Commit Graph

1091 Commits (bddf5edcf10de5a43654d9372e564e1ada01acb7)

Author SHA1 Message Date
sinn3r 4b06334455 Minor title change for mssql_enum_domain_accounts_sqli
We don't really do "-" for naming

Kind of stands up on a list
2014-12-05 11:42:08 -06:00
Pedro Ribeiro e5bdf225a9 Update netflow_file_download.rb 2014-12-04 21:32:19 +00:00
Tod Beardsley 79f2708a6e
Slight fixes to grammar/desc/whitespace
Note that the format_all_drives module had a pile of CRLFs that should
have been caught by msftidy. Not sure why it didn't.
2014-12-04 13:11:33 -06:00
jvazquez-r7 ff30a272f3 Windows paths need 2 backslashes 2014-11-30 18:54:41 -06:00
jvazquez-r7 223bc340e4 Prepend peer 2014-11-30 18:46:15 -06:00
jvazquez-r7 5ad3cc6296 Make FILEPATH mandatory 2014-11-30 18:45:23 -06:00
jvazquez-r7 b1b10cf4e5 Use Rex::ConnectionError 2014-11-30 18:44:25 -06:00
jvazquez-r7 a549cbbef8 Beautify metadata 2014-11-30 18:44:03 -06:00
Pedro Ribeiro 26d9ef4edd Explain about Windows back slashes on option 2014-11-30 00:15:44 +00:00
Pedro Ribeiro 2fb38ec7bb Create exploit for CVE-2014-5445 2014-11-30 00:12:37 +00:00
jvazquez-r7 5f4760c58e Print final results in a table 2014-11-25 14:01:29 -06:00
jvazquez-r7 d998d97aaa Refactor build_user_sid 2014-11-25 13:58:47 -06:00
jvazquez-r7 aad860a310 Make conditional easier 2014-11-25 13:54:08 -06:00
jvazquez-r7 ba57bc55b0 Don't report service 2014-11-25 13:52:22 -06:00
jvazquez-r7 059b0e91da Don't report service
* The mssql could be in a third host, not rhost
2014-11-25 13:50:42 -06:00
jvazquez-r7 b467bda2d6 Reuse local variable 2014-11-25 13:49:24 -06:00
jvazquez-r7 31a84ef6ff Make ternary operator more readable 2014-11-25 13:44:50 -06:00
jvazquez-r7 be566e5ad3 Use a lower fuzz number by default 2014-11-25 13:42:47 -06:00
jvazquez-r7 cd43f83cd7 Delete unnecessary comments
* No need to comment every step, just relevant
comments to undrestad code.
2014-11-25 13:40:57 -06:00
jvazquez-r7 f93dbc6deb Use the target domain name 2014-11-25 13:36:48 -06:00
jvazquez-r7 7c87603b0e Add progress information 2014-11-25 13:23:36 -06:00
jvazquez-r7 8e5b37ea6e Fix reporting 2014-11-25 13:20:31 -06:00
jvazquez-r7 93539ae4c6 Use shorter variable name 2014-11-25 13:04:31 -06:00
jvazquez-r7 271f982f34 Use peer 2014-11-25 13:03:48 -06:00
jvazquez-r7 c549508abb Use vprint 2014-11-25 13:03:18 -06:00
jvazquez-r7 249fb79a21 Fix print_* calls 2014-11-25 13:02:53 -06:00
jvazquez-r7 87cfd7c321 Dont use disconnect 2014-11-25 13:00:53 -06:00
jvazquez-r7 fb8372f505 Fix metadata 2014-11-25 12:59:11 -06:00
jvazquez-r7 71f35f5cd6 Update from upstream master 2014-11-25 12:46:44 -06:00
nullbind 4bd579bc1c added mssql_enum_domain_accounts_sqli 2014-11-25 09:57:20 -06:00
jvazquez-r7 343a0d78bc Delete admin check 2014-11-24 12:28:19 -06:00
jvazquez-r7 7164c4e038 Use shorter filename 2014-11-24 12:10:08 -06:00
jvazquez-r7 021b27dd83 Clean reporting 2014-11-24 12:01:09 -06:00
jvazquez-r7 f74ab34881 Delente unnecessary check 2014-11-24 11:50:41 -06:00
jvazquez-r7 3c858c793a Use vprint 2014-11-24 11:49:36 -06:00
jvazquez-r7 4a169210ab Use vprint 2014-11-24 11:48:16 -06:00
jvazquez-r7 ecb74c543a Beautify description 2014-11-24 11:27:32 -06:00
jvazquez-r7 c52104e91d Beautify metadata 2014-11-24 11:24:41 -06:00
jvazquez-r7 fcb4bea3c1 Fix code comments 2014-11-24 11:23:27 -06:00
jvazquez-r7 10d0305cb2 Update from upstream master 2014-11-24 09:48:43 -06:00
jvazquez-r7 fb4b6543e2 Handle other rex exceptions 2014-11-18 15:57:41 -06:00
nullbind 8c34f35ca9 added mssql_enum_windows_domain_accounts.rb 2014-11-17 13:03:43 -06:00
