Commit Graph

4565 Commits (GSoC/Meterpreter_Web_Console)

Author SHA1 Message Date
Brent Cook f662049b27 clarify screenshot on android scenario 2018-03-25 07:29:39 -05:00
b0yd 7e0c255591 Formatted reg binary type to hex when displaying query results. 2018-03-23 15:56:12 -04:00
Jon Hart f09c5eafc7 Appease hound 2018-02-27 04:12:58 -06:00
Jon Hart 46299dff00 The DRDOS mixin operates on strings, so make the bindata'd NTP classes cooperate 2018-02-27 04:12:57 -06:00
Brent Cook 99965c142b remove duplicate check 2018-02-20 04:42:49 -06:00
Brent Cook bb3a11dd20 use ctrl-d to cancel input instead 2018-02-20 04:40:00 -06:00
Tim W 5083150002 fix #9112, improve error message on failure 2018-02-20 18:06:03 +08:00
Brent Cook f5f7b4d25a handle sessions still open 2018-02-20 03:31:20 -06:00
Brent Cook e995ccfc33 make this a little easier to read 2018-02-20 03:27:55 -06:00
Brent Cook e26fb49c99 if we have no more input from the console, quit 2018-02-20 03:27:38 -06:00
Brent Cook 3d8451e616
Land #8997, add local 'ls' support to Meterpreter sessions 2018-02-19 23:21:59 -06:00
Brent Cook 4e9d900a17
Land #9507, Expand paths for meterpreter's cp, mv, and rm commands 2018-02-19 21:26:03 -06:00
UserExistsError b3f26ea55f bind_named_pipe fixes 2018-02-18 10:31:57 -07:00
Brent Cook bd2af0143a properly handle when there is no stat callback specified on upload 2018-02-16 16:14:09 -06:00
Brent Cook 289277c613
Land #9516, Support Bash-Style Continuation Lines 2018-02-16 10:53:58 -06:00
Brent Cook 38b03fdfff Merge branch 'upstream-master' into land-9539- 2018-02-15 16:22:13 -06:00
a1exdandy 7e03bf838b Fix src_size view 2018-02-15 17:44:41 +05:00
a1exdandy a0c473f29e Upload memory usage optimization
Optimize xor_bytes memory usage, use small buffer for upload,
add verbosity
2018-02-15 17:05:22 +05:00
UserExistsError 8ae8a0d94b added bind_named_pipe payload 2018-02-11 18:56:50 -07:00
Spencer McIntyre 214c137b4a Don't use parenthesis around pgets 2018-02-07 15:53:11 -05:00
Spencer McIntyre 0ad7d10e05 Use a continuation flag to disable tab completion 2018-02-06 14:44:55 -05:00
Spencer McIntyre 6d7579d907 Support breaking commands into multiple lines 2018-02-06 14:29:11 -05:00
Spencer McIntyre 8b56bbc541 Update mkdir as well for path expansion 2018-02-05 16:16:53 -05:00
Spencer McIntyre c70bcb5869 Use a constant for the regex and update rmdir too 2018-02-05 16:06:16 -05:00
Spencer McIntyre f441306036 Expand paths for meterpreter's cp, mv, and rm cmds 2018-02-05 15:22:05 -05:00
Brent Cook d5ae2bb55b Fix pivot handler to not consume all packets
Packet handlers should only return true if they consume a packet.
Otherwise, they should return false so something else can consume it.
This fixes port forwards by allowing the socket handler to see packets
that were otherwise being discarded in the pivot handler.
2018-02-02 18:01:05 -06:00
zerosum0x0 c8ff2adf06 added support for smb client 2018-01-27 20:49:17 -07:00
Brent Cook 03d1523d43
Land #6611, add native DNS to Rex, MSF mixin, sample modules 2018-01-22 23:54:32 -06:00
Brent Cook 9a35c324c0
Land #9352, Pull out HTTP-specific code from PacketDispatcher 2018-01-22 16:52:24 -06:00
Pearce Barry ba75d19d34
Fix failing spec. 2018-01-19 15:52:25 -06:00
Pearce Barry 2a6b3671bf
Add connection addr+port info to http response object.
Update owa_login to use this instead of doing lookups on its own.
2018-01-19 13:37:33 -06:00
William Vu 2916c5ae45 Rescue Rex::Proto::SunRPC::RPCTimeout
Coincidentally, this also fixes the rescue in the library, since
rescuing Timeout instead of Timeout::Error does nothing.
2018-01-12 19:34:59 -06:00
RageLtMan c65c03722c Migrate native DNS services to Dnsruby data format
Dnsruby provides advanced options like DNSSEC in its data format
and is a current and well supported library.
The infrastructure services - resolver, server, etc, were designed
for a standalone configuration, and carry entirely too much weight
and redundancy to implement for this context. Instead of porting
over their native resolver, update the Net::DNS subclassed Rex
Resolver to use Dnsruby data formats and method calls.
Update the Msf namespace infrastructure mixins and native server
module with new method calls and workarounds for some instance
variables having only readers without writers. Implement the Rex
ServerManager to start and stop the DNS service adding relevant
alias methods to the Rex::Proto::DNS::Server class.

Rex services are designed to be modular and lightweight, as well
as implement the sockets, threads, and other low-level interfaces.
Dnsruby's operations classes implement their own threading and
socket semantics, and do not fit with the modular mixin workflow
used throughout Framework. So while the updated resolver can be
seen as adding rubber to the tire fire, converting to dnsruby's
native classes for resolvers, servers, and caches, would be more
like adding oxy acetylene and heavy metals.

Testing:
  Internal tests for resolution of different record types locally
and over pivot sessions.
2018-01-12 05:00:00 -05:00
jgor 51e5fb450f Detect and return on bad VNC negotiations 2018-01-05 10:12:13 -06:00
RageLtMan f1a1e1a357 Implement specific dispatch extensions for tunnels
All meterpreter Clients are created equal, and as such they all
include the PacketDispatcher mixin and call its init methods when
a passive dispatcher is needed. However, since tunneling protocols
have different requirements for implementation, the methods which
provide protocol-specific functionality need to be mixed into the
Client before it attempts to initialize the dispatcher.

