Commit Graph

2178 Commits (1582d3a90261aa2e03d6f7e73dffbb98b48ba25e)

Author SHA1 Message Date
jvazquez-r7 b504f0be8e
Update adobe_flash_hacking_team_uaf 2015-07-15 18:18:04 -05:00
Spencer McIntyre 18cb55f1fa Pymet fix transport automatic roll over 2015-07-14 15:18:11 -04:00
Spencer McIntyre 00da619556 Pymet fix previous transport index logic 2015-07-14 14:32:57 -04:00
Spencer McIntyre 9f48853e00 Pymet fix the order in which transports are added 2015-07-14 14:26:27 -04:00
wchen-r7 d6565a9aee Merge branch 'bes_flash' into bapv2_flash_test 2015-07-14 00:34:54 -05:00
jvazquez-r7 b72ba7f51c
Add AS2 flash detection code 2015-07-13 18:26:02 -05:00
jvazquez-r7 8fb6bedd94
Delete as3 detecotr 2015-07-13 18:23:39 -05:00
jvazquez-r7 9116460cb0
Add prototype with AS3 2015-07-13 16:33:55 -05:00
jvazquez-r7 299978d0e2
Put again old exploiter 2015-07-11 00:36:32 -05:00
jvazquez-r7 63005a3b92
Add module for flash CVE-2015-5122
* Just a fast port for the exploit leaked
* Just tested on win7sp1 / IE11
2015-07-11 00:28:55 -05:00
Tod Beardsley 3d630de353
Replace with a real CVE number 2015-07-07 14:44:12 -05:00
wchen-r7 2cdaace42f
Land #5678, Land adobe_flash_hacking_team_uaf.r 2015-07-07 12:34:59 -05:00
jvazquez-r7 d9aacf2d41
Add module for hacking team flash exploit 2015-07-07 11:19:48 -05:00
Mo Sadek 9e2e64bba1
Land #5644, Windows 10 Detection for os.js 2015-07-06 16:19:06 -05:00
Spencer McIntyre 2a89e248d7 Pymet fix send uuid logic for Python 3.x 2015-07-06 11:20:34 -04:00
joev c993c70006 Remove sleep(), clean up WritableDir usage. 2015-07-05 18:59:00 -05:00
joev a8b56bb44a Oops, need to include the binary files. 2015-07-05 18:24:45 -05:00
Spencer McIntyre 841fbddfc6 Pymet fix packet polling interval 2015-07-02 11:51:53 -04:00
Spencer McIntyre 0af397217c Merge pymet transport feature into fresh branch 2015-07-02 08:43:13 -04:00
Spencer McIntyre 6ab7c314de Pymet fix reverse_tcp transport for IPv6 addresses 2015-07-02 08:33:11 -04:00
Spencer McIntyre dbe239bc75 Pymet fix transport next and prev for one transport 2015-07-02 08:23:02 -04:00
wchen-r7 482247771d Add a fingerprint for Windows 10 + IE11 2015-07-01 18:06:25 -05:00
wchen-r7 cd688437ac Add support for Windows 10 for os.js
Resolves #4248
2015-07-01 15:02:22 -05:00
Spencer McIntyre b1b21c4bef Pymet fixes for Python 3.x 2015-07-01 14:32:12 -04:00
jvazquez-r7 1de94a6865
Add module for CVE-2015-3113 2015-07-01 13:13:57 -05:00
Spencer McIntyre 2a891c50eb Pymet transport stabilty and correction 2015-07-01 11:12:30 -04:00
Spencer McIntyre 4b5b7c8a27 Pymet support for core_transport_remove 2015-06-30 15:46:33 -04:00
Spencer McIntyre 6a45e19636 Pymet fix bind and tcp socket cleanup logic 2015-06-30 15:25:23 -04:00
Spencer McIntyre 3d49781230 Pymet support for core_transport_sleep 2015-06-29 18:34:35 -04:00
Spencer McIntyre 9a8ffacfd1 Pymet transport changing improvements 2015-06-29 14:00:07 -04:00
Spencer McIntyre 00742ea924 Pymet cleaner transport switching with responses 2015-06-28 13:16:00 -04:00
Spencer McIntyre f6fa462bdc Pymet support for changing transports 2015-06-27 20:57:45 -04:00
Spencer McIntyre 175d9cdcb1 Pymet support for creating and listing transports 2015-06-26 16:52:55 -04:00
Spencer McIntyre 79185e91c6 Refactor the pymet to use transport objects 2015-06-26 14:56:31 -04:00
