jvazquez-r7
0737d0dbd5
Refactor auxiliary module
2014-08-22 17:05:45 -05:00
jvazquez-r7
9ef09a7725
Pass msftidy
2014-08-22 13:24:59 -05:00
jvazquez-r7
38e6576990
Update
2014-08-22 13:22:57 -05:00
Tod Beardsley
08bb815bd8
Add Yokogawa unauth admin module
2014-08-09 13:30:10 -05:00
jvazquez-r7
ed97751ead
Land #2999 , @j0hnf's modifiction to check_dir_file to handle file:
2014-08-04 11:55:18 -05:00
jvazquez-r7
cd45ed0e0a
Handle exceptions when connecting the SMBHSARE
2014-08-04 11:54:30 -05:00
jvazquez-r7
85b5c5a691
Refactor check_path
2014-08-04 11:48:13 -05:00
jvazquez-r7
1e29bef51b
Fix msftidy warnings
2014-08-04 11:46:27 -05:00
jvazquez-r7
04bf0b4ab6
Fix forgotten comma
2014-08-04 11:34:12 -05:00
us3r777
cd2e225359
Refactored auxilliary jboss_bshdeployer
...
Switch modules/auxiliary/admin/http/jboss_bshdeployer.rb to use the
changes.
2014-08-02 11:10:49 +02:00
us3r777
9e9244830a
Added spec for lib/msf/http/jboss
...
Also renamed get_undeploy_bsh and get_undeploy_stager to
gen_undeploy_bsh and gen_undeploy_stager to be consistent
with the other functions
2014-07-29 01:57:04 +02:00
us3r777
cd2ec0a863
Refactored jboss mixin and modules
...
Moved fail_with() from mixin to modules. Added PACKAGE datastore to
lib/msf/http/jboss/bsh.rb.
2014-07-24 22:58:58 +02:00
us3r777
b526fc50f8
Refactored jboss mixin and modules
...
Moved VERB option to the mixin. Replaced "if datastore['VERBOSE']"
by vprint_status().
2014-07-22 23:08:42 +02:00
us3r777
ae2cd63391
Refactored Jboss mixin
...
Moved TARGETURI option to the JBoss mixin. The mixin now includes
Msf::Exploit::Remote::HttpClient which provides USERNAME and PASSWORD
2014-07-21 23:41:58 +02:00
us3r777
088f208c7c
Added auxiliary module jboss_bshdeployer
...
The module allows to deploy a WAR (a webshell for instance) using the
BSHDeployer.
Also refactored modules/exploits/multi/http/jboss_bshdeployer.rb to
use the new Mixin (lib/msf/http/jboss).
2014-07-18 11:51:46 +02:00
William Vu
ff6c8bd5de
Land #3479 , broken sock.get fix
2014-07-16 14:57:32 -05:00
William Vu
b6ded9813a
Remove EOL whitespace
2014-07-16 14:56:34 -05:00
jvazquez-r7
8937fbb2f5
Fix email format
2014-07-11 12:45:23 -05:00
HD Moore
90eccefcc8
Fix sock.get use and some minor bugs
2014-06-28 16:17:15 -05:00
HD Moore
5e900a9f49
Correct sock.get() to sock.get_once() to prevent indefinite hangs/misuse
2014-06-28 16:06:46 -05:00
HD Moore
3868348045
Fix incorrect use of sock.get that leads to indefinite hang
2014-06-28 15:48:58 -05:00
Tod Beardsley
0219c4974a
Release fixups, word choice, refs, etc.
2014-06-23 11:17:00 -05:00
Spencer McIntyre
61f4c769eb
Land #3461 , Chromecast factory reset module
2014-06-21 17:43:31 -04:00
William Vu
79bf80e6bf
Add generic error handling
...
Just in case a factory reset happens to fail.
2014-06-21 15:35:03 -05:00
William Vu
075eec39e1
Add Chromecast factory reset module
2014-06-18 10:04:17 -05:00
j0hnf
1a82a20c09
re-added incorrectly removed SMBSHARE option
2014-06-16 20:10:11 +01:00
William Vu
cb91b2b094
Fix broken table indent (s/Ident/Indent/ hash key)
2014-06-12 13:41:44 -05:00
Tod Beardsley
1aa029dbed
Avoid double quotes in the initialize/elewhere
...
There is no need to have double quotes there for uninterpolated strings,
and every other module uses single quotes.
2014-06-12 13:20:59 -05:00
William Vu
6ca5cf6c26
Add Chromecast YouTube remote control
2014-06-11 00:08:08 -05:00
jvazquez-r7
8a9c005f13
Add URL
2014-05-20 17:43:07 -05:00
Tod Beardsley
0ef2e07012
Minor desc and status updates, cosmetic
2014-05-19 08:59:54 -05:00
jvazquez-r7
2012d41b3d
Add origin of the user, and mark web users
2014-05-16 13:51:42 -05:00
jvazquez-r7
4143474da9
Add support for web databases
2014-05-16 11:47:01 -05:00
jvazquez-r7
883d2f14b5
delete debug print_status
2014-05-16 11:13:03 -05:00
jvazquez-r7
ea38a2c6e5
Handle ISO-8859-1 special chars
2014-05-16 11:11:58 -05:00
jvazquez-r7
c9465a8922
Rescue when the recovered info is in a format we can't understand
2014-05-16 08:57:59 -05:00
jvazquez-r7
7ec85c9d3a
Delete blank lines
2014-05-16 01:03:04 -05:00
jvazquez-r7
9091ce443a
Add suport to decode passwords
2014-05-16 00:59:27 -05:00
jvazquez-r7
5b3bb8fb3b
Fix @FireFart's review
2014-05-14 09:00:52 -05:00
jvazquez-r7
a7075c7e08
Add module for ZDI-14-077
2014-05-13 14:17:59 -05:00
Christian Mehlmauer
3f3283ba06
Resolved some msftidy warnings (Set-Cookie)
2014-05-12 21:23:30 +02:00
nodeofgithub
b80d366bb7
Add filter to output WPA-PSK password on Netgear DG834GT
2014-04-26 15:52:31 +02:00
Tod Beardsley
9035d1523d
Update wol.rb to specify rhost/rport directly
...
