aae7c25603
Add WordPress Ninja Forms unauthenticated file upload module
2016-05-23 23:47:41 +01:00
6581fbd294
Add note about "mf" malware
...
This is the malware I found upon shelling my friend's device.
2016-05-20 23:09:10 -05:00
506356e15d
Land #6889 , check #nil? and #empty? instead of #empty?
2016-05-19 19:23:04 -05:00
99a573a013
Do unless instead "if !" to follow the Ruby guideline
2016-05-19 19:21:45 -05:00
a16f4b5167
Return nil properly in rescue
...
Missed this because I copypasta'd myself.
2016-05-19 15:35:38 -05:00
d018bba301
Store SSH key as a note
...
I know, I know, it should use the creds model. >:[
2016-05-19 15:12:58 -05:00
9f738c3e41
Add note about overwritten files
2016-05-19 15:07:27 -05:00
8fccb26446
Add Ubiquiti airOS exploit
...
Thanks to my friend wolf359 for providing a test device!
2016-05-19 14:50:20 -05:00
31bbcfca49
Fix ms13_081_track_popup_menu
2016-05-19 17:22:47 +09:00
b5284375a7
osb_uname_jlist - NoMethodError undefined method 'empty?' for nil:NilClass
2016-05-18 00:16:53 -05:00
11fedd7353
ca_totaldefense_regeneratereports - NoMethodError undefined method 'empty?' for nil:NilClass
2016-05-18 00:15:28 -05:00
a6405beeda
ams_hndlrsvc - NoMethodError undefined method 'empty?' for nil:NilClass
2016-05-18 00:13:40 -05:00
41bcdcce61
fix struts_code_exec_exception_delegator - NoMethodError undefined method 'empty?' for nil:NilClass
2016-05-18 00:11:57 -05:00
bc257ea628
fix struts_code_exec - NoMethodError undefined method 'empty?' for nil:NilClass
2016-05-18 00:10:32 -05:00
68b83c6e3a
datastore['CMD'].blank?
2016-05-17 23:56:59 -05:00
a4e7e373f3
fix ams_xfr.rb - NoMethodError undefined method 'empty?' for nil:NilClass
2016-05-17 17:55:18 -05:00
e8ac568352
doesn't look like we're using the tcp mixin
2016-05-17 03:15:26 -05:00
08394765df
Fix #6879 , REXML::ParseException No close tag for /div
2016-05-17 03:14:00 -05:00
cf0176e68b
Land #6867 , Add Dell SonicWALL Scrutinizer 11.0.1 MethodDetail SQL Injection
2016-05-16 19:00:10 -05:00
8e85e8f9d7
Land #6859 , Add TP-Link sc2020n Module
2016-05-15 12:33:54 -05:00
21d74a64fe
Land #6874 , Improve exploit for CVE-2016-0854
2016-05-14 11:08:17 -05:00
0d176f2c92
remove a couple of unnecessary ternary ops
2016-05-14 11:07:43 -05:00
a940481f62
Land #6834 , Authorized FTP JCL exploit for z/OS
2016-05-13 21:29:45 -05:00
5c494480e6
handle failure more gracefully
2016-05-13 21:29:25 -05:00
3b5db26ff5
Fix #6872 , change upload action for CVE-2016-0854 exploit
...
This patch includes the following changes:
* Instead of the uploadFile action, this patch uses uploadImageCommon
to be able to support both Advantech WebAccess builds: 2014 and
2015.
* It uses an explicit check instead of the passive version check.
* It cleans up the malicious file after getting a session.
* Added module documentation to explain the differences between
different builds of Advantech WebAccess 8.0s, and 8.1.
Fix #6872
2016-05-13 19:47:18 -05:00
2d5cf6cfe4
Authorized FTP JCL exploit for z/OS
...
This exploit module allows a user with credentials to execute JCL on a
vulnerable mainframe system running z/OS and an appropriately configured
FTP server.
