5ecebc3427
Add options `SERVICE_NAME` and `SERVICE_DISPLAYNAME` to psexec and correct service payload generation
2014-05-13 16:04:37 +02:00
ca7a2c7a36
Add string_to_pushes to use non fixed size service_name
2014-05-13 16:04:37 +02:00
513f3de0f8
new service exe creation refreshed
2014-05-13 16:04:36 +02:00
5f523e8a04
Rex::Text::uri_encode - make 'hex-all' really mean all.
...
'hex-all' encoding was previously ignoring slashes.
This pull adds 'hex-noslashes' mode which carries forward the previous functionality, and replaces all existing references to 'hex-all' with 'hex-noslashes' It then adds a replacement 'hex-all' mode, which really encodes *ALL* characters.
2014-05-12 11:26:27 -05:00
557cd56d92
fixed some ruby warnings
2014-05-10 23:31:02 +02:00
f56ea01988
Add module
2014-05-09 10:27:41 -05:00
6b41a4e2d9
Test Flash 13.0.0.182
2014-05-07 17:39:22 -05:00
5fd732d24a
Add module for CVE-2014-0515
2014-05-07 17:13:16 -05:00
e8bc89af30
Land #3337 , release fixes
2014-05-05 14:03:48 -05:00
c97c827140
Adjust desc and ranking on ms13-053
...
Since it's likely to crash winlogin.exe in the normal use case
(eventually), I've kicked this down to Average ranking.
2014-05-05 13:46:19 -05:00
3072c2f08a
Update CVEs for RootedCon Yokogawa modules
...
Noticed they were nicely documented at
http://chemical-facility-security-news.blogspot.com/2014/03/ics-cert-publishes-yokogawa-advisory.html
We apparently never updated with CVE numbers.
2014-05-05 13:25:55 -05:00
6bfc9a8aa0
Land #3333 - Adobe Flash Player Integer Underflow Remote Code Execution
2014-05-05 10:39:26 -05:00
7e37939bf2
Land #3090 - Windows NTUserMessageCall Win32k Kernel Pool Overflow (Schlamperei)
2014-05-04 16:41:17 +10:00
5b150a04c6
Add testing information to description
2014-05-03 20:08:00 -05:00
b4c7c5ed1f
Add module for CVE-2014-0497
2014-05-03 20:04:46 -05:00
56c5eac823
Message correction
2014-05-02 14:18:18 +01:00
69915c0de5
Message correction
2014-05-02 14:17:27 +01:00
8b138b2d37
Fix unquoted path in cleanup script
2014-04-30 16:34:33 -05:00
6b740b727b
Changes PATH to proper case
...
This changes PATH to Path
2014-04-30 17:26:36 -04:00
fdc81b198f
Adds the ability to specify path
...
This update allows an explicit path to be set rather
than purely relying on the TEMP environment variable.
2014-04-30 16:08:48 -04:00
4c0a692678
Land #3312 - Update ms14-012
2014-04-28 18:48:20 -05:00
b1ac0cbdc7
Land #3239 - Added target 6.1 to module
2014-04-28 18:28:14 -05:00
1c88dea7d6
Exploitation also works with flash 13
2014-04-28 16:23:05 -05:00
d530c9c128
Land #3304 - Adobe Flash Player Type Confusion Remote Code Execution
2014-04-28 15:06:50 -05:00
1b4fe90003
Fix msftidy warnings on wireshark exploits
2014-04-28 19:51:38 +01:00
9ce5545034
Fix comments
2014-04-27 20:13:46 -05:00
60e7e9f515
Add module for CVE-2013-5331
2014-04-27 10:40:46 -05:00
656e60c35c
Land #3254 - Wireshark <= 1.8.12/1.10.5 wiretap/mpeg.c Stack BoF
2014-04-24 13:20:50 -05:00
cde9080a6a
Move module to fileformat
2014-04-24 13:17:08 -05:00
a39855e20d
Works for XP SP3 too
2014-04-24 13:16:24 -05:00
ba8d7801f4
Remove default target because there is no auto-select
2014-04-24 13:15:49 -05:00
2e76db01d7
Try to stick to the 100 columns per line rule
2014-04-24 13:15:12 -05:00
fd95d9ef38
Added english windows xp sp2 target
2014-04-23 17:32:56 +01:00
e514ff3607
Description and print_status fixes for release
...
