b79bb4726d
Go for background approach
2014-02-09 19:41:24 +00:00
038aae5adb
Run as jobs
2014-02-09 19:30:16 +00:00
1c169e2935
Uniq results
2014-02-09 17:52:06 +00:00
2cea90f931
Working remoting
2014-02-09 17:43:44 +00:00
f1959f5313
Fixup WMI
2014-02-09 11:18:15 +00:00
c37cb5075c
Merge remote-tracking branch 'upstream/master' into pr2075
2014-02-08 22:11:31 +00:00
f686385349
Remove an unnecessary VS file and modify version check.
2014-02-07 08:45:51 -05:00
cc32c877a9
Add CVE-2013-3881 win32k Null Page exploit
2014-02-06 17:23:38 -05:00
08493f2670
Merge remote-tracking branch 'upstream/master' into upgrade_psh
...
Conflicts:
lib/msf/core/post/file.rb
2014-02-03 18:02:09 +00:00
95eb758642
Initial commit
2014-02-02 19:04:38 +00:00
cdc425e4eb
Update some checks
2014-01-24 12:08:23 -06:00
e5dc6a9911
Update exploit checks
...
Progress group 1: Making sure these checks comply with the new
guidelines. Please read: "How to write a check() method" found in
the wiki.
2014-01-20 14:26:10 -06:00
c426946886
Final tidyups
2014-01-03 15:55:03 +00:00
9028060f7d
Refactor service_create
2014-01-03 15:44:59 +00:00
5adc9e93f4
Merge remote-tracking branch 'upstream/master' into extapi_service_post
2014-01-03 14:39:55 +00:00
9fb081cb2d
Add getenvs, update getenv, change extract_path use
...
Stacks of modules were using `extract_path` where it wasn't really semantically correct
because this was the only way to expand environment variables. This commit fixes that
up a bit.
Also, I changed the existing `getenv` function in `stdapi` to `getenvs`, and had it
support the splat operator. I added a `getenv` function which is used just for a
single variable and uses `getenvs` behind the scenes.
The meterpreter console `getenv` command now uses `getenvs`
2013-12-19 11:54:34 +10:00
4bddd077ec
Land #2762 - Use new ntdll railgun functions
2013-12-18 15:18:47 -06:00
3e54379b0e
Merge remote-tracking branch 'upstream/master' into wmic_post
...
Conflicts:
lib/msf/core/post/windows.rb
2013-12-18 13:40:54 +00:00
c3aee714af
shadowcopy should use service_restart
2013-12-18 12:12:34 +00:00
42bc5ab75f
Use Services calls in enable_rdp
...
Update calls to change_service_config to check success
2013-12-18 11:34:12 +00:00
55a5a7e032
Fix typo
2013-12-18 11:06:03 +00:00
bce7fab2cd
Fixup IKEEXT
2013-12-18 00:08:01 +00:00
0bac2415ca
Some post testing fixes
...
Also deprecate net escalate as it is covered by service_permissions
as a generic exploit
2013-12-18 00:00:14 +00:00
067e6d89bb
Use service_restart in IKEEXT and ServicePermissions
...
Service_restart is aggressive so should attempt to leave as Auto
2013-12-17 17:21:35 +00:00
52cb43e6a8
Fix typo
2013-12-16 20:28:49 -06:00
c2dd174e3c
Merge remote-tracking branch 'upstream/master' into extapi_service_post
2013-12-17 01:54:24 +00:00
a33721f444
service_change_config keys should match extapi
2013-12-17 01:48:09 +00:00
101e5a8ccf
Tidyup trusted_service_path
...
Use filedropper, use service exe, dont migrate
2013-12-17 01:46:45 +00:00
560080fa21
Update start_service return value
...
Add service_restart
2013-12-17 00:43:35 +00:00
f39bc0b07a
Update service_stop return
2013-12-17 00:22:37 +00:00
84759a552a
Save one variable
2013-12-16 16:49:44 -06:00
042bd4f80b
Fix ms_ndproxy to work under a sandboxed Reader
2013-12-16 16:19:17 -06:00
040619c373
Minor description changes
...
No code changes (one comment made on play_youtube to suggest xdg-open
rather than firefox for linux targets).
2013-12-16 14:57:33 -06:00
5be9622782
Tidy and constants
2013-12-16 18:35:24 +00:00
435cc9b93f
Add single quote encapsulation
...
