Commit Graph

5703 Commits (de09559cc833f6f0e671180fa2e35c024bbeb2ff)

Author SHA1 Message Date
Tod Beardsley 77b1f2d2f0
Fixup for release
Fixes the grammar on the SMTP enumeration module and the Cisco CDP
module, and adds a more informative description and reference for the
CDP module introduced on PR #4061.
2014-11-24 10:50:43 -06:00
jvazquez-r7 10d0305cb2 Update from upstream master 2014-11-24 09:48:43 -06:00
Jon Hart e9750e2df8
Minor style/usability cleanups 2014-11-24 06:57:31 -08:00
sinn3r 57419bb0fc Fix #4253 - Print access level for snmp_login
Fix #4253 - module should print the access level
2014-11-22 23:09:15 -06:00
tate 9828598cb7 removing timeout method and option 2014-11-22 00:28:56 -07:00
tate 57b04f96a7 working with DLSw protocol check 2014-11-21 23:54:00 -07:00
tate b9a274f869 improving DLSw detection 2014-11-21 18:58:02 -07:00
jvazquez-r7 3ac1f7d4fb
Land #4242, @Meatballs1 fix for sap_service_discovery report_note
* I cannot reproduce @Meatballs1 issue
* But I noticed report_note should :update with :unique_data
* Fixed the :update
2014-11-21 10:16:08 -06:00
jvazquez-r7 e30ee9fee2 Update with :unique_data 2014-11-21 10:14:39 -06:00
HD Moore 99a23ada5c Module cleanup, error handling, and reporting 2014-11-20 16:18:20 -06:00
Jon Hart e255db9429
Partial commit 2014-11-20 13:49:36 -08:00
Jon Hart 94e5ba13a4 YARD and spec cleanup 2014-11-20 13:28:01 -08:00
Jon Hart df36ac910d Mostly complete Kademlia PING / BOOTSTRAP scanner 2014-11-20 13:28:01 -08:00
Jon Hart ab49d01a1b Add beginnings of Kademlia gather module and protocol support 2014-11-20 13:28:00 -08:00
HD Moore 2f6c4a9ba4 Slight tweak to description/author email formatting 2014-11-20 14:53:52 -06:00
Meatballs ee15179441
Fix service discovery errors 2014-11-20 18:22:33 +00:00
Rich Whitcroft 8306d739e3 add scanner module to extract domain from NTLM challenge 2014-11-20 11:02:21 -05:00
tate a4a1048f95 modified to get data collection off sock working 2014-11-19 11:17:58 -07:00
Jon Hart 684975a315 Use correct target address for fake As 2014-11-19 08:28:56 -08:00
Jon Hart 3777e78a85 Sanitize creation of target host. Return minimal for SRV 2014-11-19 08:28:56 -08:00
Jon Hart 52e004d8ab Use less conflicting name for SRV record port 2014-11-19 08:28:56 -08:00
Jon Hart ee90e4353b Add more consistent logging for fakedns types that support fake vs bypass 2014-11-19 08:28:55 -08:00
Jon Hart 0910275fac Don't artificially insert additional records when BYPASS 2014-11-19 08:28:55 -08:00
Fatih Ozavci a38cb3ee53 @jhart-r7 commits are accepted and conflicts fixed. 2014-11-19 08:28:55 -08:00
Fatih Ozavci ab7f6866f5 FAKE and BYPASS actions are implemented for SRV queries 2014-11-19 08:28:55 -08:00
Fatih Ozavci f403d27fbd Author update for the fakedns module 2014-11-19 08:28:55 -08:00
Fatih Ozavci 47f7d8c4be IN:SRV expansion for Fake DNS server 2014-11-19 08:28:55 -08:00
Jon Hart 895bdd9c6f Remove unused options 2014-11-19 08:09:52 -08:00
Jon Hart 134046975e Remove report mixin which was not used 2014-11-19 08:09:52 -08:00
Jon Hart 4c112e71c1 Remove errant whitespace, unnecessary to_s 2014-11-19 08:09:52 -08:00
Jon Hart f54fc3da87 More CDP cleanup. Loop, cleaner packet construction, style 2014-11-19 08:09:52 -08:00
Jon Hart 0dac2de3fd Use PacketFu::EthHeader.mac2str for MAC formatting 2014-11-19 08:09:52 -08:00
Jon Hart 2d484a3e1a Remove sniffing capabilities from cdp -- use wireshark/tcpdump instead 2014-11-19 08:09:52 -08:00
Jon Hart 39d691086e First round of basic Ruby style cleanup in cdp 2014-11-19 08:09:52 -08:00
Fatih Ozavci 7e93d890ab Viproy is removed from names
Author section is fixed
2014-11-19 08:09:52 -08:00
Fatih Ozavci d78d57eaf4 Viproy VoIP Pen-Test Kit - Cisco CDP Testing Module 2014-11-19 08:09:52 -08:00
Jon Hart 7d6e7a6bfa
Minor Ruby style and module usability cleanup 2014-11-18 16:33:05 -08:00
tate 6b8b49ff98 improving metasploit module based on feedback 2014-11-18 15:03:18 -07:00
jvazquez-r7 fb4b6543e2 Handle other rex exceptions 2014-11-18 15:57:41 -06:00
jvazquez-r7 542eb6e301 Handle exception in brute force exploits 2014-11-18 12:17:10 -08:00
Jon Hart 500c4249fe Update solaris_kcms_readfile to gracefully handle RPC errors 2014-11-18 12:17:10 -08:00
Jon Hart 82f89e620b Clean up nfs mount scanner to *print_* better 2014-11-18 12:17:10 -08:00
Jon Hart b2f9307e0a vprint # of RPC programs, since the table comes right after 2014-11-18 12:17:10 -08:00
Jon Hart a9f9a8b116 Introduce new ::Rex::Proto::SunRPC::RPCError, making run_host cleaner 2014-11-18 12:17:10 -08:00
Jon Hart c7794a7ed9 Clean up Ruby style in sunrpc_portmapper 2014-11-18 12:17:09 -08:00
Jon Hart 059d84e4ca More consistent *print_* and Rex::Ui::Text::Table for sunrpc_portmapper 2014-11-18 12:17:09 -08:00
tate 703e0486fb Add DLSw leak capture module for CVE-2014-7992 2014-11-17 20:35:54 -07:00
jvazquez-r7 45d219c0d8 Land #4102, @jhart-r7's fix for nbns_response
* Use request src_port instead of 137
2014-11-17 15:46:38 -06:00
nullbind 8c34f35ca9 added mssql_enum_windows_domain_accounts.rb 2014-11-17 13:03:43 -06:00
William Vu fd53e969fd
Land #4217, browser_autopwn variable fix 2014-11-17 11:46:52 -06:00
William Vu 405eae4b6e
Remove EOL whitespace 2014-11-17 11:46:36 -06:00
jvazquez-r7 2c36f79934
Land #4165, @jhart-r7's check for datastore options on Cisco dtp
* Fix modules/auxiliary/spoof/cisco/dtp
* Just one of the two options is required
2014-11-17 11:23:31 -06:00
Joe Vennix fc1635e80a
Fix BAP JS ref error. 2014-11-17 10:06:15 -06:00
HD Moore 9fe4994492 Chris McNab has been working with MITRE to add these CVEs
These CVEs are not live yet, but have been confirmed by cve-assign
t
2014-11-16 18:42:53 -06:00
William Vu a521d469ed
Land #4194, Quake protocol support 2014-11-15 17:44:19 -06:00
Jon Hart 57aef9a6f5
Land #4177, @hmoore-r7's fix for #4169 2014-11-13 18:29:57 -08:00
Tod Beardsley e2dc862121
Fix newly introduced typo. 2014-11-13 14:53:57 -06:00
Tod Beardsley dd1920edd6
Minor typos and grammar fixes 2014-11-13 14:48:23 -06:00
jvazquez-r7 f081ede2aa Land #4155, @pedrib's module for CVE-2014-8499
* Password Manager Pro privesc + password disclosure
2014-11-12 23:56:26 -06:00
Jon Hart ebf6fe4e56
Minor style cleanup 2014-11-12 16:44:43 -08:00
Jon Hart 07a1653e57
Add gather module for Quake servers 2014-11-12 13:32:56 -08:00
Pedro Ribeiro 9df31e950f Add OSVDB id 2014-11-12 21:32:33 +00:00
Tod Beardsley 54158c8662
Land #4005, TNS poison checker 2014-11-12 13:29:59 -06:00
Tod Beardsley d242bc220b
Minor fixups and disclosure date for TNS module 2014-11-12 13:25:10 -06:00
Tod Beardsley 955a5142ca Edit e-mail address for antispam 2014-11-12 13:19:04 -06:00
jvazquez-r7 70589668c2 Really land the #4130 module 2014-11-12 09:39:01 -06:00
jvazquez-r7 ece8013d7a Use #empty? 2014-11-12 09:35:06 -06:00
jvazquez-r7 f048463ed6 Do minor fixupts
* Delete peer method
* Make verifications more strict
2014-11-12 09:33:49 -06:00
jvazquez-r7 a5c87db65e Do minor cleanup
* Beautify description
* Use double quotes for interpolation
2014-11-12 09:29:53 -06:00
jvazquez-r7 e1164d3e14 Use snake_case on filename 2014-11-12 09:26:47 -06:00
Tod Beardsley 7e05f88399
Reapply PR #4113 (removed via #4175) 2014-11-11 15:06:43 -06:00
HD Moore 6b4eb9a8e2 Differentiate failed binds from connects, closes #4169
This change adds two new Rex exceptions and changes the local comm to raise the right one depending on the circumstances. The problem with the existing model is
that failed binds and failed connections both raised the same exception. This change is backwards compatible with modules that rescue Rex::AddressInUse in additi
on to Rex::ConnectionError. There were two corner cases that rescued Rex::AddressInUse specifically:

1. The 'r'-services mixin and modules caught the old exception when handling bind errors. These have been updated to use BindFailed
2. The meterpreter client had a catch for the old exception when the socket reports a bad destination (usually a network connection dropped). This has been updat
ed to use InvalidDestination as that was the intention prior to this change.

Since AddressInUse was part of ConnectionError, modules and mixins which caught both in the same rescue have been updated to just catch ConnectionError.
2014-11-11 14:59:41 -06:00
Tod Beardsley 017a44c0ae
Revert errored merge of deea30d
Revert "Merge branch 'master' of https://github.com/farias-r7/metasploit-framework into upstream-master"

This reverts commit deea30ddb4, reversing
changes made to 14514d7b8b.
2014-11-11 14:38:47 -06:00
Jon Hart 9238d80a24 Use correct source port for NBNS spoofer
137 is only correct for systems that use this as their source port.
Systems running Samba, for example, don't use this.  So use the port
taken from the original request, not 137 or 1337
2014-11-11 10:33:27 -08:00
HD Moore 96ba6da697
Add the UDP scanner template, lands #4113.
There is some additional work to do regarding CHOST/CPORT, but this is not tied to the udp template changes.
2014-11-11 11:59:30 -06:00
jvazquez-r7 01fda27264 Fix title 2014-11-11 11:15:53 -06:00
jvazquez-r7 a588bfd31a Use single quotes 2014-11-11 09:56:46 -06:00
jvazquez-r7 77c8dc2b64 Dont return nil from 'run' 2014-11-11 09:39:08 -06:00
jvazquez-r7 fb309aae11 Use a Fixnum as FuzzInt default value 2014-11-11 09:36:53 -06:00
jvazquez-r7 f6762b41b6 Use random fake db name 2014-11-11 09:35:51 -06:00
jvazquez-r7 94c353222d Do small cosmetic changes 2014-11-11 09:31:57 -06:00
jvazquez-r7 e9e5869951 update from master 2014-11-11 09:24:33 -06:00
Nikita c0285067c9 Add new module to test TNS poison
msf auxiliary(tnspoison_checker) > show options 

Module options (auxiliary/scanner/oracle/tnspoison_checker1):

