sinn3r
932ed0a939
Land #2444 - Add SIEMENS Solid Edge ST4 SEListCtrlX ActiveX Vuln
2013-10-01 20:35:17 -05:00
jvazquez-r7
ed82be6fd8
Use RopDB
2013-10-01 13:23:09 -05:00
jvazquez-r7
6483c5526a
Add module for OSVDB 93696
2013-10-01 11:42:36 -05:00
sinn3r
9abf727fa6
Land #2439 - Update description
2013-09-30 16:03:15 -05:00
sinn3r
7118f7dc4c
Land #2422 - rm methods peer & rport
...
Because they're already defined in the HttpClient mixin
2013-09-30 16:01:59 -05:00
jvazquez-r7
6c8f86883d
Land #2437, @wchen-r7's exploit for CVE-2013-3893
2013-09-30 14:02:29 -05:00
Tod Beardsley
4dc88cf60f
Expand descriptions for ease of use.
2013-09-30 13:30:31 -05:00
sinn3r
c82ed33a95
Forgot Math.cos()
2013-09-30 13:29:16 -05:00
sinn3r
d6cd0e5c67
Tweak for office 2007 setup
2013-09-30 13:27:59 -05:00
sinn3r
ecf4e923e8
Change the target address for spray 1
2013-09-30 11:57:59 -05:00
sinn3r
b9aae1c93c
Higher address seems better
2013-09-29 18:45:30 -05:00
sinn3r
a5ade93ab2
Add CVE-2013-3893 Internet Explorer SetMouseCapture Use-After-Free
...
This module exploits a use-after-free vulnerability that currently
targets Internet Explorer 9 on Windows 7, but the flaw should exist in
versions 6/7/8/9/10/11. It was initially found in the wild in Japan, but
other regions such as English, Chinese, Korean, etc, were targeted as
well.
The vulnerability is due to how the mshtml!CDoc::SetMouseCapture function
handles a reference during an event. An attacker first can set up two
elements, where the second is the child of the first, and then set up an
onlosecapture event handler for the parent element. The onlosecapture
event seems to require two setCapture() calls to trigger, one for the parent
element, one for the child. When the setCapture() call for the child element
is called, it finally triggers the event, which allows the attacker to cause
an arbitrary memory release using document.write(), which in particular frees
up a 0x54-byte memory. The exact size of this memory may differ based on the
version of IE. After the free, an invalid reference will still be kept and passed
on to more functions; eventually this arrives in function
MSHTML!CTreeNode::GetInterface, and causes a crash (or arbitrary code execution)
when this function attempts to use this reference to call what appears to be a
PrivateQueryInterface due to the offset (0x00).
To mimic the same exploit found in the wild, this module will try to use the
same DLL from Microsoft Office 2007 or 2010 to leverage the attack.
2013-09-29 18:24:13 -05:00
Meatballs
b306415ecf
Tidy and updates to info
2013-09-29 17:32:39 +01:00
Meatballs
29a7059eb4
Update AlwaysInstallElevated to use a generated MSI file
...
Fixes bugs with MSI::UAC option, invalid logic and typo...
2013-09-29 17:09:03 +01:00
Meatballs
8b800cf5de
Merge and resolve conflicts
2013-09-27 18:19:23 +01:00
jvazquez-r7
6381bbfd39
Clean up freeftpd_pass
2013-09-27 09:47:39 -05:00
TecR0c
b02a2b9ce0
Added crash info and basic tidy up
2013-09-27 17:05:42 +10:00
TecR0c
7dbc3f4f87
changed seh address to work on freeFTPd 1.0.10 and below
2013-09-27 12:37:52 +10:00
TecR0c
5fc98481a7
changed seh address to work on freeFTPd 1.0.10 and below
2013-09-27 12:35:03 +10:00
TecR0c
a6e1bc61ec
updated version in exploit freeFTPd 1.0.10
2013-09-27 11:27:51 +10:00
TecR0c
3a3f1c0d05
updated requested comments for freeFTPd 1.0.10
2013-09-27 11:13:28 +10:00
Meatballs
3d812742f1
Merge upstream master
2013-09-26 21:27:44 +01:00
Meatballs
7ba846ca24
Find and replace
2013-09-26 20:34:48 +01:00
Meatballs
a25833e4d7
Fix %TEMP% path
2013-09-26 19:22:36 +01:00
TecR0c
0339c3ef48
added freeFTPd 1.0.10 (PASS Command)
2013-09-26 20:37:23 +10:00
FireFart
84ec2cbf11
remove peer methods since it is already defined in Msf::Exploit::Remote::HttpClient
2013-09-25 23:42:44 +02:00
Tod Beardsley
d91cb85a31
Not actually a typo
...
