a7fa2941a8
Land #7597 , Added post module for accessing OSX messages database
2016-11-28 11:43:06 -06:00
4eb109b22f
Land #7609 , set SSL to true by default for cisco_nac_manager_traversal
2016-11-28 11:30:41 -06:00
5e8a47ac00
Merge upstream/master into universal handler work
2016-11-28 15:26:43 +10:00
60210f57e9
Land #7505 , fixed some targets for cisco_asa_extrabacon
2016-11-27 22:19:45 -06:00
e8158bd200
Add multi platform type, wire into the multi stage
2016-11-28 09:34:09 +10:00
8824cc990a
Use Auxilliary Actions for different behaviors.
2016-11-26 13:04:04 -06:00
0935d31de1
Changed print_status to print_good
...
Changed line 315 print type to good instead of the general status indication, so that the result output is easier to see.
2016-11-25 16:54:58 -06:00
c286c708d9
Print file contents
...
Added a print_good statement at line 63 in order to print to contents of the newly discovered robots.txt file.
2016-11-25 15:57:37 -06:00
efa191dd10
fixed some spacing
2016-11-25 11:50:56 -05:00
b4add59a3d
Moved metadata_creds() so Client can be included in Aux/Post modules
2016-11-24 21:03:38 -08:00
5fdd5a7326
More progress on http universal staged handler
2016-11-25 13:00:35 +10:00
00d9e69a98
potential double fix for #7582
2016-11-24 12:14:09 -05:00
ec020e3d07
Land #7611 , cisco_ironport_enum falsely claimed connection failed
...
Fixes #7610
2016-11-24 09:54:09 -06:00
fd11e7c4df
modified it as recommended (@brandonprry) and added Module Documentation
2016-11-24 10:36:32 +01:00
dc64f63517
Removed useless comments
2016-11-24 01:33:20 +00:00
5284e20a52
Optimised SQL vars, removed unneeded requires and changed the "exec" function name
2016-11-24 01:27:03 +00:00
65b858ac06
Fix issue 7610, cisco_ironport_enum falsely claimed connection failed.
...
Make sure we return 1 in check_conn method.
2016-11-23 14:59:07 -06:00
b7ae7a47be
Fix issue #7608 where the SSL option was not turned on by default
...
Set the SSL option to be on by default.
2016-11-23 14:45:42 -06:00
c48587066d
Added reference and minor fixes
2016-11-23 10:58:37 -08:00
0df3e17e0c
Fix the issue in MS2132 where OWA_LOGIN doesn't continue on connection error.
...
The possibility of temporary connnection disruption means this module should keep trying other user/pass pairs upon error.
2016-11-23 09:56:27 -06:00
43e1b5bdd1
Adds module to create an AWS IAM user from a pwned AWS host
2016-11-22 14:55:03 -08:00
c606eabbb9
Merge 'upstream/master' into universal-handlers
2016-11-22 14:06:46 +10:00
ce514ed3e5
Fixed broken fail_with function call and whitespace on line ending
2016-11-22 03:04:12 +00:00
e0f8d622ec
Added metasploit module for access OSX messages database
2016-11-22 02:53:38 +00:00
59f3c9e769
Land #7579 , rename netfilter_priv_esc to rename netfilter_priv_esc_ipv4
2016-11-21 17:59:29 -06:00
83a3a4e348
Fix #7463 , check nil return value when using redis_command
...
Fix #7463
2016-11-21 15:52:12 -06:00
6f8660f345
Land #7586 , NameError fix for brute_dirs
2016-11-21 14:46:19 -06:00
7b5c819430
Land #7588 , disclosure date fix for OpenNMS sploit
2016-11-21 14:01:18 -06:00
c8320d661f
Land #7590 , mixin order fix for buffalo_login
2016-11-21 13:57:27 -06:00
90d360a592
Fix the issue 7589, both RHOST and RHOSTS options are quired
...
Thanks to Will who found it's due to the order of mixin.
2016-11-21 11:06:32 -06:00
8869ebfe9b
Fix incorrect disclosure date for OpenNMS exploit
...