Spencer McIntyre 7aae9b210e Add pymet support for core_enumextcmd 2015-06-26 11:32:51 -04:00
jvazquez-r7 ee0377ca16
Add module for CVE-2015-3105 2015-06-25 13:35:01 -05:00
OJ ae41f2bfa0 Update exploit binaries for ms15-051 2015-06-25 09:33:15 +10:00
Brent Cook e75287875b hack android-specific commands back to life 2015-06-22 20:41:58 -05:00
OJ 3686accadd
Merge branch 'upstream/master' into cve-2015-1701 2015-06-22 07:52:17 +10:00
jvazquez-r7 04901baab8
Land #5572 @todb-r7's adds snowden's password to unix_passwords.txt 2015-06-19 17:01:22 -05:00
Tod Beardsley b580f93c22
New password from Snowden 2015-06-19 15:37:48 -05:00
jvazquez-r7 d116f1efd5
Land #5566, @wchen-r7 fixes #5565 modifying os.js 2015-06-19 11:07:00 -05:00
wchen-r7 308cad8c40 Fix #5565, Fix os.js service pack detection
Fix #5565
2015-06-18 18:51:16 -05:00
jvazquez-r7 de1542e589
Add module for CVE-2015-3090 2015-06-18 12:36:14 -05:00
wchen-r7 17b8ddc68a
Land #5524, adobe_flash_pixel_bender_bof in flash renderer 2015-06-15 02:42:16 -05:00
jvazquez-r7 72672fc8f7
Delete debug 2015-06-11 17:39:36 -05:00
jvazquez-r7 8ed13b1d1b
Add linux support for CVE-2014-0515 2015-06-11 16:18:50 -05:00
wchen-r7 ae21b0c260
Land #5523, adobe_flash_domain_memory_uaf in the flash renderer 2015-06-10 16:59:19 -05:00
wchen-r7 4c5b1fbcef
Land #5522, adobe_flash_worker_byte_array_uaf in the flash renderer 2015-06-10 14:49:41 -05:00
jvazquez-r7 7527aa4f34
Disable debug 2015-06-10 14:07:18 -05:00
jvazquez-r7 6c7ee10520 Update to use the new flash Exploiter 2015-06-10 13:52:43 -05:00
jvazquez-r7 7fba64ed14
Allow more search space 2015-06-10 12:26:53 -05:00
jvazquez-r7 ecbddc6ef8
Play with memory al little bit better 2015-06-10 11:54:57 -05:00
wchen-r7 d622c782ef
Land #5519, adobe_flash_uncompress_zlib_uninitialized in the flash renderer 2015-06-10 11:52:47 -05:00
jvazquez-r7 2b4fe96cfd Tweak Heap Spray 2015-06-10 10:56:24 -05:00
jvazquez-r7 a6fe383852
Use AS Exploiter 2015-06-10 09:32:52 -05:00
jvazquez-r7 e5d6c9a3cb Make last code cleanup 2015-06-09 16:01:57 -05:00
jvazquez-r7 cf8c6b510b
Debug version working 2015-06-09 15:46:21 -05:00
jvazquez-r7 39851d277d
Unset debug flag 2015-06-09 11:36:09 -05:00
jvazquez-r7 b7f0fad72f
Modify CVE-2014-0569 to use the flash exploitation code 2015-06-09 11:31:39 -05:00
Tod Beardsley f29b38b602
Add the top 20 keyboard patterns as passwords
See https://wpengine.com/unmasked/ for lots more, but this
covers the gif at

https://wpengine.com/unmasked/assets/images/commonkeyboardpatterns.gif
2015-06-05 16:46:08 -05:00
OJ b291d41b76 Quick hack to remove hard-coded offsets 2015-06-05 13:19:41 +10:00
jvazquez-r7 02181addc5
Update CVE-2014-0556 2015-06-04 18:23:50 -05:00
wchen-r7 23df66bf3a
Land #5481, no powershell. exec shellcode from the renderer process. 2015-06-04 15:45:09 -05:00
jvazquez-r7 ab68d8429b Add more targets 2015-06-04 12:11:53 -05:00
jvazquez-r7 80cb70cacf
Add support for Windows 8.1/Firefox 2015-06-03 22:46:04 -05:00
jvazquez-r7 74117a7a52
Allow to execute payload from the flash renderer 2015-06-03 16:33:41 -05:00
OJ 455a3b6b9d
Add butchered version of CVE-2015-1701 2015-06-03 21:48:23 +10:00
Brent Cook 64e86165ef remove android meterpreter bins, update to payloads 1.0.2
