045b848a30
added exploit module for optimizepress
2013-11-30 21:51:56 +01:00
3417c4442a
Make check really better
2013-11-30 09:47:34 -06:00
749e6bd65b
Do better check method
2013-11-30 09:46:22 -06:00
0a7c0eea78
Fix references
2013-11-29 23:13:07 -06:00
691d47f3a3
Add module for ZDI-13-255
2013-11-29 23:11:44 -06:00
8817c0eee0
Change description a bit
...
Try to make this sound smoother
2013-11-28 12:19:42 -06:00
807e2dfd31
Fix title
2013-11-28 10:53:12 -06:00
7dee4ffd4d
Add module for ZDI-13-270
2013-11-28 10:47:04 -06:00
d1e4975f76
Use res.get_cookies instead of homebrew parse. Use _cgi
2013-11-28 16:35:36 +13:00
a02e0ee3e4
Land #2682 - Kimai v0.9.2 'db_restore.php' SQL Injection
2013-11-27 19:10:44 -06:00
0b879d8f39
Comments for WfsDelay, adjustment to injection
...
I had inteded to add the `WfsDelay` as Meatballs suggested, but for locl
exploits this doesn't appear to work as expected. After speaking to HDM
we've decided to leave the sleep in there and figure out the `WsfDelay`
thing later.
This also includes a slight refactor which puts the payload and the
exploit in the same chunk of allocated memory. Minor optimisation, but
worth it.
2013-11-28 08:42:16 +10:00
defc0ebe5c
ppr_flatten_rec update, RDI submodule, and refactor
...
This commit contains a few changes for the ppr_flatten_rec local windows
exploit. First, the exploit binary itself:
* Updated to use the RDI submodule.
* Updated to build with VS2013.
* Updated to generate a binary called `ppr_flatten_rc.x86.dll`.
* Invocation of the exploit requires address of the payload to run.
Second, the module in MSF behaved a little strange. I expected it to create
a new session with system privs and leave the existing session alone. This
wasn't the case. It used to create an instance of notepad, migrate the
_existing_ session to it, and run the exploit from there. This behaviour
didn't seem to be consistent with other local exploits. The changes
include:
* Existing session is now left alone, only used as a proxy.
* New notepad instance has exploit reflectively loaded.
* New notepad instance has payload directly injected.
* Exploit invocation takes the payload address as a parameter.
* A wait is added as the exploit is slow to run (nature of the exploit).
* Payloads are executed on successful exploit.
2013-11-27 20:44:18 +10:00
bb0753fcdd
Updated module to comply with indentation standard and to use suggestions from reviewers
2013-11-27 16:00:00 +13:00
5d10b44430
Add support for Silverlight
...
Add support for Silverlight exploitation. [SeeRM #8705 ]
2013-11-26 14:47:27 -06:00
a914fbc400
Land #2693 - case sensitive
2013-11-26 11:16:57 -06:00
671c0d9473
Fix nokogiri typo
...
[SeeRM #8730 ]
2013-11-26 10:54:31 -06:00
253719d70c
Fix title
2013-11-26 08:11:29 -06:00
6cb63cdad6
Land #2679 , @wchen-r7's exploit for cve-2013-3906
2013-11-25 22:04:26 -06:00
0079413e81
Full revert the change
2013-11-25 22:04:02 -06:00
fa97c9fa7c
Revert this change
2013-11-25 20:54:39 -06:00
3247106626
Heap spray adjustment by @jvazquez-r7
2013-11-25 20:50:53 -06:00
4c249bb6e9
Fix heap spray
2013-11-25 20:06:42 -06:00
385381cde2
Change target address
...
This one tends to work better with our boxes
2013-11-25 17:21:39 -06:00
57f4f68559
Land #2652 - Apache Roller OGNL Injection
2013-11-25 15:14:35 -06:00
8005826160
Land #2644 - MS13-090 CardSpaceClaimCollection vuln
2013-11-25 13:06:09 -06:00
4773270ff0
Land #2677 - MS12-022 COALineDashStyleArray vuln
2013-11-25 12:58:45 -06:00
a03cfce74c
Add table prefix and doc root as fallback options
2013-11-25 17:44:26 +10:30
fc14a6c149
Land #2576 - NETGEAR ReadyNAS Perl Code Evaluation Vulnerability
2013-11-24 00:47:14 -06:00
d8700314e7
Add Kimai v0.9.2 'db_restore.php' SQL Injection module
2013-11-24 02:32:16 +10:30
9987ec0883
Hmm, change ranking
2013-11-23 00:51:58 -06:00
6ccc3e3c48
Make payload execution more stable
2013-11-23 00:47:45 -06:00
d748fd4003
Final commit
2013-11-22 23:35:26 -06:00
f871452b97
Slightly change the description
...
