5fcc70bea4
Fixed issue w/ msf payloads + added timeout rescue
...
Apparently when OS X payload shells get a sudo command, it requires a full path (even though it clearly has $PATH defined in its env...) to that file. The updates here take that into account. Also, the script more directly catches a timeout error when the maximum time for sudoers file to change has passed.
2015-10-25 23:38:48 -07:00
348a0f9e3d
Cleaned up "cleanup" method and crontab check
...
The script now searches for the full line "ALL ALL=(ALL) NOPASSWD: ALL" written in the crontab file to ensure that it is successful rather than just "NOPASSWD". Additionally, the required argument used in the cleanup method was removed and simply turned into an instance method so it could be accessed without needing to call it with any arguments.
2015-10-21 22:53:32 -07:00
712f9f2c83
Deleted extra reference to exploit DB
2015-10-18 19:10:47 -07:00
b03c3be46d
Fixed some styling errors in the initializer. Switched the calls to sleep(1) to use the Rex API (Rex.sleep(1) instead).
2015-10-18 02:13:03 -07:00
3757f2e8de
Changed my author name to make sure it matches my GitHub username inside the module information.
2015-10-16 14:54:34 -07:00
95d5e5831e
Adding the updated version of the module to submit a pull request. Changes were made to ensure that the OS version check correctly determines which systems are vulnerable, giving only a warning message if not.
2015-10-16 14:39:07 -07:00
4275a65407
Update local exploit checks to follow the guidelines.
...
Please see wiki "How to write a check() method" to learn how
these checkcodes are determined.
2015-09-01 23:26:45 -05:00
9364982467
Land #5665 , Add osx rootpipe entitlements exploit for 10.10.3
2015-08-28 13:33:16 -05:00
e45347e745
Explain why vulnerable
2015-08-28 13:26:01 -05:00
423d52476d
Normal options should be all caps
2015-08-28 13:24:23 -05:00
26165ea93f
Add tpwn module
2015-08-17 17:11:11 -05:00
50c9293aab
Land #5758 , OS X DYLD_PRINT_TO_FILE privesc
2015-07-23 13:21:23 -05:00
c1a9628332
Fix some fixes
...
So you can fix while you fix.
2015-07-23 12:59:20 -05:00
6ededbd7a7
Un-ticking the output
2015-07-23 12:23:56 -05:00
9d8dd2f8bd
FIxup pr #5758
2015-07-23 12:21:36 -05:00
165cb195bf
Remove python dependency, add credit URL.
2015-07-21 22:48:23 -05:00
3013ab4724
Add osx root privilege escalation.
2015-07-21 21:50:55 -05:00
133e221dcd
Remove unnecessary steps.
2015-07-05 19:00:58 -05:00
c993c70006
Remove sleep(), clean up WritableDir usage.
2015-07-05 18:59:00 -05:00
72a1e9ad99
Add module for rootpipe+entitlements exploit for 10.10.3.
2015-07-05 18:19:46 -05:00
d98d2ffd4d
Update setuid_viscosity
...
* Use cmd_exec
2015-06-22 14:04:04 -05:00
60bdc10aed
Update setuid_tunnelblick
...
* Use cmd_exec
2015-06-22 13:57:33 -05:00
352e170624
more failure reasons
2015-04-16 22:04:11 +02:00
8c5890d506
more fixes
2015-04-16 21:56:42 +02:00
b4b8ac0849
moar fail_with's
2015-04-16 21:26:37 +02:00
13da15e434
Add default PAYLOAD again
...
PrependSetreuid doesn't work with generic/shell_reverse_tcp.
2015-04-16 02:07:02 -05:00
e114c85044
Land #5127 , x64 OS X prepend stubs 'n' stuff
2015-04-14 01:25:39 -05:00
e324819feb
Add Privileged to info hash
...
Also remove default payload. Was set for CMD.
2015-04-13 15:23:30 -05:00
bd3b6514fa
Dubbed. Whump whump.
2015-04-13 10:52:32 -05:00
d87483b28d
Squashed commit of the following:
...
commit 49f480af8b9d27e676c02006ae8873a119e1aae6
Author: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Mon Apr 13 10:42:13 2015 -0500
Fix funny punctuation on rootpipe exploit title
See #5119
commit 0b439671efd6dabcf1a69fd0b089c28badf5ccff
Author: Tod Beardsley <tod_beardsley@rapid7.com>
Date: Mon Apr 13 10:37:39 2015 -0500
Fix vendor caps
Trusting the github repo README at
https://github.com/embedthis/goahead
See #5101
2015-04-13 10:46:47 -05:00
c132a3fb0a
Fix OSX prepends and implement x64 setreuid.
2015-04-11 20:04:21 -05:00
fc814a17ae
Add admin check
...
Also break out version check.
2015-04-10 11:24:49 -05:00
41885133d8
Refactor and clean
...
Finally breaking free of some stubborn old habits. :)
2015-04-10 11:22:27 -05:00
a7601c1b9a
Use zsh to avoid dropping privs
...
Also add some configurable options.
2015-04-10 11:22:00 -05:00
4cc6ac6eaa
Clarify vulnerable versions
2015-04-10 11:22:00 -05:00
c4b7b32745
Add Rootpipe exploit
2015-04-10 11:22:00 -05:00
de88908493
code style
2014-12-11 23:30:20 +01:00
79f2708a6e
Slight fixes to grammar/desc/whitespace
...
Note that the format_all_drives module had a pile of CRLFs that should
have been caught by msftidy. Not sure why it didn't.
2014-12-04 13:11:33 -06:00
b357fd88a7
Add comment
2014-11-30 21:08:38 -06:00
0ab99549bd
Change ranking
2014-11-30 21:08:12 -06:00
7772da5e3f
Change paths, add makefile and compile
2014-11-30 21:06:11 -06:00
d7d1b72bce
Rename local_variables
2014-11-30 20:40:55 -06:00
d77c02fe43
Delete unnecessary metadata
2014-11-30 20:37:34 -06:00
3a5de9970f
Update description, rename xnu_ver -> osx_ver.
2014-11-25 12:38:29 -06:00
7a3fb12124
Add an OSX privilege escalation from Google's Project Zero.
2014-11-25 12:34:16 -06:00
35d3bbf74d
Fix up comment splats with the correct URI
...
See the complaint on #4039 . This doesn't fix that particular
issue (it's somewhat unrelated), but does solve around
a file parsing problem reported by @void-in
2014-10-17 11:47:33 -05:00
df44dfb01a
Add OSVDB and EDB references to Shellshock modules
2014-09-29 21:39:07 -05:00
be6552dae7
Clarifying VMware priv esc via bash module name
2014-09-25 14:34:09 -05:00
f13289ab65
remove debugging
2014-09-25 02:16:19 -04:00
8cb4ed4cb7
re-add quotes -oops
2014-09-25 02:09:12 -04:00
Sam H
Sam Handelman
wchen-r7
William Vu
Tod Beardsley
joev
jvazquez-r7
Christian Mehlmauer
Joe Vennix
URI Assassin
Samuel Huckins
Rob Fuller