Commit Graph

20877 Commits (7222e3ca492f296282065b62195fa3c5a26307e5)

Author SHA1 Message Date
sinn3r 7222e3ca49 Use RopDb for ms13_055_canchor.
All targets tested.
2013-10-07 15:09:36 -05:00
sinn3r 67228bace8 Use RopDb for ie_cgenericelement_uaf.
All targets tested except for Vista, so additional testing will need
to be done during review.
2013-10-07 14:51:34 -05:00
sinn3r aea63130a4 Use RopDb for ie_cbutton_uaf.
All targets tested except for Vista. Will need additional testing
during review.
2013-10-07 14:03:07 -05:00
sinn3r e016c9a62f Use RopDb msvcrt ROP chain. Tested all targets. 2013-10-07 12:27:43 -05:00
jvazquez-r7 5aa3709ca2
Land #2467, @wchen-r7's code to allow dynamic size paylods on ropdb 2013-10-06 18:18:13 -05:00
sinn3r 991e82a78a Land #2470 - Continue to run UAC level is 0 2013-10-05 23:20:55 -05:00
trustedsec 0799766faa Fix UAC is not enabled, no reason to run module when UAC is enabled and vulnerable
The new changes when calling uac_level = open_key.query_value('ConsentPromptBehaviorAdmin') breaks UAC on Windows 7 and Windows 8 and shows that UAC is not enabled when it is:

Here is prior to the change on a fully patched Windows 8 machine:

msf exploit(bypassuac) > exploit

[*] Started reverse handler on 172.16.21.156:4444 
[*] UAC is Enabled, checking level...
[-] UAC is not enabled, no reason to run module
[-] Run exploit/windows/local/ask to elevate
msf exploit(bypassuac) > 

Here's the module when running with the most recent changes that are being proposed:

[*] Started reverse handler on 172.16.21.156:4444 
[*] UAC is Enabled, checking level...
[!] Could not determine UAC level - attempting anyways...
[*] Checking admin status...
[+] Part of Administrators group! Continuing...
[*] Uploading the bypass UAC executable to the filesystem...
[*] Meterpreter stager executable 73802 bytes long being uploaded..
[*] Uploaded the agent to the filesystem....
[*] Sending stage (770048 bytes) to 172.16.21.128
[*] Meterpreter session 6 opened (172.16.21.156:4444 -> 172.16.21.128:49394) at 2013-10-05 15:49:23 -0400

