Commit Graph

8995 Commits (e9841b216cc3e3986c83cc573628f2c0ad7da948)

Author SHA1 Message Date
m-1-k-3 2b4d6eb455 feedback included, server header check 2013-03-29 21:30:45 +01:00
m-1-k-3 b6a50da394 feedback included, server header check 2013-03-29 21:20:51 +01:00
m-1-k-3 c5e358c9c3 compatible payloads 2013-03-29 20:54:35 +01:00
jvazquez-r7 714fc83cfe Merge branch 'Ra1NX_pubcall' of https://github.com/bwall/metasploit-framework into bwall-Ra1NX_pubcall 2013-03-29 19:58:06 +01:00
m-1-k-3 0164cc34be msftidy, generate exe, register_file_for_cleanup 2013-03-29 19:00:04 +01:00
bwall 21ea1c9ed4 Merge branch 'Ra1NX_pubcall' of https://github.com/bwall/metasploit-framework into Ra1NX_pubcall 2013-03-29 13:29:38 -04:00
bwall 10d9e86b42 Renamed file to be all lower case 2013-03-29 13:29:05 -04:00
jvazquez-r7 c55a3870a8 cleanup for hp_system_management 2013-03-29 18:02:23 +01:00
m-1-k-3 cfeddf3f34 cmd payload working, most feedback included 2013-03-29 14:43:48 +01:00
jvazquez-r7 cd1820d769 trying to solve irc comm issues 2013-03-29 12:54:57 +01:00
bwall 6cf44d9c85 added a 3 message window for receiving the check response 2013-03-28 21:14:52 -04:00
James Lee 9086c53751 Not an HttpClient, so doesn't have normalize_uri
[FixRM #7851]
2013-03-28 13:16:21 -05:00
nmonkee eee702a329 vprint_status changed to vprint_error as requested 2013-03-28 14:23:21 +00:00
nmonkee e2212ca8c9 vprint_status changed to vprint_error as requested 2013-03-28 14:22:01 +00:00
jvazquez-r7 29ad9939e1 cleanup for stunshell_eval 2013-03-28 15:11:20 +01:00
jvazquez-r7 514aed404c Merge branch 'STUNSHELL_eval' of https://github.com/bwall/metasploit-framework into bwall-STUNSHELL_eval 2013-03-28 15:10:57 +01:00
jvazquez-r7 9b18eb858b cleanup for stunshell_exec 2013-03-28 14:45:51 +01:00
jvazquez-r7 a7a5569725 Merge branch 'STUNSHELL_exec' of https://github.com/bwall/metasploit-framework into bwall-STUNSHELL_exec 2013-03-28 14:45:28 +01:00
agix 4a683ec9a4 Fix msftidy WARNING 2013-03-28 13:36:35 +01:00
agix 139926a25b Fix msftidy Warning 2013-03-28 13:22:26 +01:00
agix eec386de60 fail in git usage... sorry 2013-03-28 12:05:49 +01:00
agix 4bcadaabc1 hp system management homepage DataValidation?iprange buffer overflow 2013-03-28 12:00:17 +01:00
agix 69fb465293 Put gadgets in Target 2013-03-28 11:15:13 +01:00
agix dee5835eab Create mongod_native_helper.rb
metasploit exploit module for CVE-2013-1892
2013-03-28 03:10:38 +01:00
bwall ce9f11aeb3 Changed the targets to be more specific 2013-03-27 17:22:29 -04:00
bwall f14d5ba8ec Removed extra comma 2013-03-27 17:15:34 -04:00
bwall 2a60ef2d60 Renamed and fixed some code issues 2013-03-27 17:14:41 -04:00
bwall cc92b54e83 Moved module and cleaned code 2013-03-27 17:03:18 -04:00
bwall 76fb6ff48f Updated ranking 2013-03-27 16:41:35 -04:00
jvazquez-r7 e25a06c649 delete comma 2013-03-27 21:33:58 +01:00
jvazquez-r7 276e8f647b Merge branch 'v0pCr3w' of https://github.com/bwall/metasploit-framework into bwall-v0pCr3w 2013-03-27 21:33:34 +01:00
jvazquez-r7 5fc5a4f429 use target_uri 2013-03-27 20:45:34 +01:00
jvazquez-r7 f29cfbf393 cleanup for v0pCr3w_exec 2013-03-27 20:38:11 +01:00
bwall fd302d62b8 Removed testing code 2013-03-27 12:50:42 -04:00
m-1-k-3 dfd451f875 make msftidy happy 2013-03-27 17:46:02 +01:00
sinn3r 951f95db05 Merge branch 'java_cmm' of github.com:jvazquez-r7/metasploit-framework into jvazquez-r7-java_cmm 2013-03-27 11:41:46 -05:00
jvazquez-r7 0109d81c95 fix typo 2013-03-27 17:39:18 +01:00
m-1-k-3 e042fd3697 first test of e1500 down and exec exploit 2013-03-27 17:09:17 +01:00
jvazquez-r7 353f02cdcc move word_unc_injector to gather dir 2013-03-27 16:23:19 +01:00
jvazquez-r7 ed23fe6502 Merge branch 'post-word_unc_injector.rb' of https://github.com/SphaZ/metasploit-framework into SphaZ-post-word_unc_injector.rb 2013-03-27 16:21:54 +01:00
m-1-k-3 aa981cc991 DIR-645 also working 2013-03-27 12:11:14 +01:00
jvazquez-r7 ef11a584f4 work on word_unc_injector 2013-03-27 11:17:29 +01:00
m-1-k-3 615aa57399 Dlink DIR615 HW rev B login module 2013-03-27 09:26:23 +01:00
m-1-k-3 680b551215 default to user admin 2013-03-27 08:59:19 +01:00
m-1-k-3 032214fb1d default to user admin 2013-03-27 08:49:04 +01:00
jvazquez-r7 c225d8244e Added module for CVE-2013-1493 2013-03-26 22:30:18 +01:00
m-1-k-3 e1a719a6c0 http login module for DLink DIR300revB, DIR600revB, DIR815 2013-03-26 20:57:24 +01:00
m-1-k-3 c4fe21865c user fix 2013-03-26 20:15:19 +01:00
jvazquez-r7 1d95abc458 cleanup for joomla_comjce_imgmanager 2013-03-26 12:02:39 +01:00
jvazquez-r7 9b3bbd577f module moved to unix webapps 2013-03-26 12:02:08 +01:00
jvazquez-r7 c4fcf85af2 Merge branch 'heyder-joomla' of https://github.com/heyder/metasploit-framework into heyder-heyder-joomla 2013-03-26 12:01:46 +01:00
bwall a5346240de Updated v0pCr3w_exec to use send_request_cgi 2013-03-26 01:33:30 -04:00
heyder 014c01099e improve cleanup 2013-03-26 02:22:10 -03:00
nmonkee 121c75f646 vprint_status mod 2013-03-25 20:18:14 +00:00
nmonkee da6a99defb vprint_status mod 2013-03-25 20:16:11 +00:00
jvazquez-r7 9717a8c3b4 cleanup for tplink_traversal_noauth 2013-03-25 19:20:18 +01:00
jvazquez-r7 543b401a55 Merge branch 'tplink-traversal' of https://github.com/m-1-k-3/metasploit-framework into m-1-k-3-tplink-traversal 2013-03-25 19:18:53 +01:00
sinn3r dcce23d23d Merge branch 'bugs/tomcat_enum-double_check' of github.com:neinwechter/metasploit-framework into neinwechter-bugs/tomcat_enum-double_check 2013-03-25 12:19:52 -05:00
nmonkee 01ee30e389 PFL_CHECK_OS_FILE_EXISTENCE (file existence and SMB relay) 2013-03-25 17:11:23 +00:00