Turns out, the object name is "CCaret," though we're talking about the
"caret." Confuz0ring!
2013-09-24 15:55:52 -05:00
Tod Beardsley
ac1388368f
Typo in module name
2013-09-24 15:50:58 -05:00
Tod Beardsley
93486a627d
Whoops on trailing commas
2013-09-24 15:14:11 -05:00
William Vu
52a92a55ce
Land #2394, ms13_005_hwnd_broadcast require fix
2013-09-24 13:43:21 -05:00
Tod Beardsley
3906d4a2ca
Fix caps that throw msftidy warnings
2013-09-24 13:03:16 -05:00
Tod Beardsley
c547e84fa7
Prefer Ruby style for single word collections
...
According to the Ruby style guide, %w{} collections for arrays of single
words are preferred. They're easier to type, and if you want a quick
grep, they're easier to search.
This change converts all Payloads to this format if there is more than
one payload to choose from.
It also alphabetizes the payloads, so the order can be more predictable,
and for long sets, easier to scan with eyeballs.
See:
https://github.com/bbatsov/ruby-style-guide#collections
2013-09-24 12:33:31 -05:00
Tod Beardsley
081c279b61
Remove misleading comment
2013-09-24 11:42:31 -05:00
Tod Beardsley
8db1a389eb
Land #2304 fix post module require order
...
Incidentally resolve conflict on current_user_psexec to account for the
new powershell require.
2013-09-23 16:52:23 -05:00
Tod Beardsley
2656c63459
Knock out a Unicode character
2013-09-23 14:22:11 -05:00
Tod Beardsley
99f145cbff
Don't split the post requires
2013-09-23 14:02:43 -05:00
Tod Beardsley
4bff8f2cdc
Update descriptions for clarity.
2013-09-23 13:48:23 -05:00
William Vu
a46ac7533d
Land #2407, require fix for current_user_psexec
2013-09-23 11:57:19 -05:00
jvazquez-r7
8417b916c7
Complete MS13-071 Information
2013-09-21 21:22:34 -05:00
darknight007
6b06ed0df1
Update current_user_psexec.rb
2013-09-22 03:07:17 +05:00
sinn3r
8381bf8646
Land #2404 - Add powershell support for current_user_psexec
2013-09-20 17:14:55 -05:00
sinn3r
96364c78f8
Need to catch RequestError too
...
Because a meterpreter session may throw that
2013-09-20 17:13:35 -05:00
Meatballs
6e69fe48bf
Undo psexec changes
2013-09-20 22:30:00 +01:00
Meatballs
2591be503b
Psh support
2013-09-20 22:07:42 +01:00
Meatballs
15885e4ef6
Change static x value
2013-09-20 20:31:14 +01:00
Meatballs
ee365a6b64
Some liberal sleeping
2013-09-20 19:33:27 +01:00
Meatballs
7d1c5c732a
Correct powershell
2013-09-20 18:36:24 +01:00
sinn3r
bb7b57cad9
Land #2370 - PCMAN FTP Server post-auth stack buffer overflow
2013-09-20 12:29:10 -05:00
sinn3r
feb76ea767
Modify check
...
Since auth is required, check function needs to look into that too
2013-09-20 12:28:21 -05:00
sinn3r
2d6c76d0ad
Rename pcman module
...
Because this is clearly a msf module, we don't need 'msf' as a
filename. The shorter the better.
