Commit Graph

22239 Commits (e1ca78e6c62b1366954aa4d31fdea17066fd7406)

Author SHA1 Message Date
Yorick Koster 6870a48c48 Code suggestion from @jvoisin 2017-05-02 16:41:06 +02:00
Joe Testa 012081eed2 Added support for ANY queries. Silently ignore unsupported queries instead of spamming stdout. 2017-05-01 17:28:56 -04:00
William Vu 03e4ee91c2
Correct Ghostscript 9.2.1 to 9.21 as per advisory 2017-05-01 16:23:14 -05:00
William Vu 41ef1a4e90
Land #8325, cmd/unix/reverse_ncat_ssl payload 2017-05-01 14:54:52 -05:00
C_Sto 772a16f4cd fix style 2017-05-02 00:55:57 +08:00
C_Sto 9e06c3f07e fix argument arrangement 2017-05-02 00:39:00 +08:00
C_Sto 5a2afbc364 Tidy payload 2017-05-01 21:38:34 +08:00
Yorick Koster 006ed42248 Added fix information
https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/0002
09.html
2017-05-01 09:01:14 +02:00
C_Sto cfa204b8e8 add reverse ncat ssl 2017-05-01 06:57:28 +08:00
reanar 0b62a6478a Modification for Travis (remove require msf/core, and self.class in register) 2017-04-30 17:05:11 +02:00
reanar 3f348150c6 Modification of description 2017-04-30 16:38:39 +02:00
reanar 52ec448511 Add WordPress Directory Traversal DoS Module 2017-04-30 15:03:48 +02:00
Yorick Koster 673dbdc4b9 Code review feedback from h00die 2017-04-29 20:37:39 +02:00
Yorick Koster fcf14212b4 Fixed disclosure date 2017-04-29 16:25:25 +02:00
Yorick Koster f9e7715adb Fixed formatting 2017-04-29 16:07:45 +02:00
Yorick Koster 1569d2cf8e MediaWiki SyntaxHighlight extension exploit module
This module exploits an option injection vulnerability in the SyntaxHighlight extension of MediaWiki. It tries to create & execute a PHP file in the document root. The USERNAME & PASSWORD options are only needed if the Wiki is configured as private.
2017-04-29 14:29:56 +02:00
Brandon Knight c4b3ba0d14 Actually removing msf/core this time... ><
Helps to actually remove the bits that were failing. Now with even more
removal of msf/core!
2017-04-28 21:42:06 -04:00
Brandon Knight ff263812fc Fix msftidy warnings
Remove explicitly loading msf/core and self.class from the register_
functions.
2017-04-28 21:26:53 -04:00
HD Moore afc804fa03 Quick Ghostscript module based on the public PoC 2017-04-28 09:56:52 -05:00
Brandon Knight f8fb03682a Fix issue in ps_wmi_exec and powershell staging
The staging function in the post/windows/powershell class was broken
in a previous commit as the definition for env_variable was removed and
env_prefix alone is now used. This caused an error to be thrown when
attempting to stage the payload. This changes the reference from
env_variable to env_prefix.

Additionally, the ps_wmi_exec module created a powershell script to be
run that was intended to be used with the EncodedCommand command line
option; however the script itself was never actually encoded. This
change passes the compressed script to the encode_script function to
resolve that issue.
2017-04-28 03:31:56 -04:00
itsmeroy2012 cd73bd137a Making use of while loop and solving StagerRetryWait issue 2017-04-27 11:50:13 +05:30
William Vu 1a402ed1d8 Add arch to smb_ms17_010 DOUBLEPULSAR detection 2017-04-26 20:59:13 -05:00
Brent Cook 037fdf854e move common json-rpc bits to a library 2017-04-26 18:08:08 -05:00
Brent Cook 480a0b4273 update payload sizes 2017-04-26 18:02:14 -05:00
Brent Cook a60e5789ed update mettle->meterpreter references in modules 2017-04-26 17:55:10 -05:00
Brent Cook 078ba66e5f remove unneeded msf/core requires 2017-04-26 17:17:20 -05:00
Brent Cook 353191992f move mettle payloads to meterpreter, add reverse_http/s stageless 2017-04-26 17:06:34 -05:00
Brent Cook f8792956ee fix one module for testing 2017-04-26 16:21:13 -05:00
Daniel Teixeira a3a4ba7605 Buffer Overflow on Dup Scout Enterprise v9.5.14 2017-04-26 15:19:00 +01:00
Spencer McIntyre da6c03d13f Fix function names to always be snake_case 2017-04-26 09:30:29 -04:00
William Vu bbee7f86b5
Land #8263, Mercurial SSH exec module 2017-04-26 01:38:01 -05:00
William Vu f60807113b Clean up module 2017-04-26 01:37:49 -05:00
Spencer McIntyre a3bcd20b26 Minor cleanups for multi-platform railgun 2017-04-25 17:45:07 -04:00
William Vu 5476f6066c
Land #8271, DOUBLEPULSAR detection for MS17-010 2017-04-25 16:31:39 -05:00
Craig Smith 4019a14865 The local HWBridge now does not print out status for each URI request per default. This can be enabled by setting verbose to true.
Signed-off-by: Craig Smith <agent.craig@gmail.com>
2017-04-24 20:42:03 -07:00
Craig Smith 5537348e28 Addes Statistics support from the API. When typing status in a hardware bridge it will also print packet statistics.
Signed-off-by: Craig Smith <agent.craig@gmail.com>
2017-04-24 20:42:03 -07:00
wchen-r7 320898697a
Land #8266, Add Buffer Overflow Exploit on Disk Sorter Enterprise 2017-04-24 17:17:30 -05:00
wchen-r7 1d86905fca
Land #8288, Minor changes to WiPG-1000 module 2017-04-24 17:09:25 -05:00
wchen-r7 e333cb65e5 Restore require 'msf/core' 2017-04-24 17:09:02 -05:00
wchen-r7 c573628e10 Fix header 2017-04-24 17:01:35 -05:00
wchen-r7 e775f9ccbd
Land #8259, Add post module to upload and execute a file 2017-04-24 17:00:55 -05:00
Matthias Brun d3aba846b9 Make minor changes 2017-04-24 23:35:36 +02:00
wchen-r7 5bbb4d755a
Land #8254, Add CVE-2017-0199 - Office Word HTA Module 2017-04-24 16:05:00 -05:00
wchen-r7 6029a9ee2b Use a built-in HTA server and update doc 2017-04-24 16:04:27 -05:00
zerosum0x0 55f01d3fc7 made the plugin less spammy with more vprintf 2017-04-24 13:33:05 -06:00
zerosum0x0 453ca6e3bf added OS printing on vulnerable systems 2017-04-24 13:20:44 -06:00
Daniel Teixeira 47898717c9 Minor documentation improvements
Space after ,
2017-04-24 14:47:25 +01:00
itsmeroy2012 bd2379784e Improved error handling for the python reverse_tcp payload
Handling all kinds of errors

