Commit Graph

544 Commits (5b25ba5df33a554c0e6b5488c4f1159067743c29)

Author SHA1 Message Date
OJ 41c538856a Re-add RDI mixin changes 2013-12-15 01:12:49 +00:00
OJ db29af0f97 First batch of submodule refactorings 2013-12-15 01:12:48 +00:00
Meatballs 6916f7c5d2 Fixup description 2013-12-15 01:12:47 +00:00
Meatballs 3d1646d18e Exit process when complete 2013-12-15 01:12:47 +00:00
Meatballs dd32c2b0b8 Spawn 32bit process 2013-12-15 01:12:46 +00:00
Meatballs 819ba30a33 msftidy
Conflicts:
	lib/msf/core/post/windows/services.rb
2013-12-15 01:12:46 +00:00
Meatballs 5eca4714c2 Renamed module 2013-12-15 01:12:46 +00:00
Meatballs a930056d7f Added service status checks to Post::Windows::Services
Added QueryServiceStatus to Railgun Advapi32 Definitions
Added Checks to module

Conflicts:
	lib/msf/core/post/windows/services.rb
	lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_advapi32.rb
2013-12-15 01:12:45 +00:00
Meatballs c6623b380a Initial commit 2013-12-15 01:12:45 +00:00
Meatballs 04496a539c
Fix up local wmi exploit. 2013-12-14 20:05:51 +00:00
jvazquez-r7 e8396dc37a Delete redefinition of ntdll functions on railgun 2013-12-13 16:02:47 -06:00
jvazquez-r7 1ab3e891c9 Modify ms_ndproxy to use railgun additions 2013-12-13 15:54:34 -06:00
jvazquez-r7 5c1ca97e21 Create a new process to host the final payload 2013-12-12 08:26:44 -06:00
jvazquez-r7 eb4e3f8a32 Fix os detection 2013-12-12 07:39:19 -06:00
jvazquez-r7 8b518776bc Dont fail_with on check 2013-12-11 22:08:36 -06:00
jvazquez-r7 02915c751c Favor unless over if not and add reference 2013-12-11 16:28:09 -06:00
jvazquez-r7 b6fa3f28b1 Modify description 2013-12-11 08:56:31 -06:00
jvazquez-r7 c4721de4a0 Add module for CVE-2013-5065 2013-12-11 08:52:35 -06:00
b00stfr3ak 0cf1b7fece add original ask.rb 2013-12-09 14:35:31 -07:00
b00stfr3ak 1d07b2bbfa Revert "removed ask file, already in pull request 2551"
This reverts commit 5ceda7c042.
2013-12-09 14:31:43 -07:00
Meatballs 9b2ae3c447
Uncomment fail_with 2013-12-05 23:21:06 +00:00
OJ 2cb991cace Shuffle RDI stuff into more appropriate structure
Now broken into two modules, one for loading RDI DLLs off disk and
finding the loader function offset, and another for doing the process
specific stuff of loading into the target.
2013-12-06 08:25:24 +10:00
Meatballs 1e60ff91ea
Move ExitThread patching to Msf::Util::EXE 2013-12-05 17:16:14 +00:00
Meatballs 496b017e33
Merge remote-tracking branch 'upstream/master' into bypassuac_redo 2013-12-05 17:09:32 +00:00
Meatballs dc0f2b7291
Use ExitProcess 2013-12-05 17:08:47 +00:00
OJ b936831125 Renamed the mixin module 2013-12-05 08:13:54 +10:00
OJ 7e8db8662e Update name of the mixin
Changed `RdiMixin` to `ReflectiveDLLInjection`.
2013-12-04 22:18:29 +10:00
OJ f79af4c30e Add RDI mixin module
MSF was starting to see more modules using RDI to load binaries into
remote processes, so it made sense to create a mixin which contained
the functionality that was being used in various locations.

This commit contains the new mixin, and adjustments to all the existing
exploits and modules which use RDI.
2013-12-04 16:09:41 +10:00
Meatballs 915d741f86
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
Conflicts:
	.gitmodules
	external/source/ReflectiveDLLInjection
2013-11-30 19:10:04 +00:00
OJ 0b879d8f39 Comments for WfsDelay, adjustment to injection
I had inteded to add the `WfsDelay` as Meatballs suggested, but for locl
exploits this doesn't appear to work as expected. After speaking to HDM
we've decided to leave the sleep in there and figure out the `WsfDelay`
thing later.

This also includes a slight refactor which puts the payload and the
exploit in the same chunk of allocated memory. Minor optimisation, but
worth it.
2013-11-28 08:42:16 +10:00
OJ defc0ebe5c
ppr_flatten_rec update, RDI submodule, and refactor
This commit contains a few changes for the ppr_flatten_rec local windows
exploit. First, the exploit binary itself:

* Updated to use the RDI submodule.
* Updated to build with VS2013.
* Updated to generate a binary called `ppr_flatten_rc.x86.dll`.
* Invocation of the exploit requires address of the payload to run.