2013-09-20 12:18:24 -05:00
sinn3r
6690e35761
Account for username length
...
Username is part of the overflowing string, need to account for that
2013-09-20 12:17:34 -05:00
sinn3r
9d67cbb4db
Retabbed
2013-09-20 11:58:53 -05:00
Meatballs
9819566d94
Nearly
2013-09-20 17:18:14 +01:00
jvazquez-r7
6f5e528699
Remove author, all the credits go to corelanc0der and sinn3r
2013-09-20 10:27:37 -05:00
sinn3r
83f54d71ea
Add MS13-069 (CVE-2013-3205) IE ccaret object use-after-free
...
This module exploits a use-after-free vulnerability found in Internet Explorer,
specifically in how the browser handles the caret (text cursor) object. In IE's
standards mode, the caret handling's vulnerable state can be triggered by first
setting up an editable page with an input field, and then we can force the caret
to update in an onbeforeeditfocus event by setting the body's innerHTML property.
In this event handler, mshtml!CCaret::`vftable' can be freed using a document.write()
function, however, mshtml!CCaret::UpdateScreenCaret remains unaware of this
change, and still uses the same reference to the CCaret object. When the function
tries to use this invalid reference to call a virtual function at offset 0x2c, it
finally results in a crash. Precise control of the freed object allows arbitrary code
execution under the context of the user.
The vuln works against IE8 on Win 7, but the current version of the custom spray
doesn't actually work well against that target. More work is needed before we can
add that target for sure. The reason a custom spray is needed is because the
document.write() function erases the typical spray routines we use like
js_property_spray, or the heaplib + substring one. Tried using an iframe too,
but onbeforeeditfocus event doesn't seem to work well in an iframe (does not
fire when innerHTML is used.)
2013-09-20 10:20:35 -05:00
Meatballs
a00f3d8b8e
initial
2013-09-20 13:40:28 +01:00
Rick Flores (nanotechz9l)
7d17eef7a7
Updated several msftidy [WARNING] Spaces at EOL issues.
2013-09-19 20:35:08 -07:00
sinn3r
955365d605
Land #2391 - MS13-071 Microsoft Windows Theme File Handling Vulnerability
2013-09-19 22:21:09 -05:00
jvazquez-r7
9b486e1dbb
Add comment about the smb_* methods
2013-09-19 13:23:46 -05:00
William Vu
628cfe8e67
Land #2393, tape_engine_8A filename disambiguation
2013-09-19 10:31:40 -05:00
Tod Beardsley
ef72b30074
Include the post requires until #2354 lands
...
Another one that needs the manual require. See #2354
2013-09-19 09:47:01 -05:00
Tod Beardsley
fb72e7f02a
Disambiguate tape_engine_8A as tape_engine_0x8a
...
This will reopen #2358 to avoid filename collisions on Windows, Rubymine
environments, etc.
2013-09-19 09:35:31 -05:00
Rick Flores (nanotechz9l)
058e0fdd80
Changed ret to push esp C:\WINDOWS\system32\msvcrt.dll
2013-09-19 07:21:51 -07:00
James Lee
8fe9132159
Land #2358, deprecate funny names
2013-09-18 14:55:33 -05:00
Rick Flores (nanotechz9l)
766e96510d
Added minor indentation updates
2013-09-18 12:12:35 -07:00
jvazquez-r7
60d448f600
Add minor cleanup
2013-09-18 14:10:13 -05:00
Rick Flores (nanotechz9l)
db8881966e
Merge remote-tracking branch 'upstream/master'
2013-09-18 12:02:01 -07:00
jvazquez-r7
68647c7363
Add module for MS13-071
2013-09-18 13:40:35 -05:00
Tod Beardsley
8728a9a3b7
Bumping out deprecation date
...
Pray I don't alter the deprecation date further.
