brent morris
5eff3e5637
Removed hard tabs
2015-10-02 14:34:00 -04:00
brent morris
4ee7ba05aa
Removing hard tabs test
2015-10-02 14:31:46 -04:00
brent morris
6406a66bc0
Remove Ranking
2015-10-02 14:24:46 -04:00
brent morris
9f71fd9bfd
Formatting ZPanel Exploit
2015-10-02 14:23:07 -04:00
brent morris
89a50c20d0
Added Zpanel Exploit
2015-10-02 13:29:53 -04:00
William Vu
a773627d26
Land #5946, simple_backdoors_exec module
2015-10-02 11:18:29 -05:00
William Vu
5b8f98ee06
Land #6022, zemra_panel_rce module
2015-10-02 11:18:09 -05:00
Pedro Ribeiro
659a09f7d2
Create manageengine_sd_uploader.rb
2015-10-02 16:04:05 +01:00
jvazquez-r7
75d2a24a0a
Land #6019, @pedrib's Kaseya VSA ZDI-15-449 exploit
2015-10-02 08:51:28 -05:00
Pedro Ribeiro
cbbeef0f53
Update kaseya_uploader.rb
2015-10-02 13:20:59 +01:00
JT
33916997a4
Update zemra_panel_rce.rb
...
revised the name and the description
2015-10-02 09:49:59 +08:00
JT
fa1391de87
Update simple_backdoors_exec.rb
...
Updating the code as suggested
2015-10-02 07:53:15 +08:00
JT
501325d9f4
Update zemra_panel_rce.rb
2015-10-02 06:48:34 +08:00
jvazquez-r7
a88a6c5580
Add WebPges to the paths
2015-10-01 13:22:56 -05:00
jvazquez-r7
f9a9a45cf8
Do code cleanup
2015-10-01 13:20:40 -05:00
Hans-Martin Münch (h0ng10)
30101153fa
Remove spaces
2015-10-01 18:56:37 +02:00
Hans-Martin Münch (h0ng10)
41cf0ef676
Add reference for CVE-2015-2342 - VMWare VCenter JMX RMI RCE
2015-10-01 18:43:21 +02:00
JT
2802b3ca43
Update zemra_panel_rce.rb
...
sticking res
2015-10-02 00:00:30 +08:00
William Vu
2ab779ad3d
Land #6010, capture_sendto fixes
2015-10-01 10:54:24 -05:00
JT
5c5f3a4e7f
Update zemra_panel_rce.rb
...
called http_send_command right away :)
2015-10-01 23:39:36 +08:00
William Vu
0bacb3db67
Land #6029, Win10 support for bypassuac_injection
2015-10-01 10:17:34 -05:00
JT
66560d5339
Update zemra_panel_rce.rb
2015-10-01 19:16:23 +08:00
William Vu
2e2d27d53a
Land #5935, final creds refactor
2015-10-01 00:25:14 -05:00
OJ
7451cf390c
Add Windows 10 "support" to bypassuac_injection
2015-10-01 11:16:18 +10:00
JT
a7fa939fda
Zemra Botnet C2 Web Panel Remote Code Execution
...
This module exploits the C2 web panel of Zemra Botnet which contains a backdoor inside its leaked source code. Zemra is a crimeware bot that can be used to conduct DDoS attacks and is detected by Symantec as Backdoor.Zemra.
2015-09-30 19:24:21 +08:00
JT
2de6c77fa2
Update simple_backdoors_exec.rb
2015-09-30 18:11:05 +08:00
jakxx
47c79071eb
fix indention and typo
2015-09-29 22:41:36 -04:00
jakxx
f18e1d69a1
Add x64 ret address and add to buffer
2015-09-29 22:36:30 -04:00
Pedro Ribeiro
61c922c24d
Create kaseya_uploader.rb
2015-09-29 11:56:34 +01:00
JT
46adceec8f
Update simple_backdoors_exec.rb
2015-09-29 10:40:28 +08:00
JT
dd650409e4
Update simple_backdoors_exec.rb
2015-09-29 08:05:13 +08:00
bigendian smalls
a47557b9c1
Upd. multi/handler to include mainframe platform
...
Quick update to multi handler so it recognizes mainframe platform based
modules
2015-09-28 11:14:08 -05:00
Jon Hart
96e4e883ae
Fix #6008 for wireshark_lwres_getaddrbyname_loop
2015-09-27 14:56:11 -07:00
Jon Hart
bd2f73f40a
Fix #6008 for wireshark_lwres_getaddrbyname
2015-09-27 14:55:19 -07:00
Jon Hart
bbd08b84e5
Fix #6008 for snort_dce_rpc
2015-09-27 14:53:40 -07:00
jvazquez-r7
b206de7708
Land #5981, @xistence's ManageEngine EventLog Analyzer Remote Code Execution exploit
2015-09-27 00:42:17 -05:00
jvazquez-r7
55f573b4c9
Do code cleanup
2015-09-27 00:33:40 -05:00
jvazquez-r7
c8880e8ad6
Move local exploit to correct location
2015-09-25 11:37:38 -05:00
jvazquez-r7
6b46316a56
Do watchguard_local_privesc code cleaning
2015-09-25 11:35:21 -05:00
jvazquez-r7
c79671821d
Update with master changes
2015-09-25 10:47:37 -05:00
jvazquez-r7
e87d99a65f
Fixing blocking option
2015-09-25 10:45:19 -05:00
jvazquez-r7
890ac92957
Warn about incorrect payload
2015-09-25 10:10:08 -05:00
jvazquez-r7
19b577b30a
Do some code style fixes to watchguard_cmd_exec
2015-09-25 09:51:00 -05:00
jvazquez-r7
b35da0d91d
Avoid USERNAME and PASSWORD datastore options collisions
2015-09-25 09:36:47 -05:00
jvazquez-r7
52c4be7e8e
Fix description
2015-09-25 09:35:30 -05:00
JT
e185277ac5
Update simple_backdoors_exec.rb
2015-09-24 14:14:23 +08:00
JT
56a551313c
Update simple_backdoors_exec.rb
2015-09-24 13:54:40 +08:00
JT
192369607d
Update simple_backdoors_exec.rb
...
