Commit Graph

25838 Commits (edf7c4147897e7833584c9ff5d12b12235339699)

Author SHA1 Message Date
Brent Cook 86850e7062
Land #11217, fix syntax and logic errors in badpdf module 2019-01-10 12:52:08 -06:00
sinn3r 74330f87dc
Land #11223 - ueb priv esc suggestion
ueb priv esc suggestion.
2019-01-10 10:35:28 -06:00
phra dc2d3c5774
feat: add juicy potato post module, fixes #11229 2019-01-10 17:20:43 +01:00
Jacob Robles 2f939481e7
Land #11206, add coldfusion ckeditor file upload 2019-01-10 07:27:38 -06:00
Jacob Robles b81f59e7b1
Fix targets and syntax changes 2019-01-10 06:39:45 -06:00
h00die 799a79b715 ueb priv esc suggestion 2019-01-09 20:28:53 -05:00
Luis Rosa 4bfb90ce06 new PCOM module to send admin commands 2019-01-09 20:27:15 +00:00
William Vu 913c80c352
Land #11106, Allen-Bradley legacy protocol DoS 2019-01-09 12:12:02 -06:00
William Vu 0f156140fe Clean up module 2019-01-09 12:11:50 -06:00
Jacob Robles 307cc8c107
fix comment 2019-01-09 11:12:51 -06:00
Clément Notin cf1b4b43cb
auxiliary/fileformat/badpdf: fix syntax and logic error in options handling 2019-01-09 14:30:24 +01:00
Jacob Robles 0c984fa232
Fix messages /successfuly/successfully 2019-01-09 06:32:22 -06:00
Jacob Robles 16b8cf7059
Land #11148, Adding Module MailCleaner RCE 2019-01-08 14:10:31 -06:00
Jacob Robles a0acfa79d7
Target payloads 2019-01-08 13:27:26 -06:00
Jacob Robles c2da3dbbd3
Land #11052, Add gather chrome cookies post module 2019-01-08 07:32:16 -06:00
Jacob Robles a95384e288
Additional support and code cleanup 2019-01-08 06:57:56 -06:00
William Vu f96514528b
Land #10648, auth bypass for couchdb_enum 2019-01-07 12:53:11 -06:00
William Vu 3a726554e9 Fix review comments 2019-01-07 12:51:52 -06:00
Qazeer a63c057c3a Integrate bcoles' comments (filename generation, conditional block improvement, etc.) 2019-01-06 22:50:46 +01:00
Qazeer c03466d2f2 Fixed date format issue and added Bugtraq ID 2019-01-06 14:34:40 +01:00
Qazeer 4644ad8966 Add CVE-2018-15961 Adobe ColdFusion CKEditor unrestricted file upload 2019-01-06 04:55:20 +01:00
Brent Cook e990bb31df
Land #11182, bump mettle, change debug and background options 2019-01-03 02:57:19 -06:00
Alex 811605a9b8 Cleanup headless Chrome process for meterpreter sessions 2018-12-30 18:05:41 +11:00
Brendan Coles 5957315167
Land #11141, Ensure Byte XORi Encoder uses cacheflush() 2018-12-29 10:20:07 +00:00
Brendan Coles 005b2664b8
Land #11140, Ensure MIPS Long XOR Encoder uses cacheflush() 2018-12-29 10:14:47 +00:00
bwatters 9e109c7e7c
Update cache size 2018-12-28 16:08:15 -06:00
Shelby Pace 29e7c49332
Land #10444, add Consul rexec RCE module 2018-12-28 09:14:28 -06:00
Shelby Pace fb8f06b2f5
Land #10443, add Consul service RCE module 2018-12-28 08:33:56 -06:00
Mehmet İnce 4e8ad22a7a Adding CVE number 2018-12-26 13:15:36 +03:00
Green-m 69e7956adf
Land #11174, Fix platform bug when upgrade shell.
The platform on windows powershell should be 'win', rather than
'windows', this bug leads to failure when upgrade powershell session
to meterpreter.
2018-12-26 11:31:39 +08:00
Mehmet İnce fa542b9691 Adding platform and arch to top level 2018-12-25 15:56:25 +03:00
L ee7120d63a fixed post/multi/manage/shell_to_meterpreter 2018-12-25 15:00:39 +08:00
Quentin Kaiser 18c844623a Remove extra spaces. 2018-12-24 13:48:07 +01:00
Quentin Kaiser e10792f4e6 Remove extra space. 2018-12-24 13:30:03 +01:00
Tim W 58aebb6dec fix #11133, sleep to avoid the second stage being read too early 2018-12-24 19:26:10 +08:00
Brendan Coles 98dc59728e Add blueman set_dhcp_handler D-Bus Privilege Escalation 2018-12-24 08:03:55 +00:00
Brent Cook b9742802aa
Land #11137, Clean up linux/local/vmware_alsa_config exploit module 2018-12-21 17:04:11 -06:00
Garvit Dewan 81f4ed6db3
Add references and remove reserved function calls 2018-12-22 00:30:37 +05:30
Garvit Dewan 5838ad87fb
Check if directory and file exist and report accordingly 2018-12-21 19:36:01 +05:30
Jacob Robles 4bc871c499
Add CmdStager to erlang_cookie_rce 2018-12-21 07:33:37 -06:00
Garvit Dewan ba9c7039f7
Add psreadline_history module 2018-12-21 18:18:21 +05:30
Brent Cook c959c98161 add original public research author 2018-12-21 02:54:35 -06:00
Brent Cook a7e8afe760 update references, remove unused metadata, use more straightforward string operations 2018-12-21 02:54:35 -06:00
