Commit Graph

876 Commits (ccf7314c8f7934b836d38d6440c2242521b8c9ac)

Author SHA1 Message Date
Tod Beardsley 36db6a4d59
Land #2616, SuperMicro close_window BOF 2013-11-15 11:34:53 -06:00
Chris John Riley 5bd5eacd77 Added option to ignore banner checks 2013-11-15 15:01:11 +01:00
William Vu 2c485c509e Fix caps on module titles (first pass) 2013-11-15 00:03:42 -06:00
Tod Beardsley 2035983d3c
Fix a handful of msftidy warnings, and XXX SSL
Marked the SSL stuff as something that needs to be resolved in order to
fix a future bug in datastore manipulation. Also, fixed some whitespace
and exec complaints

[SeeRM #8498]
2013-11-11 21:23:35 -06:00
jvazquez-r7 40f8e80775 Fix jlee-r7's feedback 2013-11-08 14:28:19 -06:00
jvazquez-r7 b7e360922d Update ranking 2013-11-07 15:10:26 -06:00
jvazquez-r7 decf6ff6a0 Add module for CVE-2013-3623 2013-11-07 14:59:40 -06:00
James Lee 9e30c58495 Blow away remnants of Local::Unix 2013-11-05 13:51:45 -06:00
James Lee 36f96d343e Revert "Revert "Land #2505" to resolve new rspec fails"
This reverts commit e7d3206dc9.
2013-11-05 13:45:00 -06:00
jvazquez-r7 c92e8ff98d Delete extra space 2013-10-30 19:34:54 -05:00
Tod Beardsley 9045eb06b0
Various title and description updates 2013-10-28 14:00:19 -05:00
jvazquez-r7 dd094eee04 Use 443 by default with SSL 2013-10-24 16:30:26 -05:00
jvazquez-r7 72f686d99a Add module for CVE-2013-2751 2013-10-24 16:10:32 -05:00
William Vu 2aed8a3aea Update modules to use new ZDI reference 2013-10-21 15:13:46 -05:00
sinn3r 032da9be10
Land #2426 - make use of Msf::Config.data_directory 2013-10-21 13:07:33 -05:00
Tod Beardsley e7d3206dc9
Revert "Land #2505" to resolve new rspec fails
This reverts commit 717dfefead, reversing
changes made to 6430fa3354.
2013-10-21 12:47:57 -05:00
sinn3r cacaf40276
Land #2542 - D-Link DIR-605L Captcha Handling Buffer Overflow 2013-10-21 12:03:07 -05:00
sinn3r 9bfd98b001 Change plate 2013-10-21 11:54:42 -05:00
William Vu 717dfefead
Land #2505, missing source fix for sock_sendpage 2013-10-21 11:47:55 -05:00
jvazquez-r7 7dd39ae5e6 Update ranking 2013-10-17 22:43:47 -05:00
jvazquez-r7 a00a813649 Add real device libraries base addresses 2013-10-17 22:34:54 -05:00
jvazquez-r7 3d3a7b3818 Add support for OSVDB 86824 2013-10-17 01:08:01 -05:00
Tod Beardsley ba2c52c5de
Fixed up some more weird splat formatting. 2013-10-16 16:25:48 -05:00
Tod Beardsley ed0b84b7f7
Another round of re-splatting. 2013-10-15 14:14:15 -05:00
Tod Beardsley c83262f4bd
Resplat another common boilerplate. 2013-10-15 14:07:48 -05:00
Tod Beardsley 23d058067a
Redo the boilerplate / splat
[SeeRM #8496]
2013-10-15 13:51:57 -05:00
Tod Beardsley 63e40f9fba
Release time fixes to modules
* Period at the end of a description.
  * Methods shouldn't be meth_name! unless the method is destructive.
  * "Setup" is a noun, "set up" is a verb.
  * Use the clunky post module naming convention.
2013-10-14 15:17:39 -05:00
jvazquez-r7 75aaded842
Land #2471, @pyoor's exploit for CVE-2013-5743 2013-10-14 14:03:28 -05:00
jvazquez-r7 a6f17c3ba0 Clean zabbix_sqli 2013-10-14 14:01:58 -05:00
Joe Barrett d929bdfaab Re-fixing 8419, consistency is important. 2013-10-12 08:09:19 -04:00
James Lee dfe74ce36c Factorize sock_sendpage 2013-10-11 13:40:01 -05:00
pyoor 171b70fa7c Zabbix v2.0.8 SQLi and RCE Module
Conflicts:
	modules/exploits/linux/http/zabbix_sqli.rb

Commit completed version of zabbix_sqli.rb
2013-10-10 22:50:02 -04:00
James Lee b9b2c82023 Add some entropy
* Random filename
* Stop shipping debug strings to the exploit executable

Also makes the writable path configurable, so we don't always have to
use /tmp in case it is mounted noexec, etc.
2013-10-10 18:18:01 -05:00
Meatballs 9ca9b4ab29
Merge branch 'master' into data_dir
Conflicts:
	lib/msf/core/auxiliary/jtr.rb
2013-10-10 19:55:26 +01:00
James Lee 947925e3a3 Use a proper main signature with arguments
Allows us to `unlink(argv[0])`
2013-10-09 17:22:01 -05:00
James Lee c251596f0b Fix some bugs in preparation for factorizing
* Stop removing \x0a characters with String#scan, which of course breaks
  the shellcode
* Fork so the original session continues to work
2013-10-09 16:03:40 -05:00
Winterspite 0acb170ee8 Bug #8419 - Added platform info missing on exploits 2013-10-08 22:41:50 -04:00
joev 4ba001d6dd Put my short name to prevent conflicts. 2013-10-07 14:10:47 -05:00
joev ec6516d87c Deprecate misnamed module.
* Renames to a linux linksys module.
2013-10-07 14:06:13 -05:00
Tod Beardsley fcba424308
Kill off EOL spaces on astium_sqli_upload. 2013-10-03 11:01:27 -05:00
Meatballs c460f943f7
Merge branch 'master' into data_dir
Conflicts:
	modules/exploits/windows/local/always_install_elevated.rb
	plugins/sounds.rb
	scripts/meterpreter/powerdump.rb
	scripts/shell/spawn_meterpreter.rb
2013-10-02 20:17:11 +01:00
sinn3r 23b0c3b723 Add Metasploit blog references
These modules have blogs from the Rapid7 community, we should add them.
2013-10-01 20:50:16 -05:00
Meatballs 7ba846ca24 Find and replace 2013-09-26 20:34:48 +01:00
jvazquez-r7 813bd2c9a5
Land #2379, @xistence's exploit for OSVDB 88860 2013-09-26 13:52:15 -05:00
xistence c2ff5accee stability fixes to astium_sqli_upload 2013-09-26 10:23:33 +07:00
Tod Beardsley c547e84fa7 Prefer Ruby style for single word collections
According to the Ruby style guide, %w{} collections for arrays of single
words are preferred. They're easier to type, and if you want a quick
grep, they're easier to search.

