wchen-r7
01053095f9
Add MS15-100 Microsoft Windows Media Center MCL Vulnerability
2015-09-11 15:05:06 -05:00
jvazquez-r7
53f995b9c3
Do first prototype
2015-09-10 19:35:26 -05:00
jvazquez-r7
329e6f4633
Fix title
2015-09-08 15:31:14 -05:00
samvartaka
0a0e7ab4ba
This is a modification to the original poisonivy_bof.rb exploit
module removing the need for bruteforce in the case of an unknown
server password by (ab)using the challenge-response as an encryption
oracle, making it more reliable. The vulnerability has also been confirmed
in versions 2.2.0 up to 2.3.1 and additional targets for these versions
have been added as well.
See http://samvartaka.github.io/malware/2015/09/07/poison-ivy-reliable-exploitation/
for details.
## Console output
Below is an example of the new functionality (PIVY C2 server password is
set to 'prettysecure' and unknown to attacker). Exploitation of versions 2.3.0 and 2.3.1
is similar.
### Version 2.3.2 (unknown password)
```
msf > use windows/misc/poisonivy_bof
msf exploit(poisonivy_bof) > set RHOST 192.168.0.103
RHOST => 192.168.0.103
msf exploit(poisonivy_bof) > check
[*] Vulnerable Poison Ivy C&C version 2.3.1/2.3.2 detected.
[*] 192.168.0.103:3460 - The target appears to be vulnerable.
msf exploit(poisonivy_bof) > set PAYLOAD windows/shell_bind_tcp
PAYLOAD => windows/shell_bind_tcp
msf exploit(poisonivy_bof) > exploit
[*] Started bind handler
[*] Performing handshake...
[*] Sending exploit...
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\winxp\Desktop\Poison Ivy\Poison Ivy 2.3.2>
```
### Version 2.2.0 (unknown password)
```
msf exploit(poisonivy_bof) > check
[*] Vulnerable Poison Ivy C&C version 2.2.0 detected.
[*] 192.168.0.103:3460 - The target appears to be vulnerable.
msf exploit(poisonivy_bof) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Poison Ivy 2.2.0 on Windows XP SP3 / Windows 7 SP1
   1   Poison Ivy 2.3.0 on Windows XP SP3 / Windows 7 SP1
   2   Poison Ivy 2.3.1, 2.3.2 on Windows XP SP3 / Windows 7 SP1
msf exploit(poisonivy_bof) > set TARGET 0
TARGET => 0
msf exploit(poisonivy_bof) > exploit
[*] Started bind handler
[*] Performing handshake...
[*] Sending exploit...
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\winxp\Desktop\Poison Ivy\Poison Ivy 2.2.0>
```
2015-09-07 17:48:28 +02:00
jvazquez-r7
ef6df5bc26
Use get_target_arch
2015-09-03 16:30:46 -05:00
jvazquez-r7
2588439246
Add references for the win32k info leak
2015-09-03 15:35:41 -05:00
jvazquez-r7
697a6cd335
Rescue the process execute
2015-09-03 13:03:36 -05:00
jvazquez-r7
80a1e32339
Set Manual Ranking
2015-09-03 12:24:45 -05:00
HD Moore
9b51352c62
Land #5639, adds registry persistence
2015-09-03 11:26:38 -05:00
jvazquez-r7
dbe901915e
Improve version detection
2015-09-03 09:54:38 -05:00
jvazquez-r7
de25a6c23c
Add metadata
2015-09-02 18:32:45 -05:00
jvazquez-r7
8f70ec8256
Fix Disclosure date
2015-09-02 18:21:36 -05:00
jvazquez-r7
b912e3ce65
Add exploit template
2015-09-02 17:28:35 -05:00
HD Moore
4090c2c8ea
Land #5880, adds ScriptHost UAC bypass for Win7/2008
2015-09-02 14:14:18 -05:00
Meatballs
582cc795ac
Remove newlines
2015-09-02 19:42:04 +01:00
HD Moore
43d3e69fb2
Land #5917, update local exploit checks
2015-09-02 12:55:45 -05:00
Meatballs
8f25a006a8
Change to automatic target
2015-09-02 09:13:25 +01:00
wchen-r7
4275a65407
Update local exploit checks to follow the guidelines.
Please see wiki "How to write a check() method" to learn how
these checkcodes are determined.