This switches us to using the Android payload files from the
metasploit-payloads gem
2015-06-01 09:14:31 -05:00
Brent Cook 7d5af66fa0 Merge branch 'master' into land-5367-uuid-stagers 2015-05-29 13:00:35 -05:00
wchen-r7 737559bcbb
Land #5180, VBA Powershell for Office Macro 2015-05-28 19:55:27 -05:00
jvazquez-r7 e9714bfc82
Solve conflics 2015-05-27 23:22:00 -05:00
wchen-r7 e749733eb6
Land #5419, Fix Base64 decoding on ActionScript 2015-05-27 23:13:51 -05:00
jvazquez-r7 e5d42850c1
Add support for Linux to CVE-2015-0336 2015-05-27 17:05:10 -05:00
jvazquez-r7 801deeaddf Fix CVE-2015-0336 2015-05-27 15:42:06 -05:00
jvazquez-r7 bd1bdf22b5
Fix CVE-2015-0359 2015-05-26 17:27:20 -05:00
jvazquez-r7 19c7445d9d
Fix CVE-2015-0336 2015-05-26 17:20:49 -05:00
jvazquez-r7 23d244b1fa
Fix CVE-2015-0313 2015-05-26 16:11:44 -05:00
jvazquez-r7 5c8c5aef37
Fix CVE-2014-8440 2015-05-26 16:05:08 -05:00
jvazquez-r7 d78d04e070
Fix CVE-2014-0569 2015-05-26 15:49:22 -05:00
jvazquez-r7 e0a1fa4ef6
Fix indentation 2015-05-26 15:38:56 -05:00
jvazquez-r7 1742876757
Fix CVE-2014-0556 2015-05-26 15:30:39 -05:00
jvazquez-r7 3e122fe87c
Fix b64 decoding 2015-05-26 15:15:33 -05:00
jvazquez-r7 29ccc8367b
Add More messages 2015-05-26 14:47:47 -05:00
jvazquez-r7 1bf1c37cfa
Add exception handling 2015-05-26 14:31:07 -05:00
jvazquez-r7 fb8a927941
Hardcode params 2015-05-26 14:20:43 -05:00
jvazquez-r7 f119da94ca
Add one more message 2015-05-26 14:14:38 -05:00
jvazquez-r7 15533fabe6
Log messages 2015-05-26 14:08:24 -05:00
jvazquez-r7 91357ee45b
Improve reliability 2015-05-26 13:47:33 -05:00
OJ 9e50114082
Merge branch 'upstream/master' into uuid-stagers 2015-05-25 11:22:35 +10:00
OJ 1c73c190fc Add machine_id support to windows php meterp 2015-05-22 14:55:29 +10:00
jvazquez-r7 f35d7a85d3
Adjust numbers 2015-05-21 15:56:11 -05:00
jvazquez-r7 80d4f3cfb0
Update swf 2015-05-21 14:55:00 -05:00
jvazquez-r7 8d6cbf0568
Make adobe_flash_uncompress_zlib_af multiplatform 2015-05-20 18:57:37 -05:00
benpturner c0b995cc97 new changes 2015-05-19 16:18:06 +01:00
benpturner b513304756 new changes 2015-05-19 15:47:30 +01:00
benpturner 0cda746bfb Updated size 2015-05-19 14:08:59 +01:00
benpturner 811c45ab90 new 2015-05-19 14:06:41 +01:00
OJ 24526c2ef9 Removed unused data files 2015-05-18 21:46:05 +10:00
OJ 9296a024e2 PHP meterpreter refactoring in prep for uuid work 2015-05-18 17:40:48 +10:00
OJ 0d56b3ee66 Stage UUIDs, generation options, php and python meterp uuid 2015-05-18 13:29:46 +10:00
Brent Cook 5cf6d28c34
Land #5426, use RAW for TLV hash binary data 2015-05-15 11:54:45 -05:00
wchen-r7 25099dd877
Land #5212, HTA Powershell template 2015-05-15 11:49:07 -05:00
wchen-r7 3bc3614be6 Do a check for powershell.exe before running it. 2015-05-15 11:48:21 -05:00
Brent Cook c614f6059d Merge branch 'master' into land-5326- 2015-05-15 11:29:54 -05:00
benpturner d4798a2500 Fix spacinG 2015-05-11 09:04:03 +01:00
benpturner c916021fc5 SSL Support for Powershell Payloads 2015-05-10 21:45:59 +01:00
Tim d3ba84b378
Add TLV_TYPE_FILE_HASH 2015-05-10 14:18:16 +01:00
jvazquez-r7 c103779eab
Land #5080, @bcook-r7's 'ls' and 'download' meterpreter improvements 2015-05-08 18:02:16 -05:00
William Vu 71518ef613
Land #5303, metasploit-payloads Java binaries 2015-05-07 22:39:54 -05:00
jvazquez-r7 51bb4b5a9b
