47f2cef22e
Syntax changes to humor rubocop and ruby style
2016-07-11 12:50:58 -07:00
d0e1c67c18
Land #7026 , Add Action Pack render exploit CVE-2016-2098
2016-07-07 16:16:37 -05:00
2cc6565cc9
Update rails_actionpack_inline_exec
2016-07-07 15:56:50 -05:00
5f9f3259f8
Merge branch 'master' into feature/MS-1688/net-ssh-cleanup
2016-07-05 10:48:38 -05:00
eeba35f87a
Create file for WebNMS 5.2 remote code execution
2016-07-04 21:07:03 +01:00
d1281b6594
Chmod to remove the exec bit.
2016-06-30 10:43:46 -04:00
3d93c55174
move sshfactory into a mixin method
...
use a convience method to DRY up creation
of the SSHFactory inside modules. This will make it easier
to apply changes as needed in future. Also changed msframework attr
to just framework as per our normal convention
MS-1688
2016-06-28 15:23:12 -05:00
ee2d1d4fdc
Merge branch 'master' into feature/MS-1688/net-ssh-cleanup
2016-06-28 15:00:35 -05:00
fcf8cda22f
Add basic module for CVE-2016-2098
...
ActionPack versions prior to 3.2.22.2, 4.1.14.2, and 4.2.5.2
implement unsafe dynamic rendering of inline content such that
passing ERB wrapped Ruby code leads to remote execution.
This module only implements the Ruby payloads, but can easily
be extended to use system calls to execute native/alternate
payload types as well.
Test Procedures:
Clone https://github.com/hderms/dh-CVE_2016_2098
Run bundle install to match gem versions to those in lockfile
Run the rails server and configure the metasploit module:
Set TARGETURI to /exploits
Configure payload and handler options
Execute the module, move on to post-exp
2016-06-28 03:28:16 -04:00
2480781409
pesky pry.
2016-06-27 01:55:49 -04:00
c2b4e22b46
updated with discovered changes from k kali & documentation update changes requested.
2016-06-27 01:53:20 -04:00
15a1a9ed71
Raise if payload.arch doesn't match expected
...
This is necessary when payload is a generic/* since we can't actually
figure out what we need the prefix/suffix to be because the generics are
a pain to extract the arch/platform info out of.
Also remove some unnecessary options.
2016-06-24 16:08:47 -05:00
6c3871bd0c
update ssh modules to use new SSHFactory
...
updated all of our SSh based module to use the
new SSHFactory class to plug Rex::Sockets into
Net::SSH
MS-1688
2016-06-24 13:55:28 -05:00
3fb9eae687
EOL space if a ruby devil.
2016-06-23 15:40:16 -07:00
b38b116c9a
@ePaul comments added to description.
2016-06-23 15:33:11 -07:00
08d08d2c95
Fix Java payload generator
2016-06-23 14:51:26 -05:00
464808d825
First, put the RC data in the module proper
2016-06-23 14:43:37 -05:00
92c70dab6f
Real array, and fix PHP
2016-06-23 13:22:21 -05:00
ffabf26593
No Automatic target.
2016-06-23 12:50:23 -05:00
7a36d03fe3
Trying multi arch
2016-06-23 12:34:51 -05:00
47674c77ad
chmod 644 swagger_param_inject.rb
2016-06-23 11:49:16 -04:00
fbd0bc4308
updated as per @egypt & @todb-r7 recommendations.
2016-06-23 11:41:54 -04:00
fc79f3a2a9
Modify for only NodeJS
...
Not sure if we can do multiple arch's in the same module. Doesn't look
like it's possible today.
See rapid7#7015
2016-06-23 10:14:57 -05:00
579a3bcf7c
default payload is NOT text based, so do nothing with it.
2016-06-23 07:00:14 -07:00
47e4321424
CVE-2016-5641
2016-06-23 06:09:37 -07:00
7cdadca79b
Land #6945 , Add struts_dmi_rest_exec exploit
2016-06-08 23:16:46 -05:00
e4c55f97db
Fix module desc
2016-06-06 10:40:36 -05:00
9f19d2c210
add apache struts2 S2-033 rce module
2016-06-06 05:07:48 -05:00
f333481fb8
Add vendor patch info
2016-06-02 16:41:06 -05:00
7c9227f70b
Cosmetic changes for magento_unserialize to pass msftidy & guidelines
2016-06-02 16:34:41 -05:00
4f42cc8c08
Added module
2016-06-02 09:24:10 -05:00
14adcce8bf
Missed the HTTPUSERNAME fix
2016-05-27 18:37:04 -05:00
61f9cc360b
Correct casing - should be HttpUsername and HttpPassword
2016-05-27 18:31:54 -05:00
4dcddb2399
Fix #4885 , Support basic and form auth at the same time
...
When a module uses the HttpClient mixin but registers the USERNAME
and PASSWORD datastore options in order to perform a form auth,
it ruins the ability to also perform a basic auth (sometimes it's
possible to see both). To avoid option naming conflicts, basic auth
options are now HTTPUSERNAME and HTTPPASSWORD.
Fix #4885
2016-05-27 16:25:42 -05:00
028b1ac251
Land #6816 Oracle Application Testing Suite File Upload
2016-05-24 18:27:10 -05:00
5bf8891c54
Land #6882 , fix moodle_cmd_exec HTML parsing to use REX
2016-05-23 23:25:22 -05:00
506356e15d
Land #6889 , check #nil? and #empty? instead of #empty?