2015-09-01 23:26:45 -05:00
Meatballs
27775fbe58
Restrict to 7 and 2k8
2015-09-01 22:23:37 +01:00
HD Moore
cd65478d29
Land #5826, swap ExitFunction -> EXITFUNC
2015-09-01 13:58:12 -05:00
Christian Mehlmauer
bfc24aea16
change exitfunc to thread
2015-09-01 10:52:25 +02:00
Christian Mehlmauer
115f409fef
change exitfunc to thread
2015-09-01 10:48:07 +02:00
Christian Mehlmauer
5398bf78eb
change exitfunc to thread
2015-09-01 10:46:54 +02:00
Christian Mehlmauer
3e613dc333
change exitfunc to thread
2015-09-01 10:43:45 +02:00
Christian Mehlmauer
648c034d17
change exitfunc to thread
2015-09-01 10:42:15 +02:00
Muhamad Fadzil Ramli
1b4f4fd225
remove url reference
2015-08-27 19:47:37 +08:00
jvazquez-r7
da4b360202
Fix typo
2015-08-26 15:29:34 -05:00
jvazquez-r7
5d0ed797a3
Update DLL
2015-08-26 15:15:32 -05:00
jvazquez-r7
dd529013f6
Update ruby side
2015-08-26 15:12:09 -05:00
Brent Cook
b1ef560264
Merge payload_inject 64-bit inject fix from @Meatballs1
2015-08-24 09:26:00 -05:00
Muhamad Fadzil Ramli
03b1ad7491
add reference info
2015-08-24 11:18:26 +08:00
Muhamad Fadzil Ramli
73cb1383d2
amend banner info for check
2015-08-24 10:55:43 +08:00
Meatballs
1c91b126f1
X64 compat for payload_inject
2015-08-23 22:03:57 +01:00
Meatballs
228087dced
Initial working scripthost bypass uac
2015-08-23 20:16:15 +01:00
Muhamad Fadzil Ramli
7587319602
run rubocop & msftidy
2015-08-23 23:32:30 +08:00
Muhamad Fadzil Ramli
a5daa5c9be
added module descriptions
2015-08-23 23:12:41 +08:00
Muhamad Fadzil Ramli
91a7531af8
konica minolta ftp server post auth cwd command exploit
2015-08-23 21:49:26 +08:00
wchen-r7
45c7e4760a
Support x64 payloads
2015-08-20 02:09:58 -05:00
HD Moore
42e08cbe07
Fix bad use of get_profile (now browser_profile)
2015-08-14 19:50:42 -05:00
jvazquez-r7
c02df6b39d
Land #5800, @bperry's Symantec Endpoint Protection Manager RCE module
2015-08-14 17:03:48 -05:00
jvazquez-r7
b33abd72ce
Complete description
2015-08-14 17:03:21 -05:00
jvazquez-r7
4aa3be7ba2
Do ruby fixing and use FileDropper
2015-08-14 17:00:27 -05:00
Spencer McIntyre
33f1324fa9
Land #5813, @jakxx adds VideoCharge SEH file exploit
2015-08-13 18:01:25 -04:00
jakxx
e9d3289c23
EXITFUNC caps
2015-08-13 17:25:31 -04:00
jakxx
6e1c714b2b
Update to leverage auto-NOP generation
2015-08-13 17:24:18 -04:00
jakxx
361624161b
msftidy
2015-08-13 16:27:27 -04:00
jakxx
03eb2d71b2
Add watermark fileformat exploit
2015-08-13 16:26:17 -04:00
Tod Beardsley
02c6ea31bb
Use the more recent HD version as default target
2015-08-13 14:42:21 -05:00
Christian Mehlmauer
80a22412d9
use EXITFUNC instead of ExitFunction
2015-08-13 21:22:32 +02:00
Tod Beardsley
bb4116ed9d
Avoid msftidy.rb rule breaking on missing newline
2015-08-13 12:38:05 -05:00
jakxx
e7566d6aee
Adding print_status line
2015-08-12 16:08:04 -04:00
Christian Mehlmauer
979d7e6be3
improve module
2015-08-12 15:37:37 +02:00
jakxx
2b225b2e7e
Added changes per feedback
Updated to include and use seh mixin
changed offset and space for reliability
got rand_text buffer junk working
removed double spaces and stupid fillers in file data
2015-08-12 01:34:45 -04:00
jakxx
4c28cae5d1
updated to include recommendation from @zerosteiner
2015-08-10 18:38:23 -04:00
jakxx
23f51bf265
specify junk data
2015-08-07 18:04:11 -04:00
jakxx
28ad0fccbd
Added VideoCharge Studio File Format Exploit
2015-08-07 15:54:32 -04:00
Brandon Perry
74ed8cf0c9
actually that didn't work
2015-08-02 18:57:13 -05:00
