Commit Graph

270 Commits (5bd414d4b4a28d4a5b6768a852adef5c4a514123)

Author SHA1 Message Date
Tab Assassin 41e4375e43 Retab modules 2013-08-30 16:28:54 -05:00
violet 4cbdf38377 updated contact info
MASTER OF DISASTER

ULTRA LASER

:::::::-.  :::::::..        :::::::-.      ...         ...     .        :
 ;;,   `';,;;;;``;;;;        ;;,   `';, .;;;;;;;.   .;;;;;;;.  ;;,.    ;;;
 `[[     [[ [[[,/[[['        `[[     [[,[[     \[[,,[[     \[[,[[[[, ,[[[[,
  $$,    $$ $$$$$$c           $$,    $$$$$,     $$$$$$,     $$$$$$$$$$$"$$$
  888_,o8P' 888b "88bo,d8b    888_,o8P'"888,_ _,88P"888,_ _,88P888 Y88" 888o
  MMMMP"`   MMMM   "W" YMP    MMMMP"`    "YMMMMMP"   "YMMMMMP" MMM  M'  "MMM
2013-08-26 16:14:49 -07:00
HD Moore 6c1ba9c9c9 Switch to Failure vs Exploit::Failure 2013-08-15 14:14:46 -05:00
James Lee f81369a10d Don't make promises about AV detection 2013-07-12 16:13:02 -05:00
James Lee bc88732400 Prints don't need to be rescued 2013-07-12 15:56:04 -05:00
Meatballs cd159960e1 Tidy 2013-07-04 12:02:32 +01:00
Meatballs 9c1a43a417 Check payload arch 2013-07-04 11:46:34 +01:00
Meatballs 83bc32abb4 Remove Exploit::Exe 2013-07-04 11:01:01 +01:00
Meatballs 7d6a78bf1f Remove report aux 2013-07-04 10:36:32 +01:00
Meatballs 555140b85a Add warning for persist 2013-07-04 10:30:03 +01:00
Meatballs 44cdc0a1c8 Move options to lib 2013-07-04 10:25:37 +01:00
Meatballs 1368c1c27f Move options to lib 2013-07-04 10:25:08 +01:00
Meatballs 8590720890 Use fail_with 2013-07-04 10:21:24 +01:00
Meatballs 3eab7107b8 Remove opt supplied by lib 2013-07-04 10:16:03 +01:00
Meatballs 7d273b2c8b Refactor to psexec lib 2013-07-04 10:11:13 +01:00
Meatballs 1569a15856 Msf license 2013-07-04 10:08:29 +01:00
Meatballs 052c23b980 Add missing require 2013-07-04 09:58:48 +01:00
Meatballs 6fa60be76f Merge branch 'psexec_psh' of https://github.com/sempervictus/metasploit-framework into psexec_psh 2013-07-04 09:42:18 +01:00
James Lee 5964d36c40 Fix a syntax error
Also uses a prettier syntax for setting the filename (ternary operators
are hard to read).
2013-05-31 13:31:36 -05:00
Rob Fuller 95b0d4e5ec move filename init up to remove dup code
as suggested by @jlee-r7
2013-05-09 13:29:21 -04:00
Rob Fuller 71c68d09c1 Allow user ability to set filename for psexec service binary
This should probably be higher up for all
generate_payload_exe but would take a major edit
2013-05-07 15:26:22 -03:00
sinn3r 0ad548a777 I expect people to know what a share is. 2013-02-07 19:16:44 -06:00
RageLtMan 92ef462c34 This commit completes powershell based psexec
The original module suffered from a small problem - interactive
process notification from Desktop 0 for users currently logged in.
Although acheiving full AV evasion, we were setting off UserAlert.
This commit updates the module itself to match #1379 in R7's repo.
The size of powershell payloads has been reduced, and a wrapper
added to hide the actual payload process entirely.
2013-02-04 20:39:05 -05:00
RageLtMan 6ba85d4c06 add libs from #1379 and allow psh 1.0 exec against older hosts 2013-01-30 12:38:53 -05:00
lmercer deb9385181 Patch for smb_relay.rb to allow the share written to, to be defined in an option
As described in Redmine Feature #5455
2013-01-29 15:19:35 -05:00
RageLtMan 61cd3b55fc hide window 2013-01-24 14:43:07 -05:00
RageLtMan e6ebf772de allow psh to run in background via cmd start 2013-01-21 08:12:56 -05:00
RageLtMan 43a5322bd4 psexec_psh cleanup 2013-01-20 22:15:55 -05:00
RageLtMan cae0362aa3 Add disk-less AV bypass PSExec module using PSH
This commit rewires the existing work on PSExec performed by R3dy,
HDM, and countless others, to execute a powershell command instead
of a binary written to the disk. This particular iteration uses
PSH to call .NET, which pull in WINAPI functions to execute the
shellcode in memory. The entire PSH script is compressed with ZLIB,
given a decompressor stub, encoded in base64 and executed directly
from the command-line with powershell -EncodedCommand.

