c1e604f201
Land #4562 : wchen-r7's CVE addition
2015-01-15 14:34:37 -06:00
47cd5a3e59
Land #4562 , wchen-r7's Win8 NtApphelpCacheControl privilege escalation
2015-01-15 13:52:07 -06:00
09eaf80a90
Add CVE
2015-01-15 13:22:00 -06:00
68dc3ce876
Minor code formatting
2015-01-15 19:33:08 +01:00
57904773e7
Configurable resource
2015-01-15 10:28:03 -06:00
ef0be946b1
Use HttpServer instead of TcpServer
2015-01-15 10:39:17 +01:00
3768cf0a69
Change version to int and add proper timestamp
2015-01-14 22:59:11 +00:00
621cada2ac
Undo build_gc_call_data refactoring
2015-01-14 16:47:28 -06:00
da0fce1ea8
Add module for CVE-2014-2206
2015-01-14 22:04:30 +01:00
8a89b3be28
Cleanup of various bits of code
2015-01-13 22:20:40 +00:00
ac4eb3bb90
Land #4578 , @dlanner's fix for rails_secret_deserialization
2015-01-13 09:37:28 -08:00
c5cfc11d84
fix cookie regex by removing a space
2015-01-12 23:13:18 -05:00
8246f4e0bb
Add ability to use both WP and EC attack vectors
2015-01-12 23:30:59 +00:00
e6f6acece9
Add a date hash to the post data
2015-01-12 21:21:50 +00:00
7876401419
Land #4476 - Lexmark MarkVision Enterprise Arbitrary File Upload
2015-01-12 10:44:23 -06:00
34bbc5be90
print error message about limitation
2015-01-11 20:12:40 -06:00
ea37e2e198
Add WP EasyCart file upload exploit module
2015-01-10 21:05:02 +00:00
46d1616994
Hello ARCH_X86_64
2015-01-10 06:16:22 -06:00
3c8be9e36d
Just x86
2015-01-09 19:12:51 -06:00
74e8e057dd
Use RDL
2015-01-09 19:02:08 -06:00
d4d1a53533
fix invalid url
2015-01-09 21:57:52 +01:00
fd2307680d
Land #4550 , wp-symposium file upload
2015-01-09 21:55:02 +01:00
d65ed54e0c
Check STARTUP_FOLDER option
2015-01-09 12:21:01 -06:00
2c633e403e
Do code cleanup
2015-01-09 12:07:59 -06:00
d52e9d4e21
Fix metadata again
2015-01-09 11:20:00 -06:00
9dbf163fe7
Do minor style fixes
2015-01-09 11:17:16 -06:00
8f09e0c20c
Fix metadata by copying the mysql_mof data
2015-01-09 11:15:32 -06:00
da6496fee1
Test landing #2156 into up to date branch
2015-01-09 11:04:47 -06:00
ee5c249c89
Add EDB reference
2015-01-09 00:19:12 -06:00
75de792558
Add a basic check
2015-01-09 00:03:39 -06:00
4911127fe2
Match the title and change the description a little bit
2015-01-08 21:48:01 -06:00
b7b3ae4d2a
A little randomness
2015-01-08 21:25:55 -06:00
e4547eb474
Land #4537 , @wchen-r7's fix for #4098
2015-01-08 17:57:16 -08:00
f13e56aef8
Handle bracketed and unbracketed results, add more useful logging
2015-01-08 17:51:31 -08:00
14db112c32
Add logging to show executed Java and result
2015-01-08 16:53:12 -08:00
b65013c5c5
Another update
2015-01-08 18:39:04 -06:00
b2ff5425bc
Some changes
2015-01-08 18:33:30 -06:00
53e6f42d99
This works
2015-01-08 17:57:14 -06:00
c76aec60b0
Add OSVDB id and full disclosure URL
2015-01-08 23:29:38 +00:00
7ed6b3117a
Update
2015-01-08 17:18:14 -06:00
fb5170e8b3
Land #2766 , Meatballs1's refactoring of ExtAPI services
...
- Many code duplications are eliminated from modules in favor of shared
implementations in the framework.
- Paths are properly quoted in shell operations and duplicate operations are
squashed.
- Various subtle bugs in error handling are fixed.
- Error handling is simpler.
- Windows services API is revised and modules are updated to use it.
- various API docs added
- railgun API constants are organized and readable now.
