Commit Graph

2011 Commits (017832be88c51542d956dba71cf85aae1df88b9a)

Author SHA1 Message Date
joev d7295959ca Remove open-uri usage in msf. 2015-03-05 23:45:28 -06:00
jvazquez-r7 64fd818364
Land #4411, @bcook-r7's support for direct, atomic registry key access in meterpreter 2015-03-04 10:01:33 -06:00
Brent Cook 0988c5e691 use the correct implementation for query_value_direct 2015-03-03 22:29:23 -06:00
Ferenc Spala c498ba64e4 Added a new pair of default Tomcat credentials. QLogic's QConvergeConsole comes with a bundled Tomcat with a hard-coded username and password for the manager app. 2015-02-19 15:08:50 -06:00
sinn3r b90639fd66
Land #4726, X360 Software actvx buffer overflow 2015-02-17 11:41:23 -06:00
sinn3r 0597d2defb
Land #4560, Massive Java RMI update 2015-02-17 10:07:07 -06:00
Brent Cook cf0589f8c6 add support for direct reg access to pymeterpreter
When testing this, I found that the python meterpreter hangs running the
following, with or without these changes.

```
use exploit/multi/handler
set payload python/meterpreter/reverse_tcp
set PythonMeterpreterDebug true
set lhost 192.168.43.1
exploit -j
sleep 5
use exploit/windows/local/trusted_service_path
set SESSION 1
check
```

This turned out to be that pymeterpreter ate all the rest of the data in the
recv socket by consuming 4k unconditionally. This would only be exposed if
there were multiple simultaneous requests so the recv buffer filled beyond a
single request, e.g. when using the registry enumeration functions.
2015-02-17 06:11:20 -06:00
Brent Cook 7e9a331087 remove unused .class files
These were added for multi/browser/java_signed_applet, but the class
files are already packaged in a jar file, which is what is actually
used.
2015-02-12 16:08:29 -06:00
Brent Cook 7ab7add721 bump meterpreter_bins to 0.0.14, update Linux binaries.
Hopefully the last manual build before packaging the Linux bins into
meterpreter_bins as well.

This includes all of the fixes and improvements over the past month.

 rapid7/meterpreter#116
 rapid7/meterpreter#117
 rapid7/meterpreter#121
 rapid7/meterpreter#124
2015-02-10 12:43:47 -06:00
jvazquez-r7 1f4fdb5d18
Update from master 2015-02-10 10:47:17 -06:00
jvazquez-r7 511f637b31 Call CollectGarbage 2015-02-09 14:44:31 -06:00
Brent Cook af405eeb7d
Land #4287, @timwr's exploit form CVS-2014-3153 2015-02-09 10:33:14 -06:00
Brent Cook 0e4f3b0e80 added built data/exploits/CVE-2014-3153.elf 2015-02-09 09:50:31 -06:00
jvazquez-r7 a46a53acaf Provide more space for the payload 2015-02-06 14:49:49 -06:00
jvazquez-r7 414349972f Fix comment 2015-02-06 11:34:20 -06:00
jvazquez-r7 b5e230f838 Add javascript exploit 2015-02-06 11:04:59 -06:00
scriptjunkie 5b2eb986c9
Land #4678 Add post module to phish credentials 2015-02-04 23:43:02 -06:00
Brent Cook 2fdeeb3b13 Rebuilt Java Payloads with the latest NDK/SDK and meterpreter-javapayload
Fix rapid7/meterpreter#95, rebuilt with all outstanding PRs from
rapid7/metasploit-javapayload.
2015-02-02 13:09:15 -06:00
jvazquez-r7 aa7f7d4d81 Add DLL source code 2015-02-01 19:59:10 -06:00
jvazquez-r7 d211488e5d Add Initial version 2015-02-01 19:47:58 -06:00
wez3 25ac9c1ed9 Add post module to phish windows user credentials 2015-01-30 19:50:04 +01:00
jvazquez-r7 f9dccda75d Delete unused files 2015-01-22 18:00:31 -06:00
William Vu 75e04705d5
Land #4624, Firefox 33-35 os.js support 2015-01-22 13:35:47 -06:00
Joe Vennix 5bfb88d55c
Update os.js to detect newer firefox versions. 2015-01-21 16:12:17 -06:00
Brent Cook 94fda6e617
Land #4600, jvazquez-r7's Linux meterpreter bins 2015-01-20 09:38:35 -06:00
sinn3r 76746eb209 New password from Hathaway 2015-01-19 21:45:47 -06:00
eyalgr f12c6a1624 Update meterpreter.py
Read until exactly pkt_length bytes
2015-01-18 15:45:28 +02:00
eyalgr d83c6ae215 Update meterpreter.py
Read exactly pkt_length from socket, prevents over-reading.
2015-01-18 15:29:23 +02:00
jvazquez-r7 ffc676ead0 Update linux meterp binaries 2015-01-16 17:09:38 -06:00
jvazquez-r7 26789fa76c Add JMXPayload binary classes for testing 2015-01-15 17:58:09 -06:00
Brent Cook 47cd5a3e59
Land #4562, wchen-r7's Win8 NtApphelpCacheControl privilege escalation 2015-01-15 13:52:07 -06:00
sinn3r 74e8e057dd Use RDL 2015-01-09 19:02:08 -06:00
OJ dfdf99c8f4 Remove metcli
The metcli.exe binary doesn't get used any more and the source was removed
from Meterpreter ages ago. No point in having it in the repo any more.
2015-01-10 09:21:44 +10:00
Brent Cook ce87b126c1 Update to the latest meterpreter_bins
This removes checked-in sniffer extension in favor of the gem-packaged version.
It also pulls in the changes for verifying #4411
2015-01-09 16:57:10 -06:00
sinn3r fce564cde2 Meh, not the debug build. Should be the release build. 2015-01-08 22:06:07 -06:00
sinn3r 14c54cbc22 Update DLL 2015-01-08 21:36:02 -06:00
sinn3r d3738f0d1a Add DLL 2015-01-08 17:17:55 -06:00
sinn3r 50ecfbf64c
Land #4553 - Update bypass UAC to work on 7, 8, 8.1, and 2012 2015-01-08 16:19:55 -06:00
William Vu 3c4ec1d958
Land #4547, rm data/meterpreter/common.lib 2015-01-08 04:52:29 -06:00
OJ 844460dd87
Update bypass UAC to work on 8.1 and 2012
This commit contains a bunch of work that comes from Meatballs1 and
Lesage, and updates the bypassuac_inject module so that it works on
Windows 8.x and Windows 2012. Almost zero of the code in this module
can be attributed to me. Most of it comes from Ben's work.

