Commit Graph

3535 Commits (27174e2bfdea94f1c60af778eed5e29623a8426f)

Author SHA1 Message Date
OJ 47fa97816d Code fixes as per suggestions, fix build
* Use of `ERROR_FAILURE_WINDOWS` in python meterpreter.
* Moving of constants/logic to client_core instead of
command_dispatcher.
* Fix spec include.
2015-04-02 09:05:38 +10:00
OJ 01bdf54487 Merge branch 'upstream/master' into dynamic-transport 2015-04-01 18:53:20 +10:00
OJ 79ec2e0586 Add machine ID support to the command list 2015-04-01 14:29:04 +10:00
OJ 1a313ad943 Fix up the proxy patching
Patching of the proxy details was failing, so this commit fixes that.
Also, added code that makes the proxy type check case-insensitive.
2015-04-01 11:48:22 +10:00
HD Moore a9cfd7efef Merging master back into the UUID branch 2015-03-31 12:02:03 -05:00
Brent Cook d89cd118e0 remove wininet workaround in meterpreter http/s
We had a workaround to close connections on very old wininet implementations
that would not do it themselves. With the new WinHttp API-using meterpreters
and stagers, we no longer should use this workaround. It can actually be
actively bad and prematurely close the connection.

This needs testing around different payloads, and they should be on real
networks, ideally where TCP really has to work to get data transferred.
2015-03-30 23:38:32 -05:00
Samuel Huckins 13fc498523 Land #4948, fixes several AppScan import issues 2015-03-29 23:33:01 -05:00
OJ c0f496197c Rejig code to support http payloads
* Move the uri checksum code to a spot that can be shared with rex.
* Adjust modules to make use of this new location.
* Fix up the transport switcher to add the URI for those payloads.
2015-03-30 07:11:25 +10:00
OJ 1f00b595bc Hacked support for transport switching 2015-03-25 13:08:52 +10:00
jvazquez-r7 6ea42f6599 Fix description 2015-03-24 12:30:27 -05:00
jvazquez-r7 39e87f927a Make code consistent 2015-03-24 11:44:26 -05:00
OJ 25dcfc796a Better support old binaries in rev http(s)
* Patch 256char URL if the 512char one doesn't work.
* Return an empty list in the case where the ext enum fails.
2015-03-24 10:14:44 +10:00
jvazquez-r7 04341bfc78 Support JMX_ROLE again 2015-03-23 17:32:26 -05:00
Brent Cook 1869977921 Land #4962: OJ adjusts MSF to new metsrv needs
bump meterpreter bins to 0.0.17
2015-03-23 17:18:06 -05:00
jvazquez-r7 d8d4c23d60 JMX code refactoring 2015-03-23 17:06:51 -05:00
David Maloney 60966f3d2a handle a blank response body
sometimes the response body itself can be blank
so we need to handle that properly.

MSP-9972
2015-03-23 16:03:30 -05:00
jvazquez-r7 962bb670de Remove old JMX mixin 2015-03-23 15:48:10 -05:00
OJ 9c9d333a1b Create verify ssl mixin, adjust some formatting 2015-03-23 13:21:08 +10:00
HD Moore bc3c73e408 Merge branch 'master' into feature/registered-payload-uuids 2015-03-22 18:51:13 -05:00
HD Moore 0d1fe37710 Ignore non-base64url characters during decode 2015-03-22 16:16:47 -05:00
HD Moore 94241b2998 First attempt at rewiring HTTP handlers to use UUIDs 2015-03-21 03:15:08 -05:00
sinn3r 97b919923e Fix undefined esize in Rex::Exploitation::Egghunter
esize is not a valid variable, and we don't need it either.
2015-03-20 21:32:46 -05:00
HD Moore 858d9b1e7a Introduce Rex::Text.(en|de)code_base64url and use it for uri_checksum 2015-03-20 21:32:08 -05:00
OJ 9d20d057dd Update Meterpreter URL length to 512 2015-03-20 13:16:43 +10:00
oj@buffered.io fd4ad9bd2e Rework changes on top of HD's PR
This commit removes duplication, tidies up a couple of things and puts
some common code into the x509 module.
2015-03-20 13:06:57 +10:00
OJ 7ca91b2eb5 Add support for ssl to the patcher 2015-03-20 12:52:38 +10:00
OJ a9f74383d0 Update patch to support both ascii and wchar 2015-03-20 12:52:18 +10:00
OJ acd802c5fd Initial work for WinHTTP comms support in Meterpreter 2015-03-20 12:51:47 +10:00
Brent Cook 564962042e Land #4925, OJ adds self-contained windows meterpreter options 2015-03-19 21:07:32 -05:00
Brent Cook 24ce0118b8 reenable UTF filtering support where needed
revert d22231bdc8
2015-03-19 16:02:21 -05:00
jvazquez-r7 ec90594f7e Add support for Rex::Java::Serialization::ProxyClassDesc 2015-03-19 15:41:24 -05:00
OJ a582e05b6d Merge gemfile changes in master 2015-03-20 06:29:38 +10:00
OJ 040ef1e3e9 Land #4950: ls unicode and sorting in meterpreter 2015-03-20 06:28:29 +10:00
jvazquez-r7 5c3134a616 Add first support to gather information from RMI registries 2015-03-19 11:16:04 -05:00
OJ 7899881416 Update POSIX bins from master 2015-03-19 14:50:14 +10:00
HD Moore ae621c83c5 Add a URL-safe base64 encoder/decoder 2015-03-18 17:03:29 -05:00
Brent Cook c774038fe6 improve ls output by providing various new options 2015-03-18 16:02:03 -05:00
David Maloney 4293af01b1 make sure we strip leading whitespace
in the aforementioned record_request_and_response method
we need to still make sure to strip leading whitespace
from the front of our data before saving it

