jvazquez-r7
ebb05a64ea
Land #4357 , @Meatballs1 Kerberos Support for current_user_psexec
2014-12-23 20:38:31 -06:00
Jon Cave
44084b4ef6
Correct Microsoft security bulletin for ppr_flatten_rec
2014-12-22 10:40:23 +00:00
HD Moore
4fc4866fd8
Merge code in from #2395
2014-12-12 16:22:51 -06:00
Meatballs
c813c117db
Use DNS names
2014-12-10 22:25:44 +00:00
Meatballs
b634bde8a1
Lateral movement through PSRemoting
2014-12-04 22:06:28 +00:00
Meatballs
e471271231
Move comment
2014-12-04 20:24:37 +00:00
Meatballs
c14ba11e79
If extapi dont stage payload
2014-12-04 20:17:48 +00:00
jvazquez-r7
145e610c0f
Avoid shadowing new method
2014-11-17 12:22:30 -06:00
jvazquez-r7
6574db5dbb
Fix the 64 bits code
2014-10-30 17:01:59 -05:00
jvazquez-r7
5e0993d756
Add OJ as author
2014-10-28 09:58:34 -05:00
Spencer McIntyre
830f631da4
Make the check routine less strict
2014-10-27 12:51:20 -04:00
Spencer McIntyre
46b1abac4a
More robust check routine for cve-2014-4113
2014-10-27 11:19:12 -04:00
jvazquez-r7
4406972b46
Do version checking minor cleanup
2014-10-27 09:32:42 -05:00
jvazquez-r7
c319ea91b3
Delete verbose print
2014-10-26 17:31:19 -05:00
jvazquez-r7
34697a2240
Delete 'callback3' also from 32 bits version
2014-10-26 17:28:35 -05:00
Spencer McIntyre
7416c00416
Initial addition of x64 target for cve-2014-4113
2014-10-26 16:54:42 -04:00
jvazquez-r7
a75186d770
Add module for CVE-2014-4113
2014-10-23 18:51:30 -05:00
URI Assassin
35d3bbf74d
Fix up comment splats with the correct URI
...
See the complaint on #4039 . This doesn't fix that particular
issue (it's somewhat unrelated), but does solve around
a file parsing problem reported by @void-in
2014-10-17 11:47:33 -05:00
Tod Beardsley
9f6008e275
A couple OSVDB updates for recent modules
2014-10-14 13:39:36 -05:00
Tod Beardsley
4f8801eeba
Land #3651 , local Bluetooth exploit a @KoreLogic
...
This started life as #3653 . I'll take this out of unstable as well,
since it got there on commit b10cbe4f
2014-10-14 13:13:34 -05:00
Jay Smith
7dd6a4d0d9
Merge in changes from @todb-r7.
2014-10-08 13:25:44 -04:00
sinn3r
b17396931f
Fixes #3876 - Move pxeexploit to local directory
2014-09-30 17:16:13 -05:00
Meatballs
d5959d6bd6
Land #2585 , Refactor Bypassuac with Runas Mixin
2014-09-28 09:24:22 +01:00
jvazquez-r7
9d3d25a3b3
Solve conflicts
2014-08-28 10:19:12 -05:00
Meatballs
d2bc0baa87
Merge remote-tracking branch 'upstream/master' into extapi_service_post
...
Conflicts:
lib/msf/core/post/windows/services.rb
2014-08-24 19:46:19 +01:00
Tod Beardsley
cad281494f
Minor caps, grammar, desc fixes
2014-08-18 13:35:34 -05:00
Meatballs
0cc3bdfb35
Moar bad packs
2014-08-15 21:11:37 +01:00
Jay Smith
b55f425ec0
Merge in changes from @todb-r7.
