Commit Graph

10016 Commits (f584d5c1c55cc433d3d85b49096270e7eb237db5)

Author SHA1 Message Date
mr_me bd646ded1b fixed the check function 2016-10-11 14:06:03 -05:00
mr_me d8f98ccd4e run through msftidy 2016-10-10 22:36:20 -05:00
mr_me f2252bb179 fixed a few things, thanks @h00die 2016-10-10 22:30:01 -05:00
mr_me 3c3f424a4d added a some references 2016-10-10 17:56:03 -05:00
mr_me bca3aab1db added CVE-2016-0752 2016-10-10 17:36:20 -05:00
h00die 9d2355d128 removed debug line 2016-10-10 10:23:51 -04:00
h00die 2ad82ff8e3 more nagios versatility 2016-10-10 10:21:49 -04:00
Pearce Barry 7b84e961ed
Minor output correction. 2016-10-09 19:01:06 -05:00
Pearce Barry d1a11f46e8
Land #7418, Linux recvmmsg Priv Esc (CVE-2014-0038) 2016-10-09 18:37:52 -05:00
h00die 7e6facd87f added wrong file 2016-10-09 09:49:58 -04:00
h00die 2c4a069e32 prepend fork fix 2016-10-09 09:40:44 -04:00
h00die 2dfebe586e working cve-2014-0038 2016-10-08 23:58:09 -04:00
Brent Cook b77a910205
Land #7355, allwinner post to local exploit conversion 2016-10-08 21:38:54 -05:00
wchen-r7 0e57808914 Update to class name MetasploitModule 2016-10-08 14:06:35 -05:00
RageLtMan f24bfe7d4e Import Powershell::exec_in_place
Allow passing exec_in_place parameter to cmd_psh_payload in order
to execute raw powershell without the commandline wrappers of
comspec or calling the powershell binary itself.
This is useful in contexts such as the web delivery mechanism or
recent powershell sessions as it does not require the creation of
a new PSH instance.
2016-10-08 14:06:35 -05:00
RageLtMan 36b989e6d7 Initial import of .NET compiler and persistence
Add Exploit::Powershell::DotNet namespace with compiler and
runtime elevator.

Add compiler modules for payloads and custom .NET code/blocks.

==============

Powershell-based persistence module to compile .NET templates
with MSF payloads into binaries which persist on host.
Templates by @hostess (way back in 2012).

C# templates for simple binaries and a service executable with
its own install wrapper.

==============

Generic .NET compiler post module

Compiles .NET source code to binary on compromised hosts.
Useful for home-grown APT deployment, decoy creation, and other
misdirection or collection activities.

Using mimikatz (kiwi), one can also extract host-resident certs
and use them to sign the generated binary, thus creating a
locally trusted exe which helps with certain defensive measures.

==============

Concept:

Microsoft has graciously included a compiler in every modern
version of Windows. Although executables which can be easily
invoked by the user may not be present on all hosts, the
shared runtime of .NET and Powershell exposes this functionality
to all users with access to Powershell.

This commit provides a way to execute the compiler entirely in
memory, seeking to avoid disk access and the associated forensic
and defensive measures. Resulting .NET assemblies can be run
from memory, or written to disk (with the option of signing
them using a pfx cert on the host). Two basic modules are
provided to showcase the functionality and execution pipeline.

Usage notes:

Binaries generated this way are dynamic by nature and avoid sig
based detection. Heuristics, sandboxing, and other isolation
mechanisms must be defeated by the user for now. Play with
compiler options, included libraries, and runtime environments
for maximum entropy before you hit the temmplates.

Defenders should watch for:
Using this in conjunction with WMI/PS remoting or other MSFT
native distributed execution mechanism can bring malware labs
to their knees with properly crafted templates.
The powershell code to generate the binaries also provides a
convenient method to leave behind complex trojans which are not
yet in binary form, nor will they be until execution (which can
occur strictly in memory avoiding disk access for the final
product).

==============

On responsible disclosure: I've received some heat over the years
for prior work in this arena. Everything here is already public,
and has been in closed PRs in the R7 repo for years. The bad guys
have had this for a while (they do their homework religiously),
defenders need to be made aware of this approach and prepare
themselves to deal with it.
2016-10-08 14:05:53 -05:00
h00die 7c20f20493 remove unneeded bash 2016-10-07 21:12:27 -04:00
Spencer McIntyre bbdb58eb00 Add an HTA server module using powershell 2016-10-06 19:25:22 -04:00
funkypickle fb0a438fdf Perform a version check to determine exploitability for graphite pickle 2016-10-05 16:08:02 -07:00
h00die 27cf5c65c4 working module 2016-10-04 23:21:53 -04:00
h00die 75bea08e0e changing branches 2016-10-04 21:08:12 -04:00
William Vu 63ed5624ff
Land #7395, Ninja Forms module update 2016-10-04 11:14:30 -05:00
William Vu f60d575d62 Add EOF newline back in 2016-10-04 11:14:15 -05:00
OJ 3101564a0a
Enable support for windows 8 in the exploit 2016-10-04 16:27:33 +10:00
OJ a4efa77878
Support driver list, adjust capcom exploit
This commit adds MSF-side support for listing currently loaded drivers
on the machine that Meterpreter is running on. It doesn't add a UI-level
command at this point, as I didn't see the need for it. It is, however,
possible to enumerate drivers on the target using the client API.

