Spencer McIntyre
4cde008953
Add VMWare VCenter Log4Shell scan support
2021-12-15 15:13:46 -05:00
Spencer McIntyre
a694381ab1
Allow templatized URIs
2021-12-15 11:58:41 -05:00
Spencer McIntyre
b06b96731d
Support scanning multiple HTTP headers
2021-12-15 08:45:24 -05:00
Spencer McIntyre
1915b1395e
Land #15742 , Added module for CVE-2021-40444
2021-12-08 17:46:02 -05:00
Spencer McIntyre
2f6710e02e
Remove the Not_Hosted target
...
It's not currently working and Metasploit should just handle everything
2021-12-08 17:22:44 -05:00
bwatters
852230c739
Fix bug brought in by importing Msf::Post::File
...
Split out javascript to a file and deobfuscate it
Update documentation for new targets
Fix other small suggestions
2021-12-08 10:36:27 -06:00
Jake Baines
deab4ce90e
Initial commit of Dellicious port
2021-12-08 07:33:16 -08:00
Christophe De La Fuente
389fd55952
Land #15808 , Fix #15804 powershell read_file on Windows Server 2012
2021-12-07 11:59:11 +01:00
bwatters
18cc2ef516
Add support for aarch64 Ubuntu versions
2021-12-01 14:54:48 -06:00
bwatters
b1f6937542
Updated exploit to compile on target, added control over directory creation
...
Added a method to get source code for the write and compile method
2021-12-01 14:54:47 -06:00
bwatters
bf1b3b377c
Add cve-2021-3493 module
2021-12-01 14:54:47 -06:00
Tim W
e10eaec84c
fix ssl connection on Windows Server 2012
2021-11-30 06:30:59 +00:00
Tim W
47eec52f06
minor powerfun improvements
2021-11-30 06:30:58 +00:00
Grant Willcox
9f9942feb6
Make adjustments to dllmain.c from reviews and recompile the DLL again
2021-11-09 10:49:14 -06:00
Grant Willcox
780a9370a2
First draft of code, documentation, and exploit DLL plus exploit code
2021-11-09 10:36:40 -06:00
RAMELLA Sébastien
38973510f7
update modules (auxiliary and exploit)
2021-11-09 15:18:58 +04:00
Spencer McIntyre
278d940fee
Update the Python exploit code to fix a bug
2021-11-02 10:10:18 -04:00
Spencer McIntyre
9635110050
Add documentation for CVE-2021-38648
2021-10-27 12:06:01 -04:00
Spencer McIntyre
ae56ffa934
Initial exploit for CVE-2021-38648
2021-10-27 12:05:56 -04:00
surya
4d4b51d158
=> Added .gitignore
...
=> Added Deobfuscated HTML Payload
=> Removed Extra Author Credits
=> Made SRVHOST AND SRVPORT MANDATORY
=> generate_uri replaced with builtin get_uri
2021-10-08 02:50:27 +05:30
surya
3461c7aef6
Added module for CVE-2021-40444
2021-10-05 01:44:34 +05:30
sjanusz
2c7aa022d4
Add PoC for CVE-2021-22555 Netfilter Priv Escalation
2021-10-04 16:48:23 +01:00
bwatters
a7d99ebbfc
Land # 15611, ProxyShell Improvements
...
Merge branch 'land-15611' into upstream-master
2021-09-07 11:47:13 -05:00
bwatters
ff50a94348
Land #15567 , Add in Exploit for CVE-2021-3490
...
Merge branch 'land-15567' into upstream-master
2021-08-31 18:46:25 -05:00
Grant Willcox
3bca3b0bcb
Update exploit code to use & after the command to execute as root so it executes in the background and doesn't hang Metasploit. Also update the logic of the code to check the response from executing the exploit and respond accordingly and update the documentation to match
2021-08-31 15:07:37 -05:00
Spencer McIntyre
6c01a0dbea
Work off of the system mailbox
2021-08-27 14:32:26 -04:00
Spencer McIntyre
d5fdcb8fcb
Add the plumbing to enumerate email addresses
2021-08-27 11:44:27 -04:00
Grant Willcox
bd490d35ed
Add support for Linux 5.11.x on Fedora
2021-08-23 15:09:10 -05:00
Grant Willcox
e46611cffb
Add in support for exploiting Fedora 32 with Linux kernel 5.10.12
2021-08-20 18:04:59 -05:00
Grant Willcox
75ae2b76f5
Add support for Fedora 32 Linux Kernel 5.9.8-100 and also fix an error where the wrong file was being used for Fedora 32 Linux Kernel 5.8.8.
