jvazquez-r7
03a84a1de3
Search the AccessToken
2014-10-30 12:17:03 -05:00
OJ
908094c3d3
Remove debug, treat warnings as errors
2014-10-28 09:04:02 +10:00
OJ
0a03b2dd48
Final code tidy
2014-10-28 08:59:33 +10:00
OJ
6f3b373f01
More code tidy and unifying of stuff
2014-10-28 08:37:49 +10:00
OJ
0e761575c8
More code tidying, reduced x64/x86 duplication
2014-10-28 08:09:18 +10:00
OJ
062eff8ede
Fix project settings, make files, start tidying of code
2014-10-28 07:58:19 +10:00
Spencer McIntyre
d6a63ccc5e
Remove unnecessary C debugging code for the exploit
2014-10-27 11:24:23 -04:00
Spencer McIntyre
46b1abac4a
More robust check routine for cve-2014-4113
2014-10-27 11:19:12 -04:00
jvazquez-r7
4406972b46
Do version checking minor cleanup
2014-10-27 09:32:42 -05:00
jvazquez-r7
0aaebc7872
Make GetPtiCurrent USER32 independent
2014-10-26 18:51:02 -05:00
jvazquez-r7
34697a2240
Delete 'callback3' also from 32 bits version
2014-10-26 17:28:35 -05:00
Spencer McIntyre
7416c00416
Initial addition of x64 target for cve-2014-4113
2014-10-26 16:54:42 -04:00
jvazquez-r7
d8eaf3dd65
Add exploit source code
2014-10-23 18:59:58 -05:00
HD Moore
8cca4d7795
Fix the makefile to use the right directory
...
Reported by severos on IRC, the current output
class is in the right place, but the makefile
was broken.
2014-08-03 13:38:15 -05:00
sinn3r
ce5d3b12e7
Land #3403 - MS13-097 Registry Symlink IE Sandbox Escape
2014-06-26 13:48:28 -05:00
sinn3r
0b6f7e4483
Land #3404 - MS14-009 .NET Deployment Service IE Sandbox Escape
2014-06-26 11:45:47 -05:00
Meatballs
25ed68af6e
Land #3017 , Windows x86 Shell Hidden Bind
...
A bind shellcode that responds as 'closed' unless the client matches the
AHOST ip.
2014-06-08 13:49:49 +01:00
Meatballs
bf1a665259
Land #2657 , Dynamic generation of windows service executable functions
...
Allows a user to specify non service executables as EXE::Template as
long as the file has enough size to store the payload.
2014-06-07 13:28:20 +01:00
jvazquez-r7
443f9f175c
Update IE11Sandbox exploit source
2014-06-03 09:58:07 -05:00
jvazquez-r7
372a12b966
Restore make.msbuild permissions
2014-06-03 09:07:34 -05:00
jvazquez-r7
98a06b3d72
Restore make.msbuild
2014-06-03 09:05:26 -05:00
jvazquez-r7
f918bcc631
Use powershell instead of mshta
2014-06-03 09:01:56 -05:00
jvazquez-r7
f6862cd130
Land @OJ's updated meterpreter binaries
2014-05-30 20:27:28 -05:00
OJ
d2b8706bd6
Include meterpreter bins, add Sandbox builds
...
This commit contains the binaries that are needed for Juan's sandbox
escape functionality (ie. the updated old libloader code). It also
contains rebuilt binaries for all meterpreter plugins.
I've also added command line build scripts for the sandbox escapes
and added that to the "exploits" build.
2014-05-31 08:12:34 +10:00
jvazquez-r7
c1368dbb4c
Use %windir%
2014-05-30 09:06:41 -05:00
jvazquez-r7
75777cb3f9
Add IE11SandboxEscapes source
2014-05-29 11:38:43 -05:00
Florian Gaultier
bb4e9e2d4d
correct error in block service_change_description
2014-05-13 16:04:39 +02:00
Florian Gaultier
6332957bd2
Try to add SERVICE_DESCRIPTION options to psexec, but it doesn't seem to work...