jvazquez-r7 fdd06c923a cleanup for dlink_dir_645_password_extractor 2013-03-25 18:04:12 +01:00
jvazquez-r7 a9a5a3f64f Merge branch 'dlink-dir645-password-extractor' of https://github.com/m-1-k-3/metasploit-framework into m-1-k-3-dlink-dir645-password-extractor 2013-03-25 18:02:51 +01:00
Nathan Einwechter aad0eed485 Fix whitespace EOL 2013-03-25 13:00:37 -04:00
nmonkee 5be98593a9 RZL_READ_DIR_LOCAL (directory listing and SMB relay) 2013-03-25 16:59:37 +00:00
Nathan Einwechter 3f79b2fd3b Use :abort for scanner mixin 2013-03-25 12:59:18 -04:00
sinn3r 56c07211a0 Merge branch 'actfax_raw_bof' of github.com:jvazquez-r7/metasploit-framework into jvazquez-r7-actfax_raw_bof 2013-03-25 11:56:15 -05:00
sinn3r 47e3d7de59 Merge branch 'bugs/RM7108-adobe_flash_mp4_cprt-add_resource_issue' of github.com:neinwechter/metasploit-framework into neinwechter-bugs/RM7108-adobe_flash_mp4_cprt-add_resource_issue 2013-03-25 11:46:37 -05:00
sinn3r 0d56da0511 Merge branch 'netgear-sph200d' of github.com:m-1-k-3/metasploit-framework into m-1-k-3-netgear-sph200d 2013-03-25 11:45:40 -05:00
sinn3r f4c04503d2 Merge branch 'master' of github.com:rapid7/metasploit-framework 2013-03-25 11:38:08 -05:00
Nathan Einwechter 99fe2a33d7 Deregister USER_AS_PASS and stop on connect error 2013-03-25 12:35:52 -04:00
jvazquez-r7 53b862300e cleanup for linksys_e1500_traversal 2013-03-25 17:33:38 +01:00
jvazquez-r7 ea804d433e change file name 2013-03-25 17:33:16 +01:00
jvazquez-r7 660d3d5388 Merge branch 'linksys-traversal' of https://github.com/m-1-k-3/metasploit-framework into m-1-k-3-linksys-traversal 2013-03-25 17:31:11 +01:00
m-1-k-3 e57498190b dlink dir 300/600 login module - initial commit 2013-03-25 08:48:24 +01:00
bwall 5218831167 Added license information and tidied up the code 2013-03-25 00:05:31 -04:00
bwall e98a463de2 Added license information and tidied up code 2013-03-25 00:04:39 -04:00
bwall e37fa3b40a Added license information and tidied up code 2013-03-25 00:03:32 -04:00
bwall 6be88224bf Added the license information and tidied up 2013-03-25 00:01:20 -04:00
heyder 0c169f94eb correct some bad indent 2013-03-24 21:07:51 -03:00
jvazquez-r7 d54687cb37 fix typo 2013-03-25 00:58:47 +01:00
jvazquez-r7 26b43d9ed2 Added module for ZDI-13-050 2013-03-25 00:54:30 +01:00
heyder 50ac5cf247 Adjust payload size and others code adjustments 2013-03-24 20:25:29 -03:00
m-1-k-3 98ac6e8090 feedback included 2013-03-24 21:01:30 +01:00
bwall 7e0b0ac092 Added STUNSHELL webshell remote command execution module 2013-03-24 15:18:08 -04:00
bwall b23d259485 Added STUNSHELL webshell remote code evaluation[PHP] module 2013-03-24 15:16:45 -04:00
bwall bbcf21ee24 Added v0pCr3w webshell remote command execution module 2013-03-24 15:13:42 -04:00
bwall ca6ab7c8c2 Added Ra1NX pubcall authentication bypass exploit module 2013-03-24 14:59:27 -04:00
m-1-k-3 d90de54891 reporting and feedback 2013-03-24 15:00:18 +01:00
m-1-k-3 9f8ec37060 store loot 2013-03-24 11:48:49 +01:00
m-1-k-3 71708c4bc3 dir 645 password extractor - initial commit 2013-03-24 11:44:24 +01:00
jvazquez-r7 49ac3ac1a3 cleanup for linksys_e1500_e2500_exec 2013-03-23 23:30:49 +01:00
jvazquez-r7 98be5d97b8 Merge branch 'linksys-e1500-e2500-exec' of https://github.com/m-1-k-3/metasploit-framework into m-1-k-3-linksys-e1500-e2500-exec 2013-03-23 23:30:14 +01:00
m-1-k-3 b2bf1df098 fixed encoding and set telnetd as default cmd 2013-03-23 22:56:15 +01:00
m-1-k-3 7ff9c70e38 10 to 0 is good :) 2013-03-23 22:46:26 +01:00
m-1-k-3 47d458a294 replacement of the netgear-sph200d module 2013-03-23 22:40:32 +01:00
m-1-k-3 bd522a03e3 replace module to the scanner directory 2013-03-23 22:29:44 +01:00
m-1-k-3 b1ae2f7bf4 replace module to the scanner directory 2013-03-23 22:29:31 +01:00
m-1-k-3 8f59999f82 replace module to the scanner directory 2013-03-23 22:25:04 +01:00
m-1-k-3 f58554bb57 replace module to the scanner directory 2013-03-23 22:24:50 +01:00
m-1-k-3 965ec34368 check of the server on the first try 2013-03-23 22:13:01 +01:00
m-1-k-3 aacd14ae45 version removed, encode params removed 2013-03-23 21:31:08 +01:00
m-1-k-3 b01959ea70 tplink traversal - initial commit 2013-03-23 20:30:32 +01:00
m-1-k-3 36d1746c0d linksys traversal module - initial commit 2013-03-23 17:01:02 +01:00
m-1-k-3 270f64acc2 feedback included 2013-03-23 15:54:34 +01:00
heyder 5bee1471df many code adjustments 2013-03-22 23:07:08 -03:00
Nathan Einwechter 89c0e8c27e Fix add_resource call in adobe_flas_mp5_cprt 2013-03-22 19:27:02 -04:00
jvazquez-r7 6eaf995642 cleaning exploiting string 2013-03-22 21:48:02 +01:00
jvazquez-r7 fd63283524 make msftidy happy 2013-03-22 21:46:12 +01:00
sinn3r f22c18e026 Merge branch 'module-psexec_command-file_prefix' of github.com:kn0/metasploit-framework into kn0-module-psexec_command-file_prefix 2013-03-22 13:08:13 -05:00
sinn3r 11754f271a Merge branch 'mutiny_subnetmask_exec' of github.com:jvazquez-r7/metasploit-framework into jvazquez-r7-mutiny_subnetmask_exec 2013-03-22 13:05:16 -05:00
sinn3r 051e31c19f Merge branch 'kingview_kingmess_kvl' of github.com:jvazquez-r7/metasploit-framework into jvazquez-r7-kingview_kingmess_kvl 2013-03-22 13:00:38 -05:00
sinn3r dea48b459f Merge branch 'download_exec_shell' of github.com:jvazquez-r7/metasploit-framework into jvazquez-r7-download_exec_shell 2013-03-22 12:53:36 -05:00
Tod Beardsley d908050808 Merge epo_sql fix from neinwechter
Easy, sensible fix -- since report_auth_info uses full_user, print_good
should too.

