Commit Graph

17493 Commits (dfae4bbbf0c1a8f5e6dfda07fdc5302530904aa8)

Author SHA1 Message Date
lanjelot 5ab9f01eee Use byte[] so it works even if Base64 unavailable 2015-04-30 12:46:14 +10:00
lanjelot 15bb4d1ea4 Fix #4243, regression introduced by commit 6e80481384 2015-04-30 12:42:39 +10:00
jvazquez-r7 d773f85dca
Add reference to malware 2015-04-29 17:53:29 -05:00
jvazquez-r7 dbba466b5b
Add module for CVE-2014-8440 2015-04-29 17:52:04 -05:00
Brent Cook 4c9f44b00c
Revert "Land #4888, @h00die's brocade credential bruteforcer"
There were some issues with this module that caused backtraces when run outside
of msfconsole. Reverting it for now so we can add some specs and ensure that it
works like the other login scanners.
2015-04-29 15:36:03 -05:00
William Vu 5defb50252
Fix #5267, references fixes 2015-04-29 14:21:23 -05:00
William Vu a4531e62a0 Clean up references 2015-04-29 14:21:08 -05:00
William Vu 7962be3e2a
Fix #5271, moved OSVDB reference 2015-04-29 14:18:52 -05:00
William Vu b2d08251e4 Move reference 2015-04-29 14:18:45 -05:00
William Vu 1eeb9af2d0
Land #5271, Symantec Workspace Streaming updates 2015-04-29 14:16:23 -05:00
William Vu fd567195e3 Fix punctuation and missing comma 2015-04-29 14:12:44 -05:00
Darius Freamon 5f0736fa4c enhance title and description, add OSVDB reference, standardized JBoss 2015-04-29 11:39:40 -06:00
Brent Cook cc47f8f6e8
Land #5265, handle SSL being disabled in the SSL version scanner 2015-04-29 12:34:55 -05:00
Darius Freamon c01fc829ab Title enhancement, OSVDB refs 2015-04-28 15:56:34 -06:00
William Vu 9b17191e48 Remove unnecessary {,dis}connect 2015-04-28 15:09:16 -05:00
William Vu 28e661e204 Fix false positive in POODLE scanner
If SSL is false somehow.
2015-04-28 14:19:48 -05:00
m-1-k-3 0a4554a204 reporting included, extract device details 2015-04-28 13:01:51 +02:00
Brent Cook 6058dee99a explicitly require bind_tcp/reverse_tcp modules
This transient error was noted in the release documentation builder.

metasploit-framework/modules/payloads/singles/windows/powershell_bind_tcp.rb:37:in
   `initialize': uninitialized constant Msf::Handler::BindTcp (NameError)
2015-04-27 20:57:31 -05:00
Christian Mehlmauer 7523e592d2
Land #5198, WordPress contus video gallery 2.7 scanner 2015-04-27 23:24:57 +02:00
m-1-k-3 ce697ee44c netgear soap password extractor 2015-04-27 17:56:30 +02:00
m-1-k-3 d8b8017e0b remove debugging 2015-04-27 06:36:34 +02:00
m-1-k-3 8db88994ac fingerprint, title 2015-04-27 06:34:46 +02:00
m-1-k-3 285d767e20 initial commit of UPnP exploit for Airties devices 2015-04-27 05:34:30 +02:00
Brandon Perry 7a2084cdc5 Rename wordpress_contus_video_gallery_sqli.rb to wp_contus_video_gallery_sqli.rb 2015-04-26 16:54:21 -05:00
HD Moore 1fd601510c
Lands #5194, merges in PowerShell session support & initial payloads 2015-04-26 16:01:51 -05:00
HD Moore f56eac7f10 Cosmetic cleanup and binary mode read for powershell script 2015-04-26 15:57:51 -05:00
Ben Turner 82fe480c2e Update session to display username and hostname 2015-04-26 21:47:49 +01:00
benpturner f2c745d2a7 update cached sizes 2015-04-26 20:24:41 +01:00
benpturner d19406c593 Update the payload cache size 2015-04-26 18:56:32 +01:00
benpturner 1cc167a7fb Inserted ARCH_X86 payloads, removed interactive_powershell and updated base powershell session 2015-04-26 18:50:42 +01:00
benpturner 4cb1a6c255 Updated payload cached size 2015-04-26 09:30:41 +01:00
benpturner e6c61c461e Updated payloads and fixed msftidy. 2015-04-26 09:20:29 +01:00
OJ 6da8a14f62 Initial work on x64 payloads for new config 2015-04-26 13:41:31 +10:00
OJ 6ac3ecfa7c Refactor, add reverse_winhttps support
Getting closer to a normalised view of what this stuff will look like.
There URL patching is slowly being removed. Reverse HTTPS works fine,
and by default HTTP should too.

Next up, x64 for the same main ones.
2015-04-26 12:11:14 +10:00
m-1-k-3 b330b1d41c typo in title of telnet_encrypt_overflow.rb 2015-04-26 02:32:14 +02:00
OJ 2455163d24 Refactor configuration for meterpreter payloads (x86)
RDI is now back to what it was before, as this leaves all the other RDI
style payloads alone. Instead we have a new Meterpreter loader which
does the stuff that is required to make meterpreter work well with the
new configuration options.

