86e47589b0
Add xplico remote code execution
2017-11-14 09:30:57 +03:00
5a07be9b96
Land #9041 , Add LPE on Windows using CVE-2017-8464
2017-11-08 10:09:03 -06:00
4abe8ff0d9
recompile binaries
2017-11-08 09:33:48 -06:00
9b24ed8406
Removed binaries for recompile
2017-11-08 09:26:40 -06:00
c2578c1487
Refactor GetProcessSid to remove do while FALSE
2017-11-07 19:11:24 -05:00
697031eb36
mysql UDF now multi
2017-11-03 05:26:05 -04:00
294230c455
Land #8509 , add Winsxs bypass for UAC
2017-10-11 16:24:52 -05:00
fd963245a4
Recompiled old binaries that used
...
external/source/exploits/bypassuac_injection/dll/src/Exploit.cpp
to make sure the changes don't break them later.
2017-10-10 11:28:49 -05:00
c63d5fb4fb
Recompiled binaries
2017-10-09 12:44:58 -05:00
0bf948e906
Removed binary files before recompiling
2017-10-09 11:35:41 -05:00
7df18e378d
Fix conflicts in PR 8509 by mergeing to master
2017-10-09 10:30:21 -05:00
3f6f70f820
Move the cve-2017-8464 source to external/source
2017-10-08 13:58:51 -04:00
d0ebfa1950
Change the template technicque to work as an LPE
2017-10-05 10:30:28 -04:00
949633e816
Cleanup cve-2017-8464 template and build script
2017-10-02 15:18:13 -04:00
831b148ac6
Fix consistency issue in 'r7-metasploit' banner
...
This has bugged me for a while, finally fixing it.
2017-09-15 22:19:00 -05:00
2ee94ca3d9
made changes based on PR feedback.
2017-09-01 16:49:17 -07:00
b7fc990d17
moved project to the source directory.
2017-09-01 16:09:53 -07:00
6fb0a06672
add pastebin IoT credentials
2017-08-25 08:57:20 -05:00
d2e6af1845
sort|uniq
2017-08-25 08:54:49 -05:00
605330faf6
Land #8842 , add linux/aarch64/shell_reverse_tcp
2017-08-21 15:44:28 -05:00
e734a7923a
Land #8267 , Handle multiple entries in PSModulePath
2017-08-20 17:44:30 -05:00
d5a5321a8c
Merge remote-tracking branch 'upstream/pr/8299' into land-8267-
2017-08-20 17:43:56 -05:00
dc358dd087
unknow to unknown
2017-08-18 11:33:48 -04:00
8b4ccc66c7
add linux/aarch64/shell_reverse_tcp
2017-08-17 18:55:37 +08:00
cad266d469
added source code for CVE-2016-0040
2017-08-11 15:54:01 -04:00
33d3fd20a1
added CVE-2016-0040 privilege escalation exploit.
2017-08-03 19:12:32 -04:00
81500f7336
Updated Mutex code, reduce the number of times the payload is executed
2017-08-03 10:26:55 -05:00
c3bc27385e
Added source code for DLL template
2017-08-02 15:47:22 -05:00
46ec04dd15
Removed This PC ItemID & increased timeout in WaitForSingleObject
...
Remove the This PC ItemID to bypass (some) AV.
Timeout for WaitForSingleObject is set to 2,5s. After this timeout a
mutex is released allowed a new payload to be executed.
2017-08-02 15:47:22 -05:00
e6e94bad4b
Replace CreateEvent with CreateMutex/WaitForSingleObject
...
Time out is set to 1500 ms to prevent running the payload multiple times
2017-08-02 15:47:22 -05:00
e51e1d9638
Added new DLL templates to prevent crashing of Explorer
2017-08-02 15:47:21 -05:00
6300758c46
use https for metaploit.com links
2017-07-24 06:26:21 -07:00
bc3b883758
Add docs, fix typo, add missing report mixin to avoid error.
