7b781d53c9
Small code refactoring, added verbose output
2018-03-12 07:01:03 -05:00
fe89e2d391
Corrected check method, warning in case of absence of news and TARGETURI parameter
2018-03-12 07:01:03 -05:00
f09d9a8994
Solved msftidy.rb issues
2018-03-12 07:01:02 -05:00
dbba27cc97
Fixed minor issues and added automatic detection of Patten1/Pattern2
2018-03-12 07:01:02 -05:00
63444a2c43
Corrected wrong label in password hash message
2018-03-12 07:01:02 -05:00
4a40f40c14
Typo3 News Module Sql Injection exploit
2018-03-12 07:00:45 -05:00
420905137b
CVA added.
2018-03-12 08:42:28 +03:00
d71b6bdf0d
Update syncbreeze_enterprise_dos.rb
...
msftidy.rb adjustment.
2018-03-11 23:27:46 +03:00
0e4e260a02
Adding Sync Breeze Enterprise 10.6.24 DOS
...
This module triggers a Denial of Service vulnerability in the Sync Breeze Enterprise HTTP server. Vulnerable version of the product can be downloaded here (http://www.syncbreeze.com/setups/syncbreezeent_setup_v10.6.24.exe ). After installing the software web server should be enabled via Options->Server->Enable web server on port. Module triggers a user space write access violation on syncbrs.exe memory region. Number of requests that will crash the server changes between 200-1000 depending on the OS version and system memory.
2018-03-11 23:07:50 +03:00
615f6b02af
varnish no auth file read
2018-03-09 11:25:13 -06:00
1fd0087a97
Land #7654 , varnish file read
2018-03-09 10:59:04 -06:00
a458cb9ebc
varnish file read msftidy fixes
2018-03-09 10:56:52 -06:00
037559023a
Update connect/disconnect varnish
...
[ticket: #7654 ]
2018-03-09 10:37:14 -06:00
ea78e21961
Documentation accuracy
2018-03-09 07:43:12 -06:00
9df99e8ce3
Update smb_ms17_010.rb
2018-03-09 16:10:20 +05:30
56fe70d84b
Update smb_ms17_010.rb
2018-03-09 16:07:09 +05:30
ec7a62bc4c
move ssh platforms to lib
2018-03-08 21:23:11 -05:00
478f01d0d9
fix format
2018-03-09 02:25:58 +05:30
9a8f1ace2d
Add slowloris support for IPv6 and hostnames
...
Replace manual socket creation with `socket.create_connection` to get
auto-detection goodness.
2018-03-07 17:06:04 -06:00
5a2f197c47
Remove redundant RPORT
2018-03-07 14:41:51 -06:00
e8a227b1a6
Changes as requested by jhart-r7:
...
- Default Username / Password are now random
- Doc fixed
- REST typo fixed
2018-03-07 10:48:05 +01:00
a69c2e29d2
Correct comment
2018-03-06 18:16:22 -08:00
1e04fa009f
Fix style
2018-03-06 18:13:50 -08:00
74ec9f00e7
Add WIP memcached UDP version scanner
2018-03-06 17:54:00 -08:00
e72372d6d8
Add disclosure date and correct CVE for memcached amp
2018-03-06 16:04:00 -08:00
d6871f5733
Land #9614 , Juniper post enum module
2018-03-06 10:29:56 -06:00
f6ebce2440
Update User List
2018-03-06 06:38:06 -06:00
5fde6bf5d3
Update Code
2018-03-05 22:39:16 -06:00
f2de2a7f21
Appease most of rubocop's concerns
2018-03-04 07:17:25 -08:00
2edb2dd8d0
Add CVE; clarify vuln name
2018-03-04 07:13:28 -08:00
e7a7b557bc
Randomize and doc memcached stats probe; catch multi-packet responses
2018-03-01 16:56:34 -08:00
155f45fc28
Simplify memcached amplification scanner to use UDPScanner for most of the work
2018-03-01 15:37:23 -08:00
9e1a7c869c
Use drdos mixin for memcached amp module
2018-02-27 22:51:27 -08:00
05c99ffb5c
Add Memcached amplification scanner
2018-02-28 11:24:17 +07:00
a344ffadd8
Modified Code, Added additional check
2018-02-26 07:29:08 -06:00
4e4aeb7b4d
Add GitStack v2.3.10 Unauth REST API Aux Module
2018-02-26 06:04:38 -06:00
a1587bcd68
Update smb_ms17_010.rb
2018-02-24 09:05:35 +05:30
46af6239df
Update smb_ms17_010.rb
2018-02-24 08:50:39 +05:30
9bae6246b2
Check for accessible named pipe on vuln targets
...
