Commit Graph

911 Commits (63612a64e98eca5aab5c24eb8845078071fb9176)

Author SHA1 Message Date
sinn3r e1859ae4b6 Merge branch 'rsmudge-armitage' 2013-03-06 19:31:44 -06:00
sinn3r a30b61e4aa Merge branch 'rsmudge-armitage' 2013-03-06 16:39:00 -06:00
Raphael Mudge 4ab8315db0 Armitage 03.06.13
Apparently, my last update came from the future. This modification
to that future update fixes an oversight preventing Armitage from
connecting to its collaboration server because it would report the
wrong application.
2013-03-04 23:11:20 -05:00
James Lee a74b576a0f Merge branch 'rapid7' into rsmudge-authproxyhttpstager 2013-03-04 17:50:48 -06:00
Raphael Mudge 59d2f05c94 Armitage 04.06.13
This update to Armitage improves its responsiveness when connected
to a team server over a high latency network. This update also adds
a publish/query/subscribe API to Cortana.
2013-03-04 18:32:45 -05:00
Michael Schierl 9e499e52e7 Make BindTCP test more robust
The BindTCP test contained a race condition: if the bind payload took
longer to load than the handler, it could result in a

ConnectException: Connection refused: connect

Work around this by retrying the connection up to 10 times, with 500ms
delay in between.
2013-03-03 21:08:06 +01:00
Michael Schierl b75d1d3b70 Antivirus can interfere with compiling
Add a note about it into COMPILING.txt.
2013-03-03 21:07:08 +01:00
RageLtMan 754b32e9db shameless plug for posterity in stager asm 2013-02-28 17:30:27 -05:00
RageLtMan 3778ae09e9 This commit adds DNS resolution to rev_tcp_rc4
Due to the modular structure of payload stages its pretty trivial
to add DNS resolution instead of hard-coded IP address in stage0.

The only real complication here is that ReverseConnectRetries ends
up being one byte further down than in the original shellcode. It
appears that the original rev_tcp_dns payload suffers from the same
issue.

Hostname substitution is handled in the same method as the RC4 and
XOR keys, with an offset provided and replace_vars ignoring the
hostname.

Tested in x86 native and WOW64 on XP and 2k8r2 respectively.

This is a good option for those of us needing to leave persistent
binaries/payloads on hosts for long periods. Even if the hostname
resolves to a malicious party attempting to steal our hard earned
session, they'd be hard pressed to crypt the payload with the
appropriate RC4 pass. So long as we control the NS and records, the
hardenned shellcode should provide a better night's sleep if running
shells over the WAN. Changing the RC4 password string in the
shellcode and build.py should reduce the chances of recovery by RE.

Next step will likely be to start generating elipses for ECDH SSL
in meterpreter sessions and passing them with stage2 through the
RC4 socket. If P is 768-1024 the process is relatively quick, but
we may want to precompute a few defaults as well to have 2048+.
2013-02-28 02:59:20 -05:00
Raphael Mudge 788c96566f Allow HTTP stager to work with authenticated proxies
The HttpOpenRequest function from WinINet requires the
INTERNET_FLAG_KEEP_CONNECTION flag to communicate through an
authenticated proxy.

From MSDN ( http://tinyurl.com/chwt86j ):

"Uses keep-alive semantics, if available, for the connection. This
 flag is required for Microsoft Network (MSN), NT LAN Manager (NTLM),
 and other types of authentication."

Without this flag, the HTTP stager will fail when faced with a proxy
that requires authentication. The Windows HTTPS stager does not have
this problem.

For HTTP Meterpreter to communicate through an authenticated proxy a
separate patch will need to be made to the Meterpreter source code.
This is at line 1125 of source/common/core.c in the Meterpreter source
code.

My motivation for this request is for windows/dllinject/reverse_http
to download a DLL even when faced with an authenticated proxy. These
changes accomplish this.