Jon Hart 9e2513d4de Update solaris_kcms_readfile to gracefully handle RPC errors 2014-11-17 10:41:17 -08:00
Tod Beardsley e2dc862121
Fix newly introduced typo. 2014-11-13 14:53:57 -06:00
Tod Beardsley dd1920edd6
Minor typos and grammar fixes 2014-11-13 14:48:23 -06:00
jvazquez-r7 f081ede2aa Land #4155, @pedrib's module for CVE-2014-8499
* Password Manager Pro privesc + password disclosure
2014-11-12 23:56:26 -06:00
Pedro Ribeiro 9df31e950f Add OSVDB id 2014-11-12 21:32:33 +00:00
jvazquez-r7 70589668c2 Really land the #4130 module 2014-11-12 09:39:01 -06:00
jvazquez-r7 ece8013d7a Use #empty? 2014-11-12 09:35:06 -06:00
jvazquez-r7 f048463ed6 Do minor fixupts
* Delete peer method
* Make verifications more strict
2014-11-12 09:33:49 -06:00
jvazquez-r7 a5c87db65e Do minor cleanup
* Beautify description
* Use double quotes for interpolation
2014-11-12 09:29:53 -06:00
jvazquez-r7 e1164d3e14 Use snake_case on filename 2014-11-12 09:26:47 -06:00
jvazquez-r7 01fda27264 Fix title 2014-11-11 11:15:53 -06:00
jvazquez-r7 a588bfd31a Use single quotes 2014-11-11 09:56:46 -06:00
jvazquez-r7 77c8dc2b64 Dont return nil from 'run' 2014-11-11 09:39:08 -06:00
jvazquez-r7 fb309aae11 Use a Fixnum as FuzzInt default value 2014-11-11 09:36:53 -06:00
jvazquez-r7 f6762b41b6 Use random fake db name 2014-11-11 09:35:51 -06:00
jvazquez-r7 94c353222d Do small cosmetic changes 2014-11-11 09:31:57 -06:00
jvazquez-r7 e9e5869951 update from master 2014-11-11 09:24:33 -06:00
jvazquez-r7 091da05a86 update from master 2014-11-10 22:59:44 -06:00
jvazquez-r7 cac6494427 Use snake_case in filename 2014-11-10 16:58:46 -06:00
jvazquez-r7 2c33642de8 Do minor cleanup 2014-11-10 16:57:57 -06:00
jvazquez-r7 12ae8b3ec6 update from master 2014-11-10 16:19:26 -06:00
nullbind 493b81d874 cleanup 2014-11-10 15:22:21 -06:00
nullbind 31fa57fcb2 mssql_enum_sql_logins 2014-11-10 15:19:55 -06:00
Scott Sutherland d543b16cc1 Added mssql_enum_sql_logins.rb 2014-11-10 15:02:46 -06:00
Scott Sutherland ea226f7482 Update mssql_enum_sql_logins.rb 2014-11-10 15:02:14 -06:00
nullbind 74344e9295 added mssql_enum_sql_logins 2014-11-10 13:42:52 -06:00
jvazquez-r7 4b701700c1 Fix banner 2014-11-10 12:40:53 -06:00
jvazquez-r7 65dbb1a83f Do print_status 2014-11-10 11:26:53 -06:00
jvazquez-r7 7aed1e9581 Create loot_passwords method 2014-11-10 11:21:44 -06:00
jvazquez-r7 92df11baa7 Create report_super_admin_creds method 2014-11-10 11:16:25 -06:00
jvazquez-r7 8f17011909 do run clean up
* Reduce code complexity
* Don't report not valid administrator credentials
2014-11-10 11:12:04 -06:00
jvazquez-r7 635df2f233 Fail with NoAccess 2014-11-10 09:50:26 -06:00
jvazquez-r7 9c033492d2 Fix indentation 2014-11-10 09:48:22 -06:00
jvazquez-r7 2236518694 Check res.body before accessing #to_s 2014-11-10 09:47:05 -06:00
jvazquez-r7 8b8ab61e3d Favor && over and 2014-11-10 09:45:12 -06:00
jvazquez-r7 ee4924582a Use target_uri 2014-11-10 09:43:44 -06:00
jvazquez-r7 8ddd6a4655 Redefine RPORT having into account it is builtin 2014-11-10 09:42:30 -06:00
jvazquez-r7 eb36a36272 Change title 2014-11-10 09:40:22 -06:00
Pedro Ribeiro b3c27452cd Add full disclosure URL 2014-11-09 10:40:41 +00:00
Pedro Ribeiro f680b666c7 Add github adv URL 2014-11-08 11:29:36 +00:00
Pedro Ribeiro 143033f657 Rename manageengine_pmp_sadmin.rb to manageengine_pmp_privesc.rb 2014-11-08 11:28:04 +00:00
Pedro Ribeiro 2843437ca9 Create exploit for CVE-2014-8499 2014-11-08 11:24:50 +00:00
nullbind 56a02fdb4a added mssql_escalate_executeas_sqli.rb 2014-11-04 13:38:13 -06:00
nullbind 15119d2a0f comment fix-sorry 2014-11-04 09:07:08 -06:00
nullbind f108d7b20a fixed code comment 2014-11-04 08:51:27 -06:00
