Spencer McIntyre
6ab7c314de
Pymet fix reverse_tcp transport for IPv6 addresses
2015-07-02 08:33:11 -04:00
Spencer McIntyre
dbe239bc75
Pymet fix transport next and prev for one transport
2015-07-02 08:23:02 -04:00
wchen-r7
482247771d
Add a fingerprint for Windows 10 + IE11
2015-07-01 18:06:25 -05:00
wchen-r7
cd688437ac
Add support for Windows 10 for os.js
...
Resolves #4248
2015-07-01 15:02:22 -05:00
Spencer McIntyre
b1b21c4bef
Pymet fixes for Python 3.x
2015-07-01 14:32:12 -04:00
jvazquez-r7
1de94a6865
Add module for CVE-2015-3113
2015-07-01 13:13:57 -05:00
Spencer McIntyre
2a891c50eb
Pymet transport stabilty and correction
2015-07-01 11:12:30 -04:00
Spencer McIntyre
4b5b7c8a27
Pymet support for core_transport_remove
2015-06-30 15:46:33 -04:00
Spencer McIntyre
6a45e19636
Pymet fix bind and tcp socket cleanup logic
2015-06-30 15:25:23 -04:00
Spencer McIntyre
3d49781230
Pymet support for core_transport_sleep
2015-06-29 18:34:35 -04:00
Spencer McIntyre
9a8ffacfd1
Pymet transport changing improvements
2015-06-29 14:00:07 -04:00
Spencer McIntyre
00742ea924
Pymet cleaner transport switching with responses
2015-06-28 13:16:00 -04:00
Spencer McIntyre
f6fa462bdc
Pymet support for changing transports
2015-06-27 20:57:45 -04:00
Spencer McIntyre
175d9cdcb1
Pymet support for creating and listing transports
2015-06-26 16:52:55 -04:00
Spencer McIntyre
79185e91c6
Refactor the pymet to use transport objects
2015-06-26 14:56:31 -04:00
Spencer McIntyre
7aae9b210e
Add pymet support for core_enumextcmd
2015-06-26 11:32:51 -04:00
jvazquez-r7
ee0377ca16
Add module for CVE-2015-3105
2015-06-25 13:35:01 -05:00
OJ
ae41f2bfa0
Update exploit binaries for ms15-051
2015-06-25 09:33:15 +10:00
Brent Cook
e75287875b
hack android-specific commands back to life
2015-06-22 20:41:58 -05:00
OJ
3686accadd
Merge branch 'upstream/master' into cve-2015-1701
2015-06-22 07:52:17 +10:00
jvazquez-r7
04901baab8
Land #5572 @todb-r7's adds snowden's password to unix_passwords.txt
2015-06-19 17:01:22 -05:00
Tod Beardsley
b580f93c22
New password from Snowden
2015-06-19 15:37:48 -05:00
jvazquez-r7
d116f1efd5
Land #5566 , @wchen-r7 fixes #5565 modifying os.js
2015-06-19 11:07:00 -05:00
wchen-r7
308cad8c40
Fix #5565 , Fix os.js service pack detection
...
Fix #5565
2015-06-18 18:51:16 -05:00
jvazquez-r7
de1542e589
Add module for CVE-2015-3090
2015-06-18 12:36:14 -05:00
wchen-r7
17b8ddc68a
Land #5524 , adobe_flash_pixel_bender_bof in flash renderer
2015-06-15 02:42:16 -05:00
jvazquez-r7
72672fc8f7
Delete debug
2015-06-11 17:39:36 -05:00
jvazquez-r7
8ed13b1d1b
Add linux support for CVE-2014-0515
2015-06-11 16:18:50 -05:00
wchen-r7
ae21b0c260
Land #5523 , adobe_flash_domain_memory_uaf in the flash renderer
2015-06-10 16:59:19 -05:00
wchen-r7
4c5b1fbcef
Land #5522 , adobe_flash_worker_byte_array_uaf in the flash renderer
2015-06-10 14:49:41 -05:00
jvazquez-r7
7527aa4f34
Disable debug
2015-06-10 14:07:18 -05:00
jvazquez-r7
6c7ee10520
Update to use the new flash Exploiter
2015-06-10 13:52:43 -05:00
jvazquez-r7
7fba64ed14
Allow more search space
2015-06-10 12:26:53 -05:00
jvazquez-r7
ecbddc6ef8
Play with memory al little bit better
2015-06-10 11:54:57 -05:00
wchen-r7
d622c782ef
Land #5519 , adobe_flash_uncompress_zlib_uninitialized in the flash renderer
2015-06-10 11:52:47 -05:00
jvazquez-r7
2b4fe96cfd
Tweak Heap Spray
2015-06-10 10:56:24 -05:00
jvazquez-r7
a6fe383852
Use AS Exploiter
2015-06-10 09:32:52 -05:00
jvazquez-r7
e5d6c9a3cb
Make last code cleanup
2015-06-09 16:01:57 -05:00
jvazquez-r7
cf8c6b510b
Debug version working
2015-06-09 15:46:21 -05:00
jvazquez-r7
39851d277d
Unset debug flag
2015-06-09 11:36:09 -05:00
jvazquez-r7
b7f0fad72f
Modify CVE-2014-0569 to use the flash exploitation code
2015-06-09 11:31:39 -05:00
Tod Beardsley
f29b38b602
Add the top 20 keyboard patterns as passwords
...
See https://wpengine.com/unmasked/ for lots more, but this
covers the gif at
https://wpengine.com/unmasked/assets/images/commonkeyboardpatterns.gif
2015-06-05 16:46:08 -05:00
OJ
b291d41b76
Quick hack to remove hard-coded offsets
2015-06-05 13:19:41 +10:00
jvazquez-r7
02181addc5
Update CVE-2014-0556
2015-06-04 18:23:50 -05:00
wchen-r7
23df66bf3a
Land #5481 , no powershell. exec shellcode from the renderer process.
