jvazquez-r7
ebb05a64ea
Land #4357, @Meatballs1 Kerberos Support for current_user_psexec
2014-12-23 20:38:31 -06:00
Jon Cave
44084b4ef6
Correct Microsoft security bulletin for ppr_flatten_rec
2014-12-22 10:40:23 +00:00
HD Moore
4fc4866fd8
Merge code in from #2395
2014-12-12 16:22:51 -06:00
Meatballs
c813c117db
Use DNS names
2014-12-10 22:25:44 +00:00
Meatballs
b634bde8a1
Lateral movement through PSRemoting
2014-12-04 22:06:28 +00:00
Meatballs
e471271231
Move comment
2014-12-04 20:24:37 +00:00
Meatballs
c14ba11e79
If extapi dont stage payload
2014-12-04 20:17:48 +00:00
jvazquez-r7
145e610c0f
Avoid shadowing new method
2014-11-17 12:22:30 -06:00
jvazquez-r7
6574db5dbb
Fix the 64 bits code
2014-10-30 17:01:59 -05:00
jvazquez-r7
5e0993d756
Add OJ as author
2014-10-28 09:58:34 -05:00
Spencer McIntyre
830f631da4
Make the check routine less strict
2014-10-27 12:51:20 -04:00
Spencer McIntyre
46b1abac4a
More robust check routine for cve-2014-4113
2014-10-27 11:19:12 -04:00
jvazquez-r7
4406972b46
Do version checking minor cleanup
2014-10-27 09:32:42 -05:00
jvazquez-r7
c319ea91b3
Delete verbose print
2014-10-26 17:31:19 -05:00
jvazquez-r7
34697a2240
Delete 'callback3' also from 32 bits version
2014-10-26 17:28:35 -05:00
Spencer McIntyre
7416c00416
Initial addition of x64 target for cve-2014-4113
2014-10-26 16:54:42 -04:00
jvazquez-r7
a75186d770
Add module for CVE-2014-4113
2014-10-23 18:51:30 -05:00
URI Assassin
35d3bbf74d
Fix up comment splats with the correct URI
...
See the complaint on #4039. This doesn't fix that particular
issue (it's somewhat unrelated), but does solve around
a file parsing problem reported by @void-in
2014-10-17 11:47:33 -05:00
Tod Beardsley
9f6008e275
A couple OSVDB updates for recent modules
2014-10-14 13:39:36 -05:00
Tod Beardsley
4f8801eeba
Land #3651, local Bluetooth exploit a @KoreLogic
...
This started life as #3653. I'll take this out of unstable as well,
since it got there on commit b10cbe4f
2014-10-14 13:13:34 -05:00
Jay Smith
7dd6a4d0d9
Merge in changes from @todb-r7.
2014-10-08 13:25:44 -04:00
sinn3r
b17396931f
Fixes #3876 - Move pxeexploit to local directory
2014-09-30 17:16:13 -05:00
Meatballs
d5959d6bd6
Land #2585, Refactor Bypassuac with Runas Mixin
2014-09-28 09:24:22 +01:00
jvazquez-r7
9d3d25a3b3
Solve conflicts
2014-08-28 10:19:12 -05:00
Meatballs
d2bc0baa87
Merge remote-tracking branch 'upstream/master' into extapi_service_post
...
Conflicts:
lib/msf/core/post/windows/services.rb
2014-08-24 19:46:19 +01:00
Tod Beardsley
cad281494f
Minor caps, grammar, desc fixes
2014-08-18 13:35:34 -05:00
Meatballs
0cc3bdfb35
Moar bad packs
2014-08-15 21:11:37 +01:00
Jay Smith
b55f425ec0
Merge in changes from @todb-r7.
