Commit Graph

695 Commits (11515fc75c1bb9ef86baf85296f47ab3dd0e5b82)

Author SHA1 Message Date
Spencer McIntyre 2d69174c5b Initial commit of the python meterpreter. 2013-08-05 23:38:49 -04:00
Tod Beardsley bddcb33507 Update description for reverse_https_proxy 2013-08-05 09:35:14 -05:00
sinn3r 10e9b97a88 Land #2180 - Accepting args for x64 osx exec payload 2013-08-02 00:45:09 -05:00
Joe Vennix 592176137a Rewrite osx x64 cmd payload to accept args.
[SeeRM #8260]
2013-07-31 08:50:28 -05:00
Tod Beardsley 7e539332db Reverting disaster merge to 593363c5f with diff
There was a disaster of a merge at 6f37cf22eb that is particularly
difficult to untangle (it was a bad merge from a long-running local
branch).

What this commit does is simulate a hard reset, by doing thing:

 git checkout -b reset-hard-ohmu
 git reset --hard 593363c5f9
 git checkout upstream-master
 git checkout -b revert-via-diff
 git diff --no-prefix upstream-master..reset-hard-ohmy > patch
 patch -p0 < patch

Since there was one binary change, also did this:

 git checkout upstream-master data/exploits/CVE-2012-1535/Main.swf

Now we have one commit that puts everything back. It screws up
file-level history a little, but it's at least at a point where we can
move on with our lives. Sorry.
2013-07-29 21:47:52 -05:00
jvazquez-r7 4a0b33241f Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-07-25 18:41:50 -05:00
sinn3r 7b7603a5e7 Land #2104 - reverse_https_proxy 2013-07-25 17:26:56 -05:00
sinn3r 8dae114c7c msftidy happiness 2013-07-25 17:25:36 -05:00
jvazquez-r7 1a5e0e10a5 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-07-18 13:53:57 -05:00
sinn3r b64d0429ac Format fix
Just to make this more pleasing to the eyes
2013-07-18 13:36:31 -05:00
Joe Vennix cd2e352971 Kill extra whitespace. 2013-07-18 11:30:54 -05:00
Joe Vennix 766a8d5817 Shellwords! Now you can use exec to get you a perl shell 2013-07-17 21:16:04 -05:00
Joe Vennix 9c1228067c Change to += syntax. 2013-07-17 21:11:24 -05:00
Joe Vennix ab088712ba Removes unnecessary copy-to-stack. Fixes arg-order issue.
* Now I simply point to the string in instruction-memory, which saves a few bytes.
2013-07-17 20:27:20 -05:00
Joe Vennix 5ab81e7e37 Convert to readable asm. Adds support for arguments.
* shellcode appears to do an unnecessary copy-to-stack, so will look into
  improving that.
2013-07-17 19:20:47 -05:00
Alexandre Maloteaux e28dd42992 add http authentification and socks 2013-07-15 15:36:58 +01:00
Alexandre Maloteaux f48c70d468 enable tor and small fix 2013-07-13 17:59:49 +01:00
corelanc0d3r e8983a21c5 New meterpreter payload reverse_https_proxy 2013-07-12 16:45:16 -04:00
jvazquez-r7 785639148c Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-06-20 17:18:42 -05:00
William Vu 589b4be384 Land #1999, zsh bind shell 2013-06-20 13:51:48 -05:00
sinn3r 86fc101c1f Add payload module bind zsh
For #1984
2013-06-20 13:45:02 -05:00
sinn3r 660c97f512 Add module for reverse zsh payload
For #1985
2013-06-20 13:40:17 -05:00
jvazquez-r7 b20a38add4 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-06-10 12:22:52 -05:00
Tod Beardsley f58e279066 Cleanup on module names, descriptions. 2013-06-10 10:52:22 -05:00
jvazquez-r7 e5a17ba227 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-06-05 09:41:23 -05:00
William Vu 1596fb478a Land #1886, awk bind shell 2013-06-05 09:05:37 -05:00
William Vu 8ffa4ac9ac Land #1885, awk reverse shell 2013-06-05 09:04:49 -05:00
Roberto Soares Espreto f6977c41c3 Modifications done in each PR. 2013-06-05 07:55:05 -03:00
Roberto Soares Espreto b20401ca8c Modifications done in each PR. 2013-06-05 07:51:10 -03:00
Roberto Soares Espreto 34243165c5 Some changes with improvements. 2013-06-04 21:22:10 -03:00
Roberto Soares Espreto e2988727fb Some changes with improvements. 2013-06-04 21:10:51 -03:00
Roberto Soares Espreto d9609fb03e Was breaking with repeated commands 2013-05-31 18:44:48 -03:00
jvazquez-r7 48b14c09e3 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-05-31 01:12:46 -05:00
Tod Beardsley 9c771435f2 Touchup on author credit 2013-05-30 16:13:40 -05:00
Tod Beardsley 67128a3841 Land #1821, x64_reverse_https stagers 2013-05-30 13:55:13 -05:00
jvazquez-r7 3361a660ba Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-05-29 22:01:36 -05:00
Roberto Soares Espreto 00debd01c6 Listen for a connection and spawn a command shell via AWK 2013-05-29 21:22:49 -03:00
Roberto Soares Espreto d4a864c29f Creates an interactive shell via AWK (reverse) 2013-05-29 21:19:08 -03:00
jvazquez-r7 07c99f821e Land #1879, @dcbz ARM stagers 2013-05-29 17:43:37 -05:00
jvazquez-r7 7c41e239b4 Fix author name 2013-05-29 14:19:10 -05:00
jvazquez-r7 52aae8e04c Add small fixes for stagers 2013-05-29 14:01:59 -05:00
dcbz 2c0f0f5f04 Changed reverse payload as suggested. 2013-05-28 21:52:16 -05:00
dcbz 07c3565e3c Made changes as suggested, forgot to remove exit() after testing was complete. 2013-05-28 21:31:36 -05:00
jvazquez-r7 66ea59b03f Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-05-28 15:22:46 -05:00
James Lee 9843dc4cb4 Land #1708, android meterpreter
Conflicts:
	data/meterpreter/ext_server_stdapi.jar
2013-05-28 12:19:45 -05:00
dcbz a53ab4cff9 Moved dupandexecve.rb to shell.rb due to pull request coments. 2013-05-20 17:05:57 -05:00
dcbz 9c0814505a Added reverse stager. 2013-05-17 21:52:10 -05:00
dcbz 14d5111b37 Added a sample stage + updated bind stager. 2013-05-17 21:03:03 -05:00
dcbz ad95eff9d4 added bind_tcp.rb 2013-05-17 12:09:45 -05:00
agix 6db1fea6b9 create x64_reverse_https stagers 2013-05-13 01:41:56 +02:00
Michael Schierl a13cf53b9f Android Meterpreter bugfixes
- classes.dex gets mangled on windows; use binary mode when reading it
- UnknownHostExceptions on API Level 3 emulator because of trailing
  whitespace after the hostname/IP
- Work around integer overflow at year 2038 when signing the payload
2013-05-01 18:01:37 +02:00
jvazquez-r7 a4632b773a Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-04-28 12:59:16 -05:00
sinn3r 1d9a695d2b Landing #1772 - Adds phpMyadmin Preg_Replace module (CVE-2013-3238)
[Closes #1772]
2013-04-28 12:17:16 -05:00
James Lee 9c8b93f1b7 Make sure LPORT is a string when subbing
* Gets rid of conversion errors like this:
    [-] Exploit failed: can't convert Fixnum into String
* also removes comments from php meterp. Works for me with the
  phpmyadmin_preg_replace bug, so seems legit.
2013-04-26 15:26:31 -05:00
James Lee 6767eee08a Add in-line signing
Signing the generated APK in the module means users don't have to have
keytool or jarsigner to create a working package.

