Meatballs
7d7495a5dd
Large refactor of service_permissions
2013-12-15 18:00:14 +00:00
Meatballs
fe7852b524
Unworking refactor of serv_perm
2013-12-15 04:02:11 +00:00
Meatballs
2a819d4b08
Tidyup trusted_Path
...
We dont just want to escalate to SYSTEM it would be handy to know
if we can escalate to anything e.g. Domain logins etc.
2013-12-15 04:01:02 +00:00
Meatballs
ddf23ae8e8
Refactor service_list to return array of hashes
...
Update trusted_service_path, service_permissions,
net_runtime_modify and enum_services to handle change.
Refactor enum_services to tidy it up a bit
2013-12-15 03:00:29 +00:00
Meatballs
3dec7f61a5
Check in sysnative if wow64
2013-12-15 01:12:52 +00:00
Meatballs
2dc4faad72
Resplat license
2013-12-15 01:12:51 +00:00
Meatballs
8203274256
Small fixes
...
Remove " from service command if it is quoted.
Spawn SYSWOW64 notepad.
2013-12-15 01:12:51 +00:00
OJ
f2e2147065
Change unless with else to if with else
2013-12-15 01:12:50 +00:00
OJ
cff7008500
Fix final issues with merge
...
Hopefully this will be the last of the changes.
2013-12-15 01:12:50 +00:00
OJ
41c538856a
Re-add RDI mixin changes
2013-12-15 01:12:49 +00:00
OJ
db29af0f97
First batch of submodule refactorings
2013-12-15 01:12:48 +00:00
Meatballs
6916f7c5d2
Fixup description
2013-12-15 01:12:47 +00:00
Meatballs
3d1646d18e
Exit process when complete
2013-12-15 01:12:47 +00:00
Meatballs
dd32c2b0b8
Spawn 32bit process
2013-12-15 01:12:46 +00:00
Meatballs
819ba30a33
msftidy
...
Conflicts:
lib/msf/core/post/windows/services.rb
2013-12-15 01:12:46 +00:00
Meatballs
5eca4714c2
Renamed module
2013-12-15 01:12:46 +00:00
Meatballs
a930056d7f
Added service status checks to Post::Windows::Services
...
Added QueryServiceStatus to Railgun Advapi32 Definitions
Added Checks to module
Conflicts:
lib/msf/core/post/windows/services.rb
lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_advapi32.rb
2013-12-15 01:12:45 +00:00
Meatballs
c6623b380a
Initial commit
2013-12-15 01:12:45 +00:00
Meatballs
04496a539c
Fix up local wmi exploit.
2013-12-14 20:05:51 +00:00
jvazquez-r7
e8396dc37a
Delete redefinition of ntdll functions on railgun
2013-12-13 16:02:47 -06:00
jvazquez-r7
1ab3e891c9
Modify ms_ndproxy to use railgun additions
2013-12-13 15:54:34 -06:00
jvazquez-r7
5c1ca97e21
Create a new process to host the final payload
2013-12-12 08:26:44 -06:00
jvazquez-r7
eb4e3f8a32
Fix os detection
2013-12-12 07:39:19 -06:00
jvazquez-r7
8b518776bc
Dont fail_with on check
2013-12-11 22:08:36 -06:00
jvazquez-r7
02915c751c
Favor unless over if not and add reference
2013-12-11 16:28:09 -06:00
jvazquez-r7
b6fa3f28b1
Modify description
2013-12-11 08:56:31 -06:00
jvazquez-r7
c4721de4a0
Add module for CVE-2013-5065
2013-12-11 08:52:35 -06:00
b00stfr3ak
0cf1b7fece
add original ask.rb
2013-12-09 14:35:31 -07:00
b00stfr3ak
1d07b2bbfa
Revert "removed ask file, already in pull request 2551"
...
This reverts commit 5ceda7c042
.
2013-12-09 14:31:43 -07:00
Meatballs
9b2ae3c447
Uncomment fail_with
2013-12-05 23:21:06 +00:00
OJ
2cb991cace
Shuffle RDI stuff into more appropriate structure
...
Now broken into two modules, one for loading RDI DLLs off disk and
finding the loader function offset, and another for doing the process
specific stuff of loading into the target.
2013-12-06 08:25:24 +10:00
Meatballs
1e60ff91ea
Move ExitThread patching to Msf::Util::EXE
2013-12-05 17:16:14 +00:00
Meatballs
496b017e33
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
2013-12-05 17:09:32 +00:00
Meatballs
dc0f2b7291
Use ExitProcess
2013-12-05 17:08:47 +00:00
OJ
b936831125
Renamed the mixin module
2013-12-05 08:13:54 +10:00
OJ
7e8db8662e
Update name of the mixin
...
Changed `RdiMixin` to `ReflectiveDLLInjection`.
2013-12-04 22:18:29 +10:00
OJ
f79af4c30e
Add RDI mixin module
...
MSF was starting to see more modules using RDI to load binaries into
remote processes, so it made sense to create a mixin which contained
the functionality that was being used in various locations.
This commit contains the new mixin, and adjustments to all the existing
exploits and modules which use RDI.
2013-12-04 16:09:41 +10:00
Meatballs
915d741f86
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
...
Conflicts:
.gitmodules
external/source/ReflectiveDLLInjection
2013-11-30 19:10:04 +00:00
OJ
0b879d8f39
Comments for WfsDelay, adjustment to injection
...
I had inteded to add the `WfsDelay` as Meatballs suggested, but for locl
exploits this doesn't appear to work as expected. After speaking to HDM
we've decided to leave the sleep in there and figure out the `WsfDelay`
thing later.
