jvazquez-r7
1ec960d8f9
Make the time to write flush configurable
2015-07-31 16:43:43 -05:00
jvazquez-r7
bf6975c01a
Fix #4558 by restoring the old wmicexec
2015-07-27 14:04:10 -05:00
Donny Maasland
e355e56539
Add check
2015-07-02 10:54:44 +02:00
Donny Maasland
56c3102603
That's what you get for making edits on github.com..
2015-07-01 17:51:57 +02:00
Donny Maasland
4847fb9830
Add a neater powershell command
2015-07-01 17:47:47 +02:00
Donny Maasland
822a46fee6
Merge branch 'master' of github:dmaasland/metasploit-framework
2015-07-01 17:47:33 +02:00
Donny Maasland
4f72df3202
Create a neater powershell command
2015-07-01 17:47:08 +02:00
Donny Maasland
ffe710af2d
Update registry_persistence.rb
...
Omg spaces
2015-07-01 17:21:12 +02:00
Donny Maasland
26e3ec0a5f
Add a switch for creating a cleanup rc file
2015-07-01 17:06:16 +02:00
Donny Maasland
20708ebc82
Add a check to prevent accidental deletion of existing registry keys
2015-07-01 16:45:03 +02:00
Donny Maasland
2e48bae71c
fixes
2015-07-01 16:15:13 +02:00
Donny Maasland
335487afa0
fixes
2015-07-01 16:09:55 +02:00
Donny Maasland
d0845b8c66
msftidy fix
2015-07-01 12:50:34 +02:00
Donny Maasland
a3db6c6ae3
Msftidy fix
2015-07-01 12:47:10 +02:00
Donny Maasland
bd94f50fb0
add registry_persistence.rb
2015-07-01 12:26:46 +02:00
jvazquez-r7
7ccc86d338
Use cmd_exec
2015-06-26 11:54:19 -05:00
Spencer McIntyre
2206a6af73
Support older targets x86 for MS15-051
2015-06-25 09:33:15 +10:00
William Vu
a149fb5710
Land #5554 , @g0tmi1k's persistence improvements
...
age aborts
age aborts
2015-06-24 14:37:25 -05:00
William Vu
e7e8135acd
Clean up module
2015-06-24 14:35:10 -05:00
wchen-r7
dedfca163d
Change check()
2015-06-22 15:05:12 -05:00
Spencer McIntyre
efece12b40
Minor clean ups for ruby strings and check method
2015-06-21 16:07:44 -04:00
g0tmi1k
0b55a889d3
persistence - better ruby/msf fu
2015-06-18 21:10:16 +01:00
g0tmi1k
a3debe1621
persistence - more options, more verbose
...
...and less bugs!
+ Able to define the EXE payload filename
+ Able to setup a handler job
+ Able to execute persistence payload after installing
+ Performs various checks (should be more stable now)
+ Will display various warnings if your doing something 'different'
+ Added various verbose messages during the process
2015-06-17 13:57:06 +01:00
OJ
a6467f49ec
Update description
2015-06-03 22:17:25 +10:00
OJ
455a3b6b9d
Add butchered version of CVE-2015-1701
2015-06-03 21:48:23 +10:00
James Lee
d03ee5667b
Remove assigned but unused local vars
2015-06-01 16:45:36 -05:00
James Lee
7133f0a68e
Fix typo in author's name
2015-06-01 16:45:09 -05:00
jvazquez-r7
5bceeb4f27
Land #5349 , @h0ng10's module for CVE-2015-2219 Lenovo System Update Local Privilege Escalation
2015-05-22 17:14:20 -05:00
jvazquez-r7
3aa1ffb4f5
Do minor code cleanup
2015-05-22 16:20:36 -05:00
Hans-Martin Münch (h0ng10)
d99eedb1e4
Adding begin...ensure block
2015-05-17 20:48:11 +02:00
Hans-Martin Münch (h0ng10)
acb053a2a7
CloseHandle cleanup
2015-05-17 20:39:10 +02:00
Hans-Martin Münch (h0ng10)
e075495a5b
string concatenation, clear \ handling
2015-05-15 06:51:42 +02:00
Hans-Martin Münch (h0ng10)
94d39c5c75
remove hard coded pipe name
2015-05-15 06:35:55 +02:00
Hans-Martin Münch (h0ng10)
bb4f5da6d9
replace client.sys.config.getenv with get_env
2015-05-15 06:33:57 +02:00
Hans-Martin Münch (h0ng10)
bba261a1cf
Initial version
2015-05-15 00:36:03 +02:00
Tod Beardsley
f423306b6f
Various post-commit fixups
...