This is just the case for reverse_tcp and bind_tcp so far, need to do
the other payloads too, along with all the x64 versions.
2015-04-26 09:57:30 +10:00
benpturner ded904c72c New payloads 2015-04-26 00:16:59 +01:00
Roberto Soares c41c7a1ba2 Rewrote the conditions of res. 2015-04-25 17:18:38 -03:00
Roberto Soares d01da0c522 Changed if conditions and exception handling 2015-04-25 15:08:36 -03:00
Roberto Soares 3a84396f32 Removed authorization header. 2015-04-25 14:30:21 -03:00
benpturner a02ea90824 New payloads which work with cmd 2015-04-25 16:49:22 +01:00
Roberto Soares b810a96dac Add Module for Enum on InfluxDB database. 2015-04-25 04:41:33 -03:00
benpturner 7afb6e1aa6 Removed stand-alone payloads and will push these as a seperate fork request. 2015-04-25 07:57:43 +01:00
benpturner 6be2c0beab Dynamic 2015-04-25 07:49:34 +01:00
benpturner 2273fb541a payload cached_sizes 2015-04-25 07:33:51 +01:00
benpturner 215e67bcbd Updated comments 2015-04-25 07:02:25 +01:00
Brent Cook 4ffffa59fe
Land #5184, restore store_loot for ssh_creds gatherer 2015-04-24 13:55:06 -05:00
Brent Cook ff96101dba
Land #5218, fix #3816, remove print_debug / DEBUG 2015-04-24 13:41:07 -05:00
benpturner 941a4ee572 updated cached size using tools/update_payload_cached_sizes.rb 2015-04-24 19:13:54 +01:00
jvazquez-r7 7167dc1147
Land #5243, @espreto's WordPress WPshop eCommerce File Upload exploit 2015-04-24 11:30:28 -05:00
jvazquez-r7 558103b25d
Do code cleanup 2015-04-24 11:30:08 -05:00
jvazquez-r7 896d6e8cb7
Fix title 2015-04-24 11:09:39 -05:00
jvazquez-r7 1825b45ac3
Land #5242, @espreto's module for GI-Media Library Plugin Directory Traversal 2015-04-24 11:08:52 -05:00
jvazquez-r7 7af6f31c3a
Fix message 2015-04-24 11:08:00 -05:00
jvazquez-r7 5ca6fe3cb0
Do code cleanup 2015-04-24 11:07:13 -05:00
Brent Cook f457f36cdd
Land #5213, improvements to MS15-035 DoS 2015-04-24 10:54:48 -05:00
jvazquez-r7 7a3949ed52 Land #5230, @espreto's exploit for WordPress InBoundio Marketing File Upload
* OSVDB 119890
2015-04-24 10:49:52 -05:00
jvazquez-r7 8a8d9a26f4
Do code cleanup 2015-04-24 10:47:46 -05:00
jvazquez-r7 b5223912cb
Fix check method 2015-04-24 10:41:41 -05:00
Roberto Soares c9b4a272e3 Changed fail_with output. 2015-04-24 12:16:23 -03:00
kaospunk bb0b2eee37 Fix missing . in SRV query
This update adds a missing . to the end of the
_ldap._tcp SRV record so that it properly forms
the DNS query.
2015-04-24 10:42:31 -04:00
benpturner 2ccf818c7b msftidy 2015-04-24 11:16:31 +01:00
Roberto Soares e14c6af194 Removed double 'Calling payload'. 2015-04-24 06:26:04 -03:00
benpturner 00d8958cc8 New payloads for reverse_tcp for powershell 2015-04-24 10:25:37 +01:00
Roberto Soares 01efc97c4a Add WordPress WPshop eCommerce File Upload. 2015-04-24 06:21:49 -03:00
Roberto Soares e51897d64e Filepath option 2015-04-24 04:35:59 -03:00
Roberto Soares 7b0b59b5f6 Add WordPress GI-Media Library Plugin File Read. 2015-04-24 04:24:16 -03:00
benpturner 9e137c6403 ref 2015-04-23 23:28:33 +01:00
benpturner 468166408e ref 2015-04-23 23:28:21 +01:00
benpturner 3711b2579c new powershell session 2015-04-23 23:13:12 +01:00
benpturner 0f7442dec2 new powershell session 2015-04-23 23:12:58 +01:00
benpturner b642ddb989 interact powershell session 2015-04-23 23:12:38 +01:00
benpturner b6abd9dc8e updates to rex 2015-04-23 22:14:11 +01:00
benpturner a3710752c6 updates to rex 2015-04-23 22:14:00 +01:00
benpturner 5b604d07dd updates 2015-04-23 22:13:46 +01:00
benpturner 3e693c95df update bind_tcp settings 2015-04-23 14:43:08 +01:00
benpturner 94d99cd833 use Rex::Powershell::Command 2015-04-23 14:42:45 +01:00
benpturner e7b84ea40e rhost mandatory 2015-04-23 10:17:13 +01:00
benpturner 4ad3394e82 make rhost mandatory 2015-04-23 10:09:50 +01:00
Roberto Soares 5bf4c9187a Removed double "Calling payload..." 2015-04-23 03:41:34 -03:00
Roberto Soares 844f768eee Add WordPress InBoundio Marketing File Upload 2015-04-23 03:32:17 -03:00
OJ 19a6ae68ff Update bind_tcp sizes to dynamic
This is required due to the fact that we can now turn on/off the
closing of the listen socket.
2015-04-23 09:53:18 +10:00
m-1-k-3 f5b0a7e082 include rop gadget description 2015-04-23 00:11:02 +02:00
benpturner 711061a49b updates 2015-04-22 21:03:13 +01:00
benpturner 5a648ef79b updates to script 2015-04-22 20:45:43 +01:00
Brandon Perry e9f8b25987 Update wordpress_contus_video_gallery_sqli.rb
Update to use the Wordpress mixin
2015-04-22 14:43:55 -05:00
Brandon Perry 26d208f089 Update wordpress_contus_video_gallery_sqli.rb
remove 'uri'
2015-04-22 14:42:03 -05:00
benpturner 99156f1247 reverse payload 2015-04-22 20:41:45 +01:00
benpturner 4ae3c5925d bind payload 2015-04-22 20:41:35 +01:00
m-1-k-3 1ec0e09a43 msftidy 2015-04-22 10:32:47 +02:00
m-1-k-3 58099d0469 airties login bof module 2015-04-22 10:21:58 +02:00
Brent Cook 3963289519
