e31e3fc545
add additional architectures and targets
2017-05-30 00:07:37 -05:00
66f06cd4e3
Fix small typos in comments
2017-05-28 14:40:33 -05:00
965915eb19
Fix typo, thanks!
2017-05-27 22:22:34 -05:00
38491fd7ba
Rename payloads with os+libc, shrink array inits
2017-05-27 19:50:31 -05:00
f9ecdf2b4d
Add some bonus archs for interact mode
2017-05-27 17:26:50 -05:00
41253ab32b
Make msftidy happy
2017-05-27 17:17:20 -05:00
184c8f50f1
Rework the Samba exploit & payload model to be magic.
2017-05-27 17:03:01 -05:00
78d649232b
Remove obsolete module options
2017-05-26 21:21:05 -05:00
123a03fd21
Detect server-side path, work on Samba 3.x and 4.x
2017-05-26 17:02:18 -05:00
072ab7291c
Add /tank (from ryan-c) to search path
2017-05-26 06:56:41 -05:00
1474faf909
Remove ARMLE for now, will re-PR once functional
2017-05-25 16:14:35 -05:00
2ad386948f
Small cosmetic typo
2017-05-25 16:10:37 -05:00
18a871d6a4
Delete the .so, add PID bruteforce option, cleanup
2017-05-25 16:03:14 -05:00
cf7cfa9b2c
Add check() implementation based on bcoles notes
2017-05-25 09:49:45 -05:00
0520d7cf76
First crack at Samba CVE-2017-7494
2017-05-24 19:42:04 -05:00
e3f4cc0dfd
Land #8345 , WordPress PHPMailer Exim injection
...
CVE-2016-10033
2017-05-16 15:07:21 -05:00
35670713ff
Remove budding anti-patterns to avoid copypasta
...
While it offers a better OOBE, don't set a default LHOST. Force the user
to think about what they're setting it to. Also, RequiredCmd is largely
unnecessary and difficult to determine ahead of time unless the target
is a virtual appliance or something else "shipped."
2017-05-15 12:56:14 -05:00
231510051c
Fix uri_str for exploit
2017-05-11 16:30:10 -05:00
e414bdb876
don't try to guess intent for specified default targets, leave auto-auto targeting to unspecified modules
2017-05-11 15:19:11 -05:00
30c48deeab
msftidy and misc. fixups for Quest BoF module
2017-05-11 08:07:39 -05:00
e8aed42ecd
Land #8223 , Quest Privilege Manager pmmasterd Buffer Overflow
2017-05-11 00:44:19 -05:00
18d95b6625
Land #8346 , Templatize shims for external modules
2017-05-10 18:15:54 -05:00
fede672a81
further revise templates
2017-05-08 14:26:24 -05:00
b794bfe5db
Land #8335 , rank fixes for the msftidy god
2017-05-07 21:20:33 -05:00
88bef00f61
Add more ranks, remove module warnings
...
../vmware_mount.rb
Rank = Excellent
Exploit uses check code for target availability,
the vulnerability does not require user action,
and the exploit uses privilege escalation to run
arbitrary executables
../movabletype_upgrade_exec.rb
Rank = ExcellentRanking
Exploit utilizes code injection,
has a check for availability
../uptime_file_upload_2.rb
Rank = ExcellentRanking
Exploit allows execution of arbitrary commands,
has a check for availability
../zpanel_information_disclosure_rce.rb
Rank = ExcellentRanking
Exploit allows remote code execution,
implements version check for pChart
../spip_connect_exec.rb
Rank = ExcellentRanking
Exploit utilizes code injection,
has a check for availability
../wp_optimizepress_upload.rb
Rank = ExcellentRanking
Exploit allows execution of arbitrary code,
has a check for availability
../wing_ftp_admin_exec.rb
Rank = ExcellentRanking
Exploit allows execution of arbitrary commands,
has a check for availability
../novell_mdm_lfi.rb
Rank = ExcellentRanking
Exploit allows execution of arbitrary code,
has a check for availability
../run_as.rb
Rank = ExcellentRanking
Exploit utilizes command injection,
checks system type, and does not require user action
2017-05-07 15:41:26 -04:00
ab245b5042
added note to description
2017-05-07 13:56:50 +01:00
4f12a1e271
added note to description
2017-05-07 13:54:28 +01:00
05bf16e91e
Land #8331 , Adding module CryptoLog Remote Code Execution
2017-05-05 18:24:14 -05:00
720a02f5e2
Addressing Spaces at EOL issue reported by Travis
2017-05-05 11:05:17 +03:00
58d2e818b1
Merging multiple sqli area as a func
2017-05-05 10:49:05 +03:00
81bcf2ca70
updating all LHOST to use the new opt type
2017-05-04 12:57:50 -05:00
64452de06d
Fix msf/core and self.class msftidy warnings
...
