Commit Graph

11391 Commits (79a6f8c2ea8b12fa385c1d8e32f8c8672bf3dc7b)

Author SHA1 Message Date
sinn3r 953a96fc2e This one looks promising 2013-11-22 12:27:10 -06:00
sinn3r 8476ca872e More progress 2013-11-22 11:53:57 -06:00
sinn3r f1d181afc7 Progress 2013-11-22 04:51:55 -06:00
sinn3r 6d5c1c230c Progress 2013-11-22 03:55:40 -06:00
sinn3r 4d2253fe35 Diet 2013-11-22 02:25:09 -06:00
sinn3r 8382d31f46 More progress 2013-11-21 18:48:12 -06:00
jvazquez-r7 885fedcc3b Fix target name 2013-11-21 17:42:31 -06:00
sinn3r 22c7703e8b
Land #2658 - Make OGNL expressions compatible with struts 2.0.11.2 2013-11-21 15:30:42 -06:00
sinn3r 56d1c545e7 Oh look, more code 2013-11-21 14:42:07 -06:00
jvazquez-r7 851cf6f0d1
Land #2650, @pnegry's exploit for DesktopCentral 8 2013-11-21 09:30:17 -06:00
jvazquez-r7 77aa665385 Add Privileged flag 2013-11-21 09:28:28 -06:00
jvazquez-r7 2ab3ab8b66 Delete empty Payload metadata section 2013-11-21 09:27:25 -06:00
jvazquez-r7 6bd3c4c887 Fix target name 2013-11-21 09:07:25 -06:00
jvazquez-r7 4c2ad4ca9a Fix metadata 2013-11-21 09:06:47 -06:00
jvazquez-r7 8e4c5dbb5e improve upload_file response check 2013-11-21 09:02:11 -06:00
jvazquez-r7 8fdfeb73db Fix use of FileDropper and improve check method 2013-11-21 09:01:41 -06:00
jvazquez-r7 4abf01c64c Clean indentation 2013-11-21 08:32:54 -06:00
sinn3r ddd5b0abb9 More progress 2013-11-21 04:27:41 -06:00
Karn Ganeshen b5011891a0 corrected rport syntax 2013-11-21 08:57:45 +03:00
Karn Ganeshen 9539972340 Module for OpenMind Message-OS portal login 2013-11-21 06:33:05 +03:00
Tod Beardsley 3926617972
Land #2664, clear EOL spaces
[SeeRM #8498]
2013-11-20 17:27:06 -06:00
joev eea811b71a
Merge branch 'landing-2601-mipsle-encoders' into upstream-master 2013-11-20 17:14:45 -06:00
sinn3r e13e457d8f Progress 2013-11-20 17:11:13 -06:00
William Vu 9f45121b23 Remove EOL spaces 2013-11-20 15:08:13 -06:00
William Vu e8eb983ae1 Resplat shell_bind_tcp_random_port 2013-11-20 14:48:53 -06:00
jvazquez-r7 cec4166766 Fix description 2013-11-20 12:49:22 -06:00
jvazquez-r7 18e69bee8c Make OGNL expressions compatible with struts 2.0.11.2 2013-11-20 12:42:10 -06:00
sinn3r 94e13a0b8a Initial commit of CVE-2013-3906 2013-11-19 23:10:32 -06:00
Thomas Hibbert 4cc20f163b Update References field to be compliant. 2013-11-20 13:01:21 +13:00
Thomas Hibbert 07c76fd3e6 Module cleaned for msftidy compliance. 2013-11-20 11:33:14 +13:00
sinn3r a9de5e2846
Land #2634 - Opt browser autopwn load list 2013-11-19 15:10:29 -06:00
jvazquez-r7 14c6ab4ca5 Add module for CVE-2013-4212 2013-11-19 10:25:52 -06:00
Tod Beardsley ded56f89c3
Fix caps in description 2013-11-18 16:15:50 -06:00
jvazquez-r7 f963f960cb Update title 2013-11-18 15:07:59 -06:00
jvazquez-r7 274247bfcd
Land #2647, @jvennix-r7's module for Gzip Memory Bomb DoS 2013-11-18 15:06:46 -06:00
joev 589660872e Kill FILEPATH datastore option. 2013-11-18 14:13:25 -06:00
jvazquez-r7 f690667294
Land #2617, @FireFart's mixin and login bruteforcer for TYPO3 2013-11-18 13:37:16 -06:00
jvazquez-r7 0391ae2bc0 Delete general reference 2013-11-18 13:19:09 -06:00
jvazquez-r7 1c4dabaf34 Beautify typo3_bruteforce module 2013-11-18 13:17:15 -06:00
sinn3r b5fc0493a5
Land #2642 - Fix titles 2013-11-18 12:14:36 -06:00
William Vu 455934a545
Land #2645, Redis spec conformity for redis_server 2013-11-18 12:00:38 -06:00
jvazquez-r7 9e46975a95
Land #2643, @ChrisJohnRiley SkipVersionCheck for exim4_dovecot_bannercheck 2013-11-18 11:28:07 -06:00
jvazquez-r7 540b85df3f Set SkipVersionCheck as not required 2013-11-18 11:27:32 -06:00
jvazquez-r7 f6f0d81149
Land #2632, @peto01 OSX VPN Manager post module 2013-11-18 09:49:14 -06:00
jvazquez-r7 0a930ef6e1 Clean osx vpn post module 2013-11-18 09:47:52 -06:00
jvazquez-r7 bddb314073 Fix usage of Retries 2013-11-18 09:09:20 -06:00
jvazquez-r7 237bb22771 Disable auto migrate 2013-11-18 08:54:22 -06:00
Thomas Hibbert 960f7c9bbb Add DesktopCentral arbitrary file upload exploit. 2013-11-18 16:11:28 +13:00
joev 8e889c61f7 Update description. 2013-11-17 15:48:27 -06:00
joev f7820139dc Add a content_type datastore option. 2013-11-17 15:38:55 -06:00
joev 43d2711b98 Default to 1 round compression. 2013-11-17 15:35:35 -06:00
joev 1e3860d648 Add gzip bomb dos aux module. 2013-11-17 14:44:33 -06:00
jvazquez-r7 7d22312cd8 Fix redis communication 2013-11-15 19:36:18 -06:00
Tod Beardsley 89d0b3c41c
Return the splat and require on a module. 2013-11-15 12:19:53 -06:00
Tod Beardsley 36db6a4d59
Land #2616, SuperMicro close_window BOF 2013-11-15 11:34:53 -06:00
jvazquez-r7 cbb7eb192c Add module for CVE-2013-3918 2013-11-15 10:38:52 -06:00
Chris John Riley 5bd5eacd77 Added option to ignore banner checks 2013-11-15 15:01:11 +01:00
William Vu 2c485c509e Fix caps on module titles (first pass) 2013-11-15 00:03:42 -06:00
jvazquez-r7 4cf16cf360
Land #2633, @OJ's port of Kitrap0d as local exploit 2013-11-14 09:27:10 -06:00
Peter Toth 7db42efdd4 Code restructure and more robust error handling 2013-11-14 13:44:49 +01:00
jvazquez-r7 fe2cd93a65 Delete ms13_037_svg_dashstyle from the browser_autopwn list 2013-11-13 23:46:50 -06:00
OJ 506a4d9e67
Remove genericity, x64 and renamed stuff
As per discussion on the github issue, the following changes were made:

* Project renamed from elevate to kitrap0d, implying that this is not
  intended to be a generic local priv esc exploit container.
* Container DLL no longer generic, always calls the kitrap0d exploit.
* Removal of all x64 code and project configurations.
* Invocation of the exploit changed so that the address of the payload
  is passed in to the exploit entry point. The exploit is now responsible
  for executing the payload if the exploit is successful. This removes
  the possibility of the payload getting executed when the exploit fails.
* Source moved to the appropriate CVE folder.
* Binary moved to the appropriate CVE folder.
* Little bit of source rejigging to tidy things up.
2013-11-14 12:22:53 +10:00
James Lee 5b96ad595f
Skip reg values with no secretes
Also update header comment to match new standard
2013-11-13 19:05:16 -06:00
James Lee cb10b4783b
Mark XP hashes as mscash for JtR to recognize 2013-11-13 19:04:16 -06:00
James Lee 0aef145f64 Merge remote-tracking branch 'upstream/master' into land-2532-enum-lsa 2013-11-13 18:11:21 -06:00
James Lee 8471f74b75
Refactor ivar to a more reasonable method
Also changes jtr output for cachedump to produce hashes that can be
auto-detected as mscash2 format for a better user experience.
2013-11-13 18:09:41 -06:00
James Lee 8bb72764ec
Rename credentials/lsa -> lsa_secrets
Secrets are not necessarily credentials
2013-11-13 15:23:15 -06:00
James Lee 16627c1bd3
Add spec for capture_lsa_key 2013-11-13 15:16:34 -06:00
William Vu 334a93af45
Land #2638, refs for android_htmlfileprovider 2013-11-13 14:51:46 -06:00
joev 0612f340f1 Commas are good. 2013-11-13 14:38:50 -06:00
joev ad5f82d211 Add missing refs to aux/gather/android_htmlfileprovider. 2013-11-13 14:36:18 -06:00
jvazquez-r7 2594427999
Land #2631, @peto01's osx screen capture post module 2013-11-13 13:58:03 -06:00
jvazquez-r7 2b19490095 Fix Exception handling 2013-11-13 13:57:15 -06:00
jvazquez-r7 95f371a1a6 Move screen_capture to the capture folder 2013-11-13 13:41:11 -06:00
jvazquez-r7 f65e82523b Clean screen_capture 2013-11-13 13:40:41 -06:00
James Lee 3168359a82
Refactor lsa and add a spec for its crypto methods 2013-11-13 11:55:39 -06:00
Peter Toth f5760d5e4c Removed unnecessary delay 2013-11-13 16:25:47 +01:00
Peter Toth c4a8bfb175 Tighter error handling 2013-11-13 16:19:38 +01:00
Peter Toth 78199409dd Changes according to feedback 2013-11-13 14:13:40 +01:00
Peter Toth 92da6760ef Modified module to use windows/screen_spy code 2013-11-13 13:30:20 +01:00
Peter Toth 3fdaf4de94 Work in progress 2013-11-13 13:11:27 +01:00
Peter Toth d9c402c035 Fixed the module name 2013-11-13 08:57:50 +01:00
jvazquez-r7 8771b163f0 Solve conflicts with aladdin_choosefilepath_bof 2013-11-12 23:11:42 -06:00
Peter Toth 2d9e8e09e6 Minor bugfix 2013-11-13 02:07:06 +01:00
Peter Toth 1fed50c96a General improvements according to feedback 2013-11-13 01:54:42 +01:00
OJ e4fc361b37 Various tidies and fixes
* Change ranking.
* Update references to comply with correct approach.
* Update messages to better describe what should happen.
* Update the Windows version regex to match XP.
* Update `check` function to use `unless`.

