Commit Graph

1487 Commits (b1dfed8577c45f9b1fccce5ecfb460caeb201a8c)

Author SHA1 Message Date
David Maloney b1dfed8577
rebuilt template DLLs
x86 dll template was way out of date and
did not match the x64 tempalte. rebuilt them both
2014-02-25 15:34:42 -06:00
David Maloney 3c773f031c
add new binaries compiled from latest src
compiled and added new binaries to make sure
most up to date source is used
2014-02-25 14:06:57 -06:00
Meatballs 496b017e33
Merge remote-tracking branch 'upstream/master' into bypassuac_redo 2013-12-05 17:09:32 +00:00
Meatballs dc0f2b7291
Use ExitProcess 2013-12-05 17:08:47 +00:00
sinn3r ddbd5858e0
Land #2701 - Refactor of `ppr_flatten_rec`
Also [SeeRM #8140]
2013-12-03 10:51:58 -06:00
Meatballs cf12826d2c
Dont use xp toolchain
and dont bother editbin
2013-11-30 20:04:00 +00:00
Meatballs d3a0199539
Update for new Reflective DLL Submodule
Update to VS2013 Toolsets
Include .msbuild and make.bat
Tidyup of if { }
Post build step to copy to output directory
2013-11-30 19:58:25 +00:00
Meatballs 915d741f86
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
Conflicts:
	.gitmodules
	external/source/ReflectiveDLLInjection
2013-11-30 19:10:04 +00:00
jvazquez-r7 0343aef7c8
Land #2695, @wchen-r7's support to detect silverlight 2013-11-27 09:40:12 -06:00
OJ defc0ebe5c
ppr_flatten_rec update, RDI submodule, and refactor
This commit contains a few changes for the ppr_flatten_rec local windows
exploit. First, the exploit binary itself:

* Updated to use the RDI submodule.
* Updated to build with VS2013.
* Updated to generate a binary called `ppr_flatten_rc.x86.dll`.
* Invocation of the exploit requires address of the payload to run.

Second, the module in MSF behaved a little strange. I expected it to create
a new session with system privs and leave the existing session alone. This
wasn't the case. It used to create an instance of notepad, migrate the
_existing_ session to it, and run the exploit from there. This behaviour
didn't seem to be consistent with other local exploits. The changes
include:

* Existing session is now left alone, only used as a proxy.
* New notepad instance has exploit reflectively loaded.
* New notepad instance has payload directly injected.
* Exploit invocation takes the payload address as a parameter.
* A wait is added as the exploit is slow to run (nature of the exploit).
* Payloads are executed on successful exploit.
2013-11-27 20:44:18 +10:00
James Lee 25b1ec5b75
Land #2689, getenv 2013-11-26 23:33:25 -06:00
OJ 72813c1f3e
Merge branch 'egypt/feature/getenv-php' into getenv_cmd 2013-11-27 15:22:15 +10:00
James Lee a3337e5de5
Add PHP side for meterpreter getenv 2013-11-26 23:16:28 -06:00
OJ a0f703ee44 Add getenv support to python meterpreter
This change adds support for `getenv` to python meterpreter. Nothing too
complex going on here. I tidied up the definitions of the TLVs as well
so that they look nice.
2013-11-27 11:19:26 +10:00
sinn3r 5d10b44430 Add support for Silverlight
Add support for Silverlight exploitation. [SeeRM #8705]
2013-11-26 14:47:27 -06:00
jvazquez-r7 6cb63cdad6
Land #2679, @wchen-r7's exploit for cve-2013-3906 2013-11-25 22:04:26 -06:00
jvazquez-r7 25eb13cb3c Small fix to interface 2013-11-22 17:02:08 -06:00
jvazquez-r7 136c18c070 Add binary objects for MS13-022 2013-11-22 16:45:07 -06:00
sinn3r 94e13a0b8a Initial commit of CVE-2013-3906 2013-11-19 23:10:32 -06:00
OJ 0b413aa0b8 Remove extapi binaries
These were committed in the flurry of merges last night by me. They
should be removed until the extapi PR has been fully reviewed and
merged. This commit just removes the binaries from master, they'll
be re-added when appropriate.
2013-11-15 06:24:00 +10:00
jvazquez-r7 4cf16cf360
Land #2633, @OJ's port of Kitrap0d as local exploit 2013-11-14 09:27:10 -06:00
OJ 4bd0900359
Updated meterpreter binaries
Includes the following:

* Clean builds
* Removal of kitrap0d from getsystem
* Doc updates
* Webcam crash fix
* Schedular and channel refactor
* Posix crash fix for post modules
2013-11-15 01:14:14 +10:00
OJ 506a4d9e67
Remove genericity, x64 and renamed stuff
As per discussion on the github issue, the following changes were made:

* Project renamed from elevate to kitrap0d, implying that this is not
  intended to be a generic local priv esc exploit container.
* Container DLL no longer generic, always calls the kitrap0d exploit.
* Removal of all x64 code and project configurations.
* Invocation of the exploit changed so that the address of the payload
  is passed in to the exploit entry point. The exploit is now responsible
  for executing the payload if the exploit is successful. This removes
  the possibility of the payload getting executed when the exploit fails.
* Source moved to the appropriate CVE folder.
* Binary moved to the appropriate CVE folder.
* Little bit of source rejigging to tidy things up.
2013-11-14 12:22:53 +10:00
jvazquez-r7 ef6d9db48f
Land #2613, @wchen-r7's BrowserExploitServer mixin 2013-11-12 17:33:12 -06:00
OJ 40f58ce534
Finalise the local exploit for kitrap0d
The exploit now properly injects the DLL using RDI and invokes the
exploit based on a parameter passed by the Ruby module. The elevate
code is 'generic' with a goal of possibly supporting more exploits
down the track.

New sessions are now created with the SYSTEM creds, rather than
modifying the existing session. This is now inline with how things
are done with other local modules.
2013-11-12 23:01:24 +10:00
sinn3r 62102dd1f9
Land #2544 - Vbs minimize 2013-11-11 11:14:56 -06:00
sinn3r 33f65dd611
Land #2577 - Use base64 to reduce psh-net payload size 2013-11-11 10:21:20 -06:00
William Vu f402f4c16e
Land #2614, another default OWA URL 2013-11-08 17:20:20 -06:00
Rob Fuller cdc6a863dd Add another default owa url
Its not default, but not uncommon to find /exchange/ NTLM protected
2013-11-07 08:50:22 -05:00
sinn3r b34b4ac2b6 Update the java stuff again 2013-11-07 00:57:20 -06:00
sinn3r 991240a87e Support java version detection 2013-11-07 00:54:52 -06:00
OJ 715fdc05ec
Updated meterpreter binaries
Includes the following changes:

* Security cleanup - remove use of insecure functions
* Windows 8/8.1/2012 R2 support to sysinfo
* VS 2013 upgrade
* Command dispatcher refactor
* Getproxy command added (needs MSF side too)
2013-11-07 14:31:54 +10:00
sinn3r cf5d9c7f01 Add case for IE10 + Win 7 SP1 detection 2013-11-06 11:41:36 -06:00
sinn3r 5f2d8358c0 Be more browser specific with Javascript generation 2013-11-05 01:04:52 -06:00
joev 5f85ede389 Prevent xhr shim from leaking. 2013-11-02 16:47:50 -05:00
joev 90d8da6a21 Fix some bugs in my edits, add a spec. 2013-11-02 16:46:33 -05:00
joev c7c1fcfa98 Pull shared XHR shim out, add option to static Js module method.
* Moves shim to data/js/network/xhr_shim.js
* Add some yardoc comments
2013-11-02 14:52:50 -05:00
sinn3r 391360d67f Update xmlhttprequest 2013-10-31 16:09:05 -05:00
sinn3r 6e7e5a0ff9 Put postInfo() in the js directory 2013-10-31 13:55:22 -05:00
joev 4425cf1dc1 Add support for firefox 25.
Also replaces a bunch of missing semicolons.
2013-10-30 12:19:22 -05:00
jvazquez-r7 2b5e2df94e
Land #2568, @h0ng10's update of SAP url's wordlist 2013-10-28 09:01:33 -05:00
jvazquez-r7 e88e523eaa Delete newline 2013-10-28 09:01:00 -05:00
Meatballs e18dd3ec0b
Use base64 to reduce size 2013-10-25 01:19:43 +01:00
Tod Beardsley 27739a0351
Meterpreter bins after Meterpreter PR 32
Protects against potential BOFs due to strcpy usage.

These binaries were built against meterpreter master after
https://github.com/rapid7/meterpreter/pull/32 landed.

The CI tests can be seen here:

https://ci.metasploit.com/view/Meterpreter/job/MeterpreterWin/75/

Note, this commit is signed. Your merge commit should be signed, too, so
people can be assured that nobody is backdooring Meterpreter on the sly.
2013-10-24 15:15:49 -05:00
Tod Beardsley b5f26455a3
Land #2545, javascript library overhaul 2013-10-23 16:12:49 -05:00
Meatballs e6a2a1006f
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
Conflicts:
	lib/msf/core/post/windows/priv.rb
	modules/exploits/windows/local/bypassuac.rb
2013-10-23 21:02:32 +01:00
h0ng10 a834fec889 Added URL for PT-2013-13/SAP Note 1820894 2013-10-23 21:20:18 +02:00
h0ng10 e02bf0cce6 Added /AdapterFramework/version/version.jsp 2013-10-23 21:09:19 +02:00
sinn3r 19615ac4b7 Apparently I missed a lot of stuff 2013-10-21 21:02:01 -05:00
Tod Beardsley 824dd84982 Merge remote-tracking branch 'upstream/pr/2500' into temp 2013-10-21 14:26:05 -05:00