Edited modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb first landed
in #5150 , @wchen-r7's DOS module for CVE-2015-1635 HTTP.sys
Edited modules/auxiliary/gather/apple_safari_ftp_url_cookie_theft.rb
first landed in #5192 , @joevennix's module for Safari CVE-2015-1126
Edited modules/auxiliary/gather/java_rmi_registry.rb first landed in
Edited modules/auxiliary/gather/ssllabs_scan.rb first landed in #5016 ,
add SSL Labs scanner
Edited modules/auxiliary/scanner/http/goahead_traversal.rb first landed
in #5101 , Add Directory Traversal for GoAhead Web Server
Edited modules/auxiliary/scanner/http/owa_iis_internal_ip.rb first
landed in #5158 , OWA internal IP disclosure scanner
Edited modules/auxiliary/scanner/http/wp_mobileedition_file_read.rb
first landed in #5159 , WordPress Mobile Edition Plugin File Read Vuln
Edited modules/exploits/linux/http/multi_ncc_ping_exec.rb first landed
in #4924 , @m-1-k-3's DLink CVE-2015-1187 exploit
Edited modules/exploits/unix/webapp/wp_slideshowgallery_upload.rb first
landed in #5131 , WordPress Slideshow Upload
Edited modules/exploits/windows/local/run_as.rb first landed in #4649 ,
improve post/windows/manage/run_as and as an exploit
(These results courtesy of a delightful git alias, here:
```
cleanup-prs = !"for i in `git status | grep modules | sed
s/#.*modules/modules/`; do echo -n \"Edited $i first landed in \" && git
log --oneline --first-parent $i | tail -1 | sed 's/.*Land //' && echo
''; done"
```
So that's kind of fun.
2015-05-06 11:39:15 -05:00
jvazquez-r7
4224008709
Delete print_debug/vprint_debug
2015-04-21 11:14:03 -05:00
Christian Mehlmauer
352e170624
more failure reasons
2015-04-16 22:04:11 +02:00
Christian Mehlmauer
ba6548db75
be consistent about naming
2015-04-16 21:44:56 +02:00
William Vu
ef8c0aac69
Land #5020 , spelling fixes for some modules
2015-03-28 00:36:04 -05:00
sinn3r
9cfafdd8b8
Land #4649 , improve post/windows/manage/run_as and as an exploit
2015-03-27 17:31:30 -05:00
C-P
f129347b51
Filed vs Failed fix
2015-03-27 11:28:50 -07:00
Tod Beardsley
49a6057f74
Grammaring harder
2015-03-24 11:10:36 -05:00
sinn3r
0c2ed21e90
Land #4318 , Lateral movement through PSRemoting
2015-03-20 11:39:35 -05:00
sinn3r
23d8479683
Fix typo
2015-03-20 11:39:00 -05:00
sinn3r
0da79edb9c
Add a print_status to let the user know the module is over
...
If I have to run the module as a job, sometimes I can't tell if
the module has finished running or not.
2015-03-20 11:35:18 -05:00
Meatballs
6ceab3d02d
Add a DisclosureDate
2015-03-18 23:51:18 +00:00
jvazquez-r7
1ead57a80d
Land #4928 , @h0ng10's local exploit for iPass Mobile Client
2015-03-13 16:58:45 -05:00
jvazquez-r7
9894a3dc54
Change module filename
2015-03-13 16:53:17 -05:00
jvazquez-r7
b4de3ce42b
Do minor cleanup
2015-03-13 16:52:26 -05:00
Hans-Martin Münch (h0ng10)
b0e730d5ae
Typo
2015-03-13 20:41:14 +01:00
Hans-Martin Münch (h0ng10)
726f01b8cc
Initial version
2015-03-13 20:33:45 +01:00
Sigurd Jervelund Hansen
c6cb1e840d
Fixes persistence module by revering changes to the value returned by the write_script_to_target function, which screws up the path that is used for startup. Currently an escaped path "C://Users//..." is being used instead of using windows standards "C:\Users\...".