Removing 'e'

Updating payload cached sizes

Updating payload cached sizes 2.0

Adding option to set retry time
2017-04-23 20:43:57 +05:30
zerosum0x0 a69aba0eab added XOR Key calculation 2017-04-22 23:54:30 -06:00
h00die 8e4c093a22 added version numbers 2017-04-22 09:45:55 -04:00
Spencer McIntyre ffe6d35b4d Add a module to dump network passwords from gnome 2017-04-21 16:17:18 -04:00
zerosum0x0 8a77bf7b60 removed wrong comments 2017-04-21 08:27:13 -06:00
Matthias Brun 714ada2b66 Inline execute_cmd function 2017-04-21 15:32:15 +02:00
zerosum0x0 9fab64c60e added references 2017-04-20 15:22:37 -06:00
zerosum0x0 dd12afd717
added DoublePulsar detection 2017-04-20 15:03:29 -06:00
Matthias Brun 8218f024e0 Add WiPG-1000 Command Injection module 2017-04-20 16:32:23 +02:00
Koen Riepe 55ab800f13
Minor code fixes. 2017-04-19 14:41:11 +02:00
DanielRTeixeira f1c51447c1 Add files via upload
Buffer Overflow on Disk Sorter Enterprise
2017-04-19 10:57:41 +01:00
Jonathan Claudius f5430e5c47
Revert Msf::Exploit::Remote::Tcp 2017-04-18 19:27:35 -04:00
Jonathan Claudius 9a870a623d
Make use of Msf::Exploit::Remote::Tcp 2017-04-18 19:17:48 -04:00
Jonathan Claudius 03e3065706
Fix MSF tidy issues 2017-04-18 18:56:42 -04:00
Jonathan Claudius 32f0b57091
Fix new line issues 2017-04-18 18:52:53 -04:00
James Lee bdeeb8ee1d
Add a check 2017-04-18 16:32:06 -05:00
William Vu 3b38d0d900
Land #8262, PR ref for huawei_hg532n_cmdinject 2017-04-18 16:29:13 -05:00
Jonathan Claudius bfca4da9b0
Add mercurial ssh exec 2017-04-18 16:33:23 -04:00
Tod Beardsley 1fcc1f7417
Trailing comma. Why isn't this Lua? 2017-04-18 14:27:44 -05:00
wchen-r7 0428e12b10
Land #8216, Add CVE-2016-7552/CVE-2016-7547 exploit 2017-04-18 14:26:55 -05:00
Tod Beardsley 4ec71f9272
Add a reference to the original PR
This was the source of first public disclosure, so may as well include
it.
2017-04-18 14:20:25 -05:00
James Lee 84dd5cd01a
Add a simple upload exec module 2017-04-17 19:34:21 -05:00
Nate Caroe 92e7183a74 Small typo fix
Running msfconsole would generate an Ubuntu crash report (?). This seems to be the culprit.
2017-04-17 11:14:51 -06:00
William Vu 942959f7e8
Land #8255, fixes for smb_ms17_010 2017-04-17 11:38:34 -05:00
Brent Cook 7b936b0012
Land #8184, convert IPMI protocol and modules to bindata 2017-04-17 07:40:15 -05:00
Brent Cook 6f70efcfa1 add module documentation 2017-04-17 07:39:43 -05:00
William Vu b1c7f1302b Fix report_vuln and prefer vprint_error 2017-04-17 02:48:56 -05:00
Ahmed S. Darwish e21504b22d huawei_hg532n_cmdinject: Use send_request_cgi() 'vars_get' key
Instead of rolling our own GET parameters implementation.

