Commit Graph

12278 Commits (1362bc9bd149bec96856b692e4fe2169f2b1fcb5)

Author SHA1 Message Date
David Maloney 20d7e9a7a7
remove old struct2 code in favour of gem
use the new rex-struct2 gem and remove the code form it's old location

MS-1782
2016-07-15 16:01:21 -05:00
Metasploit b13d0f879a
Bump version of framework to 4.12.14 2016-07-15 10:03:28 -07:00
Brent Cook b08d1ad8d8
Revert "Land #6812, remove broken OSVDB references"
This reverts commit 2b016e0216, reversing
changes made to 7b1d9596c7.
2016-07-15 12:00:31 -05:00
Brendan 3ed6632f88 Let's actually delete the line.... 2016-07-15 08:47:29 -07:00
Brendan db2850b51c Changed the Burp import to import vulns with blank references 2016-07-14 13:03:24 -07:00
David Maloney b6b52952f4
set ssh to non-interactive
have to set the non-interactive flag so that it does not
prompt the user on an incorrect password

MS-1688
2016-07-14 11:12:03 -05:00
David Maloney 01d0d1702b
Merge branch 'master' into feature/MS-1688/net-ssh-cleanup 2016-07-14 09:48:28 -05:00
caye ed8fec255e
Fixed dir download. Retry when no network even at the download start 2016-07-12 23:05:50 +00:00
William Vu 277950cc79
Land #6733, psexec StackAdjustment fix 2016-07-12 11:14:16 -05:00
Brent Cook 2b016e0216
Land #6812, remove broken OSVDB references 2016-07-11 22:59:11 -05:00
Pearce Barry 7b1d9596c7
Land #7068, Introduce 'mettle' - new POSIX meterpreter 2016-07-11 22:38:40 -05:00
Brent Cook 79fd648bbe don't double-encapsulate regexes on normalize 2016-07-11 22:05:00 -05:00
William Vu 108c3961e2 Make sure GATEWAY_PROBE_PORT is 0
This ensures that dst_port is set for UDPSocket#send.
2016-07-11 12:10:46 -05:00
caye a6e92034bf
Added glob to dir_files.entries search - thanks @OJ 2016-07-11 06:22:28 +00:00
caye 3c2f0e814e
'Continue' and 'tries' wget-like options for meterpreter 'download' 2016-07-10 16:24:36 +00:00
Metasploit 48410f3ab2
Bump version of framework to 4.12.13 2016-07-08 10:01:58 -07:00
James Lee 11685b7c6b
Set the server challenge key 2016-07-07 15:00:42 -05:00
James Lee cfb56211e7
Revert "Revert "Land #7009, egypt's rubyntlm cleanup""
This reverts commit 1164c025a2.
2016-07-07 15:00:41 -05:00
Metasploit 82e092c2df
Bump version of framework to 4.12.12 2016-07-05 14:57:43 -07:00
James Lee 1164c025a2 Revert "Land #7009, egypt's rubyntlm cleanup"
This reverts commit d90f0779f8, reversing
changes made to e3e360cc83.
2016-07-05 15:22:44 -05:00
Brent Cook 049b322ae4 add x86 and x64 stagers for mettle 2016-07-05 11:24:54 -05:00
Adam Cammack 0390ed4d6e Add MIPS O32 Linux support (big and little endian) 2016-07-05 11:24:54 -05:00
Adam Cammack 8de508c4e0 Add mettle module for ARM 2016-07-05 11:24:54 -05:00
Adam Cammack 2f3f655352 Add gem for mettle
This adds the gem for the mettle binaries, which contains reflective
payloads for a variety of Linux architectures (and more OSs in the
future)
2016-07-05 11:24:54 -05:00
William Vu 6e7f07f0f3 Fix off-by-one error in #6954
Props to @egypt for noticing. My bad. :-)
2016-07-05 11:12:12 -05:00
David Maloney 5f9f3259f8
Merge branch 'master' into feature/MS-1688/net-ssh-cleanup 2016-07-05 10:48:38 -05:00
David Maloney 7f341336b2
Land #7067, bcook's rex tools fix
this pr fixes rex requires in the various tools that were
disrupted by the new gemification of rex
2016-07-05 10:34:59 -05:00
David Maloney 85937ab839
require new gems inside rex.rb
have the root rex namespace require the new rex gems
to prevent broken requires when things greedily require all of rex
2016-07-05 10:33:45 -05:00
Metasploit 054ac5ac19
Bump version of framework to 4.12.11 2016-07-05 07:49:37 -07:00
Brendan e29d5b9efe
Land #6954, Fix the available size of payload for exploit/.../payload_inject 2016-07-05 07:38:27 -07:00
Brent Cook 5dc7d4b16e
Land #7043, Fix-up double slash handling with the LURI parameter 2016-07-05 01:21:33 -05:00
Brent Cook 85dfec0cf5 minor whitespace 2016-07-05 01:20:54 -05:00
Brent Cook 58e37931c5
Land #7040, Decrease chance of an error when exiting a interactive shell 2016-07-05 01:15:39 -05:00
OJ ef322ab9aa
Land #7066 - revert #6581 as it causes a regression 2016-07-05 16:05:48 +10:00
Brent Cook 4b77de2174
Land #7030, Ensure 'show options' reflects correct values 2016-07-05 00:48:46 -05:00
Brent Cook b9891aab27
Land #7007, Added JCL header data to mainframe payload module 2016-07-05 00:22:20 -05:00
Brent Cook 9b4028d2d7
Revert #6581, it causes regressions
We need a more clever solution without breaking HttpUnknownRequestResponse.
2016-07-05 00:11:15 -05:00
William Webb 2e97a08954
Land #7046, Pad host field in notes -d command 2016-07-01 10:14:45 -05:00
William Webb 02d40eb576
Land #7044, Pass exploit SRVPORT in BrowserAutopwn2 2016-07-01 09:49:05 -05:00
William Vu 4b01213fb5 Rewrite the logic to be positive
unless is the devil. unless/else doubly so.
2016-07-01 09:15:42 -05:00
William Vu 6e1b6e96a9
Land #7032, rm -rf lib/rex/encoders
Dead code!
2016-06-30 16:32:14 -05:00
William Vu f0cd25dcee
Land #7035, lib/sshkey* swap to gem 2016-06-30 16:25:27 -05:00
William Vu 343f4010bd Prefer newer hash syntax 2016-06-30 15:43:06 -05:00
wchen-r7 dbcdc300e5 Fix #7019, Pad host field in notes -d command
The notes -d command is always expecting a host address, but
fileformat exploits don't have this type of information when the
exploit file is generated, therefore there isn't enough fields
provided for Rex table.

