Commit Graph

1332 Commits (master)

Author SHA1 Message Date
Tim W 2ec7f11b90 add binary 2018-05-30 18:02:17 +08:00
Tim W df60c5bb6b embed mettle within PhoenixNonce 2018-05-30 17:30:03 +08:00
bwatters-r7 ce5be387c4
Land #8795, Added CVE-2016-0040 Windows Privilege Escalation
Merge branch 'land-8795' into upstream-master
2018-05-03 16:33:53 -05:00
bwatters-r7 5a787bcce5
We don't need the application.c file 2018-05-03 15:08:42 -05:00
bwatters-r7 26f2bdbfb1
Change Platform toolset from 140 (vs2015) to 120 (vs2013) 2018-05-03 14:58:30 -05:00
bwatters-r7 c08f45223d
Clean up comment typos from copy/pasta 2018-05-03 14:43:31 -05:00
Tim W 7c3e5da450 add more credits/references 2018-04-03 14:59:00 +08:00
Tim W c5039251a2 add CVE-2016-4655
rebase
2018-04-03 14:58:57 +08:00
Kirk Swidowski 34f2385b8b Merge branch 'master' of https://github.com/de7ec7ed/metasploit-framework 2018-03-07 08:20:37 -08:00
Kirk Swidowski d7cfe41983 removed files. 2018-03-07 08:20:22 -08:00
Tim W a01f0f3023 fix #9366, fix osx x64 stage location 2018-02-20 13:50:44 +08:00
Adam Cammack 64c725164a
Add macOS reverse stager binary 2018-01-31 14:27:44 -06:00
Tim W 0ce125ec55 more fixes 2018-01-30 17:54:10 +08:00
Tim W 39c07e2289 add references 2018-01-30 17:52:01 +08:00
Tim W 9aaf93ff3b fix fix for older osx versions 2018-01-29 03:50:39 +08:00
Tim W 82fde6b1d1 fix for older osx versions 2018-01-21 08:04:26 +08:00
Tim W 46a45550fd add osx x64 stager 2018-01-03 14:04:14 +08:00
Tim 358aca9435
apple_ios/aarch64/shell_reverse_tcp 2017-12-19 15:42:21 +08:00
bwatters-r7 5a07be9b96
Land #9041, Add LPE on Windows using CVE-2017-8464 2017-11-08 10:09:03 -06:00
Spencer McIntyre c2578c1487 Refactor GetProcessSid to remove do while FALSE 2017-11-07 19:11:24 -05:00
bwatters-r7 7df18e378d Fix conflicts in PR 8509 by mergeing to master 2017-10-09 10:30:21 -05:00
Spencer McIntyre 3f6f70f820 Move the cve-2017-8464 source to external/source 2017-10-08 13:58:51 -04:00
Kirk Swidowski 2ee94ca3d9 made changes based on PR feedback. 2017-09-01 16:49:17 -07:00
Kirk Swidowski b7fc990d17 moved project to the source directory. 2017-09-01 16:09:53 -07:00
Tim ffbf21cb1c cleanup 2017-08-31 18:35:18 +08:00
Tim 7b71f60ea1 fix the stack 2017-08-31 18:35:18 +08:00
Tim 26f4fa3b09 setup stack 2017-08-31 18:35:17 +08:00
Tim a2396991f0 stager not setting up stack 2017-08-31 18:35:17 +08:00
Tim 6dbe00158f fix stager 2017-08-31 18:35:17 +08:00
David Tomaschik ef6c20ce51 Update README
Meterpreter repo now redirects to metasploit-payloads.
2017-08-27 10:26:35 -07:00
Tim d6d6c67f33 add stage_shell.s and cleanup 2017-08-21 14:42:30 +08:00
Tim ac6495a7eb formatting 2017-08-21 12:35:13 +08:00
Tim 9768a89bcd aarch64 staged shell 2017-08-21 11:14:42 +08:00
Tim 8b4ccc66c7 add linux/aarch64/shell_reverse_tcp 2017-08-17 18:55:37 +08:00
Brent Cook 59086af261
Land #8771, rewrite linux x64 stagers with Metasm 2017-08-14 02:32:29 -04:00
tkmru f961d7da13 update src 2017-07-29 21:08:52 +09:00
tkmru 6c5d8279ca change to generate payload from metasm 2017-07-16 19:21:09 +09:00
tkmru 4e046db9b3 add retry to linux reverse tcp x86 2017-07-14 12:47:32 +09:00
tkmru 62533509c6 fit source to shellcode prev change 2017-07-12 16:26:00 +09:00
Tim db8698e82b
Land #8655, add error handling to mipsle linux reverse tcp stager 2017-07-11 22:33:54 +08:00
Tim b9f5ebcf66 update comment 2017-07-11 00:58:03 +08:00
Tim 75c571de83