@cdoughty-r7, I choose you! Or @wvu-r7.
2014-04-21 14:00:03 -05:00
66b1c79da9
Update rop chain for versions 6.2 and 6.1
2014-04-21 13:27:14 -04:00
e25ca64641
It's solved the crash when double-click on the pcap file
2014-04-21 17:49:40 +01:00
3861541204
Add more rand_text_alpha functions
2014-04-19 18:37:58 +01:00
7bc546e69a
Add rand_text_alpha function
2014-04-19 17:45:28 +01:00
feea4c1fa6
ROP chain changed
2014-04-18 19:05:53 +01:00
7d801e3acc
Land #3200 , goodbye LORCON modules :(
2014-04-18 12:32:22 -05:00
acb12a8bef
Beautify and fix both ruby an AS
2014-04-17 23:32:29 -05:00
91d9f9ea7f
Update from master
2014-04-17 15:32:49 -05:00
749e141fc8
Do first clean up
2014-04-17 15:31:56 -05:00
23c2a071cd
Small name change
2014-04-15 18:35:00 -05:00
abd76c5000
Add module for CVE-2014-0322
2014-04-15 17:55:24 -05:00
e811e169dc
Cambios en el exploit
2014-04-14 16:31:54 +01:00
da26a39634
Add CVE-2014-2219 exploit for windows XP SP3
2014-04-14 16:16:10 +01:00
c99f6654e8
Added target 6.1 to module
2014-04-11 09:59:11 -04:00
062175128b
Update @Meatballs and @FireFart in authors.rb
2014-04-09 10:46:10 -05:00
3f6c8afbe3
Fix typo of MSCOMCTL not MCCOMCTL
2014-04-08 14:52:18 -04:00
85197dffe6
MS14-017 Word RTF listoverridecount memory corruption
2014-04-08 14:44:20 -04:00
17ddbccc34
Remove the broken lorcon module set
...
None of the lorcon / lorcon2 modules have been functional for a long
time, due to the lack of a "Lorcon" gem. It's unclear where it went.
I'm happy to include it and get these working again, but until someone
comes up with some functional code (hint: 'gem install' doesn't work) I
don't see any reason to keep shipping these.
Is there some trick people are doing to make these work? As far as I can
see, they are broken by default.
````
msf auxiliary(wifun) > show options
Module options (auxiliary/dos/wifi/wifun):
Name Current Setting Required Description
---- --------------- -------- -----------
CHANNEL 11 yes The initial channel
DRIVER autodetect yes The name of the wireless driver
for lorcon
INTERFACE wlan0 yes The name of the wireless
interface
msf auxiliary(wifun) > run
[*] The Lorcon2 module is not available: cannot load such file --
Lorcon2
[-] Auxiliary failed: RuntimeError Lorcon2 not available
[-] Call stack:
[-]
/home/todb/git/rapid7/metasploit-framework/lib/msf/core/exploit/lorcon2.rb:67:in
`open_wifi'
[-]
/home/todb/git/rapid7/metasploit-framework/modules/auxiliary/dos/wifi/wifun.rb:29:in
`run'
[*] Auxiliary module execution completed
````
2014-04-07 16:37:10 -05:00
7572d6612e
Spelling and grammar on new release modules
2014-04-07 12:18:13 -05:00
56bd35c8ce
Add module for WinRAR spoofing vulnerability
2014-04-07 09:21:49 -05:00
a85d451904
Add module for CVE-2014-2314
2014-04-02 14:49:31 -05:00
4a575d57ab
Try to fix Meatballs1 suggestions : optional service_description change call
2014-04-02 20:33:09 +01:00
b636a679ae
Erf, sorry, fixed now
2014-04-02 20:33:08 +01:00
631a7b9c48
Adapt to new psexec mixin (first try :D)
2014-04-02 20:33:08 +01:00
978bdbb676
Custom Service Description
2014-04-02 20:33:07 +01:00
cf2589ba8d
Land #3162 , Microsoft module name changes
2014-03-28 23:10:27 -05:00
d7ca537a41
Microsoft module name changes
...
So after making changes for MSIE modules (see #3161 ), I decided to
take a look at all MS modules, and then I ended up changing all of
them. Reason is the same: if you list modules in an ordered list
, this is a little bit easier to see for your eyes.
