h00die
c6e18ee469
cve-2022-1329
2022-10-02 15:59:58 -04:00
bwatters
c17c78bc0f
Land #16995 , Add TrustedSec's COFFLoader as Meterpreter Extension
...
Merge branch 'land-16995' into upstream-master
2022-09-30 14:14:39 -05:00
bwatters
e27dbd2787
Land #16794,Add exploit for CVE-2022-34918
...
Merge branch 'land-16794' into upstream-master
2022-09-27 16:37:52 -05:00
Spencer McIntyre
37d3c296ad
Add compiler support when mingw is available
2022-09-15 16:06:25 -04:00
Grant Willcox
a41ec9388f
Land #16725 , Add ManageEngine ADAudit Plus and DataSecurity Plus Xnode enum modules, docs and mixin (CVE-2020–11532)
2022-09-01 08:46:36 -05:00
Grant Willcox
9dcbf55ea8
Update ldap_query logic to handle binary data
2022-08-29 15:34:18 -05:00
Spencer McIntyre
ae5a9bd41b
Land #16734 , Add rtf support to cve-2022-30190
...
Add rtf support to cve-2022-30190 AKA Follina
2022-08-25 17:26:46 -04:00
Grant Willcox
109065e7c7
Fix up LDAP query syntax for some queries
2022-08-24 16:59:13 -05:00
Spencer McIntyre
e03f479659
Add a couple of ADCS related queries
2022-08-24 15:13:19 -04:00
Spencer McIntyre
3c495770b8
Allow configuring a base_dn prefix
2022-08-24 15:13:16 -04:00
Grant Willcox
97bce45e69
Land #16915 , Add exploit for CVE-2022-23277 (Exchange RCE)
2022-08-19 11:11:46 -05:00
Spencer McIntyre
62ab42b797
Update vulnerable version numbers and docs
2022-08-17 08:55:46 -04:00
bcoles
e6d4a80e0f
data: powershell: msflag.ps1: Remove "from Metasploit" from flag message
2022-08-12 17:30:40 +10:00
bcoles
4d4f7b8c55
mv scripts/ps/msflag.ps1 data/post/powershell/msflag.ps1
2022-08-08 18:00:36 +10:00
ErikWynter
d6dabd4bfb
additional code review improvements for xnode auxiliary modules/lib/docs
2022-07-28 15:12:00 +03:00
Redouane NIBOUCHA
78dae84871
Updates to the C source code (execl instead of execve, removal of some old comments)
2022-07-25 22:18:47 +02:00
Grant Willcox
14e3c694ff
Fix default LDAP query descriptions due to some typos
2022-07-22 12:13:14 -05:00
Redouane NIBOUCHA
37f1fdd47b
Add module docs, add Ubuntu 22.04 offsets, update check method
2022-07-22 03:30:03 +02:00
Redouane NIBOUCHA
73db035e57
Add more offsets to the exploit, clean up the exploit C source, add check method
2022-07-21 01:22:20 +02:00
Redouane NIBOUCHA
fe2e413426
Add exploit for CVE-2022-34918
2022-07-20 13:51:22 +02:00
Spencer McIntyre
25f50e607c
Reduce code, be more permissive
...
This makes a few changes that should enable the module to function
better should it be dropped into a fresh MSF installation on its own.
2022-07-15 16:29:17 -05:00
Grant Willcox
c5f2507ee0
Fix up usage of the word columns where attributes was more appropriate. Also update the multi query logic to match new data format as it was broken before as a result of changes to file format. Finally remove extra parameters that are no longer needed.
2022-07-15 16:28:43 -05:00
Grant Willcox
8c236e789e
Rename files to follow proper format. Add in documentation for examples. Then update code so we use Msf::Config.get_config_root to store the config file that we parse to get the actions outside of a Git tracked location. We will still use the default file to populate this non-git tracked location if its not already populated though.
2022-07-15 16:28:43 -05:00
Grant Willcox
3c56e272a1
Remove default actions and move them to default.yaml, then update code accordingly. Also update the initialization code so it will now load the possible actions dynamically from default.yaml.
2022-07-15 16:28:37 -05:00
bwatters
ef9f5ca463
Add rtf support to cve-2022-30190 AKA Follina
2022-06-30 17:30:06 -05:00
kalba-security
ba83b1bdf5
add manageengine adaudit plus and datasecurity plus xnode enum modles and manageengine_xnode lib
2022-06-10 10:32:25 -04:00
bwatters
c751ef46c9
Land #16635 , Add 0-day MSWord RCE #Follina CVE-2022-30190
...
