Commit Graph

9821 Commits (0353602829182c61160625bc71622ad857a03361)

Author SHA1 Message Date
sinn3r e9b6a023de Fix a typo 2015-02-23 21:45:02 -06:00
jvazquez-r7 d0d124eb19 Mimic original handling 2015-02-23 20:42:49 -06:00
jvazquez-r7 32046f9c47 smb_cmd_trans_query_path_info_standard 2015-02-23 19:57:16 -06:00
William Vu 8c5ff858d0
Land #4812, hp_sys_mgmt_login configurable URIs 2015-02-23 19:04:14 -06:00
jvazquez-r7 ea483f14a1 Try to fix logic for query information levels 2015-02-23 17:17:33 -06:00
jvazquez-r7 3fca26a5de Add support for SMB_COM_TRANSACTION2 data blocks and params 2015-02-23 16:37:39 -06:00
jvazquez-r7 623d319ca7 Fix offsets 2015-02-23 14:43:06 -06:00
jvazquez-r7 2653ff9d58 Try to simplify request query and find request handling 2015-02-23 14:06:23 -06:00
HD Moore 97ccf7e23f Fixes SSL support for http_login (variable shadowing) 2015-02-23 14:00:29 -06:00
jvazquez-r7 36711e801c Fix comment 2015-02-23 13:09:23 -06:00
jvazquez-r7 99483f88f1 Fix, hopefully, dispatching 2015-02-23 13:08:45 -06:00
jvazquez-r7 87176b9b37 Redo TRANS2_QUERY_PATH_INFORMATION dispatching 2015-02-23 12:52:50 -06:00
jvazquez-r7 a06d07d6da Clean smb_cmd_trans2_query_file_information dispatching 2015-02-23 12:03:08 -06:00
sinn3r c39d6e152e
Land #4819, Normalize HTTP LoginScanner modules 2015-02-23 11:43:42 -06:00
jvazquez-r7 abe5ea42cb Clean smb_cmd_trans 2015-02-23 11:34:19 -06:00
jvazquez-r7 3d7381b62a Handle TRANS2 commands 2015-02-23 11:33:49 -06:00
jvazquez-r7 fe00cadd18 Delete require 2015-02-23 11:15:55 -06:00
jvazquez-r7 1dba961698 delete SubCommand namespace 2015-02-23 11:15:14 -06:00
jvazquez-r7 7d9f661d78 Fix includes 2015-02-23 11:14:45 -06:00
jvazquez-r7 439507d359 Move trans2 files 2015-02-23 11:13:08 -06:00
sinn3r 885469ca52
Land #4823, Meet the modern ruby style guide 2015-02-23 01:03:08 -06:00
HD Moore e5e3474af4 Handle ICMP "protocol not available" errors as connection errors 2015-02-22 16:36:53 -06:00
Joshua Smith 251c284458 modernizes some of the rpc code 2015-02-22 15:37:55 -06:00
HD Moore 29ac27f357
Lands #4813, replaces print_* with exceptions 2015-02-22 14:14:16 -06:00
HD Moore c60e2584bf Comment typo 2015-02-22 02:51:18 -06:00
HD Moore 888c718f40 Fix two typos 2015-02-22 02:45:50 -06:00
HD Moore 8e8a366889 Pass Http::Client parameters into LoginScanner::Http (see #4803) 2015-02-22 02:26:15 -06:00
Christian Mehlmauer c820431879
Land #4770, Wordpress Ultimate CSV Importer user extract module 2015-02-22 08:52:45 +01:00
William Vu 2b9ab901cb
Land #4811, creds -d documentation 2015-02-21 20:59:52 -06:00
William Vu 9f826f4caa
Land #4809, s/WtfError/ElfParseyError/ 2015-02-21 20:52:58 -06:00
William Vu b39e2bea8e
Land #4806, EXE::Custom case-sensitivity fix 2015-02-21 20:49:53 -06:00
William Vu f900d9cf26 Handle whitespace as per blank?
!~ /\S/ as per the original implementation of blank? also works.
2015-02-21 20:36:16 -06:00
rastating 708340ec5a Tidy up various bits of code 2015-02-21 12:53:33 +00:00
jvazquez-r7 80aef690a0 Do first commands refactoring 2015-02-21 01:48:47 -06:00
jvazquez-r7 52b41ab4f8 Do first Share refactoring 2015-02-21 01:00:46 -06:00
sinn3r bf2be7964b Fix #4592, print_* methods used in LoginScanner modules
Fix #4592
2015-02-20 22:46:21 -06:00
sinn3r 40c237f507 Fix #3982, allow URIs to be user configurable
Fix #3982
2015-02-20 21:54:03 -06:00
sinn3r b8cb93d712 Fix #3790, document the creds -d feature
Fix #3790
2015-02-20 21:38:26 -06:00
sinn3r b5f8ae85cf Fix #3827, Add support to rename a job
Fix #3827
2015-02-20 21:13:45 -06:00