Add module for CVE-2015-0359 2015-05-07 17:00:00 -05:00
jvazquez-r7 582919acac
Add module for CVE-2015-0336 2015-05-05 17:25:19 -05:00
Brent Cook f0c989c1b5 remove java payloads and jars 2015-05-05 15:01:00 -05:00
Brent Cook 05e4af8162
Land #5214, initial meterpreter session recovery support 2015-05-04 16:25:27 -05:00
Brent Cook cda7dc3494 remove old posix meterpreter bins 2015-05-04 09:44:37 -05:00
Brent Cook d934027b3b expand glob match 2015-05-04 03:56:15 -05:00
Brent Cook c5c7242374 teach pymet how to glob on ls as well 2015-05-04 03:56:14 -05:00
wchen-r7 17e54fff1f
Land #5275, Flash CVE-2014-8440 2015-04-30 12:14:06 -05:00
William Vu cbaaea2ce4
Land #5278, D-Link Telnet passwords 2015-04-30 11:23:33 -05:00
jvazquez-r7 dbba466b5b
Add module for CVE-2014-8440 2015-04-29 17:52:04 -05:00
m-1-k-3 f2b50e1e2f removed empty line 2015-04-27 05:29:47 +02:00
HD Moore 1fd601510c
Lands #5194, merges in PowerShell session support & initial payloads 2015-04-26 16:01:51 -05:00
benpturner 76e68fcf4c session info 2015-04-26 20:13:18 +01:00
m-1-k-3 f74d385b6a dlink telnet passwords added from firmware.re 2015-04-26 02:29:30 +02:00
benpturner aa4dc78cba updates to author comments in powershell script 2015-04-25 08:47:17 +01:00
benpturner 19aa668f99 updates to include reverse and bind 2015-04-22 20:41:19 +01:00
Brent Cook 5140b8cf9c fix crash on fork with OSX Python meterpreter using SystemConfiguration
Calling into SystemConfiguration before forking seems to allow the child
process to use it without a null pointer dereference.
2015-04-21 17:17:27 -05:00
Meatballs 381f6ffe0a
HTA Powershell template 2015-04-20 23:19:54 +01:00
Meatballs b0d50dc2be
Create our own Rex connection to the endpoint
Ensure powershell process closes when module completes
Add a windows cmd interact payload
2015-04-19 23:41:28 +01:00
Meatballs 8bd0da580d
Move script out of module 2015-04-19 21:12:44 +01:00
Meatballs b229e87940
Create VBA powershell 2015-04-17 16:52:12 +01:00
Meatballs 15eef6e8de
Dont fork on OSX 2015-04-17 11:43:07 +01:00
jvazquez-r7 28fac60c81
Add module for CVE-2015-0556 2015-04-15 14:08:16 -05:00
William Vu 8d1126eaa5
Land #5129, x64 BSD prepend stubs 'n' stuff 2015-04-14 01:24:50 -05:00
joev 2d3614f647 Implement x64 BSD exec and exe template.
- Fixes bug in CachedSize due to all options being set
- Adds new payload to payload_spec.
2015-04-12 12:17:25 -05:00
joev 3313dac30f
Land #5119, @wvu's addition of the OSX rootpipe privesc exploit.
orts
borts
2015-04-10 12:38:25 -05:00
William Vu c4b7b32745 Add Rootpipe exploit 2015-04-10 11:22:00 -05:00
jvazquez-r7 91f5d0af5a
Add module for CVE-2014-0569
* Adobe flash, Integer overflow on casi32
2015-04-09 19:37:26 -05:00
OJ 2977cbd42a Merge branch 'upstream/master' into dynamic-transport 2015-04-07 14:30:48 +10:00
Brent Cook 0d78834083 update meterpreter binaries 2015-04-03 05:47:18 -05:00
OJ fc44f5b1f4 Merge branch 'upstrea/master' into dynamic-transport
Small merge required with the https payload proxy changes.
2015-04-03 10:14:48 +10:00
sinn3r ec2f9e3c05 Add SSH root password 'arcsight' for HP ArcSight Logger
The default password for root is 'arcsight'
2015-04-02 11:04:07 -05:00
OJ 47fa97816d Code fixes as per suggestions, fix build
* Use of `ERROR_FAILURE_WINDOWS` in python meterpreter.
