d4ba28a20b
Land #8457 , Update multi/fileformat/office_word_macro to allow custom templates
2017-05-26 15:09:23 -05:00
f0f99ad479
nttrans packet setup correctly,everything broken
...
got the nttrans packet setup correctly but somewhere
along the line i broke the whole exploit wtf?
2017-05-26 14:54:46 -05:00
162a660d45
Remove the old windows/fileformat/office_word_macro
...
windows/fileformat/office_word_macro.rb has been deprecated and
it should have been removed on March 16th.
If you want to create a Microsoft Office macro exploit, please
use the multi/fileformat/office_word_macro exploit instead, which
supports multiple platforms, and will support template injection.
2017-05-26 07:33:46 -05:00
04a701dba5
Check template file extension name
2017-05-26 07:31:34 -05:00
072ab7291c
Add /tank (from ryan-c) to search path
2017-05-26 06:56:41 -05:00
2835c165d7
Land #8390 , Add module to execute powershell on Octopus Deploy server
2017-05-25 17:33:07 -05:00
330526af72
Update check method
2017-05-25 17:30:58 -05:00
ae22b4ccf4
Land #8450 , Samba is_known_pipename() exploit
2017-05-25 16:36:28 -05:00
1474faf909
Remove ARMLE for now, will re-PR once functional
2017-05-25 16:14:35 -05:00
2ad386948f
Small cosmetic typo
2017-05-25 16:10:37 -05:00
18a871d6a4
Delete the .so, add PID bruteforce option, cleanup
2017-05-25 16:03:14 -05:00
ee13195760
Update office_word_macro exploit to support template injection
2017-05-25 15:53:45 -05:00
0b0e2f64ca
update SMB1 "Freehole" packet
...
the 'Freehole' packet is now generated with
RubySMB and sent by the client, rather than raw bytes
sent over the bare socket
2017-05-25 13:43:16 -05:00
1a8961b5e3
fied typo
2017-05-25 19:14:59 +02:00
bc8ad811aa
remove old anonymous login packet
...
we are now using the anonymous login from the
RubySMB client we no longer need this method to
manually build the packet
2017-05-25 10:49:42 -05:00
238052a18b
use RubySMB client echo
...
replaced the manually created echo packet
with the RubySMB client echo command
2017-05-25 10:47:14 -05:00
cf7cfa9b2c
Add check() implementation based on bcoles notes
2017-05-25 09:49:45 -05:00
0520d7cf76
First crack at Samba CVE-2017-7494
2017-05-24 19:42:04 -05:00
4ffe666b52
improve the cred fallback
...
we might get a successful sessionsetup
but a failure on IPC$ due to anonymous access
2017-05-24 17:36:07 -05:00
4c02b7b13a
added credentialed fallback
...
if anonymous login is blocked, then the user can
supply credentials for the exploit to try as a fallback
2017-05-24 16:09:51 -05:00
dc67fcd5a8
use RubySMB for anonymous login
...
use the new anonymous login capabilities in
RubySMB
2017-05-24 15:40:05 -05:00
e4ea618edf
Land #8419 , ETERNALBLUE fixes (round two)
...
Hope I resolved the conflicts correctly.
2017-05-23 17:03:21 -05:00
46eb6bdf62
Land #8399 , ETERNALBLUE fixes (round one)
2017-05-23 16:51:19 -05:00
f80c3aa3f4
Correct absolute path
2017-05-23 16:50:25 -05:00
52363aec13
Add module for CVE-2017-8895, UAF in Backup Exec Windows agent
...
This module exploits a use-after-free vulnerability in the handling of
SSL NDMP connections in Veritas/Symantec Backup Exec's Remote Agent for
Windows. When SSL is re-established on a NDMP connection that previously
has had SSL established, the BIO struct for the connection's previous
SSL session is reused, even though it has previously been freed.
Successful exploitation will give remote code execution as the user of
the Backup Exec Remote Agent for Windows service, almost always
NT AUTHORITY\SYSTEM.
