7585999e18
Land #7782 , Update themoon exploit to use wget command stager
2017-01-03 16:30:12 -06:00
ed74b239e3
Land #7768 , PHPMailer Sendmail Argument Injection exploit
2017-01-03 16:04:05 -06:00
3155af679a
Fix a typo
2017-01-03 16:03:45 -06:00
fe0a3c8669
Update themoon exploit to use wget command stager
2017-01-03 15:50:57 -06:00
cd90fd3b1c
Fix PHPMailer targets since 5.2.20 is not affected
2016-12-30 15:31:15 -05:00
1eab4b3a7d
Add an optional explicit triggeruri for phpmailer
2016-12-30 14:24:07 -05:00
64037b0d6e
Use a proper target instead of VERSION
2016-12-29 17:37:16 -05:00
c9dd7a50b6
Add the PHPMailer Argument Injection exploit
2016-12-29 17:17:06 -05:00
9d0ada9b83
Land #7749 , make drb_remote_codeexec great again
2016-12-28 06:11:48 -06:00
cfca4b121c
Clean up module
2016-12-28 06:10:46 -06:00
afd8315e1d
Remove apache_continuum_cmd_exec CmdStager flavor
...
It is inferred from the platform, and we don't want to override it
needlessly. :bourne is what worked during testing, but it won't always
work. Now we can override the flavor with CMDSTAGER::FLAVOR.
2016-12-27 16:24:16 -06:00
57e4bcbf71
Land #7454 , add CVE-2013-6282, put_user/get_user exploit for Android
2016-12-24 14:44:34 -06:00
679ebf31bd
Minor fix to make dRuby great again
2016-12-23 15:12:22 +01:00
d69acd116d
Make dRuby great again
2016-12-22 15:37:16 +01:00
934b05e736
Land #7310 , at(1) persistence module
2016-12-22 03:33:58 -06:00
b65a62ba93
Clean up module
2016-12-22 03:33:08 -06:00
25a8283af3
fork early and use WfsDelay
2016-12-20 00:59:27 +08:00
f1efa760df
more fixes
2016-12-20 00:52:11 +08:00
7ac3859393
convert futex_requeue module to use targetting and core_loadlib
2016-12-20 00:52:11 +08:00
c2dc350378
better fix for session compatibility
2016-12-15 17:41:44 +08:00
fa016de78a
Land #7634 , Implement universal HTTP/S handlers for Meterpreter payloads
2016-12-13 18:13:22 -06:00
fe9972cc25
fork early and use WfsDelay
2016-12-13 17:02:23 +08:00
7b7deb0588
better library cleanup
2016-12-13 17:02:23 +08:00
96b01effa7
cleanup library after use
2016-12-13 17:02:23 +08:00
909773120c
typos
2016-12-13 17:02:23 +08:00
ebf7ae0739
add CVE-2013-6282, put_user/get_user exploit for Android
2016-12-13 17:02:23 +08:00
a4f681ae35
Add quoted hex encoding
2016-12-06 09:05:35 -06:00
d549c2793f
Fix module filename to be TR-064
2016-12-02 08:49:21 -06:00
9e4e9ae614
Add a reference to the TR-064 spec
2016-12-02 08:48:09 -06:00
ddac5600e3
Reference TR-064, not TR-069
2016-12-02 08:45:15 -06:00
41355898fa
Remove extra def report_cred in vbulletin_vote_sqli_exec
2016-12-01 15:31:24 -06:00
174cd74900
Land #7532 , Add bypass UAC local exploit via Event Viewer module
2016-12-01 11:16:49 -06:00
1e9d80c998
Fix another typo
2016-12-01 11:16:06 -06:00
b8243b5d10
Fix a typo
2016-12-01 11:15:26 -06:00
1d6ee7192a
Land #7427 , new options for nagios_xi_chained_rce
2016-11-30 17:11:02 -06:00
3e8cdd1f36
Polish up USER_ID and API_TOKEN options
2016-11-30 17:10:52 -06:00
ebf5121359
Merge branch 'upstream/master' into add-bypassuac-eventvwr
2016-12-01 07:58:16 +10:00
6890e56b30
Remove call to missing function
2016-12-01 07:57:54 +10:00
d1be2d735f
Land #7578 , pdf-shaper exploit
...
