Commit Graph

2713 Commits (61b8fb7921078e88c082a2ac3dd304f0b6dd01c8)

Author SHA1 Message Date
Meatballs a930056d7f Added service status checks to Post::Windows::Services
Added QueryServiceStatus to Railgun Advapi32 Definitions
Added Checks to module

Conflicts:
	lib/msf/core/post/windows/services.rb
	lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_advapi32.rb
2013-12-15 01:12:45 +00:00
Spencer McIntyre a08c420862 Add railgun definitions for local exploit relevant functions. 2013-12-12 10:26:08 -05:00
OJ 64b1e78e34 Fix page size and max results 2013-12-11 00:03:05 +10:00
OJ 8a1517fde8 Fix issues with missing params on computer enum
No more late night and rushed commits, its still and wastes people's time.

Thanks sinn3r for getting on this. Apologies for the poor quality of the PR.
2013-12-10 21:06:28 +10:00
OJ 2237419134
Merge branch 'upstream/master' into basic_adsi_support 2013-12-10 20:58:38 +10:00
Meatballs 45a0ac9e68
Land #2602, Windows Extended API
Retrieve clipboard data
Retrieve window handles
Retrieve service information
2013-12-08 19:01:35 +00:00
Meatballs e5a92a18a5
and expand path 2013-12-08 19:01:03 +00:00
Meatballs 3c67f1c6a9
Fix file download 2013-12-08 18:57:10 +00:00
OJ a3c050c8b6 Added page size setting 2013-12-08 23:29:42 +10:00
OJ 8172596c0b Fix rendering of result total 2013-12-08 20:58:03 +10:00
OJ f13736d208 Add support for general domain queries
Specific queries are just wrappers over the top of the domain query
2013-12-08 20:41:30 +10:00
OJ 35b051174c Add basic ADSI enum of users and computers 2013-12-07 00:22:54 +10:00
OJ e90b7641ca Allow self-destruct via "kill -s"
HTTP(s) payloads don't exit cleanly at the moment. This is an issue that's
being addressed through other work. However, there's a need to be able to
terminate the current HTTP(s) session forcably.

This commit add a -s option to kill, which (when specified) will kill
the current session.
2013-12-06 14:56:19 +10:00
OJ 4ca48308c1 Fix downloading of files 2013-12-06 13:40:20 +10:00
OJ 1d757c40db Remove empty parens 2013-12-04 07:10:23 +10:00
OJ 8b77da4ef7 Fix non-rubyisms 2013-12-04 07:06:32 +10:00
OJ 18e1d9ce17 Revert "Start clipboard monitor functionality"
This reverts commit ecbdfd3502.

I don't know how this got in there, as it's in another branch waiting for more work.
My bad.
2013-12-04 07:03:12 +10:00
sinn3r 4d3d02ae01
Land #2667 - Add num and dword output format 2013-12-02 13:52:17 -06:00
jvazquez-r7 0343aef7c8
Land #2695, @wchen-r7's support to detect silverlight 2013-11-27 09:40:12 -06:00
sinn3r 5d10b44430 Add support for Silverlight
Add support for Silverlight exploitation. [SeeRM #8705]
2013-11-26 14:47:27 -06:00
OJ 1a65566005 Add the getenv command which pulls env vars from the victim
This command will allow the attacker to grab environment variables from the
target, if they exist. Calling this function allows for one or more values
to be passed in, which should match the name of the variable required. If
the variable is found, it is returned. If it is not found, the variable
is not returned (ie. it's not present in the resulting hash).

Note 1: POSIX environment vars are case-senstive, whereas Windows is not.
Note 2: POSIX doesn't seem to cough up user environment vars, it only returns
system vars. I'm not sure why this is, but it could be because of the way
we do linking on POSIX.
2013-11-26 10:05:50 +10:00
OJ 86b6d647bf Merge branch 'upstream/master' into ext_server_extapi 2013-11-25 07:43:36 +10:00
Meatballs 20b76602a1
Merge remote-tracking branch 'upstream/master' into pr2075
Conflicts:
	lib/msf/core/exploit/powershell.rb
2013-11-22 22:41:08 +00:00
OJ 4d1c3c1f01 Start clipboard monitor functionality
Added the basics of the clipboard monitor functionality with usage
messages and stuff like that. Lots more to do.
2013-11-22 13:31:40 +10:00
corelanc0d3r 742c52711a added 2 new output types for msfencode: num and dword 2013-11-20 22:36:17 +01:00
Joe Vennix e10f9cc518 More whitespace fixes. 2013-11-20 15:07:51 -06:00
Joe Vennix 739c7b4ca2 More dead code and tweaks. 2013-11-20 14:44:53 -06:00
Joe Vennix 3ff9da5643 Remove compression options from client sockets.
I couldn't verify that it was working, as it always sends 1 compression type of NULL.
2013-11-20 14:41:45 -06:00
OJ ecbdfd3502 Start clipboard monitor functionality
Added the basics of the clipboard monitor functionality with usage
messages and stuff like that. Lots more to do.
2013-11-21 06:29:37 +10:00
Joe Vennix b70b594a2a Kill extraneous comma. 2013-11-20 13:47:47 -06:00
Joe Vennix a7b01e3b72 Put initialize params back on one line, and move attr_accessors.
As per @hdm's feedback
2013-11-20 12:29:09 -06:00
Joe Vennix e74e75fe6f Revert changes to legacy rescues. 2013-11-20 12:20:34 -06:00
Joe Vennix 9f103f8621 Whitespace tweak. 2013-11-20 01:15:15 -06:00
Joe Vennix f8b57d45cd Reenable the client SSLCompression advanced option.
Add spec for some of the additions to Rex::Proto::Http::Client
2013-11-20 01:03:13 -06:00
Joe Vennix d51b92b06f Turns out & ~ does work.
Decided not to expose this as a datastore option for the Client,
but it can be used internally to toggle the compression.
2013-11-20 00:01:48 -06:00
Joe Vennix a8c55f23a7 Remove &~ bit-clearing method in favor of defaults.
For some reason the OP_ALL & ~OP_NO_COMPRESSION method doesnt work,
but it is late and the default is false anyways.
2013-11-19 23:42:58 -06:00
Joe Vennix 109fc5a834 Add SSLCompression datastore option.
Also disables the compression by default. TLS-level compression is almost
never used by browsers, and openssl seems to be the only one that enables
it by default.

