3c8be9e36d
Just x86
2015-01-09 19:12:51 -06:00
74e8e057dd
Use RDL
2015-01-09 19:02:08 -06:00
ee5c249c89
Add EDB reference
2015-01-09 00:19:12 -06:00
75de792558
Add a basic check
2015-01-09 00:03:39 -06:00
4911127fe2
Match the title and change the description a little bit
2015-01-08 21:48:01 -06:00
b7b3ae4d2a
A little randomness
2015-01-08 21:25:55 -06:00
b65013c5c5
Another update
2015-01-08 18:39:04 -06:00
b2ff5425bc
Some changes
2015-01-08 18:33:30 -06:00
53e6f42d99
This works
2015-01-08 17:57:14 -06:00
7ed6b3117a
Update
2015-01-08 17:18:14 -06:00
fb5170e8b3
Land #2766 , Meatballs1's refactoring of ExtAPI services
...
- Many code duplications are eliminated from modules in favor of shared
implementations in the framework.
- Paths are properly quoted in shell operations and duplicate operations are
squashed.
- Various subtle bugs in error handling are fixed.
- Error handling is simpler.
- Windows services API is revised and modules are updated to use it.
- various API docs added
- railgun API constants are organized and readable now.
2015-01-08 16:54:01 -06:00
0e6c7181b1
"Stash" it
2015-01-08 14:13:14 -06:00
a9fee9c022
Fall back to runas if UAC disabled
2015-01-08 11:07:57 +00:00
844460dd87
Update bypass UAC to work on 8.1 and 2012
...
This commit contains a bunch of work that comes from Meatballs1 and
Lesage, and updates the bypassuac_inject module so that it works on
Windows 8.x and Windows 2012. Almost zero of the code in this module
can be attributed to me. Most of it comes from Ben's work.
I did do some code tidying, adjustment of style, etc. but other than
that it's all down to other people.
2015-01-08 15:39:19 +10:00
c60b6969bc
Oh so that's it
2015-01-07 10:39:46 -06:00
dd5c638ab0
Merge remote-tracking branch 'upstream/master' into extapi_service_post
2015-01-05 22:18:44 +00:00
3c755a6dfa
Template
2015-01-02 11:31:28 -06:00
ebb05a64ea
Land #4357 , @Meatballs1 Kerberos Support for current_user_psexec
2014-12-23 20:38:31 -06:00
44084b4ef6
Correct Microsoft security bulletin for ppr_flatten_rec
2014-12-22 10:40:23 +00:00
4fc4866fd8
Merge code in from #2395
2014-12-12 16:22:51 -06:00
c813c117db
Use DNS names
2014-12-10 22:25:44 +00:00
b634bde8a1
Lateral movement through PSRemoting
2014-12-04 22:06:28 +00:00
e471271231
Move comment
2014-12-04 20:24:37 +00:00
c14ba11e79
If extapi dont stage payload
2014-12-04 20:17:48 +00:00
145e610c0f
Avoid shadowing new method
2014-11-17 12:22:30 -06:00
6574db5dbb
Fix the 64 bits code
2014-10-30 17:01:59 -05:00
5e0993d756
Add OJ as author
2014-10-28 09:58:34 -05:00
830f631da4
Make the check routine less strict
2014-10-27 12:51:20 -04:00
46b1abac4a
More robust check routine for cve-2014-4113
2014-10-27 11:19:12 -04:00
4406972b46
Do version checking minor cleanup
2014-10-27 09:32:42 -05:00
c319ea91b3
Delete verbose print
2014-10-26 17:31:19 -05:00
34697a2240
Delete 'callback3' also from 32 bits version
2014-10-26 17:28:35 -05:00
7416c00416
Initial addition of x64 target for cve-2014-4113
2014-10-26 16:54:42 -04:00
a75186d770
Add module for CVE-2014-4113
2014-10-23 18:51:30 -05:00
35d3bbf74d
Fix up comment splats with the correct URI
...
See the complaint on #4039 . This doesn't fix that particular
issue (it's somewhat unrelated), but does solve around
a file parsing problem reported by @void-in
2014-10-17 11:47:33 -05:00
9f6008e275
A couple OSVDB updates for recent modules
2014-10-14 13:39:36 -05:00
4f8801eeba
Land #3651 , local Bluetooth exploit a @KoreLogic
...
