Commit Graph

6605 Commits (19ab71aa43a3c726e4280bd6b5851202b27bb54d)

Author SHA1 Message Date
William Vu 3c7b061e05 Use single quotes
But I like double quotes. :(
2015-03-10 14:03:13 -05:00
William Vu 72e7691300 Change print_status to print_error
And drop db_disconnect note to another line.
2015-03-10 13:31:35 -05:00
HD Moore 966848127a Refactor x86 Windows reverse_http and reverse_https stagers 2015-03-10 12:48:30 -05:00
William Vu e81f2e366c Refactor db_{status,connect} a bit
Also allow for db_connect help.
2015-03-10 12:35:58 -05:00
nstarke ee8318d5c4 Adding db_disconnect qualifying statement 2015-03-10 11:58:04 +00:00
Brent Cook 97f09b6ab0
Land #4894: hmoore-r7 cache payload sizes on start
Avoid the hit of regenerating all of the static-size payloads when
loading the framework. This will facilitate conversion of payloads to
use metasm later.
2015-03-09 23:06:55 -05:00
nstarke 187a0445f3 Issue #4868 - Adding warning message to db_connect when already connected 2015-03-10 00:02:34 +00:00
HD Moore 78456fb2e0 Correct a typo (stringified symbol loses the :) 2015-03-09 15:42:23 -05:00
HD Moore 038591497f YARD docs for the Msf::Util::PayloadCachedSize class 2015-03-09 15:39:19 -05:00
James Lee 838746b021
Add user_data_is_match? method 2015-03-09 15:35:53 -05:00
HD Moore 99e2b05597 Move the cache update logic into a utility class 2015-03-09 15:29:58 -05:00
HD Moore 8c635243d3 Fix whitespace in the regex, implements Msf::Payload.dynamic_size? 2015-03-09 13:15:06 -05:00
Brent Cook 603179176a
Land #4876, @hmoore-r7 give encoders and payloads space available 2015-03-09 11:50:46 -05:00
Samuel Huckins 08df0bfaca
Land #4858, RPC client true/truthy fix
* Misc ruby cleanup and fixing the issue that caused MSP-12235, rolling back the
full rollback of PR 4823
2015-03-09 11:35:57 -05:00
James Lee b37a975108
Use metasploit_data_models staging branch 2015-03-09 01:28:27 -05:00
HD Moore c3479ba747 Update msfvenom & PayloadGenerator to pass in available_space 2015-03-09 01:14:56 -05:00
James Lee d771f54e35
Axe unused var 2015-03-09 00:21:10 -05:00
James Lee 6baff47e98
Refactor inference into its own method 2015-03-09 00:19:57 -05:00
sinn3r a91a29d4e5 Add a comment explaining about the error key 2015-03-08 23:51:43 -05:00
HD Moore d46635ff8b Restore a comment lost in the code churn 2015-03-07 21:25:35 -06:00
HD Moore 853bf1b569 Accidental carry over from stale master 2015-03-07 20:48:22 -06:00
HD Moore 2e49791bef This implements payload size caching, speeding up framework loads 2015-03-07 20:44:19 -06:00
William Vu 5316e0f0ce
Land #4887, msfconsole -n store_loot fix 2015-03-07 17:14:21 -06:00
sinn3r f3494d9019 Correct grammar in BES 2015-03-07 16:04:06 -06:00
James Lee 8adc4646f8
Add :user_data to Msf::Module 2015-03-06 14:23:06 -06:00
joev ca3b2220b5 Check to ensure Mdm is loaded to fix store_loot. 2015-03-05 23:27:13 -06:00
Brent Cook a13cd2bcb7
Land #4880: @wchen-r7 check if module has session before comparison 2015-03-05 20:48:42 -06:00
jvazquez-r7 9f3f8bb727
Merging #3323 work 2015-03-05 15:44:15 -06:00
Samuel Huckins 7cb3e236fb
Adding back prepended colons
Don't seem to be needed but don't want to introduce that change.
2015-03-05 14:06:50 -06:00
Samuel Huckins 02d30b3d44
Changes workspace cmd ordering to updated_at asc 2015-03-05 14:05:24 -06:00
Samuel Huckins 84df403d11
Land #4852, vuln note import/export addition 2015-03-05 13:54:22 -06:00
sinn3r 31191bef39 Fix #4865, undef method 'ancestors' in lib/msf/core/payload_set.rb
Fix #4865
2015-03-05 12:49:51 -06:00
jvazquez-r7 5ede40a39d Change the variable name 2015-03-05 12:21:33 -06:00
jvazquez-r7 e0a22a6794 Add support for folder 2015-03-05 12:19:33 -06:00
HD Moore 7a354f322c Comment typo (missing i). 2015-03-04 20:11:41 -06:00
HD Moore 95f67dba7a Tell payloads and encoders how much space they have to work with 2015-03-04 19:25:04 -06:00
HD Moore 1001061a96 Initialize @capture_count 2015-03-04 18:52:18 -06:00
jvazquez-r7 36375fab28 Fix downcase path handling 2015-03-04 12:58:41 -06:00
jvazquez-r7 4de1fdd020 Make SHARE prints verbose 2015-03-04 10:57:18 -06:00
jvazquez-r7 1c064f6b46
Land #3074, @0x41414141 SMB Share mixin 2015-03-04 10:16:04 -06:00
jvazquez-r7 64fd818364
Land #4411, @bcook-r7's support for direct, atomic registry key access in meterpreter 2015-03-04 10:01:33 -06:00
David Barksdale fb74136723 Add MIPS arches to this stupid case statement 2015-03-03 15:25:08 -06:00
jvazquez-r7 a57aefb721 Add specs for QUERY information level 2015-03-03 15:24:13 -06:00
jvazquez-r7 c213ed3f5f Add specs for FIND information level 2015-03-03 14:13:36 -06:00
jvazquez-r7 4237cd2c88 Add specs for QueryPathInformation 2015-03-03 13:19:06 -06:00
jvazquez-r7 63a3ab16fe Add specs for SMB_COM_SESSION_SETUP_ANDX commands 2015-03-03 10:31:43 -06:00
jvazquez-r7 4fc08d7243 Add specs for Msf::Exploit::Remote::SMB::Server::Share::Command::ReadAndX 2015-03-02 17:32:03 -06:00
jvazquez-r7 b0bc69b832 Add @todo comment 2015-03-02 14:25:56 -06:00
jvazquez-r7 d57e220f00 Delete unnecessary case on smb_cmd_trans_query_path_info_basic 2015-03-02 14:19:20 -06:00
jvazquez-r7 2004aea7b7 Add helpers for path handling on TRANS2 requests 2015-03-02 14:15:25 -06:00
jvazquez-r7 8acde11aaf Use file_contents instead of exe_contents 2015-03-02 12:56:48 -06:00
jvazquez-r7 34bd6a4365 Add documentation for the Share mixin 2015-03-02 12:42:32 -06:00
jvazquez-r7 9a8e17508f Add documentation for QUERY information levels 2015-03-02 12:00:34 -06:00
jvazquez-r7 750022806b Add documentation for FIND information levels 2015-03-02 11:46:20 -06:00
jvazquez-r7 0d8632dae9 Add documentation for TRANSACTION2 subcommands 2015-03-02 11:19:34 -06:00
jvazquez-r7 6a5dae4549 Add documentation for SMB_COM_TRANSACTION2 handling 2015-03-02 11:12:57 -06:00
jvazquez-r7 3923589286 Add documentation for SMB_COM_SESSION_SETUP_ANDX handling 2015-03-02 11:06:41 -06:00
jvazquez-r7 e8dd9c1971 Add documentation for SMB_COM_READ_ANDX 2015-03-02 10:59:07 -06:00
jvazquez-r7 1ad3f91c50 Add documentation for SMB_COM_NT_CREATE_ANDX handling 2015-03-02 10:52:30 -06:00
jvazquez-r7 19061121b3 Add documentation for SMB_COM_NEGOTIATE handling 2015-03-02 10:45:43 -06:00
jvazquez-r7 3e8bbb6c9e Add documentation for SMB_COM_CLOSE handling 2015-03-02 10:36:13 -06:00
jvazquez-r7 227cf4500d define constants for tree connect access rights 2015-02-28 18:38:45 -06:00
jvazquez-r7 eb3aedf4a7 Define constants for WordCount in responses 2015-02-28 18:15:14 -06:00
sinn3r 5f8c14c958 Fix check for TrueClass, plus other small changes 2015-02-28 14:11:15 -06:00
sinn3r 6f4259f2de Revert #4859, temporary solution for unbreaking client
This reverts commit 7ab86be72a, reversing
changes made to 49ae173057.
2015-02-28 14:07:26 -06:00
jvazquez-r7 eb7ac02d1a Normalize handlers names 2015-02-28 12:14:58 -06:00
jvazquez-r7 1d602d38c9 Refactor SessionSetupAndx handler 2015-02-28 12:10:48 -06:00
William Vu b27c9b9efc
Land #4838, reverse_http{,s} listening service fix 2015-02-27 21:02:58 -06:00
sinn3r ac81318e7a Revert #4823, changes for ruby style guide
This reverts commit 885469ca52, reversing
changes made to fd73445d9b.

