Commit Graph

9200 Commits (be8d6df09336a326d72b8a2fec15e9353bfb0ecb)

Author SHA1 Message Date
brent morris 5eff3e5637 Removed hard tabs 2015-10-02 14:34:00 -04:00
brent morris 4ee7ba05aa Removing hard tabs test 2015-10-02 14:31:46 -04:00
brent morris 6406a66bc0 Remove Ranking 2015-10-02 14:24:46 -04:00
brent morris 9f71fd9bfd Formatting ZPanel Exploit 2015-10-02 14:23:07 -04:00
brent morris 89a50c20d0 Added Zpanel Exploit 2015-10-02 13:29:53 -04:00
William Vu a773627d26
Land #5946, simple_backdoors_exec module 2015-10-02 11:18:29 -05:00
William Vu 5b8f98ee06
Land #6022, zemra_panel_rce module 2015-10-02 11:18:09 -05:00
Pedro Ribeiro 659a09f7d2 Create manageengine_sd_uploader.rb 2015-10-02 16:04:05 +01:00
jvazquez-r7 75d2a24a0a
Land #6019, @pedrib's Kaseya VSA ZDI-15-449 exploit 2015-10-02 08:51:28 -05:00
Pedro Ribeiro cbbeef0f53 Update kaseya_uploader.rb 2015-10-02 13:20:59 +01:00
JT 33916997a4 Update zemra_panel_rce.rb
revised the name and the description
2015-10-02 09:49:59 +08:00
JT fa1391de87 Update simple_backdoors_exec.rb
Updating the code as suggested
2015-10-02 07:53:15 +08:00
JT 501325d9f4 Update zemra_panel_rce.rb 2015-10-02 06:48:34 +08:00
jvazquez-r7 a88a6c5580
Add WebPges to the paths 2015-10-01 13:22:56 -05:00
jvazquez-r7 f9a9a45cf8
Do code cleanup 2015-10-01 13:20:40 -05:00
Hans-Martin Münch (h0ng10) 30101153fa Remove spaces 2015-10-01 18:56:37 +02:00
Hans-Martin Münch (h0ng10) 41cf0ef676 Add reference for CVE-2015-2342 - VMWare VCenter JMX RMI RCE 2015-10-01 18:43:21 +02:00
JT 2802b3ca43 Update zemra_panel_rce.rb
sticking res
2015-10-02 00:00:30 +08:00
William Vu 2ab779ad3d
Land #6010, capture_sendto fixes 2015-10-01 10:54:24 -05:00
JT 5c5f3a4e7f Update zemra_panel_rce.rb
called http_send_command right away :)
2015-10-01 23:39:36 +08:00
William Vu 0bacb3db67
Land #6029, Win10 support for bypassuac_injection 2015-10-01 10:17:34 -05:00
JT 66560d5339 Update zemra_panel_rce.rb 2015-10-01 19:16:23 +08:00
William Vu 2e2d27d53a
Land #5935, final creds refactor 2015-10-01 00:25:14 -05:00
OJ 7451cf390c Add Windows 10 "support" to bypassuac_injection 2015-10-01 11:16:18 +10:00
JT a7fa939fda Zemra Botnet C2 Web Panel Remote Code Execution
This module exploits the C2 web panel of Zemra Botnet which contains a backdoor inside its leaked source code. Zemra is a crimeware bot that can be used to conduct DDoS attacks and is detected by Symantec as Backdoor.Zemra.
2015-09-30 19:24:21 +08:00
JT 2de6c77fa2 Update simple_backdoors_exec.rb 2015-09-30 18:11:05 +08:00
jakxx 47c79071eb fix indention and typo 2015-09-29 22:41:36 -04:00
jakxx f18e1d69a1 Add x64 ret address and add to buffer 2015-09-29 22:36:30 -04:00
Pedro Ribeiro 61c922c24d Create kaseya_uploader.rb 2015-09-29 11:56:34 +01:00
JT 46adceec8f Update simple_backdoors_exec.rb 2015-09-29 10:40:28 +08:00
JT dd650409e4 Update simple_backdoors_exec.rb 2015-09-29 08:05:13 +08:00
bigendian smalls a47557b9c1
Upd. multi/handler to include mainframe platform
Quick update to multi handler so it recognizes mainframe platform based
modules
2015-09-28 11:14:08 -05:00
Jon Hart 96e4e883ae
Fix #6008 for wireshark_lwres_getaddrbyname_loop 2015-09-27 14:56:11 -07:00
Jon Hart bd2f73f40a
Fix #6008 for wireshark_lwres_getaddrbyname 2015-09-27 14:55:19 -07:00
Jon Hart bbd08b84e5
Fix #6008 for snort_dce_rpc 2015-09-27 14:53:40 -07:00
jvazquez-r7 b206de7708
Land #5981, @xistence's ManageEngine EventLog Analyzer Remote Code Execution exploit 2015-09-27 00:42:17 -05:00
jvazquez-r7 55f573b4c9
Do code cleanup 2015-09-27 00:33:40 -05:00
jvazquez-r7 c8880e8ad6
Move local exploit to correct location 2015-09-25 11:37:38 -05:00
jvazquez-r7 6b46316a56
Do watchguard_local_privesc code cleaning 2015-09-25 11:35:21 -05:00
jvazquez-r7 c79671821d Update with master changes 2015-09-25 10:47:37 -05:00
jvazquez-r7 e87d99a65f
Fixing blocking option 2015-09-25 10:45:19 -05:00
jvazquez-r7 890ac92957
Warn about incorrect payload 2015-09-25 10:10:08 -05:00
jvazquez-r7 19b577b30a
Do some code style fixes to watchguard_cmd_exec 2015-09-25 09:51:00 -05:00
jvazquez-r7 b35da0d91d
Avoid USERNAME and PASSWORD datastore options collisions 2015-09-25 09:36:47 -05:00
jvazquez-r7 52c4be7e8e
Fix description 2015-09-25 09:35:30 -05:00
JT e185277ac5 Update simple_backdoors_exec.rb 2015-09-24 14:14:23 +08:00
JT 56a551313c Update simple_backdoors_exec.rb 2015-09-24 13:54:40 +08:00
JT 192369607d Update simple_backdoors_exec.rb
updated the string 'echo me' to a random text
2015-09-24 13:49:33 +08:00
Meatballs 66c9222968
Make web_delivery proxy aware 2015-09-23 20:45:51 +01:00
Daniel Jensen 3dd917fd56 Altered the module to use the primer callback, and refactored some code to remove useless functions etc 2015-09-24 00:20:13 +12:00
William Vu d798ef0885
