6fe7bb0bb6
Increase sleep time to 10 seconds
...
Increase the wait time before removing the registry key - allows the payload to spawn successfully on slow systems.
2018-10-29 12:55:03 -04:00
b705059bca
Added channel name length check
2018-10-28 20:18:58 +00:00
60aa1181ca
Add IBM WebSphere MQ Login Bruteforce module
...
Used to bruteforce usernames that can connect to the Queue Manager. The name of a valid server-connection channel without SSL configured is required, as well as a list of usernames to try.
* IBM Downloads page: https://developer.ibm.com/messaging/mq-downloads/
* Tested on IBM MQ 7.5, 8 and 9
* Usage:
* Download and install MQ Server from the above link
* Create a new Queue Manager
* Create a new channel (without SSL)
* Allow remote connections for admin users by removing the CHLAUTH record that denies all users or configure access for a specific username.
* Run the module
2018-10-28 19:29:45 +00:00
92d5ab469c
Update ibm_mq_channel_brute.rb
2018-10-28 18:21:54 +00:00
1c340f8202
Land #10853 , Add universal targeting to Mercury/32 IMAP LOGIN exploit
2018-10-28 18:17:46 +00:00
296d9a08eb
Removing unnecessary line
...
Co-Authored-By: pkb1s <petkoutroubis@gmail.com>
2018-10-28 18:10:51 +00:00
3e3be18189
Using print_line instead of print("\n")
...
Co-Authored-By: pkb1s <petkoutroubis@gmail.com>
2018-10-28 18:10:14 +00:00
f8c829dc81
Using print_line instead of print("\n")
...
Co-Authored-By: pkb1s <petkoutroubis@gmail.com>
2018-10-28 18:10:09 +00:00
67e8a7ce13
Changing CHANNELS_FILE option type
...
Co-Authored-By: pkb1s <petkoutroubis@gmail.com>
2018-10-28 18:08:12 +00:00
f51a95465e
Changed http to https in metasploit url
...
Co-Authored-By: pkb1s <petkoutroubis@gmail.com>
2018-10-28 18:07:20 +00:00
a6135e3738
Added "increase timeout" message
2018-10-28 17:48:15 +00:00
02d9d0f006
Add IBM WebSphere MQ Queue Manager Name and MQ Version Enumeration module
...
Run this auxiliary against the listening port of an IBM MQ Queue Manager to identify its name and version. Any channel type can be used to get this information as long as the name of the channel is valid.
* IBM Downloads page: https://developer.ibm.com/messaging/mq-downloads/
* Tested on IBM MQ 7.5, 8 and 9
* Usage:
* Download and install MQ Server from the above link
* Create a new Queue Manager
* Create a new channel (without SSL)
* Run the module
2018-10-28 16:09:17 +00:00
a23cb7dfe8
Add IBM WebSphere MQ Channel Name Bruteforce module
...
Uses a dictionary to bruteforce MQ channel names. For all identified channels it also returns if SSL is used and whether it is a server-connection channel.
* IBM Downloads page: https://developer.ibm.com/messaging/mq-downloads/
* Tested on IBM MQ 7.5, 8 and 9
* Usage:
** Download and install MQ Server
** Create a Queue Manager
** Create a new channel (without SSL)
** Run the module
2018-10-28 15:22:27 +00:00
370bcaf8d8
Update mercury_login.md
2018-10-28 09:49:15 +01:00
a34310095c
Update modules/exploits/windows/imap/mercury_login.md
...
Co-Authored-By: kr3bz <44395414+kr3bz@users.noreply.github.com>
2018-10-28 09:41:29 +01:00
bfd3a17c0e
Update modules/exploits/windows/imap/mercury_login.rb
...
Co-Authored-By: kr3bz <44395414+kr3bz@users.noreply.github.com>
2018-10-28 09:41:14 +01:00
5efbefdaea
Update mercury_login.md
2018-10-28 09:37:47 +01:00
2839a73cbd
Update mercury_login.rb
2018-10-28 09:35:15 +01:00
52fee303d4
Remove the size restriction from payload_inject
2018-10-27 21:26:09 -04:00
caf76a6555
Add applicable notes to my exploit modules
2018-10-27 20:54:14 -04:00
c61737bb18
Update mercury_login.md
2018-10-27 20:52:54 +02:00
239632ca03
Update mercury_login.md
2018-10-27 20:52:24 +02:00
3cf8a01b55
Update mercury_login.md
2018-10-27 20:51:31 +02:00
965c2d5c01
Update modules/exploits/windows/imap/mercury_login.rb
...
