JoseMi
e811e169dc
Cambios en el exploit
2014-04-14 16:31:54 +01:00
JoseMi
da26a39634
Add CVE-2014-2219 exploit for windows XP SP3
2014-04-14 16:16:10 +01:00
Ken Smith
c99f6654e8
Added target 6.1 to module
2014-04-11 09:59:11 -04:00
jvazquez-r7
fe066ae944
Land #3207 , @7a69 MIPS BE support for Fritz Box's exploit
2014-04-09 23:20:45 -05:00
jvazquez-r7
fdda69d434
Align things
2014-04-09 23:19:41 -05:00
jvazquez-r7
386e2e3d29
Do final / minor cleanup
2014-04-09 23:19:12 -05:00
sinn3r
b69662fa42
Land #3233 - eScan Password Command Injection
2014-04-11 11:05:48 -05:00
jvazquez-r7
0c8f5e9b7d
Add @Firefart's feedback
2014-04-11 10:21:33 -05:00
jvazquez-r7
b0b979ce62
Meterpreter sessions won't get root in this way
2014-04-09 16:59:12 -05:00
jvazquez-r7
a2ce2bfa56
Fix disclosure date
2014-04-09 16:41:49 -05:00
jvazquez-r7
ff232167a6
Add module for eScan command injection
2014-04-09 16:39:06 -05:00
sinn3r
2de210f1c3
Land #3216 - Update @Meatballs1 and @FireFart in authors.rb
2014-04-09 16:38:10 -05:00
sinn3r
eb9d3520be
Land #3208 - Sophos Web Protection Appliance Interface Authenticated Exec
2014-04-09 11:30:59 -05:00
Tod Beardsley
062175128b
Update @Meatballs and @FireFart in authors.rb
2014-04-09 10:46:10 -05:00
Brandon Perry
8428b37e59
move file to .rb ext
2014-04-09 05:17:14 -07:00
Brandon Perry
82c9b539ac
Fix disclosure date, earlier than I thought
2014-04-08 21:43:49 -05:00
Brandon Perry
3013704c75
Create sophos_wpa_iface_exec
...
This module exploits both bugs in http://www.zerodayinitiative.com/advisories/ZDI-14-069/
2014-04-08 21:21:43 -05:00
sinn3r
f3086085b6
Land #3204 - MS14-017 Microsoft Word RTF Object Confusion
2014-04-08 18:47:53 -05:00
Joe Vennix
fc841331d2
Add a test on echo to check for hex support.
...
* This is much nicer than checking version on userAgent, which
is often changed when rendered in an embedded webview.
2014-04-08 17:58:31 -05:00
sinn3r
a2b709b20e
Land #3189 - Vtiger Install Unauthenticated Remote Command Execution
2014-04-08 14:58:34 -05:00
sinn3r
4012dd0acc
Fix everything that needs to be fixed
2014-04-08 14:57:42 -05:00
Fabian Bräunlein
8dce80fd30
Added Big Endianess, improved check()-Function
...
Some Fritz!Box devices also run in Big Endianess mode. However, since
"uname -a" always returns "mips" and the "file"-command is not
available, autodetection is not an easy task.
The check()-function now checks, whether the device is really
vulnerable.
Furthemore, it's possible to send 92 bytes.
2014-04-08 21:32:36 +02:00
Spencer McIntyre
3f6c8afbe3
Fix typo of MSCOMCTL not MCCOMCTL
2014-04-08 14:52:18 -04:00
Spencer McIntyre
85197dffe6
MS14-017 Word RTF listoverridecount memory corruption
2014-04-08 14:44:20 -04:00
Jeff Jarmoc
21b220321f
Fix typo.
...
This isn't a Linksys exploit. Left over wording from a previous exploit?
2014-04-07 18:06:59 -05:00
Tod Beardsley
17ddbccc34
Remove the broken lorcon module set
...
None of the lorcon / lorcon2 modules have been functional for a long
time, due to the lack of a "Lorcon" gem. It's unclear where it went.
I'm happy to include it and get these working again, but until someone
comes up with some functional code (hint: 'gem install' doesn't work) I
don't see any reason to keep shipping these.
Is there some trick people are doing to make these work? As far as I can
see, they are broken by default.
````
msf auxiliary(wifun) > show options
Module options (auxiliary/dos/wifi/wifun):
Name Current Setting Required Description
---- --------------- -------- -----------
CHANNEL 11 yes The initial channel
DRIVER autodetect yes The name of the wireless driver
for lorcon
INTERFACE wlan0 yes The name of the wireless
interface
msf auxiliary(wifun) > run
[*] The Lorcon2 module is not available: cannot load such file --
Lorcon2
[-] Auxiliary failed: RuntimeError Lorcon2 not available
[-] Call stack:
[-]
/home/todb/git/rapid7/metasploit-framework/lib/msf/core/exploit/lorcon2.rb:67:in
`open_wifi'
[-]
/home/todb/git/rapid7/metasploit-framework/modules/auxiliary/dos/wifi/wifun.rb:29:in
`run'
[*] Auxiliary module execution completed
````
2014-04-07 16:37:10 -05:00
jvazquez-r7
fb1318b91c
Land #3193 , @m-1-k-3's exploit for the Fritzbox RCE vuln
2014-04-07 16:13:31 -05:00
jvazquez-r7
ceaa99e64e
Minor final cleanup
2014-04-07 16:12:54 -05:00
Michael Messner
b1a6b28af9
fixed disclosure date
2014-04-07 19:29:37 +02:00
Michael Messner
003310f18a
feedback included
2014-04-07 19:25:26 +02:00
Tod Beardsley
7572d6612e
Spelling and grammar on new release modules
2014-04-07 12:18:13 -05:00
Michael Messner
85de6ed0c9
feedback included
2014-04-07 18:20:15 +02:00
joev
2e4c2b1637
Disable Android 4.0, add arch detection.
...
Android 4.0, it turns out, has a different echo builtin than the other androids.
Until we can figure out how to drop a payload on a 4.0 shell, we cannot support it.
Arch detection allows mips/x86/arm ndkstagers to work, unfortunately
x86 ndkstager was not working, so it is disabled for now.
2014-04-07 09:44:43 -05:00
jvazquez-r7
56bd35c8ce
Add module for WinRAR spoofing vulnerability
2014-04-07 09:21:49 -05:00
Michael Messner
11bbb7f429
fritzbox echo exploit
2014-04-07 09:12:22 +02:00
dummys
ca7dcc0781
cleanup with msftidy
2014-04-06 12:41:58 +02:00
jvazquez-r7
6d72860d58
Land #3004 , @m-1-k-3's linksys moon exploit
2014-04-04 14:04:48 -05:00
jvazquez-r7
0ae75860ea
Code clean up
2014-04-04 14:02:12 -05:00
sinn3r
ea1c6fe8a4
Land #3177 - JIRA Issues Collector Directory Traversal
2014-04-04 10:41:51 -05:00
dummys
c90c49e319
Add vtiger install rce 0 day
2014-04-04 10:16:55 +02:00
William Vu
48ef061c3c
Land #3046 , AIX ibtstat privesc exploit
2014-04-03 17:07:00 -05:00
William Vu
6c67f1881f
Normalize syntax and whitespace
2014-04-03 16:54:33 -05:00
Joe Vennix
55500ea2f3
Avoid the nullchar.
