820f589df0
Missed this one.
2013-06-17 15:52:53 -05:00
163d3e771b
Handle connect_login return value properly
...
Some modules ignore connect_login's return value, which may result
an EOF if send_cmd() is used later on. All the modules fixed are
the ones require auth according to the module description, or
CVE/vendor/OSVDB info.
2013-06-17 15:48:34 -05:00
bd17e67f75
Land #1960 , lower ranking for MS13-009
2013-06-14 15:28:06 -05:00
2abf70a1ca
Lower ranking for MS13-009
...
We haven't been able to make this one more reliable, so todb suggests
we lower the ranking first.
2013-06-14 15:24:43 -05:00
d35c3469e8
Fix typo
...
EDB reference
2013-06-14 15:16:20 -05:00
0d384d23b8
Land #1954 - Fix resource_uri and mp4 file path
2013-06-14 13:15:17 -05:00
933ac88b44
Missing the file param that's needed to download the mp4
2013-06-14 13:13:48 -05:00
d2df3234f4
Land #1955 - mozilla_mchannel.rb undefined agent variable
2013-06-14 11:14:20 -05:00
223807d0df
Land #1956 - fix regex error for mozilla_reduceright.rb
2013-06-14 11:09:49 -05:00
ca0ab8d6ee
maxthon_history_xcs.rb - fix User-agent string
...
request.headers['User-agent'] is incorrect, it should be
request.headers['User-Agent'].
Downloaded following version from oldapps.com to confirm
the exploit code is wrong.
Supported Systems Windows 98, 2000 (Maxthon 2.5.15 Build
1000), XP, Vista, 7, 8
MD5 Checksum F3791637C886A46940876211209F82F4
SHA1 Checksum 039BB218245E5DC1BAB0F57298C68AC487F86323
Release Date 20 October, 2011 (2 years ago )
2013-06-11 13:37:21 +10:00
69c25014ae
Make msftidy happy
2013-06-13 18:58:38 -05:00
12801430e3
Update both ultraiso files to the right fix
2013-06-13 18:44:19 -05:00
0440c03c7a
Land #1934 - Fix UltraISO Exploit File Creation
2013-06-13 13:57:09 -05:00
81813a78fc
Fix module Name
2013-06-13 11:55:23 -05:00
afb2f83238
Add module for CVE-2012-1533
2013-06-12 14:40:53 -05:00
c38eabe481
Fix description, code and perform test
2013-06-12 11:07:03 -05:00
5c8053491f
Add DEP bypass for ntdll ms12-001
2013-06-12 10:41:05 -05:00
a1c7961cbc
Suport js obfuscation for the trigger
2013-06-12 08:06:12 -05:00
5240c6e164
Add module for MS13-037 CVE-2013-2551
2013-06-12 07:37:57 -05:00
081baad68c
Remove variable 'overflow' because it's not used
...
The 'overflow' variable isn't needed
2013-06-11 02:26:45 -05:00
4e41e871bb
mozilla_reduceright.rb - fix regex error.
...
[] is character class, and will match on 1, 6, 7, and |.
Where as (16|17) will match on either 16, or 17.
irb(main):053:0> y = /Firefox\/3\.6\.[16|17]/
=> /Firefox\/3\.6\.[16|17]/
irb(main):054:0> x = "Firefox/3.6.13"
=> "Firefox/3.6.13"
irb(main):055:0> x =~ y
=> 0
irb(main):056:0> y = /Firefox\/3\.6\.(16|17)/
=> /Firefox\/3\.6\.(16|17)/
irb(main):057:0> x =~ y
=> nil
2013-06-11 11:52:27 +10:00
996171b35f
mozilla_mchannel.rb undefined agent variable
...
If the TARGET is chosen instead of using the default
automatic, the agent variable will be undefined, which
causes the exploit to fail.
2013-06-11 10:43:47 +10:00
d91b412661
adobe_flash_sps.rb - resource_uri vs get_resource
...
resource_uri will randomize the returned uri unless
datastore['URIPATH"] is set.
get_resource will return the currently used reosurce_uri
Since the incorrect type is used, this exploit is completely broken.
Tested fix with both URIPATH set to / and unset, and it works after
redirect.
