David Maloney
27469f8fac
Land #8582, Rogdham Hashdump fixes
Lands Rogdham's fixes to the Hashdump post module
to support Windows 10!
2017-06-19 13:40:40 -05:00
David Maloney
6d38dffbe1
convert conditionals to case statements
just a little tidying up by using case statements
2017-06-19 13:40:00 -05:00
NickTyrer
681f9f37a6
updated check if powershell is available
2017-06-19 08:35:57 +01:00
NickTyrer
096469a8ec
added PROCESS persistence method
2017-06-18 20:42:07 +01:00
Rogdham
a01796d114
Make hashdump module work on Windows 10, fix #7936
2017-06-18 16:35:17 +02:00
Tim
03116d7933
Land #8543, add error handling to ARM linux reverse tcp stager
2017-06-18 15:38:16 +08:00
mccurls
8c23769cbc
Updated module to use an instance variable for using HTTP session tokens across functions.
2017-06-18 12:59:34 +10:00
Mzack9999
7fb36edd50
corrected msftidy warnings
2017-06-17 22:58:47 +02:00
Mzack9999
31a5cc94b2
Easy File Sharing HTTP Server 7.2 - Post Overflow exploit
2017-06-17 22:35:21 +02:00
Rogdham
75fab600c5
Add iteration count to cachedump module, fix #8560
2017-06-17 22:23:41 +02:00
mccurls
19ceb53304
Modified payload handling and uploaded documentation
2017-06-18 02:04:22 +10:00
NickTyrer
6096e373cc
removed whitespace
2017-06-17 10:44:30 +01:00
NickTyrer
85173f36f7
moved exploit method to top
added logon persistence option
fixed typo
cleaned up formatting
2017-06-17 10:30:38 +01:00
Rogdham
86f5f3f002
Fix AES key length in cachedump module, fix #8525
2017-06-17 11:20:29 +02:00
Brendan Coles
b82051757d
Add SurgeNews User Credentials scanner module
2017-06-17 01:49:47 +00:00
h00die
c9e000e379
add new version
2017-06-16 20:59:19 -04:00
mccurls
07051d1f00
Removed whitespace
2017-06-17 09:59:46 +10:00
mccurls
8eb59eac3f
Stuffed up regex.. left some random $ characters floating around and have now removed them.
2017-06-17 08:03:09 +10:00
mccurls
6363a319d2
Fixed Typo
2017-06-17 07:32:17 +10:00
mccurls
b34bf76fea
Adding GoAutoDial RCE module
2017-06-17 07:22:41 +10:00
William Webb
652e237131
add missing .to_binary_s calls
2017-06-16 13:39:04 -05:00
h00die
f008f2aa8f
working code
2017-06-16 08:24:54 -04:00
h00die
e005e51f05
some edits finished
2017-06-16 06:48:31 -04:00
thesubtlety
49d998f7d9
catch invalid tokens
2017-06-15 21:45:29 -04:00
Brent Cook
53253bfa37
Land #8558, Fix AMT scanner when parsing mangled HTML
2017-06-15 20:42:33 -05:00
thesubtlety
f4ffade406
add ability to specify API token instead of password
2017-06-15 21:05:53 -04:00
William Vu
5f74da9023
Move php_preamble before $ipaddr and $port
php_preamble contains a <?php tag now, so we need to move it to the top.
2017-06-15 19:50:57 -05:00
OJ
c634931f0d
Updated payload cached size after the python3 fix
2017-06-16 09:05:31 +10:00
Tim
9cf9d22bae
fix mmap return cmp
2017-06-16 06:26:40 +08:00
Pearce Barry
9d57197736
Land #8551, Update processmaker_exec module with workspace support
2017-06-15 17:12:35 -05:00
Brendan Coles
0e38823a8f
Add NNTP Login Utility scanner module
2017-06-15 20:25:40 +00:00
Tod Beardsley
49383f8f3a
Update and fix grammar to the CryptoLog module
After talking to the vendor, it appears that the PHP version of CryptoLog has been EOL'ed since 2009. It has since been replaced with an ASP.NET version, which, obviously, is no longer vulnerable to these PHP exposures.
2017-06-15 13:00:44 -05:00
h00die
46ffd250a0
module working and docs
2017-06-14 21:15:56 -04:00
William Vu
549f9e74d8
Fix AMT scanner for mangled HTML (no </p>)
Also stores proof using the correct :info for report_vuln (not :proof).
2017-06-14 16:54:32 -05:00
Mehmet Ince
c147779097
Add CVE number to the symantec-messaging-gateway-exec module
2017-06-14 23:07:58 +03:00
James Lee
c1372456e2
Land #8326, support LLMNR ANY responses
2017-06-14 14:01:44 -05:00
h00die
c35dffc648
first draft of oinkcode
2017-06-14 08:04:17 -04:00
James Lee
55f0edb732
Land #8491, fixes for service_persistence
2017-06-13 17:17:53 -05:00
Brendan Coles
0766f92013
Add option for workspace
2017-06-13 12:46:36 +00:00
Jeffrey Martin
cbbb57d1a5
Land #8526, Refactor QNAP and airOS modules for creds
2017-06-12 14:46:11 -05:00
William Vu
a40e7164d8
Refactor QNAP module for traditional creds
2017-06-12 14:41:58 -05:00
William Vu
bb9d1a6768
Land #8507, Riverbed SteelHead VCX file read
2017-06-12 10:39:48 -05:00
Pearce Barry
704a1218fa
Land #8498, store more specific credential wordpress_directory_traversal_dos
2017-06-12 10:13:52 -05:00
Pearce Barry
80e91e9de2
Minor fixups.
2017-06-12 09:51:30 -05:00
tkmru
93c4b3fffc
update CacheSize
2017-06-12 01:39:13 +09:00
tkmru
1862900aae
add error handling
2017-06-12 01:36:13 +09:00
tkmru
17d7bb0c64
add label and register value to comment
2017-06-11 20:38:47 +09:00
h00die
a349eb9a0d
fixes per peer review
2017-06-10 14:29:53 -04:00
Mehmet Ince
6ae540d889
Adding Symantec messaging gateway rce
2017-06-10 12:23:12 +03:00
OJ
c4288fb35a
Update branch to include changes from upstream/master
2017-06-09 17:18:57 +10:00
OJ
a3f3dc0a70
Upload payloads/mettle gems, update cache sizes
Updated both the metasploit-payload and metasploit-payload-mettle gems
to the versions that match for the session GUID pull requests. Updated
the payload cached sizes to match the new payloads.