2015-01-08 16:54:01 -06:00
50ecfbf64c
Land #4553 - Update bypass UAC to work on 7, 8, 8.1, and 2012
2015-01-08 16:19:55 -06:00
fa5cd928a1
Refactor exploit to use the mixin
2015-01-08 16:04:56 -06:00
82e6183136
Add Msf::Exploit::FileDropper mixin
2015-01-08 21:07:00 +00:00
93dc90d9d3
Tidied up some code with existing mixins
2015-01-08 20:53:56 +00:00
873ade3b8a
Refactor exploit module
2015-01-08 14:52:55 -06:00
0e6c7181b1
"Stash" it
2015-01-08 14:13:14 -06:00
a9fee9c022
Fall back to runas if UAC disabled
2015-01-08 11:07:57 +00:00
ea793802cc
Land #4528 , mantisbt_php_exec improvements
2015-01-08 04:50:00 -06:00
844460dd87
Update bypass UAC to work on 8.1 and 2012
...
This commit contains a bunch of work that comes from Meatballs1 and
Lesage, and updates the bypassuac_inject module so that it works on
Windows 8.x and Windows 2012. Almost zero of the code in this module
can be attributed to me. Most of it comes from Ben's work.
I did do some code tidying, adjustment of style, etc. but other than
that it's all down to other people.
2015-01-08 15:39:19 +10:00
7b92c6c2df
Add WP Symposium Shell Upload module
2015-01-07 22:02:39 +00:00
0b0ac1455a
Merge remote-tracking branch 'upstream/master' into extapi_service_post
...
Conflicts:
test/modules/post/test/services.rb
2015-01-07 20:53:34 +00:00
ef97d15158
Fix msftidy and make sure all print_*s in check() are vprint_*s
2015-01-07 12:12:25 -06:00
3e80efb5a8
Land #4521 , Pandora FMS upload
2015-01-07 11:13:57 -06:00
1ccef7dc3c
Shorter timeout so we get shell sooner
...
The request to execute our payload will never return, so waiting for the
default timeout (20 seconds) is pointless.
2015-01-07 11:11:33 -06:00
4c240e8959
Fix #4098 - False negative check for script_mvel_rce
...
Fix #4098 , thanks @arnaudsoullie
2015-01-07 10:40:58 -06:00
c60b6969bc
Oh so that's it
2015-01-07 10:39:46 -06:00
efe83a4f31
Whitespace
2015-01-07 10:19:17 -06:00
09bd0465cf
fix regex
2015-01-07 11:54:55 +01:00
b3def856fd
Applied changes recommended by jlee-r7
...
used Rex::ConnectionError
refactor begin/rescue blocks
removed ::URI::InvalidURIError
changed @peer with peer
used Exploit::CheckCode:Appears instead of Exploit::CheckCode::Vulnerable
2015-01-07 18:38:19 +08:00
eaad4e0bea
fix check method
2015-01-07 11:01:08 +01:00
862af074e9
fix bug
2015-01-07 09:10:50 +01:00
d007b72ab3
favor include? over =~
2015-01-07 07:33:16 +01:00
4277c20a83
use include?
2015-01-07 06:51:28 +01:00
39e33739ea
support for anonymous login
2015-01-07 00:08:04 +01:00
bf0bdd00df
added some links, use the res variable
2015-01-06 23:25:11 +01:00
2ed05869b8
Make Msf::Exploit::PDF follow the Ruby method naming convention
...
Just changing method names.
It will actually also fix #4520
2015-01-06 12:42:06 -06:00
f9f2bc07ac
some improvements to the mantis module
2015-01-06 11:33:45 +01:00
f2710f6ba7
Land #4443 , BulletProof FTP client exploit
2015-01-06 02:10:42 -06:00
482cfb8d59
Clean up some stuff
2015-01-06 02:10:25 -06:00
dd5c638ab0
Merge remote-tracking branch 'upstream/master' into extapi_service_post
2015-01-05 22:18:44 +00:00
44dfa746eb
Resolve #4513 - Change #inspect to #to_s
...
Resolve #4513
2015-01-05 11:50:51 -06:00
547b7f2752
Syntax and File Upload BugFix
...
Fix unexpected ) in line 118
Fix file cleanup missing _
Fix more robust version check script
Fix file upload
2015-01-05 19:23:22 +08:00
c9b76a806a
Create manageengine_auth_upload.rb
2015-01-04 17:05:53 +00:00
c959d42a29
minor tweak
2015-01-03 10:15:52 +00:00
d45cdd61aa
Resolve #4507 - respond_to? + send = evil
...
Since Ruby 2.1, the respond_to? method is more strict because it does
not check protected methods. So when you use send(), clearly you're
ignoring this type of access control. The patch is meant to preserve
this behavior to avoid potential breakage.
