OJ
defc0ebe5c
ppr_flatten_rec update, RDI submodule, and refactor
This commit contains a few changes for the ppr_flatten_rec local windows
exploit. First, the exploit binary itself:
* Updated to use the RDI submodule.
* Updated to build with VS2013.
* Updated to generate a binary called `ppr_flatten_rc.x86.dll`.
* Invocation of the exploit requires address of the payload to run.
Second, the module in MSF behaved a little strangely. I expected it to create
a new session with system privs and leave the existing session alone. This
wasn't the case. It used to create an instance of notepad, migrate the
_existing_ session to it, and run the exploit from there. This behaviour
didn't seem to be consistent with other local exploits. The changes
include:
* Existing session is now left alone, only used as a proxy.
* New notepad instance has exploit reflectively loaded.
* New notepad instance has payload directly injected.
* Exploit invocation takes the payload address as a parameter.
* A wait is added as the exploit is slow to run (nature of the exploit).
* Payloads are executed on successful exploit.
2013-11-27 20:44:18 +10:00
OJ
468654d2b5
Add RDI submodule, port Kitrap0d
This commit is the first in a series that will move all the exploits that use RDI
over to the R7 fork. The RDI source will be in a single known location and each
exploit will have to work from that location.
The kitrap0d exploit has been migrated over to use this submodule so that there's
one example of how it's done for future contributions to follow.
2013-11-27 16:04:41 +10:00
jvazquez-r7
31b4e72196
Switch to soft tabs the cs code
2013-11-23 23:06:52 -06:00
jvazquez-r7
9f539bafae
Add README on the source code dir
2013-11-22 17:56:05 -06:00
jvazquez-r7
25eb13cb3c
Small fix to interface
2013-11-22 17:02:08 -06:00
jvazquez-r7
288a1080db
Add MS13-022 Silverlight app code
2013-11-22 16:53:06 -06:00
OJ
506a4d9e67
Remove genericity, x64 and renamed stuff
As per discussion on the github issue, the following changes were made:
* Project renamed from elevate to kitrap0d, implying that this is not
intended to be a generic local priv esc exploit container.
* Container DLL no longer generic, always calls the kitrap0d exploit.
* Removal of all x64 code and project configurations.
* Invocation of the exploit changed so that the address of the payload
is passed in to the exploit entry point. The exploit is now responsible
for executing the payload if the exploit is successful. This removes
the possibility of the payload getting executed when the exploit fails.
* Source moved to the appropriate CVE folder.
* Binary moved to the appropriate CVE folder.
* Little bit of source rejigging to tidy things up.
2013-11-14 12:22:53 +10:00
OJ
40f58ce534
Finalise the local exploit for kitrap0d
The exploit now properly injects the DLL using RDI and invokes the
exploit based on a parameter passed by the Ruby module. The elevate
code is 'generic' with a goal of possibly supporting more exploits
down the track.
New sessions are now created with the SYSTEM creds, rather than
modifying the existing session. This is now in line with how things
are done with other local modules.
2013-11-12 23:01:24 +10:00
OJ
6a25ba18be
Move kitrap0d exploit from getsystem to local exploit
This version modifies the existing meterpreter session and bumps the privs
up to SYSTEM. However, it's not how local exploits are supposed to work.
More work will be done to make this create a new session with the elevated
privs instead.
2013-11-11 17:14:40 +10:00
Meatballs
b3cc9f6f1e
Use sysnative to delete the cryptbase.dll when in SYSWOW64 process.