2014-08-14 17:22:07 -04:00
sinn3r
f91116a8e8
Land #3634 - Virtual box 3D Acceleration OpenGL Host escape
2014-08-13 20:08:13 -05:00
jvazquez-r7
127d094a8d
Dont share once device is opened
2014-08-13 16:13:38 -05:00
Meatballs
05a198bc96
Correct spelling
2014-08-13 14:06:25 +01:00
Meatballs
4a01c27ed4
Use get_env and good pack specifier
2014-08-13 10:59:22 +01:00
jvazquez-r7
da4b572a0d
Change module name
2014-08-12 17:17:26 -05:00
jvazquez-r7
3eccc12f50
Switch from vprint to print
2014-08-12 17:11:24 -05:00
jvazquez-r7
f203fdebcb
Use Msf::Exploit::Local::WindowsKernel
2014-08-12 17:09:39 -05:00
jvazquez-r7
e1debd68ad
Merge to update
2014-08-12 16:21:39 -05:00
jvazquez-r7
183b27ee27
There is only one target
2014-08-12 16:14:41 -05:00
jvazquez-r7
c8e4048c19
Some style fixes
2014-08-12 16:11:31 -05:00
jvazquez-r7
ea3d2f727b
Dont fail_with while checking
2014-08-12 16:09:59 -05:00
jvazquez-r7
486b5523ee
Refactor set_version
2014-08-09 02:17:07 -05:00
jvazquez-r7
d959affd6e
Delete debug message
2014-08-09 01:58:42 -05:00
jvazquez-r7
da04b43861
Add module for CVE-2014-0983
2014-08-09 01:56:38 -05:00
Spencer McIntyre
b602e47454
Implement improvements based on feedback
2014-08-05 21:24:37 -07:00
Spencer McIntyre
9cd6353246
Update mqac_write to use the mixin and restore pointers
2014-08-04 12:15:39 -07:00
Spencer McIntyre
a523898909
Apply rubocop suggestions for ms_ndproxy
2014-08-04 11:49:01 -07:00
Spencer McIntyre
86e2377218
Switch ms_ndproxy to use the new WindowsKernel mixin
2014-08-04 11:49:01 -07:00
Spencer McIntyre
58d29167e8
Refactor MS11-080 to use the mixin and for style
2014-08-04 11:49:01 -07:00
Joshua Smith
6c2b8f54cf
rubocop cleanup, long lines, etc
2014-08-03 23:19:08 -05:00
OJ
2b021e647d
Minor tidies to conform to standards
2014-08-03 23:19:08 -05:00
OJ
31c51eeb63
Move error messages to `check`
2014-08-03 23:19:08 -05:00
OJ
cbf15660bf
Add some small fixes to the MQAC local exploit
...
* Check for `INVALID_HANDLE_VALUE` when attempting to open the
device, as this is what is returned when the device doesn't exist.
* Make sure that we only run the exploit against tartgets that we
support directly to make sure we don't BSOD machines (such as what
happens with SP1/SP2).
* Add a call to `check` in the exploit code.
2014-08-03 23:19:08 -05:00
b00stfr3ak
add5cefe17
Change runas method to use lib
...
Changed runas method to use the new runas lib. Also did some rubocop
changes.
2014-08-01 17:13:24 -07:00
b00stfr3ak
df98098b0c
New shell_execute_option command
...
Also removed upload option
2014-08-01 17:12:04 -07:00
b00stfr3ak
5c2b074264
Matched bypassuac to upstream
2014-08-01 14:40:23 -07:00
b00stfr3ak
def652a50e
Merge https://github.com/rapid7/metasploit-framework into bypassuac/psh_option
2014-08-01 14:32:55 -07:00
Meatballs
15c1ab64cd
Quick rubocop
2014-07-31 23:11:00 +01:00
Meatballs
d336c56b99
Merge remote-tracking branch 'upstream/master' into land_2551
2014-07-31 23:06:37 +01:00
Meatballs
53b66f3b4a
Land #2075 , Powershell Improvements
2014-07-31 00:49:39 +01:00
Joshua Smith
e00d892f99
rubocop cleanup, long lines, etc
2014-07-28 22:04:45 -05:00
OJ
210342df5b
Minor tidies to conform to standards
2014-07-25 09:32:54 +10:00
OJ
9fe2dd59aa
Move error messages to `check`
2014-07-25 07:57:09 +10:00
OJ
3ec30bdf78
Add some small fixes to the MQAC local exploit
...
* Check for `INVALID_HANDLE_VALUE` when attempting to open the
device, as this is what is returned when the device doesn't exist.
* Make sure that we only run the exploit against tartgets that we
support directly to make sure we don't BSOD machines (such as what
happens with SP1/SP2).
* Add a call to `check` in the exploit code.
2014-07-24 14:48:29 +10:00
Jay Smith
042278ed6a
Update code to reflect @OJ code suggestions
2014-07-23 11:01:43 -04:00
Jay Smith
534a5d964b
Add CVE-2014-4971 BthPan local privilege escalation
...
