Julian Vilas
b9d8f75f59
Add breakpoint autohitting
2014-06-03 23:34:40 +02:00
Julian Vilas
6061e5e713
Fix suggestions
2014-06-03 23:13:14 +02:00
jakxx
62fe30798d
Tidy
2014-06-03 14:48:40 -04:00
jakxx
5ddbdb7dfd
Tidy
2014-06-03 14:23:04 -04:00
jakxx
fdfd7f410d
Tidy
2014-06-03 14:21:13 -04:00
jakxx
392b383c2c
Update
2014-06-03 14:07:04 -04:00
William Vu
6c7fd3642a
Land #3411 , Python 3.[34] Meterpreter support
2014-06-03 11:34:22 -05:00
Meatballs
0e3549ebc4
mc brute tidy
2014-06-03 17:27:46 +01:00
Spencer McIntyre
0e4177fb75
Pymeterpreter shorten stagers by 3 bytes
2014-06-03 12:03:20 -04:00
jakxx
166748a997
Add script_web_delivery
2014-06-03 11:53:32 -04:00
jvazquez-r7
43699b1dfb
Don't clean env variable before using it
2014-06-03 09:56:19 -05:00
jvazquez-r7
b8a2cf776b
Do test
2014-06-03 09:52:01 -05:00
jvazquez-r7
05ed2340dc
Use powershell
2014-06-03 09:29:04 -05:00
Spencer McIntyre
95376bf6d3
Pymeterpreter update stager and stage descriptions
2014-06-03 10:17:27 -04:00
jvazquez-r7
f918bcc631
Use powershell instead of mshta
2014-06-03 09:01:56 -05:00
joev
04ac07a216
Compress and base64 data to save bytes.
...
Reduced file size from 43kb to 12kb, yay.
2014-06-02 23:06:46 -05:00
joev
cf6b181959
Revert change to trailer(). Kill dead method.
...
* I verified that changes to PDF mixin do not affect any older modules that
generate PDF. I did this by (on each branch) running in irb, then
running the module and diffing the pdf's generated by each branch. There were
no changes.
2014-06-02 22:26:14 -05:00
joev
9f5dfab9ea
Add better interface for specifying custom #eol.
2014-06-02 22:26:11 -05:00
joev
feca6c4700
Add exploit for ajsif vuln in Adobe Reader.
...
* This refactors the logic of webview_addjavascriptinterface into a mixin (android.rb).
* Additionally, some behavior in pdf.rb had to be modified (in backwards-compatible ways).
Conflicts:
lib/msf/core/exploit/mixins.rb
2014-06-02 22:25:55 -05:00
jvazquez-r7
7f4702b65e
Update from rapid7 master
2014-06-02 17:41:41 -05:00
Tod Beardsley
d0d389598a
Land #3086 , Android Java Meterpreter updates
...
w00t.
2014-06-02 17:28:38 -05:00
jvazquez-r7
4840a05ada
Update from rapid7 master
2014-06-02 17:17:00 -05:00
jakxx
52c33b7e79
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2014-06-02 17:32:51 -04:00
Spencer McIntyre
76c3aaf743
Pymeterpreter get type encoder from dict instead
2014-06-02 17:32:08 -04:00
Spencer McIntyre
aeca455a10
Pymeterpreter update pystagers for version 3.1/3.2
2014-06-02 17:18:13 -04:00
jvazquez-r7
9574a327f8
use the new check also in exploit()
2014-06-02 14:38:33 -05:00
jvazquez-r7
3c38c0d87c
Dont be confident about string comparision
2014-06-02 14:37:29 -05:00
Tod Beardsley
b136765ef7
Nuke extra space at EOL
2014-06-02 14:22:01 -05:00
Tod Beardsley
ea383b4139
Make print/descs/case consistent
2014-06-02 13:20:01 -05:00
Tod Beardsley
b7dc89f569
I prefer "bruteforce" to "brute force" for search
...
Just makes it easier to search for, since it's an industry term of art.
2014-06-02 13:09:46 -05:00
William Vu
8bd4e8d30a
Land #3406 , indeces_enum -> indices_enum
2014-06-02 11:06:33 -05:00
jvazquez-r7
d0241cf4c1
Add check method
2014-06-02 08:14:40 -05:00
jvazquez-r7
31af8ef07b
Check .NET version
2014-06-01 20:58:08 -05:00
Meatballs
3c5fae3706
Use correct include
2014-06-01 11:51:06 +01:00
Meatballs
4801a7fca0
Allow x86->x64 injection
2014-06-01 11:50:13 +01:00
Spencer McIntyre
77eac38b01
Pymeterpreter fix processes_via_proc for Python v3
2014-05-30 16:32:03 -04:00
RageLtMan
74400549a1
Resolve undefined method `get_cookies'
...
Anemone::Page is not a Rex HTTP request/response, and uses the
:cookies method to return an array of cookies.
This resolves the method naming error, though it does break with
Rex naming convention since Anemone still uses a lot non-Rex
methods for working with pages/traffic.
2014-05-30 14:39:51 -04:00
jvazquez-r7
3ae4a16717
Clean environment variables
2014-05-30 12:21:23 -05:00
jvazquez-r7
b99b577705
Clean environment variable
2014-05-30 12:20:00 -05:00
jvazquez-r7
b27a95c008
Delete unused code
2014-05-30 12:08:55 -05:00
jvazquez-r7
e215bd6e39
Delete unnecessary code and use get_env
2014-05-30 12:07:59 -05:00
jvazquez-r7
4a1fea7abb
Land #2948 , @juushya's PocketPAD login bruteforce module
2014-05-30 11:47:16 -05:00
jvazquez-r7
b0bdfa7680
Clean up code
2014-05-30 11:44:42 -05:00
jvazquez-r7
fb59221189
Land #2494 , @juushya's etherpadduo login module
2014-05-30 11:35:28 -05:00
jvazquez-r7
d92a7adc68
change module filename
2014-05-30 11:31:49 -05:00
jvazquez-r7
40a103967e
Minor code cleanup
2014-05-30 11:28:37 -05:00
Michael Messner
76ed9bcf86
hedwig.cgi - cookie bof - return to system
2014-05-30 17:49:37 +02:00
Michael Messner
1ddc2d4e87
hedwig.cgi - cookie bof - return to system
2014-05-30 17:32:49 +02:00
jvazquez-r7
1dbd36a3dd
Check for the .NET dfsvc and use %windir%
2014-05-30 09:02:43 -05:00
jvazquez-r7
ffbcbe8cc1
Use cmd_psh_payload
2014-05-29 18:12:18 -05:00
jvazquez-r7
03889ed31f
Use cmd_psh_payload
2014-05-29 18:11:22 -05:00
jvazquez-r7
6f330ea190
Add deprecation information
2014-05-29 17:38:01 -05:00
Julian Vilas
60c5307475
Fix msftidy
2014-05-30 00:14:59 +02:00
jvazquez-r7
0d07fb6c39
Land #2858 , @jiuweigui's post module to enumerate Enumerate MUICache
2014-05-29 17:08:50 -05:00
jvazquez-r7
a6229aedff
Rescue RequestError when downloading file
2014-05-29 17:07:22 -05:00
jvazquez-r7
f2a71a47ca
Use \&\& instead of and
2014-05-29 17:04:38 -05:00
jvazquez-r7
31c282153e
Avoid ntuser.dat md5 because is causing problems, even when data is extracted
2014-05-29 17:02:28 -05:00
Julian Vilas
9627bae98b
Add JDWP RCE for Windows and Linux
2014-05-29 23:45:44 +02:00
jvazquez-r7
95b71dee00
Try to fix crash while file_remote_digest
2014-05-29 16:12:51 -05:00
jvazquez-r7
cbbd7bfdf4
Refacotor code
2014-05-29 15:55:44 -05:00
jvazquez-r7
cdabb71d23
Make code cleanup
2014-05-29 14:51:10 -05:00
jvazquez-r7
aea0379451
Fix typos
2014-05-29 12:37:51 -05:00
sinn3r
3a3d038904
Land #3397 - ElasticSearch Dynamic Script Arbitrary Java Execution
2014-05-29 12:21:21 -05:00
sinn3r
dfa61b316e
A bit of description change
2014-05-29 12:20:40 -05:00
jvazquez-r7
e145298c13
Add module for CVE-2014-0257
2014-05-29 11:45:19 -05:00
jvazquez-r7
6e122e683a
Add module for CVE-2013-5045
2014-05-29 11:42:54 -05:00
William Vu
53ab2aefaa
Land #3386 , a few datastore msftidy error fixes
2014-05-29 10:44:37 -05:00
Spencer McIntyre
145776db4d
Add a DEBUGGING option to the python meterpreter
2014-05-29 10:52:49 -04:00
William Vu
8a2236ecbb
Fix the last of the Set-Cookie msftidy warnings
2014-05-29 04:42:49 -05:00
Spencer McIntyre
15b1c79039
Adjust whitespace and set bytes to str for Python 2
2014-05-28 16:30:27 -04:00
William Vu
3f86aebabf
Land #3398 , CAPWAP DoS description cleanup
2014-05-28 14:55:22 -05:00
William Vu
785b53820e
Land #3399 , print_error instead of print_status
2014-05-28 14:53:00 -05:00
joev
c89cd24621
Rewire some snmp modules to use print_error instead of print_status.