2017-06-05 13:49:59 -05:00
6a3fc618a4
Add bypassuac_injection_winsxs.rb module
2017-06-03 12:59:50 +02:00
a01a2ead1a
Land #8467 , Samba CVE-2017-7494 Improvements
2017-05-30 00:15:03 -05:00
38491fd7ba
Rename payloads with os+libc, shrink array inits
2017-05-27 19:50:31 -05:00
b7b0c26f4a
Reduce minimum GLIBC versions where we can
2017-05-27 19:28:41 -05:00
184c8f50f1
Rework the Samba exploit & payload model to be magic.
2017-05-27 17:03:01 -05:00
d4ba28a20b
Land #8457 , Update multi/fileformat/office_word_macro to allow custom templates
2017-05-26 15:09:23 -05:00
ee13195760
Update office_word_macro exploit to support template injection
2017-05-25 15:53:45 -05:00
0520d7cf76
First crack at Samba CVE-2017-7494
2017-05-24 19:42:04 -05:00
afc804fa03
Quick Ghostscript module based on the public PoC
2017-04-28 09:56:52 -05:00
f3d6a8c456
split PSModulePath in multi strings with ';'
...
1、allows the HTA window to be invisible
2017-04-26 11:01:59 +08:00
5bbb4d755a
Land #8254 , Add CVE-2017-0199 - Office Word HTA Module
2017-04-24 16:05:00 -05:00
c724f0e05d
Handle multiple entries in PSModulePath
...
This commit handles the case where more than one entry exists in
the PSModulePath environment variable. The updated code will loop
through each entry in the PSModulePath checking for the presence of
powershell.exe. When one is encountered it will execute the payload
and exit the for loop.
2017-04-19 11:22:38 -04:00
637098466c
Hidden black flash windows / Close HTA windows
2017-04-16 22:53:17 -05:00
a9df917257
Fix rtf info author
2017-04-14 21:16:39 -05:00
8c662562d3
add CVE-2017-0199 format
2017-04-14 13:22:32 -05:00
437d9b6f02
Fixed newline error in powershell script.
2017-04-05 12:38:38 +02:00
64c06a512e
Land #8020 , ntfs-3g local privilege escalation
2017-04-04 09:48:15 -05:00
e80b8cb373
move sploit.c out to data folder
2017-03-31 20:51:33 -04:00
c00b9ca1e5
Land #8175 , Get into the DANGER ZOOOOOOONE
2017-03-31 14:31:22 -05:00
b5771b0f72
Get into the DANGER ZOOOOOOONE
2017-03-31 12:26:42 -05:00
1ce7bf3938
Land #8126 , Add SolarWind LEM Default SSH Pass/RCE
2017-03-31 11:21:32 -05:00
e9f816272d
Adding solarwinds lem default ssh credentials to the wordlist
2017-03-24 13:24:05 +03:00
4628dfe16b
Remove old banner + rubygems requirements
2017-03-13 17:36:21 +01:00
c9a5190726
Patching "undefined method empty?" errors + "encoding error"
2017-03-13 17:32:56 +01:00
e8257122b3
Creation of a sub-module for modules/auxiliary/crawler/msfcrawler
...
Catching links in comments
2017-03-13 17:18:39 +01:00
2fb42ff019
Fixed an issue in the powershell script
2017-03-07 13:56:18 +01:00
6965a00b45
Resolve #8023 , Support backward compatibility for Office macro
...
Resolve #8023
2017-02-27 13:02:41 -06:00
0fa0fe3bf8
Added NTDSgrab module to metasploit.
