jvazquez-r7
60e7e9f515
Add module for CVE-2013-5331
2014-04-27 10:40:46 -05:00
Tod Beardsley
e514ff3607
Description and print_status fixes for release
@cdoughty-r7, I choose you! Or @wvu-r7.
2014-04-21 14:00:03 -05:00
Meatballs
67f44072ca
Merge remote-tracking branch 'upstream/master' into pr2075
2014-04-19 18:45:55 +01:00
jvazquez-r7
acb12a8bef
Beautify and fix both ruby and AS
2014-04-17 23:32:29 -05:00
jvazquez-r7
91d9f9ea7f
Update from master
2014-04-17 15:32:49 -05:00
jvazquez-r7
749e141fc8
Do first clean up
2014-04-17 15:31:56 -05:00
sinn3r
23c2a071cd
Small name change
2014-04-15 18:35:00 -05:00
jvazquez-r7
abd76c5000
Add module for CVE-2014-0322
2014-04-15 17:55:24 -05:00
Meatballs
38d8df4040
Merge remote-tracking branch 'upstream/master' into pr2075
Conflicts:
modules/exploits/windows/local/wmi.rb
2014-04-15 22:06:45 +01:00
Tod Beardsley
062175128b
Update @Meatballs and @FireFart in authors.rb
2014-04-09 10:46:10 -05:00
HD Moore
a7a0a306f9
Fix usage of os_flavor for target matching
2014-04-02 07:23:30 -07:00
HD Moore
55d9928186
Fix use of os_flavor to ensure correct target matching
2014-04-02 07:21:54 -07:00
HD Moore
be4a366eab
Fix up two modules using the old os_flavor definition
2014-04-02 07:19:47 -07:00
HD Moore
7e227581a7
Rework OS fingerprinting to match Recog changes
This commit changes how os_name and os_flavor are handled
for client-side exploits, matching recent changes to the
server-side exploits and scanner fingerprints.
This commit also updates the client-side fingerprinting to
take into account Windows 8.1 and IE 9, 10, and 11.
2014-04-01 08:14:58 -07:00
sinn3r
466096f637
Add MSB number to name
2014-03-28 20:33:40 -05:00
jvazquez-r7
f7b1874e7d
Land #3151, @wchen-r7's use of BrowserExploitServer in ms13-59's exploit
2014-03-28 14:43:38 -05:00
sinn3r
8ec10f7438
Use BrowserExploitServer for MS13-059 module
2014-03-26 17:49:01 -05:00
jvazquez-r7
19918e3207
Land #3143, @wchen-r7's switch to BrowserExploitServer on ie_setmousecapture_uaf
2014-03-26 14:16:35 -05:00
sinn3r
fdc355147f
Use BrowserExploitServer mixin for ie_setmousecapture_uaf.rb
2014-03-25 18:41:47 -05:00
sinn3r
6c206e4ced
Add a comment about what this build version range is covering
2014-03-25 11:43:13 -05:00
sinn3r
7108d2b90a
Add ua_ver and mshtml_build requirements
This vulnerability is specific to certain builds of IE9.
2014-03-25 11:35:35 -05:00
Tod Beardsley
cfdd64d5b1
Title, description grammar and spelling
2014-03-24 12:16:59 -05:00
jvazquez-r7
a5afd929b4
Land #3120, @wchen-r7's exploit for CVE-2014-0307
2014-03-20 11:16:40 -05:00
jvazquez-r7
8cb7bc3cbe
Fix typo
2014-03-20 11:13:57 -05:00
sinn3r
c5158a3ccc
Update CVE
2014-03-19 22:13:23 -05:00
Tod Beardsley
d27264b402
Land #2782, fix expand_path abuse
2014-03-19 08:41:28 -05:00
sinn3r
2e76faa076
Add MS14-012 Internet Explorer Use-After-Free Exploit Module
Add MS14-012 IE UAF.
2014-03-18 17:55:56 -05:00
William Vu
25ebb05093
Add next chunk of fixes
Going roughly a third at a time.
