a03cfce74c
Add table prefix and doc root as fallback options
2013-11-25 17:44:26 +10:30
48578c3bc0
Update description about suitable targets
...
The same technique work for Microsoft Office 2013 as well. Tested.
2013-11-24 23:02:37 -06:00
49441875f3
Land #2683 , @wchen-r7's module name consistency fix
2013-11-24 16:51:22 -06:00
b015dd4f1c
Land #2532 Enum LSA Secrets
...
With refactoring of common methods from smart_hashdump, hashdump,
cachedump to Windows::Post::Privs
2013-11-24 18:09:33 +00:00
ce8b63f240
Update module name to stay consistent
...
This module is under the windows/gather, so must be named the same
way like the rest.
2013-11-24 01:01:29 -06:00
fc14a6c149
Land #2576 - NETGEAR ReadyNAS Perl Code Evaluation Vulnerability
2013-11-24 00:47:14 -06:00
f3b907537c
Module to identifies open Chargen service
2013-11-23 17:17:24 +01:00
d8700314e7
Add Kimai v0.9.2 'db_restore.php' SQL Injection module
2013-11-24 02:32:16 +10:30
9987ec0883
Hmm, change ranking
2013-11-23 00:51:58 -06:00
6ccc3e3c48
Make payload execution more stable
2013-11-23 00:47:45 -06:00
d748fd4003
Final commit
2013-11-22 23:35:26 -06:00
f871452b97
Slightly change the description
...
Because it isn't that slow
2013-11-22 19:27:00 -06:00
eddedd4746
Working version
2013-11-22 19:14:56 -06:00
7e4487b93b
Update description
2013-11-22 17:37:23 -06:00
c8fd761c53
Progress
2013-11-22 16:57:29 -06:00
6a28aa298e
Module for CVE-2013-4164
...
So far, just a DoS. So far, just tested on recent Rails with Webrick and
Thin front ends -- would love to see some testing on ngix/apache with
passenger/mod_rails but I don't have it set up at the moment.
2013-11-22 16:51:02 -06:00
a7ad107e88
Add ruby code for ms13-022
2013-11-22 16:41:56 -06:00
266de2d27f
Updated
2013-11-23 00:01:03 +03:00
b712c77413
capitalization
2013-11-22 14:37:54 -06:00
52a3b93f24
Hopefully final commit.
...
ALL issues mentioned by todb in https://github.com/rapid7/metasploit-framework/pull/2663/ have been fixed or erased.
Only exception is comment https://github.com/rapid7/metasploit-framework/pull/2663/#discussion_r7837036 which if omitted as recommended, breaks the module.
2013-11-22 14:17:20 -06:00
9addd37458
minor changes:
...
s/grab/gather/g
2013-11-22 14:03:54 -06:00
b742ed13b9
junk commit
2013-11-22 12:38:06 -06:00
953a96fc2e
This one looks promising
2013-11-22 12:27:10 -06:00
8476ca872e
More progress
2013-11-22 11:53:57 -06:00
4a6511311d
Code improvements according to feedback
2013-11-22 15:35:45 +01:00
f1d181afc7
Progress
2013-11-22 04:51:55 -06:00
6d5c1c230c
Progress
2013-11-22 03:55:40 -06:00
4d2253fe35
Diet
2013-11-22 02:25:09 -06:00
8382d31f46
More progress
2013-11-21 18:48:12 -06:00
885fedcc3b
Fix target name
2013-11-21 17:42:31 -06:00
3afa21c721
Added favorite and recent shares to the output
2013-11-21 23:55:24 +01:00
22c7703e8b
Land #2658 - Make OGNL expressions compatible with struts 2.0.11.2
2013-11-21 15:30:42 -06:00
56d1c545e7
Oh look, more code
2013-11-21 14:42:07 -06:00
851cf6f0d1
Land #2650 , @pnegry's exploit for DesktopCentral 8
2013-11-21 09:30:17 -06:00
77aa665385
Add Privileged flag
2013-11-21 09:28:28 -06:00
2ab3ab8b66
Delete empty Payload metadata section
2013-11-21 09:27:25 -06:00
6bd3c4c887
Fix target name
2013-11-21 09:07:25 -06:00
4c2ad4ca9a
Fix metadata
2013-11-21 09:06:47 -06:00
8e4c5dbb5e
improve upload_file response check
2013-11-21 09:02:11 -06:00
8fdfeb73db
Fix use of FileDropper and improve check method
2013-11-21 09:01:41 -06:00
4abf01c64c
Clean indentation
2013-11-21 08:32:54 -06:00
ddd5b0abb9
More progress
2013-11-21 04:27:41 -06:00
b5011891a0
corrected rport syntax
2013-11-21 08:57:45 +03:00
9539972340
Module for OpenMind Message-OS portal login
2013-11-21 06:33:05 +03:00
3926617972
Land #2664 , clear EOL spaces
...
[SeeRM #8498 ]
2013-11-20 17:27:06 -06:00
eea811b71a
Merge branch 'landing-2601-mipsle-encoders' into upstream-master
2013-11-20 17:14:45 -06:00
e13e457d8f
Progress
2013-11-20 17:11:13 -06:00
9f45121b23
Remove EOL spaces
2013-11-20 15:08:13 -06:00
e8eb983ae1
Resplat shell_bind_tcp_random_port
2013-11-20 14:48:53 -06:00
cec4166766
Fix description
2013-11-20 12:49:22 -06:00
18e69bee8c
Make OGNL expressions compatible with struts 2.0.11.2
2013-11-20 12:42:10 -06:00
94e13a0b8a
Initial commit of CVE-2013-3906
2013-11-19 23:10:32 -06:00
4cc20f163b
Update References field to be compliant.
2013-11-20 13:01:21 +13:00
c76fa32345
Fixed reference format
2013-11-20 12:53:21 +13:00
26a5e37266
Use MSF::Exploit:FileDropper to register the uploaded file for cleanup.
2013-11-20 12:27:22 +13:00
07c76fd3e6
Module cleaned for msftidy compliance.