Land #5893, w3tw0rk/Pitbul RCE module 2015-09-23 02:41:01 -05:00
William Vu 8106bcc320 Clean up module 2015-09-21 14:37:54 -05:00
wchen-r7 fd190eb56b
Land #5882, Add Konica Minolta FTP Utility 1.00 CWD command module 2015-09-18 11:10:20 -05:00
wchen-r7 0aea4a8b00 An SEH? A SEH? 2015-09-18 11:09:52 -05:00
jvazquez-r7 ab8d12e1ac
Land #5943, @samvartaka's awesome improvement of poisonivy_bof 2015-09-16 16:35:04 -05:00
jvazquez-r7 af1cdd6dea
Return Appears 2015-09-16 16:34:43 -05:00
jvazquez-r7 402044a770
Delete comma 2015-09-16 16:23:43 -05:00
jvazquez-r7 75c6ace1d0
Use single quotes 2015-09-16 16:23:10 -05:00
jvazquez-r7 88fdc9f123
Clean exploit method 2015-09-16 16:14:21 -05:00
jvazquez-r7 d6a637bd15
Do code cleaning on the check method 2015-09-16 16:12:28 -05:00
wchen-r7 c7afe4f663
Land #5930, MS15-078 (atmfd.dll buffer overflow) 2015-09-16 15:33:38 -05:00
jvazquez-r7 37d42428bc
Land #5980, @xistence exploit for ManageEngine OpManager 2015-09-16 13:19:49 -05:00
jvazquez-r7 8f755db850
Update version 2015-09-16 13:19:16 -05:00
jvazquez-r7 1b50dfc367
Change module location 2015-09-16 11:43:09 -05:00
jvazquez-r7 122103b197
Do minor metadata cleanup 2015-09-16 11:41:23 -05:00
jvazquez-r7 aead0618c7
Avoid the WAIT option 2015-09-16 11:37:49 -05:00
jvazquez-r7 0010b418d0
Do minor code cleanup 2015-09-16 11:31:15 -05:00
jvazquez-r7 f3b6606709
Fix check method 2015-09-16 11:26:15 -05:00
Daniel Jensen 7985d0d7cb Removed privesc functionality, this has been moved to another module. Renamed module 2015-09-16 23:29:26 +12:00
Daniel Jensen bdd90655e4 Split off privesc into a seperate module 2015-09-16 23:11:32 +12:00
jvazquez-r7 24af3fa12e
Add rop chains 2015-09-15 14:46:45 -05:00
William Vu abe65cd400
Land #5974, java_jmx_server start order fix 2015-09-15 01:33:44 -05:00
xistence c99444a52e ManageEngine EventLog Analyzer Remote Code Execution 2015-09-15 07:29:16 +07:00
xistence 7bf2f158c4 ManageEngine OpManager Remote Code Execution 2015-09-15 07:24:32 +07:00
JT 9e6d3940b3 Update simple_backdoors_exec.rb 2015-09-13 23:30:14 +08:00
wchen-r7 ae5aa8f542 No FILE_CONTENTS option 2015-09-12 23:32:02 -05:00
Daniel Jensen 4e22fce7ef Switched to using Rex MD5 function 2015-09-13 16:23:23 +12:00
jvazquez-r7 0d52a0617c
Verify win32k 6.3.9600.17837 is working 2015-09-12 15:27:50 -05:00
jvazquez-r7 9626596f85
Clean template code 2015-09-12 13:43:05 -05:00
Hans-Martin Münch (h0ng10) 0c4604734e Webserver starts at the beginning, stops at the end 2015-09-12 19:42:31 +02:00
xistence dc8d1f6e6a Small changes 2015-09-12 13:08:58 +07:00
wchen-r7 01053095f9 Add MS15-100 Microsoft Windows Media Center MCL Vulnerability 2015-09-11 15:05:06 -05:00
jvazquez-r7 53f995b9c3
Do first prototype 2015-09-10 19:35:26 -05:00
wchen-r7 017832be88
Land #5953, Add Bolt CMS File Upload Vulnerability 2015-09-10 18:29:13 -05:00
wchen-r7 602a12a1af typo 2015-09-10 18:28:42 -05:00
Roberto Soares 68521da2ce Fix check method. 2015-09-10 04:40:12 -03:00
Roberto Soares 4566f47ac5 Fix check method. 2015-09-10 03:56:46 -03:00
Roberto Soares 0ba03f7a06 Fix words. 2015-09-09 21:27:57 -03:00
Roberto Soares bc3f5b43ab Removerd WordPress mixin. 2015-09-09 21:26:15 -03:00
Roberto Soares 4e31dd4e9f Add curesec team as vuln discovery. 2015-09-09 21:13:51 -03:00
Roberto Soares 6336301df3 Add Nibbleblog File Upload Vulnerability 2015-09-09 21:05:36 -03:00
Roberto Soares d3aa61d6a0 Move bolt_file_upload.rb to exploits/multi/http 2015-09-09 13:41:44 -03:00
Roberto Soares 2800ecae07 Fix alignment. 2015-09-09 01:21:08 -03:00
Roberto Soares 48bd2c72a0 Add fail_with method and other improvements 2015-09-09 01:11:35 -03:00
Roberto Soares f08cf97224 Check method implemented 2015-09-08 23:54:20 -03:00
Roberto Soares 6de0c9584d Fix some improvements 2015-09-08 23:15:42 -03:00
JT 31a8907385 Update simple_backdoors_exec.rb 2015-09-09 08:30:21 +08:00
jvazquez-r7 329e6f4633
Fix title 2015-09-08 15:31:14 -05:00
JT 4e23bba14c Update simple_backdoors_exec.rb
removing the parenthesis for the if statements
2015-09-08 15:47:38 +08:00
JT 002aada59d Update simple_backdoors_exec.rb
changed shell to res
2015-09-08 14:54:26 +08:00
JT 467f9a8353 Update simple_backdoors_exec.rb 2015-09-08 14:45:54 +08:00
JT 37c28ddefb Update simple_backdoors_exec.rb
Updated the description
2015-09-08 13:42:12 +08:00
JT 0f8123ee23 Simple Backdoor Shell Remote Code Execution 2015-09-08 13:08:47 +08:00
samvartaka 0a0e7ab4ba This is a modification to the original poisonivy_bof.rb exploit
module removing the need for bruteforce in the case of an unknown
server password by (ab)using the challenge-response as an encryption
oracle, making it more reliable. The vulnerability has also been confirmed
in versions 2.2.0 up to 2.3.1 and additional targets for these versions
have been added as well.