Because it isn't that slow
2013-11-22 19:27:00 -06:00
eddedd4746
Working version
2013-11-22 19:14:56 -06:00
7e4487b93b
Update description
2013-11-22 17:37:23 -06:00
c8fd761c53
Progress
2013-11-22 16:57:29 -06:00
a7ad107e88
Add ruby code for ms13-022
2013-11-22 16:41:56 -06:00
953a96fc2e
This one looks promising
2013-11-22 12:27:10 -06:00
8476ca872e
More progress
2013-11-22 11:53:57 -06:00
f1d181afc7
Progress
2013-11-22 04:51:55 -06:00
6d5c1c230c
Progress
2013-11-22 03:55:40 -06:00
4d2253fe35
Diet
2013-11-22 02:25:09 -06:00
8382d31f46
More progress
2013-11-21 18:48:12 -06:00
885fedcc3b
Fix target name
2013-11-21 17:42:31 -06:00
22c7703e8b
Land #2658 - Make OGNL expressions compatible with struts 2.0.11.2
2013-11-21 15:30:42 -06:00
56d1c545e7
Oh look, more code
2013-11-21 14:42:07 -06:00
851cf6f0d1
Land #2650 , @pnegry's exploit for DesktopCentral 8
2013-11-21 09:30:17 -06:00
77aa665385
Add Privileged flag
2013-11-21 09:28:28 -06:00
2ab3ab8b66
Delete empty Payload metadata section
2013-11-21 09:27:25 -06:00
6bd3c4c887
Fix target name
2013-11-21 09:07:25 -06:00
4c2ad4ca9a
Fix metadata
2013-11-21 09:06:47 -06:00
8e4c5dbb5e
improve upload_file response check
2013-11-21 09:02:11 -06:00
8fdfeb73db
Fix use of FileDropper and improve check method
2013-11-21 09:01:41 -06:00
4abf01c64c
Clean indentation
2013-11-21 08:32:54 -06:00
ddd5b0abb9
More progress
2013-11-21 04:27:41 -06:00
e13e457d8f
Progress
2013-11-20 17:11:13 -06:00
9f45121b23
Remove EOL spaces
2013-11-20 15:08:13 -06:00
cec4166766
Fix description
2013-11-20 12:49:22 -06:00
18e69bee8c
Make OGNL expressions compatible with struts 2.0.11.2
2013-11-20 12:42:10 -06:00
94e13a0b8a
Initial commit of CVE-2013-3906
2013-11-19 23:10:32 -06:00
4cc20f163b
Update References field to be compliant.
2013-11-20 13:01:21 +13:00
c76fa32345
Fixed reference format
2013-11-20 12:53:21 +13:00
26a5e37266
Use MSF::Exploit:FileDropper to register the uploaded file for cleanup.
2013-11-20 12:27:22 +13:00
07c76fd3e6
Module cleaned for msftidy compliance.
2013-11-20 11:33:14 +13:00
a9de5e2846
Land #2634 - Opt browser autopwn load list
2013-11-19 15:10:29 -06:00
14c6ab4ca5
Add module for CVE-2013-4212
2013-11-19 10:25:52 -06:00
b5fc0493a5
Land #2642 - Fix titles
2013-11-18 12:14:36 -06:00
9e46975a95
Land #2643 , @ChrisJohnRiley SkipVersionCheck for exim4_dovecot_bannercheck
2013-11-18 11:28:07 -06:00
540b85df3f
Set SkipVersionCheck as not required
2013-11-18 11:27:32 -06:00
bddb314073
Fix usage of Retries
2013-11-18 09:09:20 -06:00
237bb22771
Disable auto migrate
2013-11-18 08:54:22 -06:00
960f7c9bbb
Add DesktopCentral arbitrary file upload exploit.
