adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
43,599 Commits 27 Branches 1,043 Tags
f1be6b720b7aaec00d5d9e5dd19be2ebbfbaf64b
Commit Graph

495 Commits

Author SHA1 Message Date
h00die d05c401866 modules cleanup and add docs 2017-09-04 20:57:23 -04:00
Professor-plum 055d64d32b Fixed to modules as suggested from upstream 
fixed typo in xtreme.rb when communicating with C&C
removed self.class from options on all three modules
added line to log path where loot has been stored in xtreme.rb
 2017-07-30 10:14:05 -06:00
Professor-plum 99546330f1 Added PlugX Controller Stack Overflow Module 
This module exploits a stack overflow in the Plug-X Controller when handling a larger than expected message. This vulnerability can allow remote code execution however it causes a popup message to be displayed on the target before execution is gained.

## Verification
Run the PlugX C2 server on a target windows machine. The sample 9f59a606c57217d98a5eea6846c8113aca07b203e0dcf17877b34a8b2308ade6 is a Plux Type 1 server that works good for testing.

- [ ] use exploit/windows/misc/plugx
- [ ] set RHOST [ip of target]
- [ ] set target 1
- [ ] exploit
- [ ] acknowledge the "PeDecodePacket" message on the target

Sample output:
```
msf> use exploit/windows/misc/plugx 
msf exploit(plugx) > set rhost 192.168.161.128
rhost => 192.168.161.128
msf exploit(plugx) > set target 1
target => 1
msf exploit(plugx) > check

[*] 192.168.161.128:13579 - "\x03\xB0\x02\x00\x04\x00"
[*] 192.168.161.128:13579 The target appears to be vulnerable.
msf exploit(plugx) >
 2017-07-29 10:36:42 -06:00
Professor-plum c336daec8d Added Gh0st Controller Buffer Overflow Module 
This module exploits a buffer overflow in the Gh0st Controller when handling a drive list as received by a victim. This vulnerability can allow remote code execution 

## Verification
Run the Gh0st C2 server on a target windows machine. The sample 0efd83a87d2f5359fae051517fdf4eed8972883507fbd3b5145c3757f085d14c is a Gh0st 3.6 server that works good for testing.

- [ ] use exploit/windows/misc/gh0st
- [ ] set RHOST [ip of target]
- [ ] exploit

Sample output:
```
msf > use exploit/windows/misc/gh0st
msf exploit(gh0st) > set rhost 192.168.161.128
rhost => 192.168.161.128
msf exploit(gh0st) > exploit

[*] Started reverse TCP handler on 192.168.161.1:4444 
[*] 192.168.161.128:80 - Trying target Gh0st Beta 3.6
[*] 192.168.161.128:80 - Spraying heap...
[*] 192.168.161.128:80 - Trying command 103...
[*] Sending stage (957487 bytes) to 192.168.161.128
[*] Meterpreter session 1 opened (192.168.161.1:4444 -> 192.168.161.128:49161) at 2017-07-29 10:11:4
 2017-07-29 10:21:05 -06:00
Brent Cook 6300758c46 use https for metaploit.com links 2017-07-24 06:26:21 -07:00
g0tmi1k 524373bb48 OCD - Removed un-needed full stop 2017-07-21 07:41:51 -07:00
g0tmi1k b8d80d87f1 Remove last newline after class - Make @wvu-r7 happy 2017-07-19 11:19:49 +01:00
g0tmi1k a008f8e795 BruteForce - > Brute Force 2017-07-19 10:39:58 +01:00
g0tmi1k 4720d1a31e OCD fixes - Spaces 2017-07-14 08:46:59 +01:00
g0tmi1k fd843f364b Removed extra lines 2017-07-14 08:17:16 +01:00
g0tmi1k 424522147e OCD fixes - Start of *.rb files 2017-07-13 23:53:59 +01:00
William Vu 64452de06d Fix msf/core and self.class msftidy warnings 
Also fixed rex requires.
 2017-05-03 15:44:51 -05:00
William Webb e96013cd0f Land #7781, IBM Websphere Java Deserialization RCE 2017-03-14 17:21:18 -05:00
wizard32 78ff7a8865 Module renamed 
Renamed from websphere_java_deserialize.rb to ibm_websphere_java_deserialize.rb
 2017-03-13 08:22:24 +02:00
wchen-r7 5d0b532b20 Fix #8002, Use post/windows/manage/priv_migrate instead of migrate -f 
Because migrate -f uses a meterpreter script, and meterpreter scripts
are deprecated, we should be replacing with a post module