Test environment:

I staged a SmoothWall device with the Advanced Proxy Web Add-on. I
enabled Integrated Windows Authentication with a W2K3 DC. I verified
the HTTP stager authenticated to and communicated through the proxy
by watching the proxy access.log
2013-02-24 17:33:00 -05:00
jvazquez-r7 f04df6300a makefile updated 2013-02-21 13:44:37 +01:00
jvazquez-r7 da9e58ef79 Added the java code to get the ser file 2013-02-20 18:14:24 +01:00
jvazquez-r7 d88ad80116 Added first version of cve-2013-0431 2013-02-20 16:39:53 +01:00
sinn3r 398e6cb202 Merge branch 'rsmudge-armitage' 2013-02-13 10:38:30 -06:00
Raphael Mudge 596b62b831 Armitage 02.12.13 - Distributed Operations
This update adds the ability to manage multiple team server instances
through one Armitage client. This update also adds nickname completion
to the event log. Several bug fixes are included too.
2013-02-11 21:20:03 -05:00
scriptjunkie 447f78cb24 Handle nonstandard ports when starting new msfrpcd. 2013-02-04 17:24:41 -06:00
jvazquez-r7 ee2fed8335 Merge branch 'master' of https://github.com/booboule/metasploit-framework into booboule-master 2013-01-24 16:18:06 +01:00
booboule afa32c7552 Update external/source/exploits/cve-2012-5076_2/Makefile
Wrong directory path
2013-01-23 20:18:24 +01:00
booboule d2b75ad005 Update external/source/exploits/cve-2012-5088/Makefile 2013-01-23 12:42:33 +01:00
sinn3r e376bb6fab Merge branch 'rsmudge-armitage' 2013-01-22 22:52:35 -06:00
Raphael Mudge 8c86c49d43 Armitage 01.23.13
This update to Armitage adds the ability to assign labels to hosts
and create dynamic workspaces based on these labs. This update also
adds helpers to configure USERNAME/PASSWORD options and EXE::Custom
and EXE::Template. Several bugs were fixed as well.
2013-01-22 22:48:16 -05:00
jvazquez-r7 807bd6e88a Merge branch 'java_jre17_glassfish_averagerangestatisticimpl' of https://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-java_jre17_glassfish_averagerangestatisticimpl 2013-01-22 15:33:39 +01:00
jvazquez-r7 ef16a7fd24 cleanup 2013-01-17 21:45:13 +01:00
jvazquez-r7 670b4e8e06 cleanup 2013-01-17 21:39:41 +01:00
jvazquez-r7 78279a0397 Added new module for cve-2012-5076 2013-01-17 21:27:47 +01:00
jvazquez-r7 d0b9808fc7 Added module for CVE-2012-5088 2013-01-17 21:14:49 +01:00
jvazquez-r7 51f3f59d2f cve and references available 2013-01-11 00:54:53 +01:00
jvazquez-r7 e503d596ed code indention for exploit.java fixed 2013-01-10 20:34:58 +01:00
jvazquez-r7 876d889d82 added exploit for j7u10 0day 2013-01-10 20:30:43 +01:00
HD Moore 4eb35b5c1d Fix typo in license text 2013-01-07 23:29:49 -06:00
Tod Beardsley 2ae8a08db9 Add license for Byakugan, per e-mail from Lurene.
Ask pusscat@metasploit.com if you don't believe me -- got her license
statement today.
2013-01-07 22:06:20 -06:00
Tod Beardsley 7d1752d858 Merge pull request #1246 from rsmudge/armitage
Armitage Updates and Bug Fixes
2013-01-04 11:19:03 -08:00
Raphael Mudge 5348127fd2 Metasploit 4.5 Installer Environment Tweak
Armitage on Windows requires the user to specify their MSF
install folder. This tweak checks for an MSF 4.5 environment
and updates the specified folder to make everything work.

Like magic.
2013-01-04 13:08:47 -05:00
Raphael Mudge a79f2fa8d1 Armitage Updates and Bug Fixes
This is Armitage release 01.04.13. This update fixes several bugs
and improves the user experience launching *_login modules from
Armitage. This update adds a Windows 8 icon and includes a fix to
better work with the Metasploit 1.45 installer's environment.
2013-01-04 12:05:09 -05:00
Michael Schierl 46a5c4f4bf Improve RC4 shellcode
ESI is not clobbered; no need to clear EDX as only DL is filled before and
it is overwritten before use.

Shellcodes in ruby modules not regenerated, but I guess you want to
regenerate them again anyway :-)
2013-01-01 11:25:17 +01:00
Michael Schierl cb06262002 Add shellcode for RC4 bind and reverse stagers
Those stagers will encrypt the initial stage with a 128-bit RC4 key and
the stage length with a XOR key. Both keys are embedded in the stager.