Disclosure date was Nov 2015, not Nov 2014
2016-11-21 16:44:36 +00:00
18b873be47
Fix the exception issue reported in issue #7585
...
Fix the exception by initialize a key variable that caused the exception.
2016-11-21 10:00:23 -06:00
6c6221445c
Land #7543 , Create exploit for CVE-2016-6563 / Dlink DIR HNAP Login
2016-11-21 09:59:50 -06:00
6ae8a2dd2e
Remove unused/empty function body
2016-11-21 17:59:49 +10:00
8c036885bc
Fix msftidy issues
2016-11-21 17:23:03 +10:00
e226047457
Merge 'upstream/master' into the bypassuac via eventvwr mod
2016-11-21 17:18:40 +10:00
0504cae21f
Land #7536 , fix get_ipv4_addr(@interface) usage
2016-11-21 01:09:05 -06:00
0a3acf57d1
update payload sizes
2016-11-20 19:47:17 -06:00
005d34991b
update architecture
2016-11-20 19:09:33 -06:00
f313389be4
Merge remote-tracking branch 'upstream/master' into land-7507-uuid-arch
2016-11-20 19:08:56 -06:00
6a35b366bc
Land #7577 , URPORT fix
2016-11-18 14:41:10 -06:00
cfd31e32c6
renaming per @bwatters-r7 comment in #7491
2016-11-18 13:52:09 -05:00
00e4a8881f
Land #7574 , Update open_proxy aux module
2016-11-18 11:41:43 -06:00
d3adfff663
Change syntax
2016-11-18 11:41:04 -06:00
f894b9a4c5
Fix typo
2016-11-18 11:39:26 -06:00
920ecf6fc5
finishing metacoms work for pdf-shaper-bo
2016-11-18 11:36:02 -06:00
8d1c718873
Land #7572 , wireshark dos typos
...
Lands mcantoni's pr for fixing typos in the
wireshark dos modules
2016-11-18 11:01:32 -06:00
4596785217
Land #7450 , PowerShellEmpire Arbitrary File Upload
2016-11-17 17:47:15 -06:00
22d70ddd09
Fix #7455 , handle the URIPORT option properly in is_uxss_injection
...
Fix #7455
2016-11-17 15:50:35 -06:00
abddeb5cd2
Land 7473, add censys search module
2016-11-17 13:44:00 -06:00
f2b9498643
Land #7576 , Fix RHOSTS use in auxiliary/scanner/ftp/titanftp_xcrc_traversal
2016-11-17 13:06:29 -06:00
c03f35ef13
Fix the hanging of module auxiliary/scanner/ftp/titanftp_xcrc_traversal.rb
...
Thanks for Wei who pointed out the error: in store_loop call, it used "rhosts", should have been ip.
2016-11-17 10:08:59 -06:00
c9b9be9328
Update open_proxy aux module
2016-11-17 15:44:03 +01:00
b3b89a57b5
Add WordPress Symposium Plugin SQL Injection module
2016-11-17 15:04:53 +01:00
30f7006b5b
Fixed typos of an old commit
2016-11-17 14:39:33 +01:00
c0af5b690d
Land #6638 , add local exploit module to execute payload w/ stealth
2016-11-16 16:25:15 -06:00
e1ff37f3eb
Title change and handling Rex::TimeoutError exception
2016-11-16 16:23:44 -06:00
18bafaa2e7
Land #7531 , Fix drb_remote_codeexec and create targets
2016-11-16 12:58:22 -06:00
be2aabb873
Merge updates to mettle stages from acammack-r7
2016-11-16 19:13:20 +10:00
7b83720b90
Bring #6638 up to date
2016-11-15 12:27:05 -06:00
f50e609d12
Land #7556 , Prevent psexec_command from dying when one host errors
2016-11-15 12:17:01 -06:00
e5d3289c18
Fix name for exception
2016-11-15 12:14:58 -06:00
b56b6a49ac
Land #7328 , Extend lsa_transname_heap exploit to MIPS
2016-11-15 07:37:19 -06:00
fa9f2b340e
def setup isn't needed
2016-11-14 15:52:02 -06:00
bab07b5691
Bring #7540 up to date
2016-11-14 14:59:21 -06:00
c458d662ed
report correct credential status as successful
2016-11-14 12:27:22 -06:00
4ae90cbbef
Land #7191 , Add exploit for CVE-2016-6267 - Trend Micro Smart Protection Server authenticated RCE.