Add CVE-2014-4971 BthPan local privilege escalation for Windows XP SP3
2014-07-22 18:17:06 -04:00
Jay Smith
0db3a0ec97
Update code to reflect @jlee-r7's code review
2014-07-22 15:14:24 -04:00
Jay Smith
125b2df8f5
Update code to reflect @hdmoore code suggestions
2014-07-22 14:53:24 -04:00
Spencer McIntyre
7f79e58e7f
Lots and cleanups based on PR feed back
2014-07-22 14:45:00 -04:00
Spencer McIntyre
5d9c6bea9d
Fix a typo and use the execute_shellcode function
2014-07-22 13:06:57 -04:00
Spencer McIntyre
12904edf83
Remove unnecessary target info and add url reference
2014-07-22 11:20:07 -04:00
Spencer McIntyre
ca0dcf23b0
Add a simple check method for cve-2014-4971
2014-07-22 10:54:10 -04:00
Spencer McIntyre
6a545c2642
Clean up the mqac escalation module
2014-07-22 10:39:34 -04:00
Spencer McIntyre
da4eb0e08f
First commit of MQAC arbitrary write priv escalation
2014-07-22 10:04:12 -04:00
Meatballs
b0a596b4a1
Update newer modules
2014-07-20 21:59:10 +01:00
Meatballs
474ee81807
Merge remote-tracking branch 'upstream/master' into pr2075
2014-07-20 21:01:54 +01:00
Jay Smith
2be6eb16a2
Add in exploit check and version checks
...
Move the initial checking for the vboxguest device and os checks
into the MSF check routine.
2014-07-17 14:56:34 -04:00
William Vu
25f74b79b8
Land #3484 , bad pack/unpack specifier fix
2014-07-16 14:52:23 -05:00
Meatballs
7583ed4950
Merge remote-tracking branch 'upstream/master' into pr2075
2014-07-16 20:34:34 +01:00
Jay Smith
6d49f6ecdd
Update code to reflect hdmoore's code review.
2014-07-16 14:29:17 -04:00
Jay Smith
cef2c257dc
Add CVE-2014-2477 local privilege escalation
2014-07-16 05:49:19 -04:00
Meatballs
05c9757624
Merge in #3488
2014-07-04 20:37:09 +01:00
sinn3r
21f6e7bf6c
Change description
2014-07-01 10:44:21 -05:00
HD Moore
c9b6c05eab
Fix improper use of host-endian or signed pack/unpack
...
Note that there are some cases of host-endian left, these
are intentional because they operate on host-local memory
or services.
When in doubt, please use:
```
ri pack
```
2014-06-30 02:50:10 -05:00
sinn3r
ce5d3b12e7
Land #3403 - MS13-097 Registry Symlink IE Sandbox Escape
2014-06-26 13:48:28 -05:00
sinn3r
0b6f7e4483
Land #3404 - MS14-009 .NET Deployment Service IE Sandbox Escape
2014-06-26 11:45:47 -05:00
jvazquez-r7
a081beacc2
Use Gem::Version for string versions comparison
2014-06-20 09:44:29 -05:00
OJ
5879ca3340
Merge branch 'upstream/master' into meatballs x64_injection
2014-06-18 10:24:33 +10:00
HD Moore
d5b32e31f8
Fix a typo where platform was 'windows' not 'win'
...
This was reported by dracu on freenode
2014-06-11 15:10:33 -05:00
jvazquez-r7
43699b1dfb
Don't clean env variable before using it
2014-06-03 09:56:19 -05:00
jvazquez-r7
b8a2cf776b
Do test
2014-06-03 09:52:01 -05:00
jvazquez-r7
05ed2340dc
Use powershell
2014-06-03 09:29:04 -05:00
jvazquez-r7
f918bcc631
Use powershell instead of mshta
2014-06-03 09:01:56 -05:00
jvazquez-r7
9574a327f8
use the new check also in exploit()
2014-06-02 14:38:33 -05:00
jvazquez-r7
3c38c0d87c
Dont be confident about string comparision
2014-06-02 14:37:29 -05:00
jvazquez-r7
d0241cf4c1
Add check method
2014-06-02 08:14:40 -05:00
jvazquez-r7
31af8ef07b
Check .NET version
2014-06-01 20:58:08 -05:00
Meatballs
3c5fae3706
Use correct include
2014-06-01 11:51:06 +01:00
Meatballs
4801a7fca0
Allow x86->x64 injection
2014-06-01 11:50:13 +01:00
jvazquez-r7
3ae4a16717
Clean environment variables
2014-05-30 12:21:23 -05:00
jvazquez-r7
b99b577705
Clean environment variable
2014-05-30 12:20:00 -05:00
jvazquez-r7
b27a95c008
Delete unused code
2014-05-30 12:08:55 -05:00
jvazquez-r7
e215bd6e39
Delete unnecessary code and use get_env
2014-05-30 12:07:59 -05:00
jvazquez-r7
1dbd36a3dd
Check for the .NET dfsvc and use %windir%
2014-05-30 09:02:43 -05:00
jvazquez-r7
ffbcbe8cc1
Use cmd_psh_payload
2014-05-29 18:12:18 -05:00
jvazquez-r7
03889ed31f
Use cmd_psh_payload
2014-05-29 18:11:22 -05:00
jvazquez-r7
e145298c13
Add module for CVE-2014-0257
2014-05-29 11:45:19 -05:00
jvazquez-r7
6e122e683a
Add module for CVE-2013-5045
2014-05-29 11:42:54 -05:00
Meatballs
52b182d212
Add a small note to bypassuac_injection concerning EXE::Custom
2014-05-19 22:00:35 +01:00
Meatballs
b84379ab3b
Note about EXE::Custom
2014-05-19 22:00:09 +01:00
Tod Beardsley
c97c827140
Adjust desc and ranking on ms13-053
...
