461ab4501d
add 'Also known as', AKA 'AKA', to module references
2017-06-28 15:53:00 -04:00
f9493f46d7
bcole fixes
2017-06-24 14:06:11 -04:00
18410d8230
Land #8540 , Add Symantec Messaging Gateway RCE
2017-06-22 19:00:32 -05:00
4fdd77f19a
Land #8051 , Add Netgear DGN2200v1/v2/v3/v4 Command Injection Module
2017-06-22 11:46:40 -05:00
a4e8cdfa6e
msftidy fixes
2017-06-22 11:44:40 -05:00
b51fc0a34e
Land #8489 , more httpClient modules use store_valid_credential
2017-06-21 17:18:34 -05:00
e20169c428
Disable VMware hint popups
2017-06-20 11:39:57 +00:00
668aa4edaf
Use WfsDelay
2017-06-20 08:56:33 +00:00
4f6eab102f
Code cleanup
2017-06-20 00:55:33 +00:00
1bd7a0ea2a
Replace tabs with spaces
2017-06-20 00:06:50 +00:00
cf8cf564b2
Add VMware Workstation ALSA Config File Privesc module
2017-06-18 11:16:25 +00:00
8c23769cbc
Updated module to use an instance variable for using HTTP session tokens across functions.
2017-06-18 12:59:34 +10:00
19ceb53304
Modified payload handling and uploaded documentation
2017-06-18 02:04:22 +10:00
07051d1f00
Removed whitespace
2017-06-17 09:59:46 +10:00
8eb59eac3f
Stuffed up regex.. left some random $ characters floating around and have now removed them.
2017-06-17 08:03:09 +10:00
6363a319d2
Fixed Typo
2017-06-17 07:32:17 +10:00
b34bf76fea
Adding GoAutoDial RCE module
2017-06-17 07:22:41 +10:00
e005e51f05
some edits finished
2017-06-16 06:48:31 -04:00
49383f8f3a
Update and fix grammar to the CryptoLog module
...
After talking to the vendor, it appears that the PHP version of CryptoLog has been EOL'ed since 2009. It has since been replaced with an ASP.NET version, which, obviously, is no longer vulnerable to these PHP exposures.
2017-06-15 13:00:44 -05:00
46ffd250a0
module working and docs
2017-06-14 21:15:56 -04:00
c147779097
Add CVE number to the symantec-messaging-gateway-exec module
2017-06-14 23:07:58 +03:00
c35dffc648
first draft of oinkcode
2017-06-14 08:04:17 -04:00
55f0edb732
Land #8491 , fixes for service_persistence
2017-06-13 17:17:53 -05:00
6ae540d889
Adding Symantec messaging gateway rce
2017-06-10 12:23:12 +03:00
3e20296cf5
Add service_details for SSH
2017-06-08 13:28:29 -05:00
e22334343e
Use store_valid_credential in my modules
...
I used report_note because using the creds API was a pain in the ass.
2017-06-08 00:57:51 -05:00
bac17a8e80
Land #8053 , Add DC/OS Marathon UI Exploit
2017-06-06 09:29:26 -05:00
361cc2dbeb
fix newline issue and service call
2017-05-30 22:37:26 -04:00
f98b40d038
adds check on service writing before running it
2017-05-30 22:14:49 -04:00
0e145573fc
more httpClient modules use store_valid_credential
2017-05-30 14:56:05 -05:00
9c93aae412
Removed self.class from register
2017-05-30 10:07:07 -04:00
bac23757a4
Updated based on busterb comments
2017-05-30 09:33:03 -04:00
28fb5cc7da
spelling
2017-05-30 00:14:33 -05:00
e31e3fc545
add additional architectures and targets
2017-05-30 00:07:37 -05:00
66f06cd4e3
Fix small typos in comments
2017-05-28 14:40:33 -05:00
965915eb19
Fix typo, thanks!
2017-05-27 22:22:34 -05:00
38491fd7ba
Rename payloads with os+libc, shrink array inits
2017-05-27 19:50:31 -05:00
f9ecdf2b4d
Add some bonus archs for interact mode
2017-05-27 17:26:50 -05:00
41253ab32b
Make msftidy happy
2017-05-27 17:17:20 -05:00
184c8f50f1
Rework the Samba exploit & payload model to be magic.
