4406972b46
Do version checking minor cleanup
2014-10-27 09:32:42 -05:00
c319ea91b3
Delete verbose print
2014-10-26 17:31:19 -05:00
34697a2240
Delete 'callback3' also from 32 bits version
2014-10-26 17:28:35 -05:00
7416c00416
Initial addition of x64 target for cve-2014-4113
2014-10-26 16:54:42 -04:00
a75186d770
Add module for CVE-2014-4113
2014-10-23 18:51:30 -05:00
35d3bbf74d
Fix up comment splats with the correct URI
...
See the complaint on #4039 . This doesn't fix that particular
issue (it's somewhat unrelated), but does solve around
a file parsing problem reported by @void-in
2014-10-17 11:47:33 -05:00
9f6008e275
A couple OSVDB updates for recent modules
2014-10-14 13:39:36 -05:00
4f8801eeba
Land #3651 , local Bluetooth exploit a @KoreLogic
...
This started life as #3653 . I'll take this out of unstable as well,
since it got there on commit b10cbe4f
2014-10-14 13:13:34 -05:00
7dd6a4d0d9
Merge in changes from @todb-r7.
2014-10-08 13:25:44 -04:00
b17396931f
Fixes #3876 - Move pxeexploit to local directory
2014-09-30 17:16:13 -05:00
d5959d6bd6
Land #2585 , Refactor Bypassuac with Runas Mixin
2014-09-28 09:24:22 +01:00
9d3d25a3b3
Solve conflicts
2014-08-28 10:19:12 -05:00
d2bc0baa87
Merge remote-tracking branch 'upstream/master' into extapi_service_post
...
Conflicts:
lib/msf/core/post/windows/services.rb
2014-08-24 19:46:19 +01:00
cad281494f
Minor caps, grammar, desc fixes
2014-08-18 13:35:34 -05:00
0cc3bdfb35
Moar bad packs
2014-08-15 21:11:37 +01:00
b55f425ec0
Merge in changes from @todb-r7.
2014-08-14 17:22:07 -04:00
f91116a8e8
Land #3634 - Virtual box 3D Acceleration OpenGL Host escape
2014-08-13 20:08:13 -05:00
127d094a8d
Dont share once device is opened
2014-08-13 16:13:38 -05:00
05a198bc96
Correct spelling
2014-08-13 14:06:25 +01:00
4a01c27ed4
Use get_env and good pack specifier
2014-08-13 10:59:22 +01:00
da4b572a0d
Change module name
2014-08-12 17:17:26 -05:00
3eccc12f50
Switch from vprint to print
2014-08-12 17:11:24 -05:00
f203fdebcb
Use Msf::Exploit::Local::WindowsKernel
2014-08-12 17:09:39 -05:00
e1debd68ad
Merge to update
2014-08-12 16:21:39 -05:00
183b27ee27
There is only one target
2014-08-12 16:14:41 -05:00
c8e4048c19
Some style fixes
2014-08-12 16:11:31 -05:00
ea3d2f727b
Dont fail_with while checking
2014-08-12 16:09:59 -05:00
486b5523ee
Refactor set_version
2014-08-09 02:17:07 -05:00
d959affd6e
Delete debug message
2014-08-09 01:58:42 -05:00
da04b43861
Add module for CVE-2014-0983
2014-08-09 01:56:38 -05:00
b602e47454
Implement improvements based on feedback
2014-08-05 21:24:37 -07:00
9cd6353246
Update mqac_write to use the mixin and restore pointers
2014-08-04 12:15:39 -07:00
a523898909
Apply rubocop suggestions for ms_ndproxy
2014-08-04 11:49:01 -07:00
86e2377218
Switch ms_ndproxy to use the new WindowsKernel mixin
2014-08-04 11:49:01 -07:00
58d29167e8
Refactor MS11-080 to use the mixin and for style
2014-08-04 11:49:01 -07:00
6c2b8f54cf
rubocop cleanup, long lines, etc
2014-08-03 23:19:08 -05:00
2b021e647d
Minor tidies to conform to standards
2014-08-03 23:19:08 -05:00
31c51eeb63
Move error messages to `check`
2014-08-03 23:19:08 -05:00
cbf15660bf
Add some small fixes to the MQAC local exploit
...