2013-09-18 11:00:35 -05:00
Rick Flores (nanotechz9l)
6cbe371381
minor change
2013-09-17 20:33:46 -07:00
Rick Flores (nanotechz9l)
0052f9712b
Updated hard tabs per new requirement
2013-09-17 17:42:01 -07:00
James Lee
9a555d8701
Fix the modules added since the branch
2013-09-17 18:25:12 -05:00
James Lee
150f0f644e
Merge branch 'rapid7' into bug/osx-mods-load-order
...
Conflicts:
modules/post/windows/gather/enum_dirperms.rb
2013-09-17 18:21:13 -05:00
Rick Flores (nanotechz9l)
52a1b5fa57
updated pcman_stor_msf.rb module with community feedback.
2013-09-16 17:43:10 -07:00
Rick Flores (nanotechz9l)
226a75b5da
updated pcman_stor_msf.rb module with community feedback.
2013-09-16 17:37:29 -07:00
Tod Beardsley
b4b7cecaf4
Various minor desc fixes, also killed some tabs.
2013-09-16 15:50:00 -05:00
Rick Flores (nanotechz9l)
d4f2e72b9c
updated module to include msftidy.rb
2013-09-16 12:46:13 -07:00
Rick Flores (nanotechz9l)
82e3910959
added PCMan's FTP Server Crafted Multiple Command Handling Remote Buffer Overflow (OSVDB 94624)
2013-09-16 12:40:36 -07:00
Rick Flores (nanotechz9l)
92cf886e49
updated module to include msftidy.rb
2013-09-16 12:38:00 -07:00
Rick Flores
4c83336944
Delete pcman_stor_msf.rb
...
delete because of commit issues.
2013-09-16 12:25:39 -07:00
Rick Flores (nanotechz9l)
f657f4d145
added PCMan's FTP Server Crafted Multiple Command Handling Remote Buffer Overflow (OSVDB 94624)
2013-09-16 09:57:27 -07:00
sinn3r
67cd62f306
Land #2366 - HP ProCurve Manager SNAC UpdateCertificatesServlet File Upload
2013-09-16 01:44:23 -05:00
jvazquez-r7
54e9cd81f3
Add module for ZDI-13-226
2013-09-13 17:31:51 -05:00
jvazquez-r7
10303a8c2a
Delete debug print_status
2013-09-13 17:05:23 -05:00
jvazquez-r7
dca4351303
Add check function
2013-09-13 16:51:14 -05:00
jvazquez-r7
f7c4e081bb
Add module for ZDI-13-225
2013-09-13 16:40:28 -05:00
sinn3r
4847976995
Update information about original discovery
...
Update info about original discovery. See #2337 too.
2013-09-13 10:42:11 -05:00
Tod Beardsley
76f27ecde8
Require the deprecation mixin in all modules
...
Because remembering to require it, and hoping against a race is not how we
roll any more.
2013-09-12 15:49:33 -05:00
Tod Beardsley
761042f14b
require the deprecated mixin
2013-09-12 15:42:01 -05:00
Tod Beardsley
968f299772
Deprecate A-PDF exploit for filename change
...
See PT 56796034
See PT 56795804
2013-09-12 15:30:26 -05:00
James Lee
58b634dd27
Remove unnecessary requires from post mods
2013-09-12 14:36:01 -05:00
Tod Beardsley
d47de46d94
Deprecate brightstor/tape_engine_8A
...
This module is getting renamed to 8a, instead of 8A.
2013-09-12 13:59:44 -05:00
jvazquez-r7
9ad1be7318
Make junk easier
2013-09-11 09:33:01 -05:00
jvazquez-r7
825eb9d1ca
Add module for OSVDB 96208
2013-09-11 00:11:00 -05:00
jvazquez-r7
4f1db80c24
Fix requires in new post modules
2013-09-10 11:13:07 -05:00
Tod Beardsley
aff35a615b
Grammar fixes in descriptions
2013-09-09 15:09:53 -05:00
jvazquez-r7
791b6f69c2
Land #2337, @wchen-r7's exploit for MS13-055
2013-09-09 11:12:03 -05:00
sinn3r
0ee0168556
Retabbed
...
One kills a man, one is an assassin; one kills millions, one is a
conqueror; one kills a tab, one is a Metasploit dev.
