Commit Graph

1240 Commits (4c72b096b656c424a3964a688b37cb5b5fb31d16)

Author SHA1 Message Date
sinn3r ecf4e923e8 Change the target address for spray 1 2013-09-30 11:57:59 -05:00
sinn3r b9aae1c93c Higher address seems better 2013-09-29 18:45:30 -05:00
sinn3r a5ade93ab2 Add CVE-2013-3893 Internet Explorer SetMouseCapture Use-After-Free
This module exploits a use-after-free vulnerability that currents
targets Internet Explorer 9 on Windows 7, but the flaw should exist in
versions 6/7/8/9/10/11. It was initially found in the wild in Japan, but
other regions such as English, Chinese, Korean, etc, were targeted as
well.

The vulnerability is due to how the mshtml!CDoc::SetMouseCapture function
handles a reference during an event. An attacker first can setup two
elements, where the second is the child of the first, and then setup a
onlosecapture event handler for the parent element. The onlosecapture
event seems to require two setCapture() calls to trigger, one for the parent
element, one for the child. When the setCapture() call for the child element
is called, it finally triggers the event, which allows the attacker to cause
an arbitrary memory release using document.write(), which in particular frees
up a 0x54-byte memory. The exact size of this memory may differ based on the
version of IE. After the free, an invalid reference will still be kept and pass
on to more functions, eventuall this arrives in function
MSHTML!CTreeNode::GetInterface, and causes a crash (or arbitrary code execution)
when this function attempts to use this reference to call what appears to be a
PrivateQueryInterface due to the offset (0x00).

To mimic the same exploit found in the wild, this module will try to use the
same DLL from Microsoft Office 2007 or 2010 to leverage the attack.
2013-09-29 18:24:13 -05:00
Meatballs 7ba846ca24 Find and replace 2013-09-26 20:34:48 +01:00
Tod Beardsley d91cb85a31
Not actually a typo
Turns out, the object name is "CCaret," though we're talking about the
"caret." Confuz0ring!
2013-09-24 15:55:52 -05:00
Tod Beardsley ac1388368f
Typo in module name 2013-09-24 15:50:58 -05:00
Tod Beardsley c547e84fa7 Prefer Ruby style for single word collections
According to the Ruby style guide, %w{} collections for arrays of single
words are preferred. They're easier to type, and if you want a quick
grep, they're easier to search.

This change converts all Payloads to this format if there is more than
one payload to choose from.

It also alphabetizes the payloads, so the order can be more predictable,
and for long sets, easier to scan with eyeballs.

See:
  https://github.com/bbatsov/ruby-style-guide#collections
2013-09-24 12:33:31 -05:00
Tod Beardsley 081c279b61 Remove misleading comment 2013-09-24 11:42:31 -05:00
jvazquez-r7 6f5e528699 Remove author, all the credits go to corelanc0der and sinn3r 2013-09-20 10:27:37 -05:00
sinn3r 83f54d71ea Add MS13-069 (CVE-2013-3205) IE ccaret object use-after-free
This module exploits a use-after-free vulnerability found in Internet Explorer,
specifically in how the browser handles the caret (text cursor) object. In IE's
standards mode, the caret handling's vulnerable state can be triggered by first
setting up an editable page with an input field, and then we can force the caret
to update in an onbeforeeditfocus event by setting the body's innerHTML property.
In this event handler, mshtml!CCaret::`vftable' can be freed using a document.write()
function, however, mshtml!CCaret::UpdateScreenCaret remains unaware aware of this
change, and still uses the same reference to the CCaret object. When the function
tries to use this invalid reference to call a virtual function at offset 0x2c, it
finally results a crash. Precise control of the freed object allows arbitrary code
execution under the context of the user.

