Commit Graph

5746 Commits (c7c1fcfa9860774c8850495d9bd09bbad9733369)

Author SHA1 Message Date
FireFart 84ec2cbf11 remove peer methods since it is already defined in Msf::Exploit::Remote::HttpClient 2013-09-25 23:42:44 +02:00
jvazquez-r7 58d4096e0f Resolv conflicts on #2267 2013-09-25 13:06:14 -05:00
jvazquez-r7 ff610dc752 Add vulnerability discoverer as author 2013-09-25 12:45:54 -05:00
jvazquez-r7 5c88ad41a8 Beautify nodejs_js_yaml_load_code_exec metadata 2013-09-25 12:44:34 -05:00
joev 99e46d2cdb Merge branch 'master' into cve-2013-4660_js_yaml_code_exec
Conflicts:
	modules/exploits/multi/handler.rb
2013-09-25 00:32:56 -05:00
Tod Beardsley d91cb85a31
Not actually a typo
Turns out, the object name is "CCaret," though we're talking about the
"caret." Confuz0ring!
2013-09-24 15:55:52 -05:00
Tod Beardsley ac1388368f
Typo in module name 2013-09-24 15:50:58 -05:00
jvazquez-r7 a50ab1ddd3
Land #2409, @xistence exploit for ZeroShell 2013-09-24 15:32:55 -05:00
jvazquez-r7 6c2063c9c0 Do not get a session on every execute_command call 2013-09-24 15:31:40 -05:00
jvazquez-r7 79ca123051 Use snake_case 2013-09-24 15:16:51 -05:00
jvazquez-r7 34b84395c1 Fix References field 2013-09-24 15:16:02 -05:00
Tod Beardsley 93486a627d Whoops on trailing commas 2013-09-24 15:14:11 -05:00
jvazquez-r7 adfacfbed1 Do not fail_with on method used from check 2013-09-24 15:08:48 -05:00
jvazquez-r7 4b6a646899 Fix typo 2013-09-24 15:06:35 -05:00
jvazquez-r7 f5cac304f4 Use default send_request_cgi timeout 2013-09-24 15:05:24 -05:00
William Vu 52a92a55ce Land #2394, ms13_005_hwnd_broadcast require fix 2013-09-24 13:43:21 -05:00
jvazquez-r7 ce4cf55d22
Land #2417, @todb-r7's change to Platform field to make ruby style compliant 2013-09-24 13:30:48 -05:00
William Vu 89222f4b16 Land #2416, OSVDB refs for arkeia_upload_exec 2013-09-24 13:22:24 -05:00
Tod Beardsley 3906d4a2ca Fix caps that throw msftidy warnings 2013-09-24 13:03:16 -05:00
Tod Beardsley c547e84fa7 Prefer Ruby style for single word collections
According to the Ruby style guide, %w{} collections for arrays of single
words are preferred. They're easier to type, and if you want a quick
grep, they're easier to search.

This change converts all Payloads to this format if there is more than
one payload to choose from.

It also alphabetizes the payloads, so the order can be more predictable,
and for long sets, easier to scan with eyeballs.

See:
  https://github.com/bbatsov/ruby-style-guide#collections
2013-09-24 12:33:31 -05:00
Tod Beardsley 081c279b61 Remove misleading comment 2013-09-24 11:42:31 -05:00
jvazquez-r7 d15f442e56 Add OSVDB references to arkeia_upload_exec 2013-09-24 08:48:28 -05:00
xistence 8b9adf6886 changes made to zeroshell_exec according to suggestions 2013-09-24 08:35:07 +07:00
Tod Beardsley 8db1a389eb
Land #2304 fix post module require order
Incidentally resolve conflict on current_user_psexec to account for the
new powershell require.
2013-09-23 16:52:23 -05:00
Tod Beardsley 2656c63459 Knock out a Unicode character 2013-09-23 14:22:11 -05:00
Tod Beardsley 99f145cbff Don't split the post requires 2013-09-23 14:02:43 -05:00
Tod Beardsley 4bff8f2cdc Update descriptions for clarity. 2013-09-23 13:48:23 -05:00
William Vu a46ac7533d Land #2407, require fix for current_user_psexec 2013-09-23 11:57:19 -05:00
jvazquez-r7 1fc849bdd5 Land #2188, @m-1-k-3's module for OSVDB 90221 2013-09-23 11:44:43 -05:00
jvazquez-r7 71d74655f9 Modify description 2013-09-23 11:44:04 -05:00
xistence 6429219a1d added ZeroShell RC2 RCE 2013-09-22 15:13:55 +07:00
jvazquez-r7 8417b916c7 Complete MS13-071 Information 2013-09-21 21:22:34 -05:00
darknight007 6b06ed0df1 Update current_user_psexec.rb 2013-09-22 03:07:17 +05:00
Joe Vennix a08d195308 Add Node.js as a platform.