Land #8653, add error handling to mipsbe linux reverse tcp stager 2017-07-09 19:36:15 +08:00
Tim cd0c2c213f pedantic tweaks 2017-07-09 19:36:03 +08:00
tkmru a4a959266b update cachedSize 2017-07-06 17:43:27 +09:00
tkmru adeffd6600 add error handling to stager_sock_reverse src on mipsle 2017-07-06 17:07:11 +09:00
tkmru 2d8a71de6f tab to space 2017-07-05 18:22:06 +09:00
tkmru d02d6826a9 fix reverse tcp stager src 2017-07-05 17:56:59 +09:00
tkmru d1f08a80bd add error handling to reverse_tcp on mipsbe 2017-07-05 17:50:49 +09:00
tkmru 084b211e9b add x64 stager_sock_reverse src 2017-06-25 16:31:37 +09:00
Tim 03116d7933
Land #8543, add error handling to ARM linux reverse tcp stager 2017-06-18 15:38:16 +08:00
Tim 210a4cb299 fix indent 2017-06-18 15:35:23 +08:00
tkmru 1773a5f188 fix indent 2017-06-16 15:57:09 +09:00
Tim 9cf9d22bae fix mmap return cmp 2017-06-16 06:26:40 +08:00
RaMMicHaeL f17b28930d Update executex64.asm 2017-06-04 13:18:50 +03:00
L3cr0f 6a3fc618a4 Add bypassuac_injection_winsxs.rb module 2017-06-03 12:59:50 +02:00
RaMMicHaeL ca5b20f4d0 Fixed an elusive bug on AMD CPUs
Details:
http://blog.rewolf.pl/blog/?p=1484
rwfpl/rewolf-wow64ext@8771485
2017-06-03 11:30:11 +03:00
zerosum0x0 bdf121e1c0 x86 kernels will safely ret instead of BSOD 2017-05-17 23:48:14 -06:00
zerosum0x0 4f3a98d434 add arch detection to shellcode 2017-05-17 23:36:17 -06:00
zerosum0x0 a5c391dae2 multi-arch ring0->ring3 shellcode .asm file (work in progress) 2017-05-17 23:29:05 -06:00
Brent Cook 176e88f293
Land #7835, Add Windows Local Privilege Escalation exploit stub 2017-03-08 06:20:58 -05:00
William Webb 83cc28a091
Land #7972, Microsoft Office Word Macro Generator OS X Edition 2017-02-21 13:26:42 -06:00
wchen-r7 3d269b46ad Support OS X for Microsoft Office macro exploit 2017-02-16 12:28:11 -06:00
OJ 1c62559e55
Add v1 of SQL Clr stored proc payload module 2017-02-10 10:28:22 +10:00
wchen-r7 ccaa783a31 Add Microsoft Office Word Macro exploit 2017-02-02 17:44:55 -06:00
OJ b6e882c8eb
Add a Windows LPE exploit template for x64/x86 2017-01-17 11:20:14 +10:00
OJ 32173b9701
Move execute_payload to the kernel lib 2017-01-17 11:19:26 +10:00
Brent Cook 2585c8c8b5
Land #7461, convert futex_requeue (towelroot) module to use targetting and core_loadlib 2017-01-11 13:24:25 -06:00
Tim 25a8283af3
fork early and use WfsDelay 2016-12-20 00:59:27 +08:00
Tim f1efa760df
more fixes 2016-12-20 00:52:11 +08:00
Tim e6d4c0001c
hide debug printing 2016-12-20 00:52:11 +08:00
Tim 7ac3859393
convert futex_requeue module to use targetting and core_loadlib 2016-12-20 00:52:11 +08:00
Tim 3afa20a1af
fix double \n in printf 2016-12-13 17:02:23 +08:00
Tim fe9972cc25
fork early and use WfsDelay 2016-12-13 17:02:23 +08:00
Tim 891fccb4e2
add pattern for GT-S7392 2016-12-13 17:02:23 +08:00
Tim 07ce7f3aed
fix make run 2016-12-13 17:02:23 +08:00
Tim 9ece45a180
dont exit(0) when exploit fails 2016-12-13 17:02:23 +08:00
Tim ebf7ae0739
add CVE-2013-6282, put_user/get_user exploit for Android 2016-12-13 17:02:23 +08:00
William Webb 31b593ac67
Land #7402, Add Linux local privilege escalation via overlayfs 2016-11-01 12:46:40 -05:00
h00die 0d1fe20ae5 revamped 2016-10-15 20:57:31 -04:00
h00die 12493d5c06 moved c code to external sources 2016-10-13 20:37:03 -04:00
RageLtMan 36b989e6d7 Initial import of .NET compiler and persistence
Add Exploit::Powershell::DotNet namespace with compiler and
runtime elevator.