Please see: #4823 for why.
2015-02-27 17:28:00 -06:00
jvazquez-r7 e5e13108ed Refactor close handling 2015-02-26 23:50:10 -06:00
jvazquez-r7 5418cdad11 Refactor negotiate handling 2015-02-26 23:49:07 -06:00
jvazquez-r7 5ed1f8d44f Make opts optional 2015-02-26 23:39:17 -06:00
jvazquez-r7 882f0bdc0e Refactor read_andx request handling 2015-02-26 23:35:12 -06:00
jvazquez-r7 5b770f9f7a Refactor nt_create_andx requests 2015-02-26 23:31:09 -06:00
jvazquez-r7 70033576fe Refactor query information level 2015-02-26 23:22:57 -06:00
jvazquez-r7 d544da22b5 Always send answer 2015-02-26 16:47:05 -06:00
jvazquez-r7 45be95747f Refactor Find Information Levels 2015-02-26 16:46:34 -06:00
jvazquez-r7 89a033c194 Delete unnecessary paddings due to miscalculations 2015-02-26 15:54:00 -06:00
David Maloney 095431c323
fix note search conditions
note search conditions needed to know about
vuln_id or else vuln notes would get overwritten

MSP-12183
2015-02-26 15:48:04 -06:00
rastating 3669fb678d Fix parameter default value 2015-02-26 21:15:33 +00:00
William Vu 260c603ffb Fix msfconsole -L
s/rb-readline/rb-readline-r7/

Should have been in #4816 (#4128).
2015-02-26 15:14:38 -06:00
jvazquez-r7 387c966550 Fix unnecessary paddings 2015-02-26 15:00:53 -06:00
David Maloney a72d49678a
only match by CVE refs
the other refs can be non-specific and refer
to multiple distinct vulns, resulting in
incorrect refs being attached to a vuln leading to
a snowball effect with more and more vulns being
misidentified.

MSP-12183
2015-02-26 14:57:16 -06:00
jvazquez-r7 500e4707ab Use smb_error 2015-02-26 14:35:52 -06:00
jvazquez-r7 c73ffea1b9 Do minor cleanup 2015-02-26 12:50:45 -06:00
David Maloney 8351920d1e
don't match based on URL refs
multiple vulns may be listed for
the same URL making matches based on
these refs entirely unreliable

MSP-12183
2015-02-26 11:40:15 -06:00
jvazquez-r7 b1e6de2eeb Add todo 2015-02-26 11:39:17 -06:00
jvazquez-r7 26bfebf1bb Add dummy wildcard handling 2015-02-26 11:39:05 -06:00
jvazquez-r7 d0ab9206b9 Do minor cleanup 2015-02-26 10:58:36 -06:00
jvazquez-r7 970f0c94b2 Create CREATE_ANDX constants 2015-02-26 10:44:07 -06:00
Matthew Hall ab1bb0e50d bugfixes to https://github.com/jvazquez-r7/metasploit-framework/tree/review_3074_clean_server
to provide consistent support for various exploits and OS SMB Commands.

