Commit Graph

2209 Commits (30a86a12041197e56699f049623a6b45259f95ac)

Author SHA1 Message Date
Spencer McIntyre 6ab7c314de Pymet fix reverse_tcp transport for IPv6 addresses 2015-07-02 08:33:11 -04:00
Spencer McIntyre dbe239bc75 Pymet fix transport next and prev for one transport 2015-07-02 08:23:02 -04:00
wchen-r7 482247771d Add a fingerprint for Windows 10 + IE11 2015-07-01 18:06:25 -05:00
wchen-r7 cd688437ac Add support for Windows 10 for os.js
Resolves #4248
2015-07-01 15:02:22 -05:00
Spencer McIntyre b1b21c4bef Pymet fixes for Python 3.x 2015-07-01 14:32:12 -04:00
jvazquez-r7 1de94a6865
Add module for CVE-2015-3113 2015-07-01 13:13:57 -05:00
Spencer McIntyre 2a891c50eb Pymet transport stabilty and correction 2015-07-01 11:12:30 -04:00
Spencer McIntyre 4b5b7c8a27 Pymet support for core_transport_remove 2015-06-30 15:46:33 -04:00
Spencer McIntyre 6a45e19636 Pymet fix bind and tcp socket cleanup logic 2015-06-30 15:25:23 -04:00
Spencer McIntyre 3d49781230 Pymet support for core_transport_sleep 2015-06-29 18:34:35 -04:00
Spencer McIntyre 9a8ffacfd1 Pymet transport changing improvements 2015-06-29 14:00:07 -04:00
Spencer McIntyre 00742ea924 Pymet cleaner transport switching with responses 2015-06-28 13:16:00 -04:00
Spencer McIntyre f6fa462bdc Pymet support for changing transports 2015-06-27 20:57:45 -04:00
Spencer McIntyre 175d9cdcb1 Pymet support for creating and listing transports 2015-06-26 16:52:55 -04:00
Spencer McIntyre 79185e91c6 Refactor the pymet to use transport objects 2015-06-26 14:56:31 -04:00
Spencer McIntyre 7aae9b210e Add pymet support for core_enumextcmd 2015-06-26 11:32:51 -04:00
jvazquez-r7 ee0377ca16
Add module for CVE-2015-3105 2015-06-25 13:35:01 -05:00
OJ ae41f2bfa0 Update exploit binaries for ms15-051 2015-06-25 09:33:15 +10:00
Brent Cook e75287875b hack android-specific commands back to life 2015-06-22 20:41:58 -05:00
OJ 3686accadd
Merge branch 'upstream/master' into cve-2015-1701 2015-06-22 07:52:17 +10:00
jvazquez-r7 04901baab8
Land #5572 @todb-r7's adds snowden's password to unix_passwords.txt 2015-06-19 17:01:22 -05:00
Tod Beardsley b580f93c22
New password from Snowden 2015-06-19 15:37:48 -05:00
jvazquez-r7 d116f1efd5
Land #5566, @wchen-r7 fixes #5565 modifying os.js 2015-06-19 11:07:00 -05:00
wchen-r7 308cad8c40 Fix #5565, Fix os.js service pack detection
Fix #5565
2015-06-18 18:51:16 -05:00
jvazquez-r7 de1542e589
Add module for CVE-2015-3090 2015-06-18 12:36:14 -05:00
wchen-r7 17b8ddc68a
Land #5524, adobe_flash_pixel_bender_bof in flash renderer 2015-06-15 02:42:16 -05:00
jvazquez-r7 72672fc8f7
Delete debug 2015-06-11 17:39:36 -05:00
jvazquez-r7 8ed13b1d1b
Add linux support for CVE-2014-0515 2015-06-11 16:18:50 -05:00
wchen-r7 ae21b0c260
Land #5523, adobe_flash_domain_memory_uaf in the flash renderer 2015-06-10 16:59:19 -05:00
wchen-r7 4c5b1fbcef
Land #5522, adobe_flash_worker_byte_array_uaf in the flash renderer 2015-06-10 14:49:41 -05:00
jvazquez-r7 7527aa4f34
Disable debug 2015-06-10 14:07:18 -05:00
jvazquez-r7 6c7ee10520 Update to use the new flash Exploiter 2015-06-10 13:52:43 -05:00
jvazquez-r7 7fba64ed14
Allow more search space 2015-06-10 12:26:53 -05:00
jvazquez-r7 ecbddc6ef8
Play with memory al little bit better 2015-06-10 11:54:57 -05:00
wchen-r7 d622c782ef
Land #5519, adobe_flash_uncompress_zlib_uninitialized in the flash renderer 2015-06-10 11:52:47 -05:00
jvazquez-r7 2b4fe96cfd Tweak Heap Spray 2015-06-10 10:56:24 -05:00
jvazquez-r7 a6fe383852
Use AS Exploiter 2015-06-10 09:32:52 -05:00
jvazquez-r7 e5d6c9a3cb Make last code cleanup 2015-06-09 16:01:57 -05:00
jvazquez-r7 cf8c6b510b
Debug version working 2015-06-09 15:46:21 -05:00
jvazquez-r7 39851d277d
Unset debug flag 2015-06-09 11:36:09 -05:00
jvazquez-r7 b7f0fad72f
Modify CVE-2014-0569 to use the flash exploitation code 2015-06-09 11:31:39 -05:00
Tod Beardsley f29b38b602
Add the top 20 keyboard patterns as passwords
See https://wpengine.com/unmasked/ for lots more, but this
covers the gif at

