Stephen Haywood
d088005d95
TABLE_NAME option not needed.
2016-10-03 10:58:13 -04:00
Stephen Haywood
5f12c8e026
Incorrect warning message
...
The filename is not always test so the warning message and the note in the description are incorrect.
2016-10-03 10:57:25 -04:00
Stephen Haywood
25996a16bb
Fixed file read block.
2016-10-03 10:47:03 -04:00
Stephen Haywood
708eb0eb4f
Fixed syntax error.
2016-10-03 10:17:29 -04:00
Stephen Haywood
fac03570d1
Use File.open block.
2016-10-03 10:09:45 -04:00
Stephen Haywood
bc57537205
Add warning statement.
2016-10-03 10:07:40 -04:00
Stephen Haywood
a627c3cd5e
Removed unnecessary return statements.
2016-10-03 10:02:26 -04:00
Stephen Haywood
6fa8f40b31
Use unless instead of if (not ...)
2016-10-03 10:00:56 -04:00
Interference Security
3e01dbfded
Fixed Space-Tab mixed indent warning
2016-10-01 15:13:26 +05:30
Interference Security
4227cb76a8
Fixed stack trace bug & verified logic
...
- Fixed stack trace bug when value of "packet" is nill.
- Verified logic of Oracle TNS Listener poisoning which requires an ACCEPT response to be marked as vulnerable.
2016-10-01 15:01:02 +05:30
Stephen Haywood
63c0b6f569
Login failure message.
2016-09-30 17:09:41 -04:00
David Maloney
3f9540d906
fix trailing whitespace
...
this commit got dropped during landing
2016-09-30 14:30:31 -05:00
David Maloney
72bd75e681
Land #7253 , x64 xor encoder fix
...
Land fullmetalcache's fix for the x64 xor encoder
2016-09-30 14:28:10 -05:00
Stephen Haywood
7996c4b048
Warning about leaving files on disk.
2016-09-30 14:53:15 -04:00
Stephen Haywood
3e4a23cdf6
Removed unnecessary require statement.
2016-09-30 14:51:43 -04:00
Jon Hart
b3c6ec09a0
Show status when gathering, which can take a bit
2016-09-30 06:42:22 -07:00
Jon Hart
abed3bf6c2
Rename
2016-09-30 06:35:26 -07:00
Jon Hart
9ee6e1931a
target_uri simplification, cleanup
2016-09-30 06:24:50 -07:00
Jon Hart
60cfe6216a
mstfidy
2016-09-29 22:00:35 -07:00
Jon Hart
558adb5e1e
Uncork module and address style issues
2016-09-29 21:59:19 -07:00
Jon Hart
b2e06bed66
Initial commit of post module to gather AWS EC2 instance metadata
2016-09-29 21:52:22 -07:00
nixawk
ac76c3591a
reference urls
2016-09-29 22:43:00 -05:00
nixawk
5929d72266
CVE-2016-6415 - cisco_ike_benigncertain.rb
2016-09-29 22:25:57 -05:00
Brent Cook
fabb296b15
update cache and add payload test
2016-09-29 21:19:55 -05:00
h00die
7b0a8784aa
additional doc updates
2016-09-29 19:02:16 -04:00
Brent Cook
301e38b08f
use correct base class for modules
2016-09-29 17:21:59 -05:00
RageLtMan
a7470991d9
Bring Python reverse_tcp_ssl payload upstream
...
Adds TLS/SSL transport encryption for reverse tcp payloads in
python
2016-09-29 17:21:59 -05:00
h00die
bac4a25b2c
compile or nill
2016-09-29 06:15:17 -04:00
h00die
4fac5271ae
slight cleanup
2016-09-29 05:51:13 -04:00
h00die
c036c258a9
cve-2016-4557
2016-09-29 05:23:12 -04:00
h00die
3b548dc3cd
update email and paths
2016-09-28 18:37:48 -04:00
jvoisin
2272e15ca2
Remove some anti-patterns, in the same spirit than #7372
2016-09-29 00:15:01 +02:00
William Vu
988471b860
Land #7372 , useless use of cat fix
...
Obligatory: modules/exploits/linux/local/kloxo_lxsuexec.rb.
2016-09-28 16:37:11 -05:00
William Vu
3033c16da6
Add missing rank
2016-09-28 16:37:04 -05:00
jvoisin
b46073b34a
Replace `cat` with Ruby's `read_file`
...
Thanks to wvu-r7 for the comment
2016-09-28 23:22:19 +02:00
Jeffrey Martin
1689f10890
Land #7292 , add android stageless meterpreter_reverse_tcp
2016-09-28 16:05:22 -05:00
William Vu
45ee59581b
Fix inverted logic in Docker exploit
...
Positive condition should be tested first, imo. Confusing otherwise. My
bad, though.
Credit to @fslavin-r7.
2016-09-28 15:36:09 -05:00
William Vu
ab94bb9cdd
Land #7365 , nonce fix for Ninja Forms exploit
2016-09-28 13:57:08 -05:00
averagesecurityguy
f7e588cdeb
Initial commit of module.
2016-09-28 14:55:32 -04:00
Julien (jvoisin) Voisin
dbb2abeda1
Remove the `cat $FILE | grep $PATTERN` anti-pattern
...
The `kloxo_lxsuexec.rb` and `netfilter_pvi_esc.rb` exploits
were using the infamous `cat+grep` anti-pattern, this commit
replaces it with `cat` and Ruby's `.include?` method.
