Commit Graph

3995 Commits (b710014ece52f76eb4ff5f0efc11436261b5941d)

Author SHA1 Message Date
Spencer McIntyre cc32c877a9 Add CVE-2013-3881 win32k Null Page exploit 2014-02-06 17:23:38 -05:00
sinn3r 89e1bcc0ca Deprecate modules with date 2013-something
These modules had an expiration date of 2013.
2014-02-04 14:49:18 -06:00
William Vu a58698c177
Land #2922, multithreaded check command 2014-02-04 11:21:05 -06:00
Meatballs 08493f2670
Merge remote-tracking branch 'upstream/master' into upgrade_psh
Conflicts:
	lib/msf/core/post/file.rb
2014-02-03 18:02:09 +00:00
Meatballs 95eb758642
Initial commit 2014-02-02 19:04:38 +00:00
William Vu a5bff638c5 Remove EOL spaces 2014-01-31 15:01:03 -06:00
sinn3r cc4dea7d49 Was playing with ms08_067 check and realized I forgot this print 2014-01-25 16:15:52 -06:00
William Vu 47b9bfaffc Use opts hash for adobe_pdf_embedded_exe
https://dev.metasploit.com/redmine/issues/8498
2014-01-24 20:16:53 -06:00
jvazquez-r7 9db295769d
Land #2905, @wchen-r7's update of exploit checks 2014-01-24 16:49:33 -06:00
sinn3r cdc425e4eb Update some checks 2014-01-24 12:08:23 -06:00
sgabe 16b8b58a84 Fix the dwSize parameter 2014-01-24 11:38:57 +01:00
sgabe 8f6dcd7545 Add some randomization to the ROP chain 2014-01-24 10:28:59 +01:00
sgabe 021aa77f5f Add module for BID-46926 2014-01-24 01:48:21 +01:00
sinn3r c403c521b3 Change check code 2014-01-23 11:03:40 -06:00
Tod Beardsley b3b51eb48c
Pre-release fixup
* Updated descriptions to be a little more descriptive.

  * Updated store_loot calls to inform the user where the
loot is stored.

  * Removed newlines in print_* statments -- these will screw
up Scanner output when dealing with multiple hosts.

Of the fixed newlines, I haven't see any output, so I'm not sure what
the actual message is going to look like -- I expect it's a whole bunch
of newlines in there so it'll be kinda ugly as is (not a blocker for
this but should clean up eventually)
2014-01-21 13:29:08 -06:00
sinn3r fe767f3f64 Saving progress
Progress group 2: Making sure these checks comply with the new
guidelines. Please read: "How to write a check() method" found in
the wiki.
2014-01-21 11:07:03 -06:00
sinn3r e5dc6a9911 Update exploit checks
Progress group 1: Making sure these checks comply with the new
guidelines. Please read: "How to write a check() method" found in
the wiki.
2014-01-20 14:26:10 -06:00
dukeBarman 88c283880a Fix bugs 2014-01-18 17:04:46 -05:00
dukeBarman 766c408d86 Add CVE-2013-0634: Adobe Flash Player 11.5 memory corruption 2014-01-18 11:07:11 -05:00
jvazquez-r7 c670259539 Fix protocol handling 2014-01-17 00:49:44 -06:00
jvazquez-r7 eaf1b0caf6 Add minor clean up 2014-01-16 17:55:45 -06:00
jvazquez-r7 f3c912bd32 Add module for ZDI-14-003 2014-01-16 17:49:49 -06:00
sgabe b4280f2876 Very minor code formatting 2014-01-14 13:35:00 +01:00
sgabe e7cc3a2345 Removed unnecessary target 2014-01-13 13:17:16 +01:00
sgabe 26d17c03b1 Replaced ROP chain 2014-01-13 02:54:49 +01:00
sgabe d657a2efd3 Added DEP Bypass 2014-01-11 20:31:28 +01:00
sgabe 72d15645df Added more references 2014-01-11 20:30:50 +01:00
sgabe 8449005b2a Fixed CVE identifier. 2014-01-10 23:45:34 +01:00
Tod Beardsley cd38f1ec5d
Minor touchups to recent modules. 2014-01-03 13:39:14 -06:00
William Vu 2d25781cf0
Land #2804 for real (thanks, @jvazquez-r7!)
It was the wrong time to mess with my workflow.
2014-01-02 16:39:02 -06:00
OJ 1cb671b02e
Merge branch 'adjust_getenv_api' into stop_abusing_expand_path 2014-01-03 08:14:02 +10:00
William Vu 67a796021d
Land #2804, IBM Forms Viewer 4.0 exploit 2014-01-02 16:10:02 -06:00
jvazquez-r7 eaeb457d5e Fix disclosure date and newline as pointed by @wvu-r7 2014-01-02 16:08:44 -06:00
William Vu d291cd92d7
Land #2817, icofx_bof random things 2014-01-01 22:01:48 -06:00
jvazquez-r7 b4439a263b Make things random 2013-12-31 16:06:25 -06:00
sinn3r 184bd1e0b2
Land #2815 - Change gsub hardtabs 2013-12-31 15:58:21 -06:00
jvazquez-r7 2252a037a5 Fix disclosure date 2013-12-31 14:51:43 -06:00
jvazquez-r7 3775b6ce91 Add module for CVE-2013-4988 2013-12-31 14:43:45 -06:00
jvazquez-r7 841f67d392 Make adobe_reader_u3d also compliant 2013-12-31 11:07:31 -06:00
jvazquez-r7 7f9f4ba4db Make gsubs compliant with the new indentation standard 2013-12-31 11:06:53 -06:00
William Vu 80a1e85235 Add :config => false to sysax_ssh_username 2013-12-30 18:13:49 -06:00
jvazquez-r7 57d60c66f9 Add masqform version as comment 2013-12-27 10:59:23 -06:00
jvazquez-r7 341e3c0370 Use rexml 2013-12-27 10:55:36 -06:00
jvazquez-r7 ee35f9ac30 Add module for zdi-13-274 2013-12-27 10:20:44 -06:00
sinn3r 367dce505b Minor details 2013-12-24 00:39:15 -06:00
sgabe f687a14539 Added support for opening via menu. 2013-12-24 03:12:49 +01:00
sgabe 287271cf98 Fixed date format. 2013-12-22 01:32:16 +01:00
sgabe 0ac495fef8 Replaced hex with plain text. 2013-12-22 01:31:37 +01:00
sgabe 44ab583611 Added newline to end of file. 2013-12-20 22:40:45 +01:00
sgabe 62f71f6282 Added module for CVE-2013-6877 2013-12-20 22:37:09 +01:00
OJ 9fb081cb2d Add getenvs, update getenv, change extract_path use
Stacks of modules were using `extract_path` where it wasn't really semantically correct
because this was the only way to expand environment variables. This commit fixes that
up a bit.