* Fix some whitespace issues in platform.rb
2013-09-20 18:14:01 -05:00
Joe Vennix 49f15fbea4 Removes PayloadType from exploit module. 2013-09-20 18:01:55 -05:00
sinn3r 8381bf8646 Land #2404 - Add powershell support for current_user_psexec 2013-09-20 17:14:55 -05:00
sinn3r 96364c78f8 Need to catch RequestError too
Because a meterpreter session may throw that
2013-09-20 17:13:35 -05:00
jvazquez-r7 59a201a8d3 Land #2334, @tkrpata and @jvennix-r7's patch for sudo_password_bypass 2013-09-20 17:01:19 -05:00
jvazquez-r7 fb8d0dc887 Write the return 2013-09-20 17:00:07 -05:00
Meatballs 6e69fe48bf Undo psexec changes 2013-09-20 22:30:00 +01:00
Meatballs 2591be503b Psh support 2013-09-20 22:07:42 +01:00
Meatballs 15885e4ef6 Change static x value 2013-09-20 20:31:14 +01:00
Meatballs ee365a6b64 Some liberal sleeping 2013-09-20 19:33:27 +01:00
jvazquez-r7 29649b9a04 Land #2388, @dummys's exploit for CVE-2013-5696 2013-09-20 13:03:01 -05:00
jvazquez-r7 8922d0fc7f Fix small bugs on glpi_install_rce 2013-09-20 13:01:41 -05:00
jvazquez-r7 b24ae6e80c Clean glpi_install_rce 2013-09-20 12:58:23 -05:00
Meatballs 7d1c5c732a Correct powershell 2013-09-20 18:36:24 +01:00
sinn3r bb7b57cad9 Land #2370 - PCMAN FTP Server post-auth stack buffer overflow 2013-09-20 12:29:10 -05:00
sinn3r feb76ea767 Modify check
Since auth is required, check function needs to look into that too
2013-09-20 12:28:21 -05:00
sinn3r 2d6c76d0ad Rename pcman module
Because this is clearly a msf module, we don't need 'msf' as a
filename. The shorter the better.
2013-09-20 12:18:24 -05:00
sinn3r 6690e35761 Account for username length
Username is part of the overflowing string, need to account for that
2013-09-20 12:17:34 -05:00
sinn3r 9d67cbb4db Retabbed 2013-09-20 11:58:53 -05:00
Meatballs 9819566d94 Nearly 2013-09-20 17:18:14 +01:00
sinn3r 85152c4281 Land #2400 - Add OSVDB reference for openemr_sqli_privesc_upload 2013-09-20 10:39:06 -05:00
jvazquez-r7 6f5e528699 Remove author, all the credits go to corelanc0der and sinn3r 2013-09-20 10:27:37 -05:00
sinn3r 83f54d71ea Add MS13-069 (CVE-2013-3205) IE ccaret object use-after-free
This module exploits a use-after-free vulnerability found in Internet Explorer,
specifically in how the browser handles the caret (text cursor) object. In IE's
standards mode, the caret handling's vulnerable state can be triggered by first
setting up an editable page with an input field, and then we can force the caret
to update in an onbeforeeditfocus event by setting the body's innerHTML property.
In this event handler, mshtml!CCaret::`vftable' can be freed using a document.write()
function, however, mshtml!CCaret::UpdateScreenCaret remains unaware aware of this
change, and still uses the same reference to the CCaret object. When the function
tries to use this invalid reference to call a virtual function at offset 0x2c, it
finally results a crash. Precise control of the freed object allows arbitrary code
execution under the context of the user.

The vuln works against IE8 on Win 7, but the current version of the custom spray
doesn't actually work well against that target. More work is needed before we can
add that target for sure.  The reason a custom spray is needed is because the
document.write() function erases the typical spray routines we use like
js_property_spray, or the heaplib + substring one.  Tried using an iframe too,
but onbeforeeditfocus event doesn't seem to work well in an iframe (does not
fire when innerHTML is used.)
