Commit Graph

3002 Commits (0a61e108ea168a52fe9fb940b6679619ebc1ae1e)

Author SHA1 Message Date
Meatballs dc38212741
Fix function parsing 2014-05-05 20:53:36 +01:00
Meatballs 0b886db406
Script specs and remove unknown method 2014-05-05 19:01:36 +01:00
Meatballs 0177e51148
Finish obfu specs and use rig 2014-05-05 18:47:25 +01:00
Meatballs 6ab85027a4
More spec 2014-05-05 17:47:30 +01:00
Meatballs 162b6a8ab9
Add output spec 2014-05-05 14:48:18 +01:00
Meatballs 399928cf69
Remove unnecessary requires 2014-05-05 13:37:17 +01:00
Rob Fuller c3fb5bf614 fix a few clarical errors and typos 2014-04-29 22:42:26 -04:00
James Lee 4bd2dabfcd
Land #3121, new kiwi extension, with compiled bins
See also rapid7/meterpreter#79
2014-04-29 17:53:37 -05:00
Meatballs b860cecad6
Function spec (doesnt pass) 2014-04-28 14:09:39 +01:00
Meatballs 8031e50d35
Make Exploitation::Powershell testable
Example test
2014-04-26 13:27:25 +01:00
Meatballs 98d2b2293b
Unnecessary return 2014-04-26 13:05:47 +01:00
Meatballs be10c8e4ac
Split Rex::Exploitation::Powershell::* into individual files 2014-04-26 12:59:43 +01:00
Meatballs 206184007f
Move methods and rename file so it is run by rspec 2014-04-25 15:16:15 +01:00
Meatballs 32fa8748a8
Fix up decompress 2014-04-23 05:20:54 +01:00
Meatballs e774411b63
Revert Enum removal
.NET 4.5 has two constructors with 2 args so this becomes ambiguous
2014-04-23 02:06:14 +01:00
Meatballs d2e8e07cfe
Fix old powershell generation 2014-04-23 01:58:02 +01:00
Meatballs dd38a81dfc
Fix a @parma 2014-04-23 01:10:13 +01:00
Meatballs 647936e291
Add more yarddoc to Rex::Exploitation::Powershell
encode_code doesn't use eof
no need to unicode encode in gzip as this is handled by encode_code
2014-04-23 01:07:54 +01:00
Meatballs 86cfecdd95
Shave some chars off compression code 2014-04-22 14:52:30 +01:00
Meatballs 354311d191
No need to out-null if no windows is shown 2014-04-22 14:42:03 +01:00
Meatballs cec12edd99
Use enum integer values 2014-04-22 14:40:32 +01:00
Meatballs 71b43d392b
Dont need to specify ASCII mode 2014-04-22 14:36:02 +01:00
James Lee 49bd86f077
Clean up yardocs and a few style issues 2014-04-21 03:12:23 -05:00
Meatballs c936dc963c
Shorten compression 2014-04-19 18:55:45 +01:00
Meatballs 67f44072ca
Merge remote-tracking branch 'upstream/master' into pr2075 2014-04-19 18:45:55 +01:00
RageLtMan 9f05760c50 Merge with Meatballs' initial changes
Clean up arch detection code and dedup Msf/Rex
Reduce generated payload size
2014-04-18 00:28:48 -04:00
RageLtMan 5c3289bbc6 merge fix 2014-04-17 21:26:04 -04:00
Meatballs 38d8df4040
Merge remote-tracking branch 'upstream/master' into pr2075
Conflicts:
	modules/exploits/windows/local/wmi.rb
2014-04-15 22:06:45 +01:00
Meatballs 02b11afddc
Merge remote-tracking branch 'upstream/master' into netapi_change_passwd
Conflicts:
	lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_netapi32.rb
2014-04-15 21:23:45 +01:00
Meatballs fc018eb32e
Initial commit 2014-04-15 21:05:06 +01:00
joev e09f887c4c Revert "Fixes large-string expansion in JSObfu."
This reverts commit 14fed8c610.
2014-04-11 16:51:47 -05:00
joev 4cb04b6b9a Revert "Use implicit return for assignment."
This reverts commit 49139cc07f.
2014-04-11 16:51:40 -05:00
joev 21b2697b95 Revert "Use tiny var names by default."
This reverts commit 52432ef482.
2014-04-11 16:51:34 -05:00
joev d41b3467f8 Revert "Re-add the #random_string(len) method to pass specs."
This reverts commit bd8918e4e1.
2014-04-11 16:51:21 -05:00
sinn3r a6a6ad2217
Land #3227 - Remove bundled rkelly, to Gemfile 2014-04-10 12:31:59 -05:00
sinn3r 68a50e3663
Land #3224 - Fixes large-string expansion in JSObfu 2014-04-10 12:09:22 -05:00
Joe Vennix bd8918e4e1
Re-add the #random_string(len) method to pass specs. 2014-04-09 17:44:48 -05:00
Joe Vennix 57aa1eec11
Kick rkelly out to a gem, add rkelly-remixed.
rkelly-remixed is a faster fork of rkelly that is more frequently updated
nowadays. With the new gem, jsobfu obfuscates os.js about twice as fast on
my dev environment.
2014-04-09 17:21:22 -05:00
Joe Vennix 52432ef482 Use tiny var names by default. 2014-04-09 16:54:02 -05:00
Joe Vennix 49139cc07f Use implicit return for assignment. 2014-04-09 15:48:07 -05:00
Joe Vennix 14fed8c610 Fixes large-string expansion in JSObfu. 2014-04-09 15:45:48 -05:00
Meatballs ae3ead6ef9
Land #2107 Post Enum Domain Users 2014-04-09 11:32:12 +01:00
jvazquez-r7 80b069f161 Add support for spoofed zip Central Dir names at Entry level 2014-04-07 09:21:26 -05:00
jvazquez-r7 46e6f937f1 Revert "Add central directory zip spoofing"
This reverts commit d0700e8ac4.
2014-04-07 08:50:33 -05:00
jvazquez-r7 d0700e8ac4 Add central directory zip spoofing 2014-04-07 08:49:49 -05:00
jvazquez-r7 6d72860d58
Land #3004, @m-1-k-3's linksys moon exploit 2014-04-04 14:04:48 -05:00
William Vu 9779913060
Land #3184, Rex::Proto::Http::Client IOError fix 2014-04-03 15:58:50 -05:00
joev 42d59d269e Check #closed? instead of rescuing. 2014-04-03 14:20:48 -05:00
joev 98628b814e Prevent Rex::Proto::Http::Client from raising on close. 2014-04-03 11:36:18 -05:00
HD Moore 231138da1b Fix a typo in the nexpose raw importer 2014-04-03 07:12:45 -07:00
OJ 670a0c8e0f
Merge branch 'upstream/master' into ext_server_kiwi 2014-04-02 19:36:42 +10:00
OJ e61e532223 Add support for extraction of wifi profile creds 2014-04-02 17:16:40 +10:00
OJ 1d46e65897 Update to match meterpreter changes
This also includes the ability to specify id and groups for the
golden ticket feature.
2014-04-02 12:29:35 +10:00
HD Moore 7e227581a7 Rework OS fingerprinting to match Recog changes
This commit changes how os_name and os_flavor are handled
for client-side exploits, matching recent changes to the
server-side exploits and scanner fingerprints.