Since it's likely to crash winlogin.exe in the normal use case
(eventually), I've kicked this down to Average ranking.
2014-05-05 13:46:19 -05:00
Meatballs
0db22c5c57
Use library method
2014-05-05 13:24:33 +01:00
Meatballs
c474ff4465
Merge remote-tracking branch 'upstream/master' into extapi_service_post
...
Conflicts:
modules/exploits/windows/local/service_permissions.rb
modules/post/windows/manage/rpcapd_start.rb
2014-05-05 13:19:25 +01:00
OJ
7e37939bf2
Land #3090 - Windows NTUserMessageCall Win32k Kernel Pool Overflow (Schlamperei)
2014-05-04 16:41:17 +10:00
Meatballs
56c5eac823
Message correction
2014-05-02 14:18:18 +01:00
Meatballs
69915c0de5
Message correction
2014-05-02 14:17:27 +01:00
William Vu
8b138b2d37
Fix unquoted path in cleanup script
2014-04-30 16:34:33 -05:00
kaospunk
6b740b727b
Changes PATH to proper case
...
This changes PATH to Path
2014-04-30 17:26:36 -04:00
kaospunk
fdc81b198f
Adds the ability to specify path
...
This update allows an explicit path to be set rather
than purely relying on the TEMP environment variable.
2014-04-30 16:08:48 -04:00
Meatballs
d73854ff17
Fix wmi and add automatic target
2014-04-22 14:28:27 +01:00
Meatballs
3019cb99c1
Update cmd_upgrade module
2014-04-19 19:13:48 +01:00
Meatballs
00234aeec3
Remove powershell remoting
2014-04-19 19:03:18 +01:00
RageLtMan
5c3289bbc6
merge fix
2014-04-17 21:26:04 -04:00
Meatballs
38d8df4040
Merge remote-tracking branch 'upstream/master' into pr2075
...
Conflicts:
modules/exploits/windows/local/wmi.rb
2014-04-15 22:06:45 +01:00
Tod Beardsley
062175128b
Update @Meatballs and @FireFart in authors.rb
2014-04-09 10:46:10 -05:00
sinn3r
d7ca537a41
Microsoft module name changes
...
So after making changes for MSIE modules (see #3161 ), I decided to
take a look at all MS modules, and then I ended up changing all of
them. Reason is the same: if you list modules in an ordered list
, this is a little bit easier to see for your eyes.
2014-03-28 20:56:53 -05:00
Meatballs
b524507e4e
Merge remote-tracking branch 'upstream/master' into land_2551
...
Conflicts:
modules/exploits/windows/local/ask.rb
2014-03-22 18:14:45 +00:00
Meatballs
7b2f0a64fc
Tidy up
2014-03-22 18:07:57 +00:00
Meatballs
04506d76f3
Dont check for admin
2014-03-22 17:57:27 +00:00
OJ
409787346e
Bring build tools up to date, change some project settings
...
This commit brings the source into line with the general format/settings
that are used in other exploits.
2014-03-14 22:57:16 +10:00
kyuzo
41720428e4
Refactoring exploit and adding build files for dll.
2014-03-12 10:25:52 +00:00
OJ
3ea3968d88
Merge branch 'upstream/master' into stop_abusing_expand_path
...
Conflicts:
lib/msf/core/post/windows/shadowcopy.rb
modules/exploits/windows/local/bypassuac.rb
modules/post/windows/gather/wmic_command.rb
modules/post/windows/manage/persistence.rb
2014-03-11 23:13:39 +10:00
kyuzo
257c121c75
Adding MS013-058 for Windows7 x86
2014-03-06 20:34:01 +00:00
kyuzo
2a1e96165c
Adding MS013-058 for Windows7 x86
2014-03-06 18:39:34 +00:00
OJ
a1aef92652
Land #2431 - In-memory bypass uac
2014-03-05 11:15:54 +10:00
Meatballs
32d83887d3
Merge remote-tracking branch 'upstream/master' into wmic_post
2014-03-03 21:56:31 +00:00
Meatballs
2885ebcb40
Merge remote-tracking branch 'upstream/master' into pr2075
2014-03-02 20:57:02 +00:00
David Maloney
b952b103bd
cleanup tior and .tmp files
...