2014-05-28 13:31:00 -05:00
Tod Beardsley
4b5c62ba8d
Dress up CAPWAP DoS desc a little.
2014-05-28 12:19:17 -05:00
jvazquez-r7
7a29ae5f36
Add module for CVE-2014-3120
2014-05-27 18:01:16 -05:00
jvazquez-r7
55ef5dd484
Land #3115 , @silascutler's module for elasticsearch indeces enumeration
2014-05-27 11:28:34 -05:00
jvazquez-r7
2271afc1a5
Change module filename
2014-05-27 11:25:39 -05:00
jvazquez-r7
3de8beb5fd
Clean code
2014-05-27 11:22:40 -05:00
jvazquez-r7
69e8286838
Fix title
2014-05-27 10:29:32 -05:00
jvazquez-r7
1316365c2f
Fix description
2014-05-27 10:22:39 -05:00
jvazquez-r7
abe1d6ffc7
Land #3190 , @Karmanovskii's module to fingerprint MyBB database
2014-05-27 10:20:24 -05:00
jvazquez-r7
86221de10e
Fix message
2014-05-27 10:18:27 -05:00
jvazquez-r7
b96c2dd0ca
Change module filename
2014-05-27 10:15:39 -05:00
jvazquez-r7
1d8c46155b
Do last code cleaning
2014-05-27 10:14:55 -05:00
William Vu
352e14c21a
Land #3391 , all vars_get msftidy warning fixes
2014-05-26 23:41:46 -05:00
William Vu
936c29e69b
Land #3387 , some Set-Cookie msftidy warning fixes
2014-05-26 23:37:33 -05:00
Karmanovskii
eacf70af83
Update mybb_get_type_db.rb
...
26.05.2014 23:26
I deleted mimicking IE11
2014-05-26 23:26:28 +04:00
jvazquez-r7
217a14e4d7
Land #3366 , @jholgui's module for CVE-2013-4074
2014-05-25 18:53:30 -05:00
jvazquez-r7
33ba134147
Clean msftidy warnings and metadata
2014-05-25 18:52:01 -05:00
jvazquez-r7
d3c17d8e3e
Delete wireshark_capwap_dos
2014-05-25 18:39:53 -05:00
Spencer McIntyre
c559483176
Land #3392 , @TomSellers patch to use python constants
2014-05-25 16:18:42 -04:00
Tom Sellers
77f66f8510
Update reverse_tcp.rb
2014-05-25 14:04:54 -05:00
Tom Sellers
b5c567c462
Update bind_tcp.rb
2014-05-25 14:03:45 -05:00
Christian Mehlmauer
da0a9f66ea
Resolved all msftidy vars_get warnings
2014-05-25 19:29:39 +02:00
JoseMi
9f166b87f6
Changed the description
2014-05-24 18:58:36 +01:00
JoseMi
71e2d19040
Adapted to auxiliary modules structure
2014-05-24 18:53:10 +01:00
Christian Mehlmauer
df97c66ff5
Fixed check
2014-05-24 00:37:52 +02:00
Christian Mehlmauer
8d4d40b8ba
Resolved some Set-Cookie warnings
2014-05-24 00:34:46 +02:00
Tod Beardsley
1aee0f3305
Warn if it's not UPPERCASE method (@wchen-r7)
...
See the discussion on f7bfab5a26
, PR #3386
2014-05-23 17:10:27 -05:00
Tod Beardsley
9f78bec457
Use normalize_uri (@wchen-r7)
...
Instead of editing the datastore['PATH'], use normalize_uri.
Since the purpose of this module is quite fuzz-like, I didn't want to
apply the normalize_uri to the whole uri -- the original code merely
applied to datastore['PATH'] (which seems like it should be
datastore['URI'] really) and then added on a bunch of other stuff to
test for traversals.
2014-05-23 15:43:50 -05:00
Tod Beardsley
f7bfab5a26
HTTP traversal shouldnt upcase METHOD (@wchen-r7)
...
If the user wants to use downcased or mixed case HTTP methods, heck,
more power to them. If it doesn't work, it doesn't work. No other HTTP
module makes this call.
2014-05-23 15:32:04 -05:00
Tod Beardsley
7f59cf5035
Ora XID HTTP needn't edit DBUSER (@cellabosm)
...
Looks like copypasta artifacts. DBUSER and DBPASS aren't ever set as
options in the module, and the module doesn't include MC's
Exploit::ORACLE mixin. It's also from four years ago and doesn't
report_auth or anything useful like that, but that's out of scope for
this branch.
2014-05-23 15:20:46 -05:00
Tod Beardsley
efffbf751a
PHP module shouldnt zap CMD option (@wchen-r7)
...
As far as I can tell, there is no purpose for this cleanup. No other CMD
exec module takes pains to clear out CMD after run, and it looks like a
bad idea -- what happens when you rexploit?
2014-05-23 15:09:18 -05:00
Tod Beardsley
f189033e8a
OWA bruteforce shouldnt edit datastore (@wchen-r7)
...
This module was written in an era where the defaults for bruteforcing
included a lot of lock-inducing behavior, thus, it was quite serious
about setting datastore options directly. Also, there was apparently a
bug in USER_AS_PASS that this module attempted to avoid by setting the
datastore directly, rather than fixing the bug directly. As far as I
know, this bug has been long since resolved.
2014-05-23 15:08:19 -05:00
Michael Messner
b85c0b7543
rop to system with telnetd
2014-05-23 20:51:25 +02:00
joev
ae3c334232
Getting closer. Still something f'd with local answerer.html.
2014-05-22 17:14:35 -05:00
mercd
28459299b2
Update ibstat_path.rb
...
Add interface detection, defaulting to en0.
2014-05-22 14:16:04 -07:00
Tod Beardsley
fa353e6bd9
Add CVE, IBM ref for SameTime modules
2014-05-22 11:34:04 -05:00
joev
14b796acbf
First stab at refactoring webrtc mixin.