Reintroduces smb_cmd_trans_query_path_info_network for use with the Struts2 JSP injection vulnerability.
Reintroduces smb_cmd_trans_query_file_info_basic for common use with rundll32.
Corrects some issues with filename formatting and pattern matching for file requests (can still be improved).
2015-02-26 16:10:34 +00:00
jvazquez-r7 993c75ec77 Update Offset counts with constants 2015-02-25 16:25:16 -06:00
jvazquez-r7 ee18cf592b Calculate ParamCount and DataCount 2015-02-25 16:00:26 -06:00
jvazquez-r7 df50aa0f06 Use constants for DataCount and DataCountTotal 2015-02-25 14:11:38 -06:00
jvazquez-r7 f35e03b21b Use constants 2015-02-25 13:44:56 -06:00
jvazquez-r7 f21959a8a2 Add constants for session setup actions 2015-02-25 13:31:57 -06:00
jvazquez-r7 e967cfbfb3 Create Access rights constants 2015-02-25 13:22:16 -06:00
jvazquez-r7 1caffbea2d Add constants for Negotiation Capabilities 2015-02-25 12:50:33 -06:00
jvazquez-r7 50d50d5353 Define constants for SMB Flags 2015-02-25 12:28:25 -06:00
jvazquez-r7 e5d9bb0a47 Update from master 2015-02-25 11:37:13 -06:00
jvazquez-r7 ec9be4531b Add SMB_CREATE_ANDX_RES_PKT template 2015-02-25 11:33:08 -06:00
jvazquez-r7 50f8731980 Parse SMB_CMD_CREATE requests 2015-02-25 11:09:14 -06:00
William Vu 0ad3473ebb Implement case-insensitive datastore.delete 2015-02-24 20:47:00 -06:00
jvazquez-r7 d10385cfed Add template for SMB_TREE_CONN_ANDX_RES_PKT 2015-02-24 19:27:25 -06:00
jvazquez-r7 1f1d95bb37 Delete one more extra comment 2015-02-24 18:27:39 -06:00
jvazquez-r7 aeb7f05158 Delete extra comment 2015-02-24 18:27:21 -06:00
jvazquez-r7 bb36899699 Do templates names consistent 2015-02-24 18:26:46 -06:00
jvazquez-r7 744e338ddc Do cleanup 2015-02-24 18:15:55 -06:00
jvazquez-r7 ec53e27249 Do better handling of TRAN2_QUERY_FILE_INFORMATION requests 2015-02-24 17:20:41 -06:00
jvazquez-r7 d29e9fc20b Parse TRAN2_FIND_FIRST2 commands 2015-02-24 17:02:49 -06:00
rastating 06cb30a20a Remove duplicated code 2015-02-24 22:43:59 +00:00
jvazquez-r7 231a2f3110 Fix handlers 2015-02-24 16:03:13 -06:00
David Maloney e4a58a2ec5
import notes attached to vulns
add the ability to import notes that
are attached to vulns instead of hosts

MSP-12183
2015-02-24 13:36:57 -06:00
David Maloney 389bcbd343
refactor note import into sep method
we will now be importing notes from multiple
place within the XML document. the importing
of notes has been refactored into a seperate
method to be easily reused in this fashion

MSP-12183
2015-02-24 12:18:32 -06:00
David Maloney 2389185376
export notes associated to a vuln
in addition to ntoes asscoiated directly
to a host, the XML export will now
export notes that are tied to a vuln

MSP-12183
2015-02-24 12:17:44 -06:00
Brent Cook c5d36ec24d remove unused handler methods
already defined in the base class
2015-02-24 11:23:08 -06:00
jvazquez-r7 ca7aabe9bc handle SMB_QUERY_FILE_NETWORK_OPEN_INFO 2015-02-24 11:13:18 -06:00
Brent Cook 3bed2d5136 fix for properly stopping the reverse_http/https handler
The issue seems to be at the root of #4669 is that reverse_http
registers an HTTP service but never releases its reference to it. If
we stop it directly, there may be a session already connected to it that
we kill, so we can't do that. Instead, track if we got a connection or
not, and conditionally release our reference based on whether the
connection succeeded.