bypassuac module now also cleans
the tior.exe and all the .tmp files so we have a
clean environemnt afterwards
2014-02-27 13:18:34 -06:00
David Maloney
f66709b5bb
make bypassuac module clean itself up
...
since the IO redirection hangs our original process
we have the moudle wait for the session then kills
the spawning process and delete the exe we dropped
2014-02-27 12:54:40 -06:00
David Maloney
a8e0c3c255
remove copypasta mistake
2014-02-27 10:05:53 -06:00
David Maloney
96b611104e
cleanup methods in bypassuac module
...
apply the same sort of method cleanup as in
Meatballs injection based module.
2014-02-26 11:00:55 -06:00
Meatballs
6127ff92ce
Fix race condition
...
Wait for Sysprep to ExitProcess before cleaning up the DLLs...
2014-03-03 23:41:25 +00:00
Meatballs
d396be963a
Use new cmd_exec_get_pid
2014-02-28 20:53:13 +00:00
Meatballs
2a6258be15
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
...
Conflicts:
external/source/exploits/make.bat
2014-02-28 20:26:24 +00:00
Meatballs
e0fa1d532c
Dont think this works on vista/8
2014-02-26 23:14:17 +00:00
Meatballs
8bdb22aeb9
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
...
Conflicts:
lib/msf/core/post/windows.rb
2014-02-25 22:15:05 +00:00
Meatballs
1f08ad48a4
Fix payload_path method
2014-02-25 22:11:23 +00:00
Meatballs
6687ef80ee
Further bypassuac tidies
...
Dont rescue Exception
Use ReflectiveDLLInjection post mixin
Dont keep retrieving %TEMP% path
2014-02-25 22:03:01 +00:00
David Maloney
23381ea2cb
code tidying
...
break big exploit method up into
smaller methods for better maintainability
2014-02-25 14:07:48 -06:00
James Lee
4c557a1401
Add Post::Windows::Services#each_service
...
Also cleans up some style issues and adds yardoc comments for some stuff
in Post::File
Note that windows/local/service_permissions is still using
`service_list` because it now builds a Rex::Table, which has to have
all the data up front, anyway.
2014-02-18 18:24:23 -06:00
James Lee
684c45a5ff
Merge remote-tracking branch 'upstream/pr/2766' into merge-2766
2014-02-18 17:36:13 -06:00
Meatballs
b8b36ef528
Merge remote-tracking branch 'upstream/master' into pr2075
2014-02-14 22:52:55 +00:00
RageLtMan
b453362a52
Merge remote-tracking branch 'upstream/pr/2966' into integrate_with_meatballs
2014-02-12 16:43:30 -05:00
jvazquez-r7
3d4d5a84b6
Land #2957 , @zeroSteiner's exploit for CVE-2013-3881
2014-02-10 13:59:45 -06:00
jvazquez-r7
502dbb1370
Add references
2014-02-10 13:55:02 -06:00
jvazquez-r7
abb03d0bbe
Fixing messages
2014-02-10 13:10:42 -06:00
jvazquez-r7
541bb6134e
Change exploit filename
2014-02-10 13:06:23 -06:00
jvazquez-r7
2e130ce843
Make it work with Reader Sandbox
2014-02-10 13:04:13 -06:00
Tod Beardsley
7c43565ea8
Include missing require for powershell
2014-02-10 11:02:53 -06:00
Spencer McIntyre
0ac1acda70
Upgrade toolchain to Visual Studio 2013 v120.
2014-02-10 09:35:07 -05:00
Meatballs
a4b451dbc0
Ensure we start in a new conhost/process
2014-02-09 23:36:25 +00:00
Meatballs
aa93299931
Sleep instead of noexit
2014-02-09 23:19:14 +00:00
Meatballs
b79bb4726d
Go for background approach
2014-02-09 19:41:24 +00:00
Meatballs
038aae5adb
Run as jobs
2014-02-09 19:30:16 +00:00
Meatballs
1c169e2935
Uniq results
2014-02-09 17:52:06 +00:00
Meatballs
2cea90f931
Working remoting
2014-02-09 17:43:44 +00:00
Meatballs
f1959f5313
Fixup WMI
2014-02-09 11:18:15 +00:00
Meatballs
c37cb5075c
Merge remote-tracking branch 'upstream/master' into pr2075
2014-02-08 22:11:31 +00:00
Spencer McIntyre
f686385349
Remove an unnecessary VS file and modify version check.