This also kills some ruby < 1.9.3 code.
2013-11-19 22:34:39 -06:00
jvazquez-r7 647c867c2d
Land #1681, @sempervictus Rex::Text::Ui::Table [] method 2013-11-19 16:30:09 -06:00
jvazquez-r7 e1eddc84aa Check for inexistent column names 2013-11-19 16:02:52 -06:00
jvazquez-r7 162d433014 Use snake_case for variables 2013-11-19 15:46:11 -06:00
jvazquez-r7 6a13a0eee6 fix indentation 2013-11-19 15:42:12 -06:00
jvazquez-r7 7435d74c59
Land #2093, @sempervictus MaxChar for Rex::Ui::Text::Table cols 2013-11-19 13:34:45 -06:00
jvazquez-r7 4cf16cf360
Land #2633, @OJ's port of Kitrap0d as local exploit 2013-11-14 09:27:10 -06:00
sinn3r 2fc43182be
Land #2622 - Fix up proxy/socks4a.rb 2013-11-12 18:22:32 -06:00
jvazquez-r7 ef6d9db48f
Land #2613, @wchen-r7's BrowserExploitServer mixin 2013-11-12 17:33:12 -06:00
William Vu 8d4d7dae50 Restore comment header and remove carriage returns 2013-11-11 12:16:14 -06:00
sinn3r d483f2ad79
Land #2618 - rm shebangs 2013-11-11 11:55:23 -06:00
Jonathan 36064ca886 remove EOL carriage return from socks4a.rb 2013-11-11 12:47:41 -05:00
OJ 6a25ba18be Move kitrap0d exploit from getsystem to local exploit
This version modifies the existing meterpreter session and bumps the privs
up to SYSTEM. However it's not how local exploits are supposed to work.
More work will be done to make this create a new session with the elevated
privs instead.
2013-11-11 17:14:40 +10:00
Jonathan 26482f9ebd reset head~2 and removed shebang from unattend.rb 2013-11-09 15:05:56 -05:00
Tod Beardsley cc9ac7695d
Land #2592, add getproxy
Needed for new functionality in #2612
2013-11-08 13:20:20 -06:00
Jonathan 575072585f removed shebangs from files within rex 2013-11-07 18:51:59 -05:00
scriptjunkie 7615264b17 Merge branch 'lanattacks_fix' of git://github.com/OJ/metasploit-framework into OJ-lanattacks_fix 2013-11-07 10:35:00 -06:00
sinn3r 991240a87e Support java version detection 2013-11-07 00:54:52 -06:00
OJ 1dacf7e57e Last lot of shebangs removed 2013-11-07 07:35:51 +10:00
OJ 6422e1d6e8 Remove shebang, code tidy, as per @jlee-r7's gripes 2013-11-07 07:32:04 +10:00
OJ 7dcb071f11 Remote shebang and fix pxexeploit 2013-11-06 07:10:25 +10:00
sinn3r 5f2d8358c0 Be more browser specific with Javascript generation 2013-11-05 01:04:52 -06:00
OJ d1e008387a Stop auto preview, code clean
Removed the auto preview of captured images from the clipboard.

Removed parens from calls to print_line.
2013-11-05 07:15:31 +10:00
OJ f62247e731 Fix comments, indenting and pxexploit module
Updated the comments and indentation so they're not blatantly wrong.

Adjusted the pxexploit module so that it doesn't break any more as
a result of the refactoring.
2013-11-05 06:35:50 +10:00
OJ ff78082004 Refactor lanattacks ruby code, add command dispatcher
The lanattacks module didn't seem to have a command dispatcher, and
hence loading the module would always result in a failure. This
commit fixes this problem.