2016-09-28 13:41:25 +02:00
Tim
b4a1adaf0f
refactor into android.rb
2016-09-28 18:23:34 +08:00
Tim
dc43f59dcf
dalvik -> android
2016-09-28 14:50:52 +08:00
h00die
35a2b3e59d
working panda
2016-09-27 20:15:17 -04:00
wchen-r7
f838c9990f
Fix nonce bug in wp_ninja_forms_unauthenticated_file_upload
...
If wordpress saves the nonce value in JavaScript, we could get an
undefined method for nil.
2016-09-27 11:30:52 -05:00
OJ
76b3c37262
Fix msftidy errors
2016-09-27 22:56:07 +10:00
OJ
0e82ced082
Add LPE exploit module for the capcom driver flaw
...
This commit includes:
* RDI binary that abuses the SMEP bypass and userland function pointer
invocation that is provided by the driver.
* Related metasploit module.
* Associated make.build to build from command line.
* Updated command line build file.
This also includes the beginnings of a new set of functions that help
with the management/automation of kernel-related work on Windows for
local priv esc exploits.
2016-09-27 22:37:45 +10:00
Pearce Barry
edbe1c3e14
Land #7361 , Make OSX screencapture silent
2016-09-26 17:24:03 -05:00
Brendan
b9de73e803
Land #7334 , Add aux module to exploit WINDOWS based (java) Colorado
...
FTP server directory traversal
2016-09-26 14:15:23 -05:00
Pearce Barry
6382fffc75
Land #7326 , Linux Kernel Netfilter Privesc
2016-09-26 12:38:50 -05:00
Tim
53823a4807
oops msftidy
2016-09-26 23:50:38 +08:00
Henry Pitcairn
e5c05c05d2
Make OSX screencapture silent
...
By default, the `screencapture` command on OS X plays a camera sound effect. The -x option silences this.
2016-09-25 22:54:57 -04:00
Adam Cammack
a13e83af8a
Land #7357 , Stagefright CVE-2015-3864
2016-09-25 17:10:06 -05:00
h00die
23e5556a4c
binary drops work!
2016-09-24 21:31:00 -04:00
Brent Cook
e0ff8859e9
Land #7359 , add EXTRABACON auxiliary module auxiliary/admin/cisco/cisco_asa_extrabacon
2016-09-24 10:46:13 -04:00
Brent Cook
df28e2a85e
Add credit to wwebb-r7 for the initial module and ASA hacking notes
2016-09-24 05:48:31 -04:00
TheNaterz
cd4299b3a2
Added offsets for version 9.2(4)14
...
This version of the ASA is patched and our offsets do not work currently. We may do more work on this to find a solution.
2016-09-23 16:57:08 -06:00
TheNaterz
087e9461ce
Added offsets for version 9.2(4)13
2016-09-23 16:50:50 -06:00
TheNaterz
3f985d94d7
Added offsets for version 8.4(6)5
2016-09-23 16:32:42 -06:00
TheNaterz
352946d8f5
Added offsets for version 8.4(4)9
2016-09-23 16:19:36 -06:00
TheNaterz
368fd1a77f
Added offsets for version 8.4(4)5
2016-09-23 16:07:42 -06:00
TheNaterz
19fe09318a
Added offsets for version 8.4(4)3
2016-09-23 15:56:02 -06:00
TheNaterz
8840af0e90
Added offsets for version 8.4(4)1
2016-09-23 15:44:39 -06:00
TheNaterz
19caff2293
Added offsets for 8.3(2)40
2016-09-23 15:26:02 -06:00
TheNaterz
ba4505bcce
Added offsets for version 8.3(2)39
2016-09-23 15:05:39 -06:00
TheNaterz
64df7b0524
Added offsets for verion 8.3(2)-npe
...
We currently can't distinguish between 8.3(2) and 8.3(2)-npe versions from the SNMP strings. We've commented out the 8.3(2)-npe offsets, but in the future, we'd like to incorporate this version.
2016-09-23 14:49:57 -06:00
TheNaterz
926e5fab9e
Added offsets for version 8.2(5)41
2016-09-23 14:00:23 -06:00
TheNaterz
b4d3e8ea3e
Added offsets for version 9.2(1)
2016-09-23 13:52:13 -06:00
TheNaterz
d36e16fc32
Added offsets for version 8.2(5)33
2016-09-23 13:15:39 -06:00
TheNaterz
f19ed4376b
Adding new version offsets
2016-09-23 12:57:36 -06:00
Joshua J. Drake
dbf66f27d5
Add a browser-based exploit module for CVE-2015-3864
2016-09-23 11:14:31 -05:00
Tijl Deneut
2fab62b14d
Update profinet_siemens.rb
...
Removed unnecessary rescue, gave "timeout" variable a better name.
2016-09-23 18:05:45 +02:00
George Papakyriakopoulos
639dee993a
Fixed interactive password prompt issue
...
Fixed an issue where the exploit would drop to interactive password prompt by default on newer ruby version which rendered the exploit unusable. It now properly forces pubkey authentication instead and proceeds with the bypass as expected.
