Commit Graph

20826 Commits (39eb20e33a9b94042250c2cce821be2d2e0f4c30)

Author SHA1 Message Date
jvazquez-r7 39eb20e33a Add module for ZDI-13-169 2013-10-03 16:52:20 -05:00
jvazquez-r7 0db93111de
Land #2445, @todb-r7's new tab warning for msftidy 2013-10-02 17:19:12 -05:00
Tabassassin 773abf0567
Pow, tab assassinated. 2013-10-02 17:16:38 -05:00
Tod Beardsley 3d6b3a4e21
Empty commit to try to sober up Travis-CI
Travis, you're drunk. You need help. Don't try to build f123cd1, because
that commit doesn't exist.

Try this one, it'll make you feel better.
2013-10-02 16:58:01 -05:00
sinn3r 427b4b262a Land #2441 - Update .mailmap 2013-10-02 13:20:08 -05:00
Tod Beardsley 40c313b711
Land #2450, fix UDPSweep modules for Windows 2013-10-02 12:29:52 -05:00
jvazquez-r7 758fd02619 Windows 7 SP1 and newer fail when forcing IPv6 sockets 2013-10-02 09:45:51 -05:00
jvazquez-r7 7436ea0281
Land #2449, @wchen-r7's references update 2013-10-02 08:17:12 -05:00
James Lee 56b6f0be02 Add bins for #2443
See #740 and meterpreter#26
2013-10-01 23:47:24 -05:00
James Lee 9436b6df08
Land #2443, railgun error messages
See #740 and meterpreter#26
2013-10-01 23:44:43 -05:00
sinn3r 23b0c3b723 Add Metasploit blog references
These modules have blogs from the Rapid7 community, we should add them.
2013-10-01 20:50:16 -05:00
sinn3r 932ed0a939 Land #2444 - Add SIEMENS Solid Edge ST4 SEListCtrlX ActiveX Vuln 2013-10-01 20:35:17 -05:00
sinn3r 81365855fc Land #2446 - Use ROP chains from ROPDb
Now that we have successfully imported the Office 2007/2010 ROP chains
to ROPDb, this exploit can be the first to use it.
2013-10-01 20:28:59 -05:00
jvazquez-r7 ed82be6fd8 Use RopDB 2013-10-01 13:23:09 -05:00
jvazquez-r7 981212a034
Land #2442, @wchen-r7's rop chains for Office 2013-10-01 13:21:30 -05:00
Tod Beardsley 36d058b28c
Warn for tabbed indentation 2013-10-01 12:22:46 -05:00
jvazquez-r7 6483c5526a Add module for OSVDB 93696 2013-10-01 11:42:36 -05:00
OJ 82162ef486 Add error message support to railgun
This code was lost in the transition when the meterpreter source was
removed from the metasploit-framework source. I'm pulling this in by
request of @dmaloney-r7 who originally requested this code be inculded
as part of https://github.com/rapid7/metasploit-framework/pull/740

I added an extra bit of code to free up memory that is allocated by the
call to FormatMessage and forced the ASCII-version (FormatMessageA) of
the call.

This PR is the MSF side of https://github.com/rapid7/meterpreter/pull/26
2013-10-01 17:23:08 +10:00
sinn3r 7c6c8291e2 Add ROP chains for Office 2007 and Office 2010 (hxds.dll)
This adds two ROP chains for Office 2007 and Office 2010 based on
hxds.dll.
2013-10-01 01:33:35 -05:00
Tod Beardsley 301c370b68 Add William and alphabetize correctly 2013-09-30 17:04:57 -05:00
sinn3r 9abf727fa6 Land #2439 - Update description 2013-09-30 16:03:15 -05:00
sinn3r 7118f7dc4c Land #2422 - rm methods peer & rport
Because they're already defined in the HttpClient mixin
2013-09-30 16:01:59 -05:00
Tod Beardsley 49187e8a31 Alphabetize for real (case insensitive) 2013-09-30 15:23:20 -05:00
Tod Beardsley 9c4510940f Alphabetize 2013-09-30 15:21:09 -05:00
Tod Beardsley 9610f74ff9 Prefer github usernames 2013-09-30 15:19:56 -05:00
Tod Beardsley 96f7ea7b75
Update bperry and chao-mu in .mailmap 2013-09-30 15:16:21 -05:00
Brandon Turner 3cfee5a7c0
Land #2440, remaining tabassassin changes 2013-09-30 14:30:50 -05:00
jvazquez-r7 6c8f86883d
Land #2437, @wchen-r7's exploit for CVE-2013-3893 2013-09-30 14:02:29 -05:00
Tab Assassin 2e8d19edcf Retab all the things (except external/) 2013-09-30 13:47:53 -05:00
Tab Assassin 0ecba377f5 Avoid retabbing things in .git/ 2013-09-30 13:45:34 -05:00
Tod Beardsley 4dc88cf60f Expand descriptions for ease of use. 2013-09-30 13:30:31 -05:00
sinn3r c82ed33a95 Forgot Math.cos() 2013-09-30 13:29:16 -05:00
sinn3r d6cd0e5c67 Tweak for office 2007 setup 2013-09-30 13:27:59 -05:00
sinn3r ecf4e923e8 Change the target address for spray 1 2013-09-30 11:57:59 -05:00
Tod Beardsley 9ada96ac51
Fix sqlmap accidental codepoint
See http://www.ruby-doc.org/core-1.9.3/String.html#method-i-3C-3C