This should fix #4669
2015-02-24 11:06:50 -06:00
William Vu 5f0aeda0be
Land #4835, new hex format for msfvenom 2015-02-24 10:56:47 -06:00
jvazquez-r7 31d1ba7100 Simplify debug to inspect smb_cmd_trans_query_file_info_network 2015-02-24 10:54:45 -06:00
Christian Mehlmauer 1d2fc989bd
remove newline 2015-02-24 17:35:53 +01:00
William Vu c3c9b233dd
Land #4834, a few more duplicate hash key fixes 2015-02-24 10:32:55 -06:00
Christian Mehlmauer 906c4a9024
use + instead of << 2015-02-24 17:18:41 +01:00
sinn3r 12a99ecee5
Land #4796, Handle incompatible payload architecture in BES 2015-02-24 10:02:25 -06:00
Christian Mehlmauer 5880702552
added new hex format 2015-02-24 16:05:02 +01:00
William Vu 7b32b8b58c
Land #4810, support for job renaming in msfconsole 2015-02-24 08:51:06 -06:00
Brent Cook ab4a416958 comment out duplicate keys that can only be used for reference
ruby is ignoring all but the second instances, and 2.2 still throws a
warning
2015-02-24 08:50:02 -06:00
William Vu 285c138f80 Add tab completion for rename_job 2015-02-24 04:25:36 -06:00
William Vu 500b6229be Clean up whitespace 2015-02-24 04:13:59 -06:00
sinn3r e9b6a023de Fix a typo 2015-02-23 21:45:02 -06:00
jvazquez-r7 d0d124eb19 Mimic original handling 2015-02-23 20:42:49 -06:00
jvazquez-r7 32046f9c47 smb_cmd_trans_query_path_info_standard 2015-02-23 19:57:16 -06:00
jvazquez-r7 ea483f14a1 Try to fix logic for query information levels 2015-02-23 17:17:33 -06:00
jvazquez-r7 3fca26a5de Add support for SMB_COM_TRANSACTION2 data blocks and params 2015-02-23 16:37:39 -06:00
jvazquez-r7 623d319ca7 Fix offsets 2015-02-23 14:43:06 -06:00
jvazquez-r7 2653ff9d58 Try to simplify request query and find request handling 2015-02-23 14:06:23 -06:00
jvazquez-r7 36711e801c Fix comment 2015-02-23 13:09:23 -06:00
jvazquez-r7 99483f88f1 Fix, hopefully, dispatching 2015-02-23 13:08:45 -06:00
jvazquez-r7 87176b9b37 Redo TRANS2_QUERY_PATH_INFORMATION dispatching 2015-02-23 12:52:50 -06:00
jvazquez-r7 a06d07d6da Clean smb_cmd_trans2_query_file_information dispatching 2015-02-23 12:03:08 -06:00
sinn3r c39d6e152e
Land #4819, Normalize HTTP LoginScanner modules 2015-02-23 11:43:42 -06:00
jvazquez-r7 abe5ea42cb Clean smb_cmd_trans 2015-02-23 11:34:19 -06:00
jvazquez-r7 3d7381b62a Handle TRANS2 commands 2015-02-23 11:33:49 -06:00
jvazquez-r7 fe00cadd18 Delete require 2015-02-23 11:15:55 -06:00
jvazquez-r7 1dba961698 delete SubCommand namespace 2015-02-23 11:15:14 -06:00
jvazquez-r7 7d9f661d78 Fix includes 2015-02-23 11:14:45 -06:00
jvazquez-r7 439507d359 Move trans2 files 2015-02-23 11:13:08 -06:00
HD Moore bdd5276524 This fixes a number of issues with the Capture mixin
* The use of www.metasploit.com in a datastore option results in a DNS lookup (infoleak). Switch to 8.8.8.8 (TTL=1)
 * The hackey code around #each_packet is no longer necessary in newer Ruby versions
 * The arp()/probe_gateway() calls to inject_reply() had broken logic leading to early exit and missed replies
 * The arp() function now tries up to three times to get a reply (helpful with lossy L2)
 * GC.start is extraneous and should be removed
 * Increased timeouts
2015-02-22 21:53:47 -06:00
HD Moore 615d71de6e Remove extraneous calls to GC.start() 2015-02-22 21:51:33 -06:00
Joshua Smith 251c284458 modernizes some of the rpc code 2015-02-22 15:37:55 -06:00
rastating 37a55cce74 Abstracted version comparison code 2015-02-22 16:20:46 +00:00
rastating 3d38d46729 Add extra version checking methods
Added the ability to check style.css for theme versions as version
tagging in style.css is a requirement of WordPress theme development.
Also updated existing readme checking to allow for a nil fixed_version
parameter in scenarios where all versions are vulnerable in an EOL
product.
2015-02-22 16:20:46 +00:00
HD Moore 888c718f40 Fix two typos 2015-02-22 02:45:50 -06:00
HD Moore 8e8a366889 Pass Http::Client parameters into LoginScanner::Http (see #4803) 2015-02-22 02:26:15 -06:00
Christian Mehlmauer c820431879
Land #4770, Wordpress Ultimate CSV Importer user extract module 2015-02-22 08:52:45 +01:00
William Vu 2b9ab901cb
Land #4811, creds -d documentation 2015-02-21 20:59:52 -06:00
William Vu b39e2bea8e
Land #4806, EXE::Custom case-sensitivity fix 2015-02-21 20:49:53 -06:00
William Vu f900d9cf26 Handle whitespace as per blank?
!~ /\S/ as per the original implementation of blank? also works.
2015-02-21 20:36:16 -06:00
rastating 708340ec5a Tidy up various bits of code 2015-02-21 12:53:33 +00:00
jvazquez-r7 80aef690a0 Do first commands refactoring 2015-02-21 01:48:47 -06:00
jvazquez-r7 52b41ab4f8 Do first Share refactoring 2015-02-21 01:00:46 -06:00
sinn3r b8cb93d712 Fix #3790, document the creds -d feature
Fix #3790
2015-02-20 21:38:26 -06:00
sinn3r b5f8ae85cf Fix #3827, Add support to rename a job
Fix #3827
2015-02-20 21:13:45 -06:00
rastating 7e1e0f8196 Add plugin upload functionality 2015-02-21 01:20:20 +00:00
jvazquez-r7 df903120e3 Reorganize trans2_find_first2 requests 2015-02-20 18:28:49 -06:00
jvazquez-r7 52a0e6dd1c Mark a couple of handlers for later review 2015-02-20 16:28:04 -06:00
Meatballs dc4898765f
Fix EXE::Custom 2015-02-20 16:59:18 +00:00
jvazquez-r7 a91d19e0e7 Add template for SMB_QUERY_FILE_STANDARD_INFO 2015-02-20 10:58:15 -06:00
jvazquez-r7 21978a1bfe Add template for SMB_QUERY_FILE_BASIC_INFO 2015-02-20 10:40:45 -06:00
jvazquez-r7 cf63e09188 Add templates for SMB_FIND_FILE_FULL_DIRECTORY_INFO_HDR and SMB_FIND_FILE_NAMES_INFO_HDR 2015-02-20 09:17:51 -06:00
jvazquez-r7 f2405a5dc0 Create SMB_FIND_FILE_BOTH_DIRECTORY_INFO_HDR_LENGTH constant 2015-02-20 00:35:26 -06:00
jvazquez-r7 571dffa317 Create template for SMB_FIND_FILE_BOTH_DIRECTORY_INFO 2015-02-20 00:22:33 -06:00
jvazquez-r7 94ad64546c Create TRANS2_PARAMETERS template 2015-02-19 23:16:52 -06:00
jvazquez-r7 b24b94ddd3 Do first cleanup of find_first2 handlers 2015-02-19 19:08:56 -06:00
jvazquez-r7 74c43f5527 Delete more unused local variables 2015-02-19 14:39:55 -06:00
jvazquez-r7 1d5a977280 Delete a lot of verbose prints 2015-02-19 14:37:16 -06:00
jvazquez-r7 0940ceae75 Delete unused local variables 2015-02-19 14:26:46 -06:00
jvazquez-r7 c38c3519d8 Delete more unused code 2015-02-19 14:24:18 -06:00
jvazquez-r7 7487f9611b Do some extra prints 2015-02-19 14:11:27 -06:00
jvazquez-r7 d9b9de8e89 Delete unused code 2015-02-19 13:16:24 -06:00
jvazquez-r7 5510000bf1 Use constant for FLAGS2 2015-02-19 13:02:50 -06:00
jvazquez-r7 392137292e Old delete register prototype comment 2015-02-19 13:00:12 -06:00
jvazquez-r7 39ceb5b90f Update smb_error on Exploit::Remote::SMB::Server 2015-02-19 12:10:28 -06:00
Brent Cook 4781ac4b39 the http service needs to keep running to handle meterpreter loading
revert a8f44ca68f
2015-02-19 09:38:48 -06:00
jvazquez-r7 b85324435e Don't waste instance variables 2015-02-18 16:42:52 -06:00
jvazquez-r7 91d9d93fec Handle instance variables correctly 2015-02-18 16:35:20 -06:00
jvazquez-r7 438b38dfe4 Use Rex::Text 2015-02-18 16:20:47 -06:00
jvazquez-r7 a815858644 Fix setup 2015-02-18 16:19:05 -06:00
jvazquez-r7 06dfa6b5be Fix initialize 2015-02-18 13:56:06 -06:00
jvazquez-r7 62c08094fd Delete the old FileServer mixin 2015-02-18 13:54:24 -06:00
jvazquez-r7 9068397fff Delete code commented by myself 2015-02-18 13:47:05 -06:00
jvazquez-r7 a446df95b2 Make Msf::Exploit::Remote::SMB::Server::Share a mixin 2015-02-18 13:45:48 -06:00
jvazquez-r7 415c671416 Move Rex code, we'll redesign as mixin 2015-02-18 13:44:02 -06:00
jvazquez-r7 ff4aa1f9da Require FileServer mixin 2015-02-18 11:43:13 -06:00
jvazquez-r7 f960a77754 Solve merging conflicts 2015-02-18 11:36:47 -06:00
Matt Buck a9931cd410
Land #4725, convert Rails 3 AR calls in RPC_Db
Converts Rails 3 style ActiveRecord calls in RPC_Db to their Rails 4
counterparts.

