cefbee2df4
Add PoC for OpenOffice macro module
2017-02-07 10:12:23 -06:00
ccaa783a31
Add Microsoft Office Word Macro exploit
2017-02-02 17:44:55 -06:00
fb74b2d8f3
initial commit of finished product
2017-01-20 11:01:36 -06:00
24f7959805
add binary for futex_requeue
2017-01-11 13:25:30 -06:00
2585c8c8b5
Land #7461 , convert futex_requeue (towelroot) module to use targetting and core_loadlib
2017-01-11 13:24:25 -06:00
2652f347fa
add module binary
2016-12-22 03:25:10 -06:00
e6d4c0001c
hide debug printing
2016-12-20 00:52:11 +08:00
1dae206fde
Land #7379 , Linux Kernel BPF Priv Esc (CVE-2016-4557)
2016-11-11 16:50:20 -06:00
268a72f210
Land #7193 Office DLL hijack module
2016-11-08 23:15:27 -06:00
3c1f642c7b
Moved PPSX to data/exploits folder
2016-11-08 16:04:46 +01:00
31b593ac67
Land #7402 , Add Linux local privilege escalation via overlayfs
2016-11-01 12:46:40 -05:00
d918e25bde
Land #7439 , Add Ghostscript support to ImageMagick Exploit
2016-10-28 17:07:13 -05:00
43fd0a8813
Land #7436 , Put Rex-exploitation Gem Back
2016-10-18 16:03:54 -05:00
0d1fe20ae5
revamped
2016-10-15 20:57:31 -04:00
9fbe1ddd9d
Land #7384 , CVE-2016-6415 - Cisco IKE Information Disclosure
2016-10-14 08:41:34 -05:00
9b15899d91
Add PS template
2016-10-13 17:40:15 -05:00
6f4f2bfa5f
Add PS target and remove MIFF
2016-10-13 17:39:55 -05:00
7894d5b2c1
Revert "Revert "use the new rex-exploitation gem""
...
This reverts commit f3166070ba
2016-10-11 17:40:43 -05:00
d1a11f46e8
Land #7418 , Linux recvmmsg Priv Esc (CVE-2014-0038)
2016-10-09 18:37:52 -05:00
2dfebe586e
working cve-2014-0038
2016-10-08 23:58:09 -04:00
f3166070ba
Revert "use the new rex-exploitation gem"
...
This reverts commit 52f6265d2e
2016-10-08 21:55:16 -05:00
52f6265d2e
use the new rex-exploitation gem
...
use the new rex-exploitation gem instead of the packaged in lbirary code
cleans up a huge ammount of space in framework
MS-1709
2016-10-05 09:05:27 -05:00
27cf5c65c4
working module
2016-10-04 23:21:53 -04:00
7368b995f2
CVE-2016-6415 Cisco - sendpacket.raw
2016-09-29 22:24:55 -05:00
c036c258a9
cve-2016-4557
2016-09-29 05:23:12 -04:00
0e82ced082
Add LPE exploit module for the capcom driver flaw
...
This commit includes:
* RDI binary that abuses the SMEP bypass and userland function pointer
invocation that is provided by the driver.
* Related metasploit module.
* Associated make.build to build from command line.
* Updated command line build file.
This also includes the beginnings of a new set of functions that help
with the management/automation of kernel-related work on Windows for
local priv esc exploits.
2016-09-27 22:37:45 +10:00
23e5556a4c
binary drops work!
2016-09-24 21:31:00 -04:00
21e6211e8d
add exploit for cve-2016-0189
2016-08-01 13:26:35 -05:00
322fc11225
Fix whitespace
2016-07-27 12:37:14 -05:00
dbe31766af
Update CVE-2016-0099 Powershell
2016-07-27 12:35:43 -05:00
b08d1ad8d8
Revert "Land #6812 , remove broken OSVDB references"
...
This reverts commit 2b016e02167b1d9596c7
2016-07-15 12:00:31 -05:00
8f928c6ca1
Land #7006 , Add MS16-032 Local Priv Esc Exploit
2016-07-12 15:22:35 -05:00
621f3fa5a9
Change naming style
2016-07-12 15:18:18 -05:00
2b016e0216
Land #6812 , remove broken OSVDB references
2016-07-11 22:59:11 -05:00
b4b3a84fa5
refactor ms16-016 code
2016-07-05 20:50:43 -05:00
df1a9bee13
Move ps1, Use Env var, Fix license, New Cleanup
...