2015-06-04 15:45:09 -05:00
jvazquez-r7
ab68d8429b
Add more targets
2015-06-04 12:11:53 -05:00
jvazquez-r7
80cb70cacf
Add support for Windows 8.1/Firefox
2015-06-03 22:46:04 -05:00
jvazquez-r7
74117a7a52
Allow to execute payload from the flash renderer
2015-06-03 16:33:41 -05:00
OJ
455a3b6b9d
Add butchered version of CVE-2015-1701
2015-06-03 21:48:23 +10:00
Brent Cook
64e86165ef
remove android meterpreter bins, update to payloads 1.0.2
...
This switches us to using the Android payload files from the
metasploit-payloads gem
2015-06-01 09:14:31 -05:00
Brent Cook
7d5af66fa0
Merge branch 'master' into land-5367-uuid-stagers
2015-05-29 13:00:35 -05:00
wchen-r7
737559bcbb
Land #5180 , VBA Powershell for Office Macro
2015-05-28 19:55:27 -05:00
jvazquez-r7
e9714bfc82
Solve conflics
2015-05-27 23:22:00 -05:00
wchen-r7
e749733eb6
Land #5419 , Fix Base64 decoding on ActionScript
2015-05-27 23:13:51 -05:00
jvazquez-r7
e5d42850c1
Add support for Linux to CVE-2015-0336
2015-05-27 17:05:10 -05:00
jvazquez-r7
801deeaddf
Fix CVE-2015-0336
2015-05-27 15:42:06 -05:00
jvazquez-r7
bd1bdf22b5
Fix CVE-2015-0359
2015-05-26 17:27:20 -05:00
jvazquez-r7
19c7445d9d
Fix CVE-2015-0336
2015-05-26 17:20:49 -05:00
jvazquez-r7
23d244b1fa
Fix CVE-2015-0313
2015-05-26 16:11:44 -05:00
jvazquez-r7
5c8c5aef37
Fix CVE-2014-8440
2015-05-26 16:05:08 -05:00
jvazquez-r7
d78d04e070
Fix CVE-2014-0569
2015-05-26 15:49:22 -05:00
jvazquez-r7
e0a1fa4ef6
Fix indentation
2015-05-26 15:38:56 -05:00
jvazquez-r7
1742876757
Fix CVE-2014-0556
2015-05-26 15:30:39 -05:00
jvazquez-r7
3e122fe87c
Fix b64 decoding
2015-05-26 15:15:33 -05:00
jvazquez-r7
29ccc8367b
Add More messages
2015-05-26 14:47:47 -05:00
jvazquez-r7
1bf1c37cfa
Add exception handling
2015-05-26 14:31:07 -05:00
jvazquez-r7
fb8a927941
Hardcode params
2015-05-26 14:20:43 -05:00
jvazquez-r7
f119da94ca
Add one more message
2015-05-26 14:14:38 -05:00
jvazquez-r7
15533fabe6
Log messages
2015-05-26 14:08:24 -05:00
jvazquez-r7
91357ee45b
Improve reliability
2015-05-26 13:47:33 -05:00
OJ
9e50114082
Merge branch 'upstream/master' into uuid-stagers
2015-05-25 11:22:35 +10:00
OJ
1c73c190fc
Add machine_id support to windows php meterp
2015-05-22 14:55:29 +10:00
jvazquez-r7
f35d7a85d3
Adjust numbers
2015-05-21 15:56:11 -05:00
jvazquez-r7
80d4f3cfb0
Update swf
2015-05-21 14:55:00 -05:00
jvazquez-r7
8d6cbf0568
Make adobe_flash_uncompress_zlib_af multiplatform
2015-05-20 18:57:37 -05:00
benpturner
c0b995cc97
new changes
2015-05-19 16:18:06 +01:00
benpturner
b513304756
new changes
2015-05-19 15:47:30 +01:00
benpturner
0cda746bfb
Updated size
2015-05-19 14:08:59 +01:00
benpturner
811c45ab90
new
2015-05-19 14:06:41 +01:00
OJ
24526c2ef9
Removed unused data files
2015-05-18 21:46:05 +10:00
OJ
9296a024e2
PHP meterpreter refactoring in prep for uuid work
2015-05-18 17:40:48 +10:00
OJ
0d56b3ee66
Stage UUIDs, generation options, php and python meterp uuid
2015-05-18 13:29:46 +10:00
Brent Cook
5cf6d28c34
Land #5426 , use RAW for TLV hash binary data
2015-05-15 11:54:45 -05:00
wchen-r7
25099dd877
Land #5212 , HTA Powershell template
2015-05-15 11:49:07 -05:00
wchen-r7
3bc3614be6
Do a check for powershell.exe before running it.
2015-05-15 11:48:21 -05:00
Brent Cook
c614f6059d
Merge branch 'master' into land-5326-
2015-05-15 11:29:54 -05:00
benpturner
d4798a2500
Fix spacinG
2015-05-11 09:04:03 +01:00
benpturner
c916021fc5
SSL Support for Powershell Payloads
2015-05-10 21:45:59 +01:00
Tim
d3ba84b378
Add TLV_TYPE_FILE_HASH
2015-05-10 14:18:16 +01:00
jvazquez-r7
c103779eab
Land #5080 , @bcook-r7's 'ls' and 'download' meterpreter improvements
2015-05-08 18:02:16 -05:00
William Vu
71518ef613
Land #5303 , metasploit-payloads Java binaries
2015-05-07 22:39:54 -05:00
jvazquez-r7
51bb4b5a9b
Add module for CVE-2015-0359
2015-05-07 17:00:00 -05:00
jvazquez-r7
582919acac
Add module for CVE-2015-0336
2015-05-05 17:25:19 -05:00
Brent Cook
f0c989c1b5
remove java payloads and jars
2015-05-05 15:01:00 -05:00
Brent Cook
05e4af8162
Land #5214 , initial meterpreter session recovery support
2015-05-04 16:25:27 -05:00
Brent Cook
cda7dc3494
remove old posix meterpreter bins
2015-05-04 09:44:37 -05:00
Brent Cook
d934027b3b
expand glob match
2015-05-04 03:56:15 -05:00
Brent Cook
c5c7242374
teach pymet how to glob on ls as well
2015-05-04 03:56:14 -05:00
wchen-r7
17e54fff1f
Land #5275 , Flash CVE-2014-8440
2015-04-30 12:14:06 -05:00
William Vu
cbaaea2ce4
Land #5278 , D-Link Telnet passwords
2015-04-30 11:23:33 -05:00
jvazquez-r7
dbba466b5b
Add module for CVE-2014-8440
2015-04-29 17:52:04 -05:00
m-1-k-3
f2b50e1e2f
removed empty line
2015-04-27 05:29:47 +02:00
HD Moore
1fd601510c
Lands #5194 , merges in PowerShell session support & initial payloads
2015-04-26 16:01:51 -05:00
benpturner
76e68fcf4c
session info
2015-04-26 20:13:18 +01:00
m-1-k-3
f74d385b6a
dlink telnet passwords added from firmware.re
2015-04-26 02:29:30 +02:00
benpturner
aa4dc78cba
updates to author comments in powershell script
2015-04-25 08:47:17 +01:00
benpturner
19aa668f99
updates to include reverse and bind
2015-04-22 20:41:19 +01:00
Brent Cook
5140b8cf9c
fix crash on fork with OSX Python meterpreter using SystemConfiguration
...
