Commit Graph

21138 Commits (c48587066d4d9ca723796c21ca85c6ad7a4122cd)

Author SHA1 Message Date
Stephen Haywood d088005d95 TABLE_NAME option not needed. 2016-10-03 10:58:13 -04:00
Stephen Haywood 5f12c8e026 Incorrect warning message
The filename is not always test so the warning message and the note in the description are incorrect.
2016-10-03 10:57:25 -04:00
Stephen Haywood 25996a16bb Fixed file read block. 2016-10-03 10:47:03 -04:00
Stephen Haywood 708eb0eb4f Fixed syntax error. 2016-10-03 10:17:29 -04:00
Stephen Haywood fac03570d1 Use File.open block. 2016-10-03 10:09:45 -04:00
Stephen Haywood bc57537205 Add warning statement. 2016-10-03 10:07:40 -04:00
Stephen Haywood a627c3cd5e Removed unnecessary return statements. 2016-10-03 10:02:26 -04:00
Stephen Haywood 6fa8f40b31 Use unless instead of if (not ...) 2016-10-03 10:00:56 -04:00
Interference Security 3e01dbfded Fixed Space-Tab mixed indent warning 2016-10-01 15:13:26 +05:30
Interference Security 4227cb76a8 Fixed stack trace bug & verified logic
- Fixed stack trace bug when value of "packet" is nill.
- Verified logic of Oracle TNS Listener poisoning which requires an ACCEPT response to be marked as vulnerable.
2016-10-01 15:01:02 +05:30
Stephen Haywood 63c0b6f569 Login failure message. 2016-09-30 17:09:41 -04:00
David Maloney 3f9540d906
fix trailing whitespace
this commit got dropped during landing
2016-09-30 14:30:31 -05:00
David Maloney 72bd75e681
Land #7253, x64 xor encoder fix
Land fullmetalcache's fix for the x64 xor encoder
2016-09-30 14:28:10 -05:00
Stephen Haywood 7996c4b048 Warning about leaving files on disk. 2016-09-30 14:53:15 -04:00
Stephen Haywood 3e4a23cdf6 Removed unnecessary require statement. 2016-09-30 14:51:43 -04:00
Jon Hart b3c6ec09a0
Show status when gathering, which can take a bit 2016-09-30 06:42:22 -07:00
Jon Hart abed3bf6c2
Rename 2016-09-30 06:35:26 -07:00
Jon Hart 9ee6e1931a
target_uri simplification, cleanup 2016-09-30 06:24:50 -07:00
Jon Hart 60cfe6216a
mstfidy 2016-09-29 22:00:35 -07:00
Jon Hart 558adb5e1e
Uncork module and address style issues 2016-09-29 21:59:19 -07:00
Jon Hart b2e06bed66
Initial commit of post module to gather AWS EC2 instance metadata 2016-09-29 21:52:22 -07:00
nixawk ac76c3591a reference urls 2016-09-29 22:43:00 -05:00
nixawk 5929d72266 CVE-2016-6415 - cisco_ike_benigncertain.rb 2016-09-29 22:25:57 -05:00
Brent Cook fabb296b15 update cache and add payload test 2016-09-29 21:19:55 -05:00
h00die 7b0a8784aa additional doc updates 2016-09-29 19:02:16 -04:00
Brent Cook 301e38b08f use correct base class for modules 2016-09-29 17:21:59 -05:00
RageLtMan a7470991d9 Bring Python reverse_tcp_ssl payload upstream
Adds TLS/SSL transport encryption for reverse tcp payloads in
python
2016-09-29 17:21:59 -05:00
h00die bac4a25b2c compile or nill 2016-09-29 06:15:17 -04:00
h00die 4fac5271ae slight cleanup 2016-09-29 05:51:13 -04:00
h00die c036c258a9 cve-2016-4557 2016-09-29 05:23:12 -04:00
h00die 3b548dc3cd update email and paths 2016-09-28 18:37:48 -04:00
jvoisin 2272e15ca2 Remove some anti-patterns, in the same spirit than #7372 2016-09-29 00:15:01 +02:00
William Vu 988471b860
Land #7372, useless use of cat fix
Obligatory: modules/exploits/linux/local/kloxo_lxsuexec.rb.
2016-09-28 16:37:11 -05:00
William Vu 3033c16da6 Add missing rank 2016-09-28 16:37:04 -05:00
jvoisin b46073b34a Replace `cat` with Ruby's `read_file`
Thanks to wvu-r7 for the comment
2016-09-28 23:22:19 +02:00
Jeffrey Martin 1689f10890
Land #7292, add android stageless meterpreter_reverse_tcp 2016-09-28 16:05:22 -05:00
William Vu 45ee59581b
Fix inverted logic in Docker exploit
Positive condition should be tested first, imo. Confusing otherwise. My
bad, though.

Credit to @fslavin-r7.
2016-09-28 15:36:09 -05:00
William Vu ab94bb9cdd
Land #7365, nonce fix for Ninja Forms exploit 2016-09-28 13:57:08 -05:00
averagesecurityguy f7e588cdeb Initial commit of module. 2016-09-28 14:55:32 -04:00
Julien (jvoisin) Voisin dbb2abeda1 Remove the `cat $FILE | grep $PATTERN` anti-pattern
The `kloxo_lxsuexec.rb` and `netfilter_pvi_esc.rb` exploits
were using the infamous `cat+grep` anti-pattern, this commit
replaces it with `cat` and Ruby's `.include?` method.