This also includes a slight refactor which puts the payload and the
exploit in the same chunk of allocated memory. Minor optimisation, but
worth it.
2013-11-28 08:42:16 +10:00
OJ
defc0ebe5c
ppr_flatten_rec update, RDI submodule, and refactor
...
This commit contains a few changes for the ppr_flatten_rec local windows
exploit. First, the exploit binary itself:
* Updated to use the RDI submodule.
* Updated to build with VS2013.
* Updated to generate a binary called `ppr_flatten_rc.x86.dll`.
* Invocation of the exploit requires address of the payload to run.
Second, the module in MSF behaved a little strange. I expected it to create
a new session with system privs and leave the existing session alone. This
wasn't the case. It used to create an instance of notepad, migrate the
_existing_ session to it, and run the exploit from there. This behaviour
didn't seem to be consistent with other local exploits. The changes
include:
* Existing session is now left alone, only used as a proxy.
* New notepad instance has exploit reflectively loaded.
* New notepad instance has payload directly injected.
* Exploit invocation takes the payload address as a parameter.
* A wait is added as the exploit is slow to run (nature of the exploit).
* Payloads are executed on successful exploit.
2013-11-27 20:44:18 +10:00
Meatballs
cd68b10bcf
Broadcast needs a decent WfsDelay.
...
Due to the multi railgun changes. Because they return quickly but
the process is still broadcasting them the exploit thinks work has
finished...
2013-11-23 19:18:13 +00:00
Meatballs
6c83109422
Really fix wmi
2013-11-23 16:44:44 +00:00
Meatballs
c194fdc67e
Fixup WMI
...
-c doesn't like $var assignments
2013-11-23 00:31:11 +00:00
Meatballs
ec36cebeb4
Update cmd_psh_payloads to send the architecture.
2013-11-22 23:31:33 +00:00
Meatballs
622a1dccda
Update wmi to use generated powershell command line
2013-11-22 23:18:22 +00:00
Meatballs
9835649858
Update hwnd_broadcast to use generated powershell command line.
2013-11-22 23:04:44 +00:00
William Vu
2c485c509e
Fix caps on module titles (first pass)
2013-11-15 00:03:42 -06:00
OJ
506a4d9e67
Remove genericity, x64 and renamed stuff
...
As per discussion on the github issue, the following changes were made:
* Project renamed from elevate to kitrap0d, implying that this is not
intended to be a generic local priv esc exploit container.
* Container DLL no longer generic, always calls the kitrap0d exploit.
* Removal of all x64 code and project configurations.
* Invocation of the exploit changed so that the address of the payload
is passed in to the exploit entry point. The exploit is now responsible
for executing the payload if the exploit is successful. This removes
the possibility of the payload getting executed when the exploit fails.
* Source moved to the appropriate CVE folder.
* Binary moved to the appropriate CVE folder.
* Little bit of source rejigging to tidy things up.
2013-11-14 12:22:53 +10:00
OJ
e4fc361b37
Various tidies and fixes
...
* Change ranking.
* Update references to comply with correct approach.
* Update messages to better describe what should happen.
* Update the Windows version regex to match XP.
* Update `check` function to use `unless`.
Thanks again @jvazquez-r7 for the feedback!
2013-11-13 10:38:48 +10:00
OJ
40f58ce534
Finalise the local exploit for kitrap0d
...
The exploit now properly injects the DLL using RDI and invokes the
exploit based on a parameter passed by the Ruby module. The elevate
code is 'generic' with a goal of possibly supporting more exploits
down the track.
New sessions are now created with the SYSTEM creds, rather than
modifying the existing session. This is now inline with how things
are done with other local modules.
2013-11-12 23:01:24 +10:00
OJ
82739c0315
Add extra URL for exploit detail
2013-11-11 22:07:36 +10:00
OJ
6a25ba18be
Move kitrap0d exploit from getsystem to local exploit
...
This version modifies the existing meterpreter session and bumps the privs
up to SYSTEM. However it's not how local exploits are supposed to work.
More work will be done to make this create a new session with the elevated
privs instead.
2013-11-11 17:14:40 +10:00
Tod Beardsley
e488a54a06
Resplat new WMI module
2013-10-30 15:14:16 -05:00
William Vu
278dff93e7
Add missing require for Msf::Exploit::Powershell
...
Thanks for the report, @mubix.
2013-10-25 21:41:24 -05:00
b00stfr3ak
5ceda7c042
removed ask file, already in pull request 2551
2013-10-25 14:46:50 -07:00
b00stfr3ak
84999115d7
Added PSH option if UAC is turned off
...
This will give the option to drop an exe or use psh if uac is turned
off. The lib can be used for post exploitation to drop an exe or use
powershell and then execute it with the runas command. I have used the
lib for both bypassuac and ask.
2013-10-25 14:37:12 -07:00
b00stfr3ak
868b70c9ed
Added priv lib and runas lib
...
Cleaned up code with using the new lib files
2013-10-25 14:05:33 -07:00
Meatballs
6fdf5cab15
Update bypassuac_injection inline with latest privs lib
2013-10-23 21:15:41 +01:00
Meatballs
e6a2a1006f
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
...