Calling into SystemConfiguration before forking seems to allow the child
process to use it without a null pointer dereference.
2015-04-21 17:17:27 -05:00
Meatballs
381f6ffe0a
HTA Powershell template
2015-04-20 23:19:54 +01:00
Meatballs
b0d50dc2be
Create our own Rex connection to the endpoint
...
Ensure powershell process closes when module completes
Add a windows cmd interact payload
2015-04-19 23:41:28 +01:00
Meatballs
8bd0da580d
Move script out of module
2015-04-19 21:12:44 +01:00
Meatballs
b229e87940
Create VBA powershell
2015-04-17 16:52:12 +01:00
Meatballs
15eef6e8de
Dont fork on OSX
2015-04-17 11:43:07 +01:00
jvazquez-r7
28fac60c81
Add module for CVE-2015-0556
2015-04-15 14:08:16 -05:00
William Vu
8d1126eaa5
Land #5129 , x64 BSD prepend stubs 'n' stuff
2015-04-14 01:24:50 -05:00
joev
2d3614f647
Implement x64 BSD exec and exe template.
...
- Fixes bug in CachedSize due to all options being set
- Adds new payload to payload_spec.
2015-04-12 12:17:25 -05:00
joev
3313dac30f
Land #5119 , @wvu's addition of the OSX rootpipe privesc exploit.
...
orts
borts
2015-04-10 12:38:25 -05:00
William Vu
c4b7b32745
Add Rootpipe exploit
2015-04-10 11:22:00 -05:00
jvazquez-r7
91f5d0af5a
Add module for CVE-2014-0569
...
* Adobe flash, Integer overflow on casi32
2015-04-09 19:37:26 -05:00
OJ
2977cbd42a
Merge branch 'upstream/master' into dynamic-transport
2015-04-07 14:30:48 +10:00
Brent Cook
0d78834083
update meterpreter binaries
2015-04-03 05:47:18 -05:00
OJ
fc44f5b1f4
Merge branch 'upstrea/master' into dynamic-transport
...
Small merge required with the https payload proxy changes.
2015-04-03 10:14:48 +10:00
sinn3r
ec2f9e3c05
Add SSH root password 'arcsight' for HP ArcSight Logger
...
The default password for root is 'arcsight'
2015-04-02 11:04:07 -05:00
OJ
47fa97816d
Code fixes as per suggestions, fix build
...
* Use of `ERROR_FAILURE_WINDOWS` in python meterpreter.
* Moving of constants/logic to client_core instead of
command_dispatcher.
* Fix spec include.
2015-04-02 09:05:38 +10:00
Tod Beardsley
293cbfc8f3
Slightly wanged one of the text bubbles
2015-04-01 06:46:50 -05:00
OJ
01bdf54487
Merge branch 'upstream/master' into dynamic-transport
2015-04-01 18:53:20 +10:00
OJ
02383d4e90
Add machine_id functionality to python meterpreter
2015-04-01 17:50:50 +10:00
Tod Beardsley
34d637c7b8
Needs more ponies
2015-03-31 13:59:37 -05:00
sinn3r
8ea1ffc6ff
Land #5030 , CVE-2015-0313 Flash Exploit
2015-03-30 11:31:53 -05:00
jvazquez-r7
11c6f3fdca
Do reliable resolution of kernel32
2015-03-29 15:52:13 -05:00
jvazquez-r7
f84a46df63
Add module for CVE-2015-0313
2015-03-27 18:51:13 -05:00
Spencer McIntyre
10e8cefd6d
Pymet dont validate ssl certs for 2.7.9/3.4.3
2015-03-25 19:49:42 -04:00
Spencer McIntyre
7282968d8a
Python reverse HTTPS stager
2015-03-21 12:43:14 -04:00
Brent Cook
b29d2b5e84
do not die if the uid/gid of a file is > 65535
...
The meterpreter stat command is a little broken in that it assumes uid/gids
16-bit. Prevent this from erroring with python meterpreter on a system with a
large uid/gid.
2015-03-20 22:34:01 -05:00
Spencer McIntyre
8608569964
Pymet support for creating and renaming unicode paths
2015-03-20 08:49:23 -04:00
Spencer McIntyre
bac2e7c5f8
Pymet improved unicode support for working directories
2015-03-19 18:31:42 -04:00
Spencer McIntyre
f9bf4e3100
Fix pymet for unicode files and directories
...
Closes #4958
2015-03-19 17:23:00 -04:00
Brent Cook
35d29f5d08
update linux meterpreter bins
2015-03-18 23:24:32 -05:00
Spencer McIntyre
076f15f933
Land #4792 @jakxx Publish It PUI file exploit
2015-03-18 20:59:54 -04:00
jakxx
085e6cc815
Implemented Recommended Changes
...