- [ ] Fire up tcpdump on the listening interface
- [ ] Run the module and see the pcap:
listening on vmnet8, link-type EN10MB (Ethernet), capture size 65535
bytes
20:56:02.592331 IP 192.168.145.1.41547 > 255.255.255.255.9: UDP, length
102
2014-04-14 20:57:20 -05:00
jvazquez-r7
d83f665466
Delete commas
2014-03-25 13:34:02 -05:00
Ramon de C Valle
e27adf6366
Fix msftidy warnings
2014-03-25 10:39:40 -03:00
Ramon de C Valle
473f745c3c
Add katello_satellite_priv_esc.rb
...
This module exploits a missing authorization vulnerability in the
"update_roles" action of "users" controller of Katello and Red Hat
Satellite (Katello 1.5.0-14 and earlier) by changing the specified
account to an administrator account.
2014-03-24 23:44:44 -03:00
David Maloney
da0c37cee2
Land #2684 , Meatballs PSExec refactor
2014-03-14 13:01:20 -05:00
William Vu
170608e97b
Fix first chunk of msftidy "bad char" errors
...
There needs to be a better way to go about preventing/fixing these.
2014-03-11 11:18:54 -05:00
Tod Beardsley
de6be50d64
Minor cleanup and finger-wagging about a for loop
2014-03-03 14:12:22 -06:00
jvazquez-r7
bfdefdb338
Land #3023 , @m-1-k-3's module for Linksys WRT120N bof reset password
2014-02-26 09:36:14 -06:00
jvazquez-r7
6ba26bf743
Use normalize_uri
2014-02-26 09:35:42 -06:00
jvazquez-r7
582372ec3e
Do minor cleanup
2014-02-26 09:32:11 -06:00
Michael Messner
b79197b8ab
feedback included, cleanup, login check
2014-02-26 13:44:36 +01:00
James Lee
d2945b55c1
Fix typo
...
inside_workspace_boundary() -> inside_workspace_boundary?()
2014-02-24 14:46:08 -06:00
Michael Messner
ec8e1e3d6f
small fixes
2014-02-21 21:59:45 +01:00
Michael Messner
1384150b7a
make msftidy happy
2014-02-21 21:56:46 +01:00
Michael Messner
c77fc034da
linksys wrt120 admin reset exploit
2014-02-21 21:53:56 +01:00
j0hnf
c62fa83a70
msf recommended changes + tweaked exception handling
2014-02-19 22:20:24 +00:00
j0hnf
4b247e2b9f
altered check_dir_file.rb so that it can check for the presence of a list of files/directories supplied using file:/ format rather than being limited to just the one file, handy for checking for indicators of compromise
2014-02-16 03:22:11 +00:00
sinn3r
89e1bcc0ca
Deprecate modules with date 2013-something
...
These modules had an expiration date of 2013.
2014-02-04 14:49:18 -06:00
sinn3r
7faa41dac0
Change Unknown to Safe because it's just a banner check
2014-01-23 15:36:19 -06:00
sinn3r
81a3b2934e
Fix prints
2014-01-23 15:33:24 -06:00
sinn3r
5025736d87
Fix check for modicon_password_recovery
2014-01-19 17:20:20 -06:00
jvazquez-r7
0b1671f1b8
Undo debugging comment
2014-01-14 17:02:30 -06:00
jvazquez-r7
6372ae6121
Save some parsing
2014-01-14 17:00:00 -06:00
Matt Andreko
2d40f936e3
Added some additional creds that were useful
2014-01-13 23:15:51 -05:00
Matt Andreko
42fb8c48d1
Fixed the credential parsing and made output consistent
...
So in the previous refactor, we made the dedicated method to parse
usernames and passwords from the split up config values. However, that
didn't work, because on a single iteration of the loop, you only have
access to a possible username OR password. The other matching key will
be another iteration of the loop. Because of this, no credential pairs
were being reported.
The only way I can see around this (maybe because I'm a ruby newb) would
be to iterate over configs, and if the user or password regex matches,
add the matching value to a hash, which is identified by a key for both
user & pass. Then upon completion of the loop, it'd iterate over the
hash, finding keys that had both user & pass values.
2014-01-13 22:57:25 -05:00
Tod Beardsley
207e9c413d
Add the test info for sercomm_dump_config
2014-01-13 14:27:03 -06:00
Tod Beardsley
671027a126
Pre-release title/desc fixes
2014-01-13 13:57:34 -06:00
jvazquez-r7
95a5d12345
Merge #2835 , #2836 , #2837 , #2838 , #2839 , #2840 , #2841 , #2842 into one branch
2014-01-13 10:57:09 -06:00
jvazquez-r7
410302d6d1
Fix indentation
2014-01-09 15:14:52 -06:00
Matt Andreko
b1073b3dbb
Code Review Feedback
...
Removed the parameters from get() since it works without them
2014-01-09 15:54:23 -05:00
Matt Andreko
2a0f2acea4
Made fixes from the PR from jvazquez-r7
...
The get_once would *only* return "MMcS", and stop. I
modified it to be a get(3, 3). Additionally, the command
length was set to 0x01 when it needed to be 0x00.
