2dc4539d0d
Change class name to MetasploitModule
2016-04-10 23:27:40 +01:00
1fa7c83ca1
Create file for CVE-2016-1593
2016-04-10 23:17:07 +01:00
6b4dd8787b
Fix #6764 , nil SQL error in lib/msf/core/exploit/postgres
...
Fix #6764
2016-04-08 15:20:04 -05:00
28875313be
Change class name to MetasploitModule
2016-04-08 14:27:52 -05:00
ae46b5a688
Bring #6417 up to date with upstream-master
2016-04-08 13:41:40 -05:00
c4aac2a54a
Remove unwanted comments
2016-04-07 11:22:57 -05:00
7658014fb7
Add CVEs
2016-04-07 08:39:29 -05:00
87d59a9bfb
Add exploit for ExaGrid known credentials
2016-04-07 04:17:43 -05:00
11bf1018aa
Fix typo
2016-04-06 14:20:41 -05:00
a4ef9980f4
Land #6677 , atutor_sqli update
2016-04-05 19:52:44 -05:00
d9d257cb1a
Fix some things
2016-04-05 19:23:11 -05:00
08736c798d
Correct proftp version check at module runtime
2016-04-05 13:06:10 -05:00
d23a1c4551
Bump deprecation date
2016-04-01 13:57:58 -05:00
60bee16e8c
Restore psexec_psh
...
See @jabra-'s comments on #6222 .
2016-04-01 13:56:22 -05:00
ae0aecdd03
Change class name for exploits/windows/ftp/pcman_put.rb
2016-03-31 19:36:02 -05:00
de0e02549c
Bring #6507 up to date with upstream-master
2016-03-31 19:30:45 -05:00
f3336c7003
Update windows/http/easyfilesharing_seh
2016-03-31 19:24:06 -05:00
dd83757966
Bring #6488 up to date with upstream-master
2016-03-31 19:11:11 -05:00
82cec68606
Land #6427 , removes the deprecated psexec_psh module; please use exploit/windows/smb/psexec instead
2016-03-30 12:58:43 -07:00
dee9adbc50
Remove deprecated psexec_psh module
2016-03-30 14:35:47 -05:00
c7e63c3452
Land #6694 , Add Apache Jetspeed exploit
...
CVE-2016-0710
CVE-2016-0709
2016-03-30 11:17:21 -05:00
74f25f04bd
Make sure to always print the target IP:Port
2016-03-30 11:16:41 -05:00
2b90846268
Add Apache Jetspeed exploit
2016-03-23 19:22:32 -05:00
102d28bda4
Update atutor_filemanager_traversal
2016-03-22 14:44:07 -05:00
9cb43f2153
Update atutor_filemanager_traversal
2016-03-22 14:42:36 -05:00
3842009ffe
Add ATutor 2.2.1 Directory Traversal Exploit Module
2016-03-22 12:17:32 -05:00
ebc7316442
Spelling Fix
...
Fixed Thorugh to Through
2016-03-19 13:58:13 -04:00
31279291c2
Resolve merge conflict for ie_unsafe_scripting.rb
2016-03-17 14:42:36 -05:00
b1b68294bb
Update class name
2016-03-17 14:41:23 -05:00
7b2d717280
Change ranking to manual and restore BAP2 count to 21
...
Since the exploit requires the target to be configured manually,
it feel more appropriate to be ManualRanking.
2016-03-17 14:39:28 -05:00
1375600780
Land #6644 , datastore validation on assignment
2016-03-17 11:16:12 -05:00
af642379e6
Fix some OptInts
2016-03-16 14:13:18 -05:00
1769bad762
fix FORCE logic
2016-03-16 09:53:09 -05:00
d70308f76e
undo logic changes in adobe_flas_otf_font
2016-03-16 09:52:21 -05:00
5ef8854186
Update ATutor - Remove Login Code
2016-03-15 17:37:37 -05:00
05f585157d
Land #6646 , add SSL SNI and unify SSLVersion opts
2016-03-15 16:35:22 -05:00
e29fc5987f
Add missing stream.raw for hp_sitescope_dns_tool
...
This adds the missing stream.raw.