```
msf5 auxiliary(scanner/smb/smb_ms17_010) > run
[+] 192.168.0.2:445 - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.0.2:445 - Checking for accessible named pipes
[+] 192.168.0.2:445 - Found accessible named pipe: netlogon
[+] 192.168.0.2:445 - Found accessible named pipe: lsarpc
[+] 192.168.0.2:445 - Found accessible named pipe: samr
[+] 192.168.0.2:445 - Found accessible named pipe: browser
[+] 192.168.0.2:445 - Found accessible named pipe: atsvc
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
2018-02-24 03:20:34 +05:30
133b34827f
Fix false+ login in a few more places
2018-02-23 13:16:41 -06:00
c7bbc6eca4
juniper post enum module
2018-02-22 21:08:21 -05:00
5815b626d9
Dont save email addresses as valid
...
Also add module doc for owa_login module
2018-02-22 14:58:11 -06:00
e531dbc976
Fix bug causing all logins to appear valid
...
The headers we were looking for were a little too loose
and were incorrectly identifying all responses as successful
login attempts
2018-02-22 11:25:35 -06:00
738d6ab33a
Land #9604 , Fix logged errors when running without Python 3.6 / gmpy2
2018-02-22 08:11:30 -06:00
7e665ab287
check for extra libraries explicitly, fail gracefully
2018-02-21 21:54:58 -06:00
3880f6a65e
Finally fix "Unknown admin user ''" after 2yrs
...
The failed password auth was necessary after all. I misread the PoC. :'(
Apparently the password auth sets the username, while the backdoored
keyboard-interactive auth sets the password.
2018-02-21 20:44:35 -06:00
cc2495dd9c
Explain fortinet-backdoor -> FortinetBackdoor
2018-02-21 17:05:30 -06:00
a5d78b82d4
Add require for Net::SSH::CommandStream
2018-02-21 15:51:53 -06:00
854ac67b8e
Use start_session in fortinet_backdoor
...
Still get "Unknown admin user ''" from a shell channel request,
@busterb's more complete implementation notwithstanding.
Hoping we fix this in a subsequent commit or related PR.
Please see #6612 and #9524 .
2018-02-21 15:33:34 -06:00
78822fd799
Land #9524 , prefer 'shell' channels over 'exec' channels for ssh CommandStream
2018-02-21 06:59:09 -06:00
9cbc55ce40
Land #9593 , finger_users regex fix
2018-02-21 01:27:40 -06:00
d6206dc046
Better regex in finger_users
2018-02-20 15:48:00 -06:00
56c00a8cb6
initial OWA 2016 support
2018-02-19 21:43:49 -06:00
ac7fe99a2b
specify a python encoding for the module
2018-02-16 16:17:52 -06:00
242f2d3117
Land #9512 , Add Claymore Dual GPU Miner<= 10.5 DoS module
2018-02-16 10:46:48 -06:00
b533ec6019
Land #9509 , Ulterius Server < v1.9.5.0 Directory Traversal
...
Land #9509
2018-02-15 16:34:31 -06:00
949b474a0a
Avoid target_uri.path
...
It doesn't look like target_uri.path is suitable for this scenario,
because it causes our input to be modified and hard to use.
2018-02-15 16:31:09 -06:00
5467f4c97e
Add header
2018-02-15 16:19:54 -06:00
c4c864f391
Land #9558 , Fix #9417 , map timeout exp to a var for telnet_encrypt_overflow
2018-02-15 15:54:23 -06:00
ef948ccc38
Fix #9417 , map timeout exp to a var for telnet_encrypt_overflow
...
Fix #9417
2018-02-14 09:19:28 -06:00
7cfc17860d
udp_probe is necessary for pivot scans
2018-02-14 08:45:46 -06:00
234f5a316b
Revert "Remove old deprecated modules"
...
This reverts commit a2c5cc0ffb
2018-02-14 08:42:44 -06:00
fbeba8bfd2
Fix #9513 , Add private_type to be able to store password for Tomcat
...
If there is no :private_type, the create_credential method in
Metasploit::Credential::Creation will quietly skip the password,
which makes it look like a bug when the user is trying to view
the password from the creds command.