Also, I changed the existing `getenv` function in `stdapi` to `getenvs`, and had it
support the splat operator. I added a `getenv` function which is used just for a
single variable and uses `getenvs` behind the scenes.

The meterpreter console `getenv` command now uses `getenvs`
2013-12-19 11:54:34 +10:00
sinn3r 4bddd077ec
Land #2762 - Use new ntdll railgun functions 2013-12-18 15:18:47 -06:00
Meatballs 3e54379b0e
Merge remote-tracking branch 'upstream/master' into wmic_post
Conflicts:
	lib/msf/core/post/windows.rb
2013-12-18 13:40:54 +00:00
sinn3r ad2ec497c2
Land #2773 - Fix ms_ndproxy to work under a sandboxed Reader 2013-12-16 20:32:27 -06:00
jvazquez-r7 52cb43e6a8 Fix typo 2013-12-16 20:28:49 -06:00
jvazquez-r7 84759a552a Save one variable 2013-12-16 16:49:44 -06:00
jvazquez-r7 042bd4f80b Fix ms_ndproxy to work under a sandboxed Reader 2013-12-16 16:19:17 -06:00
Tod Beardsley f88a3a55b6
More slight updates. 2013-12-16 15:05:39 -06:00
sinn3r afcee93309
Land #2771 - Fix description 2013-12-16 15:01:32 -06:00
sinn3r 04b7e8b174 Fix module title and add vendor patch information 2013-12-16 14:59:00 -06:00
Tod Beardsley 040619c373
Minor description changes
No code changes (one comment made on play_youtube to suggest xdg-open
rather than firefox for linux targets).
2013-12-16 14:57:33 -06:00
jvazquez-r7 533accaa87 Add module for CVE-2013-3346 2013-12-16 14:13:47 -06:00
Meatballs 3dec7f61a5 Check in sysnative if wow64 2013-12-15 01:12:52 +00:00
Meatballs 2dc4faad72 Resplat license 2013-12-15 01:12:51 +00:00
Meatballs 8203274256 Small fixes
Remove " from service command if it is quoted.
Spawn SYSWOW64 notepad.
2013-12-15 01:12:51 +00:00
OJ f2e2147065 Change unless with else to if with else 2013-12-15 01:12:50 +00:00
OJ cff7008500 Fix final issues with merge
Hopefully this will be the last of the changes.
2013-12-15 01:12:50 +00:00
OJ 41c538856a Re-add RDI mixin changes 2013-12-15 01:12:49 +00:00
OJ db29af0f97 First batch of submodule refactorings 2013-12-15 01:12:48 +00:00
Meatballs 6916f7c5d2 Fixup description 2013-12-15 01:12:47 +00:00
Meatballs 3d1646d18e Exit process when complete 2013-12-15 01:12:47 +00:00
Meatballs dd32c2b0b8 Spawn 32bit process 2013-12-15 01:12:46 +00:00
Meatballs 819ba30a33 msftidy
Conflicts:
	lib/msf/core/post/windows/services.rb
2013-12-15 01:12:46 +00:00
Meatballs 5eca4714c2 Renamed module 2013-12-15 01:12:46 +00:00
Meatballs a930056d7f Added service status checks to Post::Windows::Services
Added QueryServiceStatus to Railgun Advapi32 Definitions
Added Checks to module