Also fixed rex requires.
2017-05-03 15:44:51 -05:00
d04e7cba10
Rename the module as well as title
2017-05-03 19:18:46 +03:00
ae8035a30f
Fixing typo and using shorter sqli payload
2017-05-03 16:45:17 +03:00
db2a2ed289
Removing space at eof and self.class from register_options
2017-05-03 01:31:13 +03:00
77acbb8200
Adding cryptolog rce
2017-05-03 01:05:40 +03:00
494711ee65
Land #8307 , Add lib for writing Python modules
2017-05-02 15:53:13 -05:00
037fdf854e
move common json-rpc bits to a library
2017-04-26 18:08:08 -05:00
a60e5789ed
update mettle->meterpreter references in modules
2017-04-26 17:55:10 -05:00
bbee7f86b5
Land #8263 , Mercurial SSH exec module
2017-04-26 01:38:01 -05:00
f60807113b
Clean up module
2017-04-26 01:37:49 -05:00
e333cb65e5
Restore require 'msf/core'
2017-04-24 17:09:02 -05:00
d3aba846b9
Make minor changes
2017-04-24 23:35:36 +02:00
8e4c093a22
added version numbers
2017-04-22 09:45:55 -04:00
714ada2b66
Inline execute_cmd function
2017-04-21 15:32:15 +02:00
8218f024e0
Add WiPG-1000 Command Injection module
2017-04-20 16:32:23 +02:00
f5430e5c47
Revert Msf::Exploit::Remote::Tcp
2017-04-18 19:27:35 -04:00
9a870a623d
Make use of Msf::Exploit::Remote::Tcp
2017-04-18 19:17:48 -04:00
03e3065706
Fix MSF tidy issues
2017-04-18 18:56:42 -04:00
32f0b57091
Fix new line issues
2017-04-18 18:52:53 -04:00
bfca4da9b0
Add mercurial ssh exec
2017-04-18 16:33:23 -04:00
1fcc1f7417
Trailing comma. Why isn't this Lua?
2017-04-18 14:27:44 -05:00
4ec71f9272
Add a reference to the original PR
...
This was the source of first public disclosure, so may as well include
it.
2017-04-18 14:20:25 -05:00
92e7183a74
Small typo fix
...
Running msfconsole would generate an Ubuntu crash report (?). This seems to be the culprit.
2017-04-17 11:14:51 -06:00
e21504b22d
huawei_hg532n_cmdinject: Use send_request_cgi() 'vars_get' key
...
Instead of rolling our own GET parameters implementation.
Thanks @wvu-r7!
2017-04-17 09:11:50 +02:00
7daec53106
huawei_hg532n_cmdinject: Improve overall documentation
...
- Add section on compiling custom binaries for the device
- Add documentation for Huawei's wget flavor (thanks @h00die)
- Abridge the module's info hash contents (thanks @wwebb-r7)
- Abridge the module's comments; reference documentation (@h00die)
2017-04-17 08:00:51 +02:00
8a302463ab
huawei_hg532n_cmdinject: Use minimum permissions for staged binary
...
Use u+rwx permissions only, instead of full 777, while staging the
wget binary to target. As suggested by @wvu-r7 and @busterb.
2017-04-17 03:27:57 +02:00
7ca7528cba
huawei_hg532n_cmdinject: Spelling fixes suggested by @wvu-r7
2017-04-17 03:23:20 +02:00
7b8e5e5016
Add Huawei HG532n command injection exploit
2017-04-15 21:01:47 +02:00
5e42dde6b6
msftidy clean up
2017-04-12 16:25:21 +01:00
374d7809b5
last fixes and tests
2017-04-11 09:48:57 +01:00
9a0789f839
Exploit for pmmasterd Buffer Overflow (CVE-2017-6553)
2017-04-05 17:59:54 +01:00
64c06a512e
Land #8020 , ntfs-3g local privilege escalation
2017-04-04 09:48:15 -05:00
4c0539d129
Land #8178 , Add support for non-Ruby modules
2017-04-02 21:02:37 -05:00
0092818893
Land #8169 add exploit rank where missing
2017-04-02 20:59:25 -04:00
151ed16c02
Re-ranking files
...
../exec_shellcode.rb
Rank Great -> Excellent
../cfme_manageiq_evm_upload_exec.rb
Rank Great -> Excellent
../hp_smhstart.rb
Rank Average -> Normal
2017-04-02 18:33:46 -04:00
e80b8cb373
move sploit.c out to data folder
2017-03-31 20:51:33 -04:00
6910cb04dd
Add first exploit written in Python
2017-03-31 17:07:55 -05:00
1ce7bf3938
Land #8126 , Add SolarWind LEM Default SSH Pass/RCE
2017-03-31 11:21:32 -05:00
c445a1a85a
Wrap ssh.loop with begin/rescue
2017-03-31 11:16:10 -05:00
5e31a32771
Add missing ranks
...