Thanks @wvu-r7!
2017-04-17 09:11:50 +02:00
nixawk 3d082814cb Fix default options 2017-04-17 01:09:48 -05:00
Ahmed S. Darwish 7daec53106 huawei_hg532n_cmdinject: Improve overall documentation
- Add section on compiling custom binaries for the device
- Add documentation for Huawei's wget flavor (thanks @h00die)
- Abridge the module's info hash contents (thanks @wwebb-r7)
- Abridge the module's comments; reference documentation (@h00die)
2017-04-17 08:00:51 +02:00
Ahmed S. Darwish 8a302463ab huawei_hg532n_cmdinject: Use minimum permissions for staged binary
Use u+rwx permissions only, instead of full 777, while staging the
wget binary to target. As suggested by @wvu-r7 and @busterb.
2017-04-17 03:27:57 +02:00
Ahmed S. Darwish 7ca7528cba huawei_hg532n_cmdinject: Spelling fixes suggested by @wvu-r7 2017-04-17 03:23:20 +02:00
Ahmed S. Darwish 7b8e5e5016 Add Huawei HG532n command injection exploit 2017-04-15 21:01:47 +02:00
Brent Cook 7950087804 Merge branch 'upstream-master' into land-8237- 2017-04-14 21:53:26 -05:00
nixawk fb001180c4 Fix generate_uri 2017-04-14 21:52:31 -05:00
nixawk 590816156f rename exp module 2017-04-14 21:32:48 -05:00
nixawk 1952529a87 Format Code 2017-04-14 21:30:26 -05:00
Brent Cook a9857eb1c2
Land #8099, Aux module to launch instances in AWS 2017-04-14 14:12:10 -05:00
Brent Cook 42122d2835
Land #8238, move SMB2 support back into smb_login, add simpler permissions checks 2017-04-14 14:06:46 -05:00
nixawk 8ab0b448fd CVE-2017-0199 exploit module 2017-04-14 13:22:59 -05:00
Brent Cook eb61241673
Land #8228, New mainframe privesc payload for z/OS 2017-04-14 13:19:41 -05:00
dmohanty-r7 d75f852d01
Land #8167, Add MS17-010 auxiliary detection module 2017-04-14 13:00:16 -05:00
David Maloney 91fb3ce6b8
collapse SMB2 support into smb_login
converge the SMB and SMB loginscanners so that
there is only one SMB loginscanner that supports both

MS-2636
2017-04-13 15:22:03 -05:00
David Maloney adeb4d10d7
smb2 login scanner admin check now working
we can now check for admin privs in the smb2
login scanner

MS-2636
2017-04-13 14:40:32 -05:00
William Webb 48560d29f3
remove keyscan_extract and modify calling modules 2017-04-13 10:42:28 -05:00
m0t 5e42dde6b6 msftidy clean up 2017-04-12 16:25:21 +01:00
Koen Riepe 9f289bdf52
Fixed error messages and some syntax. 2017-04-12 13:48:11 +02:00
William Webb c21d78b23b
Land #8186, Convert DNS Fuzzer to use bindata 2017-04-11 23:27:08 -05:00
bigendiansmalls fa8011fd07 New mainframe privesc payload for z/OS
This module performs a privilege escaltion on mainframe systems
runing z/OS and using RACF for their security manager.  A user
with any non-privileged credentials and the ability to write to
an apf authorized library can use this payload to add "root level"
privileges (e.g. SPECIAL / BPX.SUPERUSER) to their profile.
2017-04-11 15:04:44 -05:00
William Webb c867b7e228
Land #8204, Add Cambian ePMP SNMP Configuration download 2017-04-11 10:59:13 -05:00
mr_me 3c2dc68e9c improved description, no point repeating the same thing\! 2017-04-11 09:55:11 -05:00
mr_me c359e15de6 updated the print statement 2017-04-11 09:31:17 -05:00
mr_me 84ac9d905c improved the description of the module 2017-04-11 09:24:43 -05:00
m0t 374d7809b5 last fixes and tests 2017-04-11 09:48:57 +01:00
William Vu 288e384164
Land #8189, irssi password post gather module 2017-04-10 23:34:54 -05:00
Jonathan Claudius 96927b449c
Rework module to grab entire irssi configs 2017-04-11 00:02:40 -04:00
Jonathan Claudius 6a1531da34
Fix loot name attributes 2017-04-10 23:52:31 -04:00
Jonathan Claudius d92f94e077
Fix grammar issue 2017-04-10 23:44:18 -04:00
Jonathan Claudius d9e96a8b4f
Consolidate loot into single file 2017-04-10 23:42:50 -04:00
Jonathan Claudius 7f6bbb6ff2
Fix trailing space issue 2017-04-10 21:38:30 -04:00
Jonathan Claudius 9432a3543f
Extend irssi post mod to grab network passwords 2017-04-10 15:35:26 -04:00
mr_me b1d127e689 satisfied travis 2017-04-10 14:11:18 -05:00
Jonathan Claudius 47d74819a5
Update regex per reviewer request 2017-04-10 14:45:10 -04:00
Jonathan Claudius d816092c56
Fix missing new line 2017-04-10 14:41:25 -04:00
mr_me 0f07875a2d added CVE-2016-7552/CVE-2016-7547 exploit 2017-04-10 13:32:58 -05:00
William Vu 06ca406d18 Fix weird whitespace 2017-04-09 22:23:58 -05:00
zerosum0x0 f7c8bd2464 add rescue for ::Rex::Proto::SMB::Exceptions::LoginError 2017-04-07 15:37:56 -06:00
juushya 3c189f0cb0 Adding Cambium SNMP Loot module 2017-04-07 01:32:45 +05:30
Christian Mehlmauer 74dc7e478f
update piwik module 2017-04-05 20:19:07 +02:00
m0t 9a0789f839 Exploit for pmmasterd Buffer Overflow (CVE-2017-6553) 2017-04-05 17:59:54 +01:00
bwatters-r7 dd5a91f153
Land #8008, Added archmigrate module for windows sessions 2017-04-05 08:55:27 -05:00
Koen Riepe 08b2a97293
Changed styling to be more in line with rubocop. 2017-04-05 10:05:56 +02:00
Jonathan Claudius b8af7c1db0
Add irssi password post gather module 2017-04-05 00:56:24 -04:00
bwatters-r7 64c06a512e
Land #8020, ntfs-3g local privilege escalation 2017-04-04 09:48:15 -05:00
Brent Cook 891e7e465e convert DNS fuzzer to bindata 2017-04-04 03:03:32 -05:00
Brent Cook 46c7e822c8 convert IPMI protocol and modules to bindata 2017-04-04 02:44:17 -05:00
Christian Mehlmauer 30c4a665f4
update iis exploit 2017-04-03 20:06:16 +02:00
Brent Cook 98ffa4d380
Land #7652, add varnish cache CLI authentication scanner module 2017-04-02 21:52:45 -05:00
Brent Cook 4c0539d129
Land #8178, Add support for non-Ruby modules 2017-04-02 21:02:37 -05:00
h00die a34c01ebd2
Land #8137 shodan honeyscore module 2017-04-02 21:37:36 -04:00
h00die 0092818893
Land #8169 add exploit rank where missing 2017-04-02 20:59:25 -04:00
Bryan Chu 151ed16c02 Re-ranking files
../exec_shellcode.rb
Rank Great -> Excellent

