Commit Graph

24096 Commits (f38e5af0bf71023366844fddc8bf8d00278d653d)

Author SHA1 Message Date
Brent Cook 34f8a9a5ee fix continuation warnings in payloads 2018-05-01 04:57:42 -05:00
Jeffrey Martin 28173222a8
Land #9881, cleanup psexec code 2018-04-30 18:39:36 -05:00
Brent Cook e29a53b7cb
Land #9951, Update linux/gather/enum_protections module 2018-04-30 16:52:30 -05:00
Brent Cook f3fa9af098 fixup osx sizes 2018-04-30 15:21:23 -05:00
Brent Cook 7e31c2cf76
Land #9942, IPv6 channel fixes for Python and Linux/macOS Meterpreters 2018-04-30 15:14:12 -05:00
Auxilus bc0cad43bc
Update wireless_ap.rb 2018-04-30 19:19:12 +05:30
Auxilus ca7afae730
Add wireless_ap post module for Android
This module displays all the saved wireless AP creds in the target device
2018-04-30 19:02:30 +05:30
Lars Sorenson 2ca05ee7c1 Remove explicit EDB url in favor of MSF autogenerated one
Use more appropriate Failwith errors for connection issues
Remove an unnecessary `to_s` call
Use the cookie kwarg for send_request_cgi over explicitly setting a header
2018-04-29 22:24:49 -04:00
Brendan Coles 3351a59efb Update linux/gather/enum_protections 2018-04-29 06:52:47 +00:00
Chris Long 9ae0acd489 Removing debug statement 2018-04-28 15:56:56 -07:00
Chris Long c7caac627b Replacing Import with Fiddle, adding fork compatibility for High Sierra 2018-04-28 15:53:23 -07:00
Brendan Coles f7504dd9d5 Add AF_PACKET packet_set_ring Privilege Escalation exploit 2018-04-28 01:40:17 +00:00
Aaron Soto c4bca03fea
Land #9908, msfd_rce_remote and msfd_rce_browser 2018-04-27 18:54:17 -05:00
Aaron Soto 82fc4aba64
Land #9918, XDebug Unauthenticated OS command execution 2018-04-27 17:08:58 -05:00
Touhid M Shaikh ce099aea76
playsms_filename_exec.rb
PlaySMS sendfromfile.php Authenticated "Filename" Field Code Execution
2018-04-28 01:15:52 +05:30
Brent Cook 8fd7448e48
bump payloads, ipv6 channel fixes 2018-04-27 14:18:54 -05:00
Auxilus d29bc920c1 print o/p to new line 2018-04-27 20:58:25 +05:30
Auxilus 912970ad3b change vprint to print for printing o/p in psexec_command 2018-04-27 20:47:21 +05:30
Auxilus 0374de5e0d change vprint to print for printing o/p 2018-04-27 10:49:04 +05:30
Auxilus 25cf8d175a report command execution o/p 2018-04-27 08:43:30 +05:30
Brent Cook 79d8f5e86c
autofilter = false means skip, which is reverse of intuition 2018-04-26 17:20:55 -05:00
Jeffrey Martin 54aaf1f718
Land #9937, enable autofilter on tp-link camera exploit 2018-04-26 16:08:09 -05:00
Brent Cook 4789cdc596 enable autofilter on tp-link camera exploit 2018-04-26 14:56:39 -05:00
Brent Cook 0fa0358993
Land #9853, Update Linux sock_sendpage local exploit module 2018-04-26 14:30:51 -05:00
William Vu 873cbcee27 Fix #9876, minor updates to Drupalgeddon 2
1. Tested versions are already listed in the module doc, and we've
tested more than just 7.57 and 8.4.5 now. Removing a source of potential
inconsistency in the future.
2. No problem with ivars anymore. No idea what happened, but maybe I was
just too tired to code. Removing cleanup method.
2018-04-25 18:09:54 -05:00
Brent Cook f52e6a18a2
Land #9876, Drupalgeddon 2 2018-04-25 15:49:53 -05:00
William Vu b8eb7f2a86 Set target type instead of regexing names
We're no longer matching multiple targets like /In-Memory/ or /Dropper/,
so it makes sense to match on a specific value now.

Old matching in this commit: 1900aa2708.
2018-04-25 11:53:26 -05:00
Brent Cook 2cd0228db2
Land #9900, add base64 encoder for ruby 2018-04-25 04:06:50 -05:00
Brent Cook 4cba6d1df4 suggest a reason if we get no server response 2018-04-25 03:57:12 -05:00
William Vu 910e9337fb Use print_good for patch level check, oops 2018-04-24 23:21:22 -05:00
William Vu b7ac16038b Correct comment about PHP CLI (it's not our last!) 2018-04-24 23:18:51 -05:00
William Vu ec43801564 Add check for patch level in CHANGELOG.txt
Looks like 8.x has core/CHANGELOG.txt instead.
2018-04-24 23:12:33 -05:00
William Vu 2ff0e597a0 Add SA-CORE-2018-002 as an AKA ref
Makes sense to me. Even though it's technically the advisory.
