Commit Graph

1404 Commits (36b7fb35249fb6066df1336dcf2f4a2dd1b40ac8)

Author SHA1 Message Date
UserExistsError e19a071910 add bind_named_pipe x86 2018-02-22 19:03:37 -07:00
Brent Cook 99e278fa29 Land #9584, Fix reverse_php_ssl infinite loop 2018-02-22 07:03:52 -06:00
Trevor Sibanda 77b3673e38 Fix reverse_php_ssl infinite loop 2018-02-22 08:42:54 +00:00
Brent Cook 05e002e3c5 Land #9366, Add x64 staged Meterpreter for macOS 2018-02-19 23:15:03 -06:00
RageLtMan 354eb4092a Reverse TCP x64 RC4 via max3raza's rc4_x64 asm
To round out the work done by mihi for x86 stages back in the day,
this PR provides x64 Windows stage encryption in RC4 via assembly
written/modified by max3raza during adjacent work on DNS tunneled
transport.

Stage encryption differs from encoding in that there is no decoder
stub or key material carried with the stage which can be used by
defensive systems to decode and identify the contents. Persistence
payloads, oob-delivered stage0, and other contexts benefit heavily
from this as their subsequent stage is difficult to detect/identify,
and the chance of accidental execution of the wrong payload/stage
is drastically reduced if separate keys are in play for individual
targets - acquiring the wrong stage will result in decryption
failure and prevent further execution.

For historical context, all of the RC4 stagers implement in-place
decryption via stage0 for the contents of stage1 using the provided
passphrase converted to a key and embedded in stage0 as part of the
payload.

Testing:
  In-house testing with Max - we got sessions, loaded extensions.

Notes:
  All credit for the work goes to Max3raza - big ups for getting
this knocked out.
2018-02-16 05:15:05 -05:00
Brent Cook d28f6888b2 bump payloads, include bind_named_pipe support 2018-02-15 17:37:33 -06:00
Brent Cook 38b03fdfff Merge branch 'upstream-master' into land-9539- 2018-02-15 16:22:13 -06:00
Brent Cook 67dc579fd3 update magic numbers 2018-02-15 15:10:26 -06:00
Jeffrey Martin 3811665b69 Land #7699, Add UDP handlers and payloads (redux) 2018-02-13 14:50:09 -06:00
Jeffrey Martin d56111a33c update cache sizes from new tests 2018-02-13 14:34:21 -06:00
Jeffrey Martin 2221779ddd update package namespaces 2018-02-13 13:33:36 -06:00
UserExistsError bad1429989 reverted CachedSize values 2018-02-11 19:07:41 -07:00
UserExistsError 8ae8a0d94b added bind_named_pipe payload 2018-02-11 18:56:50 -07:00
Brent Cook 1af1631ef6 bump cached payload sizes 2018-02-07 08:06:37 -06:00
Tim W 0ce125ec55 more fixes 2018-01-30 17:54:10 +08:00
Tim W 39c07e2289 add references 2018-01-30 17:52:01 +08:00
RageLtMan ed47efdadc Silence tidy failures 2018-01-23 02:03:50 -05:00
RageLtMan 721163bd67 Python shell via reverse UDP
Python-based UDP egress shell, another PoC of the protocol used
as a raw transport.
2018-01-23 02:00:56 -05:00
RageLtMan ef1d4ddb03 Add UDP handlers and payloads (redux)
This is a repackaging effort for the work I originally pushed in
6035. This segment of the PR provides UDP session handlers for
bind and reverse sessions, a Windows Metasm stager (really the
TCP stager with a small change), and a pair of socat payloads for
testing simple UDP shells. Netcat or any scripting language with
a sockets library is sufficient to use these sessions as they are
stateless and simple.