2016-05-19 19:23:04 -05:00
99a573a013
Do unless instead "if !" to follow the Ruby guideline
2016-05-19 19:21:45 -05:00
41bcdcce61
fix struts_code_exec_exception_delegator - NoMethodError undefined method 'empty?' for nil:NilClass
2016-05-18 00:11:57 -05:00
bc257ea628
fix struts_code_exec - NoMethodError undefined method 'empty?' for nil:NilClass
2016-05-18 00:10:32 -05:00
e8ac568352
doesn't look like we're using the tcp mixin
2016-05-17 03:15:26 -05:00
08394765df
Fix #6879 , REXML::ParseException No close tag for /div
2016-05-17 03:14:00 -05:00
cf0176e68b
Land #6867 , Add Dell SonicWALL Scrutinizer 11.0.1 MethodDetail SQL Injection
2016-05-16 19:00:10 -05:00
8f9762a3e5
Fix some comments
2016-05-12 00:19:18 -05:00
da293081a9
Fix a typo
2016-05-11 22:48:23 -05:00
9d128cfd9f
Add Dell SonicWALL Scrutinizer 11.0.1 MethodDetail SQL Injection
2016-05-11 22:27:18 -05:00
32e1a19875
Fix up the disclosure date
2016-05-11 00:18:22 -05:00
ded79ce1ff
Fix CVE syntax
2016-05-10 23:18:45 -05:00
4a5d150716
Fixups to continue supporting Rails 4.2.x
2016-05-10 23:12:48 -05:00
04bb493ccb
Small typo fixed
2016-05-10 23:07:51 -05:00
7c6958bbd8
Rework rails_web_console_v2_code_exec to support CVE-2015-3224
2016-05-10 11:08:02 -05:00
2abb062070
Clean up module
2016-05-06 11:51:29 -05:00
8dc7de5b84
Land #6838 , add Rails web-console module
2016-05-05 15:53:52 -05:00
779a7c0f68
Switch to the default rails server port
2016-05-03 02:06:58 -05:00
8b04eaaa60
Clean up various whitespace
2016-05-03 02:06:37 -05:00
df44dc9c1c
Deprecate exploits/linux/http/struts_dmi_exec
...
Please use exploits/multi/http/struts_dmi_exec, which supports
Windows and Java targets.
2016-05-02 15:03:25 -05:00
3300bcc5cb
Make msftidy happier
2016-05-02 02:33:06 -05:00
67c9f6a1cf
Add rails_web_console_v2_code_exec, abuse of a debug feature
2016-05-02 02:31:14 -05:00
6a00f2fc5a
mv exploits/linux/http/struts_dmi_exec.rb to exploits/multi/http/struts_dmi_exec.rb
2016-05-01 00:00:29 +08:00
c16a02638c
Add Oracle Application Testing Suite exploit
2016-04-26 15:41:27 -05:00
0cb555f28d
Fix typo
2016-04-26 15:26:22 -05:00
4a95e675ae
Rm empty references
2016-04-24 11:46:08 -05:00
816bc91e45
Resolve #6807 , remove all OSVDB references.
...
OSVDB is no longer a vulnerability database, therefore all the
references linked to it are invalid.
Resolve #6807
2016-04-23 12:32:34 -05:00
57cb8e49a2
remove overwritten keys from hashes
2016-04-20 07:43:57 -04:00
fd603102db
Land #6765 , Fixed SQL error in lib/msf/core/exploit/postgres
2016-04-18 10:44:20 -07:00
8dfe98d96c
Add bugtraq reference
2016-04-14 10:23:53 +01:00
2dc4539d0d
Change class name to MetasploitModule
2016-04-10 23:27:40 +01:00
1fa7c83ca1
Create file for CVE-2016-1593
2016-04-10 23:17:07 +01:00
6b4dd8787b
Fix #6764 , nil SQL error in lib/msf/core/exploit/postgres
...
Fix #6764
2016-04-08 15:20:04 -05:00
28875313be
Change class name to MetasploitModule
2016-04-08 14:27:52 -05:00
ae46b5a688
Bring #6417 up to date with upstream-master
2016-04-08 13:41:40 -05:00
11bf1018aa
Fix typo
2016-04-06 14:20:41 -05:00
a4ef9980f4
Land #6677 , atutor_sqli update
2016-04-05 19:52:44 -05:00
d9d257cb1a
Fix some things
2016-04-05 19:23:11 -05:00
74f25f04bd
Make sure to always print the target IP:Port
2016-03-30 11:16:41 -05:00
2b90846268
Add Apache Jetspeed exploit
2016-03-23 19:22:32 -05:00
ebc7316442
Spelling Fix
...
Fixed Thorugh to Through
2016-03-19 13:58:13 -04:00
1375600780
Land #6644 , datastore validation on assignment
2016-03-17 11:16:12 -05:00
af642379e6
Fix some OptInts
2016-03-16 14:13:18 -05:00
1769bad762
fix FORCE logic
2016-03-16 09:53:09 -05:00
5ef8854186
Update ATutor - Remove Login Code
2016-03-15 17:37:37 -05:00
a50b21238e
Land #6669 , remove debug code from apache_roller_ognl_injection that breaks Windows
2016-03-13 14:14:10 -05:00
23eeb76294
update php_utility_belt_rce to use MetasploitModule
2016-03-13 13:59:47 -05:00
a6316d326e
Land #6662 , update disclosure date for php_utility_belt_rce
2016-03-13 13:58:04 -05:00
dabe5c8465
Land #6655 , use MetasploitModule as module class name
2016-03-13 13:48:31 -05:00
b22a057165
Fix #6554 , hardcoded File.open path in apache_roller_ognl_injection
...
