Commit Graph

6833 Commits (b55f425ec0d332796edf9df2f0b133d9c38fcb22)

Author SHA1 Message Date
sinn3r e3dda2e862
Land #3172 - CVE-2014-1510 to firefox_xpi_bootstrapped_addon 2014-04-02 14:07:37 -05:00
joev ebcf972c08 Add initial firefox xpi prompt bypass. 2014-04-01 23:48:35 -05:00
Sagi Shahar 8611526a01 Fix more bugs and more syntax errors 2014-04-01 01:22:12 +02:00
Sagi Shahar becefde52f Fix bugs and syntax 2014-04-01 00:54:51 +02:00
Tod Beardsley ffdca3bf42
Fixup on some modules for release
There may be more coming, but if not, this should cover
this week's minor style changes.
2014-03-31 12:42:19 -05:00
William Vu cf2589ba8d
Land #3162, Microsoft module name changes 2014-03-28 23:10:27 -05:00
sinn3r d7ca537a41 Microsoft module name changes
So after making changes for MSIE modules (see #3161), I decided to
take a look at all MS modules, and then I ended up changing all of
them. Reason is the same: if you list modules in an ordered list
, this is a little bit easier to see for your eyes.
2014-03-28 20:56:53 -05:00
sinn3r 466096f637 Add MSB number to name 2014-03-28 20:33:40 -05:00
sinn3r a173fcf2fa Flash detection for firefox_svg_plugin
Good test case
2014-03-28 15:39:25 -05:00
jvazquez-r7 f7b1874e7d
Land #3151, @wchen-r7's use of BrowserExploitServer in ms13-59's exploit 2014-03-28 14:43:38 -05:00
jvazquez-r7 69369c04b3
Land #3126, @xistence's exploit for SePortal 2014-03-28 13:52:59 -05:00
jvazquez-r7 7b56c9edac Add references 2014-03-28 13:51:56 -05:00
Christian Mehlmauer 94494e38e7
Land #3152 - Use normalize_uri for module wp_property_upload_exec 2014-03-28 13:22:54 +01:00
sinn3r 0b3f49f22a
Land #3145, Clean up firefox_svg_plugin, use FirefoxPrivilegeEscalation mixin 2014-03-27 12:59:49 -05:00
Kurt Grutzmacher 0b766cd412 changes per firefart 2014-03-27 10:08:44 -07:00
Kurt Grutzmacher 744308bd35 tab... 2014-03-27 05:24:55 -07:00
Kurt Grutzmacher a8c96213f0 normalize_uri for wp_property_upload_exec 2014-03-27 05:22:56 -07:00
sinn3r 8ec10f7438 Use BrowserExploitServer for MS13-059 module 2014-03-26 17:49:01 -05:00
Michael Messner 4319885420 we do not need pieces ... 2014-03-26 20:45:30 +01:00
jvazquez-r7 19918e3207
Land #3143, @wchen-r7's switch to BrowserExploitServer on ie_setmousecapture_uaf 2014-03-26 14:16:35 -05:00
Joe Vennix 80808fc98c Cleans up firefox SVG plugin. 2014-03-26 13:12:39 -05:00
sinn3r fdc355147f Use BrowserExploitServer mixin for ie_setmousecapture_uaf.rb 2014-03-25 18:41:47 -05:00
sinn3r 6c206e4ced Add a comment about what this build version range is covering 2014-03-25 11:43:13 -05:00
sinn3r 7108d2b90a Add ua_ver and mshtml_build requirements
This vulnerability is specific to certain builds of IE9.
2014-03-25 11:35:35 -05:00
sinn3r 0c3a535434
Land #3133 - LifeSize UVC Authenticated RCE via Ping 2014-03-24 21:16:10 -05:00
sinn3r 53b25c8c93 Fix header & author e-mail format 2014-03-24 21:15:27 -05:00
Brandon Perry d2a9a26bc8 real fix for sinn3r bug 2014-03-24 18:40:48 -05:00
Brandon Perry ec35f4b13f some bugs for sinn3r 2014-03-24 18:17:50 -05:00
Tod Beardsley cfdd64d5b1
Title, description grammar and spelling 2014-03-24 12:16:59 -05:00
jvazquez-r7 c7ba7e4d92
Land #3131, @xistence's exploit for CVE-2014-1903 2014-03-24 08:48:06 -05:00
jvazquez-r7 c3b753f92e Make PHPFUNC advanced option 2014-03-24 08:47:31 -05:00
jvazquez-r7 4f333d84c9 Clean up code 2014-03-24 08:15:54 -05:00
Tim 25ca0552e0 cleanup files after exploit 2014-03-23 17:00:29 +00:00
Tim f9972239cf randomize payload filename 2014-03-23 16:36:26 +00:00
Brandon Perry d6f397ab6d whoops that isn't how you EDB 2014-03-22 11:48:41 -05:00
Brandon Perry 291692d6e0 Update lifesize_uvc_ping_rce.rb 2014-03-22 11:30:00 -05:00
Brandon Perry 67a3a7227b Create lifesize_uvc_ping_rce.rb 2014-03-21 21:33:12 -05:00
xistence c4f0d8e179 FreePBX config.php RCE CVE-2014-1903 2014-03-21 10:29:15 +07:00
sinn3r b02337d8b6
Land #3123 - Horde Framework Unserialize PHP Code Execution 2014-03-20 12:32:14 -05:00
jvazquez-r7 a5afd929b4 Land #3120, @wchen-r7's exploit for CVE-2014-0307 2014-03-20 11:16:40 -05:00
jvazquez-r7 8cb7bc3cbe Fix typo 2014-03-20 11:13:57 -05:00
xistence 2845f834c6 changed cookie retrieval to res.get_cookies 2014-03-20 16:39:26 +07:00
xistence 7bfb8e95e6 minor changes to seportal module 2014-03-20 13:44:39 +07:00
xistence 5ef49ff64b SePortal 2.5 SQLi Remote Code Execution 2014-03-20 12:02:06 +07:00
sinn3r c5158a3ccc Update CVE 2014-03-19 22:13:23 -05:00
Tod Beardsley c1cbeff5f0
Land #3122, lots of Meterpreter updates
This lands the binaries built from Meterpreter as of:

rapid7/meterpreter#80 , also known as

commit 5addac75741fadfff35f4f7839cee6fd69705455

as well as the functional changes in:

rapid7/metasploit-framework#2782
rapid7/metasploit-framework#2889
rapid7/metasploit-framework#3061
rapid7/metasploit-framework#3085
2014-03-19 15:35:49 -05:00
jvazquez-r7 d6faf20981 Make title more accurate 2014-03-19 12:43:34 -05:00
jvazquez-r7 144b86fee3 Add reference 2014-03-19 12:17:53 -05:00
jvazquez-r7 27d142b387 Solve conflict by keeping file 2014-03-19 12:15:05 -05:00
jvazquez-r7 fb645b6692 Clean code 2014-03-19 12:06:20 -05:00
jvazquez-r7 0a795ab602
Land #3106, @xistence's exploit for Array Networks devices 2014-03-19 10:49:03 -05:00
jvazquez-r7 0e27d75e60 Code clean up 2014-03-19 10:48:25 -05:00
Tod Beardsley d27264b402
Land #2782, fix expand_path abuse 2014-03-19 08:41:28 -05:00
xistence 056ce5d097 removed file which did not belong in this pull request 2014-03-19 15:04:19 +07:00
sinn3r 2e76faa076 Add MS14-012 Internet Explorer Use-After-Free Exploit Module
Add MS14-012 IE UAF.
2014-03-18 17:55:56 -05:00
jvazquez-r7 379c0efd5a Update POP chain documentation 2014-03-18 16:29:30 -05:00
jvazquez-r7 77c128fbc5 Fix disclosure date and add ref 2014-03-18 16:21:44 -05:00
jvazquez-r7 b6e8bb62bb Switch exploitation technique to use default available classes 2014-03-18 16:07:50 -05:00
William Vu dfd3a81566
Land #3111, hash rockets shouldn't be in refs 2014-03-18 14:25:04 -05:00
jvazquez-r7 38176ad67d
Land #3109, @xistence's Loadbalancer.org Enterprise VA applicance exploit 2014-03-18 06:53:26 -05:00
jvazquez-r7 ddd923793a Do minor clean up 2014-03-18 06:52:50 -05:00
jvazquez-r7 ad49df4301 Register RHOST 2014-03-18 06:17:41 -05:00
jvazquez-r7 600338bd29
Land #3108, @xistence's exploit for Quantum vmPRO shell-escape 2014-03-18 06:12:18 -05:00
jvazquez-r7 f656e5fedb Do minor clean up 2014-03-18 06:11:02 -05:00
jvazquez-r7 f86fd8af5d Delete debug print 2014-03-17 21:01:41 -05:00
jvazquez-r7 3bdd906aae Add module for CVE-2014-1691 2014-03-17 20:47:45 -05:00
Tod Beardsley 8f2124f5da
Minor updates for release
Fixes some title/desc action.
Adds a print_status on the firefox module so it's not just silent.
Avoids the use of "puts" in the description b/c this freaks out msftidy
(it's a false positive but easily worked around).
2014-03-17 13:26:26 -05:00
Tod Beardsley c916b62f47
Removes hash rockets from references.
[SeeRM #8776]
2014-03-17 09:40:32 -05:00
xistence 9bb4e5cfc3 Loadbalancer.org Enterprise VA SSH privkey exposure 2014-03-17 14:22:51 +07:00
xistence c116697c70 Quantum vmPRO backdoor command 2014-03-17 14:19:27 +07:00
xistence ef4a019b20 Quantum DXi V1000 SSH private key exposure 2014-03-17 14:15:00 +07:00
xistence e261975c34 Array Networks vxAG and vAPV SSH key and privesc 2014-03-17 14:11:16 +07:00
xistence 1043d9d8b2 Array Networks vxAG and vAPV SSH key and privesc 2014-03-17 14:06:55 +07:00
David Maloney da0c37cee2
Land #2684, Meatballs PSExec refactor 2014-03-14 13:01:20 -05:00
OJ 409787346e
Bring build tools up to date, change some project settings
This commit brings the source into line with the general format/settings
that are used in other exploits.
2014-03-14 22:57:16 +10:00
sinn3r 243fa4f56a
Land #2910 - MPlayer Lite M3U Buffer Overflow 2014-03-13 14:13:17 -05:00
sinn3r e832be9eeb Update description and change ranking
The exploit requires the targeted user to open the malicious in
specific ways.
2014-03-13 14:09:37 -05:00
sinn3r 6e37493471
Land #3091 - native shellcode payloads from a FF privileged js shell 2014-03-13 13:36:37 -05:00
Joe Vennix 952b50f8c1
Add priv escalation mixin to the firefox local exploit. 2014-03-13 11:49:44 -05:00
kyuzo 41720428e4 Refactoring exploit and adding build files for dll. 2014-03-12 10:25:52 +00:00
Joe Vennix facd743f1f Oops. Add missing dir to dalvikstager path. 2014-03-11 19:48:39 -05:00
William Vu 517f264000 Add last chunk of fixes 2014-03-11 12:46:44 -05:00
William Vu 25ebb05093 Add next chunk of fixes
Going roughly a third at a time.
2014-03-11 12:23:59 -05:00
William Vu 170608e97b Fix first chunk of msftidy "bad char" errors
There needs to be a better way to go about preventing/fixing these.
2014-03-11 11:18:54 -05:00
Joe Vennix 5c2168513a Update path in #dalvikstager. 2014-03-11 11:03:36 -05:00
OJ 3ea3968d88
Merge branch 'upstream/master' into stop_abusing_expand_path
Conflicts:
	lib/msf/core/post/windows/shadowcopy.rb
	modules/exploits/windows/local/bypassuac.rb
	modules/post/windows/gather/wmic_command.rb
	modules/post/windows/manage/persistence.rb
2014-03-11 23:13:39 +10:00
Tim c76924e946 native jni stager 2014-03-10 21:50:00 -05:00
Tod Beardsley 2086224a4c
Minor fixes. Includes a test module. 2014-03-10 14:49:45 -05:00
Tod Beardsley 26be236896
Pass MSFTidy please 2014-03-10 14:45:56 -05:00
jvazquez-r7 bc8590dbb9 Change DoS module location 2014-03-10 16:12:20 +01:00
jvazquez-r7 1061036cb9 Use nick instead of name 2014-03-10 16:11:58 +01:00
Tod Beardsley 5485028501
Add 3 Yokogawa SCADA vulns
These represent our part for public disclosure of the issues listed
here:

http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf

Yokogawa is calling these YSAR-14-0001E, and I think that they map
thusly:

YSAR-14-0001E Vulnerability 1 :: R7-2013-19.1
YSAR-14-0001E Vulnerability 2 :: R7-2013-19.3
YSAR-14-0001E Vulnerability 3 :: R7-2013-19.4

@jvazquez-r7 if you could confirm, I'd be delighted to land these and
get your disclosure blog post published at:

https://community.rapid7.com/community/metasploit/blog/2014/03/10/yokogawa-centum-cs3000-vulnerabilities

