Commit Graph

20837 Commits (868b70c9edd74aec28e8193d310fbe981ac91c55)

Author SHA1 Message Date
b00stfr3ak 868b70c9ed Added priv lib and runas lib
Cleaned up code with using the new lib files
2013-10-25 14:05:33 -07:00
b00stfr3ak 9695b2d662 Added check method
The method checks to see if the user is a part of the admin group.  If
the user is the exploit continues, if not the exploit stops because it
will prompt the user for a password instead of just clicking ok.
2013-10-21 11:57:50 -07:00
b00stfr3ak 6881774c03 Updated with comments from jlee-r7 and Meatballs1
Added fail_with instead of just print_error
figured a way to execute the cmd_psh_payload with out using gsub
added case statment for datastore['TECHNIQUE']
2013-10-20 01:15:51 -07:00
b00stfr3ak a5dc75a82e Added PSH option to windows/local/ask exploit
Gives you the ability to use powershell to 'ask' for admin rights if the
user has them.  Using powershell makes the pop up blue instead of orange
and states that the company is Microsoft, it also doesn't drop an exe
on the system.  Looks like 32 bit https works but if you migrate out you
loose priv and if you run cachedump the session hangs.
2013-10-19 00:15:38 -07:00
sinn3r 8059c59f15 Land #2452 - Ignore unexpected DNS answers 2013-10-03 15:54:22 -05:00
sinn3r c87e7b3cc1 Land #2451 - Don't overwrite default timeout on get_once 2013-10-03 15:44:40 -05:00
Tod Beardsley 6499178ccb
Fix Microsoft typo 2013-10-03 12:21:15 -05:00
Tod Beardsley 539a22a49e
Typo on Microsoft 2013-10-03 12:20:47 -05:00
William Vu f1e299460f Land #2454, EOL spaces fix for astium_sqli_upload 2013-10-03 11:09:22 -05:00
Tod Beardsley fcba424308
Kill off EOL spaces on astium_sqli_upload. 2013-10-03 11:01:27 -05:00
jvazquez-r7 1fe0c50df0 Ignore unexpected answers 2013-10-02 20:41:02 -05:00
jvazquez-r7 0db93111de
Land #2445, @todb-r7's new tab warning for msftidy 2013-10-02 17:19:12 -05:00
Tabassassin 773abf0567
Pow, tab assassinated. 2013-10-02 17:16:38 -05:00
Tod Beardsley 3d6b3a4e21
Empty commit to try to sober up Travis-CI
Travis, you're drunk. You need help. Don't try to build f123cd1, because
that commit doesn't exist.

Try this one, it'll make you feel better.
2013-10-02 16:58:01 -05:00
jvazquez-r7 77d0236b4e Don't overwrite defaul timeout 2013-10-02 16:15:14 -05:00
sinn3r 427b4b262a Land #2441 - Update .mailmap 2013-10-02 13:20:08 -05:00
Tod Beardsley 40c313b711
Land #2450, fix UDPSweep modules for Windows 2013-10-02 12:29:52 -05:00
jvazquez-r7 758fd02619 Windows 7 SP1 and newer fail when forcing IPv6 sockets 2013-10-02 09:45:51 -05:00
jvazquez-r7 7436ea0281
Land #2449, @wchen-r7's references update 2013-10-02 08:17:12 -05:00
James Lee 56b6f0be02 Add bins for #2443
See #740 and meterpreter#26
2013-10-01 23:47:24 -05:00
James Lee 9436b6df08
Land #2443, railgun error messages
See #740 and meterpreter#26
2013-10-01 23:44:43 -05:00
sinn3r 23b0c3b723 Add Metasploit blog references
These modules have blogs from the Rapid7 community, we should add them.
2013-10-01 20:50:16 -05:00
sinn3r 932ed0a939 Land #2444 - Add SIEMENS Solid Edge ST4 SEListCtrlX ActiveX Vuln 2013-10-01 20:35:17 -05:00
sinn3r 81365855fc Land #2446 - Use ROP chains from ROPDb
Now that we have successfully imported the Office 2007/2010 ROP chains
to ROPDb, this exploit can be the first to use it.
2013-10-01 20:28:59 -05:00
jvazquez-r7 ed82be6fd8 Use RopDB 2013-10-01 13:23:09 -05:00
jvazquez-r7 981212a034
Land #2442, @wchen-r7's rop chains for Office 2013-10-01 13:21:30 -05:00
Tod Beardsley 36d058b28c
Warn for tabbed indentation 2013-10-01 12:22:46 -05:00
jvazquez-r7 6483c5526a Add module for OSVDB 93696 2013-10-01 11:42:36 -05:00
OJ 82162ef486 Add error message support to railgun
This code was lost in the transition when the meterpreter source was
removed from the metasploit-framework source. I'm pulling this in by
request of @dmaloney-r7 who originally requested this code be inculded
as part of https://github.com/rapid7/metasploit-framework/pull/740

I added an extra bit of code to free up memory that is allocated by the
call to FormatMessage and forced the ASCII-version (FormatMessageA) of
the call.

