Commit Graph

4414 Commits (ddc8a4f103dc4e7e63930d6139d35a987ee756ca)

Author SHA1 Message Date
HD Moore f80b9d50f0 Prevent duplicate signatures by using http_fingerprint() without args 2014-03-23 09:59:34 -07:00
Joshua Smith 312f117262 updates file read to close file more quickly 2014-03-21 14:53:15 -04:00
Matteo Cantoni 4b2a2d4dea Improve NTP monlist auxiliary module 2014-03-21 16:39:53 +01:00
Matteo Cantoni fbcd661504 removed snmp_enum_hp_laserjet from this pull request 2014-03-21 15:58:53 +01:00
Spencer McIntyre aa26405c23 Cleanup an expression and avoid fail_with 2014-03-20 17:33:09 -04:00
sinn3r 0c4b71c8bf
Land #3094 - Joomla weblinks-categories Unauth SQLI Arbitrary File Read 2014-03-20 12:08:18 -05:00
sinn3r 93ad818358 Fix header and e-mail format for author 2014-03-20 12:07:50 -05:00
Spencer McIntyre 74398c4b6e Allow using a single URI and/or a list of URIs 2014-03-20 09:54:02 -04:00
Joshua Smith a8d919feb0 use TARGET_URI if given, otherwise TARGET_URIS_FILE 2014-03-19 23:32:04 -05:00
Brandon Perry 9b2cfb6c84 change default targeturi to something more universal 2014-03-19 21:03:50 -05:00
Brandon Perry b52a535609 add official url 2014-03-19 20:41:32 -05:00
Brandon Perry ab42cb1bff better error handling for the user 2014-03-19 18:46:57 -05:00
William Vu b79920ba8f
Land #3089, InvalidWordCount fix for smb_login
[FixRM #8730]
2014-03-19 16:12:56 -05:00
sinn3r fe0b76e24e
Land #2994 - OWA 2013 support 2014-03-19 13:16:37 -05:00
Brandon Perry 2ef2f9b47c use vars_get 2014-03-19 07:51:34 -07:00
Brandon Perry 920b2da720 Merge branch 'master' into joomla_sqli 2014-03-19 07:43:32 -07:00
xistence 8fdb5250d4 changes to smtp relay aux module 2014-03-17 15:09:29 +07:00
David Maloney da0c37cee2
Land #2684, Meatballs PSExec refactor 2014-03-14 13:01:20 -05:00
Brandon Perry a01dd48640 a bit better error message if injection works but no file 2014-03-13 13:38:43 -07:00
Brandon Perry b0688e0fca clarify LOAD_FILE perms in description 2014-03-13 13:11:27 -07:00
Brandon Perry 2734b89062 update normalize_uri calls 2014-03-13 06:55:15 -07:00
William Vu 5aad8f2dc3
Land #3088, SNMP timestamp elements fix 2014-03-13 02:22:14 -05:00
Brandon Perry 7540dd83eb randomize markers 2014-03-12 20:11:55 -05:00
Brandon Perry 3fedafb530 whoops, extra char 2014-03-12 19:54:58 -05:00
Brandon Perry aa00a5d550 check method 2014-03-12 19:47:39 -05:00
Brandon Perry 9cb1c1a726 whoops, typoed the markers 2014-03-12 10:58:34 -07:00
Brandon Perry 6636d43dc5 initial module 2014-03-12 10:46:56 -07:00
Tod Beardsley 206660ddde
Recreate the intent of cfebdae from @parzamendi-r7
The idea was to rescue on a NoReply instead of just fail, and was part
of a fix in #2656.

[SeeRM #8730]
2014-03-11 14:30:01 -05:00
sho-luv f7af9780dc
Rescue InvalidWordCount error
This is a cherry-pick of commit ea86da2 from PR #2656
2014-03-11 14:17:36 -05:00
James Lee f51ee2d6b4
snmp_enum: Treat missing timestamp elements as 0
Timestamps don't always have all the elements we expect. This treats
them as zeroes to ensure that we don't raise silly exceptions in that
case.
2014-03-11 12:44:07 -05:00
William Vu 170608e97b Fix first chunk of msftidy "bad char" errors
There needs to be a better way to go about preventing/fixing these.
2014-03-11 11:18:54 -05:00
jvazquez-r7 8cfa5679f2 More nick instead of name 2014-03-10 16:12:44 +01:00
jvazquez-r7 bc8590dbb9 Change DoS module location 2014-03-10 16:12:20 +01:00
sinn3r e32ff7c775
Land #3077 - Allow TFTP server to take a host/port argument 2014-03-08 00:58:52 -06:00
Tod Beardsley 151e2287b8
OptPath, not OptString. 2014-03-07 10:52:45 -06:00
Tod Beardsley 5cf1f0ce4d
Since dirs are required, server will send/recv
This does change some of the meaning of the required-ness of the
directories. Before, if you wanted to serve files, but not receive any,
you would just fail to set a OUTPUTPATH.

Now, since both are required, users are required to both send and
recieve. This seems okay, you can always just set two different
locations and point the one you don't want at /dev/null or something.
2014-03-07 10:49:11 -06:00
Tod Beardsley 37fa4a73a1
Make the path options required and use /tmp
Otherwise it's impossible to run this module without setting the options
which were not otherwise validated anyway.
2014-03-07 10:41:18 -06:00
Spencer McIntyre ebee365fce
Land #2742, report_vuln for MongoDB no auth 2014-03-06 19:34:45 -05:00
Spencer McIntyre 84f280d74f
Use a more descriptive MongoDB vulnerability title 2014-03-06 19:20:52 -05:00
Tod Beardsley 8a0531650c
Allow TFTP server to take a host/port argument
Otherwise you will tend to listen on your default ipv6 'any' address and
bound to udp6 port 69, assuming you haven't bothered to disable your
automatically-enabled ipv6 stack.

This is almost never correct.