Example usage:
  ./msfvenom -p android/meterpreter/reverse_tcp \
    LHOST=192.168.99.1 LPORT=2222 -f raw > meterp.apk
  adb install ./meterp.apk
2013-04-25 13:57:54 -05:00
jvazquez-r7 cc35591723 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-04-15 17:43:15 -05:00
Tod Beardsley be39079830 Trailing whitespace fix
Note that this commit needed a --no-verify because of the erroneous
check in msftidy for writing to stdout. The particular syntax of this
payload makes it look like we're doing that when we're really not.

So don't sweat it.
2013-04-15 13:58:06 -05:00
Tod Beardsley efdf4e3983 Lands #1485, fixes for Windows-based Ruby targets 2013-04-15 13:56:41 -05:00
timwr df9c5f4a80 remove unused resources and fix whitespace 2013-04-13 16:22:52 +01:00
timwr 32bd812bdb android meterpreter 2013-04-12 18:57:04 +01:00
jvazquez-r7 9c0862ad7b Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-04-11 21:53:07 +02:00
James Lee e3eef76372 Land #1223
This adds rc4-encrypting stagers for Windows.

[Closes #1223]
2013-04-10 12:14:52 -05:00
James Lee 6c980981db Break up long lines and add magic encoding comment 2013-04-10 09:28:45 -05:00
Tod Beardsley e149c8670b Unconflicting ruby_string method
Looks like the conflict was created by the msftidy fixes that happened
over on the master branch. No big deal after all.
2013-03-20 15:49:23 -05:00
jvazquez-r7 6603dcd652 up to date 2013-03-12 17:04:13 +01:00
jvazquez-r7 627e7f6277 avoiding grouping options 2013-03-11 18:26:03 +01:00
jvazquez-r7 f0cee29100 modified CommandDispatcher::Exploit to have the change into account 2013-03-11 18:08:46 +01:00
jvazquez-r7 c9268c3d54 original modules renamed 2013-03-11 18:04:22 +01:00
James Lee 2160718250 Fix file header comment
[See #1555]
2013-03-07 17:53:19 -06:00
RageLtMan 7f80692457 everyone will comply, resistance is futile 2013-03-06 18:38:14 -05:00
Raphael Mudge 1cc49f75f5 move flag comment to where it's used. 2013-03-03 03:26:43 -05:00
Raphael Mudge ecdb884b13 Make download_exec work with authenticated proxies
Adds INTERNET_FLAG_KEEP_CONNECTION to HttpOpenRequest flags to allow
download_exec to transparently authenticate to a proxy device through
wininet.