This commit also updates the client-side fingerprinting to
take into account Windows 8.1 and IE 9, 10, and 11.
2014-04-01 08:14:58 -07:00
Tod Beardsley 1b0fe74da5
Use Array#sample in email generators. 2014-04-01 14:11:23 -05:00
Tod Beardsley 8ab03f3aeb
Use Array#sample in randomize_space 2014-04-01 14:09:07 -05:00
Tod Beardsley ec7bb6de54
Land #2969, random name generator for phishing 2014-04-01 13:00:55 -05:00
William Vu 8bd5d10052
Use rand_hostname in rand_mail_address 2014-03-28 16:44:49 -05:00
jvazquez-r7 8f1e55de5a Use ObfuscateJS 2014-03-28 11:08:38 -05:00
jvazquez-r7 da6a428bbf Modify libs to support explib2 2014-03-28 10:44:52 -05:00
OJ 86ddd24d26 Update to use Rex::Text and change handling a bit
This change also outputs blank creds so that users know which
accounts have blank passwords
2014-03-28 16:12:51 +10:00
OJ 65e204e834 Modify the menu item descriptions 2014-03-28 11:03:38 +10:00
OJ 3a42cb8a46 Fix typo in kiwi help 2014-03-28 11:03:03 +10:00
Tod Beardsley 8e7f12e30e
Land #3085, service_control support
This depends on rapid7/meterpreter#77 to function
2014-03-19 08:43:17 -05:00
Tod Beardsley 04b5d71fa5
Land #3061, enhance clipboard dump
This depends on rapid7/meterpreter#75 to function
2014-03-19 08:42:36 -05:00
Tod Beardsley 35b94b04bf
Land #2889, WMI support
This depends on rapid7/meterpreter#69 to actually be useful.
2014-03-19 08:42:03 -05:00
OJ 11f9bfadb1 Final bits of documentation and code tweaking 2014-03-19 18:40:53 +10:00
OJ 84728c9fc9 Code tidying and defaulting to empty strings for table format 2014-03-19 16:19:23 +10:00
OJ 959cedb9b1 Bit more code tidying 2014-03-19 16:19:05 +10:00
OJ f80c7b7b51 Fix silly typo 2014-03-19 15:55:12 +10:00
OJ 0dcf992781 Add comments to the kiwi source 2014-03-19 15:45:53 +10:00
OJ 3635fff98e Add support for kerberos ticket enumeration
Fix up a bunch of other issues and do some code tidies too.
2014-03-19 14:25:11 +10:00
OJ 91e198fd63 Add SAM key dump in LSA dumping output 2014-03-18 09:45:31 +10:00
OJ dfb4b22015
Merge branch 'upstream/master' into ext_server_kiwi 2014-03-18 08:08:45 +10:00
William Vu 9eada528d7
Land #3097, Rex::Text.uri_encode RFC 3986 fix 2014-03-14 15:38:24 -05:00
OJ a9758413c0 Add lsa secret dumps plus other tweaks 2014-03-14 19:50:01 +10:00
Tod Beardsley 520d1e69c4
Rapid7 Comma Inc
After some more discussion with Rapid7's legal fellow.
2014-03-13 09:46:20 -05:00
Tod Beardsley 9d4ceaa3a0
Let's try to be consistent about Rapid7 Inc.
According to

http://www.sec.gov/Archives/edgar/data/1560327/000156032712000001/0001560327-12-000001.txt

Rapid7 is actually "Rapid7 Inc" not "Rapid7, LLC" any more.

