Commit Graph

437 Commits (4dacc70b9ab59277cedc61ba235970955220760c)

Author SHA1 Message Date
wchen-r7 dbe31766af Update CVE-2016-0099 Powershell 2016-07-27 12:35:43 -05:00
Brent Cook b08d1ad8d8
Revert "Land #6812, remove broken OSVDB references"
This reverts commit 2b016e0216, reversing
changes made to 7b1d9596c7.
2016-07-15 12:00:31 -05:00
wchen-r7 8f928c6ca1
Land #7006, Add MS16-032 Local Priv Esc Exploit 2016-07-12 15:22:35 -05:00
wchen-r7 621f3fa5a9 Change naming style 2016-07-12 15:18:18 -05:00
Brent Cook 2b016e0216
Land #6812, remove broken OSVDB references 2016-07-11 22:59:11 -05:00
William Webb b4b3a84fa5 refactor ms16-016 code 2016-07-05 20:50:43 -05:00
khr0x40sh df1a9bee13 Move ps1, Use Env var, Fix license, New Cleanup
MS16-032 ps1 moved to external file.  This ps1 will now detect windir
to find cmd.exe.  The module now also detects windir to find
powershell.exe.  The license is now BSD_LICENSE, and the required
copyright has been moved to the ps1. The previous optional cleanup stage
 is now standard.  The optional 'W_PATH' assignment is corrected to
select the user's variable unless 'W_PATH' is nil.
2016-06-22 09:25:48 -04:00
wwebb-r7 ab27c1b701 Merge pull request #6940 from samvartaka/master
Exploit for previously unknown stack buffer overflow in Poison Ivy versions 2.1.x (possibly present in older versions too)
2016-06-08 11:25:51 -05:00
samvartaka 5260031991 Modifications based on suggestions by @wchen-r7 2016-06-08 01:17:15 +02:00
William Vu 9128ba3e57 Add popen() vuln to ImageMagick exploit
So... we've actually been sitting on this vuln for a while now. Now that
the cat's out of the bag [1], I'm updating the module. :)

Thanks to @hdm for his sharp eye. ;x

[1] http://permalink.gmane.org/gmane.comp.security.oss.general/19669
2016-06-02 11:35:37 -05:00
William Vu 2bac46097f Remove url() for MVG
Technically unnecessary here.
2016-05-05 14:18:42 -05:00
William Vu 334c432901 Force https://localhost for SVG and MVG
https: is all that's needed to trigger the bug, but we don't want wget
and curl to gripe. localhost should be a safe host to request.
2016-05-05 14:18:42 -05:00
William Vu decd770a0b Encode the entire SVG string
Because why not? Not like people care about what's around the command.
2016-05-05 14:18:42 -05:00
William Vu 232cc114de Change placeholder text to something useful
A la Shellshock. :)
2016-05-05 14:18:42 -05:00
William Vu 5c04db7a09 Add ImageMagick exploit 2016-05-05 14:18:42 -05:00
wchen-r7 816bc91e45 Resolve #6807, remove all OSVDB references.
OSVDB is no longer a vulnerability database, therefore all the
references linked to it are invalid.