The vuln works against IE8 on Win 7, but the current version of the custom spray
doesn't actually work well against that target. More work is needed before we can
add that target for sure.  The reason a custom spray is needed is because the
document.write() function erases the typical spray routines we use like
js_property_spray, or the heaplib + substring one.  Tried using an iframe too,
but onbeforeeditfocus event doesn't seem to work well in an iframe (does not
fire when innerHTML is used.)
2013-09-20 10:20:35 -05:00
sinn3r 4847976995 Update information about original discovery
Update info about original discovoery. See #2337 too.
2013-09-13 10:42:11 -05:00
sinn3r 0ee0168556 Retabbed
One kills a man, one is an assassin; one kills millions, one is a
conqueror; one kills a tab, one is a Metasploit dev.
2013-09-09 10:01:01 -05:00
sinn3r 6ab905e9e0 Less alignment 2013-09-09 09:39:02 -05:00
sinn3r 992bdcf530 Not from the future 2013-09-09 00:36:28 -05:00
sinn3r c3db41334b Add MS13-055 Internet Explorer Use-After-Free Vulnerability
In IE8 standards mode, it's possible to cause a use-after-free condition by first
creating an illogical table tree, where a CPhraseElement comes after CTableRow,
with the final node being a sub table element. When the CPhraseElement's outer
content is reset by using either outerText or outerHTML through an event handler,
this triggers a free of its child element (in this case, a CAnchorElement, but
some other objects apply too), but a reference is still kept in function
SRunPointer::SpanQualifier. This function will then pass on the invalid reference
to the next functions, eventually used in mshtml!CElement::Doc when it's trying to
make a call to the object's SecurityContext virtual function at offset +0x70, which
results a crash. An attacker can take advantage of this by first creating an
CAnchorElement object, let it free, and then replace the freed memory with another
fake object. Successfully doing so may allow arbitrary code execution under the
context of the user.

This bug is specific to Internet Explorer 8 only. It was originally discovered by
Orange Tsai at Hitcon 2013, but was silently patched in the July 2013 update, so
no CVE as of now.
2013-09-08 20:02:23 -05:00
Tab Assassin 84aaf2334a Retab new material 2013-09-03 11:47:26 -05:00
Tab Assassin 0c1e6546af Update from master 2013-09-03 11:45:39 -05:00
Tod Beardsley ca8dacb93b Minor module description updates for grammar. 2013-09-03 10:31:45 -05:00
sinn3r 0736677a01 Land #2299 - Add powershell support & removes ADODB.Stream requirement 2013-08-31 00:32:23 -05:00
Tab Assassin 41e4375e43 Retab modules 2013-08-30 16:28:54 -05:00
jvazquez-r7 5b32c63a42 Land #2308, @wchen-r7's exploit for MS13-059 2013-08-30 10:59:36 -05:00
jvazquez-r7 ea8cd2dc46 Update authors list 2013-08-30 10:52:39 -05:00
sinn3r a283f1d4fa Correct module title 2013-08-30 10:50:35 -05:00
sinn3r f4e09100bd Correct file name 2013-08-30 10:50:05 -05:00
sinn3r 38dbab9dd0 Fix typos 2013-08-30 10:43:26 -05:00
sinn3r 0a1b078bd8 Add CVE-2013-3184 (MS13-058) CFlatMarkupPointer Use After Free
Please see module description for more info.
2013-08-30 03:16:28 -05:00
jvazquez-r7 657be3a3d9 Fix typo 2013-08-29 14:42:59 -05:00
jvazquez-r7 4a6bf1da7f Add module for ZDI-13-207 2013-08-29 14:09:45 -05:00
Meatballs a12f5092dd Encode the powershell cmd 2013-08-28 22:37:11 +01:00
Meatballs aa0563244b Update unsafe scripting module 2013-08-28 22:30:46 +01:00
sinn3r b0226cab79 Land #2290 - HP LoadRunner lrFileIOService ActiveX Vulnerability 2013-08-27 11:19:43 -05:00
jvazquez-r7 f59f57e148 Randomize object id 2013-08-27 10:35:06 -05:00
jvazquez-r7 66fa1b41aa Fix logic to spray correctly IE9 2013-08-27 09:57:55 -05:00
jvazquez-r7 f8d1d29648 Add module for ZDI-13-182 2013-08-25 23:07:08 -05:00
jvazquez-r7 82cf812311 Switch to PrependMigrate 2013-08-24 10:46:04 -05:00
jvazquez-r7 ff6ad30be0 Add module for ZDI-13-006 2013-08-22 18:15:35 -05:00
HD Moore 6c1ba9c9c9 Switch to Failure vs Exploit::Failure 2013-08-15 14:14:46 -05:00
jvazquez-r7 31cbc270fd Favor unless over if for negative condition 2013-08-13 08:46:12 -05:00
jvazquez-r7 bc9a26d4ee Fix condition 2013-08-12 23:05:26 -05:00
jvazquez-r7 0f975da5f4 Update target info and something else... 2013-08-07 16:00:06 -05:00
jvazquez-r7 d1beb313f6 Add module for 2013-1690 2013-08-07 15:36:54 -05:00
Tod Beardsley 7e539332db Reverting disaster merge to 593363c5f with diff
There was a disaster of a merge at 6f37cf22eb that is particularly
difficult to untangle (it was a bad merge from a long-running local
branch).