Conflicts:
lib/msf/core/post/windows/priv.rb
modules/exploits/windows/local/bypassuac.rb
2013-10-23 21:02:32 +01:00
b00stfr3ak
a06c0a9575
Merge branch 'local/ask'
2013-10-22 16:06:16 -07:00
b00stfr3ak
69131323af
Merge remote-tracking branch 'upstream/master'
2013-10-22 16:05:19 -07:00
sinn3r
acc73dd545
Land #2282 - BypassUAC now checks if the process is LowIntegrityLevel
2013-10-22 17:16:26 -05:00
sinn3r
af174639cd
Land #2468 - Hwnd Broadcast Performance
2013-10-22 17:03:02 -05:00
Meatballs
8611a2a24c
Merge remote-tracking branch 'upstream/master' into low_integ_bypassuac
2013-10-22 21:42:36 +01:00
sinn3r
ba1edc6fa8
Land #2402 - Windows Management Instrumentation Local -> Peers
2013-10-22 15:39:32 -05:00
b00stfr3ak
9695b2d662
Added check method
...
The method checks to see if the user is a part of the admin group. If
the user is the exploit continues, if not the exploit stops because it
will prompt the user for a password instead of just clicking ok.
2013-10-21 11:57:50 -07:00
sinn3r
1599d1171d
Land #2558 - Release fixes
2013-10-21 13:48:11 -05:00
Tod Beardsley
c1954c458c
Just warn, don't bail
...
Even if the OS detection returns non-Win7, maybe it's Win 8 or something
where it'll still work. We rarely bail out on checks like these.
If I'm crazy, feel free to skip or revert this commit (it shouldn't hold
up the release at all)
For details on this module, see #2503 . I don't see any comments about
this line in particular
2013-10-21 13:39:45 -05:00
Tod Beardsley
bce8d9a90f
Update license comments with resplat.
2013-10-21 13:36:15 -05:00
sinn3r
032da9be10
Land #2426 - make use of Msf::Config.data_directory
2013-10-21 13:07:33 -05:00
b00stfr3ak
6881774c03
Updated with comments from jlee-r7 and Meatballs1
...
Added fail_with instead of just print_error
figured a way to execute the cmd_psh_payload with out using gsub
added case statment for datastore['TECHNIQUE']
2013-10-20 01:15:51 -07:00
b00stfr3ak
6de279733c
Merge branch 'local/ask'
2013-10-19 10:51:55 -07:00
b00stfr3ak
a5dc75a82e
Added PSH option to windows/local/ask exploit
...
Gives you the ability to use powershell to 'ask' for admin rights if the
user has them. Using powershell makes the pop up blue instead of orange
and states that the company is Microsoft, it also doesn't drop an exe
on the system. Looks like 32 bit https works but if you migrate out you
loose priv and if you run cachedump the session hangs.
2013-10-19 00:15:38 -07:00
Meatballs
4e4d0488ae
Rubyfy constants in privs lib
2013-10-18 18:26:07 +01:00
Meatballs
55426882d4
Further bypassuac tidyup
2013-10-18 00:08:06 +01:00
Meatballs
e450e34c7e
Merge branch 'master' of github.com:rapid7/metasploit-framework into low_integ_bypassuac
...
Conflicts:
modules/exploits/windows/local/bypassuac.rb
2013-10-17 23:35:36 +01:00
Meatballs
5a662defac
Post::Privs uses Post::Registry methods
2013-10-17 23:28:07 +01:00
Meatballs
b3cc9f6f1e
Use sysnative to delete the cryptbase.dll when in SYSWOW64 process.
...
Merge branch 'master' of github.com:Meatballs1/metasploit-framework into bypassuac_redo
Conflicts:
modules/exploits/windows/local/bypassuac.rb
2013-10-17 21:01:57 +01:00
Tod Beardsley
07ab53ab39
Merge from master to clear conflict
...
Conflicts:
modules/exploits/windows/brightstor/tape_engine_8A.rb
modules/exploits/windows/fileformat/a-pdf_wav_to_mp3.rb
2013-10-17 13:29:24 -05:00
James Lee
a54b4c7370
Land #2482 , use runas when UAC is DoNotPrompt
2013-10-16 17:51:11 -05:00
Tod Beardsley
5d86ab4ab8
Catch mis-formatted bracket comments.
2013-10-15 14:52:12 -05:00
Tod Beardsley
c83262f4bd
Resplat another common boilerplate.
2013-10-15 14:07:48 -05:00
Tod Beardsley
23d058067a
Redo the boilerplate / splat
...
[SeeRM #8496 ]
2013-10-15 13:51:57 -05:00
jvazquez-r7
c68319d098
Fix author
2013-10-15 12:59:19 -05:00
MrXors
f345414832
Added correct spelling in info
2013-10-15 10:13:18 -07:00
jvazquez-r7
0b9cf24103
Convert vss_persistence to Local Exploit
2013-10-15 11:11:04 -05:00
Meatballs
9ca9b4ab29
Merge branch 'master' into data_dir
...
Conflicts:
lib/msf/core/auxiliary/jtr.rb
2013-10-10 19:55:26 +01:00
Meatballs
a843722ae3
Concurrent printing of the output no longer makes sense...
2013-10-10 19:01:19 +01:00
Meatballs
536c3c7b92
Use multi railgun call for a large performance increase.
2013-10-10 19:01:14 +01:00
Rob Fuller
aed2490536
add some output and fixing
2013-10-07 15:42:41 -04:00
Rob Fuller
75d2abc8c2
integrate some ask functionality into bypassuac
2013-10-07 15:14:54 -04:00
trustedsec
0799766faa
Fix UAC is not enabled, no reason to run module when UAC is enabled and vulnerable
...
The new changes when calling uac_level = open_key.query_value('ConsentPromptBehaviorAdmin') breaks UAC on Windows 7 and Windows 8 and shows that UAC is not enabled when it is:
Here is prior to the change on a fully patched Windows 8 machine:
msf exploit(bypassuac) > exploit
[*] Started reverse handler on 172.16.21.156:4444
[*] UAC is Enabled, checking level...