This change converts all Payloads to this format if there is more than
one payload to choose from.

It also alphabetizes the payloads, so the order can be more predictable,
and for long sets, easier to scan with eyeballs.

See:
  https://github.com/bbatsov/ruby-style-guide#collections
2013-09-24 12:33:31 -05:00
Tod Beardsley 8db1a389eb
Land #2304 fix post module require order
Incidentally resolve conflict on current_user_psexec to account for the
new powershell require.
2013-09-23 16:52:23 -05:00
Tod Beardsley 4bff8f2cdc Update descriptions for clarity. 2013-09-23 13:48:23 -05:00
jvazquez-r7 1fc849bdd5 Land #2188, @m-1-k-3's module for OSVDB 90221 2013-09-23 11:44:43 -05:00
jvazquez-r7 71d74655f9 Modify description 2013-09-23 11:44:04 -05:00
sinn3r 0eb838156b Land #2390 - Use payload.encoded because BadChars are defined 2013-09-19 22:10:55 -05:00
jvazquez-r7 1a00cce8a9 Clean up 2013-09-19 11:51:07 -05:00
jvazquez-r7 926ddf35bc Fix possible collisions on binding port and handle rex socket 2013-09-19 08:23:25 -05:00
jvazquez-r7 accad24f31 Use payload.encoded because BadChars are defined 2013-09-18 13:03:35 -05:00
jvazquez-r7 61ab0e245c Add Context to rex sockets plus track them with add_socket 2013-09-18 12:39:08 -05:00
jvazquez-r7 1988085a94 Fix possible port conflict 2013-09-18 12:24:36 -05:00
xistence adc1bd9c65 changes made to astium_sqli_upload based on suggestions 2013-09-18 16:52:31 +07:00
James Lee 9a555d8701 Fix the modules added since the branch 2013-09-17 18:25:12 -05:00
James Lee 150f0f644e Merge branch 'rapid7' into bug/osx-mods-load-order
Conflicts:
	modules/post/windows/gather/enum_dirperms.rb
2013-09-17 18:21:13 -05:00
xistence 82aa3f97b0 added Astium confweb 25399 RCE 2013-09-17 12:32:10 +07:00
Tod Beardsley b4b7cecaf4 Various minor desc fixes, also killed some tabs. 2013-09-16 15:50:00 -05:00
Tod Beardsley f89af79223 Correct OSVDB for sophos sblistpack exploit 2013-09-16 15:41:50 -05:00
jvazquez-r7 c18c41d8ea Don't hidde exceptions 2013-09-16 09:26:13 -05:00
jvazquez-r7 86e5163cad Fix Indentation and cleanup 2013-09-16 09:19:26 -05:00
jvazquez-r7 62cf9cb07c Retab changes for PR #2188 2013-09-16 09:09:16 -05:00
jvazquez-r7 842dba20b9 Merge for retab 2013-09-16 09:08:36 -05:00
jvazquez-r7 c665f41cd6 Fix description 2013-09-13 09:09:14 -05:00
sinn3r ac90cd1263 Land #2248 - Fix dlink upnp exec noauth 2013-09-12 15:10:20 -05:00
sinn3r 5aa6a0dd6b Land #2346 - Sophos Web Protection Appliance sblistpack Arbitrary Command Execution 2013-09-12 14:19:02 -05:00
sinn3r 8db66aeb98 Yes, clearly it is. 2013-09-12 14:16:34 -05:00
jvazquez-r7 bf40dc02ce Add module for CVE-2013-4984 2013-09-09 23:27:24 -05:00
jvazquez-r7 c3ff9a03d8 Add module for CVE-2013-4983 2013-09-09 23:26:10 -05:00
Tab Assassin f780a41f87 Retab changes for PR #2248 2013-09-05 14:12:24 -05:00
Tab Assassin 554d1868ce Merge for retab 2013-09-05 14:12:18 -05:00
Tab Assassin 845bf7146b Retab changes for PR #2304 2013-09-05 13:41:25 -05:00
Tab Assassin adf9ff356c Merge for retab 2013-09-05 13:41:23 -05:00
Tab Assassin 896bb129cd Retab changes for PR #2325 2013-09-05 13:24:09 -05:00
Tab Assassin 5ff25d8b96 Merge for retab 2013-09-05 13:23:25 -05:00
James Lee 50c6f26329 Don't deregister PrependFork 2013-09-05 10:50:36 -05:00
James Lee b913fcf1a7 Add a proper PrependFork for linux
Also fixes a typo bug for AppendExit
2013-09-04 00:15:07 -05:00
Tab Assassin 84aaf2334a Retab new material 2013-09-03 11:47:26 -05:00
Tab Assassin 0c1e6546af Update from master 2013-09-03 11:45:39 -05:00
sinn3r c4aa557364 Land #2292 - Fix the way to get a session over a telnet connection 2013-08-31 00:29:25 -05:00
Tab Assassin 41e4375e43 Retab modules 2013-08-30 16:28:54 -05:00
James Lee 63adde2429 Fix load order in posts, hopefully forever 2013-08-29 13:37:50 -05:00
James Lee feae4a41e7 I don't like end-of-line comments 2013-08-28 12:42:26 -05:00
jvazquez-r7 0bfc12ada1 Fix the way to get a session over a telnet connection 2013-08-27 11:38:49 -05:00
jvazquez-r7 93c46c4be5 Complete the Author metadata 2013-08-26 23:29:16 -05:00
jvazquez-r7 e1e889131b Add references and comments 2013-08-26 23:26:13 -05:00
James Lee 63786f9e86 Add local exploit for taviso's vmware privesc 2013-08-26 21:06:40 -05:00
jvazquez-r7 7b555679e6 Really delete the telnet target 2013-08-19 15:06:47 -05:00
jvazquez-r7 d64c8748e8 Fix descriptions and names 2013-08-19 15:05:27 -05:00
jvazquez-r7 232289d500 Add new module to exploit to through telnet dlink_upnp_exec_noauth 2013-08-19 15:01:29 -05:00
jvazquez-r7 846925e3ba Delete telnet target from dlink_upnp_exec_noauth 2013-08-19 14:56:12 -05:00
m-1-k-3 c902b0ea4b removed user and pass option 2013-08-19 18:07:11 +02:00
m-1-k-3 5fc806e3e0 little fixes 2013-08-18 16:18:27 +02:00
m-1-k-3 9ae977ec80 Merge branch 'raidsonic_telnet' of https://github.com/jvazquez-r7/metasploit-framework into raidsonic-ib5220-exec
Conflicts:
	modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb
2013-08-18 15:56:39 +02:00
sinn3r 462ccc3d36 Missed these little devils 2013-08-15 16:50:13 -05:00
HD Moore 6c1ba9c9c9 Switch to Failure vs Exploit::Failure 2013-08-15 14:14:46 -05:00
jvazquez-r7 7a8bafd82c Beautify 2013-08-14 13:50:08 -05:00
jvazquez-r7 90aec6cff5 Fix telnet negotiation for the raidsonic case 2013-08-14 13:38:51 -05:00
