sinn3r
e9b6a023de
Fix a typo
2015-02-23 21:45:02 -06:00
jvazquez-r7
d0d124eb19
Mimic original handling
2015-02-23 20:42:49 -06:00
jvazquez-r7
32046f9c47
smb_cmd_trans_query_path_info_standard
2015-02-23 19:57:16 -06:00
William Vu
8c5ff858d0
Land #4812 , hp_sys_mgmt_login configurable URIs
2015-02-23 19:04:14 -06:00
jvazquez-r7
ea483f14a1
Try to fix logic for query information levels
2015-02-23 17:17:33 -06:00
jvazquez-r7
3fca26a5de
Add support for SMB_COM_TRANSACTION2 data blocks and params
2015-02-23 16:37:39 -06:00
jvazquez-r7
623d319ca7
Fix offsets
2015-02-23 14:43:06 -06:00
jvazquez-r7
2653ff9d58
Try to simplify request query and find request handling
2015-02-23 14:06:23 -06:00
HD Moore
97ccf7e23f
Fixes SSL support for http_login (variable shadowing)
2015-02-23 14:00:29 -06:00
jvazquez-r7
36711e801c
Fix comment
2015-02-23 13:09:23 -06:00
jvazquez-r7
99483f88f1
Fix, hopefully, dispatching
2015-02-23 13:08:45 -06:00
jvazquez-r7
87176b9b37
Redo TRANS2_QUERY_PATH_INFORMATION dispatching
2015-02-23 12:52:50 -06:00
jvazquez-r7
a06d07d6da
Clean smb_cmd_trans2_query_file_information dispatching
2015-02-23 12:03:08 -06:00
sinn3r
c39d6e152e
Land #4819 , Normalize HTTP LoginScanner modules
2015-02-23 11:43:42 -06:00
jvazquez-r7
abe5ea42cb
Clean smb_cmd_trans
2015-02-23 11:34:19 -06:00
jvazquez-r7
3d7381b62a
Handle TRANS2 commands
2015-02-23 11:33:49 -06:00
jvazquez-r7
fe00cadd18
Delete require
2015-02-23 11:15:55 -06:00
jvazquez-r7
1dba961698
delete SubCommand namespace
2015-02-23 11:15:14 -06:00
jvazquez-r7
7d9f661d78
Fix includes
2015-02-23 11:14:45 -06:00
jvazquez-r7
439507d359
Move trans2 files
2015-02-23 11:13:08 -06:00
sinn3r
885469ca52
Land #4823 , Meet the modern ruby style guide
2015-02-23 01:03:08 -06:00
HD Moore
e5e3474af4
Handle ICMP "protocol not available" errors as connection errors
2015-02-22 16:36:53 -06:00
Joshua Smith
251c284458
modernizes some of the rpc code
2015-02-22 15:37:55 -06:00
HD Moore
29ac27f357
Lands #4813 , replaces print_* with exceptions
2015-02-22 14:14:16 -06:00
HD Moore
c60e2584bf
Comment typo
2015-02-22 02:51:18 -06:00
HD Moore
888c718f40
Fix two typos
2015-02-22 02:45:50 -06:00
HD Moore
8e8a366889
Pass Http::Client parameters into LoginScanner::Http (see #4803 )
2015-02-22 02:26:15 -06:00
Christian Mehlmauer
c820431879
Land #4770 , Wordpress Ultimate CSV Importer user extract module
2015-02-22 08:52:45 +01:00
William Vu
2b9ab901cb
Land #4811 , creds -d documentation
2015-02-21 20:59:52 -06:00
William Vu
9f826f4caa
Land #4809 , s/WtfError/ElfParseyError/
2015-02-21 20:52:58 -06:00
William Vu
b39e2bea8e
Land #4806 , EXE::Custom case-sensitivity fix
2015-02-21 20:49:53 -06:00
William Vu
f900d9cf26
Handle whitespace as per blank?
...