2014-08-14 17:22:07 -04:00
sinn3r
f91116a8e8
Land #3634 - Virtual box 3D Acceleration OpenGL Host escape
2014-08-13 20:08:13 -05:00
jvazquez-r7
127d094a8d
Dont share once device is opened
2014-08-13 16:13:38 -05:00
Meatballs
05a198bc96
Correct spelling
2014-08-13 14:06:25 +01:00
Meatballs
4a01c27ed4
Use get_env and good pack specifier
2014-08-13 10:59:22 +01:00
jvazquez-r7
da4b572a0d
Change module name
2014-08-12 17:17:26 -05:00
jvazquez-r7
3eccc12f50
Switch from vprint to print
2014-08-12 17:11:24 -05:00
jvazquez-r7
f203fdebcb
Use Msf::Exploit::Local::WindowsKernel
2014-08-12 17:09:39 -05:00
jvazquez-r7
e1debd68ad
Merge to update
2014-08-12 16:21:39 -05:00
jvazquez-r7
183b27ee27
There is only one target
2014-08-12 16:14:41 -05:00
jvazquez-r7
c8e4048c19
Some style fixes
2014-08-12 16:11:31 -05:00
jvazquez-r7
ea3d2f727b
Dont fail_with while checking
2014-08-12 16:09:59 -05:00
jvazquez-r7
486b5523ee
Refactor set_version
2014-08-09 02:17:07 -05:00
jvazquez-r7
d959affd6e
Delete debug message
2014-08-09 01:58:42 -05:00
jvazquez-r7
da04b43861
Add module for CVE-2014-0983
2014-08-09 01:56:38 -05:00
Spencer McIntyre
b602e47454
Implement improvements based on feedback
2014-08-05 21:24:37 -07:00
Spencer McIntyre
9cd6353246
Update mqac_write to use the mixin and restore pointers
2014-08-04 12:15:39 -07:00
Spencer McIntyre
a523898909
Apply rubocop suggestions for ms_ndproxy
2014-08-04 11:49:01 -07:00
Spencer McIntyre
86e2377218
Switch ms_ndproxy to use the new WindowsKernel mixin
2014-08-04 11:49:01 -07:00
Spencer McIntyre
58d29167e8
Refactor MS11-080 to use the mixin and for style
2014-08-04 11:49:01 -07:00
Joshua Smith
6c2b8f54cf
rubocop cleanup, long lines, etc
2014-08-03 23:19:08 -05:00
OJ
2b021e647d
Minor tidies to conform to standards
2014-08-03 23:19:08 -05:00
OJ
31c51eeb63
Move error messages to `check`
2014-08-03 23:19:08 -05:00
OJ
cbf15660bf
Add some small fixes to the MQAC local exploit
...
* Check for `INVALID_HANDLE_VALUE` when attempting to open the
device, as this is what is returned when the device doesn't exist.
* Make sure that we only run the exploit against targets that we
support directly to make sure we don't BSOD machines (such as what
happens with SP1/SP2).
* Add a call to `check` in the exploit code.
2014-08-03 23:19:08 -05:00
b00stfr3ak
add5cefe17
Change runas method to use lib
...
Changed runas method to use the new runas lib. Also did some rubocop
changes.
2014-08-01 17:13:24 -07:00
b00stfr3ak
df98098b0c
New shell_execute_option command
...
Also removed upload option
2014-08-01 17:12:04 -07:00
b00stfr3ak
5c2b074264
Matched bypassuac to upstream
2014-08-01 14:40:23 -07:00
b00stfr3ak
def652a50e
Merge https://github.com/rapid7/metasploit-framework into bypassuac/psh_option
2014-08-01 14:32:55 -07:00
Meatballs
15c1ab64cd
Quick rubocop
2014-07-31 23:11:00 +01:00
Meatballs
d336c56b99
Merge remote-tracking branch 'upstream/master' into land_2551
2014-07-31 23:06:37 +01:00
Meatballs
53b66f3b4a
Land #2075, Powershell Improvements
2014-07-31 00:49:39 +01:00
Joshua Smith
e00d892f99
rubocop cleanup, long lines, etc
2014-07-28 22:04:45 -05:00
OJ
210342df5b
Minor tidies to conform to standards
2014-07-25 09:32:54 +10:00
OJ
9fe2dd59aa
Move error messages to `check`
2014-07-25 07:57:09 +10:00
OJ
3ec30bdf78
Add some small fixes to the MQAC local exploit
...
* Check for `INVALID_HANDLE_VALUE` when attempting to open the
device, as this is what is returned when the device doesn't exist.
* Make sure that we only run the exploit against targets that we
support directly to make sure we don't BSOD machines (such as what
happens with SP1/SP2).
* Add a call to `check` in the exploit code.
2014-07-24 14:48:29 +10:00
Jay Smith
042278ed6a
Update code to reflect @OJ code suggestions
2014-07-23 11:01:43 -04:00
Jay Smith
534a5d964b
Add CVE-2014-4971 BthPan local privilege escalation
...