jvazquez-r7 178a7b0dbb Fix author's email format 2013-08-14 11:56:47 -05:00
jvazquez-r7 2a4b8e4a64 Add useful comment 2013-08-14 11:49:32 -05:00
jvazquez-r7 e6c36864c4 Fix telnet related stuff 2013-08-14 11:47:57 -05:00
m-1-k-3 6b87240323 thx to juan ... session stuff looks better 2013-08-14 16:51:09 +02:00
jvazquez-r7 f2e5092fd5 Add module for ZDI-13-179 2013-08-10 18:44:33 -05:00
sinn3r 5436ec7dd3 Title change for dlink_dir300_exec_telnet
Title change for dlink_dir300_exec_telnet. Also correct the email
format.
2013-08-09 15:41:50 -05:00
jvazquez-r7 74eeacf9f2 Fix regex 2013-08-08 08:40:45 -05:00
jvazquez-r7 821673c4d2 Try to fix a little description 2013-08-07 10:26:39 -05:00
jvazquez-r7 33ac0c5c3f Make exploit more print friendly 2013-08-07 10:21:14 -05:00
jvazquez-r7 32436973e4 Land #2192, @m-1-k-3's exploit for OSVDB-89861 2013-08-07 10:16:49 -05:00
jvazquez-r7 ae685ac41d Beautify description 2013-08-07 09:52:29 -05:00
jvazquez-r7 afb8a95f0a Land #2179, @m-1-k-3's exploit for OSVDB-92698 2013-08-07 09:00:41 -05:00
m-1-k-3 885417c9d9 removing config file from target 2013-08-06 15:11:54 +02:00
m-1-k-3 dd35495fb8 dir 300 and 600 auxiliary module replacement 2013-08-05 22:28:59 +02:00
m-1-k-3 786f16fc91 feedback included 2013-08-05 21:55:30 +02:00
m-1-k-3 2efc2a79bf fail with 2013-08-05 21:41:28 +02:00
Tod Beardsley e7206af5b5 OSVDB and comment doc fixes 2013-08-05 09:08:17 -05:00
m-1-k-3 34134b2e11 feedback included 2013-08-04 14:45:55 +02:00
m-1-k-3 b8ed364cb8 telnet user working 2013-08-03 15:07:10 +02:00
m-1-k-3 62e3c01190 raidsonic nas - command execution 2013-08-02 21:04:19 +02:00
m-1-k-3 a19afd163a feedback included 2013-08-02 17:30:39 +02:00
m-1-k-3 15906b76db dir300 and 615 command injection 2013-07-31 14:36:51 +02:00
m-1-k-3 6b514bb44a dir300 and 615 command injection telnet session 2013-07-31 14:34:03 +02:00
sinn3r 5efcbbd474 Land #2167 - PineApp Mail-SeCure livelog.html Exec 2013-07-29 13:18:18 -05:00
sinn3r 7967426db1 Land #2166 - PineApp Mail-SeCure ldapsyncnow.php EXEC 2013-07-29 13:16:42 -05:00
jvazquez-r7 a1d9ed300e Add module for ZDI-13-184 2013-07-28 09:57:41 -05:00
jvazquez-r7 f4e35b62ac Add module for ZDI-13-185 2013-07-27 12:12:06 -05:00
jvazquez-r7 fab9d33092 Fix disclosure date 2013-07-27 12:10:21 -05:00
jvazquez-r7 ac7bb1b07f Add module for ZDI-13-188 2013-07-27 03:25:39 -05:00
Tod Beardsley 147d432b1d Move from DLink to D-Link 2013-07-23 14:11:16 -05:00
jvazquez-r7 af1bd01b62 Change datastore options names for consistency 2013-07-22 16:57:32 -05:00
Tod Beardsley 5e55c506cd Land #2140, add CWS as a first-class reference. 2013-07-22 13:50:38 -05:00
Tod Beardsley 164153f1e6 Minor updates to titles and descriptions 2013-07-22 13:04:54 -05:00
jvazquez-r7 77e8250349 Add support for CWE 2013-07-22 12:13:56 -05:00
jvazquez-r7 6158415bd3 Clean CWE reference, will ad in new pr 2013-07-22 12:03:55 -05:00
jvazquez-r7 da4fda6cb1 Land #2110, @rcvalle's exploit for Foreman Ruby Injection 2013-07-22 12:02:43 -05:00
Ramon de C Valle 04e9398ddd Fix CSRF regular expressions as per review 2013-07-22 13:10:56 -03:00
jvazquez-r7 de6e2ef6f4 Final cleanup for dlink_upnp_exec_noauth 2013-07-22 10:53:09 -05:00
jvazquez-r7 c1c72dea38 Land @2127, @m-1-k-3's exploit for DLink UPNP SOAP Injection 2013-07-22 10:52:13 -05:00
Ramon de C Valle 11ef4263a4 Remove call to handler as per review 2013-07-22 12:49:42 -03:00
jvazquez-r7 4beea52449 Use instance variables 2013-07-19 14:46:17 -05:00
Ramon de C Valle 6761f95892 Change print_error/ret to fail_with as per review 2013-07-19 12:19:29 -03:00
m-1-k-3 e93eef4534 fixing server header check 2013-07-19 08:00:02 +02:00
m-1-k-3 f26b60a082 functions and some tweaking 2013-07-19 07:57:27 +02:00
jvazquez-r7 a1a6aac229 Delete debug code from mutiny_frontend_upload 2013-07-18 14:03:19 -05:00
Ramon de C Valle 8fd6dd50de Check session and CSRF variables as per review 2013-07-16 14:30:55 -03:00
Ramon de C Valle dc51c8a3a6 Change URIPATH option to TARGETURI as per review 2013-07-16 14:27:47 -03:00
Ramon de C Valle 3dbe8fab2c Add foreman_openstack_satellite_code_exec.rb
This module exploits a code injection vulnerability in the 'create'
action of 'bookmarks' controller of Foreman and Red Hat
OpenStack/Satellite (Foreman 1.2.0-RC1 and earlier).
2013-07-16 12:07:31 -03:00
m-1-k-3 f594c4b128 small cleanup 2013-07-15 08:48:18 +02:00
m-1-k-3 393c1b2a99 session stuff 2013-07-15 07:57:30 +02:00
m-1-k-3 a6b48f3082 HTTP GET 2013-07-14 19:02:53 +02:00
m-1-k-3 9f65264af4 make msftidy happy 2013-07-14 15:45:14 +02:00
m-1-k-3 47ca4fd48f session now working 2013-07-14 15:42:41 +02:00
m-1-k-3 9133dbac4a some feedback included and some playing 2013-07-14 14:14:06 +02:00
m-1-k-3 49c70911be dlink upnp command injection 2013-07-09 13:24:12 +02:00
sinn3r 4df943d1a2 CVE and OSVDB update 2013-06-25 02:06:20 -05:00
jvazquez-r7 b86b4d955a Make random strings also length random 2013-06-24 12:01:30 -05:00
jvazquez-r7 6672679530 Add local privilege escalation for ZPanel zsudo abuse 2013-06-23 11:00:39 -05:00
James Lee 81b4efcdb8 Fix requires for PhpEXE
And incidentally fix some msftidy complaints
2013-06-19 16:27:59 -05:00
Tod Beardsley f58e279066 Cleanup on module names, descriptions. 2013-06-10 10:52:22 -05:00
sinn3r f55edac0ca Title and description update 2013-06-07 22:38:53 -05:00