MSP-9972
2015-03-18 11:23:45 -05:00
David Maloney dacaa9e82b simplify request-response parsing in appscan
the record_request_and_response method for the
nokogiri appscan parser was way overcomplicated
it was trying to do way too much trickiness
when the data could be very simply split and consumed

MSP-9972
2015-03-18 11:19:00 -05:00
David Maloney 3269817b29 remove bad truthiness checks
truthy checks were used here, but you'll get
an empty hash which will be treated as true, causing
the test to be invalid and allowing for errors further in the method

MSP-9972
2015-03-18 10:52:24 -05:00
HD Moore 8d3cb8bde5 Fix up meterpreter patching arguments and names 2015-03-18 01:25:42 -05:00
HD Moore 390a704cc7 Cleanup proxyhost/proxyport arguments to match new names 2015-03-18 01:19:05 -05:00
jvazquez-r7 14be07a2c4 Update java_rmi_server modules 2015-03-17 21:29:52 -05:00
jvazquez-r7 6315e07312 Add specs for UniqueIdentifier 2015-03-17 20:38:43 -05:00
jvazquez-r7 87b777e923 Refactor moving code to rex 2015-03-17 17:15:32 -05:00
Brent Cook d22231bdc8 remove unicode_filter_encode calls
Let the underlying utf8 messages through to the console.
2015-03-17 11:07:07 -05:00
HD Moore 11593800b6 Move X509 PEM parsing into Rex::Parser::X509Certificate 2015-03-14 15:52:23 -05:00
Brent Cook 74ee2d8408 Land #4916, @hmoore-r7 annotate Interlock Target param as 'in' only 2015-03-13 08:59:59 -05:00
OJ 1338a55b0d Adjust error handling for extension enumeration
Make the catch case more generic for when the target doesn't support the
command for extension enumeration. This supports more than just windows
now.
2015-03-13 21:49:45 +10:00
William Vu fa2fbc387c Land #4922, REG_MULTI_SZ for type2str 2015-03-13 01:07:27 -05:00
James Lee 14a5efce58 Add yardoc 2015-03-13 01:04:23 -05:00
HD Moore f676dc03c8 Lands #4849, prevents the target from running out of memory during NTFS reads 2015-03-12 00:01:47 -05:00
HD Moore 7252ba284a Tweak memory usage from 64Mb to 4Mb 2015-03-11 23:58:13 -05:00
HD Moore aa79b71e35 Fixes #4897 by corrected kernel32!Interlocked function definitions 2015-03-11 23:26:32 -05:00
OJ 345b5cc8e1 Add stageless meterpreter support
This commit adds plumbing which allows for the creation of stageless
meterpreter payloads that include extensions. The included transports at
this point are bind_tcp, reverse_tcp and reverse_https, all x86.

More coming for x64. Will also validate http soon.
2015-03-12 13:22:04 +10:00
James Lee cd5699dc39 Sort cases and add specs 2015-03-08 23:27:32 -05:00
James Lee 0440e19cc1 Add REG_MULTI_SZ 2015-03-08 22:48:24 -05:00
jvazquez-r7 1c064f6b46 Land #3074, @0x41414141 SMB Share mixin 2015-03-04 10:16:04 -06:00
jvazquez-r7 64fd818364 Land #4411, @bcook-r7's support for direct, atomic registry key access in meterpreter 2015-03-04 10:01:33 -06:00
jvazquez-r7 cdf5fec474 Fix style 2015-03-04 09:57:39 -06:00
jvazquez-r7 8328c5c5e9 Add specs for SMB_FIND_FILE_BOTH_DIRECTORY_INFO requests 2015-03-03 12:43:41 -06:00
jvazquez-r7 eb3aedf4a7 Define constants for WordCount in responses 2015-02-28 18:15:14 -06:00
jvazquez-r7 89a033c194 Delete unnecessary paddings due to miscalculations 2015-02-26 15:54:00 -06:00
Bazin Danil 3aa68c30b0 => not => ! 2015-02-26 21:31:01 +01:00
Bazin Danil a427e417a3 -consomation +consumption 2015-02-26 21:23:09 +01:00
William Vu 0a51ca12a5 Download all of every file implicitly 2015-02-26 14:10:53 -06:00
William Vu d0ca1b2dc6 Delete a thing I added for no reason 2015-02-26 14:06:10 -06:00
William Vu 5996256ccc Fix formatting 2015-02-26 14:05:50 -06:00
jvazquez-r7 c73ffea1b9 Do minor cleanup 2015-02-26 12:50:45 -06:00
jvazquez-r7 970f0c94b2 Create CREATE_ANDX constants 2015-02-26 10:44:07 -06:00
Matthew Hall ab1bb0e50d bugfixes to https://github.com/jvazquez-r7/metasploit-framework/tree/review_3074_clean_server
to provide consistent support for various exploits and OS SMB Commands.

