adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
45,311 Commits 27 Branches 1,043 Tags
109bc87ffbdfd5ef16e4d9ca9d0ee04fbb901190
Commit Graph

23516 Commits

Author SHA1 Message Date
William Vu 109bc87ffb Check for nil, EOFError, and zero-length response 2018-03-02 19:15:20 -06:00
William Vu bcdfebf93c Add a vprint for creds we chose 2018-03-02 19:15:19 -06:00
William Vu 4418a0de02 Enhance detection of telnetenabled vs. telnetd 2018-03-02 19:15:19 -06:00
William Vu fba30d47a2 Use default creds specific to protocol 2018-03-02 19:15:18 -06:00
William Vu 1f40afea9c Add automatic target for detection of TCP or UDP 2018-03-02 19:15:18 -06:00
William Vu a5e5b618fd Add print statements I forgot 2018-03-02 19:15:17 -06:00
William Vu e87681f2c4 Add NETGEAR TelnetEnable 2018-03-02 19:15:17 -06:00
bwatters-r7 0d07d44b14 ReLand #9565, Reverse TCP x64 RC4 via max3raza's rc4_x64 asm 
This reverts commit 7964868fcd.
 2018-03-02 16:09:52 -06:00
bwatters-r7 7964868fcd Revert "Land #9565, Reverse TCP x64 RC4 via max3raza's rc4_x64 asm" 
This reverts commit fcc579377f, reversing
changes made to 95cd149378.
 2018-03-02 08:29:48 -06:00
bwatters-r7 fcc579377f Land #9565, Reverse TCP x64 RC4 via max3raza's rc4_x64 asm 2018-03-02 07:34:45 -06:00
Sonny Gonzalez 883654f0ea Land #9653, fix Y2k38 issue (until Jan 1, 2038) 2018-03-01 09:13:41 -06:00
Brent Cook 27bd2a4a9f workaround Y2k38 issues in java certificate generation 2018-03-01 08:41:28 -06:00
Brent Cook 325ad7256e if multi/handler is disabled, exit 2018-02-27 04:30:09 -06:00
Rob Fuller 0c82b0a922 Support Windows 2008/7 and above 
Probably about time that we supported versions less than 10 years old :)
 2018-02-24 16:06:55 -05:00
Brent Cook cd728defed Merge branch 'master' into land-9607- 2018-02-23 11:09:20 -06:00
William Vu 7663e5c1f6 Land #9601, ms17_010_eternalblue reliability fixes 2018-02-22 15:30:45 -06:00
James Barnett e531dbc976 Fix bug causing all logins to appear valid 
The headers we were looking for were a little too loose
and were incorrectly identifying all responses as successful
login attempts
 2018-02-22 11:25:35 -06:00
bwatters-r7 4b8a8fa2b1 Land #9441, Create exploit for AsusWRT LAN RCE 
Merge branch 'land-9441' into upstream-master
 2018-02-22 10:40:45 -06:00
Jacob Robles 738d6ab33a Land #9604, Fix logged errors when running without Python 3.6 / gmpy2 2018-02-22 08:11:30 -06:00
Brent Cook 99e278fa29 Land #9584, Fix reverse_php_ssl infinite loop 2018-02-22 07:03:52 -06:00
Trevor Sibanda 77b3673e38 Fix reverse_php_ssl infinite loop 2018-02-22 08:42:54 +00:00
Brent Cook 7e665ab287 check for extra libraries explicitly, fail gracefully 2018-02-21 21:54:58 -06:00
William Vu 3880f6a65e Finally fix "Unknown admin user ''" after 2yrs 
The failed password auth was necessary after all. I misread the PoC. :'(

Apparently the password auth sets the username, while the backdoored
keyboard-interactive auth sets the password.
 2018-02-21 20:44:35 -06:00
William Vu cc2495dd9c Explain fortinet-backdoor -> FortinetBackdoor 2018-02-21 17:05:30 -06:00
William Vu a5d78b82d4 Add require for Net::SSH::CommandStream 2018-02-21 15:51:53 -06:00
William Vu 854ac67b8e Use start_session in fortinet_backdoor 
Still get "Unknown admin user ''" from a shell channel request,
@busterb's more complete implementation notwithstanding.

Hoping we fix this in a subsequent commit or related PR.