* Check for `INVALID_HANDLE_VALUE` when attempting to open the
device, as this is what is returned when the device doesn't exist.
* Make sure that we only run the exploit against tartgets that we
support directly to make sure we don't BSOD machines (such as what
happens with SP1/SP2).
* Add a call to `check` in the exploit code.
2014-08-03 23:19:08 -05:00
add5cefe17
Change runas method to use lib
...
Changed runas method to use the new runas lib. Also did some rubocop
changes.
2014-08-01 17:13:24 -07:00
df98098b0c
New shell_execute_option command
...
Also removed upload option
2014-08-01 17:12:04 -07:00
5c2b074264
Matched bypassuac to upstream
2014-08-01 14:40:23 -07:00
def652a50e
Merge https://github.com/rapid7/metasploit-framework into bypassuac/psh_option
2014-08-01 14:32:55 -07:00
15c1ab64cd
Quick rubocop
2014-07-31 23:11:00 +01:00
d336c56b99
Merge remote-tracking branch 'upstream/master' into land_2551
2014-07-31 23:06:37 +01:00
53b66f3b4a
Land #2075 , Powershell Improvements
2014-07-31 00:49:39 +01:00
e00d892f99
rubocop cleanup, long lines, etc
2014-07-28 22:04:45 -05:00
210342df5b
Minor tidies to conform to standards
2014-07-25 09:32:54 +10:00
9fe2dd59aa
Move error messages to `check`
2014-07-25 07:57:09 +10:00
3ec30bdf78
Add some small fixes to the MQAC local exploit
...
* Check for `INVALID_HANDLE_VALUE` when attempting to open the
device, as this is what is returned when the device doesn't exist.
* Make sure that we only run the exploit against tartgets that we
support directly to make sure we don't BSOD machines (such as what
happens with SP1/SP2).
* Add a call to `check` in the exploit code.
2014-07-24 14:48:29 +10:00
042278ed6a
Update code to reflect @OJ code suggestions
2014-07-23 11:01:43 -04:00
534a5d964b
Add CVE-2014-4971 BthPan local privilege escalation
...
Add CVE-2014-4971 BthPan local privilege escalation for Windows XP SP3
2014-07-22 18:17:06 -04:00
0db3a0ec97
Update code to reflect @jlee-r7's code review
2014-07-22 15:14:24 -04:00
125b2df8f5
Update code to reflect @hdmoore code suggestions
2014-07-22 14:53:24 -04:00
7f79e58e7f
Lots and cleanups based on PR feed back
2014-07-22 14:45:00 -04:00
5d9c6bea9d
Fix a typo and use the execute_shellcode function
2014-07-22 13:06:57 -04:00
12904edf83
Remove unnecessary target info and add url reference
2014-07-22 11:20:07 -04:00
ca0dcf23b0
Add a simple check method for cve-2014-4971
2014-07-22 10:54:10 -04:00
6a545c2642
Clean up the mqac escalation module
2014-07-22 10:39:34 -04:00
da4eb0e08f
First commit of MQAC arbitrary write priv escalation
2014-07-22 10:04:12 -04:00
b0a596b4a1
Update newer modules
2014-07-20 21:59:10 +01:00
474ee81807
Merge remote-tracking branch 'upstream/master' into pr2075
2014-07-20 21:01:54 +01:00
2be6eb16a2
Add in exploit check and version checks
...
Move the initial checking for the vboxguest device and os checks
into the MSF check routine.
2014-07-17 14:56:34 -04:00
25f74b79b8
Land #3484 , bad pack/unpack specifier fix
2014-07-16 14:52:23 -05:00
7583ed4950
Merge remote-tracking branch 'upstream/master' into pr2075
2014-07-16 20:34:34 +01:00
6d49f6ecdd
Update code to reflect hdmoore's code review.
2014-07-16 14:29:17 -04:00
cef2c257dc
Add CVE-2014-2477 local privilege escalation
2014-07-16 05:49:19 -04:00
05c9757624
Merge in #3488
2014-07-04 20:37:09 +01:00
21f6e7bf6c
Change description
2014-07-01 10:44:21 -05:00
c9b6c05eab
Fix improper use of host-endian or signed pack/unpack
...
