Commit Graph

39059 Commits (c682490c1b6f15f69f979fccd0a0cf2fe6b976e7)

Author SHA1 Message Date
David Maloney 97f9ca4028
Merge branch 'master' into egypt/ruby-ntlm 2016-06-28 14:14:56 -05:00
Metasploit e3e360cc83
Bump version of framework to 4.12.10 2016-06-28 12:13:26 -07:00
Adam Cammack ac5d2709cf
Land #7031, Revert #6729 2016-06-28 13:52:53 -05:00
Louis Sato d5d0b9e9b8 Revert "Land #6729, Speed up the datastore"
This reverts commit c6b1955a5a, reversing
changes made to 4fb7472391.
2016-06-28 13:39:52 -05:00
Pearce Barry 0660880332 Ensure 'show options' reflects correct values.
Small fix here to ensure that, even when boolean 'option' variables have a default value of 'true', that their current value is correctly reflected via the 'show options' command.  This change should play fine with all other option variable types, I believe.

Current behavior:

```
msf > use auxiliary/gather/darkcomet_filedownloader
msf auxiliary(darkcomet_filedownloader) > show options

Module options (auxiliary/gather/darkcomet_filedownloader):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   BRUTETIMEOUT  1                no        Timeout (in seconds) for bruteforce attempts
   KEY                            no        DarkComet RC4 key (include DC prefix with key eg. #KCMDDC51#-890password)
   LHOST         0.0.0.0          yes       This is our IP (as it appears to the DarkComet C2 server)
   NEWVERSION    true             no        Set to true if DarkComet version >= 5.1, set to false if version < 5.1
   RHOST         0.0.0.0          yes       The target address
   RPORT         1604             yes       The target port
   STORE_LOOT    true             no        Store file in loot (will simply output file to console if set to false).
   TARGETFILE                     no        Target file to download (assumes password is set)

msf auxiliary(darkcomet_filedownloader) > set STORE_LOOT false
STORE_LOOT => false
msf auxiliary(darkcomet_filedownloader) > get STORE_LOOT
STORE_LOOT => false
msf auxiliary(darkcomet_filedownloader) > set NEW_VERSION false
NEW_VERSION => false
msf auxiliary(darkcomet_filedownloader) > get NEW_VERSION
NEW_VERSION => false
msf auxiliary(darkcomet_filedownloader) > show options

Module options (auxiliary/gather/darkcomet_filedownloader):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   BRUTETIMEOUT  1                no        Timeout (in seconds) for bruteforce attempts
   KEY                            no        DarkComet RC4 key (include DC prefix with key eg. #KCMDDC51#-890password)
   LHOST         0.0.0.0          yes       This is our IP (as it appears to the DarkComet C2 server)
   NEWVERSION    true             no        Set to true if DarkComet version >= 5.1, set to false if version < 5.1
   RHOST         0.0.0.0          yes       The target address
   RPORT         1604             yes       The target port
   STORE_LOOT    true             no        Store file in loot (will simply output file to console if set to false).
   TARGETFILE                     no        Target file to download (assumes password is set)
```