Thanks again @jvazquez-r7 for the feedback!
2013-11-13 10:38:48 +10:00
Peter Toth 6e12553393 Changed option SNAP_FILETYPE to FILETYPE 2013-11-13 00:51:58 +01:00
Peter Toth 779cb48b76 General improvements addressing feedback 2013-11-13 00:42:00 +01:00
jvazquez-r7 ef6d9db48f
Land #2613, @wchen-r7's BrowserExploitServer mixin 2013-11-12 17:33:12 -06:00
William Vu da25785eba
Land #2350, shell_bind_tcp_random_port for Linux 2013-11-12 16:06:37 -06:00
jvazquez-r7 004c1bac78 Reduce number of modules available on BrowserAutopwn 2013-11-12 12:37:29 -06:00
sinn3r 970e70a853
Land #2626 - Add wordpress scanner 2013-11-12 11:30:23 -06:00
sinn3r 6a28f1f2a7
Change 4-space tabs to 2-space tabs 2013-11-12 11:29:28 -06:00
OJ 40f58ce534
Finalise the local exploit for kitrap0d
The exploit now properly injects the DLL using RDI and invokes the
exploit based on a parameter passed by the Ruby module. The elevate
code is 'generic' with a goal of possibly supporting more exploits
down the track.

New sessions are now created with the SYSTEM creds, rather than
modifying the existing session. This is now inline with how things
are done with other local modules.
2013-11-12 23:01:24 +10:00
Peter Toth c5f21ef463 added osx vpn module 2013-11-12 12:47:33 +01:00
Peter Toth b722fee15c added OSX module screen_capture 2013-11-12 12:32:30 +01:00
Tod Beardsley 65993704c3
Actually commit the mode change. 2013-11-11 22:16:29 -06:00
Tod Beardsley 2035983d3c
Fix a handful of msftidy warnings, and XXX SSL
Marked the SSL stuff as something that needs to be resolved in order to
fix a future bug in datastore manipulation. Also, fixed some whitespace
and exec complaints

[SeeRM #8498]
2013-11-11 21:23:35 -06:00
jvazquez-r7 b01d8c50e0 Restore module crash documentation 2013-11-11 17:09:41 -06:00
jvazquez-r7 30de61168d Support heap spray obfuscation 2013-11-11 17:05:54 -06:00