Commit Graph

704 Commits (5e31a32771c3572a3c00f918ffa9ef8082d88634)

Author SHA1 Message Date
wchen-r7 816bc91e45 Resolve #6807, remove all OSVDB references.
OSVDB is no longer a vulnerability database, therefore all the
references linked to it are invalid.

Resolve #6807
2016-04-23 12:32:34 -05:00
RageLtMan fce78dce44 Remove dependency on dot_net PR 2016-03-22 03:35:37 -04:00
RageLtMan 6b2421e861 Use OJ's suggestion for fail_with 2016-03-22 03:35:02 -04:00
James Lee 1375600780
Land #6644, datastore validation on assignment 2016-03-17 11:16:12 -05:00
James Lee af642379e6
Fix some OptInts 2016-03-16 14:13:18 -05:00
Christian Mehlmauer 3123175ac7
use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00
Brent Cook f703fa21d6 Revert "change Metasploit3 class names"
This reverts commit 666ae14259.
2016-03-07 13:19:55 -06:00
Brent Cook 44990e9721 Revert "change Metasploit4 class names"
This reverts commit 3da9535e22.
2016-03-07 13:19:48 -06:00
Christian Mehlmauer 3da9535e22
change Metasploit4 class names 2016-03-07 09:57:22 +01:00
Christian Mehlmauer 666ae14259
change Metasploit3 class names 2016-03-07 09:56:58 +01:00
RageLtMan 4a79e75af9 Address void-in's comments
Drop session type check
Camel case advanced options
Clean up persistence, dry run, and error messages.
Clean up copyright/license clause.
2016-03-05 02:13:24 -05:00
RageLtMan 5bd43bf3d7 Powershell WMI execution post module
Powerhell provides direct interface to WMI, allowing users in UAC
or otherwise restricted context to attain privileged resources via
impersonation. Moreover, WMI allows for execution remotely, on any
endpoint attainable via DCOM. In practice, this allows foothold on
a single domain host to immediately infect every machine accessible
via DCOM either from the currently held privileged context (such as
a domain administrator) or from a new context generated by entering
acquired credentials.
Payloads, remote commands, and collection activities can be invoked
without direct IP connectivity on a remote host, and output can
be collected the same way.
Of particular note when implementing this technique is that admin
contexts resulting from this form of execution are not encapsulated
in UAC, allowing for immediate privesc to system if creating a new
session.
Old notes show that loopback exec is not stable or usable, though
this merits further research as it seems the native way to avoid
UAC altogether without any exploitation.
As with all the other powershell vectors, this mechanism provides
in-memory execution, and in all our testing walks right through the
AV currently out there since it has no service executable, on-disk
footprint, or even error log from the improper service exit that
psexec causes. Sandboxes dont cover powershell - too much runtime
entropy and some quite legitimate use of sockets and unmanaged
memory marshalling to get a good "guess" of what the code is trying
to do.
Makes for a great gift left behind in GPO startup scripts or other
latent backdoor approaches. Since a script is produced, those with
the need and craft can alter the resulting scripts to dynamically
enumerate domain hosts meeting their needs for exploitation at
runtime, as opposed to the "brute-force" approach used here.

-----

Testing:
  The internal module has been in use for over three years in our
fork. Its been instrumental in showing several clients what it
means to be "pwned" in 30s flat. This particular version has been
slightly altered for upstream consumption and should be tested
again by community and developers alike in the upstream branch.

Note:
  Word to the wise on target selection - choose carefully, it is
possible to generate more sessions than an L3 pivoted handler can
comfortably address, and having a thousand reverse_tcp sessions
going past the edge is sure to raise an eyebrow at the SOC.
2016-03-04 19:31:55 -05:00
wchen-r7 a798581fa3 Update #get_dotnet_path 2016-03-01 22:25:40 -06:00
OJ 6d88c26474 Change title, and remove requires 2016-02-18 14:26:38 +10:00
OJ 2ae1e6df7d Address concerns from @wvu-r7 2016-02-18 14:21:35 +10:00
OJ 2f4ec0af31 Add module for AppLocker bypass
This commit includes a new module that allows for payloads to be
uploaded and executed from disk while bypassing AppLocker in the
process. This module is useful for when you're attempting to generate
new shells on the target once you've already got a session. It is also
a handy way of switching between 32 and 64 bit sessions (in the case of
the InstallUtil technique).

