Commit Graph

1205 Commits (d08aff2dcc0deea190a2db8c9f5705c89897f160)

Author SHA1 Message Date
William Webb 31b593ac67
Land #7402, Add Linux local privilege escalation via overlayfs 2016-11-01 12:46:40 -05:00
h00die 0d1fe20ae5 revamped 2016-10-15 20:57:31 -04:00
h00die 12493d5c06 moved c code to external sources 2016-10-13 20:37:03 -04:00
RageLtMan 36b989e6d7 Initial import of .NET compiler and persistence
Add Exploit::Powershell::DotNet namespace with compiler and
runtime elevator.

Add compiler modules for payloads and custom .NET code/blocks.

==============

Powershell-based persistence module to compile .NET templates
with MSF payloads into binaries which persist on host.
Templates by @hostess (way back in 2012).

C# templates for simple binaries and a service executable with
its own install wrapper.

==============

Generic .NET compiler post module

Compiles .NET source code to binary on compromised hosts.
Useful for home-grown APT deployment, decoy creation, and other
misdirection or collection activities.

Using mimikatz (kiwi), one can also extract host-resident certs
and use them to sign the generated binary, thus creating a
locally trusted exe which helps with certain defensive measures.

==============

Concept:

Microsoft has graciously included a compiler in every modern
version of Windows. Although executables which can be easily
invoked by the user may not be present on all hosts, the
shared runtime of .NET and Powershell exposes this functionality
to all users with access to Powershell.

This commit provides a way to execute the compiler entirely in
memory, seeking to avoid disk access and the associated forensic
and defensive measures. Resulting .NET assemblies can be run
from memory, or written to disk (with the option of signing
them using a pfx cert on the host). Two basic modules are
provided to showcase the functionality and execution pipeline.

Usage notes:

Binaries generated this way are dynamic by nature and avoid sig
based detection. Heuristics, sandboxing, and other isolation
mechanisms must be defeated by the user for now. Play with
compiler options, included libraries, and runtime environments
for maximum entropy before you hit the temmplates.

Defenders should watch for:
Using this in conjunction with WMI/PS remoting or other MSFT
native distributed execution mechanism can bring malware labs
to their knees with properly crafted templates.
The powershell code to generate the binaries also provides a
convenient method to leave behind complex trojans which are not
yet in binary form, nor will they be until execution (which can
occur strictly in memory avoiding disk access for the final
product).

==============

On responsible disclosure: I've received some heat over the years
for prior work in this arena. Everything here is already public,
and has been in closed PRs in the R7 repo for years. The bad guys
have had this for a while (they do their homework religiously),
defenders need to be made aware of this approach and prepare
themselves to deal with it.
2016-10-08 14:05:53 -05:00
OJ 0e82ced082
Add LPE exploit module for the capcom driver flaw
This commit includes:

* RDI binary that abuses the SMEP bypass and userland function pointer
  invocation that is provided by the driver.
* Related metasploit module.
* Associated make.build to build from command line.
* Updated command line build file.