2016-11-14 12:06:02 -06:00
4e40546958
Land #7502 , Disk Pulse Enterprise Login Buffer Overflow
2016-11-14 10:28:53 -06:00
4f323527c9
Land #7549 , Deprecate/move wp_ninja_forms_unauthenticated_file_upload
2016-11-14 03:00:02 -06:00
908713ce68
remove whitespace at end of module name
2016-11-14 08:35:34 +00:00
4e9802786c
Removed spaces causing build to fail
2016-11-13 21:46:24 -06:00
a8a09261e1
Use files for rescue error, because left is not available
2016-11-11 21:49:06 -07:00
9eb9d612ca
Minor typo fixups.
2016-11-11 16:54:16 -06:00
1dae206fde
Land #7379 , Linux Kernel BPF Priv Esc (CVE-2016-4557)
2016-11-11 16:50:20 -06:00
8e3888f20c
the template ref in this module was missed
...
when we cleaned up all the other powershell template refs
we missed the one in this module which seems to e replicating
large ammounts of library code
7533
2016-11-11 14:24:33 -06:00
2b5517f597
Land #7506 , Add gather AWS keys post module
2016-11-11 13:56:12 -06:00
db32c5fdcc
msftidy whitespace fixes
2016-11-11 10:28:37 -07:00
fddc2c221f
Catch the specific exception. Include the error code in the error message.
2016-11-11 10:24:05 -07:00
69a4a327b8
Add begin-rescue blocks that prevent individual hosts from bailing out a threaded multi-host execution
2016-11-11 10:15:36 -07:00
8cd9a9b670
Deprecate wp_ninja_forms_unauthenticated_file_upload
...
wp_ninja_forms_unauthenticated_file_upload actually supports
multiple platforms.
Instead of using:
exploit/unix/webapp/wp_ninja_forms_unauthenticated_file_upload
Please use:
exploit/multi/http/wp_ninja_forms_unauthenticated_file_upload
2016-11-10 11:17:09 -06:00
268a72f210
Land #7193 Office DLL hijack module
2016-11-08 23:15:27 -06:00
50f578ba79
Add full disclosure link
2016-11-08 22:15:19 +00:00
3c1f642c7b
Moved PPSX to data/exploits folder
2016-11-08 16:04:46 +01:00
95bd950133
Point to proper link on github
2016-11-07 17:59:29 +00:00
f268c28415
Create dlink_hnap_login_bof.rb
2016-11-07 17:45:37 +00:00
099a5984f9
Updated with style suggestions from msftidy and rubocop.
...
Also updated with commented from other contributors.
2016-11-07 10:18:52 -06:00
4eb42a9171
Fix broken ternary in phoenix_command
2016-11-07 00:12:04 -06:00
689fc28d1b
Added WinaXe 7.7 FTP client Server Ready buffer overflow
2016-11-06 23:35:16 -06:00
92964c1f95
Update phoenix_command.rb
2016-11-06 21:22:54 +01:00
2c2729f0b2
Update phoenix_command.rb
...
Coded was messed up by MS Edge, don't use it :)
2016-11-06 21:21:20 +01:00
1b4409f950
Update phoenix_command.rb
...
Style fix: replace "ractionport == nil ?" with "ractionport.nil?"
Is it OK? Did not find time to install and run rubocop ...
2016-11-06 21:15:31 +01:00
4ea9214466
Fixed a small bug
2016-11-06 16:20:55 +01:00
e9d85750c2
fix get_ipv4_addr(@interface) usage
...
get_ipv4_addr(@interface) returns a string not list, so get_ipv4_addr(@interface)[0] only got the first character of IP, which raises an error.