What this commit does is simulate a hard reset, by doing thing:

 git checkout -b reset-hard-ohmu
 git reset --hard 593363c5f9
 git checkout upstream-master
 git checkout -b revert-via-diff
 git diff --no-prefix upstream-master..reset-hard-ohmy > patch
 patch -p0 < patch

Since there was one binary change, also did this:

 git checkout upstream-master data/exploits/CVE-2012-1535/Main.swf

Now we have one commit that puts everything back. It screws up
file-level history a little, but it's at least at a point where we can
move on with our lives. Sorry.
2013-07-29 21:47:52 -05:00
jvazquez-r7 05be76ecb7 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-07-29 16:41:22 -05:00
Tod Beardsley 37312f2aa9 Module, singular 2013-07-29 10:58:36 -05:00
Tod Beardsley 11e9cca855 Spelling and description touch ups. 2013-07-29 10:57:19 -05:00
jvazquez-r7 47c21dfe85 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-07-24 11:42:11 -05:00
jvazquez-r7 b0c17fdebc Land #2002, @jlee-r7's patch for better handling uri resources 2013-07-23 15:49:21 -05:00
jvazquez-r7 99a345f8d1 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-07-22 13:54:26 -05:00
Tod Beardsley 164153f1e6 Minor updates to titles and descriptions 2013-07-22 13:04:54 -05:00
jvazquez-r7 bdfad076b4 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-07-18 15:43:58 -05:00
jvazquez-r7 efb8591a49 Update apple_quicktime_rdrf references 2013-07-18 13:57:31 -05:00
jvazquez-r7 52079c960f Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-07-18 12:52:42 -05:00
sinn3r b94cde1d65 Name change for pyoor 2013-07-18 10:50:25 -05:00
jvazquez-r7 104edd8e93 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-07-18 10:38:53 -05:00
jvazquez-r7 bf023f261a Delete comma 2013-07-17 20:46:03 -05:00
jvazquez-r7 7ee4855345 Fix msftidy and delete duplicate stack adjustment 2013-07-17 20:45:54 -05:00
sinn3r 6713fb1609 Fix typos 2013-07-17 18:06:40 -05:00
sinn3r 9ae7c80b15 Add more targets plus some other corrections 2013-07-17 14:43:41 -05:00
sinn3r c85b994c07 Add CVE-2013-1017: Apple Quicktime Invalid Atom Length BoF
This module exploits a vulnerability found in Apple Quicktime. The
flaw is triggered when Quicktime fails to properly handle the data
length for certain atoms such as 'rdrf' or 'dref' in the Alis record,
which may result a buffer overflow by loading a specially crafted .mov
file, and allows arbitrary code execution under the context of the user.
2013-07-17 13:45:05 -05:00
jvazquez-r7 6e44cb56bf Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-07-03 12:44:47 -05:00
sinn3r 7ef5695867 [FixRM:#8129] - Remove invalid metasploit.com references
These "metasploit.com" references aren't related to the vulns,
shouldn't be in them.
2013-07-03 11:52:10 -05:00
jvazquez-r7 90b30dc317 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-06-26 14:31:52 -05:00
Steve Tornio 6ea622c45e reference updates 2013-06-26 09:44:56 -05:00
jvazquez-r7 7ab4d4dcc4 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-06-25 17:34:29 -05:00
Steve Tornio 5b71013dde reference updates 2013-06-25 13:41:22 -05:00
jvazquez-r7 0c306260be Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-06-25 09:13:01 -05:00
sinn3r 4df943d1a2 CVE and OSVDB update 2013-06-25 02:06:20 -05:00
James Lee 2c12a43e77 Add a method for dealing with hardcoded URIs 2013-06-21 15:48:02 -05:00
jvazquez-r7 ae1a3e3ca1 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-06-17 20:39:31 -05:00
Tod Beardsley 4ca9a88324 Tidying up grammar and titles 2013-06-17 16:49:14 -05:00
jvazquez-r7 11bf17b0d6 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-06-15 11:55:22 -05:00
sinn3r 2abf70a1ca Lower ranking for MS13-009
We haven't been able to make this one more reliable, so todb suggests
we lower the ranking first.
2013-06-14 15:24:43 -05:00
jvazquez-r7 2d083be8e7 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-06-14 13:28:44 -05:00
sinn3r 0d384d23b8 Land #1954 - Fix resource_uri and mp4 file path 2013-06-14 13:15:17 -05:00
jvazquez-r7 060261bb3b Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-06-14 13:15:13 -05:00
sinn3r 933ac88b44 Missing the file param that's needed to download the mp4 2013-06-14 13:13:48 -05:00
sinn3r d2df3234f4 Land #1955 - mozilla_mchannel.rb undefined agent variable 2013-06-14 11:14:20 -05:00
sinn3r 223807d0df Land #1956 - fix regex error for mozilla_reduceright.rb 2013-06-14 11:09:49 -05:00
jvazquez-r7 95118895d6 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-06-13 13:05:42 -05:00
jvazquez-r7 81813a78fc Fix module Name 2013-06-13 11:55:23 -05:00
jvazquez-r7 707bc33148 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-06-13 10:17:28 -05:00
jvazquez-r7 eaba8e7b59 up to date 2013-06-12 15:44:00 -05:00
jvazquez-r7 afb2f83238 Add module for CVE-2012-1533 2013-06-12 14:40:53 -05:00
jvazquez-r7 c38eabe481 Fix description, code and perform test 2013-06-12 11:07:03 -05:00
jvazquez-r7 5c8053491f Add DEP bypass for ntdll ms12-001 2013-06-12 10:41:05 -05:00
jvazquez-r7 a1c7961cbc Suport js obfuscation for the trigger 2013-06-12 08:06:12 -05:00
jvazquez-r7 5240c6e164 Add module for MS13-037 CVE-2013-2551 2013-06-12 07:37:57 -05:00
jvazquez-r7 9ea58ba165 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-06-11 10:40:01 -05:00
sinn3r 081baad68c Remove variable 'overflow' because it's not used
The 'overflow' variable isn't needed
2013-06-11 02:26:45 -05:00
Ruslaideemin ca0ab8d6ee maxthon_history_xcs.rb - fix User-agent string
request.headers['User-agent'] is incorrect, it should be
request.headers['User-Agent'].

