Commit Graph

3687 Commits (ef73ca537f567e9985a501285c3c0c701803c00c)

Author SHA1 Message Date
jvazquez-r7 c8ceaa25c6
Land #2589, @wvu-r7's exploit for OSVDB 98714 2013-10-29 14:56:30 -05:00
jvazquez-r7 9f81aeb4ad Fix style 2013-10-29 14:55:16 -05:00
William Vu 5af42f2c28 Add short comment on why the padding is necessary 2013-10-29 11:46:10 -05:00
William Vu e368cb0a5e Add Win7 SP1 to WinXP SP3 target 2013-10-29 10:45:14 -05:00
William Vu ea7bba4035 Add Beetel Connection Manager NetConfig.ini BOF 2013-10-28 22:52:02 -05:00
Tod Beardsley 9045eb06b0
Various title and description updates 2013-10-28 14:00:19 -05:00
William Vu 278dff93e7 Add missing require for Msf::Exploit::Powershell
Thanks for the report, @mubix.
2013-10-25 21:41:24 -05:00
jvazquez-r7 b69ee1fc67 [FixRM #8419] Add module platform to ms04_011_pct 2013-10-25 09:29:19 -05:00
William Vu bea04cceeb Remove the trailing slash from the ZDI ref 2013-10-23 11:05:33 -05:00
Booboule 7d84fa487e Correct ZDI ref to match new scheme 2013-10-23 11:44:44 +02:00
sinn3r acc73dd545
Land #2282 - BypassUAC now checks if the process is LowIntegrityLevel 2013-10-22 17:16:26 -05:00
sinn3r af174639cd
Land #2468 - Hwnd Broadcast Performance 2013-10-22 17:03:02 -05:00
Tod Beardsley dc0d9ae21d
Land #2560, ZDI references
[FixRM #8513]
2013-10-22 15:58:21 -05:00
Meatballs 8611a2a24c
Merge remote-tracking branch 'upstream/master' into low_integ_bypassuac 2013-10-22 21:42:36 +01:00
sinn3r ba1edc6fa8
Land #2402 - Windows Management Instrumentation Local -> Peers 2013-10-22 15:39:32 -05:00
root 85479f5994 removed PrependMigrate, introduced migrate -f 2013-10-22 16:11:19 -04:00
jvazquez-r7 11b2719ccc Change module plate 2013-10-22 12:36:58 -05:00
jvazquez-r7 df42dfe863
Land #2536, @ddouhine's exploit for ZDI-11-061 2013-10-22 12:35:40 -05:00
jvazquez-r7 c34155b8be Clean replication_manager_exec 2013-10-22 12:34:35 -05:00
William Vu 2aed8a3aea Update modules to use new ZDI reference 2013-10-21 15:13:46 -05:00
sinn3r 1599d1171d
Land #2558 - Release fixes 2013-10-21 13:48:11 -05:00
Tod Beardsley c1954c458c
Just warn, don't bail
Even if the OS detection returns non-Win7, maybe it's Win 8 or something
where it'll still work. We rarely bail out on checks like these.

If I'm crazy, feel free to skip or revert this commit (it shouldn't hold
up the release at all)