Also, the capcom exploit is updated so that it no longer checks for the
existence of the capcom.sys file in a fixed location on disk. Instead,
it enumerates the currently loaded drivers using the new driver listing
function, and if found it checks to make sure the MD5 of the target file
is the same as the one that is expected. The has is used instead of file
version information because the capcom driver doesn't have any version
information in it.
2016-10-04 11:27:20 +10:00
h00die e6daef62b4 egypt 2016-10-03 20:24:59 -04:00
wchen-r7 b1cb153c31 Make errors more meaningful 2016-10-03 15:29:40 -05:00
h00die 7b0a8784aa additional doc updates 2016-09-29 19:02:16 -04:00
h00die bac4a25b2c compile or nill 2016-09-29 06:15:17 -04:00
h00die 4fac5271ae slight cleanup 2016-09-29 05:51:13 -04:00
h00die c036c258a9 cve-2016-4557 2016-09-29 05:23:12 -04:00
h00die 3b548dc3cd update email and paths 2016-09-28 18:37:48 -04:00
jvoisin 2272e15ca2 Remove some anti-patterns, in the same spirit than #7372 2016-09-29 00:15:01 +02:00
William Vu 988471b860
Land #7372, useless use of cat fix
Obligatory: modules/exploits/linux/local/kloxo_lxsuexec.rb.
2016-09-28 16:37:11 -05:00
William Vu 3033c16da6 Add missing rank 2016-09-28 16:37:04 -05:00
jvoisin b46073b34a Replace `cat` with Ruby's `read_file`
Thanks to wvu-r7 for the comment
2016-09-28 23:22:19 +02:00
William Vu 45ee59581b
Fix inverted logic in Docker exploit
Positive condition should be tested first, imo. Confusing otherwise. My
bad, though.

Credit to @fslavin-r7.
2016-09-28 15:36:09 -05:00
William Vu ab94bb9cdd
Land #7365, nonce fix for Ninja Forms exploit 2016-09-28 13:57:08 -05:00
Julien (jvoisin) Voisin dbb2abeda1 Remove the `cat $FILE | grep $PATTERN` anti-pattern
The `kloxo_lxsuexec.rb` and `netfilter_pvi_esc.rb` exploits
were using the infamous `cat+grep` anti-pattern, this commit
replaces it with `cat` and Ruby's `.include?` method.
2016-09-28 13:41:25 +02:00
h00die 35a2b3e59d working panda 2016-09-27 20:15:17 -04:00
wchen-r7 f838c9990f Fix nonce bug in wp_ninja_forms_unauthenticated_file_upload
If wordpress saves the nonce value in JavaScript, we could get an
undefined method for nil.
2016-09-27 11:30:52 -05:00
OJ 76b3c37262
Fix msftidy errors 2016-09-27 22:56:07 +10:00
OJ 0e82ced082
Add LPE exploit module for the capcom driver flaw
This commit includes:

* RDI binary that abuses the SMEP bypass and userland function pointer
  invocation that is provided by the driver.
* Related metasploit module.
* Associated make.build to build from command line.
* Updated command line build file.

This also includes the beginnings of a new set of functions that help
with the management/automation of kernel-related work on Windows for
local priv esc exploits.
2016-09-27 22:37:45 +10:00
Pearce Barry 6382fffc75
Land #7326, Linux Kernel Netfilter Privesc 2016-09-26 12:38:50 -05:00
Adam Cammack a13e83af8a
Land #7357, Stagefright CVE-2015-3864 2016-09-25 17:10:06 -05:00
h00die 23e5556a4c binary drops work! 2016-09-24 21:31:00 -04:00
Joshua J. Drake dbf66f27d5 Add a browser-based exploit module for CVE-2015-3864 2016-09-23 11:14:31 -05:00
George Papakyriakopoulos 639dee993a Fixed interactive password prompt issue
Fixed an issue where the exploit would drop to interactive password prompt by default on newer ruby version which rendered the exploit unusable. It now properly forces pubkey authentication instead and proceeds with the bypass as expected.
2016-09-23 17:03:40 +01:00
Pearce Barry 5de1d34869
Land #7341, add module metasploit_static_secret_key_base 2016-09-23 09:20:48 -05:00
h00die cba297644e post to local conversion 2016-09-22 22:08:24 -04:00
h00die 7646771dec refactored for live compile or drop binary 2016-09-22 20:07:07 -04:00
wchen-r7 bc425b0378 Update samsung_security_manager_put
This patch improves the following