Second, the module in MSF behaved a little strange. I expected it to create
a new session with system privs and leave the existing session alone. This
wasn't the case. It used to create an instance of notepad, migrate the
_existing_ session to it, and run the exploit from there. This behaviour
didn't seem to be consistent with other local exploits. The changes
include:

* Existing session is now left alone, only used as a proxy.
* New notepad instance has exploit reflectively loaded.
* New notepad instance has payload directly injected.
* Exploit invocation takes the payload address as a parameter.
* A wait is added as the exploit is slow to run (nature of the exploit).
* Payloads are executed on successful exploit.
2013-11-27 20:44:18 +10:00
Meatballs cd68b10bcf
Broadcast needs a decent WfsDelay.
Due to the multi railgun changes. Because they return quickly but
the process is still broadcasting them the exploit thinks work has
finished...
2013-11-23 19:18:13 +00:00
Meatballs 6c83109422
Really fix wmi 2013-11-23 16:44:44 +00:00
Meatballs c194fdc67e
Fixup WMI
-c doesn't like $var assignments
2013-11-23 00:31:11 +00:00
Meatballs ec36cebeb4
Update cmd_psh_payloads to send the architecture. 2013-11-22 23:31:33 +00:00
Meatballs 622a1dccda
Update wmi to use generated powershell command line 2013-11-22 23:18:22 +00:00
Meatballs 9835649858
Update hwnd_broadcast to use generated powershell command line. 2013-11-22 23:04:44 +00:00
William Vu 2c485c509e Fix caps on module titles (first pass) 2013-11-15 00:03:42 -06:00
OJ 506a4d9e67
Remove genericity, x64 and renamed stuff
As per discussion on the github issue, the following changes were made:

* Project renamed from elevate to kitrap0d, implying that this is not
  intended to be a generic local priv esc exploit container.
* Container DLL no longer generic, always calls the kitrap0d exploit.
* Removal of all x64 code and project configurations.
* Invocation of the exploit changed so that the address of the payload
  is passed in to the exploit entry point. The exploit is now responsible
  for executing the payload if the exploit is successful. This removes
  the possibility of the payload getting executed when the exploit fails.
* Source moved to the appropriate CVE folder.
* Binary moved to the appropriate CVE folder.
* Little bit of source rejigging to tidy things up.
2013-11-14 12:22:53 +10:00
OJ e4fc361b37 Various tidies and fixes
* Change ranking.
* Update references to comply with correct approach.
* Update messages to better describe what should happen.
* Update the Windows version regex to match XP.
* Update `check` function to use `unless`.

Thanks again @jvazquez-r7 for the feedback!
2013-11-13 10:38:48 +10:00
OJ 40f58ce534
Finalise the local exploit for kitrap0d
The exploit now properly injects the DLL using RDI and invokes the
exploit based on a parameter passed by the Ruby module. The elevate
code is 'generic' with a goal of possibly supporting more exploits
down the track.

New sessions are now created with the SYSTEM creds, rather than
modifying the existing session. This is now inline with how things
are done with other local modules.
2013-11-12 23:01:24 +10:00
OJ 82739c0315 Add extra URL for exploit detail 2013-11-11 22:07:36 +10:00
OJ 6a25ba18be Move kitrap0d exploit from getsystem to local exploit
This version modifies the existing meterpreter session and bumps the privs
up to SYSTEM. However it's not how local exploits are supposed to work.
More work will be done to make this create a new session with the elevated
privs instead.
2013-11-11 17:14:40 +10:00
Tod Beardsley e488a54a06
Resplat new WMI module 2013-10-30 15:14:16 -05:00
William Vu 278dff93e7 Add missing require for Msf::Exploit::Powershell
Thanks for the report, @mubix.
2013-10-25 21:41:24 -05:00
b00stfr3ak 5ceda7c042 removed ask file, already in pull request 2551 2013-10-25 14:46:50 -07:00
b00stfr3ak 84999115d7 Added PSH option if UAC is turned off
This will give the option to drop an exe or use psh if uac is turned
off.  The lib can be used for post exploitation to drop an exe or use
powershell and then execute it with the runas command.  I have used the
lib for both bypassuac and ask.
2013-10-25 14:37:12 -07:00
b00stfr3ak 868b70c9ed Added priv lib and runas lib
Cleaned up code with using the new lib files
2013-10-25 14:05:33 -07:00
Meatballs 6fdf5cab15
Update bypassuac_injection inline with latest privs lib 2013-10-23 21:15:41 +01:00
Meatballs e6a2a1006f
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
Conflicts:
	lib/msf/core/post/windows/priv.rb
	modules/exploits/windows/local/bypassuac.rb
2013-10-23 21:02:32 +01:00
b00stfr3ak a06c0a9575 Merge branch 'local/ask' 2013-10-22 16:06:16 -07:00
b00stfr3ak 69131323af Merge remote-tracking branch 'upstream/master' 2013-10-22 16:05:19 -07:00
sinn3r acc73dd545
Land #2282 - BypassUAC now checks if the process is LowIntegrityLevel 2013-10-22 17:16:26 -05:00
sinn3r af174639cd
Land #2468 - Hwnd Broadcast Performance 2013-10-22 17:03:02 -05:00
Meatballs 8611a2a24c
Merge remote-tracking branch 'upstream/master' into low_integ_bypassuac 2013-10-22 21:42:36 +01:00
sinn3r ba1edc6fa8
Land #2402 - Windows Management Instrumentation Local -> Peers 2013-10-22 15:39:32 -05:00
b00stfr3ak 9695b2d662 Added check method
The method checks to see if the user is a part of the admin group.  If
the user is the exploit continues, if not the exploit stops because it
will prompt the user for a password instead of just clicking ok.
2013-10-21 11:57:50 -07:00
sinn3r 1599d1171d
Land #2558 - Release fixes 2013-10-21 13:48:11 -05:00
Tod Beardsley c1954c458c
Just warn, don't bail
Even if the OS detection returns non-Win7, maybe it's Win 8 or something
where it'll still work. We rarely bail out on checks like these.