sinn3r 85871ab822 Fix #4382, Make errors more meaningful
Fix #4382
2015-02-20 20:09:58 -06:00
rastating 7e1e0f8196 Add plugin upload functionality 2015-02-21 01:20:20 +00:00
jvazquez-r7 df903120e3 Reorganize trans2_find_first2 requests 2015-02-20 18:28:49 -06:00
jvazquez-r7 52a0e6dd1c Mark a couple of handlers for later review 2015-02-20 16:28:04 -06:00
Meatballs dc4898765f
Fix EXE::Custom 2015-02-20 16:59:18 +00:00
jvazquez-r7 a91d19e0e7 Add template for SMB_QUERY_FILE_STANDARD_INFO 2015-02-20 10:58:15 -06:00
jvazquez-r7 21978a1bfe Add template for SMB_QUERY_FILE_BASIC_INFO 2015-02-20 10:40:45 -06:00
jvazquez-r7 cf63e09188 Add templates for SMB_FIND_FILE_FULL_DIRECTORY_INFO_HDR and SMB_FIND_FILE_NAMES_INFO_HDR 2015-02-20 09:17:51 -06:00
jvazquez-r7 f2405a5dc0 Create SMB_FIND_FILE_BOTH_DIRECTORY_INFO_HDR_LENGTH constant 2015-02-20 00:35:26 -06:00
jvazquez-r7 571dffa317 Create template for SMB_FIND_FILE_BOTH_DIRECTORY_INFO 2015-02-20 00:22:33 -06:00
jvazquez-r7 94ad64546c Create TRANS2_PARAMETERS template 2015-02-19 23:16:52 -06:00
jvazquez-r7 b24b94ddd3 Do first cleanup of find_first2 handlers 2015-02-19 19:08:56 -06:00
jvazquez-r7 74c43f5527 Delete more unused local variables 2015-02-19 14:39:55 -06:00
jvazquez-r7 1d5a977280 Delete a lot of verbose prints 2015-02-19 14:37:16 -06:00
jvazquez-r7 0940ceae75 Delete unused local variables 2015-02-19 14:26:46 -06:00
jvazquez-r7 c38c3519d8 Delete more unused code 2015-02-19 14:24:18 -06:00
jvazquez-r7 7487f9611b Do some extra prints 2015-02-19 14:11:27 -06:00
jvazquez-r7 d9b9de8e89 Delete unused code 2015-02-19 13:16:24 -06:00
jvazquez-r7 5510000bf1 Use constant for FLAGS2 2015-02-19 13:02:50 -06:00
jvazquez-r7 392137292e Old delete register prototype comment 2015-02-19 13:00:12 -06:00
jvazquez-r7 39ceb5b90f Update smb_error on Exploit::Remote::SMB::Server 2015-02-19 12:10:28 -06:00
Brent Cook 4781ac4b39 the http service needs to keep running to handle meterpreter loading
revert a8f44ca68f
2015-02-19 09:38:48 -06:00
jvazquez-r7 b85324435e Don't waste instance variables 2015-02-18 16:42:52 -06:00
jvazquez-r7 91d9d93fec Handle instance variables correctly 2015-02-18 16:35:20 -06:00
jvazquez-r7 438b38dfe4 Use Rex::Text 2015-02-18 16:20:47 -06:00
jvazquez-r7 a815858644 Fix setup 2015-02-18 16:19:05 -06:00
David Maloney ffa6550aec
Land #4787, HD's new Zabbix and Chef LoginScanners
Lands the new LoginScanners HD wrote for Zabbix
and the Chef WebUI
2015-02-18 14:51:16 -06:00
David Maloney 804db0ff0c
add leixcal sorting to methods
lexical sort the new methods except for
msf module entrypoint methods which should always be at
the top
2015-02-18 14:50:33 -06:00
jvazquez-r7 06dfa6b5be Fix initialize 2015-02-18 13:56:06 -06:00
jvazquez-r7 62c08094fd Delete the old FileServer mixin 2015-02-18 13:54:24 -06:00
jvazquez-r7 9068397fff Delete code commented by myself 2015-02-18 13:47:05 -06:00
jvazquez-r7 a446df95b2 Make Msf::Exploit::Remote::SMB::Server::Share a mixin 2015-02-18 13:45:48 -06:00
jvazquez-r7 874031b96d Delete require 2015-02-18 13:44:31 -06:00
jvazquez-r7 415c671416 Move Rex code, we'll redesign as mixin 2015-02-18 13:44:02 -06:00
jvazquez-r7 ff4aa1f9da Require FileServer mixin 2015-02-18 11:43:13 -06:00
jvazquez-r7 f960a77754 Solve merging conflicts 2015-02-18 11:36:47 -06:00
jvazquez-r7 01bedb7351 Merge #3074, @0x41414141 SMBFileServer mixin 2015-02-18 10:53:05 -06:00
Matt Buck a9931cd410
Land #4725, convert Rails 3 AR calls in RPC_Db
Converts Rails 3 style ActiveRecord calls in RPC_Db to their Rails 4
counterparts.