2014-04-02 21:53:12 -05:00
Joe Vennix
176cc84865
Remove BES and calculate the pid manually.
2014-04-02 17:21:13 -05:00
jvazquez-r7
577bd7c855
Land #3146 , @wchen-r7's flash version detection code
2014-04-02 15:13:41 -05:00
jvazquez-r7
a85d451904
Add module for CVE-2014-2314
2014-04-02 14:49:31 -05:00
agix
4a575d57ab
Try to fix Meatballs1 suggestions : optional service_description change call
2014-04-02 20:33:09 +01:00
agix
b636a679ae
Erf, sorry, fixed now
2014-04-02 20:33:08 +01:00
agix
631a7b9c48
Adapt to new psexec mixin (first try :D)
2014-04-02 20:33:08 +01:00
Florian Gaultier
978bdbb676
Custom Service Description
2014-04-02 20:33:07 +01:00
sinn3r
e3dda2e862
Land #3172 - CVE-2014-1510 to firefox_xpi_bootstrapped_addon
2014-04-02 14:07:37 -05:00
joev
ebcf972c08
Add initial firefox xpi prompt bypass.
2014-04-01 23:48:35 -05:00
Sagi Shahar
8611526a01
Fix more bugs and more syntax errors
2014-04-01 01:22:12 +02:00
Sagi Shahar
becefde52f
Fix bugs and syntax
2014-04-01 00:54:51 +02:00
Tod Beardsley
ffdca3bf42
Fixup on some modules for release
...
There may be more coming, but if not, this should cover
this week's minor style changes.
2014-03-31 12:42:19 -05:00
William Vu
cf2589ba8d
Land #3162 , Microsoft module name changes
2014-03-28 23:10:27 -05:00
sinn3r
d7ca537a41
Microsoft module name changes
...
So after making changes for MSIE modules (see #3161 ), I decided to
take a look at all MS modules, and then I ended up changing all of
them. Reason is the same: if you list modules in an ordered list
, this is a little bit easier to see for your eyes.
2014-03-28 20:56:53 -05:00
sinn3r
466096f637
Add MSB number to name
2014-03-28 20:33:40 -05:00
sinn3r
a173fcf2fa
Flash detection for firefox_svg_plugin
...
Good test case
2014-03-28 15:39:25 -05:00
jvazquez-r7
f7b1874e7d
Land #3151 , @wchen-r7's use of BrowserExploitServer in ms13-59's exploit
2014-03-28 14:43:38 -05:00
jvazquez-r7
69369c04b3
Land #3126 , @xistence's exploit for SePortal
2014-03-28 13:52:59 -05:00
jvazquez-r7
7b56c9edac
Add references
2014-03-28 13:51:56 -05:00
Christian Mehlmauer
94494e38e7
Land #3152 - Use normalize_uri for module wp_property_upload_exec
2014-03-28 13:22:54 +01:00
sinn3r
0b3f49f22a
Land #3145 , Clean up firefox_svg_plugin, use FirefoxPrivilegeEscalation mixin
2014-03-27 12:59:49 -05:00
Kurt Grutzmacher
0b766cd412
changes per firefart
2014-03-27 10:08:44 -07:00
Kurt Grutzmacher
744308bd35
tab...
2014-03-27 05:24:55 -07:00
Kurt Grutzmacher
a8c96213f0
normalize_uri for wp_property_upload_exec
2014-03-27 05:22:56 -07:00
sinn3r
8ec10f7438
Use BrowserExploitServer for MS13-059 module
2014-03-26 17:49:01 -05:00
Michael Messner
4319885420
we do not need pieces ...
2014-03-26 20:45:30 +01:00
jvazquez-r7
19918e3207
Land #3143 , @wchen-r7's switch to BrowserExploitServer on ie_setmousecapture_uaf
2014-03-26 14:16:35 -05:00
Joe Vennix
80808fc98c
Cleans up firefox SVG plugin.
2014-03-26 13:12:39 -05:00
sinn3r
fdc355147f
Use BrowserExploitServer mixin for ie_setmousecapture_uaf.rb
2014-03-25 18:41:47 -05:00
sinn3r
6c206e4ced
Add a comment about what this build version range is covering
2014-03-25 11:43:13 -05:00
sinn3r
7108d2b90a
Add ua_ver and mshtml_build requirements
...
This vulnerability is specific to certain builds of IE9.
2014-03-25 11:35:35 -05:00
sinn3r
0c3a535434
Land #3133 - LifeSize UVC Authenticated RCE via Ping
2014-03-24 21:16:10 -05:00
sinn3r
53b25c8c93
Fix header & author e-mail format
2014-03-24 21:15:27 -05:00
Brandon Perry
d2a9a26bc8
real fix for sinn3r bug
2014-03-24 18:40:48 -05:00
Brandon Perry
ec35f4b13f
some bugs for sinn3r
2014-03-24 18:17:50 -05:00
Tod Beardsley
cfdd64d5b1
Title, description grammar and spelling
2014-03-24 12:16:59 -05:00
jvazquez-r7
c7ba7e4d92
Land #3131 , @xistence's exploit for CVE-2014-1903
2014-03-24 08:48:06 -05:00
jvazquez-r7
c3b753f92e
Make PHPFUNC advanced option
2014-03-24 08:47:31 -05:00
jvazquez-r7
4f333d84c9
Clean up code
2014-03-24 08:15:54 -05:00
Tim
25ca0552e0
cleanup files after exploit
2014-03-23 17:00:29 +00:00
Tim
f9972239cf
randomize payload filename
2014-03-23 16:36:26 +00:00
Brandon Perry
d6f397ab6d
whoops that isn't how you EDB
2014-03-22 11:48:41 -05:00
Brandon Perry
291692d6e0
Update lifesize_uvc_ping_rce.rb
2014-03-22 11:30:00 -05:00
Brandon Perry
67a3a7227b
Create lifesize_uvc_ping_rce.rb
2014-03-21 21:33:12 -05:00
xistence
c4f0d8e179
FreePBX config.php RCE CVE-2014-1903
2014-03-21 10:29:15 +07:00
sinn3r
b02337d8b6
Land #3123 - Horde Framework Unserialize PHP Code Execution
2014-03-20 12:32:14 -05:00
jvazquez-r7
a5afd929b4
Land #3120 , @wchen-r7's exploit for CVE-2014-0307
2014-03-20 11:16:40 -05:00
jvazquez-r7
8cb7bc3cbe
Fix typo
2014-03-20 11:13:57 -05:00
xistence
2845f834c6
changed cookie retrieval to res.get_cookies
2014-03-20 16:39:26 +07:00
xistence
7bfb8e95e6
minor changes to seportal module
2014-03-20 13:44:39 +07:00
xistence
5ef49ff64b
SePortal 2.5 SQLi Remote Code Execution
2014-03-20 12:02:06 +07:00
sinn3r
c5158a3ccc
Update CVE
2014-03-19 22:13:23 -05:00
Tod Beardsley
c1cbeff5f0
Land #3122 , lots of Meterpreter updates
...
