Commit Graph

18012 Commits (c257f8945b888174ce74a9d54985a9198b41b107)

Author SHA1 Message Date
wchen-r7 d622c782ef
Land #5519, adobe_flash_uncompress_zlib_uninitialized in the flash renderer 2015-06-10 11:52:47 -05:00
wchen-r7 667db8bc30
Land #5517, adobe_flash_casi32_int_overflow (exec from the flash renderer) 2015-06-10 11:39:13 -05:00
William Vu b23647d5ae
Land #5521, @todb-r7's module cleanup 2015-06-10 11:29:41 -05:00
Tod Beardsley dc2fec76a9
Land #5509, remove msfencode and msfpayload
Fixes #4326

Thanks @wchen-r7!
2015-06-10 11:15:35 -05:00
Tod Beardsley 0d979f61ae
Minor fixups on newish modules 2015-06-10 11:09:42 -05:00
jvazquez-r7 fb531d0069
Update version coverage 2015-06-10 09:38:00 -05:00
jvazquez-r7 a6fe383852
Use AS Exploiter 2015-06-10 09:32:52 -05:00
root 7cb82f594b Add ftp port for service 2015-06-10 14:24:05 +05:00
root 3ffe006e09 Update titan_ftp_admin_pwd to use the new creds API 2015-06-10 13:36:26 +05:00
root 3fe6ddd10a Change credential status from untried to successful 2015-06-10 10:09:57 +05:00
root 78a6e1bc90 Change credential status from untried to successful 2015-06-10 10:07:33 +05:00
root 1b3f911f84 Change credential status from untried to successful 2015-06-10 09:54:10 +05:00
jvazquez-r7 e5d6c9a3cb Make last code cleanup 2015-06-09 16:01:57 -05:00
jvazquez-r7 cf8c6b510b
Debug version working 2015-06-09 15:46:21 -05:00
William Vu 9fa423464c
Fix #5224, comma fixes
My fault for missing these.
2015-06-09 14:28:01 -05:00
William Vu 8a69704d3e Fix up commas 2015-06-09 14:27:35 -05:00
William Vu d31a59cd22
Fix #5224, altered option description 2015-06-09 14:15:58 -05:00
William Vu cc8650f98a Fix TMPPATH description 2015-06-09 14:15:18 -05:00
William Vu 9c97da3b7c
Land #5224, ProFTPD mod_copy exploit 2015-06-09 14:11:27 -05:00
William Vu 5ab882a8d4 Clean up module 2015-06-09 14:10:46 -05:00
jvazquez-r7 b7f0fad72f
Modify CVE-2014-0569 to use the flash exploitation code 2015-06-09 11:31:39 -05:00
wchen-r7 6eb25743e3
Merge branch 'upstream-master' into bapv2 2015-06-09 10:10:00 -05:00
root 49e4820c57 Add depcrecated note to the existing modules 2015-06-09 10:42:53 +05:00
Josh Abraham 8381d4f994 update smb_enumusers_domain to store enumerated users in the DB 2015-06-08 19:42:03 -04:00
David Maloney bb56f6043e
explicitly use windows\temp
instead of using the user temp directory
trying to get around some intermittant permissions
issues

MSP-12358
2015-06-08 13:17:18 -05:00
David Maloney 2a474c8375
Merge branch 'master' into feature/MSP-12358/ntds-dump-module 2015-06-08 11:42:03 -05:00
wchen-r7 5a6a16c4ec Resolve #4326, remove msfpayload & msfencode. Use msfvenom instead!
msfpayload and msfencode are no longer in metasploit. Please use
msfvenom instead.

Resolves #4326
2015-06-08 11:30:04 -05:00
root 3279518bbd Move VMware modules to the VMware directory 2015-06-08 14:58:22 +05:00
root 245c76374d Update nessus_xmlrpc_logic to use the new creds API 2015-06-08 14:40:15 +05:00
jvazquez-r7 a39539f8ef
Land #5457, @wchen-r7 updates spark_im to use the new cred API 2015-06-07 20:45:42 -05:00
HD Moore 25aa96cfc1
Land #5456, removes obsolete comment 2015-06-07 14:25:23 -05:00
HD Moore 1f11cd5470
Lands #5446, support for 64-bit native powershell payloads 2015-06-07 14:16:19 -05:00
HD Moore c80017992a A dirty patch for a number of Net::DNS/dns_enum issues 2015-06-06 13:48:52 -05:00
jvazquez-r7 dca2607d54
Land #5452, @wchen-r7 Update tortoisesvn to use the new cred API 2015-06-06 01:35:40 -05:00
jvazquez-r7 bf35b9bdf4
Minor fix 2015-06-06 01:35:09 -05:00
HD Moore 135958a225 Cleanup the udp_(sweep|probe) SNMP generators 2015-06-06 00:54:08 -05:00
HD Moore 6b05302059 Fixes #5459, refactors LoginScanner::SNMP 2015-06-06 00:50:55 -05:00
wchen-r7 ea33d7060e Correct ranking 2015-06-05 21:07:27 -05:00
wchen-r7 ff39e32cc6 Single quote 2015-06-05 21:06:57 -05:00
jvazquez-r7 c3437dab2a
Land #5451, @wchen-r7 Update filezilla_client_cred to use the new cred API 2015-06-05 16:39:31 -05:00
jvazquez-r7 57b7d10ec5
Land #5449, @wchen-r7 updates total_commander to use the new cred API 2015-06-05 16:28:32 -05:00
wchen-r7 ee13a215e9
Merge branch 'upstream-master' into bapv2 2015-06-05 14:09:07 -05:00
jvazquez-r7 318f67fcda
update descriptions 2015-06-05 09:01:20 -05:00
root 3ec6d9b7aa Update owa_login to use new cred API 2015-06-05 15:41:07 +05:00
root b6936febbe Update pcanywhere_login to use the new cred API 2015-06-05 12:16:00 +05:00
wchen-r7 71a8487091 Correct Flash version in the module description
There is no 11.2.202.404, mang.
2015-06-04 23:46:41 -05:00
wchen-r7 5f4b2ed22a Newline 2015-06-04 23:36:36 -05:00
wchen-r7 69968fc9f1 Merge branch 'upstream-master' into bapv2 2015-06-04 23:36:24 -05:00
jvazquez-r7 02181addc5
Update CVE-2014-0556 2015-06-04 18:23:50 -05:00
wchen-r7 874e090aa1 Update wordpress_login_enum to use the new cred API 2015-06-04 18:16:14 -05:00
root d4f418fe3f Style corrections
See #5480
2015-06-04 15:52:07 -05:00
wchen-r7 23df66bf3a
Land #5481, no powershell. exec shellcode from the renderer process. 2015-06-04 15:45:09 -05:00
wchen-r7 487cc15b0b
Land #5476, multi-platform update for adobe_flash_net_connection_confusion 2015-06-04 12:32:42 -05:00
jvazquez-r7 ab68d8429b Add more targets 2015-06-04 12:11:53 -05:00
wchen-r7 be709ba370
Merge branch 'upstream-master' into bapv2 2015-06-04 10:33:07 -05:00
wchen-r7 744baf2d44 Update kloxo_sqli to use the new cred API 2015-06-03 23:28:35 -05:00
jvazquez-r7 80cb70cacf
Add support for Windows 8.1/Firefox 2015-06-03 22:46:04 -05:00
wchen-r7 78e4677bb1 Oops it blew up 2015-06-03 20:10:01 -05:00
wchen-r7 a0aa6135c5 Update ca_arcserve_rpc_authbypass to use the new cred API 2015-06-03 20:02:07 -05:00
John Sherwood d3c3741478 Use run_host so that we can use THREADS
- The refactor left the module using run_batch even though the
  features of the code that made this desirable were removed (i.e.,
  it was no longer doing one batch per community string).  By now
  switching back to run_host, we can again take advantage of the
  built-in metasploit multithreading capabilities.