updated the string 'echo me' to a random text
2015-09-24 13:49:33 +08:00
Meatballs
66c9222968
Make web_delivery proxy aware
2015-09-23 20:45:51 +01:00
Daniel Jensen
3dd917fd56
Altered the module to use the primer callback, and refactored some code to remove useless functions etc
2015-09-24 00:20:13 +12:00
William Vu
d798ef0885
Land #5893, w3tw0rk/Pitbul RCE module
2015-09-23 02:41:01 -05:00
William Vu
8106bcc320
Clean up module
2015-09-21 14:37:54 -05:00
wchen-r7
fd190eb56b
Land #5882, Add Konica Minolta FTP Utility 1.00 CWD command module
2015-09-18 11:10:20 -05:00
wchen-r7
0aea4a8b00
An SEH? A SEH?
2015-09-18 11:09:52 -05:00
jvazquez-r7
ab8d12e1ac
Land #5943, @samvartaka's awesome improvement of poisonivy_bof
2015-09-16 16:35:04 -05:00
jvazquez-r7
af1cdd6dea
Return Appears
2015-09-16 16:34:43 -05:00
jvazquez-r7
402044a770
Delete comma
2015-09-16 16:23:43 -05:00
jvazquez-r7
75c6ace1d0
Use single quotes
2015-09-16 16:23:10 -05:00
jvazquez-r7
88fdc9f123
Clean exploit method
2015-09-16 16:14:21 -05:00
jvazquez-r7
d6a637bd15
Do code cleaning on the check method
2015-09-16 16:12:28 -05:00
wchen-r7
c7afe4f663
Land #5930, MS15-078 (atmfd.dll buffer overflow)
2015-09-16 15:33:38 -05:00
jvazquez-r7
37d42428bc
Land #5980, @xistence exploit for ManageEngine OpManager
2015-09-16 13:19:49 -05:00
jvazquez-r7
8f755db850
Update version
2015-09-16 13:19:16 -05:00
jvazquez-r7
1b50dfc367
Change module location
2015-09-16 11:43:09 -05:00
jvazquez-r7
122103b197
Do minor metadata cleanup
2015-09-16 11:41:23 -05:00
jvazquez-r7
aead0618c7
Avoid the WAIT option
2015-09-16 11:37:49 -05:00
jvazquez-r7
0010b418d0
Do minor code cleanup
2015-09-16 11:31:15 -05:00
jvazquez-r7
f3b6606709
Fix check method
2015-09-16 11:26:15 -05:00
Daniel Jensen
7985d0d7cb
Removed privesc functionality, this has been moved to another module. Renamed module
2015-09-16 23:29:26 +12:00
Daniel Jensen
bdd90655e4
Split off privesc into a separate module
2015-09-16 23:11:32 +12:00
jvazquez-r7
24af3fa12e
Add rop chains
2015-09-15 14:46:45 -05:00
William Vu
abe65cd400
Land #5974, java_jmx_server start order fix
2015-09-15 01:33:44 -05:00
xistence
c99444a52e
ManageEngine EventLog Analyzer Remote Code Execution
2015-09-15 07:29:16 +07:00
xistence
7bf2f158c4
ManageEngine OpManager Remote Code Execution
2015-09-15 07:24:32 +07:00
JT
9e6d3940b3
Update simple_backdoors_exec.rb
2015-09-13 23:30:14 +08:00
wchen-r7
ae5aa8f542
No FILE_CONTENTS option
2015-09-12 23:32:02 -05:00
Daniel Jensen
4e22fce7ef
Switched to using Rex MD5 function
2015-09-13 16:23:23 +12:00
jvazquez-r7
0d52a0617c
Verify win32k 6.3.9600.17837 is working
2015-09-12 15:27:50 -05:00
jvazquez-r7
9626596f85
Clean template code
2015-09-12 13:43:05 -05:00
Hans-Martin Münch (h0ng10)
0c4604734e
Webserver starts at the beginning, stops at the end
2015-09-12 19:42:31 +02:00
xistence
dc8d1f6e6a
Small changes
2015-09-12 13:08:58 +07:00
wchen-r7
01053095f9
Add MS15-100 Microsoft Windows Media Center MCL Vulnerability
2015-09-11 15:05:06 -05:00
jvazquez-r7
53f995b9c3
Do first prototype
2015-09-10 19:35:26 -05:00
wchen-r7
017832be88
Land #5953, Add Bolt CMS File Upload Vulnerability
2015-09-10 18:29:13 -05:00
wchen-r7
602a12a1af
typo
2015-09-10 18:28:42 -05:00
Roberto Soares
68521da2ce
Fix check method.
2015-09-10 04:40:12 -03:00
Roberto Soares
4566f47ac5
Fix check method.
2015-09-10 03:56:46 -03:00
Roberto Soares
0ba03f7a06
Fix words.
2015-09-09 21:27:57 -03:00
Roberto Soares
bc3f5b43ab
Removed WordPress mixin.
2015-09-09 21:26:15 -03:00
Roberto Soares
4e31dd4e9f
Add curesec team as vuln discovery.
2015-09-09 21:13:51 -03:00
Roberto Soares
6336301df3
Add Nibbleblog File Upload Vulnerability
2015-09-09 21:05:36 -03:00
Roberto Soares
d3aa61d6a0
Move bolt_file_upload.rb to exploits/multi/http
2015-09-09 13:41:44 -03:00
Roberto Soares
2800ecae07
Fix alignment.