Downloaded following version from oldapps.com to confirm
the exploit code is wrong.

Supported Systems Windows 98, 2000 (Maxthon 2.5.15 Build
  1000), XP, Vista, 7, 8
MD5 Checksum F3791637C886A46940876211209F82F4
SHA1 Checksum 039BB218245E5DC1BAB0F57298C68AC487F86323

Release Date 20 October, 2011 (2 years ago )
2013-06-11 13:37:21 +10:00
Ruslaideemin 4e41e871bb mozilla_reduceright.rb - fix regex error.
[] is character class, and will match on 1, 6, 7, and |.
Where as (16|17) will match on either 16, or 17.

irb(main):053:0> y = /Firefox\/3\.6\.[16|17]/
=> /Firefox\/3\.6\.[16|17]/
irb(main):054:0> x = "Firefox/3.6.13"
=> "Firefox/3.6.13"
irb(main):055:0> x =~ y
=> 0
irb(main):056:0> y = /Firefox\/3\.6\.(16|17)/
=> /Firefox\/3\.6\.(16|17)/
irb(main):057:0> x =~ y
=> nil
2013-06-11 11:52:27 +10:00
Ruslaideemin 996171b35f mozilla_mchannel.rb undefined agent variable
If the TARGET is chosen instead of using the default
automatic, the agent variable will be undefined, which
causes the exploit to fail.
2013-06-11 10:43:47 +10:00
jvazquez-r7 72b871d762 up to date 2013-06-10 16:37:05 -05:00
Ruslaideemin d91b412661 adobe_flash_sps.rb - resource_uri vs get_resource
resource_uri will randomize the returned uri unless
datastore['URIPATH"] is set.

get_resource will return the currently used reosurce_uri

Since the incorrect type is used, this exploit is completely broken.