2013-11-18 16:11:28 +13:00
60a245b0c3
Fix the arch declaration in uploaded module.
2013-11-18 14:49:03 +13:00
636fdfe2d2
Added Kaseya uploadImage exploit.
2013-11-18 14:23:34 +13:00
89d0b3c41c
Return the splat and require on a module.
2013-11-15 12:19:53 -06:00
36db6a4d59
Land #2616 , SuperMicro close_window BOF
2013-11-15 11:34:53 -06:00
cbb7eb192c
Add module for CVE-2013-3918
2013-11-15 10:38:52 -06:00
5bd5eacd77
Added option to ignore banner checks
2013-11-15 15:01:11 +01:00
2c485c509e
Fix caps on module titles (first pass)
2013-11-15 00:03:42 -06:00
4cf16cf360
Land #2633 , @OJ's port of Kitrap0d as local exploit
2013-11-14 09:27:10 -06:00
fe2cd93a65
Delete ms13_037_svg_dashstyle from the browser_autopwn list
2013-11-13 23:46:50 -06:00
506a4d9e67
Remove genericity, x64 and renamed stuff
...
As per discussion on the github issue, the following changes were made:
* Project renamed from elevate to kitrap0d, implying that this is not
intended to be a generic local priv esc exploit container.
* Container DLL no longer generic, always calls the kitrap0d exploit.
* Removal of all x64 code and project configurations.
* Invocation of the exploit changed so that the address of the payload
is passed in to the exploit entry point. The exploit is now responsible
for executing the payload if the exploit is successful. This removes
the possibility of the payload getting executed when the exploit fails.
* Source moved to the appropriate CVE folder.
* Binary moved to the appropriate CVE folder.
* Little bit of source rejigging to tidy things up.
2013-11-14 12:22:53 +10:00
8771b163f0
Solve conflicts with aladdin_choosefilepath_bof
2013-11-12 23:11:42 -06:00
e4fc361b37
Various tidies and fixes
...
* Change ranking.
* Update references to comply with correct approach.
* Update messages to better describe what should happen.
* Update the Windows version regex to match XP.
* Update `check` function to use `unless`.
Thanks again @jvazquez-r7 for the feedback!
2013-11-13 10:38:48 +10:00
ef6d9db48f
Land #2613 , @wchen-r7's BrowserExploitServer mixin
2013-11-12 17:33:12 -06:00
004c1bac78
Reduce number of modules available on BrowserAutopwn
2013-11-12 12:37:29 -06:00
40f58ce534
Finalise the local exploit for kitrap0d
...
The exploit now properly injects the DLL using RDI and invokes the
exploit based on a parameter passed by the Ruby module. The elevate
code is 'generic' with a goal of possibly supporting more exploits
down the track.
New sessions are now created with the SYSTEM creds, rather than
modifying the existing session. This is now inline with how things
are done with other local modules.
2013-11-12 23:01:24 +10:00
65993704c3
Actually commit the mode change.
2013-11-11 22:16:29 -06:00
2035983d3c
Fix a handful of msftidy warnings, and XXX SSL
...
Marked the SSL stuff as something that needs to be resolved in order to
fix a future bug in datastore manipulation. Also, fixed some whitespace
and exec complaints
[SeeRM #8498 ]
2013-11-11 21:23:35 -06:00
b01d8c50e0
Restore module crash documentation
2013-11-11 17:09:41 -06:00
30de61168d
Support heap spray obfuscation
2013-11-11 17:05:54 -06:00
922f0eb900
Switch aladdin_choosefilepath_bof2 to use BrowserExploitServer
2013-11-11 17:01:09 -06:00
b887ed68b5
Land #2608 - Allow guest login option for psexec.
2013-11-11 10:09:41 -06:00
82739c0315
Add extra URL for exploit detail
2013-11-11 22:07:36 +10:00
6a25ba18be
Move kitrap0d exploit from getsystem to local exploit
...
This version modifies the existing meterpreter session and bumps the privs
up to SYSTEM. However it's not how local exploits are supposed to work.
More work will be done to make this create a new session with the elevated
privs instead.