Brent Cook 0dab74a71f tweak description 2018-12-21 02:54:35 -06:00
Brent Cook 46acd7a206 simplify 2018-12-21 02:54:35 -06:00
Brent Cook 2f35695327 update web link 2018-12-21 02:54:35 -06:00
Brent Cook ac51fbd122 style fixes 2018-12-21 02:54:35 -06:00
Brent Cook dc6ae6f058 initial import, CVE-2016-4117 OSX exploit 2018-12-21 02:54:35 -06:00
Brent Cook b83c6ad496
Land #11149, fix a PTY leak in Python Meterpreter 2018-12-20 17:30:42 -06:00
Quentin Kaiser bf2de42077 Now supports all version of Consul. 2018-12-20 18:56:07 +01:00
Quentin Kaiser 2919b970cd Implement execution checks with a timeout limit so we don't leave zombie checks running in background. 2018-12-20 18:41:35 +01:00
Quentin Kaiser ba5c40db77 No need for CVE field. 2018-12-20 18:18:53 +01:00
Mehmet İnce 9481ad04f2 Adding support for ARCH_CMD and updating docs 2018-12-20 12:12:01 +03:00
William Vu 5af05ad976
Land #11143, nc -j fix for cups_root_file_read 2018-12-19 22:37:00 -06:00
Jeffrey Martin bf4bb0a5b9
bump metasploit-payloads gem
Update metasploit-payloads gem to 1.3.57 to pick up
fix for Python Meterpreter PTY Leak from rapid7/metasploit-payloads#319
2018-12-19 18:19:24 -06:00
Mehmet İnce 68ceb08957 Fixing minor issues such as err codes 2018-12-19 22:17:34 +03:00
asoto-r7 d601837e03
Land #10401, java_jmx_server scanner for Java JMX MBean servers 2018-12-19 13:12:03 -06:00
asoto-r7 50b7d93a18
java_jmx_scanner: Incorporate @bcoles suggestions 2018-12-19 12:56:53 -06:00
Wei Chen f7eb3452be
Land #11083, set user agent in Windows reverse_http(s) stagers 2018-12-19 11:38:12 -06:00
Mehmet İnce e5c8c18ded Adding Mailcleaner exec 2018-12-19 17:35:40 +03:00
Jacob Robles 6921b79890
Land #11089, Erlang cookie rce exploit module 2018-12-19 08:02:40 -06:00
Jacob Robles 3838be0a03
Windows Hide Chrome Window 2018-12-19 05:58:11 -06:00
William Vu 1b8b3bbb95 Update nc -j check in cups_root_file_read 2018-12-18 17:38:33 -06:00
asoto-r7 51ce96a2b4
Merge branch 'jmx_scanner' of https://github.com/sgorbaty/metasploit-framework into sgorbaty-jmx_scanner 2018-12-18 16:05:03 -06:00
asoto-r7 60f3cfbb79
ysoserial: Cleaned up ysoserial payload in `hp_imc_java_deserialize` 2018-12-18 15:17:51 -06:00
Milton-Valencia bb758f9a61 I didn't forget msftidy I swear 2018-12-18 14:55:12 -06:00
Milton-Valencia 8a2a605a99 added targets 2018-12-18 14:50:57 -06:00
Jacob Robles 0464f941a7
Add Windows Support 2018-12-18 14:17:10 -06:00
Quentin Kaiser ef8601aa71 Bail early if we receive an unexpected response. 2018-12-18 19:42:26 +01:00
Quentin Kaiser 4ee7bdee6c Merge branch 'consul_service_exec' of github.com:QKaiser/metasploit-framework into consul_service_exec 2018-12-18 19:33:51 +01:00
Quentin Kaiser b3563b1bc2 Cleaner version of check function thanks to @bcoles. 2018-12-18 19:33:30 +01:00
Brendan Coles 5e134d7d8d
Update modules/exploits/multi/misc/consul_service_exec.rb
Co-Authored-By: QKaiser <QKaiser@users.noreply.github.com>
2018-12-18 19:27:19 +01:00
Brendan Coles 5192c081ee
Update modules/exploits/multi/misc/consul_service_exec.rb
Co-Authored-By: QKaiser <QKaiser@users.noreply.github.com>
2018-12-18 19:27:08 +01:00
Quentin Kaiser 6ad40deac3 print_status will never throw a JSON::ParseError exception. 2018-12-18 19:15:13 +01:00
jdiog0 b2b410cbbe DoS Exploitation of Allen-Bradley legacy protocol (PCCC) 2018-12-18 16:49:53 +00:00
Pedro Ribeiro 1e88ce9a3d
Edit the comments to -84 2018-12-18 16:33:44 +00:00
Pedro Ribeiro 05218654f4
adjust the offset to -84 2018-12-18 16:30:47 +00:00
Pedro Ribeiro af418ec7f7
Fix mipsle byte_xori too 2018-12-18 16:05:23 +00:00
Quentin Kaiser a52ffbcead Missing disclosure date. 2018-12-18 17:03:09 +01:00
Quentin Kaiser a3d020a7e2 Add support for authorization with X-Consul-Token ACL header. 2018-12-18 16:56:03 +01:00
Quentin Kaiser 1839144978 Cleaner to define this as a Hash, then call .to_json on it. 2018-12-18 16:53:49 +01:00
Pedro Ribeiro d40d6c4e3d
Update longxor.rb
Suffers from the same problem as the mipsbe version
2018-12-18 15:48:29 +00:00
Pedro Ribeiro 34c9555717
Fix byte_xori encoder
The byte_xori encoder for mipsbe does not work correctly. At the end of the decoding, it should invoke cacheflush() with the correct parameters:
int cacheflush(char *addr, int nbytes, int cache)