Fixes #4725, also see MSP-12017
2015-02-18 09:59:40 -06:00
William Vu bda96f46e6
Land #4780, stop HTTP service with HTTP handler 2015-02-18 03:34:03 -06:00
sinn3r 8ce1db5081 Fix #4783, raise exception if the payload arch is incompatible
Fix #4783
2015-02-17 21:47:17 -06:00
rastating e0d87a8886 Update to use store_loot for CSV export 2015-02-17 19:21:31 +00:00
Brent Cook bed40a83ee fix #4337: gracefully handle resolve_sid failure when enumerating user profiles
Rather than throwing a backtrace with an unresolvable SID, try to get as
much profile data as possible if resolve_sid fails.

```
[*] Determining session platform and type...
[-] Unexpected windows error 1332
[*] Checking for Firefox directory in:
C:\Users\Administrator\AppData\Roaming\Mozilla\
[-] Firefox not found
[*] Post module execution completed
```
2015-02-17 13:03:12 -06:00
Brent Cook a8f44ca68f stop the http service when the reverse http handler stops 2015-02-17 12:38:20 -06:00
Matthew Hall 547d4d1950 Merge with master 2015-02-17 17:23:19 +00:00
Matthew Hall 9e2a483977 Add example usage to Msf::Exploit::Remote::SMBFileServer documentation 2015-02-17 17:23:18 +00:00
Matthew Hall cec817902f Add yardoc documentation for Msf::Exploit::Remote::SMBFileServer 2015-02-17 17:23:18 +00:00
Matthew Hall 5cf8833697 Tidy lib/msf/core/exploit/smb.rb following feedback from jlee-r7.
* Doc comments wrap at 78 chars to follow yardoc convention
 * Remove unused :server and SERVER vals
 * Use Utils class directly
 * Stop server within an ensure
 * Change SRVHOST to an OptAddress
2015-02-17 17:23:18 +00:00
Matthew Hall 8beed5652d Implement SMBFileServer mixin.
In order to accomplish remote file injection (e.g. DLL) this module
emulates an SMB service process to allow clients to load a file from a
network share.

This commit implements the SMBFileServer exploit module utilising the
::Rex::Proto::SMB::Server module to export the "start_smb_server"
function.

Utilising the module (example):
 include Msf::Exploit::Remote::SMBFileServer
 exe = generate_payload_dll
 @exe_file = rand_text_alpha(7) + ".dll"
 @share = rand_text_alpha(5)
 my_host = (datastore['SRVHOST'] == '0.0.0.0') ?
 Rex::Socket.source_address : datastore['SRVHOST']
 @unc = "\\#{my_host}\#{@share}\#{@exe_file}"
 start_smb_server(@unc, exe, @exe_file)
 // Inject DLL
 handle

A separate commit will provide a sample implementation of utilising this
module within a generic webserver DLL injection exploit:
./exploits/windows/http/generic_http_dllinject.rb
2015-02-17 17:23:18 +00:00
sinn3r 6eaa3c264c
Land #4763, LSBackgroundOnly for safari_user_assisted_download_launch 2015-02-17 10:41:59 -06:00
Brent Cook e08206d192
Land #4768, jvazquez-r7 reorganizes the SMB mixins 2015-02-17 10:36:19 -06:00
sinn3r 0597d2defb
Land #4560, Massive Java RMI update 2015-02-17 10:07:07 -06:00
Brent Cook b4cf2f5d8c use correct response filter TLV_TYPE_VALUE_NAME 2015-02-17 08:46:25 -06:00
Brent Cook 503f58375b add direct registry access methods
Rather than operating on a passed-in HKEY, these open and close the registry
key directly for each operation.