2014-03-06 16:13:20 -06:00
sinn3r 7cb6e7e261
Land #3057 - MantisBT Admin SQL Injection Arbitrary File Read 2014-03-04 17:52:29 -06:00
sinn3r f0e97207b7 Fix email format 2014-03-04 17:51:24 -06:00
Brandon Perry c86764d414 update default password to root 2014-03-04 11:55:30 -08:00
Brandon Perry 2b06791ea6 updates regarding PR comments 2014-03-04 10:08:31 -08:00
Brandon Perry a3523bdcb9 Update mantisbt_admin_sqli.rb
remove extra new line and fix author line
2014-03-04 08:44:53 -06:00
Brandon Perry 98b59c4103 update desc 2014-03-03 12:40:58 -08:00
Brandon Perry c5d1071456 add mantisbt aux module 2014-03-03 12:36:38 -08:00
Tod Beardsley de6be50d64
Minor cleanup and finger-wagging about a for loop 2014-03-03 14:12:22 -06:00
William Vu fd1586ee6a
Land #2515, plaintext creds fix for John
[FixRM #8481]
2014-02-28 09:53:47 -06:00
Spencer McIntyre 12e4e0e36d Return whether result is nil or not. 2014-02-28 10:17:37 -05:00
Spencer McIntyre dfa91310c2 Support checking a single URI for ntlm information. 2014-02-28 08:47:29 -05:00
jgor 8be33f42fe Define service as udp 2014-02-27 12:53:29 -06:00
Peter Arzamendi ea5fe9ec0a Updated to use get_cookie 2014-02-27 08:52:54 -06:00
Peter Arzamendi 9e52a10f2d Set SSL to default to true and removed SSL from register_options. Updated Author to include full name 2014-02-26 20:49:03 -06:00
jvazquez-r7 bfdefdb338
Land #3023, @m-1-k-3's module for Linksys WRT120N bof reset password 2014-02-26 09:36:14 -06:00
jvazquez-r7 6ba26bf743 Use normalize_uri 2014-02-26 09:35:42 -06:00
jvazquez-r7 582372ec3e Do minor cleanup 2014-02-26 09:32:11 -06:00
jvazquez-r7 0531abb691
Land #3026, @ribeirux DoS module for CVE-2014-0050 2014-02-26 08:53:55 -06:00
jvazquez-r7 449d0d63d1 Do small clean up 2014-02-26 08:52:51 -06:00
Michael Messner b79197b8ab feedback included, cleanup, login check 2014-02-26 13:44:36 +01:00
William Vu 63bbe7bef2
Land #3034, 302 redirect for http_basic 2014-02-25 13:54:58 -06:00
William Vu 4cc91095de Fix minor formatting issues 2014-02-25 13:48:37 -06:00
kn0 6783e31c67 Used the builtin send_redirect method in Msf::Exploit::Remote::HttpServer instead of creating a redirect inline 2014-02-24 15:59:49 -06:00
ribeirux ead7cbc692 Author and URI fixed 2014-02-24 22:20:34 +01:00
kn0 f1e71b709c Added 301 Redirect option to Basic Auth module 2014-02-24 14:59:20 -06:00
William Vu 6f398f374e
Land #3032, inside_workspace_boundary? typo fix 2014-02-24 14:55:09 -06:00
James Lee d2945b55c1
Fix typo
inside_workspace_boundary() -> inside_workspace_boundary?()
2014-02-24 14:46:08 -06:00
sinn3r 5cdd9a2ff3
Land #2995 - sqlmap minor cleanup, description & file tests 2014-02-24 10:39:01 -06:00
ribeirux 8f7f1d0497 Add module for CVE-2014-0050 2014-02-22 14:56:59 +01:00
Michael Messner ec8e1e3d6f small fixes 2014-02-21 21:59:45 +01:00
Michael Messner 1384150b7a make msftidy happy 2014-02-21 21:56:46 +01:00
Michael Messner c77fc034da linksys wrt120 admin reset exploit 2014-02-21 21:53:56 +01:00
jvazquez-r7 4ca4d82d89
Land #2939, @Meatballs1 exploit for Wikimedia RCE and a lot more... 2014-02-18 17:48:02 -06:00
xistence 1864089085 removed rport definition 2014-02-17 11:32:24 +07:00
Matteo Cantoni 8a24da9eea Module to query Jboss status servlet 2014-02-15 17:46:52 +01:00
Tod Beardsley f6be574453
Slightly better file checks on sqlmap.py 2014-02-15 09:58:03 -06:00
Tod Beardsley dacbf55fc1
Minor cleanup of title and desc on sqlmap 2014-02-15 09:55:06 -06:00
Royce Davis 0e7074c139 Modififed output for smb_enumshares module 2014-02-14 13:39:13 -06:00
Royce Davis 6dc9840064 Modified output for smb_enumshares 2014-02-14 13:12:52 -06:00
Russell Sim ee3f1fc25b Record successful passwordless access to mongodb 2014-02-14 08:52:17 +11:00
Matteo Cantoni 7c860b9553 fix description 2014-02-13 21:11:50 +01:00
Peter Arzamendi 5ef40e3844 Removed bad sets on datastore['USERNAME'] and datastore['PASSWORD'] 2014-02-12 13:31:03 -06:00
Peter Arzamendi 2b8a8259f9 Updates to support OWA 2013 and some syntax changes 2014-02-12 09:40:49 -06:00
xistence 6944c54d13 Added EXTENDED option to smtp_relay 2014-02-12 15:44:53 +07:00
jvazquez-r7 79d559a0c9 Fix MIME message to_s 2014-02-10 22:23:23 -06:00
Tod Beardsley 1236a4eb07
Fixup on description and some option descrips 2014-02-10 14:41:59 -06:00
sinn3r 8a8bc74687
Land #2940 - DoliWamp 'jqueryFileTree.php' Traversal Gather Credentials 2014-02-10 13:49:02 -06:00
sinn3r 306b31eee3
Small changes before merging 2014-02-10 13:47:31 -06:00
xistence 02fb84db20 Changed dns_amp to avoid false positives 2014-02-10 17:13:06 +07:00
jvazquez-r7 ac52edabd5
Land #2801, Land @kicks4kittens IBM Sametime modules 2014-02-06 10:17:03 -06:00
jvazquez-r7 30c325c22e Make better json check 2014-02-06 10:16:26 -06:00
kicks4kittens 564f9bccc8 Correct print output
Printing the room details is the purpose of the module.