- Also, added back in the display of the result.proof field.  This
  aids in identifying false positives (which have a blank response)
  and is functionality worth keeping.
2015-06-03 18:08:38 -04:00
jvazquez-r7 74117a7a52
Allow to execute payload from the flash renderer 2015-06-03 16:33:41 -05:00
wchen-r7 39d38f1641 Update pptpd_chap_secrets to use the new cred API 2015-06-03 16:33:10 -05:00
Pedro Ribeiro d5b33a0074 Update sysaid_rdslogs_fle_upload.rb 2015-06-03 22:01:13 +01:00
Pedro Ribeiro 37827be10f Update sysaid_auth_file_upload.rb 2015-06-03 22:00:44 +01:00
Pedro Ribeiro 7f35c3b4f5 Update sysaid_sql_creds.rb 2015-06-03 22:00:08 +01:00
Pedro Ribeiro 54bfe29527 Update and rename sysaid_file_ to sysaid_file_download.rb 2015-06-03 21:59:45 +01:00
Pedro Ribeiro 42e84cd7d5 Update sysaid_admin_acct.rb 2015-06-03 21:59:04 +01:00
Pedro Ribeiro 6683b86822 Create sysaid_sql_creds.rb 2015-06-03 21:46:48 +01:00
Pedro Ribeiro 72b7982e7a Create sysaid_file_ 2015-06-03 21:46:13 +01:00
Pedro Ribeiro 62993c35d3 Create sysaid_rdslogs_fle_upload.rb 2015-06-03 21:45:14 +01:00
Pedro Ribeiro 193b7bcd2e Create sysaid_auth_file_upload.rb 2015-06-03 21:44:02 +01:00
Pedro Ribeiro 765077d741 Create sysaid_admin_acct.rb 2015-06-03 21:38:43 +01:00
wchen-r7 656f64d9bd Update razorsql to use the new cred API 2015-06-03 13:49:06 -05:00
Roberto Soares b305fa62f4 Changed vprint_error when nothing was downloaded. 2015-06-03 14:46:59 -03:00
Roberto Soares 24ec3b2fb5 Changed vprint_error to fail_with method. 2015-06-03 13:46:59 -03:00
OJ a6467f49ec Update description 2015-06-03 22:17:25 +10:00
OJ 455a3b6b9d
Add butchered version of CVE-2015-1701 2015-06-03 21:48:23 +10:00
wchen-r7 b038760be7 Update razer_synapse to use the new cred API 2015-06-03 01:44:20 -05:00
wchen-r7 ef0d6490da Update smartermail to use the new cred API 2015-06-03 00:48:52 -05:00
wchen-r7 c64f025c4e Add module_fullname: fullname 2015-06-02 12:35:06 -05:00
wchen-r7 e43163135b Add module_fullname: fullname, 2015-06-02 12:33:34 -05:00
benpturner dddbf3886b Updated payload spec to be in the correct order and updated payload cached size 2015-06-02 18:33:06 +01:00
wchen-r7 63708f2bba Add module_fullname: fullname 2015-06-02 12:27:35 -05:00
wchen-r7 28556ea6e2 Update spark_im to use the new cred API 2015-06-02 12:16:07 -05:00
wchen-r7 aac2db826f Remove comment about report_auth_info
This module isn't using report_auth_info, so this comment is no
longer needed.
2015-06-02 10:24:55 -05:00
Tim ac2a52b522
fix android/java reverse_tcp 2015-06-02 10:54:49 +01:00
root 7485cf776e Remove unnecessary spaces 2015-06-02 14:18:36 +05:00
root b4cfe93977 Add creds API 2015-06-02 14:16:16 +05:00
wchen-r7 1ae9265fb9 Update tortoisesvn to use the new cred API 2015-06-02 00:52:43 -05:00
wchen-r7 b98cc89f0c Update filezilla_client_cred to use the new cred API 2015-06-02 00:22:17 -05:00
Tim c721cb6f4e
Land #5448, fix author name typo 2015-06-02 05:08:48 +01:00
wchen-r7 c3e15059a7 Update total_commander to use the new cred API 2015-06-01 21:17:58 -05:00
James Lee d03ee5667b
Remove assigned but unused local vars 2015-06-01 16:45:36 -05:00
James Lee 7133f0a68e
Fix typo in author's name 2015-06-01 16:45:09 -05:00
Brent Cook 449ce32f07 update for new UUID namespace 2015-06-01 15:16:04 -05:00
benpturner 9d1a7cead4 New modules to support 64bit process powershell. 2015-06-01 16:11:23 +01:00
Brent Cook 64e86165ef remove android meterpreter bins, update to payloads 1.0.2
This switches us to using the Android payload files from the
metasploit-payloads gem
2015-06-01 09:14:31 -05:00
Brent Cook 70ef1b83f9 Merge branch 'master' into land-5366-android 2015-06-01 09:07:55 -05:00
wchen-r7 e83677d29d rm deprecated mod 2015-05-29 17:43:26 -05:00
OJ 3dd3ef5edb
Merge branch 'upstrea/master' into winhttp-ie-proxy 2015-05-30 08:03:43 +10:00
jvazquez-r7 4a6fec7f1e
Land #5439, @Firefart's explanations on dlink_upnp_header_exec_noauth 2015-05-29 16:46:41 -05:00
Brent Cook b8a8e65c2c Merge branch 'master' into land-5394-uuid-tracker 2015-05-29 16:22:45 -05:00
jvazquez-r7 6669665d6d
Land #5402, @nstarke's module to extract accouns information from a AVTECH744_DVR device 2015-05-29 16:14:50 -05:00
jvazquez-r7 843572df6d
Change module filename 2015-05-29 16:14:16 -05:00
jvazquez-r7 acb0af3826
Update description 2015-05-29 16:13:43 -05:00
jvazquez-r7 39ae6263e9