Fix #9513
2018-02-13 14:31:56 -06:00
fe46f635db
Changes as requested by bcoles
2018-02-13 10:54:42 +01:00
ecb5fffb0b
Typo fix: "withint" --> "within"
2018-02-13 06:20:57 +13:00
f606773096
Add module for HP iLO CVE-2017-12542 authentication bypass
2018-02-09 11:14:20 +01:00
44b08feeb0
Land #9525 , Update mysql_hashdump for MySQL 5.7 and above
2018-02-08 13:56:26 -06:00
1bb5499fce
fix whitespace
2018-02-08 13:55:40 -06:00
c642d420c2
Land #9489 , Add scanner for the Bleichenbacker oracle (AKA: ROBOT)
2018-02-08 12:55:02 -06:00
c9a3894bdb
Removed require statements
2018-02-08 12:00:47 -06:00
00ead05237
Update for MySQL 5.7 and above
...
Starting from MySQL 5.7 the password column was changed to authentication_string. I've added a check to determine the version. Tested on both MySQL 5.6 and 5.7.
2018-02-08 13:40:35 +00:00
b1d0529161
prefer 'shell' channels over 'exec' channels for ssh
...
If a command is not specified to CommandStream, request a "shell"
session rather than running exec. This allows targets that do not have a
true "shell" which supports exec to instead return a raw shell session.
2018-02-08 02:21:16 -06:00
724a0e29f6
Update Parsing, Added Rescue
2018-02-07 19:19:58 -06:00
1de8ec1073
Implemented Suggested Changes
...
Updated documentation headings and function/filename formatting.
Updated module options and formatting. Added check for file to parse.
2018-02-07 08:01:54 -06:00
0abee0303f
add change
2018-02-07 03:48:36 +08:00
278e9a92fc
add module and documentation
2018-02-06 20:30:34 +08:00
1233bb855c
msftidy checks
2018-02-05 22:54:03 -06:00
1e9e9c9be0
Ulterius Server < v1.9.5.0 Directory Traversal
...
Adds documentation and module for Ulterius Server
directory traversal vulnerability.
2018-02-05 22:50:09 -06:00
51e098da35
Add scanner for Bleichenbacher oracle (ROBOT)
2018-02-02 16:29:07 -06:00
c9473f8cbc
Land #9473 , new MS17-010 aux and exploit modules
2018-02-01 23:56:29 -06:00
812d7ca739
Update native DNS spoofer for Dnsruby
...
Fix methods relating to answer/question data structures which were
set up for Net::DNS objects in the original implementation
utilizing uppercase letters in the exact same method names.
Testing:
None yet, completely forgot i even wrote this module till i saw
it in my merge conflicts after upstream merged the PR.
2018-01-31 23:44:51 -05:00
beb4d56f7d
Land #9354 , Debut embedded httpd server (Brother printers) DoS
2018-01-31 17:03:13 -06:00
08dcb5cc49
Land #9445 fixes for ssl labs scanner module
2018-01-29 20:51:05 -05:00
237c3f7b2c
crash 10.14393... should fail to leak transaction
2018-01-28 18:52:43 -07:00
2723b328aa
misc tidying, added more randomness
2018-01-28 18:20:18 -07:00
6c2d5b1fc2
semi-completed exploit files
2018-01-28 18:13:25 -07:00
62573731fe
remove empty line
2018-01-24 20:54:21 -05:00
4be0e7f9ef
final fixes for brother debut dos
2018-01-24 20:53:08 -05:00
6caba521d3
Land #9424 , Add SharknAT&To external scanner
2018-01-24 12:40:29 -05:00
eb572a3ef5
Land #8632 , colorado ftp fixes
2018-01-23 17:45:07 -06:00
be08af5404
More Python style fixes
2018-01-23 09:17:22 -06:00
03d1523d43
Land #6611 , add native DNS to Rex, MSF mixin, sample modules
2018-01-22 23:54:32 -06:00
a6e5944ec5
fix msftidy, add nicer errors on bind failure
2018-01-22 23:37:39 -06:00
10fde42adc
Land #9431 , Fix owa_login to handle inserting credentials for a hostname
2018-01-22 16:46:39 -06:00
b12953fa85
Land #9404 , update module author
2018-01-22 16:41:50 -06:00
04d305feb3
update SSL Labs scanner with new API, be robust
...
This updates the SSL Labs scanner to know about new additions to the API, and prevents the module from breaking again just because there is new JSON in the output. I couldn't figure out how to get the Api class to print messages normally, and there is some other output that needs to be added. But the module does work again.
2018-01-22 16:32:16 -06:00
394c31c1e3
Remove NoMethod Rescue for cerberus_sftp_enumusers
...
Please see reasons in #9436
2018-01-22 11:10:23 -06:00
38d056b930
Land #9436 - Fix cerberus_sftp_enumusers undefined method start for nil
...
Land #9436
Thanks Steve!
