Commit Graph

12410 Commits (bc8590dbb963db02ffcb4f3364f4bbb488d60866)

Author SHA1 Message Date
Meatballs 8bdb22aeb9
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
Conflicts:
	lib/msf/core/post/windows.rb
2014-02-25 22:15:05 +00:00
Meatballs 1f08ad48a4 Fix payload_path method 2014-02-25 22:11:23 +00:00
Meatballs 6687ef80ee
Further bypassuac tidies
Dont rescue Exception
Use ReflectiveDLLInjection post mixin
Dont keep retrieving %TEMP% path
2014-02-25 22:03:01 +00:00
David Maloney 23381ea2cb
code tidying
break big exploit method up into
smaller methods for better maintainability
2014-02-25 14:07:48 -06:00
ribeirux 8f7f1d0497 Add module for CVE-2014-0050 2014-02-22 14:56:59 +01:00
Michael Messner ec8e1e3d6f small fixes 2014-02-21 21:59:45 +01:00
Michael Messner 1384150b7a make msftidy happy 2014-02-21 21:56:46 +01:00
Michael Messner c77fc034da linksys wrt120 admin reset exploit 2014-02-21 21:53:56 +01:00
jvazquez-r7 998fa06912
Land #2998, @bit4bit's fix for the vtigercrm exploit 2014-02-20 08:36:05 -06:00
jvazquez-r7 0b27cd13e8 Make module work 2014-02-20 08:35:37 -06:00
jvazquez-r7 e75a0ea948 Fix typo 2014-02-19 15:21:02 -06:00
jvazquez-r7 aa07065f67
Land #2959, reverse powershell payload by @Meatballs1 2014-02-19 15:14:54 -06:00
jvazquez-r7 9fad43da08 Add license information 2014-02-19 15:11:12 -06:00
sinn3r ed2ac95396 Always replace \ with / for Dexter exploit
Fix for the following:
48199fec27 (commitcomment-5419010)
2014-02-19 09:24:07 -06:00
sinn3r 2e7a56b4a7
Land #3001 - SUB Encoder 2014-02-19 01:54:01 -06:00
jvazquez-r7 4ca4d82d89
Land #2939, @Meatballs1 exploit for Wikimedia RCE and a lot more... 2014-02-18 17:48:02 -06:00
Meatballs 0480ad16aa
No common 2014-02-18 23:09:35 +00:00
William Vu e7c3b94e60
Land #3006, @todb-r7's pre-release fixes 2014-02-18 14:15:12 -06:00
Tod Beardsley 721e153c7f
Land #3005 to the fixup-release branch
Prefer the intel on #3005 over my own made up 0day guess. Thanks @wvu!

Conflicts:
	modules/exploits/windows/fileformat/audiotran_pls_1424.rb
2014-02-18 14:08:54 -06:00
Tod Beardsley a863d0a526
Pre-release fixes, including msftidy errors. 2014-02-18 14:02:37 -06:00
William Vu 28dc742bcf Fix references and disclosure date 2014-02-18 13:59:58 -06:00
jvazquez-r7 4f9ab0b99f
Land #2903, @Meatballs1 SPN gather post module 2014-02-18 13:53:32 -06:00
jvazquez-r7 4903b05214 Fix tabs 2014-02-18 13:51:40 -06:00
William Vu c216357815
Land #3000, audiotran_pls_1424 SEH exploit 2014-02-18 13:27:14 -06:00
Meatballs 8a68323cf0
Dont keep checking domain 2014-02-18 17:52:34 +00:00
jvazquez-r7 1bc94b8a9d Merge for retab 2014-02-17 19:19:47 -06:00
Meatballs e290529841
Sadly this url is dead 2014-02-17 22:07:19 +00:00
Meatballs 6c32848b10
Use correct post methods 2014-02-17 22:03:07 +00:00
Meatballs 83d9a1e7c2
Xp Compat? 2014-02-17 21:28:06 +00:00
Meatballs 5e52e48d16
Gather cached GPO 2014-02-17 20:45:56 +00:00
Philip OKeefe 98958bc7bc Making audiotran_pls_1424 more readable and adding comments 2014-02-17 13:40:03 -05:00
sinn3r 52ac85be11
Land #2931 - Oracle Forms and Reports RCE 2014-02-17 08:54:23 -06:00
sinn3r 110ffbf342 Indent looks off for this line 2014-02-17 08:53:29 -06:00
sinn3r 632ea05688 100 columns 2014-02-17 08:52:56 -06:00
sinn3r 8da7ba131b In case people actually don't know what RCE means 2014-02-17 08:51:48 -06:00
sinn3r 73459baefd Add OSVDB references 2014-02-17 08:50:34 -06:00
Mekanismen fb7b938f8e check func fixed 2014-02-17 15:11:56 +01:00
OJ b2d09ed0d1 Add the NULL byte to the list of valid chars
While rare, I guess it is a possibility that the NULL byte can be
used.