New behavior with this change:

```
msf > use auxiliary/gather/darkcomet_filedownloader
msf auxiliary(darkcomet_filedownloader) > show options

Module options (auxiliary/gather/darkcomet_filedownloader):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   BRUTETIMEOUT  1                no        Timeout (in seconds) for bruteforce attempts
   KEY                            no        DarkComet RC4 key (include DC prefix with key eg. #KCMDDC51#-890password)
   LHOST         0.0.0.0          yes       This is our IP (as it appears to the DarkComet C2 server)
   NEWVERSION    true             no        Set to true if DarkComet version >= 5.1, set to false if version < 5.1
   RHOST         0.0.0.0          yes       The target address
   RPORT         1604             yes       The target port
   STORE_LOOT    true             no        Store file in loot (will simply output file to console if set to false).
   TARGETFILE                     no        Target file to download (assumes password is set)

msf auxiliary(darkcomet_filedownloader) > set STORE_LOOT false
STORE_LOOT => false
msf auxiliary(darkcomet_filedownloader) > get STORE_LOOT
STORE_LOOT => false
msf auxiliary(darkcomet_filedownloader) > set NEWVERSION false
NEWVERSION => false
msf auxiliary(darkcomet_filedownloader) > get NEWVERSION
NEWVERSION => false
msf auxiliary(darkcomet_filedownloader) > show options

Module options (auxiliary/gather/darkcomet_filedownloader):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   BRUTETIMEOUT  1                no        Timeout (in seconds) for bruteforce attempts
   KEY                            no        DarkComet RC4 key (include DC prefix with key eg. #KCMDDC51#-890password)
   LHOST         0.0.0.0          yes       This is our IP (as it appears to the DarkComet C2 server)
   NEWVERSION    false            no        Set to true if DarkComet version >= 5.1, set to false if version < 5.1
   RHOST         0.0.0.0          yes       The target address
   RPORT         1604             yes       The target port
   STORE_LOOT    false            no        Store file in loot (will simply output file to console if set to false).
   TARGETFILE                     no        Target file to download (assumes password is set)
```
2016-06-28 13:12:34 -05:00
wchen-r7 70a7415185 Change description 2016-06-28 11:24:38 -05:00
RageLtMan fcf8cda22f Add basic module for CVE-2016-2098
ActionPack versions prior to 3.2.22.2, 4.1.14.2, and 4.2.5.2
implement unsafe dynamic rendering of inline content such that
passing ERB wrapped Ruby code leads to remote execution.

This module only implements the Ruby payloads, but can easily
be extended to use system calls to execute native/alternate
payload types as well.

Test Procedures:
  Clone https://github.com/hderms/dh-CVE_2016_2098
  Run bundle install to match gem versions to those in lockfile
  Run the rails server and configure the metasploit module:
    Set TARGETURI to /exploits
    Configure payload and handler options
  Execute the module, move on to post-exp
2016-06-28 03:28:16 -04:00
William Vu 5f08591fef Add Nagios XI exploit 2016-06-27 15:17:18 -05:00
dmohanty-r7 c2f3d411c3
Replace rex/java with rex-java gem 2016-06-27 14:52:49 -05:00
Metasploit fd07da3519
Bump version of framework to 4.12.9 2016-06-27 11:54:04 -07:00
Scott Lee Davis 2480781409 pesky pry. 2016-06-27 01:55:49 -04:00
Scott Lee Davis c2b4e22b46 updated with discovered changes from k kali & documentation update changes requested. 2016-06-27 01:53:20 -04:00
wchen-r7 1e7202cf9b Add module documentation for auxiliary/admin/netbios/netbios_spoof 2016-06-25 12:20:08 -05:00
James Lee 058115c21f
Land #7015, sdavis' swagger exploit 2016-06-24 16:13:51 -05:00
James Lee 15a1a9ed71
Raise if payload.arch doesn't match expected
This is necessary when payload is a generic/* since we can't actually
figure out what we need the prefix/suffix to be because the generics are
a pain to extract the arch/platform info out of.

Also remove some unnecessary options.
2016-06-24 16:08:47 -05:00
James Lee 5d4cc7ab40
Add nodejs to list of defaults 2016-06-24 16:06:50 -05:00
David Maloney 409e26351b
remove test module
sponge left in patient
2016-06-24 15:12:47 -05:00
David Maloney 6c3871bd0c
update ssh modules to use new SSHFactory
updated all of our SSh based module to use the
new SSHFactory class to plug Rex::Sockets into
Net::SSH

MS-1688
2016-06-24 13:55:28 -05:00
William Vu 4c5fd78937
Land #7005, rm the crap out of lib/rex
And stuff the code into gems!
2016-06-24 13:38:30 -05:00
David Maloney 5bc513d6cd
get ssh sessions working properly
ssh sessions now working correctly