https://wpengine.com/unmasked/assets/images/commonkeyboardpatterns.gif
2015-06-05 16:46:08 -05:00
OJ b291d41b76 Quick hack to remove hard-coded offsets 2015-06-05 13:19:41 +10:00
jvazquez-r7 02181addc5
Update CVE-2014-0556 2015-06-04 18:23:50 -05:00
wchen-r7 23df66bf3a
Land #5481, no powershell. exec shellcode from the renderer process. 2015-06-04 15:45:09 -05:00
jvazquez-r7 ab68d8429b Add more targets 2015-06-04 12:11:53 -05:00
jvazquez-r7 80cb70cacf
Add support for Windows 8.1/Firefox 2015-06-03 22:46:04 -05:00
jvazquez-r7 74117a7a52
Allow to execute payload from the flash renderer 2015-06-03 16:33:41 -05:00
OJ 455a3b6b9d
Add butchered version of CVE-2015-1701 2015-06-03 21:48:23 +10:00
Brent Cook 64e86165ef remove android meterpreter bins, update to payloads 1.0.2
This switches us to using the Android payload files from the
metasploit-payloads gem
2015-06-01 09:14:31 -05:00
Brent Cook 7d5af66fa0 Merge branch 'master' into land-5367-uuid-stagers 2015-05-29 13:00:35 -05:00
wchen-r7 737559bcbb
Land #5180, VBA Powershell for Office Macro 2015-05-28 19:55:27 -05:00
jvazquez-r7 e9714bfc82
Solve conflics 2015-05-27 23:22:00 -05:00
wchen-r7 e749733eb6
Land #5419, Fix Base64 decoding on ActionScript 2015-05-27 23:13:51 -05:00
jvazquez-r7 e5d42850c1
Add support for Linux to CVE-2015-0336 2015-05-27 17:05:10 -05:00
jvazquez-r7 801deeaddf Fix CVE-2015-0336 2015-05-27 15:42:06 -05:00
jvazquez-r7 bd1bdf22b5
Fix CVE-2015-0359 2015-05-26 17:27:20 -05:00
jvazquez-r7 19c7445d9d
Fix CVE-2015-0336 2015-05-26 17:20:49 -05:00
jvazquez-r7 23d244b1fa
Fix CVE-2015-0313 2015-05-26 16:11:44 -05:00
jvazquez-r7 5c8c5aef37
Fix CVE-2014-8440 2015-05-26 16:05:08 -05:00
jvazquez-r7 d78d04e070
Fix CVE-2014-0569 2015-05-26 15:49:22 -05:00
jvazquez-r7 e0a1fa4ef6
Fix indentation 2015-05-26 15:38:56 -05:00
jvazquez-r7 1742876757
Fix CVE-2014-0556 2015-05-26 15:30:39 -05:00
jvazquez-r7 3e122fe87c
Fix b64 decoding 2015-05-26 15:15:33 -05:00
jvazquez-r7 29ccc8367b
Add More messages 2015-05-26 14:47:47 -05:00
jvazquez-r7 1bf1c37cfa
Add exception handling 2015-05-26 14:31:07 -05:00
jvazquez-r7 fb8a927941
Hardcode params 2015-05-26 14:20:43 -05:00
jvazquez-r7 f119da94ca
Add one more message 2015-05-26 14:14:38 -05:00
jvazquez-r7 15533fabe6
Log messages 2015-05-26 14:08:24 -05:00
jvazquez-r7 91357ee45b
Improve reliability 2015-05-26 13:47:33 -05:00
OJ 9e50114082
Merge branch 'upstream/master' into uuid-stagers 2015-05-25 11:22:35 +10:00
OJ 1c73c190fc Add machine_id support to windows php meterp 2015-05-22 14:55:29 +10:00
jvazquez-r7 f35d7a85d3
Adjust numbers 2015-05-21 15:56:11 -05:00
jvazquez-r7 80d4f3cfb0
Update swf 2015-05-21 14:55:00 -05:00
jvazquez-r7 8d6cbf0568
Make adobe_flash_uncompress_zlib_af multiplatform 2015-05-20 18:57:37 -05:00
benpturner c0b995cc97 new changes 2015-05-19 16:18:06 +01:00
benpturner b513304756 new changes 2015-05-19 15:47:30 +01:00
benpturner 0cda746bfb Updated size 2015-05-19 14:08:59 +01:00
benpturner 811c45ab90 new 2015-05-19 14:06:41 +01:00
OJ 24526c2ef9 Removed unused data files 2015-05-18 21:46:05 +10:00
OJ 9296a024e2 PHP meterpreter refactoring in prep for uuid work 2015-05-18 17:40:48 +10:00
OJ 0d56b3ee66 Stage UUIDs, generation options, php and python meterp uuid 2015-05-18 13:29:46 +10:00
Brent Cook 5cf6d28c34
Land #5426, use RAW for TLV hash binary data 2015-05-15 11:54:45 -05:00
wchen-r7 25099dd877
Land #5212, HTA Powershell template 2015-05-15 11:49:07 -05:00
wchen-r7 3bc3614be6 Do a check for powershell.exe before running it. 2015-05-15 11:48:21 -05:00
Brent Cook c614f6059d Merge branch 'master' into land-5326- 2015-05-15 11:29:54 -05:00
benpturner d4798a2500 Fix spacinG 2015-05-11 09:04:03 +01:00
benpturner c916021fc5 SSL Support for Powershell Payloads 2015-05-10 21:45:59 +01:00
Tim d3ba84b378
Add TLV_TYPE_FILE_HASH 2015-05-10 14:18:16 +01:00
jvazquez-r7 c103779eab
Land #5080, @bcook-r7's 'ls' and 'download' meterpreter improvements 2015-05-08 18:02:16 -05:00
William Vu 71518ef613
Land #5303, metasploit-payloads Java binaries 2015-05-07 22:39:54 -05:00
jvazquez-r7 51bb4b5a9b
Add module for CVE-2015-0359 2015-05-07 17:00:00 -05:00
jvazquez-r7 582919acac
Add module for CVE-2015-0336 2015-05-05 17:25:19 -05:00
Brent Cook f0c989c1b5 remove java payloads and jars 2015-05-05 15:01:00 -05:00
Brent Cook 05e4af8162
Land #5214, initial meterpreter session recovery support 2015-05-04 16:25:27 -05:00
Brent Cook cda7dc3494 remove old posix meterpreter bins 2015-05-04 09:44:37 -05:00
Brent Cook d934027b3b expand glob match 2015-05-04 03:56:15 -05:00
Brent Cook c5c7242374 teach pymet how to glob on ls as well 2015-05-04 03:56:14 -05:00
wchen-r7 17e54fff1f
Land #5275, Flash CVE-2014-8440 2015-04-30 12:14:06 -05:00
William Vu cbaaea2ce4
Land #5278, D-Link Telnet passwords 2015-04-30 11:23:33 -05:00
jvazquez-r7 dbba466b5b
Add module for CVE-2014-8440 2015-04-29 17:52:04 -05:00
m-1-k-3 f2b50e1e2f removed empty line 2015-04-27 05:29:47 +02:00
HD Moore 1fd601510c
Lands #5194, merges in PowerShell session support & initial payloads 2015-04-26 16:01:51 -05:00
benpturner 76e68fcf4c session info 2015-04-26 20:13:18 +01:00
m-1-k-3 f74d385b6a dlink telnet passwords added from firmware.re 2015-04-26 02:29:30 +02:00
benpturner aa4dc78cba updates to author comments in powershell script 2015-04-25 08:47:17 +01:00
benpturner 19aa668f99 updates to include reverse and bind 2015-04-22 20:41:19 +01:00
Brent Cook 5140b8cf9c fix crash on fork with OSX Python meterpreter using SystemConfiguration