2017-06-09 17:15:52 +10:00
Stephen Shkardoon (ss23)
a968a74ae0
Update ms17_010_eternalblue description and ranking.
The module has been noted to cause crashes, reboots, BSOD, etc, on
some systems.
2017-06-09 11:01:48 +12:00
Brent Cook
aa00661fd0
Land #8518, update CVE references where modules report_vuln
2017-06-08 13:38:12 -05:00
William Vu
3e20296cf5
Add service_details for SSH
2017-06-08 13:28:29 -05:00
William Vu
e22334343e
Use store_valid_credential in my modules
I used report_note because using the creds API was a pain in the ass.
2017-06-08 00:57:51 -05:00
OJ
eef82a501d
Add support for session GUIDs in mettle
2017-06-08 11:20:48 +10:00
bwatters-r7
99fa52e660
Land #8434, Add Windows 10 Bypassuac fodhelper module
2017-06-07 11:15:01 -05:00
Spencer McIntyre
834e0eba95
Land #8340, add exception handling for rev_tcp_ssl
2017-06-06 19:09:15 -04:00
Anderson
d641058f75
Added module to exploit ActiveMQ CVE-2016-3088
2017-06-06 11:33:42 -07:00
Jeffrey Martin
b932aae82e
reference typo fix
2017-06-06 11:50:07 -05:00
Brent Cook
bac17a8e80
Land #8053, Add DC/OS Marathon UI Exploit
2017-06-06 09:29:26 -05:00
NickTyrer
09e4974b99
removed whitespace at end of lines
2017-06-06 14:44:37 +01:00
NickTyrer
1831056010
updated disclosure date
2017-06-06 14:32:19 +01:00
Brent Cook
3ded57e1cd
Land #8516, add verbose debug to ntds dumper
2017-06-06 07:26:54 -05:00
Brent Cook
0830e4aaa5
Land #8503, Linux x86 reverse_tcp error handling
2017-06-06 06:36:55 -05:00
OJ
37b9cd07a2
Add support for the session GUID in the UI
The Session GUID will identify active sessions, and is the beginning of
work that will allow for tracking of sessions that have come back alive
after failing or switching transports.
2017-06-06 17:15:57 +10:00
Jeffrey Martin
1558db375d
update CVE reference in where modules report_vuln
2017-06-05 16:36:44 -05:00
David Maloney
42aa2e5acf
add some attempts at debugging to ntds
add some logging and more status outputs to the
NTDS domain hashdump. Also force the encoding on
strings to UTF8
2017-06-05 15:21:50 -05:00
bwatters-r7
f47cc1a101
Rubocop readability changes
2017-06-05 14:32:45 -05:00
Pearce Barry
bc3b883758
Add docs, fix typo, add missing report mixin to avoid error.
2017-06-05 13:49:59 -05:00
Brent Cook
a5805a55dc
make this a UDPScanner, rewrite
2017-06-05 12:39:48 -05:00
NickTyrer
994995671e
added wmi_persistence module
2017-06-05 17:44:37 +01:00
Pearce Barry
8c39c92245
Add description and loop capability.
2017-06-05 11:27:13 -05:00
Pearce Barry
a571834c4d
Initial commit of rpcbomb DoS aux module.
This just brings the code in as-is, next step is to update to use our mixins and such.
2017-06-05 10:23:39 -05:00
h00die
de86c5d991
add storing creds and loot name consistency
2017-06-04 17:46:43 -04:00
tkmru
737f7452ce
add my name to author
2017-06-04 04:42:45 +09:00
itsmeroy2012
39cee481c1
Making changes similar to the reverse_tcp payload
2017-06-03 22:57:59 +05:30
h00die
ea5db9a039
working module
2017-06-02 23:09:19 -04:00
William Vu
e7fa4c2d06
Land #8504, print_good for ipmi_dumphashes
2017-06-02 18:49:41 -05:00
tkmru
e175bcda08
update cachedSize
2017-06-03 08:37:18 +09:00
Dylan Davis
34e9b2c04b
Change ipmi_dumphashes to have non-verbose output, ever
2017-06-02 14:27:21 -06:00
Jeffrey Martin
2924318ca5
update java_rmi_server modules with CVE
2017-06-02 12:59:48 -05:00
Jeffrey Martin
d68365d8df
store more specific credential wordpress_directory_traversal_dos
2017-05-31 18:55:35 -05:00
Brendan Coles
218ec96009
Add IBM OpenAdmin Tool SOAP welcomeServer PHP Code Execution module
2017-05-31 13:00:35 +00:00
h00die
361cc2dbeb
fix newline issue and service call
2017-05-30 22:37:26 -04:00
h00die
f98b40d038
adds check on service writing before running it
2017-05-30 22:14:49 -04:00
Jeffrey Martin
0e145573fc
more httpClient modules use store_valid_credential
2017-05-30 14:56:05 -05:00
David Maloney
d5e74ffdf3
Merge branch 'master' into feature/eternal_blue/rubysmb_refactor
2017-05-30 13:59:31 -05:00
David Maloney
a5f910ea63
move trans2 conditional to case statement
this is cleaner as a case statement
2017-05-30 13:52:29 -05:00
David Maloney
b65c959347
limited port of the trans2 exploit packets
ported some of the Trans2 packets for EternalBlue
over to RubySMB, but there is so much jacked up about these
packets I'm not sure we can do much more here
2017-05-30 13:49:27 -05:00
William Vu
72ff4fbf48
Reword warning message, since it didn't make sense
2017-05-30 13:13:08 -05:00
William Vu
890d35cc30
Fix warning placement to be more helpful
2017-05-30 13:06:23 -05:00
David Maloney
e9ac3fce5a
update credential mode for EB exploit
EternalBlue can now just flat out take
credentials to authenticate with. If credentials
are not supplied then it will still do the
anonymous login.