[-] UAC is not enabled, no reason to run module
[-] Run exploit/windows/local/ask to elevate
msf exploit(bypassuac) >
Here's the module when running with the most recent changes that are being proposed:
[*] Started reverse handler on 172.16.21.156:4444
[*] UAC is Enabled, checking level...
[!] Could not determine UAC level - attempting anyways...
[*] Checking admin status...
[+] Part of Administrators group! Continuing...
[*] Uploading the bypass UAC executable to the filesystem...
[*] Meterpreter stager executable 73802 bytes long being uploaded..
[*] Uploaded the agent to the filesystem....
[*] Sending stage (770048 bytes) to 172.16.21.128
[*] Meterpreter session 6 opened (172.16.21.156:4444 -> 172.16.21.128:49394) at 2013-10-05 15:49:23 -0400
meterpreter >
With the new changes and not having a return on when 0 (will not always return 0 - just in certain cases where you cannot query) - it works.
2013-10-05 15:56:55 -04:00
Meatballs
c460f943f7
Merge branch 'master' into data_dir
...
Conflicts:
modules/exploits/windows/local/always_install_elevated.rb
plugins/sounds.rb
scripts/meterpreter/powerdump.rb
scripts/shell/spawn_meterpreter.rb
2013-10-02 20:17:11 +01:00
Meatballs
b306415ecf
Tidy and updates to info
2013-09-29 17:32:39 +01:00
Meatballs
29a7059eb4
Update AlwaysInstallElevated to use a generated MSI file
...
Fixes bugs with MSI::UAC option, invalid logic and typo...
2013-09-29 17:09:03 +01:00
Meatballs
353cd9aaf5
Check payload.arch
2013-09-27 11:13:19 +01:00
Meatballs
d2fa7d84a9
Tidyup includes
2013-09-27 10:12:53 +01:00
Meatballs
5fa0eb32a9
Merge upstream
2013-09-27 10:11:10 +01:00
Meatballs
c3c07b5fd7
Better arch checking
2013-09-27 09:39:29 +01:00
Meatballs
dfac7b57d2
Fixup SysWOW64
2013-09-27 09:10:49 +01:00
Meatballs
b8df7cc496
Initialize strings fool
2013-09-27 09:01:00 +01:00
Meatballs
3d812742f1
Merge upstream master
2013-09-26 21:27:44 +01:00
Meatballs
7ba846ca24
Find and replace
2013-09-26 20:34:48 +01:00
Meatballs
a25833e4d7
Fix %TEMP% path
2013-09-26 19:22:36 +01:00
William Vu
52a92a55ce
Land #2394 , ms13_005_hwnd_broadcast require fix
2013-09-24 13:43:21 -05:00
Tod Beardsley
8db1a389eb
Land #2304 fix post module require order
...
Incidentally resolve conflict on current_user_psexec to account for the
new powershell require.
2013-09-23 16:52:23 -05:00
Tod Beardsley
99f145cbff
Don't split the post requires
2013-09-23 14:02:43 -05:00
darknight007
6b06ed0df1
Update current_user_psexec.rb
2013-09-22 03:07:17 +05:00
sinn3r
96364c78f8
Need to catch RequestError too
...
Because a meterpreter session may throw that
2013-09-20 17:13:35 -05:00
Meatballs
6e69fe48bf
Undo psexec changes
2013-09-20 22:30:00 +01:00
Meatballs
2591be503b
Psh support
2013-09-20 22:07:42 +01:00
Meatballs
15885e4ef6
Change static x value
2013-09-20 20:31:14 +01:00
Meatballs
ee365a6b64
Some liberal sleeping
2013-09-20 19:33:27 +01:00
Meatballs
7d1c5c732a
Correct powershell
2013-09-20 18:36:24 +01:00
Meatballs
9819566d94
Nearly
2013-09-20 17:18:14 +01:00
Meatballs
a00f3d8b8e
initial
2013-09-20 13:40:28 +01:00
Tod Beardsley
ef72b30074
Include the post requires until #2354 lands
...
Another one that needs the manual require. See #2354
2013-09-19 09:47:01 -05:00
James Lee
9a555d8701
Fix the modules added since the branch
2013-09-17 18:25:12 -05:00
James Lee
150f0f644e
Merge branch 'rapid7' into bug/osx-mods-load-order
...
Conflicts:
modules/post/windows/gather/enum_dirperms.rb
2013-09-17 18:21:13 -05:00
Tod Beardsley
b4b7cecaf4
Various minor desc fixes, also killed some tabs.