2013-09-09 10:01:01 -05:00
sinn3r
6ab905e9e0
Less alignment
2013-09-09 09:39:02 -05:00
sinn3r
992bdcf530
Not from the future
2013-09-09 00:36:28 -05:00
sinn3r
c3db41334b
Add MS13-055 Internet Explorer Use-After-Free Vulnerability
...
In IE8 standards mode, it's possible to cause a use-after-free condition by first
creating an illogical table tree, where a CPhraseElement comes after CTableRow,
with the final node being a sub table element. When the CPhraseElement's outer
content is reset by using either outerText or outerHTML through an event handler,
this triggers a free of its child element (in this case, a CAnchorElement, but
some other objects apply too), but a reference is still kept in function
SRunPointer::SpanQualifier. This function will then pass on the invalid reference
to the next functions, eventually used in mshtml!CElement::Doc when it's trying to
make a call to the object's SecurityContext virtual function at offset +0x70, which
results in a crash. An attacker can take advantage of this by first creating a
CAnchorElement object, let it free, and then replace the freed memory with another
fake object. Successfully doing so may allow arbitrary code execution under the
context of the user.
This bug is specific to Internet Explorer 8 only. It was originally discovered by
Orange Tsai at Hitcon 2013, but was silently patched in the July 2013 update, so
no CVE as of now.
2013-09-08 20:02:23 -05:00
jvazquez-r7
7d4bf0c739
Retab changes for PR #2327
2013-09-05 23:25:41 -05:00
jvazquez-r7
34b499588b
Merge for retab
2013-09-05 23:24:22 -05:00
Meatballs
473f08bbb6
Register cleanup and update check
2013-09-05 22:43:26 +01:00
Meatballs
400b433267
Sort out exception handling
2013-09-05 22:21:44 +01:00
Meatballs
d4043a6646
Spaces and change to filedropper
2013-09-05 20:41:37 +01:00
Meatballs
c5daf939d1
Stabs tabassassin
2013-09-05 20:36:52 +01:00
Tab Assassin
d0360733d7
Retab changes for PR #2282
2013-09-05 14:05:34 -05:00
Tab Assassin
49dface180
Merge for retab
2013-09-05 14:05:28 -05:00
Meatballs
9787bb80e7
Address @jlee-r7's feedback
2013-09-05 19:57:05 +01:00
Tab Assassin
845bf7146b
Retab changes for PR #2304
2013-09-05 13:41:25 -05:00
Tab Assassin
adf9ff356c
Merge for retab
2013-09-05 13:41:23 -05:00
jvazquez-r7
5c06a471f9
Get the call result
2013-09-05 08:33:35 -05:00
jvazquez-r7
3681955f68
Use Msf::Config.data_directory
2013-09-05 08:28:50 -05:00
jvazquez-r7
6b1d7545d6
Refactor, avoid duplicate code
2013-09-05 08:26:49 -05:00
jvazquez-r7
b6245eea72
Update target info
2013-09-04 16:43:26 -05:00
jvazquez-r7
34b3ee5e17
Update ranking and description
2013-09-04 16:10:15 -05:00
jvazquez-r7
94125a434b
Add module for ZDI-13-205
2013-09-04 15:57:22 -05:00
Meatballs
3066e7e19d
ReverseConnectRetries ftw
2013-09-04 00:16:19 +01:00
Meatballs
a8e77c56bd
Updates
2013-09-03 22:46:20 +01:00
Meatballs
ac0c493cf9
Merge branch 'master' of github.com:rapid7/metasploit-framework into local_win_priv_keyring
2013-09-03 21:33:11 +01:00
Tab Assassin
84aaf2334a
Retab new material
2013-09-03 11:47:26 -05:00
Tab Assassin
0c1e6546af
Update from master
2013-09-03 11:45:39 -05:00
Tod Beardsley
ca8dacb93b
Minor module description updates for grammar.
2013-09-03 10:31:45 -05:00
sinn3r
ac0b14e793
Add the missing CVE reference
...