MS16-032 ps1 moved to external file. This ps1 will now detect windir
to find cmd.exe. The module now also detects windir to find
powershell.exe. The license is now BSD_LICENSE, and the required
copyright has been moved to the ps1. The previous optional cleanup stage
is now standard. The optional 'W_PATH' assignment is corrected to
select the user's variable unless 'W_PATH' is nil.
2016-06-22 09:25:48 -04:00
ab27c1b701
Merge pull request #6940 from samvartaka/master
...
Exploit for previously unknown stack buffer overflow in Poison Ivy versions 2.1.x (possibly present in older versions too)
2016-06-08 11:25:51 -05:00
5260031991
Modifications based on suggestions by @wchen-r7
2016-06-08 01:17:15 +02:00
9128ba3e57
Add popen() vuln to ImageMagick exploit
...
So... we've actually been sitting on this vuln for a while now. Now that
the cat's out of the bag [1], I'm updating the module. :)
Thanks to @hdm for his sharp eye. ;x
[1] http://permalink.gmane.org/gmane.comp.security.oss.general/19669
2016-06-02 11:35:37 -05:00
2bac46097f
Remove url() for MVG
...
Technically unnecessary here.
2016-05-05 14:18:42 -05:00
334c432901
Force https://localhost for SVG and MVG
...
https: is all that's needed to trigger the bug, but we don't want wget
and curl to gripe. localhost should be a safe host to request.
2016-05-05 14:18:42 -05:00
decd770a0b
Encode the entire SVG string
...
Because why not? Not like people care about what's around the command.
2016-05-05 14:18:42 -05:00
232cc114de
Change placeholder text to something useful
...
A la Shellshock. :)
2016-05-05 14:18:42 -05:00
5c04db7a09
Add ImageMagick exploit
2016-05-05 14:18:42 -05:00
816bc91e45
Resolve #6807 , remove all OSVDB references.
...
OSVDB is no longer a vulnerability database, therefore all the
references linked to it are invalid.
Resolve #6807
2016-04-23 12:32:34 -05:00
57ab974737
File.exists? must die
2016-04-21 00:47:07 -04:00
e29fc5987f
Add missing stream.raw for hp_sitescope_dns_tool
...
This adds the missing stream.raw.
2016-03-15 11:06:06 -05:00
eb4611642d
Add Jenkins CLI Java serialization exploit module
...
CVE-2015-8103
2015-12-11 14:57:10 -06:00
c7afe4f663
Land #5930 , MS15-078 (atmfd.dll buffer overflow)
2015-09-16 15:33:38 -05:00
9626596f85
Clean template code
2015-09-12 13:43:05 -05:00
53f995b9c3
Do first prototype
2015-09-10 19:35:26 -05:00
122d57fc20
Land #5945 , Add auto-accept to osx/enum_keychain
2015-09-08 10:56:08 -05:00
1b320bae6a
Add auto-accept to osx/enum_keychain.
2015-09-07 21:17:49 -05:00
b39575928e
Update reflective exploit
2015-09-03 11:01:41 -05:00
b912e3ce65
Add exploit template
2015-09-02 17:28:35 -05:00
4090c2c8ea
Land #5880 , adds ScriptHost UAC bypass for Win7/2008
2015-09-02 14:14:18 -05:00
9364982467
Land #5665 , Add osx rootpipe entitlements exploit for 10.10.3
2015-08-28 13:33:16 -05:00
11db9c2112
Land #5896 , Update ms15_004_tswbproxy to use a Reflective DLL
2015-08-27 17:11:26 -05:00
a2d5511e39
Land #5379 , new post modules to load into powershell sessions
2015-08-26 17:11:40 -05:00
5d0ed797a3
Update DLL
2015-08-26 15:15:32 -05:00
228087dced
Initial working scripthost bypass uac
2015-08-23 20:16:15 +01:00
129edd8b2e
Original bypass script
2015-08-23 19:46:24 +01:00
d54249370b
Move tpwn source to external/source/exploits
2015-08-17 18:27:47 -05:00
efc980074c
Add tpwn exploit files
2015-08-17 17:11:07 -05:00
7113c801b1
Land #5732 , reliability update for adobe_flash_hacking_team_uaf
2015-07-17 16:43:39 -05:00
255d8ed096
Improve adobe_flash_opaque_background_uaf
2015-07-16 14:56:32 -05:00
a637921305
Update swf
2015-07-15 18:35:41 -05:00
b504f0be8e
Update adobe_flash_hacking_team_uaf
2015-07-15 18:18:04 -05:00
299978d0e2
Put again old exploiter
2015-07-11 00:36:32 -05:00
63005a3b92
Add module for flash CVE-2015-5122
...