2013-06-11 07:13:02 +10:00
0895184e1f
Land #1932 - Actually support OUTPUTPATH datastore option
2013-06-10 11:22:28 -05:00
f58e279066
Cleanup on module names, descriptions.
2013-06-10 10:52:22 -05:00
cd64e3593c
Fix UltraISO file creation
...
This makes file creation where datastore['FILENAME'] is not used when
a different filename is required, and ends up creating files in the
wrong place.
2013-06-09 12:37:34 +10:00
c6b4290fea
Fix UltraISO Exploit File Creation
...
Both ultraiso_ccd.rb and ultraiso_cue.rb use File.open to create
files, instead of using the create_file() function. This leads
to files being created in the wrong directory.
We work around this by dynamically changing the
file_format_filename function to return the corrected filename.
2013-06-09 09:51:15 +10:00
cb79aa252a
Fix output path in ms10_004_textbytesatom.rb
...
ms10_004_textbytesatom.rb does not write to the local data directory,
instead it writes to the metasploit path (at least, that's where I
started msfrpcd).
This fixes it by using Msf::Config.local_directory
2013-06-09 07:28:48 +10:00
a157e65802
Land #1916 , @wchen-r7's exploit for Synactics PDF
2013-06-07 12:11:45 -05:00
ea2895ac13
Change to AverageRanking
...
Just to play with the firing order for Browser Autopwn, this one
should fire as late as possible.
2013-06-07 12:08:51 -05:00
9c7b446532
Updates description about default browser setting
2013-06-07 11:58:31 -05:00
f3421f2c3a
Fix different landings
2013-06-07 10:26:04 -05:00
da4b18c6a1
[FixRM:#8012] - Fix message data type to int
...
This patch makes sure s.message is actually an int, that way we can
properly stop or enable the service.
2013-06-06 23:49:14 -05:00
e559824dc8
Remove whitespace
2013-06-06 20:08:50 -05:00
d3e57ffc46
Add OSVDB-93754: Synactis PDF In-The-Box ConnectToSynactic Stack Buffer Overflow
...
This module exploits a vulnerability found in Synactis' PDF In-The-Box ActiveX
component, specifically PDF_IN_1.ocx. When a long string of data is given
to the ConnectToSynactis function, which is meant to be used for the ldCmdLine
argument of a WinExec call, a strcpy routine can end up overwriting a TRegistry
class pointer saved on the stack, and results in arbitrary code execution under the
context of the user.
2013-06-06 20:05:08 -05:00
6d3dcf0cef
Land #1912 - Fixed check for Admins SID in whoami /group output
2013-06-05 02:55:38 -05:00
a3b25fd7c9
Land #1909 - Novell Zenworks Mobile Device Managment exploit & auxiliary
2013-06-05 02:45:45 -05:00
0c1d46c465
Add more references
2013-06-05 02:43:43 -05:00
46aa6d38f8
Add a check for it
2013-06-05 02:41:03 -05:00
a270d37306
Take apart the version detection code
2013-06-05 02:34:35 -05:00
25fe03b981
People like this format better: IP:PORT - Message
2013-06-05 02:26:18 -05:00
02e29fff66
Make msftidy happy
2013-06-05 02:25:08 -05:00
35459f2657
Small name change, don't mind me
2013-06-05 02:18:11 -05:00
227fa4d779
Homie needs a default target
2013-06-05 02:16:59 -05:00
1032663cd4
Fixed check for Administrators SID in whoami /group output
2013-06-04 18:34:06 -04:00
ed4766dc46
initial commit of novell mdm modules
2013-06-04 09:20:10 -07:00
30a019e422
Land #1891 , @wchen-r7's improve for ie_cgenericelement_uaf
2013-06-03 15:35:43 -05:00
4cf682691c
New module title and description fixes
2013-06-03 14:40:38 -05:00
cb33c5685f
Landing #1890 - Oracle WebCenter Content openWebdav() vulnerability
2013-06-02 12:35:40 -05:00
cc951e3412
Modifies the exploit a little for better stability
...
This patch makes sure the LFH is enabled before the CGenericElement
object is created. Triggers is also modified a little.
