Commit Graph

704 Commits (5e31a32771c3572a3c00f918ffa9ef8082d88634)

Author SHA1 Message Date
jvazquez-r7 1ec960d8f9
Make the time to write flush configurable 2015-07-31 16:43:43 -05:00
jvazquez-r7 bf6975c01a
Fix #4558 by restoring the old wmicexec 2015-07-27 14:04:10 -05:00
Donny Maasland e355e56539 Add check 2015-07-02 10:54:44 +02:00
Donny Maasland 56c3102603 That's what you get for making edits on github.com.. 2015-07-01 17:51:57 +02:00
Donny Maasland 4847fb9830 Add a neater powershell command 2015-07-01 17:47:47 +02:00
Donny Maasland 822a46fee6 Merge branch 'master' of github:dmaasland/metasploit-framework 2015-07-01 17:47:33 +02:00
Donny Maasland 4f72df3202 Create a neater powershell command 2015-07-01 17:47:08 +02:00
Donny Maasland ffe710af2d Update registry_persistence.rb
Omg spaces
2015-07-01 17:21:12 +02:00
Donny Maasland 26e3ec0a5f Add a switch for creating a cleanup rc file 2015-07-01 17:06:16 +02:00
Donny Maasland 20708ebc82 Add a check to prevent accidental deletion of existing registry keys 2015-07-01 16:45:03 +02:00
Donny Maasland 2e48bae71c fixes 2015-07-01 16:15:13 +02:00
Donny Maasland 335487afa0 fixes 2015-07-01 16:09:55 +02:00
Donny Maasland d0845b8c66 msftidy fix 2015-07-01 12:50:34 +02:00
Donny Maasland a3db6c6ae3 Msftidy fix 2015-07-01 12:47:10 +02:00
Donny Maasland bd94f50fb0 add registry_persistence.rb 2015-07-01 12:26:46 +02:00
jvazquez-r7 7ccc86d338
Use cmd_exec 2015-06-26 11:54:19 -05:00
Spencer McIntyre 2206a6af73 Support older targets x86 for MS15-051 2015-06-25 09:33:15 +10:00
William Vu a149fb5710
Land #5554, @g0tmi1k's persistence improvements
age aborts
age aborts
2015-06-24 14:37:25 -05:00
William Vu e7e8135acd Clean up module 2015-06-24 14:35:10 -05:00
wchen-r7 dedfca163d Change check() 2015-06-22 15:05:12 -05:00
Spencer McIntyre efece12b40 Minor clean ups for ruby strings and check method 2015-06-21 16:07:44 -04:00
g0tmi1k 0b55a889d3 persistence - better ruby/msf fu 2015-06-18 21:10:16 +01:00
g0tmi1k a3debe1621 persistence - more options, more verbose
...and less bugs!

+ Able to define the EXE payload filename
+ Able to setup a handler job
+ Able to execute persistence payload after installing
+ Performs various checks (should be more stable now)
+ Will display various warnings if your doing something 'different'
+ Added various verbose messages during the process
2015-06-17 13:57:06 +01:00
OJ a6467f49ec Update description 2015-06-03 22:17:25 +10:00
OJ 455a3b6b9d
Add butchered version of CVE-2015-1701 2015-06-03 21:48:23 +10:00
James Lee d03ee5667b
Remove assigned but unused local vars 2015-06-01 16:45:36 -05:00
James Lee 7133f0a68e
Fix typo in author's name 2015-06-01 16:45:09 -05:00
jvazquez-r7 5bceeb4f27
Land #5349, @h0ng10's module for CVE-2015-2219 Lenovo System Update Local Privilege Escalation 2015-05-22 17:14:20 -05:00
jvazquez-r7 3aa1ffb4f5
Do minor code cleanup 2015-05-22 16:20:36 -05:00
Hans-Martin Münch (h0ng10) d99eedb1e4 Adding begin...ensure block 2015-05-17 20:48:11 +02:00
Hans-Martin Münch (h0ng10) acb053a2a7 CloseHandle cleanup 2015-05-17 20:39:10 +02:00
Hans-Martin Münch (h0ng10) e075495a5b string concatenation, clear \ handling 2015-05-15 06:51:42 +02:00
Hans-Martin Münch (h0ng10) 94d39c5c75 remove hard coded pipe name 2015-05-15 06:35:55 +02:00
Hans-Martin Münch (h0ng10) bb4f5da6d9 replace client.sys.config.getenv with get_env 2015-05-15 06:33:57 +02:00
Hans-Martin Münch (h0ng10) bba261a1cf Initial version 2015-05-15 00:36:03 +02:00
Tod Beardsley f423306b6f
Various post-commit fixups
Edited modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb first landed
in #5150, @wchen-r7's DOS module for CVE-2015-1635 HTTP.sys