Calling into SystemConfiguration before forking seems to allow the child
process to use it without a null pointer dereference.
2015-04-21 17:17:27 -05:00
Meatballs 381f6ffe0a
HTA Powershell template 2015-04-20 23:19:54 +01:00
Meatballs b0d50dc2be
Create our own Rex connection to the endpoint
Ensure powershell process closes when module completes
Add a windows cmd interact payload
2015-04-19 23:41:28 +01:00
Meatballs 8bd0da580d
Move script out of module 2015-04-19 21:12:44 +01:00
Meatballs b229e87940
Create VBA powershell 2015-04-17 16:52:12 +01:00
Meatballs 15eef6e8de
Dont fork on OSX 2015-04-17 11:43:07 +01:00
jvazquez-r7 28fac60c81
Add module for CVE-2015-0556 2015-04-15 14:08:16 -05:00
William Vu 8d1126eaa5
Land #5129, x64 BSD prepend stubs 'n' stuff 2015-04-14 01:24:50 -05:00
joev 2d3614f647 Implement x64 BSD exec and exe template.
- Fixes bug in CachedSize due to all options being set
- Adds new payload to payload_spec.
2015-04-12 12:17:25 -05:00
joev 3313dac30f
Land #5119, @wvu's addition of the OSX rootpipe privesc exploit.
orts
borts
2015-04-10 12:38:25 -05:00
William Vu c4b7b32745 Add Rootpipe exploit 2015-04-10 11:22:00 -05:00
jvazquez-r7 91f5d0af5a
Add module for CVE-2014-0569
* Adobe flash, Integer overflow on casi32
2015-04-09 19:37:26 -05:00
OJ 2977cbd42a Merge branch 'upstream/master' into dynamic-transport 2015-04-07 14:30:48 +10:00
Brent Cook 0d78834083 update meterpreter binaries 2015-04-03 05:47:18 -05:00
OJ fc44f5b1f4 Merge branch 'upstrea/master' into dynamic-transport
Small merge required with the https payload proxy changes.
2015-04-03 10:14:48 +10:00
sinn3r ec2f9e3c05 Add SSH root password 'arcsight' for HP ArcSight Logger
The default password for root is 'arcsight'
2015-04-02 11:04:07 -05:00
OJ 47fa97816d Code fixes as per suggestions, fix build
* Use of `ERROR_FAILURE_WINDOWS` in python meterpreter.
* Moving of constants/logic to client_core instead of
command_dispatcher.
* Fix spec include.
2015-04-02 09:05:38 +10:00
Tod Beardsley 293cbfc8f3
Slightly wanged one of the text bubbles 2015-04-01 06:46:50 -05:00
OJ 01bdf54487 Merge branch 'upstream/master' into dynamic-transport 2015-04-01 18:53:20 +10:00
OJ 02383d4e90 Add machine_id functionality to python meterpreter 2015-04-01 17:50:50 +10:00
Tod Beardsley 34d637c7b8
Needs more ponies 2015-03-31 13:59:37 -05:00
sinn3r 8ea1ffc6ff
Land #5030, CVE-2015-0313 Flash Exploit 2015-03-30 11:31:53 -05:00
jvazquez-r7 11c6f3fdca
Do reliable resolution of kernel32 2015-03-29 15:52:13 -05:00
jvazquez-r7 f84a46df63
Add module for CVE-2015-0313 2015-03-27 18:51:13 -05:00
Spencer McIntyre 10e8cefd6d Pymet dont validate ssl certs for 2.7.9/3.4.3 2015-03-25 19:49:42 -04:00
Spencer McIntyre 7282968d8a Python reverse HTTPS stager 2015-03-21 12:43:14 -04:00
Brent Cook b29d2b5e84 do not die if the uid/gid of a file is > 65535
The meterpreter stat command is a little broken in that it assumes uid/gids
16-bit. Prevent this from erroring with python meterpreter on a system with a
large uid/gid.
2015-03-20 22:34:01 -05:00
Spencer McIntyre 8608569964 Pymet support for creating and renaming unicode paths 2015-03-20 08:49:23 -04:00
Spencer McIntyre bac2e7c5f8 Pymet improved unicode support for working directories 2015-03-19 18:31:42 -04:00
Spencer McIntyre f9bf4e3100 Fix pymet for unicode files and directories
Closes #4958
2015-03-19 17:23:00 -04:00
Brent Cook 35d29f5d08 update linux meterpreter bins 2015-03-18 23:24:32 -05:00
Spencer McIntyre 076f15f933
Land #4792 @jakxx Publish It PUI file exploit 2015-03-18 20:59:54 -04:00
jakxx 085e6cc815 Implemented Recommended Changes
-corrected spelling error
-set only option to required
-dumped header data to included file
-Used Rex for jmp values
2015-03-17 16:39:56 -04:00
jvazquez-r7 bb81107e51 Land #4927, @wchen-r7's exploit for Flash PCRE CVE-2015-0318 2015-03-13 23:58:05 -05:00
sinn3r 0ee0a0da1c This seems to work 2015-03-13 04:43:06 -05:00
sinn3r 0c3329f69e Back on track 2015-03-12 15:26:55 -05:00
sinn3r 215c209f88
Land #4901, CVE-2014-0311, Flash ByteArray Uncompress UAF 2015-03-11 14:04:17 -05:00
sinn3r 43b90610b1 Temp 2015-03-11 13:53:34 -05:00
sinn3r 2a9d6e64e2 Starting point for CVE-2015-0318 2015-03-11 09:58:41 -05:00
jvazquez-r7 cb72b26874 Add module for CVE-2014-0311 2015-03-09 16:52:23 -05:00
Tod Beardsley df80d56fda
Land #4898, prefer URI to open-uri 2015-03-09 09:14:10 -05:00
joev d7295959ca Remove open-uri usage in msf. 2015-03-05 23:45:28 -06:00
jvazquez-r7 64fd818364
Land #4411, @bcook-r7's support for direct, atomic registry key access in meterpreter 2015-03-04 10:01:33 -06:00
Brent Cook 0988c5e691 use the correct implementation for query_value_direct 2015-03-03 22:29:23 -06:00
Ferenc Spala c498ba64e4 Added a new pair of default Tomcat credentials. QLogic's QConvergeConsole comes with a bundled Tomcat with a hard-coded username and password for the manager app. 2015-02-19 15:08:50 -06:00
sinn3r b90639fd66
Land #4726, X360 Software actvx buffer overflow 2015-02-17 11:41:23 -06:00
sinn3r 0597d2defb
Land #4560, Massive Java RMI update 2015-02-17 10:07:07 -06:00
Brent Cook cf0589f8c6 add support for direct reg access to pymeterpreter
When testing this, I found that the python meterpreter hangs running the
following, with or without these changes.

```
use exploit/multi/handler
set payload python/meterpreter/reverse_tcp
set PythonMeterpreterDebug true
set lhost 192.168.43.1
exploit -j
sleep 5
use exploit/windows/local/trusted_service_path
set SESSION 1
check
```