2013-09-20 10:20:35 -05:00
jvazquez-r7 bad6f2279d Add OSVDB reference for openemr_sqli_privesc_upload 2013-09-20 09:41:23 -05:00
Meatballs a00f3d8b8e initial 2013-09-20 13:40:28 +01:00
dummys 032b9115a0 removed the old exploit 2013-09-20 10:53:52 +02:00
dummys 187ab16467 many change in the code and replace at the correct place the module 2013-09-20 10:45:10 +02:00
Rick Flores (nanotechz9l) 7d17eef7a7 Updated several msftidy [WARNING] Spaces at EOL issues. 2013-09-19 20:35:08 -07:00
sinn3r 955365d605 Land #2391 - MS13-071 Microsoft Windows Theme File Handling Vulnerability 2013-09-19 22:21:09 -05:00
sinn3r 0eb838156b Land #2390 - Use payload.encoded because BadChars are defined 2013-09-19 22:10:55 -05:00
sinn3r 9598853fee Land #2389 - Fix use of Rex sockets from dlink modules 2013-09-19 22:09:53 -05:00
sinn3r 8d70a9d893 Add more refs 2013-09-19 22:05:23 -05:00
Joe Vennix 137b3bc6ea Fix whitespace issues. 2013-09-19 17:29:11 -05:00
Joe Vennix bd96c6c093 Adds module for CVE-2013-3568. 2013-09-19 17:26:30 -05:00
jvazquez-r7 46a241b168 Fix my own cleanup 2013-09-19 14:51:22 -05:00
dummys 08c7b49be0 corrected too much if 2013-09-19 21:47:01 +02:00
jvazquez-r7 31903be393 Land #2380, @xistence exploit for EDB 28329 2013-09-19 14:42:27 -05:00
jvazquez-r7 cb737525b1 Final cleanup for openemr_sqli_privesc_upload 2013-09-19 14:40:57 -05:00
jvazquez-r7 76e170513d Do first clean on openemr_sqli_privesc_upload 2013-09-19 14:36:25 -05:00
jvazquez-r7 cf0375f7e6 Fix check return value 2013-09-19 14:17:45 -05:00
dummys 862a8fb8aa corrected indentation bug again 2013-09-19 20:27:23 +02:00
jvazquez-r7 9b486e1dbb Add comment about the smb_* methods 2013-09-19 13:23:46 -05:00
dummys ce8e94b5fe corrected indentation bug 2013-09-19 20:14:07 +02:00
jvazquez-r7 bf0f4a523f Land #2381, @xistence exploit for EDB 28330 2013-09-19 13:06:41 -05:00
jvazquez-r7 c63423ad69 Update code comment 2013-09-19 13:03:55 -05:00
jvazquez-r7 6073e6f2dc Fix use of normalize_uri 2013-09-19 12:59:37 -05:00
jvazquez-r7 b4fa535f2b Fix usage of fail_with 2013-09-19 12:45:29 -05:00
jvazquez-r7 1aba7550f9 Fix check indentation 2013-09-19 12:44:11 -05:00
jvazquez-r7 1f7c3d82c1 Refactor easy methods 2013-09-19 12:42:38 -05:00
jvazquez-r7 891a54aad7 Fix metadata 2013-09-19 12:41:13 -05:00
jvazquez-r7 1a00cce8a9 Clean up 2013-09-19 11:51:07 -05:00
William Vu 628cfe8e67 Land #2393, tape_engine_8A filename disambiguation 2013-09-19 10:31:40 -05:00
Tod Beardsley ef72b30074 Include the post requires until #2354 lands
Another one that needs the manual require. See #2354
2013-09-19 09:47:01 -05:00
Tod Beardsley fb72e7f02a Disambiguate tape_engine_8A as tape_engine_0x8a
This will reopen #2358 to avoid filename collisions on Windows, Rubymine
environments, etc.
