Commit Graph

1045 Commits (e1d1ff17fd0bdd73b88b380ea560beefc6f1abf7)

Author SHA1 Message Date
jvazquez-r7 7772da5e3f Change paths, add makefile and compile 2014-11-30 21:06:11 -06:00
jvazquez-r7 b6306ef7a2 Move C source to exploits folder 2014-11-30 20:42:53 -06:00
Joe Vennix 7a3fb12124
Add an OSX privilege escalation from Google's Project Zero. 2014-11-25 12:34:16 -06:00
jvazquez-r7 f43a6e9be0 Use PDWORD_PTR and DWORD_PTR 2014-10-31 17:35:50 -05:00
jvazquez-r7 6154b7d55f Fix style again 2014-10-31 12:51:48 -05:00
jvazquez-r7 203af90a44 Fix style 2014-10-31 12:50:23 -05:00
jvazquez-r7 0c23733722 Use hungarian notation 2014-10-31 12:47:50 -05:00
jvazquez-r7 8e547e27b3 Use correct types 2014-10-31 12:37:21 -05:00
OJ cbd616bbf5 A few sneaky style changes, but no functional ones
Changes were purely for style, and Juan was happy to let me make them
as part of the merge.
2014-10-31 09:08:11 +10:00
jvazquez-r7 6574db5dbb Fix the 64 bits code 2014-10-30 17:01:59 -05:00
jvazquez-r7 03a84a1de3 Search the AccessToken 2014-10-30 12:17:03 -05:00
OJ 908094c3d3 Remove debug, treat warnings as errors 2014-10-28 09:04:02 +10:00
OJ 0a03b2dd48 Final code tidy 2014-10-28 08:59:33 +10:00
OJ 6f3b373f01 More code tidy and unifying of stuff 2014-10-28 08:37:49 +10:00
OJ 0e761575c8 More code tidying, reduced x64/x86 duplication 2014-10-28 08:09:18 +10:00
OJ 062eff8ede Fix project settings, make files, start tidying of code 2014-10-28 07:58:19 +10:00
Spencer McIntyre d6a63ccc5e Remove unnecessary C debugging code for the exploit 2014-10-27 11:24:23 -04:00
Spencer McIntyre 46b1abac4a More robust check routine for cve-2014-4113 2014-10-27 11:19:12 -04:00
jvazquez-r7 4406972b46 Do version checking minor cleanup 2014-10-27 09:32:42 -05:00
jvazquez-r7 0aaebc7872 Make GetPtiCurrent USER32 independent 2014-10-26 18:51:02 -05:00
jvazquez-r7 34697a2240 Delete 'callback3' also from 32 bits version 2014-10-26 17:28:35 -05:00
Spencer McIntyre 7416c00416 Initial addition of x64 target for cve-2014-4113 2014-10-26 16:54:42 -04:00
jvazquez-r7 d8eaf3dd65 Add exploit source code 2014-10-23 18:59:58 -05:00
Spencer McIntyre 3181d4e080 Add zsh completion definitions for utilities 2014-09-27 20:12:02 -04:00
HD Moore 8cca4d7795 Fix the makefile to use the right directory
Reported by severos on IRC, the current output
class is in the right place, but the makefile
was broken.
2014-08-03 13:38:15 -05:00
sinn3r ce5d3b12e7
Land #3403 - MS13-097 Registry Symlink IE Sandbox Escape 2014-06-26 13:48:28 -05:00
sinn3r 0b6f7e4483
Land #3404 - MS14-009 .NET Deployment Service IE Sandbox Escape 2014-06-26 11:45:47 -05:00
Meatballs 25ed68af6e
Land #3017, Windows x86 Shell Hidden Bind
A bind shellcode that responds as 'closed' unless the client matches the
AHOST ip.
2014-06-08 13:49:49 +01:00
Meatballs bf1a665259
Land #2657, Dynamic generation of windows service executable functions
Allows a user to specify non service executables as EXE::Template as
long as the file has enough size to store the payload.
2014-06-07 13:28:20 +01:00
jvazquez-r7 443f9f175c Update IE11Sandbox exploit source 2014-06-03 09:58:07 -05:00
jvazquez-r7 372a12b966 Restore make.msbuild permissions 2014-06-03 09:07:34 -05:00
jvazquez-r7 98a06b3d72 Restore make.msbuild 2014-06-03 09:05:26 -05:00
jvazquez-r7 f918bcc631 Use powershell instead of mshta 2014-06-03 09:01:56 -05:00
jvazquez-r7 f6862cd130 Land @OJ's updated meterpreter binaries 2014-05-30 20:27:28 -05:00
OJ d2b8706bd6
Include meterpreter bins, add Sandbox builds
This commit contains the binaries that are needed for Juan's sandbox
escape functionality (ie. the updated old libloader code). It also
contains rebuilt binaries for all meterpreter plugins.

I've also added command line build scripts for the sandbox escapes
and added that to the "exploits" build.
2014-05-31 08:12:34 +10:00
jvazquez-r7 c1368dbb4c Use %windir% 2014-05-30 09:06:41 -05:00
jvazquez-r7 75777cb3f9 Add IE11SandboxEscapes source 2014-05-29 11:38:43 -05:00
Florian Gaultier bb4e9e2d4d correct error in block service_change_description 2014-05-13 16:04:39 +02:00
Florian Gaultier 6332957bd2 Try to add SERVICE_DESCRIPTION options to psexec, but it doesn't seem to work... 2014-05-13 16:04:39 +02:00
Florian Gaultier bdbb70ab71 up block_service_stopped.asm 2014-05-13 16:04:39 +02:00
Florian Gaultier e269c1e4f1 Improve service_block with service_stopped block to cleanly terminate service 2014-05-13 16:04:38 +02:00
Florian Gaultier c43e3cf581 Improve block_create_remote_process to point on shellcode everytime 2014-05-13 16:04:38 +02:00
Florian Gaultier 25d48b7300 Add create_remote_process block, now used in exe_service generation 2014-05-13 16:04:38 +02:00
Florian Gaultier 0bdf7904ff Change author of single_service_stuff.asm 2014-05-13 16:04:38 +02:00
Florian Gaultier 513f3de0f8 new service exe creation refreshed 2014-05-13 16:04:36 +02:00
jvazquez-r7 58c46cc73d Add compilation instructions for the AS 2014-05-08 16:48:42 -05:00
jvazquez-r7 5fd732d24a Add module for CVE-2014-0515 2014-05-07 17:13:16 -05:00
sinn3r 6bfc9a8aa0
Land #3333 - Adobe Flash Player Integer Underflow Remote Code Execution 2014-05-05 10:39:26 -05:00
OJ 7e37939bf2
Land #3090 - Windows NTUserMessageCall Win32k Kernel Pool Overflow (Schlamperei) 2014-05-04 16:41:17 +10:00
jvazquez-r7 b4c7c5ed1f Add module for CVE-2014-0497 2014-05-03 20:04:46 -05:00