2014-05-21 15:32:29 -05:00
Spencer McIntyre
e3630278ce
Land #3379 , [FixRM #8803 ] - Improve fb_cnct_group check
2014-05-21 11:39:10 -04:00
jvazquez-r7
b9464e626e
Delete unnecessary line
2014-05-21 10:18:03 -05:00
jvazquez-r7
af415c941b
[SeeRM #8803 ] Avoid false positives when checking fb_cnct_group
2014-05-20 18:44:28 -05:00
jvazquez-r7
8a9c005f13
Add URL
2014-05-20 17:43:07 -05:00
Jonas Vestberg
7cabfacfa3
Test adobe_flash_pixel_bender_bof on Safari 5.1.7
...
Added browser-requirement for Safari after successful test using Safari 5.1.7 with Adobe Flash Player 13.0.0.182 running on Windows 7 SP1.
2014-05-20 01:43:19 +02:00
Meatballs
52b182d212
Add a small note to bypassuac_injection concerning EXE::Custom
2014-05-19 22:00:35 +01:00
Meatballs
b84379ab3b
Note about EXE::Custom
2014-05-19 22:00:09 +01:00
Karmanovskii
e26dee5e22
Update mybb_get_type_db.rb
...
19/05/2014
I deleted - #return Exploit::CheckCode::Unknown # necessary ????
2014-05-19 21:32:30 +04:00
William Vu
a30d6b1f2d
Quick cleanup for sap_icm_urlscan
2014-05-19 09:21:26 -05:00
William Vu
dc0e649a10
Clean up case statement
2014-05-19 09:21:07 -05:00
William Vu
bc64e47698
Land #3370 , cleanup for sap_icm_urlscan
2014-05-19 09:16:18 -05:00
Tod Beardsley
0ef2e07012
Minor desc and status updates, cosmetic
2014-05-19 08:59:54 -05:00
Meatballs
6b1e4c3a9d
Show loot and error code
2014-05-19 11:17:58 +01:00
Meatballs
848227e18a
401 should be a valid url
2014-05-19 10:59:38 +01:00
Meatballs
5d96f54410
Be verbose about 307
2014-05-19 10:52:06 +01:00
Meatballs
88b7dc3def
re-add content length
2014-05-19 10:46:47 +01:00
Meatballs
e59f104195
Use unless
2014-05-19 10:41:01 +01:00
sinn3r
bf52c0b888
Land #3364 - Symantec Workspace Streaming Arbitrary File Upload
2014-05-19 00:25:33 -05:00
jvazquez-r7
2fb0dbb7f8
Delete debug print_status
2014-05-18 23:34:04 -05:00
jvazquez-r7
975cdcb537
Allow exploitation also on FF
2014-05-18 23:24:01 -05:00
Jonas Vestberg
033757812d
Updates to adobe_flash_pixel_bender_bof:
...
1. Added embed-element to work with IE11 (and Firefox). Removed browser-requirements for ActiveX (clsid and method).
2. Added Cache-Control header on SWF-download to avoid AV-detection (no disk caching = no antivirus-analysis :).
Testing performed:
Successfully tested with Adobe Flash Player 13.0.0.182 with IE9, IE10 and IE11 running on Windows 7SP1. (Exploit will trigger on FF29, although sandboxed.)
2014-05-18 22:43:51 +02:00
William Vu
a97d9ed54f
Land #3148 , check_urlprefixes for sap_icm_urlscan
2014-05-17 16:10:52 -05:00
sappirate
dd1a47f31f
Modified sap_icm_urlscan to check for authentication of custom URLs
...
Fixed ruby coding style
2014-05-17 22:47:49 +02:00
Karmanovskii
06912ac2b6
Update mybb_get_type_db.rb
...
1.Changed "Rex::Proto::Http::Client" to "Msf::Exploit::Remote::HttpClient"
2.changed the name of the variable "_Version_server".
2014-05-17 16:30:29 +04:00
JoseMi
21cf0a162c
Added module to crash capwap dissector in wireshark tool
2014-05-17 11:31:43 +01:00
JoseMi
74b491e715
Delete wireshark_capwap_dos module
2014-05-17 11:25:38 +01:00
Christian Mehlmauer
488c3e6b93
Land #3358 , @jvazquez-r7 Advantech WebAccess 7.1 SQLI module
2014-05-16 21:26:41 +02:00
jvazquez-r7
2012d41b3d
Add origin of the user, and mark web users
2014-05-16 13:51:42 -05:00
jvazquez-r7
4143474da9
Add support for web databases
2014-05-16 11:47:01 -05:00
jvazquez-r7
883d2f14b5
delete debug print_status
2014-05-16 11:13:03 -05:00
jvazquez-r7
ea38a2c6e5
Handle ISO-8859-1 special chars
2014-05-16 11:11:58 -05:00
jvazquez-r7
c9465a8922
Rescue when the recovered info is in a format we can't understand
2014-05-16 08:57:59 -05:00
Tod Beardsley
3c1363b990
Add new SNMP enumeration modules
2014-05-16 08:32:46 -05:00
jvazquez-r7
7ec85c9d3a
Delete blank lines
2014-05-16 01:03:04 -05:00
jvazquez-r7
9091ce443a
Add suport to decode passwords
2014-05-16 00:59:27 -05:00
jvazquez-r7
1b68abe955
Add module for ZDI-14-127
2014-05-15 13:41:52 -05:00
William Vu
f9982752f3
Land #3362 , ax rank for aux/dos mods
2014-05-14 15:20:07 -05:00
Tod Beardsley
dc57e31be1
Aux modules don't respect Rank anyway
2014-05-14 15:03:10 -05:00
jvazquez-r7
5b3bb8fb3b
Fix @FireFart's review
2014-05-14 09:00:52 -05:00
Karmanovskii
cbb84e854c
Update mybb_get_type_db.rb
...
14.05.2014
Eliminated notes jvazquez-r7
2014-05-14 14:56:40 +04:00
William Vu
1ada4831e0
Land #3293 , module deprecation constants
2014-05-14 01:37:29 -05:00
William Vu
de49241195
Land #3185 , regex option validation
2014-05-14 01:27:18 -05:00
William Vu
750b6fc218
Land #3348 , some Ruby warning fixes
2014-05-14 01:25:10 -05:00
William Vu
c421b8e512
Change if not to unless
2014-05-14 01:24:29 -05:00
Christian Mehlmauer
df4b832019
Resolved some more Set-Cookie warnings
2014-05-13 22:56:12 +02:00
jvazquez-r7
a7075c7e08
Add module for ZDI-14-077
2014-05-13 14:17:59 -05:00
joev
827feaed9f
Land #3320 , @m-1-k-3's mips exec payload fixes to allow encoding.
2014-05-13 12:38:23 -05:00
agix
1a3b319262
rebase to use the mixin psexec
2014-05-13 16:04:40 +02:00
agix
d3f2414d09
Fix merging typo
2014-05-13 16:04:40 +02:00
Florian Gaultier
808f87d213
SERVICE_DESCRIPTION doesn't concern this PR
2014-05-13 16:04:39 +02:00
Florian Gaultier
6332957bd2
Try to add SERVICE_DESCRIPTION options to psexec, but it doesn't seem to work...
2014-05-13 16:04:39 +02:00
Florian Gaultier
5ecebc3427
Add options `SERVICE_NAME` and `SERVICE_DISPLAYNAME` to psexec and correct service payload generation
2014-05-13 16:04:37 +02:00
Florian Gaultier
ca7a2c7a36
Add string_to_pushes to use non fixed size service_name
2014-05-13 16:04:37 +02:00
Florian Gaultier
513f3de0f8
new service exe creation refreshed
2014-05-13 16:04:36 +02:00
Christian Mehlmauer
3f3283ba06
Resolved some msftidy warnings (Set-Cookie)
2014-05-12 21:23:30 +02:00
Jeff Jarmoc
638ae477d9
Fix up spec. Rex::Proto::Http::ClientRequest handles & and = outside of Rex::Text::uri_encode, so mode doesn't affect them.