2013-09-19 09:35:31 -05:00
Rick Flores (nanotechz9l) 058e0fdd80 Changed ret to push esp C:\WINDOWS\system32\msvcrt.dll 2013-09-19 07:21:51 -07:00
dummys f9617e351d corrected Integer() 2013-09-19 16:04:20 +02:00
jvazquez-r7 926ddf35bc Fix possible collisions on binding port and handle rex socket 2013-09-19 08:23:25 -05:00
James Lee 8fe9132159
Land #2358, deprecate funny names 2013-09-18 14:55:33 -05:00
Rick Flores (nanotechz9l) 766e96510d Added minor indentation updates 2013-09-18 12:12:35 -07:00
jvazquez-r7 60d448f600 Add minor cleanup 2013-09-18 14:10:13 -05:00
Rick Flores (nanotechz9l) db8881966e Merge remote-tracking branch 'upstream/master' 2013-09-18 12:02:01 -07:00
jvazquez-r7 68647c7363 Add module for MS13-071 2013-09-18 13:40:35 -05:00
jvazquez-r7 accad24f31 Use payload.encoded because BadChars are defined 2013-09-18 13:03:35 -05:00
jvazquez-r7 61ab0e245c Add Context to rex sockets plus track them with add_socket 2013-09-18 12:39:08 -05:00
jvazquez-r7 1988085a94 Fix possible port conflict 2013-09-18 12:24:36 -05:00
Tod Beardsley 8728a9a3b7 Bumping out deprecation date
Pray I don't alter the deprecation date further.
2013-09-18 11:00:35 -05:00
dummys bc57c9c6ec corrected some codes requested by Meatballs 2013-09-18 17:55:36 +02:00
dummys 3366c3aa77 CVE-2013-5696 RCE for GLPI 2013-09-18 16:11:32 +02:00
xistence adc1bd9c65 changes made to astium_sqli_upload based on suggestions 2013-09-18 16:52:31 +07:00
xistence 65ee8c7d5c changed openemr_sqli_privesc_upload according to suggestions 2013-09-18 12:38:20 +07:00
Rick Flores (nanotechz9l) 6cbe371381 minor change 2013-09-17 20:33:46 -07:00
xistence d6a1182bd4 changes to arkeia_upload_exec to comply with r7 suggestions #2 2013-09-18 08:24:40 +07:00
xistence 24a671b530 changes to arkeia_upload_exec to comply with r7 suggestions 2013-09-18 08:10:58 +07:00
Rick Flores (nanotechz9l) 0052f9712b Updated hard tabs per new requirement 2013-09-17 17:42:01 -07:00
James Lee 9a555d8701 Fix the modules added since the branch 2013-09-17 18:25:12 -05:00
James Lee 150f0f644e Merge branch 'rapid7' into bug/osx-mods-load-order
Conflicts:
	modules/post/windows/gather/enum_dirperms.rb
2013-09-17 18:21:13 -05:00
xistence 82aa3f97b0 added Astium confweb 25399 RCE 2013-09-17 12:32:10 +07:00
Joe Vennix 5fc724bced Kill explanatory comment. 2013-09-16 21:34:38 -05:00
Joe Vennix 2c47e56d90 Adds module for yaml code exec. 2013-09-16 21:33:57 -05:00
Rick Flores (nanotechz9l) 52a1b5fa57 updated pcman_stor_msf.rb module with community feedback. 2013-09-16 17:43:10 -07:00
Rick Flores (nanotechz9l) 226a75b5da updated pcman_stor_msf.rb module with community feedback. 2013-09-16 17:37:29 -07:00
Tod Beardsley b4b7cecaf4 Various minor desc fixes, also killed some tabs. 2013-09-16 15:50:00 -05:00
Tod Beardsley f89af79223 Correct OSVDB for sophos sblistpack exploit 2013-09-16 15:41:50 -05:00
Rick Flores (nanotechz9l) d4f2e72b9c updated module to include msftidy.rb 2013-09-16 12:46:13 -07:00
Rick Flores (nanotechz9l) 82e3910959 added PCMan's FTP Server Crafted Multiple Command Handling Remote Buffer Overflow (OSVDB 94624) 2013-09-16 12:40:36 -07:00
Rick Flores (nanotechz9l) 92cf886e49 updated module to include msftidy.rb 2013-09-16 12:38:00 -07:00
Rick Flores 4c83336944 Delete pcman_stor_msf.rb
delete because of commit issues.
