mirror of https://github.com/rapid7/metasploit-framework synced 2024-10-09 04:26:11 +02:00
Commit Graph

844 Commits

Author SHA1 Message Date
Spencer McIntyre
4cde008953 Add VMWare VCenter Log4Shell scan support 2021-12-15 15:13:46 -05:00
Spencer McIntyre
a694381ab1 Allow templatized URIs 2021-12-15 11:58:41 -05:00
Spencer McIntyre
b06b96731d Support scanning multiple HTTP headers 2021-12-15 08:45:24 -05:00
Spencer McIntyre
1915b1395e
Land #15742, Added module for CVE-2021-40444 2021-12-08 17:46:02 -05:00
Spencer McIntyre
2f6710e02e Remove the Not_Hosted target
It's not currently working and Metasploit should just handle everything
2021-12-08 17:22:44 -05:00
bwatters
852230c739
Fix bug brought in by importing Msf::Post::File
Split out javascript to a file and deobfuscate it
Update documentation for new targets
Fix other small suggestions
2021-12-08 10:36:27 -06:00
Jake Baines
deab4ce90e
Initial commit of Dellicious port 2021-12-08 07:33:16 -08:00
Christophe De La Fuente
389fd55952
Land #15808, Fix #15804 powershell read_file on Windows Server 2012 2021-12-07 11:59:11 +01:00
bwatters
18cc2ef516 Add support for aarch64 Ubuntu versions 2021-12-01 14:54:48 -06:00
bwatters
b1f6937542 Updated exploit to compile on target, added control over directory creation
Added a method to get source code for the write and compile method
2021-12-01 14:54:47 -06:00
bwatters
bf1b3b377c Add cve-2021-3493 module 2021-12-01 14:54:47 -06:00
Tim W
e10eaec84c fix ssl connection on Windows Server 2012 2021-11-30 06:30:59 +00:00
Tim W
47eec52f06 minor powerfun improvements 2021-11-30 06:30:58 +00:00
Grant Willcox
9f9942feb6
Make adjustments to dllmain.c from reviews and recompile the DLL again 2021-11-09 10:49:14 -06:00
Grant Willcox
780a9370a2
First draft of code, documentation, and exploit DLL plus exploit code 2021-11-09 10:36:40 -06:00
RAMELLA Sébastien
38973510f7
update modules (auxiliary and exploit) 2021-11-09 15:18:58 +04:00
Spencer McIntyre
278d940fee Update the Python exploit code to fix a bug 2021-11-02 10:10:18 -04:00
Spencer McIntyre
9635110050 Add documentation for CVE-2021-38648 2021-10-27 12:06:01 -04:00
Spencer McIntyre
ae56ffa934 Initial exploit for CVE-2021-38648 2021-10-27 12:05:56 -04:00
surya
4d4b51d158 => Added .gitignore
=> Added Deobfuscated HTML Payload
=> Removed Extra Author Credits
=> Made SRVHOST AND SRVPORT MANDATORY
=> generate_uri replaced with builtin get_uri
2021-10-08 02:50:27 +05:30
surya
3461c7aef6 Added module for CVE-2021-40444 2021-10-05 01:44:34 +05:30
sjanusz
2c7aa022d4
Add PoC for CVE-2021-22555 Netfilter Priv Escalation 2021-10-04 16:48:23 +01:00
bwatters
a7d99ebbfc
Land #15611, ProxyShell Improvements
Merge branch 'land-15611' into upstream-master
2021-09-07 11:47:13 -05:00
bwatters
ff50a94348
Land #15567, Add in Exploit for CVE-2021-3490
Merge branch 'land-15567' into upstream-master
2021-08-31 18:46:25 -05:00
Grant Willcox
3bca3b0bcb
Update exploit code to use & after the command to execute as root so it executes in the background and doesn't hang Metasploit. Also update the logic of the code to check the response from executing the exploit and respond accordingly and update the documentation to match 2021-08-31 15:07:37 -05:00
Spencer McIntyre
6c01a0dbea Work off of the system mailbox 2021-08-27 14:32:26 -04:00
Spencer McIntyre
d5fdcb8fcb Add the plumbing to enumerate email addresses 2021-08-27 11:44:27 -04:00
Grant Willcox
bd490d35ed
Add support for Linux 5.11.x on Fedora 2021-08-23 15:09:10 -05:00
Grant Willcox
e46611cffb
Add in support for exploiting Fedora 32 with Linux kernel 5.10.12 2021-08-20 18:04:59 -05:00
Grant Willcox
75ae2b76f5