I think this is because the encoder is based of the longxori encoder, which itself is pretty old (2008), and before kernel 2.6.11, cacheflush() did not need any parameters (from the cacheflush man page):
BUGS
Linux kernels older than version 2.6.11 ignore the addr and nbytes arguments, making this function fairly expensive. Therefore, the whole cache is always flushed.

This commit fixes that by setting up the parameters correctly. As an unfortunate side effect this increases the shellcode by 16 bytes, but it is absolutely necessary for it to work properly.

Note that this bug is not present when testing the encoder output on an emulator like qemu; emulators do not need to flush the caches to work properly.
2018-12-18 15:37:47 +00:00
Quentin Kaiser 177ae2f927 fail_with is not allowed in check method. Use vprint_error and return a CheckCode instead. Cleaner response check in check function. Usage of CheckCode instead of Exploit::CheckCode. 2018-12-18 16:33:53 +01:00
Quentin Kaiser 0feadf636b Define in RPORT and SSL in register_options rather than DefaultOptions. Support for echo and printf command stager flavors + support for curl and wget command stager flavors (hence reactivation of SRVHOST, SRVPORT, URIPATH and SSLCert). 2018-12-18 16:29:36 +01:00
Quentin Kaiser 0acdcd98f2 Merge branch 'master' into consul_service_exec 2018-12-18 16:27:08 +01:00
Quentin Kaiser f487f978c2 Merge branch 'consul_exec' of github.com:QKaiser/metasploit-framework into consul_exec 2018-12-18 16:09:18 +01:00
Quentin Kaiser 08541cd7b9 Merge branch 'master' into consul_exec 2018-12-18 16:07:08 +01:00
Quentin Kaiser a1e1e4a4f4 Remove useless comment. 2018-12-18 16:05:50 +01:00
Quentin Kaiser b80e5715d4 Add support for authorization with X-Consul-Token ACL header. 2018-12-18 16:02:39 +01:00
Quentin Kaiser 551f8c5e92 Support for echo and printf command stager flavors + support for curl and wget command stager flavors (hence reactivation of SRVHOST, SRVPORT, URIPATH and SSLCert). 2018-12-18 15:48:58 +01:00
Quentin Kaiser f290221a66 Cleaner response check in check function. Usage of CheckCode instead of Exploit::CheckCode. 2018-12-18 15:36:52 +01:00
Quentin Kaiser aeec5cf23e Cleaner to define this as a Hash, then call .to_json on it. Better support of agent definition in check function. 2018-12-18 15:31:30 +01:00
Quentin Kaiser e51530688b fail_with is not allowed in check method. Use vprint_error and return a CheckCode instead. 2018-12-18 15:09:04 +01:00
Quentin Kaiser 4682cf5796 Define in register_options rather than DefaultOptions. 2018-12-18 15:04:28 +01:00
Pedro Ribeiro 86cbddf46d
fix spacing 2018-12-18 13:35:16 +00:00
Pedro Ribeiro fff850a07e
Make longxor encoder great again
The longxor encoder for mipsbe does not work correctly. At the end of the decoding, it should invoke cacheflush() with the correct parameters:
int cacheflush(char *addr, int nbytes, int cache)

