60cf48c94b
move cve-2020-29583 to a better file
2021-02-05 17:43:34 -05:00
117cdc4fd7
Populate module metadata and cleanup files
2021-02-03 18:16:13 -05:00
a00f165b6b
Clean the C code and fix the exploitation environment
2021-02-03 18:16:13 -05:00
b9413b4103
Update the exploit C code to allocate it's own PTY
2021-02-03 18:16:13 -05:00
13dd9ac10e
Initial work on CVE-2021-3156
2021-02-03 18:16:13 -05:00
c3a58f93ec
cve-2020-29583
2021-01-18 09:52:09 -05:00
ea4cade5c8
cve-2020-29583
2021-01-18 09:49:53 -05:00
c8819259ae
Land #14414 , CVE-2020-1337 - patch bypass for CVE-2020-1048
2021-01-15 19:13:14 +01:00
0bc05ae2e8
Land #14606 , Add banner celebrating the awesome teams who joined us in the 2020 ctf
2021-01-13 10:53:57 -05:00
33bd712e0a
Land #14585 , Create module for CVE-2020-17136: Cloud Filter Arbitrary File Creation EoP
2021-01-11 17:16:40 -05:00
50e115b414
Cleanup and edits per review from Christophe
...
Removed unused method from ps script
Cleaned up some code in the module
Added removal instructions to the documentation
2021-01-11 16:02:58 -06:00
b4a8f364b3
Add banner celebrating the awesome teams who joined us in the 2020
...
Metasploit CTF. (Except the one team with an F-bomb in it)
2021-01-11 11:09:38 -06:00
3072391d00
Make second round of review edits to fix Spencer's comments
2021-01-08 12:50:52 -06:00
5e5d7b1abb
Update to execute_string to avoid the issue where an arbitrary
...
length comment is required for the exploit to work.
2021-01-06 17:08:22 -06:00
17c393f101
Land #14046 , Adding juicypotato-like privilege escalation exploit for windows
2021-01-06 16:02:05 +01:00
bf7627b33e
Adding DLL's
2021-01-06 15:59:08 +01:00
839daf93e9
Update the compiled DLL and redo a lot of the module to get it into its first ready state using a different DLL hijack I found during research
2021-01-05 16:12:08 -06:00
668eeae4e1
Initial push of code
2021-01-04 12:04:38 -06:00
7f4fac4548
Fix powershell issues and add comment because it is apparently magic
2020-12-16 13:57:02 -06:00
33ef352f89
Add dll
...
Compiled with Visual Studio Express 2013 with Platform Toolset v120
2020-12-15 12:42:06 +01:00
9376accc05
Land #14410 , Add synchronization to the DLL payload template
2020-12-04 16:08:18 -06:00
15b5a811e4
update check external scripts and wordpress files
2020-11-21 11:52:18 -05:00
810898e97b
Rough attempt at CVE-2020-1337
...
Non-functional
2020-11-20 17:36:19 -06:00
efa125bb23
Document the synchronization procedure
2020-11-16 16:13:35 -05:00
3586644b62
Increase the payload space to 4096 within the DLL template
2020-11-16 15:58:59 -05:00
2d367b867d
Add a synchronization primitive to the DLL template
2020-11-16 15:57:27 -05:00
c6304704f4
Cleanup inconsistent whitespace in the DLL template
2020-11-16 11:26:15 -05:00
76ab0ee849
Land #14304 , execute_dotnet_assembly fix parameters management
2020-11-10 09:56:18 -05:00
0ccb50ac02
Adjust how HostingCLR arguments are packed
2020-11-09 12:24:55 -05:00
ddd9af83b9
Update
2020-10-29 22:49:41 +01:00
65fcf67ca5
Land #14279 , Fix incorrect offset in BPF sign extension LPE
2020-10-23 16:02:13 -05:00
9e111d7fdf
Add in compiled version of the exploit to meet Rapid7 compliance guidelines on having Rapid7 employees submit compiled binaries only
2020-10-23 16:01:00 -05:00
9779bbef77
Fix parameter managing
...
Fix a problem running assemblies with Main signature (string[] args) and no passed parameters
2020-10-23 21:14:10 +02:00
3970b69734
Land #14229 , Telerik UI for ASP.NET AJAX exploit
...
CVE-2017-11317 && CVE-2019-18935
2020-10-20 13:24:35 -05:00
c5751a240b
Fix incorrect offset in BPF sign extension LPE
...
The uid field of the cred struct is normally the second field, followed
by the gid field. The first field is of type atomic_t, which has the
size of an int. Since the size of an int is usually 4 bytes, the uid is
normally located at an offset of 4 bytes from the start of the cred
struct, and not 8. Since the uid also is int-sized, the code set
test_uid to the gid, making the exploit fail for cases where uid != gid.
2020-10-17 19:46:35 -04:00
b932ed5225
Recompile the exploit.dll DLL for CVE-2019-1458 as per Rapid7 policies
2020-10-15 10:58:56 -05:00
12c5f4f916
CVE-2019-1458 chrome sandbox escape initial commit
2020-10-15 10:57:46 -05:00
adfc8f89c4
Implement version enumeration and report CVE-2017-11317 for Telerik
2020-10-07 10:27:50 -04:00
d6e1eee635
Add a new Mixed Mode Assembly DLL payload template
2020-10-05 15:19:40 -04:00
e24a81919a
Land #13996 , Add module for CVE-2020-9801, CVE-2020-9850 and CVE-2020-9856,
...
RCE for Safari on macOS 10.15.3 (pwn2own2020)
Merge branch 'land-13996' into upstream-master
2020-10-01 09:46:39 -05:00
f0f4da2b1e
Land #14157 , Windows update orchestrator privesc
2020-09-25 16:07:27 -05:00
2d1b378a18
Land #14122 , Jenkins Deserialization RCE (CVE-2017-1000353)
2020-09-22 12:32:09 +02:00
534e945cd0
First attempt at CVE-2020-1313
2020-09-18 15:39:12 -05:00
06f5518953
Update binaries
2020-09-16 11:41:02 -05:00
a2edcda819
Rubocop on module and update error handling on exploit C code + recompile
2020-09-16 11:17:39 -05:00
95bb6ad71a
Add new binaries
2020-09-16 11:17:39 -05:00
a5253c5674
remove old binaries before we added both x86 and x64 binaries
2020-09-16 11:17:39 -05:00
a72769909b
Change exe to take destination and source files for copy
2020-09-16 11:17:39 -05:00
17272209cc
First try at CVE-2020-1048, needs lots of work
2020-09-16 11:17:38 -05:00
ff500dd9fb
add poc
2020-09-11 12:00:16 -05:00
h00die