Spencer McIntyre
cc32c877a9
Add CVE-2013-3881 win32k Null Page exploit
2014-02-06 17:23:38 -05:00
sinn3r
89e1bcc0ca
Deprecate modules with date 2013-something
...
These modules had an expiration date of 2013.
2014-02-04 14:49:18 -06:00
William Vu
a58698c177
Land #2922 , multithreaded check command
2014-02-04 11:21:05 -06:00
Meatballs
08493f2670
Merge remote-tracking branch 'upstream/master' into upgrade_psh
...
Conflicts:
lib/msf/core/post/file.rb
2014-02-03 18:02:09 +00:00
Meatballs
95eb758642
Initial commit
2014-02-02 19:04:38 +00:00
William Vu
a5bff638c5
Remove EOL spaces
2014-01-31 15:01:03 -06:00
sinn3r
cc4dea7d49
Was playing with ms08_067 check and realized I forgot this print
2014-01-25 16:15:52 -06:00
William Vu
47b9bfaffc
Use opts hash for adobe_pdf_embedded_exe
...
https://dev.metasploit.com/redmine/issues/8498
2014-01-24 20:16:53 -06:00
jvazquez-r7
9db295769d
Land #2905 , @wchen-r7's update of exploit checks
2014-01-24 16:49:33 -06:00
sinn3r
cdc425e4eb
Update some checks
2014-01-24 12:08:23 -06:00
sgabe
16b8b58a84
Fix the dwSize parameter
2014-01-24 11:38:57 +01:00
sgabe
8f6dcd7545
Add some randomization to the ROP chain
2014-01-24 10:28:59 +01:00
sgabe
021aa77f5f
Add module for BID-46926
2014-01-24 01:48:21 +01:00
sinn3r
c403c521b3
Change check code
2014-01-23 11:03:40 -06:00
Tod Beardsley
b3b51eb48c
Pre-release fixup
...
* Updated descriptions to be a little more descriptive.
* Updated store_loot calls to inform the user where the
loot is stored.
* Removed newlines in print_* statments -- these will screw
up Scanner output when dealing with multiple hosts.
Of the fixed newlines, I haven't see any output, so I'm not sure what
the actual message is going to look like -- I expect it's a whole bunch
of newlines in there so it'll be kinda ugly as is (not a blocker for
this but should clean up eventually)
2014-01-21 13:29:08 -06:00
sinn3r
fe767f3f64
Saving progress
...
Progress group 2: Making sure these checks comply with the new
guidelines. Please read: "How to write a check() method" found in
the wiki.
2014-01-21 11:07:03 -06:00
sinn3r
e5dc6a9911
Update exploit checks
...
Progress group 1: Making sure these checks comply with the new
guidelines. Please read: "How to write a check() method" found in
the wiki.
2014-01-20 14:26:10 -06:00
dukeBarman
88c283880a
Fix bugs
2014-01-18 17:04:46 -05:00
dukeBarman
766c408d86
Add CVE-2013-0634: Adobe Flash Player 11.5 memory corruption
2014-01-18 11:07:11 -05:00
jvazquez-r7
c670259539
Fix protocol handling
2014-01-17 00:49:44 -06:00
jvazquez-r7
eaf1b0caf6
Add minor clean up
2014-01-16 17:55:45 -06:00
jvazquez-r7
f3c912bd32
Add module for ZDI-14-003
2014-01-16 17:49:49 -06:00
sgabe
b4280f2876
Very minor code formatting
2014-01-14 13:35:00 +01:00
sgabe
e7cc3a2345
Removed unnecessary target
2014-01-13 13:17:16 +01:00
sgabe
26d17c03b1
Replaced ROP chain
2014-01-13 02:54:49 +01:00
sgabe
d657a2efd3
Added DEP Bypass
2014-01-11 20:31:28 +01:00
sgabe
72d15645df
Added more references
2014-01-11 20:30:50 +01:00
sgabe
8449005b2a
Fixed CVE identifier.
2014-01-10 23:45:34 +01:00
Tod Beardsley
cd38f1ec5d
Minor touchups to recent modules.
2014-01-03 13:39:14 -06:00
William Vu
2d25781cf0
Land #2804 for real (thanks, @jvazquez-r7!)
...
It was the wrong time to mess with my workflow.
