Commit Graph

21037 Commits (f60b29c7a65648e8c455b99bbb63f5636670e99e)

Author SHA1 Message Date
jvazquez-r7 f60b29c7a6
Land #2503, @MrXors's local exploit using VSS 2013-10-15 12:35:26 -05:00
MrXors f345414832 Added correct spelling in info 2013-10-15 10:13:18 -07:00
jvazquez-r7 0b9cf24103 Convert vss_persistence to Local Exploit 2013-10-15 11:11:04 -05:00
jvazquez-r7 3b7be50d50 Fix typos 2013-10-15 10:03:00 -05:00
jvazquez-r7 18b4f80ca9 Add minor cleanup for vss_persistence 2013-10-15 09:56:18 -05:00
MrXors 6a1b1f35a8 Msftidy done. 2013-10-14 19:41:10 -07:00
MrXors d444ed054f Fixed RUNKEY, Fixed SCHTASKS, merged code 2013-10-14 19:36:44 -07:00
Meatballs 63e850505e
Land #2523, WDS use read_response
This is more robust at correctly receiving the entire DCERPC response.

[Closes #2511]
2013-10-14 23:54:56 +01:00
Tod Beardsley d0b1479d5b
Use the real timeout option for DCERPC 2013-10-14 17:41:51 -05:00
Tod Beardsley e8d0292118
Use read_response class method
Looks like this was never implemented in other modules, but it collects
data from the socket in the usual get_once sort of way.
2013-10-14 17:24:22 -05:00
Tod Beardsley 14be85ea5d
Land #2511, fix up NoMethodError and hanging connx 2013-10-14 16:30:19 -05:00
Meatballs a3af5d681b
Ensure TCP connection is closed 2013-10-14 21:53:22 +01:00
William Vu 31dc7c0c08 Land #2522, @todb-r7's pre-release module fixes 2013-10-14 15:37:23 -05:00
Tod Beardsley 63e40f9fba
Release time fixes to modules
* Period at the end of a description.
  * Methods shouldn't be meth_name! unless the method is destructive.
  * "Setup" is a noun, "set up" is a verb.
  * Use the clunky post module naming convention.
2013-10-14 15:17:39 -05:00
James Lee 29ae6be403
Land #2521, nil fix for ms13_069 2013-10-14 15:15:47 -05:00
sinn3r 15e8c3bcd6 [FixRM #8470] - can't convert nil into String
Target selection bug in ms13_069_caret.rb. Happens when the target
is Win 7 + IE8, which actually isn't a suitable target.

[FixRM #8470]
2013-10-14 14:10:08 -05:00
jvazquez-r7 75aaded842
Land #2471, @pyoor's exploit for CVE-2013-5743 2013-10-14 14:03:28 -05:00
jvazquez-r7 a6f17c3ba0 Clean zabbix_sqli 2013-10-14 14:01:58 -05:00
William Vu 07772cebb0 Land #2519, undefined method fix for msfcli 2013-10-14 13:56:07 -05:00
William Vu 35dd94f0ac Land #2518, uninitialized JavascriptOSDetect fix 2013-10-14 13:32:04 -05:00
sinn3r 5514736deb [FixRM 8489] undefined method `empty?' for nil:NilClass in msfcli
This fixes a undefined method `empty?' for nil:NilClass (NoMethodError)
in msfcli. [SeeRM 8489]
2013-10-14 13:13:56 -05:00
sinn3r e10dbf8a5d
Land #2508 - Add nodejs payloads 2013-10-14 12:23:31 -05:00
sinn3r da3081e1c8 [FixRM 8482] Fix uninit constant Rex::Exploitation::JavascriptOSDetect
This fixes an uninit constant Rex::Exploitation::JavascriptOSDetect
while using a module with js_os_detect. It was originally reported
by Metasploit user @viniciuskmax