Brandon Perry
06754c36a4
unless, not if not
2015-08-02 18:51:23 -05:00
Brandon Perry
527eaea6ec
single quotes and some error handling
2015-08-02 18:25:17 -05:00
Brandon Perry
a33724667c
small code cleanup
2015-08-02 16:36:41 -05:00
Brandon Perry
830aee8aa5
check if cookie is actually returned, and if not, fail
2015-08-02 15:22:40 -05:00
Brandon Perry
a534008ba6
add some status lines
2015-08-02 15:03:59 -05:00
Brandon Perry
fe20bc88ad
remove badchars
2015-08-02 11:37:06 -05:00
Brandon Perry
f7ceec36d0
set default RPORT and SSL
2015-08-02 08:59:36 -05:00
Brandon Perry
a33dff637d
exploit cve 2015-1489 to get SYSTEM
2015-08-02 08:31:03 -05:00
Brandon Perry
12ac6d81fa
add markus as the discoverer specifically
2015-08-02 08:17:12 -05:00
Brandon Perry
e70ec8c07b
no need to store res for the later requests
2015-08-01 18:00:35 -05:00
Brandon Perry
272d75e437
check res before calling get_cookies
2015-08-01 17:58:41 -05:00
Meatballs
6f31183904
Fix VSS Persistance to check integrity level
2015-08-01 23:13:05 +01:00
Brandon Perry
47e86000ee
randomize the file names
2015-08-01 16:50:06 -05:00
Brandon Perry
2bfc8e59be
remove printline
2015-08-01 16:43:31 -05:00
Brandon Perry
0067d25180
add the sepm auth bypass rce module
2015-08-01 16:40:03 -05:00
Meatballs
a6a8117e46
Revert "Land #5777, fix #4558 vss_persistence"
This reverts commit ba4b2fbbea, reversing changes made to affc86bfd9.
2015-08-01 22:35:24 +01:00
wchen-r7
ba4b2fbbea
Land #5777, fix #4558 vss_persistence
2015-07-31 16:46:01 -05:00
jvazquez-r7
1ec960d8f9
Make the time to write flush configurable
2015-07-31 16:43:43 -05:00
wchen-r7
672d83eaae
Land #5789, Heroes of Might and Magic III .h3m Map File Buffer Overflow
2015-07-31 15:43:43 -05:00
aakerblom
7c5e5f0f22
add crc32 forging for Heroes III demo target
2015-08-01 04:53:49 -07:00
aakerblom
7af83a112d
fix unreliable address
2015-08-01 04:52:50 -07:00
aakerblom
908d6f946f
added target Heroes III Demo 1.0.0.0
2015-07-31 18:19:37 -07:00
aakerblom
16042cd45b
fix variable names in comment
2015-07-31 18:16:15 -07:00
aakerblom
66c92aae5d
fix documentation
2015-07-31 17:12:50 -07:00
aakerblom
6fdd2f91ce
rescue only Errno::ENOENT
2015-07-31 13:54:29 -07:00
aakerblom
6671df6672
add documentation
2015-07-31 13:53:56 -07:00
aakerblom
013201bd99
remove unneeded require
2015-07-31 13:49:27 -07:00
aakerblom
12a6bdb67b
Add Heroes of Might and Magic III .h3m map file Buffer Overflow module
2015-07-31 02:06:47 -07:00
aakerblom
d4c8d5884c
Fix a small typo
2015-07-31 11:47:46 -07:00
jvazquez-r7
bf6975c01a
Fix #4558 by restoring the old wmicexec
2015-07-27 14:04:10 -05:00
HD Moore
a7b5890dc5
Fix URIPATH=/ and stack trace on missing ntdll version match
2015-07-25 15:39:20 -07:00
wchen-r7
29defc979b
Fix #5740, remove variable ROP for adobe_flashplayer_flash10o
2015-07-17 16:57:37 -05:00
William Vu
ea4a7d98b9
Land #5728, Arch specification for psexec
2015-07-15 15:36:27 +00:00
Brent Cook
a7d866bc83
specify the 'Arch' values that psexec supports
2015-07-14 15:45:52 -06:00
wchen-r7
e638d85f30
Merge branch 'upstream-master' into bapv2
2015-07-12 02:01:09 -05:00
wchen-r7
c37b60de7b
Do some print_status with ms14_064
2015-07-07 00:57:37 -05:00
Donny Maasland
e355e56539
Add check
2015-07-02 10:54:44 +02:00
wchen-r7
8051a99f4a
Merge branch 'upstream-master' into bapv2
2015-07-01 18:45:42 -05:00
Donny Maasland
56c3102603
That's what you get for making edits on github.com..