The code is taken from Casey Smith's AppLocker bypass research (added in
the references), and includes just one technique at this point. This
technique uses the InstallUtil feature that comes with .NET. Other
techiques can be added at any time.

The code creates a C# file and uploads it to the target. The csc.exe
compiler is used to create a .NET assembly that contains an uninstaller
that gets invoked by InstallUtil behind the scenes. This function is
what contains the payload.

This was tested on Windows 7 x64. It supports running of both 32 and 64
bit payloads out of the box, and checks to make sure that .NET is
installed on the target as well as having a payload that is valid for
the machine (ie. don't run x64 on x86 OSes).

This appears to work fine with both staged and stageless payloads.
2016-02-18 13:46:32 +10:00
wchen-r7 3c72135a2f No to_i
What happens here is it converts to a Fixnum, and then it converts
back to a String anway because it's in a String.
2015-11-18 15:25:18 -06:00
sammbertram a484b318eb Update registry_persistence.rb 2015-11-18 16:13:18 +00:00
sammbertram 1fe8bc9cea Added a SLEEP_TIME option
Added a SLEEP_TIME options which is the number of seconds to sleep prior to executing the initial IEX request. This is useful in cases where a machine would have to establish a VPN connection, initiated by the user, after a reboot. 

Alternatively, as opposed to a sleep time, it could have a loop that attempts to retry for a certain period of item.
2015-11-18 11:17:57 +00:00
wchen-r7 154fb585f4 Remove bad references (dead links)
These links are no longer available. They are dead links.
2015-10-27 12:41:32 -05:00
OJ 7451cf390c Add Windows 10 "support" to bypassuac_injection 2015-10-01 11:16:18 +10:00
wchen-r7 c7afe4f663
Land #5930, MS15-078 (atmfd.dll buffer overflow) 2015-09-16 15:33:38 -05:00
jvazquez-r7 24af3fa12e
Add rop chains 2015-09-15 14:46:45 -05:00
jvazquez-r7 0d52a0617c
Verify win32k 6.3.9600.17837 is working 2015-09-12 15:27:50 -05:00
jvazquez-r7 9626596f85
Clean template code 2015-09-12 13:43:05 -05:00
jvazquez-r7 53f995b9c3
Do first prototype 2015-09-10 19:35:26 -05:00
jvazquez-r7 329e6f4633
Fix title 2015-09-08 15:31:14 -05:00
jvazquez-r7 ef6df5bc26
Use get_target_arch 2015-09-03 16:30:46 -05:00
jvazquez-r7 2588439246
Add references for the win32k info leak 2015-09-03 15:35:41 -05:00
jvazquez-r7 697a6cd335
Rescue the process execute 2015-09-03 13:03:36 -05:00
jvazquez-r7 80a1e32339
Set Manual Ranking 2015-09-03 12:24:45 -05:00
HD Moore 9b51352c62
Land #5639, adds registry persistence 2015-09-03 11:26:38 -05:00
jvazquez-r7 dbe901915e
Improve version detection 2015-09-03 09:54:38 -05:00
jvazquez-r7 de25a6c23c
Add metadata 2015-09-02 18:32:45 -05:00
jvazquez-r7 8f70ec8256
Fix Disclosure date 2015-09-02 18:21:36 -05:00
jvazquez-r7 b912e3ce65
Add exploit template 2015-09-02 17:28:35 -05:00
HD Moore 4090c2c8ea
Land #5880, adds ScriptHost UAC bypass for Win7/2008 2015-09-02 14:14:18 -05:00
Meatballs 582cc795ac
Remove newlines 2015-09-02 19:42:04 +01:00
Meatballs 8f25a006a8
