Commit Graph

943 Commits (7eb20a37d452b929fc99bf519117d584ce765193)

Author SHA1 Message Date
jvazquez-r7 a056d937e7 Fluch data cache and improve documentation 2014-01-14 14:06:01 -06:00
jvazquez-r7 a8806887e9 Add support for MIPS reverse shell staged payloads 2014-01-14 12:25:11 -06:00
OJ 0db062a1ce
Merge branch 'meatballs-vncdll-submodule' 2013-12-20 18:29:27 +10:00
OJ 0ebef33345 Quick fix to x64 kitrap0d project
Stops errors on debug builds, not that anyone cares.
2013-12-20 09:51:24 +10:00
OJ 34cdec5155
Update project VS 2013, clean CLI build
* Project system updated to VS 2013.
* Clean builds, had to remove a bunch of warnings.
* `make.bat` for building from the command line.
* Removed RDI stuff that shouldn't be there any more.
* Renamed the x86 DLL to include the platform name.
2013-12-20 09:49:15 +10:00
OJ e22b4ba88c Add make script for nvidia nvsvc 2013-12-15 01:12:49 +00:00
OJ 0c82817445 Final changes before PR 2013-12-15 01:12:49 +00:00
OJ db29af0f97 First batch of submodule refactorings 2013-12-15 01:12:48 +00:00
Meatballs be4dae7db9 Forgot C changes 2013-12-15 01:12:48 +00:00
Meatballs c6623b380a Initial commit 2013-12-15 01:12:45 +00:00
Meatballs ab1ddac0c8
Merge remote-tracking branch 'upstream/master' into submodule
Conflicts:
	external/source/exploits/cve-2013-3660/dll/reflective_dll.vcxproj
2013-12-08 18:25:03 +00:00
Meatballs 6edd9aa736
Update for new ReflectiveDLL Submodule 2013-11-30 20:12:08 +00:00
Meatballs 57342a9c0c
Merge remote-tracking branch 'upstream/master' into submodule
Conflicts:
	.gitmodules
	external/source/ReflectiveDLLInjection
2013-11-30 19:07:54 +00:00
OJ defc0ebe5c
ppr_flatten_rec update, RDI submodule, and refactor
This commit contains a few changes for the ppr_flatten_rec local windows
exploit. First, the exploit binary itself:

* Updated to use the RDI submodule.
* Updated to build with VS2013.
* Updated to generate a binary called `ppr_flatten_rc.x86.dll`.
* Invocation of the exploit requires address of the payload to run.

Second, the module in MSF behaved a little strange. I expected it to create
a new session with system privs and leave the existing session alone. This
wasn't the case. It used to create an instance of notepad, migrate the
_existing_ session to it, and run the exploit from there. This behaviour
didn't seem to be consistent with other local exploits. The changes
include:

* Existing session is now left alone, only used as a proxy.
* New notepad instance has exploit reflectively loaded.
* New notepad instance has payload directly injected.
* Exploit invocation takes the payload address as a parameter.
* A wait is added as the exploit is slow to run (nature of the exploit).
* Payloads are executed on successful exploit.
2013-11-27 20:44:18 +10:00
OJ 468654d2b5 Add RDI submodule, port Kitrap0d
This commit is the first in a series that will move all the exploits that use RDI
over to the R7 fork. The RDI source will be in a single known location and each
exploit will have to work from that location.

The kitrap0d exploit has been migrated over to use this submodule so that there's
one example of how it's done for future contributions to follow.
2013-11-27 16:04:41 +10:00
jvazquez-r7 31b4e72196 Switch to soft tabs the cs code 2013-11-23 23:06:52 -06:00
jvazquez-r7 9f539bafae Add README on the source code dir 2013-11-22 17:56:05 -06:00
jvazquez-r7 25eb13cb3c Small fix to interface 2013-11-22 17:02:08 -06:00
jvazquez-r7 288a1080db Add MS13-022 Silverlight app code 2013-11-22 16:53:06 -06:00
jvazquez-r7 4cf16cf360
Land #2633, @OJ's port of Kitrap0d as local exploit 2013-11-14 09:27:10 -06:00
OJ 506a4d9e67
Remove genericity, x64 and renamed stuff
As per discussion on the github issue, the following changes were made:

* Project renamed from elevate to kitrap0d, implying that this is not
  intended to be a generic local priv esc exploit container.
* Container DLL no longer generic, always calls the kitrap0d exploit.
* Removal of all x64 code and project configurations.
* Invocation of the exploit changed so that the address of the payload
  is passed in to the exploit entry point. The exploit is now responsible
  for executing the payload if the exploit is successful. This removes
  the possibility of the payload getting executed when the exploit fails.
* Source moved to the appropriate CVE folder.
* Binary moved to the appropriate CVE folder.
* Little bit of source rejigging to tidy things up.
2013-11-14 12:22:53 +10:00
OJ 40f58ce534
Finalise the local exploit for kitrap0d
The exploit now properly injects the DLL using RDI and invokes the
exploit based on a parameter passed by the Ruby module. The elevate
code is 'generic' with a goal of possibly supporting more exploits
down the track.

