Robin Wood | 89f4d3e2d7 | 2021-01-29 11:17:38 +00:00
Fix for issue #14678
Stops the printing of a rogue nil when exploit completes.
See https://github.com/rapid7/metasploit-framework/issues/14678

bwatters | 9174958489 | 2021-01-27 15:48:27 -06:00
Land #14627, Add PRTG Network Monitor RCE (CVE-2018-9276)
Merge branch 'land-14627' into upstream-master

Julien Bedel | b9800b087f | 2021-01-21 18:32:05 +01:00
Change notification name
From "Exploit" to a random alphanumeric string in order to make it less fingerprintable.
Co-authored-by: acammack-r7 <adam_cammack@rapid7.com>

dwelch-r7 | d6896dadc0 | 2021-01-18 14:21:54 +00:00
remove msf folder requires

dwelch-r7 | d437a32374 | 2021-01-18 14:21:54 +00:00
remove msf/util requires

JulienBedel | 14f24b258d | 2021-01-18 12:01:44 +01:00
Add PRTG Network Monitor RCE (CVE-2018-9276)

Christophe De La Fuente | c8819259ae | 2021-01-15 19:13:14 +01:00
Land #14414, CVE-2020-1337 - patch bypass for CVE-2020-1048

bwatters | 9beb570ca3 | 2021-01-15 08:32:05 -06:00
Remove unnecessary require that broke things

Spencer McIntyre | ea154717aa | 2021-01-14 08:53:11 -05:00
Use an absolute assembly path for the CVE-2020-17136 exploit

Grant Willcox | 6fc4518625 | 2021-01-12 16:10:23 -06:00
Land #14600, Refactor and document some of the FileSystem mixin methods

bwatters | d8e68e6487 | 2021-01-12 11:45:53 -06:00
Specify in the docs that you must be SYSTEM for DLL removal, and remove an unused variable in the module

Spencer McIntyre | 33bd712e0a | 2021-01-11 17:16:40 -05:00
Land #14585, Create module for CVE-2020-17136: Cloud Filter Arbitrary File Creation EoP

bwatters | 50e115b414 | 2021-01-11 16:02:58 -06:00
Cleanup and edits per review from Christophe
Removed unused method from ps script
Cleaned up some code in the module
Added removal instructions to the documentation

Spencer McIntyre | 829bacbef6 | 2021-01-08 16:10:36 -05:00
Refactor and document some of the FileSystem mixin methods

Grant Willcox | 3072391d00 | 2021-01-08 12:50:52 -06:00
Make second round of review edits to fix Spencer's comments

Grant Willcox | d5bb36c530 | 2021-01-07 17:39:30 -06:00
Fix up code to use the built-in cd() and mkdir() commands, and adjust code to not overwrite the datastore hash. Also use service_hash over manually starting the service.

bwatters | 7d81b4826d | 2021-01-07 16:30:19 -06:00
Update credits

bwatters | 5e5d7b1abb | 2021-01-06 17:08:22 -06:00
Update to execute_string to avoid the issue where an arbitrary-length comment is required for the exploit to work.

Grant Willcox | 3e52debd8b | 2021-01-06 12:16:06 -06:00
Update the exploit a bit more to remove excess options and also update the documentation accordingly.

Grant Willcox | 5262e16694 | 2021-01-06 11:40:02 -06:00
Make adjustments since the exploit can currently only target x64 systems

Christophe De La Fuente | 17c393f101 | 2021-01-06 16:02:05 +01:00
Land #14046, Adding juicypotato-like privilege escalation exploit for Windows

Grant Willcox | 863417fca7 | 2021-01-06 01:30:40 -06:00
Second round of updates and some rubocop changes to conform to standards.