Land #4888, @h00die's brocade credential bruteforcer 2015-04-21 18:27:03 -05:00
Mike 3a1778ef7c Spelling Fix
s/Brocde/Brocade/ as per bcook-r7
2015-04-21 17:57:36 -04:00
jvazquez-r7 3db0e12b67
Modify autopwn comment 2015-04-21 14:19:15 -05:00
jvazquez-r7 3f40342ac5
Fix sock_sendpage 2015-04-21 14:17:19 -05:00
jvazquez-r7 ab94f15a60
Take care of modules using the 'DEBUG' option 2015-04-21 12:13:40 -05:00
jvazquez-r7 4224008709
Delete print_debug/vprint_debug 2015-04-21 11:14:03 -05:00
Brent Cook 073850c5ad
Land #5158, OWA internal IP disclosure scanner 2015-04-21 11:10:39 -05:00
Brent Cook 5296c6507d
Land #5157, OWA login scanner auth timing logs 2015-04-21 11:06:08 -05:00
wchen-r7 a44da8e6d7 URL refs 2015-04-21 09:29:08 -05:00
OJ 86957d9b07
Merge branch 'upstream/master' into connection-recovery 2015-04-21 20:01:59 +10:00
wchen-r7 a3b0f2e424
Land #5175, Update mcafee_vse_hashdump description 2015-04-20 21:49:24 -05:00
Brent Cook 9a49538c1a
Land #5016, add SSL Labs scanner 2015-04-20 21:34:16 -05:00
Brent Cook 752c3243f6 wrap print* functions in report_* wrappers
Preserve the semantics in the code, but don't call functions like 'print_error'
unless there is an actual error running the module. Fix spelling of 'Overall'.
2015-04-20 21:13:43 -05:00
wchen-r7 ff32d6cee3 Improve MS15-034 DOS 2015-04-20 20:36:08 -05:00
jvazquez-r7 c6c7560aed
Land #4846, @joevennix's android 4.3 uxss module 2015-04-20 18:43:24 -05:00
jvazquez-r7 9b240e1d8f Use parenthesis 2015-04-20 18:42:34 -05:00
William Vu 3fbd4e2fe6
Land #5172, x64 BSD shell_{bind,reverse}_tcp 2015-04-20 15:37:29 -05:00
William Vu 79ca0a56f9
Land #4171, Steam protocol support 2015-04-20 15:35:06 -05:00
jvazquez-r7 f762873a31
Land #5192, @joevennix's module for Safari CVE-2015-1126
* Module to profit cross domain vulnerability on safari
2015-04-20 15:19:54 -05:00
jvazquez-r7 e2eaff6b3a
Don't modify datastore options 2015-04-20 15:16:21 -05:00
jvazquez-r7 88c52ae7ae
Delete second stop_service, the mixin should had done the job 2015-04-20 15:13:11 -05:00
jvazquez-r7 dc0549d2dd
Use #wait 2015-04-20 15:06:01 -05:00
jvazquez-r7 c1234e05e2
Delete parenthesis from condition 2015-04-20 14:56:37 -05:00
jvazquez-r7 0283ac05e5
Do minor style fixes 2015-04-20 14:54:39 -05:00
jvazquez-r7 69b8edda4a
Use single quotes 2015-04-20 14:53:38 -05:00
jvazquez-r7 16daa935dd
Do minor code cleanup 2015-04-20 13:08:51 -05:00
jvazquez-r7 4f59abe842
Land #5203, @Meatballs1 fixes #5199 by using the correct namespace
* Fixes web_delivery
2015-04-20 11:20:48 -05:00
benpturner d9d8451b9f Updated tools/msftidy.rb issues 2015-04-20 16:03:34 +01:00
Meatballs eb1c01417a
Bogus : 2015-04-20 11:00:26 +01:00
Meatballs aa4f913800
Resolves #5199
Fix Powershell namespace in web_delivery module
2015-04-20 09:37:42 +01:00
Christian Mehlmauer a60fe4af8e
Land #5201, Change module wording to conform with other WP modules 2015-04-20 10:07:05 +02:00
aushack 1a32cf7fc0 Change module wording to conform with other WP modules. 2015-04-20 16:48:35 +10:00
Brandon Perry b622aae97f Update wordpress_contus_video_gallery_sqli.rb 2015-04-19 18:24:12 -05:00
Meatballs ac1f03b1de
Use fail_with if unknown exception 2015-04-20 00:11:23 +01:00
Brandon Perry c393f7c398 add contus video gallery scanner 2015-04-19 17:58:08 -05:00
Meatballs 1cc08a56a8
Additional tidyup 2015-04-19 23:55:55 +01:00
Meatballs b0d50dc2be
Create our own Rex connection to the endpoint
Ensure powershell process closes when module completes
Add a windows cmd interact payload
2015-04-19 23:41:28 +01:00
Christian Mehlmauer ed9175d73f
Land #5167, WordPress CP Multi-View Calendar SQLI Scanner 2015-04-19 23:36:23 +02:00
Brandon Perry 8c0bcd2e03 Update wordpress_cp_calendar_sqli.rb
Use the new WPVDB
2015-04-19 16:32:57 -05:00
Christian Mehlmauer a5583debdc
Land #5131, WordPress Slideshow Upload 2015-04-19 23:12:26 +02:00
Meatballs 8bd0da580d
Move script out of module 2015-04-19 21:12:44 +01:00
Meatballs 9fd3d3aa8c
Move to exploit module 2015-04-19 20:58:20 +01:00
benpturner 1ee850246a Interactive powershell post module that allows a user to gain an
interactive powershell prompt from a compromised session. It opens a TCP
listener for Powershell and automatically creates the handler. You can
also pass this other powershell files in the LOAD_MODULE option to go
ahead and download using the download cradle once the session is
established.
2015-04-19 20:51:41 +01:00
joev 2010e966b3 Add non-httponly cookie theft module for ios/osx safari. 2015-04-19 11:32:37 -05:00
Roberto Soares c1a1143377 Remove line in description and output line in fail_with 2015-04-18 15:38:42 -03:00
OJ 19f8a76475 Porting bind_tcp for posix to metasm
And supporting SO_REUSEADDR and stageless meterp
2015-04-18 19:19:40 +10:00
wchen-r7 43e9244b4c Fix #5134, Put store_loot back
Fix #5134