Resolve #4507
2015-01-02 13:29:17 -06:00
3c755a6dfa
Template
2015-01-02 11:31:28 -06:00
c1718fa490
Land #4440 , git client exploit from @jhart-r7
...
Also fixes #4435 and makes progress against #4445 .
2015-01-01 13:18:43 -06:00
d7564f47cc
Move Mercurial option to advanced, update ref url
...
See #4440
2015-01-01 13:08:36 -06:00
914c724abe
Rename module
...
See rapid7#4440
2015-01-01 13:03:17 -06:00
65977c9762
Add some more useful URLs
2014-12-31 10:54:04 -08:00
264d3f9faa
Minor grammar fixes on modules
2014-12-31 11:45:14 -06:00
6d966dbbcf
Land #4203 , @jvazquez-r7's cleanup for java_rmi_server
2014-12-31 11:25:19 -05:00
48919eadb6
Land #4444 - i-FTP BoF
2014-12-30 12:38:28 -06:00
96fe693c54
update drupal regex
2014-12-30 09:12:39 +01:00
d2af956b16
Do minor cleanups
2014-12-29 10:39:51 -06:00
9f98fd4d87
Info leak webapp ROOT so we can cleanup
2014-12-27 08:47:51 -06:00
5afd2d7f4b
Add module for ZDI-14-410
2014-12-26 20:40:28 -06:00
655cfdd416
Land #4321 , @wchen-r7's fixes #4246 ms01_026_dbldecode undef method
2014-12-26 12:48:29 -06:00
51049152b6
Use Rex::Text.rand_mail_address for more realistic fake commit
2014-12-26 10:39:52 -08:00
c1b0385a4b
Land #4460 , @Meatballs1's ssl cert validation bypass on powershell web delivery
2014-12-26 12:07:45 -06:00
2bed52dcd5
Land #4459 , @bcoles's ProjectSend Arbitrary File Upload module
2014-12-26 11:28:42 -06:00
b5b0be9001
Do minor cleanup
2014-12-26 11:24:02 -06:00
121c0406e9
Beautify restart_command creation
2014-12-24 15:52:15 -06:00
43ec8871bc
Do minor c code cleanup
2014-12-24 15:45:38 -06:00
92113a61ce
Check payload
2014-12-24 15:43:49 -06:00
36ac0e6279
Clean get_restart_commands
2014-12-24 14:55:18 -06:00
92b3505119
Clean exploit method
2014-12-24 14:49:19 -06:00
9c4d892f5e
Use single quotes when possible
2014-12-24 14:37:39 -06:00
bbbb917728
Do style cleaning on metadata
2014-12-24 14:35:35 -06:00
af24e03879
Update from upstream
2014-12-24 14:25:25 -06:00
0b85a81b01
Use REXML to generate exploit file
2014-12-24 19:23:28 +01:00
a692656ab7
Update comments to reflect reality, minor cleanup
2014-12-23 19:09:45 -08:00
ebb05a64ea
Land #4357 , @Meatballs1 Kerberos Support for current_user_psexec
2014-12-23 20:38:31 -06:00
59f75709ea
Print out malicious URLs that will be used by default
2014-12-23 10:10:31 -08:00
905f483915
Remove unused and commented URIPATH
2014-12-23 09:40:27 -08:00
8e57688f04
Use random URIs by default, different method for enabling/disabling Git/Mercurial
2014-12-23 09:39:39 -08:00
bd3dc8a5e7
Use fail_with rather than fail
2014-12-23 08:20:03 -08:00
015b96a24a
Add back perl and bash related payloads since Windows git will have these and OS X should
2014-12-23 08:13:00 -08:00
16302f752e
Enable generic command
2014-12-23 14:22:26 +00:00
a3b0b9de62
Configure module to target bash by default
2014-12-23 14:19:51 +00:00
313d6cc2f8
Add super call
2014-12-23 14:12:47 +00:00
43221d4cb0
Remove redundant debugging stuff
2014-12-23 14:09:12 +00:00
42a10d6d50
Add Powershell target
2014-12-23 14:07:57 +00:00
40c1fb814e
one line if statement
2014-12-23 11:20:24 +00:00
b41e259252
Move it to a common method
2014-12-23 11:16:07 +00:00
5c82b8a827
Add ProjectSend Arbitrary File Upload module
2014-12-23 10:53:03 +00:00
abec7c206b
Update description to describe current limitations
2014-12-22 20:32:45 -08:00
1505588bf6
Rename the file to reflect what it really is
2014-12-22 20:27:40 -08:00
ff440ed5a4
Describe vulns in more detail, add more URLs
2014-12-22 20:20:48 -08:00
b4f6d984dc
Minor style cleanup
2014-12-22 17:51:35 -08:00
421fc20964
Partial mercurial support. Still need to implement bundle format
2014-12-22 17:44:14 -08:00
fdd1d085ff
Don't encode the payload because this only complicates OS X
2014-12-22 13:36:38 -08:00
0bf3a9cd55
Fix duplicate :ua_maxver key.