2018-04-24 22:51:33 -05:00
Auxilus 382a7f8aa3 Merge https://github.com/rapid7/metasploit-framework into psexec_cleanup 2018-04-25 09:09:48 +05:30
William Vu 8bc1417c8c Use PHP_FUNC as a fallback in case assert() fails
Additionally drop a file in a writable directory in case CWD fails.
2018-04-24 22:29:27 -05:00
Auxilus cbfdaf23a0 updated for requested changes 2018-04-25 08:56:54 +05:30
William Vu 8ff4407ca6 Clarify version detection error message
This was supposed to imply that we couldn't configure the exploit for a
targetable version. Instead, it just read weirdly. I think it was
missing "to target" at the end. "Determine" is a much better word,
though, since we may be doing detection instead of mere configuration.
2018-04-24 20:51:51 -05:00
Auxilus e7ac2cd155 move report_auth to psexec module 2018-04-24 23:00:55 +05:30
Robin Stenvi c81ad8fec0 Changes after review 2018-04-24 18:33:27 +02:00
William Vu cfaca5baa3 Restore a return lost in the refactor :(
Also spiff up comments.
2018-04-24 11:25:55 -05:00
Auxilus 3353102dc1 fix opt dependencies 2018-04-24 21:55:09 +05:30
William Vu a0f16b4a66 Prefer print_warning for consistency 2018-04-24 11:17:19 -05:00
William Vu 7ef8b99480 Improve printing in ETERNALBLUE's verify_arch
Now shows the invalid arch instead of showing nothing.
2018-04-24 11:09:54 -05:00
William Vu b507391f1b Change back to vprint_status for the nth time
I really couldn't decide, especially once I got rid of CmdStager.

Also fully document the module options.
2018-04-24 04:23:52 -05:00
William Vu c8b6482ab0 Rewrite PHP targets to work with 7.x and 8.x
Win some, lose some. php -r spawns a new (obvious) command. :/

Check method and version detection also rewritten. :)
2018-04-24 03:38:05 -05:00
Brendan Coles ef5272cdc6 Update tested versions 2018-04-23 20:28:24 +00:00
Brendan Coles 00583caadf Add Libuser roothelper Privilege Escalation exploit 2018-04-23 17:49:11 +00:00
Wei Chen f9a804e7d8
Bring the PR up to date 2018-04-23 08:52:05 -05:00
Robin Stenvi 60c6f970c1 Added base64 encoder for Ruby 2018-04-21 10:54:26 +02:00
William Vu 8be58d315c Stop being lazy about badchar analysis
Badchars apply to all targets.
2018-04-20 19:30:38 -05:00
William Vu 5be4526085 Merge remote-tracking branch 'upstream/master' into feature/drupal 2018-04-20 18:42:15 -05:00
bwatters-r7 1c92134606
Land #9756, Add lastore-daemon D-Bus Privilege Escalation exploit
Merge branch 'land-9756' into upstream-master
2018-04-20 15:45:37 -05:00
bwatters-r7 f12f6d54a5
Land #9862, Post-exploitation module for meterpreter (Windows) to send wireless probe requests
Merge branch 'land-9862' into upstream-master
2018-04-20 14:32:01 -05:00
bwatters-r7 37a844bef0
Land #9247, Add ASUS infosvr Auth Bypass Command Execution exploit
Merge branch 'land-9247' into upstream-master
2018-04-20 11:24:47 -05:00
William Vu fcfe927b7a Add PHP dropper functionality and targets 2018-04-19 05:11:21 -05:00
William Vu 62aca93d8b Cache version detection and print only once
Oops. This is the problem with overloading methods.
2018-04-19 04:59:07 -05:00
William Vu 2670d06f99 Add in-memory PHP execution using assert() 2018-04-19 02:18:56 -05:00
William Vu 7a2cc991ff Refactor once more with feeling
Nested conditionals are the devil. Printing should be consistent now.
2018-04-18 23:59:14 -05:00
William Vu 3d116d721d Add version detection and automatic targeting
I also refactored error handling. Should be cleaner now.