2016-09-23 17:03:40 +01:00
TheNaterz
98cf5d8eb5
Changed 'build_offsets' to 'build_payload'
2016-09-23 09:32:17 -06:00
zerosum0x0
1868371ba7
fix merge conflicts
2016-09-23 14:49:36 +00:00
zerosum0x0
2591d0b7c6
numerous fixes as per @busterb
2016-09-23 14:46:40 +00:00
Pearce Barry
5de1d34869
Land #7341 , add module metasploit_static_secret_key_base
2016-09-23 09:20:48 -05:00
h00die
cba297644e
post to local conversion
2016-09-22 22:08:24 -04:00
TheNaterz
dda6b67928
Added basic error handling for unsupported ASA versions
2016-09-22 18:24:25 -06:00
TheNaterz
cf070853e9
Moved required datastore option into constructor
2016-09-22 18:08:35 -06:00
h00die
7646771dec
refactored for live compile or drop binary
2016-09-22 20:07:07 -04:00
TheNaterz
df25f07b34
Replaced '+=' with '<<'
2016-09-22 17:53:28 -06:00
TheNaterz
f525c24a9f
Added offsets for 8.4(7)
2016-09-22 17:16:37 -06:00
zerosum0x0
28a09c2d13
stupid comment
2016-09-22 22:57:42 +00:00
TheNaterz
7762f42dfa
Added offsets for 8.3(1)
2016-09-22 16:17:37 -06:00
TheNaterz
064aed858b
Added RiskSense contributor repo to references
2016-09-22 16:10:30 -06:00
TheNaterz
961524d648
Adding offsets for 9.1(1)4
2016-09-22 16:04:44 -06:00
TheNaterz
4e9459d876
Added offsets for 9.0(1)
2016-09-22 15:35:59 -06:00
TheNaterz
5ca6563c8f
Fixed problem with 9.2(2)8 offsets
2016-09-22 15:24:49 -06:00
TheNaterz
b77adc97f0
Removing redundant version check
2016-09-22 15:05:42 -06:00
TheNaterz
c22a2a19e8
Added offsets for 9.2(2)8
2016-09-22 14:59:49 -06:00
TheNaterz
e8d1f6d5a0
Added offsets for 8.2(3)
2016-09-22 14:38:52 -06:00
Jenna Magius
a0ba8b7401
Fix whitespace per msftidy
2016-09-22 14:25:04 -06:00
TheNaterz
022189c075
Added offsets for 8.4(3)
2016-09-22 14:12:33 -06:00
zerosum0x0
4288c3fb46
added always_return_true variable
2016-09-22 19:44:55 +00:00
TheNaterz
c18045128a
Replaced global vars, made 'patched_code' value static
2016-09-22 13:42:23 -06:00
zerosum0x0
3c7fc49788
Added module auxiliary/admin/cisco/cisco_asa_extrabacon
...
This module patches the authentication functions of a Cisco ASA
to allow uncredentialed logins. Uses improved shellcode for payload.
2016-09-22 18:06:03 +00:00
wchen-r7
bc425b0378
Update samsung_security_manager_put
...
This patch improves the following
* Stage 1 XSS/JS attack to use the body.onload callback
* Better timing for FF
2016-09-22 12:02:49 -05:00
Tim
34e02fe097
stageless http
2016-09-22 16:26:26 +01:00
Tim
1b911e7117
placate msftidy
2016-09-22 16:26:26 +01:00
Tim
32c2311b86
android meterpreter_reverse_tcp
2016-09-22 16:26:26 +01:00
Brent Cook
9f3c8c7eee
Land #7268 , add metasploit_webui_console_command_execution post-auth exploit
2016-09-22 00:50:58 -05:00
Brent Cook
88cef32ea4
Land #7339 , SSH module fixes from net:ssh updates
2016-09-22 00:27:32 -05:00
Brendan
04f8f7a0ea
Land #7266 , Add Kaltura Remote PHP Code Execution
2016-09-21 17:14:49 -05:00
Justin Steven
dcfbb9ee6a
Tidy info
...
Replace errant \t with \x20
2016-09-21 20:14:11 +10:00
Justin Steven
1e24568406
Tweak verbosity re: found secrets
2016-09-21 20:14:08 +10:00
Justin Steven
30d07ce0c7
Tidy metasploit_static_secret_key_base module
...
* Inline magic values
* Optimise out dead Rails3-specific code
2016-09-21 20:13:58 +10:00
Kyle Gray
9d01f24cff
Land #7388 , relocate Rex::Platform:Windows content
...
This PR consolidates the few lines of consts/code in lib/rex/platforms/windows.rb into MSF core.
Completes #MS-1714
2016-09-20 16:39:07 -05:00
Louis Sato
8b1d29feef
Land #7304 , fix rails_secret_deserialization popchain
2016-09-20 16:05:03 -05:00
Mehmet Ince
2d3c167b78
Grammar changes again.
2016-09-20 23:51:12 +03:00
Mehmet Ince
0f16393220
Yet another grammar changes
2016-09-20 19:48:40 +03:00
Mehmet Ince
fb00d1c556
Another minor grammer changes
2016-09-20 19:23:28 +03:00
Brendan
251421e4a7
Minor grammar changes
2016-09-20 10:37:39 -05:00
Mehmet Ince
385428684f
Move module and docs under the exploit/linux/http folder
2016-09-20 12:45:23 +03:00
Brent Cook
a9a1146155
fix more ssh option hashes
2016-09-20 01:30:35 -05:00
Mehmet Ince
c689a8fb61
Removing empty lines before module start
2016-09-20 01:42:18 +03:00
Mehmet Ince
29a14f0147
Change References to EDB number and remove 4 space
2016-09-20 01:31:56 +03:00
Justin Steven
a1ca27d491
add module metasploit_static_secret_key_base
2016-09-20 07:04:00 +10:00
David Maloney
e315ec4e73
Merge branch 'master' into bug/7321/fix-ssh-modules
2016-09-19 15:27:37 -05:00
David Maloney
06ff7303a6
make pubkey verifier work with old module
...
make the new pubkey verifier class and
the old identify_pubkeys aux module work
together
7321
2016-09-19 15:20:35 -05:00
Pearce Barry
3f5ed75198
Relocate Rex::Platform:Windows content (fixes MS-1714)
2016-09-19 14:34:44 -05:00
h00die
3bc566a50c
fix email
2016-09-18 20:09:38 -04:00
h00die
9c922d111f
colorado ftp
2016-09-18 20:03:16 -04:00
h00die
edd1704080
reexploit and other docs and edits added
2016-09-18 09:01:41 -04:00
h00die
4f85a1171f
reexploit and other docs and edits added
2016-09-18 08:51:27 -04:00
Mehmet Ince
53d4162e7d
Send payload with POST rather than custom header.