Add support for Fedora 32 Linux Kernel 5.9.8-100 and also fix an error where the wrong file was being used for Fedora 32 Linux Kernel 5.8.8. 2021-08-20 16:50:20 -05:00
Grant Willcox
5abf407228
Add support for Fedora 32 with Linux Kernel 5.8.8-200 2021-08-20 15:42:34 -05:00
Grant Willcox
dd806a9d61
Add in support for Fedora 32 running kernel 5.7.11-200 2021-08-20 13:37:52 -05:00
Spencer McIntyre
75e63992d6 Write an exploit for ProxyShell 2021-08-18 10:50:34 -04:00
Grant Willcox
d5df47692c
Add in first copy of the exploit along with the supporting source code and binaries. Documentation to come 2021-08-17 18:01:14 -05:00
Christophe De La Fuente
ccaedd6c9a Last additions and improvements
- add binaries
- add documentation
- backup `runc` binary in the exploit C file
- add `MeterpreterBackground` options to set Mettle `background` option
- add `WsfDelay` logic
- refactor code
- add cleanup logic
- add restore `runc` binary logic
2021-06-30 11:02:11 +02:00
bwatters
8e1391f098
Land #15216, Fix targeting for CVE-2021-21551
Merge branch 'land-15216' into upstream-master
2021-05-21 14:56:08 -05:00
Spencer McIntyre
56388cd696
Land #15146, Add support for extra OSes for CVE-2021-3156 (Baron Samedit) 2021-05-18 18:02:30 -04:00
Spencer McIntyre
78d47b11f2 Add targeting for Windows 10 v21H1 2021-05-18 12:56:02 -04:00
Spencer McIntyre
c5b022e2f2 Fix Windows 10 versioning by using ranges 2021-05-18 10:28:27 -04:00
Jack Heysel
eb4573164b
Addressed comments 2021-05-14 17:46:26 -05:00
Jack Heysel
e29dce4f08
Removed comments from powershell script 2021-05-14 17:45:42 -05:00
Jack Heysel
5640dac24d
Fixed sc command, updated check method, moved tokenmagic.ps1 2021-05-14 17:44:07 -05:00
Jack Heysel
ca637be0c9
Fixed powershell script, updated authors 2021-05-14 17:44:06 -05:00
Jack Heysel
1eab94cc26
beta draft 2021-05-14 17:43:44 -05:00
bwatters
8792febcf8
Land #15190, Add Exploit For CVE-2021-21551 (Dell DBUtil_2_3 IOCTL)
Merge branch 'land-15190' into upstream-master
2021-05-14 13:55:12 -05:00
Spencer McIntyre
d990e884af Add and test even more targets 2021-05-13 17:27:58 -04:00
Spencer McIntyre
eb89550f85 Clear up some target offset discrepancies 2021-05-13 16:06:15 -04:00
Spencer McIntyre
7d841a0f79 Add a target for Windows 7 x64 2021-05-13 14:24:15 -04:00
Spencer McIntyre
4825407d21 Add a target for Windows 8.1 x64 2021-05-13 12:56:47 -04:00
Spencer McIntyre
8a1341060d Fix a couple of errors from not cleaning up 2021-05-13 12:34:14 -04:00
Spencer McIntyre
ff2516a7f2 Update CVE-2021-1732 to reduce code reuse 2021-05-12 16:41:43 -04:00
Spencer McIntyre
477749f77f Refactor the code to be reusable and add docs 2021-05-12 16:36:17 -04:00
Spencer McIntyre
d3de52da59 The exploit is now functional for Win10 v1803-20H2 2021-05-12 16:14:59 -04:00
Justin Steven
fa73c0af3e
Add CVE-2021-22204 ExifTool ANT perl injection 2021-05-11 12:02:12 +10:00
Ashley Donaldson
fbc291bc22
Tested on various other Fedoras 2021-05-04 14:18:16 +10:00
Ashley Donaldson
0435e281d9
Updated CVE-2021-3156 documentation to reflect code changes. 2021-05-03 16:45:50 +10:00
Ashley Donaldson
b1d2c39c98
Added second CentOS 7 exploit 2021-04-30 18:30:19 +10:00
Ashley Donaldson
124d157a1c
Added CVE-2021-3156 exploits for CentOS 7 and 8 2021-04-30 17:25:59 +10:00
Ashley Donaldson
79152cafe6
Added support for Ubuntu 14.04.3 for CVE-2021-3156 2021-04-29 20:48:51 +10:00
Ashley Donaldson
0ee1d5fbe3
Ensure exploit is compatible with both python3 and python2 2021-04-29 18:52:56 +10:00
Ashley Donaldson
9d9d3ce061
Added Ubuntu 16.04-specific exploit script to CVE-2021-3156 module
The generic approach used for other targets doesn't work for 16.04, as that one relies on tcache bins, which are not present in glibc 2.23.