../cfme_manageiq_evm_upload_exec.rb
Rank Great -> Excellent

../hp_smhstart.rb
Rank Average -> Normal
2017-04-02 18:33:46 -04:00
zerosum0x0 26fc6bc920 added report_vuln() 2017-04-01 21:48:19 -06:00
h00die e80b8cb373 move sploit.c out to data folder 2017-03-31 20:51:33 -04:00
William Webb 035f37cf42
Land #8144, Add Moxa Device Discovery Scanner Module 2017-03-31 19:11:27 -05:00
William Webb f870f94fa9
Land #8163, Add Cambium ePMP Arbitrary Command Execution 2017-03-31 19:06:19 -05:00
Adam Cammack 6910cb04dd
Add first exploit written in Python 2017-03-31 17:07:55 -05:00
h00die 823c1a6286 added more verifieds 2017-03-31 16:52:20 -04:00
h00die 23ac9214ea
land #8010 post gather module for tomcat creds 2017-03-31 16:15:55 -04:00
h00die 34a152dc76 handle no sysinfo from ssh_login 2017-03-31 16:15:16 -04:00
Pearce Barry ab4d86fd21
Land #8168, change description of alpha encoders 2017-03-31 11:37:12 -05:00
dmohanty-r7 1ce7bf3938
Land #8126, Add SolarWind LEM Default SSH Pass/RCE 2017-03-31 11:21:32 -05:00
dmohanty-r7 c445a1a85a
Wrap ssh.loop with begin/rescue 2017-03-31 11:16:10 -05:00
Koen Riepe 22b2215d2e
Fixed a typo causing bot to fail. 2017-03-31 16:40:21 +02:00
Koen Riepe 3a674b731c
Added error handling, added documentation and fixed some style issues. 2017-03-31 16:35:25 +02:00
Koen Riepe 628827cda9
Added some documentation and gracefull error handeling. 2017-03-31 12:45:30 +02:00
Koen Riepe df2a9a4af3
Added documentation file and implemented fixes for output and linux parsing. 2017-03-31 11:19:12 +02:00
Bryan Chu 5e31a32771 Add missing ranks
../exec_shellcode.rb
Rank = Great
This exploit is missing autodetection and version checks,
but should be ranked Great due to high number of possible targets

../cfme_manageiq_evm_upload_exec.rb
Rank = Great
This exploit implements a check to assess target availability,
and the vulnerability does not require any user action

../dlink_dcs_930l_authenticated_remote_command_execution
Rank = Excellent
Exploit utilizes command injection

../efw_chpasswd_exec
Rank = Excellent
Exploit utilizes command injection

../foreman_openstack_satellite_code_exec
Rank = Excellent
Exploit utilizes code injection

../nginx_chunked_size
Rank = Great
Exploit has explicit targets with nginx version auto-detection

