The failed password auth was necessary after all. I misread the PoC. :'(
Apparently the password auth sets the username, while the backdoored
keyboard-interactive auth sets the password.
Still get "Unknown admin user ''" from a shell channel request,
@busterb's more complete implementation notwithstanding.
Hoping we fix this in a subsequent commit or related PR.
Please see #6612 and #9524.
If there is no :private_type, the create_credential method in
Metasploit::Credential::Creation will quietly skip the password,
which makes it look like a bug when the user is trying to view
the password from the creds command.
Fix#9513
Starting from MySQL 5.7 the password column was changed to authentication_string. I've added a check to determine the version. Tested on both MySQL 5.6 and 5.7.
If a command is not specified to CommandStream, request a "shell"
session rather than running exec. This allows targets that do not have a
true "shell" which supports exec to instead return a raw shell session.
Land #9317
The following modules are replaced by the following:
auxiliary/scanner/discovery/udp_probe
is replaced by:
auxiliary/scanner/discovery/udp_sweep
exploit/unix/webapp/wp_ninja_forms_unauthenticated_file_upload
is replaced by:
exploit/multi/http/wp_ninja_forms_unauthenticated_file_upload
exploit/windows/misc/regsvr32_applocker_bypass_server
is replaced by:
exploits/multi/script/web_delivery
This commit fixes an issue, where auxiliary/scanner/dcerpc/hidden terminates directly, once an endpoint can't be reached or access is denied. Instead the next endpoint in list should be checked, instead of terminating directly.
Net::SSH::KeyFactory permits loading keys using a passphrase.
The Framework SSH modules were implemented back when we had a fork
of net-ssh in our tree, and can now use functionality provided by
the upstream gem.
Update the ssh key login scanner to add a KEY_PASS datastore
OptString which is then passed to the KeyCollection class and used
in the updated :read_key method which now calls the KeyFactory to
read data and give us the appropriate String representation of the
key in the KeyCollection's cache.
A bit of cleanup performed as well, removing legacy code paths no
longer hit by the module. Shamelessly added self to authors, fair
amount of blood and sweat in the SSH subsystem over the years, hope
nobody objects.
Testing:
None yet
James Barnett
Jacob Robles
Brent Cook
William Vu
James Lee
Wei Chen
HD Moore
follower
Osanda Malith Jayathissa
Adam Cammack
Matthew Kienow
Pearce Barry
Steve Embling
Brendan Coles
jgor
Aaron Soto
bka-dev
RageLtMan
james
Jon Hart
Tod Beardsley