2015-09-09 01:21:08 -03:00
Roberto Soares
48bd2c72a0
Add fail_with method and other improvements
2015-09-09 01:11:35 -03:00
Roberto Soares
f08cf97224
Check method implemented
2015-09-08 23:54:20 -03:00
Roberto Soares
6de0c9584d
Fix some improvements
2015-09-08 23:15:42 -03:00
JT
31a8907385
Update simple_backdoors_exec.rb
2015-09-09 08:30:21 +08:00
jvazquez-r7
329e6f4633
Fix title
2015-09-08 15:31:14 -05:00
JT
4e23bba14c
Update simple_backdoors_exec.rb
...
removing the parenthesis for the if statements
2015-09-08 15:47:38 +08:00
JT
002aada59d
Update simple_backdoors_exec.rb
...
changed shell to res
2015-09-08 14:54:26 +08:00
JT
467f9a8353
Update simple_backdoors_exec.rb
2015-09-08 14:45:54 +08:00
JT
37c28ddefb
Update simple_backdoors_exec.rb
...
Updated the description
2015-09-08 13:42:12 +08:00
JT
0f8123ee23
Simple Backdoor Shell Remote Code Execution
2015-09-08 13:08:47 +08:00
samvartaka
0a0e7ab4ba
This is a modification to the original poisonivy_bof.rb exploit
...
module removing the need for bruteforce in the case of an unknown
server password by (ab)using the challenge-response as an encryption
oracle, making it more reliable. The vulnerability has also been confirmed
in versions 2.2.0 up to 2.3.1 and additional targets for these versions
have been added as well.
See http://samvartaka.github.io/malware/2015/09/07/poison-ivy-reliable-exploitation/
for details.
## Console output
Below is an example of the new functionality (PIVY C2 server password is
set to 'prettysecure' and unknown to attacker). Exploitation of versions 2.3.0 and 2.3.1
is similar.
### Version 2.3.2 (unknown password)
```
msf > use windows/misc/poisonivy_bof
msf exploit(poisonivy_bof) > set RHOST 192.168.0.103
RHOST => 192.168.0.103
msf exploit(poisonivy_bof) > check
[*] Vulnerable Poison Ivy C&C version 2.3.1/2.3.2 detected.
[*] 192.168.0.103:3460 - The target appears to be vulnerable.
msf exploit(poisonivy_bof) > set PAYLOAD windows/shell_bind_tcp
PAYLOAD => windows/shell_bind_tcp
msf exploit(poisonivy_bof) > exploit
[*] Started bind handler
[*] Performing handshake...
[*] Sending exploit...
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\winxp\Desktop\Poison Ivy\Poison Ivy 2.3.2>
```
### Version 2.2.0 (unknown password)
```
msf exploit(poisonivy_bof) > check
[*] Vulnerable Poison Ivy C&C version 2.2.0 detected.
[*] 192.168.0.103:3460 - The target appears to be vulnerable.
msf exploit(poisonivy_bof) > show targets
Exploit targets:
Id Name
-- ----
0 Poison Ivy 2.2.0 on Windows XP SP3 / Windows 7 SP1
1 Poison Ivy 2.3.0 on Windows XP SP3 / Windows 7 SP1
2 Poison Ivy 2.3.1, 2.3.2 on Windows XP SP3 / Windows 7 SP1
msf exploit(poisonivy_bof) > set TARGET 0
TARGET => 0
msf exploit(poisonivy_bof) > exploit
[*] Started bind handler
[*] Performing handshake...
[*] Sending exploit...
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\winxp\Desktop\Poison Ivy\Poison Ivy 2.2.0>
```
2015-09-07 17:48:28 +02:00
xistence
1d492e4b25
Lots of X11 protocol changes
2015-09-06 15:55:16 +07:00
Ewerson Guimaraes (Crash)
944f47b064
Update
...
Check nil
Removed headers
Fixed url normalization
2015-09-05 10:07:58 +02:00
JT
2f8dc7fdab
Update w3tw0rk_exec.rb
...
changed response to res
2015-09-05 14:21:07 +08:00
jvazquez-r7
23ab702ec4
Land #5631, @blincoln682F048A's module for Endian Firewall Proxy
...
* Exploit CVE-2015-5082
2015-09-04 16:28:32 -05:00
jvazquez-r7
2abfcd00b1
Use snake_case
2015-09-04 16:27:09 -05:00
jvazquez-r7
15aa5de991
Use Rex::MIME::Message
2015-09-04 16:26:53 -05:00
jvazquez-r7
adcd3c1e29
Use static max length
2015-09-04 16:18:55 -05:00
Ewerson Guimaraes (Crash)
68d27acd69
Update
...
Add exploit-db references
nil check to version
2015-09-04 23:18:24 +02:00
jvazquez-r7
1ebc25092f
Delete some comments
2015-09-04 16:18:15 -05:00
Ewerson Guimaraes (Crash)
5b5e97f37a
Update
...
Add normalize_uri
Change print_status to vprint_status
Removed unused http headers
and other minor changes
2015-09-04 22:12:42 +02:00
Roberto Soares
cc405957db
Add some improvements
2015-09-04 16:02:30 -03:00
Roberto Soares
4531d17cab
Added the rest of the code
2015-09-04 15:37:42 -03:00
Roberto Soares
b9ba12e42a
Added get_token method.
2015-09-04 15:27:28 -03:00
Ewerson Guimaraes (Crash)
5063acac3c
Poorly designed argument fixed
...
Poorly designed argument fixed
2015-09-04 19:43:49 +02:00
HD Moore
04d622b69b
Cleanup Jenkins-CI module titles and option descriptions
2015-09-04 10:25:51 -07:00
Ewerson Guimaraes (Crash)
cf8b34191d
Updates
...
Add Def for cgi request.
2015-09-04 19:19:02 +02:00
Roberto Soares
6f4f8e34b4
Added method bolt_login.
