Commit Graph

1715 Commits (5a05246682409546dc569e01eaad6a96053a3d5a)

Author SHA1 Message Date
jvazquez-r7 74554ed805
Land #3174, @wchen-r7's object detection for ie11 2014-04-02 15:27:13 -05:00
jvazquez-r7 577bd7c855
Land #3146, @wchen-r7's flash version detection code 2014-04-02 15:13:41 -05:00
sinn3r 5ffcfb22fa Add object detection for IE11
While working on some stuff with IE11, I realized this is very
necessary.
2014-04-02 02:21:16 -05:00
HD Moore 7e227581a7 Rework OS fingerprinting to match Recog changes
This commit changes how os_name and os_flavor are handled
for client-side exploits, matching recent changes to the
server-side exploits and scanner fingerprints.

This commit also updates the client-side fingerprinting to
take into account Windows 8.1 and IE 9, 10, and 11.
2014-04-01 08:14:58 -07:00
sinn3r 389ad7aca3
Land #3155 - Explib2 2014-03-28 18:31:40 -05:00
sinn3r 4f5944cfb8 Add JavaScript detection for Adobe Flash 2014-03-28 14:31:21 -05:00
jvazquez-r7 ce02f8a7c5 Allow easier control of sprayed memory 2014-03-28 11:58:41 -05:00
jvazquez-r7 b0bbe3f6a9 Add explib2 with some fixes into metasploit 2014-03-28 10:44:13 -05:00
sinn3r 4c44f69e86 Undo the IE8/IE7 objection detection 2014-03-27 15:01:03 -05:00
sinn3r fc1432fe53 This is probably the right way to do it for ie7/8 2014-03-27 13:53:24 -05:00
sinn3r 9c54421679 Update IE8/IE7 object detection 2014-03-27 13:34:07 -05:00
sinn3r 8df96a419b Make IE10 detection safer for older IEs 2014-03-27 13:31:15 -05:00
sinn3r 1f90115c8f Add default detection for IE 9 and IE 10
How it's done:

On IE10, which should come first before the IE 9 check, the nodeName
function always returns the name in uppercase.

One IE9, the "Object doesn't support property or method" error always
repeats the name of the invalid method.
2014-03-27 00:15:36 -05:00
joe 46f7e6060f Add the updated bins from timwr. 2014-03-25 09:39:53 -07:00
joe c71d52e769 Merge branch 'pr-android-bins' of https://github.com/jvennix-r7/metasploit-framework into new-android-bins 2014-03-25 09:35:25 -07:00
sinn3r 8c707b20e0 Add support for specific builds of MSIE 9 on Win 7 SP1
These IE9 versions are vulnerable to MS14-012 (see #3120). If we don't
add them, then os_detect might recognize the target as IE 8, and fail.
2014-03-19 21:54:36 -05:00
Tod Beardsley 05436dc2c5
Refresh binaries for Meterpreter
This includes:

rapid7/meterpreter#69
rapid7/meterpreter#70
rapid7/meterpreter#75
rapid7/meterpreter#77
rapid7/meterpreter#78