Conflicts:
	lib/msf/core/post/windows/services.rb
	lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_advapi32.rb
2013-12-15 01:12:45 +00:00
Meatballs c6623b380a Initial commit 2013-12-15 01:12:45 +00:00
Meatballs 04496a539c
Fix up local wmi exploit. 2013-12-14 20:05:51 +00:00
jvazquez-r7 e8396dc37a Delete redefinition of ntdll functions on railgun 2013-12-13 16:02:47 -06:00
sinn3r ba1a70b72e Update Microsoft patch information 2013-12-13 15:59:15 -06:00
jvazquez-r7 1ab3e891c9 Modify ms_ndproxy to use railgun additions 2013-12-13 15:54:34 -06:00
jvazquez-r7 5c1ca97e21 Create a new process to host the final payload 2013-12-12 08:26:44 -06:00
jvazquez-r7 eb4e3f8a32 Fix os detection 2013-12-12 07:39:19 -06:00
jvazquez-r7 8b518776bc Dont fail_with on check 2013-12-11 22:08:36 -06:00
jvazquez-r7 02915c751c Favor unless over if not and add reference 2013-12-11 16:28:09 -06:00
jvazquez-r7 b6fa3f28b1 Modify description 2013-12-11 08:56:31 -06:00
jvazquez-r7 c4721de4a0 Add module for CVE-2013-5065 2013-12-11 08:52:35 -06:00
sinn3r 3a9ac303f0 Use rexml for XML data generation 2013-12-10 15:37:44 -06:00
jvazquez-r7 230fcd87a5 Add module for zdi-13-259 2013-12-10 08:45:08 -06:00
Meatballs 6f02744d46
Land #2730 Typo in mswin_tiff_overflow 2013-12-06 12:32:37 +00:00
Meatballs 3aebe968bb
Land #2721 Reflective DLL Mixin
Adds support to load a dll and identify the ReflectiveLoader offset.
Adds support to inject dll into process and execute it.

Updates kitrap0d, ppr_flatten_rec, reflective_dll_inject modules and
payload modules to use above features.
2013-12-06 12:26:51 +00:00
sinn3r 89ef1d4720 Fix a typo in mswin_tiff_overflow 2013-12-06 00:44:12 -06:00
Meatballs 9b2ae3c447
Uncomment fail_with 2013-12-05 23:21:06 +00:00
OJ 2cb991cace Shuffle RDI stuff into more appropriate structure
Now broken into two modules, one for loading RDI DLLs off disk and
finding the loader function offset, and another for doing the process
specific stuff of loading into the target.
2013-12-06 08:25:24 +10:00
Meatballs 1e60ff91ea
Move ExitThread patching to Msf::Util::EXE 2013-12-05 17:16:14 +00:00
Meatballs 496b017e33
Merge remote-tracking branch 'upstream/master' into bypassuac_redo 2013-12-05 17:09:32 +00:00
Meatballs dc0f2b7291
Use ExitProcess 2013-12-05 17:08:47 +00:00
OJ b936831125 Renamed the mixin module 2013-12-05 08:13:54 +10:00
OJ 7e8db8662e Update name of the mixin
Changed `RdiMixin` to `ReflectiveDLLInjection`.
2013-12-04 22:18:29 +10:00
OJ f79af4c30e Add RDI mixin module
MSF was starting to see more modules using RDI to load binaries into
remote processes, so it made sense to create a mixin which contained
the functionality that was being used in various locations.

