Commit Graph

5083 Commits (c23be2bb79d9b5e90b5171681c3371cd5c05e3d2)

Author SHA1 Message Date
wchen-r7 01053095f9 Add MS15-100 Microsoft Windows Media Center MCL Vulnerability 2015-09-11 15:05:06 -05:00
jvazquez-r7 53f995b9c3
Do first prototype 2015-09-10 19:35:26 -05:00
jvazquez-r7 329e6f4633
Fix title 2015-09-08 15:31:14 -05:00
samvartaka 0a0e7ab4ba This is a modification to the original poisonivy_bof.rb exploit
module removing the need for bruteforce in the case of an unknown
server password by (ab)using the challenge-response as an encryption
oracle, making it more reliable. The vulnerability has also been confirmed
in versions 2.2.0 up to 2.3.1 and additional targets for these versions
have been added as well.

See http://samvartaka.github.io/malware/2015/09/07/poison-ivy-reliable-exploitation/
for details.

## Console output

Below is an example of the new functionality (PIVY C2 server password is
set to 'prettysecure' and unknown to attacker). Exploitation of versions 2.3.0 and 2.3.1
is similar.

### Version 2.3.2 (unknown password)

```
msf > use windows/misc/poisonivy_bof
msf exploit(poisonivy_bof) > set RHOST 192.168.0.103
RHOST => 192.168.0.103
msf exploit(poisonivy_bof) > check

[*] Vulnerable Poison Ivy C&C version 2.3.1/2.3.2 detected.
[*] 192.168.0.103:3460 - The target appears to be vulnerable.
msf exploit(poisonivy_bof) > set PAYLOAD windows/shell_bind_tcp
PAYLOAD => windows/shell_bind_tcp
msf exploit(poisonivy_bof) > exploit

[*] Started bind handler
[*] Performing handshake...
[*] Sending exploit...

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\winxp\Desktop\Poison Ivy\Poison Ivy 2.3.2>
```

