b0c6671721
Add module for ZDI-15-038, HPCA command injection
2015-02-20 00:41:17 -06:00
49f4b68671
Land #4790 , injecting code into eval-based Javascript unpackers
2015-02-19 12:33:52 -06:00
036a6089eb
Drop ungenuine x64 support in ms13_022_silverlight_script_object
...
The MS13-022 exploit does not actually run as x64. IE by default
still runs x86 so BES will always automatically select that target.
If IE forces x64 (which can be done manually), the BES detection
code will see it as ARCH_X86_64, and the payload generator will
still end up generating a x86 payload anyway.
If the user actually chooses a x64 payload, such as
windows/x64/meterpreter/reverse_tcp, the exploit is going to crash
because you can't run x64 shellcode on an x86 architecture.
2015-02-19 10:39:43 -06:00
f6c871a8e5
Deleted spaces at EOL
2015-02-19 05:06:00 -05:00
caabb82975
Fixed indentation errors
2015-02-19 05:02:10 -05:00
2a584da6d9
Added cookie value in print function
2015-02-19 00:43:57 -05:00
fe840635e5
Land #4791 , fix ms14-070 CreateFile arguments
...
The arguments to CreateFileA used to require that the user had
some level of access on the \\.\tcp device.
2015-02-18 17:15:45 -05:00
ffa6550aec
Land #4787 , HD's new Zabbix and Chef LoginScanners
...
Lands the new LoginScanners HD wrote for Zabbix
and the Chef WebUI
2015-02-18 14:51:16 -06:00
804db0ff0c
add leixcal sorting to methods
...
lexical sort the new methods except for
msf module entrypoint methods which should always be at
the top
2015-02-18 14:50:33 -06:00
483a145d19
Fix msftidy issues.
2015-02-18 14:08:03 -06:00
35511636cc
Land #4788 , splunk_web_login new version support
2015-02-18 11:54:54 -06:00
e40772efe2
Fixed open device issue for non-priv users
...
Fixed the open_device call to work for users without Administrator
privileges
2015-02-18 12:44:58 -05:00
f8609ab0ba
Add file format exploit for injecting code into unpackers.
2015-02-18 11:26:45 -06:00
10960310da
Land #4786 , cosmetic fixes from @hmoore-r7
...
For {axis,glassfish}_login.
2015-02-18 03:56:13 -06:00
cc6899d783
Fix a stack trace on null response, thanks @jlee-r7
2015-02-18 00:38:55 -06:00
f4d8a25981
Add support for newer Splunk versions
2015-02-18 00:30:47 -06:00
2847507f03
Add a chef brute force module
2015-02-17 23:49:57 -06:00
27d5ab45b4
Add a zabbix brute force module
2015-02-17 22:56:08 -06:00
f0e69cb526
Fix two cosmetic typos in the axis/glassfish modules
2015-02-17 21:01:35 -06:00
6acbe64dbd
The MSB reference in the title is wrong
...
It should be MS13-022.
MS12-022 is MSFT Expression Design.
2015-02-17 14:56:14 -06:00
be5a0ee9c2
Land #4777 , @todb-r7's release fixes
2015-02-17 13:45:00 -06:00
e0d87a8886
Update to use store_loot for CSV export
2015-02-17 19:21:31 +00:00
fb06cb13cc
Land #4774 , Chromecast HTTP scanner
2015-02-17 13:11:25 -06:00
a8108cfc17
Be less stupid in the description
...
[See #4774 ]
2015-02-17 13:04:26 -06:00
71c5f622ca
Land #4775 , Kindle Fire TV Stick controller
2015-02-17 12:59:54 -06:00
053de8e62c
Fix whitespace in author name
...
[See #4777 ]
2015-02-17 12:57:36 -06:00
14e764ff5a
Move to http subdirectory
...
After all, the wordpress scanners are all HTTP as well, and not under
some platform specific "wordpress" directory. Lots of other HTTP-ish
devices in there as well.
2015-02-17 12:53:18 -06:00
5e07b01a1f
Fix up description a tiny bit
2015-02-17 12:51:55 -06:00
45b16c92b7
Prefer sleep
...
It's all the same, anyway.
