* Moved shortlink to a reference.
* Reformat e-mail address.
* Fixed whitespace
* Use multiline quote per most other module descriptions
Still need to resplat the modules, but it's no big thang to do that
after landing. Also, References do not seem to appear for post modules
in the normal msfconsole. This is a bug in the UI, not for these modules
-- many payloads would benefit from being explicit on their references,
so may as well start with these.
This version modifies the existing meterpreter session and bumps the privs
up to SYSTEM. However it's not how local exploits are supposed to work.
More work will be done to make this create a new session with the elevated
privs instead.
- classes.dex gets mangled on windows; use binary mode when reading it
- UnknownHostExceptions on API Level 3 emulator because of trailing
whitespace after the hostname/IP
- Work around integer overflow at year 2038 when signing the payload
Convert the dx calls from build.sh to equivalent exec calls in Maven
deploy profile.
While this commit takes into account differences between Windows and *nix,
it was only tested on Windows, and the resulting binaries have not been
tested at all!
In addition, I was not able to pass individual .class file names to dx
without getting a "class name does not match path" error, so I changed it
to copy all required classes into a temp directory and call dx from there.
I also changed the cross-project paths to refer to the respective Maven
classpath, so in case you do an individual project build, the library
dependencies are taken from the Maven repository instead of taking them
from the target/ directory of the projects directly.
Include the animal-scents for Android API in this commit, so that users
who do not have Android SDK can still check meterpreter API compatibility
with Android API. Some classes, like screenshot have been excluded since
they need AWT (but they are excluded in Android Meterpreter anyway).
To regenerate the scents file, run
mvn -Dandroid.sdk.path=... -P regenerate package
Apparently Android API 3 does not know the getMTU() function, which was
added in Java 1.6, and in Android API Level 9 (Gingerbread). Therefore,
fall back to the 1.4 version that does not need this API.
Apparently, getNetworkPrefixLength can return -1, which confuses the Ruby
side. Therefore fall back to guessing the prefix in this case, as we do it
for Java <= 1.6.
Apparently, my last update came from the future. This modification
to that future update fixes an oversight preventing Armitage from
connecting to its collaboration server because it would report the
wrong application.
This update to Armitage improves its responsiveness when connected
to a team server over a high latency network. This update also adds
a publish/query/subscribe API to Cortana.
The BindTCP test contained a race condition: if the bind payload took
longer to load than the handler, it could result in a
ConnectException: Connection refused: connect
Work around this by retrying the connection up to 10 times, with 500ms
delay in between.
Due to the modular structure of payload stages its pretty trivial
to add DNS resolution instead of hard-coded IP address in stage0.
The only real complication here is that ReverseConnectRetries ends
up being one byte further down than in the original shellcode. It
appears that the original rev_tcp_dns payload suffers from the same
issue.
Hostname substitution is handled in the same method as the RC4 and
XOR keys, with an offset provided and replace_vars ignoring the
hostname.
Tested in x86 native and WOW64 on XP and 2k8r2 respectively.
This is a good option for those of us needing to leave persistent
binaries/payloads on hosts for long periods. Even if the hostname
resolves to a malicious party attempting to steal our hard earned
session, they'd be hard pressed to crypt the payload with the
appropriate RC4 pass. So long as we control the NS and records, the
hardenned shellcode should provide a better night's sleep if running
shells over the WAN. Changing the RC4 password string in the
shellcode and build.py should reduce the chances of recovery by RE.
Next step will likely be to start generating elipses for ECDH SSL
in meterpreter sessions and passing them with stage2 through the
RC4 socket. If P is 768-1024 the process is relatively quick, but
we may want to precompute a few defaults as well to have 2048+.
The HttpOpenRequest function from WinINet requires the
INTERNET_FLAG_KEEP_CONNECTION flag to communicate through an
authenticated proxy.
From MSDN ( http://tinyurl.com/chwt86j ):
"Uses keep-alive semantics, if available, for the connection. This
flag is required for Microsoft Network (MSN), NT LAN Manager (NTLM),
and other types of authentication."
Without this flag, the HTTP stager will fail when faced with a proxy
that requires authentication. The Windows HTTPS stager does not have
this problem.
For HTTP Meterpreter to communicate through an authenticated proxy a
separate patch will need to be made to the Meterpreter source code.
This is at line 1125 of source/common/core.c in the Meterpreter source
code.
My motivation for this request is for windows/dllinject/reverse_http
to download a DLL even when faced with an authenticated proxy. These
changes accomplish this.
Test environment:
I staged a SmoothWall device with the Advanced Proxy Web Add-on. I
enabled Integrated Windows Authentication with a W2K3 DC. I verified
the HTTP stager authenticated to and communicated through the proxy
by watching the proxy access.log
This update adds the ability to manage multiple team server instances
through one Armitage client. This update also adds nickname completion
to the event log. Several bug fixes are included too.
This update to Armitage adds the ability to assign labels to hosts
and create dynamic workspaces based on these labs. This update also
adds helpers to configure USERNAME/PASSWORD options and EXE::Custom
and EXE::Template. Several bugs were fixed as well.
Geyslan G. Bem
Tod Beardsley
OJ
Meatballs
Ryan Wincey
jvazquez-r7
Alexandre Maloteaux
corelanc0d3r
sinn3r
Matthias Kaiser
William Vu
James Lee
agix
timwr
Michael Schierl
scriptjunkie
sinn3r
Raphael Mudge
RageLtMan
booboule
HD Moore
Tod Beardsley