New sessions are now created with the SYSTEM creds, rather than
modifying the existing session. This is now inline with how things
are done with other local modules.
2013-11-12 23:01:24 +10:00
Geyslan G. Bem 030fbba539 Merge branch 'master' of https://github.com/geyslan/metasploit-framework 2013-11-11 14:22:00 -03:00
Tod Beardsley 81a7b1a9bf
Fixes for #2350, random bind shellcode
* Moved shortlink to a reference.
  * Reformat e-mail address.
  * Fixed whitespace
  * Use multiline quote per most other module descriptions

Still need to resplat the modules, but it's no big thang to do that
after landing. Also, References do not seem to appear for post modules
in the normal msfconsole. This is a bug in the UI, not for these modules
-- many payloads would benefit from being explicit on their references,
so may as well start with these.
2013-11-11 10:33:15 -06:00
OJ 6a25ba18be Move kitrap0d exploit from getsystem to local exploit
This version modifies the existing meterpreter session and bumps the privs
up to SYSTEM. However it's not how local exploits are supposed to work.
More work will be done to make this create a new session with the elevated
privs instead.
2013-11-11 17:14:40 +10:00
Geyslan G. Bem 6492bde1c7 New Payload
Merge remote-tracking branch 'origin'
2013-10-05 09:17:14 -03:00
Ryan Wincey 38691445af Fixed memory alignment for x64 reverse_http stager 2013-09-16 16:51:37 -04:00
Geyslan G. Bem fd7b633d35 add payload source 2013-09-13 15:36:31 -03:00
Meatballs f51531f9f8 Add IncludeDirectory 2013-09-07 15:19:25 +01:00
Meatballs 9b3a42b6b4 Use common RDL files in vncdll 2013-09-07 14:59:37 +01:00
Meatballs fc5e389708 Small changes to proj 2013-09-05 22:27:36 +01:00
Meatballs 81c78efaea Example submodule 2013-09-05 22:00:04 +01:00
jvazquez-r7 795ad70eab Change directory names 2013-08-15 22:52:42 -05:00
jvazquez-r7 cc5804f5f3 Add Port for OSVDB 96277 2013-08-15 18:34:51 -05:00
Alexandre Maloteaux e28dd42992 add http authentification and socks 2013-07-15 15:36:58 +01:00
corelanc0d3r e8983a21c5 New meterpreter payload reverse_https_proxy 2013-07-12 16:45:16 -04:00
jvazquez-r7 a4d353fcb3 Clean a little more the VS project 2013-06-29 15:15:27 -05:00
jvazquez-r7 de245113af Wrap Reflective DLL Readme.md to 80 columns 2013-06-29 09:29:09 -05:00
jvazquez-r7 6878534d4b Clean Visual Studio Project 2013-06-29 09:20:40 -05:00
jvazquez-r7 7725937461 Add Module for cve-2013-3660 2013-06-28 18:18:21 -05:00
jvazquez-r7 3c1af8217b Land #2011, @matthiaskaiser's exploit for cve-2013-2460 2013-06-26 14:35:22 -05:00
jvazquez-r7 b400c0fb8a Delete project files 2013-06-25 12:58:39 -05:00
jvazquez-r7 d25e1ba44e Make fixes proposed by review and clean 2013-06-25 12:58:00 -05:00
jvazquez-r7 b32513b1b8 Fix CVE-2013-2171 with @jlee-r7 feedback 2013-06-25 10:40:55 -05:00
sinn3r 74825af933 Add Makefile 2013-06-24 16:08:22 -05:00
sinn3r 6780566a54 Add CVE-2013-2171: FreeBSD 9 Address Space Manipulation Module 2013-06-24 11:50:21 -05:00
Matthias Kaiser 8a96b7f9f2 added Java7u21 RCE module
Click2Play bypass doesn't seem to work anymore.
2013-06-24 02:04:38 -04:00
William Vu d05ef3ac77 Land #1947, remove JavaPayload source 2013-06-12 11:17:23 -05:00
James Lee 636b6b61ec Remove javapayload source
Replace with a README pointing at the new repo:
https://github.com/rapid7/metasploit-javapayload
2013-06-12 10:57:23 -05:00
James Lee 6fae148f9d Remove meterpreter source
Replace with a README pointing at the new repo:
https://github.com/rapid7/meterpreter
2013-06-11 16:42:30 -05:00