2014-01-09 15:33:04 -05:00
jvazquez-r7
be6958c965
Clean sercomm_dump_config
2014-01-09 13:42:11 -06:00
Matt Andreko
01c5585d44
Moved auxiliary module to a more appropriate folder
2014-01-09 10:17:26 -05:00
Matt Andreko
d9e737c3ab
Code Review Feedback
...
Refactored the configuration settings so that creds could be reported to
the database more easily, while still being able to print general
configuration settings separately.
2014-01-09 10:14:34 -05:00
Matt Andreko
81adff2bff
Code Review Feedback
...
Changed datastore['rhost'] to rhost
Made the array storing configuration values into a class const
Moved superfluous array look-over to not be executed unless in verbose
mode
2014-01-09 09:19:13 -05:00
Niel Nielsen
1479ef3903
Update typo3_winstaller_default_enc_keys.rb
...
Change to OpenSSL::Digest from deprecated OpenSSL::Digest::Digest
2014-01-07 22:08:10 +01:00
Matt Andreko
c5a3a0b5b7
Cleanup
2014-01-02 20:44:18 -05:00
Matt Andreko
6effdd42fa
Added module to enumerate certain Sercomm devices through backdoor
...
See more: https://github.com/elvanderb/TCP-32764
2014-01-02 20:42:42 -05:00
jvazquez-r7
7f9f4ba4db
Make gsubs compliant with the new indentation standard
2013-12-31 11:06:53 -06:00
jvazquez-r7
0eac17083a
Clean cfme_manageiq_evm_pass_reset
2013-12-18 16:16:32 -06:00
Ramon de C Valle
b9a9b90088
Update module to use added bcrypt gem
2013-12-18 16:15:35 -02:00
Ramon de C Valle
e20569181b
Remove EzCrypto-related code as per review
2013-12-18 16:15:22 -02:00
Ramon de C Valle
ef081cec49
Add missing disclosure date as per review
2013-12-18 15:47:23 -02:00
Ramon de C Valle
37826688ce
Add cfme_manageiq_evm_pass_reset.rb
...
This module exploits a SQL injection vulnerability in the "explorer"
action of "miq_policy" controller of the Red Hat CloudForms Management
Engine 5.1 (ManageIQ Enterprise Virtualization Manager 5.0 and earlier)
by changing the password of the target account to the specified
password.
2013-12-09 16:49:07 -02:00
sinn3r
230db6451b
Remove @peer for modules that use HttpClient
...
The HttpClient mixin has a peer() method, therefore these modules
should not have to make their own. Also new module writers won't
repeat the same old code again.
2013-12-03 12:58:16 -06:00
Tod Beardsley
55847ce074
Fixup for release
...
Notably, adds a description for the module landed in #2709 .
2013-12-02 16:19:05 -06:00
sinn3r
20e0a7dcfb
Land #2709 - ZyXEL GS1510-16 Password Extractor
2013-12-02 13:13:01 -06:00
Sven Vetsch / Disenchant
39fbb59ba9
re-added the reference I accidentally deleted
2013-12-02 19:06:19 +01:00
Sven Vetsch / Disenchant
cb98d68e47
added @wchen-r7's code to store the password into the database
2013-12-02 18:35:59 +01:00
Sven Vetsch / Disenchant
8e73023baa
and now in the correct data structure
2013-12-01 17:38:35 +01:00
Sven Vetsch / Disenchant
ef77b7fbbf
added reference as requested at https://github.com/rapid7/metasploit-framework/pull/2709
2013-12-01 17:36:15 +01:00
Sven Vetsch / Disenchant
aa62800184
added ZyXEL GS1510-16 Password Extractor
2013-11-29 10:42:17 +01:00
Jeff Jarmoc
03838aaa79
Update rails_devise_pass_reset.rb
...
Fixed erroneous status if FLUSHTOKENS is false.
2013-11-27 22:27:45 -06:00
Jeff Jarmoc
7f8baf979d
Adds the ability to configure object name in URI and XML. This allows exploiting other platforms that include devise.
...
For example, activeadmin is exploitable if running a vulnerable devise and rails version with the following settings;
msf > use auxiliary/admin/http/rails_devise_pass_reset
msf auxiliary(rails_devise_pass_reset) > set RHOST 127.0.0.1
RHOST => 127.0.0.1
msf auxiliary(rails_devise_pass_reset) > set RPORT 3000
RPORT => 3000
msf auxiliary(rails_devise_pass_reset) > set TARGETEMAIL admin@example.com
TARGETEMAIL => admin@example.com
msf auxiliary(rails_devise_pass_reset) > set TARGETURI /admin/password
TARGETURI => /admin/password
msf auxiliary(rails_devise_pass_reset) > set PASSWORD msf_pwnd
PASSWORD => msf_pwnd
msf auxiliary(rails_devise_pass_reset) > set OBJECTNAME admin_user
OBJECTNAME => admin_user
msf auxiliary(rails_devise_pass_reset) > exploit
[*] Clearing existing tokens...
[*] Generating reset token for admin@example.com...
[+] Reset token generated successfully
[*] Resetting password to "msf_pwnd"...
[+] Password reset worked successfully
[*] Auxiliary module execution completed
msf auxiliary(rails_devise_pass_reset) >
2013-11-27 15:35:43 -06:00
Meatballs
dd9bb459bf
PSEXEC Refactor
...
Move peer into mixin
PSEXEC should use the psexec mixin
2013-11-24 16:24:05 +00:00
Tod Beardsley
84572c58a8
Minor fixup for release
...
* Adds some new refs.
* Fixes a typo in a module desc.
* Fixes a weird slash continuation for string building (See #2589 )
2013-11-04 12:10:38 -06:00
Rich Lundeen
c3113f796e
Incorporating a few more cleanup items from jvazquez
2013-10-31 21:32:58 -07:00
Rich Lundeen
cbfef6ec7a
incoporating jvazquez feedback
2013-10-31 00:17:50 -07:00
Tod Beardsley
344413b74d
Reorder refs for some reason.