If I'm crazy, feel free to skip or revert this commit (it shouldn't hold
up the release at all)

For details on this module, see #2503. I don't see any comments about
this line in particular
2013-10-21 13:39:45 -05:00
Tod Beardsley bce8d9a90f
Update license comments with resplat. 2013-10-21 13:36:15 -05:00
sinn3r 032da9be10
Land #2426 - make use of Msf::Config.data_directory 2013-10-21 13:07:33 -05:00
b00stfr3ak 6881774c03 Updated with comments from jlee-r7 and Meatballs1
Added fail_with instead of just print_error
figured a way to execute the cmd_psh_payload with out using gsub
added case statment for datastore['TECHNIQUE']
2013-10-20 01:15:51 -07:00
b00stfr3ak 6de279733c Merge branch 'local/ask' 2013-10-19 10:51:55 -07:00
b00stfr3ak a5dc75a82e Added PSH option to windows/local/ask exploit
Gives you the ability to use powershell to 'ask' for admin rights if the
user has them.  Using powershell makes the pop up blue instead of orange
and states that the company is Microsoft, it also doesn't drop an exe
on the system.  Looks like 32 bit https works but if you migrate out you
loose priv and if you run cachedump the session hangs.
2013-10-19 00:15:38 -07:00
Meatballs 4e4d0488ae
Rubyfy constants in privs lib 2013-10-18 18:26:07 +01:00
Meatballs 55426882d4
Further bypassuac tidyup 2013-10-18 00:08:06 +01:00
Meatballs e450e34c7e
Merge branch 'master' of github.com:rapid7/metasploit-framework into low_integ_bypassuac
Conflicts:
	modules/exploits/windows/local/bypassuac.rb
2013-10-17 23:35:36 +01:00
Meatballs 5a662defac
Post::Privs uses Post::Registry methods 2013-10-17 23:28:07 +01:00
Meatballs b3cc9f6f1e
Use sysnative to delete the cryptbase.dll when in SYSWOW64 process.
Merge branch 'master' of github.com:Meatballs1/metasploit-framework into bypassuac_redo

Conflicts:
	modules/exploits/windows/local/bypassuac.rb
2013-10-17 21:01:57 +01:00
Tod Beardsley 07ab53ab39
Merge from master to clear conflict
Conflicts:
	modules/exploits/windows/brightstor/tape_engine_8A.rb
	modules/exploits/windows/fileformat/a-pdf_wav_to_mp3.rb
2013-10-17 13:29:24 -05:00
James Lee a54b4c7370
Land #2482, use runas when UAC is DoNotPrompt 2013-10-16 17:51:11 -05:00
Tod Beardsley 5d86ab4ab8
Catch mis-formatted bracket comments. 2013-10-15 14:52:12 -05:00
Tod Beardsley c83262f4bd
Resplat another common boilerplate. 2013-10-15 14:07:48 -05:00
Tod Beardsley 23d058067a
Redo the boilerplate / splat
[SeeRM #8496]
2013-10-15 13:51:57 -05:00
jvazquez-r7 c68319d098 Fix author 2013-10-15 12:59:19 -05:00
MrXors f345414832 Added correct spelling in info 2013-10-15 10:13:18 -07:00
jvazquez-r7 0b9cf24103 Convert vss_persistence to Local Exploit 2013-10-15 11:11:04 -05:00
Meatballs 9ca9b4ab29
Merge branch 'master' into data_dir
Conflicts:
	lib/msf/core/auxiliary/jtr.rb
2013-10-10 19:55:26 +01:00
Meatballs a843722ae3 Concurrent printing of the output no longer makes sense... 2013-10-10 19:01:19 +01:00
Meatballs 536c3c7b92 Use multi railgun call for a large performance increase. 2013-10-10 19:01:14 +01:00
Rob Fuller aed2490536 add some output and fixing 2013-10-07 15:42:41 -04:00
Rob Fuller 75d2abc8c2 integrate some ask functionality into bypassuac 2013-10-07 15:14:54 -04:00
trustedsec 0799766faa Fix UAC is not enabled, no reason to run module when UAC is enabled and vulnerable
The new changes when calling uac_level = open_key.query_value('ConsentPromptBehaviorAdmin') breaks UAC on Windows 7 and Windows 8 and shows that UAC is not enabled when it is:

Here is prior to the change on a fully patched Windows 8 machine:

msf exploit(bypassuac) > exploit

[*] Started reverse handler on 172.16.21.156:4444 
[*] UAC is Enabled, checking level...
[-] UAC is not enabled, no reason to run module
[-] Run exploit/windows/local/ask to elevate
msf exploit(bypassuac) > 

Here's the module when running with the most recent changes that are being proposed:

[*] Started reverse handler on 172.16.21.156:4444 
[*] UAC is Enabled, checking level...
[!] Could not determine UAC level - attempting anyways...
[*] Checking admin status...
[+] Part of Administrators group! Continuing...
[*] Uploading the bypass UAC executable to the filesystem...
[*] Meterpreter stager executable 73802 bytes long being uploaded..
[*] Uploaded the agent to the filesystem....
[*] Sending stage (770048 bytes) to 172.16.21.128
[*] Meterpreter session 6 opened (172.16.21.156:4444 -> 172.16.21.128:49394) at 2013-10-05 15:49:23 -0400

meterpreter > 

With the new changes and not having a return on when 0 (will not always return 0 - just in certain cases where you cannot query) - it works.
2013-10-05 15:56:55 -04:00
Meatballs c460f943f7
Merge branch 'master' into data_dir
Conflicts:
	modules/exploits/windows/local/always_install_elevated.rb
	plugins/sounds.rb
	scripts/meterpreter/powerdump.rb
	scripts/shell/spawn_meterpreter.rb
2013-10-02 20:17:11 +01:00
Meatballs b306415ecf
Tidy and updates to info 2013-09-29 17:32:39 +01:00
Meatballs 29a7059eb4
Update AlwaysInstallElevated to use a generated MSI file
Fixes bugs with MSI::UAC option, invalid logic and typo...
2013-09-29 17:09:03 +01:00
Meatballs 353cd9aaf5 Check payload.arch 2013-09-27 11:13:19 +01:00
Meatballs d2fa7d84a9 Tidyup includes 2013-09-27 10:12:53 +01:00
Meatballs 5fa0eb32a9 Merge upstream 2013-09-27 10:11:10 +01:00
Meatballs c3c07b5fd7 Better arch checking 2013-09-27 09:39:29 +01:00
Meatballs dfac7b57d2 Fixup SysWOW64 2013-09-27 09:10:49 +01:00
Meatballs b8df7cc496 Initialize strings fool 2013-09-27 09:01:00 +01:00
Meatballs 3d812742f1 Merge upstream master 2013-09-26 21:27:44 +01:00
Meatballs 7ba846ca24 Find and replace 2013-09-26 20:34:48 +01:00
Meatballs a25833e4d7 Fix %TEMP% path 2013-09-26 19:22:36 +01:00
William Vu 52a92a55ce Land #2394, ms13_005_hwnd_broadcast require fix 2013-09-24 13:43:21 -05:00
Tod Beardsley 8db1a389eb
Land #2304 fix post module require order
Incidentally resolve conflict on current_user_psexec to account for the
new powershell require.
2013-09-23 16:52:23 -05:00
Tod Beardsley 99f145cbff Don't split the post requires 2013-09-23 14:02:43 -05:00
darknight007 6b06ed0df1 Update current_user_psexec.rb 2013-09-22 03:07:17 +05:00
sinn3r 96364c78f8 Need to catch RequestError too
Because a meterpreter session may throw that
2013-09-20 17:13:35 -05:00
Meatballs 6e69fe48bf Undo psexec changes 2013-09-20 22:30:00 +01:00
Meatballs 2591be503b Psh support 2013-09-20 22:07:42 +01:00
Meatballs 15885e4ef6 Change static x value 2013-09-20 20:31:14 +01:00
Meatballs ee365a6b64 Some liberal sleeping 2013-09-20 19:33:27 +01:00
Meatballs 7d1c5c732a Correct powershell 2013-09-20 18:36:24 +01:00
Meatballs 9819566d94 Nearly 2013-09-20 17:18:14 +01:00
Meatballs a00f3d8b8e initial 2013-09-20 13:40:28 +01:00
Tod Beardsley ef72b30074 Include the post requires until #2354 lands
Another one that needs the manual require. See #2354
2013-09-19 09:47:01 -05:00
James Lee 9a555d8701 Fix the modules added since the branch 2013-09-17 18:25:12 -05:00
James Lee 150f0f644e Merge branch 'rapid7' into bug/osx-mods-load-order
Conflicts:
	modules/post/windows/gather/enum_dirperms.rb