2015-07-01 17:51:57 +02:00
Donny Maasland
4847fb9830
Add a neater powershell command
2015-07-01 17:47:47 +02:00
Donny Maasland
822a46fee6
Merge branch 'master' of github:dmaasland/metasploit-framework
2015-07-01 17:47:33 +02:00
Donny Maasland
4f72df3202
Create a neater powershell command
2015-07-01 17:47:08 +02:00
Donny Maasland
ffe710af2d
Update registry_persistence.rb
Omg spaces
2015-07-01 17:21:12 +02:00
Donny Maasland
26e3ec0a5f
Add a switch for creating a cleanup rc file
2015-07-01 17:06:16 +02:00
Donny Maasland
20708ebc82
Add a check to prevent accidental deletion of existing registry keys
2015-07-01 16:45:03 +02:00
Donny Maasland
2e48bae71c
fixes
2015-07-01 16:15:13 +02:00
Donny Maasland
335487afa0
fixes
2015-07-01 16:09:55 +02:00
Donny Maasland
d0845b8c66
msftidy fix
2015-07-01 12:50:34 +02:00
Donny Maasland
a3db6c6ae3
Msftidy fix
2015-07-01 12:47:10 +02:00
Donny Maasland
bd94f50fb0
add registry_persistence.rb
2015-07-01 12:26:46 +02:00
William Vu
3632cc44c5
Fix nil error when target not found
2015-06-30 11:48:41 -05:00
wchen-r7
9bd920b169
Merge branch 'upstream-master' into bapv2
2015-06-27 12:19:55 -05:00
jvazquez-r7
7ccc86d338
Use cmd_exec
2015-06-26 11:54:19 -05:00
Spencer McIntyre
2206a6af73
Support older targets x86 for MS15-051
2015-06-25 09:33:15 +10:00
William Vu
a149fb5710
Land #5554, @g0tmi1k's persistence improvements
age aborts
age aborts
2015-06-24 14:37:25 -05:00
William Vu
e7e8135acd
Clean up module
2015-06-24 14:35:10 -05:00
wchen-r7
dedfca163d
Change check()
2015-06-22 15:05:12 -05:00
OJ
3686accadd
Merge branch 'upstream/master' into cve-2015-1701
2015-06-22 07:52:17 +10:00
Spencer McIntyre
efece12b40
Minor clean ups for ruby strings and check method
2015-06-21 16:07:44 -04:00
jvazquez-r7
74bc9f7a91
Land #5529, @omarix's Windows 2003 SP1 & SP2 French targets for MS08-067
2015-06-19 16:57:07 -05:00
jvazquez-r7
61ad4ada7d
Delete commas
2015-06-19 16:03:16 -05:00
wchen-r7
9da99a8265
Merge branch 'upstream-master' into bapv2
2015-06-19 11:36:27 -05:00
jvazquez-r7
6ec8488929
Land #5560, @wchen-r7 Changes ExcellentRanking to GoodRanking for MS14-064
2015-06-19 11:15:41 -05:00
jvazquez-r7
1c357e6b3c
Land #5478, @wchen-r7 Updates ca_arcserve_rpc_authbypass to use the new cred API
2015-06-19 10:21:14 -05:00
jvazquez-r7
0f17f622c3
Report last_attempted_at
2015-06-19 10:20:47 -05:00
jvazquez-r7
357a3929a3
Trying to report more accurate status
2015-06-19 09:51:36 -05:00
wchen-r7
7e91121afc
Change to Metasploit::Model::Login::Status::SUCCESSFUL
2015-06-18 23:44:45 -05:00
g0tmi1k
0b55a889d3
persistence - better ruby/msf fu
2015-06-18 21:10:16 +01:00
wchen-r7
13a3f2781d
Change ExcellentRanking to GoodRanking for MS14-064
The ms14_064_ole_code_execution exploit's ranking is being lowered
to GoodRanking because of these two reasons:
1. The vulnerable component isn't in Internet Explorer. And BES can't
check it so the exploit still fires even if the target is patched.
2. Although rare, we've seen the exploit crashing IE, and since this
is a memory corruption type of bug, it should not be in Excellent
ranking anyway.
2015-06-18 13:07:44 -05:00
g0tmi1k
a3debe1621
persistence - more options, more verbose
...and fewer bugs!
+ Able to define the EXE payload filename
+ Able to setup a handler job
+ Able to execute persistence payload after installing
+ Performs various checks (should be more stable now)
+ Will display various warnings if you're doing something 'different'
+ Added various verbose messages during the process
2015-06-17 13:57:06 +01:00
William Vu
8d640a0c8f
Land #5527, multi/handler -> exploit/multi/handler
2015-06-15 10:23:26 -05:00
wchen-r7
17b8ddc68a
Land #5524, adobe_flash_pixel_bender_bof in flash renderer
2015-06-15 02:42:16 -05:00
0xFFFFFF
c7cda25582
Empty lines removed at line 624 and line 721.