Fix #7019
2016-06-30 15:38:58 -05:00
wchen-r7 118caa13bf Fix #7021, Pass exploit SRVPORT in BrowserAutopwn2
In BrowserAutoPwn2, the mixin forgets to pass the SRVPORT datastore
option to the exploits, so they always use the default 8080. As a
result, if a different SRVPORT is set, BAP2 would be serving the
target machine with bad exploit links.

Fix #7021
2016-06-30 14:20:53 -05:00
HD Moore 23399326c2 Fix up double slashes, tweak syntax 2016-06-30 12:56:29 -05:00
ssyy201506 0a85f1d233 Fix an error when exiting a interactive shell 2016-06-30 16:19:10 +09:00
Pearce Barry 5e39f895cf Fix exception on msf 'db_export' cmd (see #7008)
Users reported (in GitHub issue #7008) hitting an exception when attempting to export the contents of the msf database (i.e. workspaces, hosts, events, etc.) via the 'db_export' command.  After some digging, it appears there were a few ActiveRecord changes with the new Rails upgrade that require a couple mods to the way we are querying.
2016-06-29 16:02:31 -05:00
David Maloney 80563b2c0f
Merge branch 'master' into feature/MS-1700/sshkey-gem 2016-06-29 09:44:57 -05:00
David Maloney a796a1bc63
wierd namespace issues? 2016-06-28 16:13:49 -05:00
David Maloney 2dba09a9ce
unvendor sshkey gem
use the actual maintained gem rather than our vendored
copy

MS-1700
2016-06-28 16:10:48 -05:00
David Maloney dcddd2d671
use the bit-struct gem
removed vendored copy of bit-struct and use the gem
instead

MS-1699
2016-06-28 15:58:47 -05:00
David Maloney 39fa8bf2d4
missing require 2016-06-28 15:40:56 -05:00
David Maloney 3d93c55174
move sshfactory into a mixin method
use a convience method to DRY up creation
of the SSHFactory inside modules. This will make it easier
to apply changes as needed in future. Also changed msframework attr
to just framework as per our normal convention

MS-1688
2016-06-28 15:23:12 -05:00
David Maloney ee2d1d4fdc
Merge branch 'master' into feature/MS-1688/net-ssh-cleanup 2016-06-28 15:00:35 -05:00
David Maloney 356f4fd54d
delete deprecated lib/rex/encoders
this directory is all dead code and has been replaced with
the lib/rex/encoder directory. these files should have been
purge a long time ago for cleanlieness