For WMI and psh_web_delivery
2013-12-16 15:13:13 +00:00
b252e7873b
Merge remote-tracking branch 'upstream/master' into pr2075
2013-12-16 14:29:05 +00:00
87fe6ecfaa
Fixup modules
2013-12-15 18:43:55 +00:00
f10a35ed08
Use :display correctly
2013-12-15 18:28:29 +00:00
cd837ebe16
ikeext_service service_info fixup
2013-12-15 18:28:06 +00:00
c89b7cb4ee
nvidia_nvsvc service_info fixup
2013-12-15 18:20:25 +00:00
375103b930
trusted_service_path service_info fixup
2013-12-15 18:15:48 +00:00
7d7495a5dd
Large refactor of service_permissions
2013-12-15 18:00:14 +00:00
fe7852b524
Unworking refactor of serv_perm
2013-12-15 04:02:11 +00:00
2a819d4b08
Tidyup trusted_Path
...
We dont just want to escalate to SYSTEM it would be handy to know
if we can escalate to anything e.g. Domain logins etc.
2013-12-15 04:01:02 +00:00
ddf23ae8e8
Refactor service_list to return array of hashes
...
Update trusted_service_path, service_permissions,
net_runtime_modify and enum_services to handle change.
Refactor enum_services to tidy it up a bit
2013-12-15 03:00:29 +00:00
3dec7f61a5
Check in sysnative if wow64
2013-12-15 01:12:52 +00:00
2dc4faad72
Resplat license
2013-12-15 01:12:51 +00:00
8203274256
Small fixes
...
Remove " from service command if it is quoted.
Spawn SYSWOW64 notepad.
2013-12-15 01:12:51 +00:00
f2e2147065
Change unless with else to if with else
2013-12-15 01:12:50 +00:00
cff7008500
Fix final issues with merge
...
Hopefully this will be the last of the changes.
2013-12-15 01:12:50 +00:00
41c538856a
Re-add RDI mixin changes
2013-12-15 01:12:49 +00:00
db29af0f97
First batch of submodule refactorings
2013-12-15 01:12:48 +00:00
6916f7c5d2
Fixup description
2013-12-15 01:12:47 +00:00
3d1646d18e
Exit process when complete
2013-12-15 01:12:47 +00:00
dd32c2b0b8
Spawn 32bit process
2013-12-15 01:12:46 +00:00
819ba30a33
msftidy
...
Conflicts:
lib/msf/core/post/windows/services.rb
2013-12-15 01:12:46 +00:00
5eca4714c2
Renamed module
2013-12-15 01:12:46 +00:00
a930056d7f
Added service status checks to Post::Windows::Services
...
Added QueryServiceStatus to Railgun Advapi32 Definitions
Added Checks to module
Conflicts:
lib/msf/core/post/windows/services.rb
lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_advapi32.rb
2013-12-15 01:12:45 +00:00
c6623b380a
Initial commit
2013-12-15 01:12:45 +00:00
04496a539c
Fix up local wmi exploit.
2013-12-14 20:05:51 +00:00
e8396dc37a
Delete redefinition of ntdll functions on railgun
2013-12-13 16:02:47 -06:00
1ab3e891c9
Modify ms_ndproxy to use railgun additions
2013-12-13 15:54:34 -06:00
5c1ca97e21
Create a new process to host the final payload
2013-12-12 08:26:44 -06:00
eb4e3f8a32
Fix os detection
2013-12-12 07:39:19 -06:00
8b518776bc
Dont fail_with on check
2013-12-11 22:08:36 -06:00
02915c751c
Favor unless over if not and add reference
2013-12-11 16:28:09 -06:00
b6fa3f28b1
Modify description
2013-12-11 08:56:31 -06:00
c4721de4a0
Add module for CVE-2013-5065
2013-12-11 08:52:35 -06:00
0cf1b7fece
add original ask.rb
2013-12-09 14:35:31 -07:00
1d07b2bbfa
Revert "removed ask file, already in pull request 2551"
...
This reverts commit 5ceda7c042
2013-12-09 14:31:43 -07:00
9b2ae3c447
Uncomment fail_with
2013-12-05 23:21:06 +00:00
2cb991cace
Shuffle RDI stuff into more appropriate structure
...