2021-04-29 18:28:13 +10:00
Ashley Donaldson
fcd17ed3b1
Port sudoedit exploit to Python
It's assumed that Python is more likely to be present on the target system
than gcc, so is better as a dependency.
2021-04-29 13:17:32 +10:00
bwatters
2c1869f9df
Land #14907, Add exploit for CVE-2021-1732
Merge branch 'land-14907' into upstream-master
2021-03-18 14:29:59 -05:00
Spencer McIntyre
f3df076067 Only upgrade the token if EProcess was found 2021-03-16 15:20:44 -04:00
Spencer McIntyre
c11900b9ab Add support for Windows 2004 & 20H2 2021-03-15 17:28:38 -04:00
Spencer McIntyre
2e3d98a36a Move the DLL injection code into a reusable function 2021-03-15 11:47:02 -04:00
Grant Willcox
89ce1c5229
Quick update to make the backdoor a bit stealthier by removing the extra Payload Success! message that wasn't needed 2021-03-14 00:00:17 -06:00
Grant Willcox
4f2e299d8f
Update the exploit to use Python as its payload since this is a lot more flexible, allows Meterpreter, returns a shell faster, and we are already injecting into and executing a Python file 2021-03-14 00:00:06 -06:00
Grant Willcox
7d6e636114
Initial upload of exploit code for CVE-2021-21978 2021-03-13 23:59:47 -06:00
Spencer McIntyre
f0a9a1deb3 Add the initial exploit for CVE-2021-1732 2021-03-12 17:30:22 -05:00
Grant Willcox
f327d30e08
First attempt at CVE-2020-7200 module, with RuboCopped module 2021-03-02 16:38:19 -06:00
Spencer McIntyre
b9dd1b927b Randomize the path to the library that's loaded 2021-02-10 08:45:52 -05:00
Spencer McIntyre
117cdc4fd7 Populate module metadata and cleanup files 2021-02-03 18:16:13 -05:00
Spencer McIntyre
a00f165b6b Clean the C code and fix the exploitation environment 2021-02-03 18:16:13 -05:00
Spencer McIntyre
b9413b4103 Update the exploit C code to allocate its own PTY 2021-02-03 18:16:13 -05:00
Spencer McIntyre
13dd9ac10e Initial work on CVE-2021-3156 2021-02-03 18:16:13 -05:00
Christophe De La Fuente
c8819259ae
Land #14414, CVE-2020-1337 - patch bypass for CVE-2020-1048 2021-01-15 19:13:14 +01:00
Spencer McIntyre
33bd712e0a
Land #14585, Create module for CVE-2020-17136: Cloud Filter Arbitrary File Creation EoP 2021-01-11 17:16:40 -05:00
bwatters
50e115b414
Cleanup and edits per review from Christophe
Removed unused method from ps script
Cleaned up some code in the module
Added removal instructions to the documentation
2021-01-11 16:02:58 -06:00
Grant Willcox
3072391d00
Make second round of review edits to fix Spencer's comments 2021-01-08 12:50:52 -06:00
bwatters
5e5d7b1abb
Update to execute_string to avoid the issue where an arbitrary
length comment is required for the exploit to work.
2021-01-06 17:08:22 -06:00
Christophe De La Fuente
17c393f101
Land #14046, Adding juicypotato-like privilege escalation exploit for windows 2021-01-06 16:02:05 +01:00
Christophe De La Fuente
bf7627b33e
Adding DLLs 2021-01-06 15:59:08 +01:00
Grant Willcox
839daf93e9
Update the compiled DLL and redo a lot of the module to get it into its first ready state using a different DLL hijack I found during research 2021-01-05 16:12:08 -06:00
Grant Willcox
668eeae4e1
Initial push of code 2021-01-04 12:04:38 -06:00
bwatters
7f4fac4548
Fix powershell issues and add comment because it is apparently magic 2020-12-16 13:57:02 -06:00
Christophe De La Fuente
33ef352f89
Add dll
Compiled with Visual Studio Express 2013 with Platform Toolset v120
2020-12-15 12:42:06 +01:00
bwatters
810898e97b
Rough attempt at CVE-2020-1337
Non-functional
2020-11-20 17:36:19 -06:00
Grant Willcox
9e111d7fdf
Add in compiled version of the exploit to meet Rapid7 compliance guidelines on having Rapid7 employees submit compiled binaries only 2020-10-23 16:01:00 -05:00
Gustaf Blomqvist
c5751a240b Fix incorrect offset in BPF sign extension LPE
The uid field of the cred struct is normally the second field, followed
by the gid field. The first field is of type atomic_t, which has the
size of an int. Since the size of an int is usually 4 bytes, the uid is
normally located at an offset of 4 bytes from the start of the cred
struct, and not 8. Since the uid also is int-sized, the code set
test_uid to the gid, making the exploit fail for cases where uid != gid.