The hardcoded File.open path was meant for debugging purposes during
development, but apparently we forgot to remove it. This line causes
the exploit to be unusable on Windows platform.
Fix #6554
2016-03-11 18:48:17 -06:00
8953952a8f
correction for the DisclosureDate based on Exploit-DB
2016-03-11 14:05:26 +08:00
8d22358892
Land #6624 , PHP Utility Belt exploit
2016-03-09 14:12:45 -06:00
52d12b68ae
Clean up module
2016-03-09 14:08:26 -06:00
3123175ac7
use MetasploitModule as a class name
2016-03-08 14:02:44 +01:00
f703fa21d6
Revert "change Metasploit3 class names"
...
This reverts commit 666ae14259
2016-03-07 13:19:55 -06:00
44990e9721
Revert "change Metasploit4 class names"
...
This reverts commit 3da9535e22
2016-03-07 13:19:48 -06:00
3da9535e22
change Metasploit4 class names
2016-03-07 09:57:22 +01:00
666ae14259
change Metasploit3 class names
2016-03-07 09:56:58 +01:00
a2c3b05416
Land #6405 , prefer default module base class of simply 'Metasploit'
2016-03-06 17:10:55 -06:00
c7c0e12bb3
remove various module hacks for the datastore defaults not preserving types
2016-03-05 23:11:39 -06:00
ba4e0d304b
Do regex \d+ instead
2016-03-03 11:05:16 -06:00
cda4c6b3b3
Update the regex for the number of students in ATutor
2016-03-01 09:41:17 -06:00
62a611a472
Adding PHP Utility Belt Remote Code Execution
2016-03-01 09:22:25 +08:00
274b9acb75
rm #push
2016-02-29 18:58:05 -06:00
f55835cceb
Merge new code changes from mr_me
2016-02-29 18:39:52 -06:00
638d91197e
Override print_* to always print the IP and port
2016-02-29 16:18:03 -06:00
54ede19150
Use FileDropper to cleanup
2016-02-29 16:15:50 -06:00
727a119e5b
Report cred
2016-02-29 16:06:31 -06:00
4cc690fd8d
Let the user specify username/password
2016-02-29 15:45:33 -06:00
726c1c8d1e
There is no http_send_command, so I guess the check should not work
2016-02-29 15:43:47 -06:00
a3fa57c8f6
Add CVE-2016-2555: ATutor 2.2.1 SQL Injection Exploit Module
2016-02-29 14:59:26 -06:00
138e48b202
Fix vuln_version?
2016-02-22 00:39:44 +08:00
53a52fafd5
make code to be readable / rebuild / testing
2016-02-22 00:34:49 +08:00
3e22de116f
Changes to fix peer and style as recommended by jhart-r7.
2016-02-20 13:53:32 -08:00
3d1861b3f4
Land #6526 , integrate {peer} string into logging by default
2016-02-15 15:19:26 -06:00
12256a6423
Remove now-redundant peer
...
These all include either Msf::Exploit::Remote:Tcp or Msf::Exploit::Remote:HttpClient
2016-02-01 15:12:03 -06:00
b049debef0
Fixes as recommended in the PR discussion.
2016-01-28 23:29:01 -08:00
f6f2e1403b
Land #6496 , specify scripting language - elastic search
2016-01-27 15:42:47 -06:00
51eb79adc7
first try in changing class names
2016-01-22 23:36:37 +01:00
b02c762b93
Grab zeroSteiner's module/jenkins-cmd branch
2016-01-22 10:17:32 -06:00
99de466a4d
Bugfix: specify scripting language
2016-01-22 15:00:10 +01:00
fec75c1daa
Land #6457 , FileDropper for axis2_deployer
2016-01-14 15:10:05 -06:00
37178cda06
Land #6449 , properly handle HttpServer resource collisions
2016-01-14 12:15:18 -06:00
0216d027f9
Use OptEnum instead of OptString
2016-01-14 09:06:45 +00:00
564b4807a2
Add METHOD to simple_backdoors_exec
2016-01-13 14:42:11 +00:00
889a5d40a1
Add VAR to simple_backdoors_exec
2016-01-13 13:46:26 +00:00
514199e88f
Register early so the cleanup can actually rm the file
2016-01-12 15:22:03 -06:00
78bc394f80
Fix #6268 , Use FileDropper for axis2_deployer
...
Fix #6268
2016-01-08 17:09:09 -06:00
6a2b4c2530
Fix #6445 , Unexpected HttpServer terminations
...
Fix #6445
Problem:
When an HttpServer instance is trying to register a resource that
is already taken, it causes all HttpServers to terminate, which
is not a desired behavior.
Root Cause:
It appears the Msf::Exploit::Remote::TcpServer#stop_service method
is causing the problem. When the service is being detected as an
HttpServer, the #stop method used actually causes all servers to
stop, not just for a specific one. This stopping route was
introduced in 04772c8946
2016-01-07 16:55:41 -06:00
436ea85b18
Further cleanup and fixes
2016-01-05 21:11:08 -08:00
5c9c27691e
Execute commands on postgres through built-in functionality
2016-01-01 04:26:20 -08:00
2fd796a699
Execute commands on postgres through built-in functionality
2016-01-01 03:51:00 -08:00
814bf2a102
Execute commands on postgres through built-in functionality
2016-01-01 02:43:56 -08:00
fa3431c732
Pushing now. Still working on it.