2017-05-30 10:55:28 -05:00
wolfthefallen
9c93aae412
Removed self.class from register
2017-05-30 10:07:07 -04:00
wolfthefallen
bac23757a4
Updated based on busterb comments
2017-05-30 09:33:03 -04:00
Brent Cook
beb1cef835
rescue connection failure for netbios, suggest how to fix it
2017-05-30 08:06:39 -05:00
Brent Cook
ea6063138a
Land #8476, Implement VerifyArch for ETERNALBLUE
2017-05-30 00:31:32 -05:00
Brent Cook
a01a2ead1a
Land #8467, Samba CVE-2017-7494 Improvements
2017-05-30 00:15:03 -05:00
Brent Cook
28fb5cc7da
spelling
2017-05-30 00:14:33 -05:00
Brent Cook
e31e3fc545
add additional architectures and targets
2017-05-30 00:07:37 -05:00
William Vu
a781480e89
Add error handling to get_once
And check for specific ack result/reason for 32-bit.
2017-05-29 22:28:50 -05:00
William Vu
6e253a5be7
Use Rex::Proto::DCERPC::Response
2017-05-29 21:58:03 -05:00
h00die
5698896672
Land #8323 wordpress pre4.6 dos
2017-05-29 07:59:43 -04:00
William Vu
42b14a93b8
Add comments
2017-05-28 23:45:09 -05:00
William Vu
7a2944d113
Implement VerifyArch for ETERNALBLUE
2017-05-28 23:26:59 -05:00
h00die
8d3eebf394
Land #8473 aux admin tool to get scadabr creds from db
2017-05-28 20:09:47 -04:00
Brendan Coles
c811c6a8c0
Add PASS_FILE option
2017-05-28 23:26:51 +00:00
root
72a5142e37
Update directory traversal DoS module and docs
2017-05-29 00:30:23 +02:00
HD Moore
66f06cd4e3
Fix small typos in comments
2017-05-28 14:40:33 -05:00
Spencer McIntyre
4e29b6e5fd
Land #8275, add retry opts for py rev_tcp stager
2017-05-28 13:02:35 -04:00
itsmeroy2012
e02d726213
Setting default values to the added options
2017-05-28 14:30:30 +05:30
HD Moore
965915eb19
Fix typo, thanks!
2017-05-27 22:22:34 -05:00
Brendan Coles
8fce94b3cd
Add ScadaBR Credentials Dumper module
2017-05-28 01:24:53 +00:00
HD Moore
38491fd7ba
Rename payloads with os+libc, shrink array inits
2017-05-27 19:50:31 -05:00
HD Moore
f9ecdf2b4d
Add some bonus archs for interact mode
2017-05-27 17:26:50 -05:00
HD Moore
41253ab32b
Make msftidy happy
2017-05-27 17:17:20 -05:00
HD Moore
184c8f50f1
Rework the Samba exploit & payload model to be magic.
2017-05-27 17:03:01 -05:00
Brendan Coles
018e544295
Add VICIdial user_authorization Unauthenticated Command Execution module
2017-05-27 05:09:38 +00:00
HD Moore
78d649232b
Remove obsolete module options
2017-05-26 21:21:05 -05:00
HD Moore
123a03fd21
Detect server-side path, work on Samba 3.x and 4.x
2017-05-26 17:02:18 -05:00
HD Moore
eebfd9b7f2
Switch to the mixin-provided SMB share enumeration methods
2017-05-26 17:02:06 -05:00
David Maloney
ee5f37d2f7
remove nt trans raw sock op
don't send the nt transact packet as raw
socket data, instead use the client send_recv
method
2017-05-26 15:50:18 -05:00
William Webb
d4ba28a20b
Land #8457, Update multi/fileformat/office_word_macro to allow custom templates
2017-05-26 15:09:23 -05:00
David Maloney
f0f99ad479
nttrans packet setup correctly, everything broken
got the nttrans packet setup correctly but somewhere
along the line I broke the whole exploit wtf?
2017-05-26 14:54:46 -05:00
root
9b9d2f2345
Final version of configurable depth
2017-05-26 16:23:22 +02:00
root
33ddef9303
Add documentation, add configurable depth path
2017-05-26 16:14:03 +02:00
wchen-r7
162a660d45
Remove the old windows/fileformat/office_word_macro
windows/fileformat/office_word_macro.rb has been deprecated and
it should have been removed on March 16th.
If you want to create a Microsoft Office macro exploit, please
use the multi/fileformat/office_word_macro exploit instead, which
supports multiple platforms, and will support template injection.
2017-05-26 07:33:46 -05:00
wchen-r7
04a701dba5
Check template file extension name
2017-05-26 07:31:34 -05:00
HD Moore
072ab7291c
Add /tank (from ryan-c) to search path
2017-05-26 06:56:41 -05:00
Tim
1582d3a902
support i386
2017-05-26 15:55:42 +08:00
wchen-r7
2835c165d7
Land #8390, Add module to execute powershell on Octopus Deploy server
2017-05-25 17:33:07 -05:00
wchen-r7
330526af72
Update check method
2017-05-25 17:30:58 -05:00
William Vu
ae22b4ccf4
Land #8450, Samba is_known_pipename() exploit
2017-05-25 16:36:28 -05:00
HD Moore
1474faf909
Remove ARMLE for now, will re-PR once functional
2017-05-25 16:14:35 -05:00
HD Moore
2ad386948f
Small cosmetic typo
2017-05-25 16:10:37 -05:00
HD Moore
18a871d6a4
Delete the .so, add PID bruteforce option, cleanup
2017-05-25 16:03:14 -05:00
wchen-r7
ee13195760
Update office_word_macro exploit to support template injection
2017-05-25 15:53:45 -05:00
David Maloney
0b0e2f64ca
update SMB1 "Freehole" packet
the 'Freehole' packet is now generated with
RubySMB and sent by the client, rather than raw bytes
sent over the bare socket
2017-05-25 13:43:16 -05:00
nks
1a8961b5e3
fixed typo
2017-05-25 19:14:59 +02:00
David Maloney
bc8ad811aa
remove old anonymous login packet
we are now using the anonymous login from the
RubySMB client we no longer need this method to
manually build the packet
2017-05-25 10:49:42 -05:00
David Maloney
238052a18b
use RubySMB client echo
replaced the manually created echo packet
with the RubySMB client echo command
2017-05-25 10:47:14 -05:00
HD Moore
cf7cfa9b2c
Add check() implementation based on bcoles notes
2017-05-25 09:49:45 -05:00
Borja Merino
7077ac0523
Meterpreter Post-exploitation module to mount vmdk files
2017-05-25 11:47:04 +02:00
itsmeroy2012
92a1a3ecf7
Adding for loop instead of while, removing 'counter'
2017-05-25 15:09:34 +05:30
HD Moore
0520d7cf76
First crack at Samba CVE-2017-7494
2017-05-24 19:42:04 -05:00
David Maloney
4ffe666b52
improve the cred fallback
we might get a successful sessionsetup
but a failure on IPC$ due to anonymous access
2017-05-24 17:36:07 -05:00
David Maloney
4c02b7b13a
added credentialed fallback
if anonymous login is blocked, then the user can
supply credentials for the exploit to try as a fallback
2017-05-24 16:09:51 -05:00
David Maloney
dc67fcd5a8
use RubySMB for anonymous login
use the new anonymous login capabilities in
RubySMB
2017-05-24 15:40:05 -05:00
juushya
af4eafdf70
Updated module and doc
2017-05-24 06:33:08 +05:30
William Vu
e4ea618edf
Land #8419, ETERNALBLUE fixes (round two)
Hope I resolved the conflicts correctly.