2014-01-02 16:39:02 -06:00
OJ
1cb671b02e
Merge branch 'adjust_getenv_api' into stop_abusing_expand_path
2014-01-03 08:14:02 +10:00
William Vu
67a796021d
Land #2804 , IBM Forms Viewer 4.0 exploit
2014-01-02 16:10:02 -06:00
jvazquez-r7
eaeb457d5e
Fix disclosure date and newline as pointed by @wvu-r7
2014-01-02 16:08:44 -06:00
William Vu
d291cd92d7
Land #2817 , icofx_bof random things
2014-01-01 22:01:48 -06:00
jvazquez-r7
b4439a263b
Make things random
2013-12-31 16:06:25 -06:00
sinn3r
184bd1e0b2
Land #2815 - Change gsub hardtabs
2013-12-31 15:58:21 -06:00
jvazquez-r7
2252a037a5
Fix disclosure date
2013-12-31 14:51:43 -06:00
jvazquez-r7
3775b6ce91
Add module for CVE-2013-4988
2013-12-31 14:43:45 -06:00
jvazquez-r7
841f67d392
Make adobe_reader_u3d also compliant
2013-12-31 11:07:31 -06:00
jvazquez-r7
7f9f4ba4db
Make gsubs compliant with the new indentation standard
2013-12-31 11:06:53 -06:00
William Vu
80a1e85235
Add :config => false to sysax_ssh_username
2013-12-30 18:13:49 -06:00
jvazquez-r7
57d60c66f9
Add masqform version as comment
2013-12-27 10:59:23 -06:00
jvazquez-r7
341e3c0370
Use rexml
2013-12-27 10:55:36 -06:00
jvazquez-r7
ee35f9ac30
Add module for zdi-13-274
2013-12-27 10:20:44 -06:00
sinn3r
367dce505b
Minor details
2013-12-24 00:39:15 -06:00
sgabe
f687a14539
Added support for opening via menu.
2013-12-24 03:12:49 +01:00
sgabe
287271cf98
Fixed date format.
2013-12-22 01:32:16 +01:00
sgabe
0ac495fef8
Replaced hex with plain text.
2013-12-22 01:31:37 +01:00
sgabe
44ab583611
Added newline to end of file.
2013-12-20 22:40:45 +01:00
sgabe
62f71f6282
Added module for CVE-2013-6877
2013-12-20 22:37:09 +01:00
OJ
9fb081cb2d
Add getenvs, update getenv, change extract_path use
...
Stacks of modules were using `extract_path` where it wasn't really semantically correct
because this was the only way to expand environment variables. This commit fixes that
up a bit.
Also, I changed the existing `getenv` function in `stdapi` to `getenvs`, and had it
support the splat operator. I added a `getenv` function which is used just for a
single variable and uses `getenvs` behind the scenes.
The meterpreter console `getenv` command now uses `getenvs`
2013-12-19 11:54:34 +10:00
sinn3r
4bddd077ec
Land #2762 - Use new ntdll railgun functions
2013-12-18 15:18:47 -06:00
Meatballs
3e54379b0e
Merge remote-tracking branch 'upstream/master' into wmic_post
...
Conflicts:
lib/msf/core/post/windows.rb
2013-12-18 13:40:54 +00:00
sinn3r
ad2ec497c2
Land #2773 - Fix ms_ndproxy to work under a sandboxed Reader
2013-12-16 20:32:27 -06:00
jvazquez-r7
52cb43e6a8
Fix typo
2013-12-16 20:28:49 -06:00
jvazquez-r7
84759a552a
Save one variable
2013-12-16 16:49:44 -06:00
jvazquez-r7
042bd4f80b
Fix ms_ndproxy to work under a sandboxed Reader
2013-12-16 16:19:17 -06:00
Tod Beardsley
f88a3a55b6
More slight updates.
2013-12-16 15:05:39 -06:00
sinn3r
afcee93309
Land #2771 - Fix description
2013-12-16 15:01:32 -06:00
sinn3r
04b7e8b174
Fix module title and add vendor patch information
2013-12-16 14:59:00 -06:00
Tod Beardsley
040619c373
Minor description changes
...
No code changes (one comment made on play_youtube to suggest xdg-open
rather than firefox for linux targets).
2013-12-16 14:57:33 -06:00
jvazquez-r7
533accaa87
Add module for CVE-2013-3346
2013-12-16 14:13:47 -06:00
Meatballs
3dec7f61a5
Check in sysnative if wow64
2013-12-15 01:12:52 +00:00
Meatballs
2dc4faad72
Resplat license
2013-12-15 01:12:51 +00:00
Meatballs
8203274256
Small fixes
...
Remove " from service command if it is quoted.
Spawn SYSWOW64 notepad.
2013-12-15 01:12:51 +00:00
OJ
f2e2147065
Change unless with else to if with else
2013-12-15 01:12:50 +00:00
OJ
cff7008500
Fix final issues with merge
...
Hopefully this will be the last of the changes.
