Commit Graph

2088 Commits (c0093381d7b38ea62d30017171318eb299a29dc1)

Author SHA1 Message Date
OJ 121fe1adda
Land #5654 : Python Meterpreter Transport 2015-07-22 10:39:06 +10:00
wchen-r7 7113c801b1
Land #5732, reliability update for adobe_flash_hacking_team_uaf 2015-07-17 16:43:39 -05:00
wchen-r7 837eb9ea38
Land #5742, better quality coverage for adobe_flash_opaque_background_uaf 2015-07-17 16:25:14 -05:00
jvazquez-r7 255d8ed096
Improve adobe_flash_opaque_background_uaf 2015-07-16 14:56:32 -05:00
Spencer McIntyre 010e48919e Pymet immediately change transports on tcp failure 2015-07-16 11:00:43 -04:00
Spencer McIntyre 0cb5000e48 Pymet use incremental backoff for http recv pkt 2015-07-16 10:29:36 -04:00
OJ 986463e489 Fix killav post module, handle errors, better output 2015-07-16 11:35:01 +10:00
Marc-Andre Meloche 8bead8fd87 av_list.txt
it's the av_list.txt, i sure hope this works.
2015-07-15 20:26:42 -04:00
Spencer McIntyre 831cb904a9 Pymet fix the new transport position 2015-07-15 19:45:34 -04:00
jvazquez-r7 a637921305
Update swf 2015-07-15 18:35:41 -05:00
jvazquez-r7 b504f0be8e
Update adobe_flash_hacking_team_uaf 2015-07-15 18:18:04 -05:00
Spencer McIntyre 18cb55f1fa Pymet fix transport automatic roll over 2015-07-14 15:18:11 -04:00
Spencer McIntyre 00da619556 Pymet fix previous transport index logic 2015-07-14 14:32:57 -04:00
Spencer McIntyre 9f48853e00 Pymet fix the order in which transports are added 2015-07-14 14:26:27 -04:00
wchen-r7 d6565a9aee Merge branch 'bes_flash' into bapv2_flash_test 2015-07-14 00:34:54 -05:00
jvazquez-r7 b72ba7f51c
Add AS2 flash detection code 2015-07-13 18:26:02 -05:00
jvazquez-r7 8fb6bedd94
Delete as3 detecotr 2015-07-13 18:23:39 -05:00
jvazquez-r7 9116460cb0
Add prototype with AS3 2015-07-13 16:33:55 -05:00
jvazquez-r7 299978d0e2
Put again old exploiter 2015-07-11 00:36:32 -05:00
jvazquez-r7 63005a3b92
Add module for flash CVE-2015-5122
* Just a fast port for the exploit leaked
* Just tested on win7sp1 / IE11
2015-07-11 00:28:55 -05:00
Tod Beardsley 3d630de353
Replace with a real CVE number 2015-07-07 14:44:12 -05:00
wchen-r7 2cdaace42f
Land #5678, Land adobe_flash_hacking_team_uaf.r 2015-07-07 12:34:59 -05:00
jvazquez-r7 d9aacf2d41
Add module for hacking team flash exploit 2015-07-07 11:19:48 -05:00
Mo Sadek 9e2e64bba1
Land #5644, Windows 10 Detection for os.js 2015-07-06 16:19:06 -05:00
Spencer McIntyre 2a89e248d7 Pymet fix send uuid logic for Python 3.x 2015-07-06 11:20:34 -04:00
joev c993c70006 Remove sleep(), clean up WritableDir usage. 2015-07-05 18:59:00 -05:00
joev a8b56bb44a Oops, need to include the binary files. 2015-07-05 18:24:45 -05:00
Spencer McIntyre 841fbddfc6 Pymet fix packet polling interval 2015-07-02 11:51:53 -04:00
Spencer McIntyre 0af397217c Merge pymet transport feature into fresh branch 2015-07-02 08:43:13 -04:00
Spencer McIntyre 6ab7c314de Pymet fix reverse_tcp transport for IPv6 addresses 2015-07-02 08:33:11 -04:00
Spencer McIntyre dbe239bc75 Pymet fix transport next and prev for one transport 2015-07-02 08:23:02 -04:00
wchen-r7 482247771d Add a fingerprint for Windows 10 + IE11 2015-07-01 18:06:25 -05:00
wchen-r7 cd688437ac Add support for Windows 10 for os.js
Resolves #4248
2015-07-01 15:02:22 -05:00
Spencer McIntyre b1b21c4bef Pymet fixes for Python 3.x 2015-07-01 14:32:12 -04:00
jvazquez-r7 1de94a6865
Add module for CVE-2015-3113 2015-07-01 13:13:57 -05:00