2016-03-15 11:06:06 -05:00
a50b21238e
Land #6669 , remove debug code from apache_roller_ognl_injection that breaks Windows
2016-03-13 14:14:10 -05:00
23eeb76294
update php_utility_belt_rce to use MetasploitModule
2016-03-13 13:59:47 -05:00
a6316d326e
Land #6662 , update disclosure date for php_utility_belt_rce
2016-03-13 13:58:04 -05:00
dabe5c8465
Land #6655 , use MetasploitModule as module class name
2016-03-13 13:48:31 -05:00
b22a057165
Fix #6554 , hardcoded File.open path in apache_roller_ognl_injection
...
The hardcoded File.open path was meant for debugging purposes during
development, but apparently we forgot to remove it. This line causes
the exploit to be unusable on Windows platform.
Fix #6554
2016-03-11 18:48:17 -06:00
8953952a8f
correction for the DisclosureDate based on Exploit-DB
2016-03-11 14:05:26 +08:00
7009682100
Landing #6659 , Fix bug in MS08-067 related to incorrect service pack identification when fingerprinting
2016-03-10 14:29:29 -06:00
8d22358892
Land #6624 , PHP Utility Belt exploit
2016-03-09 14:12:45 -06:00
52d12b68ae
Clean up module
2016-03-09 14:08:26 -06:00
179d38b914
Fix #6658 , MS08-067 unable to find the right target for W2k3SP0
...
Fix #6658 .
When there is no service pack, the
Msf::Exploit::Remote::SMB#smb_fingerprint_windows_sp method returns
an empty string. But in the MS08-067 exploit, instead of check an
empty string, it checks for "No Service Pack", which causes it to
never detect the right target for Windows Server 2003 SP0.
2016-03-09 11:05:34 -06:00
3123175ac7
use MetasploitModule as a class name
2016-03-08 14:02:44 +01:00
f703fa21d6
Revert "change Metasploit3 class names"
...
This reverts commit 666ae14259
2016-03-07 13:19:55 -06:00
44990e9721
Revert "change Metasploit4 class names"
...
This reverts commit 3da9535e22
2016-03-07 13:19:48 -06:00
3da9535e22
change Metasploit4 class names
2016-03-07 09:57:22 +01:00
666ae14259
change Metasploit3 class names
2016-03-07 09:56:58 +01:00
eea8fa86dc
unify the SSLVersion fields between modules and mixins
...
Also actually handle the 'Auto' option that we had in the crawler and remove
hardcoded defaults in modules that do not need them.
2016-03-06 22:06:27 -06:00
a2c3b05416
Land #6405 , prefer default module base class of simply 'Metasploit'
2016-03-06 17:10:55 -06:00
c7c0e12bb3
remove various module hacks for the datastore defaults not preserving types
2016-03-05 23:11:39 -06:00
71b034a566
Land #6627 , atutor_sqli regex fix
2016-03-03 16:54:38 -06:00
ba4e0d304b
Do regex \d+ instead
2016-03-03 11:05:16 -06:00
22b69c8dee
Land #6588 , Add AppLocker Execution Prevention Bypass module
2016-03-01 22:30:23 -06:00
a798581fa3
Update #get_dotnet_path
2016-03-01 22:25:40 -06:00
cda4c6b3b3
Update the regex for the number of students in ATutor
2016-03-01 09:41:17 -06:00
62a611a472
Adding PHP Utility Belt Remote Code Execution
2016-03-01 09:22:25 +08:00
274b9acb75
rm #push
2016-02-29 18:58:05 -06:00
f55835cceb
Merge new code changes from mr_me
2016-02-29 18:39:52 -06:00
638d91197e
Override print_* to always print the IP and port
2016-02-29 16:18:03 -06:00
54ede19150
Use FileDropper to cleanup
2016-02-29 16:15:50 -06:00
727a119e5b
Report cred
2016-02-29 16:06:31 -06:00
4cc690fd8d
Let the user specify username/password
2016-02-29 15:45:33 -06:00
726c1c8d1e
There is no http_send_command, so I guess the check should not work
2016-02-29 15:43:47 -06:00
a3fa57c8f6
Add CVE-2016-2555: ATutor 2.2.1 SQL Injection Exploit Module
2016-02-29 14:59:26 -06:00
7731fbf48f
Land #6530 , NETGEAR ProSafe Network Management System 300 File Upload
2016-02-26 10:39:09 -06:00
6188da054d
Remove //
2016-02-25 22:20:48 -06:00
044b12d3a4
Made style changes requested by OJ and others
2016-02-23 15:14:04 +07:00
138e48b202
Fix vuln_version?