2016-09-28 13:41:25 +02:00
Tim b4a1adaf0f refactor into android.rb 2016-09-28 18:23:34 +08:00
Tim dc43f59dcf dalvik -> android 2016-09-28 14:50:52 +08:00
h00die 35a2b3e59d working panda 2016-09-27 20:15:17 -04:00
wchen-r7 f838c9990f Fix nonce bug in wp_ninja_forms_unauthenticated_file_upload
If wordpress saves the nonce value in JavaScript, we could get an
undefined method for nil.
2016-09-27 11:30:52 -05:00
OJ 76b3c37262
Fix msftidy errors 2016-09-27 22:56:07 +10:00
OJ 0e82ced082
Add LPE exploit module for the capcom driver flaw
This commit includes:

* RDI binary that abuses the SMEP bypass and userland function pointer
  invocation that is provided by the driver.
* Related metasploit module.
* Associated make.build to build from command line.
* Updated command line build file.

This also includes the beginnings of a new set of functions that help
with the management/automation of kernel-related work on Windows for
local priv esc exploits.
2016-09-27 22:37:45 +10:00
Pearce Barry edbe1c3e14
Land #7361, Make OSX screencapture silent 2016-09-26 17:24:03 -05:00
Brendan b9de73e803
Land #7334, Add aux module to exploit WINDOWS based (java) Colorado
FTP server directory traversal
2016-09-26 14:15:23 -05:00
Pearce Barry 6382fffc75
Land #7326, Linux Kernel Netfilter Privesc 2016-09-26 12:38:50 -05:00
Tim 53823a4807 oops msftidy 2016-09-26 23:50:38 +08:00
Henry Pitcairn e5c05c05d2 Make OSX screencapture silent
By default, the `screencapture` command on OS X plays a camera sound effect. The -x option silences this.
2016-09-25 22:54:57 -04:00
Adam Cammack a13e83af8a
Land #7357, Stagefright CVE-2015-3864 2016-09-25 17:10:06 -05:00
h00die 23e5556a4c binary drops work! 2016-09-24 21:31:00 -04:00
Brent Cook e0ff8859e9
Land #7359, add EXTRABACON auxiliary module auxiliary/admin/cisco/cisco_asa_extrabacon 2016-09-24 10:46:13 -04:00
Brent Cook df28e2a85e Add credit to wwebb-r7 for the initial module and ASA hacking notes 2016-09-24 05:48:31 -04:00
TheNaterz cd4299b3a2 Added offsets for version 9.2(4)14
This version of the ASA is patched and our offsets do not work currently. We may do more work on this to find a solution.
2016-09-23 16:57:08 -06:00
TheNaterz 087e9461ce Added offsets for version 9.2(4)13 2016-09-23 16:50:50 -06:00
TheNaterz 3f985d94d7 Added offsets for version 8.4(6)5 2016-09-23 16:32:42 -06:00
TheNaterz 352946d8f5 Added offsets for version 8.4(4)9 2016-09-23 16:19:36 -06:00
TheNaterz 368fd1a77f Added offsets for version 8.4(4)5 2016-09-23 16:07:42 -06:00
TheNaterz 19fe09318a Added offsets for version 8.4(4)3 2016-09-23 15:56:02 -06:00
TheNaterz 8840af0e90 Added offsets for version 8.4(4)1 2016-09-23 15:44:39 -06:00
TheNaterz 19caff2293 Added offsets for 8.3(2)40 2016-09-23 15:26:02 -06:00
TheNaterz ba4505bcce Added offsets for version 8.3(2)39 2016-09-23 15:05:39 -06:00
TheNaterz 64df7b0524 Added offsets for verion 8.3(2)-npe
We currently can't distinguish between 8.3(2) and 8.3(2)-npe versions from the SNMP strings. We've commented out the 8.3(2)-npe offsets, but in the future, we'd like to incorporate this version.
2016-09-23 14:49:57 -06:00
TheNaterz 926e5fab9e Added offsets for version 8.2(5)41 2016-09-23 14:00:23 -06:00
TheNaterz b4d3e8ea3e Added offsets for version 9.2(1) 2016-09-23 13:52:13 -06:00
TheNaterz d36e16fc32 Added offsets for version 8.2(5)33 2016-09-23 13:15:39 -06:00
TheNaterz f19ed4376b Adding new version offsets 2016-09-23 12:57:36 -06:00
Joshua J. Drake dbf66f27d5 Add a browser-based exploit module for CVE-2015-3864 2016-09-23 11:14:31 -05:00
Tijl Deneut 2fab62b14d Update profinet_siemens.rb
Removed unnecessary rescue, gave "timeout" variable a better name.
2016-09-23 18:05:45 +02:00
George Papakyriakopoulos 639dee993a Fixed interactive password prompt issue
Fixed an issue where the exploit would drop to interactive password prompt by default on newer ruby version which rendered the exploit unusable. It now properly forces pubkey authentication instead and proceeds with the bypass as expected.