2017-05-27 17:03:01 -05:00
78d649232b
Remove obsolete module options
2017-05-26 21:21:05 -05:00
123a03fd21
Detect server-side path, work on Samba 3.x and 4.x
2017-05-26 17:02:18 -05:00
072ab7291c
Add /tank (from ryan-c) to search path
2017-05-26 06:56:41 -05:00
1474faf909
Remove ARMLE for now, will re-PR once functional
2017-05-25 16:14:35 -05:00
2ad386948f
Small cosmetic typo
2017-05-25 16:10:37 -05:00
18a871d6a4
Delete the .so, add PID bruteforce option, cleanup
2017-05-25 16:03:14 -05:00
cf7cfa9b2c
Add check() implementation based on bcoles notes
2017-05-25 09:49:45 -05:00
0520d7cf76
First crack at Samba CVE-2017-7494
2017-05-24 19:42:04 -05:00
e3f4cc0dfd
Land #8345 , WordPress PHPMailer Exim injection
...
CVE-2016-10033
2017-05-16 15:07:21 -05:00
35670713ff
Remove budding anti-patterns to avoid copypasta
...
While it offers a better OOBE, don't set a default LHOST. Force the user
to think about what they're setting it to. Also, RequiredCmd is largely
unnecessary and difficult to determine ahead of time unless the target
is a virtual appliance or something else "shipped."
2017-05-15 12:56:14 -05:00
231510051c
Fix uri_str for exploit
2017-05-11 16:30:10 -05:00
e414bdb876
don't try to guess intent for specified default targets, leave auto-auto targeting to unspecified modules
2017-05-11 15:19:11 -05:00
30c48deeab
msftidy and misc. fixups for Quest BoF module
2017-05-11 08:07:39 -05:00
e8aed42ecd
Land #8223 , Quest Privilege Manager pmmasterd Buffer Overflow
2017-05-11 00:44:19 -05:00
18d95b6625
Land #8346 , Templatize shims for external modules
2017-05-10 18:15:54 -05:00
fede672a81
further revise templates
2017-05-08 14:26:24 -05:00
b794bfe5db
Land #8335 , rank fixes for the msftidy god
2017-05-07 21:20:33 -05:00
88bef00f61
Add more ranks, remove module warnings
...
../vmware_mount.rb
Rank = Excellent
Exploit uses check code for target availability,
the vulnerability does not require user action,
and the exploit uses privilege escalation to run
arbitrary executables
../movabletype_upgrade_exec.rb
Rank = ExcellentRanking
Exploit utilizes code injection,
has a check for availability
../uptime_file_upload_2.rb
Rank = ExcellentRanking
Exploit allows execution of arbitrary commands,
has a check for availability
../zpanel_information_disclosure_rce.rb
Rank = ExcellentRanking
Exploit allows remote code execution,
implements version check for pChart
../spip_connect_exec.rb
Rank = ExcellentRanking
Exploit utilizes code injection,
has a check for availability
../wp_optimizepress_upload.rb
Rank = ExcellentRanking
Exploit allows execution of arbitrary code,
has a check for availability
../wing_ftp_admin_exec.rb
Rank = ExcellentRanking
Exploit allows execution of arbitrary commands,
has a check for availability
../novell_mdm_lfi.rb
Rank = ExcellentRanking
Exploit allows execution of arbitrary code,
has a check for availability
../run_as.rb
Rank = ExcellentRanking
Exploit utilizes command injection,
checks system type, and does not require user action
2017-05-07 15:41:26 -04:00
ab245b5042
added note to description
2017-05-07 13:56:50 +01:00
4f12a1e271
added note to description
2017-05-07 13:54:28 +01:00
05bf16e91e
Land #8331 , Adding module CryptoLog Remote Code Execution
2017-05-05 18:24:14 -05:00
720a02f5e2
Addressing Spaces at EOL issue reported by Travis
2017-05-05 11:05:17 +03:00
58d2e818b1
Merging multiple sqli area as a func
2017-05-05 10:49:05 +03:00
81bcf2ca70
updating all LHOST to use the new opt type
2017-05-04 12:57:50 -05:00
64452de06d
Fix msf/core and self.class msftidy warnings
...
