Commit Graph

2231 Commits (1276960d8802e6a98662382f858873be48d04efb)

Author SHA1 Message Date
HD Moore 0520d7cf76 First crack at Samba CVE-2017-7494 2017-05-24 19:42:04 -05:00
HD Moore afc804fa03 Quick Ghostscript module based on the public PoC 2017-04-28 09:56:52 -05:00
anhilo f3d6a8c456 split PSModulePath in multi strings with ';'
1、allows the HTA window to be invisible
2017-04-26 11:01:59 +08:00
wchen-r7 5bbb4d755a
Land #8254, Add CVE-2017-0199 - Office Word HTA Module 2017-04-24 16:05:00 -05:00
Brandon Knight c724f0e05d Handle multiple entries in PSModulePath
This commit handles the case where more than one entry exists in
the PSModulePath environment variable. The updated code will loop
through each entry in the PSModulePath checking for the presence of
powershell.exe. When one is encountered it will execute the payload
and exit the for loop.
2017-04-19 11:22:38 -04:00
nixawk 637098466c Hidden black flash windows / Close HTA windows 2017-04-16 22:53:17 -05:00
nixawk a9df917257 Fix rtf info author 2017-04-14 21:16:39 -05:00
nixawk 8c662562d3 add CVE-2017-0199 format 2017-04-14 13:22:32 -05:00
bwatters-r7 64c06a512e
Land #8020, ntfs-3g local privilege escalation 2017-04-04 09:48:15 -05:00
h00die e80b8cb373 move sploit.c out to data folder 2017-03-31 20:51:33 -04:00
Pearce Barry c00b9ca1e5
Land #8175, Get into the DANGER ZOOOOOOONE 2017-03-31 14:31:22 -05:00
HD Moore b5771b0f72 Get into the DANGER ZOOOOOOONE 2017-03-31 12:26:42 -05:00
dmohanty-r7 1ce7bf3938
Land #8126, Add SolarWind LEM Default SSH Pass/RCE 2017-03-31 11:21:32 -05:00
Mehmet Ince e9f816272d
Adding solarwinds lem default ssh credentials to the wordlist 2017-03-24 13:24:05 +03:00
Jon P 4628dfe16b Remove old banner + rubygems requirements 2017-03-13 17:36:21 +01:00
Jon P c9a5190726 Patching "undefined method empty?" errors + "encoding error" 2017-03-13 17:32:56 +01:00
Jon P e8257122b3 Creation of a sub-module for modules/auxiliary/crawler/msfcrawler
Catching links in comments
2017-03-13 17:18:39 +01:00
wchen-r7 6965a00b45 Resolve #8023, Support backward compatibility for Office macro
Resolve #8023
2017-02-27 13:02:41 -06:00
William Webb 83cc28a091
Land #7972, Microsoft Office Word Macro Generator OS X Edition 2017-02-21 13:26:42 -06:00
Brent Cook 2c570b6709
Land #7942, Microsoft SQL Server Clr Stored Procedure Payload Execution 2017-02-17 17:28:54 -06:00
wchen-r7 3d269b46ad Support OS X for Microsoft Office macro exploit 2017-02-16 12:28:11 -06:00
OJ 2d834a3f5a
Finalise module, and add supporting binaries 2017-02-10 12:56:40 +10:00
bwatters-r7 272d1845fa
Land #7934, Add exploit module for OpenOffice with a malicious macro 2017-02-09 13:42:58 -06:00
wchen-r7 047a9b17cf Completed version of openoffice_document_macro 2017-02-08 16:29:40 -06:00
wchen-r7 cefbee2df4 Add PoC for OpenOffice macro module 2017-02-07 10:12:23 -06:00
wchen-r7 ccaa783a31 Add Microsoft Office Word Macro exploit 2017-02-02 17:44:55 -06:00
William Webb fb74b2d8f3
initial commit of finished product 2017-01-20 11:01:36 -06:00
bwatters_r7 4035dd7485
Land #7796, Improve zip module windows script fallback 2017-01-17 10:59:04 -06:00
Brent Cook 24f7959805
add binary for futex_requeue 2017-01-11 13:25:30 -06:00
Brent Cook 2585c8c8b5
Land #7461, convert futex_requeue (towelroot) module to use targetting and core_loadlib 2017-01-11 13:24:25 -06:00
Brent Cook 31f85b905a add comments 2017-01-07 12:50:11 -06:00
Brent Cook cdcf4cce7d improve zip module windows script fallback
- handle non-English locales
 - wait more reliably, handle network paths where FS info gets stale
 - use absolute paths correctly
2017-01-07 12:27:03 -06:00
Brent Cook 2652f347fa add module binary 2016-12-22 03:25:10 -06:00
Tim e6d4c0001c
hide debug printing 2016-12-20 00:52:11 +08:00
Pearce Barry 1dae206fde
Land #7379, Linux Kernel BPF Priv Esc (CVE-2016-4557) 2016-11-11 16:50:20 -06:00
scriptjunkie 268a72f210
Land #7193 Office DLL hijack module 2016-11-08 23:15:27 -06:00
Yorick Koster 3c1f642c7b Moved PPSX to data/exploits folder 2016-11-08 16:04:46 +01:00
William Webb 31b593ac67
Land #7402, Add Linux local privilege escalation via overlayfs 2016-11-01 12:46:40 -05:00
dmohanty-r7 d918e25bde
Land #7439, Add Ghostscript support to ImageMagick Exploit 2016-10-28 17:07:13 -05:00
Pearce Barry 43fd0a8813
Land #7436, Put Rex-exploitation Gem Back 2016-10-18 16:03:54 -05:00
h00die 0d1fe20ae5 revamped 2016-10-15 20:57:31 -04:00
Brent Cook 741c4b8916 updated android payload gem, removed unused extension jar 2016-10-14 09:59:06 -05:00
Brent Cook 9fbe1ddd9d
Land #7384, CVE-2016-6415 - Cisco IKE Information Disclosure 2016-10-14 08:41:34 -05:00
William Vu 9b15899d91 Add PS template 2016-10-13 17:40:15 -05:00
William Vu 6f4f2bfa5f Add PS target and remove MIFF 2016-10-13 17:39:55 -05:00
David Maloney 7894d5b2c1 Revert "Revert "use the new rex-exploitation gem""
This reverts commit f3166070ba.
2016-10-11 17:40:43 -05:00
Pearce Barry d1a11f46e8
Land #7418, Linux recvmmsg Priv Esc (CVE-2014-0038) 2016-10-09 18:37:52 -05:00
h00die 2dfebe586e working cve-2014-0038 2016-10-08 23:58:09 -04:00
Brent Cook f3166070ba
Revert "use the new rex-exploitation gem"
This reverts commit 52f6265d2e.
2016-10-08 21:55:16 -05:00
William Vu 3b3185069f
Land #7408, Mirai botnet wordlists 2016-10-06 10:07:20 -05:00
Tonimir Kisasondi 83548a0dde added mirai user/pass to unhash set 2016-10-05 22:24:11 +02:00
Tonimir Kisasondi 7ce73be936 Add linux.mirai wordlists 2016-10-05 17:57:08 +02:00
David Maloney 52f6265d2e use the new rex-exploitation gem
use the new rex-exploitation gem instead of the packaged in lbirary code
cleans up a huge ammount of space in framework

