adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
69,996 Commits 27 Branches 1,043 Tags
e2e8568860e381fc09e1ecedd5ddfc6fdfa3ce99
Commit Graph

7422 Commits

Author SHA1 Message Date
Grant Willcox 43b4ee268c Land #17592, Fix bypassuac_injection_winsxs for x64 2023-02-09 11:41:51 -06:00
Spencer McIntyre e6f4e96544 Close hFindFile 2023-02-09 11:43:20 -05:00
cgranleese-r7 508f5c7e52 Land #17619, Run rubocop on exploit modules 2023-02-09 10:11:53 +00:00
bwatters 01a78f972c Land #17567, ManageEngine Endpoint Central RCE (CVE-2022-47966) 
Merge branch 'land-17567' into upstream-master
 2023-02-08 13:06:53 -06:00
adfoster-r7 656ded4b86 Add module notes 2023-02-08 15:46:07 +00:00
adfoster-r7 25ee41df68 Run rubocop on exploit modules 2023-02-08 15:20:32 +00:00
Spencer McIntyre f2e5e77e27 Fix bypassuac_injection_winsxs for x64 
Tested on Windows 8.1, prior to these chagnes the bad railgun definition
would cause the session to crash.
 2023-02-03 13:02:53 -05:00
cgranleese-r7 80dbbca020 Land #17371, Lenovo Diagnostics Driver Privilege Escalation (CVE-2022-3699) 2023-02-03 13:43:04 +00:00
adfoster-r7 014bdddd1a Land #17564, Fixed AnyConnect IPC message format 2023-02-01 16:34:44 +00:00
h00die-gr3y a2f4a27614 updated module and added documentation 2023-01-29 10:06:14 +00:00
h00die-gr3y bf10b29a84 first drop module 2023-01-29 07:47:22 +00:00
Duarte Silva a7ae3c9389 Fixed AnyConnect IPC message format: 
- Made an error in the original research where the TLV had a type
  and a index, when it only has a type and a modifier that makes
  it into a TV (Type and Value, no Length).
- A TV has its value where the Length would be on a TLV.
- Also added a note on the endieness being correct/working because
  endieness has no impact in the message being used to exploit the
  vulnerability.
 2023-01-28 09:08:51 +00:00
adfoster-r7 672fb9ce9f Land #17460, add support for feature kerberos authentication 2023-01-26 17:47:27 +00:00
Jack Heysel 6ac0d9ba27 Trailing whitespace corrected 2023-01-19 22:16:54 -05:00
Jack Heysel 0e0f62c002 Removed 22621 2023-01-19 14:47:20 -05:00
Jack Heysel 4da94325f3 Rubocop 2023-01-19 13:52:58 -05:00
Jack Heysel 63d9445911 Fix for Win Server 2022 and 2019 2023-01-19 00:52:38 -05:00
Spencer McIntyre 3ddcf73c2b Remove the QUICK option altogether 
Use blocks to check whether each service is exploitable as they are
enumerated. With this change, it is the service and path enumeration
halts once an exploitable one is found that yields a session.

Also all files are registered for cleanup.
 2023-01-13 17:06:42 -05:00
h00die f98d1d838b unquoted service path tweaks to check 2023-01-13 17:06:42 -05:00
h00die 90a12cf3b0 unquoted service path tweaks 2023-01-13 17:06:42 -05:00
h00die a6ec7762ea unquoted service path tweaks 2023-01-13 17:06:42 -05:00
h00die c52eb09cbb unquoted service path tweaks 2023-01-13 17:06:42 -05:00
Jack Heysel 145589f7a2 Add GetPteBaseW10 2023-01-12 01:15:23 -05:00
Christophe De La Fuente 868072e6c8 Land #17317, Fix various WinRM modules 2023-01-03 19:57:07 +01:00
Ashley Donaldson 45c0af48c2 Suggested changes from code review 2023-01-03 11:26:07 +11:00
Jack Heysel 3204caf618 Make use of session platform 2022-12-15 14:28:19 -05:00
Ashley Donaldson 28bd03f971 Apply suggestions from code review 
Co-authored-by: adfoster-r7 <60357436+adfoster-r7@users.noreply.github.com>
 2022-12-15 14:50:10 +11:00
Ashley Donaldson 57152fdd5f Use framework's thread mechanism for background keepalive worker 2022-12-15 14:44:57 +11:00
Jack Heysel 2fa7e7b2d5 Lenovo Diagnostics Driver Privilege Escaltion (CVE-2022-3699) 2022-12-12 21:53:53 -05:00
Spencer McIntyre d09aef7dc5 Land #17350, Remove unnecesary sleep 
Remove unnecesary sleep in several bypassuac modules
 2022-12-12 17:45:10 -05:00
Spencer McIntyre 5a66666b4d Fix check methods by using #present? 2022-12-12 16:53:34 -05:00
Ashley Donaldson 8d097e0fd0 Fixes bug in s4u_persistence module 2022-12-09 11:24:16 +11:00
Ashley Donaldson c54109586c Remove unnecesary sleep in several bypassuac modules 2022-12-09 11:09:19 +11:00
Christophe De La Fuente aaef7726db Land #17330, Fix enumerating emails via ProxyShell 2022-12-06 14:02:53 +01:00
cgranleese-r7 8e9e8468f2 Land #17338, Lint modules 2022-12-05 13:17:40 +00:00
adfoster-r7 14d05c9c6c Lint modules 2022-12-05 10:41:31 +00:00
bcoles c1ff9337c8 dnn_cookie_deserialization_rce: Remove empty 'Payload' Hash key 2022-12-04 17:50:24 +11:00
bcoles 431804ef15 Fix typos: Replace 'the the' with 'the' 2022-12-04 17:41:24 +11:00
Spencer McIntyre 96da805014 Fix enumerating emails via ProxyShell 
The ResolveNames endpoint used to gather emails addresses for targeting
only returns 100 at a time. This updates the module to check if the
search result contains all entries and when it does, it recurses into
itself with a refined search prefix. All results are returned to match
the original functionality instead of enumerating and halting once one
that's suitable for exploitation has been found.
 2022-12-02 15:58:50 -05:00
Christophe De La Fuente d3057f15b2 Land #17275, Add Exploit For CVE-2022-41082 (ProxyNotShell) 2022-11-30 18:16:19 +01:00
Ashley Donaldson 0323d45737 More correct approach to encoding for command line 2022-11-30 11:54:42 +11:00
Ashley Donaldson 5fce80ed1d Added comments to most functions 2022-11-30 11:53:57 +11:00
Ashley Donaldson 1231eefe55 Fixed WQL module while I'm at it 2022-11-30 10:26:19 +11:00
Ashley Donaldson 0d68ec5d1b Fix formatting of winrm_script_exec 2022-11-30 07:48:30 +11:00
Ashley Donaldson 6a040e2ee5 #11456 Winrm Script Exec works again 2022-11-30 07:39:38 +11:00
Spencer McIntyre 264d45e04a Appease rubocop 2022-11-28 10:16:55 -05:00
Spencer McIntyre f24df8a051 Change an exception class and drop DOMAIN passing 2022-11-28 10:06:14 -05:00
Spencer McIntyre 3f58bfe11e Check that the target is Exchange Server 2019 2022-11-23 10:47:10 -05:00
h00die 7227bec259 set autocheck false 2022-11-21 15:53:37 -05:00
bwatters 8c9e2c9fc7 Add check method, update hosting IP/port 2022-11-21 15:53:37 -05:00