2015-02-17 12:43:14 -06:00
787deb4b23
Change service name to something more appropriate
...
Technically, it's part of DIAL, but we don't want to confuse the user
even more.
2015-02-17 12:41:31 -06:00
b90639fd66
Land #4726 , X360 Software actvx buffer overflow
2015-02-17 11:41:23 -06:00
8e50baaded
Land #4771 , userPrincipalName fix
...
Lands Meatballs1's PR to add userPrincipalName as a column
enumerated by the enum_ad_user* post modules.
2015-02-17 11:31:15 -06:00
666b8e3e72
Add timeout to connection handler
2015-02-17 17:27:03 +00:00
728cfafe4d
cleanups
2015-02-17 17:27:03 +00:00
e4bab60007
Generic HTTP DLL Injection Exploit Module
...
This is an example implementation of using the
Msf::Exploit::Remote::SMBFileServer module to perform
arbitrary DLL injection over SMB.
2015-02-17 17:27:03 +00:00
c86caacf95
Merge branch 'master' into module-exploitsmbdllserver
...
Conflicts:
lib/msf/core/exploit/smb.rb
2015-02-17 17:16:09 +00:00
9f04e3bcf0
Merge branch 'master' into hp_dataprotector_dll_cmd_exec
2015-02-17 17:06:40 +00:00
afca27dae5
Merge branch 'master' into cve-2014-0094
2015-02-17 17:06:21 +00:00
214146beaa
Correct author attribution
2015-02-17 10:52:55 -06:00
e08206d192
Land #4768 , jvazquez-r7 reorganizes the SMB mixins
2015-02-17 10:36:19 -06:00
6370c99755
Avoid version numbers in titles
2015-02-17 10:28:56 -06:00
62a679ebb8
Avoid version numbers in titles
...
Usually, the versions are more of a range, and nearly always, the module
author never truly knows where the ranges are bounded. It's okay to
clarify in the description.
2015-02-17 10:26:40 -06:00
0597d2defb
Land #4560 , Massive Java RMI update
2015-02-17 10:07:07 -06:00
ecefad946e
Spellingz
2015-02-17 14:39:34 +00:00
b4e2a50a6a
Really fix the bug
...
App is so slow. :(
2015-02-17 06:10:32 -06:00
09239b37aa
Fix touchy YouTube app
...
It likes the previous video stopped before playing a new one.
2015-02-17 06:07:58 -06:00
76e3539434
Add Amazon Fire TV YouTube remote control
2015-02-17 05:44:04 -06:00
b3d301e960
Fix annoying double quotes
...
As much as I love them, the use here is inconsistent.
2015-02-17 05:12:28 -06:00
e16614abb9
Program a bit more defensively
...
Even though /setup/eureka_info should always be JSON...
2015-02-17 05:04:26 -06:00
ea4dd023ae
Add SSID to report_service info
2015-02-17 04:46:11 -06:00
e5d6af6b23
Gather info from /setup/eureka_info
...
Looks better with SSID.
2015-02-17 04:37:16 -06:00
b6f83937ef
Add chromecast_webserver scanner
2015-02-17 03:27:48 -06:00
19cd00e6d5
Fix cookit name split
2015-02-16 23:53:32 +07:00
6559b43f1e
EOL Spaces argh
2015-02-16 15:46:45 +00:00
12f2828829
Allow additional fields
2015-02-16 15:24:28 +00:00
b77aed1c56
UPN is optional, should use sAMAccountName
2015-02-16 15:08:09 +00:00
3a894a29de
Dont use magic values and use the userPrincipalName as the
...
username
2015-02-16 15:02:01 +00:00
e42bbcbcbb
Enum_ad modules should retrive userPrincipalName as it may differ
...
to the sAMAccountName value.