* Stage 1 XSS/JS attack to use the body.onload callback
* Better timing for FF
2016-09-22 12:02:49 -05:00
Brent Cook 9f3c8c7eee
Land #7268, add metasploit_webui_console_command_execution post-auth exploit 2016-09-22 00:50:58 -05:00
Brent Cook 88cef32ea4
Land #7339, SSH module fixes from net:ssh updates 2016-09-22 00:27:32 -05:00
Brendan 04f8f7a0ea
Land #7266, Add Kaltura Remote PHP Code Execution 2016-09-21 17:14:49 -05:00
Justin Steven dcfbb9ee6a
Tidy info
Replace errant \t with \x20
2016-09-21 20:14:11 +10:00
Justin Steven 1e24568406
Tweak verbosity re: found secrets 2016-09-21 20:14:08 +10:00
Justin Steven 30d07ce0c7
Tidy metasploit_static_secret_key_base module
* Inline magic values
* Optimise out dead Rails3-specific code
2016-09-21 20:13:58 +10:00
Louis Sato 8b1d29feef
Land #7304, fix rails_secret_deserialization popchain 2016-09-20 16:05:03 -05:00
Mehmet Ince 2d3c167b78
Grammar changes again. 2016-09-20 23:51:12 +03:00
Mehmet Ince 0f16393220
Yet another grammar changes 2016-09-20 19:48:40 +03:00
Mehmet Ince fb00d1c556
Another minor grammer changes 2016-09-20 19:23:28 +03:00
Brendan 251421e4a7 Minor grammar changes 2016-09-20 10:37:39 -05:00
Mehmet Ince 385428684f
Move module and docs under the exploit/linux/http folder 2016-09-20 12:45:23 +03:00
Brent Cook a9a1146155 fix more ssh option hashes 2016-09-20 01:30:35 -05:00
Mehmet Ince c689a8fb61
Removing empty lines before module start 2016-09-20 01:42:18 +03:00
Mehmet Ince 29a14f0147
Change References to EDB number and remove 4 space 2016-09-20 01:31:56 +03:00
Justin Steven a1ca27d491
add module metasploit_static_secret_key_base 2016-09-20 07:04:00 +10:00
David Maloney e315ec4e73
Merge branch 'master' into bug/7321/fix-ssh-modules 2016-09-19 15:27:37 -05:00
h00die 3bc566a50c fix email 2016-09-18 20:09:38 -04:00
h00die edd1704080 reexploit and other docs and edits added 2016-09-18 09:01:41 -04:00
h00die 4f85a1171f reexploit and other docs and edits added 2016-09-18 08:51:27 -04:00
Mehmet Ince 53d4162e7d Send payload with POST rather than custom header. 2016-09-17 23:11:16 +03:00
Thao Doan d2100bfc4e
Land #7301, Support URIHOST for exim4_dovecot_exec for NAT 2016-09-16 12:49:57 -07:00
Thao Doan 7c396dbf59
Use URIHOST 2016-09-16 12:48:54 -07:00
William Vu 4d0643f4d1
Add missing DefaultTarget to Docker exploit 2016-09-16 13:09:00 -05:00
William Vu da516cb939
Land #7027, Docker privesc exploit 2016-09-16 12:44:21 -05:00
William Vu e3060194c6
Fix formatting in ubiquiti_airos_file_upload
Also add :config and :use_agent options.
2016-09-16 12:27:09 -05:00
Jan Mitchell 7393d91bfa Merge branch 'master' of https://github.com/rapid7/metasploit-framework into upstream-master 2016-09-16 10:46:44 +01:00
h00die 4be4bcf7eb forgot updates 2016-09-16 02:08:09 -04:00
h00die 2e42e0f091 first commit 2016-09-16 01:54:49 -04:00
William Vu a7103f2155 Fix missing form inputs
Also improve check string.
2016-09-15 19:19:24 -05:00
David Maloney dfcd5742c1
some more minor fixes
some more minor fixes around broken
ssh modules

7321
2016-09-15 14:25:17 -05:00
David Maloney e10c133eef
fix the exagrid exploit module
split the exagrid exploit module up and
refactor to be able to easily tell if the
key or the password was used