Fun trivia, Windows 7 systems uses Connection: keep-alive by default.
This flag benefits older targets (e.g., Windows XP).
2013-03-03 01:42:17 -05:00
Michael Schierl 4a17a30ffd Regenerate ruby modules
For shellcode changes (removed unneeded instruction) committed in
46a5c4f4bf. Saves 2 bytes per shellcode.
2013-03-03 00:14:30 +01:00
RageLtMan 3778ae09e9 This commit adds DNS resolution to rev_tcp_rc4
Due to the modular structure of payload stages its pretty trivial
to add DNS resolution instead of hard-coded IP address in stage0.

The only real complication here is that ReverseConnectRetries ends
up being one byte further down than in the original shellcode. It
appears that the original rev_tcp_dns payload suffers from the same
issue.

Hostname substitution is handled in the same method as the RC4 and
XOR keys, with an offset provided and replace_vars ignoring the
hostname.

Tested in x86 native and WOW64 on XP and 2k8r2 respectively.

This is a good option for those of us needing to leave persistent
binaries/payloads on hosts for long periods. Even if the hostname
resolves to a malicious party attempting to steal our hard earned
session, they'd be hard pressed to crypt the payload with the
appropriate RC4 pass. So long as we control the NS and records, the
hardenned shellcode should provide a better night's sleep if running
shells over the WAN. Changing the RC4 password string in the
shellcode and build.py should reduce the chances of recovery by RE.

Next step will likely be to start generating elipses for ECDH SSL
in meterpreter sessions and passing them with stage2 through the
RC4 socket. If P is 768-1024 the process is relatively quick, but
we may want to precompute a few defaults as well to have 2048+.
2013-02-28 02:59:20 -05:00
Raphael Mudge 788c96566f Allow HTTP stager to work with authenticated proxies
The HttpOpenRequest function from WinINet requires the
INTERNET_FLAG_KEEP_CONNECTION flag to communicate through an
authenticated proxy.

From MSDN ( http://tinyurl.com/chwt86j ):

"Uses keep-alive semantics, if available, for the connection. This
 flag is required for Microsoft Network (MSN), NT LAN Manager (NTLM),
 and other types of authentication."

Without this flag, the HTTP stager will fail when faced with a proxy
that requires authentication. The Windows HTTPS stager does not have
this problem.

For HTTP Meterpreter to communicate through an authenticated proxy a
separate patch will need to be made to the Meterpreter source code.
This is at line 1125 of source/common/core.c in the Meterpreter source
code.

My motivation for this request is for windows/dllinject/reverse_http
to download a DLL even when faced with an authenticated proxy. These
changes accomplish this.

Test environment:

I staged a SmoothWall device with the Advanced Proxy Web Add-on. I
enabled Integrated Windows Authentication with a W2K3 DC. I verified
the HTTP stager authenticated to and communicated through the proxy
by watching the proxy access.log
2013-02-24 17:33:00 -05:00
James Lee c423ad2583 Merge branch 'master' of github.com:rapid7/metasploit-framework into rapid7 2013-02-21 15:30:43 -06:00
jvazquez-r7 04ec4e432d minor cleanup for shell_bind_tcp 2013-02-20 01:02:58 +01:00
jvazquez-r7 3d199fe6db Merge branch 'mipsle-shell_bind_tcp' of https://github.com/kost/metasploit-framework into kost-mipsle-shell_bind_tcp 2013-02-20 01:00:34 +01:00
sinn3r e9f4900beb Merge branch 'fixgenericcustom' of github.com:rsmudge/metasploit-framework into rsmudge-fixgenericcustom 2013-02-19 14:47:18 -06:00
Raphael Mudge 06ba2ef791 Allow generic/custom payload to generate an exe
The datastore value of ARCH has no effect on the array of
architectures the generic/custom payload is compatible with.
This commit forces the payload to update its list of compatible
architectures on generation if the ARCH value is set in the
datastore.

See:

http://dev.metasploit.com/redmine/issues/7755
2013-02-17 20:39:54 -05:00
HD Moore cae6661574 Handle invalid commands gracefully (dont exit) 2013-02-12 11:33:23 -08:00
HD Moore 4c2bddc452 Fix a typo and always treat ports as integers: 2013-02-12 08:59:11 -08:00
HD Moore a33d1ef877 This allows the ruby payloads to work properly on Windows 2013-02-12 08:55:37 -08:00
HD Moore 47f3c09616 Fix typo that snuck in during merge 2013-02-03 17:38:19 -06:00
HD Moore 5be4d41420 This is redundant/less-reliable than reverse_openssl 2013-02-03 17:35:14 -06:00
RageLtMan ffb88baf4a initial module import from SV rev_ssl branch 2013-02-03 15:06:24 -05:00
HD Moore c3801ad083 This adds an openssl CMD payload and handler 2013-02-03 04:44:25 -06:00
James Lee 92c736a6a9 Move fork stuff out of exploit into payload mixin
Tested xml against 3.2.10 and json against 3.0.19
2013-01-28 21:34:39 -06:00
Kacper Nowak f691652594 attempt to fix cmd/windows/reverse_perl payload 2013-01-23 11:21:44 +00:00
scriptjunkie 52251867d8 Ensure Windows single payloads use payload backend
This means the singles that define their own assembly will use the payload backend to generate it.
2013-01-18 16:34:39 -06:00
James Lee c89b2b2ec6 Once more, with feeling 2013-01-10 15:29:54 -06:00
James Lee 7fd3440c1a Fix hd's attempt to rename ruby payloads 2013-01-10 15:25:50 -06:00
James Lee 4fcb8b6f8d Revert "Rename again to be consistent with payload naming"
This reverts commit 0fa2fcd811.
2013-01-10 15:24:25 -06:00
HD Moore 0fa2fcd811 Rename again to be consistent with payload naming 2013-01-10 14:16:37 -06:00
HD Moore 88b08087bf Renamed and made more robust 2013-01-10 14:05:29 -06:00
HD Moore e05f4ba927 Thread wrappers were causing instant session closure 2013-01-10 00:41:58 -06:00
HD Moore 4c1e501ed0 Exploit for CVE-2013-0156 and new ruby-platform modules 2013-01-09 23:10:13 -06:00
Christian Mehlmauer 8f2dd8e2ce msftidy: Remove $Revision$ 2013-01-04 00:48:10 +01:00
Christian Mehlmauer 25aaf7a676 msftidy: Remove $Id$ 2013-01-04 00:41:44 +01:00
Michael Schierl 269e507f68 Add stager modules for RC4 bind and reverse stagers
See the commit message of my last commit for caveats.
2012-12-31 22:33:30 +01:00
sinn3r 0822e8eae2 Merge branch 'kost-mipsle-shell_reverse_tcp' 2012-12-24 10:52:19 -06:00
jvazquez-r7 26f561795d fix cmd windows ruby payloads 2012-12-20 00:50:02 +01:00
sinn3r 7145078e63 Merge branch 'mipsle-shell_reverse_tcp' of git://github.com/kost/metasploit-framework into kost-mipsle-shell_reverse_tcp 2012-12-18 11:50:41 -06:00
Raphael Mudge 482846942a Fix: download_exec appends an extra / to request
The download_exec module parses the provided URL and appends an
unnecessary, nay--damaging I say!!!! '/' to the parsed URI. This
renders the module unusable for those who want a payload to
download and execute a file.

Before and after access.log snippets are in the redmine ticket

http://dev.metasploit.com/redmine/issues/7592
2012-12-12 14:01:31 -06:00
Vlatko Kosturjak 4ac79c91a6 Remove spaces at EOL 2012-11-17 12:00:59 +01:00
sinn3r 8648d21b3c Merge branch 'dns_txt_query_exe' of git://github.com/corelanc0d3r/metasploit-framework into corelanc0d3r-dns_txt_query_exe 2012-11-16 11:52:57 -06:00
corelanc0d3r 0bf92b5d97 improved payload dns_txt_query_exec 2012-11-13 00:55:32 +01:00
corelanc0d3r cad7eb0130 renamed and optimized download_exec payload 2012-11-13 00:02:49 +01:00
Vlatko Kosturjak bda7f68b02 Add zero byte on the end of the /bin/sh string 2012-11-08 02:00:49 +01:00
Vlatko Kosturjak ce82b37289 Few removals of unneccessary zero bytes in sc 2012-10-28 21:22:33 +01:00
Vlatko Kosturjak 2affb31958 Initial import of linux-mipsle shell_bind_tcp 2012-10-28 20:51:45 +01:00
Daniel Miller 8deead3bd2 Fix payload ambiguity with php/bind_tcp_ipv6 stager
Was seeing this in framework.log:

[w(0)] core: The module php/meterpreter/bind_tcp is ambiguous with
php/meterpreter/bind_tcp.

Added handler_type_alias based on windows/bind_ipv6_tcp stager.
2012-10-23 12:31:14 -05:00
sinn3r 201518b66f msftidy corrections 2012-10-17 17:22:26 -05:00
jvazquez-r7 6f227dddff Related to #885 , allow Prepend* for osx/x86/exec payload 2012-10-16 16:26:18 +02:00
HD Moore 64f29952dc Merge branch 'master' into feature/updated-mobile 2012-10-07 00:32:02 -05:00
sinn3r 02617a6f3a Merge branch 'feature/redmine-7224-shellcode-cleanup' of https://github.com/jlee-r7/metasploit-framework into jlee-r7-feature/redmine-7224-shellcode-cleanup 2012-10-04 00:43:34 -05:00
Tod Beardsley a38724f53b Adds an apparently spurious require
SeeRM #7276

Sticking this in a branch for now while I ask Egypt and limhoff for a
second opinion.
2012-10-01 07:49:58 -05:00
Tod Beardsley 60b4190e4a Avoids a race on requires
Applies Raphael's patch.