2014-02-17 16:40:56 +10:00
Philip OKeefe c60ea58257 added audiotran_pls_1424 fileformat for Windows 2014-02-16 16:20:50 -05:00
Mekanismen e27d98368e fixed local server issues 2014-02-16 18:26:08 +01:00
Mekanismen e40b9e5f37 updated and improved 2014-02-16 16:24:39 +01:00
OJ e134ec4691 Remove '*' from valid file system chars 2014-02-16 23:57:54 +10:00
OJ a808053c37 Add first pass of optimised sub encoder
Full details of the encoder are in the detailed description in the
source itself. But this is effectively an "optimised" SUB encoder
which is similar to the add_sub encoder except it doesn't bother to
use the ADD instructions at all, and it doesn't zero out EAX for
each 4-byte block unless absolutely necessary. This results in
payloads being MUCH smaller (in some cases 30% or more is saved).
2014-02-16 20:12:14 +10:00
Jovany Leandro G.C 74344d6c7e vtigerolservice.php to vtigerservice.php
using direct soap/vtigerolservice.php not work..php need require('config.php');
2014-02-15 20:36:36 -05:00
Tod Beardsley f6be574453
Slightly better file checks on sqlmap.py 2014-02-15 09:58:03 -06:00
Tod Beardsley dacbf55fc1
Minor cleanup of title and desc on sqlmap 2014-02-15 09:55:06 -06:00
Mekanismen b7d69c168c bugfix and user supplied local path support 2014-02-15 16:24:59 +01:00
sinn3r 9daffbd484
Land #2973 - Dexter panel (CasinoLoader) SQLi to file upload code exec 2014-02-14 17:16:27 -06:00
sinn3r 48199fec27 Change URL identifier, and make the user choose a target 2014-02-14 17:15:00 -06:00
Meatballs c39924188a
Clean up 2014-02-14 20:52:04 +00:00
Royce Davis 0e7074c139 Modififed output for smb_enumshares module 2014-02-14 13:39:13 -06:00
Royce Davis 6dc9840064 Modified output for smb_enumshares 2014-02-14 13:12:52 -06:00
jvazquez-r7 b2ea257204 Include Linux::System post mixin 2014-02-14 08:32:21 -06:00
Meatballs1 ad72ecaf84 Handle SPN array 2014-02-14 09:48:23 +00:00
Meatballs1 4b828e5d45 Dont parse empty SPNs 2014-02-14 09:41:37 +00:00
Meatballs1 2c12952112 Moar corrections 2014-02-14 09:37:00 +00:00
Meatballs1 9dd56d32de Corrections 2014-02-14 09:32:53 +00:00
Meatballs1 7ef68184e1 Handle SPNs differently 2014-02-13 23:24:55 +00:00
Meatballs1 95048b089e Dont search for made up fields 2014-02-13 22:51:55 +00:00
Russell Sim ee3f1fc25b Record successful passwordless access to mongodb 2014-02-14 08:52:17 +11:00
Tod Beardsley 745f313413
Remove @nmonkee as author per twitter convo 2014-02-13 14:41:10 -06:00
Tod Beardsley 371f23b265
Unbreak the URL refs add nmonkee as ref and author
While @nmonkee didn't actually contribute to #2942, he did publish a
python exploit that leverages WebView, so given our policy of being
loose with author credit, I added him.