2013-11-20 11:33:14 +13:00
a9de5e2846
Land #2634 - Opt browser autopwn load list
2013-11-19 15:10:29 -06:00
14c6ab4ca5
Add module for CVE-2013-4212
2013-11-19 10:25:52 -06:00
ded56f89c3
Fix caps in description
2013-11-18 16:15:50 -06:00
f963f960cb
Update title
2013-11-18 15:07:59 -06:00
274247bfcd
Land #2647 , @jvennix-r7's module for Gzip Memory Bomb DoS
2013-11-18 15:06:46 -06:00
589660872e
Kill FILEPATH datastore option.
2013-11-18 14:13:25 -06:00
f690667294
Land #2617 , @FireFart's mixin and login bruteforcer for TYPO3
2013-11-18 13:37:16 -06:00
0391ae2bc0
Delete general reference
2013-11-18 13:19:09 -06:00
1c4dabaf34
Beautify typo3_bruteforce module
2013-11-18 13:17:15 -06:00
b5fc0493a5
Land #2642 - Fix titles
2013-11-18 12:14:36 -06:00
455934a545
Land #2645 , Redis spec conformity for redis_server
2013-11-18 12:00:38 -06:00
9e46975a95
Land #2643 , @ChrisJohnRiley SkipVersionCheck for exim4_dovecot_bannercheck
2013-11-18 11:28:07 -06:00
540b85df3f
Set SkipVersionCheck as not required
2013-11-18 11:27:32 -06:00
f6f0d81149
Land #2632 , @peto01 OSX VPN Manager post module
2013-11-18 09:49:14 -06:00
0a930ef6e1
Clean osx vpn post module
2013-11-18 09:47:52 -06:00
bddb314073
Fix usage of Retries
2013-11-18 09:09:20 -06:00
237bb22771
Disable auto migrate
2013-11-18 08:54:22 -06:00
960f7c9bbb
Add DesktopCentral arbitrary file upload exploit.
2013-11-18 16:11:28 +13:00
60a245b0c3
Fix the arch declaration in uploaded module.
2013-11-18 14:49:03 +13:00
636fdfe2d2
Added Kaseya uploadImage exploit.
2013-11-18 14:23:34 +13:00
8e889c61f7
Update description.
2013-11-17 15:48:27 -06:00
f7820139dc
Add a content_type datastore option.
2013-11-17 15:38:55 -06:00
43d2711b98
Default to 1 round compression.
2013-11-17 15:35:35 -06:00
1e3860d648
Add gzip bomb dos aux module.
2013-11-17 14:44:33 -06:00
b2e7ff4587
Small change for filetime conversion
2013-11-17 22:26:30 +02:00
b73260b74c
Add functionality to enum_prefetch post module
2013-11-17 22:10:55 +02:00
7d22312cd8
Fix redis communication
2013-11-15 19:36:18 -06:00
89d0b3c41c
Return the splat and require on a module.
2013-11-15 12:19:53 -06:00
36db6a4d59
Land #2616 , SuperMicro close_window BOF
2013-11-15 11:34:53 -06:00
cbb7eb192c
Add module for CVE-2013-3918
2013-11-15 10:38:52 -06:00
5bd5eacd77
Added option to ignore banner checks
2013-11-15 15:01:11 +01:00
2c485c509e
Fix caps on module titles (first pass)
2013-11-15 00:03:42 -06:00
4cf16cf360
Land #2633 , @OJ's port of Kitrap0d as local exploit
2013-11-14 09:27:10 -06:00
7db42efdd4
Code restructure and more robust error handling
2013-11-14 13:44:49 +01:00
fe2cd93a65
Delete ms13_037_svg_dashstyle from the browser_autopwn list
2013-11-13 23:46:50 -06:00
506a4d9e67
Remove genericity, x64 and renamed stuff
...
As per discussion on the github issue, the following changes were made:
* Project renamed from elevate to kitrap0d, implying that this is not
intended to be a generic local priv esc exploit container.
* Container DLL no longer generic, always calls the kitrap0d exploit.
* Removal of all x64 code and project configurations.
* Invocation of the exploit changed so that the address of the payload
is passed in to the exploit entry point. The exploit is now responsible
for executing the payload if the exploit is successful. This removes
the possibility of the payload getting executed when the exploit fails.
* Source moved to the appropriate CVE folder.
* Binary moved to the appropriate CVE folder.
* Little bit of source rejigging to tidy things up.
2013-11-14 12:22:53 +10:00
5b96ad595f
Skip reg values with no secretes
...
Also update header comment to match new standard
2013-11-13 19:05:16 -06:00
cb10b4783b
Mark XP hashes as mscash for JtR to recognize
2013-11-13 19:04:16 -06:00
0aef145f64
Merge remote-tracking branch 'upstream/master' into land-2532-enum-lsa
2013-11-13 18:11:21 -06:00
8471f74b75
Refactor ivar to a more reasonable method
...
Also changes jtr output for cachedump to produce hashes that can be
auto-detected as mscash2 format for a better user experience.
2013-11-13 18:09:41 -06:00
8bb72764ec
Rename credentials/lsa -> lsa_secrets
...
Secrets are not necessarily credentials
2013-11-13 15:23:15 -06:00
16627c1bd3
Add spec for capture_lsa_key
2013-11-13 15:16:34 -06:00
334a93af45
Land #2638 , refs for android_htmlfileprovider
2013-11-13 14:51:46 -06:00
0612f340f1
Commas are good.
2013-11-13 14:38:50 -06:00
ad5f82d211
Add missing refs to aux/gather/android_htmlfileprovider.
