adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
70,067 Commits 27 Branches 1,043 Tags
fa1e7ae0169c1929be06febfa2d036bd81607644
Commit Graph

1465 Commits

Author SHA1 Message Date
Christophe De La Fuente 6d4ee0c071 Add exploit for CVE-2023-21768 2023-03-27 20:08:22 +02:00
cgranleese-r7 80dbbca020 Land #17371, Lenovo Diagnostics Driver Privilege Escalation (CVE-2022-3699) 2023-02-03 13:43:04 +00:00
jheysel-r7 595f34fc6f Merge branch 'master' into mac_dirty_cow 2023-02-01 16:51:09 -05:00
h00die 2c72cc145a updates to module 2023-01-31 20:05:33 -05:00
Jack Heysel 0e0f62c002 Removed 22621 2023-01-19 14:47:20 -05:00
Jack Heysel d7215b84b4 Added offsets for W11 22H2 2023-01-19 09:30:28 -05:00
Jack Heysel 63d9445911 Fix for Win Server 2022 and 2019 2023-01-19 00:52:38 -05:00
Jack Heysel 2c2bfec4a0 Tested on Windows Build 19044, 19045 and 22000 2023-01-18 01:41:30 -05:00
bwatters 158c557d58 Update LICENSE file and location of source file 2023-01-17 17:28:22 -05:00
Jack Heysel 145589f7a2 Add GetPteBaseW10 2023-01-12 01:15:23 -05:00
timwr ce260f53f3 Add CVE-2022-46689 macOS dirty cow 2022-12-28 22:46:08 +07:00
Jack Heysel 87614cf2b3 Fixed spacing updated check method 2022-12-15 14:15:06 -05:00
Jack Heysel f015d1425a Added update to common.h 2022-12-14 20:39:31 -05:00
Jack Heysel 2fa7e7b2d5 Lenovo Diagnostics Driver Privilege Escaltion (CVE-2022-3699) 2022-12-12 21:53:53 -05:00
space-r7 cf9e54909c use 2021 helper name in objective-c code too 2022-12-12 15:55:36 -06:00
space-r7 d8f2b50b07 add compiled exploit and source 2022-11-17 17:16:08 -06:00
space-r7 a9c3c61aa3 Land #17050, make osx payload fileless 2022-10-20 14:13:32 -05:00
usiegl00 bceaf5cd70 Back from the dyld: clean up mmap. 
The mmap permissions prior to mprotect during the region mapping should
be write only. I also added a few more comments detailing the usage of
structs in dyld4.
 2022-10-07 09:57:53 +09:00
usiegl00 8aa01bfbcd Back from the dyld: fix addr_main assignment. 
When using the legacy technique, addr_main was being redifined. This
caused the access to addr_main outside the if statement to segfault.
 2022-09-30 06:46:45 +09:00
usiegl00 ce75cb2afc Back from the dyld: clean up source code. 
This fixes a floating `\t` in a struct definition. This also adds more
clarity to a set of dprintf statements regarding the region. This fixes
the indentation for a comment as well.
 2022-09-29 07:58:23 +09:00
usiegl00 64231dad67 Back from the dyld: vm_allocate to fix corruption. 
This fixes the corruption incidentally resolved by assigning to an
unused variable by properly allocating memory for structs before
assigning to them. This will resolve the segfault on return issue, as
the saved return address is no longer clobbered.
 2022-09-28 20:58:48 +09:00
usiegl00 2833f504d4 Back from the dyld: a fileless loader. (Again.) 
By replicating the functionality of APIs::dlopen_from, we can bypass the
temporary file created when calling NSCreateObjectFileImageFromMemory on
macOS 12 and above. Constructing a custom JustInTimeLoader and running
through all the dyld calls required to fix it up manually results in
fileless MachO execution.
 2022-09-22 17:50:04 +09:00
Redouane NIBOUCHA e612f02ecb Add MAX_TRIES option, address the feedback of bwatters-r7 2022-08-11 13:21:14 +02:00
Redouane NIBOUCHA 011f0ac990 Add comment to make it easier to add offsets for more kernels 2022-07-26 22:20:12 +02:00
Redouane NIBOUCHA 78dae84871 Updates to the C source code (execl instead of execve, removal of some old comments) 2022-07-25 22:18:47 +02:00
Redouane NIBOUCHA 37f1fdd47b Add module docs, add Ubuntu 22.04 offsets, update check method 2022-07-22 03:30:03 +02:00
Redouane NIBOUCHA 73db035e57 Add more offsets to the exploit, clean up the exploit C source, add check method 2022-07-21 01:22:20 +02:00
Redouane NIBOUCHA fe2e413426 Add exploit for CVE-2022-34918 2022-07-20 13:51:22 +02:00
Grant Willcox e2c6c36b2b Land #1642, Add module for cve-2022-0995 2022-04-21 09:12:47 -05:00
bwatters fb4d12a558 Semicolon.... 2022-04-20 17:41:16 -05:00
bwatters 26f9175816 Update c source with argc check and CRASH notes for module 2022-04-20 17:37:48 -05:00
bwatters d9a241defb Fix overzealous source code edit and some version copy/pasta errors 2022-04-20 14:31:32 -05:00
bwatters f32443b477 Update with debug source code and options, cleanup module code per gwillcox-r7 2022-04-14 10:25:55 -05:00
usiegl00 b9052be102 Use libdyld locator to fix osx stager on monterey 
We locate the dyld_shared_cache in memory to find and resolve the
functions we need in libdyld.dylib. We retain the original dyld location
method on osx versions before Sierra.

