2c1869f9df
Land #14907 , Add exploit for CVE-2021-1732
...
Merge branch 'land-14907' into upstream-master
2021-03-18 14:29:59 -05:00
f3df076067
Only upgrade the token of EProcess was found
2021-03-16 15:20:44 -04:00
c11900b9ab
Add support for Windows 2004 & 20H2
2021-03-15 17:28:38 -04:00
2e3d98a36a
Move the DLL injection code into a reusable function
2021-03-15 11:47:02 -04:00
89ce1c5229
Quick update to make the backdoor a bit stealthier by removing the extra Payload Success! message that wasn't needed
2021-03-14 00:00:17 -06:00
4f2e299d8f
Update the exploit to use Python as its payload since this is a lot more flexible, allows Meterpreter, returns a shell faster, and we are already injecting into and executing a Python file
2021-03-14 00:00:06 -06:00
7d6e636114
Initial upload of exploit code for CVE-2021-21978
2021-03-13 23:59:47 -06:00
f0a9a1deb3
Add the initial exploit for CVE-2021-1732
2021-03-12 17:30:22 -05:00
f327d30e08
First attempt at CVE-2020-7200 module, with RuboCopped module
2021-03-02 16:38:19 -06:00
b9dd1b927b
Randomize the path to the library that's loaded
2021-02-10 08:45:52 -05:00
117cdc4fd7
Populate module metadata and cleanup files
2021-02-03 18:16:13 -05:00
a00f165b6b
Clean the C code and fix the exploitation environment
2021-02-03 18:16:13 -05:00
b9413b4103
Update the exploit C code to allocate it's own PTY
2021-02-03 18:16:13 -05:00
13dd9ac10e
Initial work on CVE-2021-3156
2021-02-03 18:16:13 -05:00
c8819259ae
Land #14414 , CVE-2020-1337 - patch bypass for CVE-2020-1048
2021-01-15 19:13:14 +01:00
33bd712e0a
Land #14585 , Create module for CVE-2020-17136: Cloud Filter Arbitrary File Creation EoP
2021-01-11 17:16:40 -05:00
50e115b414
Cleanup and edits per review from Christophe
...
Removed unused method from ps script
Cleaned up some code in the module
Added removal instructions to the documentation
2021-01-11 16:02:58 -06:00
3072391d00
Make second round of review edits to fix Spencer's comments
2021-01-08 12:50:52 -06:00
5e5d7b1abb
Update to execute_string to avoid the issue where an arbitrary
...
length comment is required for the exploit to work.
2021-01-06 17:08:22 -06:00
17c393f101
Land #14046 , Adding juicypotato-like privilege escalation exploit for windows
2021-01-06 16:02:05 +01:00
bf7627b33e
Adding DLL's
2021-01-06 15:59:08 +01:00
839daf93e9
Update the compiled DLL and redo a lot of the module to get it into its first ready state using a different DLL hijack I found during research
2021-01-05 16:12:08 -06:00
668eeae4e1
Initial push of code
2021-01-04 12:04:38 -06:00
7f4fac4548
Fix powershell issues and add comment because it is apparently magic
2020-12-16 13:57:02 -06:00
33ef352f89
Add dll
...
Compiled with Visual Studio Express 2013 with Platform Toolset v120
2020-12-15 12:42:06 +01:00
810898e97b
Rough attempt at CVE-2020-1337
...
Non-functional
2020-11-20 17:36:19 -06:00
9e111d7fdf
Add in compiled version of the exploit to meet Rapid7 compliance guidelines on having Rapid7 employees submit compiled binaries only
2020-10-23 16:01:00 -05:00
c5751a240b
Fix incorrect offset in BPF sign extension LPE
...
The uid field of the cred struct is normally the second field, followed
by the gid field. The first field is of type atomic_t, which has the
size of an int. Since the size of an int is usually 4 bytes, the uid is
normally located at an offset of 4 bytes from the start of the cred
struct, and not 8. Since the uid also is int-sized, the code set
test_uid to the gid, making the exploit fail for cases where uid != gid.
2020-10-17 19:46:35 -04:00
b932ed5225
Recompile the exploit.dll DLL for CVE-2019-1458 as per Rapid7 policies
2020-10-15 10:58:56 -05:00
12c5f4f916
CVE-2019-1458 chrome sandbox escape initial commit
2020-10-15 10:57:46 -05:00
e24a81919a
Land #13996 , Add module for CVE-2020-9801, CVE-2020-9850 and CVE-2020-9856,
...
RCE for Safari on macOS 10.15.3 (pwn2own2020)
Merge branch 'land-13996' into upstream-master
2020-10-01 09:46:39 -05:00
f0f4da2b1e
Land #14157 , Windows update orchestrator privesc
2020-09-25 16:07:27 -05:00
2d1b378a18
Land #14122 , Jenkins Deserialization RCE (CVE-2017-1000353)
2020-09-22 12:32:09 +02:00
534e945cd0
First attempt at CVE-2020-1313
2020-09-18 15:39:12 -05:00
06f5518953
Update binaries
2020-09-16 11:41:02 -05:00
a2edcda819
Rubocop on module and update error handling on exploit C code + recompile
2020-09-16 11:17:39 -05:00
95bb6ad71a
Add new binaries
2020-09-16 11:17:39 -05:00
a5253c5674
remove old binaries before we added both x86 and x64 binaries
2020-09-16 11:17:39 -05:00
a72769909b
Change exe to take destination and source files for copy
2020-09-16 11:17:39 -05:00
17272209cc
First try at CVE-2020-1048, needs lots of work
2020-09-16 11:17:38 -05:00
ff500dd9fb
add poc
2020-09-11 12:00:16 -05:00
e592736833
Land #13992 , Add module for CVE-2020-9839, LPE for macOS <= 10.15.4
...
Merge branch 'land-13992' into upstream-master
2020-09-04 15:53:17 -05:00
5e2a3a6f65
Recompiled binary exploit file to match source
2020-09-04 15:46:52 -05:00
1693a3c787
add exploit binaries
2020-09-01 17:14:21 +08:00
9150f0bc3a
move int64.js and utils.js to javascript_utils folder
2020-09-01 16:14:31 +08:00
46db23c35e
fix int64.js and utils.js
2020-09-01 16:14:30 +08:00
c23cb63c6e
exploit binary
2020-09-01 14:10:34 +08:00
85ccac215b
Removing precompiled binaries (dll exploits).
2020-08-28 17:37:34 +02:00
3336040f2d
Adding a new privilege escalation exploit for windows.
...
New files and folders:
- metasploit-framework/modules/exploits/windows/local/bits_ntlm_token_impersonation.rb
- metasploit-framework/data/exploits/drunkpotato/
- metasploit-framework/external/source/exploits/drunkpotato/
2020-08-25 14:27:41 +02:00
cd41d9c3c9
Land #13911 , iphone 4 on ios 7.1.2 safari jit for root
2020-08-14 16:01:14 -04:00
bwatters