2015-09-04 10:45:15 -03:00
wchen-r7
d55757350d
Use the latest credential API, no more report_auth_info
2015-09-04 03:04:14 -05:00
Roberto Soares
a195f5bb9e
Initial commit - Skeleton
2015-09-04 04:09:16 -03:00
jvazquez-r7
ef6df5bc26
Use get_target_arch
2015-09-03 16:30:46 -05:00
jvazquez-r7
2588439246
Add references for the win32k info leak
2015-09-03 15:35:41 -05:00
James Lee
b2c401696b
Add certutil support.
...
Tested while landing #5736
2015-09-03 14:24:37 -05:00
James Lee
1e6a1f6d05
Revert "Fix spec like I shoulda done before landing #5736"
...
This reverts commit 956c8e550d.
Conflicts:
spec/lib/rex/exploitation/cmdstager/certutil_spec.rb
2015-09-03 14:18:55 -05:00
Ewerson Guimaraes (Crash)
92aa09a586
Merge remote-tracking branch 'rapid7/master' into Uptime
2015-09-03 20:48:50 +02:00
Ewerson Guimaraes (Crash)
6250983fb4
Update
...
Update
2015-09-03 20:29:57 +02:00
James Lee
b4547711f3
Add certutil support.
...
Tested while landing #5736
2015-09-03 13:27:10 -05:00
jvazquez-r7
697a6cd335
Rescue the process execute
2015-09-03 13:03:36 -05:00
jvazquez-r7
80a1e32339
Set Manual Ranking
2015-09-03 12:24:45 -05:00
HD Moore
9b51352c62
Land #5639, adds registry persistence
2015-09-03 11:26:38 -05:00
jvazquez-r7
dbe901915e
Improve version detection
2015-09-03 09:54:38 -05:00
jvazquez-r7
de25a6c23c
Add metadata
2015-09-02 18:32:45 -05:00
jvazquez-r7
8f70ec8256
Fix Disclosure date
2015-09-02 18:21:36 -05:00
jvazquez-r7
b912e3ce65
Add exploit template
2015-09-02 17:28:35 -05:00
HD Moore
4090c2c8ea
Land #5880, adds ScriptHost UAC bypass for Win7/2008
2015-09-02 14:14:18 -05:00
Meatballs
582cc795ac
Remove newlines
2015-09-02 19:42:04 +01:00
HD Moore
43d3e69fb2
Land #5917, update local exploit checks
2015-09-02 12:55:45 -05:00
HD Moore
95b9208a63
Change recv to get_once to avoid indefinite hangs, cosmetic tweaks.
2015-09-02 10:30:19 -05:00
xistence
a81a9e0ef8
Added TIME_WAIT for GUI windows
2015-09-02 16:55:20 +07:00
Meatballs
8f25a006a8
Change to automatic target
2015-09-02 09:13:25 +01:00
wchen-r7
4275a65407
Update local exploit checks to follow the guidelines.
...
Please see wiki "How to write a check() method" to learn how
these checkcodes are determined.
2015-09-01 23:26:45 -05:00
Meatballs
27775fbe58
Restrict to 7 and 2k8
2015-09-01 22:23:37 +01:00
HD Moore
cd65478d29
Land #5826, swap ExitFunction -> EXITFUNC
2015-09-01 13:58:12 -05:00
Christian Mehlmauer
bfc24aea16
change exitfunc to thread
2015-09-01 10:52:25 +02:00
Christian Mehlmauer
115f409fef
change exitfunc to thread
2015-09-01 10:48:07 +02:00
Christian Mehlmauer
5398bf78eb
change exitfunc to thread
2015-09-01 10:46:54 +02:00
Christian Mehlmauer
3e613dc333
change exitfunc to thread
2015-09-01 10:43:45 +02:00
Christian Mehlmauer
648c034d17
change exitfunc to thread
2015-09-01 10:42:15 +02:00
Ewerson Guimaraes (Crash)
252e80e793
Uptime Version 7.4.0 / 7.5.0 Upload and Exec file
...
Uptime Version 7.4.0 / 7.5.0 Upload and Exec file
2015-08-31 23:57:39 +02:00
Brent Cook
d670a62000
Land #5822, migrate obsolete payload compatibility options
2015-08-31 15:20:20 -05:00
wchen-r7
9364982467
Land #5665, Add osx rootpipe entitlements exploit for 10.10.3
2015-08-28 13:33:16 -05:00
wchen-r7
e45347e745
Explain why vulnerable
2015-08-28 13:26:01 -05:00
wchen-r7
423d52476d
Normal options should be all caps
2015-08-28 13:24:23 -05:00
Muhamad Fadzil Ramli
1b4f4fd225
remove url reference
2015-08-27 19:47:37 +08:00
jvazquez-r7
da4b360202
Fix typo
2015-08-26 15:29:34 -05:00
jvazquez-r7
5d0ed797a3
Update DLL
2015-08-26 15:15:32 -05:00
jvazquez-r7
dd529013f6
Update ruby side
2015-08-26 15:12:09 -05:00
JT
ff868f9704
Update w3tw0rk_exec.rb
2015-08-26 23:51:09 +08:00
JT
3f6c04a445
Update w3tw0rk_exec.rb
2015-08-26 23:48:31 +08:00
JT
16341d34a2
Update w3tw0rk_exec.rb
2015-08-26 23:34:29 +08:00
JT
892f427664
Update w3tw0rk_exec.rb
...