Was looking at all the 2013 exploit modules for missing CVE references
2013-08-31 18:54:16 -05:00
sinn3r
0736677a01
Land #2299 - Add powershell support & removes ADODB.Stream requirement
2013-08-31 00:32:23 -05:00
Tab Assassin
41e4375e43
Retab modules
2013-08-30 16:28:54 -05:00
jvazquez-r7
5b32c63a42
Land #2308, @wchen-r7's exploit for MS13-059
2013-08-30 10:59:36 -05:00
jvazquez-r7
ea8cd2dc46
Update authors list
2013-08-30 10:52:39 -05:00
sinn3r
a283f1d4fa
Correct module title
2013-08-30 10:50:35 -05:00
sinn3r
f4e09100bd
Correct file name
2013-08-30 10:50:05 -05:00
sinn3r
38dbab9dd0
Fix typos
2013-08-30 10:43:26 -05:00
sinn3r
0a1b078bd8
Add CVE-2013-3184 (MS13-058) CFlatMarkupPointer Use After Free
...
Please see module description for more info.
2013-08-30 03:16:28 -05:00
jvazquez-r7
657be3a3d9
Fix typo
2013-08-29 14:42:59 -05:00
jvazquez-r7
4a6bf1da7f
Add module for ZDI-13-207
2013-08-29 14:09:45 -05:00
James Lee
63adde2429
Fix load order in posts, hopefully forever
2013-08-29 13:37:50 -05:00
Meatballs
a12f5092dd
Encode the powershell cmd
2013-08-28 22:37:11 +01:00
Meatballs
aa0563244b
Update unsafe scripting module
2013-08-28 22:30:46 +01:00
sinn3r
b0226cab79
Land #2290 - HP LoadRunner lrFileIOService ActiveX Vulnerability
2013-08-27 11:19:43 -05:00
jvazquez-r7
997c5e5516
Land #2291, @todb-r7's patch for oracle_endeca_exec's requires
2013-08-27 11:01:21 -05:00
Tod Beardsley
15b741bb5f
Require the powershell mixin explicitly
2013-08-27 10:36:51 -05:00
jvazquez-r7
f59f57e148
Randomize object id
2013-08-27 10:35:06 -05:00
jvazquez-r7
66fa1b41aa
Fix logic to spray correctly IE9
2013-08-27 09:57:55 -05:00
sinn3r
7a4d781538
Land #2274 - Firefox XMLSerializer Use After Free
2013-08-26 20:53:42 -05:00
violet
4cbdf38377
updated contact info
...
MASTER OF DISASTER
ULTRA LASER
:::::::-. :::::::.. :::::::-. ... ... . :
;;, `';,;;;;``;;;; ;;, `';, .;;;;;;;. .;;;;;;;. ;;,. ;;;
`[[ [[ [[[,/[[[' `[[ [[,[[ \[[,,[[ \[[,[[[[, ,[[[[,
$$, $$ $$$$$$c $$, $$$$$, $$$$$$, $$$$$$$$$$$"$$$
888_,o8P' 888b "88bo,d8b 888_,o8P'"888,_ _,88P"888,_ _,88P888 Y88" 888o
MMMMP"` MMMM "W" YMP MMMMP"` "YMMMMMP" "YMMMMMP" MMM M' "MMM
2013-08-26 16:14:49 -07:00
Tod Beardsley
6b15a079ea
Update for grammar in descriptions on new modules.
2013-08-26 14:52:51 -05:00
Meatballs
05f1622fcb
Fix require
2013-08-26 16:21:18 +01:00
Meatballs
3b9ded5a8e
BypassUAC now checks if the process is LowIntegrityLevel
...
and fails if so. Some small improvements made to Post::Priv
and BypassUAC module.
2013-08-26 13:54:55 +01:00
jvazquez-r7
f8d1d29648
Add module for ZDI-13-182
2013-08-25 23:07:08 -05:00
jvazquez-r7
82cf812311
Switch to PrependMigrate
2013-08-24 10:46:04 -05:00