Commit Graph

203 Commits (19ab71aa43a3c726e4280bd6b5851202b27bb54d)

Author SHA1 Message Date
jvazquez-r7 31b4e72196 Switch to soft tabs the cs code 2013-11-23 23:06:52 -06:00
jvazquez-r7 9f539bafae Add README on the source code dir 2013-11-22 17:56:05 -06:00
jvazquez-r7 25eb13cb3c Small fix to interface 2013-11-22 17:02:08 -06:00
jvazquez-r7 288a1080db Add MS13-022 Silverlight app code 2013-11-22 16:53:06 -06:00
OJ 506a4d9e67
Remove genericity, x64 and renamed stuff
As per discussion on the github issue, the following changes were made:

* Project renamed from elevate to kitrap0d, implying that this is not
  intended to be a generic local priv esc exploit container.
* Container DLL no longer generic, always calls the kitrap0d exploit.
* Removal of all x64 code and project configurations.
* Invocation of the exploit changed so that the address of the payload
  is passed in to the exploit entry point. The exploit is now responsible
  for executing the payload if the exploit is successful. This removes
  the possibility of the payload getting executed when the exploit fails.
* Source moved to the appropriate CVE folder.
* Binary moved to the appropriate CVE folder.
* Little bit of source rejigging to tidy things up.
2013-11-14 12:22:53 +10:00
OJ 40f58ce534
Finalise the local exploit for kitrap0d
The exploit now properly injects the DLL using RDI and invokes the
exploit based on a parameter passed by the Ruby module. The elevate
code is 'generic' with a goal of possibly supporting more exploits
down the track.

New sessions are now created with the SYSTEM creds, rather than
modifying the existing session. This is now inline with how things
are done with other local modules.
2013-11-12 23:01:24 +10:00
OJ 6a25ba18be Move kitrap0d exploit from getsystem to local exploit
This version modifies the existing meterpreter session and bumps the privs
up to SYSTEM. However it's not how local exploits are supposed to work.
More work will be done to make this create a new session with the elevated
privs instead.
2013-11-11 17:14:40 +10:00
Meatballs b3cc9f6f1e
Use sysnative to delete the cryptbase.dll when in SYSWOW64 process.
Merge branch 'master' of github.com:Meatballs1/metasploit-framework into bypassuac_redo