store_loot was used at one point, but we ended up removing it.
Turns out store_loot is handy in some cases so we're brining it back.
2015-04-17 16:33:51 -05:00
Michael Messner b991dec0f9 Dlink UPnP SOAP-Header Injection 2015-04-17 22:54:32 +02:00
wchen-r7 4f903a604c Fix #5103, Revert unwanted URI encoding
Fix #5103. By default, Httpclient will encode the URI but
we don't necessarily want that. These modules originally
didn't use URI encoding when they were written so we should
just keep them that way.
2015-04-17 13:59:49 -05:00
karllll e3ce4eb88e Update mcafee_vse_hashdump.rb 2015-04-17 09:47:02 -04:00
OJ 97912882ca Adjustments for POSIX meterpreter patching 2015-04-17 19:53:05 +10:00
Christian Mehlmauer bba0927c7e
Land #5163, WordPress Reflex Gallery Plugin File Upload 2015-04-17 11:26:34 +02:00
Christian Mehlmauer 6653c9e33d
Land #5162, WordPress Dukapress File Read Vulnerability 2015-04-17 11:20:55 +02:00
Christian Mehlmauer 6c77b64dae
wrong method name 2015-04-17 11:20:14 +02:00
Christian Mehlmauer aef464fc2e
Land #5159, WordPress Mobile Edition Plugin File Read Vuln 2015-04-17 11:13:00 +02:00
OJ 0a8b29dd86 Merge branch 'upstream/master' into connection-recovery
Conflicts:
	lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb
2015-04-17 14:40:21 +10:00
wchen-r7 3927024f79
Land #5154, CVE-2015-0556 (Flash copyPixelsToByteArray int overflow)
sage aborts
2015-04-16 21:21:09 -05:00
William Vu 3422501d91
Land #5174, deprecated module cleanup 2015-04-16 17:43:28 -05:00
Christian Mehlmauer 153344a1dd
fix Unkown typo 2015-04-16 23:59:28 +02:00
Christian Mehlmauer 2b9fd93729
remove deprecated modules 2015-04-16 22:49:22 +02:00
Roberto Soares 33cf2f1578 Added Faliure:: symbol to fail_with 2015-04-16 17:40:25 -03:00
Roberto Soares ed588e335b Changed the print_error output. 2015-04-16 17:32:59 -03:00
Roberto Soares bf3bdcffb4 Changed the deph value to 7. 2015-04-16 17:30:28 -03:00
Roberto Soares dd474757fe Changed the print_error output. 2015-04-16 17:26:44 -03:00
Roberto Soares f50cedeafd Changed the depth value to 7. 2015-04-16 17:22:49 -03:00
Roberto Soares 2138325129 Add Failure:: symbol to fail_with 2015-04-16 17:15:24 -03:00
karllll cb2e8f4949 Update mcafee_vse_hashdump description
The description of this module has been added upon to include cracking details.
2015-04-16 16:09:43 -04:00
Christian Mehlmauer 352e170624
more failure reasons 2015-04-16 22:04:11 +02:00
Christian Mehlmauer 8c5890d506
more fixes 2015-04-16 21:56:42 +02:00
Christian Mehlmauer 8c12361bda
remove fail_with defs 2015-04-16 21:49:31 +02:00
Christian Mehlmauer ba6548db75
be consistent about naming 2015-04-16 21:44:56 +02:00
Christian Mehlmauer b4b8ac0849
moar fail_with's 2015-04-16 21:26:37 +02:00
Christian Mehlmauer a193ae42b0
moar fail_with's 2015-04-16 21:25:05 +02:00
Christian Mehlmauer 4dc402fd3c
moar fail_with's 2015-04-16 21:16:52 +02:00
Christian Mehlmauer 0e186fa617
first fail_with fixes 2015-04-16 21:08:33 +02:00
William Vu f0d6735332
Land #5165, version number correction 2015-04-16 12:10:12 -05:00
William Vu 26f2b350d2
Land #5168, more fail_with fixes 2015-04-16 12:04:55 -05:00
William Vu 1455d4e94d Fix AUTH_TIME 2015-04-16 11:39:33 -05:00
William Vu 7c572777e1 Fix whitespace 2015-04-16 11:34:50 -05:00
William Vu 7a9167b235 Fix comments 2015-04-16 11:34:47 -05:00
Nate Power 9bcc988266 Update owa_login 2015-04-16 11:23:04 -05:00
sinn3r 904339f0d7 Fix #5130, Correct use of fail_with in wp_worktheflow_upload.rb 2015-04-16 10:32:50 -05:00
sinn3r 5c98270f4d Fix #5137 - Correct use of fail_with 2015-04-16 09:57:02 -05:00
Brandon Perry 75b88f199a Create wordpress_cp_calendar_sqli.rb 2015-04-16 09:53:00 -05:00
Christian Mehlmauer 418d8586a5
Land #5137 (again), WordPress N-Media Website File Upload 2015-04-16 16:24:41 +02:00
Christian Mehlmauer 7f79acb996
Land #5137, WordPress N-Media Website File Upload 2015-04-16 16:17:20 +02:00
