Given this is a new extension, building bins and including them in this
PR can't cause any issues regarding lost functionality (like it can
with existing bins).
Adding to this PR so that it's easier to test and land.
Adds a Reflective DLL submodule in external pointing at the Rapid7 fork
Updates kitrap0d to use above submodule
Adds a make.bat file to create kitrap0d
As mentioned here https://community.rapid7.com/thread/3788 the metsvc
script was still looking for the old file name for metsrv.dll, which
was causing the script to fail.
This commit fixes this issue. A hash is used to indicate local and remote
file names so that the remote can continue to use metsrv.dll, but it
is correctly located on disk locally.
I had inteded to add the `WfsDelay` as Meatballs suggested, but for locl
exploits this doesn't appear to work as expected. After speaking to HDM
we've decided to leave the sleep in there and figure out the `WsfDelay`
thing later.
This also includes a slight refactor which puts the payload and the
exploit in the same chunk of allocated memory. Minor optimisation, but
worth it.
* Make PROTOCOL an Enum
* Move path override options to advanced section
* More Enumerable rework
* Move one-off regexes back to inline, pull out protocol list
This commit contains a few changes for the ppr_flatten_rec local windows
exploit. First, the exploit binary itself:
* Updated to use the RDI submodule.
* Updated to build with VS2013.
* Updated to generate a binary called `ppr_flatten_rc.x86.dll`.
* Invocation of the exploit requires address of the payload to run.
Second, the module in MSF behaved a little strange. I expected it to create
a new session with system privs and leave the existing session alone. This
wasn't the case. It used to create an instance of notepad, migrate the
_existing_ session to it, and run the exploit from there. This behaviour
didn't seem to be consistent with other local exploits. The changes
include:
* Existing session is now left alone, only used as a proxy.
* New notepad instance has exploit reflectively loaded.
* New notepad instance has payload directly injected.
* Exploit invocation takes the payload address as a parameter.
* A wait is added as the exploit is slow to run (nature of the exploit).
* Payloads are executed on successful exploit.
This commit is the first in a series that will move all the exploits that use RDI
over to the R7 fork. The RDI source will be in a single known location and each
exploit will have to work from that location.
The kitrap0d exploit has been migrated over to use this submodule so that there's
one example of how it's done for future contributions to follow.
This change adds support for `getenv` to python meterpreter. Nothing too
complex going on here. I tidied up the definitions of the TLVs as well
so that they look nice.
jvazquez-r7
Sven Vetsch / Disenchant
Karn Ganeshen
sinn3r
OJ
Meatballs
Jeff Jarmoc
Thomas Hibbert
Joshua Harper
Jeff Jarmoc
Peter Toth
William Vu
joev
James Lee