nullbind fbe3adcb4c added mssql_escalate_executeas module 2014-11-03 11:29:15 -06:00
jvazquez-r7 b990b14a65
Land #3771, @us3r777's deletion of jboss_bshdeployer STAGERNAME option 2014-10-27 18:09:35 -05:00
scriptjunkie 4dfbce425a use vprintf... 2014-10-26 09:20:32 -05:00
scriptjunkie c31fb0633d Merge branch 'wp-psexeccmd' of github.com:webstersprodigy/metasploit-framework into webstersprodigy-wp-psexeccmd 2014-10-26 09:05:25 -05:00
jvazquez-r7 00f137cdcf
Land #4040, @nullbind's MS SQL privilege escalation through SQLi 2014-10-20 16:23:50 -05:00
jvazquez-r7 acc590b59c Modify metadata 2014-10-20 16:22:10 -05:00
jvazquez-r7 1381c7fb37 Modify title 2014-10-20 16:17:47 -05:00
jvazquez-r7 323680c31a Clean code 2014-10-20 16:17:06 -05:00
HD Moore 935a23296d
Updates to NAT-PMP, lands #4041 2014-10-20 11:26:26 -05:00
nullbind 036d43ba37 fixed logic bug 2014-10-19 20:56:29 -05:00
nullbind 1e2f1eaee0 cleaning up 2014-10-18 12:00:11 -05:00
URI Assassin 35d3bbf74d
Fix up comment splats with the correct URI
See the complaint on #4039. This doesn't fix that particular
issue (it's somewhat unrelated), but does solve around
a file parsing problem reported by @void-in
2014-10-17 11:47:33 -05:00
nullbind bf92769ba2 added mssql_escalate_dbowner_sqli 2014-10-17 10:25:20 -05:00
Jon Hart 8fdae8fbfb Move protocol and lifetime to mixin, use correct map_target if CHOST 2014-10-16 13:24:17 -07:00
Jon Hart 07f2d4dafe
Further improvements to NAT-PMP. Faster, more useful, less not useful 2014-10-15 06:39:38 -07:00
Jon Hart ea6824c46f WIP of NAT-PMP rework 2014-10-14 14:20:24 -07:00
jvazquez-r7 3305b1e9c3
Land #3984, @nullbind's MSSQL privilege escalation module 2014-10-09 11:39:15 -05:00
jvazquez-r7 10b160bedd Do final cleanup 2014-10-09 11:38:45 -05:00
jvazquez-r7 bbe435f5c9 Don't rescue everything 2014-10-09 11:25:13 -05:00
jvazquez-r7 0cd7454a64 Use default value for doprint 2014-10-09 11:04:42 -05:00
jvazquez-r7 db6f6d4559 Reduce code complexity 2014-10-09 10:59:14 -05:00
jvazquez-r7 615b8e5f4a Make easy method comments 2014-10-09 10:48:00 -05:00
jvazquez-r7 dd03e5fd7d Make just one connection 2014-10-09 10:46:51 -05:00
nullbind 168f1e559c fixed status 2014-10-08 21:19:50 -05:00
nullbind 3ebcaa16a1 removed scanner 2014-10-08 21:18:56 -05:00
nullbind 031fb19153 requested updates 2014-10-06 23:52:30 -05:00
Christian Mehlmauer f45b89503d change WPVULNDBID to WPVDB 2014-10-03 17:13:18 +02:00
Christian Mehlmauer 33b37727c7 Added wpvulndb links 2014-10-02 23:03:31 +02:00
Tod Beardsley 4fbab43f27
Release fixes, all titles and descs 2014-10-01 14:26:09 -05:00
Christian Mehlmauer b266233e95 fix bug 2014-09-30 00:21:52 +02:00
Christian Mehlmauer c51c19ca88 bugfix 2014-09-27 14:56:34 +02:00
Christian Mehlmauer 9a424a81bc fixed bug 2014-09-27 13:46:55 +02:00
Christian Mehlmauer 1c30c35717 Added WordPress custom_contact_forms module 2014-09-27 13:42:49 +02:00
nullbind ebf4e5452e Added mssql_escalate_dbowner module 2014-09-26 10:29:35 -05:00
Thomas Ring 81406defed hopefully what you are looking for this time 2014-09-23 11:36:13 -05:00
sinn3r 2a714a7c4d Fix a typo
Downloading and deleting are two very different things. Thanks Dan.
2014-09-21 18:35:26 -05:00
us3r777 2ae23bbe99 Remove STAGERNAME option
This option wasn't really required, the stager can be removed as
soon as the WAR is deployed. This commit does the modifications needed
to remove the stager right after the WAR deployment.
2014-09-09 21:44:08 +02:00
Tod Beardsley 4abee39ab2
Fixup for release
Ack, a missing disclosure date on the GDB exploit. I'm deferring to the
PR itself for this as the disclosure and URL reference.
