bwatters-r7
7df18e378d
Fix conflicts in PR 8509 by mergeing to master
2017-10-09 10:30:21 -05:00
Spencer McIntyre
3f6f70f820
Move the cve-2017-8464 source to external/source
2017-10-08 13:58:51 -04:00
Kirk Swidowski
2ee94ca3d9
made changes based on PR feedback.
2017-09-01 16:49:17 -07:00
Kirk Swidowski
b7fc990d17
moved project to the source directory.
2017-09-01 16:09:53 -07:00
Tim
ffbf21cb1c
cleanup
2017-08-31 18:35:18 +08:00
Tim
7b71f60ea1
fix the stack
2017-08-31 18:35:18 +08:00
Tim
26f4fa3b09
setup stack
2017-08-31 18:35:17 +08:00
Tim
a2396991f0
stager not setting up stack
2017-08-31 18:35:17 +08:00
Tim
6dbe00158f
fix stager
2017-08-31 18:35:17 +08:00
David Tomaschik
ef6c20ce51
Update README
...
Meterpreter repo now redirects to metasploit-payloads.
2017-08-27 10:26:35 -07:00
Tim
d6d6c67f33
add stage_shell.s and cleanup
2017-08-21 14:42:30 +08:00
Tim
ac6495a7eb
formatting
2017-08-21 12:35:13 +08:00
Tim
9768a89bcd
aarch64 staged shell
2017-08-21 11:14:42 +08:00
Tim
8b4ccc66c7
add linux/aarch64/shell_reverse_tcp
2017-08-17 18:55:37 +08:00
Brent Cook
59086af261
Land #8771 , rewrite linux x64 stagers with Metasm
2017-08-14 02:32:29 -04:00
tkmru
f961d7da13
update src
2017-07-29 21:08:52 +09:00
tkmru
6c5d8279ca
change to generate payload from metasm
2017-07-16 19:21:09 +09:00
tkmru
4e046db9b3
add retry to linux reverse tcp x86
2017-07-14 12:47:32 +09:00
tkmru
62533509c6
fit source to shellcode prev change
2017-07-12 16:26:00 +09:00
Tim
db8698e82b
Land #8655 , add error handling to mipsle linux reverse tcp stager
2017-07-11 22:33:54 +08:00
Tim
b9f5ebcf66
update comment
2017-07-11 00:58:03 +08:00
Tim
75c571de83
Land #8653 , add error handling to mipsbe linux reverse tcp stager
2017-07-09 19:36:15 +08:00
Tim
cd0c2c213f
pedantic tweaks
2017-07-09 19:36:03 +08:00
tkmru
a4a959266b
update cachedSize
2017-07-06 17:43:27 +09:00
tkmru
adeffd6600
add error handling to stager_sock_reverse src on mipsle
2017-07-06 17:07:11 +09:00
tkmru
2d8a71de6f
tab to space
2017-07-05 18:22:06 +09:00
tkmru
d02d6826a9
fix reverse tcp stager src
2017-07-05 17:56:59 +09:00
tkmru
d1f08a80bd
add error handling to reverse_tcp on mipsbe
2017-07-05 17:50:49 +09:00
tkmru
084b211e9b
add x64 stager_sock_reverse src
2017-06-25 16:31:37 +09:00
Tim
03116d7933
Land #8543 , add error handling to ARM linux reverse tcp stager
2017-06-18 15:38:16 +08:00
Tim
210a4cb299
fix indent
2017-06-18 15:35:23 +08:00
tkmru
1773a5f188
fix indent
2017-06-16 15:57:09 +09:00
Tim
9cf9d22bae
fix mmap return cmp
2017-06-16 06:26:40 +08:00
RaMMicHaeL
f17b28930d
Update executex64.asm
2017-06-04 13:18:50 +03:00
L3cr0f
6a3fc618a4
Add bypassuac_injection_winsxs.rb module
2017-06-03 12:59:50 +02:00
RaMMicHaeL
ca5b20f4d0
Fixed an elusive bug on AMD CPUs
...