Roberto Soares 517ad54617 Fix the correct version in check. 2015-04-16 10:56:43 -03:00
Roberto Soares 95310dbe4f Fix 'if' condition. 2015-04-16 10:51:36 -03:00
Roberto Soares 626a9f0508 Fix the correct version in check. 2015-04-16 10:46:08 -03:00
Roberto Soares ecc67b1a57 Fix loot name 2015-04-16 10:42:20 -03:00
Roberto Soares d898af5513 Add check version and removed HttpClient 2015-04-16 10:40:35 -03:00
Roberto Soares 6ef074cd28 Fix the correct version in check 2015-04-16 10:34:34 -03:00
Roberto Soares 768294710b Add check and removed HttpClient 2015-04-16 10:22:10 -03:00
Christian Mehlmauer d9f4c7548f
Land #5136, WordPress Creative Contact Form upload 2015-04-16 15:17:14 +02:00
Christian Mehlmauer 84c74b8d42
use correct version number 2015-04-16 15:01:54 +02:00
Roberto Soares ee8dc49a25 Fix wrong version in check. 2015-04-16 09:45:18 -03:00
Roberto Soares e16cc6fa82 Fix the correct version in check. 2015-04-16 09:38:42 -03:00
Roberto Soares 890561bff3 Rewriting the condition 'if' for only one line 2015-04-16 09:23:56 -03:00
Roberto Soares b90ff36ef4 Rewriting the condition 'if' for only one line 2015-04-16 09:15:17 -03:00
Christian Mehlmauer 7dde7f6f7c
Land #5130, WordPress WorkTheFlow Upload 2015-04-16 14:06:37 +02:00
Roberto Soares dc7f161339 Add author, EDB, OSVDB and WPVDB. 2015-04-16 08:56:33 -03:00
Roberto Soares 1112a3b0ae Add WordPress Reflex Gallery Plugin File Upload 2015-04-16 08:40:51 -03:00
Roberto Soares 21e964e699 Add Author and references.. 2015-04-16 07:20:48 -03:00
Roberto Soares f6f4bd0746 Add WordPress Dukapress File Read Vulnerability 2015-04-16 07:17:46 -03:00
Roberto Soares 4aa4f83372 Removed timeout 2. 2015-04-16 05:37:11 -03:00
Roberto Soares 39556c10c7 Rewrote check method. 2015-04-16 05:36:20 -03:00
Roberto Soares ace316a54f Added WPVDB and EDB references. 2015-04-16 05:29:21 -03:00
Roberto Soares 10c218319a Rewrote response condition. 2015-04-16 05:26:48 -03:00
Roberto Soares 5cb9b1a44c Removed timeout 2. 2015-04-16 05:21:59 -03:00
Roberto Soares 0e1b173d15 Renamed USER/PASSWORD to WP_USER/WP_PASSWORD. 2015-04-16 05:11:56 -03:00
Roberto Soares 13ded8abe7 Added WPVDB. 2015-04-16 05:08:45 -03:00
Roberto Soares 64923ffdc2 Fixed plugin name in check method 2015-04-16 05:06:36 -03:00
Roberto Soares c8e1185a04 Included Wordpress mixin. 2015-04-16 05:02:39 -03:00
Roberto Soares e9212c4d6b wordpress_url_admin_ajax intead of wordpress_url_backend 2015-04-16 04:53:05 -03:00
Roberto Soares 81d898fd7e Rewrote check code. 2015-04-16 04:51:40 -03:00
Roberto Soares aeb0484889 Removed timeout 2. 2015-04-16 04:48:00 -03:00
Roberto Soares e6e9c173e3 Rewrote res conditions. 2015-04-16 04:43:34 -03:00
Roberto Soares d11db4edc7 Rewrote check code. 2015-04-16 04:37:30 -03:00
Roberto Soares f13d31c7c2 Added WPVDB. 2015-04-16 04:31:23 -03:00
Roberto Soares cccda4e851 Removed unnecessary line. 2015-04-16 04:27:15 -03:00
William Vu 42ff0decc7
Land #4722, timing options for snmp_login 2015-04-16 02:25:29 -05:00
William Vu 88062a578d Clean up PR 2015-04-16 02:25:06 -05:00
Roberto Soares d3a6de761d Removed timeout 2. 2015-04-16 04:09:02 -03:00
William Vu 01625e3bba
Land #5148, DRY BSD/OS X shellcode
Also fix a semi-regression in the Rootpipe exploit.
2015-04-16 02:08:18 -05:00
William Vu 13da15e434 Add default PAYLOAD again
PrependSetreuid doesn't work with generic/shell_reverse_tcp.
2015-04-16 02:07:02 -05:00
Roberto Soares 1249f29ee8 Add JSON::ParserError exception handler. 2015-04-16 04:03:54 -03:00
William Vu bec6270f07 Fix regex 2015-04-15 23:47:03 -05:00
William Vu 86c5e96d19
Land #5146, enum_system cleanup 2015-04-15 22:02:32 -05:00
William Vu 001253a8da Clean up module some more 2015-04-15 22:02:04 -05:00
William Vu 0a4ab99aa5
Land #5149, couchdb_enum cleanup 2015-04-15 21:50:30 -05:00
William Vu 4410f8da6e Clean up module some more 2015-04-15 21:48:19 -05:00
Brent Cook 30d60975ba
Land #5144, add missing report_note in apache_range_dos 2015-04-15 21:47:18 -05:00
