07954c0ce2
Land #12902 , Add exploit module for crosschex buffer overflow
2020-02-13 15:48:10 +00:00
0e55e20c9c
Land #12902 , Add exploit module for crosschex buffer overflow
2020-02-13 15:43:38 +00:00
2ca2b5c7bb
replaces magic numbers with target fields
2020-02-13 14:17:23 +00:00
fce70c9284
Adjusting print method to better reflect the situation.
2020-02-13 08:02:02 +09:00
cbcf8a2a68
adds to_i and removes default options
2020-02-12 12:04:15 +00:00
6d73b572c7
Update vulnerable systems documentation.
...
Feedback from bcoles.
2020-02-12 08:22:43 +09:00
8fd3b483d3
improves option descriptions & timeout handling
2020-02-11 15:05:24 +00:00
946e244c8c
Updates docs and adds basic options
2020-02-11 13:40:51 +00:00
a7a80e08a8
Updated docs with platform info
2020-02-11 12:55:07 +00:00
3395b91c83
adds module documentation
2020-02-10 16:45:44 +00:00
25d863d912
Updating regex in exploit windows version check.
...
This addresses issue #12698 , where the Windows OS and build was not
being parsed correctly due to changes in the client.sys.config lib.
Tested against Windows 10 (patched):
```
msf5 exploit(windows/local/ms16_075_reflection_juicy) > rcheck
[*] Reloading module...
[-] Target appears to be patched or not vulnerable (Windows 10 (10.0
Build 18363).)
[*] The target is not exploitable.
```
2020-02-10 15:32:02 +09:00
7f3c0c9314
Land #12906 , Add module for CVE-2019-19363
...
Merge branch 'land-12906' into upstream-master
2020-02-06 15:22:17 -06:00
9a8d9c6c88
check arch
2020-02-06 14:11:42 -06:00
e736588795
change method of exploitation for reliability
...
This commit changes a few things:
1. The module first writes the dll to a
temp location.
2. The module writes a batch file to a
temp location.
3. The batch file copies the dll until
the copy command fails (presumably
because the dll is now in use by
PrintIsolationHost.exe).
4. The dropped files are deleted.
5. Docs updated to reflect changes.
2020-02-06 12:51:36 -06:00
9db6b5184b
Land #12894 , Add Windscribe WindscribeService Named Pipe Privilege Escalation
...
Merge branch 'land-12894' into upstream-master
2020-02-05 12:37:34 -06:00
ddec8a58a1
disables payload padding and describes shell code
2020-02-05 18:09:39 +00:00
22a75c7bee
Revert "Fix style"
...
This reverts commit 9f81aeb4ad
2020-02-04 10:10:46 -06:00
d76546f8ee
clarifies inserted shell code's function
2020-02-04 15:14:36 +00:00
671f2e9616
msfTidy: set disclosure date to proper format
2020-02-04 11:55:39 +00:00
2360b0e2ff
clean up module using msftidy
2020-02-04 13:14:03 +02:00
37065f5ffe
PR Changes: More Cleanup
2020-02-04 10:59:02 +00:00
4fd865f3a9
PR Changes: Comments, fail_with, and cleanup
2020-02-04 10:57:41 +00:00
20386f1aa4
Add apache_activemq_traversal_upload module and documentation
2020-02-04 12:01:41 +02:00
303bddbb37
add cleanup code and modified options
2020-02-03 16:24:48 -06:00
7175126319
Update title for smb_doublepulsar_rce
2020-02-03 11:19:20 -06:00
fa6573f8e7
Note arch in supported target
2020-02-03 11:16:16 -06:00
a3717e13f6
Unf*ck PAYLOAD being set for neutralization
2020-02-03 11:16:16 -06:00
e12d993027
Move SMB DOPU module to match new naming scheme
2020-02-03 11:16:16 -06:00
f49ee7c60e
Prefer exploit.rb's rand_text wrapper
2020-02-03 11:16:16 -06:00
d64eb10b17
Update credit
2020-02-03 11:16:16 -06:00
548529e1d4
Clean up parsing
2020-02-03 11:16:16 -06:00
9e690414a1
Update ping response parsing with new information
...
Found the struct that corresponds to the ping response!
2020-02-03 11:16:16 -06:00
6241555531
Fix service pack
2020-02-03 11:16:16 -06:00
2ce49456a7
Fix arch detection and add product type
...
Thanks to @tsellers-r7 for testing XP and producing output to compare
against. Without a 32-bit test, the architecture guess was incorrect.
Additionally, product type had yet to be determined. The trailing bytes
were indeed significant! Thanks, Tom!
2020-02-03 11:16:16 -06:00
992a386ece
Use build_data_tpdu and note channelJoinConfirm
2020-02-03 11:16:16 -06:00
4d21b0e88e
Update prints in check for visibility
...
vprint_good should be print_warning, and most vprints should be print,
even if in check, since check is critical functionality.
2020-02-03 11:16:16 -06:00
7ba7221a8f
Parse ping response into version, build, and arch
2020-02-03 11:16:16 -06:00
db1a201885
Add RDP DOUBLEPULSAR RCE module
2020-02-03 11:16:16 -06:00
2ce3cb9e86
updated description
2020-02-03 17:09:56 +00:00
1ef34283eb
obtain session unreliably
2020-02-03 11:07:36 -06:00
6b229177f1
Add crosschex buffer overflow exploit
2020-02-03 17:02:04 +00:00
34621c0adc
Add Windscribe WindscribeService Named Pipe Privilege Escalation
2020-02-01 00:41:07 +00:00
8d4637a42b
can now add printers
2020-01-31 15:07:56 -06:00
b05fe7453f
add improved check method
2020-01-30 11:40:24 -06:00
394e99fbe9
Land #12568 , Fix exploit/windows/local/ms16_032_secondary_logon_handle_privesc
2020-01-30 11:57:56 +01:00
9da4555509
Move clean-up code to cleanup method ( #2 )
...
Move clean-up code to cleanup method
2020-01-29 17:11:07 +01:00
3491da7da0
Add a random sentinel to close channel when terminates ( #1 )
...
* Add a random sentinel to close channel when terminates
* Replace spaces with tabs to be consistent
* Remove unnecessary escaped quotes and use include? instead of regex
2020-01-25 23:30:49 +01:00
2414fda288
add initial check/metadata
2020-01-24 16:14:51 -06:00
0d8d17c63d
Land #12736 , Add support for PPID spoofing
2020-01-24 08:49:51 -06:00
355ddba6c9
Prefer exploit.rb's rand_text wrapper
2020-01-22 16:37:36 -06:00
dwelch-r7