04506d76f3
Dont check for admin
2014-03-22 17:57:27 +00:00
a5afd929b4
Land #3120 , @wchen-r7's exploit for CVE-2014-0307
2014-03-20 11:16:40 -05:00
8cb7bc3cbe
Fix typo
2014-03-20 11:13:57 -05:00
c5158a3ccc
Update CVE
2014-03-19 22:13:23 -05:00
d27264b402
Land #2782 , fix expand_path abuse
2014-03-19 08:41:28 -05:00
2e76faa076
Add MS14-012 Internet Explorer Use-After-Free Exploit Module
...
Add MS14-012 IE UAF.
2014-03-18 17:55:56 -05:00
8f2124f5da
Minor updates for release
...
Fixes some title/desc action.
Adds a print_status on the firefox module so it's not just silent.
Avoids the use of "puts" in the description b/c this freaks out msftidy
(it's a false positive but easily worked around).
2014-03-17 13:26:26 -05:00
da0c37cee2
Land #2684 , Meatballs PSExec refactor
2014-03-14 13:01:20 -05:00
409787346e
Bring build tools up to date, change some project settings
...
This commit brings the source into line with the general format/settings
that are used in other exploits.
2014-03-14 22:57:16 +10:00
243fa4f56a
Land #2910 - MPlayer Lite M3U Buffer Overflow
2014-03-13 14:13:17 -05:00
e832be9eeb
Update description and change ranking
...
The exploit requires the targeted user to open the malicious in
specific ways.
2014-03-13 14:09:37 -05:00
41720428e4
Refactoring exploit and adding build files for dll.
2014-03-12 10:25:52 +00:00
517f264000
Add last chunk of fixes
2014-03-11 12:46:44 -05:00
25ebb05093
Add next chunk of fixes
...
Going roughly a third at a time.
2014-03-11 12:23:59 -05:00
3ea3968d88
Merge branch 'upstream/master' into stop_abusing_expand_path
...
Conflicts:
lib/msf/core/post/windows/shadowcopy.rb
modules/exploits/windows/local/bypassuac.rb
modules/post/windows/gather/wmic_command.rb
modules/post/windows/manage/persistence.rb
2014-03-11 23:13:39 +10:00
bc8590dbb9
Change DoS module location
2014-03-10 16:12:20 +01:00
1061036cb9
Use nick instead of name
2014-03-10 16:11:58 +01:00
5485028501
Add 3 Yokogawa SCADA vulns
...
These represent our part for public disclosure of the issues listed
here:
http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf
Yokogawa is calling these YSAR-14-0001E, and I think that they map
thusly:
YSAR-14-0001E Vulnerability 1 :: R7-2013-19.1
YSAR-14-0001E Vulnerability 2 :: R7-2013-19.3
YSAR-14-0001E Vulnerability 3 :: R7-2013-19.4
@jvazquez-r7 if you could confirm, I'd be delighted to land these and
get your disclosure blog post published at:
https://community.rapid7.com/community/metasploit/blog/2014/03/10/yokogawa-centum-cs3000-vulnerabilities
Thanks for all the work on these!
2014-03-10 09:33:54 -05:00
257c121c75
Adding MS013-058 for Windows7 x86
2014-03-06 20:34:01 +00:00
2a1e96165c
Adding MS013-058 for Windows7 x86
2014-03-06 18:39:34 +00:00
df2bdad4f9
Include 'msf/core/exploit/powershell'
...
Prevent:
```
[-] /pentest/exploit/metasploit-framework/modules/exploits/windows/misc/hp_dataprotector_exec_bar.rb: NameError uninitialized constant Msf::Exploit::Powershell
```
2014-03-06 12:57:43 +11:00
9d0743ae85
Land #3030 - SolidWorks Workgroup PDM 2014 pdmwService.exe Arbitrary File Write
2014-03-05 16:34:54 -06:00
1ea35887db
Add OSVDB reference
2014-03-06 01:40:15 +10:30
4e9350a82b
Add module for ZDI-14-008
2014-03-05 03:25:13 -06:00
a1aef92652
Land #2431 - In-memory bypass uac
2014-03-05 11:15:54 +10:00
f8310b86d1
Land #3059 - ALLPlayer M3U Buffer Overfloww
2014-03-04 11:29:52 -06:00
db76962b4a
Land #2764 , WMIC Post Mixin changes
...