This does not address the few copyright/license statements around
"Metasploit LLC," whatever that is.
2014-03-12 11:20:17 -05:00
sinn3r b431bf3da9
Land #3052 - Fix nil error in BES 2014-03-11 12:51:03 -05:00
OJ 1d70411ea7 Support service_control and new status field in query
This code adds support for the new service_control feature in meterpreter
and also supports the status field that comes from the service_query function.
2014-03-11 14:50:19 +10:00
sinn3r c76a1ab9f4
Land #3065 - Safari User-Assisted Download & Run Attack 2014-03-07 10:29:56 -06:00
Joe Vennix 9638bc7061 Allow a custom .app bundle.
* adds a method to Rex::Zip::Archive to allow recursive packing
2014-03-06 16:11:30 -06:00
William Vu 096d6ad951
Land #3055, heapLib2 integration 2014-03-05 15:48:13 -06:00
Joe Vennix 5790547d34 Start undoing some work. 2014-03-04 17:01:53 -06:00
Tod Beardsley 6e88bbd827
No need for that kind of language 2014-03-04 14:34:50 -06:00
OJ 0bdce4836f Modify clipboard dump to support new format from Meterpreter 2014-03-04 19:37:57 +10:00
Joe Vennix 3360f7004d Update form_post vars, add Expires to cookie. 2014-03-03 23:29:02 -06:00
Joe Vennix 6c3b667152 Kill extra comma. 2014-03-03 16:48:02 -06:00
Joe Vennix bfecf9525d Add Rex::RandomIdentifierGenerator. 2014-03-03 16:43:49 -06:00
Joe Vennix 517a85d141 Remove unneeded quotes. 2014-03-03 15:42:46 -06:00
Joe Vennix b3ab8f7ce1 Make random_var_name public, add specs for it. 2014-03-03 15:39:56 -06:00
Joe Vennix ae9ce962c0 Add future reserved words.
Gotta stay ahead of the game.
2014-03-03 14:59:46 -06:00
Joe Vennix dd86a9188c Prevent jsobfu from generating duplicate/reserved tokens.
I got an error from a script that tried to 'set void = 1'.
2014-03-03 14:56:50 -06:00
sinn3r ee1209b7fb This should work 2014-03-03 11:53:51 -06:00
OJ e0438f570b
Merge branch 'upstream/master' into ext_server_kiwi 2014-03-03 17:28:44 +10:00
Joe Vennix b458b8ad63 Add specs for new methods. 2014-03-02 20:23:20 -06:00
Joe Vennix 46f27289ed Reorganizes form_post into separate file. 2014-03-02 19:55:21 -06:00
Meatballs 8dee9b22c3
Reinstate to_byte_array 2014-03-02 22:07:47 +00:00
Meatballs 2acd0a1b1e
Reinstance encode_code 2014-03-02 21:03:31 +00:00
Meatballs 2885ebcb40
Merge remote-tracking branch 'upstream/master' into pr2075 2014-03-02 20:57:02 +00:00
Meatballs c9a2135959
Merge in semperv 2014-03-02 19:07:13 +00:00
sinn3r 8cf5c3b97e Add heaplib2
[SeeRM #8769] Add heapLib2 for browser exploitation
2014-03-02 11:47:18 -06:00
FireFart 8543da0fbd Corrected uri_encode 2014-03-01 11:30:50 +01:00
jvazquez-r7 6c490af75e Add randomization to Rex::Zip::Jar and java_signed_applet 2014-02-27 12:38:52 -06:00
Michael Messner dbbd080fc1 a first try of the cmd stager, wget in a seperated module included 2014-02-23 20:59:17 +01:00
jvazquez-r7 4ca4d82d89
Land #2939, @Meatballs1 exploit for Wikimedia RCE and a lot more... 2014-02-18 17:48:02 -06:00
Meatballs 6f988209ab
Merge remote-tracking branch 'upstream/master' into enum_domain_users_update 2014-02-18 20:02:39 +00:00
Tod Beardsley 8e0a4aaa58
Land #2983, webcam_chat for Meterpreter 2014-02-18 13:43:42 -06:00
sinn3r 0519abb558 Fix the wrong conversion 2014-02-17 23:17:19 -06:00
jvazquez-r7 f07efc91a8 Land #2915, @Meatballs1 improvements for LDAP post mixin 2014-02-17 19:14:59 -06:00
Meatballs f5c401bee7
Yarddocs 2014-02-14 22:59:36 +00:00
Meatballs b8b36ef528
Merge remote-tracking branch 'upstream/master' into pr2075 2014-02-14 22:52:55 +00:00
sinn3r d606be5efb That's funny I changed the wrong method 2014-02-13 16:41:18 -06:00
sinn3r 5d3eed8600 Add info about browser requirements in help 2014-02-13 16:37:05 -06:00
sinn3r 9c48335764 Change to google.com 2014-02-13 16:30:44 -06:00
sinn3r a44f235a8d Fix things based on Tod's feedback 2014-02-13 16:13:42 -06:00
RageLtMan 29bf296b61 import rex powershell 2014-02-12 16:45:57 -05:00
RageLtMan b453362a52 Merge remote-tracking branch 'upstream/pr/2966' into integrate_with_meatballs 2014-02-12 16:43:30 -05:00
jvazquez-r7 ff267a64b1 Have into account the Content-Transfer-Encoding header 2014-02-12 12:40:11 -06:00
sinn3r 45d4b1e1fd
Land #2958 - Add options: Applicaiton-Name, Permissions for jar.rb 2014-02-12 11:14:25 -06:00
sinn3r 750ce3c4db Make server configurable 2014-02-11 23:07:43 -06:00
OJ beca4b8bc3 Fix issue with getenv failing
The call to `getenv` failed when `%` or `$` were used because of the
differences between Meterpreter handling and MSF handling.

