Commit Graph

21082 Commits (07ab53ab39b0e46a33880bd87f889df3831b1344)

Author SHA1 Message Date
OJ 82162ef486 Add error message support to railgun
This code was lost in the transition when the meterpreter source was
removed from the metasploit-framework source. I'm pulling this in by
request of @dmaloney-r7 who originally requested this code be inculded
as part of https://github.com/rapid7/metasploit-framework/pull/740

I added an extra bit of code to free up memory that is allocated by the
call to FormatMessage and forced the ASCII-version (FormatMessageA) of
the call.

This PR is the MSF side of https://github.com/rapid7/meterpreter/pull/26
2013-10-01 17:23:08 +10:00
sinn3r 7c6c8291e2 Add ROP chains for Office 2007 and Office 2010 (hxds.dll)
This adds two ROP chains for Office 2007 and Office 2010 based on
hxds.dll.
2013-10-01 01:33:35 -05:00
Tod Beardsley 301c370b68 Add William and alphabetize correctly 2013-09-30 17:04:57 -05:00
sinn3r 9abf727fa6 Land #2439 - Update description 2013-09-30 16:03:15 -05:00
sinn3r 7118f7dc4c Land #2422 - rm methods peer & rport
Because they're already defined in the HttpClient mixin
2013-09-30 16:01:59 -05:00
Tod Beardsley 49187e8a31 Alphabetize for real (case insensitive) 2013-09-30 15:23:20 -05:00
Tod Beardsley 9c4510940f Alphabetize 2013-09-30 15:21:09 -05:00
Tod Beardsley 9610f74ff9 Prefer github usernames 2013-09-30 15:19:56 -05:00
Tod Beardsley 96f7ea7b75
Update bperry and chao-mu in .mailmap 2013-09-30 15:16:21 -05:00
Brandon Turner 3cfee5a7c0
Land #2440, remaining tabassassin changes 2013-09-30 14:30:50 -05:00
jvazquez-r7 6c8f86883d
Land #2437, @wchen-r7's exploit for CVE-2013-3893 2013-09-30 14:02:29 -05:00
Tab Assassin 2e8d19edcf Retab all the things (except external/) 2013-09-30 13:47:53 -05:00
Tab Assassin 0ecba377f5 Avoid retabbing things in .git/ 2013-09-30 13:45:34 -05:00
Tod Beardsley 4dc88cf60f Expand descriptions for ease of use. 2013-09-30 13:30:31 -05:00
sinn3r c82ed33a95 Forgot Math.cos() 2013-09-30 13:29:16 -05:00
sinn3r d6cd0e5c67 Tweak for office 2007 setup 2013-09-30 13:27:59 -05:00
sinn3r ecf4e923e8 Change the target address for spray 1 2013-09-30 11:57:59 -05:00
Tod Beardsley 9ada96ac51
Fix sqlmap accidental codepoint
See http://www.ruby-doc.org/core-1.9.3/String.html#method-i-3C-3C

Apparently, String#<< uses Integer#chr, not Integer#to_s. News to me.

Fixed originally by @TsCl in PR #2435, but fixing seperately in order to
avoid screwing up his downstream tracking. Note, this isn't a merge, so
using Closes tag on the commit message.

[Closes #2435]
2013-09-30 11:23:17 -05:00
Tod Beardsley bce2f12375
Land #2436, Fixups to AlwaysInstallElevated 2013-09-30 11:12:06 -05:00
darknight007 f1ab7b51b1 Update ms12_020_maxchannelids.rb
ms12_020_maxchannelids.rb produces a call stack when the connection is timed out. 

To reproduct, just run the module against a system having no RDP enabled.
2013-09-30 13:43:26 +05:00
sinn3r b9aae1c93c Higher address seems better 2013-09-29 18:45:30 -05:00
sinn3r a5ade93ab2 Add CVE-2013-3893 Internet Explorer SetMouseCapture Use-After-Free
This module exploits a use-after-free vulnerability that currents
targets Internet Explorer 9 on Windows 7, but the flaw should exist in
versions 6/7/8/9/10/11. It was initially found in the wild in Japan, but
other regions such as English, Chinese, Korean, etc, were targeted as
well.

The vulnerability is due to how the mshtml!CDoc::SetMouseCapture function
handles a reference during an event. An attacker first can setup two
elements, where the second is the child of the first, and then setup a
onlosecapture event handler for the parent element. The onlosecapture
event seems to require two setCapture() calls to trigger, one for the parent
element, one for the child. When the setCapture() call for the child element
is called, it finally triggers the event, which allows the attacker to cause
an arbitrary memory release using document.write(), which in particular frees
up a 0x54-byte memory. The exact size of this memory may differ based on the
version of IE. After the free, an invalid reference will still be kept and pass
on to more functions, eventuall this arrives in function
MSHTML!CTreeNode::GetInterface, and causes a crash (or arbitrary code execution)
when this function attempts to use this reference to call what appears to be a
PrivateQueryInterface due to the offset (0x00).