Fix #8002
 2017-02-23 17:04:36 -06:00
William Webb dd60fc3598 move cisco_webex_ext to exploits/windows/browser/ 2017-01-27 16:59:20 -06:00
William Webb 94f9971300 add module doc and remove the word EXPLOIT from document title 2017-01-26 13:36:18 -06:00
William Webb d87cb4b085 nfi why i didnt set ssl by default 2017-01-25 21:02:34 -06:00
William Webb ad0e2c7d95 remove extraneous warning alerts 2017-01-25 18:53:54 -06:00
William Webb d2bc8c7f7e msftidy complaints 2017-01-25 18:24:10 -06:00
William Webb 10066e0c16 get your targets straight son 2017-01-25 18:21:58 -06:00
William Webb d4b18bb3b9 initial commit of webex rce mod 2017-01-25 18:03:19 -06:00
wizard32 467a476598 Update websphere_java_deserialize.rb 2017-01-08 13:33:01 +02:00
wizard32 829f7da7e0 Update websphere_java_deserialize.rb 2017-01-06 18:39:04 +02:00
wizard32 538a1bf21d 'WfsDelay' Option added 
20sec added on 'WfsDelay' Option for first time exploit run due to the delay of powershell to load all the available modules.
 2017-01-06 18:11:48 +02:00
wizard32 c55e2e58f0 'raw_headers' Updated 2017-01-05 15:19:17 +02:00
wizard32 1d82ee0470 'raw_headers' field Updated 2017-01-05 15:17:17 +02:00
wizard32 c29a9ac00f Show Info updated 2017-01-05 14:18:38 +02:00
wizard32 1a38caa230 Encode - Decode code Updated 2017-01-05 13:07:34 +02:00
wizard32 9f4be89391 Update websphere_java_deserialize.rb 
Update information "Options" field
 2017-01-05 12:38:54 +02:00
wizard32 82e49fb27e Update websphere_java_deserialize.rb 2017-01-04 10:23:48 +02:00
wizard32 b06c5bac2f Invalid CVE format and Spaces at EOL fixed 2017-01-03 21:45:22 +02:00
wizard32 0722944b47 Invalid CVE format fixed 2017-01-03 21:38:32 +02:00
wizard32 8534fde50f Websphere Java Deserialization (RCE) 
This module exploits a vulnerability in IBM's WebSphere Application Server. An unsafe deserialization call of unauthenticated Java objects exists to the Apache Commons Collections (ACC) library, which allows remote arbitrary code execution. Authentication is not required in order to exploit this vulnerability.
 2017-01-03 16:04:51 +02:00
Brent Cook 005d34991b update architecture 2016-11-20 19:09:33 -06:00
OJ 57eabda5dc Merge upstream/master 2016-10-29 13:54:31 +10:00
OJ 1d617ae389 Implement first pass of architecture/platform refactor 2016-10-28 07:16:05 +10:00
David Maloney 6b77f509ba fixes bad file refs for cmdstagers 
when moving to the rex-exploitation gem some of the
file references were missed, partially due to silly differences
between how each file was referenced

Fixes #7466
 2016-10-21 12:31:18 -05:00
Spencer McIntyre bd110430e9 Remove unnecessary require statements 2016-10-11 15:35:49 -04:00
Spencer McIntyre bbdb58eb00 Add an HTA server module using powershell 2016-10-06 19:25:22 -04:00
wchen-r7 51c457dfb3 Update vmhgfs_webdav_dll_sideload 2016-08-08 11:40:03 -05:00
Yorick Koster dae1679245 Fixed build warnings 2016-08-05 20:40:41 +02:00
Yorick Koster 02e065dae6 Fixed disclosure date format 2016-08-05 20:32:58 +02:00
Yorick Koster 97d11a7041 Exploit module for CVE-2016-5330 VMware Host Guest Client Redirector DLL hijack 2016-08-05 20:19:40 +02:00
Brent Cook b08d1ad8d8 Revert "Land #6812, remove broken OSVDB references" 
This reverts commit 2b016e0216, reversing
changes made to 7b1d9596c7.
 2016-07-15 12:00:31 -05:00
Brent Cook 2b016e0216 Land #6812, remove broken OSVDB references 2016-07-11 22:59:11 -05:00
Trenton Ivey 3a39d8020d Moving back to PSH option only 2016-06-13 12:44:21 -05:00
Trenton Ivey 52bbd22a81 Moving back to PSH option only 2016-06-13 12:10:48 -05:00
Trenton Ivey 8c7796c6d3 Module Cleanup 2016-06-11 18:12:42 -05:00
Trenton Ivey 46eff4c96d Added command option 2016-06-11 18:07:24 -05:00