e832be9eeb
Update description and change ranking
...
The exploit requires the targeted user to open the malicious in
specific ways.
2014-03-13 14:09:37 -05:00
6e37493471
Land #3091 - native shellcode payloads from a FF privileged js shell
2014-03-13 13:36:37 -05:00
952b50f8c1
Add priv escalation mixin to the firefox local exploit.
2014-03-13 11:49:44 -05:00
517f264000
Add last chunk of fixes
2014-03-11 12:46:44 -05:00
25ebb05093
Add next chunk of fixes
...
Going roughly a third at a time.
2014-03-11 12:23:59 -05:00
170608e97b
Fix first chunk of msftidy "bad char" errors
...
There needs to be a better way to go about preventing/fixing these.
2014-03-11 11:18:54 -05:00
3ea3968d88
Merge branch 'upstream/master' into stop_abusing_expand_path
...
Conflicts:
lib/msf/core/post/windows/shadowcopy.rb
modules/exploits/windows/local/bypassuac.rb
modules/post/windows/gather/wmic_command.rb
modules/post/windows/manage/persistence.rb
2014-03-11 23:13:39 +10:00
2086224a4c
Minor fixes. Includes a test module.
2014-03-10 14:49:45 -05:00
26be236896
Pass MSFTidy please
2014-03-10 14:45:56 -05:00
bc8590dbb9
Change DoS module location
2014-03-10 16:12:20 +01:00
1061036cb9
Use nick instead of name
2014-03-10 16:11:58 +01:00
5485028501
Add 3 Yokogawa SCADA vulns
...
These represent our part for public disclosure of the issues listed
here:
http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf
Yokogawa is calling these YSAR-14-0001E, and I think that they map
thusly:
YSAR-14-0001E Vulnerability 1 :: R7-2013-19.1
YSAR-14-0001E Vulnerability 2 :: R7-2013-19.3
YSAR-14-0001E Vulnerability 3 :: R7-2013-19.4
@jvazquez-r7 if you could confirm, I'd be delighted to land these and
get your disclosure blog post published at:
https://community.rapid7.com/community/metasploit/blog/2014/03/10/yokogawa-centum-cs3000-vulnerabilities
Thanks for all the work on these!
2014-03-10 09:33:54 -05:00
c76a1ab9f4
Land #3065 - Safari User-Assisted Download & Run Attack
2014-03-07 10:29:56 -06:00
9638bc7061
Allow a custom .app bundle.
...
* adds a method to Rex::Zip::Archive to allow recursive packing
2014-03-06 16:11:30 -06:00
5abb442757
Adds more descriptive explanation of 10.8+ settings.
2014-03-06 15:15:27 -06:00
43d315abd5
Hardcode the platform in the safari exploit.
2014-03-06 13:04:47 -06:00
df2bdad4f9
Include 'msf/core/exploit/powershell'
...
Prevent:
```
[-] /pentest/exploit/metasploit-framework/modules/exploits/windows/misc/hp_dataprotector_exec_bar.rb: NameError uninitialized constant Msf::Exploit::Powershell
```
2014-03-06 12:57:43 +11:00
38a2e6e436
Minor fixes.
2014-03-05 19:03:54 -06:00
dca807abe9
Tweaks for BES.
2014-03-05 19:00:15 -06:00
12cf5a5138
Add BES, change extra_plist -> plist_extra.
2014-03-05 18:51:42 -06:00
9d0743ae85
Land #3030 - SolidWorks Workgroup PDM 2014 pdmwService.exe Arbitrary File Write
2014-03-05 16:34:54 -06:00
1ea35887db
Add OSVDB reference
2014-03-06 01:40:15 +10:30
4e9350a82b
Add module for ZDI-14-008
2014-03-05 03:25:13 -06:00
cd3c2f9979
Move osx-app format to EXE.
2014-03-04 22:54:00 -06:00
a1aef92652
Land #2431 - In-memory bypass uac
2014-03-05 11:15:54 +10:00
32c27f6be0
Tweak timeouts.
2014-03-04 17:16:23 -06:00
40047f01d3
Adds Safari User Assisted download launch module.