2014-02-07 08:45:51 -05:00
Spencer McIntyre
cc32c877a9
Add CVE-2013-3881 win32k Null Page exploit
2014-02-06 17:23:38 -05:00
Meatballs
08493f2670
Merge remote-tracking branch 'upstream/master' into upgrade_psh
...
Conflicts:
lib/msf/core/post/file.rb
2014-02-03 18:02:09 +00:00
Meatballs
95eb758642
Initial commit
2014-02-02 19:04:38 +00:00
sinn3r
cdc425e4eb
Update some checks
2014-01-24 12:08:23 -06:00
sinn3r
e5dc6a9911
Update exploit checks
...
Progress group 1: Making sure these checks comply with the new
guidelines. Please read: "How to write a check() method" found in
the wiki.
2014-01-20 14:26:10 -06:00
Meatballs
c426946886
Final tidyups
2014-01-03 15:55:03 +00:00
Meatballs
9028060f7d
Refactor service_create
2014-01-03 15:44:59 +00:00
Meatballs
5adc9e93f4
Merge remote-tracking branch 'upstream/master' into extapi_service_post
2014-01-03 14:39:55 +00:00
OJ
9fb081cb2d
Add getenvs, update getenv, change extract_path use
...
Stacks of modules were using `extract_path` where it wasn't really semantically correct
because this was the only way to expand environment variables. This commit fixes that
up a bit.
Also, I changed the existing `getenv` function in `stdapi` to `getenvs`, and had it
support the splat operator. I added a `getenv` function which is used just for a
single variable and uses `getenvs` behind the scenes.
The meterpreter console `getenv` command now uses `getenvs`
2013-12-19 11:54:34 +10:00
sinn3r
4bddd077ec
Land #2762 - Use new ntdll railgun functions
2013-12-18 15:18:47 -06:00
Meatballs
3e54379b0e
Merge remote-tracking branch 'upstream/master' into wmic_post
...
Conflicts:
lib/msf/core/post/windows.rb
2013-12-18 13:40:54 +00:00
Meatballs
c3aee714af
shadowcopy should use service_restart
2013-12-18 12:12:34 +00:00
Meatballs
42bc5ab75f
Use Services calls in enable_rdp
...
Update calls to change_service_config to check success
2013-12-18 11:34:12 +00:00
Meatballs
55a5a7e032
Fix typo
2013-12-18 11:06:03 +00:00
Meatballs
bce7fab2cd
Fixup IKEEXT
2013-12-18 00:08:01 +00:00
Meatballs
0bac2415ca
Some post testing fixes
...
Also deprecate net escalate as it is covered by service_permissions
as a generic exploit
2013-12-18 00:00:14 +00:00
Meatballs
067e6d89bb
Use service_restart in IKEEXT and ServicePermissions
...
Service_restart is aggressive so should attempt to leave as Auto
2013-12-17 17:21:35 +00:00
jvazquez-r7
52cb43e6a8
Fix typo
2013-12-16 20:28:49 -06:00
Meatballs
c2dd174e3c
Merge remote-tracking branch 'upstream/master' into extapi_service_post
2013-12-17 01:54:24 +00:00
Meatballs
a33721f444
service_change_config keys should match extapi
2013-12-17 01:48:09 +00:00
Meatballs
101e5a8ccf
Tidyup trusted_service_path
...
Use filedropper, use service exe, dont migrate
2013-12-17 01:46:45 +00:00
Meatballs
560080fa21
Update start_service return value
...
Add service_restart
2013-12-17 00:43:35 +00:00
Meatballs
f39bc0b07a
Update service_stop return
2013-12-17 00:22:37 +00:00
jvazquez-r7
84759a552a
Save one variable
2013-12-16 16:49:44 -06:00
jvazquez-r7
042bd4f80b
Fix ms_ndproxy to work under a sandboxed Reader
2013-12-16 16:19:17 -06:00
Tod Beardsley
040619c373
Minor description changes
...
No code changes (one comment made on play_youtube to suggest xdg-open
rather than firefox for linux targets).
2013-12-16 14:57:33 -06:00
Meatballs
5be9622782
Tidy and constants
2013-12-16 18:35:24 +00:00
Meatballs
435cc9b93f
Add single quote encapsulation
...