sinn3r a510084f1c Description change. 2013-06-07 22:35:46 -05:00
jvazquez-r7 600494817d Fix typo and target name 2013-06-07 21:08:38 -05:00
jvazquez-r7 9025b52951 make the payload build more clear 2013-06-07 18:05:11 -05:00
jvazquez-r7 d76e14fc9c Add module for OSVDB 93004 - Exim Dovect exec 2013-06-07 17:59:04 -05:00
Steve Tornio 4d26299de3 add osvdb ref 93881 and edb ref 21191 2013-06-05 18:57:33 -05:00
jvazquez-r7 3111013991 Minor cleanup for miniupnpd_soap_bof 2013-06-04 08:53:52 -05:00
jvazquez-r7 6497e5c7a1 Move exploit under the linux tree 2013-06-04 08:53:18 -05:00
sinn3r c705928052 Landing #1899 - Add OSVDB ref 85462 for esva_exec.rb 2013-06-03 10:40:31 -05:00
Steve Tornio 76faba60b7 add osvdb ref 85462 2013-06-03 06:16:43 -05:00
Steve Tornio e612a3d017 add osvdb ref 77183 2013-06-03 05:42:56 -05:00
sinn3r e74c1d957f Landing #1897 - Add OSVDB ref 93444 for mutiny_frontend_upload.rb 2013-06-03 02:15:35 -05:00
sinn3r 093830d725 Landing #1896 - Add OSVDB ref 82925 for symantec_web_gateway_exec.rb 2013-06-03 02:13:34 -05:00
Steve Tornio c2c630c338 add osvdb ref 93444 2013-06-02 21:03:44 -05:00
Steve Tornio bc993b76fc add osvdb ref 82925 2013-06-02 20:43:16 -05:00
Steve Tornio ae17e9f7b5 add osvdb ref 56992 2013-06-02 18:32:46 -05:00
Steve Tornio 61c8861fcf add osvdb ref 2013-06-02 08:33:42 -05:00
sinn3r 90117c322c Landing #1874 - Post API cleanup 2013-05-31 16:15:23 -05:00
Tod Beardsley e7a1f06fbc Modules shouldn't be +x 2013-05-29 15:11:35 -05:00
James Lee f3ff5b5205 Factorize and remove includes
Speeds up compilation and removes dependency on bionic source
2013-05-28 15:46:06 -05:00
Tod Beardsley 75d6c8079a Spelling, whitespace
Please be sure to run msftidy.rb on new modules. Thanks!
2013-05-28 10:03:37 -05:00
jvazquez-r7 bfcd86022d Add code cleanup for nginx_chunked_size. 2013-05-22 14:37:42 -05:00
LinuxGeek247 81b690ae4b Initial check in of nginx module 2013-05-22 13:52:00 -04:00
James Lee f4498c3916 Remove $Id tags
Also adds binary coding magic comment to a few files
2013-05-20 16:21:03 -05:00
jvazquez-r7 94bc3bf8eb Fix msftidy warning 2013-05-20 10:35:59 -05:00
jvazquez-r7 395aac90c2 Do minor cleanup for linksys_wrt160nv2_apply_exec 2013-05-20 10:34:39 -05:00
jvazquez-r7 08b2c9db1e Land #1801, @m-1-k-3's linksys wrt160n exploit 2013-05-20 10:33:44 -05:00
m-1-k-3 1a904ccf7d tftp download 2013-05-19 20:37:46 +02:00
jvazquez-r7 dfa19cb46d Do minor cleanup for dlink_dir615_up_exec 2013-05-19 12:43:01 -05:00
jvazquez-r7 348705ad46 Land #1800, @m-1-k-3's exploit for DLINK DIR615 2013-05-19 12:42:02 -05:00
m-1-k-3 f3a2859bed removed user,pass in request 2013-05-19 18:50:12 +02:00
m-1-k-3 aee5b02f65 tftp download check 2013-05-19 18:45:01 +02:00
m-1-k-3 4816925f83 feeback included 2013-05-19 16:19:45 +02:00
James Lee 3009bdb57e Add a few more references for those without 2013-05-16 14:32:02 -05:00
jvazquez-r7 649a8829d3 Add modules for Mutiny vulnerabilities 2013-05-15 09:02:25 -05:00
sinn3r 5e925f6629 Description update 2013-05-14 14:20:27 -05:00
jvazquez-r7 42cfa72f81 Update data after test kloxo 6.1.12 2013-05-13 19:09:06 -05:00
jvazquez-r7 58f2373171 Added module for EDB 25406 2013-05-13 18:08:23 -05:00
m-1-k-3 981cc891bc description 2013-05-12 20:07:32 +02:00
m-1-k-3 09bf23f4d6 linksys wrt160n tftp download module 2013-05-06 16:18:15 +02:00
m-1-k-3 22d850533a dir615 down and exec exploit 2013-05-06 15:33:45 +02:00
Tod Beardsley 60e0cfb17b Trivial description cleanup 2013-04-29 14:11:20 -05:00
jvazquez-r7 2b4144f20f Add module for US-CERT-VU 345260 2013-04-24 10:47:16 -05:00
Antoine 0115833724 SyntaxError fixes 2013-04-21 20:22:41 +00:00
jvazquez-r7 19a158dce9 Do final cleanup for netgear_dgn2200b_pppoe_exec 2013-04-19 15:50:23 -05:00
jvazquez-r7 c1819e6ecc Land #1700, @m-1-k-3's exploit for Netgear DGN2200B 2013-04-19 15:49:30 -05:00
m-1-k-3 2713991c64 timeout and HTTP_Delay 2013-04-17 20:25:59 +02:00
m-1-k-3 59045f97fb more testing, reworking of config restore, rework of execution 2013-04-17 18:10:27 +02:00
Tod Beardsley 513b3b1455 Minor cleanup on DLink module 2013-04-15 13:27:47 -05:00
jvazquez-r7 7e5d4bc893 Landing #1614, @jwpari nagios nrpe exploit 2013-04-11 17:53:52 +02:00
jvazquez-r7 a1605184ed Landing #1719, @m-1-k-3 dlink_diagnostic_exec_noauth exploit module 2013-04-10 11:17:29 +02:00
jvazquez-r7 4f2e3f0339 final cleanup for dlink_diagnostic_exec_noauth 2013-04-10 11:15:32 +02:00
m-1-k-3 8fbade4cbd OSVDB 2013-04-10 10:45:30 +02:00
jvazquez-r7 157f25788b final cleanup for linksys_wrt54gl_apply_exec 2013-04-09 12:39:57 +02:00
jvazquez-r7 b090495ffb Landing pr #1703, m-1-k-3's linksys_wrt54gl_apply_exec exploit 2013-04-09 12:38:49 +02:00
m-1-k-3 b93ba58d79 EDB, BID 2013-04-09 11:56:53 +02:00
m-1-k-3 cbefc44a45 correct waiting 2013-04-08 21:40:50 +02:00
m-1-k-3 955efc7009 final cleanup 2013-04-07 17:59:57 +02:00
m-1-k-3 9f89a996b2 final regex, dhcp check and feedback from juan 2013-04-07 17:57:18 +02:00
jvazquez-r7 0e69edc89e fixing use of regex 2013-04-07 11:39:29 +02:00
jvazquez-r7 6a410d984d adding get_config where I forgot 2013-04-06 19:13:42 +02:00
jvazquez-r7 0c25ffb4de Landing #1695, agix's smhstart local root exploit 2013-04-06 17:32:12 +02:00
jvazquez-r7 55302ee07f Merge remote-tracking branch 'origin/pr/1695' into landing-pr1695 2013-04-06 17:30:02 +02:00