Note that there are some cases of host-endian left, these
are intentional because they operate on host-local memory
or services.
When in doubt, please use:
```
ri pack
```
2014-06-30 02:50:10 -05:00
ce5d3b12e7
Land #3403 - MS13-097 Registry Symlink IE Sandbox Escape
2014-06-26 13:48:28 -05:00
0b6f7e4483
Land #3404 - MS14-009 .NET Deployment Service IE Sandbox Escape
2014-06-26 11:45:47 -05:00
a081beacc2
Use Gem::Version for string versions comparison
2014-06-20 09:44:29 -05:00
5879ca3340
Merge branch 'upstream/master' into meatballs x64_injection
2014-06-18 10:24:33 +10:00
d5b32e31f8
Fix a typo where platform was 'windows' not 'win'
...
This was reported by dracu on freenode
2014-06-11 15:10:33 -05:00
43699b1dfb
Don't clean env variable before using it
2014-06-03 09:56:19 -05:00
b8a2cf776b
Do test
2014-06-03 09:52:01 -05:00
05ed2340dc
Use powershell
2014-06-03 09:29:04 -05:00
f918bcc631
Use powershell instead of mshta
2014-06-03 09:01:56 -05:00
9574a327f8
use the new check also in exploit()
2014-06-02 14:38:33 -05:00
3c38c0d87c
Dont be confident about string comparision
2014-06-02 14:37:29 -05:00
d0241cf4c1
Add check method
2014-06-02 08:14:40 -05:00
31af8ef07b
Check .NET version
2014-06-01 20:58:08 -05:00
3c5fae3706
Use correct include
2014-06-01 11:51:06 +01:00
4801a7fca0
Allow x86->x64 injection
2014-06-01 11:50:13 +01:00
3ae4a16717
Clean environment variables
2014-05-30 12:21:23 -05:00
b99b577705
Clean environment variable
2014-05-30 12:20:00 -05:00
b27a95c008
Delete unused code
2014-05-30 12:08:55 -05:00
e215bd6e39
Delete unnecessary code and use get_env
2014-05-30 12:07:59 -05:00
1dbd36a3dd
Check for the .NET dfsvc and use %windir%
2014-05-30 09:02:43 -05:00
ffbcbe8cc1
Use cmd_psh_payload
2014-05-29 18:12:18 -05:00
03889ed31f
Use cmd_psh_payload
2014-05-29 18:11:22 -05:00
e145298c13
Add module for CVE-2014-0257
2014-05-29 11:45:19 -05:00
6e122e683a
Add module for CVE-2013-5045
2014-05-29 11:42:54 -05:00
52b182d212
Add a small note to bypassuac_injection concerning EXE::Custom
2014-05-19 22:00:35 +01:00
b84379ab3b
Note about EXE::Custom
2014-05-19 22:00:09 +01:00
c97c827140
Adjust desc and ranking on ms13-053
...
Since it's likely to crash winlogin.exe in the normal use case
(eventually), I've kicked this down to Average ranking.
2014-05-05 13:46:19 -05:00
0db22c5c57
Use library method
2014-05-05 13:24:33 +01:00
c474ff4465
Merge remote-tracking branch 'upstream/master' into extapi_service_post
...
Conflicts:
modules/exploits/windows/local/service_permissions.rb
modules/post/windows/manage/rpcapd_start.rb
2014-05-05 13:19:25 +01:00
7e37939bf2
Land #3090 - Windows NTUserMessageCall Win32k Kernel Pool Overflow (Schlamperei)
2014-05-04 16:41:17 +10:00
56c5eac823
Message correction
2014-05-02 14:18:18 +01:00
69915c0de5
Message correction
2014-05-02 14:17:27 +01:00
8b138b2d37
Fix unquoted path in cleanup script
2014-04-30 16:34:33 -05:00
6b740b727b
Changes PATH to proper case
...
This changes PATH to Path
2014-04-30 17:26:36 -04:00
fdc81b198f
Adds the ability to specify path
...
This update allows an explicit path to be set rather
than purely relying on the TEMP environment variable.