lands Meatballs WMIC changes
2014-03-04 10:21:46 -06:00
408fedef93
Add module for OSVDB-98283
2014-03-04 00:51:01 +01:00
32d83887d3
Merge remote-tracking branch 'upstream/master' into wmic_post
2014-03-03 21:56:31 +00:00
de6be50d64
Minor cleanup and finger-wagging about a for loop
2014-03-03 14:12:22 -06:00
2885ebcb40
Merge remote-tracking branch 'upstream/master' into pr2075
2014-03-02 20:57:02 +00:00
f008c77f26
Write payload to startup for Vista+
2014-03-02 18:10:10 +10:30
63751c1d1a
Small msftidies
2014-02-28 22:18:59 +00:00
7117d50fa4
Land #3028 - bypassuac revamp
2014-02-28 09:12:02 +10:00
f531d61255
Land #3036 - Total Video Player buffer overflow
2014-02-27 14:28:53 -06:00
7625dc4880
Fix syntax error due to the missing ,
2014-02-27 14:25:52 -06:00
49ded452a9
Add OSVDB reference
2014-02-27 14:22:56 -06:00
e72250f08f
Rename Total Video Player module
...
The filename shouldn't include the version, because the exploit should
be able to target multiple versions if it has to.
2014-02-27 14:20:26 -06:00
b952b103bd
cleanup tior and .tmp files
...
bypassuac module now also cleans
the tior.exe and all the .tmp files so we have a
clean environemnt afterwards
2014-02-27 13:18:34 -06:00
f66709b5bb
make bypassuac module clean itself up
...
since the IO redirection hangs our original process
we have the moudle wait for the session then kills
the spawning process and delete the exe we dropped
2014-02-27 12:54:40 -06:00
a8e0c3c255
remove copypasta mistake
2014-02-27 10:05:53 -06:00
63f74bddae
2° update total_video_player_131_ini_bof
2014-02-27 16:41:35 +01:00
96b611104e
cleanup methods in bypassuac module
...
apply the same sort of method cleanup as in
Meatballs injection based module.
2014-02-26 11:00:55 -06:00
b81642d8ad
Update total_video_player_131_ini_bof
2014-02-26 11:37:04 +01:00
a7cacec0c3
Add module for EDB 29799
2014-02-25 23:07:28 +01:00
96ffb1db47
Delete extra comma
2014-02-25 15:29:46 -06:00
cb18639b66
Add small fixes and clean up
2014-02-25 15:25:01 -06:00
1d4b2ea60d
Add module for ZDI-14-015
2014-02-25 15:07:09 -06:00
a45c8c2b4a
Land #3029 , @xistence Symantec endpoint exploit
2014-02-25 07:59:35 -06:00
bfe0fdb776
Move module
2014-02-25 07:58:00 -06:00
ab167baf56
Added randomness instead of payload and xxe keywords
2014-02-25 15:23:10 +07:00
4908d80d6c
Clean up module
2014-02-24 16:00:54 -06:00
c9f0885c54
Apply @jlee-r7's feedback
2014-02-24 10:49:13 -06:00
a29c6cd2b4
Add SolidWorks Workgroup PDM 2014 pdmwService.exe Arbitrary File Write
2014-02-25 02:57:25 +10:30
5485759353
Added Symantec Endpoint Protection Manager RCE
2014-02-24 15:04:37 +07:00
8e3f70851d
Added Symantec Endpoint Protection Manager RCE
2014-02-24 15:01:13 +07:00
fdd0d91817
Updated the Ultra Minit HTTP bof exploit
...
After exploiting this application manually I decided to make this
an MSF exploit, only to find that other people had beaten me to it.
However, the existing exploit was broken in a few ways, and this
commit makes those problems go away. They include:
* Correct use of alpha chars in the buffer leading up to the payload
which results in bad chars being avoided. Bad chars muck with the
offsets because they get expanded.
