infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
6,032 Commits
7 Branches
556 Tags
419 MiB
Commit Graph

308 Commits (6383ef6cfd1edac0c74a0a9202986d021e7a5f36)

Author SHA1 Message Date
Stephen Fewer c09ca4eba5 Commit all the code for the new 'screenshot' command in the stdapi extension. Screenshot will now work on NT4 - 7 on both x86 and x64 and on newer versions of Windows we can break out of session isolation (e.g. session 0 isolation for services) to screenshot the active desktop (or logon screen) without the need to migrate meterpreter. The majority of the migration code-injection stuff has been refactored out into base_inject.c so it can be shared with the new ps_inject() functionality to inject dlls. The 'ps' command now reports what session each process belongs to (if this is too verbose we can remove it or add a -v verbose switch to the ps command). The 'execute' command can now take a -s switch in order to create a process in a users session under the users privs (assuming you have the privs to do this). 
git-svn-id: file:///home/svn/framework3/trunk@8787 4d416f70-5f16-0410-b530-b9f4589650da
 2010-03-11 17:09:55 +00:00
Stephen Fewer c55e9af9ae Commit the updated APC injection stubs. fixes a nasty issue in some edge cases whereby when using APC injection for a process in another session then the current host process the injected APC can cause an access violation in kernel32 during a call the kernel32!CreateThread caused by the APC's host thread not having an initialized Activation Context inside its TEB. We now test for this and create a dummy ActivationContext entry to appease the kernel. This will both improve DLL injection reliability as well as meterpreter migration reliability. 
git-svn-id: file:///home/svn/framework3/trunk@8786 4d416f70-5f16-0410-b530-b9f4589650da
 2010-03-11 17:00:19 +00:00
Stephen Fewer 08d1850bcc Commit the new VNC x86/x64 DLL source code... 
git-svn-id: file:///home/svn/framework3/trunk@8745 4d416f70-5f16-0410-b530-b9f4589650da
 2010-03-08 14:49:45 +00:00
Stephen Fewer d0f2b589b6 Delete the old VNC source code. 
git-svn-id: file:///home/svn/framework3/trunk@8744 4d416f70-5f16-0410-b530-b9f4589650da
 2010-03-08 14:39:20 +00:00
Stephen Fewer 195d1ab4b8 Commit snojobs jpeg patch for espia with an x64 build and some minor changes on the ruby side (The 'screenshot' command is now 'screengrab' to avoid a future conflict with changes happening in stdapi). 
git-svn-id: file:///home/svn/framework3/trunk@8726 4d416f70-5f16-0410-b530-b9f4589650da
 2010-03-05 15:50:24 +00:00
Stephen Fewer 4e73d95dac Commit the JPEG-8 lib code from snowjobs patch. Added an x64 build environment and the libs directory for x86/x64 projects to link against. 
git-svn-id: file:///home/svn/framework3/trunk@8725 4d416f70-5f16-0410-b530-b9f4589650da
 2010-03-05 15:44:36 +00:00
Stephen Fewer 5f35f33cd1 Forgot the updated build.py, also add in a link to a blog post I wrote for this shellcode. 
git-svn-id: file:///home/svn/framework3/trunk@8657 4d416f70-5f16-0410-b530-b9f4589650da
 2010-02-26 14:27:13 +00:00
Stephen Fewer 88cc851a41 Commit the stager_sysenter_hook win32 kernel shellcode source and mixin patch, resolves #405. 
git-svn-id: file:///home/svn/framework3/trunk@8655 4d416f70-5f16-0410-b530-b9f4589650da
 2010-02-26 13:41:16 +00:00
Tod Beardsley d5f4ea9692 Adding TightVNC's java viewer to external/source. vnc.html works, it just needs to have the path set correctly. 
git-svn-id: file:///home/svn/framework3/trunk@8648 4d416f70-5f16-0410-b530-b9f4589650da
 2010-02-25 23:18:42 +00:00
Tod Beardsley 948d9d95d9 Deleting the winvnc java stuff. 