As of commit: 45bcbd13a1e0215647f6a61631652b686931bba8
2014-03-19 08:57:04 -05:00
joev 8e4708b51b Add support for firefox 28. 2014-03-18 11:26:24 -05:00
OJ 409787346e
Bring build tools up to date, change some project settings
This commit brings the source into line with the general format/settings
that are used in other exploits.
2014-03-14 22:57:16 +10:00
James Lee 6438b9372c
Land #3067, python meterp net.config additions 2014-03-13 13:03:43 -05:00
Tod Beardsley 6309c4a193
Metasploit LLC transferred assets to Rapid7
The license texts should reflect this.
2014-03-13 09:47:52 -05:00
Spencer McIntyre 5ea26688d7 Fix a syntax error for Python 2.4 2014-03-11 15:22:52 -04:00
Spencer McIntyre f3493ce220 Merge branch 'master' into pymeterpreter-net
Conflicts:
	data/meterpreter/ext_server_stdapi.py
2014-03-11 15:15:02 -04:00
Spencer McIntyre e874223421
Land #3083, fix pymet when ctypes isn't available 2014-03-11 14:31:44 -04:00
Joe Vennix 679cb03ac3 Yank armeabi-v7a bins. 2014-03-11 13:09:50 -05:00
sinn3r b431bf3da9
Land #3052 - Fix nil error in BES 2014-03-11 12:51:03 -05:00
James Lee b87c2dca0b
Use older hash modules when hashlib isn't there 2014-03-11 12:25:54 -05:00
Tim 4f31eba7f4 android payload golf 2014-03-10 21:50:00 -05:00
joe 66ff5998a5 New multi-arch stagers. 2014-03-10 21:49:56 -05:00
joe 60b5191873 New meterpreter bins for testing. 2014-03-10 21:49:14 -05:00
joe 667bed8905 New multi-arch stagers. 2014-03-10 18:50:27 -07:00
James Lee 75c94cc5d7
Derp 2014-03-10 16:30:55 -05:00
James Lee e508079aff
Don't crash when ctypes isn't available 2014-03-10 16:10:24 -05:00
joe 6616d36d63 New meterpreter bins for testing. 2014-03-07 13:21:30 -08:00
kyuzo 2a1e96165c Adding MS013-058 for Windows7 x86 2014-03-06 18:39:34 +00:00
Joe Vennix 05067b4e33 Oops. Need to init the profile before accessed. 2014-03-06 11:48:54 -06:00
Joe Vennix 3d7bc6c589 Remove form_post.js. 2014-03-05 23:35:54 -06:00
William Vu 096d6ad951
Land #3055, heapLib2 integration 2014-03-05 15:48:13 -06:00
Spencer McIntyre 1dea1c030e Add interface support via OSX SystemConfiguration 2014-03-05 13:59:13 -05:00
Joe Vennix 5790547d34 Start undoing some work. 2014-03-04 17:01:53 -06:00
Spencer McIntyre 0834102e2b Support tcp server channels and add a python MeterpreterSocket 2014-03-04 13:31:29 -05:00
Joe Vennix 3360f7004d Update form_post vars, add Expires to cookie. 2014-03-03 23:29:02 -06:00
Spencer McIntyre 7111e8aa59 Support retrieving interface information via GetAdaptersAddresses 2014-03-03 21:01:16 -05:00
Joe Vennix 6825fd2486 Whitespace tweaks and cleanup. 2014-03-02 19:57:48 -06:00
Joe Vennix 46f27289ed Reorganizes form_post into separate file. 2014-03-02 19:55:21 -06:00
Joe Vennix e8226f9d40 Use a keyed cookie. Moves AJAX call to a form post. 2014-03-02 19:47:24 -06:00
sinn3r 8cf5c3b97e Add heaplib2
[SeeRM #8769] Add heapLib2 for browser exploitation
2014-03-02 11:47:18 -06:00
Spencer McIntyre 699e534149 Add missing return statement. 2014-03-02 00:18:46 -05:00
Spencer McIntyre 1c9390c9cf Support retrieving interface information via windows mib functions. 2014-03-02 00:17:00 -05:00
