26481d503e
one more payload size adjustment
2018-03-07 18:48:10 -06:00
b977b1c951
bump payload sizes
2018-03-07 17:41:58 -06:00
9a8f1ace2d
Add slowloris support for IPv6 and hostnames
...
Replace manual socket creation with `socket.create_connection` to get
auto-detection goodness.
2018-03-07 17:06:04 -06:00
611b208267
Adding ManageEngine Application Manager RCE
2018-03-07 23:54:01 +03:00
9ce6c2ae32
Remove redundant RPORT
2018-03-07 14:31:58 -06:00
15269ec3ce
Land #9678 , Add memcached UDP version scanner
2018-03-07 10:14:29 -06:00
86dd382e6a
Land #9554 , Eclipse Equinoxe OSGi console RCE
2018-03-07 08:41:31 -06:00
e8a227b1a6
Changes as requested by jhart-r7:
...
- Default Username / Password are now random
- Doc fixed
- REST typo fixed
2018-03-07 10:48:05 +01:00
a69c2e29d2
Correct comment
2018-03-06 18:16:22 -08:00
1e04fa009f
Fix style
2018-03-06 18:13:50 -08:00
74ec9f00e7
Add WIP memcached UDP version scanner
2018-03-06 17:54:00 -08:00
e72372d6d8
Add disclosure date and correct CVE for memcached amp
2018-03-06 16:04:00 -08:00
d6871f5733
Land #9614 , Juniper post enum module
2018-03-06 10:29:56 -06:00
4ace73a3f9
Added references, fixed code
2018-03-05 22:00:28 -06:00
e878e19bbd
Land #9665 , Add missing reverse_tcp_rc4 payload tests.
...
Merge branch 'land-9665' into upstream-master
2018-03-05 17:18:04 -06:00
176fb13c84
Fix #9650 , missed code from TelnetEnable refactor
...
1. Functionality was added incrementally, and I missed an opportunity to
consolidate a few methods under @do_exploit.
2. The Capture mixin can raise RuntimeError for a number of different
reasons, not just a lack of root privileges.
tl;dr Fix my incompetence and laziness. :-)
I don't think EDB and friends usually get these updates. :(
2018-03-05 14:46:27 -06:00
57118e1265
msftidy fix
2018-03-05 13:37:32 -06:00
a4f48eb80f
Add GitStack v2.3.10 RCE
2018-03-05 13:25:41 -06:00
3028dccd7a
Land #9644 , @xistence's memcached stats amplification scanner
2018-03-05 09:02:28 -08:00
d945734f43
Add 2017-8917 RCE for Joomla 3.0.7
2018-03-04 22:17:49 -05:00
eac7cc63fc
add missing payload tests
2018-03-04 17:54:52 -06:00
f2de2a7f21
Appease most of rubocop's concerns
2018-03-04 07:17:25 -08:00
2edb2dd8d0
Add CVE; clarify vuln name
2018-03-04 07:13:28 -08:00
ea62497385
Land #9658 spelling and grammar fixes
2018-03-04 06:24:59 -05:00
3925686173
Fixed error in my correction
...
Changed from `an username` to `a username`
2018-03-03 10:16:44 +05:30
6dbf9445c9
Add MAC address discovery
2018-03-02 19:18:30 -06:00
107512498c
Add check method
2018-03-02 19:16:37 -06:00
25f36fb926
Refactor code into new methods
2018-03-02 19:16:37 -06:00
109bc87ffb
Check for nil, EOFError, and zero-length response
2018-03-02 19:15:20 -06:00
bcdfebf93c
Add a vprint for creds we chose
2018-03-02 19:15:19 -06:00
4418a0de02
Enhance detection of telnetenabled vs. telnetd
2018-03-02 19:15:19 -06:00
fba30d47a2
Use default creds specific to protocol
2018-03-02 19:15:18 -06:00
1f40afea9c
Add automatic target for detection of TCP or UDP
2018-03-02 19:15:18 -06:00
a5e5b618fd
Add print statements I forgot
2018-03-02 19:15:17 -06:00
e87681f2c4
Add NETGEAR TelnetEnable
2018-03-02 19:15:17 -06:00
0d07d44b14
ReLand #9565 , Reverse TCP x64 RC4 via max3raza's rc4_x64 asm
...