2016-02-22 00:39:44 +08:00
53a52fafd5
make code to be readable / rebuild / testing
2016-02-22 00:34:49 +08:00
3e22de116f
Changes to fix peer and style as recommended by jhart-r7.
2016-02-20 13:53:32 -08:00
bc7bf28872
Land #6591 , don't require username for wrt110 cmd exec module
2016-02-18 20:20:15 -06:00
3b9502cb1d
Don't require username in wrt110 module.
2016-02-18 18:45:04 -06:00
6d88c26474
Change title, and remove requires
2016-02-18 14:26:38 +10:00
2ae1e6df7d
Address concerns from @wvu-r7
2016-02-18 14:21:35 +10:00
2f4ec0af31
Add module for AppLocker bypass
...
This commit includes a new module that allows for payloads to be
uploaded and executed from disk while bypassing AppLocker in the
process. This module is useful for when you're attempting to generate
new shells on the target once you've already got a session. It is also
a handy way of switching between 32 and 64 bit sessions (in the case of
the InstallUtil technique).
The code is taken from Casey Smith's AppLocker bypass research (added in
the references), and includes just one technique at this point. This
technique uses the InstallUtil feature that comes with .NET. Other
techiques can be added at any time.
The code creates a C# file and uploads it to the target. The csc.exe
compiler is used to create a .NET assembly that contains an uninstaller
that gets invoked by InstallUtil behind the scenes. This function is
what contains the payload.
This was tested on Windows 7 x64. It supports running of both 32 and 64
bit payloads out of the box, and checks to make sure that .NET is
installed on the target as well as having a payload that is valid for
the machine (ie. don't run x64 on x86 OSes).
This appears to work fine with both staged and stageless payloads.
2016-02-18 13:46:32 +10:00
ffce1cc321
Update easyfilesharing_seh.rb
2016-02-15 22:43:28 -05:00
3d1861b3f4
Land #6526 , integrate {peer} string into logging by default
2016-02-15 15:19:26 -06:00
fc491ffa3e
Land #6555 , Content-Length fix for HP modules
2016-02-10 10:39:08 -06:00
5b3fb99231
Land #6549 , module option for X-Jenkins-CLI-Port
2016-02-10 10:34:33 -06:00
c67360f436
Remove extraneous whitespace
2016-02-10 09:44:01 -06:00
8a3bc83c4d
Resolve #6553 , remove unnecessary content-length header
...
Rex will always generate a content-length header, so the module
doesn't have to do this anymore.
Resolve #6553
2016-02-09 21:25:56 -06:00
c590fdd443
Land #6501 , Added Dlink DCS Authenticated RCE Module
2016-02-09 17:19:33 -06:00
1d6b782cc8
Change logic
...
I just can't deal with this "unless" syntax...
2016-02-08 18:40:48 -06:00
d60dcf72f9
Resolve #6546 , support manual config for X-Jenkins-CLI-Port
...
Resolve #6546
2016-02-08 18:16:48 -06:00
4cea6c0236
Update ie_unsafe_scripting to use BrowserExploitServer
...
This patch updates the ie_unsafe_scripting exploit to use the
BrowserExploitServer mixin in order to implement a JavaScript check.
The JS check allows the exploit to determine whether or not it is
in the poorly configured zone before firing.
It also adds another datastore option to carefully avoid IEs that
come with Protected Mode enabled by default. This is even though
IE allows unsafe ActiveX, PM could still block the malicious VBS or
Powershell execution by showing a security prompt. This is not ideal
during BrowserAutopwn.
And finally, since BAP2 can automatically load this exploit, we
bump the MaxExploitCount to 22 to continue favoring the
adobe_flash_uncompress_zlib_uninitialized module to be on the
default list.
Resolves #6341 for the purpose of better user experience.
2016-02-04 15:12:57 -06:00
1f4324f686
Create file for CERT VU 777024
2016-02-04 07:54:16 +08:00
b979128a2e
Added OSVBD ID thanks to @shipcod3
2016-02-01 17:11:46 -06:00
12256a6423
Remove now-redundant peer
...