2016-09-23 17:03:40 +01:00
TheNaterz 98cf5d8eb5 Changed 'build_offsets' to 'build_payload' 2016-09-23 09:32:17 -06:00
zerosum0x0 1868371ba7 fix merge conflicts 2016-09-23 14:49:36 +00:00
zerosum0x0 2591d0b7c6 numerous fixes as per @busterb 2016-09-23 14:46:40 +00:00
Pearce Barry 5de1d34869
Land #7341, add module metasploit_static_secret_key_base 2016-09-23 09:20:48 -05:00
h00die cba297644e post to local conversion 2016-09-22 22:08:24 -04:00
TheNaterz dda6b67928 Added basic error handling for unsupported ASA versions 2016-09-22 18:24:25 -06:00
TheNaterz cf070853e9 Moved required datastore option into constructor 2016-09-22 18:08:35 -06:00
h00die 7646771dec refactored for live compile or drop binary 2016-09-22 20:07:07 -04:00
TheNaterz df25f07b34 Replaced '+=' with '<<' 2016-09-22 17:53:28 -06:00
TheNaterz f525c24a9f Added offsets for 8.4(7) 2016-09-22 17:16:37 -06:00
zerosum0x0 28a09c2d13 stupid comment 2016-09-22 22:57:42 +00:00
TheNaterz 7762f42dfa Added offsets for 8.3(1) 2016-09-22 16:17:37 -06:00
TheNaterz 064aed858b Added RiskSense contributor repo to references 2016-09-22 16:10:30 -06:00
TheNaterz 961524d648 Adding offsets for 9.1(1)4 2016-09-22 16:04:44 -06:00
TheNaterz 4e9459d876 Added offsets for 9.0(1) 2016-09-22 15:35:59 -06:00
TheNaterz 5ca6563c8f Fixed problem with 9.2(2)8 offsets 2016-09-22 15:24:49 -06:00
TheNaterz b77adc97f0 Removing redundant version check 2016-09-22 15:05:42 -06:00
TheNaterz c22a2a19e8 Added offsets for 9.2(2)8 2016-09-22 14:59:49 -06:00
TheNaterz e8d1f6d5a0 Added offsets for 8.2(3) 2016-09-22 14:38:52 -06:00
Jenna Magius a0ba8b7401 Fix whitespace per msftidy 2016-09-22 14:25:04 -06:00
TheNaterz 022189c075 Added offsets for 8.4(3) 2016-09-22 14:12:33 -06:00
zerosum0x0 4288c3fb46 added always_return_true variable 2016-09-22 19:44:55 +00:00
TheNaterz c18045128a Replaced global vars, made 'patched_code' value static 2016-09-22 13:42:23 -06:00
zerosum0x0 3c7fc49788 Added module auxiliary/admin/cisco/cisco_asa_extrabacon
This module patches the authentication functions of a Cisco ASA
to allow uncredentialed logins. Uses improved shellcode for payload.
2016-09-22 18:06:03 +00:00
wchen-r7 bc425b0378 Update samsung_security_manager_put
This patch improves the following

* Stage 1 XSS/JS attack to use the body.onload callback
* Better timing for FF
2016-09-22 12:02:49 -05:00
Tim 34e02fe097 stageless http 2016-09-22 16:26:26 +01:00
Tim 1b911e7117 placate msftidy 2016-09-22 16:26:26 +01:00
Tim 32c2311b86 android meterpreter_reverse_tcp 2016-09-22 16:26:26 +01:00
Brent Cook 9f3c8c7eee
Land #7268, add metasploit_webui_console_command_execution post-auth exploit 2016-09-22 00:50:58 -05:00
Brent Cook 88cef32ea4
Land #7339, SSH module fixes from net:ssh updates 2016-09-22 00:27:32 -05:00
Brendan 04f8f7a0ea
Land #7266, Add Kaltura Remote PHP Code Execution 2016-09-21 17:14:49 -05:00
Justin Steven dcfbb9ee6a
Tidy info
Replace errant \t with \x20
2016-09-21 20:14:11 +10:00
Justin Steven 1e24568406
Tweak verbosity re: found secrets 2016-09-21 20:14:08 +10:00
Justin Steven 30d07ce0c7
Tidy metasploit_static_secret_key_base module
* Inline magic values
* Optimise out dead Rails3-specific code
2016-09-21 20:13:58 +10:00
Kyle Gray 9d01f24cff
Land #7388, relocate Rex::Platform:Windows content
This PR consolidates the few lines of consts/code in lib/rex/platforms/windows.rb into MSF core.

Completes #MS-1714
2016-09-20 16:39:07 -05:00
Louis Sato 8b1d29feef
Land #7304, fix rails_secret_deserialization popchain 2016-09-20 16:05:03 -05:00
Mehmet Ince 2d3c167b78
Grammar changes again. 2016-09-20 23:51:12 +03:00
Mehmet Ince 0f16393220
Yet another grammar changes 2016-09-20 19:48:40 +03:00
Mehmet Ince fb00d1c556
Another minor grammer changes 2016-09-20 19:23:28 +03:00
Brendan 251421e4a7 Minor grammar changes 2016-09-20 10:37:39 -05:00
Mehmet Ince 385428684f
Move module and docs under the exploit/linux/http folder 2016-09-20 12:45:23 +03:00
Brent Cook a9a1146155 fix more ssh option hashes 2016-09-20 01:30:35 -05:00
Mehmet Ince c689a8fb61
Removing empty lines before module start 2016-09-20 01:42:18 +03:00
Mehmet Ince 29a14f0147
Change References to EDB number and remove 4 space 2016-09-20 01:31:56 +03:00
Justin Steven a1ca27d491
add module metasploit_static_secret_key_base 2016-09-20 07:04:00 +10:00
David Maloney e315ec4e73
Merge branch 'master' into bug/7321/fix-ssh-modules 2016-09-19 15:27:37 -05:00
David Maloney 06ff7303a6
make pubkey verifier work with old module
make the new pubkey verifier class and
the old identify_pubkeys aux module work
together

7321
2016-09-19 15:20:35 -05:00
Pearce Barry 3f5ed75198
Relocate Rex::Platform:Windows content (fixes MS-1714) 2016-09-19 14:34:44 -05:00
h00die 3bc566a50c fix email 2016-09-18 20:09:38 -04:00
h00die 9c922d111f colorado ftp 2016-09-18 20:03:16 -04:00
h00die edd1704080 reexploit and other docs and edits added 2016-09-18 09:01:41 -04:00
h00die 4f85a1171f reexploit and other docs and edits added 2016-09-18 08:51:27 -04:00
Mehmet Ince 53d4162e7d Send payload with POST rather than custom header. 2016-09-17 23:11:16 +03:00
Thao Doan d2100bfc4e
Land #7301, Support URIHOST for exim4_dovecot_exec for NAT 2016-09-16 12:49:57 -07:00
Thao Doan 7c396dbf59
Use URIHOST 2016-09-16 12:48:54 -07:00
William Vu 4d0643f4d1
Add missing DefaultTarget to Docker exploit 2016-09-16 13:09:00 -05:00
William Vu da516cb939
Land #7027, Docker privesc exploit 2016-09-16 12:44:21 -05:00
William Vu 4ba1ed2e00
Fix formatting in fortinet_backdoor
Also add :config and :use_agent options.
