Kent Gruber
7cd532c384
Change targetr to target to fix small typo bug on one failure
...
The target object seems to have a typo where it is referred to as
“targetr” which I’d guess isn’t exactly what we’d like to do in this
case. So, I’ve changed that to “target” in order to work.
So, I’ve simply fixed that small typo.
2017-10-19 19:55:58 -04:00
Wei Chen
c67a5872cd
Land #9055 , Add exploit for Sync Breeze HTTP Server
...
Land #9055
2017-10-13 17:34:03 -05:00
Wei Chen
3a2c6128be
Support automatic targeting
2017-10-13 16:53:22 -05:00
bwatters-r7
294230c455
Land #8509 , add Winsxs bypass for UAC
2017-10-11 16:24:52 -05:00
Wei Chen
a4bc3ea3c2
Merge branch 'pr9032' into upstream-master
...
Land #9032 , Improve CVE-2017-8464 LNK exploit
Land #9032
2017-10-10 17:11:51 -05:00
Mehmet Ince
c14c93d450
Integrate OfficeScan 11 exploitation and fix grammer issues
2017-10-09 22:11:42 +03:00
jakxx
ef282ea154
Sync Breeze HTTP Server v10.0.28 BOF
...
Added support for v10.0.28 to Sync Breeze BOF module
2017-10-09 13:50:24 -04:00
bwatters-r7
fc5ab96ad6
Merging to prep for testing
...
Merge branch 'master' of github.com:rapid7/metasploit-framework into upstream-master
2017-10-09 10:31:30 -05:00
bwatters-r7
7df18e378d
Fix conflicts in PR 8509 by mergeing to master
2017-10-09 10:30:21 -05:00
Mehmet Ince
79c9123261
Adding Trend Micro OfficeScan widget rce module
2017-10-08 17:54:18 +03:00
William Webb
d9e0d891a1
Land #9010 , Remove checks for hardcoded SYSTEM account name
2017-10-06 13:42:18 -05:00
Brent Cook
9d2e8b1e4d
Land #8003 , Evasions for delivering nops/shellcode into memory
2017-10-05 16:44:36 -05:00
Spencer McIntyre
482ce005fd
Update the advanced option names and a typo
2017-10-05 10:11:00 -04:00
William Vu
10dafdcb12
Fix #9036 , broken refs in bypassuac_comhijack
...
Each ref needs to be an individual array.
2017-10-03 13:36:29 -05:00
ashish gahlot
9ff6efd3a3
Remove broken link
2017-10-02 20:43:55 +05:30
Spencer McIntyre
f2f48cbc8f
Update the CVE-2017-8464 module
2017-09-30 18:25:16 -04:00
Christian Mehlmauer
41e3895424
remove checks for hardcoded name
2017-09-27 07:41:06 +02:00
Pearce Barry
e8eeb784e4
Land #8960 , spelling/grammar fixes part 3
2017-09-22 18:51:31 -05:00
Pearce Barry
8de6fa79c1
Tweakz, yo.
2017-09-22 18:49:09 -05:00
h00die
c90f885938
Finished spelling issues
2017-09-17 16:00:04 -04:00
William Webb
d5362333e2
Land #8958 , Add Disk Pulse Enterprise web server buffer overflow
2017-09-15 13:34:22 -05:00
h00die
30f833f684
80 pages left
2017-09-13 22:03:34 -04:00
loftwing
52385f4d9e
fix formatting to fit rubocop
2017-09-13 11:46:57 -05:00
loftwing
b8c40a9d95
Clean up formatting
2017-09-13 11:13:33 -05:00
loftwing
3c204f91ef
Correct module title
2017-09-13 11:02:13 -05:00
loftwing
65f2ee9109
added generate_seh_record
2017-09-13 10:56:32 -05:00
loftwing
7db506887b
Add exploit code
2017-09-13 10:36:36 -05:00
loftwing
eb0d174987
Add disk_pulse_enterprise_get module
2017-09-13 10:19:24 -05:00
Pearce Barry
7b87915e1f
Land #8923 , Add additional error checking to mssql_clr_payload module
2017-09-11 17:39:33 -05:00
Tod Beardsley
5f66b7eb1a
Land #8940 , @h00die's second round of desc fixes
...
One ninja edit along the way as well.
2017-09-11 13:05:13 -05:00
Tod Beardsley
cfbd3c1615
Fix spelling of Honeywell
2017-09-11 13:02:18 -05:00
james
ba880d1a85
Changes to mssql_clr_payload error handling based on code review
2017-09-10 14:15:39 -05:00
h00die
7339658ba9
224 pages of spelling issues left
2017-09-09 09:52:08 -04:00
h00die
0910c482a9
35 pages of spelling done
2017-09-08 22:19:55 -04:00
h00die
be66ed8af3
Land #8788 exploits for Gh0st and PlugX malware controllers
2017-09-05 20:42:07 -04:00
james
44fb059cea
Add error checking to mssql_clr_payload
...
Additional error checking had been added to exploits/windows/mssql/mssql_clr_payload
If an error is encountered when changing the trustworthy or clr setting, the exploit fails with a message.
2017-09-05 18:48:22 -05:00
h00die
d05c401866
modules cleanup and add docs
2017-09-04 20:57:23 -04:00
Brent Cook
367c760927
window move is now directly in the template
2017-08-20 17:48:59 -05:00
Brent Cook
e734a7923a
Land #8267 , Handle multiple entries in PSModulePath
2017-08-20 17:44:30 -05:00
Brent Cook
2eba188166
Land #8789 , Add COM class ID hijack method for bypassing UAC
2017-08-20 13:57:17 -05:00
Brent Cook
26193216d1
Land #8686 , add 'download' and simplified URI request methods to http client mixin
...
Updated PDF author metadata downloader to support the new methods.
2017-08-14 01:40:17 -04:00
Brent Cook
7d4561e0fd
rename to download_log to avoid conflicting with the mixin
2017-08-14 01:10:37 -04:00
Brent Cook
da3ca9eb90
update some documentation
2017-08-03 17:09:44 -05:00
Brent Cook
ddd841c0a8
code style cleanup + add automatic targeting based on payload
2017-08-03 00:27:54 -05:00
Brent Cook
b62429f6fa
handle drive letters specified like E: nicely
2017-08-03 00:27:22 -05:00
Yorick Koster
46ec04dd15
Removed This PC ItemID & increased timeout in WaitForSingleObject
...
Remove the This PC ItemID to bypass (some) AV.
Timeout for WaitForSingleObject is set to 2,5s. After this timeout a
mutex is released allowed a new payload to be executed.
2017-08-02 15:47:22 -05:00
Yorick Koster
e51e1d9638
Added new DLL templates to prevent crashing of Explorer
2017-08-02 15:47:21 -05:00
Yorick Koster
3229320ba9
Code review feedback from @nixawk
2017-08-02 15:46:51 -05:00
Yorick Koster
565a3355be
CVE-2017-8464 LNK Remote Code Execution Vulnerability
...
This module exploits a vulnerability in the handling of Windows
Shortcut files (.LNK) that contain a dynamic icon, loaded from a
malicious DLL.
This vulnerability is a variant of MS15-020 (CVE-2015-0096). The
created LNK file is similar except in an additional
SpecialFolderDataBlock is included. The folder ID set in this
SpecialFolderDataBlock is set to the Control Panel. This is enought to
bypass the CPL whitelist. This bypass can be used to trick Windows into
loading an arbitrary DLL file.
2017-08-02 15:46:30 -05:00
OJ
54ded4300e
Land #8791 - Update Accuvant refs to point to Optiv
2017-08-02 13:26:52 +10:00