removed w3tw0rk_login
2015-08-26 09:18:15 +08:00
JT
6edba2cdc8
Update w3tw0rk_exec.rb
2015-08-26 09:11:30 +08:00
JT
c77226c354
Update w3tw0rk_exec.rb
2015-08-26 01:28:07 +08:00
JT
25fb325410
w3tw0rk / Pitbul IRC Bot Remote Code Execution
2015-08-26 01:22:55 +08:00
Brent Cook
b1ef560264
Merge payload_inject 64-bit inject fix from @Meatballs1
2015-08-24 09:26:00 -05:00
Muhamad Fadzil Ramli
03b1ad7491
add reference info
2015-08-24 11:18:26 +08:00
Muhamad Fadzil Ramli
73cb1383d2
amend banner info for check
2015-08-24 10:55:43 +08:00
Meatballs
1c91b126f1
X64 compat for payload_inject
2015-08-23 22:03:57 +01:00
Meatballs
228087dced
Initial working scripthost bypass uac
2015-08-23 20:16:15 +01:00
Muhamad Fadzil Ramli
7587319602
run rubocop & msftidy
2015-08-23 23:32:30 +08:00
Muhamad Fadzil Ramli
a5daa5c9be
added module descriptions
2015-08-23 23:12:41 +08:00
Muhamad Fadzil Ramli
91a7531af8
konica minolta ftp server post auth cwd command exploit
2015-08-23 21:49:26 +08:00
wchen-r7
dc1e7e02b6
Land #5853, Firefox 35-36 RCE one-click exploit
2015-08-20 13:27:21 -05:00
wchen-r7
45c7e4760a
Support x64 payloads
2015-08-20 02:09:58 -05:00
Brent Cook
6b94513a37
Land #5860, add tpwn OS X local kernel exploit (https://github.com/kpwn/tpwn)
2015-08-17 17:41:04 -05:00
William Vu
26165ea93f
Add tpwn module
2015-08-17 17:11:11 -05:00
Brent Cook
b17d8f8d49
Land #5768, update modules to use metasploit-credential
2015-08-17 17:08:58 -05:00
joev
98e2d074c3
Add disclosure date.
2015-08-15 20:09:41 -05:00
joev
a133e98ba5
Adds a ff 35-36 RCE vector based off the recent ff bug.
2015-08-15 20:02:00 -05:00
HD Moore
42e08cbe07
Fix bad use of get_profile (now browser_profile)
2015-08-14 19:50:42 -05:00
jvazquez-r7
c02df6b39d
Land #5800, @bperry's Symantec Endpoint Protection Manager RCE module
2015-08-14 17:03:48 -05:00
jvazquez-r7
b33abd72ce
Complete description
2015-08-14 17:03:21 -05:00
jvazquez-r7
4aa3be7ba2
Do ruby fixing and use FileDropper
2015-08-14 17:00:27 -05:00
Spencer McIntyre
33f1324fa9
Land #5813, @jakxx adds VideoCharge SEH file exploit
2015-08-13 18:01:25 -04:00
jakxx
e9d3289c23
EXITFUNC caps
2015-08-13 17:25:31 -04:00
jakxx
6e1c714b2b
Update to leverage auto-NOP generation
2015-08-13 17:24:18 -04:00
jakxx
361624161b
msftidy
2015-08-13 16:27:27 -04:00
jakxx
03eb2d71b2
Add watermark fileformat exploit
2015-08-13 16:26:17 -04:00
William Vu
f19186adda
Land #5841, homm3_h3m default target change
2015-08-13 14:54:58 -05:00
Tod Beardsley
02c6ea31bb
Use the more recent HD version as default target
2015-08-13 14:42:21 -05:00
Christian Mehlmauer
80a22412d9
use EXITFUNC instead of ExitFunction
2015-08-13 21:22:32 +02:00
William Vu
605a14350f
Land #5833, sshexec improvements
2015-08-13 14:16:22 -05:00
William Vu
3bd6c4cee4
Add a comma
2015-08-13 14:16:09 -05:00
Mo Sadek
677ec341dd
Land #5839, pre-bloggery cleanup edits
2015-08-13 13:43:57 -05:00
William Vu
c94a185610
Land #5697, Werkzeug debug RCE
2015-08-13 13:32:27 -05:00
William Vu
d54ee19ce9
Clean up module
2015-08-13 13:32:22 -05:00
Tod Beardsley
bb4116ed9d
Avoid msftidy.rb rule breaking on missing newline
2015-08-13 12:38:05 -05:00
jakxx
e7566d6aee
Adding print_status line
2015-08-12 16:08:04 -04:00
Spencer McIntyre
28fbb7cdde
Update the description of the sshexec module
2015-08-12 16:05:09 -04:00
Spencer McIntyre
dfe2bbf1e9
Add a python target to the sshexec module
2015-08-12 15:46:47 -04:00
Christian Mehlmauer
979d7e6be3
improve module
2015-08-12 15:37:37 +02:00
jakxx
2b225b2e7e
Added changes per feedback
...
Updated to include and use seh mixin
changed offset and space for reliability
got rand_text buffer junk working
removed double spaces and stupid fillers in file data
2015-08-12 01:34:45 -04:00
jakxx
4c28cae5d1
updated to include recommendation from @zerosteiner
2015-08-10 18:38:23 -04:00
jvazquez-r7
203c231b74
Fix #5659: Update CMD exploits payload compatibility options
2015-08-10 17:12:59 -05:00
jakxx
23f51bf265
specify junk data
2015-08-07 18:04:11 -04:00
jakxx
28ad0fccbd
Added VideoCharge Studio File Format Exploit
2015-08-07 15:54:32 -04:00
Brandon Perry
74ed8cf0c9
actually that didn't work
2015-08-02 18:57:13 -05:00
Brandon Perry
06754c36a4
unless, not if not
2015-08-02 18:51:23 -05:00
Brandon Perry
527eaea6ec
single quotes and some error handling
2015-08-02 18:25:17 -05:00
Brandon Perry
a33724667c
small code cleanup
2015-08-02 16:36:41 -05:00
Brandon Perry
830aee8aa5
check if cookie is actually returned, and if not, fail
2015-08-02 15:22:40 -05:00
Brandon Perry
a534008ba6
add some status lines
2015-08-02 15:03:59 -05:00
Brandon Perry
fe20bc88ad
remove badchars
2015-08-02 11:37:06 -05:00
Brandon Perry
f7ceec36d0
set default RPORT and SSL
2015-08-02 08:59:36 -05:00
Brandon Perry
a33dff637d
exploit cve 2015-1489 to get SYSTEM
2015-08-02 08:31:03 -05:00
Brandon Perry
12ac6d81fa
add markus as the discoverer specifically
2015-08-02 08:17:12 -05:00
Brandon Perry
e70ec8c07b
no need to store res for the later requests
2015-08-01 18:00:35 -05:00
Brandon Perry
272d75e437
check res before calling get_cookies
2015-08-01 17:58:41 -05:00
Meatballs
6f31183904
Fix VSS Persistence to check integrity level
2015-08-01 23:13:05 +01:00
Brandon Perry
47e86000ee
randomize the file names
2015-08-01 16:50:06 -05:00
Brandon Perry
2bfc8e59be
remove printline
2015-08-01 16:43:31 -05:00
Brandon Perry
0067d25180
add the sepm auth bypass rce module
2015-08-01 16:40:03 -05:00
Meatballs
a6a8117e46
Revert "Land #5777, fix #4558 vss_persistence"
...