Fixes #4725, also see MSP-12017
2015-02-18 09:59:40 -06:00
William Vu 6a9d15a8d5
Land #4785, Rex::Proto::Http::Client context fixes 2015-02-18 03:47:26 -06:00
William Vu bda96f46e6
Land #4780, stop HTTP service with HTTP handler 2015-02-18 03:34:03 -06:00
HD Moore 2847507f03 Add a chef brute force module 2015-02-17 23:49:57 -06:00
HD Moore 27d5ab45b4 Add a zabbix brute force module 2015-02-17 22:56:08 -06:00
HD Moore 85fd139ab0 Add missing context and a normalize_uri helper method 2015-02-17 22:55:53 -06:00
sinn3r 8ce1db5081 Fix #4783, raise exception if the payload arch is incompatible
Fix #4783
2015-02-17 21:47:17 -06:00
HD Moore 16932372db Calls to Rex::Proto::Http::Client.new were passing in empty context 2015-02-17 20:44:37 -06:00
rastating e0d87a8886 Update to use store_loot for CSV export 2015-02-17 19:21:31 +00:00
Brent Cook bed40a83ee fix #4337: gracefully handle resolve_sid failure when enumerating user profiles
Rather than throwing a backtrace with an unresolvable SID, try to get as
much profile data as possible if resolve_sid fails.

```
[*] Determining session platform and type...
[-] Unexpected windows error 1332
[*] Checking for Firefox directory in:
C:\Users\Administrator\AppData\Roaming\Mozilla\
[-] Firefox not found
[*] Post module execution completed
```
2015-02-17 13:03:12 -06:00
Brent Cook a8f44ca68f stop the http service when the reverse http handler stops 2015-02-17 12:38:20 -06:00
Matthew Hall 547d4d1950 Merge with master 2015-02-17 17:23:19 +00:00
Matthew Hall 9e2a483977 Add example usage to Msf::Exploit::Remote::SMBFileServer documentation 2015-02-17 17:23:18 +00:00
Matthew Hall cec817902f Add yardoc documentation for Msf::Exploit::Remote::SMBFileServer 2015-02-17 17:23:18 +00:00
Matthew Hall 5cf8833697 Tidy lib/msf/core/exploit/smb.rb following feedback from jlee-r7.
* Doc comments wrap at 78 chars to follow yardoc convention
 * Remove unused :server and SERVER vals
 * Use Utils class directly
 * Stop server within an ensure
 * Change SRVHOST to an OptAddress
2015-02-17 17:23:18 +00:00
Matthew Hall 8beed5652d Implement SMBFileServer mixin.
In order to accomplish remote file injection (e.g. DLL) this module
emulates an SMB service process to allow clients to load a file from a
network share.