Details:
http://blog.rewolf.pl/blog/?p=1484
rwfpl/rewolf-wow64ext@8771485
2017-06-03 11:30:11 +03:00
zerosum0x0
bdf121e1c0
x86 kernels will safely ret instead of BSOD
2017-05-17 23:48:14 -06:00
zerosum0x0
4f3a98d434
add arch detection to shellcode
2017-05-17 23:36:17 -06:00
zerosum0x0
a5c391dae2
multi-arch ring0->ring3 shellcode .asm file (work in progress)
2017-05-17 23:29:05 -06:00
Brent Cook
176e88f293
Land #7835 , Add Windows Local Privilege Escalation exploit stub
2017-03-08 06:20:58 -05:00
William Webb
83cc28a091
Land #7972 , Microsoft Office Word Macro Generator OS X Edition
2017-02-21 13:26:42 -06:00
wchen-r7
3d269b46ad
Support OS X for Microsoft Office macro exploit
2017-02-16 12:28:11 -06:00
OJ
1c62559e55
Add v1 of SQL Clr stored proc payload module
2017-02-10 10:28:22 +10:00
wchen-r7
ccaa783a31
Add Microsoft Office Word Macro exploit
2017-02-02 17:44:55 -06:00
OJ
b6e882c8eb
Add a Windows LPE exploit template for x64/x86
2017-01-17 11:20:14 +10:00
OJ
32173b9701
Move execute_payload to the kernel lib
2017-01-17 11:19:26 +10:00
Brent Cook
2585c8c8b5
Land #7461 , convert futex_requeue (towelroot) module to use targetting and core_loadlib
2017-01-11 13:24:25 -06:00
Tim
25a8283af3
fork early and use WfsDelay
2016-12-20 00:59:27 +08:00
Tim
f1efa760df
more fixes
2016-12-20 00:52:11 +08:00
Tim
e6d4c0001c
hide debug printing
2016-12-20 00:52:11 +08:00
Tim
7ac3859393
convert futex_requeue module to use targetting and core_loadlib
2016-12-20 00:52:11 +08:00
Tim
3afa20a1af
fix double \n in printf
2016-12-13 17:02:23 +08:00
Tim
fe9972cc25
fork early and use WfsDelay
2016-12-13 17:02:23 +08:00
Tim
891fccb4e2
add pattern for GT-S7392
2016-12-13 17:02:23 +08:00
Tim
07ce7f3aed
fix make run
2016-12-13 17:02:23 +08:00
Tim
9ece45a180
dont exit(0) when exploit fails
2016-12-13 17:02:23 +08:00
Tim
ebf7ae0739
add CVE-2013-6282, put_user/get_user exploit for Android
2016-12-13 17:02:23 +08:00
William Webb
31b593ac67
Land #7402 , Add Linux local privilege escalation via overlayfs
2016-11-01 12:46:40 -05:00
h00die
0d1fe20ae5
revamped
2016-10-15 20:57:31 -04:00
h00die
12493d5c06
moved c code to external sources
2016-10-13 20:37:03 -04:00
RageLtMan
36b989e6d7
Initial import of .NET compiler and persistence
...
Add Exploit::Powershell::DotNet namespace with compiler and
runtime elevator.
Add compiler modules for payloads and custom .NET code/blocks.
==============
Powershell-based persistence module to compile .NET templates
with MSF payloads into binaries which persist on host.
Templates by @hostess (way back in 2012).
C# templates for simple binaries and a service executable with
its own install wrapper.
==============
Generic .NET compiler post module
Compiles .NET source code to binary on compromised hosts.
Useful for home-grown APT deployment, decoy creation, and other
misdirection or collection activities.
Using mimikatz (kiwi), one can also extract host-resident certs
and use them to sign the generated binary, thus creating a
locally trusted exe which helps with certain defensive measures.
==============
Concept:
Microsoft has graciously included a compiler in every modern
version of Windows. Although executables which can be easily
invoked by the user may not be present on all hosts, the
shared runtime of .NET and Powershell exposes this functionality
to all users with access to Powershell.
This commit provides a way to execute the compiler entirely in
memory, seeking to avoid disk access and the associated forensic
and defensive measures. Resulting .NET assemblies can be run
from memory, or written to disk (with the option of signing
them using a pfx cert on the host). Two basic modules are
provided to showcase the functionality and execution pipeline.