2013-09-16 12:25:39 -07:00
Joe Vennix e1e1cab797 Module gets me a shell, yay 2013-09-16 13:37:16 -05:00
Rick Flores (nanotechz9l) f657f4d145 added PCMan's FTP Server Crafted Multiple Command Handling Remote Buffer Overflow (OSVDB 94624) 2013-09-16 09:57:27 -07:00
jvazquez-r7 c18c41d8ea Don't hidde exceptions 2013-09-16 09:26:13 -05:00
jvazquez-r7 86e5163cad Fix Indentation and cleanup 2013-09-16 09:19:26 -05:00
jvazquez-r7 62cf9cb07c Retab changes for PR #2188 2013-09-16 09:09:16 -05:00
jvazquez-r7 842dba20b9 Merge for retab 2013-09-16 09:08:36 -05:00
xistence af873b7349 added OpenEMR 4.1.1 Patch 14 SQLi Privesc Upload RCE 2013-09-16 16:19:35 +07:00
xistence b2b629f932 added WD Arkeia Appliance RCE 2013-09-16 14:38:50 +07:00
sinn3r 67cd62f306 Land #2366 - HP ProCurve Manager SNAC UpdateCertificatesServlet File Upload 2013-09-16 01:44:23 -05:00
jvazquez-r7 54e9cd81f3 Add module for ZDI-13-226 2013-09-13 17:31:51 -05:00
jvazquez-r7 10303a8c2a Delete debug print_status 2013-09-13 17:05:23 -05:00
jvazquez-r7 dca4351303 Add check function 2013-09-13 16:51:14 -05:00
jvazquez-r7 f7c4e081bb Add module for ZDI-13-225 2013-09-13 16:40:28 -05:00
Tod Beardsley b2ba4b445f
Land #2362, update description 2013-09-13 12:56:04 -05:00
sinn3r 4847976995 Update information about original discovery
Update info about original discovoery. See #2337 too.
2013-09-13 10:42:11 -05:00
jvazquez-r7 c665f41cd6 Fix description 2013-09-13 09:09:14 -05:00
Tod Beardsley 76f27ecde8 Require the deprecation mixin in all modules
Because rememberin to require it, and hoping against a race is not how we
roll any more.
2013-09-12 15:49:33 -05:00
Tod Beardsley 761042f14b require the deprecated mixin 2013-09-12 15:42:01 -05:00
Tod Beardsley 968f299772 Deprecate A-PDF exploit for filename change
See PT 56796034
See PT 56795804
2013-09-12 15:30:26 -05:00
sinn3r ac90cd1263 Land #2248 - Fix dlink upnp exec noauth 2013-09-12 15:10:20 -05:00
James Lee 58b634dd27 Remove unnecessary requires from post mods 2013-09-12 14:36:01 -05:00
sinn3r 34383661cb Land #2351 - Agnitum Outpost Internet Security Local Privilege Escalation 2013-09-12 14:21:05 -05:00
sinn3r 5aa6a0dd6b Land #2346 - Sophos Web Protection Appliance sblistpack Arbitrary Command Execution 2013-09-12 14:19:02 -05:00
sinn3r f42e6e8bca Land #2345 - Sophos Web Protection Appliance clear_keys.pl Local Privilege Escalation 2013-09-12 14:17:24 -05:00
sinn3r 8db66aeb98 Yes, clearly it is. 2013-09-12 14:16:34 -05:00
sinn3r d781f447db Merge branch 'pr2345' into upstream-master 2013-09-12 14:15:18 -05:00
Tod Beardsley d47de46d94 Deprecate brightstor/tape_engine_8A
This module is getting renamed to 8a, instead of 8A.
2013-09-12 13:59:44 -05:00
jvazquez-r7 9ad1be7318 Make junk easier 2013-09-11 09:33:01 -05:00
jvazquez-r7 825eb9d1ca Add module for OSVDB 96208 2013-09-11 00:11:00 -05:00
jvazquez-r7 4f1db80c24 Fix requires in new post modules 2013-09-10 11:13:07 -05:00
jvazquez-r7 bf40dc02ce Add module for CVE-2013-4984 2013-09-09 23:27:24 -05:00
jvazquez-r7 c3ff9a03d8 Add module for CVE-2013-4983 2013-09-09 23:26:10 -05:00
Tod Beardsley aff35a615b Grammar fixes in descriptions 2013-09-09 15:09:53 -05:00
jvazquez-r7 791b6f69c2 Land #2337, @wchen-r7's exploit for MS13-055 2013-09-09 11:12:03 -05:00
sinn3r 0ee0168556 Retabbed
One kills a man, one is an assassin; one kills millions, one is a
conqueror; one kills a tab, one is a Metasploit dev.
