Commit Graph

968 Commits (017ae463edf47d228d224fc2dade2063097652c6)

Author SHA1 Message Date
jvazquez-r7 8e547e27b3 Use correct types 2014-10-31 12:37:21 -05:00
OJ cbd616bbf5 A few sneaky style changes, but no functional ones
Changes were purely for style, and Juan was happy to let me make them
as part of the merge.
2014-10-31 09:08:11 +10:00
jvazquez-r7 6574db5dbb Fix the 64 bits code 2014-10-30 17:01:59 -05:00
jvazquez-r7 03a84a1de3 Search the AccessToken 2014-10-30 12:17:03 -05:00
OJ 908094c3d3 Remove debug, treat warnings as errors 2014-10-28 09:04:02 +10:00
OJ 0a03b2dd48 Final code tidy 2014-10-28 08:59:33 +10:00
OJ 6f3b373f01 More code tidy and unifying of stuff 2014-10-28 08:37:49 +10:00
OJ 0e761575c8 More code tidying, reduced x64/x86 duplication 2014-10-28 08:09:18 +10:00
OJ 062eff8ede Fix project settings, make files, start tidying of code 2014-10-28 07:58:19 +10:00
Spencer McIntyre d6a63ccc5e Remove unnecessary C debugging code for the exploit 2014-10-27 11:24:23 -04:00
Spencer McIntyre 46b1abac4a More robust check routine for cve-2014-4113 2014-10-27 11:19:12 -04:00
jvazquez-r7 4406972b46 Do version checking minor cleanup 2014-10-27 09:32:42 -05:00
jvazquez-r7 0aaebc7872 Make GetPtiCurrent USER32 independent 2014-10-26 18:51:02 -05:00
jvazquez-r7 34697a2240 Delete 'callback3' also from 32 bits version 2014-10-26 17:28:35 -05:00
Spencer McIntyre 7416c00416 Initial addition of x64 target for cve-2014-4113 2014-10-26 16:54:42 -04:00
jvazquez-r7 d8eaf3dd65 Add exploit source code 2014-10-23 18:59:58 -05:00
HD Moore 8cca4d7795 Fix the makefile to use the right directory
Reported by severos on IRC, the current output
class is in the right place, but the makefile
was broken.
2014-08-03 13:38:15 -05:00
sinn3r ce5d3b12e7
Land #3403 - MS13-097 Registry Symlink IE Sandbox Escape 2014-06-26 13:48:28 -05:00
sinn3r 0b6f7e4483
Land #3404 - MS14-009 .NET Deployment Service IE Sandbox Escape 2014-06-26 11:45:47 -05:00
Meatballs 25ed68af6e
Land #3017, Windows x86 Shell Hidden Bind
A bind shellcode that responds as 'closed' unless the client matches the
AHOST ip.
2014-06-08 13:49:49 +01:00
Meatballs bf1a665259
Land #2657, Dynamic generation of windows service executable functions
Allows a user to specify non service executables as EXE::Template as
long as the file has enough size to store the payload.
2014-06-07 13:28:20 +01:00
jvazquez-r7 443f9f175c Update IE11Sandbox exploit source 2014-06-03 09:58:07 -05:00
jvazquez-r7 372a12b966 Restore make.msbuild permissions 2014-06-03 09:07:34 -05:00
jvazquez-r7 98a06b3d72 Restore make.msbuild 2014-06-03 09:05:26 -05:00
jvazquez-r7 f918bcc631 Use powershell instead of mshta 2014-06-03 09:01:56 -05:00
jvazquez-r7 f6862cd130 Land @OJ's updated meterpreter binaries 2014-05-30 20:27:28 -05:00
OJ d2b8706bd6
Include meterpreter bins, add Sandbox builds
This commit contains the binaries that are needed for Juan's sandbox
escape functionality (ie. the updated old libloader code). It also
contains rebuilt binaries for all meterpreter plugins.