Thanks for all the work on these!
2014-03-10 09:33:54 -05:00
sinn3r c76a1ab9f4
Land #3065 - Safari User-Assisted Download & Run Attack 2014-03-07 10:29:56 -06:00
Joe Vennix 9638bc7061 Allow a custom .app bundle.
* adds a method to Rex::Zip::Archive to allow recursive packing
2014-03-06 16:11:30 -06:00
Joe Vennix 5abb442757 Adds more descriptive explanation of 10.8+ settings. 2014-03-06 15:15:27 -06:00
kyuzo 257c121c75 Adding MS013-058 for Windows7 x86 2014-03-06 20:34:01 +00:00
Joe Vennix 43d315abd5 Hardcode the platform in the safari exploit. 2014-03-06 13:04:47 -06:00
kyuzo 2a1e96165c Adding MS013-058 for Windows7 x86 2014-03-06 18:39:34 +00:00
Brendan Coles df2bdad4f9 Include 'msf/core/exploit/powershell'
Prevent:

```
[-] 	/pentest/exploit/metasploit-framework/modules/exploits/windows/misc/hp_dataprotector_exec_bar.rb: NameError uninitialized constant Msf::Exploit::Powershell
```
2014-03-06 12:57:43 +11:00
Joe Vennix 38a2e6e436 Minor fixes. 2014-03-05 19:03:54 -06:00
Joe Vennix dca807abe9 Tweaks for BES. 2014-03-05 19:00:15 -06:00
Joe Vennix 12cf5a5138 Add BES, change extra_plist -> plist_extra. 2014-03-05 18:51:42 -06:00
sinn3r 9d0743ae85
Land #3030 - SolidWorks Workgroup PDM 2014 pdmwService.exe Arbitrary File Write 2014-03-05 16:34:54 -06:00
bcoles 1ea35887db Add OSVDB reference 2014-03-06 01:40:15 +10:30
jvazquez-r7 4e9350a82b Add module for ZDI-14-008 2014-03-05 03:25:13 -06:00
Joe Vennix cd3c2f9979 Move osx-app format to EXE. 2014-03-04 22:54:00 -06:00
OJ a1aef92652
Land #2431 - In-memory bypass uac 2014-03-05 11:15:54 +10:00
Joe Vennix 32c27f6be0 Tweak timeouts. 2014-03-04 17:16:23 -06:00
Joe Vennix 40047f01d3 Adds Safari User Assisted download launch module. 2014-03-04 17:02:51 -06:00
William Vu e30238fe0d
Land #3062, unused arg fix for vmware_mount 2014-03-04 11:37:41 -06:00
James Lee 68205fa43c
Actually use the argument 2014-03-04 11:30:42 -06:00
sinn3r f8310b86d1
Land #3059 - ALLPlayer M3U Buffer Overfloww 2014-03-04 11:29:52 -06:00
David Maloney db76962b4a
Land #2764, WMIC Post Mixin changes
lands Meatballs WMIC changes
2014-03-04 10:21:46 -06:00
sgabe 408fedef93 Add module for OSVDB-98283 2014-03-04 00:51:01 +01:00
Meatballs 32d83887d3
Merge remote-tracking branch 'upstream/master' into wmic_post 2014-03-03 21:56:31 +00:00
Tod Beardsley de6be50d64
Minor cleanup and finger-wagging about a for loop 2014-03-03 14:12:22 -06:00
Sagi Shahar a005d69b16 Fix $PATH issues. Add FileDropper functionality 2014-03-02 20:43:17 +02:00
Sagi Shahar e6c1dd3f9e Switch post module to fixed exploit module. 2014-03-02 17:42:48 +02:00
bcoles f008c77f26 Write payload to startup for Vista+ 2014-03-02 18:10:10 +10:30
Sagi Shahar 17272acb27 Fix module code per recommendations 2014-03-01 00:53:24 +02:00
Meatballs 63751c1d1a
Small msftidies 2014-02-28 22:18:59 +00:00
Michael Messner 15345da9d8 remove the wget module, remove the cmd stuff, testing bind stuff ahead 2014-02-28 22:44:26 +01:00
sinn3r ac446d3b3f
Land #3043 - randomization for Rex::Zip::Jar and java_signed_applet 2014-02-28 14:10:55 -06:00
OJ 7117d50fa4
Land #3028 - bypassuac revamp 2014-02-28 09:12:02 +10:00
Sagi Shahar fd4457fce8 Add AIX 6.1/7.1 ibstat $PATH Local Privilege Escalation 2014-02-27 23:56:49 +02:00
sinn3r f531d61255
Land #3036 - Total Video Player buffer overflow 2014-02-27 14:28:53 -06:00
sinn3r 7625dc4880 Fix syntax error due to the missing , 2014-02-27 14:25:52 -06:00
sinn3r 49ded452a9 Add OSVDB reference 2014-02-27 14:22:56 -06:00
sinn3r e72250f08f Rename Total Video Player module
The filename shouldn't include the version, because the exploit should
be able to target multiple versions if it has to.
2014-02-27 14:20:26 -06:00
David Maloney b952b103bd
cleanup tior and .tmp files
bypassuac module now also cleans
the tior.exe and all the .tmp files so we have a
clean environemnt afterwards
2014-02-27 13:18:34 -06:00
David Maloney f66709b5bb
make bypassuac module clean itself up
since the IO redirection hangs our original process
we have the moudle wait for the session then kills
the spawning process and delete the exe we dropped
2014-02-27 12:54:40 -06:00
jvazquez-r7 6c490af75e Add randomization to Rex::Zip::Jar and java_signed_applet 2014-02-27 12:38:52 -06:00
David Maloney a8e0c3c255
remove copypasta mistake 2014-02-27 10:05:53 -06:00
Fr330wn4g3 63f74bddae 2° update total_video_player_131_ini_bof 2014-02-27 16:41:35 +01:00
David Maloney 96b611104e cleanup methods in bypassuac module
apply the same sort of method cleanup as in
Meatballs injection based module.
2014-02-26 11:00:55 -06:00
Fr330wn4g3 b81642d8ad Update total_video_player_131_ini_bof 2014-02-26 11:37:04 +01:00
Fr330wn4g3 a7cacec0c3 Add module for EDB 29799 2014-02-25 23:07:28 +01:00
jvazquez-r7 96ffb1db47 Delete extra comma 2014-02-25 15:29:46 -06:00
jvazquez-r7 cb18639b66 Add small fixes and clean up 2014-02-25 15:25:01 -06:00
jvazquez-r7 1d4b2ea60d Add module for ZDI-14-015 2014-02-25 15:07:09 -06:00
jvazquez-r7 a45c8c2b4a
Land #3029, @xistence Symantec endpoint exploit 2014-02-25 07:59:35 -06:00
jvazquez-r7 bfe0fdb776 Move module 2014-02-25 07:58:00 -06:00
xistence ab167baf56 Added randomness instead of payload and xxe keywords 2014-02-25 15:23:10 +07:00
jvazquez-r7 4908d80d6c Clean up module 2014-02-24 16:00:54 -06:00
Michael Messner 2935f4f562 CMD target 2014-02-24 18:12:23 +01:00
jvazquez-r7 c981bbeab9
Land #3011, @wchen-r7's fix for Dexter exploit 2014-02-24 10:53:10 -06:00
jvazquez-r7 c9f0885c54 Apply @jlee-r7's feedback 2014-02-24 10:49:13 -06:00
bcoles a29c6cd2b4 Add SolidWorks Workgroup PDM 2014 pdmwService.exe Arbitrary File Write 2014-02-25 02:57:25 +10:30
xistence 5485759353 Added Symantec Endpoint Protection Manager RCE 2014-02-24 15:04:37 +07:00
xistence 8e3f70851d Added Symantec Endpoint Protection Manager RCE 2014-02-24 15:01:13 +07:00
Michael Messner 0126e3fcc8 cleanup 2014-02-23 21:17:32 +01:00
Michael Messner dbbd080fc1 a first try of the cmd stager, wget in a seperated module included 2014-02-23 20:59:17 +01:00
OJ fdd0d91817 Updated the Ultra Minit HTTP bof exploit
After exploiting this application manually I decided to make this
an MSF exploit, only to find that other people had beaten me to it.
However, the existing exploit was broken in a few ways, and this
commit makes those problems go away. They include:

* Correct use of alpha chars in the buffer leading up to the payload
  which results in bad chars being avoided. Bad chars muck with the
  offsets because they get expanded.
* Adjustment of the payload so that it runs in another thread instead
  of in the thread of the request handler. This prevents the session
  from being killed after the hard-coded 60-second timeout that is
  baked into the application.
* The handler thread terminates itself so that the process doesn't
  crash.
* Extra targets were added based on the machines I had access to.
2014-02-23 21:23:41 +10:00
Meatballs 2f7f344be3
Copy original sleep 2014-02-23 04:53:48 +00:00
Meatballs 6127ff92ce
Fix race condition
Wait for Sysprep to ExitProcess before cleaning up the DLLs...
2014-03-03 23:41:25 +00:00
Meatballs d396be963a
Use new cmd_exec_get_pid 2014-02-28 20:53:13 +00:00
Meatballs 2a6258be15
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
Conflicts:
	external/source/exploits/make.bat
2014-02-28 20:26:24 +00:00
Meatballs e0fa1d532c
Dont think this works on vista/8 2014-02-26 23:14:17 +00:00
Meatballs 5a7730b495
Merge remote-tracking branch 'upstream/master' into bypassuac_redo 2014-02-25 23:15:47 +00:00
Meatballs 8bdb22aeb9
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
Conflicts:
	lib/msf/core/post/windows.rb
2014-02-25 22:15:05 +00:00
Meatballs 1f08ad48a4 Fix payload_path method 2014-02-25 22:11:23 +00:00
Meatballs 6687ef80ee
Further bypassuac tidies
Dont rescue Exception
Use ReflectiveDLLInjection post mixin
Dont keep retrieving %TEMP% path
2014-02-25 22:03:01 +00:00
David Maloney 23381ea2cb
code tidying
break big exploit method up into
smaller methods for better maintainability
2014-02-25 14:07:48 -06:00
jakxx c8940c37f5 Updating References 2014-02-21 09:23:08 -05:00
jakxx ef51de3826 Updating References 2014-02-21 09:21:08 -05:00
jakxx b5bc3dd4fc Added py_web_delivery 2014-02-20 21:53:00 -05:00
jakxx 1834784b93 Added php_web_delivery 2014-02-20 13:41:26 -05:00
jakxx 45d554e6d9 Delete powershell_psexec.rb 2014-02-20 12:01:04 -05:00
jakxx 0a63b40572 Merge remote-tracking branch 'upstream/master' 2014-02-20 11:48:41 -05:00
jvazquez-r7 998fa06912
Land #2998, @bit4bit's fix for the vtigercrm exploit 2014-02-20 08:36:05 -06:00
jvazquez-r7 0b27cd13e8 Make module work 2014-02-20 08:35:37 -06:00
sinn3r ed2ac95396 Always replace \ with / for Dexter exploit
Fix for the following:
48199fec27 (commitcomment-5419010)
2014-02-19 09:24:07 -06:00
Joe Vennix 50fb9b247e Restructure some of the exploit methods. 2014-02-19 02:31:22 -06:00
jvazquez-r7 4ca4d82d89
Land #2939, @Meatballs1 exploit for Wikimedia RCE and a lot more... 2014-02-18 17:48:02 -06:00
Tod Beardsley 721e153c7f
Land #3005 to the fixup-release branch
Prefer the intel on #3005 over my own made up 0day guess. Thanks @wvu!