William Vu 01ae7002cf Fix EOF whitespace 2015-04-15 21:27:53 -05:00
William Vu 20d4d1ce3f Move report_goods before the return 2015-04-15 21:22:41 -05:00
joev 9b6aea12e1 Oops, missed a comma. 2015-04-15 19:26:53 -05:00
Roberto Soares 0031f09d60 Add author, EDB, WPVDB and fix loot. 2015-04-15 20:03:36 -03:00
jvazquez-r7 c1753672bf
Delete file_contents initialization 2015-04-15 17:58:32 -05:00
Roberto Soares 0f1cf1d1b1 Add Module WP Mobile Edition Plugin File Read Vuln 2015-04-15 19:45:08 -03:00
William Vu 66b7179a97 Rename module to owa_iis_internal_ip 2015-04-15 17:10:01 -05:00
William Vu a109dae033 Fix EOL whitespace 2015-04-15 16:58:59 -05:00
William Vu cc422eeeea Fix splat 2015-04-15 16:58:18 -05:00
Nate Power 34ce4edacb Add exchange_iis_internal_ip 2015-04-15 16:55:19 -05:00
sinn3r 7cc80c418b Correct a bad spelling in ms15_034_ulonglongadd.rb 2015-04-15 15:32:55 -05:00
joev 4a18714191 Update authors and license to original osx x86 module. 2015-04-15 14:34:26 -05:00
joev a01d98d1f5 Implement shell_bind and shell_reverse payloads for bsd x64. 2015-04-15 14:33:27 -05:00
jvazquez-r7 3ca7d6aae5
Land #5150, @wchen-r7's DOS module for CVE-2015-1635 HTTP.sys
* `check` to test, `run` to DoS
2015-04-15 14:29:18 -05:00
jvazquez-r7 28fac60c81
Add module for CVE-2015-0556 2015-04-15 14:08:16 -05:00
sinn3r 76d36a46dc Missing a checkcode 2015-04-15 14:04:18 -05:00
sinn3r 8a542b841c Don't check Server header 2015-04-15 13:33:09 -05:00
sinn3r 90ed6ee0b6 No "vhost" 2015-04-15 13:32:11 -05:00
sinn3r 3aa8e6908d Converted to a DOS module 2015-04-15 13:13:16 -05:00
sinn3r 19ab71aa43 Final update i swear 2015-04-15 10:20:15 -05:00
sinn3r 7a77dbc9f0 Update description 2015-04-15 10:15:40 -05:00
jvazquez-r7 ef6bf54e2f
Fix metadata 2015-04-15 09:22:59 -05:00
jvazquez-r7 1da6b32df7
Land #4924, @m-1-k-3's DLink CVE-2015-1187 exploit
* ncc service ping.cpp command injection
2015-04-15 09:17:10 -05:00
jvazquez-r7 6019bbe0d2
Add ranking comment 2015-04-15 09:12:03 -05:00
jvazquez-r7 ad465c4d5b
Do code cleanup 2015-04-15 09:10:18 -05:00
sinn3r 2206ae48a1 Match the PR title 2015-04-15 01:50:59 -05:00
sinn3r 63048a7385 Newline
-_-
2015-04-15 01:38:09 -05:00
sinn3r 6f874b81ff Add MS15-034 check (CVE-2015-1635) 2015-04-15 01:37:43 -05:00
Roberto Soares 1d6300991c Clean the code of the module couchdb_enum. 2015-04-15 02:58:51 -03:00
joev 0d19b5d4c3 Fix require order issue. 2015-04-14 23:23:02 -05:00
joev e56590e1e3 DRY up common code between BSD / OSX. 2015-04-14 23:08:57 -05:00
Roberto Soares c6e8ffb7e3 Fix some "mistakes" following the style guide 2015-04-15 00:35:14 -03:00
Roberto Soares 9250869ace Fix typo 2015-04-14 20:19:38 -03:00
Roberto Soares 6aad8b3a70 Changed the conditions if/elsif to case statements 2015-04-14 20:05:52 -03:00
William Vu 3cdc84bf27 Fix missing type in report_note 2015-04-14 14:02:20 -05:00
sinn3r aca93cc86e Add missing Rank 2015-04-14 13:33:37 -05:00
William Vu e114c85044
Land #5127, x64 OS X prepend stubs 'n' stuff 2015-04-14 01:25:39 -05:00
William Vu 8d1126eaa5
Land #5129, x64 BSD prepend stubs 'n' stuff 2015-04-14 01:24:50 -05:00
Roberto Soares a09e643a71 Add author, URL, WPVDB and disclosure date. 2015-04-13 22:54:05 -03:00
Roberto Soares 271a81778e Add Module WP N-Media Website Contact Form Upload 2015-04-13 22:48:34 -03:00
Roberto Soares 7f10fb5bf0 Fix disclosure date 2015-04-13 18:53:20 -03:00
Roberto Soares e94ca0bdd1 Add EDB, OSVDB and author. 2015-04-13 18:42:17 -03:00
Roberto Soares d5d975c450 Add Module WordPress Creative Contact Form Upload 2015-04-13 18:38:43 -03:00
William Vu e324819feb Add Privileged to info hash
Also remove default payload. Was set for CMD.
2015-04-13 15:23:30 -05:00
Tod Beardsley bd3b6514fa
Dubbed. Whump whump. 2015-04-13 10:52:32 -05:00
Tod Beardsley d87483b28d
Squashed commit of the following:
commit 49f480af8b9d27e676c02006ae8873a119e1aae6
Author: Tod Beardsley <tod_beardsley@rapid7.com>
Date:   Mon Apr 13 10:42:13 2015 -0500