Spencer McIntyre 2a891c50eb Pymet transport stabilty and correction 2015-07-01 11:12:30 -04:00
Spencer McIntyre 4b5b7c8a27 Pymet support for core_transport_remove 2015-06-30 15:46:33 -04:00
Spencer McIntyre 6a45e19636 Pymet fix bind and tcp socket cleanup logic 2015-06-30 15:25:23 -04:00
Spencer McIntyre 3d49781230 Pymet support for core_transport_sleep 2015-06-29 18:34:35 -04:00
Spencer McIntyre 9a8ffacfd1 Pymet transport changing improvements 2015-06-29 14:00:07 -04:00
Spencer McIntyre 00742ea924 Pymet cleaner transport switching with responses 2015-06-28 13:16:00 -04:00
Spencer McIntyre f6fa462bdc Pymet support for changing transports 2015-06-27 20:57:45 -04:00
Spencer McIntyre 175d9cdcb1 Pymet support for creating and listing transports 2015-06-26 16:52:55 -04:00
Spencer McIntyre 79185e91c6 Refactor the pymet to use transport objects 2015-06-26 14:56:31 -04:00
Spencer McIntyre 7aae9b210e Add pymet support for core_enumextcmd 2015-06-26 11:32:51 -04:00
jvazquez-r7 ee0377ca16
Add module for CVE-2015-3105 2015-06-25 13:35:01 -05:00
OJ ae41f2bfa0 Update exploit binaries for ms15-051 2015-06-25 09:33:15 +10:00
Brent Cook e75287875b hack android-specific commands back to life 2015-06-22 20:41:58 -05:00
OJ 3686accadd
Merge branch 'upstream/master' into cve-2015-1701 2015-06-22 07:52:17 +10:00
jvazquez-r7 04901baab8
Land #5572 @todb-r7's adds snowden's password to unix_passwords.txt 2015-06-19 17:01:22 -05:00
Tod Beardsley b580f93c22
New password from Snowden 2015-06-19 15:37:48 -05:00
jvazquez-r7 d116f1efd5
Land #5566, @wchen-r7 fixes #5565 modifying os.js 2015-06-19 11:07:00 -05:00
wchen-r7 308cad8c40 Fix #5565, Fix os.js service pack detection
Fix #5565
2015-06-18 18:51:16 -05:00
jvazquez-r7 de1542e589
Add module for CVE-2015-3090 2015-06-18 12:36:14 -05:00
wchen-r7 17b8ddc68a
Land #5524, adobe_flash_pixel_bender_bof in flash renderer 2015-06-15 02:42:16 -05:00
jvazquez-r7 72672fc8f7
Delete debug 2015-06-11 17:39:36 -05:00
jvazquez-r7 8ed13b1d1b
Add linux support for CVE-2014-0515 2015-06-11 16:18:50 -05:00
wchen-r7 ae21b0c260
Land #5523, adobe_flash_domain_memory_uaf in the flash renderer 2015-06-10 16:59:19 -05:00
wchen-r7 4c5b1fbcef
Land #5522, adobe_flash_worker_byte_array_uaf in the flash renderer 2015-06-10 14:49:41 -05:00
jvazquez-r7 7527aa4f34
Disable debug 2015-06-10 14:07:18 -05:00
jvazquez-r7 6c7ee10520 Update to use the new flash Exploiter 2015-06-10 13:52:43 -05:00
jvazquez-r7 7fba64ed14
Allow more search space 2015-06-10 12:26:53 -05:00
jvazquez-r7 ecbddc6ef8
Play with memory al little bit better 2015-06-10 11:54:57 -05:00
wchen-r7 d622c782ef
Land #5519, adobe_flash_uncompress_zlib_uninitialized in the flash renderer 2015-06-10 11:52:47 -05:00
jvazquez-r7 2b4fe96cfd Tweak Heap Spray 2015-06-10 10:56:24 -05:00
jvazquez-r7 a6fe383852
Use AS Exploiter 2015-06-10 09:32:52 -05:00
jvazquez-r7 e5d6c9a3cb Make last code cleanup 2015-06-09 16:01:57 -05:00
jvazquez-r7 cf8c6b510b
Debug version working 2015-06-09 15:46:21 -05:00
jvazquez-r7 39851d277d
Unset debug flag 2015-06-09 11:36:09 -05:00
jvazquez-r7 b7f0fad72f
Modify CVE-2014-0569 to use the flash exploitation code 2015-06-09 11:31:39 -05:00
Tod Beardsley f29b38b602
Add the top 20 keyboard patterns as passwords
See https://wpengine.com/unmasked/ for lots more, but this
covers the gif at

https://wpengine.com/unmasked/assets/images/commonkeyboardpatterns.gif
2015-06-05 16:46:08 -05:00