7321
2016-09-15 11:44:19 -05:00
Justin Steven 116c754328
tidy Platform 2016-09-15 10:35:42 +10:00
Justin Steven 8a0c8b54fc
merge branch 'master' into PR branch
make Travis happy
2016-09-15 10:31:24 +10:00
Jon Hart a7cf0c8a32
Make at_persistence more persistent 2016-09-14 16:19:59 -07:00
Justin Steven ff1c839b7d
appease msftidy
trailing whitespace
2016-09-15 08:18:43 +10:00
William Webb 01327f0265
Land #7245, NetBSD mail.local privilege escalation module 2016-09-14 16:07:12 -05:00
William Vu c6214d9c5e Fix and clean module 2016-09-14 14:36:29 -05:00
James Lee 27be29edb4
Fix typo 2016-09-14 13:21:37 -05:00
James Barnett 6509b34da1
Land #7255, Fix issue causing Glassfish to fail uploading to Windows targets. 2016-09-14 12:57:41 -05:00
William Vu 8533e6c5fd
Land #7252, ARCH_CMD to ARCH_PHP for phoenix_exec 2016-09-14 10:38:37 -05:00
Jon Hart 79a8123d2f
Trim platform, expand payload 2016-09-13 21:44:41 -07:00
Jon Hart 18d424bb83
Update waiting message to indicate that it will wait up to that long 2016-09-13 21:16:59 -07:00
Jon Hart b16e84f574
Bump default WfsDelay to account for execution at 0s and execution delays
Also, platforms, which I think achieves nothing right now.
2016-09-13 21:04:30 -07:00
Jon Hart 18c54ebb5e
Minor rubocop gripe 2016-09-13 20:54:30 -07:00
Jon Hart 15e44e296b
Fix cmd execution; use and cleanup temporary files 2016-09-13 20:51:32 -07:00
Jon Hart 972db476ef
Implement check for at_persistence 2016-09-13 16:08:49 -07:00
Brent Cook 7352029497 first round of SSL damage fixes 2016-09-13 17:42:31 -05:00
wchen-r7 10efafe44e
Land #7306, Update links and add CVE to WebNMS modules 2016-09-13 15:52:27 -05:00
wchen-r7 ed5bbb9885
Land #7284, Add SugarCRM REST PHP Object Injection exploit 2016-09-13 15:46:46 -05:00
wchen-r7 a0095ad809 Check res properly and update Ruby syntax
If res is nil, it should not be doing res.code
2016-09-13 15:45:57 -05:00
Pedro Ribeiro 8d4ee3fac6 Forgot the bracket! 2016-09-13 19:01:22 +01:00
Pedro Ribeiro 41bdae4b84 update links and CVE on webnms_file_upload 2016-09-13 18:50:25 +01:00
Jon Hart c69d65c47e
Initial commit of at(1) 'persistence'
Initial inspiration from @h00die's cron module in #7003
2016-09-13 10:25:13 -07:00
Justin Steven 17bad7bd4f
fix popchain
ERB changed as per <https://github.com/ruby/ruby/commit/e82f4195d4>
which broke the popchain used for code execution.
2016-09-13 21:25:14 +10:00
nixawk 1ce9aedb97 parenthesis for condition expression 2016-09-13 03:37:47 -05:00
nixawk fd16c1c3b7 Fix issue-7295 2016-09-13 01:32:20 -05:00
aushack 11342356f8 Support LHOST for metasploit behind NAT 2016-09-13 11:23:49 +10:00
Brent Cook a81f351cb3
Land #7274, Remove deprecated modules 2016-09-09 12:01:59 -05:00
Justin Steven 6bafad44f2
drop 'require uri', tweak option text 2016-09-09 20:31:23 +10:00
Justin Steven 0b012c2496
Combine Unix and Windows modules 2016-09-09 20:28:13 +10:00
William Vu 7d44bd5ba4 Clean up module 2016-09-06 23:30:58 -05:00
aushack 015b790295 Added default rport. 2016-09-07 14:24:07 +10:00
catatonic c06ee991ed Adding WiFi pineapple command injection via authenticaiton bypass. 2016-09-06 17:22:25 -07:00
catatonic 8d40dddc17 Adding WiFi pineapple preconfig command injection module. 2016-09-06 17:18:36 -07:00
EgiX df5fdbff41 Add module for KIS-2016-07: SugarCRM REST PHP Object Injection
This PR contains a module to exploit KIS-2016-07, a PHP Object Injection vulnerability in SugarCRM CE before version 6.5.24 that allows unauthenticated users to execute arbitrary PHP code with the permissions of the webserver. Successful exploitation of this vulnerability should require SugarCRM to be running on PHP before version 5.6.25 or 7.0.10, which fix CVE-2016-7124.
2016-09-07 01:58:41 +02:00
Quentin Kaiser e4d118108a Trend Micro SafeSync exploit. 2016-09-06 19:33:23 +00:00
William Vu fed2ed444f Remove deprecated modules
psexec_psh is undeprecated because users have been reporting
idiosyncrasies between it and psexec in the field.
2016-09-03 12:43:01 -05:00
Justin Steven ea220091ea
add metasploit_webui_console_command_execution
These modules target the Metasploit Community/Express/Pro Web UI on
Unix and Windows via the diagnostic console feature
2016-09-03 09:12:09 +10:00
Mehmet Ince ba6c2117cf
Fix msftidy issues 2016-09-02 18:18:43 +03:00
Mehmet Ince 144fb22c32
Add Kaltura PHP Remote Code Execution module 2016-09-02 18:09:53 +03:00
Jan Mitchell 411689aa44 Adding changes to Samba exploit to target MIPSBE (this is for OpenWRT on a router 2016-09-01 10:05:13 +01:00
wchen-r7 445a43bd97 Trim the fat 2016-08-30 15:56:51 -05:00
wchen-r7 1b505b9b67 Fix #7247, Fix GlassFish on Windows targets
Fix #7247
2016-08-30 15:46:08 -05:00
William Vu 7a412031e5 Convert phoenix_exec to ARCH_PHP 2016-08-29 14:14:22 -05:00
William Vu 43a9b2fa26
Fix missing return
My bad.
2016-08-29 14:13:18 -05:00