Merge branch 'land-16635' into upstream-master
2022-06-06 14:41:31 -05:00
RAMELLA Sébastien
97921b4ed9
fix chmod 644
2022-05-30 22:11:35 +04:00
RAMELLA Sébastien
dfc226cf5f
add. Supposed 0day MSWord RCE
2022-05-30 21:23:18 +04:00
ssst0n3
246a3604b8
set the org to be 0x400000
2022-05-13 10:50:19 +08:00
bwatters
934f193dc0
Land #16484 , Add vcenter_forge_saml_token aux module
...
Merge branch 'land-16484' into upstream-master
2022-05-12 17:36:20 -05:00
npm-cesium137-io
7190a967ce
Refactor MKII vcenter_forge_saml_token
2022-04-25 11:44:39 -04:00
npm-cesium137-io
3e07b8c99b
Refactor MKI vcenter_forge_saml_token.rb
...
Extensive refactoring to move away from directly manipulating datastore
options and use local variables instead.
The initial template generation method has been redesigned to use an
external file via Erubi::Engine which is much cleaner vs. jamming a
multiline string into the module.
Response HTML from vCenter is now parsed with Nokogiri HTML vs. pulling
it out with regex.
Registered options have been reworked, following suggestions and
feedback. The use of VHOST in particular eliminates the need to pass
RHOSTS to the template and makes the module behave more closely to "real"
vCenter (i.e., always uses FQDN for the destination).
Added advanced datastore options to control the token lifetime
NOT_BEFORE and NOT_AFTER skew, in seconds. This also uncovered a bug with
the way I was deriving Zulu time which skewed based on the local system
time zone offset from Zulu; this has been fixed.
Corrected a stupid typo in the validate_fqdn method (don't need to check
for capital letters if the test string is always downcase...)
validate_idp_options now uses File.binread and can process certs in keys
in DER or PEM instead of just PEM.
Code optimization, particularly around error handling; other minor
tweaks based on improved understanding of the Framework's capabilities.
Many style changes and modifications based on suggestions and feedback.
Documentation was updated to reflect reality.
2022-04-23 19:42:24 -04:00
Grant Willcox
e2c6c36b2b
Land #1642 , Add module for cve-2022-0995
2022-04-21 09:12:47 -05:00
bwatters
26f9175816
Update c source with argc check and CRASH notes for module
2022-04-20 17:37:48 -05:00
space-r7
54f8d44639
add osx binary
2022-04-18 09:42:40 -05:00
bwatters
96d86944da
Added precompiled binary and option to strip output, fixed comment-strip bug
2022-04-07 17:09:35 -05:00
Spencer McIntyre
5de966cfb1
Land #16382 , CVE-2022-26904 SuperProfile LPE
2022-04-07 12:52:39 -04:00
Grant Willcox
9e2d7f655b
Update data to fix more things found during review process
2022-04-05 12:48:11 -05:00
Grant Willcox
db4b22df5e
Update the exploit code to output errors in a better format, and fix a potential issue when trying to delete folders recursively. Also update exploit module to try kill msiexec.exe if its still running to prevent it holding onto handles when it shouldn't be.
2022-04-04 17:58:52 -05:00
Grant Willcox
8daecca5c3
Update code with latest changes
2022-04-01 12:11:05 -05:00
Grant Willcox
d29f5690a1
Add in backup code to DLL template to fall back to old way of executing things in case the BREAKAWAY_FROM_JOB flag cannot be used
2022-03-31 14:28:29 -05:00
Grant Willcox
743138abed
Add in initial fixes from review and remove extra BREAKAWAY_FROM_JOB code changes not directly related to this PR as we'll raise a separate PR for those
2022-03-31 12:13:29 -05:00
Grant Willcox
bd3e0c1b53
Add in support for exploiting domain joined systems
2022-03-28 16:14:19 -05:00
Grant Willcox
e5c0259723
Add CREATE_BREAKAWAY_FROM_JOB flag to source files related to DLL generation, update the exploit source to denote how to clean up in case the payload can't clean up
2022-03-23 19:38:32 -05:00
Grant Willcox
a25b3a70ad
Update permissions on template DLLs
2022-03-23 17:49:03 -05:00
Grant Willcox
b1ce05f97c
Add in updated Ruby code and also update the DLLs and prepend_migrate.rb to use the CREATE_BREAKAWAY_FROM_JOB flag with CreateProcess to break away from the job if the job has the JOB_OBJECT_LIMIT_BREAKAWAY_OK limit set to allow breakaway jobs
2022-03-23 17:47:25 -05:00
Spencer McIntyre
da16aad96a
Land #16298 , Add the capture plugin
2022-03-21 20:03:16 -04:00
Grant Willcox
715082a960
Update exploit and module with new delay timing and latest copy of DLL
2022-03-21 12:05:48 -05:00
Grant Willcox
c1d6dced8d
Update library code to read exchange versions from exchange_versions.json and populate exchange_versions.json with initial info
2022-03-17 11:29:01 -05:00