942e44ceae
Added local copies of the static content
2017-12-02 10:14:14 +01:00
86e47589b0
Add xplico remote code execution
2017-11-14 09:30:57 +03:00
4abe8ff0d9
recompile binaries
2017-11-08 09:33:48 -06:00
9b24ed8406
Removed binaries for recompile
2017-11-08 09:26:40 -06:00
c2578c1487
Refactor GetProcessSid to remove do while FALSE
2017-11-07 19:11:24 -05:00
697031eb36
mysql UDF now multi
2017-11-03 05:26:05 -04:00
3f6f70f820
Move the cve-2017-8464 source to external/source
2017-10-08 13:58:51 -04:00
d0ebfa1950
Change the template technicque to work as an LPE
2017-10-05 10:30:28 -04:00
949633e816
Cleanup cve-2017-8464 template and build script
2017-10-02 15:18:13 -04:00
2ee94ca3d9
made changes based on PR feedback.
2017-09-01 16:49:17 -07:00
b7fc990d17
moved project to the source directory.
2017-09-01 16:09:53 -07:00
dc358dd087
unknow to unknown
2017-08-18 11:33:48 -04:00
cad266d469
added source code for CVE-2016-0040
2017-08-11 15:54:01 -04:00
33d3fd20a1
added CVE-2016-0040 privilege escalation exploit.
2017-08-03 19:12:32 -04:00
81500f7336
Updated Mutex code, reduce the number of times the payload is executed
2017-08-03 10:26:55 -05:00
c3bc27385e
Added source code for DLL template
2017-08-02 15:47:22 -05:00
46ec04dd15
Removed This PC ItemID & increased timeout in WaitForSingleObject
...
Remove the This PC ItemID to bypass (some) AV.
Timeout for WaitForSingleObject is set to 2,5s. After this timeout a
mutex is released allowed a new payload to be executed.
2017-08-02 15:47:22 -05:00
e6e94bad4b
Replace CreateEvent with CreateMutex/WaitForSingleObject
...
Time out is set to 1500 ms to prevent running the payload multiple times
2017-08-02 15:47:22 -05:00
e51e1d9638
Added new DLL templates to prevent crashing of Explorer
2017-08-02 15:47:21 -05:00
a01a2ead1a
Land #8467 , Samba CVE-2017-7494 Improvements
2017-05-30 00:15:03 -05:00
38491fd7ba
Rename payloads with os+libc, shrink array inits
2017-05-27 19:50:31 -05:00
b7b0c26f4a
Reduce minimum GLIBC versions where we can
2017-05-27 19:28:41 -05:00
184c8f50f1
Rework the Samba exploit & payload model to be magic.
2017-05-27 17:03:01 -05:00
ee13195760
Update office_word_macro exploit to support template injection
2017-05-25 15:53:45 -05:00
afc804fa03
Quick Ghostscript module based on the public PoC
2017-04-28 09:56:52 -05:00
a9df917257
Fix rtf info author
2017-04-14 21:16:39 -05:00
8c662562d3
add CVE-2017-0199 format
2017-04-14 13:22:32 -05:00
64c06a512e
Land #8020 , ntfs-3g local privilege escalation
2017-04-04 09:48:15 -05:00
e80b8cb373
move sploit.c out to data folder
2017-03-31 20:51:33 -04:00
6965a00b45
Resolve #8023 , Support backward compatibility for Office macro
...