2021-08-20 16:50:20 -05:00
Grant Willcox
5abf407228
Add support for Fedora 32 with Linux Kernel 5.8.8-200
2021-08-20 15:42:34 -05:00
Grant Willcox
dd806a9d61
Add in support for Fedora 32 running kernel 5.7.11-200
2021-08-20 13:37:52 -05:00
Spencer McIntyre
75e63992d6
Write an exploit for ProxyShell
2021-08-18 10:50:34 -04:00
Grant Willcox
d5df47692c
Add in first copy of the exploit along with the supporting source code and binaries. Documentation to come
2021-08-17 18:01:14 -05:00
Christophe De La Fuente
ccaedd6c9a
Last additions and improvements
...
- add binaries
- add documentation
- backup `runc` binary in the exploit C file
- add `MeterpreterBackground` options to set Mettle `background` option
- add `WsfDelay` logic
- refactor code
- add cleanup logic
- add restore `runc` binary logic
2021-06-30 11:02:11 +02:00
bwatters
8e1391f098
Land #15216 , Fix targeting for CVE-2021-21551
...
Merge branch 'land-15216' into upstream-master
2021-05-21 14:56:08 -05:00
Spencer McIntyre
56388cd696
Land #15146 , Add support for extra OSes for CVE-2021-3156 (Baron Samedit)
2021-05-18 18:02:30 -04:00
Spencer McIntyre
78d47b11f2
Add targeting for Windows 10 v21H1
2021-05-18 12:56:02 -04:00
Spencer McIntyre
c5b022e2f2
Fix Windows 10 versioning by using ranges
2021-05-18 10:28:27 -04:00
Jack Heysel
eb4573164b
Addressed comments
2021-05-14 17:46:26 -05:00
Jack Heysel
e29dce4f08
Removed comments from powershell script
2021-05-14 17:45:42 -05:00
Jack Heysel
5640dac24d
Fixed sc command, updated check method, moved tokenmagic.ps1
2021-05-14 17:44:07 -05:00
Jack Heysel
ca637be0c9
Fixed powershell script, updated authors
2021-05-14 17:44:06 -05:00
Jack Heysel
1eab94cc26
beta draft
2021-05-14 17:43:44 -05:00
bwatters
8792febcf8
Land #15190 , Add Exploit For CVE-2021-21551 (Dell DBUtil_2_3 IOCTL)
...
Merge branch 'land-15190' into upstream-master
2021-05-14 13:55:12 -05:00
Spencer McIntyre
d990e884af
Add and test even more targets
2021-05-13 17:27:58 -04:00
Spencer McIntyre
eb89550f85
Clear up some target offset discrepancies
2021-05-13 16:06:15 -04:00
Spencer McIntyre
7d841a0f79
Add a target for Windows 7 x64
2021-05-13 14:24:15 -04:00
Spencer McIntyre
4825407d21
Add a target for Windows 8.1 x64
2021-05-13 12:56:47 -04:00
Spencer McIntyre
8a1341060d
Fix a couple of errors from not cleaning up
2021-05-13 12:34:14 -04:00
Spencer McIntyre
ff2516a7f2
Update CVE-2021-1732 to reduce code reuse
2021-05-12 16:41:43 -04:00
Spencer McIntyre
477749f77f
Refactor the code to be reusable and add docs
2021-05-12 16:36:17 -04:00
Spencer McIntyre
d3de52da59
The exploit is now functional for Win10 v1803-20H2
2021-05-12 16:14:59 -04:00
Justin Steven
fa73c0af3e
Add CVE-2021-22204 ExifTool ANT perl injection
2021-05-11 12:02:12 +10:00
Ashley Donaldson
fbc291bc22
Tested on various other Fedora's
2021-05-04 14:18:16 +10:00
Ashley Donaldson
0435e281d9
Updated CVE-2021-3156 documentation to reflect code changes.
2021-05-03 16:45:50 +10:00
Ashley Donaldson
b1d2c39c98
Added second CentOS 7 exploit
2021-04-30 18:30:19 +10:00
Ashley Donaldson
124d157a1c
Added CVE-2021-3156 exploits for CentOS 7 and 8
2021-04-30 17:25:59 +10:00
Ashley Donaldson
79152cafe6
Added support for Ubuntu 14.04.3 for CVE-2021-3156
2021-04-29 20:48:51 +10:00
Ashley Donaldson
0ee1d5fbe3
Ensure exploit is compatible with both python3 and python2
2021-04-29 18:52:56 +10:00
Ashley Donaldson
9d9d3ce061
Added Ubuntu 16.04-specific exploit script to CVE-2021-3156 module
...