2013-09-16 15:50:00 -05:00
James Lee
58b634dd27
Remove unnecessary requires from post mods
2013-09-12 14:36:01 -05:00
jvazquez-r7
9ad1be7318
Make junk easier
2013-09-11 09:33:01 -05:00
jvazquez-r7
825eb9d1ca
Add module for OSVDB 96208
2013-09-11 00:11:00 -05:00
jvazquez-r7
4f1db80c24
Fix requires in new post modules
2013-09-10 11:13:07 -05:00
Meatballs
473f08bbb6
Register cleanup and update check
2013-09-05 22:43:26 +01:00
Meatballs
400b433267
Sort out exception handling
2013-09-05 22:21:44 +01:00
Meatballs
d4043a6646
Spaces and change to filedropper
2013-09-05 20:41:37 +01:00
Meatballs
c5daf939d1
Stabs tabassassin
2013-09-05 20:36:52 +01:00
Tab Assassin
d0360733d7
Retab changes for PR #2282
2013-09-05 14:05:34 -05:00
Tab Assassin
49dface180
Merge for retab
2013-09-05 14:05:28 -05:00
Tab Assassin
1460474a55
Retab changes for PR #2288
2013-09-05 13:58:24 -05:00
Tab Assassin
e711a495eb
Merge for retab
2013-09-05 13:58:19 -05:00
Meatballs
9787bb80e7
Address @jlee-r7's feedback
2013-09-05 19:57:05 +01:00
Tab Assassin
845bf7146b
Retab changes for PR #2304
2013-09-05 13:41:25 -05:00
Tab Assassin
adf9ff356c
Merge for retab
2013-09-05 13:41:23 -05:00
Meatballs
3066e7e19d
ReverseConnectRetries ftw
2013-09-04 00:16:19 +01:00
Meatballs
a8e77c56bd
Updates
2013-09-03 22:46:20 +01:00
Meatballs
ac0c493cf9
Merge branch 'master' of github.com:rapid7/metasploit-framework into local_win_priv_keyring
2013-09-03 21:33:11 +01:00
Tab Assassin
84aaf2334a
Retab new material
2013-09-03 11:47:26 -05:00
Tab Assassin
0c1e6546af
Update from master
2013-09-03 11:45:39 -05:00
sinn3r
ac0b14e793
Add the missing CVE reference
...
Was looking at all the 2013 exploit modules for missing CVE references
2013-08-31 18:54:16 -05:00
Tab Assassin
41e4375e43
Retab modules
2013-08-30 16:28:54 -05:00
James Lee
63adde2429
Fix load order in posts, hopefully forever
2013-08-29 13:37:50 -05:00
Meatballs
ff5cf396ab
Remove large file and rename payload.dll
2013-08-27 00:30:27 +01:00
Meatballs
035e97523b
In memory bypassuac
2013-08-27 00:13:19 +01:00
Meatballs
05f1622fcb
Fix require
2013-08-26 16:21:18 +01:00
Meatballs
3b9ded5a8e
BypassUAC now checks if the process is LowIntegrityLevel
...
and fails if so. Some small improvements made to Post::Priv
and BypassUAC module.
2013-08-26 13:54:55 +01:00
HD Moore
6c1ba9c9c9
Switch to Failure vs Exploit::Failure
2013-08-15 14:14:46 -05:00
sinn3r
5128458c90
Land #2201 - Better check for ppr_flatten_rec
2013-08-09 14:44:23 -05:00
sinn3r
021c358159
Land #2203 - Fix regex for x64 detection
2013-08-09 13:23:38 -05:00
Sagi Shahar
7178633140
Fixed architecture detection in bypassuac modules
2013-08-09 03:42:02 +02:00
Meatballs
318280fea7
Add 7/2k8 RTM versions
2013-08-08 20:02:14 +01:00
Meatballs
d64352652f
Adds unsupported Vista versions
2013-08-08 19:58:40 +01:00
Meatballs
08c32c250f
File versions
2013-08-08 19:42:14 +01:00
Tod Beardsley
40f015f596
Avoid require race with powershell
2013-08-05 09:56:32 -05:00
Tod Beardsley
5ea67586c8
Rewrite description for MS13-005
...
The first part of the description was copy-pasted from
http://packetstormsecurity.com/files/122588/ms13_005_hwnd_broadcast.rb.txt
which contained some grammatical errors. Please try to avoid cribbing
other researchers' descriptions directly for Metasploit modules.
2013-08-05 09:29:29 -05:00
Tod Beardsley
e7206af5b5
OSVDB and comment doc fixes
2013-08-05 09:08:17 -05:00
jvazquez-r7
3a05993f16
Make msftidy happy and warn user about long times
2013-07-29 11:45:30 -05:00
Meatballs
234e49d982
Add type technique
2013-07-26 23:33:16 +01:00
jvazquez-r7
805a9675a7
Modify the check for Integrity Level and Allow dropt o fs
2013-07-26 14:54:50 -05:00
Meatballs
12a58c730a
Small fix
2013-07-26 10:15:47 +01:00
Meatballs
6a13ed0371
Missing include
2013-07-26 03:18:17 +01:00
Meatballs
72b8891ba3
Check for low integrity
2013-07-26 03:16:45 +01:00
Meatballs
030640d5bc
back to cmd
2013-07-26 03:00:36 +01:00
Meatballs
d3f3e5d63e
Working with psh download
2013-07-26 02:29:55 +01:00
Meatballs
b99ad41a64
Add api constants and tidy
2013-07-26 01:48:39 +01:00
Meatballs
0235e6803d
Initial working
2013-07-25 23:24:11 +01:00
Meatballs
44cae75af1
Cleanup
2013-07-24 19:52:59 +01:00
jvazquez-r7
ad94f434ab
Avoid a fix address for the final userland payload
2013-07-05 10:21:11 -05:00
sinn3r
226f4dd8cc
Use execute_shellcode for novell_client_nicm.rb
2013-07-03 13:57:41 -05:00
sinn3r
f9cfba9021
Use execute_shellcode for novell_client_nwfs.rb
2013-07-03 13:55:50 -05:00
g0tmi1k
2a6056fd2a
exploits/s4u_persistence~Fixed typos+default values
2013-07-03 00:38:50 +01:00
jvazquez-r7
a2b8daf149
Modify fail message when exploitation doen't success
2013-06-29 10:45:13 -05:00
jvazquez-r7
a5c3f4ca9b
Modify ruby code according to comments
2013-06-29 08:54:00 -05:00
jvazquez-r7
427e26c4dc
Fix current_pid
2013-06-28 21:36:49 -05:00
jvazquez-r7
32ae7ec2fa
Fix error description and bad variable usage
2013-06-28 21:30:33 -05:00
jvazquez-r7
fb67002df9
Switch from print_error to print_warning
2013-06-28 21:29:20 -05:00
jvazquez-r7
3ab948209b
Fix module according to @wchen-r7 feedback
2013-06-28 20:44:42 -05:00
jvazquez-r7
00416f3430
Add a new print_status
2013-06-28 18:23:49 -05:00
jvazquez-r7
7725937461
Add Module for cve-2013-3660
2013-06-28 18:18:21 -05:00
jvazquez-r7
795dd6a02a
Add module for OSVDB 93718
2013-06-24 23:51:28 -05:00
Steve Tornio
a920127f8c
reference updates for several modules
2013-06-23 20:43:34 -05:00
jvazquez-r7
f106b6db50
Add comment with the component version
2013-06-21 17:38:30 -05:00
jvazquez-r7
5fe9a80bf0
Add module for OSVDB 46578
2013-06-21 17:31:40 -05:00
sinn3r
da4b18c6a1
[FixRM:#8012] - Fix message data type to int
...