Conflicts:
	modules/exploits/windows/fileformat/audiotran_pls_1424.rb
2014-02-18 14:08:54 -06:00
Tod Beardsley a863d0a526
Pre-release fixes, including msftidy errors. 2014-02-18 14:02:37 -06:00
Michael Messner 3a8de6e124 replaced rhost by peer 2014-02-18 21:01:50 +01:00
William Vu 28dc742bcf Fix references and disclosure date 2014-02-18 13:59:58 -06:00
William Vu c216357815
Land #3000, audiotran_pls_1424 SEH exploit 2014-02-18 13:27:14 -06:00
Michael Messner 66e2148197 linksys themoon command execution exploit 2014-02-18 19:43:47 +01:00
Michael Messner 4dda7e6bad linksys themoon command execution exploit 2014-02-18 19:42:50 +01:00
Joe Vennix 57449ac719 Adds working shellcode exec local exploit. 2014-02-17 15:31:45 -06:00
Philip OKeefe 98958bc7bc Making audiotran_pls_1424 more readable and adding comments 2014-02-17 13:40:03 -05:00
sinn3r 52ac85be11
Land #2931 - Oracle Forms and Reports RCE 2014-02-17 08:54:23 -06:00
sinn3r 110ffbf342 Indent looks off for this line 2014-02-17 08:53:29 -06:00
sinn3r 632ea05688 100 columns 2014-02-17 08:52:56 -06:00
sinn3r 8da7ba131b In case people actually don't know what RCE means 2014-02-17 08:51:48 -06:00
sinn3r 73459baefd Add OSVDB references 2014-02-17 08:50:34 -06:00
Mekanismen fb7b938f8e check func fixed 2014-02-17 15:11:56 +01:00
Philip OKeefe c60ea58257 added audiotran_pls_1424 fileformat for Windows 2014-02-16 16:20:50 -05:00
Mekanismen e27d98368e fixed local server issues 2014-02-16 18:26:08 +01:00
Mekanismen e40b9e5f37 updated and improved 2014-02-16 16:24:39 +01:00
Jovany Leandro G.C 74344d6c7e vtigerolservice.php to vtigerservice.php
using direct soap/vtigerolservice.php not work..php need require('config.php');
2014-02-15 20:36:36 -05:00
Mekanismen b7d69c168c bugfix and user supplied local path support 2014-02-15 16:24:59 +01:00
sinn3r 9daffbd484
Land #2973 - Dexter panel (CasinoLoader) SQLi to file upload code exec 2014-02-14 17:16:27 -06:00
sinn3r 48199fec27 Change URL identifier, and make the user choose a target 2014-02-14 17:15:00 -06:00
Tod Beardsley 745f313413
Remove @nmonkee as author per twitter convo 2014-02-13 14:41:10 -06:00
Tod Beardsley 371f23b265
Unbreak the URL refs add nmonkee as ref and author
While @nmonkee didn't actually contribute to #2942, he did publish a
python exploit that leverages WebView, so given our policy of being
loose with author credit, I added him.

Also added a ref to @nmonkee's thing.