This turned out to be that pymeterpreter ate all the rest of the data in the
recv socket by consuming 4k unconditionally. This would only be exposed if
there were multiple simultaneous requests so the recv buffer filled beyond a
single request, e.g. when using the registry enumeration functions.
2015-02-17 06:11:20 -06:00
Brent Cook 7e9a331087 remove unused .class files
These were added for multi/browser/java_signed_applet, but the class
files are already packaged in a jar file, which is what is actually
used.
2015-02-12 16:08:29 -06:00
Brent Cook 7ab7add721 bump meterpreter_bins to 0.0.14, update Linux binaries.
Hopefully the last manual build before packaging the Linux bins into
meterpreter_bins as well.

This includes all of the fixes and improvements over the past month.

 rapid7/meterpreter#116
 rapid7/meterpreter#117
 rapid7/meterpreter#121
 rapid7/meterpreter#124
2015-02-10 12:43:47 -06:00
jvazquez-r7 1f4fdb5d18
Update from master 2015-02-10 10:47:17 -06:00
jvazquez-r7 511f637b31 Call CollectGarbage 2015-02-09 14:44:31 -06:00
Brent Cook af405eeb7d
Land #4287, @timwr's exploit form CVS-2014-3153 2015-02-09 10:33:14 -06:00
Brent Cook 0e4f3b0e80 added built data/exploits/CVE-2014-3153.elf 2015-02-09 09:50:31 -06:00
jvazquez-r7 a46a53acaf Provide more space for the payload 2015-02-06 14:49:49 -06:00
jvazquez-r7 414349972f Fix comment 2015-02-06 11:34:20 -06:00
jvazquez-r7 b5e230f838 Add javascript exploit 2015-02-06 11:04:59 -06:00
scriptjunkie 5b2eb986c9
Land #4678 Add post module to phish credentials 2015-02-04 23:43:02 -06:00
Brent Cook 2fdeeb3b13 Rebuilt Java Payloads with the latest NDK/SDK and meterpreter-javapayload
Fix rapid7/meterpreter#95, rebuilt with all outstanding PRs from
rapid7/metasploit-javapayload.
2015-02-02 13:09:15 -06:00
jvazquez-r7 aa7f7d4d81 Add DLL source code 2015-02-01 19:59:10 -06:00
jvazquez-r7 d211488e5d Add Initial version 2015-02-01 19:47:58 -06:00
wez3 25ac9c1ed9 Add post module to phish windows user credentials 2015-01-30 19:50:04 +01:00
jvazquez-r7 f9dccda75d Delete unused files 2015-01-22 18:00:31 -06:00
William Vu 75e04705d5
Land #4624, Firefox 33-35 os.js support 2015-01-22 13:35:47 -06:00
Joe Vennix 5bfb88d55c
Update os.js to detect newer firefox versions. 2015-01-21 16:12:17 -06:00
Brent Cook 94fda6e617
Land #4600, jvazquez-r7's Linux meterpreter bins 2015-01-20 09:38:35 -06:00
sinn3r 76746eb209 New password from Hathaway 2015-01-19 21:45:47 -06:00
eyalgr f12c6a1624 Update meterpreter.py
Read until exactly pkt_length bytes
2015-01-18 15:45:28 +02:00
eyalgr d83c6ae215 Update meterpreter.py
Read exactly pkt_length from socket, prevents over-reading.
2015-01-18 15:29:23 +02:00
jvazquez-r7 ffc676ead0 Update linux meterp binaries 2015-01-16 17:09:38 -06:00
jvazquez-r7 26789fa76c Add JMXPayload binary classes for testing 2015-01-15 17:58:09 -06:00
Brent Cook 47cd5a3e59
Land #4562, wchen-r7's Win8 NtApphelpCacheControl privilege escalation 2015-01-15 13:52:07 -06:00
sinn3r 74e8e057dd Use RDL 2015-01-09 19:02:08 -06:00
OJ dfdf99c8f4 Remove metcli
The metcli.exe binary doesn't get used any more and the source was removed
from Meterpreter ages ago. No point in having it in the repo any more.
2015-01-10 09:21:44 +10:00
Brent Cook ce87b126c1 Update to the latest meterpreter_bins
This removes checked-in sniffer extension in favor of the gem-packaged version.
It also pulls in the changes for verifying #4411
2015-01-09 16:57:10 -06:00
sinn3r fce564cde2 Meh, not the debug build. Should be the release build. 2015-01-08 22:06:07 -06:00
sinn3r 14c54cbc22 Update DLL 2015-01-08 21:36:02 -06:00
sinn3r d3738f0d1a Add DLL 2015-01-08 17:17:55 -06:00
sinn3r 50ecfbf64c
Land #4553 - Update bypass UAC to work on 7, 8, 8.1, and 2012 2015-01-08 16:19:55 -06:00
William Vu 3c4ec1d958
Land #4547, rm data/meterpreter/common.lib 2015-01-08 04:52:29 -06:00
OJ 844460dd87
Update bypass UAC to work on 8.1 and 2012
This commit contains a bunch of work that comes from Meatballs1 and
Lesage, and updates the bypassuac_inject module so that it works on
Windows 8.x and Windows 2012. Almost zero of the code in this module
can be attributed to me. Most of it comes from Ben's work.