OJ b291d41b76 Quick hack to remove hard-coded offsets 2015-06-05 13:19:41 +10:00
jvazquez-r7 02181addc5
Update CVE-2014-0556 2015-06-04 18:23:50 -05:00
wchen-r7 23df66bf3a
Land #5481, no powershell. exec shellcode from the renderer process. 2015-06-04 15:45:09 -05:00
jvazquez-r7 ab68d8429b Add more targets 2015-06-04 12:11:53 -05:00
jvazquez-r7 80cb70cacf
Add support for Windows 8.1/Firefox 2015-06-03 22:46:04 -05:00
jvazquez-r7 74117a7a52
Allow to execute payload from the flash renderer 2015-06-03 16:33:41 -05:00
OJ 455a3b6b9d
Add butchered version of CVE-2015-1701 2015-06-03 21:48:23 +10:00
Brent Cook 64e86165ef remove android meterpreter bins, update to payloads 1.0.2
This switches us to using the Android payload files from the
metasploit-payloads gem
2015-06-01 09:14:31 -05:00
Brent Cook 7d5af66fa0 Merge branch 'master' into land-5367-uuid-stagers 2015-05-29 13:00:35 -05:00
wchen-r7 737559bcbb
Land #5180, VBA Powershell for Office Macro 2015-05-28 19:55:27 -05:00
jvazquez-r7 e9714bfc82
Solve conflics 2015-05-27 23:22:00 -05:00
wchen-r7 e749733eb6
Land #5419, Fix Base64 decoding on ActionScript 2015-05-27 23:13:51 -05:00
jvazquez-r7 e5d42850c1
Add support for Linux to CVE-2015-0336 2015-05-27 17:05:10 -05:00
jvazquez-r7 801deeaddf Fix CVE-2015-0336 2015-05-27 15:42:06 -05:00
jvazquez-r7 bd1bdf22b5
Fix CVE-2015-0359 2015-05-26 17:27:20 -05:00
jvazquez-r7 19c7445d9d
Fix CVE-2015-0336 2015-05-26 17:20:49 -05:00
jvazquez-r7 23d244b1fa
Fix CVE-2015-0313 2015-05-26 16:11:44 -05:00
jvazquez-r7 5c8c5aef37
Fix CVE-2014-8440 2015-05-26 16:05:08 -05:00
jvazquez-r7 d78d04e070
Fix CVE-2014-0569 2015-05-26 15:49:22 -05:00
jvazquez-r7 e0a1fa4ef6
Fix indentation 2015-05-26 15:38:56 -05:00
jvazquez-r7 1742876757
Fix CVE-2014-0556 2015-05-26 15:30:39 -05:00
jvazquez-r7 3e122fe87c
Fix b64 decoding 2015-05-26 15:15:33 -05:00
jvazquez-r7 29ccc8367b
Add More messages 2015-05-26 14:47:47 -05:00
jvazquez-r7 1bf1c37cfa
Add exception handling 2015-05-26 14:31:07 -05:00
jvazquez-r7 fb8a927941
Hardcode params 2015-05-26 14:20:43 -05:00
jvazquez-r7 f119da94ca
Add one more message 2015-05-26 14:14:38 -05:00
jvazquez-r7 15533fabe6
Log messages 2015-05-26 14:08:24 -05:00
jvazquez-r7 91357ee45b
Improve reliability 2015-05-26 13:47:33 -05:00
OJ 9e50114082
Merge branch 'upstream/master' into uuid-stagers 2015-05-25 11:22:35 +10:00
OJ 1c73c190fc Add machine_id support to windows php meterp 2015-05-22 14:55:29 +10:00
jvazquez-r7 f35d7a85d3
Adjust numbers 2015-05-21 15:56:11 -05:00
jvazquez-r7 80d4f3cfb0
Update swf 2015-05-21 14:55:00 -05:00
jvazquez-r7 8d6cbf0568
Make adobe_flash_uncompress_zlib_af multiplatform 2015-05-20 18:57:37 -05:00
benpturner c0b995cc97 new changes 2015-05-19 16:18:06 +01:00
benpturner b513304756 new changes 2015-05-19 15:47:30 +01:00
benpturner 0cda746bfb Updated size 2015-05-19 14:08:59 +01:00
benpturner 811c45ab90 new 2015-05-19 14:06:41 +01:00
OJ 24526c2ef9 Removed unused data files 2015-05-18 21:46:05 +10:00
OJ 9296a024e2 PHP meterpreter refactoring in prep for uuid work 2015-05-18 17:40:48 +10:00
OJ 0d56b3ee66 Stage UUIDs, generation options, php and python meterp uuid 2015-05-18 13:29:46 +10:00
Brent Cook 5cf6d28c34
Land #5426, use RAW for TLV hash binary data 2015-05-15 11:54:45 -05:00
wchen-r7 25099dd877
Land #5212, HTA Powershell template 2015-05-15 11:49:07 -05:00
wchen-r7 3bc3614be6 Do a check for powershell.exe before running it. 2015-05-15 11:48:21 -05:00