../tp_link_sc2020n_authenticated_telnet_injection
Rank = Excellent
See dlink_dcs_930l_authenticated_remote_command_execution,
exploit uses OS Command Injection

../hp_smhstart
Rank = Average
Must be specific user to exploit, no autodetection,
specific versions only
2017-03-31 02:39:44 -04:00
Christian Mehlmauer 0a398a59c5
change description 2017-03-30 20:06:23 +02:00
bwatters-r7 6bcb9b523b
Land #8165, Fix x86 mettle shellcode 2017-03-30 11:45:11 -05:00
zerosum0x0 4bd50b0ad2 Merge branch 'ms17-010' of github.com:RiskSense-Ops/metasploit-framework into ms17-010 2017-03-30 10:10:08 -06:00
zerosum0x0 a125566fc7
removed unnecessary arguments 2017-03-30 10:09:31 -06:00
Pearce Barry a13d6a7810
Land #8166, Add new SMB LoginScanner using RubySMB for SMB1/SMB2 Support 2017-03-30 11:08:17 -05:00
Pearce Barry ac83ff7e48
Land #8155, Style fixes for HWBridge RF and a couple small bug fixes 2017-03-29 20:37:13 -05:00
zerosum0x0 ef7de6d49e added MSB to description, moved a print statement 2017-03-29 17:43:49 -06:00
Carter 4bdbdc0e00 Fix response parsing 2017-03-29 18:21:12 -05:00
zerosum0x0 68f5c0e663
removed a print statement 2017-03-29 16:24:59 -06:00
zerosum0x0 7e6b8b02b8
replaced magic constant with setup_count 2017-03-29 15:37:28 -06:00
zerosum0x0 9923c39799
removed superfluous status 2017-03-29 15:32:29 -06:00
zerosum0x0 f0a1e12a7e
small typos 2017-03-29 15:30:35 -06:00
bwatters-r7 691811af5a
Land #7994, Add Windows Gather DynaZIP Saved Password Extraction post module 2017-03-29 16:04:09 -05:00
zerosum0x0 ffa376c514
added MS17-010 auxiliary detection module 2017-03-29 14:33:02 -06:00
David Maloney a571bcdba4
update module description 2017-03-29 13:58:36 -05:00
David Maloney 418e371e35
add SMB2 login scanner and module
add smb2_login module backed by an smb2
LoginScanner class. This is a temporary alternative
to smb_login until ruby_smb catches up more on feature parity