2013-09-17 18:21:13 -05:00
Tod Beardsley b4b7cecaf4 Various minor desc fixes, also killed some tabs. 2013-09-16 15:50:00 -05:00
James Lee 58b634dd27 Remove unnecessary requires from post mods 2013-09-12 14:36:01 -05:00
jvazquez-r7 9ad1be7318 Make junk easier 2013-09-11 09:33:01 -05:00
jvazquez-r7 825eb9d1ca Add module for OSVDB 96208 2013-09-11 00:11:00 -05:00
jvazquez-r7 4f1db80c24 Fix requires in new post modules 2013-09-10 11:13:07 -05:00
Meatballs 473f08bbb6 Register cleanup and update check 2013-09-05 22:43:26 +01:00
Meatballs 400b433267 Sort out exception handling 2013-09-05 22:21:44 +01:00
Meatballs d4043a6646 Spaces and change to filedropper 2013-09-05 20:41:37 +01:00
Meatballs c5daf939d1 Stabs tabassassin 2013-09-05 20:36:52 +01:00
Tab Assassin d0360733d7 Retab changes for PR #2282 2013-09-05 14:05:34 -05:00
Tab Assassin 49dface180 Merge for retab 2013-09-05 14:05:28 -05:00
Tab Assassin 1460474a55 Retab changes for PR #2288 2013-09-05 13:58:24 -05:00
Tab Assassin e711a495eb Merge for retab 2013-09-05 13:58:19 -05:00
Meatballs 9787bb80e7 Address @jlee-r7's feedback 2013-09-05 19:57:05 +01:00
Tab Assassin 845bf7146b Retab changes for PR #2304 2013-09-05 13:41:25 -05:00
Tab Assassin adf9ff356c Merge for retab 2013-09-05 13:41:23 -05:00
Meatballs 3066e7e19d ReverseConnectRetries ftw 2013-09-04 00:16:19 +01:00
Meatballs a8e77c56bd Updates 2013-09-03 22:46:20 +01:00
Meatballs ac0c493cf9 Merge branch 'master' of github.com:rapid7/metasploit-framework into local_win_priv_keyring 2013-09-03 21:33:11 +01:00
Tab Assassin 84aaf2334a Retab new material 2013-09-03 11:47:26 -05:00
Tab Assassin 0c1e6546af Update from master 2013-09-03 11:45:39 -05:00
sinn3r ac0b14e793 Add the missing CVE reference
Was looking at all the 2013 exploit modules for missing CVE references
2013-08-31 18:54:16 -05:00
Tab Assassin 41e4375e43 Retab modules 2013-08-30 16:28:54 -05:00
James Lee 63adde2429 Fix load order in posts, hopefully forever 2013-08-29 13:37:50 -05:00
Meatballs ff5cf396ab Remove large file and rename payload.dll 2013-08-27 00:30:27 +01:00
Meatballs 035e97523b In memory bypassuac 2013-08-27 00:13:19 +01:00
Meatballs 05f1622fcb Fix require 2013-08-26 16:21:18 +01:00
Meatballs 3b9ded5a8e BypassUAC now checks if the process is LowIntegrityLevel
and fails if so. Some small improvements made to Post::Priv
and BypassUAC module.
2013-08-26 13:54:55 +01:00
HD Moore 6c1ba9c9c9 Switch to Failure vs Exploit::Failure 2013-08-15 14:14:46 -05:00
sinn3r 5128458c90 Land #2201 - Better check for ppr_flatten_rec 2013-08-09 14:44:23 -05:00
sinn3r 021c358159 Land #2203 - Fix regex for x64 detection 2013-08-09 13:23:38 -05:00
Sagi Shahar 7178633140 Fixed architecture detection in bypassuac modules 2013-08-09 03:42:02 +02:00
Meatballs 318280fea7 Add 7/2k8 RTM versions 2013-08-08 20:02:14 +01:00
Meatballs d64352652f Adds unsupported Vista versions 2013-08-08 19:58:40 +01:00
Meatballs 08c32c250f File versions 2013-08-08 19:42:14 +01:00
Tod Beardsley 40f015f596 Avoid require race with powershell 2013-08-05 09:56:32 -05:00
Tod Beardsley 5ea67586c8 Rewrite description for MS13-005
The first part of the description was copy-pasted from