2017-05-24 00:18:20 +12:00
b7b1995238
Land #8274 , Wordpress admin upload `check`
2017-05-22 22:08:32 -05:00
d69bfd509f
store the credential using the new store_valid_credential
2017-05-22 15:08:03 -05:00
93bb47d546
msftidy fix
2017-05-22 19:27:15 +01:00
092e7b96b8
typo
2017-05-22 17:27:50 +01:00
74c08cebee
Add bypassuac fodhelper module for Windows 10
2017-05-22 17:25:17 +01:00
467f1ce0ca
Land #8411 , Buffer overflow in VXSearch Enterprise v9.5.12
2017-05-22 07:37:31 -05:00
b5caeb29dd
only support for 32bit so far
2017-05-22 12:30:52 +02:00
036f063988
Fix a stack trace when no SMB response is received
2017-05-19 16:24:41 -05:00
b76229b5f7
removed unessessary line
2017-05-18 19:15:49 -07:00
7ca0fe5a68
Added make_junk function
2017-05-18 19:06:09 -07:00
4def7ce6cc
Land #8327 , Simplify storing credentials
2017-05-18 16:49:01 -05:00
c1624d0967
VX Search Enterprise GET Buffer Overflow
2017-05-18 17:12:47 +01:00
bdf121e1c0
x86 kernels will safely ret instead of BSOD
2017-05-17 23:48:14 -06:00
d944bdfab0
expect 0xC00000D
2017-05-17 23:05:20 -06:00
646ca14375
basic OS verification, ghetto socket read code
2017-05-17 22:48:45 -06:00
c0bf2cc6e7
Land #8401 , Buffer Overflow on Sync Breeze Enterprise 9.4.28
2017-05-17 23:39:50 -05:00
3360171977
Land #8319 , Add exploit module for Mediawiki SyntaxHighlight extension
2017-05-17 23:23:50 -05:00
ad8788cc74
Update syncbreeze_bof.rb
2017-05-17 11:33:24 +01:00
5329ce56c4
Sync Breeze Enterprise GET Buffer Overflow
2017-05-17 10:53:28 +01:00
2f39daafc5
Updated module removing hardcoded binary payload strings
...
-Used only nessessary pointers needed for exploit to work removing junk/filler chars
-Repaced ROP chain with generic from msvcrt (even though original was beautiful and smaller, uses hardcoded pointers for leave instructions)
-Cannot use ropdb since 4 byte junk char during generation may result in InvalidByteSequenceError during UTF conversion
-It's been some years since my last pull request...so I might be a bit rusty to new Metasploit standards (please forgive me!)
2017-05-16 23:22:42 -07:00
7e2dab4ddc
Land #8303 , Buffer Overflow on Dupscout Enterprise v9.5.14
2017-05-17 01:04:59 -05:00
6fb4040d11
add core buffer dump for OS version
2017-05-16 23:18:39 -06:00
1f4ff30adb
Improve 200 fail_with in wp_phpmailer_host_header
...
One. last. commit. Noticed this in the response body.
2017-05-16 22:38:36 -05:00
77a9676efb
Land #8347 , Add Serviio Media Server checkStreamUrl Command Execution
2017-05-16 16:20:39 -05:00
6d81ca4208
Fix Array/String TypeError in ms17_010_eternalblue
2017-05-16 15:53:34 -05:00
e24de5f110
Fix Class/String TypeError in ms17_010_eternalblue
2017-05-16 15:41:16 -05:00
e3f4cc0dfd
Land #8345 , WordPress PHPMailer Exim injection
...
CVE-2016-10033
2017-05-16 15:07:21 -05:00
29b7aa5b9b
Update fail_with for 200 (bad user?)
2017-05-16 15:03:42 -05:00
e62fc3e93c
Land #8376 , Add BuilderEngine 3.5 Arbitrary file upload & exec exploit
2017-05-16 14:53:32 -05:00
631267480d
Update module description
2017-05-16 14:48:46 -05:00
2ed8ae11b4
Add doc and make minor changes
2017-05-16 14:47:19 -05:00
7c1dea2f02
Refactor prestager to work with newer Exim
...
Apparently it doesn't like reduce with extract.
2017-05-16 14:22:43 -05:00
53bb5a8440
Update ms17_010_eternalblue.rb
2017-05-16 10:43:43 -06:00
7c2fb9acc1
Fix nil bug in Server header check
2017-05-16 10:43:04 -05:00
5fd6cb0890
Remove nil case, since response might be nil
...
It doesn't always return something. Forgot that.
2017-05-15 21:23:49 -05:00
b41427412b
Improve fail_with granularity for 400 error
...
Also corrects BadConfig to NoTarget in another one of my modules. Oops.
2017-05-15 21:15:43 -05:00
1a644cadc4
Add print_good to on_request_uri override
...
