bbe4162320
Added error checking and some suggested style changes
2016-07-08 08:27:56 -07:00
d0e1c67c18
Land #7026 , Add Action Pack render exploit CVE-2016-2098
2016-07-07 16:16:37 -05:00
2cc6565cc9
Update rails_actionpack_inline_exec
2016-07-07 15:56:50 -05:00
09dcd1dade
Added version check and error handling, changed regex to ruby syntax.
...
Also made a few syntax changes to placate rubocop.
2016-07-07 10:35:18 -07:00
892f354ece
give me some credit
2016-07-06 21:39:45 -04:00
47cf6d5edf
better docs, extract more data
2016-07-06 21:28:57 -04:00
fee361dae0
Land #7075 , Add ms16-016 local privilege escalation
2016-07-06 12:01:01 -05:00
532ea5d4c4
Make sure there's a ref and checkcode
2016-07-06 12:00:20 -05:00
45401bfe45
Land #7069 , modify check codes in multiple local exploits
2016-07-06 00:04:24 -05:00
b4b3a84fa5
refactor ms16-016 code
2016-07-05 20:50:43 -05:00
1164c025a2
Revert "Land #7009 , egypt's rubyntlm cleanup"
...
This reverts commit d90f0779f8e3e360cc83
2016-07-05 15:22:44 -05:00
21bede1166
unify stager style
2016-07-05 11:24:54 -05:00
049b322ae4
add x86 and x64 stagers for mettle
2016-07-05 11:24:54 -05:00
8490a3b775
Remove hard-float requirement for MIPS O32
2016-07-05 11:24:54 -05:00
0390ed4d6e
Add MIPS O32 Linux support (big and little endian)
2016-07-05 11:24:54 -05:00
8de508c4e0
Add mettle module for ARM
2016-07-05 11:24:54 -05:00
6290cb681f
Change class name Metasploit4 to MetasploitModule
2016-07-05 11:12:49 -05:00
5f9f3259f8
Merge branch 'master' into feature/MS-1688/net-ssh-cleanup
2016-07-05 10:48:38 -05:00
7d638a0975
Remove misc_anti_emu
2016-07-05 17:29:37 +02:00
e29d5b9efe
Land #6954 , Fix the available size of payload for exploit/.../payload_inject
2016-07-05 07:38:27 -07:00
0f8efec001
Fix modules broken by @wchen-r7 's 4275a65407 commit.
...
These modules call check() in the exploit() function and expected to get a CheckCode::Vulnerable, now that check() returns Appears instead of Vulnerable they always refuse to run.
I've flipped the logic, based on examples in other modules, now they refuse to run only if check() positively returns Safe.
2016-07-05 13:49:14 +02:00
cfc368ab65
Land #6959 , Add Linux ARM big endian ipv4 bind shellcode
2016-07-05 00:41:00 -05:00
54dfcee665
Land #7055 , add netgear_soap_password_extractor docs
2016-07-04 23:59:10 -05:00
ec4769fade
Create exploit for WebNMS credential disclosure
2016-07-04 21:15:15 +01:00
05ef5316df
Create exploit for WebNMS arbitrary file download
2016-07-04 21:10:14 +01:00
78335f8e20
Update the cache size in bsd/x64/shell_reverse_tcp
2016-07-04 00:35:52 +02:00
f246aa0b58
dup2() to STDERR_FILENO in bsd/x64/shell_reverse_tcp
2016-07-04 00:00:33 +02:00
54092177a2
Remove superfluous xor in bsd/x64/shell_reverse_tcp
2016-07-03 23:53:11 +02:00
12812650c0
Land #7054 , Fix busted alpha encoding on ms02_018_htr
2016-07-02 17:07:25 -05:00
4ed12d7077
Added: support for credentials saving using report_cred method as suggested
...
Added: support for detection of valid user credentials to skip login SQLi if not necessary.
2016-07-02 01:41:13 -04:00
844c13dc17
added new vuln device to netgear list, plus docs
2016-07-01 18:32:30 -04:00
3850431966
Fix busted alpha encoding on this old-ass exploit
2016-07-01 17:20:00 -05:00
bca0d716c0
Land #7047 , Ensure http_login scanner module saves passwds
2016-07-01 12:21:28 -05:00
70a79bb0e8
Land #7014 , Nagios remote root shell exploit
2016-07-01 08:17:38 -07:00
a1bd640eff
Fix hashrocket alignment
2016-07-01 09:05:03 -05:00
9663f88fdc
Download profile.zip instead of including it
...
profile.zip is GPL-licensed...
2016-07-01 01:17:23 -05:00
159446ce92
Ensure http_login scanner module saves passwds.
...
Fixes #6983 . When the auxiliary/scanner/http/http_login module discovers a successful basic auth user+password combination, make sure we properly store the password by specifically telling the credentials gem that the private data we're storing is a :password.