2013-11-13 14:36:18 -06:00
2594427999
Land #2631 , @peto01's osx screen capture post module
2013-11-13 13:58:03 -06:00
2b19490095
Fix Exception handling
2013-11-13 13:57:15 -06:00
95f371a1a6
Move screen_capture to the capture folder
2013-11-13 13:41:11 -06:00
f65e82523b
Clean screen_capture
2013-11-13 13:40:41 -06:00
3168359a82
Refactor lsa and add a spec for its crypto methods
2013-11-13 11:55:39 -06:00
0c096c10fb
Submitting first version for pull request
2013-11-13 17:03:38 +01:00
f5760d5e4c
Removed unnecessary delay
2013-11-13 16:25:47 +01:00
c4a8bfb175
Tighter error handling
2013-11-13 16:19:38 +01:00
78199409dd
Changes according to feedback
2013-11-13 14:13:40 +01:00
92da6760ef
Modified module to use windows/screen_spy code
2013-11-13 13:30:20 +01:00
3fdaf4de94
Work in progress
2013-11-13 13:11:27 +01:00
76660b858c
In progress
2013-11-13 12:32:49 +01:00
049111cd94
In progress
2013-11-13 11:21:39 +01:00
d9c402c035
Fixed the module name
2013-11-13 08:57:50 +01:00
8771b163f0
Solve conflicts with aladdin_choosefilepath_bof
2013-11-12 23:11:42 -06:00
2d9e8e09e6
Minor bugfix
2013-11-13 02:07:06 +01:00
1fed50c96a
General improvements according to feedback
2013-11-13 01:54:42 +01:00
e4fc361b37
Various tidies and fixes
...
* Change ranking.
* Update references to comply with correct approach.
* Update messages to better describe what should happen.
* Update the Windows version regex to match XP.
* Update `check` function to use `unless`.
Thanks again @jvazquez-r7 for the feedback!
2013-11-13 10:38:48 +10:00
6e12553393
Changed option SNAP_FILETYPE to FILETYPE
2013-11-13 00:51:58 +01:00
779cb48b76
General improvements addressing feedback
2013-11-13 00:42:00 +01:00
ef6d9db48f
Land #2613 , @wchen-r7's BrowserExploitServer mixin
2013-11-12 17:33:12 -06:00
da25785eba
Land #2350 , shell_bind_tcp_random_port for Linux
2013-11-12 16:06:37 -06:00
004c1bac78
Reduce number of modules available on BrowserAutopwn
2013-11-12 12:37:29 -06:00
970e70a853
Land #2626 - Add wordpress scanner
2013-11-12 11:30:23 -06:00
6a28f1f2a7
Change 4-space tabs to 2-space tabs
2013-11-12 11:29:28 -06:00
40f58ce534
Finalise the local exploit for kitrap0d
...
The exploit now properly injects the DLL using RDI and invokes the
exploit based on a parameter passed by the Ruby module. The elevate
code is 'generic' with a goal of possibly supporting more exploits
down the track.
New sessions are now created with the SYSTEM creds, rather than
modifying the existing session. This is now inline with how things
are done with other local modules.
2013-11-12 23:01:24 +10:00
c5f21ef463
added osx vpn module
2013-11-12 12:47:33 +01:00
b722fee15c
added OSX module screen_capture
2013-11-12 12:32:30 +01:00
65993704c3
Actually commit the mode change.
2013-11-11 22:16:29 -06:00
2035983d3c
Fix a handful of msftidy warnings, and XXX SSL
...
Marked the SSL stuff as something that needs to be resolved in order to
fix a future bug in datastore manipulation. Also, fixed some whitespace
and exec complaints
[SeeRM #8498 ]
2013-11-11 21:23:35 -06:00
b01d8c50e0
Restore module crash documentation
2013-11-11 17:09:41 -06:00
30de61168d
Support heap spray obfuscation
2013-11-11 17:05:54 -06:00
922f0eb900
Switch aladdin_choosefilepath_bof2 to use BrowserExploitServer
2013-11-11 17:01:09 -06:00
28c5dd63fd
references fix
2013-11-11 17:14:50 -03:00
8f6917a117
references fix
2013-11-11 17:12:45 -03:00
e3641158d9
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-11-11 14:29:19 -03:00
030fbba539
Merge branch 'master' of https://github.com/geyslan/metasploit-framework
2013-11-11 14:22:00 -03:00
81a7b1a9bf
Fixes for #2350 , random bind shellcode
...
* Moved shortlink to a reference.
* Reformat e-mail address.
* Fixed whitespace
* Use multiline quote per most other module descriptions
Still need to resplat the modules, but it's no big thang to do that
after landing. Also, References do not seem to appear for post modules
in the normal msfconsole. This is a bug in the UI, not for these modules
-- many payloads would benefit from being explicit on their references,
so may as well start with these.
2013-11-11 10:33:15 -06:00
b887ed68b5
Land #2608 - Allow guest login option for psexec.
2013-11-11 10:09:41 -06:00
063da8a22e
Update reverse_https_proxy stager/handler
...
This change updates the proxy handler code, which for some reason was
ommitted in the orginal commits. This now uses the same mechanism as
the new code. It removes `HIDDENHOST` and `HIDDENPORT`, and instead
uses `ReverseListenerBindHost` and `ReverseListenerBindAddress`.
2013-11-11 22:21:05 +10:00
82739c0315
Add extra URL for exploit detail
2013-11-11 22:07:36 +10:00
6a25ba18be
Move kitrap0d exploit from getsystem to local exploit
...
This version modifies the existing meterpreter session and bumps the privs
up to SYSTEM. However it's not how local exploits are supposed to work.
More work will be done to make this create a new session with the elevated
privs instead.