2015-02-16 14:03:15 +00:00
a44e858bd7
Fixed minor errors in F5 BigIP cookie disclosure module
2015-02-16 01:31:52 -05:00
73bac94fa8
Add Ultimate CSV Importer extract module
2015-02-15 15:27:27 +00:00
40c92f5fe3
Add URL reference
2015-02-14 13:09:37 +00:00
4dce589bbe
Add WordPress Holding Pattern file upload module
2015-02-14 12:54:03 +00:00
0158e94a18
Fix mixin usage
2015-02-13 17:18:51 -06:00
0372b08d83
Fix mixin usage on modules
2015-02-13 17:17:59 -06:00
fd441d2c5e
Fix #4764 , NameError unitialized constant Net::DNS in shodan_search
2015-02-13 14:40:23 -06:00
b197b98ab9
Land #4759 , fix ms09_067_excel_featheader
2015-02-13 13:25:15 -06:00
19144e143a
Fixed some errors in F5 BigIP cookie disclosure module
2015-02-13 03:29:23 -05:00
29163db7fc
Add CVE reference for ie_uxss_injection
2015-02-12 17:16:59 -06:00
3ae3d56caa
Land #4745 , fixes #4711 , BrowserAutoPwn failing due to getpeername
2015-02-12 16:51:09 -06:00
92422c7b9a
Save the output file on local_directory
2015-02-12 16:16:21 -06:00
55f57e0b9b
Land #4746 , WordPress photo-gallery exploit
2015-02-12 22:24:12 +01:00
bce7211f86
added url and randomize upload directory
2015-02-12 22:16:37 +01:00
05d2703a98
Explain why obfuscation is disabled
2015-02-12 14:00:01 -06:00
9b10cd5655
Land #4755 , @todb-r7's release fixes
2015-02-12 13:16:08 -06:00
d7fa06de06
Fix off-by-one whitespace
2015-02-12 13:12:13 -06:00
c156ed62a9
on, not of.
2015-02-12 12:56:53 -06:00
e35f603888
Comma fascism
2015-02-12 12:49:45 -06:00
d89eda65fa
Moar fixes, thanks @wvu-r7
...
See #4755
2015-02-12 12:46:38 -06:00
e78d08e20d
Fix up titles, descriptions
2015-02-12 12:11:40 -06:00
50c72125a4
::Errno::EINVAL, disable obfuscation, revoke ms14-064
2015-02-12 11:54:01 -06:00
155651e187
Make filename shorter
2015-02-12 11:45:51 -06:00
95bfe7a7de
Do minor cleanup
2015-02-12 11:45:51 -06:00
30f310321d
Added CVE reference
2015-02-12 11:45:51 -06:00
38ad960640
Add Maarch LetterBox file upload module
2015-02-12 11:45:51 -06:00
309159d876
Land #4753 , updated ms14_070_tcpip_ioctl info
2015-02-12 09:57:29 -06:00
8ab469d3bd
Update ms14-070 module information and references
2015-02-12 09:51:01 -05:00
02fe57e2a1
Bump out to April, 60ish days
2015-02-11 12:56:37 -06:00
fd11afff1a
Deprecate manage/pxexploit
...
modules/post/windows/manage/pxeexploit.rb
2015-02-11 12:39:10 -06:00
58b6b7519a
Deprecate server/pxexploit
...
modules/auxiliary/server/pxeexploit.rb
2015-02-11 12:38:38 -06:00
6294cbf4de
Fix manage/pxexploit datastore
2015-02-11 12:19:59 -06:00
b894050bba
Fix local/pxeexploit datastore
2015-02-11 12:19:56 -06:00
9e717084af
Fix server/pxexploit datastore
2015-02-11 12:19:39 -06:00
f99ef5c0f5
fix msftidy warnings about towelroot module
2015-02-11 11:17:44 -06:00
cb1efa3edd
Improved error handling, tidied up some code
2015-02-11 10:16:18 +00:00
80a086d5f6
Add WordPress Photo Gallery upload module
2015-02-11 01:03:51 +00:00
d23c9b552f
Trade MS12-004 for MS13-090 against Windows XP BrowserAutoPwn
2015-02-10 18:58:56 -06:00
b07ef333e9
Fix java_rmi_server include
2015-02-10 12:52:19 -06:00
29c68ef1ec
End fixing namespaces
2015-02-10 11:55:14 -06:00
1e8f98c285
Updated description, credit, and URL
2015-02-10 11:25:13 -06:00
1b89242a75
Add module for R7-2015-02
2015-02-10 11:03:46 -06:00
1f4fdb5d18
Update from master
2015-02-10 10:47:17 -06:00
5687028f09
Land #4671 , @earthquake's exploit for achat buffer overflow
2015-02-09 17:50:09 -06:00
6165d623ff
Change module filename
2015-02-09 17:39:55 -06:00
eb0741d7a7
Modify reference
2015-02-09 17:39:18 -06:00
0a42ac947a
Land #4737 , fix Socket Context usages
2015-02-09 17:34:03 -06:00
86f3bcad11
Do minor cleanup
2015-02-09 17:33:05 -06:00
7ee5fd9b32
Fix lotus_domino to use get_cookies correctly.