2016-05-12 14:46:31 -05:00
8f9762a3e5
Fix some comments
2016-05-12 00:19:18 -05:00
da293081a9
Fix a typo
2016-05-11 22:48:23 -05:00
9d128cfd9f
Add Dell SonicWALL Scrutinizer 11.0.1 MethodDetail SQL Injection
2016-05-11 22:27:18 -05:00
4b23d2dc58
Adjusting exception handling
...
This commit adjusts the error handling to close the socket before
calling fail_with and adds specific exceptions to catch
2016-05-11 17:18:51 -05:00
32e1a19875
Fix up the disclosure date
2016-05-11 00:18:22 -05:00
ded79ce1ff
Fix CVE syntax
2016-05-10 23:18:45 -05:00
4a5d150716
Fixups to continue supporting Rails 4.2.x
2016-05-10 23:12:48 -05:00
04bb493ccb
Small typo fixed
2016-05-10 23:07:51 -05:00
32ae3e881e
Adding save_cred and exception handling to module
...
This commit adds a save_cred method for saving off the credentials
upon a successful login attempt. Also, exception handling surrounding
the opening of the telnet socket has been added to avoid any accidental
resource leaking.
2016-05-10 20:54:44 -05:00
7c6958bbd8
Rework rails_web_console_v2_code_exec to support CVE-2015-3224
2016-05-10 11:08:02 -05:00
3db72e9b4b
Land #6853 , use send_request_cgi! for CVE-2016-0854 exploit
2016-05-09 16:10:04 -05:00
8eb3193941
Adding TP-Link sc2020n Module
...
This module exploits a command injection vulnerability in
TP-Link sc2020n network video cameras in order to start the
telnet daemon on a random port. The module then connects to
the telnet daemon, which returns a root shell on the device.
2016-05-08 14:02:50 -05:00
2abb062070
Clean up module
2016-05-06 11:51:29 -05:00
e4e6246692
Merge branch 'master' of github.com:rapid7/metasploit-framework
2016-05-06 10:55:52 -05:00
8dc7de5b84
Land #6838 , add Rails web-console module
2016-05-05 15:53:52 -05:00
1bc2ec9c11
Update vulnerable versions to include 6.x (legacy)
2016-05-05 14:18:42 -05:00
26b749ff5a
Add default LHOST
...
This is a massive workaround and probably shouldn't be done. :-)
2016-05-05 14:18:42 -05:00
5c713d9f75
Set default payload
...
Land #6849 for this to be effective.
2016-05-05 14:18:42 -05:00
232cc114de
Change placeholder text to something useful
...
A la Shellshock. :)
2016-05-05 14:18:42 -05:00
f32c7ba569
Add template generation details
2016-05-05 14:18:42 -05:00
23a0517a01
Update description
2016-05-05 14:18:42 -05:00
d7b76c3ab4
Add more references
2016-05-05 14:18:42 -05:00
5c04db7a09
Add ImageMagick exploit
2016-05-05 14:18:42 -05:00
35a780c6a8
fix send_request_cgi redirection issues #6806
2016-05-05 09:55:32 -05:00
779a7c0f68
Switch to the default rails server port
2016-05-03 02:06:58 -05:00
8b04eaaa60
Clean up various whitespace
2016-05-03 02:06:37 -05:00
df44dc9c1c
Deprecate exploits/linux/http/struts_dmi_exec
...
Please use exploits/multi/http/struts_dmi_exec, which supports
Windows and Java targets.
2016-05-02 15:03:25 -05:00
3300bcc5cb
Make msftidy happier
2016-05-02 02:33:06 -05:00
67c9f6a1cf
Add rails_web_console_v2_code_exec, abuse of a debug feature
2016-05-02 02:31:14 -05:00
6a00f2fc5a
mv exploits/linux/http/struts_dmi_exec.rb to exploits/multi/http/struts_dmi_exec.rb
2016-05-01 00:00:29 +08:00
ec66410fab
add java_stager / windows_stager | exploit with only one http request
2016-04-30 23:56:56 +08:00
73ac6e6fef
Land #6831 , Add CVE-2016-3081 Apache struts s2_032 DMI Code Exec
2016-04-29 11:53:47 -05:00
d6a6577c5c
Default payload to linux/x86/meterpreter/reverse_tcp_uuid
...
