Commit Graph

1113 Commits (33e134418a0900835772999b04106755b9ce0037)

Author SHA1 Message Date
Brent Cook 59086af261 Land #8771, rewrite linux x64 stagers with Metasm 2017-08-14 02:32:29 -04:00
tkmru f961d7da13 update src 2017-07-29 21:08:52 +09:00
tkmru 6c5d8279ca change to generate payload from metasm 2017-07-16 19:21:09 +09:00
tkmru 4e046db9b3 add retry to linux reverse tcp x86 2017-07-14 12:47:32 +09:00
tkmru 62533509c6 fit source to shellcode prev change 2017-07-12 16:26:00 +09:00
Tim db8698e82b Land #8655, add error handling to mipsle linux reverse tcp stager 2017-07-11 22:33:54 +08:00
Tim b9f5ebcf66 update comment 2017-07-11 00:58:03 +08:00
Tim 75c571de83 Land #8653, add error handling to mipsbe linux reverse tcp stager 2017-07-09 19:36:15 +08:00
Tim cd0c2c213f pedantic tweaks 2017-07-09 19:36:03 +08:00
tkmru a4a959266b update cachedSize 2017-07-06 17:43:27 +09:00
tkmru adeffd6600 add error handling to stager_sock_reverse src on mipsle 2017-07-06 17:07:11 +09:00
tkmru 2d8a71de6f tab to space 2017-07-05 18:22:06 +09:00
tkmru d02d6826a9 fix reverse tcp stager src 2017-07-05 17:56:59 +09:00
tkmru d1f08a80bd add error handling to reverse_tcp on mipsbe 2017-07-05 17:50:49 +09:00
tkmru 084b211e9b add x64 stager_sock_reverse src 2017-06-25 16:31:37 +09:00
Tim 03116d7933 Land #8543, add error handling to ARM linux reverse tcp stager 2017-06-18 15:38:16 +08:00
Tim 210a4cb299 fix indent 2017-06-18 15:35:23 +08:00
tkmru 1773a5f188 fix indent 2017-06-16 15:57:09 +09:00
Tim 9cf9d22bae fix mmap return cmp 2017-06-16 06:26:40 +08:00
RaMMicHaeL f17b28930d Update executex64.asm 2017-06-04 13:18:50 +03:00
RaMMicHaeL ca5b20f4d0 Fixed an elusive bug on AMD CPUs
Details:
http://blog.rewolf.pl/blog/?p=1484
rwfpl/rewolf-wow64ext@8771485
2017-06-03 11:30:11 +03:00
zerosum0x0 bdf121e1c0 x86 kernels will safely ret instead of BSOD 2017-05-17 23:48:14 -06:00
zerosum0x0 4f3a98d434 add arch detection to shellcode 2017-05-17 23:36:17 -06:00
zerosum0x0 a5c391dae2 multi-arch ring0->ring3 shellcode .asm file (work in progress) 2017-05-17 23:29:05 -06:00
Brent Cook 176e88f293 Land #7835, Add Windows Local Privilege Escalation exploit stub 2017-03-08 06:20:58 -05:00
William Webb 83cc28a091 Land #7972, Microsoft Office Word Macro Generator OS X Edition 2017-02-21 13:26:42 -06:00
wchen-r7 3d269b46ad Support OS X for Microsoft Office macro exploit 2017-02-16 12:28:11 -06:00
OJ 1c62559e55 Add v1 of SQL Clr stored proc payload module 2017-02-10 10:28:22 +10:00
wchen-r7 ccaa783a31 Add Microsoft Office Word Macro exploit 2017-02-02 17:44:55 -06:00
OJ b6e882c8eb Add a Windows LPE exploit template for x64/x86 2017-01-17 11:20:14 +10:00
OJ 32173b9701 Move execute_payload to the kernel lib 2017-01-17 11:19:26 +10:00
Brent Cook 2585c8c8b5 Land #7461, convert futex_requeue (towelroot) module to use targeting and core_loadlib 2017-01-11 13:24:25 -06:00
Tim 25a8283af3 fork early and use WfsDelay 2016-12-20 00:59:27 +08:00
Tim f1efa760df more fixes 2016-12-20 00:52:11 +08:00
Tim e6d4c0001c hide debug printing 2016-12-20 00:52:11 +08:00
Tim 7ac3859393 convert futex_requeue module to use targeting and core_loadlib 2016-12-20 00:52:11 +08:00
Tim 3afa20a1af fix double \n in printf 2016-12-13 17:02:23 +08:00
Tim fe9972cc25 fork early and use WfsDelay 2016-12-13 17:02:23 +08:00
Tim 891fccb4e2 add pattern for GT-S7392 2016-12-13 17:02:23 +08:00
Tim 07ce7f3aed fix make run 2016-12-13 17:02:23 +08:00
Tim 9ece45a180 don't exit(0) when exploit fails 2016-12-13 17:02:23 +08:00
Tim ebf7ae0739 add CVE-2013-6282, put_user/get_user exploit for Android 2016-12-13 17:02:23 +08:00
William Webb 31b593ac67 Land #7402, Add Linux local privilege escalation via overlayfs 2016-11-01 12:46:40 -05:00
h00die 0d1fe20ae5 revamped 2016-10-15 20:57:31 -04:00
h00die 12493d5c06 moved c code to external sources 2016-10-13 20:37:03 -04:00
RageLtMan 36b989e6d7 Initial import of .NET compiler and persistence
Add Exploit::Powershell::DotNet namespace with compiler and
runtime elevator.