I've also added command line build scripts for the sandbox escapes
and added that to the "exploits" build.
2014-05-31 08:12:34 +10:00
jvazquez-r7 c1368dbb4c Use %windir% 2014-05-30 09:06:41 -05:00
jvazquez-r7 75777cb3f9 Add IE11SandboxEscapes source 2014-05-29 11:38:43 -05:00
Florian Gaultier bb4e9e2d4d correct error in block service_change_description 2014-05-13 16:04:39 +02:00
Florian Gaultier 6332957bd2 Try to add SERVICE_DESCRIPTION options to psexec, but it doesn't seem to work... 2014-05-13 16:04:39 +02:00
Florian Gaultier bdbb70ab71 up block_service_stopped.asm 2014-05-13 16:04:39 +02:00
Florian Gaultier e269c1e4f1 Improve service_block with service_stopped block to cleanly terminate service 2014-05-13 16:04:38 +02:00
Florian Gaultier c43e3cf581 Improve block_create_remote_process to point on shellcode everytime 2014-05-13 16:04:38 +02:00
Florian Gaultier 25d48b7300 Add create_remote_process block, now used in exe_service generation 2014-05-13 16:04:38 +02:00
Florian Gaultier 0bdf7904ff Change author of single_service_stuff.asm 2014-05-13 16:04:38 +02:00
Florian Gaultier 513f3de0f8 new service exe creation refreshed 2014-05-13 16:04:36 +02:00
jvazquez-r7 58c46cc73d Add compilation instructions for the AS 2014-05-08 16:48:42 -05:00
jvazquez-r7 5fd732d24a Add module for CVE-2014-0515 2014-05-07 17:13:16 -05:00
sinn3r 6bfc9a8aa0
Land #3333 - Adobe Flash Player Integer Underflow Remote Code Execution 2014-05-05 10:39:26 -05:00
OJ 7e37939bf2
Land #3090 - Windows NTUserMessageCall Win32k Kernel Pool Overflow (Schlamperei) 2014-05-04 16:41:17 +10:00
jvazquez-r7 b4c7c5ed1f Add module for CVE-2014-0497 2014-05-03 20:04:46 -05:00
Meatballs 850f6b0276
Address OJ's comments 2014-05-02 13:33:55 +01:00
jvazquez-r7 60e7e9f515 Add module for CVE-2013-5331 2014-04-27 10:40:46 -05:00
sinn3r 5c0664fb3b
Land #3292 - Mac OS X NFS Mount Privilege Escalation Exploit 2014-04-24 13:43:20 -05:00
Joe Vennix 143aede19c
Add osx nfs_mount module. 2014-04-23 02:32:42 -05:00
jvazquez-r7 acb12a8bef Beautify and fix both ruby an AS 2014-04-17 23:32:29 -05:00
jvazquez-r7 abd76c5000 Add module for CVE-2014-0322 2014-04-15 17:55:24 -05:00
OJ 409787346e
Bring build tools up to date, change some project settings
This commit brings the source into line with the general format/settings
that are used in other exploits.
2014-03-14 22:57:16 +10:00
Tod Beardsley 520d1e69c4
Rapid7 Comma Inc
After some more discussion with Rapid7's legal fellow.
2014-03-13 09:46:20 -05:00
Tod Beardsley 9d4ceaa3a0
Let's try to be consistent about Rapid7 Inc.
According to

http://www.sec.gov/Archives/edgar/data/1560327/000156032712000001/0001560327-12-000001.txt

Rapid7 is actually "Rapid7 Inc" not "Rapid7, LLC" any more.

This does not address the few copyright/license statements around
"Metasploit LLC," whatever that is.
2014-03-12 11:20:17 -05:00
kyuzo 41720428e4 Refactoring exploit and adding build files for dll. 2014-03-12 10:25:52 +00:00
root 1fda6b86a1 Changed cmp eax by inc eax. Saved one byte 2014-03-10 12:13:10 +01:00
kyuzo 2a1e96165c Adding MS013-058 for Windows7 x86 2014-03-06 18:39:34 +00:00
somename11111 99cd36c036 Fix description of Input 2014-03-06 03:16:55 +01:00
somename11111 689523a26f Clean Code based on jlee-r7's comments
- Put allocations in loop

- Decomment exitfunc

- Aligned comments

- Some more code cleaning
2014-03-06 02:44:24 +01:00
somename11111 83929facc4 Fix bug on Windows XP
Correct the addresses of functions in pstorec.dll.

Successfully tested on Server 2003 and XP.
2014-03-06 02:35:44 +01:00
somename11111 4aca648faf Correct file information 2014-03-06 02:35:36 +01:00
somename11111 ba31e304b5 Clean the code
Remove debugging functions from block_get_pstore_proxy_auth.asm.
Reduce allocation size to 1kB.
2014-03-06 02:35:25 +01:00
somename11111 b6b46abe9f Add new stager stager_reverse_http_proxy_pstore
This stager looks for proxy credentials in windows protected storage. If it finds proxy credentials, it will use them to connect back. If it does not find credentials, it will do the same as stager_reverse_http.

Works on:

- Windows Server 2003

- Windows XP

- Internet Explorer versions 4 to 6
2014-03-06 02:35:12 +01:00
Meatballs 7877589537
Delete correctly 2014-02-23 02:47:13 +00:00
Meatballs 6127ff92ce
Fix race condition
Wait for Sysprep to ExitProcess before cleaning up the DLLs...
2014-03-03 23:41:25 +00:00
Meatballs 2a6258be15
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
Conflicts:
	external/source/exploits/make.bat
2014-02-28 20:26:24 +00:00
David Maloney 9d9149d9d8
remove some dead code paths
refactor some dead conditionals and a case/switch
that wasn't doing anything
2014-02-27 11:45:57 -06:00
OJ 4b924659b2 Adjust project config
* Remove editbin usage for console apps
* Remove whole program optimisation
2014-02-26 17:14:14 +10:00
OJ 10829299f5 Add make support for command line builds 2014-02-26 16:40:54 +10:00
OJ eb3da1ce87 Editbin and post build steps 2014-02-26 16:36:55 +10:00
OJ 712f47cb4e Remove Palm configuration from bypassuac config 2014-02-26 16:07:22 +10:00
OJ 9159512a3d Fix VS 2013 build, remove old files, rejig project config
This wasn't building cleanly for a few reasons with VS 2013 on my desktop.
This commit fixes this problems with the configuration and makes things fit
with the way we're now doing things (ie. output locations, etc).