Default to linux/x86/meterpreter/reverse_tcp_uuid for now because
of issue #6833
2016-04-29 11:52:50 -05:00
288975a9ce
rm modules/exploits/multi/http/struts_dmi_exec.rb
2016-04-30 00:44:31 +08:00
9d279d2a74
Merge pull request #15 from wchen-r7/pr6831
...
Changes for Apache struts from @wchen-r7
2016-04-30 00:37:53 +08:00
15ffae4ae8
rename module name
2016-04-30 00:17:26 +08:00
1d95a8a76d
rename struts_code_exec_dynamic_method_invocation.rb to struts_dmi_exec.rb
2016-04-30 00:13:34 +08:00
97061c1b90
Update struts_dmi_exec.rb
2016-04-29 11:13:25 -05:00
9e56bb8358
send http request (get -> post)
2016-04-30 00:08:00 +08:00
e9535dbc5b
Address all @FireFart's feedback
2016-04-29 11:03:15 -05:00
6f6558923b
Rename module as struts_dmi_exec.rb
2016-04-29 10:34:48 -05:00
643591546e
struts s2_032 rce - linux_stager
2016-04-29 10:49:56 +08:00
c16a02638c
Add Oracle Application Testing Suite exploit
2016-04-26 15:41:27 -05:00
0cb555f28d
Fix typo
2016-04-26 15:26:22 -05:00
4a435e8d13
Bring hp_dataprotector_install_service up to date w/ upstream-master
2016-04-22 13:42:41 -05:00
db1d973ef0
Cosmetic changes for hp_dataprotector_install_service
2016-04-22 13:41:18 -05:00
67968e912c
Land #6785 Add CVE-2016-0854 Advantech WebAccess Arbitrary File Upload
2016-04-21 12:02:04 -05:00
c08872144f
Update advantech_webaccess_dashboard_file_upload.rb
2016-04-21 09:33:03 +08:00
dcb9c83f98
Update advantech_webaccess_dashboard_file_upload.rb
2016-04-21 09:28:42 +08:00
57cb8e49a2
remove overwritten keys from hashes
2016-04-20 07:43:57 -04:00
2400345fff
Merge pull request #2 from open-security/advantech_webaccess_dashboard_file_upload
...
Advantech webaccess dashboard file upload
2016-04-19 12:59:32 +08:00
0407acc0ec
add print_status with vuln_version?
2016-04-19 11:22:00 +08:00
c88ddf1cc4
fix NilClass for res.body
2016-04-19 10:27:20 +08:00
fd603102db
Land #6765 , Fixed SQL error in lib/msf/core/exploit/postgres
2016-04-18 10:44:20 -07:00
a895b452e6
fix
2016-04-19 00:21:26 +08:00
ce9b692dd8
add print_status
2016-04-18 20:43:39 +08:00
7143668671
fix version_match
2016-04-18 20:31:32 +08:00
897238f3ec
identify fingerpriint / make the code clear
2016-04-18 19:55:42 +08:00
7d1095bc08
Update advantech_webaccess_dashboard_file_upload.rb
2016-04-18 11:24:03 +08:00
47b5398152
Update advantech_webaccess_dashboard_file_upload.rb
2016-04-18 11:05:25 +08:00
ae23da39b8
Update advantech_webaccess_dashboard_file_upload.rb
2016-04-17 21:23:45 +08:00
ab9e988dd4
Update advantech_webaccess_dashboard_file_upload.rb
2016-04-17 21:15:03 +08:00
6c969b1c3b
Update advantech_webaccess_dashboard_file_upload.rb
2016-04-17 18:49:56 +08:00
32192d3034
Advantech WebAccess Dashboard Viewer Arbitrary File Upload
...