The encoder previously did not setup the arguments, as it even said so in the comments:
;       addiu   $4, $16, -4       ; not checked by Linux
;       li      $5,40                   ; not checked by Linux
;       li      $6,3                    ; $6 is set above

I think this is because the encoder is pretty old (2008), and before kernel 2.6.11, cacheflush() did not need any parameters (from the cacheflush man page):
BUGS
       Linux  kernels older than version 2.6.11 ignore the addr and nbytes arguments, making this function fairly expensive.  Therefore, the
       whole cache is always flushed.

This commit fixes that by setting up the parameters correctly. As an unfortunate side effect this increases the shellcode by 16 bytes, but it is absolutely necessary for it to work properly. 

Note that this bug is not present when testing the encoder output on an emulator like qemu; emulators do not need to flush the caches to work properly.

As an added bonus I have also made it compatible with toupper() restrictions, which is common in web server exploits too. This did not add any extra bytes to the encoder.
2018-12-18 12:30:55 +00:00
Brent Cook fc2d217c0a
Land #11135, strip comments from source code before uploading it to the target 2018-12-17 21:23:29 -06:00
Brent Cook 333d44186b
Land #11138, add reverse_tcp mixin for vax payload 2018-12-17 21:17:40 -06:00
bwatters bf13693d37
Land #11101, temp fix for x64/xor stage encoder
Merge branch 'land-11101' into upstream-master
2018-12-17 14:14:55 -06:00
LouDnl 2a69fffa6b
fix for ReverseTcp error
Update vax shell_reverse_tcp.rb to fix ReverseTcp NameError
Error:
/opt/metasploit-framework/embedded/framework/modules/payloads/singles/bsd/vax/shell_reverse_tcp.rb:24:in `initialize': uninitialized constant Msf::Handler::ReverseTcp (NameError)

After adding this line the error dissapeared for me and I was able to run msfconsole again.
2018-12-17 19:28:07 +01:00
Shelby Pace 2fc501d260
Land #11112, Fix bpf_priv_esc exploit module 2018-12-17 10:00:50 -06:00
Jacob Robles 7839add2fd
Land #11123, Add module windows persistent service 2018-12-17 09:07:21 -06:00
Jacob Robles 88b7b7df4a
Fix additional path space issues 2018-12-17 07:00:23 -06:00
Brendan Coles d973a58052 Clean up linux/local/vmware_alsa_config 2018-12-17 08:01:34 +00:00
Green-m 0aa6e5a640
Handle path with spaces correctly. 2018-12-17 10:25:06 +08:00
Brendan Coles fcb512878c Add strip_comments method to Linux local exploits 2018-12-16 14:11:54 +00:00
Wei Chen 5bf28887d2
Land #11127, Fix TARGETURI support in struts2_namespace_ognl 2018-12-15 09:33:48 -06:00
Brendan Coles b8e134b95d Update version check 2018-12-15 05:39:50 +00:00
Francesco Soncina 6237740116
lint: remove spaces 2018-12-15 01:02:13 +01:00
epi cb3ea8dfed Remove binding.pry from bind payload.
In response to
https://github.com/rapid7/metasploit-framework/pull/11039#discussion_r241890477.
2018-12-14 16:32:19 -06:00
asoto-r7 cd2dbf0edf
ysoserial: Modified `hp_imc_java_deserialize` to use the library 2018-12-14 16:13:17 -06:00
Jacob Robles 8adfef5730
Remove Version, Fix Whitespace 2018-12-14 13:19:49 -06:00
Jacob Robles e67eaa94c9
Move code to ERB template 2018-12-14 13:13:32 -06:00
William Vu 38bdee19e8 Fix TARGETURI support in struts2_namespace_ognl 2018-12-14 13:08:50 -06:00
Auxilus 6c9fafb9d5
Delete unused variable
I suppose the variable 'f' was for Name in 06720ee18b/modules/exploits/linux/smtp/haraka.py (L70)

