Commit Graph

1534 Commits

Author SHA1 Message Date
Spencer McIntyre 477749f77f Refactor the code to be reusable and add docs 2021-05-12 16:36:17 -04:00
Spencer McIntyre d3de52da59 The exploit is now functional for Win10 v1803-20H2 2021-05-12 16:14:59 -04:00
Spencer McIntyre 5b39cead93 Add the UpgradeToken functionality 2021-05-12 14:53:41 -04:00
Spencer McIntyre 7f0a1d1707 Initial commit of CVE-2021-21551
This is still a work in progress but the initial requirements are
falling into place.
2021-05-12 12:28:20 -04:00
Spencer McIntyre a9d3120aa9 Combine the shellcode move operations 2021-04-13 16:46:26 -04:00
Spencer McIntyre ec962cf2be Adjust the hal heap base address calculation 2021-04-13 13:11:24 -04:00
Spencer McIntyre 0e117cc83a Update the LPE exploit paths in Visual Studio 2021-04-09 14:15:11 -04:00
Spencer McIntyre d8bed16d4d Refactor constants into a proper target hash 2021-04-09 14:15:11 -04:00
Spencer McIntyre c4055f348c Restructure and refactor the kernel mode shellcode 2021-04-09 14:15:11 -04:00
Spencer McIntyre f3df076067 Only upgrade the token if EProcess was found 2021-03-16 15:20:44 -04:00
Spencer McIntyre c11900b9ab Add support for Windows 2004 & 20H2 2021-03-15 17:28:38 -04:00
Spencer McIntyre f0a9a1deb3 Add the initial exploit for CVE-2021-1732 2021-03-12 17:30:22 -05:00
Grant Willcox adbb6f164f Add source code for generating emp.ser 2021-03-03 10:14:48 -06:00
Christophe De La Fuente ab9dd177b7 Add kernel file version check to avoid BSOD on Win10 x86 2021-02-15 21:10:10 +01:00
Christophe De La Fuente eaa550fa97 Changes compiler subsystem to windows 2021-02-02 17:57:52 +01:00
Christophe De La Fuente 4b3379a821 Remove CRT library from the Template 2021-01-28 19:59:46 +01:00
Christophe De La Fuente 8af5ee8a32 Add Process Herpaderping evasion module and binaries 2021-01-22 18:33:10 +01:00
Spencer McIntyre 33bd712e0a Land #14585, Create module for CVE-2020-17136: Cloud Filter Arbitrary File Creation EoP 2021-01-11 17:16:40 -05:00
Grant Willcox 3072391d00 Make second round of review edits to fix Spencer's comments 2021-01-08 12:50:52 -06:00
Christophe De La Fuente 17c393f101 Land #14046, Adding juicypotato-like privilege escalation exploit for windows 2021-01-06 16:02:05 +01:00
Grant Willcox b916789041 Add in source for the compiled exploit 2021-01-04 12:17:52 -06:00
Tim W 7af996ae4c add offsets 2020-12-14 14:54:54 +00:00
Tim 69a26bfb6c fix external/source/exploits/CVE-2020-1054/dllmain.cpp placeholder
Co-authored-by: cdelafuente-r7 <56716719+cdelafuente-r7@users.noreply.github.com>
2020-12-14 14:54:54 +00:00
Tim W a30cdfc892 Fix #14254, Add CVE-2020-1054, win32k DrawIconEx OOB Write LPE 2020-12-14 14:54:54 +00:00
C4ssandre 4bfd9e4b2a Fixing a little error. 2020-12-10 05:15:37 -05:00
C4ssandre 4883050f7f Adding new options to module. Now it is possible to choose which process to launch as SYSTEM, as well as the port the exploit will listen on (because on some Windows configurations, WinRM should listen on port 47001). 2020-12-10 03:53:06 -05:00
C4ssandre 61f76b77b9 Removing useless token verification batch of code. 2020-12-08 13:43:32 -05:00
C4ssandre d997b07ded Fixing inconsistency in flags for spnego token processes. 2020-12-08 13:35:40 -05:00
C4ssandre bda377cb7e Passing "notepad.exe" to const. 2020-12-08 13:19:56 -05:00
C4ssandre 43b49672d3 Removing old commented code. 2020-12-08 13:16:10 -05:00
C4ssandre b903595443 Improving function in charge of isolating B64 negotiate token from NTLM1 request. 2020-12-08 13:14:45 -05:00
C4ssandre 58997efe9d Complete change of IsTokenSystem function. Now the function uses the Windows built-in API to check if the token is SYSTEM instead of checking the username wstring. I did that because I noticed that in foreign languages, the SYSTEM account can be called differently, such as "système" in French. Moreover, the original function was buggy and the exploit only succeeded because the tested account was called "système", and the function checked that the account is different from "SYSTEM". 2020-12-08 10:39:45 -05:00
C4ssandre b39eb0658a Reorganizing code in order to free allocated memory space. 2020-12-08 00:11:49 -05:00
C4ssandre 6821e52095 Adding a calloc check. 2020-12-07 23:45:12 -05:00
C4ssandre 669e668b65 Fixing potential buffer overflow. 2020-12-07 23:42:04 -05:00
C4ssandre c7d9d02490 Initializing service at zero. 2020-12-07 23:26:36 -05:00
C4ssandre e58c14add7 Removing old and weird commented code. 2020-12-07 23:25:59 -05:00
C4ssandre 60638160a7 Replacing all manual zero initializations by one ZeroMemory at start of constructor. 2020-12-07 23:24:54 -05:00
C4ssandre 6bdbdd7f62 Removing a useless call to WTSGetActiveConsoleSessionId 2020-12-07 21:39:07 -05:00
C4ssandre ff8981c4ee Various little corrections. 2020-12-07 21:38:55 -05:00
C4ssandre 8a3790f265 Adding process information to hide notepad.exe when launching. 2020-12-07 21:38:30 -05:00
C4ssandre 46f59a76f0 Removing powershell payload serving method, and replacing it by just writing and executing in remote SYSTEM process. 2020-12-07 21:37:35 -05:00
C4ssandre b935842cc5 Updating an outdated comment. 2020-12-07 21:37:24 -05:00
C4ssandre d05bffdab3 Adding more detailed debug messages. 2020-12-07 21:36:34 -05:00
C4ssandre c7f832526d Fixing unfreed allocated memory space. 2020-11-30 14:54:19 +00:00
C4ssandre 381d371e8e Adding a check after memory allocation for localNegotiator object. 2020-11-30 14:47:20 +00:00
C4ssandre 08a744c1a6 Fixing a bad return code (ERROR_HEAP_ALLOC_FAILURE -> ERROR_NOT_ENOUGH_PRIVILEGES). 2020-11-30 14:44:20 +00:00
C4ssandre 0ce9d585cb Adding a line of dprintf for debugging. 2020-11-30 14:42:22 +00:00
C4ssandre 9d298c4059 Change code line for improving readability. 2020-11-30 14:39:10 +00:00
Spencer McIntyre 0ccb50ac02 Adjust how HostingCLR arguments are packed 2020-11-09 12:24:55 -05:00