Explicitly set length for osx x64 initial stage

The rdx register, used for passing the payload length, is being
clobbered by a system call in the new MacOS version. Instead of relying
on the register being untouched, we set it equal to the payload length.
 2022-04-12 11:27:23 +09:00
bwatters 4fada9570c Remove extra file 2022-04-07 17:12:37 -05:00
bwatters 96d86944da Added precompiled binary and option to strip output, fixed comment-strip bug 2022-04-07 17:09:35 -05:00
bwatters db89fc5e7a Add module for cve-2022-0995 2022-04-06 13:35:14 -05:00
Grant Willcox 9e2d7f655b Update data to fix more things found during review process 2022-04-05 12:48:11 -05:00
Grant Willcox db4b22df5e Update the exploit code to output errors in a better format, and fix a potential issue when trying to delete folders recursively. Also update exploit module to try kill msiexec.exe if its still running to prevent it holding onto handles when it shouldn't be. 2022-04-04 17:58:52 -05:00
Grant Willcox 8daecca5c3 Update code with latest changes 2022-04-01 12:11:05 -05:00
Grant Willcox 24342e764c Update solution file so that we can only build the DLL for x64 bit platforms since that is the only one we support at this time 2022-03-31 12:31:55 -05:00
Grant Willcox 743138abed Add in initial fixes from review and remove extra BREAKAWAY_FROM_JOB code changes not directly related to this PR as we'll raise a separate PR for those 2022-03-31 12:13:29 -05:00
Grant Willcox 5695863901 Add in updated source code for exploiting domain joined systems 2022-03-28 16:17:58 -05:00
Grant Willcox bab215fccb Remove .vs directory and associated files as there is no need for us to ship those files 2022-03-25 14:11:17 -05:00
Grant Willcox 3d871e0ea9 Remove unneeded DLL from source code 2022-03-24 11:59:20 -05:00
Grant Willcox b504585979 Add in source code 2022-03-24 11:56:18 -05:00
Spencer McIntyre 443bf1249a Remove all the old CVE-2021-1732 data 2022-02-18 15:25:39 -05:00
Spencer McIntyre d92259f868 One exploit for CVE-2021-1732 and CVE-2022-21882 2022-02-18 15:23:38 -05:00
RageLtMan 5eb2c3233d Authors cleanup 2021-12-29 10:56:44 -05:00
RageLtMan 4f07a2fbea First "working" 2021-44228 exploit module state 
Clean up the Java code for PayloadFactory - the `main()` function
is actually not required, the error seen on initial attempts to
compile was some sort of PEBKAC or weird things in classpaths.

Update the module to start the HTTP server before issuing the HTTP
request starting the call chain which eventually executes the Java
PayloadFactory - that chain is quick and races with the service's
startup time to get the JAR containing the Payload and its factory.

Minor misc cleanup.
Give credit where due: we stand on the shoulders of giants.

Testing:
  LDAP request is serviced with response containing our JAR URL and
trigger parameters for the factory to instantiate Payload.class and
call its `main()` function.
  HTTP request is serviced to deliver the JAR.
  Payload handler on MSF-side is tripped with incoming connection.
 2021-12-29 09:10:07 -05:00