2013-11-11 17:14:40 +10:00
48faa38c44
bugfix for wordpress_scanner
2013-11-11 00:24:32 +01:00
b472c2b195
added a wordpress scanner
2013-11-10 23:08:59 +01:00
40f8e80775
Fix jlee-r7's feedback
2013-11-08 14:28:19 -06:00
d419c73488
Land #2517 , @3v0lver's exploit for cve-2008-2286
2013-11-08 08:41:04 -06:00
fddb69edb3
Use instance variables for 1-time injections
2013-11-08 08:30:35 -06:00
69b261a9f2
Clean post exploitation code
2013-11-07 18:11:54 -06:00
9f51268d21
Make xp_shell_enable instance variable
2013-11-07 17:53:28 -06:00
aa1000df72
Clean check method
2013-11-07 17:44:22 -06:00
c2662d28e0
Move module to the misc folder
2013-11-07 17:34:22 -06:00
b068e4beb5
Fix indentation and refactor send_update_computer
2013-11-07 17:33:35 -06:00
bdd33d4daf
implement feedback from @jlee-r7
2013-11-07 23:07:58 +01:00
cc3ee5f97b
typo3_bruteforce: update msf license
2013-11-07 22:53:28 +01:00
e897c8379f
typo3_bruteforce: bugfix
2013-11-07 22:46:26 +01:00
9d616dbfe9
added typo3 bruteforcer
2013-11-07 22:38:27 +01:00
b7e360922d
Update ranking
2013-11-07 15:10:26 -06:00
decf6ff6a0
Add module for CVE-2013-3623
2013-11-07 14:59:40 -06:00
bdba80c05c
Land #2569 , @averagesecurityguy and others exploit for CVE-2013-4468, CVE-2013-4467
2013-11-07 12:20:42 -06:00
7615264b17
Merge branch 'lanattacks_fix' of git://github.com/OJ/metasploit-framework into OJ-lanattacks_fix
2013-11-07 10:35:00 -06:00
944528e633
Updated for temporal pathing with TEMP variable
2013-11-07 01:34:55 -05:00
2d4090d9c3
Make option astGUIclient credentials
2013-11-06 20:33:47 -06:00
24d22c96a5
Improve exploitation
2013-11-06 20:15:40 -06:00
2b2ec1a576
Change module location
2013-11-06 15:53:45 -06:00
b9cb8e7930
Add new options
2013-11-06 15:53:12 -06:00
09c31f7582
Small nitpicks to catch bad http responses
2013-11-06 15:06:04 -06:00
7ec7248500
Land #2610 , new Supermicro modules
2013-11-06 14:26:19 -06:00
91639dbb99
Trailing whitespace
2013-11-06 14:25:28 -06:00
079816777a
I kin spel
2013-11-06 14:22:41 -06:00
6b43d94c72
Rename, change titles/descriptions, fix minor bugs
2013-11-06 13:45:40 -06:00
b9caf091d4
Change supermicro_ipmi_traversal location
2013-11-06 12:47:50 -06:00
c132a60973
Move Supermicro web interface name to a constant
2013-11-06 12:47:50 -06:00
0609c5b290
Move private key to a constant
2013-11-06 12:47:50 -06:00
275fd5e2ba
Sort options by name
2013-11-06 12:47:50 -06:00
9f87fb33a7
Move digest calculation to a variable
2013-11-06 12:47:50 -06:00
46f0998903
Add URL refs
2013-11-06 12:47:50 -06:00
a973862c74
Add new modules
2013-11-06 12:47:50 -06:00
61e4700832
Allow guest login option.
...
This enables obtaining or maintaining access to properly misconfigured
systems through the Guest account.
2013-11-06 11:28:13 -06:00
7dcb071f11
Remote shebang and fix pxexeploit
2013-11-06 07:10:25 +10:00
faf6be4529
Missed an errant require
...
Wasn't even using it anyway
2013-11-05 14:00:55 -06:00
9e30c58495
Blow away remnants of Local::Unix
2013-11-05 13:51:45 -06:00
36f96d343e
Revert "Revert "Land #2505" to resolve new rspec fails"
...
This reverts commit e7d3206dc9
2013-11-05 13:45:00 -06:00
f62247e731
Fix comments, indenting and pxexploit module
...
Updated the comments and indentation so they're not blatantly wrong.
Adjusted the pxexploit module so that it doesn't break any more as
a result of the refactoring.
2013-11-05 06:35:50 +10:00
84572c58a8
Minor fixup for release
...
* Adds some new refs.
* Fixes a typo in a module desc.
* Fixes a weird slash continuation for string building (See #2589 )
2013-11-04 12:10:38 -06:00
79e59b2066
Fix metasm data
2013-11-02 10:37:57 -05:00
b077b0accf
Add byte xori mipsle encoder
2013-11-02 10:22:41 -05:00
594ee42398
Add byte xori mipsbe encoder
2013-11-02 10:10:51 -05:00
5c923757e8
Removed generic command execution capability
2013-10-30 21:35:24 -04:00
f5d1d8eace
chmod -x .rb files without #! in modules and lib
...
It wasn't just cmdstager_printf.rb. :/
2013-10-30 19:51:25 -05:00
c92e8ff98d
Delete extra space
2013-10-30 19:34:54 -05:00
e488a54a06
Resplat new WMI module
2013-10-30 15:14:16 -05:00
98224ee89f
CVE update for vtiger issue
2013-10-30 13:48:35 -05:00
344413b74d
Reorder refs for some reason.
2013-10-30 12:25:55 -05:00
32794f9d37
Move OpenBravo to aux module land
2013-10-30 12:20:04 -05:00
17d796296c
Un-dupe References for ispconfig
2013-10-30 12:03:35 -05:00
0d480f3a7d
Typo fix
2013-10-30 11:38:04 -05:00
97a4ca0752
Update references for FOSS modules
2013-10-30 11:36:16 -05:00
78381316a2
Add @brandonprry's seven new modules
...
Already reviewed privately, no associated PR.
2013-10-30 11:04:21 -05:00
5b76947767
Add a few more modules.
2013-10-30 10:25:48 -05:00
c8ceaa25c6
Land #2589 , @wvu-r7's exploit for OSVDB 98714
2013-10-29 14:56:30 -05:00
9f81aeb4ad
Fix style
2013-10-29 14:55:16 -05:00
5af42f2c28
Add short comment on why the padding is necessary
2013-10-29 11:46:10 -05:00
e368cb0a5e
Add Win7 SP1 to WinXP SP3 target
2013-10-29 10:45:14 -05:00
c4c171d63f
Clean processmaker_exec
2013-10-29 09:53:39 -05:00
3eed800b85
Add ProcessMaker Open Source Authenticated PHP Code Execution
2013-10-29 23:27:29 +10:30
ea7bba4035
Add Beetel Connection Manager NetConfig.ini BOF
2013-10-28 22:52:02 -05:00
4128aa8c08
Resplat and tabs
2013-10-28 14:03:15 -05:00
9045eb06b0
Various title and description updates
2013-10-28 14:00:19 -05:00
9bb9f8b27b
Update descriptions on SMB file utils.
