Commit Graph

3440 Commits (661a1fef3e153b4c770c16ba6f200ae52b920a6a)

Author SHA1 Message Date
James Lee bb17d75425
Replace direct class comparison with kind_of? 2015-01-28 17:00:15 -06:00
Brent Cook 65d71a5e18 Fix #4625 Reenable channel receive packet requeueing logic
In #4475, I incorrectly interpreted the role of the 'incomplete' array
in monitor_socket, and that change should be reverted.

What appears to happen is, we play a kind of 3-card monty with the list
of received packets that are waiting for a handler to use them.
monitor_socket continually loops between putting the packets on @pqueue,
then into backlog[] to sort them, then into incomplete[] to list all of
the packets that did not have handlers, finally back into @pqueue again.
If packets don't continually get shuffled back into incomplete, they are
not copied back into @pqueue to get rescanned again.

The only reason anything should really get into incomplete[] is if we
receive a packet, but there is nothing to handle it. This scenario
sounds like a bug, but it is exactly what happens with the Tcp Client
channel - one can open a new channel, and receive a response packet back
from the channel before the subsequent read_once code runs to register a
handler to actually process it. This would be akin to your OS
speculatively accepting data on a TCP socket with no listener, then when
you open the socket for the first time, its already there.

While it would be nice if the handlers were setup before the data was
sent back, rather than relying on a handler being registered some time
between connect and PacketTimeout, this needs to get in now to stop the
bleeding. The original meterpreter crash issue from #4475 appears to be
gone as well.
2015-01-23 08:50:37 -06:00
jvazquez-r7 4311226840 Add documentation for Rex::Java::Serialization::Builder 2015-01-20 11:26:52 -06:00
jvazquez-r7 0584ae8177 Add Rex::Java::Serialization::Builder#new_object 2015-01-20 10:31:37 -06:00
jvazquez-r7 6ca86256cf Add Rex::Java::Serialization::Builder#new_array 2015-01-20 10:23:09 -06:00
jvazquez-r7 ec57387821 Add Rex::Java::Serialization::Builder#new_class 2015-01-19 11:54:12 -06:00
jvazquez-r7 4220a5e60f Use Rex::Java::Serialization::Builder#new_class 2015-01-19 11:53:53 -06:00
William Vu cb0257bec7
Land #4576, OpenVAS database import fix 2015-01-18 00:45:36 -06:00
nstarke 55a746eeb7 Changing code to catch everything extraneous 2015-01-17 15:46:26 +00:00
jvazquez-r7 697e4fbd41
Land #4584, @sgabe's fix for egghunter searchforward 2015-01-16 19:36:52 -06:00
jvazquez-r7 a42b095472 Delete heaponly option 2015-01-16 19:35:57 -06:00
jvazquez-r7 859a8978e7 Allow searchforward to be an string 2015-01-16 19:33:19 -06:00
sgabe 3297d198f3 Fix search-forward option in regular egghunter 2015-01-16 22:16:30 +01:00
sgabe 95eab85df4 Add support for heap-only search in regular egghunter 2015-01-13 21:31:13 +01:00
Jon Hart 5cc7d5d1a8
Remove errant pry 2015-01-13 10:35:05 -08:00
jvazquez-r7 0babde8c1a Fix specs 2015-01-13 10:48:23 -06:00
jvazquez-r7 4351964290 Change module filename 2015-01-13 10:46:14 -06:00
jvazquez-r7 3946b95bc3 Update rex code and specs 2015-01-13 10:45:00 -06:00
jvazquez-r7 1f0b986bf1 Change filenames 2015-01-13 10:43:27 -06:00
Jon Hart 69f03f5c5d
Move ACPP default port into Rex 2015-01-12 19:43:57 -08:00
Jon Hart d5cdfe73ed
Big style cleanup 2015-01-12 19:11:14 -08:00
nstarke 9baae6e494 Potential Fix For OpenVAS DB Import Issue 2015-01-13 02:46:13 +00:00
Jon Hart ec506af8ea
Make ACPP login work 2015-01-12 14:01:23 -08:00
Jon Hart 691ed2cf14 More cleanup
Don't validate checksums by default until they are better understood
Handle the unknowns a bit better
Make checksum failures more obvious why it failed
2015-01-12 13:08:12 -08:00
Jon Hart 97f5cbdf08 Add initial Airport ACPP login scanner 2015-01-12 13:08:12 -08:00
Jon Hart fba6945e9a Doc payload oddness. Add more checksum tests 2015-01-12 13:08:12 -08:00
Jon Hart 54eab4ea3d Checksum validation, more tests 2015-01-12 13:08:12 -08:00
Jon Hart 7e4dd4e55b Add ACPP decoding capabilities 2015-01-12 13:08:12 -08:00
Jon Hart 2af82ac987 Some preliminary Apple Airport admin protocol (ACPP?) support 2015-01-12 13:08:11 -08:00
jvazquez-r7 d59805568e Do first module refactoring try 2015-01-07 19:06:09 -06:00
jvazquez-r7 731c2f99d1 Handle better java references 2015-01-07 15:19:28 -06:00
Meatballs 0b0ac1455a
Merge remote-tracking branch 'upstream/master' into extapi_service_post
Conflicts:
	test/modules/post/test/services.rb
2015-01-07 20:53:34 +00:00
jvazquez-r7 ba13e9d64c Add Stream spec 2015-01-07 12:05:44 -06:00
jvazquez-r7 98ec08ae0d Add support for Ping and PingAck 2015-01-06 15:18:55 -06:00
jvazquez-r7 1e3b24f01b Add support for DbgAck 2015-01-06 15:00:17 -06:00
jvazquez-r7 6d1d300e72 Add support for ReturnData 2015-01-06 12:52:00 -06:00
jvazquez-r7 825e08f5ac Add support for Call messages 2015-01-06 12:36:06 -06:00
jvazquez-r7 f3ff42dbfb Add support for Continuation 2015-01-06 11:34:47 -06:00
William Vu 0bece137c1
Land #4494, Object.class.to_s fix 2015-01-06 02:27:35 -06:00
jvazquez-r7 757f95a24d Add support for ProtocolAck 2015-01-06 00:14:14 -06:00
jvazquez-r7 26da73ffb8 Change class name 2015-01-05 19:23:07 -06:00
jvazquez-r7 d5dfd75e71 Add initial model and support to OutputStream 2015-01-05 18:52:13 -06:00
Meatballs dd5c638ab0
Merge remote-tracking branch 'upstream/master' into extapi_service_post 2015-01-05 22:18:44 +00:00
OJ 17ff546b0f Remove unnecessary calls to expand path
When using the Meterpreter Binaries gem to locate the path to the
meterpreter DLLs, it's not necessary to use File.expand_path on
the result because the gem's code does this already.