2016-06-30 16:58:39 -05:00
1401a61f59
Land #6998 , Fix #6984 Undefined method 'winver' in ms10_092_schelevator
2016-06-30 16:14:09 -05:00
3edb0b3625
Reduce chance to get a null byte in the decoder stub
2016-06-30 19:14:32 +02:00
31ea58d7f0
Inherit from Msf::Encoder::Xor to get key preventing badchars
...
I guess it what Msf::Encoder::Xor find_bad_keys is for.
2016-06-30 18:29:30 +02:00
1ecef265a1
Do a fail_with in case nonce is not found at all
2016-06-30 11:21:45 -05:00
e2b9225907
Fix #7022 , Failing to find wpnonce in fetch_ninja_form_nonce
...
This patch fixes a problem when the module is used against an older
version of ninja forms (such as 2.9.27), the nonce is found in a
hidden input instead of the JavaScript code, which actually causes
an undefined method 'gsub' bug in the module.
Fix #7022
2016-06-30 11:15:38 -05:00
afbeb2b668
Land #7023 , fixes for swagger exploit
...
Thanks @sdavis-r7!
See #7015 as well.
2016-06-30 10:54:34 -04:00
d1281b6594
Chmod to remove the exec bit.
2016-06-30 10:43:46 -04:00
068a4007de
Riverbed SteelCentral NetProfiler & NetExpress Exploit Module
...
Changes to be committed:
new file: modules/exploits/linux/http/riverbed_netprofiler_netexpress_exec.rb
2016-06-29 22:27:40 -04:00
8a777bec41
Forget to rename function after msftidy correction
2016-06-29 23:30:48 +02:00
c489c5ce3e
Add two x64 encoders to improve anti-virus evasion
2016-06-29 23:11:24 +02:00
68bd4e2375
Fire and forget the shell
...
Edge case where reverse_perl returns 302 when app is unconfigured.
2016-06-29 14:51:05 -05:00
3d93c55174
move sshfactory into a mixin method
...
use a convience method to DRY up creation
of the SSHFactory inside modules. This will make it easier
to apply changes as needed in future. Also changed msframework attr
to just framework as per our normal convention
MS-1688
2016-06-28 15:23:12 -05:00
4e63591ce8
Use the proper Author key, not Authors
2016-06-28 15:21:19 -05:00
ee2d1d4fdc
Merge branch 'master' into feature/MS-1688/net-ssh-cleanup
2016-06-28 15:00:35 -05:00
97f9ca4028
Merge branch 'master' into egypt/ruby-ntlm
2016-06-28 14:14:56 -05:00
d5d0b9e9b8
Revert "Land #6729 , Speed up the datastore"
...
This reverts commit c6b1955a5a4fb7472391
2016-06-28 13:39:52 -05:00
fcf8cda22f
Add basic module for CVE-2016-2098
...
ActionPack versions prior to 3.2.22.2, 4.1.14.2, and 4.2.5.2
implement unsafe dynamic rendering of inline content such that
passing ERB wrapped Ruby code leads to remote execution.
This module only implements the Ruby payloads, but can easily
be extended to use system calls to execute native/alternate
payload types as well.
Test Procedures:
Clone https://github.com/hderms/dh-CVE_2016_2098
Run bundle install to match gem versions to those in lockfile
Run the rails server and configure the metasploit module:
Set TARGETURI to /exploits
Configure payload and handler options
Execute the module, move on to post-exp
2016-06-28 03:28:16 -04:00
5f08591fef
Add Nagios XI exploit
2016-06-27 15:17:18 -05:00
2480781409
pesky pry.
2016-06-27 01:55:49 -04:00
c2b4e22b46
updated with discovered changes from k kali & documentation update changes requested.
2016-06-27 01:53:20 -04:00
058115c21f
Land #7015 , sdavis' swagger exploit
2016-06-24 16:13:51 -05:00
15a1a9ed71
Raise if payload.arch doesn't match expected
...
This is necessary when payload is a generic/* since we can't actually
figure out what we need the prefix/suffix to be because the generics are
a pain to extract the arch/platform info out of.
Also remove some unnecessary options.
2016-06-24 16:08:47 -05:00
409e26351b
remove test module
...
sponge left in patient
2016-06-24 15:12:47 -05:00
6c3871bd0c
update ssh modules to use new SSHFactory
...
updated all of our SSh based module to use the
new SSHFactory class to plug Rex::Sockets into
Net::SSH
MS-1688
2016-06-24 13:55:28 -05:00
5bc513d6cd
get ssh sessions working properly
...
ssh sessions now working correctly
MD-1688
2016-06-24 12:14:48 -05:00
9f280d714e
Land #6994 , NetBIOS Name Brute Force Spoofing modules
2016-06-23 17:54:51 -05:00
3fb9eae687
EOL space if a ruby devil.
2016-06-23 15:40:16 -07:00
b38b116c9a
@ePaul comments added to description.
2016-06-23 15:33:11 -07:00
08d08d2c95
Fix Java payload generator
2016-06-23 14:51:26 -05:00
464808d825
First, put the RC data in the module proper
2016-06-23 14:43:37 -05:00
92c70dab6f
Real array, and fix PHP
2016-06-23 13:22:21 -05:00
ffabf26593
No Automatic target.