2013-12-15 01:12:50 +00:00
OJ
41c538856a
Re-add RDI mixin changes
2013-12-15 01:12:49 +00:00
OJ
db29af0f97
First batch of submodule refactorings
2013-12-15 01:12:48 +00:00
Meatballs
6916f7c5d2
Fixup description
2013-12-15 01:12:47 +00:00
Meatballs
3d1646d18e
Exit process when complete
2013-12-15 01:12:47 +00:00
Meatballs
dd32c2b0b8
Spawn 32bit process
2013-12-15 01:12:46 +00:00
Meatballs
819ba30a33
msftidy
...
Conflicts:
lib/msf/core/post/windows/services.rb
2013-12-15 01:12:46 +00:00
Meatballs
5eca4714c2
Renamed module
2013-12-15 01:12:46 +00:00
Meatballs
a930056d7f
Added service status checks to Post::Windows::Services
...
Added QueryServiceStatus to Railgun Advapi32 Definitions
Added Checks to module
Conflicts:
lib/msf/core/post/windows/services.rb
lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_advapi32.rb
2013-12-15 01:12:45 +00:00
Meatballs
c6623b380a
Initial commit
2013-12-15 01:12:45 +00:00
Meatballs
04496a539c
Fix up local wmi exploit.
2013-12-14 20:05:51 +00:00
jvazquez-r7
e8396dc37a
Delete redefinition of ntdll functions on railgun
2013-12-13 16:02:47 -06:00
sinn3r
ba1a70b72e
Update Microsoft patch information
2013-12-13 15:59:15 -06:00
jvazquez-r7
1ab3e891c9
Modify ms_ndproxy to use railgun additions
2013-12-13 15:54:34 -06:00
jvazquez-r7
5c1ca97e21
Create a new process to host the final payload
2013-12-12 08:26:44 -06:00
jvazquez-r7
eb4e3f8a32
Fix os detection
2013-12-12 07:39:19 -06:00
jvazquez-r7
8b518776bc
Dont fail_with on check
2013-12-11 22:08:36 -06:00
jvazquez-r7
02915c751c
Favor unless over if not and add reference
2013-12-11 16:28:09 -06:00
jvazquez-r7
b6fa3f28b1
Modify description
2013-12-11 08:56:31 -06:00
jvazquez-r7
c4721de4a0
Add module for CVE-2013-5065
2013-12-11 08:52:35 -06:00
sinn3r
3a9ac303f0
Use rexml for XML data generation
2013-12-10 15:37:44 -06:00
jvazquez-r7
230fcd87a5
Add module for zdi-13-259
2013-12-10 08:45:08 -06:00
Meatballs
6f02744d46
Land #2730 Typo in mswin_tiff_overflow
2013-12-06 12:32:37 +00:00
Meatballs
3aebe968bb
Land #2721 Reflective DLL Mixin
...
Adds support to load a dll and identify the ReflectiveLoader offset.
Adds support to inject dll into process and execute it.
Updates kitrap0d, ppr_flatten_rec, reflective_dll_inject modules and
payload modules to use above features.
2013-12-06 12:26:51 +00:00
sinn3r
89ef1d4720
Fix a typo in mswin_tiff_overflow
2013-12-06 00:44:12 -06:00
Meatballs
9b2ae3c447
Uncomment fail_with
2013-12-05 23:21:06 +00:00
OJ
2cb991cace
Shuffle RDI stuff into more appropriate structure
...
Now broken into two modules, one for loading RDI DLLs off disk and
finding the loader function offset, and another for doing the process
specific stuff of loading into the target.
2013-12-06 08:25:24 +10:00
Meatballs
1e60ff91ea
Move ExitThread patching to Msf::Util::EXE
2013-12-05 17:16:14 +00:00
Meatballs
496b017e33
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
2013-12-05 17:09:32 +00:00
Meatballs
dc0f2b7291
Use ExitProcess
2013-12-05 17:08:47 +00:00
OJ
b936831125
Renamed the mixin module
2013-12-05 08:13:54 +10:00
OJ
7e8db8662e
Update name of the mixin
...
Changed `RdiMixin` to `ReflectiveDLLInjection`.
2013-12-04 22:18:29 +10:00
OJ
f79af4c30e
Add RDI mixin module
...
MSF was starting to see more modules using RDI to load binaries into
remote processes, so it made sense to create a mixin which contained
the functionality that was being used in various locations.
This commit contains the new mixin, and adjustments to all the existing
exploits and modules which use RDI.
2013-12-04 16:09:41 +10:00
sinn3r
230db6451b
Remove @peer for modules that use HttpClient
...
The HttpClient mixin has a peer() method, therefore these modules
should not have to make their own. Also new module writers won't
repeat the same old code again.
