Commit Graph

7625 Commits (ee5c249c89e4ef594fbf4656414133837d45f90f)

Author SHA1 Message Date
jvazquez-r7 810bf598b1 Use fail_with 2014-12-12 12:03:12 -06:00
Jon Hart 1e6bbc5be8
Use blank? 2014-12-12 09:51:08 -08:00
jvazquez-r7 4f3ac430aa
Land #4341, @EgiX's module for tuleap PHP Unserialize CVE-2014-8791 2014-12-12 11:48:25 -06:00
jvazquez-r7 64f529dcb0 Modify default timeout for the exploiting request 2014-12-12 11:47:49 -06:00
Jon Hart 24f1b916e0 Minor ruby style cleanup 2014-12-12 09:47:35 -08:00
Jon Hart 1d1aa5838f Use Gem::Version to compare versions in check 2014-12-12 09:47:01 -08:00
jvazquez-r7 d01a07b1c7 Add requirement to description 2014-12-12 11:42:45 -06:00
jvazquez-r7 fd09b5c2f6 Fix title 2014-12-12 10:52:18 -06:00
jvazquez-r7 4871228816 Do minor cleanup 2014-12-12 10:52:06 -06:00
Christian Mehlmauer 0f27c63720
fix msftidy warnings 2014-12-12 13:16:21 +01:00
Jon Hart 65b316cd8c
Land #4372 2014-12-11 18:48:16 -08:00
Christian Mehlmauer 544f75e7be
fix invalid URI scheme, closes #4362 2014-12-11 23:34:10 +01:00
Christian Mehlmauer de88908493
code style 2014-12-11 23:30:20 +01:00
Jon Hart 24dbc28521
Land #4356 2014-12-11 09:03:18 -08:00
Tod Beardsley 0eea9a02a1
Land #3144, psexec refactoring 2014-12-10 17:30:39 -06:00
Meatballs c813c117db
Use DNS names 2014-12-10 22:25:44 +00:00
Marc Wickenden 245b76477e Fix issue with execution of perl due to gsub not matching across newlines 2014-12-10 21:38:04 +00:00
EgiX 700ccc71e7 Create tuleap_unserialize_exec.rb 2014-12-09 10:15:46 +01:00
jvazquez-r7 21742b6469 Test #3729 2014-12-06 21:20:52 -06:00
Brendan Coles 42744e5650 Add actualanalyzer_ant_cookie_exec exploit 2014-12-06 19:09:20 +00:00
William Vu 2f98a46241
Land #4314, @todb-r7's module cleanup 2014-12-05 14:05:09 -06:00
sinn3r 7ae786a53b Add a comment as an excuse to tag the issue
Fix #4246

... so it will automatically close the ticket.
2014-12-05 11:26:26 -06:00
sinn3r f25e3ebaaf Fix #4246 - More undef 'payload_exe' in other modules
Root cause: payload_exe is an accessor in the TFPT command stager
mixin, you need stager_instance in order to retreive that info.
2014-12-05 11:19:58 -06:00
Christian Mehlmauer 5ea062bb9c
fix bug 2014-12-05 11:30:45 +01:00
Christian Mehlmauer 55b8d6720d
add wordpress download-manager exploit 2014-12-05 11:17:54 +01:00
sinn3r e3f7398acd Fix #4246 - Access payload_exe information correctly
This fixes an undef method 'payload_exe' error. We broke this when
all modules started using Msf::Exploit::CmdStager as the only source
to get a command stager payload. The problem with that is "payload_exe"
is an accessor in CmdStagerTFTP, not in CmdStager, so when the module
wants to access that, we trigger the undef method error.