[FixRM 8482]
2013-10-14 11:40:46 -05:00
MrXors fc62b4c4ed removed global var from file_on_target and useless code 2013-10-14 09:16:54 -07:00
William Vu eab90e1a2e Land #2491, missing platform info update 2013-10-14 10:38:25 -05:00
MrXors 17e5c63f7f removed debugging prompts 2013-10-14 00:29:24 -07:00
MrXors b505234bf6 cleand up code and add run function 2013-10-14 00:12:37 -07:00
sinn3r 698ce6ec34
Land #2516 - DLink xmlset_roodkcableoj28840ybtide user-agent backdoor module 2013-10-13 19:30:41 -05:00
sinn3r 2a1ade2541 Add disclosure date and some explanation about it 2013-10-13 19:29:51 -05:00
jvazquez-r7 e2c5e6c19f Fix email format 2013-10-13 18:28:35 -05:00
jvazquez-r7 008f787627 Add module for the dlink user-agent backdoor 2013-10-13 14:42:45 -05:00
sinn3r 74f37c58b2
Land #2514 - Update CVE reference for Joomla 2013-10-13 12:58:23 -05:00
joev e2a9339592 Add CVE to joomla media upload module. 2013-10-12 21:20:11 -05:00
jvazquez-r7 3dbdc9f848
Land #2510, @wchen-r7's exploit for cve-2013-3897 2013-10-12 20:06:41 -05:00
sinn3r 9725918be8 Remove junk variables/params 2013-10-12 18:51:57 -05:00
Meatballs fb858ae72c
Land #2506, Python Meterpreter - Fixes Registry Endianess 2013-10-12 23:41:26 +01:00
Spencer McIntyre 6f23e95c14 Fix an endianess issue in pymeterpreter registry_query_value. 2013-10-12 23:39:22 +01:00
sinn3r 2153dd26eb
Land #2501 - HP Data Protector Cell Request Service Buffer Overflow 2013-10-12 16:55:48 -05:00
sinn3r bc317760dc Make the GET params a little bit harder to read. 2013-10-12 16:37:49 -05:00
jvazquez-r7 172c6b9b8f Escape dots on regexs 2013-10-12 16:15:10 -05:00
jvazquez-r7 0b7ec26dac
Land #2509, @darknight007's patch to handle ms12_020_maxchannelids exceptions while connecting 2013-10-12 15:52:35 -05:00
Meatballs 988ac68074
Dont define the NDR syntax 2013-10-12 19:56:52 +01:00
Meatballs 765b55182e
Randomize client variables
Also tidyup indents and use predefined UUID syntax.
2013-10-12 19:52:15 +01:00
sinn3r b139757021 Correct a typo in description 2013-10-12 13:24:36 -05:00
sinn3r 79c612cd67 Add MS13-080 (CVE-2013-3897): Internet Explorer CDisplayPointer Use-After-Free
This module exploits a vulnerability found in Microsoft Internet Explorer.
It was originally found being exploited in the wild targeting Japanese and
Korean IE8 users on Windows XP, around the same time frame as CVE-2013-3893,
except this was kept out of the public eye by multiple research companies and
the vendor until the October patch release.

This issue is a use-after-free vulnerability in CDisplayPointer via the use of
a "onpropertychange" event handler. To setup the appropriate buggy conditions,
we first craft the DOM tree in a specific order, where a CBlockElement comes after
the CTextArea element. If we use a select() function for the CTextArea element,
two important things will happen: a CDisplayPointer object will be created for
CTextArea, and it will also trigger another event called "onselect". The "onselect"
event will allow us to setup for the actual event handler we want to abuse -
the "onpropertychange" event. Since the CBlockElement is a child of CTextArea,
if we do a node swap of CBlockElement in "onselect", this will trigger
"onpropertychange".  During "onpropertychange" event handling, a free of the
CDisplayPointer object can be forced by using an "Unslect" (other approaches
also apply), but a reference of this freed memory will still be kept by
CDoc::ScrollPointerIntoView, specifically after the CDoc::GetLineInfo call,
because it is still trying to use that to update CDisplayPointer's position.
When this invalid reference arrives in QIClassID, a crash finally occurs due to
accessing the freed memory. By controling this freed memory, it is possible to
achieve arbitrary code execution under the context of the user.
2013-10-12 13:01:17 -05:00
Meatballs cad717a186
Use NDR 32bit syntax.
Compatible with both x86 and x64 systems.
Tidy up the module...
2013-10-12 18:52:45 +01:00
Joe Barrett d929bdfaab Re-fixing 8419, consistency is important. 2013-10-12 08:09:19 -04:00
darknight007 7b82c64983 ms12-020 stack print resolve 2013-10-12 16:49:03 +05:00
darknight007 e1b9f1a3c4 modified ms12-020 module to resolve stack print 2013-10-12 16:36:37 +05:00
darknight007 291b90405d Merge branch 'master' of https://github.com/darknight007/metasploit-framework
Conflicts:
	modules/auxiliary/dos/windows/rdp/ms12_020_maxchannelids.rb
2013-10-12 16:23:09 +05:00