William Vu d50a6408ea
Fix missed Twitter handle 2016-08-29 13:46:26 -05:00
William Vu f8fa090ec0
Fix one more missed comma 2016-08-29 13:40:55 -05:00
William Vu 53516d3323
Fix #7220, phoenix_exec module cleanup 2016-08-29 13:28:15 -05:00
h00die 748c959cba forgot to save before PR 2016-08-25 21:45:17 -04:00
h00die 5dff01625d working code 2016-08-25 21:32:25 -04:00
Pearce Barry 226ded8d7e
Land #6921, Support basic and form auth at the same time 2016-08-25 16:31:26 -05:00
h00die f2e2cb6a5e cant transfer file 2016-08-21 19:42:29 -04:00
h00die 6306fa5aa5 Per discussion in #7195, trying a different route. Currently this compiles, then passes the binary. However, there isn't a reliable binary transfer method at this point, so the rewrite from this point will be to transfer the ascii file, then compile on system (gcc is installed by default I believe) 2016-08-21 19:16:04 -04:00
Jay Turla ee89b20ab7 remove 'BadChars' 2016-08-19 23:49:11 +08:00
Jay Turla e3d1f8e97b Updated the description 2016-08-19 22:22:56 +08:00
Jay Turla 5a4f0cf72f run msftidy 2016-08-19 21:56:02 +08:00
Jay Turla c66ea5ff8f Correcting the date based on the EDB 2016-08-19 21:47:57 +08:00
Jay Turla d4c82868de Add Phoenix Exploit Kit Remote Code Execution
This module exploits a Remote Code Execution in the web panel of Phoenix Exploit Kit Remote Code Execution via the geoip.php. The Phoenix Exploit Kit is a popular commercial crimeware tool that probes the browser of the visitor for the presence of outdated and insecure versions of browser plugins like Java, and Adobe Flash and Reader which then silently installs malware.

```
msf exploit(phoenix_exec) > show options

Module options (exploit/multi/http/phoenix_exec):

   Name       Current Setting              Required  Description
   ----       ---------------              --------  -----------
   Proxies                                 no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST      192.168.52.128               yes       The target address
   RPORT      80                           yes       The target port
   SSL        false                        no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /Phoenix/includes/geoip.php  yes       The path of geoip.php which is vulnerable to RCE
   VHOST                                   no        HTTP server virtual host


Payload options (cmd/unix/reverse):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.52.129   yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Phoenix Exploit Kit / Unix


msf exploit(phoenix_exec) > check
[+] 192.168.52.128:80 The target is vulnerable.
msf exploit(phoenix_exec) > exploit

[*] Started reverse TCP double handler on 192.168.52.129:4444 
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo RZpbBEP77nS8Dvm4;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "RZpbBEP77nS8Dvm4\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 5 opened (192.168.52.129:4444 -> 192.168.52.128:51748) at 2016-08-19 09:29:22 -0400

uname -a
Linux ubuntu 4.4.0-28-generic #47-Ubuntu SMP Fri Jun 24 10:08:35 UTC 2016 i686 i686 i686 GNU/Linux
```
2016-08-19 21:29:55 +08:00
William Webb 3eb3c5afa2
Land #7215, Fix drupal_coder_exec bugs #7215 2016-08-18 13:43:23 -05:00
William Vu 2b6576b038
Land #7012, Linux service persistence module 2016-08-17 22:45:35 -05:00
William Vu c64d91457f
Land #7003, cron/crontab persistence module 2016-08-17 22:45:16 -05:00
William Vu 4228868c29 Clean up after yourself
Can't use FileDropper. :(
2016-08-16 23:09:14 -05:00
William Vu 1f63f8f45b Don't override payload
pl is a cheap replacement.
2016-08-16 23:08:53 -05:00
William Vu b3402a45f7 Add generic payloads
Useful for testing and custom stuff.
2016-08-16 23:08:09 -05:00
William Vu 2fed51bb18
Land #7115, Drupal CODER exploit 2016-08-15 01:15:23 -05:00
William Vu 62d28f10cb Clean up Mehmet modules 2016-08-15 01:12:58 -05:00
Brent Cook d34579f1f0
Land #7203, Fix struts_default_action_mapper payload request delay 2016-08-12 23:00:44 -05:00
Brent Cook 1733d3e1f1 remove obsolete tested-on comment 2016-08-12 17:26:43 -05:00
Pearce Barry 1e7663c704
Land #7200, Rex::Ui::Text cleanup 2016-08-12 16:22:55 -05:00
Mehmet Ince b4846e5793
Enabling cmd_bash payload type with bash-tcp cmd 2016-08-13 00:14:25 +03:00
Mehmet Ince d38e9f8ceb
Using # instead of ;. Semicolon is causing msg in error.log. 2016-08-12 23:35:29 +03:00
wchen-r7 f4e4a5dcf3 Fix struts_default_action_mapper payload request delay
MS-1609
2016-08-12 15:29:00 -05:00
Mehmet Ince ba79579202
Extending Space limitation up to 250 2016-08-12 22:32:49 +03:00
Brendan 1a7286f625
Land #7062, Create exploit for WebNMS 5.2 RCE 2016-08-12 07:11:48 -07:00
David Maloney eb73a6914d
replace old rex::ui::text::table refs
everywhere we called the class we have now rewritten it
to use the new namespace