Add CVE-2014-4971 BthPan local privilege escalation for Windows XP SP3
2014-07-22 18:17:06 -04:00
Jay Smith
0db3a0ec97
Update code to reflect @jlee-r7's code review
2014-07-22 15:14:24 -04:00
Jay Smith
125b2df8f5
Update code to reflect @hdmoore code suggestions
2014-07-22 14:53:24 -04:00
Spencer McIntyre
7f79e58e7f
Lots of cleanups based on PR feedback
2014-07-22 14:45:00 -04:00
Spencer McIntyre
5d9c6bea9d
Fix a typo and use the execute_shellcode function
2014-07-22 13:06:57 -04:00
Spencer McIntyre
12904edf83
Remove unnecessary target info and add url reference
2014-07-22 11:20:07 -04:00
Spencer McIntyre
ca0dcf23b0
Add a simple check method for cve-2014-4971
2014-07-22 10:54:10 -04:00
Spencer McIntyre
6a545c2642
Clean up the mqac escalation module
2014-07-22 10:39:34 -04:00
Spencer McIntyre
da4eb0e08f
First commit of MQAC arbitrary write priv escalation
2014-07-22 10:04:12 -04:00
Meatballs
b0a596b4a1
Update newer modules
2014-07-20 21:59:10 +01:00
Meatballs
474ee81807
Merge remote-tracking branch 'upstream/master' into pr2075
2014-07-20 21:01:54 +01:00
Jay Smith
2be6eb16a2
Add in exploit check and version checks
...
Move the initial checking for the vboxguest device and os checks
into the MSF check routine.
2014-07-17 14:56:34 -04:00
William Vu
25f74b79b8
Land #3484, bad pack/unpack specifier fix
2014-07-16 14:52:23 -05:00
Meatballs
7583ed4950
Merge remote-tracking branch 'upstream/master' into pr2075
2014-07-16 20:34:34 +01:00
Jay Smith
6d49f6ecdd
Update code to reflect hdmoore's code review.
2014-07-16 14:29:17 -04:00
Jay Smith
cef2c257dc
Add CVE-2014-2477 local privilege escalation
2014-07-16 05:49:19 -04:00
Meatballs
05c9757624
Merge in #3488
2014-07-04 20:37:09 +01:00
sinn3r
21f6e7bf6c
Change description
2014-07-01 10:44:21 -05:00
HD Moore
c9b6c05eab
Fix improper use of host-endian or signed pack/unpack
...
Note that there are some cases of host-endian left, these
are intentional because they operate on host-local memory
or services.
When in doubt, please use:
```
ri pack
```
2014-06-30 02:50:10 -05:00
sinn3r
ce5d3b12e7
Land #3403 - MS13-097 Registry Symlink IE Sandbox Escape
2014-06-26 13:48:28 -05:00
sinn3r
0b6f7e4483
Land #3404 - MS14-009 .NET Deployment Service IE Sandbox Escape
2014-06-26 11:45:47 -05:00
jvazquez-r7
a081beacc2
Use Gem::Version for string versions comparison
2014-06-20 09:44:29 -05:00
OJ
5879ca3340
Merge branch 'upstream/master' into meatballs x64_injection
2014-06-18 10:24:33 +10:00
HD Moore
d5b32e31f8
Fix a typo where platform was 'windows' not 'win'
...
This was reported by dracu on freenode
2014-06-11 15:10:33 -05:00
jvazquez-r7
43699b1dfb
Don't clean env variable before using it
2014-06-03 09:56:19 -05:00
jvazquez-r7
b8a2cf776b
Do test
2014-06-03 09:52:01 -05:00
jvazquez-r7
05ed2340dc
Use powershell
2014-06-03 09:29:04 -05:00
jvazquez-r7
f918bcc631
Use powershell instead of mshta
2014-06-03 09:01:56 -05:00
jvazquez-r7
9574a327f8
use the new check also in exploit()
2014-06-02 14:38:33 -05:00
jvazquez-r7
3c38c0d87c
Don't be confident about string comparison
2014-06-02 14:37:29 -05:00
jvazquez-r7
d0241cf4c1
Add check method
2014-06-02 08:14:40 -05:00
jvazquez-r7
31af8ef07b
Check .NET version
2014-06-01 20:58:08 -05:00
Meatballs
3c5fae3706
Use correct include
2014-06-01 11:51:06 +01:00
Meatballs
4801a7fca0
Allow x86->x64 injection
2014-06-01 11:50:13 +01:00
jvazquez-r7
3ae4a16717
Clean environment variables
2014-05-30 12:21:23 -05:00
jvazquez-r7
b99b577705
Clean environment variable
2014-05-30 12:20:00 -05:00
jvazquez-r7
b27a95c008
Delete unused code
2014-05-30 12:08:55 -05:00
jvazquez-r7
e215bd6e39
Delete unnecessary code and use get_env
2014-05-30 12:07:59 -05:00
jvazquez-r7
1dbd36a3dd
Check for the .NET dfsvc and use %windir%
2014-05-30 09:02:43 -05:00
jvazquez-r7
ffbcbe8cc1
Use cmd_psh_payload
2014-05-29 18:12:18 -05:00
jvazquez-r7
03889ed31f
Use cmd_psh_payload
2014-05-29 18:11:22 -05:00
jvazquez-r7
e145298c13
Add module for CVE-2014-0257
2014-05-29 11:45:19 -05:00
jvazquez-r7
6e122e683a
Add module for CVE-2013-5045
2014-05-29 11:42:54 -05:00
Meatballs
52b182d212
Add a small note to bypassuac_injection concerning EXE::Custom
2014-05-19 22:00:35 +01:00
Meatballs
b84379ab3b
Note about EXE::Custom
2014-05-19 22:00:09 +01:00
Tod Beardsley
c97c827140
Adjust desc and ranking on ms13-053
...