2014-12-22 14:57:44 -06:00
ea9f5ed6ca
Minor cleanup
2014-12-22 12:16:53 -08:00
dd73424bd1
Don't link to unused repositories
2014-12-22 12:04:55 -08:00
6c8cecf895
Make git/mercurial support toggle-able, default mercurial to off
2014-12-22 11:36:50 -08:00
574d3624a7
Clean up setup_git verbose printing
2014-12-22 11:09:08 -08:00
16543012d7
Correct planted clone commands
2014-12-22 10:56:33 -08:00
01055cd41e
Use a trigger to try to only start a handler after the malicious file has been requested
2014-12-22 10:43:54 -08:00
3bcd67ec2e
Unique URLs for public repo page and malicious git/mercurial repos
2014-12-22 10:03:30 -08:00
308eea0c2c
Make malicious hook file name be customizable
2014-12-22 08:28:55 -08:00
7f3cfd2207
Add a ranking
2014-12-22 07:51:47 -08:00
44084b4ef6
Correct Microsoft security bulletin for ppr_flatten_rec
2014-12-22 10:40:23 +00:00
9be95eacb8
Use %Q for double-quoted string
2014-12-22 07:37:32 +01:00
bb33a91110
Update description to be a little more descriptive
2014-12-21 19:31:58 +01:00
74783b1c78
Remove ruby and telnet requirement
2014-12-21 10:06:06 -08:00
cd02e61a57
Add module for OSVDB-114279
2014-12-21 17:00:45 +01:00
31f320c901
Add mercurial debugging
2014-12-20 20:00:12 -08:00
3da1152743
Add better logging. Split out git support in prep for mercurial
2014-12-20 19:34:55 -08:00
58d5b15141
Add another useful URL. Use a more git-like URIPATH
2014-12-20 19:11:56 -08:00
9f97b55a4b
Add module for CVE-2014-2973
2014-12-20 18:38:22 +01:00
f41d0fe3ac
Randomize most everything about the malicious commit
2014-12-19 19:31:00 -08:00
805241064a
Create a partially capitalized .git directory
2014-12-19 19:07:45 -08:00
f7630c05f8
Use payload.encoded
2014-12-19 18:52:34 -08:00
7f2247f86d
Add description and URL
2014-12-19 15:50:16 -08:00
9b815ea0df
Some style cleanup
2014-12-19 15:35:09 -08:00
4d0b5d1a50
Add some vprints and use a sane URIPATH
2014-12-19 15:33:26 -08:00
d3050de862
Remove references to Redmine in code
...
See #4400 . This should be all of them, except for, of course, the module
that targets Redmine itself.
Note that this also updates the README.md with more current information
as well.
2014-12-19 17:27:08 -06:00
48444a27af
Remove debugging pp
2014-12-19 15:27:06 -08:00
1c7fb7cc7d
Mostly working exploit for CVE-2014-9390
2014-12-19 15:24:27 -08:00
4888ebe68d
Initial commit of POC module for CVE-2013-9390 ( #4435 )
2014-12-19 12:58:02 -08:00
f237c56a13
This oracle scheduler exploit hangs if not vuln
...
When this exploit gets run against a system that isn't vulnerable
it can hang for a signifigant ammount of time. This change uses the check
method on the exploit to see whether it should proceed. Don't try to exploit
the host if it's not vulnerable.
2014-12-16 09:42:42 -06:00
025c0771f8
Have exploit call check. Have check report_vuln
2014-12-15 09:53:11 -08:00
f521e7d234
Use newer Ruby hash syntax
2014-12-15 09:17:32 -08:00
c93dc04a52
Resolve address before storing the working cred
2014-12-15 09:11:12 -08:00
5ca8f187b3
Merge remote-tracking branch 'upstream/pr/4328' into temp
2014-12-15 08:15:51 -08:00
9a0ed723d1
Adds error handling for drive letter enumeration
2014-12-14 12:56:20 -05:00
4530066187
return nil
2014-12-15 01:04:39 +11:00
55d9e9cff6
Use list of potential analytics hosts
2014-12-14 23:15:41 +11:00
223d6b7923
Merged with Fr330wn4g3's changes
2014-12-14 13:08:19 +08:00
0c5f4ce4ee
Removed the handler-ish code
2014-12-13 22:18:41 -05:00
2addd0fdc4
Fixed name, removed tabs, updated license
2014-12-13 20:37:19 -05:00
b1453afb52
Land #4297 , fixes #4293 , Use OperatingSystems::Match::WINDOWS
...