MD-1688
2016-06-24 12:14:48 -05:00
wchen-r7 9f280d714e
Land #6994, NetBIOS Name Brute Force Spoofing modules 2016-06-23 17:54:51 -05:00
Scott Davis 3fb9eae687 EOL space if a ruby devil. 2016-06-23 15:40:16 -07:00
Scott Davis b38b116c9a @ePaul comments added to description. 2016-06-23 15:33:11 -07:00
Scott Davis 5e1b7d8c0f even more clean up. 2016-06-23 14:59:11 -07:00
Scott Davis 63d8787101 added back (new) usage examples for nodejs,java,ruby,php. 2016-06-23 14:56:46 -07:00
Scott Lee Davis 0fd83b50d1 Merge pull request #3 from todb-r7/return-of-multiarch
Return of multiarch: LGTM.  thank you! @wchen-r7 @egypt @todb-r7 !
2016-06-23 16:00:33 -04:00
Tod Beardsley ff741fbc35
Rename for docs 2016-06-23 14:53:49 -05:00
Tod Beardsley 92522138c5
Remove the RC files 2016-06-23 14:52:23 -05:00
Tod Beardsley 08d08d2c95
Fix Java payload generator 2016-06-23 14:51:26 -05:00
Tod Beardsley 464808d825
First, put the RC data in the module proper 2016-06-23 14:43:37 -05:00
Tod Beardsley 92c70dab6f
Real array, and fix PHP 2016-06-23 13:22:21 -05:00
Tod Beardsley ffabf26593
No Automatic target. 2016-06-23 12:50:23 -05:00
Tod Beardsley 7a36d03fe3
Trying multi arch 2016-06-23 12:34:51 -05:00
Scott Lee Davis 47674c77ad chmod 644 swagger_param_inject.rb 2016-06-23 11:49:16 -04:00
Scott Lee Davis fbd0bc4308 updated as per @egypt & @todb-r7 recommendations. 2016-06-23 11:41:54 -04:00
Scott Lee Davis e9e4e7d069 Merge pull request #1 from todb-r7/nodejs-only-7015
Modify for only NodeJS
2016-06-23 11:38:29 -04:00
khr0x40sh 40d7de05ef Fix Payload Generation
Payload generation now only occurs once and function 'setup_pay'
removed.  Payload is generated with cmd_psh_payload and is mutated to
fit dropped text file.
2016-06-23 11:20:22 -04:00
Tod Beardsley fc79f3a2a9
Modify for only NodeJS
Not sure if we can do multiple arch's in the same module. Doesn't look
like it's possible today.

See rapid7#7015
2016-06-23 10:14:57 -05:00
Scott Davis 579a3bcf7c default payload is NOT text based, so do nothing with it. 2016-06-23 07:00:14 -07:00
Scott Davis 47e4321424 CVE-2016-5641 2016-06-23 06:09:37 -07:00
h00die a3b08418b9 fixed markdown 2016-06-22 20:32:51 -04:00
wchen-r7 048741660c
Land #6980, Add ClamAV Remote Command Transmitter 2016-06-22 15:50:45 -05:00
wchen-r7 a1b1b31f98 Update clamav_control.md 2016-06-22 15:49:23 -05:00
wchen-r7 f5e6eccce2 Add clamav_control.md doc 2016-06-22 15:43:31 -05:00
David Maloney 3e94abe555
put net:ssh::commandstream back
this was apparently our own creation for doing
ssh sessions

MD-1688
2016-06-22 15:02:36 -05:00
David Maloney 18f6d2143c
Merge branch 'master' into feature/rex-cleanup/first-gems 2016-06-22 14:56:56 -05:00
David Maloney 6072697126
continued 2016-06-22 14:54:00 -05:00
David Maloney 140621ad9b
start to move to canonical net-ssh
removed vendored net::ssh
pulled in net:ssh gem
made Rex::Socket::SSHFactory clas to bridge rex sockets in
Renamed getpeername to getpeername-as_array to not override
core socket behaviour

MS-1688
2016-06-22 14:52:33 -05:00
wchen-r7 de5152401a
Land #6992, Add tiki calendar exec exploit 2016-06-22 11:18:14 -05:00
wchen-r7 8697d3d6fb Update tiki_calendar_exec module and documentation 2016-06-22 11:17:45 -05:00