2014-03-11 12:23:59 -05:00
OJ
3ea3968d88
Merge branch 'upstream/master' into stop_abusing_expand_path
Conflicts:
lib/msf/core/post/windows/shadowcopy.rb
modules/exploits/windows/local/bypassuac.rb
modules/post/windows/gather/wmic_command.rb
modules/post/windows/manage/persistence.rb
2014-03-11 23:13:39 +10:00
Meatballs
b8b36ef528
Merge remote-tracking branch 'upstream/master' into pr2075
2014-02-14 22:52:55 +00:00
William Vu
e6905837eb
Land #2960, rand_text_alpha for amaya_bdo
2014-02-10 16:44:11 -06:00
Tod Beardsley
1236a4eb07
Fixup on description and some option descrips
2014-02-10 14:41:59 -06:00
Meatballs
c37cb5075c
Merge remote-tracking branch 'upstream/master' into pr2075
2014-02-08 22:11:31 +00:00
David Maciejak
32c02dd56a
Added some randomness
2014-02-08 11:27:25 +08:00
jvazquez-r7
a18de35fa7
Add module for ZDI-14-011
2014-02-06 18:25:36 -06:00
dukeBarman
88c283880a
Fix bugs
2014-01-18 17:04:46 -05:00
dukeBarman
766c408d86
Add CVE-2013-0634: Adobe Flash Player 11.5 memory corruption
2014-01-18 11:07:11 -05:00
OJ
1cb671b02e
Merge branch 'adjust_getenv_api' into stop_abusing_expand_path
2014-01-03 08:14:02 +10:00
jvazquez-r7
7f9f4ba4db
Make gsubs compliant with the new indentation standard
2013-12-31 11:06:53 -06:00
OJ
9fb081cb2d
Add getenvs, update getenv, change extract_path use
Stacks of modules were using `extract_path` where it wasn't really semantically correct
because this was the only way to expand environment variables. This commit fixes that
up a bit.
Also, I changed the existing `getenv` function in `stdapi` to `getenvs`, and had it
support the splat operator. I added a `getenv` function which is used just for a
single variable and uses `getenvs` behind the scenes.
The meterpreter console `getenv` command now uses `getenvs`.
2013-12-19 11:54:34 +10:00
Tod Beardsley
f88a3a55b6
More slight updates.
2013-12-16 15:05:39 -06:00
sinn3r
04b7e8b174
Fix module title and add vendor patch information
2013-12-16 14:59:00 -06:00
jvazquez-r7
533accaa87
Add module for CVE-2013-3346
2013-12-16 14:13:47 -06:00
Meatballs
b252e7873b
Merge remote-tracking branch 'upstream/master' into pr2075
2013-12-16 14:29:05 +00:00
Tod Beardsley
55847ce074
Fixup for release
Notably, adds a description for the module landed in #2709.
2013-12-02 16:19:05 -06:00
sinn3r
5d10b44430
Add support for Silverlight
Add support for Silverlight exploitation. [SeeRM #8705]
2013-11-26 14:47:27 -06:00
jvazquez-r7
253719d70c
Fix title
2013-11-26 08:11:29 -06:00
sinn3r
8005826160
Land #2644 - MS13-090 CardSpaceClaimCollection vuln
2013-11-25 13:06:09 -06:00
jvazquez-r7
7e4487b93b
Update description
2013-11-22 17:37:23 -06:00
Meatballs
ec36cebeb4
Update cmd_psh_payloads to send the architecture.