@jduck @jvennix-r7 if you have a problem with this, please do say so, I
don't think adding @nmonkee in any way diminishes your work, and I don't
want to appear like we're secretly ripping off people's work. I know you
aren't on this or any other module, and I know @nmonkee doesn't think
that either.
2014-02-13 14:19:59 -06:00
jvazquez-r7 ff267a64b1 Have into account the Content-Transfer-Encoding header 2014-02-12 12:40:11 -06:00
sinn3r 45d4b1e1fd
Land #2958 - Add options: Applicaiton-Name, Permissions for jar.rb 2014-02-12 11:14:25 -06:00
jvazquez-r7 a59ce95901
Land #2970, @sgabe exploit for CVE-2010-2343 2014-02-12 08:10:53 -06:00
jvazquez-r7 9845970e12 Use pop#ret to jump over the overwritten seh 2014-02-12 08:10:14 -06:00
sgabe 11513d94f5 Add Juan as author 2014-02-12 12:17:02 +01:00
sgabe 3283880d65 Partially revert "Replace unnecessary NOP sled with random text" to improve reliability.
This partially reverts commit 12471660e9.
2014-02-12 12:09:16 +01:00
sgabe 7195416a04 Increase the size of the NOP sled 2014-02-12 02:35:53 +01:00
sgabe 3f09456ce8 Minor code formatting 2014-02-11 23:53:04 +01:00
sgabe 7fc3511ba9 Remove unnecessary NOPs 2014-02-11 23:48:54 +01:00
sgabe 12471660e9 Replace unnecessary NOP sled with random text 2014-02-11 23:48:04 +01:00
sgabe 184ccb9e1e Fix payload size 2014-02-11 23:42:58 +01:00
bwall 783e62ea85 Applied changes from @wchen-r7's comments 2014-02-11 10:14:52 -08:00
jvazquez-r7 3717374896 Fix and improve reliability 2014-02-11 10:44:58 -06:00
jvazquez-r7 51df2d8b51 Use the fixed API on the mediawiki exploit 2014-02-11 08:28:58 -06:00
jvazquez-r7 79d559a0c9 Fix MIME message to_s 2014-02-10 22:23:23 -06:00
sgabe e8a3984c85 Fix ROP NOP address and reduce/remove NOPs 2014-02-11 00:29:37 +01:00
William Vu e6905837eb
Land #2960, rand_text_alpha for amaya_bdo 2014-02-10 16:44:11 -06:00
bwall 13fadffe7e Dexter panel (CasinoLoader) SQLi to PHP code exec - Initial 2014-02-10 13:44:30 -08:00
Meatballs a87f604c98
Merge remote-tracking branch 'upstream/master' into mediawiki 2014-02-10 21:43:56 +00:00
Tod Beardsley 1236a4eb07
Fixup on description and some option descrips 2014-02-10 14:41:59 -06:00
jvazquez-r7 3d4d5a84b6
Land #2957, @zeroSteiner's exploit for CVE-2013-3881 2014-02-10 13:59:45 -06:00
jvazquez-r7 502dbb1370 Add references 2014-02-10 13:55:02 -06:00
sgabe 08b6f74fb4 Add module for CVE-2010-2343 2014-02-10 20:46:09 +01:00
jvazquez-r7 abb03d0bbe Fixing messages 2014-02-10 13:10:42 -06:00
jvazquez-r7 541bb6134e Change exploit filename 2014-02-10 13:06:23 -06:00
jvazquez-r7 2e130ce843 Make it work with Reader Sandbox 2014-02-10 13:04:13 -06:00
Tod Beardsley 7c43565ea8
Include missing require for powershell 2014-02-10 11:02:53 -06:00
jvazquez-r7 8ece4a7750 Delete debug print 2014-02-10 08:57:45 -06:00
jvazquez-r7 57320a59f1 Do small clean up for mediawiki_thumb pr 2014-02-10 08:57:09 -06:00
Spencer McIntyre 0ac1acda70 Upgrade toolchain to Visual Studio 2013 v120. 2014-02-10 09:35:07 -05:00
sinn3r c96116b193
Land #2949 - Add module Kloxo SQLi 2014-02-08 13:45:11 -06:00
David Maciejak 32c02dd56a Added some randomness 2014-02-08 11:27:25 +08:00
Meatballs dcff06eba1
More verbose failure messages 2014-02-07 23:59:28 +00:00
sinn3r 66cb97305c
Land #2953 - KingScada kxClientDownload.ocx ActiveX Remote Code Exec 2014-02-07 17:41:35 -06:00
sinn3r bd23fcf4b7
Land #2936 - Windows Command Shell Upgrade (Powershell) 2014-02-07 17:39:06 -06:00
Meatballs 783a986a19
Windows and auto target up and running 2014-02-07 23:26:57 +00:00
Meatballs a0f47f6b2b
Correct error check logic 2014-02-07 22:06:53 +00:00
Meatballs 443a51bbf5
Undo revert from merge 2014-02-07 21:28:04 +00:00
Meatballs 56359aa99f
Merge changes from other dev machine 2014-02-07 21:22:44 +00:00
Meatballs a4cc75bf98
Potential .pdf support 2014-02-07 20:37:44 +00:00
Meatballs e13520d7fb
Handle a blank filename 2014-02-07 20:15:32 +00:00
Meatballs 103780c3da
Merge remote-tracking branch 'upstream/master' into mediawiki 2014-02-07 20:07:04 +00:00
jvazquez-r7 c679b1001b Make pring_warning verbose 2014-02-07 10:23:07 -06:00
grimmlin 2d93b38e2a Fixed java_signed_applet for Java 7u51 2014-02-07 16:29:50 +01:00
Spencer McIntyre f686385349 Remove an unnecessary VS file and modify version check. 2014-02-07 08:45:51 -05:00
jvazquez-r7 a18de35fa7 Add module for ZDI-14-011 2014-02-06 18:25:36 -06:00
Spencer McIntyre cc32c877a9 Add CVE-2013-3881 win32k Null Page exploit 2014-02-06 17:23:38 -05:00
James Lee 4b37cc7243
Land #2927, PandoraFMS anyterm exploit 2014-02-06 15:22:23 -06:00
James Lee 4236abe282
Better SIGHUP handling 2014-02-06 15:21:54 -06:00
William Vu 19fff3c33e
Land #2942, @jvennix-r7's Android awesomesauce
Also, thanks to @jduck for testing!
2014-02-06 11:53:11 -06:00
Joe Vennix 362e937c8d Forgot to push local changes. 2014-02-06 11:47:35 -06:00
Joe Vennix 0dc2ec5c4d Use BrowserExploitServer mixin.
This prevents drive-by users on other browsers from ever receiving
the exploit contents.
2014-02-06 11:32:42 -06:00
jvazquez-r7 fdb954fdfb Report credentials 2014-02-05 14:37:33 -06:00
jvazquez-r7 631559a2e8 Add module for Kloco SQLi 2014-02-05 14:18:56 -06:00
Joe Vennix 553616b6cc Add URL for browser exploit. 2014-02-04 17:04:06 -06:00
sinn3r 89e1bcc0ca Deprecate modules with date 2013-something
These modules had an expiration date of 2013.
2014-02-04 14:49:18 -06:00
Joe Vennix 23fc73924e Msftidy it up. 2014-02-04 14:24:36 -06:00
William Vu a58698c177
Land #2922, multithreaded check command 2014-02-04 11:21:05 -06:00
Meatballs 0a3cb3377f
AppendEncoder 2014-02-04 15:41:10 +00:00
Meatballs 26c506da42
Naming of follow method 2014-02-04 15:25:51 +00:00
Meatballs f5fa3fb5ce
Windows compat, fixed PHP-CLI 2014-02-04 14:27:10 +00:00
Meatballs 64d11e58c2
Use semicolon for win compat 2014-02-04 13:53:33 +00:00
Joe Vennix 700e09f386 Wording tweak. 2014-02-04 02:55:10 -06:00
Joe Vennix bbabd72b0e Whitespace tweaks. 2014-02-04 02:52:52 -06:00
Joe Vennix eb6a5a4c19 Tweak checks. 2014-02-04 02:49:44 -06:00
Joe Vennix 4923a93974 Tweak description. 2014-02-04 02:47:49 -06:00
Joe Vennix 37479884a5 Add browserautopwn support. 2014-02-04 02:32:12 -06:00
Joe Vennix eba3a5aab0 More accurate description. 2014-02-04 01:44:39 -06:00