2014-05-13 16:04:39 +02:00
Florian Gaultier
bdbb70ab71
up block_service_stopped.asm
2014-05-13 16:04:39 +02:00
Florian Gaultier
e269c1e4f1
Improve service_block with service_stopped block to cleanly terminate service
2014-05-13 16:04:38 +02:00
Florian Gaultier
c43e3cf581
Improve block_create_remote_process to point on shellcode everytime
2014-05-13 16:04:38 +02:00
Florian Gaultier
25d48b7300
Add create_remote_process block, now used in exe_service generation
2014-05-13 16:04:38 +02:00
Florian Gaultier
0bdf7904ff
Change author of single_service_stuff.asm
2014-05-13 16:04:38 +02:00
Florian Gaultier
513f3de0f8
new service exe creation refreshed
2014-05-13 16:04:36 +02:00
jvazquez-r7
58c46cc73d
Add compilation instructions for the AS
2014-05-08 16:48:42 -05:00
jvazquez-r7
5fd732d24a
Add module for CVE-2014-0515
2014-05-07 17:13:16 -05:00
sinn3r
6bfc9a8aa0
Land #3333 - Adobe Flash Player Integer Underflow Remote Code Execution
2014-05-05 10:39:26 -05:00
OJ
7e37939bf2
Land #3090 - Windows NTUserMessageCall Win32k Kernel Pool Overflow (Schlamperei)
2014-05-04 16:41:17 +10:00
jvazquez-r7
b4c7c5ed1f
Add module for CVE-2014-0497
2014-05-03 20:04:46 -05:00
Meatballs
850f6b0276
Address OJ's comments
2014-05-02 13:33:55 +01:00
jvazquez-r7
60e7e9f515
Add module for CVE-2013-5331
2014-04-27 10:40:46 -05:00
sinn3r
5c0664fb3b
Land #3292 - Mac OS X NFS Mount Privilege Escalation Exploit
2014-04-24 13:43:20 -05:00
Joe Vennix
143aede19c
Add osx nfs_mount module.
2014-04-23 02:32:42 -05:00
jvazquez-r7
acb12a8bef
Beautify and fix both ruby an AS
2014-04-17 23:32:29 -05:00
jvazquez-r7
abd76c5000
Add module for CVE-2014-0322
2014-04-15 17:55:24 -05:00
OJ
409787346e
Bring build tools up to date, change some project settings
...
This commit brings the source into line with the general format/settings
that are used in other exploits.
2014-03-14 22:57:16 +10:00
Tod Beardsley
520d1e69c4
Rapid7 Comma Inc
...
After some more discussion with Rapid7's legal fellow.
2014-03-13 09:46:20 -05:00
Tod Beardsley
9d4ceaa3a0
Let's try to be consistent about Rapid7 Inc.
...
According to
http://www.sec.gov/Archives/edgar/data/1560327/000156032712000001/0001560327-12-000001.txt
Rapid7 is actually "Rapid7 Inc" not "Rapid7, LLC" any more.
This does not address the few copyright/license statements around
"Metasploit LLC," whatever that is.
2014-03-12 11:20:17 -05:00
kyuzo
41720428e4
Refactoring exploit and adding build files for dll.
2014-03-12 10:25:52 +00:00
root
1fda6b86a1
Changed cmp eax by inc eax. Saved one byte
2014-03-10 12:13:10 +01:00
kyuzo
2a1e96165c
Adding MS013-058 for Windows7 x86
2014-03-06 18:39:34 +00:00
somename11111
99cd36c036
Fix description of Input
2014-03-06 03:16:55 +01:00
somename11111
689523a26f
Clean Code based on jlee-r7's comments
...
- Put allocations in loop
- Decomment exitfunc
- Aligned comments
- Some more code cleaning
2014-03-06 02:44:24 +01:00
somename11111
83929facc4
Fix bug on Windows XP
...
Correct the addresses of functions in pstorec.dll.
Successfully tested on Server 2003 and XP.
2014-03-06 02:35:44 +01:00
somename11111
4aca648faf
Correct file information
2014-03-06 02:35:36 +01:00
somename11111
ba31e304b5
Clean the code
...