This commit implements the SMBFileServer exploit module utilising the
::Rex::Proto::SMB::Server module to export the "start_smb_server"
function.

Utilising the module (example):
 include Msf::Exploit::Remote::SMBFileServer
 exe = generate_payload_dll
 @exe_file = rand_text_alpha(7) + ".dll"
 @share = rand_text_alpha(5)
 my_host = (datastore['SRVHOST'] == '0.0.0.0') ?
 Rex::Socket.source_address : datastore['SRVHOST']
 @unc = "\\#{my_host}\#{@share}\#{@exe_file}"
 start_smb_server(@unc, exe, @exe_file)
 // Inject DLL
 handle

A separate commit will provide a sample implementation of utilising this
module within a generic webserver DLL injection exploit:
./exploits/windows/http/generic_http_dllinject.rb
2015-02-17 17:23:18 +00:00
Matthew Hall 934af4cee9 Merge branch 'master' into module-smbfileserver 2015-02-17 17:01:44 +00:00
Matthew Hall 49971a6bc3 Add two more contants and handlers seen during testing. 2015-02-17 16:48:11 +00:00
sinn3r 6eaa3c264c
Land #4763, LSBackgroundOnly for safari_user_assisted_download_launch 2015-02-17 10:41:59 -06:00
Brent Cook e08206d192
Land #4768, jvazquez-r7 reorganizes the SMB mixins 2015-02-17 10:36:19 -06:00
sinn3r 0597d2defb
Land #4560, Massive Java RMI update 2015-02-17 10:07:07 -06:00
Brent Cook b4cf2f5d8c use correct response filter TLV_TYPE_VALUE_NAME 2015-02-17 08:46:25 -06:00
Matthew Hall 1f6aebe3df Move to using constant values.
This commit adds several constants for TRANS2, QUERY_PATH_INFO, MAX_DATA_COUNT,
and NT2 FLAG2 Bits to smb/constants.rb, which have then been utilised in smb/server.rb
to reduce the use of magic values.
2015-02-17 14:31:31 +00:00
Brent Cook 8f74f8eeed pass down the new permissions parameters 2015-02-17 06:11:20 -06:00
Brent Cook 503f58375b add direct registry access methods
Rather than operating on a passed-in HKEY, these open and close the registry
key directly for each operation.

This pattern better reflects the actual API usage within msf, and removes extra
round-trips to open and close the registry key, reducing traffic and increasing
performance. I did not add direct versions of every registry operation.
There was no benefit for more rarely-used operations, other than requiring more
churn in the meterpreters.