Use Rex::Text.encode_base64 2015-05-29 16:12:21 -05:00
Christian Mehlmauer 73f7885eea
add comment 2015-05-29 23:08:55 +02:00
jvazquez-r7 8338b21f6c
Make some code cleanup 2015-05-29 16:04:29 -05:00
Brent Cook 7b0006a1b2 Merge branch 'master' into land-5394-uuid-tracker 2015-05-29 15:41:31 -05:00
Brent Cook 96a1e1b344
Land #5367, add UUID stagers 2015-05-29 15:18:53 -05:00
wchen-r7 13779adab4
Merge branch 'upstream-master' into bapv2 2015-05-29 14:59:04 -05:00
wchen-r7 6be363d82a
Merge branch 'upstream-master' into bapv2 2015-05-29 14:58:38 -05:00
jvazquez-r7 1be04a9e7e
Land #5182, @m-1-k-3's exploit for Dlink UPnP SOAP-Header Injection 2015-05-29 14:49:09 -05:00
jvazquez-r7 8b2e49eabc
Do code cleanup 2015-05-29 14:45:47 -05:00
jvazquez-r7 8c7d41c50c
Land #5426, @wchen-r7's adds more restriction on Windows 7 target for MS14-064 2015-05-29 14:35:44 -05:00
wchen-r7 c3fa52f443 Update description 2015-05-29 13:47:20 -05:00
wchen-r7 dab9a66ea3 Use current ruby hash syntax 2015-05-29 13:43:20 -05:00
jvazquez-r7 9ccf04a63b
Land #5420, @m-1-k-3's miniigd command injection module (ZDI-15-155) 2015-05-29 13:29:03 -05:00
jvazquez-r7 9ebd6e5d6e
Use REXML 2015-05-29 13:27:19 -05:00
Brent Cook 7d5af66fa0 Merge branch 'master' into land-5367-uuid-stagers 2015-05-29 13:00:35 -05:00
jvazquez-r7 294fa78c1f
Land #5430, @m-1-k-3's adding specific endianess Arch to some exploits 2015-05-29 11:43:25 -05:00
jvazquez-r7 dd39d196f5
Land #5226, @m-1-k-3's Airties login Buffer Overflow exploit 2015-05-29 10:51:32 -05:00
jvazquez-r7 952f391fb4
Do minor code cleanup 2015-05-29 10:49:51 -05:00
wchen-r7 bb444a8259
Land #5429, Decrypt encrypted passwords in DBVisualizer 2015-05-29 09:57:08 -05:00
root 17c0af6380 Consistent column names 2015-05-29 11:08:24 +05:00
root 101f12b9d2 Remove base64 require 2015-05-29 10:38:06 +05:00
root 3ac5088a9a Add decryption.final for proper padding 2015-05-29 10:33:55 +05:00
wchen-r7 b6b055a5f2
Land #5431, deprecate cold_fusion_version, use coldfusion_version instead. 2015-05-28 15:40:34 -05:00
wchen-r7 80c3022dc1 Deprecate cold_fusion_version. Please use coldfusion_version.
auxiliary/scanner/http/cold_fusion_version is deprecated. Please use
auxiliary/scanner/http/coldfusion_version instead.
2015-05-28 15:39:14 -05:00
wchen-r7 00a80ce2ab
Land #5425, Add Linux support to CVE-2015-0336 2015-05-28 15:18:44 -05:00
wchen-r7 2a260f0689 Update description 2015-05-28 15:18:05 -05:00
Christian Mehlmauer 52e30d4fc2
Land #5434, OSVDB reference 2015-05-28 22:00:44 +02:00
wchen-r7 068198c980
Land #5386, automatically find file for ms15_034 2015-05-28 14:52:31 -05:00
wchen-r7 f9f35db7f3 Update description 2015-05-28 14:52:03 -05:00
Tod Beardsley 818dbf58f0
Adding an OSVDB number to the Netgear module 2015-05-28 14:37:39 -05:00
Michael Messner 666b0bc34a MIPSBE vs MIPS 2015-05-28 18:50:48 +02:00
erwanlr a74c3372c0 Uses vprint instead of print in #check_host 2015-05-28 15:46:51 +01:00
erwanlr 6d01d7f986 Uses peer instead of ip:port across all the module 2015-05-28 09:32:05 +01:00
erwanlr 447c4ee7df Allows the targetèuri to be shared between the #check and #dos 2015-05-28 09:30:04 +01:00
root 2756c7375e Add datastore options 2015-05-28 10:58:36 +05:00
root 1ab49397a2 Decrypt encrypted passwords 2015-05-28 10:21:00 +05:00
jvazquez-r7 e9714bfc82
Solve conflics 2015-05-27 23:22:00 -05:00
Spencer McIntyre 24b4dacec5
Land #5408, @g0tmi1k fixes verbiage and whitespace 2015-05-27 21:02:02 -04:00
wchen-r7 bcdae5fa1a Forgot to add the datastore option 2015-05-27 18:12:38 -05:00
wchen-r7 4f0e908c8b Never mind, Vista doesn't have powershell. 2015-05-27 18:08:58 -05:00
wchen-r7 d43706b65e It doesn't look like Vista shows the powershell prompt 2015-05-27 18:04:35 -05:00
wchen-r7 53774fed56 Be more strict with Win 7 for MS14-064
The Powershell prompt can cause BAP to hang so we need to be more
strict about that.
2015-05-27 18:01:40 -05:00
jvazquez-r7 e5d42850c1
Add support for Linux to CVE-2015-0336 2015-05-27 17:05:10 -05:00
wchen-r7 2ae9e39719
Land #5376, Report ipmi_dumphashes credentials with create_credential_login 2015-05-27 13:11:07 -05:00
Tod Beardsley 95b5ff6bea
Minor fixups on recent modules.
Edited modules/auxiliary/admin/http/netgear_soap_password_extractor.rb
first landed in #5301, @m-1-k-3's aux module to extract passwords from
Netgear soap interfaces