This lands the binaries built from Meterpreter as of:
rapid7/meterpreter#80 , also known as
commit 5addac75741fadfff35f4f7839cee6fd69705455
as well as the functional changes in:
rapid7/metasploit-framework#2782
rapid7/metasploit-framework#2889
rapid7/metasploit-framework#3061
rapid7/metasploit-framework#3085
2014-03-19 15:35:49 -05:00
jvazquez-r7
d6faf20981
Make title more accurate
2014-03-19 12:43:34 -05:00
jvazquez-r7
144b86fee3
Add reference
2014-03-19 12:17:53 -05:00
jvazquez-r7
27d142b387
Solve conflict by keeping file
2014-03-19 12:15:05 -05:00
jvazquez-r7
fb645b6692
Clean code
2014-03-19 12:06:20 -05:00
jvazquez-r7
0a795ab602
Land #3106 , @xistence's exploit for Array Networks devices
2014-03-19 10:49:03 -05:00
jvazquez-r7
0e27d75e60
Code clean up
2014-03-19 10:48:25 -05:00
Tod Beardsley
d27264b402
Land #2782 , fix expand_path abuse
2014-03-19 08:41:28 -05:00
xistence
056ce5d097
removed file which did not belong in this pull request
2014-03-19 15:04:19 +07:00
sinn3r
2e76faa076
Add MS14-012 Internet Explorer Use-After-Free Exploit Module
...
Add MS14-012 IE UAF.
2014-03-18 17:55:56 -05:00
jvazquez-r7
379c0efd5a
Update POP chain documentation
2014-03-18 16:29:30 -05:00
jvazquez-r7
77c128fbc5
Fix disclosure date and add ref
2014-03-18 16:21:44 -05:00
jvazquez-r7
b6e8bb62bb
Switch exploitation technique to use default available classes
2014-03-18 16:07:50 -05:00
William Vu
dfd3a81566
Land #3111 , hash rockets shouldn't be in refs
2014-03-18 14:25:04 -05:00
jvazquez-r7
38176ad67d
Land #3109 , @xistence's Loadbalancer.org Enterprise VA applicance exploit
2014-03-18 06:53:26 -05:00
jvazquez-r7
ddd923793a
Do minor clean up
2014-03-18 06:52:50 -05:00
jvazquez-r7
ad49df4301
Register RHOST
2014-03-18 06:17:41 -05:00
jvazquez-r7
600338bd29
Land #3108 , @xistence's exploit for Quantum vmPRO shell-escape
2014-03-18 06:12:18 -05:00
jvazquez-r7
f656e5fedb
Do minor clean up
2014-03-18 06:11:02 -05:00
jvazquez-r7
f86fd8af5d
Delete debug print
2014-03-17 21:01:41 -05:00
jvazquez-r7
3bdd906aae
Add module for CVE-2014-1691
2014-03-17 20:47:45 -05:00
Tod Beardsley
8f2124f5da
Minor updates for release
...
Fixes some title/desc action.
Adds a print_status on the firefox module so it's not just silent.
Avoids the use of "puts" in the description b/c this freaks out msftidy
(it's a false positive but easily worked around).
2014-03-17 13:26:26 -05:00
Tod Beardsley
c916b62f47
Removes hash rockets from references.
...
[SeeRM #8776 ]
2014-03-17 09:40:32 -05:00
xistence
9bb4e5cfc3
Loadbalancer.org Enterprise VA SSH privkey exposure
2014-03-17 14:22:51 +07:00
xistence
c116697c70
Quantum vmPRO backdoor command
2014-03-17 14:19:27 +07:00
xistence
ef4a019b20
Quantum DXi V1000 SSH private key exposure
2014-03-17 14:15:00 +07:00
xistence
e261975c34
Array Networks vxAG and vAPV SSH key and privesc
2014-03-17 14:11:16 +07:00
xistence
1043d9d8b2
Array Networks vxAG and vAPV SSH key and privesc
2014-03-17 14:06:55 +07:00
David Maloney
da0c37cee2
Land #2684 , Meatballs PSExec refactor
2014-03-14 13:01:20 -05:00
OJ
409787346e
Bring build tools up to date, change some project settings
...
This commit brings the source into line with the general format/settings
that are used in other exploits.
2014-03-14 22:57:16 +10:00
sinn3r
243fa4f56a
Land #2910 - MPlayer Lite M3U Buffer Overflow
2014-03-13 14:13:17 -05:00
sinn3r
e832be9eeb
Update description and change ranking
...
The exploit requires the targeted user to open the malicious in
specific ways.
2014-03-13 14:09:37 -05:00
sinn3r
6e37493471
Land #3091 - native shellcode payloads from a FF privileged js shell
2014-03-13 13:36:37 -05:00
Joe Vennix
952b50f8c1
Add priv escalation mixin to the firefox local exploit.
2014-03-13 11:49:44 -05:00
kyuzo
41720428e4
Refactoring exploit and adding build files for dll.
2014-03-12 10:25:52 +00:00
Joe Vennix
facd743f1f
Oops. Add missing dir to dalvikstager path.
2014-03-11 19:48:39 -05:00
William Vu
517f264000
Add last chunk of fixes
2014-03-11 12:46:44 -05:00
William Vu
25ebb05093
Add next chunk of fixes
...
Going roughly a third at a time.
2014-03-11 12:23:59 -05:00
William Vu
170608e97b
Fix first chunk of msftidy "bad char" errors
...
There needs to be a better way to go about preventing/fixing these.
2014-03-11 11:18:54 -05:00
Joe Vennix
5c2168513a
Update path in #dalvikstager.
2014-03-11 11:03:36 -05:00
OJ
3ea3968d88
Merge branch 'upstream/master' into stop_abusing_expand_path
...
Conflicts:
lib/msf/core/post/windows/shadowcopy.rb
modules/exploits/windows/local/bypassuac.rb
modules/post/windows/gather/wmic_command.rb
modules/post/windows/manage/persistence.rb
2014-03-11 23:13:39 +10:00
Tim
c76924e946
native jni stager
2014-03-10 21:50:00 -05:00
Tod Beardsley
2086224a4c
Minor fixes. Includes a test module.
2014-03-10 14:49:45 -05:00
Tod Beardsley
26be236896
Pass MSFTidy please
2014-03-10 14:45:56 -05:00
jvazquez-r7
bc8590dbb9
Change DoS module location
2014-03-10 16:12:20 +01:00
jvazquez-r7
1061036cb9
Use nick instead of name
2014-03-10 16:11:58 +01:00
Tod Beardsley
5485028501
Add 3 Yokogawa SCADA vulns
...
