adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
59,500 Commits 27 Branches 1,043 Tags
9beec65ef34c4e90a00a41ee1c8de0f9e6effd2a
Commit Graph

1367 Commits

Author SHA1 Message Date
Spencer McIntyre 33bd712e0a Land #14585, Create module for CVE-2020-17136: Cloud Filter Arbitrary File Creation EoP 2021-01-11 17:16:40 -05:00
Grant Willcox 3072391d00 Make second round of review edits to fix Spencer's comments 2021-01-08 12:50:52 -06:00
Christophe De La Fuente 17c393f101 Land #14046, Adding juicypotato-like privilege escalation exploit for windows 2021-01-06 16:02:05 +01:00
Grant Willcox b916789041 Add in source for the compiled exploit 2021-01-04 12:17:52 -06:00
Tim W 7af996ae4c add offsets 2020-12-14 14:54:54 +00:00
Tim 69a26bfb6c fix external/source/exploits/CVE-2020-1054/dllmain.cpp placeholder 
Co-authored-by: cdelafuente-r7 <56716719+cdelafuente-r7@users.noreply.github.com>
 2020-12-14 14:54:54 +00:00
Tim W a30cdfc892 Fix #14254, Add CVE-2020-1054, win32k DrawIconEx OOB Write LPE 2020-12-14 14:54:54 +00:00
C4ssandre 4bfd9e4b2a Fixing a little error. 2020-12-10 05:15:37 -05:00
C4ssandre 4883050f7f Adding new options to module. Now it is possible to choose which process to launch as SYSTEM, as well as the port the exploit will listen (because on some Windows configuration, WinRM should listen on port 47001). 2020-12-10 03:53:06 -05:00
C4ssandre 61f76b77b9 Removing useless token verification batch of code. 2020-12-08 13:43:32 -05:00
C4ssandre d997b07ded Fixing inconsistency in flags for spnego token processes. 2020-12-08 13:35:40 -05:00
C4ssandre bda377cb7e Passing "notepad.exe" to const. 2020-12-08 13:19:56 -05:00
C4ssandre 43b49672d3 Removing old commented code. 2020-12-08 13:16:10 -05:00
C4ssandre b903595443 Improving function in charge of isolate B64 negotiate token from NTLM1 request. 2020-12-08 13:14:45 -05:00
C4ssandre 58997efe9d Complete change of IsTokenSystem function. Now the function uses windows built in API to check if token is system instead of checking username wstring. I did that because I noticed that in foreign language, SYSTEM account can be called differently such as "système" in french. Moreover, the original function was buggy and the exploit only succeeded because the tested account was called "système", and the function checked that the account is different from "SYSTEM". 2020-12-08 10:39:45 -05:00
C4ssandre b39eb0658a Reorganizing code in order to free allocated memory space. 2020-12-08 00:11:49 -05:00
C4ssandre 6821e52095 Adding a calloc check. 2020-12-07 23:45:12 -05:00
C4ssandre 669e668b65 Fixing potential buffer overflow. 2020-12-07 23:42:04 -05:00
C4ssandre c7d9d02490 Initializing service at zero. 2020-12-07 23:26:36 -05:00
C4ssandre e58c14add7 Removing old and weird commented code. 2020-12-07 23:25:59 -05:00
C4ssandre 60638160a7 Replacing all manual zero initializations by one ZeroMemory at start of constructor. 2020-12-07 23:24:54 -05:00
C4ssandre 6bdbdd7f62 Removing a useless call to WTSGetActiveConsoleSessionId 2020-12-07 21:39:07 -05:00
C4ssandre ff8981c4ee Various little corrections. 2020-12-07 21:38:55 -05:00
C4ssandre 8a3790f265 Adding process informations to hide notepad.exe when launching. 2020-12-07 21:38:30 -05:00