...
Fix erroneous typo char.
2014-05-12 12:10:30 -05:00
Jeff Jarmoc
5f523e8a04
Rex::Text::uri_encode - make 'hex-all' really mean all.
...
'hex-all' encoding was previously ignoring slashes.
This pull adds 'hex-noslashes' mode which carries forward the previous functionality, and replaces all existing references to 'hex-all' with 'hex-noslashes' It then adds a replacement 'hex-all' mode, which really encodes *ALL* characters.
2014-05-12 11:26:27 -05:00
jvazquez-r7
b5ba261ffe
Land #3347 , @FireFart's change to allow configurable landing dir on struts_code_exec_parameters
2014-05-11 18:43:41 -05:00
Tom Sellers
2b8dd9139c
Fix cosmetic issue
...
Fix cosmetic issue /w email address when it is output via 'info' or the Rapid7 module page.
2014-05-11 16:14:51 -05:00
Christian Mehlmauer
557cd56d92
fixed some ruby warnings
2014-05-10 23:31:02 +02:00
Tim Wright
a60558061c
re-enable x86 stager
2014-05-10 19:58:19 +01:00
Tim Wright
ae0691c586
make string replacement more robust
2014-05-10 17:00:25 +01:00
William Vu
92a9519fd9
Remove EOL spaces
2014-05-09 18:34:12 -05:00
Christian Mehlmauer
dee6b53175
fix java payload struts module
2014-05-10 00:19:40 +02:00
jvazquez-r7
6f837715f9
Land #3343 , @FireFart's new uri encoding for struts_code_exec_parameters
2014-05-09 14:37:58 -05:00
jvazquez-r7
38f3a19673
Try to beautify description
2014-05-09 14:35:06 -05:00
Christian Mehlmauer
43a85fc645
additional GET parameters
2014-05-09 21:21:04 +02:00
Christian Mehlmauer
ad83921a85
additional GET parameters
2014-05-09 21:15:28 +02:00
jvazquez-r7
f56ea01988
Add module
2014-05-09 10:27:41 -05:00
Christian Mehlmauer
53fde675e7
randomize meh parameter
2014-05-09 10:38:19 +02:00
sinn3r
c9e356116f
Land #3340 - Adobe Flash Player Shader Buffer Overflow
2014-05-08 20:55:38 -05:00
Christian Mehlmauer
a3fff5401f
more code cleanup
2014-05-08 23:05:41 +02:00
Christian Mehlmauer
e7b7af2f75
fixed apache struts module
2014-05-08 22:15:52 +02:00
jvazquez-r7
8c55858eae
Land #3309 , @arnaudsoullie's changes for modblusclient
2014-05-08 10:45:19 -05:00
jvazquez-r7
25f13eac37
Clean a little response parsing
2014-05-08 10:44:53 -05:00
jvazquez-r7
6b41a4e2d9
Test Flash 13.0.0.182
2014-05-07 17:39:22 -05:00
jvazquez-r7
5fd732d24a
Add module for CVE-2014-0515
2014-05-07 17:13:16 -05:00
Arnaud SOULLIE
1f3466a3a3
Added Modbus error handling.
...
It now checks for error and displays the appropriate error message.
The only error simulated was "ILLEGAL ADDRESS", don't know how
to test for others.
2014-05-05 23:21:54 +02:00
William Vu
e8bc89af30
Land #3337 , release fixes
2014-05-05 14:03:48 -05:00
Tod Beardsley
c97c827140
Adjust desc and ranking on ms13-053
...
Since it's likely to crash winlogin.exe in the normal use case
(eventually), I've kicked this down to Average ranking.
2014-05-05 13:46:19 -05:00
Tod Beardsley
3536ec9a74
Description update
2014-05-05 13:43:44 -05:00
jvazquez-r7
b81f94a229
Land #3336 , @todb-r7's CVEs addition
2014-05-05 13:43:04 -05:00
Tod Beardsley
c6affcd6d3
Fix caps, description on F5 module
...
The product name isn't "Load Balancer" as far as I can tell.
2014-05-05 13:38:53 -05:00
William Vu
353a50cdd0
Land #3316 , Content-Length fix for http_ntlmrelay
2014-05-05 13:38:36 -05:00
Tod Beardsley
3072c2f08a
Update CVEs for RootedCon Yokogawa modules
...
Noticed they were nicely documented at
http://chemical-facility-security-news.blogspot.com/2014/03/ics-cert-publishes-yokogawa-advisory.html
We apparently never updated with CVE numbers.
2014-05-05 13:25:55 -05:00
sinn3r
6bfc9a8aa0
Land #3333 - Adobe Flash Player Integer Underflow Remote Code Execution
2014-05-05 10:39:26 -05:00
William Vu
a8915f0ed8
Land #3310 , OpenSSH timing attack improvements
2014-05-04 19:47:51 -05:00
Christian Mehlmauer
073adc759d
Land #3334 , fix author by @julianvilas
2014-05-04 21:30:53 +02:00
Julian Vilas
dd7705055b
Fix author
2014-05-04 19:31:53 +02:00
OJ
7e37939bf2
Land #3090 - Windows NTUserMessageCall Win32k Kernel Pool Overflow (Schlamperei)
2014-05-04 16:41:17 +10:00
jvazquez-r7
5b150a04c6
Add testing information to description
2014-05-03 20:08:00 -05:00
jvazquez-r7
b4c7c5ed1f
Add module for CVE-2014-0497
2014-05-03 20:04:46 -05:00
Tom Sellers
a47b883083
Remove redundant simple.connect
...
Remove redundant simple.connect. Thanks @jlee-r7
2014-05-02 12:46:50 -05:00
julianvilas
36f9f342c1
Fix typo
2014-05-02 16:26:08 +02:00
Meatballs
56c5eac823
Message correction
2014-05-02 14:18:18 +01:00
Meatballs
69915c0de5
Message correction
2014-05-02 14:17:27 +01:00
Tom Sellers
b2eeaef475
Add admin check to smb_login
...
The attached updates changes smb_login to detect if the newly discovered user is an administrator. It is based on code from Brandon McCann "zeknox" submitted in PR #1373 , the associated changes, and the newer PR #2656 .
The changes should correct a few issues with PR #1373 and #2656 and address Redmine bug #8773 .