The primary beneficiary of this is post exploitation modules that do registry
or service enumeration. See #3693 for test cases.
2015-02-17 06:11:20 -06:00
Matthew Hall 3110c7b40f Adds smb_cmd_trans_find_first2_full to respond to "Find File Full Directory Info" FIND_FIRST2 requests,
as seen when using "type \\ip\share\file".
2015-02-17 11:37:44 +00:00
rastating a22f5c1287 Add extra readme check for case sensitive servers 2015-02-14 23:43:04 +00:00
jvazquez-r7 2c842ee6d7 Fix namespaces on Server 2015-02-13 17:34:55 -06:00
jvazquez-r7 9b7bbc220b Fix namespaces on Client 2015-02-13 17:33:41 -06:00
jvazquez-r7 46c6ac9ca1 Redefine namespaces and requires 2015-02-13 17:09:06 -06:00
jvazquez-r7 df1daff673 Move clients 2015-02-13 17:07:03 -06:00
jvazquez-r7 067aadf3a4 Fix namespaces 2015-02-13 17:05:46 -06:00
jvazquez-r7 f1ab7ed343 Mode smb.rb 2015-02-13 17:04:55 -06:00
jvazquez-r7 7367402bf1 Add requires 2015-02-13 17:03:48 -06:00
jvazquez-r7 ccabf30531 Move smb_server.rb 2015-02-13 16:58:19 -06:00
Samuel Huckins ce688f4247
Land #4765, Rails4 compatible finder conversion
* find_or_initialize_by_DYNAMIC
2015-02-13 15:56:09 -06:00
Samuel Huckins 7b7a6340c0
Land #4766, fixes vuln import finder query 2015-02-13 14:29:04 -06:00
Christian Catalan dc6a365a13
Fix finder query in Msf::DBManager::Vuln
MSP-12152

* This is part of updating finder queries to be Rails 4 compatibile
* In #find_vuln_by_details, pass in conditons hash crit rather than symbol :crit
2015-02-13 13:21:25 -06:00
sinn3r 6b99103cec
Land #4690 - Update Nessus plugin to support the latest REST API
Resolves #4447
2015-02-13 12:46:01 -06:00
Sonny Gonzalez dc1eab377c
Rails 4 finder conversion: convert find_or_initialize_by_x_and_y
MSP-12153

* convert to where(conditions).first_or_initialize
2015-02-13 12:39:44 -06:00
sinn3r f5e0dddd3c Correct authentication
Can't always be true
2015-02-13 11:48:10 -06:00
joev 49c9c02b53 Hide the dropped osx app. 2015-02-12 23:08:46 -06:00
jvazquez-r7 3ae3d56caa
Land #4745, fixes #4711, BrowserAutoPwn failing due to getpeername 2015-02-12 16:51:09 -06:00
William Vu 39c0065560
Land #4758, SMTPDeliver DATA header fix 2015-02-12 15:07:31 -06:00
Matt Buck f0bf881cc3
Land #4720, update Rails 3-style .find(:first)
Eliminate the Rails 3-style .find(:first) calls, and replace with
Rails 4-compatible .first().

Fixes #4720, also see MSP-12012
2015-02-12 14:30:13 -06:00
David Maloney 72878e0c14
fixes bug with smtp header order
SMTP servers that support pipelining will not accept any
commands other than MAILFROM and RCPTTO before the DATA
command. We were sending Date and Subject before Data
which would cause some mailservers to suddenly drop
the connection refusing to send the mail.

MSP-12133
2015-02-12 14:13:39 -06:00
sinn3r 50c72125a4 ::Errno::EINVAL, disable obfuscation, revoke ms14-064 2015-02-12 11:54:01 -06:00
root 199dca75a6 Implement db_import and finalize plugin 2015-02-12 13:32:49 +05:00
Sonny Gonzalez 7c57b9fb57
Fix Master - Pro build
MSP-12138

* revert to previous Rails 3 syntax.
2015-02-11 12:02:34 -06:00
root 64b69d597a Add report_download and db_scan APIs 2015-02-11 14:11:10 +05:00
sinn3r 22811257db Fix #4711 - Errno::EINVA (getpeername(2)) BrowserAutoPwn Fix
This patch fixes #4711.