2017-02-24 10:15:13 +01:00
83cc28a091
Land #7972 , Microsoft Office Word Macro Generator OS X Edition
2017-02-21 13:26:42 -06:00
2c570b6709
Land #7942 , Microsoft SQL Server Clr Stored Procedure Payload Execution
2017-02-17 17:28:54 -06:00
3d269b46ad
Support OS X for Microsoft Office macro exploit
2017-02-16 12:28:11 -06:00
2d834a3f5a
Finalise module, and add supporting binaries
2017-02-10 12:56:40 +10:00
272d1845fa
Land #7934 , Add exploit module for OpenOffice with a malicious macro
2017-02-09 13:42:58 -06:00
047a9b17cf
Completed version of openoffice_document_macro
2017-02-08 16:29:40 -06:00
cefbee2df4
Add PoC for OpenOffice macro module
2017-02-07 10:12:23 -06:00
ccaa783a31
Add Microsoft Office Word Macro exploit
2017-02-02 17:44:55 -06:00
fb74b2d8f3
initial commit of finished product
2017-01-20 11:01:36 -06:00
4035dd7485
Land #7796 , Improve zip module windows script fallback
2017-01-17 10:59:04 -06:00
24f7959805
add binary for futex_requeue
2017-01-11 13:25:30 -06:00
2585c8c8b5
Land #7461 , convert futex_requeue (towelroot) module to use targetting and core_loadlib
2017-01-11 13:24:25 -06:00
31f85b905a
add comments
2017-01-07 12:50:11 -06:00
cdcf4cce7d
improve zip module windows script fallback
...
- handle non-English locales
- wait more reliably, handle network paths where FS info gets stale
- use absolute paths correctly
2017-01-07 12:27:03 -06:00
2652f347fa
add module binary
2016-12-22 03:25:10 -06:00
e6d4c0001c
hide debug printing
2016-12-20 00:52:11 +08:00
1dae206fde
Land #7379 , Linux Kernel BPF Priv Esc (CVE-2016-4557)
2016-11-11 16:50:20 -06:00
268a72f210
Land #7193 Office DLL hijack module
2016-11-08 23:15:27 -06:00
3c1f642c7b
Moved PPSX to data/exploits folder
2016-11-08 16:04:46 +01:00
31b593ac67
Land #7402 , Add Linux local privilege escalation via overlayfs
2016-11-01 12:46:40 -05:00
d918e25bde
Land #7439 , Add Ghostscript support to ImageMagick Exploit
2016-10-28 17:07:13 -05:00
43fd0a8813
Land #7436 , Put Rex-exploitation Gem Back
2016-10-18 16:03:54 -05:00
0d1fe20ae5
revamped
2016-10-15 20:57:31 -04:00
741c4b8916
updated android payload gem, removed unused extension jar
2016-10-14 09:59:06 -05:00
9fbe1ddd9d
Land #7384 , CVE-2016-6415 - Cisco IKE Information Disclosure
2016-10-14 08:41:34 -05:00
9b15899d91
Add PS template
2016-10-13 17:40:15 -05:00
6f4f2bfa5f
Add PS target and remove MIFF
2016-10-13 17:39:55 -05:00
7894d5b2c1
Revert "Revert "use the new rex-exploitation gem""
...
This reverts commit f3166070ba
2016-10-11 17:40:43 -05:00
d1a11f46e8
Land #7418 , Linux recvmmsg Priv Esc (CVE-2014-0038)
2016-10-09 18:37:52 -05:00
2dfebe586e
working cve-2014-0038
2016-10-08 23:58:09 -04:00
f3166070ba
Revert "use the new rex-exploitation gem"
...
This reverts commit 52f6265d2e
2016-10-08 21:55:16 -05:00
3b3185069f
Land #7408 , Mirai botnet wordlists
2016-10-06 10:07:20 -05:00
83548a0dde
added mirai user/pass to unhash set
2016-10-05 22:24:11 +02:00
7ce73be936
Add linux.mirai wordlists
2016-10-05 17:57:08 +02:00
52f6265d2e
use the new rex-exploitation gem
...
use the new rex-exploitation gem instead of the packaged in lbirary code
cleans up a huge ammount of space in framework
MS-1709
2016-10-05 09:05:27 -05:00
27cf5c65c4
working module
2016-10-04 23:21:53 -04:00
af4f3e7a0d
use templates from the gem for psh
...
use the templates now contained within the magical
gem of rex-powershell
7309
MS-2106
2016-10-04 14:14:25 -05:00
dcc77fda5b
Add back accidentally-deleted nasm comment.
2016-10-03 23:47:13 -05:00
eff85e4118
Just remove DT_HASH.