Edited modules/auxiliary/gather/apple_safari_ftp_url_cookie_theft.rb
first landed in #5192, @joevennix's module for Safari CVE-2015-1126

Edited modules/auxiliary/gather/java_rmi_registry.rb first landed in

Edited modules/auxiliary/gather/ssllabs_scan.rb first landed in #5016,
add SSL Labs scanner

Edited modules/auxiliary/scanner/http/goahead_traversal.rb first landed
in #5101, Add Directory Traversal for GoAhead Web Server

Edited modules/auxiliary/scanner/http/owa_iis_internal_ip.rb first
landed in #5158, OWA internal IP disclosure scanner

Edited modules/auxiliary/scanner/http/wp_mobileedition_file_read.rb
first landed in #5159, WordPress Mobile Edition Plugin File Read Vuln

Edited modules/exploits/linux/http/multi_ncc_ping_exec.rb first landed
in #4924, @m-1-k-3's DLink CVE-2015-1187 exploit

Edited modules/exploits/unix/webapp/wp_slideshowgallery_upload.rb first
landed in #5131, WordPress Slideshow Upload

Edited modules/exploits/windows/local/run_as.rb first landed in #4649,
improve post/windows/manage/run_as and as an exploit

(These results courtesy of a delightful git alias, here:

```
  cleanup-prs = !"for i in `git status | grep modules | sed
s/#.*modules/modules/`; do echo -n \"Edited $i first landed in \" && git
log --oneline --first-parent $i | tail -1 | sed 's/.*Land //' && echo
''; done"