[FixRM #7261]
2012-09-27 13:18:50 -05:00
sinn3r c0387f1441 Have a matching option like the post module
And make sure nemo won't get harassed by people because they
think he hacked into everyone's mac.
2012-09-24 18:33:13 -05:00
sinn3r 2769a88f9e Code cleanup 2012-09-24 17:47:14 -05:00
dcbz 202a78dd3f Added say.rb: uses /usr/bin/say to output a string 2012-09-22 09:13:29 -05:00
dcbz 09b8a6d87f Added reverse_tcp stager payload, and updated bind 2012-09-22 08:31:42 -05:00
dcbz 81ceff7370 Added a tcp stager, and a small exec for testing 2012-09-22 07:24:51 -05:00
dcbz dccb8d235d Adding OSX 64-bit find-tag module. 2012-09-21 15:39:35 -05:00
sinn3r 776d24d8a9 cleanup 2012-09-20 16:16:30 -05:00
sinn3r 311c01be46 Cleanup, improve option handlingg 2012-09-20 16:14:15 -05:00
dcbz f5df7e0e8a Added 2 payload modules (reverse and bind tcp shells) 2012-09-19 16:59:26 -05:00
Ramon de C Valle 11f82de098 Update author information 2012-09-19 14:00:51 -03:00
James Lee 3c6319b75f Add nonx stagers for linux
[See #784]
2012-09-13 15:15:38 -05:00
James Lee f38ac954b8 Update linux stagers for NX compatibility
- Adds a call to mprotect(2) to the reverse and bind stagers

- Adds accurate source for some other linux shellcode, including some
  comments to make it more maintainable

- Adds tools/module_payload.rb for listing all payloads for each exploit
  in a greppable format. Makes it easy to find out if a payload change
  causes a payload to no longer be compatible with a given exploit.

- Missing from this commit is source for reverse_ipv6_tcp
2012-09-12 18:44:00 -05:00
HD Moore c901002e75 Add ssh login module for cydia / ios defaults 2012-09-10 19:36:20 -05:00
James Lee 828f37701d Fix linux shell_bind_tcp payload
It was calling bind(2) with a family of 0x02ff, which makes no sense and
causes execution to fall off the end and segfault.  Fix it by replacing
0x02ff with the appropriate 0x0002, or AF_INET.

[Fixrm #7216]
2012-09-04 04:23:48 -05:00
Tod Beardsley a93c7836bd Fixes load order with reverse http
This was originally intended to fix #664.

SEERM #7141 also.
2012-08-23 12:16:47 -05:00
James Lee aac56fc29b Fix load order issue
[See #664][SeeRM #7141]
2012-08-23 10:54:23 -05:00
sinn3r b3791b1545 I missed one 2012-08-14 16:51:55 -05:00
sinn3r 6a0271fb11 Correct OSX naming. See ticket #7182 2012-08-14 15:29:21 -05:00
sinn3r b46fb260a6 Comply with msftidy
*Knock, knock!*  Who's there? Me, the msftidy nazi!
2012-08-07 15:59:01 -05:00
bcoles 8d3700cc3c Add Zenoss <= 3.2.1 exploit and Python payload
- modules/exploits/linux/http/zenoss_3.2.1_showdaemonxmlconfig_exec.rb
 - modules/payloads/singles/cmd/unix/reverse_python.rb
2012-07-30 01:24:27 +09:30
HD Moore 6cdd044e10 Remove a buggy payload that doesn't have NX support 2012-07-12 12:15:57 -05:00
jvazquez-r7 59bb9ac23b quoting ip to avoid php complaining 2012-06-25 18:52:26 +02:00
Michael Schierl 34ecc7fd18 Adding @schierlm 's AES encryption for Java
Tested with and without AES, works as advertised. Set an AESPassword,
get encryptification. Score.

Squashed commit of the following:

commit cca6c5c36ca51d585b8d2fd0840ba34776bc0668
Author: Michael Schierl <schierlm@gmx.de>
Date:   Wed Apr 4 00:45:24 2012 +0200

    Do not break other architectures
    even when using `setg AESPassword`

commit 422d1e341b3865b02591d4c135427903c8da8ac5
Author: Michael Schierl <schierlm@gmx.de>
Date:   Tue Apr 3 21:50:42 2012 +0200

    binaries

commit 27368b5675222cc1730ac22e4b7a387b88d0d2b3
Author: Michael Schierl <schierlm@gmx.de>
Date:   Tue Apr 3 21:49:10 2012 +0200

    Add AES support to Java stager

    This is compatible to the AES mode of the JavaPayload project.

    I'm pretty sure the way I did it in the handlers (Rex::Socket::tcp_socket_pair())
    is not the supposed way, but it works :-)
2012-06-11 16:13:25 -05:00
HD Moore 881ec8d920 Make the description clear that it only reads 4k, default datastore['FD'] to 1 2012-06-10 13:20:02 -05:00
sinn3r 15fa178a66 Add the MSF license text (since MSF_LICENSE is already set) 2012-06-10 02:07:27 -05:00
linuxgeek247 2b67c5132c Adding read_file linux shellcode 2012-06-09 20:36:47 -04:00
sinn3r 462a91b005 Massive whitespace destruction
Remove tabs at the end of the line
2012-06-06 00:44:38 -05:00
sinn3r 3f0431cf51 Massive whitespace destruction
Remove whitespace found at the end of the line
2012-06-06 00:36:17 -05:00
sinn3r c30af98b53 Massive whitespace destruction
Remove all the lines that have nothing but whitespace
2012-06-06 00:22:36 -05:00
sinn3r 2565888ec5 Change how we handle the password complexity failure 2012-06-03 13:13:44 -05:00
Chris John Riley a51df5fc3a Altered description to include information on the password complexity check
Altered the default password to meet the complexity checks