The commit contains a bit of a refactor of the lanattacks code to be
a little more modular. It also has a shiny new dispatcher which breaks
the DHCP and TFTP functionality up into separate areas.
2013-11-04 17:37:42 +10:00
joev bccbed2757 Rename :use_xhr_shim to :inject_xhr_shim. 2013-11-02 16:52:04 -05:00
joev 90d8da6a21 Fix some bugs in my edits, add a spec. 2013-11-02 16:46:33 -05:00
joev c7c1fcfa98 Pull shared XHR shim out, add option to static Js module method.
* Moves shim to data/js/network/xhr_shim.js
* Add some yardoc comments
2013-11-02 14:52:50 -05:00
OJ d658fa46b4 Updated help, removed binaries 2013-11-02 23:10:16 +10:00
OJ 67fbeacbf0 Add support for optional image downloading
Without -d, `CF_DIB` types will just show image dimensions. Running
with -d will result in the image being looted.
2013-11-02 23:07:13 +10:00
sinn3r 6e7e5a0ff9 Put postInfo() in the js directory 2013-10-31 13:55:22 -05:00
William Vu f5d1d8eace chmod -x .rb files without #! in modules and lib
It wasn't just cmdstager_printf.rb. :/
2013-10-30 19:51:25 -05:00
OJ 2fbac9b129 Add `getproxy` command
This command pulls out system proxy details on windows machines.
2013-10-30 18:40:51 +10:00
OJ 1f6c320bb3
Tidy up of extapi code, new bins
* Rename methods to remove redundancy.
* Update bins to freshly compiled version.
* Use the Rex Table functionality instead of custom look.
* Use the `usage` feature of the Arguments class for help.
2013-10-29 21:22:05 +10:00
OJ 606411de81 Fix mimikatz error when password is nil
In some cases the password value that comes out of mimikatz results
is `nil`, instead of an empty string. This fixes this so that if
the string is `nil` is falls back to an empty string, resulting in
the call to `gsub` working instead of failing.
2013-10-29 15:13:32 +10:00
Tod Beardsley b5f26455a3
Land #2545, javascript library overhaul 2013-10-23 16:12:49 -05:00
sinn3r ee95ca5e2b
Land #2158 - Fix NoMethodError undefined method `split' for nil:NilClass 2013-10-22 16:01:27 -05:00
sinn3r e1c4aef805
Land #1789 - Windows SSO Post Module 2013-10-22 15:48:15 -05:00
sinn3r afcce8a511 Merge osdetect and addonsdetect 2013-10-22 01:11:11 -05:00
sinn3r 19615ac4b7 Apparently I missed a lot of stuff 2013-10-21 21:02:01 -05:00
sinn3r fcba529ea5 Update coding format 2013-10-21 20:54:25 -05:00
sinn3r ea56c4914c Need this file 2013-10-21 20:17:38 -05:00
sinn3r 9a3e719233 Rework the naming style 2013-10-21 20:16:37 -05:00
OJ cf65f59a28 Retry shell without thread impersonation
In certain scenarios on Windows XP there are times when creating a
shell fails with the error `ERROR_PRIVILEGE_NOT_HELD`. When this
happens the user will usuall fallback to a non-impersonated shell
via the command: `execute -f cmd.exe -H -i -c`

This patch catches the error, warns the use of the failure and then retries
to create the interactive shell without the `-t` flag.
2013-10-21 15:29:19 +10:00
OJ 4e90394c7f
Add support for CF_DIB clipboard formats
Image data copied to the clipboard, such as a screenshot, is converted to a JPEG using GDI+, and downloaded to the local loot folder.

This feature doesn't work with W2K as a result, but that doesn't really bother me. The code is simpler and much smaller as a result and doesn't require the inclusion of the jpeg library code.
2013-10-21 00:05:42 +10:00
sinn3r 2d24824e78 Use data_directory instead of install_root 2013-10-19 17:55:03 -05:00
sinn3r 8a94df7dcd Change category name for base64 2013-10-18 21:20:16 -05:00
sinn3r 62dadc80d3 Make sure the data type for the return value is a string 2013-10-18 21:08:46 -05:00
sinn3r 298f23c91c Fix extra slashes that cause browser autopwn to fail. 2013-10-18 20:43:39 -05:00
Tod Beardsley ffcb86eba2
Land #2541, Outpost24 importer
Sample data is currently secret. If we get a hold of non-secret sample
data, it'll be tacked on to the Redmine bug referenced below.

[FixRM #8384]
2013-10-18 13:21:58 -05:00
Tod Beardsley f6675f3120
Reordered case statements 2013-10-18 13:21:28 -05:00
sinn3r 8579cb8322 Use obfuscation 2013-10-18 13:06:19 -05:00
William Vu 93ff9ec501 Create methods for start_element for readability 2013-10-18 12:20:43 -05:00
William Vu ff69e9fd05 Move product info code to a better location 2013-10-18 12:07:34 -05:00
sinn3r 3af38b9602 I bet "../" will drive people crazy, avoid that. 2013-10-18 11:56:03 -05:00
William Vu e6cccedad0 Append vuln info to vuln description 2013-10-18 11:31:54 -05:00
sinn3r b0d614bc6a Cleaning up requires 2013-10-18 01:47:27 -05:00
sinn3r c926fa710b Move all exploitation-related JavaScript to their new home 2013-10-17 16:43:29 -05:00
William Vu 12151650e4 Add product info to hosts and services :) 2013-10-17 16:18:27 -05:00
William Vu 06c7943f54 Import hostnames without breaking everything 2013-10-17 15:31:48 -05:00
William Vu 920e406526 Import CVE refs and db.emit all the things 2013-10-17 14:29:54 -05:00
OJ d4d4839dc2
Add size (bytes) of the files on the clipboard
Output of the `clipboard_get_data` call now includes the size
of each file in bytes.
2013-10-16 22:54:55 +10:00
OJ afc5e282a9
Add CF_HDROP file support to the clipboard
`clipboard_get_data` has been changed so that raw text is supported and file listings are supported.