Grant Willcox | 81ee149ea2 | 2021-01-06 01:06:08 -06:00
Add check code support to module and update the documentation accordingly, plus rework the module description

Grant Willcox | 839daf93e9 | 2021-01-05 16:12:08 -06:00
Update the compiled DLL and redo a lot of the module to get it into its first ready state using a different DLL hijack I found during research

Grant Willcox | 668eeae4e1 | 2021-01-04 12:04:38 -06:00
Initial push of code

CSharperMantle | d99c2ac783 | 2020-12-23 11:36:38 +08:00
linguistic fixes of 'does not exists'

C4ssandre | 57c57a398d | 2020-12-19 02:51:48 +01:00
Adding new check to filter out Windows 7 and Windows XP. Indeed, lab experiments have shown that BITS does not attempt to connect to the WinRM port, making those systems not vulnerable.

bwatters | 222d510e44 | 2020-12-16 13:59:47 -06:00
Rubocop fixes

bwatters | 7f4fac4548 | 2020-12-16 13:57:02 -06:00
Fix PowerShell issues and add comment because it is apparently magic

Tim W | 9c47803609 | 2020-12-14 14:54:54 +00:00
increase wfsdelay

Tim W | 7af996ae4c | 2020-12-14 14:54:54 +00:00
add offsets

Tim W | a30cdfc892 | 2020-12-14 14:54:54 +00:00
Fix #14254, Add CVE-2020-1054, win32k DrawIconEx OOB Write LPE

C4ssandre | 1fec224bae | 2020-12-11 05:22:37 -05:00
Adding a new check raised by an unforeseen use case. I tested the use case of a web server on which a malicious user succeeded in uploading a Meterpreter .exe and executing it by calling its URL. The Meterpreter session belongs to IUSRS, which is not allowed to enumerate services. Thus the exploit fails, but the checks pass. So added new checks to filter out this use case.

C4ssandre | d1956199aa | 2020-12-11 03:58:14 -05:00
Updating a warning message.

C4ssandre | 53a12a7984 | 2020-12-11 03:53:25 -05:00
Updating doc.

Brendan Coles | a9e231ad0a | 2020-12-10 12:14:47 +00:00
Use CVE-2020-5752 path traversal bypass for CVE-2019-3999

C4ssandre | 38cd5817d7 | 2020-12-10 02:09:24 -05:00
Updating authors.

C4ssandre | c005492ee9 | 2020-12-10 00:58:53 -05:00
Updating doc.

C4ssandre | b7bf7fcc86 | 2020-12-10 04:08:49 -05:00
Updating function comments.

C4ssandre | 4883050f7f | 2020-12-10 03:53:06 -05:00
Adding new options to the module. Now it is possible to choose which process to launch as SYSTEM, as well as the port the exploit will listen on (because on some Windows configurations, WinRM should listen on port 47001).

Spencer McIntyre | 367c5e747f | 2020-12-09 16:23:34 -05:00
Land #14470, Fix ssi template for some SharePoint versions

Tim W | fb9b1c5de4 | 2020-12-09 17:16:53 +00:00
Land #14409, add weak services technique to the service permissions LPE

C4ssandre | f8a7517633 | 2020-12-09 08:01:56 +00:00
Improving description of SHUTDOWN_SERVICES option.

C4ssandre | 7a358cf577 | 2020-12-09 07:43:32 +00:00
Giving the user the choice of whether or not the module should attempt to shut down the WinRM and BITS services.

C4ssandre | d2db1fba4a | 2020-12-09 07:06:31 +00:00
Updating exploit metadata.

C4ssandre | 8f72102116 | 2020-12-09 06:55:17 +00:00
Updating exploit description (as shown by the "info" command).

C4ssandre | d43fba1ae1 | 2020-12-09 06:47:29 +00:00
Adding new check functionality. Now the Ruby module checks, through the existing Meterpreter session, whether BITS and WinRM are currently running, and tries to shut them down if they are. It is no longer necessary to deal with Windows versions to know if the target is vulnerable: the module can guess it reliably on its own.

Spencer McIntyre | 175d4a5c43 | 2020-12-08 18:05:28 -05:00
Add a check to see if the session is already running as SYSTEM

Spencer McIntyre | 6d7c6c054a | 2020-12-08 17:39:34 -05:00
Update the module docs with more details for the registry technique

adfoster-r7 | 85a9accbee | 2020-12-08 12:53:02 +00:00
Land #14202, Add initial zeitwerk autoloader approach for lib/msf/core