adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions 9 Packages Projects Releases Wiki Activity
71,113 Commits 27 Branches 1,043 Tags
67770d56846d8edd7d44374525a5c054d368b8ff
Commit Graph

1627 Commits

Author SHA1 Message Date
bwatters b15d595de2 Adjust files to be better shared 2023-07-14 12:47:04 -05:00
Ashley Donaldson 6772740f86 Fix bug in HostingCLR relating to the first argument passed to a dotnet assembly. 2023-06-28 09:24:33 +10:00
Ashley Donaldson afe359281c Remove manual signature handling, and figure it out for the user. 2023-06-28 09:22:01 +10:00
Ashley Donaldson 65a4dd3c39 Change ETW bypass method, so that CLR memory can be freed. 
Fixed a crash and broken logic in hosting clr code.
 2023-06-26 09:54:00 +10:00
Ashley Donaldson 977f8732c6 Fix cleanup code. 
The _AppDomainPtr, _AssemblyPtr and _MethodInfoPtr variables are COM smart pointers which will auto-Release() when they go out of scope, so we should not directly Release() them.
 2023-06-23 14:01:45 +10:00
Ashley Donaldson a7ce4c7fa8 Free memory from the C++ side, rather than the Ruby side. 2023-06-23 09:57:53 +10:00
Ashley Donaldson 6e438d338e Modify execute_dotnet_assembly to run in existing processes (including our own process) and receive output. 2023-06-21 12:04:09 +10:00
Grant Willcox ae4e616c3b Update Navigating-And-Undstanding-Metasploits-Codebase to add new code navigation tools and debugging tools 
Move debugging info into same file and make markdown match standards

