adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
54,859 Commits 27 Branches 1,043 Tags
703dc797101fa4a2fed65e87cccbe13e9dbf2c57
Commit Graph

6335 Commits

Author SHA1 Message Date
bwatters-r7 7f3c0c9314 Land #12906, Add module for CVE-2019-19363 
Merge branch 'land-12906' into upstream-master
 2020-02-06 15:22:17 -06:00
Shelby Pace 9a8d9c6c88 check arch 2020-02-06 14:11:42 -06:00
Shelby Pace e736588795 change method of exploitation for reliability 
This commit changes a few things:
  1. The module first writes the dll to a
     temp location.
  2. The module writes a batch file to a
     temp location.
  3. The batch file copies the dll until
     the copy command fails (presumably
     because the dll is now in use by
     PrintIsolationHost.exe).
  4. The dropped files are deleted.
  5. Docs updated to reflect changes.
 2020-02-06 12:51:36 -06:00
bwatters-r7 9db6b5184b Land #12894, Add Windscribe WindscribeService Named Pipe Privilege Escalation 
Merge branch 'land-12894' into upstream-master
 2020-02-05 12:37:34 -06:00
William Vu 22a75c7bee Revert "Fix style" 
This reverts commit 9f81aeb4ad.
 2020-02-04 10:10:46 -06:00
Shelby Pace 303bddbb37 add cleanup code and modified options 2020-02-03 16:24:48 -06:00
William Vu 7175126319 Update title for smb_doublepulsar_rce 2020-02-03 11:19:20 -06:00
William Vu fa6573f8e7 Note arch in supported target 2020-02-03 11:16:16 -06:00
William Vu a3717e13f6 Unf*ck PAYLOAD being set for neutralization 2020-02-03 11:16:16 -06:00
William Vu e12d993027 Move SMB DOPU module to match new naming scheme 2020-02-03 11:16:16 -06:00
William Vu f49ee7c60e Prefer exploit.rb's rand_text wrapper 2020-02-03 11:16:16 -06:00
William Vu d64eb10b17 Update credit 2020-02-03 11:16:16 -06:00
William Vu 548529e1d4 Clean up parsing 2020-02-03 11:16:16 -06:00
William Vu 9e690414a1 Update ping response parsing with new information 
Found the struct that corresponds to the ping response!
 2020-02-03 11:16:16 -06:00
William Vu 6241555531 Fix service pack 2020-02-03 11:16:16 -06:00
William Vu 2ce49456a7 Fix arch detection and add product type 
Thanks to @tsellers-r7 for testing XP and producing output to compare
against. Without a 32-bit test, the architecture guess was incorrect.
Additionally, product type had yet to be determined. The trailing bytes
were indeed significant! Thanks, Tom!
 2020-02-03 11:16:16 -06:00
William Vu 992a386ece Use build_data_tpdu and note channelJoinConfirm 2020-02-03 11:16:16 -06:00
William Vu 4d21b0e88e Update prints in check for visibility 
vprint_good should be print_warning, and most vprints should be print,
even if in check, since check is critical functionality.
 2020-02-03 11:16:16 -06:00
William Vu 7ba7221a8f Parse ping response into version, build, and arch 2020-02-03 11:16:16 -06:00
William Vu db1a201885 Add RDP DOUBLEPULSAR RCE module 2020-02-03 11:16:16 -06:00
Shelby Pace 1ef34283eb obtain session unreliably 2020-02-03 11:07:36 -06:00
Brendan Coles 34621c0adc Add Windscribe WindscribeService Named Pipe Privilege Escalation 2020-02-01 00:41:07 +00:00
Shelby Pace 8d4637a42b can now add printers 2020-01-31 15:07:56 -06:00
Shelby Pace b05fe7453f add improved check method 2020-01-30 11:40:24 -06:00
Christophe De La Fuente 394e99fbe9 Land #12568, Fix exploit/windows/local/ms16_032_secondary_logon_handle_privesc 2020-01-30 11:57:56 +01:00
cdelafuente-r7 9da4555509 Move clean-up code to cleanup method (#2) 
Move clean-up code to cleanup method
 2020-01-29 17:11:07 +01:00
cdelafuente-r7 3491da7da0 Add a random sentinel to close channel when terminates (#1) 
* Add a random sentinel to close channel when terminates

* Replace spaces with tabs to be consistent

* Remove unnecessary escaped quotes and use include? instead of regex
 2020-01-25 23:30:49 +01:00
Shelby Pace 2414fda288 add initial check/metadata 2020-01-24 16:14:51 -06:00
bwatters-r7 0d8d17c63d Land #12736, Add support for PPID spoofing 2020-01-24 08:49:51 -06:00
William Vu 355ddba6c9 Prefer exploit.rb's rand_text wrapper 2020-01-22 16:37:36 -06:00
bwatters-r7 ee5e9dc922 Land #12832, DisablePayloadHandler replace strings with bools 
Merge branch 'land-12832' into upstream-master
 2020-01-16 12:10:34 -06:00
Spencer McIntyre 033a0d1868 Land #12782, add the Plantronics LPE module 2020-01-15 11:17:41 -05:00
Dave York 7b14442ab0 replace strings with bools 2020-01-14 20:47:27 -05:00
Brent Cook 20cf419e18 Land #12797, improve BlueKeep over remote networks 2020-01-12 17:15:29 -06:00
Brent Cook 33dadefd53 move rdp_move_mouse to rdp library, add GROOMDELAY 2020-01-12 08:19:44 -06:00
zerosum0x0 b76f2a9e08 inject mouse move events, verbose groom progress/elapsed time, danger zone warnings 2020-01-06 23:42:01 -07:00
Leo Le Bouter 756879d3d6 Fix msftidy 2020-01-06 18:14:58 +01:00
leo-lb f1ae217bb0 Single-core machines are safe from this exploit. 2020-01-06 05:21:51 +01:00
Brendan Coles 326fd26219 Check for nil response due to connection failure 2020-01-05 21:39:34 +00:00
Brendan Coles c8fb76182c Use PROGRAMDATA environment variable 2020-01-03 20:32:01 +00:00
Brendan Coles b3e9d9aee9 Add Plantronics Hub SpokesUpdateService Privilege Escalation 2020-01-03 20:13:27 +00:00
Brent Cook ce991071e4 Land #12524, update most python code with python 3 compatibility 2019-12-23 14:49:08 -06:00
Shelby Pace 894927d960 Land #12693, add Comahawk privilege escalation 2019-12-18 15:40:51 -06:00
bwatters-r7 b36c191fc7 With feeling... 2019-12-18 14:33:13 -06:00
bwatters-r7 f9fbe96145 more bcoles suggestions 2019-12-18 14:25:43 -06:00
Francesco Soncina 671f80896a Update payload_inject.rb 2019-12-18 16:06:26 +01:00
Francesco Soncina 664b196388 Update payload_inject.rb 2019-12-17 01:35:24 +01:00
Francesco Soncina 64c1f557c6 add support for PPID spoofing to payload_inject 2019-12-17 01:19:45 +01:00
Brent Cook fde942bc37 Land #12517, replace CheckScanner mixin with CheckModule, which works with anything 2019-12-16 17:40:10 -06:00
bwatters-r7 66dcbc5d99 Stupid typo... 2019-12-16 12:54:48 -06:00