This started life as #3653 . I'll take this out of unstable as well,
since it got there on commit b10cbe4f
2014-10-14 13:13:34 -05:00
7dd6a4d0d9
Merge in changes from @todb-r7.
2014-10-08 13:25:44 -04:00
b17396931f
Fixes #3876 - Move pxeexploit to local directory
2014-09-30 17:16:13 -05:00
d5959d6bd6
Land #2585 , Refactor Bypassuac with Runas Mixin
2014-09-28 09:24:22 +01:00
9d3d25a3b3
Solve conflicts
2014-08-28 10:19:12 -05:00
d2bc0baa87
Merge remote-tracking branch 'upstream/master' into extapi_service_post
...
Conflicts:
lib/msf/core/post/windows/services.rb
2014-08-24 19:46:19 +01:00
cad281494f
Minor caps, grammar, desc fixes
2014-08-18 13:35:34 -05:00
0cc3bdfb35
Moar bad packs
2014-08-15 21:11:37 +01:00
b55f425ec0
Merge in changes from @todb-r7.
2014-08-14 17:22:07 -04:00
f91116a8e8
Land #3634 - Virtual box 3D Acceleration OpenGL Host escape
2014-08-13 20:08:13 -05:00
127d094a8d
Dont share once device is opened
2014-08-13 16:13:38 -05:00
05a198bc96
Correct spelling
2014-08-13 14:06:25 +01:00
4a01c27ed4
Use get_env and good pack specifier
2014-08-13 10:59:22 +01:00
da4b572a0d
Change module name
2014-08-12 17:17:26 -05:00
3eccc12f50
Switch from vprint to print
2014-08-12 17:11:24 -05:00
f203fdebcb
Use Msf::Exploit::Local::WindowsKernel
2014-08-12 17:09:39 -05:00
e1debd68ad
Merge to update
2014-08-12 16:21:39 -05:00
183b27ee27
There is only one target
2014-08-12 16:14:41 -05:00
c8e4048c19
Some style fixes
2014-08-12 16:11:31 -05:00
ea3d2f727b
Dont fail_with while checking
2014-08-12 16:09:59 -05:00
486b5523ee
Refactor set_version
2014-08-09 02:17:07 -05:00
d959affd6e
Delete debug message
2014-08-09 01:58:42 -05:00
da04b43861
Add module for CVE-2014-0983
2014-08-09 01:56:38 -05:00
b602e47454
Implement improvements based on feedback
2014-08-05 21:24:37 -07:00
9cd6353246
Update mqac_write to use the mixin and restore pointers
2014-08-04 12:15:39 -07:00
a523898909
Apply rubocop suggestions for ms_ndproxy
2014-08-04 11:49:01 -07:00
86e2377218
Switch ms_ndproxy to use the new WindowsKernel mixin
2014-08-04 11:49:01 -07:00
58d29167e8
Refactor MS11-080 to use the mixin and for style
2014-08-04 11:49:01 -07:00
6c2b8f54cf
rubocop cleanup, long lines, etc
2014-08-03 23:19:08 -05:00
2b021e647d
Minor tidies to conform to standards
2014-08-03 23:19:08 -05:00
31c51eeb63
Move error messages to `check`
2014-08-03 23:19:08 -05:00
cbf15660bf
Add some small fixes to the MQAC local exploit
...
* Check for `INVALID_HANDLE_VALUE` when attempting to open the
device, as this is what is returned when the device doesn't exist.
* Make sure that we only run the exploit against tartgets that we
support directly to make sure we don't BSOD machines (such as what
happens with SP1/SP2).
* Add a call to `check` in the exploit code.
2014-08-03 23:19:08 -05:00
add5cefe17
Change runas method to use lib
...
Changed runas method to use the new runas lib. Also did some rubocop
changes.
2014-08-01 17:13:24 -07:00
df98098b0c
New shell_execute_option command
...