These represent our part for public disclosure of the issues listed
here:
http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf
Yokogawa is calling these YSAR-14-0001E, and I think that they map
thusly:
YSAR-14-0001E Vulnerability 1 :: R7-2013-19.1
YSAR-14-0001E Vulnerability 2 :: R7-2013-19.3
YSAR-14-0001E Vulnerability 3 :: R7-2013-19.4
@jvazquez-r7 if you could confirm, I'd be delighted to land these and
get your disclosure blog post published at:
https://community.rapid7.com/community/metasploit/blog/2014/03/10/yokogawa-centum-cs3000-vulnerabilities
Thanks for all the work on these!
2014-03-10 09:33:54 -05:00
sinn3r
c76a1ab9f4
Land #3065 - Safari User-Assisted Download & Run Attack
2014-03-07 10:29:56 -06:00
Joe Vennix
9638bc7061
Allow a custom .app bundle.
...
* adds a method to Rex::Zip::Archive to allow recursive packing
2014-03-06 16:11:30 -06:00
Joe Vennix
5abb442757
Adds more descriptive explanation of 10.8+ settings.
2014-03-06 15:15:27 -06:00
kyuzo
257c121c75
Adding MS013-058 for Windows7 x86
2014-03-06 20:34:01 +00:00
Joe Vennix
43d315abd5
Hardcode the platform in the safari exploit.
2014-03-06 13:04:47 -06:00
kyuzo
2a1e96165c
Adding MS013-058 for Windows7 x86
2014-03-06 18:39:34 +00:00
Brendan Coles
df2bdad4f9
Include 'msf/core/exploit/powershell'
...
Prevent:
```
[-] /pentest/exploit/metasploit-framework/modules/exploits/windows/misc/hp_dataprotector_exec_bar.rb: NameError uninitialized constant Msf::Exploit::Powershell
```
2014-03-06 12:57:43 +11:00
Joe Vennix
38a2e6e436
Minor fixes.
2014-03-05 19:03:54 -06:00
Joe Vennix
dca807abe9
Tweaks for BES.
2014-03-05 19:00:15 -06:00
Joe Vennix
12cf5a5138
Add BES, change extra_plist -> plist_extra.
2014-03-05 18:51:42 -06:00
sinn3r
9d0743ae85
Land #3030 - SolidWorks Workgroup PDM 2014 pdmwService.exe Arbitrary File Write
2014-03-05 16:34:54 -06:00
bcoles
1ea35887db
Add OSVDB reference
2014-03-06 01:40:15 +10:30
jvazquez-r7
4e9350a82b
Add module for ZDI-14-008
2014-03-05 03:25:13 -06:00
Joe Vennix
cd3c2f9979
Move osx-app format to EXE.
2014-03-04 22:54:00 -06:00
OJ
a1aef92652
Land #2431 - In-memory bypass uac
2014-03-05 11:15:54 +10:00
Joe Vennix
32c27f6be0
Tweak timeouts.
2014-03-04 17:16:23 -06:00
Joe Vennix
40047f01d3
Adds Safari User Assisted download launch module.
2014-03-04 17:02:51 -06:00
William Vu
e30238fe0d
Land #3062 , unused arg fix for vmware_mount
2014-03-04 11:37:41 -06:00
James Lee
68205fa43c
Actually use the argument
2014-03-04 11:30:42 -06:00
sinn3r
f8310b86d1
Land #3059 - ALLPlayer M3U Buffer Overfloww
2014-03-04 11:29:52 -06:00
David Maloney
db76962b4a
Land #2764 , WMIC Post Mixin changes
...
lands Meatballs WMIC changes
2014-03-04 10:21:46 -06:00
sgabe
408fedef93
Add module for OSVDB-98283
2014-03-04 00:51:01 +01:00
Meatballs
32d83887d3
Merge remote-tracking branch 'upstream/master' into wmic_post
2014-03-03 21:56:31 +00:00
Tod Beardsley
de6be50d64
Minor cleanup and finger-wagging about a for loop
2014-03-03 14:12:22 -06:00
Sagi Shahar
a005d69b16
Fix $PATH issues. Add FileDropper functionality
2014-03-02 20:43:17 +02:00
Sagi Shahar
e6c1dd3f9e
Switch post module to fixed exploit module.
2014-03-02 17:42:48 +02:00
bcoles
f008c77f26
Write payload to startup for Vista+
2014-03-02 18:10:10 +10:30
Sagi Shahar
17272acb27
Fix module code per recommendations
2014-03-01 00:53:24 +02:00
Meatballs
63751c1d1a
Small msftidies
2014-02-28 22:18:59 +00:00
Michael Messner
15345da9d8
remove the wget module, remove the cmd stuff, testing bind stuff ahead
2014-02-28 22:44:26 +01:00
sinn3r
ac446d3b3f
Land #3043 - randomization for Rex::Zip::Jar and java_signed_applet
2014-02-28 14:10:55 -06:00
OJ
7117d50fa4
Land #3028 - bypassuac revamp
2014-02-28 09:12:02 +10:00
Sagi Shahar
fd4457fce8
Add AIX 6.1/7.1 ibstat $PATH Local Privilege Escalation
2014-02-27 23:56:49 +02:00
sinn3r
f531d61255
Land #3036 - Total Video Player buffer overflow
2014-02-27 14:28:53 -06:00
sinn3r
7625dc4880
Fix syntax error due to the missing ,
2014-02-27 14:25:52 -06:00
sinn3r
49ded452a9
Add OSVDB reference
2014-02-27 14:22:56 -06:00
sinn3r
e72250f08f
Rename Total Video Player module
...
The filename shouldn't include the version, because the exploit should
be able to target multiple versions if it has to.
2014-02-27 14:20:26 -06:00
David Maloney
b952b103bd
cleanup tior and .tmp files
...
bypassuac module now also cleans
the tior.exe and all the .tmp files so we have a
clean environemnt afterwards
2014-02-27 13:18:34 -06:00
David Maloney
f66709b5bb
make bypassuac module clean itself up
...
since the IO redirection hangs our original process
we have the moudle wait for the session then kills
the spawning process and delete the exe we dropped
2014-02-27 12:54:40 -06:00
jvazquez-r7
6c490af75e
Add randomization to Rex::Zip::Jar and java_signed_applet
2014-02-27 12:38:52 -06:00
David Maloney
a8e0c3c255
remove copypasta mistake
2014-02-27 10:05:53 -06:00
Fr330wn4g3
63f74bddae
2° update total_video_player_131_ini_bof
2014-02-27 16:41:35 +01:00
David Maloney
96b611104e
cleanup methods in bypassuac module
...
apply the same sort of method cleanup as in
Meatballs injection based module.