2016-09-16 12:32:30 -05:00
William Vu e3060194c6
Fix formatting in ubiquiti_airos_file_upload
Also add :config and :use_agent options.
2016-09-16 12:27:09 -05:00
David Maloney 26491eed1a
pass the public key in as a file instead of data
when using key_data it seems to assume it is a private
key now. the initial key parsing error can be bypassed
by doing this

7321
2016-09-16 11:48:51 -05:00
Jan Mitchell c102384b7a Remove spaces at EOL 2016-09-16 11:28:08 +01:00
Jan Mitchell 7393d91bfa Merge branch 'master' of https://github.com/rapid7/metasploit-framework into upstream-master 2016-09-16 10:46:44 +01:00
h00die 4be4bcf7eb forgot updates 2016-09-16 02:08:09 -04:00
h00die 2e42e0f091 first commit 2016-09-16 01:54:49 -04:00
Brent Cook 90f0eec390
Land #7325, Fix missing form inputs in skybluecanvas_exec 2016-09-15 19:55:32 -05:00
William Vu a7103f2155 Fix missing form inputs
Also improve check string.
2016-09-15 19:19:24 -05:00
Brent Cook 60e728ec5c
Land #7065, Correct display errors for SHA-512 hashes with MS SQL Server 2012 2016-09-15 18:06:02 -05:00
Brent Cook 8b050fcc9b simplify cleanup code, remove duplicate logic 2016-09-15 18:05:34 -05:00
Brent Cook 6e221ca575
Land #7221, Updated JCL cmd payloads to use PR7007 format 2016-09-15 16:38:31 -05:00
David Maloney dfcd5742c1
some more minor fixes
some more minor fixes around broken
ssh modules

7321
2016-09-15 14:25:17 -05:00
David Maloney e10c133eef
fix the exagrid exploit module
split the exagrid exploit module up and
refactor to be able to easily tell if the
key or the password was used

7321
2016-09-15 11:44:19 -05:00
Justin Steven 116c754328
tidy Platform 2016-09-15 10:35:42 +10:00
Justin Steven 8a0c8b54fc
merge branch 'master' into PR branch
make Travis happy
2016-09-15 10:31:24 +10:00
Justin Steven ff1c839b7d
appease msftidy
trailing whitespace
2016-09-15 08:18:43 +10:00
William Webb 01327f0265
Land #7245, NetBSD mail.local privilege escalation module 2016-09-14 16:07:12 -05:00
William Vu c6214d9c5e Fix and clean module 2016-09-14 14:36:29 -05:00
James Lee 27be29edb4
Fix typo 2016-09-14 13:21:37 -05:00
James Barnett 6509b34da1
Land #7255, Fix issue causing Glassfish to fail uploading to Windows targets. 2016-09-14 12:57:41 -05:00
William Vu 8533e6c5fd
Land #7252, ARCH_CMD to ARCH_PHP for phoenix_exec 2016-09-14 10:38:37 -05:00
William Vu cac890a797
Land #7308, disclosure date additions 2016-09-13 23:16:30 -05:00
William Vu e4e6f5daac Fix indentation 2016-09-13 23:15:37 -05:00
William Vu a5502264d4
Land #7305, missing env var fix for Steam module 2016-09-13 23:11:40 -05:00
h00die d73531c0d3 added disclosure dates 2016-09-13 20:37:04 -04:00
Brent Cook 7352029497 first round of SSL damage fixes 2016-09-13 17:42:31 -05:00
wchen-r7 245237d650
Land #7288, Add LoginScannerfor Octopus Deploy server 2016-09-13 17:26:56 -05:00
wchen-r7 10efafe44e
Land #7306, Update links and add CVE to WebNMS modules 2016-09-13 15:52:27 -05:00
wchen-r7 ed5bbb9885
Land #7284, Add SugarCRM REST PHP Object Injection exploit 2016-09-13 15:46:46 -05:00
wchen-r7 a0095ad809 Check res properly and update Ruby syntax
If res is nil, it should not be doing res.code
2016-09-13 15:45:57 -05:00
Pedro Ribeiro 8d4ee3fac6 Forgot the bracket! 2016-09-13 19:01:22 +01:00
Pedro Ribeiro 4d49f7140c update links and CVE on webnms_file_download 2016-09-13 18:50:53 +01:00
Pedro Ribeiro 41bdae4b84 update links and CVE on webnms_file_upload 2016-09-13 18:50:25 +01:00
Pedro Ribeiro 8b90df8b67 update links and CVE on webnms_cred_disclosure 2016-09-13 18:49:58 +01:00
wchen-r7 89705cc803 Avoid potential undef method error '+' for nil 2016-09-13 11:13:02 -05:00
wchen-r7 50447fc4cf Fix post/windows/gather/credentials/steam for an empty env var 2016-09-13 11:04:42 -05:00
Justin Steven 17bad7bd4f
fix popchain
ERB changed as per <https://github.com/ruby/ruby/commit/e82f4195d4>
which broke the popchain used for code execution.