Change to automatic target 2015-09-02 09:13:25 +01:00
wchen-r7 4275a65407 Update local exploit checks to follow the guidelines.
Please see wiki "How to write a check() method" to learn how
these checkcodes are determined.
2015-09-01 23:26:45 -05:00
Meatballs 27775fbe58
Restrict to 7 and 2k8 2015-09-01 22:23:37 +01:00
jvazquez-r7 da4b360202
Fix typo 2015-08-26 15:29:34 -05:00
jvazquez-r7 5d0ed797a3
Update DLL 2015-08-26 15:15:32 -05:00
jvazquez-r7 dd529013f6
Update ruby side 2015-08-26 15:12:09 -05:00
Brent Cook b1ef560264
Merge payload_inject 64-bit inject fix from @Meatballs1 2015-08-24 09:26:00 -05:00
Meatballs 1c91b126f1
X64 compat for payload_inject 2015-08-23 22:03:57 +01:00
Meatballs 228087dced
Initial working scripthost bypass uac 2015-08-23 20:16:15 +01:00
wchen-r7 45c7e4760a Support x64 payloads 2015-08-20 02:09:58 -05:00
Meatballs 6f31183904
Fix VSS Persistance to check integrity level 2015-08-01 23:13:05 +01:00
Meatballs a6a8117e46 Revert "Land #5777, fix #4558 vss_persistence"
This reverts commit ba4b2fbbea, reversing
changes made to affc86bfd9.
2015-08-01 22:35:24 +01:00
jvazquez-r7 1ec960d8f9
Make the time to write flush configurable 2015-07-31 16:43:43 -05:00
jvazquez-r7 bf6975c01a
Fix #4558 by restoring the old wmicexec 2015-07-27 14:04:10 -05:00
Donny Maasland e355e56539 Add check 2015-07-02 10:54:44 +02:00
Donny Maasland 56c3102603 That's what you get for making edits on github.com.. 2015-07-01 17:51:57 +02:00
Donny Maasland 4847fb9830 Add a neater powershell command 2015-07-01 17:47:47 +02:00
Donny Maasland 822a46fee6 Merge branch 'master' of github:dmaasland/metasploit-framework 2015-07-01 17:47:33 +02:00
Donny Maasland 4f72df3202 Create a neater powershell command 2015-07-01 17:47:08 +02:00
Donny Maasland ffe710af2d Update registry_persistence.rb
Omg spaces
2015-07-01 17:21:12 +02:00
Donny Maasland 26e3ec0a5f Add a switch for creating a cleanup rc file 2015-07-01 17:06:16 +02:00
Donny Maasland 20708ebc82 Add a check to prevent accidental deletion of existing registry keys 2015-07-01 16:45:03 +02:00
Donny Maasland 2e48bae71c fixes 2015-07-01 16:15:13 +02:00
Donny Maasland 335487afa0 fixes 2015-07-01 16:09:55 +02:00
Donny Maasland d0845b8c66 msftidy fix 2015-07-01 12:50:34 +02:00
Donny Maasland a3db6c6ae3 Msftidy fix 2015-07-01 12:47:10 +02:00
Donny Maasland bd94f50fb0 add registry_persistence.rb 2015-07-01 12:26:46 +02:00
jvazquez-r7 7ccc86d338
Use cmd_exec 2015-06-26 11:54:19 -05:00
Spencer McIntyre 2206a6af73 Support older targets x86 for MS15-051 2015-06-25 09:33:15 +10:00
William Vu a149fb5710
Land #5554, @g0tmi1k's persistence improvements
age aborts
age aborts
2015-06-24 14:37:25 -05:00
William Vu e7e8135acd Clean up module 2015-06-24 14:35:10 -05:00
wchen-r7 dedfca163d Change check() 2015-06-22 15:05:12 -05:00
Spencer McIntyre efece12b40 Minor clean ups for ruby strings and check method 2015-06-21 16:07:44 -04:00
g0tmi1k 0b55a889d3 persistence - better ruby/msf fu 2015-06-18 21:10:16 +01:00
g0tmi1k a3debe1621 persistence - more options, more verbose
...and less bugs!