2014-03-28 20:56:53 -05:00
466096f637
Add MSB number to name
2014-03-28 20:33:40 -05:00
f7b1874e7d
Land #3151 , @wchen-r7's use of BrowserExploitServer in ms13-59's exploit
2014-03-28 14:43:38 -05:00
8ec10f7438
Use BrowserExploitServer for MS13-059 module
2014-03-26 17:49:01 -05:00
19918e3207
Land #3143 , @wchen-r7's switch to BrowserExploitServer on ie_setmousecapture_uaf
2014-03-26 14:16:35 -05:00
fdc355147f
Use BrowserExploitServer mixin for ie_setmousecapture_uaf.rb
2014-03-25 18:41:47 -05:00
6c206e4ced
Add a comment about what this build version range is covering
2014-03-25 11:43:13 -05:00
7108d2b90a
Add ua_ver and mshtml_build requirements
...
This vulnerability is specific to certain builds of IE9.
2014-03-25 11:35:35 -05:00
cfdd64d5b1
Title, description grammar and spelling
2014-03-24 12:16:59 -05:00
a5afd929b4
Land #3120 , @wchen-r7's exploit for CVE-2014-0307
2014-03-20 11:16:40 -05:00
8cb7bc3cbe
Fix typo
2014-03-20 11:13:57 -05:00
c5158a3ccc
Update CVE
2014-03-19 22:13:23 -05:00
d27264b402
Land #2782 , fix expand_path abuse
2014-03-19 08:41:28 -05:00
2e76faa076
Add MS14-012 Internet Explorer Use-After-Free Exploit Module
...
Add MS14-012 IE UAF.
2014-03-18 17:55:56 -05:00
8f2124f5da
Minor updates for release
...
Fixes some title/desc action.
Adds a print_status on the firefox module so it's not just silent.
Avoids the use of "puts" in the description b/c this freaks out msftidy
(it's a false positive but easily worked around).
2014-03-17 13:26:26 -05:00
da0c37cee2
Land #2684 , Meatballs PSExec refactor
2014-03-14 13:01:20 -05:00
409787346e
Bring build tools up to date, change some project settings
...
This commit brings the source into line with the general format/settings
that are used in other exploits.
2014-03-14 22:57:16 +10:00
243fa4f56a
Land #2910 - MPlayer Lite M3U Buffer Overflow
2014-03-13 14:13:17 -05:00
e832be9eeb
Update description and change ranking
...
The exploit requires the targeted user to open the malicious in
specific ways.
2014-03-13 14:09:37 -05:00
41720428e4
Refactoring exploit and adding build files for dll.
2014-03-12 10:25:52 +00:00
517f264000
Add last chunk of fixes
2014-03-11 12:46:44 -05:00
25ebb05093
Add next chunk of fixes
...
Going roughly a third at a time.
2014-03-11 12:23:59 -05:00
3ea3968d88
Merge branch 'upstream/master' into stop_abusing_expand_path
...
Conflicts:
lib/msf/core/post/windows/shadowcopy.rb
modules/exploits/windows/local/bypassuac.rb
modules/post/windows/gather/wmic_command.rb
modules/post/windows/manage/persistence.rb
2014-03-11 23:13:39 +10:00
bc8590dbb9
Change DoS module location
2014-03-10 16:12:20 +01:00
1061036cb9
Use nick instead of name
2014-03-10 16:11:58 +01:00
5485028501
Add 3 Yokogawa SCADA vulns
...
These represent our part for public disclosure of the issues listed
here:
http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf
Yokogawa is calling these YSAR-14-0001E, and I think that they map
thusly:
YSAR-14-0001E Vulnerability 1 :: R7-2013-19.1
YSAR-14-0001E Vulnerability 2 :: R7-2013-19.3
YSAR-14-0001E Vulnerability 3 :: R7-2013-19.4
@jvazquez-r7 if you could confirm, I'd be delighted to land these and
get your disclosure blog post published at:
https://community.rapid7.com/community/metasploit/blog/2014/03/10/yokogawa-centum-cs3000-vulnerabilities
Thanks for all the work on these!
2014-03-10 09:33:54 -05:00
257c121c75
Adding MS013-058 for Windows7 x86
2014-03-06 20:34:01 +00:00
2a1e96165c
Adding MS013-058 for Windows7 x86
2014-03-06 18:39:34 +00:00
df2bdad4f9
Include 'msf/core/exploit/powershell'
...