Reinstated printing the table in non-verbose mode (users won't know it's there otherwise)
2014-02-05 22:00:02 +01:00
kicks4kittens 445cd7be5a remove "on {peer}
line already includes {peer} info
2014-02-05 21:57:58 +01:00
kicks4kittens 4c0c9101aa Correct check, reinstate print
Corrected JSON check (response is empty, but valid JSON on check success)
Reinstated print to warn user (not only in VERBOSE)
2014-02-05 21:56:56 +01:00
kicks4kittens 60cf68f899 added default SSL 2014-02-05 21:54:02 +01:00
kicks4kittens 3560b41eb2 correct variable name
body isn't valid, replaced with res.body and tested
2014-02-05 21:51:55 +01:00
kicks4kittens 38add0ab50 alter print_status
Altered print_status to print_good to differentiate when user is online easier
2014-02-05 21:49:39 +01:00
sinn3r 89e1bcc0ca Deprecate modules with date 2013-something
These modules had an expiration date of 2013.
2014-02-04 14:49:18 -06:00
William Vu a58698c177
Land #2922, multithreaded check command 2014-02-04 11:21:05 -06:00
jvazquez-r7 cccf2e4258
Land #2926, @xistence A10 Networks Loadbalancer dir traversal module 2014-02-04 07:28:51 -06:00
jvazquez-r7 cc09367c62 Change the datastore name option 2014-02-04 07:28:14 -06:00
jvazquez-r7 ffd90a3d38 Add confirmation datastore option 2014-02-03 12:40:58 -06:00
Tod Beardsley 9953821451
Fix desc on Drupal module, some peer prints 2014-02-03 12:16:06 -06:00
bcoles 9b9b2fab58 Add DoliWamp 'jqueryFileTree.php' Traversal Gather Credentials module 2014-02-04 02:00:11 +10:30
jvazquez-r7 a92256e8d1 Clean a10networks_ax_directory_traversal 2014-02-03 08:41:23 -06:00
jvazquez-r7 53c2a737e9 Don't register rport again 2014-01-31 09:42:41 -06:00
jvazquez-r7 452042e757
Land #2925, @xistence aux module for Support Center Plus traversal 2014-01-31 09:38:01 -06:00
jvazquez-r7 e9f04d9203 Do final cleanup for Support Center Plus module 2014-01-31 09:37:40 -06:00
jvazquez-r7 32c5d77ebd
Land #2918, @wvu's fix for long argument lists 2014-01-31 08:49:22 -06:00
xistence e81a0ed22b Changes as requested for SupportCenterPlus module 2014-01-31 13:28:45 +07:00
William Vu 56287e308d Clean up unused variables 2014-01-30 11:20:21 -06:00
xistence 8ac0ef396e Added DNS recursion amplification scanner 2014-01-29 14:21:21 +07:00
xistence d3be54fed6 Added Extended SMTP Open Relay aux module 2014-01-29 13:46:54 +07:00
xistence c8296298b3 added A10Networks AX loadbalancer Dir Traversal Auxiliary Module 2014-01-28 16:37:25 +07:00
xistence 32d7f15a5c added ManageEngine Support Center Plus directory traversal auxiliary module 2014-01-28 15:45:23 +07:00
jvazquez-r7 f766a74150
Land #2920, @wvu-r7's author metadata update for printer aux modules 2014-01-27 13:02:31 -06:00
William Vu d19e9307c6 Fix missing colon in :caller_host symbol
Good catch, @jvazquez-r7!
2014-01-27 12:43:59 -06:00
jvazquez-r7 0dbaeb6742 Add Matteo's email 2014-01-27 08:40:44 -06:00
sinn3r f471f50092 ms08_067_check.rb is deprecated.
[SeeRM #8755]
2014-01-26 12:22:13 -06:00
William Vu 52371be52a Clarify why contributors are listed as authors
Also adding @mcantoni to the list of authors. Sorry we missed you!

Dear contributors,

Even though we weren't able to use your code, we absolutely appreciate
that you wrote it. That's why we're listing you as authors. Thanks!!!

https://dev.metasploit.com/redmine/issues/6034
https://dev.metasploit.com/redmine/issues/5217
https://dev.metasploit.com/redmine/issues/6864
2014-01-25 18:02:17 -06:00
Matteo Cantoni f18fef1864 Module to HP LaserJet Printer SNMP Enumeration 2014-01-25 15:48:13 +01:00
William Vu eaeb2af97f Use opts hash for h323_version
https://dev.metasploit.com/redmine/issues/8498
2014-01-24 20:32:37 -06:00
sinn3r f7ecae3f75
Land #2909 - Drupal OpenID External Entity Injection 2014-01-24 15:03:07 -06:00
sinn3r c8e2301111 Be more informative about why CheckCode::Unknown
This is just kind of personal preference here. In case users wonder
why Unknown.
2014-01-24 15:01:52 -06:00
Tod Beardsley 82bf02910d
Land #2911, correct author name for PJL credit 2014-01-24 11:00:12 -06:00
jvazquez-r7 fdaa172cc5
Land #2896, @wchen-r7's check's normalization for auxiliary modules 2014-01-24 08:53:53 -06:00
jvazquez-r7 e8b591ef54 Delete registering of check on bailiwicked modules 2014-01-24 08:47:04 -06:00
sinn3r 9ba72ffc71 Remove check support
Actually, you can't support check because in check mode the module
doesn't know the IP
2014-01-23 21:30:11 -06:00
sinn3r dc52d00be6 Modify vmware_http_login to work with check 2014-01-23 21:27:36 -06:00
jvazquez-r7 cf17bf2e72 Small fix 2014-01-23 19:34:50 -06:00
jvazquez-r7 43de7eb74f Use REXML 2014-01-23 19:32:42 -06:00
William Vu a67068f019 Correct author name
Was using the name quoted in Redmine. Technically, the author is Myo Soe
of the YGN Ethical Hacker Group (YEHG).