Resolve #8023
2017-02-27 13:02:41 -06:00
3d269b46ad
Support OS X for Microsoft Office macro exploit
2017-02-16 12:28:11 -06:00
272d1845fa
Land #7934 , Add exploit module for OpenOffice with a malicious macro
2017-02-09 13:42:58 -06:00
047a9b17cf
Completed version of openoffice_document_macro
2017-02-08 16:29:40 -06:00
cefbee2df4
Add PoC for OpenOffice macro module
2017-02-07 10:12:23 -06:00
ccaa783a31
Add Microsoft Office Word Macro exploit
2017-02-02 17:44:55 -06:00
fb74b2d8f3
initial commit of finished product
2017-01-20 11:01:36 -06:00
24f7959805
add binary for futex_requeue
2017-01-11 13:25:30 -06:00
2585c8c8b5
Land #7461 , convert futex_requeue (towelroot) module to use targetting and core_loadlib
2017-01-11 13:24:25 -06:00
2652f347fa
add module binary
2016-12-22 03:25:10 -06:00
e6d4c0001c
hide debug printing
2016-12-20 00:52:11 +08:00
1dae206fde
Land #7379 , Linux Kernel BPF Priv Esc (CVE-2016-4557)
2016-11-11 16:50:20 -06:00
268a72f210
Land #7193 Office DLL hijack module
2016-11-08 23:15:27 -06:00
3c1f642c7b
Moved PPSX to data/exploits folder
2016-11-08 16:04:46 +01:00
31b593ac67
Land #7402 , Add Linux local privilege escalation via overlayfs
2016-11-01 12:46:40 -05:00
d918e25bde
Land #7439 , Add Ghostscript support to ImageMagick Exploit
2016-10-28 17:07:13 -05:00
43fd0a8813
Land #7436 , Put Rex-exploitation Gem Back
2016-10-18 16:03:54 -05:00
0d1fe20ae5
revamped
2016-10-15 20:57:31 -04:00
9fbe1ddd9d
Land #7384 , CVE-2016-6415 - Cisco IKE Information Disclosure
2016-10-14 08:41:34 -05:00
9b15899d91
Add PS template
2016-10-13 17:40:15 -05:00
6f4f2bfa5f
Add PS target and remove MIFF
2016-10-13 17:39:55 -05:00
7894d5b2c1
Revert "Revert "use the new rex-exploitation gem""
...
This reverts commit f3166070ba
2016-10-11 17:40:43 -05:00
d1a11f46e8
Land #7418 , Linux recvmmsg Priv Esc (CVE-2014-0038)
2016-10-09 18:37:52 -05:00
2dfebe586e
working cve-2014-0038
2016-10-08 23:58:09 -04:00
f3166070ba
Revert "use the new rex-exploitation gem"
...
This reverts commit 52f6265d2e
2016-10-08 21:55:16 -05:00
52f6265d2e
use the new rex-exploitation gem
...
use the new rex-exploitation gem instead of the packaged in lbirary code
cleans up a huge ammount of space in framework
MS-1709
2016-10-05 09:05:27 -05:00
27cf5c65c4
working module
2016-10-04 23:21:53 -04:00
7368b995f2
CVE-2016-6415 Cisco - sendpacket.raw
2016-09-29 22:24:55 -05:00
c036c258a9
cve-2016-4557
2016-09-29 05:23:12 -04:00
0e82ced082
Add LPE exploit module for the capcom driver flaw
...
This commit includes:
* RDI binary that abuses the SMEP bypass and userland function pointer
invocation that is provided by the driver.
* Related metasploit module.
* Associated make.build to build from command line.
* Updated command line build file.
This also includes the beginnings of a new set of functions that help
with the management/automation of kernel-related work on Windows for
local priv esc exploits.
2016-09-27 22:37:45 +10:00
23e5556a4c
binary drops work!
2016-09-24 21:31:00 -04:00
21e6211e8d
add exploit for cve-2016-0189
2016-08-01 13:26:35 -05:00
322fc11225
Fix whitespace
2016-07-27 12:37:14 -05:00
dbe31766af
Update CVE-2016-0099 Powershell
2016-07-27 12:35:43 -05:00
b08d1ad8d8
Revert "Land #6812 , remove broken OSVDB references"
...
This reverts commit 2b016e02167b1d9596c7
2016-07-15 12:00:31 -05:00
8f928c6ca1
Land #7006 , Add MS16-032 Local Priv Esc Exploit
2016-07-12 15:22:35 -05:00
621f3fa5a9
Change naming style
2016-07-12 15:18:18 -05:00
2b016e0216
Land #6812 , remove broken OSVDB references
2016-07-11 22:59:11 -05:00
b4b3a84fa5
refactor ms16-016 code
2016-07-05 20:50:43 -05:00
df1a9bee13
Move ps1, Use Env var, Fix license, New Cleanup
...
MS16-032 ps1 moved to external file. This ps1 will now detect windir
to find cmd.exe. The module now also detects windir to find
powershell.exe. The license is now BSD_LICENSE, and the required
copyright has been moved to the ps1. The previous optional cleanup stage
is now standard. The optional 'W_PATH' assignment is corrected to
select the user's variable unless 'W_PATH' is nil.
2016-06-22 09:25:48 -04:00
ab27c1b701
Merge pull request #6940 from samvartaka/master
...