2014-02-26 11:00:55 -06:00
Fr330wn4g3
b81642d8ad
Update total_video_player_131_ini_bof
2014-02-26 11:37:04 +01:00
Fr330wn4g3
a7cacec0c3
Add module for EDB 29799
2014-02-25 23:07:28 +01:00
jvazquez-r7
96ffb1db47
Delete extra comma
2014-02-25 15:29:46 -06:00
jvazquez-r7
cb18639b66
Add small fixes and clean up
2014-02-25 15:25:01 -06:00
jvazquez-r7
1d4b2ea60d
Add module for ZDI-14-015
2014-02-25 15:07:09 -06:00
jvazquez-r7
a45c8c2b4a
Land #3029 , @xistence Symantec endpoint exploit
2014-02-25 07:59:35 -06:00
jvazquez-r7
bfe0fdb776
Move module
2014-02-25 07:58:00 -06:00
xistence
ab167baf56
Added randomness instead of payload and xxe keywords
2014-02-25 15:23:10 +07:00
jvazquez-r7
4908d80d6c
Clean up module
2014-02-24 16:00:54 -06:00
Michael Messner
2935f4f562
CMD target
2014-02-24 18:12:23 +01:00
jvazquez-r7
c981bbeab9
Land #3011 , @wchen-r7's fix for Dexter exploit
2014-02-24 10:53:10 -06:00
jvazquez-r7
c9f0885c54
Apply @jlee-r7's feedback
2014-02-24 10:49:13 -06:00
bcoles
a29c6cd2b4
Add SolidWorks Workgroup PDM 2014 pdmwService.exe Arbitrary File Write
2014-02-25 02:57:25 +10:30
xistence
5485759353
Added Symantec Endpoint Protection Manager RCE
2014-02-24 15:04:37 +07:00
xistence
8e3f70851d
Added Symantec Endpoint Protection Manager RCE
2014-02-24 15:01:13 +07:00
Michael Messner
0126e3fcc8
cleanup
2014-02-23 21:17:32 +01:00
Michael Messner
dbbd080fc1
a first try of the cmd stager, wget in a seperated module included
2014-02-23 20:59:17 +01:00
OJ
fdd0d91817
Updated the Ultra Minit HTTP bof exploit
...
After exploiting this application manually I decided to make this
an MSF exploit, only to find that other people had beaten me to it.
However, the existing exploit was broken in a few ways, and this
commit makes those problems go away. They include:
* Correct use of alpha chars in the buffer leading up to the payload
which results in bad chars being avoided. Bad chars muck with the
offsets because they get expanded.
* Adjustment of the payload so that it runs in another thread instead
of in the thread of the request handler. This prevents the session
from being killed after the hard-coded 60-second timeout that is
baked into the application.
* The handler thread terminates itself so that the process doesn't
crash.
* Extra targets were added based on the machines I had access to.
2014-02-23 21:23:41 +10:00
Meatballs
2f7f344be3
Copy original sleep
2014-02-23 04:53:48 +00:00
Meatballs
6127ff92ce
Fix race condition
...
Wait for Sysprep to ExitProcess before cleaning up the DLLs...
2014-03-03 23:41:25 +00:00
Meatballs
d396be963a
Use new cmd_exec_get_pid
2014-02-28 20:53:13 +00:00
Meatballs
2a6258be15
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
...
Conflicts:
external/source/exploits/make.bat
2014-02-28 20:26:24 +00:00
Meatballs
e0fa1d532c
Dont think this works on vista/8
2014-02-26 23:14:17 +00:00
Meatballs
5a7730b495
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
2014-02-25 23:15:47 +00:00
Meatballs
8bdb22aeb9
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
...
Conflicts:
lib/msf/core/post/windows.rb
2014-02-25 22:15:05 +00:00
Meatballs
1f08ad48a4
Fix payload_path method
2014-02-25 22:11:23 +00:00
Meatballs
6687ef80ee
Further bypassuac tidies
...
Dont rescue Exception
Use ReflectiveDLLInjection post mixin
Dont keep retrieving %TEMP% path
2014-02-25 22:03:01 +00:00
David Maloney
23381ea2cb
code tidying
...
break big exploit method up into
smaller methods for better maintainability
2014-02-25 14:07:48 -06:00
jakxx
c8940c37f5
Updating References
2014-02-21 09:23:08 -05:00
jakxx
ef51de3826
Updating References
2014-02-21 09:21:08 -05:00
jakxx
b5bc3dd4fc
Added py_web_delivery
2014-02-20 21:53:00 -05:00
jakxx
1834784b93
Added php_web_delivery
2014-02-20 13:41:26 -05:00
jakxx
45d554e6d9
Delete powershell_psexec.rb
2014-02-20 12:01:04 -05:00
jakxx
0a63b40572
Merge remote-tracking branch 'upstream/master'
2014-02-20 11:48:41 -05:00
jvazquez-r7
998fa06912
Land #2998 , @bit4bit's fix for the vtigercrm exploit
2014-02-20 08:36:05 -06:00
jvazquez-r7
0b27cd13e8
Make module work
2014-02-20 08:35:37 -06:00
sinn3r
ed2ac95396
Always replace \ with / for Dexter exploit
...
Fix for the following:
48199fec27 (commitcomment-5419010)
2014-02-19 09:24:07 -06:00
Joe Vennix
50fb9b247e
Restructure some of the exploit methods.
2014-02-19 02:31:22 -06:00
jvazquez-r7
4ca4d82d89
Land #2939 , @Meatballs1 exploit for Wikimedia RCE and a lot more...
2014-02-18 17:48:02 -06:00
Tod Beardsley
721e153c7f
Land #3005 to the fixup-release branch
...
Prefer the intel on #3005 over my own made up 0day guess. Thanks @wvu!
Conflicts:
modules/exploits/windows/fileformat/audiotran_pls_1424.rb
2014-02-18 14:08:54 -06:00
Tod Beardsley
a863d0a526
Pre-release fixes, including msftidy errors.
2014-02-18 14:02:37 -06:00
Michael Messner
3a8de6e124
replaced rhost by peer
2014-02-18 21:01:50 +01:00
William Vu
28dc742bcf
Fix references and disclosure date
2014-02-18 13:59:58 -06:00
William Vu
c216357815
Land #3000 , audiotran_pls_1424 SEH exploit
2014-02-18 13:27:14 -06:00
Michael Messner
66e2148197
linksys themoon command execution exploit
2014-02-18 19:43:47 +01:00
Michael Messner
4dda7e6bad
linksys themoon command execution exploit
2014-02-18 19:42:50 +01:00
Joe Vennix
57449ac719
Adds working shellcode exec local exploit.