2018-01-22 11:07:23 -06:00
85d018096b
Pass password_prompt and non_interactive to fix #8970
...
Fix #8970
2018-01-22 11:06:12 -06:00
2a6b3671bf
Add connection addr+port info to http response object.
...
Update owa_login to use this instead of doing lookups on its own.
2018-01-19 13:37:33 -06:00
8f75d3a46b
Possible fix to changes in net::ssh usage
2018-01-19 15:10:14 +00:00
e9ce2374e5
Auto-resolve target if it's a hostname (owa_login).
...
Ensures the module does save the creds which it claims to be saving. See MS-2968.
2018-01-17 16:47:21 -06:00
0f0b116751
Rename scanner bits to avoid confusion
2018-01-17 14:46:31 -06:00
c7894f1d74
Split long lines and add comments
2018-01-17 12:04:12 -06:00
37bf68869f
Add scanner for the open proxy from 'SharknAT&To'
2018-01-16 21:05:19 -06:00
736d438813
Address second round of feedback
...
Brain fart on guard clauses when I've been using them all this time...
Updating the conditions made the ternary fall out of favor.
Changed some wording in the doc to suggest the domain name for a
particular NIS server may be different from the bootparamd client's
configuration.
2018-01-13 22:55:01 -06:00
1a8eb7bf2a
Update nis_ypserv_map after bootparam feedback
...
Yes, yes, I see the off-by-one "error." It's more accurate this way.
Basically, we want to ensure there's actually data to dump.
2018-01-13 15:40:17 -06:00
c080329ee6
Update module after feedback
...
Looks like I can't decide on certain style preferences.
Not keen on using blank?, but I've used it before. Time to commit?
Also, fail_with has been fixed for aux and post since #8643 . Use it!
2018-01-13 15:40:11 -06:00
d172259f5d
umlaut
2018-01-13 16:06:11 +11:00
eb8429cbd3
Revert "umlaut"
...
This reverts commit ffd7073420
2018-01-12 22:57:22 -06:00
ffd7073420
umlaut
2018-01-13 15:48:45 +11:00
2916c5ae45
Rescue Rex::Proto::SunRPC::RPCTimeout
...
Coincidentally, this also fixes the rescue in the library, since
rescuing Timeout instead of Timeout::Error does nothing.
2018-01-12 19:34:59 -06:00
0c9f1d71d3
Add NIS bootparamd domain name disclosure
2018-01-12 19:34:53 -06:00
c65c03722c
Migrate native DNS services to Dnsruby data format
...
Dnsruby provides advanced options like DNSSEC in its data format
and is a current and well supported library.
The infrastructure services - resolver, server, etc, were designed
for a standalone configuration, and carry entirely too much weight
and redundancy to implement for this context. Instead of porting
over their native resolver, update the Net::DNS subclassed Rex
Resolver to use Dnsruby data formats and method calls.
Update the Msf namespace infrastructure mixins and native server
module with new method calls and workarounds for some instance
variables having only readers without writers. Implement the Rex
ServerManager to start and stop the DNS service adding relevant
alias methods to the Rex::Proto::DNS::Server class.
Rex services are designed to be modular and lightweight, as well
as implement the sockets, threads, and other low-level interfaces.
Dnsruby's operations classes implement their own threading and
socket semantics, and do not fit with the modular mixin workflow
used throughout Framework. So while the updated resolver can be
seen as adding rubber to the tire fire, converting to dnsruby's
native classes for resolvers, servers, and caches, would be more
like adding oxy acetylene and heavy metals.
Testing:
Internal tests for resolution of different record types locally
and over pivot sessions.
2018-01-12 05:00:00 -05:00
4b225c30fd
Land #9368 , ye olde NIS ypserv map dumper
2018-01-10 22:02:36 -06:00
f66b11f262
Nix an unneeded variable declaration
2018-01-10 20:24:02 -06:00
b66889ac86
Rescue additional errors and refactor code
...
https://jvns.ca/blog/2015/11/27/why-rubys-timeout-is-dangerous-and-thread-dot-raise-is-terrifying/
2018-01-10 20:11:25 -06:00
dd737c3bc8
Land #9317 , remove multiple deprecated modules
...
Land #9317
The following modules are replaced by the following:
auxiliary/scanner/discovery/udp_probe
is replaced by:
auxiliary/scanner/discovery/udp_sweep
exploit/unix/webapp/wp_ninja_forms_unauthenticated_file_upload
is replaced by:
exploit/multi/http/wp_ninja_forms_unauthenticated_file_upload
exploit/windows/misc/regsvr32_applocker_bypass_server
is replaced by:
exploits/multi/script/web_delivery
2018-01-10 15:47:20 -06:00
4a5a17a8e1
Add NIS ypserv map dumper
2018-01-08 14:27:53 -06:00
51e5fb450f
Detect and return on bad VNC negotiations
2018-01-05 10:12:13 -06:00
fb75cd4617
it does work!