Note: The complexity checks (even if they fail) don't prevent the payload from running. At this point it only raises an warning and continues on. I can change this if it's more desirable however!
2012-06-03 09:22:48 +02:00
Chris John Riley ea66deb779 Added WMIC and complexity checks 2012-06-02 19:41:12 +02:00
Chris John Riley bada88cdf0 Added WMIC and complexity checks 2012-06-02 19:38:37 +02:00
Tod Beardsley 86500aad47 Author is always singular. 2012-05-08 08:47:52 -05:00
HD Moore 1a30e221a0 See #362 by changing the exitfunc arguments to be the correct type 2012-05-07 02:42:29 -05:00
James Lee dd7bc23d16 Whitespace 2012-05-02 18:06:39 -06:00
Tod Beardsley bd4819e8f2 Merge pull request #238 from mak/linux-x64-find-port
linux/x64/shell_find_port payload
2012-03-29 05:54:54 -07:00
Tod Beardsley 8fbf4cf6d9 Grammar on dns_txt_query_exec payload name and desc 2012-03-26 16:23:54 -05:00
sinn3r 182f3744de Cosmetic cleanup 2012-03-26 09:23:14 -05:00
corelanc0d3r ad32911b1a probably safer to use regex 2012-03-26 09:01:40 -05:00
James Lee 2d29184adc Use interpolation to ensure LPORT is a string for gsub
[Fixes #6542]
2012-03-21 21:05:05 -06:00
Tod Beardsley 31228ed65a Comment indentation 2012-03-21 15:21:10 -05:00
Peter Van Eeckhoutte 89d7363a8f fixed crash 2012-03-21 10:39:05 +01:00
Peter Van Eeckhoutte f81730a7e1 changes to the way jmp to payload is done 2012-03-21 09:52:22 +01:00
corelanc0d3r 45ef7fc35d reset author 2012-03-20 20:43:56 +01:00
Peter Van Eeckhoutte a3035dc6d0 Adding corelandc0d3r's http/https/ftp payload
Picks up the one http/https/ftp payload, but not the other two DNS
payloads listed as part of the original pull request.

[Closes #173]
2012-03-19 16:50:59 -05:00
sinn3r aeb691bbee Massive whitespace cleanup 2012-03-18 00:07:27 -05:00
Maciej Kotowicz 0389e47dfe fix little mistake 2012-03-15 16:21:00 +01:00
Maciej Kotowicz f91b894375 added posibilities for generating payload from asm to more arch's
added linux/x64/shell_find_port payload
2012-03-14 22:39:56 +01:00
Joshua J. Drake ab01a19f92 Fixes #6483: Correct the include for the handler (was copypasta) 2012-03-07 11:23:44 -06:00
James Lee 70162fde73 A few more author typos 2012-03-05 13:28:46 -07:00
Tod Beardsley 6c0f8636ec Merge pull request #217 from rapid7/reverse-http-randomness
Reverse http randomness
2012-03-02 16:36:26 -08:00
HD Moore b70b41091b Tested fairly well - this randomizes the URLs and removes the user-agent string from the request 2012-03-02 17:44:23 -06:00
Tod Beardsley 96e03d2556 Merge pull request #44 from linuxgeek247/armle-bind-shell
Adding armle bind shellcode based on existing reverse shellcode
2012-03-02 14:25:43 -08:00
James Lee 624e19fd8b Merge session-host-rework branch back to master
Squashed commit of the following:

commit 2f4e8df33c5b4baa8d6fd67b400778a3f93482aa
Author: James Lee <egypt@metasploit.com>
Date:   Tue Feb 28 16:31:03 2012 -0700

    Clean up some rdoc comments

    This adds categories for the various interfaces that meterpreter and
    shell sessions implement so they are grouped logically in the docs.

commit 9d31bc1b35845f7279148412f49bda56a39c9d9d
Author: James Lee <egypt@metasploit.com>
Date:   Tue Feb 28 13:00:25 2012 -0700

    Combine the docs into one output dir

    There's really no need to separate the API sections into their own
    directory.  Combining them makes it much easier to read.

commit eadd7fc136a9e7e4d9652d55dfb86e6f318332e0
Author: James Lee <egypt@metasploit.com>
Date:   Tue Feb 28 08:27:22 2012 -0700

    Keep the order of iface attributes the same accross rubies

    1.8 doesn't maintain insertion order for Hash keys like 1.9 does so we
    end up with ~random order for the display with the previous technique.
    Switch to an Array instead of a Hash so it's always the same.

commit 6f66dd40f39959711f9bacbda99717253a375d21
Author: James Lee <egypt@metasploit.com>
Date:   Tue Feb 28 08:23:35 2012 -0700

    Fix a few more compiler warnings

commit f39cb536a80c5000a5b9ca1fec5902300ae4b440
Author: James Lee <egypt@metasploit.com>
Date:   Tue Feb 28 08:17:39 2012 -0700

    Fix a type-safety warning

commit 1e52785f38146515409da3724f858b9603d19454
Author: James Lee <egypt@metasploit.com>
Date:   Mon Feb 27 15:21:36 2012 -0700