2013-12-03 12:58:16 -06:00
sinn3r
ddbd5858e0
Land #2701 - Refactor of `ppr_flatten_rec`
...
Also [SeeRM #8140 ]
2013-12-03 10:51:58 -06:00
jvazquez-r7
2d77ed58d5
Land #2648 , @pnegry's exploit for Kaseya File Upload
2013-12-03 09:35:05 -06:00
jvazquez-r7
2606a6ff0e
Do minor clean up for kaseya_uploadimage_file_upload
2013-12-03 09:34:25 -06:00
Thomas Hibbert
21bb8fd25a
Update based on jvazquez's suggestions.
2013-12-03 13:49:31 +13:00
Tod Beardsley
55847ce074
Fixup for release
...
Notably, adds a description for the module landed in #2709 .
2013-12-02 16:19:05 -06:00
Meatballs
915d741f86
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
...
Conflicts:
.gitmodules
external/source/ReflectiveDLLInjection
2013-11-30 19:10:04 +00:00
sinn3r
8817c0eee0
Change description a bit
...
Try to make this sound smoother
2013-11-28 12:19:42 -06:00
jvazquez-r7
807e2dfd31
Fix title
2013-11-28 10:53:12 -06:00
jvazquez-r7
7dee4ffd4d
Add module for ZDI-13-270
2013-11-28 10:47:04 -06:00
Thomas Hibbert
d1e4975f76
Use res.get_cookies instead of homebrew parse. Use _cgi
2013-11-28 16:35:36 +13:00
OJ
0b879d8f39
Comments for WfsDelay, adjustment to injection
...
I had inteded to add the `WfsDelay` as Meatballs suggested, but for locl
exploits this doesn't appear to work as expected. After speaking to HDM
we've decided to leave the sleep in there and figure out the `WsfDelay`
thing later.
This also includes a slight refactor which puts the payload and the
exploit in the same chunk of allocated memory. Minor optimisation, but
worth it.
2013-11-28 08:42:16 +10:00
OJ
defc0ebe5c
ppr_flatten_rec update, RDI submodule, and refactor
...
This commit contains a few changes for the ppr_flatten_rec local windows
exploit. First, the exploit binary itself:
* Updated to use the RDI submodule.
* Updated to build with VS2013.
* Updated to generate a binary called `ppr_flatten_rc.x86.dll`.
* Invocation of the exploit requires address of the payload to run.
Second, the module in MSF behaved a little strange. I expected it to create
a new session with system privs and leave the existing session alone. This
wasn't the case. It used to create an instance of notepad, migrate the
_existing_ session to it, and run the exploit from there. This behaviour
didn't seem to be consistent with other local exploits. The changes
include:
* Existing session is now left alone, only used as a proxy.
* New notepad instance has exploit reflectively loaded.
* New notepad instance has payload directly injected.
* Exploit invocation takes the payload address as a parameter.
* A wait is added as the exploit is slow to run (nature of the exploit).
* Payloads are executed on successful exploit.
2013-11-27 20:44:18 +10:00
Thomas Hibbert
bb0753fcdd
Updated module to comply with indentation standard and to use suggestions from reviewers
2013-11-27 16:00:00 +13:00
sinn3r
5d10b44430
Add support for Silverlight
...
Add support for Silverlight exploitation. [SeeRM #8705 ]
2013-11-26 14:47:27 -06:00
sinn3r
a914fbc400
Land #2693 - case sensitive
2013-11-26 11:16:57 -06:00
Tod Beardsley
671c0d9473
Fix nokogiri typo
...
[SeeRM #8730 ]
2013-11-26 10:54:31 -06:00
jvazquez-r7
253719d70c
Fix title
2013-11-26 08:11:29 -06:00
jvazquez-r7
6cb63cdad6
Land #2679 , @wchen-r7's exploit for cve-2013-3906
2013-11-25 22:04:26 -06:00
jvazquez-r7
0079413e81
Full revert the change
2013-11-25 22:04:02 -06:00
sinn3r
fa97c9fa7c
Revert this change
2013-11-25 20:54:39 -06:00
sinn3r
3247106626
Heap spray adjustment by @jvazquez-r7
2013-11-25 20:50:53 -06:00
jvazquez-r7
4c249bb6e9
Fix heap spray
2013-11-25 20:06:42 -06:00
sinn3r
385381cde2
Change target address
...
This one tends to work better with our boxes
2013-11-25 17:21:39 -06:00
sinn3r
8005826160
Land #2644 - MS13-090 CardSpaceClaimCollection vuln
2013-11-25 13:06:09 -06:00
Meatballs
a3c7dccfc0
Add disconnect option to psexec
...
