Post-exploitation exploitation #611
Commits on Jun 13, 2012
-
Make the Exploit::Local class useful
This commit is the main infrastructure needed to run exploits in a local context, gluing the Exploit and Post module classes together.
Commit 5717f52
-
Commit 8707df3
-
Add a post-exploitation exploit for suid nmap
Tested on Ubuntu with nmap 6.00 and nmap 5.00
Commit 0e8fb0f
-
Commit 9f78a9e
-
Commit 2e4231d
-
Commit 1fbe574
-
Commit d2d37f7
-
Commit c39a42d
Commits on Jun 21, 2012
-
Commit 815d80a
Commits on Jun 22, 2012
-
Add the first bits of a sock_sendpage exploit
This can currently build an executable that creates a socket, opens a temporary file, truncates that file with ftruncate(2) and calls sendfile. Still needs to mmap NULL and figure out ring0 shellcode. Baby steps.
Commit fd8b163
-
More progress on syscall wrappers
Something is still broken; my socket() is returning EAFNOSUPPORT, whereas what looks like the same syscall in wunderbar_emporium's exploit.c is returning a socket. Similarly, my __mmap2() is returning EFAULT when trying to map anything, not just NULL.
Commit 6913440
Commits on Jul 8, 2012
-
Commit 6d6b4bf
Commits on Jul 9, 2012
-
Commit c82037d
-
Commit 8d91867
Commits on Jul 16, 2012
-
Add an exploit for sock_sendpage
Unfortunately, adds a dep on bionic for runtime compilation. Gets ring0, sets the (res)uid to 0 and jumps to the payload. Still some payload issues because Linux stagers don't mprotect(2) the buffer they read(2) into. Single payloads work fine, though. Also cleans up and improves local exploits' ability to compile C. [SEERM rapid7#3038]
Commit 7091d1c
-
Commit efe478f
Commits on Jul 17, 2012
-
Commit 6b0196e