Spencer McIntyre
ff2516a7f2
Update CVE-2021-1732 to reduce code reuse
2021-05-12 16:41:43 -04:00
Spencer McIntyre
477749f77f
Refactor the code to be reusable and add docs
2021-05-12 16:36:17 -04:00
Spencer McIntyre
d3de52da59
The exploit is now functional for Win10 v1803-20H2
2021-05-12 16:14:59 -04:00
Justin Steven
fa73c0af3e
Add CVE-2021-22204 ExifTool ANT perl injection
2021-05-11 12:02:12 +10:00
Ashley Donaldson
fbc291bc22
Tested on various other Fedoras
2021-05-04 14:18:16 +10:00
Ashley Donaldson
0435e281d9
Updated CVE-2021-3156 documentation to reflect code changes.
2021-05-03 16:45:50 +10:00
Ashley Donaldson
b1d2c39c98
Added second CentOS 7 exploit
2021-04-30 18:30:19 +10:00
Ashley Donaldson
124d157a1c
Added CVE-2021-3156 exploits for CentOS 7 and 8
2021-04-30 17:25:59 +10:00
Ashley Donaldson
79152cafe6
Added support for Ubuntu 14.04.3 for CVE-2021-3156
2021-04-29 20:48:51 +10:00
Ashley Donaldson
0ee1d5fbe3
Ensure exploit is compatible with both python3 and python2
2021-04-29 18:52:56 +10:00
Ashley Donaldson
9d9d3ce061
Added Ubuntu 16.04-specific exploit script to CVE-2021-3156 module
The generic approach used for other targets doesn't work for 16.04, as that one relies on tcache bins, which are not present in glibc 2.23.
2021-04-29 18:28:13 +10:00
Ashley Donaldson
fcd17ed3b1
Port sudoedit exploit to Python
It's assumed that Python is more likely to be present on the target system than gcc, so it is better as a dependency.
2021-04-29 13:17:32 +10:00
bwatters
2c1869f9df
Land #14907, Add exploit for CVE-2021-1732
Merge branch 'land-14907' into upstream-master
2021-03-18 14:29:59 -05:00
Spencer McIntyre
f3df076067
Only upgrade the token if EProcess was found
2021-03-16 15:20:44 -04:00
Spencer McIntyre
c11900b9ab
Add support for Windows 2004 & 20H2
2021-03-15 17:28:38 -04:00
Spencer McIntyre
2e3d98a36a
Move the DLL injection code into a reusable function
2021-03-15 11:47:02 -04:00
Grant Willcox
89ce1c5229
Quick update to make the backdoor a bit stealthier by removing the extra Payload Success! message that wasn't needed
2021-03-14 00:00:17 -06:00
Grant Willcox
4f2e299d8f
Update the exploit to use Python as its payload since this is a lot more flexible, allows Meterpreter, returns a shell faster, and we are already injecting into and executing a Python file
2021-03-14 00:00:06 -06:00
Grant Willcox
7d6e636114
Initial upload of exploit code for CVE-2021-21978
2021-03-13 23:59:47 -06:00
Spencer McIntyre
f0a9a1deb3
Add the initial exploit for CVE-2021-1732
2021-03-12 17:30:22 -05:00
Grant Willcox
f327d30e08
First attempt at CVE-2020-7200 module, with RuboCopped module
2021-03-02 16:38:19 -06:00
Spencer McIntyre
b9dd1b927b
Randomize the path to the library that's loaded
2021-02-10 08:45:52 -05:00
Spencer McIntyre
117cdc4fd7
Populate module metadata and cleanup files
2021-02-03 18:16:13 -05:00
Spencer McIntyre
a00f165b6b
Clean the C code and fix the exploitation environment
2021-02-03 18:16:13 -05:00
Spencer McIntyre
b9413b4103
Update the exploit C code to allocate its own PTY
2021-02-03 18:16:13 -05:00
Spencer McIntyre
13dd9ac10e
Initial work on CVE-2021-3156
2021-02-03 18:16:13 -05:00
Christophe De La Fuente
c8819259ae
Land #14414, CVE-2020-1337 - patch bypass for CVE-2020-1048
2021-01-15 19:13:14 +01:00
Spencer McIntyre
33bd712e0a
Land #14585, Create module for CVE-2020-17136: Cloud Filter Arbitrary File Creation EoP
2021-01-11 17:16:40 -05:00
bwatters
50e115b414
Cleanup and edits per review from Christophe
Removed unused method from ps script
Cleaned up some code in the module
Added removal instructions to the documentation
2021-01-11 16:02:58 -06:00
Grant Willcox
3072391d00
Make second round of review edits to fix Spencer's comments
2021-01-08 12:50:52 -06:00
bwatters
5e5d7b1abb
Update to execute_string to avoid the issue where an arbitrary length comment is required for the exploit to work.