2013-11-11 17:14:40 +10:00
40f8e80775
Fix jlee-r7's feedback
2013-11-08 14:28:19 -06:00
d419c73488
Land #2517 , @3v0lver's exploit for cve-2008-2286
2013-11-08 08:41:04 -06:00
fddb69edb3
Use instance variables for 1-time injections
2013-11-08 08:30:35 -06:00
69b261a9f2
Clean post exploitation code
2013-11-07 18:11:54 -06:00
9f51268d21
Make xp_shell_enable instance variable
2013-11-07 17:53:28 -06:00
aa1000df72
Clean check method
2013-11-07 17:44:22 -06:00
c2662d28e0
Move module to the misc folder
2013-11-07 17:34:22 -06:00
b068e4beb5
Fix indentation and refactor send_update_computer
2013-11-07 17:33:35 -06:00
b7e360922d
Update ranking
2013-11-07 15:10:26 -06:00
decf6ff6a0
Add module for CVE-2013-3623
2013-11-07 14:59:40 -06:00
bdba80c05c
Land #2569 , @averagesecurityguy and others exploit for CVE-2013-4468, CVE-2013-4467
2013-11-07 12:20:42 -06:00
7615264b17
Merge branch 'lanattacks_fix' of git://github.com/OJ/metasploit-framework into OJ-lanattacks_fix
2013-11-07 10:35:00 -06:00
944528e633
Updated for temporal pathing with TEMP variable
2013-11-07 01:34:55 -05:00
2d4090d9c3
Make option astGUIclient credentials
2013-11-06 20:33:47 -06:00
24d22c96a5
Improve exploitation
2013-11-06 20:15:40 -06:00
2b2ec1a576
Change module location
2013-11-06 15:53:45 -06:00
b9cb8e7930
Add new options
2013-11-06 15:53:12 -06:00
61e4700832
Allow guest login option.
...
This enables obtaining or maintaining access to properly misconfigured
systems through the Guest account.
2013-11-06 11:28:13 -06:00
7dcb071f11
Remote shebang and fix pxexeploit
2013-11-06 07:10:25 +10:00
9e30c58495
Blow away remnants of Local::Unix
2013-11-05 13:51:45 -06:00
36f96d343e
Revert "Revert "Land #2505" to resolve new rspec fails"
...
This reverts commit e7d3206dc9
2013-11-05 13:45:00 -06:00
84572c58a8
Minor fixup for release
...
* Adds some new refs.
* Fixes a typo in a module desc.
* Fixes a weird slash continuation for string building (See #2589 )
2013-11-04 12:10:38 -06:00
5c923757e8
Removed generic command execution capability
2013-10-30 21:35:24 -04:00
f5d1d8eace
chmod -x .rb files without #! in modules and lib
...
It wasn't just cmdstager_printf.rb. :/
2013-10-30 19:51:25 -05:00
c92e8ff98d
Delete extra space
2013-10-30 19:34:54 -05:00
e488a54a06
Resplat new WMI module
2013-10-30 15:14:16 -05:00
98224ee89f
CVE update for vtiger issue
2013-10-30 13:48:35 -05:00
344413b74d
Reorder refs for some reason.
2013-10-30 12:25:55 -05:00
32794f9d37
Move OpenBravo to aux module land
2013-10-30 12:20:04 -05:00
17d796296c
Un-dupe References for ispconfig
2013-10-30 12:03:35 -05:00
0d480f3a7d
Typo fix
2013-10-30 11:38:04 -05:00
97a4ca0752
Update references for FOSS modules
2013-10-30 11:36:16 -05:00
78381316a2
Add @brandonprry's seven new modules
...
Already reviewed privately, no associated PR.
2013-10-30 11:04:21 -05:00
5b76947767
Add a few more modules.