[Closes #1629]
2013-03-22 11:22:24 -05:00
Nathan Einwechter 096ec9a5d7 Fix to print out correct/full username 2013-03-22 10:22:24 -04:00
heyder b5c65ad51b add Joomla Component JCE File Upload Code Execution 2013-03-22 10:41:35 -03:00
jvazquez-r7 bbff20fd65 cleanup for struts_code_exec_parameters 2013-03-21 22:17:47 +01:00
jvazquez-r7 50c6a98530 Merge branch 'struts-param-rce' of https://github.com/Console/metasploit-framework into Console-struts-param-rce 2013-03-21 22:17:20 +01:00
Console cbccda10ca fixing issue raised by @meatballs1 2013-03-21 20:58:40 +00:00
Console 302193f98b Various fixes and improvements
Chunk_length now varies according to targeturi and parameter
A few typographical inconsistencies corrected
CMD option removed as it's not being used
custom http request timeout removed
2013-03-21 19:03:39 +00:00
Console 8027615608 fixed comments left in by accident 2013-03-21 16:43:44 +00:00
Console 4edf5260f4 check function now tells user about delay 2013-03-21 16:40:45 +00:00
jvazquez-r7 f27333567f use bash or sh according to availability 2013-03-21 17:26:56 +01:00
jvazquez-r7 47ea8aea30 Merge branch 'download_exec_wget' of https://github.com/dougsko/metasploit-framework into dougsko-download_exec_wget 2013-03-21 17:09:20 +01:00
Console a714b430ca used normalize_uri 2013-03-21 14:05:08 +00:00
Console 5c9bec1552 commit fix branch for Console-struts-RCE 2013-03-21 13:40:16 +00:00
jvazquez-r7 370f849e29 cleanup for download_exec 2013-03-21 09:24:02 +01:00
Doug P 39b1ad8bd6 spacing cleanup 2013-03-21 00:21:10 -04:00
Doug P 837d426ff0 removed an extra space 2013-03-21 00:18:35 -04:00
Doug P 08029ca2e8 edited Description 2013-03-21 00:17:55 -04:00
Doug P edd85ccd69 added wget support 2013-03-21 00:09:22 -04:00
Tod Beardsley e149c8670b Unconflicting ruby_string method
Looks like the conflict was created by the msftidy fixes that happened
over on the master branch. No big deal after all.
2013-03-20 15:49:23 -05:00
m-1-k-3 dcd2aebdcd feedback included 2013-03-20 21:34:30 +01:00
SphaZ 804e2cfa3a small fixup of unused old vars 2013-03-20 21:31:28 +01:00
Tod Beardsley 011b6899b0 Merge 'neinwechter/browser_autopwn-updates'
Brings in neinwechter's BAP fixes. Seems to not only be a more sane
strategy, but in practice, ends up with tons more shells for at least
MSIE which is what most people are using it for anyway.