Edited modules/auxiliary/scanner/http/influxdb_enum.rb first landed in

Edited modules/auxiliary/scanner/http/title.rb first landed in #5333,
HTML Title Grabber

Edited modules/exploits/multi/browser/adobe_flash_uncompress_zlib_uaf.rb
first landed in #5401, multi-platform CVE-2015-0311 - Flash uncompress()
UAF

Edited modules/exploits/unix/webapp/wp_revslider_upload_execute.rb first
landed in #5290, Wordpress RevSlider Module
2015-05-26 17:00:10 -05:00
wchen-r7 60cdf71e6c
Merge branch 'upstream-master' into bapv2 2015-05-26 15:56:48 -05:00
wchen-r7 a0e0e3d360 Description 2015-05-25 17:24:41 -05:00
Michael Messner 43f505b462 fix contact details 2015-05-25 19:31:50 +02:00
OJ 307dcd09dd Update payload cache sizes again 2015-05-25 20:12:20 +10:00
OJ 7f59a7482e Update authors and stuff 2015-05-25 12:02:52 +10:00
OJ e103b2365a Update payload sizes and add new payloads to spec 2015-05-25 11:31:15 +10:00
OJ 9e50114082
Merge branch 'upstream/master' into uuid-stagers 2015-05-25 11:22:35 +10:00
OJ 9042f141ff Implement the IPv6 UUID bind stagers 2015-05-25 11:21:28 +10:00
jvazquez-r7 f953dc08d9
Land #5280, @m-1-k-3's support for Airties devices to miniupnpd_soap_bof 2015-05-24 15:17:38 -05:00
Nicholas Starke a3ff9859c8 Adding Credentials Capabilities
This commit adds the ability for credentials
to be retrieved via the 'creds' command.  It
also contains a few miscellaneous stylistic
syntax changes.
2015-05-24 15:03:06 -05:00
Michael Messner 10baf1ebb6 echo stager 2015-05-23 15:50:35 +02:00
wchen-r7 60b0be8e3f Fix a lot of bugs 2015-05-23 01:59:29 -05:00
jvazquez-r7 5bceeb4f27
Land #5349, @h0ng10's module for CVE-2015-2219 Lenovo System Update Local Privilege Escalation 2015-05-22 17:14:20 -05:00
wchen-r7 9600f6a30a rm deprecated exploit 2015-05-22 17:14:08 -05:00
wchen-r7 6de75ffd9f
Merge branch 'upstream-master' into bapv2 2015-05-22 17:11:03 -05:00
wchen-r7 eb5aadfb4e
Land #5401, multi-platform CVE-2015-0311 - Flash uncompress() UAF 2015-05-22 16:50:13 -05:00
jvazquez-r7 3aa1ffb4f5
Do minor code cleanup 2015-05-22 16:20:36 -05:00
wchen-r7 2bb6f390c0 Add session limiter and fix a race bug in notes removal 2015-05-22 12:22:41 -05:00
jvazquez-r7 03b70e3714
Land #5388, @wchen-r7's fixes #5373 by add info to BrowserRequiements 2015-05-22 10:21:59 -05:00
HD Moore c17ee64d81 Merge branch 'master' into feature/uuid-registration 2015-05-22 00:29:16 -05:00
OJ 1c73c190fc Add machine_id support to windows php meterp 2015-05-22 14:55:29 +10:00
Brent Cook 9ce669f878
Land #5328: reworked x64 http/https stagers 2015-05-21 23:26:34 -05:00
Tim 7a9e875a25
use uuid aware generate_uri_uuid_mode 2015-05-22 05:21:08 +01:00
OJ 10bd75348c
Merge branch 'upstream/master' into uuid-stagers 2015-05-22 13:07:25 +10:00
OJ a6a274d3a3
Merge recent stager changes 2015-05-22 13:01:45 +10:00
Nicholas Starke 9430d38a09 Adding AVTECH744_DVR Module
This module retrieves account information from
an AVTECH 744 DVR, including username, cleartext
password, account role, and the device PIN.
2015-05-21 16:33:06 -05:00
jvazquez-r7 e1f10772b3
Use create_cracked_credential 2015-05-21 16:30:42 -05:00
jvazquez-r7 305da46491
Land #5301, @m-1-k-3's aux module to extract passwords from Netgear soap interfaces 2015-05-21 16:07:05 -05:00
jvazquez-r7 6da94b1dd5
Deprecate windows module 2015-05-21 15:01:41 -05:00
jvazquez-r7 b9f9647ab1
Use all the BES power 2015-05-21 14:06:41 -05:00
Roberto Soares b4a6cdbad0 Remove new line in vprint_line. 2015-05-21 12:33:09 -03:00
Roberto Soares 0135b3639f Add WordPress Simple Backup File Read Vulnerability. 2015-05-21 12:23:24 -03:00
erwanlr d9d8634948 Changes the message displayed when vulnerable 2015-05-21 08:46:16 +01:00
wchen-r7 6e8ee2f3ba Add whitelist feature 2015-05-21 00:05:14 -05:00
wchen-r7 bdf30dd383
Land #5374, --smallest option in msfvenom 2015-05-20 21:06:10 -05:00
HD Moore a8d111ce89 Merge branch 'master' into feature/uuid-registration 2015-05-20 19:48:39 -05:00
jvazquez-r7 aa919da84d
Add the multiplatform exploit 2015-05-20 18:57:59 -05:00
wchen-r7 2cadd5e658 Resolve #5373, Add ActiveX info in BrowserRequirements
Resolve #5373
2015-05-20 16:34:09 -05:00
Brent Cook a4df3468de unique: should be update:, include uri in data hash 2015-05-20 16:20:09 -05:00
Brent Cook c85b82e8a7 Merge branch 'master' into land-5358-notes 2015-05-20 16:02:59 -05:00
erwanlr 4f6fe2abce Avoids swallowing exceptions 2015-05-20 21:36:03 +01:00
erwanlr 202a77fc12 Improves detection of the MS15-034 2015-05-20 18:08:00 +01:00
wchen-r7 23c77adc68
Land #5377, Update cred reporting method for http_ntlm 2015-05-20 11:57:42 -05:00
OJ 44f8cf4124 Add more size to stagers, adjust psexec payloads
This psexec payload size should be evaluated to make sure I'm not doing
anything stupid. i can't see a reason why increasing these sizes would
be bad. They seem to work fine.
2015-05-20 17:07:56 +10:00
OJ 5963a5833a Fix up php stageless payload includes 2015-05-20 16:50:00 +10:00
Tim 96a30118e2
add https cert validation 2015-05-20 07:27:59 +01:00
OJ d0a5b803e8 Use generate_payload_uuid instead of manual obj creation 2015-05-20 16:25:52 +10:00
OJ 289873c25f
Merge all the stager changes 2015-05-20 16:02:37 +10:00
OJ 6859b24c1c Fix missing label, update payload sizes 2015-05-20 15:42:31 +10:00
William Vu c1b8cee315
Land #5369, @dmaloney-r7's snmp_login fixes 2015-05-19 10:39:03 -05:00
Tim ebd20fbedd fix http 2015-05-19 16:25:46 +01:00
Tim e7c8a3b56c add support for SessionRetryTotal and SessionRetryWait on Android 2015-05-19 16:16:04 +01:00
OJ a93565b5d1 Add 'Payload' section with 'Size' to psexec_psh
This missing parameter was causing the payload 'Size' to come through to
the encoders as `nil`. This meant that all the stagers that were
looking at the payload sizes were being told there was no size. In the
case of the meterpreter payloads, this was causing issues with the proxy
settings because the proxy configuration detail isn't added to the
payload unless there's enough space.

This fix adds a default size of 2048 (the same as the plain psexec
module). This makes the proxy settings work as expected.
2015-05-19 22:11:29 +10:00
OJ 9fddc21cf3 Shaved another sneaky byte off the payload 2015-05-19 21:21:07 +10:00
OJ 6e96e6d118 Shellcode golf to make the payload smaller
Tried to implement some more of the stuff that egypt suggested, managed
to get some in, but not others. Ultimately, its smaller than it was, and
I'm sure there are ways to make it better as well.
2015-05-19 21:17:42 +10:00
OJ 62720ab357 Fix the wininet stager for http/s
For some reason this was only working on Windows7/2008, yet when tired
on Windows 2012 it was resulting in crashes. It was also stopping
working in exploits such as psexec_psh.

Went back to the beginning and started again. With this in place, we can
now do a bit of shellcode golf to make it a bit smaller.