2013-09-09 10:01:01 -05:00
sinn3r 6ab905e9e0 Less alignment 2013-09-09 09:39:02 -05:00
sinn3r 992bdcf530 Not from the future 2013-09-09 00:36:28 -05:00
sinn3r c3db41334b Add MS13-055 Internet Explorer Use-After-Free Vulnerability
In IE8 standards mode, it's possible to cause a use-after-free condition by first
creating an illogical table tree, where a CPhraseElement comes after CTableRow,
with the final node being a sub table element. When the CPhraseElement's outer
content is reset by using either outerText or outerHTML through an event handler,
this triggers a free of its child element (in this case, a CAnchorElement, but
some other objects apply too), but a reference is still kept in function
SRunPointer::SpanQualifier. This function will then pass on the invalid reference
to the next functions, eventually used in mshtml!CElement::Doc when it's trying to
make a call to the object's SecurityContext virtual function at offset +0x70, which
results a crash. An attacker can take advantage of this by first creating an
CAnchorElement object, let it free, and then replace the freed memory with another
fake object. Successfully doing so may allow arbitrary code execution under the
context of the user.

This bug is specific to Internet Explorer 8 only. It was originally discovered by
Orange Tsai at Hitcon 2013, but was silently patched in the July 2013 update, so
no CVE as of now.
2013-09-08 20:02:23 -05:00
Joe Vennix 3da9c4a685 Cleans up timeouts, wait before dropping payload, actually call #cleanup#super to kill the dropped file 2013-09-06 13:05:17 -05:00
Tyler Krpata 2aed293d9a Handle locked date and time preference pane
If the date and time preference pane is locked, effects are:
1. systemsetup takes 30 seconds to return
    added a 30-second timeout to cmd_exec
2. Unable to change system date and time settings
    added additional check to see if date change was successful
2013-09-06 10:17:09 -04:00
jvazquez-r7 7d4bf0c739 Retab changes for PR #2327 2013-09-05 23:25:41 -05:00
jvazquez-r7 34b499588b Merge for retab 2013-09-05 23:24:22 -05:00
Meatballs 473f08bbb6 Register cleanup and update check 2013-09-05 22:43:26 +01:00
Meatballs 400b433267 Sort out exception handling 2013-09-05 22:21:44 +01:00
Tyler Krpata 07060e4e69 Add return in check 2013-09-05 16:57:47 -04:00
Meatballs d4043a6646 Spaces and change to filedropper 2013-09-05 20:41:37 +01:00
Meatballs c5daf939d1 Stabs tabassassin 2013-09-05 20:36:52 +01:00
Tab Assassin f780a41f87 Retab changes for PR #2248 2013-09-05 14:12:24 -05:00
Tab Assassin 554d1868ce Merge for retab 2013-09-05 14:12:18 -05:00
Tab Assassin f5a4c05dbc Retab changes for PR #2267 2013-09-05 14:11:03 -05:00
Tab Assassin 4703a10b64 Merge for retab 2013-09-05 14:10:58 -05:00
Tab Assassin d0360733d7 Retab changes for PR #2282 2013-09-05 14:05:34 -05:00
Tab Assassin 49dface180 Merge for retab 2013-09-05 14:05:28 -05:00
Meatballs 9787bb80e7 Address @jlee-r7's feedback 2013-09-05 19:57:05 +01:00
jvazquez-r7 206b52ea30 Land #2325, @jlee-r7's Linux PrependFork addition 2013-09-05 13:50:59 -05:00
Tab Assassin 845bf7146b Retab changes for PR #2304 2013-09-05 13:41:25 -05:00
Tab Assassin adf9ff356c Merge for retab 2013-09-05 13:41:23 -05:00
jvazquez-r7 86ceadc53d Fix target description 2013-09-05 13:37:01 -05:00
jvazquez-r7 d43326d0f4 Check 302 while checking too 2013-09-05 13:36:35 -05:00
jvazquez-r7 ab83a12354 Check 302 on anonymous access too 2013-09-05 13:35:52 -05:00
Tab Assassin 896bb129cd Retab changes for PR #2325 2013-09-05 13:24:09 -05:00
Tab Assassin 5ff25d8b96 Merge for retab 2013-09-05 13:23:25 -05:00
Tab Assassin c9c6f84668 Retab changes for PR #2328 2013-09-05 13:16:15 -05:00