2020-10-17 19:46:35 -04:00
Grant Willcox
b932ed5225
Recompile the exploit.dll DLL for CVE-2019-1458 as per Rapid7 policies 2020-10-15 10:58:56 -05:00
Tim W
12c5f4f916
CVE-2019-1458 chrome sandbox escape initial commit 2020-10-15 10:57:46 -05:00
bwatters
e24a81919a
Land #13996, Add module for CVE-2020-9801, CVE-2020-9850 and CVE-2020-9856,
RCE for Safari on macOS 10.15.3 (pwn2own2020)

Merge branch 'land-13996' into upstream-master
2020-10-01 09:46:39 -05:00
Shelby Pace
f0f4da2b1e
Land #14157, Windows update orchestrator privesc 2020-09-25 16:07:27 -05:00
Christophe De La Fuente
2d1b378a18
Land #14122, Jenkins Deserialization RCE (CVE-2017-1000353) 2020-09-22 12:32:09 +02:00
bwatters
534e945cd0
First attempt at CVE-2020-1313 2020-09-18 15:39:12 -05:00
bwatters
06f5518953
Update binaries 2020-09-16 11:41:02 -05:00
bwatters
a2edcda819 Rubocop on module and update error handling on exploit C code + recompile 2020-09-16 11:17:39 -05:00
bwatters
95bb6ad71a Add new binaries 2020-09-16 11:17:39 -05:00
bwatters
a5253c5674 remove old binaries before we added both x86 and x64 binaries 2020-09-16 11:17:39 -05:00
bwatters
a72769909b Change exe to take destination and source files for copy 2020-09-16 11:17:39 -05:00
bwatters
17272209cc First try at CVE-2020-1048, needs lots of work 2020-09-16 11:17:38 -05:00
Shelby Pace
ff500dd9fb
add poc 2020-09-11 12:00:16 -05:00
bwatters
e592736833
Land #13992, Add module for CVE-2020-9839, LPE for macOS <= 10.15.4
Merge branch 'land-13992' into upstream-master
2020-09-04 15:53:17 -05:00
bwatters
5e2a3a6f65
Recompiled binary exploit file to match source 2020-09-04 15:46:52 -05:00
Tim W
1693a3c787 add exploit binaries 2020-09-01 17:14:21 +08:00
Tim W
9150f0bc3a move int64.js and utils.js to javascript_utils folder 2020-09-01 16:14:31 +08:00
Tim W
46db23c35e fix int64.js and utils.js 2020-09-01 16:14:30 +08:00
Tim W
c23cb63c6e exploit binary 2020-09-01 14:10:34 +08:00
C4ssandre
85ccac215b Removing precompiled binaries (dll exploits). 2020-08-28 17:37:34 +02:00
C4ssandre
3336040f2d Adding a new privilege escalation exploit for windows.