For details on this module, see #2503. I don't see any comments about
this line in particular
2013-10-21 13:39:45 -05:00
Tod Beardsley bce8d9a90f
Update license comments with resplat. 2013-10-21 13:36:15 -05:00
sinn3r 4c14595525
Land #2535 - Use %PATH% for notepad 2013-10-21 13:14:44 -05:00
sinn3r 032da9be10
Land #2426 - make use of Msf::Config.data_directory 2013-10-21 13:07:33 -05:00
sinn3r 6430fa3354
Land #2539 - Support Windows CMD generic payload
This also upgrades auxiliary/admin/scada/igss_exec_17 to an exploit
2013-10-21 11:26:13 -05:00
sinn3r 45d06dd28d Change plate 2013-10-21 11:24:30 -05:00
sinn3r 8c05f8cf51
Land #2550 - Add HP Intelligent Managemetn UploadServlet dir traversal 2013-10-21 11:14:22 -05:00
sinn3r d22e4ac2f1 Check timeout condition 2013-10-21 11:13:48 -05:00
sinn3r 36dace26fa
Land #2538 - Fix redirect URLs 2013-10-21 11:08:03 -05:00
jvazquez-r7 27078eb5a6 Add support for HP imc /BIMS 5.1 2013-10-20 18:18:34 -05:00
jvazquez-r7 b0d32a308a Update version information 2013-10-19 00:52:22 -05:00
jvazquez-r7 7d8a0fc06c Add BID reference 2013-10-19 00:29:43 -05:00
jvazquez-r7 cf239c2234 Add module for ZDI-13-238 2013-10-19 00:05:09 -05:00
jvazquez-r7 dbd74bceed Add the ARCH_CMD target 2013-10-18 16:35:22 -05:00
Meatballs 4e4d0488ae
Rubyfy constants in privs lib 2013-10-18 18:26:07 +01:00
root 2e0a14d719 Introduced PrependMigrate, PPID killing and general clean-up 2013-10-18 12:24:50 -04:00
Norbert Szetei 9d6031acdb Reverting payload_inject because of x64 shellcode
Injecting x64 shellcode in a SYSWOW64 process spawn a 32 bit notepad, so
we revert the changes.
2013-10-18 09:51:18 +02:00
Meatballs 55426882d4
Further bypassuac tidyup 2013-10-18 00:08:06 +01:00
Meatballs e450e34c7e
Merge branch 'master' of github.com:rapid7/metasploit-framework into low_integ_bypassuac
Conflicts:
	modules/exploits/windows/local/bypassuac.rb
2013-10-17 23:35:36 +01:00
Meatballs 5a662defac
Post::Privs uses Post::Registry methods 2013-10-17 23:28:07 +01:00
James Lee 94db3f511a Avoid extra slash in redirect URI
[SeeRM #8507]
2013-10-17 14:10:15 -05:00
jvazquez-r7 be1d6ee0d3 Support Windows CMD generic payload 2013-10-17 14:07:27 -05:00
Tod Beardsley 07ab53ab39
Merge from master to clear conflict
Conflicts:
	modules/exploits/windows/brightstor/tape_engine_8A.rb
	modules/exploits/windows/fileformat/a-pdf_wav_to_mp3.rb
2013-10-17 13:29:24 -05:00
jvazquez-r7 7f6dadac16 Merge for sync 2013-10-17 10:40:01 -05:00
Davy Douhine b03783baec minors fixes and rand for endstring 2013-10-17 17:10:05 +02:00
Davy Douhine 22eb2ba163 randstring and fixes 2013-10-17 16:51:34 +02:00
Norbert Szetei 563bf4e639 Fix bug #8502, used %PATH% for notepad invocation
We use system %PATH% for notepad executable instead of the absolute
path, because it caused a problem with the migrate script in a 64-bit
meterpreter session. By default the wordpad binary is not in the
%PATH%, so the condition in hp_nnm_ovbuildpath_textfile.rb was not
changed.
2013-10-17 15:41:12 +02:00
sinn3r 7a0671eba9
Land #2531 - rm deprecated mods 2013-10-16 20:02:58 -05:00
James Lee a54b4c7370
Land #2482, use runas when UAC is DoNotPrompt 2013-10-16 17:51:11 -05:00
Tod Beardsley f1a67ecafe
Remove overdue deprecated modules
[See PT #56795804]
[See PT #56796034]
2013-10-16 17:02:28 -05:00
sinn3r 0ce221274b Change JS comments in Ruby. 2013-10-16 16:40:54 -05:00
Tod Beardsley ba2c52c5de
Fixed up some more weird splat formatting. 2013-10-16 16:25:48 -05:00
James Lee 4fa3b8f820 Add support for IE7 on XP 2013-10-16 15:56:34 -05:00
sinn3r 06a212207e Put PrependMigrate on hold because of #1674
But I will probably still want this.
2013-10-16 09:24:46 -05:00
sinn3r ac78f1cc5b Use Base64 encoding for OS parameter
I didn't even realize we already added this in server.rb. So instead
of just escaping the OS parameter, we also encode the data in base64.
I also added prependmigrate to avoid unstable conditions for the payload.
2013-10-15 23:37:11 -05:00
Tod Beardsley 5d86ab4ab8
Catch mis-formatted bracket comments. 2013-10-15 14:52:12 -05:00
Tod Beardsley ed0b84b7f7
Another round of re-splatting. 2013-10-15 14:14:15 -05:00
Tod Beardsley c83262f4bd
Resplat another common boilerplate. 2013-10-15 14:07:48 -05:00
Tod Beardsley 23d058067a
Redo the boilerplate / splat
[SeeRM #8496]
2013-10-15 13:51:57 -05:00
jvazquez-r7 c68319d098 Fix author 2013-10-15 12:59:19 -05:00
jvazquez-r7 f60b29c7a6
Land #2503, @MrXors's local exploit using VSS 2013-10-15 12:35:26 -05:00
MrXors f345414832 Added correct spelling in info 2013-10-15 10:13:18 -07:00
jvazquez-r7 0b9cf24103 Convert vss_persistence to Local Exploit 2013-10-15 11:11:04 -05:00
William Vu 31dc7c0c08 Land #2522, @todb-r7's pre-release module fixes 2013-10-14 15:37:23 -05:00
Tod Beardsley 63e40f9fba
Release time fixes to modules
* Period at the end of a description.
  * Methods shouldn't be meth_name! unless the method is destructive.
  * "Setup" is a noun, "set up" is a verb.
  * Use the clunky post module naming convention.
2013-10-14 15:17:39 -05:00
sinn3r 15e8c3bcd6 [FixRM #8470] - can't convert nil into String
Target selection bug in ms13_069_caret.rb. Happens when the target
is Win 7 + IE8, which actually isn't a suitable target.