MS-1692
2016-06-28 14:43:39 -05:00
David Maloney 0a83b34a85
Land #7025, dev's PR for rex-java
lands the pr for moving Rex::Java into it's own gem
2016-06-28 14:40:02 -05:00
David Maloney d90f0779f8
Land #7009, egypt's rubyntlm cleanup
Land egypt's PR to replace all of our NTLM code with
the rubyntlm gem
2016-06-28 14:15:34 -05:00
David Maloney 97f9ca4028
Merge branch 'master' into egypt/ruby-ntlm 2016-06-28 14:14:56 -05:00
Metasploit e3e360cc83
Bump version of framework to 4.12.10 2016-06-28 12:13:26 -07:00
Louis Sato d5d0b9e9b8 Revert "Land #6729, Speed up the datastore"
This reverts commit c6b1955a5a, reversing
changes made to 4fb7472391.
2016-06-28 13:39:52 -05:00
Pearce Barry 0660880332 Ensure 'show options' reflects correct values.
Small fix here to ensure that, even when boolean 'option' variables have a default value of 'true', that their current value is correctly reflected via the 'show options' command.  This change should play fine with all other option variable types, I believe.

Current behavior:

```
msf > use auxiliary/gather/darkcomet_filedownloader
msf auxiliary(darkcomet_filedownloader) > show options

Module options (auxiliary/gather/darkcomet_filedownloader):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   BRUTETIMEOUT  1                no        Timeout (in seconds) for bruteforce attempts
   KEY                            no        DarkComet RC4 key (include DC prefix with key eg. #KCMDDC51#-890password)
   LHOST         0.0.0.0          yes       This is our IP (as it appears to the DarkComet C2 server)
   NEWVERSION    true             no        Set to true if DarkComet version >= 5.1, set to false if version < 5.1
   RHOST         0.0.0.0          yes       The target address
   RPORT         1604             yes       The target port
   STORE_LOOT    true             no        Store file in loot (will simply output file to console if set to false).
   TARGETFILE                     no        Target file to download (assumes password is set)

msf auxiliary(darkcomet_filedownloader) > set STORE_LOOT false
STORE_LOOT => false
msf auxiliary(darkcomet_filedownloader) > get STORE_LOOT
STORE_LOOT => false
msf auxiliary(darkcomet_filedownloader) > set NEW_VERSION false
NEW_VERSION => false
msf auxiliary(darkcomet_filedownloader) > get NEW_VERSION
NEW_VERSION => false
msf auxiliary(darkcomet_filedownloader) > show options

Module options (auxiliary/gather/darkcomet_filedownloader):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   BRUTETIMEOUT  1                no        Timeout (in seconds) for bruteforce attempts
   KEY                            no        DarkComet RC4 key (include DC prefix with key eg. #KCMDDC51#-890password)
   LHOST         0.0.0.0          yes       This is our IP (as it appears to the DarkComet C2 server)
   NEWVERSION    true             no        Set to true if DarkComet version >= 5.1, set to false if version < 5.1
   RHOST         0.0.0.0          yes       The target address
   RPORT         1604             yes       The target port
   STORE_LOOT    true             no        Store file in loot (will simply output file to console if set to false).
   TARGETFILE                     no        Target file to download (assumes password is set)
```

New behavior with this change:

```
msf > use auxiliary/gather/darkcomet_filedownloader
msf auxiliary(darkcomet_filedownloader) > show options

Module options (auxiliary/gather/darkcomet_filedownloader):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   BRUTETIMEOUT  1                no        Timeout (in seconds) for bruteforce attempts
   KEY                            no        DarkComet RC4 key (include DC prefix with key eg. #KCMDDC51#-890password)
   LHOST         0.0.0.0          yes       This is our IP (as it appears to the DarkComet C2 server)
   NEWVERSION    true             no        Set to true if DarkComet version >= 5.1, set to false if version < 5.1
   RHOST         0.0.0.0          yes       The target address
   RPORT         1604             yes       The target port
   STORE_LOOT    true             no        Store file in loot (will simply output file to console if set to false).
   TARGETFILE                     no        Target file to download (assumes password is set)

msf auxiliary(darkcomet_filedownloader) > set STORE_LOOT false
STORE_LOOT => false
msf auxiliary(darkcomet_filedownloader) > get STORE_LOOT
STORE_LOOT => false
msf auxiliary(darkcomet_filedownloader) > set NEWVERSION false
NEWVERSION => false
msf auxiliary(darkcomet_filedownloader) > get NEWVERSION
NEWVERSION => false
msf auxiliary(darkcomet_filedownloader) > show options

Module options (auxiliary/gather/darkcomet_filedownloader):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   BRUTETIMEOUT  1                no        Timeout (in seconds) for bruteforce attempts
   KEY                            no        DarkComet RC4 key (include DC prefix with key eg. #KCMDDC51#-890password)
   LHOST         0.0.0.0          yes       This is our IP (as it appears to the DarkComet C2 server)
   NEWVERSION    false            no        Set to true if DarkComet version >= 5.1, set to false if version < 5.1
   RHOST         0.0.0.0          yes       The target address
   RPORT         1604             yes       The target port
   STORE_LOOT    false            no        Store file in loot (will simply output file to console if set to false).
   TARGETFILE                     no        Target file to download (assumes password is set)
```
2016-06-28 13:12:34 -05:00
dmohanty-r7 c2f3d411c3
Replace rex/java with rex-java gem 2016-06-27 14:52:49 -05:00
Metasploit fd07da3519
Bump version of framework to 4.12.9 2016-06-27 11:54:04 -07:00
James Lee 058115c21f
Land #7015, sdavis' swagger exploit 2016-06-24 16:13:51 -05:00
James Lee 5d4cc7ab40
Add nodejs to list of defaults 2016-06-24 16:06:50 -05:00
David Maloney 5bc513d6cd
get ssh sessions working properly
ssh sessions now working correctly