Resolve #6807
2016-04-23 12:32:34 -05:00
Brent Cook 57ab974737 File.exists? must die 2016-04-21 00:47:07 -04:00
l0gan e29fc5987f Add missing stream.raw for hp_sitescope_dns_tool
This adds the missing stream.raw.
2016-03-15 11:06:06 -05:00
dmohanty-r7 eb4611642d Add Jenkins CLI Java serialization exploit module
CVE-2015-8103
2015-12-11 14:57:10 -06:00
wchen-r7 c7afe4f663
Land #5930, MS15-078 (atmfd.dll buffer overflow) 2015-09-16 15:33:38 -05:00
jvazquez-r7 9626596f85
Clean template code 2015-09-12 13:43:05 -05:00
jvazquez-r7 53f995b9c3
Do first prototype 2015-09-10 19:35:26 -05:00
wchen-r7 122d57fc20
Land #5945, Add auto-accept to osx/enum_keychain 2015-09-08 10:56:08 -05:00
joev 1b320bae6a Add auto-accept to osx/enum_keychain. 2015-09-07 21:17:49 -05:00
jvazquez-r7 b39575928e
Update reflective exploit 2015-09-03 11:01:41 -05:00
jvazquez-r7 b912e3ce65
Add exploit template 2015-09-02 17:28:35 -05:00
HD Moore 4090c2c8ea
Land #5880, adds ScriptHost UAC bypass for Win7/2008 2015-09-02 14:14:18 -05:00
wchen-r7 9364982467
Land #5665, Add osx rootpipe entitlements exploit for 10.10.3 2015-08-28 13:33:16 -05:00
wchen-r7 11db9c2112
Land #5896, Update ms15_004_tswbproxy to use a Reflective DLL 2015-08-27 17:11:26 -05:00
HD Moore a2d5511e39
Land #5379, new post modules to load into powershell sessions 2015-08-26 17:11:40 -05:00
jvazquez-r7 5d0ed797a3
Update DLL 2015-08-26 15:15:32 -05:00
Meatballs 228087dced
Initial working scripthost bypass uac 2015-08-23 20:16:15 +01:00
Meatballs 129edd8b2e
Original bypass script 2015-08-23 19:46:24 +01:00
William Vu d54249370b Move tpwn source to external/source/exploits 2015-08-17 18:27:47 -05:00
William Vu efc980074c Add tpwn exploit files 2015-08-17 17:11:07 -05:00
wchen-r7 7113c801b1
Land #5732, reliability update for adobe_flash_hacking_team_uaf 2015-07-17 16:43:39 -05:00
jvazquez-r7 255d8ed096
Improve adobe_flash_opaque_background_uaf 2015-07-16 14:56:32 -05:00
jvazquez-r7 a637921305
Update swf 2015-07-15 18:35:41 -05:00
jvazquez-r7 b504f0be8e
Update adobe_flash_hacking_team_uaf 2015-07-15 18:18:04 -05:00
jvazquez-r7 299978d0e2
Put again old exploiter 2015-07-11 00:36:32 -05:00
jvazquez-r7 63005a3b92
Add module for flash CVE-2015-5122
* Just a fast port for the exploit leaked
* Just tested on win7sp1 / IE11
2015-07-11 00:28:55 -05:00
Tod Beardsley 3d630de353
Replace with a real CVE number 2015-07-07 14:44:12 -05:00
jvazquez-r7 d9aacf2d41
Add module for hacking team flash exploit 2015-07-07 11:19:48 -05:00
joev c993c70006 Remove sleep(), clean up WritableDir usage. 2015-07-05 18:59:00 -05:00
joev a8b56bb44a Oops, need to include the binary files. 2015-07-05 18:24:45 -05:00
jvazquez-r7 1de94a6865
Add module for CVE-2015-3113 2015-07-01 13:13:57 -05:00
jvazquez-r7 ee0377ca16
Add module for CVE-2015-3105 2015-06-25 13:35:01 -05:00
OJ ae41f2bfa0 Update exploit binaries for ms15-051 2015-06-25 09:33:15 +10:00
OJ 3686accadd
Merge branch 'upstream/master' into cve-2015-1701 2015-06-22 07:52:17 +10:00
jvazquez-r7 de1542e589
Add module for CVE-2015-3090 2015-06-18 12:36:14 -05:00
wchen-r7 17b8ddc68a
Land #5524, adobe_flash_pixel_bender_bof in flash renderer 2015-06-15 02:42:16 -05:00
jvazquez-r7 72672fc8f7
Delete debug 2015-06-11 17:39:36 -05:00
jvazquez-r7 8ed13b1d1b
Add linux support for CVE-2014-0515 2015-06-11 16:18:50 -05:00
wchen-r7 ae21b0c260
Land #5523, adobe_flash_domain_memory_uaf in the flash renderer 2015-06-10 16:59:19 -05:00
wchen-r7 4c5b1fbcef