Spencer McIntyre 733a86ec74 Support retrieving interface information via netlink. 2014-03-01 22:34:38 -05:00
Spencer McIntyre 284d99aa6c Add pymeterp TLV types for additional network functions. 2014-02-28 13:56:51 -05:00
jvazquez-r7 8922f6457b
Land #3045, @wchen-r7's fix for browser autopwn 2014-02-28 12:55:32 -06:00
Spencer McIntyre 99e272e463 Return true in EOF when tell() > stat.st_size 2014-02-27 20:45:38 -05:00
David Maloney 9d9149d9d8
remove some dead code paths
refactor some dead conditionals and a case/switch
that wasn't doing anything
2014-02-27 11:45:57 -06:00
sinn3r 0c3891c0f9 Add more IE targets 2014-02-27 11:01:03 -06:00
sinn3r 151646156d Check navigator.oscpu for FF
If we don't check navigator.oscpu, IE 11 is detected as FF.
2014-02-27 10:54:38 -06:00
David Maloney 2e512abd31 put new binaries in place
after cleaning up the source a bit and
updateing it for 2013, compiled new BINs.
These BINS avoid almost all current AV detections
and have been tested to ensure they still work.
2014-02-23 15:24:55 -06:00
Meatballs 7877589537
Delete correctly 2014-02-23 02:47:13 +00:00
Meatballs 6127ff92ce
Fix race condition
Wait for Sysprep to ExitProcess before cleaning up the DLLs...
2014-03-03 23:41:25 +00:00
Meatballs 2a6258be15
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
Conflicts:
	external/source/exploits/make.bat
2014-02-28 20:26:24 +00:00
Meatballs 8bdb22aeb9
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
Conflicts:
	lib/msf/core/post/windows.rb
2014-02-25 22:15:05 +00:00
David Maloney b1dfed8577
rebuilt template DLLs
x86 dll template was way out of date and
did not match the x64 tempalte. rebuilt them both
2014-02-25 15:34:42 -06:00
David Maloney 3c773f031c
add new binaries compiled from latest src
compiled and added new binaries to make sure
most up to date source is used
2014-02-25 14:06:57 -06:00
David Maloney 289580777c remove unneccsary logging elements
update soloutions for VS2013
remove the CLogger
Remove Print Usage
this removes unneccsary strings that can
be used to easily identify our executable
2014-02-20 20:00:19 -06:00
jvazquez-r7 4ca4d82d89
Land #2939, @Meatballs1 exploit for Wikimedia RCE and a lot more... 2014-02-18 17:48:02 -06:00
Tod Beardsley 8e0a4aaa58
Land #2983, webcam_chat for Meterpreter 2014-02-18 13:43:42 -06:00
sinn3r e8f95c6cc0 Change error msg 2014-02-18 00:02:16 -06:00
sinn3r 608f800274 Support error handling in the message box 2014-02-18 00:01:44 -06:00
scriptjunkie 022c52d087
Added bundling to handle many sessions at once. 2014-02-15 15:37:22 -06:00
scriptjunkie a6a731c8ee Keep stage until replaced, nil check, prettify. 2014-02-15 15:21:16 -06:00
scriptjunkie 5f7a0e162c Add reverse_hop_http stager and handler 2014-02-15 15:21:16 -06:00
Spencer McIntyre 3299b68adf
Landing #2767, @Meatballs1 Powershell Reflective Payload 2014-02-14 16:12:46 -05:00
sinn3r 00ba0b5208
Land #2987 - Add ff 27 support to os.js 2014-02-13 15:20:53 -06:00
Joe Vennix 51f3ab1690 Add ff 27 support to os.js 2014-02-12 15:32:47 -06:00
sinn3r 750ce3c4db Make server configurable 2014-02-11 23:07:43 -06:00
