eb4573164b
Addressed comments
2021-05-14 17:46:26 -05:00
e29dce4f08
Removed comments from powershell script
2021-05-14 17:45:42 -05:00
5640dac24d
Fixed sc command, updated check method, moved tokenmagic.ps1
2021-05-14 17:44:07 -05:00
ca637be0c9
Fixed powershell script, updated authors
2021-05-14 17:44:06 -05:00
1eab94cc26
beta draft
2021-05-14 17:43:44 -05:00
8792febcf8
Land #15190 , Add Exploit For CVE-2021-21551 (Dell DBUtil_2_3 IOCTL)
...
Merge branch 'land-15190' into upstream-master
2021-05-14 13:55:12 -05:00
d990e884af
Add and test even more targets
2021-05-13 17:27:58 -04:00
eb89550f85
Clear up some target offset discrepancies
2021-05-13 16:06:15 -04:00
7d841a0f79
Add a target for Windows 7 x64
2021-05-13 14:24:15 -04:00
4825407d21
Add a target for Windows 8.1 x64
2021-05-13 12:56:47 -04:00
8a1341060d
Fix a couple of errors from not cleaning up
2021-05-13 12:34:14 -04:00
ff2516a7f2
Update CVE-2021-1732 to reduce code reuse
2021-05-12 16:41:43 -04:00
477749f77f
Refactor the code to be reusable and add docs
2021-05-12 16:36:17 -04:00
d3de52da59
The exploit is now functional for Win10 v1803-20H2
2021-05-12 16:14:59 -04:00
fa73c0af3e
Add CVE-2021-22204 ExifTool ANT perl injection
2021-05-11 12:02:12 +10:00
2c1869f9df
Land #14907 , Add exploit for CVE-2021-1732
...
Merge branch 'land-14907' into upstream-master
2021-03-18 14:29:59 -05:00
f3df076067
Only upgrade the token of EProcess was found
2021-03-16 15:20:44 -04:00
c11900b9ab
Add support for Windows 2004 & 20H2
2021-03-15 17:28:38 -04:00
2e3d98a36a
Move the DLL injection code into a reusable function
2021-03-15 11:47:02 -04:00
89ce1c5229
Quick update to make the backdoor a bit stealthier by removing the extra Payload Success! message that wasn't needed
2021-03-14 00:00:17 -06:00
4f2e299d8f
Update the exploit to use Python as its payload since this is a lot more flexible, allows Meterpreter, returns a shell faster, and we are already injecting into and executing a Python file
2021-03-14 00:00:06 -06:00
7d6e636114
Initial upload of exploit code for CVE-2021-21978
2021-03-13 23:59:47 -06:00
f0a9a1deb3
Add the initial exploit for CVE-2021-1732
2021-03-12 17:30:22 -05:00
f327d30e08
First attempt at CVE-2020-7200 module, with RuboCopped module
2021-03-02 16:38:19 -06:00
b9dd1b927b
Randomize the path to the library that's loaded
2021-02-10 08:45:52 -05:00
117cdc4fd7
Populate module metadata and cleanup files
2021-02-03 18:16:13 -05:00
a00f165b6b
Clean the C code and fix the exploitation environment
2021-02-03 18:16:13 -05:00
b9413b4103
Update the exploit C code to allocate it's own PTY
2021-02-03 18:16:13 -05:00
13dd9ac10e
Initial work on CVE-2021-3156
2021-02-03 18:16:13 -05:00
c8819259ae
Land #14414 , CVE-2020-1337 - patch bypass for CVE-2020-1048
2021-01-15 19:13:14 +01:00
33bd712e0a
Land #14585 , Create module for CVE-2020-17136: Cloud Filter Arbitrary File Creation EoP
2021-01-11 17:16:40 -05:00
50e115b414
Cleanup and edits per review from Christophe
...
Removed unused method from ps script
Cleaned up some code in the module
Added removal instructions to the documentation
2021-01-11 16:02:58 -06:00
3072391d00
Make second round of review edits to fix Spencer's comments
2021-01-08 12:50:52 -06:00
5e5d7b1abb
Update to execute_string to avoid the issue where an arbitrary
...
length comment is required for the exploit to work.
2021-01-06 17:08:22 -06:00
17c393f101
Land #14046 , Adding juicypotato-like privilege escalation exploit for windows
2021-01-06 16:02:05 +01:00
bf7627b33e
Adding DLL's
2021-01-06 15:59:08 +01:00
839daf93e9
Update the compiled DLL and redo a lot of the module to get it into its first ready state using a different DLL hijack I found during research
2021-01-05 16:12:08 -06:00
668eeae4e1
Initial push of code
2021-01-04 12:04:38 -06:00
7f4fac4548
Fix powershell issues and add comment because it is apparently magic
2020-12-16 13:57:02 -06:00
33ef352f89
Add dll
...
Compiled with Visual Studio Express 2013 with Platform Toolset v120
2020-12-15 12:42:06 +01:00
810898e97b
Rough attempt at CVE-2020-1337
...
Non-functional
2020-11-20 17:36:19 -06:00
9e111d7fdf
Add in compiled version of the exploit to meet Rapid7 compliance guidelines on having Rapid7 employees submit compiled binaries only
2020-10-23 16:01:00 -05:00
c5751a240b
Fix incorrect offset in BPF sign extension LPE
...
The uid field of the cred struct is normally the second field, followed
by the gid field. The first field is of type atomic_t, which has the
size of an int. Since the size of an int is usually 4 bytes, the uid is
normally located at an offset of 4 bytes from the start of the cred
struct, and not 8. Since the uid also is int-sized, the code set
test_uid to the gid, making the exploit fail for cases where uid != gid.
2020-10-17 19:46:35 -04:00
b932ed5225
Recompile the exploit.dll DLL for CVE-2019-1458 as per Rapid7 policies
2020-10-15 10:58:56 -05:00
12c5f4f916
CVE-2019-1458 chrome sandbox escape initial commit
2020-10-15 10:57:46 -05:00
e24a81919a
Land #13996 , Add module for CVE-2020-9801, CVE-2020-9850 and CVE-2020-9856,
...
RCE for Safari on macOS 10.15.3 (pwn2own2020)
Merge branch 'land-13996' into upstream-master
2020-10-01 09:46:39 -05:00
f0f4da2b1e
Land #14157 , Windows update orchestrator privesc
2020-09-25 16:07:27 -05:00
2d1b378a18
Land #14122 , Jenkins Deserialization RCE (CVE-2017-1000353)
2020-09-22 12:32:09 +02:00
534e945cd0
First attempt at CVE-2020-1313
2020-09-18 15:39:12 -05:00
06f5518953
Update binaries
2020-09-16 11:41:02 -05:00
Jack Heysel