meterpreter > 

With the new changes and not having a return on when 0 (will not always return 0 - just in certain cases where you cannot query) - it works.
2013-10-05 15:56:55 -04:00
jvazquez-r7 875e086d94
Land #2469, @bcoles exploit for FlashChat 2013-10-05 14:51:49 -05:00
jvazquez-r7 24efb55ba9 Clean flashchat_upload_exec 2013-10-05 14:50:51 -05:00
bcoles 08243b277a Add FlashChat Arbitrary File Upload exploit module 2013-10-05 22:30:38 +09:30
sinn3r a8de9d5c8b Land #2459 - Add HP LoadRunner magentproc.exe Overflow 2013-10-04 19:45:44 -05:00
Tod Beardsley f9eccae391
Land #2466, don't try to lockout SMB 2013-10-04 16:47:26 -05:00
Tod Beardsley d6c74cd0ed
Land #2463, fixes to gestoip 2013-10-04 16:43:37 -05:00
James Lee 813013fef5 Make defaults sane for the lockoutable smb_login
See #2376
2013-10-04 15:53:16 -05:00
sinn3r 77cbb7cd19 Update function documentation 2013-10-04 15:18:27 -05:00
jvazquez-r7 113f89e40f First set of fixes for gestioip_exec 2013-10-04 13:29:27 -05:00
jvazquez-r7 299dfe73f1
Land #2460, @xistence's exploit for clipbucket 2013-10-04 12:26:30 -05:00
jvazquez-r7 8e0a4e08a2 Fix author order 2013-10-04 12:25:38 -05:00
Tod Beardsley ff72f0af62
Land #2461, GestioIP module 2013-10-04 11:07:08 -05:00
Tod Beardsley 9b79bb99e0 Add references, correct disclosure date 2013-10-04 09:59:26 -05:00
Tod Beardsley ab786d1466 Imply authentication when a password is set 2013-10-04 09:54:04 -05:00
Brandon Perry 0112d6253c add gestio ip module 2013-10-04 06:39:30 -07:00
jvazquez-r7 db11e88255
Land #2321, @juushya's aux module for Sentry CDU enumeration 2013-10-04 08:35:54 -05:00
sinn3r 41e87d83a6 Add rspec for Rex::Exploitation::RopDb 2013-10-04 00:54:07 -05:00
xistence 81d4a8b8c1 added clipbucket_upload_exec RCE 2013-10-04 11:43:38 +07:00
sinn3r bc8604f151 Use safe_negate_size for hxds 2013-10-03 23:15:29 -05:00
sinn3r 63d7b8c309 Use safe_negate_size for java 2013-10-03 23:13:57 -05:00
sinn3r ab62af220b Use safe_negate_size key for msvcrt (XP) 2013-10-03 23:12:58 -05:00
sinn3r 29d1c75d1c Update RopDb mixin to allow dynamic payload size for neg
This adds a new key to allow a "safe" integer value to NEG. "Safe"
means the value does not have any null bytes after the NEG instruction,
which is typically used to calculate the payload size.
2013-10-03 23:09:23 -05:00
jvazquez-r7 9df676ca7e
Land #2447, @wchen-r7's new msvcrt ROP chains without nulls 2013-10-03 22:38:29 -05:00
jvazquez-r7 646429b4dd Put ready to pull request 2013-10-03 22:15:17 -05:00
jvazquez-r7 5971fe87f5 Improve reliability 2013-10-03 17:19:53 -05:00
jvazquez-r7 39eb20e33a Add module for ZDI-13-169 2013-10-03 16:52:20 -05:00
sinn3r 8059c59f15 Land #2452 - Ignore unexpected DNS answers 2013-10-03 15:54:22 -05:00
sinn3r c87e7b3cc1 Land #2451 - Don't overwrite default timeout on get_once 2013-10-03 15:44:40 -05:00
Tod Beardsley 6499178ccb
Fix Microsoft typo 2013-10-03 12:21:15 -05:00
Tod Beardsley 539a22a49e
Typo on Microsoft 2013-10-03 12:20:47 -05:00
William Vu f1e299460f Land #2454, EOL spaces fix for astium_sqli_upload 2013-10-03 11:09:22 -05:00
Tod Beardsley fcba424308
Kill off EOL spaces on astium_sqli_upload. 2013-10-03 11:01:27 -05:00
Karn Ganeshen 581e27f151 Merge pull request #2 from jvazquez-r7/review-pr2321
Retab and fix PR2321
2013-10-03 04:20:18 -07:00
jvazquez-r7 1fe0c50df0 Ignore unexpected answers 2013-10-02 20:41:02 -05:00
jvazquez-r7 0db93111de
Land #2445, @todb-r7's new tab warning for msftidy 2013-10-02 17:19:12 -05:00
Tabassassin 773abf0567
Pow, tab assassinated. 2013-10-02 17:16:38 -05:00
Tod Beardsley 3d6b3a4e21
Empty commit to try to sober up Travis-CI
Travis, you're drunk. You need help. Don't try to build f123cd1, because
that commit doesn't exist.

Try this one, it'll make you feel better.
2013-10-02 16:58:01 -05:00
jvazquez-r7 77d0236b4e Don't overwrite defaul timeout 2013-10-02 16:15:14 -05:00
sinn3r 427b4b262a Land #2441 - Update .mailmap 2013-10-02 13:20:08 -05:00
Tod Beardsley 40c313b711
Land #2450, fix UDPSweep modules for Windows 2013-10-02 12:29:52 -05:00
jvazquez-r7 758fd02619 Windows 7 SP1 and newer fail when forcing IPv6 sockets 2013-10-02 09:45:51 -05:00
jvazquez-r7 7436ea0281
Land #2449, @wchen-r7's references update 2013-10-02 08:17:12 -05:00
James Lee 56b6f0be02 Add bins for #2443
See #740 and meterpreter#26
2013-10-01 23:47:24 -05:00