2014-02-17 15:31:45 -06:00
Philip OKeefe
98958bc7bc
Making audiotran_pls_1424 more readable and adding comments
2014-02-17 13:40:03 -05:00
sinn3r
52ac85be11
Land #2931 - Oracle Forms and Reports RCE
2014-02-17 08:54:23 -06:00
sinn3r
110ffbf342
Indent looks off for this line
2014-02-17 08:53:29 -06:00
sinn3r
632ea05688
100 columns
2014-02-17 08:52:56 -06:00
sinn3r
8da7ba131b
In case people actually don't know what RCE means
2014-02-17 08:51:48 -06:00
sinn3r
73459baefd
Add OSVDB references
2014-02-17 08:50:34 -06:00
Mekanismen
fb7b938f8e
check func fixed
2014-02-17 15:11:56 +01:00
Philip OKeefe
c60ea58257
added audiotran_pls_1424 fileformat for Windows
2014-02-16 16:20:50 -05:00
Mekanismen
e27d98368e
fixed local server issues
2014-02-16 18:26:08 +01:00
Mekanismen
e40b9e5f37
updated and improved
2014-02-16 16:24:39 +01:00
Jovany Leandro G.C
74344d6c7e
vtigerolservice.php to vtigerservice.php
...
using direct soap/vtigerolservice.php not work..php need require('config.php');
2014-02-15 20:36:36 -05:00
Mekanismen
b7d69c168c
bugfix and user supplied local path support
2014-02-15 16:24:59 +01:00
sinn3r
9daffbd484
Land #2973 - Dexter panel (CasinoLoader) SQLi to file upload code exec
2014-02-14 17:16:27 -06:00
sinn3r
48199fec27
Change URL identifier, and make the user choose a target
2014-02-14 17:15:00 -06:00
Tod Beardsley
745f313413
Remove @nmonkee as author per twitter convo
2014-02-13 14:41:10 -06:00
Tod Beardsley
371f23b265
Unbreak the URL refs add nmonkee as ref and author
...
While @nmonkee didn't actually contribute to #2942 , he did publish a
python exploit that leverages WebView, so given our policy of being
loose with author credit, I added him.
Also added a ref to @nmonkee's thing.
@jduck @jvennix-r7 if you have a problem with this, please do say so, I
don't think adding @nmonkee in any way diminishes your work, and I don't
want to appear like we're secretly ripping off people's work. I know you
aren't on this or any other module, and I know @nmonkee doesn't think
that either.
2014-02-13 14:19:59 -06:00
jvazquez-r7
ff267a64b1
Have into account the Content-Transfer-Encoding header
2014-02-12 12:40:11 -06:00
sinn3r
45d4b1e1fd
Land #2958 - Add options: Applicaiton-Name, Permissions for jar.rb
2014-02-12 11:14:25 -06:00
jvazquez-r7
a59ce95901
Land #2970 , @sgabe exploit for CVE-2010-2343
2014-02-12 08:10:53 -06:00
jvazquez-r7
9845970e12
Use pop#ret to jump over the overwritten seh
2014-02-12 08:10:14 -06:00
sgabe
11513d94f5
Add Juan as author
2014-02-12 12:17:02 +01:00
sgabe
3283880d65
Partially revert "Replace unnecessary NOP sled with random text" to improve reliability.
...
This partially reverts commit 12471660e9
.
2014-02-12 12:09:16 +01:00
sgabe
7195416a04
Increase the size of the NOP sled
2014-02-12 02:35:53 +01:00
sgabe
3f09456ce8
Minor code formatting
2014-02-11 23:53:04 +01:00
sgabe
7fc3511ba9
Remove unnecessary NOPs
2014-02-11 23:48:54 +01:00
sgabe
12471660e9
Replace unnecessary NOP sled with random text
2014-02-11 23:48:04 +01:00
sgabe
184ccb9e1e
Fix payload size
2014-02-11 23:42:58 +01:00
bwall
783e62ea85
Applied changes from @wchen-r7's comments
2014-02-11 10:14:52 -08:00
jvazquez-r7
3717374896
Fix and improve reliability
2014-02-11 10:44:58 -06:00
jvazquez-r7
51df2d8b51
Use the fixed API on the mediawiki exploit
2014-02-11 08:28:58 -06:00
jvazquez-r7
79d559a0c9
Fix MIME message to_s
2014-02-10 22:23:23 -06:00
sgabe
e8a3984c85
Fix ROP NOP address and reduce/remove NOPs
2014-02-11 00:29:37 +01:00
William Vu
e6905837eb
Land #2960 , rand_text_alpha for amaya_bdo
2014-02-10 16:44:11 -06:00
bwall
13fadffe7e
Dexter panel (CasinoLoader) SQLi to PHP code exec - Initial
2014-02-10 13:44:30 -08:00
Meatballs
a87f604c98
Merge remote-tracking branch 'upstream/master' into mediawiki
2014-02-10 21:43:56 +00:00
Tod Beardsley
1236a4eb07
Fixup on description and some option descrips
2014-02-10 14:41:59 -06:00
jvazquez-r7
3d4d5a84b6
Land #2957 , @zeroSteiner's exploit for CVE-2013-3881
2014-02-10 13:59:45 -06:00
jvazquez-r7
502dbb1370
Add references
2014-02-10 13:55:02 -06:00
sgabe
08b6f74fb4
Add module for CVE-2010-2343
2014-02-10 20:46:09 +01:00
jvazquez-r7
abb03d0bbe
Fixing messages
2014-02-10 13:10:42 -06:00
jvazquez-r7
541bb6134e
Change exploit filename
2014-02-10 13:06:23 -06:00
jvazquez-r7
2e130ce843
Make it work with Reader Sandbox
2014-02-10 13:04:13 -06:00
Tod Beardsley
7c43565ea8
Include missing require for powershell
2014-02-10 11:02:53 -06:00
jvazquez-r7
8ece4a7750
Delete debug print
2014-02-10 08:57:45 -06:00
jvazquez-r7
57320a59f1
Do small clean up for mediawiki_thumb pr
2014-02-10 08:57:09 -06:00
Spencer McIntyre
0ac1acda70
Upgrade toolchain to Visual Studio 2013 v120.
2014-02-10 09:35:07 -05:00
sinn3r
c96116b193
Land #2949 - Add module Kloxo SQLi
2014-02-08 13:45:11 -06:00
David Maciejak
32c02dd56a
Added some randomness
2014-02-08 11:27:25 +08:00
Meatballs
dcff06eba1
More verbose failure messages
2014-02-07 23:59:28 +00:00
sinn3r
66cb97305c
Land #2953 - KingScada kxClientDownload.ocx ActiveX Remote Code Exec
2014-02-07 17:41:35 -06:00
sinn3r
bd23fcf4b7
Land #2936 - Windows Command Shell Upgrade (Powershell)
2014-02-07 17:39:06 -06:00
Meatballs
783a986a19
Windows and auto target up and running
2014-02-07 23:26:57 +00:00
Meatballs
a0f47f6b2b
Correct error check logic
2014-02-07 22:06:53 +00:00
Meatballs
443a51bbf5
Undo revert from merge
2014-02-07 21:28:04 +00:00
Meatballs
56359aa99f
Merge changes from other dev machine
2014-02-07 21:22:44 +00:00
Meatballs
a4cc75bf98
Potential .pdf support
2014-02-07 20:37:44 +00:00
Meatballs
e13520d7fb
Handle a blank filename
2014-02-07 20:15:32 +00:00
Meatballs
103780c3da
Merge remote-tracking branch 'upstream/master' into mediawiki
2014-02-07 20:07:04 +00:00
jvazquez-r7
c679b1001b
Make pring_warning verbose
2014-02-07 10:23:07 -06:00
grimmlin
2d93b38e2a
Fixed java_signed_applet for Java 7u51
2014-02-07 16:29:50 +01:00
Spencer McIntyre
f686385349
Remove an unnecessary VS file and modify version check.