Joe Vennix 177bd35552 Add webview HTTP exploit. 2014-02-04 01:37:09 -06:00
Meatballs 2fd8257c7e
Use bperry's trigger 2014-02-04 00:51:34 +00:00
Meatballs a8ff6eb429
Refactor send_request_cgi_follow_redirect 2014-02-03 21:49:49 +00:00
Meatballs 83925da2f1
Refactor form_data code 2014-02-03 21:16:58 +00:00
Tod Beardsley 7e2a9a7072
More desc fixes, add a vprint to give a hint 2014-02-03 13:18:52 -06:00
Tod Beardsley d34020115a
Fix up on apache descs and print_* methods 2014-02-03 13:13:57 -06:00
Meatballs 08493f2670
Merge remote-tracking branch 'upstream/master' into upgrade_psh
Conflicts:
	lib/msf/core/post/file.rb
2014-02-03 18:02:09 +00:00
xistence 50f860757b Changes made to pandora_fms_exec module as requested 2014-02-03 14:10:27 +07:00
Meatballs 67c18d8d2d
I had a problem, then I used regex. 2014-02-02 22:19:54 +00:00
Meatballs 95eb758642
Initial commit 2014-02-02 19:04:38 +00:00
Meatballs 57f4998568
Better failures and handle unconfigured server 2014-02-02 16:26:22 +00:00
Meatballs 9fa9402eb2
Better check and better follow redirect 2014-02-02 16:07:46 +00:00
Meatballs 0d3a40613e
Add auto 30x redirect to send_request_cgi 2014-02-02 15:03:44 +00:00
Meatballs 8b33ef1874
Not html its form-data... 2014-02-02 13:57:29 +00:00
Meatballs 7ddc6bcfa5
Final tidyup 2014-02-01 01:05:02 +00:00
Meatballs 486a9d5e19
Use msf branded djvu 2014-02-01 00:37:28 +00:00
Meatballs fd1a507fda
Rename file 2014-02-01 00:27:32 +00:00
Meatballs 700c6545f0
Polished 2014-02-01 00:26:55 +00:00
William Vu a5bff638c5 Remove EOL spaces 2014-01-31 15:01:03 -06:00
Mekanismen 5a883a4477 updated 2014-01-31 21:59:26 +01:00
Meatballs 7fa1522299
Initial commit 2014-01-31 18:51:18 +00:00
sinn3r b67ac39a33
Land #2921 - Apache Struts Developer Mode OGNL Execution 2014-01-31 12:06:58 -06:00
sinn3r 60ead5de43 Explain why we flag the vuln as "Appears" instead of vulnerable 2014-01-31 12:05:58 -06:00
jvazquez-r7 2fca2da9f7 Add an vprint message on check 2014-01-31 11:57:20 -06:00
jvazquez-r7 356692f2f5
Land #2923, @rangercha tomcat deploy module compatible with tomcat8 2014-01-31 10:53:53 -06:00
jvazquez-r7 a010748056
Land #2924, @xistence's exploit for CVE-2014-1683 2014-01-31 09:20:10 -06:00
jvazquez-r7 710902dc56 Move file location 2014-01-31 09:18:59 -06:00
jvazquez-r7 810605f0b7 Do final cleanup for the skybluecanvas exploit 2014-01-31 09:17:51 -06:00
jvazquez-r7 32c5d77ebd
Land #2918, @wvu's fix for long argument lists 2014-01-31 08:49:22 -06:00
Mekanismen f6291eb9a8 updated 2014-01-31 14:33:18 +01:00
xistence ffd8f7eee0 Changes as requested in SkyBlue Canvas RCE module 2014-01-31 12:52:48 +07:00
jvazquez-r7 93db1c59af Do small fixes 2014-01-30 17:16:43 -06:00
jvazquez-r7 9daacf8fb1 Clean exploit method 2014-01-30 16:58:17 -06:00
jvazquez-r7 4458dc80a5 Clean the find_csrf mehtod 2014-01-30 16:39:19 -06:00
jvazquez-r7 697a86aad7 Organize a little bit the code 2014-01-30 16:29:45 -06:00
jvazquez-r7 50317d44d3 Do more easy clean 2014-01-30 16:23:17 -06:00
jvazquez-r7 1a9e6dfb2a Allow check to detect platform and arch 2014-01-30 15:17:20 -06:00
jvazquez-r7 b2273dce2e Delete Automatic target
It isn't usefull at all, when auto targeting is done, the payload (java platform and arch)
has been already selected.
2014-01-30 15:04:08 -06:00
jvazquez-r7 cebbe71dba Do easy cleanup of exploit 2014-01-30 14:42:02 -06:00
jvazquez-r7 c336133a8e Do a first clean related to auto_target 2014-01-30 14:27:20 -06:00
jvazquez-r7 57b8b49744 Clean query_manager 2014-01-30 14:20:02 -06:00
jvazquez-r7 148e51a28b Clean metadata and use TARGETURI 2014-01-30 14:03:52 -06:00
William Vu 56287e308d Clean up unused variables 2014-01-30 11:20:21 -06:00
Mekanismen e7ab77c736 added module for Oracle Forms and Reports 2014-01-30 14:45:17 +01:00
xistence 9a929e75e4 Added Pandora FMS RCE 2014-01-29 12:46:23 +07:00
xistence bac6e2a3e1 added SkyBlueCanvas CMS 1.1 r248-03 RCE 2014-01-28 11:06:25 +07:00
jvazquez-r7 f086655075
Land #2913, @bcoles Exploit for Simple E-Document 2014-01-27 08:09:45 -06:00
jvazquez-r7 861126fdbd Clean exploit code 2014-01-27 08:09:18 -06:00
RangerCha a49473181c Added new module. Abuses tomcat manager upload page. Tested on tomcat 5.5.36, 6.0.37, 7.0.50, 8.0.0rc10 2014-01-27 09:04:59 -05:00
jvazquez-r7 8fe74629fe Allow send_request_cgi to take care of the uri encoding 2014-01-26 00:06:41 -06:00
jvazquez-r7 37adf1251c Delete privileged flag because is configuration dependant 2014-01-25 18:25:31 -06:00
jvazquez-r7 038cb7a981 Add module for CVE-2012-0394 2014-01-25 18:17:01 -06:00
sinn3r cc4dea7d49 Was playing with ms08_067 check and realized I forgot this print 2014-01-25 16:15:52 -06:00
William Vu 7c5229e2eb Use opts hash for glassfish_deployer
https://dev.metasploit.com/redmine/issues/8498
2014-01-24 20:17:02 -06:00
William Vu 47b9bfaffc Use opts hash for adobe_pdf_embedded_exe
https://dev.metasploit.com/redmine/issues/8498
2014-01-24 20:16:53 -06:00
sinn3r a7fa4e312b This module fails to load due to the missing end 2014-01-24 17:56:47 -06:00
jvazquez-r7 9db295769d
Land #2905, @wchen-r7's update of exploit checks 2014-01-24 16:49:33 -06:00
sinn3r cdc425e4eb Update some checks 2014-01-24 12:08:23 -06:00
sgabe 16b8b58a84 Fix the dwSize parameter 2014-01-24 11:38:57 +01:00
sgabe 8f6dcd7545 Add some randomization to the ROP chain 2014-01-24 10:28:59 +01:00
bcoles 32d6032893 Add Simple E-Document Arbitrary File Upload module 2014-01-24 19:19:25 +10:30
sgabe 021aa77f5f Add module for BID-46926 2014-01-24 01:48:21 +01:00
sinn3r c403c521b3 Change check code 2014-01-23 11:03:40 -06:00
sinn3r 0a10c1297c Address nil 2014-01-23 11:00:28 -06:00
sinn3r 333229ea7e Throw Unknown if connection times out 2014-01-23 10:54:45 -06:00
sinn3r 7f560a4b41 Oops, I broke this module 2014-01-22 11:23:18 -06:00
sinn3r c83053ba9b Progress 2014-01-22 11:20:10 -06:00
sinn3r 646f7835a3 Saving progress 2014-01-21 17:14:55 -06:00
sinn3r 85396b7af2 Saving progress
Progress group 4: Making sure these checks comply with the new
guidelines. Please read: "How to write a check() method" found in
the wiki.
2014-01-21 14:10:35 -06:00
Tod Beardsley b3b51eb48c
Pre-release fixup
* Updated descriptions to be a little more descriptive.