I did do some code tidying, adjustment of style, etc. but other than
that it's all down to other people.
2015-01-08 15:39:19 +10:00
Brent Cook 32ddd5ccb4 delete unused library from meterpreter dir
common.lib is only used by the build process, not MSF
2015-01-07 16:00:37 -06:00
David Maloney 5480cb81f5
add updated KoreLogic rules to john.conf
updated our shipped john.conf to include a
more up to date version of the KoreLogic JtR rules.
They add overhead to the cracking time but are
probably some of the best/most effective JtR
rules out there.
2015-01-07 12:25:04 -06:00
Brent Cook 7ae56865f1 Update linux meterpreter binaries for rapid7/meterpreter#111
This rebuilds the binaries on Ubuntu 10.04 i386 for metepreter PR #111,
improving the reliability and fixing some bugs in linux process migration.

Tested against Ubuntu 10.04 i386 and Ubuntu 14.04 x86_64:

```
meterpreter > ps
...
 55994  48270  server                   0        bcook       ../metasploit-framework/server
 56009  44199  bash                     0        bcook       -bash
 56094  56009  dummy                    0        bcook       ./dummy

meterpreter > migrate 56094
[*] Migrating to 56094
[*] Migration completed successfully.
meterpreter > sysinfo
Computer     : mint
OS           : Linux mint 3.13.0-37-generic #64-Ubuntu SMP Mon Sep 22 21:28:38 UTC 2014 (x86_64)
Architecture : x86_64
Meterpreter  : x86/linux
meterpreter > ps
...
 55994  48270  [server] <defunct>        0        bcook
 56009  44199  bash                      0        bcook       -bash
 56094  56009  dummy                     0        bcook       ./dummy

meterpreter >
```

Verified presence of call stub when debugging a session:

```
(gdb) x/32b 0x61cc28
0x61cc28:	0x90	0x90	0x90	0x90	0x90	0x90	0x90	0x90
0x61cc30:	0x90	0x90	0x90	0x90	0x90	0x90	0x90	0x90
0x61cc38:	0x90	0x90	0x68	0x04	0x00	0x00	0x00	0x68
0x61cc40:	0xff	0xff	0xff	0xff	0xb8	0x5a	0x5a	0x5a
```
2015-01-04 10:47:44 -06:00
jvazquez-r7 69bda63ef6 Update linux meterpreter binaries 2015-01-01 20:05:36 -06:00
jvazquez-r7 dccf189600 Update binaries 2014-12-30 18:39:29 -06:00
Tod Beardsley d3050de862
Remove references to Redmine in code
See #4400. This should be all of them, except for, of course, the module
that targets Redmine itself.

Note that this also updates the README.md with more current information
as well.
2014-12-19 17:27:08 -06:00
Spencer McIntyre 0ee20561d4 Remove file exists check from stdapi_fs_delete_file 2014-12-09 11:03:57 -06:00
Spencer McIntyre 42710cc32e Error messages for the python meterpreter 2014-12-09 11:03:57 -06:00
Christian Mehlmauer 738fc78883
Land #4220, outlook gather post module 2014-12-07 22:41:28 +01:00
Christian Mehlmauer 9187a409ec
outlook post module fixes 2014-12-06 00:28:44 +01:00
Spencer McIntyre 83b0ac0209 Fix stdapi_sys_config_getenv for Python3 2014-12-04 15:58:17 -06:00
Spencer McIntyre 44816b84aa Prefer the pwd module for getuid when available 2014-12-04 15:58:17 -06:00
HD Moore fc96d011ab
Python reverse_http stager, lands #4225 2014-12-02 11:47:31 -06:00
jvazquez-r7 7a2c9c4c0d
Land #4263, @jvennix-r7's OSX Mavericks root privilege escalation
* Msf module for the Ian Beer exploit
2014-11-30 21:13:07 -06:00
jvazquez-r7 7772da5e3f Change paths, add makefile and compile 2014-11-30 21:06:11 -06:00
Meatballs f5f32fac06
Add token fiddling from nishang 2014-11-28 23:02:59 +00:00
Meatballs 48a5123607
Merge remote-tracking branch 'upstream/master' into pr4233_powerdump 2014-11-27 20:08:11 +00:00
Joe Vennix 7a3fb12124
Add an OSX privilege escalation from Google's Project Zero. 2014-11-25 12:34:16 -06:00
Peter Marszalik 830af7f95e identified instances of tabs vs spaces in the original
identified 16 instances in the original code where tab was used vs spaces. updated to keep consistent.
2014-11-25 12:17:43 -06:00
Peter Marszalik 705bd42b41 tab to space change - line 296 2014-11-22 14:48:44 -06:00
Peter Marszalik 900aa9cd6b powerdump.ps1 bug - corrupt hash fix
Fixed the bug where the hashes are not being extracted correctly when LM is disabled and history is enabled. 