2015-03-10 10:26:03 +01:00
William Vu
ff73b4d51a
Fix duplicate hash key "DefaultOptions"
...
In modules/exploits/windows/local/pxeexploit.rb.
2015-02-24 05:19:48 -06:00
sinn3r
aa8a82f44f
Update MS15-001 reference
2015-02-21 08:39:21 -06:00
Jay Smith
e40772efe2
Fixed open device issue for non-priv users
...
Fixed the open_device call to work for users without Administrator
privileges
2015-02-18 12:44:58 -05:00
Tod Beardsley
e78d08e20d
Fix up titles, descriptions
2015-02-12 12:11:40 -06:00
William Vu
309159d876
Land #4753 , updated ms14_070_tcpip_ioctl info
2015-02-12 09:57:29 -06:00
Spencer McIntyre
8ab469d3bd
Update ms14-070 module information and references
2015-02-12 09:51:01 -05:00
William Vu
b894050bba
Fix local/pxeexploit datastore
2015-02-11 12:19:56 -06:00
Spencer McIntyre
4e0a62cb3a
Land #4664 , MS14-070 Server 2003 tcpip.sys priv esc
2015-02-05 18:49:15 -05:00
Spencer McIntyre
a359fe9acc
Minor fixup on the ms14-070 module description
2015-02-05 18:41:58 -05:00
Spencer McIntyre
dc13446536
Forgot to comment ret instruction
2015-02-05 14:09:01 -05:00
Spencer McIntyre
5a39ba32f6
Make the ret instruction for token stealing optional
2015-02-05 14:00:38 -05:00
Spencer McIntyre
dabc163076
Modify the shellcode stub to save the process
2015-02-05 13:54:52 -05:00
Tod Beardsley
c633c710bc
Mostly caps/grammar/spelling, GoodRanking on MBAM
2015-02-05 12:36:47 -06:00
Spencer McIntyre
aebf5056ac
Dont compare a string to an integer
2015-02-04 16:55:43 -05:00
jvazquez-r7
d211488e5d
Add Initial version
2015-02-01 19:47:58 -06:00
Jay Smith
6c529f8f6b
Addressed feedback from @OJ and @zeroSteiner
2015-01-29 11:57:03 -05:00
Jay Smith
064ca2d02e
Updated version checking
2015-01-28 18:25:30 -05:00
Jay Smith
37c08128dc
Add in MS14-070 Priv Escalation for Windows 2003
2015-01-28 13:24:39 -05:00
Meatballs
c9ca85fba8
Bail out as SYSTEM
2015-01-27 17:23:57 +00:00
Meatballs
b7e9c69f72
Fix x64 injection
2015-01-27 16:34:06 +00:00
Meatballs
215a590940
Refactor and fixes for post module
2015-01-27 16:14:59 +00:00
Meatballs
ea25869312
Refactor to common module
2015-01-27 10:47:02 +00:00
Meatballs
93537765d0
Add TODO
2015-01-26 15:59:22 +00:00
Meatballs
5ae65a723f
Initial
2015-01-26 15:57:52 +00:00
Brent Cook
a2a1a90678
Land #4316 , Meatballs1 streamlines payload execution for exploits/windows/local/wmi
...
also fixes a typo bug in WMIC
2015-01-16 11:16:22 -06:00
Brent Cook
c1e604f201
Land #4562 : wchen-r7's CVE addition
2015-01-15 14:34:37 -06:00
Brent Cook
47cd5a3e59
Land #4562 , wchen-r7's Win8 NtApphelpCacheControl privilege escalation
2015-01-15 13:52:07 -06:00
sinn3r
09eaf80a90
Add CVE
2015-01-15 13:22:00 -06:00
sinn3r
34bbc5be90
print error message about limitation
2015-01-11 20:12:40 -06:00
sinn3r
46d1616994
Hello ARCH_X86_64
2015-01-10 06:16:22 -06:00
sinn3r
3c8be9e36d
Just x86
2015-01-09 19:12:51 -06:00
sinn3r
74e8e057dd
Use RDL
2015-01-09 19:02:08 -06:00
sinn3r
ee5c249c89
Add EDB reference
2015-01-09 00:19:12 -06:00
sinn3r
75de792558
Add a basic check
2015-01-09 00:03:39 -06:00
sinn3r
4911127fe2
Match the title and change the description a little bit
2015-01-08 21:48:01 -06:00
sinn3r
b7b3ae4d2a
A little randomness
2015-01-08 21:25:55 -06:00
sinn3r
b65013c5c5
Another update
2015-01-08 18:39:04 -06:00
sinn3r
b2ff5425bc
Some changes
2015-01-08 18:33:30 -06:00
sinn3r
53e6f42d99
This works
2015-01-08 17:57:14 -06:00
sinn3r
7ed6b3117a
Update
2015-01-08 17:18:14 -06:00
Brent Cook
fb5170e8b3
Land #2766 , Meatballs1's refactoring of ExtAPI services
...
