wchen-r7
5d0b532b20
Fix #8002, Use post/windows/manage/priv_migrate instead of migrate -f
Because migrate -f uses a meterpreter script, and meterpreter scripts
are deprecated, we should be replacing with a post module
Fix #8002
2017-02-23 17:04:36 -06:00
William Webb
dd60fc3598
move cisco_webex_ext to exploits/windows/browser/
2017-01-27 16:59:20 -06:00
William Webb
94f9971300
add module doc and remove the word EXPLOIT from document title
2017-01-26 13:36:18 -06:00
William Webb
d87cb4b085
nfi why I didn't set ssl by default
2017-01-25 21:02:34 -06:00
William Webb
ad0e2c7d95
remove extraneous warning alerts
2017-01-25 18:53:54 -06:00
William Webb
d2bc8c7f7e
msftidy complaints
2017-01-25 18:24:10 -06:00
William Webb
10066e0c16
get your targets straight son
2017-01-25 18:21:58 -06:00
William Webb
d4b18bb3b9
initial commit of webex rce mod
2017-01-25 18:03:19 -06:00
Brent Cook
005d34991b
update architecture
2016-11-20 19:09:33 -06:00
OJ
57eabda5dc
Merge upstream/master
2016-10-29 13:54:31 +10:00
OJ
1d617ae389
Implement first pass of architecture/platform refactor
2016-10-28 07:16:05 +10:00
David Maloney
6b77f509ba
fixes bad file refs for cmdstagers
when moving to the rex-exploitation gem some of the
file references were missed, partially due to silly differences
between how each file was referenced
Fixes #7466
2016-10-21 12:31:18 -05:00
Spencer McIntyre
bd110430e9
Remove unnecessary require statements
2016-10-11 15:35:49 -04:00
Spencer McIntyre
bbdb58eb00
Add an HTA server module using powershell
2016-10-06 19:25:22 -04:00
wchen-r7
51c457dfb3
Update vmhgfs_webdav_dll_sideload
2016-08-08 11:40:03 -05:00
Yorick Koster
dae1679245
Fixed build warnings
2016-08-05 20:40:41 +02:00
Yorick Koster
02e065dae6
Fixed disclosure date format
2016-08-05 20:32:58 +02:00
Yorick Koster
97d11a7041
Exploit module for CVE-2016-5330 VMware Host Guest Client Redirector DLL hijack
2016-08-05 20:19:40 +02:00
Brent Cook
b08d1ad8d8
Revert "Land #6812, remove broken OSVDB references"
This reverts commit 2b016e0216, reversing
changes made to 7b1d9596c7.
2016-07-15 12:00:31 -05:00
Brent Cook
2b016e0216
Land #6812, remove broken OSVDB references
2016-07-11 22:59:11 -05:00
Trenton Ivey
3a39d8020d
Moving back to PSH option only
2016-06-13 12:44:21 -05:00
Trenton Ivey
52bbd22a81
Moving back to PSH option only
2016-06-13 12:10:48 -05:00
Trenton Ivey
8c7796c6d3
Module Cleanup
2016-06-11 18:12:42 -05:00
Trenton Ivey
46eff4c96d
Added command option
2016-06-11 18:07:24 -05:00
Trenton Ivey
6af3c4ab99
Added zero to Run method to prevent popup
2016-06-10 14:52:02 -05:00
Trenton Ivey
17974d74e2
Removing space at end of line
2016-06-09 21:49:24 -05:00
Trenton Ivey
6cd1da414f
Regsvr32.exe Application Whitelist Bypass Server
2016-06-09 21:15:07 -05:00
wwebb-r7
ab27c1b701
Merge pull request #6940 from samvartaka/master
Exploit for previously unknown stack buffer overflow in Poison Ivy versions 2.1.x (possibly present in older versions too)
2016-06-08 11:25:51 -05:00
samvartaka
5260031991
Modifications based on suggestions by @wchen-r7
2016-06-08 01:17:15 +02:00
wchen-r7
60c60bf004
Minor cosmetic changes
2016-06-06 22:45:00 -05:00
samvartaka
290e1eb0fa
This module exploits a previously unknown stack buffer overflow vulnerability
in Poison Ivy versions 2.1.x (possibly present in older versions too) and doesn't
require knowledge of the secret key as it abuses a flaw in the cryptographic protocol.
Note that this is a different vulnerability from the one affecting versions 2.2.0 and up
(https://www.rapid7.com/db/modules/exploit/windows/misc/poisonivy_bof).
See http://samvartaka.github.io/exploitation/2016/06/03/dead-rats-exploiting-malware
for details.