2016-09-17 23:11:16 +03:00
Thao Doan
d2100bfc4e
Land #7301 , Support URIHOST for exim4_dovecot_exec for NAT
2016-09-16 12:49:57 -07:00
Thao Doan
7c396dbf59
Use URIHOST
2016-09-16 12:48:54 -07:00
William Vu
4d0643f4d1
Add missing DefaultTarget to Docker exploit
2016-09-16 13:09:00 -05:00
William Vu
da516cb939
Land #7027 , Docker privesc exploit
2016-09-16 12:44:21 -05:00
William Vu
4ba1ed2e00
Fix formatting in fortinet_backdoor
...
Also add :config and :use_agent options.
2016-09-16 12:32:30 -05:00
William Vu
e3060194c6
Fix formatting in ubiquiti_airos_file_upload
...
Also add :config and :use_agent options.
2016-09-16 12:27:09 -05:00
David Maloney
26491eed1a
pass the public key in as a file instead of data
...
when using key_data it seems to assume it is a private
key now. the initial key parsing error can be bypassed
by doing this
7321
2016-09-16 11:48:51 -05:00
Jan Mitchell
c102384b7a
Remove spaces at EOL
2016-09-16 11:28:08 +01:00
Jan Mitchell
7393d91bfa
Merge branch 'master' of https://github.com/rapid7/metasploit-framework into upstream-master
2016-09-16 10:46:44 +01:00
h00die
4be4bcf7eb
forgot updates
2016-09-16 02:08:09 -04:00
h00die
2e42e0f091
first commit
2016-09-16 01:54:49 -04:00
Brent Cook
90f0eec390
Land #7325 , Fix missing form inputs in skybluecanvas_exec
2016-09-15 19:55:32 -05:00
William Vu
a7103f2155
Fix missing form inputs
...
Also improve check string.
2016-09-15 19:19:24 -05:00
Brent Cook
60e728ec5c
Land #7065 , Correct display errors for SHA-512 hashes with MS SQL Server 2012
2016-09-15 18:06:02 -05:00
Brent Cook
8b050fcc9b
simplify cleanup code, remove duplicate logic
2016-09-15 18:05:34 -05:00
Brent Cook
6e221ca575
Land #7221 , Updated JCL cmd payloads to use PR7007 format
2016-09-15 16:38:31 -05:00
David Maloney
dfcd5742c1
some more minor fixes
...
some more minor fixes around broken
ssh modules
7321
2016-09-15 14:25:17 -05:00
David Maloney
e10c133eef
fix the exagrid exploit module
...
split the exagrid exploit module up and
refactor to be able to easily tell if the
key or the password was used
7321
2016-09-15 11:44:19 -05:00
Justin Steven
116c754328
tidy Platform
2016-09-15 10:35:42 +10:00
Justin Steven
8a0c8b54fc
merge branch 'master' into PR branch
...
make Travis happy
2016-09-15 10:31:24 +10:00
Justin Steven
ff1c839b7d
appease msftidy
...
trailing whitespace
2016-09-15 08:18:43 +10:00
William Webb
01327f0265
Land #7245 , NetBSD mail.local privilege escalation module
2016-09-14 16:07:12 -05:00
William Vu
c6214d9c5e
Fix and clean module
2016-09-14 14:36:29 -05:00
James Lee
27be29edb4
Fix typo
2016-09-14 13:21:37 -05:00
James Barnett
6509b34da1
Land #7255 , Fix issue causing Glassfish to fail uploading to Windows targets.
2016-09-14 12:57:41 -05:00
William Vu
8533e6c5fd
Land #7252 , ARCH_CMD to ARCH_PHP for phoenix_exec
2016-09-14 10:38:37 -05:00
William Vu
cac890a797
Land #7308 , disclosure date additions
2016-09-13 23:16:30 -05:00
William Vu
e4e6f5daac
Fix indentation
2016-09-13 23:15:37 -05:00
William Vu
a5502264d4
Land #7305 , missing env var fix for Steam module
2016-09-13 23:11:40 -05:00
h00die
d73531c0d3
added disclosure dates
2016-09-13 20:37:04 -04:00
Brent Cook
7352029497
first round of SSL damage fixes
2016-09-13 17:42:31 -05:00
wchen-r7
245237d650
Land #7288 , Add LoginScannerfor Octopus Deploy server
2016-09-13 17:26:56 -05:00
wchen-r7
10efafe44e
Land #7306 , Update links and add CVE to WebNMS modules
2016-09-13 15:52:27 -05:00
wchen-r7
ed5bbb9885
Land #7284 , Add SugarCRM REST PHP Object Injection exploit
2016-09-13 15:46:46 -05:00
wchen-r7
a0095ad809
Check res properly and update Ruby syntax
...
If res is nil, it should not be doing res.code
2016-09-13 15:45:57 -05:00
Pedro Ribeiro
8d4ee3fac6
Forgot the bracket!