See http://samvartaka.github.io/malware/2015/09/07/poison-ivy-reliable-exploitation/
for details.

## Console output

Below is an example of the new functionality (PIVY C2 server password is
set to 'prettysecure' and unknown to attacker). Exploitation of versions 2.3.0 and 2.3.1
is similar.

### Version 2.3.2 (unknown password)

```
msf > use windows/misc/poisonivy_bof
msf exploit(poisonivy_bof) > set RHOST 192.168.0.103
RHOST => 192.168.0.103
msf exploit(poisonivy_bof) > check

[*] Vulnerable Poison Ivy C&C version 2.3.1/2.3.2 detected.
[*] 192.168.0.103:3460 - The target appears to be vulnerable.
msf exploit(poisonivy_bof) > set PAYLOAD windows/shell_bind_tcp
PAYLOAD => windows/shell_bind_tcp
msf exploit(poisonivy_bof) > exploit

[*] Started bind handler
[*] Performing handshake...
[*] Sending exploit...

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\winxp\Desktop\Poison Ivy\Poison Ivy 2.3.2>
```

### Version 2.2.0 (unknown password)

```
msf exploit(poisonivy_bof) > check

[*] Vulnerable Poison Ivy C&C version 2.2.0 detected.
[*] 192.168.0.103:3460 - The target appears to be vulnerable.

msf exploit(poisonivy_bof) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Poison Ivy 2.2.0 on Windows XP SP3 / Windows 7 SP1
   1   Poison Ivy 2.3.0 on Windows XP SP3 / Windows 7 SP1
   2   Poison Ivy 2.3.1, 2.3.2 on Windows XP SP3 / Windows 7 SP1

msf exploit(poisonivy_bof) > set TARGET 0
TARGET => 0

msf exploit(poisonivy_bof) > exploit

[*] Started bind handler
[*] Performing handshake...
[*] Sending exploit...

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\winxp\Desktop\Poison Ivy\Poison Ivy 2.2.0>
```
2015-09-07 17:48:28 +02:00
xistence 1d492e4b25 Lots of X11 protocol changes 2015-09-06 15:55:16 +07:00
Ewerson Guimaraes (Crash) 944f47b064 Update
Check nil
Removed headers
Fixed url normalization
2015-09-05 10:07:58 +02:00
JT 2f8dc7fdab Update w3tw0rk_exec.rb
changed response to res
2015-09-05 14:21:07 +08:00
jvazquez-r7 23ab702ec4
Land #5631, @blincoln682F048A's module for Endian Firewall Proxy
* Exploit CVE-2015-5082
2015-09-04 16:28:32 -05:00
jvazquez-r7 2abfcd00b1
Use snake_case 2015-09-04 16:27:09 -05:00
jvazquez-r7 15aa5de991
Use Rex::MIME::Message 2015-09-04 16:26:53 -05:00
jvazquez-r7 adcd3c1e29
Use static max length 2015-09-04 16:18:55 -05:00
Ewerson Guimaraes (Crash) 68d27acd69 Update
Add exploit-db references
nil check  to version
2015-09-04 23:18:24 +02:00
jvazquez-r7 1ebc25092f
Delete some comments 2015-09-04 16:18:15 -05:00
Ewerson Guimaraes (Crash) 5b5e97f37a Update
Add normalize_uri
Change print_status  tp vprint_status
Removed unused http headers
an other minor changes
2015-09-04 22:12:42 +02:00
Roberto Soares cc405957db Add some improvements 2015-09-04 16:02:30 -03:00
Roberto Soares 4531d17cab Added the rest of the code 2015-09-04 15:37:42 -03:00
Roberto Soares b9ba12e42a Added get_token method. 2015-09-04 15:27:28 -03:00
Ewerson Guimaraes (Crash) 5063acac3c Poorly designed argument fixed
Poorly designed argument fixed
2015-09-04 19:43:49 +02:00
HD Moore 04d622b69b Cleanup Jenkins-CI module titles and option descriptions 2015-09-04 10:25:51 -07:00
Ewerson Guimaraes (Crash) cf8b34191d Updates
Add Def for  cgi request.