If files are on the clipboard, those files and folders are listed when this command is run. To download the files, pass in the `-d` option.
2013-10-16 17:46:22 +10:00
sinn3r 0081e186f7 Make sure i var is local 2013-10-15 23:59:23 -05:00
William Vu ad8af02021 Add my wonderfully simplistic Outpost24 parser 2013-10-15 16:34:46 -05:00
sinn3r 4c91f2e0f5 Add detection code MS Office
Add detection code for MS Office XP, 2003, 2007, 2010, and 2012.

[SeeRM #8413]
2013-10-15 16:27:23 -05:00
sinn3r 41ab4739e3
Land #2520 - Add detection for FF 22 - 24 2013-10-15 15:17:43 -05:00
OJ 414a814d5d
Add the start of clipboard support
This commit adds support for getting text-based information from the
victim's clipboard and for setting text-based data to the victim's
clipboard. Early days, with much wiggle room left for extra fun
functionality.
2013-10-15 23:57:33 +10:00
OJ ea89b5e880
Add support for child window enumeration
Children of windows can now be enumerated via the -p parameter, which
specifies the handle of the parent window to enumerate.

There is also a -u parameter which includes unknown/untitled windows
in the result set.
2013-10-15 18:02:27 +10:00
joev 711fac08b7 Don't throw exception if createElement is missing. 2013-10-14 14:15:13 -05:00
joev 183940308b Add another nil check, just to be safe. 2013-10-14 13:55:54 -05:00
joev 20a145f1e7 Check for prop in prototype, not constructor. 2013-10-14 13:51:45 -05:00
joev 488ed5bd4a Add new feature detection logic for FF 23 and 24. 2013-10-14 13:41:26 -05:00
Meatballs cad717a186
Use NDR 32bit syntax.
Compatible with both x86 and x64 systems.
Tidy up the module...
2013-10-12 18:52:45 +01:00
Tod Beardsley 876d4e0aa8
Land #1420, WDS scanner 2013-10-11 16:53:25 -05:00
OJ b99af52279 Improve extapi ruby structure, add bins
The extapi project will get bigger over time so this change allows for the code to get
bigger without becoming a headache before it starts.

Added binaries to this commit as well.
2013-10-11 09:52:23 +10:00
Tod Beardsley 85112e8704
Land #2413, axe callcc
This is the only time callcc is used in the entire codebase, too, so
this apparently removes a roadblack to non-MRI Rubies, so that's nice.
2013-10-10 14:55:55 -05:00
Meatballs 378f403fab
Land #2453, Add stdapi_net_resolve_host(s) to Python Meterpreter.
Moves resolve_host post module to multi and depreciates Windows module.
Resolve will now return nil for failed lookups instead of an empty
string.
2013-10-10 20:13:06 +01:00
OJ cbaeebeff7 Add service_query to ext_server_extapi
Once the user has queried the list of services they can now use the
`service_query` function to get more detail about a specific service.
2013-10-11 01:02:51 +10:00
OJ 23340e9df0 Add service_enum to the ext_server_extapi extension
This commit adds the ability to enumerate services on the target machine,
showing the PID, the service name, the display name and an indication of
the service's ability to interact with the desktop.

Some other small code tidies were done too.
2013-10-10 21:23:23 +10:00
kernelsmith adbcace9dd
Land #2458, OJ's Meterpreter railgun multi call fix
also [FixRM #8269]
2013-10-10 00:38:44 -05:00
Spencer McIntyre 6c382c8eb7 Return nil on error, and move the module to post/multi. 2013-10-09 16:52:53 -04:00
OJ 47801c17b3 MSF started to the extended API with window enum
Decided to kick off a new extended API extension with mubix and
kernelsmith to include some more advanced enumeration stuff. The goal of
this extension is to take stuff that wouldn't be part of the std api but
is rather useful for enumeration of a target once meterpreter has been
established.

This commit kicks things off with enumeration of top level windows on the
current desktop.
2013-10-09 22:25:43 +10:00
Markus Wulftange e895a17722 Add 'no quotes' option for CmdStagerPrintf
Exploit developers can use the ':noquotes => true' option to avoid
single quotes surrounding the octal escapes argument.
2013-10-08 21:04:28 +02:00
jvazquez-r7 2593c06e7c
Land #2412, @mwulftange's printf cmd stager 2013-10-08 09:08:29 -05:00
Markus Wulftange 6f7d513f6e Another clean up and simplification of CmdStagerPrintf 2013-10-08 07:22:09 +02:00
Markus Wulftange 836ff24998 Clean and fix CmdStagerPrintf
Clean up of the CmdStagerPrintf as discussed in mwulftange#1
2013-10-05 10:39:55 +02:00
sinn3r 77cbb7cd19 Update function documentation 2013-10-04 15:18:27 -05:00
sinn3r 29d1c75d1c Update RopDb mixin to allow dynamic payload size for neg
This adds a new key to allow a "safe" integer value to NEG. "Safe"
means the value does not have any null bytes after the NEG instruction,
which is typically used to calculate the payload size.
2013-10-03 23:09:23 -05:00
OJ 21afa9defe Meterpreter railgun multi call fix
Modifications accommodate changes in the multi-call railgun code that
were made to Meterpreter.