-corrected spelling error
-set only option to required
-dumped header data to included file
-Used Rex for jmp values
2015-03-17 16:39:56 -04:00
jvazquez-r7
bb81107e51
Land #4927 , @wchen-r7's exploit for Flash PCRE CVE-2015-0318
2015-03-13 23:58:05 -05:00
sinn3r
0ee0a0da1c
This seems to work
2015-03-13 04:43:06 -05:00
sinn3r
0c3329f69e
Back on track
2015-03-12 15:26:55 -05:00
sinn3r
215c209f88
Land #4901 , CVE-2014-0311, Flash ByteArray Uncompress UAF
2015-03-11 14:04:17 -05:00
sinn3r
43b90610b1
Temp
2015-03-11 13:53:34 -05:00
sinn3r
2a9d6e64e2
Starting point for CVE-2015-0318
2015-03-11 09:58:41 -05:00
jvazquez-r7
cb72b26874
Add module for CVE-2014-0311
2015-03-09 16:52:23 -05:00
Tod Beardsley
df80d56fda
Land #4898 , prefer URI to open-uri
2015-03-09 09:14:10 -05:00
joev
d7295959ca
Remove open-uri usage in msf.
2015-03-05 23:45:28 -06:00
jvazquez-r7
64fd818364
Land #4411 , @bcook-r7's support for direct, atomic registry key access in meterpreter
2015-03-04 10:01:33 -06:00
Brent Cook
0988c5e691
use the correct implementation for query_value_direct
2015-03-03 22:29:23 -06:00
Ferenc Spala
c498ba64e4
Added a new pair of default Tomcat credentials. QLogic's QConvergeConsole comes with a bundled Tomcat with a hard-coded username and password for the manager app.
2015-02-19 15:08:50 -06:00
sinn3r
b90639fd66
Land #4726 , X360 Software actvx buffer overflow
2015-02-17 11:41:23 -06:00
sinn3r
0597d2defb
Land #4560 , Massive Java RMI update
2015-02-17 10:07:07 -06:00
Brent Cook
cf0589f8c6
add support for direct reg access to pymeterpreter
...
When testing this, I found that the python meterpreter hangs running the
following, with or without these changes.
```
use exploit/multi/handler
set payload python/meterpreter/reverse_tcp
set PythonMeterpreterDebug true
set lhost 192.168.43.1
exploit -j
sleep 5
use exploit/windows/local/trusted_service_path
set SESSION 1
check
```
This turned out to be that pymeterpreter ate all the rest of the data in the
recv socket by consuming 4k unconditionally. This would only be exposed if
there were multiple simultaneous requests so the recv buffer filled beyond a
single request, e.g. when using the registry enumeration functions.
2015-02-17 06:11:20 -06:00
Brent Cook
7e9a331087
remove unused .class files
...
These were added for multi/browser/java_signed_applet, but the class
files are already packaged in a jar file, which is what is actually
used.
2015-02-12 16:08:29 -06:00
Brent Cook
7ab7add721
bump meterpreter_bins to 0.0.14, update Linux binaries.
...
Hopefully the last manual build before packaging the Linux bins into
meterpreter_bins as well.
This includes all of the fixes and improvements over the past month.
rapid7/meterpreter#116
rapid7/meterpreter#117
rapid7/meterpreter#121
rapid7/meterpreter#124
2015-02-10 12:43:47 -06:00
jvazquez-r7
1f4fdb5d18
Update from master
2015-02-10 10:47:17 -06:00
jvazquez-r7
511f637b31
Call CollectGarbage
2015-02-09 14:44:31 -06:00
Brent Cook
af405eeb7d
Land #4287 , @timwr's exploit form CVS-2014-3153
2015-02-09 10:33:14 -06:00
Brent Cook
0e4f3b0e80
added built data/exploits/CVE-2014-3153.elf
2015-02-09 09:50:31 -06:00
jvazquez-r7
a46a53acaf
Provide more space for the payload
2015-02-06 14:49:49 -06:00
jvazquez-r7
414349972f
Fix comment
2015-02-06 11:34:20 -06:00
jvazquez-r7
b5e230f838
Add javascript exploit
2015-02-06 11:04:59 -06:00
scriptjunkie
5b2eb986c9
Land #4678 Add post module to phish credentials
2015-02-04 23:43:02 -06:00
Brent Cook
2fdeeb3b13
Rebuilt Java Payloads with the latest NDK/SDK and meterpreter-javapayload
...
Fix rapid7/meterpreter#95 , rebuilt with all outstanding PRs from
rapid7/metasploit-javapayload.
2015-02-02 13:09:15 -06:00
jvazquez-r7
aa7f7d4d81
Add DLL source code
2015-02-01 19:59:10 -06:00
jvazquez-r7
d211488e5d
Add Initial version
2015-02-01 19:47:58 -06:00
wez3
25ac9c1ed9
Add post module to phish windows user credentials
2015-01-30 19:50:04 +01:00
jvazquez-r7
f9dccda75d
Delete unused files
2015-01-22 18:00:31 -06:00
William Vu
75e04705d5
Land #4624 , Firefox 33-35 os.js support
2015-01-22 13:35:47 -06:00
Joe Vennix
5bfb88d55c
Update os.js to detect newer firefox versions.
2015-01-21 16:12:17 -06:00
Brent Cook
94fda6e617
Land #4600 , jvazquez-r7's Linux meterpreter bins
2015-01-20 09:38:35 -06:00
sinn3r
76746eb209
New password from Hathaway
2015-01-19 21:45:47 -06:00
eyalgr
f12c6a1624
Update meterpreter.py
...
Read until exactly pkt_length bytes
2015-01-18 15:45:28 +02:00
eyalgr
d83c6ae215
Update meterpreter.py
...
Read exactly pkt_length from socket, prevents over-reading.
2015-01-18 15:29:23 +02:00
jvazquez-r7
ffc676ead0
Update linux meterp binaries
2015-01-16 17:09:38 -06:00
jvazquez-r7
26789fa76c
Add JMXPayload binary classes for testing
2015-01-15 17:58:09 -06:00
Brent Cook
47cd5a3e59
Land #4562 , wchen-r7's Win8 NtApphelpCacheControl privilege escalation
2015-01-15 13:52:07 -06:00
sinn3r
74e8e057dd
Use RDL
2015-01-09 19:02:08 -06:00
OJ
dfdf99c8f4
Remove metcli
...
The metcli.exe binary doesn't get used any more and the source was removed
from Meterpreter ages ago. No point in having it in the repo any more.
2015-01-10 09:21:44 +10:00
Brent Cook
ce87b126c1
Update to the latest meterpreter_bins
...