2015-09-04 19:19:02 +02:00
Roberto Soares 6f4f8e34b4 Added method bolt_login. 2015-09-04 10:45:15 -03:00
wchen-r7 d55757350d Use the latest credential API, no more report_auth_info 2015-09-04 03:04:14 -05:00
Roberto Soares a195f5bb9e Initial commit - Skeleton 2015-09-04 04:09:16 -03:00
jvazquez-r7 ef6df5bc26
Use get_target_arch 2015-09-03 16:30:46 -05:00
jvazquez-r7 2588439246
Add references for the win32k info leak 2015-09-03 15:35:41 -05:00
James Lee b2c401696b
Add certutil support.
Tested while landing #5736
2015-09-03 14:24:37 -05:00
James Lee 1e6a1f6d05 Revert "Fix spec like I shoulda done before landing #5736"
This reverts commit 956c8e550d.

Conflicts:
	spec/lib/rex/exploitation/cmdstager/certutil_spec.rb
2015-09-03 14:18:55 -05:00
Ewerson Guimaraes (Crash) 92aa09a586 Merge remote-tracking branch 'rapid7/master' into Uptime 2015-09-03 20:48:50 +02:00
Ewerson Guimaraes (Crash) 6250983fb4 Update
Update
2015-09-03 20:29:57 +02:00
James Lee b4547711f3
Add certutil support.
Tested while landing #5736
2015-09-03 13:27:10 -05:00
jvazquez-r7 697a6cd335
Rescue the process execute 2015-09-03 13:03:36 -05:00
jvazquez-r7 80a1e32339
Set Manual Ranking 2015-09-03 12:24:45 -05:00
HD Moore 9b51352c62
Land #5639, adds registry persistence 2015-09-03 11:26:38 -05:00
jvazquez-r7 dbe901915e
Improve version detection 2015-09-03 09:54:38 -05:00
jvazquez-r7 de25a6c23c
Add metadata 2015-09-02 18:32:45 -05:00
jvazquez-r7 8f70ec8256
Fix Disclosure date 2015-09-02 18:21:36 -05:00
jvazquez-r7 b912e3ce65
Add exploit template 2015-09-02 17:28:35 -05:00
HD Moore 4090c2c8ea
Land #5880, adds ScriptHost UAC bypass for Win7/2008 2015-09-02 14:14:18 -05:00
Meatballs 582cc795ac
Remove newlines 2015-09-02 19:42:04 +01:00
HD Moore 43d3e69fb2
Land #5917, update local exploit checks 2015-09-02 12:55:45 -05:00
HD Moore 95b9208a63 Change recv to get_once to avoid indefinite hangs, cosmetic tweaks. 2015-09-02 10:30:19 -05:00
xistence a81a9e0ef8 Added TIME_WAIT for GUI windows 2015-09-02 16:55:20 +07:00
Meatballs 8f25a006a8
Change to automatic target 2015-09-02 09:13:25 +01:00
wchen-r7 4275a65407 Update local exploit checks to follow the guidelines.
Please see wiki "How to write a check() method" to learn how
these checkcodes are determined.
2015-09-01 23:26:45 -05:00
Meatballs 27775fbe58
Restrict to 7 and 2k8 2015-09-01 22:23:37 +01:00
HD Moore cd65478d29
Land #5826, swap ExitFunction -> EXITFUNC 2015-09-01 13:58:12 -05:00
Christian Mehlmauer bfc24aea16
change exitfunc to thread 2015-09-01 10:52:25 +02:00
Christian Mehlmauer 115f409fef
change exitfunc to thread 2015-09-01 10:48:07 +02:00
Christian Mehlmauer 5398bf78eb
change exitfunc to thread 2015-09-01 10:46:54 +02:00
Christian Mehlmauer 3e613dc333
change exitfunc to thread 2015-09-01 10:43:45 +02:00
Christian Mehlmauer 648c034d17
change exitfunc to thread 2015-09-01 10:42:15 +02:00
Ewerson Guimaraes (Crash) 252e80e793 Uptime Version 7.4.0 / 7.5.0 Upload and Exec file
Uptime Version 7.4.0 / 7.5.0 Upload and Exec file
2015-08-31 23:57:39 +02:00
Brent Cook d670a62000
Land #5822, migrate obsolete payload compatibility options 2015-08-31 15:20:20 -05:00
wchen-r7 9364982467
Land #5665, Add osx rootpipe entitlements exploit for 10.10.3 2015-08-28 13:33:16 -05:00
wchen-r7 e45347e745 Explain why vulnerable 2015-08-28 13:26:01 -05:00
wchen-r7 423d52476d Normal options should be all caps 2015-08-28 13:24:23 -05:00
Muhamad Fadzil Ramli 1b4f4fd225
remove url reference 2015-08-27 19:47:37 +08:00
jvazquez-r7 da4b360202
Fix typo 2015-08-26 15:29:34 -05:00
jvazquez-r7 5d0ed797a3
Update DLL 2015-08-26 15:15:32 -05:00
jvazquez-r7 dd529013f6
Update ruby side 2015-08-26 15:12:09 -05:00
JT ff868f9704 Update w3tw0rk_exec.rb 2015-08-26 23:51:09 +08:00
JT 3f6c04a445 Update w3tw0rk_exec.rb 2015-08-26 23:48:31 +08:00
JT 16341d34a2 Update w3tw0rk_exec.rb 2015-08-26 23:34:29 +08:00
JT 892f427664 Update w3tw0rk_exec.rb
removed w3tw0rk_login
2015-08-26 09:18:15 +08:00
JT 6edba2cdc8 Update w3tw0rk_exec.rb 2015-08-26 09:11:30 +08:00
JT c77226c354 Update w3tw0rk_exec.rb 2015-08-26 01:28:07 +08:00
JT 25fb325410 w3tw0rk / Pitbul IRC Bot Remote Code Execution 2015-08-26 01:22:55 +08:00
Brent Cook b1ef560264
Merge payload_inject 64-bit inject fix from @Meatballs1 2015-08-24 09:26:00 -05:00
Muhamad Fadzil Ramli 03b1ad7491
add reference info 2015-08-24 11:18:26 +08:00
Muhamad Fadzil Ramli 73cb1383d2
amend banner info for check 2015-08-24 10:55:43 +08:00
Meatballs 1c91b126f1
X64 compat for payload_inject 2015-08-23 22:03:57 +01:00
Meatballs 228087dced
Initial working scripthost bypass uac 2015-08-23 20:16:15 +01:00
Muhamad Fadzil Ramli 7587319602
run rubocop & msftidy 2015-08-23 23:32:30 +08:00
Muhamad Fadzil Ramli a5daa5c9be
