Commit Graph

38458 Commits (5921ac7b47dd28c006ea3ff8cb641c07ecb01a9e)

Author SHA1 Message Date
James Lee 5921ac7b47
Add a spec and fix ReverseHttp#luri 2016-05-24 17:22:14 -05:00
James Lee 9807f9b796
Move Rex::Job into its own file 2016-05-24 11:24:47 -05:00
Metasploit 54f4389d31
Bump version of framework to 4.12.5 2016-05-24 08:54:14 -07:00
wchen-r7 5cfaef899e
Land #6913, fix spec warnings 2016-05-24 10:27:43 -05:00
Brendan Watters 77a62ff7c0
Land #6905 RC4 Stagers 2016-05-24 09:34:32 -05:00
Brendan Watters af86d63498 Updated Cache size 2016-05-24 09:07:05 -05:00
Brendan Watters f0b945e4c4 Updated cache size 2016-05-24 09:06:46 -05:00
Brendan Watters d328258db4 Updated Cache size 2016-05-24 09:06:28 -05:00
Brendan Watters 43f79f34a9 Removed superfluous instruction 2016-05-24 09:03:14 -05:00
Brent Cook d709229f52 fix spec warnings 2016-05-24 07:51:36 -05:00
Brent Cook 5c6b93c1cf
Land #6883, Add Ubiquiti airOS exploit 2016-05-24 07:26:40 -05:00
Brent Cook e382b2e468
Land #6908, Fix importing of a zipped workspace 2016-05-24 01:10:24 -05:00
Brent Cook c7b684dbd7
Land #6910, Update allwinner_backdoor report_vuln hash 2016-05-24 01:02:24 -05:00
William Vu ca76e8f290 Update allwinner_backdoor report_vuln hash 2016-05-24 00:57:37 -05:00
Brent Cook 5bf8891c54
Land #6882, fix moodle_cmd_exec HTML parsing to use REX 2016-05-23 23:25:22 -05:00
Brent Cook 928a706135
Land #6890, Allwinner CPU kernel module local privilege escalation 2016-05-23 22:00:52 -05:00
Brent Cook 2f8562fba4 added documentation and minor style tweaks 2016-05-23 21:59:44 -05:00
Louis Sato 77a81b2e78
bump metasploit credential version 2016-05-23 17:03:10 -05:00
h00die 4242bbdf55 change report_note to report_vuln per note 2016-05-23 17:36:50 -04:00
Louis Sato d0b87131a9
fixing import of zip workspace
MS-1528
2016-05-23 16:09:22 -05:00
Brent Cook 2694907b79 update cached payload size 2016-05-23 14:30:43 -05:00
RageLtMan cf62218139 Update payload sizes 2016-05-23 14:27:11 -05:00
RageLtMan efc64eaa5f Implement reverse_tcp_rc4_dns payload in metasm
Using the ruby methods for generating assembly blocks defined or
separated in prior commits, create a new payload from the existing
assembly blocks which performs a DNS lookup of the LHOST prior to
establishing a corresponding socket and downloading, and
decrypting the RC4 encrypted payload.

For anyone looking to learn how to build these payloads, these
three commits should provide a healthy primer. Small changes to
the payload structure can yield entropy enough to avoid signature
based detection by in-line or out-of-band static defenses. This
payload was completed in the time between this commit and the last.

Testing:
  Win2k8r2

ToDo:
  Update payload sizes when this branch is "complete"
  Ensure UUIDs and adjacent black magic all work properly
2016-05-23 14:27:11 -05:00
RageLtMan 0e69040a6a Implement reverse_tcp_dns as metasm payload
Using the separation of block_recv and reverse_tcp, implement
reverse_tcp_dns using original shellcode as template with dynamic
injection of parameters. Concatenate the whole thing in the
generation call chain, and compile the resulting shellcode for
delivery.

Metasploit module pruned to bare minimum, with the LHOST OptString
moved into the library component.

Testing:
  Win2k8r2

ToDo:
  Update payload sizes when this branch is "complete"
  Ensure UUIDs and adjacent black magic all work properly

Misc:
  Clean up rc4.rb to use the rc4_keys method when generating a
stage. Makes the implementation far more readable and reduces
redundant code.
2016-05-23 14:27:11 -05:00
RageLtMan df2346d9e0 Implement RC4 metasm payloads for tcp bind and rev
Convert reverse_tcp_rc4 and bind_tcp_rc4 from static shellcode
substitution payloads to metasm compiled assembly approach.