sinn3r 7eb20a37d4 offerer's interface gets a makeover 2014-02-11 19:43:52 -06:00
sinn3r 2bb15d3a87 answerer's interface gets a makeover 2014-02-11 02:15:22 -06:00
sinn3r 1114913298 Automatically turn on webcam in Firefox 2014-02-10 17:05:08 -06:00
Meatballs a87f604c98
Merge remote-tracking branch 'upstream/master' into mediawiki 2014-02-10 21:43:56 +00:00
sinn3r 575ee09b77 Change messages 2014-02-10 14:59:44 -06:00
jvazquez-r7 3d4d5a84b6
Land #2957, @zeroSteiner's exploit for CVE-2013-3881 2014-02-10 13:59:45 -06:00
jvazquez-r7 78e1683f2d Add binary compiled on vs2013 2014-02-10 13:52:27 -06:00
sinn3r 93ef3c784d Update some JavaScript and other things 2014-02-08 22:23:19 -06:00
sinn3r 8edafc8c4c Restore the original API 2014-02-08 20:06:26 -06:00
sinn3r be8538f3bd Tweak video attributes 2014-02-08 19:56:43 -06:00
sinn3r 8d55104712 Random channel 2014-02-08 19:36:33 -06:00
sinn3r ccd12e66a7 Unwanted console.debug 2014-02-08 19:16:42 -06:00
sinn3r e25767ceab More progress 2014-02-08 17:28:15 -06:00
sinn3r 325214e37f Fix bugs and stuff 2014-02-08 15:41:44 -06:00
sinn3r e8ec6d1062 Rename command name 2014-02-08 03:53:49 -06:00
sinn3r 526bf9f6bc This should work 2014-02-07 22:17:42 -06:00
Meatballs 103780c3da
Merge remote-tracking branch 'upstream/master' into mediawiki 2014-02-07 20:07:04 +00:00
sinn3r bab9a5522b You will go deaf with the default volume value. No thanks. 2014-02-07 11:35:57 -06:00
sinn3r 3c3bd11aca Oh look, more progress 2014-02-07 11:25:20 -06:00
Spencer McIntyre 01f41a209c Remove the DLL and add make.msbuild for easier compiling. 2014-02-07 10:05:05 -05:00
sinn3r 43be99f31b Save some progress 2014-02-07 03:06:52 -06:00
Spencer McIntyre cc32c877a9 Add CVE-2013-3881 win32k Null Page exploit 2014-02-06 17:23:38 -05:00
William Vu 19fff3c33e
Land #2942, @jvennix-r7's Android awesomesauce
Also, thanks to @jduck for testing!
2014-02-06 11:53:11 -06:00
sinn3r f66fc15b9e Add support for webrtc in meterpreter 2014-02-06 10:44:24 -06:00
OJ 096e06baa6 Added binaries from Meterpreter PR #74
Meterpreter PR https://github.com/rapid7/meterpreter/pull/74 was landed,
this adds the binaries from that PR.
2014-02-06 11:47:29 +10:00
Joe Vennix 636d7016a8 Fix android detection in os.js. 2014-02-04 02:31:46 -06:00
Meatballs 486a9d5e19
Use msf branded djvu 2014-02-01 00:37:28 +00:00
dukeBarman 766c408d86 Add CVE-2013-0634: Adobe Flash Player 11.5 memory corruption 2014-01-18 11:07:11 -05:00
OJ 80c4a6e9eb
Updated binaries for Meterpreter
This includes changes up to commit hash e77c87cdb79a2732108be937e056622b45cb093c
2014-01-17 09:02:48 +10:00
Joe Vennix 96e97d4768 Oops, the default bufsize is 0 anyways. 2014-01-05 18:57:56 -06:00
Joe Vennix b64df51fa0 Fixes #8732 by reading until EOF reached.
* use a lambda for cleaner iterator.
* also disables buffering, since we are reading byte-by-byte in the first place
and maintaining our own buffer (#data).
2014-01-05 18:36:22 -06:00
Meatballs dc87575b9d
Retab and whitespace 2013-12-22 21:04:44 +00:00
Meatballs f112e78de9
Fixes .war file creation 2013-12-22 20:58:21 +00:00
OJ 0db062a1ce
Merge branch 'meatballs-vncdll-submodule' 2013-12-20 18:29:27 +10:00