2015-12-26 17:53:52 -05:00
27a6aa0be1
Fix current msftidy warnings about PACKETSTORM vs URL
2015-12-24 09:05:02 -08:00
efdb6a8885
Land #6392 , @wchen-r7's 'def peer' cleanup, fixing #6362
2015-12-24 08:53:32 -08:00
e4f9594646
Land #6331 , ensure generic payloads raise correct exceptions on failure
2015-12-23 15:43:12 -06:00
7444f24721
update whitespace / syntax for java_calendar_deserialize
2015-12-23 15:42:27 -06:00
cea3bc27b9
Fix #6362 , avoid overriding def peer repeatedly
...
def peer is a method that gets repeated a lot in modules, so we
should have it in the tcp mixin. This commit also clears a few
modules that use the HttpClient mixin with def peer.
2015-12-23 11:44:55 -06:00
493700be3a
remove duplicate key warning from Ruby 2.2.x
...
This gets rid of the warning:
modules/exploits/multi/http/uptime_file_upload_2.rb:283: warning: duplicated key at line 284 ignored: "newuser"
2015-12-23 10:39:35 -06:00
424e7b6bfe
Land #6384 , more joomla rce references
2015-12-22 22:54:58 +01:00
18398afb56
Update joomla_http_header_rce.rb
2015-12-23 05:48:26 +08:00
cc40c61848
Update joomla_http_header_rce.rb
2015-12-23 05:38:57 +08:00
f6eaff5d96
use the new and shiny joomla mixin
2015-12-22 21:36:42 +01:00
314e902098
Add original exploit discoverer and exploit-db ref
...
Adding Gary @ Sec-1 ltd for the original exploit and two exploit-db references. Marc-Alexandre Montpas modified Gary's exploit that uses "User-Agent" header. Marc-Alexandre Montpas used "X-FORWARDED-FOR" header to avoid default logged to access.log
2015-12-22 22:44:59 +08:00
726578b189
Land #6370 , add joomla reference
2015-12-18 17:05:07 -06:00
fb6ede80c9
add joomla reference
2015-12-18 18:27:48 +01:00
485196af4e
Remove modules/exploits/multi/http/uptime_file_upload.rb
...
Please use exploit/multi/http/uptime_file_upload_1 for exploiting
post2file.php on an older version of uptime.
If you are exploiting uptime that is patched against
exploit/multi/http/uptime_file_upload_1, then you may want to try
exploit/multi/http/uptime_file_upload_2.
2015-12-17 23:01:57 -06:00
06f1949e2c
Land #6355 , Joomla HTTP Header Unauthenticated Remote Code Execution
...
CVE-2015-8562
2015-12-16 17:55:51 -06:00
8c43ecbfaf
add random terminator and clarify target
2015-12-17 00:08:52 +01:00
08d0ffd709
implement @wvu-r7 's feedback
2015-12-16 22:44:01 +01:00
76438dfb2f
implement @wchen-r7 's suggestions
2015-12-16 20:31:43 +01:00
b43d580276
try to detect joomla version
2015-12-16 16:16:59 +01:00
30f90f35e9
also check for debian version number
2015-12-16 15:19:33 +01:00
67eba0d708
update description
2015-12-16 14:46:00 +01:00
fa3fb1affc
better ubuntu version check
2015-12-16 14:18:44 +01:00
60181feb51
more ubuntu checks
2015-12-16 14:02:26 +01:00
934c6282a5
check for nil
2015-12-16 13:52:06 +01:00
2661cc5899
check ubuntu specific version
2015-12-16 13:49:07 +01:00
675dff3b6f
use Gem::Version for version compare
2015-12-16 13:04:15 +01:00
01b943ec93
fix check method
2015-12-16 07:26:25 +01:00
595645bcd7
update description
2015-12-16 07:03:01 +01:00
d80a7e662f
some formatting
2015-12-16 06:57:06 +01:00
c2795d58cb
use target_uri.path
2015-12-16 06:55:23 +01:00
2e54cd2ca7
update description
2015-12-16 06:42:41 +01:00
d4ade7a1fd
update check method
2015-12-16 00:18:39 +01:00
c603430228
fix version check
2015-12-15 18:26:21 +01:00
b9b280954b
Add a check for joomla
2015-12-15 11:03:36 -06:00
e4309790f5
renamed module because X-FORWARDED-FOR header is also working
2015-12-15 17:37:45 +01:00
84d5067abe
add joomla RCE module
2015-12-15 17:20:49 +01:00
563be5c207
Land #6322 , another Perl IRC bot exploit
2015-12-10 09:43:07 -06:00
a945350821
Land #6307 , Perl IRC bot exploit
2015-12-10 09:42:35 -06:00
11c1eb6c78
Raise Msf::NoCompatiblePayloadError if generate_payload_exe fails
...
Most exploits don't check nil for generate_payload_exe, they just
assume they will always have a payload. If the method returns nil,
it ends up making debugging more difficult. Instead of checking nil
one by one, we just raise.