Brent Cook c614f6059d Merge branch 'master' into land-5326- 2015-05-15 11:29:54 -05:00
benpturner d4798a2500 Fix spacinG 2015-05-11 09:04:03 +01:00
benpturner c916021fc5 SSL Support for Powershell Payloads 2015-05-10 21:45:59 +01:00
Tim d3ba84b378
Add TLV_TYPE_FILE_HASH 2015-05-10 14:18:16 +01:00
jvazquez-r7 c103779eab
Land #5080, @bcook-r7's 'ls' and 'download' meterpreter improvements 2015-05-08 18:02:16 -05:00
William Vu 71518ef613
Land #5303, metasploit-payloads Java binaries 2015-05-07 22:39:54 -05:00
jvazquez-r7 51bb4b5a9b
Add module for CVE-2015-0359 2015-05-07 17:00:00 -05:00
jvazquez-r7 582919acac
Add module for CVE-2015-0336 2015-05-05 17:25:19 -05:00
Brent Cook f0c989c1b5 remove java payloads and jars 2015-05-05 15:01:00 -05:00
Brent Cook 05e4af8162
Land #5214, initial meterpreter session recovery support 2015-05-04 16:25:27 -05:00
Brent Cook cda7dc3494 remove old posix meterpreter bins 2015-05-04 09:44:37 -05:00
Brent Cook d934027b3b expand glob match 2015-05-04 03:56:15 -05:00
Brent Cook c5c7242374 teach pymet how to glob on ls as well 2015-05-04 03:56:14 -05:00
wchen-r7 17e54fff1f
Land #5275, Flash CVE-2014-8440 2015-04-30 12:14:06 -05:00
William Vu cbaaea2ce4
Land #5278, D-Link Telnet passwords 2015-04-30 11:23:33 -05:00
jvazquez-r7 dbba466b5b
Add module for CVE-2014-8440 2015-04-29 17:52:04 -05:00
m-1-k-3 f2b50e1e2f removed empty line 2015-04-27 05:29:47 +02:00
HD Moore 1fd601510c
Lands #5194, merges in PowerShell session support & initial payloads 2015-04-26 16:01:51 -05:00
benpturner 76e68fcf4c session info 2015-04-26 20:13:18 +01:00
m-1-k-3 f74d385b6a dlink telnet passwords added from firmware.re 2015-04-26 02:29:30 +02:00
benpturner aa4dc78cba updates to author comments in powershell script 2015-04-25 08:47:17 +01:00
benpturner 19aa668f99 updates to include reverse and bind 2015-04-22 20:41:19 +01:00
Brent Cook 5140b8cf9c fix crash on fork with OSX Python meterpreter using SystemConfiguration
Calling into SystemConfiguration before forking seems to allow the child
process to use it without a null pointer dereference.
2015-04-21 17:17:27 -05:00
Meatballs 381f6ffe0a
HTA Powershell template 2015-04-20 23:19:54 +01:00
Meatballs b0d50dc2be
Create our own Rex connection to the endpoint
Ensure powershell process closes when module completes
Add a windows cmd interact payload
2015-04-19 23:41:28 +01:00
Meatballs 8bd0da580d
Move script out of module 2015-04-19 21:12:44 +01:00
Meatballs b229e87940
Create VBA powershell 2015-04-17 16:52:12 +01:00
Meatballs 15eef6e8de
Dont fork on OSX 2015-04-17 11:43:07 +01:00
jvazquez-r7 28fac60c81
Add module for CVE-2015-0556 2015-04-15 14:08:16 -05:00
William Vu 8d1126eaa5
Land #5129, x64 BSD prepend stubs 'n' stuff 2015-04-14 01:24:50 -05:00
joev 2d3614f647 Implement x64 BSD exec and exe template.
- Fixes bug in CachedSize due to all options being set
- Adds new payload to payload_spec.
2015-04-12 12:17:25 -05:00
joev 3313dac30f
Land #5119, @wvu's addition of the OSX rootpipe privesc exploit.
orts
borts
2015-04-10 12:38:25 -05:00
William Vu c4b7b32745 Add Rootpipe exploit 2015-04-10 11:22:00 -05:00
jvazquez-r7 91f5d0af5a
Add module for CVE-2014-0569
* Adobe flash, Integer overflow on casi32
2015-04-09 19:37:26 -05:00
OJ 2977cbd42a Merge branch 'upstream/master' into dynamic-transport 2015-04-07 14:30:48 +10:00
Brent Cook 0d78834083 update meterpreter binaries 2015-04-03 05:47:18 -05:00