Commit Graph

20804 Commits (3d6b3a4e212bdddc96ccc4818ed80831312290ea)

Author SHA1 Message Date
Tod Beardsley 3d6b3a4e21
Empty commit to try to sober up Travis-CI
Travis, you're drunk. You need help. Don't try to build f123cd1, because
that commit doesn't exist.

Try this one, it'll make you feel better.
2013-10-02 16:58:01 -05:00
Tod Beardsley 36d058b28c
Warn for tabbed indentation 2013-10-01 12:22:46 -05:00
sinn3r 9abf727fa6 Land #2439 - Update description 2013-09-30 16:03:15 -05:00
sinn3r 7118f7dc4c Land #2422 - rm methods peer & rport
Because they're already defined in the HttpClient mixin
2013-09-30 16:01:59 -05:00
Brandon Turner 3cfee5a7c0
Land #2440, remaining tabassassin changes 2013-09-30 14:30:50 -05:00
jvazquez-r7 6c8f86883d
Land #2437, @wchen-r7's exploit for CVE-2013-3893 2013-09-30 14:02:29 -05:00
Tab Assassin 2e8d19edcf Retab all the things (except external/) 2013-09-30 13:47:53 -05:00
Tab Assassin 0ecba377f5 Avoid retabbing things in .git/ 2013-09-30 13:45:34 -05:00
Tod Beardsley 4dc88cf60f Expand descriptions for ease of use. 2013-09-30 13:30:31 -05:00
sinn3r c82ed33a95 Forgot Math.cos() 2013-09-30 13:29:16 -05:00
sinn3r d6cd0e5c67 Tweak for office 2007 setup 2013-09-30 13:27:59 -05:00
sinn3r ecf4e923e8 Change the target address for spray 1 2013-09-30 11:57:59 -05:00
Tod Beardsley 9ada96ac51
Fix sqlmap accidental codepoint
See http://www.ruby-doc.org/core-1.9.3/String.html#method-i-3C-3C

Apparently, String#<< uses Integer#chr, not Integer#to_s. News to me.

Fixed originally by @TsCl in PR #2435, but fixing seperately in order to
avoid screwing up his downstream tracking. Note, this isn't a merge, so
using Closes tag on the commit message.

[Closes #2435]
2013-09-30 11:23:17 -05:00
Tod Beardsley bce2f12375
Land #2436, Fixups to AlwaysInstallElevated 2013-09-30 11:12:06 -05:00
sinn3r b9aae1c93c Higher address seems better 2013-09-29 18:45:30 -05:00
sinn3r a5ade93ab2 Add CVE-2013-3893 Internet Explorer SetMouseCapture Use-After-Free
This module exploits a use-after-free vulnerability that currents
targets Internet Explorer 9 on Windows 7, but the flaw should exist in
versions 6/7/8/9/10/11. It was initially found in the wild in Japan, but
other regions such as English, Chinese, Korean, etc, were targeted as
well.

The vulnerability is due to how the mshtml!CDoc::SetMouseCapture function
handles a reference during an event. An attacker first can setup two
elements, where the second is the child of the first, and then setup a
onlosecapture event handler for the parent element. The onlosecapture
event seems to require two setCapture() calls to trigger, one for the parent
element, one for the child. When the setCapture() call for the child element
is called, it finally triggers the event, which allows the attacker to cause
an arbitrary memory release using document.write(), which in particular frees
up a 0x54-byte memory. The exact size of this memory may differ based on the
version of IE. After the free, an invalid reference will still be kept and pass
on to more functions, eventuall this arrives in function
MSHTML!CTreeNode::GetInterface, and causes a crash (or arbitrary code execution)
when this function attempts to use this reference to call what appears to be a
PrivateQueryInterface due to the offset (0x00).

