Armitage 10.16.12 - a lot of bug fixes.
parent
45a60b6bdd
commit
eee6248795
Binary file not shown.
Binary file not shown.
|
@ -1,6 +1,23 @@
|
|||
Armitage Changelog
|
||||
==================
|
||||
|
||||
16 Oct 12 (tested against msf 15972)
|
||||
---------
|
||||
- Added port 5985 to MSF Scans list.
|
||||
- Meterpreter -> Access -> Persistence sets ACTION option for you
|
||||
- Changed how LHOST and LPORT are set globally to prevent Ruby
|
||||
character encoding conversion error in the framework.
|
||||
- Pass Session, Log Keystrokes, and Persist now query module info
|
||||
in a separate thread (avoids a deadlock opportunity)
|
||||
- Armitage now shows folder/URL in a popup dialog for environments
|
||||
where JDesktop API to open them directly is not supported
|
||||
- Check all credentials option now filters the list to avoid trying
|
||||
a pair of credentials twice.
|
||||
- Armitage's exploit payload selection now selects cmd/unix/interact
|
||||
when appropriate.
|
||||
- Explore -> Processes now works with Java Meterpreter again.
|
||||
- MSF Scans feature now runs http_version against port 443
|
||||
|
||||
5 Sept 12 (tested against msf r15804)
|
||||
---------
|
||||
- Setup dialog now trims host, port, user, and pass fields.
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
<center><h1>Armitage 1.44</h1></center>
|
||||
|
||||
<p>An attack management tool for Metasploit®
|
||||
<br />Release: 5 Sept 12</p>
|
||||
<br />Release: 16 Oct 12</p>
|
||||
<br />
|
||||
<p>Developed by:</p>
|
||||
|
||||
|
|
|
@ -349,6 +349,9 @@ sub best_payload {
|
|||
else if ("java/jsp_shell_bind_tcp" in $compatible) {
|
||||
return "java/jsp_shell_bind_tcp";
|
||||
}
|
||||
else if ("cmd/unix/interact" in $compatible) {
|
||||
return "cmd/unix/interact";
|
||||
}
|
||||
else {
|
||||
return "generic/shell_bind_tcp";
|
||||
}
|
||||
|
|
|
@ -475,8 +475,13 @@ sub gotoFile {
|
|||
return lambda({
|
||||
local('$exception');
|
||||
try {
|
||||
if ([Desktop isDesktopSupported]) {
|
||||
[[Desktop getDesktop] open: $f];
|
||||
}
|
||||
else {
|
||||
ask("Browse to this file:", $f);
|
||||
}
|
||||
}
|
||||
catch $exception {
|
||||
showError("Could not open $f $+ \n $+ $exception");
|
||||
}
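Review bot: `[Desktop isDesktopSupported]` on the new `if` only says the Desktop class is usable; whether the OPEN action works is a separate check (`java.awt.Desktop#isSupported(Desktop.Action.OPEN)`), so on a platform with a Desktop but no OPEN handler `open:` throws and the user lands on the `showError` path instead of the intended `ask` fallback. Extending the condition to also require the OPEN action keeps the popup fallback reachable in that case; the same applies to gotoURL's new branch later on this page, where the action is BROWSE. The Sleep spelling of the enum access would need checking against how the file imports Desktop. A one-line comment on the `else` branch, `# no usable Desktop API here: show the path so the user can open it by hand`, would document why the dialog exists. gotoFile's signature and the lambda's capture list are outside the hunk.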
|
||||
|
|
|
@ -357,6 +357,16 @@ sub _launch_dialog {
|
|||
[$dialog setVisible: 0];
|
||||
}
|
||||
|
||||
# fix some module options...
|
||||
if ($command eq "windows/manage/persistence") {
|
||||
if ('REXE' in $options) {
|
||||
$options['ACTION'] = 'REXE';
|
||||
}
|
||||
else {
|
||||
$options['ACTION'] = 'TEMPLATE';
|
||||
}
|
||||
}
|
||||
|
||||
# it's go time buddy... time to filter some stuff...
|
||||
($type, $command, $options) = filter_data("user_launch", $type, $command, $options);
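Review bot: The new persistence block overwrites `$options['ACTION']` unconditionally, so a value the user already chose in the dialog (or a caller passed in) is discarded; guarding it with `if ('ACTION' !in $options)` before the REXE test keeps an explicit choice. `'REXE' in $options` is a key-presence test, so if the dialog populates REXE with an empty default the ACTION becomes REXE with no executable named — hedged, since the option set is built by the caller outside this hunk. The comment `# fix some module options...` would be more useful stating the rule: `# persistence needs ACTION to match how the payload is supplied (REXE vs TEMPLATE)`. _launch_dialog's body continues outside the hunk.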
|
||||
|
||||
|
|
|
@ -188,7 +188,12 @@ sub main_attack_items {
|
|||
|
||||
sub gotoURL {
|
||||
return lambda({
|
||||
if ([Desktop isDesktopSupported]) {
|
||||
[[Desktop getDesktop] browse: $url];
|
||||
}
|
||||
else {
|
||||
ask("Browse to this URL:", $url);
|
||||
}
|
||||
}, $url => [[new URL: $1] toURI]);
|
||||
}
|
||||
|
||||
|
|
|
@ -191,11 +191,15 @@ sub showMeterpreterMenu {
|
|||
}, $sid => "$sid"));
|
||||
|
||||
item($j, "Persist", 'P', lambda({
|
||||
thread(lambda({
|
||||
launch_dialog("Persistence", "post", "windows/manage/persistence", 1, $null, %(SESSION => $sid, LPORT => %MSF_GLOBAL['LPORT'], HANDLER => "0"));
|
||||
}, \$sid));
|
||||
}, $sid => "$sid"));
|
||||
|
||||
item($j, "Pass Session", 'S', lambda({
|
||||
thread(lambda({
|
||||
launch_dialog("Pass Session", "post", "windows/manage/payload_inject", 1, $null, %(SESSION => $sid, LPORT => %MSF_GLOBAL['LPORT'], HANDLER => "0"));
|
||||
}, \$sid));
|
||||
}, $sid => "$sid"));
|
||||
|
||||
setupMenu($j, "meterpreter_access", @($sid));
|
||||
|
@ -241,7 +245,9 @@ sub showMeterpreterMenu {
|
|||
item($j, "Show Processes", 'P', lambda({ createProcessBrowser($sid); }, $sid => "$sid"));
|
||||
if ("*win*" iswm $platform) {
|
||||
item($j, "Log Keystrokes", 'K', lambda({
|
||||
thread(lambda({
|
||||
launch_dialog("Log Keystrokes", "post", "windows/capture/keylog_recorder", 1, $null, %(SESSION => $sid, MIGRATE => 1, ShowKeystrokes => 1));
|
||||
}, \$sid));
|
||||
}, $sid => "$sid"));
|
||||
}
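Review bot: The `thread(lambda({ launch_dialog(...) }, \$sid))` wrapper on Persist, Pass Session and Log Keystrokes carries its reason only in the changelog; a comment at the first use, `# query module info off the UI thread; doing it inline could deadlock`, keeps the next reader from folding it back into the outer lambda. The same three-line pattern is repeated three times with only the title, module and option hash differing, so a small helper such as `launch_dialog_async($title, $module, %opts, $sid)` would remove the duplication. `%MSF_GLOBAL['LPORT']` is now read on the worker thread rather than when the menu item fires; presumably fine, but worth confirming nothing resets it concurrently. showMeterpreterMenu starts and ends outside these hunks.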
|
||||
|
||||
|
@ -305,6 +311,9 @@ sub launch_msf_scans {
|
|||
if ('RPORT' in %o) {
|
||||
$port = %o['RPORT']['default'];
|
||||
push(%ports[$port], $scanner);
|
||||
if ($port == 80) {
|
||||
push(%ports['443'], $scanner);
|
||||
}
|
||||
}
|
||||
|
||||
safetyCheck();
|
||||
|
@ -313,7 +322,7 @@ sub launch_msf_scans {
|
|||
|
||||
# add these ports to our list of ports to scan.. these come from querying all of Metasploit's modules
|
||||
# for the default ports
|
||||
foreach $port (@(50000, 21, 1720, 80, 443, 143, 3306, 1521, 110, 5432, 50013, 25, 161, 22, 23, 17185, 135, 8080, 4848, 1433, 5560, 512, 513, 514, 445, 5900, 5038, 111, 139, 49, 515, 7787, 2947, 7144, 9080, 8812, 2525, 2207, 3050, 5405, 1723, 1099, 5555, 921, 10001, 123, 3690, 548, 617, 6112, 6667, 3632, 783, 10050, 38292, 12174, 2967, 5168, 3628, 7777, 6101, 10000, 6504, 41523, 41524, 2000, 1900, 10202, 6503, 6070, 6502, 6050, 2103, 41025, 44334, 2100, 5554, 12203, 26000, 4000, 1000, 8014, 5250, 34443, 8028, 8008, 7510, 9495, 1581, 8000, 18881, 57772, 9090, 9999, 81, 3000, 8300, 8800, 8090, 389, 10203, 5093, 1533, 13500, 705, 623, 4659, 20031, 16102, 6080, 6660, 11000, 19810, 3057, 6905, 1100, 10616, 10628, 5051, 1582, 65535, 105, 22222, 30000, 113, 1755, 407, 1434, 2049, 689, 3128, 20222, 20034, 7580, 7579, 38080, 12401, 910, 912, 11234, 46823, 5061, 5060, 2380, 69, 5800, 62514, 42, 5631, 902)) {
|
||||
foreach $port (@(50000, 21, 1720, 80, 443, 143, 3306, 1521, 110, 5432, 50013, 25, 161, 22, 23, 17185, 135, 8080, 4848, 1433, 5560, 512, 513, 514, 445, 5900, 5038, 111, 139, 49, 515, 7787, 2947, 7144, 9080, 8812, 2525, 2207, 3050, 5405, 1723, 1099, 5555, 921, 10001, 123, 3690, 548, 617, 6112, 6667, 3632, 783, 10050, 38292, 12174, 2967, 5168, 3628, 7777, 6101, 10000, 6504, 41523, 41524, 2000, 1900, 10202, 6503, 6070, 6502, 6050, 2103, 41025, 44334, 2100, 5554, 12203, 26000, 4000, 1000, 8014, 5250, 34443, 8028, 8008, 7510, 9495, 1581, 8000, 18881, 57772, 9090, 9999, 81, 3000, 8300, 8800, 8090, 389, 10203, 5093, 1533, 13500, 705, 623, 4659, 20031, 16102, 6080, 6660, 11000, 19810, 3057, 6905, 1100, 10616, 10628, 5051, 1582, 65535, 105, 22222, 30000, 113, 1755, 407, 1434, 2049, 689, 3128, 20222, 20034, 7580, 7579, 38080, 12401, 910, 912, 11234, 46823, 5061, 5060, 2380, 69, 5800, 62514, 42, 5631, 902, 5985)) {
|
||||
$temp = %ports[$port];
|
||||
}
|
||||
|
||||
|
@ -343,11 +352,16 @@ sub launch_msf_scans {
|
|||
if ($port in %ports) {
|
||||
$modules = %ports[$port];
|
||||
foreach $module ($modules) {
|
||||
if ($port == 443) {
|
||||
push(@launch, @($module, %(RHOSTS => join(", ", $hosts), RPORT => $port, THREADS => 24, SSL => "1")));
|
||||
}
|
||||
else {
|
||||
push(@launch, @($module, %(RHOSTS => join(", ", $hosts), RPORT => $port, THREADS => 24)));
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if ($text ismatch '... Scanned \d+ of \d+ hosts .100. complete.' && size(@launch) > 0) {
|
||||
[$queue append: "\n[*] " . size(@launch) . " scan" . iff(size(@launch) != 1, "s") . " to go..."];
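Review bot: The changelog says http_version now runs against 443, but the new test `if ($port == 80) { push(%ports['443'], $scanner); }` in the first hunk mirrors every scanner whose default RPORT is 80 onto 443, so the code should carry the rule actually implemented: `# mirror every port-80 scanner onto 443; the 443 launch below adds SSL => "1"`. In the third hunk the two `push(@launch, ...)` lines differ only by the SSL key; building the hash once — `%opts = %(RHOSTS => join(", ", $hosts), RPORT => $port, THREADS => 24);`, `if ($port == 443) { %opts['SSL'] = "1"; }`, `push(@launch, @($module, %opts));` — removes the duplication (`%opts` would need adding to the sub's local() declaration, which is outside the hunk). The string key `'443'` next to the numeric `$port` key in `%ports[$port]` relies on Sleep stringifying hash keys; a short note saying so saves a reader the check. launch_msf_scans starts and ends outside these hunks.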
|
||||
|
|
|
@ -297,19 +297,24 @@ sub show_login_dialog {
|
|||
}
|
||||
|
||||
sub createUserPassFile {
|
||||
local('$handle $user $pass $type $row $2 $name');
|
||||
local('$handle $user $pass $type $row $2 $name %entries');
|
||||
$name = "userpass" . rand(10000) . ".txt";
|
||||
|
||||
$handle = openf("> $+ $name");
|
||||
# loop through our entries and store them
|
||||
%entries = ohash();
|
||||
foreach $row ($1) {
|
||||
($user, $pass, $type) = values($row, @("user", "pass", "ptype"));
|
||||
if ($type eq "password" || $type eq $2) {
|
||||
println($handle, "$user $pass");
|
||||
%entries["$user $pass"] = "$user $pass";
|
||||
}
|
||||
else {
|
||||
println($handle, "$user");
|
||||
%entries[$user] = $user;
|
||||
}
|
||||
}
|
||||
|
||||
# print out unique entry values
|
||||
$handle = openf("> $+ $name");
|
||||
printAll($handle, values(%entries));
|
||||
closef($handle);
|
||||
|
||||
if ($client !is $mclient) {
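Review bot: The credential file written at the new `openf("> $+ $name")` still goes to a predictable name in the working directory (`"userpass" . rand(10000) . ".txt"`) and holds user/password pairs in cleartext; `rand(10000)` also lets two concurrent runs pick the same name and truncate each other's file. `[File createTempFile: "userpass", ".txt"]` with `deleteOnExit` gives a unique, properly located file, and whatever consumes it should remove it when done (not visible here). The dedup key `"$user $pass"` matches the line written, which is correct for its purpose; the `else` branch writes the user only for non-password types, and a comment saying so, `# non-password credential types are written as user only`, would make that visible at a glance. The sub's tail continues outside the hunk.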
|
||||
|
|
|
@ -27,6 +27,12 @@ sub parseProcessList {
|
|||
# REMOVEME--this is a backwards compatability hack.
|
||||
@rows = parseTextTable($2, @("PID", "Name", "Arch", "Session", "User", "Path"));
|
||||
}
|
||||
|
||||
# this is the format for Java meterpreter
|
||||
if (size(@rows) == 0) {
|
||||
@rows = parseTextTable($2, @("PID", "Name", "Arch", "User", "Path"));
|
||||
}
|
||||
|
||||
foreach $row (@rows) {
|
||||
[%processes[$1] addEntry: $row];
|
||||
}
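Review bot: The new fallback keys on `size(@rows) == 0`, so any session whose table parsed to zero rows under the six-column layout is re-parsed with the five-column Java layout, and a genuinely empty process list is parsed twice; choosing the layout from the header row of `$2` (whether a `Session` column is present) would make the selection explicit. If emptiness stays the trigger, say so in the comment: `# Java meterpreter has no Session column; if the six-column parse found nothing, retry with its five-column layout`. parseProcessList starts before the hunk.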
|
||||
|
|
|
@ -355,7 +355,7 @@ sub client {
|
|||
|
||||
sub main {
|
||||
global('$client $mclient');
|
||||
local('$server %sessions $sess_lock $read_lock $poll_lock $lock_lock %locks %readq $id @events $error $auth %cache $cach_lock $client_cache $handle');
|
||||
local('$server %sessions $sess_lock $read_lock $poll_lock $lock_lock %locks %readq $id @events $error $auth %cache $cach_lock $client_cache $handle $console');
|
||||
|
||||
$auth = unpack("H*", digest(rand() . ticks(), "MD5"))[0];
|
||||
|
||||
|
@ -400,9 +400,6 @@ sub main {
|
|||
$mclient = $client;
|
||||
initConsolePool(); # this needs to happen... right now.
|
||||
|
||||
# set the LHOST to whatever the user specified
|
||||
call_async($client, "core.setg", "LHOST", $host);
|
||||
|
||||
# we need this global to be set so our reverse listeners work as expected.
|
||||
$MY_ADDRESS = $host;
|
||||
|
||||
|
@ -423,6 +420,13 @@ sub main {
|
|||
$lock_lock = semaphore(1);
|
||||
$cach_lock = semaphore(1);
|
||||
|
||||
# set the LHOST to whatever the user specified (use console.write to make the string not UTF-8)
|
||||
$console = createConsole($client);
|
||||
call($client, "console.write", $console, "setg LHOST $host $+ \n");
|
||||
sleep(2000);
|
||||
# absorb the output of this command which is LHOST => ...
|
||||
call($client, "console.read", $console);
|
||||
|
||||
#
|
||||
# create a thread to push console messages to the event queue for all clients.
|
||||
#
|
||||
|
@ -437,7 +441,7 @@ sub main {
|
|||
release($poll_lock);
|
||||
}
|
||||
}
|
||||
}, \$client, \$poll_lock, \@events, $console => createConsole($client));
|
||||
}, \$client, \$poll_lock, \@events, \$console);
|
||||
|
||||
#
|
||||
# Create a shared hash that contains a thread for each session...
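Review bot: The LHOST write in the third hunk (`call($client, "console.write", $console, "setg LHOST $host $+ \n")` followed by `sleep(2000)` and a single `console.read`) assumes the framework answers within two seconds; when it does not, the `LHOST => ...` output stays queued on `$console`, which the poller thread in the last hunk now reuses, so it surfaces later in the event stream. Looping on `console.read` until the returned `busy` flag is false, with a bounded number of tries, avoids the fixed delay. `$host` is interpolated into a console command line, so a value containing a newline would be executed as further console input; checking it against an anchored host/IP pattern before the write makes that assumption explicit. The `\$console` capture in the last hunk replaces the per-thread `createConsole` with the shared one; a comment there, `# reuse the console that issued setg LHOST`, would record that the two are meant to be the same console. main's body continues outside these hunks.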
|
||||
|
|
|
@ -152,7 +152,10 @@ sub createConsoleTab {
|
|||
|
||||
sub setg {
|
||||
%MSF_GLOBAL[$1] = $2;
|
||||
call_async($client, "core.setg", $1, $2);
|
||||
local('$c');
|
||||
$c = createConsole($client);
|
||||
call_async($client, "console.write", $c, "setg $1 $2 $+ \n");
|
||||
call_async($client, "console.release", $c);
|
||||
}
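Review bot: `setg` queues `console.write` and `console.release` back to back with `call_async`, so it depends on the async calls being delivered in order and on the framework consuming the write before the console is destroyed — hedged, since call_async's queueing is not visible here; a comment stating that assumption, `# write then release; relies on call_async preserving order`, is the minimum. `$2` goes into the command line unchecked, so a value containing a newline becomes a second console command; LHOST/LPORT values are user supplied, and an anchored check (or at least rejecting `\n`) before the write keeps the line to one command. `%MSF_GLOBAL[$1]` is still set before the write, so the GUI and the framework can disagree if the console write fails silently; that is pre-existing exposure but worth a note now that the `core.setg` call is gone.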
|
||||
|
||||
sub createDefaultHandler {
|
||||
|
|
|
@ -104,6 +104,9 @@ public class ConsoleClient implements Runnable, ActionListener {
|
|||
if (destroyCommand != null) {
|
||||
((RpcAsync)connection).execute_async(destroyCommand, new Object[] { session });
|
||||
}
|
||||
|
||||
/* we don't need to keep reading from this console */
|
||||
kill();
|
||||
}
|
||||
|
||||
protected void finalize() {
|
||||
|
|
|
@ -1,6 +1,23 @@
|
|||
Armitage Changelog
|
||||
==================
|
||||
|
||||
16 Oct 12 (tested against msf 15972)
|
||||
---------
|
||||
- Added port 5985 to MSF Scans list.
|
||||
- Meterpreter -> Access -> Persistence sets ACTION option for you
|
||||
- Changed how LHOST and LPORT are set globally to prevent Ruby
|
||||
character encoding conversion error in the framework.
|
||||
- Pass Session, Log Keystrokes, and Persist now query module info
|
||||
in a separate thread (avoids a deadlock opportunity)
|
||||
- Armitage now shows folder/URL in a popup dialog for environments
|
||||
where JDesktop API to open them directly is not supported
|
||||
- Check all credentials option now filters the list to avoid trying
|
||||
a pair of credentials twice.
|
||||
- Armitage's exploit payload selection now selects cmd/unix/interact
|
||||
when appropriate.
|
||||
- Explore -> Processes now works with Java Meterpreter again.
|
||||
- MSF Scans feature now runs http_version against port 443
|
||||
|
||||
5 Sept 12 (tested against msf r15804)
|
||||
---------
|
||||
- Setup dialog now trims host, port, user, and pass fields.
|
||||
|
|