Co-Authored-By: kr3bz <racic.ivan@gmail.com>
2018-10-26 13:37:37 +02:00
b4c005c4d4
Land #10561 , Add Windows local privilege escalation - CVE-2018-0824
...
Merge branch 'land-10561' into upstream-master
2018-10-25 13:22:31 -05:00
e1a7c35834
Clean up check_banner
2018-10-25 05:20:20 -05:00
f90992dc08
Fix typo.
2018-10-25 17:55:01 +08:00
760b14e71d
Update the version match code.
2018-10-25 15:33:54 +08:00
2ab9a003d4
Land #10864 , Add Cisco WebEx RCE Modules
2018-10-24 16:20:00 -05:00
f52cbdf9d7
Change option types
2018-10-24 16:18:17 -05:00
4ec7e41f9e
Change option type
2018-10-24 16:16:03 -05:00
e84ba62740
Cosmetic changes for local/webexec
2018-10-24 16:13:47 -05:00
16d633fabd
Remove spaces before EOL
2018-10-24 11:04:41 -04:00
3729e9ed7b
added description, references
2018-10-24 09:46:00 -05:00
2e2d742ae7
Added updated mercury_login
...
Added additional space for the payload, made recommended changes, msftidy does not produce errors, readded null byte as a badchar.
2018-10-24 11:08:37 +02:00
458f635159
Add supported payloads to module description
2018-10-24 01:30:27 -05:00
839c4e0467
Drop rank to AverageRanking for now
2018-10-24 01:30:17 -05:00
37560760df
Add RequiredCmd for generic and telnet
2018-10-24 01:23:15 -05:00
ef2854c918
Use in-memory reflection for executing the payload
...
Use to_win32pe_psh_reflection() instead of to_win32pe_psh_net() in order to reduce the amount of processes and forensic artifacts created by this module.
2018-10-23 22:12:10 -04:00
d75c599929
Use ShellExecuteA to spawn eventvwr.exe
...
Use ShellExecuteA from railgun to spawn eventvwr.exe, as opposed to cmd /c. This reduces the amount of processes generated by this module.
2018-10-23 21:52:36 -04:00
da4b424780
Fix typo in cleanup message
2018-10-23 21:33:49 -04:00
569c2e03c9
Fix exploit relics and documentation
2018-10-23 17:15:34 -05:00
67f2933b58
Make fewer assumptions about Apache
...
Returning CheckCode::Safe is too aggressive for a supplemental check.
Admins can change the directive in top-level configuration, anyway.
2018-10-23 16:26:17 -05:00
d1111ace5d
fixes
2018-10-23 17:19:14 -04:00
34ae9c38f9
added WebEx modules, arch check
2018-10-23 15:51:23 -05:00
927a29530b
Remove duplicated files
2018-10-23 12:31:18 -05:00
65c0573738
Land #10848 , improve play_youtube post module
2018-10-23 12:26:55 -05:00
e992b63520
Land #10856 , add SSL support to php meterpreter
2018-10-23 11:59:09 -05:00
be2ec76ed2
Added modified mercury_login.rb
...
Modified the script with recommendations.
2018-10-23 17:17:30 +02:00
9c49acb924
Fail scanner instead of returning
2018-10-23 10:07:38 -05:00
58a1b65e60
Update Exploit::CheckCode::Unknown
...
Brain fart.
2018-10-23 09:34:48 -05:00
899238a4e3
Update libssh_auth_bypass with command output
2018-10-23 09:34:42 -05:00
c71bbc1019
Remove spaces that msftidy caught
2018-10-23 10:13:44 -04:00
0e7259040d
Update modules/exploits/windows/imap/mercury_login.rb
...
Co-Authored-By: kr3bz <racic.ivan@gmail.com>
2018-10-23 14:32:53 +02:00
903f5e9ede
Update modules/exploits/windows/imap/mercury_login.rb
...
Co-Authored-By: kr3bz <racic.ivan@gmail.com>
2018-10-23 14:32:44 +02:00
0b37e29c9a
Update modules/exploits/windows/imap/mercury_login.rb
...