+ Able to define the EXE payload filename
+ Able to setup a handler job
+ Able to execute persistence payload after installing
+ Performs various checks (should be more stable now)
+ Will display various warnings if your doing something 'different'
+ Added various verbose messages during the process
2015-06-17 13:57:06 +01:00
OJ a6467f49ec Update description 2015-06-03 22:17:25 +10:00
OJ 455a3b6b9d
Add butchered version of CVE-2015-1701 2015-06-03 21:48:23 +10:00
James Lee d03ee5667b
Remove assigned but unused local vars 2015-06-01 16:45:36 -05:00
James Lee 7133f0a68e
Fix typo in author's name 2015-06-01 16:45:09 -05:00
jvazquez-r7 5bceeb4f27
Land #5349, @h0ng10's module for CVE-2015-2219 Lenovo System Update Local Privilege Escalation 2015-05-22 17:14:20 -05:00
jvazquez-r7 3aa1ffb4f5
Do minor code cleanup 2015-05-22 16:20:36 -05:00
Hans-Martin Münch (h0ng10) d99eedb1e4 Adding begin...ensure block 2015-05-17 20:48:11 +02:00
Hans-Martin Münch (h0ng10) acb053a2a7 CloseHandle cleanup 2015-05-17 20:39:10 +02:00
Hans-Martin Münch (h0ng10) e075495a5b string concatenation, clear \ handling 2015-05-15 06:51:42 +02:00
Hans-Martin Münch (h0ng10) 94d39c5c75 remove hard coded pipe name 2015-05-15 06:35:55 +02:00
Hans-Martin Münch (h0ng10) bb4f5da6d9 replace client.sys.config.getenv with get_env 2015-05-15 06:33:57 +02:00
Hans-Martin Münch (h0ng10) bba261a1cf Initial version 2015-05-15 00:36:03 +02:00
Tod Beardsley f423306b6f
Various post-commit fixups
Edited modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb first landed
in #5150, @wchen-r7's DOS module for CVE-2015-1635 HTTP.sys

Edited modules/auxiliary/gather/apple_safari_ftp_url_cookie_theft.rb
first landed in #5192, @joevennix's module for Safari CVE-2015-1126

Edited modules/auxiliary/gather/java_rmi_registry.rb first landed in

Edited modules/auxiliary/gather/ssllabs_scan.rb first landed in #5016,
add SSL Labs scanner

Edited modules/auxiliary/scanner/http/goahead_traversal.rb first landed
in #5101, Add Directory Traversal for GoAhead Web Server

Edited modules/auxiliary/scanner/http/owa_iis_internal_ip.rb first
landed in #5158, OWA internal IP disclosure scanner

Edited modules/auxiliary/scanner/http/wp_mobileedition_file_read.rb
first landed in #5159, WordPress Mobile Edition Plugin File Read Vuln

Edited modules/exploits/linux/http/multi_ncc_ping_exec.rb first landed
in #4924, @m-1-k-3's DLink CVE-2015-1187 exploit

Edited modules/exploits/unix/webapp/wp_slideshowgallery_upload.rb first
landed in #5131, WordPress Slideshow Upload

Edited modules/exploits/windows/local/run_as.rb first landed in #4649,
improve post/windows/manage/run_as and as an exploit

(These results courtesy of a delightful git alias, here:

```
  cleanup-prs = !"for i in `git status | grep modules | sed
s/#.*modules/modules/`; do echo -n \"Edited $i first landed in \" && git
log --oneline --first-parent $i | tail -1 | sed 's/.*Land //' && echo
''; done"

```

So that's kind of fun.
2015-05-06 11:39:15 -05:00
jvazquez-r7 4224008709
Delete print_debug/vprint_debug 2015-04-21 11:14:03 -05:00
Christian Mehlmauer 352e170624
more failure reasons 2015-04-16 22:04:11 +02:00
Christian Mehlmauer ba6548db75
be consistent about naming 2015-04-16 21:44:56 +02:00
William Vu ef8c0aac69
Land #5020, spelling fixes for some modules 2015-03-28 00:36:04 -05:00
sinn3r 9cfafdd8b8
Land #4649, improve post/windows/manage/run_as and as an exploit 2015-03-27 17:31:30 -05:00
C-P f129347b51 Filed vs Failed fix 2015-03-27 11:28:50 -07:00
Tod Beardsley 49a6057f74
Grammaring harder 2015-03-24 11:10:36 -05:00
sinn3r 0c2ed21e90
Land #4318, Lateral movement through PSRemoting 2015-03-20 11:39:35 -05:00
sinn3r 23d8479683 Fix typo 2015-03-20 11:39:00 -05:00
sinn3r 0da79edb9c Add a print_status to let the user know the module is over
If I have to run the module as a job, sometimes I can't tell if
the module has finished running or not.
2015-03-20 11:35:18 -05:00
Meatballs 6ceab3d02d
Add a DisclosureDate 2015-03-18 23:51:18 +00:00
jvazquez-r7 1ead57a80d
Land #4928, @h0ng10's local exploit for iPass Mobile Client 2015-03-13 16:58:45 -05:00
jvazquez-r7 9894a3dc54 Change module filename 2015-03-13 16:53:17 -05:00
jvazquez-r7 b4de3ce42b Do minor cleanup 2015-03-13 16:52:26 -05:00