Tested fix with both URIPATH set to / and unset, and it works after
redirect.
2013-06-11 07:13:02 +10:00
jvazquez-r7 9c44ea0c61 up to date 2013-06-10 13:02:01 -05:00
jvazquez-r7 b20a38add4 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-06-10 12:22:52 -05:00
Tod Beardsley f58e279066 Cleanup on module names, descriptions. 2013-06-10 10:52:22 -05:00
jvazquez-r7 9c27a294cb Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-06-07 13:01:37 -05:00
sinn3r ea2895ac13 Change to AverageRanking
Just to play with the firing order for Browser Autopwn, this one
should fire as late as possible.
2013-06-07 12:08:51 -05:00
sinn3r 9c7b446532 Updates description about default browser setting 2013-06-07 11:58:31 -05:00
sinn3r f3421f2c3a Fix different landings 2013-06-07 10:26:04 -05:00
sinn3r e559824dc8 Remove whitespace 2013-06-06 20:08:50 -05:00
sinn3r d3e57ffc46 Add OSVDB-93754: Synactis PDF In-The-Box ConnectToSynactic Stack Buffer Overflow
This module exploits a vulnerability found in Synactis' PDF In-The-Box ActiveX
component, specifically PDF_IN_1.ocx.  When a long string of data is given
to the ConnectToSynactis function, which is meant to be used for the ldCmdLine
argument of a WinExec call, a strcpy routine can end up overwriting a TRegistry
class pointer saved on the stack, and results in arbitrary code execution under the
context of the user.
2013-06-06 20:05:08 -05:00
jvazquez-r7 a5f9ed890b Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-06-03 16:23:12 -05:00
jvazquez-r7 30a019e422 Land #1891, @wchen-r7's improve for ie_cgenericelement_uaf 2013-06-03 15:35:43 -05:00
jvazquez-r7 4079484968 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-06-03 15:27:36 -05:00
sinn3r cc951e3412 Modifies the exploit a little for better stability
This patch makes sure the LFH is enabled before the CGenericElement
object is created.  Triggers is also modified a little.
2013-06-02 03:02:42 -05:00
jvazquez-r7 5939ca8ce4 Add analysis at the end of the module 2013-06-01 15:59:17 -05:00
jvazquez-r7 9be8971bb0 Add module for ZDI-13-094 2013-06-01 15:44:01 -05:00
jvazquez-r7 d42ac02e3e Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-05-31 23:01:05 -05:00
jvazquez-r7 f8e9535c39 Add ZDI reference 2013-05-31 20:50:53 -05:00
jvazquez-r7 66ea59b03f Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-05-28 15:22:46 -05:00
jvazquez-r7 e678b2c5d8 Add module for CVE-2012-5946 2013-05-26 00:21:20 -05:00
jvazquez-r7 0dee5ae94d Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-05-22 12:54:44 -05:00
James Lee f4498c3916 Remove $Id tags
Also adds binary coding magic comment to a few files
2013-05-20 16:21:03 -05:00
jvazquez-r7 352a7afcd6 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-05-14 22:29:24 -05:00
sinn3r e1111928c2 Adds patch info for ie_cgenericelement_uaf
This one is MS13-038
2013-05-14 14:55:02 -05:00
jvazquez-r7 01ce751c51 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-05-12 17:08:14 -05:00
sinn3r 7fcf20201b Ranking should be the same (to GoodRanking) 2013-05-11 09:19:25 -05:00
jvazquez-r7 823d89935a Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-05-09 12:36:43 -05:00
sinn3r 9043eeda66 A slight change for stability
While updating ie_cgenericelement_uaf earlier today, I noticed the
changes made it a tiny bit less stable. Juan's test log in #1809
also kinda shows that (with the first attempt failing), so I decided
to go back and move the string crafting part, that way between
CollectGarbage() and the overwrite, there is less noise, and hopefully
more stable.  I did a few tests, seems better.