MS-2557
2017-03-29 11:36:33 -05:00
Adam Cammack 2758010355
Fix x86 mettle shellcode 2017-03-28 17:59:13 -05:00
dmchell 8b3fe0ac06 Merge branch 'dmchell-cve-2017-7269' into iis_6_sc-dev 2017-03-28 19:33:37 +01:00
dmchell 697d3978af Update iis_webdav_scstoragepathfromurl.rb 2017-03-28 19:14:32 +01:00
Carter d7bed334b0 Add Metasploit header 2017-03-28 12:07:57 -05:00
Carter ebbed949c2 Get rid of double header 2017-03-28 12:05:44 -05:00
Carter d1c269e5e8 Update iis_webdav_scstoragepathfromurl.rb 2017-03-28 11:54:52 -05:00
Carter 4972b510d1 Use HttpClient instead of Tcp 2017-03-28 11:37:40 -05:00
Carter c203fa71d1 Create iis_webdav_scstoragepathfromurl.rb 2017-03-28 11:34:11 -05:00
dmchell ffdd5fb471 Update iis_webdav_scstoragepathfromurl.rb
converted to Msf::Exploit::Remote::HttpClient
2017-03-28 17:16:35 +01:00
dmchell ed90971489 Update iis_webdav_scstoragepathfromurl.rb 2017-03-28 16:16:51 +01:00
dmchell 1552cc4cac Update iis_webdav_scstoragepathfromurl.rb 2017-03-28 16:11:44 +01:00
dmchell b301a8d0c0 Update iis_webdav_scstoragepathfromurl.rb 2017-03-28 16:07:12 +01:00
dmchell 20a9b88eb6 Update and rename iis_webdav_ScStoragePathFromUrl.rb to iis_webdav_scstoragepathfromurl.rb 2017-03-28 15:53:18 +01:00
dmchell f7cecaf31e Update and rename cve-2017-7269.rb to iis_webdav_ScStoragePathFromUrl.rb 2017-03-28 15:47:20 +01:00
dmchell 9e8ec532a2 Create cve-2017-7269.rb
Exploit for cve-2017-7269.rb
2017-03-28 15:33:20 +01:00
juushya 30896d1fab Add Cambium ePMP Arbitrary Command Execution Module 2017-03-28 00:17:36 +05:30
William Webb 66a585ab41
Land #8050, Add Cambium ePMP System Hash Dumper 2017-03-27 12:08:53 -05:00
William Webb 935c59306b
Land #7897, Add Cambium ePMP 1000 Device Configuration file dumper 2017-03-27 12:05:11 -05:00
William Webb d705949b37
Land #7784, Cambium ePMP 1000 Login Scanner 2017-03-27 12:01:56 -05:00
Pearce Barry 31c03840bb
Style fixes for HWBridge RF and a couple small bug fixes
I should have tweaked these earlier, my bad.
2017-03-26 13:45:19 -05:00
juushya dd7cf39678 updated references 2017-03-25 12:31:08 +05:30
juushya 63d88c159a updated references 2017-03-25 12:27:38 +05:30
juushya fd5e25bcc2 restored version check 2017-03-25 12:08:00 +05:30
Javier Godinez 68e4b8a855 Updated user data param to load aggregator 2017-03-24 22:58:04 -07:00
Carter 82ebbfb9a7 Fix msftidy warnings 2017-03-24 23:12:48 -04:00
Carter 3e2173d4f9 Add key length check and remove mixin
Also add a reference to the original honeyscore website
2017-03-24 22:33:09 -04:00
Carter 581d523d5b Fix things from review 2017-03-24 21:22:23 -04:00
Pearce Barry 9db2e9fbcd
Land #8146, Add Default Secret & Deserialization Exploit for Github Enterprise 2017-03-24 14:38:47 -05:00
dmohanty-r7 92c0748447
Land #8102, Add a plugin to notify new sessions via SMS 2017-03-24 11:17:59 -05:00
William Webb e04f01ed6b
Land #7778, RCE on Netgear WNR2000v5 2017-03-23 15:34:16 -05:00
wchen-r7 3b062eb8d4 Update version info 2017-03-23 13:46:09 -05:00
wchen-r7 fdb52a6823 Avoid checking res.code to determine RCE success
Because it's not accurate
2017-03-23 13:39:45 -05:00
wchen-r7 39682d6385 Fix grammar 2017-03-23 13:23:30 -05:00
wchen-r7 ee21377d23 Credit Brent & Adam 2017-03-23 11:22:49 -05:00
wchen-r7 196a0b6ac4 Add Default Secret & Deserialization Exploit for Github Enterprise 2017-03-23 10:40:31 -05:00
Mehmet Ince d37966f1bb
Remove old file 2017-03-23 12:53:08 +03:00
Mehmet Ince 8a43a05c25
Change name of the module 2017-03-23 12:49:31 +03:00
Carter 8dd0f953b0 remove unnecessary require 2017-03-22 19:48:24 -04:00
Carter 420df11c44 Change up the way shodan is reached 2017-03-22 19:39:45 -04:00
bwatters-r7 a93aef8b7a
Land #8086, Add Module Logsign Remote Code Execution 2017-03-22 11:33:49 -05:00
Patrick DeSantis 2200c9faee Create moxa_discover.rb 2017-03-22 10:49:26 -04:00
Carter fa61d67761 Fix score comparison 2017-03-21 19:17:20 -04:00
Brent Cook 3af0f814c3
Land #8138, fix mettle UAF and add initial http/https transport support 2017-03-21 16:51:09 -05:00
William Vu 1a8e8402ae
Land #8113, SysGauge SMTP server validation sploit 2017-03-21 16:45:42 -05:00
Brent Cook 9542087642 bump mettle to 0.1.8 2017-03-21 16:45:25 -05:00
wchen-r7 d10b3da6ec
Land #8132, Support Python 2 & 3 for web_delivery 2017-03-21 13:48:27 -05:00
wchen-r7 6b3cfe0a98 Support both Python 2 and Python 3 in one line
Tested on:

* Python 2.7.13 on Windows
* Python 3.5.3 on Windows
2017-03-21 13:47:07 -05:00
Carter fef8ec10bc Fix author formatting 2017-03-21 13:23:41 -04:00
Carter d7640713df Add more checks and formatting 2017-03-21 13:23:06 -04:00
Carter 1f68a3bda6 Rename honeypot.rb to shodan_honeyscore.rb 2017-03-21 13:10:31 -04:00
James Lee 2e096be869
Remove debugging output 2017-03-21 11:26:02 -05:00
Carter 79c7b84f08 Create honeypot.rb 2017-03-21 11:15:12 -04:00
bwatters-r7 be41df6de0
Land #8036, Fix run_as_psh with domain accounts 2017-03-21 09:05:50 -05:00
Pearce Barry f397624a69
Land #7935, HWBridge RF transceiver extension 2017-03-21 06:12:32 -05:00
Brent Cook aa5e9cd702
Land #8058, Allow the http_payload stager to sleep before retry 2017-03-21 00:07:10 -05:00
Pearce Barry c4279a837a Minor formatting/spelling/verbiage changes. 2017-03-20 17:37:12 -05:00
Craig Smith 2fde287424 Initial patch for rftransceiver (RfCat / YardstickOne) 2017-03-20 17:36:16 -05:00
Pearce Barry 2acd941b16 Merge branch 'master' into dtc_fix 2017-03-20 14:10:01 -05:00
Craig Smith 0be6b8c905 Fixes #8022
Adds detection for ELM327 chips reporting CAN ERROR when vehicle is off.
Addes some enhanced UDS Error codes.
Cleaned up reporting from getvinfo if the vehicle is off or not connected.
2017-03-20 13:49:39 -05:00
Pearce Barry 06ebb22a8f
Land #8065, Zigbee Hardware Bridge Extension 2017-03-20 10:44:15 -05:00
Swiftb0y ffe77c484e fixed spacing 2017-03-20 16:37:35 +01:00
Swiftb0y e51063aa56 added the python3 syntax to the web_delivery script 2017-03-20 16:08:08 +01:00
h00die 7bcd53d87d
Land #8079, exploit and aux for dnaLims 2017-03-20 11:08:05 -04:00
h00die fd5345a869 updates per pr 2017-03-20 10:40:43 -04:00
h00die fe5167bf26 changes to file per pr 2017-03-20 10:16:42 -04:00
William Vu f9ecefe465
Land #8031, nil fixes for HWBridge 2017-03-19 22:37:28 -05:00
Brent Cook aa1e76f28e
Land #8128, ensure there is a response before deferencing 2017-03-19 22:17:31 -05:00
Brent Cook e2c6f959f4
Land #8129, s/colom/colon/g 2017-03-19 22:14:38 -05:00
Javier Godinez 534ca8c5cb fix: URL encoding userdata 2017-03-18 21:52:49 -07:00
Javier Godinez 26d344a0ef Initial checkin of launch instances module 2017-03-18 21:52:49 -07:00
Carter ae883d7f02 Update multi_meterpreter_inject.rb 2017-03-19 00:27:28 -04:00
Carter 661bf6e492 Update multi_meterpreter_inject.rb 2017-03-19 00:27:03 -04:00
Carter 93a6614ab3 Update multi_meterpreter_inject.rb 2017-03-19 00:25:46 -04:00
h00die f88a522bf5 fix #8121 2017-03-18 14:50:24 -04:00
h00die 06e6a973ce
land #7944 a scanner for Carlo Gavazzi energy meters 2017-03-18 10:35:43 -04:00
h00die 84e4b8d596
land #8115 which adds a CVE reference to IMSVA 2017-03-18 09:51:52 -04:00
alpiste 1d0024ee3c tools/modules/update_payload_cached_sizes.rb update 2017-03-17 20:58:41 -03:00
Pearce Barry d55b680394
Land #8088, Add some binaries to enum_protections 2017-03-17 17:14:59 -05:00
Mehmet Ince 6aa42dcf08
Add solarwinds default ssh user rce 2017-03-17 21:54:35 +03:00
William Webb 1180bd6ed7
Land #8037, priv_migrate improvements 2017-03-17 13:19:51 -05:00
Brent Cook 52cea93ea2 Merge remote-tracking branch 'upstream/master' into land-8118- 2017-03-17 12:39:30 -05:00
Brent Cook e67c83e92c
Land #8119, Updated rails_secret_deserialization to add '.' cookie regex 2017-03-17 12:34:25 -05:00
Brent Cook ea4ca7ecc5
Land #8116, Handle ::Errno::ECONNRESET in telnet_version 2017-03-17 12:32:02 -05:00
Pearce Barry 095a110e65
Code and doc tweaks (minor).
Only one behavior change in the scan loop of zstumbler.rb to, when doing a scan across all the channels, keep it from retrying channel 11 again one last time just before it exits.
2017-03-16 21:43:36 -05:00
William Vu db6bc6c784
Land #8100, msfcrawler improvements
Does anyone use this anymore??
2017-03-16 21:31:23 -05:00
Chris Higgins 7a12e446a0 Updated documentation and fixed module header. Whoops, copy/paste fail. 2017-03-16 21:28:24 -05:00
bwatters-r7 ab75794cd4
Land #8071, Add API to send an MMS message to mobile devices 2017-03-16 11:57:34 -05:00
Craig Smith 78586f0dc9 Fixed an extra space at the EOL 2017-03-16 09:22:01 -07:00
Dallas Kaman 80c33fc27f
adding '-' to rails deserialization regex for cookie matching 2017-03-16 10:54:32 -05:00
Thomas Reburn 59c7de671e
Updated rails_secret_deserialization to add '.' regex for cookie matching. 2017-03-16 10:45:43 -05:00
Chris Higgins f4bb1d6a37 Updated based on @wvu's comments 2017-03-15 19:15:12 -05:00
bwatters-r7 91a4657c36 Bumped the metasploit-payloads version and cache sizes with PR#8043 2017-03-15 19:02:21 -05:00
bwatters-r7 b2a7d18584 Update cached payload sizes 2017-03-15 18:43:48 -05:00
Mehmet Ince f706c4d7f6
Removing prefix 2017-03-16 00:49:55 +03:00
wchen-r7 a1d7748d82 Fix #8061, Handle ::Errno::ECONNRESET in telnet_version
Fix #8061
2017-03-15 16:33:37 -05:00
Mehmet Ince 60186f6046
Adding CVE number 2017-03-16 00:31:21 +03:00
wchen-r7 d4ee254057
Land #8076, Add Easy File Sharing FTP Server Version 3.6 traversal 2017-03-15 16:17:13 -05:00
wchen-r7 8afe6a9061 Update easy_file_sharing_ftp and add documentation 2017-03-15 16:14:41 -05:00
William Vu a0ba3f17e7
Land #8110, process migration by name fix 2017-03-15 15:52:54 -05:00
William Vu 456ddcebc0 Remove nil values that are default already
There are four lights!
2017-03-15 15:51:22 -05:00
Brent Cook 8995629037
Land #7061, allow chaining the service stub with other encoders 2017-03-15 13:56:09 -05:00
Brent Cook b65919e7b1
Land #7956, Add QNAP NAS/NVR administrator hash disclosure 2017-03-15 11:12:59 -05:00
William Vu 0a71e4a903 Update check with Exploit::CheckCode::Appears 2017-03-15 05:13:30 -05:00
William Vu 86d2217f4d Fix whitespace and clarify options 2017-03-15 04:27:30 -05:00
William Vu a0bff5c8c3 Bump RETRIES to 10
3 was a bit too low. I was using 10 and had more success with it.
2017-03-15 03:18:09 -05:00
Chris Higgins b3fbbbee34 Spelling is hard 2017-03-14 23:34:00 -05:00
Chris Higgins cc4f18e6c5 Add sysgauge_client_bof module and documentation 2017-03-14 23:29:19 -05:00
William Webb e96013cd0f
Land #7781, IBM Websphere Java Deserialization RCE 2017-03-14 17:21:18 -05:00
wchen-r7 cf8b4a78fa
Bring branch up to date with upstream-master 2017-03-14 16:48:33 -05:00
Rich Whitcroft 04f11b0bf7 fix migrate by process name 2017-03-14 17:27:46 -04:00
wchen-r7 1736332638
Land #8103, Add CVE-2017-5638, Struts2 Content-Type OGNL injection 2017-03-14 16:10:49 -05:00
wchen-r7 9201f5039d Use vprint for check because of rules 2017-03-14 15:02:54 -05:00
James Lee f429b80c4e
Forgot to rm this when i combined 2017-03-14 12:18:11 -05:00
William Vu 01ea5262b8
Land #8070, msftidy vars_get fixes 2017-03-14 12:05:24 -05:00
William Vu 5c436f2867 Appease msftidy in tr064_ntpserver_cmdinject
Also s/"/'/g.
2017-03-14 11:52:21 -05:00
William Vu 5d6a159ba9 Use query instead of uri in mvpower_dvr_shell_exec
I should have caught this in #7987, @bcoles, but I forgot. Apologies.
This commit finishes what @itsmeroy2012 attempted to do in #8070.
2017-03-14 11:51:55 -05:00
itsmeroy2012 79331191be msftidy error updated 2.5 2017-03-14 22:02:59 +05:30
itsmeroy2012 67fc43a0a1 msftidy error updated 2.4 2017-03-14 21:33:53 +05:30
James Lee 53c9caa013
Allow native payloads 2017-03-13 20:10:02 -05:00
James Lee 2053b77b01
ARCH_CMD works 2017-03-13 18:37:50 -05:00
wchen-r7 bb4d6e17c8 Resolve #8026, Add a plugin to notify new sessions via SMS
This plugin will notify you of a new session via SMS.