2018-04-18 21:40:22 -05:00
William Vu 86ffbc753e Refactor clean URL handling and remove dead code 2018-04-18 19:56:42 -05:00
Tim W 1547a47026
Land #9784, add osx high sierra APFS password disclosure post module 2018-04-18 14:27:22 +08:00
Tim W 72cd97d3e4 minor documentation and comment tweaks 2018-04-18 14:22:32 +08:00
William Vu 1900aa2708 Refactor module and address review comments 2018-04-17 19:05:45 -05:00
Auxilus f0b9ea635a cleanup psexec code 2018-04-16 09:04:36 +05:30
Lars Sorenson 143fdde1f8 Flipped Safe and Appears in check 2018-04-15 12:10:10 -04:00
Lars Sorenson 60ac89c336 Restructure some logic to make the flow more intuitive 2018-04-14 15:03:12 -04:00
Lars Sorenson 36c1bf5453 Remove a missed tab 2018-04-14 10:30:49 -04:00
Lars Sorenson 083f6936fd Update for @bcoles review
Refactor version checking to use Gem::Version
Change the title of the exploit to fit convention
Change print statements used in check to vprint
Change fail_with Failure for connection issues to be Unknown instead of NoAccess
Add CVE reference
Refactor how some nil checking is done for response for send_request_cgi
Text-wrap description to 80 chars
Remove unnecessary string interpolation for cookie in payload delivery
Change how the payload cradle is escaped and encoded; switch to HTTP POST for stealth
Remove nil check that is redundant and also typo'd to
2018-04-14 10:24:05 -04:00
Lars Sorenson 486ab7c776 Update for msftidy and contribution guidelines 2018-04-14 09:20:13 -04:00
Lars Sorenson 27ded57cda Add MSF module for EDB 6768 2018-04-14 08:51:51 -04:00
William Vu d8508b8d7d Add Drupal Drupalgeddon 2 2018-04-14 00:22:30 -05:00
Chris Long b282db3c6a Fixing broken imports for keylog_recorder.rb and improving control chars 2018-04-12 02:08:53 -07:00
Adam Cammack 2a6acfd1d0
Land #9823, Private IP leak via WebRTC 2018-04-11 17:37:56 -05:00
Borja Merino 2d33320921 Added a post-exploitation module to send wireless probe requests 2018-04-11 16:43:33 +02:00
Brendan Coles 154951cd37
minor update 2018-04-11 01:45:41 +10:00
Dhiraj Mishra 8be159bdc7
Fixing space-tab mixed 2018-04-10 20:45:38 +05:30
Dhiraj Mishra 7cbba34c83
Parsing IP address only
Changed title name and description; however, a few things still need to be fixed.
2018-04-10 20:32:52 +05:30
Brendan Coles fc7040099c Update Linux sock_sendpage local exploit module 2018-04-10 11:15:42 +00:00
Tim W ee6f83c281 match newfs_apfs regex 2018-04-10 14:45:14 +08:00
Aaron Soto be18930f12
Cleaned up output, only querying for %WINDIR% if necessary 2018-04-09 15:27:50 -05:00
Auxilus c07f2f1a09
Update run_as.rb 2018-04-09 21:24:16 +05:30
Auxilus c34b796f13
Remove temp file from dist after cmd execution
https://github.com/rapid7/metasploit-framework/issues/9830
2018-04-09 20:14:01 +05:30
h00die a473dd04a8
Land #9813, Add etcd library and version scanner 2018-04-08 07:05:31 -04:00
gushmazuko bd672ae148
Description changed 2018-04-08 12:00:14 +02:00
gushmazuko 1e439b623b
Description changed 2018-04-08 11:46:01 +02:00
Brent Cook b55eb9b8f2 bump payloads, add Python UDP channel support
This pulls in Python UDP channel support from
https://github.com/rapid7/metasploit-payloads/pull/276
2018-04-07 14:21:30 -05:00
thecarterb 3f40f43609 Make final output more readable 2018-04-07 11:05:47 -04:00
Dhiraj Mishra 201cdfb189
Handling exception by MSFTIDY 2018-04-06 22:54:21 +05:30
Daniel Teixeira 37c578e16d
Update oscommerce_installer_unauth_code_exec.rb 2018-04-06 17:10:53 +01:00
Dhiraj Mishra 4e6afd49ed
Update browser_getprivateip.rb 2018-04-06 21:10:29 +05:30
Daniel Teixeira dee01189ca
Update oscommerce_installer_unauth_code_exec.rb 2018-04-06 15:41:21 +01:00
Daniel Teixeira 50c3f53e03
Update oscommerce_installer_unauth_code_exec.rb 2018-04-06 14:39:45 +01:00
Daniel Teixeira 0c829a5c6b
Update oscommerce_installer_unauth_code_exec.rb 2018-04-06 14:35:33 +01:00
Daniel Teixeira cbdb3a35b2
Update oscommerce_installer_unauth_code_exec.rb 2018-04-06 14:14:11 +01:00
Cantoni Matteo c8544c3bc0 Add 'phpMyAdmin Authenticated Remote Code Execution' aux module - CVE-2016-5734 2018-04-06 14:57:07 +02:00
Dhiraj Mishra f6cfcefbae
Some tweaks suggested by bcoles. 2018-04-06 17:44:43 +05:30
Daniel Teixeira 6698f1b64b
Update oscommerce_installer_unauth_code_exec.rb 2018-04-06 13:05:40 +01:00
Daniel Teixeira 806c72ebcb
Update and rename oscommerce.rb to oscommerce_installer_unauth_code_exec.rb 2018-04-06 11:29:29 +01:00
Daniel Teixeira 3efd17a801
Rename osCommerce.rb to oscommerce.rb 2018-04-06 10:46:00 +01:00
Daniel Teixeira 0d254b4e5c
Update osCommerce.rb 2018-04-06 10:40:28 +01:00
Dhiraj Mishra 582eb2e61c
Create browser_getprivateip.rb 2018-04-06 14:42:57 +05:30
Daniel Teixeira b5681cb954
osCommerce Module 2018-04-05 20:28:14 +01:00
Brent Cook 81c78a51c2
Land #9794, Added support for regional dialects 2018-04-05 12:56:07 -05:00
Spencer McIntyre 0a3bcf570c Add the scanner/smb/impacket/dcomexec module 2018-04-04 17:34:41 -04:00
Jon Hart 63aabc00f1
etcd rubocop style 2018-04-04 11:01:38 -07:00
Jon Hart a8c76638d3
Rename 2018-04-04 10:54:20 -07:00
Jon Hart 518e17118a
Add DisclosureDate 2018-04-04 10:52:47 -07:00
Jon Hart a6c31aceb2
Refactor common etc capabilities; add separate version scanner 2018-04-04 10:48:27 -07:00
Chris Higgins 1fa40bfe3b
Land #8539, ProcessMaker Plugin Upload exploit 2018-04-03 20:52:17 -05:00
bwatters-r7 0faf2f4e04
Land #8007, Added NTDSgrab module to metasploit.