git-svn-id: file:///home/svn/framework3/trunk@8647 4d416f70-5f16-0410-b530-b9f4589650da
 2010-02-25 23:10:00 +00:00
Stephen Fewer 4ed9e71b76 Commit the meterpreter C side (and bins) for transparent zlib (zlib.c copied from the posix meterpreter source) compression of TLV's and channels. To use transparent compression with channels, create them with CHANNEL_FLAG_COMPRESS. To use transparent compression with any TLV value, bitwise or the TLV type with TLV_META_TYPE_COMPRESSED (Don't create the TLV type with TLV_META_TYPE_COMPRESSED as the compressed flag is removed on the remote end after compression). For consistency with the ruby side we could at a later stage add a boolean compress parameter to all the packet_add_tlv_* functions so you don't have to manually specify TLV_META_TYPE_COMPRESSED flag. 
git-svn-id: file:///home/svn/framework3/trunk@8515 4d416f70-5f16-0410-b530-b9f4589650da
 2010-02-16 14:56:24 +00:00
Stephen Fewer e732ef6872 Commit the Meterpreter C side for the UDP socket pivoting. (+1 bug fix for the TCP client socket notify event function) 
git-svn-id: file:///home/svn/framework3/trunk@8430 4d416f70-5f16-0410-b530-b9f4589650da
 2010-02-09 16:43:33 +00:00
Stephen Fewer a80d1ad2ee Commit the new TCP server channel support on the meterpreter end as well as some fixes to TCP client channels. 
git-svn-id: file:///home/svn/framework3/trunk@8383 4d416f70-5f16-0410-b530-b9f4589650da
 2010-02-06 17:55:41 +00:00
et a40817ea67 Finally the Wmap patch for ratproxy for new db schema. Based on Albert School patch 
git-svn-id: file:///home/svn/framework3/trunk@8332 4d416f70-5f16-0410-b530-b9f4589650da
 2010-01-31 04:15:31 +00:00
HD Moore 42b331b47f Fix #790. Initialize the client state to be alive, tweak a few things on the meterpreter side 
git-svn-id: file:///home/svn/framework3/trunk@8327 4d416f70-5f16-0410-b530-b9f4589650da
 2010-01-29 18:52:44 +00:00
Stephen Fewer 7a32f9f2e2 fix ps so an x64 process's path is returned correctly when ps is run from a wow64 meterpeter. 
git-svn-id: file:///home/svn/framework3/trunk@8322 4d416f70-5f16-0410-b530-b9f4589650da
 2010-01-29 12:00:45 +00:00
Stephen Fewer 3824a2938c ...update the project files. I have added in an extra post build step for elevator.dll so it can work on NT4 (when used with rundll32.exe for getsystem technique #2). The post build step uses the editbin.exe to set the major OS/Subsystem version to 4 instead of 5 so NT4 will load it, (visual c++ 2008 cant build NT4 binaries, only 2000 and above). 
git-svn-id: file:///home/svn/framework3/trunk@8318 4d416f70-5f16-0410-b530-b9f4589650da
 2010-01-29 01:12:35 +00:00
Stephen Fewer 0e08aa0094 Add in KiTrap0D to the priv getsystem command. 
git-svn-id: file:///home/svn/framework3/trunk@8317 4d416f70-5f16-0410-b530-b9f4589650da
 2010-01-29 01:09:57 +00:00
HD Moore 284af1260a Disable debug tracing 
git-svn-id: file:///home/svn/framework3/trunk@8312 4d416f70-5f16-0410-b530-b9f4589650da
 2010-01-28 23:10:58 +00:00
HD Moore f3408fd327 Fixes #744. The core issue was the migrate code waiting on SetEvent, but the migrate stub was blocked on a WSASocket due to a pending packet_receive in the main server thread. Simply settin the thread termination signal did not work, as the SSL_read was already in progress. This change forcible terminates the main server thread before waiting on the event in order to bypass this deadlock. The downside is a failed migrate has no way to recover if it makes it this far. 
git-svn-id: file:///home/svn/framework3/trunk@8309 4d416f70-5f16-0410-b530-b9f4589650da
 2010-01-28 22:55:41 +00:00
natron 69ad365b46 Added STDERR to pure java payload, cleaned up user's view. 
git-svn-id: file:///home/svn/framework3/trunk@8308 4d416f70-5f16-0410-b530-b9f4589650da
 2010-01-28 22:53:36 +00:00
Stephen Fewer 5793ab128c modularize the source for each technique in elevator too. 