MS-1709
2016-10-05 09:05:27 -05:00
h00die 27cf5c65c4 working module 2016-10-04 23:21:53 -04:00
David Maloney af4f3e7a0d use templates from the gem for psh
use the templates now contained within the magical
gem of rex-powershell

7309
MS-2106
2016-10-04 14:14:25 -05:00
mach-0 dcc77fda5b Add back accidentally-deleted nasm comment. 2016-10-03 23:47:13 -05:00
mach-0 eff85e4118 Just remove DT_HASH. 2016-10-03 23:43:19 -05:00
mach-0 8828060886 Fix linux x64 elf-so template.
Previously the elf-so would crash when loaded with LD_PRELOAD,
due to not enough room for the symbol table.
2016-10-03 23:24:31 -05:00
nixawk 7368b995f2 CVE-2016-6415 Cisco - sendpacket.raw 2016-09-29 22:24:55 -05:00
h00die c036c258a9 cve-2016-4557 2016-09-29 05:23:12 -04:00
OJ 0e82ced082
Add LPE exploit module for the capcom driver flaw
This commit includes:

* RDI binary that abuses the SMEP bypass and userland function pointer
  invocation that is provided by the driver.
* Related metasploit module.
* Associated make.build to build from command line.
* Updated command line build file.

This also includes the beginnings of a new set of functions that help
with the management/automation of kernel-related work on Windows for
local priv esc exploits.
2016-09-27 22:37:45 +10:00
Pearce Barry 6382fffc75
Land #7326, Linux Kernel Netfilter Privesc 2016-09-26 12:38:50 -05:00
h00die 23e5556a4c binary drops work! 2016-09-24 21:31:00 -04:00
Joshua J. Drake dbf66f27d5 Add a browser-based exploit module for CVE-2015-3864 2016-09-23 11:14:31 -05:00
Adam Muntner 726079c6e7 diffed with fuzzdb
https://github.com/fuzzdb-project/fuzzdb/blob/master/discovery/predictable-filepaths/webservers-appservers/SAP.txt
2016-09-21 00:20:46 -04:00
dmohanty-r7 4c4f2e45d6
Land #7283, add jsp payload generator 2016-09-16 14:37:59 -05:00
Tim 6cb331e74d
Land 7281, add vagrant default password to wordlist 2016-09-07 13:01:01 +01:00
Tim 96f81b4817
add root:vagrant to root_userpass 2016-09-07 12:59:12 +01:00
Christian Mehlmauer c6012e7947
add jsp payload generator 2016-09-06 22:17:21 +02:00
Pearce Barry 9d5a276e91
Fix recent metasploit-framework.gemspec conflict. 2016-09-06 13:10:28 -05:00
wchen-r7 23a5d737fc Add password "vagrant" to wordlists
The password "vagrant" is often used in Metasploitable3.
2016-09-06 12:36:02 -05:00
Brendan 83160b7e49
Land #7173, Add post module to compress (zip) a file or directory 2016-08-24 09:38:04 -05:00
wchen-r7 e154aafaaa On Error Resume Next for zip.vbs 2016-08-17 17:08:38 -05:00
David Maloney 8bece28d00
remove *scan bins as well
all *scan bins need to be removed as the rex-bin_tools
gem will now handle these and put them in PATH