2013-11-22 23:31:33 +00:00
jvazquez-r7
a7ad107e88
Add ruby code for ms13-022
2013-11-22 16:41:56 -06:00
sinn3r
a9de5e2846
Land #2634 - Opt browser autopwn load list
2013-11-19 15:10:29 -06:00
jvazquez-r7
bddb314073
Fix usage of Retries
2013-11-18 09:09:20 -06:00
jvazquez-r7
237bb22771
Disable auto migrate
2013-11-18 08:54:22 -06:00
jvazquez-r7
cbb7eb192c
Add module for CVE-2013-3918
2013-11-15 10:38:52 -06:00
William Vu
2c485c509e
Fix caps on module titles (first pass)
2013-11-15 00:03:42 -06:00
jvazquez-r7
fe2cd93a65
Delete ms13_037_svg_dashstyle from the browser_autopwn list
2013-11-13 23:46:50 -06:00
jvazquez-r7
8771b163f0
Solve conflicts with aladdin_choosefilepath_bof
2013-11-12 23:11:42 -06:00
jvazquez-r7
004c1bac78
Reduce number of modules available on BrowserAutopwn
2013-11-12 12:37:29 -06:00
jvazquez-r7
b01d8c50e0
Restore module crash documentation
2013-11-11 17:09:41 -06:00
jvazquez-r7
30de61168d
Support heap spray obfuscation
2013-11-11 17:05:54 -06:00
jvazquez-r7
922f0eb900
Switch aladdin_choosefilepath_bof2 to use BrowserExploitServer
2013-11-11 17:01:09 -06:00
William Vu
2aed8a3aea
Update modules to use new ZDI reference
2013-10-21 15:13:46 -05:00
sinn3r
032da9be10
Land #2426 - make use of Msf::Config.data_directory
2013-10-21 13:07:33 -05:00
sinn3r
36dace26fa
Land #2538 - Fix redirect URLs
2013-10-21 11:08:03 -05:00
James Lee
94db3f511a
Avoid extra slash in redirect URI
[SeeRM #8507]
2013-10-17 14:10:15 -05:00
Tod Beardsley
07ab53ab39
Merge from master to clear conflict
Conflicts:
modules/exploits/windows/brightstor/tape_engine_8A.rb
modules/exploits/windows/fileformat/a-pdf_wav_to_mp3.rb
2013-10-17 13:29:24 -05:00
sinn3r
0ce221274b
Change JS comments in Ruby.
2013-10-16 16:40:54 -05:00
James Lee
4fa3b8f820
Add support for IE7 on XP
2013-10-16 15:56:34 -05:00
sinn3r
06a212207e
Put PrependMigrate on hold because of #1674
But I will probably still want this.
2013-10-16 09:24:46 -05:00
sinn3r
ac78f1cc5b
Use Base64 encoding for OS parameter
I didn't even realize we already added this in server.rb. So instead
of just escaping the OS parameter, we also encode the data in base64.
I also added prependmigrate to avoid unstable conditions for the payload.
2013-10-15 23:37:11 -05:00
Tod Beardsley
c83262f4bd
Resplat another common boilerplate.
2013-10-15 14:07:48 -05:00
Tod Beardsley
23d058067a
Redo the boilerplate / splat
[SeeRM #8496]
2013-10-15 13:51:57 -05:00
William Vu
31dc7c0c08
Land #2522, @todb-r7's pre-release module fixes
2013-10-14 15:37:23 -05:00
Tod Beardsley
63e40f9fba
Release time fixes to modules
* Period at the end of a description.
* Methods shouldn't be meth_name! unless the method is destructive.
* "Setup" is a noun, "set up" is a verb.
* Use the clunky post module naming convention.
2013-10-14 15:17:39 -05:00
sinn3r
15e8c3bcd6
[FixRM #8470] - can't convert nil into String
Target selection bug in ms13_069_caret.rb. Happens when the target
is Win 7 + IE8, which actually isn't a suitable target.
[FixRM #8470]
2013-10-14 14:10:08 -05:00
William Vu
eab90e1a2e
Land #2491, missing platform info update
2013-10-14 10:38:25 -05:00
sinn3r
9725918be8
Remove junk variables/params
2013-10-12 18:51:57 -05:00
sinn3r
bc317760dc
Make the GET params a little bit harder to read.
2013-10-12 16:37:49 -05:00
sinn3r
b139757021
Correct a typo in description
2013-10-12 13:24:36 -05:00
sinn3r
79c612cd67
Add MS13-080 (CVE-2013-3897): Internet Explorer CDisplayPointer Use-After-Free
This module exploits a vulnerability found in Microsoft Internet Explorer.
It was originally found being exploited in the wild targeting Japanese and
Korean IE8 users on Windows XP, around the same time frame as CVE-2013-3893,
except this was kept out of the public eye by multiple research companies and
the vendor until the October patch release.