Co-Authored-By: kr3bz <racic.ivan@gmail.com>
2018-10-23 14:32:38 +02:00
43dd23042b
Update modules/exploits/windows/imap/mercury_login.rb
...
Co-Authored-By: kr3bz <racic.ivan@gmail.com>
2018-10-23 14:32:10 +02:00
bdf2d44415
Augment check with Apache Server header
2018-10-23 07:04:14 -05:00
0249f1a4af
Improve check method and refactor
2018-10-23 06:20:31 -05:00
ee3c663baf
Upgraded exploit to work on any Windows target
...
In short, added egghunter and return address of
the executable file itself, so it should work
on any windows system.
Also, upgraded to modern exploit module requirements.
2018-10-23 12:11:56 +02:00
3d06c10ad0
Link to Apache AllowOverride directive and change
2018-10-23 03:51:16 -05:00
c9673df3b8
Add WordPress Work The Flow File Upload links
...
As noted by @bcoles, we have a module exploiting this vuln in #5130 ,
though it was described as the WordPress plugin and not the asset it had
included. The vuln was "patched" in the plugin by deleting the code.
Somehow this flew under everyone's noses.
msf5 exploit(unix/webapp/wp_worktheflow_upload) > edit
msf5 exploit(unix/webapp/wp_worktheflow_upload) > git diff
[*] exec: git diff
diff --git a/modules/exploits/unix/webapp/wp_worktheflow_upload.rb b/modules/exploits/unix/webapp/wp_worktheflow_upload.rb
index 727c1936f5..2146be49ec 100644
--- a/modules/exploits/unix/webapp/wp_worktheflow_upload.rb
+++ b/modules/exploits/unix/webapp/wp_worktheflow_upload.rb
@@ -50,8 +50,7 @@ class MetasploitModule < Msf::Exploit::Remote
post_data = data.to_s
res = send_request_cgi({
- 'uri' => normalize_uri(wordpress_url_plugins, 'work-the-flow-file-upload', 'public', 'assets',
- 'jQuery-File-Upload-9.5.0', 'server', 'php', 'index.php'),
+ 'uri' => '/jQuery-File-Upload/server/php/index.php',
'method' => 'POST',
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => post_data
@@ -70,8 +69,7 @@ class MetasploitModule < Msf::Exploit::Remote
print_status("Calling payload...")
send_request_cgi(
- 'uri' => normalize_uri(wordpress_url_plugins, 'work-the-flow-file-upload', 'public', 'assets',
- 'jQuery-File-Upload-9.5.0', 'server', 'php', 'files', php_pagename)
+ 'uri' => "/jQuery-File-Upload/server/php/files/#{php_pagename}"
)
end
end
msf5 exploit(unix/webapp/wp_worktheflow_upload) > rerun
[*] Reloading module...
[*] Started reverse TCP handler on 172.28.128.1:4444
[+] Our payload is at: rLRFvlAiE.php. Calling payload...
[*] Calling payload...
[*] Sending stage (37775 bytes) to 172.28.128.3
[*] Meterpreter session 1 opened (172.28.128.1:4444 -> 172.28.128.3:54386) at 2018-10-23 03:17:59 -0500
[+] Deleted rLRFvlAiE.php
meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer : ubuntu-xenial
OS : Linux ubuntu-xenial 4.4.0-134-generic #160-Ubuntu SMP Wed Aug 15 14:58:00 UTC 2018 x86_64
Meterpreter : php/linux
meterpreter >
Welp.
2018-10-23 03:51:11 -05:00
a55f7ff30a
Clarify vuln (re)discovery vs. disclosure
...
https://www.bleepingcomputer.com/news/security/jquery-file-upload-plugin-vulnerable-for-8-years-and-only-hackers-knew/
2018-10-23 03:22:45 -05:00
b4bdc52597
Sort path list by frequency
2018-10-22 23:35:42 -05:00
dbc0c802d5
Add detection of additional paths
2018-10-22 23:35:42 -05:00
c4f8b6c937
Add rudimentary check method
2018-10-22 23:35:42 -05:00
dba7e35819
Refactor slightly with methods
...
And also check upload response.