* Adjustment of the payload so that it runs in another thread instead
of in the thread of the request handler. This prevents the session
from being killed after the hard-coded 60-second timeout that is
baked into the application.
* The handler thread terminates itself so that the process doesn't
crash.
* Extra targets were added based on the machines I had access to.
2014-02-23 21:23:41 +10:00
2f7f344be3
Copy original sleep
2014-02-23 04:53:48 +00:00
6127ff92ce
Fix race condition
...
Wait for Sysprep to ExitProcess before cleaning up the DLLs...
2014-03-03 23:41:25 +00:00
d396be963a
Use new cmd_exec_get_pid
2014-02-28 20:53:13 +00:00
2a6258be15
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
...
Conflicts:
external/source/exploits/make.bat
2014-02-28 20:26:24 +00:00
e0fa1d532c
Dont think this works on vista/8
2014-02-26 23:14:17 +00:00
5a7730b495
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
2014-02-25 23:15:47 +00:00
8bdb22aeb9
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
...
Conflicts:
lib/msf/core/post/windows.rb
2014-02-25 22:15:05 +00:00
1f08ad48a4
Fix payload_path method
2014-02-25 22:11:23 +00:00
6687ef80ee
Further bypassuac tidies
...
Dont rescue Exception
Use ReflectiveDLLInjection post mixin
Dont keep retrieving %TEMP% path
2014-02-25 22:03:01 +00:00
23381ea2cb
code tidying
...
break big exploit method up into
smaller methods for better maintainability
2014-02-25 14:07:48 -06:00
4ca4d82d89
Land #2939 , @Meatballs1 exploit for Wikimedia RCE and a lot more...
2014-02-18 17:48:02 -06:00
721e153c7f
Land #3005 to the fixup-release branch
...
Prefer the intel on #3005 over my own made up 0day guess. Thanks @wvu!
Conflicts:
modules/exploits/windows/fileformat/audiotran_pls_1424.rb
2014-02-18 14:08:54 -06:00
a863d0a526
Pre-release fixes, including msftidy errors.
2014-02-18 14:02:37 -06:00
28dc742bcf
Fix references and disclosure date
2014-02-18 13:59:58 -06:00
98958bc7bc
Making audiotran_pls_1424 more readable and adding comments
2014-02-17 13:40:03 -05:00
c60ea58257
added audiotran_pls_1424 fileformat for Windows
2014-02-16 16:20:50 -05:00
b8b36ef528
Merge remote-tracking branch 'upstream/master' into pr2075
2014-02-14 22:52:55 +00:00
b453362a52
Merge remote-tracking branch 'upstream/pr/2966' into integrate_with_meatballs
2014-02-12 16:43:30 -05:00
a59ce95901
Land #2970 , @sgabe exploit for CVE-2010-2343
2014-02-12 08:10:53 -06:00
9845970e12
Use pop#ret to jump over the overwritten seh
2014-02-12 08:10:14 -06:00
11513d94f5
Add Juan as author
2014-02-12 12:17:02 +01:00
3283880d65
Partially revert "Replace unnecessary NOP sled with random text" to improve reliability.
...
This partially reverts commit 12471660e9
2014-02-12 12:09:16 +01:00
7195416a04
Increase the size of the NOP sled
2014-02-12 02:35:53 +01:00
3f09456ce8
Minor code formatting
2014-02-11 23:53:04 +01:00
7fc3511ba9
Remove unnecessary NOPs
2014-02-11 23:48:54 +01:00
12471660e9
Replace unnecessary NOP sled with random text
2014-02-11 23:48:04 +01:00
184ccb9e1e
Fix payload size
2014-02-11 23:42:58 +01:00
3717374896
Fix and improve reliability
2014-02-11 10:44:58 -06:00
79d559a0c9
Fix MIME message to_s
2014-02-10 22:23:23 -06:00
e8a3984c85
Fix ROP NOP address and reduce/remove NOPs
2014-02-11 00:29:37 +01:00
e6905837eb
Land #2960 , rand_text_alpha for amaya_bdo
2014-02-10 16:44:11 -06:00
1236a4eb07
Fixup on description and some option descrips
2014-02-10 14:41:59 -06:00
3d4d5a84b6
Land #2957 , @zeroSteiner's exploit for CVE-2013-3881
2014-02-10 13:59:45 -06:00
502dbb1370
Add references
2014-02-10 13:55:02 -06:00
08b6f74fb4
Add module for CVE-2010-2343
2014-02-10 20:46:09 +01:00
abb03d0bbe
Fixing messages
2014-02-10 13:10:42 -06:00
541bb6134e
Change exploit filename
2014-02-10 13:06:23 -06:00
2e130ce843
Make it work with Reader Sandbox
2014-02-10 13:04:13 -06:00
7c43565ea8
Include missing require for powershell
2014-02-10 11:02:53 -06:00
0ac1acda70
Upgrade toolchain to Visual Studio 2013 v120.