  * Updated store_loot calls to inform the user where the
loot is stored.

  * Removed newlines in print_* statments -- these will screw
up Scanner output when dealing with multiple hosts.

Of the fixed newlines, I haven't see any output, so I'm not sure what
the actual message is going to look like -- I expect it's a whole bunch
of newlines in there so it'll be kinda ugly as is (not a blocker for
this but should clean up eventually)
2014-01-21 13:29:08 -06:00
sinn3r 689999c8b8 Saving progress
Progress group 3: Making sure these checks comply with the new
guidelines. Please read: "How to write a check() method" found in
the wiki.
2014-01-21 13:03:36 -06:00
sinn3r fe767f3f64 Saving progress
Progress group 2: Making sure these checks comply with the new
guidelines. Please read: "How to write a check() method" found in
the wiki.
2014-01-21 11:07:03 -06:00
sinn3r 7cc3c47349
Land #2891 - HP Data Protector Backup Client Service Directory Traversal 2014-01-20 20:08:01 -06:00
sinn3r e5dc6a9911 Update exploit checks
Progress group 1: Making sure these checks comply with the new
guidelines. Please read: "How to write a check() method" found in
the wiki.
2014-01-20 14:26:10 -06:00
dukeBarman 88c283880a Fix bugs 2014-01-18 17:04:46 -05:00
dukeBarman 766c408d86 Add CVE-2013-0634: Adobe Flash Player 11.5 memory corruption 2014-01-18 11:07:11 -05:00
jvazquez-r7 e2fa581b8c Delete empty line 2014-01-17 22:05:14 -06:00
sinn3r 57318ef009 Fix nil bug in jboss_invoke_deploy.rb
If there is a connection timeout, the module shouldn't access the
"code" method because that does not exist.
2014-01-17 11:47:18 -06:00
jvazquez-r7 c670259539 Fix protocol handling 2014-01-17 00:49:44 -06:00
jvazquez-r7 eaf1b0caf6 Add minor clean up 2014-01-16 17:55:45 -06:00
jvazquez-r7 f3c912bd32 Add module for ZDI-14-003 2014-01-16 17:49:49 -06:00
jvazquez-r7 ac9e634cbb
Land #2874, @mandreko's sercomm exploit fixes 2014-01-16 16:35:32 -06:00
jvazquez-r7 272fe5ddfd Delete debug comments 2014-01-16 16:12:12 -06:00
jvazquez-r7 8213eed49f Delete Netgear N150 target, ist's a Netgear DGN1000 model 2014-01-16 15:14:31 -06:00
jvazquez-r7 139119d32c Add Manual targets to sercomm_exec 2014-01-16 12:44:26 -06:00
jvazquez-r7 0922aef8d1 Update module description 2014-01-16 11:16:11 -06:00
William Vu 5d387c96ec
Land #2879, minor code formatting missed in #2863 2014-01-14 11:22:09 -06:00
sgabe b4280f2876 Very minor code formatting 2014-01-14 13:35:00 +01:00
Matt Andreko b7b1ddf1e8 Sercomm Exploit module fixes
Added targets for 8 specific targets that I've tested: Cisco WAP4410N,
Honeywell WAP-PL2 IP Camera, Netgear DG834, Netgear DG834G, Netgear
DG834PN, Netgear DGN1000, Netgear DSG835, Netgear WPNT834
Added functionality to the CmdStagerEcho mix-in to support encoding via
octal instead of hex based on the :enc_type option. This is because many
devices would not output hex encoded values properly.
Added options on a per-target basis for the PackFormat (endian pack()
values for communication), UploadPath (because /tmp wasn't always
writable), and PayloadEncode (previously mentioned octal encoding
option)
Note for some reason, some devices communicate over one endianness, but
then require a payload for the other endianess. I'm not sure what's
causing this, but if those specific combinations are not used, the
exploit fails. More research may be required for this.
2014-01-13 16:58:32 -05:00
jvazquez-r7 24c57b34a7 Have into account endianess 2014-01-13 15:04:23 -06:00
Tod Beardsley 671027a126
Pre-release title/desc fixes 2014-01-13 13:57:34 -06:00
sinn3r 771bd039a0
Land #2863 - Update realplayer_ver_attribute_bof.rb
Refs & ROP
2014-01-13 11:29:52 -06:00
sinn3r bc9c865c25
Land #2865 - js payload to firefox_svg_plugin & add BA support for FF JS exploits 2014-01-13 11:17:36 -06:00
jvazquez-r7 95a5d12345 Merge #2835, #2836, #2837, #2838, #2839, #2840, #2841, #2842 into one branch 2014-01-13 10:57:09 -06:00
sgabe e7cc3a2345 Removed unnecessary target 2014-01-13 13:17:16 +01:00
sgabe 26d17c03b1 Replaced ROP chain 2014-01-13 02:54:49 +01:00
Joe Vennix b3b04c4159 Fix both firefox js exploits to use browser_autopwn. 2014-01-11 17:34:38 -06:00
sgabe d657a2efd3 Added DEP Bypass 2014-01-11 20:31:28 +01:00
sgabe 72d15645df Added more references 2014-01-11 20:30:50 +01:00
sgabe 8449005b2a Fixed CVE identifier. 2014-01-10 23:45:34 +01:00
sinn3r cacd7ff9d4
Land #2827 - Add firefox js xpcom payloads for universal ff shells 2014-01-10 14:29:32 -06:00
jvazquez-r7 9d14dd59eb Delete parentheses 2014-01-09 15:17:13 -06:00
jvazquez-r7 85203c2f2a
Land #2823, @mandreko's exploit module for OSVDB 101653 2014-01-09 10:27:44 -06:00
Matt Andreko 40d2299ab4 Added tested device 2014-01-09 10:46:14 -05:00
Matt Andreko c50f7697a5 Merge branch 'review_2823' of https://github.com/jvazquez-r7/metasploit-framework into sercomm_exec 2014-01-09 10:39:12 -05:00
jvazquez-r7 bbaaecd648 Delete commas 2014-01-09 08:01:11 -06:00
jvazquez-r7 5e510dc64c Add minor fixes, mainly formatting 2014-01-09 07:51:42 -06:00
Matt Andreko ed6723655d Code Review Feedback
Fixed some handling of errors and invalid hosts
2014-01-09 08:44:01 -05:00
William Vu 8414973746
Land #2833, rm linksys_wrt110_cmd_exec_stager 2014-01-09 01:21:22 -06:00
Matt Andreko d2458bcd2a Code Review Feedback
Migrated the Sercomm module to use the CmdStager mixin to provide
uploading of the ELF binary.
Modified the CmdStagerEcho mixin to allow bypass of the "-en " since in
this case, the device messed up when it was used, and would actually
write the "-en " to the file, from some flaky busybox version of "echo".
2014-01-08 22:21:32 -05:00
Niel Nielsen e79ccb08cb Update rails_secret_deserialization.rb
When using aws-sdk with Ruby 2.1.0-rc1, many "Digest::Digest is deprecated; use Digest" warnings are printed.
Even in Ruby 1.8.7-p374, OpenSSL::Digest::Digest is only provided for backward compatibility.
2014-01-07 21:41:15 +01:00
jvazquez-r7 590547ebc7 Modify title to avoid versions 2014-01-07 13:01:10 -06:00
Joe Vennix c34af35230 Add wrt100 to the description and title.
* The wrt110 and wrt100 share the same firmware, and are both vulnerable to this
bug.
2014-01-07 10:26:15 -06:00
Joe Vennix 1057cbafee Remove deprecated linksys module. 2014-01-07 10:22:35 -06:00
Tod Beardsley c0a82ec091
Avoid specific versions in module names
They tend to be a lie and give people the idea that only that version is
vulnerable.
2014-01-06 13:47:24 -06:00
sinn3r 1cdfbfeed5
Land #2820 - vTigerCRM SOAP AddEmailAttachment Arbitrary File Upload 2014-01-06 10:36:02 -06:00
Tod Beardsley cd38f1ec5d
Minor touchups to recent modules. 2014-01-03 13:39:14 -06:00
Matt Andreko 41ac66b5e5 Removed stupid debug line I left in 2014-01-03 11:00:13 -05:00
Matt Andreko aaa9fa4d68 Removed RequiredCmd options that didn't work successfully. 2014-01-03 10:56:01 -05:00
Matt Andreko 20b073006d Code Review Feedback
Removed Payload size restriction. I tested with 10,000 characters and it
worked.
Removed handler for now, since it's unable to get a shell. It's
currently limited to issuing commands.
2014-01-03 10:54:16 -05:00
Matt Andreko 570e7f87d3 Moved to more appropriate folder 2014-01-02 20:58:46 -05:00
Matt Andreko b24e927c1a Added module to execute commands on certain Sercomm devices through
backdoor
See more: https://github.com/elvanderb/TCP-32764
2014-01-02 20:54:02 -05:00
William Vu 2d25781cf0
Land #2804 for real (thanks, @jvazquez-r7!)
It was the wrong time to mess with my workflow.
2014-01-02 16:39:02 -06:00
OJ 1cb671b02e
Merge branch 'adjust_getenv_api' into stop_abusing_expand_path 2014-01-03 08:14:02 +10:00
William Vu 67a796021d
Land #2804, IBM Forms Viewer 4.0 exploit 2014-01-02 16:10:02 -06:00
jvazquez-r7 eaeb457d5e Fix disclosure date and newline as pointed by @wvu-r7 2014-01-02 16:08:44 -06:00
Joe Vennix 06fb2139b0 Digging around to get shell_command_token to work. 2014-01-02 14:05:06 -06:00
jvazquez-r7 1b893a5c26 Add module for CVE-2013-3214, CVE-2013-3215 2014-01-02 11:25:52 -06:00
Joe Vennix 1b0e99b448 Update proto_crmfrequest module. 2014-01-02 10:48:28 -06:00
Joe Vennix 694cb11025 Add firefox platform, architecture, and payload.
* Enables chrome privilege exploits in firefox to run a javascript cmd
shell session without touching the disk.
* Adds a spec for the addon_generator.
2014-01-02 10:48:28 -06:00
William Vu d291cd92d7
Land #2817, icofx_bof random things 2014-01-01 22:01:48 -06:00
jvazquez-r7 b4439a263b Make things random 2013-12-31 16:06:25 -06:00
sinn3r 184bd1e0b2
Land #2815 - Change gsub hardtabs 2013-12-31 15:58:21 -06:00
jvazquez-r7 2252a037a5 Fix disclosure date 2013-12-31 14:51:43 -06:00
jvazquez-r7 3775b6ce91 Add module for CVE-2013-4988 2013-12-31 14:43:45 -06:00
jvazquez-r7 841f67d392 Make adobe_reader_u3d also compliant 2013-12-31 11:07:31 -06:00
jvazquez-r7 7f9f4ba4db Make gsubs compliant with the new indentation standard 2013-12-31 11:06:53 -06:00
William Vu 80a1e85235 Add :config => false to sysax_ssh_username 2013-12-30 18:13:49 -06:00
David Maloney c3fd657bde Missing config false flag
the sshexec exploit was missing the flag
that tells net:ssh to not use the user's
local config . This can cuase ugly problem