This removes checked-in sniffer extension in favor of the gem-packaged version.
It also pulls in the changes for verifying #4411
2015-01-09 16:57:10 -06:00
sinn3r
fce564cde2
Meh, not the debug build. Should be the release build.
2015-01-08 22:06:07 -06:00
sinn3r
14c54cbc22
Update DLL
2015-01-08 21:36:02 -06:00
sinn3r
d3738f0d1a
Add DLL
2015-01-08 17:17:55 -06:00
sinn3r
50ecfbf64c
Land #4553 - Update bypass UAC to work on 7, 8, 8.1, and 2012
2015-01-08 16:19:55 -06:00
William Vu
3c4ec1d958
Land #4547 , rm data/meterpreter/common.lib
2015-01-08 04:52:29 -06:00
OJ
844460dd87
Update bypass UAC to work on 8.1 and 2012
...
This commit contains a bunch of work that comes from Meatballs1 and
Lesage, and updates the bypassuac_inject module so that it works on
Windows 8.x and Windows 2012. Almost zero of the code in this module
can be attributed to me. Most of it comes from Ben's work.
I did do some code tidying, adjustment of style, etc. but other than
that it's all down to other people.
2015-01-08 15:39:19 +10:00
Brent Cook
32ddd5ccb4
delete unused library from meterpreter dir
...
common.lib is only used by the build process, not MSF
2015-01-07 16:00:37 -06:00
David Maloney
5480cb81f5
add updated KoreLogic rules to john.conf
...
updated our shipped john.conf to include a
more up to date version of the KoreLogic JtR rules.
They add overhead to the cracking time but are
probably some of the best/most effective JtR
rules out there.
2015-01-07 12:25:04 -06:00
Brent Cook
7ae56865f1
Update linux meterpreter binaries for rapid7/meterpreter#111
...
This rebuilds the binaries on Ubuntu 10.04 i386 for metepreter PR #111 ,
improving the reliability and fixing some bugs in linux process migration.
Tested against Ubuntu 10.04 i386 and Ubuntu 14.04 x86_64:
```
meterpreter > ps
...
55994 48270 server 0 bcook ../metasploit-framework/server
56009 44199 bash 0 bcook -bash
56094 56009 dummy 0 bcook ./dummy
meterpreter > migrate 56094
[*] Migrating to 56094
[*] Migration completed successfully.
meterpreter > sysinfo
Computer : mint
OS : Linux mint 3.13.0-37-generic #64-Ubuntu SMP Mon Sep 22 21:28:38 UTC 2014 (x86_64)
Architecture : x86_64
Meterpreter : x86/linux
meterpreter > ps
...
55994 48270 [server] <defunct> 0 bcook
56009 44199 bash 0 bcook -bash
56094 56009 dummy 0 bcook ./dummy
meterpreter >
```
Verified presence of call stub when debugging a session:
```
(gdb) x/32b 0x61cc28
0x61cc28: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0x61cc30: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0x61cc38: 0x90 0x90 0x68 0x04 0x00 0x00 0x00 0x68
0x61cc40: 0xff 0xff 0xff 0xff 0xb8 0x5a 0x5a 0x5a
```
2015-01-04 10:47:44 -06:00
jvazquez-r7
69bda63ef6
Update linux meterpreter binaries
2015-01-01 20:05:36 -06:00
jvazquez-r7
dccf189600
Update binaries
2014-12-30 18:39:29 -06:00
Tod Beardsley
d3050de862
Remove references to Redmine in code
...
See #4400 . This should be all of them, except for, of course, the module
that targets Redmine itself.
Note that this also updates the README.md with more current information
as well.
2014-12-19 17:27:08 -06:00
Spencer McIntyre
0ee20561d4
Remove file exists check from stdapi_fs_delete_file
2014-12-09 11:03:57 -06:00
Spencer McIntyre
42710cc32e
Error messages for the python meterpreter
2014-12-09 11:03:57 -06:00
Christian Mehlmauer
738fc78883
Land #4220 , outlook gather post module
2014-12-07 22:41:28 +01:00
Christian Mehlmauer
9187a409ec
outlook post module fixes
2014-12-06 00:28:44 +01:00
Spencer McIntyre
83b0ac0209
Fix stdapi_sys_config_getenv for Python3
2014-12-04 15:58:17 -06:00
Spencer McIntyre
44816b84aa
Prefer the pwd module for getuid when available
2014-12-04 15:58:17 -06:00
HD Moore
fc96d011ab
Python reverse_http stager, lands #4225
2014-12-02 11:47:31 -06:00
jvazquez-r7
7a2c9c4c0d
Land #4263 , @jvennix-r7's OSX Mavericks root privilege escalation
...
* Msf module for the Ian Beer exploit
2014-11-30 21:13:07 -06:00
jvazquez-r7
7772da5e3f
Change paths, add makefile and compile
2014-11-30 21:06:11 -06:00
Meatballs
f5f32fac06
Add token fiddling from nishang
2014-11-28 23:02:59 +00:00
Meatballs
48a5123607
Merge remote-tracking branch 'upstream/master' into pr4233_powerdump
2014-11-27 20:08:11 +00:00
Joe Vennix
7a3fb12124
Add an OSX privilege escalation from Google's Project Zero.
2014-11-25 12:34:16 -06:00
Peter Marszalik
830af7f95e
identified instances of tabs vs spaces in the original
...
identified 16 instances in the original code where tab was used vs spaces. updated to keep consistent.
2014-11-25 12:17:43 -06:00
Peter Marszalik
705bd42b41
tab to space change - line 296
2014-11-22 14:48:44 -06:00
Peter Marszalik
900aa9cd6b
powerdump.ps1 bug - corrupt hash fix
...
Fixed the bug where the hashes are not being extracted correctly when LM is disabled and history is enabled.
