Commit Graph

2271 Commits (cf33f482a1fae6fff98978be21326beeccd7fd57)

Author SHA1 Message Date
Pearce Barry c00b9ca1e5
Land #8175, Get into the DANGER ZOOOOOOONE 2017-03-31 14:31:22 -05:00
HD Moore b5771b0f72 Get into the DANGER ZOOOOOOONE 2017-03-31 12:26:42 -05:00
dmohanty-r7 1ce7bf3938
Land #8126, Add SolarWind LEM Default SSH Pass/RCE 2017-03-31 11:21:32 -05:00
Mehmet Ince e9f816272d
Adding solarwinds lem default ssh credentials to the wordlist 2017-03-24 13:24:05 +03:00
Jon P 4628dfe16b Remove old banner + rubygems requirements 2017-03-13 17:36:21 +01:00
Jon P c9a5190726 Patching "undefined method empty?" errors + "encoding error" 2017-03-13 17:32:56 +01:00
Jon P e8257122b3 Creation of a sub-module for modules/auxiliary/crawler/msfcrawler
Catching links in comments
2017-03-13 17:18:39 +01:00
wchen-r7 6965a00b45 Resolve #8023, Support backward compatibility for Office macro
Resolve #8023
2017-02-27 13:02:41 -06:00
William Webb 83cc28a091
Land #7972, Microsoft Office Word Macro Generator OS X Edition 2017-02-21 13:26:42 -06:00
Brent Cook 2c570b6709
Land #7942, Microsoft SQL Server Clr Stored Procedure Payload Execution 2017-02-17 17:28:54 -06:00
wchen-r7 3d269b46ad Support OS X for Microsoft Office macro exploit 2017-02-16 12:28:11 -06:00
OJ 2d834a3f5a
Finalise module, and add supporting binaries 2017-02-10 12:56:40 +10:00
bwatters-r7 272d1845fa
Land #7934, Add exploit module for OpenOffice with a malicious macro 2017-02-09 13:42:58 -06:00
wchen-r7 047a9b17cf Completed version of openoffice_document_macro 2017-02-08 16:29:40 -06:00
wchen-r7 cefbee2df4 Add PoC for OpenOffice macro module 2017-02-07 10:12:23 -06:00
wchen-r7 ccaa783a31 Add Microsoft Office Word Macro exploit 2017-02-02 17:44:55 -06:00
William Webb fb74b2d8f3
initial commit of finished product 2017-01-20 11:01:36 -06:00
bwatters_r7 4035dd7485
Land #7796, Improve zip module windows script fallback 2017-01-17 10:59:04 -06:00
Brent Cook 24f7959805
add binary for futex_requeue 2017-01-11 13:25:30 -06:00
Brent Cook 2585c8c8b5
Land #7461, convert futex_requeue (towelroot) module to use targetting and core_loadlib 2017-01-11 13:24:25 -06:00
Brent Cook 31f85b905a add comments 2017-01-07 12:50:11 -06:00
Brent Cook cdcf4cce7d improve zip module windows script fallback
- handle non-English locales
 - wait more reliably, handle network paths where FS info gets stale
 - use absolute paths correctly
2017-01-07 12:27:03 -06:00
Brent Cook 2652f347fa add module binary 2016-12-22 03:25:10 -06:00
Tim e6d4c0001c
hide debug printing 2016-12-20 00:52:11 +08:00
Pearce Barry 1dae206fde
Land #7379, Linux Kernel BPF Priv Esc (CVE-2016-4557) 2016-11-11 16:50:20 -06:00
scriptjunkie 268a72f210
Land #7193 Office DLL hijack module 2016-11-08 23:15:27 -06:00
Yorick Koster 3c1f642c7b Moved PPSX to data/exploits folder 2016-11-08 16:04:46 +01:00
William Webb 31b593ac67
Land #7402, Add Linux local privilege escalation via overlayfs 2016-11-01 12:46:40 -05:00
dmohanty-r7 d918e25bde
Land #7439, Add Ghostscript support to ImageMagick Exploit 2016-10-28 17:07:13 -05:00
Pearce Barry 43fd0a8813
Land #7436, Put Rex-exploitation Gem Back 2016-10-18 16:03:54 -05:00
h00die 0d1fe20ae5 revamped 2016-10-15 20:57:31 -04:00
Brent Cook 741c4b8916 updated android payload gem, removed unused extension jar 2016-10-14 09:59:06 -05:00
Brent Cook 9fbe1ddd9d
Land #7384, CVE-2016-6415 - Cisco IKE Information Disclosure 2016-10-14 08:41:34 -05:00
William Vu 9b15899d91 Add PS template 2016-10-13 17:40:15 -05:00
William Vu 6f4f2bfa5f Add PS target and remove MIFF 2016-10-13 17:39:55 -05:00
David Maloney 7894d5b2c1 Revert "Revert "use the new rex-exploitation gem""
This reverts commit f3166070ba.
2016-10-11 17:40:43 -05:00
Pearce Barry d1a11f46e8
Land #7418, Linux recvmmsg Priv Esc (CVE-2014-0038) 2016-10-09 18:37:52 -05:00
h00die 2dfebe586e working cve-2014-0038 2016-10-08 23:58:09 -04:00
Brent Cook f3166070ba
Revert "use the new rex-exploitation gem"
This reverts commit 52f6265d2e.
2016-10-08 21:55:16 -05:00
William Vu 3b3185069f
Land #7408, Mirai botnet wordlists 2016-10-06 10:07:20 -05:00
Tonimir Kisasondi 83548a0dde added mirai user/pass to unhash set 2016-10-05 22:24:11 +02:00
Tonimir Kisasondi 7ce73be936 Add linux.mirai wordlists 2016-10-05 17:57:08 +02:00
David Maloney 52f6265d2e use the new rex-exploitation gem
use the new rex-exploitation gem instead of the packaged in lbirary code
cleans up a huge ammount of space in framework