Also fixed rex requires.
2017-05-03 15:44:51 -05:00
d04e7cba10
Rename the module as well as title
2017-05-03 19:18:46 +03:00
ae8035a30f
Fixing typo and using shorter sqli payload
2017-05-03 16:45:17 +03:00
db2a2ed289
Removing space at eof and self.class from register_options
2017-05-03 01:31:13 +03:00
77acbb8200
Adding cryptolog rce
2017-05-03 01:05:40 +03:00
494711ee65
Land #8307 , Add lib for writing Python modules
2017-05-02 15:53:13 -05:00
037fdf854e
move common json-rpc bits to a library
2017-04-26 18:08:08 -05:00
a60e5789ed
update mettle->meterpreter references in modules
2017-04-26 17:55:10 -05:00
bbee7f86b5
Land #8263 , Mercurial SSH exec module
2017-04-26 01:38:01 -05:00
f60807113b
Clean up module
2017-04-26 01:37:49 -05:00
e333cb65e5
Restore require 'msf/core'
2017-04-24 17:09:02 -05:00
d3aba846b9
Make minor changes
2017-04-24 23:35:36 +02:00
8e4c093a22
added version numbers
2017-04-22 09:45:55 -04:00
714ada2b66
Inline execute_cmd function
2017-04-21 15:32:15 +02:00
8218f024e0
Add WiPG-1000 Command Injection module
2017-04-20 16:32:23 +02:00
f5430e5c47
Revert Msf::Exploit::Remote::Tcp
2017-04-18 19:27:35 -04:00
9a870a623d
Make use of Msf::Exploit::Remote::Tcp
2017-04-18 19:17:48 -04:00
03e3065706
Fix MSF tidy issues
2017-04-18 18:56:42 -04:00
32f0b57091
Fix new line issues
2017-04-18 18:52:53 -04:00
bfca4da9b0
Add mercurial ssh exec
2017-04-18 16:33:23 -04:00
1fcc1f7417
Trailing comma. Why isn't this Lua?
2017-04-18 14:27:44 -05:00
4ec71f9272
Add a reference to the original PR
...
This was the source of first public disclosure, so may as well include
it.
2017-04-18 14:20:25 -05:00
92e7183a74
Small typo fix
...
Running msfconsole would generate an Ubuntu crash report (?). This seems to be the culprit.
2017-04-17 11:14:51 -06:00
e21504b22d
huawei_hg532n_cmdinject: Use send_request_cgi() 'vars_get' key
...
Instead of rolling our own GET parameters implementation.
Thanks @wvu-r7!
2017-04-17 09:11:50 +02:00
7daec53106
huawei_hg532n_cmdinject: Improve overall documentation
...
- Add section on compiling custom binaries for the device
- Add documentation for Huawei's wget flavor (thanks @h00die)
- Abridge the module's info hash contents (thanks @wwebb-r7)
- Abridge the module's comments; reference documentation (@h00die)
2017-04-17 08:00:51 +02:00
8a302463ab
huawei_hg532n_cmdinject: Use minimum permissions for staged binary
...
Use u+rwx permissions only, instead of full 777, while staging the
wget binary to target. As suggested by @wvu-r7 and @busterb.
2017-04-17 03:27:57 +02:00
7ca7528cba
huawei_hg532n_cmdinject: Spelling fixes suggested by @wvu-r7
2017-04-17 03:23:20 +02:00
7b8e5e5016
Add Huawei HG532n command injection exploit
2017-04-15 21:01:47 +02:00
5e42dde6b6
msftidy clean up
2017-04-12 16:25:21 +01:00
374d7809b5
last fixes and tests
2017-04-11 09:48:57 +01:00
9a0789f839
Exploit for pmmasterd Buffer Overflow (CVE-2017-6553)
2017-04-05 17:59:54 +01:00
64c06a512e
Land #8020 , ntfs-3g local privilege escalation
2017-04-04 09:48:15 -05:00
4c0539d129
Land #8178 , Add support for non-Ruby modules
2017-04-02 21:02:37 -05:00
0092818893
Land #8169 add exploit rank where missing
2017-04-02 20:59:25 -04:00
151ed16c02
Re-ranking files
...