2014-01-23 19:09:20 -06:00
jvazquez-r7 5a59e3d4e4 Fix typo 2014-01-23 18:53:58 -06:00
jvazquez-r7 f529eb1d4b Clean code 2014-01-23 18:51:24 -06:00
jvazquez-r7 8e17d38c77 Add check method 2014-01-23 18:30:18 -06:00
jvazquez-r7 b0deb45fad Add Drupal advisory as reference 2014-01-23 18:10:57 -06:00
jvazquez-r7 6d0d7eda10 Delete garbage comment 2014-01-23 18:09:05 -06:00
jvazquez-r7 72b72effa6 Add module for CVE-2012-4554 2014-01-23 18:04:31 -06:00
sinn3r 7faa41dac0 Change Unknown to Safe because it's just a banner check 2014-01-23 15:36:19 -06:00
sinn3r 81a3b2934e Fix prints 2014-01-23 15:33:24 -06:00
sinn3r f5a935a186 Support check for bailiwicked_host 2014-01-23 15:31:37 -06:00
sinn3r 8d411d2037 Fix bailiwicked_domain to allow support of check() 2014-01-23 15:29:40 -06:00
Tod Beardsley f5809423a3
Let's spell right in my spellcheck PR
Updates #2900
2014-01-21 15:57:59 -06:00
Tod Beardsley b3b51eb48c
Pre-release fixup
* Updated descriptions to be a little more descriptive.

  * Updated store_loot calls to inform the user where the
loot is stored.

  * Removed newlines in print_* statments -- these will screw
up Scanner output when dealing with multiple hosts.

Of the fixed newlines, I haven't see any output, so I'm not sure what
the actual message is going to look like -- I expect it's a whole bunch
of newlines in there so it'll be kinda ugly as is (not a blocker for
this but should clean up eventually)
2014-01-21 13:29:08 -06:00
sinn3r 5025736d87 Fix check for modicon_password_recovery 2014-01-19 17:20:20 -06:00
sinn3r a239e14084 Fix nodejs_popelining check 2014-01-19 17:06:35 -06:00
sinn3r 7080bb336c Update ColdFusion check 2014-01-19 17:05:03 -06:00
sinn3r 4fdd2c19a1 Update vbulletin check 2014-01-19 16:54:27 -06:00
sinn3r 0a8aa07131 Fix check method
This isn't a check, so shouldn't be using the check method
2014-01-19 16:47:15 -06:00
jvazquez-r7 01ab6fd545 Do small fixes 2014-01-17 17:59:03 -06:00
jvazquez-r7 5ec062ea1c Beautify print message 2014-01-17 17:42:26 -06:00
jvazquez-r7 d96772ead1 Clean multi-threading on ibm_sametime_enumerate_users 2014-01-17 17:38:16 -06:00
jvazquez-r7 bb3d9da0bb Do first cleaning on ibm_sametime_enumerate_users 2014-01-17 16:33:25 -06:00
jvazquez-r7 584401dc3f Clean ibm_sametime_room_brute code 2014-01-17 15:57:12 -06:00
jvazquez-r7 4d079d47b8 Enable SSL by default 2014-01-17 15:34:33 -06:00
jvazquez-r7 277711b578 Fix metadata 2014-01-17 15:31:51 -06:00
jvazquez-r7 10fd5304ce Parse response body just one time 2014-01-17 15:17:25 -06:00
jvazquez-r7 fe64dbde83 Use rhost and rport methods 2014-01-17 14:49:50 -06:00
jvazquez-r7 5e8ab6fb89 Clea ibm_sametime_version 2014-01-17 12:23:11 -06:00
jvazquez-r7 bce321c628 Do response handling a little better, fake test 2014-01-17 11:02:35 -06:00
jvazquez-r7 11d613f1a7 Clean ibm_sametime_webplayer_dos 2014-01-17 10:52:42 -06:00
jvazquez-r7 51b3d164f7 Move the DoS module to the correct location 2014-01-17 09:30:51 -06:00
sinn3r a1eba03d1f
Land #2725 - Rex::Proto::PJL plus modules 2014-01-16 15:57:38 -06:00
William Vu 9bf90b836b Add environment variables support 2014-01-16 14:53:25 -06:00
William Vu 311704fc0a Perform final cleanup 2014-01-15 13:49:37 -06:00
kicks4kittens d0d82fe405 Fixed code issues as requested in PR2801
Mostly coding style issues
Re-tested in testbed - output as expected
2014-01-15 13:53:14 +01:00
kicks4kittens 87648476e1 Fixed code issues as requested in PR2801
Mostly coding style issues
Re-tested in testbed - output as expected
2014-01-15 13:52:45 +01:00
kicks4kittens 55d4ad1b6a Fixed code issues as requested in PR2801
Mostly coding style issues
Re-tested in testbed - output as expected
2014-01-15 13:51:19 +01:00
jvazquez-r7 0b1671f1b8 Undo debugging comment 2014-01-14 17:02:30 -06:00
jvazquez-r7 6372ae6121 Save some parsing 2014-01-14 17:00:00 -06:00
Matt Andreko 2d40f936e3 Added some additional creds that were useful 2014-01-13 23:15:51 -05:00
Matt Andreko 42fb8c48d1 Fixed the credential parsing and made output consistent
So in the previous refactor, we made the dedicated method to parse
usernames and passwords from the split up config values. However, that
didn't work, because on a single iteration of the loop, you only have
access to a possible username OR password. The other matching key will
be another iteration of the loop. Because of this, no credential pairs
were being reported.

The only way I can see around this (maybe because I'm a ruby newb) would
be to iterate over configs, and if the user or password regex matches,
add the matching value to a hash, which is identified by a key for both
user & pass. Then upon completion of the loop, it'd iterate over the
hash, finding keys that had both user & pass values.
