Commit Graph

3482 Commits (5c365337424575e3f3fdb93339da6179d28472d5)

Author SHA1 Message Date
sinn3r 199bd20b95 Update CVE-2013-3893's Microsoft reference
Official patch is out:
http://technet.microsoft.com/en-us/security/bulletin/MS13-080
2013-10-08 13:00:03 -05:00
Tod Beardsley 219bef41a7
Decaps Siemens (consistent with other modules) 2013-10-07 13:12:32 -05:00
trustedsec 0799766faa Fix UAC is not enabled, no reason to run module when UAC is enabled and vulnerable
The new changes when calling uac_level = open_key.query_value('ConsentPromptBehaviorAdmin') breaks UAC on Windows 7 and Windows 8 and shows that UAC is not enabled when it is:

Here is prior to the change on a fully patched Windows 8 machine:

msf exploit(bypassuac) > exploit

[*] Started reverse handler on 172.16.21.156:4444 
[*] UAC is Enabled, checking level...
[-] UAC is not enabled, no reason to run module
[-] Run exploit/windows/local/ask to elevate
msf exploit(bypassuac) > 

Here's the module when running with the most recent changes that are being proposed:

[*] Started reverse handler on 172.16.21.156:4444 
[*] UAC is Enabled, checking level...
[!] Could not determine UAC level - attempting anyways...
[*] Checking admin status...
[+] Part of Administrators group! Continuing...
[*] Uploading the bypass UAC executable to the filesystem...
[*] Meterpreter stager executable 73802 bytes long being uploaded..
[*] Uploaded the agent to the filesystem....
[*] Sending stage (770048 bytes) to 172.16.21.128
[*] Meterpreter session 6 opened (172.16.21.156:4444 -> 172.16.21.128:49394) at 2013-10-05 15:49:23 -0400

meterpreter > 

With the new changes and not having a return on when 0 (will not always return 0 - just in certain cases where you cannot query) - it works.
2013-10-05 15:56:55 -04:00
sinn3r a8de9d5c8b Land #2459 - Add HP LoadRunner magentproc.exe Overflow 2013-10-04 19:45:44 -05:00
jvazquez-r7 646429b4dd Put ready to pull request 2013-10-03 22:15:17 -05:00
jvazquez-r7 5971fe87f5 Improve reliability 2013-10-03 17:19:53 -05:00
jvazquez-r7 39eb20e33a Add module for ZDI-13-169 2013-10-03 16:52:20 -05:00
sinn3r c87e7b3cc1 Land #2451 - Don't overwrite default timeout on get_once 2013-10-03 15:44:40 -05:00
Tod Beardsley 539a22a49e
Typo on Microsoft 2013-10-03 12:20:47 -05:00
jvazquez-r7 77d0236b4e Don't overwrite defaul timeout 2013-10-02 16:15:14 -05:00
sinn3r 23b0c3b723 Add Metasploit blog references
These modules have blogs from the Rapid7 community, we should add them.
2013-10-01 20:50:16 -05:00
sinn3r 932ed0a939 Land #2444 - Add SIEMENS Solid Edge ST4 SEListCtrlX ActiveX Vuln 2013-10-01 20:35:17 -05:00
jvazquez-r7 ed82be6fd8 Use RopDB 2013-10-01 13:23:09 -05:00
jvazquez-r7 6483c5526a Add module for OSVDB 93696 2013-10-01 11:42:36 -05:00
sinn3r 9abf727fa6 Land #2439 - Update description 2013-09-30 16:03:15 -05:00
sinn3r 7118f7dc4c Land #2422 - rm methods peer & rport
Because they're already defined in the HttpClient mixin
2013-09-30 16:01:59 -05:00
jvazquez-r7 6c8f86883d
Land #2437, @wchen-r7's exploit for CVE-2013-3893 2013-09-30 14:02:29 -05:00
Tod Beardsley 4dc88cf60f Expand descriptions for ease of use. 2013-09-30 13:30:31 -05:00
sinn3r c82ed33a95 Forgot Math.cos() 2013-09-30 13:29:16 -05:00
sinn3r d6cd0e5c67 Tweak for office 2007 setup 2013-09-30 13:27:59 -05:00
sinn3r ecf4e923e8 Change the target address for spray 1 2013-09-30 11:57:59 -05:00
sinn3r b9aae1c93c Higher address seems better 2013-09-29 18:45:30 -05:00
sinn3r a5ade93ab2 Add CVE-2013-3893 Internet Explorer SetMouseCapture Use-After-Free
This module exploits a use-after-free vulnerability that currents
targets Internet Explorer 9 on Windows 7, but the flaw should exist in
versions 6/7/8/9/10/11. It was initially found in the wild in Japan, but
other regions such as English, Chinese, Korean, etc, were targeted as
well.