I'm not sure, should it be 'f' at 06720ee18b/modules/exploits/linux/smtp/haraka.py (L70) or just the way it is atm?
2018-12-14 22:27:11 +05:30
Jacob Robles 556d182231
Remove code that was replaced 2018-12-14 09:15:01 -06:00
Jacob Robles a057b72bd9
Use argument 2018-12-14 09:14:27 -06:00
Jacob Robles dfa84aa1af
Use exploit default exception handling 2018-12-14 09:12:32 -06:00
Jacob Robles 5fd7b82f7a
Remove unused parameter 2018-12-14 09:10:29 -06:00
Brent Cook 673cfe6889
Land #11119, Add WEBUI_PORT to hp_van_sdn_cmd_inject exploit 2018-12-13 16:15:53 -06:00
Jacob Robles 58aa16d06b
Work around snprintf 2018-12-13 14:29:54 -06:00
bwatters-r7 f00118851a Revert "Land #10886, Bypassuac computerdefault"
This reverts commit 14b2cdc120, reversing
changes made to a79b936e09.
2018-12-13 13:56:16 -06:00
Wei Chen cc7cb7302e
Land #10944, Add macOS Safari exploit from pwn2own2018 2018-12-13 13:50:19 -06:00
Jacob Robles 92feeea0ca
Minor syntax change 2018-12-13 13:46:40 -06:00
William Vu cb5648a1c7 Add WEBUI_PORT to hp_van_sdn_cmd_inject exploit 2018-12-13 12:22:36 -06:00
Milton-Valencia 3f1aa425b4 msftidy....lol 2018-12-13 11:03:41 -06:00
Milton-Valencia 2e26ceac8f added comments 2018-12-13 10:55:09 -06:00
bwatters-r7 89e4e8bdea Merge branch 'master' of github.com:rapid7/metasploit-framework into upstream-master 2018-12-13 09:30:10 -06:00
William Vu 8b79634338 Update a few stragglers
And since eaton_xpert_backdoor was copied from my fortinet_backdoor
module, update the error handling there, too.
2018-12-12 15:47:18 -06:00
William Vu e69f006992 Remove CommandShell mixin in exploits
This was cargo culting. Exploits use handler instead of start_session.
2018-12-12 15:43:13 -06:00
William Vu 6e77ae7e3e Update my SSH scanner modules
Especially with proper error handling for Net::SSH::CommandStream.
2018-12-12 15:36:54 -06:00
Stephen Haywood 7cffbac65b Update additional scanner modules. 2018-12-12 15:32:31 -06:00
Stephen Haywood fa2164ebb9 Update to match coding style. 2018-12-12 15:32:31 -06:00
Stephen Haywood eceb47a9da Move CREATE_SESSION option to advanced option CreateSession 2018-12-12 15:32:31 -06:00
Stephen Haywood 8a7187ad79 Add CREATE_SESSION option to CommanShell
Register the CREATE_SESSION option in command_shell_options so it
can be used with all modules that use start_session.
Modify ssh_login.rb, ssh_login_pubkey.rb, and telnet_login.rb to
use the new CREATE_SESSION option.
When CREATE_SESSION is set to true (default) a new session is
created with each successful login. When set to false a new session
is not created but the successful login is still registered in the
credentials database.
2018-12-12 15:32:31 -06:00
Stephen Haywood 904f342848 Option to not create shell on login. 2018-12-12 15:32:30 -06:00
Wei Chen 8ffd9e47b0 Up to date PR10429 2018-12-12 13:30:58 -06:00
Wei Chen 96c281daef Add send_not_found and module documentation for webdav_delivery 2018-12-12 13:26:46 -06:00
Brendan Coles 68d451711b Fix bpf_priv_esc module 2018-12-12 17:23:12 +00:00
Jacob Robles ea724dec46
Merge in upstream/master 2018-12-12 11:00:31 -06:00
William Vu aa0c206b4b
Land #11107, double negative logic cleanup 2018-12-11 20:29:53 -06:00
Shelby Pace ae089ce573
Land #10960, add wp duplicator code inject module 2018-12-11 12:02:07 -06:00
Shelby Pace b82e3469a2
renamed module and doc 2018-12-11 11:59:19 -06:00
Julien Legras 7e953e34b9 Added the clean_up function 2018-12-11 18:13:46 +01:00
bwatters b109321b44
Kill `unless not` 2018-12-11 10:16:16 -06:00
bwatters ac88c604fd Remove copy/pasta'd funtion that was never called 2018-12-11 10:02:36 -06:00
Jacob Robles 1ab69c221c
Land #11040, Add CyberLink LabelPrint Local BOF 2018-12-11 08:19:51 -06:00
Jacob Robles 165f082160
Fix syntax, minor edits 2018-12-11 07:55:20 -06:00
Francesco Soncina ff2d048530
fixes: update x86/xor_dynamic for #11100 2018-12-10 22:45:45 +01:00
Francesco Soncina a94e52ca31
fixes: updates x64/xor_dynamic for #11100 2018-12-10 22:42:31 +01:00
William Vu 3f18ffa224
Land #10318, Oracle function-based index privesc 2018-12-10 11:32:39 -06:00
William Vu d0f1f72426 Clean up module 2018-12-10 11:21:16 -06:00
Brent Cook bc6356a2cd
Land #11090, update code and style for exploit/linux/local/glibc_origin_expansion_priv_esc 2018-12-10 09:59:03 -06:00
Milton-Valencia 565f2e3e38 wait wrong 2018-12-09 19:23:54 -06:00
Milton-Valencia ee2ed46143 added date based on man page 2018-12-09 19:17:22 -06:00
Milton-Valencia f6bfbddb8d twks 2018-12-09 15:59:58 -06:00
Milton-Valencia 2beddf1012 req changes 2018-12-09 15:01:09 -06:00
Brendan Coles 237d3c86c4 Code cleanup and update style 2018-12-09 07:26:51 +00:00
Milton-Valencia 39229125b7 tweak 2018-12-09 00:22:49 -06:00
Milton-Valencia 02f3d4688f changes 2018-12-09 00:10:54 -06:00
Milton-Valencia 69ed80f685 varys -> varies 2018-12-08 22:51:52 -06:00
Milton-Valencia fcad3f0c8f erlang cookie rce exploit module 2018-12-08 22:36:56 -06:00
Brendan Coles a9c0a5d53d Use ::File::binread for exploit_data file read 2018-12-09 04:09:56 +00:00
Alex c5015c62b8 Simplify Chrome Gather Cookies
Module now uses Chrome itself as a websocket client, reading websockets
via js. It no longer downloads and executes `websocat`.
2018-12-09 09:52:45 +11:00
Brent Cook d3fc707c98
Land #11080, update mettle payloads 2018-12-08 09:51:37 -06:00
Brent Cook 3768f79568
Land #11085, add lkrg_installed? checks to various modules 2018-12-08 09:19:33 -06:00
Brent Cook 733c2f637d
Land #11081, Add Msf::Post::Linux::Kernel.lkrg_installed? method 2018-12-08 09:14:57 -06:00
Brendan Coles d8ab6a552b Add lkrg_installed? checks 2018-12-08 13:37:12 +00:00
Brent Cook 2e5e392085
Land #11079, add kernel configuration checks to local exploits 2018-12-08 06:58:48 -06:00
Brent Cook 0ce05f0c07 update payload sizes 2018-12-08 06:24:02 -06:00
Brent Cook df76521100
Land #11066, add rpc output locking, fix logging 2018-12-07 13:49:10 -06:00
Brent Cook 7f4d97ef46 don't embed status characters in messages, use correct logging instead 2018-12-07 13:29:56 -06:00
Brendan Coles 80d83720df Add Msf::Post::Linux::Kernel.lkrg_installed? method 2018-12-07 14:42:16 +00:00
Brendan Coles 275c043cfd Add kernel_config checks 2018-12-07 03:28:17 +00:00
Brent Cook 0345c8f66c update mettle payloads
This is a large update to mettle payloads including:

 * Adds globbing support to the `ls` command (https://github.com/rapid7/mettle/pull/139)
 * Fixes crashes on iOS platforms when cryptTLV is enabled (https://github.com/rapid7/mettle/pull/142)
 * Fixes display of the OS version on macOS and iOS (https://github.com/rapid7/mettle/pull/143)
 * Fixes the local port handling for pivoted client network connections (https://github.com/rapid7/mettle/pull/144)
 * Fixes an unaligned memory access in TLV packet handling, needed for some CPUs (https://github.com/rapid7/mettle/pull/145)
 * Fixes some compatibility issues building on Solaris (https://github.com/rapid7/mettle/pull/147)
 * Updated libpcap, mbedtls, and libcurl to the latest versions (https://github.com/rapid7/mettle/pull/146)
2018-12-06 21:16:41 -06:00
Brent Cook 7d8458d8d4
Land #11076, Prevent storing empty config files as loot 2018-12-06 20:30:08 -06:00
epi c3a40d3752 Remove trailing whitespace at EOL. 2018-12-06 20:18:21 -06:00
Brent Cook 71f84fe6a7
Land #11060, Add checks to post/linux/gather/enum_protections 2018-12-06 20:17:50 -06:00
epi 392ad18dba Implement reverse_ipv6 shellcode via metasm in lib.
Per the linked request
    https://github.com/rapid7/metasploit-framework/pull/11039#issuecomment-443915955
Rewrote previous version of payload module to make use of metasm for
more reusable shellcode.
2018-12-06 20:10:07 -06:00
epi f728b46a80 WIP on add-linux-x64-ipv6-bind-shell: 87fa3af6b9 Implement shellcode via metasm in lib. 2018-12-06 16:23:20 -06:00
Tod Beardsley 140833215f
Add CVE as issued by DWF
See discussion on #10987.