Allow the module to prevent the mixin from ending the SMB session.
2013-11-24 16:37:25 +00:00
Meatballs
dd9bb459bf
PSEXEC Refactor
...
Move peer into mixin
PSEXEC should use the psexec mixin
2013-11-24 16:24:05 +00:00
sinn3r
9987ec0883
Hmm, change ranking
2013-11-23 00:51:58 -06:00
sinn3r
6ccc3e3c48
Make payload execution more stable
2013-11-23 00:47:45 -06:00
sinn3r
d748fd4003
Final commit
2013-11-22 23:35:26 -06:00
sinn3r
f871452b97
Slightly change the description
...
Because it isn't that slow
2013-11-22 19:27:00 -06:00
sinn3r
eddedd4746
Working version
2013-11-22 19:14:56 -06:00
jvazquez-r7
7e4487b93b
Update description
2013-11-22 17:37:23 -06:00
sinn3r
c8fd761c53
Progress
2013-11-22 16:57:29 -06:00
jvazquez-r7
a7ad107e88
Add ruby code for ms13-022
2013-11-22 16:41:56 -06:00
sinn3r
953a96fc2e
This one looks promising
2013-11-22 12:27:10 -06:00
sinn3r
8476ca872e
More progress
2013-11-22 11:53:57 -06:00
sinn3r
f1d181afc7
Progress
2013-11-22 04:51:55 -06:00
sinn3r
6d5c1c230c
Progress
2013-11-22 03:55:40 -06:00
sinn3r
4d2253fe35
Diet
2013-11-22 02:25:09 -06:00
sinn3r
8382d31f46
More progress
2013-11-21 18:48:12 -06:00
jvazquez-r7
885fedcc3b
Fix target name
2013-11-21 17:42:31 -06:00
sinn3r
56d1c545e7
Oh look, more code
2013-11-21 14:42:07 -06:00
jvazquez-r7
851cf6f0d1
Land #2650 , @pnegry's exploit for DesktopCentral 8
2013-11-21 09:30:17 -06:00
jvazquez-r7
77aa665385
Add Privileged flag
2013-11-21 09:28:28 -06:00
jvazquez-r7
2ab3ab8b66
Delete empty Payload metadata section
2013-11-21 09:27:25 -06:00
jvazquez-r7
6bd3c4c887
Fix target name
2013-11-21 09:07:25 -06:00
jvazquez-r7
4c2ad4ca9a
Fix metadata
2013-11-21 09:06:47 -06:00
jvazquez-r7
8e4c5dbb5e
improve upload_file response check
2013-11-21 09:02:11 -06:00
jvazquez-r7
8fdfeb73db
Fix use of FileDropper and improve check method
2013-11-21 09:01:41 -06:00
jvazquez-r7
4abf01c64c
Clean indentation
2013-11-21 08:32:54 -06:00
sinn3r
ddd5b0abb9
More progress
2013-11-21 04:27:41 -06:00
sinn3r
e13e457d8f
Progress
2013-11-20 17:11:13 -06:00
sinn3r
94e13a0b8a
Initial commit of CVE-2013-3906
2013-11-19 23:10:32 -06:00
Thomas Hibbert
4cc20f163b
Update References field to be compliant.
2013-11-20 13:01:21 +13:00
Thomas Hibbert
c76fa32345
Fixed reference format
2013-11-20 12:53:21 +13:00
Thomas Hibbert
26a5e37266
Use MSF::Exploit:FileDropper to register the uploaded file for cleanup.
2013-11-20 12:27:22 +13:00
Thomas Hibbert
07c76fd3e6
Module cleaned for msftidy compliance.
2013-11-20 11:33:14 +13:00
sinn3r
a9de5e2846
Land #2634 - Opt browser autopwn load list
2013-11-19 15:10:29 -06:00
jvazquez-r7
bddb314073
Fix usage of Retries
2013-11-18 09:09:20 -06:00
jvazquez-r7
237bb22771
Disable auto migrate
2013-11-18 08:54:22 -06:00
Thomas Hibbert
960f7c9bbb
Add DesktopCentral arbitrary file upload exploit.
2013-11-18 16:11:28 +13:00
Thomas Hibbert
60a245b0c3
Fix the arch declaration in uploaded module.
2013-11-18 14:49:03 +13:00
Thomas Hibbert
636fdfe2d2
Added Kaseya uploadImage exploit.
2013-11-18 14:23:34 +13:00
Tod Beardsley
89d0b3c41c
Return the splat and require on a module.