2015-06-13 14:54:10 +01:00
0xFFFFFF
7f0e334d78
Added Windows 2003 SP1 & SP2 French targets
```
msf exploit(ms08_067_netap) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Automatic Targeting
   1   Windows 2000 Universal
   2   Windows XP SP0/SP1 Universal
   3   Windows 2003 SP0 Universal
   4   Windows XP SP2 English (AlwaysOn NX)
   [...]
   62  Windows 2003 SP1 French (NX)
   63  Windows 2003 SP2 English (NO NX)
   [...]
   71  Windows 2003 SP2 French (NO NX)
   72  Windows 2003 SP2 French (NX)
```
2015-06-13 13:30:02 +01:00
g0tmi1k
a53ca53a6a
Fix inconsistency - multi/handler
2015-06-12 21:23:51 +01:00
jvazquez-r7
8ed13b1d1b
Add linux support for CVE-2014-0515
2015-06-11 16:18:50 -05:00
wchen-r7
ae21b0c260
Land #5523, adobe_flash_domain_memory_uaf in the flash renderer
2015-06-10 16:59:19 -05:00
wchen-r7
4c5b1fbcef
Land #5522, adobe_flash_worker_byte_array_uaf in the flash renderer
2015-06-10 14:49:41 -05:00
jvazquez-r7
6c7ee10520
Update to use the new flash Exploiter
2015-06-10 13:52:43 -05:00
wchen-r7
d622c782ef
Land #5519, adobe_flash_uncompress_zlib_uninitialized in the flash renderer
2015-06-10 11:52:47 -05:00
jvazquez-r7
fb531d0069
Update version coverage
2015-06-10 09:38:00 -05:00
jvazquez-r7
a6fe383852
Use AS Exploiter
2015-06-10 09:32:52 -05:00
jvazquez-r7
e5d6c9a3cb
Make last code cleanup
2015-06-09 16:01:57 -05:00
jvazquez-r7
cf8c6b510b
Debug version working
2015-06-09 15:46:21 -05:00
jvazquez-r7
b7f0fad72f
Modify CVE-2014-0569 to use the flash exploitation code
2015-06-09 11:31:39 -05:00
wchen-r7
ee13a215e9
Merge branch 'upstream-master' into bapv2
2015-06-05 14:09:07 -05:00
jvazquez-r7
318f67fcda
update descriptions
2015-06-05 09:01:20 -05:00
wchen-r7
69968fc9f1
Merge branch 'upstream-master' into bapv2
2015-06-04 23:36:24 -05:00
jvazquez-r7
02181addc5
Update CVE-2014-0556
2015-06-04 18:23:50 -05:00
wchen-r7
be709ba370
Merge branch 'upstream-master' into bapv2
2015-06-04 10:33:07 -05:00
wchen-r7
78e4677bb1
Oops it blew up
2015-06-03 20:10:01 -05:00
wchen-r7
a0aa6135c5
Update ca_arcserve_rpc_authbypass to use the new cred API
2015-06-03 20:02:07 -05:00
OJ
a6467f49ec
Update description
2015-06-03 22:17:25 +10:00
OJ
455a3b6b9d
Add butchered version of CVE-2015-1701
2015-06-03 21:48:23 +10:00
James Lee
d03ee5667b
Remove assigned but unused local vars
2015-06-01 16:45:36 -05:00
James Lee
7133f0a68e
Fix typo in author's name
2015-06-01 16:45:09 -05:00
wchen-r7
e83677d29d
rm deprecated mod
2015-05-29 17:43:26 -05:00
wchen-r7
13779adab4
Merge branch 'upstream-master' into bapv2
2015-05-29 14:59:04 -05:00
wchen-r7
6be363d82a
Merge branch 'upstream-master' into bapv2
2015-05-29 14:58:38 -05:00
jvazquez-r7
8c7d41c50c
Land #5426, @wchen-r7 adds more restriction on Windows 7 target for MS14-064
2015-05-29 14:35:44 -05:00
wchen-r7
c3fa52f443
Update description
2015-05-29 13:47:20 -05:00
jvazquez-r7
e9714bfc82
Solve conflicts
2015-05-27 23:22:00 -05:00
wchen-r7
bcdae5fa1a
Forgot to add the datastore option
2015-05-27 18:12:38 -05:00
wchen-r7
4f0e908c8b
Never mind, Vista doesn't have powershell.
