracefully with the error:
Exploit failed: NoMethodError undefined method `body' for nil:NilClass
The first changes detect a 401 authentication message and provide useful feedback. Given that if, in any case, 'res' is not a valid or useful response the second change just terminates processing.
I've stayed with the module's coding style for consistency.
2014-04-24 12:37:14 -05:00
fd95d9ef38
Added english windows xp sp2 target
2014-04-23 17:32:56 +01:00
143aede19c
Add osx nfs_mount module.
2014-04-23 02:32:42 -05:00
e514ff3607
Description and print_status fixes for release
...
@cdoughty-r7, I choose you! Or @wvu-r7.
2014-04-21 14:00:03 -05:00
66b1c79da9
Update rop chain for versions 6.2 and 6.1
2014-04-21 13:27:14 -04:00
e25ca64641
It's solved the crash when double-click on the pcap file
2014-04-21 17:49:40 +01:00
3861541204
Add more rand_text_alpha functions
2014-04-19 18:37:58 +01:00
7bc546e69a
Add rand_text_alpha function
2014-04-19 17:45:28 +01:00
feea4c1fa6
ROP chain changed
2014-04-18 19:05:53 +01:00
7d801e3acc
Land #3200 , goodbye LORCON modules :(
2014-04-18 12:32:22 -05:00
acb12a8bef
Beautify and fix both ruby an AS
2014-04-17 23:32:29 -05:00
91d9f9ea7f
Update from master
2014-04-17 15:32:49 -05:00
749e141fc8
Do first clean up
2014-04-17 15:31:56 -05:00
8920e0cc80
Use octal encoding and -e, so that echo always works.
2014-04-17 01:17:46 -05:00
d7a63003a3
Land #3266 - MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free
2014-04-15 18:35:18 -05:00
23c2a071cd
Small name change
2014-04-15 18:35:00 -05:00
7a4e12976c
First little bit at Bug 8498
...
[FixRM #8489 ] rhost/rport modification
2014-04-15 18:20:16 -05:00
abd76c5000
Add module for CVE-2014-0322
2014-04-15 17:55:24 -05:00
0b2737da7c
Two more java payloads that wanted to write RHOST
...
There are three total, and they're all copy-pasted from the original
module from 2009. I suspect this idiom isn't used at all any more -- I
can't detect a difference in the payload if I just declare a host being
cli.peerhost, rather than rewriting RHOST to be cli.peerhost.
[SeeRM #8498 ]
2014-04-14 22:22:30 -05:00
775b0de3c0
Replace RHOST reassing with just host
...
This looks okay from debug (the host looks like it's generating okay)
but there may be some subtle thing I'm not seeing here. @wchen-r7 can
you glance at this please?
[SeeRM #8498 ]
2014-04-14 22:17:31 -05:00
Michael Messner
William Vu
joev
jakxx
Julian Vilas
HD Moore
jvazquez-r7
TecR0c
Brendan Coles
Meatballs
Tod Beardsley
sinn3r
Christian Mehlmauer
mercd
Jonas Vestberg
agix
Florian Gaultier
Jeff Jarmoc
Tim Wright
OJ
xistence
kaospunk
Tom Sellers
JoseMi
Ken Smith