This also includes a fix for Redmine 8269, so the Windows constants
now work correctly with the multi-calls.
2013-10-04 12:04:18 +10:00
jvazquez-r7 758fd02619 Windows 7 SP1 and newer fail when forcing IPv6 sockets 2013-10-02 09:45:51 -05:00
OJ 82162ef486 Add error message support to railgun
This code was lost in the transition when the meterpreter source was
removed from the metasploit-framework source. I'm pulling this in by
request of @dmaloney-r7 who originally requested this code be inculded
as part of https://github.com/rapid7/metasploit-framework/pull/740

I added an extra bit of code to free up memory that is allocated by the
call to FormatMessage and forced the ASCII-version (FormatMessageA) of
the call.

This PR is the MSF side of https://github.com/rapid7/meterpreter/pull/26
2013-10-01 17:23:08 +10:00
Tod Beardsley 7cc2ad55a6
Land #1770, unattend.xml snarfing modules 2013-09-27 16:04:38 -05:00
Tod Beardsley 63d638888d Get rid of interior tabs 2013-09-27 16:04:03 -05:00
Tod Beardsley d869b1bb70 Unless, unless everywhere. 2013-09-27 15:55:57 -05:00
Tab Assassin c94e8a616f Retabbed to catch new bad tabs 2013-09-27 13:34:13 -05:00
Tod Beardsley 869c10af04
Land #2396, aspx-exe shellcode generator
Looks good to me, specs are all happy (also added a #to_h spec)
2013-09-27 11:42:16 -05:00
Joshua J. Drake d04c47d2b7 Remove comment since it was addressed in 4500d09c2f 2013-09-26 19:47:54 -05:00
Tod Beardsley 701410f608
Land #2414, portfwd teardown and recreate
[FixRM #8240]
2013-09-25 17:40:47 -05:00
Tod Beardsley 1a515093cb Idiomatic Ruby
Assuming this gets accepted, this should [FixRM #8240]. Take a look, and
if you're good with it, I'll land on master. Everything seems to work
out on this end.
2013-09-25 17:26:00 -05:00
jvazquez-r7 9cc446ae2a Get cookies with empty values 2013-09-25 14:31:34 -05:00
jvazquez-r7 58d4096e0f Resolv conflicts on #2267 2013-09-25 13:06:14 -05:00
joev 99e46d2cdb Merge branch 'master' into cve-2013-4660_js_yaml_code_exec
Conflicts:
	modules/exploits/multi/handler.rb
2013-09-25 00:32:56 -05:00
Meatballs f1e563d375 Merge branch 'master' of github.com:rapid7/metasploit-framework into enum_ad_perf 2013-09-24 19:08:52 +01:00
OJ 0038bb90b1 Remove unncessary counter var 2013-09-24 13:35:29 +10:00
OJ b91e344815 Add code to recreate the forwards after migration
* Feels like a bit of a hack job, but it works.
2013-09-24 13:27:58 +10:00
James Lee 487f68f4d2 Get rid of callcc
[SeeRM 8407]
2013-09-23 19:36:26 -05:00
FireFart 7c4708b1df -) Fix get_cookies to return multiple cookies. Before it only returned the first cookie
-) Bugfix
2013-09-23 23:59:45 +02:00
Tod Beardsley e885ab45b6
Land #1734 Metasploit side for ip resolv 2013-09-23 16:18:40 -05:00
Markus Wulftange 10252ca6f4 Just Rex::Text.to_octal is probably better 2013-09-23 23:03:38 +02:00
Markus Wulftange 9353929945 Add CmdStagerPrintf 2013-09-23 22:02:29 +02:00
sinn3r b6c7116890 Land #1778 - Mimikatz Fix for table.print and x86 warning 2013-09-20 16:13:53 -05:00
Meatballs 5add142789 Choose smallest smallest 2013-09-20 13:47:51 +01:00
Tod Beardsley e9e1b28ba8
Land #2371, echo -e cmd stager 2013-09-19 14:47:39 -05:00
Meatballs 11bdf5d332 New pull 2013-09-19 19:57:38 +01:00
Meatballs 72155f8e9e Comment update 2013-09-19 19:46:05 +01:00
OJ 598e85a8d9 Fix for dangling port forwards
Code tears down the port forwards prior to migrating so that we don't end up with dangling connections that don't work.
2013-09-19 19:27:54 +10:00
Tod Beardsley f4e2e0ac11 Clear report_data on each host report 2013-09-18 17:11:22 -05:00
jvazquez-r7 dd7010d272 Fix @todb-r7 feedback 2013-09-17 20:54:19 -05:00
Tod Beardsley dae8847c4d
Land #2374, more complete 32/64 migrate fix
[FixRM #8395]
2013-09-17 14:52:04 -05:00
James Lee 21055f6856 Add x86 to meterpreter's binary suffix
This makes x86 more consistent with x64.