```

So that's kind of fun.
2015-05-06 11:39:15 -05:00
jvazquez-r7 4224008709
Delete print_debug/vprint_debug 2015-04-21 11:14:03 -05:00
Christian Mehlmauer 352e170624
more failure reasons 2015-04-16 22:04:11 +02:00
Christian Mehlmauer ba6548db75
be consistent about naming 2015-04-16 21:44:56 +02:00
William Vu ef8c0aac69
Land #5020, spelling fixes for some modules 2015-03-28 00:36:04 -05:00
sinn3r 9cfafdd8b8
Land #4649, improve post/windows/manage/run_as and as an exploit 2015-03-27 17:31:30 -05:00
C-P f129347b51 Filed vs Failed fix 2015-03-27 11:28:50 -07:00
Tod Beardsley 49a6057f74
Grammaring harder 2015-03-24 11:10:36 -05:00
sinn3r 0c2ed21e90
Land #4318, Lateral movement through PSRemoting 2015-03-20 11:39:35 -05:00
sinn3r 23d8479683 Fix typo 2015-03-20 11:39:00 -05:00
sinn3r 0da79edb9c Add a print_status to let the user know the module is over
If I have to run the module as a job, sometimes I can't tell if
the module has finished running or not.
2015-03-20 11:35:18 -05:00
Meatballs 6ceab3d02d
Add a DisclosureDate 2015-03-18 23:51:18 +00:00
jvazquez-r7 1ead57a80d
Land #4928, @h0ng10's local exploit for iPass Mobile Client 2015-03-13 16:58:45 -05:00
jvazquez-r7 9894a3dc54 Change module filename 2015-03-13 16:53:17 -05:00
jvazquez-r7 b4de3ce42b Do minor cleanup 2015-03-13 16:52:26 -05:00
Hans-Martin Münch (h0ng10) b0e730d5ae Typo 2015-03-13 20:41:14 +01:00
Hans-Martin Münch (h0ng10) 726f01b8cc Initial version 2015-03-13 20:33:45 +01:00
Sigurd Jervelund Hansen c6cb1e840d Fixes persistence module by revering changes to the value returned by the write_script_to_target function, which screws up the path that is used for startup. Currently an escaped path "C://Users//..." is being used instead of using windows standards "C:\Users\...". 2015-03-10 10:26:03 +01:00
William Vu ff73b4d51a Fix duplicate hash key "DefaultOptions"
In modules/exploits/windows/local/pxeexploit.rb.
2015-02-24 05:19:48 -06:00
sinn3r aa8a82f44f Update MS15-001 reference 2015-02-21 08:39:21 -06:00
Jay Smith e40772efe2
Fixed open device issue for non-priv users
Fixed the open_device call to work for users without Administrator
privileges
2015-02-18 12:44:58 -05:00
Tod Beardsley e78d08e20d
Fix up titles, descriptions 2015-02-12 12:11:40 -06:00
William Vu 309159d876
Land #4753, updated ms14_070_tcpip_ioctl info 2015-02-12 09:57:29 -06:00
Spencer McIntyre 8ab469d3bd Update ms14-070 module information and references 2015-02-12 09:51:01 -05:00
William Vu b894050bba Fix local/pxeexploit datastore 2015-02-11 12:19:56 -06:00
Spencer McIntyre 4e0a62cb3a
Land #4664, MS14-070 Server 2003 tcpip.sys priv esc 2015-02-05 18:49:15 -05:00
Spencer McIntyre a359fe9acc Minor fixup on the ms14-070 module description 2015-02-05 18:41:58 -05:00
Spencer McIntyre dc13446536 Forgot to comment ret instruction 2015-02-05 14:09:01 -05:00
Spencer McIntyre 5a39ba32f6 Make the ret instruction for token stealing optional 2015-02-05 14:00:38 -05:00
Spencer McIntyre dabc163076 Modify the shellcode stub to save the process 2015-02-05 13:54:52 -05:00
Tod Beardsley c633c710bc