Tab Assassin 9bdc274904 Merge for retab 2013-09-05 13:15:07 -05:00
James Lee 50c6f26329 Don't deregister PrependFork 2013-09-05 10:50:36 -05:00
jvazquez-r7 5c06a471f9 Get the call result 2013-09-05 08:33:35 -05:00
jvazquez-r7 3681955f68 Use Msf::Config.data_directory 2013-09-05 08:28:50 -05:00
jvazquez-r7 6b1d7545d6 Refactor, avoid duplicate code 2013-09-05 08:26:49 -05:00
jgor 84e4b42f6b allow 302 redirects 2013-09-04 16:59:42 -05:00
jgor 66d5af5a11 remove dependency on tmpl=component 2013-09-04 16:58:49 -05:00
jvazquez-r7 b6245eea72 Update target info 2013-09-04 16:43:26 -05:00
jvazquez-r7 34b3ee5e17 Update ranking and description 2013-09-04 16:10:15 -05:00
jvazquez-r7 94125a434b Add module for ZDI-13-205 2013-09-04 15:57:22 -05:00
James Lee b913fcf1a7 Add a proper PrependFork for linux
Also fixes a typo bug for AppendExit
2013-09-04 00:15:07 -05:00
Meatballs 3066e7e19d ReverseConnectRetries ftw 2013-09-04 00:16:19 +01:00
Meatballs a8e77c56bd Updates 2013-09-03 22:46:20 +01:00
Meatballs ac0c493cf9 Merge branch 'master' of github.com:rapid7/metasploit-framework into local_win_priv_keyring 2013-09-03 21:33:11 +01:00
Tab Assassin 84aaf2334a Retab new material 2013-09-03 11:47:26 -05:00
Tab Assassin 0c1e6546af Update from master 2013-09-03 11:45:39 -05:00
Tod Beardsley ca8dacb93b Minor module description updates for grammar. 2013-09-03 10:31:45 -05:00
sinn3r ac0b14e793 Add the missing CVE reference
Was looking at all the 2013 exploit modules for missing CVE references
2013-08-31 18:54:16 -05:00
sinn3r 0736677a01 Land #2299 - Add powershell support & removes ADODB.Stream requirement 2013-08-31 00:32:23 -05:00
sinn3r c4aa557364 Land #2292 - Fix the way to get a session over a telnet connection 2013-08-31 00:29:25 -05:00
Tab Assassin 41e4375e43 Retab modules 2013-08-30 16:28:54 -05:00
jvazquez-r7 5b32c63a42 Land #2308, @wchen-r7's exploit for MS13-059 2013-08-30 10:59:36 -05:00
jvazquez-r7 ea8cd2dc46 Update authors list 2013-08-30 10:52:39 -05:00
sinn3r a283f1d4fa Correct module title 2013-08-30 10:50:35 -05:00
sinn3r f4e09100bd Correct file name 2013-08-30 10:50:05 -05:00
sinn3r 38dbab9dd0 Fix typos 2013-08-30 10:43:26 -05:00
sinn3r 7401f83d8e Land #2305 - HP LoadRunner lrFileIOService ActiveX WriteFileString Bug 2013-08-30 03:23:47 -05:00
sinn3r 0a1b078bd8 Add CVE-2013-3184 (MS13-058) CFlatMarkupPointer Use After Free
Please see module description for more info.
2013-08-30 03:16:28 -05:00
jvazquez-r7 657be3a3d9 Fix typo 2013-08-29 14:42:59 -05:00
jvazquez-r7 4a6bf1da7f Add module for ZDI-13-207 2013-08-29 14:09:45 -05:00
James Lee 63adde2429 Fix load order in posts, hopefully forever 2013-08-29 13:37:50 -05:00
Tod Beardsley 7b9314763c Add the require boilerplate
Fixes a bug that sometimes comes up with load order on this module. I
know @jlee-r7 is working on a better overall solution but this should
solve for the short term.

Note, since the problem is practically machine-specific. @jlee-r7
suggested rm'ing all modules but the one under test. Doing that exposes
the bug, and I've verified this fix in that way.
2013-08-29 13:03:11 -05:00
Meatballs a12f5092dd Encode the powershell cmd 2013-08-28 22:37:11 +01:00
Meatballs aa0563244b Update unsafe scripting module 2013-08-28 22:30:46 +01:00
James Lee feae4a41e7 I don't like end-of-line comments 2013-08-28 12:42:26 -05:00
sinn3r 57c7d0679a Land #2295 - Add platform info 2013-08-28 10:38:50 -05:00
jvazquez-r7 26531dbaa7 Land #2100, @ddouhine's exploit for OSVDB 83543 2013-08-28 08:55:59 -05:00
jvazquez-r7 ab572d7d72 Fix Authors metadata section 2013-08-28 08:53:48 -05:00
Vlatko Kosturjak b702a0d353 Fix "A payload has not been selected."
Since platform definition is missing, exploitation fails.