    Fix funny punctuation on rootpipe exploit title

    See #5119

commit 0b439671efd6dabcf1a69fd0b089c28badf5ccff
Author: Tod Beardsley <tod_beardsley@rapid7.com>
Date:   Mon Apr 13 10:37:39 2015 -0500

    Fix vendor caps

    Trusting the github repo README at

    https://github.com/embedthis/goahead

    See #5101
2015-04-13 10:46:47 -05:00
Roberto Soares 7b57496501 Fix typo and add email addr. 2015-04-13 04:12:32 -03:00
Roberto Soares abee3f17c4 Add author, CVE and EDB references 2015-04-13 04:08:34 -03:00
Roberto Soares 58c4042321 Add Module WP Slideshow Gallery Shell Upload 2015-04-13 03:56:59 -03:00
Roberto Soares 2d1f8c510e Add author and references 2015-04-12 21:21:49 -03:00
Roberto Soares 9f06cee53d Add Module WordPress WorkTheFlow Shell Upload 2015-04-12 21:09:44 -03:00
joev 2d3614f647 Implement x64 BSD exec and exe template.
- Fixes bug in CachedSize due to all options being set
- Adds new payload to payload_spec.
2015-04-12 12:17:25 -05:00
joev ceadd1e6ec Update osx x86 payload cached sizes to be accurate.
- Right now there is a bug in the payload_spec, which causes the payload's
  datastore during the spec run to have things like 'PrependSetuid' => 'false',
  where 'false' is a string, which means 'if (datastore['PrependSetuid'])'
  branch will be taken, resulting in incorrect behavior.
2015-04-12 00:21:18 -05:00
joev c132a3fb0a Fix OSX prepends and implement x64 setreuid. 2015-04-11 20:04:21 -05:00
jvazquez-r7 656abac13c Use keyword arguments 2015-04-10 18:03:45 -05:00
jvazquez-r7 1720d4cd83
Introduce get_file_contents 2015-04-10 17:34:00 -05:00
jvazquez-r7 ca6a5cad17
support changing files 2015-04-10 16:53:12 -05:00
sinn3r 284ef5bbbb
Land #5112, Nessus REST Login Module 2015-04-10 13:32:53 -05:00
jvazquez-r7 b2e17a61a9
Fix disclosure date 2015-04-10 13:09:24 -05:00
jvazquez-r7 ab944b1897
Add module to exploit dangerous group policy startup scripts 2015-04-10 13:01:50 -05:00
joev 3313dac30f
Land #5119, @wvu's addition of the OSX rootpipe privesc exploit.
orts
borts
2015-04-10 12:38:25 -05:00
sinn3r 4419c1c728
Land #5120, Adobe Flash Player casi32 Integer Overflow 2015-04-10 12:18:11 -05:00
William Vu e8e7a2a67a
Land #5122, undefined "upload_path" fix 2015-04-10 11:30:50 -05:00
William Vu fc814a17ae Add admin check
Also break out version check.
2015-04-10 11:24:49 -05:00
William Vu 41885133d8 Refactor and clean
Finally breaking free of some stubborn old habits. :)
2015-04-10 11:22:27 -05:00
William Vu a7601c1b9a Use zsh to avoid dropping privs
Also add some configurable options.
2015-04-10 11:22:00 -05:00
William Vu 4cc6ac6eaa Clarify vulnerable versions 2015-04-10 11:22:00 -05:00
William Vu c4b7b32745 Add Rootpipe exploit 2015-04-10 11:22:00 -05:00
Jon Cave b2b7da2dc5 Fix spelling of Microsoft in module name 2015-04-10 11:09:16 +01:00
Jon Cave c6f062d49e Ensure that local variable `upload_path` is defined
Merge `upload_payload` and `parse_upload_response` so that the
`upload_path` variable is defined for use in error messages in the event
of failure.
2015-04-10 10:58:20 +01:00
OJ 91202e2447 Port of reverse_tcp payload to metasm 2015-04-10 17:46:27 +10:00
root 7810f3d9a3 Add previous nessus_xmlrpc_login file 2015-04-10 12:32:42 +05:00
root bbbd4d3634 change name to keep both XML and REST modules 2015-04-10 12:20:43 +05:00
OJ fadb13b8ef Porting block api, exitfunk, bind to metasm
Also add the flag which lets the bind stager leave the listen socket
open.
2015-04-10 16:23:03 +10:00
jvazquez-r7 91f5d0af5a
Add module for CVE-2014-0569
* Adobe flash, Integer overflow on casi32
2015-04-09 19:37:26 -05:00
Pedro Ribeiro 4808d61af3 Add OSVDB id and full disclosure URL 2015-04-09 16:32:22 +01:00
OJ 809409d8c4 Lots of changes to support moving timeouts to common spots
Session expiry, comms timeout, retry total/wait are all now part of all
of the meterpreter payloads as these are going to be used for
maintaining access with resiliency and will aim for consistency across
the payload types.
2015-04-09 17:57:43 +10:00
root b6e750d7eb Nessus auxiliary scanner for updated REST API 2015-04-09 11:36:17 +05:00
OJ bc5fd4b813 A few adjustments to make bind_tcp keep listen sockets open 2015-04-09 08:46:35 +10:00
William Vu c9bf8f3140
Land #5105, @joevennix's cable modem 0day 2015-04-08 16:09:46 -05:00
William Vu 831a59b10b Fix whitespace 2015-04-08 16:09:28 -05:00
Tod Beardsley 52f1b95222 Add disclosure link 2015-04-08 16:07:33 -05:00
sinn3r 1bfda9e78f
Land #5101, Add Directory Traversal for GoAhead Web Server 2015-04-08 15:30:23 -05:00
Brent Cook e03f2df691
Land #5002, RMI/JMX improvements 2015-04-08 15:23:29 -05:00
Tod Beardsley 7ed1655976
Adding module for R7-2015-01
Disclosure coming soon, will update this module with a pointer to the
correct reference.
2015-04-08 12:34:31 -05:00
sinn3r 5f389cf3c2 Add ManageEngine Desktop Central Login Utility 2015-04-08 02:05:56 -05:00
HD Moore e7a4ee637a Port windows reverse_tcp|bind_tcp to Metasm, add error handling
Conflicts:
	lib/msf/core/payload/windows/bind_tcp.rb
	modules/payloads/stagers/windows/bind_tcp.rb

Cherry-picked form @hmoore-r7's repo.
2015-04-08 16:21:10 +10:00
OJ 9ebcb27929 Merge branch 'upstream/master' into connection-recovery 2015-04-08 15:48:21 +10:00
Roberto Soares dc14c770be Changed the traversal variable to just one line 2015-04-08 02:26:59 -03:00
OJ a9804dff62 Initial work to support fault-tolerant connectivity
This code adjusts the bind_tcp stager for x86 so that the listener
socket isn't close for meterpreter payloads. This means that meterpreter
can make an educated guess as to whether or not the payload was a bind
or tcp payload, and from there can attempt to establish communications
in the same way as before should something break along the way.