Incremental builds are disabled as they were causing problems, but this isn't
a concern for a project as small as this.
2014-02-26 16:05:24 +10:00
OJ d37774e12d Remove ARM config, add build to make for all exploits 2014-02-26 10:57:15 +10:00
Meatballs 8bdb22aeb9
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
Conflicts:
	lib/msf/core/post/windows.rb
2014-02-25 22:15:05 +00:00
David Maloney 289580777c remove unneccsary logging elements
update soloutions for VS2013
remove the CLogger
Remove Print Usage
this removes unneccsary strings that can
be used to easily identify our executable
2014-02-20 20:00:19 -06:00
root b4a22aa25d hidden bind shell payload 2014-02-20 16:19:40 +01:00
jvazquez-r7 1f0020a61c
Land #2946, @jlee-r7's optimization of the x86 block_api code 2014-02-11 15:00:00 -06:00
Spencer McIntyre 0ac1acda70 Upgrade toolchain to Visual Studio 2013 v120. 2014-02-10 09:35:07 -05:00
Spencer McIntyre 01f41a209c Remove the DLL and add make.msbuild for easier compiling. 2014-02-07 10:05:05 -05:00
Spencer McIntyre f686385349 Remove an unnecessary VS file and modify version check. 2014-02-07 08:45:51 -05:00
Spencer McIntyre cc32c877a9 Add CVE-2013-3881 win32k Null Page exploit 2014-02-06 17:23:38 -05:00
James Lee c70680cf1c
Fix infinite-retry bug
Derp, block_api clobbers ecx
2014-02-04 11:59:16 -06:00
James Lee 9c3664bd45
Unify reverse_http and reverse_https
This will make copy-pasta less painful in the future.  There's still the
problem of reverse_https_proxy being very similar, but the logic in how
it gets generated in the module is more than i want to tackle right now
2014-02-04 09:09:12 -06:00
James Lee 6d53570c22
Fix abysmal mixed indentedness. 2014-02-03 11:39:03 -06:00
James Lee c29c6be212 Shave 3 bytes off of block_api 2014-02-03 11:34:41 -06:00
James Lee bfc0ac4dd4 Golf a few bytes off of reverse_http(s) 2014-02-03 11:33:55 -06:00
jvazquez-r7 a056d937e7 Fluch data cache and improve documentation 2014-01-14 14:06:01 -06:00
jvazquez-r7 a8806887e9 Add support for MIPS reverse shell staged payloads 2014-01-14 12:25:11 -06:00
Meatballs ea349e6618
Rm redundant solution file 2013-12-20 16:03:08 +00:00
OJ 0db062a1ce
Merge branch 'meatballs-vncdll-submodule' 2013-12-20 18:29:27 +10:00
OJ 0ebef33345 Quick fix to x64 kitrap0d project
Stops errors on debug builds, not that anyone cares.
2013-12-20 09:51:24 +10:00
OJ 34cdec5155
Update project VS 2013, clean CLI build
* Project system updated to VS 2013.
* Clean builds, had to remove a bunch of warnings.
* `make.bat` for building from the command line.
* Removed RDI stuff that shouldn't be there any more.
* Renamed the x86 DLL to include the platform name.
2013-12-20 09:49:15 +10:00
OJ e22b4ba88c Add make script for nvidia nvsvc 2013-12-15 01:12:49 +00:00
OJ 0c82817445 Final changes before PR 2013-12-15 01:12:49 +00:00
OJ db29af0f97 First batch of submodule refactorings 2013-12-15 01:12:48 +00:00
Meatballs be4dae7db9 Forgot C changes 2013-12-15 01:12:48 +00:00
Meatballs c6623b380a Initial commit 2013-12-15 01:12:45 +00:00
Meatballs ab1ddac0c8
Merge remote-tracking branch 'upstream/master' into submodule
Conflicts:
	external/source/exploits/cve-2013-3660/dll/reflective_dll.vcxproj
2013-12-08 18:25:03 +00:00
Meatballs 496b017e33
Merge remote-tracking branch 'upstream/master' into bypassuac_redo 2013-12-05 17:09:32 +00:00
Meatballs dc0f2b7291
Use ExitProcess 2013-12-05 17:08:47 +00:00
Meatballs 6edd9aa736
Update for new ReflectiveDLL Submodule 2013-11-30 20:12:08 +00:00
Meatballs cf12826d2c
Dont use xp toolchain
and dont bother editbin
2013-11-30 20:04:00 +00:00
Meatballs d3a0199539
Update for new Reflective DLL Submodule
Update to VS2013 Toolsets
Include .msbuild and make.bat
Tidyup of if { }
Post build step to copy to output directory
2013-11-30 19:58:25 +00:00