This patch makes sure s.message is actually an int, that way we can
properly stop or enable the service.
2013-06-06 23:49:14 -05:00
cbgabriel
1032663cd4
Fixed check for Administrators SID in whoami /group output
2013-06-04 18:34:06 -04:00
jvazquez-r7
53cb493bc9
Fix @jlee-r7's feedback
2013-05-20 18:44:21 -05:00
jvazquez-r7
85ceaa1a62
Add module for CVE-2013-2730
2013-05-18 12:44:24 -05:00
Meatballs
05426cb61b
Fix dir creation
2013-04-27 21:39:29 +01:00
Meatballs
8bfaa41723
Fix x64 dll creation
2013-04-27 20:44:46 +01:00
HD Moore
e2b8d5ed23
Fix from David Kennedy, enable Windows 8 support
2013-04-09 02:07:40 -05:00
James Lee
2160718250
Fix file header comment
...
[See #1555 ]
2013-03-07 17:53:19 -06:00
Meatballs
07475e5483
Update
2013-02-22 21:22:51 +00:00
Meatballs
769ca6335f
Mrg Juan's changes, stop shadowing
2013-02-22 20:09:21 +00:00
jvazquez-r7
416a7aeaa3
make msftidy happy for s4u_persistence
2013-02-18 15:23:06 +01:00
jvazquez-r7
be0feecf8f
Merge branch 's4u_persistence' of https://github.com/smilingraccoon/metasploit-framework into smilingraccoon-s4u_persistence
2013-02-18 15:22:37 +01:00
Thomas McCarthy
25f8a7dcb9
Fix expire tag logic and slight clean up
...
Was a dumbass again and didn't fully understand how Optints worked when left blank at run time. If not 0 the expire tag will be inserted now. Also made it print the xpath if used because I believe it will be of value to the user for trouble shooting.
2013-02-17 22:35:52 -05:00
Thomas McCarthy
a8d574e4ce
Updated one print_status
2013-02-17 14:08:33 -05:00
Thomas McCarthy
7b2c1afadb
I'm an idiot, fix logon xpath
2013-02-14 09:16:47 -05:00
smilingraccoon
e78cbdd14d
missed one line
2013-02-13 18:17:38 -05:00
smilingraccoon
bbf8fe0213
Use Post::File methods and fail_with
2013-02-13 18:10:05 -05:00
jvazquez-r7
42a6d96ff4
using Post::File methods plus little more cleanup
2013-02-12 01:33:07 +01:00
jvazquez-r7
97edbb7868
using always a vbs file to drop exe
2013-02-12 00:58:26 +01:00
Carlos Perez
5edb138a8f
fixed nil issue
2013-02-11 11:51:33 -04:00
smilingraccoon
3a499b1a6d
added s4u_persistence.rb
2013-02-10 14:22:36 -05:00
Carlos Perez
fea84cad10
Fix additional typos per recomendation
2013-02-08 14:47:16 -04:00
Carlos Perez
b8f0a94c3f
Fixed typos mentioned by Egypt
2013-02-08 14:42:10 -04:00
Carlos Perez
c131b7ef0e
Added exception handing and return checking as requested by Sinn3r
2013-02-07 21:06:05 -04:00
Carlos Perez
19e989dff9
Initial commit fo the migrated module
2013-02-07 19:11:44 -04:00
jvazquez-r7
174ab31010
Moving reused methods to Accounts mixin
2013-01-31 12:59:55 +01:00
Tod Beardsley
aaf18f0257
EOL whitespace, yo.
2013-01-29 14:22:30 -06:00
jvazquez-r7
3faf4b3aca
adding sinn3r as author
2013-01-24 18:13:30 +01:00
sinn3r
2cedcad810
Check PID
2013-01-24 10:46:23 -06:00
sinn3r
ad108900d5
Why yes I know it's a module
2013-01-23 16:23:41 -06:00
sinn3r
22f7619892
Improve Carlos' payload injection module - See #1201
...
Lots of changes, mainly:
* Description update
* Avoid accessing protected methods
* More careful exception & return value handling
2013-01-23 16:15:14 -06:00
sinn3r
e93b7ffcaf
Add Carlos Perez's payload injection module
...