added module descriptions 2015-08-23 23:12:41 +08:00
Muhamad Fadzil Ramli 91a7531af8
konica minolta ftp server post auth cwd command exploit 2015-08-23 21:49:26 +08:00
wchen-r7 dc1e7e02b6
Land #5853, Firefox 35-36 RCE one-click exploi 2015-08-20 13:27:21 -05:00
wchen-r7 45c7e4760a Support x64 payloads 2015-08-20 02:09:58 -05:00
Brent Cook 6b94513a37
Land #5860, add tpwn OS X local kernel exploit (https://github.com/kpwn/tpwn) 2015-08-17 17:41:04 -05:00
William Vu 26165ea93f Add tpwn module 2015-08-17 17:11:11 -05:00
Brent Cook b17d8f8d49
Land #5768, update modules to use metasploit-credential 2015-08-17 17:08:58 -05:00
joev 98e2d074c3 Add disclosure date. 2015-08-15 20:09:41 -05:00
joev a133e98ba5 Adds a ff 35-36 RCE vector based off the recent ff bug. 2015-08-15 20:02:00 -05:00
HD Moore 42e08cbe07 Fix bad use of get_profile (now browser_profile) 2015-08-14 19:50:42 -05:00
jvazquez-r7 c02df6b39d
Land #5800, @bperry's Symantec Endpoint Protection Manager RCE module 2015-08-14 17:03:48 -05:00
jvazquez-r7 b33abd72ce
Complete description 2015-08-14 17:03:21 -05:00
jvazquez-r7 4aa3be7ba2
Do ruby fixing and use FileDropper 2015-08-14 17:00:27 -05:00
Spencer McIntyre 33f1324fa9
Land #5813, @jakxx adds VideoCharge SEH file exploit 2015-08-13 18:01:25 -04:00
jakxx e9d3289c23 EXITFUNC caps 2015-08-13 17:25:31 -04:00
jakxx 6e1c714b2b Update to leverage auto-NOP generation 2015-08-13 17:24:18 -04:00
jakxx 361624161b msftidy 2015-08-13 16:27:27 -04:00
jakxx 03eb2d71b2 Add watermark fileformat exploit 2015-08-13 16:26:17 -04:00
William Vu f19186adda
Land #5841, homm3_h3m default target change 2015-08-13 14:54:58 -05:00
Tod Beardsley 02c6ea31bb
Use the more recent HD version as default target 2015-08-13 14:42:21 -05:00
Christian Mehlmauer 80a22412d9 use EXITFUNC instead of ExitFunction 2015-08-13 21:22:32 +02:00
William Vu 605a14350f
Land #5833, sshexec improvements 2015-08-13 14:16:22 -05:00
William Vu 3bd6c4cee4 Add a comma 2015-08-13 14:16:09 -05:00
Mo Sadek 677ec341dd
Land #5839, pre-bloggery cleanup edits 2015-08-13 13:43:57 -05:00
William Vu c94a185610
Land #5697, Werkzeug debug RCE 2015-08-13 13:32:27 -05:00
William Vu d54ee19ce9 Clean up module 2015-08-13 13:32:22 -05:00
Tod Beardsley bb4116ed9d
Avoid msftidy.rb rule breaking on missing newline 2015-08-13 12:38:05 -05:00
jakxx e7566d6aee Adding print_status line 2015-08-12 16:08:04 -04:00
Spencer McIntyre 28fbb7cdde Update the description of the sshexec module 2015-08-12 16:05:09 -04:00
Spencer McIntyre dfe2bbf1e9 Add a python target to the sshexec module 2015-08-12 15:46:47 -04:00
Christian Mehlmauer 979d7e6be3
improve module 2015-08-12 15:37:37 +02:00
jakxx 2b225b2e7e Added changes per feedback
Updated to include and use seh mixin
changed offset and space for reliability
got rand_text buffer junk working
removed double spaces and stupid fillers in file data
2015-08-12 01:34:45 -04:00
jakxx 4c28cae5d1 updated to include recommendation from @zerosteiner 2015-08-10 18:38:23 -04:00
jvazquez-r7 203c231b74
Fix #5659: Update CMD exploits payload compatibility options 2015-08-10 17:12:59 -05:00
jakxx 23f51bf265 specify junk data 2015-08-07 18:04:11 -04:00
jakxx 28ad0fccbd Added VideoCharge Studio File Format Exploit 2015-08-07 15:54:32 -04:00
Brandon Perry 74ed8cf0c9 actually that didn't work 2015-08-02 18:57:13 -05:00
Brandon Perry 06754c36a4 unless, not if not 2015-08-02 18:51:23 -05:00
Brandon Perry 527eaea6ec single quotes and some error handling 2015-08-02 18:25:17 -05:00
Brandon Perry a33724667c small code cleanup 2015-08-02 16:36:41 -05:00
Brandon Perry 830aee8aa5 check if cookie is actually returned, and if not, fail 2015-08-02 15:22:40 -05:00
Brandon Perry a534008ba6 add some status lines 2015-08-02 15:03:59 -05:00
Brandon Perry fe20bc88ad remove badchars 2015-08-02 11:37:06 -05:00
Brandon Perry f7ceec36d0 set default RPORT and SSL 2015-08-02 08:59:36 -05:00
Brandon Perry a33dff637d exploit cve 2015-1489 to get SYSTEM 2015-08-02 08:31:03 -05:00
Brandon Perry 12ac6d81fa add markus as the discoverer specifically 2015-08-02 08:17:12 -05:00
Brandon Perry e70ec8c07b no need to store res for the later requests 2015-08-01 18:00:35 -05:00
Brandon Perry 272d75e437 check res before calling get_cookies 2015-08-01 17:58:41 -05:00
Meatballs 6f31183904
Fix VSS Persistance to check integrity level 2015-08-01 23:13:05 +01:00
Brandon Perry 47e86000ee randomize the file names 2015-08-01 16:50:06 -05:00
Brandon Perry 2bfc8e59be remove printline 2015-08-01 16:43:31 -05:00
Brandon Perry 0067d25180 add the sepm auth bypass rce module 2015-08-01 16:40:03 -05:00
Meatballs a6a8117e46 Revert "Land #5777, fix #4558 vss_persistence"
This reverts commit ba4b2fbbea, reversing
changes made to affc86bfd9.