Now broken into two modules, one for loading RDI DLLs off disk and
finding the loader function offset, and another for doing the process
specific stuff of loading into the target.
2013-12-06 08:25:24 +10:00
1e60ff91ea
Move ExitThread patching to Msf::Util::EXE
2013-12-05 17:16:14 +00:00
496b017e33
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
2013-12-05 17:09:32 +00:00
dc0f2b7291
Use ExitProcess
2013-12-05 17:08:47 +00:00
b936831125
Renamed the mixin module
2013-12-05 08:13:54 +10:00
7e8db8662e
Update name of the mixin
...
Changed `RdiMixin` to `ReflectiveDLLInjection`.
2013-12-04 22:18:29 +10:00
f79af4c30e
Add RDI mixin module
...
MSF was starting to see more modules using RDI to load binaries into
remote processes, so it made sense to create a mixin which contained
the functionality that was being used in various locations.
This commit contains the new mixin, and adjustments to all the existing
exploits and modules which use RDI.
2013-12-04 16:09:41 +10:00
915d741f86
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
...
Conflicts:
.gitmodules
external/source/ReflectiveDLLInjection
2013-11-30 19:10:04 +00:00
0b879d8f39
Comments for WfsDelay, adjustment to injection
...
I had inteded to add the `WfsDelay` as Meatballs suggested, but for locl
exploits this doesn't appear to work as expected. After speaking to HDM
we've decided to leave the sleep in there and figure out the `WsfDelay`
thing later.
This also includes a slight refactor which puts the payload and the
exploit in the same chunk of allocated memory. Minor optimisation, but
worth it.
2013-11-28 08:42:16 +10:00
defc0ebe5c
ppr_flatten_rec update, RDI submodule, and refactor
...
This commit contains a few changes for the ppr_flatten_rec local windows
exploit. First, the exploit binary itself:
* Updated to use the RDI submodule.
* Updated to build with VS2013.
* Updated to generate a binary called `ppr_flatten_rc.x86.dll`.
* Invocation of the exploit requires address of the payload to run.
Second, the module in MSF behaved a little strange. I expected it to create
a new session with system privs and leave the existing session alone. This
wasn't the case. It used to create an instance of notepad, migrate the
_existing_ session to it, and run the exploit from there. This behaviour
didn't seem to be consistent with other local exploits. The changes
include:
* Existing session is now left alone, only used as a proxy.
* New notepad instance has exploit reflectively loaded.
* New notepad instance has payload directly injected.
* Exploit invocation takes the payload address as a parameter.
* A wait is added as the exploit is slow to run (nature of the exploit).
* Payloads are executed on successful exploit.
2013-11-27 20:44:18 +10:00
cd68b10bcf
Broadcast needs a decent WfsDelay.
...
Due to the multi railgun changes. Because they return quickly but
the process is still broadcasting them the exploit thinks work has
finished...
2013-11-23 19:18:13 +00:00
6c83109422
Really fix wmi
2013-11-23 16:44:44 +00:00
c194fdc67e
Fixup WMI
...
-c doesn't like $var assignments
2013-11-23 00:31:11 +00:00
ec36cebeb4
Update cmd_psh_payloads to send the architecture.
2013-11-22 23:31:33 +00:00
622a1dccda
Update wmi to use generated powershell command line
2013-11-22 23:18:22 +00:00
9835649858
Update hwnd_broadcast to use generated powershell command line.
2013-11-22 23:04:44 +00:00
2c485c509e
Fix caps on module titles (first pass)
2013-11-15 00:03:42 -06:00
506a4d9e67
Remove genericity, x64 and renamed stuff
...
As per discussion on the github issue, the following changes were made:
* Project renamed from elevate to kitrap0d, implying that this is not
intended to be a generic local priv esc exploit container.
* Container DLL no longer generic, always calls the kitrap0d exploit.
* Removal of all x64 code and project configurations.
* Invocation of the exploit changed so that the address of the payload
is passed in to the exploit entry point. The exploit is now responsible
for executing the payload if the exploit is successful. This removes
the possibility of the payload getting executed when the exploit fails.
* Source moved to the appropriate CVE folder.
* Binary moved to the appropriate CVE folder.
* Little bit of source rejigging to tidy things up.
2013-11-14 12:22:53 +10:00
e4fc361b37
Various tidies and fixes
...