Also replaces a bunch of instances of:
  File.join(Msf::Config.install_root, 'data', ...)
with the simpler
  File.join(Msf::Config.data_directory, ...)

[See rapid7/meterpreter#19]
2013-09-16 21:52:04 -05:00
Joe Vennix d954d64f69 Add NODEJS arch constants. 2013-09-16 21:33:44 -05:00
Joe Vennix 217449a836 Ensures termination of inner while loop and cleans up #map.
* Tested working against ubuntu target using the sshexec test script.
2013-09-16 20:42:20 -05:00
jvazquez-r7 edec022957 Use shellwords, as recommended by @jvennix-r7 2013-09-16 16:35:45 -05:00
James Lee d6954e9ce7 Fix migrate from 32- to 64-bit processes
In some cases, it was possible to end up in a situation where the x64
reflective library hadn't been loaded by the time a user typed migrate.
If the target process was 64-bit, msfconsole would error out with a
NoMethodError and much sadness would ensue.

[See #2356]
2013-09-16 16:04:50 -05:00
jvazquez-r7 a5049df320 Add echo CmdStager 2013-09-16 11:35:05 -05:00
Meatballs b4d1fd6ff8 Fixup rex text 2013-09-13 21:15:28 +01:00
Meatballs 9ade4cb671 Refactor 2013-09-13 20:43:09 +01:00
HD Moore 72dff03426 FixRM #8396 change all lib use of regex to 8-bit pattern 2013-09-12 16:58:49 -05:00
Tab Assassin 8bc83f4922 Retab changes for PR #1420 2013-09-05 16:21:26 -05:00
Tab Assassin d6a7ce5328 Merge for retab 2013-09-05 16:21:13 -05:00
Tab Assassin b3b8cee870 Retab changes for PR #1473 2013-09-05 16:19:05 -05:00
Tab Assassin 0ba4e1da65 Merge for retab 2013-09-05 16:18:56 -05:00
Tab Assassin 3c1df47314 Retab changes for PR #1681 2013-09-05 16:10:40 -05:00
Tab Assassin a231e85293 Merge for retab 2013-09-05 16:10:28 -05:00
Tab Assassin 2e9096d427 Retab changes for PR #1734 2013-09-05 14:59:41 -05:00
Tab Assassin 322ed35bb4 Merge for retab 2013-09-05 14:59:34 -05:00
Tab Assassin 2846a5d680 Retab changes for PR #1770 2013-09-05 14:57:40 -05:00
Tab Assassin 269c1a26cb Merge for retab 2013-09-05 14:57:32 -05:00
Tab Assassin 701513a212 Retab changes for PR #1778 2013-09-05 14:56:35 -05:00
Tab Assassin 3788bab8e5 Merge for retab 2013-09-05 14:56:30 -05:00
Tab Assassin 26b8364dcb Retab changes for PR #1789 2013-09-05 14:44:21 -05:00
Tab Assassin 789be1fe3e Merge for retab 2013-09-05 14:44:14 -05:00
Tab Assassin 81479a6ade Retab changes for PR #2093 2013-09-05 14:31:10 -05:00
Tab Assassin 8a76b3390d Merge for retab 2013-09-05 14:31:05 -05:00
Tab Assassin 874ed2ac17 Retab changes for PR #2107 2013-09-05 14:30:08 -05:00
Tab Assassin 27564b2de2 Merge for retab 2013-09-05 14:30:03 -05:00
Tab Assassin daed98931e Retab changes for PR #2158 2013-09-05 14:19:55 -05:00
Tab Assassin 27fd54092a Merge for retab 2013-09-05 14:19:49 -05:00
Meatballs 051ef0bdfa Refactor to common post module 2013-09-02 20:24:54 +01:00
Tab Assassin 7e5e0f7fc8 Retab lib 2013-08-30 16:28:33 -05:00
Meatballs 1ea3d91f48 Lands #2244 Python Meterpreter
[Closes #2244]
2013-08-30 14:33:35 +01:00
Meatballs 526e504531 More fix 2013-08-25 12:21:37 +01:00
Meatballs d45d37bc38 Really fix... 2013-08-25 00:18:50 +01:00
Meatballs 83da0b3a57 Correct fname 2013-08-25 00:17:26 +01:00
Meatballs 19e47d5e82 Really fix war 2013-08-25 00:06:31 +01:00
Meatballs b4b59aa065 Add guards against empty payloads 2013-08-24 11:59:59 +01:00
Meatballs 09ceeb5de2 Fix war generation 2013-08-23 20:06:57 +01:00
Meatballs 41b1b30438 vba transform 2013-08-23 18:00:19 +01:00
Meatballs 7370fc3f4e vbs transform 2013-08-23 16:26:03 +01:00
Meatballs 5040347521 Fix psh and add powershell transform 2013-08-23 15:59:19 +01:00
Spencer McIntyre e276b57ee7 Merge remote-tracking branch 'upstream/master' into python-meterpreter-dev 2013-08-19 08:37:12 -04:00
James Lee ed00b8c19e Ensure checksum* methods return a Fixnum
Fixes a bug in reverse_http* stagers where requests for the root URI
(i.e., "/") cause a NoMethodError on nil returned by checksum8.