These all include either Msf::Exploit::Remote:Tcp or Msf::Exploit::Remote:HttpClient
2016-02-01 15:12:03 -06:00
110a4840e9
Land #6491 , Shrink the size of ms08_067 so that it again works w/ bind_tcp
2016-01-29 11:03:03 -06:00
b049debef0
Fixes as recommended in the PR discussion.
2016-01-28 23:29:01 -08:00
d51be6e3da
Fixing typo
...
This commit fixes a typo in the word "service"
2016-01-28 16:44:42 -06:00
1ef7aef996
Fixing User : Pass delimiter
...
As per the PR comments, this commit replaces the user and
pass delimiter from "/" to ":"
2016-01-27 17:20:58 -06:00
f6f2e1403b
Land #6496 , specify scripting language - elastic search
2016-01-27 15:42:47 -06:00
51efb2daee
Land #6422 , Add support for native target in Android webview exploit
2016-01-27 14:27:41 -06:00
2df458c359
Few updates per OJ and wvu
2016-01-26 23:19:18 -06:00
3cab27086f
Added PCMan FTP PUT Buffer Overflow Exploit
2016-01-26 17:09:31 -06:00
4560d553b5
Fixing more issues from comments
...
This commit includes more minor fixes from the github
comments for this PR.
2016-01-24 19:43:02 -06:00
d877522ea5
Fixing various issues from comments
...
This commit fixes issues with specifying "rhost:rport",
replacing them instead with "peer". Also, a couple of
"Unknown" errors were replaced with "UnexpectedReply".
2016-01-23 13:43:09 -06:00
a5a2e7c06b
Fixing Disclosure Date
...
Disclosure date was in incorrect format, this commit
fixes the issue
2016-01-23 11:41:05 -06:00
8c8cdd9912
Adding Dlink DCS Authenticated RCE Module
...
This module takes advantage of an authenticated HTTP RCE
vulnerability to start telnet on a random port. The module
then connects to that telnet session and returns a shell.
This vulnerability is present in version 2.01 of the firmware
and resolved by version 2.12.
2016-01-23 11:15:23 -06:00
d6facbe339
Land #6421 , ADB protocol and exploit
2016-01-22 20:45:44 -06:00
1b386fa7f1
Add targets to avoid ARCH_ALL payload confusion
2016-01-22 16:45:10 -06:00
51eb79adc7
first try in changing class names
2016-01-22 23:36:37 +01:00
ad93d11868
Delete easyfilesharing_seh.rb
2016-01-22 13:04:14 -05:00
45c88d3189
Create easyfilesharing_seh.rb
2016-01-22 13:04:03 -05:00
76a8899d59
Delete EasyFileSharing_SEH.rb
2016-01-22 12:39:44 -05:00
b02c762b93
Grab zeroSteiner's module/jenkins-cmd branch
2016-01-22 10:17:32 -06:00
99de466a4d
Bugfix: specify scripting language
2016-01-22 15:00:10 +01:00
dc6dd55fe4
Shrink the size of ms08_067 so that it again works with bind_tcp
...
In #6283 , we discovered that ms08_067 was busted with reverse_tcp. The
solution was to bump the amount of space needed to help with encoding.
However, we flew a little too close to the sun, and introduced a
regression with bind_tcp on Windows XP SP2 EN where the payload stages
but does not run.
This shrinks the payload just enough to make bind_tcp work again, but
reverse_tcp also continues to work as expected.
2016-01-21 19:37:09 -06:00
1a80878054
Create easyfilesharing_seh.rb
2016-01-21 13:46:43 -05:00
9b43876270
Create EasyFileSharing_SEH.rb
2016-01-20 18:18:00 -05:00
a7cd5991ac
Add encoding of the upload path into the module
2016-01-17 22:44:41 +00:00
5660c1238b
Fix problem causing upload to fail on versions 1.2 and 1.3 of theme
2016-01-17 18:44:00 +00:00
fec75c1daa
Land #6457 , FileDropper for axis2_deployer
2016-01-14 15:10:05 -06:00
37178cda06
Land #6449 , properly handle HttpServer resource collisions
2016-01-14 12:15:18 -06:00
7e1446d8fa
Land #6400 , iis_webdav_upload_asp improvements
2016-01-14 12:12:33 -06:00
0216d027f9
Use OptEnum instead of OptString
2016-01-14 09:06:45 +00:00
564b4807a2
Add METHOD to simple_backdoors_exec
2016-01-13 14:42:11 +00:00
889a5d40a1
Add VAR to simple_backdoors_exec
2016-01-13 13:46:26 +00:00
315d079ae8
Land #6402 , Add Post Module for Windows Priv Based Meterpreter Migration
...