Also removed upload option
2014-08-01 17:12:04 -07:00
5c2b074264
Matched bypassuac to upstream
2014-08-01 14:40:23 -07:00
def652a50e
Merge https://github.com/rapid7/metasploit-framework into bypassuac/psh_option
2014-08-01 14:32:55 -07:00
15c1ab64cd
Quick rubocop
2014-07-31 23:11:00 +01:00
d336c56b99
Merge remote-tracking branch 'upstream/master' into land_2551
2014-07-31 23:06:37 +01:00
53b66f3b4a
Land #2075 , Powershell Improvements
2014-07-31 00:49:39 +01:00
e00d892f99
rubocop cleanup, long lines, etc
2014-07-28 22:04:45 -05:00
210342df5b
Minor tidies to conform to standards
2014-07-25 09:32:54 +10:00
9fe2dd59aa
Move error messages to `check`
2014-07-25 07:57:09 +10:00
3ec30bdf78
Add some small fixes to the MQAC local exploit
...
* Check for `INVALID_HANDLE_VALUE` when attempting to open the
device, as this is what is returned when the device doesn't exist.
* Make sure that we only run the exploit against tartgets that we
support directly to make sure we don't BSOD machines (such as what
happens with SP1/SP2).
* Add a call to `check` in the exploit code.
2014-07-24 14:48:29 +10:00
042278ed6a
Update code to reflect @OJ code suggestions
2014-07-23 11:01:43 -04:00
534a5d964b
Add CVE-2014-4971 BthPan local privilege escalation
...
Add CVE-2014-4971 BthPan local privilege escalation for Windows XP SP3
2014-07-22 18:17:06 -04:00
0db3a0ec97
Update code to reflect @jlee-r7's code review
2014-07-22 15:14:24 -04:00
125b2df8f5
Update code to reflect @hdmoore code suggestions
2014-07-22 14:53:24 -04:00
7f79e58e7f
Lots and cleanups based on PR feed back
2014-07-22 14:45:00 -04:00
5d9c6bea9d
Fix a typo and use the execute_shellcode function
2014-07-22 13:06:57 -04:00
12904edf83
Remove unnecessary target info and add url reference
2014-07-22 11:20:07 -04:00
ca0dcf23b0
Add a simple check method for cve-2014-4971
2014-07-22 10:54:10 -04:00
6a545c2642
Clean up the mqac escalation module
2014-07-22 10:39:34 -04:00
da4eb0e08f
First commit of MQAC arbitrary write priv escalation
2014-07-22 10:04:12 -04:00
b0a596b4a1
Update newer modules
2014-07-20 21:59:10 +01:00
474ee81807
Merge remote-tracking branch 'upstream/master' into pr2075
2014-07-20 21:01:54 +01:00
2be6eb16a2
Add in exploit check and version checks
...
Move the initial checking for the vboxguest device and os checks
into the MSF check routine.
2014-07-17 14:56:34 -04:00
25f74b79b8
Land #3484 , bad pack/unpack specifier fix
2014-07-16 14:52:23 -05:00
7583ed4950
Merge remote-tracking branch 'upstream/master' into pr2075
2014-07-16 20:34:34 +01:00
6d49f6ecdd
Update code to reflect hdmoore's code review.
2014-07-16 14:29:17 -04:00
cef2c257dc
Add CVE-2014-2477 local privilege escalation
2014-07-16 05:49:19 -04:00
05c9757624
Merge in #3488
2014-07-04 20:37:09 +01:00
21f6e7bf6c
Change description
2014-07-01 10:44:21 -05:00
c9b6c05eab
Fix improper use of host-endian or signed pack/unpack
...
Note that there are some cases of host-endian left, these
are intentional because they operate on host-local memory
or services.
When in doubt, please use:
```
ri pack
```
2014-06-30 02:50:10 -05:00
ce5d3b12e7
Land #3403 - MS13-097 Registry Symlink IE Sandbox Escape
2014-06-26 13:48:28 -05:00
0b6f7e4483
Land #3404 - MS14-009 .NET Deployment Service IE Sandbox Escape
2014-06-26 11:45:47 -05:00
a081beacc2
Use Gem::Version for string versions comparison
2014-06-20 09:44:29 -05:00
5879ca3340
Merge branch 'upstream/master' into meatballs x64_injection
2014-06-18 10:24:33 +10:00
d5b32e31f8
Fix a typo where platform was 'windows' not 'win'
...