Merge branch 'master' of github.com:Meatballs1/metasploit-framework into bypassuac_redo
Conflicts:
modules/exploits/windows/local/bypassuac.rb
2013-10-17 21:01:57 +01:00
Meatballs
2764bfc1b4
Remove opensdf
2013-09-27 10:19:16 +01:00
Meatballs
c3c07b5fd7
Better arch checking
2013-09-27 09:39:29 +01:00
Meatballs
dfac7b57d2
Fixup SysWOW64
2013-09-27 09:10:49 +01:00
Meatballs
b8df7cc496
Initialize strings fool
2013-09-27 09:01:00 +01:00
Meatballs
5bd414d4b4
Submodule
2013-09-26 23:19:13 +01:00
Meatballs
fc5e389708
Small changes to proj
2013-09-05 22:27:36 +01:00
Meatballs
81c78efaea
Example submodule
2013-09-05 22:00:04 +01:00
Meatballs
280f78c249
Update source
2013-08-30 10:48:47 +01:00
Meatballs
ff5cf396ab
Remove large file and rename payload.dll
2013-08-27 00:30:27 +01:00
Meatballs
035e97523b
In memory bypassuac
2013-08-27 00:13:19 +01:00
jvazquez-r7
795ad70eab
Change directory names
2013-08-15 22:52:42 -05:00
jvazquez-r7
cc5804f5f3
Add Port for OSVDB 96277
2013-08-15 18:34:51 -05:00
jvazquez-r7
c7361043ae
up to date
2013-07-17 11:47:06 -05:00
Meatballs
2634d33832
Forgot C changes
2013-07-06 09:30:09 +01:00
Meatballs
66c2b79177
Initial commit
2013-07-05 19:48:27 +01:00
jvazquez-r7
a4d353fcb3
Clean the VS project a little more
2013-06-29 15:15:27 -05:00
jvazquez-r7
de245113af
Wrap Reflective DLL Readme.md to 80 columns
2013-06-29 09:29:09 -05:00
jvazquez-r7
6878534d4b
Clean Visual Studio Project
2013-06-29 09:20:40 -05:00
jvazquez-r7
7725937461
Add Module for cve-2013-3660
2013-06-28 18:18:21 -05:00
jvazquez-r7
3c1af8217b
Land #2011, @matthiaskaiser's exploit for cve-2013-2460
2013-06-26 14:35:22 -05:00
jvazquez-r7
b400c0fb8a
Delete project files
2013-06-25 12:58:39 -05:00
jvazquez-r7
d25e1ba44e
Make fixes proposed by review and clean
2013-06-25 12:58:00 -05:00
jvazquez-r7
b32513b1b8
Fix CVE-2013-2171 with @jlee-r7 feedback
2013-06-25 10:40:55 -05:00
sinn3r
74825af933
Add Makefile
2013-06-24 16:08:22 -05:00
sinn3r
6780566a54
Add CVE-2013-2171: FreeBSD 9 Address Space Manipulation Module
2013-06-24 11:50:21 -05:00
Matthias Kaiser
8a96b7f9f2
added Java7u21 RCE module
Click2Play bypass doesn't seem to work anymore.
2013-06-24 02:04:38 -04:00
jvazquez-r7
7090d4609b
Add module for CVE-2013-1488
2013-06-07 13:38:41 -05:00
jvazquez-r7
9fca89f70b
fix small issues
2013-04-20 01:43:14 -05:00
jvazquez-r7
c225d8244e
Added module for CVE-2013-1493
2013-03-26 22:30:18 +01:00
jvazquez-r7
f04df6300a
makefile updated
2013-02-21 13:44:37 +01:00
jvazquez-r7
da9e58ef79
Added the java code to get the ser file
2013-02-20 18:14:24 +01:00
jvazquez-r7
d88ad80116
Added first version of cve-2013-0431
2013-02-20 16:39:53 +01:00
jvazquez-r7
ee2fed8335
Merge branch 'master' of https://github.com/booboule/metasploit-framework into booboule-master
2013-01-24 16:18:06 +01:00
booboule
afa32c7552
Update external/source/exploits/cve-2012-5076_2/Makefile
Wrong directory path
2013-01-23 20:18:24 +01:00
booboule
d2b75ad005
Update external/source/exploits/cve-2012-5088/Makefile
2013-01-23 12:42:33 +01:00
jvazquez-r7
807bd6e88a
Merge branch 'java_jre17_glassfish_averagerangestatisticimpl' of https://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-java_jre17_glassfish_averagerangestatisticimpl
2013-01-22 15:33:39 +01:00
jvazquez-r7
ef16a7fd24
cleanup
2013-01-17 21:45:13 +01:00
jvazquez-r7
670b4e8e06
cleanup
2013-01-17 21:39:41 +01:00
jvazquez-r7
78279a0397
Added new module for cve-2012-5076
2013-01-17 21:27:47 +01:00
jvazquez-r7
d0b9808fc7
Added module for CVE-2012-5088
2013-01-17 21:14:49 +01:00
jvazquez-r7
51f3f59d2f
cve and references available
2013-01-11 00:54:53 +01:00
jvazquez-r7
e503d596ed