The generic approach used for other targets doesn't work for 16.04, as that one relies on tcache bins, which are not present in glibc 2.23.
2021-04-29 18:28:13 +10:00
Ashley Donaldson
fcd17ed3b1
Port sudoedit exploit to Python
...
It's assumed that Python is more likely to be present on the target system
than gcc, so is better as a dependency.
2021-04-29 13:17:32 +10:00
bwatters
2c1869f9df
Land #14907 , Add exploit for CVE-2021-1732
...
Merge branch 'land-14907' into upstream-master
2021-03-18 14:29:59 -05:00
Spencer McIntyre
f3df076067
Only upgrade the token of EProcess was found
2021-03-16 15:20:44 -04:00
Spencer McIntyre
c11900b9ab
Add support for Windows 2004 & 20H2
2021-03-15 17:28:38 -04:00
Spencer McIntyre
2e3d98a36a
Move the DLL injection code into a reusable function
2021-03-15 11:47:02 -04:00
Grant Willcox
89ce1c5229
Quick update to make the backdoor a bit stealthier by removing the extra Payload Success! message that wasn't needed
2021-03-14 00:00:17 -06:00
Grant Willcox
4f2e299d8f
Update the exploit to use Python as its payload since this is a lot more flexible, allows Meterpreter, returns a shell faster, and we are already injecting into and executing a Python file
2021-03-14 00:00:06 -06:00
Grant Willcox
7d6e636114
Initial upload of exploit code for CVE-2021-21978
2021-03-13 23:59:47 -06:00
Spencer McIntyre
f0a9a1deb3
Add the initial exploit for CVE-2021-1732
2021-03-12 17:30:22 -05:00
Grant Willcox
f327d30e08
First attempt at CVE-2020-7200 module, with RuboCopped module
2021-03-02 16:38:19 -06:00
Spencer McIntyre
b9dd1b927b
Randomize the path to the library that's loaded
2021-02-10 08:45:52 -05:00
Spencer McIntyre
117cdc4fd7
Populate module metadata and cleanup files
2021-02-03 18:16:13 -05:00
Spencer McIntyre
a00f165b6b
Clean the C code and fix the exploitation environment
2021-02-03 18:16:13 -05:00
Spencer McIntyre
b9413b4103
Update the exploit C code to allocate it's own PTY
2021-02-03 18:16:13 -05:00
Spencer McIntyre
13dd9ac10e
Initial work on CVE-2021-3156
2021-02-03 18:16:13 -05:00
Christophe De La Fuente
c8819259ae
Land #14414 , CVE-2020-1337 - patch bypass for CVE-2020-1048
2021-01-15 19:13:14 +01:00
Spencer McIntyre
33bd712e0a
Land #14585 , Create module for CVE-2020-17136: Cloud Filter Arbitrary File Creation EoP
2021-01-11 17:16:40 -05:00
bwatters
50e115b414
Cleanup and edits per review from Christophe
...
Removed unused method from ps script
Cleaned up some code in the module
Added removal instructions to the documentation
2021-01-11 16:02:58 -06:00
Grant Willcox
3072391d00
Make second round of review edits to fix Spencer's comments
2021-01-08 12:50:52 -06:00
bwatters
5e5d7b1abb
Update to execute_string to avoid the issue where an arbitrary
...
length comment is required for the exploit to work.
2021-01-06 17:08:22 -06:00
Christophe De La Fuente
17c393f101
Land #14046 , Adding juicypotato-like privilege escalation exploit for windows
2021-01-06 16:02:05 +01:00
Christophe De La Fuente
bf7627b33e
Adding DLL's
2021-01-06 15:59:08 +01:00
Grant Willcox
839daf93e9
Update the compiled DLL and redo a lot of the module to get it into its first ready state using a different DLL hijack I found during research
2021-01-05 16:12:08 -06:00
Grant Willcox
668eeae4e1
Initial push of code
2021-01-04 12:04:38 -06:00
bwatters
7f4fac4548
Fix powershell issues and add comment because it is apparently magic
2020-12-16 13:57:02 -06:00
Christophe De La Fuente
33ef352f89
Add dll
...
Compiled with Visual Studio Express 2013 with Platform Toolset v120
2020-12-15 12:42:06 +01:00
bwatters
810898e97b
Rough attempt at CVE-2020-1337
...
Non-functional
2020-11-20 17:36:19 -06:00
Grant Willcox
9e111d7fdf
Add in compiled version of the exploit to meet Rapid7 compliance guidelines on having Rapid7 employees submit compiled binaries only
2020-10-23 16:01:00 -05:00
Gustaf Blomqvist
c5751a240b
Fix incorrect offset in BPF sign extension LPE
...