Reintroduces smb_cmd_trans_query_path_info_network for use with the Struts2 JSP injection vulnerability.
Reintroduces smb_cmd_trans_query_file_info_basic for common use with rundll32.
Corrects some issues with filename formatting and pattern matching for file requests (can still be improved).
2015-02-26 16:10:34 +00:00
William Vu ed9213eb4c Add fsquery check to fs{download,delete} methods 2015-02-25 17:37:20 -06:00
William Vu ea5b6f66d4 Add UEL to fsdownload method 2015-02-25 17:35:34 -06:00
William Vu 5d3c7f3b4a Add fsquery method 2015-02-25 17:18:23 -06:00
William Vu 1f981dd336 Add FSQUERY constant 2015-02-25 17:00:27 -06:00
jvazquez-r7 993c75ec77 Update Offset counts with constants 2015-02-25 16:25:16 -06:00
William Vu 91f0713056 Add fsdelete method 2015-02-25 15:41:40 -06:00
William Vu a096a17e21 Add FSDELETE constant 2015-02-25 15:39:51 -06:00
William Vu 80d8491d09 Add fsdownload method 2015-02-25 15:00:31 -06:00
William Vu e8c2c3687d Replace "pathname" with "path"
This always bothered me, since I usually say "path."
2015-02-25 15:00:18 -06:00
William Vu 02ea7a0282 Add FSDOWNLOAD constant 2015-02-25 15:00:11 -06:00
jvazquez-r7 df50aa0f06 Use constants for DataCount and DataCountTotal 2015-02-25 14:11:38 -06:00
jvazquez-r7 f21959a8a2 Add constants for session setup actions 2015-02-25 13:31:57 -06:00
jvazquez-r7 e967cfbfb3 Create Access rights constants 2015-02-25 13:22:16 -06:00
jvazquez-r7 1caffbea2d Add constants for Negotiation Capabilities 2015-02-25 12:50:33 -06:00
jvazquez-r7 50d50d5353 Define constants for SMB Flags 2015-02-25 12:28:25 -06:00
jvazquez-r7 e5d9bb0a47 Update from master 2015-02-25 11:37:13 -06:00
jvazquez-r7 ec9be4531b Add SMB_CREATE_ANDX_RES_PKT template 2015-02-25 11:33:08 -06:00
jvazquez-r7 d10385cfed Add template for SMB_TREE_CONN_ANDX_RES_PKT 2015-02-24 19:27:25 -06:00
jvazquez-r7 642765aeb5 Delete comments 2015-02-24 18:27:02 -06:00
jvazquez-r7 bb36899699 Make template names consistent 2015-02-24 18:26:46 -06:00
Jon Hart b3787ded6b Add mDNS mixins, update query module to use them 2015-02-24 15:37:38 -08:00
Jon Hart 7917a70216 Initial commit of some code for LLMNR research
This is largely useless right now because LLMNR is only supposed to
work in the same multicast/broadcast domain and implementations are
supposed to ignore requests with an IP TTL != 1.
2015-02-24 15:37:37 -08:00
jvazquez-r7 d29e9fc20b Parse TRAN2_FIND_FIRST2 commands 2015-02-24 17:02:49 -06:00
William Vu 5f0aeda0be Land #4835, new hex format for msfvenom 2015-02-24 10:56:47 -06:00
Christian Mehlmauer 5880702552 added new hex format 2015-02-24 16:05:02 +01:00
Brent Cook ab4a416958 comment out duplicate keys that can only be used for reference
ruby is ignoring all but the second instances, and 2.2 still throws a
warning
2015-02-24 08:50:02 -06:00
William Vu 5eec07d4d1 Fix duplicate hash key "jpeg"
In lib/rex/proto/http/server.rb.
2015-02-24 05:19:42 -06:00
jvazquez-r7 ea483f14a1 Try to fix logic for query information levels 2015-02-23 17:17:33 -06:00