The problem here is that the browser sometimes will shutdown some of our
exploit's connections (in my testing, all Java), and that will cause Ruby
to call a rb_sys_fail with "getpeername(2)". The error goes all the
way to Rex::IO::StreamServer's monitor_listener method, which triggers a
"break" to quit monitoring. And then this causes another chain of reactions
that eventually forces BrowserAutoPwn to quit completely (while the
JavaScript on the browser is still running)
2015-02-10 18:28:02 -06:00
jvazquez-r7 29c68ef1ec
End fixing namespaces 2015-02-10 11:55:14 -06:00
jvazquez-r7 6e635211b3
Modify include 2015-02-10 10:59:56 -06:00
jvazquez-r7 dba67bd1ee Do more code reorganization 2015-02-10 10:58:57 -06:00
jvazquez-r7 aa9e686965 Reorganize Java related mixin code 2015-02-10 10:52:44 -06:00
jvazquez-r7 1f4fdb5d18
Update from master 2015-02-10 10:47:17 -06:00
root e5fd9e70eb clean plugin/nessus.rb implement additional APIs 2015-02-10 12:40:20 +05:00
Tod Beardsley 0a42ac947a
Land #4737, fix Socket Context usages 2015-02-09 17:34:03 -06:00
Matt Buck 9a445e2027
Land #4707, updates to finder syntax
Updates some Rails 3 style ActiveRecord calls to use the Rails 4 Arel
syntax, in preparation for our move to Rails 4.

Fixes #4707, also see MSP-12018
2015-02-09 16:01:38 -06:00
Spencer McIntyre 2a3855c5af Skip the psh prepend sleep time error when it is 0 2015-02-09 14:20:04 -05:00
Meatballs 133ae4cd04
Land #4679, Windows Post Gather File from raw NTFS. 2015-02-08 18:50:50 +00:00
Bazin Danil 8cefe637df bug with testing Win2k8 correction 2015-02-08 17:28:33 +01:00
HD Moore 8d982e3286 Pass the framework/module down into LoginScanner 2015-02-07 11:50:30 -06:00
HD Moore 985641dbc4 Add missing Context, fixes #4723 2015-02-07 11:27:57 -06:00
Meatballs 358ab2590e
Small tidyup 2015-02-07 11:35:47 +00:00
sinn3r c20a81217c More work for nessus-xmlrpc.rb 2015-02-07 00:09:02 -06:00
sinn3r e8ba0b7c31 Fix broken commands 2015-02-06 19:07:43 -06:00
Matt Buck 531743eff1
Land #4697, updates to finder syntax
Updates some Rails 3 style ActiveRecord calls to use the Rails 4 Arel
syntax, in preparation for our move to Rails 4.

Fixes #4697, also see MSP-12016
2015-02-06 15:41:11 -06:00
Sonny Gonzalez 0fc4e09466
Rails 4 finder conversions
MSP-12017

* covert all(options), mapping options hashes to the
  appropirate Rails 4 methods
2015-02-06 13:51:48 -06:00
Sonny Gonzalez 1051f0fb82
Rails 4 finder conversion
MSP-12012

* convert find(:first, options) by mapping options
  to methods
2015-02-06 10:15:50 -06:00
Sonny Gonzalez 9a53859a77
Rails 4 finder conversion
MSP-12012

* covert find(:first) to first
2015-02-06 10:13:14 -06:00
Spencer McIntyre 4e0a62cb3a
Land #4664, MS14-070 Server 2003 tcpip.sys priv esc 2015-02-05 18:49:15 -05:00
Bazin Danil 970c5d115a spellcheck 2015-02-05 22:08:39 +01:00
Spencer McIntyre 5a39ba32f6 Make the ret instruction for token stealing optional 2015-02-05 14:00:38 -05:00