http://packetstormsecurity.com/files/122588/ms13_005_hwnd_broadcast.rb.txt

which contained some grammatical errors. Please try to avoid cribbing
other researchers' descriptions directly for Metasploit modules.
2013-08-05 09:29:29 -05:00
Tod Beardsley e7206af5b5 OSVDB and comment doc fixes 2013-08-05 09:08:17 -05:00
jvazquez-r7 3a05993f16 Make msftidy happy and warn user about long times 2013-07-29 11:45:30 -05:00
Meatballs 234e49d982 Add type technique 2013-07-26 23:33:16 +01:00
jvazquez-r7 805a9675a7 Modify the check for Integrity Level and Allow dropt o fs 2013-07-26 14:54:50 -05:00
Meatballs 12a58c730a Small fix 2013-07-26 10:15:47 +01:00
Meatballs 6a13ed0371 Missing include 2013-07-26 03:18:17 +01:00
Meatballs 72b8891ba3 Check for low integrity 2013-07-26 03:16:45 +01:00
Meatballs 030640d5bc back to cmd 2013-07-26 03:00:36 +01:00
Meatballs d3f3e5d63e Working with psh download 2013-07-26 02:29:55 +01:00
Meatballs b99ad41a64 Add api constants and tidy 2013-07-26 01:48:39 +01:00
Meatballs 0235e6803d Initial working 2013-07-25 23:24:11 +01:00
Meatballs 44cae75af1 Cleanup 2013-07-24 19:52:59 +01:00
jvazquez-r7 ad94f434ab Avoid a fix address for the final userland payload 2013-07-05 10:21:11 -05:00
sinn3r 226f4dd8cc Use execute_shellcode for novell_client_nicm.rb 2013-07-03 13:57:41 -05:00
sinn3r f9cfba9021 Use execute_shellcode for novell_client_nwfs.rb 2013-07-03 13:55:50 -05:00
g0tmi1k 2a6056fd2a exploits/s4u_persistence~Fixed typos+default values 2013-07-03 00:38:50 +01:00
jvazquez-r7 a2b8daf149 Modify fail message when exploitation doen't success 2013-06-29 10:45:13 -05:00
jvazquez-r7 a5c3f4ca9b Modify ruby code according to comments 2013-06-29 08:54:00 -05:00
jvazquez-r7 427e26c4dc Fix current_pid 2013-06-28 21:36:49 -05:00
jvazquez-r7 32ae7ec2fa Fix error description and bad variable usage 2013-06-28 21:30:33 -05:00
jvazquez-r7 fb67002df9 Switch from print_error to print_warning 2013-06-28 21:29:20 -05:00
jvazquez-r7 3ab948209b Fix module according to @wchen-r7 feedback 2013-06-28 20:44:42 -05:00
jvazquez-r7 00416f3430 Add a new print_status 2013-06-28 18:23:49 -05:00
jvazquez-r7 7725937461 Add Module for cve-2013-3660 2013-06-28 18:18:21 -05:00
jvazquez-r7 795dd6a02a Add module for OSVDB 93718 2013-06-24 23:51:28 -05:00
Steve Tornio a920127f8c reference updates for several modules 2013-06-23 20:43:34 -05:00
jvazquez-r7 f106b6db50 Add comment with the component version 2013-06-21 17:38:30 -05:00
jvazquez-r7 5fe9a80bf0 Add module for OSVDB 46578 2013-06-21 17:31:40 -05:00
sinn3r da4b18c6a1 [FixRM:#8012] - Fix message data type to int
This patch makes sure s.message is actually an int, that way we can
properly stop or enable the service.
2013-06-06 23:49:14 -05:00
cbgabriel 1032663cd4 Fixed check for Administrators SID in whoami /group output 2013-06-04 18:34:06 -04:00
jvazquez-r7 53cb493bc9 Fix @jlee-r7's feedback 2013-05-20 18:44:21 -05:00
jvazquez-r7 85ceaa1a62 Add module for CVE-2013-2730 2013-05-18 12:44:24 -05:00
Meatballs 05426cb61b Fix dir creation 2013-04-27 21:39:29 +01:00
Meatballs 8bfaa41723 Fix x64 dll creation 2013-04-27 20:44:46 +01:00
HD Moore e2b8d5ed23 Fix from David Kennedy, enable Windows 8 support 2013-04-09 02:07:40 -05:00
James Lee 2160718250 Fix file header comment
[See #1555]
2013-03-07 17:53:19 -06:00
Meatballs 07475e5483 Update 2013-02-22 21:22:51 +00:00
Meatballs 769ca6335f Mrg Juan's changes, stop shadowing 2013-02-22 20:09:21 +00:00
jvazquez-r7 416a7aeaa3 make msftidy happy for s4u_persistence 2013-02-18 15:23:06 +01:00
jvazquez-r7 be0feecf8f Merge branch 's4u_persistence' of https://github.com/smilingraccoon/metasploit-framework into smilingraccoon-s4u_persistence 2013-02-18 15:22:37 +01:00
Thomas McCarthy 25f8a7dcb9 Fix expire tag logic and slight clean up
Was a dumbass again and didn't fully understand how Optints worked when left blank at run time. If not 0 the expire tag will be inserted now. Also made it print the xpath if used because I believe it will be of value to the user for trouble shooting.
2013-02-17 22:35:52 -05:00
Thomas McCarthy a8d574e4ce Updated one print_status 2013-02-17 14:08:33 -05:00
Thomas McCarthy 7b2c1afadb I'm an idiot, fix logon xpath 2013-02-14 09:16:47 -05:00
smilingraccoon e78cbdd14d missed one line 2013-02-13 18:17:38 -05:00
smilingraccoon bbf8fe0213 Use Post::File methods and fail_with 2013-02-13 18:10:05 -05:00
jvazquez-r7 42a6d96ff4 using Post::File methods plus little more cleanup 2013-02-12 01:33:07 +01:00
jvazquez-r7 97edbb7868 using always a vbs file to drop exe 2013-02-12 00:58:26 +01:00
Carlos Perez 5edb138a8f fixed nil issue 2013-02-11 11:51:33 -04:00
smilingraccoon 3a499b1a6d added s4u_persistence.rb 2013-02-10 14:22:36 -05:00
Carlos Perez fea84cad10 Fix additional typos per recomendation 2013-02-08 14:47:16 -04:00