Rather than relying on length, LM and NT headers are checked. Four bytes at 0xa0 show if LM exists and four bytes at 0xac show if NT exists. Details on this known issue can be found in the following whitepaper from blackhat:
https://media.blackhat.com/bh-us-12/Briefings/Reynolds/BH_US_12_Reynods_Stamp_Out_Hash_WP.pdf
2014-11-18 23:10:57 -06:00
Spencer McIntyre
2b36c1bb43
Fix pymeterp bugs from testing in osx and python3
2014-11-17 14:04:30 -05:00
HD Moore
1d8b746d89
Adds new TFTP file names, submitted by Chris McNab
2014-11-16 18:47:11 -06:00
Spencer McIntyre
0bf93acf6b
Pymeterp http proxy and user agent support
2014-11-16 14:29:20 -05:00
Spencer McIntyre
e562883ba9
Escape inserted vars and fix core_loadlib
2014-11-15 15:06:18 -05:00
Spencer McIntyre
7c14e818f6
Patch pymeterp http settings
2014-11-14 17:12:23 -05:00
Spencer McIntyre
681ae8ce6b
Pymet reverse_http stager basic implementation
2014-11-14 14:15:46 -05:00
Spencer McIntyre
6b2387b7fc
Prepare for a reverse_http stager
2014-11-14 11:15:22 -05:00
jvazquez-r7
c35dc2e6b3
Add module for CVE-2014-6352
2014-11-12 01:10:49 -06:00
William Vu
adad3809cc
Rename logo file
2014-11-11 16:07:44 -06:00
Joshua Smith
329ea4fe01
the masterpiece is complete
2014-11-11 15:35:36 -06:00
Spencer McIntyre
7edc248207
Don't fail if username_from_token returns None
2014-11-10 09:15:16 -05:00
Spencer McIntyre
104841babf
Add getsid to the python meterpreter
2014-11-08 20:57:24 -05:00
sinn3r
c2391bf011
Add an R in /Info for the trailer dictionary to make it readable
2014-11-05 22:28:37 -06:00
sinn3r
1b2554bc0d
Add a default template for CVE-2010-1240 PDF exploit
2014-11-05 17:08:38 -06:00
jvazquez-r7
f43a6e9be0
Use PDWORD_PTR and DWORD_PTR
2014-10-31 17:35:50 -05:00
jvazquez-r7
8e547e27b3
Use correct types
2014-10-31 12:37:21 -05:00
HD Moore
9b61ae5f63
This is halloween.
...
THISISHALLOWEEN=1 ./msfconsole
2014-10-30 23:35:12 -05:00
jvazquez-r7
6574db5dbb
Fix the 64 bits code
2014-10-30 17:01:59 -05:00
jvazquez-r7
03a84a1de3
Search the AccessToken
2014-10-30 12:17:03 -05:00
OJ
908094c3d3
Remove debug, treat warnings as errors
2014-10-28 09:04:02 +10:00
OJ
0a03b2dd48
Final code tidy
2014-10-28 08:59:33 +10:00
William Vu
626cd55b5e
Land #4073 , improved banner selection
2014-10-27 14:20:10 -05:00
Spencer McIntyre
04a99f09bb
Land #4064 , Win32k.sys NULL Pointer Dereference
2014-10-27 14:01:07 -04:00
jvazquez-r7
042d29b1d6
Compile binaries in house
2014-10-27 12:18:33 -05:00
jvazquez-r7
4406972b46
Do version checking minor cleanup
2014-10-27 09:32:42 -05:00
jvazquez-r7
0aaebc7872
Make GetPtiCurrent USER32 independent
2014-10-26 18:51:02 -05:00
jvazquez-r7
34697a2240
Delete 'callback3' also from 32 bits version
2014-10-26 17:28:35 -05:00
Spencer McIntyre
7416c00416
Initial addition of x64 target for cve-2014-4113
2014-10-26 16:54:42 -04:00
Spencer McIntyre
91dc875af5
Remove seemingly useless file among banners
2014-10-24 13:11:58 -04:00
Spencer McIntyre
c1a61e3b4e
Support an MSFLOGO env var and logo enumeration
2014-10-24 13:07:28 -04:00
Spencer McIntyre
82f41d56a6
Add [user_]logos_directory to Msf::Config
2014-10-24 10:52:05 -04:00
Joshua Smith
34f29f218c
really resolve merge conflicts
2014-10-23 21:51:33 -05:00
jvazquez-r7
a75186d770
Add module for CVE-2014-4113
2014-10-23 18:51:30 -05:00
jvazquez-r7
bf8dce574a
Add ppsx template
2014-10-16 17:55:22 -05:00
William Vu
056ee4f207
Land #3958 , kill command for pyterp
2014-10-07 10:58:37 -05:00
Spencer McIntyre
766a69e310
Add sys_process_kill to the python meterpreter
2014-10-07 10:10:22 -04:00
James Lee
a65ee6cf30
Land #3373 , recog
...
Conflicts:
Gemfile
Gemfile.lock
data/js/detect/os.js
lib/msf/core/exploit/remote/browser_exploit_server.rb
modules/exploits/android/browser/webview_addjavascriptinterface.rb
2014-10-03 18:05:58 -05:00
Spencer McIntyre
7da22d064d
Remove an unnecessary var and fix process_close
2014-10-02 20:52:45 -04:00
sinn3r
135bed254d
Update BrowserExploitServer for JSObfu
2014-09-20 17:59:36 -05:00
Joe Vennix
87aeac2b13
Fix syntax error in os.js, specs ftw.
2014-09-12 11:01:08 -05:00
Joe Vennix
8e091b6da0
Add support for ff 29 - 32 feature.
2014-09-11 22:01:36 -05:00
Tod Beardsley
4fc1ec09c7
Land #3759 , Android UXSS, with ref/desc fixes
...
Incidentally, this also closes jvennix-r7#14 (let's see if I can close a
PR by merging from another repo!)
Also fixes #3782 (opened by accident).
2014-09-11 14:27:51 -05:00
Joe Vennix
7793ed4fea
Add some common UXSS scripts.
2014-09-09 02:31:27 -05:00
Tom Sellers
288a891665
Add the 'guest' IPMI user
...
The 'guest' IPMI user exists on many Cisco Unified Computing Server (UCS) implementations.
2014-09-01 07:01:06 -05:00
Brandon Turner
05f0d09828
Merge branch staging/electro-release into master
...
On August 15, shuckins-r7 merged the Metasploit 4.10.0 branch
(staging/electro-release) into master. Rather than merging with
history, he squashed all history into two commits (see
149c3ecc63
and
82760bf5b3
).