Some simple adjustments to the x64 meterpreter stage as well, but more
to come here.
2015-04-08 14:41:32 +10:00
Roberto Soares 441042ed37 Removed the segments variable 2015-04-08 01:29:45 -03:00
Roberto Soares d399d05383 Add Directory Traversal for GoAhead Web Server 2015-04-07 20:22:06 -03:00
Zach Grace 42e82cc644 Rubocop fixes 2015-04-07 18:21:08 -05:00
Zach Grace 7275d5745f Fixes, refactoring and adding JBoss AS default creds scanning 2015-04-07 17:40:25 -05:00
OJ 9fd40870d0 Update http(s) generator functions
Methods now require a hash. I went with the hash because 1) that's what
we seem to use everywhere else, and 2) I couldn't get the new keyword
arguments working nicely with the block syntax (I'm clearly stupid).
2015-04-08 07:56:54 +10:00
Pedro Ribeiro cf8b92b747 Create zcm_file_upload.rb 2015-04-07 16:05:51 +01:00
OJ 8f58e08c13 Add support for stageless reverse_http payloads
This includes both x64 and x86.
2015-04-07 11:01:24 +10:00
OJ 38a77c930e
Land #5072 : Support and embed payload UUIDs 2015-04-07 10:10:36 +10:00
William Vu 7a2d3f5ebd
Land #5082, firefox_proxy_prototype autopwn_info 2015-04-06 13:36:03 -05:00
William Vu e1af495d21 Add extra release fixes 2015-04-06 13:08:40 -05:00
Tod Beardsley b62011121b
Minor word choice fix on Solarwinds exploit
Removing the second person pronoun usage.

[See #5050]
2015-04-06 12:40:22 -05:00
Tod Beardsley 5be5b6097c
Minor grammar on #5030, Adobe Flash
[See #5030]
2015-04-06 12:36:25 -05:00
Tod Beardsley 1e6d895975
Description fixes on #4784, jboss exploit
Also, needed to run through msftidy.

[See #4784]
2015-04-06 12:34:49 -05:00
root cd65e6f282 Add browser_autopwn info to firefox_proxy_prototype 2015-04-06 10:42:32 +05:00
HD Moore 78c73cc2a3 Update cached sizes with the new uri defaults 2015-04-05 22:11:12 -05:00
Jon Cave 7aceb9218e Use bitwise OR to select both primary and backup DCs
SV_TYPE_DOMAIN_CTRL || SV_TYPE_DOMAIN_BAKCTRL returns
SV_TYPE_DOMAIN_CTRL rather than ORing the bits together.
2015-04-05 11:05:42 +01:00
HD Moore c9696d3f6c Merge in stageless/transport work, deconflict 2015-04-04 11:52:26 -07:00
William Vu 56dc7afea6
Land #5068, @todb-r7's module author cleanup 2015-04-03 16:00:36 -05:00
jvazquez-r7 79b2a23dff
Land #5015, @espreto file traversal scanner for RIPS 2015-04-03 15:35:58 -05:00
jvazquez-r7 ce6e5e12d8
Make depth an option 2015-04-03 15:33:27 -05:00
jvazquez-r7 70fad73092
Add metadata 2015-04-03 15:27:28 -05:00
jvazquez-r7 e3bbb7c297 Solve conflicts 2015-04-03 14:57:49 -05:00
jvazquez-r7 e729185804
Land #5051, @nullbind's new options for mssql_enum_domain_accounts_sqli 2015-04-03 14:44:20 -05:00
jvazquez-r7 fe9fbfd157
Make calculations easier 2015-04-03 14:43:01 -05:00
jvazquez-r7 6c36a82f78
Land #5059, @void-in's documentation clean up 2015-04-03 14:16:34 -05:00
jvazquez-r7 828301a6cc
Land #5050, @wchen-r7's exploit for Solarwinds Firewall Security Manager
* CVE-2015-2284
2015-04-03 13:45:30 -05:00
jvazquez-r7 7c9b19c6f8
Do minor cleanup 2015-04-03 11:53:50 -05:00
root 452ebcf9ad travis 2015-04-03 16:29:35 +05:00
root be829e77ba cravis error solve 2015-04-03 16:25:18 +05:00
root 4bd40fed7f yard doc and comment corrections for auxiliary 2015-04-03 16:12:23 +05:00
Denis Kolegov c9e8f9cbea Add BigIP HTTP VS scanner and fix connection errors 2015-04-03 02:30:03 -04:00
Brent Cook 16cb334325
Land #5065: OJ fix missed merges for uri_checksum and others 2015-04-02 22:53:29 -05:00
OJ fd043d4842 Fix up build and missing uri_checksum stuff
Somehow this made it into a merge when it shouldn't have. This fix moves
the URI checksum module to where it needs to be and updates all the
references where required. This will result in a class with the dynamic
transport branch, but I can fix that after.
2015-04-03 13:42:25 +10:00
scriptjunkie 0f7c644fff
Land #4784, JBoss Seam 2 upload exec exploit 2015-04-02 22:32:35 -05:00
OJ 5b5dc3ef59 Merge branch 'upstream/master' into stageless-x64
Merge required adjustment of the proxy datastore names that were changed.
2015-04-03 08:53:09 +10:00
Tod Beardsley 3ff91d74ca
More cleanup, mostly abysssec
[See #5012]
2015-04-02 16:16:38 -05:00
Tod Beardsley 11057e5b3b
Fix up the last couple from Tenable, missed last
[See #5012]
2015-04-02 15:27:46 -05:00