### Version 2.2.0 (unknown password)

```
msf exploit(poisonivy_bof) > check

[*] Vulnerable Poison Ivy C&C version 2.2.0 detected.
[*] 192.168.0.103:3460 - The target appears to be vulnerable.

msf exploit(poisonivy_bof) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Poison Ivy 2.2.0 on Windows XP SP3 / Windows 7 SP1
   1   Poison Ivy 2.3.0 on Windows XP SP3 / Windows 7 SP1
   2   Poison Ivy 2.3.1, 2.3.2 on Windows XP SP3 / Windows 7 SP1

msf exploit(poisonivy_bof) > set TARGET 0
TARGET => 0

msf exploit(poisonivy_bof) > exploit

[*] Started bind handler
[*] Performing handshake...
[*] Sending exploit...

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\winxp\Desktop\Poison Ivy\Poison Ivy 2.2.0>
```
2015-09-07 17:48:28 +02:00
jvazquez-r7 ef6df5bc26
Use get_target_arch 2015-09-03 16:30:46 -05:00
jvazquez-r7 2588439246
Add references for the win32k info leak 2015-09-03 15:35:41 -05:00
jvazquez-r7 697a6cd335
Rescue the process execute 2015-09-03 13:03:36 -05:00
jvazquez-r7 80a1e32339
Set Manual Ranking 2015-09-03 12:24:45 -05:00
HD Moore 9b51352c62
Land #5639, adds registry persistence 2015-09-03 11:26:38 -05:00
jvazquez-r7 dbe901915e
Improve version detection 2015-09-03 09:54:38 -05:00
jvazquez-r7 de25a6c23c
Add metadata 2015-09-02 18:32:45 -05:00
jvazquez-r7 8f70ec8256
Fix Disclosure date 2015-09-02 18:21:36 -05:00
jvazquez-r7 b912e3ce65
Add exploit template 2015-09-02 17:28:35 -05:00
HD Moore 4090c2c8ea
Land #5880, adds ScriptHost UAC bypass for Win7/2008 2015-09-02 14:14:18 -05:00
Meatballs 582cc795ac
Remove newlines 2015-09-02 19:42:04 +01:00
HD Moore 43d3e69fb2
Land #5917, update local exploit checks 2015-09-02 12:55:45 -05:00
Meatballs 8f25a006a8
Change to automatic target 2015-09-02 09:13:25 +01:00
wchen-r7 4275a65407 Update local exploit checks to follow the guidelines.
Please see wiki "How to write a check() method" to learn how
these checkcodes are determined.
2015-09-01 23:26:45 -05:00
Meatballs 27775fbe58
Restrict to 7 and 2k8 2015-09-01 22:23:37 +01:00
HD Moore cd65478d29
Land #5826, swap ExitFunction -> EXITFUNC 2015-09-01 13:58:12 -05:00
Christian Mehlmauer bfc24aea16
change exitfunc to thread 2015-09-01 10:52:25 +02:00
Christian Mehlmauer 115f409fef
change exitfunc to thread 2015-09-01 10:48:07 +02:00
Christian Mehlmauer 5398bf78eb
change exitfunc to thread 2015-09-01 10:46:54 +02:00
Christian Mehlmauer 3e613dc333
change exitfunc to thread 2015-09-01 10:43:45 +02:00
Christian Mehlmauer 648c034d17
change exitfunc to thread 2015-09-01 10:42:15 +02:00
Muhamad Fadzil Ramli 1b4f4fd225
remove url reference 2015-08-27 19:47:37 +08:00
jvazquez-r7 da4b360202
Fix typo 2015-08-26 15:29:34 -05:00
jvazquez-r7 5d0ed797a3
Update DLL 2015-08-26 15:15:32 -05:00
jvazquez-r7 dd529013f6
Update ruby side 2015-08-26 15:12:09 -05:00
Brent Cook b1ef560264
Merge payload_inject 64-bit inject fix from @Meatballs1 2015-08-24 09:26:00 -05:00
Muhamad Fadzil Ramli 03b1ad7491
add reference info 2015-08-24 11:18:26 +08:00
Muhamad Fadzil Ramli 73cb1383d2
amend banner info for check 2015-08-24 10:55:43 +08:00
Meatballs 1c91b126f1
X64 compat for payload_inject 2015-08-23 22:03:57 +01:00
Meatballs 228087dced
Initial working scripthost bypass uac 2015-08-23 20:16:15 +01:00
Muhamad Fadzil Ramli 7587319602
run rubocop & msftidy 2015-08-23 23:32:30 +08:00
Muhamad Fadzil Ramli a5daa5c9be
added module descriptions 2015-08-23 23:12:41 +08:00
Muhamad Fadzil Ramli 91a7531af8
konica minolta ftp server post auth cwd command exploit 2015-08-23 21:49:26 +08:00
wchen-r7 45c7e4760a Support x64 payloads 2015-08-20 02:09:58 -05:00
HD Moore 42e08cbe07 Fix bad use of get_profile (now browser_profile) 2015-08-14 19:50:42 -05:00
jvazquez-r7 c02df6b39d
Land #5800, @bperry's Symantec Endpoint Protection Manager RCE module 2015-08-14 17:03:48 -05:00
jvazquez-r7 b33abd72ce
Complete description 2015-08-14 17:03:21 -05:00
jvazquez-r7 4aa3be7ba2
Do ruby fixing and use FileDropper 2015-08-14 17:00:27 -05:00
Spencer McIntyre 33f1324fa9
Land #5813, @jakxx adds VideoCharge SEH file exploit 2015-08-13 18:01:25 -04:00
jakxx e9d3289c23 EXITFUNC caps 2015-08-13 17:25:31 -04:00
jakxx 6e1c714b2b Update to leverage auto-NOP generation 2015-08-13 17:24:18 -04:00
jakxx 361624161b msftidy 2015-08-13 16:27:27 -04:00
jakxx 03eb2d71b2 Add watermark fileformat exploit 2015-08-13 16:26:17 -04:00
Tod Beardsley 02c6ea31bb
Use the more recent HD version as default target 2015-08-13 14:42:21 -05:00
Christian Mehlmauer 80a22412d9 use EXITFUNC instead of ExitFunction 2015-08-13 21:22:32 +02:00
Tod Beardsley bb4116ed9d
Avoid msftidy.rb rule breaking on missing newline 2015-08-13 12:38:05 -05:00
jakxx e7566d6aee Adding print_status line 2015-08-12 16:08:04 -04:00
Christian Mehlmauer 979d7e6be3
improve module 2015-08-12 15:37:37 +02:00
jakxx 2b225b2e7e Added changes per feedback
Updated to include and use seh mixin
changed offset and space for reliability
got rand_text buffer junk working
removed double spaces and stupid fillers in file data
2015-08-12 01:34:45 -04:00
jakxx 4c28cae5d1 updated to include recommendation from @zerosteiner 2015-08-10 18:38:23 -04:00
jakxx 23f51bf265 specify junk data 2015-08-07 18:04:11 -04:00
jakxx 28ad0fccbd Added VideoCharge Studio File Format Exploit 2015-08-07 15:54:32 -04:00
Brandon Perry 74ed8cf0c9 actually that didn't work 2015-08-02 18:57:13 -05:00
Brandon Perry 06754c36a4 unless, not if not 2015-08-02 18:51:23 -05:00
Brandon Perry 527eaea6ec single quotes and some error handling 2015-08-02 18:25:17 -05:00
Brandon Perry a33724667c small code cleanup 2015-08-02 16:36:41 -05:00
Brandon Perry 830aee8aa5 check if cookie is actually returned, and if not, fail 2015-08-02 15:22:40 -05:00
Brandon Perry a534008ba6 add some status lines 2015-08-02 15:03:59 -05:00