Adjusted payload sizes as well.
2015-05-19 20:03:22 +10:00
jvazquez-r7 55c07b1bdd
Report credentials with create_credential_login 2015-05-19 00:14:55 -05:00
HD Moore c7932855f2 Move UUIDOptions to UUID::Options 2015-05-18 23:35:18 -05:00
jvazquez-r7 d564a85f6f
Fix jtr_format 2015-05-18 19:55:48 -05:00
jvazquez-r7 f49362492a
Report hash's username correctly 2015-05-18 19:46:17 -05:00
jvazquez-r7 c6fcb9c6c5
Report credentials with create_credential_login 2015-05-18 19:39:03 -05:00
HD Moore 448736989d Merge branch 'master' into feature/msfvenom-smallest 2015-05-18 18:41:44 -05:00
wchen-r7 89be3fc1f2 Do global requirement comparison in BAP 2015-05-18 16:27:18 -05:00
Brent Cook 5d085a3e13
Land #5351, use 32-bit registry view when detecting epo_sql 2015-05-18 15:48:14 -05:00
Brent Cook 79db696c15 fix EOL character 2015-05-18 15:46:55 -05:00
HD Moore 093ca31c7d The InvalidPayloadSizeException wasn't actually defined anywhere 2015-05-18 15:36:15 -05:00
HD Moore b0a8c77127 Switch RuntimeError -> EncodingError 2015-05-18 15:33:01 -05:00
HD Moore 7989a29203 Switch to the stock EncodingError exception 2015-05-18 15:27:31 -05:00
HD Moore 5c31586c68 Switch to the correct exception class 2015-05-18 15:25:26 -05:00
David Maloney 69a7a89936
use the correct print_error message
vrpint_error feeds through the old authbrute mixin
which does not behave properly anymore. use
print_error instead

5266
2015-05-18 13:51:23 -05:00
David Maloney 09d735e855
remove proof from failure message
the snmp login scanner will only have
proof on success, not on failure. remove it from
the failure message for cleaner formatting

5266
2015-05-18 13:45:01 -05:00
Donny Maasland (Fox-IT) e1eed6e9d9 single quotes and slashes.. 2015-05-18 16:33:57 +02:00
OJ 4a5f92072e Make msftidy happy 2015-05-18 22:00:51 +10:00
OJ 923c4274d3 Formatting fixes 2015-05-18 21:52:33 +10:00
OJ 28abceaec5 Update payload sizes and specs 2015-05-18 21:22:54 +10:00
OJ e7f80042d4 Finalise work on the bind_ipv6_tcp stager for UUID support 2015-05-18 21:19:04 +10:00
Donny Maasland (Fox-IT) 7d65095472 fix quotes 2015-05-18 12:20:42 +02:00
OJ 6c00e62649 Small fix to PHP stage 2015-05-18 19:11:33 +10:00
Donny Maasland (Fox-IT) 30f7c651c9 use REGISTRY_VIEW_32_BIT 2015-05-18 10:19:32 +02:00
OJ e2d4ed6045 Add the UUID payloads for PHP 2015-05-18 17:49:34 +10:00
OJ 9296a024e2 PHP meterpreter refactoring in prep for uuid work 2015-05-18 17:40:48 +10:00
OJ e41ae93524 Payload sizes, specs and more 2015-05-18 14:58:10 +10:00
OJ 4488a5e634 Add uuid support to python, and rework stages/stagers 2015-05-18 14:33:35 +10:00
OJ 0d56b3ee66 Stage UUIDs, generation options, php and python meterp uuid 2015-05-18 13:29:46 +10:00
OJ bf2b113abb
Merge branch 'upstream/master' into update-x64-stagers 2015-05-18 13:28:36 +10:00
Hans-Martin Münch (h0ng10) d99eedb1e4 Adding begin...ensure block 2015-05-17 20:48:11 +02:00
Hans-Martin Münch (h0ng10) acb053a2a7 CloseHandle cleanup 2015-05-17 20:39:10 +02:00
Brent Cook d804f5fe49 update to metasploit-payloads 0.0.7 2015-05-17 10:06:38 -05:00
Stuart Morgan 79b9ef008a Bugfix 2015-05-17 13:55:56 +01:00
Brent Cook 829f8420e2
Update static payload sizes for metasploit-payloads-0.0.6 2015-05-15 18:43:47 -05:00
David Maloney fd1a24d6f9
some more minor cleanup noise
apparently we standardized on using get_env
instead of expand_path in these cases. Not sure
on the effective difference here but no big deal

MSP-12358
2015-05-15 13:33:48 -05:00
jvazquez-r7 dd5060e08c
Land #5340, @wchen-r7's change to the symantec_web_gateway_login writing style 2015-05-15 13:18:35 -05:00
jvazquez-r7 cf5fa6752e
Use parenthesis 2015-05-15 13:17:54 -05:00
jvazquez-r7 d05cae5faf
Land #5329, @wchen-r7's add configurable options to jenkins_login 2015-05-15 11:38:21 -05:00
David Maloney 631dfc0a0e
increase timeout on ntdsutil
default timeout is 15 seconds. we'll give it 90
seconds for now. This may still be too short for
really really large domains, but too long of a timeout
can create other issues

MSP-12358
2015-05-15 11:19:35 -05:00
David Maloney a3d91dff0b
clean up ntds.dit file when done
delete the ntds.dit file we copied when
we are done

MSP-12358
2015-05-15 11:13:19 -05:00
jvazquez-r7 2882374582
Land #5276, @lanjelot fixes #4243 and improves java_jdwp_debugger 2015-05-15 11:12:10 -05:00
jvazquez-r7 a46975f1f0
Fix read_reply to use get_once correctly 2015-05-15 11:11:25 -05:00
David Maloney ac04b8d1e7
a little bit of cleanup
constantise some of the magic numbers in
the NTDS Account class

MSP-12358
2015-05-15 10:47:31 -05:00
Donny Maasland (Fox-IT) 2721be946a also check Wow6432Node keys 2015-05-15 14:28:12 +02:00
Hans-Martin Münch (h0ng10) e075495a5b string concatenation, clear \ handling 2015-05-15 06:51:42 +02:00
Hans-Martin Münch (h0ng10) 94d39c5c75 remove hard coded pipe name 2015-05-15 06:35:55 +02:00
Hans-Martin Münch (h0ng10) bb4f5da6d9 replace client.sys.config.getenv with get_env 2015-05-15 06:33:57 +02:00
OJ 7b2aee2a60
Merge branch 'upstream/master' into update-x64-stagers 2015-05-15 12:27:40 +10:00
wchen-r7 8bcdd08f34 Some basic code in place for real-time exploit list generation 2015-05-14 19:09:38 -05:00
Hans-Martin Münch (h0ng10) bba261a1cf Initial version 2015-05-15 00:36:03 +02:00
David Maloney 724b7c6f16
save the ntlm hases as creds
the last step is now complete. the current and historical
hashes are all saved to the database for cracking and/or
replay

MSP-12358
2015-05-14 13:52:11 -05:00
wchen-r7 24a989b8a3
Land #5249, Add Module for Enum on InfluxDB database 2015-05-14 11:22:54 -05:00
wchen-r7 005c36b2a6 If data is empty, don't save (or even continue) 2015-05-14 11:22:10 -05:00
David Maloney 452fc6b149
Merge branch 'feature/MSP-12357/meterp-ntds' into feature/MSP-12358/ntds-dump-module 2015-05-14 10:31:28 -05:00
OJ 83fbd41970 Merge branch 'upstream/master' into multi-transport-support
Conflicts:
	Gemfile.lock
	modules/payloads/singles/cmd/windows/powershell_bind_tcp.rb
2015-05-14 14:50:25 +10:00
HD Moore 5f3947312d
Lands #5327, SSL support + refactor for PowerShell 2015-05-13 23:25:15 -05:00
wchen-r7 1a8ab91ce3 Configurable max exploits 2015-05-13 16:23:22 -05:00
wchen-r7 7617217eff Add ability to exclude 2015-05-13 15:55:19 -05:00
David Maloney 0e666d5732
gaurd against arch mismatch
this will not work from an x86 proc
on an x64 machine, so guard against that.