Conflicts:
	modules/exploits/windows/local/bypassuac.rb
2013-10-17 21:01:57 +01:00
Meatballs 2764bfc1b4 Remove opensdf 2013-09-27 10:19:16 +01:00
Meatballs c3c07b5fd7 Better arch checking 2013-09-27 09:39:29 +01:00
Meatballs dfac7b57d2 Fixup SysWOW64 2013-09-27 09:10:49 +01:00
Meatballs b8df7cc496 Initialize strings fool 2013-09-27 09:01:00 +01:00
Meatballs 5bd414d4b4 Submodule 2013-09-26 23:19:13 +01:00
Meatballs fc5e389708 Small changes to proj 2013-09-05 22:27:36 +01:00
Meatballs 81c78efaea Example submodule 2013-09-05 22:00:04 +01:00
Meatballs 280f78c249 Update source 2013-08-30 10:48:47 +01:00
Meatballs ff5cf396ab Remove large file and rename payload.dll 2013-08-27 00:30:27 +01:00
Meatballs 035e97523b In memory bypassuac 2013-08-27 00:13:19 +01:00
jvazquez-r7 795ad70eab Change directory names 2013-08-15 22:52:42 -05:00
jvazquez-r7 cc5804f5f3 Add Port for OSVDB 96277 2013-08-15 18:34:51 -05:00
jvazquez-r7 c7361043ae up to date 2013-07-17 11:47:06 -05:00
Meatballs 2634d33832 Forgot C changes 2013-07-06 09:30:09 +01:00
Meatballs 66c2b79177 Initial commit 2013-07-05 19:48:27 +01:00
jvazquez-r7 a4d353fcb3 Clean a little more the VS project 2013-06-29 15:15:27 -05:00
jvazquez-r7 de245113af Wrap Reflective DLL Readme.md to 80 columns 2013-06-29 09:29:09 -05:00
jvazquez-r7 6878534d4b Clean Visual Studio Project 2013-06-29 09:20:40 -05:00
jvazquez-r7 7725937461 Add Module for cve-2013-3660 2013-06-28 18:18:21 -05:00
jvazquez-r7 3c1af8217b Land #2011, @matthiaskaiser's exploit for cve-2013-2460 2013-06-26 14:35:22 -05:00
jvazquez-r7 b400c0fb8a Delete project files 2013-06-25 12:58:39 -05:00
jvazquez-r7 d25e1ba44e Make fixes proposed by review and clean 2013-06-25 12:58:00 -05:00
jvazquez-r7 b32513b1b8 Fix CVE-2013-2171 with @jlee-r7 feedback 2013-06-25 10:40:55 -05:00
sinn3r 74825af933 Add Makefile 2013-06-24 16:08:22 -05:00
sinn3r 6780566a54 Add CVE-2013-2171: FreeBSD 9 Address Space Manipulation Module 2013-06-24 11:50:21 -05:00
Matthias Kaiser 8a96b7f9f2 added Java7u21 RCE module
Click2Play bypass doesn't seem to work anymore.
2013-06-24 02:04:38 -04:00
jvazquez-r7 7090d4609b Add module for CVE-2013-1488 2013-06-07 13:38:41 -05:00
jvazquez-r7 9fca89f70b fix small issues 2013-04-20 01:43:14 -05:00
jvazquez-r7 c225d8244e Added module for CVE-2013-1493 2013-03-26 22:30:18 +01:00
jvazquez-r7 f04df6300a makefile updated 2013-02-21 13:44:37 +01:00
jvazquez-r7 da9e58ef79 Added the java code to get the ser file 2013-02-20 18:14:24 +01:00
jvazquez-r7 d88ad80116 Added first version of cve-2013-0431 2013-02-20 16:39:53 +01:00
jvazquez-r7 ee2fed8335 Merge branch 'master' of https://github.com/booboule/metasploit-framework into booboule-master 2013-01-24 16:18:06 +01:00
booboule afa32c7552 Update external/source/exploits/cve-2012-5076_2/Makefile
Wrong directory path
2013-01-23 20:18:24 +01:00
booboule d2b75ad005 Update external/source/exploits/cve-2012-5088/Makefile 2013-01-23 12:42:33 +01:00
jvazquez-r7 807bd6e88a Merge branch 'java_jre17_glassfish_averagerangestatisticimpl' of https://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-java_jre17_glassfish_averagerangestatisticimpl 2013-01-22 15:33:39 +01:00
jvazquez-r7 ef16a7fd24 cleanup 2013-01-17 21:45:13 +01:00
jvazquez-r7 670b4e8e06 cleanup 2013-01-17 21:39:41 +01:00
jvazquez-r7 78279a0397 Added new module for cve-2012-5076 2013-01-17 21:27:47 +01:00