Provide a dispatch_ext option in the has passed to the client on
init from the session handler which is an Array containing mixin
references which are sent to :extend calls in the :init_meterpreter
method just prior to calling :initialize_passive_dispatcher.

Each handler implementation can thus push chains of mixins to the
client in order to provide middleware specific to the tunnel. Down
the road, this should permit stacking C2 encapsulations or tunnel
protocols/permutators to create unique session transports on the
fly.
2017-12-29 00:56:06 -05:00
RageLtMan d420bf1a6a Pull out HTTP-specific code from PacketDispatcher
PacketDispatcher has some hardcoded assumptions about utilizing
HTTP services as the async resource. With C2 and DNS tunnels in
the pipeline, these elements need to be separated from the core
functions of async packet dispatch and moved into their own module.

This creates a new namespace for Meterpreter::HttpPacketDispatcher,
meant to be mixed in after PacketDispatcher. The module implements
only three of the original module's methods - init, shutdown, and
the :on_passive_request callback; with the first two using :super,
with the expectation of having a PacketDispatcher mixin or API
compatible namespace already in the mix.
2017-12-28 23:37:01 -05:00
Brent Cook c2bb144d0f
Land #9302, Implement ARD auth and add remote CVE-2017-13872 (iamroot) module 2017-12-28 14:11:26 -06:00
Jon Hart 962bc71d10
Merge branch 'feature/mqtt' into feature/mqtt-login 2017-12-20 18:58:36 -08:00
Jon Hart cf21d13b2e
Resolve conflict 2017-12-20 18:58:16 -08:00
William Vu 1975713a92
Land #9333, get_cookies_parsed using CGI::Cookie 2017-12-20 20:08:33 -06:00
Jon Hart d0b3abc14b
Better handling of MQTT endpoints which don't require authentication
Arguably this is working around LoginScanner's inability to provide
blank usernames AND passwords
2017-12-20 18:02:52 -08:00
Jon Hart 2e62d77e36
Add new method for fetching parsed cookies from an HTTP response
This fixed #9332.
2017-12-20 16:19:44 -08:00
Brent Cook 3b78302868
Land #9327, restore transport enum used in TLVs 2017-12-20 16:11:04 -06:00
Jon Hart 741d08f604
Style cleanup 2017-12-20 13:33:47 -08:00
Jon Hart f15309bc48
Add basic framework for interacting with MQTT 2017-12-20 12:28:02 -08:00
Jeffrey Martin 9719ede3f0
restore transport enum used in TLVs 2017-12-20 13:12:24 -06:00
Brent Cook 32c486023c
Land #9308, Ensure tab completion in HWBridge sessions works 2017-12-20 11:29:11 -06:00
Puru bfa0cad8a5
Fix clipboard typo 2017-12-20 20:49:36 +05:45
Brent Cook 90b97d6581 Merge branch 'upstream-master' into land-9151- 2017-12-15 14:15:14 -06:00
Pearce Barry 084dc4470d
Ensure tab completion in HWBridge sessions works as expected. 2017-12-15 12:19:26 -06:00
jgor b99f044de5 Implement VNC security type 30 (Apple Remote Desktop) authentication 2017-12-14 13:57:38 -06:00
bwatters-r7 9ea7747a5c
Land #9233, Fix #9232 corruption of non-latin characters in W methods
Merge branch 'land-9233' into upstream-master
2017-12-14 11:54:36 -06:00
Pearce Barry 7aef0f249e
Per MS-2916, load Mettle extensions via new API. 2017-12-07 20:40:22 -06:00
William Vu 65412cd2f1
Land #9201, enhanced tab completion 2017-11-27 11:37:04 -06:00
Tim W ce9d2aff2b more osx hacks 2017-11-22 17:25:49 +08:00
Tim W 0f2bfb70c0 hacky fix for osx 2017-11-22 13:07:42 +08:00
scriptjunkie 9a81cc70dd Fix corruption of non-latin characters in W methods 2017-11-21 20:58:38 -06:00
Tim 92190403cc use full target_path 2017-11-22 05:42:01 +08:00
OJ fea28a89a5 Fix TLV defs for http headers 2017-11-21 13:47:19 -06:00
OJ a78d8f83fc Add HTTP header support for Host/Cookie/Referer
This is to start the support for things like domain fronting.
2017-11-21 13:47:18 -06:00
Spencer McIntyre bc691cbd00 Document the new tab completion functions 2017-11-11 17:17:48 -05:00
Spencer McIntyre fb7635502d Tab completion for exploit and handler commands 2017-11-11 17:11:54 -05:00
Spencer McIntyre 68a43fef36 Add the new generic tab completion functoin 2017-11-11 16:47:11 -05:00
bwatters-r7 c2a979dd3c
Land #9134, fix buggy handling of partial ingress packet data 2017-11-01 20:06:23 -05:00
William Vu 5de190f092
Land #9145, ERB/<ruby> for Meterpreter resource 2017-11-01 13:48:51 -05:00
Brent Cook 90766ceceb remove more unusual raise RuntimeError patterns 2017-11-01 05:59:12 -05:00
Pearce Barry 48975a4327
Support multiple suffixes on meterpreter extensions. 2017-10-31 10:04:34 -05:00
Pearce Barry daf2acc2b1
Initial work to support Mettle exetensions (and a sniffer).
See MS-2775.
2017-10-31 10:04:30 -05:00
Spencer McIntyre 940573ad49 Support ruby directives in Meterpreter rc scripts 2017-10-29 15:57:33 -04:00
Brent Cook d188982760 handle masked EOF from Rex sockets (TODO: kill that behavior) 2017-10-27 02:29:25 -07:00
Brent Cook 85b59c87ca fix buggy handling of partial ingress packet data
If we have more data, and the packet parser needs more data, connect the two
together rather than bailing. This fixes reverse_tcp_ssl along with probably a
lot of other higher-latency corner cases.
2017-10-27 02:15:08 -07:00
Brent Cook 1b01232624
Land #9070, Fix bug copying MACE attributes between files 2017-10-23 22:15:42 -05:00
James Lee af42f517b8 Default PromptTimeFormat to %T 2017-10-17 16:39:44 -05:00
Bradley Landherr bdc00ef2df Removing unecessary comment 2017-10-11 06:34:09 -07:00
Bradley Landherr 8dee369eb7 Fixing the -f option, removing reference to undefined 'path' variable & get_file_mace already returns a 'Time' object instance 2017-10-11 06:28:03 -07:00
William Webb 14308fb77d
Land #9045, Copy original request ID into TLV response 2017-10-09 10:58:02 -05:00
Jeffrey Martin d0a1fb6019
tlv response to ID based request with original ID
When a tlv response is created the request ID being responded to
needs to be copied into response created.
2017-10-06 13:58:38 -05:00
William Webb d9e0d891a1
Land #9010, Remove checks for hardcoded SYSTEM account name 2017-10-06 13:42:18 -05:00
Brent Cook b7e209a5f3
Land #9033, Geolocate API update 2017-10-05 16:39:09 -05:00
Tim e534d3cdc8 fix transport and sleep commands on java 2017-10-04 10:36:01 +08:00
h00die fc66683502 fixes #8928 2017-10-01 19:49:32 -04:00
loftwing f777e2ab3b Merge branch 'master' into fix_nmap_imports
bringing branch up to date
2017-09-27 12:52:27 -05:00
loftwing 51c1cddb5c Removed requirement for a host to have ports 2017-09-27 12:43:50 -05:00
OJ 3068fb6e7e
Fix getprivs and getsystem
This is a fix for crap and stupid stuff that I did half way through the
packet pivot code. I was working on some priv stuff at the same time,
and when I realised that the work I was doing was not sensible as part
of the packet pivot PR, I failed to revert my changes properly.