This reverts commit 7964868fcd
2018-03-02 16:09:52 -06:00
7964868fcd
Revert "Land #9565 , Reverse TCP x64 RC4 via max3raza's rc4_x64 asm"
...
This reverts commit fcc579377f95cd149378
2018-03-02 08:29:48 -06:00
fcc579377f
Land #9565 , Reverse TCP x64 RC4 via max3raza's rc4_x64 asm
2018-03-02 07:34:45 -06:00
38c42f3b10
Fixed Typos
...
Fixed minor typing errors.
2018-03-02 17:38:19 +05:30
18a1593de7
Clean up registry and fix bug when cleaning the windows local file
2018-03-02 02:31:09 -05:00
d1e91dfdfd
Fix bug
2018-03-01 22:19:03 -05:00
2bb8fc7325
Fix bug
2018-03-01 22:16:59 -05:00
e7a7b557bc
Randomize and doc memcached stats probe; catch multi-packet responses
2018-03-01 16:56:34 -08:00
155f45fc28
Simplify memcached amplification scanner to use UDPScanner for most of the work
2018-03-01 15:37:23 -08:00
883654f0ea
Land #9653 , fix Y2k38 issue (until Jan 1, 2038)
2018-03-01 09:13:41 -06:00
27bd2a4a9f
workaround Y2k38 issues in java certificate generation
2018-03-01 08:41:28 -06:00
c84ece15a3
Update exodus.rb
2018-02-28 11:04:16 +00:00
c366f94017
Update exodus.rb
2018-02-28 10:35:05 +00:00
9e1a7c869c
Use drdos mixin for memcached amp module
2018-02-27 22:51:27 -08:00
05c99ffb5c
Add Memcached amplification scanner
2018-02-28 11:24:17 +07:00
35b66d0e60
added payload tests
2018-02-27 19:24:51 -07:00
174c47195a
Add options LocalExePath, StartupName, ServiceDescription
2018-02-27 05:32:07 -05:00
325ad7256e
if multi/handler is disabled, exit
2018-02-27 04:30:09 -06:00
fcd6e8acab
Add options LocalExePath, StartupName, ServiceDescription
2018-02-27 05:27:32 -05:00
2939695991
Add ARCH_CMD and general fixup
2018-02-26 16:59:36 -05:00
15bd45cee3
Exodus Module
2018-02-26 21:31:13 +00:00
553a82a408
Add options LEXEPATH, STARTUP_NAME, SERVICE_DESC
2018-02-26 02:39:11 -05:00
f786a1cfb9
Add options LEXEPATH, STARTUP_NAME, SERVICE_DESC
2018-02-26 01:59:49 -05:00
0c82b0a922
Support Windows 2008/7 and above
...
Probably about time that we supported versions less than 10 years old :)
2018-02-24 16:06:55 -05:00
a1587bcd68
Update smb_ms17_010.rb
2018-02-24 09:05:35 +05:30
46af6239df
Update smb_ms17_010.rb
2018-02-24 08:50:39 +05:30
9bae6246b2
Check for accessible named pipe on vuln targets
...
```
msf5 auxiliary(scanner/smb/smb_ms17_010) > run
[+] 192.168.0.2:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.0.2:445 - Checking for accessible named pipes
[+] 192.168.0.2:445 - Found accessible named pipe: netlogon
[+] 192.168.0.2:445 - Found accessible named pipe: lsarpc
[+] 192.168.0.2:445 - Found accessible named pipe: samr
[+] 192.168.0.2:445 - Found accessible named pipe: browser
[+] 192.168.0.2:445 - Found accessible named pipe: atsvc
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
2018-02-24 03:20:34 +05:30
133b34827f
Fix false+ login in a few more places
2018-02-23 13:16:41 -06:00
cd728defed
Merge branch 'master' into land-9607-
2018-02-23 11:09:20 -06:00
c7bbc6eca4
juniper post enum module
2018-02-22 21:08:21 -05:00
e19a071910
add bind_named_pipe x86
2018-02-22 19:03:37 -07:00
7663e5c1f6
Land #9601 , ms17_010_eternalblue reliability fixes
2018-02-22 15:30:45 -06:00
5815b626d9
Dont save email addresses as valid
...