Mostly caps/grammar/spelling, GoodRanking on MBAM 2015-02-05 12:36:47 -06:00
Spencer McIntyre aebf5056ac Dont compare a string to an integer 2015-02-04 16:55:43 -05:00
jvazquez-r7 d211488e5d Add Initial version 2015-02-01 19:47:58 -06:00
Jay Smith 6c529f8f6b
Addressed feedback from @OJ and @zeroSteiner 2015-01-29 11:57:03 -05:00
Jay Smith 064ca2d02e
Updated version checking 2015-01-28 18:25:30 -05:00
Jay Smith 37c08128dc
Add in MS14-070 Priv Escalation for Windows 2003 2015-01-28 13:24:39 -05:00
Meatballs c9ca85fba8
Bail out as SYSTEM 2015-01-27 17:23:57 +00:00
Meatballs b7e9c69f72
Fix x64 injection 2015-01-27 16:34:06 +00:00
Meatballs 215a590940
Refactor and fixes for post module 2015-01-27 16:14:59 +00:00
Meatballs ea25869312
Refactor to common module 2015-01-27 10:47:02 +00:00
Meatballs 93537765d0
Add TODO 2015-01-26 15:59:22 +00:00
Meatballs 5ae65a723f
Initial 2015-01-26 15:57:52 +00:00
Brent Cook a2a1a90678
Land #4316, Meatballs1 streamlines payload execution for exploits/windows/local/wmi
also fixes a typo bug in WMIC
2015-01-16 11:16:22 -06:00
Brent Cook c1e604f201
Land #4562: wchen-r7's CVE addition 2015-01-15 14:34:37 -06:00
Brent Cook 47cd5a3e59
Land #4562, wchen-r7's Win8 NtApphelpCacheControl privilege escalation 2015-01-15 13:52:07 -06:00
sinn3r 09eaf80a90 Add CVE 2015-01-15 13:22:00 -06:00
sinn3r 34bbc5be90 print error message about limitation 2015-01-11 20:12:40 -06:00
sinn3r 46d1616994 Hello ARCH_X86_64 2015-01-10 06:16:22 -06:00
sinn3r 3c8be9e36d Just x86 2015-01-09 19:12:51 -06:00
sinn3r 74e8e057dd Use RDL 2015-01-09 19:02:08 -06:00
sinn3r ee5c249c89 Add EDB reference 2015-01-09 00:19:12 -06:00
sinn3r 75de792558 Add a basic check 2015-01-09 00:03:39 -06:00
sinn3r 4911127fe2 Match the title and change the description a little bit 2015-01-08 21:48:01 -06:00
sinn3r b7b3ae4d2a A little randomness 2015-01-08 21:25:55 -06:00
sinn3r b65013c5c5 Another update 2015-01-08 18:39:04 -06:00
sinn3r b2ff5425bc Some changes 2015-01-08 18:33:30 -06:00
sinn3r 53e6f42d99 This works 2015-01-08 17:57:14 -06:00
sinn3r 7ed6b3117a Update 2015-01-08 17:18:14 -06:00
Brent Cook fb5170e8b3
Land #2766, Meatballs1's refactoring of ExtAPI services
- Many code duplications are eliminated from modules in favor of shared
   implementations in the framework.
 - Paths are properly quoted in shell operations and duplicate operations are
   squashed.
 - Various subtle bugs in error handling are fixed.
 - Error handling is simpler.
 - Windows services API is revised and modules are updated to use it.
 - various API docs added
 - railgun API constants are organized and readable now.
2015-01-08 16:54:01 -06:00
sinn3r 0e6c7181b1 "Stash" it 2015-01-08 14:13:14 -06:00
Meatballs a9fee9c022
Fall back to runas if UAC disabled 2015-01-08 11:07:57 +00:00
OJ 844460dd87
Update bypass UAC to work on 8.1 and 2012
This commit contains a bunch of work that comes from Meatballs1 and
Lesage, and updates the bypassuac_inject module so that it works on
Windows 8.x and Windows 2012. Almost zero of the code in this module
can be attributed to me. Most of it comes from Ben's work.