2013-05-08 20:02:55 -05:00
jvazquez-r7 866fa167ab Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-05-08 16:29:52 -05:00
sinn3r 9a1400a75b Forgot to remove this print_warning 2013-05-08 15:44:04 -05:00
sinn3r 075f6e8d45 Updates ROP chain and mstime_malloc usage 2013-05-08 15:42:45 -05:00
sinn3r c7609ac7d1 Initial update 2013-05-08 14:24:52 -05:00
jvazquez-r7 425a16c511 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-05-05 22:00:07 -05:00
Tod Beardsley 8239998ada Typo on URL for #1797. Thx @Meatballs1 2013-05-05 12:26:06 -05:00
Tod Beardsley c9ea7e250e Fix disclosure date, ref for #1897 2013-05-05 12:13:02 -05:00
sinn3r a33510e821 Add MS IE8 DoL 0day exploit (CVE-2013-1347)
This module exploits a use-after-free vuln in IE 8, used in the
Department of Labor attack.
2013-05-05 12:04:17 -05:00
jvazquez-r7 796f7a39ac Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-05-02 20:04:48 -05:00
jvazquez-r7 a2e1fbe7a9 Make msftidy happy 2013-05-02 19:46:26 -05:00
sinn3r eb23b5feeb Forgot to remove function ie8_smil. Don't need this anymore. 2013-05-02 14:04:15 -05:00
sinn3r 329e8228d1 Uses js_mstime_malloc to do the no-spray technique 2013-05-02 14:00:15 -05:00
jvazquez-r7 38e41f20fe Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-04-24 13:24:13 -05:00
sinn3r cae30bec23 Clean up all the whitespace found 2013-04-23 18:27:11 -05:00
jvazquez-r7 6cd6a7d6b9 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-03-28 12:16:18 +01:00
jvazquez-r7 0109d81c95 fix typo 2013-03-27 17:39:18 +01:00
jvazquez-r7 c225d8244e Added module for CVE-2013-1493 2013-03-26 22:30:18 +01:00
jvazquez-r7 393d5d8bf5 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-03-25 19:09:42 +01:00
Nathan Einwechter 89c0e8c27e Fix add_resource call in adobe_flas_mp5_cprt 2013-03-22 19:27:02 -04:00
Patrick Webster 5312c58c72 Added BID for ms09_002_memory_corruption. 2013-03-12 16:57:47 +01:00
Patrick Webster 56bb907f9f Fixed exceptions in ms05_054_onload exploit module. 2013-03-12 16:57:47 +01:00
jvazquez-r7 74b58185cd up to date 2013-03-12 16:48:11 +01:00
Tod Beardsley 2f95d083e8 Updating URL for Honewell EBI exploit 2013-03-11 13:35:58 -05:00
Tod Beardsley 23972fbebc Merge branch 'release' 2013-03-11 13:08:30 -05:00
Tod Beardsley d81d9261e7 Adding Honeywell exploit. 2013-03-11 13:03:59 -05:00
James Lee 2160718250 Fix file header comment
[See #1555]
2013-03-07 17:53:19 -06:00
sinn3r 2b65cfa5ab Minor changes 2013-02-22 21:02:19 -06:00
jvazquez-r7 5b16e26f82 change module filename 2013-02-21 20:05:13 +01:00
jvazquez-r7 b4f4cdabbc cleanup for the module 2013-02-21 20:04:05 +01:00
Jeff Jarmoc ade2c9ef56 msftidy - fix line endings. 2013-02-14 11:42:02 -06:00
Jeff Jarmoc 4c90cacffe Send iframe when URIPATH isnt '/' 2013-02-14 11:23:08 -06:00
Jeff Jarmoc 947aa24d44 MS13-009 / CVE-2013-0025 ie_slayout_uaf.rb by Scott Bell 2013-02-14 11:18:19 -06:00
sinn3r 4074a12fd7 Randomize some gadgets 2013-02-13 14:12:52 -06:00
jvazquez-r7 f58cc6a2e0 more fix version info 2013-02-12 18:51:04 +01:00
jvazquez-r7 96b1cb3cfb fix version info 2013-02-12 18:50:36 +01:00
jvazquez-r7 69267b82b0 Make stable #1318 foxit reader exploit 2013-02-12 18:44:19 +01:00
jvazquez-r7 17b349ab50 added crash to comments 2013-02-09 17:49:57 +01:00
jvazquez-r7 5b576c1ed0 fix ident and make happy msftidy 2013-02-09 17:40:45 +01:00
sinn3r b706af54a0 Merge branch 'ovftool_format_string_browser' of github.com:jvazquez-r7/metasploit-framework into jvazquez-r7-ovftool_format_string_browser 2013-02-05 15:12:24 -06:00
jvazquez-r7 9ce5f39bc6 added migrate as initial script 2013-02-04 16:42:56 +01:00