2014-03-04 17:02:51 -06:00
e30238fe0d
Land #3062 , unused arg fix for vmware_mount
2014-03-04 11:37:41 -06:00
68205fa43c
Actually use the argument
2014-03-04 11:30:42 -06:00
f8310b86d1
Land #3059 - ALLPlayer M3U Buffer Overfloww
2014-03-04 11:29:52 -06:00
db76962b4a
Land #2764 , WMIC Post Mixin changes
...
lands Meatballs WMIC changes
2014-03-04 10:21:46 -06:00
408fedef93
Add module for OSVDB-98283
2014-03-04 00:51:01 +01:00
32d83887d3
Merge remote-tracking branch 'upstream/master' into wmic_post
2014-03-03 21:56:31 +00:00
de6be50d64
Minor cleanup and finger-wagging about a for loop
2014-03-03 14:12:22 -06:00
f008c77f26
Write payload to startup for Vista+
2014-03-02 18:10:10 +10:30
63751c1d1a
Small msftidies
2014-02-28 22:18:59 +00:00
ac446d3b3f
Land #3043 - randomization for Rex::Zip::Jar and java_signed_applet
2014-02-28 14:10:55 -06:00
7117d50fa4
Land #3028 - bypassuac revamp
2014-02-28 09:12:02 +10:00
f531d61255
Land #3036 - Total Video Player buffer overflow
2014-02-27 14:28:53 -06:00
7625dc4880
Fix syntax error due to the missing ,
2014-02-27 14:25:52 -06:00
49ded452a9
Add OSVDB reference
2014-02-27 14:22:56 -06:00
e72250f08f
Rename Total Video Player module
...
The filename shouldn't include the version, because the exploit should
be able to target multiple versions if it has to.
2014-02-27 14:20:26 -06:00
b952b103bd
cleanup tior and .tmp files
...
bypassuac module now also cleans
the tior.exe and all the .tmp files so we have a
clean environemnt afterwards
2014-02-27 13:18:34 -06:00
f66709b5bb
make bypassuac module clean itself up
...
since the IO redirection hangs our original process
we have the moudle wait for the session then kills
the spawning process and delete the exe we dropped
2014-02-27 12:54:40 -06:00
6c490af75e
Add randomization to Rex::Zip::Jar and java_signed_applet
2014-02-27 12:38:52 -06:00
a8e0c3c255
remove copypasta mistake
2014-02-27 10:05:53 -06:00
63f74bddae
2° update total_video_player_131_ini_bof
2014-02-27 16:41:35 +01:00
96b611104e
cleanup methods in bypassuac module
...
apply the same sort of method cleanup as in
Meatballs injection based module.
2014-02-26 11:00:55 -06:00
b81642d8ad
Update total_video_player_131_ini_bof
2014-02-26 11:37:04 +01:00
a7cacec0c3
Add module for EDB 29799
2014-02-25 23:07:28 +01:00
96ffb1db47
Delete extra comma
2014-02-25 15:29:46 -06:00
cb18639b66
Add small fixes and clean up
2014-02-25 15:25:01 -06:00
1d4b2ea60d
Add module for ZDI-14-015
2014-02-25 15:07:09 -06:00
a45c8c2b4a
Land #3029 , @xistence Symantec endpoint exploit
2014-02-25 07:59:35 -06:00
bfe0fdb776
Move module
2014-02-25 07:58:00 -06:00
ab167baf56
Added randomness instead of payload and xxe keywords
2014-02-25 15:23:10 +07:00
4908d80d6c
Clean up module
2014-02-24 16:00:54 -06:00
c981bbeab9
Land #3011 , @wchen-r7's fix for Dexter exploit
2014-02-24 10:53:10 -06:00
c9f0885c54
Apply @jlee-r7's feedback
2014-02-24 10:49:13 -06:00
a29c6cd2b4
Add SolidWorks Workgroup PDM 2014 pdmwService.exe Arbitrary File Write
2014-02-25 02:57:25 +10:30
5485759353
Added Symantec Endpoint Protection Manager RCE
2014-02-24 15:04:37 +07:00
8e3f70851d
Added Symantec Endpoint Protection Manager RCE
2014-02-24 15:01:13 +07:00
fdd0d91817
Updated the Ultra Minit HTTP bof exploit
...
After exploiting this application manually I decided to make this
an MSF exploit, only to find that other people had beaten me to it.
However, the existing exploit was broken in a few ways, and this
commit makes those problems go away. They include:
* Correct use of alpha chars in the buffer leading up to the payload
which results in bad chars being avoided. Bad chars muck with the
offsets because they get expanded.
* Adjustment of the payload so that it runs in another thread instead
of in the thread of the request handler. This prevents the session
from being killed after the hard-coded 60-second timeout that is
baked into the application.
* The handler thread terminates itself so that the process doesn't
crash.
* Extra targets were added based on the machines I had access to.
2014-02-23 21:23:41 +10:00
2f7f344be3
Copy original sleep
2014-02-23 04:53:48 +00:00
6127ff92ce
Fix race condition
...
Wait for Sysprep to ExitProcess before cleaning up the DLLs...
2014-03-03 23:41:25 +00:00
d396be963a
Use new cmd_exec_get_pid
2014-02-28 20:53:13 +00:00
2a6258be15
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
...