../exec_shellcode.rb
Rank Great -> Excellent
../cfme_manageiq_evm_upload_exec.rb
Rank Great -> Excellent
../hp_smhstart.rb
Rank Average -> Normal
2017-04-02 18:33:46 -04:00
e80b8cb373
move sploit.c out to data folder
2017-03-31 20:51:33 -04:00
6910cb04dd
Add first exploit written in Python
2017-03-31 17:07:55 -05:00
1ce7bf3938
Land #8126 , Add SolarWind LEM Default SSH Pass/RCE
2017-03-31 11:21:32 -05:00
c445a1a85a
Wrap ssh.loop with begin/rescue
2017-03-31 11:16:10 -05:00
5e31a32771
Add missing ranks
...
../exec_shellcode.rb
Rank = Great
This exploit is missing autodetection and version checks,
but should be ranked Great due to high number of possible targets
../cfme_manageiq_evm_upload_exec.rb
Rank = Great
This exploit implements a check to assess target availability,
and the vulnerability does not require any user action
../dlink_dcs_930l_authenticated_remote_command_execution
Rank = Excellent
Exploit utilizes command injection
../efw_chpasswd_exec
Rank = Excellent
Exploit utilizes command injection
../foreman_openstack_satellite_code_exec
Rank = Excellent
Exploit utilizes code injection
../nginx_chunked_size
Rank = Great
Exploit has explicit targets with nginx version auto-detection
../tp_link_sc2020n_authenticated_telnet_injection
Rank = Excellent
See dlink_dcs_930l_authenticated_remote_command_execution,
exploit uses OS Command Injection
../hp_smhstart
Rank = Average
Must be specific user to exploit, no autodetection,
specific versions only
2017-03-31 02:39:44 -04:00
9db2e9fbcd
Land #8146 , Add Default Secret & Deserialization Exploit for Github Enterprise
2017-03-24 14:38:47 -05:00
e04f01ed6b
Land #7778 , RCE on Netgear WNR2000v5
2017-03-23 15:34:16 -05:00
3b062eb8d4
Update version info
2017-03-23 13:46:09 -05:00
fdb52a6823
Avoid checking res.code to determine RCE success
...
Because it's not accurate
2017-03-23 13:39:45 -05:00
39682d6385
Fix grammar
2017-03-23 13:23:30 -05:00
ee21377d23
Credit Brent & Adam
2017-03-23 11:22:49 -05:00
196a0b6ac4
Add Default Secret & Deserialization Exploit for Github Enterprise
2017-03-23 10:40:31 -05:00
d37966f1bb
Remove old file
2017-03-23 12:53:08 +03:00
8a43a05c25
Change name of the module
2017-03-23 12:49:31 +03:00
a93aef8b7a
Land #8086 , Add Module Logsign Remote Code Execution
2017-03-22 11:33:49 -05:00
7bcd53d87d
Land #8079 , exploit and aux for dnaLims
2017-03-20 11:08:05 -04:00
fd5345a869
updates per pr
2017-03-20 10:40:43 -04:00
fe5167bf26
changes to file per pr
2017-03-20 10:16:42 -04:00
84e4b8d596
land #8115 which adds a CVE reference to IMSVA
2017-03-18 09:51:52 -04:00
6aa42dcf08
Add solarwinds default ssh user rce
2017-03-17 21:54:35 +03:00
f706c4d7f6
Removing prefix
2017-03-16 00:49:55 +03:00
60186f6046
Adding CVE number
2017-03-16 00:31:21 +03:00
01ea5262b8
Land #8070 , msftidy vars_get fixes
2017-03-14 12:05:24 -05:00
5c436f2867
Appease msftidy in tr064_ntpserver_cmdinject
...
Also s/"/'/g.
2017-03-14 11:52:21 -05:00
5d6a159ba9
Use query instead of uri in mvpower_dvr_shell_exec
...
I should have caught this in #7987 , @bcoles, but I forgot. Apologies.
This commit finishes what @itsmeroy2012 attempted to do in #8070 .