Meterpreter effectively ignores (ie. strips out) the platform-specific
characters which are used for environment variables. In the `getenv`
call, MSF was invoking `getenvs` and getting a full hash of values, then
attempting to index into the hash using a string which may be "polluted"
with those platform-specific characters. This meant that there was a
discrepency between what was returned and what was used to index and
as a result, the value would come out as `nil`.

For example, calling `getenv('%FOO%')` would result in a hash with
`{'FOO'=>'bar'}`, so looking for '%FOO%' in this result would yield
nothing.

This commit changes this so that the name is ignored and the first
value is returned.
2014-02-12 13:51:30 +10:00
jvazquez-r7 51df2d8b51 Use the fixed API on the mediawiki exploit 2014-02-11 08:28:58 -06:00
sinn3r 2bb15d3a87 answerer's interface gets a makeover 2014-02-11 02:15:22 -06:00
jvazquez-r7 79d559a0c9 Fix MIME message to_s 2014-02-10 22:23:23 -06:00
sinn3r fdd696fc31 Drop Opera support
It's sad nobody is actually using it. See article: "Across desktop and
mobile, Chrome is used more than Firefox, IE, and Opera combined" -
thenextweb.com
2014-02-10 18:03:42 -06:00
sinn3r 1414f6794c Change the name of the video chat command 2014-02-10 17:44:47 -06:00
sinn3r 44282d8a83 Add an exception handling 2014-02-10 17:06:56 -06:00
sinn3r 1114913298 Automatically turn on webcam in Firefox 2014-02-10 17:05:08 -06:00
sinn3r 48fdb08164 Add flag --use-fake-ui-for-media-stream
Thanks Joev!!
2014-02-10 14:47:25 -06:00
Matteo Cantoni 427fece52c Add random mail address function 2014-02-10 21:04:44 +01:00
jvazquez-r7 57320a59f1 Do small clean up for mediawiki_thumb pr 2014-02-10 08:57:09 -06:00
sinn3r 93ef3c784d Update some JavaScript and other things 2014-02-08 22:23:19 -06:00
sinn3r b279c45db5 Update open_webrtc_browser method 2014-02-08 20:47:02 -06:00
sinn3r 0d24f06109 Not adding remote support for Linux meterpreter, here's why 2014-02-08 20:30:53 -06:00
sinn3r be8538f3bd Tweak video attributes 2014-02-08 19:56:43 -06:00
sinn3r 8d55104712 Random channel 2014-02-08 19:36:33 -06:00
sinn3r e25767ceab More progress 2014-02-08 17:28:15 -06:00
sinn3r 3f9ad8a6d5 Fix bugs and stuff 2014-02-08 16:11:39 -06:00
Meatballs c37cb5075c
Merge remote-tracking branch 'upstream/master' into pr2075 2014-02-08 22:11:31 +00:00
Meatballs c76862b391
Reduce payload size 2014-02-08 22:11:17 +00:00
sinn3r 22cc665115 More error handling 2014-02-08 16:06:51 -06:00
sinn3r 07ad99ba3a Remove unnecessary methods 2014-02-08 15:51:33 -06:00
sinn3r a70c77c9eb Handle some more exceptions 2014-02-08 15:51:11 -06:00
sinn3r 325214e37f Fix bugs and stuff 2014-02-08 15:41:44 -06:00
Meatballs b10df54dbb
Dont need to encode the compress payload 2014-02-08 21:34:51 +00:00
Meatballs 09c48358f4
Retab rex powershell 2014-02-08 20:43:04 +00:00
sinn3r e8ec6d1062 Rename command name 2014-02-08 03:53:49 -06:00
sinn3r ee1900c273 progress 2014-02-08 03:29:15 -06:00
sinn3r b188943bd1 Progress 2014-02-08 02:57:49 -06:00
sinn3r 526bf9f6bc This should work 2014-02-07 22:17:42 -06:00
Meatballs 103780c3da
Merge remote-tracking branch 'upstream/master' into mediawiki 2014-02-07 20:07:04 +00:00
sinn3r 36f3a82b5c A wise man once said do not abuse the power of expand_path 2014-02-07 12:10:58 -06:00
sinn3r bab9a5522b You will go deaf with the default volume value. No thanks. 2014-02-07 11:35:57 -06:00
sinn3r 3c3bd11aca Oh look, more progress 2014-02-07 11:25:20 -06:00
grimmlin 2d93b38e2a Fixed java_signed_applet for Java 7u51 2014-02-07 16:29:50 +01:00
sinn3r 43be99f31b Save some progress 2014-02-07 03:06:52 -06:00
sinn3r f66fc15b9e Add support for webrtc in meterpreter 2014-02-06 10:44:24 -06:00
Meatballs 76515092ce
Small mime changes 2014-02-03 23:28:26 +00:00
Meatballs 595e5fd8b1
Correct mime logic 2014-02-03 21:59:17 +00:00
Meatballs 83925da2f1
Refactor form_data code 2014-02-03 21:16:58 +00:00
Meatballs 8b33ef1874
Not html its form-data... 2014-02-02 13:57:29 +00:00
Meatballs 9f35407a0c
Add MIME to_html method 2014-02-01 00:37:01 +00:00
OJ b60398b020 Merge branch 'upstream/master' into clipboard_monitor
Conflicts:
	lib/rex/post/meterpreter/extensions/extapi/tlv.rb
2014-01-29 23:07:05 +10:00
OJ ad1dce38d2 Final fixes before the monitor PR 2014-01-29 23:04:43 +10:00
OJ 2ef0e7e2a5 Small tidy of code 2014-01-29 17:07:06 +10:00
OJ e27707cac3 More tweaking of the clipboard monitor with dump/purge 2014-01-29 14:51:03 +10:00