2013-10-30 10:25:48 -05:00
c8ceaa25c6
Land #2589 , @wvu-r7's exploit for OSVDB 98714
2013-10-29 14:56:30 -05:00
9f81aeb4ad
Fix style
2013-10-29 14:55:16 -05:00
5af42f2c28
Add short comment on why the padding is necessary
2013-10-29 11:46:10 -05:00
e368cb0a5e
Add Win7 SP1 to WinXP SP3 target
2013-10-29 10:45:14 -05:00
c4c171d63f
Clean processmaker_exec
2013-10-29 09:53:39 -05:00
3eed800b85
Add ProcessMaker Open Source Authenticated PHP Code Execution
2013-10-29 23:27:29 +10:30
ea7bba4035
Add Beetel Connection Manager NetConfig.ini BOF
2013-10-28 22:52:02 -05:00
9045eb06b0
Various title and description updates
2013-10-28 14:00:19 -05:00
278dff93e7
Add missing require for Msf::Exploit::Powershell
...
Thanks for the report, @mubix.
2013-10-25 21:41:24 -05:00
b69ee1fc67
[FixRM #8419 ] Add module platform to ms04_011_pct
2013-10-25 09:29:19 -05:00
dd094eee04
Use 443 by default with SSL
2013-10-24 16:30:26 -05:00
72f686d99a
Add module for CVE-2013-2751
2013-10-24 16:10:32 -05:00
2ef33aabe7
Clean open_flash_chart_upload_exec
2013-10-24 10:15:28 -05:00
110daa6e96
Check for nil response from request in check method.
2013-10-24 09:12:37 -04:00
8a5d4d45b4
Add Open Flash Chart v2 Arbitrary File Upload exploit
2013-10-24 22:46:41 +10:30
ecbbd7bb4b
Ran resplat.rb and retab.rb. Fixed msftidy issues.
2013-10-23 20:59:27 -04:00
655e09f007
Fixed description to look better in info output.
2013-10-23 16:36:39 -04:00
9f84ced00e
Fixed boilerplate text.
2013-10-23 16:13:25 -04:00
58a32ebb45
Initial commit.
2013-10-23 14:47:42 -04:00
bea04cceeb
Remove the trailing slash from the ZDI ref
2013-10-23 11:05:33 -05:00
7d84fa487e
Correct ZDI ref to match new scheme
2013-10-23 11:44:44 +02:00
acc73dd545
Land #2282 - BypassUAC now checks if the process is LowIntegrityLevel
2013-10-22 17:16:26 -05:00
af174639cd
Land #2468 - Hwnd Broadcast Performance
2013-10-22 17:03:02 -05:00
2e8c369c69
Land #2559 - remove content-length
2013-10-22 16:03:42 -05:00
dc0d9ae21d
Land #2560 , ZDI references
...
[FixRM #8513 ]
2013-10-22 15:58:21 -05:00
8611a2a24c
Merge remote-tracking branch 'upstream/master' into low_integ_bypassuac
2013-10-22 21:42:36 +01:00
ba1edc6fa8
Land #2402 - Windows Management Instrumentation Local -> Peers
2013-10-22 15:39:32 -05:00
85479f5994
removed PrependMigrate, introduced migrate -f
2013-10-22 16:11:19 -04:00
11b2719ccc
Change module plate
2013-10-22 12:36:58 -05:00
df42dfe863
Land #2536 , @ddouhine's exploit for ZDI-11-061
2013-10-22 12:35:40 -05:00
c34155b8be
Clean replication_manager_exec
2013-10-22 12:34:35 -05:00
71fab72e06
Delete duplicate content-length from axis2_deployer
2013-10-21 15:35:51 -05:00
2aed8a3aea
Update modules to use new ZDI reference
2013-10-21 15:13:46 -05:00
10a4ff41de
Delete Content-Length duplicate header
2013-10-21 15:11:37 -05:00
1599d1171d
Land #2558 - Release fixes
2013-10-21 13:48:11 -05:00
c1954c458c
Just warn, don't bail
...
Even if the OS detection returns non-Win7, maybe it's Win 8 or something
where it'll still work. We rarely bail out on checks like these.
If I'm crazy, feel free to skip or revert this commit (it shouldn't hold
up the release at all)
For details on this module, see #2503 . I don't see any comments about
this line in particular
2013-10-21 13:39:45 -05:00
bce8d9a90f
Update license comments with resplat.
2013-10-21 13:36:15 -05:00
c070108da6
Release-related updates
...