Prevent:
```
[-] /pentest/exploit/metasploit-framework/modules/exploits/windows/misc/hp_dataprotector_exec_bar.rb: NameError uninitialized constant Msf::Exploit::Powershell
```
2014-03-06 12:57:43 +11:00
9d0743ae85
Land #3030 - SolidWorks Workgroup PDM 2014 pdmwService.exe Arbitrary File Write
2014-03-05 16:34:54 -06:00
1ea35887db
Add OSVDB reference
2014-03-06 01:40:15 +10:30
4e9350a82b
Add module for ZDI-14-008
2014-03-05 03:25:13 -06:00
a1aef92652
Land #2431 - In-memory bypass uac
2014-03-05 11:15:54 +10:00
f8310b86d1
Land #3059 - ALLPlayer M3U Buffer Overfloww
2014-03-04 11:29:52 -06:00
db76962b4a
Land #2764 , WMIC Post Mixin changes
...
lands Meatballs WMIC changes
2014-03-04 10:21:46 -06:00
408fedef93
Add module for OSVDB-98283
2014-03-04 00:51:01 +01:00
32d83887d3
Merge remote-tracking branch 'upstream/master' into wmic_post
2014-03-03 21:56:31 +00:00
de6be50d64
Minor cleanup and finger-wagging about a for loop
2014-03-03 14:12:22 -06:00
f008c77f26
Write payload to startup for Vista+
2014-03-02 18:10:10 +10:30
63751c1d1a
Small msftidies
2014-02-28 22:18:59 +00:00
7117d50fa4
Land #3028 - bypassuac revamp
2014-02-28 09:12:02 +10:00
f531d61255
Land #3036 - Total Video Player buffer overflow
2014-02-27 14:28:53 -06:00
7625dc4880
Fix syntax error due to the missing ,
2014-02-27 14:25:52 -06:00
49ded452a9
Add OSVDB reference
2014-02-27 14:22:56 -06:00
e72250f08f
Rename Total Video Player module
...
The filename shouldn't include the version, because the exploit should
be able to target multiple versions if it has to.
2014-02-27 14:20:26 -06:00
b952b103bd
cleanup tior and .tmp files
...
bypassuac module now also cleans
the tior.exe and all the .tmp files so we have a
clean environemnt afterwards
2014-02-27 13:18:34 -06:00
f66709b5bb
make bypassuac module clean itself up
...
since the IO redirection hangs our original process
we have the moudle wait for the session then kills
the spawning process and delete the exe we dropped
2014-02-27 12:54:40 -06:00
a8e0c3c255
remove copypasta mistake
2014-02-27 10:05:53 -06:00
63f74bddae
2° update total_video_player_131_ini_bof
2014-02-27 16:41:35 +01:00
96b611104e
cleanup methods in bypassuac module
...
apply the same sort of method cleanup as in
Meatballs injection based module.
2014-02-26 11:00:55 -06:00
b81642d8ad
Update total_video_player_131_ini_bof
2014-02-26 11:37:04 +01:00
a7cacec0c3
Add module for EDB 29799
2014-02-25 23:07:28 +01:00
96ffb1db47
Delete extra comma
2014-02-25 15:29:46 -06:00
cb18639b66
Add small fixes and clean up
2014-02-25 15:25:01 -06:00
1d4b2ea60d
Add module for ZDI-14-015
2014-02-25 15:07:09 -06:00
a45c8c2b4a
Land #3029 , @xistence Symantec endpoint exploit
2014-02-25 07:59:35 -06:00
bfe0fdb776
Move module
2014-02-25 07:58:00 -06:00
ab167baf56
Added randomness instead of payload and xxe keywords
2014-02-25 15:23:10 +07:00
4908d80d6c
Clean up module
2014-02-24 16:00:54 -06:00
c9f0885c54
Apply @jlee-r7's feedback
2014-02-24 10:49:13 -06:00
a29c6cd2b4
Add SolidWorks Workgroup PDM 2014 pdmwService.exe Arbitrary File Write
2014-02-25 02:57:25 +10:30
5485759353
Added Symantec Endpoint Protection Manager RCE
2014-02-24 15:04:37 +07:00
8e3f70851d
Added Symantec Endpoint Protection Manager RCE
2014-02-24 15:01:13 +07:00
fdd0d91817
Updated the Ultra Minit HTTP bof exploit
...