MSP-12358
2015-05-13 15:28:11 -05:00
David Maloney 9308da7956
2003 code path working
using VSS directly on server 2003 and repairing
the database with esentutl is now working

MSP-12358
2015-05-13 12:25:44 -05:00
benpturner 36aa136091 missing require 2015-05-13 17:36:45 +01:00
benpturner 1f294eac0b Updated to remove dup code 2015-05-13 17:26:21 +01:00
OJ e9e3d9c1e4 Update payloads gem, and updated payload sizes 2015-05-13 15:37:09 +10:00
wchen-r7 ac0e4e747a Change writing style of symantec_web_gateway_login 2015-05-13 00:23:37 -05:00
OJ 7148e45bfc Fix incorrect reference to data path for linux meterpreter stage 2015-05-13 14:21:22 +10:00
wchen-r7 202c5e0121
Land #5333, HTML Title Grabber 2015-05-12 11:19:06 -05:00
wchen-r7 faec5844cb Some fixes 2015-05-12 11:18:21 -05:00
jvazquez-r7 a5267ab77e
Land #4940, @dnkolegov's modules for F5 BIG-IP devices 2015-05-12 09:59:21 -05:00
Stuart Morgan f0048b9a6d Apparently you don't quote the keys with the new syntax 2015-05-12 11:00:18 +01:00
Stuart Morgan 7c81adbd89 MSFTidy is now quiet and happy 2015-05-12 10:47:49 +01:00
Stuart Morgan 1f6bd3e2be Updated to new ruby hash syntax and removed <> from title 2015-05-12 10:43:32 +01:00
OJ 237827bfdc Fix up payload cached sizes again
This time it's against the currently "installed" version of Meterpeter
binaries. When Meterpreter is landed down the track we'll need to make
sure that the payload sizes are updated again.
2015-05-12 12:44:34 +10:00
OJ 836feaa2d8 Fix uuid setting, fix reverse_https x64 payload
The payload changes in this PR will be fixed up/removed in the
update-x64-stagers PR.
2015-05-12 10:24:11 +10:00
jvazquez-r7 0fb21af247
Verify deletion at on_new_session moment 2015-05-11 18:56:18 -05:00
OJ 51e6c13bc4 Adjust transport configuration include for x64/reverse_http
Not sure how I missed this, but I did!
2015-05-12 09:54:08 +10:00
OJ 474461d2a4 Merge format and structure changes from multi transport 2015-05-12 09:46:02 +10:00
OJ 69d2b8ffb1 Various code format, style changes, file moves
As per Egypt's suggestions.
2015-05-12 09:43:41 +10:00
jvazquez-r7 a40af79ed9
Delete dummy test case 2015-05-11 17:15:13 -05:00
OJ 0dbfc1e02b
Merge the stager size work from mult-transport-support 2015-05-12 07:50:56 +10:00
OJ fe51f552b8 Make stageless, and reverse_tcp x64 non-dynamic 2015-05-12 07:37:12 +10:00
Stuart Morgan 518e28674e Removed CGI dependency (@hmoore-r7, @wchen-r7) 2015-05-11 21:10:18 +01:00
jvazquez-r7 3cba27e461
Add test case 2015-05-11 15:03:05 -05:00
David Maloney 21004046c1
begin parsing of the database
clean up and begin aprsing the database
after we have copied it