MD-1688
2016-06-24 12:14:48 -05:00
David Maloney 3e94abe555
put net:ssh::commandstream back
this was apparently our own creation for doing
ssh sessions

MD-1688
2016-06-22 15:02:36 -05:00
David Maloney 6072697126
continued 2016-06-22 14:54:00 -05:00
David Maloney 140621ad9b
start to move to canonical net-ssh
removed vendored net::ssh
pulled in net:ssh gem
made Rex::Socket::SSHFactory clas to bridge rex sockets in
Renamed getpeername to getpeername-as_array to not override
core socket behaviour

MS-1688
2016-06-22 14:52:33 -05:00
James Lee 0126ec61d8
Style 2016-06-22 10:15:23 -05:00
James Lee b3f59ebd19
Whitespace 2016-06-22 10:15:23 -05:00
James Lee 07f7e5e148
Convert non-loginscanner MSSQL to rubyntlm 2016-06-22 10:15:22 -05:00
James Lee 4b3f6c5d29
Use rubyntlm for mssql login scanner 2016-06-22 10:15:22 -05:00
James Lee 039e8f5899
Use rubyntlm for HTTP Negotiate auth 2016-06-22 10:15:22 -05:00
James Lee c2a063c8ae
Start using rubyntlm for ssp auth 2016-06-22 10:15:16 -05:00
David Maloney 1e053c110a
Merge branch 'master' into feature/rex-cleanup/first-gems 2016-06-22 09:20:44 -05:00
Bigendian Smalls 3842753ce4
Added JCL header data to mainframe payload module
Currently any existing and future JCL payload has to have a 'job card'
basically data that defines the job to z/OS.  It has information about
the job's owner, place it will run, output creation, etc.  All JCL
shares the same job card format.  As such, creating a shared payload
method that allows this text to be imported into any JCL payload.
Additionally, that job card is now parameterized, allowing the
exploit/payload user to edit these job card values-as this may be needed
in order to run the job sucessfully on any given system.