[FixRM #8470]
2013-10-14 14:10:08 -05:00
William Vu eab90e1a2e Land #2491, missing platform info update 2013-10-14 10:38:25 -05:00
root de156dc8da new exploit module for CVE-2008-2286, Altiris DS 2013-10-13 22:39:49 -04:00
jvazquez-r7 3dbdc9f848
Land #2510, @wchen-r7's exploit for cve-2013-3897 2013-10-12 20:06:41 -05:00
sinn3r 9725918be8 Remove junk variables/params 2013-10-12 18:51:57 -05:00
sinn3r bc317760dc Make the GET params a little bit harder to read. 2013-10-12 16:37:49 -05:00
jvazquez-r7 172c6b9b8f Escape dots on regexs 2013-10-12 16:15:10 -05:00
sinn3r b139757021 Correct a typo in description 2013-10-12 13:24:36 -05:00
sinn3r 79c612cd67 Add MS13-080 (CVE-2013-3897): Internet Explorer CDisplayPointer Use-After-Free
This module exploits a vulnerability found in Microsoft Internet Explorer.
It was originally found being exploited in the wild targeting Japanese and
Korean IE8 users on Windows XP, around the same time frame as CVE-2013-3893,
except this was kept out of the public eye by multiple research companies and
the vendor until the October patch release.