jvazquez-r7 d0b9808fc7 Added module for CVE-2012-5088 2013-01-17 21:14:49 +01:00
jvazquez-r7 51f3f59d2f cve and references available 2013-01-11 00:54:53 +01:00
jvazquez-r7 e503d596ed code indention for exploit.java fixed 2013-01-10 20:34:58 +01:00
jvazquez-r7 876d889d82 added exploit for j7u10 0day 2013-01-10 20:30:43 +01:00
jvazquez-r7 133ad04452 Cleanup of #1062 2012-12-07 11:55:48 +01:00
jvazquez-r7 fd1557b6d2 Merge branch 'msi_elevated' of https://github.com/Meatballs1/metasploit-framework into Meatballs1-msi_elevated 2012-11-28 21:49:36 +01:00
Meatballs1 bc9065ad42 Move MSI source and binary location 2012-11-27 18:12:49 +00:00
jvazquez-r7 5076198ba2 fixing bperry comments 2012-11-11 20:18:19 +01:00
jvazquez-r7 08cc6d56ec updated java source 2012-11-11 20:11:33 +01:00
jvazquez-r7 c07701f61e Makefile updated 2012-11-11 17:44:27 +01:00
jvazquez-r7 1528ccf423 added Makefile for java code 2012-11-11 17:43:57 +01:00
jvazquez-r7 8619c5291b Added module for CVE-2012-5076 2012-11-11 17:05:51 +01:00
sinn3r d37b52c9d3 Update source information 2012-08-30 17:48:02 -05:00
jvazquez-r7 363c0913ae changed dir names according to CVE 2012-08-28 16:33:01 +02:00
jvazquez-r7 52ca1083c2 Added java_jre17_exec 2012-08-27 11:25:04 +02:00
sinn3r f715527423 Improve CVE-2012-1535 2012-08-21 19:58:21 -05:00
sinn3r 13df1480c8 Add exploit for CVE-2012-1535 2012-08-17 12:16:54 -05:00
sinn3r 54576a9bbd Last touch-up
The contents of this pull request are very similar to what the msf
dev had in private, so everybody is credited for the effort.
2012-07-10 00:37:07 -05:00
LittleLightLittleFire 956ec9d1da added Makefile for CVE-2012-1723 2012-07-10 14:12:07 +10:00
LittleLightLittleFire e9ac90f7b0 added CVE-2012-1723 2012-07-10 12:20:37 +10:00
jvazquez-r7 38abeeb235 changes on openfire_auth_bypass 2012-06-27 23:16:07 +02:00
jvazquez-r7 245205c6c9 changes on openfire_auth_bypass 2012-06-27 23:15:40 +02:00
h0ng10 6cc8390da9 Module rewrite, included Java support, direct upload, plugin deletion 2012-06-26 11:56:44 -04:00
h0ng10 65197e79e2 added Exploit for CVE-2008-6508 (Openfire Auth bypass) 2012-06-24 07:35:38 -04:00
jvazquez-r7 b891e868f5 Added actionscript and swf needed 2012-06-23 08:36:35 +02:00
Steven Seeley fcf42d3e7b added adobe flashplayer array indexing exploit (CVE-2011-2110) 2012-06-20 12:52:37 +10:00
jvazquez-r7 14d8ba00af Added batik svg java module 2012-05-17 16:48:38 +02:00
sinn3r f5e8f57497 Minor fixes 2012-04-19 18:07:35 -05:00
sinn3r 835d8b209d clear whitespace 2012-04-12 01:08:22 -05:00
0a2940 654701f1b2 new file: data/exploits/CVE-2008-5499.swf
new file:   external/source/exploits/CVE-2008-5499/Exploit.as
	new file:   modules/exploits/linux/browser/adobe_flashplayer_aslaunch.rb
2012-04-10 20:58:22 +01:00
James Lee 6b996ed9de Add checks for data being null, too, just in case 2012-03-30 16:46:49 -06:00
James Lee b424475774 Add a makefile
Compiles with an old -target so it will work on older JVMs
2012-03-30 16:25:47 -06:00
sinn3r e018c6604f Modify CVE-2012-0507 2012-03-30 02:06:56 -05:00
sinn3r 791ebdb679 Add CVE-2012-0507 (Java) 2012-03-29 10:31:14 -05:00
sinn3r befb60217c Add CVE-2012-0754 .as source 2012-03-07 19:25:51 -06:00
juan e69037959f Added CVE-2010-0842 2012-02-15 23:32:31 +01:00
scriptjunkie 1e811aed02 Adds scriptjunkie's multilingual admin fie for pxexploit
Also removes duplicated code between external/source/exploits/pxesploit
and external/source/pxesploit.