[See #2216]
2013-08-14 14:09:37 -05:00
James Lee 3827b14103 Land #1726, ssl verify mode
Conflicts:
	lib/rex/socket/parameters.rb
Fix doc strings
2013-08-12 17:57:10 -05:00
Meatballs 08c32c250f File versions 2013-08-08 19:42:14 +01:00
Spencer McIntyre 2d69174c5b Initial commit of the python meterpreter. 2013-08-05 23:38:49 -04:00
RageLtMan 7c46e95e8f Merge branch 'master' of https://github.com/rapid7/metasploit-framework into powershell_import 2013-07-31 18:34:57 -04:00
Tod Beardsley 7e539332db Reverting disaster merge to 593363c5f with diff
There was a disaster of a merge at 6f37cf22eb that is particularly
difficult to untangle (it was a bad merge from a long-running local
branch).

What this commit does is simulate a hard reset, by doing thing:

 git checkout -b reset-hard-ohmu
 git reset --hard 593363c5f9
 git checkout upstream-master
 git checkout -b revert-via-diff
 git diff --no-prefix upstream-master..reset-hard-ohmy > patch
 patch -p0 < patch

Since there was one binary change, also did this:

 git checkout upstream-master data/exploits/CVE-2012-1535/Main.swf

Now we have one commit that puts everything back. It screws up
file-level history a little, but it's at least at a point where we can
move on with our lives. Sorry.
2013-07-29 21:47:52 -05:00
jvazquez-r7 455569aee8 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-07-29 12:10:12 -05:00
Meatballs b99ad41a64 Add api constants and tidy 2013-07-26 01:48:39 +01:00
Meatballs 0235e6803d Initial working 2013-07-25 23:24:11 +01:00
Meatballs 1d2d4b5345 Add some null checks 2013-07-25 18:35:11 +01:00
jvazquez-r7 47c21dfe85 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-07-24 11:42:11 -05:00
Tod Beardsley 00630376c3 Revert the default call to firefox
This reverts commit 0928a370f3.

No, no, you guys are right in the comments for #2148. The call to
system is inside the else, but the tabbing made my eyes cross.
Sorry about that. Someday soon, @tabassassin will save us all from these
kinds of screw ups in mental parsing.
2013-07-23 16:13:02 -05:00
William Vu d493346691 Land #2137, fixes and specs for Opt containers 2013-07-23 15:58:09 -05:00
David Maloney 621568bf8f Another Error Type needs caught
Different systems throw a different error
Need to rescue that error too
2013-07-23 15:47:42 -05:00
William Vu 86ab942435 Land #2146, Unix and Windows path normalization 2013-07-23 15:23:41 -05:00
Tod Beardsley 0928a370f3 Adding back default firefox
the default is triggered only outside the case statement, which itself
is totally bizarre. I can't tell if anyone is relying on this behavior
right now, but it's too premature to just remove it out at this point.
2013-07-23 14:43:30 -05:00
Tod Beardsley 53c3fd2ce7 Update comment docs on Rex::Compat.open_browser 2013-07-23 14:38:04 -05:00
ZeroChaos ce5742461a update open_browser functionality
open_browser didn't support xdg-open or firefox-bin.  xdg-open was made the default as it is the most likely to succeed afaik.

the fallback to firefox was removed because since we check for the existence of firefox is makes no sense to try to run it after we failed to find it.  This will silently fail if no supported browser is found due to suggestions from the msf team:

< Zero_Chaos> more importantly, it would be great if someone told me how to spit out a message to the user
< Zero_Chaos> because I have no clue :-)
<@egypt> Zero_Chaos: it's in rex, so the answer is "don't"
2013-07-23 14:58:16 -04:00
Tod Beardsley bb16683415 Land #2087, @egypt's random ID generator 2013-07-23 13:52:08 -05:00
sinn3r 958a4edd73 Keep the trailing slash if the user wishes 2013-07-22 20:46:18 -05:00
sinn3r 359009583f Drop support for UNC path parsing in normalize_win_path
Not really a good idea to try to parse UNC format. Confuses the
purpose of the function.
2013-07-22 20:20:45 -05:00
sinn3r 4b3fce9349 Add functions to normalize Winodws & Unix paths
The purpose of these functions is to be able to join file/dir paths
safely without trailing slashes, basically for the same reason as
normalize_uri.  Some modules are really buggy when merging paths,
so instead of letting them do it, it's better to use these functions.
2013-07-22 19:26:04 -05:00
jvazquez-r7 15b0e39617 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-07-21 13:47:40 -05:00
RageLtMan dc15c5b505 Merge branch 'master' into powershell_import
Resolve conflicts from old code being pulled into master.