I did do some code tidying, adjustment of style, etc. but other than
that it's all down to other people.
2015-01-08 15:39:19 +10:00
Brent Cook 32ddd5ccb4 delete unused library from meterpreter dir
common.lib is only used by the build process, not MSF
2015-01-07 16:00:37 -06:00
David Maloney 5480cb81f5
add updated KoreLogic rules to john.conf
updated our shipped john.conf to include a
more up to date version of the KoreLogic JtR rules.
They add overhead to the cracking time but are
probably some of the best/most effective JtR
rules out there.
2015-01-07 12:25:04 -06:00
Brent Cook 7ae56865f1 Update linux meterpreter binaries for rapid7/meterpreter#111
This rebuilds the binaries on Ubuntu 10.04 i386 for metepreter PR #111,
improving the reliability and fixing some bugs in linux process migration.

Tested against Ubuntu 10.04 i386 and Ubuntu 14.04 x86_64:

```
meterpreter > ps
...
 55994  48270  server                   0        bcook       ../metasploit-framework/server
 56009  44199  bash                     0        bcook       -bash
 56094  56009  dummy                    0        bcook       ./dummy

meterpreter > migrate 56094
[*] Migrating to 56094
[*] Migration completed successfully.
meterpreter > sysinfo
Computer     : mint
OS           : Linux mint 3.13.0-37-generic #64-Ubuntu SMP Mon Sep 22 21:28:38 UTC 2014 (x86_64)
Architecture : x86_64
Meterpreter  : x86/linux
meterpreter > ps
...
 55994  48270  [server] <defunct>        0        bcook
 56009  44199  bash                      0        bcook       -bash
 56094  56009  dummy                     0        bcook       ./dummy

meterpreter >
```

Verified presence of call stub when debugging a session:

```
(gdb) x/32b 0x61cc28
0x61cc28:	0x90	0x90	0x90	0x90	0x90	0x90	0x90	0x90
0x61cc30:	0x90	0x90	0x90	0x90	0x90	0x90	0x90	0x90
0x61cc38:	0x90	0x90	0x68	0x04	0x00	0x00	0x00	0x68
0x61cc40:	0xff	0xff	0xff	0xff	0xb8	0x5a	0x5a	0x5a
```
2015-01-04 10:47:44 -06:00
jvazquez-r7 69bda63ef6 Update linux meterpreter binaries 2015-01-01 20:05:36 -06:00
jvazquez-r7 dccf189600 Update binaries 2014-12-30 18:39:29 -06:00
Tod Beardsley d3050de862
Remove references to Redmine in code
See #4400. This should be all of them, except for, of course, the module
that targets Redmine itself.

Note that this also updates the README.md with more current information
as well.
2014-12-19 17:27:08 -06:00
Spencer McIntyre 0ee20561d4 Remove file exists check from stdapi_fs_delete_file 2014-12-09 11:03:57 -06:00
Spencer McIntyre 42710cc32e Error messages for the python meterpreter 2014-12-09 11:03:57 -06:00
Christian Mehlmauer 738fc78883
Land #4220, outlook gather post module 2014-12-07 22:41:28 +01:00
Christian Mehlmauer 9187a409ec
outlook post module fixes 2014-12-06 00:28:44 +01:00
Spencer McIntyre 83b0ac0209 Fix stdapi_sys_config_getenv for Python3 2014-12-04 15:58:17 -06:00
Spencer McIntyre 44816b84aa Prefer the pwd module for getuid when available 2014-12-04 15:58:17 -06:00
HD Moore fc96d011ab
Python reverse_http stager, lands #4225 2014-12-02 11:47:31 -06:00
jvazquez-r7 7a2c9c4c0d
Land #4263, @jvennix-r7's OSX Mavericks root privilege escalation
* Msf module for the Ian Beer exploit
2014-11-30 21:13:07 -06:00
jvazquez-r7 7772da5e3f Change paths, add makefile and compile 2014-11-30 21:06:11 -06:00
Meatballs f5f32fac06
Add token fiddling from nishang 2014-11-28 23:02:59 +00:00
Meatballs 48a5123607
Merge remote-tracking branch 'upstream/master' into pr4233_powerdump 2014-11-27 20:08:11 +00:00
Joe Vennix 7a3fb12124
Add an OSX privilege escalation from Google's Project Zero. 2014-11-25 12:34:16 -06:00
Peter Marszalik 830af7f95e identified instances of tabs vs spaces in the original
identified 16 instances in the original code where tab was used vs spaces. updated to keep consistent.
2014-11-25 12:17:43 -06:00
Peter Marszalik 705bd42b41 tab to space change - line 296 2014-11-22 14:48:44 -06:00
Peter Marszalik 900aa9cd6b powerdump.ps1 bug - corrupt hash fix
Fixed the bug where the hashes are not being extracted correctly when LM is disabled and history is enabled. 