Remove debugging functions from block_get_pstore_proxy_auth.asm.
Reduce allocation size to 1kB.
2014-03-06 02:35:25 +01:00
somename11111
b6b46abe9f
Add new stager stager_reverse_http_proxy_pstore
...
This stager looks for proxy credentials in windows protected storage. If it finds proxy credentials, it will use them to connect back. If it does not find credentials, it will do the same as stager_reverse_http.
Works on:
- Windows Server 2003
- Windows XP
- Internet Explorer versions 4 to 6
2014-03-06 02:35:12 +01:00
Meatballs
7877589537
Delete correctly
2014-02-23 02:47:13 +00:00
Meatballs
6127ff92ce
Fix race condition
...
Wait for Sysprep to ExitProcess before cleaning up the DLLs...
2014-03-03 23:41:25 +00:00
Meatballs
2a6258be15
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
...
Conflicts:
external/source/exploits/make.bat
2014-02-28 20:26:24 +00:00
David Maloney
9d9149d9d8
remove some dead code paths
...
refactor some dead conditionals and a case/switch
that wasn't doing anything
2014-02-27 11:45:57 -06:00
OJ
4b924659b2
Adjust project config
...
* Remove editbin usage for console apps
* Remove whole program optimisation
2014-02-26 17:14:14 +10:00
OJ
10829299f5
Add make support for command line builds
2014-02-26 16:40:54 +10:00
OJ
eb3da1ce87
Editbin and post build steps
2014-02-26 16:36:55 +10:00
OJ
712f47cb4e
Remove Palm configuration from bypassuac config
2014-02-26 16:07:22 +10:00
OJ
9159512a3d
Fix VS 2013 build, remove old files, rejig project config
...
This wasn't building cleanly for a few reasons with VS 2013 on my desktop.
This commit fixes this problems with the configuration and makes things fit
with the way we're now doing things (ie. output locations, etc).
Incremental builds are disabled as they were causing problems, but this isn't
a concern for a project as small as this.
2014-02-26 16:05:24 +10:00
OJ
d37774e12d
Remove ARM config, add build to make for all exploits
2014-02-26 10:57:15 +10:00
Meatballs
8bdb22aeb9
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
...
Conflicts:
lib/msf/core/post/windows.rb
2014-02-25 22:15:05 +00:00
David Maloney
289580777c
remove unneccsary logging elements
...
update soloutions for VS2013
remove the CLogger
Remove Print Usage
this removes unneccsary strings that can
be used to easily identify our executable
2014-02-20 20:00:19 -06:00
root
b4a22aa25d
hidden bind shell payload
2014-02-20 16:19:40 +01:00
jvazquez-r7
1f0020a61c
Land #2946 , @jlee-r7's optimization of the x86 block_api code
2014-02-11 15:00:00 -06:00
Spencer McIntyre
0ac1acda70
Upgrade toolchain to Visual Studio 2013 v120.
2014-02-10 09:35:07 -05:00
Spencer McIntyre
01f41a209c
Remove the DLL and add make.msbuild for easier compiling.
2014-02-07 10:05:05 -05:00
Spencer McIntyre
f686385349
Remove an unnecessary VS file and modify version check.
2014-02-07 08:45:51 -05:00
Spencer McIntyre
cc32c877a9
Add CVE-2013-3881 win32k Null Page exploit
2014-02-06 17:23:38 -05:00
James Lee
c70680cf1c
Fix infinite-retry bug
...
Derp, block_api clobbers ecx
2014-02-04 11:59:16 -06:00
James Lee
9c3664bd45
Unify reverse_http and reverse_https
...
This will make copy-pasta less painful in the future. There's still the
problem of reverse_https_proxy being very similar, but the logic in how
it gets generated in the module is more than i want to tackle right now
2014-02-04 09:09:12 -06:00
James Lee
6d53570c22
Fix abysmal mixed indentedness.