2015-08-01 22:35:24 +01:00
h00die eab9b3bf5b interpolation fix on secret 2015-08-01 14:39:12 -04:00
h00die ceb49a51a6 thanks @espreto for help 2015-08-01 11:11:37 -04:00
wchen-r7 ba4b2fbbea
Land #5777, fix #4558 vss_persistence 2015-07-31 16:46:01 -05:00
jvazquez-r7 1ec960d8f9
Make the time to write flush configurable 2015-07-31 16:43:43 -05:00
wchen-r7 672d83eaae
Land #5789, Heroes of Might and Magic III .h3m Map File Buffer Overflow 2015-07-31 15:43:43 -05:00
aakerblom 7c5e5f0f22 add crc32 forging for Heroes III demo target 2015-08-01 04:53:49 -07:00
aakerblom 7af83a112d fix unreliable address 2015-08-01 04:52:50 -07:00
aakerblom 908d6f946f added target Heroes III Demo 1.0.0.0 2015-07-31 18:19:37 -07:00
aakerblom 16042cd45b fix variable names in comment 2015-07-31 18:16:15 -07:00
aakerblom 66c92aae5d fix documentation 2015-07-31 17:12:50 -07:00
aakerblom 6fdd2f91ce rescue only Errno::ENOENT 2015-07-31 13:54:29 -07:00
aakerblom 6671df6672 add documentation 2015-07-31 13:53:56 -07:00
aakerblom 013201bd99 remove unneeded require 2015-07-31 13:49:27 -07:00
aakerblom 12a6bdb67b Add Heroes of Might and Magic III .h3m map file Buffer Overflow module 2015-07-31 02:06:47 -07:00
aakerblom d4c8d5884c Fix a small typo 2015-07-31 11:47:46 -07:00
wchen-r7 54c5c6ea38 Another update 2015-07-29 14:31:35 -05:00
wchen-r7 768de00214 Automatically pass arch & platform from cmdstager
This allows the cmdstager mixin to automatically pass the arch
and platform information without changing the modules. This should
address the following tickets:

Fix #5727
Fix #5718
Fix #5761
2015-07-27 14:17:21 -05:00
jvazquez-r7 bf6975c01a
Fix #4558 by restoring the old wmicexec 2015-07-27 14:04:10 -05:00
wchen-r7 2d0a26ea8b
Land #5774, Fix URIPATH=/ and stack trace on missing ntdll version match 2015-07-25 17:54:49 -05:00
HD Moore a7b5890dc5 Fix URIPATH=/ and stack trace on missing ntdll version match 2015-07-25 15:39:20 -07:00
h00die 4561241609 updates per @jvazquez-r7 comments 2015-07-24 20:34:40 -04:00
jvazquez-r7 2c9183fa56
Return check code 2015-07-24 16:14:43 -05:00
jvazquez-r7 a163606513
Delete unused SLEEP option 2015-07-24 15:29:56 -05:00
jvazquez-r7 1b1ac09d2a Merge to solve conflicts 2015-07-24 15:24:29 -05:00
William Vu 10783d60cd
Land #5763, generate_payload_exe merged opts fix 2015-07-24 10:56:29 -05:00
William Vu 50c9293aab
Land #5758, OS X DYLD_PRINT_TO_FILE privesc 2015-07-23 13:21:23 -05:00
William Vu c1a9628332 Fix some fixes
So you can fix while you fix.
2015-07-23 12:59:20 -05:00
Tod Beardsley 6ededbd7a7
Un-ticking the output 2015-07-23 12:23:56 -05:00
Tod Beardsley 9d8dd2f8bd
FIxup pr #5758 2015-07-23 12:21:36 -05:00
wchen-r7 6720a57659 Fix #5761, pass the correct arch and platform for exe generation
Fix #5761
2015-07-23 01:34:44 -05:00
joev 165cb195bf Remove python dependency, add credit URL. 2015-07-21 22:48:23 -05:00
joev 3013ab4724 Add osx root privilege escalation. 2015-07-21 21:50:55 -05:00
William Vu 928c82c96e
Land #5745, undefined variable "rop" fix 2015-07-21 11:01:49 -05:00
Tod Beardsley cadb03bac0
Fix my own blasted typo, ty @wvu-r7 2015-07-20 17:14:34 -05:00
Tod Beardsley 2052b4ef56
Fixed the HT leak attribution a little 2015-07-20 16:36:47 -05:00
Tod Beardsley f7c11d0852
More cleanups
Edited modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb
first landed in #5678, adobe_flash_hacking_team_uaf.rb

Edited
modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb
first landed in #5698, Adobe Flash CVE-2015-5122 opaqueBackground

Edited modules/exploits/multi/http/sysaid_auth_file_upload.rb first
landed in #5471, @pedrib's module for SysAid CVE-2015-2994

Edited modules/exploits/multi/http/sysaid_rdslogs_file_upload.rb first
landed in #5473 Correct spelling of sysaid module
2015-07-20 16:29:49 -05:00
Tod Beardsley ab6204ca2e
Correct spelling of sysaid module
First landed in #5473.