I did do some code tidying, adjustment of style, etc. but other than
that it's all down to other people.
2015-01-08 15:39:19 +10:00
sinn3r c60b6969bc Oh so that's it 2015-01-07 10:39:46 -06:00
Meatballs dd5c638ab0
Merge remote-tracking branch 'upstream/master' into extapi_service_post 2015-01-05 22:18:44 +00:00
sinn3r 3c755a6dfa Template 2015-01-02 11:31:28 -06:00
jvazquez-r7 ebb05a64ea
Land #4357, @Meatballs1 Kerberos Support for current_user_psexec 2014-12-23 20:38:31 -06:00
Jon Cave 44084b4ef6 Correct Microsoft security bulletin for ppr_flatten_rec 2014-12-22 10:40:23 +00:00
HD Moore 4fc4866fd8 Merge code in from #2395 2014-12-12 16:22:51 -06:00
Meatballs c813c117db
Use DNS names 2014-12-10 22:25:44 +00:00
Meatballs b634bde8a1
Lateral movement through PSRemoting 2014-12-04 22:06:28 +00:00
Meatballs e471271231
Move comment 2014-12-04 20:24:37 +00:00
Meatballs c14ba11e79
If extapi dont stage payload 2014-12-04 20:17:48 +00:00
jvazquez-r7 145e610c0f Avoid shadowing new method 2014-11-17 12:22:30 -06:00
jvazquez-r7 6574db5dbb Fix the 64 bits code 2014-10-30 17:01:59 -05:00
jvazquez-r7 5e0993d756
Add OJ as author 2014-10-28 09:58:34 -05:00
Spencer McIntyre 830f631da4 Make the check routine less strict 2014-10-27 12:51:20 -04:00
Spencer McIntyre 46b1abac4a More robust check routine for cve-2014-4113 2014-10-27 11:19:12 -04:00
jvazquez-r7 4406972b46 Do version checking minor cleanup 2014-10-27 09:32:42 -05:00
jvazquez-r7 c319ea91b3 Delete verbose print 2014-10-26 17:31:19 -05:00
jvazquez-r7 34697a2240 Delete 'callback3' also from 32 bits version 2014-10-26 17:28:35 -05:00
Spencer McIntyre 7416c00416 Initial addition of x64 target for cve-2014-4113 2014-10-26 16:54:42 -04:00
jvazquez-r7 a75186d770 Add module for CVE-2014-4113 2014-10-23 18:51:30 -05:00
URI Assassin 35d3bbf74d
Fix up comment splats with the correct URI
See the complaint on #4039. This doesn't fix that particular
issue (it's somewhat unrelated), but does solve around
a file parsing problem reported by @void-in
2014-10-17 11:47:33 -05:00
Tod Beardsley 9f6008e275
A couple OSVDB updates for recent modules 2014-10-14 13:39:36 -05:00
Tod Beardsley 4f8801eeba
Land #3651, local Bluetooth exploit a @KoreLogic
This started life as #3653. I'll take this out of unstable as well,
since it got there on commit b10cbe4f
2014-10-14 13:13:34 -05:00
Jay Smith 7dd6a4d0d9
Merge in changes from @todb-r7. 2014-10-08 13:25:44 -04:00
sinn3r b17396931f Fixes #3876 - Move pxeexploit to local directory 2014-09-30 17:16:13 -05:00
Meatballs d5959d6bd6
Land #2585, Refactor Bypassuac with Runas Mixin 2014-09-28 09:24:22 +01:00
jvazquez-r7 9d3d25a3b3 Solve conflicts 2014-08-28 10:19:12 -05:00
Meatballs d2bc0baa87
Merge remote-tracking branch 'upstream/master' into extapi_service_post
Conflicts:
	lib/msf/core/post/windows/services.rb
2014-08-24 19:46:19 +01:00
Tod Beardsley cad281494f
Minor caps, grammar, desc fixes 2014-08-18 13:35:34 -05:00
Meatballs 0cc3bdfb35
Moar bad packs 2014-08-15 21:11:37 +01:00
Jay Smith b55f425ec0
Merge in changes from @todb-r7. 2014-08-14 17:22:07 -04:00
sinn3r f91116a8e8
Land #3634 - Virtual box 3D Acceleration OpenGL Host escape 2014-08-13 20:08:13 -05:00
jvazquez-r7 127d094a8d Dont share once device is opened 2014-08-13 16:13:38 -05:00
Meatballs 05a198bc96
Correct spelling 2014-08-13 14:06:25 +01:00
Meatballs 4a01c27ed4
Use get_env and good pack specifier 2014-08-13 10:59:22 +01:00
jvazquez-r7 da4b572a0d Change module name 2014-08-12 17:17:26 -05:00
jvazquez-r7 3eccc12f50 Switch from vprint to print 2014-08-12 17:11:24 -05:00
jvazquez-r7 f203fdebcb Use Msf::Exploit::Local::WindowsKernel 2014-08-12 17:09:39 -05:00
jvazquez-r7 e1debd68ad Merge to update 2014-08-12 16:21:39 -05:00
jvazquez-r7 183b27ee27 There is only one target 2014-08-12 16:14:41 -05:00
jvazquez-r7 c8e4048c19 Some style fixes 2014-08-12 16:11:31 -05:00
jvazquez-r7 ea3d2f727b Dont fail_with while checking 2014-08-12 16:09:59 -05:00
jvazquez-r7 486b5523ee Refactor set_version 2014-08-09 02:17:07 -05:00
jvazquez-r7 d959affd6e Delete debug message 2014-08-09 01:58:42 -05:00
jvazquez-r7 da04b43861 Add module for CVE-2014-0983 2014-08-09 01:56:38 -05:00
Spencer McIntyre b602e47454 Implement improvements based on feedback 2014-08-05 21:24:37 -07:00
Spencer McIntyre 9cd6353246 Update mqac_write to use the mixin and restore pointers 2014-08-04 12:15:39 -07:00
Spencer McIntyre a523898909 Apply rubocop suggestions for ms_ndproxy 2014-08-04 11:49:01 -07:00
Spencer McIntyre 86e2377218 Switch ms_ndproxy to use the new WindowsKernel mixin 2014-08-04 11:49:01 -07:00
Spencer McIntyre 58d29167e8 Refactor MS11-080 to use the mixin and for style 2014-08-04 11:49:01 -07:00
Joshua Smith 6c2b8f54cf rubocop cleanup, long lines, etc 2014-08-03 23:19:08 -05:00
OJ 2b021e647d Minor tidies to conform to standards 2014-08-03 23:19:08 -05:00
OJ 31c51eeb63 Move error messages to `check` 2014-08-03 23:19:08 -05:00