Brandon Perry fe20bc88ad remove badchars 2015-08-02 11:37:06 -05:00
Brandon Perry f7ceec36d0 set default RPORT and SSL 2015-08-02 08:59:36 -05:00
Brandon Perry a33dff637d exploit cve 2015-1489 to get SYSTEM 2015-08-02 08:31:03 -05:00
Brandon Perry 12ac6d81fa add markus as the discoverer specifically 2015-08-02 08:17:12 -05:00
Brandon Perry e70ec8c07b no need to store res for the later requests 2015-08-01 18:00:35 -05:00
Brandon Perry 272d75e437 check res before calling get_cookies 2015-08-01 17:58:41 -05:00
Meatballs 6f31183904
Fix VSS Persistance to check integrity level 2015-08-01 23:13:05 +01:00
Brandon Perry 47e86000ee randomize the file names 2015-08-01 16:50:06 -05:00
Brandon Perry 2bfc8e59be remove printline 2015-08-01 16:43:31 -05:00
Brandon Perry 0067d25180 add the sepm auth bypass rce module 2015-08-01 16:40:03 -05:00
Meatballs a6a8117e46 Revert "Land #5777, fix #4558 vss_persistence"
This reverts commit ba4b2fbbea, reversing
changes made to affc86bfd9.
2015-08-01 22:35:24 +01:00
wchen-r7 ba4b2fbbea
Land #5777, fix #4558 vss_persistence 2015-07-31 16:46:01 -05:00
jvazquez-r7 1ec960d8f9
Make the time to write flush configurable 2015-07-31 16:43:43 -05:00
wchen-r7 672d83eaae
Land #5789, Heroes of Might and Magic III .h3m Map File Buffer Overflow 2015-07-31 15:43:43 -05:00
aakerblom 7c5e5f0f22 add crc32 forging for Heroes III demo target 2015-08-01 04:53:49 -07:00
aakerblom 7af83a112d fix unreliable address 2015-08-01 04:52:50 -07:00
aakerblom 908d6f946f added target Heroes III Demo 1.0.0.0 2015-07-31 18:19:37 -07:00
aakerblom 16042cd45b fix variable names in comment 2015-07-31 18:16:15 -07:00
aakerblom 66c92aae5d fix documentation 2015-07-31 17:12:50 -07:00
aakerblom 6fdd2f91ce rescue only Errno::ENOENT 2015-07-31 13:54:29 -07:00
aakerblom 6671df6672 add documentation 2015-07-31 13:53:56 -07:00
aakerblom 013201bd99 remove unneeded require 2015-07-31 13:49:27 -07:00
aakerblom 12a6bdb67b Add Heroes of Might and Magic III .h3m map file Buffer Overflow module 2015-07-31 02:06:47 -07:00
aakerblom d4c8d5884c Fix a small typo 2015-07-31 11:47:46 -07:00
jvazquez-r7 bf6975c01a
Fix #4558 by restoring the old wmicexec 2015-07-27 14:04:10 -05:00
HD Moore a7b5890dc5 Fix URIPATH=/ and stack trace on missing ntdll version match 2015-07-25 15:39:20 -07:00
wchen-r7 29defc979b Fix #5740, remove variable ROP for adobe_flashplayer_flash10o 2015-07-17 16:57:37 -05:00
William Vu ea4a7d98b9
Land #5728, Arch specification for psexec 2015-07-15 15:36:27 +00:00
Brent Cook a7d866bc83 specify the 'Arch' values that psexec supports 2015-07-14 15:45:52 -06:00
wchen-r7 e638d85f30
Merge branch 'upstream-master' into bapv2 2015-07-12 02:01:09 -05:00
wchen-r7 c37b60de7b Do some print_status with ms14_064 2015-07-07 00:57:37 -05:00
Donny Maasland e355e56539 Add check 2015-07-02 10:54:44 +02:00
wchen-r7 8051a99f4a
Merge branch 'upstream-master' into bapv2 2015-07-01 18:45:42 -05:00
Donny Maasland 56c3102603 That's what you get for making edits on github.com.. 2015-07-01 17:51:57 +02:00
Donny Maasland 4847fb9830 Add a neater powershell command 2015-07-01 17:47:47 +02:00
Donny Maasland 822a46fee6 Merge branch 'master' of github:dmaasland/metasploit-framework 2015-07-01 17:47:33 +02:00
Donny Maasland 4f72df3202 Create a neater powershell command 2015-07-01 17:47:08 +02:00
Donny Maasland ffe710af2d Update registry_persistence.rb
Omg spaces
2015-07-01 17:21:12 +02:00
Donny Maasland 26e3ec0a5f Add a switch for creating a cleanup rc file 2015-07-01 17:06:16 +02:00
Donny Maasland 20708ebc82 Add a check to prevent accidental deletion of existing registry keys 2015-07-01 16:45:03 +02:00
Donny Maasland 2e48bae71c fixes 2015-07-01 16:15:13 +02:00
Donny Maasland 335487afa0 fixes 2015-07-01 16:09:55 +02:00
Donny Maasland d0845b8c66 msftidy fix 2015-07-01 12:50:34 +02:00
Donny Maasland a3db6c6ae3 Msftidy fix 2015-07-01 12:47:10 +02:00
Donny Maasland bd94f50fb0 add registry_persistence.rb 2015-07-01 12:26:46 +02:00
William Vu 3632cc44c5 Fix nil error when target not found 2015-06-30 11:48:41 -05:00
wchen-r7 9bd920b169
Merge branch 'upstream-master' into bapv2 2015-06-27 12:19:55 -05:00
jvazquez-r7 7ccc86d338
Use cmd_exec 2015-06-26 11:54:19 -05:00
Spencer McIntyre 2206a6af73 Support older targets x86 for MS15-051 2015-06-25 09:33:15 +10:00
William Vu a149fb5710
Land #5554, @g0tmi1k's persistence improvements
age aborts
age aborts
2015-06-24 14:37:25 -05:00
William Vu e7e8135acd Clean up module 2015-06-24 14:35:10 -05:00
wchen-r7 dedfca163d Change check() 2015-06-22 15:05:12 -05:00
OJ 3686accadd
Merge branch 'upstream/master' into cve-2015-1701 2015-06-22 07:52:17 +10:00
Spencer McIntyre efece12b40 Minor clean ups for ruby strings and check method 2015-06-21 16:07:44 -04:00
jvazquez-r7 74bc9f7a91
Land #5529, @omarix's Windows 2003 SP1 & SP2 French targets for MS08-067 2015-06-19 16:57:07 -05:00
jvazquez-r7 61ad4ada7d
Delete commas 2015-06-19 16:03:16 -05:00
wchen-r7 9da99a8265
Merge branch 'upstream-master' into bapv2 2015-06-19 11:36:27 -05:00
jvazquez-r7 6ec8488929
Land #5560, @wchen-r7 Changes ExcellentRanking to GoodRanking for MS14-064 2015-06-19 11:15:41 -05:00
jvazquez-r7 1c357e6b3c
Land #5478, @wchen-r7 Updates ca_arcserve_rpc_authbypass to use the new cred API 2015-06-19 10:21:14 -05:00
jvazquez-r7 0f17f622c3
Report last_attempted_at 2015-06-19 10:20:47 -05:00
jvazquez-r7 357a3929a3
Trying to report more accurate status 2015-06-19 09:51:36 -05:00
wchen-r7 7e91121afc Change to Metasploit::Model::Login::Status::SUCCESSFUL 2015-06-18 23:44:45 -05:00
g0tmi1k 0b55a889d3 persistence - better ruby/msf fu 2015-06-18 21:10:16 +01:00
wchen-r7 13a3f2781d Change ExcellentRanking to GoodRanking for MS14-064
The ms14_064_ole_code_execution exploit's ranking is being lowered
to GoodRanking because of these two reasons:

1. The vulnerable component isn't in Internet Explorer. And BES can't
   check it so the exploit still fires even if the target is patched.
2. Although rare, we've seen the exploit crashing IE, and since this
   is a memory curruption type of bug, it should not be in Excellent
   ranking anyway.
2015-06-18 13:07:44 -05:00
g0tmi1k a3debe1621 persistence - more options, more verbose
...and less bugs!

+ Able to define the EXE payload filename
+ Able to setup a handler job
+ Able to execute persistence payload after installing
+ Performs various checks (should be more stable now)
+ Will display various warnings if your doing something 'different'
+ Added various verbose messages during the process
2015-06-17 13:57:06 +01:00
William Vu 8d640a0c8f
Land #5527, multi/handler -> exploit/multi/handler 2015-06-15 10:23:26 -05:00
wchen-r7 17b8ddc68a
Land #5524, adobe_flash_pixel_bender_bof in flash renderer 2015-06-15 02:42:16 -05:00
0xFFFFFF c7cda25582 Empty lines removed at line 624 and line 721.
Empty lines removed at line 624 and line 721.
2015-06-13 14:54:10 +01:00
0xFFFFFF 7f0e334d78 Added Windows 2003 SP1 & SP2 French targets
msf exploit(ms08_067_netap) > show targets 