2014-04-30 16:08:48 -04:00
d73854ff17
Fix wmi and add automatic target
2014-04-22 14:28:27 +01:00
3019cb99c1
Update cmd_upgrade module
2014-04-19 19:13:48 +01:00
00234aeec3
Remove powershell remoting
2014-04-19 19:03:18 +01:00
5c3289bbc6
merge fix
2014-04-17 21:26:04 -04:00
38d8df4040
Merge remote-tracking branch 'upstream/master' into pr2075
...
Conflicts:
modules/exploits/windows/local/wmi.rb
2014-04-15 22:06:45 +01:00
062175128b
Update @Meatballs and @FireFart in authors.rb
2014-04-09 10:46:10 -05:00
d7ca537a41
Microsoft module name changes
...
So after making changes for MSIE modules (see #3161 ), I decided to
take a look at all MS modules, and then I ended up changing all of
them. Reason is the same: if you list modules in an ordered list
, this is a little bit easier to see for your eyes.
2014-03-28 20:56:53 -05:00
b524507e4e
Merge remote-tracking branch 'upstream/master' into land_2551
...
Conflicts:
modules/exploits/windows/local/ask.rb
2014-03-22 18:14:45 +00:00
7b2f0a64fc
Tidy up
2014-03-22 18:07:57 +00:00
04506d76f3
Dont check for admin
2014-03-22 17:57:27 +00:00
409787346e
Bring build tools up to date, change some project settings
...
This commit brings the source into line with the general format/settings
that are used in other exploits.
2014-03-14 22:57:16 +10:00
41720428e4
Refactoring exploit and adding build files for dll.
2014-03-12 10:25:52 +00:00
3ea3968d88
Merge branch 'upstream/master' into stop_abusing_expand_path
...
Conflicts:
lib/msf/core/post/windows/shadowcopy.rb
modules/exploits/windows/local/bypassuac.rb
modules/post/windows/gather/wmic_command.rb
modules/post/windows/manage/persistence.rb
2014-03-11 23:13:39 +10:00
257c121c75
Adding MS013-058 for Windows7 x86
2014-03-06 20:34:01 +00:00
2a1e96165c
Adding MS013-058 for Windows7 x86
2014-03-06 18:39:34 +00:00
a1aef92652
Land #2431 - In-memory bypass uac
2014-03-05 11:15:54 +10:00
32d83887d3
Merge remote-tracking branch 'upstream/master' into wmic_post
2014-03-03 21:56:31 +00:00
2885ebcb40
Merge remote-tracking branch 'upstream/master' into pr2075
2014-03-02 20:57:02 +00:00
b952b103bd
cleanup tior and .tmp files
...
bypassuac module now also cleans
the tior.exe and all the .tmp files so we have a
clean environemnt afterwards
2014-02-27 13:18:34 -06:00
f66709b5bb
make bypassuac module clean itself up
...
since the IO redirection hangs our original process
we have the moudle wait for the session then kills
the spawning process and delete the exe we dropped
2014-02-27 12:54:40 -06:00
a8e0c3c255
remove copypasta mistake
2014-02-27 10:05:53 -06:00
96b611104e
cleanup methods in bypassuac module
...
apply the same sort of method cleanup as in
Meatballs injection based module.
2014-02-26 11:00:55 -06:00
6127ff92ce
Fix race condition
...
Wait for Sysprep to ExitProcess before cleaning up the DLLs...
2014-03-03 23:41:25 +00:00
d396be963a
Use new cmd_exec_get_pid
2014-02-28 20:53:13 +00:00
2a6258be15
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
...
Conflicts:
external/source/exploits/make.bat
2014-02-28 20:26:24 +00:00
e0fa1d532c
Dont think this works on vista/8
2014-02-26 23:14:17 +00:00
8bdb22aeb9
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
...
Conflicts:
lib/msf/core/post/windows.rb
2014-02-25 22:15:05 +00:00
1f08ad48a4
Fix payload_path method
2014-02-25 22:11:23 +00:00
6687ef80ee
Further bypassuac tidies
...
Dont rescue Exception
Use ReflectiveDLLInjection post mixin
Dont keep retrieving %TEMP% path
2014-02-25 22:03:01 +00:00
23381ea2cb
code tidying
...
break big exploit method up into
smaller methods for better maintainability
2014-02-25 14:07:48 -06:00
4c557a1401
Add Post::Windows::Services#each_service
...