2016-06-23 12:50:23 -05:00
7a36d03fe3
Trying multi arch
2016-06-23 12:34:51 -05:00
47674c77ad
chmod 644 swagger_param_inject.rb
2016-06-23 11:49:16 -04:00
fbd0bc4308
updated as per @egypt & @todb-r7 recommendations.
2016-06-23 11:41:54 -04:00
40d7de05ef
Fix Payload Generation
...
Payload generation now only occurs once and function 'setup_pay'
removed. Payload is generated with cmd_psh_payload and is mutated to
fit dropped text file.
2016-06-23 11:20:22 -04:00
fc79f3a2a9
Modify for only NodeJS
...
Not sure if we can do multiple arch's in the same module. Doesn't look
like it's possible today.
See rapid7#7015
2016-06-23 10:14:57 -05:00
579a3bcf7c
default payload is NOT text based, so do nothing with it.
2016-06-23 07:00:14 -07:00
47e4321424
CVE-2016-5641
2016-06-23 06:09:37 -07:00
048741660c
Land #6980 , Add ClamAV Remote Command Transmitter
2016-06-22 15:50:45 -05:00
3e94abe555
put net:ssh::commandstream back
...
this was apparently our own creation for doing
ssh sessions
MD-1688
2016-06-22 15:02:36 -05:00
6072697126
continued
2016-06-22 14:54:00 -05:00
140621ad9b
start to move to canonical net-ssh
...
removed vendored net::ssh
pulled in net:ssh gem
made Rex::Socket::SSHFactory clas to bridge rex sockets in
Renamed getpeername to getpeername-as_array to not override
core socket behaviour
MS-1688
2016-06-22 14:52:33 -05:00
de5152401a
Land #6992 , Add tiki calendar exec exploit
2016-06-22 11:18:14 -05:00
8697d3d6fb
Update tiki_calendar_exec module and documentation
2016-06-22 11:17:45 -05:00
07f7e5e148
Convert non-loginscanner MSSQL to rubyntlm
2016-06-22 10:15:22 -05:00
df1a9bee13
Move ps1, Use Env var, Fix license, New Cleanup
...
MS16-032 ps1 moved to external file. This ps1 will now detect windir
to find cmd.exe. The module now also detects windir to find
powershell.exe. The license is now BSD_LICENSE, and the required
copyright has been moved to the ps1. The previous optional cleanup stage
is now standard. The optional 'W_PATH' assignment is corrected to
select the user's variable unless 'W_PATH' is nil.
2016-06-22 09:25:48 -04:00
9cb57d78d7
updated check and docs that 14.2 may not be vuln
2016-06-21 16:48:09 -04:00
81f30ca962
Land #6966 , Microsoft Office Trusted Locations Enumeration
2016-06-21 21:45:39 +01:00
b9d0bcc193
Add MS16-032 Local Priv Esc Exploit to tree
...
This module will use the powershell port of ms16-032 created by
@FuzzySec. All payloads are pushed to a compress powershell script in a
plain text file on the disk to execute.
2016-06-21 14:56:12 -04:00
15a3d739c0
fix per wchen
2016-06-20 17:57:10 -04:00
3f9d0630ce
Merge remote-tracking branch 'upstream/pr/6955' into land-6955
2016-06-20 13:14:37 -05:00
e692e32dae
Land #6955 , DarkComet C2 Arbitrary File Download Exploit
2016-06-20 12:03:38 -05:00
c816af1e4d
Merge remote-tracking branch 'upstream/pr/6955' into land-6955
2016-06-20 12:00:19 -05:00
2b85b210e9
Fix #6984 , Undefined method 'winver' in ms10_092_schelevator
...
Fix #6984
2016-06-20 10:37:41 -05:00
95517b4a45
Avoid exception on missing key in prefs.
2016-06-20 09:26:10 -05:00
6cb2a6970e
Fix unused SessionType in two modules
...
Pretty sure it should be "shell."
2016-06-19 23:41:34 -05:00
856a4c7684
Reference BadTunnel (appropriate for the nat module)
2016-06-19 20:50:12 -05:00
6fe7698b13
follow redirect automatically
2016-06-19 20:24:54 -04:00
a84614f2c0
Whitespace only
2016-06-19 18:44:32 -05:00
ce7c6496dd
Rework to clarify that this a brute force spoof, unrelated to BadTunnel
2016-06-19 13:36:39 -05:00
3f25c27e34
2 void-in fixes of 3
2016-06-19 14:35:27 -04:00
ddfd015310
functionalized calendar call, updated docs
2016-06-19 08:53:22 -04:00
Brendan
wchen-r7
h00die
William Webb
James Lee
Brent Cook
Adam Cammack
David Maloney
agix
Clément Notin
Pedro Ribeiro
Hans Jerry Illikainen
Pearce Barry
Francesco
William Vu
Tod Beardsley
Louis Sato
RageLtMan
Scott Lee Davis
khr0x40sh
Meatballs
HD Moore