2015-02-09 17:29:44 -06:00
ac6879cfe1
proper payload encoding from now on
2015-02-09 23:36:35 +01:00
c7880ab4e1
hex strings related explanations
2015-02-09 23:21:38 +01:00
9891026d30
sleep changed to Rex::sleep
2015-02-09 22:33:41 +01:00
81cad064ea
Land #4724 , @wchen-r7's AllowWin32SEH's change on alpha encoders
2015-02-09 11:01:00 -06:00
af405eeb7d
Land #4287 , @timwr's exploit form CVS-2014-3153
2015-02-09 10:33:14 -06:00
831a1494ac
Keep default behavior for modules forcing Msf::Encoder::Type::AlphanumUpper
2015-02-08 18:29:25 -06:00
3e7e9ae99b
Keep default behavior for modules forcing Msf::Encoder::Type::AlphanumMixed
2015-02-08 18:22:11 -06:00
133ae4cd04
Land #4679 , Windows Post Gather File from raw NTFS.
2015-02-08 18:50:50 +00:00
69e53a46cb
Final tidyups, description etc
2015-02-08 18:49:17 +00:00
9518090b8b
Ignore some error conditions
2015-02-08 18:46:48 +00:00
cc4fc1aefa
use GetFileAttributesW and CreateFileW
2015-02-08 17:36:49 +01:00
1f7bee35b5
Land #4731 , fix fail_with message
2015-02-07 22:27:17 -06:00
a5b2e99136
Correct punctuation on outlook, too.
2015-02-07 22:26:14 -06:00
6d46182c2f
Land #4570 , @rastating 's module for wp-easycart
2015-02-07 23:42:23 +01:00
f2b834cebe
remove check because the vuln is unpatched
2015-02-07 23:38:44 +01:00
d2421a2d75
wrong version
2015-02-07 23:34:19 +01:00
56d2bc5adb
correct version number
2015-02-07 23:22:43 +01:00
1390c81420
Fix fail_with text
...
Fix fail_with text, when the target system is locked.
2015-02-07 21:20:24 +01:00
345d5c5c08
Update version numbers to reflect latest release
2015-02-07 19:09:16 +00:00
b1726fd609
Missing comma
2015-02-07 11:56:22 -06:00
8d982e3286
Pass the framework/module down into LoginScanner
2015-02-07 11:50:30 -06:00
358ab2590e
Small tidyup
2015-02-07 11:35:47 +00:00
87775c6ee4
Fix description
2015-02-06 23:55:27 -06:00
76387eebe0
Use File.open
2015-02-06 21:35:07 -06:00
1ea4a326c1
Land #4656 , @nanomebia's fixes for sugarcrm_unserialize_exec
2015-02-06 16:42:01 -06:00
e511f72ab4
Delete final check
...
* A session is the best proof of success
2015-02-06 16:34:34 -06:00
a543d957d4
Fix #4717 - Change AllowWin32SEH's default to false
...
This is patch to change AllowWin32SEH to false.
Root cause:
The truely intended behavior is that if the user doesn't set a
BufferRegister and the encoder is for Windows, the AllowWin32SEH
code should kick in.
The problem here is that msfencode and msfvenom handle the platform
information differently, so we get different results.
With msfencode, the platform information isn't passed when alpha_mixed
is used, so even if you're using the encoder for Win32, the encoder
doesn't actually know about this. But everything works out just fine
anyway because people don't actually rely on AllowWin32SEH.