Also add module doc for owa_login module
2018-02-22 14:58:11 -06:00
e531dbc976
Fix bug causing all logins to appear valid
...
The headers we were looking for were a little too loose
and were incorrectly identifying all responses as successful
login attempts
2018-02-22 11:25:35 -06:00
4b8a8fa2b1
Land #9441 , Create exploit for AsusWRT LAN RCE
...
Merge branch 'land-9441' into upstream-master
2018-02-22 10:40:45 -06:00
738d6ab33a
Land #9604 , Fix logged errors when running without Python 3.6 / gmpy2
2018-02-22 08:11:30 -06:00
99e278fa29
Land #9584 , Fix reverse_php_ssl infinite loop
2018-02-22 07:03:52 -06:00
77b3673e38
Fix reverse_php_ssl infinite loop
2018-02-22 08:42:54 +00:00
f98b4b0540
require 'rubygems/package'
2018-02-22 04:28:56 +00:00
7e665ab287
check for extra libraries explicitly, fail gracefully
2018-02-21 21:54:58 -06:00
3880f6a65e
Finally fix "Unknown admin user ''" after 2yrs
...
The failed password auth was necessary after all. I misread the PoC. :'(
Apparently the password auth sets the username, while the backdoored
keyboard-interactive auth sets the password.
2018-02-21 20:44:35 -06:00
cc2495dd9c
Explain fortinet-backdoor -> FortinetBackdoor
2018-02-21 17:05:30 -06:00
a5d78b82d4
Add require for Net::SSH::CommandStream
2018-02-21 15:51:53 -06:00
854ac67b8e
Use start_session in fortinet_backdoor
...
Still get "Unknown admin user ''" from a shell channel request,
@busterb's more complete implementation notwithstanding.
Hoping we fix this in a subsequent commit or related PR.
Please see #6612 and #9524 .
2018-02-21 15:33:34 -06:00
af45c1764b
Tweak exception handling and timing of `ms17_010_eternalblue`
2018-02-21 13:40:04 -06:00
78822fd799
Land #9524 , prefer 'shell' channels over 'exec' channels for ssh CommandStream
2018-02-21 06:59:09 -06:00
9cbc55ce40
Land #9593 , finger_users regex fix
2018-02-21 01:27:40 -06:00
bda7fefa7f
Land #9444 - `hsts_eraser` module and docs
2018-02-20 21:22:55 -06:00
b2cb4c425d
Land #9594 , CloudMe Sync v1.10.9 Buffer Overflow
2018-02-20 17:49:19 -06:00
6a62ca15e7
Remove NOPS
...
[ticket: #9594 ]
2018-02-20 17:40:33 -06:00
745ad4d727
CloudMe Sync Client BoF
2018-02-20 21:57:13 +00:00
d6206dc046
Better regex in finger_users
2018-02-20 15:48:00 -06:00
107a41a4ce
Land #9561 , Disk Savvy Enterprise v10.4.18 built-in server buffer overflow
2018-02-20 15:42:12 -06:00
d02bf40d69
Modified Exploit
...
Remove NOPS that weren't needed and freed up space for a larger payload.
[ticket: #9561 ]
2018-02-20 15:35:43 -06:00
4ce7468fbe
Added rid_hijack post module. Found at post/windows/manage
2018-02-20 22:29:23 +01:00
f10d58bc2d
upgrade osx shells to osx meterpreter
2018-02-21 02:54:38 +08:00
05e002e3c5
Land #9366 , Add x64 staged Meterpreter for macOS
2018-02-19 23:15:03 -06:00
69c7e83a55
Land #9164 , add OWA 2016 support
2018-02-19 23:12:27 -06:00
74c6e21f49
Lands #9504 , MagniComp SysInfo privilege escalation
2018-02-19 22:47:33 -06:00
56c00a8cb6
initial OWA 2016 support
2018-02-19 21:43:49 -06:00
9e3f12665e
Plaintext for console type to see what's going on.
2018-02-17 20:11:05 +01:00
e877151895
Attempt at clarifying network exchange using Telnet class IAC related constants.