Exploit targets:

   Id  Name
   --  ----
   0   Automatic Targeting
   1   Windows 2000 Universal
   2   Windows XP SP0/SP1 Universal
   3   Windows 2003 SP0 Universal
   4   Windows XP SP2 English (AlwaysOn NX)
   [...]
   62  Windows 2003 SP1 French (NX)
   63  Windows 2003 SP2 English (NO NX)
   [...]
   71  Windows 2003 SP2 French (NO NX)
   72  Windows 2003 SP2 French (NX)
2015-06-13 13:30:02 +01:00
g0tmi1k a53ca53a6a Fix inconstancy - multi/handler 2015-06-12 21:23:51 +01:00
jvazquez-r7 8ed13b1d1b
Add linux support for CVE-2014-0515 2015-06-11 16:18:50 -05:00
wchen-r7 ae21b0c260
Land #5523, adobe_flash_domain_memory_uaf in the flash renderer 2015-06-10 16:59:19 -05:00
wchen-r7 4c5b1fbcef
Land #5522, adobe_flash_worker_byte_array_uaf in the flash renderer 2015-06-10 14:49:41 -05:00
jvazquez-r7 6c7ee10520 Update to use the new flash Exploiter 2015-06-10 13:52:43 -05:00
wchen-r7 d622c782ef
Land #5519, adobe_flash_uncompress_zlib_uninitialized in the flash renderer 2015-06-10 11:52:47 -05:00
jvazquez-r7 fb531d0069
Update version coverage 2015-06-10 09:38:00 -05:00
jvazquez-r7 a6fe383852
Use AS Exploiter 2015-06-10 09:32:52 -05:00
jvazquez-r7 e5d6c9a3cb Make last code cleanup 2015-06-09 16:01:57 -05:00
jvazquez-r7 cf8c6b510b
Debug version working 2015-06-09 15:46:21 -05:00
jvazquez-r7 b7f0fad72f
Modify CVE-2014-0569 to use the flash exploitation code 2015-06-09 11:31:39 -05:00
wchen-r7 ee13a215e9
Merge branch 'upstream-master' into bapv2 2015-06-05 14:09:07 -05:00
jvazquez-r7 318f67fcda
update descriptions 2015-06-05 09:01:20 -05:00
wchen-r7 69968fc9f1 Merge branch 'upstream-master' into bapv2 2015-06-04 23:36:24 -05:00
jvazquez-r7 02181addc5
Update CVE-2014-0556 2015-06-04 18:23:50 -05:00
wchen-r7 be709ba370
Merge branch 'upstream-master' into bapv2 2015-06-04 10:33:07 -05:00
wchen-r7 78e4677bb1 Oops it blew up 2015-06-03 20:10:01 -05:00
wchen-r7 a0aa6135c5 Update ca_arcserve_rpc_authbypass to use the new cred API 2015-06-03 20:02:07 -05:00
OJ a6467f49ec Update description 2015-06-03 22:17:25 +10:00
OJ 455a3b6b9d
Add butchered version of CVE-2015-1701 2015-06-03 21:48:23 +10:00
James Lee d03ee5667b
Remove assigned but unused local vars 2015-06-01 16:45:36 -05:00
James Lee 7133f0a68e
Fix typo in author's name 2015-06-01 16:45:09 -05:00
wchen-r7 e83677d29d rm deprecated mod 2015-05-29 17:43:26 -05:00
wchen-r7 13779adab4
Merge branch 'upstream-master' into bapv2 2015-05-29 14:59:04 -05:00
wchen-r7 6be363d82a
Merge branch 'upstream-master' into bapv2 2015-05-29 14:58:38 -05:00
jvazquez-r7 8c7d41c50c
Land #5426, @wchen-r7's adds more restriction on Windows 7 target for MS14-064 2015-05-29 14:35:44 -05:00
wchen-r7 c3fa52f443 Update description 2015-05-29 13:47:20 -05:00
jvazquez-r7 e9714bfc82
Solve conflics 2015-05-27 23:22:00 -05:00
wchen-r7 bcdae5fa1a Forgot to add the datastore option 2015-05-27 18:12:38 -05:00
wchen-r7 4f0e908c8b Never mind, Vista doesn't have powershell. 2015-05-27 18:08:58 -05:00
wchen-r7 d43706b65e It doesn't look like Vista shows the powershell prompt 2015-05-27 18:04:35 -05:00
wchen-r7 53774fed56 Be more strict with Win 7 for MS14-064
The Powershell prompt can cause BAP to hang so we need to be more
strict about that.
2015-05-27 18:01:40 -05:00
jvazquez-r7 e5d42850c1
Add support for Linux to CVE-2015-0336 2015-05-27 17:05:10 -05:00
wchen-r7 60cdf71e6c
Merge branch 'upstream-master' into bapv2 2015-05-26 15:56:48 -05:00
jvazquez-r7 5bceeb4f27
Land #5349, @h0ng10's module for CVE-2015-2219 Lenovo System Update Local Privilege Escalation 2015-05-22 17:14:20 -05:00
wchen-r7 9600f6a30a rm deprecated exploit 2015-05-22 17:14:08 -05:00
wchen-r7 eb5aadfb4e
Land #5401, multi-platform CVE-2015-0311 - Flash uncompress() UAF 2015-05-22 16:50:13 -05:00
jvazquez-r7 3aa1ffb4f5
Do minor code cleanup 2015-05-22 16:20:36 -05:00
jvazquez-r7 03b70e3714
Land #5388, @wchen-r7's fixes #5373 by add info to BrowserRequiements 2015-05-22 10:21:59 -05:00
jvazquez-r7 6da94b1dd5
Deprecate windows module 2015-05-21 15:01:41 -05:00
wchen-r7 2cadd5e658 Resolve #5373, Add ActiveX info in BrowserRequirements
Resolve #5373
2015-05-20 16:34:09 -05:00
OJ 44f8cf4124 Add more size to stagers, adjust psexec payloads
This psexec payload size should be evaluated to make sure I'm not doing
anything stupid. i can't see a reason why increasing these sizes would
be bad. They seem to work fine.
2015-05-20 17:07:56 +10:00
OJ a93565b5d1 Add 'Payload' section with 'Size' to psexec_psh
This missing parameter was causing the payload 'Size' to come through to
the encoders as `nil`. This meant that all the stagers that were
looking at the payload sizes were being told there was no size. In the
case of the meterpreter payloads, this was causing issues with the proxy
settings because the proxy configuration detail isn't added to the
payload unless there's enough space.

