367c760927
window move is now directly in the template
2017-08-20 17:48:59 -05:00
e734a7923a
Land #8267 , Handle multiple entries in PSModulePath
2017-08-20 17:44:30 -05:00
da3ca9eb90
update some documentation
2017-08-03 17:09:44 -05:00
ddd841c0a8
code style cleanup + add automatic targeting based on payload
2017-08-03 00:27:54 -05:00
b62429f6fa
handle drive letters specified like E: nicely
2017-08-03 00:27:22 -05:00
46ec04dd15
Removed This PC ItemID & increased timeout in WaitForSingleObject
...
Remove the This PC ItemID to bypass (some) AV.
Timeout for WaitForSingleObject is set to 2,5s. After this timeout a
mutex is released allowed a new payload to be executed.
2017-08-02 15:47:22 -05:00
e51e1d9638
Added new DLL templates to prevent crashing of Explorer
2017-08-02 15:47:21 -05:00
3229320ba9
Code review feedback from @nixawk
2017-08-02 15:46:51 -05:00
565a3355be
CVE-2017-8464 LNK Remote Code Execution Vulnerability
...
This module exploits a vulnerability in the handling of Windows
Shortcut files (.LNK) that contain a dynamic icon, loaded from a
malicious DLL.
This vulnerability is a variant of MS15-020 (CVE-2015-0096). The
created LNK file is similar except in an additional
SpecialFolderDataBlock is included. The folder ID set in this
SpecialFolderDataBlock is set to the Control Panel. This is enought to
bypass the CPL whitelist. This bypass can be used to trick Windows into
loading an arbitrary DLL file.
2017-08-02 15:46:30 -05:00
bf4dce19fb
I added the SSD advisory
2017-07-24 14:25:10 -07:00
b099196172
deregistered SSL, added the HTA dodgy try/catch feature
2017-07-24 10:28:03 -07:00
17b28388e9
Added the advisory, opps
2017-07-24 10:09:21 -07:00
14ca2ed325
Added a icon loading trick by Brendan
2017-07-24 10:06:20 -07:00
b2a002adc0
Brendan is an evil genius\!
2017-07-24 09:58:23 -07:00
cc8dc002e9
Added CVE-2017-7442
2017-07-24 08:21:59 -07:00
6300758c46
use https for metaploit.com links
2017-07-24 06:26:21 -07:00
ef826b3f2c
OCD - print_good & print_error
2017-07-19 12:48:52 +01:00
b8d80d87f1
Remove last newline after class - Make @wvu-r7 happy
2017-07-19 11:19:49 +01:00
3d4feffc62
OCD - Spaces & headings
2017-07-19 11:04:15 +01:00
4720d1a31e
OCD fixes - Spaces
2017-07-14 08:46:59 +01:00
fd843f364b
Removed extra lines
2017-07-14 08:17:16 +01:00
424522147e
OCD fixes - Start of *.rb files
2017-07-13 23:53:59 +01:00
162a660d45
Remove the old windows/fileformat/office_word_macro
...
windows/fileformat/office_word_macro.rb has been deprecated and
it should have been removed on March 16th.
If you want to create a Microsoft Office macro exploit, please
use the multi/fileformat/office_word_macro exploit instead, which
supports multiple platforms, and will support template injection.
2017-05-26 07:33:46 -05:00
841f63ad20
make office_word_hta backward compat with older Rubies
2017-05-08 15:10:48 -05:00
64452de06d
Fix msf/core and self.class msftidy warnings
...
Also fixed rex requires.
2017-05-03 15:44:51 -05:00
56685bbfaa
Update office_word_hta.rb
2017-04-26 11:05:21 +08:00
6029a9ee2b
Use a built-in HTA server and update doc
2017-04-24 16:04:27 -05:00
3d082814cb
Fix default options
2017-04-17 01:09:48 -05:00
fb001180c4
Fix generate_uri
2017-04-14 21:52:31 -05:00
590816156f
rename exp module
2017-04-14 21:32:48 -05:00
1952529a87
Format Code
2017-04-14 21:30:26 -05:00
8ab0b448fd
CVE-2017-0199 exploit module
2017-04-14 13:22:59 -05:00
70f7dccf62
copy and paste fail
2017-02-23 17:11:08 -06:00
5d0b532b20
Fix #8002 , Use post/windows/manage/priv_migrate instead of migrate -f
...
Because migrate -f uses a meterpreter script, and meterpreter scripts
are deprecated, we should be replacing with a post module
Fix #8002
2017-02-23 17:04:36 -06:00
1f23b44003
I modified windows/fileformat/office_word_macro the wrong way
2017-02-16 23:16:06 -06:00
7503f643cc
Deprecate windows/fileformat/office_word_macro
...
Please use exploits/multi/fileformat/office_word_macro instead,
because the new one supports OS X.
2017-02-16 12:32:14 -06:00
3d269b46ad
Support OS X for Microsoft Office macro exploit
2017-02-16 12:28:11 -06:00
c73c189a61
Set DisablePayloadHandler default to true
2017-02-03 11:25:50 -06:00
ccaa783a31
Add Microsoft Office Word Macro exploit
2017-02-02 17:44:55 -06:00
f69b4a330e
handle Ruby 2.4 Fixnum/Bignum -> Integer deprecations
2017-01-22 10:20:03 -06:00
d1be2d735f
Land #7578 , pdf-shaper exploit
...
Land lsato's work on the pdf-shaper buffer overflow
exploit
2016-11-30 11:13:12 -06:00
005d34991b
update architecture
2016-11-20 19:09:33 -06:00
920ecf6fc5
finishing metacoms work for pdf-shaper-bo
2016-11-18 11:36:02 -06:00
3c1f642c7b
Moved PPSX to data/exploits folder
2016-11-08 16:04:46 +01:00
b7049939d9
Fixed more build errors
2016-08-09 12:55:18 +02:00
22054ce85c
Fixed build errors
2016-08-09 12:47:08 +02:00
b935e3df2e
Office OLE Multiple DLL Side Loading Vulnerabilities
...
Multiple DLL side loading vulnerabilities were found in various COM
components.
These issues can be exploited by loading various these components as an
embedded
OLE object. When instantiating a vulnerable object Windows will try to
load one
or more DLLs from the current working directory. If an attacker
convinces the
victim to open a specially crafted (Office) document from a directory
also
containing the attacker's DLL file, it is possible to execute arbitrary
code with
the privileges of the target user. This can potentially result in the
attacker
taking complete control of the affected system.
2016-08-09 12:29:08 +02:00
b08d1ad8d8
Revert "Land #6812 , remove broken OSVDB references"
...
This reverts commit 2b016e02167b1d9596c7
2016-07-15 12:00:31 -05:00
816bc91e45
Resolve #6807 , remove all OSVDB references.
...
OSVDB is no longer a vulnerability database, therefore all the
references linked to it are invalid.
Resolve #6807
2016-04-23 12:32:34 -05:00
1375600780
Land #6644 , datastore validation on assignment
2016-03-17 11:16:12 -05:00
Brent Cook