Maybe the ability to send prestagers will be a part of CmdStager in the
future, or maybe CmdStager will actually be able to encode for badchars.
2017-05-15 19:17:58 -05:00
3c4dfee4f5
Module to execute powershell on Octopus Deploy server
...
This is not a bug, but a feature which gives users with the correct
permissions the ability to take over a host running Octopus Deploy.
During an automated deployment initiated by this module, a powershell
based payload is executed in the context of the Octopus Deploy server,
which is running as either Local System or a custom domain account.
This is done by creating a release that contains a single script step
that is run on the Octopus Deploy server. The said script step is
deleted after the deployment is started. Though the script step will
not be visible in the Octopus Deploy UI, it will remain in the server's
database (with lot's of other interesting data).
Options for authenticating with the Octopus Deploy server include
username and password combination or an api key. Accounts are handled
by Octopus Deploy (stored in database) or Active Directory.
More information about Octopus Deploy:
https://octopus.com
2017-05-15 18:57:38 -05:00
c4c55be444
Clarify why we're getting 400 and add fail_with
2017-05-15 18:53:36 -05:00
489d9a6032
Drop module to AverageRanking and note 400 error
2017-05-15 17:35:40 -05:00
2055bf8f65
Add note about PHPMailer being bundled
2017-05-15 14:29:11 -05:00
35670713ff
Remove budding anti-patterns to avoid copypasta
...
While it offers a better OOBE, don't set a default LHOST. Force the user
to think about what they're setting it to. Also, RequiredCmd is largely
unnecessary and difficult to determine ahead of time unless the target
is a virtual appliance or something else "shipped."
2017-05-15 12:56:14 -05:00
cb4c700e62
fix typo
2017-05-14 21:52:36 -06:00
865a36068e
sleep fix and new shellcode
2017-05-14 21:45:19 -06:00
e3dcf0ab2d
added docs
2017-05-14 19:22:26 -06:00
9634f974dd
fix msftidy
2017-05-14 18:14:02 -06:00
fa79339432
eternalblue module
2017-05-14 18:11:41 -06:00
f39e378496
Land #8330 , fix ps_wmi_exec and psh staging
2017-05-13 14:26:47 -04:00
c622e3fc22
Deregister URIPATH because it's overridden by Path
2017-05-12 11:56:38 -05:00
84af5d071d
Deregister VHOST because it's overridden by Host
2017-05-12 11:44:10 -05:00
27e1de14b0
BuilderEngine 3.5 Arbitrary file upload and execution exploit
2017-05-12 18:37:08 +02:00
231510051c
Fix uri_str for exploit
2017-05-11 16:30:10 -05:00
2ae943d981
Use payload common case instead of general case
...
Both x86 and x64 work on x64, but we really expect x64, and there's no
migration to move us from x86 to x64.
2017-05-11 15:43:49 -05:00
e414bdb876
don't try to guess intent for specified default targets, leave auto-auto targeting to unspecified modules
2017-05-11 15:19:11 -05:00
30c48deeab
msftidy and misc. fixups for Quest BoF module
2017-05-11 08:07:39 -05:00
e8aed42ecd
Land #8223 , Quest Privilege Manager pmmasterd Buffer Overflow
2017-05-11 00:44:19 -05:00
18d95b6625
Land #8346 , Templatize shims for external modules
2017-05-10 18:15:54 -05:00
09f6c21f94
Add note about Host header limitations
2017-05-10 15:17:20 -05:00
b446cbcfce
Add reference to Exim string expansions
2017-05-10 15:17:20 -05:00
8842764d95
Add some comments about badchars
2017-05-10 15:17:20 -05:00
ecb79f2f85
Use reduce instead of extracting twice
2017-05-10 15:17:20 -05:00
b5f25ab7ca
Use extract instead of doubling /bin/echo
2017-05-10 15:17:20 -05:00
9a64ecc9b0
Create a pure-Exim, one-shot HTTP client
2017-05-10 15:17:20 -05:00
0ce475dea3
Add WordPress 4.6 PHPMailer exploit
2017-05-10 15:17:20 -05:00
42c7d64b28
Update style
2017-05-10 06:37:09 +00:00
72388a957f
Land #8355 , IIS ScStoragePathFromUrl
...