Specifically it:
- Fixes the admin detection code by using simple.disconnect(<share>) instead of disconnect()
- Adds support for detecting if the remote host will allow connects using any domain name when one of the new status codes is returned
- Dealt with the issue in PR #2656 where the username was prefixed with a '\'
Verification
Be connected to a database
Run this against a machine with a known user and admin user
See that the admin user is reported correctly
See that the non-admin user is reported correctly
Check the output of creds
Select a target that requires a domain in order to authenticate
In the stored credentials, with CHECK_ADMIN enabled, see that the domain name is, in fact, preserved in the reporting
To validate that the remote domain ignores domain value use the following command from a windows system:
net use \\<hostip>\admin$ /user:<random_value>\<username> <password>
2014-05-02 06:16:21 -05:00
jvazquez-r7
150b89e290
Land #3314 , @julianvilas's exploit for Struts CVE-2014-0094
2014-05-01 18:09:10 -05:00
jvazquez-r7
3dd3ceb3a9
Refactor code
2014-05-01 18:04:37 -05:00
jvazquez-r7
b7ecf829d3
Do first refactor
2014-05-01 16:39:53 -05:00
jvazquez-r7
195005dd83
Do minor style changes
2014-05-01 15:25:55 -05:00
jvazquez-r7
140c8587e7
Fix metadata
2014-05-01 15:24:16 -05:00
Christian Mehlmauer
f7d8a5e3a3
rework the openssl_heartbleed module
2014-05-01 21:43:58 +02:00
Julian Vilas
e0ee31b388
Modify print_error by fail_with
2014-05-01 20:19:31 +02:00
Julian Vilas
3374af83ab
Fix typos
2014-05-01 19:44:07 +02:00
jvazquez-r7
d3045814a2
Add print_status messages
2014-05-01 11:05:55 -05:00
jvazquez-r7
cc2e680724
Refactor
2014-05-01 11:04:29 -05:00
jvazquez-r7
28e9057113
Refactor make_payload
2014-05-01 10:23:33 -05:00
jvazquez-r7
bd124c85cb
Use metadata format for actions
2014-05-01 09:52:55 -05:00
jvazquez-r7
1483f02f83
Land #3306 , @xistence's alienvault's exploit
2014-05-01 09:25:07 -05:00
jvazquez-r7
1b39712b73
Redo response check
2014-05-01 09:10:16 -05:00
jvazquez-r7
78cefae607
Use WfsDelay
2014-05-01 09:07:26 -05:00
xistence
5db24b8351
Fixes/Stability AlienVault module
2014-05-01 14:53:55 +07:00
xistence
c12d72b58c
Changes to alienvault module
2014-05-01 10:39:11 +07:00
xistence
9bcf5eadb7
Changes to alienvault module
2014-05-01 10:10:15 +07:00
Julian Vilas
bd39af3965
Fix target ARCH_JAVA and remove calls to sleep
2014-05-01 00:51:52 +02:00
William Vu
8b138b2d37
Fix unquoted path in cleanup script
2014-04-30 16:34:33 -05:00
kaospunk
6b740b727b
Changes PATH to proper case
...
This changes PATH to Path
2014-04-30 17:26:36 -04:00
kaospunk
fdc81b198f
Adds the ability to specify path
...
This update allows an explicit path to be set rather
than purely relying on the TEMP environment variable.
2014-04-30 16:08:48 -04:00
Michael Messner
111160147f
MIPS exec payload fixes for encoder
2014-04-30 20:37:54 +02:00
William Vu
7777202045
Deconflict #3310 and correct the description
2014-04-30 12:02:57 -05:00
jvazquez-r7
9cd6c5ef2b
Land #3297 , @Th4nat0s's F6 backends disclosure module
2014-04-30 09:31:37 -05:00
jvazquez-r7
4e80e1c239
Clean up pull request code
2014-04-30 09:31:07 -05:00
JoseMi
b0da032136
Modified the metadatas
2014-04-29 23:06:30 +01:00
JoseMi
55d8be8238
Add cve-2013-4074 module to crash dissector capwap
2014-04-29 22:55:14 +01:00
julianvilas
8e8fbfe583
Fix msf-staff comments
2014-04-29 17:36:04 +02:00
Tod Beardsley
a5983b5f57
Light touchup on FP checker
2014-04-29 16:14:41 +01:00
Tod Beardsley
88efeea378
Add a false positive check
2014-04-29 16:07:42 +01:00
Arnaud SOULLIE
e386855e0e
Add ACTIONS descriptions
2014-04-29 16:55:05 +02:00
Tod Beardsley
4d76128937
Merge upstream and deconflict #3310 whitespace
2014-04-29 15:32:32 +01:00
Arnaud SOULLIE
04f2632972
Implement jvazquez-r7 comments
2014-04-29 16:09:47 +02:00
julianvilas
b2c2245aff
Add comments
2014-04-29 11:24:17 +02:00
Julian Vilas
a78aae08cf
Add CVE-2014-0094 RCE for Struts 2
2014-04-29 03:58:04 +02:00
Julian Vilas
17a508af34
Add CVE-2014-0094 RCE for Struts 2
2014-04-29 03:50:45 +02:00
Rich Lundeen
60b9f855b4
Bug with HTTP POST requests (content type sent twice)
2014-04-28 18:44:02 -07:00
sinn3r
4c0a692678
Land #3312 - Update ms14-012
2014-04-28 18:48:20 -05:00
sinn3r
b1ac0cbdc7
Land #3239 - Added target 6.1 to module
2014-04-28 18:28:14 -05:00
jvazquez-r7
4caf03b92f
Land #3301 , @nodeofgithub's patch for sercomm module
2014-04-28 17:19:47 -05:00
Thanat0s
70314494ca
test nil of port & host
2014-04-28 23:33:01 +02:00
Thanat0s
fe3f7fd76a
Obey to reviewer.. code fix
2014-04-28 23:26:29 +02:00
jvazquez-r7
1c88dea7d6
Exploitation also works with flash 13
2014-04-28 16:23:05 -05:00
sinn3r
8a4c7b22ed
Land #3296 - Refactors firefox js usage into a mixin
2014-04-28 15:22:55 -05:00
sinn3r
d530c9c128
Land #3304 - Adobe Flash Player Type Confusion Remote Code Execution
2014-04-28 15:06:50 -05:00
Tod Beardsley
1b4fe90003
Fix msftidy warnings on wireshark exploits
2014-04-28 19:51:38 +01:00
Tod Beardsley
3bfdfb5cab
Grammar
2014-04-28 19:49:56 +01:00
Tod Beardsley
a5baea1a8e
Touch up print_ statements
2014-04-28 19:49:23 +01:00
Tod Beardsley
a6edd94c7f
Just fix refs and desc for release
2014-04-28 19:47:15 +01:00
Tod Beardsley
a7e110be9e
Add a peer method, elaborate desc and prints
2014-04-28 19:41:44 +01:00
sinn3r
829b9ff4ff
Land #3308 - Fix smb_login using error_reason
2014-04-28 12:33:24 -05:00
jvazquez-r7
9a1b216fdb
Move module to new location
2014-04-28 11:55:26 -05:00
jvazquez-r7
51a5a901a8
Fix typo
2014-04-28 11:55:06 -05:00
jvazquez-r7
887dfc5f40
Fix RequiredCmd
2014-04-28 11:54:56 -05:00
jvazquez-r7
245b591247
Do module clean up
2014-04-28 11:45:40 -05:00
Arnaud SOULLIE
a0add34a7d
Removed warning message and changed default unit number to 1
2014-04-28 15:47:10 +02:00
Pedro Laguna
ab913a533e
Update oracle_demantra_file_retrieval.rb
...
Fixed typo
2014-04-28 14:36:48 +01:00
Arnaud SOULLIE
a2ccbf9833
Add read/write capabilities to modbusclient
2014-04-28 15:29:55 +02:00
Zinterax
fb39e422aa
Fix smb_login calling nonexistent method
...
When a Rex::Proto::SMB::Exceptions::InvalidWordCount exception is thrown by this module, it attempts to call the nonexistent method error_reason and throws a NoMethodError:
Auxiliary failed: NoMethodError undefined method `error_reason' for #<Rex::Proto::SMB::Exceptions::InvalidWordCount:0x007f48fcda0e48>
This changes uses the built in method get_error to return an error code.