As a result I broke `getprivs` and `getsystem`. I am sorry. And I'm
ashamed.
2017-09-27 16:31:42 +10:00
Christian Mehlmauer 81406a073e
tidy up code 2017-09-27 08:01:48 +02:00
Christian Mehlmauer 41e3895424
remove checks for hardcoded name 2017-09-27 07:41:06 +02:00
Brent Cook 0d31c1c9a8
Land #8945, fix issue where we can call shutdown on a closed socket 2017-09-26 16:01:51 -05:00
Brent Cook 71f13db918 style updates 2017-09-26 15:58:43 -05:00
Josh Hale 0e59f47095 Comments and whitespace check 2017-09-24 16:37:30 -05:00
Josh Hale 23e1b5b872 Add search term support 2017-09-24 16:25:27 -05:00
Josh Hale 664fd1f7e3 Support single file path 2017-09-24 16:13:26 -05:00
Josh Hale 9f0ff3f3a3 Add in sort and order options 2017-09-23 23:14:21 -05:00
Josh Hale 2068514800 Add initial lls command 2017-09-23 21:38:53 -05:00
Brent Cook d8ee4150e6 move client core constants closer to where they are actually used 2017-09-19 03:22:13 -05:00
Brent Cook 5b579baa33 remove unused Linux migration code 2017-09-19 03:04:43 -05:00
Brent Cook 0e15b2d002 remove unneeded METERPRETER_TRANSPORT constants 2017-09-19 02:59:05 -05:00
RageLtMan 271bd4c4fe Rename METERPRETER_TRANSPORT_SSL to ..._TCP
Since OpenSSL is no longer packages with meterpreter, and transport
secrecy is handled at L7, the SSL cons name doesn't apply anymore.
Rename METERPRETER_TRANSPORT_SSL to METERPRETER_TRANSPORT_TCP for
consistency with wire-level implementation.
2017-09-17 14:31:15 -04:00
Craig Smith b218cc3c7f Merge branch 'master' into hw_auto_padding_fix 2017-09-11 18:30:34 -07:00
Craig Smith ad9329993d Added better padding and flowcontrol support. 2017-09-11 18:20:57 -07:00
RageLtMan 8d60fdf9e7 Bug - HTTP Client can call :shutdown on closed IO
When running Rex HTTP client calls across pivots, pivot sockets
can get closed by the remote server, resulting in a closed :conn
object within the client object. The clients :close method calls
self.conn.shutdown which raises an 'IOError closed stream' on what
is effectively a TCPSocket object in a closed state (under the Rex
abstraction).