OJ 10ac7a22af
Land #2897 Sane address resolution [FixRM #7259] 2014-01-28 23:09:44 +10:00
Meatballs 6d9e395d40
Use LPVOID to avoid ptr trunc 2014-01-24 23:27:56 +00:00
Tod Beardsley 1ff063d7de
Test the object not the class duhhh 2014-01-24 11:46:48 -06:00
Tod Beardsley 37b11ce2e1
Use Class#kind_of? instead of == 2014-01-24 11:31:04 -06:00
Meatballs 9fce617462
Fixup railgun utils
Implement DsGetDcNamea to return current domain using example
railgun utils techniques.
2014-01-24 16:22:05 +00:00
Tod Beardsley 4bac297f66
Land #1473, add LDAP hotness 2014-01-23 18:11:39 -06:00
Joe Vennix de06480f4f Add a defined? check to fix older versions of OpenSSL.
Older versions of OpenSSL did not export the OP_NO_COMPRESSION constant,
so users running metasploit on systems with old copies of openssl
would throw a NameError since the constant did not exist.
2014-01-23 14:51:47 -06:00
Meatballs 9acd0f4b56
Merge remote-tracking branch 'upstream/master' into enum_ad_perf 2014-01-22 21:46:50 +00:00
Tod Beardsley 636c43dcdc
Land #2736, basic ADSI support via meterp extapi 2014-01-22 15:24:01 -06:00
Tod Beardsley 90207628cc
Land #2666, SSLCompression option
[SeeRM #823], where Stephen was asking for SSL compression for
Meterpreter -- this isn't that, but it's at least now possible for other
Metasploit functionality.
2014-01-22 10:42:13 -06:00
OJ 83358fbbf0 More work on the clipboard monitor 2014-01-22 22:56:13 +10:00
OJ a7d4aa5d46 Merge branch 'upstream/master' into clipboard_monitor
Conflicts:
	lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi/clipboard.rb
2014-01-22 11:51:10 +10:00
James Lee e9ccec4755
Refactor load_session_info
All of this code is in sore need of some specs but I think this change
makes it a bit easier to understand what it is supposed to be doing.
2014-01-21 18:55:54 -06:00
Tod Beardsley 0b6e03df75
More comment docs on SSLCompression 2014-01-21 16:48:26 -06:00
Meatballs 720f892e2f
Merge remote-tracking branch 'upstream/master' into enum_ad_perf 2014-01-21 21:00:51 +00:00
William Vu dc4b4218b3 Make {COUNT,SIZE}_MAX more readable
Good suggestion, @jlee-r7.
2014-01-21 12:13:14 -06:00
William Vu 6a16cf96ba Fix bug in fsupload
Badchar analysis: file may contain form feeds.
2014-01-21 11:36:24 -06:00
OJ 524bbceb1a
Merge branch 'upstream/master' into ext_server_kiwi 2014-01-17 11:53:07 +10:00
OJ 9212013c3e Add error message support
This commit enables returning of error messages based on the HRESULT.
They still aren't nice, but they're better than nothing.
2014-01-17 11:42:07 +10:00
jvazquez-r7 ac9e634cbb
Land #2874, @mandreko's sercomm exploit fixes 2014-01-16 16:35:32 -06:00
sinn3r a1eba03d1f
Land #2725 - Rex::Proto::PJL plus modules 2014-01-16 15:57:38 -06:00
William Vu 9bf90b836b Add environment variables support 2014-01-16 14:53:25 -06:00
William Vu 0915212249 Fix socket timeout bug 2014-01-16 11:58:37 -06:00
jvazquez-r7 0b9ff43217 Make slice_up_payload easier 2014-01-16 11:03:22 -06:00
jvazquez-r7 f41849c921 Clean CmdStagerEcho 2014-01-16 11:00:57 -06:00
OJ 8e1d3c9c2a Final tweaks for WMI support 2014-01-16 22:02:28 +10:00
OJ 69abffaff6 First pass of WMI support
Close but more to do.
2014-01-16 13:47:46 +10:00
William Vu 311704fc0a Perform final cleanup 2014-01-15 13:49:37 -06:00
OJ 870349acd0
Merge branch 'upstream/master' into basic_adsi_support 2014-01-15 19:57:07 +10:00
Matt Andreko b7b1ddf1e8 Sercomm Exploit module fixes
Added targets for 8 specific targets that I've tested: Cisco WAP4410N,
Honeywell WAP-PL2 IP Camera, Netgear DG834, Netgear DG834G, Netgear
DG834PN, Netgear DGN1000, Netgear DSG835, Netgear WPNT834
Added functionality to the CmdStagerEcho mix-in to support encoding via
octal instead of hex based on the :enc_type option. This is because many
devices would not output hex encoded values properly.
Added options on a per-target basis for the PackFormat (endian pack()
values for communication), UploadPath (because /tmp wasn't always
writable), and PayloadEncode (previously mentioned octal encoding
option)
Note for some reason, some devices communicate over one endianness, but
then require a payload for the other endianess. I'm not sure what's
causing this, but if those specific combinations are not used, the
exploit fails. More research may be required for this.
2014-01-13 16:58:32 -05:00
sinn3r cacd7ff9d4
Land #2827 - Add firefox js xpcom payloads for universal ff shells 2014-01-10 14:29:32 -06:00