MS-1875
2016-08-10 13:30:09 -05:00
Yorick Koster b7049939d9 Fixed more build errors 2016-08-09 12:55:18 +02:00
Yorick Koster 22054ce85c Fixed build errors 2016-08-09 12:47:08 +02:00
Yorick Koster b935e3df2e Office OLE Multiple DLL Side Loading Vulnerabilities
Multiple DLL side loading vulnerabilities were found in various COM
components.
These issues can be exploited by loading various these components as an
embedded
OLE object. When instantiating a vulnerable object Windows will try to
load one
or more DLLs from the current working directory. If an attacker
convinces the
victim to open a specially crafted (Office) document from a directory
also
containing the attacker's DLL file, it is possible to execute arbitrary
code with
the privileges of the target user. This can potentially result in the
attacker
taking complete control of the affected system.
2016-08-09 12:29:08 +02:00
wchen-r7 c64e1b8fe6
Land #7181, NUUO NVRmini 2 / Crystal / NETGEAR ReadyNAS Surveillance 2016-08-08 16:04:33 -05:00
wchen-r7 cb04ff48bc
Land #7180, Add exploit for CVE 2016-5674 / Nuuo / Netgear unauth RCE 2016-08-08 15:55:39 -05:00
wchen-r7 8654baf3dd
Land #6880, add a module for netcore/netdis udp 53413 backdoor 2016-08-08 15:43:34 -05:00
wchen-r7 f98efb1345 Fix typos 2016-08-08 15:41:03 -05:00
Quentin Kaiser 1320647f31 Exploit for Trend Micro Smart Protection Server (CVE-2016-6267). 2016-08-08 18:47:46 +00:00
wchen-r7 3d1289dac3
Land #7185, Add VMware Host Guest Client Redirector DLL Hijack Exploit 2016-08-08 11:41:40 -05:00
wchen-r7 51c457dfb3 Update vmhgfs_webdav_dll_sideload 2016-08-08 11:40:03 -05:00
Pedro Ribeiro 3b64b891a6 Update nuuo_nvrmini_unauth_rce.rb 2016-08-05 21:53:25 +01:00
Pedro Ribeiro 746ba4d76c Add bugtraq reference 2016-08-05 21:53:08 +01:00
Steven Seeley 230903562f Add Samsung Security Manager 1.5 ActiveMQ Broker exploit 2016-08-05 15:19:22 -05:00
Yorick Koster dae1679245 Fixed build warnings 2016-08-05 20:40:41 +02:00
Yorick Koster 02e065dae6 Fixed disclosure date format 2016-08-05 20:32:58 +02:00
Yorick Koster 97d11a7041 Exploit module for CVE-2016-5330 VMware Host Guest Client Redirector DLL hijack 2016-08-05 20:19:40 +02:00
Pedro Ribeiro 07e210c143 Add changes requested to target.uri 2016-08-04 17:50:16 +01:00
Pedro Ribeiro 2aca610095 Add github link 2016-08-04 17:38:31 +01:00
Pedro Ribeiro 7d8dc9bc82 Update nuuo_nvrmini_unauth_rce.rb 2016-08-04 17:38:14 +01:00
Pedro Ribeiro b48518099c add exploit for CVE 2016-5674 2016-08-04 16:55:21 +01:00
Pedro Ribeiro 0deac80d61 add exploit for CVE 2016-5675 2016-08-04 16:54:38 +01:00
wchen-r7 14a387e4eb
Land #7163, Add exploit payload delivery via SMB 2016-08-03 14:44:59 -05:00
wchen-r7 2f6e0fb58c
Land #7172, Add exploit for CVE-2016-0189 (MSIE) 2016-08-03 14:14:16 -05:00
wchen-r7 e16c57ed07 Lower rank 2016-08-03 14:02:47 -05:00
wchen-r7 96dbf627ae Remove unwanted metadata for HttpServer 2016-08-03 13:55:58 -05:00
William Webb be4f55aa2f forgot to update ranking 2016-08-02 13:30:12 -05:00
William Webb 4c15e5e33a
Land #7171, Hint about incorrect RAILSVERSION 2016-08-01 15:40:27 -05:00
Brent Cook abf435d6c2
Land #6960, Auth bypass for Polycom HDX video endpoints 2016-08-01 14:02:50 -05:00
Brent Cook 5309f2e4fb endpoints, not end points 2016-08-01 14:02:17 -05:00