See #8162
2017-05-09 11:06:01 -05:00
2b4ace9960
convert to "screaming snake"
2017-05-09 09:30:45 +02:00
32dafb06af
Replace NoTarget with NotVulnerable
2017-05-08 22:29:44 +00:00
f70b402dd9
add comment
2017-05-09 00:17:00 +02:00
806963359f
fix fail with condition
2017-05-08 23:47:48 +02:00
f62ac6327d
add @rwhitcroft
2017-05-08 23:20:12 +02:00
26373798fa
change rank
2017-05-08 23:07:12 +02:00
962a31f879
change minimum length
2017-05-08 23:01:17 +02:00
7dccb17834
auto extract values and implement brute forcing
2017-05-08 22:47:29 +02:00
841f63ad20
make office_word_hta backward compat with older Rubies
2017-05-08 15:10:48 -05:00
406a7f1ae2
Merge remote-tracking branch 'dmchell/dmchell-cve-2017-7269' into iis2
2017-05-08 21:51:51 +02:00
fede672a81
further revise templates
2017-05-08 14:26:24 -05:00
b794bfe5db
Land #8335 , rank fixes for the msftidy god
2017-05-07 21:20:33 -05:00
88bef00f61
Add more ranks, remove module warnings
...
../vmware_mount.rb
Rank = Excellent
Exploit uses check code for target availability,
the vulnerability does not require user action,
and the exploit uses privilege escalation to run
arbitrary executables
../movabletype_upgrade_exec.rb
Rank = ExcellentRanking
Exploit utilizes code injection,
has a check for availability
../uptime_file_upload_2.rb
Rank = ExcellentRanking
Exploit allows execution of arbitrary commands,
has a check for availability
../zpanel_information_disclosure_rce.rb
Rank = ExcellentRanking
Exploit allows remote code execution,
implements version check for pChart
../spip_connect_exec.rb
Rank = ExcellentRanking
Exploit utilizes code injection,
has a check for availability
../wp_optimizepress_upload.rb
Rank = ExcellentRanking
Exploit allows execution of arbitrary code,
has a check for availability
../wing_ftp_admin_exec.rb
Rank = ExcellentRanking
Exploit allows execution of arbitrary commands,
has a check for availability
../novell_mdm_lfi.rb
Rank = ExcellentRanking
Exploit allows execution of arbitrary code,
has a check for availability
../run_as.rb
Rank = ExcellentRanking
Exploit utilizes command injection,
checks system type, and does not require user action
2017-05-07 15:41:26 -04:00
ab245b5042
added note to description
2017-05-07 13:56:50 +01:00
4f12a1e271
added note to description
2017-05-07 13:54:28 +01:00
05bf16e91e
Land #8331 , Adding module CryptoLog Remote Code Execution
2017-05-05 18:24:14 -05:00
e2fe70d531
convert store_valid_credential to named params
2017-05-05 18:23:15 -05:00
720a02f5e2
Addressing Spaces at EOL issue reported by Travis
2017-05-05 11:05:17 +03:00
0eacf64324
Add Serviio Media Server checkStreamUrl Command Execution
2017-05-05 07:54:00 +00:00
58d2e818b1
Merging multiple sqli area as a func
2017-05-05 10:49:05 +03:00
63b6ab5355
simplify valid credential storage
2017-05-04 22:51:40 -05:00
81bcf2ca70
updating all LHOST to use the new opt type
2017-05-04 12:57:50 -05:00
64452de06d
Fix msf/core and self.class msftidy warnings
...
Also fixed rex requires.
2017-05-03 15:44:51 -05:00
d04e7cba10
Rename the module as well as title
2017-05-03 19:18:46 +03:00
ae8035a30f
Fixing typo and using shorter sqli payload
2017-05-03 16:45:17 +03:00
db2a2ed289
Removing space at eof and self.class from register_options
2017-05-03 01:31:13 +03:00
77acbb8200
Adding cryptolog rce
2017-05-03 01:05:40 +03:00
494711ee65
Land #8307 , Add lib for writing Python modules
2017-05-02 15:53:13 -05:00
6870a48c48
Code suggestion from @jvoisin
2017-05-02 16:41:06 +02:00
03e4ee91c2
Correct Ghostscript 9.2.1 to 9.21 as per advisory
2017-05-01 16:23:14 -05:00
006ed42248
Added fix information
...
https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/0002
09.html
2017-05-01 09:01:14 +02:00
673dbdc4b9
Code review feedback from h00die
2017-04-29 20:37:39 +02:00
fcf14212b4
Fixed disclosure date
2017-04-29 16:25:25 +02:00
f9e7715adb
Fixed formatting
2017-04-29 16:07:45 +02:00
1569d2cf8e
MediaWiki SyntaxHighlight extension exploit module
...