With msfvenom, the platform information is passed, so the encoder
actually knows it's for Windows. The two conditions are met (regster
and platform), so AllowWin32SEH kicks in. However, the AllowWin32SEH
technique enforces the BufferRegister to ECX, and that there's no
GetPC, so by default this isn't going to work.
The solution:
We are actually better off with setting AllowWin32SEH to false, mainly
because the SEH technique is pretty much dead (congrats MSFT!). And we
want the GetPC routine by default.
If people want to use AllowWin32SEH routine, they can simply set
AllowWin32SEH to true to bring it right back. For example:
e = framework.encoders.create('x86/alpha_mixed')
e.datastore.import_options_from_hash({'AllowWin32SEH'=>true})
buf = e.encode("AAAA", nil, nil, ::Msf::Module::PlatformList.win32)
Or in msfvenom:
msfvenom -p windows/meterpreter/bind_tcp -e x86/alpha_mixed
AllowWin32SEH=true -f raw
Fix #4717
2015-02-06 12:38:04 -06:00
f6933ed02c
Add module for EDB-35948
2015-02-06 11:05:29 -06:00
036cb77dd0
Land #4709 , fixed up some datastore mangling
2015-02-05 21:22:38 -06:00
7e649a919c
This version will actually work.
2015-02-05 21:00:54 -06:00
3e0ce4a955
Fix datastore mangling with instance variables
...
See rapid7/metasploit-framework #4709
2015-02-05 20:37:18 -06:00
4e0a62cb3a
Land #4664 , MS14-070 Server 2003 tcpip.sys priv esc
2015-02-05 18:49:15 -05:00
a359fe9acc
Minor fixup on the ms14-070 module description
2015-02-05 18:41:58 -05:00
f8c81e601c
Land #4710 for real.
...
This isn't a proper merge commit. Will need to figure out what I did to
wang up the last landing -- I'm guessing I didn't fetch enough first.
This should fix #4710 .
2015-02-05 17:18:51 -06:00
0a587c9f5a
Land #4710 , really
...
Looks like my publish script ended up rebasing wchen-r7/aux_ie_uxss and
didn't catch the file rename correctly.
Conflicts:
modules/auxiliary/gather/ie_uxss_injection.rb
2015-02-05 17:13:53 -06:00
79e0ddadf6
Rename file again
2015-02-05 17:09:11 -06:00
97aa9f9dd2
Credit @joevennix
2015-02-05 17:09:11 -06:00
7585c625fa
Another update
...
Thanks @joevennix
2015-02-05 17:09:11 -06:00
12aadb3132
Another update
2015-02-05 17:09:10 -06:00
17f2d8048d
Another update
2015-02-05 17:09:10 -06:00
01252078ea
Use store_loot to store coookie
2015-02-05 17:09:10 -06:00
6fd38307e7
An update
2015-02-05 17:09:10 -06:00
727fc51c0b
Don't need this line
2015-02-05 17:09:10 -06:00
4924749b96
Try to make the filename more self explanatory
2015-02-05 17:09:09 -06:00
26af10c3b6
Change public ip option name and store cookie to db
2015-02-05 17:09:09 -06:00
bfa7b61663
Final
2015-02-05 17:09:09 -06:00
b90515ae5d
IE UXSS
2015-02-05 17:09:09 -06:00
970c5d115a
spellcheck
2015-02-05 22:08:39 +01:00
d16cc843b2
Correct disclosure date
2015-02-05 15:00:13 -06:00
0955e14dad
Final, really, I think
2015-02-05 14:59:24 -06:00
dc13446536
Forgot to comment ret instruction
2015-02-05 14:09:01 -05:00
578423501a
Another update
2015-02-05 13:08:33 -06:00
5a39ba32f6
Make the ret instruction for token stealing optional
2015-02-05 14:00:38 -05:00
dabc163076
Modify the shellcode stub to save the process
2015-02-05 13:54:52 -05:00
c633c710bc
Mostly caps/grammar/spelling, GoodRanking on MBAM
2015-02-05 12:36:47 -06:00
562063c4d5
Rename file again
2015-02-05 12:26:17 -06:00
80ebde4fe1
Credit @joevennix
2015-02-05 12:25:38 -06:00
27b8d1057f
Another update
...