We want to preserve history (for things like git blame, git log, etc.).
So on August 22, we reverted the commits above (see
19ba7772f3
).
This merge commit merges the staging/electro-release branch
(62b81d6814
) into master
(48f0743d1b
). It ensures that any changes
committed to master since the original squashed merge are retained.
As a side effect, you may see this merge commit in history/blame for the
time period between August 15 and August 22.
2014-08-22 10:50:38 -05:00
Brandon Turner
19ba7772f3
Revert "Various merge resolutions from master <- staging"
...
This reverts commit 149c3ecc63
.
Conflicts:
lib/metasploit/framework/command/base.rb
lib/metasploit/framework/common_engine.rb
lib/metasploit/framework/require.rb
lib/msf/core/modules/namespace.rb
modules/auxiliary/analyze/jtr_postgres_fast.rb
modules/auxiliary/scanner/smb/smb_login.rb
msfconsole
2014-08-22 10:17:44 -05:00
HD Moore
6d92d701d7
Merge feature/recog into post-electro master for this PR
2014-08-16 01:19:08 -05:00
Samuel Huckins
149c3ecc63
Various merge resolutions from master <- staging
...
* --ask option ported to new location
* --version option now works
* MSF version updated
* All specs passing
2014-08-15 11:33:31 -05:00
joev
af3ca19ab2
Land #3501 , @AnwarMohamed's android meterpreter commands.
2014-08-09 16:29:59 -05:00
Brandon Turner
91bb0b6e10
Metasploit Framework 4.9.3-2014072301
...
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAABAgAGBQJT0CeVAAoJEJMMBVMNnmqO/7AP/0CBRHjtgiR9VnFKSQ+iWTQV
iPNMBevn0mpSRq/gpoKCeFBZ6b+YQYrOLXDKVk62VV9LCslkr/P8LW8ul+m+JtB0
mM6V5esUXM1XhgGEyTnTLRx6BR/WQU1RHlb56ae3nZjQlwCuH/5zEmcy5toZxpsY
6HO46zE0GGBoLr/VgyYlfT08bfoQ+ICyJN0H5ixoovCc3iW0K1MNqLMfdani8zBJ
gYJaMysV7XtepumWWQMSC+b/EuertdXXzWDy2bwe0Q3cQXNXzrkPAvtMqucWG+gy
783OLKCPtVoEZiX87xAptkwmVCRdNGPclaWH7YRZDAh1tqBfRQUg72V/TIrOHCP1
/lYO7yp5pBQg+1UNnpH+xI2YePFfYdHpYDNT5FSQGOnQjJg30ll4SqCm7cVmo2h5
BRSYXkPCsQeXGaFarxGERNb8e+qN/WzSrHzY45tQw8mDuhg94tlf3VtDag3FXxhj
zCxd6bu+tdboVm7FERS85T46kxzmeIycZ4p+Sf7d8gXitl2RKbBdKFNDi1gzeK1T
yN7bDl4sL7qtDgZLXjFrnyC8vXyAqIrAgmFr2JywMBRm6TiCGQvgnrs+sScU3RFU
W2tblGbKQq+CwDeC59uQPqxRkm72SMUrKX9448VEQ+9XbKE3TMQ5Q4qCxmnw31Op
aJ0QgKJz8thZgafZc89I
=e1z9
-----END PGP SIGNATURE-----
gpgsig -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAABCgAGBQJT4pb8AAoJEA+Ckxyj7hsHn+8P/3FlEYCmoqQ/JzsVtmP3Yi4Q
gBRva+crY831mCCQXFrPJBvWfmy5HOzVh+Zh7zWF0GQ1WuuMppHfR5ARFVwmiDs3
qwndhXwziDzBnznf0JKSgT5eJsH23s/ots1lyWymKJvPuT6hn6MRAHUawgnNmYR9
ttnawmHvCM9Iha2oz3nmkLcNd+83bdBfEWi5l8AQ7jJxwMC2/8VPpMscVVwXqPzd
CoQugAYZW5VeaEiGio5+19Ix9EPkIDvs6wnfGBtfPfeaOIDZV4XOFoIFUtEeZd5o
olvEpYvdqscy4Qujzn4C++3wX3bUxkIbHTJHgrKmlD83dI7Cu1JH716G+yfLoJo0
pQBWTGeWYKEh6leK/9J5Bo1/tOJ/ylbcbvH0Y0tmdu4icHar6uYe1QBrCB9xIdh1
F+xo4guYnVo616DXJQSwjIye83b5dBxACrfA3bqCnFVFgTM5jXGV1cqiBgs9Dl++
tIDPgUJkCe/bIdQ7PntlGRzxKihHahlxhCa++YaGKqSq7gXie8Rl4qgloIrbfNZ/
z3XsoOLNdbMGO7ip88Zjwq4Khj5WZu7ijfCtXO7GU1UJZL1tJ2yK2ic7ZDLc251Y
8EGMSTG53+6yvZYFtWMZeQzjwD2cpuF04dOmHOKi6KGJJ7KRPhn6gpsbc6U1mbH9
AjGcfOzhhcsY+WAQ7OG+
=Pjob
-----END PGP SIGNATURE-----
Merge tag '2014072301' into staging/electro-release
Conflicts:
Gemfile.lock
modules/post/windows/gather/credentials/gpp.rb
This removes the active flag in the gpp.rb module. According to Lance,
the active flag is no longer used.
2014-08-06 15:58:12 -05:00
Joe Vennix
2b46e76e85
Recompiled again.
2014-07-27 22:23:26 -07:00
Joe Vennix
ae1f498aae
Check in new android binaries.
2014-07-27 13:22:12 -07:00
Sam
8cabc753a9
Replace hpricot by nokogiri
2014-07-17 00:14:07 +02:00
David Maloney
52a29856b3
Merge branch 'master' into staging/electro-release
...
Conflicts:
Gemfile
Gemfile.lock
2014-07-16 09:38:44 -05:00
OJ
77be5d3e0a
Land #3520 : Update Linux Meterpreter Binaries
...
Includes fixes for the sniffer which stop it breaking on x64 and make
it work with the `any` interface.