For WMI and psh_web_delivery
2013-12-16 15:13:13 +00:00
Meatballs
b252e7873b
Merge remote-tracking branch 'upstream/master' into pr2075
2013-12-16 14:29:05 +00:00
Meatballs
87fe6ecfaa
Fixup modules
2013-12-15 18:43:55 +00:00
Meatballs
f10a35ed08
Use :display correctly
2013-12-15 18:28:29 +00:00
Meatballs
cd837ebe16
ikeext_service service_info fixup
2013-12-15 18:28:06 +00:00
Meatballs
c89b7cb4ee
nvidia_nvsvc service_info fixup
2013-12-15 18:20:25 +00:00
Meatballs
375103b930
trusted_service_path service_info fixup
2013-12-15 18:15:48 +00:00
Meatballs
7d7495a5dd
Large refactor of service_permissions
2013-12-15 18:00:14 +00:00
Meatballs
fe7852b524
Unworking refactor of serv_perm
2013-12-15 04:02:11 +00:00
Meatballs
2a819d4b08
Tidyup trusted_Path
...
We dont just want to escalate to SYSTEM it would be handy to know
if we can escalate to anything e.g. Domain logins etc.
2013-12-15 04:01:02 +00:00
Meatballs
ddf23ae8e8
Refactor service_list to return array of hashes
...
Update trusted_service_path, service_permissions,
net_runtime_modify and enum_services to handle change.
Refactor enum_services to tidy it up a bit
2013-12-15 03:00:29 +00:00
Meatballs
3dec7f61a5
Check in sysnative if wow64
2013-12-15 01:12:52 +00:00
Meatballs
2dc4faad72
Resplat license
2013-12-15 01:12:51 +00:00
Meatballs
8203274256
Small fixes
...
Remove " from service command if it is quoted.
Spawn SYSWOW64 notepad.
2013-12-15 01:12:51 +00:00
OJ
f2e2147065
Change unless with else to if with else
2013-12-15 01:12:50 +00:00
OJ
cff7008500
Fix final issues with merge
...
Hopefully this will be the last of the changes.
2013-12-15 01:12:50 +00:00
OJ
41c538856a
Re-add RDI mixin changes
2013-12-15 01:12:49 +00:00
OJ
db29af0f97
First batch of submodule refactorings
2013-12-15 01:12:48 +00:00
Meatballs
6916f7c5d2
Fixup description
2013-12-15 01:12:47 +00:00
Meatballs
3d1646d18e
Exit process when complete
2013-12-15 01:12:47 +00:00
Meatballs
dd32c2b0b8
Spawn 32bit process
2013-12-15 01:12:46 +00:00
Meatballs
819ba30a33
msftidy
...
Conflicts:
lib/msf/core/post/windows/services.rb
2013-12-15 01:12:46 +00:00
Meatballs
5eca4714c2
Renamed module
2013-12-15 01:12:46 +00:00
Meatballs
a930056d7f
Added service status checks to Post::Windows::Services
...
Added QueryServiceStatus to Railgun Advapi32 Definitions
Added Checks to module
Conflicts:
lib/msf/core/post/windows/services.rb
lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_advapi32.rb
2013-12-15 01:12:45 +00:00
Meatballs
c6623b380a
Initial commit
2013-12-15 01:12:45 +00:00
Meatballs
04496a539c
Fix up local wmi exploit.
2013-12-14 20:05:51 +00:00
jvazquez-r7
e8396dc37a
Delete redefinition of ntdll functions on railgun
2013-12-13 16:02:47 -06:00
jvazquez-r7
1ab3e891c9
Modify ms_ndproxy to use railgun additions
2013-12-13 15:54:34 -06:00
jvazquez-r7
5c1ca97e21
Create a new process to host the final payload
2013-12-12 08:26:44 -06:00
jvazquez-r7
eb4e3f8a32
Fix os detection
2013-12-12 07:39:19 -06:00
jvazquez-r7
8b518776bc
Dont fail_with on check
2013-12-11 22:08:36 -06:00
jvazquez-r7
02915c751c
Favor unless over if not and add reference
2013-12-11 16:28:09 -06:00
jvazquez-r7
b6fa3f28b1
Modify description
2013-12-11 08:56:31 -06:00
jvazquez-r7
c4721de4a0
Add module for CVE-2013-5065
2013-12-11 08:52:35 -06:00
b00stfr3ak
0cf1b7fece
add original ask.rb
2013-12-09 14:35:31 -07:00
b00stfr3ak
1d07b2bbfa
Revert "removed ask file, already in pull request 2551"
...
This reverts commit 5ceda7c042
.
2013-12-09 14:31:43 -07:00
Meatballs
9b2ae3c447
Uncomment fail_with
2013-12-05 23:21:06 +00:00
OJ
2cb991cace
Shuffle RDI stuff into more appropriate structure
...
Now broken into two modules, one for loading RDI DLLs off disk and
finding the loader function offset, and another for doing the process
specific stuff of loading into the target.