Since it's likely to crash winlogin.exe in the normal use case
(eventually), I've kicked this down to Average ranking.
2014-05-05 13:46:19 -05:00
Meatballs
0db22c5c57
Use library method
2014-05-05 13:24:33 +01:00
Meatballs
c474ff4465
Merge remote-tracking branch 'upstream/master' into extapi_service_post
...
Conflicts:
modules/exploits/windows/local/service_permissions.rb
modules/post/windows/manage/rpcapd_start.rb
2014-05-05 13:19:25 +01:00
OJ
7e37939bf2
Land #3090 - Windows NTUserMessageCall Win32k Kernel Pool Overflow (Schlamperei)
2014-05-04 16:41:17 +10:00
Meatballs
56c5eac823
Message correction
2014-05-02 14:18:18 +01:00
Meatballs
69915c0de5
Message correction
2014-05-02 14:17:27 +01:00
William Vu
8b138b2d37
Fix unquoted path in cleanup script
2014-04-30 16:34:33 -05:00
kaospunk
6b740b727b
Changes PATH to proper case
...
This changes PATH to Path
2014-04-30 17:26:36 -04:00
kaospunk
fdc81b198f
Adds the ability to specify path
...
This update allows an explicit path to be set rather
than purely relying on the TEMP environment variable.
2014-04-30 16:08:48 -04:00
Meatballs
d73854ff17
Fix wmi and add automatic target
2014-04-22 14:28:27 +01:00
Meatballs
3019cb99c1
Update cmd_upgrade module
2014-04-19 19:13:48 +01:00
Meatballs
00234aeec3
Remove powershell remoting
2014-04-19 19:03:18 +01:00
RageLtMan
5c3289bbc6
merge fix
2014-04-17 21:26:04 -04:00
Meatballs
38d8df4040
Merge remote-tracking branch 'upstream/master' into pr2075
...
Conflicts:
modules/exploits/windows/local/wmi.rb
2014-04-15 22:06:45 +01:00
Tod Beardsley
062175128b
Update @Meatballs and @FireFart in authors.rb
2014-04-09 10:46:10 -05:00
sinn3r
d7ca537a41
Microsoft module name changes
...
So after making changes for MSIE modules (see #3161), I decided to
take a look at all MS modules, and then I ended up changing all of
them. Reason is the same: if you list modules in an ordered list,
this is a little bit easier to see for your eyes.
2014-03-28 20:56:53 -05:00
Meatballs
b524507e4e
Merge remote-tracking branch 'upstream/master' into land_2551
...
Conflicts:
modules/exploits/windows/local/ask.rb
2014-03-22 18:14:45 +00:00
Meatballs
7b2f0a64fc
Tidy up
2014-03-22 18:07:57 +00:00
Meatballs
04506d76f3
Dont check for admin
2014-03-22 17:57:27 +00:00
OJ
409787346e
Bring build tools up to date, change some project settings
...
This commit brings the source into line with the general format/settings
that are used in other exploits.
2014-03-14 22:57:16 +10:00
kyuzo
41720428e4
Refactoring exploit and adding build files for dll.
2014-03-12 10:25:52 +00:00
OJ
3ea3968d88
Merge branch 'upstream/master' into stop_abusing_expand_path
...
Conflicts:
lib/msf/core/post/windows/shadowcopy.rb
modules/exploits/windows/local/bypassuac.rb
modules/post/windows/gather/wmic_command.rb
modules/post/windows/manage/persistence.rb
2014-03-11 23:13:39 +10:00
kyuzo
257c121c75
Adding MS013-058 for Windows7 x86
2014-03-06 20:34:01 +00:00
kyuzo
2a1e96165c
Adding MS013-058 for Windows7 x86
2014-03-06 18:39:34 +00:00
OJ
a1aef92652
Land #2431 - In-memory bypass uac
2014-03-05 11:15:54 +10:00
Meatballs
32d83887d3
Merge remote-tracking branch 'upstream/master' into wmic_post
2014-03-03 21:56:31 +00:00
Meatballs
2885ebcb40
Merge remote-tracking branch 'upstream/master' into pr2075
2014-03-02 20:57:02 +00:00
David Maloney
b952b103bd
cleanup tior and .tmp files
...
