Commit Graph

24817 Commits (fa4e835804a263c835041b6681735fb0827fccc0)

Author SHA1 Message Date
jvazquez-r7 aea0379451 Fix typos 2014-05-29 12:37:51 -05:00
sinn3r 3a3d038904
Land #3397 - ElasticSearch Dynamic Script Arbitrary Java Execution 2014-05-29 12:21:21 -05:00
sinn3r dfa61b316e A bit of description change 2014-05-29 12:20:40 -05:00
Tod Beardsley 2ce6f325f5
Be more specific with Nokogiri check
There are still strong reservations about using Nokogiri to parse
untrusted XML data.

http://www.wireharbor.com/hidden-security-risks-of-xml-parsing-xxe-attack/

It is also believed that many desktop operating systems are still
shipping out-of-date and vulnerable libxml2 libraries, which become
exposed via Nokogiri. For example:

http://stackoverflow.com/questions/18627075/nokogiri-1-6-0-still-pulls-in-wrong-version-of-libxml-on-os-x

While this isn't a problem for binary builds of Metasploit (Metasploit
Community, Express, or Pro) it can be a problem for development
versions or Kali's / Backtrack's version.

So, the compromise here is to allow for modules that don't directly
expose XML parsing. I can't say for sure that the various libxml2
vulnerabilities (current and future) aren't also exposed via
`Nokogiri::HTML` but I also can't come up with a reasonable demo.

Metasploit committers should still look at any module that relies on
Nokogiri very carefully, and suggest alternatives if there are any. But,
it's sometimes going to be required for complex HTML parsing.

tl;dr: Use REXML for XML parsing, and Nokogiri for HTML parsing if you
absolutely must.
2014-05-29 11:52:17 -05:00
jvazquez-r7 75777cb3f9 Add IE11SandboxEscapes source 2014-05-29 11:38:43 -05:00
William Vu 53ab2aefaa
Land #3386, a few datastore msftidy error fixes 2014-05-29 10:44:37 -05:00
William Vu 325e75b72f
Land #3380, datastore msftidy errors set to INFO
[SeeRM #8498]
2014-05-29 10:19:59 -05:00
Spencer McIntyre 145776db4d Add a DEBUGGING option to the python meterpreter 2014-05-29 10:52:49 -04:00
Tom Sellers aa85cb8195 Update powershell.rb 2014-05-29 05:46:32 -05:00
Christian Mehlmauer 21d5e630f4
Land #3400, last msftody set-cookie warnings 2014-05-29 12:07:37 +02:00
William Vu 8a2236ecbb
Fix the last of the Set-Cookie msftidy warnings 2014-05-29 04:42:49 -05:00
Spencer McIntyre 15b1c79039 Adjust whitespace and set bytes to str for Python 2 2014-05-28 16:30:27 -04:00
William Vu 3f86aebabf
Land #3398, CAPWAP DoS description cleanup 2014-05-28 14:55:22 -05:00
William Vu 785b53820e
Land #3399, print_error instead of print_status 2014-05-28 14:53:00 -05:00
joev c89cd24621 Rewire some snmp modules to use print_error instead of print_status. 2014-05-28 13:31:00 -05:00
Tod Beardsley 4b5c62ba8d
Dress up CAPWAP DoS desc a little. 2014-05-28 12:19:17 -05:00
William Vu 832d22cdb8
Land #3395, sqlite3 gem for some post modules 2014-05-27 19:22:46 -05:00
jvazquez-r7 7a29ae5f36 Add module for CVE-2014-3120 2014-05-27 18:01:16 -05:00
jvazquez-r7 55ef5dd484
Land #3115, @silascutler's module for elasticsearch indeces enumeration 2014-05-27 11:28:34 -05:00
jvazquez-r7 2271afc1a5 Change module filename 2014-05-27 11:25:39 -05:00
jvazquez-r7 3de8beb5fd Clean code 2014-05-27 11:22:40 -05:00
James Lee cc1e81ecb7
Add sqlite3 to Gemfile
Fixes all the post modules that require it to parse pilfered sqlite DB
files.
2014-05-27 10:29:55 -05:00
jvazquez-r7 69e8286838 Fix title 2014-05-27 10:29:32 -05:00
jvazquez-r7 1316365c2f Fix description 2014-05-27 10:22:39 -05:00
jvazquez-r7 abe1d6ffc7
Land #3190, @Karmanovskii's module to fingerprint MyBB database 2014-05-27 10:20:24 -05:00
jvazquez-r7 86221de10e Fix message 2014-05-27 10:18:27 -05:00
jvazquez-r7 b96c2dd0ca Change module filename 2014-05-27 10:15:39 -05:00
jvazquez-r7 1d8c46155b Do last code cleaning 2014-05-27 10:14:55 -05:00
Tom Sellers ae1b7e564b Update powershell.rb 2014-05-27 05:18:00 -05:00
William Vu 704e4d78ca
Fix typo in client_request.rb comment 2014-05-26 23:55:48 -05:00
William Vu 0133e861f8
Fix typo 2014-05-26 23:55:20 -05:00
William Vu 352e14c21a
Land #3391, all vars_get msftidy warning fixes 2014-05-26 23:41:46 -05:00
William Vu 936c29e69b
Land #3387, some Set-Cookie msftidy warning fixes 2014-05-26 23:37:33 -05:00
Karmanovskii eacf70af83 Update mybb_get_type_db.rb
26.05.2014  23:26
I deleted mimicking IE11
2014-05-26 23:26:28 +04:00
Meatballs 1914e0abd3
Land 3393, Add session and framework vars to irb 2014-05-26 18:50:20 +01:00
jvazquez-r7 994891e9c5
Land #3383, @wchen-r7's [FixRM #8804] Fix / URIPATH for BrowserExploitServer 2014-05-25 19:51:30 -05:00
jvazquez-r7 217a14e4d7
Land #3366, @jholgui's module for CVE-2013-4074 2014-05-25 18:53:30 -05:00
jvazquez-r7 33ba134147 Clean msftidy warnings and metadata 2014-05-25 18:52:01 -05:00
jvazquez-r7 d3c17d8e3e Delete wireshark_capwap_dos 2014-05-25 18:39:53 -05:00
Spencer McIntyre 77e70d8bbe Add 2 more variables for meterpreter irb 2014-05-25 16:28:40 -04:00
Spencer McIntyre c559483176
Land #3392, @TomSellers patch to use python constants 2014-05-25 16:18:42 -04:00
Tom Sellers 77f66f8510 Update reverse_tcp.rb 2014-05-25 14:04:54 -05:00
Tom Sellers b5c567c462 Update bind_tcp.rb 2014-05-25 14:03:45 -05:00
Christian Mehlmauer da0a9f66ea
Resolved all msftidy vars_get warnings 2014-05-25 19:29:39 +02:00
Tom Sellers 42a17cc085 Update powershell.rb
To be clear, the shell that was tested with was 'windows/shell_reverse_tcp' delivered via 'exploit/windows/smb/psexec'