Also added a ref to @nmonkee's thing.

@jduck @jvennix-r7 if you have a problem with this, please do say so, I
don't think adding @nmonkee in any way diminishes your work, and I don't
want to appear like we're secretly ripping off people's work. I know you
aren't on this or any other module, and I know @nmonkee doesn't think
that either.
2014-02-13 14:19:59 -06:00
jvazquez-r7 61563fb2af Do minor cleanup 2014-02-13 09:10:04 -06:00
jvazquez-r7 67367092b7 Solve conflicts 2014-02-13 08:42:53 -06:00
William Vu a4035252d6 Land #1910, DISCLAIMER for firefox_creds
Fixed conflict in Author.
2014-02-12 16:32:08 -06:00
jvazquez-r7 51896bcf74
land #2984, @wchen-r7's [FixRM #8765] NameError uninitialized constant in enum_ad_user_comments 2014-02-12 15:31:54 -06:00
sinn3r ce2de8f3bf Different way to write this 2014-02-12 15:08:20 -06:00
jvazquez-r7 ff267a64b1 Have into account the Content-Transfer-Encoding header 2014-02-12 12:40:11 -06:00
sinn3r 45d4b1e1fd
Land #2958 - Add options: Applicaiton-Name, Permissions for jar.rb 2014-02-12 11:14:25 -06:00
jvazquez-r7 a59ce95901
Land #2970, @sgabe exploit for CVE-2010-2343 2014-02-12 08:10:53 -06:00
jvazquez-r7 9845970e12 Use pop#ret to jump over the overwritten seh 2014-02-12 08:10:14 -06:00
sgabe 11513d94f5 Add Juan as author 2014-02-12 12:17:02 +01:00
sgabe 3283880d65 Partially revert "Replace unnecessary NOP sled with random text" to improve reliability.
This partially reverts commit 12471660e9.
2014-02-12 12:09:16 +01:00
sinn3r 0f620f5aba Fix Uninitialized Constant RequestError
[SeeRM #8765] NameError uninitialized constant
2014-02-12 00:23:23 -06:00
sgabe 7195416a04 Increase the size of the NOP sled 2014-02-12 02:35:53 +01:00
sgabe 3f09456ce8 Minor code formatting 2014-02-11 23:53:04 +01:00
sgabe 7fc3511ba9 Remove unnecessary NOPs 2014-02-11 23:48:54 +01:00
sgabe 12471660e9 Replace unnecessary NOP sled with random text 2014-02-11 23:48:04 +01:00
sgabe 184ccb9e1e Fix payload size 2014-02-11 23:42:58 +01:00
William Vu c67c0dde8f Land #2972, enum_system find/save logs/S[UG]ID 2014-02-11 15:45:27 -06:00
jvazquez-r7 1f0020a61c
Land #2946, @jlee-r7's optimization of the x86 block_api code 2014-02-11 15:00:00 -06:00
bwall 783e62ea85 Applied changes from @wchen-r7's comments 2014-02-11 10:14:52 -08:00
jvazquez-r7 3717374896 Fix and improve reliability 2014-02-11 10:44:58 -06:00
jvazquez-r7 51df2d8b51 Use the fixed API on the mediawiki exploit 2014-02-11 08:28:58 -06:00
Roberto Soares Espreto 68578c15a3 find command modified 2014-02-11 10:08:12 -02:00
jvazquez-r7 79d559a0c9 Fix MIME message to_s 2014-02-10 22:23:23 -06:00
Roberto Soares Espreto f181134ef8 Removed hard tabs 2014-02-10 23:16:04 -02:00
sgabe e8a3984c85 Fix ROP NOP address and reduce/remove NOPs 2014-02-11 00:29:37 +01:00
William Vu e6905837eb
Land #2960, rand_text_alpha for amaya_bdo 2014-02-10 16:44:11 -06:00
bwall 13fadffe7e Dexter panel (CasinoLoader) SQLi to PHP code exec - Initial 2014-02-10 13:44:30 -08:00
Meatballs a87f604c98