    LHOST should be OptAddress, not OptAddressRange

commit acef978aa4233c7bd0b00ef63646eb4da5457f67
Author: James Lee <egypt@metasploit.com>
Date:   Sun Feb 26 17:45:59 2012 -0700

    Fix a couple of warnings and a typo

commit 29d87f88790aa1b3e5db6df650ecfb3fb93c675b
Author: HD Moore <hdm@digitaloffense.net>
Date:   Mon Feb 27 11:54:29 2012 -0600

    Fix ctype vs content_type typo

commit 83b5400356c47dd1973e6be3aa343084dfd09c73
Author: Gregory Man <man.gregory@gmail.com>
Date:   Sun Feb 26 15:38:33 2012 +0200

    Fixed scripts/meterpreter/enum_firefox to work with firefox > 3.6.x

commit 49c2c80b347820d02348d694cc71f1b3028b4365
Author: Steve Tornio <swtornio@gmail.com>
Date:   Sun Feb 26 07:13:13 2012 -0600

    add osvdb ref

commit e18e1fe97b89c3a2b8c22bc6c18726853d2c2bee
Author: Matt Andreko <mandreko@gmail.com>
Date:   Sat Feb 25 18:02:56 2012 -0500

    Added aspx target to msfvenom.  This in turn added it to msfencode as well.
    Ref: https://github.com/rapid7/metasploit-framework/pull/188
    Tested on winxp with IIS in .net 1.1 and 2.0 modes

commit e6aa5072112d79bbf8a4d2289cf8d301db3932f5
Author: Joshua J. Drake <github.jdrake@qoop.org>
Date:   Sat Feb 25 13:00:48 2012 -0600

    Fixes #6308: Fall back to 127.0.0.1 when SocketError is raised from the resolver

commit b3371e8bfeea4d84f9d0cba100352b57d7e9e78b
Author: James Lee <egypt@metasploit.com>
Date:   Tue Feb 28 17:07:42 2012 -0700

    Simplify logic for whether an inner iface has the same address

commit 5417419f35a40d1c08ca11ca40744722692d3b0d
Author: James Lee <egypt@metasploit.com>
Date:   Tue Feb 28 16:58:16 2012 -0700

    Whitespace

commit 9036875c2918439ae23e11ee7b958e30ccc29545
Author: James Lee <egypt@metasploit.com>
Date:   Tue Feb 28 16:53:45 2012 -0700

    Set session info before worrying about address

    get_interfaces can take a while on Linux, grab uid and hostname earlier
    so we can give the user an idea of what they popped as soon as possible.

commit f34b51c6291031ab25b5bfb1ac6307a516ab0ee9
Author: James Lee <egypt@metasploit.com>
Date:   Tue Feb 28 16:48:42 2012 -0700

    Clean up rdoc

commit e61a0663454400ec66f59a80d18b0baff4cb8cd9
Author: HD Moore <hd_moore@rapid7.com>
Date:   Tue Feb 28 04:54:45 2012 -0600

    Ensure the architecture is only the first word (not the full WOW64
    message in some cases)

commit 4c701610976a92298c1182eecc9291a1b301e43b
Author: HD Moore <hd_moore@rapid7.com>
Date:   Tue Feb 28 04:49:17 2012 -0600

    More paranoia code, just in case RHOST is set to whitespace

commit c5ff89fe3dc9061e0fa9f761e6530f6571989d28
Author: HD Moore <hd_moore@rapid7.com>
Date:   Tue Feb 28 04:47:01 2012 -0600

    A few more small bug fixes to handle cases with an empty string target
    host resulting in a bad address

commit 462d0188a1298f29ac83b10349aec6737efc5b19
Author: HD Moore <hd_moore@rapid7.com>
Date:   Tue Feb 28 03:55:10 2012 -0600

    Fix up the logic (reversed by accident)

commit 2b2b0adaec2448423dbd3ec54d90a5721965e2df
Author: HD Moore <hd_moore@rapid7.com>
Date:   Mon Feb 27 23:29:52 2012 -0600

    Automatically parse system information and populate the db, identify and
    report NAT when detected, show the real session_host in the sessions -l
    listing

commit 547a4ab4c62dc3248f847dd5d305ad3b74157348
Author: HD Moore <hd_moore@rapid7.com>
Date:   Mon Feb 27 22:16:03 2012 -0600

    Fix typo introduced

commit 27a7b7961e61894bdecd55310a8f45d0917c5a5c
Author: HD Moore <hd_moore@rapid7.com>
Date:   Mon Feb 27 22:11:38 2012 -0600

    More session.session_host tweaks

commit e447302a1a9915795e89b5e29c89ff2ab9b6209b
Author: HD Moore <hd_moore@rapid7.com>
Date:   Mon Feb 27 22:08:20 2012 -0600

    Additional tunnel_peer changes

commit 93369fcffaf8c6b00d992526b4083acfce036bb3
Author: HD Moore <hd_moore@rapid7.com>
Date:   Mon Feb 27 22:06:21 2012 -0600

    Additional changes to session.session_host

commit c3552f66d158685909e2c8b51dfead7c240c4f40
Author: HD Moore <hd_moore@rapid7.com>
Date:   Mon Feb 27 22:00:19 2012 -0600

    Merge changes into the new branch
2012-02-28 18:29:39 -07:00
Joshua J. Drake 65ed4bfa8b Fixes #6308: Fall back to 127.0.0.1 when SocketError is raised from the resolver 2012-02-25 13:00:48 -06:00
HD Moore ceb4888772 Fix up the boilerplate comment to use a better url 2012-02-20 19:40:50 -06:00
Tod Beardsley e371f0f64c MSFTidy commits
Whitespace fixes, grammar fixes, and breaking up a multiline SOAP
request.