This fix adds a default size of 2048 (the same as the plain psexec
module). This makes the proxy settings work as expected.
2015-05-19 22:11:29 +10:00
Hans-Martin Münch (h0ng10) d99eedb1e4 Adding begin...ensure block 2015-05-17 20:48:11 +02:00
Hans-Martin Münch (h0ng10) acb053a2a7 CloseHandle cleanup 2015-05-17 20:39:10 +02:00
Hans-Martin Münch (h0ng10) e075495a5b string concatenation, clear \ handling 2015-05-15 06:51:42 +02:00
Hans-Martin Münch (h0ng10) 94d39c5c75 remove hard coded pipe name 2015-05-15 06:35:55 +02:00
Hans-Martin Münch (h0ng10) bb4f5da6d9 replace client.sys.config.getenv with get_env 2015-05-15 06:33:57 +02:00
Hans-Martin Münch (h0ng10) bba261a1cf Initial version 2015-05-15 00:36:03 +02:00
jvazquez-r7 51bb4b5a9b
Add module for CVE-2015-0359 2015-05-07 17:00:00 -05:00
William Vu 134a674ef3
Land #5312, @todb-r7's release fixes 2015-05-07 15:34:31 -05:00
Tod Beardsley f423306b6f
Various post-commit fixups
Edited modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb first landed
in #5150, @wchen-r7's DOS module for CVE-2015-1635 HTTP.sys

Edited modules/auxiliary/gather/apple_safari_ftp_url_cookie_theft.rb
first landed in #5192, @joevennix's module for Safari CVE-2015-1126

Edited modules/auxiliary/gather/java_rmi_registry.rb first landed in

Edited modules/auxiliary/gather/ssllabs_scan.rb first landed in #5016,
add SSL Labs scanner

Edited modules/auxiliary/scanner/http/goahead_traversal.rb first landed
in #5101, Add Directory Traversal for GoAhead Web Server

Edited modules/auxiliary/scanner/http/owa_iis_internal_ip.rb first
landed in #5158, OWA internal IP disclosure scanner

Edited modules/auxiliary/scanner/http/wp_mobileedition_file_read.rb
first landed in #5159, WordPress Mobile Edition Plugin File Read Vuln

Edited modules/exploits/linux/http/multi_ncc_ping_exec.rb first landed
in #4924, @m-1-k-3's DLink CVE-2015-1187 exploit