!~ /\S/ as per the original implementation of blank? also works.
2015-02-21 20:36:16 -06:00
rastating
708340ec5a
Tidy up various bits of code
2015-02-21 12:53:33 +00:00
jvazquez-r7
80aef690a0
Do first commands refactoring
2015-02-21 01:48:47 -06:00
jvazquez-r7
52b41ab4f8
Do first Share refactoring
2015-02-21 01:00:46 -06:00
sinn3r
bf2be7964b
Fix #4592 , print_* methods used in LoginScanner modules
...
Fix #4592
2015-02-20 22:46:21 -06:00
sinn3r
40c237f507
Fix #3982 , allow URIs to be user configurable
...
Fix #3982
2015-02-20 21:54:03 -06:00
sinn3r
b8cb93d712
Fix #3790 , document the creds -d feature
...
Fix #3790
2015-02-20 21:38:26 -06:00
sinn3r
b5f8ae85cf
Fix #3827 , Add support to rename a job
...
Fix #3827
2015-02-20 21:13:45 -06:00
sinn3r
85871ab822
Fix #4382 , Make errors more meaningful
...
Fix #4382
2015-02-20 20:09:58 -06:00
rastating
7e1e0f8196
Add plugin upload functionality
2015-02-21 01:20:20 +00:00
jvazquez-r7
df903120e3
Reorganize trans2_find_first2 requests
2015-02-20 18:28:49 -06:00
jvazquez-r7
52a0e6dd1c
Mark a couple of handlers for later review
2015-02-20 16:28:04 -06:00
Meatballs
dc4898765f
Fix EXE::Custom
2015-02-20 16:59:18 +00:00
jvazquez-r7
a91d19e0e7
Add template for SMB_QUERY_FILE_STANDARD_INFO
2015-02-20 10:58:15 -06:00
jvazquez-r7
21978a1bfe
Add template for SMB_QUERY_FILE_BASIC_INFO
2015-02-20 10:40:45 -06:00
jvazquez-r7
cf63e09188
Add templates for SMB_FIND_FILE_FULL_DIRECTORY_INFO_HDR and SMB_FIND_FILE_NAMES_INFO_HDR
2015-02-20 09:17:51 -06:00
jvazquez-r7
f2405a5dc0
Create SMB_FIND_FILE_BOTH_DIRECTORY_INFO_HDR_LENGTH constant
2015-02-20 00:35:26 -06:00
jvazquez-r7
571dffa317
Create template for SMB_FIND_FILE_BOTH_DIRECTORY_INFO
2015-02-20 00:22:33 -06:00
jvazquez-r7
94ad64546c
Create TRANS2_PARAMETERS template
2015-02-19 23:16:52 -06:00
jvazquez-r7
b24b94ddd3
Do first cleanup of find_first2 handlers
2015-02-19 19:08:56 -06:00
jvazquez-r7
74c43f5527
Delete more unused local variables
2015-02-19 14:39:55 -06:00
jvazquez-r7
1d5a977280
Delete a lot of verbose prints
2015-02-19 14:37:16 -06:00
jvazquez-r7
0940ceae75
Delete unused local variables
2015-02-19 14:26:46 -06:00
jvazquez-r7
c38c3519d8
Delete more unused code
2015-02-19 14:24:18 -06:00
jvazquez-r7
7487f9611b
Do some extra prints
2015-02-19 14:11:27 -06:00
jvazquez-r7
d9b9de8e89
Delete unused code
2015-02-19 13:16:24 -06:00
jvazquez-r7
5510000bf1
Use constant for FLAGS2
2015-02-19 13:02:50 -06:00
jvazquez-r7
392137292e
Old delete register prototype comment
2015-02-19 13:00:12 -06:00
jvazquez-r7
39ceb5b90f
Update smb_error on Exploit::Remote::SMB::Server
2015-02-19 12:10:28 -06:00
Brent Cook
4781ac4b39
the http service needs to keep running to handle meterpreter loading
...