2015-12-08 21:13:23 -06:00
53acfd7ce3
Land #6303 , Add phpFileManager 0.9.8 Remote Code Execution
2015-12-07 21:13:48 -06:00
ea3c7cb35b
Minor edits
2015-12-07 21:13:14 -06:00
b36834f4bc
Update legend_bot_exec.rb
2015-12-07 10:38:36 +08:00
2244f2aa43
Add Legend Perl IRC Bot Remote Code Execution
2015-12-07 10:30:28 +08:00
26c8fd8faa
Update xdh_x_exec.rb
2015-12-07 08:25:19 +08:00
9ee5498090
Update xdh_x_exec.rb
...
satisfying msftidy's request
2015-12-06 20:21:18 +08:00
10a8e98e41
Update xdh_x_exec.rb
2015-12-06 20:11:49 +08:00
14afbc6800
Update xdh_x_exec.rb
...
updated description and new author.
2015-12-06 20:10:19 +08:00
faac44f257
Update xdh_x_exec.rb
2015-12-04 12:39:19 +08:00
f52e6ce65c
Update xdh_x_exec.rb
2015-12-04 11:17:16 +08:00
4955357015
Update xdh_x_exec.rb
2015-12-04 11:06:06 +08:00
4e43a90187
Add Xdh / fBot IRC Bot Remote Code Execution
2015-12-04 10:40:37 +08:00
340fe5640f
Land #6255 , @wchen-r7's module for Atlassian HipChat JIRA plugin
2015-12-03 20:01:06 -06:00
a972b33825
Fix typo
2015-12-03 20:00:37 -06:00
f8c11b9cd1
Move to multi
2015-12-03 17:49:21 -06:00
3bbc413935
Update phpfilemanager_rce.rb
2015-12-04 06:20:43 +08:00
28ca899914
Update phpfilemanager_rce.rb
2015-12-03 18:07:25 +08:00
d63bb4768f
Update phpfilemanager_rce.rb
2015-12-03 14:09:02 +08:00
374b630601
Update phpfilemanager_rce.rb
2015-12-03 13:57:19 +08:00
56b810cb18
Update phpfilemanager_rce.rb
2015-12-03 12:44:41 +08:00
5414f33804
Update phpfilemanager_rce.rb
2015-12-03 12:43:47 +08:00
ab77ab509a
Update phpfilemanager_rce.rb
2015-12-03 12:35:49 +08:00
869caf789f
Update phpfilemanager_rce.rb
2015-12-03 12:34:17 +08:00
a2d51d48cd
Add phpFileManager 0.9.8 Remote Code Execution
2015-12-03 12:11:31 +08:00
16d0d53150
Update Shellshock modules, add Advantech coverage
2015-12-01 10:40:46 -06:00
dc5e9a1d0a
Support CSRF token in the Jenkins aux cmd module
2015-11-22 17:51:27 -05:00
9a0f0a7843
Land #6142 , uptime refactor
2015-11-12 16:58:55 -06:00
ee25cb88b5
Land #6196 , vBulletin 5.1.2 Unserialize Code Execution
2015-11-12 14:38:39 -06:00
6077617bfd
rm res var name
...
the res variable isn't used
2015-11-12 14:37:47 -06:00
199ed9ed25
Move vbulletin_unserialize.rb to exploits/multi/http/
...
According to @all3g, this works on Windows too, so we will move
this to multi/http.
2015-11-12 14:36:01 -06:00
a0351133a6
Add more references to this exploit
...
Adding exploit-db doc about China Chopper webshell and details about this webshell in US-CERT.
2015-11-11 09:51:05 +08:00
f86f427d54
Move Compat into Payload so that is actually used
2015-11-09 16:06:05 -06:00
0cc8165b52
And I forgot to rm the test line
2015-11-06 18:11:27 -06:00
8f2a716306
I don't really need to override fail_with
2015-11-06 18:11:08 -06:00
0213da3810
Handle more NilClass bugs
2015-11-06 18:08:51 -06:00
46fac897bd
Land #6144 , China Chopper Web Shell (Backdoor) module
2015-11-05 18:29:36 -06:00
ea22583ed1
Update title and description
2015-11-05 18:29:03 -06:00
27be832c4c
remove the fail_with because it's always triggering anyway
2015-11-05 18:19:46 -06:00
a71d7ae2ae
Land #6089 , @jvazquez-r7 Fix HTTP mixins namespaces
2015-11-05 16:56:41 -06:00
038cb66937
Use the right module path
2015-11-05 16:16:46 -06:00
109e9b6b6e
remove debug info - require 'pry'
2015-11-03 06:52:11 +00:00
46fe0c0899
base64 for evasion purposes
2015-11-03 06:42:52 +00:00
6c16d2a1ca
caidao's exploit module
2015-11-02 08:54:18 +00:00
57304a30a8
Land #6139 , remove bad ref links
2015-10-29 16:00:43 -05:00
da52c36687
Put back some links
2015-10-29 15:48:47 -05:00
8757743821
Update description
2015-10-27 17:39:11 -05:00
cfe9748962
Deprecate exploits/multi/http/uptime_file_upload
...
Please use uptime_file_upload_1.rb
2015-10-27 17:36:54 -05:00
0c648eb210
Move to modules/exploits/multi/http/uptime_file_upload_2
...
This exploit is rather similiar to uptime_file_upload.rb, because
they both abuse post2file to upload. The difference is that this
module requires a priv escalation to be able to upload, and the
other one doesn't.