   Name     Current Setting                          Required  Description
   ----     ---------------                          --------  -----------
   RHOSTS   172.16.2.100, 172.16.2.24, 172.16.2.101  yes       The target address range or CIDR identifier
   RPORT    1521                                     yes       The target port
   THREADS  1                                        yes       The number of concurrent threads

msf auxiliary(tnspoison_checker) > exploit 

[+] 172.16.2.100:1521 is vulnerable
[*] Scanned 1 of 3 hosts (033% complete)
[-] 172.16.2.24:1521 is not vulnerable 
[*] Scanned 2 of 3 hosts (066% complete)
[-] 172.16.2.101:1521 unable to connect to the server
[*] Scanned 3 of 3 hosts (100% complete)
[*] Auxiliary module execution completed
2014-11-11 17:29:27 +03:00
jvazquez-r7 091da05a86 update from master 2014-11-10 22:59:44 -06:00
jvazquez-r7 cac6494427 Use snake_case in filename 2014-11-10 16:58:46 -06:00
jvazquez-r7 2c33642de8 Do minor cleanup 2014-11-10 16:57:57 -06:00
jvazquez-r7 12ae8b3ec6 update from master 2014-11-10 16:19:26 -06:00
nullbind 493b81d874 cleanup 2014-11-10 15:22:21 -06:00
nullbind 31fa57fcb2 mssql_enum_sql_logins 2014-11-10 15:19:55 -06:00
Scott Sutherland d543b16cc1 Added mssql_enum_sql_logins.rb 2014-11-10 15:02:46 -06:00
Scott Sutherland ea226f7482 Update mssql_enum_sql_logins.rb 2014-11-10 15:02:14 -06:00
nullbind 74344e9295 added mssql_enum_sql_logins 2014-11-10 13:42:52 -06:00
jvazquez-r7 4b701700c1 Fix banner 2014-11-10 12:40:53 -06:00
Jon Hart 7ed11ffd52
Check for INTERFACE or SMAC in dtp setup 2014-11-10 10:14:47 -08:00
jvazquez-r7 65dbb1a83f Do print_status 2014-11-10 11:26:53 -06:00
jvazquez-r7 7aed1e9581 Create loot_passwords method 2014-11-10 11:21:44 -06:00
jvazquez-r7 92df11baa7 Create report_super_admin_creds method 2014-11-10 11:16:25 -06:00
jvazquez-r7 8f17011909 do run clean up
* Reduce code complexity
* Don't report not valid administrator credentials
2014-11-10 11:12:04 -06:00
jvazquez-r7 635df2f233 Fail with NoAccess 2014-11-10 09:50:26 -06:00
jvazquez-r7 9c033492d2 Fix indentation 2014-11-10 09:48:22 -06:00
jvazquez-r7 2236518694 Check res.body before accessing #to_s 2014-11-10 09:47:05 -06:00
jvazquez-r7 8b8ab61e3d Favor && over and 2014-11-10 09:45:12 -06:00
jvazquez-r7 ee4924582a Use target_uri 2014-11-10 09:43:44 -06:00
jvazquez-r7 8ddd6a4655 Redefine RPORT having into account it is builtin 2014-11-10 09:42:30 -06:00
jvazquez-r7 eb36a36272 Change title 2014-11-10 09:40:22 -06:00
Pedro Ribeiro b3c27452cd Add full disclosure URL 2014-11-09 10:40:41 +00:00
Deral Heiland 5bf8901822 Fixed several recommended changes by jvazquez-r7, Also Correct a XML parsing issue 2014-11-09 02:43:36 -05:00
Pedro Ribeiro f680b666c7 Add github adv URL 2014-11-08 11:29:36 +00:00
Pedro Ribeiro 143033f657 Rename manageengine_pmp_sadmin.rb to manageengine_pmp_privesc.rb 2014-11-08 11:28:04 +00:00
Pedro Ribeiro 2843437ca9 Create exploit for CVE-2014-8499 2014-11-08 11:24:50 +00:00
Pedro Ribeiro e7b448537f Add OSVDB ids 2014-11-08 11:05:34 +00:00
jvazquez-r7 9d6e0664a4 Guess service name and port 2014-11-07 20:56:01 -06:00
jvazquez-r7 a44640c9fc Use single quotes 2014-11-07 20:48:04 -06:00
jvazquez-r7 7c1c08fc19 Use single quotes without interpolation 2014-11-07 20:46:47 -06:00
jvazquez-r7 0373156cce Use unless over if not 2014-11-07 20:42:08 -06:00
jvazquez-r7 f5a920da99 Use || operator 2014-11-07 20:41:44 -06:00
jvazquez-r7 64754a5609 Delete unnecessary begin..end block 2014-11-07 20:38:36 -06:00
jvazquez-r7 0919f74a3d Delete unused variable 2014-11-07 20:37:57 -06:00
jvazquez-r7 22b875d0f3 Reduce code complexity 2014-11-07 20:37:40 -06:00
jvazquez-r7 b1517e6ace Delete unnecessary nil comparision 2014-11-07 20:34:13 -06:00
jvazquez-r7 aa1fec7f02 Use fail_with 2014-11-07 20:33:33 -06:00
jvazquez-r7 d630eac272 Reduce code complexity 2014-11-07 20:32:15 -06:00
jvazquez-r7 cea30b5427 Use built-in format for RPORT 2014-11-07 20:30:32 -06:00
jvazquez-r7 e99cc00a57 No more than 100 columns on description 2014-11-07 20:29:38 -06:00
Pedro Ribeiro c00a3ac9cd Add full disclosure URL 2014-11-07 08:06:21 +00:00
Pedro Ribeiro 8a0249cdbf Address Juan's points 2014-11-06 21:02:28 +00:00
Pedro Ribeiro e71ba1ad4a Push exploit for CVE-2014-6038/39 2014-11-05 20:12:03 +00:00
Tod Beardsley cca30b536f
Land #4094, fixes for OWA brute forcer
Fixes #4083