2017-05-23 17:03:21 -05:00
William Vu
46eb6bdf62
Land #8399, ETERNALBLUE fixes (round one)
2017-05-23 16:51:19 -05:00
William Vu
f80c3aa3f4
Correct absolute path
2017-05-23 16:50:25 -05:00
bwatters-r7
461649ed34
Land #8378, Add check in archmigrate to prevent privdesc
2017-05-23 14:37:29 -05:00
Carter
c73e7673b1
Please the rubocop god
2017-05-23 15:13:55 -04:00
Carter
e945773576
Update archmigrate.rb
2017-05-23 14:40:42 -04:00
Matthew Daley
52363aec13
Add module for CVE-2017-8895, UAF in Backup Exec Windows agent
This module exploits a use-after-free vulnerability in the handling of
SSL NDMP connections in Veritas/Symantec Backup Exec's Remote Agent for
Windows. When SSL is re-established on a NDMP connection that previously
has had SSL established, the BIO struct for the connection's previous
SSL session is reused, even though it has previously been freed.
Successful exploitation will give remote code execution as the user of
the Backup Exec Remote Agent for Windows service, almost always
NT AUTHORITY\SYSTEM.
2017-05-24 00:18:20 +12:00
Tim
d333077308
osx meterpreter
2017-05-23 14:23:22 +08:00
Jeffrey Martin
b7b1995238
Land #8274, Wordpress admin upload `check`
2017-05-22 22:08:32 -05:00
Jeffrey Martin
5395d8f17c
update python stageless payload sizes
2017-05-22 18:21:13 -05:00
Jeffrey Martin
d69bfd509f
store the credential using the new store_valid_credential
2017-05-22 15:08:03 -05:00
amaloteaux
93bb47d546
msftidy fix
2017-05-22 19:27:15 +01:00
amaloteaux
092e7b96b8
typo
2017-05-22 17:27:50 +01:00
amaloteaux
74c08cebee
Add bypassuac fodhelper module for Windows 10
2017-05-22 17:25:17 +01:00
William Webb
467f1ce0ca
Land #8411, Buffer overflow in VXSearch Enterprise v9.5.12
2017-05-22 07:37:31 -05:00
Christian Mehlmauer
b5caeb29dd
only support for 32bit so far
2017-05-22 12:30:52 +02:00
HD Moore
036f063988
Fix a stack trace when no SMB response is received
2017-05-19 16:24:41 -05:00
Pearce Barry
a6f416e8df
Land #8290, Hwbridge Automotive Fix and Extension Enhancements
2017-05-19 13:46:54 -05:00
lincoln
b76229b5f7
removed unnecessary line
2017-05-18 19:15:49 -07:00
lincoln
7ca0fe5a68
Added make_junk function
2017-05-18 19:06:09 -07:00
James Lee
4def7ce6cc
Land #8327, Simplify storing credentials
2017-05-18 16:49:01 -05:00
Daniel Teixeira
c1624d0967
VX Search Enterprise GET Buffer Overflow
2017-05-18 17:12:47 +01:00
zerosum0x0
bdf121e1c0
x86 kernels will safely ret instead of BSOD
2017-05-17 23:48:14 -06:00
zerosum0x0
d944bdfab0
expect 0xC00000D
2017-05-17 23:05:20 -06:00
zerosum0x0
646ca14375
basic OS verification, ghetto socket read code
2017-05-17 22:48:45 -06:00
wchen-r7
c0bf2cc6e7
Land #8401, Buffer Overflow on Sync Breeze Enterprise 9.4.28
2017-05-17 23:39:50 -05:00
wchen-r7
3360171977
Land #8319, Add exploit module for Mediawiki SyntaxHighlight extension
2017-05-17 23:23:50 -05:00
James Lee
b78749bc1b
Land #8221, move autoroute
2017-05-17 15:17:45 -05:00
Daniel Teixeira
ad8788cc74
Update syncbreeze_bof.rb
2017-05-17 11:33:24 +01:00
Daniel Teixeira
5329ce56c4
Sync Breeze Enterprise GET Buffer Overflow
2017-05-17 10:53:28 +01:00
lincoln
2f39daafc5
Updated module removing hardcoded binary payload strings
-Used only necessary pointers needed for exploit to work removing junk/filler chars
-Replaced ROP chain with generic from msvcrt (even though original was beautiful and smaller, uses hardcoded pointers for leave instructions)
-Cannot use ropdb since 4 byte junk char during generation may result in InvalidByteSequenceError during UTF conversion
-It's been some years since my last pull request...so I might be a bit rusty to new Metasploit standards (please forgive me!)