This should provide good evasion capabilities in addition to some
protection against MITM reversing (if the stager is sent a different
route, like in an executable on an USB key).

Note that, from a cryptanalyst's standpoint, it is a bad idea to reuse the
same stager (or stagers with the same RC4 and XOR keys) more than once
since an identical key will result in an identical keystream and make
correlation attacks easy. But I doubt that matters in practice.

Also note that since communication after the initial statging is not
encrypted, these stagers should be used in combination with additional
encryption support in the payloads (like Meterpreter).
2012-12-31 22:33:29 +01:00
Michael Schierl b4fd341fb6 Add shellcode for RC4 decoding
Provided as a block to be included into stagers and/or decoder stubs.
Also included is a test shellcode that can be used for verifying that the
algorithm is compatible to Ruby's OpenSSL RC4 algorithm.
2012-12-31 22:33:28 +01:00
Tod Beardsley daf5465bbd Whitespace Cleanup 2012-12-27 09:08:40 -06:00
Alexandre Maloteaux 91ad23f79e pcaprub typo 2012-12-25 19:33:07 +01:00
Michael Schierl ca967efee6 Add unit tests for JavaPayload
Downgrad JUnit version since JUnit 4 can only work with -target 1.5 or
higher class files.

Covered are Shell and Meterpreter stage, StreamForwarder, MemoryBuffer,
AESEncryption and Payload (Bind, Reverse, Spawn, AESPassword).
2012-12-21 19:22:41 +01:00
Michael Schierl 6401f36afb Add version compatibility checks for JavaPayload
Check JavaPayload and Java Meterpreter against version incompatibilities
for Java 1.2, 1.3, 1.4, 1.5, and 1.6.

Note that webcam_audio_record is currently excluded from the checks, as it
uses Sun proprietary API for building the WAV file and is therefore
failing the build (and will most likely crash Meterpreter if run on a JVM
of version 1.4 or later that is not based on the Sun/Oracle JVM).

Possible workarounds (apart from either removing the module or changing it
to produce empty files when WAV creation is not supported) include
implementing the WAV file writer ourselves or providing raw PCM files
instead.
2012-12-21 14:37:46 +01:00
Michael Schierl d71b2c35a8 Convert Java Meterpreter project to use Maven
Functionality and build result is 1:1 the same as before. Auxiliary ant
targets have been converted to Maven profiles.
2012-12-21 01:17:57 +01:00
Michael Schierl 2d03b747c0 Convert JavaPayload project to use Maven
Functionality and build result is 1:1 the same as before. Auxiliary ant
targets have been converted to Maven profiles.
2012-12-21 00:09:06 +01:00
Michael Schierl f204a64cdd Move Java meterpreter next to JavaPayload
to make further refactoring easier
2012-12-20 22:28:25 +01:00
jvazquez-r7 133ad04452 Cleanup of #1062 2012-12-07 11:55:48 +01:00
HD Moore 1c09279bbd Add placeholder directories for PSSDK 2012-11-28 15:10:35 -08:00
jvazquez-r7 fd1557b6d2 Merge branch 'msi_elevated' of https://github.com/Meatballs1/metasploit-framework into Meatballs1-msi_elevated 2012-11-28 21:49:36 +01:00
Meatballs1 bc9065ad42 Move MSI source and binary location 2012-11-27 18:12:49 +00:00
Tod Beardsley 8d6289d8d6 Merge remote branch 'rsmudge/armitage' 2012-11-26 10:52:06 -06:00
Raphael Mudge a2615102c9 Armitage 11.26.12 - several usability enhancements and bug fixes. 2012-11-25 20:51:32 -05:00
scriptjunkie 39dee758e6 Remember last options used for each module, and fill them in by default. 2012-11-17 10:08:45 -06:00
jvazquez-r7 5076198ba2 fixing bperry comments 2012-11-11 20:18:19 +01:00
jvazquez-r7 08cc6d56ec updated java source 2012-11-11 20:11:33 +01:00
jvazquez-r7 c07701f61e Makefile updated 2012-11-11 17:44:27 +01:00
jvazquez-r7 1528ccf423 added Makefile for java code 2012-11-11 17:43:57 +01:00
jvazquez-r7 8619c5291b Added module for CVE-2012-5076 2012-11-11 17:05:51 +01:00
Raphael Mudge eee6248795 Armitage 10.16.12 - a lot of bug fixes. 2012-10-15 19:19:31 -04:00
HD Moore f2dd4d4e53 Upgrade KissFFT to 1.3.0 and Gemize 2012-10-09 23:57:55 -05:00
sinn3r 02617a6f3a Merge branch 'feature/redmine-7224-shellcode-cleanup' of https://github.com/jlee-r7/metasploit-framework into jlee-r7-feature/redmine-7224-shellcode-cleanup 2012-10-04 00:43:34 -05:00
scriptjunkie 10e1574d8a Bugfix with dragging tabbed panes when right-clicked.
Also don't displaly annoying null pointer error when no connection.
2012-09-22 16:32:18 -05:00
James Lee f38ac954b8 Update linux stagers for NX compatibility
- Adds a call to mprotect(2) to the reverse and bind stagers