2018-10-22 23:35:42 -05:00
e7ada1a40c
Add timeout on payload request
...
This ensures we don't block on execution.
2018-10-22 23:35:42 -05:00
15f14bb295
Add note about Apache .htaccess
2018-10-22 23:35:42 -05:00
a986a17bb0
Link to @lcashdol's PoC
2018-10-22 23:35:42 -05:00
37dbdbf58f
Update project URL to PR
2018-10-22 23:35:42 -05:00
41721c31fb
Add blueimp's jQuery (Arbitrary) File Upload
2018-10-22 23:35:42 -05:00
15e67de8fc
Add the EMBED option for play_youtube.rb
2018-10-22 19:51:41 -04:00
3ca309423a
Add check method to detect 4.3BSD fingerd
2018-10-22 18:32:37 -05:00
8459aad215
Prefer aobleq over incl/cmpl/bleq in payload
2018-10-22 18:32:37 -05:00
01d11e71db
Add Space, BadChars, Encoder, and DisableNops
2018-10-22 18:32:37 -05:00
fa892d8eba
Add Morris worm fingerd stack buffer overflow
2018-10-22 18:32:37 -05:00
8f2df4864c
Add 4.3BSD VAX reverse command shell payload
2018-10-22 18:32:37 -05:00
380aaf7889
bump payloads gem
2018-10-22 18:20:45 -05:00
e6bbc6dbd6
Land #10845 , glassfish_traversal typo fix
2018-10-22 15:32:14 -05:00
8d9bd33222
new version using Metasm
2018-10-22 16:36:04 -03:00
6125ef06ad
fix small typo
2018-10-23 00:01:13 +08:00
74683ce951
Add Windows Post Module to disable Windows Defender signatures
2018-10-21 12:07:54 -05:00
58a6c4137d
Add a better timeout than expect can provide
2018-10-20 13:56:37 -05:00
a965abaf36
Add full payload support by setting $PATH
2018-10-20 13:56:33 -05:00
60c4b87ad1
Prefer expect over sleeping between writes
2018-10-20 13:15:15 -05:00
ad6f15c8ca
Add Morris worm sendmail debug mode exploit
2018-10-20 13:15:01 -05:00
7a36056713
Move exploit/qnx/qconn_exec to exploit/qnx/qconn/qconn_exec
2018-10-20 18:16:59 +00:00
aae74472d2
Land #10817 , QNX qconn module rename
2018-10-20 03:10:22 -05:00
accf9edf89
Land #10835 , libssh fingerprint improvements
2018-10-19 19:48:23 -05:00
47353553e5
Get everything together finally (still needs cleanup)
2018-10-19 18:15:44 -05:00
a6be9e573f
Should have saved the actual file...
2018-10-19 16:30:21 -05:00
eeec3c115e
This is as far as I can take it for an exploit module
...
but it still does not work. Commiting for posterity.
2018-10-19 16:12:47 -05:00
abd425c863
Land #10819 , os_name population for ssh_login*
2018-10-19 15:53:38 -05:00
db7bd3d50c
Update style
2018-10-19 15:52:26 -05:00
2a1dec45ed
Land #10832 , TARGETURI for tomcat_utf8_traversal
2018-10-19 15:47:37 -05:00
e4c71265fb
Improve banner checking in libssh_auth_bypass
...
Now we do the right thing when libssh is patched.
2018-10-19 15:21:12 -05:00
3a02e9e80f
First release, messagebox payload for x64
2018-10-19 16:39:41 -03:00
65d26d3a1e
Use the DISPLAY environment variable when available
2018-10-19 14:35:35 -04:00
21397330f8
Refactor fortinet_backdoor copypasta
2018-10-19 00:07:18 -05:00
863ab3447f
Add libssh auth bypass module
2018-10-18 23:03:23 -05:00
3cee96d8ed
Land #10664 , add Windows SetImeInfoEx Win32k NULL Pointer Dereference
2018-10-18 14:42:14 -05:00
fac05db154
Update rescue statement
2018-10-18 14:30:20 -05:00
02c916b1b4
Update modules/auxiliary/admin/http/tomcat_utf8_traversal.rb
2018-10-19 04:16:26 +11:00
175e5e5adf
Added module TARGETURI support.