2017-05-16 23:22:42 -07:00
William Webb
7e2dab4ddc
Land #8303, Buffer Overflow on Dupscout Enterprise v9.5.14
2017-05-17 01:04:59 -05:00
zerosum0x0
6fb4040d11
add core buffer dump for OS version
2017-05-16 23:18:39 -06:00
William Vu
1f4ff30adb
Improve 200 fail_with in wp_phpmailer_host_header
One. last. commit. Noticed this in the response body.
2017-05-16 22:38:36 -05:00
wchen-r7
11da7c7c81
Land #8394, Add Moxa Credential Recovery Module
2017-05-16 16:45:22 -05:00
wchen-r7
8025eb573a
Enforce check
Because we are not able to get our hands on the hardware for testing,
and that this module may trigger a backtrace if the UDP server isn't
Moxa, we force check to make sure that doesn't happen.
2017-05-16 16:43:22 -05:00
wchen-r7
77a9676efb
Land #8347, Add Serviio Media Server checkStreamUrl Command Execution
2017-05-16 16:20:39 -05:00
William Vu
6d81ca4208
Fix Array/String TypeError in ms17_010_eternalblue
2017-05-16 15:53:34 -05:00
William Vu
e24de5f110
Fix Class/String TypeError in ms17_010_eternalblue
2017-05-16 15:41:16 -05:00
James Lee
e3f4cc0dfd
Land #8345, WordPress PHPMailer Exim injection
CVE-2016-10033
2017-05-16 15:07:21 -05:00
wchen-r7
2d7f7f9aec
Pass msftidy
2017-05-16 15:05:12 -05:00
William Vu
29b7aa5b9b
Update fail_with for 200 (bad user?)
2017-05-16 15:03:42 -05:00
wchen-r7
e62fc3e93c
Land #8376, Add BuilderEngine 3.5 Arbitrary file upload & exec exploit
2017-05-16 14:53:32 -05:00
wchen-r7
631267480d
Update module description
2017-05-16 14:48:46 -05:00
wchen-r7
2ed8ae11b4
Add doc and make minor changes
2017-05-16 14:47:19 -05:00
William Vu
7c1dea2f02
Refactor prestager to work with newer Exim
Apparently it doesn't like reduce with extract.
2017-05-16 14:22:43 -05:00
William Vu
eff4914240
Land #8381, ETERNALBLUE exploit (to be continued)
2017-05-16 12:19:45 -05:00
zerosum0x0
53bb5a8440
Update ms17_010_eternalblue.rb
2017-05-16 10:43:43 -06:00
William Vu
7c2fb9acc1
Fix nil bug in Server header check
2017-05-16 10:43:04 -05:00
wchen-r7
20b682b2e4
Land #8391, fix a typo in vmware_enum_permissions module description
orts
2017-05-16 09:33:26 -05:00
Patrick DeSantis
4a0535c2d0
add moxa credential recovery module
2017-05-16 10:21:44 -04:00
William Vu
5fd6cb0890
Remove nil case, since response might be nil
It doesn't always return something. Forgot that.
2017-05-15 21:23:49 -05:00
William Vu
b41427412b
Improve fail_with granularity for 400 error
Also corrects BadConfig to NoTarget in another one of my modules. Oops.
2017-05-15 21:15:43 -05:00
h00die
b2f69e9018
spelling
2017-05-15 21:11:19 -04:00
William Vu
1a644cadc4
Add print_good to on_request_uri override
Maybe the ability to send prestagers will be a part of CmdStager in the
future, or maybe CmdStager will actually be able to encode for badchars.
2017-05-15 19:17:58 -05:00
james-otten
3c4dfee4f5
Module to execute powershell on Octopus Deploy server
This is not a bug, but a feature which gives users with the correct
permissions the ability to take over a host running Octopus Deploy.
During an automated deployment initiated by this module, a powershell
based payload is executed in the context of the Octopus Deploy server,
which is running as either Local System or a custom domain account.
This is done by creating a release that contains a single script step
that is run on the Octopus Deploy server. The said script step is
deleted after the deployment is started. Though the script step will
not be visible in the Octopus Deploy UI, it will remain in the server's
database (with lots of other interesting data).
Options for authenticating with the Octopus Deploy server include
username and password combination or an api key. Accounts are handled
by Octopus Deploy (stored in database) or Active Directory.
More information about Octopus Deploy:
https://octopus.com
2017-05-15 18:57:38 -05:00
William Vu
c4c55be444
Clarify why we're getting 400 and add fail_with
2017-05-15 18:53:36 -05:00
William Vu
489d9a6032
Drop module to AverageRanking and note 400 error
2017-05-15 17:35:40 -05:00
William Vu
2055bf8f65
Add note about PHPMailer being bundled
2017-05-15 14:29:11 -05:00
William Vu
35670713ff
Remove budding anti-patterns to avoid copypasta
While it offers a better OOBE, don't set a default LHOST. Force the user
to think about what they're setting it to. Also, RequiredCmd is largely
unnecessary and difficult to determine ahead of time unless the target
is a virtual appliance or something else "shipped."