Advantech WebAccess Dashboard Viewer Arbitrary File Upload
2016-04-17 11:29:06 +08:00
a434622d21
Land #6769 , Add CVE-2016-1593 Novell ServiceDesk Authenticated Upload
2016-04-15 18:59:37 -05:00
92ef8f4ab3
Land #6751 , Correct proftp version check at module runtime
2016-04-14 15:34:53 -05:00
8dfe98d96c
Add bugtraq reference
2016-04-14 10:23:53 +01:00
252632a802
Use %w{} for a couple things
...
Why not? :)
2016-04-13 19:38:57 -05:00
de004d7da3
Line up some hash rockets
2016-04-13 19:32:35 -05:00
f8e4253e2f
Add telnet to RequiredCmd
...
Baffles me that cmd/unix/reverse isn't cmd/unix/reverse_telnet.
2016-04-13 18:22:28 -05:00
07ee18a62b
Do something shady with the exploit method
...
Hat tip @acammack-r7.
2016-04-13 18:15:17 -05:00
43e74fce9e
Add Exim privesc
2016-04-13 17:51:20 -05:00
1d1a495a93
Style check
2016-04-13 10:19:57 -05:00
b61175c6b4
Add Dell Kace K1000 unauthenticated remote root exploit
2016-04-12 16:15:37 +00:00
2dc4539d0d
Change class name to MetasploitModule
2016-04-10 23:27:40 +01:00
1fa7c83ca1
Create file for CVE-2016-1593
2016-04-10 23:17:07 +01:00
6b4dd8787b
Fix #6764 , nil SQL error in lib/msf/core/exploit/postgres
...
Fix #6764
2016-04-08 15:20:04 -05:00
28875313be
Change class name to MetasploitModule
2016-04-08 14:27:52 -05:00
ae46b5a688
Bring #6417 up to date with upstream-master
2016-04-08 13:41:40 -05:00
c4aac2a54a
Remove unwanted comments
2016-04-07 11:22:57 -05:00
7658014fb7
Add CVEs
2016-04-07 08:39:29 -05:00
87d59a9bfb
Add exploit for ExaGrid known credentials
2016-04-07 04:17:43 -05:00
11bf1018aa
Fix typo
2016-04-06 14:20:41 -05:00
a4ef9980f4
Land #6677 , atutor_sqli update
2016-04-05 19:52:44 -05:00
d9d257cb1a
Fix some things
2016-04-05 19:23:11 -05:00
08736c798d
Correct proftp version check at module runtime
2016-04-05 13:06:10 -05:00
d23a1c4551
Bump deprecation date
2016-04-01 13:57:58 -05:00
60bee16e8c
Restore psexec_psh
...
See @jabra-'s comments on #6222 .
2016-04-01 13:56:22 -05:00
ae0aecdd03
Change class name for exploits/windows/ftp/pcman_put.rb
2016-03-31 19:36:02 -05:00
de0e02549c
Bring #6507 up to date with upstream-master
2016-03-31 19:30:45 -05:00
f3336c7003
Update windows/http/easyfilesharing_seh
2016-03-31 19:24:06 -05:00
dd83757966
Bring #6488 up to date with upstream-master
2016-03-31 19:11:11 -05:00
82cec68606
Land #6427 , removes the deprecated psexec_psh module; please use exploit/windows/smb/psexec instead
2016-03-30 12:58:43 -07:00
dee9adbc50
Remove deprecated psexec_psh module
2016-03-30 14:35:47 -05:00
c7e63c3452
Land #6694 , Add Apache Jetspeed exploit
...
CVE-2016-0710
CVE-2016-0709
2016-03-30 11:17:21 -05:00
74f25f04bd
Make sure to always print the target IP:Port
2016-03-30 11:16:41 -05:00
2b90846268
Add Apache Jetspeed exploit
2016-03-23 19:22:32 -05:00
102d28bda4
Update atutor_filemanager_traversal
2016-03-22 14:44:07 -05:00
9cb43f2153
Update atutor_filemanager_traversal
2016-03-22 14:42:36 -05:00
3842009ffe
Add ATutor 2.2.1 Directory Traversal Exploit Module
2016-03-22 12:17:32 -05:00
ebc7316442
Spelling Fix
...