MSP-12358
2015-05-11 14:48:12 -05:00
Stuart Morgan 78e310562b Readability style change 2015-05-11 19:48:12 +01:00
Stuart Morgan 8e3d803e74 Updated style as per @void-in's comments 2015-05-11 19:46:10 +01:00
Stuart Morgan 62d67469da Updated code style as per @hmoore-r7's instructions 2015-05-11 19:34:23 +01:00
Stuart Morgan b8f7c80fd2 Rubocop 2015-05-11 18:50:03 +01:00
Stuart Morgan 8308c2a925 Added check for nonsensical options 2015-05-11 18:48:55 +01:00
Stuart Morgan 99133deabb Reran tests, sorted out strip problem 2015-05-11 18:29:44 +01:00
Stuart Morgan c25a5d3859 Fixed a bunch of rubocop errors 2015-05-11 18:14:37 +01:00
Stuart Morgan 34cf90af59 Removed unnecessary include 2015-05-11 17:31:31 +01:00
Stuart Morgan c001f014ce HTML Title Grabber 2015-05-11 17:29:22 +01:00
wchen-r7 d8cc2c19d3 Fix #5315, User configurable options for jenkins_login
Fix #5315. This patch allows the user to configure the HTTP method
for the login, as well as the URL.
2015-05-11 10:15:49 -05:00
OJ 6fdf23ad98 Update payload sizes again 2015-05-11 22:33:45 +10:00
benpturner a97f24a12d Update payload cached sizes 2015-05-11 10:00:14 +01:00
OJ d9068b7719 Fix up payload cache sizes, and powershell include 2015-05-11 17:43:51 +10:00
OJ e69e6c4a73 Implement winhttp for x64
Still has some quirks to fix up, but we're getting there. Everything
seems to work except for reverse_winhttps. I can't see why at this
point.
2015-05-11 17:27:47 +10:00
OJ 800ab11abd Payload size adjustment, typo fix
Woot, this somehow reduces the payload sizes by 2 bytes... woot.. or
something.
2015-05-11 17:24:32 +10:00
OJ 21397b46aa Add proxy user/pass to x64 reverse_http/s 2015-05-11 17:24:31 +10:00
OJ b922da8f80 Add support for x64 reverse_http
Still need to bake in support for proxies in the stagers, but wer'e
getting there.
2015-05-11 17:24:31 +10:00
OJ 15e9fb7e40 Port reverse_https (wininet) x64 to metasm
This laid the groundwork for implementation of reverse_http as well.
2015-05-11 17:24:31 +10:00
wchen-r7 30b1c508f1 javascript portion 2015-05-10 16:50:32 -05:00
benpturner c0388a770e Update cached sizes 2015-05-10 22:01:30 +01:00
benpturner c916021fc5 SSL Support for Powershell Payloads 2015-05-10 21:45:59 +01:00
Denis Kolegov efb226a55c Fixed some minor errors 2015-05-10 02:59:57 -04:00
William Vu cc87df9123
Land #5323, default creds fix for NETGEAR dirtrav 2015-05-09 14:36:00 -05:00
William Vu eeb87a3489 Polish up module 2015-05-09 14:33:41 -05:00
HD Moore fe907dfe98 Fix the disclosure date 2015-05-09 10:44:28 -05:00
Meatballs d2e1fdbbc3
Land #5324, fixes #5318
Fixes enum_domain_group_users when running as SYSTEM.
2015-05-09 10:49:05 +01:00
Meatballs 028f9dd43b
Tidy and rubocop 2015-05-09 10:48:07 +01:00
Meatballs e9dc93f345
Use cmd_exec 2015-05-09 10:44:02 +01:00
jvazquez-r7 cb51bcc776
Land #5147, @lightsey's exploit for CVE-2015-1592 MovableType deserialization 2015-05-09 01:56:38 -05:00
jvazquez-r7 89bc405c54
Do minor code cleanup 2015-05-09 01:54:05 -05:00
jvazquez-r7 a8adcda941
Redo port checks 2015-05-08 15:29:30 -05:00
jvazquez-r7 156aac1dff
Use timeout options 2015-05-08 15:23:08 -05:00
jvazquez-r7 bf9ca1f88f
Change module filename 2015-05-08 15:08:59 -05:00
jvazquez-r7 f56115552f
Do code cleanup 2015-05-08 14:56:39 -05:00
jvazquez-r7 b73241882b
Use datastore option 2015-05-08 14:48:19 -05:00
jvazquez-r7 b5f5bacb8c
Use the connect/read timeout as used by the HTTPClient mixin 2015-05-08 14:46:08 -05:00
rwhitcroft 8c3a97667a use get_env instead of client.sys.config.getenv 2015-05-08 15:25:20 -04:00
jvazquez-r7 9fdbfd7031
Use vprint_error 2015-05-08 14:21:36 -05:00
jvazquez-r7 017ae463ed
Fix description style 2015-05-08 14:18:29 -05:00
jvazquez-r7 2e01eb519d
Do minor fixes 2015-05-08 14:04:44 -05:00
jvazquez-r7 5588ad36b3
Print status message 2015-05-08 13:51:00 -05:00
jvazquez-r7 7e62ba85a1
Do code cleanup 2015-05-08 13:33:28 -05:00
jvazquez-r7 60c2c7a7cd
Delete unused variable 2015-05-08 13:19:39 -05:00
jvazquez-r7 c0f21c3ae1
Fix metadata 2015-05-08 13:19:23 -05:00
rwhitcroft b2ce2ddb05 determine the domain using env vars instead of parsing net.exe output 2015-05-08 14:17:49 -04:00
void-in a7988f9e93 Change credentials to service:service 2015-05-08 22:52:59 +05:00
wchen-r7 8e86a92210 Update 2015-05-08 00:25:34 -05:00
William Vu 508574970c
Land #5307, Brocade login scanner resurrection 2015-05-07 22:43:39 -05:00
William Vu 8d3737d13c Fix some stylistic issues 2015-05-07 22:43:23 -05:00
William Vu 71518ef613
Land #5303, metasploit-payloads Java binaries 2015-05-07 22:39:54 -05:00
William Vu 2f2169af90 Use single quotes consistently 2015-05-07 22:39:36 -05:00
wchen-r7 95f087ffd3 Some progress 2015-05-07 19:26:38 -05:00
jvazquez-r7 51bb4b5a9b
Add module for CVE-2015-0359 2015-05-07 17:00:00 -05:00
Brent Cook a066105a86 prefer reading directly with MetasploitPayloads where possible 2015-05-07 16:59:02 -05:00
William Vu 134a674ef3
Land #5312, @todb-r7's release fixes 2015-05-07 15:34:31 -05:00
William Vu c9cb9ad564 Fix extraneous comma 2015-05-07 15:32:48 -05:00
Christian Mehlmauer 1469a151ad
Land #5290, Wordpress RevSlider Module 2015-05-07 22:15:56 +02:00
OJ fd827db6dd Fix up bind stager payload sizes 2015-05-07 10:13:27 +10:00
OJ 9d7a7cb68d Merge branch 'upstream/master' into multi-transport-support
Conflicts:
	lib/msf/core/payload/linux/bind_tcp.rb
2015-05-07 07:24:22 +10:00
OJ 60e25170fa
Land #5313 : fixup bind_tcp stager 2015-05-07 07:09:19 +10:00
Tod Beardsley 4df622c76b
Oops, one last for #5312. 2015-05-06 14:48:17 -05:00
Tod Beardsley e8913e5620
Addressed most of @wvu's issues with #5312 2015-05-06 14:47:08 -05:00
Tod Beardsley f423306b6f
Various post-commit fixups
Edited modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb first landed
in #5150, @wchen-r7's DOS module for CVE-2015-1635 HTTP.sys

Edited modules/auxiliary/gather/apple_safari_ftp_url_cookie_theft.rb
first landed in #5192, @joevennix's module for Safari CVE-2015-1126

Edited modules/auxiliary/gather/java_rmi_registry.rb first landed in

Edited modules/auxiliary/gather/ssllabs_scan.rb first landed in #5016,
add SSL Labs scanner

Edited modules/auxiliary/scanner/http/goahead_traversal.rb first landed
in #5101, Add Directory Traversal for GoAhead Web Server

Edited modules/auxiliary/scanner/http/owa_iis_internal_ip.rb first
landed in #5158, OWA internal IP disclosure scanner

Edited modules/auxiliary/scanner/http/wp_mobileedition_file_read.rb
first landed in #5159, WordPress Mobile Edition Plugin File Read Vuln

Edited modules/exploits/linux/http/multi_ncc_ping_exec.rb first landed
in #4924, @m-1-k-3's DLink CVE-2015-1187 exploit

Edited modules/exploits/unix/webapp/wp_slideshowgallery_upload.rb first
landed in #5131, WordPress Slideshow Upload

Edited modules/exploits/windows/local/run_as.rb first landed in #4649,
improve post/windows/manage/run_as and as an exploit

(These results courtesy of a delightful git alias, here:

```
  cleanup-prs = !"for i in `git status | grep modules | sed
s/#.*modules/modules/`; do echo -n \"Edited $i first landed in \" && git
log --oneline --first-parent $i | tail -1 | sed 's/.*Land //' && echo
''; done"