2013-11-15 12:19:53 -06:00
jvazquez-r7
cbb7eb192c
Add module for CVE-2013-3918
2013-11-15 10:38:52 -06:00
William Vu
2c485c509e
Fix caps on module titles (first pass)
2013-11-15 00:03:42 -06:00
jvazquez-r7
4cf16cf360
Land #2633 , @OJ's port of Kitrap0d as local exploit
2013-11-14 09:27:10 -06:00
jvazquez-r7
fe2cd93a65
Delete ms13_037_svg_dashstyle from the browser_autopwn list
2013-11-13 23:46:50 -06:00
OJ
506a4d9e67
Remove genericity, x64 and renamed stuff
...
As per discussion on the github issue, the following changes were made:
* Project renamed from elevate to kitrap0d, implying that this is not
intended to be a generic local priv esc exploit container.
* Container DLL no longer generic, always calls the kitrap0d exploit.
* Removal of all x64 code and project configurations.
* Invocation of the exploit changed so that the address of the payload
is passed in to the exploit entry point. The exploit is now responsible
for executing the payload if the exploit is successful. This removes
the possibility of the payload getting executed when the exploit fails.
* Source moved to the appropriate CVE folder.
* Binary moved to the appropriate CVE folder.
* Little bit of source rejigging to tidy things up.
2013-11-14 12:22:53 +10:00
jvazquez-r7
8771b163f0
Solve conflicts with aladdin_choosefilepath_bof
2013-11-12 23:11:42 -06:00
OJ
e4fc361b37
Various tidies and fixes
...
* Change ranking.
* Update references to comply with correct approach.
* Update messages to better describe what should happen.
* Update the Windows version regex to match XP.
* Update `check` function to use `unless`.
Thanks again @jvazquez-r7 for the feedback!
2013-11-13 10:38:48 +10:00
jvazquez-r7
ef6d9db48f
Land #2613 , @wchen-r7's BrowserExploitServer mixin
2013-11-12 17:33:12 -06:00
jvazquez-r7
004c1bac78
Reduce number of modules available on BrowserAutopwn
2013-11-12 12:37:29 -06:00
OJ
40f58ce534
Finalise the local exploit for kitrap0d
...
The exploit now properly injects the DLL using RDI and invokes the
exploit based on a parameter passed by the Ruby module. The elevate
code is 'generic' with a goal of possibly supporting more exploits
down the track.
New sessions are now created with the SYSTEM creds, rather than
modifying the existing session. This is now inline with how things
are done with other local modules.
2013-11-12 23:01:24 +10:00
Tod Beardsley
2035983d3c
Fix a handful of msftidy warnings, and XXX SSL
...
Marked the SSL stuff as something that needs to be resolved in order to
fix a future bug in datastore manipulation. Also, fixed some whitespace
and exec complaints
[SeeRM #8498 ]
2013-11-11 21:23:35 -06:00
jvazquez-r7
b01d8c50e0
Restore module crash documentation
2013-11-11 17:09:41 -06:00
jvazquez-r7
30de61168d
Support heap spray obfuscation
2013-11-11 17:05:54 -06:00
jvazquez-r7
922f0eb900
Switch aladdin_choosefilepath_bof2 to use BrowserExploitServer
2013-11-11 17:01:09 -06:00
sinn3r
b887ed68b5
Land #2608 - Allow guest login option for psexec.
2013-11-11 10:09:41 -06:00
OJ
82739c0315
Add extra URL for exploit detail
2013-11-11 22:07:36 +10:00
OJ
6a25ba18be
Move kitrap0d exploit from getsystem to local exploit
...
This version modifies the existing meterpreter session and bumps the privs
up to SYSTEM. However it's not how local exploits are supposed to work.
More work will be done to make this create a new session with the elevated
privs instead.
2013-11-11 17:14:40 +10:00
jvazquez-r7
d419c73488
Land #2517 , @3v0lver's exploit for cve-2008-2286
2013-11-08 08:41:04 -06:00
jvazquez-r7
fddb69edb3
Use instance variables for 1-time injections
2013-11-08 08:30:35 -06:00
jvazquez-r7
69b261a9f2
Clean post exploitation code
2013-11-07 18:11:54 -06:00
jvazquez-r7
9f51268d21
Make xp_shell_enable instance variable
2013-11-07 17:53:28 -06:00
jvazquez-r7
aa1000df72
Clean check method
2013-11-07 17:44:22 -06:00
jvazquez-r7
c2662d28e0
Move module to the misc folder
2013-11-07 17:34:22 -06:00
jvazquez-r7
b068e4beb5
Fix indentation and refactor send_update_computer
2013-11-07 17:33:35 -06:00
scriptjunkie
7615264b17
Merge branch 'lanattacks_fix' of git://github.com/OJ/metasploit-framework into OJ-lanattacks_fix
2013-11-07 10:35:00 -06:00
root
944528e633
Updated for temporal pathing with TEMP variable
2013-11-07 01:34:55 -05:00
scriptjunkie
61e4700832
Allow guest login option.