bypassuac module now also cleans
the tior.exe and all the .tmp files so we have a
clean environment afterwards
2014-02-27 13:18:34 -06:00
David Maloney
f66709b5bb
make bypassuac module clean itself up
...
since the IO redirection hangs our original process
we have the module wait for the session, then kill
the spawning process and delete the exe we dropped
2014-02-27 12:54:40 -06:00
David Maloney
a8e0c3c255
remove copypasta mistake
2014-02-27 10:05:53 -06:00
David Maloney
96b611104e
cleanup methods in bypassuac module
...
apply the same sort of method cleanup as in
Meatballs injection based module.
2014-02-26 11:00:55 -06:00
Meatballs
6127ff92ce
Fix race condition
...
Wait for Sysprep to ExitProcess before cleaning up the DLLs...
2014-03-03 23:41:25 +00:00
Meatballs
d396be963a
Use new cmd_exec_get_pid
2014-02-28 20:53:13 +00:00
Meatballs
2a6258be15
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
...
Conflicts:
external/source/exploits/make.bat
2014-02-28 20:26:24 +00:00
Meatballs
e0fa1d532c
Dont think this works on vista/8
2014-02-26 23:14:17 +00:00
Meatballs
8bdb22aeb9
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
...
Conflicts:
lib/msf/core/post/windows.rb
2014-02-25 22:15:05 +00:00
Meatballs
1f08ad48a4
Fix payload_path method
2014-02-25 22:11:23 +00:00
Meatballs
6687ef80ee
Further bypassuac tidies
...
Dont rescue Exception
Use ReflectiveDLLInjection post mixin
Dont keep retrieving %TEMP% path
2014-02-25 22:03:01 +00:00
David Maloney
23381ea2cb
code tidying
...
break big exploit method up into
smaller methods for better maintainability
2014-02-25 14:07:48 -06:00
James Lee
4c557a1401
Add Post::Windows::Services#each_service
...
Also cleans up some style issues and adds yardoc comments for some stuff
in Post::File
Note that windows/local/service_permissions is still using
`service_list` because it now builds a Rex::Table, which has to have
all the data up front, anyway.
2014-02-18 18:24:23 -06:00
James Lee
684c45a5ff
Merge remote-tracking branch 'upstream/pr/2766' into merge-2766
2014-02-18 17:36:13 -06:00
Meatballs
b8b36ef528
Merge remote-tracking branch 'upstream/master' into pr2075
2014-02-14 22:52:55 +00:00
RageLtMan
b453362a52
Merge remote-tracking branch 'upstream/pr/2966' into integrate_with_meatballs
2014-02-12 16:43:30 -05:00
jvazquez-r7
3d4d5a84b6
Land #2957, @zeroSteiner's exploit for CVE-2013-3881
2014-02-10 13:59:45 -06:00
jvazquez-r7
502dbb1370
Add references
2014-02-10 13:55:02 -06:00
jvazquez-r7
abb03d0bbe
Fixing messages
2014-02-10 13:10:42 -06:00
jvazquez-r7
541bb6134e
Change exploit filename
2014-02-10 13:06:23 -06:00
jvazquez-r7
2e130ce843
Make it work with Reader Sandbox
2014-02-10 13:04:13 -06:00
Tod Beardsley
7c43565ea8
Include missing require for powershell
2014-02-10 11:02:53 -06:00
Spencer McIntyre
0ac1acda70
Upgrade toolchain to Visual Studio 2013 v120.
2014-02-10 09:35:07 -05:00
Meatballs
a4b451dbc0
Ensure we start in a new conhost/process
2014-02-09 23:36:25 +00:00
Meatballs
aa93299931
Sleep instead of noexit
2014-02-09 23:19:14 +00:00
Meatballs
b79bb4726d
Go for background approach
2014-02-09 19:41:24 +00:00
Meatballs
038aae5adb
Run as jobs
2014-02-09 19:30:16 +00:00
Meatballs
1c169e2935
Uniq results
2014-02-09 17:52:06 +00:00
Meatballs
2cea90f931
Working remoting
2014-02-09 17:43:44 +00:00
Meatballs
f1959f5313
Fixup WMI
2014-02-09 11:18:15 +00:00
Meatballs
c37cb5075c
Merge remote-tracking branch 'upstream/master' into pr2075
2014-02-08 22:11:31 +00:00
Spencer McIntyre
f686385349
Remove an unnecessary VS file and modify version check.