* Change ranking.
* Update references to comply with correct approach.
* Update messages to better describe what should happen.
* Update the Windows version regex to match XP.
* Update `check` function to use `unless`.
Thanks again @jvazquez-r7 for the feedback!
2013-11-13 10:38:48 +10:00
40f58ce534
Finalise the local exploit for kitrap0d
...
The exploit now properly injects the DLL using RDI and invokes the
exploit based on a parameter passed by the Ruby module. The elevate
code is 'generic' with a goal of possibly supporting more exploits
down the track.
New sessions are now created with the SYSTEM creds, rather than
modifying the existing session. This is now inline with how things
are done with other local modules.
2013-11-12 23:01:24 +10:00
82739c0315
Add extra URL for exploit detail
2013-11-11 22:07:36 +10:00
6a25ba18be
Move kitrap0d exploit from getsystem to local exploit
...
This version modifies the existing meterpreter session and bumps the privs
up to SYSTEM. However it's not how local exploits are supposed to work.
More work will be done to make this create a new session with the elevated
privs instead.
2013-11-11 17:14:40 +10:00
e488a54a06
Resplat new WMI module
2013-10-30 15:14:16 -05:00
278dff93e7
Add missing require for Msf::Exploit::Powershell
...
Thanks for the report, @mubix.
2013-10-25 21:41:24 -05:00
5ceda7c042
removed ask file, already in pull request 2551
2013-10-25 14:46:50 -07:00
84999115d7
Added PSH option if UAC is turned off
...
This will give the option to drop an exe or use psh if uac is turned
off. The lib can be used for post exploitation to drop an exe or use
powershell and then execute it with the runas command. I have used the
lib for both bypassuac and ask.
2013-10-25 14:37:12 -07:00
868b70c9ed
Added priv lib and runas lib
...
Cleaned up code with using the new lib files
2013-10-25 14:05:33 -07:00
6fdf5cab15
Update bypassuac_injection inline with latest privs lib
2013-10-23 21:15:41 +01:00
e6a2a1006f
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
...
Conflicts:
lib/msf/core/post/windows/priv.rb
modules/exploits/windows/local/bypassuac.rb
2013-10-23 21:02:32 +01:00
a06c0a9575
Merge branch 'local/ask'
2013-10-22 16:06:16 -07:00
69131323af
Merge remote-tracking branch 'upstream/master'
2013-10-22 16:05:19 -07:00
acc73dd545
Land #2282 - BypassUAC now checks if the process is LowIntegrityLevel
2013-10-22 17:16:26 -05:00
af174639cd
Land #2468 - Hwnd Broadcast Performance
2013-10-22 17:03:02 -05:00
8611a2a24c
Merge remote-tracking branch 'upstream/master' into low_integ_bypassuac
2013-10-22 21:42:36 +01:00
ba1edc6fa8
Land #2402 - Windows Management Instrumentation Local -> Peers
2013-10-22 15:39:32 -05:00
9695b2d662
Added check method
...
The method checks to see if the user is a part of the admin group. If
the user is the exploit continues, if not the exploit stops because it
will prompt the user for a password instead of just clicking ok.
2013-10-21 11:57:50 -07:00
1599d1171d
Land #2558 - Release fixes
2013-10-21 13:48:11 -05:00
c1954c458c
Just warn, don't bail
...
Even if the OS detection returns non-Win7, maybe it's Win 8 or something
where it'll still work. We rarely bail out on checks like these.
If I'm crazy, feel free to skip or revert this commit (it shouldn't hold
up the release at all)
For details on this module, see #2503 . I don't see any comments about
this line in particular
2013-10-21 13:39:45 -05:00
bce8d9a90f
Update license comments with resplat.
2013-10-21 13:36:15 -05:00
032da9be10
Land #2426 - make use of Msf::Config.data_directory
2013-10-21 13:07:33 -05:00
6881774c03
Updated with comments from jlee-r7 and Meatballs1
...
Added fail_with instead of just print_error
figured a way to execute the cmd_psh_payload with out using gsub
added case statment for datastore['TECHNIQUE']
2013-10-20 01:15:51 -07:00
6de279733c
Merge branch 'local/ask'
2013-10-19 10:51:55 -07:00
a5dc75a82e
Added PSH option to windows/local/ask exploit
...