Additional changes required to fix regex to support the multiline output.  Also, InstanceId uses a lower case 'D' on the platforms I tested - PowerShell 2.0 on Windows 2003, Windows 7, Windows 2008 R2 as well as PowerShell 4.0 on Windows 2012 R2.

This method doesn't appear to be used anywhere in the Metasploit codebase currently.
2014-05-25 08:59:42 -05:00
Tom Sellers 76b9273f10 Improve reliability of have_powershell
I have a case where on a Windows 2008 R2 host with PowerShell 2.0 the 'have_powershell' method times out.  When I interactively run the command I find that the output stops after the PowerShell command and the token from 'cmd_exec' is NOT displayed.  When I hit return the shell then processes the '&echo <randomstring>' and generates the token that 'cmd_exec' was looking for.  I tried various versions of the PowerShell command string such as 'Get-Host;Exit(0)', '$PSVErsionTable.PSVersion', and '-Command Get-Host' but was unable to change the behavior.  I found that adding 'echo. | ' simulated pressing enter and did not disrupt the results on this host or on another host where the 'have_powershell' method functioned as expected.

There may be a better solution, but this was the only one that I could find.
2014-05-25 08:07:38 -05:00
JoseMi 9f166b87f6 Changed the description 2014-05-24 18:58:36 +01:00
JoseMi 71e2d19040 Adapted to auxiliary modules structure 2014-05-24 18:53:10 +01:00
Christian Mehlmauer df97c66ff5
Fixed check 2014-05-24 00:37:52 +02:00
Christian Mehlmauer 8d4d40b8ba
Resolved some Set-Cookie warnings 2014-05-24 00:34:46 +02:00