- Many code duplications are eliminated from modules in favor of shared
implementations in the framework.
- Paths are properly quoted in shell operations and duplicate operations are
squashed.
- Various subtle bugs in error handling are fixed.
- Error handling is simpler.
- Windows services API is revised and modules are updated to use it.
- various API docs added
- railgun API constants are organized and readable now.
2015-01-08 16:54:01 -06:00
sinn3r
0e6c7181b1
"Stash" it
2015-01-08 14:13:14 -06:00
Meatballs
a9fee9c022
Fall back to runas if UAC disabled
2015-01-08 11:07:57 +00:00
OJ
844460dd87
Update bypass UAC to work on 8.1 and 2012
...
This commit contains a bunch of work that comes from Meatballs1 and
Lesage, and updates the bypassuac_inject module so that it works on
Windows 8.x and Windows 2012. Almost zero of the code in this module
can be attributed to me. Most of it comes from Ben's work.
I did do some code tidying, adjustment of style, etc. but other than
that it's all down to other people.
2015-01-08 15:39:19 +10:00
sinn3r
c60b6969bc
Oh so that's it
2015-01-07 10:39:46 -06:00
Meatballs
dd5c638ab0
Merge remote-tracking branch 'upstream/master' into extapi_service_post
2015-01-05 22:18:44 +00:00
sinn3r
3c755a6dfa
Template
2015-01-02 11:31:28 -06:00
jvazquez-r7
ebb05a64ea
Land #4357 , @Meatballs1 Kerberos Support for current_user_psexec
2014-12-23 20:38:31 -06:00
Jon Cave
44084b4ef6
Correct Microsoft security bulletin for ppr_flatten_rec
2014-12-22 10:40:23 +00:00
HD Moore
4fc4866fd8
Merge code in from #2395
2014-12-12 16:22:51 -06:00
Meatballs
c813c117db
Use DNS names
2014-12-10 22:25:44 +00:00
Meatballs
b634bde8a1
Lateral movement through PSRemoting
2014-12-04 22:06:28 +00:00
Meatballs
e471271231
Move comment
2014-12-04 20:24:37 +00:00
Meatballs
c14ba11e79
If extapi dont stage payload
2014-12-04 20:17:48 +00:00
jvazquez-r7
145e610c0f
Avoid shadowing new method
2014-11-17 12:22:30 -06:00
jvazquez-r7
6574db5dbb
Fix the 64 bits code
2014-10-30 17:01:59 -05:00
jvazquez-r7
5e0993d756
Add OJ as author
2014-10-28 09:58:34 -05:00
Spencer McIntyre
830f631da4
Make the check routine less strict
2014-10-27 12:51:20 -04:00
Spencer McIntyre
46b1abac4a
More robust check routine for cve-2014-4113
2014-10-27 11:19:12 -04:00
jvazquez-r7
4406972b46
Do version checking minor cleanup
2014-10-27 09:32:42 -05:00
jvazquez-r7
c319ea91b3
Delete verbose print
2014-10-26 17:31:19 -05:00
jvazquez-r7
34697a2240
Delete 'callback3' also from 32 bits version
2014-10-26 17:28:35 -05:00
Spencer McIntyre
7416c00416
Initial addition of x64 target for cve-2014-4113
2014-10-26 16:54:42 -04:00
jvazquez-r7
a75186d770
Add module for CVE-2014-4113
2014-10-23 18:51:30 -05:00
URI Assassin
35d3bbf74d
Fix up comment splats with the correct URI
...