revert a8f44ca68f
2015-02-19 09:38:48 -06:00
jvazquez-r7
b85324435e
Don't waste instance variables
2015-02-18 16:42:52 -06:00
jvazquez-r7
91d9d93fec
Handle instance variables correctly
2015-02-18 16:35:20 -06:00
jvazquez-r7
438b38dfe4
Use Rex::Text
2015-02-18 16:20:47 -06:00
jvazquez-r7
a815858644
Fix setup
2015-02-18 16:19:05 -06:00
David Maloney
ffa6550aec
Land #4787 , HD's new Zabbix and Chef LoginScanners
...
Lands the new LoginScanners HD wrote for Zabbix
and the Chef WebUI
2015-02-18 14:51:16 -06:00
David Maloney
804db0ff0c
add leixcal sorting to methods
...
lexical sort the new methods except for
msf module entrypoint methods which should always be at
the top
2015-02-18 14:50:33 -06:00
jvazquez-r7
06dfa6b5be
Fix initialize
2015-02-18 13:56:06 -06:00
jvazquez-r7
62c08094fd
Delete the old FileServer mixin
2015-02-18 13:54:24 -06:00
jvazquez-r7
9068397fff
Delete code commented by myself
2015-02-18 13:47:05 -06:00
jvazquez-r7
a446df95b2
Make Msf::Exploit::Remote::SMB::Server::Share a mixin
2015-02-18 13:45:48 -06:00
jvazquez-r7
874031b96d
Delete require
2015-02-18 13:44:31 -06:00
jvazquez-r7
415c671416
Move Rex code, we'll redesign as mixin
2015-02-18 13:44:02 -06:00
jvazquez-r7
ff4aa1f9da
Require FileServer mixin
2015-02-18 11:43:13 -06:00
jvazquez-r7
f960a77754
Solve merging conflicts
2015-02-18 11:36:47 -06:00
jvazquez-r7
01bedb7351
Merge #3074 , @0x41414141 SMBFileServer mixin
2015-02-18 10:53:05 -06:00
Matt Buck
a9931cd410
Land #4725 , convert Rails 3 AR calls in RPC_Db
...
Converts Rails 3 style ActiveRecord calls in RPC_Db to their Rails 4
counterparts.
Fixes #4725 , also see MSP-12017
2015-02-18 09:59:40 -06:00
William Vu
6a9d15a8d5
Land #4785 , Rex::Proto::Http::Client context fixes
2015-02-18 03:47:26 -06:00
William Vu
bda96f46e6
Land #4780 , stop HTTP service with HTTP handler
2015-02-18 03:34:03 -06:00
HD Moore
2847507f03
Add a chef brute force module
2015-02-17 23:49:57 -06:00
HD Moore
27d5ab45b4
Add a zabbix brute force module
2015-02-17 22:56:08 -06:00
HD Moore
85fd139ab0
Add missing context and a normalize_uri helper method
2015-02-17 22:55:53 -06:00
sinn3r
8ce1db5081
Fix #4783 , raise exception if the payload arch is incompatible
...
Fix #4783
2015-02-17 21:47:17 -06:00
HD Moore
16932372db
Calls to Rex::Proto::Http::Client.new were passing in empty context
2015-02-17 20:44:37 -06:00
rastating
e0d87a8886
Update to use store_loot for CSV export
2015-02-17 19:21:31 +00:00
Brent Cook
bed40a83ee
fix #4337 : gracefully handle resolve_sid failure when enumerating user profiles
...
Rather than throwing a backtrace with an unresolvable SID, try to get as
much profile data as possible if resolve_sid fails.
```
[*] Determining session platform and type...