This commit contains the new mixin, and adjustments to all the existing
exploits and modules which use RDI.
2013-12-04 16:09:41 +10:00
sinn3r 230db6451b Remove @peer for modules that use HttpClient
The HttpClient mixin has a peer() method, therefore these modules
should not have to make their own. Also new module writers won't
repeat the same old code again.
2013-12-03 12:58:16 -06:00
sinn3r ddbd5858e0
Land #2701 - Refactor of `ppr_flatten_rec`
Also [SeeRM #8140]
2013-12-03 10:51:58 -06:00
jvazquez-r7 2d77ed58d5
Land #2648, @pnegry's exploit for Kaseya File Upload 2013-12-03 09:35:05 -06:00
jvazquez-r7 2606a6ff0e Do minor clean up for kaseya_uploadimage_file_upload 2013-12-03 09:34:25 -06:00
Thomas Hibbert 21bb8fd25a Update based on jvazquez's suggestions. 2013-12-03 13:49:31 +13:00
Tod Beardsley 55847ce074
Fixup for release
Notably, adds a description for the module landed in #2709.
2013-12-02 16:19:05 -06:00
Meatballs 915d741f86
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
Conflicts:
	.gitmodules
	external/source/ReflectiveDLLInjection
2013-11-30 19:10:04 +00:00
sinn3r 8817c0eee0 Change description a bit
Try to make this sound smoother
2013-11-28 12:19:42 -06:00
jvazquez-r7 807e2dfd31 Fix title 2013-11-28 10:53:12 -06:00
jvazquez-r7 7dee4ffd4d Add module for ZDI-13-270 2013-11-28 10:47:04 -06:00
Thomas Hibbert d1e4975f76 Use res.get_cookies instead of homebrew parse. Use _cgi 2013-11-28 16:35:36 +13:00
OJ 0b879d8f39 Comments for WfsDelay, adjustment to injection
I had inteded to add the `WfsDelay` as Meatballs suggested, but for locl
exploits this doesn't appear to work as expected. After speaking to HDM
we've decided to leave the sleep in there and figure out the `WsfDelay`
thing later.

This also includes a slight refactor which puts the payload and the
exploit in the same chunk of allocated memory. Minor optimisation, but
worth it.
2013-11-28 08:42:16 +10:00
OJ defc0ebe5c
ppr_flatten_rec update, RDI submodule, and refactor
This commit contains a few changes for the ppr_flatten_rec local windows
exploit. First, the exploit binary itself:

* Updated to use the RDI submodule.
* Updated to build with VS2013.
* Updated to generate a binary called `ppr_flatten_rc.x86.dll`.
* Invocation of the exploit requires address of the payload to run.

Second, the module in MSF behaved a little strange. I expected it to create
a new session with system privs and leave the existing session alone. This
wasn't the case. It used to create an instance of notepad, migrate the
_existing_ session to it, and run the exploit from there. This behaviour
didn't seem to be consistent with other local exploits. The changes
include:

* Existing session is now left alone, only used as a proxy.
* New notepad instance has exploit reflectively loaded.
* New notepad instance has payload directly injected.
* Exploit invocation takes the payload address as a parameter.
* A wait is added as the exploit is slow to run (nature of the exploit).
* Payloads are executed on successful exploit.
2013-11-27 20:44:18 +10:00
Thomas Hibbert bb0753fcdd Updated module to comply with indentation standard and to use suggestions from reviewers 2013-11-27 16:00:00 +13:00
sinn3r 5d10b44430 Add support for Silverlight
Add support for Silverlight exploitation. [SeeRM #8705]
2013-11-26 14:47:27 -06:00
sinn3r a914fbc400
Land #2693 - case sensitive 2013-11-26 11:16:57 -06:00
Tod Beardsley 671c0d9473
Fix nokogiri typo
[SeeRM #8730]
2013-11-26 10:54:31 -06:00
jvazquez-r7 253719d70c Fix title 2013-11-26 08:11:29 -06:00
jvazquez-r7 6cb63cdad6
Land #2679, @wchen-r7's exploit for cve-2013-3906 2013-11-25 22:04:26 -06:00
jvazquez-r7 0079413e81 Full revert the change 2013-11-25 22:04:02 -06:00
sinn3r fa97c9fa7c Revert this change 2013-11-25 20:54:39 -06:00
sinn3r 3247106626 Heap spray adjustment by @jvazquez-r7 2013-11-25 20:50:53 -06:00
jvazquez-r7 4c249bb6e9 Fix heap spray 2013-11-25 20:06:42 -06:00
sinn3r 385381cde2 Change target address
This one tends to work better with our boxes
2013-11-25 17:21:39 -06:00
sinn3r 8005826160
Land #2644 - MS13-090 CardSpaceClaimCollection vuln 2013-11-25 13:06:09 -06:00
Meatballs a3c7dccfc0
Add disconnect option to psexec
Allow the module to prevent the mixin from ending the SMB session.
2013-11-24 16:37:25 +00:00
Meatballs dd9bb459bf
PSEXEC Refactor
Move peer into mixin
PSEXEC should use the psexec mixin
2013-11-24 16:24:05 +00:00
sinn3r 9987ec0883 Hmm, change ranking 2013-11-23 00:51:58 -06:00
sinn3r 6ccc3e3c48 Make payload execution more stable 2013-11-23 00:47:45 -06:00
sinn3r d748fd4003 Final commit 2013-11-22 23:35:26 -06:00
sinn3r f871452b97 Slightly change the description
Because it isn't that slow
2013-11-22 19:27:00 -06:00
sinn3r eddedd4746 Working version 2013-11-22 19:14:56 -06:00
jvazquez-r7 7e4487b93b Update description 2013-11-22 17:37:23 -06:00
sinn3r c8fd761c53 Progress 2013-11-22 16:57:29 -06:00
jvazquez-r7 a7ad107e88 Add ruby code for ms13-022 2013-11-22 16:41:56 -06:00
sinn3r 953a96fc2e This one looks promising 2013-11-22 12:27:10 -06:00
sinn3r 8476ca872e More progress 2013-11-22 11:53:57 -06:00
sinn3r f1d181afc7 Progress 2013-11-22 04:51:55 -06:00
sinn3r 6d5c1c230c Progress 2013-11-22 03:55:40 -06:00
sinn3r 4d2253fe35 Diet 2013-11-22 02:25:09 -06:00
sinn3r 8382d31f46 More progress 2013-11-21 18:48:12 -06:00
jvazquez-r7 885fedcc3b Fix target name 2013-11-21 17:42:31 -06:00
sinn3r 56d1c545e7 Oh look, more code 2013-11-21 14:42:07 -06:00
jvazquez-r7 851cf6f0d1
Land #2650, @pnegry's exploit for DesktopCentral 8 2013-11-21 09:30:17 -06:00
jvazquez-r7 77aa665385 Add Privileged flag 2013-11-21 09:28:28 -06:00
jvazquez-r7 2ab3ab8b66 Delete empty Payload metadata section 2013-11-21 09:27:25 -06:00
jvazquez-r7 6bd3c4c887 Fix target name 2013-11-21 09:07:25 -06:00
jvazquez-r7 4c2ad4ca9a Fix metadata 2013-11-21 09:06:47 -06:00
jvazquez-r7 8e4c5dbb5e improve upload_file response check 2013-11-21 09:02:11 -06:00
jvazquez-r7 8fdfeb73db Fix use of FileDropper and improve check method 2013-11-21 09:01:41 -06:00
jvazquez-r7 4abf01c64c Clean indentation 2013-11-21 08:32:54 -06:00
sinn3r ddd5b0abb9 More progress 2013-11-21 04:27:41 -06:00
sinn3r e13e457d8f Progress 2013-11-20 17:11:13 -06:00
sinn3r 94e13a0b8a Initial commit of CVE-2013-3906 2013-11-19 23:10:32 -06:00
Thomas Hibbert 4cc20f163b Update References field to be compliant. 2013-11-20 13:01:21 +13:00
Thomas Hibbert c76fa32345 Fixed reference format 2013-11-20 12:53:21 +13:00
Thomas Hibbert 26a5e37266 Use MSF::Exploit:FileDropper to register the uploaded file for cleanup. 2013-11-20 12:27:22 +13:00
Thomas Hibbert 07c76fd3e6 Module cleaned for msftidy compliance. 2013-11-20 11:33:14 +13:00
sinn3r a9de5e2846
Land #2634 - Opt browser autopwn load list 2013-11-19 15:10:29 -06:00
jvazquez-r7 bddb314073 Fix usage of Retries 2013-11-18 09:09:20 -06:00
jvazquez-r7 237bb22771 Disable auto migrate 2013-11-18 08:54:22 -06:00
Thomas Hibbert 960f7c9bbb Add DesktopCentral arbitrary file upload exploit. 2013-11-18 16:11:28 +13:00
Thomas Hibbert 60a245b0c3 Fix the arch declaration in uploaded module. 2013-11-18 14:49:03 +13:00
Thomas Hibbert 636fdfe2d2 Added Kaseya uploadImage exploit. 2013-11-18 14:23:34 +13:00
Tod Beardsley 89d0b3c41c
Return the splat and require on a module. 2013-11-15 12:19:53 -06:00
jvazquez-r7 cbb7eb192c Add module for CVE-2013-3918 2013-11-15 10:38:52 -06:00
William Vu 2c485c509e Fix caps on module titles (first pass) 2013-11-15 00:03:42 -06:00
jvazquez-r7 4cf16cf360
Land #2633, @OJ's port of Kitrap0d as local exploit 2013-11-14 09:27:10 -06:00
jvazquez-r7 fe2cd93a65 Delete ms13_037_svg_dashstyle from the browser_autopwn list 2013-11-13 23:46:50 -06:00
OJ 506a4d9e67
Remove genericity, x64 and renamed stuff
As per discussion on the github issue, the following changes were made:

* Project renamed from elevate to kitrap0d, implying that this is not
  intended to be a generic local priv esc exploit container.
* Container DLL no longer generic, always calls the kitrap0d exploit.
* Removal of all x64 code and project configurations.
* Invocation of the exploit changed so that the address of the payload
  is passed in to the exploit entry point. The exploit is now responsible
  for executing the payload if the exploit is successful. This removes
  the possibility of the payload getting executed when the exploit fails.
* Source moved to the appropriate CVE folder.
* Binary moved to the appropriate CVE folder.
* Little bit of source rejigging to tidy things up.
2013-11-14 12:22:53 +10:00
jvazquez-r7 8771b163f0 Solve conflicts with aladdin_choosefilepath_bof 2013-11-12 23:11:42 -06:00
OJ e4fc361b37 Various tidies and fixes
* Change ranking.
* Update references to comply with correct approach.
* Update messages to better describe what should happen.
* Update the Windows version regex to match XP.
* Update `check` function to use `unless`.

Thanks again @jvazquez-r7 for the feedback!
2013-11-13 10:38:48 +10:00
jvazquez-r7 ef6d9db48f
Land #2613, @wchen-r7's BrowserExploitServer mixin 2013-11-12 17:33:12 -06:00
jvazquez-r7 004c1bac78 Reduce number of modules available on BrowserAutopwn 2013-11-12 12:37:29 -06:00
OJ 40f58ce534
Finalise the local exploit for kitrap0d
The exploit now properly injects the DLL using RDI and invokes the
exploit based on a parameter passed by the Ruby module. The elevate
code is 'generic' with a goal of possibly supporting more exploits
down the track.

New sessions are now created with the SYSTEM creds, rather than
modifying the existing session. This is now inline with how things
are done with other local modules.
2013-11-12 23:01:24 +10:00
Tod Beardsley 2035983d3c
Fix a handful of msftidy warnings, and XXX SSL
Marked the SSL stuff as something that needs to be resolved in order to
fix a future bug in datastore manipulation. Also, fixed some whitespace
and exec complaints