2016-10-03 23:43:19 -05:00
8828060886
Fix linux x64 elf-so template.
...
Previously the elf-so would crash when loaded with LD_PRELOAD,
due to not enough room for the symbol table.
2016-10-03 23:24:31 -05:00
7368b995f2
CVE-2016-6415 Cisco - sendpacket.raw
2016-09-29 22:24:55 -05:00
c036c258a9
cve-2016-4557
2016-09-29 05:23:12 -04:00
0e82ced082
Add LPE exploit module for the capcom driver flaw
...
This commit includes:
* RDI binary that abuses the SMEP bypass and userland function pointer
invocation that is provided by the driver.
* Related metasploit module.
* Associated make.build to build from command line.
* Updated command line build file.
This also includes the beginnings of a new set of functions that help
with the management/automation of kernel-related work on Windows for
local priv esc exploits.
2016-09-27 22:37:45 +10:00
6382fffc75
Land #7326 , Linux Kernel Netfilter Privesc
2016-09-26 12:38:50 -05:00
23e5556a4c
binary drops work!
2016-09-24 21:31:00 -04:00
dbf66f27d5
Add a browser-based exploit module for CVE-2015-3864
2016-09-23 11:14:31 -05:00
726079c6e7
diffed with fuzzdb
...
https://github.com/fuzzdb-project/fuzzdb/blob/master/discovery/predictable-filepaths/webservers-appservers/SAP.txt
2016-09-21 00:20:46 -04:00
4c4f2e45d6
Land #7283 , add jsp payload generator
2016-09-16 14:37:59 -05:00
6cb331e74d
Land 7281, add vagrant default password to wordlist
2016-09-07 13:01:01 +01:00
96f81b4817
add root:vagrant to root_userpass
2016-09-07 12:59:12 +01:00
c6012e7947
add jsp payload generator
2016-09-06 22:17:21 +02:00
9d5a276e91
Fix recent metasploit-framework.gemspec conflict.
2016-09-06 13:10:28 -05:00
23a5d737fc
Add password "vagrant" to wordlists
...
The password "vagrant" is often used in Metasploitable3.
2016-09-06 12:36:02 -05:00
83160b7e49
Land #7173 , Add post module to compress (zip) a file or directory
2016-08-24 09:38:04 -05:00
e154aafaaa
On Error Resume Next for zip.vbs
2016-08-17 17:08:38 -05:00
8bece28d00
remove *scan bins as well
...
all *scan bins need to be removed as the rex-bin_tools
gem will now handle these and put them in PATH
MS-1691
2016-08-15 14:04:00 -05:00
8f7d0eae0c
Fix #7155 - Add post module to compress (zip) a file or directory
...
Fix #7155
2016-08-02 14:44:58 -05:00
21e6211e8d
add exploit for cve-2016-0189
2016-08-01 13:26:35 -05:00
d1f65b27b8
Land #7151 , Improve CVE-2016-0099 reliability
2016-07-29 09:22:11 -05:00
ee40c9d809
Land #6625 , Send base64ed shellcode and decode with certutil (Actually MSXML)
2016-07-28 13:01:05 -07:00
322fc11225
Fix whitespace
2016-07-27 12:37:14 -05:00
dbe31766af
Update CVE-2016-0099 Powershell
2016-07-27 12:35:43 -05:00
b08d1ad8d8
Revert "Land #6812 , remove broken OSVDB references"
...
This reverts commit 2b016e02167b1d9596c7
2016-07-15 12:00:31 -05:00
8f928c6ca1
Land #7006 , Add MS16-032 Local Priv Esc Exploit
2016-07-12 15:22:35 -05:00
621f3fa5a9
Change naming style
2016-07-12 15:18:18 -05:00
2b016e0216
Land #6812 , remove broken OSVDB references
2016-07-11 22:59:11 -05:00
b4b3a84fa5
refactor ms16-016 code
2016-07-05 20:50:43 -05:00
df1a9bee13
Move ps1, Use Env var, Fix license, New Cleanup
...