[-] x.x.x.x:445 SMB - [1/1] - \\Domain - FAILED LOGIN (xxxxxxxx) xxxx : xxxxx [STATUS_WAIT_0]
2014-04-28 09:28:29 -04:00
Thanat0s
2396d497d8
move scanner to gather
2014-04-28 12:57:54 +02:00
Thanat0s
3bfa8ea707
Pass msftidy
2014-04-28 12:53:49 +02:00
Thanat0s
f34cfefb8f
Change hash to array
2014-04-28 12:52:46 +02:00
Thanat0s
6610977e86
add cookie.match and alway return
2014-04-28 12:39:32 +02:00
Thanat0s
d5fe8471ed
unless id
2014-04-28 12:16:49 +02:00
Thanat0s
328acc44fa
Start cleaning as requested
2014-04-28 11:32:46 +02:00
xistence
2e04bc9e4e
AlienVault OSSIM 4.3.1 unauthenticated SQLi RCE
2014-04-28 10:59:15 +07:00
jvazquez-r7
9ce5545034
Fix comments
2014-04-27 20:13:46 -05:00
jvazquez-r7
60e7e9f515
Add module for CVE-2013-5331
2014-04-27 10:40:46 -05:00
nodeofgithub
b80d366bb7
Add filter to output WPA-PSK password on Netgear DG834GT
2014-04-26 15:52:31 +02:00
William Vu
c2bb26590c
Land #3250 , version handling for Heartbleed server
2014-04-25 00:17:26 -05:00
Ramon de C Valle
fd232b1acd
Use the protocol version from the handshake
...
I used the protocol version from the record layer thinking I was using
the protocol version from the handshake. This commit fix this and uses
the protocol version from the handshake instead of from the record layer
as in https://gist.github.com/rcvalle/10335282 , which is how it should
have been initially.
Thanks to @wvu-r7 for finding this out!
2014-04-25 01:48:17 -03:00
joev
f94d1f6546
Refactors firefox js usage into a mixin.
2014-04-24 15:09:48 -05:00
sinn3r
1353c62967
Land #3295 - Fix NoMethodError undefined method `body' for nil:NilClass
2014-04-24 13:53:58 -05:00
sinn3r
ba4b507cc7
Land #3280 - Multiplatform WLAN Enumeration and Geolocation
2014-04-24 13:52:32 -05:00
sinn3r
5c0664fb3b
Land #3292 - Mac OS X NFS Mount Privilege Escalation Exploit
2014-04-24 13:43:20 -05:00
sinn3r
656e60c35c
Land #3254 - Wireshark <= 1.8.12/1.10.5 wiretap/mpeg.c Stack BoF
2014-04-24 13:20:50 -05:00
sinn3r
cde9080a6a
Move module to fileformat
2014-04-24 13:17:08 -05:00
sinn3r
a39855e20d
Works for XP SP3 too
2014-04-24 13:16:24 -05:00
sinn3r
ba8d7801f4
Remove default target because there is no auto-select
2014-04-24 13:15:49 -05:00
sinn3r
2e76db01d7
Try to stick to the 100 columns per line rule
2014-04-24 13:15:12 -05:00
Tom Sellers
8f47edb899
JBoss_Maindeployer: improve feedback against CVE-2010-0738
...
The exploit against CVE-2010-0738 won't work when using GET or POST. In the existing code the request would fail and the function would return a nil. This would be passed to detect_platform without being checked and cause the module to crash ungracefully with the error:
Exploit failed: NoMethodError undefined method `body' for nil:NilClass
The first changes detect a 401 authentication message and provide useful feedback. Given that if, in any case, 'res' is not a valid or useful response the second change just terminates processing.
I've stayed with the module's coding style for consistency.
2014-04-24 12:37:14 -05:00
Christian Mehlmauer
ef815ca992
Land #3288 , Postgres support for Heartbleed scanner
2014-04-24 18:03:13 +02:00
Tom Sellers
d4c0d015c1
Update wlan_geolocate.rb
...
Updated based on feedback. Also added enumeration only support for BSD and Solaris.
2014-04-24 07:04:50 -05:00
Spencer McIntyre
ec1f7d644c
Support deprecation information from constants
2014-04-23 23:03:02 -04:00
Spencer McIntyre
9ccb9397e3
Land #3264 , throttl and csv output support for module
2014-04-23 19:00:28 -04:00
Spencer McIntyre
e2b92a824f
Change white space for authors in dns_reverse_lookup
2014-04-23 18:56:27 -04:00
JoseMi
fd95d9ef38
Added english windows xp sp2 target
2014-04-23 17:32:56 +01:00
William Vu
15bd92dd50
Fix OpenSSH timing attack module
2014-04-23 10:10:37 -05:00
William Vu
0a108acea3
Fix missing comma
...
Commas will be the death of me.
2014-04-23 10:10:12 -05:00
William Vu
6d7fde4302
Land #3157 , OpenSSH user enumeration timing attack
2014-04-23 10:01:10 -05:00
William Vu
1a2899d57b
Fix up whitespace 'n' stuff
2014-04-23 10:00:34 -05:00
Thanat0s
457c48b89b
Error on sleep
2014-04-23 11:38:23 +02:00
Joe Vennix
143aede19c
Add osx nfs_mount module.
2014-04-23 02:32:42 -05:00
Jonathan Claudius
d70aa4cdbb
Fix MSFTidy complaints
2014-04-22 22:07:25 -04:00
Jonathan Claudius
b3cabaaa28
Clean up some formatting concerns
2014-04-22 21:58:14 -04:00
Jonathan Claudius
f71ad111da
Change return values from nil to false
2014-04-22 21:48:16 -04:00
Jonathan Claudius
3d793fc6f1
Add default VPN group fall back
2014-04-22 21:45:04 -04:00
Jonathan Claudius
4d9ece2f9a
Add hyphens and digits to group regex
2014-04-22 21:34:08 -04:00
kenkeiras
96f042110f
return is not needed when it's the last lifunction line
2014-04-22 22:33:47 +02:00
kenkeiras
c9d8da991a
Use Rex.sleep instead of select
2014-04-22 22:33:19 +02:00
kenkeiras
d2a558dc85
Removed unused code
2014-04-22 22:33:02 +02:00
Wiesław Kielas
8f6567967d
Heartbleed PostgreSQL TLS support improvements
2014-04-22 17:36:06 +02:00
Wiesław Kielas
fbe392a896
Add PostgreSQL TLS support to the Heartbleed scanner
2014-04-21 23:27:40 +02:00
Tod Beardsley
e514ff3607
Description and print_status fixes for release
...
@cdoughty-r7, I choose you! Or @wvu-r7.
2014-04-21 14:00:03 -05:00
Ken Smith
66b1c79da9
Update rop chain for versions 6.2 and 6.1
2014-04-21 13:27:14 -04:00
JoseMi
e25ca64641
It's solved the crash when double-click on the pcap file
2014-04-21 17:49:40 +01:00
William Vu
1faf069130
Land #3284 , deprecated module cleanup
2014-04-20 23:10:55 -05:00
James Lee
ee413ac385
Remove previously deprecated modules
2014-04-20 22:15:44 -05:00
Tom Sellers
2fd004b69e
New module: Multiplatform Wireless LAN Geolocation
...
This is a new POST module that allows Windows, Linux, and OSX targets to be geolocated using Google services if the target has an active and functional wireless adapter.