## Console output
Below is an example of the exploit running against a 2.1.4 C2 server (PIVY C2 server password is
set to 'pivypass' and unknown to attacker).
### Version 2.1.4
```
msf > use windows/misc/poisonivy_21x_bof
msf exploit(poisonivy_21x_bof) > set RHOST 192.168.0.104
RHOST => 192.168.0.104
msf exploit(poisonivy_21x_bof) > check
[*] 192.168.0.104:3460 The target appears to be vulnerable.
msf exploit(poisonivy_21x_bof) > set PAYLOAD windows/shell_bind_tcp
PAYLOAD => windows/shell_bind_tcp
msf exploit(poisonivy_21x_bof) > exploit
[*] 192.168.0.104:3460 - Performing handshake...
[*] Started bind handler
[*] 192.168.0.104:3460 - Sending exploit...
[*] Command shell session 1 opened (192.168.0.102:56272 -> 192.168.0.104:4444) at 2016-06-03 12:34:02 -0400
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\winxp\Desktop\Poison Ivy\Poison Ivy 2.1.4\Poison Ivy 2.1.4>
```
2016-06-03 19:20:06 +02:00
root
d72492fe30
Add support for older Data Protector versions
Increases support by enabling all SSL ciphers. Some older versions
of DP only support weaker export ciphers not enabled by default.
2016-06-01 10:45:47 +01:00
Ian Lovering
eb2398a446
Renamed hp_dataprotector_encrypted_comms
Renamed to match other data protector exploits
2016-05-31 22:58:32 +01:00
Ian Lovering
54c4771626
Exploit for HP Data Protector Encrypted Comms
Added exploit for HP Data Protector when using encrypted communications.
This has been tested against v9.00 on Windows Server 2008 R2 but should also work against older versions of DP.
2016-05-31 22:44:14 +01:00
wchen-r7
816bc91e45
Resolve #6807, remove all OSVDB references.
OSVDB is no longer a vulnerability database; therefore, all the
references linked to it are invalid.
Resolve #6807
2016-04-23 12:32:34 -05:00
wchen-r7
4a435e8d13
Bring hp_dataprotector_install_service up to date w/ upstream-master
2016-04-22 13:42:41 -05:00
wchen-r7
db1d973ef0
Cosmetic changes for hp_dataprotector_install_service
2016-04-22 13:41:18 -05:00
Adam Cammack
05f585157d
Land #6646, add SSL SNI and unify SSLVersion opts
2016-03-15 16:35:22 -05:00
Christian Mehlmauer
3123175ac7
use MetasploitModule as a class name
2016-03-08 14:02:44 +01:00
Brent Cook
f703fa21d6
Revert "change Metasploit3 class names"
This reverts commit 666ae14259.
2016-03-07 13:19:55 -06:00
Christian Mehlmauer
666ae14259
change Metasploit3 class names
2016-03-07 09:56:58 +01:00
Brent Cook
eea8fa86dc
unify the SSLVersion fields between modules and mixins
Also actually handle the 'Auto' option that we had in the crawler and remove
hardcoded defaults in modules that do not need them.
2016-03-06 22:06:27 -06:00
James Lee
12256a6423
Remove now-redundant peer
These all include either Msf::Exploit::Remote:Tcp or Msf::Exploit::Remote:HttpClient
2016-02-01 15:12:03 -06:00
benpturner
c5773b1a02
Removal of spaces found with msftidy
2016-01-12 17:04:50 +00:00
benpturner
9d64edc16f
New module to exploit the Install Service vulnerability inside Data Protector. I released this vulnerability on exploit DB some years back but Metasploit didn't support setting up an SMB server at the time. I have re-submitted this module to exploit the vulnerability. I have tested this on Windows Server 2003 and it works without fail.
2016-01-12 16:53:26 +00:00
wchen-r7
cea3bc27b9
Fix #6362, avoid overriding def peer repeatedly
def peer is a method that gets repeated a lot in modules, so we
should have it in the tcp mixin. This commit also clears a few
modules that use the HttpClient mixin with def peer.
2015-12-23 11:44:55 -06:00
wchen-r7
154fb585f4
Remove bad references (dead links)
These links are no longer available. They are dead links.
2015-10-27 12:41:32 -05:00
William Vu
86dfbf23e8
Fix whitespace
2015-10-15 22:48:53 -05:00
xistence
018b515150
Add CVE/URL references to manageengine_eventlog_analyzer_rce
2015-10-16 10:41:39 +07:00
jvazquez-r7
b206de7708
Land #5981, @xistence's ManageEngine EventLog Analyzer Remote Code Execution exploit
2015-09-27 00:42:17 -05:00