code indentation for exploit.java fixed
2013-01-10 20:34:58 +01:00
jvazquez-r7
876d889d82
added exploit for j7u10 0day
2013-01-10 20:30:43 +01:00
jvazquez-r7
133ad04452
Cleanup of #1062
2012-12-07 11:55:48 +01:00
jvazquez-r7
fd1557b6d2
Merge branch 'msi_elevated' of https://github.com/Meatballs1/metasploit-framework into Meatballs1-msi_elevated
2012-11-28 21:49:36 +01:00
Meatballs1
bc9065ad42
Move MSI source and binary location
2012-11-27 18:12:49 +00:00
jvazquez-r7
5076198ba2
fixing bperry comments
2012-11-11 20:18:19 +01:00
jvazquez-r7
08cc6d56ec
updated java source
2012-11-11 20:11:33 +01:00
jvazquez-r7
c07701f61e
Makefile updated
2012-11-11 17:44:27 +01:00
jvazquez-r7
1528ccf423
added Makefile for java code
2012-11-11 17:43:57 +01:00
jvazquez-r7
8619c5291b
Added module for CVE-2012-5076
2012-11-11 17:05:51 +01:00
sinn3r
d37b52c9d3
Update source information
2012-08-30 17:48:02 -05:00
jvazquez-r7
363c0913ae
changed dir names according to CVE
2012-08-28 16:33:01 +02:00
jvazquez-r7
52ca1083c2
Added java_jre17_exec
2012-08-27 11:25:04 +02:00
sinn3r
f715527423
Improve CVE-2012-1535
2012-08-21 19:58:21 -05:00
sinn3r
13df1480c8
Add exploit for CVE-2012-1535
2012-08-17 12:16:54 -05:00
sinn3r
54576a9bbd
Last touch-up
The contents of this pull request are very similar to what the msf
dev had in private, so everybody is credited for the effort.
2012-07-10 00:37:07 -05:00
LittleLightLittleFire
956ec9d1da
added Makefile for CVE-2012-1723
2012-07-10 14:12:07 +10:00
LittleLightLittleFire
e9ac90f7b0
added CVE-2012-1723
2012-07-10 12:20:37 +10:00
jvazquez-r7
38abeeb235
changes on openfire_auth_bypass
2012-06-27 23:16:07 +02:00
jvazquez-r7
245205c6c9
changes on openfire_auth_bypass
2012-06-27 23:15:40 +02:00
h0ng10
6cc8390da9
Module rewrite, included Java support, direct upload, plugin deletion
2012-06-26 11:56:44 -04:00
h0ng10
65197e79e2
added Exploit for CVE-2008-6508 (Openfire Auth bypass)
2012-06-24 07:35:38 -04:00
jvazquez-r7
b891e868f5
Added actionscript and swf needed
2012-06-23 08:36:35 +02:00
Steven Seeley
fcf42d3e7b
added adobe flashplayer array indexing exploit (CVE-2011-2110)
2012-06-20 12:52:37 +10:00
jvazquez-r7
14d8ba00af
Added batik svg java module
2012-05-17 16:48:38 +02:00
sinn3r
f5e8f57497
Minor fixes
2012-04-19 18:07:35 -05:00
sinn3r
835d8b209d
clear whitespace
2012-04-12 01:08:22 -05:00
0a2940
654701f1b2
new file: data/exploits/CVE-2008-5499.swf
new file: external/source/exploits/CVE-2008-5499/Exploit.as
new file: modules/exploits/linux/browser/adobe_flashplayer_aslaunch.rb
2012-04-10 20:58:22 +01:00
James Lee
6b996ed9de
Add checks for data being null, too, just in case
2012-03-30 16:46:49 -06:00
James Lee
b424475774
Add a makefile
Compiles with an old -target so it will work on older JVMs
2012-03-30 16:25:47 -06:00
sinn3r
e018c6604f
Modify CVE-2012-0507
2012-03-30 02:06:56 -05:00
sinn3r
791ebdb679
Add CVE-2012-0507 (Java)
2012-03-29 10:31:14 -05:00
sinn3r
befb60217c
Add CVE-2012-0754 .as source
2012-03-07 19:25:51 -06:00
juan
e69037959f
Added CVE-2010-0842
2012-02-15 23:32:31 +01:00
scriptjunkie
1e811aed02
Adds scriptjunkie's multilingual admin fie for pxexploit
Also removes duplicated code between external/source/exploits/pxesploit
and external/source/pxesploit.
[Closes #63]
Squashed commit of the following:
commit 325f52527233ded1bf6506c366ec8cb9efdc2610
Author: scriptjunkie <scriptjunkie@scriptjunkie.us>
Date: Fri Dec 16 12:14:18 2011 -0600
Jetzt auf Deutsch! y español! 中國人!
[update pxexploit to resolve administrators' group name rather than assume the English 'Administrators']
Also remove duplicate/old pxexploit source code from the tree.