Resolve by moving the self.conn.closed? check into the conditional
just above the :shutdown call, and remove if from the underlying
:close call as calling :close on an already closed TCPSocket
returns nil as opposed to throwing an exception like the :shutdown
method.
2017-09-10 03:09:59 -04:00
Brent Cook c365db135a pull in GUID fixes from #8818 2017-09-07 01:39:49 -05:00
OJ b38a962c09 Fix default session GUID when not specified
This resolves an issue with stategless HTTP sessions
2017-09-07 01:36:25 -05:00
OJ 5294722b96 Prevent socket-like behaviours during migrate on pivoted sessions 2017-09-07 01:36:24 -05:00
OJ bfdea35aca A few UI touch ups 2017-09-07 01:36:23 -05:00
OJ 75270af9e7 Tweaking of the pivot list output 2017-09-07 01:36:23 -05:00
OJ 8b8e5e4cb5 First iteration of the pivot menu for meterpreter 2017-09-07 01:36:23 -05:00
OJ d525b015f0 Enable keepalive for pivoted sessions 2017-09-07 01:36:22 -05:00
OJ 7acd772c10 Pivot session stability, display and handling 2017-09-07 01:36:21 -05:00
OJ fdc9864b61 First working packet pivot session! 2017-09-07 01:36:20 -05:00
OJ e3de01219a Pushed on with more pivot code 2017-09-07 01:33:54 -05:00
OJ abc80655b7 Progress in named pipe pivots, more to come 2017-09-07 01:33:54 -05:00
OJ 816e78b6f6 First pass of named pipe code for pivots 2017-09-07 01:33:53 -05:00
Brent Cook f7071818b1 more updates 2017-08-28 14:10:51 -05:00
Brent Cook a0e04760b5 rewrite timestomp command dispatcher to deal with file args properly 2017-08-28 08:25:42 -05:00
Brent Cook 429824b5c9 guid is hex values 2017-08-21 03:44:02 -05:00
Brent Cook 8700a36858 make session_guid default with the correct length 2017-08-21 03:24:37 -05:00
Brent Cook 5e8c2200ac Merge branch 'master' into land-8625-crypttlv2 2017-08-20 18:54:51 -05:00
h00die dc358dd087 unknow to unknown 2017-08-18 11:33:48 -04:00
OJ fa292dce96
Fix issue with truncated values when unpacking packets 2017-08-16 11:01:54 +10:00
Brent Cook 0ab6dd46d3
Land #8762, add initial Rex FTP protocol implementation 2017-08-14 01:59:53 -04:00
OJ d7e8b32312
Merge branch 'upstream/master' into transport-agnostic-packet-encryption 2017-08-08 17:30:51 +10:00
Pearce Barry cfd377fbd4 Support padding on the CAN bus.
Also use a hash for passing options around instead of individual params.
2017-08-06 18:05:59 -05:00
Brent Cook 24d323d4ed remove more instances of positive? 2017-08-02 12:47:34 -05:00
Tabish Imran f1b07b5c6d Add send_cmd_data function from /lib/metasploit/framework/ftp/client.rb to class 2017-08-02 01:14:08 +05:30
Tabish Imran 0b001fdea6 Modify to reduce rubocop offenses 2017-07-25 17:46:05 +05:30
Tabish Imran da8cb48639 Add FTP protocol client implementation 2017-07-25 00:56:34 +05:30
Tabish Imran ab37ccb173 Add FTP protocol support 2017-07-25 00:56:19 +05:30
Brent Cook cdfb6782a8
Land #8639, Add mic audio streaming to Linux/OSX native meterpreter 2017-07-24 07:01:00 -07:00
Brent Cook 6300758c46 use https for metaploit.com links 2017-07-24 06:26:21 -07:00
Pearce Barry 6a686a277b
Land #8742, HWBRIDGE RFTRANSCEIVER ADD LOWBALL SUPPORT 2017-07-21 11:46:21 -05:00
Pearce Barry 3043218a7f
Indention and missing comma fixup. 2017-07-21 11:43:49 -05:00
Corey Harding 22e8f1cb48 HWBRIDGE RFTRANSCEIVER ADD LOWBALL SUPPORT 2017-07-20 05:09:00 -04:00
Brent Cook f5e76092d6 Merge branch 'master' into land-8439- 2017-07-18 08:25:18 -05:00
James Lee 5c17f363be
Default opts to an empty hash instead of nil
Fixes #8709
2017-07-13 15:40:08 -05:00
bwatters-r7 99bb091488
Land #8690, Fix #8636, [] for NilClass in session.fs.file.download_file 2017-07-12 13:43:12 -05:00
William Webb aa0fca9dd1
Land #8631, Add railgun support to Python Meterpreter for the OSX
platform
2017-07-11 16:05:16 -05:00
wchen-r7 d5d9e88851 Fix #8636, [] for NilClass in session.fs.file.download_file
This fixes a [] for NilClass bug in the download_file API.
The opts argument is not checked for nil before the code looks for
the block_size key.

Fix #8636
2017-07-07 19:00:33 -05:00
Pearce Barry baead02efc
Addressing PR feedback.
Removing the audio_stream_pool.rb class file for now, we can recreate for MS-2749 if we really need one.
2017-07-04 09:28:38 -05:00
Pearce Barry ef1145c6b7
Use common code to delete non-applicable cmds. 2017-07-03 09:11:04 -05:00
OJ 4f054d25fc
Fix packet spec problems 2017-07-03 18:12:38 +10:00
OJ 999d90687e
Make encryption flags 32 bit
This changes the encryption flags on the meterpreter session so that
it's 32 bits (and hence changes the packet header). This also supports
the idea that sessions may use encryption that isn't AES256, so the
flags field will ultimately indicate that. A type flag has been added so
that MSF knows the type that should be done on the wire.