Add compiler modules for payloads and custom .NET code/blocks.

==============

Powershell-based persistence module to compile .NET templates
with MSF payloads into binaries which persist on host.
Templates by @hostess (way back in 2012).

C# templates for simple binaries and a service executable with
its own install wrapper.

==============

Generic .NET compiler post module

Compiles .NET source code to binary on compromised hosts.
Useful for home-grown APT deployment, decoy creation, and other
misdirection or collection activities.

Using mimikatz (kiwi), one can also extract host-resident certs
and use them to sign the generated binary, thus creating a
locally trusted exe which helps with certain defensive measures.

==============

Concept:

Microsoft has graciously included a compiler in every modern
version of Windows. Although executables which can be easily
invoked by the user may not be present on all hosts, the
shared runtime of .NET and Powershell exposes this functionality
to all users with access to Powershell.

This commit provides a way to execute the compiler entirely in
memory, seeking to avoid disk access and the associated forensic
and defensive measures. Resulting .NET assemblies can be run
from memory, or written to disk (with the option of signing
them using a pfx cert on the host). Two basic modules are
provided to showcase the functionality and execution pipeline.

Usage notes:

Binaries generated this way are dynamic by nature and avoid sig
based detection. Heuristics, sandboxing, and other isolation
mechanisms must be defeated by the user for now. Play with
compiler options, included libraries, and runtime environments
for maximum entropy before you hit the temmplates.

Defenders should watch for:
Using this in conjunction with WMI/PS remoting or other MSFT
native distributed execution mechanism can bring malware labs
to their knees with properly crafted templates.
The powershell code to generate the binaries also provides a
convenient method to leave behind complex trojans which are not
yet in binary form, nor will they be until execution (which can
occur strictly in memory avoiding disk access for the final
product).

==============

On responsible disclosure: I've received some heat over the years
for prior work in this arena. Everything here is already public,
and has been in closed PRs in the R7 repo for years. The bad guys
have had this for a while (they do their homework religiously),
defenders need to be made aware of this approach and prepare
themselves to deal with it.
2016-10-08 14:05:53 -05:00
OJ 0e82ced082
Add LPE exploit module for the capcom driver flaw
This commit includes:

* RDI binary that abuses the SMEP bypass and userland function pointer
  invocation that is provided by the driver.
* Related metasploit module.
* Associated make.build to build from command line.
* Updated command line build file.

This also includes the beginnings of a new set of functions that help
with the management/automation of kernel-related work on Windows for
local priv esc exploits.
2016-09-27 22:37:45 +10:00
William Webb 21e6211e8d add exploit for cve-2016-0189 2016-08-01 13:26:35 -05:00
Pearce Barry 7b1d9596c7
Land #7068, Introduce 'mettle' - new POSIX meterpreter 2016-07-11 22:38:40 -05:00
William Webb b4b3a84fa5 refactor ms16-016 code 2016-07-05 20:50:43 -05:00
Adam Cammack 0390ed4d6e Add MIPS O32 Linux support (big and little endian) 2016-07-05 11:24:54 -05:00
Adam Cammack 8de508c4e0 Add mettle module for ARM 2016-07-05 11:24:54 -05:00
EarthQuake 3147553d4f armeb comments modified 2016-06-10 19:59:59 +02:00
EarthQuake 26680f58ca Original shellcode added for Linux ARM big endian bind ipv4 tcp 2016-06-10 19:19:16 +02:00
James Lee f1857d6350
Kill defanged mode 2016-03-28 09:02:07 -05:00
Brent Cook 6eda702b25
Land #6292, add reverse_tcp command shell for Z/OS (MVS) 2015-12-23 14:11:37 -06:00
Brent Cook 5a19caf10a remove temp file 2015-12-23 11:42:09 -06:00
dmohanty-r7 eb4611642d Add Jenkins CLI Java serialization exploit module
CVE-2015-8103
2015-12-11 14:57:10 -06:00
jvazquez-r7 bb3a3ae8eb
Land #6176, @ganzm's fix for 64 bits windows loadlibrary payload 2015-12-01 13:18:41 -06:00
Bigendian Smalls 09d63de502
Added revshell shellcode source
Put shell_reverse_tcp.s shellcode source for mainframe reverse shell
into external/source/shellcode/mainframe
2015-12-01 08:26:42 -06:00
Brent Cook 1b951b36fe remove -db / -pcap / -all gemspecs, merge into one 2015-11-11 15:01:50 -06:00
William Vu e6202e3eda Revert "Land #6060, Gemfile/gemspec updates"
This reverts commit 8f4046da40, reversing
changes made to 2df149b0a5.
2015-11-08 19:32:15 -06:00
Brent Cook 7c7eb06058 remove unused kissfft library 2015-11-04 08:35:45 -06:00
Matthias Ganz 4eaf1ace81 Bugfix loading address of library path into rcx
The old code breaks if the payload is executed from a memory area where the 4 most significant bytes are non-zero.
2015-11-02 16:56:07 +01:00
William Vu 77fae28cd4 Add -q option to msfd to disable banner 2015-10-07 01:57:58 -05:00