jvazquez-r7 3fca26a5de Add support for SMB_COM_TRANSACTION2 data blocks and params 2015-02-23 16:37:39 -06:00
jvazquez-r7 a06d07d6da Clean smb_cmd_trans2_query_file_information dispatching 2015-02-23 12:03:08 -06:00
jvazquez-r7 3d7381b62a Handle TRANS2 commands 2015-02-23 11:33:49 -06:00
HD Moore e5e3474af4 Handle ICMP "protocol not available" errors as connection errors 2015-02-22 16:36:53 -06:00
BAZIN-HSC d8132f86ff adjust buffer size 2015-02-22 08:51:16 +01:00
sinn3r 85871ab822 Fix #4382, Make errors more meaningful
Fix #4382
2015-02-20 20:09:58 -06:00
jvazquez-r7 52a0e6dd1c Mark a couple of handlers for later review 2015-02-20 16:28:04 -06:00
BAZIN-HSC 0d53dc1d13 use a buffer to avoid memory use on the victim's machine
use a buffer to avoid memory use on the victim's machine
use attacker memory to store files
avoid bugs on large files
2015-02-20 20:02:09 +01:00
jvazquez-r7 a91d19e0e7 Add template for SMB_QUERY_FILE_STANDARD_INFO 2015-02-20 10:58:15 -06:00
jvazquez-r7 21978a1bfe Add template for SMB_QUERY_FILE_BASIC_INFO 2015-02-20 10:40:45 -06:00
jvazquez-r7 cf63e09188 Add templates for SMB_FIND_FILE_FULL_DIRECTORY_INFO_HDR and SMB_FIND_FILE_NAMES_INFO_HDR 2015-02-20 09:17:51 -06:00
BAZIN-HSC fe75a31a59 NTFS parser optimisation
The NTFS parser does not automatically gather non-resident attributes
that were not necessary.
Railgun is called 17 times instead of 32 in an example on ntds.dit.
2015-02-20 13:11:53 +01:00
jvazquez-r7 f2405a5dc0 Create SMB_FIND_FILE_BOTH_DIRECTORY_INFO_HDR_LENGTH constant 2015-02-20 00:35:26 -06:00
jvazquez-r7 571dffa317 Create template for SMB_FIND_FILE_BOTH_DIRECTORY_INFO 2015-02-20 00:22:33 -06:00
jvazquez-r7 94ad64546c Create TRANS2_PARAMETERS template 2015-02-19 23:16:52 -06:00
jvazquez-r7 b24b94ddd3 Do first cleanup of find_first2 handlers 2015-02-19 19:08:56 -06:00
jvazquez-r7 874031b96d Delete require 2015-02-18 13:44:31 -06:00
jvazquez-r7 415c671416 Move Rex code, we'll redesign as mixin 2015-02-18 13:44:02 -06:00
jvazquez-r7 f960a77754 Solve merging conflicts 2015-02-18 11:36:47 -06:00
Matthew Hall 934af4cee9 Merge branch 'master' into module-smbfileserver 2015-02-17 17:01:44 +00:00
Matthew Hall 49971a6bc3 Add two more constants and handlers seen during testing. 2015-02-17 16:48:11 +00:00
sinn3r 0597d2defb Land #4560, Massive Java RMI update 2015-02-17 10:07:07 -06:00
Brent Cook b4cf2f5d8c use correct response filter TLV_TYPE_VALUE_NAME 2015-02-17 08:46:25 -06:00
Matthew Hall 1f6aebe3df Move to using constant values.
This commit adds several constants for TRANS2, QUERY_PATH_INFO, MAX_DATA_COUNT,
and NT2 FLAG2 Bits to smb/constants.rb, which have then been utilised in smb/server.rb
to reduce the use of magic values.
2015-02-17 14:31:31 +00:00
Brent Cook 8f74f8eeed pass down the new permissions parameters 2015-02-17 06:11:20 -06:00
Brent Cook 503f58375b add direct registry access methods
Rather than operating on a passed-in HKEY, these open and close the registry
key directly for each operation.