2017-05-15 12:56:14 -05:00
Carter
5ee570bb9c
Fix non-uniform spelling and capitalization
2017-05-15 08:31:01 -04:00
zerosum0x0
cb4c700e62
fix typo
2017-05-14 21:52:36 -06:00
zerosum0x0
865a36068e
sleep fix and new shellcode
2017-05-14 21:45:19 -06:00
zerosum0x0
e3dcf0ab2d
added docs
2017-05-14 19:22:26 -06:00
zerosum0x0
9634f974dd
fix msftidy
2017-05-14 18:14:02 -06:00
zerosum0x0
fa79339432
eternalblue module
2017-05-14 18:11:41 -06:00
Spencer McIntyre
f39e378496
Land #8330, fix ps_wmi_exec and psh staging
2017-05-13 14:26:47 -04:00
Carter
ce7b967a13
Update archmigrate.rb
2017-05-13 13:35:48 -04:00
Carter
78b0fb00da
I committed to the wrong branch
2017-05-13 13:35:13 -04:00
Carter
0bd11062e4
Add SYSTEM check to archmigrate
2017-05-13 13:28:28 -04:00
itsmeroy2012
3a1ed19a42
Making use of StagerRetryConnect
2017-05-13 17:49:53 +05:30
William Vu
c622e3fc22
Deregister URIPATH because it's overridden by Path
2017-05-12 11:56:38 -05:00
William Vu
84af5d071d
Deregister VHOST because it's overridden by Host
2017-05-12 11:44:10 -05:00
Mzack9999
27e1de14b0
BuilderEngine 3.5 Arbitrary file upload and execution exploit
2017-05-12 18:37:08 +02:00
Brent Cook
7bcaaf33c7
Land #8294, gnome keyring post exploit credential dumper
2017-05-12 10:08:53 -05:00
Brent Cook
e9fcc3c291
msftidy fixes
2017-05-12 10:08:26 -05:00
Brent Cook
7355817329
Land #8371, Fix msftidy warnings for the WNR2000 module
2017-05-11 22:51:11 -05:00
Brent Cook
123462bdca
Land #8293, add initial multi-platform railgun support
2017-05-11 22:32:23 -05:00
h00die
af4505a9de
land #8009 post module for jboss creds gather
2017-05-11 22:39:54 -04:00
h00die
285857c23f
remove req msfcore
2017-05-11 22:39:41 -04:00
h00die
6fa51aee8f
moving docs to correct folder
2017-05-11 22:33:00 -04:00
William Vu
231510051c
Fix uri_str for exploit
2017-05-11 16:30:10 -05:00
William Vu
bee36ca90f
Fix edge case
2017-05-11 16:22:21 -05:00
William Vu
68f13808e7
Fix msftidy warnings for the WNR2000 module
2017-05-11 16:16:10 -05:00
William Vu
2ae943d981
Use payload common case instead of general case
Both x86 and x64 work on x64, but we really expect x64, and there's no
migration to move us from x86 to x64.
2017-05-11 15:43:49 -05:00
Brent Cook
e414bdb876
don't try to guess intent for specified default targets, leave auto-auto targeting to unspecified modules
2017-05-11 15:19:11 -05:00
Brent Cook
30c48deeab
msftidy and misc. fixups for Quest BoF module
2017-05-11 08:07:39 -05:00
William Webb
e8aed42ecd
Land #8223, Quest Privilege Manager pmmasterd Buffer Overflow
2017-05-11 00:44:19 -05:00
Josh Hale
843f148e62
One more yard doc function
2017-05-10 23:01:03 -05:00
Josh Hale
e84765c1c6
All functions have yard doc like comments
2017-05-10 23:01:03 -05:00
Josh Hale
c5391c2a64
Update cmd print to match core.rb
2017-05-10 23:01:03 -05:00
Josh Hale
10c7c3893a
Add subnet check for Android payloads
2017-05-10 23:01:03 -05:00
Josh Hale
c49bd9ee4e
Add session ready check
2017-05-10 23:01:03 -05:00
Josh Hale
97eaa83114
Update delete all routes
2017-05-10 23:01:03 -05:00
Josh Hale
f670fcddcb
Initial code cleanup and multi compatibility work
2017-05-10 23:01:02 -05:00
Brent Cook
099fc0176a
move autoroute to a more sensible location
2017-05-10 23:01:02 -05:00
Adam Cammack
18d95b6625
Land #8346, Templatize shims for external modules
2017-05-10 18:15:54 -05:00
William Vu
09f6c21f94
Add note about Host header limitations
2017-05-10 15:17:20 -05:00
William Vu
b446cbcfce
Add reference to Exim string expansions
2017-05-10 15:17:20 -05:00
William Vu
8842764d95
Add some comments about badchars
2017-05-10 15:17:20 -05:00
William Vu
ecb79f2f85
Use reduce instead of extracting twice
2017-05-10 15:17:20 -05:00
William Vu
b5f25ab7ca
Use extract instead of doubling /bin/echo
2017-05-10 15:17:20 -05:00
William Vu
9a64ecc9b0
Create a pure-Exim, one-shot HTTP client
2017-05-10 15:17:20 -05:00
William Vu
0ce475dea3
Add WordPress 4.6 PHPMailer exploit
2017-05-10 15:17:20 -05:00
James Lee
d00685a802
Don't run a DoS during wmap scans
2017-05-10 14:41:24 -05:00
Brendan Coles
42c7d64b28
Update style
2017-05-10 06:37:09 +00:00
Brent Cook
faf01ed5ef
Land #8353, add aux scanner for Intel AMT digest bypass
2017-05-09 18:45:21 -05:00
James Lee
72388a957f
Land #8355, IIS ScStoragePathFromUrl
See #8162
2017-05-09 11:06:01 -05:00
Christian Mehlmauer
2b4ace9960
convert to "screaming snake"
2017-05-09 09:30:45 +02:00
Brent Cook
cf487cc90c
reverse_ncat_ssl is stable
2017-05-08 17:43:34 -05:00
Brendan Coles
32dafb06af
Replace NoTarget with NotVulnerable
2017-05-08 22:29:44 +00:00
Christian Mehlmauer
f70b402dd9
add comment
2017-05-09 00:17:00 +02:00
Brent Cook
86365c89d1
Land #8352, style updates for lotus_domino_hashes
2017-05-08 17:11:44 -05:00
Christian Mehlmauer
806963359f
fix fail with condition
2017-05-08 23:47:48 +02:00
Christian Mehlmauer
f62ac6327d
add @rwhitcroft
2017-05-08 23:20:12 +02:00
Christian Mehlmauer
26373798fa
change rank
2017-05-08 23:07:12 +02:00
Christian Mehlmauer
962a31f879
change minimum length
2017-05-08 23:01:17 +02:00
Christian Mehlmauer
7dccb17834
auto extract values and implement brute forcing
2017-05-08 22:47:29 +02:00
Brent Cook
841f63ad20
make office_word_hta backward compat with older Rubies
2017-05-08 15:10:48 -05:00
Christian Mehlmauer
406a7f1ae2
Merge remote-tracking branch 'dmchell/dmchell-cve-2017-7269' into iis2
2017-05-08 21:51:51 +02:00
Brent Cook
fede672a81
further revise templates
2017-05-08 14:26:24 -05:00
HD Moore
f7ff840ef0
Add missing return, thanks bperry!