MS-1709
2016-10-05 09:05:27 -05:00
h00die 27cf5c65c4 working module 2016-10-04 23:21:53 -04:00
David Maloney af4f3e7a0d use templates from the gem for psh
use the templates now contained within the magical
gem of rex-powershell

7309
MS-2106
2016-10-04 14:14:25 -05:00
mach-0 dcc77fda5b Add back accidentally-deleted nasm comment. 2016-10-03 23:47:13 -05:00
mach-0 eff85e4118 Just remove DT_HASH. 2016-10-03 23:43:19 -05:00
mach-0 8828060886 Fix linux x64 elf-so template.
Previously the elf-so would crash when loaded with LD_PRELOAD,
due to not enough room for the symbol table.
2016-10-03 23:24:31 -05:00
nixawk 7368b995f2 CVE-2016-6415 Cisco - sendpacket.raw 2016-09-29 22:24:55 -05:00
h00die c036c258a9 cve-2016-4557 2016-09-29 05:23:12 -04:00
OJ 0e82ced082
Add LPE exploit module for the capcom driver flaw
This commit includes:

* RDI binary that abuses the SMEP bypass and userland function pointer
  invocation that is provided by the driver.
* Related metasploit module.
* Associated make.build to build from command line.
* Updated command line build file.

This also includes the beginnings of a new set of functions that help
with the management/automation of kernel-related work on Windows for
local priv esc exploits.
2016-09-27 22:37:45 +10:00
Pearce Barry 6382fffc75
Land #7326, Linux Kernel Netfilter Privesc 2016-09-26 12:38:50 -05:00
h00die 23e5556a4c binary drops work! 2016-09-24 21:31:00 -04:00
Joshua J. Drake dbf66f27d5 Add a browser-based exploit module for CVE-2015-3864 2016-09-23 11:14:31 -05:00
Adam Muntner 726079c6e7 diffed with fuzzdb
https://github.com/fuzzdb-project/fuzzdb/blob/master/discovery/predictable-filepaths/webservers-appservers/SAP.txt
2016-09-21 00:20:46 -04:00
dmohanty-r7 4c4f2e45d6
Land #7283, add jsp payload generator 2016-09-16 14:37:59 -05:00
Tim 6cb331e74d
Land 7281, add vagrant default password to wordlist 2016-09-07 13:01:01 +01:00
Tim 96f81b4817
add root:vagrant to root_userpass 2016-09-07 12:59:12 +01:00
Christian Mehlmauer c6012e7947
add jsp payload generator 2016-09-06 22:17:21 +02:00
Pearce Barry 9d5a276e91
Fix recent metasploit-framework.gemspec conflict. 2016-09-06 13:10:28 -05:00
wchen-r7 23a5d737fc Add password "vagrant" to wordlists
The password "vagrant" is often used in Metasploitable3.
2016-09-06 12:36:02 -05:00
Brendan 83160b7e49
Land #7173, Add post module to compress (zip) a file or directory 2016-08-24 09:38:04 -05:00
wchen-r7 e154aafaaa On Error Resume Next for zip.vbs 2016-08-17 17:08:38 -05:00
David Maloney 8bece28d00
remove *scan bins as well
all *scan bins need to be removed as the rex-bin_tools
gem will now handle these and put them in PATH