This pattern better reflects the actual API usage within msf, and removes extra
round-trips to open and close the registry key, reducing traffic and increasing
performance. I did not add direct versions of every registry operation.
There was no benefit for more rarely-used operations, other than requiring more
churn in the meterpreters.

The primary beneficiary of this is post exploitation modules that do registry
or service enumeration. See #3693 for test cases.
2015-02-17 06:11:20 -06:00
Matthew Hall 3110c7b40f Adds smb_cmd_trans_find_first2_full to respond to "Find File Full Directory Info" FIND_FIRST2 requests,
as seen when using "type \\ip\share\file".
2015-02-17 11:37:44 +00:00
sinn3r 50c72125a4 ::Errno::EINVAL, disable obfuscation, revoke ms14-064 2015-02-12 11:54:01 -06:00
sinn3r 22811257db Fix #4711 - Errno::EINVAL (getpeername(2)) BrowserAutoPwn Fix
This patch fixes #4711.

The problem here is that the browser will sometimes shut down some of our
exploit's connections (in my testing, all Java), and that will cause Ruby
to call rb_sys_fail with "getpeername(2)". The error goes all the
way to Rex::IO::StreamServer's monitor_listener method, which triggers a
"break" to quit monitoring. This then causes another chain of reactions
that eventually forces BrowserAutoPwn to quit completely (while the
JavaScript on the browser is still running).
2015-02-10 18:28:02 -06:00
Meatballs 33560a2657 Refactor Msf::Exploit::Powershell to Rex::Powershell to allow for
msfvenom usage.
2015-02-10 20:53:46 +00:00
jvazquez-r7 1f4fdb5d18 Update from master 2015-02-10 10:47:17 -06:00
Meatballs 133ae4cd04 Land #4679, Windows Post Gather File from raw NTFS. 2015-02-08 18:50:50 +00:00
Bazin Danil 8cefe637df bug with testing Win2k8 correction 2015-02-08 17:28:33 +01:00
Meatballs 358ab2590e Small tidyup 2015-02-07 11:35:47 +00:00
Bazin Danil 970c5d115a spellcheck 2015-02-05 22:08:39 +01:00
HD Moore ffe0e52cb6 The iax2 stack now works properly with asterisk 1.8
Note that the requirecalltoken=no setting is still required in the asterisk configuration at this point.
2015-02-02 22:29:13 -06:00
HD Moore 0ba34422d5 Pass the debugging option for IAX2 Client 2015-02-02 21:08:16 -06:00
Bazin Danil fbb85c0391 using string concatenation for performance 2015-01-31 05:13:44 +01:00
Bazin Danil d9c64397fd shorten the line, using more variables 2015-01-31 04:32:32 +01:00
Bazin Danil 0fce908045 add constant class 2015-01-31 04:19:27 +01:00
Bazin Danil f4ec6bdc78 - use non-native pack/unpack directives
- coding: binary
- use constant for data_attribute
2015-01-31 03:59:23 +01:00
Bazin Danil 68b735dbda Add a NTFS parser and a post module to dump files
This commit adds a draft of an NTFS parser and a post module
to gather files using the raw NTFS device (\\.\C:),
bypassing restrictions like already-open files with locks.
Can be used to retrieve files like NTDS.DIT without a volume shadow copy.
2015-01-30 19:16:44 +01:00
Meatballs 02864b4401 Railgun DWORD handling 2015-01-30 11:20:03 +00:00
William Vu aec0067d14 Land #4673, screenshot -v hardcoded false fix 2015-01-29 19:40:15 -06:00
sinn3r 823c75908d Fix #4672 - Fix Hardcoded false for screenshot -v
Fix #4672
2015-01-29 16:54:41 -06:00
Brent Cook 212aeb9106 Improve utility of meterpreter file upload command
Rather than assume that the destination argument is a directory, check
first, and then do the same thing that 'cp' would do.

 - If dest exists and is a directory, copy to the directory.
 - If dest exists and is a file, copy over the file.
 - If dest does not exist and is a directory, fail.
 - If dest does not exist and is a file, create the file.
2015-01-29 13:45:15 -06:00
James Lee bb17d75425 Replace direct class comparison with kind_of? 2015-01-28 17:00:15 -06:00
Brent Cook 65d71a5e18 Fix #4625 Reenable channel receive packet requeueing logic
In #4475, I incorrectly interpreted the role of the 'incomplete' array
in monitor_socket, and that change should be reverted.

What appears to happen is, we play a kind of 3-card monte with the list
of received packets that are waiting for a handler to use them.
monitor_socket continually loops between putting the packets on @pqueue,
then into backlog[] to sort them, then into incomplete[] to list all of
the packets that did not have handlers, finally back into @pqueue again.
If packets don't continually get shuffled back into incomplete, they are
not copied back into @pqueue to get rescanned again.

The only reason anything should really get into incomplete[] is if we
receive a packet, but there is nothing to handle it. This scenario
sounds like a bug, but it is exactly what happens with the Tcp Client
channel - one can open a new channel, and receive a response packet back
from the channel before the subsequent read_once code runs to register a
handler to actually process it. This would be akin to your OS
speculatively accepting data on a TCP socket with no listener, then when
you open the socket for the first time, it's already there.