MSP-9262
2013-12-30 14:28:15 -06:00
jvazquez-r7 57d60c66f9 Add masqform version as comment 2013-12-27 10:59:23 -06:00
jvazquez-r7 341e3c0370 Use rexml 2013-12-27 10:55:36 -06:00
jvazquez-r7 ee35f9ac30 Add module for zdi-13-274 2013-12-27 10:20:44 -06:00
Tod Beardsley 5ce862a5b5
Add OSVDB 2013-12-26 10:33:46 -06:00
sinn3r 90ce761681
Land #2790 - RealNetworks RealPlayer Version Attribute Buffer Overflow 2013-12-24 00:39:54 -06:00
sinn3r 367dce505b Minor details 2013-12-24 00:39:15 -06:00
sgabe f687a14539 Added support for opening via menu. 2013-12-24 03:12:49 +01:00
sinn3r 9c484dd0a3
Land #2786 - HP SiteScope issueSiebelCmd Remote Code Execution 2013-12-23 02:34:01 -06:00
sinn3r 5b647ba6f8 Change description
Pre-auth is implied.
2013-12-23 02:33:17 -06:00
sgabe 287271cf98 Fixed date format. 2013-12-22 01:32:16 +01:00
sgabe 0ac495fef8 Replaced hex with plain text. 2013-12-22 01:31:37 +01:00
jvazquez-r7 f43bc02297 Land #2787, @mwulftange's exploit for CVE-2013-6955 2013-12-20 17:03:10 -06:00
jvazquez-r7 163a54f8b1 Do send_request_cgi final clean up 2013-12-20 17:00:57 -06:00
sgabe 44ab583611 Added newline to end of file. 2013-12-20 22:40:45 +01:00
sgabe 62f71f6282 Added module for CVE-2013-6877 2013-12-20 22:37:09 +01:00
jvazquez-r7 af13334c84 Revert gsub! 2013-12-20 11:39:49 -06:00
sinn3r ce8b8e8ef9
Land #2783 - OpenSIS 'modname' PHP Code Execution 2013-12-20 11:29:10 -06:00
sinn3r d0ef860f75 Strip default username/password
There isn't one. So force the user to supply one.
2013-12-20 11:28:18 -06:00
sinn3r 52a4e55804
Land #2781 - Firefox 5.0 - 15.0.1 __exposedProps__ XCS Code Execution 2013-12-20 11:25:50 -06:00
jvazquez-r7 1da961343a Do final (minor) cleanup 2013-12-20 11:20:29 -06:00
Markus Wulftange 929f3ea35c Turn Auxiliary module into Exploit module 2013-12-20 16:45:38 +01:00
bcoles fb6cd9c149 add osvdb+url refs and module tidy up 2013-12-20 20:27:07 +10:30
jvazquez-r7 4816abe63b Add module for ZDI-13-263 2013-12-19 17:48:52 -06:00
Joe Vennix 8e27e87c81 Use the right disclosure date. 2013-12-19 12:58:52 -06:00
Joe Vennix 955dfe5d29 msftidy it up. 2013-12-19 12:53:58 -06:00
Joe Vennix b50bbc2f84 Update module to use sinn3r's beautiful browserexploitserver. 2013-12-19 12:49:24 -06:00
bcoles fc2da15c87 Add OpenSIS 'modname' PHP Code Execution module for CVE-2013-1349 2013-12-19 19:10:48 +10:30
Joe Vennix eb08a30293 Update description with new version support. 2013-12-19 02:08:55 -06:00
Joe Vennix 5ee6c77901 Add a patch for 15.x support.
* Also add authors i forgot, oops
2013-12-19 02:05:45 -06:00
Joe Vennix 2add2acc8f Use a smaller key size, harder to spot. 2013-12-18 21:02:23 -06:00
Joe Vennix 8d183d8afc Update versions, 4.0.1 does not work on windows. 2013-12-18 20:57:47 -06:00
Joe Vennix cb390bee7d Move comment. 2013-12-18 20:37:33 -06:00
Joe Vennix 23b5254ea1 Fix include reference. 2013-12-18 20:35:43 -06:00
Joe Vennix 5255f8da12 Clean up code. Test version support.
* Using #get in Object#defineProperty call makes the payload execute immediately
on all supported browsers I tested.
* Moved Ranking to Excellent since it is now 100% reliable.
2013-12-18 20:30:08 -06:00
OJ 9fb081cb2d Add getenvs, update getenv, change extract_path use
Stacks of modules were using `extract_path` where it wasn't really semantically correct
because this was the only way to expand environment variables. This commit fixes that
up a bit.

Also, I changed the existing `getenv` function in `stdapi` to `getenvs`, and had it
support the splat operator. I added a `getenv` function which is used just for a
single variable and uses `getenvs` behind the scenes.

The meterpreter console `getenv` command now uses `getenvs`
2013-12-19 11:54:34 +10:00
jvazquez-r7 198667b650
Land #2774, @Mekanismen's module for CVE-2013-7091 2013-12-18 16:23:44 -06:00
jvazquez-r7 aec2e0c92c Change ranking 2013-12-18 16:23:14 -06:00
jvazquez-r7 d4ec858051 Clean zimbra_lfi 2013-12-18 15:46:37 -06:00
sinn3r 4bddd077ec
Land #2762 - Use new ntdll railgun functions 2013-12-18 15:18:47 -06:00
Joe Vennix 64273fe41d Move addon datastore options into mixin. 2013-12-18 14:42:01 -06:00
Joe Vennix ca2de73879 It helps to actually commit the exploit. 2013-12-18 14:31:42 -06:00
Joe Vennix 1235615f5f Add firefox 15 chrome privilege exploit.
* Moves the logic for generating a firefox addon into its own mixin
* Updates the firefox_xpi_bootstrapped_addon module to use the mixin
* Module only works if you move your mouse 1px in any direction.
2013-12-18 14:30:35 -06:00
Mekanismen 0c0e8c3a49 various updates 2013-12-18 20:54:35 +01:00
jvazquez-r7 ab69454f89 Land #2745, @rcvalle's exploit for CVE-2013-2068 2013-12-18 12:06:27 -06:00
jvazquez-r7 ec64382efc Fix cfme_manageiq_evm_upload_exec according to chat with @rcvalle 2013-12-18 11:53:30 -06:00