jvazquez-r7 e0d4bb5799 Added module for cve-2012-3569, browser version 2013-02-04 16:37:42 +01:00
Tod Beardsley e8def29b4f Dropping all twitter handles
Also adds "pbot" as an accepted lowercase word. This will come up pretty
routinley for functions and stuff.
2013-02-01 16:33:52 -06:00
sinn3r 04b35a38ff Update MSB ref 2013-01-14 14:59:32 -06:00
jvazquez-r7 5901058a61 Merge branch 'ms11_081' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-ms11_081 2013-01-09 23:24:14 +01:00
sinn3r f3b88d34c1 Add MS11-081 2013-01-09 15:52:33 -06:00
jvazquez-r7 736f8db6c0 Deleting from browser autopwn 2013-01-09 09:58:20 +01:00
jvazquez-r7 377905be7f Avoid FileDropper in this case 2013-01-09 09:15:38 +01:00
jvazquez-r7 52982c0785 Added BrowserAutopwn info 2013-01-08 19:53:34 +01:00
jvazquez-r7 0e475dfce1 improvements and testing 2013-01-08 19:43:58 +01:00
jvazquez-r7 b2575f0526 Added module for OSVDB 76681 2013-01-08 17:46:31 +01:00
Christian Mehlmauer 6654faf55e Msftidy fixes 2013-01-04 09:29:34 +01:00
Christian Mehlmauer 8f2dd8e2ce msftidy: Remove $Revision$ 2013-01-04 00:48:10 +01:00
Christian Mehlmauer 25aaf7a676 msftidy: Remove $Id$ 2013-01-04 00:41:44 +01:00
sinn3r 6fd35482cc This exploit should be in browser auto pwn 2013-01-03 14:45:00 -06:00
sinn3r 06b937ec11 Implements WTFUzz's no-spray technique
Do not try to bend the spoon, that is impossible. Instead, only
try to realize the truth: there is no spoon.
2013-01-03 11:57:47 -06:00
sinn3r 38157b86a9 Merge branch 'master' of git://github.com/rapid7/metasploit-framework 2012-12-31 11:15:44 -06:00
sinn3r f7543e18fe Your def of commit apparently is a little different than mine, git. 2012-12-31 00:35:13 -06:00
sinn3r 2b3f7c4430 Module rename
Sorry, Tod, this must be done.
2012-12-31 00:29:19 -06:00
sinn3r 5703274bc4 Merge branch 'master' of git://github.com/rapid7/metasploit-framework 2012-12-30 20:34:57 -06:00
sinn3r 1084334d5e Randomness 2012-12-30 20:34:14 -06:00
sinn3r 7cb42a5eb4 Add BID ref 2012-12-30 18:14:22 -06:00
sinn3r cc52e2c533 Where's Juan's name? 2012-12-30 12:58:16 -06:00
jvazquez-r7 14f21c0a29 using the rop as expected 2012-12-30 16:13:48 +01:00
jvazquez-r7 eed5a74f32 description updated and reference added 2012-12-30 16:08:01 +01:00
Christian Mehlmauer f7d6594314 re-deleted comma 2012-12-30 13:39:14 +01:00
jvazquez-r7 6be8ed6168 readd fix for #1219 2012-12-30 13:25:42 +01:00
jvazquez-r7 cd58cc73d9 fixed rop chain for w2003 2012-12-30 13:12:55 +01:00
Christian Mehlmauer cab84b5c27 Fix for issue #1219 2012-12-30 13:02:13 +01:00
Christian Mehlmauer dcf018c339 Comma 2012-12-30 12:54:44 +01:00
Christian Mehlmauer 14d197eeb2 Added Windows Server 2003 2012-12-30 11:35:29 +01:00
jvazquez-r7 6cb9106218 Added module for CVE-2012-4792 2012-12-30 01:46:56 +01:00
sinn3r eb2037bdba Merge branch 'inotes_dwa85w_bof' of git://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-inotes_dwa85w_bof 2012-12-28 12:16:06 -06:00
jvazquez-r7 9ffb0dcf79 switch to some random data 2012-12-28 12:48:36 +01:00
jvazquez-r7 8f62cd5561 swith to some random data 2012-12-28 12:47:20 +01:00
jvazquez-r7 af61438b0b added module for zdi-12-132 2012-12-28 11:45:32 +01:00
jvazquez-r7 8ea5c993a2 added module for zdi-12-134 2012-12-28 11:44:30 +01:00
sinn3r 6a3bf6a2a6 Merge branch 'master' of git://github.com/rapid7/metasploit-framework 2012-12-24 17:57:02 -06:00
sinn3r 38f0886058 James has more modules that need to be updated.
e-mail update.
2012-12-24 17:51:58 -06:00
jvazquez-r7 4c897c5181 added module for ZDI-12-154 2012-12-24 16:23:19 +01:00