2018-10-19 03:55:45 +11:00
b3d45586db
feedback from code review
2018-10-18 12:30:46 +08:00
64e257649f
cleanup module
2018-10-18 11:45:59 +08:00
290d4428c1
create git mixin
2018-10-18 11:31:31 +08:00
063e477ff2
git submodule url exec (CVE-2018-17456)
2018-10-18 11:02:28 +08:00
d2c013001d
Update stuff
2018-10-17 17:17:05 -05:00
763506f28d
ssh_login now populates the os_name field
2018-10-16 22:02:44 -04:00
4a06fe1d4b
use store_valid_credential instead
2018-10-16 14:01:49 -04:00
a14df8d86e
Move exploit/unix/misc/qnx_qconn_exec to exploit/qnx/qconn_exec
2018-10-16 16:21:28 +00:00
9e069c95f5
add auto targeting
2018-10-15 23:26:08 -07:00
6cdfe604d4
removed exception handling for reg_file_for_handle
2018-10-15 18:29:15 -07:00
a19046dedb
Land #10793 , improve windows_defender_js_hta
2018-10-15 17:42:21 -05:00
8e442cc980
Update documenation
2018-10-15 15:45:39 -05:00
b0313dd25c
Update getgodm_http_response_bof for proper auto targets
2018-10-15 15:25:55 -05:00
ff9f3ed9ff
Add support for v5
2018-10-15 15:14:12 -05:00
5433d2cca9
Sync up upstream master
2018-10-15 14:19:07 -05:00
f78ccbf995
Indentation
2018-10-15 08:32:58 +05:30
8877582086
Land #10668 rsh stack clash solaris priv esc
2018-10-14 10:34:48 -04:00
f399b59ae4
Merge branch 'master' of https://github.com/rapid7/metasploit-framework into cisco_device_manager
2018-10-13 13:31:20 -04:00
a942654515
rescue-from-method addressed
2018-10-12 14:47:05 -05:00
26631bcfbd
addressed suggestions
2018-10-12 14:35:42 -05:00
5b14d94957
Land #10671 , struts2_namespace_ognl updates
...
There are still some outstanding concerns, but I want to unblock this.
2018-10-12 11:08:33 -05:00
2989507b85
Copy check for data_header to avoid crash
...
Variable was used but out of scope.
2018-10-12 11:06:26 -05:00
96eeaf7da3
Made few changes
...
Thank you bcoles
2018-10-12 11:47:53 +05:30
f675ba5243
password not username
2018-10-11 17:08:03 -04:00
20a376130e
cat variable name
2018-10-11 17:04:57 -04:00
7cc46df6db
add docs and update cisco_device_manager
2018-10-11 17:01:38 -04:00
a67122aaf7
updated doc, added x86_64 binary
2018-10-11 12:37:51 -05:00
521b50af55
added separate binaries, extended for x86
2018-10-11 10:43:35 -05:00
f8ad47d475
improve windows_defender_js_hta :
...
-add platform detection for jsc
-prevent cmd prompt when launching jsc
2018-10-11 17:38:47 +02:00
1da99c8bd1
Fixed syntax errors
...
Corrected redundant returns and indentation errors
2018-10-11 10:01:47 -04:00
86f7c270c6
Fixed stylistic and syntax errors
2018-10-11 09:19:35 -04:00
ed2ba1cb00
add support for ProcessName option, defaults to spoolsv.exe
2018-10-11 17:23:59 +08:00
ce848712dd
add support for ProcessName option, defaults to spoolsv.exe
2018-10-11 10:56:07 +08:00
c0aff8f134
Description update / typo fix
...
fix typo in module description (added one word)
2018-10-10 17:56:17 -04:00
04cc40136f
changed formatting, deleted post, renamed files
2018-10-10 14:41:14 -05:00
76325bd21e
fixed indentation
2018-10-10 14:18:44 -05:00
fb689da24c
Land #10335 , Add vlc_mkv exploit module
2018-10-10 13:47:08 -05:00
0f3917f540
Fixed syntax errors
2018-10-10 13:26:49 -04:00
50a7ee5e6a
Minor modifications
2018-10-10 12:22:47 -05:00
ee2c6274c7
Updating description
2018-10-10 22:26:07 +05:30
4a821101ce
Fixing cmd_exec_get_pid
2018-10-10 21:59:46 +05:30
796579e265
Use fail_with
2018-10-10 11:24:16 -05:00
4beb434054
Default Payloads
...
exploit:vlc_mkv default target payloads
2018-10-10 11:23:17 -05:00
c1c07d5c8f
Updating
...