Please see #6612 and #9524.
 2018-02-21 15:33:34 -06:00
Aaron Soto af45c1764b Tweak exception handling and timing of ms17_010_eternalblue 2018-02-21 13:40:04 -06:00
Brent Cook 78822fd799 Land #9524, prefer 'shell' channels over 'exec' channels for ssh CommandStream 2018-02-21 06:59:09 -06:00
William Vu 9cbc55ce40 Land #9593, finger_users regex fix 2018-02-21 01:27:40 -06:00
Aaron Soto bda7fefa7f Land #9444 - hsts_eraser module and docs 2018-02-20 21:22:55 -06:00
Jacob Robles b2cb4c425d Land #9594, CloudMe Sync v1.10.9 Buffer Overflow 2018-02-20 17:49:19 -06:00
Jacob Robles 6a62ca15e7 Remove NOPS 
[ticket: #9594]
 2018-02-20 17:40:33 -06:00
Daniel Teixeira 745ad4d727 CloudMe Sync Client BoF 2018-02-20 21:57:13 +00:00
James Lee d6206dc046 Better regex in finger_users 2018-02-20 15:48:00 -06:00
Jacob Robles 107a41a4ce Land #9561, Disk Savvy Enterprise v10.4.18 built-in server buffer overflow 2018-02-20 15:42:12 -06:00
Jacob Robles d02bf40d69 Modified Exploit 
Remove NOPS that weren't needed and freed up space for a larger payload.

[ticket: #9561]
 2018-02-20 15:35:43 -06:00
Tim W f10d58bc2d upgrade osx shells to osx meterpreter 2018-02-21 02:54:38 +08:00
Brent Cook 05e002e3c5 Land #9366, Add x64 staged Meterpreter for macOS 2018-02-19 23:15:03 -06:00
Brent Cook 69c7e83a55 Land #9164, add OWA 2016 support 2018-02-19 23:12:27 -06:00
Chris Higgins 74c6e21f49 Lands #9504, MagniComp SysInfo privilege escalation 2018-02-19 22:47:33 -06:00
Brent Cook 56c00a8cb6 initial OWA 2016 support 2018-02-19 21:43:49 -06:00
Brent Cook ac7fe99a2b specify a python encoding for the module 2018-02-16 16:17:52 -06:00
Brent Cook 242f2d3117 Land #9512, Add Claymore Dual GPU Miner<= 10.5 DoS module 2018-02-16 10:46:48 -06:00
RageLtMan 354eb4092a Reverse TCP x64 RC4 via max3raza's rc4_x64 asm 
To round out the work done by mihi for x86 stages back in the day,
this PR provides x64 Windows stage encryption in RC4 via assembly
written/modified by max3raza during adjacent work on DNS tunneled
transport.

Stage encryption differs from encoding in that there is no decoder
stub or key materiel carried with the stage which can be used by
defensive systems to decode and identify the contents. Persistence
payloads, oob-delivered stage0, and other contexts benefit heavily
from this as their subsequent stage is difficult to detect/identify,
and the chance of accidental execution of the wrong payload/stage
is drastically reduced if separate keys are in play for individual
targets - acquiring the wrong stage will result in decryption
failure and prevent further execution.

For historical context, all of the RC4 stagers implement in-place
decryption via stage0 for the contents of stage1 using the provided
passphrase converted to a key and embedded in stage0 as part of the
payload.

Testing:
  In-house testing with Max - we got sessions, loaded extensions.

Notes:
  All credit for the work goes to Max3raza - big ups for getting
this knocked out.
 2018-02-16 05:15:05 -05:00
Brent Cook 25d2b551d8 Land #9539, add bind_named_pipe transport to Windows meterpreter 2018-02-15 17:39:32 -06:00
Brent Cook d28f6888b2 bump payloads, include bind_named_pipe support 2018-02-15 17:37:33 -06:00
Wei Chen b533ec6019 Land #9509, Ulterius Server < v1.9.5.0 Directory Traversal 
Land #9509
 2018-02-15 16:34:31 -06:00
Wei Chen 949b474a0a Avoid target_uri.path 
It doesn't look like target_uri.path is suitable for this scenario,
because it causes our input to be modified and hard to use.
 2018-02-15 16:31:09 -06:00
Brent Cook 38b03fdfff Merge branch 'upstream-master' into land-9539- 2018-02-15 16:22:13 -06:00
Wei Chen 5467f4c97e Add header 2018-02-15 16:19:54 -06:00