2016-09-13 21:25:14 +10:00
nixawk 1ce9aedb97 parenthesis for condition expression 2016-09-13 03:37:47 -05:00
nixawk fd16c1c3b7 Fix issue-7295 2016-09-13 01:32:20 -05:00
aushack 11342356f8 Support LHOST for metasploit behind NAT 2016-09-13 11:23:49 +10:00
Tijl Deneut 8df8f7dda0 Initial commit of profinet_siemens.rb 2016-09-11 09:15:41 +02:00
scriptjunkie a0e05d4c4c
Land #7287, mdaemon cred dumper 2016-09-10 08:43:07 -05:00
Brent Cook a81f351cb3
Land #7274, Remove deprecated modules 2016-09-09 12:01:59 -05:00
Brent Cook 1d4b0de560
Land #6616, Added an Outlook EWS NTLM login module. 2016-09-09 11:43:52 -05:00
Justin Steven 6bafad44f2
drop 'require uri', tweak option text 2016-09-09 20:31:23 +10:00
Justin Steven 0b012c2496
Combine Unix and Windows modules 2016-09-09 20:28:13 +10:00
Agora Security 00f09d19b1 SMTP Typo
Correct SMTP Type (before SMPT)
2016-09-09 01:36:37 -05:00
William Vu 92dba8ff9d
Land #7290, env var check for WinSCP module 2016-09-07 21:08:12 -05:00
Brendan a30711ddcd
Land #7279, Use the rubyntlm gem (again) 2016-09-07 16:33:35 -05:00
wchen-r7 a9c3c5d391 Fix typos 2016-09-07 15:40:10 -05:00
wchen-r7 831c7a08a8 Check environment variables before using for winscp module 2016-09-07 15:24:22 -05:00
William Vu 7d44bd5ba4 Clean up module 2016-09-06 23:30:58 -05:00
aushack 015b790295 Added default rport. 2016-09-07 14:24:07 +10:00
aushack 7632c74aba Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2016-09-07 14:15:57 +10:00
aushack 6e21684ff7 Fix typo. 2016-09-07 14:08:46 +10:00
james-otten dcf0d74428 Adding module to scan for Octopus Deploy server
This module tries to log into one or more Octopus Deploy servers.

More information about Octopus Deploy:
https://octopus.com
2016-09-06 20:52:49 -05:00
catatonic c06ee991ed Adding WiFi pineapple command injection via authenticaiton bypass. 2016-09-06 17:22:25 -07:00
catatonic 8d40dddc17 Adding WiFi pineapple preconfig command injection module. 2016-09-06 17:18:36 -07:00
EgiX df5fdbff41 Add module for KIS-2016-07: SugarCRM REST PHP Object Injection
This PR contains a module to exploit KIS-2016-07, a PHP Object Injection vulnerability in SugarCRM CE before version 6.5.24 that allows unauthenticated users to execute arbitrary PHP code with the permissions of the webserver. Successful exploitation of this vulnerability should require SugarCRM to be running on PHP before version 5.6.25 or 7.0.10, which fix CVE-2016-7124.
2016-09-07 01:58:41 +02:00
Quentin Kaiser e4d118108a Trend Micro SafeSync exploit. 2016-09-06 19:33:23 +00:00
William Vu fed2ed444f Remove deprecated modules
psexec_psh is undeprecated because users have been reporting
idiosyncrasies between it and psexec in the field.
2016-09-03 12:43:01 -05:00
Justin Steven ea220091ea
add metasploit_webui_console_command_execution
These modules target the Metasploit Community/Express/Pro Web UI on
Unix and Windows via the diagnostic console feature
2016-09-03 09:12:09 +10:00
Mehmet Ince ba6c2117cf
Fix msftidy issues 2016-09-02 18:18:43 +03:00
Mehmet Ince 144fb22c32
Add Kaltura PHP Remote Code Execution module 2016-09-02 18:09:53 +03:00
Brendan 81bc6bd672
Land #7228, Create zabbix_toggleids_sqli auxiliary module 2016-09-01 16:33:17 -05:00
Jan Mitchell 411689aa44 Adding changes to Samba exploit to target MIPSBE (this is for OpenWRT on a router 2016-09-01 10:05:13 +01:00
Jan Mitchell 4d3611ceb9 Added MIPSBE support to Samba exploit. Added a MIPSBE nop generator 2016-09-01 09:55:08 +01:00
Jon Hart b0e45341e5
Update redis file_upload to optionally FLUSHALL before writing
This increases the chances that the uploaded file will be usable as-is
rather than being surround by the data in redis itself.
2016-08-31 14:27:18 -07:00
Brandon Perry 874fec4e31 Update zabbix_toggleids_sqli.rb 2016-08-31 17:23:16 -04:00
Brandon Perry d43380330e Update zabbix_toggleids_sqli.rb 2016-08-31 17:18:28 -04:00
bigendian smalls 05278c868e
Updated JCL cmd payloads to use PR7007 format
PR7007 centralized JCL job card for any JCL cmd payload.  This PR simply
uses that new format for existing JCL cmd payloads.  No functionality
for these payloads was changed, added or deleted.