This also includes the beginnings of a new set of functions that help
with the management/automation of kernel-related work on Windows for
local priv esc exploits.
2016-09-27 22:37:45 +10:00
William Webb 21e6211e8d add exploit for cve-2016-0189 2016-08-01 13:26:35 -05:00
Pearce Barry 7b1d9596c7
Land #7068, Introduce 'mettle' - new POSIX meterpreter 2016-07-11 22:38:40 -05:00
William Webb b4b3a84fa5 refactor ms16-016 code 2016-07-05 20:50:43 -05:00
Adam Cammack 0390ed4d6e Add MIPS O32 Linux support (big and little endian) 2016-07-05 11:24:54 -05:00
Adam Cammack 8de508c4e0 Add mettle module for ARM 2016-07-05 11:24:54 -05:00
EarthQuake 3147553d4f armeb comments modified 2016-06-10 19:59:59 +02:00
EarthQuake 26680f58ca Original shellcode added for Linux ARM big endian bind ipv4 tcp 2016-06-10 19:19:16 +02:00
James Lee f1857d6350
Kill defanged mode 2016-03-28 09:02:07 -05:00
Brent Cook 6eda702b25
Land #6292, add reverse_tcp command shell for Z/OS (MVS) 2015-12-23 14:11:37 -06:00
Brent Cook 5a19caf10a remove temp file 2015-12-23 11:42:09 -06:00
dmohanty-r7 eb4611642d Add Jenkins CLI Java serialization exploit module
CVE-2015-8103
2015-12-11 14:57:10 -06:00
jvazquez-r7 bb3a3ae8eb
Land #6176, @ganzm's fix for 64 bits windows loadlibrary payload 2015-12-01 13:18:41 -06:00
Bigendian Smalls 09d63de502
Added revshell shellcode source
Put shell_reverse_tcp.s shellcode source for mainframe reverse shell
into external/source/shellcode/mainframe
2015-12-01 08:26:42 -06:00
Brent Cook 1b951b36fe remove -db / -pcap / -all gemspecs, merge into one 2015-11-11 15:01:50 -06:00
William Vu e6202e3eda Revert "Land #6060, Gemfile/gemspec updates"
This reverts commit 8f4046da40, reversing
changes made to 2df149b0a5.
2015-11-08 19:32:15 -06:00
Brent Cook 7c7eb06058 remove unused kissfft library 2015-11-04 08:35:45 -06:00
Matthias Ganz 4eaf1ace81 Bugfix loading address of library path into rcx
The old code breaks if the payload is executed from a memory area where the 4 most significant bytes are non-zero.
2015-11-02 16:56:07 +01:00
William Vu 77fae28cd4 Add -q option to msfd to disable banner 2015-10-07 01:57:58 -05:00
jvazquez-r7 9444c8c410
Fix #5988, windows x64 stagers
* Also, use mov esi, esi to save an extra byte
* Also, modify the block_recv.asm code, just to have it up to date
2015-09-28 15:52:50 -05:00
jvazquez-r7 2c9734f178
Add exploit source 2015-09-15 14:54:05 -05:00
jvazquez-r7 6e857568e0
Delete comments 2015-09-03 13:33:40 -05:00
jvazquez-r7 b39575928e
Update reflective exploit 2015-09-03 11:01:41 -05:00
jvazquez-r7 ecf3fb61d6
Replace external source 2015-08-26 15:32:50 -05:00
William Vu d54249370b Move tpwn source to external/source/exploits 2015-08-17 18:27:47 -05:00
wchen-r7 7113c801b1
Land #5732, reliability update for adobe_flash_hacking_team_uaf 2015-07-17 16:43:39 -05:00
jvazquez-r7 255d8ed096
Improve adobe_flash_opaque_background_uaf 2015-07-16 14:56:32 -05:00
jvazquez-r7 ab5c7a806e
Update flash exploiter 2015-07-15 18:32:45 -05:00
jvazquez-r7 bd5d372436
Add build comment 2015-07-15 18:30:05 -05:00
jvazquez-r7 138789b77c
Fix indentation 2015-07-15 18:29:28 -05:00
jvazquez-r7 b504f0be8e
Update adobe_flash_hacking_team_uaf 2015-07-15 18:18:04 -05:00
wchen-r7 d6565a9aee Merge branch 'bes_flash' into bapv2_flash_test 2015-07-14 00:34:54 -05:00
jvazquez-r7 b72ba7f51c
Add AS2 flash detection code 2015-07-13 18:26:02 -05:00
jvazquez-r7 8fb6bedd94
Delete as3 detecotr 2015-07-13 18:23:39 -05:00
jvazquez-r7 9116460cb0
Add prototype with AS3 2015-07-13 16:33:55 -05:00
jvazquez-r7 299978d0e2
Put again old exploiter 2015-07-11 00:36:32 -05:00
jvazquez-r7 63005a3b92
Add module for flash CVE-2015-5122
* Just a fast port for the exploit leaked
* Just tested on win7sp1 / IE11
2015-07-11 00:28:55 -05:00
Tod Beardsley 3d630de353
Replace with a real CVE number 2015-07-07 14:44:12 -05:00
jvazquez-r7 d9aacf2d41
Add module for hacking team flash exploit 2015-07-07 11:19:48 -05:00
jvazquez-r7 1de94a6865
Add module for CVE-2015-3113 2015-07-01 13:13:57 -05:00
jvazquez-r7 e49c36998c
Fix indentation 2015-06-25 14:12:23 -05:00
jvazquez-r7 a87d4e5764
Add flash_exploiter template 2015-06-25 13:52:57 -05:00
jvazquez-r7 ee0377ca16
Add module for CVE-2015-3105 2015-06-25 13:35:01 -05:00
Spencer McIntyre 2206a6af73 Support older targets x86 for MS15-051 2015-06-25 09:33:15 +10:00
OJ 3686accadd
Merge branch 'upstream/master' into cve-2015-1701 2015-06-22 07:52:17 +10:00
OJ b78ba55c25
Merge minor CVE-2015-1701 from zeroSteiner 2015-06-22 07:50:26 +10:00