Apparently, String#<< uses Integer#chr, not Integer#to_s. News to me.

Fixed originally by @TsCl in PR #2435, but fixing seperately in order to
avoid screwing up his downstream tracking. Note, this isn't a merge, so
using Closes tag on the commit message.

[Closes #2435]
2013-09-30 11:23:17 -05:00
Tod Beardsley bce2f12375
Land #2436, Fixups to AlwaysInstallElevated 2013-09-30 11:12:06 -05:00
sinn3r b9aae1c93c Higher address seems better 2013-09-29 18:45:30 -05:00
sinn3r a5ade93ab2 Add CVE-2013-3893 Internet Explorer SetMouseCapture Use-After-Free
This module exploits a use-after-free vulnerability that currents
targets Internet Explorer 9 on Windows 7, but the flaw should exist in
versions 6/7/8/9/10/11. It was initially found in the wild in Japan, but
other regions such as English, Chinese, Korean, etc, were targeted as
well.

The vulnerability is due to how the mshtml!CDoc::SetMouseCapture function
handles a reference during an event. An attacker first can setup two
elements, where the second is the child of the first, and then setup a
onlosecapture event handler for the parent element. The onlosecapture
event seems to require two setCapture() calls to trigger, one for the parent
element, one for the child. When the setCapture() call for the child element
is called, it finally triggers the event, which allows the attacker to cause
an arbitrary memory release using document.write(), which in particular frees
up a 0x54-byte memory. The exact size of this memory may differ based on the
version of IE. After the free, an invalid reference will still be kept and pass
on to more functions, eventuall this arrives in function
MSHTML!CTreeNode::GetInterface, and causes a crash (or arbitrary code execution)
when this function attempts to use this reference to call what appears to be a
PrivateQueryInterface due to the offset (0x00).

To mimic the same exploit found in the wild, this module will try to use the
same DLL from Microsoft Office 2007 or 2010 to leverage the attack.
2013-09-29 18:24:13 -05:00
Meatballs b306415ecf
Tidy and updates to info 2013-09-29 17:32:39 +01:00
Meatballs 29a7059eb4
Update AlwaysInstallElevated to use a generated MSI file
Fixes bugs with MSI::UAC option, invalid logic and typo...
2013-09-29 17:09:03 +01:00
Tod Beardsley 2fb770f73e
Land #1569, MSI payloads
The bins are signed by Meatballs, everything looks good here, so
landing. Thanks for your patience on these!
2013-09-27 16:29:27 -05:00
Tod Beardsley 7cc2ad55a6
Land #1770, unattend.xml snarfing modules 2013-09-27 16:04:38 -05:00
Tod Beardsley 63d638888d Get rid of interior tabs 2013-09-27 16:04:03 -05:00
Tod Beardsley d869b1bb70 Unless, unless everywhere. 2013-09-27 15:55:57 -05:00
Tod Beardsley ae655e42d2 Touchups: boolean check, unless, and TODO comment 2013-09-27 15:54:03 -05:00
Tod Beardsley 37e4d58f4a Call CSV text/plain so it can be viewed normally
Otherwise, things parsing through the loot table will treat it as binary
data, and not display it in a normal texty way, even though it's totally
readable with just a little squinting.
2013-09-27 15:48:48 -05:00
Tod Beardsley 5e77dccd48 Add a ref to an example unattend.xml 2013-09-27 15:45:57 -05:00
Meatballs 8aeb134581
Retab... 2013-09-27 20:40:16 +01:00
Meatballs 6ca01adf1d
Merge branch 'master' into msi_payload
Conflicts:
	lib/msf/util/exe.rb
2013-09-27 20:37:40 +01:00
Meatballs 34c443f346
Forgot msi-nouac 2013-09-27 20:36:00 +01:00