81f9fc7608
Refactor arbitrary payload support
2020-02-05 17:01:54 -06:00
dae06ab0c9
Reword comments in morris_sendmail_debug
...
Not sure why I used singular, but it was probably reading too much RFC.
2020-02-05 14:23:29 -06:00
a154efa250
Land #12887 , add dlink ssdpcgi cmd inject
2020-02-05 13:19:05 -06:00
9db6b5184b
Land #12894 , Add Windscribe WindscribeService Named Pipe Privilege Escalation
...
Merge branch 'land-12894' into upstream-master
2020-02-05 12:37:34 -06:00
ddec8a58a1
disables payload padding and describes shell code
2020-02-05 18:09:39 +00:00
de25920f30
The written word "through" is modified
2020-02-05 11:53:51 -03:00
25c23073c8
Modify disclosure URL, remove printf...
...
... as stager flavor and silence msftidy error.
2020-02-04 15:20:57 -03:00
5f7004cf7c
Remove 'HttpClient', 'Payload' and 'RHOST'; ...
...
... replace 'Targets' for a new option, and format 'header', as suggested in the review.
2020-02-04 14:04:23 -03:00
22a75c7bee
Revert "Fix style"
...
This reverts commit 9f81aeb4ad
2020-02-04 10:10:46 -06:00
d76546f8ee
clarifies inserted shell code's function
2020-02-04 15:14:36 +00:00
671f2e9616
msfTidy: set disclosure date to proper format
2020-02-04 11:55:39 +00:00
37065f5ffe
PR Changes: More Cleanup
2020-02-04 10:59:02 +00:00
4fd865f3a9
PR Changes: Comments, fail_with, and cleanup
2020-02-04 10:57:41 +00:00
303bddbb37
add cleanup code and modified options
2020-02-03 16:24:48 -06:00
7175126319
Update title for smb_doublepulsar_rce
2020-02-03 11:19:20 -06:00
fa6573f8e7
Note arch in supported target
2020-02-03 11:16:16 -06:00
a3717e13f6
Unf*ck PAYLOAD being set for neutralization
2020-02-03 11:16:16 -06:00
e12d993027
Move SMB DOPU module to match new naming scheme
2020-02-03 11:16:16 -06:00
f49ee7c60e
Prefer exploit.rb's rand_text wrapper
2020-02-03 11:16:16 -06:00
d64eb10b17
Update credit
2020-02-03 11:16:16 -06:00
548529e1d4
Clean up parsing
2020-02-03 11:16:16 -06:00
9e690414a1
Update ping response parsing with new information
...
Found the struct that corresponds to the ping response!
2020-02-03 11:16:16 -06:00
6241555531
Fix service pack
2020-02-03 11:16:16 -06:00
2ce49456a7
Fix arch detection and add product type
...
Thanks to @tsellers-r7 for testing XP and producing output to compare
against. Without a 32-bit test, the architecture guess was incorrect.
Additionally, product type had yet to be determined. The trailing bytes
were indeed significant! Thanks, Tom!
2020-02-03 11:16:16 -06:00
992a386ece
Use build_data_tpdu and note channelJoinConfirm
2020-02-03 11:16:16 -06:00
4d21b0e88e
Update prints in check for visibility
...
vprint_good should be print_warning, and most vprints should be print,
even if in check, since check is critical functionality.
2020-02-03 11:16:16 -06:00
7ba7221a8f
Parse ping response into version, build, and arch
2020-02-03 11:16:16 -06:00
db1a201885
Add RDP DOUBLEPULSAR RCE module
2020-02-03 11:16:16 -06:00
2ce3cb9e86
updated description
2020-02-03 17:09:56 +00:00
1ef34283eb
obtain session unreliably
2020-02-03 11:07:36 -06:00
6b229177f1
Add crosschex buffer overflow exploit
2020-02-03 17:02:04 +00:00
6f453a0f83
Module rewrite to include Cron exploitation
2020-02-02 17:29:39 -08:00
e2d0d8f011
Cleanup module and permit alternate payload scheme
...
The original Qualys exploit uses an inline-shell for loop to read
and thereby consume lines from the input stream preceeding the
intended script for execution in the body section. Payloads which
do not contain bad characters (encoded or coincidentally simple)
can be placed directly into the FROM field and executed in place
of the original for loop filter.
2020-02-01 15:04:22 -05:00
34621c0adc
Add Windscribe WindscribeService Named Pipe Privilege Escalation
2020-02-01 00:41:07 +00:00
8d4637a42b
can now add printers
2020-01-31 15:07:56 -06:00
312a3466ee
Update 2020-7247 to execute from body
...
Using method from
https://www.openwall.com/lists/oss-security/2020/01/28/3
Attempted several other line readers via awk, while, for. Tried
without pipes or `>` in the strings. It appears other characters
are also illegal (conditional brackets likely culprits).
Initial testing on wide-open-configured opensmtpd on OpenBSD 6.6
libvirt Vagrant image produces shells, python meterpreter sessions,
and executes generic commands.
2020-01-31 04:32:03 -05:00
b05fe7453f
add improved check method
2020-01-30 11:40:24 -06:00
394e99fbe9
Land #12568 , Fix exploit/windows/local/ms16_032_secondary_logon_handle_privesc
2020-01-30 11:57:56 +01:00
9da4555509
Move clean-up code to cleanup method ( #2 )
...
Move clean-up code to cleanup method
2020-01-29 17:11:07 +01:00
81b8d5b58a
Add OpenSMTPD MAIL FROM RCE
2020-01-29 05:10:43 -06:00
8e0e21d337
Exploit for CVE-2019-20215
...
Staged, uses meterpreter
2020-01-28 16:15:24 -03:00
d4bd195a3d
Land #12871 , fix osx/local/persistence removal commands and payload options
2020-01-28 17:39:02 +08:00
0b0d4c8633
add x64 option to osx/local/persistence and update removal commands
2020-01-28 17:18:23 +08:00
3491da7da0
Add a random sentinel to close channel when terminates ( #1 )
...
* Add a random sentinel to close channel when terminates
* Replace spaces with tabs to be consistent
* Remove unnecessary escaped quotes and use include? instead of regex
2020-01-25 23:30:49 +01:00
2414fda288
add initial check/metadata
2020-01-24 16:14:51 -06:00
0d8d17c63d
Land #12736 , Add support for PPID spoofing
2020-01-24 08:49:51 -06:00
cfffb65a21
Land #12859 , update AF_PACKET chocobo_root linux LPE
2020-01-24 17:30:13 +08:00
355ddba6c9
Prefer exploit.rb's rand_text wrapper
2020-01-22 16:37:36 -06:00
6f6cc00871
Land #12751 , add Linux RDS socket NP deref privesc
2020-01-22 07:08:47 -06:00
06843d0ea5
update removal commands for osx/local/persistence
...
fixes #12870
2020-01-21 16:53:11 +01:00
William Vu