To mimic the same exploit found in the wild, this module will try to use the
same DLL from Microsoft Office 2007 or 2010 to leverage the attack.
2013-09-29 18:24:13 -05:00
Meatballs b306415ecf
Tidy and updates to info 2013-09-29 17:32:39 +01:00
Meatballs 29a7059eb4
Update AlwaysInstallElevated to use a generated MSI file
Fixes bugs with MSI::UAC option, invalid logic and typo...
2013-09-29 17:09:03 +01:00
Tod Beardsley 2fb770f73e
Land #1569, MSI payloads
The bins are signed by Meatballs, everything looks good here, so
landing. Thanks for your patience on these!
2013-09-27 16:29:27 -05:00
Tod Beardsley 7cc2ad55a6
Land #1770, unattend.xml snarfing modules 2013-09-27 16:04:38 -05:00
Tod Beardsley 63d638888d Get rid of interior tabs 2013-09-27 16:04:03 -05:00
Tod Beardsley d869b1bb70 Unless, unless everywhere. 2013-09-27 15:55:57 -05:00
Tod Beardsley ae655e42d2 Touchups: boolean check, unless, and TODO comment 2013-09-27 15:54:03 -05:00
Tod Beardsley 37e4d58f4a Call CSV text/plain so it can be viewed normally
Otherwise, things parsing through the loot table will treat it as binary
data, and not display it in a normal texty way, even though it's totally
readable with just a little squinting.
2013-09-27 15:48:48 -05:00
Tod Beardsley 5e77dccd48 Add a ref to an example unattend.xml 2013-09-27 15:45:57 -05:00
Meatballs 8aeb134581
Retab... 2013-09-27 20:40:16 +01:00
Meatballs 6ca01adf1d
Merge branch 'master' into msi_payload
Conflicts:
	lib/msf/util/exe.rb
2013-09-27 20:37:40 +01:00
Meatballs 34c443f346
Forgot msi-nouac 2013-09-27 20:36:00 +01:00
Meatballs c366726d2d
Land #2432, Fix bad tabs
Episode II: Tabassassin strikes again

[Closes #2432]
2013-09-27 20:27:43 +01:00
Meatballs1 7808da04b8 Merge pull request #27 from todb-r7/respec-1770-unattended
Respec 1770 unattended
2013-09-27 12:05:14 -07:00
Meatballs e806047411
Add MSI bins 2013-09-27 20:03:19 +01:00
Meatballs 8a9843cca6
Merge upstream/master 2013-09-27 20:02:23 +01:00
Tabassassin 120cca8bb3 Retab unattended_spec to avoid conflicts 2013-09-27 13:44:33 -05:00
Tab Assassin c94e8a616f Retabbed to catch new bad tabs 2013-09-27 13:34:13 -05:00
Tod Beardsley 5bab85fcda Use a context for #parse 2013-09-27 13:04:18 -05:00
Tod Beardsley 6345fb2788 Use described_class 2013-09-27 12:59:10 -05:00
Meatballs 9fde8bee2b Merge branch 'master' of github.com:rapid7/metasploit-framework into upstream-master 2013-09-27 18:12:17 +01:00
Tod Beardsley 7d9d98c9eb
Land #2421, update to cookie parsing specs 2013-09-27 11:45:33 -05:00
Tod Beardsley 869c10af04
Land #2396, aspx-exe shellcode generator
Looks good to me, specs are all happy (also added a #to_h spec)
2013-09-27 11:42:16 -05:00
Meatballs d66269a559
Land #2428, Updated Meterpreter Bins
Fix crashes for kitrap0d and XPSP0

[Closes #2428]
2013-09-27 17:38:08 +01:00
Tod Beardsley 8f957a5394 Add spec for new #to_h method 2013-09-27 11:27:31 -05:00
Christian Mehlmauer 45f52b580d Merge pull request #3 from todb-r7/pr-2421-more-descriptive-rspec
PR #2421 More descriptive rspec
2013-09-27 08:28:20 -07:00
Tod Beardsley 103a64a32a Indent like a sane person. 2013-09-27 10:22:46 -05:00
Tod Beardsley 623aeb367f Set a context for #get_cookies 2013-09-27 10:12:11 -05:00
Tod Beardsley 467c503fb9 DRY with a cookie_sanity_check method 2013-09-27 10:07:28 -05:00
Tod Beardsley 5e95df1370 Convert local variables to HEREDOC methods 2013-09-27 10:02:22 -05:00
Tod Beardsley 57862125b9 Use shuffle and *splat operator to test arrays
Also, move the local variables to inside the describe block to avoid any
future scope issues.
2013-09-27 09:53:04 -05:00
jvazquez-r7 58600b6475
Land #2423, @TecR0c's exploit for OSVDB 96517 2013-09-27 09:48:52 -05:00
jvazquez-r7 6381bbfd39 Clean up freeftpd_pass 2013-09-27 09:47:39 -05:00
Tod Beardsley 0aa2556dfc Use described_class, not a new constant 2013-09-27 09:32:15 -05:00