While it would be nice if the handlers were set up before the data was
sent back, rather than relying on a handler being registered some time
between connect and PacketTimeout, this needs to get in now to stop the
bleeding. The original meterpreter crash issue from #4475 appears to be
gone as well.
2015-01-23 08:50:37 -06:00
jvazquez-r7 4311226840 Add documentation for Rex::Java::Serialization::Builder 2015-01-20 11:26:52 -06:00
jvazquez-r7 0584ae8177 Add Rex::Java::Serialization::Builder#new_object 2015-01-20 10:31:37 -06:00
jvazquez-r7 6ca86256cf Add Rex::Java::Serialization::Builder#new_array 2015-01-20 10:23:09 -06:00
jvazquez-r7 ec57387821 Add Rex::Java::Serialization::Builder#new_class 2015-01-19 11:54:12 -06:00
jvazquez-r7 4220a5e60f Use Rex::Java::Serialization::Builder#new_class 2015-01-19 11:53:53 -06:00
William Vu cb0257bec7 Land #4576, OpenVAS database import fix 2015-01-18 00:45:36 -06:00
nstarke 55a746eeb7 Changing code to catch everything extraneous 2015-01-17 15:46:26 +00:00
jvazquez-r7 697e4fbd41 Land #4584, @sgabe's fix for egghunter searchforward 2015-01-16 19:36:52 -06:00
jvazquez-r7 a42b095472 Delete heaponly option 2015-01-16 19:35:57 -06:00
jvazquez-r7 859a8978e7 Allow searchforward to be an string 2015-01-16 19:33:19 -06:00
sgabe 3297d198f3 Fix search-forward option in regular egghunter 2015-01-16 22:16:30 +01:00
sgabe 95eab85df4 Add support for heap-only search in regular egghunter 2015-01-13 21:31:13 +01:00
Jon Hart 5cc7d5d1a8 Remove errant pry 2015-01-13 10:35:05 -08:00
jvazquez-r7 0babde8c1a Fix specs 2015-01-13 10:48:23 -06:00
jvazquez-r7 4351964290 Change module filename 2015-01-13 10:46:14 -06:00
jvazquez-r7 3946b95bc3 Update rex code and specs 2015-01-13 10:45:00 -06:00
jvazquez-r7 1f0b986bf1 Change filenames 2015-01-13 10:43:27 -06:00
Jon Hart 69f03f5c5d Move ACPP default port into Rex 2015-01-12 19:43:57 -08:00
Jon Hart d5cdfe73ed Big style cleanup 2015-01-12 19:11:14 -08:00
nstarke 9baae6e494 Potential Fix For OpenVAS DB Import Issue 2015-01-13 02:46:13 +00:00
Jon Hart ec506af8ea Make ACPP login work 2015-01-12 14:01:23 -08:00
Jon Hart 691ed2cf14 More cleanup
Don't validate checksums by default until they are better understood
Handle the unknowns a bit better
Make checksum failures more obvious why it failed
2015-01-12 13:08:12 -08:00
Jon Hart 97f5cbdf08 Add initial Airport ACPP login scanner 2015-01-12 13:08:12 -08:00
Jon Hart fba6945e9a Doc payload oddness. Add more checksum tests 2015-01-12 13:08:12 -08:00
Jon Hart 54eab4ea3d Checksum validation, more tests 2015-01-12 13:08:12 -08:00
Jon Hart 7e4dd4e55b Add ACPP decoding capabilities 2015-01-12 13:08:12 -08:00
Jon Hart 2af82ac987 Some preliminary Apple Airport admin protocol (ACPP?) support 2015-01-12 13:08:11 -08:00
jvazquez-r7 d59805568e Do first module refactoring try 2015-01-07 19:06:09 -06:00
jvazquez-r7 731c2f99d1 Handle better java references 2015-01-07 15:19:28 -06:00
Meatballs 0b0ac1455a Merge remote-tracking branch 'upstream/master' into extapi_service_post
Conflicts:
	test/modules/post/test/services.rb
2015-01-07 20:53:34 +00:00
jvazquez-r7 ba13e9d64c Add Stream spec 2015-01-07 12:05:44 -06:00
jvazquez-r7 98ec08ae0d Add support for Ping and PingAck 2015-01-06 15:18:55 -06:00
jvazquez-r7 1e3b24f01b Add support for DbgAck 2015-01-06 15:00:17 -06:00
jvazquez-r7 6d1d300e72 Add support for ReturnData 2015-01-06 12:52:00 -06:00
jvazquez-r7 825e08f5ac Add support for Call messages 2015-01-06 12:36:06 -06:00
jvazquez-r7 f3ff42dbfb Add support for Continuation 2015-01-06 11:34:47 -06:00
William Vu 0bece137c1 Land #4494, Object.class.to_s fix 2015-01-06 02:27:35 -06:00
jvazquez-r7 757f95a24d Add support for ProtocolAck 2015-01-06 00:14:14 -06:00
jvazquez-r7 26da73ffb8 Change class name 2015-01-05 19:23:07 -06:00
jvazquez-r7 d5dfd75e71 Add initial model and support to OutputStream 2015-01-05 18:52:13 -06:00
Meatballs dd5c638ab0 Merge remote-tracking branch 'upstream/master' into extapi_service_post 2015-01-05 22:18:44 +00:00
OJ 17ff546b0f Remove unnecessary calls to expand path
When using the Meterpreter Binaries gem to locate the path to the
meterpreter DLLs, it's not necessary to use File.expand_path on
the result because the gem's code does this already.