Brent Cook b34201e65c restore session as an instance variable 2016-08-01 13:58:54 -05:00
William Webb ba0da52274 msftidy cleanup 2016-08-01 13:36:05 -05:00
William Webb 21e6211e8d add exploit for cve-2016-0189 2016-08-01 13:26:35 -05:00
William Vu 3b13adba70 Hint about incorrect RAILSVERSION
If the secret doesn't match, you might have set the wrong RAILSVERSION.
The difference is secret_token (Rails 3) vs. secret_key_base (Rails 4).
2016-08-01 09:36:25 -07:00
James Lee d46c3a1d8c
Collector looks like hex, store it as a string 2016-07-29 21:57:51 -05:00
Andrew Smith 1d6fa11c4f Addition of SMB delivery module 2016-07-29 14:58:30 -04:00
wchen-r7 1e1866f583 Fix #7158, tiki_calendar_exec incorrectly reports successful login
Fix #7158
2016-07-28 17:03:31 -05:00
Vex Woo 864989cf6c For echo command 2016-07-26 20:27:23 -05:00
Brendan 4720d77c3a
Land #6965, centreon useralias exec 2016-07-26 15:02:36 -07:00
Mehmet Ince dadafd1fdf
Use data:// instead of bogus web server and check() improvements. 2016-07-26 13:31:46 +03:00
wchen-r7 1016cb675d
Land #7107, Use VHOST info for redirection in firefox_proto_crmfrequest 2016-07-24 15:50:21 -05:00
wchen-r7 72caeaa72f Fix redirect url 2016-07-24 15:49:03 -05:00
Mehmet Ince 780e83dabb
Fix for Opt params and Space limits 2016-07-22 20:48:15 +03:00
Mehmet Ince 7e9c5f9011
Fix for double space and indentation 2016-07-21 20:27:52 +03:00
Mehmet Ince 634ee93de4
Add Drupal CODER remote command execution 2016-07-21 20:23:54 +03:00
William Vu 32f1c83c9e Switch to single quotes
Might as well, since we're avoiding escaping.
2016-07-21 00:10:17 -05:00
William Vu 2e631cab5b Prefer quoting over escaping
Having to escape backslashes in a single-quoted string sucks.
2016-07-21 00:02:08 -05:00
William Vu c6b309d5c9 Fix drupal_restws_exec check method false positive 2016-07-20 23:28:49 -05:00
William Vu 8bd6db8bd7
Land #7108, Drupal RESTWS exploit 2016-07-20 13:49:37 -05:00
William Vu b49a847c98 Fix additional things 2016-07-20 13:49:23 -05:00
Mehmet Ince 51bb950201
Avoid return where not required 2016-07-20 21:27:51 +03:00
Mehmet Ince b0a0544627
Remove random string from URI 2016-07-20 20:50:10 +03:00
Pedro Ribeiro c93e88f3a3 Make changes requested by wvu-r7 2016-07-20 14:21:04 +02:00
James Lee b057a9486c
Don't use ssh agent 2016-07-19 17:07:22 -05:00
James Lee ff63e6e05a
Land #7018, unvendor net-ssh 2016-07-19 17:06:35 -05:00
Mehmet Ince 089816236d
Remove double spaces and fix checkcode 2016-07-20 00:01:25 +03:00
Mehmet Ince 9c8e351ba8
Use vars_get un send_request_cgi 2016-07-19 20:12:14 +03:00
Mehmet Ince ec2f8fcc71
Change check method and use meterpreter instead of unix cmd 2016-07-19 11:13:06 +03:00
forzoni 6f35a04e21 Incorporate review fixes, ensure PrependFork is true, fix echo compat. 2016-07-19 01:45:56 -05:00
Mehmet Ince 650034b600
Use normalize_uri params instead of string concatenation 2016-07-19 01:01:05 +03:00
Mehmet Ince c8deb54938
Add Drupal RESTWS Remote Unauth PHP Code Exec 2016-07-18 21:32:10 +03:00
RageLtMan 14c9569afa 2013-1710 - Use header VHOST info for redirection
When this exploit is hit by hostname, the HTTP request contains
a Host header field which does not match the IP-based redirection.
Update the module to check request headers for host information,
and fallback to the prior behavior if none exists.