Merge branch 'land-8007' into upstream-master
2018-04-03 15:56:37 -05:00
bwatters-r7 d9039d43ef
Land #9734, Remove unwanted 'pop RAX' from windows/x64/reverse_(win)http 2018-04-03 14:23:41 -05:00
bwatters-r7 e17be05e6a
Land #9595, Add post module RID Hijacking on Windows 2018-04-03 14:12:34 -05:00
Brent Cook 8f7d9f3ac8 rename module 2018-04-03 13:44:55 -05:00
Brent Cook 19eef59f23 add disclosure date, fix target 2018-04-03 13:39:11 -05:00
Brent Cook cd7831a2a3 An unforgettable luncheon 2018-04-03 13:39:11 -05:00
cbrnrd 0806c0725f Fix some bugs with command exits
Also fix a bug in check()
2018-04-03 10:35:49 -04:00
Brendan Coles dfb3a421fe Remove require statement 2018-04-03 12:56:06 +00:00
Brent Cook 8c2138f13b
Land #9742, QNX exploit improvements 2018-04-03 07:50:29 -05:00
Tim W 9f174e7323 msftidy 2018-04-03 16:10:41 +08:00
Tim W 7c3e5da450 add more credits/references 2018-04-03 14:59:00 +08:00
Tim W c5039251a2 add CVE-2016-4655
rebase
2018-04-03 14:58:57 +08:00
Tim W d465226d89 add loader 2018-04-03 14:44:54 +08:00
Tim W cd1f4e1373 webkit apple safari trident exploit 2018-04-03 14:44:54 +08:00
Brendan Coles d860d7af5b require 'rex/tar' 2018-04-03 06:34:30 +00:00
Brent Cook bd3c00dfd0
Land #9726, add simple Rex::Tar wrapper for consistency with other archive types 2018-04-02 23:35:22 -05:00
Brent Cook 226ef160ff
Land #9748, Convert the smbloris DoS into an external module
Help reliability and performance. This adds some Ruby-specific external module
tooling as a result as well.
2018-04-02 23:25:10 -05:00
Brent Cook b445583a14
Land #9774, use correct whitespace when patching python meterpreter 2018-04-02 23:07:36 -05:00
r4wd3r d6dc0a2d4f
Adjust rid_hijack.rb code style with rubocop recommendations. 2018-04-03 04:57:41 +02:00
gushmazuko 11389a6d53
Fixed errors 2 2018-04-02 17:33:53 +02:00
gushmazuko 1327c0bb7e
Fixed errors 2018-04-02 17:21:16 +02:00
Brent Cook fa34f3e0a4
Land #9718, Add get_user_spns 'kerberoasting' module 2018-04-02 10:04:44 -05:00
cbrnrd c401872af6 Fix some logic flaws and other review things
Also make the output more reliable
2018-03-30 19:20:20 -07:00
cbrnrd 76af9d5a15 Add apfs_encrypted_volume_passwd.rb 2018-03-29 23:47:45 -07:00
William Vu e3e12ad924
Land #9782, CheckCode::Safe for ms_ndproxy 2018-03-29 17:07:33 -05:00
Brent Cook 3a54f0d5f8
Land #9776, if data is nil, stop reading the heartbleed socket 2018-03-29 11:23:08 -05:00
Brendan Coles 3aac041dcf Return CheckCode::Safe for unsupported x64 systems 2018-03-29 12:03:33 +00:00
gushmazuko 922ed8c284
Slui File Handler Hijack LPE
Slui File Handler Hijack LPE
2018-03-29 00:15:03 +02:00
gushmazuko 69d9321e6b
Slui File Handler Hijack LPE
Slui File Handler Hijack LPE - MSF Module
UAC Bypass | Local Privilege Escalation Via Slui Hijack
2018-03-28 20:44:16 +02:00
Jon Hart a1e83ce835
Land #9760, @h00die's etcd scanner 2018-03-28 10:41:22 -07:00
Jon Hart 5cdfadd0df
Fix more style issues 2018-03-28 09:43:30 -07:00
Jon Hart 7767505678
Fix some style issues 2018-03-28 09:43:22 -07:00
Jacob Robles a1fff486bc
Land #9666, Add 2017-8917 RCE for Joomla 3.7.0 2018-03-28 11:08:38 -05:00
Jacob Robles 0fa63ae7b3
Update documentation and module
Included Super User in the documentation.
Implemented changes h00die suggested.
Modified sqli to generate strings used in regex.