[Closes #63]

Squashed commit of the following:

commit 325f52527233ded1bf6506c366ec8cb9efdc2610
Author: scriptjunkie <scriptjunkie@scriptjunkie.us>
Date:   Fri Dec 16 12:14:18 2011 -0600

    Jetzt auf Deutsch! y español! 中國人!
    [update pxexploit to resolve administrators' group name rather than assume the English 'Administrators']
    Also remove duplicate/old pxexploit source code from the tree.
2011-12-23 12:24:45 -06:00
sinn3r e7c179d0b5 The more description the better 2011-12-01 03:03:37 -06:00
sinn3r 9e71be8ed0 Add source for CVE-2011-3544 2011-11-29 18:04:31 -06:00
Matt Buck 16f45fc894 Add empty directories from svn repo. 2011-11-09 18:41:40 -06:00
Matt Weeks 971b6f96f6 pxesploit update; compatibility with x64, compatibility with different windows versions.
Still no custom payload yet.



git-svn-id: file:///home/svn/framework3/trunk@12430 4d416f70-5f16-0410-b530-b9f4589650da
2011-04-25 02:51:07 +00:00
David Rude 8c614a9296 made the shellcode request random to avoid signatures
git-svn-id: file:///home/svn/framework3/trunk@12148 4d416f70-5f16-0410-b530-b9f4589650da
2011-03-26 16:00:52 +00:00
David Rude ff3659aa37 Lots of work to make this a lot more reliable =)
git-svn-id: file:///home/svn/framework3/trunk@12146 4d416f70-5f16-0410-b530-b9f4589650da
2011-03-26 06:35:28 +00:00
Joshua Drake fb6107ffb5 enable java payloads, currently via one-off method
git-svn-id: file:///home/svn/framework3/trunk@12012 4d416f70-5f16-0410-b530-b9f4589650da
2011-03-17 23:57:11 +00:00
Joshua Drake 4644110962 add exploit for cve-2010-4452, currently windows only and no payloads :(
git-svn-id: file:///home/svn/framework3/trunk@11982 4d416f70-5f16-0410-b530-b9f4589650da
2011-03-16 04:50:25 +00:00
HD Moore 5d23306f01 Add bypassuac source to the tree
git-svn-id: file:///home/svn/framework3/trunk@11484 4d416f70-5f16-0410-b530-b9f4589650da
2011-01-06 17:30:20 +00:00
James Lee 6f7af42667 add an exploit for cve-2010-3563, thanks Matthias Kaiser
git-svn-id: file:///home/svn/framework3/trunk@11078 4d416f70-5f16-0410-b530-b9f4589650da
2010-11-19 23:02:35 +00:00
James Lee 85126af521 add an exploit module for cve-2010-0094, thanks Matthias Kaiser.
git-svn-id: file:///home/svn/framework3/trunk@10255 4d416f70-5f16-0410-b530-b9f4589650da
2010-09-08 08:20:55 +00:00
James Lee b35cea94cd add source code for cve-2010-0840
git-svn-id: file:///home/svn/framework3/trunk@10095 4d416f70-5f16-0410-b530-b9f4589650da
2010-08-21 07:27:26 +00:00
James Lee 50914a1e68 add a makefile so i don't forget how to compile this stuff
git-svn-id: file:///home/svn/framework3/trunk@9901 4d416f70-5f16-0410-b530-b9f4589650da
2010-07-21 07:27:15 +00:00
James Lee 119f9328fc remove debug prints. =/
git-svn-id: file:///home/svn/framework3/trunk@9875 4d416f70-5f16-0410-b530-b9f4589650da
2010-07-20 00:57:03 +00:00
James Lee 08d705c1db add java meterpreter and update java_calendar_deserialize to be able to use it, see #406
git-svn-id: file:///home/svn/framework3/trunk@9874 4d416f70-5f16-0410-b530-b9f4589650da
2010-07-20 00:53:24 +00:00
Joshua Drake b37c34579b add exploit module for cve-2009-3869
NOTE: no policy change is required for this exploit to succeed.



git-svn-id: file:///home/svn/framework3/trunk@7899 4d416f70-5f16-0410-b530-b9f4589650da
2009-12-17 04:52:40 +00:00
Joshua Drake 255724d640 compile java applet with 1.3, Fixes #685
git-svn-id: file:///home/svn/framework3/trunk@7850 4d416f70-5f16-0410-b530-b9f4589650da
2009-12-14 17:26:19 +00:00
Joshua Drake 34408c5e3e add exploit module for CVE-2009-3867 (JRE getSoundbank)
git-svn-id: file:///home/svn/framework3/trunk@7827 4d416f70-5f16-0410-b530-b9f4589650da
2009-12-11 21:18:31 +00:00
HD Moore b8efb1bbf9 Add Stephen Fewer's shiny exploit for the Java deserialization flaw
git-svn-id: file:///home/svn/framework3/trunk@6664 4d416f70-5f16-0410-b530-b9f4589650da
2009-06-16 17:19:44 +00:00