2014-02-10 09:35:07 -05:00
a4b451dbc0
Ensure we start in a new conhost/process
2014-02-09 23:36:25 +00:00
aa93299931
Sleep instead of noexit
2014-02-09 23:19:14 +00:00
b79bb4726d
Go for background approach
2014-02-09 19:41:24 +00:00
038aae5adb
Run as jobs
2014-02-09 19:30:16 +00:00
1c169e2935
Uniq results
2014-02-09 17:52:06 +00:00
2cea90f931
Working remoting
2014-02-09 17:43:44 +00:00
a00481beb4
Auto target psexec/psh_web
2014-02-09 11:47:15 +00:00
f1959f5313
Fixup WMI
2014-02-09 11:18:15 +00:00
c37cb5075c
Merge remote-tracking branch 'upstream/master' into pr2075
2014-02-08 22:11:31 +00:00
32c02dd56a
Added some randomness
2014-02-08 11:27:25 +08:00
66cb97305c
Land #2953 - KingScada kxClientDownload.ocx ActiveX Remote Code Exec
2014-02-07 17:41:35 -06:00
bd23fcf4b7
Land #2936 - Windows Command Shell Upgrade (Powershell)
2014-02-07 17:39:06 -06:00
f686385349
Remove an unnecessary VS file and modify version check.
2014-02-07 08:45:51 -05:00
a18de35fa7
Add module for ZDI-14-011
2014-02-06 18:25:36 -06:00
cc32c877a9
Add CVE-2013-3881 win32k Null Page exploit
2014-02-06 17:23:38 -05:00
89e1bcc0ca
Deprecate modules with date 2013-something
...
These modules had an expiration date of 2013.
2014-02-04 14:49:18 -06:00
a58698c177
Land #2922 , multithreaded check command
2014-02-04 11:21:05 -06:00
08493f2670
Merge remote-tracking branch 'upstream/master' into upgrade_psh
...
Conflicts:
lib/msf/core/post/file.rb
2014-02-03 18:02:09 +00:00
95eb758642
Initial commit
2014-02-02 19:04:38 +00:00
a5bff638c5
Remove EOL spaces
2014-01-31 15:01:03 -06:00
cc4dea7d49
Was playing with ms08_067 check and realized I forgot this print
2014-01-25 16:15:52 -06:00
47b9bfaffc
Use opts hash for adobe_pdf_embedded_exe
...
https://dev.metasploit.com/redmine/issues/8498
2014-01-24 20:16:53 -06:00
9db295769d
Land #2905 , @wchen-r7's update of exploit checks
2014-01-24 16:49:33 -06:00
cdc425e4eb
Update some checks
2014-01-24 12:08:23 -06:00
16b8b58a84
Fix the dwSize parameter
2014-01-24 11:38:57 +01:00
8f6dcd7545
Add some randomization to the ROP chain
2014-01-24 10:28:59 +01:00
021aa77f5f
Add module for BID-46926
2014-01-24 01:48:21 +01:00
c403c521b3
Change check code
2014-01-23 11:03:40 -06:00
b3b51eb48c
Pre-release fixup
...
* Updated descriptions to be a little more descriptive.
* Updated store_loot calls to inform the user where the
loot is stored.
* Removed newlines in print_* statments -- these will screw
up Scanner output when dealing with multiple hosts.
