automatic module_metadata_base.json update

GSoC/Meterpreter_Web_Console
Metasploit 2018-06-21 13:42:14 -07:00
parent a408a2a719
commit bfd1bd590b
No known key found for this signature in database
GPG Key ID: CDFB5FA52007B954
1 changed files with 38 additions and 0 deletions


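--- a/module_metadata_base.json
+++ b/module_metadata_base.json
@@ -81863,6 +81863,44 @@
 "is_install_path": true,
 "ref_name": "windows/smb/ms17_010_eternalblue"
 },
+"exploit_windows/smb/ms17_010_eternalblue_win8": {
+"name": "MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+",
+"full_name": "exploit/windows/smb/ms17_010_eternalblue_win8",
+"rank": 200,
+"disclosure_date": "2017-03-14",
+"type": "exploit",
+"author": [
+"Equation Group",
+"Shadow Brokers",
+"sleepya",
+"wvu <wvu@metasploit.com>"
+],
+"description": "EternalBlue exploit for Windows 8, Windows 10, and 2012 by sleepya\n The exploit might FAIL and CRASH a target system (depended on what is overwritten)\n The exploit support only x64 target\n\n Tested on:\n - Windows 2012 R2 x64\n - Windows 8.1 x64\n - Windows 10 Pro Build 10240 x64\n - Windows 10 Enterprise Evaluation Build 10586 x64\n\n\n Default Windows 8 and later installation without additional service info:\n - anonymous is not allowed to access any share (including IPC$)\n - More info: https://support.microsoft.com/en-us/help/3034016/ipc-share-and-null-session-behavior-in-windows\n - tcp port 445 is filtered by firewall\n\n\n Reference:\n - http://blogs.360.cn/360safe/2017/04/17/nsa-eternalblue-smb/\n - \"Bypassing Windows 10 kernel ASLR (remote) by Stefan Le Berre\" https://drive.google.com/file/d/0B3P18M-shbwrNWZTa181ZWRCclk/edit\n\n\n Exploit info:\n - If you do not know how exploit for Windows 7/2008 work. Please read my exploit for Windows 7/2008 at\n https://gist.github.com/worawit/bd04bad3cd231474763b873df081c09a because the trick for exploit is almost the same\n - The exploit use heap of HAL for placing fake struct (address 0xffffffffffd00e00) and shellcode (address 0xffffffffffd01000).\n On Windows 8 and Wndows 2012, the NX bit is set on this memory page. Need to disable it before controlling RIP.\n - The exploit is likely to crash a target when it failed\n - The overflow is happened on nonpaged pool so we need to massage target nonpaged pool.\n - If exploit failed but target does not crash, try increasing 'GroomAllocations' value (at least 5)\n - See the code and comment for exploit detail.\n\n\n Disable NX method:\n - The idea is from \"Bypassing Windows 10 kernel ASLR (remote) by Stefan Le Berre\" (see link in reference)\n - The exploit is also the same but we need to trigger bug twice\n - First trigger, set MDL.MappedSystemVa to target pte address\n - Write '\\x00' to disable the NX flag\n - Second trigger, do the same as Windows 7 exploit\n - From my test, if exploit disable NX successfully, I always get code execution",
+"references": [
+"MSB-MS17-010",
+"CVE-2017-0143",
+"CVE-2017-0144",
+"CVE-2017-0145",
+"CVE-2017-0146",
+"CVE-2017-0147",
+"CVE-2017-0148",
+"EDB-42030",
+"URL-https://github.com/worawit/MS17-010",
+"AKA-ETERNALBLUE"
+],
+"is_server": true,
+"is_client": false,
+"platform": "Windows",
+"arch": "x64",
+"rport": "445",
+"targets": [
+"win x64"
+],
+"mod_time": "2018-06-21 15:10:47 +0000",
+"path": "/modules/exploits/windows/smb/ms17_010_eternalblue_win8.py",
+"is_install_path": true,
+"ref_name": "windows/smb/ms17_010_eternalblue_win8"
+},
 "exploit_windows/smb/ms17_010_psexec": {
 "name": "MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution",
 "full_name": "exploit/windows/smb/ms17_010_psexec",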