MS-1691
2016-08-15 14:04:00 -05:00
wchen-r7 8f7d0eae0c Fix #7155 - Add post module to compress (zip) a file or directory
Fix #7155
2016-08-02 14:44:58 -05:00
William Webb 21e6211e8d add exploit for cve-2016-0189 2016-08-01 13:26:35 -05:00
Brent Cook d1f65b27b8
Land #7151, Improve CVE-2016-0099 reliability 2016-07-29 09:22:11 -05:00
Brendan ee40c9d809
Land #6625, Send base64ed shellcode and decode with certutil (Actually MSXML) 2016-07-28 13:01:05 -07:00
wchen-r7 322fc11225 Fix whitespace 2016-07-27 12:37:14 -05:00
wchen-r7 dbe31766af Update CVE-2016-0099 Powershell 2016-07-27 12:35:43 -05:00
Brent Cook b08d1ad8d8
Revert "Land #6812, remove broken OSVDB references"
This reverts commit 2b016e0216, reversing
changes made to 7b1d9596c7.
2016-07-15 12:00:31 -05:00
wchen-r7 8f928c6ca1
Land #7006, Add MS16-032 Local Priv Esc Exploit 2016-07-12 15:22:35 -05:00
wchen-r7 621f3fa5a9 Change naming style 2016-07-12 15:18:18 -05:00
Brent Cook 2b016e0216
Land #6812, remove broken OSVDB references 2016-07-11 22:59:11 -05:00
William Webb b4b3a84fa5 refactor ms16-016 code 2016-07-05 20:50:43 -05:00
khr0x40sh df1a9bee13 Move ps1, Use Env var, Fix license, New Cleanup
MS16-032 ps1 moved to external file.  This ps1 will now detect windir
to find cmd.exe.  The module now also detects windir to find
powershell.exe.  The license is now BSD_LICENSE, and the required
copyright has been moved to the ps1. The previous optional cleanup stage
 is now standard.  The optional 'W_PATH' assignment is corrected to
select the user's variable unless 'W_PATH' is nil.
2016-06-22 09:25:48 -04:00
Brent Cook ba72d3fd92
Land #6988, Update banners to metasploit.com, not .pro 2016-06-17 15:29:30 -05:00
h00die cd207df6b8 adding karaf to unix lists per 4358 2016-06-15 20:31:48 -04:00
Tod Beardsley fe4cfd7e3e
Update banners to metasploit.com, not .pro 2016-06-14 15:11:04 -05:00
wwebb-r7 ab27c1b701 Merge pull request #6940 from samvartaka/master
Exploit for previously unknown stack buffer overflow in Poison Ivy versions 2.1.x (possibly present in older versions too)
2016-06-08 11:25:51 -05:00
samvartaka 5260031991 Modifications based on suggestions by @wchen-r7 2016-06-08 01:17:15 +02:00
William Vu 9128ba3e57 Add popen() vuln to ImageMagick exploit
So... we've actually been sitting on this vuln for a while now. Now that
the cat's out of the bag [1], I'm updating the module. :)