2017-05-08 14:08:59 -05:00
HD Moore
9392e48b72
Add a scanner for Intel AMT auth bypass (CVE-2017-5689)
2017-05-08 13:24:00 -05:00
Jeffrey Martin
a1efa30fa2
comments adjustments & enum better
2017-05-08 11:57:06 -05:00
William Vu
b794bfe5db
Land #8335, rank fixes for the msftidy god
2017-05-07 21:20:33 -05:00
Bryan Chu
88bef00f61
Add more ranks, remove module warnings
../vmware_mount.rb
Rank = Excellent
Exploit uses check code for target availability,
the vulnerability does not require user action,
and the exploit uses privilege escalation to run
arbitrary executables
../movabletype_upgrade_exec.rb
Rank = ExcellentRanking
Exploit utilizes code injection,
has a check for availability
../uptime_file_upload_2.rb
Rank = ExcellentRanking
Exploit allows execution of arbitrary commands,
has a check for availability
../zpanel_information_disclosure_rce.rb
Rank = ExcellentRanking
Exploit allows remote code execution,
implements version check for pChart
../spip_connect_exec.rb
Rank = ExcellentRanking
Exploit utilizes code injection,
has a check for availability
../wp_optimizepress_upload.rb
Rank = ExcellentRanking
Exploit allows execution of arbitrary code,
has a check for availability
../wing_ftp_admin_exec.rb
Rank = ExcellentRanking
Exploit allows execution of arbitrary commands,
has a check for availability
../novell_mdm_lfi.rb
Rank = ExcellentRanking
Exploit allows execution of arbitrary code,
has a check for availability
../run_as.rb
Rank = ExcellentRanking
Exploit utilizes command injection,
checks system type, and does not require user action
2017-05-07 15:41:26 -04:00
Pearce Barry
af3f1fbc37
Land #8332, Canprobe Module
2017-05-07 12:20:27 -05:00
Pearce Barry
c05e7b3b58
Minor corrections and a tweak to appease msftidy.
2017-05-07 11:55:20 -05:00
Pearce Barry
e3d3fa8e45
Tweak internal description formatting.
2017-05-07 11:31:36 -05:00
Pearce Barry
b965bdcdae
Appease msftidy and Travis.
2017-05-07 11:19:32 -05:00
m0t
ab245b5042
added note to description
2017-05-07 13:56:50 +01:00
m0t
4f12a1e271
added note to description
2017-05-07 13:54:28 +01:00
Brendan Coles
635a7a42e6
Update style lotus_domino_hashes
2017-05-07 16:37:48 +10:00
Jeffrey Martin
05bf16e91e
Land #8331 , Adding module CryptoLog Remote Code Execution
2017-05-05 18:24:14 -05:00
Jeffrey Martin
e2fe70d531
convert store_valid_credential to named params
2017-05-05 18:23:15 -05:00
Mehmet Ince
720a02f5e2
Addressing Spaces at EOL issue reported by Travis
2017-05-05 11:05:17 +03:00
Brendan Coles
0eacf64324
Add Serviio Media Server checkStreamUrl Command Execution
2017-05-05 07:54:00 +00:00
Mehmet Ince
58d2e818b1
Merging multiple sqli area as a func
2017-05-05 10:49:05 +03:00
Jeffrey Martin
63b6ab5355
simplify valid credential storage
2017-05-04 22:51:40 -05:00
darkbushido
81bcf2ca70
updating all LHOST to use the new opt type
2017-05-04 12:57:50 -05:00
Brent Cook
97095ab311
Land #8338 , Fix msf/core and self.class msftidy warnings
2017-05-03 21:55:52 -05:00
Brent Cook
2d93c8e2d6
merge, don't overwrite
2017-05-03 18:17:58 -05:00
Brent Cook
0798923901
set the correct schema for linux meterpreter reverse_tcp stages
2017-05-03 16:12:45 -05:00
William Vu
64452de06d
Fix msf/core and self.class msftidy warnings
...
Also fixed rex requires.
2017-05-03 15:44:51 -05:00
Mehmet Ince
d04e7cba10
Rename the module as well as title
2017-05-03 19:18:46 +03:00
Mehmet Ince
ae8035a30f
Fixing typo and using shorter sqli payload
2017-05-03 16:45:17 +03:00
Joe Testa
cf74cb81a7
Removed unnecessary 'msf/core' include.
2017-05-03 09:02:05 -04:00
Craig Smith
9877aa9ef9
Added documentation and cleaned up how STOPID worked
2017-05-02 18:57:32 -07:00
Mehmet Ince
db2a2ed289
Removing space at eof and self.class from register_options
2017-05-03 01:31:13 +03:00
Mehmet Ince
77acbb8200
Adding cryptolog rce
2017-05-03 01:05:40 +03:00
Craig Smith
3519adbaef
A basic CAN fuzzer. It probes the data regions of different CAN IDs.
...
The default is to use a set value but can iterate the full range. It can
also add padding if necessary. No checks on returns or results of fuzzing.
2017-05-02 14:19:29 -07:00
Adam Cammack
494711ee65
Land #8307 , Add lib for writing Python modules
2017-05-02 15:53:13 -05:00
Yorick Koster
6870a48c48
Code suggestion from @jvoisin
2017-05-02 16:41:06 +02:00
Joe Testa
012081eed2
Added support for ANY queries. Silently ignore unsupported queries instead of spamming stdout.