This issue is a use-after-free vulnerability in CDisplayPointer via the use of
a "onpropertychange" event handler. To setup the appropriate buggy conditions,
we first craft the DOM tree in a specific order, where a CBlockElement comes after
the CTextArea element. If we use a select() function for the CTextArea element,
two important things will happen: a CDisplayPointer object will be created for
CTextArea, and it will also trigger another event called "onselect". The "onselect"
event will allow us to setup for the actual event handler we want to abuse -
the "onpropertychange" event. Since the CBlockElement is a child of CTextArea,
if we do a node swap of CBlockElement in "onselect", this will trigger
"onpropertychange".  During "onpropertychange" event handling, a free of the
CDisplayPointer object can be forced by using an "Unslect" (other approaches
also apply), but a reference of this freed memory will still be kept by
CDoc::ScrollPointerIntoView, specifically after the CDoc::GetLineInfo call,
because it is still trying to use that to update CDisplayPointer's position.
When this invalid reference arrives in QIClassID, a crash finally occurs due to
accessing the freed memory. By controling this freed memory, it is possible to
achieve arbitrary code execution under the context of the user.
2013-10-12 13:01:17 -05:00
Meatballs 9ca9b4ab29
Merge branch 'master' into data_dir
Conflicts:
	lib/msf/core/auxiliary/jtr.rb
2013-10-10 19:55:26 +01:00
Meatballs a843722ae3 Concurrent printing of the output no longer makes sense... 2013-10-10 19:01:19 +01:00
Meatballs 536c3c7b92 Use multi railgun call for a large performance increase. 2013-10-10 19:01:14 +01:00
jvazquez-r7 f10078088c Add module for ZDI-13-130 2013-10-10 10:06:17 -05:00
jvazquez-r7 e3014a1e91 Fix ZDI Reference 2013-10-09 14:56:42 -05:00
jvazquez-r7 4fd599b7e0
Land #2483, @wchen-r7's patch for [SeeRM #8458] 2013-10-09 14:32:26 -05:00
sinn3r 1e3b84d39b Update ie_cgenericelement_uaf 2013-10-09 13:40:48 -05:00
Winterspite 0acb170ee8 Bug #8419 - Added platform info missing on exploits 2013-10-08 22:41:50 -04:00
sinn3r 199bd20b95 Update CVE-2013-3893's Microsoft reference
Official patch is out:
http://technet.microsoft.com/en-us/security/bulletin/MS13-080
2013-10-08 13:00:03 -05:00
sinn3r f4000d35ba Use RopDb for ms13_069
Target tested
2013-10-07 15:24:01 -05:00
sinn3r 7222e3ca49 Use RopDb for ms13_055_canchor.
All targets tested.
2013-10-07 15:09:36 -05:00
sinn3r 67228bace8 Use RopDb for ie_cgenericelement_uaf.
All targets tested except for Vista, so additional testing will need
to be done during review.
2013-10-07 14:51:34 -05:00
Rob Fuller aed2490536 add some output and fixing 2013-10-07 15:42:41 -04:00
Rob Fuller 75d2abc8c2 integrate some ask functionality into bypassuac 2013-10-07 15:14:54 -04:00
sinn3r aea63130a4 Use RopDb for ie_cbutton_uaf.
All targets tested except for Vista. Will need additional testing
during review.
2013-10-07 14:03:07 -05:00
Tod Beardsley 219bef41a7
Decaps Siemens (consistent with other modules) 2013-10-07 13:12:32 -05:00
sinn3r e016c9a62f Use RopDb msvcrt ROP chain. Tested all targets. 2013-10-07 12:27:43 -05:00
trustedsec 0799766faa Fix UAC is not enabled, no reason to run module when UAC is enabled and vulnerable
The new changes when calling uac_level = open_key.query_value('ConsentPromptBehaviorAdmin') breaks UAC on Windows 7 and Windows 8 and shows that UAC is not enabled when it is:

Here is prior to the change on a fully patched Windows 8 machine:

msf exploit(bypassuac) > exploit

[*] Started reverse handler on 172.16.21.156:4444 
[*] UAC is Enabled, checking level...
[-] UAC is not enabled, no reason to run module
[-] Run exploit/windows/local/ask to elevate
msf exploit(bypassuac) > 

Here's the module when running with the most recent changes that are being proposed:

[*] Started reverse handler on 172.16.21.156:4444 
[*] UAC is Enabled, checking level...
[!] Could not determine UAC level - attempting anyways...
[*] Checking admin status...
[+] Part of Administrators group! Continuing...
[*] Uploading the bypass UAC executable to the filesystem...
[*] Meterpreter stager executable 73802 bytes long being uploaded..
[*] Uploaded the agent to the filesystem....
[*] Sending stage (770048 bytes) to 172.16.21.128
[*] Meterpreter session 6 opened (172.16.21.156:4444 -> 172.16.21.128:49394) at 2013-10-05 15:49:23 -0400