jvazquez-r7 9a2f409974 first cleanup for linksys_wrt54gl_apply_exec 2013-04-06 01:05:09 +02:00
m-1-k-3 ecaaaa34bf dlink diagnostic - initial commit 2013-04-05 19:56:15 +02:00
m-1-k-3 96b444c79e ManualRanking 2013-04-04 17:40:53 +02:00
m-1-k-3 67f0b1b6ee little cleanump 2013-04-04 17:33:46 +02:00
m-1-k-3 f07117fe7d replacement of wrt54gl auxiliary module - initial commit 2013-04-04 17:30:36 +02:00
agix b947dc71e9 english :) "must be" 2013-04-03 13:47:57 +02:00
agix 60dfece55c add opcode description 2013-04-03 13:46:56 +02:00
jvazquez-r7 ce88d8473a cleanup for netgear_dgn1000b_setup_exec 2013-04-03 12:44:04 +02:00
jvazquez-r7 3c27678168 Merge branch 'netgear-dgn1000b-exec-exploit' of https://github.com/m-1-k-3/metasploit-framework into m-1-k-3-netgear-dgn1000b-exec-exploit 2013-04-03 12:43:42 +02:00
m-1-k-3 a93ec3aea3 fix name 2013-04-03 10:40:52 +02:00
m-1-k-3 2ceecabede make msftidy happy 2013-04-03 10:34:28 +02:00
m-1-k-3 91b0e5f800 netgear dgn2200b pppoe exec exploit - initial commit 2013-04-03 10:32:52 +02:00
m-1-k-3 642d8b846f netgear_dgn1000b_setup_exec - initial commit 2013-04-02 14:41:50 +02:00
m-1-k-3 7f3c6f7629 netgear_dgn1000b_setup_exec - initial commit 2013-04-02 14:39:04 +02:00
m-1-k-3 1b27d39591 netgear dgn1000b mipsbe exploit 2013-04-02 14:34:09 +02:00
agix 7359151c14 decrement esp to fix crash in the middle of shellcode 2013-04-02 13:25:31 +02:00
jvazquez-r7 6a6fa5b39e module filename changed 2013-04-02 10:50:50 +02:00
jvazquez-r7 b3feb51c49 cleanup for linksys_e1500_up_exec 2013-04-02 10:49:09 +02:00
jvazquez-r7 5e42b8472b Merge branch 'linksys_e1500_exploit' of https://github.com/m-1-k-3/metasploit-framework into m-1-k-3-linksys_e1500_exploit 2013-04-02 10:48:28 +02:00
m-1-k-3 579c499f43 Juans SRVHOST check included 2013-04-02 07:50:51 +02:00
jvazquez-r7 08ba2c70d3 update title and descr for mongod_native_helper 2013-04-01 21:44:08 +02:00
jvazquez-r7 81bca2c45a cleanup for mongod_native_helper 2013-04-01 21:35:34 +02:00
m-1-k-3 c386d54445 check SRVHOST 2013-04-01 18:12:13 +02:00
agix cc598bf977 Resolv a problem with mmap64 libc function and its unknown last argument 2013-04-01 17:38:09 +02:00
agix 6b639ad2ee add memcpy to the ropchain due to the zeroed mmap function under ubuntu 2013-04-01 14:13:19 +02:00
agix baf1ce22b3 increase mmap RWX size 2013-03-31 21:04:39 +02:00
jvazquez-r7 0f965ddaa3 waiting for payload download on linksys_e1500_more_work 2013-03-31 16:07:14 +02:00
agix 30111e3d8b hpsmh smhstart local exploit BOF 2013-03-31 13:04:34 +02:00
m-1-k-3 1d6184cd63 fixed author details 2013-03-30 12:41:31 +01:00
m-1-k-3 cd8bc2f87d description, blind exploitation info on cmd payload 2013-03-30 12:03:14 +01:00
m-1-k-3 b0a61adc23 juans feedback included 2013-03-30 11:43:10 +01:00
jvazquez-r7 5fd996f775 added osvdb reference 2013-03-30 10:42:58 +01:00
jvazquez-r7 3bf0046e3e Merge branch 'hp_system_management' of https://github.com/agix/metasploit-framework into agix-hp_system_management 2013-03-30 10:42:06 +01:00
m-1-k-3 7965f54890 juans feedback included 2013-03-30 08:40:42 +01:00
jvazquez-r7 607b1c5c14 little cleanup for e1500_up_exec 2013-03-29 23:16:13 +01:00
m-1-k-3 1b563ad915 stop_service 2013-03-29 22:38:06 +01:00
m-1-k-3 813ff1e61e removed payload stuff 2013-03-29 22:32:57 +01:00
m-1-k-3 c5e358c9c3 compatible payloads 2013-03-29 20:54:35 +01:00
m-1-k-3 0164cc34be msftidy, generate exe, register_file_for_cleanup 2013-03-29 19:00:04 +01:00
jvazquez-r7 c55a3870a8 cleanup for hp_system_management 2013-03-29 18:02:23 +01:00
m-1-k-3 cfeddf3f34 cmd payload working, most feedback included 2013-03-29 14:43:48 +01:00
agix 4a683ec9a4 Fix msftidy WARNING 2013-03-28 13:36:35 +01:00
agix 139926a25b Fix msftidy Warning 2013-03-28 13:22:26 +01:00
agix eec386de60 fail in git usage... sorry 2013-03-28 12:05:49 +01:00
agix 4bcadaabc1 hp system management homepage DataValidation?iprange buffer overflow 2013-03-28 12:00:17 +01:00
agix 69fb465293 Put gadgets in Target 2013-03-28 11:15:13 +01:00
agix dee5835eab Create mongod_native_helper.rb
metasploit exploit module for CVE-2013-1892
2013-03-28 03:10:38 +01:00
m-1-k-3 dfd451f875 make msftidy happy 2013-03-27 17:46:02 +01:00
jvazquez-r7 cd58a6e1a1 cleanup for nagios_nrpe_arguments 2013-03-20 19:22:48 +01:00
Joel Parish 21e9f7dbd2 Added module for CVE-2013-1362
Module exploits a shell code metacharacter escaping vulnerability in
poorly configured Nagios Remote Plugin Executor installations.
2013-03-19 01:43:46 -07:00
jvazquez-r7 6ccfa0ec18 cleanup for dreambox_openpli_shell 2013-03-14 15:02:21 +01:00
m-1-k-3 9366e3fcc5 last adjustment 2013-03-14 11:18:52 +01:00
m-1-k-3 0140caf1f0 Merge branch 'master' of git://github.com/rapid7/metasploit-framework into openpli-shell 2013-03-14 10:55:52 +01:00
jvazquez-r7 4852f1b9f7 modify exploits to be compatible with the new netcat payloads 2013-03-11 18:35:44 +01:00
James Lee 2160718250 Fix file header comment
[See #1555]
2013-03-07 17:53:19 -06:00
David Maloney 0ae489b37b last of revert-merge snaffu 2013-02-19 23:16:46 -06:00
m-1-k-3 3ab5585107 make msftidy happy 2013-02-16 20:49:32 +01:00
m-1-k-3 121a736e28 initial commit 2013-02-16 20:42:02 +01:00
Tod Beardsley 8ddc19e842 Unmerge #1476 and #1444
In that order. #1476 was an attempt to salvage the functionality, but
sinn3r found some more bugs. So, undoing that, and undoing #1444 as
well.