Add more info on Pry debugging using Alan David Foster's explaination

Fix up broken URL links and format new URL links correctly

Fix up formatting and add information on Debug.gem supported commands
 2023-06-09 09:17:46 -05:00
Grant Willcox e5c636f931 Move folder descriptions into README.md files 2023-05-03 14:06:13 -05:00
Christophe De La Fuente 6d4ee0c071 Add exploit for CVE-2023-21768 2023-03-27 20:08:22 +02:00
cgranleese-r7 80dbbca020 Land #17371, Lenovo Diagnostics Driver Privilege Escalation (CVE-2022-3699) 2023-02-03 13:43:04 +00:00
jheysel-r7 595f34fc6f Merge branch 'master' into mac_dirty_cow 2023-02-01 16:51:09 -05:00
h00die 2c72cc145a updates to module 2023-01-31 20:05:33 -05:00
Jack Heysel 022760d24a Land #17300, linux LPE cve-2022-22942 module 
This PR adds a linux priv esc against VMWare virtual machines
 with kernel 4.14-rc1 - 5.17-rc1 due to a VMWare driver bug.
 2023-01-31 14:07:55 -05:00
Grant Willcox dcda0c2ebc Fix up text so we capitalize all words of Metasploit Framework 2023-01-20 17:05:20 -06:00
Jack Heysel 0e0f62c002 Removed 22621 2023-01-19 14:47:20 -05:00
Jack Heysel d7215b84b4 Added offsets for W11 22H2 2023-01-19 09:30:28 -05:00
Jack Heysel 63d9445911 Fix for Win Server 2022 and 2019 2023-01-19 00:52:38 -05:00
Jack Heysel 2c2bfec4a0 Tested on Windows Build 19044, 19045 and 22000 2023-01-18 01:41:30 -05:00
bwatters 158c557d58 Update LICENSE file and location of source file 2023-01-17 17:28:22 -05:00
Jack Heysel 145589f7a2 Add GetPteBaseW10 2023-01-12 01:15:23 -05:00
timwr ce260f53f3 Add CVE-2022-46689 macOS dirty cow 2022-12-28 22:46:08 +07:00
Jack Heysel 87614cf2b3 Fixed spacing updated check method 2022-12-15 14:15:06 -05:00
Jack Heysel f015d1425a Added update to common.h 2022-12-14 20:39:31 -05:00
Christophe De La Fuente d6a5590c06 Land #17265, Add Exploit for CVE-2020-25736 2022-12-13 18:49:56 +01:00
Jack Heysel 2fa7e7b2d5 Lenovo Diagnostics Driver Privilege Escaltion (CVE-2022-3699) 2022-12-12 21:53:53 -05:00
space-r7 cf9e54909c use 2021 helper name in objective-c code too 2022-12-12 15:55:36 -06:00
h00die b866917ee1 review 2022-11-22 16:57:01 -05:00
space-r7 d8f2b50b07 add compiled exploit and source 2022-11-17 17:16:08 -06:00
space-r7 a9c3c61aa3 Land #17050, make osx payload fileless 2022-10-20 14:13:32 -05:00
usiegl00 bceaf5cd70 Back from the dyld: clean up mmap. 
The mmap permissions prior to mprotect during the region mapping should
be write only. I also added a few more comments detailing the usage of
structs in dyld4.
 2022-10-07 09:57:53 +09:00
usiegl00 8aa01bfbcd Back from the dyld: fix addr_main assignment. 
When using the legacy technique, addr_main was being redifined. This
caused the access to addr_main outside the if statement to segfault.
 2022-09-30 06:46:45 +09:00
usiegl00 ce75cb2afc Back from the dyld: clean up source code. 
This fixes a floating `\t` in a struct definition. This also adds more
clarity to a set of dprintf statements regarding the region. This fixes
the indentation for a comment as well.
 2022-09-29 07:58:23 +09:00
usiegl00 64231dad67 Back from the dyld: vm_allocate to fix corruption. 
This fixes the corruption incidentally resolved by assigning to an
unused variable by properly allocating memory for structs before
assigning to them. This will resolve the segfault on return issue, as
the saved return address is no longer clobbered.
 2022-09-28 20:58:48 +09:00
bwatters e27dbd2787 Land #16794,Add exploit for CVE-2022-34918 
Merge branch 'land-16794' into upstream-master
 2022-09-27 16:37:52 -05:00
usiegl00 2833f504d4 Back from the dyld: a fileless loader. (Again.) 
By replicating the functionality of APIs::dlopen_from, we can bypass the
temporary file created when calling NSCreateObjectFileImageFromMemory on
macOS 12 and above. Constructing a custom JustInTimeLoader and running
through all the dyld calls required to fix it up manually results in
fileless MachO execution.
 2022-09-22 17:50:04 +09:00
Grant Willcox 2966ec3504 Add in ruby/debug to Gemfile and also provide example of how to create a launch.json file to use it with vscode-rdbg 2022-09-01 13:35:08 -05:00
Spencer McIntyre ff46659dd4 Fix a typo in _msfvenom 
Fixes #16838
 2022-08-25 16:28:04 -05:00
Redouane NIBOUCHA e612f02ecb Add MAX_TRIES option, address the feedback of bwatters-r7 2022-08-11 13:21:14 +02:00
Redouane NIBOUCHA 011f0ac990 Add comment to make it easier to add offsets for more kernels 2022-07-26 22:20:12 +02:00
Redouane NIBOUCHA 78dae84871 Updates to the C source code (execl instead of execve, removal of some old comments) 2022-07-25 22:18:47 +02:00
Redouane NIBOUCHA 37f1fdd47b Add module docs, add Ubuntu 22.04 offsets, update check method 2022-07-22 03:30:03 +02:00
Redouane NIBOUCHA 73db035e57 Add more offsets to the exploit, clean up the exploit C source, add check method 2022-07-21 01:22:20 +02:00
Redouane NIBOUCHA fe2e413426 Add exploit for CVE-2022-34918 2022-07-20 13:51:22 +02:00
Grant Willcox e2c6c36b2b Land #1642, Add module for cve-2022-0995 2022-04-21 09:12:47 -05:00
bwatters fb4d12a558 Semicolon.... 2022-04-20 17:41:16 -05:00
bwatters 26f9175816 Update c source with argc check and CRASH notes for module 2022-04-20 17:37:48 -05:00
bwatters d9a241defb Fix overzealous source code edit and some version copy/pasta errors 2022-04-20 14:31:32 -05:00
bwatters f32443b477 Update with debug source code and options, cleanup module code per gwillcox-r7 2022-04-14 10:25:55 -05:00
usiegl00 b9052be102 Use libdyld locator to fix osx stager on monterey 
We locate the dyld_shared_cache in memory to find and resolve the
functions we need in libdyld.dylib. We retain the original dyld location
method on osx versions before Sierra.

Explicitly set length for osx x64 initial stage

The rdx register, used for passing the payload length, is being
clobbered by a system call in the new MacOS version. Instead of relying
on the register being untouched, we set it equal to the payload length.
 2022-04-12 11:27:23 +09:00