2013-10-28 13:48:25 -05:00
0f63420e9f
Be specific about the type of hash
...
See #2583 . Since there are several types of hashes, we need to be more
specific about this -- see modules/exploits/windows/smb/psexec.rb which
uses an "smb_hash" as a password type.
Also, the fixes in #2583 do not appear to address anything else reported
on the Redmine issue, namely, operating system and architecture
identification discovered with this module (assuming good credentials).
Therefore, the Redmine issue should not be considered resolved.
[SeeRM #4398 ]
2013-10-28 13:40:07 -05:00
1fee3ce952
Land #2584 , reporting for energizer_duo_detect
2013-10-28 10:48:20 -05:00
efcfc9eef7
Land #2273 , @kaospunk's enum domain feature for owa_login
2013-10-28 09:47:54 -05:00
71a1ccf771
Clean owa_login enum_domain feature
2013-10-28 09:46:41 -05:00
87dc58191d
Land #2583 - Report creds to db
2013-10-26 23:22:40 -05:00
278dff93e7
Add missing require for Msf::Exploit::Powershell
...
Thanks for the report, @mubix.
2013-10-25 21:41:24 -05:00
e0aec13ce1
[FixRM #4397 ] Add reporting for energizer_duo_detect
2013-10-25 16:51:44 -05:00
9276a839d4
[FixRM #4398 ] Report credentials to database
2013-10-25 16:19:47 -05:00
df83114f0b
Land #2578 , @wchen-r7's [FixRM #8525 ]
2013-10-25 13:28:59 -05:00
a95425de08
Check dec instead
2013-10-25 10:47:41 -05:00
b69ee1fc67
[FixRM #8419 ] Add module platform to ms04_011_pct
2013-10-25 09:29:19 -05:00
1d0a3aad70
[FixRM #8525 ] undefined method `+' for nil:NilClass in enum_ie
...
Looks like for some reason if CryptUnprotectData fails, the decrypt_reg()
method will return "". And when you unpack "", you produce an array of nils.
Since you cannot add something to nil, this should cause an
"undefined method `+' for nil:NilClass" error.
This will check if we get an array of nils, we jump to the next iteration.
2013-10-25 00:26:38 -05:00
dd094eee04
Use 443 by default with SSL
2013-10-24 16:30:26 -05:00
72f686d99a
Add module for CVE-2013-2751
2013-10-24 16:10:32 -05:00
7d788fbf76
Land #2571 - HP Intelligent Management SOM FileDownloadServlet Arbitrary Download
2013-10-24 14:15:26 -05:00
7ee615223d
Land #2570 - HP Intelligent Management SOM Account Creation
2013-10-24 14:14:06 -05:00
ea80c15c3b
Land #2383 , @jamcut's aux module for jenkins enum
2013-10-24 11:31:36 -05:00
8428671f32
Land #2455 , @juushya's aux module for radware
2013-10-24 10:54:02 -05:00
1673b66cbe
Delete some white lines
2013-10-24 10:50:14 -05:00
b589e9aa6e
Use the peer method
2013-10-24 10:45:02 -05:00
2ef33aabe7
Clean open_flash_chart_upload_exec
2013-10-24 10:15:28 -05:00
110daa6e96
Check for nil response from request in check method.
2013-10-24 09:12:37 -04:00
8a5d4d45b4
Add Open Flash Chart v2 Arbitrary File Upload exploit
2013-10-24 22:46:41 +10:30
ecbbd7bb4b
Ran resplat.rb and retab.rb. Fixed msftidy issues.
2013-10-23 20:59:27 -04:00
b5f26455a3
Land #2545 , javascript library overhaul
2013-10-23 16:12:49 -05:00
255cd18868
Use peer helper
2013-10-23 16:08:40 -05:00
69da39ad52
Add module for ZDI-13-240
2013-10-23 16:01:01 -05:00
655e09f007
Fixed description to look better in info output.
2013-10-23 16:36:39 -04:00
9f84ced00e
Fixed boilerplate text.
2013-10-23 16:13:25 -04:00
58a32ebb45
Initial commit.
2013-10-23 14:47:42 -04:00
d1e1968cb9
Land #2566 - Download and delete a file via SMB
2013-10-23 12:28:57 -05:00
9a51dd5fc4
Do exception handling and stuff
2013-10-23 12:28:25 -05:00
0500842625
Do some exception handling
2013-10-23 12:22:49 -05:00
83a4ac17e8
Make sure fd is closed to avoid a possible resource leak
2013-10-23 12:16:18 -05:00
af02fd0355
Use store_loot, sorry mubix
2013-10-23 12:13:05 -05:00
55e3f36589
Add module for ZDI-13-242
2013-10-23 11:24:29 -05:00
bea04cceeb
Remove the trailing slash from the ZDI ref
2013-10-23 11:05:33 -05:00
7d84fa487e
Correct ZDI ref to match new scheme
2013-10-23 11:44:44 +02:00
8f3228d191
chage author but basic copied from hdms upload_file
2013-10-22 21:13:30 -04:00
acc73dd545
Land #2282 - BypassUAC now checks if the process is LowIntegrityLevel
2013-10-22 17:16:26 -05:00
af174639cd
Land #2468 - Hwnd Broadcast Performance
2013-10-22 17:03:02 -05:00
2e8c369c69
Land #2559 - remove content-length
2013-10-22 16:03:42 -05:00
dc0d9ae21d
Land #2560 , ZDI references
...