2016-09-13 19:01:22 +01:00
Pedro Ribeiro
4d49f7140c
update links and CVE on webnms_file_download
2016-09-13 18:50:53 +01:00
Pedro Ribeiro
41bdae4b84
update links and CVE on webnms_file_upload
2016-09-13 18:50:25 +01:00
Pedro Ribeiro
8b90df8b67
update links and CVE on webnms_cred_disclosure
2016-09-13 18:49:58 +01:00
wchen-r7
89705cc803
Avoid potential undef method error '+' for nil
2016-09-13 11:13:02 -05:00
wchen-r7
50447fc4cf
Fix post/windows/gather/credentials/steam for an empty env var
2016-09-13 11:04:42 -05:00
Justin Steven
17bad7bd4f
fix popchain
...
ERB changed as per <https://github.com/ruby/ruby/commit/e82f4195d4 >
which broke the popchain used for code execution.
2016-09-13 21:25:14 +10:00
nixawk
1ce9aedb97
parenthesis for condition expression
2016-09-13 03:37:47 -05:00
nixawk
fd16c1c3b7
Fix issue-7295
2016-09-13 01:32:20 -05:00
aushack
11342356f8
Support LHOST for metasploit behind NAT
2016-09-13 11:23:49 +10:00
Tijl Deneut
8df8f7dda0
Initial commit of profinet_siemens.rb
2016-09-11 09:15:41 +02:00
scriptjunkie
a0e05d4c4c
Land #7287 , mdaemon cred dumper
2016-09-10 08:43:07 -05:00
Brent Cook
a81f351cb3
Land #7274 , Remove deprecated modules
2016-09-09 12:01:59 -05:00
Brent Cook
1d4b0de560
Land #6616 , Added an Outlook EWS NTLM login module.
2016-09-09 11:43:52 -05:00
Justin Steven
6bafad44f2
drop 'require uri', tweak option text
2016-09-09 20:31:23 +10:00
Justin Steven
0b012c2496
Combine Unix and Windows modules
2016-09-09 20:28:13 +10:00
Agora Security
00f09d19b1
SMTP Typo
...
Correct SMTP Type (before SMPT)
2016-09-09 01:36:37 -05:00
William Vu
92dba8ff9d
Land #7290 , env var check for WinSCP module
2016-09-07 21:08:12 -05:00
Brendan
a30711ddcd
Land #7279 , Use the rubyntlm gem (again)
2016-09-07 16:33:35 -05:00
wchen-r7
a9c3c5d391
Fix typos
2016-09-07 15:40:10 -05:00
wchen-r7
831c7a08a8
Check environment variables before using for winscp module
2016-09-07 15:24:22 -05:00
William Vu
7d44bd5ba4
Clean up module
2016-09-06 23:30:58 -05:00
aushack
015b790295
Added default rport.
2016-09-07 14:24:07 +10:00
aushack
7632c74aba
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2016-09-07 14:15:57 +10:00
aushack
6e21684ff7
Fix typo.
2016-09-07 14:08:46 +10:00
james-otten
dcf0d74428
Adding module to scan for Octopus Deploy server
...
This module tries to log into one or more Octopus Deploy servers.
More information about Octopus Deploy:
https://octopus.com
2016-09-06 20:52:49 -05:00
catatonic
c06ee991ed
Adding WiFi pineapple command injection via authenticaiton bypass.
2016-09-06 17:22:25 -07:00
catatonic
8d40dddc17
Adding WiFi pineapple preconfig command injection module.
2016-09-06 17:18:36 -07:00
EgiX
df5fdbff41
Add module for KIS-2016-07: SugarCRM REST PHP Object Injection
...
This PR contains a module to exploit KIS-2016-07, a PHP Object Injection vulnerability in SugarCRM CE before version 6.5.24 that allows unauthenticated users to execute arbitrary PHP code with the permissions of the webserver. Successful exploitation of this vulnerability should require SugarCRM to be running on PHP before version 5.6.25 or 7.0.10, which fix CVE-2016-7124.
2016-09-07 01:58:41 +02:00
Quentin Kaiser
e4d118108a
Trend Micro SafeSync exploit.
2016-09-06 19:33:23 +00:00
William Vu
fed2ed444f
Remove deprecated modules
...
psexec_psh is undeprecated because users have been reporting
idiosyncrasies between it and psexec in the field.
2016-09-03 12:43:01 -05:00
Justin Steven
ea220091ea
add metasploit_webui_console_command_execution
...
These modules target the Metasploit Community/Express/Pro Web UI on
Unix and Windows via the diagnostic console feature
2016-09-03 09:12:09 +10:00
Mehmet Ince
ba6c2117cf
Fix msftidy issues
2016-09-02 18:18:43 +03:00
Mehmet Ince
144fb22c32
Add Kaltura PHP Remote Code Execution module
2016-09-02 18:09:53 +03:00
Brendan
81bc6bd672
Land #7228 , Create zabbix_toggleids_sqli auxiliary module
2016-09-01 16:33:17 -05:00
Jan Mitchell
411689aa44
Adding changes to Samba exploit to target MIPSBE (this is for OpenWRT on a router
2016-09-01 10:05:13 +01:00
Jan Mitchell
4d3611ceb9
Added MIPSBE support to Samba exploit. Added a MIPSBE nop generator
2016-09-01 09:55:08 +01:00
Jon Hart
b0e45341e5
Update redis file_upload to optionally FLUSHALL before writing
...
This increases the chances that the uploaded file will be usable as-is
rather than being surround by the data in redis itself.
2016-08-31 14:27:18 -07:00
Brandon Perry
874fec4e31
Update zabbix_toggleids_sqli.rb
2016-08-31 17:23:16 -04:00
Brandon Perry
d43380330e
Update zabbix_toggleids_sqli.rb
2016-08-31 17:18:28 -04:00
bigendian smalls
05278c868e
Updated JCL cmd payloads to use PR7007 format
...