See #1201
2013-01-23 14:07:48 -06:00
Meatballs1
1bc5fd3758
Changed to warnings
2013-01-20 00:29:38 +00:00
Christian Mehlmauer
8f2dd8e2ce
msftidy: Remove $Revision$
2013-01-04 00:48:10 +01:00
Christian Mehlmauer
25aaf7a676
msftidy: Remove $Id$
2013-01-04 00:41:44 +01:00
Meatballs1
fde267bea4
Break on session
2013-01-03 20:21:05 +00:00
Meatballs1
54e4557855
Leave handler running for reboot
2013-01-03 20:07:41 +00:00
Meatballs1
df21836aa0
Use fail_with
2013-01-03 19:43:25 +00:00
Meatballs1
861951f7fd
Add exception handling around get_imperstoken
2012-12-30 14:58:39 +00:00
Meatballs1
e09c33faa4
Merge remote changes
2012-12-30 14:36:54 +00:00
Meatballs1
90dd90a304
Add Startup Manual to Check method
2012-12-30 14:32:17 +00:00
Meatballs1
6b0c3eadb2
Merge branch 'master' of https://github.com/rapid7/metasploit-framework into local_win_priv_keyring
2012-12-30 14:17:46 +00:00
sinn3r
9b768a2c62
Merge branch 'cleanup/post-windows-services' of git://github.com/jlee-r7/metasploit-framework into jlee-r7-cleanup/post-windows-services
2012-12-21 23:42:17 -06:00
Meatballs
0963b5ee84
Use custom exist?
2012-12-13 23:00:26 +00:00
Meatballs
522a80875e
Borrowed enum_dirperms checking.
2012-12-13 22:16:39 +00:00
jvazquez-r7
17518f035c
support for local exploits on file_dropper
2012-11-28 22:17:27 +01:00
jvazquez-r7
85ed074674
Final cleanup on always_install_elevated
2012-11-28 21:50:08 +01:00
jvazquez-r7
fd1557b6d2
Merge branch 'msi_elevated' of https://github.com/Meatballs1/metasploit-framework into Meatballs1-msi_elevated
2012-11-28 21:49:36 +01:00
Meatballs1
7fea0d4af6
Add initial auto run script
2012-11-28 16:38:31 +00:00
Meatballs1
a3fbf276f9
Reinstated cleanup
2012-11-28 11:23:08 +00:00
Meatballs1
b5b47152fc
Changed to static msi filename
2012-11-28 11:21:02 +00:00
Meatballs1
76f7abe5b6
Little tidy up
2012-11-27 23:58:58 +00:00
Meatballs1
81c2182424
Msftidy
2012-11-27 23:33:07 +00:00
Meatballs1
9741d55724
Moved to agnostic post module commands
2012-11-27 23:26:19 +00:00
Meatballs1
6fe378b594
Minor changes to description
2012-11-27 20:56:52 +00:00
Meatballs1
d067b040a0
Minor changes to description
2012-11-27 20:55:36 +00:00
Meatballs1
7727f3d6e8
Msftidy
2012-11-27 18:31:54 +00:00
Meatballs1
889c8ac12d
Add build instructions and removed binary
2012-11-27 18:18:20 +00:00
Meatballs1
bc9065ad42
Move MSI source and binary location
2012-11-27 18:12:49 +00:00
Tod Beardsley
f1fedee63b
EOL space, deleted
2012-11-26 14:19:40 -06:00
Meatballs1
579126c777
Remove redundant sleep
2012-11-22 10:44:41 +00:00
Meatballs1
021e0f37e9
Cleanup s
2012-11-22 10:34:05 +00:00
Meatballs1
7936fce7cf
Remove auto migrate - we probably dont want to migrate away from a SYSTEM process.
2012-11-22 10:29:58 +00:00
Meatballs1
128eafe22c
Changed to Local Exploit
2012-11-22 10:26:23 +00:00
Rob Fuller
e18acf2103
remove debugging code
2012-11-14 23:56:32 -05:00
Rob Fuller
7d41f1f9a0
add admin already and admin group checks
2012-11-14 23:54:01 -05:00
Meatballs1
063661c320
Address some initial feedback thanks bperry
2012-11-11 19:33:32 +00:00
Meatballs1
ac6048837b
msftidy
2012-11-11 15:12:18 +00:00
Meatballs1
142cef6182
Dont cleanup dll when reboot is required.
2012-11-11 15:11:00 +00:00
Meatballs1
ca95973b8f
Null check
2012-11-11 14:56:26 +00:00
Meatballs1
19fe29e820
Merge remote-tracking branch 'upstream/master' into local_win_priv_keyring
2012-11-11 14:43:31 +00:00
Meatballs1
933515dae2
Msftidy
2012-11-11 14:42:49 +00:00
Meatballs1
f60aa562b7
Working x86
2012-11-11 14:39:41 +00:00
James Lee
34bc92584b
Refactor WindowsServices
...
* Pulls common code up from several methods into #open_sc_manager
* Deprecates the name Windows::WindowsServices in favor of
Windows::Services. The platform is already clear from the namespace.
* Makes the post/test/services test module actually work
[See #1007 ]
[See #1012 ]
2012-11-06 17:30:04 -06:00
Meatballs1
cae0aa9c31
Check architecture, fix cleanup etc
2012-11-05 23:55:49 +00:00
sagishahar
53c7479d70
Add Windows 8 support
...
Verified with Windows 8 Enterprise Evaluation
2012-10-29 20:12:47 +02:00
sinn3r
f1423bf0b4
If a message is clearly a warning, then use print_warning
2012-10-24 00:44:53 -05:00
Tod Beardsley
be9a954405
Merge remote branch 'jlee-r7/cleanup/post-requires'
2012-10-23 15:08:25 -05:00
Michael Schierl
910644400d
References EDB cleanup
...
All other types of references use String arguments, but approximately half
of the EDB references use Fixnums. Fix this by using Strings here too.