2016-11-06 19:04:57 +08:00
da356e7d62
Remove Compat hash to allow more payloads
2016-11-04 13:57:05 -05:00
f0c89ffb56
Refactor module and use FileDropper
2016-11-04 13:57:05 -05:00
6d7cf81429
Update references
2016-11-04 13:57:05 -05:00
009d6a45aa
Update description
2016-11-04 13:57:05 -05:00
bf7936adf5
Add instance_eval and syscall targets
2016-11-04 13:57:05 -05:00
4bf966f695
Add module to bypassuac using eventvwr
...
This module was inspired by the work done by Matt Nelson and Matt
Graeber who came up with the method in the first place. This works
nicely on a fully patched Windows 10 at the time of writing.
2016-11-05 04:41:38 +10:00
5b810fae41
Update atg_client to identify responses that indicate the command was not understood
2016-11-04 10:12:02 -07:00
ca5610ccde
Land #7511 , Update jenkins_script_console to support newer versions
2016-11-04 11:24:25 -05:00
e5ea4a53d3
Fix typo in windows cred phish module
2016-11-04 13:26:10 +10:00
b0970783ff
Another interim commit moving towards universal handlers
2016-11-04 13:25:02 +10:00
5ed030fcf6
Land #7529 , nil.downcase fix for tomcat_mgr_deploy
...
Don't think it was ever needed, since the password is case-sensitive.
Fixed a minor merge conflict where PASSWORD became HttpPassword.
2016-11-03 15:39:46 -05:00
2f8d3c3cf3
Remove the bug where downcase() is invoked on password which is optional and can be empty.
2016-11-03 15:23:19 -05:00
dae1f26313
Land #7521 , Modernize TLS protocol configuration for SMTP / SQL Server
2016-11-03 12:56:50 -05:00
eca4b73aab
Land #7499 , check method for pkexec exploit
2016-11-03 10:59:06 -05:00
1c746c0f93
Prefer CheckCode::Detected
2016-11-03 11:14:48 +01:00
2cdff0f414
Fix check method
2016-11-03 11:14:48 +01:00
5169341f62
Land #7522 , Fix psh template to avoid 100% cpu spike on CTRL+C
2016-11-02 16:40:34 -05:00
7895ba810d
Update payload cached size for the powershell payload
2016-11-03 02:50:13 +10:00
cc8c1adc00
Add first pass of multi x86 http/s payload (not working yet)
2016-11-03 02:44:53 +10:00
a651985b4f
Land #7498 , Joomla account creation and privesc
2016-11-01 22:46:36 -05:00
f414db5d6d
Clean up module
2016-11-01 22:46:28 -05:00
494b4e67bd
Refactor http/s handler & payloads
...
This commit moves much of the platform-specific logic from the
reverse_http handler down into the payloads. This makes the handler
a bit more agnostic of what the payload is (which is a good thing).
There is more to do here though, and things can be improved.
Handling of datastore settings has been changed to make room for the
ability to override the datastore completely when generating the
payloads. If a datastore is given via the `opts` then this is used
instead otherwise it falls back to the settings specified in the usual
datatstore location.
Down the track, we'll have a payload that supports multiple stages, and
the datastore will be generated on the fly, along with the stage itself.
Without this work, there's no other nice way of getting datastore
settings to be contained per-stager.
2016-11-02 11:33:59 +10:00
a924981369
Landing #7516 , X11 print fixes
2016-11-01 19:50:05 -04:00
a79f860cb7
Add UUIDs to mettle stages
2016-11-01 16:58:21 -05:00
05e2aad837
Land #7497 , Add Kerberos domain user enumeration module
2016-11-01 14:34:47 -05:00
e4b4264d79
Fix psh template to avoid 100% cpu spike on CTRL+C
...