This PR sets up the mf module - next PRs will update the existing
payloads to use this module.
2016-06-21 22:06:44 -05:00
David Maloney 69e2d05a5d
rip out old rex code and replace with gems
rex-text, rex-random_identifier, rex-powershell, rex-zip, and rex-registry
are now being pulled in as gems instead of part of the spgehtti code that is lib/rex
2016-06-21 13:56:36 -05:00
wchen-r7 129b449355 Add Msf::Util::EXE.to_zip
This adds a new method in Msf::Util::EXE to be able to create a
zip file with an array of binary data.
2016-06-20 13:36:59 -05:00
William Webb 98ad2489db
Land #6970, #make_fast_nops for HUGE nop chunks 2016-06-17 12:56:26 -05:00
wchen-r7 c6b1955a5a
Land #6729, Speed up the datastore 2016-06-15 17:55:42 -05:00
thao doan f5bfc84453 Land #6977, Add a more verbose message when generating module documentation 2016-06-15 14:55:55 -07:00
h00die 78775f7833 first attempt at 6964 2016-06-15 07:44:32 -04:00
William Webb 563b8206c5
Land #6962, Apache Continuum Exploit 2016-06-13 16:41:53 -05:00
wchen-r7 337e48dc07 Create #make_fast_nops for huge NOP chunks
This creates a new method called #make_fast_nops for exploits that
actually need large chunks of NOPs.
2016-06-13 15:25:46 -05:00
William Vu f7d261516d
Land #6968, get_uri URIPORT fix (again) 2016-06-13 10:52:29 -05:00
William Vu b7139da624 Clean up whitespace 2016-06-13 10:51:38 -05:00
Trenton Ivey 776dd57803 get_uri missing port fix 2016-06-12 19:27:34 -05:00
h00die 7831cb53c5 print status of opening browser at file 2016-06-11 21:13:31 -04:00
William Vu 5adc360b2a Make opts truly optional 2016-06-10 20:35:40 -05:00
Metasploit fd4a51cadb
Bump version of framework to 4.12.8 2016-06-10 10:01:27 -07:00
wchen-r7 0d7b587b5d Avoid printing rhost:rport from AuthBrute
When AuthBurte is mixed with other modules using the TCP mixin,
rhost:rport is printed twice. This info should come from the
protocol level mixin.
2016-06-08 14:32:58 -05:00
Metasploit 815685992a
Bump version of framework to 4.12.7 2016-06-07 13:14:34 -07:00
Brian Patterson 6d72b5b19f
Land #6946 Fix a bug with OptPort validation when not req 2016-06-07 14:43:10 -05:00
David Maloney 53b989f283
fix normalisation so we don't coerce to 0
don't coerce nil to 0
2016-06-07 14:29:13 -05:00
David Maloney 16030cda30
simpler fix
talking with adam shows that there is a simpler solution
to this problem
2016-06-07 14:13:10 -05:00
David Maloney 9de27e0b9c
add more specific normalise method to otpport
add a normalise method that prevents emtpy string
from being converted to 0 for OptPort avoiding
a bad behaviour
2016-06-07 14:03:34 -05:00
David Maloney 27b5d961fd
fixes a bug with OptPort validation when not req
OptPort lost the check for whether the option was required causing it
to incorrectly return false in certain cases

MS-1633
2016-06-07 13:48:57 -05:00
Louis Sato d3a13f4b0c Merge pull request #6942 from acammack-r7/bug/MS-1517/fix-acunetix-again
Fix Acunetix import with a blacklist
2016-06-05 23:00:48 -05:00
Adam Cammack 08f1e68487
Fix Acunetix import with a blacklist
If a host is blacklisted, we won't create the service for it. If we
don't create the service, we don't want to create entries for the web
pages.

MS-1517
2016-06-03 19:40:29 -05:00
Brent Cook da532ecc5e
Land #6919, Move LURI into a full URI for a new 'Payload opts" column in jobs output 2016-06-03 13:57:47 -05:00
James Barnett e0cf4721c5
Land #6927, Fix exception handling in #exploit_simple 2016-06-02 11:15:25 -05:00
David Maloney ffa4177575
missed a few joins
missed a few joins statements before

MS-1593
2016-06-01 15:32:51 -05:00
David Maloney 2047475901
host tags commands eagerloaded instead of joining
someone tried to fix a rails deprecation warning by doing an
eager load, but caused an actual exception instead. switching to
propper joins makes everything work properly

MS-1593
2016-06-01 13:50:38 -05:00
David Maloney a27d10c200
fixes the exception handling in #exploit_simple
The exception handling in the #exploit_simple method tries to set
error on exploit but exploit is defined within the begin block
causing a noMethodError on nilClass

MS-1608
2016-05-31 11:46:05 -05:00
Metasploit c35322ec3f
Bump version of framework to 4.12.6 2016-05-30 22:34:13 -07:00
wchen-r7 61f9cc360b Correct casing - should be HttpUsername and HttpPassword 2016-05-27 18:31:54 -05:00
wchen-r7 4dcddb2399 Fix #4885, Support basic and form auth at the same time
When a module uses the HttpClient mixin but registers the USERNAME
and PASSWORD datastore options in order to perform a form auth,
it ruins the ability to also perform a basic auth (sometimes it's
possible to see both). To avoid option naming conflicts, basic auth
options are now HTTPUSERNAME and HTTPPASSWORD.

Fix #4885
2016-05-27 16:25:42 -05:00
James Lee f7382f5b3b
Make `jobs` display a full uri
Addresses the problem of LURI taking the place of URIPATH, which has
different semantics.