PR7007 centralized JCL job card for any JCL cmd payload. This PR simply
uses that new format for existing JCL cmd payloads. No functionality
for these payloads was changed, added or deleted.
2016-08-31 14:39:01 -05:00
AgoraSecurity
d65ca818ea
Add validation of session type
2016-08-31 11:29:04 -05:00
AgoraSecurity
ce7d4cf7f7
Removed "shell" from SessionTypes
...
Remove the need to check for the session type manually. It will be automatically validated at the time of module run.
2016-08-31 00:12:31 -05:00
AgoraSecurity
401044ee43
Fix error when saving creds
2016-08-30 16:49:31 -05:00
wchen-r7
445a43bd97
Trim the fat
2016-08-30 15:56:51 -05:00
wchen-r7
1b505b9b67
Fix #7247 , Fix GlassFish on Windows targets
...
Fix #7247
2016-08-30 15:46:08 -05:00
William Vu
e403df57e0
Land #7251 , CPORT fix for smb_login
2016-08-30 00:52:22 -05:00
fullmetalcache
fd1efaea9f
Attempts to address issue #6963 x64/xor encoder not working
2016-08-29 19:59:39 -06:00
William Vu
ea7721608b
Land #7248 , CredEnumerateA fix for enum_cred_store
2016-08-29 15:12:23 -05:00
William Vu
7a412031e5
Convert phoenix_exec to ARCH_PHP
2016-08-29 14:14:22 -05:00
William Vu
43a9b2fa26
Fix missing return
...
My bad.
2016-08-29 14:13:18 -05:00
William Vu
d50a6408ea
Fix missed Twitter handle
2016-08-29 13:46:26 -05:00
William Vu
f8fa090ec0
Fix one more missed comma
2016-08-29 13:40:55 -05:00
William Vu
53516d3323
Fix #7220 , phoenix_exec module cleanup
2016-08-29 13:28:15 -05:00
Brendan
b21ea2ba3f
Added code to assign CPORT value to the parent scanner object
2016-08-29 13:17:10 -05:00
Brendan
bc6a529388
Added some error checking to CredEnuerateA() railgun call
2016-08-26 16:21:54 -05:00
h00die
748c959cba
forgot to save before PR
2016-08-25 21:45:17 -04:00
h00die
5dff01625d
working code
2016-08-25 21:32:25 -04:00
Pearce Barry
226ded8d7e
Land #6921 , Support basic and form auth at the same time
2016-08-25 16:31:26 -05:00
wchen-r7
52b81f32b1
Land #7238 , Add DETECT_ANY_AUTH to smb_login
2016-08-25 11:52:14 -05:00
Louis Sato
4a6b2ef8de
fixing typo for reference for golden ticket
2016-08-24 10:55:36 -05:00
Brendan
83160b7e49
Land #7173 , Add post module to compress (zip) a file or directory
2016-08-24 09:38:04 -05:00
William Vu
cd858a149f
Add DETECT_ANY_AUTH to make bogus login optional
2016-08-23 23:05:47 -05:00
wchen-r7
89c3b6f399
Remove the -d flag for Linux machines
2016-08-23 18:43:50 -05:00
Pearce Barry
03e14ec86f
Land #7232 , Net::SSH Regression Fixes
...
Fixes #7160
Fixes #7175
Fixes #7229
2016-08-23 14:53:42 -05:00
Brandon Perry
38a8d21e5b
Update zabbix_toggleids_sqli.rb
2016-08-22 18:57:25 -05:00
Brandon Perry
6b9635d7a5
Rename zabbix_toggleids_sqli to zabbix_toggleids_sqli.rb
2016-08-22 18:52:16 -05:00
David Maloney
20947cd6cd
remove old dependency on net-ssh moneykpatch
...
the ssh_login_pubkey scanner relied on functionality that
was monkeypatched into our vendored copy. this was an uneeded solution
in the first palce, and we now use a more sane method of accomplishing
the same thing
2016-08-22 10:54:09 -05:00
h00die
f2e2cb6a5e
cant transfer file
2016-08-21 19:42:29 -04:00
h00die
6306fa5aa5
Per discussion in #7195 , trying a different route. Currently this compiles, then passes the binary. However, there isn't a reliable binary transfer method at this point, so the rewrite from this point will be to transfer the ascii file, then compile on system (gcc is installed by default I believe)
2016-08-21 19:16:04 -04:00
Brandon Perry
2abf71a3ac
Create zabbix_toggleids_sqli
2016-08-21 12:43:20 -05:00
Jay Turla
ee89b20ab7
remove 'BadChars'
2016-08-19 23:49:11 +08:00
Jay Turla
e3d1f8e97b
Updated the description
2016-08-19 22:22:56 +08:00
Jay Turla
5a4f0cf72f
run msftidy
2016-08-19 21:56:02 +08:00
Jay Turla
c66ea5ff8f
Correcting the date based on the EDB
2016-08-19 21:47:57 +08:00
Jay Turla
d4c82868de
Add Phoenix Exploit Kit Remote Code Execution
...
This module exploits a Remote Code Execution in the web panel of Phoenix Exploit Kit Remote Code Execution via the geoip.php. The Phoenix Exploit Kit is a popular commercial crimeware tool that probes the browser of the visitor for the presence of outdated and insecure versions of browser plugins like Java, and Adobe Flash and Reader which then silently installs malware.