To be exact, this is the actual commit that broke it:
7ced5927d8

Fix #4246
2014-12-05 02:08:13 -06:00
Jon Hart 52851d59c0
Update GATEWAY to GATEWAY_PROBE_HOST, add GATEWAY_PROBE_PORT 2014-12-04 13:26:16 -08:00
Jon Hart 6bd56ac225
Update any modules that deregistered NETMASK 2014-12-04 13:22:06 -08:00
Tod Beardsley 79f2708a6e
Slight fixes to grammar/desc/whitespace
Note that the format_all_drives module had a pile of CRLFs that should
have been caught by msftidy. Not sure why it didn't.
2014-12-04 13:11:33 -06:00
sinn3r 2fcbcc0c26 Resolve merge conflict for ie_setmousecapture_uaf (#4213)
Conflicts:
	modules/exploits/windows/browser/ie_setmousecapture_uaf.rb
2014-12-03 14:12:15 -06:00
sinn3r a631ee65f6 Fix #4293 - Use OperatingSystems::Match::WINDOWS
Fix #4293. Modules should use OperatingSystems::Match::WINDOWS
instead of Msf::OperatingSystems::WINDOWS, because the second
won't match anything anymore.
2014-12-02 13:46:27 -06:00
sinn3r a88ee0911a Fix os detection
See #3373
2014-12-02 01:15:55 -06:00
sinn3r a42c7a81e7 Fix os detection
See #4283
2014-12-02 01:13:51 -06:00
William Vu 394d132d33
Land #2756, tincd post-auth BOF exploit 2014-12-01 12:13:37 -06:00
sinn3r 0f973fdf2b Fix #4284 - Typo "neline" causing the exploit to break
"neline" isn't supposed to be there at all.
2014-12-01 01:24:30 -06:00
jvazquez-r7 7a2c9c4c0d
Land #4263, @jvennix-r7's OSX Mavericks root privilege escalation
* Msf module for the Ian Beer exploit
2014-11-30 21:13:07 -06:00
jvazquez-r7 b357fd88a7 Add comment 2014-11-30 21:08:38 -06:00
jvazquez-r7 0ab99549bd Change ranking 2014-11-30 21:08:12 -06:00
jvazquez-r7 7772da5e3f Change paths, add makefile and compile 2014-11-30 21:06:11 -06:00
jvazquez-r7 d7d1b72bce Rename local_variables 2014-11-30 20:40:55 -06:00
jvazquez-r7 d77c02fe43 Delete unnecessary metadata 2014-11-30 20:37:34 -06:00
sinn3r f7f4a191c1
Land #4255 - CVE-2014-6332 Internet Explorer 2014-11-28 10:12:27 -06:00
sinn3r 2a7d4ed963 Touchup 2014-11-28 10:12:05 -06:00
Rasta Mouse 985838e999 Suggestions from OJ 2014-11-27 21:38:50 +00:00
Rasta Mouse 25ecf73d7d Add configurable directory, rather than relying on the session working
directory.
2014-11-27 17:12:37 +00:00
OJ 75e5553cd4 Change to in exploit 2014-11-26 16:53:30 +10:00
jvazquez-r7 9524efa383 Fix banner 2014-11-25 23:14:20 -06:00
jvazquez-r7 16ed90db88 Delete return keyword 2014-11-25 23:11:53 -06:00
jvazquez-r7 85926e1a07 Improve check 2014-11-25 23:11:32 -06:00
jvazquez-r7 5a2d2914a9 Fail on upload errors 2014-11-25 22:48:57 -06:00
jvazquez-r7 b24e641e97 Modify exploit logic 2014-11-25 22:11:43 -06:00
jvazquez-r7 4bbadc44d6 Use Msf::Exploit::FileDropper 2014-11-25 22:00:42 -06:00
jvazquez-r7 7fbd5b63b1 Delete the Rex::MIME::Message gsub 2014-11-25 21:54:50 -06:00
jvazquez-r7 eaa41e9a94 Added reference 2014-11-25 21:37:04 -06:00
jvazquez-r7 2c207597dc Use single quotes 2014-11-25 18:30:25 -06:00
jvazquez-r7 674ceeed40 Do minor cleanup 2014-11-25 18:26:41 -06:00
jvazquez-r7 6ceb47619a Change module filename 2014-11-25 18:09:15 -06:00
jvazquez-r7 1305d56901 Update from upstream master 2014-11-25 18:07:13 -06:00
Joe Vennix 3a5de9970f
Update description, rename xnu_ver -> osx_ver. 2014-11-25 12:38:29 -06:00
Joe Vennix 7a3fb12124
Add an OSX privilege escalation from Google's Project Zero. 2014-11-25 12:34:16 -06:00
spdfire 583494c0db use BrowserExploitServer 2014-11-24 18:49:27 +01:00
spdfire 08a67d78c5 module for CVE-2014-6332. 2014-11-24 08:25:18 +01:00
Mark Schloesser 9e9954e831 fix placeholder to show the firmware version I used 2014-11-19 21:23:39 +01:00
Mark Schloesser a718e6f83e add exploit for r7-2014-18 / CVE-2014-4880 2014-11-19 21:07:02 +01:00
Joe Vennix a9cb6e0d2f
Add jduck as an author on samsung_knox_smdm_url 2014-11-19 10:18:08 -06:00
Meatballs 1d0d5582c1 Remove datastore options 2014-11-19 15:05:36 +00:00
Meatballs 7004c501f8
Merge remote-tracking branch 'upstream/master' into psexec_refactor_round2
Conflicts:
	modules/exploits/windows/smb/psexec.rb
2014-11-19 14:40:50 +00:00
jvazquez-r7 542eb6e301 Handle exception in brute force exploits 2014-11-18 12:17:10 -08:00
Jon Hart 60e31cb342 Allow sunrpc_create to raise on its own 2014-11-18 12:17:10 -08:00
jvazquez-r7 7daedac399
Land #3972 @jhart-r7's post gather module for remmina Remmina
* Gather credentials managed with Remmina
2014-11-17 16:44:41 -06:00
Tod Beardsley 286827c6e5
Land #4186, Samsung KNOX exploit. Ty @jvennix-r7! 2014-11-17 13:29:39 -06:00
Tod Beardsley 39980c7e87
Fix up KNOX caps, descriptive description 2014-11-17 13:29:00 -06:00
Tod Beardsley 0f41bdc8b8
Add an OSVDB ref 2014-11-17 13:26:21 -06:00
jvazquez-r7 145e610c0f Avoid shadowing new method 2014-11-17 12:22:30 -06:00
William Vu 91ba25a898
Land #4208, psexec delay fix 2014-11-17 11:35:56 -06:00
Joe Vennix cd61975966
Change puts to vprint_debug. 2014-11-17 10:13:13 -06:00
floyd 9243cfdbb7 Minor fixes to ruby style things 2014-11-17 17:12:17 +01:00
Joe Vennix 2a24151fa8
Remove BAP target, payload is flaky. Add warning. 2014-11-17 02:02:37 -06:00
HD Moore 9fe4994492 Chris McNab has been working with MITRE to add these CVEs
These CVEs are not live yet, but have been confirmed by cve-assign
t
2014-11-16 18:42:53 -06:00
Joe Vennix 5de69ab6a6
minor syntax fixes. 2014-11-15 21:39:37 -06:00
Joe Vennix 3fb6ee4f7d
Remove dead constant. 2014-11-15 21:38:11 -06:00
Joe Vennix 7a62b71839
Some URL fixes from @jduck and exploit ideas from Andre Moulu.
The exploit works with the URLs fixed, installs the APK, but hangs at the Installing...
screen and never actually launches. We tried opening the APK in a setTimeout() intent
URI, but the previously launched intent seemed unresponsive. Andre had the bright
idea of re-opening the previously launched intent with invalid args, crashing it and
allow us to launch the payload.
2014-11-15 21:33:16 -06:00
Christian Mehlmauer 28135bcb09
Land #4159, MantisBT PHP code execution by @itseco 2014-11-15 07:49:54 +01:00
Rich Lundeen 27d5ed624f fix for IE9 exploit config 2014-11-14 17:21:59 -08:00
Rich Lundeen 17ab0cf96e ADD winxpIE8 exploit for MS13-080 2014-11-14 17:16:51 -08:00
sinn3r e194d5490d See #4162 - Don't delay before deleting a file via SMB
So I was looking at issue #4162, and on my box I was seeing this
problem of the exploit failing to delete the payload in C:\Windows,
and the error was "Rex::Proto::SMB::Exceptions::NoReply The SMB
server did not reply to our request". I ended up removing the sleep(),
and that got it to function properly again. The box was a Win 7 SP1.