2014-09-08 14:00:34 -05:00
jvazquez-r7 c86d01a667 Fix win.ini signature 2014-09-07 01:46:38 -05:00
sinn3r 44b9dc9b28 Update tmlisten_traversal 2014-09-06 01:18:11 -05:00
sinn3r cb490fc00e [SeeRM #8836] Change boot.ini to win.ini 2014-09-04 17:03:21 -05:00
jvazquez-r7 185ce36859
Land #3701, @wchen-ru's AppleTV modules 2014-09-03 12:30:50 -05:00
jvazquez-r7 10dee28fbd Add http socket to the module sockets and allow the framework to cleanup 2014-09-03 12:01:48 -05:00
sinn3r 5acbcc80e2 no threading 2014-09-03 11:37:30 -05:00
Thomas Ring fbae68870c cleanup one stray comment 2014-08-29 10:57:51 -05:00
Thomas Ring 4c93cbc62c changes based on feedback, added timeout error message 2014-08-29 10:57:20 -05:00
sinn3r f7091d854e Add a timeout 2014-08-28 22:26:38 -05:00
Thomas Ring 67efa76fc4 changes based on feedback 2014-08-27 09:08:18 -05:00
Jon Hart 5c57f9b4eb Don't overload RPORT/LPORT for mapping external -> internal ports 2014-08-26 10:49:53 -07:00
Jon Hart 162508f532 Update NAT-PMP modules to use new/updated mixins 2014-08-26 10:49:53 -07:00
Jon Hart 816404bb88 Move common NAT-PMP functionality into a central place 2014-08-26 10:49:53 -07:00
sinn3r 463815d240 Add AppleTV modules (imge, video and login) 2014-08-25 15:24:41 -05:00
Thomas Ring e23acf8d82 fix for oracle_login not checking connection status and stopping on timeout 2014-08-25 14:57:45 -05:00
Tod Beardsley 6d9833e32b
Minor pre-release updates with descriptions 2014-08-25 13:34:45 -05:00
Tod Beardsley 03a1f4455d
No need to escape single quotes in %q{} strigns 2014-08-25 13:03:33 -05:00
jvazquez-r7 0737d0dbd5 Refactor auxiliary module 2014-08-22 17:05:45 -05:00
jvazquez-r7 9ef09a7725 Pass msftidy 2014-08-22 13:24:59 -05:00
jvazquez-r7 38e6576990 Update 2014-08-22 13:22:57 -05:00
Tod Beardsley 08bb815bd8
Add Yokogawa unauth admin module 2014-08-09 13:30:10 -05:00
jvazquez-r7 ed97751ead
Land #2999, @j0hnf's modifiction to check_dir_file to handle file: 2014-08-04 11:55:18 -05:00
jvazquez-r7 cd45ed0e0a Handle exceptions when connecting the SMBHSARE 2014-08-04 11:54:30 -05:00
jvazquez-r7 85b5c5a691 Refactor check_path 2014-08-04 11:48:13 -05:00
jvazquez-r7 1e29bef51b Fix msftidy warnings 2014-08-04 11:46:27 -05:00
jvazquez-r7 04bf0b4ab6 Fix forgotten comma 2014-08-04 11:34:12 -05:00
us3r777 cd2e225359 Refactored auxilliary jboss_bshdeployer
Switch modules/auxiliary/admin/http/jboss_bshdeployer.rb to use the
changes.
2014-08-02 11:10:49 +02:00
us3r777 9e9244830a Added spec for lib/msf/http/jboss
Also renamed get_undeploy_bsh and get_undeploy_stager to
gen_undeploy_bsh and gen_undeploy_stager to be consistent
with the other functions
2014-07-29 01:57:04 +02:00
us3r777 cd2ec0a863 Refactored jboss mixin and modules
Moved fail_with() from mixin to modules. Added PACKAGE datastore to
lib/msf/http/jboss/bsh.rb.
2014-07-24 22:58:58 +02:00
us3r777 b526fc50f8 Refactored jboss mixin and modules
Moved VERB option to the mixin. Replaced "if datastore['VERBOSE']"
by vprint_status().
2014-07-22 23:08:42 +02:00
us3r777 ae2cd63391 Refactored Jboss mixin
Moved TARGETURI option to the JBoss mixin. The mixin now includes
Msf::Exploit::Remote::HttpClient which provides USERNAME and PASSWORD
2014-07-21 23:41:58 +02:00
us3r777 088f208c7c Added auxiliary module jboss_bshdeployer
The module allows to deploy a WAR (a webshell for instance) using the
BSHDeployer.
Also refactored modules/exploits/multi/http/jboss_bshdeployer.rb to
use the new Mixin (lib/msf/http/jboss).
2014-07-18 11:51:46 +02:00
William Vu ff6c8bd5de
Land #3479, broken sock.get fix 2014-07-16 14:57:32 -05:00
William Vu b6ded9813a
Remove EOL whitespace 2014-07-16 14:56:34 -05:00
jvazquez-r7 8937fbb2f5 Fix email format 2014-07-11 12:45:23 -05:00
HD Moore 90eccefcc8 Fix sock.get use and some minor bugs 2014-06-28 16:17:15 -05:00
HD Moore 5e900a9f49 Correct sock.get() to sock.get_once() to prevent indefinite hangs/misuse 2014-06-28 16:06:46 -05:00
HD Moore 3868348045 Fix incorrect use of sock.get that leads to indefinite hang 2014-06-28 15:48:58 -05:00
Tod Beardsley 0219c4974a
Release fixups, word choice, refs, etc. 2014-06-23 11:17:00 -05:00
Spencer McIntyre 61f4c769eb
Land #3461, Chromecast factory reset module 2014-06-21 17:43:31 -04:00
William Vu 79bf80e6bf
Add generic error handling
Just in case a factory reset happens to fail.