```
msf exploit(phoenix_exec) > show options
Module options (exploit/multi/http/phoenix_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOST 192.168.52.128 yes The target address
RPORT 80 yes The target port
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI /Phoenix/includes/geoip.php yes The path of geoip.php which is vulnerable to RCE
VHOST no HTTP server virtual host
Payload options (cmd/unix/reverse):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.52.129 yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Phoenix Exploit Kit / Unix
msf exploit(phoenix_exec) > check
[+] 192.168.52.128:80 The target is vulnerable.
msf exploit(phoenix_exec) > exploit
[*] Started reverse TCP double handler on 192.168.52.129:4444
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo RZpbBEP77nS8Dvm4;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "RZpbBEP77nS8Dvm4\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 5 opened (192.168.52.129:4444 -> 192.168.52.128:51748) at 2016-08-19 09:29:22 -0400
uname -a
Linux ubuntu 4.4.0-28-generic #47-Ubuntu SMP Fri Jun 24 10:08:35 UTC 2016 i686 i686 i686 GNU/Linux
```
2016-08-19 21:29:55 +08:00
wchen-r7
b081dbf703
Make destination required
2016-08-18 15:56:16 -05:00
William Webb
3eb3c5afa2
Land #7215 , Fix drupal_coder_exec bugs #7215
2016-08-18 13:43:23 -05:00
William Vu
bc9a402d9e
Land #7214 , print_brute ip:rport fix
2016-08-17 22:48:40 -05:00
William Vu
2b6576b038
Land #7012 , Linux service persistence module
2016-08-17 22:45:35 -05:00
William Vu
c64d91457f
Land #7003 , cron/crontab persistence module
2016-08-17 22:45:16 -05:00
William Vu
2fa4c7073b
Land #6995 , SSH key persistence module
2016-08-17 22:44:57 -05:00
wchen-r7
60937ec5e9
If user is SYSTEM, then steal a token before decompression
2016-08-17 16:56:09 -05:00
William Vu
4228868c29
Clean up after yourself
...
Can't use FileDropper. :(
2016-08-16 23:09:14 -05:00
William Vu
1f63f8f45b
Don't override payload
...
pl is a cheap replacement.
2016-08-16 23:08:53 -05:00
William Vu
b3402a45f7
Add generic payloads
...
Useful for testing and custom stuff.
2016-08-16 23:08:09 -05:00
wchen-r7
5f8ef6682a
Fix #7202 , Make print_brute print ip:rport if available
...
Fix #7202
2016-08-16 15:34:30 -05:00
Brent Cook
870669bdf7
handle exception in getsystem module
2016-08-15 23:51:05 -05:00
William Vu
2fed51bb18
Land #7115 , Drupal CODER exploit
2016-08-15 01:15:23 -05:00
William Vu
62d28f10cb
Clean up Mehmet modules
2016-08-15 01:12:58 -05:00
Brent Cook
d34579f1f0
Land #7203 , Fix struts_default_action_mapper payload request delay
2016-08-12 23:00:44 -05:00
Brent Cook
1733d3e1f1
remove obsolete tested-on comment
2016-08-12 17:26:43 -05:00
Pearce Barry
1e7663c704
Land #7200 , Rex::Ui::Text cleanup
2016-08-12 16:22:55 -05:00
Mehmet Ince
b4846e5793
Enabling cmd_bash payload type with bash-tcp cmd
2016-08-13 00:14:25 +03:00
Mehmet Ince
d38e9f8ceb
Using # instead of ;. Semicolon is causing msg in error.log.
2016-08-12 23:35:29 +03:00
wchen-r7
f4e4a5dcf3
Fix struts_default_action_mapper payload request delay
...
MS-1609
2016-08-12 15:29:00 -05:00
Mehmet Ince
ba79579202
Extending Space limitation up to 250
2016-08-12 22:32:49 +03:00
Brendan
1a7286f625
Land #7062 , Create exploit for WebNMS 5.2 RCE
2016-08-12 07:11:48 -07:00
wchen-r7
c2c05a820a
Force uripath and srvport options
2016-08-10 18:25:45 -05:00
wchen-r7
e56e801c12
Update ie_sandbox_findfiles.rb
2016-08-10 18:09:58 -05:00
David Maloney
eb73a6914d
replace old rex::ui::text::table refs
...
everywhere we called the class we have now rewritten it
to use the new namespace
MS-1875
2016-08-10 13:30:09 -05:00
Yorick Koster
87b27951cf
Fixed some build errors
2016-08-09 20:46:49 +02:00
Yorick Koster
0fcced2091
Revert "Internet Explorer iframe sandbox local file name disclosure vulnerability"
...
This reverts commit 3ed7908b83
.
2016-08-09 20:44:45 +02:00
Yorick Koster
79a84fb320
Internet Explorer iframe sandbox local file name disclosure vulnerability
...
It was found that Internet Explorer allows the disclosure of local file
names. This issue exists due to the fact that Internet Explorer behaves
different for file:// URLs pointing to existing and non-existent files.
When used in combination with HTML5 sandbox iframes it is possible to
use this behavior to find out if a local file exists. This technique
only works on Internet Explorer 10 & 11 since these support the HTML5
sandbox. Also it is not possible to do this from a regular website as
file:// URLs are blocked all together. The attack must be performed
locally (works with Internet zone Mark of the Web) or from a share.
2016-08-09 20:35:42 +02:00
Yorick Koster
3ed7908b83
Internet Explorer iframe sandbox local file name disclosure vulnerability
...
It was found that Internet Explorer allows the disclosure of local file
names. This issue exists due to the fact that Internet Explorer behaves
different for file:// URLs pointing to existing and non-existent files.