This reverts commit ba4b2fbbea, reversing
changes made to affc86bfd9.
2015-08-01 22:35:24 +01:00
h00die
eab9b3bf5b
interpolation fix on secret
2015-08-01 14:39:12 -04:00
h00die
ceb49a51a6
thanks @espreto for help
2015-08-01 11:11:37 -04:00
wchen-r7
ba4b2fbbea
Land #5777, fix #4558 vss_persistence
2015-07-31 16:46:01 -05:00
jvazquez-r7
1ec960d8f9
Make the time to write flush configurable
2015-07-31 16:43:43 -05:00
wchen-r7
672d83eaae
Land #5789, Heroes of Might and Magic III .h3m Map File Buffer Overflow
2015-07-31 15:43:43 -05:00
aakerblom
7c5e5f0f22
add crc32 forging for Heroes III demo target
2015-08-01 04:53:49 -07:00
aakerblom
7af83a112d
fix unreliable address
2015-08-01 04:52:50 -07:00
aakerblom
908d6f946f
added target Heroes III Demo 1.0.0.0
2015-07-31 18:19:37 -07:00
aakerblom
16042cd45b
fix variable names in comment
2015-07-31 18:16:15 -07:00
aakerblom
66c92aae5d
fix documentation
2015-07-31 17:12:50 -07:00
aakerblom
6fdd2f91ce
rescue only Errno::ENOENT
2015-07-31 13:54:29 -07:00
aakerblom
6671df6672
add documentation
2015-07-31 13:53:56 -07:00
aakerblom
013201bd99
remove unneeded require
2015-07-31 13:49:27 -07:00
aakerblom
12a6bdb67b
Add Heroes of Might and Magic III .h3m map file Buffer Overflow module
2015-07-31 02:06:47 -07:00
aakerblom
d4c8d5884c
Fix a small typo
2015-07-31 11:47:46 -07:00
wchen-r7
54c5c6ea38
Another update
2015-07-29 14:31:35 -05:00
wchen-r7
768de00214
Automatically pass arch & platform from cmdstager
...
This allows the cmdstager mixin to automatically pass the arch
and platform information without changing the modules. This should
address the following tickets:
Fix #5727
Fix #5718
Fix #5761
2015-07-27 14:17:21 -05:00
jvazquez-r7
bf6975c01a
Fix #4558 by restoring the old wmicexec
2015-07-27 14:04:10 -05:00
wchen-r7
2d0a26ea8b
Land #5774, Fix URIPATH=/ and stack trace on missing ntdll version match
2015-07-25 17:54:49 -05:00
HD Moore
a7b5890dc5
Fix URIPATH=/ and stack trace on missing ntdll version match
2015-07-25 15:39:20 -07:00
h00die
4561241609
updates per @jvazquez-r7 comments
2015-07-24 20:34:40 -04:00
jvazquez-r7
2c9183fa56
Return check code
2015-07-24 16:14:43 -05:00
jvazquez-r7
a163606513
Delete unused SLEEP option
2015-07-24 15:29:56 -05:00
jvazquez-r7
1b1ac09d2a
Merge to solve conflicts
2015-07-24 15:24:29 -05:00
William Vu
10783d60cd
Land #5763, generate_payload_exe merged opts fix
2015-07-24 10:56:29 -05:00
William Vu
50c9293aab
Land #5758, OS X DYLD_PRINT_TO_FILE privesc
2015-07-23 13:21:23 -05:00
William Vu
c1a9628332
Fix some fixes
...
So you can fix while you fix.
2015-07-23 12:59:20 -05:00
Tod Beardsley
6ededbd7a7
Un-ticking the output
2015-07-23 12:23:56 -05:00
Tod Beardsley
9d8dd2f8bd
Fixup pr #5758
2015-07-23 12:21:36 -05:00
wchen-r7
6720a57659
Fix #5761, pass the correct arch and platform for exe generation
...
Fix #5761
2015-07-23 01:34:44 -05:00
joev
165cb195bf
Remove python dependency, add credit URL.
2015-07-21 22:48:23 -05:00
joev
3013ab4724
Add osx root privilege escalation.
2015-07-21 21:50:55 -05:00
William Vu
928c82c96e
Land #5745, undefined variable "rop" fix
2015-07-21 11:01:49 -05:00
Tod Beardsley
cadb03bac0
Fix my own blasted typo, ty @wvu-r7
2015-07-20 17:14:34 -05:00
Tod Beardsley
2052b4ef56
Fixed the HT leak attribution a little
2015-07-20 16:36:47 -05:00
Tod Beardsley
f7c11d0852
More cleanups
...
Edited modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb first landed in #5678, adobe_flash_hacking_team_uaf.rb
Edited modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb first landed in #5698, Adobe Flash CVE-2015-5122 opaqueBackground
Edited modules/exploits/multi/http/sysaid_auth_file_upload.rb first landed in #5471, @pedrib's module for SysAid CVE-2015-2994
Edited modules/exploits/multi/http/sysaid_rdslogs_file_upload.rb first landed in #5473 Correct spelling of sysaid module
2015-07-20 16:29:49 -05:00
Tod Beardsley
ab6204ca2e
Correct spelling of sysaid module
...