Fixes #7293
2016-11-02 05:19:52 +10:00
1b4cef10d1
Change creds_name to Kerberos
2016-11-01 17:59:51 +00:00
31b593ac67
Land #7402 , Add Linux local privilege escalation via overlayfs
2016-11-01 12:46:40 -05:00
f8912486df
fix typos
2016-11-01 05:43:03 -05:00
47ec362148
Small fixes for dbvis enum
2016-11-01 07:35:36 +10:00
5c065459ae
print_{good,error} more specifically in open_x11
2016-10-31 11:29:00 -05:00
ffb53b7ca3
Tidy arch check in meterpreter inject
2016-11-01 01:51:12 +10:00
557424d2ec
Small tidy of the multiport_egress_traffic module
2016-11-01 01:46:58 +10:00
ec8536f7e9
Fix firefox module to use symbols where appopriate
2016-11-01 01:43:25 +10:00
b9bbb5e857
Replace regex use with direct string checks in dbvis module
2016-11-01 01:35:01 +10:00
3c57ff5c59
Avoid internal constants for bypassuac file path generation
2016-11-01 01:32:24 +10:00
6ce7352c45
Revert silly change in applocker bypass
2016-11-01 01:30:54 +10:00
3c56f1e1f7
Remove commented x64 arch from sock_sendpage
2016-11-01 01:29:11 +10:00
6b264ce6c4
Land #7508 , Fix typo PAYLOAD_OVERWRITE vs PAYLOAD_OVERRIDE
...
Fixes #7504 .
2016-10-30 17:58:43 -05:00
45d6012f2d
fix check method
2016-10-30 14:57:42 -04:00
ccce361768
Remove accidentally included debug output
2016-10-29 18:46:51 -04:00
fa7cbf2c5a
Fix the jenkins exploit module for new versions
2016-10-29 18:19:14 -04:00
f754adad0c
Fix typo PAYLOAD_OVERWRITE vs PAYLOAD_OVERRIDE
2016-10-29 11:20:32 +01:00
640827c24b
Final pass of regex -> string checks
2016-10-29 14:59:05 +10:00
57eabda5dc
Merge upstream/master
2016-10-29 13:54:31 +10:00
8b97183924
Update UUID to match detected platform, fail exploit on invalid session
2016-10-29 13:45:28 +10:00
0737d7ca12
Tidy code, remove regex and use comparison for platform checks
2016-10-29 13:41:20 +10:00
8173e87756
Add references
2016-10-28 16:12:46 -07:00
5c12d55c84
Land #7484 , Add Telpho10 Credentials Dump Exploit
2016-10-28 17:41:46 -05:00
991a3fe448
Markdown docs added.
2016-10-28 17:38:00 -05:00
96c204d1ea
Add aws_keys docs; correct description
2016-10-28 15:27:47 -07:00
751742face
Fix typo in arch check for inject script
2016-10-29 08:25:23 +10:00
1ca2fe1398
More platform/arch/session fixes
2016-10-29 08:11:20 +10:00
d918e25bde
Land #7439 , Add Ghostscript support to ImageMagick Exploit
2016-10-28 17:07:13 -05:00
7dea613507
Initial commit of module for snagging AWS key material from shell/meterpreter sessions
2016-10-28 14:48:55 -07:00
971c8207bd
Update telpho10_credential_dump.rb
...
Code improvements suggested by @h00die
2016-10-28 16:45:14 -05:00
c9574a4707
Update telpho10_credential_dump.rb
...
output correction
2016-10-28 16:44:52 -05:00
wchen-r7
OJ
Brent Cook
jjarmoc
John Q. Public
h00die
Javier Godinez
Pearce Barry
Cantoni Matteo
root
Jin Qian
William Vu
Prateep Bandharangshi
William Webb
David Maloney
Louis Sato
Brian Patterson
Brendan
Jeffrey Martin
Pedro Ribeiro
Chris Higgins
Dylan Davis
dmohanty-r7
Jenna Magius
scriptjunkie
Yorick Koster
Tijl Deneut
朱雄宇
Jon Hart
Jin Qian
Adam Cammack
attackdebris
Alex Flores
Spencer McIntyre
Konrads Smelkovs
Jan Rude