Rather than relying on length, LM and NT headers are checked. Four bytes at 0xa0 show if LM exists and four bytes at 0xac show if NT exists. Details on this known issue can be found in the following whitepaper from blackhat:
https://media.blackhat.com/bh-us-12/Briefings/Reynolds/BH_US_12_Reynods_Stamp_Out_Hash_WP.pdf
2014-11-18 23:10:57 -06:00
Spencer McIntyre 2b36c1bb43 Fix pymeterp bugs from testing in osx and python3 2014-11-17 14:04:30 -05:00
HD Moore 1d8b746d89 Adds new TFTP file names, submitted by Chris McNab 2014-11-16 18:47:11 -06:00
Spencer McIntyre 0bf93acf6b Pymeterp http proxy and user agent support 2014-11-16 14:29:20 -05:00
Spencer McIntyre e562883ba9 Escape inserted vars and fix core_loadlib 2014-11-15 15:06:18 -05:00
Spencer McIntyre 7c14e818f6 Patch pymeterp http settings 2014-11-14 17:12:23 -05:00
Spencer McIntyre 681ae8ce6b Pymet reverse_http stager basic implementation 2014-11-14 14:15:46 -05:00
Spencer McIntyre 6b2387b7fc Prepare for a reverse_http stager 2014-11-14 11:15:22 -05:00
jvazquez-r7 c35dc2e6b3 Add module for CVE-2014-6352 2014-11-12 01:10:49 -06:00
William Vu adad3809cc
Rename logo file 2014-11-11 16:07:44 -06:00
Joshua Smith 329ea4fe01 the masterpiece is complete 2014-11-11 15:35:36 -06:00
Spencer McIntyre 7edc248207 Don't fail if username_from_token returns None 2014-11-10 09:15:16 -05:00
Spencer McIntyre 104841babf Add getsid to the python meterpreter 2014-11-08 20:57:24 -05:00
sinn3r c2391bf011 Add an R in /Info for the trailer dictionary to make it readable 2014-11-05 22:28:37 -06:00
sinn3r 1b2554bc0d Add a default template for CVE-2010-1240 PDF exploit 2014-11-05 17:08:38 -06:00
jvazquez-r7 f43a6e9be0 Use PDWORD_PTR and DWORD_PTR 2014-10-31 17:35:50 -05:00
jvazquez-r7 8e547e27b3 Use correct types 2014-10-31 12:37:21 -05:00
HD Moore 9b61ae5f63 This is halloween.
THISISHALLOWEEN=1 ./msfconsole
2014-10-30 23:35:12 -05:00
jvazquez-r7 6574db5dbb Fix the 64 bits code 2014-10-30 17:01:59 -05:00
jvazquez-r7 03a84a1de3 Search the AccessToken 2014-10-30 12:17:03 -05:00
OJ 908094c3d3 Remove debug, treat warnings as errors 2014-10-28 09:04:02 +10:00
OJ 0a03b2dd48 Final code tidy 2014-10-28 08:59:33 +10:00
William Vu 626cd55b5e
Land #4073, improved banner selection 2014-10-27 14:20:10 -05:00
Spencer McIntyre 04a99f09bb
Land #4064, Win32k.sys NULL Pointer Dereference 2014-10-27 14:01:07 -04:00
jvazquez-r7 042d29b1d6 Compile binaries in house 2014-10-27 12:18:33 -05:00
jvazquez-r7 4406972b46 Do version checking minor cleanup 2014-10-27 09:32:42 -05:00
jvazquez-r7 0aaebc7872 Make GetPtiCurrent USER32 independent 2014-10-26 18:51:02 -05:00
jvazquez-r7 34697a2240 Delete 'callback3' also from 32 bits version 2014-10-26 17:28:35 -05:00
Spencer McIntyre 7416c00416 Initial addition of x64 target for cve-2014-4113 2014-10-26 16:54:42 -04:00
Spencer McIntyre 91dc875af5 Remove seemingly useless file among banners 2014-10-24 13:11:58 -04:00
Spencer McIntyre c1a61e3b4e Support an MSFLOGO env var and logo enumeration 2014-10-24 13:07:28 -04:00
Spencer McIntyre 82f41d56a6 Add [user_]logos_directory to Msf::Config 2014-10-24 10:52:05 -04:00
Joshua Smith 34f29f218c really resolve merge conflicts 2014-10-23 21:51:33 -05:00
jvazquez-r7 a75186d770 Add module for CVE-2014-4113 2014-10-23 18:51:30 -05:00
jvazquez-r7 bf8dce574a Add ppsx template 2014-10-16 17:55:22 -05:00
William Vu 056ee4f207
Land #3958, kill command for pyterp 2014-10-07 10:58:37 -05:00
Spencer McIntyre 766a69e310 Add sys_process_kill to the python meterpreter 2014-10-07 10:10:22 -04:00
James Lee a65ee6cf30
Land #3373, recog
Conflicts:
	Gemfile
	Gemfile.lock
	data/js/detect/os.js
	lib/msf/core/exploit/remote/browser_exploit_server.rb
	modules/exploits/android/browser/webview_addjavascriptinterface.rb
2014-10-03 18:05:58 -05:00
Spencer McIntyre 7da22d064d Remove an unnecessary var and fix process_close 2014-10-02 20:52:45 -04:00
sinn3r 135bed254d Update BrowserExploitServer for JSObfu 2014-09-20 17:59:36 -05:00
Joe Vennix 87aeac2b13
Fix syntax error in os.js, specs ftw. 2014-09-12 11:01:08 -05:00
Joe Vennix 8e091b6da0
Add support for ff 29 - 32 feature. 2014-09-11 22:01:36 -05:00
Tod Beardsley 4fc1ec09c7
Land #3759, Android UXSS, with ref/desc fixes
Incidentally, this also closes jvennix-r7#14 (let's see if I can close a
PR by merging from another repo!)