2014-02-07 08:45:51 -05:00
Spencer McIntyre
cc32c877a9
Add CVE-2013-3881 win32k Null Page exploit
2014-02-06 17:23:38 -05:00
Meatballs
08493f2670
Merge remote-tracking branch 'upstream/master' into upgrade_psh
...
Conflicts:
lib/msf/core/post/file.rb
2014-02-03 18:02:09 +00:00
Meatballs
95eb758642
Initial commit
2014-02-02 19:04:38 +00:00
sinn3r
cdc425e4eb
Update some checks
2014-01-24 12:08:23 -06:00
sinn3r
e5dc6a9911
Update exploit checks
...
Progress group 1: Making sure these checks comply with the new
guidelines. Please read: "How to write a check() method" found in
the wiki.
2014-01-20 14:26:10 -06:00
Meatballs
c426946886
Final tidyups
2014-01-03 15:55:03 +00:00
Meatballs
9028060f7d
Refactor service_create
2014-01-03 15:44:59 +00:00
Meatballs
5adc9e93f4
Merge remote-tracking branch 'upstream/master' into extapi_service_post
2014-01-03 14:39:55 +00:00
OJ
9fb081cb2d
Add getenvs, update getenv, change extract_path use
...
Stacks of modules were using `extract_path` where it wasn't really semantically correct
because this was the only way to expand environment variables. This commit fixes that
up a bit.
Also, I changed the existing `getenv` function in `stdapi` to `getenvs`, and had it
support the splat operator. I added a `getenv` function which is used just for a
single variable and uses `getenvs` behind the scenes.
The meterpreter console `getenv` command now uses `getenvs`
2013-12-19 11:54:34 +10:00
sinn3r
4bddd077ec
Land #2762 - Use new ntdll railgun functions
2013-12-18 15:18:47 -06:00
Meatballs
3e54379b0e
Merge remote-tracking branch 'upstream/master' into wmic_post
...
Conflicts:
lib/msf/core/post/windows.rb
2013-12-18 13:40:54 +00:00
Meatballs
c3aee714af
shadowcopy should use service_restart
2013-12-18 12:12:34 +00:00
Meatballs
42bc5ab75f
Use Services calls in enable_rdp
...
Update calls to change_service_config to check success
2013-12-18 11:34:12 +00:00
Meatballs
55a5a7e032
Fix typo
2013-12-18 11:06:03 +00:00
Meatballs
bce7fab2cd
Fixup IKEEXT
2013-12-18 00:08:01 +00:00
Meatballs
0bac2415ca
Some post testing fixes
...
Also deprecate net escalate as it is covered by service_permissions
as a generic exploit
2013-12-18 00:00:14 +00:00
Meatballs
067e6d89bb
Use service_restart in IKEEXT and ServicePermissions
...
Service_restart is aggressive so should attempt to leave as Auto
2013-12-17 17:21:35 +00:00
jvazquez-r7
52cb43e6a8
Fix typo
2013-12-16 20:28:49 -06:00
Meatballs
c2dd174e3c
Merge remote-tracking branch 'upstream/master' into extapi_service_post
2013-12-17 01:54:24 +00:00
Meatballs
a33721f444
service_change_config keys should match extapi
2013-12-17 01:48:09 +00:00
Meatballs
101e5a8ccf
Tidyup trusted_service_path
...
Use filedropper, use service exe, dont migrate
2013-12-17 01:46:45 +00:00
Meatballs
560080fa21
Update start_service return value
...
Add service_restart
2013-12-17 00:43:35 +00:00
Meatballs
f39bc0b07a
Update service_stop return
2013-12-17 00:22:37 +00:00
jvazquez-r7
84759a552a
Save one variable
2013-12-16 16:49:44 -06:00
jvazquez-r7
042bd4f80b
Fix ms_ndproxy to work under a sandboxed Reader
2013-12-16 16:19:17 -06:00
Tod Beardsley
040619c373
Minor description changes
...
No code changes (one comment made on play_youtube to suggest xdg-open
rather than firefox for linux targets).
2013-12-16 14:57:33 -06:00
Meatballs
5be9622782
Tidy and constants
2013-12-16 18:35:24 +00:00
Meatballs
435cc9b93f
Add single quote encapsulation
...