* Lua is not an acronym
* Adds an OSVDB ref
* credit @jvazquez-r7, not HD, for the Windows CMD thing
2013-10-21 13:33:00 -05:00
4c14595525
Land #2535 - Use %PATH% for notepad
2013-10-21 13:14:44 -05:00
032da9be10
Land #2426 - make use of Msf::Config.data_directory
2013-10-21 13:07:33 -05:00
e7d3206dc9
Revert "Land #2505" to resolve new rspec fails
...
This reverts commit 717dfefead6430fa3354
2013-10-21 12:47:57 -05:00
cacaf40276
Land #2542 - D-Link DIR-605L Captcha Handling Buffer Overflow
2013-10-21 12:03:07 -05:00
9bfd98b001
Change plate
2013-10-21 11:54:42 -05:00
717dfefead
Land #2505 , missing source fix for sock_sendpage
2013-10-21 11:47:55 -05:00
6430fa3354
Land #2539 - Support Windows CMD generic payload
...
This also upgrades auxiliary/admin/scada/igss_exec_17 to an exploit
2013-10-21 11:26:13 -05:00
45d06dd28d
Change plate
2013-10-21 11:24:30 -05:00
8c05f8cf51
Land #2550 - Add HP Intelligent Managemetn UploadServlet dir traversal
2013-10-21 11:14:22 -05:00
d22e4ac2f1
Check timeout condition
2013-10-21 11:13:48 -05:00
36dace26fa
Land #2538 - Fix redirect URLs
2013-10-21 11:08:03 -05:00
27078eb5a6
Add support for HP imc /BIMS 5.1
2013-10-20 18:18:34 -05:00
b0d32a308a
Update version information
2013-10-19 00:52:22 -05:00
7d8a0fc06c
Add BID reference
2013-10-19 00:29:43 -05:00
cf239c2234
Add module for ZDI-13-238
2013-10-19 00:05:09 -05:00
70fced1d74
Delete unnecessary requires and make msftidy compliant
2013-10-18 16:54:20 -05:00
dbd74bceed
Add the ARCH_CMD target
2013-10-18 16:35:22 -05:00
2339cdc713
Land #2513 , @joev-r7's osx persistence local exploit
2013-10-18 15:13:50 -05:00
83f27296d3
Fix some bugs in osx persistence.
...
- the RUN_NOW datastore option did not work as expected
- Adds support for OSX < 10.4 KeepAlive option
- organizes private methods alphabetically.
2013-10-18 14:12:33 -05:00
4e4d0488ae
Rubyfy constants in privs lib
2013-10-18 18:26:07 +01:00
681db6cb41
Use fully qualified constant in include.
2013-10-18 11:31:02 -05:00
05bea41458
mkdir -p the dirname, not the file.
2013-10-18 11:27:37 -05:00
2e0a14d719
Introduced PrependMigrate, PPID killing and general clean-up
2013-10-18 12:24:50 -04:00
9d6031acdb
Reverting payload_inject because of x64 shellcode
...
Injecting x64 shellcode in a SYSWOW64 process spawn a 32 bit notepad, so
we revert the changes.
2013-10-18 09:51:18 +02:00
7a47059e1d
Fix a couple more shellescapes.
2013-10-18 00:47:22 -05:00
a2e3c6244e
Remove unnecessary Exe::Custom logic.
...
- this is handled by the exe.rb mixin.
- adds support for a RUN_NOW datastore option.
- tested working on java meterpreter and x86 shell session.
2013-10-18 00:41:18 -05:00
7dd39ae5e6
Update ranking
2013-10-17 22:43:47 -05:00
a00a813649
Add real device libraries base addresses
2013-10-17 22:34:54 -05:00
55426882d4
Further bypassuac tidyup
2013-10-18 00:08:06 +01:00
e450e34c7e
Merge branch 'master' of github.com:rapid7/metasploit-framework into low_integ_bypassuac
...
Conflicts:
modules/exploits/windows/local/bypassuac.rb
2013-10-17 23:35:36 +01:00
5a662defac
Post::Privs uses Post::Registry methods
2013-10-17 23:28:07 +01:00
94db3f511a
Avoid extra slash in redirect URI
...
[SeeRM #8507 ]
2013-10-17 14:10:15 -05:00
be1d6ee0d3
Support Windows CMD generic payload
2013-10-17 14:07:27 -05:00
22b4bf2e94
Resplat webtester_exec.rb
2013-10-17 13:30:54 -05:00
07ab53ab39
Merge from master to clear conflict
...