* Just a fast port for the exploit leaked
* Just tested on win7sp1 / IE11
2015-07-11 00:28:55 -05:00
3d630de353
Replace with a real CVE number
2015-07-07 14:44:12 -05:00
d9aacf2d41
Add module for hacking team flash exploit
2015-07-07 11:19:48 -05:00
c993c70006
Remove sleep(), clean up WritableDir usage.
2015-07-05 18:59:00 -05:00
a8b56bb44a
Oops, need to include the binary files.
2015-07-05 18:24:45 -05:00
1de94a6865
Add module for CVE-2015-3113
2015-07-01 13:13:57 -05:00
ee0377ca16
Add module for CVE-2015-3105
2015-06-25 13:35:01 -05:00
ae41f2bfa0
Update exploit binaries for ms15-051
2015-06-25 09:33:15 +10:00
3686accadd
Merge branch 'upstream/master' into cve-2015-1701
2015-06-22 07:52:17 +10:00
de1542e589
Add module for CVE-2015-3090
2015-06-18 12:36:14 -05:00
17b8ddc68a
Land #5524 , adobe_flash_pixel_bender_bof in flash renderer
2015-06-15 02:42:16 -05:00
72672fc8f7
Delete debug
2015-06-11 17:39:36 -05:00
8ed13b1d1b
Add linux support for CVE-2014-0515
2015-06-11 16:18:50 -05:00
ae21b0c260
Land #5523 , adobe_flash_domain_memory_uaf in the flash renderer
2015-06-10 16:59:19 -05:00
4c5b1fbcef
Land #5522 , adobe_flash_worker_byte_array_uaf in the flash renderer
2015-06-10 14:49:41 -05:00
7527aa4f34
Disable debug
2015-06-10 14:07:18 -05:00
6c7ee10520
Update to use the new flash Exploiter
2015-06-10 13:52:43 -05:00
7fba64ed14
Allow more search space
2015-06-10 12:26:53 -05:00
ecbddc6ef8
Play with memory al little bit better
2015-06-10 11:54:57 -05:00
d622c782ef
Land #5519 , adobe_flash_uncompress_zlib_uninitialized in the flash renderer
2015-06-10 11:52:47 -05:00
2b4fe96cfd
Tweak Heap Spray
2015-06-10 10:56:24 -05:00
a6fe383852
Use AS Exploiter
2015-06-10 09:32:52 -05:00
e5d6c9a3cb
Make last code cleanup
2015-06-09 16:01:57 -05:00
cf8c6b510b
Debug version working
2015-06-09 15:46:21 -05:00
39851d277d
Unset debug flag
2015-06-09 11:36:09 -05:00
b7f0fad72f
Modify CVE-2014-0569 to use the flash exploitation code
2015-06-09 11:31:39 -05:00
b291d41b76
Quick hack to remove hard-coded offsets
2015-06-05 13:19:41 +10:00
02181addc5
Update CVE-2014-0556
2015-06-04 18:23:50 -05:00
23df66bf3a
Land #5481 , no powershell. exec shellcode from the renderer process.
2015-06-04 15:45:09 -05:00
ab68d8429b
Add more targets
2015-06-04 12:11:53 -05:00
80cb70cacf
Add support for Windows 8.1/Firefox
2015-06-03 22:46:04 -05:00
wchen-r7
William Webb
Brent Cook
Tim
Pearce Barry
scriptjunkie
Yorick Koster
dmohanty-r7
h00die
William Vu
David Maloney
nixawk
OJ
khr0x40sh
samvartaka
l0gan
jvazquez-r7
joev
HD Moore
Meatballs
Tod Beardsley