Also fixes #3782 (opened by accident).
2014-09-11 14:27:51 -05:00
Joe Vennix 7793ed4fea
Add some common UXSS scripts. 2014-09-09 02:31:27 -05:00
Tom Sellers 288a891665 Add the 'guest' IPMI user
The 'guest' IPMI user exists on many Cisco Unified Computing Server (UCS) implementations.
2014-09-01 07:01:06 -05:00
Brandon Turner 05f0d09828
Merge branch staging/electro-release into master
On August 15, shuckins-r7 merged the Metasploit 4.10.0 branch
(staging/electro-release) into master.  Rather than merging with
history, he squashed all history into two commits (see
149c3ecc63 and
82760bf5b3).

We want to preserve history (for things like git blame, git log, etc.).
So on August 22, we reverted the commits above (see
19ba7772f3).

This merge commit merges the staging/electro-release branch
(62b81d6814) into master
(48f0743d1b).  It ensures that any changes
committed to master since the original squashed merge are retained.

As a side effect, you may see this merge commit in history/blame for the
time period between August 15 and August 22.
2014-08-22 10:50:38 -05:00
Brandon Turner 19ba7772f3
Revert "Various merge resolutions from master <- staging"
This reverts commit 149c3ecc63.

Conflicts:
	lib/metasploit/framework/command/base.rb
	lib/metasploit/framework/common_engine.rb
	lib/metasploit/framework/require.rb
	lib/msf/core/modules/namespace.rb
	modules/auxiliary/analyze/jtr_postgres_fast.rb
	modules/auxiliary/scanner/smb/smb_login.rb
	msfconsole
2014-08-22 10:17:44 -05:00
HD Moore 6d92d701d7 Merge feature/recog into post-electro master for this PR 2014-08-16 01:19:08 -05:00
Samuel Huckins 149c3ecc63
Various merge resolutions from master <- staging
* --ask option ported to new location
* --version option now works
* MSF version updated
* All specs passing
2014-08-15 11:33:31 -05:00
joev af3ca19ab2
Land #3501, @AnwarMohamed's android meterpreter commands. 2014-08-09 16:29:59 -05:00
Brandon Turner 91bb0b6e10 Metasploit Framework 4.9.3-2014072301
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJT0CeVAAoJEJMMBVMNnmqO/7AP/0CBRHjtgiR9VnFKSQ+iWTQV
 iPNMBevn0mpSRq/gpoKCeFBZ6b+YQYrOLXDKVk62VV9LCslkr/P8LW8ul+m+JtB0
 mM6V5esUXM1XhgGEyTnTLRx6BR/WQU1RHlb56ae3nZjQlwCuH/5zEmcy5toZxpsY
 6HO46zE0GGBoLr/VgyYlfT08bfoQ+ICyJN0H5ixoovCc3iW0K1MNqLMfdani8zBJ
 gYJaMysV7XtepumWWQMSC+b/EuertdXXzWDy2bwe0Q3cQXNXzrkPAvtMqucWG+gy
 783OLKCPtVoEZiX87xAptkwmVCRdNGPclaWH7YRZDAh1tqBfRQUg72V/TIrOHCP1
 /lYO7yp5pBQg+1UNnpH+xI2YePFfYdHpYDNT5FSQGOnQjJg30ll4SqCm7cVmo2h5
 BRSYXkPCsQeXGaFarxGERNb8e+qN/WzSrHzY45tQw8mDuhg94tlf3VtDag3FXxhj
 zCxd6bu+tdboVm7FERS85T46kxzmeIycZ4p+Sf7d8gXitl2RKbBdKFNDi1gzeK1T
 yN7bDl4sL7qtDgZLXjFrnyC8vXyAqIrAgmFr2JywMBRm6TiCGQvgnrs+sScU3RFU
 W2tblGbKQq+CwDeC59uQPqxRkm72SMUrKX9448VEQ+9XbKE3TMQ5Q4qCxmnw31Op
 aJ0QgKJz8thZgafZc89I
 =e1z9
 -----END PGP SIGNATURE-----
gpgsig -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABCgAGBQJT4pb8AAoJEA+Ckxyj7hsHn+8P/3FlEYCmoqQ/JzsVtmP3Yi4Q
 gBRva+crY831mCCQXFrPJBvWfmy5HOzVh+Zh7zWF0GQ1WuuMppHfR5ARFVwmiDs3
 qwndhXwziDzBnznf0JKSgT5eJsH23s/ots1lyWymKJvPuT6hn6MRAHUawgnNmYR9
 ttnawmHvCM9Iha2oz3nmkLcNd+83bdBfEWi5l8AQ7jJxwMC2/8VPpMscVVwXqPzd
 CoQugAYZW5VeaEiGio5+19Ix9EPkIDvs6wnfGBtfPfeaOIDZV4XOFoIFUtEeZd5o
 olvEpYvdqscy4Qujzn4C++3wX3bUxkIbHTJHgrKmlD83dI7Cu1JH716G+yfLoJo0
 pQBWTGeWYKEh6leK/9J5Bo1/tOJ/ylbcbvH0Y0tmdu4icHar6uYe1QBrCB9xIdh1
 F+xo4guYnVo616DXJQSwjIye83b5dBxACrfA3bqCnFVFgTM5jXGV1cqiBgs9Dl++
 tIDPgUJkCe/bIdQ7PntlGRzxKihHahlxhCa++YaGKqSq7gXie8Rl4qgloIrbfNZ/
 z3XsoOLNdbMGO7ip88Zjwq4Khj5WZu7ijfCtXO7GU1UJZL1tJ2yK2ic7ZDLc251Y
 8EGMSTG53+6yvZYFtWMZeQzjwD2cpuF04dOmHOKi6KGJJ7KRPhn6gpsbc6U1mbH9
 AjGcfOzhhcsY+WAQ7OG+
 =Pjob
 -----END PGP SIGNATURE-----