This was reported by dracu on freenode
2014-06-11 15:10:33 -05:00
43699b1dfb
Don't clean env variable before using it
2014-06-03 09:56:19 -05:00
b8a2cf776b
Do test
2014-06-03 09:52:01 -05:00
05ed2340dc
Use powershell
2014-06-03 09:29:04 -05:00
f918bcc631
Use powershell instead of mshta
2014-06-03 09:01:56 -05:00
9574a327f8
use the new check also in exploit()
2014-06-02 14:38:33 -05:00
3c38c0d87c
Dont be confident about string comparision
2014-06-02 14:37:29 -05:00
d0241cf4c1
Add check method
2014-06-02 08:14:40 -05:00
31af8ef07b
Check .NET version
2014-06-01 20:58:08 -05:00
3c5fae3706
Use correct include
2014-06-01 11:51:06 +01:00
4801a7fca0
Allow x86->x64 injection
2014-06-01 11:50:13 +01:00
3ae4a16717
Clean environment variables
2014-05-30 12:21:23 -05:00
b99b577705
Clean environment variable
2014-05-30 12:20:00 -05:00
b27a95c008
Delete unused code
2014-05-30 12:08:55 -05:00
e215bd6e39
Delete unnecessary code and use get_env
2014-05-30 12:07:59 -05:00
1dbd36a3dd
Check for the .NET dfsvc and use %windir%
2014-05-30 09:02:43 -05:00
ffbcbe8cc1
Use cmd_psh_payload
2014-05-29 18:12:18 -05:00
03889ed31f
Use cmd_psh_payload
2014-05-29 18:11:22 -05:00
e145298c13
Add module for CVE-2014-0257
2014-05-29 11:45:19 -05:00
6e122e683a
Add module for CVE-2013-5045
2014-05-29 11:42:54 -05:00
52b182d212
Add a small note to bypassuac_injection concerning EXE::Custom
2014-05-19 22:00:35 +01:00
b84379ab3b
Note about EXE::Custom
2014-05-19 22:00:09 +01:00
c97c827140
Adjust desc and ranking on ms13-053
...
Since it's likely to crash winlogin.exe in the normal use case
(eventually), I've kicked this down to Average ranking.
2014-05-05 13:46:19 -05:00
0db22c5c57
Use library method
2014-05-05 13:24:33 +01:00
c474ff4465
Merge remote-tracking branch 'upstream/master' into extapi_service_post
...
Conflicts:
modules/exploits/windows/local/service_permissions.rb
modules/post/windows/manage/rpcapd_start.rb
2014-05-05 13:19:25 +01:00
7e37939bf2
Land #3090 - Windows NTUserMessageCall Win32k Kernel Pool Overflow (Schlamperei)
2014-05-04 16:41:17 +10:00
56c5eac823
Message correction
2014-05-02 14:18:18 +01:00
69915c0de5
Message correction
2014-05-02 14:17:27 +01:00
8b138b2d37
Fix unquoted path in cleanup script
2014-04-30 16:34:33 -05:00
6b740b727b
Changes PATH to proper case
...
This changes PATH to Path
2014-04-30 17:26:36 -04:00
fdc81b198f
Adds the ability to specify path
...
This update allows an explicit path to be set rather
than purely relying on the TEMP environment variable.
2014-04-30 16:08:48 -04:00
d73854ff17
Fix wmi and add automatic target
2014-04-22 14:28:27 +01:00
3019cb99c1
Update cmd_upgrade module
2014-04-19 19:13:48 +01:00
00234aeec3
Remove powershell remoting
2014-04-19 19:03:18 +01:00
5c3289bbc6
merge fix
2014-04-17 21:26:04 -04:00
38d8df4040
Merge remote-tracking branch 'upstream/master' into pr2075
...
Conflicts:
modules/exploits/windows/local/wmi.rb
2014-04-15 22:06:45 +01:00
062175128b
Update @Meatballs and @FireFart in authors.rb
2014-04-09 10:46:10 -05:00
d7ca537a41
Microsoft module name changes
...
So after making changes for MSIE modules (see #3161 ), I decided to
take a look at all MS modules, and then I ended up changing all of
them. Reason is the same: if you list modules in an ordered list
, this is a little bit easier to see for your eyes.