This pattern better reflects the actual API usage within msf, and removes extra
round-trips to open and close the registry key, reducing traffic and increasing
performance. I did not add direct versions of every registry operation.
There was no benefit for more rarely-used operations, other than requiring more
churn in the meterpreters.

The primary beneficiary of this is post exploitation modules that do registry
or service enumeration. See #3693 for test cases.
2015-02-17 06:11:20 -06:00
rastating a22f5c1287 Add extra readme check for case sensitive servers 2015-02-14 23:43:04 +00:00
jvazquez-r7 2c842ee6d7 Fix namespaces on Server 2015-02-13 17:34:55 -06:00
jvazquez-r7 9b7bbc220b Fix namespaces on Client 2015-02-13 17:33:41 -06:00
jvazquez-r7 46c6ac9ca1 Redefine namespaces and requires 2015-02-13 17:09:06 -06:00
jvazquez-r7 df1daff673 Move clients 2015-02-13 17:07:03 -06:00
jvazquez-r7 067aadf3a4 Fix namespaces 2015-02-13 17:05:46 -06:00
jvazquez-r7 f1ab7ed343 Mode smb.rb 2015-02-13 17:04:55 -06:00
jvazquez-r7 7367402bf1 Add requires 2015-02-13 17:03:48 -06:00
jvazquez-r7 ccabf30531 Move smb_server.rb 2015-02-13 16:58:19 -06:00
Samuel Huckins ce688f4247
Land #4765, Rails4 compatible finder conversion
* find_or_initialize_by_DYNAMIC
2015-02-13 15:56:09 -06:00
Christian Catalan dc6a365a13
Fix finder query in Msf::DBManager::Vuln
MSP-12152

* This is part of updating finder queries to be Rails 4 compatibile
* In #find_vuln_by_details, pass in conditons hash crit rather than symbol :crit
2015-02-13 13:21:25 -06:00
Sonny Gonzalez dc1eab377c
Rails 4 finder conversion: convert find_or_initialize_by_x_and_y
MSP-12153

* convert to where(conditions).first_or_initialize
2015-02-13 12:39:44 -06:00
joev 49c9c02b53 Hide the dropped osx app. 2015-02-12 23:08:46 -06:00
William Vu 39c0065560
Land #4758, SMTPDeliver DATA header fix 2015-02-12 15:07:31 -06:00
Matt Buck f0bf881cc3
Land #4720, update Rails 3-style .find(:first)
Eliminate the Rails 3-style .find(:first) calls, and replace with
Rails 4-compatible .first().

Fixes #4720, also see MSP-12012
2015-02-12 14:30:13 -06:00
David Maloney 72878e0c14
fixes bug with smtp header order
SMTP servers that support pipelining will not accept any
commands other than MAILFROM and RCPTTO before the DATA
command. We were sending Date and Subject before Data
which would cause some mailservers to suddenly drop
the connection refusing to send the mail.

MSP-12133
2015-02-12 14:13:39 -06:00
Sonny Gonzalez 7c57b9fb57
Fix Master - Pro build
MSP-12138

* revert to previous Rails 3 syntax.
2015-02-11 12:02:34 -06:00
jvazquez-r7 29c68ef1ec
End fixing namespaces 2015-02-10 11:55:14 -06:00
jvazquez-r7 6e635211b3
Modify include 2015-02-10 10:59:56 -06:00
jvazquez-r7 dba67bd1ee Do more code reorganization 2015-02-10 10:58:57 -06:00
jvazquez-r7 aa9e686965 Reorganize Java related mixin code 2015-02-10 10:52:44 -06:00
jvazquez-r7 1f4fdb5d18
Update from master 2015-02-10 10:47:17 -06:00
Tod Beardsley 0a42ac947a
Land #4737, fix Socket Context usages 2015-02-09 17:34:03 -06:00
Matt Buck 9a445e2027
Land #4707, updates to finder syntax
Updates some Rails 3 style ActiveRecord calls to use the Rails 4 Arel
syntax, in preparation for our move to Rails 4.

Fixes #4707, also see MSP-12018
2015-02-09 16:01:38 -06:00
Spencer McIntyre 2a3855c5af Skip the psh prepend sleep time error when it is 0 2015-02-09 14:20:04 -05:00
HD Moore 985641dbc4 Add missing Context, fixes #4723 2015-02-07 11:27:57 -06:00
Matt Buck 531743eff1
Land #4697, updates to finder syntax
Updates some Rails 3 style ActiveRecord calls to use the Rails 4 Arel
syntax, in preparation for our move to Rails 4.

Fixes #4697, also see MSP-12016
2015-02-06 15:41:11 -06:00
Sonny Gonzalez 0fc4e09466
Rails 4 finder conversions
MSP-12017

* covert all(options), mapping options hashes to the
  appropirate Rails 4 methods
2015-02-06 13:51:48 -06:00
Sonny Gonzalez 1051f0fb82
Rails 4 finder conversion
MSP-12012

* convert find(:first, options) by mapping options
  to methods
2015-02-06 10:15:50 -06:00
Sonny Gonzalez 9a53859a77
Rails 4 finder conversion
MSP-12012