2018-02-17 14:00:57 +01:00
ac7fe99a2b
specify a python encoding for the module
2018-02-16 16:17:52 -06:00
242f2d3117
Land #9512 , Add Claymore Dual GPU Miner<= 10.5 DoS module
2018-02-16 10:46:48 -06:00
354eb4092a
Reverse TCP x64 RC4 via max3raza's rc4_x64 asm
...
To round out the work done by mihi for x86 stages back in the day,
this PR provides x64 Windows stage encryption in RC4 via assembly
written/modified by max3raza during adjacent work on DNS tunneled
transport.
Stage encryption differs from encoding in that there is no decoder
stub or key materiel carried with the stage which can be used by
defensive systems to decode and identify the contents. Persistence
payloads, oob-delivered stage0, and other contexts benefit heavily
from this as their subsequent stage is difficult to detect/identify,
and the chance of accidental execution of the wrong payload/stage
is drastically reduced if separate keys are in play for individual
targets - acquiring the wrong stage will result in decryption
failure and prevent further execution.
For historical context, all of the RC4 stagers implement in-place
decryption via stage0 for the contents of stage1 using the provided
passphrase converted to a key and embedded in stage0 as part of the
payload.
Testing:
In-house testing with Max - we got sessions, loaded extensions.
Notes:
All credit for the work goes to Max3raza - big ups for getting
this knocked out.
2018-02-16 05:15:05 -05:00
25d2b551d8
Land #9539 , add bind_named_pipe transport to Windows meterpreter
2018-02-15 17:39:32 -06:00
d28f6888b2
bump payloads, include bind_named_pipe support
2018-02-15 17:37:33 -06:00
b533ec6019
Land #9509 , Ulterius Server < v1.9.5.0 Directory Traversal
...
Land #9509
2018-02-15 16:34:31 -06:00
949b474a0a
Avoid target_uri.path
...
It doesn't look like target_uri.path is suitable for this scenario,
because it causes our input to be modified and hard to use.
2018-02-15 16:31:09 -06:00
38b03fdfff
Merge branch 'upstream-master' into land-9539-
2018-02-15 16:22:13 -06:00
5467f4c97e
Add header
2018-02-15 16:19:54 -06:00
e86169c217
Clean up Telnet IAC negotation and xplain obscure hex bytes.
2018-02-15 23:08:17 +01:00
c4c864f391
Land #9558 , Fix #9417 , map timeout exp to a var for telnet_encrypt_overflow
2018-02-15 15:54:23 -06:00
67dc579fd3
update magic numbers
2018-02-15 15:10:26 -06:00
651ddbb7eb
Disk Savvy Server Buffer Overflow
2018-02-15 10:09:07 +00:00
929027ab96
Disk Savvy Server Buffer Overflow
2018-02-14 20:35:32 +00:00
ef948ccc38
Fix #9417 , map timeout exp to a var for telnet_encrypt_overflow
...
Fix #9417
2018-02-14 09:19:28 -06:00
7cfc17860d
udp_probe is necessary for pivot scans
2018-02-14 08:45:46 -06:00
ef13f01820
Remove actually deprecated modules
2018-02-14 08:43:20 -06:00
234f5a316b
Revert "Remove old deprecated modules"
...
This reverts commit a2c5cc0ffb
2018-02-14 08:42:44 -06:00
5063415b79
Land #9552 , add private_type for stored tomcat pw
...
Fixes #9513
2018-02-13 19:25:27 -05:00
5fbeb74f0c
Remove osx platform and fix date.
2018-02-13 23:57:53 +01:00
0259e794ba
OSGi console remote command execution.
2018-02-13 23:38:18 +01:00
3811665b69
Land #7699 , Add UDP handlers and payloads (redux)
2018-02-13 14:50:09 -06:00
d56111a33c
update cache sizes from new tests
2018-02-13 14:34:21 -06:00
fbeba8bfd2
Fix #9513 , Add private_type to be able to store password for Tomcat
...
If there is no :private_type, the create_credential method in
Metasploit::Credential::Creation will quietly skip the password,
which makes it look like a bug when the user is trying to view
the password from the creds command.