Thanks @joevennix
2015-02-05 12:23:32 -06:00
988b54f594
Another update
2015-02-05 12:01:19 -06:00
53134aeb17
Another update
2015-02-05 11:46:38 -06:00
871c8aa8d0
Use store_loot to store coookie
2015-02-05 11:36:35 -06:00
dbe99014f2
An update
2015-02-05 11:29:52 -06:00
08d796c5e3
Don't need this line
2015-02-05 10:53:29 -06:00
d6fe077f79
Try to make the filename more self explanatory
2015-02-05 09:53:38 -06:00
ed6ee27896
Change public ip option name and store cookie to db
2015-02-05 09:48:45 -06:00
75c697c4dc
Final
2015-02-05 04:36:44 -06:00
1ccfb6cb43
IE UXSS
2015-02-05 03:03:28 -06:00
b43522a2b8
Fix scadapro_cmdexe datastore
2015-02-05 02:54:03 -06:00
a12d1244b9
Fix zenworks_helplauncher_exec datastore
2015-02-05 02:53:47 -06:00
148ffaf55f
Fix real_arcade_installerdlg datastore
2015-02-05 02:53:38 -06:00
a7156cf4a8
Fix zabbix_script_exec datastore
2015-02-05 02:53:22 -06:00
9c1487c944
Fix dns_fuzzer datastore
2015-02-05 02:53:14 -06:00
c22865fb71
Fix nexpose_xxe_file_read datastore
2015-02-05 02:53:00 -06:00
5b2eb986c9
Land #4678 Add post module to phish credentials
2015-02-04 23:43:02 -06:00
434bca0b27
Land #4613 , auxiliary/server/capture/smb credential creation
2015-02-04 22:45:36 -06:00
aebf5056ac
Dont compare a string to an integer
2015-02-04 16:55:43 -05:00
47d4acd91d
Land #4605 , Malwarebytes fake update exploit
2015-02-04 10:28:17 -06:00
fbf32669c6
Use single quote
2015-02-04 09:47:27 -06:00
de09559cc8
Change HTTP requests to succeed when going through HTTP proxies
2015-02-04 15:32:14 +01:00
c366e7777d
Delete ternary operators
2015-02-03 17:43:00 -06:00
c0e1440572
Land #4685 , @FireFart's module for Wordpress Platform Theme RCE
2015-02-03 17:35:59 -06:00
28f303d431
Decrease timeout
2015-02-03 17:33:29 -06:00
34717d166d
Fix typo
2015-02-03 17:12:54 -06:00
a1c157a4db
Land #4609 , @h0ng10's module for Wordpress Pixabay Images PHP Code Upload
2015-02-03 17:01:32 -06:00
eebee7c066
Do better session creation handling
2015-02-03 17:00:37 -06:00
4ca4fd1be2
Allow to provide the traversal depth
2015-02-03 16:38:40 -06:00
e62a5a4fff
Make the calling payload code easier
2015-02-03 16:23:04 -06:00
61cdb5dfc9
Change filename
2015-02-03 16:13:10 -06:00
82be43ea58
Do minor cleanup
2015-02-03 16:07:27 -06:00
82eeec0946
Delete comments
2015-02-03 15:25:52 -06:00
52616a069a
Add support for NTLMSSP
2015-02-03 15:25:02 -06:00
b5794db973
Spelling
2015-02-03 14:10:47 -06:00
edd5ec3b0d
Refactor and rename of @sgabe's module
...
Renamed because it's not just MBAM, and having malwarebytes in the name
is more memorable anyway.
This refactor's @sgabe's original module to prefer if/else over
unless/else, clearly labelling variables, and wrapping up discrete
functionality into specific methods, and adds an OSVDB and the original
discoverer's URL.
2015-02-03 14:08:25 -06:00
jvazquez-r7
sinn3r
dnkolegov
Spencer McIntyre
David Maloney
joev
William Vu
Jay Smith
HD Moore
rastating
Tod Beardsley
Matthew Hall
Brent Cook
Meatballs
Nikita Oleksov
Christian Mehlmauer
Balazs Bucsay
Bazin Danil
wez3
scriptjunkie
julianvilas