2014-02-07 08:45:51 -05:00
jvazquez-r7
a18de35fa7
Add module for ZDI-14-011
2014-02-06 18:25:36 -06:00
Spencer McIntyre
cc32c877a9
Add CVE-2013-3881 win32k Null Page exploit
2014-02-06 17:23:38 -05:00
James Lee
4b37cc7243
Land #2927 , PandoraFMS anyterm exploit
2014-02-06 15:22:23 -06:00
James Lee
4236abe282
Better SIGHUP handling
2014-02-06 15:21:54 -06:00
William Vu
19fff3c33e
Land #2942 , @jvennix-r7's Android awesomesauce
...
Also, thanks to @jduck for testing!
2014-02-06 11:53:11 -06:00
Joe Vennix
362e937c8d
Forgot to push local changes.
2014-02-06 11:47:35 -06:00
Joe Vennix
0dc2ec5c4d
Use BrowserExploitServer mixin.
...
This prevents drive-by users on other browsers from ever receiving
the exploit contents.
2014-02-06 11:32:42 -06:00
jvazquez-r7
fdb954fdfb
Report credentials
2014-02-05 14:37:33 -06:00
jvazquez-r7
631559a2e8
Add module for Kloco SQLi
2014-02-05 14:18:56 -06:00
Joe Vennix
553616b6cc
Add URL for browser exploit.
2014-02-04 17:04:06 -06:00
sinn3r
89e1bcc0ca
Deprecate modules with date 2013-something
...
These modules had an expiration date of 2013.
2014-02-04 14:49:18 -06:00
Joe Vennix
23fc73924e
Msftidy it up.
2014-02-04 14:24:36 -06:00
William Vu
a58698c177
Land #2922 , multithreaded check command
2014-02-04 11:21:05 -06:00
Meatballs
0a3cb3377f
AppendEncoder
2014-02-04 15:41:10 +00:00
Meatballs
26c506da42
Naming of follow method
2014-02-04 15:25:51 +00:00
Meatballs
f5fa3fb5ce
Windows compat, fixed PHP-CLI
2014-02-04 14:27:10 +00:00
Meatballs
64d11e58c2
Use semicolon for win compat
2014-02-04 13:53:33 +00:00
Joe Vennix
700e09f386
Wording tweak.
2014-02-04 02:55:10 -06:00
Joe Vennix
bbabd72b0e
Whitespace tweaks.
2014-02-04 02:52:52 -06:00
Joe Vennix
eb6a5a4c19
Tweak checks.
2014-02-04 02:49:44 -06:00
Joe Vennix
4923a93974
Tweak description.
2014-02-04 02:47:49 -06:00
Joe Vennix
37479884a5
Add browserautopwn support.
2014-02-04 02:32:12 -06:00
Joe Vennix
eba3a5aab0
More accurate description.
2014-02-04 01:44:39 -06:00
Joe Vennix
177bd35552
Add webview HTTP exploit.
2014-02-04 01:37:09 -06:00
Meatballs
2fd8257c7e
Use bperry's trigger
2014-02-04 00:51:34 +00:00
Meatballs
a8ff6eb429
Refactor send_request_cgi_follow_redirect
2014-02-03 21:49:49 +00:00
Meatballs
83925da2f1
Refactor form_data code
2014-02-03 21:16:58 +00:00
Tod Beardsley
7e2a9a7072
More desc fixes, add a vprint to give a hint
2014-02-03 13:18:52 -06:00
Tod Beardsley
d34020115a
Fix up on apache descs and print_* methods
2014-02-03 13:13:57 -06:00
Meatballs
08493f2670
Merge remote-tracking branch 'upstream/master' into upgrade_psh
...
Conflicts:
lib/msf/core/post/file.rb
2014-02-03 18:02:09 +00:00
xistence
50f860757b
Changes made to pandora_fms_exec module as requested
2014-02-03 14:10:27 +07:00
Meatballs
67c18d8d2d
I had a problem, then I used regex.
2014-02-02 22:19:54 +00:00
Meatballs
95eb758642
Initial commit
2014-02-02 19:04:38 +00:00
Meatballs
57f4998568
Better failures and handle unconfigured server
2014-02-02 16:26:22 +00:00
Meatballs
9fa9402eb2
Better check and better follow redirect
2014-02-02 16:07:46 +00:00
Meatballs
0d3a40613e
Add auto 30x redirect to send_request_cgi
2014-02-02 15:03:44 +00:00
Meatballs
8b33ef1874
Not html its form-data...
2014-02-02 13:57:29 +00:00
Meatballs
7ddc6bcfa5
Final tidyup
2014-02-01 01:05:02 +00:00
Meatballs
486a9d5e19
Use msf branded djvu
2014-02-01 00:37:28 +00:00
Meatballs
fd1a507fda
Rename file
2014-02-01 00:27:32 +00:00
Meatballs
700c6545f0
Polished
2014-02-01 00:26:55 +00:00
William Vu
a5bff638c5
Remove EOL spaces
2014-01-31 15:01:03 -06:00
Mekanismen
5a883a4477
updated
2014-01-31 21:59:26 +01:00
Meatballs
7fa1522299
Initial commit
2014-01-31 18:51:18 +00:00
sinn3r
b67ac39a33
Land #2921 - Apache Struts Developer Mode OGNL Execution
2014-01-31 12:06:58 -06:00
sinn3r
60ead5de43
Explain why we flag the vuln as "Appears" instead of vulnerable
2014-01-31 12:05:58 -06:00
jvazquez-r7
2fca2da9f7
Add an vprint message on check
2014-01-31 11:57:20 -06:00
jvazquez-r7
356692f2f5
Land #2923 , @rangercha tomcat deploy module compatible with tomcat8
2014-01-31 10:53:53 -06:00
jvazquez-r7
a010748056
Land #2924 , @xistence's exploit for CVE-2014-1683
2014-01-31 09:20:10 -06:00
jvazquez-r7
710902dc56
Move file location
2014-01-31 09:18:59 -06:00
jvazquez-r7
810605f0b7
Do final cleanup for the skybluecanvas exploit
2014-01-31 09:17:51 -06:00
jvazquez-r7
32c5d77ebd
Land #2918 , @wvu's fix for long argument lists
2014-01-31 08:49:22 -06:00
Mekanismen
f6291eb9a8
updated
2014-01-31 14:33:18 +01:00
xistence
ffd8f7eee0
Changes as requested in SkyBlue Canvas RCE module
2014-01-31 12:52:48 +07:00
jvazquez-r7
93db1c59af
Do small fixes
2014-01-30 17:16:43 -06:00
jvazquez-r7
9daacf8fb1
Clean exploit method
2014-01-30 16:58:17 -06:00
jvazquez-r7
4458dc80a5
Clean the find_csrf mehtod
2014-01-30 16:39:19 -06:00
jvazquez-r7
697a86aad7
Organize a little bit the code
2014-01-30 16:29:45 -06:00
jvazquez-r7
50317d44d3
Do more easy clean
2014-01-30 16:23:17 -06:00
jvazquez-r7
1a9e6dfb2a
Allow check to detect platform and arch
2014-01-30 15:17:20 -06:00
jvazquez-r7
b2273dce2e
Delete Automatic target
...