2014-04-19 17:31:48 -05:00
JoseMi
3861541204
Add more rand_text_alpha functions
2014-04-19 18:37:58 +01:00
JoseMi
7bc546e69a
Add rand_text_alpha function
2014-04-19 17:45:28 +01:00
kenkeiras
b8e0187647
Use OptPath for file path options
2014-04-18 21:56:17 +02:00
kenkeiras
fb0af8a799
Remove unnecesary ssh_socket variable
2014-04-18 21:50:54 +02:00
kenkeiras
c875bdadf5
Change THRESHOLD into a datastore option
2014-04-18 21:18:48 +02:00
kenkeiras
8a3329c891
Password made pseudo-random instead of a bunnch of A's
2014-04-18 21:10:34 +02:00
kenkeiras
47ff820a83
Remove unnecesary 'RHOST' deregister
2014-04-18 21:06:46 +02:00
kenkeiras
cc2d4f9ed7
Remove unnecesary @good_credentials
2014-04-18 21:03:22 +02:00
JoseMi
feea4c1fa6
ROP chain changed
2014-04-18 19:05:53 +01:00
William Vu
7d801e3acc
Land #3200 , goodbye LORCON modules :(
2014-04-18 12:32:22 -05:00
jvazquez-r7
c4d4af031c
Land #3276 , @todb-r7's "make msftidy happy"'s fix
2014-04-18 09:54:52 -05:00
jvazquez-r7
5083143971
Land #3238 , @Zinterax's timeout addition in openssl_heartbleed
2014-04-18 09:28:04 -05:00
Tod Beardsley
2a729c84f6
Fix disclosure date
2014-04-18 09:27:41 -05:00
jvazquez-r7
8a011ec9f6
Land #3197 , @0x3fcoma's module for CVE-2013-5795 and CVE-2013-5880
2014-04-18 08:58:54 -05:00
jvazquez-r7
f3299e3ced
Do minor code cleanup
2014-04-18 08:58:11 -05:00
jvazquez-r7
2366f77226
Clean timeout handling code
2014-04-18 08:16:28 -05:00
Zinterax
e38f4cbfa0
Apply response_timeout to get_once, code cleanup
...
Add response_timeout to get_once
Change timeout output in establish_connect()
Add disconnect ater timeout output
Made establish_connect timeout check more readable
2014-04-18 07:57:33 -04:00
Zinterax
fab091ca88
Fix Action => DUMP
...
Fix for when Action is set to DUMP. Modifed the check to use action.name.
Console output:
msf auxiliary(openssl_heartbleed) > set action DUMP
action => DUMP
msf auxiliary(openssl_heartbleed) > run
[*] 192.168.1.3:443 - Sending Client Hello...
[*] 192.168.1.3:443 - Sending Heartbeat...
[*] 192.168.1.3:443 - Heartbeat response, 17403 bytes
[+] 192.168.1.3:443 - Heartbeat response with leak
[*] 192.168.1.3:443 - Heartbeat data stored in /root/.msf4/loot/20140418070745_default_192.168.1.3_openssl.heartble_135938.bin
[*] 192.168.1.3:443 - Printable info leaked: STUFF STUFF STUFF
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
2014-04-18 07:08:12 -04:00
Zinterax
1cf1616341
Rebase. Add timeout option support
...
Rebase to account for the KEYS merge.
Modify bleed() to work with timeout option.
Modify establish_connect() to work with timeout option.
Modify loot_and_report() to work with timeout option.
---Test Console Output---
Client Hello Timeout:
msf auxiliary(openssl_heartbleed) > run
[*] 127.0.0.1:443 - Sending Client Hello...
[-] 127.0.0.1:443 - No Client Hello response after 10 seconds...
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Patched Apache:
msf auxiliary(openssl_heartbleed) > run
[*] 127.0.0.1:443 - Sending Client Hello...
[*] 127.0.0.1:443 - Sending Heartbeat...
[-] 127.0.0.1:443 - No Heartbeat response...
[-] 127.0.0.1:443 - Looks like there isn't leaked information...
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Vulnerable Server:
msf auxiliary(openssl_heartbleed) > run
[*] 192.168.1.3:443 - Sending Client Hello...
[*] 192.168.1.3:443 - Sending Heartbeat...
[*] 192.168.1.3:443 - Heartbeat response, 17403 bytes
[+] 192.168.1.3:443 - Heartbeat response with leak
[*] 192.168.1.3:443 - Printable info leaked: STUFF STUFF STUFF
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
2014-04-18 07:04:05 -04:00
Zinterax
021ac53911
remove me
2014-04-18 07:03:36 -04:00
Christian Mehlmauer
bbed9f4c66
Land #3274 , @jjarmoc heartbleed private key extraction
2014-04-18 06:59:10 +02:00
jvazquez-r7
b0e4648d66
Land #2895 , @dukebarman's exploit for Flash CVE-2013-0634
2014-04-17 23:35:05 -05:00
jvazquez-r7
acb12a8bef
Beautify and fix both ruby an AS
2014-04-17 23:32:29 -05:00
Jonathan Claudius
01d843f78f
Handle certificate auth nuances
2014-04-17 20:24:19 -04:00
Jonathan Claudius
6daae961cb
Add parameterized requests for detection/enumeration
2014-04-17 19:40:27 -04:00
Tod Beardsley
845108acf6
Looks like an autocorrect ran wild on TLS_CALLBACK
...
Whoops.
2014-04-17 17:47:47 -05:00
Tod Beardsley
2aa2cb17f3
Reimplement a check.
2014-04-17 17:10:54 -05:00
Tod Beardsley
d40ab039e4
Clean up whitespace. Protip: use commit hooks
2014-04-17 16:28:07 -05:00
Tod Beardsley
c34d548e50
First, undo #3252 . Sorry about that.
...
undo #3252 completely. This means a reimplementation of @dchan's work,
but his intent was simply to implement a check_host() that doesn't
actually pull memory, so that should be pretty straight forward with the
new structure of the module.
2014-04-17 16:25:15 -05:00
Jeff Jarmoc
e3daf6daf7
Singular 'TLS_CALLBACK' option
2014-04-17 15:51:37 -05:00
Jeff Jarmoc
6c832e22d6
rename scan to loot_and_report
2014-04-17 15:47:57 -05:00
Jeff Jarmoc
c12eae66b3
Error and return if public key wasn't retrieved.
2014-04-17 15:44:40 -05:00
Jeff Jarmoc
578002e016
KEYS action gets it's own function
2014-04-17 15:39:05 -05:00
Tod Beardsley
5b0b5d9476
Land #3252 , check() functionality for Heartbleed
2014-04-17 15:34:35 -05:00
Tod Beardsley
a2d6c58374
Changing << to + per @jlee-r7
2014-04-17 15:34:13 -05:00
jvazquez-r7
91d9f9ea7f
Update from master
2014-04-17 15:32:49 -05:00
jvazquez-r7
749e141fc8
Do first clean up
2014-04-17 15:31:56 -05:00
Jeff Jarmoc
9f30976b83
Heartbleed RSA Keydump
...
Flattened, merge conflicts resolved, etc.
2014-04-17 14:30:47 -05:00
Jonathan Claudius
7ddd93cf5d
Add redirect support to #is_app_ssl_vpn?
2014-04-17 12:06:29 -04:00
Jonathan Claudius
0c5fb8c0c2
Fix bug in group enumeration regex
2014-04-17 10:31:05 -04:00
Christian Mehlmauer
71a650fe6e
Land #3259 , XMPP Hostname autodetect by @TomSellers
2014-04-17 08:54:15 +02:00
Tom Sellers
1f452aab48
Code cleanup
...
Changes requested by wvu-R7
2014-04-17 12:46:25 -05:00
Tom Sellers
9e2285619e
Additional cleanup
...
Whitespace cleanup
2014-04-17 10:46:33 -05:00
Joe Vennix
8920e0cc80
Use octal encoding and -e, so that echo always works.
2014-04-17 01:17:46 -05:00
Jonathan Claudius
f53e7f84b8
Adds Cisco SSL VPN Bruteforce Aux Mod
2014-04-16 22:47:58 -04:00
Tom Sellers
ee0d30a1f3
Whitespace fix
...
Removing extra line feeds
2014-04-16 17:27:39 -05:00
Tom Sellers
92eab6c54b
Attribution addition
...
Per comment from Firefart
2014-04-16 17:26:09 -05:00
Tom Sellers
1f3ec46b8a
Heartbleed - Add autodetection of XMPP hostname (round 2)
...