* covert find(:first) to first
2015-02-06 10:13:14 -06:00
Spencer McIntyre 4e0a62cb3a
Land #4664, MS14-070 Server 2003 tcpip.sys priv esc 2015-02-05 18:49:15 -05:00
Spencer McIntyre 5a39ba32f6 Make the ret instruction for token stealing optional 2015-02-05 14:00:38 -05:00
sinn3r 434bca0b27
Land #4613, auxiliary/server/capture/smb credential creation 2015-02-04 22:45:36 -06:00
sinn3r df22ed2132
Land #4702, Fix bug in Firefox XPCOM payload on Linux 2015-02-03 21:36:01 -06:00
jvazquez-r7 c0e1440572
Land #4685, @FireFart's module for Wordpress Platform Theme RCE 2015-02-03 17:35:59 -06:00
Christian Catalan 3deac54d3f
Convert find_or_initialize_by_X to Rails 4 compatible.
MSP-12018
2015-02-03 16:09:49 -06:00
joev ee1af83cc8 Go ahead and trim whitespace on all commands coming in. 2015-02-02 16:56:22 -06:00
Christian Catalan 797b5d0d55 Convert #find_or_create_by_x to #where().first_or_create
MSP-12016
2015-02-02 12:22:26 -06:00
Trevor Rosen dda87667c9
Land #4688, fix for pcap magic number on 2.x 2015-02-02 11:00:13 -06:00
William Vu 7f0af0211d
Land #4682, exploit/http/server.rb breakup 2015-02-01 01:44:43 -06:00
Christian Catalan 7d1090baca Convert #find(:all) to #where or #all 2015-02-01 00:31:58 -06:00
Brandon Turner ad374c2e4f
Use ASCII-8BIT for comparing pcap magic number
In Ruby 2, source files are read as UTF-8 by default.  When comparing
PCAP headers, we should use ASCII-8BIT or else the comparison will not
work.  This should be backwards compatible with Ruby 1.9.

MSP-12092
2015-01-31 23:57:49 -06:00
Christian Catalan 8740fd9015 Convert #find_all_by_X to #where 2015-01-31 21:07:50 -06:00
Christian Mehlmauer 2c956c0a0f
add wordpress platform theme rce 2015-01-31 22:02:44 +01:00
Brent Cook cf891efc14
Land #4674, @wvu-r7 teaches msfconsole to read stdin as - 2015-01-30 18:25:09 -06:00
William Vu fdf88b9563
Land #4639, incorrect use of #class fixes
case uses === internally. :)
2015-01-30 16:57:59 -06:00
Brent Cook 253d8e60dd
Land #4388, Meatballs1's golden ticket post module 2015-01-30 16:26:04 -06:00
James Lee 1fbed1dcfc
Autoload instead of require 2015-01-30 15:42:16 -06:00
James Lee 062529ce3b
Move HttpServer::HTML into its own file 2015-01-30 15:24:15 -06:00
James Lee 3572ce9a37
Break PHPInclude into its own file 2015-01-30 15:16:54 -06:00
William Vu 3954c0e3aa
Land #4654, test module fixes 2015-01-30 15:00:54 -06:00
jvazquez-r7 03169f231b Handle one redirection on wordpress_and_online? 2015-01-30 10:26:23 -06:00
jvazquez-r7 c098de27ee Do safer body check 2015-01-30 10:22:43 -06:00
jvazquez-r7 bc65d2f526 Make filename compatible with namespace 2015-01-30 10:22:07 -06:00
Christian Mehlmauer 7504358db3
code style and typos 2015-01-30 15:57:32 +01:00
Christian Mehlmauer a0eaf2f626
add wordpress ghost scanner module 2015-01-30 15:29:51 +01:00
Meatballs 39004d265b Increase default buffer sizes to reduce railgun calls 2015-01-30 11:20:03 +00:00
Meatballs 6b97618fb2 Improve resolve_sid API calls 2015-01-30 11:20:03 +00:00
Meatballs 044e3bd608 Golden Ticketz Post module 2015-01-30 11:20:02 +00:00
William Vu 8f54e4d611
Implement "-" for msfconsole -r from stdin
More predictable than /dev/stdin, which is usually a symlink to
/proc/self/fd/0 or /dev/fd/0, but the feature is not guaranteed to be
present.

This isn't *terribly* useful, but it can be. -x is recommended, but it
doesn't allow for ERB directives. This is mostly for hax.
2015-01-29 19:26:56 -06:00
William Vu 6ecb36df52
Land #4653, get/set/unset description improvement 2015-01-29 13:28:06 -06:00
sinn3r cc7be4a9c1
Land #4643 - Fix blank username bug in creds -u
Fix #4634
2015-01-28 15:31:54 -06:00
sinn3r f0742a38e2 The get command too 2015-01-28 12:59:51 -06:00
sinn3r 457598eb02 print_error about unknown request.uri 2015-01-27 20:21:18 -06:00
sinn3r acf02647fb Add a check for Custom404 2015-01-27 20:18:10 -06:00
sinn3r 66703bfe5a Allow custom 404 as an option for BrowserExploitServer
When something fails, the target is given a hardcoded 404 message
generated by the framework. But the user (attacker) now can configure
this. When the Custom404 option is set, the mixin will actually
redirect (302) to that URL.

There are several scenarios that can trigger a 404 by BES (custom or
default):

* When the browser doesn't allow javascript
* When the browser directly visits the exploit URL, which is forbidden.
  If this actually happens, it probably means the attacker gave the
  wrong URL.
* The attacker doesn't allow the browser auto-recovery to retry the
  URL.
* If some browser requirements aren't met.
* The browser attempts to go to access a resource not set up by the
  mixin.
2015-01-27 18:53:02 -06:00
Meatballs c2d15f2b31
Add yarddoc note about handles 2015-01-27 21:05:00 +00:00
Meatballs c7534446aa
Add yarddocs to runas mixin 2015-01-27 20:35:55 +00:00
James Lee 895284cd12
Fix logic around empty usernames or passwords
See #4634 and #4642
2015-01-27 14:16:26 -06:00
sinn3r d29a74cd8f Fix #4641 - Explain the set/unset command a little bit better
Sometimes we forget the set command is context specific. For example,
if run from a module's context, it will set the value in the module's
datastore.