[-] Unexpected windows error 1332
[*] Checking for Firefox directory in:
C:\Users\Administrator\AppData\Roaming\Mozilla\
[-] Firefox not found
[*] Post module execution completed
```
2015-02-17 13:03:12 -06:00
Brent Cook
a8f44ca68f
stop the http service when the reverse http handler stops
2015-02-17 12:38:20 -06:00
Matthew Hall
547d4d1950
Merge with master
2015-02-17 17:23:19 +00:00
Matthew Hall
9e2a483977
Add example usage to Msf::Exploit::Remote::SMBFileServer documentation
2015-02-17 17:23:18 +00:00
Matthew Hall
cec817902f
Add yardoc documentation for Msf::Exploit::Remote::SMBFileServer
2015-02-17 17:23:18 +00:00
Matthew Hall
5cf8833697
Tidy lib/msf/core/exploit/smb.rb following feedback from jlee-r7.
...
* Doc comments wrap at 78 chars to follow yardoc convention
* Remove unused :server and SERVER vals
* Use Utils class directly
* Stop server within an ensure
* Change SRVHOST to an OptAddress
2015-02-17 17:23:18 +00:00
Matthew Hall
8beed5652d
Implement SMBFileServer mixin.
...
In order to accomplish remote file injection (e.g. DLL) this module
emulates an SMB service process to allow clients to load a file from a
network share.
This commit implements the SMBFileServer exploit module utilising the
::Rex::Proto::SMB::Server module to export the "start_smb_server"
function.
Utilising the module (example):
include Msf::Exploit::Remote::SMBFileServer
exe = generate_payload_dll
@exe_file = rand_text_alpha(7) + ".dll"
@share = rand_text_alpha(5)
my_host = (datastore['SRVHOST'] == '0.0.0.0') ?
Rex::Socket.source_address : datastore['SRVHOST']
@unc = "\\#{my_host}\#{@share}\#{@exe_file}"
start_smb_server(@unc, exe, @exe_file)
// Inject DLL
handle
A separate commit will provide a sample implementation of utilising this
module within a generic webserver DLL injection exploit:
./exploits/windows/http/generic_http_dllinject.rb
2015-02-17 17:23:18 +00:00
Matthew Hall
934af4cee9
Merge branch 'master' into module-smbfileserver
2015-02-17 17:01:44 +00:00
Matthew Hall
49971a6bc3
Add two more contants and handlers seen during testing.
2015-02-17 16:48:11 +00:00
sinn3r
6eaa3c264c
Land #4763 , LSBackgroundOnly for safari_user_assisted_download_launch
2015-02-17 10:41:59 -06:00
Brent Cook
e08206d192
Land #4768 , jvazquez-r7 reorganizes the SMB mixins
2015-02-17 10:36:19 -06:00
sinn3r
0597d2defb
Land #4560 , Massive Java RMI update
2015-02-17 10:07:07 -06:00
Brent Cook
b4cf2f5d8c
use correct response filter TLV_TYPE_VALUE_NAME
2015-02-17 08:46:25 -06:00
Matthew Hall
1f6aebe3df
Move to using constant values.
...
This commit adds several constants for TRANS2, QUERY_PATH_INFO, MAX_DATA_COUNT,
and NT2 FLAG2 Bits to smb/constants.rb, which have then been utilised in smb/server.rb
to reduce the use of magic values.
2015-02-17 14:31:31 +00:00
Brent Cook
8f74f8eeed
pass down the new permissions parameters
2015-02-17 06:11:20 -06:00
Brent Cook
503f58375b
add direct registry access methods
...
Rather than operating on a passed-in HKEY, these open and close the registry
key directly for each operation.
This pattern better reflects the actual API usage within msf, and removes extra
round-trips to open and close the registry key, reducing traffic and increasing
performance. I did not add direct versions of every registry operation.
There was no benefit for more rarely-used operations, other than requiring more
churn in the meterpreters.
The primary beneficiary of this is post exploitation modules that do registry
or service enumeration. See #3693 for test cases.
2015-02-17 06:11:20 -06:00
Matthew Hall
3110c7b40f
Adds smb_cmd_trans_find_first2_full to respond to "Find File Full Directory Info" FIND_FIRST2 requests,
...
as seen when using "type \\ip\share\file".