2017-03-14 11:51:55 -05:00
79331191be
msftidy error updated 2.5
2017-03-14 22:02:59 +05:30
67fc43a0a1
msftidy error updated 2.4
2017-03-14 21:33:53 +05:30
fe4e2306b4
Reverting one step
2017-03-13 22:22:24 +05:30
fe4f20c0cc
Land #7968 , NETGEAR R7000 exploit
2017-03-10 16:02:30 -06:00
1c54e0ba94
msftidy error updated 2.2
2017-03-10 23:59:38 +05:30
6d8789a56e
Updated msftidy error 2.1
2017-03-10 23:03:37 +05:30
c0f17cf6b8
msftidy error updated 2.0
2017-03-10 22:16:27 +05:30
f6bac3ae31
Add iso link to md file and change CheckCode code
2017-03-10 13:00:49 +03:00
0ab3ad86ee
change dnalims_file_retrieve module type
2017-03-09 10:06:31 -05:00
95a01b9f5e
add dnaLIMS exploits
2017-03-09 09:46:18 -05:00
081ca17ebf
Specify default resource in start_service
...
This eliminates the need to override resource_uri. Depends on #8078 .
2017-03-09 03:00:51 -06:00
c52b0cba5e
msftidy error on master updated
2017-03-08 20:58:01 +05:30
0f899fdb0b
Convert ARCH_CMD to CmdStager
2017-03-08 07:35:37 -06:00
7976966ce9
Issue 7923 - msftidy errors on master
2017-03-08 03:12:41 +05:30
14ed60e44d
Fix msftidy warning
2017-03-05 02:06:43 -05:00
62bcc95b7f
Update model check
2017-03-05 01:53:34 -05:00
a49c0a6824
removed trailing line
2017-03-03 11:03:25 -05:00
6a83220131
cleaned up travis errors
2017-03-03 10:49:00 -05:00
0943eb24a9
DC/OS Marathon UI Exploit
2017-03-03 09:56:14 -05:00
e0a46c2c06
Create netgear_dnslookup_cmd_exec.rb
2017-03-02 17:51:24 -05:00
fb5e090f15
fixes from jvoisin
2017-02-28 20:09:26 -05:00
e5636d6ce1
Adding logsign rce module and doc
2017-02-28 21:04:37 +03:00
e3e607a552
reword description
2017-02-26 15:24:22 -05:00
0c353841ab
forgot add fixes for travis
2017-02-25 23:25:36 -05:00
a8609f5c66
ntfs-3g lpe
2017-02-25 23:09:22 -05:00
f18b533226
change platform time to unix (although it is linux in reality but whatevs)
2017-02-24 22:58:24 +00:00
5d3a4cce67
Use all caps for module option names
2017-02-23 16:30:01 +11:00
25b3cc685a
Update netgear_r7000_cgibin_exec.rb
2017-02-22 11:36:52 -05:00
47fec5626e
Style update
2017-02-22 07:56:17 +00:00
e491f01c70
Add MVPower DVR Shell Unauthenticated Command Execution module
2017-02-22 05:15:57 +00:00
48f6740fee
Land #7969 , Add Module Trend Micro IMSVA Remote Code Execution
2017-02-21 17:29:04 -06:00
a9b9a58d4d
Land #7893 , Add Module AlienVault OSSIM/USM Remote Code Execution
2017-02-21 13:35:56 -06:00
e99ba0ea86
Msftidy stuff
2017-02-18 00:34:49 -05:00
189d5dc005
Thanks netgear
2017-02-18 00:15:45 -05:00
52350292cf
Fix msftidy warning
2017-02-17 18:41:11 -05:00
63d1de9acd
Updates from review
...
Also testing some things, line 84 and 85 mostly
2017-02-17 18:29:46 -05:00
811f6d4d58
Update netgear_r7000_cgibin_exec.rb
2017-02-16 08:38:06 -05:00
90224af813
Fix msftidy warning
2017-02-15 22:39:16 -05:00
81d63c8cc7
Create netgear_r7000_cgibin_exec.rb
2017-02-15 22:33:48 -05:00
4ee05313d8
Update tested version numbers
2017-02-08 19:31:01 +03:00
906fcfe355
OSSIM 5.0.0 version requires a authen token on action create
2017-02-03 23:45:33 +03:00
2ff170a1fa
Land #7820 , Exploit for TrueOnline Billion 5200W-T
2017-01-31 11:33:56 -06:00
f167358540
Land #7821 , Command Injection Exploit for TrueOnline ZyXEL P660HN
2017-01-31 11:28:46 -06:00
b3521dfb69
Land #7822 , Command Injection Exploit for TrueOnline P660HN v2
2017-01-31 11:22:49 -06:00
c666ac93f5
Adding xff header
2017-01-31 14:37:22 +03:00
40108c2374
first commit
2017-01-31 14:15:46 +03:00
0aceb0b1cb
Fix whitespace, thanks msftidy!