Also cleans up some style issues and adds yardoc comments for some stuff
in Post::File
Note that windows/local/service_permissions is still using
`service_list` because it now builds a Rex::Table, which has to have
all the data up front, anyway.
2014-02-18 18:24:23 -06:00
684c45a5ff
Merge remote-tracking branch 'upstream/pr/2766' into merge-2766
2014-02-18 17:36:13 -06:00
b8b36ef528
Merge remote-tracking branch 'upstream/master' into pr2075
2014-02-14 22:52:55 +00:00
b453362a52
Merge remote-tracking branch 'upstream/pr/2966' into integrate_with_meatballs
2014-02-12 16:43:30 -05:00
3d4d5a84b6
Land #2957 , @zeroSteiner's exploit for CVE-2013-3881
2014-02-10 13:59:45 -06:00
502dbb1370
Add references
2014-02-10 13:55:02 -06:00
abb03d0bbe
Fixing messages
2014-02-10 13:10:42 -06:00
541bb6134e
Change exploit filename
2014-02-10 13:06:23 -06:00
2e130ce843
Make it work with Reader Sandbox
2014-02-10 13:04:13 -06:00
7c43565ea8
Include missing require for powershell
2014-02-10 11:02:53 -06:00
0ac1acda70
Upgrade toolchain to Visual Studio 2013 v120.
2014-02-10 09:35:07 -05:00
a4b451dbc0
Ensure we start in a new conhost/process
2014-02-09 23:36:25 +00:00
aa93299931
Sleep instead of noexit
2014-02-09 23:19:14 +00:00
b79bb4726d
Go for background approach
2014-02-09 19:41:24 +00:00
038aae5adb
Run as jobs
2014-02-09 19:30:16 +00:00
1c169e2935
Uniq results
2014-02-09 17:52:06 +00:00
2cea90f931
Working remoting
2014-02-09 17:43:44 +00:00
f1959f5313
Fixup WMI
2014-02-09 11:18:15 +00:00
c37cb5075c
Merge remote-tracking branch 'upstream/master' into pr2075
2014-02-08 22:11:31 +00:00
f686385349
Remove an unnecessary VS file and modify version check.
2014-02-07 08:45:51 -05:00
cc32c877a9
Add CVE-2013-3881 win32k Null Page exploit
2014-02-06 17:23:38 -05:00
08493f2670
Merge remote-tracking branch 'upstream/master' into upgrade_psh
...
Conflicts:
lib/msf/core/post/file.rb
2014-02-03 18:02:09 +00:00
95eb758642
Initial commit
2014-02-02 19:04:38 +00:00
cdc425e4eb
Update some checks
2014-01-24 12:08:23 -06:00
e5dc6a9911
Update exploit checks
...
Progress group 1: Making sure these checks comply with the new
guidelines. Please read: "How to write a check() method" found in
the wiki.
2014-01-20 14:26:10 -06:00
c426946886
Final tidyups
2014-01-03 15:55:03 +00:00
9028060f7d
Refactor service_create
2014-01-03 15:44:59 +00:00
5adc9e93f4
Merge remote-tracking branch 'upstream/master' into extapi_service_post
2014-01-03 14:39:55 +00:00
9fb081cb2d
Add getenvs, update getenv, change extract_path use
...
Stacks of modules were using `extract_path` where it wasn't really semantically correct
because this was the only way to expand environment variables. This commit fixes that
up a bit.
Also, I changed the existing `getenv` function in `stdapi` to `getenvs`, and had it
support the splat operator. I added a `getenv` function which is used just for a
single variable and uses `getenvs` behind the scenes.
The meterpreter console `getenv` command now uses `getenvs`
2013-12-19 11:54:34 +10:00
4bddd077ec
Land #2762 - Use new ntdll railgun functions
2013-12-18 15:18:47 -06:00
3e54379b0e
Merge remote-tracking branch 'upstream/master' into wmic_post
...
Conflicts:
lib/msf/core/post/windows.rb
2013-12-18 13:40:54 +00:00
c3aee714af
shadowcopy should use service_restart
2013-12-18 12:12:34 +00:00
42bc5ab75f
Use Services calls in enable_rdp
...