2014-01-13 22:57:25 -05:00
William Vu 7c52f9b496 Update description to use %q{} 2014-01-13 14:42:25 -06:00
William Vu 61b30e8b60
Land #2869, pre-release title/desc fixes 2014-01-13 14:29:27 -06:00
Tod Beardsley 207e9c413d
Add the test info for sercomm_dump_config 2014-01-13 14:27:03 -06:00
jvazquez-r7 fe6d10ac5d
Land #2852, @mandreko's scanner for OSVDB 101653 2014-01-13 14:07:07 -06:00
Tod Beardsley 671027a126
Pre-release title/desc fixes 2014-01-13 13:57:34 -06:00
jvazquez-r7 8c3a71a2e7 Clean sercomm_backdoor scanner according to feedback 2014-01-13 13:53:47 -06:00
jvazquez-r7 95a5d12345 Merge #2835, #2836, #2837, #2838, #2839, #2840, #2841, #2842 into one branch 2014-01-13 10:57:09 -06:00
jvazquez-r7 4a64c4651e
Land #2822, @mandreko's aux module for OSVDB 101653 2014-01-09 15:15:37 -06:00
jvazquez-r7 410302d6d1 Fix indentation 2014-01-09 15:14:52 -06:00
Matt Andreko b1073b3dbb Code Review Feedback
Removed the parameters from get() since it works without them
2014-01-09 15:54:23 -05:00
William Vu d69b658de0
Land #2848, @sho-luv's MS08-067 scanner 2014-01-09 14:39:25 -06:00
Matt Andreko 2a0f2acea4 Made fixes from the PR from jvazquez-r7
The get_once would *only* return "MMcS", and stop. I
modified it to be a get(3, 3). Additionally, the command
length was set to 0x01 when it needed to be 0x00.
2014-01-09 15:33:04 -05:00
William Vu fc616c4413 Clean up formatting 2014-01-09 14:16:31 -06:00
Matt Andreko 93668b3286 Code Review Feedback
Made it less verbose, converting to vprint_error
2014-01-09 14:53:33 -05:00
jvazquez-r7 be6958c965 Clean sercomm_dump_config 2014-01-09 13:42:11 -06:00
Matt Andreko e21c97fd4d Added missing metadata
Add credit where due
Add disclosure date and references
2014-01-09 14:33:54 -05:00
Matt Andreko 9456d26467 Added Scanner module for SerComm backdoor 2014-01-09 14:25:28 -05:00
Matt Andreko 01c5585d44 Moved auxiliary module to a more appropriate folder 2014-01-09 10:17:26 -05:00
Matt Andreko d9e737c3ab Code Review Feedback
Refactored the configuration settings so that creds could be reported to
the database more easily, while still being able to print general
configuration settings separately.
2014-01-09 10:14:34 -05:00
Matt Andreko 81adff2bff Code Review Feedback
Changed datastore['rhost'] to rhost
Made the array storing configuration values into a class const
Moved superfluous array look-over to not be executed unless in verbose
mode
2014-01-09 09:19:13 -05:00
William Vu 7fd4935263 Make the module output prettier 2014-01-09 01:03:01 -06:00
William Vu 27f079ad7c Move {begin,end}_job from libs to modules 2014-01-09 01:03:01 -06:00
William Vu 131bfcaf41 Refactor away leftover get_rdymsg 2014-01-09 01:03:01 -06:00
William Vu d3bbe5b5d0 Add filesystem commands and new PoC modules
This commit also refactors some of the code.
2014-01-09 01:03:01 -06:00
William Vu af66310e3a Address @jlee-r7's comments 2014-01-09 01:03:01 -06:00
William Vu bab32d15f3 Address @wchen-r7's comments 2014-01-09 01:03:00 -06:00
William Vu 1c889beada Add Rex::Proto::PJL and PoC modules 2014-01-09 01:03:00 -06:00
sho-luv a8fcf13972 Added credits and clean initialize
Added wvu to creds as he did most of work. ;)
2014-01-08 21:16:09 -05:00
William Vu 8993c74083 Fix even moar outstanding issues 2014-01-08 19:38:54 -06:00
William Vu 1dd29d3b64 Fix moar outstanding issues 2014-01-08 18:11:18 -06:00
William Vu 945a2a296a Fix outstanding issues 2014-01-08 17:09:41 -06:00
sho-luv 35ac9712ab Added auxiliary check for MS08_067
I simply copied the check from ms08_0867_netapi.rb and put them in
a auxiliary check so I could scan for it. This was done because
Nmap's check is not safe and this is more stable.
2014-01-08 16:41:44 -05:00
Niel Nielsen 1479ef3903 Update typo3_winstaller_default_enc_keys.rb
Change to OpenSSL::Digest from deprecated OpenSSL::Digest::Digest
2014-01-07 22:08:10 +01:00
Matt Andreko c5a3a0b5b7 Cleanup 2014-01-02 20:44:18 -05:00
Matt Andreko 6effdd42fa Added module to enumerate certain Sercomm devices through backdoor
See more: https://github.com/elvanderb/TCP-32764
2014-01-02 20:42:42 -05:00
jvazquez-r7 90158b9932
Land #2791, @morisson's support to remote dns resolution on sap_router_portscanner 2014-01-02 12:19:50 -06:00
jvazquez-r7 f75782bc2f Use RHOST, RPORT for the SAPROUTER options 2014-01-02 12:18:54 -06:00
Tod Beardsley b8e17c2d8e
Don't use Pcap.lookupaddrs any more 2014-01-01 18:50:15 -06:00
jvazquez-r7 7f9f4ba4db Make gsubs compliant with the new indentation standard 2013-12-31 11:06:53 -06:00
Tod Beardsley c34a5f3758
Unacronym the title on Poison Ivy C&C 2013-12-26 10:30:30 -06:00
Tod Beardsley 47765a1c4f
Fix chargen probe title, comment on the CVE 2013-12-26 10:29:11 -06:00
Tod Beardsley 056661e5dd
No at-signs in names please. 2013-12-26 10:26:01 -06:00
jvazquez-r7 b02e21a1d3
Land #2779, @wchen-r7's mod to raise Msf::OptionValidateError when PORTS is invalid 2013-12-26 09:27:27 -06:00
kicks4kittens 17c0751677 Create ibm_sametime_room_brute.rb
init
2013-12-26 13:02:52 +01:00
kicks4kittens 7ba1950424 Create ibm_sametime_enumerate_users.rb
init
2013-12-26 13:01:48 +01:00
kicks4kittens 2d6f41d67f Create ibm_sametime_version.rb
init
2013-12-26 13:00:39 +01:00
rbsec 86a94022c0 Fix lotus_domino_hashes not working.
Some Lotus Domino servers prefix the "dspHTTPPassword" with a dollar
sign. Updated regex to take this into account.