See #4623
2016-05-27 11:15:12 -05:00
Brendan Watters 00b18c8ac5
Land #6917, Fix minor issues with the RC4 stager 2016-05-26 10:12:54 -05:00
Brent Cook a3d2cba698
Land #6906, Improve msfvenom error handling and spec coverage 2016-05-26 07:58:37 -05:00
Brent Cook 96c459c71d fix #6915, handle nil payloads and alert to the user 2016-05-26 07:22:09 -05:00
Brent Cook 8612eaa553 remove senduuid for now, give RC4PASSWORD a default 2016-05-26 06:34:51 -05:00
Brent Cook c65401026a wip fixup rc4 2016-05-25 06:17:02 -05:00
wchen-r7 05680ab6f3
Land #6887, add a missing postgresql 9.4.1-5 matching case 2016-05-24 22:19:03 -05:00
James Lee 5921ac7b47
Add a spec and fix ReverseHttp#luri 2016-05-24 17:22:14 -05:00
William Vu 3dfdf1d936
Land #6528, tilde expansion and more for OptPath 2016-05-24 16:01:59 -05:00
Jon Hart a23ce05752
File.exists? must cease to exist 2016-05-24 13:53:26 -07:00
wchen-r7 14cb85250e
Land #6912, use the correct variable for cookie expiration in BAP2 2016-05-24 14:19:03 -05:00
wchen-r7 ff4d150449 Show IP for print_* 2016-05-24 14:12:54 -05:00
wchen-r7 b5987e1d51
Land #6907, Fix check command with an IP or IP range 2016-05-24 11:37:56 -05:00
James Lee 9807f9b796
Move Rex::Job into its own file 2016-05-24 11:24:47 -05:00
Metasploit 54f4389d31
Bump version of framework to 4.12.5 2016-05-24 08:54:14 -07:00
Brendan Watters 77a62ff7c0
Land #6905 RC4 Stagers 2016-05-24 09:34:32 -05:00
Brendan Watters 43f79f34a9 Removed superfluous instruction 2016-05-24 09:03:14 -05:00
Brent Cook 3bc020178f use the correct variable for cookie expiration 2016-05-24 07:16:55 -05:00
Brent Cook 76e8e8f6c7 really fix regex 2016-05-23 20:08:38 -05:00
Brent Cook eb26202961 fix regex 2016-05-23 17:33:06 -05:00
Louis Sato d0b87131a9
fixing import of zip workspace
MS-1528
2016-05-23 16:09:22 -05:00
Brent Cook 6af9a093d2 update bool 2016-05-23 15:48:03 -05:00
darkbushido 5e059e0c5b
updating the error message
changing the exception to be a little more specific.
2016-05-23 15:40:32 -05:00
darkbushido d3cdcd5f99
Having the payload generator check the payload size
Payload generator will raise an error if the payload is larger then the size option
2016-05-23 15:17:41 -05:00
Brent Cook fe1b24e666 allow nil assignment to the datastore 2016-05-23 14:56:19 -05:00
Brent Cook f29463f119 include {peer} in the context of the command dispatcher 2016-05-23 14:55:58 -05:00
RageLtMan efc64eaa5f Implement reverse_tcp_rc4_dns payload in metasm
Using the ruby methods for generating assembly blocks defined or
separated in prior commits, create a new payload from the existing
assembly blocks which performs a DNS lookup of the LHOST prior to
establishing a corresponding socket and downloading, and
decrypting the RC4 encrypted payload.

For anyone looking to learn how to build these payloads, these
three commits should provide a healthy primer. Small changes to
the payload structure can yield entropy enough to avoid signature
based detection by in-line or out-of-band static defenses. This
payload was completed in the time between this commit and the last.

Testing:
  Win2k8r2

ToDo:
  Update payload sizes when this branch is "complete"
  Ensure UUIDs and adjacent black magic all work properly
2016-05-23 14:27:11 -05:00
RageLtMan 0e69040a6a Implement reverse_tcp_dns as metasm payload
Using the separation of block_recv and reverse_tcp, implement
reverse_tcp_dns using original shellcode as template with dynamic
injection of parameters. Concatenate the whole thing in the
generation call chain, and compile the resulting shellcode for
delivery.

Metasploit module pruned to bare minimum, with the LHOST OptString
moved into the library component.

Testing:
  Win2k8r2

ToDo:
  Update payload sizes when this branch is "complete"
  Ensure UUIDs and adjacent black magic all work properly

Misc:
  Clean up rc4.rb to use the rc4_keys method when generating a
stage. Makes the implementation far more readable and reduces
redundant code.
2016-05-23 14:27:11 -05:00
RageLtMan df2346d9e0 Implement RC4 metasm payloads for tcp bind and rev
Convert reverse_tcp_rc4 and bind_tcp_rc4 from static shellcode
substitution payloads to metasm compiled assembly approach.

Splits up metasm methods for bind_tcp and reverse_tcp into socket
creation and block_recv to allow for reuse of the socket methods
with the RC4 payloads, while substituting the block_recv methods
for those carrying the appropriate decryptor stubs.

Creates a new rc4 module carrying the bulk of the decryptor and
adjacent convenince methods for standard payload generation.