Thanks TONS to @jhart-r7 for doing most of the work on this!
2014-11-05 14:00:26 -06:00
Jon Hart ff8d481eec Update description to remove comments about defaults. Default to 2013 2014-11-04 21:21:19 -08:00
Fatih Ozavci d91ffa893b Viproy is removed from names
Author sections are fixed
2014-11-05 15:44:32 +11:00
Jon Hart 2c028ca7a6 Move redirect check before body check -- a redirect won't have a body 2014-11-04 14:19:21 -08:00
Jon Hart 7855ede2de Move userpass emptiness checking into setup 2014-11-04 14:07:39 -08:00
William Vu ebb8b70472
Land #4015, another Android < 4.4 UXSS module 2014-11-04 15:52:29 -06:00
Tod Beardsley f8593ca1b5
Land #4109, tnftp savefile exploit from @wvu-r7 2014-11-04 15:44:13 -06:00
Tod Beardsley 5fb268bbdf
Updates to better OWA fix 2014-11-04 14:32:54 -06:00
nullbind 56a02fdb4a added mssql_escalate_executeas_sqli.rb 2014-11-04 13:38:13 -06:00
Jon Hart b0e388f4c3
Land #3516, @midnitesnake's snmp_enumusers fix for Solaris, OS X 2014-11-04 08:23:16 -08:00
nullbind 15119d2a0f comment fix-sorry 2014-11-04 09:07:08 -06:00
nullbind f108d7b20a fixed code comment 2014-11-04 08:51:27 -06:00
Tod Beardsley 51b96cb85b
Cosmetic title/desc updates 2014-11-03 13:37:45 -06:00
nullbind fbe3adcb4c added mssql_escalate_executeas module 2014-11-03 11:29:15 -06:00
Jon Hart 8f197d4918 Move to build_probe 2014-11-03 08:41:51 -08:00
sinn3r 6f013cdcaf Missed these 2014-10-31 18:48:48 -05:00
sinn3r d6a830eb6e Rescue the correct exception: Rex::HostUnreachable 2014-10-31 16:43:33 -05:00
Jon Hart 121ebdfef6 update_info 2014-10-31 13:17:50 -07:00
Jon Hart b99e71dcdd Example UDPScanner style cleanup, move most to UDPScanner 2014-10-31 12:14:04 -07:00
Jon Hart ff0b52cffb Example per-batch vprint, a useful default 2014-10-31 10:31:31 -07:00
Jon Hart 94d4388af9 Improvements to example UDPScanner 2014-10-31 09:53:10 -07:00
Joe Vennix 1e9f9ce425
Handle invalid JSON errors and fix typo. 2014-10-31 11:01:49 -05:00
Jon Hart d9f0a10737 Add new example template for scanning UDP services 2014-10-31 08:06:31 -07:00
William Vu 953a642b0e
Finally write a decent description 2014-10-30 22:51:42 -05:00
William Vu e3ed7905f1
Add tnftp_savefile exploit
Also add URI{HOST,PORT} and {,v}print_good to HttpServer.
2014-10-30 20:38:16 -05:00
sinn3r 92ad2c434d
Land #4081 - Xerox workcentre 5735 LDAP service redential extractor 2014-10-30 13:52:07 -05:00
sinn3r 470a067384 Final changes 2014-10-30 13:51:44 -05:00
sinn3r 912f6c8eee
Land #4085 - Xerox Administrator Console Password Extract 2014-10-30 13:37:32 -05:00
sinn3r 02b1c5c4bc Final changes 2014-10-30 13:37:02 -05:00
sinn3r 127d1640da Print password 2014-10-30 13:27:40 -05:00
Deral Heiland a6980b9eb8 Updated to module based feedback from wchen-r7 2014-10-30 12:59:11 -04:00
Joe Vennix 6dc13f90cd
Update descriptions to mention Webview bugginess. 2014-10-30 10:55:56 -05:00
Joe Vennix 0ad9f95806
Remove stray alert() for debugging. 2014-10-30 10:52:06 -05:00
Joe Vennix 88040fbce0
Add another Android < 4.4 UXSS exploit. 2014-10-30 10:34:14 -05:00
Jon Hart 15e1c253fa Numerous cleanups for snmp_enumusers
* Bring in line with Ruby standards
* More sane format for adding new OSs
* Better logging for use on larger networks
* Better error handling
2014-10-29 23:54:32 -07:00
Peter Arzamendi 9d56f0298a Changed upper XXX to lower XXX. 2014-10-29 20:09:02 -05:00
Deral Heiland 6c13c14be1 Konica MFP ftp and SMB credential gathering module 2014-10-29 16:12:16 -04:00
Peter Arzamendi b35a8935db Updated get_once for get_once undefined method and EOFError 2014-10-29 13:47:07 -05:00
Peter Arzamendi 2bc8767751 Updated rescue to catch other errors from the socket API 2014-10-29 08:03:28 -05:00
Jon Hart ba5035c7ef
Prevent calling match when there is no WWW-auth header 2014-10-28 17:13:57 -07:00
Jon Hart a5d883563d
Abort if 2013 desired but redirect didn't happen 2014-10-28 15:59:22 -07:00
Jon Hart 7ca4ba26b0
Show more helpful vprint messages when login fails 2014-10-28 15:48:04 -07:00
Jon Hart bce8f34a71
Set proper Cookie header from built cookie string 2014-10-28 15:41:36 -07:00
Jon Hart a3e1e11987
Ensure necessary cookies are present in OWA 2010 login response 2014-10-28 15:40:15 -07:00
Peter Arzamendi 604cad9fbb Updated timeout to default to 45 seconds to wait for the print job to finish. 2014-10-28 15:45:28 -05:00
Peter Arzamendi b17d6a661d Moved module to auxiliary/gather and updated timeout to wait for the printer job to complete before we try to grab the creds. 2014-10-28 15:23:47 -05:00
Peter Arzamendi 0e42cf25d1 Updated per wchen-r7's recommendations. Still waiting to hear on Nokogiri 2014-10-28 15:13:16 -05:00
Tod Beardsley 9c028c1435
Fixes #4083, make the split nil-safe
In the reported case, the expected cookies were not present on the
response, thus, the second split was trying to split a `nil`. This
solves the immediately problem by a) splitting up the splits into
discrete sections, and b) `NilClass#to_s`'ing the result of the first
split.