2016-08-31 14:39:01 -05:00
AgoraSecurity d65ca818ea Add validation of session type 2016-08-31 11:29:04 -05:00
AgoraSecurity ce7d4cf7f7 Removed "shell" from SessionTypes
Remove the need to check for the session type manually. It will be automatically validated at the time of module run.
2016-08-31 00:12:31 -05:00
AgoraSecurity 401044ee43 Fix error when saving creds 2016-08-30 16:49:31 -05:00
wchen-r7 445a43bd97 Trim the fat 2016-08-30 15:56:51 -05:00
wchen-r7 1b505b9b67 Fix #7247, Fix GlassFish on Windows targets
Fix #7247
2016-08-30 15:46:08 -05:00
William Vu e403df57e0
Land #7251, CPORT fix for smb_login 2016-08-30 00:52:22 -05:00
fullmetalcache fd1efaea9f Attempts to address issue #6963 x64/xor encoder not working 2016-08-29 19:59:39 -06:00
William Vu ea7721608b
Land #7248, CredEnumerateA fix for enum_cred_store 2016-08-29 15:12:23 -05:00
William Vu 7a412031e5 Convert phoenix_exec to ARCH_PHP 2016-08-29 14:14:22 -05:00
William Vu 43a9b2fa26
Fix missing return
My bad.
2016-08-29 14:13:18 -05:00
William Vu d50a6408ea
Fix missed Twitter handle 2016-08-29 13:46:26 -05:00
William Vu f8fa090ec0
Fix one more missed comma 2016-08-29 13:40:55 -05:00
William Vu 53516d3323
Fix #7220, phoenix_exec module cleanup 2016-08-29 13:28:15 -05:00
Brendan b21ea2ba3f Added code to assign CPORT value to the parent scanner object 2016-08-29 13:17:10 -05:00
Brendan bc6a529388 Added some error checking to CredEnuerateA() railgun call 2016-08-26 16:21:54 -05:00
h00die 748c959cba forgot to save before PR 2016-08-25 21:45:17 -04:00
h00die 5dff01625d working code 2016-08-25 21:32:25 -04:00
Pearce Barry 226ded8d7e
Land #6921, Support basic and form auth at the same time 2016-08-25 16:31:26 -05:00
wchen-r7 52b81f32b1
Land #7238, Add DETECT_ANY_AUTH to smb_login 2016-08-25 11:52:14 -05:00
Louis Sato 4a6b2ef8de
fixing typo for reference for golden ticket 2016-08-24 10:55:36 -05:00
Brendan 83160b7e49
Land #7173, Add post module to compress (zip) a file or directory 2016-08-24 09:38:04 -05:00
William Vu cd858a149f Add DETECT_ANY_AUTH to make bogus login optional 2016-08-23 23:05:47 -05:00
wchen-r7 89c3b6f399 Remove the -d flag for Linux machines 2016-08-23 18:43:50 -05:00
Pearce Barry 03e14ec86f
Land #7232, Net::SSH Regression Fixes
Fixes #7160
Fixes #7175
Fixes #7229
2016-08-23 14:53:42 -05:00
Brandon Perry 38a8d21e5b Update zabbix_toggleids_sqli.rb 2016-08-22 18:57:25 -05:00
Brandon Perry 6b9635d7a5 Rename zabbix_toggleids_sqli to zabbix_toggleids_sqli.rb 2016-08-22 18:52:16 -05:00
David Maloney 20947cd6cd
remove old dependency on net-ssh moneykpatch
the ssh_login_pubkey scanner relied on functionality that
was monkeypatched into our vendored copy. this was an uneeded solution
in the first palce, and we now use a more sane method of accomplishing
the same thing
2016-08-22 10:54:09 -05:00
h00die f2e2cb6a5e cant transfer file 2016-08-21 19:42:29 -04:00
h00die 6306fa5aa5 Per discussion in #7195, trying a different route. Currently this compiles, then passes the binary. However, there isn't a reliable binary transfer method at this point, so the rewrite from this point will be to transfer the ascii file, then compile on system (gcc is installed by default I believe) 2016-08-21 19:16:04 -04:00
Brandon Perry 2abf71a3ac Create zabbix_toggleids_sqli 2016-08-21 12:43:20 -05:00
Jay Turla ee89b20ab7 remove 'BadChars' 2016-08-19 23:49:11 +08:00
Jay Turla e3d1f8e97b Updated the description 2016-08-19 22:22:56 +08:00
Jay Turla 5a4f0cf72f run msftidy 2016-08-19 21:56:02 +08:00
Jay Turla c66ea5ff8f Correcting the date based on the EDB 2016-08-19 21:47:57 +08:00
Jay Turla d4c82868de Add Phoenix Exploit Kit Remote Code Execution
This module exploits a Remote Code Execution in the web panel of Phoenix Exploit Kit Remote Code Execution via the geoip.php. The Phoenix Exploit Kit is a popular commercial crimeware tool that probes the browser of the visitor for the presence of outdated and insecure versions of browser plugins like Java, and Adobe Flash and Reader which then silently installs malware.