The uid field of the cred struct is normally the second field, followed
by the gid field. The first field is of type atomic_t, which has the
size of an int. Since the size of an int is usually 4 bytes, the uid is
normally located at an offset of 4 bytes from the start of the cred
struct, and not 8. Since the uid also is int-sized, the code set
test_uid to the gid, making the exploit fail for cases where uid != gid.
2020-10-17 19:46:35 -04:00
Grant Willcox
b932ed5225
Recompile the exploit.dll DLL for CVE-2019-1458 as per Rapid7 policies
2020-10-15 10:58:56 -05:00
Tim W
12c5f4f916
CVE-2019-1458 chrome sandbox escape initial commit
2020-10-15 10:57:46 -05:00
bwatters
e24a81919a
Land #13996 , Add module for CVE-2020-9801, CVE-2020-9850 and CVE-2020-9856,
...
RCE for Safari on macOS 10.15.3 (pwn2own2020)
Merge branch 'land-13996' into upstream-master
2020-10-01 09:46:39 -05:00
Shelby Pace
f0f4da2b1e
Land #14157 , Windows update orchestrator privesc
2020-09-25 16:07:27 -05:00
Christophe De La Fuente
2d1b378a18
Land #14122 , Jenkins Deserialization RCE (CVE-2017-1000353)
2020-09-22 12:32:09 +02:00
bwatters
534e945cd0
First attempt at CVE-2020-1313
2020-09-18 15:39:12 -05:00
bwatters
06f5518953
Update binaries
2020-09-16 11:41:02 -05:00
bwatters
a2edcda819
Rubocop on module and update error handling on exploit C code + recompile
2020-09-16 11:17:39 -05:00
bwatters
95bb6ad71a
Add new binaries
2020-09-16 11:17:39 -05:00
bwatters
a5253c5674
remove old binaries before we added both x86 and x64 binaries
2020-09-16 11:17:39 -05:00
bwatters
a72769909b
Change exe to take destination and source files for copy
2020-09-16 11:17:39 -05:00
bwatters
17272209cc
First try at CVE-2020-1048, needs lots of work
2020-09-16 11:17:38 -05:00
Shelby Pace
ff500dd9fb
add poc
2020-09-11 12:00:16 -05:00
bwatters
e592736833
Land #13992 , Add module for CVE-2020-9839, LPE for macOS <= 10.15.4
...
Merge branch 'land-13992' into upstream-master
2020-09-04 15:53:17 -05:00
bwatters
5e2a3a6f65
Recompiled binary exploit file to match source
2020-09-04 15:46:52 -05:00
Tim W
1693a3c787
add exploit binaries
2020-09-01 17:14:21 +08:00
Tim W
9150f0bc3a
move int64.js and utils.js to javascript_utils folder
2020-09-01 16:14:31 +08:00
Tim W
46db23c35e
fix int64.js and utils.js
2020-09-01 16:14:30 +08:00
Tim W
c23cb63c6e
exploit binary
2020-09-01 14:10:34 +08:00
C4ssandre
85ccac215b
Removing precompiled binaries (dll exploits).
2020-08-28 17:37:34 +02:00
C4ssandre
3336040f2d
Adding a new privilege escalation exploit for windows.
...