This commit simply removes those unnecessary calls.
2015-01-03 08:30:26 +10:00
sinn3r d45cdd61aa Resolve #4507 - respond_to? + send = evil
Since Ruby 2.1, the respond_to? method is more strict because it does
not check protected methods. So when you use send(), clearly you're
ignoring this type of access control. The patch is meant to preserve
this behavior to avoid potential breakage.

Resolve #4507
2015-01-02 13:29:17 -06:00
Christian Mehlmauer 4f11dc009a fixes #4490, class.to_s should not be used for checks 2014-12-31 10:46:24 +01:00
jvazquez-r7 722f86f361 Try to guess TMPDIR folder 2014-12-30 18:39:29 -06:00
jvazquez-r7 7596d211e9 Use length for comparison 2014-12-30 18:39:18 -06:00
jvazquez-r7 e903044fd5 Allow to provide writable dir 2014-12-30 18:36:30 -06:00
jvazquez-r7 f17a7e8a61 Better handling of the unix domain socket argument 2014-12-30 18:36:28 -06:00
jvazquez-r7 4df4e8b9d6 Add support for linux meterpreter migration 2014-12-30 18:34:24 -06:00
jvazquez-r7 56df2d0062 Add support for linux meterpreter migrate types 2014-12-30 18:30:15 -06:00
Tod Beardsley 135faeee29 Land #4095, specs for Rex::OLE 2014-12-30 14:25:09 -06:00
Tod Beardsley a8e907d68b Land #4479, nil comparisons and missing DLLs
Also fixes #4474.
2014-12-30 13:55:54 -06:00
Brent Cook bdac5db695 remove usage of ==/!= nil
Adjust all module-loading libraries to have consistent nil?/!nil? checking and
'if' style.
2014-12-30 10:59:49 -06:00
Jon Hart d727ac5367 Alias Rex::Ui::Text::Output::Tee print_raw to write, fixes #4469 and #4363 2014-12-29 16:47:04 -08:00
sinn3r 555713b6ae Land #4456 - MS14-068, Kerberos Checksum (plus krb protocol support) 2014-12-29 16:09:28 -06:00
Brent Cook 5d70b837ed handle nil results from MeterpreterBinaries.path
When a meterpreter binary cannot be found, give the user some hint about what
went wrong.

```
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.43.1
lhost => 192.168.43.1
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.43.1:4444
[*] Starting the payload handler...
[*] Sending stage (770048 bytes) to 192.168.43.252
[*] Meterpreter session 1 opened (192.168.43.1:4444 -> 192.168.43.252:49297) at 2014-12-29 12:32:37 -0600

meterpreter > use mack
Loading extension mack...
[-] Failed to load extension: No module of the name ext_server_mack.x86.dll found
```

This is also useful for not scaring away would-be developers who replaced only
half (the wrong half) of their DLLs from a fresh meterpreter build and
everything exploded. Not that that's ever happened to me :)
2014-12-29 12:34:02 -06:00
Tod Beardsley 72eb8e6503 Land #4475, inverted timeout fix 2014-12-29 11:37:28 -06:00
Brent Cook bbb41c39b8 fix backward meterpreter packet timeout logic
The current logic times out every packet almost immediately, making it possible
for almost any non-trivial meterpreter session to receive duplicate packets.

This causes problems especially with any interactions that involve passing
resource handles or pointers back and forth between MSF and meterpreter, since
meterpreter can be told to operate on freed pointers, double-closes, etc.

This probably fixes tons of heisenbugs, including #3798.

To reproduce this, I enabled all debug messages in meterpreter to slow it
down, then ran this RC script with a reverse TCP meterpreter, after linking in
the test modules:

(cd modules/post
 ln -s ../../test/modules/post/test)