Gives you the ability to use powershell to 'ask' for admin rights if the
user has them. Using powershell makes the pop up blue instead of orange
and states that the company is Microsoft, it also doesn't drop an exe
on the system. Looks like 32 bit https works but if you migrate out you
loose priv and if you run cachedump the session hangs.
2013-10-19 00:15:38 -07:00
4e4d0488ae
Rubyfy constants in privs lib
2013-10-18 18:26:07 +01:00
55426882d4
Further bypassuac tidyup
2013-10-18 00:08:06 +01:00
e450e34c7e
Merge branch 'master' of github.com:rapid7/metasploit-framework into low_integ_bypassuac
...
Conflicts:
modules/exploits/windows/local/bypassuac.rb
2013-10-17 23:35:36 +01:00
5a662defac
Post::Privs uses Post::Registry methods
2013-10-17 23:28:07 +01:00
b3cc9f6f1e
Use sysnative to delete the cryptbase.dll when in SYSWOW64 process.
...
Merge branch 'master' of github.com:Meatballs1/metasploit-framework into bypassuac_redo
Conflicts:
modules/exploits/windows/local/bypassuac.rb
2013-10-17 21:01:57 +01:00
07ab53ab39
Merge from master to clear conflict
...
Conflicts:
modules/exploits/windows/brightstor/tape_engine_8A.rb
modules/exploits/windows/fileformat/a-pdf_wav_to_mp3.rb
2013-10-17 13:29:24 -05:00
a54b4c7370
Land #2482 , use runas when UAC is DoNotPrompt
2013-10-16 17:51:11 -05:00
5d86ab4ab8
Catch mis-formatted bracket comments.
2013-10-15 14:52:12 -05:00
c83262f4bd
Resplat another common boilerplate.
2013-10-15 14:07:48 -05:00
23d058067a
Redo the boilerplate / splat
...
[SeeRM #8496 ]
2013-10-15 13:51:57 -05:00
c68319d098
Fix author
2013-10-15 12:59:19 -05:00
f345414832
Added correct spelling in info
2013-10-15 10:13:18 -07:00
0b9cf24103
Convert vss_persistence to Local Exploit
2013-10-15 11:11:04 -05:00
9ca9b4ab29
Merge branch 'master' into data_dir
...
Conflicts:
lib/msf/core/auxiliary/jtr.rb
2013-10-10 19:55:26 +01:00
a843722ae3
Concurrent printing of the output no longer makes sense...
2013-10-10 19:01:19 +01:00
536c3c7b92
Use multi railgun call for a large performance increase.
2013-10-10 19:01:14 +01:00
aed2490536
add some output and fixing
2013-10-07 15:42:41 -04:00
75d2abc8c2
integrate some ask functionality into bypassuac
2013-10-07 15:14:54 -04:00
0799766faa
Fix UAC is not enabled, no reason to run module when UAC is enabled and vulnerable
...
The new changes when calling uac_level = open_key.query_value('ConsentPromptBehaviorAdmin') breaks UAC on Windows 7 and Windows 8 and shows that UAC is not enabled when it is:
Here is prior to the change on a fully patched Windows 8 machine:
msf exploit(bypassuac) > exploit
[*] Started reverse handler on 172.16.21.156:4444
[*] UAC is Enabled, checking level...
[-] UAC is not enabled, no reason to run module
[-] Run exploit/windows/local/ask to elevate
msf exploit(bypassuac) >
Here's the module when running with the most recent changes that are being proposed:
[*] Started reverse handler on 172.16.21.156:4444
[*] UAC is Enabled, checking level...
[!] Could not determine UAC level - attempting anyways...
[*] Checking admin status...
[+] Part of Administrators group! Continuing...
[*] Uploading the bypass UAC executable to the filesystem...
[*] Meterpreter stager executable 73802 bytes long being uploaded..
[*] Uploaded the agent to the filesystem....
[*] Sending stage (770048 bytes) to 172.16.21.128
[*] Meterpreter session 6 opened (172.16.21.156:4444 -> 172.16.21.128:49394) at 2013-10-05 15:49:23 -0400
meterpreter >
With the new changes and not having a return on when 0 (will not always return 0 - just in certain cases where you cannot query) - it works.
2013-10-05 15:56:55 -04:00
c460f943f7
Merge branch 'master' into data_dir
...