New files and folders:
- metasploit-framework/modules/exploits/windows/local/bits_ntlm_token_impersonation.rb
- metasploit-framework/data/exploits/drunkpotato/
- metasploit-framework/external/source/exploits/drunkpotato/
2020-08-25 14:27:41 +02:00
h00die
cd41d9c3c9
Land #13911 , iphone 4 on ios 7.1.2 safari jit for root
2020-08-14 16:01:14 -04:00
Tim W
1eaf66dab1
CVE-2020-9850
2020-08-14 16:10:34 +08:00
Tim W
0b513d6c51
remove debug logging from the kernel exploit
2020-07-30 18:10:26 +08:00
Tim W
79adcf7904
Add module for iOS 7.1.2
2020-07-27 15:05:31 +08:00
Brendan Coles
cbbd4fc517
Add CVE-2020-7457 exploit.c
2020-07-26 08:04:37 +00:00
gwillcox-r7
586971428a
Recompile everything so we don't have the messagebox calls
2020-06-11 00:18:45 -05:00
gwillcox-r7
93b28e662e
Change out template_dll solution files so that it generates the DLL with the correct name and in the correct location
2020-06-10 11:41:34 -05:00
gwillcox-r7
7711cecee9
Final tweaks to make this more reliable, should be good now
2020-06-10 11:02:53 -05:00
gwillcox-r7
4a9c878132
Finally fix up the hanging issue via new template DLLs and associated code
2020-06-10 11:02:53 -05:00
gwillcox-r7
cb20eaf6f9
Finally fix the issue with the cleanup of the files within the exploit
2020-06-10 11:02:51 -05:00
gwillcox-r7
401feb3e53
Change code so that we automatically exit Notepad upon DLL completing its work. Should help tidy things up more
2020-06-10 11:02:50 -05:00
gwillcox-r7
cf17b2065c
Updated module with some output corrections, recompiled DLLs
2020-06-10 11:02:50 -05:00
gwillcox-r7
ae2b40bf99
Update the output of the module to be more correct. Also upload updated DLLs
2020-06-10 11:02:49 -05:00
gwillcox-r7
1607b8c342
Add initial files for CVE-2020-0787
2020-06-10 11:02:35 -05:00
Shelby Pace
c8ab30a40a
add poc code
2020-06-02 14:29:02 -05:00
William Vu
8473662e32
Land #13463 , Oracle WebLogic CVE-2020-2555 exploit
2020-05-20 23:21:07 -05:00
Brendan Coles
8631babcbb
Update CVE-2019-13272 pre-compiled exploit
2020-05-11 13:36:41 +00:00
Brendan Coles
dbc2b8b006
Update CVE-2019-13272 exploit C code to prefer auto targeting
...
Previously, the exploit would attempt to use a hardcoded list of
known useful helpers and fall back to automatic targeting. This
logic has been reversed, preferring automatic targeting first.
2020-05-09 03:59:31 +00:00
Spencer McIntyre
9769e04b6e
Land #13322 , CVE-2020-0668 Service tracing file junction overwrite
2020-05-07 09:47:20 -04:00
gwillcox-r7
a1275845ec
Land #13200 , CVE-2019-0808 LPE for Windows 7 x86 SP0 and SP1
2020-05-06 17:23:52 -05:00
gwillcox-r7
1c79674620
Recompile DLL and alter vcxproj file to automatically place generated DLL in right folder
2020-05-06 16:33:01 -05:00
Shelby Pace
587fc0ff09
add PoC
2020-05-04 11:08:38 -05:00
Tim W
b8dc843b48
add binary
2020-05-01 19:02:54 +08:00
bwatters-r7
7213d379ec
Add Uso dll
2020-04-23 15:18:22 -05:00
bwatters-r7
0bbb822fe4
Working through mountpoint issues
2020-04-21 09:54:45 -05:00
h00die
e1f1ad45bc
working exploit
2020-04-19 15:19:19 -04:00
h00die
58074dc6bb
waiting on metasm question
2020-04-18 20:26:45 -04:00
Spencer McIntyre
3392fa18d4
Add the x64 LPE exploit for CVE-2020-0796
2020-04-02 17:22:00 -04:00
Brent Cook
f59ec03c42
Land #12465 , add Android Binder UAF (CVE-2019-2215)
2020-02-23 01:06:33 -08:00
Christophe De La Fuente
394e99fbe9
Land #12568 , Fix exploit/windows/local/ms16_032_secondary_logon_handle_privesc
2020-01-30 11:57:56 +01:00
cdelafuente-r7
3491da7da0
Add a random sentinel to close channel when terminates ( #1 )
...
* Add a random sentinel to close channel when terminates
* Replace spaces with tabs to be consistent
* Remove unnecessary escaped quotes and use include? instead of regex
2020-01-25 23:30:49 +01:00
Tim W
cfffb65a21
Land #12859 , update AF_PACKET chocobo_root linux LPE
2020-01-24 17:30:13 +08:00
Brent Cook
6f6cc00871
Land #12751 , add Linux RDS socket NP deref privesc
2020-01-22 07:08:47 -06:00
Brendan Coles
19b1f567b2
Update AF_PACKET chocobo_root Privilege Escalation module
2020-01-19 11:51:01 +00:00
Brendan Coles
36b6ceb56f
Add rds_atomic_free_op_null_pointer_deref_priv_esc (CVE-2018-5333)
2020-01-18 08:34:52 +00:00
Shelby Pace
894927d960
Land #12693 , add Comahawk privilege escalation
2019-12-18 15:40:51 -06:00
bwatters-r7
7e05642a1b
Randomize container name
2019-12-12 07:48:01 -06:00
bwatters-r7
0257861c4f
Remove debug statements and extra c/ruby libraries
2019-12-11 18:42:36 -06:00
bwatters-r7
942d1e3962
Trim exploit code and de-pasta-fy module
...
Better check for build number
2019-12-10 18:09:08 -06:00