Add the ability to scrape the hostname from the XMPP error message when connecting to an XMPP (Jabber) server. This allows the connection to get far enough to negotiate a TLS tunnel with STARTTLS. The manually specified domain, if present, will be used first and then the hostname autodetection will kick in if that fails.
This version addresses issues that FireFart (Thanks!) brought up about code quality and connection reliability.
2014-04-16 08:49:45 -05:00
sinn3r
54346f3f92
Land #3265 - Windows Post Manage Change Password
2014-04-15 18:45:48 -05:00
sinn3r
d7a63003a3
Land #3266 - MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free
2014-04-15 18:35:18 -05:00
sinn3r
23c2a071cd
Small name change
2014-04-15 18:35:00 -05:00
sinn3r
7a4e12976c
First little bit at Bug 8498
...
[FixRM #8489 ] rhost/rport modification
2014-04-15 18:20:16 -05:00
sinn3r
d7513b0eb2
Handle nil properly when no results are found
2014-04-15 18:19:29 -05:00
jvazquez-r7
abd76c5000
Add module for CVE-2014-0322
2014-04-15 17:55:24 -05:00
Meatballs
5bd9721d95
Redundant include
2014-04-15 21:34:21 +01:00
Meatballs
02b11afddc
Merge remote-tracking branch 'upstream/master' into netapi_change_passwd
...
Conflicts:
lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_netapi32.rb
2014-04-15 21:23:45 +01:00
Meatballs
bd9b5add49
Dont report creds
...
We dont know if a DOMAIN or IP is specified etc.
2014-04-15 21:14:49 +01:00
Meatballs
fc018eb32e
Initial commit
2014-04-15 21:05:06 +01:00
Tod Beardsley
0b2737da7c
Two more java payloads that wanted to write RHOST
...
There are three total, and they're all copy-pasted from the original
module from 2009. I suspect this idiom isn't used at all any more -- I
can't detect a difference in the payload if I just declare a host being
cli.peerhost, rather than rewriting RHOST to be cli.peerhost.
[SeeRM #8498 ]
2014-04-14 22:22:30 -05:00
Tod Beardsley
775b0de3c0
Replace RHOST reassing with just host
...
This looks okay from debug (the host looks like it's generating okay)
but there may be some subtle thing I'm not seeing here. @wchen-r7 can
you glance at this please?
[SeeRM #8498 ]
2014-04-14 22:17:31 -05:00
Tod Beardsley
9db01770ec
Add custom rhost/rport, remove editorializing desc
...
Verification:
````
resource (./a.rc)> run
[*] Connecting to FTP server ....
[*] FTP recv: "220 ProFTPD 1.3.3a Server (My FTP server)
[*] Connected to target FTP server.
[*] Authenticating as anonymous with password mozilla@example.com...
[*] FTP send: "USER anonymous\r\n"
[*] FTP recv: "331 Anonymous login ok, send your complete email address
as your password\r\n"
````
...etc.
2014-04-14 21:46:05 -05:00
Tod Beardsley
40a359f312
Include a vhost for Shodan or else it complains
...
Works now. The rhost option was not keeping the custom vhost option.
````
msf auxiliary(shodan_search) > rexploit
[*] Reloading module...
[*] Total: 13443 on 269 pages. Showing: 1
[*] Country Statistics:
[*] United States (US): 2006
[*] Germany (DE): 1787
[*] Korea, Republic of (KR): 1061
[*] Italy (IT): 916
[*] Hungary (HU): 604
[*] Collecting data, please WaitUntilAuthEmptyt...
IP Results
==========
````
2014-04-14 21:23:27 -05:00
Tod Beardsley
1436f68955
Fix shodan to not muck with datastore
2014-04-14 21:21:11 -05:00
Tod Beardsley
9035d1523d
Update wol.rb to specify rhost/rport directly
...
- [ ] Fire up tcpdump on the listening interface
- [ ] Run the module and see the pcap:
listening on vmnet8, link-type EN10MB (Ethernet), capture size 65535
bytes
20:56:02.592331 IP 192.168.145.1.41547 > 255.255.255.255.9: UDP, length
102
2014-04-14 20:57:20 -05:00
Tom Sellers
0360d1177f
Heartbleed - Add autodetection of XMPP hostname
...
Add the ability to scrape the hostname from the XMPP error message when connecting to an XMPP (Jabber) server. This allows the connection to get far enough to negotiate a TLS tunnel with STARTTLS. The manually specified domain, if present, will be used first and then the hostname autodetection will kick in if that fails.
2014-04-14 20:09:21 -05:00
Thanat0s
07ed8d832a
Update db
2014-04-15 02:48:55 +02:00
David Chan
1a73206034
Add detection for GnuTLS with with multiple records
2014-04-14 17:09:25 -07:00
Thanat0s
fecdbd1781
F5 bigip cookie module
2014-04-15 01:11:17 +02:00
William Vu
66cc050876
Land #3256 , SMTP RFC compliance for Heartbleed
2014-04-14 17:52:56 -05:00
Thanat0s
176204d62d
With implemented remarks
2014-04-14 21:11:04 +02:00
Tod Beardsley
66a50b33fd
Errant whitespace
2014-04-14 13:34:39 -05:00
Tom Sellers
634a03a852
Update to openssl_heartbleed to deal with SMTP RFC
...
Added CR character in order to have the commands match SMTP RFC 5321 2.3.8 for line termination. Some SMTP services, such as the Symantec Mail Gateway, require strict compliance or the connection will be dropped with the response '550 esmtp: protocol deviation'
Reference:
http://www.symantec.com/business/support/index?page=content&id=TECH96829
http://tools.ietf.org/html/rfc5321#section-2.3.8
2014-04-14 13:27:33 -05:00
joev
5f0d723588
Adds history collection module for FF privileged JS.
2014-04-14 12:27:18 -05:00
sinn3r
61196b4793
Land #3246 - Firefox Gather Passwords from Privileged Javascript Shell
2014-04-14 11:37:55 -05:00
David Maloney
c537aebf0f
Land #3228 , JtR colon Seperation
2014-04-14 11:19:16 -05:00
JoseMi
e811e169dc
Cambios en el exploit
2014-04-14 16:31:54 +01:00
JoseMi
da26a39634
Add CVE-2014-2219 exploit for windows XP SP3
2014-04-14 16:16:10 +01:00
Thanat0s
dd7bceee56
fix threaded issues
2014-04-12 17:43:39 +02:00
Thanat0s
d493c48cc6
add thottling,notes insert and output to dns_rev_lookup
2014-04-12 16:36:18 +02:00
Ramon de C Valle
039946e8d1
Use the first cipher suite sent by the client
...
If encrypted, use the TLS_RSA_WITH_AES_128_CBC_SHA; otherwise, use the
first cipher suite sent by the client. This complements the last commit
and makes this module work with SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2
when NEGOTIATE_TLS is not enabled (see
https://gist.github.com/rcvalle/10335282 ).
2014-04-12 05:05:14 -03:00
Ramon de C Valle
b95fcb9610
Use the protocol version sent by the client
...
Use the protocol version sent by the client. This should be the latest
version supported by the client, which may also be the only acceptable.
This makes this module work with SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2
when NEGOTIATE_TLS is not enabled (see
https://gist.github.com/rcvalle/10335282 ).
2014-04-12 04:21:35 -03:00
David Chan
6fafc10184
Add HeartBleed check functionality
2014-04-12 00:07:00 -07:00
joev
1715cf4650
Add base64 to prevent potential encoding issues.
2014-04-11 17:30:04 -05:00
joev
65d267032d
Fix wrong DisclosureDate.
2014-04-11 16:17:22 -05:00