Spencer McIntyre
25f50e607c
Reduce code, be more permissive
This makes a few changes that should enable the module to function
better should it be dropped into a fresh MSF installation on its own.
2022-07-15 16:29:17 -05:00
Grant Willcox
c5f2507ee0
Fix up usage of the word columns where attributes was more appropriate. Also update the multi query logic to match new data format as it was broken before as a result of changes to file format. Finally remove extra parameters that are no longer needed.
2022-07-15 16:28:43 -05:00
Grant Willcox
8c236e789e
Rename files to follow proper format. Add in documentation for examples. Then update code so we use Msf::Config.get_config_root to store the config file that we parse to get the actions outside of a Git tracked location. We will still use the default file to populate this non-git tracked location if it's not already populated though.
2022-07-15 16:28:43 -05:00
Grant Willcox
3c56e272a1
Remove default actions and move them to default.yaml, then update code accordingly. Also update the initialization code so it will now load the possible actions dynamically from default.yaml.
2022-07-15 16:28:37 -05:00
bwatters
c751ef46c9
Land #16635, Add 0-day MSWord RCE #Follina CVE-2022-30190
Merge branch 'land-16635' into upstream-master
2022-06-06 14:41:31 -05:00
RAMELLA Sébastien
97921b4ed9
fix chmod 644
2022-05-30 22:11:35 +04:00
RAMELLA Sébastien
dfc226cf5f
add. Supposed 0day MSWord RCE
2022-05-30 21:23:18 +04:00
ssst0n3
246a3604b8
set the org to be 0x400000
2022-05-13 10:50:19 +08:00
bwatters
934f193dc0
Land #16484, Add vcenter_forge_saml_token aux module
Merge branch 'land-16484' into upstream-master
2022-05-12 17:36:20 -05:00
npm-cesium137-io
7190a967ce
Refactor MKII vcenter_forge_saml_token
2022-04-25 11:44:39 -04:00
npm-cesium137-io
3e07b8c99b
Refactor MKI vcenter_forge_saml_token.rb
Extensive refactoring to move away from directly manipulating datastore
options and use local variables instead.
The initial template generation method has been redesigned to use an
external file via Erubi::Engine which is much cleaner vs. jamming a
multiline string into the module.
Response HTML from vCenter is now parsed with Nokogiri HTML vs. pulling
it out with regex.
Registered options have been reworked, following suggestions and
feedback. The use of VHOST in particular eliminates the need to pass
RHOSTS to the template and makes the module behave more closely to "real"
vCenter (i.e., always uses FQDN for the destination).
Added advanced datastore options to control the token lifetime
NOT_BEFORE and NOT_AFTER skew, in seconds. This also uncovered a bug with
the way I was deriving Zulu time which skewed based on the local system
time zone offset from Zulu; this has been fixed.
Corrected a stupid typo in the validate_fqdn method (don't need to check
for capital letters if the test string is always downcase...)
validate_idp_options now uses File.binread and can process certs in keys
in DER or PEM instead of just PEM.
Code optimization, particularly around error handling; other minor
tweaks based on improved understanding of the Framework's capabilities.
Many style changes and modifications based on suggestions and feedback.
Documentation was updated to reflect reality.
2022-04-23 19:42:24 -04:00
Grant Willcox
e2c6c36b2b
Land #1642, Add module for cve-2022-0995
2022-04-21 09:12:47 -05:00
bwatters
26f9175816
Update c source with argc check and CRASH notes for module
2022-04-20 17:37:48 -05:00
space-r7
54f8d44639
add osx binary
2022-04-18 09:42:40 -05:00
bwatters
96d86944da
Added precompiled binary and option to strip output, fixed comment-strip bug
2022-04-07 17:09:35 -05:00
Spencer McIntyre
5de966cfb1
Land #16382, CVE-2022-26904 SuperProfile LPE
2022-04-07 12:52:39 -04:00
Grant Willcox
9e2d7f655b
Update data to fix more things found during review process
2022-04-05 12:48:11 -05:00
Grant Willcox
db4b22df5e
Update the exploit code to output errors in a better format, and fix a potential issue when trying to delete folders recursively. Also update exploit module to try to kill msiexec.exe if it's still running to prevent it holding onto handles when it shouldn't be.