2015-10-27 17:31:31 -05:00
592fdef93d
Update uptime_code_exec
2015-10-27 17:29:55 -05:00
5b86d2ef95
Fix #6133 , update description, authors and references
...
Fix #6133
Thank you @japp-0xlabs
2015-10-27 14:38:18 -05:00
154fb585f4
Remove bad references (dead links)
...
These links are no longer available. They are dead links.
2015-10-27 12:41:32 -05:00
0d9ebe13a1
Modify check
2015-10-26 15:25:38 -05:00
4f244c54f8
Update mma_backdoor_upload.rb
2015-10-26 23:01:38 +08:00
ad80f00159
Update mma_backdoor_upload.rb
2015-10-24 11:16:49 +08:00
f461c4682b
Update mma_backdoor_upload.rb
2015-10-24 11:15:26 +08:00
181e7c4c75
Update metadata
2015-10-23 17:22:31 -05:00
01c2641c6b
Change print_*
2015-10-23 16:27:52 -05:00
3c961f61a7
Modify check to use Nokogiri
2015-10-23 14:29:16 -05:00
6f02cedff8
Move method create_exec_service
2015-10-23 13:10:00 -05:00
2828653f8f
Update uptime_code_exec.rb
2015-10-23 11:49:21 +02:00
5539363218
Update uptime_code_exec.rb
2015-10-23 11:33:59 +02:00
be89cb32c9
Th3 MMA mma.php Backdoor Arbitrary File Upload
2015-10-23 08:47:40 +08:00
f06d7591d6
Add header for zpanel_information_disclosure_rce.rb
2015-10-20 16:19:44 -05:00
70b005de7f
Land #6041 , Zpanel info disclosure exploit
2015-10-20 16:08:16 -05:00
728fd17856
Make code changes for zpanel_information_disclosure_rce.rb
...
Use Nokogiri and URI, as well as indent fixes and other things
2015-10-20 16:07:02 -05:00
28ca34c40a
Fix conflicts
2015-10-16 15:38:59 -05:00
c399d7e381
Land #5959 , Add Nibbleblog File Upload Vuln
2015-10-16 15:30:13 -05:00
9666660c06
Enforce check and add another error message
2015-10-16 15:29:12 -05:00
6a1553ae63
Add EDB/CVE/URL references to arkeia_agent_exec
2015-10-16 10:23:20 +07:00
4517270627
Fix modules using Msf::HTTP::JBoss
2015-10-15 11:49:15 -05:00
30d2a3f2a9
Land #5999 , teach PSH web delivery to use a proxy
2015-10-14 11:05:45 -05:00
d67b55d195
Fix autofilter values for aggressive modules
2015-10-13 15:56:18 -07:00
b9b488c109
Deleted unused exception handling
2015-10-09 23:38:52 -05:00
c60fa496c7
Delete extra spaces
2015-10-09 23:37:11 -05:00
e6fbca716c
Readd comment
2015-10-09 23:29:23 -05:00
af445ee411
Re apply a couple of fixes
2015-10-09 23:24:51 -05:00
a590b80211
Update autoregister_ports, try both addresses for the MBean
2015-10-09 20:20:35 -07:00
2b94b70365
Always connect to RHOST regardless of JMXRMI address
2015-10-09 17:49:22 -07:00
cd2e9d4232
Move Msf::Java to the normal Msf::Exploit::Remote namespace
2015-10-09 13:24:34 -07:00
5e9faad4dc
Revert "Merge branch using Rex sockets as IO"
...
This reverts commit c48246c91c3cd9dc4fde
2015-10-09 14:09:12 -05:00
347495e2f5
Rescue Rex::StreamClosedError when there is a session
2015-10-09 13:41:41 -05:00
28454f3b2e
MSFTidyness
2015-10-08 12:59:46 -04:00
871f46a14e
Land #6038 , ManageEngine ServiceDesk Plus Arbitrary File Upload
2015-10-07 15:17:58 -05:00
dddfaafac7
Update reference
2015-10-07 15:17:22 -05:00
5eff3e5637
Removed hard tabs
2015-10-02 14:34:00 -04:00
4ee7ba05aa
Removing hard tabs test
2015-10-02 14:31:46 -04:00
6406a66bc0
Remove Ranking
2015-10-02 14:24:46 -04:00
9f71fd9bfd
Formatting ZPanel Exploit
2015-10-02 14:23:07 -04:00
89a50c20d0
Added Zpanel Exploit
2015-10-02 13:29:53 -04:00
a773627d26
Land #5946 , simple_backdoors_exec module
2015-10-02 11:18:29 -05:00
5b8f98ee06
Land #6022 , zemra_panel_rce module
2015-10-02 11:18:09 -05:00
659a09f7d2
Create manageengine_sd_uploader.rb
2015-10-02 16:04:05 +01:00
33916997a4
Update zemra_panel_rce.rb
...
revised the name and the description
2015-10-02 09:49:59 +08:00
fa1391de87
Update simple_backdoors_exec.rb
...