Edited modules/exploits/unix/webapp/wp_slideshowgallery_upload.rb first
landed in #5131, WordPress Slideshow Upload

Edited modules/exploits/windows/local/run_as.rb first landed in #4649,
improve post/windows/manage/run_as and as an exploit

(These results courtesy of a delightful git alias, here:

```
  cleanup-prs = !"for i in `git status | grep modules | sed
s/#.*modules/modules/`; do echo -n \"Edited $i first landed in \" && git
log --oneline --first-parent $i | tail -1 | sed 's/.*Land //' && echo
''; done"

```

So that's kind of fun.
2015-05-06 11:39:15 -05:00
William Vu b8c7161819 Fix up NameError'd payload_exe 2015-05-06 11:34:05 -05:00
William Vu 59ffe5d98f
Land #5306, payload_exe NameError fix 2015-05-06 11:29:29 -05:00
wchen-r7 4b0f54f0aa
Land #5305, CVE-2015-0336 Flash NetConnection Type Confusion 2015-05-06 11:26:22 -05:00
wchen-r7 97807e09ca
Lad #5125, Group Policy startup exploit 2015-05-06 11:17:01 -05:00
wchen-r7 5b57e4e9ca Add info about the waiting time 2015-05-06 11:15:11 -05:00
Sam Roth 5cb8b9a20a Fix #5304 2015-05-05 22:25:06 -04:00
jvazquez-r7 582919acac
Add module for CVE-2015-0336 2015-05-05 17:25:19 -05:00
Darius Freamon c988447c18 title enhancement, OSVDB ref
touch up title and add OSVDB reference
2015-05-05 13:21:36 -06:00
jvazquez-r7 b95be1b25f
Support information to include logon scripts 2015-05-04 15:49:19 -05:00
Darius Freamon dc42a3ee1a add OSVDB ref
add OSVDB ref
2015-05-04 14:27:44 -06:00
Darius Freamon a5c10b7f10 Fix product name
Product name missing a letter in two locations
2015-05-03 13:11:22 -06:00
Darius Freamon aa59b3acc6 title enhancement, description touch-up
Expanded title to be more precise and standardized use of vendor name
2015-04-30 17:23:15 -06:00
wchen-r7 89d026c900 Fix merge conflict 2015-04-30 12:33:45 -05:00
jvazquez-r7 d773f85dca
Add reference to malware 2015-04-29 17:53:29 -05:00
jvazquez-r7 dbba466b5b
Add module for CVE-2014-8440 2015-04-29 17:52:04 -05:00
William Vu 5defb50252
Fix #5267, references fixes 2015-04-29 14:21:23 -05:00
William Vu a4531e62a0 Clean up references 2015-04-29 14:21:08 -05:00
William Vu b2d08251e4 Move reference 2015-04-29 14:18:45 -05:00
William Vu fd567195e3 Fix punctuation and missing comma 2015-04-29 14:12:44 -05:00
Darius Freamon 5f0736fa4c enhance title and description, add OSVDB reference, standardized JBoss 2015-04-29 11:39:40 -06:00
Darius Freamon c01fc829ab Title enhancement, OSVDB refs 2015-04-28 15:56:34 -06:00
jvazquez-r7 ab94f15a60
Take care of modules using the 'DEBUG' option 2015-04-21 12:13:40 -05:00
jvazquez-r7 4224008709
Delete print_debug/vprint_debug 2015-04-21 11:14:03 -05:00
wchen-r7 4f903a604c Fix #5103, Revert unwanted URI encoding
Fix #5103. By default, Httpclient will encode the URI but
we don't necessarily want that. These modules originally
didn't use URI encoding when they were written so we should
just keep them that way.
2015-04-17 13:59:49 -05:00
wchen-r7 3927024f79
Land #5154, CVE-2015-0556 (Flash copyPixelsToByteArray int overflow)
sage aborts
2015-04-16 21:21:09 -05:00
Christian Mehlmauer 352e170624
more failure reasons 2015-04-16 22:04:11 +02:00
Christian Mehlmauer ba6548db75
be consistent about naming 2015-04-16 21:44:56 +02:00
jvazquez-r7 c1753672bf
Delete file_contents initialization 2015-04-15 17:58:32 -05:00
jvazquez-r7 28fac60c81
Add module for CVE-2015-0556 2015-04-15 14:08:16 -05:00
jvazquez-r7 656abac13c Use keyword arguments 2015-04-10 18:03:45 -05:00
jvazquez-r7 1720d4cd83
Introduce get_file_contents 2015-04-10 17:34:00 -05:00
jvazquez-r7 ca6a5cad17
support changing files 2015-04-10 16:53:12 -05:00
jvazquez-r7 b2e17a61a9
Fix disclosure date 2015-04-10 13:09:24 -05:00
jvazquez-r7 ab944b1897
Add module to exploit dangerous group policy startup scripts 2015-04-10 13:01:50 -05:00
jvazquez-r7 91f5d0af5a
Add module for CVE-2014-0569
* Adobe flash, Integer overflow on casi32
2015-04-09 19:37:26 -05:00
William Vu e1af495d21 Add extra release fixes 2015-04-06 13:08:40 -05:00
Tod Beardsley b62011121b
Minor word choice fix on Solarwinds exploit
Removing the second person pronoun usage.