First, do no harm. It's obvious we cannot be making sweeping changes in
libraries like this without a minimum of testing available. #1478 starts
to address that, by the way.

FixRM #7752
2013-02-11 20:49:55 -06:00
David Maloney 4c1e630bf3 BasicAuth datastore cleanup
cleanup all the old BasicAuth datastore options
2013-02-04 13:02:26 -06:00
sinn3r c174e6a208 Correctly use normalize_uri()
normalize_uri() should be used when you're joining URIs.  Because if
you're merging URIs after it's normalized, you could get double
slashes again.
2013-01-30 23:23:41 -06:00
sinn3r 690ef85ac1 Fix trailing slash problem
These modules require the target URI to be a directory path. So
if you remove the trailing slash, the web server might return a
301 or 404 instead of 200.

Related to: [SeeRM: #7727]
2013-01-28 13:19:31 -06:00
sinn3r f50c7ea551 A version number helps deciding which exploit to use 2013-01-23 11:43:39 -06:00
sinn3r ca144b9e84 msftidy fix 2013-01-23 11:40:12 -06:00
jvazquez-r7 dd0fdac73c fix indent 2013-01-23 18:19:14 +01:00
jvazquez-r7 9c9a0d1664 Added module for cve-2012-0432 2013-01-23 10:51:29 +01:00
Tod Beardsley 33751c7ce4 Merges and resolves CJR's normalize_uri fixes
Merge remote-tracking branch 'ChrisJohnRiley/set_normalize_uri_on_modules'
into set_normalize_uri_on_modules