For WMI and psh_web_delivery
2013-12-16 15:13:13 +00:00
Meatballs
b252e7873b
Merge remote-tracking branch 'upstream/master' into pr2075
2013-12-16 14:29:05 +00:00
Meatballs
87fe6ecfaa
Fixup modules
2013-12-15 18:43:55 +00:00
Meatballs
f10a35ed08
Use :display correctly
2013-12-15 18:28:29 +00:00
Meatballs
cd837ebe16
ikeext_service service_info fixup
2013-12-15 18:28:06 +00:00
Meatballs
c89b7cb4ee
nvidia_nvsvc service_info fixup
2013-12-15 18:20:25 +00:00
Meatballs
375103b930
trusted_service_path service_info fixup
2013-12-15 18:15:48 +00:00
Meatballs
7d7495a5dd
Large refactor of service_permissions
2013-12-15 18:00:14 +00:00
Meatballs
fe7852b524
Unworking refactor of serv_perm
2013-12-15 04:02:11 +00:00
Meatballs
2a819d4b08
Tidyup trusted_Path
...
We don't just want to escalate to SYSTEM; it would be handy to know
if we can escalate to anything, e.g. Domain logins etc.
2013-12-15 04:01:02 +00:00
Meatballs
ddf23ae8e8
Refactor service_list to return array of hashes
...
Update trusted_service_path, service_permissions,
net_runtime_modify and enum_services to handle change.
Refactor enum_services to tidy it up a bit
2013-12-15 03:00:29 +00:00
Meatballs
3dec7f61a5
Check in sysnative if wow64
2013-12-15 01:12:52 +00:00
Meatballs
2dc4faad72
Resplat license
2013-12-15 01:12:51 +00:00
Meatballs
8203274256
Small fixes
...
Remove " from service command if it is quoted.
Spawn SYSWOW64 notepad.
2013-12-15 01:12:51 +00:00
OJ
f2e2147065
Change unless with else to if with else
2013-12-15 01:12:50 +00:00
OJ
cff7008500
Fix final issues with merge
...
Hopefully this will be the last of the changes.
2013-12-15 01:12:50 +00:00
OJ
41c538856a
Re-add RDI mixin changes
2013-12-15 01:12:49 +00:00
OJ
db29af0f97
First batch of submodule refactorings
2013-12-15 01:12:48 +00:00
Meatballs
6916f7c5d2
Fixup description
2013-12-15 01:12:47 +00:00
Meatballs
3d1646d18e
Exit process when complete
2013-12-15 01:12:47 +00:00
Meatballs
dd32c2b0b8
Spawn 32bit process
2013-12-15 01:12:46 +00:00
Meatballs
819ba30a33
msftidy
...
Conflicts:
lib/msf/core/post/windows/services.rb
2013-12-15 01:12:46 +00:00
Meatballs
5eca4714c2
Renamed module
2013-12-15 01:12:46 +00:00
Meatballs
a930056d7f
Added service status checks to Post::Windows::Services
...
Added QueryServiceStatus to Railgun Advapi32 Definitions
Added Checks to module
Conflicts:
lib/msf/core/post/windows/services.rb
lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_advapi32.rb
2013-12-15 01:12:45 +00:00
Meatballs
c6623b380a
Initial commit
2013-12-15 01:12:45 +00:00
Meatballs
04496a539c
Fix up local wmi exploit.
2013-12-14 20:05:51 +00:00
jvazquez-r7
e8396dc37a
Delete redefinition of ntdll functions on railgun
2013-12-13 16:02:47 -06:00
jvazquez-r7
1ab3e891c9
Modify ms_ndproxy to use railgun additions
2013-12-13 15:54:34 -06:00
jvazquez-r7
5c1ca97e21
Create a new process to host the final payload
2013-12-12 08:26:44 -06:00
jvazquez-r7
eb4e3f8a32
Fix os detection
2013-12-12 07:39:19 -06:00
jvazquez-r7
8b518776bc
Dont fail_with on check
2013-12-11 22:08:36 -06:00
jvazquez-r7
02915c751c
Favor unless over if not and add reference
2013-12-11 16:28:09 -06:00
jvazquez-r7
b6fa3f28b1
Modify description
2013-12-11 08:56:31 -06:00
jvazquez-r7
c4721de4a0
Add module for CVE-2013-5065
2013-12-11 08:52:35 -06:00
b00stfr3ak
0cf1b7fece
add original ask.rb
2013-12-09 14:35:31 -07:00
b00stfr3ak
1d07b2bbfa
Revert "removed ask file, already in pull request 2551"
...
This reverts commit 5ceda7c042.
2013-12-09 14:31:43 -07:00
Meatballs
9b2ae3c447
Uncomment fail_with
2013-12-05 23:21:06 +00:00
OJ
2cb991cace
Shuffle RDI stuff into more appropriate structure
...
Now broken into two modules, one for loading RDI DLLs off disk and
finding the loader function offset, and another for doing the process
specific stuff of loading into the target.