2018-03-28 10:57:28 -05:00
h00die c97743925f jhart suggestions 2018-03-27 18:46:31 -04:00
Jeffrey Martin 288bd28d3a
if data is nil stop reading the heartbleed socket 2018-03-27 15:51:14 -05:00
Wei Chen 94fd599756
Land #9684, Adding ManageEngine Application Manager RCE
Land #9684
2018-03-27 15:17:20 -05:00
William Vu 1f31bcd26f Update telpho10_credential_dump 2018-03-27 14:57:57 -05:00
Wei Chen 0a0bef0c4f
Land #9633, Exodus Wallet Remote Code Execution
Land #9633
2018-03-27 14:51:15 -05:00
Jeffrey Martin 7a76593e1c
update payload size cause whitespace is more exact 2018-03-27 14:38:17 -05:00
Wei Chen 8c88c53e5d
Land #9670, Gitstack v2.3.10 RCE
Land #9670
2018-03-27 13:00:47 -05:00
Jacob Robles 26463b33a2
Land #9636, Improve post module persistence_exe 2018-03-26 17:48:53 -05:00
Jacob Robles 57b048fbf7
Remove requires, changed in-place modification 2018-03-26 17:46:18 -05:00
William Vu c19fc4c18f
Land #9423, PSH for jenkins_xstream_deserialize 2018-03-26 17:09:16 -05:00
William Vu 862a3ff74d
Land #9618, pipe auditing improvements 2018-03-26 17:01:48 -05:00
h00die 327b2176c0 change and 2018-03-26 17:35:58 -04:00
Andrew Morris 217dea60fc
Update blog link to up-to-date blog post 2018-03-26 15:43:10 -04:00
h00die e462cb49a2 updated docs 2018-03-25 14:53:30 -04:00
h00die d739a9a057 working etcd scanner 2018-03-25 13:54:55 -04:00
h00die 80c4d59560
Land #9702 exploit for clipbucket 2018-03-24 19:59:17 -04:00
h00die 0028e2c5ba documentation update 2018-03-24 19:25:59 -04:00
Brendan Coles 9bb6e72020 Add lastore-daemon D-Bus Privilege Escalation exploit 2018-03-24 23:16:42 +00:00
Brendan Coles fdd2af2d2a Update tested versions 2018-03-24 00:23:12 +00:00
Adam Cammack 5ece14b064
Convert SMBLoris to an external module 2018-03-23 14:55:18 -05:00
Touhid M Shaikh 230c0a295f
Delete playsms_uploadcsv_exec.rb 2018-03-23 12:29:07 +05:30
William Vu 09cb4a52df Update smb_ms17_010 scanner with PipeAuditor mixin 2018-03-22 15:37:45 -05:00
William Vu e4c026fffd Update pipe_auditor module with PipeAuditor mixin 2018-03-22 15:37:45 -05:00
Brendan Coles 9d28549e84 Update qnx_qconn_exec 2018-03-22 06:25:44 +00:00
Jacob Robles 8d0e3ada74
Change option names and module type 2018-03-21 06:49:50 -05:00
Jacob Robles fc9005df8a
Add External License Support 2018-03-21 06:26:25 -05:00
Jacob Robles 8d12118d1f
Add get_user_spns external module and documentation 2018-03-21 06:26:15 -05:00
Touhid M Shaikh a506efe0b6
playsms_uploadcsv_exec.rb
PlaySMS 1.4 Remote Code Execution using Phonebook import Function in import.php
2018-03-21 14:13:52 +05:30
Jacob Robles ca7caae622
Change External Module Type Names
Change a couple of external module type names
to be consistent with the template files.
2018-03-20 10:19:57 -05:00
Summus6 b865d4fee2 Fix CachedSize for windows/x64/reverse_(win)http(s) payloads 2018-03-20 11:27:43 +01:00
Brendan Coles ac9f506b45 Update tested versions 2018-03-20 02:49:56 +00:00
Mehmet İnce 53eabfc1df Update documentation and add check before exploit 2018-03-19 23:27:18 +03:00
Touhid M Shaikh f012916742
Delete playsms_uploadcsv_exec.rb 2018-03-18 13:57:53 +05:30
Touhid M Shaikh 0e0fcdf727 PlaySMS 1.4 RCE
PlaySMS 1.4 Remote Code Execution using Phonebook import Function in import.php
2018-03-18 13:46:30 +05:30
Jeffrey Martin 4801021aba
Land #9613, add bind_named_pipe x86 2018-03-17 15:53:06 -05:00
Brent Cook 44d5022380
Land #9529, Add module for HP iLO CVE-2017-12542 authentication bypass 2018-03-16 16:50:54 -05:00
Brent Cook d1722d507b handle reset from the target on exploit 2018-03-16 16:46:50 -05:00
Brent Cook 65ae1e33e1
Land #9694, move ssh platforms to lib 2018-03-16 12:49:57 -05:00
Jacob Robles 1b2f1ced02
Land #8422, Typo3 News Module Sql Injection exploit 2018-03-15 10:55:04 -05:00
Jacob Robles ba0d990273
Documentation added and Error Checks 2018-03-15 10:46:08 -05:00
Jacob Robles 9e23997c3d
Added Error Handling 2018-03-14 08:16:17 -05:00
Jacob Robles 1d51cf6d24
Implement Suggested Changes 2018-03-14 06:15:49 -05:00
Mehmet İnce b55a750fa9 Fix typo and couple tiny nitpicks 2018-03-14 11:51:21 +03:00
Jacob Robles 64a51c1bd7
Save Credentials and IP 2018-03-13 08:47:08 -05:00
Mehmet İnce 889c914b3d Updating documentation and minor code changes 2018-03-13 12:05:27 +03:00
Touhid M Shaikh ea3378753b
Syntax error fixed on line 70
Improve the check for whether the payload was uploaded or not, using an AND condition on line 121
2018-03-13 14:15:03 +05:30
Tim W 39e2cddf70 update python payload cached size 2018-03-13 15:30:54 +08:00
Mehmet İnce ec10a82c56 Make the rubocop happy 2018-03-13 09:44:13 +03:00
h00die 97dbc1273a copy pasta 2018-03-12 20:14:08 -04:00
Mehmet İnce 2fd9b0b77b Fixing rubocop errors 2018-03-13 01:40:01 +03:00
Brent Cook 1587b5b682
Land #9686, add ipv6 to slowloris, rhost to non-scanner modules 2018-03-12 16:13:21 -05:00
Auxilus ef515d256d msftidy fixes 2018-03-13 00:34:25 +05:30
Auxilus 2c52498d4a
Update smb_ms17_010.rb 2018-03-13 00:28:37 +05:30
Auxilus 6e9a4916f5 scanner update 2018-03-13 00:23:18 +05:30
Ege Balcı 2950c84660
Better code.