2014-06-21 15:35:03 -05:00
William Vu 075eec39e1
Add Chromecast factory reset module 2014-06-18 10:04:17 -05:00
j0hnf 1a82a20c09 re-added incorrectly removed SMBSHARE option 2014-06-16 20:10:11 +01:00
William Vu cb91b2b094
Fix broken table indent (s/Ident/Indent/ hash key) 2014-06-12 13:41:44 -05:00
Tod Beardsley 1aa029dbed
Avoid double quotes in the initialize/elewhere
There is no need to have double quotes there for uninterpolated strings,
and every other module uses single quotes.
2014-06-12 13:20:59 -05:00
William Vu 6ca5cf6c26
Add Chromecast YouTube remote control 2014-06-11 00:08:08 -05:00
jvazquez-r7 8a9c005f13 Add URL 2014-05-20 17:43:07 -05:00
Tod Beardsley 0ef2e07012
Minor desc and status updates, cosmetic 2014-05-19 08:59:54 -05:00
jvazquez-r7 2012d41b3d Add origin of the user, and mark web users 2014-05-16 13:51:42 -05:00
jvazquez-r7 4143474da9 Add support for web databases 2014-05-16 11:47:01 -05:00
jvazquez-r7 883d2f14b5 delete debug print_status 2014-05-16 11:13:03 -05:00
jvazquez-r7 ea38a2c6e5 Handle ISO-8859-1 special chars 2014-05-16 11:11:58 -05:00
jvazquez-r7 c9465a8922 Rescue when the recovered info is in a format we can't understand 2014-05-16 08:57:59 -05:00
jvazquez-r7 7ec85c9d3a Delete blank lines 2014-05-16 01:03:04 -05:00
jvazquez-r7 9091ce443a Add suport to decode passwords 2014-05-16 00:59:27 -05:00
jvazquez-r7 5b3bb8fb3b Fix @FireFart's review 2014-05-14 09:00:52 -05:00
jvazquez-r7 a7075c7e08 Add module for ZDI-14-077 2014-05-13 14:17:59 -05:00
Christian Mehlmauer 3f3283ba06
Resolved some msftidy warnings (Set-Cookie) 2014-05-12 21:23:30 +02:00
nodeofgithub b80d366bb7 Add filter to output WPA-PSK password on Netgear DG834GT 2014-04-26 15:52:31 +02:00
Tod Beardsley 9035d1523d
Update wol.rb to specify rhost/rport directly
- [ ] Fire up tcpdump on the listening interface
 - [ ] Run the module and see the pcap:

listening on vmnet8, link-type EN10MB (Ethernet), capture size 65535
bytes
20:56:02.592331 IP 192.168.145.1.41547 > 255.255.255.255.9: UDP, length
102
2014-04-14 20:57:20 -05:00
jvazquez-r7 d83f665466 Delete commas 2014-03-25 13:34:02 -05:00
Ramon de C Valle e27adf6366 Fix msftidy warnings 2014-03-25 10:39:40 -03:00
Ramon de C Valle 473f745c3c Add katello_satellite_priv_esc.rb
This module exploits a missing authorization vulnerability in the
"update_roles" action of "users" controller of Katello and Red Hat
Satellite (Katello 1.5.0-14 and earlier) by changing the specified
account to an administrator account.
2014-03-24 23:44:44 -03:00
David Maloney da0c37cee2
Land #2684, Meatballs PSExec refactor 2014-03-14 13:01:20 -05:00
William Vu 170608e97b Fix first chunk of msftidy "bad char" errors
There needs to be a better way to go about preventing/fixing these.
2014-03-11 11:18:54 -05:00
Tod Beardsley de6be50d64
Minor cleanup and finger-wagging about a for loop 2014-03-03 14:12:22 -06:00
jvazquez-r7 bfdefdb338
Land #3023, @m-1-k-3's module for Linksys WRT120N bof reset password 2014-02-26 09:36:14 -06:00
jvazquez-r7 6ba26bf743 Use normalize_uri 2014-02-26 09:35:42 -06:00
jvazquez-r7 582372ec3e Do minor cleanup 2014-02-26 09:32:11 -06:00
Michael Messner b79197b8ab feedback included, cleanup, login check 2014-02-26 13:44:36 +01:00
James Lee d2945b55c1
Fix typo
inside_workspace_boundary() -> inside_workspace_boundary?()
2014-02-24 14:46:08 -06:00
Michael Messner ec8e1e3d6f small fixes 2014-02-21 21:59:45 +01:00
Michael Messner 1384150b7a make msftidy happy 2014-02-21 21:56:46 +01:00
Michael Messner c77fc034da linksys wrt120 admin reset exploit 2014-02-21 21:53:56 +01:00
j0hnf c62fa83a70 msf recommended changes + tweaked exception handling 2014-02-19 22:20:24 +00:00
j0hnf 4b247e2b9f altered check_dir_file.rb so that it can check for the presence of a list of files/directories supplied using file:/ format rather than being limited to just the one file, handy for checking for indicators of compromise 2014-02-16 03:22:11 +00:00
sinn3r 89e1bcc0ca Deprecate modules with date 2013-something
These modules had an expiration date of 2013.