Land lsato's work on the pdf-shaper buffer overflow
exploit
2016-11-30 11:13:12 -06:00
43cd788350
Switch back to echo as cmdstager flavor
2016-11-30 10:18:09 -06:00
b75fbd454a
Add missing peer in vprint_error
2016-11-30 07:59:41 -06:00
657d52951b
Linemax 63, switch to printf
2016-11-30 07:51:36 -06:00
08b9684c1a
Add a FORCE_EXPLOIT option for @FireFart
2016-11-29 16:37:13 -06:00
57d156a5e2
Revert "XML encode the command passed"
...
This reverts commit 9952c0ac6f
2016-11-29 16:24:26 -06:00
b7904fe0cc
Oh silly delimiters and lack thereof
2016-11-29 15:53:05 -06:00
9952c0ac6f
XML encode the command passed
2016-11-29 15:49:55 -06:00
851aae3f15
Oops, wrong module
...
This reverts commit d55d2099c5
2016-11-29 15:15:18 -06:00
d55d2099c5
Just one platform thanks
2016-11-29 15:08:45 -06:00
4d6b2dfb46
Use CmdStager instead
...
Oh, and this is totally untested as of this commit.
2016-11-29 15:03:38 -06:00
8de17981c3
Get rid of the WiFi key stealer
2016-11-29 14:48:04 -06:00
75bcf82a09
Never set DefaultPaylod, reverse target options
2016-11-29 14:43:10 -06:00
f55f578f8c
Title, desc, authors, refs
2016-11-29 14:39:38 -06:00
d691b86443
First commit of Kenzo's original exploit
...
This is a work in progress, and is merely the copy-paste
of the original PoC exploit from:
https://devicereversing.wordpress.com/2016/11/07/eirs-d1000-modem-is-wide-open-to-being-hacked/
2016-11-29 09:13:52 -06:00
e8158bd200
Add multi platform type, wire into the multi stage
2016-11-28 09:34:09 +10:00
6f70323460
Minor misspelling mistakes and corrected the check of the mysqld process
2016-11-25 19:03:23 +00:00
1119dc4abe
Targets set to automatic
...
removed targets and set only automatic
the targets weren't used so there's no funcionallity loss
2016-11-25 17:35:28 +00:00
59f3c9e769
Land #7579 , rename netfilter_priv_esc to rename netfilter_priv_esc_ipv4
2016-11-21 17:59:29 -06:00
8869ebfe9b
Fix incorrect disclosure date for OpenNMS exploit
...
Disclosure date was Nov 2015, not Nov 2014
2016-11-21 16:44:36 +00:00
6c6221445c
Land #7543 , Create exploit for CVE-2016-6563 / Dlink DIR HNAP Login
2016-11-21 09:59:50 -06:00
6ae8a2dd2e
Remove unused/empty function body
2016-11-21 17:59:49 +10:00
8c036885bc
Fix msftidy issues
2016-11-21 17:23:03 +10:00
e226047457
Merge 'upstream/master' into the bypassuac via eventvwr mod
2016-11-21 17:18:40 +10:00
005d34991b
update architecture
2016-11-20 19:09:33 -06:00
f313389be4
Merge remote-tracking branch 'upstream/master' into land-7507-uuid-arch
2016-11-20 19:08:56 -06:00
acfd214195
Mysql privilege escalation
...
Documentation, compiled binary and final implementation.
Completed the documentation, added the missing compiled binary and a
final and tested implementation of the module.
2016-11-19 11:24:29 +00:00
cfd31e32c6
renaming per @bwatters-r7 comment in #7491
2016-11-18 13:52:09 -05:00
920ecf6fc5
finishing metacoms work for pdf-shaper-bo
2016-11-18 11:36:02 -06:00
4596785217
Land #7450 , PowerShellEmpire Arbitrary File Upload
2016-11-17 17:47:15 -06:00
c0af5b690d
Land #6638 , add local exploit module to execute payload w/ stealth
2016-11-16 16:25:15 -06:00
e1ff37f3eb
Title change and handling Rex::TimeoutError exception
2016-11-16 16:23:44 -06:00
18bafaa2e7
Land #7531 , Fix drb_remote_codeexec and create targets
2016-11-16 12:58:22 -06:00
7b83720b90
Bring #6638 up to date
2016-11-15 12:27:05 -06:00
b56b6a49ac
Land #7328 , Extend lsa_transname_heap exploit to MIPS
2016-11-15 07:37:19 -06:00
fa9f2b340e
def setup isn't needed
2016-11-14 15:52:02 -06:00
bab07b5691
Bring #7540 up to date
2016-11-14 14:59:21 -06:00
c458d662ed
report correct credential status as successful
2016-11-14 12:27:22 -06:00
4ae90cbbef
Land #7191 , Add exploit for CVE-2016-6267 - Trend Micro Smart Protection Server authenticated RCE.