Update calls to change_service_config to check success
2013-12-18 11:34:12 +00:00
55a5a7e032
Fix typo
2013-12-18 11:06:03 +00:00
bce7fab2cd
Fixup IKEEXT
2013-12-18 00:08:01 +00:00
0bac2415ca
Some post testing fixes
...
Also deprecate net escalate as it is covered by service_permissions
as a generic exploit
2013-12-18 00:00:14 +00:00
067e6d89bb
Use service_restart in IKEEXT and ServicePermissions
...
Service_restart is aggressive so should attempt to leave as Auto
2013-12-17 17:21:35 +00:00
52cb43e6a8
Fix typo
2013-12-16 20:28:49 -06:00
c2dd174e3c
Merge remote-tracking branch 'upstream/master' into extapi_service_post
2013-12-17 01:54:24 +00:00
a33721f444
service_change_config keys should match extapi
2013-12-17 01:48:09 +00:00
101e5a8ccf
Tidyup trusted_service_path
...
Use filedropper, use service exe, dont migrate
2013-12-17 01:46:45 +00:00
560080fa21
Update start_service return value
...
Add service_restart
2013-12-17 00:43:35 +00:00
f39bc0b07a
Update service_stop return
2013-12-17 00:22:37 +00:00
84759a552a
Save one variable
2013-12-16 16:49:44 -06:00
042bd4f80b
Fix ms_ndproxy to work under a sandboxed Reader
2013-12-16 16:19:17 -06:00
040619c373
Minor description changes
...
No code changes (one comment made on play_youtube to suggest xdg-open
rather than firefox for linux targets).
2013-12-16 14:57:33 -06:00
5be9622782
Tidy and constants
2013-12-16 18:35:24 +00:00
435cc9b93f
Add single quote encapsulation
...
For WMI and psh_web_delivery
2013-12-16 15:13:13 +00:00
b252e7873b
Merge remote-tracking branch 'upstream/master' into pr2075
2013-12-16 14:29:05 +00:00
87fe6ecfaa
Fixup modules
2013-12-15 18:43:55 +00:00
f10a35ed08
Use :display correctly
2013-12-15 18:28:29 +00:00
cd837ebe16
ikeext_service service_info fixup
2013-12-15 18:28:06 +00:00
c89b7cb4ee
nvidia_nvsvc service_info fixup
2013-12-15 18:20:25 +00:00
375103b930
trusted_service_path service_info fixup
2013-12-15 18:15:48 +00:00
7d7495a5dd
Large refactor of service_permissions
2013-12-15 18:00:14 +00:00
fe7852b524
Unworking refactor of serv_perm
2013-12-15 04:02:11 +00:00
2a819d4b08
Tidyup trusted_Path
...
We dont just want to escalate to SYSTEM it would be handy to know
if we can escalate to anything e.g. Domain logins etc.
2013-12-15 04:01:02 +00:00
ddf23ae8e8
Refactor service_list to return array of hashes
...
Update trusted_service_path, service_permissions,
net_runtime_modify and enum_services to handle change.
Refactor enum_services to tidy it up a bit
2013-12-15 03:00:29 +00:00
3dec7f61a5
Check in sysnative if wow64
2013-12-15 01:12:52 +00:00
2dc4faad72
Resplat license
2013-12-15 01:12:51 +00:00
8203274256
Small fixes
...
Remove " from service command if it is quoted.
Spawn SYSWOW64 notepad.
2013-12-15 01:12:51 +00:00
f2e2147065
Change unless with else to if with else
2013-12-15 01:12:50 +00:00
cff7008500
Fix final issues with merge
...
Hopefully this will be the last of the changes.
2013-12-15 01:12:50 +00:00
41c538856a
Re-add RDI mixin changes
2013-12-15 01:12:49 +00:00
db29af0f97
First batch of submodule refactorings
2013-12-15 01:12:48 +00:00
jvazquez-r7
Spencer McIntyre
URI Assassin
Tod Beardsley
Jay Smith
sinn3r
Meatballs
Joshua Smith
OJ
b00stfr3ak
William Vu
HD Moore
kaospunk
RageLtMan
kyuzo
David Maloney
James Lee