I also tested other Winodws boxes such as Win XP SP3, Windows Server
2008 SP2 and not having the sleep() doesn't seem to break anything.
So I don't even know why someone had to add the sleep() in the first
place.
2014-11-14 15:45:37 -06:00
jvazquez-r7 ee9b1aa83a Manage Rex::ConnectionRefused exceptions 2014-11-14 10:53:03 -06:00
jvazquez-r7 428fe00183 Handle Rex::ConnectionTimeout 2014-11-13 22:34:28 -06:00
Jon Hart 57aef9a6f5
Land #4177, @hmoore-r7's fix for #4169 2014-11-13 18:29:57 -08:00
jvazquez-r7 4a0e9b28a4 Use peer 2014-11-13 19:26:01 -06:00
jvazquez-r7 4a06065774 Manage Exceptions to not wait the full wfs_delay 2014-11-13 19:17:09 -06:00
jvazquez-r7 73ce4cbeaa Use primer 2014-11-13 18:21:19 -06:00
jvazquez-r7 0bcb99c47d Fix metadata 2014-11-13 18:00:11 -06:00
jvazquez-r7 a5c8152f50 Use fail_with 2014-11-13 17:57:26 -06:00
jvazquez-r7 6ddf6c3863 Fail when the loader cannot find the java payload class 2014-11-13 17:55:49 -06:00
Christian Mehlmauer 3faa48d810 small bugfix 2014-11-13 22:51:41 +01:00
Christian Mehlmauer 7d6b6cba43 some changes 2014-11-13 22:46:53 +01:00
Tod Beardsley dd1920edd6
Minor typos and grammar fixes 2014-11-13 14:48:23 -06:00
Juan Escobar 17032b1eed Fix issue reported by FireFart 2014-11-13 04:48:45 -05:00
jvazquez-r7 31f3aa1f6d Refactor create packager methods 2014-11-13 01:16:15 -06:00
jvazquez-r7 38a96e3cfc Update target info 2014-11-13 00:56:42 -06:00
jvazquez-r7 e25b6145f9 Add module for MS14-064 bypassing UAC through python for windows 2014-11-13 00:56:10 -06:00
Joe Vennix ea6d8860a1
Not root, just arbitrary permissions. 2014-11-12 21:51:55 -06:00
Joe Vennix 1895311911
Change URL to single line. 2014-11-12 10:56:51 -06:00
Joe Vennix 8689b0adef
Add module for samsung knox root exploit. 2014-11-12 09:53:20 -06:00
jvazquez-r7 c35dc2e6b3 Add module for CVE-2014-6352 2014-11-12 01:10:49 -06:00
HD Moore 6b4eb9a8e2 Differentiate failed binds from connects, closes #4169
This change adds two new Rex exceptions and changes the local comm to raise the right one depending on the circumstances. The problem with the existing model is
that failed binds and failed connections both raised the same exception. This change is backwards compatible with modules that rescue Rex::AddressInUse in additi
on to Rex::ConnectionError. There were two corner cases that rescued Rex::AddressInUse specifically:

1. The 'r'-services mixin and modules caught the old exception when handling bind errors. These have been updated to use BindFailed
2. The meterpreter client had a catch for the old exception when the socket reports a bad destination (usually a network connection dropped). This has been updat
ed to use InvalidDestination as that was the intention prior to this change.

Since AddressInUse was part of ConnectionError, modules and mixins which caught both in the same rescue have been updated to just catch ConnectionError.
2014-11-11 14:59:41 -06:00
Juan Escobar ac17780f6d Fix by @FireFart to recover communication with the application after a meterpreter session 2014-11-11 05:49:18 -05:00
Juan Escobar 6bf1f613b6 Fix issues reported by FireFart 2014-11-11 00:41:58 -05:00
Juan Escobar d4bbf0fe39 Fix issues reported by wchen-r7 and mmetince 2014-11-10 15:27:10 -05:00
floyd 9d848c8c3b Adding tincd post-auth stack buffer overflow exploit module for several OS
Minor changes to comments

Updated URLs

Added Fedora ROP, cleaned up

Fixing URLs again, typos

Added support for Archlinux (new target)

Added support for OpenSuse (new target)

Tincd is now a separate file, uses the TCP mixin/REX sockets.

Started ARM exploiting

Style changes, improvements according to egyp7's comments

Style changes according to sane rubocop messages

RSA key length other than 256 supported. Different key lengths for client/server supported.

Drop location for binary can be customized

Refactoring: Replaced pop_inbuffer with slice

Refactoring: fail_with is called, renamed method to send_recv to match other protocol classes,
using rand_text_alpha instead of hardcoded \x90,

Fixed fail command usage

Version exploiting ARM with ASLR brute force

Cleaned up version with nicer program flow

More elegant solution for data too large for modulus

Minor changes in comments only (comment about firewalld)

Correct usage of the TCP mixin

Fixes module option so that the path to drop the binary on the server is not validated against the local filesystem