2013-08-28 12:53:08 +02:00
jvazquez-r7 0bfc12ada1 Fix the way to get a session over a telnet connection 2013-08-27 11:38:49 -05:00
sinn3r b0226cab79 Land #2290 - HP LoadRunner lrFileIOService ActiveX Vulnerability 2013-08-27 11:19:43 -05:00
sinn3r 2e4e3fdbe6 Land #2237 - Fix check function 2013-08-27 11:11:54 -05:00
jvazquez-r7 997c5e5516 Land #2291, @todb-r7's patch for oracle_endeca_exec's requires 2013-08-27 11:01:21 -05:00
Tod Beardsley 15b741bb5f Require the powershell mixin explicitly 2013-08-27 10:36:51 -05:00
jvazquez-r7 f59f57e148 Randomize object id 2013-08-27 10:35:06 -05:00
jvazquez-r7 66fa1b41aa Fix logic to spray correctly IE9 2013-08-27 09:57:55 -05:00
g0tmi1k 7efe85dbd6 php_include - added @wchen-r7's code improvements 2013-08-27 14:00:13 +01:00
jvazquez-r7 93c46c4be5 Complete the Author metadata 2013-08-26 23:29:16 -05:00
jvazquez-r7 8efe2d9206 Land #2289, @jlee-r7's exploit for CVE-2013-1662 2013-08-26 23:27:19 -05:00
jvazquez-r7 e1e889131b Add references and comments 2013-08-26 23:26:13 -05:00
James Lee 63786f9e86 Add local exploit for taviso's vmware privesc 2013-08-26 21:06:40 -05:00
sinn3r 7a4d781538 Land #2274 - Firefox XMLSerializer Use After Free 2013-08-26 20:53:42 -05:00
violet 4cbdf38377 updated contact info
MASTER OF DISASTER

ULTRA LASER

:::::::-.  :::::::..        :::::::-.      ...         ...     .        :
 ;;,   `';,;;;;``;;;;        ;;,   `';, .;;;;;;;.   .;;;;;;;.  ;;,.    ;;;
 `[[     [[ [[[,/[[['        `[[     [[,[[     \[[,,[[     \[[,[[[[, ,[[[[,
  $$,    $$ $$$$$$c           $$,    $$$$$,     $$$$$$,     $$$$$$$$$$$"$$$
  888_,o8P' 888b "88bo,d8b    888_,o8P'"888,_ _,88P"888,_ _,88P888 Y88" 888o
  MMMMP"`   MMMM   "W" YMP    MMMMP"`    "YMMMMMP"   "YMMMMMP" MMM  M'  "MMM
2013-08-26 16:14:49 -07:00
Tod Beardsley 6b15a079ea Update for grammar in descriptions on new modules. 2013-08-26 14:52:51 -05:00
jvazquez-r7 252f48aeee Land #2272, @jvennix-r7's exploit for CVE-2013-1775 2013-08-26 13:21:58 -05:00
jvazquez-r7 0baaf989fb Delete on_new_session cleanup, as discusses with @jlee-r7 2013-08-26 13:20:43 -05:00
Meatballs 05f1622fcb Fix require 2013-08-26 16:21:18 +01:00
Meatballs 3b9ded5a8e BypassUAC now checks if the process is LowIntegrityLevel
and fails if so. Some small improvements made to Post::Priv
and BypassUAC module.
2013-08-26 13:54:55 +01:00
jvazquez-r7 f8d1d29648 Add module for ZDI-13-182 2013-08-25 23:07:08 -05:00
Christian Mehlmauer 45ad043102 moderated comments are now also working (even for unauthenticated users) 2013-08-25 11:02:15 +02:00
Christian Mehlmauer 035258389f use feed first before trying to bruteforce 2013-08-25 10:16:43 +02:00
Joe Vennix 757886bece Remove some extra wip files. 2013-08-24 14:52:52 -05:00
Joe Vennix 29320f5b7f Fix vn refs. Add juan as an @author. 2013-08-24 13:07:35 -05:00
jvazquez-r7 5b812b0c22 Add references 2013-08-24 12:12:21 -05:00
jvazquez-r7 b4ad8c8867 Beautify module 2013-08-24 12:08:38 -05:00
Joe Vennix 0e116730a1 Polishing module. Tested on 10.8, 10.8.2, and 10.8.4. 2013-08-24 12:01:38 -05:00
Christian Mehlmauer 9af1341179 consistent naming 2013-08-24 18:51:07 +02:00