* Moving of constants/logic to client_core instead of
command_dispatcher.
* Fix spec include.
2015-04-02 09:05:38 +10:00
Tod Beardsley 293cbfc8f3
Slightly wanged one of the text bubbles 2015-04-01 06:46:50 -05:00
OJ 01bdf54487 Merge branch 'upstream/master' into dynamic-transport 2015-04-01 18:53:20 +10:00
OJ 02383d4e90 Add machine_id functionality to python meterpreter 2015-04-01 17:50:50 +10:00
Tod Beardsley 34d637c7b8
Needs more ponies 2015-03-31 13:59:37 -05:00
sinn3r 8ea1ffc6ff
Land #5030, CVE-2015-0313 Flash Exploit 2015-03-30 11:31:53 -05:00
jvazquez-r7 11c6f3fdca
Do reliable resolution of kernel32 2015-03-29 15:52:13 -05:00
jvazquez-r7 f84a46df63
Add module for CVE-2015-0313 2015-03-27 18:51:13 -05:00
Spencer McIntyre 10e8cefd6d Pymet dont validate ssl certs for 2.7.9/3.4.3 2015-03-25 19:49:42 -04:00
Spencer McIntyre 7282968d8a Python reverse HTTPS stager 2015-03-21 12:43:14 -04:00
Brent Cook b29d2b5e84 do not die if the uid/gid of a file is > 65535
The meterpreter stat command is a little broken in that it assumes uid/gids
16-bit. Prevent this from erroring with python meterpreter on a system with a
large uid/gid.
2015-03-20 22:34:01 -05:00
Spencer McIntyre 8608569964 Pymet support for creating and renaming unicode paths 2015-03-20 08:49:23 -04:00
Spencer McIntyre bac2e7c5f8 Pymet improved unicode support for working directories 2015-03-19 18:31:42 -04:00
Spencer McIntyre f9bf4e3100 Fix pymet for unicode files and directories
Closes #4958
2015-03-19 17:23:00 -04:00
Brent Cook 35d29f5d08 update linux meterpreter bins 2015-03-18 23:24:32 -05:00
Spencer McIntyre 076f15f933
Land #4792 @jakxx Publish It PUI file exploit 2015-03-18 20:59:54 -04:00
jakxx 085e6cc815 Implemented Recommended Changes
-corrected spelling error
-set only option to required
-dumped header data to included file
-Used Rex for jmp values
2015-03-17 16:39:56 -04:00
jvazquez-r7 bb81107e51 Land #4927, @wchen-r7's exploit for Flash PCRE CVE-2015-0318 2015-03-13 23:58:05 -05:00
sinn3r 0ee0a0da1c This seems to work 2015-03-13 04:43:06 -05:00
sinn3r 0c3329f69e Back on track 2015-03-12 15:26:55 -05:00
sinn3r 215c209f88
Land #4901, CVE-2014-0311, Flash ByteArray Uncompress UAF 2015-03-11 14:04:17 -05:00
sinn3r 43b90610b1 Temp 2015-03-11 13:53:34 -05:00
sinn3r 2a9d6e64e2 Starting point for CVE-2015-0318 2015-03-11 09:58:41 -05:00
jvazquez-r7 cb72b26874 Add module for CVE-2014-0311 2015-03-09 16:52:23 -05:00
Tod Beardsley df80d56fda
Land #4898, prefer URI to open-uri 2015-03-09 09:14:10 -05:00
joev d7295959ca Remove open-uri usage in msf. 2015-03-05 23:45:28 -06:00
jvazquez-r7 64fd818364
Land #4411, @bcook-r7's support for direct, atomic registry key access in meterpreter 2015-03-04 10:01:33 -06:00
Brent Cook 0988c5e691 use the correct implementation for query_value_direct 2015-03-03 22:29:23 -06:00
Ferenc Spala c498ba64e4 Added a new pair of default Tomcat credentials. QLogic's QConvergeConsole comes with a bundled Tomcat with a hard-coded username and password for the manager app. 2015-02-19 15:08:50 -06:00
sinn3r b90639fd66
Land #4726, X360 Software actvx buffer overflow 2015-02-17 11:41:23 -06:00
sinn3r 0597d2defb
Land #4560, Massive Java RMI update 2015-02-17 10:07:07 -06:00
Brent Cook cf0589f8c6 add support for direct reg access to pymeterpreter
When testing this, I found that the python meterpreter hangs running the
following, with or without these changes.