Conflicts:
modules/exploits/windows/local/always_install_elevated.rb
plugins/sounds.rb
scripts/meterpreter/powerdump.rb
scripts/shell/spawn_meterpreter.rb
2013-10-02 20:17:11 +01:00
b306415ecf
Tidy and updates to info
2013-09-29 17:32:39 +01:00
29a7059eb4
Update AlwaysInstallElevated to use a generated MSI file
...
Fixes bugs with MSI::UAC option, invalid logic and typo...
2013-09-29 17:09:03 +01:00
353cd9aaf5
Check payload.arch
2013-09-27 11:13:19 +01:00
d2fa7d84a9
Tidyup includes
2013-09-27 10:12:53 +01:00
5fa0eb32a9
Merge upstream
2013-09-27 10:11:10 +01:00
c3c07b5fd7
Better arch checking
2013-09-27 09:39:29 +01:00
dfac7b57d2
Fixup SysWOW64
2013-09-27 09:10:49 +01:00
b8df7cc496
Initialize strings fool
2013-09-27 09:01:00 +01:00
3d812742f1
Merge upstream master
2013-09-26 21:27:44 +01:00
7ba846ca24
Find and replace
2013-09-26 20:34:48 +01:00
a25833e4d7
Fix %TEMP% path
2013-09-26 19:22:36 +01:00
52a92a55ce
Land #2394 , ms13_005_hwnd_broadcast require fix
2013-09-24 13:43:21 -05:00
8db1a389eb
Land #2304 fix post module require order
...
Incidentally resolve conflict on current_user_psexec to account for the
new powershell require.
2013-09-23 16:52:23 -05:00
99f145cbff
Don't split the post requires
2013-09-23 14:02:43 -05:00
6b06ed0df1
Update current_user_psexec.rb
2013-09-22 03:07:17 +05:00
96364c78f8
Need to catch RequestError too
...
Because a meterpreter session may throw that
2013-09-20 17:13:35 -05:00
6e69fe48bf
Undo psexec changes
2013-09-20 22:30:00 +01:00
2591be503b
Psh support
2013-09-20 22:07:42 +01:00
15885e4ef6
Change static x value
2013-09-20 20:31:14 +01:00
ee365a6b64
Some liberal sleeping
2013-09-20 19:33:27 +01:00
7d1c5c732a
Correct powershell
2013-09-20 18:36:24 +01:00
9819566d94
Nearly
2013-09-20 17:18:14 +01:00
a00f3d8b8e
initial
2013-09-20 13:40:28 +01:00
ef72b30074
Include the post requires until #2354 lands
...
Another one that needs the manual require. See #2354
2013-09-19 09:47:01 -05:00
9a555d8701
Fix the modules added since the branch
2013-09-17 18:25:12 -05:00
150f0f644e
Merge branch 'rapid7' into bug/osx-mods-load-order
...
Conflicts:
modules/post/windows/gather/enum_dirperms.rb
2013-09-17 18:21:13 -05:00
b4b7cecaf4
Various minor desc fixes, also killed some tabs.
2013-09-16 15:50:00 -05:00
58b634dd27
Remove unnecessary requires from post mods
2013-09-12 14:36:01 -05:00
9ad1be7318
Make junk easier
2013-09-11 09:33:01 -05:00
825eb9d1ca
Add module for OSVDB 96208
2013-09-11 00:11:00 -05:00
4f1db80c24
Fix requires in new post modules
2013-09-10 11:13:07 -05:00
473f08bbb6
Register cleanup and update check
2013-09-05 22:43:26 +01:00
400b433267
Sort out exception handling
2013-09-05 22:21:44 +01:00
d4043a6646
Spaces and change to filedropper
2013-09-05 20:41:37 +01:00
c5daf939d1
Stabs tabassassin
2013-09-05 20:36:52 +01:00
d0360733d7
Retab changes for PR #2282
2013-09-05 14:05:34 -05:00
49dface180
Merge for retab
2013-09-05 14:05:28 -05:00
1460474a55
Retab changes for PR #2288
2013-09-05 13:58:24 -05:00
e711a495eb
Merge for retab
2013-09-05 13:58:19 -05:00
9787bb80e7
Address @jlee-r7's feedback
2013-09-05 19:57:05 +01:00
845bf7146b
Retab changes for PR #2304
2013-09-05 13:41:25 -05:00
adf9ff356c
Merge for retab
2013-09-05 13:41:23 -05:00
3066e7e19d
ReverseConnectRetries ftw
2013-09-04 00:16:19 +01:00
a8e77c56bd
Updates
2013-09-03 22:46:20 +01:00
ac0c493cf9
Merge branch 'master' of github.com:rapid7/metasploit-framework into local_win_priv_keyring
2013-09-03 21:33:11 +01:00
84aaf2334a
Retab new material
2013-09-03 11:47:26 -05:00
0c1e6546af
Update from master
2013-09-03 11:45:39 -05:00
ac0b14e793
Add the missing CVE reference
...