Fixed Thorugh to Through
2016-03-19 13:58:13 -04:00
31279291c2
Resolve merge conflict for ie_unsafe_scripting.rb
2016-03-17 14:42:36 -05:00
b1b68294bb
Update class name
2016-03-17 14:41:23 -05:00
7b2d717280
Change ranking to manual and restore BAP2 count to 21
...
Since the exploit requires the target to be configured manually,
it feel more appropriate to be ManualRanking.
2016-03-17 14:39:28 -05:00
1375600780
Land #6644 , datastore validation on assignment
2016-03-17 11:16:12 -05:00
af642379e6
Fix some OptInts
2016-03-16 14:13:18 -05:00
1769bad762
fix FORCE logic
2016-03-16 09:53:09 -05:00
d70308f76e
undo logic changes in adobe_flas_otf_font
2016-03-16 09:52:21 -05:00
5ef8854186
Update ATutor - Remove Login Code
2016-03-15 17:37:37 -05:00
05f585157d
Land #6646 , add SSL SNI and unify SSLVersion opts
2016-03-15 16:35:22 -05:00
e29fc5987f
Add missing stream.raw for hp_sitescope_dns_tool
...
This adds the missing stream.raw.
2016-03-15 11:06:06 -05:00
a50b21238e
Land #6669 , remove debug code from apache_roller_ognl_injection that breaks Windows
2016-03-13 14:14:10 -05:00
23eeb76294
update php_utility_belt_rce to use MetasploitModule
2016-03-13 13:59:47 -05:00
a6316d326e
Land #6662 , update disclosure date for php_utility_belt_rce
2016-03-13 13:58:04 -05:00
dabe5c8465
Land #6655 , use MetasploitModule as module class name
2016-03-13 13:48:31 -05:00
b22a057165
Fix #6554 , hardcoded File.open path in apache_roller_ognl_injection
...
The hardcoded File.open path was meant for debugging purposes during
development, but apparently we forgot to remove it. This line causes
the exploit to be unusable on Windows platform.
Fix #6554
2016-03-11 18:48:17 -06:00
8953952a8f
correction for the DisclosureDate based on Exploit-DB
2016-03-11 14:05:26 +08:00
7009682100
Landing #6659 , Fix bug in MS08-067 related to incorrect service pack identification when fingerprinting
2016-03-10 14:29:29 -06:00
8d22358892
Land #6624 , PHP Utility Belt exploit
2016-03-09 14:12:45 -06:00
52d12b68ae
Clean up module
2016-03-09 14:08:26 -06:00
179d38b914
Fix #6658 , MS08-067 unable to find the right target for W2k3SP0
...
Fix #6658 .
When there is no service pack, the
Msf::Exploit::Remote::SMB#smb_fingerprint_windows_sp method returns
an empty string. But in the MS08-067 exploit, instead of check an
empty string, it checks for "No Service Pack", which causes it to
never detect the right target for Windows Server 2003 SP0.
2016-03-09 11:05:34 -06:00
3123175ac7
use MetasploitModule as a class name
2016-03-08 14:02:44 +01:00
f703fa21d6
Revert "change Metasploit3 class names"
...
This reverts commit 666ae14259
2016-03-07 13:19:55 -06:00
44990e9721
Revert "change Metasploit4 class names"
...
This reverts commit 3da9535e22
2016-03-07 13:19:48 -06:00
rastating
William Vu
wchen-r7
ssyy201506
Vex Woo
Brent Cook
Bigendian Smalls
Nicholas Starke
HD Moore
David Maloney
Louis Sato
Security Corporation
dmohanty-r7
504137480
thao doan
Pedro Ribeiro
Brendan Coles
James Lee
greg.mikeska@rapid7.com
Steven Seeley
h00die
Adam Cammack
l0gan
Jay Turla
James Barnett
Christian Mehlmauer