OJ 0f722cbe6d Add ext_server_kiwi, which is Mimikatz v2
This is a separate extension because the new version doesn't support
as many operating systems as the old version, but it does have more
new features which are really funky.
2014-01-10 16:51:01 +10:00
William Vu b43a221959
Land #2855, Rex::Socket refactor and specs 2014-01-09 16:20:50 -06:00
James Lee ba252ec0c3
Use 'unless' instead of 'if not' 2014-01-09 16:01:58 -06:00
James Lee 7cb6836209
Replace unused var with purpose-revealing comment 2014-01-09 15:07:04 -06:00
James Lee 27133257a4 Better docs, more accurate var names 2014-01-09 15:05:19 -06:00
James Lee 20a5bf45f5
Fix beug with #next raising after the end
... instead of the old behavior or just returning nil again
2014-01-09 15:03:11 -06:00
William Vu 1893cbca0e
Land #2843, RangeWalker resolution failure bug fix 2014-01-09 14:36:32 -06:00
James Lee 1519af33f5
Refactor `getaddress` in terms of `getaddresses` 2014-01-09 11:03:24 -06:00
jvazquez-r7 85203c2f2a
Land #2823, @mandreko's exploit module for OSVDB 101653 2014-01-09 10:27:44 -06:00
James Lee 01f350964f
Add specs for some stuff in Rex::Socket 2014-01-09 10:19:19 -06:00
William Vu 27f079ad7c Move {begin,end}_job from libs to modules 2014-01-09 01:03:01 -06:00
William Vu 025fc79683 Refactor commands for modularity 2014-01-09 01:03:01 -06:00
William Vu 3fca11e5ac Replace magic numbers with constants 2014-01-09 01:03:01 -06:00
William Vu 2f2823e323 Remove newline from end_job to conform to spec 2014-01-09 01:03:01 -06:00
William Vu d3bbe5b5d0 Add filesystem commands and new PoC modules
This commit also refactors some of the code.
2014-01-09 01:03:01 -06:00
William Vu af66310e3a Address @jlee-r7's comments 2014-01-09 01:03:01 -06:00
William Vu bab32d15f3 Address @wchen-r7's comments 2014-01-09 01:03:00 -06:00
William Vu 1c889beada Add Rex::Proto::PJL and PoC modules 2014-01-09 01:03:00 -06:00
Matt Andreko d2458bcd2a Code Review Feedback
Migrated the Sercomm module to use the CmdStager mixin to provide
uploading of the ELF binary.
Modified the CmdStagerEcho mixin to allow bypass of the "-en " since in
this case, the device messed up when it was used, and would actually
write the "-en " to the file, from some flaky busybox version of "echo".
2014-01-08 22:21:32 -05:00
James Lee 4bfe6b1b08
Remove pointless checks and add some docs 2014-01-08 14:37:40 -06:00
James Lee 4ba0020934
Simplify the logic deciding when we're finished 2014-01-08 14:22:44 -06:00
James Lee 22bdca92f4
Remove the ipv6 attr on Range
Makes more sense in the option hash.
2014-01-07 16:52:34 -06:00
James Lee 9c23910b69
Refactor Socket::Range
There was really no reason for it to inherit from Array. Also adds a few
more specs and gets coverage up to a more respectable percentage.
2014-01-07 16:31:55 -06:00
James Lee 2ed9772080
Fix unhandled exceptions when resolution fails 2014-01-07 12:00:04 -06:00
OJ e3b90f3c4e Fix issue with incorrect parameter parsing
Code was looking for -s instead of -a when dealing with domain
queries. This commit fixes that.
2014-01-05 20:06:47 +10:00
Tod Beardsley bd2033c587
Land #2814, streaming webcam STDAPI add 2014-01-03 12:09:25 -06:00
OJ ef281bf31d Adjust the getenv API
The getenv call in sys/config was renamed to getenvs and now uses
the splat operator so that arrays don't have to be passed in. A
new function called getenv was added which takes a single argument
and returns a single value back (for ease of use).
2014-01-03 08:05:45 +10:00
Joe Vennix 694cb11025 Add firefox platform, architecture, and payload.
* Enables chrome privilege exploits in firefox to run a javascript cmd
shell session without touching the disk.
* Adds a spec for the addon_generator.
2014-01-02 10:48:28 -06:00
sinn3r e6823c39c2 Incorrect variable used 2014-01-02 00:50:32 -06:00
sinn3r 92a0ff1096 Add webcam livestream feature for meterpreter
[SeeRM #8729] - This meterpreter command allows the attacker to observe the target at real-time
by turning their webcam live. There is also a HTML-based player provided, which does not require
a plugin or anything, just open it with a browser. The HTML-based player also allows the attacker
to put livestream on the web (evil? yeah, kind of.)
2013-12-30 18:38:13 -06:00
Tod Beardsley feaf6c23cf
Merge and Unconflict client.rb, new module splat
The only conflict was the regex option for no encoding, which was added
after @Meatballs1's original PR for rapid7/metasploit-framework#1421