Merge tag '2014072301' into staging/electro-release

Conflicts:
	Gemfile.lock
	modules/post/windows/gather/credentials/gpp.rb

This removes the active flag in the gpp.rb module.  According to Lance,
the active flag is no longer used.
2014-08-06 15:58:12 -05:00
Joe Vennix 2b46e76e85
Recompiled again. 2014-07-27 22:23:26 -07:00
Joe Vennix ae1f498aae
Check in new android binaries. 2014-07-27 13:22:12 -07:00
Sam 8cabc753a9 Replace hpricot by nokogiri 2014-07-17 00:14:07 +02:00
David Maloney 52a29856b3
Merge branch 'master' into staging/electro-release
Conflicts:
	Gemfile
	Gemfile.lock
2014-07-16 09:38:44 -05:00
OJ 77be5d3e0a
Land #3520 : Update Linux Meterpreter Binaries
Includes fixes for the sniffer which stop it breaking on x64 and make
it work with the `any` interface.

[FixRM #6355]
2014-07-15 09:27:30 +10:00
James Lee de22aeba41
Land #3481, meterpreter bins 2014-07-14 15:57:52 -05:00
jvazquez-r7 31c447e217 Update binaries 2014-07-14 08:50:30 -05:00
jvazquez-r7 074632043f Update meterpreter binaries 2014-07-10 16:36:48 -05:00
Tod Beardsley 038d1e210a
Merge upstream/master to deconflict.
Conflicts:
	Gemfile.lock
2014-07-09 17:43:42 -05:00
AnwarMohamed 34dcb609e2 android extension 2014-07-08 04:52:06 +02:00
David Maloney aeda74f394
Merge branch 'master' into staging/electro-release
Conflicts:
	Gemfile
	Gemfile.lock
2014-07-07 16:41:23 -05:00
OJ bdf27b1834 Fix up the TLVs that are now QWORD values in MSF
Various values were adjusted to become QWORD values in MSF an windows
meterpreter, but the changes were not ported over to python, php and
java. This commit fixes this inconsistency.
2014-07-07 10:42:58 -05:00
HD Moore ab7848a895
Merge master for testing of #2809 2014-07-06 22:27:58 -05:00
HD Moore 43d65cc93a Merge branch 'master' into feature/recog
Resolves conflicts:
	Gemfile
	data/js/detect/os.js
	modules/exploits/android/browser/webview_addjavascriptinterface.rb
2014-07-06 09:17:44 -05:00
James Lee 41cd5527c8
Close the server socket in php bind stager
This was previously left dangling, which leaves the port open, but
doesn't do anything with subsequent connections.
2014-07-03 16:52:09 -05:00
James Lee 9246f7a0ce
Strip the NULL that PHP no longer strips
As of PHP 5.5.0, unpack("a", ...) no longer strips the NULL byte from
the end of the string. A new format specifier, Z, was introduced to
perform the old behavior, but we don't have a good way to test for its
existence. Instead, just remove it with str_replace
2014-07-03 15:58:05 -05:00
Tod Beardsley 8b63d3d467 Revert the revert of #3446
This reverts commit 9b35b0e13a.

This should not land on master until the Metasploit Pro folks (@trosen-r7
and friends) get their Meterpreter path specifications working the
same way as Framework's does.
2014-06-29 17:22:21 -05:00
David Maloney b680674b95
Merge branch 'master' into staging/electro-release 2014-06-27 11:55:57 -05:00
sinn3r ce5d3b12e7
Land #3403 - MS13-097 Registry Symlink IE Sandbox Escape 2014-06-26 13:48:28 -05:00
sinn3r 0b6f7e4483
Land #3404 - MS14-009 .NET Deployment Service IE Sandbox Escape 2014-06-26 11:45:47 -05:00
Chris Doughty 9b35b0e13a Revert "Land #3446 -- Meterpreter bins gem switch" due to build failures
This reverts commit bba8bd3498, reversing
changes made to 002234993f.
2014-06-25 13:24:07 -05:00
Tod Beardsley fbb6808b1a
Re-add common.lib and ext_server_sniffer DLLs
These are not currently included in meterpreter_bins. Figure this out
with @cdoughty-r7 , probably just an oversight.
2014-06-19 16:10:22 -05:00
Tod Beardsley 88b482118d
Remove local Meterpreter Windows binaries 2014-06-19 16:05:53 -05:00
James Lee b606448976
Merge branch 'feature/MSP-9689/jtr_cracker' into staging/electro-release 2014-06-19 10:14:57 -05:00
navs 1c5cfeebb3 adding template and src for elf 64 shared object payload target 2014-06-19 00:38:16 -05:00
David Maloney 41f7bc1372
add common root words wordlist
this adds a new wordlist to the data directory.
This wordlist is compiled from statistical analysis of
common Numeric passwords and Common rootwords across
6 years of colleted password breach dumps. Every word in
this list has been seen thousands of times in password
breaches
2014-06-14 14:13:59 -05:00
Tod Beardsley af9028e867
Add Meterpreter bins for PR76
These are the binaries generated for rapid7/meterpreter#76 , against
commit 2776adb8b91d9967983033c0e770c46a10a68002