2013-10-30 12:25:55 -05:00
Tod Beardsley
32794f9d37
Move OpenBravo to aux module land
2013-10-30 12:20:04 -05:00
Tod Beardsley
9bb9f8b27b
Update descriptions on SMB file utils.
2013-10-28 13:48:25 -05:00
Tod Beardsley
0f63420e9f
Be specific about the type of hash
...
See #2583 . Since there are several types of hashes, we need to be more
specific about this -- see modules/exploits/windows/smb/psexec.rb which
uses an "smb_hash" as a password type.
Also, the fixes in #2583 do not appear to address anything else reported
on the Redmine issue, namely, operating system and architecture
identification discovered with this module (assuming good credentials).
Therefore, the Redmine issue should not be considered resolved.
[SeeRM #4398 ]
2013-10-28 13:40:07 -05:00
jvazquez-r7
9276a839d4
[FixRM #4398 ] Report credentials to database
2013-10-25 16:19:47 -05:00
sinn3r
7ee615223d
Land #2570 - HP Intelligent Management SOM Account Creation
2013-10-24 14:14:06 -05:00
jvazquez-r7
69da39ad52
Add module for ZDI-13-240
2013-10-23 16:01:01 -05:00
sinn3r
d1e1968cb9
Land #2566 - Download and delete a file via SMB
2013-10-23 12:28:57 -05:00
sinn3r
9a51dd5fc4
Do exception handling and stuff
2013-10-23 12:28:25 -05:00
sinn3r
0500842625
Do some exception handling
2013-10-23 12:22:49 -05:00
sinn3r
83a4ac17e8
Make sure fd is closed to avoid a possible resource leak
2013-10-23 12:16:18 -05:00
sinn3r
af02fd0355
Use store_loot, sorry mubix
2013-10-23 12:13:05 -05:00
Rob Fuller
8f3228d191
chage author but basic copied from hdms upload_file
2013-10-22 21:13:30 -04:00
Rob Fuller
b2b8824e2e
add delete and download modules for smb
2013-10-22 16:31:56 -04:00
William Vu
2aed8a3aea
Update modules to use new ZDI reference
2013-10-21 15:13:46 -05:00
sinn3r
032da9be10
Land #2426 - make use of Msf::Config.data_directory
2013-10-21 13:07:33 -05:00
sinn3r
6430fa3354
Land #2539 - Support Windows CMD generic payload
...
This also upgrades auxiliary/admin/scada/igss_exec_17 to an exploit
2013-10-21 11:26:13 -05:00
jvazquez-r7
be1d6ee0d3
Support Windows CMD generic payload
2013-10-17 14:07:27 -05:00
Tod Beardsley
07ab53ab39
Merge from master to clear conflict
...
Conflicts:
modules/exploits/windows/brightstor/tape_engine_8A.rb
modules/exploits/windows/fileformat/a-pdf_wav_to_mp3.rb
2013-10-17 13:29:24 -05:00
Tod Beardsley
2833d58387
Add OSVDB for vbulletin exploit
2013-10-16 15:01:28 -05:00
Tod Beardsley
3c2dddd7aa
Update reference with a non-plagarised source
2013-10-16 14:44:18 -05:00
Tod Beardsley
c83262f4bd
Resplat another common boilerplate.
2013-10-15 14:07:48 -05:00
Tod Beardsley
23d058067a
Redo the boilerplate / splat
...
[SeeRM #8496 ]
2013-10-15 13:51:57 -05:00
Tod Beardsley
cad7329f2d
Minor updates to vbulletin admin exploit
2013-10-10 22:09:38 -05:00
jvazquez-r7
4f3bbaffd1
Clean module and add reporting
2013-10-09 13:54:28 -05:00
jvazquez-r7
5c36533742
Add module for the vbulletin exploit in the wild
2013-10-09 13:12:57 -05:00
Meatballs
c460f943f7
Merge branch 'master' into data_dir
...
Conflicts:
modules/exploits/windows/local/always_install_elevated.rb
plugins/sounds.rb
scripts/meterpreter/powerdump.rb
scripts/shell/spawn_meterpreter.rb
2013-10-02 20:17:11 +01:00
Meatballs
7ba846ca24
Find and replace
2013-09-26 20:34:48 +01:00
FireFart
09fa7b7692
remove rport methods since it is already defined in Msf::Exploit::Remote::HttpClient
2013-09-25 23:50:34 +02:00
sinn3r
d006ee52b1
Land #2344 - Sophos Web Protection Appliance patience.cgi Directory Traversal
2013-09-12 14:13:32 -05:00
jvazquez-r7
02a073a8fe
Change module filename
2013-09-09 23:30:37 -05:00
jvazquez-r7
64348dc020
Update information
2013-09-09 23:29:48 -05:00
jvazquez-r7
2252aee398
Fix ltype on store_loot
2013-09-09 14:02:28 -05:00
jvazquez-r7
ce769b0c78
Add module for CVE-2013-2641
2013-09-09 13:56:45 -05:00
jvazquez-r7
3d48ba5cda
Escape dot on regex
2013-09-08 20:26:20 -05:00
jvazquez-r7
be9b0da595
Update print message
2013-09-06 16:09:38 -05:00
jvazquez-r7
830bc2ae64
Update OSVDB reference
2013-09-06 13:01:39 -05:00
jvazquez-r7
4e3d4994c3
Update description
2013-09-06 12:58:54 -05:00
jvazquez-r7
45821a505b
Add module for CVE-2013-0653
2013-09-06 12:42:34 -05:00
Tab Assassin
6b330ad39f
Retab changes for PR #2134
2013-09-05 14:24:37 -05:00
Tab Assassin
52ce6afd99
Merge for retab
2013-09-05 14:24:31 -05:00
Tab Assassin
41e4375e43
Retab modules
2013-08-30 16:28:54 -05:00
jvazquez-r7
b9360b9de6
Land #2286 , @wchen-r7's patch for undefined method errors
2013-08-26 20:46:05 -05:00
sinn3r
7fad26968c
More fix to jboss_seam_exec
2013-08-26 17:16:15 -05:00
Tod Beardsley
5b4890f5b9
Fix caps on typo3_winstaller module
2013-08-26 14:47:42 -05:00
sinn3r
37eaa62096
Fix undefined method error
...