Note that this trips all kinds of msftidy warnings, but that's for another
day.

Conflicts:
	modules/exploits/unix/webapp/tikiwiki_jhot_exec.rb
	modules/exploits/windows/http/xampp_webdav_upload_php.rb
2013-01-07 11:16:58 -06:00
Christian Mehlmauer 6654faf55e Msftidy fixes 2013-01-04 09:29:34 +01:00
Christian Mehlmauer 8f2dd8e2ce msftidy: Remove $Revision$ 2013-01-04 00:48:10 +01:00
Christian Mehlmauer 25aaf7a676 msftidy: Remove $Id$ 2013-01-04 00:41:44 +01:00
James Lee 20cc2fa38d Make Windows postgres_payload more generic
* Adds Exploit::EXE to windows/postgres/postgres_payload. This gives us
  the ability to use generate_payload_dll() which generates a generic dll
  that spawns rundll32 and runs the shellcode in that process. This is
  basically what the linux version accomplishes by compiling the .so on
  the fly. On major advantage of this is that the resulting DLL will
  work on pretty much any version of postgres

* Adds Exploit::FileDropper to windows version as well. This gives us
  the ability to delete the dll via the resulting session, which works
  because the template dll contains code to shove the shellcode into a
  new rundll32 process and exit, thus leaving the file closed after
  Postgres calls FreeLibrary.

* Adds pre-auth fingerprints for 9.1.5 and 9.1.6 on Ubuntu and 9.2.1 on
  Windows

* Adds a check method to both Windows and Linux versions that simply
  makes sure that the given credentials work against the target service.

* Replaces the version-specific lo_create method with a generic
  technique that works on both 9.x and 8.x

* Fixes a bug when targeting 9.x; "language C" in the UDF creation query
  gets downcased and subsequently causes postgres to error out before
  opening the DLL

* Cleans up lots of rdoc in Exploit::Postgres
2012-12-22 00:30:09 -06:00
Tod Beardsley e762ca0d9b Merge remote branch 'jlee-r7/midnitesnake-postgres_payload' 2012-12-12 15:30:56 -06:00
sinn3r f5193b595c Update references 2012-12-10 11:42:21 -06:00
James Lee 17d8d3692b Merge branch 'rapid7' into midnitesnake-postgres_payload 2012-11-27 11:14:54 -06:00
jvazquez-r7 35b3bf4aa5 back to the original Brute mixin 2012-11-19 14:13:49 +01:00
jvazquez-r7 24fe043960 Merge branch 'samba' of https://github.com/mephos/metasploit-framework into mephos-samba 2012-11-19 14:13:15 +01:00
Chris John Riley f88ec5cbc8 Add normalize_uri to modules that may have
been missed by PULL 1045.

Please ensure PULL 1045 is in place prior to
looking at this (as it implements normalize_uri)

ref --> https://github.com/rapid7/metasploit-framework/pull/1045
2012-11-08 17:42:48 +01:00
James Lee ac1b60e6db Remove debug load 2012-11-07 20:00:41 -06:00
m m e170c1e3e3 typo in centos5 range 2012-10-31 18:28:26 +01:00
m m f7481b160c add centos5 target 2012-10-31 18:21:41 +01:00
m m 3e3c518753 remove SessionTypes as per egypt 2012-10-30 17:13:57 +01:00
m m 3855ba88b1 add meterpreter/command support to samba exploit using ROP 2012-10-29 17:33:00 +01:00
sinn3r 799c22554e Warn user if a file/permission is being modified during new session 2012-10-24 00:54:17 -05:00
Tod Beardsley be9a954405 Merge remote branch 'jlee-r7/cleanup/post-requires' 2012-10-23 15:08:25 -05:00
Michael Schierl 910644400d References EDB cleanup
All other types of references use String arguments, but approximately half
of the EDB references use Fixnums. Fix this by using Strings here too.
2012-10-23 21:02:09 +02:00
James Lee 9c95c7992b Require's for all the include's 2012-10-23 13:24:05 -05:00
Michael Schierl f9ac55c221 Infohash key cleanups
Replace obvious typos in infohash keys. Note that this *does*
affect the behaviour as those keys have been ignored before.
2012-10-22 21:24:36 +02:00
Michael Schierl e9f7873afc Version cleanup
Remove all values that are neither 0 nor $Revision$.
2012-10-22 20:57:02 +02:00
James Lee 768d2c5921 Go back to old behavior for unknown versions
May not be correct, but it's what we used to do, so probably better than
just raising.

