6557cabd65
Land #12900 , add teamviewer password recovery
2020-02-07 10:24:12 -05:00
cbf0d14666
Fix the store_valid_credentials service info
2020-02-07 10:07:41 -05:00
b01f02480f
Land #12912 , removes and aliases jtr modules
2020-02-07 12:38:26 +00:00
4dcb2fbd96
Land #12889 , Add OpenSMTPD MAIL FROM RCE
2020-02-07 11:43:18 +00:00
a5a5ea7ded
clean up code, update documentation
2020-02-06 22:27:47 -06:00
7f3c0c9314
Land #12906 , Add module for CVE-2019-19363
...
Merge branch 'land-12906' into upstream-master
2020-02-06 15:22:17 -06:00
9a8d9c6c88
check arch
2020-02-06 14:11:42 -06:00
e736588795
change method of exploitation for reliability
...
This commit changes a few things:
1. The module first writes the dll to a
temp location.
2. The module writes a batch file to a
temp location.
3. The batch file copies the dll until
the copy command fails (presumably
because the dll is now in use by
PrintIsolationHost.exe).
4. The dropped files are deleted.
5. Docs updated to reflect changes.
2020-02-06 12:51:36 -06:00
62c98710ad
Reword vulnerable commit range
2020-02-06 11:03:20 -06:00
abd2c3e1fc
adjust moved_from calls to original module names
2020-02-06 10:23:53 -06:00
e053ed7a1e
Add Msf::Exploit::Expect mixin and refactor again
2020-02-05 21:16:24 -06:00
95fa8602bc
Refactor modules that use Expect
2020-02-05 21:16:21 -06:00
81f9fc7608
Refactor arbitrary payload support
2020-02-05 17:01:54 -06:00
2bb91a2262
remove jtr specific modules that are refactored
2020-02-05 16:52:19 -06:00
dae06ab0c9
Reword comments in morris_sendmail_debug
...
Not sure why I used singular, but it was probably reading too much RFC.
2020-02-05 14:23:29 -06:00
a154efa250
Land #12887 , add dlink ssdpcgi cmd inject
2020-02-05 13:19:05 -06:00
9db6b5184b
Land #12894 , Add Windscribe WindscribeService Named Pipe Privilege Escalation
...
Merge branch 'land-12894' into upstream-master
2020-02-05 12:37:34 -06:00
de25920f30
The written word "through" is modified
2020-02-05 11:53:51 -03:00
25c23073c8
Modify disclosure URL, remove printf...
...
... as stager flavor and silence msftidy error.
2020-02-04 15:20:57 -03:00
5f7004cf7c
Remove 'HttpClient', 'Payload' and 'RHOST'; ...
...
... replace 'Targets' for a new option, and format 'header', as suggested in the review.
2020-02-04 14:04:23 -03:00
22a75c7bee
Revert "Fix style"
...
This reverts commit 9f81aeb4ad
2020-02-04 10:10:46 -06:00
4474b6f6dc
fix carriage return and spaces at EOL
2020-02-03 21:54:55 -06:00
13e670ceb3
fix carriage return and spaces at EOL
2020-02-03 21:52:30 -06:00
303bddbb37
add cleanup code and modified options
2020-02-03 16:24:48 -06:00
5f6c9a265f
Fix puts to print_error
2020-02-03 16:11:23 -06:00
f3e6f562a1
add docs, fix module location
2020-02-03 13:16:53 -06:00
7175126319
Update title for smb_doublepulsar_rce
2020-02-03 11:19:20 -06:00
fa6573f8e7
Note arch in supported target
2020-02-03 11:16:16 -06:00
a3717e13f6
Unf*ck PAYLOAD being set for neutralization
2020-02-03 11:16:16 -06:00
e12d993027
Move SMB DOPU module to match new naming scheme
2020-02-03 11:16:16 -06:00
f49ee7c60e
Prefer exploit.rb's rand_text wrapper
2020-02-03 11:16:16 -06:00
d64eb10b17
Update credit
2020-02-03 11:16:16 -06:00
548529e1d4
Clean up parsing
2020-02-03 11:16:16 -06:00
9e690414a1
Update ping response parsing with new information
...
Found the struct that corresponds to the ping response!
2020-02-03 11:16:16 -06:00
6241555531
Fix service pack
2020-02-03 11:16:16 -06:00
2ce49456a7
Fix arch detection and add product type
...
Thanks to @tsellers-r7 for testing XP and producing output to compare
against. Without a 32-bit test, the architecture guess was incorrect.
Additionally, product type had yet to be determined. The trailing bytes
were indeed significant! Thanks, Tom!
2020-02-03 11:16:16 -06:00
992a386ece
Use build_data_tpdu and note channelJoinConfirm
2020-02-03 11:16:16 -06:00
4d21b0e88e
Update prints in check for visibility
...
vprint_good should be print_warning, and most vprints should be print,
even if in check, since check is critical functionality.
2020-02-03 11:16:16 -06:00
7ba7221a8f
Parse ping response into version, build, and arch
2020-02-03 11:16:16 -06:00
db1a201885
Add RDP DOUBLEPULSAR RCE module
2020-02-03 11:16:16 -06:00
1ef34283eb
obtain session unreliably
2020-02-03 11:07:36 -06:00
97f5f37344
Land #12807 , Install OpenSSH for Windows
2020-02-03 14:50:30 +00:00
e2d0d8f011
Cleanup module and permit alternate payload scheme
...
The original Qualys exploit uses an inline-shell for loop to read
and thereby consume lines from the input stream preceeding the
intended script for execution in the body section. Payloads which
do not contain bad characters (encoded or coincidentally simple)
can be placed directly into the FROM field and executed in place
of the original for loop filter.
2020-02-01 15:04:22 -05:00
34621c0adc
Add Windscribe WindscribeService Named Pipe Privilege Escalation
2020-02-01 00:41:07 +00:00
8d4637a42b
can now add printers
2020-01-31 15:07:56 -06:00
312a3466ee
Update 2020-7247 to execute from body
...
Using method from
https://www.openwall.com/lists/oss-security/2020/01/28/3
Attempted several other line readers via awk, while, for. Tried
without pipes or `>` in the strings. It appears other characters
are also illegal (conditional brackets likely culprits).
Initial testing on wide-open-configured opensmtpd on OpenBSD 6.6
libvirt Vagrant image produces shells, python meterpreter sessions,
and executes generic commands.
2020-01-31 04:32:03 -05:00
b05fe7453f
add improved check method
2020-01-30 11:40:24 -06:00
394e99fbe9
Land #12568 , Fix exploit/windows/local/ms16_032_secondary_logon_handle_privesc
2020-01-30 11:57:56 +01:00
bf68730c76
Land #12885 , URL reference fix
2020-01-29 23:21:58 -06:00
9da4555509
Move clean-up code to cleanup method ( #2 )
...
Move clean-up code to cleanup method
2020-01-29 17:11:07 +01:00
Spencer McIntyre