New files and folders:

- metasploit-framework/modules/exploits/windows/local/bits_ntlm_token_impersonation.rb

- metasploit-framework/data/exploits/drunkpotato/

- metasploit-framework/external/source/exploits/drunkpotato/
2020-08-25 14:27:41 +02:00
h00die
cd41d9c3c9
Land #13911, iphone 4 on ios 7.1.2 safari jit for root 2020-08-14 16:01:14 -04:00
Tim W
1eaf66dab1 CVE-2020-9850 2020-08-14 16:10:34 +08:00
Tim W
0b513d6c51 remove debug logging from the kernel exploit 2020-07-30 18:10:26 +08:00
Tim W
79adcf7904 Add module for iOS 7.1.2 2020-07-27 15:05:31 +08:00
Brendan Coles
cbbd4fc517 Add CVE-2020-7457 exploit.c 2020-07-26 08:04:37 +00:00
gwillcox-r7
586971428a
Recompile everything so we don't have the messagebox calls 2020-06-11 00:18:45 -05:00
gwillcox-r7
93b28e662e
Change out template_dll solution files so that it generates the DLL with the correct name and in the correct location 2020-06-10 11:41:34 -05:00
gwillcox-r7
7711cecee9
Final tweaks to make this more reliable, should be good now 2020-06-10 11:02:53 -05:00
gwillcox-r7
4a9c878132
Finally fix up the hanging issue via new template DLLs and associated code 2020-06-10 11:02:53 -05:00
gwillcox-r7
cb20eaf6f9
Finally fix the issue with the cleanup of the files within the exploit 2020-06-10 11:02:51 -05:00
gwillcox-r7
401feb3e53
Change code so that we automatically exit Notepad upon DLL completing its work. Should help tidy things up more 2020-06-10 11:02:50 -05:00
gwillcox-r7
cf17b2065c
Updated module with some output corrections, recompiled DLLs 2020-06-10 11:02:50 -05:00
gwillcox-r7
ae2b40bf99
Update the output of the module to be more correct. Also upload updated DLLs 2020-06-10 11:02:49 -05:00
gwillcox-r7
1607b8c342
Add initial files for CVE-2020-0787 2020-06-10 11:02:35 -05:00
Shelby Pace
c8ab30a40a
add poc code 2020-06-02 14:29:02 -05:00
William Vu
8473662e32
Land #13463, Oracle WebLogic CVE-2020-2555 exploit 2020-05-20 23:21:07 -05:00
Brendan Coles
8631babcbb Update CVE-2019-13272 pre-compiled exploit 2020-05-11 13:36:41 +00:00
Brendan Coles
dbc2b8b006 Update CVE-2019-13272 exploit C code to prefer auto targeting
Previously, the exploit would attempt to use a hardcoded list of
known useful helpers and fall back to automatic targeting. This
logic has been reversed, preferring automatic targeting first.
2020-05-09 03:59:31 +00:00
Spencer McIntyre
9769e04b6e
Land #13322, CVE-2020-0668 Service tracing file junction overwrite 2020-05-07 09:47:20 -04:00
gwillcox-r7
a1275845ec
Land #13200, CVE-2019-0808 LPE for Windows 7 x86 SP0 and SP1 2020-05-06 17:23:52 -05:00
gwillcox-r7
1c79674620
Recompile DLL and alter vcxproj file to automatically place generated DLL in right folder 2020-05-06 16:33:01 -05:00
Shelby Pace
587fc0ff09
add PoC 2020-05-04 11:08:38 -05:00
Tim W
b8dc843b48 add binary 2020-05-01 19:02:54 +08:00
bwatters-r7
7213d379ec
Add Uso dll 2020-04-23 15:18:22 -05:00
bwatters-r7
0bbb822fe4
Working through mountpoint issues 2020-04-21 09:54:45 -05:00
h00die
e1f1ad45bc working exploit 2020-04-19 15:19:19 -04:00
h00die
58074dc6bb waiting on metasm question 2020-04-18 20:26:45 -04:00
Spencer McIntyre
3392fa18d4 Add the x64 LPE exploit for CVE-2020-0796 2020-04-02 17:22:00 -04:00
Brent Cook
f59ec03c42
Land #12465, add Android Binder UAF (CVE-2019-2215) 2020-02-23 01:06:33 -08:00
Christophe De La Fuente
394e99fbe9
Land #12568, Fix exploit/windows/local/ms16_032_secondary_logon_handle_privesc 2020-01-30 11:57:56 +01:00
cdelafuente-r7
3491da7da0 Add a random sentinel to close channel when it terminates (#1)
* Add a random sentinel to close channel when it terminates

* Replace spaces with tabs to be consistent

* Remove unnecessary escaped quotes and use include? instead of regex
2020-01-25 23:30:49 +01:00
Tim W
cfffb65a21
Land #12859, update AF_PACKET chocobo_root linux LPE 2020-01-24 17:30:13 +08:00
Brent Cook
6f6cc00871
Land #12751, add Linux RDS socket NP deref privesc 2020-01-22 07:08:47 -06:00
Brendan Coles
19b1f567b2 Update AF_PACKET chocobo_root Privilege Escalation module 2020-01-19 11:51:01 +00:00
Brendan Coles
36b6ceb56f Add rds_atomic_free_op_null_pointer_deref_priv_esc (CVE-2018-5333) 2020-01-18 08:34:52 +00:00
Shelby Pace
894927d960
Land #12693, add Comahawk privilege escalation 2019-12-18 15:40:51 -06:00
bwatters-r7
7e05642a1b
Randomize container name 2019-12-12 07:48:01 -06:00
bwatters-r7
0257861c4f
Remove debug statements and extra c/ruby libraries 2019-12-11 18:42:36 -06:00
bwatters-r7
942d1e3962
Trim exploit code and de-pasta-fy module
Better check for build number
2019-12-10 18:09:08 -06:00