2924318ca5
update java_rmi_server modules with CVE
2017-06-02 12:59:48 -05:00
d5e74ffdf3
Merge branch 'master' into feature/eternal_blue/rubysmb_refactor
2017-05-30 13:59:31 -05:00
a5f910ea63
move trans2 conditional to case statement
...
this is cleaner as a case statement
2017-05-30 13:52:29 -05:00
b65c959347
limited port of the trans2 exploit packets
...
ported some of the Trans2 packets for EternalBlue
over to RubySMB, but there is so much jacked up about these
packets I'm not sure we can do much more here
2017-05-30 13:49:27 -05:00
72ff4fbf48
Reword warning message, since it didn't make sense
2017-05-30 13:13:08 -05:00
890d35cc30
Fix warning placement to be more helpful
2017-05-30 13:06:23 -05:00
e9ac3fce5a
update credential mode for EB exploit
...
ExternalBlue can now just flat out take
credentials to authenticate with. If credentials
are not supplied then it will still do the
anonymous login.
2017-05-30 10:55:28 -05:00
beb1cef835
rescue connection failure for netbios, suggest how to fix it
2017-05-30 08:06:39 -05:00
ea6063138a
Land #8476 , Implement VerifyArch for ETERNALBLUE
2017-05-30 00:31:32 -05:00
a01a2ead1a
Land #8467 , Samba CVE-2017-7494 Improvements
2017-05-30 00:15:03 -05:00
28fb5cc7da
spelling
2017-05-30 00:14:33 -05:00
e31e3fc545
add additional architectures and targets
2017-05-30 00:07:37 -05:00
a781480e89
Add error handling to get_once
...
And check for specific ack result/reason for 32-bit.
2017-05-29 22:28:50 -05:00
6e253a5be7
Use Rex::Proto::DCERPC::Response
2017-05-29 21:58:03 -05:00
42b14a93b8
Add comments
2017-05-28 23:45:09 -05:00
7a2944d113
Implement VerifyArch for ETERNALBLUE
2017-05-28 23:26:59 -05:00
66f06cd4e3
Fix small typos in comments
2017-05-28 14:40:33 -05:00
965915eb19
Fix typo, thanks!
2017-05-27 22:22:34 -05:00
38491fd7ba
Rename payloads with os+libc, shrink array inits
2017-05-27 19:50:31 -05:00
f9ecdf2b4d
Add some bonus archs for interact mode
2017-05-27 17:26:50 -05:00
41253ab32b
Make msftidy happy
2017-05-27 17:17:20 -05:00
184c8f50f1
Rework the Samba exploit & payload model to be magic.
2017-05-27 17:03:01 -05:00
78d649232b
Remove obsolete module options
2017-05-26 21:21:05 -05:00
123a03fd21
Detect server-side path, work on Samba 3.x and 4.x
2017-05-26 17:02:18 -05:00
ee5f37d2f7
remove nt trans raw sock op
...
don't send the nt transact packet as raw
socket data, instead use the client send_recv
method
2017-05-26 15:50:18 -05:00
d4ba28a20b
Land #8457 , Update multi/fileformat/office_word_macro to allow custom templates
2017-05-26 15:09:23 -05:00
f0f99ad479
nttrans packet setup correctly,everything broken
...
got the nttrans packet setup correctly but somewhere
along the line i broke the whole exploit wtf?
2017-05-26 14:54:46 -05:00
162a660d45
Remove the old windows/fileformat/office_word_macro
...
windows/fileformat/office_word_macro.rb has been deprecated and
it should have been removed on March 16th.
If you want to create a Microsoft Office macro exploit, please
use the multi/fileformat/office_word_macro exploit instead, which
supports multiple platforms, and will support template injection.
2017-05-26 07:33:46 -05:00
04a701dba5
Check template file extension name
2017-05-26 07:31:34 -05:00
072ab7291c
Add /tank (from ryan-c) to search path
2017-05-26 06:56:41 -05:00
2835c165d7
Land #8390 , Add module to execute powershell on Octopus Deploy server
2017-05-25 17:33:07 -05:00
330526af72
Update check method
2017-05-25 17:30:58 -05:00
ae22b4ccf4
Land #8450 , Samba is_known_pipename() exploit
2017-05-25 16:36:28 -05:00
1474faf909
Remove ARMLE for now, will re-PR once functional
2017-05-25 16:14:35 -05:00
2ad386948f
Small cosmetic typo
2017-05-25 16:10:37 -05:00
18a871d6a4
Delete the .so, add PID bruteforce option, cleanup
2017-05-25 16:03:14 -05:00
ee13195760
Update office_word_macro exploit to support template injection
2017-05-25 15:53:45 -05:00
0b0e2f64ca
update SMB1 "Freehole" packet
...
the 'Freehole' packet is now generated with
RubySMB and sent by the client, rather than raw bytes
sent over the bare socket
2017-05-25 13:43:16 -05:00
1a8961b5e3
fied typo
2017-05-25 19:14:59 +02:00
bc8ad811aa
remove old anonymous login packet
...
we are now using the anonymous login from the
RubySMB client we no longer need this method to
manually build the packet
2017-05-25 10:49:42 -05:00
238052a18b
use RubySMB client echo
...
replaced the manually created echo packet
with the RubySMB client echo command
2017-05-25 10:47:14 -05:00
cf7cfa9b2c
Add check() implementation based on bcoles notes
2017-05-25 09:49:45 -05:00
0520d7cf76
First crack at Samba CVE-2017-7494
2017-05-24 19:42:04 -05:00
4ffe666b52
improve the cred fallback
...
we might get a successful sessionsetup
but a failure on IPC$ due to anonymous access
2017-05-24 17:36:07 -05:00
4c02b7b13a
added credentialed fallback
...
if anonymous login is blocked, then the user can
supply credentials for the exploit to try as a fallback
2017-05-24 16:09:51 -05:00
dc67fcd5a8
use RubySMB for anonymous login
...
use the new anonymous login capabilities in
RubySMB
2017-05-24 15:40:05 -05:00
e4ea618edf
Land #8419 , ETERNALBLUE fixes (round two)
...
Hope I resolved the conflicts correctly.
2017-05-23 17:03:21 -05:00
46eb6bdf62
Land #8399 , ETERNALBLUE fixes (round one)
2017-05-23 16:51:19 -05:00
f80c3aa3f4
Correct absolute path
2017-05-23 16:50:25 -05:00
b7b1995238
Land #8274 , Wordpress admin upload check
2017-05-22 22:08:32 -05:00
Jeffrey Martin