2014-03-28 20:56:53 -05:00
b524507e4e
Merge remote-tracking branch 'upstream/master' into land_2551
...
Conflicts:
modules/exploits/windows/local/ask.rb
2014-03-22 18:14:45 +00:00
7b2f0a64fc
Tidy up
2014-03-22 18:07:57 +00:00
04506d76f3
Dont check for admin
2014-03-22 17:57:27 +00:00
409787346e
Bring build tools up to date, change some project settings
...
This commit brings the source into line with the general format/settings
that are used in other exploits.
2014-03-14 22:57:16 +10:00
41720428e4
Refactoring exploit and adding build files for dll.
2014-03-12 10:25:52 +00:00
3ea3968d88
Merge branch 'upstream/master' into stop_abusing_expand_path
...
Conflicts:
lib/msf/core/post/windows/shadowcopy.rb
modules/exploits/windows/local/bypassuac.rb
modules/post/windows/gather/wmic_command.rb
modules/post/windows/manage/persistence.rb
2014-03-11 23:13:39 +10:00
257c121c75
Adding MS013-058 for Windows7 x86
2014-03-06 20:34:01 +00:00
2a1e96165c
Adding MS013-058 for Windows7 x86
2014-03-06 18:39:34 +00:00
a1aef92652
Land #2431 - In-memory bypass uac
2014-03-05 11:15:54 +10:00
32d83887d3
Merge remote-tracking branch 'upstream/master' into wmic_post
2014-03-03 21:56:31 +00:00
2885ebcb40
Merge remote-tracking branch 'upstream/master' into pr2075
2014-03-02 20:57:02 +00:00
b952b103bd
cleanup tior and .tmp files
...
bypassuac module now also cleans
the tior.exe and all the .tmp files so we have a
clean environemnt afterwards
2014-02-27 13:18:34 -06:00
f66709b5bb
make bypassuac module clean itself up
...
since the IO redirection hangs our original process
we have the moudle wait for the session then kills
the spawning process and delete the exe we dropped
2014-02-27 12:54:40 -06:00
a8e0c3c255
remove copypasta mistake
2014-02-27 10:05:53 -06:00
96b611104e
cleanup methods in bypassuac module
...
apply the same sort of method cleanup as in
Meatballs injection based module.
2014-02-26 11:00:55 -06:00
6127ff92ce
Fix race condition
...
Wait for Sysprep to ExitProcess before cleaning up the DLLs...
2014-03-03 23:41:25 +00:00
d396be963a
Use new cmd_exec_get_pid
2014-02-28 20:53:13 +00:00
2a6258be15
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
...
Conflicts:
external/source/exploits/make.bat
2014-02-28 20:26:24 +00:00
e0fa1d532c
Dont think this works on vista/8
2014-02-26 23:14:17 +00:00
8bdb22aeb9
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
...
Conflicts:
lib/msf/core/post/windows.rb
2014-02-25 22:15:05 +00:00
1f08ad48a4
Fix payload_path method
2014-02-25 22:11:23 +00:00
6687ef80ee
Further bypassuac tidies
...
Dont rescue Exception
Use ReflectiveDLLInjection post mixin
Dont keep retrieving %TEMP% path
2014-02-25 22:03:01 +00:00
23381ea2cb
code tidying
...
break big exploit method up into
smaller methods for better maintainability
2014-02-25 14:07:48 -06:00
4c557a1401
Add Post::Windows::Services#each_service
...
Also cleans up some style issues and adds yardoc comments for some stuff
in Post::File
Note that windows/local/service_permissions is still using
`service_list` because it now builds a Rex::Table, which has to have
all the data up front, anyway.
