cgranleese-r7
80dbbca020
Land #17371, Lenovo Diagnostics Driver Privilege Escalation (CVE-2022-3699)
2023-02-03 13:43:04 +00:00
jheysel-r7
595f34fc6f
Merge branch 'master' into mac_dirty_cow
2023-02-01 16:51:09 -05:00
h00die
2c72cc145a
updates to module
2023-01-31 20:05:33 -05:00
Jack Heysel
022760d24a
Land #17300, linux LPE cve-2022-22942 module
This PR adds a linux priv esc against VMWare virtual machines
with kernel 4.14-rc1 - 5.17-rc1 due to a VMWare driver bug.
2023-01-31 14:07:55 -05:00
Grant Willcox
dcda0c2ebc
Fix up text so we capitalize all words of Metasploit Framework
2023-01-20 17:05:20 -06:00
Jack Heysel
0e0f62c002
Removed 22621
2023-01-19 14:47:20 -05:00
Jack Heysel
d7215b84b4
Added offsets for W11 22H2
2023-01-19 09:30:28 -05:00
Jack Heysel
63d9445911
Fix for Win Server 2022 and 2019
2023-01-19 00:52:38 -05:00
Jack Heysel
2c2bfec4a0
Tested on Windows Build 19044, 19045 and 22000
2023-01-18 01:41:30 -05:00
bwatters
158c557d58
Update LICENSE file and location of source file
2023-01-17 17:28:22 -05:00
Jack Heysel
145589f7a2
Add GetPteBaseW10
2023-01-12 01:15:23 -05:00
timwr
ce260f53f3
Add CVE-2022-46689 macOS dirty cow
2022-12-28 22:46:08 +07:00
Jack Heysel
87614cf2b3
Fixed spacing updated check method
2022-12-15 14:15:06 -05:00
Jack Heysel
f015d1425a
Added update to common.h
2022-12-14 20:39:31 -05:00
Christophe De La Fuente
d6a5590c06
Land #17265, Add Exploit for CVE-2020-25736
2022-12-13 18:49:56 +01:00
Jack Heysel
2fa7e7b2d5
Lenovo Diagnostics Driver Privilege Escalation (CVE-2022-3699)
2022-12-12 21:53:53 -05:00
space-r7
cf9e54909c
use 2021 helper name in objective-c code too
2022-12-12 15:55:36 -06:00
h00die
b866917ee1
review
2022-11-22 16:57:01 -05:00
space-r7
d8f2b50b07
add compiled exploit and source
2022-11-17 17:16:08 -06:00
space-r7
a9c3c61aa3
Land #17050, make osx payload fileless
2022-10-20 14:13:32 -05:00
usiegl00
bceaf5cd70
Back from the dyld: clean up mmap.
The mmap permissions prior to mprotect during the region mapping should
be write only. I also added a few more comments detailing the usage of
structs in dyld4.
2022-10-07 09:57:53 +09:00
usiegl00
8aa01bfbcd
Back from the dyld: fix addr_main assignment.
When using the legacy technique, addr_main was being redefined. This
caused the access to addr_main outside the if statement to segfault.
2022-09-30 06:46:45 +09:00
usiegl00
ce75cb2afc
Back from the dyld: clean up source code.
This fixes a floating `\t` in a struct definition. This also adds more
clarity to a set of dprintf statements regarding the region. This fixes
the indentation for a comment as well.
2022-09-29 07:58:23 +09:00
usiegl00
64231dad67
Back from the dyld: vm_allocate to fix corruption.
This fixes the corruption incidentally resolved by assigning to an
unused variable by properly allocating memory for structs before
assigning to them. This will resolve the segfault on return issue, as
the saved return address is no longer clobbered.
2022-09-28 20:58:48 +09:00
bwatters
e27dbd2787
Land #16794, Add exploit for CVE-2022-34918
Merge branch 'land-16794' into upstream-master
2022-09-27 16:37:52 -05:00
usiegl00
2833f504d4
Back from the dyld: a fileless loader. (Again.)
