15d267a233
Land #17826 , post module for CVE-2023-21768
...
This adds an exploit module for CVE-2023-21768 that
achieves local privilege escalation on Windows 11 2H22.
2023-03-30 12:27:28 -04:00
152ef4a86b
Update modules/exploits/windows/local/cve_2023_21768_afd_lpe.rb
2023-03-30 11:28:46 -04:00
6f400052b1
Update modules/exploits/windows/local/cve_2023_21768_afd_lpe.rb
2023-03-30 11:00:55 -04:00
f3c12ba176
Land #17808 , Update broken secunia references
...
The Secunia links in the framework were dead. They have
now been restored using the wayback machine to grab
replacement links from the earliest date possible.
2023-03-27 17:20:13 -04:00
6d4ee0c071
Add exploit for CVE-2023-21768
2023-03-27 20:08:22 +02:00
3ca177eb1f
Add the exploit for CVE-2022-38108
2023-03-23 17:28:58 -04:00
d04c8e1bce
Update broken secunia references
2023-03-23 10:43:57 +00:00
43b4ee268c
Land #17592 , Fix bypassuac_injection_winsxs for x64
2023-02-09 11:41:51 -06:00
e6f4e96544
Close hFindFile
2023-02-09 11:43:20 -05:00
508f5c7e52
Land #17619 , Run rubocop on exploit modules
2023-02-09 10:11:53 +00:00
01a78f972c
Land #17567 , ManageEngine Endpoint Central RCE (CVE-2022-47966)
...
Merge branch 'land-17567' into upstream-master
2023-02-08 13:06:53 -06:00
656ded4b86
Add module notes
2023-02-08 15:46:07 +00:00
25ee41df68
Run rubocop on exploit modules
2023-02-08 15:20:32 +00:00
f2e5e77e27
Fix bypassuac_injection_winsxs for x64
...
Tested on Windows 8.1, prior to these chagnes the bad railgun definition
would cause the session to crash.
2023-02-03 13:02:53 -05:00
80dbbca020
Land #17371 , Lenovo Diagnostics Driver Privilege Escalation (CVE-2022-3699)
2023-02-03 13:43:04 +00:00
014bdddd1a
Land #17564 , Fixed AnyConnect IPC message format
2023-02-01 16:34:44 +00:00
a2f4a27614
updated module and added documentation
2023-01-29 10:06:14 +00:00
bf10b29a84
first drop module
2023-01-29 07:47:22 +00:00
a7ae3c9389
Fixed AnyConnect IPC message format:
...
- Made an error in the original research where the TLV had a type
and a index, when it only has a type and a modifier that makes
it into a TV (Type and Value, no Length).
- A TV has its value where the Length would be on a TLV.
- Also added a note on the endieness being correct/working because
endieness has no impact in the message being used to exploit the
vulnerability.
2023-01-28 09:08:51 +00:00
672fb9ce9f
Land #17460 , add support for feature kerberos authentication
2023-01-26 17:47:27 +00:00
6ac0d9ba27
Trailing whitespace corrected
2023-01-19 22:16:54 -05:00
0e0f62c002
Removed 22621
2023-01-19 14:47:20 -05:00
4da94325f3
Rubocop
2023-01-19 13:52:58 -05:00
63d9445911
Fix for Win Server 2022 and 2019
2023-01-19 00:52:38 -05:00
3ddcf73c2b
Remove the QUICK option altogether
...
Use blocks to check whether each service is exploitable as they are
enumerated. With this change, it is the service and path enumeration
halts once an exploitable one is found that yields a session.
Also all files are registered for cleanup.
2023-01-13 17:06:42 -05:00
f98d1d838b
unquoted service path tweaks to check
2023-01-13 17:06:42 -05:00
90a12cf3b0
unquoted service path tweaks
2023-01-13 17:06:42 -05:00
a6ec7762ea
unquoted service path tweaks
2023-01-13 17:06:42 -05:00
c52eb09cbb
unquoted service path tweaks
2023-01-13 17:06:42 -05:00
145589f7a2
Add GetPteBaseW10
2023-01-12 01:15:23 -05:00
868072e6c8
Land #17317 , Fix various WinRM modules
2023-01-03 19:57:07 +01:00
45c0af48c2
Suggested changes from code review
2023-01-03 11:26:07 +11:00
3204caf618
Make use of session platform
2022-12-15 14:28:19 -05:00
28bd03f971
Apply suggestions from code review
...
Co-authored-by: adfoster-r7 <60357436+adfoster-r7@users.noreply.github.com >
2022-12-15 14:50:10 +11:00
57152fdd5f
Use framework's thread mechanism for background keepalive worker
2022-12-15 14:44:57 +11:00
2fa7e7b2d5
Lenovo Diagnostics Driver Privilege Escaltion (CVE-2022-3699)
2022-12-12 21:53:53 -05:00
d09aef7dc5
Land #17350 , Remove unnecesary sleep
...
Remove unnecesary sleep in several bypassuac modules
2022-12-12 17:45:10 -05:00
5a66666b4d
Fix check methods by using #present?
2022-12-12 16:53:34 -05:00
8d097e0fd0
Fixes bug in s4u_persistence module
2022-12-09 11:24:16 +11:00
c54109586c
Remove unnecesary sleep in several bypassuac modules
2022-12-09 11:09:19 +11:00
aaef7726db
Land #17330 , Fix enumerating emails via ProxyShell
2022-12-06 14:02:53 +01:00
8e9e8468f2
Land #17338 , Lint modules
2022-12-05 13:17:40 +00:00
14d05c9c6c
Lint modules
2022-12-05 10:41:31 +00:00
c1ff9337c8
dnn_cookie_deserialization_rce: Remove empty 'Payload' Hash key
2022-12-04 17:50:24 +11:00
431804ef15
Fix typos: Replace 'the the' with 'the'
2022-12-04 17:41:24 +11:00
96da805014
Fix enumerating emails via ProxyShell
...
The ResolveNames endpoint used to gather emails addresses for targeting
only returns 100 at a time. This updates the module to check if the
search result contains all entries and when it does, it recurses into
itself with a refined search prefix. All results are returned to match
the original functionality instead of enumerating and halting once one
that's suitable for exploitation has been found.
2022-12-02 15:58:50 -05:00
d3057f15b2
Land #17275 , Add Exploit For CVE-2022-41082 (ProxyNotShell)
2022-11-30 18:16:19 +01:00
0323d45737
More correct approach to encoding for command line
2022-11-30 11:54:42 +11:00
5fce80ed1d
Added comments to most functions
2022-11-30 11:53:57 +11:00
1231eefe55
Fixed WQL module while I'm at it
2022-11-30 10:26:19 +11:00
Jack Heysel