Was looking at all the 2013 exploit modules for missing CVE references
2013-08-31 18:54:16 -05:00
41e4375e43
Retab modules
2013-08-30 16:28:54 -05:00
63adde2429
Fix load order in posts, hopefully forever
2013-08-29 13:37:50 -05:00
ff5cf396ab
Remove large file and rename payload.dll
2013-08-27 00:30:27 +01:00
035e97523b
In memory bypassuac
2013-08-27 00:13:19 +01:00
05f1622fcb
Fix require
2013-08-26 16:21:18 +01:00
3b9ded5a8e
BypassUAC now checks if the process is LowIntegrityLevel
...
and fails if so. Some small improvements made to Post::Priv
and BypassUAC module.
2013-08-26 13:54:55 +01:00
6c1ba9c9c9
Switch to Failure vs Exploit::Failure
2013-08-15 14:14:46 -05:00
5128458c90
Land #2201 - Better check for ppr_flatten_rec
2013-08-09 14:44:23 -05:00
021c358159
Land #2203 - Fix regex for x64 detection
2013-08-09 13:23:38 -05:00
7178633140
Fixed architecture detection in bypassuac modules
2013-08-09 03:42:02 +02:00
318280fea7
Add 7/2k8 RTM versions
2013-08-08 20:02:14 +01:00
d64352652f
Adds unsupported Vista versions
2013-08-08 19:58:40 +01:00
08c32c250f
File versions
2013-08-08 19:42:14 +01:00
40f015f596
Avoid require race with powershell
2013-08-05 09:56:32 -05:00
5ea67586c8
Rewrite description for MS13-005
...
The first part of the description was copy-pasted from
http://packetstormsecurity.com/files/122588/ms13_005_hwnd_broadcast.rb.txt
which contained some grammatical errors. Please try to avoid cribbing
other researchers' descriptions directly for Metasploit modules.
2013-08-05 09:29:29 -05:00
e7206af5b5
OSVDB and comment doc fixes
2013-08-05 09:08:17 -05:00
3a05993f16
Make msftidy happy and warn user about long times
2013-07-29 11:45:30 -05:00
234e49d982
Add type technique
2013-07-26 23:33:16 +01:00
805a9675a7
Modify the check for Integrity Level and Allow dropt o fs
2013-07-26 14:54:50 -05:00
12a58c730a
Small fix
2013-07-26 10:15:47 +01:00
6a13ed0371
Missing include
2013-07-26 03:18:17 +01:00
72b8891ba3
Check for low integrity
2013-07-26 03:16:45 +01:00
030640d5bc
back to cmd
2013-07-26 03:00:36 +01:00
d3f3e5d63e
Working with psh download
2013-07-26 02:29:55 +01:00
b99ad41a64
Add api constants and tidy
2013-07-26 01:48:39 +01:00
0235e6803d
Initial working
2013-07-25 23:24:11 +01:00
44cae75af1
Cleanup
2013-07-24 19:52:59 +01:00
ad94f434ab
Avoid a fix address for the final userland payload
2013-07-05 10:21:11 -05:00
226f4dd8cc
Use execute_shellcode for novell_client_nicm.rb
2013-07-03 13:57:41 -05:00
f9cfba9021
Use execute_shellcode for novell_client_nwfs.rb
2013-07-03 13:55:50 -05:00
2a6056fd2a
exploits/s4u_persistence~Fixed typos+default values
2013-07-03 00:38:50 +01:00
a2b8daf149
Modify fail message when exploitation doen't success
2013-06-29 10:45:13 -05:00
a5c3f4ca9b
Modify ruby code according to comments
2013-06-29 08:54:00 -05:00
427e26c4dc
Fix current_pid
2013-06-28 21:36:49 -05:00
32ae7ec2fa
Fix error description and bad variable usage
2013-06-28 21:30:33 -05:00
fb67002df9
Switch from print_error to print_warning
2013-06-28 21:29:20 -05:00
3ab948209b
Fix module according to @wchen-r7 feedback
2013-06-28 20:44:42 -05:00
00416f3430
Add a new print_status
2013-06-28 18:23:49 -05:00
7725937461
Add Module for cve-2013-3660
2013-06-28 18:18:21 -05:00
795dd6a02a
Add module for OSVDB 93718
2013-06-24 23:51:28 -05:00
a920127f8c
reference updates for several modules
2013-06-23 20:43:34 -05:00
f106b6db50
Add comment with the component version
2013-06-21 17:38:30 -05:00
5fe9a80bf0
Add module for OSVDB 46578
2013-06-21 17:31:40 -05:00
da4b18c6a1
[FixRM:#8012] - Fix message data type to int
...