In practice, this prevents us from having to write binaries with
shellcode to the target drive, deal with removal, or AV detection
at all. Moreover, the powershell wrapper can be quickly modified
to loop execution (included), or perform other obfu/delay in order
to confuse and evade sandboxing and other HIDS mechanisms.

This module has been tested with x86/x64 reverse TCP against win6,
win7 (32 and 64), and Server 2008r2. Targets tested were using
current AV with heuristic analysis and high identification rates.
In particular, this system evaded Avast, KAV current, and MS' own
offerings without any issue. In fact, none of the tested AVs did
anything to prevent execution or warn the user.

Lastly, please note that powershell must be running in the same
architecture as the payload being executed, since it pulls system
libraries and their functions from unmanaged memory. This means
that when executing x86 payloads on x64 targets, one must set the
RUN_WOW64 flag in order to forcibly execute the 32bit PSH EXE.
2013-01-20 21:46:26 -05:00
Christian Mehlmauer 8f2dd8e2ce msftidy: Remove $Revision$ 2013-01-04 00:48:10 +01:00
Christian Mehlmauer 25aaf7a676 msftidy: Remove $Id$ 2013-01-04 00:41:44 +01:00
Alexandre Maloteaux c0c3dff4e6 Several fixes for smb, mainly win 8 compatibility 2012-11-28 22:49:40 +01:00
James Lee b2db3e133d Rescue when the service is crashed
Failed exploit attempts leave the service in a state where the port is
still open but login attmempts reset the connection. Rescue that and
give the user an indication of what's going on.
2012-10-22 17:57:30 -05:00
jvazquez-r7 e461d542ac added Windows 2003 SP1 Spanish targets 2012-08-24 12:50:30 +02:00
jvazquez-r7 54ce7268ad modules/exploits/windows/smb/ms08_067_netapi.rb 2012-08-24 11:30:23 +02:00
jvazquez-r7 1a60abc7a7 Added W2003 SP2 Spanish targets 2012-08-24 11:16:08 +02:00
Tod Beardsley bd408fc27e Updating msft links to psexec
Thanks for the spot @shuckins-r7 !
2012-08-13 15:28:04 -05:00
HD Moore 44e56c87f1 Make super sure that blank creds are not reported 2012-07-15 20:56:31 -05:00
HD Moore 3bb7405b09 Only report auth if the username is not blank 2012-07-02 04:11:29 -05:00
HD Moore fb7f6b49f0 This mega-diff adds better error classification to existing modules 2012-06-19 12:59:15 -05:00
sinn3r 18c8314d79 Change unknown authors to "Unknown".
Since "Anonymous" has become a well known organization, the meaning of the
term also may cause confusion.  In order to clarify, we correct unknown
authors to simply "Unknown".
2012-05-26 15:23:09 -05:00
sinn3r aeb691bbee Massive whitespace cleanup 2012-03-18 00:07:27 -05:00
Tod Beardsley 9144c33345 MSFTidy check for capitalization in modules
And also fixes up a dozen or so failing modules.
2012-03-15 16:38:12 -05:00
HD Moore 99177e9d5e Small commit to fix bad reference and old comment 2012-03-06 01:44:26 -06:00
HD Moore ceb4888772 Fix up the boilerplate comment to use a better url 2012-02-20 19:40:50 -06:00
sinn3r aa44eb955e Correct author e-mail format 2012-02-02 11:27:43 -06:00
Tod Beardsley 8ce47ab832 Changing license for KillBill module
Talked with Solar Eclipse, and he's consented to change his module
license from GPL to BSD, thus striking a blow for freedom. Thanks!
2012-01-19 11:39:56 -06:00
Rob Fuller c411c216c0 Solved most of msftidy issues with the /modules directory 2011-11-28 17:10:29 -06:00
David Maloney c8142043e9 Fixes to credential handling to downcase usernames whenever they are not case sensitive.
Also report_auth_info now checks to see if a non-case sensitive version of the cred
may already exist.
2011-11-14 22:50:52 -08:00
Wei Chen e767214411 Fix: whitespaces, svn propset, author e-mail format
git-svn-id: file:///home/svn/framework3/trunk@14175 4d416f70-5f16-0410-b530-b9f4589650da
2011-11-06 22:02:26 +00:00