Conflicts:
modules/exploits/windows/brightstor/tape_engine_8A.rb
modules/exploits/windows/fileformat/a-pdf_wav_to_mp3.rb
2013-10-17 13:29:24 -05:00
7f6dadac16
Merge for sync
2013-10-17 10:40:01 -05:00
b03783baec
minors fixes and rand for endstring
2013-10-17 17:10:05 +02:00
22eb2ba163
randstring and fixes
2013-10-17 16:51:34 +02:00
352eca1147
Fix check method and set a big space available for payload
2013-10-17 09:30:59 -05:00
563bf4e639
Fix bug #8502 , used %PATH% for notepad invocation
...
We use system %PATH% for notepad executable instead of the absolute
path, because it caused a problem with the migrate script in a 64-bit
meterpreter session. By default the wordpad binary is not in the
%PATH%, so the condition in hp_nnm_ovbuildpath_textfile.rb was not
changed.
2013-10-17 15:41:12 +02:00
54cf7855a2
Add WebTester 5.x Command Execution exploit module
2013-10-17 16:57:57 +10:30
3d3a7b3818
Add support for OSVDB 86824
2013-10-17 01:08:01 -05:00
7a0671eba9
Land #2531 - rm deprecated mods
2013-10-16 20:02:58 -05:00
a54b4c7370
Land #2482 , use runas when UAC is DoNotPrompt
2013-10-16 17:51:11 -05:00
f1a67ecafe
Remove overdue deprecated modules
...
[See PT #56795804 ]
[See PT #56796034 ]
2013-10-16 17:02:28 -05:00
0ce221274b
Change JS comments in Ruby.
2013-10-16 16:40:54 -05:00
ba2c52c5de
Fixed up some more weird splat formatting.
2013-10-16 16:25:48 -05:00
4fa3b8f820
Add support for IE7 on XP
2013-10-16 15:56:34 -05:00
06a212207e
Put PrependMigrate on hold because of #1674
...
But I will probably still want this.
2013-10-16 09:24:46 -05:00
ac78f1cc5b
Use Base64 encoding for OS parameter
...
I didn't even realize we already added this in server.rb. So instead
of just escaping the OS parameter, we also encode the data in base64.
I also added prependmigrate to avoid unstable conditions for the payload.
2013-10-15 23:37:11 -05:00
5d86ab4ab8
Catch mis-formatted bracket comments.
2013-10-15 14:52:12 -05:00
ed0b84b7f7
Another round of re-splatting.
2013-10-15 14:14:15 -05:00
c83262f4bd
Resplat another common boilerplate.
2013-10-15 14:07:48 -05:00
23d058067a
Redo the boilerplate / splat
...
[SeeRM #8496 ]
2013-10-15 13:51:57 -05:00
c68319d098
Fix author
2013-10-15 12:59:19 -05:00
f60b29c7a6
Land #2503 , @MrXors's local exploit using VSS
2013-10-15 12:35:26 -05:00
f345414832
Added correct spelling in info
2013-10-15 10:13:18 -07:00
0b9cf24103
Convert vss_persistence to Local Exploit
2013-10-15 11:11:04 -05:00
31dc7c0c08
Land #2522 , @todb-r7's pre-release module fixes
2013-10-14 15:37:23 -05:00
63e40f9fba
Release time fixes to modules
...
* Period at the end of a description.
* Methods shouldn't be meth_name! unless the method is destructive.
* "Setup" is a noun, "set up" is a verb.
* Use the clunky post module naming convention.
2013-10-14 15:17:39 -05:00
15e8c3bcd6
[FixRM #8470 ] - can't convert nil into String
...
Target selection bug in ms13_069_caret.rb. Happens when the target
is Win 7 + IE8, which actually isn't a suitable target.