meterpreter > 

With the new changes and not having a return on when 0 (will not always return 0 - just in certain cases where you cannot query) - it works.
2013-10-05 15:56:55 -04:00
sinn3r a8de9d5c8b Land #2459 - Add HP LoadRunner magentproc.exe Overflow 2013-10-04 19:45:44 -05:00
jvazquez-r7 646429b4dd Put ready to pull request 2013-10-03 22:15:17 -05:00
jvazquez-r7 5971fe87f5 Improve reliability 2013-10-03 17:19:53 -05:00
jvazquez-r7 39eb20e33a Add module for ZDI-13-169 2013-10-03 16:52:20 -05:00
sinn3r c87e7b3cc1 Land #2451 - Don't overwrite default timeout on get_once 2013-10-03 15:44:40 -05:00
Tod Beardsley 539a22a49e
Typo on Microsoft 2013-10-03 12:20:47 -05:00
jvazquez-r7 77d0236b4e Don't overwrite defaul timeout 2013-10-02 16:15:14 -05:00
Meatballs c460f943f7
Merge branch 'master' into data_dir
Conflicts:
	modules/exploits/windows/local/always_install_elevated.rb
	plugins/sounds.rb
	scripts/meterpreter/powerdump.rb
	scripts/shell/spawn_meterpreter.rb
2013-10-02 20:17:11 +01:00
sinn3r 23b0c3b723 Add Metasploit blog references
These modules have blogs from the Rapid7 community, we should add them.
2013-10-01 20:50:16 -05:00
sinn3r 932ed0a939 Land #2444 - Add SIEMENS Solid Edge ST4 SEListCtrlX ActiveX Vuln 2013-10-01 20:35:17 -05:00
jvazquez-r7 ed82be6fd8 Use RopDB 2013-10-01 13:23:09 -05:00
jvazquez-r7 6483c5526a Add module for OSVDB 93696 2013-10-01 11:42:36 -05:00
sinn3r 9abf727fa6 Land #2439 - Update description 2013-09-30 16:03:15 -05:00
sinn3r 7118f7dc4c Land #2422 - rm methods peer & rport
Because they're already defined in the HttpClient mixin
2013-09-30 16:01:59 -05:00
jvazquez-r7 6c8f86883d
Land #2437, @wchen-r7's exploit for CVE-2013-3893 2013-09-30 14:02:29 -05:00
Tod Beardsley 4dc88cf60f Expand descriptions for ease of use. 2013-09-30 13:30:31 -05:00
sinn3r c82ed33a95 Forgot Math.cos() 2013-09-30 13:29:16 -05:00
sinn3r d6cd0e5c67 Tweak for office 2007 setup 2013-09-30 13:27:59 -05:00
sinn3r ecf4e923e8 Change the target address for spray 1 2013-09-30 11:57:59 -05:00
sinn3r b9aae1c93c Higher address seems better 2013-09-29 18:45:30 -05:00
sinn3r a5ade93ab2 Add CVE-2013-3893 Internet Explorer SetMouseCapture Use-After-Free
This module exploits a use-after-free vulnerability that currents
targets Internet Explorer 9 on Windows 7, but the flaw should exist in
versions 6/7/8/9/10/11. It was initially found in the wild in Japan, but
other regions such as English, Chinese, Korean, etc, were targeted as
well.

The vulnerability is due to how the mshtml!CDoc::SetMouseCapture function
handles a reference during an event. An attacker first can setup two
elements, where the second is the child of the first, and then setup a
onlosecapture event handler for the parent element. The onlosecapture
event seems to require two setCapture() calls to trigger, one for the parent
element, one for the child. When the setCapture() call for the child element
is called, it finally triggers the event, which allows the attacker to cause
an arbitrary memory release using document.write(), which in particular frees
up a 0x54-byte memory. The exact size of this memory may differ based on the
version of IE. After the free, an invalid reference will still be kept and pass
on to more functions, eventuall this arrives in function
MSHTML!CTreeNode::GetInterface, and causes a crash (or arbitrary code execution)
when this function attempts to use this reference to call what appears to be a
PrivateQueryInterface due to the offset (0x00).