At some point soon we'll add something that makes sure that the packet
encryption type always matches the encryption type expected in MSF, this
will hopefully avoid the risk of having packets injected into the stream
by external entities.
2017-07-03 16:52:58 +10:00
Pearce Barry e21ae88b55
Update wave file header with actual length.
Fixes MS-2759.
2017-06-30 22:48:42 -05:00
James Lee ada954aab9
Land #8624, fix mis-ordered kiwi output 2017-06-30 14:23:24 -05:00
Pearce Barry d2098137a9
Grab last bit of audio from target when done.
Also remove module that needs work (we can create later).
2017-06-30 10:56:49 -05:00
Pearce Barry 48e7e8397e Make listen focus on prerecorded items. 2017-06-29 16:52:17 -05:00
Pearce Barry e8468a5c99 Cleanup. 2017-06-29 16:52:17 -05:00
Pearce Barry 5c5044a80f Stream audio data via channel (MS-2725). 2017-06-29 16:52:16 -05:00
dmohanty-r7 dd7726b894 Change to Audio Mic 2017-06-29 16:52:16 -05:00
dmohanty-r7 1bfa9366e6 Bring back to working 2017-06-29 16:52:15 -05:00
dmohanty-r7 bd9c15713d Bring polling back in 2017-06-29 16:52:15 -05:00
dmohanty-r7 3d51301b98 Seperation of concerns 2017-06-29 16:52:15 -05:00
dmohanty-r7 c7b71a2b32 Seperate concerns of console/mic 2017-06-29 16:52:14 -05:00
dmohanty-r7 9ca74d69f1 add sleep 2017-06-29 16:52:14 -05:00
dmohanty-r7 d2cccae2a1 Use webrtc browser 2017-06-29 16:52:13 -05:00
dmohanty-r7 56b3b0e00d Add more parameterization 2017-06-29 16:52:13 -05:00
dmohanty-r7 d9e1d21c56 Spacing 2017-06-29 16:52:13 -05:00
dmohanty-r7 d62f0cfd98 Add the mic stop command 2017-06-29 16:52:12 -05:00
dmohanty-r7 40ce03b85f Parameterize playback configurations 2017-06-29 16:52:12 -05:00
dmohanty-r7 6f8f85df61 Open player for listening to audio 2017-06-29 16:52:12 -05:00
dmohanty-r7 60e009de8f Use large datasize 2017-06-29 16:52:11 -05:00
dmohanty-r7 16a13723d0 Remove debug 2017-06-29 16:52:11 -05:00
dmohanty-r7 fa4ebadf0f Make mic audio device stream work with mettle 2017-06-29 16:52:10 -05:00
dmohanty-r7 0a0e6c8576 Use audio stream pool 2017-06-29 16:52:10 -05:00
dmohanty-r7 197d377424 Fix commands to mic 2017-06-29 16:52:10 -05:00
Dev Mohanty ebf967db3e Add audio-channel 2017-06-29 16:52:09 -05:00
Anderson 959f9fe2d2 Updated lib/rex/proto/http/client_request.rb to ensure that the host header is formatted 2017-06-29 12:05:02 -07:00
Spencer McIntyre 52211ab6ae Continue refactoring removal of "DLL" references 2017-06-27 18:00:01 -04:00
Spencer McIntyre 0da9f4d64a Refactor railgun "DLL" references to library 2017-06-27 17:34:06 -04:00
Brent Cook e08bd84038 Merge branch 'upstream-master' into land-8603- 2017-06-27 04:03:31 -05:00
OJ 8e1e505730
Fix output of MSV creds dumping in Kiwi
The data being pulled out of the MSV credential dump was not being
rendered propertly because it was assumed that all accounts would
provide the same set of hashes/details for each entry found. However,
this was not the case. Some have NTLM & SHA1, others have LM & NTLM,
some have DPAPI when others don't.

This code generates tables based on the values found, and renders those
values in the appropriate columns, and if the values don't exist for
a given account, the column is left blank.

Fixes #8620
2017-06-27 15:43:40 +10:00
OJ 49e34d70c3
Remove uses of multi-char args for meterpreter commands 2017-06-27 13:06:10 +10:00
Spencer McIntyre ea83cb0bb6 Make the railgun def class names platform specific 2017-06-26 19:53:19 -04:00
OJ 25e323fc4b
Support AES renegotiation after session migration 2017-06-26 20:50:12 +10:00
OJ 9f2be21eb7
Ignore missing method error when doing aes negotiation
This means that meterpreter instances that don't support will continue
to work.
2017-06-26 15:22:56 +10:00
OJ bdcea7bd22
Fix http AES packet dispatching 2017-06-25 19:51:25 +10:00
OJ 494d389aa2
Merge upstream/master into packet encryption 2017-06-25 19:06:31 +10:00
OJ 67b1a19aa1
Finalised MSF-side of AES key negotiation over RSA 2017-06-25 10:24:00 +10:00
William Webb bf85386acf
add help switch 2017-06-24 17:45:53 -05:00
James Lee 6a8d54a93c
Land #8545, `ps` table output fixes 2017-06-24 14:43:51 -05:00
Brent Cook 1762fe56c9
Land #8589, Fix 64-bit support for the winpmem extension 2017-06-23 19:27:31 -05:00
RageLtMan 1a253f92a1 Finalize DNS spoofing module
DNS spoofing module should be feature complete, with forwarding of
requests which do not have cached answers (can be disabled same as
the native server module), empty replies to reduce client wait on
outstanding DNS requests, and post-send output in verbose mode
to reduce garbage and execution time in the critical/racy path.

This module is best used in conditions where MITM is achieved by
way of MAC spoofing, route interception, or compromise of an inline
host on the datapath. The attacker should avoid forwarding
original requests to the intended destination, or if this is not
possible, prevent replies from traversing the MITM space in order
to avoid race conditions between the spoofer and victim.

Example iptables configuration on MITM host:
 iptables -t nat -A POSTROUTING -o eth0 -p udp ! --dport 53 -j ...

Testing:
  Internal testing in Virtualbox local network, atop 802.11, and
mostly in Neutron (with port security disabled on the VIFs) atop
OpenStack Liberty ML2+OVS.
2017-06-23 19:59:02 -04:00
RageLtMan deef4a94fe Allow DNS::Server::Cache to find '*' names
Allow retrieval of '*' from stored static entries for spoofing
all domains to any IP using wildcard names. Replace the wildcard
response with the name submitted to the search in the response.

Fix improper checks in DNS::Packet for Resolv objects from decode
to encode.

Misc cleanup for records not responding to :address, convenience
methods, and packet structure.
2017-06-23 19:59:01 -04:00
RageLtMan 07dd59fb85 Import native DNS spoofing module and cleanup
Import PCAP-based DNS spoofing server module:
This module uses the Capture mixin to sniff and parse packets off
the wire, then match answers to sniffed requests from static
entries in the server's cache. If answers are found, they are
appended to a cloned packet with reverse saddr/daddr pairs at
layers 2-4, the qr bit is set, and it is injected back into the
interface from where it came.