Testing:
 Tested against Win2k8r2, Win7x64, and WinXPx86

ToDo:
 Ensure all the methods around payload sizing, UUIDs, and other
new functionality, the semantics of which i do not yet fully
understand, are appropriate and do not introduce breakage.
2016-05-23 14:27:11 -05:00
Brent Cook 9fc07eeb99
Land #6902, Respect SSLCipher in server mixins 2016-05-20 17:34:38 -05:00
Adam Cammack fda4c62c1f
Respect SSLCipher in server mixins
This allows us to set a sane cipher spec for SSL-enabled server modules.
2016-05-20 16:59:36 -05:00
Metasploit 100300c819
Bump version of framework to 4.12.4 2016-05-18 07:04:09 -07:00
Brent Cook 6a4a9742e8 handle bad user 2016-05-17 17:24:46 -05:00
Brent Cook c6db5bf34a add a missing postgresql 9.4.1-5 matching case 2016-05-17 17:12:47 -05:00
Jenkins c9dd863085
Bump version of framework to 4.12.3 2016-05-17 10:18:08 -07:00
Jon Hart 8bccfef571
Fix merge conflict 2016-05-16 17:29:45 -07:00
wchen-r7 04d70640b1
Land #6868, Add axis2 payload generator for msfvenom 2016-05-16 17:48:50 -05:00
David Maloney c40b8ea3fb
Land #6864, Meterp Suspend 2016-05-16 11:13:43 -05:00
Jenkins 621a908b2d
Bump version of framework to 4.12.2 2016-05-13 12:51:58 -07:00
David Maloney ba4bfca806 Revert "arg bad build, resetting version back one"
This reverts commit d86392e96b.
2016-05-13 14:48:35 -05:00
David Maloney d86392e96b
arg bad build, resetting version back one 2016-05-13 14:44:02 -05:00
Jenkins b6a83f734d
Bump version of framework to 4.12.1 2016-05-13 12:39:43 -07:00
David Maloney 31050a8da7
Rails upgrade to 4.2.6
lands all of the rails 4.2 upgrade work
Merge branch 'staging/rails-upgrade'
2016-05-13 14:34:50 -05:00
Jenkins 6c11054d5a
Bump version of framework to 4.12.0 2016-05-13 11:46:03 -07:00
Christian Mehlmauer 7fcddd5a05
Add axis2 payload generator 2016-05-12 22:48:07 +02:00
David Maloney d9abb06a5a
Merge branch 'master' into staging/rails-upgrade 2016-05-12 11:18:51 -05:00
David Maloney 7edaa2abcc
still trying to fix these migrations
seeing odd behaviour with mgirations in
rspec
2016-05-11 14:54:40 -05:00
David Maloney 2fb3123ef2
fix migration crazieness
MS-1486
2016-05-11 14:05:34 -05:00
David Maloney 993709e076
Land #6862, jar payloads
lands FireFarts jar payload pr
2016-05-11 09:56:41 -05:00
Brent Cook af84e85174 fix exception suspending channels from meterpreter 2016-05-10 04:21:31 -05:00
Christian Mehlmauer e2dd844e34
reenable jar format 2016-05-09 21:25:23 +02:00
David Maloney 6142d2cef1
Merge branch 'master' into staging/rails-upgrade 2016-05-09 09:27:17 -05:00
Brent Cook 7b1148c438 disambiguate NetBSD/OpenBSD 2016-05-09 05:11:47 -05:00
Brent Cook 71a674434a Solaris 11 2016-05-09 05:11:09 -05:00
Brent Cook bbe35ac21a match solaris uname 2016-05-09 05:06:59 -05:00
Brent Cook 1a97042a0d include running CPU architecture in platform string 2016-05-09 05:06:37 -05:00
Brent Cook f466464e80 set a recommended number of threads per session type 2016-05-08 22:39:41 -05:00
Brent Cook 9268f66540 auto-set the meterpreter platform based on the sysinfo os 2016-05-08 22:39:41 -05:00
Jenkins 805f98f599
Bump version of framework to 4.11.27 2016-05-06 11:32:46 -07:00
David Maloney 1ffab935cc
pull dep mgirations from credential
credential pulls mdm, so we don't combine these
2016-05-06 11:57:40 -05:00
David Maloney a763863ff3
remove #truncate_session_desc
this method was absed around a char limit
for the desc column which no longer exists
trying to perform this operation generates an error
removing the method since it is not needed
2016-05-06 09:36:12 -05:00
Adam Cammack f75009a9c6
Don't duplicate headers when sending emails
If Date: and Subject: are present, we should not try to add them again.
This made Amazon SES puke, and that made us sad :(.