git-svn-id: file:///home/svn/framework3/trunk@8299 4d416f70-5f16-0410-b530-b9f4589650da
 2010-01-28 16:30:09 +00:00
Stephen Fewer 8eb036d704 modularize the source for each technique, making it cleaner to add in new techniques at a later stage. 
git-svn-id: file:///home/svn/framework3/trunk@8298 4d416f70-5f16-0410-b530-b9f4589650da
 2010-01-28 15:04:27 +00:00
Stephen Fewer 62c1a99c8e update the workspace files. 
git-svn-id: file:///home/svn/framework3/trunk@8295 4d416f70-5f16-0410-b530-b9f4589650da
 2010-01-28 13:46:51 +00:00
Stephen Fewer fad278566b Add in the elevator dll, used by getsystem for a number of things. 
git-svn-id: file:///home/svn/framework3/trunk@8294 4d416f70-5f16-0410-b530-b9f4589650da
 2010-01-28 13:45:31 +00:00
Stephen Fewer e58847009c Add in the new getsystem command to the priv extension. 
git-svn-id: file:///home/svn/framework3/trunk@8293 4d416f70-5f16-0410-b530-b9f4589650da
 2010-01-28 13:40:55 +00:00
Stephen Fewer f82b6c5952 Update RDI by adding in the LoadRemoteLibraryR function to use RDI to inject into arbitrary processes. Current limitation is it only works on x86->x86 and x64->x64 scenarios, due to the offsets used in parsing the PE file being determined at compile time (e.g. if we compile LoadRemoteLibraryR into an x86 binary it wont be able to load x64 images). Solution is to not rely on compiler for the offset but to do it manually which shouldn't be too much work. 
git-svn-id: file:///home/svn/framework3/trunk@8292 4d416f70-5f16-0410-b530-b9f4589650da
 2010-01-28 13:37:55 +00:00
Stephen Fewer 9f4332ce60 bug fix for the stdapi command rev2self. was not playing nice with new thread token stuff. 
git-svn-id: file:///home/svn/framework3/trunk@8291 4d416f70-5f16-0410-b530-b9f4589650da
 2010-01-28 13:33:24 +00:00
Stephen Fewer 095b6ee7ed move these macros from base_dispatch.c to common.h as they are useful to use elsewhere. 
git-svn-id: file:///home/svn/framework3/trunk@8290 4d416f70-5f16-0410-b530-b9f4589650da
 2010-01-28 13:32:16 +00:00
natron cd5e5880d2 Initial commit of Msf::Exploit::Java mixin and multi/browser/java_signed_applet exploit. 
git-svn-id: file:///home/svn/framework3/trunk@8267 4d416f70-5f16-0410-b530-b9f4589650da
 2010-01-27 19:46:39 +00:00
HD Moore cf26fcb9ad Fixes #784. Adds .NET server support 
git-svn-id: file:///home/svn/framework3/trunk@8256 4d416f70-5f16-0410-b530-b9f4589650da
 2010-01-27 07:02:07 +00:00
pusscat 227dd5ba12 Remove test trap ;) 
git-svn-id: file:///home/svn/framework3/trunk@8243 4d416f70-5f16-0410-b530-b9f4589650da
 2010-01-26 20:20:16 +00:00
Joshua Drake e765288c6c lol, fix funny $Id$ replacement 
git-svn-id: file:///home/svn/framework3/trunk@8241 4d416f70-5f16-0410-b530-b9f4589650da
 2010-01-26 20:10:56 +00:00
HD Moore 4b637c4912 Updated with new target system, signature for 2000 SP4, fixed SP4 usage, but the priv esclation is non-functional, use twunk16/debug depending on what is available. 
git-svn-id: file:///home/svn/framework3/trunk@8240 4d416f70-5f16-0410-b530-b9f4589650da
 2010-01-26 19:13:28 +00:00
HD Moore a898901ad3 Switch to twunk_16 for Windows 7 compatibility 
git-svn-id: file:///home/svn/framework3/trunk@8230 4d416f70-5f16-0410-b530-b9f4589650da
 2010-01-25 18:07:48 +00:00
HD Moore 9f37906ba9 Tweaks for reliability 
git-svn-id: file:///home/svn/framework3/trunk@8226 4d416f70-5f16-0410-b530-b9f4589650da
 2010-01-25 16:55:53 +00:00
Stephen Fewer 4e4a65b9a4 Complete overhaul of process migration. Migration across x86->x86, x64->x64, wow64->x64 and x64->wow64 all supported using a number of techniques. 