These bins are need to make #3416 actually functional
2014-06-12 14:29:40 -05:00
sinn3r 2a7227f443
Land #3427 - Adds webcam module for firefox privileged sessions on OSX 2014-06-11 22:27:25 -05:00
Meatballs d868294d5b
MEM_RESERVE too 2014-06-08 17:37:57 +01:00
jvazquez-r7 9d08ebe273 Fix VirtualAlloc call on PSH old template 2014-06-08 11:09:03 -05:00
joev a33de66da4 Fix transparent background, add VISIBLE option. 2014-06-06 16:52:00 -05:00
joev d990fb4999
Remove a number of stray edits and bs. 2014-06-06 16:24:45 -05:00
joev 7c762ad42c Fix some minor bugs in webrtc stuff, inline API code. 2014-06-06 16:18:39 -05:00
Brandon Turner d9a5002bd3
Merge branch 'release'
Updates meterpreter bins and closes #3425 and #3423.
2014-06-05 17:33:11 -05:00
Tod Beardsley 97a70e49c8
Roll back the jar/py changes 2014-06-05 17:31:02 -05:00
Tod Beardsley 737f06f600
Add Meterpreter bins for release branch.
This contains the same bins as #3423, but it is targeted at the release
branch for rapid7/metasploit-framework.
2014-06-05 17:17:32 -05:00
William Vu 6c7fd3642a
Land #3411, Python 3.[34] Meterpreter support 2014-06-03 11:34:22 -05:00
jvazquez-r7 b8a2cf776b Do test 2014-06-03 09:52:01 -05:00
jvazquez-r7 05ed2340dc Use powershell 2014-06-03 09:29:04 -05:00
jvazquez-r7 f918bcc631 Use powershell instead of mshta 2014-06-03 09:01:56 -05:00
jvazquez-r7 7f4702b65e Update from rapid7 master 2014-06-02 17:41:41 -05:00
Tod Beardsley d0d389598a
Land #3086, Android Java Meterpreter updates
w00t.
2014-06-02 17:28:38 -05:00
jvazquez-r7 4840a05ada Update from rapid7 master 2014-06-02 17:17:00 -05:00
Spencer McIntyre b84297980d Pymeterpreter use print_exc and not print_exception 2014-06-02 16:50:54 -04:00
OJ d2b8706bd6
Include meterpreter bins, add Sandbox builds
This commit contains the binaries that are needed for Juan's sandbox
escape functionality (ie. the updated old libloader code). It also
contains rebuilt binaries for all meterpreter plugins.