Added check function.
Smaller & cleaner code.
2018-03-12 20:33:46 +03:00
Touhid M Shaikh 5e30982184
Check function and some words fixed
All changes done which bcoles suggested
2018-03-12 21:03:34 +05:30
Brent Cook d86dcbc237
Land #9632, owa_login and auth_brute enhancements 2018-03-12 10:31:20 -05:00
Mzack9999 5ee50c5fab
Username and password reported as credentials 2018-03-12 07:01:03 -05:00
Mzack9999 3d6af4c7ee
Removed mail from author section 2018-03-12 07:01:03 -05:00
Mzack9999 b0ed8c4702
code cleanup 2018-03-12 07:01:03 -05:00
Mzack9999 7b781d53c9
Small code refactoring, added verbose output 2018-03-12 07:01:03 -05:00
Mzack9999 fe89e2d391
Corrected check method, warning in case of absence of news and TARGETURI parameter 2018-03-12 07:01:03 -05:00
Mzack9999 f09d9a8994
Solved msftidy.rb issues 2018-03-12 07:01:02 -05:00
Mzack9999 dbba27cc97
Fixed minor issues and added automatic detection of Pattern1/Pattern2 2018-03-12 07:01:02 -05:00
Mzack9999 63444a2c43
Corrected wrong label in password hash message 2018-03-12 07:01:02 -05:00
Mzack9999 4a40f40c14
Typo3 News Module Sql Injection exploit 2018-03-12 07:00:45 -05:00
Touhid M Shaikh 9b0ba4a6fa clipbucket_fileupload_exec 2018-03-12 14:17:13 +05:30
Ege Balcı 420905137b
CVA added. 2018-03-12 08:42:28 +03:00
Ege Balcı d71b6bdf0d
Update syncbreeze_enterprise_dos.rb
msftidy.rb adjustment.
2018-03-11 23:27:46 +03:00
Ege Balcı 0e4e260a02
Adding Sync Breeze Enterprise 10.6.24 DOS
This module triggers a Denial of Service vulnerability in the Sync Breeze Enterprise HTTP server. A vulnerable version of the product can be downloaded here (http://www.syncbreeze.com/setups/syncbreezeent_setup_v10.6.24.exe). After installing the software, the web server should be enabled via Options->Server->Enable web server on port. The module triggers a user-space write access violation in the syncbrs.exe memory region. The number of requests that will crash the server varies between 200 and 1000 depending on the OS version and system memory.
2018-03-11 23:07:50 +03:00
Luis Hernandez dddad415a5 add Msf::Exploit::Remote::HTTP::Joomla 2018-03-11 07:59:26 -05:00
Jacob Robles 615f6b02af
varnish no auth file read 2018-03-09 11:25:13 -06:00
Jacob Robles 1fd0087a97
Land #7654, varnish file read 2018-03-09 10:59:04 -06:00
Jacob Robles a458cb9ebc
varnish file read msftidy fixes 2018-03-09 10:56:52 -06:00
Jacob Robles 037559023a
Update connect/disconnect varnish
[ticket: #7654]
2018-03-09 10:37:14 -06:00
Luis Hernandez 37bf4d118a Changes suggested by h00die 0803 2018-03-09 09:55:50 -05:00
Jacob Robles ea78e21961
Documentation accuracy 2018-03-09 07:43:12 -06:00
Jacob Robles 2735ae57cb
Documentation accuracy 2018-03-09 07:31:55 -06:00
Auxilus 9df99e8ce3
Update smb_ms17_010.rb 2018-03-09 16:10:20 +05:30
Auxilus 56fe70d84b
Update smb_ms17_010.rb 2018-03-09 16:07:09 +05:30
Mehmet İnce 4b483e079b Adding assigned CVE number 2018-03-09 12:25:19 +03:00
h00die ec7a62bc4c move ssh platforms to lib 2018-03-08 21:23:11 -05:00
Luis Hernandez 048d0d1fe4 Changes suggested by h00die 2018-03-08 20:13:01 -05:00
Auxilus 478f01d0d9 fix format 2018-03-09 02:25:58 +05:30
Jacob Robles 24079c345d
Style guide and grammar fixes 2018-03-08 07:30:02 -06:00
Jeffrey Martin b9ad1f2872
Land #9687, bump payloads, fix PHP meterpreter message parsing 2018-03-07 18:48:56 -06:00
Jeffrey Martin 26481d503e
one more payload size adjustment 2018-03-07 18:48:10 -06:00
Brent Cook b977b1c951 bump payload sizes 2018-03-07 17:41:58 -06:00
Adam Cammack 9a8f1ace2d
Add slowloris support for IPv6 and hostnames
Replace manual socket creation with `socket.create_connection` to get
auto-detection goodness.