[Closes #1612]
2013-03-20 15:26:09 -05:00
SphaZ b275797ba2 Used msf file mixin where possible and more in memory handling 2013-03-20 21:25:07 +01:00
Tod Beardsley e377e30873 unscrewing syntax error 2013-03-20 15:04:31 -05:00
Tod Beardsley fd20eba35e Expanding the title and desc for external_ip
Also allowing the capitalization on "via" to be small.
2013-03-20 14:42:12 -05:00
jvazquez-r7 cd58a6e1a1 cleanup for nagios_nrpe_arguments 2013-03-20 19:22:48 +01:00
jvazquez-r7 072fca9f6c Merge branch 'post_linux_manage_download_exec' of https://github.com/jasbro/metasploit-framework into jasbro-post_linux_manage_download_exec 2013-03-20 18:02:51 +01:00
jvazquez-r7 54f22ed06c check if curl is on the path 2013-03-20 17:31:48 +01:00
Joshua Abraham 9948d1ec12 change from vcmd_exec to a method in the module 2013-03-19 20:40:25 -04:00
jvazquez-r7 26dec4eb8f last cleanup for sami_ftpd_list 2013-03-19 21:32:05 +01:00
jvazquez-r7 42efe5955b Merge branch 'osvdb-90815' of https://github.com/dougsko/metasploit-framework into dougsko-osvdb-90815 2013-03-19 21:31:46 +01:00
jvazquez-r7 b19c51aa81 cleanup for sami_ftpd_list 2013-03-19 19:04:14 +01:00
m-1-k-3 9fc0f9a927 initial commit 2013-03-19 17:31:01 +01:00
dougsko e2a9245b08 Changed target to Windows XP 2013-03-19 13:20:23 -03:00
sinn3r 0c0d15024a No tabs for these 2013-03-19 08:39:47 -05:00
sinn3r 07a3f15292 Merge branch 'coolpdf_image_stream_bof' of github.com:jvazquez-r7/metasploit-framework into jvazquez-r7-coolpdf_image_stream_bof 2013-03-19 08:38:30 -05:00
sinn3r 116f5b87f0 Merge branch 'axigen_file_access' of github.com:jvazquez-r7/metasploit-framework into jvazquez-r7-axigen_file_access 2013-03-19 08:33:58 -05:00
Joel Parish 21e9f7dbd2 Added module for CVE-2013-1362
Module exploits a shell code metacharacter escaping vulnerability in
poorly configured Nagios Remote Plugin Executor installations.
2013-03-19 01:43:46 -07:00
Matt Andreko fd5bd52e6d Added some error handling if the connection dies. 2013-03-18 17:26:40 -04:00
Matt Andreko 66dcbca562 Sysax Multi-Server SSHD DoS
This exploit affects Sysax Multi-Server version 6.10. It causes a
Denial of Service by sending a specially crafted Key Exchange, which
causes the service to crash.
2013-03-18 17:16:12 -04:00
dougsko fb90a1b497 Uses IP address length in offset calculation 2013-03-18 16:18:04 -03:00
jvazquez-r7 4aab1cc5df delete debug code 2013-03-18 16:28:39 +01:00
jvazquez-r7 dffec1cd41 added module for cve-2012-4914 2013-03-17 21:12:40 +01:00
Doug P 3d92d6e977 removed the handler call 2013-03-15 16:48:53 -04:00
Doug P a96283029e made payload size a little smaller 2013-03-15 16:08:43 -04:00
Doug P 8b5c782b54 changed Platform from Windows to win 2013-03-15 15:13:52 -04:00
Doug P 8f4b3d073a Explicitly set EXITFUNC to thread 2013-03-15 14:52:39 -04:00
Doug P e9af05a178 made recommended changes 2013-03-15 11:35:12 -04:00
Joshua Abraham 07d78af421 Linux post module to download and run a command 2013-03-15 10:13:56 -04:00
Doug P 4bb64a0f41 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-03-14 16:10:10 -04:00
Doug P bbbf395659 got everything working and cleaned up 2013-03-14 16:02:41 -04:00
jvazquez-r7 d8f46e3df4 Merge branch 'module/fb_cnct_target_214' of https://github.com/zeroSteiner/metasploit-framework into zeroSteiner-module/fb_cnct_target_214 2013-03-14 16:27:58 +01:00
jvazquez-r7 b86b70c31c Merge branch 'openpli-shell' of https://github.com/m-1-k-3/metasploit-framework into m-1-k-3-openpli-shell 2013-03-14 15:58:14 +01:00
jvazquez-r7 02f90b5bbd cleanup for dopewars 2013-03-14 15:53:19 +01:00
jvazquez-r7 4d9f2bbb06 Merge branch 'master' of https://github.com/dougsko/metasploit-framework into dougsko-master 2013-03-14 15:51:47 +01:00
jvazquez-r7 6ccfa0ec18 cleanup for dreambox_openpli_shell 2013-03-14 15:02:21 +01:00
jvazquez-r7 7403239de7 cleanup for psexec_ntdsgrab 2013-03-14 13:40:45 +01:00
jvazquez-r7 9ae2c8e718 Merge branch 'ntdsgrab4' of https://github.com/R3dy/metasploit-framework into R3dy-ntdsgrab4 2013-03-14 13:39:41 +01:00
m-1-k-3 9366e3fcc5 last adjustment 2013-03-14 11:18:52 +01:00
m-1-k-3 0140caf1f0 Merge branch 'master' of git://github.com/rapid7/metasploit-framework into openpli-shell 2013-03-14 10:55:52 +01:00
Trenton Ivey 97023413cb Added advanced option for temp filenames prefix 2013-03-14 01:50:52 -05:00
Royce Davis abbb3b248d methods that use @ip now reference it directly instead of being passed in as parameters 2013-03-13 19:35:53 -05:00
Royce Davis 462ffb78c1 Simplified copy_ntds & copy_sys check on line 91 2013-03-13 19:31:36 -05:00