Minor cleanup in the Rex::Proto::DNS::Server::Cache class to allow
multiple address->name pairs and fix issues when adding multiple
static entries.
2017-06-23 19:58:43 -04:00
RageLtMan b60990c19c Use a MockDnsClient object for request state
In order to handle TCP and UDP clients in a common manner, the
DNS server created a Rex::Socket::Udp object to represent the
client object allowing for a client.write(response) approach to
returning results for both TCP and UDP clients. During work on
the common socket abstractions (#6692) it became apparent that
remote pivoted sockets cannot be created with the same exact param
set used on the server socket - sockets dont reuse with localhost
and localport params being the same, an exception is raised from
the Windows side of the pivot abstraction. Creating a new socket
for every request is also needless overhead and noise.

Create the MockDnsClient class to  consume peerhost, peerport, and
the DNS server's UDP socket as arguments in order to execute a
sendto() from the existing socket when sending a response. A write
method is provided in the class for common interface between the
UDP and TCP request handlers.

This has been tested in conjunction with #6692 and shown to be
successful as serving remote requests from the IO.select polled
pivot socket running on a Windows host via Meterpreter.
2017-06-23 19:58:42 -04:00
RageLtMan fec23cf0fd Remove setsockopt calls from DNS server 2017-06-23 19:58:42 -04:00
RageLtMan d64962994c Packet.valid_hostname? should be a class method 2017-06-23 19:58:40 -04:00
RageLtMan a555ee716e Fix typo in Rex DNS Server 2017-06-23 19:58:40 -04:00
RageLtMan e86ca56dd1 add :closed? method to Meterpreter Channel
Implement a check for self.cid.nil? in Meterpreter's Channel class
in the :closed? method for compatibility with the Socket's :closed?

Touch up the Rex DNS server's stop method using this method on
pivot sockets.

Add SOL_SOCKET and SO_REUSEADDR options to the Rex UDP sockets
created by the DNS components - the server socket, as well as the
client abstraction socket.
2017-06-23 19:58:39 -04:00
RageLtMan 570987aecd Missing lines from Proto::DNS::Packet 2017-06-23 19:58:39 -04:00
RageLtMan 00611e97fb Rex::Proto::DNS::Packet generate req/resp
Create default generator methods for DNS request and response in
the Packet module.

Packet.generate_request is directly adapted from
Net::DNS::Resolver.make_query_packet with conveniences added from
the local namespace.

Packet.generate_response is a convenience wrapper for attaching
responses to request, flipping the qr bit, and adjusting the rCode
for NXDomain or NoError depending on whether the response has any
answers or not. Existing responses being passed into this method
with new answers or an empty array will have their rCode updated
accordingly for NoError and NXDomain.

Clean up Rex::Proto::DNS::Server by use of the convenience method
and removal of the :validate method (as its now in Packet).

Add Packet.valid_hostname? as a wrapper for matching against the
Rex::Proto::DNS::Constants::MATCH_HOSTNAME regex.
2017-06-23 19:58:38 -04:00
RageLtMan 3b7c1955c8 Rex::Proto::DNS::Packet::Raw convenience methods
Add convenience methods for little and big endian operations on
DNS packet contents. Use the convenience methods for quick ID
and request length extraction without full packet parsing.
2017-06-23 19:58:38 -04:00
RageLtMan de0867aaba Address wchen-r7's initial comments
Advanced options are now camel cased
Use :blank? on datastore options instead of serial checks for :nil?
and :empty?
Rex::Proto::DNS::Server :on_client_data updated to ask the tcp_sock
to close this client if it exists in the rescue clause.
2017-06-23 19:58:38 -04:00
RageLtMan 2347c8df99 Create basic packet manipulation modules
Create Rex::Proto::DNS::Packet and Packet::Raw to allow common
parsing, validation, and raw data operations across both Rex and
Msf namespaces.

The modules contain class methods and do not need to be mixed in
to use their functionality Packet.method is enough, and reduces GC
strain since new objects are not constantly being instantiated, and
these modules contain no internal state.

Clean up UDP socket leak from Rex::Proto::DNS::Server under certain
conditions.

Create Msf::Exploit::DNS::Common mixin to provide descendants with
access to Packet and the hostname Regex.

-----

Testing:
  Tested running the RC provided in the pull request
  Manual testing in IRB/Pry while porting PoC for CVE-2015-7547
2017-06-23 19:58:37 -04:00
RageLtMan 2679c26e88 Create and implement Rex::IO::GramServer mixin
Rex::IO::StreamServer provides consistent methods and accessors
for TcpServer type consumers, but includes logic for client actions
which are not relevant in a datagram context - connect and
disconnect actions, as well as any notion of stateful session
persistence (the clients queue) do not apply in this paradigm.

Implement a Rex::IO::GramServer mixin which provides common methods
for dispatching requests and sending responses. Defines the same
callback structure for procs as used in the StreamServer, though
utilizing dispatch_request_proc and send_response_proc with client
and data parameters for efficient interception of execution flow
when dealing with stateless comms.

Rewire Rex::Proto::DNS server to use instance variables along the
same convention as other modules, implement the GramServer mixin,
and minor misc cleanup.

-----

Change calling conventions in Rex::Proto::DNS::Server to match
other components.

Clean up the Msf::Exploit::DNS namespace with generic server
interfaces.

Fix the advanged options naming convention - as hdm pointed out,
evasion options use the '::' separator, advanced options use "_".

-----

Testing:
  Basic functional tests in Pry for now.
2017-06-23 19:58:37 -04:00
RageLtMan a9f1fcec7f Set resolver comm and ctx manually 2017-06-23 19:58:36 -04:00
RageLtMan b5c89c4ffe Server::Cache.cache_record graceful failure
Bail out early unless the monitor thread is running since pruning
will not automatically occur. Continue to raise an exception when
invalid cache attempts are made. If this behavior is not desired,
override the method or create a descendant with altered behavior.
2017-06-23 19:58:35 -04:00
RageLtMan 4467cef902 Allow Server to start without caching 2017-06-23 19:58:34 -04:00
RageLtMan 3afc5d2da1 Add running? check to Server 2017-06-23 19:58:34 -04:00
RageLtMan 7b370622c4 Resolver - add accessors for comm and ctx 2017-06-23 19:58:34 -04:00
RageLtMan 332862bfea Server needs a resolver to perform fwd lookups
Dont send requests to a nil object for lookups, it's not very good
at that.
2017-06-23 19:58:33 -04:00
RageLtMan b1b43555cf Fixup Resolver socket creation slop 2017-06-23 19:58:33 -04:00
RageLtMan 6e86ac6e1b Tweak Server and Resolver
Create default_dispatch_request method in Server to allow an
intercepted dispatch request to fall back into default exec flow.