Splits up metasm methods for bind_tcp and reverse_tcp into socket
creation and block_recv to allow for reuse of the socket methods
with the RC4 payloads, while substituting the block_recv methods
for those carrying the appropriate decryptor stubs.

Creates a new rc4 module carrying the bulk of the decryptor and
adjacent convenince methods for standard payload generation.

Testing:
 Tested against Win2k8r2, Win7x64, and WinXPx86

ToDo:
 Ensure all the methods around payload sizing, UUIDs, and other
new functionality, the semantics of which i do not yet fully
understand, are appropriate and do not introduce breakage.
2016-05-23 14:27:11 -05:00
Spencer McIntyre 7e34d1e1cf
Land #6897, use sendall python rtcp shell with ssl 2016-05-21 16:51:10 -04:00
William Vu 6581fbd294 Add note about "mf" malware
This is the malware I found upon shelling my friend's device.
2016-05-20 23:09:10 -05:00
Brent Cook 9fc07eeb99
Land #6902, Respect SSLCipher in server mixins 2016-05-20 17:34:38 -05:00
Adam Cammack fda4c62c1f
Respect SSLCipher in server mixins
This allows us to set a sane cipher spec for SSL-enabled server modules.
2016-05-20 16:59:36 -05:00
Brent Cook b613dfefb4
Land #6896, fix spelling in caidao_bruteforce_login 2016-05-19 21:54:06 -05:00
root a71e853c2a Fixed cache size for python/shell_reverse_tcp_ssl 2016-05-20 02:32:37 +00:00
root 87398d5195 Fixed python reverse shell ssl send for EOF occurred in violation of protocol error 2016-05-20 01:49:04 +00:00
wchen-r7 506356e15d
Land #6889, check #nil? and #empty? instead of #empty? 2016-05-19 19:23:04 -05:00
wchen-r7 99a573a013 Do unless instead "if !" to follow the Ruby guideline 2016-05-19 19:21:45 -05:00
h00die 706d51389e spelling fix 2016-05-19 19:30:18 -04:00
William Vu a16f4b5167 Return nil properly in rescue
Missed this because I copypasta'd myself.
2016-05-19 15:35:38 -05:00
William Vu d018bba301 Store SSH key as a note
I know, I know, it should use the creds model. >:[
2016-05-19 15:12:58 -05:00
William Vu 9f738c3e41 Add note about overwritten files 2016-05-19 15:07:27 -05:00
William Vu 8fccb26446 Add Ubiquiti airOS exploit
Thanks to my friend wolf359 for providing a test device!
2016-05-19 14:50:20 -05:00
h00die c621f689b2 more descriptive note per @sempervictus 2016-05-18 19:08:01 -04:00
Metasploit 100300c819
Bump version of framework to 4.12.4 2016-05-18 07:04:09 -07:00
Chris Doughty 34d0fc07bc Merge pull request #6891 from bcook-r7/prod-rails-app-boot
only set log_level in the Metasploit Framework context
2016-05-18 08:55:29 -05:00
Brent Cook 39cc1fee1c only set log_level in the Metasploit Framework context
when including framework as a gem, this app is undefined

MS-1518
2016-05-18 08:42:32 -05:00
Vex Woo b5284375a7 osb_uname_jlist - NoMethodError undefined method 'empty?' for nil:NilClass 2016-05-18 00:16:53 -05:00
Vex Woo 11fedd7353 ca_totaldefense_regeneratereports - NoMethodError undefined method 'empty?' for nil:NilClass 2016-05-18 00:15:28 -05:00
Vex Woo a6405beeda ams_hndlrsvc - NoMethodError undefined method 'empty?' for nil:NilClass 2016-05-18 00:13:40 -05:00
Vex Woo 41bcdcce61 fix struts_code_exec_exception_delegator - NoMethodError undefined method 'empty?' for nil:NilClass 2016-05-18 00:11:57 -05:00
Vex Woo bc257ea628 fix struts_code_exec - NoMethodError undefined method 'empty?' for nil:NilClass 2016-05-18 00:10:32 -05:00
Vex Woo 68b83c6e3a datastore['CMD'].blank? 2016-05-17 23:56:59 -05:00
h00die 815a2600a8 additional description 2016-05-17 22:07:33 -04:00