Also fixes the module with the new license splat.

Conflicts:
	lib/rex/proto/smb/client.rb
2013-12-30 16:53:13 -06:00
jvazquez-r7 8986659861
Land #2804, @rcvalle's support for disasm on msfelfscan 2013-12-30 12:24:22 -06:00
Ramon de C Valle c1f377fda6 Add disasm option to msfelfscan 2013-12-26 16:26:45 -02:00
Meatballs 3ef1c0ecd6 Merge remote-tracking branch 'upstream/master' into enum_ad_perf 2013-12-19 14:25:07 +00:00
Meatballs 244cf3b3f6 Merge remote-tracking branch 'upstream/pr/2736' into enum_ad_perf 2013-12-19 13:59:57 +00:00
Meatballs b252e7873b
Merge remote-tracking branch 'upstream/master' into pr2075 2013-12-16 14:29:05 +00:00
Meatballs ca1c887e68 Add missing ] 2013-12-15 01:12:50 +00:00
Meatballs a930056d7f Added service status checks to Post::Windows::Services
Added QueryServiceStatus to Railgun Advapi32 Definitions
Added Checks to module

Conflicts:
	lib/msf/core/post/windows/services.rb
	lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_advapi32.rb
2013-12-15 01:12:45 +00:00
Spencer McIntyre a08c420862 Add railgun definitions for local exploit relevant functions. 2013-12-12 10:26:08 -05:00
OJ 64b1e78e34 Fix page size and max results 2013-12-11 00:03:05 +10:00
OJ 8a1517fde8 Fix issues with missing params on computer enum
No more late night and rushed commits, its still and wastes people's time.

Thanks sinn3r for getting on this. Apologies for the poor quality of the PR.
2013-12-10 21:06:28 +10:00
OJ 2237419134
Merge branch 'upstream/master' into basic_adsi_support 2013-12-10 20:58:38 +10:00
Meatballs 45a0ac9e68
Land #2602, Windows Extended API
Retrieve clipboard data
Retrieve window handles
Retrieve service information
2013-12-08 19:01:35 +00:00
Meatballs e5a92a18a5
and expand path 2013-12-08 19:01:03 +00:00
Meatballs 3c67f1c6a9
Fix file download 2013-12-08 18:57:10 +00:00
OJ a3c050c8b6 Added page size setting 2013-12-08 23:29:42 +10:00
OJ 8172596c0b Fix rendering of result total 2013-12-08 20:58:03 +10:00
OJ f13736d208 Add support for general domain queries
Specific queries are just wrappers over the top of the domain query
2013-12-08 20:41:30 +10:00
OJ 35b051174c Add basic ADSI enum of users and computers 2013-12-07 00:22:54 +10:00
OJ e90b7641ca Allow self-destruct via "kill -s"
HTTP(s) payloads don't exit cleanly at the moment. This is an issue that's
being addressed through other work. However, there's a need to be able to
terminate the current HTTP(s) session forcably.

This commit add a -s option to kill, which (when specified) will kill
the current session.
2013-12-06 14:56:19 +10:00
OJ 4ca48308c1 Fix downloading of files 2013-12-06 13:40:20 +10:00
OJ 1d757c40db Remove empty parens 2013-12-04 07:10:23 +10:00
OJ 8b77da4ef7 Fix non-rubyisms 2013-12-04 07:06:32 +10:00
OJ 18e1d9ce17 Revert "Start clipboard monitor functionality"
This reverts commit ecbdfd3502.

I don't know how this got in there, as it's in another branch waiting for more work.
My bad.
2013-12-04 07:03:12 +10:00
sinn3r 4d3d02ae01
Land #2667 - Add num and dword output format 2013-12-02 13:52:17 -06:00
jvazquez-r7 0343aef7c8
Land #2695, @wchen-r7's support to detect silverlight 2013-11-27 09:40:12 -06:00
sinn3r 5d10b44430 Add support for Silverlight
Add support for Silverlight exploitation. [SeeRM #8705]
2013-11-26 14:47:27 -06:00
OJ 1a65566005 Add the getenv command which pulls env vars from the victim
This command will allow the attacker to grab environment variables from the
target, if they exist. Calling this function allows for one or more values
to be passed in, which should match the name of the variable required. If
the variable is found, it is returned. If it is not found, the variable
is not returned (ie. it's not present in the resulting hash).

Note 1: POSIX environment vars are case-senstive, whereas Windows is not.
Note 2: POSIX doesn't seem to cough up user environment vars, it only returns
system vars. I'm not sure why this is, but it could be because of the way
we do linking on POSIX.
2013-11-26 10:05:50 +10:00
OJ 86b6d647bf Merge branch 'upstream/master' into ext_server_extapi 2013-11-25 07:43:36 +10:00
Meatballs 20b76602a1
Merge remote-tracking branch 'upstream/master' into pr2075
Conflicts:
	lib/msf/core/exploit/powershell.rb
2013-11-22 22:41:08 +00:00
OJ 4d1c3c1f01 Start clipboard monitor functionality
Added the basics of the clipboard monitor functionality with usage
messages and stuff like that. Lots more to do.
2013-11-22 13:31:40 +10:00
corelanc0d3r 742c52711a added 2 new output types for msfencode: num and dword 2013-11-20 22:36:17 +01:00
Joe Vennix e10f9cc518 More whitespace fixes. 2013-11-20 15:07:51 -06:00
Joe Vennix 739c7b4ca2 More dead code and tweaks. 2013-11-20 14:44:53 -06:00
Joe Vennix 3ff9da5643 Remove compression options from client sockets.
I couldn't verify that it was working, as it always sends 1 compression type of NULL.
2013-11-20 14:41:45 -06:00
OJ ecbdfd3502 Start clipboard monitor functionality
Added the basics of the clipboard monitor functionality with usage
messages and stuff like that. Lots more to do.
2013-11-21 06:29:37 +10:00
Joe Vennix b70b594a2a Kill extraneous comma. 2013-11-20 13:47:47 -06:00
Joe Vennix a7b01e3b72 Put initialize params back on one line, and move attr_accessors.
As per @hdm's feedback
2013-11-20 12:29:09 -06:00
Joe Vennix e74e75fe6f Revert changes to legacy rescues. 2013-11-20 12:20:34 -06:00
Joe Vennix 9f103f8621 Whitespace tweak. 2013-11-20 01:15:15 -06:00
Joe Vennix f8b57d45cd Reenable the client SSLCompression advanced option.
Add spec for some of the additions to Rex::Proto::Http::Client
2013-11-20 01:03:13 -06:00
Joe Vennix d51b92b06f Turns out & ~ does work.
Decided not to expose this as a datastore option for the Client,
but it can be used internally to toggle the compression.
2013-11-20 00:01:48 -06:00
Joe Vennix a8c55f23a7 Remove &~ bit-clearing method in favor of defaults.
For some reason the OP_ALL & ~OP_NO_COMPRESSION method doesnt work,
but it is late and the default is false anyways.
2013-11-19 23:42:58 -06:00
Joe Vennix 109fc5a834 Add SSLCompression datastore option.
Also disables the compression by default. TLS-level compression is almost
never used by browsers, and openssl seems to be the only one that enables
it by default.