2015-07-20 16:21:50 -05:00
Pedro Ribeiro 3fe165a265 Remove whitespace at the end 2015-07-18 20:18:34 +01:00
Pedro Ribeiro 70a2247941 Pick target is not needed... 2015-07-18 20:12:49 +01:00
Pedro Ribeiro 7483e77bba Fix Linux target by trying again if exploit fails 2015-07-18 20:12:13 +01:00
wchen-r7 29defc979b Fix #5740, remove variable ROP for adobe_flashplayer_flash10o 2015-07-17 16:57:37 -05:00
wchen-r7 7113c801b1
Land #5732, reliability update for adobe_flash_hacking_team_uaf 2015-07-17 16:43:39 -05:00
wchen-r7 837eb9ea38
Land #5742, better quality coverage for adobe_flash_opaque_background_uaf 2015-07-17 16:25:14 -05:00
wchen-r7 f77f7d6916 Bump rank 2015-07-17 16:23:27 -05:00
wchen-r7 0bd1dc017e Update coverage information 2015-07-17 16:23:00 -05:00
jvazquez-r7 4e6b00fe31
Land #5473, @pedrib's exploit for Sysaid CVE-2015-2994
* sysaid rdslogs arbitrary file upload
2015-07-17 12:10:40 -05:00
jvazquez-r7 00adbd7f64 Fix quotes 2015-07-17 12:09:54 -05:00
jvazquez-r7 57c4a3387b
Fix paths for windows and cleanup 2015-07-17 12:09:18 -05:00
jvazquez-r7 46ffb97c1c
Land #5471, @pedrib's module for SysAid CVE-2015-2994
* sysaid arbitrary file upload
2015-07-17 11:27:22 -05:00
jvazquez-r7 309a86ec57
Do code cleanup 2015-07-17 11:26:54 -05:00
jvazquez-r7 255d8ed096
Improve adobe_flash_opaque_background_uaf 2015-07-16 14:56:32 -05:00
jvazquez-r7 b504f0be8e
Update adobe_flash_hacking_team_uaf 2015-07-15 18:18:04 -05:00
William Vu ea4a7d98b9
Land #5728, Arch specification for psexec 2015-07-15 15:36:27 +00:00
jvazquez-r7 886ca47dfb
Land #5650, @wchen-r7's browser autopwn 2 2015-07-15 10:21:44 -05:00
Christian Mehlmauer b31c637c1b
Land #5533, DSP-W110 cookie command injection 2015-07-15 11:22:33 +02:00
Christian Mehlmauer 21375edcb2
final cleanup 2015-07-15 11:21:39 +02:00
Brent Cook a7d866bc83 specify the 'Arch' values that psexec supports 2015-07-14 15:45:52 -06:00
h00die 57f62ffa76 changed URI to TARGETURI as per comments 2015-07-13 20:18:45 -04:00
William Vu 405261df4f
Land #5710, php_wordpress_total_cache removal
Deprecated.
2015-07-13 18:33:12 +00:00
William Vu 3feef639b9
Land #5711, php_wordpress_optimizepress removal
Deprecated.
2015-07-13 18:32:37 +00:00
William Vu 6e12cbf98f
Land #5712, php_wordpress_lastpost removal
Deprecated.
2015-07-13 18:31:31 +00:00
William Vu dd188b1943
Land #5713, php_wordpress_infusionsoft removal
Deprecated.
2015-07-13 18:31:01 +00:00
wchen-r7 4960e64597 Remove php_wordpress_foxypress, use wp_foxypress_upload
Please use exploit/unix/webapp/wp_foxypress_upload instead.
2015-07-13 12:53:34 -05:00
wchen-r7 dfbeb24a8f Remove php_wordpress_infusionsoft, use wp_infusionsoft_upload
Please use exploit/unix/webapp/wp_infusionsoft_upload instead.
2015-07-13 12:51:48 -05:00
wchen-r7 b80427aed2 Remove php_wordpress_lastpost, use wp_lastpost_exec instead.
Please use exploit/unix/webapp/wp_lastpost_exec instead
2015-07-13 12:49:27 -05:00
wchen-r7 90cc3f7891 Remove php_wordpress_optimizepress, use wp_optimizepress_upload
Please use exploit/unix/webapp/wp_optimizepress_upload instead.
2015-07-13 12:45:39 -05:00
wchen-r7 4177cdacd6 Remove php_wordpress_total_cache, please use wp_total_cache_exec
The time is up for exploit/unix/webapp/php_wordpress_total_cache,
please use exploit/unix/webapp/wp_total_cache_exec instead.
2015-07-13 12:41:29 -05:00
wchen-r7 e638d85f30
Merge branch 'upstream-master' into bapv2 2015-07-12 02:01:09 -05:00
h00die 8819674522 updated per feedback from PR 2015-07-11 21:03:02 -04:00
wchen-r7 f7ce6dcc9f We agreed to Normal 2015-07-11 02:07:18 -05:00
wchen-r7 0ff7333090 Lower the ranking for CVE-2015-5122
As an initial release we forgot to lower it.