[SeeRM #8498]
2013-11-11 21:23:35 -06:00
jvazquez-r7 b01d8c50e0 Restore module crash documentation 2013-11-11 17:09:41 -06:00
jvazquez-r7 30de61168d Support heap spray obfuscation 2013-11-11 17:05:54 -06:00
jvazquez-r7 922f0eb900 Switch aladdin_choosefilepath_bof2 to use BrowserExploitServer 2013-11-11 17:01:09 -06:00
sinn3r b887ed68b5
Land #2608 - Allow guest login option for psexec. 2013-11-11 10:09:41 -06:00
OJ 82739c0315 Add extra URL for exploit detail 2013-11-11 22:07:36 +10:00
OJ 6a25ba18be Move kitrap0d exploit from getsystem to local exploit
This version modifies the existing meterpreter session and bumps the privs
up to SYSTEM. However it's not how local exploits are supposed to work.
More work will be done to make this create a new session with the elevated
privs instead.
2013-11-11 17:14:40 +10:00
jvazquez-r7 d419c73488
Land #2517, @3v0lver's exploit for cve-2008-2286 2013-11-08 08:41:04 -06:00
jvazquez-r7 fddb69edb3 Use instance variables for 1-time injections 2013-11-08 08:30:35 -06:00
jvazquez-r7 69b261a9f2 Clean post exploitation code 2013-11-07 18:11:54 -06:00
jvazquez-r7 9f51268d21 Make xp_shell_enable instance variable 2013-11-07 17:53:28 -06:00
jvazquez-r7 aa1000df72 Clean check method 2013-11-07 17:44:22 -06:00
jvazquez-r7 c2662d28e0 Move module to the misc folder 2013-11-07 17:34:22 -06:00
jvazquez-r7 b068e4beb5 Fix indentation and refactor send_update_computer 2013-11-07 17:33:35 -06:00
scriptjunkie 7615264b17 Merge branch 'lanattacks_fix' of git://github.com/OJ/metasploit-framework into OJ-lanattacks_fix 2013-11-07 10:35:00 -06:00
root 944528e633 Updated for temporal pathing with TEMP variable 2013-11-07 01:34:55 -05:00
scriptjunkie 61e4700832
Allow guest login option.
This enables obtaining or maintaining access to properly misconfigured
systems through the Guest account.
2013-11-06 11:28:13 -06:00
OJ 7dcb071f11 Remote shebang and fix pxexeploit 2013-11-06 07:10:25 +10:00
Tod Beardsley 84572c58a8
Minor fixup for release
* Adds some new refs.
  * Fixes a typo in a module desc.
  * Fixes a weird slash continuation for string building (See #2589)
2013-11-04 12:10:38 -06:00
root 5c923757e8 Removed generic command execution capability 2013-10-30 21:35:24 -04:00
Tod Beardsley e488a54a06
Resplat new WMI module 2013-10-30 15:14:16 -05:00
jvazquez-r7 c8ceaa25c6
Land #2589, @wvu-r7's exploit for OSVDB 98714 2013-10-29 14:56:30 -05:00
jvazquez-r7 9f81aeb4ad Fix style 2013-10-29 14:55:16 -05:00
William Vu 5af42f2c28 Add short comment on why the padding is necessary 2013-10-29 11:46:10 -05:00
William Vu e368cb0a5e Add Win7 SP1 to WinXP SP3 target 2013-10-29 10:45:14 -05:00
William Vu ea7bba4035 Add Beetel Connection Manager NetConfig.ini BOF 2013-10-28 22:52:02 -05:00
Tod Beardsley 9045eb06b0
Various title and description updates 2013-10-28 14:00:19 -05:00
William Vu 278dff93e7 Add missing require for Msf::Exploit::Powershell
Thanks for the report, @mubix.
2013-10-25 21:41:24 -05:00
jvazquez-r7 b69ee1fc67 [FixRM #8419] Add module platform to ms04_011_pct 2013-10-25 09:29:19 -05:00
Meatballs 6fdf5cab15
Update bypassuac_injection inline with latest privs lib 2013-10-23 21:15:41 +01:00
Meatballs e6a2a1006f
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
Conflicts:
	lib/msf/core/post/windows/priv.rb
	modules/exploits/windows/local/bypassuac.rb
2013-10-23 21:02:32 +01:00
William Vu bea04cceeb Remove the trailing slash from the ZDI ref 2013-10-23 11:05:33 -05:00
Booboule 7d84fa487e Correct ZDI ref to match new scheme 2013-10-23 11:44:44 +02:00
sinn3r acc73dd545
Land #2282 - BypassUAC now checks if the process is LowIntegrityLevel 2013-10-22 17:16:26 -05:00
sinn3r af174639cd
Land #2468 - Hwnd Broadcast Performance 2013-10-22 17:03:02 -05:00
Tod Beardsley dc0d9ae21d
Land #2560, ZDI references
[FixRM #8513]
2013-10-22 15:58:21 -05:00
Meatballs 8611a2a24c
Merge remote-tracking branch 'upstream/master' into low_integ_bypassuac 2013-10-22 21:42:36 +01:00
sinn3r ba1edc6fa8
Land #2402 - Windows Management Instrumentation Local -> Peers 2013-10-22 15:39:32 -05:00
root 85479f5994 removed PrependMigrate, introduced migrate -f 2013-10-22 16:11:19 -04:00
jvazquez-r7 11b2719ccc Change module plate 2013-10-22 12:36:58 -05:00
jvazquez-r7 df42dfe863
Land #2536, @ddouhine's exploit for ZDI-11-061 2013-10-22 12:35:40 -05:00
jvazquez-r7 c34155b8be Clean replication_manager_exec 2013-10-22 12:34:35 -05:00
William Vu 2aed8a3aea Update modules to use new ZDI reference 2013-10-21 15:13:46 -05:00
sinn3r 1599d1171d
Land #2558 - Release fixes 2013-10-21 13:48:11 -05:00
Tod Beardsley c1954c458c
Just warn, don't bail
Even if the OS detection returns non-Win7, maybe it's Win 8 or something
where it'll still work. We rarely bail out on checks like these.