We are also replacing smart_migrate with this.
2016-01-13 01:21:32 -06:00
6deb57dca3
Deprecate post/windows/manage/smart_migrate and other things
...
This includes:
* Give credit to thelightcosine in priv_migrate
* Deprecate smart_migrate
* Update InitialAutoRunScript for winrm_script_exec
2016-01-12 23:14:13 -06:00
514199e88f
Register early so the cleanup can actually rm the file
2016-01-12 15:22:03 -06:00
c5773b1a02
Removal of spaces found with msftidy
2016-01-12 17:04:50 +00:00
9d64edc16f
New module to exploit the Install Service vulnerability inside data protector. I released this vulnearbility on exploit DB some years back but Metasploit didnt support setting up a SMB server at the time. I have re-submitted this module to exploit the vulnerability. I have tested this on Windows Server 2003 and it works without fail.
2016-01-12 16:53:26 +00:00
78bc394f80
Fix #6268 , Use FileDropper for axis2_deployer
...
Fix #6268
2016-01-08 17:09:09 -06:00
6a2b4c2530
Fix #6445 , Unexpected HttpServer terminations
...
Fix #6445
Problem:
When an HttpServer instance is trying to register a resource that
is already taken, it causes all HttpServers to terminate, which
is not a desired behavior.
Root Cause:
It appears the Msf::Exploit::Remote::TcpServer#stop_service method
is causing the problem. When the service is being detected as an
HttpServer, the #stop method used actually causes all servers to
stop, not just for a specific one. This stopping route was
introduced in 04772c8946
2016-01-07 16:55:41 -06:00
22a0d970da
Don't delete the payload after running.
2016-01-07 02:26:01 -06:00
fb99c61089
Remove print_status statement.
2016-01-07 01:17:49 -06:00
210f065427
Add a background option for the echo cmdstager.
2016-01-07 01:16:08 -06:00
436ea85b18
Further cleanup and fixes
2016-01-05 21:11:08 -08:00
d7061e8110
OCD fixes
2016-01-05 23:28:56 +00:00
7259d2a65c
Use unless instead of if !
2016-01-05 13:05:01 -06:00
7907c93047
Add D-Link DCS-931L File Upload module
2016-01-05 04:15:38 +00:00
00dc6364b5
Add support for native target in addjsif exploit.
2016-01-03 01:07:36 -06:00
0436375c6f
Change require to module level.
2016-01-02 23:06:23 -06:00
3a14620dba
Update linemax to match max packet size.
2016-01-02 23:00:46 -06:00
d64048cd48
Rename to match gdb_server_exec module.
2016-01-02 22:45:27 -06:00
dcd36b74db
Last mile polish and tweaks.
2016-01-02 22:41:38 -06:00
22aae81006
Rename to exec_payload.
2016-01-02 14:13:54 -06:00
6575f4fe4a
Use the cmdstager mixin.
2016-01-02 14:09:56 -06:00
a88471dc8d
Add ADB client and module for obtaining shell.
2016-01-02 01:13:53 -06:00
5c9c27691e
Execute commands on postgres through built-in functionality
2016-01-01 04:26:20 -08:00
2fd796a699
Execute commands on postgres through built-in functionality
2016-01-01 03:51:00 -08:00
814bf2a102
Execute commands on postgres through built-in functionality
2016-01-01 02:43:56 -08:00
fa3431c732
Pushing now. Still working on it.
2015-12-26 17:53:52 -05:00
9120a6aa76
iis_webdav_upload_asp: Add COPY and a few other tricks
2015-12-26 16:01:46 +00:00
283cf5b869
Update msftidy to catch more potential URL vs PACKETSTORM warnings
...