Thanks to @hdm for his sharp eye. ;x

[1] http://permalink.gmane.org/gmane.comp.security.oss.general/19669
2016-06-02 11:35:37 -05:00
Brent Cook 7b024d1a72
Land #6914, add siem to the namelist 2016-05-24 14:22:44 -05:00
x90" * 365 9d545b0a05 Update namelist.txt 2016-05-24 13:00:59 -04:00
William Vu 2bac46097f Remove url() for MVG
Technically unnecessary here.
2016-05-05 14:18:42 -05:00
William Vu 334c432901 Force https://localhost for SVG and MVG
https: is all that's needed to trigger the bug, but we don't want wget
and curl to gripe. localhost should be a safe host to request.
2016-05-05 14:18:42 -05:00
William Vu decd770a0b Encode the entire SVG string
Because why not? Not like people care about what's around the command.
2016-05-05 14:18:42 -05:00
William Vu 232cc114de Change placeholder text to something useful
A la Shellshock. :)
2016-05-05 14:18:42 -05:00
William Vu 5c04db7a09 Add ImageMagick exploit 2016-05-05 14:18:42 -05:00
wchen-r7 71c8ad555e Resolve #6839, Make Knowledge Base as default
Resolve #6839
2016-05-02 14:12:09 -05:00
wchen-r7 d80d2bb8d3 Land #6825, Fixed borders on code boxes 2016-04-27 11:59:52 -07:00
wchen-r7 816bc91e45 Resolve #6807, remove all OSVDB references.
OSVDB is no longer a vulnerability database, therefore all the
references linked to it are invalid.