If I'm crazy, feel free to skip or revert this commit (it shouldn't hold
up the release at all)

For details on this module, see #2503. I don't see any comments about
this line in particular
2013-10-21 13:39:45 -05:00
Tod Beardsley bce8d9a90f
Update license comments with resplat. 2013-10-21 13:36:15 -05:00
sinn3r 4c14595525
Land #2535 - Use %PATH% for notepad 2013-10-21 13:14:44 -05:00
sinn3r 032da9be10
Land #2426 - make use of Msf::Config.data_directory 2013-10-21 13:07:33 -05:00
sinn3r 6430fa3354
Land #2539 - Support Windows CMD generic payload
This also upgrades auxiliary/admin/scada/igss_exec_17 to an exploit
2013-10-21 11:26:13 -05:00
sinn3r 45d06dd28d Change plate 2013-10-21 11:24:30 -05:00
sinn3r 8c05f8cf51
Land #2550 - Add HP Intelligent Managemetn UploadServlet dir traversal 2013-10-21 11:14:22 -05:00
sinn3r d22e4ac2f1 Check timeout condition 2013-10-21 11:13:48 -05:00
sinn3r 36dace26fa
Land #2538 - Fix redirect URLs 2013-10-21 11:08:03 -05:00
jvazquez-r7 27078eb5a6 Add support for HP imc /BIMS 5.1 2013-10-20 18:18:34 -05:00
jvazquez-r7 b0d32a308a Update version information 2013-10-19 00:52:22 -05:00
jvazquez-r7 7d8a0fc06c Add BID reference 2013-10-19 00:29:43 -05:00
jvazquez-r7 cf239c2234 Add module for ZDI-13-238 2013-10-19 00:05:09 -05:00
jvazquez-r7 dbd74bceed Add the ARCH_CMD target 2013-10-18 16:35:22 -05:00
Meatballs 4e4d0488ae
Rubyfy constants in privs lib 2013-10-18 18:26:07 +01:00
root 2e0a14d719 Introduced PrependMigrate, PPID killing and general clean-up 2013-10-18 12:24:50 -04:00
Norbert Szetei 9d6031acdb Reverting payload_inject because of x64 shellcode
Injecting x64 shellcode in a SYSWOW64 process spawn a 32 bit notepad, so
we revert the changes.
2013-10-18 09:51:18 +02:00
Meatballs 55426882d4
Further bypassuac tidyup 2013-10-18 00:08:06 +01:00
Meatballs e450e34c7e
Merge branch 'master' of github.com:rapid7/metasploit-framework into low_integ_bypassuac
Conflicts:
	modules/exploits/windows/local/bypassuac.rb
2013-10-17 23:35:36 +01:00
Meatballs 5a662defac
Post::Privs uses Post::Registry methods 2013-10-17 23:28:07 +01:00
Meatballs b3cc9f6f1e
Use sysnative to delete the cryptbase.dll when in SYSWOW64 process.
Merge branch 'master' of github.com:Meatballs1/metasploit-framework into bypassuac_redo

Conflicts:
	modules/exploits/windows/local/bypassuac.rb
2013-10-17 21:01:57 +01:00
James Lee 94db3f511a Avoid extra slash in redirect URI
[SeeRM #8507]
2013-10-17 14:10:15 -05:00
jvazquez-r7 be1d6ee0d3 Support Windows CMD generic payload 2013-10-17 14:07:27 -05:00
Tod Beardsley 07ab53ab39
Merge from master to clear conflict
Conflicts:
	modules/exploits/windows/brightstor/tape_engine_8A.rb
	modules/exploits/windows/fileformat/a-pdf_wav_to_mp3.rb
2013-10-17 13:29:24 -05:00
jvazquez-r7 7f6dadac16 Merge for sync 2013-10-17 10:40:01 -05:00
Davy Douhine b03783baec minors fixes and rand for endstring 2013-10-17 17:10:05 +02:00
Davy Douhine 22eb2ba163 randstring and fixes 2013-10-17 16:51:34 +02:00
Norbert Szetei 563bf4e639 Fix bug #8502, used %PATH% for notepad invocation
We use system %PATH% for notepad executable instead of the absolute
path, because it caused a problem with the migrate script in a 64-bit
meterpreter session. By default the wordpad binary is not in the
%PATH%, so the condition in hp_nnm_ovbuildpath_textfile.rb was not
changed.
2013-10-17 15:41:12 +02:00
sinn3r 7a0671eba9
Land #2531 - rm deprecated mods 2013-10-16 20:02:58 -05:00
James Lee a54b4c7370
Land #2482, use runas when UAC is DoNotPrompt 2013-10-16 17:51:11 -05:00
Tod Beardsley f1a67ecafe
Remove overdue deprecated modules
[See PT #56795804]
[See PT #56796034]
2013-10-16 17:02:28 -05:00
sinn3r 0ce221274b Change JS comments in Ruby. 2013-10-16 16:40:54 -05:00