2012-10-23 21:02:09 +02:00
Michael Schierl
21f6127e29
Platform windows cleanup
...
Change all Platform 'windows' to 'win', as it internally is an alias
anyway and only causes unnecessary confusion to have two platform names
that mean the same.
2012-10-23 20:33:01 +02:00
James Lee
9c95c7992b
Require's for all the include's
2012-10-23 13:24:05 -05:00
sinn3r
33ce74fe8c
Merge branch 'msftidy-1' of git://github.com/schierlm/metasploit-framework into schierlm-msftidy-1
2012-10-23 02:10:56 -05:00
Rob Fuller
7437d9844b
standardizing author info
2012-10-22 17:01:58 -04:00
Michael Schierl
5b18a34ad4
References cleanup
...
Uppercase MSB, spaces in URLs.
2012-10-22 22:37:01 +02:00
Michael Schierl
657d527f8d
DisclosureDate cleanup: Try parsing all dates
...
Fix all dates unparsable by `Date.strptime(value, '%b %d %Y')`
2012-10-22 20:04:21 +02:00
Meatballs1
344f32d6ba
Initial commit - non working :(
2012-10-20 00:23:41 +01:00
Tod Beardsley
9192a01803
All exploits need a disclosure date.
2012-10-15 16:29:12 -05:00
sinn3r
529f88c66d
Some msftidy fixes
2012-10-14 19:16:54 -05:00
sinn3r
97ac7fa184
Merge branch 'module-wle-service-permissions' of git://github.com/zeroSteiner/metasploit-framework
2012-10-14 18:27:32 -05:00
Spencer McIntyre
3ab24cdbb9
added exploits/windows/local/service_permissions
2012-10-11 22:42:36 -04:00
sinn3r
e02adc1f35
Merge branch 'mubix-bypassuac_uac_check'
2012-10-06 02:09:16 -05:00
sinn3r
33429c37fd
Change print_error to print_debug as a warning
2012-10-06 02:08:19 -05:00
Rob Fuller
55474dd8bf
add simple UAC checks to bypassuac
2012-10-06 00:59:54 -04:00
Rob Fuller
b984d33996
add RunAs ask module
2012-10-06 00:51:44 -04:00
Rob Fuller
0ae7756d26
fixed missing > on author
2012-10-05 11:13:40 -04:00
Rob Fuller
8520cbf218
fixes spotted by @jlee-r7
2012-10-04 17:34:35 -04:00
Tod Beardsley
4400cb94b5
Removing trailing spaces
2012-10-04 14:58:53 -05:00
Rob Fuller
3f2fe8d5b4
port bypassuac from post module to local exploit
2012-10-04 14:31:23 -04:00
sinn3r
e36507fc05
Code cleanup and make msftidy happy
2012-10-02 12:00:23 -05:00
Spencer McIntyre
21e832ac1c
add call to memory protect to fix DEP environments
2012-10-01 18:49:18 -04:00
Spencer McIntyre
c93692b06d
add a check to verify session is not already system for MS11-080
2012-09-27 08:36:13 -04:00
Spencer McIntyre
8648953747
added MS11-080 AFD JoinLeaf Windows Local Exploit
2012-09-26 11:01:30 -04:00
sinn3r
ac2e3dd44e
Merge branch 'master' of github.com:rapid7/metasploit-framework
2012-08-15 14:47:22 -05:00
sinn3r
54146b8e99
Add another ref about the technique
2012-08-15 14:46:51 -05:00
Tod Beardsley
f325d47659
Fix up description a little
2012-08-15 13:57:24 -05:00
Tod Beardsley
586d937161
Msftidy fix and adding OSVDB
2012-08-15 13:43:50 -05:00
sinn3r
dc5f8b874d
Found a bug with retrying.
2012-08-14 17:04:17 -05:00
sinn3r
3e0e5a1a75
No manual stuff, probably prones to failure anyway.
2012-08-14 10:58:57 -05:00
sinn3r
612848df6f
Add priv escalation mod for exploiting trusted service path
2012-08-14 01:55:03 -05:00
Tod Beardsley
bd408fc27e
Updating msft links to psexec
...
Thanks for the spot @shuckins-r7 !
2012-08-13 15:28:04 -05:00
James Lee
67cdea1788
Fix load order issues (again)
...
This is getting annoying. Some day we'll have autoload and never have
to deal with this.
2012-08-10 13:52:54 -06:00
Tod Beardsley
d5b165abbb
Msftidy.rb cleanup on recent modules.
...
Notably, DisclosureDate is required for other module parsers, so let's
not ignore those, even if you have to guess at the disclosure or call
the module's publish date the disclosure date.
2012-08-04 12:18:00 -05:00
James Lee
227d0dbc47
Add jabra to authors. I'm a jerk
2012-08-02 11:13:53 -06:00
James Lee
1a2a1e70f7
Replace load with require, *facepalm*
2012-08-01 22:51:36 -06:00
James Lee
0707730fe0
Remove superfluous method
...
Obsoleted by session.session_host, which does the same thing
2012-08-01 01:07:21 -06:00
James Lee
47eb387886
Add current_user_psexec module
...
Tested against a 2k8 domain controller.
2012-08-01 01:05:10 -06:00
James Lee
ebe48ecf16
Add Rank for schelevator, update sock_sendpage's
2012-07-18 11:16:29 -06:00
James Lee
1fbe5742bd
Axe some copy-pasta
2012-06-12 23:58:20 -06:00
James Lee
9f78a9e18e
Port ms10-092 to the new Exploit::Local format
2012-06-12 23:58:20 -06:00