Testing of this PR requires rex/core #1 and rex/socket #2

The SSL testing which was being done on 6035 is backed out, left
for a later time when we can do DTLS properly.
2018-01-23 02:00:55 -05:00
Brent Cook aae77fc1a4 Land #9349, GoAhead LD_PRELOAD CGI Module 2018-01-22 23:10:36 -06:00
Brent Cook 69818aea22 update payload sizes 2018-01-21 08:03:07 -06:00
Brent Cook 7849743789 update stageless python sizes 2018-01-18 00:41:58 -06:00
Tim W 550e9a3d31 fix payload cached size 2018-01-10 15:06:08 +08:00
Tim W cf893c2962 fix LHOST 2018-01-10 11:48:41 +08:00
Tim W e225e29add fix default LHOST 2018-01-10 11:34:51 +08:00
Brent Cook f125e13278 python meterpreter whitespace normalization 2018-01-09 16:08:52 -05:00
Tim W beda2d1efb add retries and error checking to osx stager 2018-01-05 03:59:12 +08:00
Tim W 46a45550fd add osx x64 stager 2018-01-03 14:04:14 +08:00
Tim W 44fbb171a6 osx stager 2017-12-29 11:13:25 +08:00
HD Moore ab8886e25c Updated payloads and addition of payload stubs 2017-12-28 16:21:37 -06:00
Brent Cook 24907938bb bump payloads, various fixes 2017-12-20 16:47:37 -06:00
Brent Cook df4f62cde9 bump to mettle 0.3.3 2017-12-20 15:58:17 -06:00
Brent Cook 210f137b7b Merge branch 'upstream-master' into land-9296- 2017-12-20 12:07:53 -06:00
Brent Cook 6b216f2a20 Land #9290, Fix OverrideLHOST/LPORT with http/s Meterpreter payloads 2017-12-20 00:26:06 -06:00
Tim 358aca9435 apple_ios/aarch64/shell_reverse_tcp 2017-12-19 15:42:21 +08:00
Brent Cook 2a94a4417a bump payloads 2017-12-18 10:01:10 -06:00
Tim c4e20e01e3 iOS meterpreter 2017-12-12 23:23:21 +08:00
Brent Cook 3f6846c332 update payloads with python retry fix 2017-12-12 03:13:38 -06:00
Brent Cook 8645a518b3 add mettle support for custom headers 2017-11-24 20:27:34 -06:00
Brent Cook a7932ffe0e fix sizes 2017-11-21 14:31:14 -06:00
Brent Cook 4050985649 update payloads 2017-11-21 13:53:33 -06:00
Brent Cook 1fd7f7c8bc prefix MeterpreterUserAgent and PayloadProxy* with Http for consistency,
this also adds aliases where needed
2017-11-21 13:47:19 -06:00
Patrick Webster 2f6da89674 Change author name to nick. 2017-11-09 03:00:24 +11:00
Jeffrey Martin 7a21cfdfa6 add cached sizes for ppce500v2 2017-11-01 13:08:15 -05:00
Brent Cook 56eb828cc5 add e500v2 payloads 2017-10-30 14:04:10 -05:00
Brent Cook 22f9626186 update sizes 2017-10-30 05:26:29 -05:00
Jeffrey Martin cd755b05d5 update powershell specs for rex-powershell 0.1.77 2017-10-26 15:03:10 -05:00
Brent Cook 50c533a452 update cached sizes 2017-10-23 23:04:02 -05:00
mumbai 19859f834d re-add payload 2017-10-23 10:20:19 -04:00
itsmeroy2012 9afc8b589c Updating the payload sizes 2017-10-14 11:05:44 +05:30
itsmeroy2012 a0abffb6c4 Adding functionality of StagerRetryWait and StagerRetryCount 2017-10-12 22:25:00 +05:30
itsmeroy2012 374c139d33 Increasing the functionality of the nodejs shell_reverse_tcp payload 2017-10-12 19:05:59 +05:30
Jeffrey Martin b76c1f3647
remove invalid 'client' object reference in nodejs
fix #9063 by removing invalid object reference introduced in PR #8825
2017-10-11 11:09:28 -05:00
bwatters-r7 f996597bcf update cached payload sizes 2017-10-06 13:19:00 -05:00
Brent Cook c701a53def Land #9018, Add Bind Shell JCL Payload for z/OS 2017-10-05 17:24:50 -05:00
bigendiansmalls 8af2e5a7ee
Cleanup revshell for zos
remove unused code, extra comments
align code, etc. no functionality changes
2017-09-29 18:27:29 -05:00
bigendiansmalls 9ae8bdda1c
Added Bind Shell JCL Payload for mainframe
The bind shell is the companion payload to the reverse_shell_jcl
payload for the mainframe platform.
2017-09-29 16:52:36 -05:00
Brent Cook cad36ee14e Land #8952, suhosin compatibility added to staged payload 2017-09-26 15:22:36 -05:00
h00die c90f885938 Finished spelling issues 2017-09-17 16:00:04 -04:00
Anant Shrivastava 86726978ed payload size updated 2017-09-12 19:23:31 +05:30
Jeffrey Martin a58552daad Land #8825, Handle missing util.pump in nodejs shell payloads 2017-09-11 15:32:21 -05:00
Brent Cook 9877a61eff bump payloads 2017-09-07 01:36:25 -05:00
OJ 816e78b6f6 First pass of named pipe code for pivots 2017-09-07 01:33:53 -05:00
Adam Cammack 195c1e041f Update payload specs and sizes
Adds the new Aarch64 and R payloads