Suggestion given by Shelby
2018-10-10 21:30:12 +05:30
8826932f72
Fix syntax errors
2018-10-10 14:39:07 +00:00
15cfeb37ea
CamelCase
2018-10-10 14:35:34 +00:00
7a048afd14
Make WritableDir an advanced option
2018-10-10 14:12:29 +00:00
dbcee56995
Fixing spaces at EOL
2018-10-10 15:10:58 +05:30
619a07fc3c
Update
2018-10-10 14:21:08 +05:30
6cdfbdd281
Land #10554 , Rescue REX runtime errors in x86 encoders
2018-10-09 22:52:48 -05:00
1cb8418b2d
Filename options
...
exploit:vlc_mkv overwrite fileformat filename method
to supply options
2018-10-09 21:15:10 -05:00
94f260f289
exploit rand_text
...
exploit:vlc_mkv use rand_text functions defined in exploit.rb
2018-10-09 21:15:05 -05:00
e07da5c518
EDB Ref Fix
...
exploit:vlc_mkv
2018-10-09 20:57:44 -05:00
26482ee6d6
Fixed EOL spaces
2018-10-09 18:30:41 -04:00
9c9cd33c34
Fixed syntax errors and inconsistencies
2018-10-09 17:45:02 -04:00
af594f6744
Merge in master
2018-10-09 12:56:31 -05:00
c86f68cb60
Minor changes to module, updated documentation.
2018-10-09 20:39:00 +06:30
4332c4cffd
Increased linemax from 128 to 2048.
2018-10-09 15:35:47 +06:30
97b398963b
Suggestions by @bcoles implemented, randomized MAC
2018-10-09 14:02:56 +06:30
e2f9fb5d8e
Updating Indentation
2018-10-09 12:52:34 +05:30
9bbd90f978
Style fixes and add full disc URL
2018-10-09 13:38:13 +07:00
78624b7020
Updated documentation and fixed the code (mostly).
2018-10-09 10:52:06 +06:30
9ec989a1bd
Address @bcoles' review in #10672
2018-10-08 14:15:21 -05:00
6e10718ed5
Format ZDI ref correctly.
2018-10-08 13:48:52 -05:00
f7d2815a01
Add a ZDI reference
2018-10-08 13:23:50 -05:00
bed497c6ae
Land #10672 , Add COMMGR Buffer Overflow module
2018-10-08 10:04:52 -05:00
0fe989b42f
Code streamlining.
2018-10-08 21:12:27 +06:30
4cc2c22026
Used a command stager, improved upon vulnerability detection and
...
generally attempted to streamline most of the code. Hardcoded one
vulnerable URI since it's the most likely to be present in all versions
of the vulnerable firmwares.
2018-10-08 20:51:58 +06:30
56a39545c6
Updating
2018-10-08 16:40:19 +05:30
097e9b8bfe
Indentation
2018-10-08 14:48:05 +05:30
b552b803bb
Still working on the HTTP stager.
2018-10-08 15:18:47 +06:30
fcb0b90d7a
Fixed numbering in the documentation steps, offed some whitespace,
...
streamlined the send_request_cgi, removed the conn_check.
2018-10-08 15:04:32 +06:30
b08c5ad597
Adding DefaultOptions
2018-10-08 13:24:48 +05:30
22d0325d33
Add placeholder for full disclosure URL
2018-10-08 12:33:36 +07:00
743a72dff6
Remove header from my own repo
2018-10-08 12:17:11 +07:00
f0443bbb57
Create cisco prime exploit
2018-10-08 12:16:24 +07:00
3340cf529c
Fixed duplicate output for check.
2018-10-08 11:19:24 +06:30
272f26640b
Added module for CVE-2016-1555 (netgear_unauth_exec)
...
and its corresponding wordlist file (netgear_boardData_paths.txt).