2015-05-27 18:08:58 -05:00
wchen-r7
d43706b65e
It doesn't look like Vista shows the powershell prompt
2015-05-27 18:04:35 -05:00
wchen-r7
53774fed56
Be more strict with Win 7 for MS14-064
The Powershell prompt can cause BAP to hang so we need to be more
strict about that.
2015-05-27 18:01:40 -05:00
jvazquez-r7
e5d42850c1
Add support for Linux to CVE-2015-0336
2015-05-27 17:05:10 -05:00
wchen-r7
60cdf71e6c
Merge branch 'upstream-master' into bapv2
2015-05-26 15:56:48 -05:00
jvazquez-r7
5bceeb4f27
Land #5349, @h0ng10's module for CVE-2015-2219 Lenovo System Update Local Privilege Escalation
2015-05-22 17:14:20 -05:00
wchen-r7
9600f6a30a
rm deprecated exploit
2015-05-22 17:14:08 -05:00
wchen-r7
eb5aadfb4e
Land #5401, multi-platform CVE-2015-0311 - Flash uncompress() UAF
2015-05-22 16:50:13 -05:00
jvazquez-r7
3aa1ffb4f5
Do minor code cleanup
2015-05-22 16:20:36 -05:00
jvazquez-r7
03b70e3714
Land #5388, @wchen-r7 fixes #5373 by adding info to BrowserRequirements
2015-05-22 10:21:59 -05:00
jvazquez-r7
6da94b1dd5
Deprecate windows module
2015-05-21 15:01:41 -05:00
wchen-r7
2cadd5e658
Resolve #5373 , Add ActiveX info in BrowserRequirements
Resolve #5373
2015-05-20 16:34:09 -05:00
OJ
44f8cf4124
Add more size to stagers, adjust psexec payloads
This psexec payload size should be evaluated to make sure I'm not doing
anything stupid. I can't see a reason why increasing these sizes would
be bad. They seem to work fine.
2015-05-20 17:07:56 +10:00
OJ
a93565b5d1
Add 'Payload' section with 'Size' to psexec_psh
This missing parameter was causing the payload 'Size' to come through to
the encoders as `nil`. This meant that all the stagers that were
looking at the payload sizes were being told there was no size. In the
case of the meterpreter payloads, this was causing issues with the proxy
settings because the proxy configuration detail isn't added to the
payload unless there's enough space.
This fix adds a default size of 2048 (the same as the plain psexec
module). This makes the proxy settings work as expected.
2015-05-19 22:11:29 +10:00
Hans-Martin Münch (h0ng10)
d99eedb1e4
Adding begin...ensure block
2015-05-17 20:48:11 +02:00
Hans-Martin Münch (h0ng10)
acb053a2a7
CloseHandle cleanup
2015-05-17 20:39:10 +02:00
Hans-Martin Münch (h0ng10)
e075495a5b
string concatenation, clear \ handling
2015-05-15 06:51:42 +02:00
Hans-Martin Münch (h0ng10)
94d39c5c75
remove hard coded pipe name
2015-05-15 06:35:55 +02:00
Hans-Martin Münch (h0ng10)
bb4f5da6d9
replace client.sys.config.getenv with get_env
2015-05-15 06:33:57 +02:00
Hans-Martin Münch (h0ng10)
bba261a1cf
Initial version
2015-05-15 00:36:03 +02:00
jvazquez-r7
51bb4b5a9b
Add module for CVE-2015-0359
2015-05-07 17:00:00 -05:00
William Vu
134a674ef3
Land #5312, @todb-r7's release fixes
2015-05-07 15:34:31 -05:00
Tod Beardsley
f423306b6f
Various post-commit fixups
Edited modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb first landed
in #5150, @wchen-r7's DOS module for CVE-2015-1635 HTTP.sys
Edited modules/auxiliary/gather/apple_safari_ftp_url_cookie_theft.rb
first landed in #5192, @joevennix's module for Safari CVE-2015-1126
Edited modules/auxiliary/gather/java_rmi_registry.rb first landed in
Edited modules/auxiliary/gather/ssllabs_scan.rb first landed in #5016,
add SSL Labs scanner
Edited modules/auxiliary/scanner/http/goahead_traversal.rb first landed
in #5101, Add Directory Traversal for GoAhead Web Server
Edited modules/auxiliary/scanner/http/owa_iis_internal_ip.rb first
landed in #5158, OWA internal IP disclosure scanner
Edited modules/auxiliary/scanner/http/wp_mobileedition_file_read.rb
first landed in #5159, WordPress Mobile Edition Plugin File Read Vuln
Edited modules/exploits/linux/http/multi_ncc_ping_exec.rb first landed
in #4924, @m-1-k-3's DLink CVE-2015-1187 exploit
Edited modules/exploits/unix/webapp/wp_slideshowgallery_upload.rb first
landed in #5131, WordPress Slideshow Upload
Edited modules/exploits/windows/local/run_as.rb first landed in #4649,
improve post/windows/manage/run_as and as an exploit
(These results courtesy of a delightful git alias, here:
```
cleanup-prs = !"for i in `git status | grep modules | sed s/#.*modules/modules/`; do echo -n \"Edited $i first landed in \" && git log --oneline --first-parent $i | tail -1 | sed 's/.*Land //' && echo ''; done"
```
So that's kind of fun.