Tested in conjunction with #6611 DNS spoofer - works great, see
issue #7098 for details.
2016-07-17 04:50:54 -04:00
Brent Cook b08d1ad8d8
Revert "Land #6812, remove broken OSVDB references"
This reverts commit 2b016e0216, reversing
changes made to 7b1d9596c7.
2016-07-15 12:00:31 -05:00
h00die 03dca5fee2 updates round 2 2016-07-15 09:02:23 -04:00
h00die 33ce3ec3ed fixes round 2 2016-07-15 08:44:39 -04:00
Brendan 8968a6603e Syntax cleanup 2016-07-14 13:25:31 -07:00
Brendan 927b3a88a1 Changed to one delete 2016-07-14 13:11:59 -07:00
David Maloney b6b52952f4
set ssh to non-interactive
have to set the non-interactive flag so that it does not
prompt the user on an incorrect password

MS-1688
2016-07-14 11:12:03 -05:00
David Maloney 01d0d1702b
Merge branch 'master' into feature/MS-1688/net-ssh-cleanup 2016-07-14 09:48:28 -05:00
William Vu b2c3267a2a
Land #7042, fetch_ninja_form_nonce/wponce fix 2016-07-13 11:38:11 -05:00
wchen-r7 8f928c6ca1
Land #7006, Add MS16-032 Local Priv Esc Exploit 2016-07-12 15:22:35 -05:00
wchen-r7 815c426b4d Match naming style 2016-07-12 15:18:39 -05:00
wchen-r7 f11b84f106 Update wfsdelay and check for ms16-032 2016-07-12 15:17:21 -05:00
William Vu f164afaef8
Land #6932, joomla_contenthistory_sqli_rce fixes 2016-07-12 14:26:49 -05:00
William Vu 310332b521 Clean up module 2016-07-12 11:17:10 -05:00
wchen-r7 b869b890c7
Land #7090, Add module for Tikiwiki Upload Exec 2016-07-12 11:16:50 -05:00
wchen-r7 2471e8bc8c Add FileDropper to cleanup properly 2016-07-12 11:16:18 -05:00
William Vu 277950cc79
Land #6733, psexec StackAdjustment fix 2016-07-12 11:14:16 -05:00
Mehmet Ince 43833c8756
Fixing double normalize function call 2016-07-12 07:30:18 +03:00
Brent Cook 2b016e0216
Land #6812, remove broken OSVDB references 2016-07-11 22:59:11 -05:00
Brent Cook a530aa4cf1 restrict perms a bit more 2016-07-11 22:22:34 -05:00
Brent Cook a107a0f955 remove unneeded rport/rhost defines 2016-07-11 22:22:34 -05:00
Brent Cook 6bf51fe064 streamline payload generation 2016-07-11 22:22:34 -05:00
Brent Cook 7ef6c8bf9e ruby style updates 2016-07-11 22:22:33 -05:00
Brent Cook c1f51e7ddf Update and fixup module against OpenNMS-16 2016-07-11 22:22:33 -05:00
benpturner 50746eec29 Fixes comments in regards to #{peer} 2016-07-11 22:22:33 -05:00
benpturner ce8317294f New module to exploit the OpenNMS Java Object Unserialization RCE vulnerability. This now gets flagged inside Nessus and there was no Metasploit module to exploit this.
This module exploits the vulnerability to a full session.
2016-07-11 22:22:32 -05:00
khr0x40sh 7211936f96 Fix Payload exit issue
Fixed payload exiting issue by adding while ($true){Start-Sleep 1000};
statement.
2016-07-11 16:21:08 -04:00
Mehmet Ince fc56ab6722
Fixing some coding style because of rubocop 2016-07-11 23:10:18 +03:00
Brendan 47f2cef22e Syntax changes to humor rubocop and ruby style 2016-07-11 12:50:58 -07:00
Mehmet Ince e79c3ba7c0
Tiki Wiki unauth rce 2016-07-11 22:44:07 +03:00
William Webb 52c6daa0f2
Land #7048, Riverbed SteelCentral NetProfiler and NetExpress Remote
Command Injection
2016-07-10 18:54:12 -05:00
Francesco b75084249a Removed duplicate 'Privileged' key 2016-07-10 01:37:03 -04:00