fix merge
2017-08-31 18:48:56 +08:00
Tim 7b71f60ea1 fix the stack 2017-08-31 18:35:18 +08:00
Tim 26f4fa3b09 setup stack 2017-08-31 18:35:17 +08:00
Tim a2396991f0 stager not setting up stack 2017-08-31 18:35:17 +08:00
Tim 6dbe00158f fix stager 2017-08-31 18:35:17 +08:00
Brent Cook 582b2e238e update mettle payload to 0.2.2, add background and single-thread http comms 2017-08-28 05:31:44 -05:00
Brent Cook 15ec40f5c6 update R cached sizes 2017-08-28 05:31:42 -05:00
Jeffrey Martin cba4d36df2 provide missing bits for R platform 2017-08-23 16:58:48 -05:00
Brent Cook 031f48725f add missing quotes 2017-08-21 16:16:03 -05:00
Brent Cook c14daf3fcc Land #8857, Reverse and bind shells in R 2017-08-21 15:49:24 -05:00
Brent Cook 605330faf6 Land #8842, add linux/aarch64/shell_reverse_tcp 2017-08-21 15:44:28 -05:00
Brent Cook 430251b8f6 fix compatibility with php meterpreter 2017-08-21 15:37:31 -05:00
RageLtMan 2873a899db Address msftidy complaint 2017-08-21 03:39:03 -04:00
Tim d6d6c67f33 add stage_shell.s and cleanup 2017-08-21 14:42:30 +08:00
Tim e1a7494724 linux payloads should default to /bin/sh 2017-08-21 12:25:27 +08:00
Tim 9768a89bcd aarch64 staged shell 2017-08-21 11:14:42 +08:00
RageLtMan 7ab097a784 Unix cmd versions of R payloads
Use R to connect back from a unix shell.

Notes:
  We need to DRY this up - tons of copy pasta here, when we should
  really be instantiating the language specific payloads and just
  wrapping them with CLI execution strings.

Testing:
  None, yet, just did the quick port to wrap this and push to CI
  now that rex-arch #4 is in.
2017-08-20 21:25:57 -04:00
Brent Cook b864083cbd update payload sizes 2017-08-20 19:03:53 -05:00
RageLtMan d76616e8e8 Reverse and bind shells in R
Initial implementation of bind and reverse TCP shells in R.
Supports IPv4 and 6, provides stateless sessions which won't change
the cwd when cd is invoked since each command invocation actually
spawns a pipe to execute that specific line's invocation.

R injections are common in academic software written in a hurry by
students or lab administrators. The language runtimes are also
commonly found adjacent to valuable data, and often used by teams
which are not directly responsible for information security.

Testing:
  Local testing with netcat bind and rev handlers.

TODO:
  Add the appropriate platform/language library definitions
2017-08-19 06:12:05 -04:00
Tim 8b4ccc66c7 add linux/aarch64/shell_reverse_tcp 2017-08-17 18:55:37 +08:00
Brent Cook df98c2a3dd update cached sizes again 2017-08-15 08:02:51 -04:00
Brent Cook debbc31142 use separate module names for x86 and x64 generators 2017-08-15 08:02:01 -04:00
tkmru 4dbf94556e update CacheSize 2017-08-15 12:54:30 +09:00
Brent Cook 59086af261 Land #8771, rewrite linux x64 stagers with Metasm 2017-08-14 02:32:29 -04:00
Patrick Thomas 25764397ba Update CachedSizes for changed nodejs payloads
Fixes test failures
2017-08-12 23:21:54 -07:00
tkmru 14507747d0 update CachedSize 2017-07-29 23:42:43 +09:00
tkmru b1e26dd17e Merge branch 'master' of https://github.com/rapid7/metasploit-framework into feature/linux_reverse_tcp_x86_retry 2017-07-29 17:24:59 +09:00
tkmru eb536ba67c Merge branch 'master' of https://github.com/rapid7/metasploit-framework into feature/linux_reverse_tcp_x64_retry 2017-07-26 09:48:17 +09:00
Brent Cook 6300758c46 use https for metasploit.com links 2017-07-24 06:26:21 -07:00
Brent Cook 838b066abe Merge branch 'master' into land-8716 2017-07-24 05:51:44 -07:00
Brent Cook 8444038c62
Add eval alternative to PHP Meterpreter to bypass suhosin
See https://suhosin.org/stories/index.html for more information on this system.
2017-07-23 22:04:09 -07:00
Brent Cook b75530b978 Fix an issue where 'sleep' with Python Meterpreter appears to fail. 2017-07-23 05:38:06 -07:00
Brent Cook 399557124f update payload cached sizes 2017-07-23 05:28:32 -07:00
g0tmi1k b8d80d87f1 Remove last newline after class - Make @wvu-r7 happy 2017-07-19 11:19:49 +01:00
g0tmi1k 3d4feffc62 OCD - Spaces & headings 2017-07-19 11:04:15 +01:00
g0tmi1k a008f8e795 BruteForce -> Brute Force 2017-07-19 10:39:58 +01:00
Brent Cook cc3168933f update mettle payloads, template generator 2017-07-18 13:13:38 -05:00