```
use exploit/multi/handler
set payload python/meterpreter/reverse_tcp
set PythonMeterpreterDebug true
set lhost 192.168.43.1
exploit -j
sleep 5
use exploit/windows/local/trusted_service_path
set SESSION 1
check
```

This turned out to be that pymeterpreter ate all the rest of the data in the
recv socket by consuming 4k unconditionally. This would only be exposed if
there were multiple simultaneous requests so the recv buffer filled beyond a
single request, e.g. when using the registry enumeration functions.
2015-02-17 06:11:20 -06:00
Brent Cook 7e9a331087 remove unused .class files
These were added for multi/browser/java_signed_applet, but the class
files are already packaged in a jar file, which is what is actually
used.
2015-02-12 16:08:29 -06:00
Brent Cook 7ab7add721 bump meterpreter_bins to 0.0.14, update Linux binaries.
Hopefully the last manual build before packaging the Linux bins into
meterpreter_bins as well.

This includes all of the fixes and improvements over the past month.

 rapid7/meterpreter#116
 rapid7/meterpreter#117
 rapid7/meterpreter#121
 rapid7/meterpreter#124
2015-02-10 12:43:47 -06:00
jvazquez-r7 1f4fdb5d18
Update from master 2015-02-10 10:47:17 -06:00
jvazquez-r7 511f637b31 Call CollectGarbage 2015-02-09 14:44:31 -06:00
Brent Cook af405eeb7d
Land #4287, @timwr's exploit form CVS-2014-3153 2015-02-09 10:33:14 -06:00
Brent Cook 0e4f3b0e80 added built data/exploits/CVE-2014-3153.elf 2015-02-09 09:50:31 -06:00
jvazquez-r7 a46a53acaf Provide more space for the payload 2015-02-06 14:49:49 -06:00
jvazquez-r7 414349972f Fix comment 2015-02-06 11:34:20 -06:00
jvazquez-r7 b5e230f838 Add javascript exploit 2015-02-06 11:04:59 -06:00
scriptjunkie 5b2eb986c9
Land #4678 Add post module to phish credentials 2015-02-04 23:43:02 -06:00
Brent Cook 2fdeeb3b13 Rebuilt Java Payloads with the latest NDK/SDK and meterpreter-javapayload
Fix rapid7/meterpreter#95, rebuilt with all outstanding PRs from
rapid7/metasploit-javapayload.
2015-02-02 13:09:15 -06:00
jvazquez-r7 aa7f7d4d81 Add DLL source code 2015-02-01 19:59:10 -06:00
jvazquez-r7 d211488e5d Add Initial version 2015-02-01 19:47:58 -06:00
wez3 25ac9c1ed9 Add post module to phish windows user credentials 2015-01-30 19:50:04 +01:00
jvazquez-r7 f9dccda75d Delete unused files 2015-01-22 18:00:31 -06:00
William Vu 75e04705d5
Land #4624, Firefox 33-35 os.js support 2015-01-22 13:35:47 -06:00
Joe Vennix 5bfb88d55c
Update os.js to detect newer firefox versions. 2015-01-21 16:12:17 -06:00
Brent Cook 94fda6e617
Land #4600, jvazquez-r7's Linux meterpreter bins 2015-01-20 09:38:35 -06:00
sinn3r 76746eb209 New password from Hathaway 2015-01-19 21:45:47 -06:00
eyalgr f12c6a1624 Update meterpreter.py
Read until exactly pkt_length bytes
2015-01-18 15:45:28 +02:00
eyalgr d83c6ae215 Update meterpreter.py
Read exactly pkt_length from socket, prevents over-reading.
2015-01-18 15:29:23 +02:00
jvazquez-r7 ffc676ead0 Update linux meterp binaries 2015-01-16 17:09:38 -06:00
jvazquez-r7 26789fa76c Add JMXPayload binary classes for testing 2015-01-15 17:58:09 -06:00
Brent Cook 47cd5a3e59
Land #4562, wchen-r7's Win8 NtApphelpCacheControl privilege escalation 2015-01-15 13:52:07 -06:00
sinn3r 74e8e057dd Use RDL 2015-01-09 19:02:08 -06:00
OJ dfdf99c8f4 Remove metcli
The metcli.exe binary doesn't get used any more and the source was removed
from Meterpreter ages ago. No point in having it in the repo any more.
2015-01-10 09:21:44 +10:00
Brent Cook ce87b126c1 Update to the latest meterpreter_bins
This removes checked-in sniffer extension in favor of the gem-packaged version.
