OJ
7117d50fa4
Land #3028 - bypassuac revamp
2014-02-28 09:12:02 +10:00
William Vu
1a053909dc
Land #3044 , chargen_probe reported service fix
2014-02-27 14:33:06 -06:00
sinn3r
f531d61255
Land #3036 - Total Video Player buffer overflow
2014-02-27 14:28:53 -06:00
sinn3r
7625dc4880
Fix syntax error due to the missing ,
2014-02-27 14:25:52 -06:00
sinn3r
49ded452a9
Add OSVDB reference
2014-02-27 14:22:56 -06:00
sinn3r
e72250f08f
Rename Total Video Player module
...
The filename shouldn't include the version, because the exploit should
be able to target multiple versions if it has to.
2014-02-27 14:20:26 -06:00
sinn3r
93ec12af43
Land #3035 - GE Proficy CIMPLICITY gefebt.exe Remote Code Execution
2014-02-27 14:13:28 -06:00
David Maloney
b952b103bd
cleanup tior and .tmp files
...
bypassuac module now also cleans
the tior.exe and all the .tmp files so we have a
clean environemnt afterwards
2014-02-27 13:18:34 -06:00
David Maloney
f66709b5bb
make bypassuac module clean itself up
...
since the IO redirection hangs our original process
we have the moudle wait for the session then kills
the spawning process and delete the exe we dropped
2014-02-27 12:54:40 -06:00
jgor
8be33f42fe
Define service as udp
2014-02-27 12:53:29 -06:00
jvazquez-r7
6c490af75e
Add randomization to Rex::Zip::Jar and java_signed_applet
2014-02-27 12:38:52 -06:00
David Maloney
a8e0c3c255
remove copypasta mistake
2014-02-27 10:05:53 -06:00
Fr330wn4g3
63f74bddae
2° update total_video_player_131_ini_bof
2014-02-27 16:41:35 +01:00
David Maloney
96b611104e
cleanup methods in bypassuac module
...
apply the same sort of method cleanup as in
Meatballs injection based module.
2014-02-26 11:00:55 -06:00
jvazquez-r7
bfdefdb338
Land #3023 , @m-1-k-3's module for Linksys WRT120N bof reset password
2014-02-26 09:36:14 -06:00
jvazquez-r7
6ba26bf743
Use normalize_uri
2014-02-26 09:35:42 -06:00
jvazquez-r7
582372ec3e
Do minor cleanup
2014-02-26 09:32:11 -06:00
jvazquez-r7
0531abb691
Land #3026 , @ribeirux DoS module for CVE-2014-0050
2014-02-26 08:53:55 -06:00
jvazquez-r7
449d0d63d1
Do small clean up
2014-02-26 08:52:51 -06:00
Michael Messner
b79197b8ab
feedback included, cleanup, login check
2014-02-26 13:44:36 +01:00
Fr330wn4g3
b81642d8ad
Update total_video_player_131_ini_bof
2014-02-26 11:37:04 +01:00
Fr330wn4g3
a7cacec0c3
Add module for EDB 29799
2014-02-25 23:07:28 +01:00
jvazquez-r7
96ffb1db47
Delete extra comma
2014-02-25 15:29:46 -06:00
jvazquez-r7
cb18639b66
Add small fixes and clean up
2014-02-25 15:25:01 -06:00
jvazquez-r7
1d4b2ea60d
Add module for ZDI-14-015
2014-02-25 15:07:09 -06:00
William Vu
63bbe7bef2
Land #3034 , 302 redirect for http_basic
2014-02-25 13:54:58 -06:00
William Vu
4cc91095de
Fix minor formatting issues
2014-02-25 13:48:37 -06:00
jvazquez-r7
a45c8c2b4a
Land #3029 , @xistence Symantec endpoint exploit
2014-02-25 07:59:35 -06:00
jvazquez-r7
bfe0fdb776
Move module
2014-02-25 07:58:00 -06:00
xistence
ab167baf56
Added randomness instead of payload and xxe keywords
2014-02-25 15:23:10 +07:00
jvazquez-r7
4908d80d6c
Clean up module
2014-02-24 16:00:54 -06:00
kn0
6783e31c67
Used the builtin send_redirect method in Msf::Exploit::Remote::HttpServer instead of creating a redirect inline
2014-02-24 15:59:49 -06:00
ribeirux
ead7cbc692
Author and URI fixed
2014-02-24 22:20:34 +01:00
kn0
f1e71b709c
Added 301 Redirect option to Basic Auth module
2014-02-24 14:59:20 -06:00
William Vu
6f398f374e
Land #3032 , inside_workspace_boundary? typo fix
2014-02-24 14:55:09 -06:00
James Lee
d2945b55c1
Fix typo
...