OJ 34cdec5155
Update project VS 2013, clean CLI build
* Project system updated to VS 2013.
* Clean builds, had to remove a bunch of warnings.
* `make.bat` for building from the command line.
* Removed RDI stuff that shouldn't be there any more.
* Renamed the x86 DLL to include the platform name.
2013-12-20 09:49:15 +10:00
OJ a4811bd0c3
Land #2760 2013-12-18 17:17:10 +10:00
jvazquez-r7 533accaa87 Add module for CVE-2013-3346 2013-12-16 14:13:47 -06:00
Meatballs 14c0096115
Update template
Use Copy instead of memset
Remove | Out-Null
2013-12-16 13:38:14 +00:00
Meatballs 25b84217ac
Correctly VAlloc 2013-12-16 12:47:03 +00:00
Meatballs 8dfcc8aa77
WaitForThread 2013-12-16 12:44:58 +00:00
Meatballs 0a29176855
Update psh_web_delivery for reflection 2013-12-16 09:08:01 +00:00
Meatballs 7cc99d76ad
Merge remote-tracking branch 'upstream/master' into powershell_auto_arch
Conflicts:
	lib/msf/util/exe.rb
2013-12-16 09:07:08 +00:00
OJ 0c82817445 Final changes before PR 2013-12-15 01:12:49 +00:00
OJ db29af0f97 First batch of submodule refactorings 2013-12-15 01:12:48 +00:00
Meatballs 3d1646d18e Exit process when complete 2013-12-15 01:12:47 +00:00
Meatballs c6623b380a Initial commit 2013-12-15 01:12:45 +00:00
zeknox 6931c918af removed bogus urls that are throwing errors 2013-12-13 12:13:23 -06:00
zeknox 554cd41403 added dns_cache_scraper and useful wordlists 2013-12-12 20:18:18 -06:00
sinn3r bf831616e5
Land #2749 - Add firefox 26 feature detection support to detect/os.js 2013-12-10 16:30:33 -06:00
Joe Vennix 6cd315da64 Add ff26 feature detection support. 2013-12-10 10:47:11 -06:00
Meatballs 45a0ac9e68
Land #2602, Windows Extended API
Retrieve clipboard data
Retrieve window handles
Retrieve service information
2013-12-08 19:01:35 +00:00
Meatballs 496b017e33
Merge remote-tracking branch 'upstream/master' into bypassuac_redo 2013-12-05 17:09:32 +00:00
Meatballs dc0f2b7291
Use ExitProcess 2013-12-05 17:08:47 +00:00
OJ c8e2c8d085 Add binaries from Meterpreter 9e33acf3a283f1df62f264e557e1f6161d8c2999
This is a new set of binaries for Meterpreter as of commit hash
9e33acf3a283f1df62f264e557e1f6161d8c2999. We haven't yet finalised
the process we'll be using for releasing bins from Meterpreter to MSF
so this is hopefully the last time we will have to do it the old way.
2013-12-04 16:23:03 +10:00
sinn3r ddbd5858e0
Land #2701 - Refactor of `ppr_flatten_rec`
Also [SeeRM #8140]
2013-12-03 10:51:58 -06:00
Meatballs cf12826d2c
Dont use xp toolchain
and dont bother editbin
2013-11-30 20:04:00 +00:00
Meatballs d3a0199539
Update for new Reflective DLL Submodule
Update to VS2013 Toolsets
Include .msbuild and make.bat
Tidyup of if { }
Post build step to copy to output directory
2013-11-30 19:58:25 +00:00
Meatballs 915d741f86
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
Conflicts:
	.gitmodules
	external/source/ReflectiveDLLInjection
2013-11-30 19:10:04 +00:00
OJ bcab716ec0
Add the binaries from the meterpreter repo
Given this is a new extension, building bins and including them in this
PR can't cause any issues regarding lost functionality (like it can
with existing bins).