2013-12-24 11:57:13 +00:00
sinn3r 213556761a
Land #2765 - Added Poison Ivy Command and Control Scanner 2013-12-23 17:36:18 -06:00
sinn3r 0a07bbdf2e Minor changes 2013-12-23 17:35:42 -06:00
jvazquez-r7 88b3b2c78e Switch RHOSTS to TARGETS and add validation 2013-12-23 11:58:26 -06:00
Bruno Morisson 94da642f5c fixed typo: innacurated -> inaccurate 2013-12-21 20:36:43 +00:00
Bruno Morisson c387a850ca Fixed default value for RESOLVE (local) 2013-12-21 19:21:57 +00:00
Bruno Morisson 6ce0bab036 Cleanup, also split IP addresses separated by commas. 2013-12-21 00:15:00 +00:00
SeawolfRN bf2dc97595 Merge branch 'poisonivyscanner' of github.com:SeawolfRN/metasploit-framework into poisonivyscanner 2013-12-20 18:46:35 +00:00
SeawolfRN ae7a0159e7 Changed to Puts and get_once - also forgot the timeout... 2013-12-20 18:44:42 +00:00
jvazquez-r7 8be481f324
Land #2681, @mcantoni and @todb-r7's support for chargen 2013-12-20 11:53:08 -06:00
jvazquez-r7 12efa99ce5 Fix udp_sweep 2013-12-20 11:47:48 -06:00
jvazquez-r7 2dc7ef4398 Fix udp_probe 2013-12-20 11:45:27 -06:00
Tod Beardsley 2f34f8458b
Downcase chargen service name 2013-12-20 10:41:53 -06:00
Tod Beardsley 35c847da94
Add chargen to udp_probe and udp_sweep
This simplifies the checks considerably for PR #2681 from @mcantoni
2013-12-20 10:32:15 -06:00
jvazquez-r7 eba164d2e3 Clean chargen_probe 2013-12-20 09:10:15 -06:00
Bruno Morisson 6ac0aad38b Prevent report_* when RESOLVE is remote, since hostname may be unknown and local resolution fail, thus spitting out an error and failing 2013-12-19 23:37:13 +00:00
Bruno Morisson c881ef5472 Unreachable and time out error identification 2013-12-19 22:59:56 +00:00
Matteo Cantoni a199dc39af used the recvfrom timeout 2013-12-19 20:56:11 +01:00
Bruno Morisson 773d4c5cd1 commented out response packet vprint 2013-12-19 18:35:11 +00:00
Bruno Morisson ad8a156263 RHOSTS can be a comma separated list of hostnames 2013-12-19 18:33:32 +00:00
Bruno Morisson 564601e083 msftidy - fixed 2013-12-19 17:30:34 +00:00
Bruno Morisson 2480f023b1 Dropped scanner mixin. Tried to maintain usage 2013-12-19 17:15:44 +00:00
Bruno Morisson 21d959c58d RESOLVE option takes either "remote" or "local" 2013-12-19 00:38:47 +00:00
Bruno Morisson 1778a08e98 Keeping changes away from the "ip" variable 2013-12-19 00:19:58 +00:00
sinn3r d41f05e0b6
Land #2776 - Avoid having the same port twice 2013-12-18 18:09:43 -06:00
Bruno Morisson 7ebcd5a8c9 Option to perform host resolution on remote saprouter 2013-12-18 23:53:58 +00:00
jvazquez-r7 f21d666631
Land #2744, @rcvalle module for CVE-2013-2050 2013-12-18 16:19:25 -06:00
jvazquez-r7 0eac17083a Clean cfme_manageiq_evm_pass_reset 2013-12-18 16:16:32 -06:00
sinn3r ee87f357b0 Raise Msf::OptionValidateError when the PORTS option is invalid
Instead of print_error for invalid ports, modules should be raising
Msf::OptionValidateError to warn the user about the invalid input.
2013-12-18 15:04:53 -06:00
sinn3r 4028dcede7 Add an input check for datastore option PORTS
If Rex::Socket.portspec_crack returns an empty array, we assume
there are no valid ports to test, so we raise an OptionValidateError
to warn the user about it.
2013-12-18 14:55:51 -06:00
Ramon de C Valle b9a9b90088 Update module to use added bcrypt gem 2013-12-18 16:15:35 -02:00
Ramon de C Valle e20569181b Remove EzCrypto-related code as per review 2013-12-18 16:15:22 -02:00
Ramon de C Valle ef081cec49 Add missing disclosure date as per review 2013-12-18 15:47:23 -02:00
OJ 5e4c395f86 Fix small spacing issue 2013-12-18 17:14:47 +10:00
jvazquez-r7 80eea97ccd ChrisJohnRiley fix for sap_service_discovery 2013-12-17 13:31:56 -06:00
zeknox 2eee34babf added timeout options and rescue timeout 2013-12-16 20:00:13 -06:00
zeknox fe34d0e36e fixed syntax 2013-12-16 19:26:40 -06:00
zeknox 7b8de95f6b fixed database overwriting issues 2013-12-16 19:16:12 -06:00
zeknox 07f686bb1a added ResolverArgumentError rescue statement 2013-12-16 18:46:14 -06:00
SeawolfRN 24bc10905e Added Spaces and removed Interrupt 2013-12-16 22:12:35 +00:00
SeawolfRN bf561fef95 Corrected Extraneous Whitespace\Newlines 2013-12-16 16:38:49 +00:00
SeawolfRN 79022c2e29 Probably should have checked it worked... 2013-12-16 11:33:08 +00:00
SeawolfRN 59003a9842 Updated Poison Ivy Scanner 2013-12-15 22:02:14 +00:00
SeawolfRN 226cd241bf Added Poison Ivy Command and Control Scanner\n Auxiliary module to scan for Poison Ivy C&C on ports 80,8080,443 and 3460 2013-12-15 14:34:50 +00:00
Matteo Cantoni 999006e037 fixed some things, as suggested by jvazquez-r7 2013-12-14 19:41:31 +01:00
zeknox e6f1f648be modified wordlist path, modified report_goods to log udp or tcp, made wordlist not required 2013-12-13 10:49:44 -06:00
zeknox d6e19df8e2 added additional url reference 2013-12-12 22:57:23 -06:00
zeknox 9f18c57fce added period to description and changed tester to user 2013-12-12 22:11:02 -06:00
zeknox dba0e9bf77 msftidy done 2013-12-12 20:30:46 -06:00
zeknox 554cd41403 added dns_cache_scraper and useful wordlists 2013-12-12 20:18:18 -06:00
William Vu ff9cb481fb Land #2464, fixes for llmnr_response and friends
Fixed conflict in lib/msf/core/exploit/http/server.rb.