Of the fixed newlines, I haven't see any output, so I'm not sure what
the actual message is going to look like -- I expect it's a whole bunch
of newlines in there so it'll be kinda ugly as is (not a blocker for
this but should clean up eventually)
2014-01-21 13:29:08 -06:00
fe767f3f64
Saving progress
...
Progress group 2: Making sure these checks comply with the new
guidelines. Please read: "How to write a check() method" found in
the wiki.
2014-01-21 11:07:03 -06:00
e5dc6a9911
Update exploit checks
...
Progress group 1: Making sure these checks comply with the new
guidelines. Please read: "How to write a check() method" found in
the wiki.
2014-01-20 14:26:10 -06:00
88c283880a
Fix bugs
2014-01-18 17:04:46 -05:00
766c408d86
Add CVE-2013-0634: Adobe Flash Player 11.5 memory corruption
2014-01-18 11:07:11 -05:00
c670259539
Fix protocol handling
2014-01-17 00:49:44 -06:00
eaf1b0caf6
Add minor clean up
2014-01-16 17:55:45 -06:00
f3c912bd32
Add module for ZDI-14-003
2014-01-16 17:49:49 -06:00
b4280f2876
Very minor code formatting
2014-01-14 13:35:00 +01:00
e7cc3a2345
Removed unnecessary target
2014-01-13 13:17:16 +01:00
26d17c03b1
Replaced ROP chain
2014-01-13 02:54:49 +01:00
d657a2efd3
Added DEP Bypass
2014-01-11 20:31:28 +01:00
72d15645df
Added more references
2014-01-11 20:30:50 +01:00
8449005b2a
Fixed CVE identifier.
2014-01-10 23:45:34 +01:00
cd38f1ec5d
Minor touchups to recent modules.
2014-01-03 13:39:14 -06:00
2d25781cf0
Land #2804 for real (thanks, @jvazquez-r7!)
...
It was the wrong time to mess with my workflow.
2014-01-02 16:39:02 -06:00
1cb671b02e
Merge branch 'adjust_getenv_api' into stop_abusing_expand_path
2014-01-03 08:14:02 +10:00
67a796021d
Land #2804 , IBM Forms Viewer 4.0 exploit
2014-01-02 16:10:02 -06:00
eaeb457d5e
Fix disclosure date and newline as pointed by @wvu-r7
2014-01-02 16:08:44 -06:00
d291cd92d7
Land #2817 , icofx_bof random things
2014-01-01 22:01:48 -06:00
b4439a263b
Make things random
2013-12-31 16:06:25 -06:00
184bd1e0b2
Land #2815 - Change gsub hardtabs
2013-12-31 15:58:21 -06:00
2252a037a5
Fix disclosure date
2013-12-31 14:51:43 -06:00
3775b6ce91
Add module for CVE-2013-4988
2013-12-31 14:43:45 -06:00
841f67d392
Make adobe_reader_u3d also compliant
2013-12-31 11:07:31 -06:00
7f9f4ba4db
Make gsubs compliant with the new indentation standard
2013-12-31 11:06:53 -06:00
80a1e85235
Add :config => false to sysax_ssh_username
2013-12-30 18:13:49 -06:00
57d60c66f9
Add masqform version as comment
2013-12-27 10:59:23 -06:00
341e3c0370
Use rexml
2013-12-27 10:55:36 -06:00
ee35f9ac30
Add module for zdi-13-274
2013-12-27 10:20:44 -06:00
367dce505b
Minor details
2013-12-24 00:39:15 -06:00
f687a14539
Added support for opening via menu.
2013-12-24 03:12:49 +01:00
287271cf98
Fixed date format.
2013-12-22 01:32:16 +01:00
0ac495fef8
Replaced hex with plain text.
2013-12-22 01:31:37 +01:00
44ab583611
Added newline to end of file.
2013-12-20 22:40:45 +01:00
62f71f6282
Added module for CVE-2013-6877
2013-12-20 22:37:09 +01:00
9fb081cb2d
Add getenvs, update getenv, change extract_path use
...
Stacks of modules were using `extract_path` where it wasn't really semantically correct
because this was the only way to expand environment variables. This commit fixes that
up a bit.