[FixRM #8346 ]
2013-08-21 00:42:33 -05:00
sinn3r
9ca7a727e1
Fix undefined method error
...
[FixRM #8347 ]
2013-08-21 00:41:49 -05:00
sinn3r
5993cbe3a8
Fix undefined method error
...
[FixRM #8348 ]
2013-08-21 00:40:38 -05:00
sinn3r
9f98d4afe6
Fix undefined method error
...
[FixRM #8349 ]
2013-08-21 00:38:35 -05:00
sinn3r
ea78e8309d
Fix undefined method error
...
[FixRM #8350 ]
2013-08-21 00:35:36 -05:00
jvazquez-r7
586ae8ded3
Land #2249 , @wchen-r7's patch for [SeeRM #8314 ]
2013-08-20 10:32:47 -05:00
jvazquez-r7
4790d8de50
Land #2256 , @wchen-r7's patch for [FixRM #8316 ]
2013-08-19 23:23:57 -05:00
sinn3r
5366453031
[FixRM #8316 ] - Escape characters correctly
...
dots need to be escaped
2013-08-19 16:51:19 -05:00
sinn3r
7fc37231e0
Fix email format
...
Correct email format
2013-08-19 16:34:14 -05:00
sinn3r
17b5e57280
Typo
2013-08-19 15:32:19 -05:00
sinn3r
fb5ded1472
[FixRM #8314 ] - Use OptPath instead of OptString
...
These modules need to use OptPath to make sure the path is validated.
2013-08-19 15:30:33 -05:00
jvazquez-r7
f42797fc5c
Fix indentation
2013-08-16 14:19:37 -05:00
Tod Beardsley
f7339f4f77
Cleanup various style issues
...
* Unset default username and password
* Register SSL as a DefaultOption instead of redefining it
* Use the HttpClient mixin `ssl` instead of datastore.
* Unless is better than if !
* Try to store loot even if you can't cleanup the site ID.
2013-08-16 14:03:59 -05:00
jvazquez-r7
dfa1310304
Commas in the author array
2013-08-16 13:54:46 -05:00
Tod Beardsley
24b8fb0d7b
Whitespace retab, add rport 3780 as default
2013-08-16 13:31:05 -05:00
Tod Beardsley
e436d31d23
Use SSL by defailt
2013-08-16 11:32:10 -05:00
Tod Beardsley
60a229c71a
Use rhost and rport, not local host and port
2013-08-16 11:12:39 -05:00
Tod Beardsley
646d55b638
Description should be present tense
2013-08-16 11:06:34 -05:00
Tod Beardsley
f0237f07d6
Correct author and references
2013-08-16 11:04:51 -05:00
Brandon Perry
46d6fb3b42
Add module for xxe
2013-08-16 10:51:05 -05:00
Tod Beardsley
7e539332db
Reverting disaster merge to 593363c5f
with diff
...
There was a disaster of a merge at 6f37cf22eb
that is particularly
difficult to untangle (it was a bad merge from a long-running local
branch).
What this commit does is simulate a hard reset, by doing thing:
git checkout -b reset-hard-ohmu
git reset --hard 593363c5f9
git checkout upstream-master
git checkout -b revert-via-diff
git diff --no-prefix upstream-master..reset-hard-ohmy > patch
patch -p0 < patch
Since there was one binary change, also did this:
git checkout upstream-master data/exploits/CVE-2012-1535/Main.swf
Now we have one commit that puts everything back. It screws up
file-level history a little, but it's at least at a point where we can
move on with our lives. Sorry.
2013-07-29 21:47:52 -05:00
jvazquez-r7
47c21dfe85
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-07-24 11:42:11 -05:00
Tod Beardsley
147d432b1d
Move from DLink to D-Link
2013-07-23 14:11:16 -05:00
jvazquez-r7
4367a9ae49
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-07-22 15:09:35 -05:00
jvazquez-r7
70900cfe5e
Final cleanup for foreman_openstack_satellite_priv_esc
2013-07-22 14:59:23 -05:00
Ramon de C Valle
b6c9fd4723
Add foreman_openstack_satellite_priv_esc.rb
...
This module exploits a mass assignment vulnerability in the 'create'
action of 'users' controller of Foreman and Red Hat OpenStack/Satellite
(Foreman 1.2.0-RC1 and earlier) by creating an arbitrary administrator
account.
2013-07-22 15:24:25 -03:00
Rich Lundeen
12e48e252f
one more logdir fix, tested
2013-07-20 10:40:06 -07:00
Rich Lundeen
5fd8d53378
fixed bug with default logdir
2013-07-20 10:35:25 -07:00
Rich Lundeen
183cd7337d
added ability to execute larger scripts
2013-07-19 15:24:51 -07:00
jvazquez-r7
52079c960f
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-07-18 12:52:42 -05:00
Tod Beardsley
3ac2ae6098
Disambiguate the module title from existing psexec
2013-07-17 17:11:56 -05:00
jvazquez-r7
7ab4d4dcc4
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-06-25 17:34:29 -05:00
jvazquez-r7
5c265c99d2
Clean jboss_seam_exec @cmaruti's collab
2013-06-25 14:09:30 -05:00
Cristiano Maruti
f78b4d8874
modified according to jvazquez-r7 feedback
2013-06-20 16:29:42 +02:00
Cristiano Maruti
4846a680db
modified according to jvazquez-r7 feedback
2013-06-20 16:19:43 +02:00
Cristiano Maruti
8e64bf3d16
modified according to jvazquez-r7 feedback
2013-06-20 16:15:28 +02:00
Cristiano Maruti
a5332e5ed2
Module was updated to support WebSphere AS running seam-2.
