d6565a9aee
Merge branch 'bes_flash' into bapv2_flash_test
2015-07-14 00:34:54 -05:00
b72ba7f51c
Add AS2 flash detection code
2015-07-13 18:26:02 -05:00
8fb6bedd94
Delete as3 detecotr
2015-07-13 18:23:39 -05:00
9116460cb0
Add prototype with AS3
2015-07-13 16:33:55 -05:00
299978d0e2
Put again old exploiter
2015-07-11 00:36:32 -05:00
63005a3b92
Add module for flash CVE-2015-5122
...
* Just a fast port for the exploit leaked
* Just tested on win7sp1 / IE11
2015-07-11 00:28:55 -05:00
3d630de353
Replace with a real CVE number
2015-07-07 14:44:12 -05:00
d9aacf2d41
Add module for hacking team flash exploit
2015-07-07 11:19:48 -05:00
1de94a6865
Add module for CVE-2015-3113
2015-07-01 13:13:57 -05:00
e49c36998c
Fix indentation
2015-06-25 14:12:23 -05:00
a87d4e5764
Add flash_exploiter template
2015-06-25 13:52:57 -05:00
ee0377ca16
Add module for CVE-2015-3105
2015-06-25 13:35:01 -05:00
2206a6af73
Support older targets x86 for MS15-051
2015-06-25 09:33:15 +10:00
3686accadd
Merge branch 'upstream/master' into cve-2015-1701
2015-06-22 07:52:17 +10:00
b78ba55c25
Merge minor CVE-2015-1701 from zeroSteiner
2015-06-22 07:50:26 +10:00
d73a3a4a5f
Dont call ExitProcess because it might kill the shell
2015-06-21 16:16:33 -04:00
27a583853c
Fix one more line indentation
2015-06-18 12:40:30 -05:00
55f077fa9e
Fix indentation
2015-06-18 12:38:36 -05:00
de1542e589
Add module for CVE-2015-3090
2015-06-18 12:36:14 -05:00
17b8ddc68a
Land #5524 , adobe_flash_pixel_bender_bof in flash renderer
2015-06-15 02:42:16 -05:00
72672fc8f7
Delete debug
2015-06-11 17:39:36 -05:00
8ed13b1d1b
Add linux support for CVE-2014-0515
2015-06-11 16:18:50 -05:00
ae21b0c260
Land #5523 , adobe_flash_domain_memory_uaf in the flash renderer
2015-06-10 16:59:19 -05:00
4c5b1fbcef
Land #5522 , adobe_flash_worker_byte_array_uaf in the flash renderer
2015-06-10 14:49:41 -05:00
af31112646
Fix exploit indentation
2015-06-10 14:19:36 -05:00
64562565fb
Fix method indentation
2015-06-10 14:16:47 -05:00
2bb3a5059c
Fix else indentation
2015-06-10 14:15:58 -05:00
1d05ce1cdc
Fix for indentation
2015-06-10 14:14:29 -05:00
7202e27918
Fix indentation
2015-06-10 14:12:26 -05:00
ab132290d7
Add Exploiter AS
2015-06-10 13:53:45 -05:00
6c7ee10520
Update to use the new flash Exploiter
2015-06-10 13:52:43 -05:00
0d2454de93
Fix indentation
2015-06-10 12:27:52 -05:00
7fba64ed14
Allow more search space
2015-06-10 12:26:53 -05:00
ecbddc6ef8
Play with memory al little bit better
2015-06-10 11:54:57 -05:00
d622c782ef
Land #5519 , adobe_flash_uncompress_zlib_uninitialized in the flash renderer
2015-06-10 11:52:47 -05:00
667db8bc30
Land #5517 , adobe_flash_casi32_int_overflow (exec from the flash renderer)
2015-06-10 11:39:13 -05:00
2b4fe96cfd
Tweak Heap Spray
2015-06-10 10:56:24 -05:00
a6fe383852
Use AS Exploiter
2015-06-10 09:32:52 -05:00
64b486eeac
Change filename
2015-06-10 09:12:52 -05:00
d95a0f432d
Update AS codE
2015-06-10 09:12:25 -05:00
e5d6c9a3cb
Make last code cleanup
2015-06-09 16:01:57 -05:00
d9db45690f
Delete debug messages
2015-06-09 15:47:59 -05:00
cf8c6b510b
Debug version working
2015-06-09 15:46:21 -05:00
f4649cb3fb
Delete old AS
2015-06-09 14:50:59 -05:00
4f1ee3fcdf
Really fix indentation
2015-06-09 12:42:32 -05:00
5bab1cfc68
Fix indentation
2015-06-09 12:38:24 -05:00
39851d277d
Unset debug flag
2015-06-09 11:36:09 -05:00
b7f0fad72f
Modify CVE-2014-0569 to use the flash exploitation code
2015-06-09 11:31:39 -05:00
5a6a16c4ec
Resolve #4326 , remove msfpayload & msfencode. Use msfvenom instead!