2014-02-03 11:39:03 -06:00
James Lee
c29c6be212
Shave 3 bytes off of block_api
2014-02-03 11:34:41 -06:00
James Lee
bfc0ac4dd4
Golf a few bytes off of reverse_http(s)
2014-02-03 11:33:55 -06:00
jvazquez-r7
a056d937e7
Fluch data cache and improve documentation
2014-01-14 14:06:01 -06:00
jvazquez-r7
a8806887e9
Add support for MIPS reverse shell staged payloads
2014-01-14 12:25:11 -06:00
Meatballs
ea349e6618
Rm redundant solution file
2013-12-20 16:03:08 +00:00
OJ
0db062a1ce
Merge branch 'meatballs-vncdll-submodule'
2013-12-20 18:29:27 +10:00
OJ
0ebef33345
Quick fix to x64 kitrap0d project
...
Stops errors on debug builds, not that anyone cares.
2013-12-20 09:51:24 +10:00
OJ
34cdec5155
Update project VS 2013, clean CLI build
...
* Project system updated to VS 2013.
* Clean builds, had to remove a bunch of warnings.
* `make.bat` for building from the command line.
* Removed RDI stuff that shouldn't be there any more.
* Renamed the x86 DLL to include the platform name.
2013-12-20 09:49:15 +10:00
OJ
e22b4ba88c
Add make script for nvidia nvsvc
2013-12-15 01:12:49 +00:00
OJ
0c82817445
Final changes before PR
2013-12-15 01:12:49 +00:00
OJ
db29af0f97
First batch of submodule refactorings
2013-12-15 01:12:48 +00:00
Meatballs
be4dae7db9
Forgot C changes
2013-12-15 01:12:48 +00:00
Meatballs
c6623b380a
Initial commit
2013-12-15 01:12:45 +00:00
Meatballs
ab1ddac0c8
Merge remote-tracking branch 'upstream/master' into submodule
...
Conflicts:
external/source/exploits/cve-2013-3660/dll/reflective_dll.vcxproj
2013-12-08 18:25:03 +00:00
Meatballs
496b017e33
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
2013-12-05 17:09:32 +00:00
Meatballs
dc0f2b7291
Use ExitProcess
2013-12-05 17:08:47 +00:00
Meatballs
6edd9aa736
Update for new ReflectiveDLL Submodule
2013-11-30 20:12:08 +00:00
Meatballs
cf12826d2c
Dont use xp toolchain
...
and dont bother editbin
2013-11-30 20:04:00 +00:00
Meatballs
d3a0199539
Update for new Reflective DLL Submodule
...
Update to VS2013 Toolsets
Include .msbuild and make.bat
Tidyup of if { }
Post build step to copy to output directory
2013-11-30 19:58:25 +00:00
Meatballs
915d741f86
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
...
Conflicts:
.gitmodules
external/source/ReflectiveDLLInjection
2013-11-30 19:10:04 +00:00
Meatballs
57342a9c0c
Merge remote-tracking branch 'upstream/master' into submodule
...
Conflicts:
.gitmodules
external/source/ReflectiveDLLInjection
2013-11-30 19:07:54 +00:00
OJ
defc0ebe5c
ppr_flatten_rec update, RDI submodule, and refactor
...
This commit contains a few changes for the ppr_flatten_rec local windows
exploit. First, the exploit binary itself:
* Updated to use the RDI submodule.
* Updated to build with VS2013.
* Updated to generate a binary called `ppr_flatten_rc.x86.dll`.
* Invocation of the exploit requires address of the payload to run.
Second, the module in MSF behaved a little strange. I expected it to create
a new session with system privs and leave the existing session alone. This
wasn't the case. It used to create an instance of notepad, migrate the
_existing_ session to it, and run the exploit from there. This behaviour
didn't seem to be consistent with other local exploits. The changes
include:
* Existing session is now left alone, only used as a proxy.
* New notepad instance has exploit reflectively loaded.
* New notepad instance has payload directly injected.
* Exploit invocation takes the payload address as a parameter.
* A wait is added as the exploit is slow to run (nature of the exploit).
* Payloads are executed on successful exploit.
2013-11-27 20:44:18 +10:00