Exploit for previously unknown stack buffer overflow in Poison Ivy versions 2.1.x (possibly present in older versions too)
2016-06-08 11:25:51 -05:00
5260031991
Modifications based on suggestions by @wchen-r7
2016-06-08 01:17:15 +02:00
9128ba3e57
Add popen() vuln to ImageMagick exploit
...
So... we've actually been sitting on this vuln for a while now. Now that
the cat's out of the bag [1], I'm updating the module. :)
Thanks to @hdm for his sharp eye. ;x
[1] http://permalink.gmane.org/gmane.comp.security.oss.general/19669
2016-06-02 11:35:37 -05:00
2bac46097f
Remove url() for MVG
...
Technically unnecessary here.
2016-05-05 14:18:42 -05:00
334c432901
Force https://localhost for SVG and MVG
...
https: is all that's needed to trigger the bug, but we don't want wget
and curl to gripe. localhost should be a safe host to request.
2016-05-05 14:18:42 -05:00
decd770a0b
Encode the entire SVG string
...
Because why not? Not like people care about what's around the command.
2016-05-05 14:18:42 -05:00
232cc114de
Change placeholder text to something useful
...
A la Shellshock. :)
2016-05-05 14:18:42 -05:00
5c04db7a09
Add ImageMagick exploit
2016-05-05 14:18:42 -05:00
816bc91e45
Resolve #6807 , remove all OSVDB references.
...
OSVDB is no longer a vulnerability database, therefore all the
references linked to it are invalid.
Resolve #6807
2016-04-23 12:32:34 -05:00
57ab974737
File.exists? must die
2016-04-21 00:47:07 -04:00
e29fc5987f
Add missing stream.raw for hp_sitescope_dns_tool
...
This adds the missing stream.raw.
2016-03-15 11:06:06 -05:00
eb4611642d
Add Jenkins CLI Java serialization exploit module
...
CVE-2015-8103
2015-12-11 14:57:10 -06:00
c7afe4f663
Land #5930 , MS15-078 (atmfd.dll buffer overflow)
2015-09-16 15:33:38 -05:00
9626596f85
Clean template code
2015-09-12 13:43:05 -05:00
53f995b9c3
Do first prototype
2015-09-10 19:35:26 -05:00
122d57fc20
Land #5945 , Add auto-accept to osx/enum_keychain
2015-09-08 10:56:08 -05:00
1b320bae6a
Add auto-accept to osx/enum_keychain.
2015-09-07 21:17:49 -05:00
b39575928e
Update reflective exploit
2015-09-03 11:01:41 -05:00
b912e3ce65
Add exploit template
2015-09-02 17:28:35 -05:00
4090c2c8ea
Land #5880 , adds ScriptHost UAC bypass for Win7/2008
2015-09-02 14:14:18 -05:00
9364982467
Land #5665 , Add osx rootpipe entitlements exploit for 10.10.3
2015-08-28 13:33:16 -05:00
11db9c2112
Land #5896 , Update ms15_004_tswbproxy to use a Reflective DLL
2015-08-27 17:11:26 -05:00
a2d5511e39
Land #5379 , new post modules to load into powershell sessions
2015-08-26 17:11:40 -05:00
5d0ed797a3
Update DLL
2015-08-26 15:15:32 -05:00
228087dced
Initial working scripthost bypass uac
2015-08-23 20:16:15 +01:00
129edd8b2e
Original bypass script
2015-08-23 19:46:24 +01:00
d54249370b
Move tpwn source to external/source/exploits
2015-08-17 18:27:47 -05:00
efc980074c
Add tpwn exploit files
2015-08-17 17:11:07 -05:00
7113c801b1
Land #5732 , reliability update for adobe_flash_hacking_team_uaf
2015-07-17 16:43:39 -05:00
255d8ed096
Improve adobe_flash_opaque_background_uaf
2015-07-16 14:56:32 -05:00
a637921305
Update swf
2015-07-15 18:35:41 -05:00
Yorick Koster
Mehmet İnce
bwatters-r7
Spencer McIntyre
h00die
Kirk Swidowski
Kirk Swidowski
Brent Cook
HD Moore
wchen-r7
nixawk
William Webb
Tim
Pearce Barry
scriptjunkie
Yorick Koster
dmohanty-r7
William Vu
David Maloney
OJ
khr0x40sh
samvartaka
l0gan
jvazquez-r7
joev
HD Moore
Meatballs