die.rc:
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.43.1
exploit -j
sleep 5
use post/test/services
set SESSION 1
run
2014-12-29 08:15:51 -06:00
jvazquez-r7 d148848d31 Support Kerberos error codes 2014-12-24 18:05:48 -06:00
jvazquez-r7 05a9ec05e8 raise NotImplementedError 2014-12-23 19:59:37 -06:00
jvazquez-r7 4493b3285c Raise NoMethodError for methods designed to be overridden 2014-12-23 19:51:41 -06:00
jvazquez-r7 fee033d6df Use Rex::Text.md5_raw 2014-12-23 19:30:23 -06:00
Matthew Hall 3c10b04673 add start of rspec tests 2014-12-23 16:35:27 +00:00
Matthew Hall fca0484639 fix a few bugs with the code cleanup 2014-12-23 15:28:00 +00:00
Matthew Hall 6b98a7d444 Tidy up by removing some duplicate code; add framework to track payload requests through the file id 2014-12-23 14:14:06 +00:00
Meatballs b41e259252 Move it to a common method 2014-12-23 11:16:07 +00:00
jvazquez-r7 13ec578d1a Revert "Back to Create OpenSSL::BN from string"
This reverts commit 635a54ca94.
2014-12-22 23:17:03 -06:00
jvazquez-r7 635a54ca94 Revert "Create OpenSSL::BN from string"
This reverts commit fe99b65a62.
2014-12-22 19:14:07 -06:00
jvazquez-r7 fe99b65a62 Create OpenSSL::BN from string 2014-12-22 18:44:47 -06:00
jvazquez-r7 d12b43d257 Use Integer.new 2014-12-22 18:37:07 -06:00
jvazquez-r7 ad97457a39 Move more constants to Crypto 2014-12-22 15:27:16 -06:00
jvazquez-r7 75a2846377 Add more PAC constants 2014-12-22 15:14:46 -06:00
jvazquez-r7 5a6c915123 Clean options 2014-12-22 14:37:37 -06:00
jvazquez-r7 ff208002d7 Reorganize the Crypto mixin 2014-12-22 11:57:35 -06:00
jvazquez-r7 9f1403a63e Add initial specs for Msf::Kerberos::Client::TgsResponse 2014-12-20 20:29:00 -06:00
jvazquez-r7 5f0c3ebb2b Add documentation for Msf::Kerberos::Client::TgsResponse and TgsRequest 2014-12-20 19:32:38 -06:00
jvazquez-r7 e35218b6f1 Add documentation for Msf::Kerberos::Client::CacheCredential 2014-12-20 18:28:36 -06:00
Tod Beardsley d3050de862 Remove references to Redmine in code
See #4400. This should be all of them, except for, of course, the module
that targets Redmine itself.

Note that this also updates the README.md with more current information
as well.
2014-12-19 17:27:08 -06:00
jvazquez-r7 fad08d7fca Add specs for Rex Kerberos client 2014-12-19 12:14:33 -06:00
jvazquez-r7 f4037b1003 Clean Kerberos Rex client code 2014-12-19 11:08:48 -06:00
jvazquez-r7 dfa92da287 Add TODO 2014-12-19 01:13:56 -06:00
jvazquez-r7 77e2d4d90d Add documentation for the Kerberos PAC support classes 2014-12-19 01:12:14 -06:00
jvazquez-r7 fda4cd3440 Fix some Rex Kerberos model documentation 2014-12-18 19:30:12 -06:00
jvazquez-r7 c426cf32d0 Add specs for Rex::Proto::Kerberos::CredentialCache::Principal 2014-12-18 17:40:06 -06:00
jvazquez-r7 16d5ee1aae Add documentation for the rex credential cache support 2014-12-18 17:12:58 -06:00
jvazquez-r7 7275f5a5f2 Allow Rex to load credential_cache 2014-12-18 16:32:21 -06:00
jvazquez-r7 f325d2f60e Add support for cache credentials in the mixin 2014-12-18 16:31:46 -06:00
jvazquez-r7 0a61e108ea Add code skeleton for credential_cache 2014-12-18 00:30:47 -06:00
jvazquez-r7 0f19f3cf2e Add classes templates 2014-12-17 23:16:58 -06:00
jvazquez-r7 f3f6a64f02 Add some AS response methods to a mixin 2014-12-17 19:50:42 -06:00
jvazquez-r7 8e570cc19b Initial support to send TGS-REQ 2014-12-17 18:55:30 -06:00
jvazquez-r7 594b9bcfc2 Add support for AuthorizationData 2014-12-16 23:21:13 -06:00
HD Moore 9de4137aa7 Patch UA/Proxy settings during migration, lands #3632 2014-12-16 22:21:48 -06:00
Sean Verity 1930eb1bf8 Refactors metsrv patching in reverse_http.rb 2014-12-17 10:04:43 -05:00
jvazquez-r7 2649d482fe Add support for KRB_AP_REQ 2014-12-16 18:39:42 -06:00
jvazquez-r7 0f55a98450 Add support for Authenticator encoding 2014-12-16 17:45:54 -06:00
jvazquez-r7 dde45a7f53 Add support for Checksum encoding 2014-12-16 17:05:35 -06:00
jvazquez-r7 a93cbac7bf Support ticket encoding 2014-12-16 16:04:13 -06:00
jvazquez-r7 ce6b53b44c Fix attribute description 2014-12-16 11:39:04 -06:00
jvazquez-r7 a5f8b4319f Add support to encode PAC-TYPE 2014-12-16 11:31:27 -06:00
jvazquez-r7 1721641138 Add support for PAC-LOGON-INFO 2014-12-16 09:32:47 -06:00
Sean Verity 52b3025351 Reworked to avoid extending String class on blob per hdm's rec. 2014-12-15 21:40:41 -05:00
jvazquez-r7 c1114c180a Add support for PAC-CLIENT-INFO 2014-12-15 17:32:51 -06:00