Also, I changed the existing `getenv` function in `stdapi` to `getenvs`, and had it
support the splat operator. I added a `getenv` function which is used just for a
single variable and uses `getenvs` behind the scenes.
The meterpreter console `getenv` command now uses `getenvs`
2013-12-19 11:54:34 +10:00
4bddd077ec
Land #2762 - Use new ntdll railgun functions
2013-12-18 15:18:47 -06:00
3e54379b0e
Merge remote-tracking branch 'upstream/master' into wmic_post
...
Conflicts:
lib/msf/core/post/windows.rb
2013-12-18 13:40:54 +00:00
ad2ec497c2
Land #2773 - Fix ms_ndproxy to work under a sandboxed Reader
2013-12-16 20:32:27 -06:00
52cb43e6a8
Fix typo
2013-12-16 20:28:49 -06:00
84759a552a
Save one variable
2013-12-16 16:49:44 -06:00
042bd4f80b
Fix ms_ndproxy to work under a sandboxed Reader
2013-12-16 16:19:17 -06:00
f88a3a55b6
More slight updates.
2013-12-16 15:05:39 -06:00
afcee93309
Land #2771 - Fix description
2013-12-16 15:01:32 -06:00
04b7e8b174
Fix module title and add vendor patch information
2013-12-16 14:59:00 -06:00
040619c373
Minor description changes
...
No code changes (one comment made on play_youtube to suggest xdg-open
rather than firefox for linux targets).
2013-12-16 14:57:33 -06:00
533accaa87
Add module for CVE-2013-3346
2013-12-16 14:13:47 -06:00
435cc9b93f
Add single quote encapsulation
...
For WMI and psh_web_delivery
2013-12-16 15:13:13 +00:00
b252e7873b
Merge remote-tracking branch 'upstream/master' into pr2075
2013-12-16 14:29:05 +00:00
3dec7f61a5
Check in sysnative if wow64
2013-12-15 01:12:52 +00:00
2dc4faad72
Resplat license
2013-12-15 01:12:51 +00:00
8203274256
Small fixes
...
Remove " from service command if it is quoted.
Spawn SYSWOW64 notepad.
2013-12-15 01:12:51 +00:00
f2e2147065
Change unless with else to if with else
2013-12-15 01:12:50 +00:00
cff7008500
Fix final issues with merge
...
Hopefully this will be the last of the changes.
2013-12-15 01:12:50 +00:00
41c538856a
Re-add RDI mixin changes
2013-12-15 01:12:49 +00:00
db29af0f97
First batch of submodule refactorings
2013-12-15 01:12:48 +00:00
6916f7c5d2
Fixup description
2013-12-15 01:12:47 +00:00
3d1646d18e
Exit process when complete
2013-12-15 01:12:47 +00:00
dd32c2b0b8
Spawn 32bit process
2013-12-15 01:12:46 +00:00
819ba30a33
msftidy
...
Conflicts:
lib/msf/core/post/windows/services.rb
2013-12-15 01:12:46 +00:00
5eca4714c2
Renamed module
2013-12-15 01:12:46 +00:00
a930056d7f
Added service status checks to Post::Windows::Services
...
Added QueryServiceStatus to Railgun Advapi32 Definitions
Added Checks to module
Conflicts:
lib/msf/core/post/windows/services.rb
lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_advapi32.rb
2013-12-15 01:12:45 +00:00
c6623b380a
Initial commit
2013-12-15 01:12:45 +00:00
04496a539c
Fix up local wmi exploit.
2013-12-14 20:05:51 +00:00
e8396dc37a
Delete redefinition of ntdll functions on railgun
2013-12-13 16:02:47 -06:00
ba1a70b72e
Update Microsoft patch information
2013-12-13 15:59:15 -06:00
1ab3e891c9
Modify ms_ndproxy to use railgun additions
2013-12-13 15:54:34 -06:00
5c1ca97e21
Create a new process to host the final payload
2013-12-12 08:26:44 -06:00
eb4e3f8a32
Fix os detection
2013-12-12 07:39:19 -06:00
8b518776bc
Dont fail_with on check
2013-12-11 22:08:36 -06:00
02915c751c
Favor unless over if not and add reference
2013-12-11 16:28:09 -06:00
b6fa3f28b1
Modify description
2013-12-11 08:56:31 -06:00
c4721de4a0
Add module for CVE-2013-5065
2013-12-11 08:52:35 -06:00
3a9ac303f0
Use rexml for XML data generation
2013-12-10 15:37:44 -06:00
230fcd87a5
Add module for zdi-13-259
2013-12-10 08:45:08 -06:00
6f02744d46
Land #2730 Typo in mswin_tiff_overflow
2013-12-06 12:32:37 +00:00
3aebe968bb
Land #2721 Reflective DLL Mixin
...