Adding to this PR so that it's easier to test and land.
2013-11-29 09:02:07 +10:00
jvazquez-r7 0343aef7c8
Land #2695, @wchen-r7's support to detect silverlight 2013-11-27 09:40:12 -06:00
OJ defc0ebe5c
ppr_flatten_rec update, RDI submodule, and refactor
This commit contains a few changes for the ppr_flatten_rec local windows
exploit. First, the exploit binary itself:

* Updated to use the RDI submodule.
* Updated to build with VS2013.
* Updated to generate a binary called `ppr_flatten_rc.x86.dll`.
* Invocation of the exploit requires address of the payload to run.

Second, the module in MSF behaved a little strange. I expected it to create
a new session with system privs and leave the existing session alone. This
wasn't the case. It used to create an instance of notepad, migrate the
_existing_ session to it, and run the exploit from there. This behaviour
didn't seem to be consistent with other local exploits. The changes
include:

* Existing session is now left alone, only used as a proxy.
* New notepad instance has exploit reflectively loaded.
* New notepad instance has payload directly injected.
* Exploit invocation takes the payload address as a parameter.
* A wait is added as the exploit is slow to run (nature of the exploit).
* Payloads are executed on successful exploit.
2013-11-27 20:44:18 +10:00
James Lee 25b1ec5b75
Land #2689, getenv 2013-11-26 23:33:25 -06:00
OJ 72813c1f3e
Merge branch 'egypt/feature/getenv-php' into getenv_cmd 2013-11-27 15:22:15 +10:00
James Lee a3337e5de5
Add PHP side for meterpreter getenv 2013-11-26 23:16:28 -06:00
OJ a0f703ee44 Add getenv support to python meterpreter
This change adds support for `getenv` to python meterpreter. Nothing too
complex going on here. I tidied up the definitions of the TLVs as well
so that they look nice.
2013-11-27 11:19:26 +10:00
sinn3r 5d10b44430 Add support for Silverlight
Add support for Silverlight exploitation. [SeeRM #8705]
2013-11-26 14:47:27 -06:00
jvazquez-r7 6cb63cdad6
Land #2679, @wchen-r7's exploit for cve-2013-3906 2013-11-25 22:04:26 -06:00
jvazquez-r7 25eb13cb3c Small fix to interface 2013-11-22 17:02:08 -06:00
jvazquez-r7 136c18c070 Add binary objects for MS13-022 2013-11-22 16:45:07 -06:00
sinn3r 94e13a0b8a Initial commit of CVE-2013-3906 2013-11-19 23:10:32 -06:00
OJ 0b413aa0b8 Remove extapi binaries
These were committed in the flurry of merges last night by me. They
should be removed until the extapi PR has been fully reviewed and
merged. This commit just removes the binaries from master, they'll
be re-added when appropriate.
2013-11-15 06:24:00 +10:00
jvazquez-r7 4cf16cf360
Land #2633, @OJ's port of Kitrap0d as local exploit 2013-11-14 09:27:10 -06:00
OJ 4bd0900359
Updated meterpreter binaries
Includes the following:

* Clean builds
* Removal of kitrap0d from getsystem
* Doc updates
* Webcam crash fix
* Schedular and channel refactor
* Posix crash fix for post modules
2013-11-15 01:14:14 +10:00
OJ 506a4d9e67
Remove genericity, x64 and renamed stuff
As per discussion on the github issue, the following changes were made:

* Project renamed from elevate to kitrap0d, implying that this is not
  intended to be a generic local priv esc exploit container.
* Container DLL no longer generic, always calls the kitrap0d exploit.
* Removal of all x64 code and project configurations.
* Invocation of the exploit changed so that the address of the payload
  is passed in to the exploit entry point. The exploit is now responsible
  for executing the payload if the exploit is successful. This removes
  the possibility of the payload getting executed when the exploit fails.
* Source moved to the appropriate CVE folder.
* Binary moved to the appropriate CVE folder.
* Little bit of source rejigging to tidy things up.
2013-11-14 12:22:53 +10:00
jvazquez-r7 ef6d9db48f
Land #2613, @wchen-r7's BrowserExploitServer mixin 2013-11-12 17:33:12 -06:00