Merge remote-tracking branch 'upstream/master' into mediawiki 2014-02-10 21:43:56 +00:00
Roberto Soares Espreto 2e720f8f0f Post::Linux - Added to search for files with setuid/setgid and logfiles 2014-02-10 19:24:51 -02:00
Tod Beardsley 1236a4eb07
Fixup on description and some option descrips 2014-02-10 14:41:59 -06:00
jvazquez-r7 3d4d5a84b6
Land #2957, @zeroSteiner's exploit for CVE-2013-3881 2014-02-10 13:59:45 -06:00
jvazquez-r7 502dbb1370 Add references 2014-02-10 13:55:02 -06:00
sinn3r 8a8bc74687
Land #2940 - DoliWamp 'jqueryFileTree.php' Traversal Gather Credentials 2014-02-10 13:49:02 -06:00
sinn3r 306b31eee3
Small changes before merging 2014-02-10 13:47:31 -06:00
sgabe 08b6f74fb4 Add module for CVE-2010-2343 2014-02-10 20:46:09 +01:00
jvazquez-r7 abb03d0bbe Fixing messages 2014-02-10 13:10:42 -06:00
jvazquez-r7 541bb6134e Change exploit filename 2014-02-10 13:06:23 -06:00
jvazquez-r7 2e130ce843 Make it work with Reader Sandbox 2014-02-10 13:04:13 -06:00
Tod Beardsley 7c43565ea8
Include missing require for powershell 2014-02-10 11:02:53 -06:00
jvazquez-r7 5672a4dae5
Land #2962, @Meatballs1 RequiredCmd property for ARCH_CMD win payloads 2014-02-10 09:51:08 -06:00
jvazquez-r7 8ece4a7750 Delete debug print 2014-02-10 08:57:45 -06:00
jvazquez-r7 57320a59f1 Do small clean up for mediawiki_thumb pr 2014-02-10 08:57:09 -06:00
Spencer McIntyre 0ac1acda70 Upgrade toolchain to Visual Studio 2013 v120. 2014-02-10 09:35:07 -05:00
sinn3r c96116b193
Land #2949 - Add module Kloxo SQLi 2014-02-08 13:45:11 -06:00
Meatballs 9f04e0081d
Stick with command let encoder handle encoding 2014-02-08 19:28:03 +00:00
Meatballs 93b07b0e48
Add missing RequiredCmds 2014-02-08 12:24:49 +00:00
David Maciejak 32c02dd56a Added some randomness 2014-02-08 11:27:25 +08:00
Meatballs 80814adaf9
Credit where credits due 2014-02-08 01:42:45 +00:00
Meatballs efe4d6b41a
Tidyup 2014-02-08 01:03:02 +00:00
Meatballs 2d1a0c3a01
Windows CMD love too 2014-02-08 01:00:31 +00:00
Meatballs dcff06eba1
More verbose failure messages 2014-02-07 23:59:28 +00:00
sinn3r 66cb97305c
Land #2953 - KingScada kxClientDownload.ocx ActiveX Remote Code Exec 2014-02-07 17:41:35 -06:00
sinn3r bd23fcf4b7
Land #2936 - Windows Command Shell Upgrade (Powershell) 2014-02-07 17:39:06 -06:00
Meatballs 783a986a19
Windows and auto target up and running 2014-02-07 23:26:57 +00:00
Meatballs a0f47f6b2b
Correct error check logic 2014-02-07 22:06:53 +00:00
Meatballs 443a51bbf5
Undo revert from merge 2014-02-07 21:28:04 +00:00
Meatballs 56359aa99f
Merge changes from other dev machine 2014-02-07 21:22:44 +00:00
Meatballs a4cc75bf98
Potential .pdf support 2014-02-07 20:37:44 +00:00
Meatballs e13520d7fb
Handle a blank filename 2014-02-07 20:15:32 +00:00
Meatballs 103780c3da
Merge remote-tracking branch 'upstream/master' into mediawiki 2014-02-07 20:07:04 +00:00
James Lee f0fd2f0598
Land #2944, add platforms to encoders
This allows encoders to advertise compatibility with a particular
platform (or more accurately, non-compatibility with everything that
isn't that platform).