Conflicts:
	lib/msf/core/exploit/powershell.rb
	modules/exploits/windows/smb/psexec_psh.rb
2013-07-20 19:29:55 -04:00
sinn3r 757cf18bb4 Land #2135 - Update FF detection 2013-07-20 13:10:14 -05:00
Joe Vennix 92ae90b828 Whitespace fixes. 2013-07-19 17:27:27 -05:00
Joe Vennix 2e838d7be3 Fix minor bugs discovered when testing. 2013-07-19 17:18:39 -05:00
Joe Vennix 7e2fc147f1 Add updated versions of firefox. 2013-07-18 16:35:57 -05:00
David Maloney ec82644bd3 mo fixes mo specs
SEERM #7536
SEERM #7537
2013-07-18 15:00:57 -05:00
jvazquez-r7 58229ff8b7 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-07-17 20:18:48 -05:00
James Lee 9d56e58e84 Rely on object detection for '5716599'
[SeeRM #7252]
2013-07-17 15:47:25 -05:00
jvazquez-r7 458ac5f289 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-07-17 15:02:33 -05:00
jvazquez-r7 11f8b351c0 Merge branch 'nvidia' of https://github.com/Meatballs1/metasploit-framework 2013-07-17 11:44:42 -05:00
William Vu 54af2929f5 Land #2109, kill stray character 2013-07-16 11:11:06 -05:00
Joe Vennix 34e732eabd Kill stray character in whitespace gutter. 2013-07-16 10:14:41 -05:00
RageLtMan 987d6a671f Allow passing MaxChar to Rex::Ui::Text::Table cols
Passing MaxChar allows setting the maximum number of characters
printed within a specific column during the row_to_s method.
This does not affect CSV output nor truncate the actual data.
Meant for tidying up long console ouput.

Example: cleaned up cmd_creds to show proof and not maul tables
with unix session data.
2013-07-10 20:00:40 -04:00
James Lee 85affe4d47 Land #2089, smb last_filename can be nil 2013-07-10 14:18:00 -05:00
James Lee 4cc179a24c Store inverted hash for better lookups
Also clarifies comment about infinite loops
2013-07-10 12:38:42 -05:00
sinn3r 71974a8535 to_addr_hex_dump is never used and is too similar to to_hex_dump
Not so much value in to_addr_hex_dump, as Meatballs1 suggested, we
should remove this.
2013-07-10 11:09:47 -05:00
sinn3r add294d999 Fix potential nil in last_filename
Replacing #2060.  It is possible to get a nil in last_filename if
the sub! function doesn't find any 0x00s to replace, so instead
it's best to use sub(), which should at least return the original
filename.  To make sure we don't hit any other unknown conditions
that may result in nil last_filename, it's also convert with to_s
to make sure it's always a string.
2013-07-09 12:50:19 -05:00
James Lee afa6a36df3 Make first char's character class configurable 2013-07-09 02:50:28 -05:00
James Lee 273046d8f0 Add a class for generating random identifiers
Will be useful for all kinds of things, but brought about in discussions
specifically for Util::EXE in #2037.
2013-07-09 02:06:44 -05:00
Meatballs 0ce3fe2e7c Added service status checks to Post::Windows::Services
Added QueryServiceStatus to Railgun Advapi32 Definitions
Added Checks to module
2013-07-05 22:25:04 +01:00
RageLtMan 4554cc6e51 Import Powershell libs and modules (again)
Add Rex powershell parser:
 reads PSH, determines functions, variables, blocks
 compresses and cleans up the code it's read, obfuscates
 handles string literals and reserved variable names
 extracts code blocks and functions for reuse
  turns powersploit into a useful sub-component for MSF
Rewire Msf powershell modules
 Make use of Rex parser
 Handles payload generation, substituions
 Brings convenience methods - byte array generation and download
 Re-add .NET compiler
  Compiles .NET code (C#/VB.NET) in memory
  Can generate binary output file (dynamic persistence)
  Handles code-signing (steal cert with mimikatz, sign your bin)
  Not detected by AV (still...)
 Update payload generation
  GZip compression and decompression (see Rex module as well)
  msftidy violations for space efficiency - each char counts
Re-submit psexec-psh
 Makes use of updated Msf and Rex modules
 Runs shellcode in-memory (in a hidden PSH window)
 Completely bypasses all AVs tested for the last year...
2013-07-04 14:04:19 -04:00
William Vu 28a4a05991 Land #2046, base argument for to_hex_dump 2013-07-02 12:11:05 -05:00
sinn3r 98c214d2fb Allow 0 base address, and dynamic left column length 2013-07-02 11:40:23 -05:00
jvazquez-r7 2ceb404f7d Land #2047, @hmoore-r7 ipmi related work 2013-07-02 11:13:25 -05:00
sinn3r 9eb32ea9af Allow "base" argument for to_hex_dump
[SeeRM:#8121] - For debugging purposes, it's useful to be able to
specify a base.
2013-07-01 23:56:51 -05:00
jvazquez-r7 2751470c71 Add @jlee-r7's feedback to sapni proxies support 2013-07-01 21:37:53 -05:00
jvazquez-r7 9c4d869ed8 Land #1018, @nmonkee's support for sap router proxies 2013-07-01 21:36:02 -05:00
HD Moore 8e4dd29a4c Add cipher zero scanner 2013-06-30 02:35:37 -05:00
HD Moore 4fb6fa67f2 Fix require for constants, trim useless fields from banner 2013-06-26 09:59:40 -05:00