9387a765e5
Fix msftidy warns/errs
2017-08-30 03:10:46 +01:00
4934023fa5
Use alternate system() payload, dont worry about restarts
...
Use nohup and & to background the meterpreter process
2017-08-30 03:10:46 +01:00
d53f10554d
Configurable restart command
2017-08-30 03:10:46 +01:00
d0ff2694b3
Restart after payload process ends
2017-08-30 03:10:46 +01:00
aee44e3bd2
Working meterpreter exploit
...
No service restart
2017-08-30 03:10:46 +01:00
7cfb5fcc97
Rename
2017-08-30 03:10:46 +01:00
8b67b710fa
Add template
2017-08-30 03:10:46 +01:00
202c936868
Land #8826 , git submodule remote command execution
2017-08-29 18:11:32 -05:00
46eeb1bee0
update style
2017-08-29 17:44:39 -05:00
39299c0fb8
randomize submodule path
2017-08-29 16:54:08 +08:00
a40429158f
40% done
2017-08-28 20:17:58 -04:00
8f17d536a7
Update phpmailer_arg_injection.rb
...
Removed second parameter as it was not necessary. Only changed needed was to change "send_request_cgi" to "send_request_cgi!"
2017-08-24 00:29:28 -06:00
c49b72a470
Follow 301 re-direct
...
I found that in some cases, the trigger URL cannot be accessed directly. For example, if the uploaded file was example.php, browsing to "example.php" would hit a 301 re-direct to "/example". It isn't until hitting "/example" that the php is executed. This small change will just allow the trigger to follow one 301 redirect.
2017-08-23 18:53:54 -06:00
821121d40b
Land #8871 , improve compatibility and speed of JDWP exploit
2017-08-23 18:53:47 -05:00
4c285c0129
Land #8827 , QNAP Transcode Server RCE
2017-08-22 23:07:01 -05:00
128949217e
more osx
2017-08-22 16:48:09 -05:00
bb120962aa
more osx support
2017-08-22 14:01:48 -05:00
7263c7a66e
add 64-bit, osx support
2017-08-22 13:51:28 -05:00
e01caac9ed
removing slice operators from jdwp_debugger
2017-08-21 16:36:54 -05:00
edbe8d73c2
Revert "Revert passive stance for multi/handler"
...
This reverts commit 66a4ea4f0b
2017-08-21 16:14:23 -05:00
eabe4001c2
Land #8492 , Add IBM OpenAdmin Tool SOAP welcomeServer PHP Code Execution module
2017-08-20 18:48:22 -05:00
367c760927
window move is now directly in the template
2017-08-20 17:48:59 -05:00
e734a7923a
Land #8267 , Handle multiple entries in PSModulePath
2017-08-20 17:44:30 -05:00
1225555125
remove unnecessary require
2017-08-20 17:37:42 -05:00
840c0d5f56
Land #7808 , add exploit for VMware VDP with known ssh private key (CVE-2016-7456)
2017-08-20 17:36:45 -05:00
88f39d924b
Land #8816 , added Jenkins v2 cookie support
2017-08-20 14:58:38 -05:00
2eba188166
Land #8789 , Add COM class ID hijack method for bypassing UAC
2017-08-20 13:57:17 -05:00
e8ab518d76
Land #8853 , Revert passive stance for multi/handler
2017-08-19 22:04:26 -05:00
66a4ea4f0b
Revert passive stance for multi/handler
...
It's gotten to be a bit annoying. ExitOnSession=false was good, but this
was too much. Typing run -j isn't difficult.
2017-08-18 13:16:12 -05:00
d659cdc8f6
Convert quest_pmmasterd_bof to cmd_interact/find
2017-08-18 00:19:09 -05:00
ac976eee8e
Add author
2017-08-15 03:27:40 +00:00
b8f56d14e0
Land #8698 , Add HEADERS to php_eval module
2017-08-14 09:54:22 -04:00
26193216d1
Land #8686 , add 'download' and simplified URI request methods to http client mixin
...
Updated PDF author metadata downloader to support the new methods.
2017-08-14 01:40:17 -04:00
7d4561e0fd
rename to download_log to avoid conflicting with the mixin
2017-08-14 01:10:37 -04:00
0a374b1a88
Add QNAP Transcode Server Command Execution exploit module
2017-08-13 09:13:56 +00:00
7881a7ddc4
git submodule command exec
2017-08-13 11:47:44 +08:00
7e860571ae
fix bug where api_token auth was being used without token being set
2017-08-09 12:30:26 -04:00
9bb102d72d
add jenkins v2 cookie support
2017-08-09 12:29:31 -04:00
2383afd8dc
Fix improved error handling
2017-08-04 23:42:44 +02:00
7ce813ae6e
Land #8767 , Add exploit module for CVE-2017-8464
...
LNK Code Execution Vulnerability
2017-08-03 17:10:16 -05:00
da3ca9eb90
update some documentation
2017-08-03 17:09:44 -05:00
ddd841c0a8
code style cleanup + add automatic targeting based on payload
2017-08-03 00:27:54 -05:00
b62429f6fa
handle drive letters specified like E: nicely
2017-08-03 00:27:22 -05:00
46ec04dd15
Removed This PC ItemID & increased timeout in WaitForSingleObject
...
Remove the This PC ItemID to bypass (some) AV.
Timeout for WaitForSingleObject is set to 2,5s. After this timeout a
mutex is released allowed a new payload to be executed.
2017-08-02 15:47:22 -05:00
e51e1d9638
Added new DLL templates to prevent crashing of Explorer
2017-08-02 15:47:21 -05:00
3229320ba9
Code review feedback from @nixawk
2017-08-02 15:46:51 -05:00
565a3355be
CVE-2017-8464 LNK Remote Code Execution Vulnerability
...
This module exploits a vulnerability in the handling of Windows
Shortcut files (.LNK) that contain a dynamic icon, loaded from a
malicious DLL.
This vulnerability is a variant of MS15-020 (CVE-2015-0096). The
created LNK file is similar except in an additional
SpecialFolderDataBlock is included. The folder ID set in this
SpecialFolderDataBlock is set to the Control Panel. This is enought to
bypass the CPL whitelist. This bypass can be used to trick Windows into
loading an arbitrary DLL file.
2017-08-02 15:46:30 -05:00
b78cb12546
Ruby 2.2 support. See #8792
2017-08-02 18:06:48 +02:00
6f97e45b35
enable Ruby 2.2 compat checks in Rubocop, correct multi/handler compat
2017-08-02 06:18:02 -05:00
54ded4300e
Land #8791 - Update Accuvant refs to point to Optiv
2017-08-02 13:26:52 +10:00
Calum Hutton