Rather than relying on length, LM and NT headers are checked. Four bytes at 0xa0 show if LM exists and four bytes at 0xac show if NT exists. Details on this known issue can be found in the following whitepaper from blackhat:
https://media.blackhat.com/bh-us-12/Briefings/Reynolds/BH_US_12_Reynods_Stamp_Out_Hash_WP.pdf
2014-11-18 23:10:57 -06:00
Spencer McIntyre 2b36c1bb43 Fix pymeterp bugs from testing in osx and python3 2014-11-17 14:04:30 -05:00
HD Moore 1d8b746d89 Adds new TFTP file names, submitted by Chris McNab 2014-11-16 18:47:11 -06:00
Spencer McIntyre 0bf93acf6b Pymeterp http proxy and user agent support 2014-11-16 14:29:20 -05:00
Spencer McIntyre e562883ba9 Escape inserted vars and fix core_loadlib 2014-11-15 15:06:18 -05:00
Spencer McIntyre 7c14e818f6 Patch pymeterp http settings 2014-11-14 17:12:23 -05:00
Spencer McIntyre 681ae8ce6b Pymet reverse_http stager basic implementation 2014-11-14 14:15:46 -05:00
Spencer McIntyre 6b2387b7fc Prepare for a reverse_http stager 2014-11-14 11:15:22 -05:00
jvazquez-r7 c35dc2e6b3 Add module for CVE-2014-6352 2014-11-12 01:10:49 -06:00
William Vu adad3809cc
Rename logo file 2014-11-11 16:07:44 -06:00
Joshua Smith 329ea4fe01 the masterpiece is complete 2014-11-11 15:35:36 -06:00
Spencer McIntyre 7edc248207 Don't fail if username_from_token returns None 2014-11-10 09:15:16 -05:00
Spencer McIntyre 104841babf Add getsid to the python meterpreter 2014-11-08 20:57:24 -05:00
sinn3r c2391bf011 Add an R in /Info for the trailer dictionary to make it readable 2014-11-05 22:28:37 -06:00
sinn3r 1b2554bc0d Add a default template for CVE-2010-1240 PDF exploit 2014-11-05 17:08:38 -06:00
jvazquez-r7 f43a6e9be0 Use PDWORD_PTR and DWORD_PTR 2014-10-31 17:35:50 -05:00
jvazquez-r7 8e547e27b3 Use correct types 2014-10-31 12:37:21 -05:00
HD Moore 9b61ae5f63 This is halloween.
THISISHALLOWEEN=1 ./msfconsole
2014-10-30 23:35:12 -05:00
jvazquez-r7 6574db5dbb Fix the 64 bits code 2014-10-30 17:01:59 -05:00
jvazquez-r7 03a84a1de3 Search the AccessToken 2014-10-30 12:17:03 -05:00
OJ 908094c3d3 Remove debug, treat warnings as errors 2014-10-28 09:04:02 +10:00
OJ 0a03b2dd48 Final code tidy 2014-10-28 08:59:33 +10:00
William Vu 626cd55b5e
Land #4073, improved banner selection 2014-10-27 14:20:10 -05:00
Spencer McIntyre 04a99f09bb
Land #4064, Win32k.sys NULL Pointer Dereference 2014-10-27 14:01:07 -04:00
jvazquez-r7 042d29b1d6 Compile binaries in house 2014-10-27 12:18:33 -05:00
jvazquez-r7 4406972b46 Do version checking minor cleanup 2014-10-27 09:32:42 -05:00
jvazquez-r7 0aaebc7872 Make GetPtiCurrent USER32 independent 2014-10-26 18:51:02 -05:00
jvazquez-r7 34697a2240 Delete 'callback3' also from 32 bits version 2014-10-26 17:28:35 -05:00
Spencer McIntyre 7416c00416 Initial addition of x64 target for cve-2014-4113 2014-10-26 16:54:42 -04:00
Spencer McIntyre 91dc875af5 Remove seemingly useless file among banners 2014-10-24 13:11:58 -04:00
Spencer McIntyre c1a61e3b4e Support an MSFLOGO env var and logo enumeration 2014-10-24 13:07:28 -04:00
Spencer McIntyre 82f41d56a6 Add [user_]logos_directory to Msf::Config 2014-10-24 10:52:05 -04:00
Joshua Smith 34f29f218c really resolve merge conflicts 2014-10-23 21:51:33 -05:00
jvazquez-r7 a75186d770 Add module for CVE-2014-4113 2014-10-23 18:51:30 -05:00
jvazquez-r7 bf8dce574a Add ppsx template 2014-10-16 17:55:22 -05:00
William Vu 056ee4f207
Land #3958, kill command for pyterp 2014-10-07 10:58:37 -05:00
Spencer McIntyre 766a69e310 Add sys_process_kill to the python meterpreter 2014-10-07 10:10:22 -04:00
James Lee a65ee6cf30
Land #3373, recog
Conflicts:
	Gemfile
	Gemfile.lock
	data/js/detect/os.js
	lib/msf/core/exploit/remote/browser_exploit_server.rb
	modules/exploits/android/browser/webview_addjavascriptinterface.rb
2014-10-03 18:05:58 -05:00
Spencer McIntyre 7da22d064d Remove an unnecessary var and fix process_close 2014-10-02 20:52:45 -04:00
sinn3r 135bed254d Update BrowserExploitServer for JSObfu 2014-09-20 17:59:36 -05:00
Joe Vennix 87aeac2b13
Fix syntax error in os.js, specs ftw. 2014-09-12 11:01:08 -05:00
Joe Vennix 8e091b6da0
Add support for ff 29 - 32 feature. 2014-09-11 22:01:36 -05:00
Tod Beardsley 4fc1ec09c7
Land #3759, Android UXSS, with ref/desc fixes
Incidentally, this also closes jvennix-r7#14 (let's see if I can close a
PR by merging from another repo!)

Also fixes #3782 (opened by accident).
2014-09-11 14:27:51 -05:00
Joe Vennix 7793ed4fea
Add some common UXSS scripts. 2014-09-09 02:31:27 -05:00
Tom Sellers 288a891665 Add the 'guest' IPMI user
The 'guest' IPMI user exists on many Cisco Unified Computing Server (UCS) implementations.
2014-09-01 07:01:06 -05:00
Brandon Turner 05f0d09828
Merge branch staging/electro-release into master
On August 15, shuckins-r7 merged the Metasploit 4.10.0 branch
(staging/electro-release) into master.  Rather than merging with
history, he squashed all history into two commits (see
149c3ecc63 and
82760bf5b3).

