c8819259ae
Land #14414 , CVE-2020-1337 - patch bypass for CVE-2020-1048
2021-01-15 19:13:14 +01:00
33bd712e0a
Land #14585 , Create module for CVE-2020-17136: Cloud Filter Arbitrary File Creation EoP
2021-01-11 17:16:40 -05:00
50e115b414
Cleanup and edits per review from Christophe
...
Removed unused method from ps script
Cleaned up some code in the module
Added removal instructions to the documentation
2021-01-11 16:02:58 -06:00
3072391d00
Make second round of review edits to fix Spencer's comments
2021-01-08 12:50:52 -06:00
5e5d7b1abb
Update to execute_string to avoid the issue where an arbitrary
...
length comment is required for the exploit to work.
2021-01-06 17:08:22 -06:00
17c393f101
Land #14046 , Adding juicypotato-like privilege escalation exploit for windows
2021-01-06 16:02:05 +01:00
bf7627b33e
Adding DLL's
2021-01-06 15:59:08 +01:00
839daf93e9
Update the compiled DLL and redo a lot of the module to get it into its first ready state using a different DLL hijack I found during research
2021-01-05 16:12:08 -06:00
668eeae4e1
Initial push of code
2021-01-04 12:04:38 -06:00
7f4fac4548
Fix powershell issues and add comment because it is apparently magic
2020-12-16 13:57:02 -06:00
33ef352f89
Add dll
...
Compiled with Visual Studio Express 2013 with Platform Toolset v120
2020-12-15 12:42:06 +01:00
810898e97b
Rough attempt at CVE-2020-1337
...
Non-functional
2020-11-20 17:36:19 -06:00
9e111d7fdf
Add in compiled version of the exploit to meet Rapid7 compliance guidelines on having Rapid7 employees submit compiled binaries only
2020-10-23 16:01:00 -05:00
c5751a240b
Fix incorrect offset in BPF sign extension LPE
...
The uid field of the cred struct is normally the second field, followed
by the gid field. The first field is of type atomic_t, which has the
size of an int. Since the size of an int is usually 4 bytes, the uid is
normally located at an offset of 4 bytes from the start of the cred
struct, and not 8. Since the uid also is int-sized, the code set
test_uid to the gid, making the exploit fail for cases where uid != gid.
2020-10-17 19:46:35 -04:00
b932ed5225
Recompile the exploit.dll DLL for CVE-2019-1458 as per Rapid7 policies
2020-10-15 10:58:56 -05:00
12c5f4f916
CVE-2019-1458 chrome sandbox escape initial commit
2020-10-15 10:57:46 -05:00
e24a81919a
Land #13996 , Add module for CVE-2020-9801, CVE-2020-9850 and CVE-2020-9856,
...
RCE for Safari on macOS 10.15.3 (pwn2own2020)
Merge branch 'land-13996' into upstream-master
2020-10-01 09:46:39 -05:00
f0f4da2b1e
Land #14157 , Windows update orchestrator privesc
2020-09-25 16:07:27 -05:00
2d1b378a18
Land #14122 , Jenkins Deserialization RCE (CVE-2017-1000353)
2020-09-22 12:32:09 +02:00
534e945cd0
First attempt at CVE-2020-1313
2020-09-18 15:39:12 -05:00
06f5518953
Update binaries
2020-09-16 11:41:02 -05:00
a2edcda819
Rubocop on module and update error handling on exploit C code + recompile
2020-09-16 11:17:39 -05:00
95bb6ad71a
Add new binaries
2020-09-16 11:17:39 -05:00
a5253c5674
remove old binaries before we added both x86 and x64 binaries
2020-09-16 11:17:39 -05:00
a72769909b
Change exe to take destination and source files for copy
2020-09-16 11:17:39 -05:00
17272209cc
First try at CVE-2020-1048, needs lots of work
2020-09-16 11:17:38 -05:00
ff500dd9fb
add poc
2020-09-11 12:00:16 -05:00
e592736833
Land #13992 , Add module for CVE-2020-9839, LPE for macOS <= 10.15.4
...
Merge branch 'land-13992' into upstream-master
2020-09-04 15:53:17 -05:00
5e2a3a6f65
Recompiled binary exploit file to match source
2020-09-04 15:46:52 -05:00
1693a3c787
add exploit binaries
2020-09-01 17:14:21 +08:00
9150f0bc3a
move int64.js and utils.js to javascript_utils folder
2020-09-01 16:14:31 +08:00
46db23c35e
fix int64.js and utils.js
2020-09-01 16:14:30 +08:00
c23cb63c6e
exploit binary
2020-09-01 14:10:34 +08:00
85ccac215b
Removing precompiled binaries (dll exploits).
2020-08-28 17:37:34 +02:00
3336040f2d
Adding a new privilege escalation exploit for windows.
...
New files and folders:
- metasploit-framework/modules/exploits/windows/local/bits_ntlm_token_impersonation.rb
- metasploit-framework/data/exploits/drunkpotato/
- metasploit-framework/external/source/exploits/drunkpotato/
2020-08-25 14:27:41 +02:00
cd41d9c3c9
Land #13911 , iphone 4 on ios 7.1.2 safari jit for root
2020-08-14 16:01:14 -04:00
1eaf66dab1
CVE-2020-9850
2020-08-14 16:10:34 +08:00
0b513d6c51
remove debug logging from the kernel exploit
2020-07-30 18:10:26 +08:00
79adcf7904
Add module for iOS 7.1.2
2020-07-27 15:05:31 +08:00
cbbd4fc517
Add CVE-2020-7457 exploit.c
2020-07-26 08:04:37 +00:00
586971428a
Recompile everything so we don't have the messagebox calls
2020-06-11 00:18:45 -05:00
93b28e662e
Change out template_dll solution files so that it generates the DLL with the correct name and in the correct location
2020-06-10 11:41:34 -05:00
7711cecee9
Final tweaks to make this more reliable, should be good now
2020-06-10 11:02:53 -05:00
4a9c878132
Finally fix up the hanging issue via new template DLLs and associated code
2020-06-10 11:02:53 -05:00
cb20eaf6f9
Finally fix the issue with the cleanup of the files within the exploit
2020-06-10 11:02:51 -05:00
401feb3e53
Change code so that we automatically exit Notepad upon DLL completing its work. Should help tidy things up more
2020-06-10 11:02:50 -05:00
cf17b2065c
Updated module with some output corrections, recompiled DLLs
2020-06-10 11:02:50 -05:00
ae2b40bf99
Update the output of the module to be more correct. Also upload updated DLLs
2020-06-10 11:02:49 -05:00
1607b8c342
Add initial files for CVE-2020-0787
2020-06-10 11:02:35 -05:00
c8ab30a40a
add poc code
2020-06-02 14:29:02 -05:00
Christophe De La Fuente