By replicating the functionality of APIs::dlopen_from, we can bypass the
temporary file created when calling NSCreateObjectFileImageFromMemory on
macOS 12 and above. Constructing a custom JustInTimeLoader and running
through all the dyld calls required to fix it up manually results in
fileless MachO execution.
2022-09-22 17:50:04 +09:00
Grant Willcox
2966ec3504
Add in ruby/debug to Gemfile and also provide example of how to create a launch.json file to use it with vscode-rdbg
2022-09-01 13:35:08 -05:00
Spencer McIntyre
ff46659dd4
Fix a typo in _msfvenom
Fixes #16838
2022-08-25 16:28:04 -05:00
Redouane NIBOUCHA
e612f02ecb
Add MAX_TRIES option, address the feedback of bwatters-r7
2022-08-11 13:21:14 +02:00
Redouane NIBOUCHA
011f0ac990
Add comment to make it easier to add offsets for more kernels
2022-07-26 22:20:12 +02:00
Redouane NIBOUCHA
78dae84871
Updates to the C source code (execl instead of execve, removal of some old comments)
2022-07-25 22:18:47 +02:00
Redouane NIBOUCHA
37f1fdd47b
Add module docs, add Ubuntu 22.04 offsets, update check method
2022-07-22 03:30:03 +02:00
Redouane NIBOUCHA
73db035e57
Add more offsets to the exploit, clean up the exploit C source, add check method
2022-07-21 01:22:20 +02:00
Redouane NIBOUCHA
fe2e413426
Add exploit for CVE-2022-34918
2022-07-20 13:51:22 +02:00
Grant Willcox
e2c6c36b2b
Land #1642, Add module for cve-2022-0995
2022-04-21 09:12:47 -05:00
bwatters
fb4d12a558
Semicolon....
2022-04-20 17:41:16 -05:00
bwatters
26f9175816
Update c source with argc check and CRASH notes for module
2022-04-20 17:37:48 -05:00
bwatters
d9a241defb
Fix overzealous source code edit and some version copy/pasta errors
2022-04-20 14:31:32 -05:00
bwatters
f32443b477
Update with debug source code and options, cleanup module code per gwillcox-r7
2022-04-14 10:25:55 -05:00
usiegl00
b9052be102
Use libdyld locator to fix osx stager on Monterey
We locate the dyld_shared_cache in memory to find and resolve the
functions we need in libdyld.dylib. We retain the original dyld location
method on osx versions before Sierra.
Explicitly set length for osx x64 initial stage
The rdx register, used for passing the payload length, is being
clobbered by a system call in the new MacOS version. Instead of relying
on the register being untouched, we set it equal to the payload length.
2022-04-12 11:27:23 +09:00
bwatters
4fada9570c
Remove extra file
2022-04-07 17:12:37 -05:00
bwatters
96d86944da
Added precompiled binary and option to strip output, fixed comment-strip bug
2022-04-07 17:09:35 -05:00
bwatters
db89fc5e7a
Add module for cve-2022-0995
2022-04-06 13:35:14 -05:00
Grant Willcox
9e2d7f655b
Update data to fix more things found during review process
2022-04-05 12:48:11 -05:00
Grant Willcox
db4b22df5e
Update the exploit code to output errors in a better format, and fix a potential issue when trying to delete folders recursively. Also update exploit module to try to kill msiexec.exe if it's still running to prevent it holding onto handles when it shouldn't be.
2022-04-04 17:58:52 -05:00
Grant Willcox
8daecca5c3
Update code with latest changes
2022-04-01 12:11:05 -05:00
Grant Willcox
24342e764c
Update solution file so that we can only build the DLL for x64 bit platforms since that is the only one we support at this time
2022-03-31 12:31:55 -05:00
Grant Willcox
743138abed
Add in initial fixes from review and remove extra BREAKAWAY_FROM_JOB code changes not directly related to this PR as we'll raise a separate PR for those
2022-03-31 12:13:29 -05:00
Grant Willcox
5695863901
Add in updated source code for exploiting domain joined systems
2022-03-28 16:17:58 -05:00
Grant Willcox
bab215fccb
Remove .vs directory and associated files as there is no need for us to ship those files
2022-03-25 14:11:17 -05:00