We want to preserve history (for things like git blame, git log, etc.).
So on August 22, we reverted the commits above (see
19ba7772f3).

This merge commit merges the staging/electro-release branch
(62b81d6814) into master
(48f0743d1b).  It ensures that any changes
committed to master since the original squashed merge are retained.

As a side effect, you may see this merge commit in history/blame for the
time period between August 15 and August 22.
2014-08-22 10:50:38 -05:00
Brandon Turner 19ba7772f3
Revert "Various merge resolutions from master <- staging"
This reverts commit 149c3ecc63.

Conflicts:
	lib/metasploit/framework/command/base.rb
	lib/metasploit/framework/common_engine.rb
	lib/metasploit/framework/require.rb
	lib/msf/core/modules/namespace.rb
	modules/auxiliary/analyze/jtr_postgres_fast.rb
	modules/auxiliary/scanner/smb/smb_login.rb
	msfconsole
2014-08-22 10:17:44 -05:00
HD Moore 6d92d701d7 Merge feature/recog into post-electro master for this PR 2014-08-16 01:19:08 -05:00
Samuel Huckins 149c3ecc63
Various merge resolutions from master <- staging
* --ask option ported to new location
* --version option now works
* MSF version updated
* All specs passing
2014-08-15 11:33:31 -05:00
joev af3ca19ab2
Land #3501, @AnwarMohamed's android meterpreter commands. 2014-08-09 16:29:59 -05:00
Brandon Turner 91bb0b6e10 Metasploit Framework 4.9.3-2014072301
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJT0CeVAAoJEJMMBVMNnmqO/7AP/0CBRHjtgiR9VnFKSQ+iWTQV
 iPNMBevn0mpSRq/gpoKCeFBZ6b+YQYrOLXDKVk62VV9LCslkr/P8LW8ul+m+JtB0
 mM6V5esUXM1XhgGEyTnTLRx6BR/WQU1RHlb56ae3nZjQlwCuH/5zEmcy5toZxpsY
 6HO46zE0GGBoLr/VgyYlfT08bfoQ+ICyJN0H5ixoovCc3iW0K1MNqLMfdani8zBJ
 gYJaMysV7XtepumWWQMSC+b/EuertdXXzWDy2bwe0Q3cQXNXzrkPAvtMqucWG+gy
 783OLKCPtVoEZiX87xAptkwmVCRdNGPclaWH7YRZDAh1tqBfRQUg72V/TIrOHCP1
 /lYO7yp5pBQg+1UNnpH+xI2YePFfYdHpYDNT5FSQGOnQjJg30ll4SqCm7cVmo2h5
 BRSYXkPCsQeXGaFarxGERNb8e+qN/WzSrHzY45tQw8mDuhg94tlf3VtDag3FXxhj
 zCxd6bu+tdboVm7FERS85T46kxzmeIycZ4p+Sf7d8gXitl2RKbBdKFNDi1gzeK1T
 yN7bDl4sL7qtDgZLXjFrnyC8vXyAqIrAgmFr2JywMBRm6TiCGQvgnrs+sScU3RFU
 W2tblGbKQq+CwDeC59uQPqxRkm72SMUrKX9448VEQ+9XbKE3TMQ5Q4qCxmnw31Op
 aJ0QgKJz8thZgafZc89I
 =e1z9
 -----END PGP SIGNATURE-----
gpgsig -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABCgAGBQJT4pb8AAoJEA+Ckxyj7hsHn+8P/3FlEYCmoqQ/JzsVtmP3Yi4Q
 gBRva+crY831mCCQXFrPJBvWfmy5HOzVh+Zh7zWF0GQ1WuuMppHfR5ARFVwmiDs3
 qwndhXwziDzBnznf0JKSgT5eJsH23s/ots1lyWymKJvPuT6hn6MRAHUawgnNmYR9
 ttnawmHvCM9Iha2oz3nmkLcNd+83bdBfEWi5l8AQ7jJxwMC2/8VPpMscVVwXqPzd
 CoQugAYZW5VeaEiGio5+19Ix9EPkIDvs6wnfGBtfPfeaOIDZV4XOFoIFUtEeZd5o
 olvEpYvdqscy4Qujzn4C++3wX3bUxkIbHTJHgrKmlD83dI7Cu1JH716G+yfLoJo0
 pQBWTGeWYKEh6leK/9J5Bo1/tOJ/ylbcbvH0Y0tmdu4icHar6uYe1QBrCB9xIdh1
 F+xo4guYnVo616DXJQSwjIye83b5dBxACrfA3bqCnFVFgTM5jXGV1cqiBgs9Dl++
 tIDPgUJkCe/bIdQ7PntlGRzxKihHahlxhCa++YaGKqSq7gXie8Rl4qgloIrbfNZ/
 z3XsoOLNdbMGO7ip88Zjwq4Khj5WZu7ijfCtXO7GU1UJZL1tJ2yK2ic7ZDLc251Y
 8EGMSTG53+6yvZYFtWMZeQzjwD2cpuF04dOmHOKi6KGJJ7KRPhn6gpsbc6U1mbH9
 AjGcfOzhhcsY+WAQ7OG+
 =Pjob
 -----END PGP SIGNATURE-----

Merge tag '2014072301' into staging/electro-release

Conflicts:
	Gemfile.lock
	modules/post/windows/gather/credentials/gpp.rb

This removes the active flag in the gpp.rb module.  According to Lance,
the active flag is no longer used.
2014-08-06 15:58:12 -05:00
Joe Vennix 2b46e76e85
Recompiled again. 2014-07-27 22:23:26 -07:00
Joe Vennix ae1f498aae
Check in new android binaries. 2014-07-27 13:22:12 -07:00
Sam 8cabc753a9 Replace hpricot by nokogiri 2014-07-17 00:14:07 +02:00
David Maloney 52a29856b3
Merge branch 'master' into staging/electro-release
Conflicts:
	Gemfile
	Gemfile.lock
2014-07-16 09:38:44 -05:00
OJ 77be5d3e0a
Land #3520 : Update Linux Meterpreter Binaries
Includes fixes for the sniffer which stop it breaking on x64 and make
it work with the `any` interface.