Now that I said that out loud, I realize that the original PR for this
module is a really funny PR number.
2018-12-06 14:59:05 -06:00
Brendan Coles eecc5d60e0 Prevent storing empty config files as loot 2018-12-06 13:06:50 +00:00
Berk Dusunur f94559a36a
Update nuuo_nvrmini_upgrade_rce.rb 2018-12-06 07:09:44 +03:00
Berk Dusunur 9d7389b448
Update nuuo_nvrmini_upgrade_rce.rb 2018-12-06 07:04:24 +03:00
Berk Dusunur cbe3f0eec9
Update nuuo_nvrmini_upgrade_rce.rb 2018-12-06 06:36:29 +03:00
Berk Dusunur 4880dcbda8
Update nuuo_nvrmini_upgrade_rce.rb 2018-12-06 06:34:13 +03:00
Berk Dusunur ca558d4b14
Update nuuo_nvrmini_upgrade_rce.rb 2018-12-06 06:26:34 +03:00
Berk Dusunur c72065987b
Update nuuo_nvrmini_upgrade_rce.rb 2018-12-06 06:19:16 +03:00
Berk Dusunur 3ac5096e1a
Create nuuo_nvrmini_upgrade_rce.rb 2018-12-06 05:51:10 +03:00
Christopher Lee b0560c1ec8 Centralize logging sync, fix minor logging issues 2018-12-05 12:42:44 -06:00
epi 87fa3af6b9 Implement shellcode via metasm in lib.
Per the linked request
    https://github.com/rapid7/metasploit-framework/pull/11039#issuecomment-443915955
Rewrote previous payload module to make use of metasm for more reusable
shellcode.
2018-12-05 06:14:31 -06:00
Julien Legras 224e782772 Cleaned the create_wp_config_file function 2018-12-05 10:56:22 +01:00
Julien Legras 2774c17ca1 Replaced print_error and return with a fail_with 2018-12-05 10:11:09 +01:00
Thomas Gregory 1bc024eaa7 Update cyberlink_lpp_bof.rb
Update includes all suggestions and new targets (Win8.1 x64 and Win10 x64)
2018-12-05 14:53:10 +07:00
Julien Legras 2735c71bda Fixed typos, removed not working cleaning 2018-12-04 18:42:54 +01:00
Brent Cook 55a9a12670
Land #10964, add initial golang modules for enumerating owa/o365 2018-12-04 10:33:37 -06:00
Brendan Coles 40906e0b36 Add checks to post/linux/gather/enum_protections 2018-12-04 11:57:24 +00:00
Julien Legras b58342843b Refactored check 2018-12-04 12:03:49 +01:00
asoto-r7 c27c149a4d
Land #10947, HPE Intelligent Management Center Java Deserialization RCE 2018-12-03 17:07:31 -06:00
asoto-r7 0f82b207c4
hp_imc_java_deserialize: Repro steps for JSONSS ysoserial payload sections 2018-12-03 17:03:04 -06:00
asoto-r7 3f930ff141
hp_imc_java_deserialize: Default WfsDelay to 10 seconds to increase reliability 2018-12-03 16:36:37 -06:00
Brent Cook ffb57387b4
Land #11049, Add Emacs movemail local exploit 2018-12-03 12:43:56 -06:00
William Vu 4242de3468 Refactor check method 2018-12-03 12:22:40 -06:00
bwatters-r7 df9c3da47e
Land #10842, Add Windows Post Module to roll back Windows Defender signatures
Merge branch 'land-10842' into upstream-master
2018-12-03 10:57:38 -06:00
Christopher Lee b11bcd92a4 Broken into 3 modules, addressed review comments 2018-12-03 10:25:21 -06:00
Jeffrey Martin ab1bea1b22
Land #10798, Cisco device manager update 2018-12-03 01:39:19 -06:00
Brendan Coles 58dde9ff33
Apply suggestions from code review
Co-Authored-By: defaultnamehere <defaultnamehere@users.noreply.github.com>
2018-12-03 18:39:07 +11:00
Alex d0aca05c69 Add post/chrome/gather/cookies module 2018-12-03 16:07:50 +11:00
William Vu d1220bc170 Add Emacs movemail local exploit 2018-12-01 12:05:08 -06:00
epi 8cece2cf54 Add Linux x86_64 IPv6 Inline Bind Shell
Implements inline x86_64 Linux bourne bind shell over IPv6.
2018-12-01 07:39:38 -06:00
bwatters-r7 a801d741c9
Remove old module 2018-11-30 17:28:54 -06:00
bwatters-r7 70031b6721
Shut up msftidy and document updates 2018-11-30 16:41:40 -06:00
bwatters-r7 3c992b7af1
Updated documentation and added options in the module to update or roll back
definitions
2018-11-30 16:25:33 -06:00
bwatters-r7 a41b9a77d8 Change the module name, fix cleanup, add documentation 2018-11-30 15:20:34 -06:00
Christopher Lee 5b926bcbcf Addressed feedback 2018-11-30 13:18:02 -06:00
Christopher Lee 6225c04b99 Address review feedback, fix bugs 2018-11-30 11:36:39 -06:00
Moshe Kaplan bd41895fc4
Removed "randomizer" 2018-11-30 09:44:14 -05:00
Brendan Coles 1eeb1005db
Update modules/auxiliary/admin/oracle/oracle_index_privesc.rb
Use print_error for errors and print the error details,