Fix the affected modules
2015-12-24 09:12:24 -08:00
27a6aa0be1
Fix current msftidy warnings about PACKETSTORM vs URL
2015-12-24 09:05:02 -08:00
efdb6a8885
Land #6392 , @wchen-r7's 'def peer' cleanup, fixing #6362
2015-12-24 08:53:32 -08:00
0f2f2a3d08
Remove peer; included via Exploit::Remote::Tcp in lib/msf/core/exploit/mysql.rb
2015-12-24 07:46:55 -08:00
e4f9594646
Land #6331 , ensure generic payloads raise correct exceptions on failure
2015-12-23 15:43:12 -06:00
7444f24721
update whitespace / syntax for java_calendar_deserialize
2015-12-23 15:42:27 -06:00
cea3bc27b9
Fix #6362 , avoid overriding def peer repeatedly
...
def peer is a method that gets repeated a lot in modules, so we
should have it in the tcp mixin. This commit also clears a few
modules that use the HttpClient mixin with def peer.
2015-12-23 11:44:55 -06:00
493700be3a
remove duplicate key warning from Ruby 2.2.x
...
This gets rid of the warning:
modules/exploits/multi/http/uptime_file_upload_2.rb:283: warning: duplicated key at line 284 ignored: "newuser"
2015-12-23 10:39:35 -06:00
424e7b6bfe
Land #6384 , more joomla rce references
2015-12-22 22:54:58 +01:00
18398afb56
Update joomla_http_header_rce.rb
2015-12-23 05:48:26 +08:00
cc40c61848
Update joomla_http_header_rce.rb
2015-12-23 05:38:57 +08:00
f6eaff5d96
use the new and shiny joomla mixin
2015-12-22 21:36:42 +01:00
314e902098
Add original exploit discoverer and exploit-db ref
...
Adding Gary @ Sec-1 ltd for the original exploit and two exploit-db references. Marc-Alexandre Montpas modified Gary's exploit that uses "User-Agent" header. Marc-Alexandre Montpas used "X-FORWARDED-FOR" header to avoid default logged to access.log
2015-12-22 22:44:59 +08:00
3034cd22df
Land #6372 , fix psexec nil bug + missing return
2015-12-21 10:59:10 -06:00
f129c0363e
Fix broken logic
...
Forgot to set retval when I removed the ensure.
2015-12-21 10:52:03 -06:00
726578b189
Land #6370 , add joomla reference
2015-12-18 17:05:07 -06:00
afe4861195
Fix nil bug and missing return
2015-12-18 15:54:51 -06:00
fb6ede80c9
add joomla reference
2015-12-18 18:27:48 +01:00
485196af4e
Remove modules/exploits/multi/http/uptime_file_upload.rb
...
Please use exploit/multi/http/uptime_file_upload_1 for exploiting
post2file.php on an older version of uptime.
If you are exploiting uptime that is patched against
exploit/multi/http/uptime_file_upload_1, then you may want to try
exploit/multi/http/uptime_file_upload_2.
2015-12-17 23:01:57 -06:00
06f1949e2c
Land #6355 , Joomla HTTP Header Unauthenticated Remote Code Execution
...
CVE-2015-8562
2015-12-16 17:55:51 -06:00
8c43ecbfaf
add random terminator and clarify target
2015-12-17 00:08:52 +01:00
08d0ffd709
implement @wvu-r7 's feedback
2015-12-16 22:44:01 +01:00
76438dfb2f
implement @wchen-r7 's suggestions
2015-12-16 20:31:43 +01:00
b43d580276
try to detect joomla version
2015-12-16 16:16:59 +01:00
30f90f35e9
also check for debian version number
2015-12-16 15:19:33 +01:00
67eba0d708
update description
2015-12-16 14:46:00 +01:00
fa3fb1affc
better ubuntu version check
2015-12-16 14:18:44 +01:00
60181feb51
more ubuntu checks
2015-12-16 14:02:26 +01:00
934c6282a5
check for nil
2015-12-16 13:52:06 +01:00
2661cc5899
check ubuntu specific version
2015-12-16 13:49:07 +01:00
675dff3b6f
use Gem::Version for version compare
2015-12-16 13:04:15 +01:00
01b943ec93
fix check method
2015-12-16 07:26:25 +01:00
595645bcd7
update description
2015-12-16 07:03:01 +01:00
d80a7e662f
some formatting
2015-12-16 06:57:06 +01:00
c2795d58cb
use target_uri.path
2015-12-16 06:55:23 +01:00
2e54cd2ca7
update description
2015-12-16 06:42:41 +01:00
d4ade7a1fd
update check method
2015-12-16 00:18:39 +01:00
c603430228
fix version check
2015-12-15 18:26:21 +01:00
b9b280954b
Add a check for joomla
2015-12-15 11:03:36 -06:00
e4309790f5
renamed module because X-FORWARDED-FOR header is also working
2015-12-15 17:37:45 +01:00
84d5067abe
add joomla RCE module
2015-12-15 17:20:49 +01:00
ab3fe64b6e
Add method peer for jenkins_java_deserialize.rb
2015-12-15 01:18:27 -06:00
30c805d9c7
Land #6344 , R7-2015-22 / CVE-2015-8249
2015-12-14 12:30:51 -06:00
b25aae3602
Add refs to module
...