Land #5522, adobe_flash_worker_byte_array_uaf in the flash renderer 2015-06-10 14:49:41 -05:00
jvazquez-r7 7527aa4f34
Disable debug 2015-06-10 14:07:18 -05:00
jvazquez-r7 6c7ee10520 Update to use the new flash Exploiter 2015-06-10 13:52:43 -05:00
jvazquez-r7 7fba64ed14
Allow more search space 2015-06-10 12:26:53 -05:00
jvazquez-r7 ecbddc6ef8
Play with memory al little bit better 2015-06-10 11:54:57 -05:00
wchen-r7 d622c782ef
Land #5519, adobe_flash_uncompress_zlib_uninitialized in the flash renderer 2015-06-10 11:52:47 -05:00
jvazquez-r7 2b4fe96cfd Tweak Heap Spray 2015-06-10 10:56:24 -05:00
jvazquez-r7 a6fe383852
Use AS Exploiter 2015-06-10 09:32:52 -05:00
jvazquez-r7 e5d6c9a3cb Make last code cleanup 2015-06-09 16:01:57 -05:00
jvazquez-r7 cf8c6b510b
Debug version working 2015-06-09 15:46:21 -05:00
jvazquez-r7 39851d277d
Unset debug flag 2015-06-09 11:36:09 -05:00
jvazquez-r7 b7f0fad72f
Modify CVE-2014-0569 to use the flash exploitation code 2015-06-09 11:31:39 -05:00
OJ b291d41b76 Quick hack to remove hard-coded offsets 2015-06-05 13:19:41 +10:00
jvazquez-r7 02181addc5
Update CVE-2014-0556 2015-06-04 18:23:50 -05:00
wchen-r7 23df66bf3a
Land #5481, no powershell. exec shellcode from the renderer process. 2015-06-04 15:45:09 -05:00
jvazquez-r7 ab68d8429b Add more targets 2015-06-04 12:11:53 -05:00
jvazquez-r7 80cb70cacf
Add support for Windows 8.1/Firefox 2015-06-03 22:46:04 -05:00
jvazquez-r7 74117a7a52
Allow to execute payload from the flash renderer 2015-06-03 16:33:41 -05:00
OJ 455a3b6b9d
Add butchered version of CVE-2015-1701 2015-06-03 21:48:23 +10:00
jvazquez-r7 e9714bfc82
Solve conflics 2015-05-27 23:22:00 -05:00
wchen-r7 e749733eb6
Land #5419, Fix Base64 decoding on ActionScript 2015-05-27 23:13:51 -05:00
jvazquez-r7 e5d42850c1
Add support for Linux to CVE-2015-0336 2015-05-27 17:05:10 -05:00
jvazquez-r7 801deeaddf Fix CVE-2015-0336 2015-05-27 15:42:06 -05:00
jvazquez-r7 bd1bdf22b5
Fix CVE-2015-0359 2015-05-26 17:27:20 -05:00
jvazquez-r7 19c7445d9d
Fix CVE-2015-0336 2015-05-26 17:20:49 -05:00
jvazquez-r7 23d244b1fa
Fix CVE-2015-0313 2015-05-26 16:11:44 -05:00
jvazquez-r7 5c8c5aef37
Fix CVE-2014-8440 2015-05-26 16:05:08 -05:00
jvazquez-r7 d78d04e070
Fix CVE-2014-0569 2015-05-26 15:49:22 -05:00
jvazquez-r7 e0a1fa4ef6
Fix indentation 2015-05-26 15:38:56 -05:00
jvazquez-r7 1742876757
Fix CVE-2014-0556 2015-05-26 15:30:39 -05:00
jvazquez-r7 3e122fe87c
Fix b64 decoding 2015-05-26 15:15:33 -05:00
jvazquez-r7 29ccc8367b
Add More messages 2015-05-26 14:47:47 -05:00
jvazquez-r7 1bf1c37cfa
Add exception handling 2015-05-26 14:31:07 -05:00
jvazquez-r7 fb8a927941
Hardcode params 2015-05-26 14:20:43 -05:00
jvazquez-r7 f119da94ca
Add one more message 2015-05-26 14:14:38 -05:00
jvazquez-r7 15533fabe6
Log messages 2015-05-26 14:08:24 -05:00
jvazquez-r7 91357ee45b
Improve reliability 2015-05-26 13:47:33 -05:00
jvazquez-r7 f35d7a85d3
Adjust numbers 2015-05-21 15:56:11 -05:00
jvazquez-r7 80d4f3cfb0
Update swf 2015-05-21 14:55:00 -05:00
jvazquez-r7 8d6cbf0568
Make adobe_flash_uncompress_zlib_af multiplatform 2015-05-20 18:57:37 -05:00
benpturner c0b995cc97 new changes 2015-05-19 16:18:06 +01:00
benpturner b513304756 new changes 2015-05-19 15:47:30 +01:00
benpturner 0cda746bfb Updated size 2015-05-19 14:08:59 +01:00
benpturner 811c45ab90 new 2015-05-19 14:06:41 +01:00
benpturner d4798a2500 Fix spacinG 2015-05-11 09:04:03 +01:00
benpturner c916021fc5 SSL Support for Powershell Payloads 2015-05-10 21:45:59 +01:00