First landed in #5473.
2015-07-20 16:21:50 -05:00
Pedro Ribeiro
3fe165a265
Remove whitespace at the end
2015-07-18 20:18:34 +01:00
Pedro Ribeiro
70a2247941
Pick target is not needed...
2015-07-18 20:12:49 +01:00
Pedro Ribeiro
7483e77bba
Fix Linux target by trying again if exploit fails
2015-07-18 20:12:13 +01:00
wchen-r7
29defc979b
Fix #5740 , remove variable ROP for adobe_flashplayer_flash10o
2015-07-17 16:57:37 -05:00
wchen-r7
7113c801b1
Land #5732, reliability update for adobe_flash_hacking_team_uaf
2015-07-17 16:43:39 -05:00
wchen-r7
837eb9ea38
Land #5742, better quality coverage for adobe_flash_opaque_background_uaf
2015-07-17 16:25:14 -05:00
wchen-r7
f77f7d6916
Bump rank
2015-07-17 16:23:27 -05:00
wchen-r7
0bd1dc017e
Update coverage information
2015-07-17 16:23:00 -05:00
jvazquez-r7
4e6b00fe31
Land #5473, @pedrib's exploit for Sysaid CVE-2015-2994
...
* sysaid rdslogs arbitrary file upload
2015-07-17 12:10:40 -05:00
jvazquez-r7
00adbd7f64
Fix quotes
2015-07-17 12:09:54 -05:00
jvazquez-r7
57c4a3387b
Fix paths for windows and cleanup
2015-07-17 12:09:18 -05:00
jvazquez-r7
46ffb97c1c
Land #5471, @pedrib's module for SysAid CVE-2015-2994
...
* sysaid arbitrary file upload
2015-07-17 11:27:22 -05:00
jvazquez-r7
309a86ec57
Do code cleanup
2015-07-17 11:26:54 -05:00
jvazquez-r7
255d8ed096
Improve adobe_flash_opaque_background_uaf
2015-07-16 14:56:32 -05:00
jvazquez-r7
b504f0be8e
Update adobe_flash_hacking_team_uaf
2015-07-15 18:18:04 -05:00
William Vu
ea4a7d98b9
Land #5728, Arch specification for psexec
2015-07-15 15:36:27 +00:00
jvazquez-r7
886ca47dfb
Land #5650, @wchen-r7's browser autopwn 2
2015-07-15 10:21:44 -05:00
Christian Mehlmauer
b31c637c1b
Land #5533, DSP-W110 cookie command injection
2015-07-15 11:22:33 +02:00
Christian Mehlmauer
21375edcb2
final cleanup
2015-07-15 11:21:39 +02:00
Brent Cook
a7d866bc83
specify the 'Arch' values that psexec supports
2015-07-14 15:45:52 -06:00
h00die
57f62ffa76
changed URI to TARGETURI as per comments
2015-07-13 20:18:45 -04:00
William Vu
405261df4f
Land #5710, php_wordpress_total_cache removal
...
Deprecated.
2015-07-13 18:33:12 +00:00
William Vu
3feef639b9
Land #5711, php_wordpress_optimizepress removal
...
Deprecated.
2015-07-13 18:32:37 +00:00
William Vu
6e12cbf98f
Land #5712, php_wordpress_lastpost removal
...
Deprecated.
2015-07-13 18:31:31 +00:00
William Vu
dd188b1943
Land #5713, php_wordpress_infusionsoft removal
...
Deprecated.
2015-07-13 18:31:01 +00:00
wchen-r7
4960e64597
Remove php_wordpress_foxypress, use wp_foxypress_upload
...
Please use exploit/unix/webapp/wp_foxypress_upload instead.
2015-07-13 12:53:34 -05:00
wchen-r7
dfbeb24a8f
Remove php_wordpress_infusionsoft, use wp_infusionsoft_upload
...
Please use exploit/unix/webapp/wp_infusionsoft_upload instead.
2015-07-13 12:51:48 -05:00
wchen-r7
b80427aed2
Remove php_wordpress_lastpost, use wp_lastpost_exec instead.
...
Please use exploit/unix/webapp/wp_lastpost_exec instead
2015-07-13 12:49:27 -05:00
wchen-r7
90cc3f7891
Remove php_wordpress_optimizepress, use wp_optimizepress_upload
...
Please use exploit/unix/webapp/wp_optimizepress_upload instead.
2015-07-13 12:45:39 -05:00
wchen-r7
4177cdacd6
Remove php_wordpress_total_cache, please use wp_total_cache_exec
...
The time is up for exploit/unix/webapp/php_wordpress_total_cache,
please use exploit/unix/webapp/wp_total_cache_exec instead.
2015-07-13 12:41:29 -05:00
wchen-r7
e638d85f30
Merge branch 'upstream-master' into bapv2
2015-07-12 02:01:09 -05:00
h00die
8819674522
updated per feedback from PR
2015-07-11 21:03:02 -04:00
wchen-r7
f7ce6dcc9f
We agreed to Normal
2015-07-11 02:07:18 -05:00
wchen-r7
0ff7333090
Lower the ranking for CVE-2015-5122
...
As an initial release we forgot to lower it.
2015-07-11 02:05:56 -05:00
wchen-r7
1289ec8863
authors
2015-07-11 01:38:21 -05:00
wchen-r7
6eabe5d48c
Update description
2015-07-11 01:36:26 -05:00
wchen-r7
54fc712131
Update Win 8.1 checks
2015-07-11 01:33:23 -05:00
jvazquez-r7
6f0b9896e1
Update description
2015-07-11 00:56:18 -05:00
jvazquez-r7
115549ca75
Delete old check
2015-07-11 00:42:59 -05:00
jvazquez-r7
63005a3b92
Add module for flash CVE-2015-5122
...