Added comments

Minor edits

Space removal at EOL according to msftidy
2014-11-10 12:03:17 +01:00
William Vu 0e772cc338
Land #4161, "stop" NilClass fix 2014-11-09 19:37:32 -06:00
sinn3r cd0dbc0e24 Missed another 2014-11-09 14:06:39 -06:00
Juan Escobar 9cce7643ab update description and fix typos 2014-11-09 09:10:01 -05:00
Juan Escobar 5d17637038 Add CVE-2014-7146 PHP Code Execution for MantisBT 2014-11-09 08:00:44 -05:00
Jon Hart 2b7d25950b
Land #4148, @wchen-r7 fixed #4133 2014-11-07 08:26:29 -08:00
sinn3r 0dbfecba36 Better method name
Should be srvhost, not lhost
2014-11-07 02:23:34 -06:00
Joshua Smith 7b25e3be75
Land #4139, Visual Mining NetCharts
landed after some touch up
2014-11-06 22:52:41 -06:00
Joshua Smith 7510fb40aa touch up visual_mining_netcharts_upload 2014-11-06 22:50:20 -06:00
sinn3r 579481e5f8 Explain why I did this
Also tagging Fix #4133
2014-11-06 14:25:11 -06:00
sinn3r f210ade253 Use SRVHOST for msvidctl_mpeg2 2014-11-06 14:23:21 -06:00
sinn3r f7e308cae8
Land #4110 - Citrix Netscaler BoF 2014-11-06 00:04:17 -06:00
jvazquez-r7 54c1e13a98
Land #4140, @wchen-r7's default template for adobe_pdf_embedded_exe
* Fixes #4134
* Adds a default PDF template
2014-11-05 20:21:14 -06:00
jvazquez-r7 adefb2326e
Land #4124, @wchen-r7 fixes #4115 adding HTTP auth support to iis_webdav_upload_asp 2014-11-05 18:14:33 -06:00
sinn3r 1b2554bc0d Add a default template for CVE-2010-1240 PDF exploit 2014-11-05 17:08:38 -06:00
jvazquez-r7 79cabc6d68 Fix clean up 2014-11-05 15:46:33 -06:00
jvazquez-r7 c08993a9c0 Add module for ZDI-14-372 2014-11-05 15:31:20 -06:00
jvazquez-r7 400ef51897
Land #4076, exploit for x7chat PHP application 2014-11-03 18:22:04 -06:00
jvazquez-r7 3bf7473ac2 Add github pull request as reference 2014-11-03 18:18:42 -06:00
jvazquez-r7 44a2f366cf Switch ranking 2014-11-03 18:06:09 -06:00
jvazquez-r7 039d3cf9ae Do minor cleanup 2014-11-03 18:04:30 -06:00
Juan Escobar 7e4248b601 Added compatibility with older versions, Updated descriptions and fixed issue with Ubuntu 12.04 2014-11-03 16:42:50 -05:00
sinn3r 9a27984ac1 switch from error to switch 2014-11-03 13:56:41 -06:00
sinn3r a823ca6b2f Add support for HTTP authentication. And more informative. 2014-11-03 13:46:53 -06:00
Tod Beardsley 51b96cb85b
Cosmetic title/desc updates 2014-11-03 13:37:45 -06:00
jvazquez-r7 40bf44bd05 Don't allow 127.0.0.1 as SRVHOST 2014-10-31 08:19:15 -05:00
jvazquez-r7 7d2fa9ee94 Delete unnecessary to_s 2014-10-30 22:59:22 -05:00
sinn3r 64f4777407
Land #4091 - Xerox DLM injection 2014-10-30 22:15:16 -05:00
sinn3r b7a1722b46 Pass msftidy, more descriptive name and description 2014-10-30 22:14:18 -05:00
jvazquez-r7 8fdea5f74c Change module filename 2014-10-30 20:34:24 -05:00
jvazquez-r7 9404e24b24 Update module information 2014-10-30 20:33:38 -05:00
Jon Hart 1a37a6638c Fix splunk_upload_app_exec to work on new installs. Style 2014-10-30 18:28:56 -07:00
Jon Hart 55f245f20f
Merge #3507 into local, recently updated branch of master for landing 2014-10-30 17:28:20 -07:00
jvazquez-r7 6574db5dbb Fix the 64 bits code 2014-10-30 17:01:59 -05:00
jvazquez-r7 ac939325ce Add module first version 2014-10-29 21:11:57 -05:00
Deral Heiland 64a59e805c Fix a simple typo 2014-10-29 12:40:24 -04:00
Deral Heiland 1bf1be0e46 Updated to module based feedback from wchen-r7 2014-10-29 11:42:07 -04:00
Juan Escobar 2e53027bb6 Fix value of X7C2P cookie and typo 2014-10-29 08:32:36 -05:00
Juan Escobar 9f21ac8ba2 Fix issues reported by wchen-r7 2014-10-28 21:31:33 -05:00
Meatballs 4f61710c9a
Merge remote-tracking branch 'upstream/master' into psexec_refactor_round2 2014-10-28 20:26:44 +00:00