...
msf auxiliary(jboss_seam_exec) > run
[*] Found right index at [0] - getRuntime
[*] Index [1]
[*] Index [2]
[*] Index [3]
[*] Index [4]
[*] Index [5]
[*] Found right index at [6] - exec
[*] Index [7]
[*] Index [8]
[*] Index [9]
[*] Index [10]
[*] Index [11]
[*] Index [12]
[*] Index [13]
[*] Index [14]
[*] Index [15]
[*] Index [16]
[*] Index [17]
[*] Index [18]
[*] Index [19]
[*] Index [20]
[*] Index [21]
[*] Index [22]
[*] Index [23]
[*] Index [24]
[*] Target appears VULNERABLE!
[*] Sending remote command:pwd
[*] Exploited successfully
[*] Auxiliary module execution completed
2013-06-20 12:17:07 +02:00
jvazquez-r7
66ea59b03f
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-28 15:22:46 -05:00
darknight007
6f2ddb3704
Update mssql_findandsampledata.rb
2013-05-25 11:33:57 +05:00
jvazquez-r7
011b0bb741
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-15 09:07:47 -05:00
jvazquez-r7
649a8829d3
Add modules for Mutiny vulnerabilities
2013-05-15 09:02:25 -05:00
jvazquez-r7
51a532e8b4
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-12 17:39:58 -05:00
jvazquez-r7
feac292d85
Clean up for dlink_dsl320b_password_extractor
2013-05-12 17:35:59 -05:00
jvazquez-r7
ee46771de5
Land #1799 , @m-1-k-3's auth bypass module for Dlink DSL320
2013-05-12 17:34:08 -05:00
m-1-k-3
e3582887cf
OSVDB, Base64
2013-05-07 08:28:48 +02:00
m-1-k-3
0f2a3fc2d4
dsl320b authentication bypass - password extract
2013-05-06 14:31:47 +02:00
jvazquez-r7
7bf4aa317f
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-04-25 10:31:51 -05:00
jvazquez-r7
b67fcd3219
Add OSVDB ref to sap_configservlet_exec_noauth
2013-04-25 08:13:32 -05:00
jvazquez-r7
96b66d3856
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-04-22 21:49:59 -05:00
jvazquez-r7
1529dff3f3
Do final cleanup for sap_configservlet_exec_noauth
2013-04-22 21:43:41 -05:00
jvazquez-r7
8c9715c2ed
Land #1751 , @andrewkabai's SAP Portal remote OS command exec
2013-04-22 21:41:53 -05:00
jvazquez-r7
5f5e772f7c
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-04-22 21:31:16 -05:00
Andras Kabai
79eb2ff62d
add EDB ID to references
2013-04-22 18:37:28 +02:00
Andras Kabai
15b06c43aa
sap_configservlet_exec_noauth auxiliary module
...
the final module was moved from my master branch to here because of the
pull request needs
2013-04-22 17:40:27 +02:00
Andras Kabai
b4f1f3efbb
remove aux module from master branch
2013-04-22 17:34:01 +02:00
Antoine
0115833724
SyntaxError fixes
2013-04-21 20:22:41 +00:00
Andras Kabai
49b055e5fd
make msftidy happy
2013-04-20 00:26:04 +02:00
Andras Kabai
e4d9c45ce9
remove unnecessary rank rating
2013-04-20 00:23:55 +02:00
Andras Kabai
763d1ac2f1
remove unnecessary option declaration
2013-04-19 21:42:28 +02:00
Andras Kabai
85932a2445
improve URI path and parameter handling
...
switch from PATH to TARGETURI datastore;
use normalize_uri to build uri;
use query in send_request_cgi to to prepare query string (instead of
vars_get that escapes the necessary semicolons)
2013-04-19 21:37:39 +02:00
Andras Kabai
c52588f579
remove Scanner mixin
...
remove Scanner mixin because this module is not a scanner modul
2013-04-19 20:28:44 +02:00
Andras Kabai
8f76c436d6
SAP ConfigServlet OS Command Execution module
...
This module allows execution of operating system commands throug the
SAP ConfigServlet without any authentication.
