William Vu
7417aa8a30
Rename module and note kill target in description
2019-09-30 14:18:41 -05:00
William Vu
0392521887
Fix same multiplex ID meaning implant not detected
2019-09-30 14:18:41 -05:00
William Vu
33d7a2a818
Remove SMB::Client::Authenticated
...
They're fine as advanced options, since this targets a null session.
2019-09-30 14:18:41 -05:00
William Vu
6b4cf4970e
Don't support x86 at the moment
2019-09-30 14:18:41 -05:00
William Vu
aa2f7d378a
Create method for kernel shellcode size
2019-09-30 14:18:41 -05:00
William Vu
8190e7067a
Calculate kernel shellcode size
2019-09-30 14:18:41 -05:00
William Vu
05b83ff5da
Calculate max payload size automagically
2019-09-30 14:18:41 -05:00
William Vu
8cae04f194
Use constant for maximum shellcode size
2019-09-30 14:18:41 -05:00
William Vu
fb1bb0fd2f
Don't use NOPs because Peter would be sad
2019-09-30 14:18:41 -05:00
William Vu
530bf9bc0c
Finish RCE with Jacob's help
2019-09-30 14:18:41 -05:00
William Vu
3a5a05f3a9
Use recently enhanced Rex::Text.xor
2019-09-30 14:18:41 -05:00
William Vu
90cb0e039f
Add DOUBLEPULSAR payload execution
2019-09-30 14:18:41 -05:00
Brent Cook
c0be631bf0
tweak groombase for vmware 15.1
2019-09-23 11:01:04 -05:00
Brent Cook
acb351ac44
add a few more vmware targets (emphasising the fragility here)
2019-09-19 07:02:02 -05:00
Brent Cook
67ee46ec03
add additional target, set default target GROOMSIZE to 100M (thanks aconite33)
2019-09-19 06:05:08 -05:00
Brent Cook
8138e2f185
remove email
2019-09-19 06:05:08 -05:00
Brent Cook
458dc59594
move kernel shellcode comments to the correct place
2019-09-19 06:05:08 -05:00
Brent Cook
d80ad89160
resolve msftidy error
2019-09-19 06:05:08 -05:00
Brent Cook
7e4a99689a
remove separate PoC and shellcode files, replaced with new integrated module
2019-09-19 06:05:08 -05:00
Brent Cook
51c0c24c20
add and update documentation from original PoC
2019-09-19 06:05:08 -05:00
Brent Cook
fb729b5f11
add bare metal target
2019-09-19 06:05:08 -05:00
Brent Cook
02ba21a0a0
remove WinVer
2019-09-19 06:05:08 -05:00
Brent Cook
4677e0f389
include internal OS version in target names
2019-09-19 06:05:08 -05:00
William Vu
cdd3378acc
Clean up BlueKeep exploit
2019-09-19 06:05:08 -05:00
Brent Cook
e32409b379
merge Win 7/2008 targets
2019-09-19 06:05:08 -05:00
Brent Cook
f2c475454a
tag targets for Virtualbox, add Windows 2008R2
2019-09-19 06:05:08 -05:00
Brent Cook
15ce66cb02
adjust to ManualRanking
2019-09-19 06:05:08 -05:00
Brent Cook
35e3704526
add current caveats and notes from zerosum0x0
2019-09-19 06:05:08 -05:00
Brent Cook
e243e1a50d
add a more likely arch with the default fingerprint target
2019-09-19 06:05:08 -05:00
Brent Cook
f3a9af2ea8
rename for consistency with scanner module
2019-09-19 06:05:08 -05:00
Brent Cook
855281b0ac
add auto-target by default, only scan and show a user message for now
2019-09-19 06:05:08 -05:00
Brent Cook
b860cafddf
remove 'COMPACT' mode since it's not needed here
2019-09-19 06:05:08 -05:00
Brent Cook
49cb6204e5
explicit short jump no longer needed with relative address fixes
2019-09-19 06:05:08 -05:00
Brent Cook
559901865e
add PR ref
2019-09-19 06:05:08 -05:00
Brent Cook
9e321dc30e
move hack into fixup code
2019-09-19 06:05:08 -05:00
Brent Cook
9150ab4e1a
add pre/post processor phase to address metasm limits
...
This adds a pre/post processor phase that allows specifying relative
label offsets when loading effective addresses from metasm-generated
code.
2019-09-19 06:05:08 -05:00
Brent Cook
6522866071
specify short jump opcodes explicitly
2019-09-19 06:05:08 -05:00
OJ
f479ed2d73
Small refactors, comments and tidying up
2019-09-19 06:05:08 -05:00
William Vu
725bff5e2d
Add CheckScanner and ForceExploit
2019-09-19 06:05:08 -05:00
Brent Cook
49762084f2
minor cleanup of debug code and remove some fixed encodings (still need a couple)
2019-09-19 06:05:08 -05:00
Brent Cook
a529866e1a
first working metasm shellcode
2019-09-19 06:05:08 -05:00
Brent Cook
6225c5c31f
skip payload encoding, be a bit more self-documenting
2019-09-19 06:05:08 -05:00
Brent Cook
4edf91d0b2
add debug writes (to be removed later)
2019-09-19 06:05:08 -05:00
Brent Cook
121e337e13
fix incorrect bytes in kernel shellcode
2019-09-19 06:05:08 -05:00
OJ
c76e773b8f
Another attempt to get bluekeep working
...
For some reason the existing kernel payload doesn't work with the
exploit as it currently stands, which is very odd given that everything
else seems to be in order.
Hoping to get some help from the rest of the MSF folks as right now
I don't think I can trust the tools that I'm using.
2019-09-19 06:05:08 -05:00
OJ
8412ff319a
Fix disconnect PDU message and start work on payloads
2019-09-19 06:05:08 -05:00
OJ
edcc423eea
Lots more RDP mixin changes, and first pass of ruby exploit
...
This code is at the point where we SHOULD see a crash (given that the
payloads in use for kernel/user are both just As and Bs, deliberate at
this point).
Unfortunately the exploit does not result in a crash. Things just keep
on going! I've looked at the difference in the traffic across the two
different exploits (py and rb) and what's clear is that the mixin is
doing a lot more work at the start.
Also, the mixin generates packets of smaller size in the way that it
encodes data (i.e. it doesn't always use 2 bytes for a short value, it'll
use 1 instead if only 1 is required).
Pretty sure that the size issues aren't the problem, I think there's
something else in play. I'm at the point where diving into the RDP stuff
even more isn't inspiring so I'm hoping that opening this up to collab
will help us move forward.
2019-09-19 06:05:08 -05:00
Brent Cook
b9cb6d8820
Allow specifying TLS version via 'SSLVersion' opt
2019-09-19 06:03:17 -05:00
William Vu
9e235edd88
chmod +x so it loads as an external module
2019-09-19 06:02:22 -05:00
Tod Beardsley
5ae1c8ef49
Payload shellcode for Bluekeep from zerosum
...
Not sure where these should go, adjust to taste.
2019-09-19 06:02:22 -05:00