2015-07-11 02:05:56 -05:00
wchen-r7 1289ec8863 authors 2015-07-11 01:38:21 -05:00
wchen-r7 6eabe5d48c Update description 2015-07-11 01:36:26 -05:00
wchen-r7 54fc712131 Update Win 8.1 checks 2015-07-11 01:33:23 -05:00
jvazquez-r7 6f0b9896e1
Update description 2015-07-11 00:56:18 -05:00
jvazquez-r7 115549ca75
Delete old check 2015-07-11 00:42:59 -05:00
jvazquez-r7 63005a3b92
Add module for flash CVE-2015-5122
* Just a fast port for the exploit leaked
* Just tested on win7sp1 / IE11
2015-07-11 00:28:55 -05:00
h00die bff92f2304 Initial add 2015-07-10 21:13:12 -04:00
jvazquez-r7 5a045677bc
Add waiting message 2015-07-10 18:48:46 -05:00
jvazquez-r7 8d52c265d9
Delete wfsdelay 2015-07-10 18:46:27 -05:00
jvazquez-r7 63e91fa50f
Add reference 2015-07-10 18:46:06 -05:00
jvazquez-r7 677cd97cc2
Update information 2015-07-10 18:39:11 -05:00
jvazquez-r7 6c6a778218
Modify arkeia_agent_exec title 2015-07-10 18:38:25 -05:00
jvazquez-r7 4995728459
Modify arkeia_agent_exec ranking 2015-07-10 18:37:24 -05:00
jvazquez-r7 858f63cdbf
Land #5693, @xistence VNC Keyboard EXEC module 2015-07-10 18:35:44 -05:00
jvazquez-r7 1326a26be5
Do code cleanup 2015-07-10 18:35:13 -05:00
jvazquez-r7 917282a1f1
Fix ranking 2015-07-10 17:49:15 -05:00
jvazquez-r7 e063e26627
Land #5689, @xistence's module for Western Digital Arkeia command injection 2015-07-10 17:11:35 -05:00
jvazquez-r7 bdd8b56336
fix comment 2015-07-10 16:28:20 -05:00
jvazquez-r7 95ae7d8cae
Fix length limitation 2015-07-10 16:24:49 -05:00
Mo Sadek 3347b90db7 Land #5676, print_status with ms14_064 2015-07-10 14:40:49 -05:00
jvazquez-r7 29a497a616
Read header as 6 bytes 2015-07-10 14:25:57 -05:00
jvazquez-r7 bed3257a3f
Change default HTTP_DELAY 2015-07-10 12:50:26 -05:00
jvazquez-r7 c9d2ab58d3
Use HttpServer::HTML
* And make the exploit Aggressive
2015-07-10 12:48:21 -05:00
jvazquez-r7 e1192c75a9
Fix network communication on `communicate`
* Some protocol handling just to not read amounts of data blindly
2015-07-10 11:57:48 -05:00
Tod Beardsley 9206df077f
Land #5694, R7-2015-08 2015-07-10 11:42:57 -05:00
jvazquez-r7 9ba515f185
Fix network communication on `check`
* Some protocol handling just to not read amounts of data blindly
2015-07-10 11:32:49 -05:00
jvazquez-r7 c70be64517
Fix version check 2015-07-10 10:57:55 -05:00
jvazquez-r7 34a6984c1d
Fix variable name 2015-07-10 10:44:38 -05:00
jvazquez-r7 2c7cc83e38
Use single quotes 2015-07-10 10:34:47 -05:00
jvazquez-r7 f66cf91676
Fix metadata 2015-07-10 10:33:02 -05:00
xistence b916a9d267 VNC Keyboard Exec 2015-07-10 14:08:32 +07:00
xistence 13a69e4011 X11 Keyboard Exec 2015-07-10 13:57:54 +07:00
xistence 52d41c8309 Western Digital Arkeia 'ARKFS_EXEC_CMD' <= v11.0.12 Remote Code Execution 2015-07-10 09:51:28 +07:00
Michael Messner d7beb1a685 feedback included 2015-07-09 08:31:11 +02:00
HD Moore 25e0f888dd Initial commit of R7-2015-08 coverage 2015-07-08 13:42:11 -05:00
wchen-r7 a3ec56c4cb Do it in on_request_exploit because it's too specific 2015-07-08 12:32:38 -05:00
wchen-r7 cefbdbb8d3 Avoid unreliable targets
If we can't garantee GreatRanking on specific targets, avoid them.
2015-07-08 12:12:53 -05:00
wchen-r7 6a33807d80 No Chrome for now 2015-07-07 15:56:58 -05:00
jvazquez-r7 f8b668e894
Update ranking and References 2015-07-07 15:43:02 -05:00
Tod Beardsley 116c3f0be1
Add CVE as a real ref, too 2015-07-07 14:46:44 -05:00
Tod Beardsley 3d630de353
Replace with a real CVE number 2015-07-07 14:44:12 -05:00
wchen-r7 fdb715c9dd
Merge branch 'upstream-master' into bapv2 2015-07-07 13:45:39 -05:00
jvazquez-r7 829b08b2bf
Complete authors list 2015-07-07 12:49:54 -05:00
wchen-r7 49effdf3d1 Update description 2015-07-07 12:46:02 -05:00
wchen-r7 d885420aff This changes the version requirement for adobe_flash_hacking_team_uaf.rb
Because it works for Win 8.1 + IE11 too
2015-07-07 12:42:56 -05:00
wchen-r7 d30688b116 Add more requirement info 2015-07-07 12:33:47 -05:00
jvazquez-r7 d9aacf2d41
Add module for hacking team flash exploit 2015-07-07 11:19:48 -05:00
wchen-r7 c37b60de7b Do some print_status with ms14_064 2015-07-07 00:57:37 -05:00
Michael Messner 5b6ceff339 mime message 2015-07-06 15:00:12 +02:00
joev 133e221dcd Remove unnecessary steps. 2015-07-05 19:00:58 -05:00
joev c993c70006 Remove sleep(), clean up WritableDir usage. 2015-07-05 18:59:00 -05:00
joev 72a1e9ad99 Add module for rootpipe+entitlements exploit for 10.10.3. 2015-07-05 18:19:46 -05:00
Ben Lincoln 6e9a477367 Removed reference URL for the report to the vendor, as it is no
longer valid.
2015-07-03 13:48:24 -07:00