inside_workspace_boundary() -> inside_workspace_boundary?()
2014-02-24 14:46:08 -06:00
sinn3r
a50b4e88be
Fix msftidy warning: Suspect capitalization in module title: 'encoder'
2014-02-24 11:25:46 -06:00
jvazquez-r7
c981bbeab9
Land #3011 , @wchen-r7's fix for Dexter exploit
2014-02-24 10:53:10 -06:00
jvazquez-r7
b2d4048f50
Land #3027 , @OJ's fix for ultraminihttp_bof
2014-02-24 10:50:08 -06:00
jvazquez-r7
c9f0885c54
Apply @jlee-r7's feedback
2014-02-24 10:49:13 -06:00
sinn3r
5cdd9a2ff3
Land #2995 - sqlmap minor cleanup, description & file tests
2014-02-24 10:39:01 -06:00
bcoles
a29c6cd2b4
Add SolidWorks Workgroup PDM 2014 pdmwService.exe Arbitrary File Write
2014-02-25 02:57:25 +10:30
xistence
5485759353
Added Symantec Endpoint Protection Manager RCE
2014-02-24 15:04:37 +07:00
xistence
8e3f70851d
Added Symantec Endpoint Protection Manager RCE
2014-02-24 15:01:13 +07:00
OJ
fdd0d91817
Updated the Ultra Minit HTTP bof exploit
...
After exploiting this application manually I decided to make this
an MSF exploit, only to find that other people had beaten me to it.
However, the existing exploit was broken in a few ways, and this
commit makes those problems go away. They include:
* Correct use of alpha chars in the buffer leading up to the payload
which results in bad chars being avoided. Bad chars muck with the
offsets because they get expanded.
* Adjustment of the payload so that it runs in another thread instead
of in the thread of the request handler. This prevents the session
from being killed after the hard-coded 60-second timeout that is
baked into the application.
* The handler thread terminates itself so that the process doesn't
crash.
* Extra targets were added based on the machines I had access to.
2014-02-23 21:23:41 +10:00
Meatballs
6127ff92ce
Fix race condition
...
Wait for Sysprep to ExitProcess before cleaning up the DLLs...
2014-03-03 23:41:25 +00:00
Meatballs
d396be963a
Use new cmd_exec_get_pid
2014-02-28 20:53:13 +00:00
Meatballs
2a6258be15
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
...
Conflicts:
external/source/exploits/make.bat
2014-02-28 20:26:24 +00:00
Meatballs
e0fa1d532c
Dont think this works on vista/8
2014-02-26 23:14:17 +00:00
Meatballs
5a7730b495
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
2014-02-25 23:15:47 +00:00
Meatballs
8bdb22aeb9
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
...
Conflicts:
lib/msf/core/post/windows.rb
2014-02-25 22:15:05 +00:00
Meatballs
1f08ad48a4
Fix payload_path method
2014-02-25 22:11:23 +00:00
Meatballs
6687ef80ee
Further bypassuac tidies
...
Dont rescue Exception
Use ReflectiveDLLInjection post mixin
Dont keep retrieving %TEMP% path
2014-02-25 22:03:01 +00:00
David Maloney
23381ea2cb
code tidying
...
break big exploit method up into
smaller methods for better maintainability
2014-02-25 14:07:48 -06:00
ribeirux
8f7f1d0497
Add module for CVE-2014-0050
2014-02-22 14:56:59 +01:00
Michael Messner
ec8e1e3d6f
small fixes
2014-02-21 21:59:45 +01:00
Michael Messner
1384150b7a
make msftidy happy
2014-02-21 21:56:46 +01:00
Michael Messner
c77fc034da
linksys wrt120 admin reset exploit
2014-02-21 21:53:56 +01:00
jvazquez-r7
998fa06912
Land #2998 , @bit4bit's fix for the vtigercrm exploit
2014-02-20 08:36:05 -06:00
jvazquez-r7
0b27cd13e8
Make module work
2014-02-20 08:35:37 -06:00
jvazquez-r7
e75a0ea948
Fix typo
2014-02-19 15:21:02 -06:00
jvazquez-r7
aa07065f67
Land #2959 , reverse powershell payload by @Meatballs1
2014-02-19 15:14:54 -06:00
jvazquez-r7
9fad43da08
Add license information
2014-02-19 15:11:12 -06:00
sinn3r
ed2ac95396
Always replace \ with / for Dexter exploit
...
Fix for the following:
48199fec27 (commitcomment-5419010)
2014-02-19 09:24:07 -06:00
sinn3r
2e7a56b4a7
Land #3001 - SUB Encoder
2014-02-19 01:54:01 -06:00
jvazquez-r7
4ca4d82d89
Land #2939 , @Meatballs1 exploit for Wikimedia RCE and a lot more...