Fix #9513
2018-02-13 14:31:56 -06:00
2221779ddd
update package namespaces
2018-02-13 13:33:36 -06:00
de24451035
Correct Typo
2018-02-13 15:57:09 +05:30
fe46f635db
Changes as requested by bcoles
2018-02-13 10:54:42 +01:00
ecb5fffb0b
Typo fix: "withint" --> "within"
2018-02-13 06:20:57 +13:00
bad1429989
reverted CachedSize values
2018-02-11 19:07:41 -07:00
8ae8a0d94b
added bind_named_pipe payload
2018-02-11 18:56:50 -07:00
285b329ee1
Land #9422 abrt race condition priv esc on linux
2018-02-11 11:58:39 -05:00
add7ae8fa1
Land #9536 , Add Ubuntu notes to documentation
2018-02-11 07:27:00 -06:00
321b78b0fe
Land #9408 , Add Juju-run Agent Privilege Escalation module (CVE-2017-9232)
2018-02-11 07:19:49 -06:00
4e5cbd68b9
Add Ubuntu notes to documentation
2018-02-11 06:52:36 +00:00
1177efef89
Update tested versions
2018-02-10 16:32:20 +00:00
0d573e1434
Support shell sessions
2018-02-09 16:15:04 -05:00
45249d582d
Add partition check
2018-02-09 16:15:04 -05:00
0ba37f8104
Add glibc $ORIGIN Expansion Privilege Escalation exploit
2018-02-09 16:15:04 -05:00
cb1b59545b
Land #9469 linux local exploit for glibc ld audit
2018-02-09 14:00:42 -05:00
f606773096
Add module for HP iLO CVE-2017-12542 authentication bypass
2018-02-09 11:14:20 +01:00
44b08feeb0
Land #9525 , Update mysql_hashdump for MySQL 5.7 and above
2018-02-08 13:56:26 -06:00
1bb5499fce
fix whitespace
2018-02-08 13:55:40 -06:00
c642d420c2
Land #9489 , Add scanner for the Bleichenbacker oracle (AKA: ROBOT)
2018-02-08 12:55:02 -06:00
c9a3894bdb
Removed require statements
2018-02-08 12:00:47 -06:00
00ead05237
Update for MySQL 5.7 and above
...
Starting from MySQL 5.7 the password column was changed to authentication_string. I've added a check to determine the version. Tested on both MySQL 5.6 and 5.7.
2018-02-08 13:40:35 +00:00
5b251ae672
Support shell sessions on Debian
2018-02-08 11:29:09 +00:00
b1d0529161
prefer 'shell' channels over 'exec' channels for ssh
...
If a command is not specified to CommandStream, request a "shell"
session rather than running exec. This allows targets that do not have a
true "shell" which supports exec to instead return a raw shell session.
2018-02-08 02:21:16 -06:00
ca4ad1d0c4
Land #9478 , Improve Dup Scout BOF exploit
2018-02-07 23:51:14 -06:00
724a0e29f6
Update Parsing, Added Rescue
2018-02-07 19:19:58 -06:00
1af1631ef6
bump cached payload sizes
2018-02-07 08:06:37 -06:00
1de8ec1073
Implemented Suggested Changes
...
Updated documentation headings and function/filename formatting.
Updated module options and formatting. Added check for file to parse.
2018-02-07 08:01:54 -06:00
0abee0303f
add change
2018-02-07 03:48:36 +08:00
278e9a92fc
add module and documentation
2018-02-06 20:30:34 +08:00
Jeffrey Martin
Brent Cook
Adam Cammack
Mehmet İnce
Jacob Robles
Fab
Jon Hart
bwatters-r7
William Vu
Luis Hernandez
h00die
Biswajit Roy
Green-m
Sonny Gonzalez
Daniel Teixeira
xistence
UserExistsError
attackdebris
Rob Fuller
Auxilus
James Barnett
Trevor Sibanda
Brendan Coles
Aaron Soto
James Lee
r4wd3r
Tim W
Chris Higgins
Quentin Kaiser
RageLtMan
Wei Chen
HD Moore
Spencer McIntyre
Agahlot
follower
UserExistsError
Pearce Barry
Osanda Malith Jayathissa
青鸟
bluebird