Commit Graph

1395 Commits

Author SHA1 Message Date
bwatters 8e1391f098 Land #15216, Fix targeting for CVE-2021-21551
Merge branch 'land-15216' into upstream-master
2021-05-21 14:56:08 -05:00
bwatters 72375d1f67 Land #15024, Add RCE Exploit For CVE-2020-0796 (SMBGhost)
Merge branch 'land-15024' into upstream-master
2021-05-20 17:02:04 -05:00
Spencer McIntyre 5e13fdb7dc Couple of minor cleanups for the assembly stub 2021-05-20 17:20:57 -04:00
Spencer McIntyre 78d47b11f2 Add targeting for Windows 10 v21H1 2021-05-18 12:56:02 -04:00
Spencer McIntyre c5b022e2f2 Fix Windows 10 versioning by using ranges 2021-05-18 10:28:27 -04:00
Spencer McIntyre d990e884af Add and test even more targets 2021-05-13 17:27:58 -04:00
Spencer McIntyre eb89550f85 Clear up some target offset discrepancies 2021-05-13 16:06:15 -04:00
Spencer McIntyre 7d841a0f79 Add a target for Windows 7 x64 2021-05-13 14:24:15 -04:00
Spencer McIntyre 4825407d21 Add a target for Windows 8.1 x64 2021-05-13 12:56:47 -04:00
Spencer McIntyre 8a1341060d Fix a couple of errors from not cleaning up 2021-05-13 12:34:14 -04:00
Spencer McIntyre ff2516a7f2 Update CVE-2021-1732 to reduce code reuse 2021-05-12 16:41:43 -04:00
Spencer McIntyre 477749f77f Refactor the code to be reusable and add docs 2021-05-12 16:36:17 -04:00
Spencer McIntyre d3de52da59 The exploit is now functional for Win10 v1803-20H2 2021-05-12 16:14:59 -04:00
Spencer McIntyre 5b39cead93 Add the UpgradeToken functionality 2021-05-12 14:53:41 -04:00
Spencer McIntyre 7f0a1d1707 Initial commit of CVE-2021-21551
This is still a work in progress but the initial requirements are
falling into place.
2021-05-12 12:28:20 -04:00
Spencer McIntyre a9d3120aa9 Combine the shellcode move operations 2021-04-13 16:46:26 -04:00
Spencer McIntyre ec962cf2be Adjust the hal heap base address calculation 2021-04-13 13:11:24 -04:00
Spencer McIntyre 0e117cc83a Update the LPE exploit paths in Visual Studio 2021-04-09 14:15:11 -04:00
Spencer McIntyre d8bed16d4d Refactor constants into a proper target hash 2021-04-09 14:15:11 -04:00
Spencer McIntyre c4055f348c Restructure and refactor the kernel mode shellcode 2021-04-09 14:15:11 -04:00
Spencer McIntyre f3df076067 Only upgrade the token if EProcess was found 2021-03-16 15:20:44 -04:00
Spencer McIntyre c11900b9ab Add support for Windows 2004 & 20H2 2021-03-15 17:28:38 -04:00
Spencer McIntyre f0a9a1deb3 Add the initial exploit for CVE-2021-1732 2021-03-12 17:30:22 -05:00
Grant Willcox adbb6f164f Add source code for generating emp.ser 2021-03-03 10:14:48 -06:00
Christophe De La Fuente ab9dd177b7 Add kernel file version check to avoid BSOD on Win10 x86 2021-02-15 21:10:10 +01:00
Christophe De La Fuente eaa550fa97 Changes compiler subsystem to window 2021-02-02 17:57:52 +01:00
Christophe De La Fuente 4b3379a821 Remove CRT library from the Template 2021-01-28 19:59:46 +01:00
Christophe De La Fuente 8af5ee8a32 Add Process Herpaderping evasion module and binaries 2021-01-22 18:33:10 +01:00
Spencer McIntyre 33bd712e0a Land #14585, Create module for CVE-2020-17136: Cloud Filter Arbitrary File Creation EoP 2021-01-11 17:16:40 -05:00
Grant Willcox 3072391d00 Make second round of review edits to fix Spencer's comments 2021-01-08 12:50:52 -06:00
Christophe De La Fuente 17c393f101 Land #14046, Adding juicypotato-like privilege escalation exploit for windows 2021-01-06 16:02:05 +01:00
Grant Willcox b916789041 Add in source for the compiled exploit 2021-01-04 12:17:52 -06:00
Tim W 7af996ae4c add offsets 2020-12-14 14:54:54 +00:00
Tim 69a26bfb6c fix external/source/exploits/CVE-2020-1054/dllmain.cpp placeholder
Co-authored-by: cdelafuente-r7 <56716719+cdelafuente-r7@users.noreply.github.com>
2020-12-14 14:54:54 +00:00
Tim W a30cdfc892 Fix #14254, Add CVE-2020-1054, win32k DrawIconEx OOB Write LPE 2020-12-14 14:54:54 +00:00
C4ssandre 4bfd9e4b2a Fixing a little error. 2020-12-10 05:15:37 -05:00
C4ssandre 4883050f7f Adding new options to module. Now it is possible to choose which process to launch as SYSTEM, as well as the port the exploit will listen on (because on some Windows configurations, WinRM should listen on port 47001). 2020-12-10 03:53:06 -05:00
C4ssandre 61f76b77b9 Removing useless token verification batch of code. 2020-12-08 13:43:32 -05:00
C4ssandre d997b07ded Fixing inconsistency in flags for spnego token processes. 2020-12-08 13:35:40 -05:00
C4ssandre bda377cb7e Passing "notepad.exe" to const. 2020-12-08 13:19:56 -05:00
C4ssandre 43b49672d3 Removing old commented code. 2020-12-08 13:16:10 -05:00
C4ssandre b903595443 Improving function in charge of isolating B64 negotiate token from NTLM1 request. 2020-12-08 13:14:45 -05:00
C4ssandre 58997efe9d Complete change of IsTokenSystem function. Now the function uses the Windows built-in API to check if the token is SYSTEM instead of checking the username wstring. I did that because I noticed that in foreign languages, the SYSTEM account can be called differently, such as "système" in French. Moreover, the original function was buggy and the exploit only succeeded because the tested account was called "système", and the function checked that the account is different from "SYSTEM". 2020-12-08 10:39:45 -05:00
C4ssandre b39eb0658a Reorganizing code in order to free allocated memory space. 2020-12-08 00:11:49 -05:00
C4ssandre 6821e52095 Adding a calloc check. 2020-12-07 23:45:12 -05:00
C4ssandre 669e668b65 Fixing potential buffer overflow. 2020-12-07 23:42:04 -05:00
C4ssandre c7d9d02490 Initializing service at zero. 2020-12-07 23:26:36 -05:00
C4ssandre e58c14add7 Removing old and weird commented code. 2020-12-07 23:25:59 -05:00
C4ssandre 60638160a7 Replacing all manual zero initializations by one ZeroMemory at start of constructor. 2020-12-07 23:24:54 -05:00
C4ssandre 6bdbdd7f62 Removing a useless call to WTSGetActiveConsoleSessionId 2020-12-07 21:39:07 -05:00