2015-05-06 11:39:15 -05:00
William Vu
b8c7161819
Fix up NameError'd payload_exe
2015-05-06 11:34:05 -05:00
William Vu
59ffe5d98f
Land #5306, payload_exe NameError fix
2015-05-06 11:29:29 -05:00
wchen-r7
4b0f54f0aa
Land #5305, CVE-2015-0336 Flash NetConnection Type Confusion
2015-05-06 11:26:22 -05:00
wchen-r7
97807e09ca
Land #5125, Group Policy startup exploit
2015-05-06 11:17:01 -05:00
wchen-r7
5b57e4e9ca
Add info about the waiting time
2015-05-06 11:15:11 -05:00
Sam Roth
5cb8b9a20a
Fix #5304
2015-05-05 22:25:06 -04:00
jvazquez-r7
582919acac
Add module for CVE-2015-0336
2015-05-05 17:25:19 -05:00
Darius Freamon
c988447c18
title enhancement, OSVDB ref
touch up title and add OSVDB reference
2015-05-05 13:21:36 -06:00
jvazquez-r7
b95be1b25f
Support information to include logon scripts
2015-05-04 15:49:19 -05:00
Darius Freamon
dc42a3ee1a
add OSVDB ref
2015-05-04 14:27:44 -06:00
Darius Freamon
a5c10b7f10
Fix product name
Product name missing a letter in two locations
2015-05-03 13:11:22 -06:00
Darius Freamon
aa59b3acc6
title enhancement, description touch-up
Expanded title to be more precise and standardized use of vendor name
2015-04-30 17:23:15 -06:00
wchen-r7
89d026c900
Fix merge conflict
2015-04-30 12:33:45 -05:00
jvazquez-r7
d773f85dca
Add reference to malware
2015-04-29 17:53:29 -05:00
jvazquez-r7
dbba466b5b
Add module for CVE-2014-8440
2015-04-29 17:52:04 -05:00
William Vu
5defb50252
Fix #5267, references fixes
2015-04-29 14:21:23 -05:00
William Vu
a4531e62a0
Clean up references
2015-04-29 14:21:08 -05:00
William Vu
b2d08251e4
Move reference
2015-04-29 14:18:45 -05:00
William Vu
fd567195e3
Fix punctuation and missing comma
2015-04-29 14:12:44 -05:00
Darius Freamon
5f0736fa4c
enhance title and description, add OSVDB reference, standardized JBoss
2015-04-29 11:39:40 -06:00
Darius Freamon
c01fc829ab
Title enhancement, OSVDB refs
2015-04-28 15:56:34 -06:00
jvazquez-r7
ab94f15a60
Take care of modules using the 'DEBUG' option
2015-04-21 12:13:40 -05:00
jvazquez-r7
4224008709
Delete print_debug/vprint_debug
2015-04-21 11:14:03 -05:00
wchen-r7
4f903a604c
Fix #5103, Revert unwanted URI encoding
Fix #5103. By default, Httpclient will encode the URI but
we don't necessarily want that. These modules originally
didn't use URI encoding when they were written so we should
just keep them that way.
2015-04-17 13:59:49 -05:00
wchen-r7
3927024f79
Land #5154, CVE-2015-0556 (Flash copyPixelsToByteArray int overflow)
sage aborts
2015-04-16 21:21:09 -05:00
Christian Mehlmauer
352e170624
more failure reasons
2015-04-16 22:04:11 +02:00
Christian Mehlmauer
ba6548db75
be consistent about naming
2015-04-16 21:44:56 +02:00
jvazquez-r7
c1753672bf
Delete file_contents initialization
2015-04-15 17:58:32 -05:00
jvazquez-r7
28fac60c81
Add module for CVE-2015-0556
2015-04-15 14:08:16 -05:00
jvazquez-r7
656abac13c
Use keyword arguments
2015-04-10 18:03:45 -05:00
jvazquez-r7
1720d4cd83
Introduce get_file_contents
2015-04-10 17:34:00 -05:00
jvazquez-r7
ca6a5cad17
support changing files
2015-04-10 16:53:12 -05:00
jvazquez-r7
b2e17a61a9
Fix disclosure date
2015-04-10 13:09:24 -05:00
jvazquez-r7
ab944b1897
Add module to exploit dangerous group policy startup scripts
2015-04-10 13:01:50 -05:00
jvazquez-r7
91f5d0af5a
Add module for CVE-2014-0569
* Adobe flash, Integer overflow on casi32
2015-04-09 19:37:26 -05:00
William Vu
e1af495d21
Add extra release fixes
2015-04-06 13:08:40 -05:00
Tod Beardsley
b62011121b
Minor word choice fix on Solarwinds exploit
Removing the second person pronoun usage.