Royce Davis 4e9af74763 All print statements now use #{peer} 2013-03-13 19:28:09 -05:00
Royce Davis edf2804bb5 Added simple.disconnect to end of cleanup_after method 2013-03-13 19:23:22 -05:00
Royce Davis 8eba71ebe2 Added simple.disconnect to end of download_sys_hive method 2013-03-13 19:20:58 -05:00
Doug P 1f7b2a8e9f minor edits 2013-03-13 17:48:37 -04:00
Doug P fa5c988110 got sami_ftpd_list.rb working 2013-03-13 17:27:02 -04:00
James Lee 2f11796dfa Fix typo
[SeeRM #7800]
2013-03-13 16:10:20 -05:00
jvazquez-r7 456e4449e5 definitely the free trial of 6.53 is also vulnerable 2013-03-13 20:29:07 +01:00
jvazquez-r7 5345af87f2 better description according to advisory 2013-03-13 20:25:13 +01:00
jvazquez-r7 5339c6f76e better target description according to advisory 2013-03-13 20:23:22 +01:00
jvazquez-r7 50083996ff better target description 2013-03-13 20:13:09 +01:00
jvazquez-r7 a2755820cb Added module for CVE-2012-4711 2013-03-13 20:07:58 +01:00
Spencer McIntyre 458ffc1f19 Add a target for Firebird 2.1.4.18393 2013-03-13 13:44:28 -04:00
jvazquez-r7 e5f7c08d6f Added module for CVE-2012-4940 2013-03-13 11:52:54 +01:00
Doug P 22133ba8ff removed version number 2013-03-12 16:36:14 -04:00
Doug P 70da739666 fixed errors in dopewars.rb shown by msftidy 2013-03-12 15:47:31 -04:00
doug b5c3161ceb Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-03-12 13:20:06 -04:00
Doug P c8c50a6407 cleaned up dopewars module 2013-03-12 12:56:12 -04:00
Royce Davis 9a970415bc Module uses store_loot now instead of logdir which has been removed 2013-03-11 20:05:23 -05:00
doug a199c397e4 ... 2013-03-11 17:09:17 -04:00
doug 4d6e19b40b small edits to dopewars.rb 2013-03-11 17:07:05 -04:00
James Lee 6da4c53191 Merge remote-tracking branch 'jvazquez-r7/netcat_gaping' into rapid7
[Closes #1576]
2013-03-11 16:02:49 -05:00
doug 0e607f8252 added dopewars module 2013-03-11 16:52:49 -04:00
jvazquez-r7 2684e6103c use of send_request_cgi 2013-03-11 20:36:47 +01:00
jvazquez-r7 9c89599737 cleanup before merge external_ip 2013-03-11 20:35:25 +01:00
jvazquez-r7 546e24a9c6 Merge branch 'external_ip_discovery' of https://github.com/sempervictus/metasploit-framework into sempervictus-external_ip_discovery 2013-03-11 20:35:07 +01:00
Royce Davis aa4cc11640 Removed Scanner class running as stand-alone single target module now 2013-03-11 13:39:47 -05:00
Tod Beardsley 2f95d083e8 Updating URL for Honeywell EBI exploit 2013-03-11 13:35:58 -05:00
Tod Beardsley 23972fbebc Merge branch 'release' 2013-03-11 13:08:30 -05:00
Tod Beardsley d81d9261e7 Adding Honeywell exploit. 2013-03-11 13:03:59 -05:00
jvazquez-r7 4852f1b9f7 modify exploits to be compatible with the new netcat payloads 2013-03-11 18:35:44 +01:00
jvazquez-r7 627e7f6277 avoiding grouping options 2013-03-11 18:26:03 +01:00
jvazquez-r7 f0cee29100 modified CommandDispatcher::Exploit to have the change into account 2013-03-11 18:08:46 +01:00
jvazquez-r7 c9268c3d54 original modules renamed 2013-03-11 18:04:22 +01:00
jvazquez-r7 074ea7dee4 Merge branch 'ssl' of https://github.com/luh2/metasploit-framework into luh2-ssl 2013-03-11 15:36:20 +01:00
Royce Davis a96753e9df Added licensing stuff at the top 2013-03-10 20:07:04 -05:00
Royce Davis bf9a2e4f52 Fixed module to use psexec mixin 2013-03-10 15:15:50 -05:00
Royce Davis 907983db4a updating with r7-msf 2013-03-10 14:19:20 -05:00
James Lee 2160718250 Fix file header comment
[See #1555]
2013-03-07 17:53:19 -06:00
RageLtMan 25f3f935c4 Apply Egypt's cleanup
Remove revision, raise the exception itself, remove scanner mixin,
datastore['RHOST'] instead of RHOSTS, and useless agent var removed.
2013-03-07 18:34:12 -05:00
jvazquez-r7 64398d2b60 deleting some commas 2013-03-07 21:34:51 +01:00
jvazquez-r7 ab44e3e643 cleanup for fb_cnct_group 2013-03-07 21:34:07 +01:00
jvazquez-r7 969490771f Merge branch 'module-fb_cnct_group' of https://github.com/zeroSteiner/metasploit-framework into zeroSteiner-module-fb_cnct_group 2013-03-07 21:33:33 +01:00
jvazquez-r7 c5e61f1e9d Merge branch 'msftidy_ssl_shells' of https://github.com/sempervictus/metasploit-framework into sempervictus-msftidy_ssl_shells 2013-03-07 20:47:11 +01:00
jvazquez-r7 25db782b03 change print location 2013-03-07 19:15:40 +01:00
jvazquez-r7 fdd7c375ad added linux native target 2013-03-07 19:12:25 +01:00
Spencer McIntyre 398d13e053 Initial commit of the Firebird CNCT Group Number Buffer Overflow. 2013-03-07 09:51:05 -05:00
jvazquez-r7 03f3b06ccb added module for cve-2012-3001 2013-03-07 14:23:13 +01:00
J.Townsend db1f4d7e1d added license info 2013-03-07 00:20:02 +00:00