See rapid7#6344.
2015-12-14 12:05:46 -06:00
bd8aea2618
Fix check for jenkins_java_deserialize.rb
...
This fixes the following:
* nil return value checks
* handle missing X-Jenkins-CLI-Port scenario more properly
* proper HTTP path normalization
2015-12-14 11:25:59 -06:00
5ffc80dc20
Add ManageEngine ConnectionId Arbitrary File Upload Vulnerability
2015-12-14 10:51:59 -06:00
eb4611642d
Add Jenkins CLI Java serialization exploit module
...
CVE-2015-8103
2015-12-11 14:57:10 -06:00
a5c6e260f2
Update hp_vsa_login_bof.rb
...
Updated reference URL to latest location
2015-12-10 10:56:39 -05:00
563be5c207
Land #6322 , another Perl IRC bot exploit
2015-12-10 09:43:07 -06:00
a945350821
Land #6307 , Perl IRC bot exploit
2015-12-10 09:42:35 -06:00
11c1eb6c78
Raise Msf::NoCompatiblePayloadError if generate_payload_exe fails
...
Most exploits don't check nil for generate_payload_exe, they just
assume they will always have a payload. If the method returns nil,
it ends up making debugging more difficult. Instead of checking nil
one by one, we just raise.
2015-12-08 21:13:23 -06:00
53acfd7ce3
Land #6303 , Add phpFileManager 0.9.8 Remote Code Execution
2015-12-07 21:13:48 -06:00
ea3c7cb35b
Minor edits
2015-12-07 21:13:14 -06:00
b36834f4bc
Update legend_bot_exec.rb
2015-12-07 10:38:36 +08:00
2244f2aa43
Add Legend Perl IRC Bot Remote Code Execution
2015-12-07 10:30:28 +08:00
26c8fd8faa
Update xdh_x_exec.rb
2015-12-07 08:25:19 +08:00
9ee5498090
Update xdh_x_exec.rb
...
satisfying msftidy's request
2015-12-06 20:21:18 +08:00
10a8e98e41
Update xdh_x_exec.rb
2015-12-06 20:11:49 +08:00
14afbc6800
Update xdh_x_exec.rb
...
updated description and new author.
2015-12-06 20:10:19 +08:00
faac44f257
Update xdh_x_exec.rb
2015-12-04 12:39:19 +08:00
f52e6ce65c
Update xdh_x_exec.rb
2015-12-04 11:17:16 +08:00
4955357015
Update xdh_x_exec.rb
2015-12-04 11:06:06 +08:00
4e43a90187
Add Xdh / fBot IRC Bot Remote Code Execution
2015-12-04 10:40:37 +08:00
340fe5640f
Land #6255 , @wchen-r7's module for Atlassian HipChat JIRA plugin
2015-12-03 20:01:06 -06:00
a972b33825
Fix typo
2015-12-03 20:00:37 -06:00
f8c11b9cd1
Move to multi
2015-12-03 17:49:21 -06:00
3bbc413935
Update phpfilemanager_rce.rb
2015-12-04 06:20:43 +08:00
67edf88c39
Doc
2015-12-03 14:25:01 -06:00
f33e63c16f
Support Win/Linx/Java payloads for Win/Linux platforms
2015-12-03 14:02:32 -06:00
28ca899914
Update phpfilemanager_rce.rb
2015-12-03 18:07:25 +08:00
83824b2902
First commit to support Windows for jira_hipchat_template
...