Squashed commit of the following:

commit 2dfd2472f7afc1a05d3647c7ace0d031797c03d9
Author: Tod Beardsley <todb@metasploit.com>
Date:   Wed Feb 1 10:58:53 2012 -0600

    Break up the multiline SOAP thing

commit 747e62c5be2e6ba99f70c03ecd436fc444fda99e
Author: Tod Beardsley <todb@metasploit.com>
Date:   Wed Feb 1 10:48:16 2012 -0600

    More whitespace and indent

commit 12c42aa1efdbf633773096418172e60277162e22
Author: Tod Beardsley <todb@metasploit.com>
Date:   Wed Feb 1 10:39:36 2012 -0600

    Whitespace fixes

commit 32d57444132fef3306ba2bc42743bfa063e498df
Author: Tod Beardsley <todb@metasploit.com>
Date:   Wed Feb 1 10:35:37 2012 -0600

    Grammar fixes for new modules.
2012-02-01 10:59:58 -06:00
HD Moore 0c2a18d765 Fix up reverse_tcp ipv6 stager for freebsd 2012-02-01 01:41:24 -06:00
HD Moore 29d8feaa24 Use the ADDR6 type, not ADDR 2012-02-01 00:58:08 -06:00
HD Moore aed27a2f82 Add missing trailing quote 2012-02-01 00:54:42 -06:00
HD Moore 45a785fde0 Adds BSD IPv6 payloads and stagers 2012-02-01 00:54:42 -06:00
HD Moore ec5fd723ba Merge in additional IPv6 support for PHP payloads 2012-01-31 01:11:55 -06:00
Patroklos Argyroudis 4e1029ae8b Execute (execve) arbitrary command payload for Mac OS X x64 2012-01-30 11:01:57 +02:00
Patroklos Argyroudis c6eb104132 bug fix for hardcoded max command length 2012-01-23 10:24:22 +02:00
scriptjunkie 9fe18cdc86 Add x64 LoadLibraryA payload. Because it should exist. 2012-01-17 21:16:26 -06:00
sinn3r 5761035371 This payload shouldn't be in here. Instead of adding a new one, exec.rb should be fixed 2012-01-16 22:41:27 -06:00
sinn3r 17ffc06f60 Merge branch 'osx_mozilla_mchannel' of https://github.com/argp/metasploit-framework into argp-osx_mozilla_mchannel 2012-01-16 19:35:29 -06:00
sinn3r 8eee54d1d0 Add e-mail addr for corelanc0d3r (found it in auxiliary/fuzzers/ftp/client_ftp.rb) 2012-01-09 14:23:37 -06:00
Patroklos Argyroudis 5a20b7d7ac Fixed small typo 2012-01-09 14:19:00 +02:00
Patroklos Argyroudis 9a62b41ab7 Mac OS X x86 payload that executes Calculator.app 2012-01-09 12:12:20 +02:00
sinn3r b202c29153 Correct e-mail format 2011-12-29 11:27:10 -06:00
HD Moore 8dc85f1cc5 Fix up some nascent typos 2011-12-14 00:30:31 -06:00
HD Moore 866e2b6bf3 Additional IPv6 payload support 2011-12-14 00:27:38 -06:00
HD Moore 17cc89ebad Add IPv6 specific HTTP(S) handlers and payloads (simplifies
options/usage)
2011-12-11 13:26:48 -06:00
HD Moore 2d3064c1ec Default the scope ID to 0, explicitly 2011-12-10 13:46:16 -06:00
Christopher McBee 100d8803f6 Adding armle bind shellcode based on existing reverse shellcode 2011-12-05 18:16:02 -05:00
Rob Fuller c411c216c0 Solved most of msftidy issues with the /modules directory 2011-11-28 17:10:29 -06:00
Joshua Drake 62c8c6ea9f big msftidy pass, ping me if there are issues
git-svn-id: file:///home/svn/framework3/trunk@14034 4d416f70-5f16-0410-b530-b9f4589650da
2011-10-23 11:56:13 +00:00
Joshua Drake ac916baac5 Fixes #5581: Stop hardcoding MIPS reverse shell IP/port
git-svn-id: file:///home/svn/framework3/trunk@13999 4d416f70-5f16-0410-b530-b9f4589650da
2011-10-18 22:50:12 +00:00
Tod Beardsley 30ac88694f More msftidy fixes. Now I'm going to get a little more surgical to get this to move faster.
git-svn-id: file:///home/svn/framework3/trunk@13963 4d416f70-5f16-0410-b530-b9f4589650da
2011-10-17 02:58:53 +00:00
James Lee 7e4826bae4 silly patch fail
git-svn-id: file:///home/svn/framework3/trunk@13742 4d416f70-5f16-0410-b530-b9f4589650da
2011-09-16 21:11:57 +00:00