Quentin Kaiser
551f8c5e92
Support for echo and printf command stager flavors + support for curl and wget command stager flavors (hence reactivation of SRVHOST, SRVPORT, URIPATH and SSLCert).
2018-12-18 15:48:58 +01:00
Quentin Kaiser
f290221a66
Cleaner response check in check function. Usage of CheckCode instead of Exploit::CheckCode.
2018-12-18 15:36:52 +01:00
Quentin Kaiser
aeec5cf23e
Cleaner to define this as a Hash, then call .to_json on it. Better support of agent definition in check function.
2018-12-18 15:31:30 +01:00
Quentin Kaiser
e51530688b
fail_with is not allowed in check method. Use vprint_error and return a CheckCode instead.
2018-12-18 15:09:04 +01:00
Quentin Kaiser
4682cf5796
Define in register_options rather than DefaultOptions.
2018-12-18 15:04:28 +01:00
Pedro Ribeiro
86cbddf46d
fix spacing
2018-12-18 13:35:16 +00:00
Pedro Ribeiro
fff850a07e
Make longxor encoder great again
...
The longxor encoder for mipsbe does not work correctly. At the end of the decoding, it should invoke cacheflush() with the correct parameters:
int cacheflush(char *addr, int nbytes, int cache)
The encoder previously did not setup the arguments, as it even said so in the comments:
; addiu $4, $16, -4 ; not checked by Linux
; li $5,40 ; not checked by Linux
; li $6,3 ; $6 is set above
I think this is because the encoder is pretty old (2008), and before kernel 2.6.11, cacheflush() did not need any parameters (from the cacheflush man page):
BUGS
Linux kernels older than version 2.6.11 ignore the addr and nbytes arguments, making this function fairly expensive. Therefore, the whole cache is always flushed.
This commit fixes that by setting up the parameters correctly. As an unfortunate side effect this increases the shellcode by 16 bytes, but it is absolutely necessary for it to work properly.
Note that this bug is not present when testing the encoder output on an emulator like qemu; emulators do not need to flush the caches to work properly.
As an added bonus I have also made it compatible with toupper() restrictions, which is common in web server exploits too. This did not add any extra bytes to the encoder.
2018-12-18 12:30:55 +00:00
Brent Cook
fc2d217c0a
Land #11135, strip comments from source code before uploading it to the target
2018-12-17 21:23:29 -06:00
Brent Cook
333d44186b
Land #11138, add reverse_tcp mixin for vax payload
2018-12-17 21:17:40 -06:00
Andres Rodriguez
a10a5e74c4
Use of send_request_cgi instead of raw socket (incomplete responses) and other small fixes
2018-12-17 15:10:36 -08:00
Andres Rodriguez
8072b038ed
Use of send_request_cgi instead of raw socket (incomplete responses) and other small fixes
2018-12-17 15:09:08 -08:00
Andres Rodriguez
3fb723cc1b
Use of send_request_cgi instead of raw socket (incomplete requests) and other small fixes
2018-12-17 15:04:55 -08:00
bwatters
bf13693d37
Land #11101, temp fix for x64/xor stage encoder
...
Merge branch 'land-11101' into upstream-master
2018-12-17 14:14:55 -06:00
LouDnl
2a69fffa6b
fix for ReverseTcp error
...
Update vax shell_reverse_tcp.rb to fix ReverseTcp NameError
Error:
/opt/metasploit-framework/embedded/framework/modules/payloads/singles/bsd/vax/shell_reverse_tcp.rb:24:in `initialize': uninitialized constant Msf::Handler::ReverseTcp (NameError)
After adding this line the error disappeared for me and I was able to run msfconsole again.
2018-12-17 19:28:07 +01:00
Shelby Pace
2fc501d260
Land #11112, Fix bpf_priv_esc exploit module
2018-12-17 10:00:50 -06:00
Jacob Robles
7839add2fd
Land #11123, Add module windows persistent service
2018-12-17 09:07:21 -06:00
Jacob Robles
88b7b7df4a
Fix additional path space issues
2018-12-17 07:00:23 -06:00
Andres Rodriguez
b9cccc2e8f
Improvements on code quality and documentation
2018-12-17 00:15:48 -08:00
Brendan Coles
d973a58052
Clean up linux/local/vmware_alsa_config
2018-12-17 08:01:34 +00:00
Andres Rodriguez
f05ea634a3
Improvements on code quality and documentation
2018-12-16 23:42:59 -08:00
Green-m
0aa6e5a640
Handle path with spaces correctly.