In Java
2015-12-03 02:39:55 -06:00
d63bb4768f
Update phpfilemanager_rce.rb
2015-12-03 14:09:02 +08:00
374b630601
Update phpfilemanager_rce.rb
2015-12-03 13:57:19 +08:00
56b810cb18
Update phpfilemanager_rce.rb
2015-12-03 12:44:41 +08:00
5414f33804
Update phpfilemanager_rce.rb
2015-12-03 12:43:47 +08:00
ab77ab509a
Update phpfilemanager_rce.rb
2015-12-03 12:35:49 +08:00
869caf789f
Update phpfilemanager_rce.rb
2015-12-03 12:34:17 +08:00
a2d51d48cd
Add phpFileManager 0.9.8 Remote Code Execution
2015-12-03 12:11:31 +08:00
0f24ca7d13
Land #6280 , @wchen-r7's module for Oracle Beehive processEvaluation Vulnerability
2015-12-01 21:38:09 -06:00
d269be22e7
Land #6223 , @wchen-r7's module for Oracle Beehive prepareAudioToPlay exploit
2015-12-01 21:36:18 -06:00
9697ce5033
Specify arch & platform for generate_payload_exe
...
If not specified, generic payloads will fail.
2015-12-01 18:46:52 -06:00
0e21265ecc
Fix cookie parsing, typo, and unused var
2015-12-01 17:39:40 -06:00
385378f338
Add reference to Rapid7 advisory
2015-12-01 11:37:27 -06:00
9dbf7cb86c
Remove the SSL option (not needed)
2015-12-01 11:34:03 -06:00
758e7c7b58
Rename
2015-12-01 11:33:45 -06:00
ea2174fc95
Typo and switch from raw -> encoded
2015-12-01 10:59:12 -06:00
16d0d53150
Update Shellshock modules, add Advantech coverage
2015-12-01 10:40:46 -06:00
ea363dd495
priv to true
2015-12-01 10:23:36 -06:00
2621753417
priv to true
2015-12-01 10:21:56 -06:00
d5d4a4acdc
Register the correct jsp to cleanup
2015-12-01 10:21:15 -06:00
7dc268d601
Land #6283 , increase the amount of space needed for ms08_067
2015-11-25 19:37:25 -06:00
35ea8c3f74
relax space needed a bit less, work with Windows XP and 2k3
2015-11-25 11:25:57 -06:00
2a89a2bc9a
increase the amount of space needed for ms08_067
2015-11-25 07:13:16 -06:00
f9d3652e1a
Land #6282 , deprecated module cleanup
...
rm modules/exploits/windows/browser/adobe_flash_pixel_bender_bof.rb
2015-11-24 23:48:09 -06:00
6fbcb3d127
Land #6263 , add BisonWare BisonFTP Server Buffer Overflow
2015-11-24 22:55:15 -06:00
f57ebad0e6
Change hard tabs to spaces
2015-11-24 22:54:52 -06:00
9a7e51daec
Update bison_ftp_bof.rb
2015-11-25 11:47:21 +08:00
3d6e4068cb
Update bison_ftp_bof.rb
2015-11-25 11:17:07 +08:00
591da3c97e
Please use exploit/multi/browser/adobe_flash_pixel_bender_bof
...
Time to say goodbye to:
exploits/windows/browser/adobe_flash_pixel_bender_bof.rb
Please use:
exploit/multi/browser/adobe_flash_pixel_bender_bof
Reason: The replacement supports multiple platforms, so better.
2015-11-24 20:37:57 -06:00
Pedro Ribeiro
wchen-r7
James Lee
William Vu
greg.mikeska@rapid7.com
thao doan
Steven Seeley
h00die
Brent Cook
Adam Cammack
l0gan
Jay Turla
James Barnett
Christian Mehlmauer
nixawk
Micheal
joev
OJ
Starwarsfan2099
Chris Higgins
Nicholas Starke
Louis Sato
Lutz Wolf
rastating
Rory McNamara
benpturner
g0tmi1k
Brendan Coles
Jon Hart
Tod Beardsley
dmohanty-r7
karllll
jvazquez-r7
HD Moore