It also changes the SMS text format to MIME.

Resolve #8026
2017-03-13 16:13:59 -05:00
itsmeroy2012 fe4e2306b4 Reverting one step 2017-03-13 22:22:24 +05:30
Jon P 665adec298 Patching storedb function (adding host/port/ssl for correct report_web_page) 2017-03-13 17:37:47 +01:00
wizard32 78ff7a8865 Module renamed
Renamed from websphere_java_deserialize.rb to ibm_websphere_java_deserialize.rb
2017-03-13 08:22:24 +02:00
William Vu 9f76b4d99c Change default RPORT to 443 with SSL
I never really tested port 80, so I wonder why I didn't change this.
Turns out 80 isn't even the vuln service. Welp. Hat tip @bcoles.
2017-03-12 21:03:31 -05:00
William Vu e7c920db44 Remove DEBEUG/print_debeug :( 2017-03-12 21:01:48 -05:00
William Vu d57b772ac9 Bump default RETRIES to 3 2017-03-12 21:00:38 -05:00
William Vu 8638f9ec7e Update freesshd_authbypass to use CmdStager fully 2017-03-11 19:59:39 -06:00
Pearce Barry 4e32c80e8e
Use the Msf::Exploit::CmdStager mixin. Fixes #8092. 2017-03-11 17:44:05 -06:00
William Vu fe4f20c0cc
Land #7968, NETGEAR R7000 exploit 2017-03-10 16:02:30 -06:00
dmohanty-r7 25bfa88c46
Land #7877, Add mDNS query spoofing service 2017-03-10 15:44:57 -06:00
itsmeroy2012 1c54e0ba94 msftidy error updated 2.2 2017-03-10 23:59:38 +05:30
itsmeroy2012 6d8789a56e Updated msftidy error 2.1 2017-03-10 23:03:37 +05:30
itsmeroy2012 c0f17cf6b8 msftidy error updated 2.0 2017-03-10 22:16:27 +05:30
jvoisin 84b9449137 Add some binaries to enum_protections
- gradm2 for grsec
- aa-status for apparmor
- getenforce for setlinux
2017-03-10 14:16:58 +01:00
Mehmet Ince f6bac3ae31
Add iso link to md file and change CheckCode code 2017-03-10 13:00:49 +03:00
James Lee e7b65587b4
Move to a more descriptive name 2017-03-09 14:19:06 -06:00
James Lee e07d5332de Don't step on the payload accessor 2017-03-09 13:54:00 -06:00
James Lee d92ffe2d51 Grab the os.name when checking 2017-03-09 13:52:58 -06:00