Usage notes:
Binaries generated this way are dynamic by nature and avoid sig
based detection. Heuristics, sandboxing, and other isolation
mechanisms must be defeated by the user for now. Play with
compiler options, included libraries, and runtime environments
for maximum entropy before you hit the temmplates.
Defenders should watch for:
Using this in conjunction with WMI/PS remoting or other MSFT
native distributed execution mechanism can bring malware labs
to their knees with properly crafted templates.
The powershell code to generate the binaries also provides a
convenient method to leave behind complex trojans which are not
yet in binary form, nor will they be until execution (which can
occur strictly in memory avoiding disk access for the final
product).
==============
On responsible disclosure: I've received some heat over the years
for prior work in this arena. Everything here is already public,
and has been in closed PRs in the R7 repo for years. The bad guys
have had this for a while (they do their homework religiously),
defenders need to be made aware of this approach and prepare
themselves to deal with it.
2016-10-08 14:05:53 -05:00
OJ
0e82ced082
Add LPE exploit module for the capcom driver flaw
...
This commit includes:
* RDI binary that abuses the SMEP bypass and userland function pointer
invocation that is provided by the driver.
* Related metasploit module.
* Associated make.build to build from command line.
* Updated command line build file.
This also includes the beginnings of a new set of functions that help
with the management/automation of kernel-related work on Windows for
local priv esc exploits.
2016-09-27 22:37:45 +10:00
William Webb
21e6211e8d
add exploit for cve-2016-0189
2016-08-01 13:26:35 -05:00
Pearce Barry
7b1d9596c7
Land #7068 , Introduce 'mettle' - new POSIX meterpreter
2016-07-11 22:38:40 -05:00
William Webb
b4b3a84fa5
refactor ms16-016 code
2016-07-05 20:50:43 -05:00
Adam Cammack
0390ed4d6e
Add MIPS O32 Linux support (big and little endian)
2016-07-05 11:24:54 -05:00
Adam Cammack
8de508c4e0
Add mettle module for ARM
2016-07-05 11:24:54 -05:00
EarthQuake
3147553d4f
armeb comments modified
2016-06-10 19:59:59 +02:00
EarthQuake
26680f58ca
Original shellcode added for Linux ARM big endian bind ipv4 tcp
2016-06-10 19:19:16 +02:00
James Lee
f1857d6350
Kill defanged mode
2016-03-28 09:02:07 -05:00
Brent Cook
6eda702b25
Land #6292 , add reverse_tcp command shell for Z/OS (MVS)
2015-12-23 14:11:37 -06:00
Brent Cook
5a19caf10a
remove temp file
2015-12-23 11:42:09 -06:00
dmohanty-r7
eb4611642d
Add Jenkins CLI Java serialization exploit module
...
CVE-2015-8103
2015-12-11 14:57:10 -06:00
jvazquez-r7
bb3a3ae8eb
Land #6176 , @ganzm's fix for 64 bits windows loadlibrary payload
2015-12-01 13:18:41 -06:00
Bigendian Smalls
09d63de502
Added revshell shellcode source
...
Put shell_reverse_tcp.s shellcode source for mainframe reverse shell
into external/source/shellcode/mainframe
2015-12-01 08:26:42 -06:00
Brent Cook
1b951b36fe
remove -db / -pcap / -all gemspecs, merge into one
2015-11-11 15:01:50 -06:00
William Vu
e6202e3eda
Revert "Land #6060 , Gemfile/gemspec updates"
...
This reverts commit 8f4046da40
, reversing
changes made to 2df149b0a5
.
2015-11-08 19:32:15 -06:00
Brent Cook
7c7eb06058
remove unused kissfft library
2015-11-04 08:35:45 -06:00
Matthias Ganz
4eaf1ace81
Bugfix loading address of library path into rcx
...
The old code breaks if the payload is executed from a memory area where the 4 most significant bytes are non-zero.
2015-11-02 16:56:07 +01:00
William Vu
77fae28cd4
Add -q option to msfd to disable banner
2015-10-07 01:57:58 -05:00
jvazquez-r7
9444c8c410
Fix #5988 , windows x64 stagers
...