2021-01-06 17:08:22 -06:00
Christophe De La Fuente
17c393f101
Land #14046, Adding juicypotato-like privilege escalation exploit for windows
2021-01-06 16:02:05 +01:00
Christophe De La Fuente
bf7627b33e
Adding DLLs
2021-01-06 15:59:08 +01:00
Grant Willcox
839daf93e9
Update the compiled DLL and redo a lot of the module to get it into its first ready state using a different DLL hijack I found during research
2021-01-05 16:12:08 -06:00
Grant Willcox
668eeae4e1
Initial push of code
2021-01-04 12:04:38 -06:00
bwatters
7f4fac4548
Fix powershell issues and add comment because it is apparently magic
2020-12-16 13:57:02 -06:00
Christophe De La Fuente
33ef352f89
Add dll
Compiled with Visual Studio Express 2013 with Platform Toolset v120
2020-12-15 12:42:06 +01:00
bwatters
810898e97b
Rough attempt at CVE-2020-1337
Non-functional
2020-11-20 17:36:19 -06:00
Grant Willcox
9e111d7fdf
Add in compiled version of the exploit to meet Rapid7 compliance guidelines on having Rapid7 employees submit compiled binaries only
2020-10-23 16:01:00 -05:00
Gustaf Blomqvist
c5751a240b
Fix incorrect offset in BPF sign extension LPE
The uid field of the cred struct is normally the second field, followed
by the gid field. The first field is of type atomic_t, which has the
size of an int. Since the size of an int is usually 4 bytes, the uid is
normally located at an offset of 4 bytes from the start of the cred
struct, and not 8. Since the uid is also int-sized, the code set
test_uid to the gid, making the exploit fail for cases where uid != gid.
2020-10-17 19:46:35 -04:00
Grant Willcox
b932ed5225
Recompile the exploit.dll DLL for CVE-2019-1458 as per Rapid7 policies
2020-10-15 10:58:56 -05:00
Tim W
12c5f4f916
CVE-2019-1458 chrome sandbox escape initial commit
2020-10-15 10:57:46 -05:00
bwatters
e24a81919a
Land #13996, Add module for CVE-2020-9801, CVE-2020-9850 and CVE-2020-9856, RCE for Safari on macOS 10.15.3 (pwn2own2020)
Merge branch 'land-13996' into upstream-master
2020-10-01 09:46:39 -05:00
Shelby Pace
f0f4da2b1e
Land #14157, Windows update orchestrator privesc
2020-09-25 16:07:27 -05:00
Christophe De La Fuente
2d1b378a18
Land #14122, Jenkins Deserialization RCE (CVE-2017-1000353)
2020-09-22 12:32:09 +02:00
bwatters
534e945cd0
First attempt at CVE-2020-1313
2020-09-18 15:39:12 -05:00
bwatters
06f5518953
Update binaries
2020-09-16 11:41:02 -05:00
bwatters
a2edcda819
Rubocop on module and update error handling on exploit C code + recompile
2020-09-16 11:17:39 -05:00
bwatters
95bb6ad71a
Add new binaries
2020-09-16 11:17:39 -05:00
bwatters
a5253c5674
Remove old binaries before we added both x86 and x64 binaries
2020-09-16 11:17:39 -05:00