Resolve #6807
2016-04-23 12:32:34 -05:00
Brent Cook 57ab974737 File.exists? must die 2016-04-21 00:47:07 -04:00
wchen-r7 22831695dd
Land #6721, Add additional SOLMAN default creds 2016-03-30 10:48:53 -05:00
Meatballs 4f84c5a3b7
Add additional SOLMAN default creds 2016-03-29 15:53:15 +01:00
f7b053223a9e 629bc00696 Use MSXML decoder instead 2016-03-25 22:52:16 +09:00
wchen-r7 57984706b8 Resolve merge conflict with Gemfile 2016-03-24 18:13:31 -05:00
wchen-r7 76c6f8c19d Move module_doc_template 2016-03-24 17:07:19 -05:00
l0gan e29fc5987f Add missing stream.raw for hp_sitescope_dns_tool
This adds the missing stream.raw.
2016-03-15 11:06:06 -05:00
wchen-r7 d6742c4097 Change <hr> color 2016-03-10 10:44:18 -06:00
wchen-r7 ad0a948ae7 Update module_doc_template 2016-03-08 12:21:20 -06:00
wchen-r7 58b8c35146 Escape HTML for KB and update rspec 2016-03-08 10:10:10 -06:00
wchen-r7 027315eeaa Update post_demo_template 2016-03-05 20:33:40 -06:00
wchen-r7 03eb568af7 Add --- to make sections to stand out more 2016-03-05 15:17:19 -06:00
wchen-r7 f4866fd5f0 Update template and web_delivery doc 2016-03-03 01:27:14 -06:00
wchen-r7 cececa749d Update css 2016-03-03 00:58:17 -06:00
wchen-r7 11964c5c1a Add remote exploit demo and web_delivery doc 2016-03-02 19:52:11 -06:00
f7b053223a9e 19bd7b98f4 Fix minor indenting issue 2016-03-01 11:50:56 +09:00
f7b053223a9e c8c5549b19 Send base64ed shellcode and decode with certutil 2016-03-01 10:48:25 +09:00
wchen-r7 fd8e3e719d real demo 2016-02-26 14:43:53 -06:00
wchen-r7 ed0dfa5725 basic usage 2016-02-26 14:35:07 -06:00
wchen-r7 250ce6fb17 lets be clear 2016-02-26 14:30:12 -06:00
wchen-r7 1c53e53d23 More info about how to write the doc 2016-02-26 14:24:24 -06:00
wchen-r7 e40f1e69db Update default template 2016-02-26 14:18:24 -06:00
wchen-r7 6060c7b09b We make this pretty 2016-02-26 14:15:54 -06:00
wchen-r7 95a9f42996 Add a template for future module documentation 2016-02-24 19:28:17 -06:00
wchen-r7 24530e2734 Scrollable list, tab name change, print_status 2016-02-19 20:46:39 -06:00
wchen-r7 34d10d7829 Should be fullname 2016-02-19 00:13:55 -06:00
wchen-r7 7444a0ff04 Make it more obvious which tab the user is viewing 2016-02-18 17:59:45 -06:00
wchen-r7 4fc7008561 Close div properly 2016-02-18 16:12:27 -06:00
wchen-r7 56c2ba9f75 Turn the HTML template into external 2016-02-18 15:41:14 -06:00
wchen-r7 e5ad6fa781 Support "knowledge base" 2016-02-18 15:02:24 -06:00
wchen-r7 f8d6a59cdc Change wording 2016-02-18 12:19:25 -06:00
wchen-r7 089d6985b6 Add more demo templates 2016-02-18 00:17:32 -06:00
wchen-r7 1bfe1ad140 More demos 2016-02-17 19:04:06 -06:00
wchen-r7 76f2c917ee Allow no GITHUB_OAUTH_TOKEN, and gsub for demo 2016-02-17 15:38:30 -06:00
wchen-r7 714106174e Do external erb template 2016-02-17 14:27:29 -06:00
wchen-r7 b0cfb4aacf Add info -d to show module documentation in .md 2016-02-16 22:44:03 -06:00
Jay Turla aeb1d80e0d Adding top 100 adobe passwords 2016-02-11 08:55:45 +08:00
Bigendian Smalls b3e8bd1dab
Updated zsploit screens to use std msf colors
Using Rex::Ui::Text::Colors now instead of ansi codes
Thanks to @mainframed for the quick turnaround
2016-02-09 12:01:25 -06:00
Bigendian Smalls 90e37ea749
Added three cool new mainframe themed screens
Thanks to *Solider of Fortran* @mainframed for his amazing original artwork!
These set of 3 limited edition, original, one-of-a-kind screens will modernize
your msf installation to the 1960s and beyond.  No seriously they are super cool
and now that metasploit-framework supports System Z - it seemed only fitting.
2016-01-20 06:10:51 -06:00
Brent Cook 7f9b804060
Land #6410, remove JtR binaries, update for independent framework releases 2016-01-06 14:16:49 -06:00
Chris Doughty 97ae09729c Add john.conf to data dir as referenced by: lib/metasploit/framework/jtr/cracker.rb 2016-01-06 13:00:05 -06:00
Chris Doughty ae57bce262 Adding wordlists back to path 2016-01-06 12:54:25 -06:00
JT bf764deefb Add SCADA Default UserPass List
This list was based on SCADAPASS: https://github.com/scadastrangelove/SCADAPASS
2016-01-06 12:25:29 +08:00
William Vu be340774ea
Land #6432, Piata SSH scanner wordlist 2016-01-05 10:15:17 -06:00
JT 66e2d945d8 Add more SAP ICM paths 2016-01-05 13:05:46 +08:00
JT 913e8ec525 Update piata_ssh_userpass.txt 2016-01-05 11:28:54 +08:00
JT 713828d0b6 Add piata wordlist
Add user and pass wordlist from Piata Mass SSH scanner
2016-01-05 11:27:04 +08:00
Chris Doughty 8090bbc750 Changes to support framework as a gem 2015-12-30 11:00:45 -06:00
wchen-r7 5f5b3ec6a1 Add MS15-134 Microsoft Windows Media Center MCL Information Disclosure
CVE-2015-6127
2015-12-17 22:41:58 -06:00
dmohanty-r7 eb4611642d Add Jenkins CLI Java serialization exploit module
CVE-2015-8103
2015-12-11 14:57:10 -06:00
Brent Cook c301c7c7b0 use wav with sounds plugin for windows / linux compat 2015-12-08 16:20:44 -06:00
wchen-r7 d44224142e Update audio files 2015-11-25 23:41:18 -06:00
wchen-r7 776455d10a Add another sound and event
Add sound: "We've got a shell"
Add event on_session_fail
2015-11-25 22:46:51 -06:00
wchen-r7 af8c557fa9 Add the MP3s 2015-11-25 18:09:27 -06:00
wchen-r7 fa32f43ee4 Muts says "Try harder!" or "Excellent" for the sounds plugin
With the sounds plugin, muts will say "excellent!" when a session
is received. If a session is terminated (either exited or lost),
muts will say "try harder!"
2015-11-25 18:06:58 -06:00
scriptjunkie 8703987535 Add HTTPS and new transport support for hop 2015-11-11 21:25:23 -06:00
Louis Sato 9c347fbaae
Land #6195, remove ff buildid from os.js 2015-11-05 15:01:15 -06:00
William Vu 2f65405a4e Fix missing brace and indent level 2015-11-05 14:30:26 -06:00