1016cb675d
Land #7107 , Use VHOST info for redirection in firefox_proto_crmfrequest
2016-07-24 15:50:21 -05:00
72caeaa72f
Fix redirect url
2016-07-24 15:49:03 -05:00
b057a9486c
Don't use ssh agent
2016-07-19 17:07:22 -05:00
ff63e6e05a
Land #7018 , unvendor net-ssh
2016-07-19 17:06:35 -05:00
14c9569afa
2013-1710 - Use header VHOST info for redirection
...
When this exploit is hit by hostname, the HTTP request contains
a Host header field which does not match the IP-based redirection.
Update the module to check request headers for host information,
and fallback to the prior behavior if none exists.
Tested in conjunction with #6611 DNS spoofer - works great, see
issue #7098 for details.
2016-07-17 04:50:54 -04:00
b08d1ad8d8
Revert "Land #6812 , remove broken OSVDB references"
...
This reverts commit 2b016e02167b1d9596c7
2016-07-15 12:00:31 -05:00
b6b52952f4
set ssh to non-interactive
...
have to set the non-interactive flag so that it does not
prompt the user on an incorrect password
MS-1688
2016-07-14 11:12:03 -05:00
01d0d1702b
Merge branch 'master' into feature/MS-1688/net-ssh-cleanup
2016-07-14 09:48:28 -05:00
2b016e0216
Land #6812 , remove broken OSVDB references
2016-07-11 22:59:11 -05:00
d0e1c67c18
Land #7026 , Add Action Pack render exploit CVE-2016-2098
2016-07-07 16:16:37 -05:00
2cc6565cc9
Update rails_actionpack_inline_exec
2016-07-07 15:56:50 -05:00
5f9f3259f8
Merge branch 'master' into feature/MS-1688/net-ssh-cleanup
2016-07-05 10:48:38 -05:00
d1281b6594
Chmod to remove the exec bit.
2016-06-30 10:43:46 -04:00
3d93c55174
move sshfactory into a mixin method
...
use a convience method to DRY up creation
of the SSHFactory inside modules. This will make it easier
to apply changes as needed in future. Also changed msframework attr
to just framework as per our normal convention
MS-1688
2016-06-28 15:23:12 -05:00
ee2d1d4fdc
Merge branch 'master' into feature/MS-1688/net-ssh-cleanup
2016-06-28 15:00:35 -05:00
fcf8cda22f
Add basic module for CVE-2016-2098
...
ActionPack versions prior to 3.2.22.2, 4.1.14.2, and 4.2.5.2
implement unsafe dynamic rendering of inline content such that
passing ERB wrapped Ruby code leads to remote execution.
This module only implements the Ruby payloads, but can easily
be extended to use system calls to execute native/alternate
payload types as well.
Test Procedures:
Clone https://github.com/hderms/dh-CVE_2016_2098
Run bundle install to match gem versions to those in lockfile
Run the rails server and configure the metasploit module:
Set TARGETURI to /exploits
Configure payload and handler options
Execute the module, move on to post-exp
2016-06-28 03:28:16 -04:00
2480781409
pesky pry.
2016-06-27 01:55:49 -04:00
c2b4e22b46
updated with discovered changes from k kali & documentation update changes requested.
2016-06-27 01:53:20 -04:00
15a1a9ed71
Raise if payload.arch doesn't match expected
...
This is necessary when payload is a generic/* since we can't actually
figure out what we need the prefix/suffix to be because the generics are
a pain to extract the arch/platform info out of.
Also remove some unnecessary options.
2016-06-24 16:08:47 -05:00
6c3871bd0c
update ssh modules to use new SSHFactory
...
updated all of our SSh based module to use the
new SSHFactory class to plug Rex::Sockets into
Net::SSH
MS-1688
2016-06-24 13:55:28 -05:00
3fb9eae687
EOL space if a ruby devil.
2016-06-23 15:40:16 -07:00
b38b116c9a
@ePaul comments added to description.
2016-06-23 15:33:11 -07:00
08d08d2c95
Fix Java payload generator
2016-06-23 14:51:26 -05:00
464808d825
First, put the RC data in the module proper
2016-06-23 14:43:37 -05:00
92c70dab6f
Real array, and fix PHP
2016-06-23 13:22:21 -05:00
ffabf26593
No Automatic target.
2016-06-23 12:50:23 -05:00
7a36d03fe3
Trying multi arch
2016-06-23 12:34:51 -05:00
47674c77ad
chmod 644 swagger_param_inject.rb
2016-06-23 11:49:16 -04:00
fbd0bc4308
updated as per @egypt & @todb-r7 recommendations.
2016-06-23 11:41:54 -04:00
fc79f3a2a9
Modify for only NodeJS
...
Not sure if we can do multiple arch's in the same module. Doesn't look
like it's possible today.
See rapid7#7015
2016-06-23 10:14:57 -05:00
579a3bcf7c
default payload is NOT text based, so do nothing with it.
2016-06-23 07:00:14 -07:00
47e4321424
CVE-2016-5641
2016-06-23 06:09:37 -07:00
7cdadca79b
Land #6945 , Add struts_dmi_rest_exec exploit
2016-06-08 23:16:46 -05:00
e4c55f97db
Fix module desc
2016-06-06 10:40:36 -05:00
9f19d2c210
add apache struts2 S2-033 rce module
2016-06-06 05:07:48 -05:00
f333481fb8
Add vendor patch info
2016-06-02 16:41:06 -05:00
7c9227f70b
Cosmetic changes for magento_unserialize to pass msftidy & guidelines
2016-06-02 16:34:41 -05:00
4f42cc8c08
Added module
2016-06-02 09:24:10 -05:00
028b1ac251
Land #6816 Oracle Application Testing Suite File Upload
2016-05-24 18:27:10 -05:00
5bf8891c54
Land #6882 , fix moodle_cmd_exec HTML parsing to use REX
2016-05-23 23:25:22 -05:00
506356e15d
Land #6889 , check #nil? and #empty? instead of #empty?
2016-05-19 19:23:04 -05:00
99a573a013
Do unless instead "if !" to follow the Ruby guideline
2016-05-19 19:21:45 -05:00
41bcdcce61
fix struts_code_exec_exception_delegator - NoMethodError undefined method 'empty?' for nil:NilClass
2016-05-18 00:11:57 -05:00
bc257ea628
fix struts_code_exec - NoMethodError undefined method 'empty?' for nil:NilClass
2016-05-18 00:10:32 -05:00
e8ac568352
doesn't look like we're using the tcp mixin
2016-05-17 03:15:26 -05:00
08394765df
Fix #6879 , REXML::ParseException No close tag for /div
2016-05-17 03:14:00 -05:00
cf0176e68b
Land #6867 , Add Dell SonicWALL Scrutinizer 11.0.1 MethodDetail SQL Injection
2016-05-16 19:00:10 -05:00
8f9762a3e5
Fix some comments
2016-05-12 00:19:18 -05:00
da293081a9
Fix a typo
2016-05-11 22:48:23 -05:00
9d128cfd9f
Add Dell SonicWALL Scrutinizer 11.0.1 MethodDetail SQL Injection
2016-05-11 22:27:18 -05:00
wchen-r7