Carlos Perez b8f0a94c3f Fixed typos mentioned by Egypt 2013-02-08 14:42:10 -04:00
Carlos Perez c131b7ef0e Added exception handing and return checking as requested by Sinn3r 2013-02-07 21:06:05 -04:00
Carlos Perez 19e989dff9 Initial commit fo the migrated module 2013-02-07 19:11:44 -04:00
jvazquez-r7 174ab31010 Moving reused methods to Accounts mixin 2013-01-31 12:59:55 +01:00
Tod Beardsley aaf18f0257 EOL whitespace, yo. 2013-01-29 14:22:30 -06:00
jvazquez-r7 3faf4b3aca adding sinn3r as author 2013-01-24 18:13:30 +01:00
sinn3r 2cedcad810 Check PID 2013-01-24 10:46:23 -06:00
sinn3r ad108900d5 Why yes I know it's a module 2013-01-23 16:23:41 -06:00
sinn3r 22f7619892 Improve Carlos' payload injection module - See #1201
Lots of changes, mainly:
* Description update
* Avoid accessing protected methods
* More careful exception & return value handling
2013-01-23 16:15:14 -06:00
sinn3r e93b7ffcaf Add Carlos Perez's payload injection module
See #1201
2013-01-23 14:07:48 -06:00
Meatballs1 1bc5fd3758 Changed to warnings 2013-01-20 00:29:38 +00:00
Christian Mehlmauer 8f2dd8e2ce msftidy: Remove $Revision$ 2013-01-04 00:48:10 +01:00
Christian Mehlmauer 25aaf7a676 msftidy: Remove $Id$ 2013-01-04 00:41:44 +01:00
Meatballs1 fde267bea4 Break on session 2013-01-03 20:21:05 +00:00
Meatballs1 54e4557855 Leave handler running for reboot 2013-01-03 20:07:41 +00:00
Meatballs1 df21836aa0 Use fail_with 2013-01-03 19:43:25 +00:00
Meatballs1 861951f7fd Add exception handling around get_imperstoken 2012-12-30 14:58:39 +00:00
Meatballs1 e09c33faa4 Merge remote changes 2012-12-30 14:36:54 +00:00
Meatballs1 90dd90a304 Add Startup Manual to Check method 2012-12-30 14:32:17 +00:00
Meatballs1 6b0c3eadb2 Merge branch 'master' of https://github.com/rapid7/metasploit-framework into local_win_priv_keyring 2012-12-30 14:17:46 +00:00
sinn3r 9b768a2c62 Merge branch 'cleanup/post-windows-services' of git://github.com/jlee-r7/metasploit-framework into jlee-r7-cleanup/post-windows-services 2012-12-21 23:42:17 -06:00
Meatballs 0963b5ee84 Use custom exist? 2012-12-13 23:00:26 +00:00
Meatballs 522a80875e Borrowed enum_dirperms checking. 2012-12-13 22:16:39 +00:00
jvazquez-r7 17518f035c support for local exploits on file_dropper 2012-11-28 22:17:27 +01:00
jvazquez-r7 85ed074674 Final cleanup on always_install_elevated 2012-11-28 21:50:08 +01:00
jvazquez-r7 fd1557b6d2 Merge branch 'msi_elevated' of https://github.com/Meatballs1/metasploit-framework into Meatballs1-msi_elevated 2012-11-28 21:49:36 +01:00
Meatballs1 7fea0d4af6 Add initial auto run script 2012-11-28 16:38:31 +00:00
Meatballs1 a3fbf276f9 Reinstated cleanup 2012-11-28 11:23:08 +00:00
Meatballs1 b5b47152fc Changed to static msi filename 2012-11-28 11:21:02 +00:00
Meatballs1 76f7abe5b6 Little tidy up 2012-11-27 23:58:58 +00:00
Meatballs1 81c2182424 Msftidy 2012-11-27 23:33:07 +00:00
Meatballs1 9741d55724 Moved to agnostic post module commands 2012-11-27 23:26:19 +00:00
Meatballs1 6fe378b594 Minor changes to description 2012-11-27 20:56:52 +00:00
Meatballs1 d067b040a0 Minor changes to description 2012-11-27 20:55:36 +00:00
Meatballs1 7727f3d6e8 Msftidy 2012-11-27 18:31:54 +00:00
Meatballs1 889c8ac12d Add build instructions and removed binary 2012-11-27 18:18:20 +00:00
Meatballs1 bc9065ad42 Move MSI source and binary location 2012-11-27 18:12:49 +00:00
Tod Beardsley f1fedee63b EOL space, deleted 2012-11-26 14:19:40 -06:00
Meatballs1 579126c777 Remove redundant sleep 2012-11-22 10:44:41 +00:00
Meatballs1 021e0f37e9 Cleanup s 2012-11-22 10:34:05 +00:00
Meatballs1 7936fce7cf Remove auto migrate - we probably dont want to migrate away from a SYSTEM process. 2012-11-22 10:29:58 +00:00
Meatballs1 128eafe22c Changed to Local Exploit 2012-11-22 10:26:23 +00:00
Rob Fuller e18acf2103 remove debugging code 2012-11-14 23:56:32 -05:00
Rob Fuller 7d41f1f9a0 add admin already and admin group checks 2012-11-14 23:54:01 -05:00
Meatballs1 063661c320 Address some initial feedback thanks bperry 2012-11-11 19:33:32 +00:00
Meatballs1 ac6048837b msftidy 2012-11-11 15:12:18 +00:00
Meatballs1 142cef6182 Dont cleanup dll when reboot is required. 2012-11-11 15:11:00 +00:00
Meatballs1 ca95973b8f Null check 2012-11-11 14:56:26 +00:00
Meatballs1 19fe29e820 Merge remote-tracking branch 'upstream/master' into local_win_priv_keyring 2012-11-11 14:43:31 +00:00
Meatballs1 933515dae2 Msftidy 2012-11-11 14:42:49 +00:00
Meatballs1 f60aa562b7 Working x86 2012-11-11 14:39:41 +00:00
James Lee 34bc92584b Refactor WindowsServices
* Pulls common code up from several methods into #open_sc_manager
* Deprecates the name Windows::WindowsServices in favor of
  Windows::Services. The platform is already clear from the namespace.
* Makes the post/test/services test module actually work