Conflicts:
external/source/exploits/make.bat
2014-02-28 20:26:24 +00:00
e0fa1d532c
Dont think this works on vista/8
2014-02-26 23:14:17 +00:00
5a7730b495
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
2014-02-25 23:15:47 +00:00
8bdb22aeb9
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
...
Conflicts:
lib/msf/core/post/windows.rb
2014-02-25 22:15:05 +00:00
1f08ad48a4
Fix payload_path method
2014-02-25 22:11:23 +00:00
6687ef80ee
Further bypassuac tidies
...
Dont rescue Exception
Use ReflectiveDLLInjection post mixin
Dont keep retrieving %TEMP% path
2014-02-25 22:03:01 +00:00
23381ea2cb
code tidying
...
break big exploit method up into
smaller methods for better maintainability
2014-02-25 14:07:48 -06:00
998fa06912
Land #2998 , @bit4bit's fix for the vtigercrm exploit
2014-02-20 08:36:05 -06:00
0b27cd13e8
Make module work
2014-02-20 08:35:37 -06:00
ed2ac95396
Always replace \ with / for Dexter exploit
...
Fix for the following:
48199fec27 (commitcomment-5419010)
2014-02-19 09:24:07 -06:00
50fb9b247e
Restructure some of the exploit methods.
2014-02-19 02:31:22 -06:00
4ca4d82d89
Land #2939 , @Meatballs1 exploit for Wikimedia RCE and a lot more...
2014-02-18 17:48:02 -06:00
721e153c7f
Land #3005 to the fixup-release branch
...
Prefer the intel on #3005 over my own made up 0day guess. Thanks @wvu!
Conflicts:
modules/exploits/windows/fileformat/audiotran_pls_1424.rb
2014-02-18 14:08:54 -06:00
a863d0a526
Pre-release fixes, including msftidy errors.
2014-02-18 14:02:37 -06:00
28dc742bcf
Fix references and disclosure date
2014-02-18 13:59:58 -06:00
c216357815
Land #3000 , audiotran_pls_1424 SEH exploit
2014-02-18 13:27:14 -06:00
57449ac719
Adds working shellcode exec local exploit.
2014-02-17 15:31:45 -06:00
98958bc7bc
Making audiotran_pls_1424 more readable and adding comments
2014-02-17 13:40:03 -05:00
52ac85be11
Land #2931 - Oracle Forms and Reports RCE
2014-02-17 08:54:23 -06:00
110ffbf342
Indent looks off for this line
2014-02-17 08:53:29 -06:00
632ea05688
100 columns
2014-02-17 08:52:56 -06:00
8da7ba131b
In case people actually don't know what RCE means
2014-02-17 08:51:48 -06:00
73459baefd
Add OSVDB references
2014-02-17 08:50:34 -06:00
fb7b938f8e
check func fixed
2014-02-17 15:11:56 +01:00
c60ea58257
added audiotran_pls_1424 fileformat for Windows
2014-02-16 16:20:50 -05:00
e27d98368e
fixed local server issues
2014-02-16 18:26:08 +01:00
e40b9e5f37
updated and improved
2014-02-16 16:24:39 +01:00
74344d6c7e
vtigerolservice.php to vtigerservice.php
...
using direct soap/vtigerolservice.php not work..php need require('config.php');
2014-02-15 20:36:36 -05:00
b7d69c168c
bugfix and user supplied local path support
2014-02-15 16:24:59 +01:00
9daffbd484
Land #2973 - Dexter panel (CasinoLoader) SQLi to file upload code exec
2014-02-14 17:16:27 -06:00
48199fec27
Change URL identifier, and make the user choose a target
2014-02-14 17:15:00 -06:00
745f313413
Remove @nmonkee as author per twitter convo
2014-02-13 14:41:10 -06:00
371f23b265
Unbreak the URL refs add nmonkee as ref and author
...
While @nmonkee didn't actually contribute to #2942 , he did publish a
python exploit that leverages WebView, so given our policy of being
loose with author credit, I added him.
Also added a ref to @nmonkee's thing.
@jduck @jvennix-r7 if you have a problem with this, please do say so, I
don't think adding @nmonkee in any way diminishes your work, and I don't
want to appear like we're secretly ripping off people's work. I know you
aren't on this or any other module, and I know @nmonkee doesn't think
that either.
2014-02-13 14:19:59 -06:00
ff267a64b1
Have into account the Content-Transfer-Encoding header
2014-02-12 12:40:11 -06:00
sinn3r
Joe Vennix
William Vu
OJ
Tod Beardsley
jvazquez-r7
Brendan Coles
James Lee
David Maloney
sgabe
Meatballs
Fr330wn4g3
xistence
Philip OKeefe
Mekanismen
Jovany Leandro G.C