```

So that's kind of fun.
2015-05-06 11:39:15 -05:00
William Vu b8c7161819 Fix up NameError'd payload_exe 2015-05-06 11:34:05 -05:00
William Vu 59ffe5d98f
Land #5306, payload_exe NameError fix 2015-05-06 11:29:29 -05:00
wchen-r7 4b0f54f0aa
Land #5305, CVE-2015-0336 Flash NetConnection Type Confusion 2015-05-06 11:26:22 -05:00
wchen-r7 97807e09ca
Lad #5125, Group Policy startup exploit 2015-05-06 11:17:01 -05:00
wchen-r7 5b57e4e9ca Add info about the waiting time 2015-05-06 11:15:11 -05:00
Brent Cook 0493f58834 Reenable metasm bind_tcp stager 2015-05-06 09:34:35 -05:00
Brent Cook 3c2e6bb698 rollback linux bind_tcp stager metasm port
The new metasm port of the linux bind_tcp stager doesn't yet generate valid
executables. While we're debugging the problem, this reverts the bind_tcp.rb
stager to use the static ASM again.
2015-05-06 09:26:04 -05:00
Tom Sellers 94d1905fd6 Added WPVDB reference
Added a link to the new WPVDB article 7540 that @FireFart provided.
2015-05-06 05:41:02 -05:00
Tom Sellers c293066198 Leverage check_version_from_custom_file in PR #5292
Change the 'check' code to leverage check_version_from_custom_file added to wordpress/version.rb by @FireFart in PR #5292
2015-05-06 05:41:02 -05:00
Tom Sellers 18697d8d02 Fixed the following based on feedback from @FireFart ( Thanks! )
- Adjusted references section
- Corrected call to normalize_uri
- Removed unnecessary require for rex/zip
2015-05-06 05:41:02 -05:00
Tom Sellers 8cb18f8afe Initial commit of code 2015-05-06 05:41:02 -05:00
Sam Roth 5cb8b9a20a Fix #5304 2015-05-05 22:25:06 -04:00
Brent Cook 93c785560b remove brocade_telnet scanner, extend telnet
Rather than duplicate the entire telnet scanner, add a pre-login hook that a
module can use to extend the behavior on connect. This also adds a local
pass-through print_error method like http has.
2015-05-05 21:19:46 -05:00
Mike dc053aeb58 Spelling Fix
s/Brocde/Brocade/ as per bcook-r7
2015-05-05 21:16:24 -05:00
root fc1c0028a8 moved array definition to avoid error 2015-05-05 21:16:23 -05:00
root 7949daf42b brocade_enable_login msftidy success 2015-05-05 21:16:23 -05:00
root 6b5aaa5479 brocade enable command bruteforcer 2015-05-05 21:16:23 -05:00
jvazquez-r7 582919acac
Add module for CVE-2015-0336 2015-05-05 17:25:19 -05:00
Brent Cook a0c806c213 Update java meterpreter and payload references to use metasploit-payloads 2015-05-05 15:01:00 -05:00
Darius Freamon c988447c18 title enhancement, OSVDB ref
touch up title and add OSVDB reference
2015-05-05 13:21:36 -06:00
m-1-k-3 c8123c147f upnp vs hnap 2015-05-05 20:57:05 +02:00
David Maloney 2ce0e61d98
Merge branch 'master' into feature/MSP-12358/ntds-dump-module 2015-05-05 09:47:59 -05:00
OJ 232117117b Fix missing includes
The powershell one broke thanks to include hierarchy changes. The others
failed in the specs only for some reason.
2015-05-05 14:24:21 +10:00
OJ 146f41992f Fix up payload sizes 2015-05-05 13:52:20 +10:00
OJ 852961f059 Tweaking of transport behaviour, removal of patch 2015-05-05 11:45:22 +10:00
OJ cf62d1fd7c Remove patch and old stageless stuff 2015-05-05 09:27:01 +10:00
OJ b42f4f5cd2 Merge branch 'upstream/master' into multi-transport-support
Conflicts:
	lib/msf/core/payload/windows/stageless_meterpreter.rb
	lib/msf/core/payload/windows/x64/stageless_meterpreter.rb
	lib/rex/post/meterpreter/client_core.rb
	modules/payloads/stages/linux/x86/meterpreter.rb
	modules/payloads/stages/windows/meterpreter.rb
	modules/payloads/stages/windows/x64/meterpreter.rb
2015-05-05 07:53:54 +10:00
Brent Cook 05e4af8162
Land #5214, initial meterpreter session recovery support 2015-05-04 16:25:27 -05:00
jvazquez-r7 b95be1b25f
Support information to include logon scripts 2015-05-04 15:49:19 -05:00
David Maloney 3c9c578a3d
ntdsutil method in place
ntdsutil method built out to make a copy
of ntds.dit on later version of Winbdows Server

MSP-12358
2015-05-04 15:35:36 -05:00
Darius Freamon dc42a3ee1a add OSVDB ref
add OSVDB ref
2015-05-04 14:27:44 -06:00
David Maloney e0c64038a7
start new ddomain hashdump post module
module checks for all preconditions so far
including that Domain Services are running,
that we are Admin, that we have bypassed uac
and that it is a supported version of windows.

MSP-12358
2015-05-04 15:07:27 -05:00
Brent Cook e6ea5511ca update linux and windows meterpreters to use metasploit-payloads 2015-05-04 09:44:36 -05:00
OJ c2dc4677fb Prevent stagless from overwriting socket
Stageless payloads need to have the socket FD left along (ie. 0)
otherwise each of them will think that the socket is already open.
Instead we need to make sure it's left as 0 as per the configuration and
from there the stageless code will fire up a new socket based on the
transport in question.
2015-05-04 22:36:59 +10:00
OJ e835f2b99c Rejig transport config into module
Adjust a few other things along the way, including tidying of code,
removing of dead stuff.
2015-05-04 22:04:34 +10:00
m-1-k-3 c7e05448e7 various MIPS vs MIPSBE fixes 2015-05-04 12:55:21 +02:00
OJ 93bf995b32 Reverse tcp support for POSIX
Ported the stager and wired in the new work to make the configuration
function.
2015-05-04 20:11:26 +10:00
OJ 9300158c9a Initial rework of POSIX stuff to handle new configuration 2015-05-04 18:58:55 +10:00
William Vu 67a23f2c74
Land #5296, info hash product name fix 2015-05-03 14:36:25 -05:00
John Lightsey 4bfb9262e6 Add exploit module for MovableType CVE-2015-1592
This module targets the deserialization of untrusted Storable data in
MovableType before 5.2.12 and 6.0.7. The destructive attack will
function on most installations, but will leave the webapp corrupted.
The non-destructive attack will only function on servers that have the
Object::MultiType (uncommon) and DateTime (common) Perl modules
installed in addition to MovableType.
2015-05-03 14:18:01 -05:00
Darius Freamon a5c10b7f10 Fix product name
Product name missing a letter in two locations
2015-05-03 13:11:22 -06:00
m-1-k-3 53043dcbbc make msftidy happy 2015-05-03 18:14:51 +02:00
m-1-k-3 6fbce56a52 realtek upnp command injection 2015-05-03 18:09:22 +02:00
joev db999d2c62 Remove ff 31-34 exploit from autopwn, requires interaction. 2015-05-03 10:42:21 -05:00
Balazs Bucsay 0b580acfb4 \t removed 2015-05-02 21:16:50 +02:00
Balazs Bucsay a0539cd672 new x64 bsd shellcodes (bind/reverse) ipv4/6. ipv4 shells are smaller than
the existing one.
2015-05-02 20:52:09 +02:00
jvazquez-r7 1bc6822811
Delete Airties module 2015-05-22 11:57:45 -05:00
jvazquez-r7 70d0bb1b1a
Merge Airties target inside miniupnpd_soap_bof 2015-05-22 11:57:19 -05:00