2018-01-04 14:44:43 -05:00
7849155347
Land #9359 , Improve DCE/RPC fault handling
2018-01-03 20:42:17 -06:00
a98de2d9a3
Land #9358 , Support password protected key files
2018-01-03 15:12:28 -06:00
e23e87b444
bcoles fixes
2018-01-02 20:23:24 -05:00
086f657c56
Fix early termination of auxiliary/scanner/dcerpc/hidden
...
This commit fixes an issue, where auxiliary/scanner/dcerpc/hidden terminates directly, once an endpoint can't be reached or access is denied. Instead the next endpoint in list should be checked, instead of terminating directly.
2017-12-31 14:41:33 +01:00
f2a8d68a1f
Permit encrypted SSH keys for login scanner
...
Net::SSH::KeyFactory permits loading keys using a passphrase.
The Framework SSH modules were implemented back when we had a fork
of net-ssh in our tree, and can now use functionality provided by
the upstream gem.
Update the ssh key login scanner to add a KEY_PASS datastore
OptString which is then passed to the KeyCollection class and used
in the updated :read_key method which now calls the KeyFactory to
read data and give us the appropriate String representation of the
key in the KeyCollection's cache.
A bit of cleanup performed as well, removing legacy code paths no
longer hit by the module. Shamelessly added self to authors, fair
amount of blood and sweat in the SSH subsystem over the years, hope
nobody objects.
Testing:
None yet
2017-12-31 02:53:06 -05:00
bc0a08ef5a
a few updates per bcoles
2017-12-30 11:23:58 -05:00
7f3df74134
fixup! Adding Module for Postfixadmin CVE-2017-5930
...
Add error handling if request fails
Fix a typo in doc, add default value to doc
2017-12-30 13:04:23 +01:00
67c2119736
oh brother
2017-12-29 14:16:34 -05:00
289e887895
Adding Module for Postfixadmin CVE-2017-5930
...
This exploit allows domain admins to delete protected aliases.
It can be used to redirect aliases like abuse@domain and can aid in
further attacks.
2017-12-29 17:13:59 +01:00
8de760f1f7
Land #9348 , Only use basic auth in couchdb_enum when credentials are provided
2017-12-28 21:24:45 -06:00
c2bb144d0f
Land #9302 , Implement ARD auth and add remote CVE-2017-13872 (iamroot) module
2017-12-28 14:11:26 -06:00
fad4ccece9
Only use basic auth in couchdb_enum when credentials are provided
2017-12-27 20:16:01 -06:00
bbed7db13c
Merge branch 'upstream-master' into feature/mqtt-login
2017-12-27 13:08:44 -08:00
e6de25d63b
Land #9316 Cambium modules and mixins, tx @juushya
...
These cover several of the CVEs mentioned in
https://blog.rapid7.com/2017/12/19/r7-2017-25-cambium-epmp-and-cnpilot-multiple-vulnerabilities/
2017-12-26 12:39:51 -06:00
1bb2bb9d2c
Oops, no admin in that path
2017-12-26 12:06:45 -06:00
9af88681a2
Move deprecation out 60 days
2017-12-26 11:56:47 -06:00
038119d9df
Use of get_cookies_parsed, changing dirs, marking deprecated in 2 mods, more
2017-12-23 00:14:27 +05:30
5dfb5d581a
Switch get_cookies to get_cookies_parsed
...
Am I doing it right? See #9333
2017-12-21 09:00:56 -06:00
962bc71d10
Merge branch 'feature/mqtt' into feature/mqtt-login
2017-12-20 18:58:36 -08:00
298cb16b1a
Set default USER/PASS files
2017-12-20 18:44:43 -08:00
b9af835d06
Style
2017-12-20 18:05:00 -08:00
d0b3abc14b
Better handling of MQTT endpoints which don't require authentication
...