* instead of Msf::OperatingSystems::WINDOWS
2014-12-12 18:19:58 -06:00
4fc4866fd8
Merge code in from #2395
2014-12-12 16:22:51 -06:00
488f46c8a1
Land #4324 , payload_exe rightening.
...
Fixes #4323 , but /not/ #4246 .
2014-12-12 15:04:57 -06:00
9908e0e35b
Land #4384 , fix typo.
2014-12-12 14:39:47 -06:00
50b734f996
Add Portuguese target, lands #3961 (also reorders targets)
2014-12-12 14:23:02 -06:00
008c33ff51
Fix description
2014-12-12 13:36:28 -06:00
81460198b0
Add openssl payload to distcc exploit
...
This is required to test #4274
2014-12-12 13:25:55 -06:00
b334e7e0c6
Land #4322 , @FireFart's wordpress exploit for download-manager plugin
2014-12-12 12:41:59 -06:00
aaed7fe957
Make the timeout for the calling payload request lower
2014-12-12 12:41:06 -06:00
00f66b6050
Correct named captures
2014-12-12 10:22:14 -08:00
98dca6161c
Delete unused variable
2014-12-12 12:03:32 -06:00
810bf598b1
Use fail_with
2014-12-12 12:03:12 -06:00
1e6bbc5be8
Use blank?
2014-12-12 09:51:08 -08:00
4f3ac430aa
Land #4341 , @EgiX's module for tuleap PHP Unserialize CVE-2014-8791
2014-12-12 11:48:25 -06:00
64f529dcb0
Modify default timeout for the exploiting request
2014-12-12 11:47:49 -06:00
24f1b916e0
Minor ruby style cleanup
2014-12-12 09:47:35 -08:00
1d1aa5838f
Use Gem::Version to compare versions in check
2014-12-12 09:47:01 -08:00
d01a07b1c7
Add requirement to description
2014-12-12 11:42:45 -06:00
fd09b5c2f6
Fix title
2014-12-12 10:52:18 -06:00
4871228816
Do minor cleanup
2014-12-12 10:52:06 -06:00
0f27c63720
fix msftidy warnings
2014-12-12 13:16:21 +01:00
65b316cd8c
Land #4372
2014-12-11 18:48:16 -08:00
544f75e7be
fix invalid URI scheme, closes #4362
2014-12-11 23:34:10 +01:00
de88908493
code style
2014-12-11 23:30:20 +01:00
24dbc28521
Land #4356
2014-12-11 09:03:18 -08:00
0eea9a02a1
Land #3144 , psexec refactoring
2014-12-10 17:30:39 -06:00
c813c117db
Use DNS names
2014-12-10 22:25:44 +00:00
245b76477e
Fix issue with execution of perl due to gsub not matching across newlines
2014-12-10 21:38:04 +00:00
700ccc71e7
Create tuleap_unserialize_exec.rb
2014-12-09 10:15:46 +01:00
21742b6469
Test #3729
2014-12-06 21:20:52 -06:00
42744e5650
Add actualanalyzer_ant_cookie_exec exploit
2014-12-06 19:09:20 +00:00
2f98a46241
Land #4314 , @todb-r7's module cleanup
2014-12-05 14:05:09 -06:00
7ae786a53b
Add a comment as an excuse to tag the issue
...
Fix #4246
... so it will automatically close the ticket.
2014-12-05 11:26:26 -06:00
f25e3ebaaf
Fix #4246 - More undef 'payload_exe' in other modules
...
Root cause: payload_exe is an accessor in the TFPT command stager
mixin, you need stager_instance in order to retreive that info.
2014-12-05 11:19:58 -06:00
8d1ca872d8
Now with logging of command response output
2014-12-05 10:58:40 -06:00
5ea062bb9c
fix bug
2014-12-05 11:30:45 +01:00
55b8d6720d
add wordpress download-manager exploit
2014-12-05 11:17:54 +01:00
Brent Cook
sinn3r
sgabe
Pedro Ribeiro
jvazquez-r7
rastating
Jon Hart
David Lanner
Christian Mehlmauer
Meatballs
William Vu
OJ
James Lee
rcnunez
Tim
Tod Beardsley
Spencer McIntyre
Brendan Coles
Joe Vennix
Jon Cave
David Maloney
Sean Verity
HD Moore
Marc Wickenden
EgiX
headlesszeke