[FixRM #6355 ]
2014-07-15 09:27:30 +10:00
James Lee
de22aeba41
Land #3481 , meterpreter bins
2014-07-14 15:57:52 -05:00
jvazquez-r7
31c447e217
Update binaries
2014-07-14 08:50:30 -05:00
jvazquez-r7
074632043f
Update meterpreter binaries
2014-07-10 16:36:48 -05:00
Tod Beardsley
038d1e210a
Merge upstream/master to deconflict.
...
Conflicts:
Gemfile.lock
2014-07-09 17:43:42 -05:00
AnwarMohamed
34dcb609e2
android extension
2014-07-08 04:52:06 +02:00
David Maloney
aeda74f394
Merge branch 'master' into staging/electro-release
...
Conflicts:
Gemfile
Gemfile.lock
2014-07-07 16:41:23 -05:00
OJ
bdf27b1834
Fix up the TLVs that are now QWORD values in MSF
...
Various values were adjusted to become QWORD values in MSF an windows
meterpreter, but the changes were not ported over to python, php and
java. This commit fixes this inconsistency.
2014-07-07 10:42:58 -05:00
HD Moore
ab7848a895
Merge master for testing of #2809
2014-07-06 22:27:58 -05:00
HD Moore
43d65cc93a
Merge branch 'master' into feature/recog
...
Resolves conflicts:
Gemfile
data/js/detect/os.js
modules/exploits/android/browser/webview_addjavascriptinterface.rb
2014-07-06 09:17:44 -05:00
James Lee
41cd5527c8
Close the server socket in php bind stager
...
This was previously left dangling, which leaves the port open, but
doesn't do anything with subsequent connections.
2014-07-03 16:52:09 -05:00
James Lee
9246f7a0ce
Strip the NULL that PHP no longer strips
...
As of PHP 5.5.0, unpack("a", ...) no longer strips the NULL byte from
the end of the string. A new format specifier, Z, was introduced to
perform the old behavior, but we don't have a good way to test for its
existence. Instead, just remove it with str_replace
2014-07-03 15:58:05 -05:00
Tod Beardsley
8b63d3d467
Revert the revert of #3446
...
This reverts commit 9b35b0e13a
.
This should not land on master until the Metasploit Pro folks (@trosen-r7
and friends) get their Meterpreter path specifications working the
same way as Framework's does.
2014-06-29 17:22:21 -05:00
David Maloney
b680674b95
Merge branch 'master' into staging/electro-release
2014-06-27 11:55:57 -05:00
sinn3r
ce5d3b12e7
Land #3403 - MS13-097 Registry Symlink IE Sandbox Escape
2014-06-26 13:48:28 -05:00
sinn3r
0b6f7e4483
Land #3404 - MS14-009 .NET Deployment Service IE Sandbox Escape
2014-06-26 11:45:47 -05:00
Chris Doughty
9b35b0e13a
Revert "Land #3446 -- Meterpreter bins gem switch" due to build failures
...
This reverts commit bba8bd3498
, reversing
changes made to 002234993f
.
2014-06-25 13:24:07 -05:00
Tod Beardsley
fbb6808b1a
Re-add common.lib and ext_server_sniffer DLLs
...
These are not currently included in meterpreter_bins. Figure this out
with @cdoughty-r7 , probably just an oversight.
2014-06-19 16:10:22 -05:00
Tod Beardsley
88b482118d
Remove local Meterpreter Windows binaries
2014-06-19 16:05:53 -05:00
James Lee
b606448976
Merge branch 'feature/MSP-9689/jtr_cracker' into staging/electro-release
2014-06-19 10:14:57 -05:00
navs
1c5cfeebb3
adding template and src for elf 64 shared object payload target
2014-06-19 00:38:16 -05:00
David Maloney
41f7bc1372
add common root words wordlist
...
this adds a new wordlist to the data directory.
This wordlist is compiled from statistical analysis of
common Numeric passwords and Common rootwords across
6 years of colleted password breach dumps. Every word in
this list has been seen thousands of times in password
breaches
2014-06-14 14:13:59 -05:00
Tod Beardsley
af9028e867
Add Meterpreter bins for PR76
...
These are the binaries generated for rapid7/meterpreter#76 , against
commit 2776adb8b91d9967983033c0e770c46a10a68002
These bins are need to make #3416 actually functional
2014-06-12 14:29:40 -05:00
sinn3r
2a7227f443
Land #3427 - Adds webcam module for firefox privileged sessions on OSX
2014-06-11 22:27:25 -05:00
Meatballs
d868294d5b
MEM_RESERVE too
2014-06-08 17:37:57 +01:00
jvazquez-r7
9d08ebe273
Fix VirtualAlloc call on PSH old template
2014-06-08 11:09:03 -05:00
joev
a33de66da4
Fix transparent background, add VISIBLE option.
2014-06-06 16:52:00 -05:00
joev
d990fb4999
Remove a number of stray edits and bs.
2014-06-06 16:24:45 -05:00
joev
7c762ad42c
Fix some minor bugs in webrtc stuff, inline API code.
2014-06-06 16:18:39 -05:00
Brandon Turner
d9a5002bd3
Merge branch 'release'
...
Updates meterpreter bins and closes #3425 and #3423 .
2014-06-05 17:33:11 -05:00
Tod Beardsley
97a70e49c8
Roll back the jar/py changes
2014-06-05 17:31:02 -05:00
Tod Beardsley
737f06f600
Add Meterpreter bins for release branch.
...
This contains the same bins as #3423 , but it is targeted at the release
branch for rapid7/metasploit-framework.
2014-06-05 17:17:32 -05:00
William Vu
6c7fd3642a
Land #3411 , Python 3.[34] Meterpreter support
2014-06-03 11:34:22 -05:00
jvazquez-r7
b8a2cf776b
Do test
2014-06-03 09:52:01 -05:00
jvazquez-r7
05ed2340dc
Use powershell
2014-06-03 09:29:04 -05:00
jvazquez-r7
f918bcc631
Use powershell instead of mshta
2014-06-03 09:01:56 -05:00
jvazquez-r7
7f4702b65e
Update from rapid7 master
2014-06-02 17:41:41 -05:00