MS16-032 ps1 moved to external file. This ps1 will now detect windir
to find cmd.exe. The module now also detects windir to find
powershell.exe. The license is now BSD_LICENSE, and the required
copyright has been moved to the ps1. The previous optional cleanup stage
is now standard. The optional 'W_PATH' assignment is corrected to
select the user's variable unless 'W_PATH' is nil.
2016-06-22 09:25:48 -04:00
ba72d3fd92
Land #6988 , Update banners to metasploit.com, not .pro
2016-06-17 15:29:30 -05:00
cd207df6b8
adding karaf to unix lists per 4358
2016-06-15 20:31:48 -04:00
fe4cfd7e3e
Update banners to metasploit.com, not .pro
2016-06-14 15:11:04 -05:00
ab27c1b701
Merge pull request #6940 from samvartaka/master
...
Exploit for previously unknown stack buffer overflow in Poison Ivy versions 2.1.x (possibly present in older versions too)
2016-06-08 11:25:51 -05:00
5260031991
Modifications based on suggestions by @wchen-r7
2016-06-08 01:17:15 +02:00
9128ba3e57
Add popen() vuln to ImageMagick exploit
...
So... we've actually been sitting on this vuln for a while now. Now that
the cat's out of the bag [1], I'm updating the module. :)
Thanks to @hdm for his sharp eye. ;x
[1] http://permalink.gmane.org/gmane.comp.security.oss.general/19669
2016-06-02 11:35:37 -05:00
7b024d1a72
Land #6914 , add siem to the namelist
2016-05-24 14:22:44 -05:00
9d545b0a05
Update namelist.txt
2016-05-24 13:00:59 -04:00
2bac46097f
Remove url() for MVG
...
Technically unnecessary here.
2016-05-05 14:18:42 -05:00
334c432901
Force https://localhost for SVG and MVG
...
https: is all that's needed to trigger the bug, but we don't want wget
and curl to gripe. localhost should be a safe host to request.
2016-05-05 14:18:42 -05:00
decd770a0b
Encode the entire SVG string
...
Because why not? Not like people care about what's around the command.
2016-05-05 14:18:42 -05:00
232cc114de
Change placeholder text to something useful
...
A la Shellshock. :)
2016-05-05 14:18:42 -05:00
5c04db7a09
Add ImageMagick exploit
2016-05-05 14:18:42 -05:00
71c8ad555e
Resolve #6839 , Make Knowledge Base as default
...
Resolve #6839
2016-05-02 14:12:09 -05:00
d80d2bb8d3
Land #6825 , Fixed borders on code boxes
2016-04-27 11:59:52 -07:00
816bc91e45
Resolve #6807 , remove all OSVDB references.
...
OSVDB is no longer a vulnerability database, therefore all the
references linked to it are invalid.
Resolve #6807
2016-04-23 12:32:34 -05:00
57ab974737
File.exists? must die
2016-04-21 00:47:07 -04:00
22831695dd
Land #6721 , Add additional SOLMAN default creds
2016-03-30 10:48:53 -05:00
4f84c5a3b7
Add additional SOLMAN default creds
2016-03-29 15:53:15 +01:00
629bc00696
Use MSXML decoder instead
2016-03-25 22:52:16 +09:00
57984706b8
Resolve merge conflict with Gemfile
2016-03-24 18:13:31 -05:00
Mehmet İnce
bwatters-r7
Spencer McIntyre
h00die
james
Kirk Swidowski
Kirk Swidowski
Brent Cook
Tim
Yorick Koster
Pearce Barry
L3cr0f
HD Moore
William Webb
wchen-r7
anhilo
Brandon Knight
nixawk
Koen Riepe
dmohanty-r7
Jon P
OJ
scriptjunkie
Yorick Koster
William Vu
David Maloney
Tonimir Kisasondi
mach-0
Joshua J. Drake
Adam Muntner
Christian Mehlmauer
khr0x40sh
h00die
Tod Beardsley
samvartaka
x90" * 365
Meatballs
f7b053223a9e