2014-02-04 14:49:18 -06:00
sinn3r 7faa41dac0 Change Unknown to Safe because it's just a banner check 2014-01-23 15:36:19 -06:00
sinn3r 81a3b2934e Fix prints 2014-01-23 15:33:24 -06:00
sinn3r 5025736d87 Fix check for modicon_password_recovery 2014-01-19 17:20:20 -06:00
jvazquez-r7 0b1671f1b8 Undo debugging comment 2014-01-14 17:02:30 -06:00
jvazquez-r7 6372ae6121 Save some parsing 2014-01-14 17:00:00 -06:00
Matt Andreko 2d40f936e3 Added some additional creds that were useful 2014-01-13 23:15:51 -05:00
Matt Andreko 42fb8c48d1 Fixed the credential parsing and made output consistent
So in the previous refactor, we made the dedicated method to parse
usernames and passwords from the split up config values. However, that
didn't work, because on a single iteration of the loop, you only have
access to a possible username OR password. The other matching key will
be another iteration of the loop. Because of this, no credential pairs
were being reported.

The only way I can see around this (maybe because I'm a ruby newb) would
be to iterate over configs, and if the user or password regex matches,
add the matching value to a hash, which is identified by a key for both
user & pass. Then upon completion of the loop, it'd iterate over the
hash, finding keys that had both user & pass values.
2014-01-13 22:57:25 -05:00
Tod Beardsley 207e9c413d
Add the test info for sercomm_dump_config 2014-01-13 14:27:03 -06:00
Tod Beardsley 671027a126
Pre-release title/desc fixes 2014-01-13 13:57:34 -06:00
jvazquez-r7 95a5d12345 Merge #2835, #2836, #2837, #2838, #2839, #2840, #2841, #2842 into one branch 2014-01-13 10:57:09 -06:00
jvazquez-r7 410302d6d1 Fix indentation 2014-01-09 15:14:52 -06:00
Matt Andreko b1073b3dbb Code Review Feedback
Removed the parameters from get() since it works without them
2014-01-09 15:54:23 -05:00
Matt Andreko 2a0f2acea4 Made fixes from the PR from jvazquez-r7
The get_once would *only* return "MMcS", and stop. I
modified it to be a get(3, 3). Additionally, the command
length was set to 0x01 when it needed to be 0x00.
2014-01-09 15:33:04 -05:00
jvazquez-r7 be6958c965 Clean sercomm_dump_config 2014-01-09 13:42:11 -06:00
Matt Andreko 01c5585d44 Moved auxiliary module to a more appropriate folder 2014-01-09 10:17:26 -05:00
Matt Andreko d9e737c3ab Code Review Feedback
Refactored the configuration settings so that creds could be reported to
the database more easily, while still being able to print general
configuration settings separately.
2014-01-09 10:14:34 -05:00
Matt Andreko 81adff2bff Code Review Feedback
Changed datastore['rhost'] to rhost
Made the array storing configuration values into a class const
Moved superfluous array look-over to not be executed unless in verbose
mode
2014-01-09 09:19:13 -05:00
Niel Nielsen 1479ef3903 Update typo3_winstaller_default_enc_keys.rb
Change to OpenSSL::Digest from deprecated OpenSSL::Digest::Digest
2014-01-07 22:08:10 +01:00
Matt Andreko c5a3a0b5b7 Cleanup 2014-01-02 20:44:18 -05:00
Matt Andreko 6effdd42fa Added module to enumerate certain Sercomm devices through backdoor
See more: https://github.com/elvanderb/TCP-32764
2014-01-02 20:42:42 -05:00
jvazquez-r7 7f9f4ba4db Make gsubs compliant with the new indentation standard 2013-12-31 11:06:53 -06:00
jvazquez-r7 0eac17083a Clean cfme_manageiq_evm_pass_reset 2013-12-18 16:16:32 -06:00
Ramon de C Valle b9a9b90088 Update module to use added bcrypt gem 2013-12-18 16:15:35 -02:00
Ramon de C Valle e20569181b Remove EzCrypto-related code as per review 2013-12-18 16:15:22 -02:00
Ramon de C Valle ef081cec49 Add missing disclosure date as per review 2013-12-18 15:47:23 -02:00
Ramon de C Valle 37826688ce Add cfme_manageiq_evm_pass_reset.rb
This module exploits a SQL injection vulnerability in the "explorer"
action of "miq_policy" controller of the Red Hat CloudForms Management
Engine 5.1 (ManageIQ Enterprise Virtualization Manager 5.0 and earlier)
by changing the password of the target account to the specified
password.
2013-12-09 16:49:07 -02:00
sinn3r 230db6451b Remove @peer for modules that use HttpClient
The HttpClient mixin has a peer() method, therefore these modules
should not have to make their own. Also new module writers won't
repeat the same old code again.
2013-12-03 12:58:16 -06:00
Tod Beardsley 55847ce074
Fixup for release
Notably, adds a description for the module landed in #2709.
2013-12-02 16:19:05 -06:00
sinn3r 20e0a7dcfb
Land #2709 - ZyXEL GS1510-16 Password Extractor 2013-12-02 13:13:01 -06:00
Sven Vetsch / Disenchant 39fbb59ba9 re-added the reference I accidentally deleted 2013-12-02 19:06:19 +01:00
Sven Vetsch / Disenchant cb98d68e47 added @wchen-r7's code to store the password into the database 2013-12-02 18:35:59 +01:00
Sven Vetsch / Disenchant 8e73023baa and now in the correct data structure 2013-12-01 17:38:35 +01:00
Sven Vetsch / Disenchant ef77b7fbbf added reference as requested at https://github.com/rapid7/metasploit-framework/pull/2709 2013-12-01 17:36:15 +01:00
Sven Vetsch / Disenchant aa62800184 added ZyXEL GS1510-16 Password Extractor 2013-11-29 10:42:17 +01:00
Jeff Jarmoc 03838aaa79 Update rails_devise_pass_reset.rb
Fixed erroneous status if FLUSHTOKENS is false.