2018-12-17 10:25:06 +08:00
Andres Rodriguez
48df4be54e
Improvements on code quality and documentation
2018-12-16 12:47:52 -08:00
Andres Rodriguez
1ecc5461bf
Metasploit module for CVE 2017-3248, Weblogic serialization RCE RMI UnicastRef
2018-12-16 06:21:09 -08:00
Brendan Coles
fcb512878c
Add strip_comments method to Linux local exploits
2018-12-16 14:11:54 +00:00
Andres Rodriguez
8ce7643e41
Some improvements in code and documentation.
2018-12-15 21:07:53 -08:00
Andres Rodriguez
873d048b89
Some improvements in code and documentation.
2018-12-15 20:42:17 -08:00
Brendan Coles
4c14642b99
Update modules/exploits/multi/misc/weblogic_deserialize_rawobject.rb
...
Co-Authored-By: acamro <acamro@users.noreply.github.com>
2018-12-15 23:23:23 -05:00
Brendan Coles
8dfd8aa4cd
Update modules/exploits/multi/misc/weblogic_deserialize_rawobject.rb
...
Co-Authored-By: acamro <acamro@users.noreply.github.com>
2018-12-15 23:23:14 -05:00
Andres Rodriguez
29c70b8585
Some fixes of syntax errors
2018-12-15 19:44:05 -08:00
Andres Rodriguez
826c93ff8a
Syntax error in an elseif
2018-12-15 19:41:35 -08:00
Andres Rodriguez
25a447fa35
Removed line at the end of file (to pass all tests)
2018-12-15 19:21:37 -08:00
Andres Rodriguez
d8f19ff6c8
Removed line at the end of file (to pass all tests)
2018-12-15 19:19:47 -08:00
Andres Rodriguez
a936d3f78f
Metasploit module for CVE 2016-3510, Weblogic serialization RCE Marshalled Object
2018-12-15 19:12:33 -08:00
Andres Rodriguez
82db6025c9
Some fixes to pass msftidy.
2018-12-15 18:32:17 -08:00
Andres Rodriguez
446144ba8e
Metasploit module for CVE 2015-4852, Weblogic serialization RCE Raw Object
2018-12-15 18:26:34 -08:00
Wei Chen
5bf28887d2
Land #11127, Fix TARGETURI support in struts2_namespace_ognl
2018-12-15 09:33:48 -06:00
Brendan Coles
b8e134b95d
Update version check
2018-12-15 05:39:50 +00:00
Francesco Soncina
6237740116
lint: remove spaces
2018-12-15 01:02:13 +01:00
epi
cb3ea8dfed
Remove binding.pry from bind payload.
...
In response to
https://github.com/rapid7/metasploit-framework/pull/11039#discussion_r241890477.
2018-12-14 16:32:19 -06:00
asoto-r7
cd2dbf0edf
ysoserial: Modified hp_imc_java_deserialize to use the library
2018-12-14 16:13:17 -06:00
Jacob Robles
8adfef5730
Remove Version, Fix Whitespace
2018-12-14 13:19:49 -06:00
Jacob Robles
e67eaa94c9
Move code to ERB template
2018-12-14 13:13:32 -06:00
William Vu
38bdee19e8
Fix TARGETURI support in struts2_namespace_ognl
2018-12-14 13:08:50 -06:00
Auxilus
6c9fafb9d5
Delete unused variable
...
I suppose the variable 'f' was for Name in https://github.com/rapid7/metasploit-framework/blob/06720ee18b2d661aa5ea695ed80e4daa88fbf20c/modules/exploits/linux/smtp/haraka.py#L70
I'm not sure, should it be 'f' at https://github.com/rapid7/metasploit-framework/blob/06720ee18b2d661aa5ea695ed80e4daa88fbf20c/modules/exploits/linux/smtp/haraka.py#L70 or just the way it is atm?
2018-12-14 22:27:11 +05:30
Jacob Robles
556d182231
Remove code that was replaced
2018-12-14 09:15:01 -06:00
Jacob Robles
a057b72bd9
Use argument
2018-12-14 09:14:27 -06:00
Jacob Robles
dfa84aa1af
Use exploit default exception handling
2018-12-14 09:12:32 -06:00
Jacob Robles
5fd7b82f7a
Remove unused parameter
2018-12-14 09:10:29 -06:00
Brent Cook
673cfe6889
Land #11119, Add WEBUI_PORT to hp_van_sdn_cmd_inject exploit
2018-12-13 16:15:53 -06:00
Jacob Robles
58aa16d06b
Work around snprintf
2018-12-13 14:29:54 -06:00