[FixRM #6355]
2014-07-15 09:27:30 +10:00
James Lee de22aeba41
Land #3481, meterpreter bins 2014-07-14 15:57:52 -05:00
jvazquez-r7 31c447e217 Update binaries 2014-07-14 08:50:30 -05:00
jvazquez-r7 074632043f Update meterpreter binaries 2014-07-10 16:36:48 -05:00
Tod Beardsley 038d1e210a
Merge upstream/master to deconflict.
Conflicts:
	Gemfile.lock
2014-07-09 17:43:42 -05:00
AnwarMohamed 34dcb609e2 android extension 2014-07-08 04:52:06 +02:00
David Maloney aeda74f394
Merge branch 'master' into staging/electro-release
Conflicts:
	Gemfile
	Gemfile.lock
2014-07-07 16:41:23 -05:00
OJ bdf27b1834 Fix up the TLVs that are now QWORD values in MSF
Various values were adjusted to become QWORD values in MSF an windows
meterpreter, but the changes were not ported over to python, php and
java. This commit fixes this inconsistency.
2014-07-07 10:42:58 -05:00
HD Moore ab7848a895
Merge master for testing of #2809 2014-07-06 22:27:58 -05:00
HD Moore 43d65cc93a Merge branch 'master' into feature/recog
Resolves conflicts:
	Gemfile
	data/js/detect/os.js
	modules/exploits/android/browser/webview_addjavascriptinterface.rb
2014-07-06 09:17:44 -05:00
James Lee 41cd5527c8
Close the server socket in php bind stager
This was previously left dangling, which leaves the port open, but
doesn't do anything with subsequent connections.
2014-07-03 16:52:09 -05:00
James Lee 9246f7a0ce
Strip the NULL that PHP no longer strips
As of PHP 5.5.0, unpack("a", ...) no longer strips the NULL byte from
the end of the string. A new format specifier, Z, was introduced to
perform the old behavior, but we don't have a good way to test for its
existence. Instead, just remove it with str_replace
2014-07-03 15:58:05 -05:00
Tod Beardsley 8b63d3d467 Revert the revert of #3446
This reverts commit 9b35b0e13a.

This should not land on master until the Metasploit Pro folks (@trosen-r7
and friends) get their Meterpreter path specifications working the
same way as Framework's does.
2014-06-29 17:22:21 -05:00
David Maloney b680674b95
Merge branch 'master' into staging/electro-release 2014-06-27 11:55:57 -05:00
sinn3r ce5d3b12e7
Land #3403 - MS13-097 Registry Symlink IE Sandbox Escape 2014-06-26 13:48:28 -05:00
sinn3r 0b6f7e4483
Land #3404 - MS14-009 .NET Deployment Service IE Sandbox Escape 2014-06-26 11:45:47 -05:00
Chris Doughty 9b35b0e13a Revert "Land #3446 -- Meterpreter bins gem switch" due to build failures
This reverts commit bba8bd3498, reversing
changes made to 002234993f.
2014-06-25 13:24:07 -05:00
Tod Beardsley fbb6808b1a
Re-add common.lib and ext_server_sniffer DLLs
These are not currently included in meterpreter_bins. Figure this out
with @cdoughty-r7 , probably just an oversight.
2014-06-19 16:10:22 -05:00
Tod Beardsley 88b482118d
Remove local Meterpreter Windows binaries 2014-06-19 16:05:53 -05:00
James Lee b606448976
Merge branch 'feature/MSP-9689/jtr_cracker' into staging/electro-release 2014-06-19 10:14:57 -05:00
navs 1c5cfeebb3 adding template and src for elf 64 shared object payload target 2014-06-19 00:38:16 -05:00
David Maloney 41f7bc1372
add common root words wordlist
this adds a new wordlist to the data directory.
This wordlist is compiled from statistical analysis of
common Numeric passwords and Common rootwords across
6 years of colleted password breach dumps. Every word in
this list has been seen thousands of times in password
breaches
2014-06-14 14:13:59 -05:00
Tod Beardsley af9028e867
Add Meterpreter bins for PR76
These are the binaries generated for rapid7/meterpreter#76 , against
commit 2776adb8b91d9967983033c0e770c46a10a68002

These bins are need to make #3416 actually functional
2014-06-12 14:29:40 -05:00
sinn3r 2a7227f443
Land #3427 - Adds webcam module for firefox privileged sessions on OSX 2014-06-11 22:27:25 -05:00
Meatballs d868294d5b
MEM_RESERVE too 2014-06-08 17:37:57 +01:00
jvazquez-r7 9d08ebe273 Fix VirtualAlloc call on PSH old template 2014-06-08 11:09:03 -05:00
joev a33de66da4 Fix transparent background, add VISIBLE option. 2014-06-06 16:52:00 -05:00
joev d990fb4999
Remove a number of stray edits and bs. 2014-06-06 16:24:45 -05:00
joev 7c762ad42c Fix some minor bugs in webrtc stuff, inline API code. 2014-06-06 16:18:39 -05:00
Brandon Turner d9a5002bd3
Merge branch 'release'
Updates meterpreter bins and closes #3425 and #3423.
2014-06-05 17:33:11 -05:00
Tod Beardsley 97a70e49c8
Roll back the jar/py changes 2014-06-05 17:31:02 -05:00
Tod Beardsley 737f06f600
Add Meterpreter bins for release branch.
This contains the same bins as #3423, but it is targeted at the release
branch for rapid7/metasploit-framework.
2014-06-05 17:17:32 -05:00
William Vu 6c7fd3642a
Land #3411, Python 3.[34] Meterpreter support 2014-06-03 11:34:22 -05:00
jvazquez-r7 b8a2cf776b Do test 2014-06-03 09:52:01 -05:00
jvazquez-r7 05ed2340dc Use powershell 2014-06-03 09:29:04 -05:00
jvazquez-r7 f918bcc631 Use powershell instead of mshta 2014-06-03 09:01:56 -05:00
jvazquez-r7 7f4702b65e Update from rapid7 master 2014-06-02 17:41:41 -05:00