```
msf exploit(phoenix_exec) > show options

Module options (exploit/multi/http/phoenix_exec):

   Name       Current Setting              Required  Description
   ----       ---------------              --------  -----------
   Proxies                                 no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST      192.168.52.128               yes       The target address
   RPORT      80                           yes       The target port
   SSL        false                        no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /Phoenix/includes/geoip.php  yes       The path of geoip.php which is vulnerable to RCE
   VHOST                                   no        HTTP server virtual host


Payload options (cmd/unix/reverse):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.52.129   yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Phoenix Exploit Kit / Unix


msf exploit(phoenix_exec) > check
[+] 192.168.52.128:80 The target is vulnerable.
msf exploit(phoenix_exec) > exploit

[*] Started reverse TCP double handler on 192.168.52.129:4444 
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo RZpbBEP77nS8Dvm4;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "RZpbBEP77nS8Dvm4\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 5 opened (192.168.52.129:4444 -> 192.168.52.128:51748) at 2016-08-19 09:29:22 -0400

uname -a
Linux ubuntu 4.4.0-28-generic #47-Ubuntu SMP Fri Jun 24 10:08:35 UTC 2016 i686 i686 i686 GNU/Linux
```
2016-08-19 21:29:55 +08:00
wchen-r7 b081dbf703 Make destination required 2016-08-18 15:56:16 -05:00
William Webb 3eb3c5afa2
Land #7215, Fix drupal_coder_exec bugs #7215 2016-08-18 13:43:23 -05:00
William Vu bc9a402d9e
Land #7214, print_brute ip:rport fix 2016-08-17 22:48:40 -05:00
William Vu 2b6576b038
Land #7012, Linux service persistence module 2016-08-17 22:45:35 -05:00
William Vu c64d91457f
Land #7003, cron/crontab persistence module 2016-08-17 22:45:16 -05:00
William Vu 2fa4c7073b
Land #6995, SSH key persistence module 2016-08-17 22:44:57 -05:00
wchen-r7 60937ec5e9 If user is SYSTEM, then steal a token before decompression 2016-08-17 16:56:09 -05:00
William Vu 4228868c29 Clean up after yourself
Can't use FileDropper. :(
2016-08-16 23:09:14 -05:00
William Vu 1f63f8f45b Don't override payload
pl is a cheap replacement.
2016-08-16 23:08:53 -05:00
William Vu b3402a45f7 Add generic payloads
Useful for testing and custom stuff.
2016-08-16 23:08:09 -05:00
wchen-r7 5f8ef6682a Fix #7202, Make print_brute print ip:rport if available
Fix #7202
2016-08-16 15:34:30 -05:00
Brent Cook 870669bdf7 handle exception in getsystem module 2016-08-15 23:51:05 -05:00
William Vu 2fed51bb18
Land #7115, Drupal CODER exploit 2016-08-15 01:15:23 -05:00
William Vu 62d28f10cb Clean up Mehmet modules 2016-08-15 01:12:58 -05:00
Brent Cook d34579f1f0
Land #7203, Fix struts_default_action_mapper payload request delay 2016-08-12 23:00:44 -05:00
Brent Cook 1733d3e1f1 remove obsolete tested-on comment 2016-08-12 17:26:43 -05:00
Pearce Barry 1e7663c704
Land #7200, Rex::Ui::Text cleanup 2016-08-12 16:22:55 -05:00
Mehmet Ince b4846e5793
Enabling cmd_bash payload type with bash-tcp cmd 2016-08-13 00:14:25 +03:00
Mehmet Ince d38e9f8ceb
Using # instead of ;. Semicolon is causing msg in error.log. 2016-08-12 23:35:29 +03:00
wchen-r7 f4e4a5dcf3 Fix struts_default_action_mapper payload request delay
MS-1609
2016-08-12 15:29:00 -05:00
Mehmet Ince ba79579202
Extending Space limitation up to 250 2016-08-12 22:32:49 +03:00
Brendan 1a7286f625
Land #7062, Create exploit for WebNMS 5.2 RCE 2016-08-12 07:11:48 -07:00
wchen-r7 c2c05a820a Force uripath and srvport options 2016-08-10 18:25:45 -05:00
wchen-r7 e56e801c12 Update ie_sandbox_findfiles.rb 2016-08-10 18:09:58 -05:00
David Maloney eb73a6914d
replace old rex::ui::text::table refs
everywhere we called the class we have now rewritten it
to use the new namespace

MS-1875
2016-08-10 13:30:09 -05:00
Yorick Koster 87b27951cf Fixed some build errors 2016-08-09 20:46:49 +02:00
Yorick Koster 0fcced2091 Revert "Internet Explorer iframe sandbox local file name disclosure vulnerability"
This reverts commit 3ed7908b83.
2016-08-09 20:44:45 +02:00
Yorick Koster 79a84fb320 Internet Explorer iframe sandbox local file name disclosure vulnerability
It was found that Internet Explorer allows the disclosure of local file
names. This issue exists due to the fact that Internet Explorer behaves
different for file:// URLs pointing to existing and non-existent files.
When used in combination with HTML5 sandbox iframes it is possible to
use this behavior to find out if a local file exists. This technique
only works on Internet Explorer 10 & 11 since these support the HTML5
sandbox. Also it is not possible to do this from a regular website as
file:// URLs are blocked all together. The attack must be performed
locally (works with Internet zone Mark of the Web) or from a share.
2016-08-09 20:35:42 +02:00
Yorick Koster 3ed7908b83 Internet Explorer iframe sandbox local file name disclosure vulnerability
It was found that Internet Explorer allows the disclosure of local file
names. This issue exists due to the fact that Internet Explorer behaves
different for file:// URLs pointing to existing and non-existent files.