2015-02-17 11:37:44 +00:00
rastating
a22f5c1287
Add extra readme check for case sensitive servers
2015-02-14 23:43:04 +00:00
jvazquez-r7
2c842ee6d7
Fix namespaces on Server
2015-02-13 17:34:55 -06:00
jvazquez-r7
9b7bbc220b
Fix namespaces on Client
2015-02-13 17:33:41 -06:00
jvazquez-r7
46c6ac9ca1
Redefine namespaces and requires
2015-02-13 17:09:06 -06:00
jvazquez-r7
df1daff673
Move clients
2015-02-13 17:07:03 -06:00
jvazquez-r7
067aadf3a4
Fix namespaces
2015-02-13 17:05:46 -06:00
jvazquez-r7
f1ab7ed343
Mode smb.rb
2015-02-13 17:04:55 -06:00
jvazquez-r7
7367402bf1
Add requires
2015-02-13 17:03:48 -06:00
jvazquez-r7
ccabf30531
Move smb_server.rb
2015-02-13 16:58:19 -06:00
Samuel Huckins
ce688f4247
Land #4765 , Rails4 compatible finder conversion
...
* find_or_initialize_by_DYNAMIC
2015-02-13 15:56:09 -06:00
Samuel Huckins
7b7a6340c0
Land #4766 , fixes vuln import finder query
2015-02-13 14:29:04 -06:00
Christian Catalan
dc6a365a13
Fix finder query in Msf::DBManager::Vuln
...
MSP-12152
* This is part of updating finder queries to be Rails 4 compatibile
* In #find_vuln_by_details, pass in conditons hash crit rather than symbol :crit
2015-02-13 13:21:25 -06:00
sinn3r
6b99103cec
Land #4690 - Update Nessus plugin to support the latest REST API
...
Resolves #4447
2015-02-13 12:46:01 -06:00
Sonny Gonzalez
dc1eab377c
Rails 4 finder conversion: convert find_or_initialize_by_x_and_y
...
MSP-12153
* convert to where(conditions).first_or_initialize
2015-02-13 12:39:44 -06:00
sinn3r
f5e0dddd3c
Correct authentication
...
Can't always be true
2015-02-13 11:48:10 -06:00
joev
49c9c02b53
Hide the dropped osx app.
2015-02-12 23:08:46 -06:00
jvazquez-r7
3ae3d56caa
Land #4745 , fixes #4711 , BrowserAutoPwn failing due to getpeername
2015-02-12 16:51:09 -06:00
William Vu
39c0065560
Land #4758 , SMTPDeliver DATA header fix
2015-02-12 15:07:31 -06:00
Matt Buck
f0bf881cc3
Land #4720 , update Rails 3-style .find(:first)
...
Eliminate the Rails 3-style .find(:first) calls, and replace with
Rails 4-compatible .first().
Fixes #4720 , also see MSP-12012
2015-02-12 14:30:13 -06:00
David Maloney
72878e0c14
fixes bug with smtp header order
...
SMTP servers that support pipelining will not accept any
commands other than MAILFROM and RCPTTO before the DATA
command. We were sending Date and Subject before Data
which would cause some mailservers to suddenly drop
the connection refusing to send the mail.
MSP-12133
2015-02-12 14:13:39 -06:00
sinn3r
50c72125a4
::Errno::EINVAL, disable obfuscation, revoke ms14-064
2015-02-12 11:54:01 -06:00
root
199dca75a6
Implement db_import and finalize plugin
2015-02-12 13:32:49 +05:00
Sonny Gonzalez
7c57b9fb57
Fix Master - Pro build
...
MSP-12138
* revert to previous Rails 3 syntax.
2015-02-11 12:02:34 -06:00
root
64b69d597a
Add report_download and db_scan APIs
2015-02-11 14:11:10 +05:00
sinn3r
22811257db
Fix #4711 - Errno::EINVA (getpeername(2)) BrowserAutoPwn Fix
...