2013-04-18 20:26:48 +02:00
jvazquez-r7
070fd399f2
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-03-31 20:23:08 +02:00
m-1-k-3
587170ae52
fixed author details - next try
2013-03-30 12:43:55 +01:00
m-1-k-3
1d6184cd63
fixed author details
2013-03-30 12:41:31 +01:00
jvazquez-r7
393d5d8bf5
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-03-25 19:09:42 +01:00
jvazquez-r7
fdd06c923a
cleanup for dlink_dir_645_password_extractor
2013-03-25 18:04:12 +01:00
jvazquez-r7
a9a5a3f64f
Merge branch 'dlink-dir645-password-extractor' of https://github.com/m-1-k-3/metasploit-framework into m-1-k-3-dlink-dir645-password-extractor
2013-03-25 18:02:51 +01:00
sinn3r
0d56da0511
Merge branch 'netgear-sph200d' of github.com:m-1-k-3/metasploit-framework into m-1-k-3-netgear-sph200d
2013-03-25 11:45:40 -05:00
jvazquez-r7
2d5a0d6916
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-03-25 17:08:23 +01:00
m-1-k-3
98ac6e8090
feedback included
2013-03-24 21:01:30 +01:00
m-1-k-3
d90de54891
reporting and feedback
2013-03-24 15:00:18 +01:00
m-1-k-3
9f8ec37060
store loot
2013-03-24 11:48:49 +01:00
m-1-k-3
71708c4bc3
dir 645 password extractor - initial commit
2013-03-24 11:44:24 +01:00
jvazquez-r7
49ac3ac1a3
cleanup for linksys_e1500_e2500_exec
2013-03-23 23:30:49 +01:00
jvazquez-r7
98be5d97b8
Merge branch 'linksys-e1500-e2500-exec' of https://github.com/m-1-k-3/metasploit-framework into m-1-k-3-linksys-e1500-e2500-exec
2013-03-23 23:30:14 +01:00
m-1-k-3
b2bf1df098
fixed encoding and set telnetd as default cmd
2013-03-23 22:56:15 +01:00
m-1-k-3
47d458a294
replacement of the netgear-sph200d module
2013-03-23 22:40:32 +01:00
jvazquez-r7
cb56b2de4b
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-03-23 20:06:05 +01:00
m-1-k-3
270f64acc2
feedback included
2013-03-23 15:54:34 +01:00
sinn3r
f22c18e026
Merge branch 'module-psexec_command-file_prefix' of github.com:kn0/metasploit-framework into kn0-module-psexec_command-file_prefix
2013-03-22 13:08:13 -05:00
m-1-k-3
dcd2aebdcd
feedback included
2013-03-20 21:34:30 +01:00
jvazquez-r7
44f07cef19
Merge branch 'linksys-e1500-e2500-exec' of https://github.com/m-1-k-3/metasploit-framework
2013-03-20 00:47:31 +01:00
jvazquez-r7
80d218b284
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-03-19 19:55:51 +01:00
m-1-k-3
9fc0f9a927
initial commit
2013-03-19 17:31:01 +01:00
sinn3r
116f5b87f0
Merge branch 'axigen_file_access' of github.com:jvazquez-r7/metasploit-framework into jvazquez-r7-axigen_file_access
2013-03-19 08:33:58 -05:00
jvazquez-r7
d3a78db77a
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-03-14 14:12:11 +01:00
jvazquez-r7
7403239de7
cleanup for psexec_ntdsgrab
2013-03-14 13:40:45 +01:00
Trenton Ivey
97023413cb
Added advanced option for temp filenames prefix
2013-03-14 01:50:52 -05:00
Royce Davis
abbb3b248d
methods that use @ip now reference it directly instead of being passed in as paramaters
2013-03-13 19:35:53 -05:00
Royce Davis
462ffb78c1
Simplified copy_ntds & copy_sys check on line 91
2013-03-13 19:31:36 -05:00
Royce Davis
4e9af74763
All print statements now use #{peer}
2013-03-13 19:28:09 -05:00
Royce Davis
edf2804bb5
Added simple.disconnect to end of cleanup_after method
2013-03-13 19:23:22 -05:00
Royce Davis
8eba71ebe2
Added simple.disconnect to end of download_sys_hive method
2013-03-13 19:20:58 -05:00
jvazquez-r7
e5f7c08d6f
Added module for CVE-2012-4940
2013-03-13 11:52:54 +01:00
jvazquez-r7
91fbeda062
up to date
2013-03-12 17:04:27 +01:00
jvazquez-r7
6055438476
up to date
2013-03-12 17:04:27 +01:00
Royce Davis
9a970415bc
Module uses store_loot now instead of logdir which has been removed
2013-03-11 20:05:23 -05:00
Royce Davis
aa4cc11640
Removed Scanner class running as stand-alone single target module now
2013-03-11 13:39:47 -05:00
Royce Davis
a96753e9df
Added licensing stuff at the top
2013-03-10 20:07:04 -05:00
Royce Davis
bf9a2e4f52
Fixed module to use psexec mixin
2013-03-10 15:15:50 -05:00
Royce Davis
907983db4a
updating with r7-msf
2013-03-10 14:19:20 -05:00
James Lee
2160718250
Fix file header comment
...
[See #1555 ]
2013-03-07 17:53:19 -06:00
J.Townsend
db1f4d7e1d
added license info
2013-03-07 00:20:02 +00:00
J.Townsend
e8c1899dc2
added license info
2013-03-07 00:18:32 +00:00
J.Townsend
3946cdf91e
added license info
2013-03-07 00:17:55 +00:00
J.Townsend
1b493d0e4c
added license info
2013-03-07 00:16:26 +00:00
J.Townsend
9e89d9608f
added license info
2013-03-07 00:11:45 +00:00
J.Townsend
56639e7f15
added license info
2013-03-07 00:10:46 +00:00
Royce Davis
1d8c759a34
yeah
2013-03-06 16:01:36 -06:00
James Lee
ca43900a7c
Merge remote-tracking branch 'R3dy/psexec-mixin2' into rapid7
2013-03-05 16:34:11 -06:00
James Lee
27727df415
Merge branch 'R3dy-psexec-mixin2' into rapid7
2013-03-05 14:36:55 -06:00
David Maloney
4212c36566
Fix up basic auth madness
2013-03-01 11:59:02 -06:00
Royce Davis
ac50c32d51
Tested, works on server 2k8
2013-02-20 10:02:50 -06:00
James Lee
4703278183
Move SMB mixins into their own directory
2013-02-19 12:55:06 -06:00
James Lee
ede804e6af
Make psexec mixin a bit better
...