2013-06-02 03:02:42 -05:00
5939ca8ce4
Add analysis at the end of the module
2013-06-01 15:59:17 -05:00
9be8971bb0
Add module for ZDI-13-094
2013-06-01 15:44:01 -05:00
8671ae9de7
add osvdb ref
2013-06-01 14:27:50 -05:00
f8e9535c39
Add ZDI reference
2013-05-31 20:50:53 -05:00
4f6d80c813
Land #1804 , user-settable filename for psexec
2013-05-31 13:34:52 -05:00
5964d36c40
Fix a syntax error
...
Also uses a prettier syntax for setting the filename (ternary operators
are hard to read).
2013-05-31 13:31:36 -05:00
d0489b5d1e
Delete some commas
2013-05-30 14:25:53 -05:00
6abb591428
Do minor cleanup for lianja_db_net
2013-05-30 14:25:05 -05:00
70e1379338
Use msvcrt in ropdb for stability.
2013-05-30 11:13:22 -04:00
c3ab1ed2a5
Exploit module for Lianja SQL 1.0.0RC5.1
2013-05-29 08:48:41 -04:00
d16d316658
Fixes mssql_findandsampledata & ms11_006_creat esizeddibsection
...
[FixRM:7987]
[FixRM:7986]
2013-05-28 11:15:17 -05:00
e678b2c5d8
Add module for CVE-2012-5946
2013-05-26 00:21:20 -05:00
57b7e4ec44
Update ms11_006_createsizeddibsection.rb
2013-05-25 13:14:41 +06:00
ecb9d1d7fa
Landing #1848 - AdobeCollabSync Buffer Overflow on Adobe Reader X
2013-05-22 12:24:42 -05:00
53cb493bc9
Fix @jlee-r7's feedback
2013-05-20 18:44:21 -05:00
f4498c3916
Remove $Id tags
...
Also adds binary coding magic comment to a few files
2013-05-20 16:21:03 -05:00
85ceaa1a62
Add module for CVE-2013-2730
2013-05-18 12:44:24 -05:00
3009bdb57e
Add a few more references for those without
2013-05-16 14:32:02 -05:00
e1111928c2
Adds patch info for ie_cgenericelement_uaf
...
This one is MS13-038
2013-05-14 14:55:02 -05:00
ce594a3ba2
Deprecate modules/exploits/windows/http/sap_mgmt_con_osexec_payload
2013-05-12 08:46:40 -05:00
7fcf20201b
Ranking should be the same (to GoodRanking)
2013-05-11 09:19:25 -05:00
95b0d4e5ec
move filename init up to remove dup code
...
as suggested by @jlee-r7
2013-05-09 13:29:21 -04:00
9043eeda66
A slight change for stability
...
While updating ie_cgenericelement_uaf earlier today, I noticed the
changes made it a tiny bit less stable. Juan's test log in #1809
also kinda shows that (with the first attempt failing), so I decided
to go back and move the string crafting part, that way between
CollectGarbage() and the overwrite, there is less noise, and hopefully
more stable. I did a few tests, seems better.
2013-05-08 20:02:55 -05:00
bdd2287daf
Land #1809 , @wchen-r7's modification for ie_cgenericelement_uaf
2013-05-08 16:21:11 -05:00
9a1400a75b
Forgot to remove this print_warning
2013-05-08 15:44:04 -05:00
075f6e8d45
Updates ROP chain and mstime_malloc usage
2013-05-08 15:42:45 -05:00
c7609ac7d1
Initial update
2013-05-08 14:24:52 -05:00
1aa80cd35e
Add module for CVE-2013-0726
2013-05-08 13:48:48 -05:00
71c68d09c1
Allow user ability to set filename for psexec service binary
...
This should probably be higher up for all
generate_payload_exe but would take a major edit
2013-05-07 15:26:22 -03:00
8239998ada
Typo on URL for #1797 . Thx @Meatballs1
2013-05-05 12:26:06 -05:00
c9ea7e250e
Fix disclosure date, ref for #1897
2013-05-05 12:13:02 -05:00
a33510e821
Add MS IE8 DoL 0day exploit (CVE-2013-1347)
...
This module exploits a use-after-free vuln in IE 8, used in the
Department of Labor attack.