Co-Authored-By: moshekaplan <me@moshekaplan.com>
2018-11-30 09:39:57 -05:00
Julien Legras 6874dddc55 Fix space at EOL and sed replace 2018-11-30 15:26:14 +01:00
Julien Legras a4ee221333 Fixed the timeout for web requests 2018-11-30 14:47:41 +01:00
Jacob Robles 8047bf2b09
Add authenticating... message 2018-11-30 07:24:35 -06:00
Jacob Robles b31afb4e3d
Spaces at EOL fixes 2018-11-29 17:29:05 -06:00
Jacob Robles fcbc0cddba
Land #11035, improve fingerprinting for Cisco ASA VPN scanner 2018-11-29 16:41:22 -06:00
Jacob Robles dec08a0b43
Land #10954, apache spark unauth rce module 2018-11-29 13:56:21 -06:00
Jacob Robles 88ca775fd3
Land #10952, WP GDPR Compliance plugin exploit 2018-11-29 13:31:31 -06:00
Julien Legras 160015d3a7 Check the HTTP response first 2018-11-29 18:54:07 +01:00
Julien Legras 984354194f Check the HTTP response first 2018-11-29 18:49:41 +01:00
bwatters-r7 1304f93f1f
Add more checks and a cleanup function 2018-11-29 10:39:46 -06:00
Jacob Robles 01af176679
Change delay implementation 2018-11-29 10:05:47 -06:00
Jacob Robles ed6c2896e3
Remove duplicate check 2018-11-29 10:04:51 -06:00
Jacob Robles 8508824cc2
Modify check logic 2018-11-29 10:04:05 -06:00
Julien Legras 2b61c4e118 Fixes for PR 2018-11-29 15:02:03 +01:00
Thomas Gregory a4c3b8edc7 Add CyberLink LabelPrint < 2.5 - Local Buffer Overflow (SEH Unicode)
Add CyberLink LabelPrint < 2.5 - Local Buffer Overflow (SEH Unicode)
2018-11-29 20:20:05 +07:00
Jacob Robles 3de07f1bff
Add Notes metadata and warning 2018-11-29 06:35:37 -06:00
Jacob Robles bfaa6cb416
Add module suggestion 2018-11-29 06:23:45 -06:00
epi 5058afb615 Fixed lport and scopeid offsets.
Offsets for scopeid and lport were incorrect in the previous commit.
Updated offsets to the correct values.  Confirmed by viewing the connect
syscall values with strace.
2018-11-29 05:42:54 -06:00
epi 947f5ffbf3 Add Linux x86_64 IPv6 Inline Reverse Shell
Implements inline x86_64 Linux reverse bourne shell over IPv6.
2018-11-28 21:58:12 -06:00
Green-m 4888ec0c29 Delete unused variable. 2018-11-29 10:48:25 +08:00
Jacob Robles 6845f44a2e
Logic... 2018-11-28 20:26:27 -06:00
Jacob Robles 2864c30965
Fix fail_with issue 2018-11-28 20:18:03 -06:00
Jacob Robles e142f5716e
Update documentation 2018-11-28 19:08:01 -06:00
Jacob Robles 1af7cf2b3b
Update print statements 2018-11-28 18:03:55 -06:00
Jacob Robles c4959da77f
Email validation and user registration 2018-11-28 17:56:55 -06:00
Jacob Robles 9c0c9b3ba9
Use warnings when changing config options 2018-11-28 17:44:02 -06:00
Jacob Robles 43cef24f6b
Fix version check 2018-11-28 17:43:33 -06:00
Brent Cook bff261616c improve fingerprinting for Cisco ASA VPN scanner 2018-11-28 14:30:17 -06:00
asoto-r7 504237c77a
Land #10877, ibm-mq-login username/password checker 2018-11-28 11:36:53 -06:00
asoto-r7 84f0a59fe6
ibm_mq_login: Added support for WebSphere 9 via the PASSWORD option 2018-11-28 11:08:37 -06:00
Green-m ca0a2684f5
Randomize payload main class. 2018-11-28 11:26:51 +08:00