[See #1007]
[See #1012]
2012-11-06 17:30:04 -06:00
Meatballs1 cae0aa9c31 Check architecture, fix cleanup etc 2012-11-05 23:55:49 +00:00
sagishahar 53c7479d70 Add Windows 8 support
Verified with Windows 8 Enterprise Evaluation
2012-10-29 20:12:47 +02:00
sinn3r f1423bf0b4 If a message is clearly a warning, then use print_warning 2012-10-24 00:44:53 -05:00
Tod Beardsley be9a954405 Merge remote branch 'jlee-r7/cleanup/post-requires' 2012-10-23 15:08:25 -05:00
Michael Schierl 910644400d References EDB cleanup
All other types of references use String arguments, but approximately half
of the EDB references use Fixnums. Fix this by using Strings here too.
2012-10-23 21:02:09 +02:00
Michael Schierl 21f6127e29 Platform windows cleanup
Change all Platform 'windows' to 'win', as it internally is an alias
anyway and only causes unnecessary confusion to have two platform names
that mean the same.
2012-10-23 20:33:01 +02:00
James Lee 9c95c7992b Require's for all the include's 2012-10-23 13:24:05 -05:00
sinn3r 33ce74fe8c Merge branch 'msftidy-1' of git://github.com/schierlm/metasploit-framework into schierlm-msftidy-1 2012-10-23 02:10:56 -05:00
Rob Fuller 7437d9844b standardizing author info 2012-10-22 17:01:58 -04:00
Michael Schierl 5b18a34ad4 References cleanup
Uppercase MSB, spaces in URLs.
2012-10-22 22:37:01 +02:00
Michael Schierl 657d527f8d DisclosureDate cleanup: Try parsing all dates
Fix all dates unparsable by `Date.strptime(value, '%b %d %Y')`
2012-10-22 20:04:21 +02:00
Meatballs1 344f32d6ba Initial commit - non working :( 2012-10-20 00:23:41 +01:00
Tod Beardsley 9192a01803 All exploits need a disclosure date. 2012-10-15 16:29:12 -05:00
sinn3r 529f88c66d Some msftidy fixes 2012-10-14 19:16:54 -05:00
sinn3r 97ac7fa184 Merge branch 'module-wle-service-permissions' of git://github.com/zeroSteiner/metasploit-framework 2012-10-14 18:27:32 -05:00
Spencer McIntyre 3ab24cdbb9 added exploits/windows/local/service_permissions 2012-10-11 22:42:36 -04:00
sinn3r e02adc1f35 Merge branch 'mubix-bypassuac_uac_check' 2012-10-06 02:09:16 -05:00
sinn3r 33429c37fd Change print_error to print_debug as a warning 2012-10-06 02:08:19 -05:00
Rob Fuller 55474dd8bf add simple UAC checks to bypassuac 2012-10-06 00:59:54 -04:00
Rob Fuller b984d33996 add RunAs ask module 2012-10-06 00:51:44 -04:00
Rob Fuller 0ae7756d26 fixed missing > on author 2012-10-05 11:13:40 -04:00
Rob Fuller 8520cbf218 fixes spotted by @jlee-r7 2012-10-04 17:34:35 -04:00
Tod Beardsley 4400cb94b5 Removing trailing spaces 2012-10-04 14:58:53 -05:00
Rob Fuller 3f2fe8d5b4 port bypassuac from post module to local exploit 2012-10-04 14:31:23 -04:00
sinn3r e36507fc05 Code cleanup and make msftidy happy 2012-10-02 12:00:23 -05:00
Spencer McIntyre 21e832ac1c add call to memory protect to fix DEP environments 2012-10-01 18:49:18 -04:00
Spencer McIntyre c93692b06d add a check to verify session is not already system for MS11-080 2012-09-27 08:36:13 -04:00
Spencer McIntyre 8648953747 added MS11-080 AFD JoinLeaf Windows Local Exploit 2012-09-26 11:01:30 -04:00
sinn3r ac2e3dd44e Merge branch 'master' of github.com:rapid7/metasploit-framework 2012-08-15 14:47:22 -05:00
sinn3r 54146b8e99 Add another ref about the technique 2012-08-15 14:46:51 -05:00
Tod Beardsley f325d47659 Fix up description a little 2012-08-15 13:57:24 -05:00
Tod Beardsley 586d937161 Msftidy fix and adding OSVDB 2012-08-15 13:43:50 -05:00
sinn3r dc5f8b874d Found a bug with retrying. 2012-08-14 17:04:17 -05:00
sinn3r 3e0e5a1a75 No manual stuff, probably prones to failure anyway. 2012-08-14 10:58:57 -05:00
sinn3r 612848df6f Add priv escalation mod for exploiting trusted service path 2012-08-14 01:55:03 -05:00
Tod Beardsley bd408fc27e Updating msft links to psexec
Thanks for the spot @shuckins-r7 !
2012-08-13 15:28:04 -05:00
James Lee 67cdea1788 Fix load order issues (again)
This is getting annoying.  Some day we'll have autoload and never have
to deal with this.
2012-08-10 13:52:54 -06:00
Tod Beardsley d5b165abbb Msftidy.rb cleanup on recent modules.
Notably, DisclosureDate is required for other module parsers, so let's
not ignore those, even if you have to guess at the disclosure or call
the module's publish date the disclosure date.
2012-08-04 12:18:00 -05:00
James Lee 227d0dbc47 Add jabra to authors. I'm a jerk 2012-08-02 11:13:53 -06:00
James Lee 1a2a1e70f7 Replace load with require, *facepalm* 2012-08-01 22:51:36 -06:00
James Lee 0707730fe0 Remove superfluous method
Obsoleted by session.session_host, which does the same thing
2012-08-01 01:07:21 -06:00
James Lee 47eb387886 Add current_user_psexec module
Tested against a 2k8 domain controller.
2012-08-01 01:05:10 -06:00
James Lee ebe48ecf16 Add Rank for schelevator, update sock_sendpage's 2012-07-18 11:16:29 -06:00
James Lee 1fbe5742bd Axe some copy-pasta 2012-06-12 23:58:20 -06:00
James Lee 9f78a9e18e Port ms10-092 to the new Exploit::Local format 2012-06-12 23:58:20 -06:00