2014-02-18 17:48:02 -06:00
Meatballs
0480ad16aa
No common
2014-02-18 23:09:35 +00:00
William Vu
e7c3b94e60
Land #3006 , @todb-r7's pre-release fixes
2014-02-18 14:15:12 -06:00
Tod Beardsley
721e153c7f
Land #3005 to the fixup-release branch
...
Prefer the intel on #3005 over my own made up 0day guess. Thanks @wvu!
Conflicts:
modules/exploits/windows/fileformat/audiotran_pls_1424.rb
2014-02-18 14:08:54 -06:00
Tod Beardsley
a863d0a526
Pre-release fixes, including msftidy errors.
2014-02-18 14:02:37 -06:00
William Vu
28dc742bcf
Fix references and disclosure date
2014-02-18 13:59:58 -06:00
jvazquez-r7
4f9ab0b99f
Land #2903 , @Meatballs1 SPN gather post module
2014-02-18 13:53:32 -06:00
jvazquez-r7
4903b05214
Fix tabs
2014-02-18 13:51:40 -06:00
William Vu
c216357815
Land #3000 , audiotran_pls_1424 SEH exploit
2014-02-18 13:27:14 -06:00
Meatballs
8a68323cf0
Dont keep checking domain
2014-02-18 17:52:34 +00:00
jvazquez-r7
1bc94b8a9d
Merge for retab
2014-02-17 19:19:47 -06:00
Meatballs
e290529841
Sadly this url is dead
2014-02-17 22:07:19 +00:00
Meatballs
6c32848b10
Use correct post methods
2014-02-17 22:03:07 +00:00
Meatballs
83d9a1e7c2
Xp Compat?
2014-02-17 21:28:06 +00:00
Meatballs
5e52e48d16
Gather cached GPO
2014-02-17 20:45:56 +00:00
Philip OKeefe
98958bc7bc
Making audiotran_pls_1424 more readable and adding comments
2014-02-17 13:40:03 -05:00
sinn3r
52ac85be11
Land #2931 - Oracle Forms and Reports RCE
2014-02-17 08:54:23 -06:00
sinn3r
110ffbf342
Indent looks off for this line
2014-02-17 08:53:29 -06:00
sinn3r
632ea05688
100 columns
2014-02-17 08:52:56 -06:00
sinn3r
8da7ba131b
In case people actually don't know what RCE means
2014-02-17 08:51:48 -06:00
sinn3r
73459baefd
Add OSVDB references
2014-02-17 08:50:34 -06:00
Mekanismen
fb7b938f8e
check func fixed
2014-02-17 15:11:56 +01:00
OJ
b2d09ed0d1
Add the NULL byte to the list of valid chars
...
While rare, I guess it is a possibility that the NULL byte can be
used.
2014-02-17 16:40:56 +10:00
Philip OKeefe
c60ea58257
added audiotran_pls_1424 fileformat for Windows
2014-02-16 16:20:50 -05:00
Mekanismen
e27d98368e
fixed local server issues
2014-02-16 18:26:08 +01:00
Mekanismen
e40b9e5f37
updated and improved
2014-02-16 16:24:39 +01:00
OJ
e134ec4691
Remove '*' from valid file system chars
2014-02-16 23:57:54 +10:00
OJ
a808053c37
Add first pass of optimised sub encoder
...
Full details of the encoder are in the detailed description in the
source itself. But this is effectively an "optimised" SUB encoder
which is similar to the add_sub encoder except it doesn't bother to
use the ADD instructions at all, and it doesn't zero out EAX for
each 4-byte block unless absolutely necessary. This results in
payloads being MUCH smaller (in some cases 30% or more is saved).
2014-02-16 20:12:14 +10:00
Jovany Leandro G.C
74344d6c7e
vtigerolservice.php to vtigerservice.php
...
using direct soap/vtigerolservice.php not work..php need require('config.php');
2014-02-15 20:36:36 -05:00
Tod Beardsley
f6be574453
Slightly better file checks on sqlmap.py
2014-02-15 09:58:03 -06:00
Tod Beardsley
dacbf55fc1
Minor cleanup of title and desc on sqlmap
2014-02-15 09:55:06 -06:00
Mekanismen
b7d69c168c
bugfix and user supplied local path support
2014-02-15 16:24:59 +01:00
sinn3r
9daffbd484
Land #2973 - Dexter panel (CasinoLoader) SQLi to file upload code exec
2014-02-14 17:16:27 -06:00
sinn3r
48199fec27
Change URL identifier, and make the user choose a target
2014-02-14 17:15:00 -06:00
Meatballs
c39924188a
Clean up
2014-02-14 20:52:04 +00:00