Commit Graph

642 Commits (05a91f1d823d43c68c8f5d1aef32b04e8d9473bc)

Author SHA1 Message Date
wchen-r7 a798581fa3 Update #get_dotnet_path 2016-03-01 22:25:40 -06:00
OJ 6d88c26474 Change title, and remove requires 2016-02-18 14:26:38 +10:00
OJ 2ae1e6df7d Address concerns from @wvu-r7 2016-02-18 14:21:35 +10:00
OJ 2f4ec0af31 Add module for AppLocker bypass
This commit includes a new module that allows for payloads to be
uploaded and executed from disk while bypassing AppLocker in the
process. This module is useful for when you're attempting to generate
new shells on the target once you've already got a session. It is also
a handy way of switching between 32 and 64 bit sessions (in the case of
the InstallUtil technique).

The code is taken from Casey Smith's AppLocker bypass research (added in
the references), and includes just one technique at this point. This
technique uses the InstallUtil feature that comes with .NET. Other
techiques can be added at any time.

The code creates a C# file and uploads it to the target. The csc.exe
compiler is used to create a .NET assembly that contains an uninstaller
that gets invoked by InstallUtil behind the scenes. This function is
what contains the payload.

This was tested on Windows 7 x64. It supports running of both 32 and 64
bit payloads out of the box, and checks to make sure that .NET is
installed on the target as well as having a payload that is valid for
the machine (ie. don't run x64 on x86 OSes).

This appears to work fine with both staged and stageless payloads.
2016-02-18 13:46:32 +10:00
wchen-r7 3c72135a2f No to_i
What happens here is it converts to a Fixnum, and then it converts
back to a String anway because it's in a String.
2015-11-18 15:25:18 -06:00
sammbertram a484b318eb Update registry_persistence.rb 2015-11-18 16:13:18 +00:00
sammbertram 1fe8bc9cea Added a SLEEP_TIME option
Added a SLEEP_TIME options which is the number of seconds to sleep prior to executing the initial IEX request. This is useful in cases where a machine would have to establish a VPN connection, initiated by the user, after a reboot. 

Alternatively, as opposed to a sleep time, it could have a loop that attempts to retry for a certain period of item.
2015-11-18 11:17:57 +00:00
wchen-r7 154fb585f4 Remove bad references (dead links)
These links are no longer available. They are dead links.
2015-10-27 12:41:32 -05:00
OJ 7451cf390c Add Windows 10 "support" to bypassuac_injection 2015-10-01 11:16:18 +10:00
wchen-r7 c7afe4f663
Land #5930, MS15-078 (atmfd.dll buffer overflow) 2015-09-16 15:33:38 -05:00
jvazquez-r7 24af3fa12e
Add rop chains 2015-09-15 14:46:45 -05:00
jvazquez-r7 0d52a0617c
Verify win32k 6.3.9600.17837 is working 2015-09-12 15:27:50 -05:00
jvazquez-r7 9626596f85
Clean template code 2015-09-12 13:43:05 -05:00
jvazquez-r7 53f995b9c3
Do first prototype 2015-09-10 19:35:26 -05:00
jvazquez-r7 329e6f4633
Fix title 2015-09-08 15:31:14 -05:00
jvazquez-r7 ef6df5bc26
Use get_target_arch 2015-09-03 16:30:46 -05:00
jvazquez-r7 2588439246
Add references for the win32k info leak 2015-09-03 15:35:41 -05:00
jvazquez-r7 697a6cd335
Rescue the process execute 2015-09-03 13:03:36 -05:00
jvazquez-r7 80a1e32339
Set Manual Ranking 2015-09-03 12:24:45 -05:00
HD Moore 9b51352c62
Land #5639, adds registry persistence 2015-09-03 11:26:38 -05:00
jvazquez-r7 dbe901915e
Improve version detection 2015-09-03 09:54:38 -05:00
jvazquez-r7 de25a6c23c
Add metadata 2015-09-02 18:32:45 -05:00
jvazquez-r7 8f70ec8256
Fix Disclosure date 2015-09-02 18:21:36 -05:00
jvazquez-r7 b912e3ce65
Add exploit template 2015-09-02 17:28:35 -05:00
HD Moore 4090c2c8ea
Land #5880, adds ScriptHost UAC bypass for Win7/2008 2015-09-02 14:14:18 -05:00
Meatballs 582cc795ac
Remove newlines 2015-09-02 19:42:04 +01:00
Meatballs 8f25a006a8
Change to automatic target 2015-09-02 09:13:25 +01:00
wchen-r7 4275a65407 Update local exploit checks to follow the guidelines.
Please see wiki "How to write a check() method" to learn how
these checkcodes are determined.
2015-09-01 23:26:45 -05:00
Meatballs 27775fbe58
Restrict to 7 and 2k8 2015-09-01 22:23:37 +01:00
jvazquez-r7 da4b360202
Fix typo 2015-08-26 15:29:34 -05:00
jvazquez-r7 5d0ed797a3
Update DLL 2015-08-26 15:15:32 -05:00
jvazquez-r7 dd529013f6
Update ruby side 2015-08-26 15:12:09 -05:00
Brent Cook b1ef560264
Merge payload_inject 64-bit inject fix from @Meatballs1 2015-08-24 09:26:00 -05:00
Meatballs 1c91b126f1
X64 compat for payload_inject 2015-08-23 22:03:57 +01:00
Meatballs 228087dced
Initial working scripthost bypass uac 2015-08-23 20:16:15 +01:00
wchen-r7 45c7e4760a Support x64 payloads 2015-08-20 02:09:58 -05:00
Meatballs 6f31183904
Fix VSS Persistance to check integrity level 2015-08-01 23:13:05 +01:00
Meatballs a6a8117e46 Revert "Land #5777, fix #4558 vss_persistence"
This reverts commit ba4b2fbbea, reversing
changes made to affc86bfd9.
2015-08-01 22:35:24 +01:00
jvazquez-r7 1ec960d8f9
Make the time to write flush configurable 2015-07-31 16:43:43 -05:00
jvazquez-r7 bf6975c01a
Fix #4558 by restoring the old wmicexec 2015-07-27 14:04:10 -05:00
Donny Maasland e355e56539 Add check 2015-07-02 10:54:44 +02:00
Donny Maasland 56c3102603 That's what you get for making edits on github.com.. 2015-07-01 17:51:57 +02:00
Donny Maasland 4847fb9830 Add a neater powershell command 2015-07-01 17:47:47 +02:00
Donny Maasland 822a46fee6 Merge branch 'master' of github:dmaasland/metasploit-framework 2015-07-01 17:47:33 +02:00
Donny Maasland 4f72df3202 Create a neater powershell command 2015-07-01 17:47:08 +02:00
Donny Maasland ffe710af2d Update registry_persistence.rb
Omg spaces
2015-07-01 17:21:12 +02:00
Donny Maasland 26e3ec0a5f Add a switch for creating a cleanup rc file 2015-07-01 17:06:16 +02:00
Donny Maasland 20708ebc82 Add a check to prevent accidental deletion of existing registry keys 2015-07-01 16:45:03 +02:00
Donny Maasland 2e48bae71c fixes 2015-07-01 16:15:13 +02:00
Donny Maasland 335487afa0 fixes 2015-07-01 16:09:55 +02:00