2022-04-04 17:58:52 -05:00
Grant Willcox
8daecca5c3
Update code with latest changes
2022-04-01 12:11:05 -05:00
Grant Willcox
d29f5690a1
Add in backup code to DLL template to fall back to old way of executing things in case the BREAKAWAY_FROM_JOB flag cannot be used
2022-03-31 14:28:29 -05:00
Grant Willcox
743138abed
Add in initial fixes from review and remove extra BREAKAWAY_FROM_JOB code changes not directly related to this PR as we'll raise a separate PR for those
2022-03-31 12:13:29 -05:00
Grant Willcox
bd3e0c1b53
Add in support for exploiting domain joined systems
2022-03-28 16:14:19 -05:00
Grant Willcox
e5c0259723
Add CREATE_BREAKAWAY_FROM_JOB flag to source files related to DLL generation, update the exploit source to denote how to clean up in case the payload can't clean up
2022-03-23 19:38:32 -05:00
Grant Willcox
a25b3a70ad
Update permissions on template DLLs
2022-03-23 17:49:03 -05:00
Grant Willcox
b1ce05f97c
Add in updated Ruby code and also update the DLLs and prepend_migrate.rb to use the CREATE_BREAKAWAY_FROM_JOB flag with CreateProcess to break away from the job if the job has the JOB_OBJECT_LIMIT_BREAKAWAY_OK limit set to allow breakaway jobs
2022-03-23 17:47:25 -05:00
Spencer McIntyre
da16aad96a
Land #16298, Add the capture plugin
2022-03-21 20:03:16 -04:00
Grant Willcox
715082a960
Update exploit and module with new delay timing and latest copy of DLL
2022-03-21 12:05:48 -05:00
Grant Willcox
c1d6dced8d
Update library code to read exchange versions from exchange_versions.json and populate exchange_versions.json with initial info
2022-03-17 11:29:01 -05:00
Ashley Donaldson
9074d7b2bd
Reformatted yaml file to be more flexible in future
2022-03-17 08:47:10 +11:00
Ashley Donaldson
b34189e24c
Take more parameters from a config file
2022-03-11 15:10:08 +11:00
space-r7
b747e55dda
Land #16303, add Dirty Pipe exploit
2022-03-10 11:16:28 -06:00
space-r7
2102c7daca
add binaries for pre-compiled option
2022-03-10 08:50:48 -06:00
Tim W
955cc9c986
fix cross compiling
2022-03-09 06:59:25 +00:00
Tim W
676c4a6f4f
improve fork behaviour
2022-03-08 10:24:25 +00:00
Tim W
7ca6a28c05
embed payload inside exploit and add check method
2022-03-08 09:51:49 +00:00
Ashley Donaldson
e4f5d5a539
Merge branch 'master' into hash_capture
2022-03-08 07:57:42 +11:00
space-r7
7a9d30e5b1
Land #16227, add wp masterstudy privesc module
2022-03-07 10:58:23 -06:00
Tim W
5bd48d0a7d
initial commit of dirtypipe
2022-03-07 15:49:27 +00:00
Ashley Donaldson
02bb5234a3
Update help, fix POP3S port and disable DNS (broken) and WPAD (not actually useful)
2022-03-07 21:40:31 +11:00
Spencer McIntyre
6be3443680
Land #16103, LPE in polkit's pkexec (CVE-2021-4034)
2022-03-03 09:24:11 -05:00
Ashley Donaldson
6bffa663a9
Don't try to launch UDP services remotely.
Use normal capitalisation when showing service names to users.
2022-03-02 14:00:41 +11:00
Ashley Donaldson
75c0951fc9
Track capture jobs by session, and support stopping captures per-session
2022-03-02 09:59:56 +11:00
Ashley Donaldson
8dd459edbb
Read some config in from a file
2022-03-01 15:29:50 +11:00
space-r7
0d10409d67
Land #16131, add modern events calendar sqli
2022-02-28 12:27:45 -06:00
h00die
9799d87ec9
update exploitable plugins
2022-02-25 17:00:34 -05:00
bwatters
b69db83398
Land #16202, Add exploit for CVE-2022-21882 (Win32k LPE)
Merge branch 'land-16202' into upstream-master
2022-02-25 15:55:48 -06:00
bwatters
9e9ae9a8cc
Remove unneeded files
2022-02-18 16:33:39 -06:00
bwatters
3ea032472d
Updated exploit with better check method, added OnSessionCmd option
to run a command when a session is bootstrapped, added more
documentation.
2022-02-18 16:30:47 -06:00
Spencer McIntyre
443bf1249a
Remove all the old CVE-2021-1732 data
2022-02-18 15:25:39 -05:00
Spencer McIntyre
d92259f868
One exploit for CVE-2021-1732 and CVE-2022-21882
2022-02-18 15:23:38 -05:00