It isn't usefull at all, when auto targeting is done, the payload (java platform and arch)
has been already selected.
2014-01-30 15:04:08 -06:00
jvazquez-r7
cebbe71dba
Do easy cleanup of exploit
2014-01-30 14:42:02 -06:00
jvazquez-r7
c336133a8e
Do a first clean related to auto_target
2014-01-30 14:27:20 -06:00
jvazquez-r7
57b8b49744
Clean query_manager
2014-01-30 14:20:02 -06:00
jvazquez-r7
148e51a28b
Clean metadata and use TARGETURI
2014-01-30 14:03:52 -06:00
William Vu
56287e308d
Clean up unused variables
2014-01-30 11:20:21 -06:00
Mekanismen
e7ab77c736
added module for Oracle Forms and Reports
2014-01-30 14:45:17 +01:00
xistence
9a929e75e4
Added Pandora FMS RCE
2014-01-29 12:46:23 +07:00
xistence
bac6e2a3e1
added SkyBlueCanvas CMS 1.1 r248-03 RCE
2014-01-28 11:06:25 +07:00
jvazquez-r7
f086655075
Land #2913 , @bcoles Exploit for Simple E-Document
2014-01-27 08:09:45 -06:00
jvazquez-r7
861126fdbd
Clean exploit code
2014-01-27 08:09:18 -06:00
RangerCha
a49473181c
Added new module. Abuses tomcat manager upload page. Tested on tomcat 5.5.36, 6.0.37, 7.0.50, 8.0.0rc10
2014-01-27 09:04:59 -05:00
jvazquez-r7
8fe74629fe
Allow send_request_cgi to take care of the uri encoding
2014-01-26 00:06:41 -06:00
jvazquez-r7
37adf1251c
Delete privileged flag because is configuration dependant
2014-01-25 18:25:31 -06:00
jvazquez-r7
038cb7a981
Add module for CVE-2012-0394
2014-01-25 18:17:01 -06:00
sinn3r
cc4dea7d49
Was playing with ms08_067 check and realized I forgot this print
2014-01-25 16:15:52 -06:00
William Vu
7c5229e2eb
Use opts hash for glassfish_deployer
...
https://dev.metasploit.com/redmine/issues/8498
2014-01-24 20:17:02 -06:00
William Vu
47b9bfaffc
Use opts hash for adobe_pdf_embedded_exe
...
https://dev.metasploit.com/redmine/issues/8498
2014-01-24 20:16:53 -06:00
sinn3r
a7fa4e312b
This module fails to load due to the missing end
2014-01-24 17:56:47 -06:00
jvazquez-r7
9db295769d
Land #2905 , @wchen-r7's update of exploit checks
2014-01-24 16:49:33 -06:00
sinn3r
cdc425e4eb
Update some checks
2014-01-24 12:08:23 -06:00
sgabe
16b8b58a84
Fix the dwSize parameter
2014-01-24 11:38:57 +01:00
sgabe
8f6dcd7545
Add some randomization to the ROP chain
2014-01-24 10:28:59 +01:00
bcoles
32d6032893
Add Simple E-Document Arbitrary File Upload module
2014-01-24 19:19:25 +10:30
sgabe
021aa77f5f
Add module for BID-46926
2014-01-24 01:48:21 +01:00
sinn3r
c403c521b3
Change check code
2014-01-23 11:03:40 -06:00
sinn3r
0a10c1297c
Address nil
2014-01-23 11:00:28 -06:00
sinn3r
333229ea7e
Throw Unknown if connection times out
2014-01-23 10:54:45 -06:00
sinn3r
7f560a4b41
Oops, I broke this module
2014-01-22 11:23:18 -06:00
sinn3r
c83053ba9b
Progress
2014-01-22 11:20:10 -06:00
sinn3r
646f7835a3
Saving progress
2014-01-21 17:14:55 -06:00
sinn3r
85396b7af2
Saving progress
...
Progress group 4: Making sure these checks comply with the new
guidelines. Please read: "How to write a check() method" found in
the wiki.
2014-01-21 14:10:35 -06:00
Tod Beardsley
b3b51eb48c
Pre-release fixup
...
* Updated descriptions to be a little more descriptive.
* Updated store_loot calls to inform the user where the
loot is stored.
* Removed newlines in print_* statments -- these will screw
up Scanner output when dealing with multiple hosts.
Of the fixed newlines, I haven't see any output, so I'm not sure what
the actual message is going to look like -- I expect it's a whole bunch
of newlines in there so it'll be kinda ugly as is (not a blocker for
this but should clean up eventually)
2014-01-21 13:29:08 -06:00
sinn3r
689999c8b8
Saving progress
...
Progress group 3: Making sure these checks comply with the new
guidelines. Please read: "How to write a check() method" found in
the wiki.
2014-01-21 13:03:36 -06:00
sinn3r
fe767f3f64
Saving progress
...
Progress group 2: Making sure these checks comply with the new
guidelines. Please read: "How to write a check() method" found in
the wiki.
2014-01-21 11:07:03 -06:00
sinn3r
7cc3c47349
Land #2891 - HP Data Protector Backup Client Service Directory Traversal
2014-01-20 20:08:01 -06:00
sinn3r
e5dc6a9911
Update exploit checks
...
Progress group 1: Making sure these checks comply with the new
guidelines. Please read: "How to write a check() method" found in
the wiki.
2014-01-20 14:26:10 -06:00
dukeBarman
88c283880a
Fix bugs
2014-01-18 17:04:46 -05:00
dukeBarman
766c408d86
Add CVE-2013-0634: Adobe Flash Player 11.5 memory corruption
2014-01-18 11:07:11 -05:00
jvazquez-r7
e2fa581b8c
Delete empty line
2014-01-17 22:05:14 -06:00
sinn3r
57318ef009
Fix nil bug in jboss_invoke_deploy.rb
...
If there is a connection timeout, the module shouldn't access the
"code" method because that does not exist.
2014-01-17 11:47:18 -06:00
jvazquez-r7
c670259539
Fix protocol handling
2014-01-17 00:49:44 -06:00
jvazquez-r7
eaf1b0caf6
Add minor clean up
2014-01-16 17:55:45 -06:00
jvazquez-r7
f3c912bd32
Add module for ZDI-14-003
2014-01-16 17:49:49 -06:00
jvazquez-r7
ac9e634cbb
Land #2874 , @mandreko's sercomm exploit fixes
2014-01-16 16:35:32 -06:00
jvazquez-r7
272fe5ddfd
Delete debug comments
2014-01-16 16:12:12 -06:00
jvazquez-r7
8213eed49f
Delete Netgear N150 target, ist's a Netgear DGN1000 model
2014-01-16 15:14:31 -06:00