See also #2939
2014-02-07 13:38:05 -06:00
sinn3r 63305025aa
Land #2615 - Add Windows Gather Active Directory User Comments 2014-02-07 12:23:43 -06:00
sinn3r 9c76e7fb00 Handle multiple exceptions 2014-02-07 12:23:10 -06:00
sinn3r 40188e1eda
RuntimeError exception should be handled. 2014-02-07 12:16:15 -06:00
jvazquez-r7 c679b1001b Make pring_warning verbose 2014-02-07 10:23:07 -06:00
grimmlin 2d93b38e2a Fixed java_signed_applet for Java 7u51 2014-02-07 16:29:50 +01:00
Spencer McIntyre f686385349 Remove an unnecessary VS file and modify version check. 2014-02-07 08:45:51 -05:00
jvazquez-r7 a18de35fa7 Add module for ZDI-14-011 2014-02-06 18:25:36 -06:00
Spencer McIntyre cc32c877a9 Add CVE-2013-3881 win32k Null Page exploit 2014-02-06 17:23:38 -05:00
James Lee 4b37cc7243
Land #2927, PandoraFMS anyterm exploit 2014-02-06 15:22:23 -06:00
James Lee 4236abe282
Better SIGHUP handling 2014-02-06 15:21:54 -06:00
William Vu 19fff3c33e
Land #2942, @jvennix-r7's Android awesomesauce
Also, thanks to @jduck for testing!
2014-02-06 11:53:11 -06:00
Joe Vennix 362e937c8d Forgot to push local changes. 2014-02-06 11:47:35 -06:00
Joe Vennix 0dc2ec5c4d Use BrowserExploitServer mixin.
This prevents drive-by users on other browsers from ever receiving
the exploit contents.
2014-02-06 11:32:42 -06:00
jvazquez-r7 ac52edabd5
Land #2801, Land @kicks4kittens IBM Sametime modules 2014-02-06 10:17:03 -06:00
jvazquez-r7 30c325c22e Make better json check 2014-02-06 10:16:26 -06:00
kicks4kittens 564f9bccc8 Correct print output
Printing the room details is the purpose of the module.
Reinstated printing the table in non-verbose mode (users won't know it's there otherwise)
2014-02-05 22:00:02 +01:00
kicks4kittens 445cd7be5a remove "on {peer}
line already includes {peer} info
2014-02-05 21:57:58 +01:00
kicks4kittens 4c0c9101aa Correct check, reinstate print
Corrected JSON check (response is empty, but valid JSON on check success)
Reinstated print to warn user (not only in VERBOSE)
2014-02-05 21:56:56 +01:00
kicks4kittens 60cf68f899 added default SSL 2014-02-05 21:54:02 +01:00
kicks4kittens 3560b41eb2 correct variable name
body isn't valid, replaced with res.body and tested
2014-02-05 21:51:55 +01:00
kicks4kittens 38add0ab50 alter print_status
Altered print_status to print_good to differentiate when user is online easier
2014-02-05 21:49:39 +01:00
jvazquez-r7 fdb954fdfb Report credentials 2014-02-05 14:37:33 -06:00
jvazquez-r7 631559a2e8 Add module for Kloco SQLi 2014-02-05 14:18:56 -06:00
James Lee 14aa8ffd5c
Apply blockapi changes to bind_tcp and bind_tcp_rc4 2014-02-04 17:45:18 -06:00
Joe Vennix 553616b6cc Add URL for browser exploit. 2014-02-04 17:04:06 -06:00
Tod Beardsley 3a6626761b
Land #2945, obsolete old modules
Obsoletes:

modules/auxiliary/admin/scada/igss_exec_17.rb
modules/exploits/windows/http/sap_mgmt_con_osexec_payload.rb
modules/post/windows/gather/resolve_hosts.rb
modules/post/windows/manage/persistence.rb
2014-02-04 15:11:25 -06:00