Commit Graph

1176 Commits (873d048b89f96745ac5b61f14bc8a79e9531e875)

Author SHA1 Message Date
jvazquez-r7 d78d04e070
Fix CVE-2014-0569 2015-05-26 15:49:22 -05:00
jvazquez-r7 e0a1fa4ef6
Fix indentation 2015-05-26 15:38:56 -05:00
jvazquez-r7 1742876757
Fix CVE-2014-0556 2015-05-26 15:30:39 -05:00
jvazquez-r7 a1538fc3ba
Update AS code 2015-05-26 15:18:01 -05:00
jvazquez-r7 f35d7a85d3
Adjust numbers 2015-05-21 15:56:11 -05:00
jvazquez-r7 a8e9b0fb54
Update ActionScript 2015-05-21 14:58:38 -05:00
jvazquez-r7 51bb4b5a9b
Add module for CVE-2015-0359 2015-05-07 17:00:00 -05:00
jvazquez-r7 582919acac
Add module for CVE-2015-0336 2015-05-05 17:25:19 -05:00
jvazquez-r7 b07a864416
Fix as indentation 2015-04-29 19:01:11 -05:00
jvazquez-r7 dbba466b5b
Add module for CVE-2014-8440 2015-04-29 17:52:04 -05:00
jvazquez-r7 28fac60c81
Add module for CVE-2015-0556 2015-04-15 14:08:16 -05:00
jvazquez-r7 91f5d0af5a
Add module for CVE-2014-0569
* Adobe Flash, integer overflow on casi32
2015-04-09 19:37:26 -05:00
jvazquez-r7 11c6f3fdca
Do reliable resolution of kernel32 2015-03-29 15:52:13 -05:00
jvazquez-r7 f84a46df63
Add module for CVE-2015-0313 2015-03-27 18:51:13 -05:00
rwhitcroft dab4333867 updated asm in block 2015-03-18 16:07:46 -04:00
jvazquez-r7 bb81107e51 Land #4927, @wchen-r7's exploit for Flash PCRE CVE-2015-0318 2015-03-13 23:58:05 -05:00
sinn3r 2a25e2b2e1 Update Main.as 2015-03-13 11:40:16 -05:00
sinn3r 0ee0a0da1c This seems to work 2015-03-13 04:43:06 -05:00
sinn3r 0c3329f69e Back on track 2015-03-12 15:26:55 -05:00
HD Moore b604599c8e Fix comments 2015-03-11 21:32:35 -05:00
HD Moore 479a9cc1a9 Fix missing stack variables & remove old comment 2015-03-11 21:23:27 -05:00
HD Moore 7e3b4017f0 Rename and resynced with master, ready for refactoring 2015-03-11 14:36:27 -05:00
HD Moore ea1bc69e2e Merge branch 'master' into feature/add-reverse_winhttp-stagers 2015-03-11 14:29:34 -05:00
sinn3r 43b90610b1 Temp 2015-03-11 13:53:34 -05:00
sinn3r 2a9d6e64e2 Starting point for CVE-2015-0318 2015-03-11 09:58:41 -05:00
Borja Merino 991e72a4fa HTTP stager based on WinHttp 2015-03-10 13:40:16 -05:00
jvazquez-r7 14c3848493 Delete useless comment 2015-03-09 16:59:10 -05:00
jvazquez-r7 cb72b26874 Add module for CVE-2014-0311 2015-03-09 16:52:23 -05:00
Brent Cook 5297ebc1a1 Merge branch 'master' into land-1396-http_proxy_pstore
Bring things back to the future
2015-02-20 08:50:17 -06:00
Brent Cook 4da28324e7 expound on java signer build instructions 2015-02-12 16:13:08 -06:00
Brent Cook af405eeb7d
Land #4287, @timwr's exploit for CVE-2014-3153 2015-02-09 10:33:14 -06:00
jvazquez-r7 aa7f7d4d81 Add DLL source code 2015-02-01 19:59:10 -06:00
Brent Cook 89e5a2b892 disable -no-thumb, doesn't work with latest NDK? 2015-01-30 09:36:21 -06:00
Brent Cook 47cd5a3e59
Land #4562, wchen-r7's Win8 NtApphelpCacheControl privilege escalation 2015-01-15 13:52:07 -06:00
sinn3r 7e1b8a1c83 Not needed anymore 2015-01-09 19:05:44 -06:00
sinn3r c79589509c Old comment 2015-01-09 19:04:50 -06:00
sinn3r 74e8e057dd Use RDL 2015-01-09 19:02:08 -06:00
sinn3r f998bfc246 Update exploit.cpp 2015-01-08 21:37:13 -06:00
sinn3r eea6ccee1f Source 2015-01-08 18:43:29 -06:00
OJ 844460dd87
Update bypass UAC to work on 8.1 and 2012
This commit contains a bunch of work that comes from Meatballs1 and
Lesage, and updates the bypassuac_inject module so that it works on
Windows 8.x and Windows 2012. Almost zero of the code in this module
can be attributed to me. Most of it comes from Ben's work.

I did do some code tidying, adjustment of style, etc. but other than
that it's all down to other people.
2015-01-08 15:39:19 +10:00
Borja Merino 9791acd0bf Add stager ipknock shellcode (PR 2) 2014-12-27 22:03:45 +01:00
William Vu e34c37042a
Readd block_hidden_bind_tcp.asm
Because stager_hidden_bind_tcp.asm includes it.
2014-12-22 11:13:07 -06:00
Peregrino Gris c0fa8c0e3f Add stager for hidden bind shell payload 2014-12-22 17:21:11 +01:00
HD Moore e3943682a2
Improves linux/armle payloads, lands #3315 2014-12-13 18:27:14 -06:00
Michael Schierl e8728943ec Shave off two more bytes for HTTP(s) stagers 2014-12-13 11:49:30 -06:00
Michael Schierl 69c938f65a More shellcode golf 2014-12-13 11:49:15 -06:00
Tim 5c50a07c0f futex_requeue 2014-12-01 03:49:22 +00:00
jvazquez-r7 7772da5e3f Change paths, add makefile and compile 2014-11-30 21:06:11 -06:00
jvazquez-r7 b6306ef7a2 Move C source to exploits folder 2014-11-30 20:42:53 -06:00
Joe Vennix 7a3fb12124
Add an OSX privilege escalation from Google's Project Zero. 2014-11-25 12:34:16 -06:00
Mark Schloesser 9e7f6728d0 update the single sources with s/SHELLARG/ARGV0/ 2014-11-19 22:22:08 +01:00
mschloesser-r7 a5aa6b2e78 add source for linux/armle/shell_bind_tcp 2014-11-19 21:53:23 +01:00
mschloesser-r7 ebc70138f6 add source for linux/armle/shell_bind_tcp 2014-11-19 21:53:23 +01:00
mschloesser-r7 8331de2265 add source for linux/armle/shell_reverse_tcp 2014-11-19 21:53:23 +01:00
jvazquez-r7 f43a6e9be0 Use PDWORD_PTR and DWORD_PTR 2014-10-31 17:35:50 -05:00
jvazquez-r7 6154b7d55f Fix style again 2014-10-31 12:51:48 -05:00
jvazquez-r7 203af90a44 Fix style 2014-10-31 12:50:23 -05:00
jvazquez-r7 0c23733722 Use hungarian notation 2014-10-31 12:47:50 -05:00
jvazquez-r7 8e547e27b3 Use correct types 2014-10-31 12:37:21 -05:00
OJ cbd616bbf5 A few sneaky style changes, but no functional ones
Changes were purely for style, and Juan was happy to let me make them
as part of the merge.
2014-10-31 09:08:11 +10:00
jvazquez-r7 6574db5dbb Fix the 64 bits code 2014-10-30 17:01:59 -05:00
jvazquez-r7 03a84a1de3 Search the AccessToken 2014-10-30 12:17:03 -05:00
OJ 908094c3d3 Remove debug, treat warnings as errors 2014-10-28 09:04:02 +10:00
OJ 0a03b2dd48 Final code tidy 2014-10-28 08:59:33 +10:00
OJ 6f3b373f01 More code tidy and unifying of stuff 2014-10-28 08:37:49 +10:00
OJ 0e761575c8 More code tidying, reduced x64/x86 duplication 2014-10-28 08:09:18 +10:00
OJ 062eff8ede Fix project settings, make files, start tidying of code 2014-10-28 07:58:19 +10:00
Spencer McIntyre d6a63ccc5e Remove unnecessary C debugging code for the exploit 2014-10-27 11:24:23 -04:00
Spencer McIntyre 46b1abac4a More robust check routine for cve-2014-4113 2014-10-27 11:19:12 -04:00
jvazquez-r7 4406972b46 Do version checking minor cleanup 2014-10-27 09:32:42 -05:00
jvazquez-r7 0aaebc7872 Make GetPtiCurrent USER32 independent 2014-10-26 18:51:02 -05:00
jvazquez-r7 34697a2240 Delete 'callback3' also from 32 bits version 2014-10-26 17:28:35 -05:00
Spencer McIntyre 7416c00416 Initial addition of x64 target for cve-2014-4113 2014-10-26 16:54:42 -04:00
jvazquez-r7 d8eaf3dd65 Add exploit source code 2014-10-23 18:59:58 -05:00
HD Moore 8cca4d7795 Fix the makefile to use the right directory
Reported by severos on IRC, the current output
class is in the right place, but the makefile
was broken.
2014-08-03 13:38:15 -05:00
sinn3r ce5d3b12e7
Land #3403 - MS13-097 Registry Symlink IE Sandbox Escape 2014-06-26 13:48:28 -05:00
sinn3r 0b6f7e4483
Land #3404 - MS14-009 .NET Deployment Service IE Sandbox Escape 2014-06-26 11:45:47 -05:00
Meatballs 25ed68af6e
Land #3017, Windows x86 Shell Hidden Bind
A bind shellcode that responds as 'closed' unless the client matches the
AHOST ip.
2014-06-08 13:49:49 +01:00
Meatballs bf1a665259
Land #2657, Dynamic generation of windows service executable functions
Allows a user to specify non-service executables as EXE::Template as
long as the file has enough size to store the payload.
2014-06-07 13:28:20 +01:00
jvazquez-r7 443f9f175c Update IE11Sandbox exploit source 2014-06-03 09:58:07 -05:00
jvazquez-r7 372a12b966 Restore make.msbuild permissions 2014-06-03 09:07:34 -05:00
jvazquez-r7 98a06b3d72 Restore make.msbuild 2014-06-03 09:05:26 -05:00
jvazquez-r7 f918bcc631 Use powershell instead of mshta 2014-06-03 09:01:56 -05:00
jvazquez-r7 f6862cd130 Land @OJ's updated meterpreter binaries 2014-05-30 20:27:28 -05:00
OJ d2b8706bd6
Include meterpreter bins, add Sandbox builds
This commit contains the binaries that are needed for Juan's sandbox
escape functionality (ie. the updated old libloader code). It also
contains rebuilt binaries for all meterpreter plugins.

I've also added command line build scripts for the sandbox escapes
and added that to the "exploits" build.
2014-05-31 08:12:34 +10:00
jvazquez-r7 c1368dbb4c Use %windir% 2014-05-30 09:06:41 -05:00
jvazquez-r7 75777cb3f9 Add IE11SandboxEscapes source 2014-05-29 11:38:43 -05:00
Florian Gaultier bb4e9e2d4d correct error in block service_change_description 2014-05-13 16:04:39 +02:00
Florian Gaultier 6332957bd2 Try to add SERVICE_DESCRIPTION options to psexec, but it doesn't seem to work... 2014-05-13 16:04:39 +02:00
Florian Gaultier bdbb70ab71 up block_service_stopped.asm 2014-05-13 16:04:39 +02:00
Florian Gaultier e269c1e4f1 Improve service_block with service_stopped block to cleanly terminate service 2014-05-13 16:04:38 +02:00
Florian Gaultier c43e3cf581 Improve block_create_remote_process to point at shellcode every time 2014-05-13 16:04:38 +02:00
Florian Gaultier 25d48b7300 Add create_remote_process block, now used in exe_service generation 2014-05-13 16:04:38 +02:00
Florian Gaultier 0bdf7904ff Change author of single_service_stuff.asm 2014-05-13 16:04:38 +02:00
Florian Gaultier 513f3de0f8 new service exe creation refreshed 2014-05-13 16:04:36 +02:00
jvazquez-r7 58c46cc73d Add compilation instructions for the AS 2014-05-08 16:48:42 -05:00
jvazquez-r7 5fd732d24a Add module for CVE-2014-0515 2014-05-07 17:13:16 -05:00
sinn3r 6bfc9a8aa0
Land #3333 - Adobe Flash Player Integer Underflow Remote Code Execution 2014-05-05 10:39:26 -05:00
OJ 7e37939bf2
Land #3090 - Windows NTUserMessageCall Win32k Kernel Pool Overflow (Schlamperei) 2014-05-04 16:41:17 +10:00
jvazquez-r7 b4c7c5ed1f Add module for CVE-2014-0497 2014-05-03 20:04:46 -05:00
Meatballs 850f6b0276
Address OJ's comments 2014-05-02 13:33:55 +01:00
jvazquez-r7 60e7e9f515 Add module for CVE-2013-5331 2014-04-27 10:40:46 -05:00
sinn3r 5c0664fb3b
Land #3292 - Mac OS X NFS Mount Privilege Escalation Exploit 2014-04-24 13:43:20 -05:00
Joe Vennix 143aede19c
Add osx nfs_mount module. 2014-04-23 02:32:42 -05:00
jvazquez-r7 acb12a8bef Beautify and fix both Ruby and AS 2014-04-17 23:32:29 -05:00
jvazquez-r7 abd76c5000 Add module for CVE-2014-0322 2014-04-15 17:55:24 -05:00
OJ 409787346e
Bring build tools up to date, change some project settings
This commit brings the source into line with the general format/settings
that are used in other exploits.
2014-03-14 22:57:16 +10:00
Tod Beardsley 520d1e69c4
Rapid7 Comma Inc
After some more discussion with Rapid7's legal fellow.
2014-03-13 09:46:20 -05:00
Tod Beardsley 9d4ceaa3a0
Let's try to be consistent about Rapid7 Inc.
According to

http://www.sec.gov/Archives/edgar/data/1560327/000156032712000001/0001560327-12-000001.txt

Rapid7 is actually "Rapid7 Inc" not "Rapid7, LLC" any more.

This does not address the few copyright/license statements around
"Metasploit LLC," whatever that is.
2014-03-12 11:20:17 -05:00
kyuzo 41720428e4 Refactoring exploit and adding build files for dll. 2014-03-12 10:25:52 +00:00
root 1fda6b86a1 Changed cmp eax to inc eax. Saved one byte 2014-03-10 12:13:10 +01:00
kyuzo 2a1e96165c Adding MS013-058 for Windows7 x86 2014-03-06 18:39:34 +00:00
somename11111 99cd36c036 Fix description of Input 2014-03-06 03:16:55 +01:00
somename11111 689523a26f Clean Code based on jlee-r7's comments
- Put allocations in loop

- Decomment exitfunc

- Aligned comments

- Some more code cleaning
2014-03-06 02:44:24 +01:00
somename11111 83929facc4 Fix bug on Windows XP
Correct the addresses of functions in pstorec.dll.

Successfully tested on Server 2003 and XP.
2014-03-06 02:35:44 +01:00
somename11111 4aca648faf Correct file information 2014-03-06 02:35:36 +01:00
somename11111 ba31e304b5 Clean the code
Remove debugging functions from block_get_pstore_proxy_auth.asm.
Reduce allocation size to 1kB.
2014-03-06 02:35:25 +01:00
somename11111 b6b46abe9f Add new stager stager_reverse_http_proxy_pstore
This stager looks for proxy credentials in windows protected storage. If it finds proxy credentials, it will use them to connect back. If it does not find credentials, it will do the same as stager_reverse_http.

Works on:

- Windows Server 2003

- Windows XP

- Internet Explorer versions 4 to 6
2014-03-06 02:35:12 +01:00
Meatballs 7877589537
Delete correctly 2014-02-23 02:47:13 +00:00
Meatballs 6127ff92ce
Fix race condition
Wait for Sysprep to ExitProcess before cleaning up the DLLs...
2014-03-03 23:41:25 +00:00
Meatballs 2a6258be15
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
Conflicts:
	external/source/exploits/make.bat
2014-02-28 20:26:24 +00:00
David Maloney 9d9149d9d8
remove some dead code paths
refactor some dead conditionals and a case/switch
that wasn't doing anything
2014-02-27 11:45:57 -06:00
OJ 4b924659b2 Adjust project config
* Remove editbin usage for console apps
* Remove whole program optimisation
2014-02-26 17:14:14 +10:00
OJ 10829299f5 Add make support for command line builds 2014-02-26 16:40:54 +10:00
OJ eb3da1ce87 Editbin and post build steps 2014-02-26 16:36:55 +10:00
OJ 712f47cb4e Remove Palm configuration from bypassuac config 2014-02-26 16:07:22 +10:00
OJ 9159512a3d Fix VS 2013 build, remove old files, rejig project config
This wasn't building cleanly for a few reasons with VS 2013 on my desktop.
This commit fixes these problems with the configuration and makes things fit
with the way we're now doing things (ie. output locations, etc).

Incremental builds are disabled as they were causing problems, but this isn't
a concern for a project as small as this.
2014-02-26 16:05:24 +10:00
OJ d37774e12d Remove ARM config, add build to make for all exploits 2014-02-26 10:57:15 +10:00
Meatballs 8bdb22aeb9
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
Conflicts:
	lib/msf/core/post/windows.rb
2014-02-25 22:15:05 +00:00
David Maloney 289580777c remove unnecessary logging elements
update solutions for VS2013
remove the CLogger
Remove Print Usage
this removes unnecessary strings that can
be used to easily identify our executable
2014-02-20 20:00:19 -06:00
root b4a22aa25d hidden bind shell payload 2014-02-20 16:19:40 +01:00
jvazquez-r7 1f0020a61c
Land #2946, @jlee-r7's optimization of the x86 block_api code 2014-02-11 15:00:00 -06:00
Spencer McIntyre 0ac1acda70 Upgrade toolchain to Visual Studio 2013 v120. 2014-02-10 09:35:07 -05:00
Spencer McIntyre 01f41a209c Remove the DLL and add make.msbuild for easier compiling. 2014-02-07 10:05:05 -05:00
Spencer McIntyre f686385349 Remove an unnecessary VS file and modify version check. 2014-02-07 08:45:51 -05:00
Spencer McIntyre cc32c877a9 Add CVE-2013-3881 win32k Null Page exploit 2014-02-06 17:23:38 -05:00
James Lee c70680cf1c
Fix infinite-retry bug
Derp, block_api clobbers ecx
2014-02-04 11:59:16 -06:00
James Lee 9c3664bd45
Unify reverse_http and reverse_https
This will make copy-pasta less painful in the future.  There's still the
problem of reverse_https_proxy being very similar, but the logic in how
it gets generated in the module is more than i want to tackle right now
2014-02-04 09:09:12 -06:00
James Lee 6d53570c22
Fix abysmal mixed indentedness. 2014-02-03 11:39:03 -06:00
James Lee c29c6be212 Shave 3 bytes off of block_api 2014-02-03 11:34:41 -06:00
James Lee bfc0ac4dd4 Golf a few bytes off of reverse_http(s) 2014-02-03 11:33:55 -06:00
jvazquez-r7 a056d937e7 Flush data cache and improve documentation 2014-01-14 14:06:01 -06:00
jvazquez-r7 a8806887e9 Add support for MIPS reverse shell staged payloads 2014-01-14 12:25:11 -06:00
Meatballs ea349e6618
Rm redundant solution file 2013-12-20 16:03:08 +00:00
OJ 0db062a1ce
Merge branch 'meatballs-vncdll-submodule' 2013-12-20 18:29:27 +10:00
OJ 0ebef33345 Quick fix to x64 kitrap0d project
Stops errors on debug builds, not that anyone cares.
2013-12-20 09:51:24 +10:00
OJ 34cdec5155
Update project VS 2013, clean CLI build
* Project system updated to VS 2013.
* Clean builds, had to remove a bunch of warnings.
* `make.bat` for building from the command line.
* Removed RDI stuff that shouldn't be there any more.
* Renamed the x86 DLL to include the platform name.
2013-12-20 09:49:15 +10:00
OJ e22b4ba88c Add make script for nvidia nvsvc 2013-12-15 01:12:49 +00:00
OJ 0c82817445 Final changes before PR 2013-12-15 01:12:49 +00:00
OJ db29af0f97 First batch of submodule refactorings 2013-12-15 01:12:48 +00:00
Meatballs be4dae7db9 Forgot C changes 2013-12-15 01:12:48 +00:00
Meatballs c6623b380a Initial commit 2013-12-15 01:12:45 +00:00
Meatballs ab1ddac0c8
Merge remote-tracking branch 'upstream/master' into submodule
Conflicts:
	external/source/exploits/cve-2013-3660/dll/reflective_dll.vcxproj
2013-12-08 18:25:03 +00:00
Meatballs 496b017e33
Merge remote-tracking branch 'upstream/master' into bypassuac_redo 2013-12-05 17:09:32 +00:00
Meatballs dc0f2b7291
Use ExitProcess 2013-12-05 17:08:47 +00:00
Meatballs 6edd9aa736
Update for new ReflectiveDLL Submodule 2013-11-30 20:12:08 +00:00
Meatballs cf12826d2c
Don't use XP toolchain
and don't bother with editbin
2013-11-30 20:04:00 +00:00
Meatballs d3a0199539
Update for new Reflective DLL Submodule
Update to VS2013 Toolsets
Include .msbuild and make.bat
Tidyup of if { }
Post build step to copy to output directory
2013-11-30 19:58:25 +00:00
Meatballs 915d741f86
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
Conflicts:
	.gitmodules
	external/source/ReflectiveDLLInjection
2013-11-30 19:10:04 +00:00
Meatballs 57342a9c0c
Merge remote-tracking branch 'upstream/master' into submodule
Conflicts:
	.gitmodules
	external/source/ReflectiveDLLInjection
2013-11-30 19:07:54 +00:00
OJ defc0ebe5c
ppr_flatten_rec update, RDI submodule, and refactor
This commit contains a few changes for the ppr_flatten_rec local windows
exploit. First, the exploit binary itself:

* Updated to use the RDI submodule.
* Updated to build with VS2013.
* Updated to generate a binary called `ppr_flatten_rc.x86.dll`.
* Invocation of the exploit requires address of the payload to run.

Second, the module in MSF behaved a little strange. I expected it to create
a new session with system privs and leave the existing session alone. This
wasn't the case. It used to create an instance of notepad, migrate the
_existing_ session to it, and run the exploit from there. This behaviour
didn't seem to be consistent with other local exploits. The changes
include:

* Existing session is now left alone, only used as a proxy.
* New notepad instance has exploit reflectively loaded.
* New notepad instance has payload directly injected.
* Exploit invocation takes the payload address as a parameter.
* A wait is added as the exploit is slow to run (nature of the exploit).
* Payloads are executed on successful exploit.
2013-11-27 20:44:18 +10:00
OJ 468654d2b5 Add RDI submodule, port Kitrap0d
This commit is the first in a series that will move all the exploits that use RDI
over to the R7 fork. The RDI source will be in a single known location and each
exploit will have to work from that location.

The kitrap0d exploit has been migrated over to use this submodule so that there's
one example of how it's done for future contributions to follow.
2013-11-27 16:04:41 +10:00
jvazquez-r7 31b4e72196 Switch to soft tabs the cs code 2013-11-23 23:06:52 -06:00
jvazquez-r7 9f539bafae Add README on the source code dir 2013-11-22 17:56:05 -06:00
jvazquez-r7 25eb13cb3c Small fix to interface 2013-11-22 17:02:08 -06:00
jvazquez-r7 288a1080db Add MS13-022 Silverlight app code 2013-11-22 16:53:06 -06:00
jvazquez-r7 4cf16cf360
Land #2633, @OJ's port of Kitrap0d as local exploit 2013-11-14 09:27:10 -06:00
OJ 506a4d9e67
Remove genericity, x64 and renamed stuff
As per discussion on the github issue, the following changes were made:

* Project renamed from elevate to kitrap0d, implying that this is not
  intended to be a generic local priv esc exploit container.
* Container DLL no longer generic, always calls the kitrap0d exploit.
* Removal of all x64 code and project configurations.
* Invocation of the exploit changed so that the address of the payload
  is passed in to the exploit entry point. The exploit is now responsible
  for executing the payload if the exploit is successful. This removes
  the possibility of the payload getting executed when the exploit fails.
* Source moved to the appropriate CVE folder.
* Binary moved to the appropriate CVE folder.
* Little bit of source rejigging to tidy things up.
2013-11-14 12:22:53 +10:00
OJ 40f58ce534
Finalise the local exploit for kitrap0d
The exploit now properly injects the DLL using RDI and invokes the
exploit based on a parameter passed by the Ruby module. The elevate
code is 'generic' with a goal of possibly supporting more exploits
down the track.

New sessions are now created with the SYSTEM creds, rather than
modifying the existing session. This is now in line with how things
are done with other local modules.
2013-11-12 23:01:24 +10:00
Geyslan G. Bem 030fbba539 Merge branch 'master' of https://github.com/geyslan/metasploit-framework 2013-11-11 14:22:00 -03:00
Tod Beardsley 81a7b1a9bf
Fixes for #2350, random bind shellcode
* Moved shortlink to a reference.
  * Reformat e-mail address.
  * Fixed whitespace
  * Use multiline quote per most other module descriptions

Still need to resplat the modules, but it's no big thang to do that
after landing. Also, References do not seem to appear for post modules
in the normal msfconsole. This is a bug in the UI, not for these modules
-- many payloads would benefit from being explicit on their references,
so may as well start with these.
2013-11-11 10:33:15 -06:00
OJ 6a25ba18be Move kitrap0d exploit from getsystem to local exploit
This version modifies the existing meterpreter session and bumps the privs
up to SYSTEM. However it's not how local exploits are supposed to work.
More work will be done to make this create a new session with the elevated
privs instead.
2013-11-11 17:14:40 +10:00
Meatballs b3cc9f6f1e
Use sysnative to delete the cryptbase.dll when in SYSWOW64 process.
Merge branch 'master' of github.com:Meatballs1/metasploit-framework into bypassuac_redo

Conflicts:
	modules/exploits/windows/local/bypassuac.rb
2013-10-17 21:01:57 +01:00
Geyslan G. Bem 6492bde1c7 New Payload
Merge remote-tracking branch 'origin'
2013-10-05 09:17:14 -03:00
Meatballs 2764bfc1b4 Remove opensdf 2013-09-27 10:19:16 +01:00
Meatballs 5fa0eb32a9 Merge upstream 2013-09-27 10:11:10 +01:00
Meatballs c3c07b5fd7 Better arch checking 2013-09-27 09:39:29 +01:00
Meatballs dfac7b57d2 Fixup SysWOW64 2013-09-27 09:10:49 +01:00
Meatballs b8df7cc496 Initialize strings fool 2013-09-27 09:01:00 +01:00
Meatballs 5bd414d4b4 Submodule 2013-09-26 23:19:13 +01:00
Ryan Wincey 38691445af Fixed memory alignment for x64 reverse_http stager 2013-09-16 16:51:37 -04:00
Geyslan G. Bem fd7b633d35 add payload source 2013-09-13 15:36:31 -03:00
Meatballs f51531f9f8 Add IncludeDirectory 2013-09-07 15:19:25 +01:00
Meatballs 9b3a42b6b4 Use common RDL files in vncdll 2013-09-07 14:59:37 +01:00
Meatballs fc5e389708 Small changes to proj 2013-09-05 22:27:36 +01:00
Meatballs 81c78efaea Example submodule 2013-09-05 22:00:04 +01:00
Meatballs 280f78c249 Update source 2013-08-30 10:48:47 +01:00
Meatballs ff5cf396ab Remove large file and rename payload.dll 2013-08-27 00:30:27 +01:00
Meatballs 035e97523b In memory bypassuac 2013-08-27 00:13:19 +01:00
jvazquez-r7 795ad70eab Change directory names 2013-08-15 22:52:42 -05:00
jvazquez-r7 cc5804f5f3 Add Port for OSVDB 96277 2013-08-15 18:34:51 -05:00
Alexandre Maloteaux e28dd42992 add HTTP authentication and SOCKS 2013-07-15 15:36:58 +01:00
corelanc0d3r e8983a21c5 New meterpreter payload reverse_https_proxy 2013-07-12 16:45:16 -04:00
jvazquez-r7 a4d353fcb3 Clean the VS project a little more 2013-06-29 15:15:27 -05:00
jvazquez-r7 de245113af Wrap Reflective DLL Readme.md to 80 columns 2013-06-29 09:29:09 -05:00
jvazquez-r7 6878534d4b Clean Visual Studio Project 2013-06-29 09:20:40 -05:00
jvazquez-r7 7725937461 Add Module for cve-2013-3660 2013-06-28 18:18:21 -05:00
jvazquez-r7 3c1af8217b Land #2011, @matthiaskaiser's exploit for cve-2013-2460 2013-06-26 14:35:22 -05:00
jvazquez-r7 b400c0fb8a Delete project files 2013-06-25 12:58:39 -05:00
jvazquez-r7 d25e1ba44e Make fixes proposed by review and clean 2013-06-25 12:58:00 -05:00
jvazquez-r7 b32513b1b8 Fix CVE-2013-2171 with @jlee-r7 feedback 2013-06-25 10:40:55 -05:00
sinn3r 74825af933 Add Makefile 2013-06-24 16:08:22 -05:00
sinn3r 6780566a54 Add CVE-2013-2171: FreeBSD 9 Address Space Manipulation Module 2013-06-24 11:50:21 -05:00
Matthias Kaiser 8a96b7f9f2 added Java7u21 RCE module
Click2Play bypass doesn't seem to work anymore.
2013-06-24 02:04:38 -04:00
William Vu d05ef3ac77 Land #1947, remove JavaPayload source 2013-06-12 11:17:23 -05:00
James Lee 636b6b61ec Remove javapayload source
Replace with a README pointing at the new repo:
https://github.com/rapid7/metasploit-javapayload
2013-06-12 10:57:23 -05:00
James Lee 6fae148f9d Remove meterpreter source
Replace with a README pointing at the new repo:
https://github.com/rapid7/meterpreter
2013-06-11 16:42:30 -05:00
jvazquez-r7 7090d4609b Add module for CVE-2013-1488 2013-06-07 13:38:41 -05:00
Tod Beardsley 9c771435f2 Touchup on author credit 2013-05-30 16:13:40 -05:00
Tod Beardsley 67128a3841 Land #1821, x64_reverse_https stagers 2013-05-30 13:55:13 -05:00
jvazquez-r7 07c99f821e Land #1879, @dcbz ARM stagers 2013-05-29 17:43:37 -05:00
jvazquez-r7 e6433fc31e Add commented source code for stagers and stage 2013-05-29 14:03:46 -05:00
James Lee 9843dc4cb4 Land #1708, android meterpreter
Conflicts:
	data/meterpreter/ext_server_stdapi.jar
2013-05-28 12:19:45 -05:00
agix b92ae7779e change author name 2013-05-19 16:16:25 +02:00
agix 6db1fea6b9 create x64_reverse_https stagers 2013-05-13 01:41:56 +02:00
timwr fa241ab11e camera fixes and add wav header to audio record 2013-05-03 01:43:50 +01:00
timwr 2316c23f17 include javapayload in the dx build path 2013-05-02 16:17:56 +01:00
Michael Schierl a13cf53b9f Android Meterpreter bugfixes
- classes.dex gets mangled on windows; use binary mode when reading it
- UnknownHostExceptions on API Level 3 emulator because of trailing
  whitespace after the hostname/IP
- Work around integer overflow at year 2038 when signing the payload
2013-05-01 18:01:37 +02:00
timwr a2f8b3dbec Merge pull request #3 from schierlm/android-deploy-profiles
Call dx from Maven profile
2013-05-01 08:18:31 -07:00
Michael Schierl 438529d860 Call dx from Maven profile
Convert the dx calls from build.sh to equivalent exec calls in Maven
deploy profile.

While this commit takes into account differences between Windows and *nix,
it was only tested on Windows, and the resulting binaries have not been
tested at all!

In addition, I was not able to pass individual .class file names to dx
without getting a "class name does not match path" error, so I changed it
to copy all required classes into a temp directory and call dx from there.

I also changed the cross-project paths to refer to the respective Maven
classpath, so in case you do an individual project build, the library
dependencies are taken from the Maven repository instead of taking them
from the target/ directory of the projects directly.
2013-04-27 22:20:18 +02:00
Michael Schierl af0691d205 Add animal-sniffer-plugin for Android API
Include the animal-scents for Android API in this commit, so that users
who do not have Android SDK can still check meterpreter API compatibility
with Android API. Some classes, like screenshot have been excluded since
they need AWT (but they are excluded in Android Meterpreter anyway).

To regenerate the scents file, run

mvn -Dandroid.sdk.path=... -P regenerate package
2013-04-27 20:40:55 +02:00
Michael Schierl 4abeb1b162 Use 1.4 version of net_config_get_interfaces
Apparently Android API 3 does not know the getMTU() function, which was
added in Java 1.6, and in Android API Level 9 (Gingerbread). Therefore,
fall back to the 1.4 version that does not need this API.
2013-04-27 20:39:13 +02:00
timwr 2c73323ceb make android build conditional on -Dandroid.sdk.path= 2013-04-27 00:21:13 +01:00
James Lee 01d790eb54 Land #1748, fix for java meterp network prefixes
[Closes #1748]
2013-04-24 12:27:28 -05:00
Tod Beardsley 1112daaff2 Remove msfgui and armitage
This removes the Armitage and MSFGui components from the Metasploit
distribution. You can track the latest stable releases of these
alternate GUIs here:

MSFGui: http://www.scriptjunkie.us/msfgui/
Armitage: http://www.fastandeasyhacking.com/download
2013-04-22 15:26:44 -05:00
Michael Schierl e98d510deb Fix incorrect network prefix in Java Meterpreter
Apparently, getNetworkPrefixLength can return -1, which confuses the Ruby
side. Therefore fall back to guessing the prefix in this case, as we do it
for Java <= 1.6.
2013-04-20 23:10:46 +02:00
jvazquez-r7 9fca89f70b fix small issues 2013-04-20 01:43:14 -05:00
jvazquez-r7 19f2e72dbb Added module for Java 7u17 sandbox bypass 2013-04-20 01:43:13 -05:00
timwr 0d0c728da4 fix obvious breakage 2013-04-18 10:24:50 +01:00
timwr df9c5f4a80 remove unused resources and fix whitespace 2013-04-13 16:22:52 +01:00
timwr 32bd812bdb android meterpreter 2013-04-12 18:57:04 +01:00
James Lee 8376531a32 Land #1217, java payload build system refactor
[Closes #1217]
2013-04-11 13:10:03 -05:00
James Lee e3eef76372 Land #1223
This adds rc4-encrypting stagers for Windows.

[Closes #1223]
2013-04-10 12:14:52 -05:00
James Lee b3c78f74d2 Whitespace 2013-04-10 09:28:45 -05:00
jvazquez-r7 c225d8244e Added module for CVE-2013-1493 2013-03-26 22:30:18 +01:00
scriptjunkie 1b6398d4fd Service autoconnect, DB fixes
First check if database is connected before trying to connect.
Autologin in Kali with new token login.
2013-03-25 20:44:48 -05:00
scriptjunkie 438d348fda Kali fixes
Check the new database config location.
Don't crash on sporadic JRE style error.
2013-03-24 21:00:38 -05:00
scriptjunkie 16fad29cb0 Update creds schema. 2013-03-12 23:07:40 -05:00
sinn3r e1859ae4b6 Merge branch 'rsmudge-armitage' 2013-03-06 19:31:44 -06:00
sinn3r a30b61e4aa Merge branch 'rsmudge-armitage' 2013-03-06 16:39:00 -06:00
Raphael Mudge 4ab8315db0 Armitage 03.06.13
Apparently, my last update came from the future. This modification
to that future update fixes an oversight preventing Armitage from
connecting to its collaboration server because it would report the
wrong application.
2013-03-04 23:11:20 -05:00
James Lee a74b576a0f Merge branch 'rapid7' into rsmudge-authproxyhttpstager 2013-03-04 17:50:48 -06:00
Raphael Mudge 59d2f05c94 Armitage 04.06.13
This update to Armitage improves its responsiveness when connected
to a team server over a high latency network. This update also adds
a publish/query/subscribe API to Cortana.
2013-03-04 18:32:45 -05:00
Michael Schierl 9e499e52e7 Make BindTCP test more robust
The BindTCP test contained a race condition: if the bind payload took
longer to load than the handler, it could result in a

ConnectException: Connection refused: connect

Work around this by retrying the connection up to 10 times, with 500ms
delay in between.
2013-03-03 21:08:06 +01:00
Michael Schierl b75d1d3b70 Antivirus can interfere with compiling
Add a note about it into COMPILING.txt.
2013-03-03 21:07:08 +01:00
RageLtMan 754b32e9db shameless plug for posterity in stager asm 2013-02-28 17:30:27 -05:00
RageLtMan 3778ae09e9 This commit adds DNS resolution to rev_tcp_rc4
Due to the modular structure of payload stages it's pretty trivial
to add DNS resolution instead of a hard-coded IP address in stage0.

The only real complication here is that ReverseConnectRetries ends
up being one byte further down than in the original shellcode. It
appears that the original rev_tcp_dns payload suffers from the same
issue.

Hostname substitution is handled in the same method as the RC4 and
XOR keys, with an offset provided and replace_vars ignoring the
hostname.

Tested in x86 native and WOW64 on XP and 2k8r2 respectively.

This is a good option for those of us needing to leave persistent
binaries/payloads on hosts for long periods. Even if the hostname
resolves to a malicious party attempting to steal our hard earned
session, they'd be hard pressed to crypt the payload with the
appropriate RC4 pass. So long as we control the NS and records, the
hardened shellcode should provide a better night's sleep if running
shells over the WAN. Changing the RC4 password string in the
shellcode and build.py should reduce the chances of recovery by RE.

Next step will likely be to start generating ellipses for ECDH SSL
in meterpreter sessions and passing them with stage2 through the
RC4 socket. If P is 768-1024 the process is relatively quick, but
we may want to precompute a few defaults as well to have 2048+.
2013-02-28 02:59:20 -05:00
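The commit message above describes two mechanics of the rev_tcp_rc4 stager: the hostname and RC4 key are substituted into the shellcode template at fixed offsets, and the stage that comes back over the socket is RC4-encrypted under the same password so a third party controlling the DNS name cannot feed the stager a stage of their own. The following Ruby is an added illustration of those two steps, not code from the metasploit-framework tree: the template bytes, the field offsets (HOST_OFF, KEY_OFF), the field sizes and the 4-byte length prefix on the encrypted stage are all assumptions made for the example, and the rc4 routine is a plain textbook RC4 rather than the framework's own key-derivation scheme.

```ruby
# Added example, not part of metasploit-framework. Shows (1) patching a
# hostname and an RC4 key into a stager template at fixed offsets and
# (2) RC4-encrypting a stage so that only a stager carrying the same key
# can recover it. Offsets, sizes and framing are assumptions for the demo.

HOST_OFF = 8    # assumed offset of the NUL-padded hostname field
HOST_LEN = 32   # assumed field size; hostname must fit with a NUL
KEY_OFF  = 48   # assumed offset of the RC4 key field
KEY_LEN  = 16   # assumed key size

# Constructed stager template: NOP filler, a hostname field filled with
# 'H', more filler, a key field filled with 'K', then an int3 tail.
TEMPLATE = (
  [0x90].pack('C') * HOST_OFF +
  ('H' * HOST_LEN) +
  [0x90].pack('C') * (KEY_OFF - HOST_OFF - HOST_LEN) +
  ('K' * KEY_LEN) +
  [0xcc].pack('C') * 8
).b.freeze

# Textbook RC4 (KSA + PRGA); encryption and decryption are the same op.
def rc4(key, data)
  k = key.bytes
  s = (0..255).to_a
  j = 0
  256.times do |i|
    j = (j + s[i] + k[i % k.size]) & 0xff
    s[i], s[j] = s[j], s[i]
  end
  i = j = 0
  out = data.bytes.map do |b|
    i = (i + 1) & 0xff
    j = (j + s[i]) & 0xff
    s[i], s[j] = s[j], s[i]
    b ^ s[(s[i] + s[j]) & 0xff]
  end
  out.pack('C*')
end

# Substitute the hostname and key into the template without changing its
# length, so every other offset inside the shellcode stays valid.
def build_stager(host, key, template = TEMPLATE)
  raise ArgumentError, 'hostname does not fit in the field' if host.bytesize >= HOST_LEN
  raise ArgumentError, 'wrong RC4 key length' unless key.bytesize == KEY_LEN
  out = template.b
  out[HOST_OFF, HOST_LEN] = host.b.ljust(HOST_LEN, [0].pack('C'))
  out[KEY_OFF, KEY_LEN] = key.b
  out
end

# Read the fields back out of a built stager (what a handler or an
# analyst inspecting the blob would do).
def stager_host(stager)
  stager.byteslice(HOST_OFF, HOST_LEN).unpack1('Z*')
end

def stager_key(stager)
  stager.byteslice(KEY_OFF, KEY_LEN)
end

# Handler side: little-endian length prefix followed by the RC4 stage.
def encrypt_stage(stage, key)
  [stage.bytesize].pack('V') + rc4(key, stage)
end

# Stager side: read the length, pull exactly that many bytes, decrypt.
def decrypt_stage(blob, key)
  len = blob.byteslice(0, 4).unpack1('V')
  body = blob.byteslice(4, len)
  raise 'truncated stage' if body.nil? || body.bytesize != len
  rc4(key, body)
end

if __FILE__ == $PROGRAM_NAME
  key = 'sixteen byte key'
  stager = build_stager('c2.example.test', key)
  blob = encrypt_stage(('stage payload bytes ' * 4).b, key)
  puts "host=#{stager_host(stager)} key=#{stager_key(stager)}"
  puts "recovered stage: #{decrypt_stage(blob, stager_key(stager))[0, 20].inspect}"
end
```

A stager built this way leaks nothing to someone who merely hijacks the DNS name: without the key embedded in the blob they cannot produce a stage that decrypts to valid code. The flip side, which the commit message also notes, is that the key sits in cleartext inside the stager, so anyone who recovers the binary recovers the key, and rotating the password per deployment is what limits the blast radius.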
Raphael Mudge 788c96566f Allow HTTP stager to work with authenticated proxies
The HttpOpenRequest function from WinINet requires the
INTERNET_FLAG_KEEP_CONNECTION flag to communicate through an
authenticated proxy.

From MSDN ( http://tinyurl.com/chwt86j ):

"Uses keep-alive semantics, if available, for the connection. This
 flag is required for Microsoft Network (MSN), NT LAN Manager (NTLM),
 and other types of authentication."

Without this flag, the HTTP stager will fail when faced with a proxy
that requires authentication. The Windows HTTPS stager does not have
this problem.

For HTTP Meterpreter to communicate through an authenticated proxy a
separate patch will need to be made to the Meterpreter source code.
This is at line 1125 of source/common/core.c in the Meterpreter source
code.

My motivation for this request is for windows/dllinject/reverse_http
to download a DLL even when faced with an authenticated proxy. These
changes accomplish this.

Test environment:

I staged a SmoothWall device with the Advanced Proxy Web Add-on. I
enabled Integrated Windows Authentication with a W2K3 DC. I verified
the HTTP stager authenticated to and communicated through the proxy
by watching the proxy access.log
2013-02-24 17:33:00 -05:00
jvazquez-r7 f04df6300a makefile updated 2013-02-21 13:44:37 +01:00
jvazquez-r7 da9e58ef79 Added the java code to get the ser file 2013-02-20 18:14:24 +01:00