This makes the split safe. Now, there may be a larger issue here where
you're not getting the expected cookies -- it sounds like the target in
this case is responding differently, which implies that the module isn't
going to be effective against that particular target. But, at least it
won't crash. It may merely try fruitlessly the entire run, though. I
can't know without looking at a pcap, and in the reported case, a pcap
seems unlikely since this was a bug found in the field.
2014-10-28 14:59:20 -05:00
Peter Arzamendi 1012cd8d6b Updated based on wchen-r7 feedback. 2014-10-28 11:38:50 -05:00
Tod Beardsley dade6b97ba
Land #4088, wget exploit
Fixes #4077 as well.
2014-10-28 09:03:07 -05:00
sinn3r e31c9f579d
Land #3987 - Buffalo Linkstation NAS Login Scanner 2014-10-28 01:45:57 -05:00
Jonathan Claudius d799625507 Switch to vprint_good for verbose good things 2014-10-28 01:53:54 -04:00
Jonathan Claudius 0fa461737e Fix null arguments syntax 2014-10-28 01:49:54 -04:00
Jonathan Claudius 7a727f9bff Make msftidy happy 2014-10-28 01:48:13 -04:00
Jonathan Claudius 595b4d2bbd Clean up aux check review comments 2014-10-28 01:44:52 -04:00
HD Moore 64c206fa62 Add module for CVE-2014-4877 (Wget) 2014-10-27 23:37:41 -05:00
Fatih Ozavci 329b9ac292 Actions updates of the Viproy CUCDM exploits 2014-10-28 14:11:07 +11:00
Fatih Ozavci 703393e9f1 First revision of the Viproy CUCDM exploits 2014-10-28 13:53:13 +11:00
Peter Arzamendi 0b225d94b1 Xerox Admin password extractor. 2014-10-27 19:26:40 -05:00
jvazquez-r7 b990b14a65
Land #3771, @us3r777's deletion of jboss_bshdeployer STAGERNAME option 2014-10-27 18:09:35 -05:00
parzamendi-r7 f7f6cff327 Update xerox_workcentre_5XXX_ldap.rb 2014-10-27 17:23:47 -05:00
Peter Arzamendi f119abbf8c Xerox workcentre 5735 LDAP credential extractor 2014-10-27 15:52:12 -05:00
Jon Hart b8c9ef96ca
Land #4003, @nstarke's Login Scanner for WD MyBook Live NAS 2014-10-27 09:57:43 -07:00
scriptjunkie 4dfbce425a use vprintf... 2014-10-26 09:20:32 -05:00
scriptjunkie c31fb0633d Merge branch 'wp-psexeccmd' of github.com:webstersprodigy/metasploit-framework into webstersprodigy-wp-psexeccmd 2014-10-26 09:05:25 -05:00
Fatih Ozavci 1db09fee01 Viproy VoIP Pen-Test Kit - Cisco CUCDM Exploits 2014-10-24 11:46:52 +11:00
Jon Hart 83df08aaa7 Properly encode body and catch invalid configs 2014-10-22 22:43:06 -07:00
sinn3r 0ea03c00a5 Use print_brute instead of print_good for format consistency 2014-10-22 16:14:45 -05:00
Jon Hart ce8a9941ea Cleanup. Sanity check in setup. vprint 2014-10-22 10:36:24 -07:00
James Lee 46acf08e2d Merge remote-tracking branch 'upstream/master' into bug/msp-11497/loginscanner-tcp-evasions 2014-10-22 09:09:34 -05:00
nstarke ee3dd3a2ac More Fixes for WD MyBook Live Scanner
Fixes include removing deregistered options
from credentials collection object and adding proof
 when there is no response
2014-10-22 03:06:21 +00:00
James Lee 0fcd1ac4f6
Restore tcp evasions to smb_login 2014-10-21 18:59:11 -05:00
James Lee e1a7e902d6
Re-enable tcp evasions for more LoginScanners
Untested since I don't have targets for these.
2014-10-21 18:58:28 -05:00
sinn3r 6d11ec8477 These mods support Proxies, so make the option visible for the user 2014-10-21 15:39:24 -05:00
sinn3r db7c420d8d Merge the latest changes 2014-10-21 13:49:42 -05:00
James Lee f9f8c413a8
Derp, ssh modules don't include Tcp for #proxies 2014-10-21 13:28:13 -05:00
sinn3r 79d393c5aa Resolve merge conflicts
Conflicts:
	lib/msf/core/exploit/smb.rb
	lib/msf/core/exploit/tcp.rb
	modules/auxiliary/scanner/http/axis_login.rb
2014-10-21 13:06:35 -05:00
James Lee 4705aeb762
Restore tcp evasions to ftp, pop3, vnc 2014-10-21 11:06:55 -05:00
James Lee 7d150ce0dd
Add tcp evasions to mysql 2014-10-21 10:05:18 -05:00
James Lee e76ee294a1
Restore tcp evasions to telnet 2014-10-21 09:44:55 -05:00
nstarke 82b74d5f3c Fixes to MyBook Live Module
This commit contains three fixes as requested on PR
#4003.  Those include:

+ Removing extraneous puts statement
+ Checking for valid response
+ SSL support.
2014-10-21 00:50:40 +00:00
nstarke 70b13819d9 Adding Login Scanner for MyBook Live
This is a LoginScanner auxiliary module for Western
Digital MyBook Live NAS devices as well as the spec
for testing.
2014-10-21 00:50:40 +00:00
jvazquez-r7 d6f4c02c2a
Land #3979, @wchen-r7 fixes #3976, http_login not using TARGETURI, neither uri normalization 2014-10-20 18:10:57 -05:00
jvazquez-r7 74ac16081f
Land #3981, @wchen-r7 Fixes #3974, axis_login.rb does not normalize URI 2014-10-20 17:51:13 -05:00
jvazquez-r7 00f137cdcf
Land #4040, @nullbind's MS SQL privilege escalation through SQLi 2014-10-20 16:23:50 -05:00
jvazquez-r7 acc590b59c Modify metadata 2014-10-20 16:22:10 -05:00
jvazquez-r7 1381c7fb37 Modify title 2014-10-20 16:17:47 -05:00
jvazquez-r7 323680c31a Clean code 2014-10-20 16:17:06 -05:00
HD Moore 935a23296d
Updates to NAT-PMP, lands #4041 2014-10-20 11:26:26 -05:00
sinn3r 6b9742b444
Land #3966 - Add exploit for CVE-2014-4872 BMC / Numara Track-It! 2014-10-20 11:23:23 -05:00
James Lee 3051b6c5ba
Clean up exceptions
Of particular note is mysql, who was rescuing Rex::ConnectionTimeout
*after* Rex::ConnectionError, which never would have fired anyway.
2014-10-20 10:27:02 -05:00
James Lee b7d69bec83
Restore proxies to ssh scanners 2014-10-20 10:19:06 -05:00
nullbind 036d43ba37 fixed logic bug 2014-10-19 20:56:29 -05:00
Jon Hart 2985b39267
Land #3980, @wchen-r7 fixed #3975 2014-10-19 17:11:06 -07:00
ikkini c2174c7910 return if no version response received 2014-10-19 00:29:36 +02:00
nullbind 1e2f1eaee0 cleaning up 2014-10-18 12:00:11 -05:00
James Lee 329a600b84
Add tcp evasion options to mssql_login 2014-10-17 17:40:21 -05:00
William Vu 10f3969079
Land #4043, s/http/http:/ splat
What is a splat?
2014-10-17 13:41:07 -05:00
William Vu 367ea5d3db
Add disclosure date 2014-10-17 12:35:28 -05:00
Tod Beardsley ccdaf2b576
Fix the banner
Turns out these will be broken in outstanding PRs for a while. At least
they won't be merge conflicts.
2014-10-17 12:23:23 -05:00
URI Assassin 35d3bbf74d
Fix up comment splats with the correct URI
See the complaint on #4039. This doesn't fix that particular
issue (it's somewhat unrelated), but does solve around
a file parsing problem reported by @void-in
2014-10-17 11:47:33 -05:00
Tod Beardsley ad501b25e4
Filename move to be less redundant 2014-10-17 11:25:14 -05:00
nullbind bf92769ba2 added mssql_escalate_dbowner_sqli 2014-10-17 10:25:20 -05:00
Jon Hart 8fdae8fbfb Move protocol and lifetime to mixin, use correct map_target if CHOST 2014-10-16 13:24:17 -07:00
James Lee 40b360555f
Make the error message a little more useful 2014-10-16 12:47:13 -05:00
Tod Beardsley 8cf10be779
Don't assume SSLv3 is set (kill FP+s) 2014-10-16 10:43:58 -05:00
Tod Beardsley 0b67efd51e
Add a POODLE scanner and general SSL version scan 2014-10-16 10:27:37 -05:00
James Lee 41a57b7ba5
Re-enable proxies for HTTP-based login scanners 2014-10-15 17:00:44 -05:00
Jon Hart 07f2d4dafe
Further improvements to NAT-PMP. Faster, more useful, less not useful 2014-10-15 06:39:38 -07:00
Tod Beardsley 592f1e9893
Land #3999, errors on login suppressed by default
This also solved the merge conflict on:

	modules/auxiliary/scanner/http/jenkins_login.rb

Fixes #3995.
2014-10-14 16:35:09 -05:00
Jon Hart ea6824c46f WIP of NAT-PMP rework 2014-10-14 14:20:24 -07:00
William Vu bdbad5a81d
Fix misaligned bracket 2014-10-14 13:43:59 -05:00
Tod Beardsley 9f6008e275
A couple OSVDB updates for recent modules 2014-10-14 13:39:36 -05:00
Tod Beardsley 56534e7ad3
Changed a login failed to vprint instead of print
People often like to supress failed attempts. Note that this change may
or may not have any effect, given the status of #3995.