It also pulls in the changes for verifying #4411
2015-01-09 16:57:10 -06:00
sinn3r fce564cde2 Meh, not the debug build. Should be the release build. 2015-01-08 22:06:07 -06:00
sinn3r 14c54cbc22 Update DLL 2015-01-08 21:36:02 -06:00
sinn3r d3738f0d1a Add DLL 2015-01-08 17:17:55 -06:00
sinn3r 50ecfbf64c
Land #4553 - Update bypass UAC to work on 7, 8, 8.1, and 2012 2015-01-08 16:19:55 -06:00
William Vu 3c4ec1d958
Land #4547, rm data/meterpreter/common.lib 2015-01-08 04:52:29 -06:00
OJ 844460dd87
Update bypass UAC to work on 8.1 and 2012
This commit contains a bunch of work that comes from Meatballs1 and
Lesage, and updates the bypassuac_inject module so that it works on
Windows 8.x and Windows 2012. Almost zero of the code in this module
can be attributed to me. Most of it comes from Ben's work.

I did do some code tidying, adjustment of style, etc. but other than
that it's all down to other people.
2015-01-08 15:39:19 +10:00
Brent Cook 32ddd5ccb4 delete unused library from meterpreter dir
common.lib is only used by the build process, not MSF
2015-01-07 16:00:37 -06:00
David Maloney 5480cb81f5
add updated KoreLogic rules to john.conf
updated our shipped john.conf to include a
more up to date version of the KoreLogic JtR rules.
They add overhead to the cracking time but are
probably some of the best/most effective JtR
rules out there.
2015-01-07 12:25:04 -06:00
Brent Cook 7ae56865f1 Update linux meterpreter binaries for rapid7/meterpreter#111
This rebuilds the binaries on Ubuntu 10.04 i386 for metepreter PR #111,
improving the reliability and fixing some bugs in linux process migration.

Tested against Ubuntu 10.04 i386 and Ubuntu 14.04 x86_64:

```
meterpreter > ps
...
 55994  48270  server                   0        bcook       ../metasploit-framework/server
 56009  44199  bash                     0        bcook       -bash
 56094  56009  dummy                    0        bcook       ./dummy

meterpreter > migrate 56094
[*] Migrating to 56094
[*] Migration completed successfully.
meterpreter > sysinfo
Computer     : mint
OS           : Linux mint 3.13.0-37-generic #64-Ubuntu SMP Mon Sep 22 21:28:38 UTC 2014 (x86_64)
Architecture : x86_64
Meterpreter  : x86/linux
meterpreter > ps
...
 55994  48270  [server] <defunct>        0        bcook
 56009  44199  bash                      0        bcook       -bash
 56094  56009  dummy                     0        bcook       ./dummy

meterpreter >
```

Verified presence of call stub when debugging a session:

```
(gdb) x/32b 0x61cc28
0x61cc28:	0x90	0x90	0x90	0x90	0x90	0x90	0x90	0x90
0x61cc30:	0x90	0x90	0x90	0x90	0x90	0x90	0x90	0x90
0x61cc38:	0x90	0x90	0x68	0x04	0x00	0x00	0x00	0x68
0x61cc40:	0xff	0xff	0xff	0xff	0xb8	0x5a	0x5a	0x5a
```
2015-01-04 10:47:44 -06:00
jvazquez-r7 69bda63ef6 Update linux meterpreter binaries 2015-01-01 20:05:36 -06:00
jvazquez-r7 dccf189600 Update binaries 2014-12-30 18:39:29 -06:00
Tod Beardsley d3050de862
Remove references to Redmine in code
See #4400. This should be all of them, except for, of course, the module
that targets Redmine itself.

Note that this also updates the README.md with more current information
as well.