[See #5050]
2015-04-06 12:40:22 -05:00
Tod Beardsley
5be5b6097c
Minor grammar on #5030 , Adobe Flash
[See #5030]
2015-04-06 12:36:25 -05:00
William Vu
56dc7afea6
Land #5068, @todb-r7's module author cleanup
2015-04-03 16:00:36 -05:00
jvazquez-r7
7c9b19c6f8
Do minor cleanup
2015-04-03 11:53:50 -05:00
Tod Beardsley
3ff91d74ca
More cleanup, mostly abysssec
[See #5012]
2015-04-02 16:16:38 -05:00
Tod Beardsley
4bbec88882
Various other one-off nonhuman author credits
[See #5012]
2015-04-02 15:25:47 -05:00
sinn3r
0b14a18ad2
This is final
2015-04-01 12:00:49 -05:00
sinn3r
0ee858cd65
Some useful messages
2015-04-01 01:41:31 -05:00
sinn3r
8ad07cdc0f
This should be on the right track
2015-04-01 01:27:50 -05:00
sinn3r
6795c90eac
Some progress
2015-03-31 20:46:34 -05:00
sinn3r
97305629cb
Add Solarwinds FSM module
starter
2015-03-31 16:21:52 -05:00
sinn3r
8ea1ffc6ff
Land #5030, CVE-2015-0313 Flash Exploit
2015-03-30 11:31:53 -05:00
h00die
28b9e89963
removed duplicate "uses" from description
2015-03-29 19:40:31 -04:00
William Vu
ef8c0aac69
Land #5020, spelling fixes for some modules
2015-03-28 00:36:04 -05:00
jvazquez-r7
f84a46df63
Add module for CVE-2015-0313
2015-03-27 18:51:13 -05:00
sinn3r
9cfafdd8b8
Land #4649, improve post/windows/manage/run_as and as an exploit
2015-03-27 17:31:30 -05:00
C-P
4f4bf9debb
paylod vs payload
2015-03-27 11:55:15 -07:00
C-P
0a8fe781d1
paylod vs payload
2015-03-27 11:54:14 -07:00
C-P
5ba614a325
payloda vs payload
2015-03-27 11:53:20 -07:00
C-P
2d81460583
Explot vs Exploit
2015-03-27 11:37:11 -07:00
C-P
f129347b51
Filed vs Failed fix
2015-03-27 11:28:50 -07:00
sinn3r
955c0557e0
Land #4988, Relative URL for ms14_064_ole_code_execution
2015-03-26 13:36:37 -05:00
jvazquez-r7
d84c48cb7d
Use newer hash syntax
2015-03-25 13:39:34 -05:00
jvazquez-r7
72a0909e9b
Land #4992, @wchen-r7's support for multiple ActiveX controls on BrowserExploitServerMerge
2015-03-25 13:30:36 -05:00
Tod Beardsley
49a6057f74
Grammaring harder
2015-03-24 11:10:36 -05:00
sinn3r
8255e7a2dc
Fix #4987 - undef payload_exe for ams_xfr
Fix #4987
2015-03-24 00:42:22 -05:00
sinn3r
db243a8225
x360_video_player_set_text_bof actually uses SetText for ActiveX
2015-03-23 23:36:20 -05:00
sinn3r
3248f02c2c
These exploits use :activex, so I update the usage for them
2015-03-23 19:34:24 -05:00
andygoblins
89e27d98ab
Use relative URL to GET payload for WinXP
Relative URLs are simpler, and allow the exploit to work on attack machines in NAT environments. Example: attack machine is NATed and does not have a DNS hostname. SRVHOST must be 0.0.0.0 but the victim cannot access the attacker from Rex::Socket.source_address.
2015-03-23 14:40:06 -05:00
sinn3r
156520338d
Making some changes to how BES handles ActiveX
2015-03-23 12:21:27 -05:00
Adam Ziaja
921b9eab8e
Update minishare_get_overflow.rb
set WfsDelay 30
2015-03-20 23:42:54 +01:00