2018-03-07 17:06:04 -06:00
Mehmet İnce 611b208267 Adding ManageEngine Application Manager RCE 2018-03-07 23:54:01 +03:00
Jacob Robles 5a2f197c47
Remove redundant RPORT 2018-03-07 14:41:51 -06:00
Jacob Robles 9ce6c2ae32
Remove redundant RPORT 2018-03-07 14:31:58 -06:00
Jacob Robles 15269ec3ce
Land #9678, Add memcached UDP version scanner 2018-03-07 10:14:29 -06:00
Jacob Robles 86dd382e6a
Land #9554, Eclipse Equinoxe OSGi console RCE 2018-03-07 08:41:31 -06:00
Fab e8a227b1a6 Changes as requested by jhart-r7:
- Default Username / Password are now random
- Doc fixed
- REST typo fixed
2018-03-07 10:48:05 +01:00
Jon Hart a69c2e29d2
Correct comment 2018-03-06 18:16:22 -08:00
Jon Hart 1e04fa009f
Fix style 2018-03-06 18:13:50 -08:00
Jon Hart 74ec9f00e7
Add WIP memcached UDP version scanner 2018-03-06 17:54:00 -08:00
Jon Hart e72372d6d8
Add disclosure date and correct CVE for memcached amp 2018-03-06 16:04:00 -08:00
Brent Cook d6871f5733
Land #9614, Juniper post enum module 2018-03-06 10:29:56 -06:00
Jacob Robles f6ebce2440
Update User List 2018-03-06 06:38:06 -06:00
Jacob Robles 5fde6bf5d3
Update Code 2018-03-05 22:39:16 -06:00
Jacob Robles 4ace73a3f9
Added references, fixed code 2018-03-05 22:00:28 -06:00
bwatters-r7 e878e19bbd Land #9665, Add missing reverse_tcp_rc4 payload tests.
Merge branch 'land-9665' into upstream-master
2018-03-05 17:18:04 -06:00
William Vu 176fb13c84 Fix #9650, missed code from TelnetEnable refactor
1. Functionality was added incrementally, and I missed an opportunity to
consolidate a few methods under @do_exploit.
2. The Capture mixin can raise RuntimeError for a number of different
reasons, not just a lack of root privileges.

tl;dr Fix my incompetence and laziness. :-)

I don't think EDB and friends usually get these updates. :(
2018-03-05 14:46:27 -06:00
Jacob Robles 57118e1265
msftidy fix 2018-03-05 13:37:32 -06:00
Jacob Robles a4f48eb80f
Add GitStack v2.3.10 RCE 2018-03-05 13:25:41 -06:00
Jon Hart 3028dccd7a
Land #9644, @xistence's memcached stats amplification scanner 2018-03-05 09:02:28 -08:00
Luis Hernandez d945734f43 Add 2017-8917 RCE for Joomla 3.0.7 2018-03-04 22:17:49 -05:00
Jeffrey Martin eac7cc63fc
add missing payload tests 2018-03-04 17:54:52 -06:00
Jon Hart f2de2a7f21
Appease most of rubocop's concerns 2018-03-04 07:17:25 -08:00
Jon Hart 2edb2dd8d0
Add CVE; clarify vuln name 2018-03-04 07:13:28 -08:00
h00die ea62497385
Land #9658 spelling and grammar fixes 2018-03-04 06:24:59 -05:00
Biswajit Roy 3925686173
Fixed error in my correction
Changed from `an username` to `a username`
2018-03-03 10:16:44 +05:30
William Vu 6dbf9445c9 Add MAC address discovery 2018-03-02 19:18:30 -06:00
William Vu 107512498c Add check method 2018-03-02 19:16:37 -06:00
William Vu 25f36fb926 Refactor code into new methods 2018-03-02 19:16:37 -06:00
William Vu 109bc87ffb Check for nil, EOFError, and zero-length response 2018-03-02 19:15:20 -06:00
William Vu bcdfebf93c Add a vprint for creds we chose 2018-03-02 19:15:19 -06:00
William Vu 4418a0de02 Enhance detection of telnetenabled vs. telnetd 2018-03-02 19:15:19 -06:00
William Vu fba30d47a2 Use default creds specific to protocol 2018-03-02 19:15:18 -06:00
William Vu 1f40afea9c Add automatic target for detection of TCP or UDP 2018-03-02 19:15:18 -06:00
William Vu a5e5b618fd Add print statements I forgot 2018-03-02 19:15:17 -06:00
William Vu e87681f2c4 Add NETGEAR TelnetEnable 2018-03-02 19:15:17 -06:00
bwatters-r7 0d07d44b14
ReLand #9565, Reverse TCP x64 RC4 via max3raza's rc4_x64 asm
This reverts commit 7964868fcd.