J.Townsend e8c1899dc2 added license info 2013-03-07 00:18:32 +00:00
J.Townsend 3946cdf91e added license info 2013-03-07 00:17:55 +00:00
J.Townsend 1b493d0e4c added license info 2013-03-07 00:16:26 +00:00
J.Townsend 9e89d9608f added license info 2013-03-07 00:11:45 +00:00
J.Townsend 56639e7f15 added license info 2013-03-07 00:10:46 +00:00
RageLtMan 7f80692457 everyone will comply, resistance is futile 2013-03-06 18:38:14 -05:00
sinn3r b65f410048 Updates the description 2013-03-06 16:37:41 -06:00
RageLtMan dfe3a4f394 msftidy and module placement per todb 2013-03-06 17:36:01 -05:00
sinn3r fee07678dd Rename module to better describe the bug. 2013-03-06 16:33:41 -06:00
sinn3r 79d3597d31 That's not a real check... 2013-03-06 16:32:53 -06:00
sinn3r 16d7b625bc Format cleanup 2013-03-06 16:31:39 -06:00
sinn3r 7219c7b4aa Merge branch 'codesys_gateway_server_remote_execution.rb' of github.com:nahualito/metasploit-framework into nahualito-codesys_gateway_server_remote_execution.rb 2013-03-06 16:15:24 -06:00
Royce Davis 1d8c759a34 yeah 2013-03-06 16:01:36 -06:00
Enrique A. Sanchez Montellano aa5c9461ae Fixed more styling issues, EOL, tabs and headers 2013-03-06 10:50:31 -08:00
Enrique A. Sanchez Montellano 437d6d6ba6 Fixed EOL, bad indent, added header, removed #!/usr/env/ruby 2013-03-06 10:44:29 -08:00
sinn3r af9982e289 Merge branch 'codesys_gateway_server_remote_execution.rb' of github.com:nahualito/metasploit-framework into nahualito-codesys_gateway_server_remote_execution.rb 2013-03-06 12:11:58 -06:00
Enrique A. Sanchez Montellano aa3a54fba0 Added CoDeSyS Gateway.exe Server remote execution via arbitrary file creation 2013-03-06 09:29:28 -08:00
RageLtMan 225b15f7f3 Add external IP discovery module
This module performs an HTTP request to ifconfig.me/ip.
The body of the response contains the publicly routable IP from
which the request originated. This can be useful in discovering
routes on pivoted hosts and initial recon as a simple aux module.
2013-03-05 23:42:31 -05:00
James Lee ca43900a7c Merge remote-tracking branch 'R3dy/psexec-mixin2' into rapid7 2013-03-05 16:34:11 -06:00
jvazquez-r7 781132b1cf cleanup for openssl_aesni 2013-03-05 22:41:16 +01:00
jvazquez-r7 784c075986 Merge branch 'module-cve-2012-2686' of https://github.com/ettisan/metasploit-framework into ettisan-module-cve-2012-2686 2013-03-05 22:40:46 +01:00
James Lee 27727df415 Merge branch 'R3dy-psexec-mixin2' into rapid7 2013-03-05 14:36:55 -06:00
James Lee a74b576a0f Merge branch 'rapid7' into rsmudge-authproxyhttpstager 2013-03-04 17:50:48 -06:00
James Lee c0689a7d43 Merge branch 'master' of github.com:rapid7/metasploit-framework into rapid7 2013-03-04 12:14:33 -06:00
Wolfgang Ettlinger 867875b445 Beautified OpenSSL-AESNI module
Modified the CVE-2012-2686 module to follow
suggestions by @jvazquez-r7:
* Added description for all fields in the
  SSL packets
* MAX_TRIES now required
* use get_once instead of timeout
2013-03-04 19:09:50 +01:00
David Maloney 71ba044d03 remove debugging aid 2013-03-04 11:25:34 -06:00
David Maloney 6dcca7df78 Remove duplicated header issues
Headers were getting duped back into client config, causing invalid
requests to be sent out
2013-03-04 11:24:26 -06:00
sinn3r 7fa24d9060 Module rename 2013-03-04 10:54:33 -06:00
sinn3r 59b5e8e688 Merge branch 'setuid_tunnelblick' of github.com:jvazquez-r7/metasploit-framework into jvazquez-r7-setuid_tunnelblick 2013-03-04 10:53:31 -06:00
sinn3r 95cd46d362 Merge branch 'master' of github.com:rapid7/metasploit-framework 2013-03-04 10:46:27 -06:00
sinn3r 12247d47ba Rename module, sorry, no pull request. 2013-03-04 10:46:05 -06:00
jvazquez-r7 e465a07030 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-03-04 17:41:18 +01:00
jvazquez-r7 92ee4300df cleanup for reflective_dll_inject 2013-03-04 17:40:09 +01:00
jvazquez-r7 582395412f Merge branch 'post_ref_dll_inj' of https://github.com/Meatballs1/metasploit-framework into Meatballs1-post_ref_dll_inj 2013-03-04 17:39:11 +01:00
jvazquez-r7 a980bf0ef6 minor fixes 2013-03-03 19:54:17 +01:00
jvazquez-r7 248481f195 fixed EOF 2013-03-03 19:52:31 +01:00
jvazquez-r7 81e2dbc71e added module for CVE-2012-3485 2013-03-03 19:48:12 +01:00
jvazquez-r7 76180f22fc added module for cve-2012-4284 2013-03-03 13:23:21 +01:00
Raphael Mudge 1cc49f75f5 move flag comment to where it's used. 2013-03-03 03:26:43 -05:00
Raphael Mudge ecdb884b13 Make download_exec work with authenticated proxies
Adds INTERNET_FLAG_KEEP_CONNECTION to HttpOpenRequest flags to allow
download_exec to transparently authenticate to a proxy device through
wininet.