2018-10-08 10:22:59 +06:30
94e45b12b1
Replace cmd generation with built-in stager module
2018-10-07 10:15:10 +08:00
5951f5724e
Pass msftidy
2018-10-06 16:04:07 -05:00
da525db6e9
Updating
2018-10-07 01:54:20 +05:30
7c1fbf2c5a
Update description
2018-10-06 09:22:35 -05:00
a25a7086b2
Rename file
2018-10-06 09:20:15 -05:00
c7efd57144
Sync up with master
2018-10-06 08:27:01 -05:00
3d507250b0
Land #9745 , Update QNX iwatchd to use newer APIs
2018-10-06 05:06:42 -04:00
c9ebe5ae23
Land #9745 , Add ifwatchd QNX privilege escalation exploit module
2018-10-06 05:03:50 -04:00
89b6aafd85
Use register_file_for_cleanup
2018-10-06 04:37:04 +00:00
e2f97c75a0
Land #10616 , update Unitrends UEB module to support vulnerabilities in version 10
2018-10-05 16:20:38 -05:00
a51243ce91
Land #10745 , Update lastore_daemon_dbus_priv_esc tested versions
2018-10-05 11:35:31 -04:00
7bc98e0ea8
Fix formatting and convert a missed AKA reference
2018-10-05 03:22:08 -05:00
d9cb052189
Fix improper use of the Ruby shovel operator (<<)
...
junk would be modified and returned, and we just want to return the
concatenated string. Practically doesn't matter, but it's incorrect.
This was my first public module. I've been wanting to fix this since.
I'm noticing it again now as I look for how I used Ret in a target.
2018-10-05 02:18:06 -05:00
0f34f94496
Add back SSL options for tc-agent-xmlrpc-module
2018-10-05 15:11:13 +08:00
8ae0bcbacd
Refactor if statements to be cleaner
2018-10-05 09:48:44 +08:00
28fb27187a
Land #10418 , Add DCOM/RPC NTLM Reflection (MS16-075) Via Reflective DLL
...
Merge branch 'land-10418' into upstream-master
2018-10-04 16:54:53 -05:00
9a45c66db4
Fixed check to you know, check.
2018-10-04 16:38:35 -05:00
fe7ce02dfd
Update tested versions
2018-10-04 21:13:21 +00:00
9f30512532
Land #10707 , module traits to augment module rank
2018-10-04 13:26:14 -05:00
071aa04111
Land #10738 , Add Zahir Enterprise 6 build 10b BOF
2018-10-04 11:00:12 -05:00
fb60558777
Land #10712 , Make exploit/linux/http/axis_srv_parhand_rce more stable
2018-10-04 10:10:28 -05:00
060c68d2e0
Aligment, minor modifications
2018-10-04 10:10:09 -05:00
8b955f8ec5
Land #10704 , Navigate CMS Unauthenticated RCE
2018-10-04 06:44:21 -05:00
9f8f0b8885
Fixing carriage/spaces return at EOL
2018-10-04 15:41:46 +05:30
783789d098
Updating
2018-10-04 15:01:06 +05:30
ff0ee51da1
Land #10686 , ARGS, TIMEOUT, and output to upload_exec module
...
Merge remote-tracking branch 'upstream/pr/10686' into upstream-master
2018-10-04 04:28:02 -05:00
144c76ecd4
Latest fix based on @jrobles-r7 recommendations
...
Fixing:
- MetasploitModule class changed
- Remove the word 'exploit' from name
- Remove StackAdjustment
- Remove Privileged option
- Remove make_nops(12)
- Remove extra buffer at the end of exploit
2018-10-04 16:18:02 +07:00
991ac3c671
Fixing for msftidy
...
Fixing some format because still throw errors
2018-10-03 18:55:29 +07:00
11d9b44922
Add exploit module for TeamCity Agent XMLRPC
2018-10-03 18:33:10 +08:00
cb5d68b641
Fixing based on msftidy.rb
...