To mimic the same exploit found in the wild, this module will try to use the
same DLL from Microsoft Office 2007 or 2010 to leverage the attack.
2013-09-29 18:24:13 -05:00
Meatballs b306415ecf
Tidy and updates to info 2013-09-29 17:32:39 +01:00
Meatballs 29a7059eb4
Update AlwaysInstallElevated to use a generated MSI file
Fixes bugs with MSI::UAC option, invalid logic and typo...
2013-09-29 17:09:03 +01:00
Tod Beardsley 2fb770f73e
Land #1569, MSI payloads
The bins are signed by Meatballs, everything looks good here, so
landing. Thanks for your patience on these!
2013-09-27 16:29:27 -05:00
Tod Beardsley 7cc2ad55a6
Land #1770, unattend.xml snarfing modules 2013-09-27 16:04:38 -05:00
Tod Beardsley 63d638888d Get rid of interior tabs 2013-09-27 16:04:03 -05:00
Tod Beardsley d869b1bb70 Unless, unless everywhere. 2013-09-27 15:55:57 -05:00
Tod Beardsley ae655e42d2 Touchups: boolean check, unless, and TODO comment 2013-09-27 15:54:03 -05:00
Tod Beardsley 37e4d58f4a Call CSV text/plain so it can be viewed normally
Otherwise, things parsing through the loot table will treat it as binary
data, and not display it in a normal texty way, even though it's totally
readable with just a little squinting.
2013-09-27 15:48:48 -05:00
Tod Beardsley 5e77dccd48 Add a ref to an example unattend.xml 2013-09-27 15:45:57 -05:00
Meatballs 8aeb134581
Retab... 2013-09-27 20:40:16 +01:00
Meatballs 6ca01adf1d
Merge branch 'master' into msi_payload
Conflicts:
	lib/msf/util/exe.rb
2013-09-27 20:37:40 +01:00
Meatballs 34c443f346
Forgot msi-nouac 2013-09-27 20:36:00 +01:00
Meatballs c366726d2d
Land #2432, Fix bad tabs
Episode II: Tabassassin strikes again

[Closes #2432]
2013-09-27 20:27:43 +01:00
Meatballs1 7808da04b8 Merge pull request #27 from todb-r7/respec-1770-unattended
Respec 1770 unattended
2013-09-27 12:05:14 -07:00
Meatballs e806047411
Add MSI bins 2013-09-27 20:03:19 +01:00
Meatballs 8a9843cca6
Merge upstream/master 2013-09-27 20:02:23 +01:00
Tabassassin 120cca8bb3 Retab unattended_spec to avoid conflicts 2013-09-27 13:44:33 -05:00
Tab Assassin c94e8a616f Retabbed to catch new bad tabs 2013-09-27 13:34:13 -05:00
Tod Beardsley 5bab85fcda Use a context for #parse 2013-09-27 13:04:18 -05:00
Tod Beardsley 6345fb2788 Use described_class 2013-09-27 12:59:10 -05:00
Meatballs 9fde8bee2b Merge branch 'master' of github.com:rapid7/metasploit-framework into upstream-master 2013-09-27 18:12:17 +01:00
Tod Beardsley 7d9d98c9eb
Land #2421, update to cookie parsing specs 2013-09-27 11:45:33 -05:00
Tod Beardsley 869c10af04
Land #2396, aspx-exe shellcode generator
Looks good to me, specs are all happy (also added a #to_h spec)
2013-09-27 11:42:16 -05:00
Meatballs d66269a559
Land #2428, Updated Meterpreter Bins
Fix crashes for kitrap0d and XPSP0

[Closes #2428]
2013-09-27 17:38:08 +01:00
Tod Beardsley 8f957a5394 Add spec for new #to_h method 2013-09-27 11:27:31 -05:00
Christian Mehlmauer 45f52b580d Merge pull request #3 from todb-r7/pr-2421-more-descriptive-rspec
PR #2421 More descriptive rspec
2013-09-27 08:28:20 -07:00
Tod Beardsley 103a64a32a Indent like a sane person. 2013-09-27 10:22:46 -05:00
Tod Beardsley 623aeb367f Set a context for #get_cookies 2013-09-27 10:12:11 -05:00