I've also added command line build scripts for the sandbox escapes
and added that to the "exploits" build.
2014-05-31 08:12:34 +10:00
Spencer McIntyre 77eac38b01 Pymeterpreter fix processes_via_proc for Python v3 2014-05-30 16:32:03 -04:00
Spencer McIntyre 4f5ab2c596 Pymeterpreter support process channels for Python v3 2014-05-30 14:35:47 -04:00
Spencer McIntyre e2cc2fece0 Pymeterpreter update win reg functions for python v3 2014-05-30 10:51:36 -04:00
jvazquez-r7 1dbd36a3dd Check for the .NET dfsvc and use %windir% 2014-05-30 09:02:43 -05:00
Spencer McIntyre 04e94b0c07 Fix meterpreter and file tests for Python v3.4 on Win 2014-05-29 16:42:28 -04:00
Spencer McIntyre 15dc33591b In pymeterpreter use a MeterpreterFile obj for Py v3 2014-05-29 15:09:09 -04:00
Spencer McIntyre d8dcfd8f41 Update pymeterpreter netlink to support python3 2014-05-29 13:48:15 -04:00
jvazquez-r7 e145298c13 Add module for CVE-2014-0257 2014-05-29 11:45:19 -05:00
jvazquez-r7 6e122e683a Add module for CVE-2013-5045 2014-05-29 11:42:54 -05:00
Spencer McIntyre 145776db4d Add a DEBUGGING option to the python meterpreter 2014-05-29 10:52:49 -04:00
Spencer McIntyre 15b1c79039 Adjust whitespace and set bytes to str for Python 2 2014-05-28 16:30:27 -04:00
HD Moore eda8a90cea Fix merge issues with os.js 2014-05-19 13:04:36 -05:00
HD Moore ddc8a4f103 Merge branch 'master' of github.com:rapid7/metasploit-framework into feature/recog 2014-05-19 11:42:30 -05:00
Tonimir Kisasondi 9b29c572a7 Comments dont work with auth_brute.rb 2014-05-18 21:14:17 +02:00
Tonimir Kisasondi c9bb2d5165 Added headers to files 2014-05-18 20:55:50 +02:00
Tonimir Kisasondi 97b63d708c Corrected naming to be in line with msf convention 2014-05-18 18:18:23 +02:00
Tonimir Kisasondi 7d79f8a4c2 Removed wrongly named list. 2014-05-18 18:15:17 +02:00
Tonimir Kisasondi d7bf66973c Fixed userpass delimiters. 2014-05-18 18:13:03 +02:00
HD Moore a844b5c30a Merge branch 'master' of github.com:hmoore-r7/metasploit-framework into feature/recog
Conflicts:
	Gemfile
	Gemfile.lock
	data/js/detect/os.js
	lib/msf/core/exploit/remote/browser_exploit_server.rb
2014-05-18 10:50:32 -05:00
Tonimir Kisasondi 6ec926b573 Added separate users/pass/userpass dictionaries 2014-05-18 10:18:07 +02:00
Tonimir Kisasondi af82ae262c Added a large default password list for services. 2014-05-16 23:27:18 +02:00
jvazquez-r7 5fd732d24a Add module for CVE-2014-0515 2014-05-07 17:13:16 -05:00
sinn3r 6bfc9a8aa0
Land #3333 - Adobe Flash Player Integer Underflow Remote Code Execution 2014-05-05 10:39:26 -05:00
OJ 7e37939bf2
Land #3090 - Windows NTUserMessageCall Win32k Kernel Pool Overflow (Schlamperei) 2014-05-04 16:41:17 +10:00
jvazquez-r7 b4c7c5ed1f Add module for CVE-2014-0497 2014-05-03 20:04:46 -05:00
Meatballs 06c8082187
Use signed binary 2014-05-02 14:45:14 +01:00
James Lee 4bd2dabfcd
Land #3121, new kiwi extension, with compiled bins
See also rapid7/meterpreter#79
2014-04-29 17:53:37 -05:00
jvazquez-r7 60e7e9f515 Add module for CVE-2013-5331 2014-04-27 10:40:46 -05:00
sinn3r 5c0664fb3b
Land #3292 - Mac OS X NFS Mount Privilege Escalation Exploit 2014-04-24 13:43:20 -05:00
Joe Vennix 143aede19c
Add osx nfs_mount module. 2014-04-23 02:32:42 -05:00
jvazquez-r7 acb12a8bef Beautify and fix both ruby an AS 2014-04-17 23:32:29 -05:00
jvazquez-r7 91d9f9ea7f Update from master 2014-04-17 15:32:49 -05:00
jvazquez-r7 749e141fc8 Do first clean up 2014-04-17 15:31:56 -05:00
jvazquez-r7 abd76c5000 Add module for CVE-2014-0322 2014-04-15 17:55:24 -05:00
joev 0b23fc2c40 Revert "Use actual vars so that jsobfu can randomize."
This reverts commit b9284c5635.
2014-04-11 16:51:29 -05:00
sinn3r 68a50e3663
Land #3224 - Fixes large-string expansion in JSObfu 2014-04-10 12:09:22 -05:00
Joe Vennix b9284c5635 Use actual vars so that jsobfu can randomize. 2014-04-09 16:56:10 -05:00
Spencer McIntyre 85197dffe6 MS14-017 Word RTF listoverridecount memory corruption 2014-04-08 14:44:20 -04:00
joev 2e4c2b1637 Disable Android 4.0, add arch detection.
Android 4.0, it turns out, has a different echo builtin than the other androids.
Until we can figure out how to drop a payload on a 4.0 shell, we cannot support it.

Arch detection allows mips/x86/arm ndkstagers to work, unfortunately
x86 ndkstager was not working, so it is disabled for now.
2014-04-07 09:44:43 -05:00
sinn3r 4d69f80728 Update explib2.js
Remove a few lines
2014-04-02 23:07:29 -05:00
jvazquez-r7 74554ed805
Land #3174, @wchen-r7's object detection for ie11 2014-04-02 15:27:13 -05:00
jvazquez-r7 577bd7c855
Land #3146, @wchen-r7's flash version detection code 2014-04-02 15:13:41 -05:00
sinn3r 5ffcfb22fa Add object detection for IE11
While working on some stuff with IE11, I realized this is very
necessary.
2014-04-02 02:21:16 -05:00
HD Moore 7e227581a7 Rework OS fingerprinting to match Recog changes
This commit changes how os_name and os_flavor are handled
for client-side exploits, matching recent changes to the
server-side exploits and scanner fingerprints.

This commit also updates the client-side fingerprinting to
take into account Windows 8.1 and IE 9, 10, and 11.
2014-04-01 08:14:58 -07:00
sinn3r 389ad7aca3
Land #3155 - Explib2 2014-03-28 18:31:40 -05:00
sinn3r 4f5944cfb8 Add JavaScript detection for Adobe Flash 2014-03-28 14:31:21 -05:00
jvazquez-r7 ce02f8a7c5 Allow easier control of sprayed memory 2014-03-28 11:58:41 -05:00
jvazquez-r7 b0bbe3f6a9 Add explib2 with some fixes into metasploit 2014-03-28 10:44:13 -05:00
sinn3r 4c44f69e86 Undo the IE8/IE7 objection detection 2014-03-27 15:01:03 -05:00
sinn3r fc1432fe53 This is probably the right way to do it for ie7/8 2014-03-27 13:53:24 -05:00
sinn3r 9c54421679 Update IE8/IE7 object detection 2014-03-27 13:34:07 -05:00
sinn3r 8df96a419b Make IE10 detection safer for older IEs 2014-03-27 13:31:15 -05:00
sinn3r 1f90115c8f Add default detection for IE 9 and IE 10
How it's done:

On IE10, which should come first before the IE 9 check, the nodeName
function always returns the name in uppercase.