2013-12-06 08:25:24 +10:00
Meatballs
1e60ff91ea
Move ExitThread patching to Msf::Util::EXE
2013-12-05 17:16:14 +00:00
Meatballs
496b017e33
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
2013-12-05 17:09:32 +00:00
Meatballs
dc0f2b7291
Use ExitProcess
2013-12-05 17:08:47 +00:00
OJ
b936831125
Renamed the mixin module
2013-12-05 08:13:54 +10:00
OJ
7e8db8662e
Update name of the mixin
...
Changed `RdiMixin` to `ReflectiveDLLInjection`.
2013-12-04 22:18:29 +10:00
OJ
f79af4c30e
Add RDI mixin module
...
MSF was starting to see more modules using RDI to load binaries into
remote processes, so it made sense to create a mixin which contained
the functionality that was being used in various locations.
This commit contains the new mixin, and adjustments to all the existing
exploits and modules which use RDI.
2013-12-04 16:09:41 +10:00
Meatballs
915d741f86
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
...
Conflicts:
.gitmodules
external/source/ReflectiveDLLInjection
2013-11-30 19:10:04 +00:00
OJ
0b879d8f39
Comments for WfsDelay, adjustment to injection
...
I had intended to add the `WfsDelay` as Meatballs suggested, but for local
exploits this doesn't appear to work as expected. After speaking to HDM
we've decided to leave the sleep in there and figure out the `WsfDelay`
thing later.
This also includes a slight refactor which puts the payload and the
exploit in the same chunk of allocated memory. Minor optimisation, but
worth it.
2013-11-28 08:42:16 +10:00
OJ
defc0ebe5c
ppr_flatten_rec update, RDI submodule, and refactor
...
This commit contains a few changes for the ppr_flatten_rec local windows
exploit. First, the exploit binary itself:
* Updated to use the RDI submodule.
* Updated to build with VS2013.
* Updated to generate a binary called `ppr_flatten_rc.x86.dll`.
* Invocation of the exploit requires address of the payload to run.
Second, the module in MSF behaved a little strangely. I expected it to create
a new session with system privs and leave the existing session alone. This
wasn't the case. It used to create an instance of notepad, migrate the
_existing_ session to it, and run the exploit from there. This behaviour
didn't seem to be consistent with other local exploits. The changes
include:
* Existing session is now left alone, only used as a proxy.
* New notepad instance has exploit reflectively loaded.
* New notepad instance has payload directly injected.
* Exploit invocation takes the payload address as a parameter.
* A wait is added as the exploit is slow to run (nature of the exploit).
* Payloads are executed on successful exploit.
2013-11-27 20:44:18 +10:00
Meatballs
cd68b10bcf
Broadcast needs a decent WfsDelay.
...
Due to the multi railgun changes. Because they return quickly but
the process is still broadcasting them the exploit thinks work has
finished...
2013-11-23 19:18:13 +00:00
Meatballs
6c83109422
Really fix wmi
2013-11-23 16:44:44 +00:00
Meatballs
c194fdc67e
Fixup WMI
...
-c doesn't like $var assignments
2013-11-23 00:31:11 +00:00
Meatballs
ec36cebeb4
Update cmd_psh_payloads to send the architecture.
2013-11-22 23:31:33 +00:00
Meatballs
622a1dccda
Update wmi to use generated powershell command line
2013-11-22 23:18:22 +00:00
Meatballs
9835649858
Update hwnd_broadcast to use generated powershell command line.
2013-11-22 23:04:44 +00:00
William Vu
2c485c509e
Fix caps on module titles (first pass)
2013-11-15 00:03:42 -06:00
OJ
506a4d9e67
Remove genericity, x64 and renamed stuff
...
As per discussion on the github issue, the following changes were made:
* Project renamed from elevate to kitrap0d, implying that this is not
intended to be a generic local priv esc exploit container.
* Container DLL no longer generic, always calls the kitrap0d exploit.
* Removal of all x64 code and project configurations.
* Invocation of the exploit changed so that the address of the payload
is passed in to the exploit entry point. The exploit is now responsible
for executing the payload if the exploit is successful. This removes
the possibility of the payload getting executed when the exploit fails.
* Source moved to the appropriate CVE folder.
* Binary moved to the appropriate CVE folder.
* Little bit of source rejigging to tidy things up.
2013-11-14 12:22:53 +10:00
OJ
e4fc361b37
Various tidies and fixes
...
* Change ranking.
* Update references to comply with correct approach.
* Update messages to better describe what should happen.
* Update the Windows version regex to match XP.
* Update `check` function to use `unless`.
Thanks again @jvazquez-r7 for the feedback!
2013-11-13 10:38:48 +10:00