Also documents things a bit better.
2012-10-18 16:57:40 -05:00
James Lee 1eccb24bf8 Raise if the version isn't what we expect
Also adds some clarifying commentation and adds todb to the list of
authors since he wrote the original module for windows upon which this
one is based.
2012-10-18 15:55:55 -05:00
James Lee 3c5c1cd86e Remove unnecessary version restrictions
Since the payload is now run in the .so constructor, there's no need to
be compatible with a particular Postgres API.

Also:
 - report the service
 - delete the payload in the payload itself to reduce forensics
	 footprint
 - randomize the created function name instead of abusing
	 postgres_create_sys_exec
2012-10-18 15:40:27 -05:00
James Lee 0221f75f39 Merge branch 'rapid7' into midnitesnake-postgres_payload 2012-10-18 13:57:25 -05:00
James Lee 52feae2dcd Add missing require
[FixRM #7345]
2012-10-15 17:18:04 -05:00
sinn3r 529f88c66d Some msftidy fixes 2012-10-14 19:16:54 -05:00
James Lee 9c6fdbe9d7 Compile a .so instead of being version-specific
This makes it possible to use payloads for the appropriate architecture

NOTE: need to test windows and make sure I didn't break it
2012-10-13 15:18:25 -05:00
James Lee ad1870d819 Merge branch 'rapid7' into midnitesnake-postgres_payload 2012-10-12 14:18:34 -05:00
James Lee db12413b09 Convert vcms_upload to use PhpEXE
Incidentally adds a Linux x86 target
2012-10-12 04:29:57 -05:00
jvazquez-r7 aba69d8438 fix indentation 2012-10-05 20:18:40 +02:00
jvazquez-r7 4c646762a5 Added target debian squeeze 2012-10-05 20:12:09 +02:00
jvazquez-r7 6679ff765a remove extra commas 2012-09-28 12:21:59 +02:00
sinn3r 4087790cf7 Oops, forgot to update the check() function 2012-09-27 18:22:57 -05:00
jvazquez-r7 9d3a1871a6 Added module for Samba CVE-2012-1182 2012-09-28 01:18:52 +02:00
jvazquez-r7 25e6990dc7 added osvdb reference 2012-09-24 21:49:32 +02:00
jvazquez-r7 ed24154915 minor fixes 2012-09-21 11:36:58 +02:00
bcoles 6ee2c32f08 add ZEN Load Balancer module 2012-09-21 17:25:20 +09:30
Ramon de C Valle 11f82de098 Update author information 2012-09-19 14:00:51 -03:00
jvazquez-r7 8b251b053e initializing msghdr a little better 2012-09-18 12:12:27 +02:00
jvazquez-r7 16c5df46fc fix while testing ubuntu intrepid 2012-09-18 11:52:50 +02:00
jvazquez-r7 0708ec72fc module moved to a more correct location 2012-09-15 15:31:21 +02:00
jvazquez-r7 0f67f8d08a target modified 2012-09-15 15:14:33 +02:00
jvazquez-r7 0061d23b37 Added module for CVE-2012-2982 2012-09-15 15:09:19 +02:00
sinn3r 1f58458073 Merge branch 'udev_netlink' of https://github.com/jlee-r7/metasploit-framework into jlee-r7-udev_netlink 2012-09-13 10:37:52 -05:00
jvazquez-r7 12f3ef9c7c added osvdb numbers 2012-09-13 14:00:12 +02:00
Tod Beardsley fba219532c Updating BID for openfiler 2012-09-12 14:13:21 -05:00
sinn3r f5a0f74d27 Merge branch 'wanem_exec_improve' of https://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-wanem_exec_improve 2012-09-10 13:35:48 -05:00
James Lee bbeb6cc97a Add a privilege escalation exploit for udev < 1.4.1
Also includes a new ```rm_f``` method for Post::File for deleting remote
files in a platform-independent way.
2012-09-10 12:32:14 -05:00
sinn3r 64b8696e3c Extra condition that's not actually needed
Don't actually need to check nil res, because no code will
actually try to access res when it's nil anyway. And the 'return'
at the of the function will catch it when the response times out.
2012-09-09 04:06:48 -05:00
bcoles cb95a7b520 Add openfiler_networkcard_exec exploit 2012-09-09 17:28:09 +09:30
jvazquez-r7 37c7f366f2 check function test vulnerability + minor improvements 2012-09-09 00:42:02 +02:00
bcoles f02659184a Add WANem v2.3 command execution 2012-09-08 16:01:45 +09:30
sinn3r bbab206eac Add CVE-2012-3579 - Symantec Messaging Gateway 9 Default SSH Pass
This module exploits a default misconfig flaw on Symantec Messaging
Gateway 9.5 (or older).  The "support" user has a known default
password, which can be used to login to the SSH service, and then
gain privileged access from remote.
2012-09-05 13:21:10 -05:00
sinn3r 9d97dc8327 Add Metasploit blogs as references, because they're useful. 2012-09-03 15:57:27 -05:00
midnitesnake 25ee8fd357 Run postgres.rb & postgres_payload through msftidy, and cleaned up the files 2012-08-25 01:44:49 +01:00
sinn3r ea7d7b847a Merge branch 'master' of github.com:rapid7/metasploit-framework 2012-08-24 11:17:14 -05:00
jvazquez-r7 8f748d833a Added BID reference 2012-08-24 17:30:52 +02:00
jvazquez-r7 261a17d28a Added module for CVE-2009-4498 2012-08-23 18:29:39 +02:00