After exploiting this application manually I decided to make this
an MSF exploit, only to find that other people had beaten me to it.
However, the existing exploit was broken in a few ways, and this
commit makes those problems go away. They include:
* Correct use of alpha chars in the buffer leading up to the payload
which results in bad chars being avoided. Bad chars muck with the
offsets because they get expanded.
* Adjustment of the payload so that it runs in another thread instead
of in the thread of the request handler. This prevents the session
from being killed after the hard-coded 60-second timeout that is
baked into the application.
* The handler thread terminates itself so that the process doesn't
crash.
* Extra targets were added based on the machines I had access to.
2014-02-23 21:23:41 +10:00
2f7f344be3
Copy original sleep
2014-02-23 04:53:48 +00:00
6127ff92ce
Fix race condition
...
Wait for Sysprep to ExitProcess before cleaning up the DLLs...
2014-03-03 23:41:25 +00:00
d396be963a
Use new cmd_exec_get_pid
2014-02-28 20:53:13 +00:00
2a6258be15
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
...
Conflicts:
external/source/exploits/make.bat
2014-02-28 20:26:24 +00:00
e0fa1d532c
Dont think this works on vista/8
2014-02-26 23:14:17 +00:00
5a7730b495
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
2014-02-25 23:15:47 +00:00
8bdb22aeb9
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
...
Conflicts:
lib/msf/core/post/windows.rb
2014-02-25 22:15:05 +00:00
1f08ad48a4
Fix payload_path method
2014-02-25 22:11:23 +00:00
6687ef80ee
Further bypassuac tidies
...
Dont rescue Exception
Use ReflectiveDLLInjection post mixin
Dont keep retrieving %TEMP% path
2014-02-25 22:03:01 +00:00
23381ea2cb
code tidying
...
break big exploit method up into
smaller methods for better maintainability
2014-02-25 14:07:48 -06:00
4ca4d82d89
Land #2939 , @Meatballs1 exploit for Wikimedia RCE and a lot more...
2014-02-18 17:48:02 -06:00
721e153c7f
Land #3005 to the fixup-release branch
...
Prefer the intel on #3005 over my own made up 0day guess. Thanks @wvu!
Conflicts:
modules/exploits/windows/fileformat/audiotran_pls_1424.rb
2014-02-18 14:08:54 -06:00
a863d0a526
Pre-release fixes, including msftidy errors.
2014-02-18 14:02:37 -06:00
28dc742bcf
Fix references and disclosure date
2014-02-18 13:59:58 -06:00
98958bc7bc
Making audiotran_pls_1424 more readable and adding comments
2014-02-17 13:40:03 -05:00
c60ea58257
added audiotran_pls_1424 fileformat for Windows
2014-02-16 16:20:50 -05:00
a59ce95901
Land #2970 , @sgabe exploit for CVE-2010-2343
2014-02-12 08:10:53 -06:00
9845970e12
Use pop#ret to jump over the overwritten seh
2014-02-12 08:10:14 -06:00
11513d94f5
Add Juan as author
2014-02-12 12:17:02 +01:00
3283880d65
Partially revert "Replace unnecessary NOP sled with random text" to improve reliability.
...
This partially reverts commit 12471660e9
2014-02-12 12:09:16 +01:00
7195416a04
Increase the size of the NOP sled
2014-02-12 02:35:53 +01:00
3f09456ce8
Minor code formatting
2014-02-11 23:53:04 +01:00
7fc3511ba9
Remove unnecessary NOPs
2014-02-11 23:48:54 +01:00
12471660e9
Replace unnecessary NOP sled with random text
2014-02-11 23:48:04 +01:00
184ccb9e1e
Fix payload size
2014-02-11 23:42:58 +01:00
3717374896
Fix and improve reliability
2014-02-11 10:44:58 -06:00
Florian Gaultier
Jeff Jarmoc
Christian Mehlmauer
jvazquez-r7
William Vu
Tod Beardsley
sinn3r
OJ
Meatballs
kaospunk
JoseMi
Ken Smith
Spencer McIntyre
agix
David Maloney
kyuzo
Brendan Coles
sgabe
Fr330wn4g3
xistence
Philip OKeefe