* Just a fast port for the exploit leaked
* Just tested on win7sp1 / IE11
2015-07-11 00:28:55 -05:00
h00die
bff92f2304
Initial add
2015-07-10 21:13:12 -04:00
jvazquez-r7
5a045677bc
Add waiting message
2015-07-10 18:48:46 -05:00
jvazquez-r7
8d52c265d9
Delete wfsdelay
2015-07-10 18:46:27 -05:00
jvazquez-r7
63e91fa50f
Add reference
2015-07-10 18:46:06 -05:00
jvazquez-r7
677cd97cc2
Update information
2015-07-10 18:39:11 -05:00
jvazquez-r7
6c6a778218
Modify arkeia_agent_exec title
2015-07-10 18:38:25 -05:00
jvazquez-r7
4995728459
Modify arkeia_agent_exec ranking
2015-07-10 18:37:24 -05:00
jvazquez-r7
858f63cdbf
Land #5693, @xistence VNC Keyboard EXEC module
2015-07-10 18:35:44 -05:00
jvazquez-r7
1326a26be5
Do code cleanup
2015-07-10 18:35:13 -05:00
jvazquez-r7
917282a1f1
Fix ranking
2015-07-10 17:49:15 -05:00
jvazquez-r7
e063e26627
Land #5689, @xistence's module for Western Digital Arkeia command injection
2015-07-10 17:11:35 -05:00
jvazquez-r7
bdd8b56336
fix comment
2015-07-10 16:28:20 -05:00
jvazquez-r7
95ae7d8cae
Fix length limitation
2015-07-10 16:24:49 -05:00
Mo Sadek
3347b90db7
Land #5676, print_status with ms14_064
2015-07-10 14:40:49 -05:00
jvazquez-r7
29a497a616
Read header as 6 bytes
2015-07-10 14:25:57 -05:00
jvazquez-r7
bed3257a3f
Change default HTTP_DELAY
2015-07-10 12:50:26 -05:00
jvazquez-r7
c9d2ab58d3
Use HttpServer::HTML
...
* And make the exploit Aggressive
2015-07-10 12:48:21 -05:00
jvazquez-r7
e1192c75a9
Fix network communication on `communicate`
...
* Some protocol handling just to not read amounts of data blindly
2015-07-10 11:57:48 -05:00
Tod Beardsley
9206df077f
Land #5694, R7-2015-08
2015-07-10 11:42:57 -05:00
jvazquez-r7
9ba515f185
Fix network communication on `check`
...
* Some protocol handling just to not read amounts of data blindly
2015-07-10 11:32:49 -05:00
jvazquez-r7
c70be64517
Fix version check
2015-07-10 10:57:55 -05:00
jvazquez-r7
34a6984c1d
Fix variable name
2015-07-10 10:44:38 -05:00
jvazquez-r7
2c7cc83e38
Use single quotes
2015-07-10 10:34:47 -05:00
jvazquez-r7
f66cf91676
Fix metadata
2015-07-10 10:33:02 -05:00
xistence
b916a9d267
VNC Keyboard Exec
2015-07-10 14:08:32 +07:00
xistence
13a69e4011
X11 Keyboard Exec
2015-07-10 13:57:54 +07:00
xistence
52d41c8309
Western Digital Arkeia 'ARKFS_EXEC_CMD' <= v11.0.12 Remote Code Execution
2015-07-10 09:51:28 +07:00
Michael Messner
d7beb1a685
feedback included
2015-07-09 08:31:11 +02:00
HD Moore
25e0f888dd
Initial commit of R7-2015-08 coverage
2015-07-08 13:42:11 -05:00
wchen-r7
a3ec56c4cb
Do it in on_request_exploit because it's too specific
2015-07-08 12:32:38 -05:00
wchen-r7
cefbdbb8d3
Avoid unreliable targets
...
If we can't guarantee GreatRanking on specific targets, avoid them.
2015-07-08 12:12:53 -05:00
wchen-r7
6a33807d80
No Chrome for now
2015-07-07 15:56:58 -05:00
jvazquez-r7
f8b668e894
Update ranking and References
2015-07-07 15:43:02 -05:00
Tod Beardsley
116c3f0be1
Add CVE as a real ref, too
2015-07-07 14:46:44 -05:00
Tod Beardsley
3d630de353
Replace with a real CVE number
2015-07-07 14:44:12 -05:00
wchen-r7
fdb715c9dd
Merge branch 'upstream-master' into bapv2
2015-07-07 13:45:39 -05:00
jvazquez-r7
829b08b2bf
Complete authors list
2015-07-07 12:49:54 -05:00
wchen-r7
49effdf3d1
Update description
2015-07-07 12:46:02 -05:00
wchen-r7
d885420aff
This changes the version requirement for adobe_flash_hacking_team_uaf.rb
...
Because it works for Win 8.1 + IE11 too
2015-07-07 12:42:56 -05:00
wchen-r7
d30688b116
Add more requirement info
2015-07-07 12:33:47 -05:00
jvazquez-r7
d9aacf2d41
Add module for hacking team flash exploit
2015-07-07 11:19:48 -05:00
wchen-r7
c37b60de7b
Do some print_status with ms14_064
2015-07-07 00:57:37 -05:00
Michael Messner
5b6ceff339
mime message
2015-07-06 15:00:12 +02:00
joev
133e221dcd
Remove unnecessary steps.
2015-07-05 19:00:58 -05:00
joev
c993c70006
Remove sleep(), clean up WritableDir usage.
2015-07-05 18:59:00 -05:00
joev
72a1e9ad99
Add module for rootpipe+entitlements exploit for 10.10.3.
2015-07-05 18:19:46 -05:00
Ben Lincoln
6e9a477367
Removed reference URL for the report to the vendor, as it is no longer valid.
2015-07-03 13:48:24 -07:00