To mimic the same exploit found in the wild, this module will try to use the
same DLL from Microsoft Office 2007 or 2010 to leverage the attack.
2013-09-29 18:24:13 -05:00
Meatballs b306415ecf
Tidy and updates to info 2013-09-29 17:32:39 +01:00
Meatballs 29a7059eb4
Update AlwaysInstallElevated to use a generated MSI file
Fixes bugs with MSI::UAC option, invalid logic and typo...
2013-09-29 17:09:03 +01:00
Meatballs 8b800cf5de Merge and resolve conflicts 2013-09-27 18:19:23 +01:00
jvazquez-r7 6381bbfd39 Clean up freeftpd_pass 2013-09-27 09:47:39 -05:00
TecR0c b02a2b9ce0 Added crash info and basic tidy up 2013-09-27 17:05:42 +10:00
TecR0c 7dbc3f4f87 changed seh address to work on freeFTPd 1.0.10 and below 2013-09-27 12:37:52 +10:00
TecR0c 5fc98481a7 changed seh address to work on freeFTPd 1.0.10 and below 2013-09-27 12:35:03 +10:00
TecR0c a6e1bc61ec updated version in exploit freeFTPd 1.0.10 2013-09-27 11:27:51 +10:00
TecR0c 3a3f1c0d05 updated requested comments for freeFTPd 1.0.10 2013-09-27 11:13:28 +10:00
Meatballs 3d812742f1 Merge upstream master 2013-09-26 21:27:44 +01:00
Meatballs 7ba846ca24 Find and replace 2013-09-26 20:34:48 +01:00
Meatballs a25833e4d7 Fix %TEMP% path 2013-09-26 19:22:36 +01:00
TecR0c 0339c3ef48 added freeFTPd 1.0.10 (PASS Command) 2013-09-26 20:37:23 +10:00
FireFart 84ec2cbf11 remove peer methods since it is already defined in Msf::Exploit::Remote::HttpClient 2013-09-25 23:42:44 +02:00
Tod Beardsley d91cb85a31
Not actually a typo
Turns out, the object name is "CCaret," though we're talking about the
"caret." Confuz0ring!
2013-09-24 15:55:52 -05:00
Tod Beardsley ac1388368f
Typo in module name 2013-09-24 15:50:58 -05:00
Tod Beardsley 93486a627d Whoops on trailing commas 2013-09-24 15:14:11 -05:00
William Vu 52a92a55ce Land #2394, ms13_005_hwnd_broadcast require fix 2013-09-24 13:43:21 -05:00
Tod Beardsley 3906d4a2ca Fix caps that throw msftidy warnings 2013-09-24 13:03:16 -05:00
Tod Beardsley c547e84fa7 Prefer Ruby style for single word collections
According to the Ruby style guide, %w{} collections for arrays of single
words are preferred. They're easier to type, and if you want a quick
grep, they're easier to search.

This change converts all Payloads to this format if there is more than
one payload to choose from.

It also alphabetizes the payloads, so the order can be more predictable,
and for long sets, easier to scan with eyeballs.

See:
  https://github.com/bbatsov/ruby-style-guide#collections
2013-09-24 12:33:31 -05:00
Tod Beardsley 081c279b61 Remove misleading comment 2013-09-24 11:42:31 -05:00
Tod Beardsley 8db1a389eb
Land #2304 fix post module require order
Incidentally resolve conflict on current_user_psexec to account for the
new powershell require.
2013-09-23 16:52:23 -05:00
Tod Beardsley 2656c63459 Knock out a Unicode character 2013-09-23 14:22:11 -05:00
Tod Beardsley 99f145cbff Don't split the post requires 2013-09-23 14:02:43 -05:00
Tod Beardsley 4bff8f2cdc Update descriptions for clarity. 2013-09-23 13:48:23 -05:00
William Vu a46ac7533d Land #2407, require fix for current_user_psexec 2013-09-23 11:57:19 -05:00
jvazquez-r7 8417b916c7 Complete MS13-071 Information 2013-09-21 21:22:34 -05:00
darknight007 6b06ed0df1 Update current_user_psexec.rb 2013-09-22 03:07:17 +05:00
sinn3r 8381bf8646 Land #2404 - Add powershell support for current_user_psexec 2013-09-20 17:14:55 -05:00
sinn3r 96364c78f8 Need to catch RequestError too
Because a meterpreter session may throw that
2013-09-20 17:13:35 -05:00
Meatballs 6e69fe48bf Undo psexec changes 2013-09-20 22:30:00 +01:00
Meatballs 2591be503b Psh support 2013-09-20 22:07:42 +01:00
Meatballs 15885e4ef6 Change static x value 2013-09-20 20:31:14 +01:00
Meatballs ee365a6b64 Some liberal sleeping 2013-09-20 19:33:27 +01:00
Meatballs 7d1c5c732a Correct powershell 2013-09-20 18:36:24 +01:00
sinn3r bb7b57cad9 Land #2370 - PCMAN FTP Server post-auth stack buffer overflow 2013-09-20 12:29:10 -05:00