This PR is the MSF side of https://github.com/rapid7/meterpreter/pull/26
2013-10-01 17:23:08 +10:00
sinn3r 7c6c8291e2 Add ROP chains for Office 2007 and Office 2010 (hxds.dll)
This adds two ROP chains for Office 2007 and Office 2010 based on
hxds.dll.
2013-10-01 01:33:35 -05:00
Tod Beardsley 301c370b68 Add William and alphabetize correctly 2013-09-30 17:04:57 -05:00
sinn3r 9abf727fa6 Land #2439 - Update description 2013-09-30 16:03:15 -05:00
sinn3r 7118f7dc4c Land #2422 - rm methods peer & rport
Because they're already defined in the HttpClient mixin
2013-09-30 16:01:59 -05:00
Tod Beardsley 49187e8a31 Alphabetize for real (case insensitive) 2013-09-30 15:23:20 -05:00
Tod Beardsley 9c4510940f Alphabetize 2013-09-30 15:21:09 -05:00
Tod Beardsley 9610f74ff9 Prefer github usernames 2013-09-30 15:19:56 -05:00
Tod Beardsley 96f7ea7b75
Update bperry and chao-mu in .mailmap 2013-09-30 15:16:21 -05:00
Brandon Turner 3cfee5a7c0
Land #2440, remaining tabassassin changes 2013-09-30 14:30:50 -05:00
jvazquez-r7 6c8f86883d
Land #2437, @wchen-r7's exploit for CVE-2013-3893 2013-09-30 14:02:29 -05:00
Tab Assassin 2e8d19edcf Retab all the things (except external/) 2013-09-30 13:47:53 -05:00
Tab Assassin 0ecba377f5 Avoid retabbing things in .git/ 2013-09-30 13:45:34 -05:00
Tod Beardsley 4dc88cf60f Expand descriptions for ease of use. 2013-09-30 13:30:31 -05:00
sinn3r c82ed33a95 Forgot Math.cos() 2013-09-30 13:29:16 -05:00
sinn3r d6cd0e5c67 Tweak for office 2007 setup 2013-09-30 13:27:59 -05:00
sinn3r ecf4e923e8 Change the target address for spray 1 2013-09-30 11:57:59 -05:00
Tod Beardsley 9ada96ac51
Fix sqlmap accidental codepoint
See http://www.ruby-doc.org/core-1.9.3/String.html#method-i-3C-3C

Apparently, String#<< uses Integer#chr, not Integer#to_s. News to me.

Fixed originally by @TsCl in PR #2435, but fixing seperately in order to
avoid screwing up his downstream tracking. Note, this isn't a merge, so
using Closes tag on the commit message.

[Closes #2435]
2013-09-30 11:23:17 -05:00
Tod Beardsley bce2f12375
Land #2436, Fixups to AlwaysInstallElevated 2013-09-30 11:12:06 -05:00
sinn3r b9aae1c93c Higher address seems better 2013-09-29 18:45:30 -05:00
sinn3r a5ade93ab2 Add CVE-2013-3893 Internet Explorer SetMouseCapture Use-After-Free
This module exploits a use-after-free vulnerability that currents
targets Internet Explorer 9 on Windows 7, but the flaw should exist in
versions 6/7/8/9/10/11. It was initially found in the wild in Japan, but
other regions such as English, Chinese, Korean, etc, were targeted as
well.

The vulnerability is due to how the mshtml!CDoc::SetMouseCapture function
handles a reference during an event. An attacker first can setup two
elements, where the second is the child of the first, and then setup a
onlosecapture event handler for the parent element. The onlosecapture
event seems to require two setCapture() calls to trigger, one for the parent
element, one for the child. When the setCapture() call for the child element
is called, it finally triggers the event, which allows the attacker to cause
an arbitrary memory release using document.write(), which in particular frees
up a 0x54-byte memory. The exact size of this memory may differ based on the
version of IE. After the free, an invalid reference will still be kept and pass
on to more functions, eventuall this arrives in function
MSHTML!CTreeNode::GetInterface, and causes a crash (or arbitrary code execution)
when this function attempts to use this reference to call what appears to be a
PrivateQueryInterface due to the offset (0x00).

To mimic the same exploit found in the wild, this module will try to use the
same DLL from Microsoft Office 2007 or 2010 to leverage the attack.
2013-09-29 18:24:13 -05:00
Meatballs b306415ecf
Tidy and updates to info 2013-09-29 17:32:39 +01:00