...
This enables obtaining or maintaining access to properly misconfigured
systems through the Guest account.
2013-11-06 11:28:13 -06:00
OJ
7dcb071f11
Remote shebang and fix pxexeploit
2013-11-06 07:10:25 +10:00
Tod Beardsley
84572c58a8
Minor fixup for release
...
* Adds some new refs.
* Fixes a typo in a module desc.
* Fixes a weird slash continuation for string building (See #2589 )
2013-11-04 12:10:38 -06:00
root
5c923757e8
Removed generic command execution capability
2013-10-30 21:35:24 -04:00
Tod Beardsley
e488a54a06
Resplat new WMI module
2013-10-30 15:14:16 -05:00
jvazquez-r7
c8ceaa25c6
Land #2589 , @wvu-r7's exploit for OSVDB 98714
2013-10-29 14:56:30 -05:00
jvazquez-r7
9f81aeb4ad
Fix style
2013-10-29 14:55:16 -05:00
William Vu
5af42f2c28
Add short comment on why the padding is necessary
2013-10-29 11:46:10 -05:00
William Vu
e368cb0a5e
Add Win7 SP1 to WinXP SP3 target
2013-10-29 10:45:14 -05:00
William Vu
ea7bba4035
Add Beetel Connection Manager NetConfig.ini BOF
2013-10-28 22:52:02 -05:00
Tod Beardsley
9045eb06b0
Various title and description updates
2013-10-28 14:00:19 -05:00
William Vu
278dff93e7
Add missing require for Msf::Exploit::Powershell
...
Thanks for the report, @mubix.
2013-10-25 21:41:24 -05:00
jvazquez-r7
b69ee1fc67
[FixRM #8419 ] Add module platform to ms04_011_pct
2013-10-25 09:29:19 -05:00
Meatballs
6fdf5cab15
Update bypassuac_injection inline with latest privs lib
2013-10-23 21:15:41 +01:00
Meatballs
e6a2a1006f
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
...
Conflicts:
lib/msf/core/post/windows/priv.rb
modules/exploits/windows/local/bypassuac.rb
2013-10-23 21:02:32 +01:00
William Vu
bea04cceeb
Remove the trailing slash from the ZDI ref
2013-10-23 11:05:33 -05:00
Booboule
7d84fa487e
Correct ZDI ref to match new scheme
2013-10-23 11:44:44 +02:00
sinn3r
acc73dd545
Land #2282 - BypassUAC now checks if the process is LowIntegrityLevel
2013-10-22 17:16:26 -05:00
sinn3r
af174639cd
Land #2468 - Hwnd Broadcast Performance
2013-10-22 17:03:02 -05:00
Tod Beardsley
dc0d9ae21d
Land #2560 , ZDI references
...
[FixRM #8513 ]
2013-10-22 15:58:21 -05:00
Meatballs
8611a2a24c
Merge remote-tracking branch 'upstream/master' into low_integ_bypassuac
2013-10-22 21:42:36 +01:00
sinn3r
ba1edc6fa8
Land #2402 - Windows Management Instrumentation Local -> Peers
2013-10-22 15:39:32 -05:00
root
85479f5994
removed PrependMigrate, introduced migrate -f
2013-10-22 16:11:19 -04:00
jvazquez-r7
11b2719ccc
Change module plate
2013-10-22 12:36:58 -05:00
jvazquez-r7
df42dfe863
Land #2536 , @ddouhine's exploit for ZDI-11-061
2013-10-22 12:35:40 -05:00
jvazquez-r7
c34155b8be
Clean replication_manager_exec
2013-10-22 12:34:35 -05:00
William Vu
2aed8a3aea
Update modules to use new ZDI reference
2013-10-21 15:13:46 -05:00
sinn3r
1599d1171d
Land #2558 - Release fixes
2013-10-21 13:48:11 -05:00
Tod Beardsley
c1954c458c
Just warn, don't bail
...
Even if the OS detection returns non-Win7, maybe it's Win 8 or something
where it'll still work. We rarely bail out on checks like these.
If I'm crazy, feel free to skip or revert this commit (it shouldn't hold
up the release at all)
For details on this module, see #2503 . I don't see any comments about
this line in particular
2013-10-21 13:39:45 -05:00
Tod Beardsley
bce8d9a90f
Update license comments with resplat.