2013-11-27 22:27:45 -06:00
Jeff Jarmoc 7f8baf979d Adds the ability to configure object name in URI and XML. This allows exploiting other platforms that include devise.
For example, activeadmin is exploitable if running a vulnerable devise and rails version with the following settings;
msf > use auxiliary/admin/http/rails_devise_pass_reset
msf auxiliary(rails_devise_pass_reset) > set RHOST 127.0.0.1
RHOST => 127.0.0.1
msf auxiliary(rails_devise_pass_reset) > set RPORT 3000
RPORT => 3000
msf auxiliary(rails_devise_pass_reset) > set TARGETEMAIL admin@example.com
TARGETEMAIL => admin@example.com
msf auxiliary(rails_devise_pass_reset) > set TARGETURI /admin/password
TARGETURI => /admin/password
msf auxiliary(rails_devise_pass_reset) > set PASSWORD msf_pwnd
PASSWORD => msf_pwnd
msf auxiliary(rails_devise_pass_reset) > set OBJECTNAME admin_user
OBJECTNAME => admin_user
msf auxiliary(rails_devise_pass_reset) > exploit

[*] Clearing existing tokens...
[*] Generating reset token for admin@example.com...
[+] Reset token generated successfully
[*] Resetting password to "msf_pwnd"...
[+] Password reset worked successfully
[*] Auxiliary module execution completed
msf auxiliary(rails_devise_pass_reset) >
2013-11-27 15:35:43 -06:00
Meatballs dd9bb459bf
PSEXEC Refactor
Move peer into mixin
PSEXEC should use the psexec mixin
2013-11-24 16:24:05 +00:00
Tod Beardsley 84572c58a8
Minor fixup for release
* Adds some new refs.
  * Fixes a typo in a module desc.
  * Fixes a weird slash continuation for string building (See #2589)
2013-11-04 12:10:38 -06:00
Rich Lundeen c3113f796e Incorporating a few more cleanup items from jvazquez 2013-10-31 21:32:58 -07:00
Rich Lundeen cbfef6ec7a incoporating jvazquez feedback 2013-10-31 00:17:50 -07:00
Tod Beardsley 344413b74d
Reorder refs for some reason. 2013-10-30 12:25:55 -05:00
Tod Beardsley 32794f9d37
Move OpenBravo to aux module land 2013-10-30 12:20:04 -05:00
Tod Beardsley 9bb9f8b27b
Update descriptions on SMB file utils. 2013-10-28 13:48:25 -05:00
Tod Beardsley 0f63420e9f
Be specific about the type of hash
See #2583. Since there are several types of hashes, we need to be more
specific about this -- see modules/exploits/windows/smb/psexec.rb which
uses an "smb_hash" as a password type.

Also, the fixes in #2583 do not appear to address anything else reported
on the Redmine issue, namely, operating system and architecture
identification discovered with this module (assuming good credentials).
Therefore, the Redmine issue should not be considered resolved.

[SeeRM #4398]
2013-10-28 13:40:07 -05:00
jvazquez-r7 9276a839d4 [FixRM #4398] Report credentials to database 2013-10-25 16:19:47 -05:00
sinn3r 7ee615223d
Land #2570 - HP Intelligent Management SOM Account Creation 2013-10-24 14:14:06 -05:00
jvazquez-r7 69da39ad52 Add module for ZDI-13-240 2013-10-23 16:01:01 -05:00
sinn3r d1e1968cb9
Land #2566 - Download and delete a file via SMB 2013-10-23 12:28:57 -05:00
sinn3r 9a51dd5fc4 Do exception handling and stuff 2013-10-23 12:28:25 -05:00
sinn3r 0500842625 Do some exception handling 2013-10-23 12:22:49 -05:00
sinn3r 83a4ac17e8 Make sure fd is closed to avoid a possible resource leak 2013-10-23 12:16:18 -05:00
sinn3r af02fd0355 Use store_loot, sorry mubix 2013-10-23 12:13:05 -05:00
Rob Fuller 8f3228d191 chage author but basic copied from hdms upload_file 2013-10-22 21:13:30 -04:00
Rob Fuller b2b8824e2e add delete and download modules for smb 2013-10-22 16:31:56 -04:00
William Vu 2aed8a3aea Update modules to use new ZDI reference 2013-10-21 15:13:46 -05:00
sinn3r 032da9be10
Land #2426 - make use of Msf::Config.data_directory 2013-10-21 13:07:33 -05:00
sinn3r 6430fa3354
Land #2539 - Support Windows CMD generic payload
This also upgrades auxiliary/admin/scada/igss_exec_17 to an exploit
2013-10-21 11:26:13 -05:00
jvazquez-r7 be1d6ee0d3 Support Windows CMD generic payload 2013-10-17 14:07:27 -05:00
Tod Beardsley 07ab53ab39
Merge from master to clear conflict