This module exploits an option injection vulnerability in the SyntaxHighlight extension of MediaWiki. It tries to create & execute a PHP file in the document root. The USERNAME & PASSWORD options are only needed if the Wiki is configured as private.
2017-04-29 14:29:56 +02:00
c4b3ba0d14
Actually removing msf/core this time... ><
...
Helps to actually remove the bits that were failing. Now with even more
removal of msf/core!
2017-04-28 21:42:06 -04:00
ff263812fc
Fix msftidy warnings
...
Remove explicitly loading msf/core and self.class from the register_
functions.
2017-04-28 21:26:53 -04:00
afc804fa03
Quick Ghostscript module based on the public PoC
2017-04-28 09:56:52 -05:00
f8fb03682a
Fix issue in ps_wmi_exec and powershell staging
...
The staging function in the post/windows/powershell class was broken
in a previous commit as the definition for env_variable was removed and
env_prefix alone is now used. This caused an error to be thrown when
attempting to stage the payload. This changes the reference from
env_variable to env_prefix.
Additionally, the ps_wmi_exec module created a powershell script to be
run that was intended to be used with the EncodedCommand command line
option; however the script itself was never actually encoded. This
change passes the compressed script to the encode_script function to
resolve that issue.
2017-04-28 03:31:56 -04:00
18fa411189
Updated with Egypt's suggestion, also changed the target name to include other versions
2017-04-27 13:19:44 +01:00
037fdf854e
move common json-rpc bits to a library
2017-04-26 18:08:08 -05:00
a60e5789ed
update mettle->meterpreter references in modules
2017-04-26 17:55:10 -05:00
a3a4ba7605
Buffer Overflow on Dup Scout Enterprise v9.5.14
2017-04-26 15:19:00 +01:00
bbee7f86b5
Land #8263 , Mercurial SSH exec module
2017-04-26 01:38:01 -05:00
f60807113b
Clean up module
2017-04-26 01:37:49 -05:00
320898697a
Land #8266 , Add Buffer Overflow Exploit on Disk Sorter Enterprise
2017-04-24 17:17:30 -05:00
e333cb65e5
Restore require 'msf/core'
2017-04-24 17:09:02 -05:00
d3aba846b9
Make minor changes
2017-04-24 23:35:36 +02:00
5bbb4d755a
Land #8254 , Add CVE-2017-0199 - Office Word HTA Module
2017-04-24 16:05:00 -05:00
6029a9ee2b
Use a built-in HTA server and update doc
2017-04-24 16:04:27 -05:00
47898717c9
Minor documentation improvements
...
Space after ,
2017-04-24 14:47:25 +01:00
8e4c093a22
added version numbers
2017-04-22 09:45:55 -04:00
714ada2b66
Inline execute_cmd function
2017-04-21 15:32:15 +02:00
8218f024e0
Add WiPG-1000 Command Injection module
2017-04-20 16:32:23 +02:00
f1c51447c1
Add files via upload
...
Buffer Overflow on Disk Sorter Enterprise
2017-04-19 10:57:41 +01:00
f5430e5c47
Revert Msf::Exploit::Remote::Tcp
2017-04-18 19:27:35 -04:00
9a870a623d
Make use of Msf::Exploit::Remote::Tcp
2017-04-18 19:17:48 -04:00
03e3065706
Fix MSF tidy issues
2017-04-18 18:56:42 -04:00
32f0b57091
Fix new line issues
2017-04-18 18:52:53 -04:00
William Webb
David Maloney
wchen-r7
HD Moore
William Vu
nks
Matthew Daley
Jeffrey Martin
amaloteaux
Christian Mehlmauer
lincoln
James Lee
Daniel Teixeira
zerosum0x0
zerosum0x0
james-otten
Spencer McIntyre
Mzack9999
Brent Cook
Adam Cammack
Brendan Coles
Bryan Chu
m0t
Mehmet Ince
darkbushido
Yorick Koster
Yorick Koster
Brandon Knight
Sara Perez
Brent Cook
Matthias Brun
h00die
Jonathan Claudius