This also kills some ruby < 1.9.3 code.
2013-11-19 22:34:39 -06:00
jvazquez-r7 647c867c2d
Land #1681, @sempervictus Rex::Text::Ui::Table [] method 2013-11-19 16:30:09 -06:00
jvazquez-r7 e1eddc84aa Check for inexistent column names 2013-11-19 16:02:52 -06:00
jvazquez-r7 162d433014 Use snake_case for variables 2013-11-19 15:46:11 -06:00
jvazquez-r7 6a13a0eee6 fix indentation 2013-11-19 15:42:12 -06:00
jvazquez-r7 7435d74c59
Land #2093, @sempervictus MaxChar for Rex::Ui::Text::Table cols 2013-11-19 13:34:45 -06:00
jvazquez-r7 4cf16cf360
Land #2633, @OJ's port of Kitrap0d as local exploit 2013-11-14 09:27:10 -06:00
sinn3r 2fc43182be
Land #2622 - Fix up proxy/socks4a.rb 2013-11-12 18:22:32 -06:00
jvazquez-r7 ef6d9db48f
Land #2613, @wchen-r7's BrowserExploitServer mixin 2013-11-12 17:33:12 -06:00
William Vu 8d4d7dae50 Restore comment header and remove carriage returns 2013-11-11 12:16:14 -06:00
sinn3r d483f2ad79
Land #2618 - rm shebangs 2013-11-11 11:55:23 -06:00
Jonathan 36064ca886 remove EOL carriage return from socks4a.rb 2013-11-11 12:47:41 -05:00
OJ 6a25ba18be Move kitrap0d exploit from getsystem to local exploit
This version modifies the existing meterpreter session and bumps the privs
up to SYSTEM. However it's not how local exploits are supposed to work.
More work will be done to make this create a new session with the elevated
privs instead.
2013-11-11 17:14:40 +10:00
Jonathan 26482f9ebd reset head~2 and removed shebang from unattend.rb 2013-11-09 15:05:56 -05:00
Tod Beardsley cc9ac7695d
Land #2592, add getproxy
Needed for new functionality in #2612
2013-11-08 13:20:20 -06:00
Jonathan 575072585f removed shebangs from files within rex 2013-11-07 18:51:59 -05:00
scriptjunkie 7615264b17 Merge branch 'lanattacks_fix' of git://github.com/OJ/metasploit-framework into OJ-lanattacks_fix 2013-11-07 10:35:00 -06:00
sinn3r 991240a87e Support java version detection 2013-11-07 00:54:52 -06:00
OJ 1dacf7e57e Last lot of shebangs removed 2013-11-07 07:35:51 +10:00
OJ 6422e1d6e8 Remove shebang, code tidy, as per @jlee-r7's gripes 2013-11-07 07:32:04 +10:00
OJ 7dcb071f11 Remote shebang and fix pxexeploit 2013-11-06 07:10:25 +10:00
sinn3r 5f2d8358c0 Be more browser specific with Javascript generation 2013-11-05 01:04:52 -06:00
OJ d1e008387a Stop auto preview, code clean
Removed the auto preview of captured images from the clipboard.

Removed parens from calls to print_line.
2013-11-05 07:15:31 +10:00
OJ f62247e731 Fix comments, indenting and pxexploit module
Updated the comments and indentation so they're not blatantly wrong.

Adjusted the pxexploit module so that it doesn't break any more as
a result of the refactoring.
2013-11-05 06:35:50 +10:00
OJ ff78082004 Refactor lanattacks ruby code, add command dispatcher
The lanattacks module didn't seem to have a command dispatcher, and
hence loading the module would always result in a failure. This
commit fixes this problem.

The commit contains a bit of a refactor of the lanattacks code to be
a little more modular. It also has a shiny new dispatcher which breaks
the DHCP and TFTP functionality up into separate areas.
2013-11-04 17:37:42 +10:00
joev bccbed2757 Rename :use_xhr_shim to :inject_xhr_shim. 2013-11-02 16:52:04 -05:00
joev 90d8da6a21 Fix some bugs in my edits, add a spec. 2013-11-02 16:46:33 -05:00
joev c7c1fcfa98 Pull shared XHR shim out, add option to static Js module method.
* Moves shim to data/js/network/xhr_shim.js
* Add some yardoc comments
2013-11-02 14:52:50 -05:00
OJ d658fa46b4 Updated help, removed binaries 2013-11-02 23:10:16 +10:00