Arguably this is working around LoginScanner's inability to provide
blank usernames AND passwords
2017-12-20 18:02:52 -08:00
495c649c7d
Better printing
2017-12-20 14:40:42 -08:00
ed5f177fcd
syntax
2017-12-20 14:20:08 -08:00
e66ec85677
Set default u/p
2017-12-20 14:18:33 -08:00
8cd7185a7f
Land #9313 , Add DirectAdmin login_scanner module
2017-12-20 15:23:24 -06:00
7f8a5d3834
improved credential reporting
2017-12-20 15:09:11 -06:00
14c779b945
Fix rubocop warning
2017-12-20 12:44:27 -08:00
c817df0bbc
Add module for bruteforcing authentication on MQTT endpoints
2017-12-20 12:30:21 -08:00
7e91274796
Add module for connecting to/discovering MQTT endpoints
2017-12-20 12:29:50 -08:00
a8b845fff9
Land #9283 , Add node.js ws websocket library DoS module
2017-12-20 14:20:42 -06:00
9fb445fbf0
Land #9300 , Add private data type to auxiliary scanner ftp_login and telnet_login
2017-12-20 00:30:43 -06:00
216d00e39f
Use a random fname destination for /etc/passwd
2017-12-19 17:02:16 -06:00
e93282b71d
Drop calls to vprint_*
2017-12-19 16:53:02 -06:00
2dc2ac134e
Don't default verbose
2017-12-19 16:48:41 -06:00
a2c5cc0ffb
Remove old deprecated modules
2017-12-19 07:56:16 -08:00
acc6951bf3
fixed typo
2017-12-19 08:35:11 -05:00
f0df1750de
Land #9180
...
Land @RootUp's Samsung browser SOP module
2017-12-18 17:28:03 -06:00
85350a9645
Add Rapid7 blog references
2017-12-18 17:11:47 -06:00
ae4edd65e1
Hard wrap descriptions
2017-12-18 17:03:13 -06:00
27a324237b
Initial commit for Cambium issues from @juushya
...
Note, these will trigger a bunch of WARNING msftidy messages for setting
cookies directly. This is on purpose.
2017-12-18 16:32:55 -06:00
a33ed82a40
Land #9214 , @realoriginal's update to the Cisco SMI scanner to also fetch Cisco IOS configs
2017-12-18 12:22:26 -08:00
6d565b6c33
added author information
2017-12-18 09:18:36 -05:00
f447fa1a12
Added DirectAdmin Login Utillity
2017-12-17 22:43:37 -05:00
917dd8e846
Update samsung_browser_sop_bypass.rb
2017-12-16 22:10:02 +05:30
8f91377acb
Update samsung_browser_sop_bypass.rb
2017-12-16 22:09:21 +05:30
3b3b0e6e96
And this is why I hate using single quotes
...
Also, restored the store_cred call.
This will fix up RootUp/metasploit-framework#3 for PR #9180
2017-12-14 14:28:25 -06:00
0b3a5567a4
Add module for CVE-2017-13872 iamroot remote exploit via ARD (VNC)
2017-12-14 13:59:35 -06:00
384b250659
Add credential data type
...
Added credential data type so that successful passwords are stored in the database and accessible via the creds command.
2017-12-14 08:07:59 -06:00
be4939b56a
Add credential data type
...
Added credential data type so a successful ftp login stores the password in the database to be accessed later by the creds command.
2017-12-14 08:05:57 -06:00
3cd287ddd6
Update the MS17-010 scanner to use dcerpc_getarch
2017-12-14 02:08:30 -06:00
d7ad443be1
Merge branch 'master' of https://github.com/rapid7/metasploit-framework into upstream-master
2017-12-13 19:33:05 -05:00
c0a534140d
Land #9284 a regex dos for ua_parser_js npm module
2017-12-13 19:31:49 -05:00
deacebc46b
Land #9264 , Add private type when storing SSH password
...
Land #9264
2017-12-13 18:24:31 -06:00
5226181d6d
Better conditionals from @bcoles
2017-12-13 16:48:05 -06:00
966060d470
Nits picked by @bcoles: commas, quotes, and <head>
2017-12-13 16:38:17 -06:00
dd5532c5de
Addressing Formatting Issues
...
There were several formatting and layout issues
that are fixed in this commit. Also changing
`RHOSTS` to `RHOST`.
2017-12-13 14:26:27 -06:00
622050ddfc
Oops, leftover comment
2017-12-12 14:48:00 -06:00
efa46efb48
Actually save creds, or fail through sanely
...
This incidentally also allows for a custom collector to be implemented
by the user -- for example, if they'd rather pick up a session ID or
inject a browser hook or something along those lines. It's a little
clunky, using the advanced option of CUSTOM_JS, but it seems to work
fine.
2017-12-12 14:06:18 -06:00
5f70199218
Update samsung_browser_sop_bypass.rb
2017-12-12 15:52:55 +05:30
2d23054a1f
Changes as per comments
...