2013-12-10 13:41:45 -06:00
Tod Beardsley e737b136cc
Minor grammar/caps fixup for release 2013-12-09 14:01:27 -06:00
Ramon de C Valle 37826688ce Add cfme_manageiq_evm_pass_reset.rb
This module exploits a SQL injection vulnerability in the "explorer"
action of "miq_policy" controller of the Red Hat CloudForms Management
Engine 5.1 (ManageIQ Enterprise Virtualization Manager 5.0 and earlier)
by changing the password of the target account to the specified
password.
2013-12-09 16:49:07 -02:00
jvazquez-r7 c59b8fd7bc
Land #2741, @russell TCP support for nfsmount 2013-12-09 09:46:34 -06:00
Russell Sim 291a52712e Allow the NFS protocol to be specified in the mount scanner 2013-12-09 21:26:29 +11:00
sinn3r 1e30cd55f7
Land #2740 - Real regex for MATCH and EXCLUDE 2013-12-09 03:05:08 -06:00
sinn3r feca3efafb
Land #2728 - vBulletin Password Collector via nodeid SQL Injection 2013-12-09 02:12:42 -06:00
sinn3r 92412279ae Account for failed cred gathering attempts
Sometimes the SQL error doesn't contain the info we need.
2013-12-09 02:11:46 -06:00
Joe Vennix cd66cca8a1 Make browser autopwn datastore use OptRegexp. 2013-12-08 17:46:33 -06:00
jvazquez-r7 75fb38fe8d
Land #2724, @wchen-r7 and @jvennix-r7's module for CVE-2013-6414 2013-12-07 14:26:46 -06:00
jvazquez-r7 fdebfe3d2f Add references 2013-12-07 14:25:58 -06:00
sinn3r adc241faf8 Last one, I say 2013-12-06 15:52:42 -06:00
sinn3r 17193e06a9 Last commit, I swear 2013-12-06 15:49:44 -06:00
sinn3r 58a70779ac Final update 2013-12-06 15:48:59 -06:00
sinn3r 9f5768ae37 Another update 2013-12-06 14:53:35 -06:00
sinn3r af16f11784 Another update 2013-12-06 14:39:26 -06:00
sinn3r 87e77b358e Use the correct URI 2013-12-06 12:08:19 -06:00
sinn3r 5d4acfa274 Plenty of changes 2013-12-06 11:57:02 -06:00
sinn3r c07686988c random uri 2013-12-05 18:07:24 -06:00
jvazquez-r7 f2f8c08c8e Use blank? method 2013-12-05 16:36:44 -06:00
jvazquez-r7 a380d9b4f2 Add aux module for CVE-2013-3522 2013-12-05 15:58:05 -06:00
sinn3r 8e9723788d Correct description 2013-12-04 17:25:58 -06:00
sinn3r fb2fcf429f This one actually works 2013-12-04 17:22:42 -06:00
sinn3r d0071d7baa Add CVE-2013-6414 Rails Action View DoS 2013-12-04 14:57:30 -06:00
sinn3r 230db6451b Remove @peer for modules that use HttpClient
The HttpClient mixin has a peer() method, therefore these modules
should not have to make their own. Also new module writers won't
repeat the same old code again.
2013-12-03 12:58:16 -06:00
sinn3r 99dc9f9e7e Fix msftidy warning 2013-12-03 00:09:51 -06:00
Jonathan Claudius e37f7d3643 Use send_request_cgi instead of send_request_raw 2013-12-03 00:57:26 -05:00
Jonathan Claudius 14e600a431 Clean up res nil checking 2013-12-03 00:51:19 -05:00
Jonathan Claudius b796095582 Use peer vs. rhost and rport for prints 2013-12-03 00:49:05 -05:00
Jonathan Claudius 0480e01830 Account for nil res value 2013-12-03 00:45:57 -05:00
Jonathan Claudius c91d190d39 Add Cisco ASA ASDM Login 2013-12-03 00:16:04 -05:00
Tod Beardsley 55847ce074
Fixup for release
Notably, adds a description for the module landed in #2709.
2013-12-02 16:19:05 -06:00
sinn3r 20e0a7dcfb
Land #2709 - ZyXEL GS1510-16 Password Extractor 2013-12-02 13:13:01 -06:00
Sven Vetsch / Disenchant 39fbb59ba9 re-added the reference I accidentally deleted 2013-12-02 19:06:19 +01:00
Sven Vetsch / Disenchant cb98d68e47 added @wchen-r7's code to store the password into the database 2013-12-02 18:35:59 +01:00
jvazquez-r7 ba39a8e826
Land #2705, @jjarmoc's user object configuration on rails_devise_pass_reset 2013-12-02 11:04:29 -06:00
jvazquez-r7 8d6a534582
Change title 2013-12-02 08:54:37 -06:00
jvazquez-r7 24d09f2085
Land #2700, @juushya's Oracle ILO Brute Forcer login 2013-12-02 08:53:10 -06:00
Sven Vetsch / Disenchant 8e73023baa and now in the correct data structure 2013-12-01 17:38:35 +01:00
Sven Vetsch / Disenchant ef77b7fbbf added reference as requested at https://github.com/rapid7/metasploit-framework/pull/2709 2013-12-01 17:36:15 +01:00
Sven Vetsch / Disenchant aa62800184 added ZyXEL GS1510-16 Password Extractor 2013-11-29 10:42:17 +01:00
Karn Ganeshen bc41120b75 Updated 2013-11-29 12:47:47 +05:30
Karn Ganeshen 1109a1d157 Updated 2013-11-28 11:30:02 +05:30
Jeff Jarmoc 03838aaa79 Update rails_devise_pass_reset.rb
Fixed erroneous status if FLUSHTOKENS is false.
2013-11-27 22:27:45 -06:00
Jeff Jarmoc 7f8baf979d Adds the ability to configure object name in URI and XML. This allows exploiting other platforms that include devise.