2011-12-23 12:24:45 -06:00
sinn3r
e7c179d0b5
The more description the better
2011-12-01 03:03:37 -06:00
sinn3r
9e71be8ed0
Add source for CVE-2011-3544
2011-11-29 18:04:31 -06:00
Matt Buck
16f45fc894
Add empty directories from svn repo.
2011-11-09 18:41:40 -06:00
Matt Weeks
971b6f96f6
pxesploit update; compatibility with x64, compatibility with different windows versions.
Still no custom payload yet.
git-svn-id: file:///home/svn/framework3/trunk@12430 4d416f70-5f16-0410-b530-b9f4589650da
2011-04-25 02:51:07 +00:00
David Rude
8c614a9296
made the shellcode request random to avoid signatures
git-svn-id: file:///home/svn/framework3/trunk@12148 4d416f70-5f16-0410-b530-b9f4589650da
2011-03-26 16:00:52 +00:00
David Rude
ff3659aa37
Lots of work to make this a lot more reliable =)
git-svn-id: file:///home/svn/framework3/trunk@12146 4d416f70-5f16-0410-b530-b9f4589650da
2011-03-26 06:35:28 +00:00
Joshua Drake
fb6107ffb5
enable java payloads, currently via one-off method
git-svn-id: file:///home/svn/framework3/trunk@12012 4d416f70-5f16-0410-b530-b9f4589650da
2011-03-17 23:57:11 +00:00
Joshua Drake
4644110962
add exploit for cve-2010-4452, currently windows only and no payloads :(
git-svn-id: file:///home/svn/framework3/trunk@11982 4d416f70-5f16-0410-b530-b9f4589650da
2011-03-16 04:50:25 +00:00
HD Moore
5d23306f01
Add bypassuac source to the tree
git-svn-id: file:///home/svn/framework3/trunk@11484 4d416f70-5f16-0410-b530-b9f4589650da
2011-01-06 17:30:20 +00:00
James Lee
6f7af42667
add an exploit for cve-2010-3563, thanks Matthias Kaiser
git-svn-id: file:///home/svn/framework3/trunk@11078 4d416f70-5f16-0410-b530-b9f4589650da
2010-11-19 23:02:35 +00:00
James Lee
85126af521
add an exploit module for cve-2010-0094, thanks Matthias Kaiser.
git-svn-id: file:///home/svn/framework3/trunk@10255 4d416f70-5f16-0410-b530-b9f4589650da
2010-09-08 08:20:55 +00:00
James Lee
b35cea94cd
add source code for cve-2010-0840
git-svn-id: file:///home/svn/framework3/trunk@10095 4d416f70-5f16-0410-b530-b9f4589650da
2010-08-21 07:27:26 +00:00
James Lee
50914a1e68
add a makefile so i don't forget how to compile this stuff
git-svn-id: file:///home/svn/framework3/trunk@9901 4d416f70-5f16-0410-b530-b9f4589650da
2010-07-21 07:27:15 +00:00
James Lee
119f9328fc
remove debug prints. =/
git-svn-id: file:///home/svn/framework3/trunk@9875 4d416f70-5f16-0410-b530-b9f4589650da
2010-07-20 00:57:03 +00:00
James Lee
08d705c1db
add java meterpreter and update java_calendar_deserialize to be able to use it, see #406
git-svn-id: file:///home/svn/framework3/trunk@9874 4d416f70-5f16-0410-b530-b9f4589650da
2010-07-20 00:53:24 +00:00
Joshua Drake
b37c34579b
add exploit module for cve-2009-3869
NOTE: no policy change is required for this exploit to succeed.
git-svn-id: file:///home/svn/framework3/trunk@7899 4d416f70-5f16-0410-b530-b9f4589650da
2009-12-17 04:52:40 +00:00
Joshua Drake
255724d640
compile java applet with 1.3, Fixes #685
git-svn-id: file:///home/svn/framework3/trunk@7850 4d416f70-5f16-0410-b530-b9f4589650da
2009-12-14 17:26:19 +00:00
Joshua Drake
34408c5e3e
add exploit module for CVE-2009-3867 (JRE getSoundbank)
git-svn-id: file:///home/svn/framework3/trunk@7827 4d416f70-5f16-0410-b530-b9f4589650da
2009-12-11 21:18:31 +00:00
HD Moore
b8efb1bbf9
Add Stephen Fewer's shiny exploit for the Java deserialization flaw
git-svn-id: file:///home/svn/framework3/trunk@6664 4d416f70-5f16-0410-b530-b9f4589650da
2009-06-16 17:19:44 +00:00