Add attr_reader to the records hash in Cache

Provide Resolver and Server with comm option for their sockets.
2017-06-23 19:58:33 -04:00
RageLtMan e3c372834e Update Resolver's use of Rex Sockets
Compose configuration hashes for the Rex Sockets used in requests
based on the Resolver's own configuration, including passing the
Framework context, and CHOST/CPORT options in from Msf namespaces.
2017-06-23 19:58:32 -04:00
RageLtMan a8c3adf19c Move recursion bit logic into the fwd lookup 2017-06-23 19:58:32 -04:00
RageLtMan 136cc964f5 Accessors, cache stop lock fix, and resp header
Missed the attr_accessors in first commit - added.

Updated Cache stop method to iterate over the resulting Array of
records without holding a write lock over it (:each vs :map).

Glanced over https://www.ietf.org/rfc/rfc1035.txt and set proper
bits for the response and recursion fields prior to passing off the
data for return.

TODO:
  Write mixin for easier packet manipulation with configurable
response builders which can determine proper settings for header
fields based on server/resolver configuration. Document to allow
exploit/vector developers to make use of the functionality...
2017-06-23 19:58:32 -04:00
RageLtMan 9f49903b14 Initial implementation of Rex::Proto::DNS
Add Rex::Proto::DNS and Rex::Proto::DNS::Constants namespaces
Create Rex::Proto::DNS::Resolver from Net::DNS::Resolver
Create Rex::Proto::DNS::Server and Rex::Proto::DNS::Server::Cache

Constants -
  A Rex::Socket style MATCH_HOSTNAME regex has been added to
help validate DNS names.

Resolver -
  Based off of old work creating Rex socket overrides in the
Net::DNS::Resolver as well as allowing for proxying and making
automatic adjustments to use TCP for proxied connections. This
resolver pivots with MSF, uses proxies, and doesnt pull in the
default /etc/resolv.conf information which can lead to info leak.
  Automatically sends Net::DNS::Packet and Resolv::DNS::Message
objects to the appropriate nameservers.
  TODO: Review for potential low level concurrent resolution impl.

Server::Cache -
  Threadsafe wrapper around a Hash which holds Net::DNS::RR keys
with Time.to_i values for counting eviction/stale time without
altering the original record.
  Takes records with a TTL of < 1 as static entries which are not
flushed or pruned by the monitor thread.

Server -
  A standard Rex level server allowing for client connections with
TCP and UDP listeners. Provides common framework for handling the
different transports by creating a "client" type object as a Rex
UDP socket and passing it back to the dispatch/sender methods.
This server can host listeners on remote pivot targets since it
utilizes Rex sockets, and should not leak internal information
from the resolver as easily either.
  Can be configured with a custom resolver regardless of its own
listener configuration (UDP/TCP mix is fine), and carries a
threadsafe wrapper for swapping the resolvers nameservers under
a Mutex.synchronize. Since listeners and resolvers can pivot,
a compromised host in one environment can serve DNS information
obtained by the resolver pivoting through a completely different
target.
  The server takes blocks for dispatch and send functions which
when defined, will intercept the standard execution flow which is
to parse the request, check the cache for corresponding records,
then forward the remaining questions in a request via the resolver,
and build + send a response back to the client.
  The accessors for dispatch and send, resolver, and cache are
accessible at runtime, though it is likely unsafe to replace the
cache and resolver while they are accessed from other threads.

-----

Testing:
  Initial testing performed in IRB/Pry generating manual requests.
  Subsequent checks performed using the running server as the sys
resolver.
  Additional testing is needed - the default dispatch_request
behavior may not be correct (i need to check the RFCs for this) as
it handles multiple questions for A records. This should be tuned
to be RFC compliant, with inheriting classes changing behavior as
needed. We also need to ensure that we're not leaking our own DNS
information to our targets, so all sorts of abuse is in order.