[FixRM #8513 ]
2013-10-22 15:58:21 -05:00
e1c4aef805
Land #1789 - Windows SSO Post Module
2013-10-22 15:48:15 -05:00
8611a2a24c
Merge remote-tracking branch 'upstream/master' into low_integ_bypassuac
2013-10-22 21:42:36 +01:00
ba1edc6fa8
Land #2402 - Windows Management Instrumentation Local -> Peers
2013-10-22 15:39:32 -05:00
b2b8824e2e
add delete and download modules for smb
2013-10-22 16:31:56 -04:00
85479f5994
removed PrependMigrate, introduced migrate -f
2013-10-22 16:11:19 -04:00
6989f16661
Land #2548 , @titanous's aux module for CVE-2013-4450
2013-10-22 15:02:54 -05:00
bdf07456ba
Last cleanup for nodejs_pipelining
2013-10-22 15:00:58 -05:00
db447b65f9
Add exploit for Node.js HTTP Pipelining DoS
2013-10-22 15:12:14 -04:00
11b2719ccc
Change module plate
2013-10-22 12:36:58 -05:00
df42dfe863
Land #2536 , @ddouhine's exploit for ZDI-11-061
2013-10-22 12:35:40 -05:00
c34155b8be
Clean replication_manager_exec
2013-10-22 12:34:35 -05:00
a4dd53f650
Chane module filename
2013-10-22 11:16:14 -05:00
cdd183f43a
Add reporting
2013-10-22 11:15:16 -05:00
e447aff0ec
Fix misleading statement in Outlook post module
...
Since this module doesn't retrieve domain exchange information as it isn't stored there it shouldn't say that Outlook isn't installed at all.
2013-10-22 11:53:15 -04:00
0d73275c3f
Delete not necessary check
2013-10-22 10:39:54 -05:00
c50e7c73b6
Make parsing easier
2013-10-22 10:30:03 -05:00
0cc7be0138
Use snake_case
2013-10-22 10:04:32 -05:00
e4a340b7f1
Fix small issues
2013-10-22 10:02:32 -05:00
a425e2be78
Fix typo
2013-10-22 09:28:43 -05:00
111c12ef0d
Do cosmetic changes
2013-10-22 09:28:15 -05:00
f46cdb8970
Add the correct plate
2013-10-22 09:27:37 -05:00
de0d09886c
Retab changes for PR #2383
2013-10-22 09:26:44 -05:00
0214501891
Merge for retab
2013-10-22 09:22:10 -05:00
72f3d4f86c
Land #2496 - Added ability to generate multiple payloads
...
Thx Dave!
2013-10-22 01:42:03 -05:00
afcce8a511
Merge osdetect and addonsdetect
2013-10-22 01:11:11 -05:00
9a3e719233
Rework the naming style
2013-10-21 20:16:37 -05:00
5613cfb249
Retab changes for PR #2455
2013-10-21 15:57:23 -05:00
39d38e598d
Merge for retab
2013-10-21 15:55:48 -05:00
71fab72e06
Delete duplicate content-length from axis2_deployer
2013-10-21 15:35:51 -05:00
2aed8a3aea
Update modules to use new ZDI reference
2013-10-21 15:13:46 -05:00
10a4ff41de
Delete Content-Length duplicate header
2013-10-21 15:11:37 -05:00
57e39c2b2c
Land #2498 - multiple payload capabilities
2013-10-21 14:51:24 -05:00
03adb48d48
Resolve NoMethodError undefined method `empty?' for nil:NilClass
...
blank? should fix this.
2013-10-21 14:50:25 -05:00
1599d1171d
Land #2558 - Release fixes
2013-10-21 13:48:11 -05:00
c1954c458c
Just warn, don't bail
...
Even if the OS detection returns non-Win7, maybe it's Win 8 or something
where it'll still work. We rarely bail out on checks like these.
If I'm crazy, feel free to skip or revert this commit (it shouldn't hold
up the release at all)
For details on this module, see #2503 . I don't see any comments about
this line in particular
2013-10-21 13:39:45 -05:00
bce8d9a90f
Update license comments with resplat.
2013-10-21 13:36:15 -05:00
c070108da6
Release-related updates
...
* Lua is not an acronym
* Adds an OSVDB ref
* credit @jvazquez-r7, not HD, for the Windows CMD thing
2013-10-21 13:33:00 -05:00
58a43e87dd
Added fixes suggested by jlee-r7
...
additional code clean up
2013-10-21 14:18:12 -04:00
4c14595525
Land #2535 - Use %PATH% for notepad
2013-10-21 13:14:44 -05:00
032da9be10
Land #2426 - make use of Msf::Config.data_directory
2013-10-21 13:07:33 -05:00
e7d3206dc9
Revert "Land #2505" to resolve new rspec fails
...
This reverts commit 717dfefead6430fa3354
2013-10-21 12:47:57 -05:00
cacaf40276
Land #2542 - D-Link DIR-605L Captcha Handling Buffer Overflow
2013-10-21 12:03:07 -05:00
9bfd98b001
Change plate
2013-10-21 11:54:42 -05:00
717dfefead
Land #2505 , missing source fix for sock_sendpage
2013-10-21 11:47:55 -05:00
6430fa3354
Land #2539 - Support Windows CMD generic payload
...
This also upgrades auxiliary/admin/scada/igss_exec_17 to an exploit
2013-10-21 11:26:13 -05:00
45d06dd28d
Change plate
2013-10-21 11:24:30 -05:00
0670020701
Land #2553 - HP Intelligent Management BIMS DownloadServlet Directory Traversal
2013-10-21 11:20:16 -05:00
8c05f8cf51
Land #2550 - Add HP Intelligent Managemetn UploadServlet dir traversal
2013-10-21 11:14:22 -05:00
d22e4ac2f1
Check timeout condition
2013-10-21 11:13:48 -05:00
36dace26fa
Land #2538 - Fix redirect URLs
2013-10-21 11:08:03 -05:00
09c9cba3d5
Updated code
2013-10-21 19:29:05 +05:30
183116c81f
Make module work, and final cleanup
2013-10-20 18:39:41 -05:00
27078eb5a6
Add support for HP imc /BIMS 5.1
2013-10-20 18:18:34 -05:00
b0d32a308a
Update version information
2013-10-19 00:52:22 -05:00
7d8a0fc06c
Add BID reference
2013-10-19 00:29:43 -05:00
aa6a24da1b
Add module template
2013-10-19 00:27:57 -05:00
cf239c2234
Add module for ZDI-13-238
2013-10-19 00:05:09 -05:00
5a0b8095c0
Land #2382 , Lua bind and reverse shells
2013-10-18 17:11:37 -05:00
70fced1d74
Delete unnecessary requires and make msftidy compliant
2013-10-18 16:54:20 -05:00
dbd74bceed
Add the ARCH_CMD target
2013-10-18 16:35:22 -05:00
2339cdc713
Land #2513 , @joev-r7's osx persistence local exploit
2013-10-18 15:13:50 -05:00
83f27296d3
Fix some bugs in osx persistence.