Add compiler modules for payloads and custom .NET code/blocks.

==============

Powershell-based persistence module to compile .NET templates
with MSF payloads into binaries which persist on host.
Templates by @hostess (way back in 2012).

C# templates for simple binaries and a service executable with
its own install wrapper.

==============

Generic .NET compiler post module

Compiles .NET source code to binary on compromised hosts.
Useful for home-grown APT deployment, decoy creation, and other
misdirection or collection activities.

Using mimikatz (kiwi), one can also extract host-resident certs
and use them to sign the generated binary, thus creating a
locally trusted exe which helps with certain defensive measures.

==============

Concept:

Microsoft has graciously included a compiler in every modern
version of Windows. Although executables which can be easily
invoked by the user may not be present on all hosts, the
shared runtime of .NET and Powershell exposes this functionality
to all users with access to Powershell.

This commit provides a way to execute the compiler entirely in
memory, seeking to avoid disk access and the associated forensic
and defensive measures. Resulting .NET assemblies can be run
from memory, or written to disk (with the option of signing
them using a pfx cert on the host). Two basic modules are
provided to showcase the functionality and execution pipeline.

Usage notes:

Binaries generated this way are dynamic by nature and avoid sig
based detection. Heuristics, sandboxing, and other isolation
mechanisms must be defeated by the user for now. Play with
compiler options, included libraries, and runtime environments
for maximum entropy before you hit the templates.

Defenders should watch for:
Using this in conjunction with WMI/PS remoting or other MSFT
native distributed execution mechanism can bring malware labs
to their knees with properly crafted templates.
The powershell code to generate the binaries also provides a
convenient method to leave behind complex trojans which are not
yet in binary form, nor will they be until execution (which can
occur strictly in memory avoiding disk access for the final
product).

==============

On responsible disclosure: I've received some heat over the years
for prior work in this arena. Everything here is already public,
and has been in closed PRs in the R7 repo for years. The bad guys
have had this for a while (they do their homework religiously);
defenders need to be made aware of this approach and prepare
themselves to deal with it.
2016-10-08 14:05:53 -05:00
OJ 0e82ced082
Add LPE exploit module for the capcom driver flaw
This commit includes:

* RDI binary that abuses the SMEP bypass and userland function pointer
  invocation that is provided by the driver.
* Related metasploit module.
* Associated make.build to build from command line.
* Updated command line build file.

This also includes the beginnings of a new set of functions that help
with the management/automation of kernel-related work on Windows for
local priv esc exploits.
2016-09-27 22:37:45 +10:00
William Webb 21e6211e8d add exploit for cve-2016-0189 2016-08-01 13:26:35 -05:00
Pearce Barry 7b1d9596c7 Land #7068, Introduce 'mettle' - new POSIX meterpreter 2016-07-11 22:38:40 -05:00
William Webb b4b3a84fa5 refactor ms16-016 code 2016-07-05 20:50:43 -05:00