Fix #4641
2015-01-27 13:35:05 -06:00
Brent Cook f2edf21b9d fix MSF::Post::File::rename_file with meterpreter
Modify rename_file to fit the pattern of the other file methods.
Otherwise, calling this yields a backtrace in the logs and it fails.

Steps to verify:
rc script:
```
loadpath test/modules
use exploit/multi/handler
set lhost 172.28.128.1
set lport 8081
set payload windows/meterpreter/reverse_http
run -j
sleep 5
resource test/scripts/test-sessions.rc

Before:
```
[-] FAILED: should move files
[-] Exception: TypeError : true is not a symbol

log file:
[01/27/2015 13:17:23] [d(0)] core: Call stack:
/home/bcook/projects/metasploit-framework/lib/msf/core/post/file.rb:357:in
`rename_file'
/home/bcook/projects/metasploit-framework/test/modules/post/test/file.rb:115:in
`block in test_file'
/home/bcook/projects/metasploit-framework/test/lib/module_test.rb:26:in
`call'
/home/bcook/projects/metasploit-framework/test/lib/module_test.rb:26:in
`it'
...
```

After, passing sessions instead:
```
post/test/file
SESSION => 1
Setup: changing working directory to %TEMP%
[*] Running against session 1
[*] Session type is meterpreter and platform is x86/win32
[+] should test for file existence
[+] should test for directory existence
[+] should create text files
[+] should read the text we just wrote
[+] should append text files
[+] should delete text files
[+] should move files
[+] should write binary data
[+] should read the binary data we just wrote
[+] should delete binary files
[+] should append binary data
[*] Passed: 11; Failed: 0
```
2015-01-27 13:19:33 -06:00
Meatballs 02da5b5c1b
Remove unnecessary get_env call 2015-01-27 17:27:56 +00:00
Meatballs b367b01998
Remove unneccessary logonuser 2015-01-27 17:07:49 +00:00
Meatballs 215a590940
Refactor and fixes for post module 2015-01-27 16:14:59 +00:00
James Lee a2c7ebc2b1
Simplify logic 2015-01-27 09:05:11 -06:00
James Lee eac7b11a87
Merge remote-tracking branch 'upstream/master' into bug/4634/blank-username
Conflicts:
	lib/msf/ui/console/command_dispatcher/db.rb
	spec/lib/msf/ui/console/command_dispatcher/db_spec.rb
2015-01-27 08:40:07 -06:00
Meatballs 12542eb938
Working 2015-01-27 14:10:35 +00:00
Meatballs ea25869312
Refactor to common module 2015-01-27 10:47:02 +00:00
sinn3r ee922d141c Fix #4646 - get_module_resource should check nil before using get_resource
Fix #4646. The get_module_resource needs to check nil first before
using the get_resource method (from HttpServer)
2015-01-27 00:21:43 -06:00
James Lee f2e0bd364a
Always include Service and Host
See #4643
2015-01-26 20:22:11 -06:00
James Lee 8dd56bb759
Do all the filtering in SQL instead of Ruby
This also has the advantage of reducing the number of queries from at
least 3 for every Core we find to more like a total of 3.
2015-01-26 20:21:55 -06:00
Tod Beardsley 2294ea0e93
Squash commit for blank creds search and test
This should fix up #4642 with respect to #4504.

Squashed commit of the following:

commit 124d53ccb00cd200bede092e893dda7e033d3e17
Merge: cb2bef8 ccad159
Author: Tod Beardsley <tod_beardsley@rapid7.com>
Date:   Mon Jan 26 16:23:03 2015 -0600

    Merge branch 'feature/creds-blank-finders' into temp

commit ccad159222eaa949d76e22b588d1ac7709fb2f27
Author: Tod Beardsley <tod_beardsley@rapid7.com>
Date:   Mon Jan 26 15:58:02 2015 -0600

    Clean out whitespace, make vars more meaningful

commit 266b45dff26e2778e43d8e4750d212b5aee5a009
Author: Tod Beardsley <tod_beardsley@rapid7.com>
Date:   Mon Jan 26 15:54:32 2015 -0600

    Add some specs for regular users and blank users

commit 2e51503f76e9a2f6921c57e86a2f98527f80c874
Author: Tod Beardsley <tod_beardsley@rapid7.com>
Date:   Mon Jan 26 15:04:03 2015 -0600

    Users should be able to find blank user/pass
2015-01-26 16:26:30 -06:00
Jon Hart cb2bef878b
Land #4504, @disenchant's get/getg improvement 2015-01-26 12:49:34 -08:00
Christian Mehlmauer bb07ec8666
fix incorrect usage of .class 2015-01-26 15:46:58 +01:00
sinn3r c62beacd31 Revert #4473 - Log backtraces by default 2015-01-24 02:44:29 -06:00
Brent Cook 52ca6b54b1 remove entire 'default' attribute acccessor override method
This reverts us to the state before
725a17c70b, making OptRegexp simply
inherit from OptBase again.
2015-01-23 14:18:05 -06:00
sinn3r f3a2d6663f Fix #4616 and Fix #3798 - Correctly use OptRegexp
This patch fixes a problem with OptRegexp. The OptRegexp class is
always forcing the value to be converted to a string first, which
causes the EXCLUDE option in browser_autopwn to kick in and match
every found autopwn module, so it ignores all of them and you load
nothing (#4616).

It is important to understand that nil actually represents an option
not being set, which is a completely different behavior than having
an empty value (technically "" is still a value, and if there's a
value, it means the option is set). We need to watcher for these
scenarios.

I am restoring the #default method to avoid forcing a to_s, which should
fix the browser autopwn loading problem. And then I changed scraper.rb's
default value for datastore option PATTERN to a string, because still
fixes #3798. The way I see it, #3798 is actually a module-specific issue.

Fix #4616
Fix #3798
2015-01-23 02:38:26 -06:00
jvazquez-r7 c507e73a02 Comment to clarify serialVersionUID fields 2015-01-22 18:40:52 -06:00
jvazquez-r7 e377ed3f83 Document the 'null' UnicastRef ObjId on the discovery package 2015-01-22 18:39:12 -06:00