git-svn-id: file:///home/svn/framework3/trunk@8198 4d416f70-5f16-0410-b530-b9f4589650da
 2010-01-22 19:46:18 +00:00
Stephen Fewer cfcbfd5d3c bug fix x64 migrate shellcodes for wow64->x64 migration. 
git-svn-id: file:///home/svn/framework3/trunk@8197 4d416f70-5f16-0410-b530-b9f4589650da
 2010-01-22 19:37:10 +00:00
Stephen Fewer 538a647671 The stub for wow64->x64 migration. 
git-svn-id: file:///home/svn/framework3/trunk@8195 4d416f70-5f16-0410-b530-b9f4589650da
 2010-01-22 17:12:41 +00:00
Stephen Fewer 1e63f357cb For now just adding in the new APC migrate stubs and the wow64->x64 exec stub. (fix up the build scripts and use a dedicated migrate directory for this stuff). 
git-svn-id: file:///home/svn/framework3/trunk@8193 4d416f70-5f16-0410-b530-b9f4589650da
 2010-01-22 14:03:53 +00:00
HD Moore c419511386 Minor changes to make scripting easier and allow it to escalate a specific pid 
git-svn-id: file:///home/svn/framework3/trunk@8168 4d416f70-5f16-0410-b530-b9f4589650da
 2010-01-19 22:30:15 +00:00
HD Moore 752f8db83b Add KiTrap0d to the external/source/ as a reference 
git-svn-id: file:///home/svn/framework3/trunk@8167 4d416f70-5f16-0410-b530-b9f4589650da
 2010-01-19 22:22:19 +00:00
Stephen Fewer f3fd2eae80 Commit the new x64 migrate stub. Compatible with x64->x64 migration (and x86->x64 migration once the remote thread issue is resolved) 
git-svn-id: file:///home/svn/framework3/trunk@8163 4d416f70-5f16-0410-b530-b9f4589650da
 2010-01-19 18:39:56 +00:00
Stephen Fewer d032955959 Commit the new x86 migrate stub. Compatible with x86->x86 migration and x64->x86 migration, on NT4 and up (where applicable). 
git-svn-id: file:///home/svn/framework3/trunk@8160 4d416f70-5f16-0410-b530-b9f4589650da
 2010-01-19 12:55:24 +00:00
Stephen Fewer 159e240f3a updated stapi project file. 
git-svn-id: file:///home/svn/framework3/trunk@8158 4d416f70-5f16-0410-b530-b9f4589650da
 2010-01-19 11:07:21 +00:00
Stephen Fewer 757276d70f First cut for improved process listing. Now works well on NT4 and up. One issue with getting the path for x64 processes on an x86 meterpreter. 
git-svn-id: file:///home/svn/framework3/trunk@8156 4d416f70-5f16-0410-b530-b9f4589650da
 2010-01-19 10:40:02 +00:00
Stephen Fewer 0286a67f1e small bug fix to get getuid working on NT4 
git-svn-id: file:///home/svn/framework3/trunk@8155 4d416f70-5f16-0410-b530-b9f4589650da
 2010-01-19 10:36:12 +00:00
HD Moore 55dc3aa192 Support for slackware's mktemp, fixes #762 
git-svn-id: file:///home/svn/framework3/trunk@8112 4d416f70-5f16-0410-b530-b9f4589650da
 2010-01-14 12:48:30 +00:00
HD Moore 42b3a5774d Adds the process username to the ps output (when possible). 
git-svn-id: file:///home/svn/framework3/trunk@8056 4d416f70-5f16-0410-b530-b9f4589650da
 2010-01-02 03:41:21 +00:00
HD Moore 4d7aec7c2d Fixes #745. This commit changes how token manipulation works, adds the steal_token, drop_token, and getprivs commands. Tested on NT 4.0, 2000 SP4, XP SP3, 2003 SP2, Vista, and Windows 7 
git-svn-id: file:///home/svn/framework3/trunk@8055 4d416f70-5f16-0410-b530-b9f4589650da
 2010-01-02 00:35:10 +00:00