When used in combination with HTML5 sandbox iframes it is possible to
use this behavior to find out if a local file exists. This technique
only works on Internet Explorer 10 & 11 since these support the HTML5
sandbox. Also it is not possible to do this from a regular website as
file:// URLs are blocked all together. The attack must be performed
locally (works with Internet zone Mark of the Web) or from a share.
2016-08-09 20:23:35 +02:00
Yorick Koster b7049939d9 Fixed more build errors 2016-08-09 12:55:18 +02:00
Yorick Koster 22054ce85c Fixed build errors 2016-08-09 12:47:08 +02:00
Yorick Koster b935e3df2e Office OLE Multiple DLL Side Loading Vulnerabilities
Multiple DLL side loading vulnerabilities were found in various COM
components.
These issues can be exploited by loading various these components as an
embedded
OLE object. When instantiating a vulnerable object Windows will try to
load one
or more DLLs from the current working directory. If an attacker
convinces the
victim to open a specially crafted (Office) document from a directory
also
containing the attacker's DLL file, it is possible to execute arbitrary
code with
the privileges of the target user. This can potentially result in the
attacker
taking complete control of the affected system.
2016-08-09 12:29:08 +02:00
wchen-r7 de16a6d536
Land #7182, Nuuo / Netgear Surveillance admin password reset module 2016-08-08 16:10:30 -05:00
wchen-r7 c64e1b8fe6
Land #7181, NUUO NVRmini 2 / Crystal / NETGEAR ReadyNAS Surveillance 2016-08-08 16:04:33 -05:00
wchen-r7 cb04ff48bc
Land #7180, Add exploit for CVE 2016-5674 / Nuuo / Netgear unauth RCE 2016-08-08 15:55:39 -05:00
wchen-r7 8654baf3dd
Land #6880, add a module for netcore/netdis udp 53413 backdoor 2016-08-08 15:43:34 -05:00
wchen-r7 f98efb1345 Fix typos 2016-08-08 15:41:03 -05:00
Quentin Kaiser 1320647f31 Exploit for Trend Micro Smart Protection Server (CVE-2016-6267). 2016-08-08 18:47:46 +00:00
Pedro Ribeiro 7ca7682d17 Fix whitespace error from msftidy 2016-08-08 17:57:03 +01:00
wchen-r7 3d1289dac3
Land #7185, Add VMware Host Guest Client Redirector DLL Hijack Exploit 2016-08-08 11:41:40 -05:00
wchen-r7 51c457dfb3 Update vmhgfs_webdav_dll_sideload 2016-08-08 11:40:03 -05:00
Pearce Barry ae59c4ae74
Land #6687, Fix meterpreter platform to include OS in the tuple for all meterpreters 2016-08-07 05:00:24 -05:00
Pedro Ribeiro 3b64b891a6 Update nuuo_nvrmini_unauth_rce.rb 2016-08-05 21:53:25 +01:00
Pedro Ribeiro 746ba4d76c Add bugtraq reference 2016-08-05 21:53:08 +01:00
Pedro Ribeiro 106f26587e Add bugtraq reference 2016-08-05 21:52:46 +01:00
Steven Seeley 230903562f Add Samsung Security Manager 1.5 ActiveMQ Broker exploit 2016-08-05 15:19:22 -05:00
Yorick Koster dae1679245 Fixed build warnings 2016-08-05 20:40:41 +02:00
Yorick Koster 02e065dae6 Fixed disclosure date format 2016-08-05 20:32:58 +02:00
Yorick Koster 97d11a7041 Exploit module for CVE-2016-5330 VMware Host Guest Client Redirector DLL hijack 2016-08-05 20:19:40 +02:00
Pedro Ribeiro 07e210c143 Add changes requested to target.uri 2016-08-04 17:50:16 +01:00
Pedro Ribeiro 036d0502db Add github link 2016-08-04 17:38:45 +01:00
Pedro Ribeiro 2aca610095 Add github link 2016-08-04 17:38:31 +01:00
Pedro Ribeiro 7d8dc9bc82 Update nuuo_nvrmini_unauth_rce.rb 2016-08-04 17:38:14 +01:00
Pedro Ribeiro ec67db03f1 add exploit for CVE 2016-5676 2016-08-04 16:56:16 +01:00
Pedro Ribeiro b48518099c add exploit for CVE 2016-5674 2016-08-04 16:55:21 +01:00
Pedro Ribeiro 0deac80d61 add exploit for CVE 2016-5675 2016-08-04 16:54:38 +01:00
wchen-r7 14a387e4eb
Land #7163, Add exploit payload delivery via SMB 2016-08-03 14:44:59 -05:00
wchen-r7 2f6e0fb58c
Land #7172, Add exploit for CVE-2016-0189 (MSIE) 2016-08-03 14:14:16 -05:00
wchen-r7 e16c57ed07 Lower rank 2016-08-03 14:02:47 -05:00
wchen-r7 96dbf627ae Remove unwanted metadata for HttpServer 2016-08-03 13:55:58 -05:00
wchen-r7 45801bc44e get_env 2016-08-03 11:11:34 -05:00
wchen-r7 bddf5edcf1 Fix typo 2016-08-03 11:04:53 -05:00
Jon Hart 554a0c5ad7
Deprecate nbname_probe, which duplicate nbname as of 77cd6dbc8b 2016-08-02 17:36:22 -07:00
wchen-r7 8f7d0eae0c Fix #7155 - Add post module to compress (zip) a file or directory
Fix #7155
2016-08-02 14:44:58 -05:00