[FixRM #8470 ]
2013-10-14 14:10:08 -05:00
75aaded842
Land #2471 , @pyoor's exploit for CVE-2013-5743
2013-10-14 14:03:28 -05:00
a6f17c3ba0
Clean zabbix_sqli
2013-10-14 14:01:58 -05:00
eab90e1a2e
Land #2491 , missing platform info update
2013-10-14 10:38:25 -05:00
de156dc8da
new exploit module for CVE-2008-2286, Altiris DS
2013-10-13 22:39:49 -04:00
74f37c58b2
Land #2514 - Update CVE reference for Joomla
2013-10-13 12:58:23 -05:00
e2a9339592
Add CVE to joomla media upload module.
2013-10-12 21:20:11 -05:00
ea9235c506
Better whitespace.
2013-10-12 20:53:16 -05:00
78b29b5f20
Bring osx persistence module to the finish line.
2013-10-12 20:50:53 -05:00
3dbdc9f848
Land #2510 , @wchen-r7's exploit for cve-2013-3897
2013-10-12 20:06:41 -05:00
9725918be8
Remove junk variables/params
2013-10-12 18:51:57 -05:00
2153dd26eb
Land #2501 - HP Data Protector Cell Request Service Buffer Overflow
2013-10-12 16:55:48 -05:00
5a1b099570
Make osx persistence a local exploit.
2013-10-12 16:47:35 -05:00
bc317760dc
Make the GET params a little bit harder to read.
2013-10-12 16:37:49 -05:00
172c6b9b8f
Escape dots on regexs
2013-10-12 16:15:10 -05:00
4fe407d7ee
Move osx persistence to a local exploit.
2013-10-12 16:08:22 -05:00
b139757021
Correct a typo in description
2013-10-12 13:24:36 -05:00
79c612cd67
Add MS13-080 (CVE-2013-3897): Internet Explorer CDisplayPointer Use-After-Free
...
This module exploits a vulnerability found in Microsoft Internet Explorer.
It was originally found being exploited in the wild targeting Japanese and
Korean IE8 users on Windows XP, around the same time frame as CVE-2013-3893,
except this was kept out of the public eye by multiple research companies and
the vendor until the October patch release.
This issue is a use-after-free vulnerability in CDisplayPointer via the use of
a "onpropertychange" event handler. To setup the appropriate buggy conditions,
we first craft the DOM tree in a specific order, where a CBlockElement comes after
the CTextArea element. If we use a select() function for the CTextArea element,
two important things will happen: a CDisplayPointer object will be created for
CTextArea, and it will also trigger another event called "onselect". The "onselect"
event will allow us to setup for the actual event handler we want to abuse -
the "onpropertychange" event. Since the CBlockElement is a child of CTextArea,
if we do a node swap of CBlockElement in "onselect", this will trigger
"onpropertychange". During "onpropertychange" event handling, a free of the
CDisplayPointer object can be forced by using an "Unslect" (other approaches
also apply), but a reference of this freed memory will still be kept by
CDoc::ScrollPointerIntoView, specifically after the CDoc::GetLineInfo call,
because it is still trying to use that to update CDisplayPointer's position.
When this invalid reference arrives in QIClassID, a crash finally occurs due to
accessing the freed memory. By controling this freed memory, it is possible to
achieve arbitrary code execution under the context of the user.
2013-10-12 13:01:17 -05:00
d929bdfaab
Re-fixing 8419, consistency is important.
2013-10-12 08:09:19 -04:00
dfe74ce36c
Factorize sock_sendpage
2013-10-11 13:40:01 -05:00
0b93996b05
Clean and add Automatic target
2013-10-11 13:19:10 -05:00
171b70fa7c
Zabbix v2.0.8 SQLi and RCE Module
...
Conflicts:
modules/exploits/linux/http/zabbix_sqli.rb
Commit completed version of zabbix_sqli.rb
2013-10-10 22:50:02 -04:00
b9b2c82023
Add some entropy
...
* Random filename
* Stop shipping debug strings to the exploit executable
Also makes the writable path configurable, so we don't always have to
use /tmp in case it is mounted noexec, etc.
2013-10-10 18:18:01 -05:00
Mekanismen
jvazquez-r7
sinn3r
Thomas Hibbert
OJ
Tod Beardsley
bcoles
William Vu
Chris John Riley
jvazquez-r7
scriptjunkie
root
James Lee
AverageSecurityGuy
Booboule
Meatballs
joev
Norbert Szetei
Davy Douhine
MrXors
Joe Barrett
pyoor