2014-12-19 17:27:08 -06:00
Spencer McIntyre 0ee20561d4 Remove file exists check from stdapi_fs_delete_file 2014-12-09 11:03:57 -06:00
Spencer McIntyre 42710cc32e Error messages for the python meterpreter 2014-12-09 11:03:57 -06:00
Christian Mehlmauer 738fc78883
Land #4220, outlook gather post module 2014-12-07 22:41:28 +01:00
Christian Mehlmauer 9187a409ec
outlook post module fixes 2014-12-06 00:28:44 +01:00
Spencer McIntyre 83b0ac0209 Fix stdapi_sys_config_getenv for Python3 2014-12-04 15:58:17 -06:00
Spencer McIntyre 44816b84aa Prefer the pwd module for getuid when available 2014-12-04 15:58:17 -06:00
HD Moore fc96d011ab
Python reverse_http stager, lands #4225 2014-12-02 11:47:31 -06:00
jvazquez-r7 7a2c9c4c0d
Land #4263, @jvennix-r7's OSX Mavericks root privilege escalation
* Msf module for the Ian Beer exploit
2014-11-30 21:13:07 -06:00
jvazquez-r7 7772da5e3f Change paths, add makefile and compile 2014-11-30 21:06:11 -06:00
Meatballs f5f32fac06
Add token fiddling from nishang 2014-11-28 23:02:59 +00:00
Meatballs 48a5123607
Merge remote-tracking branch 'upstream/master' into pr4233_powerdump 2014-11-27 20:08:11 +00:00
Joe Vennix 7a3fb12124
Add an OSX privilege escalation from Google's Project Zero. 2014-11-25 12:34:16 -06:00
Peter Marszalik 830af7f95e identified instances of tabs vs spaces in the original
identified 16 instances in the original code where tab was used vs spaces. updated to keep consistent.
2014-11-25 12:17:43 -06:00
Peter Marszalik 705bd42b41 tab to space change - line 296 2014-11-22 14:48:44 -06:00
Peter Marszalik 900aa9cd6b powerdump.ps1 bug - corrupt hash fix
Fixed the bug where the hashes are not being extracted correctly when LM is disabled and history is enabled. 

Rather than relying on length, LM and NT headers are checked. Four bytes at 0xa0 show if LM exists and four bytes at 0xac show if NT exists. Details on this known issue can be found in the following whitepaper from blackhat:
https://media.blackhat.com/bh-us-12/Briefings/Reynolds/BH_US_12_Reynods_Stamp_Out_Hash_WP.pdf
2014-11-18 23:10:57 -06:00
Spencer McIntyre 2b36c1bb43 Fix pymeterp bugs from testing in osx and python3 2014-11-17 14:04:30 -05:00
HD Moore 1d8b746d89 Adds new TFTP file names, submitted by Chris McNab 2014-11-16 18:47:11 -06:00
Spencer McIntyre 0bf93acf6b Pymeterp http proxy and user agent support 2014-11-16 14:29:20 -05:00
Spencer McIntyre e562883ba9 Escape inserted vars and fix core_loadlib 2014-11-15 15:06:18 -05:00
Spencer McIntyre 7c14e818f6 Patch pymeterp http settings 2014-11-14 17:12:23 -05:00
Spencer McIntyre 681ae8ce6b Pymet reverse_http stager basic implementation 2014-11-14 14:15:46 -05:00
Spencer McIntyre 6b2387b7fc Prepare for a reverse_http stager 2014-11-14 11:15:22 -05:00
jvazquez-r7 c35dc2e6b3 Add module for CVE-2014-6352 2014-11-12 01:10:49 -06:00
William Vu adad3809cc
Rename logo file 2014-11-11 16:07:44 -06:00
Joshua Smith 329ea4fe01 the masterpiece is complete 2014-11-11 15:35:36 -06:00
Spencer McIntyre 7edc248207 Don't fail if username_from_token returns None 2014-11-10 09:15:16 -05:00
Spencer McIntyre 104841babf Add getsid to the python meterpreter 2014-11-08 20:57:24 -05:00
sinn3r c2391bf011 Add an R in /Info for the trailer dictionary to make it readable 2014-11-05 22:28:37 -06:00
sinn3r 1b2554bc0d Add a default template for CVE-2010-1240 PDF exploit 2014-11-05 17:08:38 -06:00
jvazquez-r7 f43a6e9be0 Use PDWORD_PTR and DWORD_PTR 2014-10-31 17:35:50 -05:00
jvazquez-r7 8e547e27b3 Use correct types 2014-10-31 12:37:21 -05:00
HD Moore 9b61ae5f63 This is halloween.
THISISHALLOWEEN=1 ./msfconsole
2014-10-30 23:35:12 -05:00
jvazquez-r7 6574db5dbb Fix the 64 bits code 2014-10-30 17:01:59 -05:00
jvazquez-r7 03a84a1de3 Search the AccessToken 2014-10-30 12:17:03 -05:00
OJ 908094c3d3 Remove debug, treat warnings as errors 2014-10-28 09:04:02 +10:00
OJ 0a03b2dd48 Final code tidy 2014-10-28 08:59:33 +10:00
William Vu 626cd55b5e
Land #4073, improved banner selection 2014-10-27 14:20:10 -05:00