Updating the code as suggested
2015-10-02 07:53:15 +08:00
501325d9f4
Update zemra_panel_rce.rb
2015-10-02 06:48:34 +08:00
30101153fa
Remove spaces
2015-10-01 18:56:37 +02:00
41cf0ef676
Add reference for CVE-2015-2342 - VMWare VCenter JMX RMI RCE
2015-10-01 18:43:21 +02:00
2802b3ca43
Update zemra_panel_rce.rb
...
sticking res
2015-10-02 00:00:30 +08:00
2ab779ad3d
Land #6010 , capture_sendto fixes
2015-10-01 10:54:24 -05:00
5c5f3a4e7f
Update zemra_panel_rce.rb
...
called http_send_command right away :)
2015-10-01 23:39:36 +08:00
66560d5339
Update zemra_panel_rce.rb
2015-10-01 19:16:23 +08:00
a7fa939fda
Zemra Botnet C2 Web Panel Remote Code Execution
...
This module exploits the C2 web panel of Zemra Botnet which contains a backdoor inside its leaked source code. Zemra is a crimeware bot that can be used to conduct DDoS attacks and is detected by Symantec as Backdoor.Zemra.
2015-09-30 19:24:21 +08:00
2de6c77fa2
Update simple_backdoors_exec.rb
2015-09-30 18:11:05 +08:00
46adceec8f
Update simple_backdoors_exec.rb
2015-09-29 10:40:28 +08:00
dd650409e4
Update simple_backdoors_exec.rb
2015-09-29 08:05:13 +08:00
a47557b9c1
Upd. multi/handler to include mainframe platform
...
Quick update to multi handler so it recognizes mainframe platform based
modules
2015-09-28 11:14:08 -05:00
96e4e883ae
Fix #6008 for wireshark_lwres_getaddrbyname_loop
2015-09-27 14:56:11 -07:00
bd2f73f40a
Fix #6008 for wireshark_lwres_getaddrbyname
2015-09-27 14:55:19 -07:00
bbd08b84e5
Fix #6008 for snort_dce_rpc
2015-09-27 14:53:40 -07:00
e185277ac5
Update simple_backdoors_exec.rb
2015-09-24 14:14:23 +08:00
56a551313c
Update simple_backdoors_exec.rb
2015-09-24 13:54:40 +08:00
192369607d
Update simple_backdoors_exec.rb
...
updated the string 'echo me' to a random text
2015-09-24 13:49:33 +08:00
66c9222968
Make web_delivery proxy aware
2015-09-23 20:45:51 +01:00
d798ef0885
Land #5893 , w3tw0rk/Pitbul RCE module
2015-09-23 02:41:01 -05:00
8106bcc320
Clean up module
2015-09-21 14:37:54 -05:00
9e6d3940b3
Update simple_backdoors_exec.rb
2015-09-13 23:30:14 +08:00
0c4604734e
Webserver starts at the beginning, stops at the end
2015-09-12 19:42:31 +02:00
602a12a1af
typo
2015-09-10 18:28:42 -05:00
68521da2ce
Fix check method.
2015-09-10 04:40:12 -03:00
4566f47ac5
Fix check method.
2015-09-10 03:56:46 -03:00
0ba03f7a06
Fix words.
2015-09-09 21:27:57 -03:00
bc3f5b43ab
Removerd WordPress mixin.
2015-09-09 21:26:15 -03:00
4e31dd4e9f
Add curesec team as vuln discovery.
2015-09-09 21:13:51 -03:00
6336301df3
Add Nibbleblog File Upload Vulnerability
2015-09-09 21:05:36 -03:00
d3aa61d6a0
Move bolt_file_upload.rb to exploits/multi/http
2015-09-09 13:41:44 -03:00
31a8907385
Update simple_backdoors_exec.rb
2015-09-09 08:30:21 +08:00
4e23bba14c
Update simple_backdoors_exec.rb
...
removing the parenthesis for the if statements
2015-09-08 15:47:38 +08:00
002aada59d
Update simple_backdoors_exec.rb
...
changed shell to res
2015-09-08 14:54:26 +08:00
467f9a8353
Update simple_backdoors_exec.rb
2015-09-08 14:45:54 +08:00
37c28ddefb
Update simple_backdoors_exec.rb
...
Updated the description
2015-09-08 13:42:12 +08:00
0f8123ee23
Simple Backdoor Shell Remote Code Execution
2015-09-08 13:08:47 +08:00
944f47b064
Update
...
Check nil
Removed headers
Fixed url normalization
2015-09-05 10:07:58 +02:00
2f8dc7fdab
Update w3tw0rk_exec.rb
...
changed response to res
2015-09-05 14:21:07 +08:00
68d27acd69
Update
...
Add exploit-db references
nil check to version
2015-09-04 23:18:24 +02:00
5b5e97f37a
Update
...
Add normalize_uri
Change print_status tp vprint_status
Removed unused http headers
an other minor changes
2015-09-04 22:12:42 +02:00
5063acac3c
Poorly designed argument fixed
...
Poorly designed argument fixed
2015-09-04 19:43:49 +02:00
04d622b69b
Cleanup Jenkins-CI module titles and option descriptions
2015-09-04 10:25:51 -07:00
cf8b34191d
Updates
...
Add Def for cgi request.
2015-09-04 19:19:02 +02:00
b2c401696b
Add certutil support.
...
Tested while landing #5736
2015-09-03 14:24:37 -05:00
1e6a1f6d05
Revert "Fix spec like I shoulda done before landing #5736"
...
This reverts commit 956c8e550d
2015-09-03 14:18:55 -05:00
92aa09a586
Merge remote-tracking branch 'rapid7/master' into Uptime
2015-09-03 20:48:50 +02:00
6250983fb4
Update
...
Update
2015-09-03 20:29:57 +02:00
b4547711f3
Add certutil support.
...