Adds support to load a dll and identify the ReflectiveLoader offset.
Adds support to inject dll into process and execute it.
Updates kitrap0d, ppr_flatten_rec, reflective_dll_inject modules and
payload modules to use above features.
2013-12-06 12:26:51 +00:00
89ef1d4720
Fix a typo in mswin_tiff_overflow
2013-12-06 00:44:12 -06:00
9b2ae3c447
Uncomment fail_with
2013-12-05 23:21:06 +00:00
2cb991cace
Shuffle RDI stuff into more appropriate structure
...
Now broken into two modules, one for loading RDI DLLs off disk and
finding the loader function offset, and another for doing the process
specific stuff of loading into the target.
2013-12-06 08:25:24 +10:00
1e60ff91ea
Move ExitThread patching to Msf::Util::EXE
2013-12-05 17:16:14 +00:00
496b017e33
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
2013-12-05 17:09:32 +00:00
dc0f2b7291
Use ExitProcess
2013-12-05 17:08:47 +00:00
b936831125
Renamed the mixin module
2013-12-05 08:13:54 +10:00
7e8db8662e
Update name of the mixin
...
Changed `RdiMixin` to `ReflectiveDLLInjection`.
2013-12-04 22:18:29 +10:00
f79af4c30e
Add RDI mixin module
...
MSF was starting to see more modules using RDI to load binaries into
remote processes, so it made sense to create a mixin which contained
the functionality that was being used in various locations.
This commit contains the new mixin, and adjustments to all the existing
exploits and modules which use RDI.
2013-12-04 16:09:41 +10:00
230db6451b
Remove @peer for modules that use HttpClient
...
The HttpClient mixin has a peer() method, therefore these modules
should not have to make their own. Also new module writers won't
repeat the same old code again.
2013-12-03 12:58:16 -06:00
ddbd5858e0
Land #2701 - Refactor of `ppr_flatten_rec`
...
Also [SeeRM #8140 ]
2013-12-03 10:51:58 -06:00
2d77ed58d5
Land #2648 , @pnegry's exploit for Kaseya File Upload
2013-12-03 09:35:05 -06:00
2606a6ff0e
Do minor clean up for kaseya_uploadimage_file_upload
2013-12-03 09:34:25 -06:00
21bb8fd25a
Update based on jvazquez's suggestions.
2013-12-03 13:49:31 +13:00
55847ce074
Fixup for release
...
Notably, adds a description for the module landed in #2709 .
2013-12-02 16:19:05 -06:00
915d741f86
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
...
Conflicts:
.gitmodules
external/source/ReflectiveDLLInjection
2013-11-30 19:10:04 +00:00
8817c0eee0
Change description a bit
...
Try to make this sound smoother
2013-11-28 12:19:42 -06:00
807e2dfd31
Fix title
2013-11-28 10:53:12 -06:00
7dee4ffd4d
Add module for ZDI-13-270
2013-11-28 10:47:04 -06:00
d1e4975f76
Use res.get_cookies instead of homebrew parse. Use _cgi
2013-11-28 16:35:36 +13:00
0b879d8f39
Comments for WfsDelay, adjustment to injection
...
I had inteded to add the `WfsDelay` as Meatballs suggested, but for locl
exploits this doesn't appear to work as expected. After speaking to HDM
we've decided to leave the sleep in there and figure out the `WsfDelay`
thing later.
This also includes a slight refactor which puts the payload and the
exploit in the same chunk of allocated memory. Minor optimisation, but
worth it.
2013-11-28 08:42:16 +10:00
defc0ebe5c
ppr_flatten_rec update, RDI submodule, and refactor
...