../exec_shellcode.rb
Rank = Great
This exploit is missing autodetection and version checks,
but should be ranked Great due to high number of possible targets
../cfme_manageiq_evm_upload_exec.rb
Rank = Great
This exploit implements a check to assess target availability,
and the vulnerability does not require any user action
../dlink_dcs_930l_authenticated_remote_command_execution
Rank = Excellent
Exploit utilizes command injection
../efw_chpasswd_exec
Rank = Excellent
Exploit utilizes command injection
../foreman_openstack_satellite_code_exec
Rank = Excellent
Exploit utilizes code injection
../nginx_chunked_size
Rank = Great
Exploit has explicit targets with nginx version auto-detection
../tp_link_sc2020n_authenticated_telnet_injection
Rank = Excellent
See dlink_dcs_930l_authenticated_remote_command_execution,
exploit uses OS Command Injection
../hp_smhstart
Rank = Average
Must be specific user to exploit, no autodetection,
specific versions only
2017-03-31 02:39:44 -04:00
9db2e9fbcd
Land #8146 , Add Default Secret & Deserialization Exploit for Github Enterprise
2017-03-24 14:38:47 -05:00
e04f01ed6b
Land #7778 , RCE on Netgear WNR2000v5
2017-03-23 15:34:16 -05:00
3b062eb8d4
Update version info
2017-03-23 13:46:09 -05:00
fdb52a6823
Avoid checking res.code to determine RCE success
...
Because it's not accurate
2017-03-23 13:39:45 -05:00
39682d6385
Fix grammar
2017-03-23 13:23:30 -05:00
ee21377d23
Credit Brent & Adam
2017-03-23 11:22:49 -05:00
196a0b6ac4
Add Default Secret & Deserialization Exploit for Github Enterprise
2017-03-23 10:40:31 -05:00
d37966f1bb
Remove old file
2017-03-23 12:53:08 +03:00
8a43a05c25
Change name of the module
2017-03-23 12:49:31 +03:00
a93aef8b7a
Land #8086 , Add Module Logsign Remote Code Execution
2017-03-22 11:33:49 -05:00
7bcd53d87d
Land #8079 , exploit and aux for dnaLims
2017-03-20 11:08:05 -04:00
fd5345a869
updates per pr
2017-03-20 10:40:43 -04:00
fe5167bf26
changes to file per pr
2017-03-20 10:16:42 -04:00
84e4b8d596
land #8115 which adds a CVE reference to IMSVA
2017-03-18 09:51:52 -04:00
6aa42dcf08
Add solarwinds default ssh user rce
2017-03-17 21:54:35 +03:00
f706c4d7f6
Removing prefix
2017-03-16 00:49:55 +03:00
60186f6046
Adding CVE number
2017-03-16 00:31:21 +03:00
01ea5262b8
Land #8070 , msftidy vars_get fixes
2017-03-14 12:05:24 -05:00
5c436f2867
Appease msftidy in tr064_ntpserver_cmdinject
...
Also s/"/'/g.
2017-03-14 11:52:21 -05:00
5d6a159ba9
Use query instead of uri in mvpower_dvr_shell_exec
...
I should have caught this in #7987 , @bcoles, but I forgot. Apologies.
This commit finishes what @itsmeroy2012 attempted to do in #8070 .
2017-03-14 11:51:55 -05:00
79331191be
msftidy error updated 2.5
2017-03-14 22:02:59 +05:30
67fc43a0a1
msftidy error updated 2.4
2017-03-14 21:33:53 +05:30
fe4e2306b4
Reverting one step
2017-03-13 22:22:24 +05:30
fe4f20c0cc
Land #7968 , NETGEAR R7000 exploit
2017-03-10 16:02:30 -06:00
1c54e0ba94
msftidy error updated 2.2
2017-03-10 23:59:38 +05:30
6d8789a56e
Updated msftidy error 2.1
2017-03-10 23:03:37 +05:30
c0f17cf6b8
msftidy error updated 2.0
2017-03-10 22:16:27 +05:30
f6bac3ae31
Add iso link to md file and change CheckCode code
2017-03-10 13:00:49 +03:00
0ab3ad86ee
change dnalims_file_retrieve module type
2017-03-09 10:06:31 -05:00
Brent Cook
HD Moore
James Lee
William Vu
William Webb
Adam Cammack
Bryan Chu
m0t
Jeffrey Martin
Mehmet Ince
darkbushido
Brent Cook
wchen-r7
Matthias Brun
h00die
Jonathan Claudius
Tod Beardsley
Nate Caroe
Ahmed S. Darwish
bwatters-r7
dmohanty-r7
Pearce Barry
itsmeroy2012
flakey-biscuits