2013-05-05 12:04:17 -05:00
13202a3273
Add OSVDB reference
2013-05-03 09:46:29 -05:00
a95de101e7
Delete extra line
2013-05-02 22:04:27 -05:00
6210b42912
Port EDB 25141 to msf
2013-05-02 22:00:43 -05:00
a2e1fbe7a9
Make msftidy happy
2013-05-02 19:46:26 -05:00
eb23b5feeb
Forgot to remove function ie8_smil. Don't need this anymore.
2013-05-02 14:04:15 -05:00
329e8228d1
Uses js_mstime_malloc to do the no-spray technique
2013-05-02 14:00:15 -05:00
99b46202b9
Do final cleanup for sap_configservlet_exec_noauth
2013-04-26 08:45:34 -05:00
308b880d79
Land #1759 , @andrewkabai's exploit for SAP Portal Command Execution
2013-04-26 08:44:11 -05:00
5839e7bb16
simplify code
2013-04-26 12:14:42 +02:00
4aadd9363d
improve description
2013-04-26 12:13:45 +02:00
f3f60f3e02
Fixes P/P/R for target 0 (BadBlue 2.72b)
...
Target 1, which covers 2.72b, uses an invalid P/P/R from some unknown
DLL, and appears to be broken. Because 2.72b actually uses the same
ext.dll as BadBlue EE 2.7 (and that target 0 actually also works
against 2.72b), we might as well just use the same P/P/R again.
[FixRM #7875 ]
2013-04-25 20:20:24 -05:00
9dd9b2d1ba
implement cleanup functionality
...
register DELETE_FILES advanced option to take control of the cleanup
functionality of CmdStagerVBS and FileDropper, implement the necessary
changes
2013-04-25 20:02:24 +02:00
a28ef1847b
update references
2013-04-25 18:26:13 +02:00
676f2f5f4a
implement "check" functionality
2013-04-25 07:47:30 +02:00
3b46d5d4cd
fix typos
2013-04-25 07:22:16 +02:00
2759ef073e
correction on error handling
2013-04-25 07:19:27 +02:00
6b14ac5e71
add rank to module
2013-04-25 07:07:35 +02:00
f22d19a10c
remove unused code block
...
ARCH_CMD was implemented in previous version of this code.
2013-04-24 21:51:35 +02:00
0339be229a
implement dynamic timeout handling
2013-04-24 18:22:37 +02:00
6f8fc81497
improve error handling
2013-04-24 17:59:11 +02:00
57113bee80
fine correction
...
add license
remove one unnecessary tab to make msftidy happy
2013-04-24 15:07:32 +02:00
6485124cdf
fix module name
2013-04-24 10:54:52 +02:00
358b8934bf
clarify description
2013-04-24 10:31:40 +02:00
00e6eeca54
implement command line magick to prevent bad char usage
...
commas in the HTTP queries are not allowed but the VBS stager contains
some, therefore it was necessary to find a way to echo out commas
without directly use them.
thanks to Laszlo Toth to help me figure out this windows command line
trick.
2013-04-24 09:46:36 +02:00
783cca6c17
allow only ARCH_X86 payloads
2013-04-24 09:29:47 +02:00
cae30bec23
Clean up all the whitespace found
2013-04-23 18:27:11 -05:00
750638e4d6
note on bad characters
2013-04-22 17:24:08 +02:00
a1e52b5b27
command execution needs cmd /c
2013-04-22 10:20:45 +02:00
d26289e05a
proper output handling in case of CMD payloads
2013-04-20 17:38:58 +02:00
d59ba37e6d
resize linemax
2013-04-20 17:37:50 +02:00
e36b58169b
implement CmbStagerVBS payload execution
2013-04-20 16:37:47 +02:00
8244c4dcac
multiple payload types, different paths to execute payloads
2013-04-20 14:20:30 +02:00
7b6a784a84
basic payload execution through OS command execution
2013-04-20 13:02:22 +02:00
223556a4e6
switch to exploit module environment
...
switch to Msf::Exploit, change the necessary declarations, start to
change the exploitation process
2013-04-20 12:30:44 +02:00
cff47771a2
initial commit
...
the original aux module will be the base of the exploit module
2013-04-20 11:32:05 +02:00
4e8d32a89a
cleanup for freefloatftp_user
2013-04-16 20:43:38 -05:00
eedeb37047
Landing #1731 , @dougsko's freefloat ftp server bof exploit
2013-04-16 20:42:01 -05:00
a36c6d2434
Lands #1730 , adds a VERBOSE option checker
...
