From e78d08e20d5d8d32a9b088bb0c04cbb81733671a Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Thu, 12 Feb 2015 12:11:40 -0600 Subject: [PATCH 1/5] Fix up titles, descriptions --- modules/exploits/android/local/futex_requeue.rb | 13 +++++++------ .../exploits/windows/local/ms14_070_tcpip_ioctl.rb | 9 +++++---- modules/exploits/windows/misc/achat_bof.rb | 10 +++++----- modules/post/windows/gather/file_from_raw_ntfs.rb | 3 ++- 4 files changed, 19 insertions(+), 16 deletions(-) diff --git a/modules/exploits/android/local/futex_requeue.rb b/modules/exploits/android/local/futex_requeue.rb index d890f39818..9b5ec81028 100644 --- a/modules/exploits/android/local/futex_requeue.rb +++ b/modules/exploits/android/local/futex_requeue.rb @@ -14,16 +14,17 @@ class Metasploit4 < Msf::Exploit::Local def initialize(info={}) super( update_info( info, { - 'Name' => 'Android Futex Requeue Kernel Exploit', + 'Name' => "Android 'Towelroot' Futex Requeue Kernel Exploit", 'Description' => %q{ - This module exploits a bug in futex_requeue in the linux kernel. - Any android phone with a kernel built before June 2014 should be vulnerable. + This module exploits a bug in futex_requeue in the Linux kernel, using + similiar techniques employed by the towelroot exploit. Any Android device + with a kernel built before June, 2014 is likely to be vulnerable. }, 'License' => MSF_LICENSE, 'Author' => [ - 'Pinkie Pie', #discovery - 'geohot', #towelroot - 'timwr' #metasploit module + 'Pinkie Pie', # discovery + 'geohot', # towelroot + 'timwr' # metasploit module ], 'References' => [ diff --git a/modules/exploits/windows/local/ms14_070_tcpip_ioctl.rb b/modules/exploits/windows/local/ms14_070_tcpip_ioctl.rb index fc159d599e..bdfe648cff 100644 --- a/modules/exploits/windows/local/ms14_070_tcpip_ioctl.rb +++ b/modules/exploits/windows/local/ms14_070_tcpip_ioctl.rb 
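Review bot: The added description line `similiar techniques employed by the towelroot exploit. Any Android device` carries a typo ("similiar") and spells the exploit name in lowercase while the new 'Name' on the same hunk capitalises it as 'Towelroot'; the line should read `similar techniques employed by the Towelroot exploit. Any Android device`. The third patch in this series touches only the comma on the following line, so the typo survives the whole set. The enclosing initialize method continues past the end of the hunk.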
@@ -18,11 +18,12 @@ class Metasploit3 < Msf::Exploit::Local def initialize(info={}) super(update_info(info, { - 'Name' => 'Windows tcpip!SetAddrOptions NULL Pointer Dereference', + 'Name' => 'MS14-070 Windows tcpip!SetAddrOptions NULL Pointer Dereference', 'Description' => %q{ - A vulnerability within the Microsoft TCP/IP protocol driver tcpip.sys, - can allow an attacker to trigger a NULL pointer dereference by using a - specially crafted IOCTL. + A vulnerability within the Microsoft TCP/IP protocol driver tcpip.sys + can allow a local attacker to trigger a NULL pointer dereference by using a + specially crafted IOCTL. This flaw can be abused to elevate privileges to + SYSTEM. }, 'License' => MSF_LICENSE, 'Author' => diff --git a/modules/exploits/windows/misc/achat_bof.rb b/modules/exploits/windows/misc/achat_bof.rb index e74499e98e..1c1837e14a 100644 --- a/modules/exploits/windows/misc/achat_bof.rb +++ b/modules/exploits/windows/misc/achat_bof.rb @@ -13,13 +13,13 @@ class Metasploit3 < Msf::Exploit::Remote def initialize(info = {}) super(update_info(info, - 'Name' => 'Achat v0.150 beta7 Buffer Overflow', + 'Name' => 'Achat Stack Based Buffer Overflow', 'Description' => %q{ - This module exploits an unicode SEH based stack buffer overflow in Achat v0.150. By - sending a crafted message to the default port 9256 it's possible to overwrites the - SEH handler. Even when the exploit is reliable it depends of timing since there are + This module exploits a Unicode SEH based stack based buffer overflow in Achat. By + sending a crafted message to the default port UDP/9256, it's possible to overwrite the + SEH handler. Even when the exploit is reliable, it depends of timing since there are two threads overflowing the stack in the same time. This module has been tested on - Windows XP SP3 and Windows 7. + Achat v0.150 running on Windows XP SP3 and Windows 7. }, 'Author' => [ 
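Review bot: The rewritten Achat description still reads awkwardly around the changed sentence: the context line `two threads overflowing the stack in the same time. This module has been tested on` should say `at the same time`, and the new-side line `SEH handler. Even when the exploit is reliable, it depends of timing since there are` would read better as `SEH handler. Although the exploit is reliable, it depends on timing since there are` (the fourth patch in this series only swaps `of` for `on`). The description wording is the only thing this hunk changes, so this is the place to settle it. The enclosing initialize method continues past the end of the hunk.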
diff --git a/modules/post/windows/gather/file_from_raw_ntfs.rb b/modules/post/windows/gather/file_from_raw_ntfs.rb index 3704fba66d..b29c903c2d 100644 --- a/modules/post/windows/gather/file_from_raw_ntfs.rb +++ b/modules/post/windows/gather/file_from_raw_ntfs.rb @@ -16,7 +16,8 @@ class Metasploit3 < Msf::Post 'Name' => 'Windows File Gather File from Raw NTFS', 'Description' => %q( This module gathers a file using the raw NTFS device, bypassing some Windows restrictions - such as open file with write lock. Can be used to retrieve files such as NTDS.dit.), + such as open file with write lock. Because it avoids the usual file locking issues, it can + be used to retrieve files such as NTDS.dit.), 'License' => 'MSF_LICENSE', 'Platform' => ['win'], 'SessionTypes' => ['meterpreter'], From d89eda65faa643ff5198f24c88fd3e0694434802 Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Thu, 12 Feb 2015 12:46:38 -0600 Subject: [PATCH 2/5] Moar fixes, thanks @wvu-r7 See #4755 --- modules/exploits/windows/misc/achat_bof.rb | 6 +++--- modules/post/windows/gather/file_from_raw_ntfs.rb | 5 +++-- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/modules/exploits/windows/misc/achat_bof.rb b/modules/exploits/windows/misc/achat_bof.rb index 1c1837e14a..e627f915dd 100644 --- a/modules/exploits/windows/misc/achat_bof.rb +++ b/modules/exploits/windows/misc/achat_bof.rb 
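Review bot: The context line `'License' => 'MSF_LICENSE',` in this hunk quotes the license constant as a string literal, whereas the other three modules touched by this patch use the bare constant `'License' => MSF_LICENSE,`; the quoted form presumably advertises the literal text "MSF_LICENSE" rather than the framework's license value, which is exactly the kind of metadata slip a commit titled "Fix up titles, descriptions" should catch. Since this hunk already rewrites the neighbouring 'Description' entry, the line should become `'License' => MSF_LICENSE,`. The same line is visible as context in the file_from_raw_ntfs.rb hunks of the second and fifth patches in this series. The enclosing initialize method and its super(update_info(info, call open before the hunk and close after it.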
@@ -13,10 +13,10 @@ class Metasploit3 < Msf::Exploit::Remote def initialize(info = {}) super(update_info(info, - 'Name' => 'Achat Stack Based Buffer Overflow', + 'Name' => 'Achat Unicode SEH Buffer Overflow', 'Description' => %q{ - This module exploits a Unicode SEH based stack based buffer overflow in Achat. By - sending a crafted message to the default port UDP/9256, it's possible to overwrite the + This module exploits a Unicode SEH buffer overflow in Achat. By + sending a crafted message to the default port 9256/UDP, it's possible to overwrite the SEH handler. Even when the exploit is reliable, it depends of timing since there are two threads overflowing the stack in the same time. This module has been tested on Achat v0.150 running on Windows XP SP3 and Windows 7. diff --git a/modules/post/windows/gather/file_from_raw_ntfs.rb b/modules/post/windows/gather/file_from_raw_ntfs.rb index b29c903c2d..27f1bb693d 100644 --- a/modules/post/windows/gather/file_from_raw_ntfs.rb +++ b/modules/post/windows/gather/file_from_raw_ntfs.rb @@ -14,10 +14,11 @@ class Metasploit3 < Msf::Post def initialize(info = {}) super(update_info(info, 'Name' => 'Windows File Gather File from Raw NTFS', - 'Description' => %q( + 'Description' => %q{ This module gathers a file using the raw NTFS device, bypassing some Windows restrictions such as open file with write lock. Because it avoids the usual file locking issues, it can - be used to retrieve files such as NTDS.dit.), + be used to retrieve files such as NTDS.dit. + }, 'License' => 'MSF_LICENSE', 'Platform' => ['win'], 'SessionTypes' => ['meterpreter'], From e35f603888a0848e8f88824e5a50df29b821ff64 Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Thu, 12 Feb 2015 12:49:45 -0600 Subject: [PATCH 3/5] Comma fascism --- modules/exploits/android/local/futex_requeue.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/modules/exploits/android/local/futex_requeue.rb b/modules/exploits/android/local/futex_requeue.rb index 9b5ec81028..204bf8af5b 100644 --- a/modules/exploits/android/local/futex_requeue.rb +++ b/modules/exploits/android/local/futex_requeue.rb @@ -18,7 +18,7 @@ class Metasploit4 < Msf::Exploit::Local 'Description' => %q{ This module exploits a bug in futex_requeue in the Linux kernel, using similiar techniques employed by the towelroot exploit. Any Android device - with a kernel built before June, 2014 is likely to be vulnerable. + with a kernel built before June 2014 is likely to be vulnerable. }, 'License' => MSF_LICENSE, 'Author' => [ From c156ed62a9d58a01e3288d1e36dd0b997e13933c Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Thu, 12 Feb 2015 12:56:53 -0600 Subject: [PATCH 4/5] on, not of. --- modules/exploits/windows/misc/achat_bof.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/windows/misc/achat_bof.rb b/modules/exploits/windows/misc/achat_bof.rb index e627f915dd..7a53dee238 100644 --- a/modules/exploits/windows/misc/achat_bof.rb +++ b/modules/exploits/windows/misc/achat_bof.rb @@ -17,7 +17,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Description' => %q{ This module exploits a Unicode SEH buffer overflow in Achat. By sending a crafted message to the default port 9256/UDP, it's possible to overwrite the - SEH handler. Even when the exploit is reliable, it depends of timing since there are + SEH handler. Even when the exploit is reliable, it depends on timing since there are two threads overflowing the stack in the same time. This module has been tested on Achat v0.150 running on Windows XP SP3 and Windows 7. }, From d7fa06de068289b069343f9f46c271ae16ca44ed Mon Sep 17 00:00:00 2001 From: William Vu Date: Thu, 12 Feb 2015 13:01:30 -0600 Subject: [PATCH 5/5] Fix off-by-one whitespace --- modules/post/windows/gather/file_from_raw_ntfs.rb | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/modules/post/windows/gather/file_from_raw_ntfs.rb b/modules/post/windows/gather/file_from_raw_ntfs.rb index 27f1bb693d..b2a50ac2eb 100644 --- a/modules/post/windows/gather/file_from_raw_ntfs.rb +++ b/modules/post/windows/gather/file_from_raw_ntfs.rb @@ -15,10 +15,10 @@ class Metasploit3 < Msf::Post super(update_info(info, 'Name' => 'Windows File Gather File from Raw NTFS', 'Description' => %q{ - This module gathers a file using the raw NTFS device, bypassing some Windows restrictions - such as open file with write lock. Because it avoids the usual file locking issues, it can - be used to retrieve files such as NTDS.dit. - }, + This module gathers a file using the raw NTFS device, bypassing some Windows restrictions + such as open file with write lock. Because it avoids the usual file locking issues, it can + be used to retrieve files such as NTDS.dit. + }, 'License' => 'MSF_LICENSE', 'Platform' => ['win'], 'SessionTypes' => ['meterpreter'],