2014-02-18 18:24:23 -06:00
684c45a5ff
Merge remote-tracking branch 'upstream/pr/2766' into merge-2766
2014-02-18 17:36:13 -06:00
b8b36ef528
Merge remote-tracking branch 'upstream/master' into pr2075
2014-02-14 22:52:55 +00:00
b453362a52
Merge remote-tracking branch 'upstream/pr/2966' into integrate_with_meatballs
2014-02-12 16:43:30 -05:00
3d4d5a84b6
Land #2957 , @zeroSteiner's exploit for CVE-2013-3881
2014-02-10 13:59:45 -06:00
502dbb1370
Add references
2014-02-10 13:55:02 -06:00
abb03d0bbe
Fixing messages
2014-02-10 13:10:42 -06:00
541bb6134e
Change exploit filename
2014-02-10 13:06:23 -06:00
2e130ce843
Make it work with Reader Sandbox
2014-02-10 13:04:13 -06:00
7c43565ea8
Include missing require for powershell
2014-02-10 11:02:53 -06:00
0ac1acda70
Upgrade toolchain to Visual Studio 2013 v120.
2014-02-10 09:35:07 -05:00
a4b451dbc0
Ensure we start in a new conhost/process
2014-02-09 23:36:25 +00:00
aa93299931
Sleep instead of noexit
2014-02-09 23:19:14 +00:00
b79bb4726d
Go for background approach
2014-02-09 19:41:24 +00:00
038aae5adb
Run as jobs
2014-02-09 19:30:16 +00:00
1c169e2935
Uniq results
2014-02-09 17:52:06 +00:00
2cea90f931
Working remoting
2014-02-09 17:43:44 +00:00
f1959f5313
Fixup WMI
2014-02-09 11:18:15 +00:00
c37cb5075c
Merge remote-tracking branch 'upstream/master' into pr2075
2014-02-08 22:11:31 +00:00
f686385349
Remove an unnecessary VS file and modify version check.
2014-02-07 08:45:51 -05:00
cc32c877a9
Add CVE-2013-3881 win32k Null Page exploit
2014-02-06 17:23:38 -05:00
08493f2670
Merge remote-tracking branch 'upstream/master' into upgrade_psh
...
Conflicts:
lib/msf/core/post/file.rb
2014-02-03 18:02:09 +00:00
95eb758642
Initial commit
2014-02-02 19:04:38 +00:00
cdc425e4eb
Update some checks
2014-01-24 12:08:23 -06:00
e5dc6a9911
Update exploit checks
...
Progress group 1: Making sure these checks comply with the new
guidelines. Please read: "How to write a check() method" found in
the wiki.
2014-01-20 14:26:10 -06:00
c426946886
Final tidyups
2014-01-03 15:55:03 +00:00
9028060f7d
Refactor service_create
2014-01-03 15:44:59 +00:00
5adc9e93f4
Merge remote-tracking branch 'upstream/master' into extapi_service_post
2014-01-03 14:39:55 +00:00
9fb081cb2d
Add getenvs, update getenv, change extract_path use
...
Stacks of modules were using `extract_path` where it wasn't really semantically correct
because this was the only way to expand environment variables. This commit fixes that
up a bit.
Also, I changed the existing `getenv` function in `stdapi` to `getenvs`, and had it
support the splat operator. I added a `getenv` function which is used just for a
single variable and uses `getenvs` behind the scenes.
The meterpreter console `getenv` command now uses `getenvs`
2013-12-19 11:54:34 +10:00
4bddd077ec
Land #2762 - Use new ntdll railgun functions
2013-12-18 15:18:47 -06:00
3e54379b0e
Merge remote-tracking branch 'upstream/master' into wmic_post
...
Conflicts:
lib/msf/core/post/windows.rb
2013-12-18 13:40:54 +00:00
c3aee714af
shadowcopy should use service_restart
2013-12-18 12:12:34 +00:00
42bc5ab75f
Use Services calls in enable_rdp
...
Update calls to change_service_config to check success
2013-12-18 11:34:12 +00:00
55a5a7e032
Fix typo
2013-12-18 11:06:03 +00:00
bce7fab2cd
Fixup IKEEXT
2013-12-18 00:08:01 +00:00
0bac2415ca
Some post testing fixes
...
Also deprecate net escalate as it is covered by service_permissions
as a generic exploit
2013-12-18 00:00:14 +00:00
sinn3r
Brent Cook
Meatballs
OJ
jvazquez-r7
Jon Cave
HD Moore
Spencer McIntyre
URI Assassin
Tod Beardsley
Jay Smith
Joshua Smith
b00stfr3ak
William Vu
kaospunk
RageLtMan
kyuzo
David Maloney
James Lee