This issue is a use-after-free vulnerability in CDisplayPointer via the use of
a "onpropertychange" event handler. To set up the appropriate buggy conditions,
we first craft the DOM tree in a specific order, where a CBlockElement comes after
the CTextArea element. If we use a select() function for the CTextArea element,
two important things will happen: a CDisplayPointer object will be created for
CTextArea, and it will also trigger another event called "onselect". The "onselect"
event will allow us to set up for the actual event handler we want to abuse -
the "onpropertychange" event. Since the CBlockElement is a child of CTextArea,
if we do a node swap of CBlockElement in "onselect", this will trigger
"onpropertychange". During "onpropertychange" event handling, a free of the
CDisplayPointer object can be forced by using an "Unselect" (other approaches
also apply), but a reference of this freed memory will still be kept by
CDoc::ScrollPointerIntoView, specifically after the CDoc::GetLineInfo call,
because it is still trying to use that to update CDisplayPointer's position.
When this invalid reference arrives in QIClassID, a crash finally occurs due to
accessing the freed memory. By controlling this freed memory, it is possible to
achieve arbitrary code execution under the context of the user.
2013-10-12 13:01:17 -05:00
Meatballs
9ca9b4ab29
Merge branch 'master' into data_dir
Conflicts:
lib/msf/core/auxiliary/jtr.rb
2013-10-10 19:55:26 +01:00
jvazquez-r7
4fd599b7e0
Land #2483, @wchen-r7's patch for [SeeRM #8458]
2013-10-09 14:32:26 -05:00
sinn3r
1e3b84d39b
Update ie_cgenericelement_uaf
2013-10-09 13:40:48 -05:00
Winterspite
0acb170ee8
Bug #8419 - Added platform info missing on exploits
2013-10-08 22:41:50 -04:00
sinn3r
199bd20b95
Update CVE-2013-3893's Microsoft reference
Official patch is out:
http://technet.microsoft.com/en-us/security/bulletin/MS13-080
2013-10-08 13:00:03 -05:00
sinn3r
f4000d35ba
Use RopDb for ms13_069
Target tested
2013-10-07 15:24:01 -05:00
sinn3r
7222e3ca49
Use RopDb for ms13_055_canchor.
All targets tested.
2013-10-07 15:09:36 -05:00
sinn3r
67228bace8
Use RopDb for ie_cgenericelement_uaf.
All targets tested except for Vista, so additional testing will need
to be done during review.
2013-10-07 14:51:34 -05:00
sinn3r
aea63130a4
Use RopDb for ie_cbutton_uaf.
All targets tested except for Vista. Will need additional testing
during review.
2013-10-07 14:03:07 -05:00
Tod Beardsley
219bef41a7
Decaps Siemens (consistent with other modules)
2013-10-07 13:12:32 -05:00
sinn3r
e016c9a62f
Use RopDb msvcrt ROP chain. Tested all targets.
2013-10-07 12:27:43 -05:00
Tod Beardsley
539a22a49e
Typo on Microsoft
2013-10-03 12:20:47 -05:00
Meatballs
c460f943f7
Merge branch 'master' into data_dir
Conflicts:
modules/exploits/windows/local/always_install_elevated.rb
plugins/sounds.rb
scripts/meterpreter/powerdump.rb
scripts/shell/spawn_meterpreter.rb
2013-10-02 20:17:11 +01:00
sinn3r
23b0c3b723
Add Metasploit blog references
These modules have blogs from the Rapid7 community, we should add them.
2013-10-01 20:50:16 -05:00
sinn3r
932ed0a939
Land #2444 - Add SIEMENS Solid Edge ST4 SEListCtrlX ActiveX Vuln
2013-10-01 20:35:17 -05:00
jvazquez-r7
ed82be6fd8
Use RopDB
2013-10-01 13:23:09 -05:00
jvazquez-r7
6483c5526a
Add module for OSVDB 93696
2013-10-01 11:42:36 -05:00
sinn3r
c82ed33a95
Forgot Math.cos()
2013-09-30 13:29:16 -05:00
sinn3r
d6cd0e5c67
Tweak for office 2007 setup
2013-09-30 13:27:59 -05:00