* Also, use mov esi, esi to save an extra byte
* Also, modify the block_recv.asm code, just to have it up to date
2015-09-28 15:52:50 -05:00
jvazquez-r7
2c9734f178
Add exploit source
2015-09-15 14:54:05 -05:00
jvazquez-r7
6e857568e0
Delete comments
2015-09-03 13:33:40 -05:00
jvazquez-r7
b39575928e
Update reflective exploit
2015-09-03 11:01:41 -05:00
jvazquez-r7
ecf3fb61d6
Replace external source
2015-08-26 15:32:50 -05:00
William Vu
d54249370b
Move tpwn source to external/source/exploits
2015-08-17 18:27:47 -05:00
wchen-r7
7113c801b1
Land #5732 , reliability update for adobe_flash_hacking_team_uaf
2015-07-17 16:43:39 -05:00
jvazquez-r7
255d8ed096
Improve adobe_flash_opaque_background_uaf
2015-07-16 14:56:32 -05:00
jvazquez-r7
ab5c7a806e
Update flash exploiter
2015-07-15 18:32:45 -05:00
jvazquez-r7
bd5d372436
Add build comment
2015-07-15 18:30:05 -05:00
jvazquez-r7
138789b77c
Fix indentation
2015-07-15 18:29:28 -05:00
jvazquez-r7
b504f0be8e
Update adobe_flash_hacking_team_uaf
2015-07-15 18:18:04 -05:00
wchen-r7
d6565a9aee
Merge branch 'bes_flash' into bapv2_flash_test
2015-07-14 00:34:54 -05:00
jvazquez-r7
b72ba7f51c
Add AS2 flash detection code
2015-07-13 18:26:02 -05:00
jvazquez-r7
8fb6bedd94
Delete as3 detecotr
2015-07-13 18:23:39 -05:00
jvazquez-r7
9116460cb0
Add prototype with AS3
2015-07-13 16:33:55 -05:00
jvazquez-r7
299978d0e2
Put again old exploiter
2015-07-11 00:36:32 -05:00
jvazquez-r7
63005a3b92
Add module for flash CVE-2015-5122
...
* Just a fast port for the exploit leaked
* Just tested on win7sp1 / IE11
2015-07-11 00:28:55 -05:00
Tod Beardsley
3d630de353
Replace with a real CVE number
2015-07-07 14:44:12 -05:00
jvazquez-r7
d9aacf2d41
Add module for hacking team flash exploit
2015-07-07 11:19:48 -05:00
jvazquez-r7
1de94a6865
Add module for CVE-2015-3113
2015-07-01 13:13:57 -05:00
jvazquez-r7
e49c36998c
Fix indentation
2015-06-25 14:12:23 -05:00
jvazquez-r7
a87d4e5764
Add flash_exploiter template
2015-06-25 13:52:57 -05:00
jvazquez-r7
ee0377ca16
Add module for CVE-2015-3105
2015-06-25 13:35:01 -05:00
Spencer McIntyre
2206a6af73
Support older targets x86 for MS15-051
2015-06-25 09:33:15 +10:00
OJ
3686accadd
Merge branch 'upstream/master' into cve-2015-1701
2015-06-22 07:52:17 +10:00
OJ
b78ba55c25
Merge minor CVE-2015-1701 from zeroSteiner
2015-06-22 07:50:26 +10:00
Spencer McIntyre
d73a3a4a5f
Dont call ExitProcess because it might kill the shell
2015-06-21 16:16:33 -04:00
jvazquez-r7
27a583853c
Fix one more line indentation
2015-06-18 12:40:30 -05:00
jvazquez-r7
55f077fa9e
Fix indentation
2015-06-18 12:38:36 -05:00
jvazquez-r7
de1542e589
Add module for CVE-2015-3090
2015-06-18 12:36:14 -05:00
wchen-r7
17b8ddc68a
Land #5524 , adobe_flash_pixel_bender_bof in flash renderer
2015-06-15 02:42:16 -05:00
jvazquez-r7
72672fc8f7
Delete debug
2015-06-11 17:39:36 -05:00
jvazquez-r7
8ed13b1d1b
Add linux support for CVE-2014-0515
2015-06-11 16:18:50 -05:00
wchen-r7
ae21b0c260
Land #5523 , adobe_flash_domain_memory_uaf in the flash renderer