Fun trivia, Windows 7 systems use Connection: keep-alive by default.
This flag benefits older targets (e.g., Windows XP).
2013-03-03 01:42:17 -05:00
Michael Schierl 4a17a30ffd Regenerate ruby modules
For shellcode changes (removed unneeded instruction) committed in
46a5c4f4bf. Saves 2 bytes per shellcode.
2013-03-03 00:14:30 +01:00
David Maloney 4212c36566 Fix up basic auth madness 2013-03-01 11:59:02 -06:00
David Maloney b2f68f0fdb Merge branch 'dmaloney-r7-feature/http/authv2' of git://github.com/jlee-r7/metasploit-framework into jlee-r7-dmaloney-r7-feature/http/authv2 2013-02-28 14:37:37 -06:00
David Maloney c290bc565e Merge branch 'master' into feature/http/authv2 2013-02-28 14:33:44 -06:00
jvazquez-r7 8f58c7b25e cleanup for sap_icf_public_info 2013-02-28 18:47:48 +01:00
jvazquez-r7 0dcfb51071 cleanup for sap_soap_rfc_system_info 2013-02-28 18:46:18 +01:00
jvazquez-r7 1a10c27872 Merge branch 'sap_rfc_system_info' of https://github.com/ChrisJohnRiley/metasploit-framework into ChrisJohnRiley-sap_rfc_system_info 2013-02-28 18:45:42 +01:00
RageLtMan 3778ae09e9 This commit adds DNS resolution to rev_tcp_rc4
Due to the modular structure of payload stages it's pretty trivial
to add DNS resolution instead of hard-coded IP address in stage0.

