Commit Graph

20552 Commits (59a201a8d350a43a66b09efb6bb48705701bcfa6)

Author SHA1 Message Date
jvazquez-r7 59a201a8d3 Land #2334, @tkrpata and @jvennix-r7's patch for sudo_password_bypass 2013-09-20 17:01:19 -05:00
jvazquez-r7 fb8d0dc887 Write the return 2013-09-20 17:00:07 -05:00
sinn3r b6c7116890 Land #1778 - Mimikatz Fix for table.print and x86 warning 2013-09-20 16:13:53 -05:00
sinn3r ace8e85227 Land #2403 - Complete CmdStagerEcho code doc 2013-09-20 15:03:46 -05:00
jvazquez-r7 4ad9bd53f0 Land #2354, @jlee-r7's patch for loading problems on test post modules 2013-09-20 13:44:10 -05:00
jvazquez-r7 87f75e1065 Complete CmdStagerEcho code doc 2013-09-20 13:24:53 -05:00
jvazquez-r7 29649b9a04 Land #2388, @dummys's exploit for CVE-2013-5696 2013-09-20 13:03:01 -05:00
jvazquez-r7 8922d0fc7f Fix small bugs on glpi_install_rce 2013-09-20 13:01:41 -05:00
jvazquez-r7 b24ae6e80c Clean glpi_install_rce 2013-09-20 12:58:23 -05:00
sinn3r bb7b57cad9 Land #2370 - PCMAN FTP Server post-auth stack buffer overflow 2013-09-20 12:29:10 -05:00
sinn3r feb76ea767 Modify check
Since auth is required, check function needs to look into that too
2013-09-20 12:28:21 -05:00
sinn3r 2d6c76d0ad Rename pcman module
Because this is clearly a msf module, we don't need 'msf' as a
filename. The shorter the better.
2013-09-20 12:18:24 -05:00
sinn3r 6690e35761 Account for username length
Username is part of the overflowing string, need to account for that
2013-09-20 12:17:34 -05:00
sinn3r 9d67cbb4db Retabbed 2013-09-20 11:58:53 -05:00
sinn3r 85152c4281 Land #2400 - Add OSVDB reference for openemr_sqli_privesc_upload 2013-09-20 10:39:06 -05:00
jvazquez-r7 ec393cfcc0 Land #2401, @wchen-r7's exploit for cve-2013-3205 2013-09-20 10:29:02 -05:00
jvazquez-r7 6f5e528699 Remove author, all the credits go to corelanc0der and sinn3r 2013-09-20 10:27:37 -05:00
sinn3r 83f54d71ea Add MS13-069 (CVE-2013-3205) IE ccaret object use-after-free
This module exploits a use-after-free vulnerability found in Internet Explorer,
specifically in how the browser handles the caret (text cursor) object. In IE's
standards mode, the caret handling's vulnerable state can be triggered by first
setting up an editable page with an input field, and then we can force the caret
to update in an onbeforeeditfocus event by setting the body's innerHTML property.
In this event handler, mshtml!CCaret::`vftable' can be freed using a document.write()
function, however, mshtml!CCaret::UpdateScreenCaret remains unaware aware of this
change, and still uses the same reference to the CCaret object. When the function
tries to use this invalid reference to call a virtual function at offset 0x2c, it
finally results a crash. Precise control of the freed object allows arbitrary code
execution under the context of the user.

The vuln works against IE8 on Win 7, but the current version of the custom spray
doesn't actually work well against that target. More work is needed before we can
add that target for sure.  The reason a custom spray is needed is because the
document.write() function erases the typical spray routines we use like
js_property_spray, or the heaplib + substring one.  Tried using an iframe too,
but onbeforeeditfocus event doesn't seem to work well in an iframe (does not
fire when innerHTML is used.)
2013-09-20 10:20:35 -05:00
jvazquez-r7 bad6f2279d Add OSVDB reference for openemr_sqli_privesc_upload 2013-09-20 09:41:23 -05:00
dummys 032b9115a0 removed the old exploit 2013-09-20 10:53:52 +02:00
dummys 187ab16467 many change in the code and replace at the correct place the module 2013-09-20 10:45:10 +02:00
Rick Flores (nanotechz9l) 7d17eef7a7 Updated several msftidy [WARNING] Spaces at EOL issues. 2013-09-19 20:35:08 -07:00
sinn3r c3976e8315 Land #2364 - Update retab util 2013-09-19 22:24:45 -05:00
sinn3r 955365d605 Land #2391 - MS13-071 Microsoft Windows Theme File Handling Vulnerability 2013-09-19 22:21:09 -05:00
sinn3r 0eb838156b Land #2390 - Use payload.encoded because BadChars are defined 2013-09-19 22:10:55 -05:00
sinn3r 9598853fee Land #2389 - Fix use of Rex sockets from dlink modules 2013-09-19 22:09:53 -05:00
sinn3r 4abdf5ed15 Land #2398 - Use https://rubygems.org 2013-09-19 22:08:26 -05:00
sinn3r 2569259180 Land #2397 - cmd injection in Linksys WRT110 web interface. 2013-09-19 22:06:19 -05:00
sinn3r 8d70a9d893 Add more refs 2013-09-19 22:05:23 -05:00
Alexia Cole 262b44ff2f Use HTTPS in our Gemfile. 2013-09-20 08:06:48 +07:00
Joe Vennix 137b3bc6ea Fix whitespace issues. 2013-09-19 17:29:11 -05:00
Joe Vennix bd96c6c093 Adds module for CVE-2013-3568. 2013-09-19 17:26:30 -05:00
jvazquez-r7 46a241b168 Fix my own cleanup 2013-09-19 14:51:22 -05:00
Tod Beardsley e9e1b28ba8
Land #2371, echo -e cmd stager 2013-09-19 14:47:39 -05:00
dummys 08c7b49be0 corrected too much if 2013-09-19 21:47:01 +02:00
jvazquez-r7 31903be393 Land #2380, @xistence exploit for EDB 28329 2013-09-19 14:42:27 -05:00
jvazquez-r7 cb737525b1 Final cleanup for openemr_sqli_privesc_upload 2013-09-19 14:40:57 -05:00
jvazquez-r7 76e170513d Do first clean on openemr_sqli_privesc_upload 2013-09-19 14:36:25 -05:00
jvazquez-r7 cf0375f7e6 Fix check return value 2013-09-19 14:17:45 -05:00
dummys 862a8fb8aa corrected indentation bug again 2013-09-19 20:27:23 +02:00
jvazquez-r7 9b486e1dbb Add comment about the smb_* methods 2013-09-19 13:23:46 -05:00
dummys ce8e94b5fe corrected indentation bug 2013-09-19 20:14:07 +02:00
jvazquez-r7 bf0f4a523f Land #2381, @xistence exploit for EDB 28330 2013-09-19 13:06:41 -05:00
jvazquez-r7 c63423ad69 Update code comment 2013-09-19 13:03:55 -05:00
jvazquez-r7 6073e6f2dc Fix use of normalize_uri 2013-09-19 12:59:37 -05:00
jvazquez-r7 b4fa535f2b Fix usage of fail_with 2013-09-19 12:45:29 -05:00
jvazquez-r7 1aba7550f9 Fix check indentation 2013-09-19 12:44:11 -05:00
jvazquez-r7 1f7c3d82c1 Refactor easy methods 2013-09-19 12:42:38 -05:00
jvazquez-r7 891a54aad7 Fix metadata 2013-09-19 12:41:13 -05:00
William Vu 628cfe8e67 Land #2393, tape_engine_8A filename disambiguation 2013-09-19 10:31:40 -05:00