2015-06-10 16:59:19 -05:00
wchen-r7
4c5b1fbcef
Land #5522 , adobe_flash_worker_byte_array_uaf in the flash renderer
2015-06-10 14:49:41 -05:00
jvazquez-r7
af31112646
Fix exploit indentation
2015-06-10 14:19:36 -05:00
jvazquez-r7
64562565fb
Fix method indentation
2015-06-10 14:16:47 -05:00
jvazquez-r7
2bb3a5059c
Fix else indentation
2015-06-10 14:15:58 -05:00
jvazquez-r7
1d05ce1cdc
Fix for indentation
2015-06-10 14:14:29 -05:00
jvazquez-r7
7202e27918
Fix indentation
2015-06-10 14:12:26 -05:00
jvazquez-r7
ab132290d7
Add Exploiter AS
2015-06-10 13:53:45 -05:00
jvazquez-r7
6c7ee10520
Update to use the new flash Exploiter
2015-06-10 13:52:43 -05:00
jvazquez-r7
0d2454de93
Fix indentation
2015-06-10 12:27:52 -05:00
jvazquez-r7
7fba64ed14
Allow more search space
2015-06-10 12:26:53 -05:00
jvazquez-r7
ecbddc6ef8
Play with memory al little bit better
2015-06-10 11:54:57 -05:00
wchen-r7
d622c782ef
Land #5519 , adobe_flash_uncompress_zlib_uninitialized in the flash renderer
2015-06-10 11:52:47 -05:00
wchen-r7
667db8bc30
Land #5517 , adobe_flash_casi32_int_overflow (exec from the flash renderer)
2015-06-10 11:39:13 -05:00
jvazquez-r7
2b4fe96cfd
Tweak Heap Spray
2015-06-10 10:56:24 -05:00
jvazquez-r7
a6fe383852
Use AS Exploiter
2015-06-10 09:32:52 -05:00
jvazquez-r7
64b486eeac
Change filename
2015-06-10 09:12:52 -05:00
jvazquez-r7
d95a0f432d
Update AS codE
2015-06-10 09:12:25 -05:00
jvazquez-r7
e5d6c9a3cb
Make last code cleanup
2015-06-09 16:01:57 -05:00
jvazquez-r7
d9db45690f
Delete debug messages
2015-06-09 15:47:59 -05:00
jvazquez-r7
cf8c6b510b
Debug version working
2015-06-09 15:46:21 -05:00
jvazquez-r7
f4649cb3fb
Delete old AS
2015-06-09 14:50:59 -05:00
jvazquez-r7
4f1ee3fcdf
Really fix indentation
2015-06-09 12:42:32 -05:00
jvazquez-r7
5bab1cfc68
Fix indentation
2015-06-09 12:38:24 -05:00
jvazquez-r7
39851d277d
Unset debug flag
2015-06-09 11:36:09 -05:00
jvazquez-r7
b7f0fad72f
Modify CVE-2014-0569 to use the flash exploitation code
2015-06-09 11:31:39 -05:00
wchen-r7
5a6a16c4ec
Resolve #4326 , remove msfpayload & msfencode. Use msfvenom instead!
...
msfpayload and msfencode are no longer in metasploit. Please use
msfvenom instead.
Resolves #4326
2015-06-08 11:30:04 -05:00
OJ
b291d41b76
Quick hack to remove hard-coded offsets
2015-06-05 13:19:41 +10:00
jvazquez-r7
51d98e1008
Update AS code
2015-06-04 18:34:08 -05:00
jvazquez-r7
02181addc5
Update CVE-2014-0556
2015-06-04 18:23:50 -05:00
wchen-r7
23df66bf3a
Land #5481 , no powershell. exec shellcode from the renderer process.
2015-06-04 15:45:09 -05:00
jvazquez-r7
75454f05c4
Update AS source code
2015-06-04 12:12:49 -05:00
jvazquez-r7
80cb70cacf
Add support for Windows 8.1/Firefox
2015-06-03 22:46:04 -05:00
jvazquez-r7
74117a7a52
Allow to execute payload from the flash renderer
2015-06-03 16:33:41 -05:00
OJ
455a3b6b9d
Add butchered version of CVE-2015-1701
2015-06-03 21:48:23 +10:00
jvazquez-r7
e9714bfc82
Solve conflics
2015-05-27 23:22:00 -05:00