[See #5050]
2015-04-06 12:40:22 -05:00
Tod Beardsley 5be5b6097c
Minor grammar on #5030, Adobe Flash
[See #5030]
2015-04-06 12:36:25 -05:00
William Vu 56dc7afea6
Land #5068, @todb-r7's module author cleanup 2015-04-03 16:00:36 -05:00
jvazquez-r7 7c9b19c6f8
Do minor cleanup 2015-04-03 11:53:50 -05:00
Tod Beardsley 3ff91d74ca
More cleanup, mostly abysssec
[See #5012]
2015-04-02 16:16:38 -05:00
Tod Beardsley 4bbec88882
Various other one-off nonhuman author credits
[See #5012]
2015-04-02 15:25:47 -05:00
sinn3r 0b14a18ad2 This is final 2015-04-01 12:00:49 -05:00
sinn3r 0ee858cd65 Some useful messages 2015-04-01 01:41:31 -05:00
sinn3r 8ad07cdc0f This should be on the right track 2015-04-01 01:27:50 -05:00
sinn3r 6795c90eac Some progress 2015-03-31 20:46:34 -05:00
sinn3r 97305629cb Add Solarwinds FSM module
starter
2015-03-31 16:21:52 -05:00
sinn3r 8ea1ffc6ff
Land #5030, CVE-2015-0313 Flash Exploit 2015-03-30 11:31:53 -05:00
h00die 28b9e89963 removed duplicate "uses" from description 2015-03-29 19:40:31 -04:00
William Vu ef8c0aac69
Land #5020, spelling fixes for some modules 2015-03-28 00:36:04 -05:00
jvazquez-r7 f84a46df63
Add module for CVE-2015-0313 2015-03-27 18:51:13 -05:00
sinn3r 9cfafdd8b8
Land #4649, improve post/windows/manage/run_as and as an exploit 2015-03-27 17:31:30 -05:00
C-P 4f4bf9debb paylod vs payload 2015-03-27 11:55:15 -07:00
C-P 0a8fe781d1 paylod vs payload 2015-03-27 11:54:14 -07:00
C-P 5ba614a325 payloda vs payload 2015-03-27 11:53:20 -07:00
C-P 2d81460583 Explot vs Exploit 2015-03-27 11:37:11 -07:00
C-P f129347b51 Filed vs Failed fix 2015-03-27 11:28:50 -07:00
sinn3r 955c0557e0
Land #4988, Relative URL for ms14_064_ole_code_execution 2015-03-26 13:36:37 -05:00
jvazquez-r7 d84c48cb7d
Use newer hash syntax 2015-03-25 13:39:34 -05:00
jvazquez-r7 72a0909e9b
Land #4992, @wchen-r7's support for multiple ActiveX controls on BrowserExploitServerMerge 2015-03-25 13:30:36 -05:00
Tod Beardsley 49a6057f74
Grammaring harder 2015-03-24 11:10:36 -05:00
sinn3r 8255e7a2dc Fix #4987 - undef payload_exe for ams_xfr
Fix #4987
2015-03-24 00:42:22 -05:00
sinn3r db243a8225 x360_video_player_set_text_bof actually uses SetText for ActiveX 2015-03-23 23:36:20 -05:00
sinn3r 3248f02c2c These exploits use :activex, so I update the usage for them 2015-03-23 19:34:24 -05:00
andygoblins 89e27d98ab Use relative URL to GET payload for WinXP
Relative URLs are simpler, and allow the exploit to work on attack machines in NAT environments. Example: attack machine is NATed and does not have a DNS hostname. SRVHOST must be 0.0.0.0 but the victim cannot access the attacker from Rex::Socket.source_address
2015-03-23 14:40:06 -05:00
sinn3r 156520338d Making some changes to how BES handles ActiveX 2015-03-23 12:21:27 -05:00
Adam Ziaja 921b9eab8e Update minishare_get_overflow.rb
set WfsDelay 30
2015-03-20 23:42:54 +01:00