See the complaint on #4039 . This doesn't fix that particular
issue (it's somewhat unrelated), but does solve around
a file parsing problem reported by @void-in
2014-10-17 11:47:33 -05:00
Tod Beardsley
9f6008e275
A couple OSVDB updates for recent modules
2014-10-14 13:39:36 -05:00
Tod Beardsley
4f8801eeba
Land #3651 , local Bluetooth exploit a @KoreLogic
...
This started life as #3653 . I'll take this out of unstable as well,
since it got there on commit b10cbe4f
2014-10-14 13:13:34 -05:00
Jay Smith
7dd6a4d0d9
Merge in changes from @todb-r7.
2014-10-08 13:25:44 -04:00
sinn3r
b17396931f
Fixes #3876 - Move pxeexploit to local directory
2014-09-30 17:16:13 -05:00
Meatballs
d5959d6bd6
Land #2585 , Refactor Bypassuac with Runas Mixin
2014-09-28 09:24:22 +01:00
jvazquez-r7
9d3d25a3b3
Solve conflicts
2014-08-28 10:19:12 -05:00
Meatballs
d2bc0baa87
Merge remote-tracking branch 'upstream/master' into extapi_service_post
...
Conflicts:
lib/msf/core/post/windows/services.rb
2014-08-24 19:46:19 +01:00
Tod Beardsley
cad281494f
Minor caps, grammar, desc fixes
2014-08-18 13:35:34 -05:00
Meatballs
0cc3bdfb35
Moar bad packs
2014-08-15 21:11:37 +01:00
Jay Smith
b55f425ec0
Merge in changes from @todb-r7.
2014-08-14 17:22:07 -04:00
sinn3r
f91116a8e8
Land #3634 - Virtual box 3D Acceleration OpenGL Host escape
2014-08-13 20:08:13 -05:00
jvazquez-r7
127d094a8d
Dont share once device is opened
2014-08-13 16:13:38 -05:00
Meatballs
05a198bc96
Correct spelling
2014-08-13 14:06:25 +01:00
Meatballs
4a01c27ed4
Use get_env and good pack specifier
2014-08-13 10:59:22 +01:00
jvazquez-r7
da4b572a0d
Change module name
2014-08-12 17:17:26 -05:00
jvazquez-r7
3eccc12f50
Switch from vprint to print
2014-08-12 17:11:24 -05:00
jvazquez-r7
f203fdebcb
Use Msf::Exploit::Local::WindowsKernel
2014-08-12 17:09:39 -05:00
jvazquez-r7
e1debd68ad
Merge to update
2014-08-12 16:21:39 -05:00
jvazquez-r7
183b27ee27
There is only one target
2014-08-12 16:14:41 -05:00
jvazquez-r7
c8e4048c19
Some style fixes
2014-08-12 16:11:31 -05:00
jvazquez-r7
ea3d2f727b
Dont fail_with while checking
2014-08-12 16:09:59 -05:00
jvazquez-r7
486b5523ee
Refactor set_version
2014-08-09 02:17:07 -05:00
jvazquez-r7
d959affd6e
Delete debug message
2014-08-09 01:58:42 -05:00
jvazquez-r7
da04b43861
Add module for CVE-2014-0983
2014-08-09 01:56:38 -05:00
Spencer McIntyre
b602e47454
Implement improvements based on feedback
2014-08-05 21:24:37 -07:00
Spencer McIntyre
9cd6353246
Update mqac_write to use the mixin and restore pointers
2014-08-04 12:15:39 -07:00
Spencer McIntyre
a523898909
Apply rubocop suggestions for ms_ndproxy
2014-08-04 11:49:01 -07:00
Spencer McIntyre
86e2377218
Switch ms_ndproxy to use the new WindowsKernel mixin
2014-08-04 11:49:01 -07:00
Spencer McIntyre
58d29167e8
Refactor MS11-080 to use the mixin and for style
2014-08-04 11:49:01 -07:00
Joshua Smith
6c2b8f54cf
rubocop cleanup, long lines, etc
2014-08-03 23:19:08 -05:00
OJ
2b021e647d
Minor tidies to conform to standards
2014-08-03 23:19:08 -05:00
OJ
31c51eeb63
Move error messages to `check`
2014-08-03 23:19:08 -05:00