The only real complication here is that ReverseConnectRetries ends
up being one byte further down than in the original shellcode. It
appears that the original rev_tcp_dns payload suffers from the same
issue.

Hostname substitution is handled in the same method as the RC4 and
XOR keys, with an offset provided and replace_vars ignoring the
hostname.

Tested in x86 native and WOW64 on XP and 2k8r2 respectively.

This is a good option for those of us needing to leave persistent
binaries/payloads on hosts for long periods. Even if the hostname
resolves to a malicious party attempting to steal our hard earned
session, they'd be hard pressed to crypt the payload with the
appropriate RC4 pass. So long as we control the NS and records, the
hardened shellcode should provide a better night's sleep if running
shells over the WAN. Changing the RC4 password string in the
shellcode and build.py should reduce the chances of recovery by RE.

Next step will likely be to start generating ellipses for ECDH SSL
in meterpreter sessions and passing them with stage2 through the
RC4 socket. If P is 768-1024 the process is relatively quick, but
we may want to precompute a few defaults as well to have 2048+.
2013-02-28 02:59:20 -05:00
Wolfgang Ettlinger e7015985e7 Added CVE-2012-2686
Added Module for a DoS issue in OpenSSL (pre 1.0.1d). Can be exploited
with services that use TLS >= 1.1 and AES-NI. Because of improper
length computation, an integer underflow occurs leading to a
segmentation fault. This module brute-forces several encrypted
messages - when the decrypted message coincidentally specifies a
certain value for the size, the integer underflow occurs. Though this
could be accomplished more effectively (e.g. implementing or
manipulating a TLS implementation), this module still does what it
should do.
2013-02-27 22:57:53 +01:00
James Lee d3b3587660 Merge branch 'rapid7' into dmaloney-r7-feature/http/authv2 2013-02-27 14:01:57 -06:00
sinn3r 4085fa73c5 Merge branch 'stephenfewer-master' 2013-02-27 11:13:10 -06:00
sinn3r 3334257aa4 Merge branch 'bug/fix_screenspy' of github.com:kernelsmith/metasploit-framework into kernelsmith-bug/fix_screenspy 2013-02-26 13:54:47 -06:00
Joe Rozner abdcde06cd Fix polarcms_upload_exec exploit 2013-02-25 22:58:26 -08:00
sinn3r 0158919031 Merge branch 'master' of github.com:L1ghtn1ng/metasploit-framework into L1ghtn1ng-master 2013-02-25 19:41:29 -06:00
sinn3r 181e3c0496 Uses normalize_uri 2013-02-25 19:36:48 -06:00
J.Townsend cbce1bdff2 update module description
This adds the version of wordpress the issue was fixed in to the description
2013-02-26 00:24:46 +00:00
James Lee 1ce86b7adb Whitespace 2013-02-25 14:29:10 -06:00
James Lee e41922853e Merge branch 'rapid7' into dmaloney-r7-feature/http/authv2 2013-02-25 14:15:22 -06:00
sinn3r 1ed74b46be Add CVE-2013-0803
From:
http://dev.metasploit.com/redmine/issues/7691
2013-02-25 14:14:57 -06:00
sinn3r cae1939914 Kinda too long 2013-02-25 13:44:11 -06:00
sinn3r 593be7ab2f Merge branch 'xbmc' of github.com:mandreko/metasploit-framework into mandreko-xbmc 2013-02-25 13:43:12 -06:00
sinn3r f3f913edc5 Correct bad naming style 2013-02-25 13:29:27 -06:00
sinn3r 690e7ec8a7 Uses normalize_uri 2013-02-25 13:28:00 -06:00
sinn3r b930613653 Merge branch 'kordil-edms-upload-exec' of github.com:bcoles/metasploit-framework into bcoles-kordil-edms-upload-exec 2013-02-25 12:43:50 -06:00
sinn3r 5fe2c26d82 Merge branch 'bcoles-glossword_upload_exec' 2013-02-25 12:41:05 -06:00
sinn3r 52241b847a Uses normalize_uri instead of manually adding a slash 2013-02-25 12:20:37 -06:00
Tod Beardsley 1446992253 Merge jvazquez-r7's java exploit 2013-02-25 07:19:12 -06:00
bcoles d7c0ce4e4a Fix 'check()' in glossword_upload_exec 2013-02-25 15:52:07 +10:30
Raphael Mudge 788c96566f Allow HTTP stager to work with authenticated proxies
The HttpOpenRequest function from WinINet requires the
INTERNET_FLAG_KEEP_CONNECTION flag to communicate through an
authenticated proxy.

From MSDN ( http://tinyurl.com/chwt86j ):

"Uses keep-alive semantics, if available, for the connection. This
 flag is required for Microsoft Network (MSN), NT LAN Manager (NTLM),
 and other types of authentication."

Without this flag, the HTTP stager will fail when faced with a proxy
that requires authentication. The Windows HTTPS stager does not have
this problem.

For HTTP Meterpreter to communicate through an authenticated proxy a
separate patch will need to be made to the Meterpreter source code.
This is at line 1125 of source/common/core.c in the Meterpreter source
code.

My motivation for this request is for windows/dllinject/reverse_http
to download a DLL even when faced with an authenticated proxy. These
changes accomplish this.

Test environment:

I staged a SmoothWall device with the Advanced Proxy Web Add-on. I
enabled Integrated Windows Authentication with a W2K3 DC. I verified
the HTTP stager authenticated to and communicated through the proxy
by watching the proxy access.log
2013-02-24 17:33:00 -05:00
bcoles 1f46b3aa02 Add Glossword Arbitrary File Upload Vulnerability exploit 2013-02-25 01:59:46 +10:30
Matt Andreko 2c0a916c83 Made the password optional 2013-02-23 17:14:30 -05:00
Matt Andreko b221711ecd Added basic error handling 2013-02-23 10:24:04 -05:00
Matt Andreko 67c2c3da20 Code Review Feedback
Fixed the USER/PASS that I missed in last review
Converted from Scanner module to Gather
2013-02-23 10:09:23 -05:00
sinn3r 2b65cfa5ab Minor changes 2013-02-22 21:02:19 -06:00
sinn3r 1623877151 Merge branch 'MS13-009' of github.com:jjarmoc/metasploit-framework into jjarmoc-MS13-009 2013-02-22 20:58:42 -06:00
Meatballs 15d505f7a9 Msftidy 2013-02-22 22:09:19 +00:00
Meatballs 0ea7247a43 Initial commit 2013-02-22 22:05:29 +00:00
James Lee fc07bf16e7 Merge branch 'rapid7' into dmaloney-r7-feature/http/authv2 2013-02-22 15:41:49 -06:00