...
msfpayload and msfencode are no longer in metasploit. Please use
msfvenom instead.
Resolves #4326
2015-06-08 11:30:04 -05:00
b291d41b76
Quick hack to remove hard-coded offsets
2015-06-05 13:19:41 +10:00
51d98e1008
Update AS code
2015-06-04 18:34:08 -05:00
02181addc5
Update CVE-2014-0556
2015-06-04 18:23:50 -05:00
23df66bf3a
Land #5481 , no powershell. exec shellcode from the renderer process.
2015-06-04 15:45:09 -05:00
75454f05c4
Update AS source code
2015-06-04 12:12:49 -05:00
80cb70cacf
Add support for Windows 8.1/Firefox
2015-06-03 22:46:04 -05:00
74117a7a52
Allow to execute payload from the flash renderer
2015-06-03 16:33:41 -05:00
455a3b6b9d
Add butchered version of CVE-2015-1701
2015-06-03 21:48:23 +10:00
e9714bfc82
Solve conflics
2015-05-27 23:22:00 -05:00
e749733eb6
Land #5419 , Fix Base64 decoding on ActionScript
2015-05-27 23:13:51 -05:00
e5d42850c1
Add support for Linux to CVE-2015-0336
2015-05-27 17:05:10 -05:00
801deeaddf
Fix CVE-2015-0336
2015-05-27 15:42:06 -05:00
bd1bdf22b5
Fix CVE-2015-0359
2015-05-26 17:27:20 -05:00
19c7445d9d
Fix CVE-2015-0336
2015-05-26 17:20:49 -05:00
23d244b1fa
Fix CVE-2015-0313
2015-05-26 16:11:44 -05:00
5c8c5aef37
Fix CVE-2014-8440
2015-05-26 16:05:08 -05:00
da362914e2
Fix indentation
2015-05-26 15:50:31 -05:00
d78d04e070
Fix CVE-2014-0569
2015-05-26 15:49:22 -05:00
e0a1fa4ef6
Fix indentation
2015-05-26 15:38:56 -05:00
1742876757
Fix CVE-2014-0556
2015-05-26 15:30:39 -05:00
a1538fc3ba
Update AS code
2015-05-26 15:18:01 -05:00
f35d7a85d3
Adjust numbers
2015-05-21 15:56:11 -05:00
a8e9b0fb54
Update ActionScript
2015-05-21 14:58:38 -05:00
51bb4b5a9b
Add module for CVE-2015-0359
2015-05-07 17:00:00 -05:00
582919acac
Add module for CVE-2015-0336
2015-05-05 17:25:19 -05:00
b07a864416
Fix as indentation
2015-04-29 19:01:11 -05:00
dbba466b5b
Add module for CVE-2014-8440
2015-04-29 17:52:04 -05:00
28fac60c81
Add module for CVE-2015-0556
2015-04-15 14:08:16 -05:00
91f5d0af5a
Add module for CVE-2014-0569
...