2016-11-14 12:06:02 -06:00
4e40546958
Land #7502 , Disk Pulse Enterprise Login Buffer Overflow
2016-11-14 10:28:53 -06:00
4f323527c9
Land #7549 , Deprecate/move wp_ninja_forms_unauthenticated_file_upload
2016-11-14 03:00:02 -06:00
908713ce68
remove whitespace at end of module name
2016-11-14 08:35:34 +00:00
4e9802786c
Removed spaces causing build to fail
2016-11-13 21:46:24 -06:00
9eb9d612ca
Minor typo fixups.
2016-11-11 16:54:16 -06:00
1dae206fde
Land #7379 , Linux Kernel BPF Priv Esc (CVE-2016-4557)
2016-11-11 16:50:20 -06:00
8cd9a9b670
Deprecate wp_ninja_forms_unauthenticated_file_upload
...
wp_ninja_forms_unauthenticated_file_upload actually supports
multiple platforms.
Instead of using:
exploit/unix/webapp/wp_ninja_forms_unauthenticated_file_upload
Please use:
exploit/multi/http/wp_ninja_forms_unauthenticated_file_upload
2016-11-10 11:17:09 -06:00
268a72f210
Land #7193 Office DLL hijack module
2016-11-08 23:15:27 -06:00
50f578ba79
Add full disclosure link
2016-11-08 22:15:19 +00:00
3c1f642c7b
Moved PPSX to data/exploits folder
2016-11-08 16:04:46 +01:00
95bd950133
Point to proper link on github
2016-11-07 17:59:29 +00:00
f268c28415
Create dlink_hnap_login_bof.rb
2016-11-07 17:45:37 +00:00
099a5984f9
Updated with style suggestions from msftidy and rubocop.
...
Also updated with commented from other contributors.
2016-11-07 10:18:52 -06:00
689fc28d1b
Added WinaXe 7.7 FTP client Server Ready buffer overflow
2016-11-06 23:35:16 -06:00
da356e7d62
Remove Compat hash to allow more payloads
2016-11-04 13:57:05 -05:00
f0c89ffb56
Refactor module and use FileDropper
2016-11-04 13:57:05 -05:00
6d7cf81429
Update references
2016-11-04 13:57:05 -05:00
009d6a45aa
Update description
2016-11-04 13:57:05 -05:00
bf7936adf5
Add instance_eval and syscall targets
2016-11-04 13:57:05 -05:00
4bf966f695
Add module to bypassuac using eventvwr
...
This module was inspired by the work done by Matt Nelson and Matt
Graeber who came up with the method in the first place. This works
nicely on a fully patched Windows 10 at the time of writing.
2016-11-05 04:41:38 +10:00
ca5610ccde
Land #7511 , Update jenkins_script_console to support newer versions
2016-11-04 11:24:25 -05:00
5ed030fcf6
Land #7529 , nil.downcase fix for tomcat_mgr_deploy
...
Don't think it was ever needed, since the password is case-sensitive.
Fixed a minor merge conflict where PASSWORD became HttpPassword.
2016-11-03 15:39:46 -05:00
2f8d3c3cf3
Remove the bug where downcase() is invoked on password which is optional and can be empty.
2016-11-03 15:23:19 -05:00
Brent Cook
wchen-r7
Adam Cammack
Spencer McIntyre
William Vu
joernchen of Phenoelit
Tim
Tod Beardsley
OJ
David Maloney
x2020
Prateep Bandharangshi
William Webb
h00die
Louis Sato
Brendan
Jeffrey Martin
Pedro Ribeiro
Chris Higgins
Pearce Barry
scriptjunkie
Yorick Koster
Jin Qian