This module was introduced in PR #3947.
2014-10-14 12:01:09 -05:00
Tod Beardsley 6ea3a78b47
Clarify the description on HP perfd module
Introduced in #3992
2014-10-14 11:58:52 -05:00
Nikita 621b9523b1 Update tnspoison_checker.rb 2014-10-13 22:05:08 +04:00
Nikita 1996886ae9 Update tnspoison_checker.rb 2014-10-13 12:53:39 +04:00
Nikita 22aabc7805 Add new module to test TNS poison
This module simply checks the server for vulnerabilities like TNS Poison
2014-10-13 12:21:07 +04:00
Jon Hart d51d2bf5a0
Land #3990, @wchen-r7's fix for #3984, a busted check in drupal_views_user_enum 2014-10-12 19:38:55 -07:00
Jon Hart 76275a259a
Minor style cleanup of help and a failure message 2014-10-12 18:34:13 -07:00
Jon Hart c3a58cec9e
Make note of other commands to investigate 2014-10-11 13:07:52 -07:00
Jon Hart c80a5b5796 List commands in sorted order 2014-10-11 13:00:30 -07:00
Jon Hart 4ffc8b153c
Support running more than one perfd command in a single pass 2014-10-11 11:38:00 -07:00
Jon Hart c72593fae4
Store just banner for service, loot the rest. Also, minor style. 2014-10-11 11:12:49 -07:00
Jon Hart 9550c54cd2
Correct indentation and whitespace 2014-10-11 10:39:12 -07:00
sinn3r 9500038695 Fix #3995 - Make negative messages less verbose
As an user testing against a large network, I only want to see
good news, not bad news.
2014-10-11 11:11:09 -05:00
Roberto Soares Espreto 7bd0f2c114 Changed Name, array in OptEnum and operator 2014-10-11 09:03:18 -03:00
Roberto Soares Espreto cbde2e8cd1 Variable cmd now with interpolation 2014-10-10 18:21:16 -03:00
Roberto Soares Espreto 291bfed47e Using Rex.sleep instead of select 2014-10-10 15:17:40 -03:00
Roberto Soares Espreto bd315d7655 Changed print_good and OptEnum 2014-10-10 13:54:42 -03:00
Roberto Soares Espreto 08fdb4fab2 Add module to enumerate environment HP via perfd daemon 2014-10-10 13:09:36 -03:00
sinn3r 260aa8dc22 Fix #3984 - Fix broken check for drupal_views_user_enum 2014-10-10 10:23:20 -05:00
nstarke 472985a8a8 Adding Buffalo Linkstation NAS Login Scanner
I have added a login scanner for the Buffalo Linkstation
NAS.  I have been testing against version 1.68 of the
firmware.  Also included are some specs for this module.
2014-10-10 03:16:48 +00:00
Tod Beardsley aefd15c185
Land #3376, ARRIS SNMP enumerator from @inokii 2014-10-09 15:28:06 -05:00
sinn3r 7d8eadada6 Fix #3974 - Validate and normalize URI for axis_login 2014-10-09 14:33:39 -05:00
sinn3r c9c34beafa Fix #3975 - Register TARGETURI, not URI
The module should register TARGETURI and call #target_uri for
URI validation.
2014-10-09 14:10:29 -05:00
Pedro Ribeiro 8163b7de96 Thanks for helping me clean up Todd! 2014-10-09 18:20:31 +01:00
sinn3r d366cdcd6e Fix #3976 - validate and normalize user-supplied URI for http_login.rb
URI should be validated and normalized before being used in an HTTP
request.
2014-10-09 12:14:33 -05:00
Pedro Ribeiro 9d1e206e43 Incorporate cred changes and other minor fixes 2014-10-09 17:59:38 +01:00
Spencer McIntyre a535d236f6
Land #3947, login scanner for jenkins by @nstarke 2014-10-09 12:59:02 -04:00
Spencer McIntyre 6ea530988e Apply rubocop changes and remove multiline print 2014-10-09 12:57:39 -04:00
jvazquez-r7 3305b1e9c3
Land #3984, @nullbind's MSSQL privilege escalation module 2014-10-09 11:39:15 -05:00
jvazquez-r7 10b160bedd Do final cleanup 2014-10-09 11:38:45 -05:00
jvazquez-r7 bbe435f5c9 Don't rescue everything 2014-10-09 11:25:13 -05:00
jvazquez-r7 0cd7454a64 Use default value for doprint 2014-10-09 11:04:42 -05:00
jvazquez-r7 db6f6d4559 Reduce code complexity 2014-10-09 10:59:14 -05:00
jvazquez-r7 615b8e5f4a Make easy method comments 2014-10-09 10:48:00 -05:00
jvazquez-r7 dd03e5fd7d Make just one connection 2014-10-09 10:46:51 -05:00
sinn3r df0d4f9fb2 Fix #3973 - Unneeded datastore option URI
When Glassfish is installed, the web root is always /, so there is
no point to make this arbitrary.
2014-10-09 00:06:15 -05:00
nullbind 168f1e559c fixed status 2014-10-08 21:19:50 -05:00
nullbind 3ebcaa16a1 removed scanner 2014-10-08 21:18:56 -05:00
nstarke 328be3cf34 Fine Tuning Jenkins Login Module
At the request of the maintainers, I have deregistered the
RHOST option and made the failure proof a verbose only
print.
2014-10-08 17:53:21 -05:00
Pedro Ribeiro 4817e1e953 Update trackit_sql_domain_creds.rb 2014-10-08 21:41:04 +01:00
Tod Beardsley a901916b0b
Remove nonfunctional jtr_unshadow
This module hasn't been doing anything but print_error a go away message
since June, so may as well get rid of it.
2014-10-08 10:23:29 -05:00
Brendan Coles 3c7be9c4c5 Remove hash rockets from references #3766
[SeeRM #8776]
2014-10-08 09:01:19 +00:00
Pedro Ribeiro 6af6b502c3 Remove spaces at EOL 2014-10-08 08:30:30 +01:00
Pedro Ribeiro 713ff5134a Add OSVDB id 2014-10-08 08:24:44 +01:00
Pedro Ribeiro bd812c593c Add full disclosure URL 2014-10-08 08:24:04 +01:00
Pedro Ribeiro bbac61397d Restore :address to rhost and explain why 2014-10-08 08:23:43 +01:00
Pedro Ribeiro 9cb0ad1ac2 Change the reporting address to the real value 2014-10-08 01:18:17 +01:00
Pedro Ribeiro 6e9bebdaf9 Fix noob mistake in assignment 2014-10-08 01:04:15 +01:00
Pedro Ribeiro 7dbfa19e65 Add exploit for Track-It! domain/sql creds vuln 2014-10-07 23:54:43 +01:00
nullbind 031fb19153 requested updates 2014-10-06 23:52:30 -05:00
William Vu 399a61d52e
Land #3946, ntp_readvar updates 2014-10-06 21:57:57 -05:00
nstarke e1b0ba5d3d Removing 'require pry'
I accidentally left a reference to pry in my code.
Removing
2014-10-06 21:40:39 -05:00
nstarke b8c2643d56 Converting Module to LoginScanner w/ Specs
The previous commits for this Jenkins CI module relied on an
obsolete pattern.  Consequently, it was necessary to write
this module as a LoginScanner and incorporate the appropriate
specs so that the tests will run properly.
2014-10-06 21:14:10 -05:00
sinn3r d3354d01f0 Fix #3808 - NoMethodError undefined method `map'
NoMethodError undefined method `map' due to an incorrect use of
load_password_vars