2018-03-02 16:09:52 -06:00
bwatters-r7 7964868fcd
Revert "Land #9565, Reverse TCP x64 RC4 via max3raza's rc4_x64 asm"
This reverts commit fcc579377f, reversing
changes made to 95cd149378.
2018-03-02 08:29:48 -06:00
bwatters-r7 fcc579377f
Land #9565, Reverse TCP x64 RC4 via max3raza's rc4_x64 asm 2018-03-02 07:34:45 -06:00
Biswajit Roy 38c42f3b10
Fixed Typos
Fixed minor typing errors.
2018-03-02 17:38:19 +05:30
Green-m 18a1593de7 Clean up registry and fix bug when cleaning the windows local file 2018-03-02 02:31:09 -05:00
Green-m d1e91dfdfd Fix bug 2018-03-01 22:19:03 -05:00
Green-m 2bb8fc7325 Fix bug 2018-03-01 22:16:59 -05:00
Jon Hart e7a7b557bc
Randomize and doc memcached stats probe; catch multi-packet responses 2018-03-01 16:56:34 -08:00
Jon Hart 155f45fc28
Simplify memcached amplification scanner to use UDPScanner for most of the work 2018-03-01 15:37:23 -08:00
Sonny Gonzalez 883654f0ea
Land #9653, fix Y2k38 issue (until Jan 1, 2038) 2018-03-01 09:13:41 -06:00
Brent Cook 27bd2a4a9f workaround Y2k38 issues in java certificate generation 2018-03-01 08:41:28 -06:00
Daniel Teixeira c84ece15a3
Update exodus.rb 2018-02-28 11:04:16 +00:00
Daniel Teixeira c366f94017
Update exodus.rb 2018-02-28 10:35:05 +00:00
Jon Hart 9e1a7c869c
Use drdos mixin for memcached amp module 2018-02-27 22:51:27 -08:00
xistence 05c99ffb5c Add Memcached amplification scanner 2018-02-28 11:24:17 +07:00
UserExistsError 35b66d0e60 added payload tests 2018-02-27 19:24:51 -07:00
Green-m 174c47195a Add options LocalExePath, StartupName, ServiceDescription 2018-02-27 05:32:07 -05:00
Brent Cook 325ad7256e if multi/handler is disabled, exit 2018-02-27 04:30:09 -06:00
Green-m fcd6e8acab Add options LocalExePath, StartupName, ServiceDescription 2018-02-27 05:27:32 -05:00
attackdebris 2939695991 Add ARCH_CMD and general fixup 2018-02-26 16:59:36 -05:00
Daniel Teixeira 15bd45cee3
Exodus Module 2018-02-26 21:31:13 +00:00
Jacob Robles a344ffadd8
Modified Code, Added additional check 2018-02-26 07:29:08 -06:00
Jacob Robles 4e4aeb7b4d
Add GitStack v2.3.10 Unauth REST API Aux Module 2018-02-26 06:04:38 -06:00
Green-m 553a82a408 Add options LEXEPATH, STARTUP_NAME, SERVICE_DESC 2018-02-26 02:39:11 -05:00
Green-m f786a1cfb9 Add options LEXEPATH, STARTUP_NAME, SERVICE_DESC 2018-02-26 01:59:49 -05:00
Rob Fuller 0c82b0a922
Support Windows 2008/7 and above
Probably about time that we supported versions less than 10 years old :)
2018-02-24 16:06:55 -05:00
Auxilus a1587bcd68
Update smb_ms17_010.rb 2018-02-24 09:05:35 +05:30
Auxilus 46af6239df
Update smb_ms17_010.rb 2018-02-24 08:50:39 +05:30
Auxilus 9bae6246b2
Check for accessible named pipe on vuln targets
```
msf5 auxiliary(scanner/smb/smb_ms17_010) > run

[+] 192.168.0.2:445       - Host is likely VULNERABLE to MS17-010! - Windows 7 Ultimate 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.0.2:445       - Checking for accessible named pipes
[+] 192.168.0.2:445       - Found accessible named pipe: netlogon
[+] 192.168.0.2:445       - Found accessible named pipe: lsarpc
[+] 192.168.0.2:445       - Found accessible named pipe: samr
[+] 192.168.0.2:445       - Found accessible named pipe: browser
[+] 192.168.0.2:445       - Found accessible named pipe: atsvc
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
2018-02-24 03:20:34 +05:30
James Barnett 133b34827f
Fix false+ login in a few more places 2018-02-23 13:16:41 -06:00
Brent Cook cd728defed Merge branch 'master' into land-9607- 2018-02-23 11:09:20 -06:00
h00die c7bbc6eca4 juniper post enum module 2018-02-22 21:08:21 -05:00
UserExistsError e19a071910 add bind_named_pipe x86 2018-02-22 19:03:37 -07:00