Makes msftidy happy
2018-10-03 17:13:24 +07:00
e0a664c0cd
Improve prints, use FileDropper, and bump TIMEOUT
2018-10-02 21:53:18 -05:00
428d368444
shut up, rubocop
2018-10-02 14:40:55 -05:00
64d53cd882
code cleanup
2018-10-02 14:06:25 -05:00
4927f96f61
Fixed small typo
2018-10-02 15:57:57 +02:00
97729727d8
Minor modifications
2018-10-02 06:57:04 -05:00
faae2ac2f9
Land #10725 , move post/android/gather/subinfo
2018-10-02 05:14:41 -05:00
2c0d4de70b
Land #10732 , add api key for android wlan_geolocate
2018-10-02 05:09:10 -05:00
6dd36bd8da
Land #10427 , add OSX VNC password gather module
2018-10-02 14:47:51 +08:00
b5cf682169
cleanup post/osx/gather/vnc_password_osx and add loot/credentials
2018-10-02 14:22:09 +08:00
b993d74f6c
minor tweak
2018-10-02 11:41:58 +08:00
5cfc19b804
fix post/multi/gather/wlan_geolocate on Android
2018-10-02 11:35:47 +08:00
6f5a8f8f42
Fix outdated metadata
2018-10-01 18:59:09 +01:00
a0052c7f47
Add evasion module using HTA + JavaScript + C#
2018-10-01 12:57:05 -05:00
37dc0ce64d
fix post/android/gather/subinfo.rb path
2018-10-01 16:54:46 +08:00
b678db8bb6
Remove spaces at EOL
2018-09-29 15:29:51 -04:00
ff560ee990
Add test for Zahir 0day exploit
...
Add test for Zahir 0day exploit, need to test more e.g. VirtualBox or Physical machines.
2018-09-29 18:59:14 +07:00
8d1d6ff29f
Create PureVPN Credential Collector Post Explotation Module
2018-09-28 12:00:34 -04:00
ee06ec2fda
Background a subshell to continue execution
...
This provides a more stable injection. I should have tested this sooner.
2018-09-27 23:51:42 -05:00
0dab5b622f
Change default target to cmd/unix
2018-09-27 23:39:32 -05:00
e999b4d81c
Lower rank to AverageRanking
2018-09-27 23:28:13 -05:00
7a2d0acee6
Add basic check method and move rand_srv
...
The .srv can be random each request.
2018-09-27 23:28:13 -05:00
d29d936d6f
Bump WfsDelay to 10 for this slow-ass device
2018-09-27 23:28:13 -05:00
e4256f4595
Make ENABLE_STATIC an OptBool, as I should have done in the first place
2018-09-27 17:54:22 -05:00
086e2b311b
Update constants
2018-09-27 12:31:04 -05:00
342cfe4199
Refactor again
2018-09-27 12:38:05 +02:00
82b1f40925
Add cleanup code
2018-09-27 11:17:53 +02:00
2b86297138
Refactor
2018-09-27 11:16:54 +02:00
f55483d17d
Fix incorrect session_id extraction
2018-09-27 11:07:43 +02:00
9064fac1ff
Fix code based on Will's feedback
2018-09-26 21:13:37 -05:00
583874d370
Update use of reliability/side-effects/stability metadata
2018-09-26 18:54:08 -05:00
3bda794f00
Update upload_exec with chmod
2018-09-26 18:46:43 -05:00
4adca52103
create chmod helper function
2018-09-26 18:46:42 -05:00
81d020f810
Add a couple more Unix platforms
...
This is so we don't trigger the session compatibility warning. These
platforms have been worked on most recently.
2018-09-26 18:46:42 -05:00
a119465495
Tell the user when there's blank output
2018-09-26 18:46:42 -05:00
6dd6e8abcb
Change vprint to print because we test output
...
Fewer surprises this way when people don't set VERBOSE.
2018-09-26 18:46:42 -05:00
42fab6266d
Prefer vprint_line for better formatting
2018-09-26 18:46:42 -05:00
40f19efe2c
Don't use cmd.exe /c start so we can fetch output
2018-09-26 18:46:42 -05:00
Elazar Broad
root
pkb1s
Brendan Coles
kr3bz
Spencer McIntyre
bwatters-r7
William Vu
Green-m
Wei Chen
Shelby Pace
egre55
Brent Cook
Ivan Racic
Jeffrey Martin
pasta
blue-bird1
Luisco100
Patrick Webster
Tim W
h00die
Dhiraj Mishra
amaloteaux
Alex Gonzalez
l9c
Patrick DeSantis
Jacob Robles
Imran E. Dawoodjee
Pedro Ribeiro
Tod Beardsley
Dylan Pindur
Thomas Gregory
Fabio Poloni
Rob
space-r7
Agora Security
asoto-r7
Pyriphlegethon