This commit contains a few changes for the ppr_flatten_rec local windows
exploit. First, the exploit binary itself:
* Updated to use the RDI submodule.
* Updated to build with VS2013.
* Updated to generate a binary called `ppr_flatten_rc.x86.dll`.
* Invocation of the exploit requires address of the payload to run.
Second, the module in MSF behaved a little strange. I expected it to create
a new session with system privs and leave the existing session alone. This
wasn't the case. It used to create an instance of notepad, migrate the
_existing_ session to it, and run the exploit from there. This behaviour
didn't seem to be consistent with other local exploits. The changes
include:
* Existing session is now left alone, only used as a proxy.
* New notepad instance has exploit reflectively loaded.
* New notepad instance has payload directly injected.
* Exploit invocation takes the payload address as a parameter.
* A wait is added as the exploit is slow to run (nature of the exploit).
* Payloads are executed on successful exploit.
2013-11-27 20:44:18 +10:00
bb0753fcdd
Updated module to comply with indentation standard and to use suggestions from reviewers
2013-11-27 16:00:00 +13:00
5d10b44430
Add support for Silverlight
...
Add support for Silverlight exploitation. [SeeRM #8705 ]
2013-11-26 14:47:27 -06:00
a914fbc400
Land #2693 - case sensitive
2013-11-26 11:16:57 -06:00
671c0d9473
Fix nokogiri typo
...
[SeeRM #8730 ]
2013-11-26 10:54:31 -06:00
253719d70c
Fix title
2013-11-26 08:11:29 -06:00
6cb63cdad6
Land #2679 , @wchen-r7's exploit for cve-2013-3906
2013-11-25 22:04:26 -06:00
0079413e81
Full revert the change
2013-11-25 22:04:02 -06:00
fa97c9fa7c
Revert this change
2013-11-25 20:54:39 -06:00
3247106626
Heap spray adjustment by @jvazquez-r7
2013-11-25 20:50:53 -06:00
4c249bb6e9
Fix heap spray
2013-11-25 20:06:42 -06:00
385381cde2
Change target address
...
This one tends to work better with our boxes
2013-11-25 17:21:39 -06:00
8005826160
Land #2644 - MS13-090 CardSpaceClaimCollection vuln
2013-11-25 13:06:09 -06:00
a3c7dccfc0
Add disconnect option to psexec
...
Allow the module to prevent the mixin from ending the SMB session.
2013-11-24 16:37:25 +00:00
dd9bb459bf
PSEXEC Refactor
...
Move peer into mixin
PSEXEC should use the psexec mixin
2013-11-24 16:24:05 +00:00
cd68b10bcf
Broadcast needs a decent WfsDelay.
...
Due to the multi railgun changes. Because they return quickly but
the process is still broadcasting them the exploit thinks work has
finished...
2013-11-23 19:18:13 +00:00
6c83109422
Really fix wmi
2013-11-23 16:44:44 +00:00
9987ec0883
Hmm, change ranking
2013-11-23 00:51:58 -06:00
6ccc3e3c48
Make payload execution more stable
2013-11-23 00:47:45 -06:00
d748fd4003
Final commit
2013-11-22 23:35:26 -06:00
f871452b97
Slightly change the description
...
Because it isn't that slow
2013-11-22 19:27:00 -06:00
eddedd4746
Working version
2013-11-22 19:14:56 -06:00
c194fdc67e
Fixup WMI
...
-c doesn't like $var assignments
2013-11-23 00:31:11 +00:00
7e4487b93b
Update description
2013-11-22 17:37:23 -06:00
ec36cebeb4
Update cmd_psh_payloads to send the architecture.
2013-11-22 23:31:33 +00:00
622a1dccda
Update wmi to use generated powershell command line
2013-11-22 23:18:22 +00:00
Meatballs
jvazquez-r7
sinn3r
Tod Beardsley
David Maloney
OJ
kyuzo
William Vu
Brendan Coles
sgabe
Fr330wn4g3
xistence
Philip OKeefe
RageLtMan
Spencer McIntyre
David Maciejak
dukeBarman
Thomas Hibbert