...
- the RUN_NOW datastore option did not work as expected
- Adds support for OSX < 10.4 KeepAlive option
- organizes private methods alphabetically.
2013-10-18 14:12:33 -05:00
4e4d0488ae
Rubyfy constants in privs lib
2013-10-18 18:26:07 +01:00
681db6cb41
Use fully qualified constant in include.
2013-10-18 11:31:02 -05:00
05bea41458
mkdir -p the dirname, not the file.
2013-10-18 11:27:37 -05:00
2e0a14d719
Introduced PrependMigrate, PPID killing and general clean-up
2013-10-18 12:24:50 -04:00
9d6031acdb
Reverting payload_inject because of x64 shellcode
...
Injecting x64 shellcode in a SYSWOW64 process spawn a 32 bit notepad, so
we revert the changes.
2013-10-18 09:51:18 +02:00
7a47059e1d
Fix a couple more shellescapes.
2013-10-18 00:47:22 -05:00
a2e3c6244e
Remove unnecessary Exe::Custom logic.
...
- this is handled by the exe.rb mixin.
- adds support for a RUN_NOW datastore option.
- tested working on java meterpreter and x86 shell session.
2013-10-18 00:41:18 -05:00
7dd39ae5e6
Update ranking
2013-10-17 22:43:47 -05:00
a00a813649
Add real device libraries base addresses
2013-10-17 22:34:54 -05:00
55426882d4
Further bypassuac tidyup
2013-10-18 00:08:06 +01:00
e450e34c7e
Merge branch 'master' of github.com:rapid7/metasploit-framework into low_integ_bypassuac
...
Conflicts:
modules/exploits/windows/local/bypassuac.rb
2013-10-17 23:35:36 +01:00
5a662defac
Post::Privs uses Post::Registry methods
2013-10-17 23:28:07 +01:00
94db3f511a
Avoid extra slash in redirect URI
...
[SeeRM #8507 ]
2013-10-17 14:10:15 -05:00
be1d6ee0d3
Support Windows CMD generic payload
2013-10-17 14:07:27 -05:00
22b4bf2e94
Resplat webtester_exec.rb
2013-10-17 13:30:54 -05:00
07ab53ab39
Merge from master to clear conflict
...
Conflicts:
modules/exploits/windows/brightstor/tape_engine_8A.rb
modules/exploits/windows/fileformat/a-pdf_wav_to_mp3.rb
2013-10-17 13:29:24 -05:00
7f6dadac16
Merge for sync
2013-10-17 10:40:01 -05:00
b03783baec
minors fixes and rand for endstring
2013-10-17 17:10:05 +02:00
22eb2ba163
randstring and fixes
2013-10-17 16:51:34 +02:00
352eca1147
Fix check method and set a big space available for payload
2013-10-17 09:30:59 -05:00
563bf4e639
Fix bug #8502 , used %PATH% for notepad invocation
...
We use system %PATH% for notepad executable instead of the absolute
path, because it caused a problem with the migrate script in a 64-bit
meterpreter session. By default the wordpad binary is not in the
%PATH%, so the condition in hp_nnm_ovbuildpath_textfile.rb was not
changed.
2013-10-17 15:41:12 +02:00
54cf7855a2
Add WebTester 5.x Command Execution exploit module
2013-10-17 16:57:57 +10:30
3d3a7b3818
Add support for OSVDB 86824
2013-10-17 01:08:01 -05:00
8f2ba68934
move decrypt_lsa and decrypt_secret to priv too
2013-10-17 00:04:21 -04:00
541d932d77
move decrypt_lsa to priv as well
2013-10-16 23:53:33 -04:00
60d8ee1434
move capture_lsa_key to priv
2013-10-16 23:45:28 -04:00
1a9fcf2cbb
move convert_des_56_to_64 to priv
2013-10-16 23:39:07 -04:00
26d07c0689
add a needed -end
2013-10-16 23:35:14 -04:00
b318e32487
removed duplicate code for capture_boot_key functions
2013-10-16 23:17:20 -04:00
8be21a7413
remove the insane amount of rescues
2013-10-16 22:58:14 -04:00
1a85bd22a8
move capture_boot_key to post win priv
2013-10-16 22:46:15 -04:00
b223504980
clean up run code - remove catchall rescue
2013-10-16 22:22:45 -04:00
ca88c071cf
remove unneeded railgun call and make vprints out of commented puts
2013-10-16 22:20:21 -04:00
f672e2075b
get rid of ID and Version
2013-10-16 22:18:24 -04:00
2fbd7ea0ba
msftidy up
2013-10-16 22:17:05 -04:00
b42687151f
convert from tabs to spaces
2013-10-16 22:14:55 -04:00
c59bdbf52e
move Rob Bathurst enum_lsa module in from the unstable cold
2013-10-16 22:10:22 -04:00
7a0671eba9
Land #2531 - rm deprecated mods
2013-10-16 20:02:58 -05:00
a54b4c7370
Land #2482 , use runas when UAC is DoNotPrompt
2013-10-16 17:51:11 -05:00
f1a67ecafe
Remove overdue deprecated modules
...