* Adobe flash, Integer overflow on casi32
2015-04-09 19:37:26 -05:00
11c6f3fdca
Do reliable resolution of kernel32
2015-03-29 15:52:13 -05:00
f84a46df63
Add module for CVE-2015-0313
2015-03-27 18:51:13 -05:00
dab4333867
updated asm in block
2015-03-18 16:07:46 -04:00
bb81107e51
Land #4927 , @wchen-r7's exploit for Flash PCRE CVE-2015-0318
2015-03-13 23:58:05 -05:00
2a25e2b2e1
Update Main.as
2015-03-13 11:40:16 -05:00
0ee0a0da1c
This seems to work
2015-03-13 04:43:06 -05:00
0c3329f69e
Back on track
2015-03-12 15:26:55 -05:00
b604599c8e
Fix comments
2015-03-11 21:32:35 -05:00
479a9cc1a9
Fix missing stack variables & remove old comment
2015-03-11 21:23:27 -05:00
7e3b4017f0
Rename and resynced with master, ready for refactoring
2015-03-11 14:36:27 -05:00
ea1bc69e2e
Merge branch 'master' into feature/add-reverse_winhttp-stagers
2015-03-11 14:29:34 -05:00
43b90610b1
Temp
2015-03-11 13:53:34 -05:00
2a9d6e64e2
Starting point for CVE-2015-0318
2015-03-11 09:58:41 -05:00
991e72a4fa
HTTP stager based on WinHttp
2015-03-10 13:40:16 -05:00
14c3848493
Delete useless comment
2015-03-09 16:59:10 -05:00
cb72b26874
Add module for CVE-2014-0311
2015-03-09 16:52:23 -05:00
b223dbdfcf
Nuke external LORCON code from orbit
2015-02-26 14:52:01 -06:00
5297ebc1a1
Merge branch 'master' into land-1396-http_proxy_pstore
...
Bring things back to the future
2015-02-20 08:50:17 -06:00
4da28324e7
expound on java signer build instructions
2015-02-12 16:13:08 -06:00
af405eeb7d
Land #4287 , @timwr's exploit form CVS-2014-3153
2015-02-09 10:33:14 -06:00
aa7f7d4d81
Add DLL source code
2015-02-01 19:59:10 -06:00
89e5a2b892
disable -no-thumb, doesn't work with latest NDK?
2015-01-30 09:36:21 -06:00
8f54e4d611
Implement "-" for msfconsole -r from stdin
...
More predictable than /dev/stdin, which is usually a symlink to
/proc/self/fd/0 or /dev/fd/0, but the feature is not guaranteed to be
present.
This isn't *terribly* useful, but it can be. -x is recommended, but it
doesn't allow for ERB directives. This is mostly for hax.
2015-01-29 19:26:56 -06:00
47cd5a3e59
Land #4562 , wchen-r7's Win8 NtApphelpCacheControl privilege escalation
2015-01-15 13:52:07 -06:00
7e1b8a1c83
Not needed anymore
2015-01-09 19:05:44 -06:00
c79589509c
Old comment
2015-01-09 19:04:50 -06:00
74e8e057dd
Use RDL
2015-01-09 19:02:08 -06:00
f998bfc246
Update exploit.cpp
2015-01-08 21:37:13 -06:00
eea6ccee1f
Source
2015-01-08 18:43:29 -06:00
844460dd87
Update bypass UAC to work on 8.1 and 2012
...
This commit contains a bunch of work that comes from Meatballs1 and
Lesage, and updates the bypassuac_inject module so that it works on
Windows 8.x and Windows 2012. Almost zero of the code in this module
can be attributed to me. Most of it comes from Ben's work.
I did do some code tidying, adjustment of style, etc. but other than
that it's all down to other people.
2015-01-08 15:39:19 +10:00
9791acd0bf
Add stager ipknock shellcode (PR 2)
2014-12-27 22:03:45 +01:00
e34c37042a
Readd block_hidden_bind_tcp.asm
...
Because stager_hidden_bind_tcp.asm includes it.
2014-12-22 11:13:07 -06:00
c0fa8c0e3f
Add stager for hidden bind shell payload
2014-12-22 17:21:11 +01:00
e3943682a2
Improves linux/armle payloads, lands #3315
2014-12-13 18:27:14 -06:00
e8728943ec
Shave off two more bytes for HTTP(s) stagers
2014-12-13 11:49:30 -06:00
69c938f65a
More shellcode golf
2014-12-13 11:49:15 -06:00
5c50a07c0f
futex_requeue
2014-12-01 03:49:22 +00:00
7772da5e3f
Change paths, add makefile and compile
2014-11-30 21:06:11 -06:00
b6306ef7a2
Move C source to exploits folder
2014-11-30 20:42:53 -06:00
7a3fb12124
Add an OSX privilege escalation from Google's Project Zero.