MS-1691
2016-08-15 14:04:00 -05:00
wchen-r7 8f7d0eae0c Fix #7155 - Add post module to compress (zip) a file or directory
Fix #7155
2016-08-02 14:44:58 -05:00
William Webb 21e6211e8d add exploit for cve-2016-0189 2016-08-01 13:26:35 -05:00
Brent Cook d1f65b27b8
Land #7151, Improve CVE-2016-0099 reliability 2016-07-29 09:22:11 -05:00
Brendan ee40c9d809
Land #6625, Send base64ed shellcode and decode with certutil (Actually MSXML) 2016-07-28 13:01:05 -07:00
wchen-r7 322fc11225 Fix whitespace 2016-07-27 12:37:14 -05:00
wchen-r7 dbe31766af Update CVE-2016-0099 Powershell 2016-07-27 12:35:43 -05:00
Brent Cook b08d1ad8d8
Revert "Land #6812, remove broken OSVDB references"
This reverts commit 2b016e0216, reversing
changes made to 7b1d9596c7.
2016-07-15 12:00:31 -05:00
wchen-r7 8f928c6ca1
Land #7006, Add MS16-032 Local Priv Esc Exploit 2016-07-12 15:22:35 -05:00
wchen-r7 621f3fa5a9 Change naming style 2016-07-12 15:18:18 -05:00
Brent Cook 2b016e0216
Land #6812, remove broken OSVDB references 2016-07-11 22:59:11 -05:00
William Webb b4b3a84fa5 refactor ms16-016 code 2016-07-05 20:50:43 -05:00
khr0x40sh df1a9bee13 Move ps1, Use Env var, Fix license, New Cleanup
MS16-032 ps1 moved to external file.  This ps1 will now detect windir
to find cmd.exe.  The module now also detects windir to find
powershell.exe.  The license is now BSD_LICENSE, and the required
copyright has been moved to the ps1. The previous optional cleanup stage
 is now standard.  The optional 'W_PATH' assignment is corrected to
select the user's variable unless 'W_PATH' is nil.
2016-06-22 09:25:48 -04:00
Brent Cook ba72d3fd92
Land #6988, Update banners to metasploit.com, not .pro 2016-06-17 15:29:30 -05:00
h00die cd207df6b8 adding karaf to unix lists per 4358 2016-06-15 20:31:48 -04:00
Tod Beardsley fe4cfd7e3e
Update banners to metasploit.com, not .pro 2016-06-14 15:11:04 -05:00
wwebb-r7 ab27c1b701 Merge pull request #6940 from samvartaka/master
Exploit for previously unknown stack buffer overflow in Poison Ivy versions 2.1.x (possibly present in older versions too)
2016-06-08 11:25:51 -05:00
samvartaka 5260031991 Modifications based on suggestions by @wchen-r7 2016-06-08 01:17:15 +02:00
William Vu 9128ba3e57 Add popen() vuln to ImageMagick exploit
So... we've actually been sitting on this vuln for a while now. Now that
the cat's out of the bag [1], I'm updating the module. :)

Thanks to @hdm for his sharp eye. ;x

[1] http://permalink.gmane.org/gmane.comp.security.oss.general/19669
2016-06-02 11:35:37 -05:00
Brent Cook 7b024d1a72
Land #6914, add siem to the namelist 2016-05-24 14:22:44 -05:00
x90" * 365 9d545b0a05 Update namelist.txt 2016-05-24 13:00:59 -04:00
William Vu 2bac46097f Remove url() for MVG
Technically unnecessary here.
2016-05-05 14:18:42 -05:00
William Vu 334c432901 Force https://localhost for SVG and MVG
https: is all that's needed to trigger the bug, but we don't want wget
and curl to gripe. localhost should be a safe host to request.
2016-05-05 14:18:42 -05:00
William Vu decd770a0b Encode the entire SVG string
Because why not? Not like people care about what's around the command.
2016-05-05 14:18:42 -05:00
William Vu 232cc114de Change placeholder text to something useful
A la Shellshock. :)
2016-05-05 14:18:42 -05:00
William Vu 5c04db7a09 Add ImageMagick exploit 2016-05-05 14:18:42 -05:00
wchen-r7 71c8ad555e Resolve #6839, Make Knowledge Base as default
Resolve #6839
2016-05-02 14:12:09 -05:00