For example, activeadmin is exploitable if running a vulnerable devise and rails version with the following settings;
msf > use auxiliary/admin/http/rails_devise_pass_reset
msf auxiliary(rails_devise_pass_reset) > set RHOST 127.0.0.1
RHOST => 127.0.0.1
msf auxiliary(rails_devise_pass_reset) > set RPORT 3000
RPORT => 3000
msf auxiliary(rails_devise_pass_reset) > set TARGETEMAIL admin@example.com
TARGETEMAIL => admin@example.com
msf auxiliary(rails_devise_pass_reset) > set TARGETURI /admin/password
TARGETURI => /admin/password
msf auxiliary(rails_devise_pass_reset) > set PASSWORD msf_pwnd
PASSWORD => msf_pwnd
msf auxiliary(rails_devise_pass_reset) > set OBJECTNAME admin_user
OBJECTNAME => admin_user
msf auxiliary(rails_devise_pass_reset) > exploit

[*] Clearing existing tokens...
[*] Generating reset token for admin@example.com...
[+] Reset token generated successfully
[*] Resetting password to "msf_pwnd"...
[+] Password reset worked successfully
[*] Auxiliary module execution completed
msf auxiliary(rails_devise_pass_reset) >
2013-11-27 15:35:43 -06:00
Matteo Cantoni 3111aee866 fix match and boolean expression 2013-11-26 21:42:09 +01:00
jvazquez-r7 a7e6a79b15
Land #2685, @wchen-r7's update for the word injector description 2013-11-25 15:47:57 -06:00
jvazquez-r7 92807d0399
Land #2676, @todb-r7 module for CVE-2013-4164 2013-11-25 15:40:33 -06:00
Tod Beardsley 23448b58e7
Remove timeout checkers that are rescued anyway 2013-11-25 12:37:23 -06:00
Tod Beardsley f311b0cd1e
Add user-controlled verbs.
GET, HEAD, POST, and PROPFIND were tested on WebRick, all successful.
2013-11-25 12:29:05 -06:00
jvazquez-r7 cc60ca2e2a
Fix module title 2013-11-25 09:33:43 -06:00
jvazquez-r7 cc261d2c25
Land #2670, @juushya's aux brute forcer mod for OpenMind 2013-11-25 09:29:41 -06:00
Karn Ganeshen e157ff73d3 Oracle ILOM Login utility 2013-11-25 13:55:31 +05:30
sinn3r 48578c3bc0 Update description about suitable targets
The same technique work for Microsoft Office 2013 as well. Tested.
2013-11-24 23:02:37 -06:00
Meatballs dd9bb459bf
PSEXEC Refactor
Move peer into mixin
PSEXEC should use the psexec mixin
2013-11-24 16:24:05 +00:00
Matteo Cantoni f3b907537c Module to identifies open Chargen service 2013-11-23 17:17:24 +01:00
Tod Beardsley 6a28aa298e
Module for CVE-2013-4164
So far, just a DoS. So far, just tested on recent Rails with Webrick and
Thin front ends -- would love to see some testing on ngix/apache with
passenger/mod_rails but I don't have it set up at the moment.
2013-11-22 16:51:02 -06:00
Karn Ganeshen 266de2d27f Updated 2013-11-23 00:01:03 +03:00
Karn Ganeshen b5011891a0 corrected rport syntax 2013-11-21 08:57:45 +03:00
Karn Ganeshen 9539972340 Module for OpenMind Message-OS portal login 2013-11-21 06:33:05 +03:00
William Vu 9f45121b23 Remove EOL spaces 2013-11-20 15:08:13 -06:00
Tod Beardsley ded56f89c3
Fix caps in description 2013-11-18 16:15:50 -06:00
jvazquez-r7 f963f960cb Update title 2013-11-18 15:07:59 -06:00
jvazquez-r7 274247bfcd
Land #2647, @jvennix-r7's module for Gzip Memory Bomb DoS 2013-11-18 15:06:46 -06:00
joev 589660872e Kill FILEPATH datastore option. 2013-11-18 14:13:25 -06:00
jvazquez-r7 f690667294
Land #2617, @FireFart's mixin and login bruteforcer for TYPO3 2013-11-18 13:37:16 -06:00
jvazquez-r7 0391ae2bc0 Delete general reference 2013-11-18 13:19:09 -06:00
jvazquez-r7 1c4dabaf34 Beautify typo3_bruteforce module 2013-11-18 13:17:15 -06:00
sinn3r b5fc0493a5
Land #2642 - Fix titles 2013-11-18 12:14:36 -06:00
joev 8e889c61f7 Update description. 2013-11-17 15:48:27 -06:00
joev f7820139dc Add a content_type datastore option. 2013-11-17 15:38:55 -06:00
joev 43d2711b98 Default to 1 round compression. 2013-11-17 15:35:35 -06:00
joev 1e3860d648 Add gzip bomb dos aux module. 2013-11-17 14:44:33 -06:00
jvazquez-r7 7d22312cd8 Fix redis communication 2013-11-15 19:36:18 -06:00
William Vu 2c485c509e Fix caps on module titles (first pass) 2013-11-15 00:03:42 -06:00
William Vu 334a93af45
Land #2638, refs for android_htmlfileprovider 2013-11-13 14:51:46 -06:00
joev 0612f340f1 Commas are good. 2013-11-13 14:38:50 -06:00
joev ad5f82d211 Add missing refs to aux/gather/android_htmlfileprovider. 2013-11-13 14:36:18 -06:00
sinn3r 970e70a853
Land #2626 - Add wordpress scanner 2013-11-12 11:30:23 -06:00
sinn3r 6a28f1f2a7
Change 4-space tabs to 2-space tabs 2013-11-12 11:29:28 -06:00
Tod Beardsley 2035983d3c
Fix a handful of msftidy warnings, and XXX SSL
Marked the SSL stuff as something that needs to be resolved in order to
fix a future bug in datastore manipulation. Also, fixed some whitespace
and exec complaints

[SeeRM #8498]
2013-11-11 21:23:35 -06:00
FireFart 48faa38c44 bugfix for wordpress_scanner 2013-11-11 00:24:32 +01:00