C4ssandre 46f59a76f0 Removing powershell payload serving method, and replacing it by just writing and executing in remote SYSTEM process. 2020-12-07 21:37:35 -05:00
C4ssandre b935842cc5 Updating an outdated comment. 2020-12-07 21:37:24 -05:00
C4ssandre d05bffdab3 Adding more detailed debug messages. 2020-12-07 21:36:34 -05:00
C4ssandre c7f832526d Fixing unfree-ed allocated memory space. 2020-11-30 14:54:19 +00:00
C4ssandre 381d371e8e Adding a check after memory allocation for localNegotiator object. 2020-11-30 14:47:20 +00:00
C4ssandre 08a744c1a6 Fixing a bad return code (ERROR_HEAP_ALLOC_FAILURE -> ERROR_NOT_ENOUGH_PRIVILEGES). 2020-11-30 14:44:20 +00:00
C4ssandre 0ce9d585cb Adding a line of dprintf for debugging. 2020-11-30 14:42:22 +00:00
C4ssandre 9d298c4059 Change code line for improving readability. 2020-11-30 14:39:10 +00:00
Spencer McIntyre 0ccb50ac02 Adjust how HostingCLR arguments are packed 2020-11-09 12:24:55 -05:00
b4rtik ddd9af83b9 Update 2020-10-29 22:49:41 +01:00
C4ssandre 49dbff8c27 Correction of a little wrong error code in return value. 2020-10-28 16:05:51 +00:00
C4ssandre 53d358dd33 Update of a comment. 2020-10-28 16:00:28 +00:00
C4ssandre f9b0aecc8f Changing debug system. Now, dprintf prints readable and filterable output logs. Debug boolean defined in entry point was removed. 2020-10-28 15:52:18 +00:00
C4ssandre 6fddb3be6a Updates of visual studio files. 2020-10-25 21:52:46 +00:00
C4ssandre 7ec20cfb0e Integration of powershell module into exploit. Now, metasploit is in charge of creating the powershell payload and transmit it to running exploit (instead of raw shellcode transformed into powershell previously). 2020-10-25 19:50:45 +00:00
C4ssandre d93c2d03fb Fixing a bug preventing to serve very large powershell payloads. 2020-10-25 19:00:39 +00:00
C4ssandre 64cbd7de49 Fixing typos in comments. 2020-10-25 18:57:56 +00:00
C4ssandre 868f406c2d Improvement by setting all buffers explicitly to 0 at initialization. 2020-10-25 18:52:12 +00:00
C4ssandre 567367c0ac Fixing a bug caused by base64 functions writing a long in an area expecting a short. 2020-10-25 18:41:11 +00:00
C4ssandre 8d9a0c1926 Removing extra ";" 2020-10-25 18:30:13 +00:00
b4rtik 9779bbef77 Fix parameter managing 
Fix a problem running assemblies with Main signature (string[] args) and no passed parameters
 2020-10-23 21:14:10 +02:00
Tim W 12c5f4f916 CVE-2019-1458 chrome sandbox escape initial commit 2020-10-15 10:57:46 -05:00
bwatters e24a81919a Land #13996, Add module for CVE-2020-9801, CVE-2020-9850 and CVE-2020-9856, 
RCE for Safari on macOS 10.15.3 (pwn2own2020)

Merge branch 'land-13996' into upstream-master
 2020-10-01 09:46:39 -05:00
C4ssandre 37dffaf703 Removing old ReflectiveLoader source files and linking to metasploit-framework embedded ones. 2020-09-29 00:19:09 +00:00
C4ssandre 03b7c00fce Replacing a malloc by a calloc for more reliability. 2020-09-29 00:07:37 +00:00
C4ssandre cbb07ec208 Replacing old base64 encoding and decoding "homemade" function by wincrypt.h functions (CryptBinaryToStringA and CryptStringToBinaryA). Adding some little adjustments in calling functions of elevator server. 2020-09-29 00:05:49 +00:00