MS-1476
2016-05-05 10:47:21 -05:00
David Maloney 19af279ce9
Merge branch 'master' into staging/rails-upgrade 2016-05-05 10:46:12 -05:00
dmohanty-r7 f096c3bb99
Land #6821 Fix send_request_cgi! redirection 2016-05-05 09:09:30 -05:00
David Maloney 55b38ad089
Land #6398, content length header
lands wei's content length header pr
2016-05-04 11:53:46 -05:00
Jenkins e7ff4665e1
Bump version of framework to 4.11.26 2016-05-04 09:44:18 -07:00
Rob Fuller 4c9eba333e
Land #6753, MSF-side support for reverse port forwards
Huge thanks to @OJ for making this happen.
Tested targets Win7,10,2008,2012
Tested payloads Win32 native, Win64 native, python
2016-05-04 07:39:05 -04:00
Jenkins 7490ab1c78
Bump version of framework to 4.11.25 2016-05-03 17:09:07 -07:00
OJ 60f81a69ea Remove the pfservice close call on shutdown 2016-05-03 12:03:37 +10:00
OJ d136844d3b Add error handling around double-bind of ports 2016-05-03 10:42:41 +10:00
wchen-r7 ffc91a193c Fix #6841, info -d [module path] not spawning module documentation
Fix #6841
2016-05-02 14:23:29 -05:00
Brian Patterson be363411de
Land #6317, Add delay(with jitter) option to auxiliary scanner and portscan modules 2016-05-02 13:09:40 -05:00
David Maloney fb5b228984
Merge branch 'master' into staging/rails-upgrade 2016-05-02 11:33:35 -05:00
dmaloney-r7 3b893cf740 Merge pull request #6581 from bcook-r7/uuidretry
don't send a response on invalid UUID, allow stagers to survive another day
2016-05-02 11:23:02 -05:00
Jenkins d4f1c78c5c
Bump version of framework to 4.11.24 2016-04-29 13:38:06 -07:00
dmohanty-r7 20ec56d06a Do not parse empty web_sites
MS-255
2016-04-28 13:17:03 -05:00
dmohanty-r7 5a4e70fdf0 Fixes indentation in check_msf_xml_version!
MS-255
2016-04-28 13:17:02 -05:00
dmohanty-r7 f4f607d815 Correct comments to use Nokogiri::XML::Element
MS-255
2016-04-28 13:17:02 -05:00
dmohanty-r7 56fd5a745e Do not parse element if empty
MS-255
2016-04-28 13:17:02 -05:00
dmohanty-r7 050061762b Fix db_manager rspec tests
MS-255
2016-04-28 13:17:02 -05:00
dmohanty-r7 0e568674d7 Add comments on parse functions
MS-255
2016-04-28 13:17:01 -05:00
dmohanty-r7 0759848ad5 Use Nokogiri Reader in zip import
MS-255
2016-04-28 13:17:01 -05:00
dmohanty-r7 83ff60c111 Force encoding on import xml
MS-255
2016-04-28 13:17:01 -05:00
dmohanty-r7 e4fcaefc8c Unpack and pack an unsigned integer per 8 bytes
MS-255
2016-04-28 13:17:01 -05:00
dmohanty-r7 e6a8d69b0b Force encoding of XML import
MS-255
2016-04-28 13:17:00 -05:00
dmohanty-r7 f1d8e1d693 Parse web_data in xml import
MS-255
2016-04-28 13:17:00 -05:00
dmohanty-r7 802dfabbe3 Converts XML importer to use Nokogiri Reader
MS-255
2016-04-28 13:17:00 -05:00
wchen-r7 d4b89edf9c Fix #6398, Missing Content-Length header in HTTP POST
RFC-7230 states that a Content-Length header is normally sent in
a POST request even when the value (length) is 0, indicating an
empty payload body. Rex HTTP client failed to follow this spec,
and caused some modules to fail (such as winrm_login).

Fix #6398
2016-04-28 11:44:10 -05:00
OJ c15a2e8787
Merge branch 'upstream/master' into reverse-port-forward
Signed-off-by: OJ <oj@buffered.io>
2016-04-26 09:48:40 +10:00
wchen-r7 47d52a250e Fix #6806 and #6820 - Fix send_request_cgi! redirection
This patch fixes two problems:

1. 6820 - If the HTTP server returns a relative path
   (example: /test), there is no host to extract, therefore the HOST
   header in the HTTP request ends up being empty. When the web
   server sees this, it might return an HTTP 400 Bad Request, and
   the redirection fails.

2. 6806 - If the HTTP server returns a relative path that begins
   with a dot, send_request_cgi! will literally send that in the
   GET request. Since that isn't a valid GET request path format,
   the redirection fails.

Fix #6806
Fix #6820
2016-04-25 14:30:46 -05:00
wchen-r7 4676d70918 rm osvdb condition 2016-04-24 18:36:33 -05:00