- Adds accurate source for some other linux shellcode, including some
  comments to make it more maintainable

- Adds tools/module_payload.rb for listing all payloads for each exploit
  in a greppable format. Makes it easy to find out if a payload change
  causes a payload to no longer be compatible with a given exploit.

- Missing from this commit is source for reverse_ipv6_tcp
2012-09-12 18:44:00 -05:00
m m 40b383e247 I was pretty sure to have removed those fclose before 2012-09-12 13:11:24 -05:00
m m 76e05dff30 fix netstat program name 2012-09-12 13:11:24 -05:00
m m 2ec92030ae fix netstat program name 2012-09-12 13:11:24 -05:00
sinn3r c4fb285288 Merge branch 'armitage' of https://github.com/rsmudge/metasploit-framework into rsmudge-armitage 2012-09-05 13:48:09 -05:00
Raphael Mudge e8b3f0193b Armitage 09.05.12 - this release detects several user errors on startup (incorrect permissions, whitespace in the host/port/user/pass parameters, etc.). This release also cleans up the token stealing dialog. 2012-09-05 01:54:28 -04:00
James Lee 66705e4a5d Add BSD license to unixasm, thanks Ramon! 2012-09-04 15:02:00 -05:00
James Lee 7afd470eb0 Clean up linux shellcode Makefile
Now you can "make single_bind_tcp_shell", or the like, and build one
payload instead of the kludgy embedded shell script that always builds
all of them.

Need to do the same with BSD.
2012-09-04 04:23:48 -05:00
sinn3r d37b52c9d3 Update source information 2012-08-30 17:48:02 -05:00
James Lee c86b3c64a9 Whitespace at EOL 2012-08-28 17:02:37 -05:00
James Lee dd9ef0c7e5 Fix crash with long exe name in process list
Instead of invoking the Watson crashamajigger when the process
associated with a connection has a long executable name, truncate to the
length available in the buffer.

[See #609]
2012-08-28 17:02:37 -05:00
m m bcfaf577ec fix typo 2012-08-28 17:02:37 -05:00
m m c1ca9fea79 netstat and arp commands in win32/posix meterpreter 2012-08-28 17:02:37 -05:00
jvazquez-r7 363c0913ae changed dir names according to CVE 2012-08-28 16:33:01 +02:00
jvazquez-r7 52ca1083c2 Added java_jre17_exec 2012-08-27 11:25:04 +02:00
sinn3r f715527423 Improve CVE-2012-1535 2012-08-21 19:58:21 -05:00
Tod Beardsley f46545db58 Merge pull request #700 from rsmudge/armitage
Armitage 08.16.12
2012-08-18 05:55:26 -07:00
Raphael Mudge a6e50497f0 Armitage 08.16.12 - several little fixes and updates. Nothing to write home to mom about. 2012-08-17 16:25:22 -04:00
sinn3r 13df1480c8 Add exploit for CVE-2012-1535 2012-08-17 12:16:54 -05:00
James Lee 9d2c1e36dd Store the value, not the comparison
Fixes client.sys.process.execute for posix, which previously (since
2010!) would always return nil, or a single byte. This makes sense
considering the value of bytesRead would always be either 0 or 1 because
it was being assigned the result of the comparison instead of the return
value of read().