2013-10-21 13:36:15 -05:00
sinn3r
4c14595525
Land #2535 - Use %PATH% for notepad
2013-10-21 13:14:44 -05:00
sinn3r
032da9be10
Land #2426 - make use of Msf::Config.data_directory
2013-10-21 13:07:33 -05:00
sinn3r
6430fa3354
Land #2539 - Support Windows CMD generic payload
...
This also upgrades auxiliary/admin/scada/igss_exec_17 to an exploit
2013-10-21 11:26:13 -05:00
sinn3r
45d06dd28d
Change plate
2013-10-21 11:24:30 -05:00
sinn3r
8c05f8cf51
Land #2550 - Add HP Intelligent Managemetn UploadServlet dir traversal
2013-10-21 11:14:22 -05:00
sinn3r
d22e4ac2f1
Check timeout condition
2013-10-21 11:13:48 -05:00
sinn3r
36dace26fa
Land #2538 - Fix redirect URLs
2013-10-21 11:08:03 -05:00
jvazquez-r7
27078eb5a6
Add support for HP imc /BIMS 5.1
2013-10-20 18:18:34 -05:00
jvazquez-r7
b0d32a308a
Update version information
2013-10-19 00:52:22 -05:00
jvazquez-r7
7d8a0fc06c
Add BID reference
2013-10-19 00:29:43 -05:00
jvazquez-r7
cf239c2234
Add module for ZDI-13-238
2013-10-19 00:05:09 -05:00
jvazquez-r7
dbd74bceed
Add the ARCH_CMD target
2013-10-18 16:35:22 -05:00
Meatballs
4e4d0488ae
Rubyfy constants in privs lib
2013-10-18 18:26:07 +01:00
root
2e0a14d719
Introduced PrependMigrate, PPID killing and general clean-up
2013-10-18 12:24:50 -04:00
Norbert Szetei
9d6031acdb
Reverting payload_inject because of x64 shellcode
...
Injecting x64 shellcode in a SYSWOW64 process spawn a 32 bit notepad, so
we revert the changes.
2013-10-18 09:51:18 +02:00
Meatballs
55426882d4
Further bypassuac tidyup
2013-10-18 00:08:06 +01:00
Meatballs
e450e34c7e
Merge branch 'master' of github.com:rapid7/metasploit-framework into low_integ_bypassuac
...
Conflicts:
modules/exploits/windows/local/bypassuac.rb
2013-10-17 23:35:36 +01:00
Meatballs
5a662defac
Post::Privs uses Post::Registry methods
2013-10-17 23:28:07 +01:00
Meatballs
b3cc9f6f1e
Use sysnative to delete the cryptbase.dll when in SYSWOW64 process.
...
Merge branch 'master' of github.com:Meatballs1/metasploit-framework into bypassuac_redo
Conflicts:
modules/exploits/windows/local/bypassuac.rb
2013-10-17 21:01:57 +01:00
James Lee
94db3f511a
Avoid extra slash in redirect URI
...
[SeeRM #8507 ]
2013-10-17 14:10:15 -05:00
jvazquez-r7
be1d6ee0d3
Support Windows CMD generic payload
2013-10-17 14:07:27 -05:00
Tod Beardsley
07ab53ab39
Merge from master to clear conflict
...
Conflicts:
modules/exploits/windows/brightstor/tape_engine_8A.rb
modules/exploits/windows/fileformat/a-pdf_wav_to_mp3.rb
2013-10-17 13:29:24 -05:00
jvazquez-r7
7f6dadac16
Merge for sync
2013-10-17 10:40:01 -05:00
Davy Douhine
b03783baec
minors fixes and rand for endstring
2013-10-17 17:10:05 +02:00
Davy Douhine
22eb2ba163
randstring and fixes
2013-10-17 16:51:34 +02:00
Norbert Szetei
563bf4e639
Fix bug #8502 , used %PATH% for notepad invocation
...
We use system %PATH% for notepad executable instead of the absolute
path, because it caused a problem with the migrate script in a 64-bit
meterpreter session. By default the wordpad binary is not in the
%PATH%, so the condition in hp_nnm_ovbuildpath_textfile.rb was not
changed.
2013-10-17 15:41:12 +02:00
sinn3r
7a0671eba9
Land #2531 - rm deprecated mods
2013-10-16 20:02:58 -05:00
James Lee
a54b4c7370
Land #2482 , use runas when UAC is DoNotPrompt
2013-10-16 17:51:11 -05:00
Tod Beardsley
f1a67ecafe
Remove overdue deprecated modules
...
[See PT #56795804 ]
[See PT #56796034 ]
2013-10-16 17:02:28 -05:00
sinn3r
0ce221274b
Change JS comments in Ruby.
2013-10-16 16:40:54 -05:00