-----

TODO:
  Create Msf::Exploit::DNS namespace utilizing this functionality.
  - Move the threaded enum_dns work, as well as work from 6187,
into the namespace
  - Review existing modules for functional overlap and move here
as needed. This should be done in separate commits/PRs.
  Create specific DNS servers for spoofing, exploit delivery, and
finally handling DNS tunnels (the primary reason for this work).
  Write spec
  - Convince/coerce a friendly soul in the community to handle
spec for this fiasco while building further functionality.
2017-06-23 19:58:29 -04:00
Brent Cook c3090a4f9c
Land #8601, make session logging more useful, don't lose characters 2017-06-23 17:36:01 -05:00
William Webb 9eeb3dc143
use typical command option and TLV scheme instead of dumb stuff for keyscan_start 2017-06-23 13:11:12 -05:00
Dirkjan Mollema 24379f907e Fixed timestamped logger cutting off last character (fixes #8597) 2017-06-23 13:19:16 +02:00
OJ a3607c6802
Update to Mimikatz 2.1.1 20170608 to include changntlm 2017-06-23 13:40:01 +10:00
James Lee 283f36f79a
Compare headers w/process keys instead of themselves
Also clarifies a bunch of old bad variable names
2017-06-22 21:43:11 -05:00
Brent Cook 2617ae7609
Land #8513, check extapi commands for dependencies 2017-06-22 20:21:26 -05:00
Brent Cook fda2e8c73d
Land #8523, Add support for session GUIDs 2017-06-22 20:10:10 -05:00
Brent Cook 0eaffde4b3 fix rex arguments parser to handle adjacent flags, update accordingly 2017-06-22 09:54:03 -05:00
William Webb 47a659f554
Land #8185, Convert ntp modules to bindata 2017-06-22 09:37:58 -05:00
Brent Cook eb4c4c911b
Land #8587, Add android wakelock command to turn the screen on 2017-06-21 14:48:20 -05:00
Spencer McIntyre 717f9aad12 Add more OSX Railgun defs and better CDECL support 2017-06-21 08:59:42 -04:00
OJ a9e03c1efd
Initial working version of AES encryption of TLVs 2017-06-21 21:01:59 +10:00
Brent Cook d81d0ea4ba print a friendlier status msg 2017-06-21 03:09:42 -05:00
Brent Cook b9904572f9 update winpmem dump handler for 64-bit support 2017-06-21 03:02:50 -05:00
OJ 2129959d2d
Begin rework of packet handling
This moves some of the packet-specific stuff to the packet class itself
2017-06-20 19:18:37 +10:00
Spencer McIntyre f7c133cdf7 Add OSX support to railgun 2017-06-19 11:11:55 -04:00
OJ cec87a3e4f
Start of support for AES packet encryption 2017-06-19 22:27:51 +10:00
OJ a48f0fcec6
Remove references to Meterpreter CRYPTO TLVs
This feature wasn't supported, and so the TLVs are no longer needed.
2017-06-19 16:53:33 +10:00
RageLtMan 32fbad7fca Style changes for cmd_ps cleanup 2017-06-14 01:28:21 -04:00
RageLtMan 762427b447 Clean up cmd_ps table output for Mettle
Mettle can run in all sorts of environments where some colums of a
process table will be nil. The existing implementation compacts
rows going into the table while providing filtering for the colum
contents only by checking the output of the first row in the proc
table.

Check column filters against all rows to ensure proper table init.
Check columns going into table for match against header.
Do not compact nil values in the table rows - some things, like
kthreads/workers dont have a path while other PIDs will.
2017-06-12 01:20:59 -04:00
OJ c4288fb35a
Update branch to include chances from upstream/master 2017-06-09 17:18:57 +10:00
OJ 6131e4bd82
Fix download lambda function to take correct param count
This is an emergency fix as a result of something being broken in
master. This is also being pushed straight to master because github is
down and the PR process isn't possible. This commit was reviewed by
@wvu-r7 prior to being pushed.
2017-06-07 09:37:24 +10:00
OJ 37b9cd07a2
Add support for the session GUID in the UI
The Session GUID will identify active sessions, and is the beginning of
work that will allow for tracking of sessions that have come back alive
after failing or switching transports.
2017-06-06 17:15:57 +10:00
Tim 871c30c0b3 refactor stdapi and lanattacks to use filter_commands 2017-06-06 14:05:07 +08:00
Tim e9c9c852ab check_commands -> filter_commands 2017-06-06 13:56:38 +08:00
Tim 7625d36c1c fix #8199, check extapi for dependencies 2017-06-05 14:56:59 +08:00
OJ cc0ff8f3db
Enable adaptive download with variable block sizes
The aim of this commit is to allow users of Meterpreter in high-latency
environments have better control over the behaviour of the download
function. This code contains two new options that manage the block size
of the downloads and the ability to set "adaptive" which means that the
block size will adjust on the fly of things continue to fail.
2017-06-02 17:16:58 +10:00
Brent Cook a01a2ead1a
Land #8467, Samba CVE-2017-7494 Improvements 2017-05-30 00:15:03 -05:00
Brent Cook 11b3fd9067
Land #8468, Update system info after running getsystem 2017-05-26 23:37:00 -05:00
TheNaterz 53cbbbacd8 getsystem update session info 2017-05-26 17:28:11 -06:00
HD Moore e8b5cc3397 Avoid a stacktrace by verifying that the share is known 2017-05-26 17:01:44 -05:00
Tim a9e6df6f15 fix shell command on osx meterpreter 2017-05-26 15:55:14 +08:00
OJ 86aad6b7c3
Fix proxy_type references to handle nil case 2017-05-22 21:47:37 +10:00
Pearce Barry a6f416e8df
Land #8290, Hwbridge Automotive Fix and Extension Enhancements 2017-05-19 13:46:54 -05:00
Pearce Barry d0b13544dd
Agreed-upon feedback updates. 2017-05-17 10:57:39 -05:00
James Lee e3f4cc0dfd
Land #8345, WordPress PHPMailer Exim injection
CVE-2016-10033
2017-05-16 15:07:21 -05:00
Brent Cook 123462bdca
Land #8293, add initial multi-platform railgun support 2017-05-11 22:32:23 -05:00
William Vu ee55516e06 Allow lowercase HTTP in command strings 2017-05-10 15:17:20 -05:00
William Vu 3a45c2f321 Allow complete override of Host header 2017-05-10 15:17:20 -05:00
William Vu e026a8c663
Fix typo (s/Remote/Reverse/) in portfwd -L
Found by ThePortWhisperer on IRC.
2017-04-29 00:10:13 -05:00
William Vu 7a6a124272
Land #8279, POSIX Meterpreter replaced by Mettle 2017-04-26 18:32:17 -05:00
Brent Cook 43ac2c339e
Land #8291, Acunetix XML import improvements 2017-04-26 17:38:52 -05:00
Brent Cook 353191992f move mettle payloads to meterpreter, add reverse_http/s stageless 2017-04-26 17:06:34 -05:00
Pearce Barry c4f1130619
Acunetix XML import improvements.
This patch updates the MSF db_import functionality  w.r.t. importing Acunetix XML files to do the following:

 - import web vulnerabilities identified by Acunetix
 - import all services for each scanned host
  - does not pull in the specifc program/version name of each service, as that's pretty loosely formatted in the Acunetix XML
2017-04-26 12:16:20 -05:00