One IE9, the "Object doesn't support property or method" error always
repeats the name of the invalid method.
2014-03-27 00:15:36 -05:00
joe 46f7e6060f Add the updated bins from timwr. 2014-03-25 09:39:53 -07:00
joe c71d52e769 Merge branch 'pr-android-bins' of https://github.com/jvennix-r7/metasploit-framework into new-android-bins 2014-03-25 09:35:25 -07:00
sinn3r 8c707b20e0 Add support for specific builds of MSIE 9 on Win 7 SP1
These IE9 versions are vulnerable to MS14-012 (see #3120). If we don't
add them, then os_detect might recognize the target as IE 8, and fail.
2014-03-19 21:54:36 -05:00
Tod Beardsley 05436dc2c5
Refresh binaries for Meterpreter
This includes:

rapid7/meterpreter#69
rapid7/meterpreter#70
rapid7/meterpreter#75
rapid7/meterpreter#77
rapid7/meterpreter#78

As of commit: 45bcbd13a1e0215647f6a61631652b686931bba8
2014-03-19 08:57:04 -05:00
joev 8e4708b51b Add support for firefox 28. 2014-03-18 11:26:24 -05:00
OJ 409787346e
Bring build tools up to date, change some project settings
This commit brings the source into line with the general format/settings
that are used in other exploits.
2014-03-14 22:57:16 +10:00
James Lee 6438b9372c
Land #3067, python meterp net.config additions 2014-03-13 13:03:43 -05:00
Tod Beardsley 6309c4a193
Metasploit LLC transferred assets to Rapid7
The license texts should reflect this.
2014-03-13 09:47:52 -05:00
Spencer McIntyre 5ea26688d7 Fix a syntax error for Python 2.4 2014-03-11 15:22:52 -04:00
Spencer McIntyre f3493ce220 Merge branch 'master' into pymeterpreter-net
Conflicts:
	data/meterpreter/ext_server_stdapi.py
2014-03-11 15:15:02 -04:00
Spencer McIntyre e874223421
Land #3083, fix pymet when ctypes isn't available 2014-03-11 14:31:44 -04:00
Joe Vennix 679cb03ac3 Yank armeabi-v7a bins. 2014-03-11 13:09:50 -05:00
sinn3r b431bf3da9
Land #3052 - Fix nil error in BES 2014-03-11 12:51:03 -05:00
James Lee b87c2dca0b
Use older hash modules when hashlib isn't there 2014-03-11 12:25:54 -05:00
Tim 4f31eba7f4 android payload golf 2014-03-10 21:50:00 -05:00
joe 66ff5998a5 New multi-arch stagers. 2014-03-10 21:49:56 -05:00
joe 60b5191873 New meterpreter bins for testing. 2014-03-10 21:49:14 -05:00
joe 667bed8905 New multi-arch stagers. 2014-03-10 18:50:27 -07:00
James Lee 75c94cc5d7
Derp 2014-03-10 16:30:55 -05:00
James Lee e508079aff
Don't crash when ctypes isn't available 2014-03-10 16:10:24 -05:00
joe 6616d36d63 New meterpreter bins for testing. 2014-03-07 13:21:30 -08:00
kyuzo 2a1e96165c Adding MS013-058 for Windows7 x86 2014-03-06 18:39:34 +00:00
Joe Vennix 05067b4e33 Oops. Need to init the profile before accessed. 2014-03-06 11:48:54 -06:00
Joe Vennix 3d7bc6c589 Remove form_post.js. 2014-03-05 23:35:54 -06:00
William Vu 096d6ad951
Land #3055, heapLib2 integration 2014-03-05 15:48:13 -06:00
Spencer McIntyre 1dea1c030e Add interface support via OSX SystemConfiguration 2014-03-05 13:59:13 -05:00
Joe Vennix 5790547d34 Start undoing some work. 2014-03-04 17:01:53 -06:00
Spencer McIntyre 0834102e2b Support tcp server channels and add a python MeterpreterSocket 2014-03-04 13:31:29 -05:00
Joe Vennix 3360f7004d Update form_post vars, add Expires to cookie. 2014-03-03 23:29:02 -06:00
Spencer McIntyre 7111e8aa59 Support retrieving interface information via GetAdaptersAddresses 2014-03-03 21:01:16 -05:00
Joe Vennix 6825fd2486 Whitespace tweaks and cleanup. 2014-03-02 19:57:48 -06:00
Joe Vennix 46f27289ed Reorganizes form_post into separate file. 2014-03-02 19:55:21 -06:00
Joe Vennix e8226f9d40 Use a keyed cookie. Moves AJAX call to a form post. 2014-03-02 19:47:24 -06:00
sinn3r 8cf5c3b97e Add heaplib2
[SeeRM #8769] Add heapLib2 for browser exploitation
2014-03-02 11:47:18 -06:00
Spencer McIntyre 699e534149 Add missing return statement. 2014-03-02 00:18:46 -05:00
Spencer McIntyre 1c9390c9cf Support retrieving interface information via windows mib functions. 2014-03-02 00:17:00 -05:00
Spencer McIntyre 733a86ec74 Support retrieving interface information via netlink. 2014-03-01 22:34:38 -05:00
Spencer McIntyre 284d99aa6c Add pymeterp TLV types for additional network functions. 2014-02-28 13:56:51 -05:00
jvazquez-r7 8922f6457b
Land #3045, @wchen-r7's fix for browser autopwn 2014-02-28 12:55:32 -06:00
Spencer McIntyre 99e272e463 Return true in EOF when tell() > stat.st_size 2014-02-27 20:45:38 -05:00
David Maloney 9d9149d9d8
remove some dead code paths
refactor some dead conditionals and a case/switch
that wasn't doing anything
2014-02-27 11:45:57 -06:00