2017-01-30 10:16:42 +00:00
5fd31e621e
Add CVE number
2017-01-30 10:03:46 +00:00
ff2b8dcf99
Revert "Land #7605 , Mysql privilege escalation, CVE-2016-6664" - premature merge
...
This reverts commit 92a1c1ece49b16cdf602
2017-01-22 19:16:33 -06:00
92a1c1ece4
Land #7605 , Mysql privilege escalation, CVE-2016-6664
2017-01-22 17:17:28 -06:00
836da6177f
Cipher::Cipher is deprecated
2017-01-22 10:20:03 -06:00
c2c352c2ac
Adding Trend Micro IMSVA module
2017-01-18 11:34:16 +03:00
2dca53e19a
Add full disclosure link
2017-01-17 11:09:44 +00:00
1160a47b55
Add full disclosure link
2017-01-17 11:09:29 +00:00
c2cd26a6e1
Add full disclosure link
2017-01-17 11:09:11 +00:00
7fafade128
fix msftidy stuff v2
2017-01-12 18:06:13 +00:00
ba8dfbd9f1
fix msftidy stuff
2017-01-12 18:05:54 +00:00
f88e68da25
fix msftidy stuff
2017-01-12 18:04:58 +00:00
2274e38925
fix msftidy stuff
2017-01-12 18:03:12 +00:00
b863db9d02
add billion sploit
2017-01-12 17:51:24 +00:00
2827a7ea1a
add 660v2 sploit
2017-01-12 17:50:57 +00:00
af2516d074
add 660v1 sploit
2017-01-12 17:49:28 +00:00
c0880985bc
fix duplicate entry for platform
2017-01-10 01:17:44 +00:00
74cea5dd04
Use Linux payloads instead of cmd/unix/interact
...
As of now, cmd/unix/interact causes msfconsole to freeze, so
we can't use this.
2017-01-09 11:11:17 -06:00
e331066d6d
Add CVE-2016-6433 Cisco Firepower Management Console UserAdd Exploit
2017-01-06 17:05:25 -06:00
13bca2ebc7
add httpusername and password for auto auth
2017-01-06 16:33:51 +00:00
19319f15d4
Land #7626 , Eir D1000 modem exploit
2017-01-04 17:02:39 -06:00
d95a3ff2ac
made changes suggested
2017-01-04 23:02:10 +00:00
b0e79076fe
Switch to wget CmdStager and tune timing
...
We don't want to trample the device with requests.
2017-01-04 16:42:53 -06:00
94d76cfb06
Merge remote-tracking branch 'upstream/master' into tr-069-ntpserver-command-injection
2017-01-03 17:04:04 -06:00
fe0a3c8669
Update themoon exploit to use wget command stager
2017-01-03 15:50:57 -06:00
a9a83bc21c
fix for uninitialized constant in Net::SSH on OS X
2017-01-03 06:16:07 -05:00
3c2486b9f5
initial version of CVE-2016-7456 exploit
2017-01-03 03:39:22 -05:00
589084896a
initial version of CVE-2016-7456 exploit
2017-01-03 03:36:49 -05:00
9d3e90e8e5
cleanup
2017-01-02 17:32:38 +00:00
4c29d23c8a
further cleaning
2016-12-31 17:02:34 +00:00
Brent Cook
h00die
dmohanty-r7
Jin Qian
Brendan Coles
mccurls
Tod Beardsley
Mehmet Ince
James Lee
William Vu
Jeffrey Martin
wolfthefallen
HD Moore
William Webb
Adam Cammack
Bryan Chu
m0t
darkbushido
Brent Cook
wchen-r7
Matthias Brun
Jonathan Claudius
Nate Caroe
Ahmed S. Darwish
bwatters-r7
Pearce Barry
itsmeroy2012
flakey-biscuits
=
Carter
Pedro Ribeiro
phroxvs