[Fixes #681]
2012-08-09 18:18:45 -06:00
James Lee c19102c6f1 Return the PID as handle in posix
Fixes some TypeError exceptions when attempting most operations on
spawned processes, e.g.:

  p = client.sys.process.execute("/bin/sh", nil, "Channelized"=>true)
  p.close
  # raises TypeError: can't convert nil into Integer

[FIXRM #7005]
2012-08-08 15:23:00 -06:00
HD Moore fac4ba270c Merge pull request #662 from rsmudge/armitage
Armitage 08.02.12 - adds Cortana scripting technology.
2012-08-02 14:31:11 -07:00
Raphael Mudge 32ee1263f9 Armitage 08.02.12 - adds Cortana scripting technology. 2012-08-02 13:24:15 -04:00
m m 5531fd18a0 Really limit packet count and data in linux sniffer
Squashed commit of the following:

commit 57795ff9c33a53167fca85845b96b82b5c92315f
Author: James Lee <egypt@metasploit.com>
Date:   Wed Aug 1 14:13:20 2012 -0600

    Add recompiled sniffer bin for linux

commit 0e11fdb06fcb9771a11eb631e6f10ec7a2d315f3
Author: m m <gaspmat@gmail.com>
Date:   Thu Jul 12 15:08:10 2012 +0200

    really limit packet count and data in linux sniffer

[Closes #605]
2012-08-01 14:16:00 -06:00
James Lee e200f43183 Squashed commit of the following:
commit 1de16b41c8808df2919706eaa8cc89ae44d9b591
Author: m m <gaspmat@gmail.com>
Date:   Mon Jul 9 21:55:32 2012 +0200

    typo

commit a396b55018175f3eb2a83baecb1ec601cc99eef4
Author: m m <gaspmat@gmail.com>
Date:   Mon Jul 9 21:51:32 2012 +0200

    various posix meterpreter bugfixes

[Closes #584]
[FIXRM #7042]
2012-07-19 15:56:47 -06:00
m m 6605e2910c Squashed commit of the following:
commit f0a1d2ad004e5c77cc4d5dcc71935aa530f1729f
Author: m m <gaspmat@gmail.com>
Date:   Tue Jul 17 11:56:43 2012 +0200

    linux meterpreter : correct netmask computation

[Closes #613]
2012-07-19 14:22:39 -06:00
sinn3r 54576a9bbd Last touch-up
The contents of this pull request are very similar to what the msf
dev had in private, so everybody is credited for the effort.
2012-07-10 00:37:07 -05:00
LittleLightLittleFire 956ec9d1da added Makefile for CVE-2012-1723 2012-07-10 14:12:07 +10:00
LittleLightLittleFire e9ac90f7b0 added CVE-2012-1723 2012-07-10 12:20:37 +10:00
sinn3r 6dee4781df Merge branch 'armitage' of https://github.com/rsmudge/metasploit-framework into rsmudge-armitage 2012-07-05 18:47:07 -05:00
Raphael Mudge 6c53dffa50 Armitage 07.05.12
This release fixes a few small bugs.
2012-07-05 18:19:59 -04:00
Stephen Fewer df7a093eb8 force the eip() function to never be inlined under x64 in order to avoid an error being introduced when some unexpected compiler flags are being used. Now the compiler flags used (/O1, /O2, ...) shouldnt pose any problem 2012-07-02 17:40:57 +01:00
HD Moore c31f70cfb6 Switch to METERPRETER_UA as intended 2012-07-02 00:02:47 -05:00
HD Moore 27bdf78a5a Add support for user-agent control 2012-06-30 23:00:08 -05:00
jvazquez-r7 38abeeb235 changes on openfire_auth_bypass 2012-06-27 23:16:07 +02:00
jvazquez-r7 245205c6c9 changes on openfire_auth_bypass 2012-06-27 23:15:40 +02:00
jvazquez-r7 6ec990ed85 Merge branch 'Openfire-auth-bypass' of https://github.com/h0ng10/metasploit-framework into h0ng10-Openfire-auth-bypass 2012-06-27 23:09:26 +02:00
h0ng10 6cc8390da9 Module rewrite, included Java support, direct upload, plugin deletion 2012-06-26 11:56:44 -04:00
HD Moore 6556eecfda Update project 2012-06-24 14:03:58 -05:00
HD Moore 211b722ec1 Update project 2012-06-24 14:03:57 -05:00