2017-05-01 17:28:56 -04:00
William Vu
03e4ee91c2
Correct Ghostscript 9.2.1 to 9.21 as per advisory
2017-05-01 16:23:14 -05:00
William Vu
41ef1a4e90
Land #8325 , cmd/unix/reverse_ncat_ssl payload
2017-05-01 14:54:52 -05:00
C_Sto
772a16f4cd
fix style
2017-05-02 00:55:57 +08:00
C_Sto
9e06c3f07e
fix argument arrangement
2017-05-02 00:39:00 +08:00
C_Sto
5a2afbc364
Tidy payload
2017-05-01 21:38:34 +08:00
Yorick Koster
006ed42248
Added fix information
...
https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000209.html
2017-05-01 09:01:14 +02:00
C_Sto
cfa204b8e8
add reverse ncat ssl
2017-05-01 06:57:28 +08:00
reanar
0b62a6478a
Modification for Travis (remove require msf/core, and self.class in register)
2017-04-30 17:05:11 +02:00
reanar
3f348150c6
Modification of description
2017-04-30 16:38:39 +02:00
reanar
52ec448511
Add WordPress Directory Traversal DoS Module
2017-04-30 15:03:48 +02:00
Yorick Koster
673dbdc4b9
Code review feedback from h00die
2017-04-29 20:37:39 +02:00
Yorick Koster
fcf14212b4
Fixed disclosure date
2017-04-29 16:25:25 +02:00
Yorick Koster
f9e7715adb
Fixed formatting
2017-04-29 16:07:45 +02:00
Yorick Koster
1569d2cf8e
MediaWiki SyntaxHighlight extension exploit module
...
This module exploits an option injection vulnerability in the SyntaxHighlight extension of MediaWiki. It tries to create & execute a PHP file in the document root. The USERNAME & PASSWORD options are only needed if the Wiki is configured as private.
2017-04-29 14:29:56 +02:00
Brandon Knight
c4b3ba0d14
Actually removing msf/core this time... ><
...
Helps to actually remove the bits that were failing. Now with even more
removal of msf/core!
2017-04-28 21:42:06 -04:00
Brandon Knight
ff263812fc
Fix msftidy warnings
...
Remove explicitly loading msf/core and self.class from the register_
functions.
2017-04-28 21:26:53 -04:00
HD Moore
afc804fa03
Quick Ghostscript module based on the public PoC
2017-04-28 09:56:52 -05:00
Brandon Knight
f8fb03682a
Fix issue in ps_wmi_exec and powershell staging
...
The staging function in the post/windows/powershell class was broken
in a previous commit as the definition for env_variable was removed and
env_prefix alone is now used. This caused an error to be thrown when
attempting to stage the payload. This changes the reference from
env_variable to env_prefix.
Additionally, the ps_wmi_exec module created a powershell script to be
run that was intended to be used with the EncodedCommand command line
option; however the script itself was never actually encoded. This
change passes the compressed script to the encode_script function to
resolve that issue.
2017-04-28 03:31:56 -04:00
Sara Perez
18fa411189
Updated with Egypt's suggestion, also changed the target name to include other versions
2017-04-27 13:19:44 +01:00
itsmeroy2012
cd73bd137a
Making use of while loop and solving StagerRetryWait issue
2017-04-27 11:50:13 +05:30
William Vu
1a402ed1d8
Add arch to smb_ms17_010 DOUBLEPULSAR detection
2017-04-26 20:59:13 -05:00
Brent Cook
037fdf854e
move common json-rpc bits to a library
2017-04-26 18:08:08 -05:00
Brent Cook
480a0b4273
update payload sizes
2017-04-26 18:02:14 -05:00
Brent Cook
a60e5789ed
update mettle->meterpreter references in modules
2017-04-26 17:55:10 -05:00
Brent Cook
078ba66e5f
remove unneeded msf/core requires
2017-04-26 17:17:20 -05:00
Brent Cook
353191992f
move mettle payloads to meterpreter, add reverse_http/s stageless
2017-04-26 17:06:34 -05:00
Brent Cook
f8792956ee
fix one module for testing
2017-04-26 16:21:13 -05:00
Daniel Teixeira
a3a4ba7605
Buffer Overflow on Dup Scout Enterprise v9.5.14
2017-04-26 15:19:00 +01:00
Spencer McIntyre
da6c03d13f
Fix function names to always be snake_case
2017-04-26 09:30:29 -04:00
William Vu
bbee7f86b5
Land #8263 , Mercurial SSH exec module
2017-04-26 01:38:01 -05:00
William Vu
f60807113b
Clean up module
2017-04-26 01:37:49 -05:00
anhilo
56685bbfaa
Update office_word_hta.rb
2017-04-26 11:05:21 +08:00
Spencer McIntyre
a3bcd20b26
Minor cleanups for multi-platform railgun
2017-04-25 17:45:07 -04:00
William Vu
5476f6066c
Land #8271 , DOUBLEPULSAR detection for MS17-010
2017-04-25 16:31:39 -05:00
Craig Smith
4019a14865
The local HWBridge now does not print out status for each URI request by default. This can be enabled by setting verbose to true.
...
Signed-off-by: Craig Smith <agent.craig@gmail.com>
2017-04-24 20:42:03 -07:00
Craig Smith
5537348e28
Adds Statistics support from the API. When typing status in a hardware bridge it will also print packet statistics.
...
Signed-off-by: Craig Smith <agent.craig@gmail.com>
2017-04-24 20:42:03 -07:00
wchen-r7
320898697a
Land #8266 , Add Buffer Overflow Exploit on Disk Sorter Enterprise
2017-04-24 17:17:30 -05:00
wchen-r7
1d86905fca
Land #8288 , Minor changes to WiPG-1000 module
2017-04-24 17:09:25 -05:00
wchen-r7
e333cb65e5
Restore require 'msf/core'
2017-04-24 17:09:02 -05:00
wchen-r7
c573628e10
Fix header
2017-04-24 17:01:35 -05:00
wchen-r7
e775f9ccbd
Land #8259 , Add post module to upload and execute a file
2017-04-24 17:00:55 -05:00
Matthias Brun
d3aba846b9
Make minor changes
2017-04-24 23:35:36 +02:00
wchen-r7
5bbb4d755a
Land #8254 , Add CVE-2017-0199 - Office Word HTA Module
2017-04-24 16:05:00 -05:00
wchen-r7
6029a9ee2b
Use a built-in HTA server and update doc
2017-04-24 16:04:27 -05:00
zerosum0x0
55f01d3fc7
made the plugin less spammy with more vprintf
2017-04-24 13:33:05 -06:00
zerosum0x0
453ca6e3bf
added OS printing on vulnerable systems
2017-04-24 13:20:44 -06:00
Daniel Teixeira
47898717c9
Minor documentation improvements
...
Space after ,
2017-04-24 14:47:25 +01:00