Tested while landing #5736
2015-09-03 13:27:10 -05:00
cd65478d29
Land #5826 , swap ExitFunction -> EXITFUNC
2015-09-01 13:58:12 -05:00
3e613dc333
change exitfunc to thread
2015-09-01 10:43:45 +02:00
648c034d17
change exitfunc to thread
2015-09-01 10:42:15 +02:00
252e80e793
Uptime Version 7.4.0 / 7.5.0 Upload and Exec file
...
Uptime Version 7.4.0 / 7.5.0 Upload and Exec file
2015-08-31 23:57:39 +02:00
d670a62000
Land #5822 , migrate obsolete payload compatibility options
2015-08-31 15:20:20 -05:00
ff868f9704
Update w3tw0rk_exec.rb
2015-08-26 23:51:09 +08:00
3f6c04a445
Update w3tw0rk_exec.rb
2015-08-26 23:48:31 +08:00
16341d34a2
Update w3tw0rk_exec.rb
2015-08-26 23:34:29 +08:00
892f427664
Update w3tw0rk_exec.rb
...
removed w3tw0rk_login
2015-08-26 09:18:15 +08:00
6edba2cdc8
Update w3tw0rk_exec.rb
2015-08-26 09:11:30 +08:00
c77226c354
Update w3tw0rk_exec.rb
2015-08-26 01:28:07 +08:00
25fb325410
w3tw0rk / Pitbul IRC Bot Remote Code Execution
2015-08-26 01:22:55 +08:00
98e2d074c3
Add disclosure date.
2015-08-15 20:09:41 -05:00
a133e98ba5
Adds a ff 35-36 RCE vector based off the recent ff bug.
2015-08-15 20:02:00 -05:00
80a22412d9
use EXITFUNC instead of ExitFunction
2015-08-13 21:22:32 +02:00
605a14350f
Land #5833 , sshexec improvements
2015-08-13 14:16:22 -05:00
3bd6c4cee4
Add a comma
2015-08-13 14:16:09 -05:00
c94a185610
Land #5697 , Werkzeug debug RCE
2015-08-13 13:32:27 -05:00
d54ee19ce9
Clean up module
2015-08-13 13:32:22 -05:00
28fbb7cdde
Update the description of the sshexec module
2015-08-12 16:05:09 -04:00
dfe2bbf1e9
Add a python target to the sshexec module
2015-08-12 15:46:47 -04:00
203c231b74
Fix #5659 : Update CMD exploits payload compatibility options
2015-08-10 17:12:59 -05:00
eab9b3bf5b
interpolation fix on secret
2015-08-01 14:39:12 -04:00
ceb49a51a6
thanks @espreto for help
2015-08-01 11:11:37 -04:00
4561241609
updates per @jvazquez-r7 comments
2015-07-24 20:34:40 -04:00
2c9183fa56
Return check code
2015-07-24 16:14:43 -05:00
a163606513
Delete unused SLEEP option
2015-07-24 15:29:56 -05:00
1b1ac09d2a
Merge to solve conflicts
2015-07-24 15:24:29 -05:00
cadb03bac0
Fix my own blasted typo, ty @wvu-r7
2015-07-20 17:14:34 -05:00
2052b4ef56
Fixed the HT leak attribution a little
2015-07-20 16:36:47 -05:00
f7c11d0852
More cleanups
...
Edited modules/exploits/multi/browser/adobe_flash_hacking_team_uaf.rb
first landed in #5678 , adobe_flash_hacking_team_uaf.rb
Edited
modules/exploits/multi/browser/adobe_flash_opaque_background_uaf.rb
first landed in #5698 , Adobe Flash CVE-2015-5122 opaqueBackground
Edited modules/exploits/multi/http/sysaid_auth_file_upload.rb first
landed in #5471 , @pedrib's module for SysAid CVE-2015-2994
Edited modules/exploits/multi/http/sysaid_rdslogs_file_upload.rb first
landed in #5473 Correct spelling of sysaid module
2015-07-20 16:29:49 -05:00
ab6204ca2e
Correct spelling of sysaid module
...
First landed in #5473 .
2015-07-20 16:21:50 -05:00
3fe165a265
Remove whitespace at the end
2015-07-18 20:18:34 +01:00
70a2247941
Pick target is not needed...
2015-07-18 20:12:49 +01:00
7483e77bba
Fix Linux target by trying again if exploit fails
2015-07-18 20:12:13 +01:00
7113c801b1
Land #5732 , reliability update for adobe_flash_hacking_team_uaf
2015-07-17 16:43:39 -05:00
837eb9ea38
Land #5742 , better quality coverage for adobe_flash_opaque_background_uaf
2015-07-17 16:25:14 -05:00
f77f7d6916
Bump rank
2015-07-17 16:23:27 -05:00
Brendan
wchen-r7
David Maloney
Pedro Ribeiro
Tod Beardsley
RageLtMan
Scott Lee Davis
James Lee
Vex Woo
mr_me
William Webb
Brent Cook
HD Moore
William Vu
Louis Sato
thao doan
h00die
Jay Turla
Christian Mehlmauer
net-ninja
Micheal
Lutz Wolf
Rory McNamara
Jon Hart
jvazquez-r7
HD Moore
Spencer McIntyre
dmohanty-r7
Ewerson Guimaraes (Crash)
xistence
brent morris
Hans-Martin Münch (h0ng10)
bigendian smalls
Meatballs
Roberto Soares
joev
h00die