This patch makes sure s.message is actually an int, that way we can
properly stop or enable the service.
2013-06-06 23:49:14 -05:00
1032663cd4
Fixed check for Administrators SID in whoami /group output
2013-06-04 18:34:06 -04:00
53cb493bc9
Fix @jlee-r7's feedback
2013-05-20 18:44:21 -05:00
85ceaa1a62
Add module for CVE-2013-2730
2013-05-18 12:44:24 -05:00
05426cb61b
Fix dir creation
2013-04-27 21:39:29 +01:00
8bfaa41723
Fix x64 dll creation
2013-04-27 20:44:46 +01:00
e2b8d5ed23
Fix from David Kennedy, enable Windows 8 support
2013-04-09 02:07:40 -05:00
2160718250
Fix file header comment
...
[See #1555 ]
2013-03-07 17:53:19 -06:00
07475e5483
Update
2013-02-22 21:22:51 +00:00
769ca6335f
Mrg Juan's changes, stop shadowing
2013-02-22 20:09:21 +00:00
416a7aeaa3
make msftidy happy for s4u_persistence
2013-02-18 15:23:06 +01:00
be0feecf8f
Merge branch 's4u_persistence' of https://github.com/smilingraccoon/metasploit-framework into smilingraccoon-s4u_persistence
2013-02-18 15:22:37 +01:00
25f8a7dcb9
Fix expire tag logic and slight clean up
...
Was a dumbass again and didn't fully understand how Optints worked when left blank at run time. If not 0 the expire tag will be inserted now. Also made it print the xpath if used because I believe it will be of value to the user for trouble shooting.
2013-02-17 22:35:52 -05:00
a8d574e4ce
Updated one print_status
2013-02-17 14:08:33 -05:00
7b2c1afadb
I'm an idiot, fix logon xpath
2013-02-14 09:16:47 -05:00
e78cbdd14d
missed one line
2013-02-13 18:17:38 -05:00
bbf8fe0213
Use Post::File methods and fail_with
2013-02-13 18:10:05 -05:00
42a6d96ff4
using Post::File methods plus little more cleanup
2013-02-12 01:33:07 +01:00
97edbb7868
using always a vbs file to drop exe
2013-02-12 00:58:26 +01:00
5edb138a8f
fixed nil issue
2013-02-11 11:51:33 -04:00
3a499b1a6d
added s4u_persistence.rb
2013-02-10 14:22:36 -05:00
fea84cad10
Fix additional typos per recomendation
2013-02-08 14:47:16 -04:00
b8f0a94c3f
Fixed typos mentioned by Egypt
2013-02-08 14:42:10 -04:00
c131b7ef0e
Added exception handing and return checking as requested by Sinn3r
2013-02-07 21:06:05 -04:00
19e989dff9
Initial commit fo the migrated module
2013-02-07 19:11:44 -04:00
Meatballs
Spencer McIntyre
sinn3r
OJ
jvazquez-r7
Tod Beardsley
b00stfr3ak
William Vu
James Lee
jvazquez-r7
MrXors
Rob Fuller
trustedsec
darknight007
Tab Assassin
HD Moore
Sagi Shahar
g0tmi1k
Steve Tornio
cbgabriel
Thomas McCarthy
smilingraccoon
Carlos Perez