Also removes VERBOSE options from extant modules. There were only 5 of
them, and one was a commented option.
2013-04-15 15:32:56 -05:00
29101bad41
Removing VERBOSE offenders
2013-04-15 15:29:56 -05:00
e2b8d5ed23
Fix from David Kennedy, enable Windows 8 support
2013-04-09 02:07:40 -05:00
1d6184cd63
fixed author details
2013-03-30 12:41:31 +01:00
0109d81c95
fix typo
2013-03-27 17:39:18 +01:00
c225d8244e
Added module for CVE-2013-1493
2013-03-26 22:30:18 +01:00
56c07211a0
Merge branch 'actfax_raw_bof' of github.com:jvazquez-r7/metasploit-framework into jvazquez-r7-actfax_raw_bof
2013-03-25 11:56:15 -05:00
47e3d7de59
Merge branch 'bugs/RM7108-adobe_flash_mp4_cprt-add_resource_issue' of github.com:neinwechter/metasploit-framework into neinwechter-bugs/RM7108-adobe_flash_mp4_cprt-add_resource_issue
2013-03-25 11:46:37 -05:00
d54687cb37
fix typo
2013-03-25 00:58:47 +01:00
26b43d9ed2
Added module for ZDI-13-050
2013-03-25 00:54:30 +01:00
89c0e8c27e
Fix add_resource call in adobe_flas_mp5_cprt
2013-03-22 19:27:02 -04:00
6eaf995642
cleaning exploiting string
2013-03-22 21:48:02 +01:00
fd63283524
make msftidy happy
2013-03-22 21:46:12 +01:00
051e31c19f
Merge branch 'kingview_kingmess_kvl' of github.com:jvazquez-r7/metasploit-framework into jvazquez-r7-kingview_kingmess_kvl
2013-03-22 13:00:38 -05:00
26dec4eb8f
last cleanup for sami_ftpd_list
2013-03-19 21:32:05 +01:00
42efe5955b
Merge branch 'osvdb-90815' of https://github.com/dougsko/metasploit-framework into dougsko-osvdb-90815
2013-03-19 21:31:46 +01:00
b19c51aa81
cleanup for sami_ftpd_list
2013-03-19 19:04:14 +01:00
e2a9245b08
Changed target to Windows XP
2013-03-19 13:20:23 -03:00
0c0d15024a
No tabs for these
2013-03-19 08:39:47 -05:00
fb90a1b497
Uses IP address length in offset calculation
2013-03-18 16:18:04 -03:00
4aab1cc5df
delete debug code
2013-03-18 16:28:39 +01:00
dffec1cd41
added module for cve-2012-4914
2013-03-17 21:12:40 +01:00
3d92d6e977
removed the handler call
2013-03-15 16:48:53 -04:00
a96283029e
made payload size a little smaller
2013-03-15 16:08:43 -04:00
8b5c782b54
changed Platform from Windows to win
2013-03-15 15:13:52 -04:00
8f4b3d073a
Explicitly set EXITFUNC to thread
2013-03-15 14:52:39 -04:00
e9af05a178
made recommended changes
2013-03-15 11:35:12 -04:00
4bb64a0f41
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-03-14 16:10:10 -04:00
bbbf395659
got everything working and cleaned up
2013-03-14 16:02:41 -04:00
1f7b2a8e9f
minor edits
2013-03-13 17:48:37 -04:00
fa5c988110
got sami_ftpd_list.rb working
2013-03-13 17:27:02 -04:00
sinn3r
William Vu
Ruslaideemin
jvazquez-r7
Tod Beardsley
cbgabriel
steponequit
Steve Tornio
James Lee
Spencer McIntyre
darknight007
Rob Fuller
Andras Kabai
Tod Beardsley
HD Moore
m-1-k-3
sinn3r
Nathan Einwechter
dougsko