* Removes copy-pasted code from psexec_command module and uses the mixin
instead
* Uses the SMB protocol to delete files rather than psexec'ing to call
cmd.exe and del
* Replaces several instances of "rescue StandardError" with better
exception handling so we don't accidentally swallow things like
NoMethodError
* Moves file reading and existence checking into the Exploit::SMB mixin
2013-02-19 12:33:19 -06:00
jvazquez-r7
ec5c8e3a88
Merge branch 'dlink-dir300-600-execution' of https://github.com/m-1-k-3/metasploit-framework into m-1-k-3-dlink-dir300-600-execution
2013-02-16 19:12:42 +01:00
Jeff Jarmoc
c2f8e4adbd
Minor - Note Rails 3.1.11 patch in Description.
2013-02-13 22:30:54 -06:00
jvazquez-r7
d1784babea
little cleanup plus msftidy compliant
2013-02-13 20:24:49 +01:00
jvazquez-r7
0ae473b010
info updated with rails information
2013-02-13 09:52:17 +01:00
jvazquez-r7
f46eda2fa9
Merge branch 'rails_devise_pw_reset' of https://github.com/jjarmoc/metasploit-framework into jjarmoc-rails_devise_pw_reset
2013-02-13 09:51:37 +01:00
jvazquez-r7
799beb5adc
minor cleanup
2013-02-13 01:00:25 +01:00
Jeff Jarmoc
1d5d33f306
use normalize_uri()
2013-02-12 14:58:07 -06:00
Jeff Jarmoc
c6a7a4e68d
/URIPATH/TARGETURI/g
2013-02-12 14:50:10 -06:00
Jeff Jarmoc
c7719bf4cb
Verify response is non-nil.
2013-02-12 13:41:21 -06:00
Jeff Jarmoc
9e1f106a87
msftidy cleanup
2013-02-12 13:38:58 -06:00
jvazquez-r7
766257d26a
pointed by @m-1-k-3 while working on #1472
2013-02-11 21:21:43 +01:00
Jeff Jarmoc
5f0a3c6b9e
Removes pry, oops.
2013-02-11 14:02:46 -06:00
Jeff Jarmoc
753fa2c853
Handles error when TARGETEMAIL is invalid.
2013-02-11 13:58:56 -06:00
Jeff Jarmoc
61ffcedbfd
Address HD's other comments, fixes mismatched var name in last commit.
2013-02-11 11:17:26 -06:00
Jeff Jarmoc
e72dc47448
Uses REXML for encoding of password.
2013-02-11 11:12:29 -06:00
Jeff Jarmoc
43a1fbb6f2
Make msftiday happy.
2013-02-10 21:13:18 -06:00
Jeff Jarmoc
55cba56591
Aux module for joernchen's devise vuln - CVE-2013-0233
2013-02-10 21:10:00 -06:00
m-1-k-3
63c6791473
return
2013-02-09 11:17:02 +01:00
m-1-k-3
6cccf86a00
Merge branch 'master' of git://github.com/rapid7/metasploit-framework into dlink-dir300-600-execution
2013-02-09 11:09:56 +01:00
Tod Beardsley
5357e23675
Fixups to the Linksys module
...
Professionalizes the description a little, but more importantly, handles
LANIP better, I think. Instead of faking a 1.1.1.1 address, just detect
if it's set or not in a method and return the right thing accordingly.
Please test this before landing, obviously. I think it's what's
intended.
2013-02-06 12:46:50 -06:00
Tod Beardsley
faeaa74a49
Msftidy whitespace
2013-02-06 11:06:13 -06:00
m-1-k-3
43f3bb4fe6
small updates
2013-02-05 13:54:10 +01:00
m-1-k-3
5ca0e45388
initial commit
2013-02-04 08:44:12 +01:00
jvazquez-r7
2bf2d4d8a4
Merge branch 'netgear_sph200d_traversal' of https://github.com/m-1-k-3/metasploit-framework into m-1-k-3-netgear_sph200d_traversal
2013-02-03 23:35:29 +01:00
jvazquez-r7
c24c926ffa
add aditional check to detect valid device
2013-02-01 20:55:06 +01:00
jvazquez-r7
996ee06b0f
fix another print_ call
2013-02-01 20:43:54 +01:00
jvazquez-r7
152f397a1f
first module cleanup
2013-02-01 20:38:11 +01:00
m-1-k-3
988761a6de
more updates, BID, Exploit-DB
2013-02-01 20:18:53 +01:00
m-1-k-3
fdd5fe77c1
more updates ...
2013-02-01 19:59:19 +01:00
m-1-k-3
0e22ee73b5
updates ...
2013-02-01 19:26:34 +01:00
sinn3r
c174e6a208
Correctly use normalize_uri()
...
normalize_uri() should be used when you're joining URIs. Because if
you're merging URIs after it's normalized, you could get double
slashes again.
2013-01-30 23:23:41 -06:00
m-1-k-3
ea5e993bf3
initial
2013-01-29 22:02:29 +01:00
sinn3r
690ef85ac1
Fix trailing slash problem
...
These modules require the target URI to be a directory path. So
if you remove the trailing slash, the web server might return a
301 or 404 instead of 200.
Related to: [SeeRM: #7727 ]
2013-01-28 13:19:31 -06:00
Brandon McCann
15253f23bf
added RHOSTS funct
2013-01-24 15:29:35 -06:00
jvazquez-r7
1fc747994e
cleanup for linksys_wrt54gl_exec
2013-01-24 17:50:14 +01:00
m-1-k-3
3a5e92ba6f
hopefully all fixex included
2013-01-23 12:15:34 +01:00
Royce Davis
c601ceba3c
Fixed error deleting ntds and sys files
2013-01-22 09:42:49 -06:00
Royce Davis
ed3b886b61
working with psexec mixin
2013-01-22 09:36:43 -06:00
m-1-k-3
11c13500be
small fix
2013-01-21 13:41:42 +01:00