A few things were changed as per the PR comments:
1) The module title was reworded
2) The module description was multi-lined
3) Negative logic was rewritten to use 'unless'
4) Strings which did not require interpolation were rewritten
5) Documentation markdown was added.
2017-12-11 14:11:40 -06:00
ba174f3f92
updates per @bigendiansmalls fork
2017-12-11 14:40:09 -05:00
3c916c303d
bcoles comments from #7334
2017-12-11 14:22:44 -05:00
c5f218c84c
Addressing comments
...
1. Updated documentation
2. Made the Sec-WebSocket-Key header a random value
2017-12-11 11:49:31 -05:00
cba5c7cb0f
Rename to actually call out the browser name
2017-12-08 13:53:13 -06:00
0a9dcafb77
Actually collect the creds, sort of
...
Instead of an alert() (which the attacker won't see), this collects the
offered credentials in a POST action, and displays them in the console.
This should further store the creds somewhere handy, but this is good
enough for now for testing from @RootUp
2017-12-08 13:51:02 -06:00
aee883a706
Fixed up description to be descriptive
2017-12-08 12:24:58 -06:00
306c5d20d9
Adding ua_parser_js ReDoS Module
...
"ua-parser-js" is an npm module for parsing browser
user-agent strings. Vulnerable version of this module
have a problematic regular expression that can be exploited
to cause the entire application processing thread to "pause"
as it tries to apply the regular expression to the input.
This is problematic for single-threaded application environments
such as nodejs. The end result is a denial of service
condition for vulnerable applications, where no further
requests can be processed.
2017-12-07 10:25:29 -06:00
c992837f0d
Adding ws DoS module
...
This module verifies if ws is vulnerable
to DoS by sending a request to the server
containing a specific header value.
ws is a npm module which handles websockets.
2017-12-07 10:45:57 -05:00
b24f70c7c6
Update ssh_login.rb
...
Added credential data type so password is stored in creds.
2017-11-30 11:02:06 -06:00
283b7c5145
Add WS-Discovery Information Discovery module
2017-11-29 12:21:22 +00:00
778e69f929
Land #9229 , Randomize slowloris HTTP headers
2017-11-22 14:42:24 -06:00
ae43883e2b
Fix mongodb_login typo
2017-11-22 08:03:12 -05:00
99555dde02
sleep! per feedback
2017-11-21 21:33:29 -05:00
5484ee840e
Correct port when eating cisco config
2017-11-21 18:09:51 -08:00
bdc822c67d
Improve logging when requesting config
2017-11-21 18:09:02 -08:00
5a358db260
Clean up shutdown messaging
2017-11-21 17:55:17 -08:00
93c424c255
Remove unused
2017-11-21 17:54:31 -08:00
b0d8b0a191
Clean up incoming file handling
2017-11-21 17:54:02 -08:00
785e5944d6
Enhanced slowloris HTTP headers and minor cleanup
2017-11-21 18:19:20 -05:00
b6c81e6da0
Reimplement slowloris as external module
2017-11-21 16:21:01 -05:00
db2bd22d86
Update slow_loris.rb
2017-11-21 15:49:45 -05:00
e07fe77a69
Close sockets to resolve file handle error
2017-11-21 15:49:45 -05:00
52f56527d8
Update slow_loris.rb
2017-11-21 15:49:45 -05:00
74becb69e8
Update slow_loris.rb
2017-11-21 15:49:45 -05:00
b7bc68c843
Update slow_loris.rb
2017-11-21 15:49:44 -05:00
53123d92e2
Update slow_loris.rb
2017-11-21 15:49:44 -05:00
21a6d0bd6e
Update slow_loris.rb
2017-11-21 15:49:44 -05:00
60878215e0
Update slow_loris.rb
2017-11-21 15:49:43 -05:00
9457359b11
Update slow_loris.rb
2017-11-21 15:49:43 -05:00
29017b8926
Update slow_loris.rb
2017-11-21 15:49:43 -05:00
f79b41edde
Slow Loris
2017-11-21 15:48:11 -05:00
cfd06ab24a
what was i thinking?
2017-11-20 16:08:48 -05:00
b6e2e2aa45
adjust delay
2017-11-19 09:43:18 -05:00
1087b8ca16
cleanup
2017-11-18 20:09:29 -05:00
35567e3e23
Fix - copy system:running-config tftp://ip/file
...
Copies running config directly to TFTP server, thus removing the need to delete the file :D.
2017-11-18 13:02:12 -05:00
f84f824a71
remove ?
2017-11-17 16:15:18 -05:00
b457c60542
WORK IN PROGRESS - "GET"
...