The vulnerability is due to how the mshtml!CDoc::SetMouseCapture function
handles a reference during an event. An attacker first can setup two
elements, where the second is the child of the first, and then setup a
onlosecapture event handler for the parent element. The onlosecapture
event seems to require two setCapture() calls to trigger, one for the parent
element, one for the child. When the setCapture() call for the child element
is called, it finally triggers the event, which allows the attacker to cause
an arbitrary memory release using document.write(), which in particular frees
up a 0x54-byte memory. The exact size of this memory may differ based on the
version of IE. After the free, an invalid reference will still be kept and pass
on to more functions, eventuall this arrives in function
MSHTML!CTreeNode::GetInterface, and causes a crash (or arbitrary code execution)
when this function attempts to use this reference to call what appears to be a
PrivateQueryInterface due to the offset (0x00).

To mimic the same exploit found in the wild, this module will try to use the
same DLL from Microsoft Office 2007 or 2010 to leverage the attack.
2013-09-29 18:24:13 -05:00
Meatballs b306415ecf
Tidy and updates to info 2013-09-29 17:32:39 +01:00
Meatballs 29a7059eb4
Update AlwaysInstallElevated to use a generated MSI file
Fixes bugs with MSI::UAC option, invalid logic and typo...
2013-09-29 17:09:03 +01:00
jvazquez-r7 6381bbfd39 Clean up freeftpd_pass 2013-09-27 09:47:39 -05:00
TecR0c b02a2b9ce0 Added crash info and basic tidy up 2013-09-27 17:05:42 +10:00
TecR0c 7dbc3f4f87 changed seh address to work on freeFTPd 1.0.10 and below 2013-09-27 12:37:52 +10:00
TecR0c 5fc98481a7 changed seh address to work on freeFTPd 1.0.10 and below 2013-09-27 12:35:03 +10:00
TecR0c a6e1bc61ec updated version in exploit freeFTPd 1.0.10 2013-09-27 11:27:51 +10:00
TecR0c 3a3f1c0d05 updated requested comments for freeFTPd 1.0.10 2013-09-27 11:13:28 +10:00
TecR0c 0339c3ef48 added freeFTPd 1.0.10 (PASS Command) 2013-09-26 20:37:23 +10:00
FireFart 84ec2cbf11 remove peer methods since it is already defined in Msf::Exploit::Remote::HttpClient 2013-09-25 23:42:44 +02:00
Tod Beardsley d91cb85a31
Not actually a typo
Turns out, the object name is "CCaret," though we're talking about the
"caret." Confuz0ring!
2013-09-24 15:55:52 -05:00
Tod Beardsley ac1388368f
Typo in module name 2013-09-24 15:50:58 -05:00
Tod Beardsley 93486a627d Whoops on trailing commas 2013-09-24 15:14:11 -05:00
William Vu 52a92a55ce Land #2394, ms13_005_hwnd_broadcast require fix 2013-09-24 13:43:21 -05:00
Tod Beardsley 3906d4a2ca Fix caps that throw msftidy warnings 2013-09-24 13:03:16 -05:00
Tod Beardsley c547e84fa7 Prefer Ruby style for single word collections
According to the Ruby style guide, %w{} collections for arrays of single
words are preferred. They're easier to type, and if you want a quick
grep, they're easier to search.

This change converts all Payloads to this format if there is more than
one payload to choose from.

It also alphabetizes the payloads, so the order can be more predictable,
and for long sets, easier to scan with eyeballs.

See:
  https://github.com/bbatsov/ruby-style-guide#collections
2013-09-24 12:33:31 -05:00
Tod Beardsley 081c279b61 Remove misleading comment 2013-09-24 11:42:31 -05:00
Tod Beardsley 8db1a389eb
Land #2304 fix post module require order
Incidentally resolve conflict on current_user_psexec to account for the
new powershell require.
2013-09-23 16:52:23 -05:00
Tod Beardsley 2656c63459 Knock out a Unicode character 2013-09-23 14:22:11 -05:00
Tod Beardsley 99f145cbff Don't split the post requires 2013-09-23 14:02:43 -05:00
Tod Beardsley 4bff8f2cdc Update descriptions for clarity. 2013-09-23 13:48:23 -05:00
William Vu a46ac7533d Land #2407, require fix for current_user_psexec 2013-09-23 11:57:19 -05:00
jvazquez-r7 8417b916c7 Complete MS13-071 Information 2013-09-21 21:22:34 -05:00
darknight007 6b06ed0df1 Update current_user_psexec.rb 2013-09-22 03:07:17 +05:00
sinn3r 8381bf8646 Land #2404 - Add powershell support for current_user_psexec 2013-09-20 17:14:55 -05:00
sinn3r 96364c78f8 Need to catch RequestError too
Because a meterpreter session may throw that
2013-09-20 17:13:35 -05:00
Meatballs 2591be503b Psh support 2013-09-20 22:07:42 +01:00