When used in combination with HTML5 sandbox iframes it is possible to
use this behavior to find out if a local file exists. This technique
only works on Internet Explorer 10 & 11 since these support the HTML5
sandbox. Also it is not possible to do this from a regular website as
file:// URLs are blocked all together. The attack must be performed
locally (works with Internet zone Mark of the Web) or from a share.
2016-08-09 20:23:35 +02:00
Yorick Koster
b7049939d9
Fixed more build errors
2016-08-09 12:55:18 +02:00
Yorick Koster
22054ce85c
Fixed build errors
2016-08-09 12:47:08 +02:00
Yorick Koster
b935e3df2e
Office OLE Multiple DLL Side Loading Vulnerabilities
...
Multiple DLL side loading vulnerabilities were found in various COM
components.
These issues can be exploited by loading various these components as an
embedded
OLE object. When instantiating a vulnerable object Windows will try to
load one
or more DLLs from the current working directory. If an attacker
convinces the
victim to open a specially crafted (Office) document from a directory
also
containing the attacker's DLL file, it is possible to execute arbitrary
code with
the privileges of the target user. This can potentially result in the
attacker
taking complete control of the affected system.
2016-08-09 12:29:08 +02:00
wchen-r7
de16a6d536
Land #7182 , Nuuo / Netgear Surveillance admin password reset module
2016-08-08 16:10:30 -05:00
wchen-r7
c64e1b8fe6
Land #7181 , NUUO NVRmini 2 / Crystal / NETGEAR ReadyNAS Surveillance
2016-08-08 16:04:33 -05:00
wchen-r7
cb04ff48bc
Land #7180 , Add exploit for CVE 2016-5674 / Nuuo / Netgear unauth RCE
2016-08-08 15:55:39 -05:00
wchen-r7
8654baf3dd
Land #6880 , add a module for netcore/netdis udp 53413 backdoor
2016-08-08 15:43:34 -05:00
wchen-r7
f98efb1345
Fix typos
2016-08-08 15:41:03 -05:00
Quentin Kaiser
1320647f31
Exploit for Trend Micro Smart Protection Server (CVE-2016-6267).
2016-08-08 18:47:46 +00:00
Pedro Ribeiro
7ca7682d17
Fix whitespace error from msftidy
2016-08-08 17:57:03 +01:00
wchen-r7
3d1289dac3
Land #7185 , Add VMware Host Guest Client Redirector DLL Hijack Exploit
2016-08-08 11:41:40 -05:00
wchen-r7
51c457dfb3
Update vmhgfs_webdav_dll_sideload
2016-08-08 11:40:03 -05:00
Pearce Barry
ae59c4ae74
Land #6687 , Fix meterpreter platform to include OS in the tuple for all meterpreters
2016-08-07 05:00:24 -05:00
Pedro Ribeiro
3b64b891a6
Update nuuo_nvrmini_unauth_rce.rb
2016-08-05 21:53:25 +01:00
Pedro Ribeiro
746ba4d76c
Add bugtraq reference
2016-08-05 21:53:08 +01:00
Pedro Ribeiro
106f26587e
Add bugtraq reference
2016-08-05 21:52:46 +01:00
Steven Seeley
230903562f
Add Samsung Security Manager 1.5 ActiveMQ Broker exploit
2016-08-05 15:19:22 -05:00
Yorick Koster
dae1679245
Fixed build warnings
2016-08-05 20:40:41 +02:00
Yorick Koster
02e065dae6
Fixed disclosure date format
2016-08-05 20:32:58 +02:00
Yorick Koster
97d11a7041
Exploit module for CVE-2016-5330 VMware Host Guest Client Redirector DLL hijack
2016-08-05 20:19:40 +02:00
Pedro Ribeiro
07e210c143
Add changes requested to target.uri
2016-08-04 17:50:16 +01:00
Pedro Ribeiro
036d0502db
Add github link
2016-08-04 17:38:45 +01:00
Pedro Ribeiro
2aca610095
Add github link
2016-08-04 17:38:31 +01:00
Pedro Ribeiro
7d8dc9bc82
Update nuuo_nvrmini_unauth_rce.rb
2016-08-04 17:38:14 +01:00
Pedro Ribeiro
ec67db03f1
add exploit for CVE 2016-5676
2016-08-04 16:56:16 +01:00
Pedro Ribeiro
b48518099c
add exploit for CVE 2016-5674
2016-08-04 16:55:21 +01:00
Pedro Ribeiro
0deac80d61
add exploit for CVE 2016-5675
2016-08-04 16:54:38 +01:00
wchen-r7
14a387e4eb
Land #7163 , Add exploit payload delivery via SMB
2016-08-03 14:44:59 -05:00
wchen-r7
2f6e0fb58c
Land #7172 , Add exploit for CVE-2016-0189 (MSIE)
2016-08-03 14:14:16 -05:00
wchen-r7
e16c57ed07
Lower rank
2016-08-03 14:02:47 -05:00
wchen-r7
96dbf627ae
Remove unwanted metadata for HttpServer
2016-08-03 13:55:58 -05:00
wchen-r7
45801bc44e
get_env
2016-08-03 11:11:34 -05:00
wchen-r7
bddf5edcf1
Fix typo
2016-08-03 11:04:53 -05:00
Jon Hart
554a0c5ad7
Deprecate nbname_probe, which duplicate nbname as of 77cd6dbc8b
2016-08-02 17:36:22 -07:00
wchen-r7
8f7d0eae0c
Fix #7155 - Add post module to compress (zip) a file or directory
...
Fix #7155
2016-08-02 14:44:58 -05:00