2014-10-06 15:42:51 -05:00
Jon Hart 8c8ccc1d54
Update Authors 2014-10-06 11:30:39 -07:00
nstarke 69400cf280 Fixing Author Declaration
I had accidentally listed myself three times as the author.
Fixing that issue so that I am only declaring myself once.
2014-10-05 23:17:28 -05:00
nstarke c0a3691817 Adding Jenkins-CI Login Scanner
Per Github issue #3871 (RM8774), I have added a
login scanner module for Jenkins-CI installations.
2014-10-05 22:08:34 -05:00
James Lee a65ee6cf30
Land #3373, recog
Conflicts:
	Gemfile
	Gemfile.lock
	data/js/detect/os.js
	lib/msf/core/exploit/remote/browser_exploit_server.rb
	modules/exploits/android/browser/webview_addjavascriptinterface.rb
2014-10-03 18:05:58 -05:00
Jon Hart a341756e83
Support spoofing source IPs for NTP readvar, include status messages 2014-10-03 14:05:57 -07:00
Jon Hart fa4414155a
Only include the exact readvar payload, not any padding 2014-10-03 13:58:13 -07:00
Jon Hart 65c1a8230a
Address most Rubocop complaints 2014-10-03 13:47:29 -07:00
Jon Hart 0715c671c6
Update NTP readvar module to detect DRDoS, UDPScanner to be faster 2014-10-03 13:28:30 -07:00
Christian Mehlmauer f45b89503d change WPVULNDBID to WPVDB 2014-10-03 17:13:18 +02:00
Christian Mehlmauer 33b37727c7 Added wpvulndb links 2014-10-02 23:03:31 +02:00
William Vu 5df614d39b
Land #3928, release fixes 2014-10-01 17:21:08 -05:00
HD Moore 77bb2df215 Adds support for both CVEs, lands #3931 2014-10-01 17:06:59 -05:00
William Vu 51bc5f52c1
Add CVE-2014-6278 support
Going with an OptEnum to simplify the code for now...
2014-10-01 16:40:55 -05:00
James Lee 7e05ff343e
Fix smbdirect
Also some whitespace and a typo in output message
2014-10-01 16:02:59 -05:00
Tod Beardsley 4fbab43f27
Release fixes, all titles and descs 2014-10-01 14:26:09 -05:00
sinn3r be1df68563 Remove auxiliary/scanner/elasticsearch/indeces_enum.rb
Time is up, so good bye.
2014-09-30 17:24:21 -05:00
William Vu 5ea968f3ee
Update description to prefer the exploit module 2014-09-30 11:34:28 -05:00
William Vu 162e42080a
Update title to reflect scanner status 2014-09-30 11:04:17 -05:00
William Vu 12d7073086
Use idiomatic Ruby for the marker 2014-09-29 22:32:07 -05:00
William Vu 71d6b37088
Fix bad header error from pure Bash CGI script 2014-09-29 22:25:42 -05:00
William Vu df44dfb01a
Add OSVDB and EDB references to Shellshock modules 2014-09-29 21:39:07 -05:00
Christian Mehlmauer b266233e95 fix bug 2014-09-30 00:21:52 +02:00
HD Moore 878f3d12cd Remove kind_of? per @trosen-r7 2014-09-29 15:39:10 -05:00
HD Moore 77efa7c19a Change if/else to case statement 2014-09-29 15:37:58 -05:00
sinn3r 21b2d9eb3f
Land #3899 - WordPress custom-contact-forms Plugin SQL Upload 2014-09-29 14:40:28 -05:00
HD Moore 64dbc396dd Add header specification to check module, lands #3902 2014-09-27 12:58:29 -05:00
William Vu 044eeb87a0
Add variable HTTP header
Also switch from OptEnum to OptString for flexibility.
2014-09-27 12:39:24 -05:00
Christian Mehlmauer c51c19ca88 bugfix 2014-09-27 14:56:34 +02:00
Christian Mehlmauer 9a424a81bc fixed bug 2014-09-27 13:46:55 +02:00
Christian Mehlmauer 1c30c35717 Added WordPress custom_contact_forms module 2014-09-27 13:42:49 +02:00
sinn3r c75a0185ec
Land #3897 - Fix check for apache_mod_cgi_bash_env & apache_mod_cgi_bash_env_exec 2014-09-26 17:06:23 -05:00
jvazquez-r7 80d9af9b49 Fix spacing in description 2014-09-26 17:03:28 -05:00
jvazquez-r7 9e540637ba Add module for CVE-2014-5377 ManageEngine DeviceExpert User Credentials 2014-09-26 17:02:27 -05:00
jvazquez-r7 3259509a9c Use return 2014-09-26 16:04:15 -05:00
jvazquez-r7 0a3735fab4 Make it better 2014-09-26 16:01:10 -05:00
jvazquez-r7 3538b84693 Try to make a better check 2014-09-26 15:55:26 -05:00
jvazquez-r7 e1f00a83bc Fix Rex because domainname and domain_name were duplicated 2014-09-26 13:40:52 -05:00
jvazquez-r7 5044117a78 Refactor dhclient_bash_env to use the egypt's mixin mods 2014-09-26 13:34:44 -05:00
nullbind ebf4e5452e Added mssql_escalate_dbowner module 2014-09-26 10:29:35 -05:00
jvazquez-r7 a31b4ecad9
Merge branch 'review_3893' into test_land_3893 2014-09-26 08:41:43 -05:00
James Lee 86f85a356d
Add DHCP server module for CVE-2014-6271 2014-09-26 01:24:42 -05:00
HD Moore b878ad2b75 Add a module to exploit bash via DHCP, lands #3891
This module is just a starting point for folks to test their DHCP client implementations and we plan to significantly overhaul this once we get a bit of breathing room.
2014-09-25 23:38:40 -05:00
Ramon de C Valle 9c11d80968 Add dhclient_bash_env.rb (Bash exploit)
This module exploits a code injection in specially crafted environment
variables in Bash, specifically targeting dhclient network configuration
scripts through the HOSTNAME, DOMAINNAME, and URL DHCP options.
2014-09-26 01:37:00 -03:00
William Vu f66c854ad6
Fix description to be less lulzy 2014-09-25 07:09:08 -05:00
William Vu 9ed28408e1
Favor check_host for a scanner 2014-09-25 07:06:12 -05:00
William Vu 62b74aeaed
Reimplement old check code I was testing before
I would like to credit @wchen-r7 for providing advice and feedback.

@jvazquez-r7, too! :)
2014-09-25 06:38:25 -05:00
William Vu d9120cd586
Fix typo in description
Running on fumes here...
2014-09-25 01:22:08 -05:00
William Vu 790df96396
Fix missed var 2014-09-25 01:19:14 -05:00
William Vu e051cf020d
Add missed mixin 2014-09-25 01:14:58 -05:00
William Vu 27b8580f8d
Add protip to description
This gets you lots of shells.
2014-09-25 01:10:22 -05:00
William Vu b1e9b3664e
Improve false positive check 2014-09-25 01:01:11 -05:00
William Vu 8daf8d4339 Report vuln for apache_mod_cgi_bash_env
Now with fewer false positives! It's kinda like a check method.
2014-09-25 00:42:14 -05:00
William Vu 5a59b7cd89
Fix formatting 2014-09-24 23:12:11 -05:00
William Vu e6f0736797
Add peer 2014-09-24 22:48:51 -05:00
William Vu 8b6519b5b4
Revert shortened reference
But it's so long. :(
2014-09-24 22:43:33 -05:00
William Vu ecb10ebe28
Add variable HTTP method and other stuff 2014-09-24 22:41:01 -05:00