* Fixes a bug in shikata where input greater than 0xffff length would
still use 16-bit counter
* Short circuits finding bad xor keys if there are no bad characters to
avoid
* Fixes huge performance issue with large inputs to xor-based encoders
due to the use of String#+ instead of String#<< in a loop. It now
takes ~3 seconds on modern hardware to encode a 750kB buffer with
shikata where it used to take more than 10 minutes. The decoding side
takes a similar amount of time and will increase the wait between
sending the second stage and opening a usable session by several
seconds.
I believe this addresses the intent of pull request 905
[See #905]
[FixRM #7539] - The valid?() function will first normalize() the
user-supplied input before validation. The problem is that the
normalize() function will ALWAYS convert data to integer, therefore
whatever you validate, you will always get true. For example:
when I do "yomama".to_i, that returns 0, and of course will pass
integer validation.
When db_disconnect is issued, this funtion does not update the status
of self.migrated to false. So when another reload command is used,
the update_module_details function will still try to connect to the
database, which causes the "Failed to reload" error.
If BufferRegister is in lower-case, then gen_decoder_prefix will
return nil. When the return value is nil, other functions like
gen_decoder() will backtrace due to a "undefined method "+" for nil"
error. Therefore, this input should NOT be case-sensitive.
Also, if for some reason the user supplies an invalid BufferRegister,
the function should be aware of that and warn the user about the
bad input.
-changed the suspend/resume loop logic to reduce code duplication.
-fixed up some print_*'s to remove embedded \n's
-changed formatting on some error messages
-switched comment to a TODO:
-change host_processes.select (blah} to use .find instead
-adjusted code due to remvoal of the pids.dup, resulting in arr_pids
disappearing
in validate_pids no longer need dup as conversion to ints was cleaned
up to use map. Which also improved readability and allowed adding uniq
and compact, thanks egypt.
YARD doc on cmd_suspend was incorrectly organized
This fully fixes RM7223 and adds the suspend command to the meterpreter
interface.
Suspend allows you to suspend and resume running processes on the
targethost. It was originally written as a post module (and the dll
version will be submitted as such later), but egypt suggested I add it
to meterpreter
also adds YARD doc to cmd_migrate in collusion with egypt.
low threat change, but still tested on Win7-32 sp0, ruby 1.9.3-p125,
Framework Version: 4.6.0-dev just for kicks
Netsparker puts requests, responses, and info for vulns inside a cdata
(which makes sense because it's usually html snippets). This commit
handles that so report_web_vuln will actually be somewhat useful. Note
that the request is ignored by report_web_vuln despite there being a
place for it in the WebVuln model.
[SeeRM #7665]
* This mixin standardizes the previously ad-hoc deprecation warnings on
modules that have been moved.
* Uses the mixin in 3 existing modules that already have (or should have
had) deprecation warnings.
* Adds Exploit::EXE to windows/postgres/postgres_payload. This gives us
the ability to use generate_payload_dll() which generates a generic dll
that spawns rundll32 and runs the shellcode in that process. This is
basically what the linux version accomplishes by compiling the .so on
the fly. On major advantage of this is that the resulting DLL will
work on pretty much any version of postgres
* Adds Exploit::FileDropper to windows version as well. This gives us
the ability to delete the dll via the resulting session, which works
because the template dll contains code to shove the shellcode into a
new rundll32 process and exit, thus leaving the file closed after
Postgres calls FreeLibrary.
* Adds pre-auth fingerprints for 9.1.5 and 9.1.6 on Ubuntu and 9.2.1 on
Windows
* Adds a check method to both Windows and Linux versions that simply
makes sure that the given credentials work against the target service.
* Replaces the version-specific lo_create method with a generic
technique that works on both 9.x and 8.x
* Fixes a bug when targeting 9.x; "language C" in the UDF creation query
gets downcased and subsequently causes postgres to error out before
opening the DLL
* Cleans up lots of rdoc in Exploit::Postgres
Note that only a custom module that allows for users to pass arguments
to nmap would be capable of hitting the error condition. Right now, only
auxiliary/scanner/oracle/oracle_login traverses the codepath, and that
doesn't allow for arbitrary args passed to nmap.
So... without contriving an example, it should be impossible to
experience or test.
[FixRM #7641]
created a new advanced option "HttpUknownRequestResponse" that will be sent back in the HTML body of unknown requests instead of the old static "No site configured at this address" message.
James Lee
Tod Beardsley
sinn3r
HD Moore
kernelsmith
Royce Davis
jvazquez-r7
Tasos Laskos
Rob Fuller
Charlie Eriksen
Meatballs1
jvennix-r7
Brandon Turner
David Maloney
Sherif Eldeeb