This patch fixes #4711 .
The problem here is that the browser sometimes will shutdown some of our
exploit's connections (in my testing, all Java), and that will cause Ruby
to call a rb_sys_fail with "getpeername(2)". The error goes all the
way to Rex::IO::StreamServer's monitor_listener method, which triggers a
"break" to quit monitoring. And then this causes another chain of reactions
that eventually forces BrowserAutoPwn to quit completely (while the
JavaScript on the browser is still running)
2015-02-10 18:28:02 -06:00
jvazquez-r7
29c68ef1ec
End fixing namespaces
2015-02-10 11:55:14 -06:00
jvazquez-r7
6e635211b3
Modify include
2015-02-10 10:59:56 -06:00
jvazquez-r7
dba67bd1ee
Do more code reorganization
2015-02-10 10:58:57 -06:00
jvazquez-r7
aa9e686965
Reorganize Java related mixin code
2015-02-10 10:52:44 -06:00
jvazquez-r7
1f4fdb5d18
Update from master
2015-02-10 10:47:17 -06:00
root
e5fd9e70eb
clean plugin/nessus.rb implement additional APIs
2015-02-10 12:40:20 +05:00
Tod Beardsley
0a42ac947a
Land #4737 , fix Socket Context usages
2015-02-09 17:34:03 -06:00
Matt Buck
9a445e2027
Land #4707 , updates to finder syntax
...
Updates some Rails 3 style ActiveRecord calls to use the Rails 4 Arel
syntax, in preparation for our move to Rails 4.
Fixes #4707 , also see MSP-12018
2015-02-09 16:01:38 -06:00
Spencer McIntyre
2a3855c5af
Skip the psh prepend sleep time error when it is 0
2015-02-09 14:20:04 -05:00
Meatballs
133ae4cd04
Land #4679 , Windows Post Gather File from raw NTFS.
2015-02-08 18:50:50 +00:00
Bazin Danil
8cefe637df
bug with testing Win2k8 correction
2015-02-08 17:28:33 +01:00
HD Moore
8d982e3286
Pass the framework/module down into LoginScanner
2015-02-07 11:50:30 -06:00
HD Moore
985641dbc4
Add missing Context, fixes #4723
2015-02-07 11:27:57 -06:00
Meatballs
358ab2590e
Small tidyup
2015-02-07 11:35:47 +00:00
sinn3r
c20a81217c
More work for nessus-xmlrpc.rb
2015-02-07 00:09:02 -06:00
sinn3r
e8ba0b7c31
Fix broken commands
2015-02-06 19:07:43 -06:00
Matt Buck
531743eff1
Land #4697 , updates to finder syntax
...
Updates some Rails 3 style ActiveRecord calls to use the Rails 4 Arel
syntax, in preparation for our move to Rails 4.
Fixes #4697 , also see MSP-12016
2015-02-06 15:41:11 -06:00
Sonny Gonzalez
0fc4e09466
Rails 4 finder conversions
...
MSP-12017
* covert all(options), mapping options hashes to the
appropirate Rails 4 methods
2015-02-06 13:51:48 -06:00
Sonny Gonzalez
1051f0fb82
Rails 4 finder conversion
...
MSP-12012
* convert find(:first, options) by mapping options
to methods
2015-02-06 10:15:50 -06:00
Sonny Gonzalez
9a53859a77
Rails 4 finder conversion
...
MSP-12012
* covert find(:first) to first
2015-02-06 10:13:14 -06:00
Spencer McIntyre
4e0a62cb3a
Land #4664 , MS14-070 Server 2003 tcpip.sys priv esc
2015-02-05 18:49:15 -05:00
Bazin Danil
970c5d115a
spellcheck
2015-02-05 22:08:39 +01:00
Spencer McIntyre
5a39ba32f6
Make the ret instruction for token stealing optional
2015-02-05 14:00:38 -05:00