2014-11-25 12:34:16 -06:00
9e7f6728d0
update the single sources with s/SHELLARG/ARGV0/
2014-11-19 22:22:08 +01:00
a5aa6b2e78
add source for linux/armle/shell_bind_tcp
2014-11-19 21:53:23 +01:00
ebc70138f6
add source for linux/armle/shell_bind_tcp
2014-11-19 21:53:23 +01:00
8331de2265
add source for linux/armle/shell_reverse_tcp
2014-11-19 21:53:23 +01:00
f43a6e9be0
Use PDWORD_PTR and DWORD_PTR
2014-10-31 17:35:50 -05:00
6154b7d55f
Fix style again
2014-10-31 12:51:48 -05:00
203af90a44
Fix style
2014-10-31 12:50:23 -05:00
0c23733722
Use hungarian notation
2014-10-31 12:47:50 -05:00
8e547e27b3
Use correct types
2014-10-31 12:37:21 -05:00
cbd616bbf5
A few sneaky style changes, but no functional ones
...
Changes were purely for style, and Juan was happy to let me make them
as part of the merge.
2014-10-31 09:08:11 +10:00
6574db5dbb
Fix the 64 bits code
2014-10-30 17:01:59 -05:00
03a84a1de3
Search the AccessToken
2014-10-30 12:17:03 -05:00
908094c3d3
Remove debug, treat warnings as errors
2014-10-28 09:04:02 +10:00
0a03b2dd48
Final code tidy
2014-10-28 08:59:33 +10:00
6f3b373f01
More code tidy and unifying of stuff
2014-10-28 08:37:49 +10:00
0e761575c8
More code tidying, reduced x64/x86 duplication
2014-10-28 08:09:18 +10:00
062eff8ede
Fix project settings, make files, start tidying of code
2014-10-28 07:58:19 +10:00
d6a63ccc5e
Remove unnecessary C debugging code for the exploit
2014-10-27 11:24:23 -04:00
46b1abac4a
More robust check routine for cve-2014-4113
2014-10-27 11:19:12 -04:00
4406972b46
Do version checking minor cleanup
2014-10-27 09:32:42 -05:00
0aaebc7872
Make GetPtiCurrent USER32 independent
2014-10-26 18:51:02 -05:00
34697a2240
Delete 'callback3' also from 32 bits version
2014-10-26 17:28:35 -05:00
7416c00416
Initial addition of x64 target for cve-2014-4113
2014-10-26 16:54:42 -04:00
d8eaf3dd65
Add exploit source code
2014-10-23 18:59:58 -05:00
3181d4e080
Add zsh completion definitions for utilities
2014-09-27 20:12:02 -04:00
8cca4d7795
Fix the makefile to use the right directory
...
Reported by severos on IRC, the current output
class is in the right place, but the makefile
was broken.
2014-08-03 13:38:15 -05:00
ce5d3b12e7
Land #3403 - MS13-097 Registry Symlink IE Sandbox Escape
2014-06-26 13:48:28 -05:00
0b6f7e4483
Land #3404 - MS14-009 .NET Deployment Service IE Sandbox Escape
2014-06-26 11:45:47 -05:00
25ed68af6e
Land #3017 , Windows x86 Shell Hidden Bind
...
A bind shellcode that responds as 'closed' unless the client matches the
AHOST ip.
2014-06-08 13:49:49 +01:00
bf1a665259
Land #2657 , Dynamic generation of windows service executable functions
...
Allows a user to specify non service executables as EXE::Template as
long as the file has enough size to store the payload.
2014-06-07 13:28:20 +01:00
443f9f175c
Update IE11Sandbox exploit source
2014-06-03 09:58:07 -05:00
372a12b966
Restore make.msbuild permissions
2014-06-03 09:07:34 -05:00
wchen-r7