2013-12-06 08:25:24 +10:00
Meatballs
1e60ff91ea
Move ExitThread patching to Msf::Util::EXE
2013-12-05 17:16:14 +00:00
Meatballs
496b017e33
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
2013-12-05 17:09:32 +00:00
Meatballs
dc0f2b7291
Use ExitProcess
2013-12-05 17:08:47 +00:00
OJ
b936831125
Renamed the mixin module
2013-12-05 08:13:54 +10:00
OJ
7e8db8662e
Update name of the mixin
...
Changed `RdiMixin` to `ReflectiveDLLInjection`.
2013-12-04 22:18:29 +10:00
OJ
f79af4c30e
Add RDI mixin module
...
MSF was starting to see more modules using RDI to load binaries into
remote processes, so it made sense to create a mixin which contained
the functionality that was being used in various locations.
This commit contains the new mixin, and adjustments to all the existing
exploits and modules which use RDI.
2013-12-04 16:09:41 +10:00
Meatballs
915d741f86
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
...
Conflicts:
.gitmodules
external/source/ReflectiveDLLInjection
2013-11-30 19:10:04 +00:00
OJ
0b879d8f39
Comments for WfsDelay, adjustment to injection
...
I had inteded to add the `WfsDelay` as Meatballs suggested, but for locl
exploits this doesn't appear to work as expected. After speaking to HDM
we've decided to leave the sleep in there and figure out the `WsfDelay`
thing later.
This also includes a slight refactor which puts the payload and the
exploit in the same chunk of allocated memory. Minor optimisation, but
worth it.
2013-11-28 08:42:16 +10:00
OJ
defc0ebe5c
ppr_flatten_rec update, RDI submodule, and refactor
...
This commit contains a few changes for the ppr_flatten_rec local windows
exploit. First, the exploit binary itself:
* Updated to use the RDI submodule.
* Updated to build with VS2013.
* Updated to generate a binary called `ppr_flatten_rc.x86.dll`.
* Invocation of the exploit requires address of the payload to run.
Second, the module in MSF behaved a little strange. I expected it to create
a new session with system privs and leave the existing session alone. This
wasn't the case. It used to create an instance of notepad, migrate the
_existing_ session to it, and run the exploit from there. This behaviour
didn't seem to be consistent with other local exploits. The changes
include:
* Existing session is now left alone, only used as a proxy.
* New notepad instance has exploit reflectively loaded.
* New notepad instance has payload directly injected.
* Exploit invocation takes the payload address as a parameter.
* A wait is added as the exploit is slow to run (nature of the exploit).
* Payloads are executed on successful exploit.
2013-11-27 20:44:18 +10:00
Meatballs
cd68b10bcf
Broadcast needs a decent WfsDelay.
...
Due to the multi railgun changes. Because they return quickly but
the process is still broadcasting them the exploit thinks work has
finished...
2013-11-23 19:18:13 +00:00
Meatballs
6c83109422
Really fix wmi
2013-11-23 16:44:44 +00:00
Meatballs
c194fdc67e
Fixup WMI
...
-c doesn't like $var assignments
2013-11-23 00:31:11 +00:00
Meatballs
ec36cebeb4
Update cmd_psh_payloads to send the architecture.
2013-11-22 23:31:33 +00:00
Meatballs
622a1dccda
Update wmi to use generated powershell command line
2013-11-22 23:18:22 +00:00
Meatballs
9835649858
Update hwnd_broadcast to use generated powershell command line.
2013-11-22 23:04:44 +00:00
William Vu
2c485c509e
Fix caps on module titles (first pass)
2013-11-15 00:03:42 -06:00
OJ
506a4d9e67
Remove genericity, x64 and renamed stuff
...
As per discussion on the github issue, the following changes were made:
* Project renamed from elevate to kitrap0d, implying that this is not
intended to be a generic local priv esc exploit container.
* Container DLL no longer generic, always calls the kitrap0d exploit.
* Removal of all x64 code and project configurations.
* Invocation of the exploit changed so that the address of the payload
is passed in to the exploit entry point. The exploit is now responsible
for executing the payload if the exploit is successful. This removes
the possibility of the payload getting executed when the exploit fails.
* Source moved to the appropriate CVE folder.
* Binary moved to the appropriate CVE folder.
* Little bit of source rejigging to tidy things up.
2013-11-14 12:22:53 +10:00
OJ
e4fc361b37
Various tidies and fixes
...
* Change ranking.
* Update references to comply with correct approach.
* Update messages to better describe what should happen.
* Update the Windows version regex to match XP.
* Update `check` function to use `unless`.
Thanks again @jvazquez-r7 for the feedback!
2013-11-13 10:38:48 +10:00