Work in progress of GET, and PUT. PUT works fine for grabbing the configuration. GET will be used for service a config to execute commands , or the also WIP action "UPLOAD"
2017-11-17 15:36:27 -05:00
8b59c4615b
Update cisco_smart_install.rb
2017-11-17 07:09:41 -05:00
feb24efd27
add DOWNLOAD action
...
Adds DOWNLOAD function, to download config and send to attacker TFTP server.
2017-11-16 12:58:54 -05:00
4a8d32af85
Update cisco_smart_install.rb
2017-11-16 12:53:27 -05:00
2f6da89674
Change author name to nick.
2017-11-09 03:00:24 +11:00
03cd8af29a
Update browser_sop_bypass.rb
2017-11-08 12:50:49 +05:30
0c247d5635
Update browser_sop_bypass.rb
2017-11-08 12:38:37 +05:30
fc87ee08d9
Land #9060 , IBM Lotus Notes DoS (CVE-2017-1130).
2017-11-07 11:20:12 -06:00
872894f743
Update browser_sop_bypass.rb
2017-11-07 21:29:16 +05:30
2fad61101e
Update browser_sop_bypass.rb
2017-11-07 21:13:06 +05:30
3dad025b8c
Create browser_sop_bypass.rb
2017-11-07 14:24:50 +05:30
88db98c381
Update ibm_lotus_notes2.rb
2017-11-06 20:45:50 +05:30
77c13286e0
Ensure closing script tag has necessary escape.
2017-11-05 13:41:29 -06:00
87934b8194
Convert tnftp_savefile from auxiliary to exploit
...
This has been a long time coming. Fixes #4109 .
2017-11-01 17:37:41 -05:00
972f9c08eb
Land #9135 , peer print for jenkins_enum
2017-11-01 15:33:13 -05:00
77181bcc9c
Prefer peer over rhost/rport
2017-11-01 15:32:32 -05:00
0e66ca1dc0
Fix #3444/#4774, get_json_document over JSON.parse
...
Forgot to update these when I wrote new modules.
2017-11-01 15:05:49 -05:00
c36184697c
Merge pull request #9150 from bcook-r7/runtimeerror
...
Fix several broken raise RuntimeError calls in error paths
2017-10-31 14:47:42 -05:00
f1e6e7eed5
Land #9107 , add MinRID to complement MaxRID
2017-10-31 12:18:28 -05:00
aa0ac57238
use implicit RuntimeError
2017-10-31 04:53:14 -05:00
9389052f61
fix more broken RuntimeError calls
2017-10-31 04:45:19 -05:00
9c16da9c98
Update ibm_lotus_notes2.rb
2017-10-28 18:53:15 +05:30
587c9673c6
Added host and port to output
...
I added the host and port number to reporting when instances are found.
2017-10-27 09:34:49 -07:00
80aba7264c
Update ibm_lotus_notes2.rb
2017-10-25 10:33:25 +05:30
9658776adf
Land #9079 , adding @h00die's gopher scanner
2017-10-20 17:16:08 -07:00
d715f53604
add MinRID to complement MaxRID, allowing continuing or starting from a higher value
...
from @lvarela-r7
2017-10-20 15:32:25 -05:00
664e774a33
style/rubocop cleanup
2017-10-20 09:44:07 -07:00
7e338fdd8c
Land #9086 , proxying fix for nessus_rest_login
2017-10-16 11:52:04 -05:00
9597157e26
Make nessus_rest_login scanner proxy-aware again
2017-10-14 11:16:41 +02:00
f4ae2e6cdc
Make pop3_login scanner proxy-aware again
2017-10-14 11:05:54 +02:00
a63c947768
gopher proto
2017-10-12 21:32:01 -04:00
deb2d76678
Land #9058 , Add proxies back to smb_login
2017-10-12 17:31:45 -05:00
Mzack9999
Ege Balcı
Jacob Robles
Auxilus
h00die
Adam Cammack
Fab
Jon Hart
Brent Cook
xistence
James Barnett
William Vu
James Lee
Wei Chen
HD Moore
follower
Osanda Malith Jayathissa
青鸟
bluebird
RageLtMan
zerosum0x0
Matthew Kienow
Pearce Barry
Steve Embling
Brendan Coles
jgor
Aaron Soto
bka-dev
Jan-Frederik Rieckers
james
Tod Beardsley
juushya
Jeffrey Martin
Nick Marcoccio
RootUp
nromsdahl
Nicholas Starke
Ryan Knell
attackdebris
Austin
Daniel Teixeira
Patrick Webster
lvarela-r7
sho-luv
Brent Cook
Hanno Heinrichs