[See PT #56795804 ]
[See PT #56796034 ]
2013-10-16 17:02:28 -05:00
0ce221274b
Change JS comments in Ruby.
2013-10-16 16:40:54 -05:00
f0aedd932d
More stragglers
2013-10-16 16:29:55 -05:00
ba2c52c5de
Fixed up some more weird splat formatting.
2013-10-16 16:25:48 -05:00
4fa3b8f820
Add support for IE7 on XP
2013-10-16 15:56:34 -05:00
d13fa7e9a5
Land #2528 , base64 for ms13-080
2013-10-16 15:54:56 -05:00
cc42fbc59e
Added ext .rb
...
... ext .rb why you no save.
2013-10-17 01:40:05 +05:30
f3d4229ed4
Updated code
...
msftidy compliant now. Have run it thru retab.rb, hence the indent like this.
2013-10-17 01:36:26 +05:30
2833d58387
Add OSVDB for vbulletin exploit
2013-10-16 15:01:28 -05:00
3c2dddd7aa
Update reference with a non-plagarised source
2013-10-16 14:44:18 -05:00
06a212207e
Put PrependMigrate on hold because of #1674
...
But I will probably still want this.
2013-10-16 09:24:46 -05:00
ac78f1cc5b
Use Base64 encoding for OS parameter
...
I didn't even realize we already added this in server.rb. So instead
of just escaping the OS parameter, we also encode the data in base64.
I also added prependmigrate to avoid unstable conditions for the payload.
2013-10-15 23:37:11 -05:00
f57032636e
Straggler on a weird boilerplate format
2013-10-15 14:57:04 -05:00
5d86ab4ab8
Catch mis-formatted bracket comments.
2013-10-15 14:52:12 -05:00
ed0b84b7f7
Another round of re-splatting.
2013-10-15 14:14:15 -05:00
c83262f4bd
Resplat another common boilerplate.
2013-10-15 14:07:48 -05:00
23d058067a
Redo the boilerplate / splat
...
[SeeRM #8496 ]
2013-10-15 13:51:57 -05:00
c68319d098
Fix author
2013-10-15 12:59:19 -05:00
f60b29c7a6
Land #2503 , @MrXors's local exploit using VSS
2013-10-15 12:35:26 -05:00
f345414832
Added correct spelling in info
2013-10-15 10:13:18 -07:00
0b9cf24103
Convert vss_persistence to Local Exploit
2013-10-15 11:11:04 -05:00
3b7be50d50
Fix typos
2013-10-15 10:03:00 -05:00
18b4f80ca9
Add minor cleanup for vss_persistence
2013-10-15 09:56:18 -05:00
6a1b1f35a8
Msftidy done.
2013-10-14 19:41:10 -07:00
d444ed054f
Fixed RUNKEY, Fixed SCHTASKS, merged code
2013-10-14 19:36:44 -07:00
d0b1479d5b
Use the real timeout option for DCERPC
2013-10-14 17:41:51 -05:00
e8d0292118
Use read_response class method
...
Looks like this was never implemented in other modules, but it collects
data from the socket in the usual get_once sort of way.
2013-10-14 17:24:22 -05:00
14be85ea5d
Land #2511 , fix up NoMethodError and hanging connx
2013-10-14 16:30:19 -05:00
a3af5d681b
Ensure TCP connection is closed
2013-10-14 21:53:22 +01:00
31dc7c0c08
Land #2522 , @todb-r7's pre-release module fixes
2013-10-14 15:37:23 -05:00
63e40f9fba
Release time fixes to modules
...
* Period at the end of a description.
* Methods shouldn't be meth_name! unless the method is destructive.
* "Setup" is a noun, "set up" is a verb.
* Use the clunky post module naming convention.
2013-10-14 15:17:39 -05:00
4b4804538f
Fixes issues based on feedback
...
This commit addresses comments made by @jvazquez-r7.
2013-10-14 16:02:29 -04:00
15e8c3bcd6
[FixRM #8470 ] - can't convert nil into String
...
Target selection bug in ms13_069_caret.rb. Happens when the target
is Win 7 + IE8, which actually isn't a suitable target.
[FixRM #8470 ]
2013-10-14 14:10:08 -05:00
75aaded842
Land #2471 , @pyoor's exploit for CVE-2013-5743
2013-10-14 14:03:28 -05:00
a6f17c3ba0
Clean zabbix_sqli
2013-10-14 14:01:58 -05:00
e10dbf8a5d
Land #2508 - Add nodejs payloads
2013-10-14 12:23:31 -05:00
fc62b4c4ed
removed global var from file_on_target and useless code
2013-10-14 09:16:54 -07:00
eab90e1a2e
Land #2491 , missing platform info update
2013-10-14 10:38:25 -05:00
17e5c63f7f
removed debugging prompts
2013-10-14 00:29:24 -07:00
b505234bf6
cleand up code and add run function
2013-10-14 00:12:37 -07:00
de156dc8da
new exploit module for CVE-2008-2286, Altiris DS
2013-10-13 22:39:49 -04:00
2a1ade2541
Add disclosure date and some explanation about it
2013-10-13 19:29:51 -05:00
e2c5e6c19f
Fix email format
2013-10-13 18:28:35 -05:00
008f787627
Add module for the dlink user-agent backdoor
2013-10-13 14:42:45 -05:00
74f37c58b2
Land #2514 - Update CVE reference for Joomla
2013-10-13 12:58:23 -05:00
e2a9339592
Add CVE to joomla media upload module.
2013-10-12 21:20:11 -05:00
bcoles
sinn3r
jvazquez-r7
Meatballs
Matteo Cantoni
Tod Beardsley
Karn Ganeshen
jonvalt
Peter Toth
joev
William Vu
Thomas Hibbert
jiuweigui
Chris John Riley
OJ
James Lee
Geyslan G. Bem
FireFart
jvazquez-r7
scriptjunkie
root
HD Moore
AverageSecurityGuy
Booboule
Rob Fuller
Jonathan Rudenberg
jamcut
Norbert Szetei
Davy Douhine
MrXors
kaospunk