Conflicts:
	modules/exploits/windows/brightstor/tape_engine_8A.rb
	modules/exploits/windows/fileformat/a-pdf_wav_to_mp3.rb
2013-10-17 13:29:24 -05:00
Tod Beardsley 2833d58387
Add OSVDB for vbulletin exploit 2013-10-16 15:01:28 -05:00
Tod Beardsley 3c2dddd7aa
Update reference with a non-plagarised source 2013-10-16 14:44:18 -05:00
Tod Beardsley c83262f4bd
Resplat another common boilerplate. 2013-10-15 14:07:48 -05:00
Tod Beardsley 23d058067a
Redo the boilerplate / splat
[SeeRM #8496]
2013-10-15 13:51:57 -05:00
Tod Beardsley cad7329f2d
Minor updates to vbulletin admin exploit 2013-10-10 22:09:38 -05:00
jvazquez-r7 4f3bbaffd1 Clean module and add reporting 2013-10-09 13:54:28 -05:00
jvazquez-r7 5c36533742 Add module for the vbulletin exploit in the wild 2013-10-09 13:12:57 -05:00
Meatballs c460f943f7
Merge branch 'master' into data_dir
Conflicts:
	modules/exploits/windows/local/always_install_elevated.rb
	plugins/sounds.rb
	scripts/meterpreter/powerdump.rb
	scripts/shell/spawn_meterpreter.rb
2013-10-02 20:17:11 +01:00
Meatballs 7ba846ca24 Find and replace 2013-09-26 20:34:48 +01:00
FireFart 09fa7b7692 remove rport methods since it is already defined in Msf::Exploit::Remote::HttpClient 2013-09-25 23:50:34 +02:00
sinn3r d006ee52b1 Land #2344 - Sophos Web Protection Appliance patience.cgi Directory Traversal 2013-09-12 14:13:32 -05:00
jvazquez-r7 02a073a8fe Change module filename 2013-09-09 23:30:37 -05:00
jvazquez-r7 64348dc020 Update information 2013-09-09 23:29:48 -05:00
jvazquez-r7 2252aee398 Fix ltype on store_loot 2013-09-09 14:02:28 -05:00
jvazquez-r7 ce769b0c78 Add module for CVE-2013-2641 2013-09-09 13:56:45 -05:00
jvazquez-r7 3d48ba5cda Escape dot on regex 2013-09-08 20:26:20 -05:00
jvazquez-r7 be9b0da595 Update print message 2013-09-06 16:09:38 -05:00
jvazquez-r7 830bc2ae64 Update OSVDB reference 2013-09-06 13:01:39 -05:00
jvazquez-r7 4e3d4994c3 Update description 2013-09-06 12:58:54 -05:00
jvazquez-r7 45821a505b Add module for CVE-2013-0653 2013-09-06 12:42:34 -05:00
Tab Assassin 6b330ad39f Retab changes for PR #2134 2013-09-05 14:24:37 -05:00
Tab Assassin 52ce6afd99 Merge for retab 2013-09-05 14:24:31 -05:00
Tab Assassin 41e4375e43 Retab modules 2013-08-30 16:28:54 -05:00
jvazquez-r7 b9360b9de6 Land #2286, @wchen-r7's patch for undefined method errors 2013-08-26 20:46:05 -05:00
sinn3r 7fad26968c More fix to jboss_seam_exec 2013-08-26 17:16:15 -05:00
Tod Beardsley 5b4890f5b9 Fix caps on typo3_winstaller module 2013-08-26 14:47:42 -05:00
sinn3r 37eaa62096 Fix undefined method error
[FixRM #8346]
2013-08-21 00:42:33 -05:00
sinn3r 9ca7a727e1 Fix undefined method error
[FixRM #8347]
2013-08-21 00:41:49 -05:00
sinn3r 5993cbe3a8 Fix undefined method error
[FixRM #8348]
2013-08-21 00:40:38 -05:00
sinn3r 9f98d4afe6 Fix undefined method error
[FixRM #8349]
2013-08-21 00:38:35 -05:00
sinn3r ea78e8309d Fix undefined method error
[FixRM #8350]
2013-08-21 00:35:36 -05:00
jvazquez-r7 586ae8ded3 Land #2249, @wchen-r7's patch for [SeeRM #8314] 2013-08-20 10:32:47 -05:00
jvazquez-r7 4790d8de50 Land #2256, @wchen-r7's patch for [FixRM #8316] 2013-08-19 23:23:57 -05:00
sinn3r 5366453031 [FixRM #8316] - Escape characters correctly
dots need to be escaped
2013-08-19 16:51:19 -05:00
sinn3r 7fc37231e0 Fix email format
Correct email format
2013-08-19 16:34:14 -05:00
sinn3r 17b5e57280 Typo 2013-08-19 15:32:19 -05:00
sinn3r fb5ded1472 [FixRM #8314] - Use OptPath instead of OptString
These modules need to use OptPath to make sure the path is validated.
2013-08-19 15:30:33 -05:00
jvazquez-r7 f42797fc5c Fix indentation 2013-08-16 14:19:37 -05:00
Tod Beardsley f7339f4f77 Cleanup various style issues
* Unset default username and password
  * Register SSL as a DefaultOption instead of redefining it
  * Use the HttpClient mixin `ssl` instead of datastore.
  * Unless is better than if !
  * Try to store loot even if you can't cleanup the site ID.
2013-08-16 14:03:59 -05:00