This commit simple removes those unnecessary calls.
2015-01-03 08:30:26 +10:00
sinn3r d45cdd61aa Resolve #4507 - respond_to? + send = evil
Since Ruby 2.1, the respond_to? method is more strict because it does
not check protected methods. So when you use send(), clearly you're
ignoring this type of access control. The patch is meant to preserve
this behavior to avoid potential breakage.

Resolve #4507
2015-01-02 13:29:17 -06:00
Christian Mehlmauer 4f11dc009a
fixes #4490, class.to_s should not be used for checks 2014-12-31 10:46:24 +01:00
jvazquez-r7 722f86f361 Try to guess TMPDIR folder 2014-12-30 18:39:29 -06:00
jvazquez-r7 7596d211e9 Use length for comparision 2014-12-30 18:39:18 -06:00
jvazquez-r7 e903044fd5 Allow to provide writable dir 2014-12-30 18:36:30 -06:00
jvazquez-r7 f17a7e8a61 Better handling of the unix domain socket argument 2014-12-30 18:36:28 -06:00
jvazquez-r7 4df4e8b9d6 Add support for linux meterpreter migration 2014-12-30 18:34:24 -06:00
jvazquez-r7 56df2d0062 Add support for linux meterpreter migrate types 2014-12-30 18:30:15 -06:00
Tod Beardsley 135faeee29
Land #4095, specs for Rex::OLE 2014-12-30 14:25:09 -06:00
Tod Beardsley a8e907d68b
Land #4479, nil comparisons and missing DLLs
Also fixes #4474.
2014-12-30 13:55:54 -06:00
Brent Cook bdac5db695 remove usage of ==/!= nil
Adjust all module-loading libraries to have consistent nil?/!nil? checking and
'if' style.
2014-12-30 10:59:49 -06:00
Jon Hart d727ac5367
Alias Rex::Ui::Text::Output::Tee print_raw to write, fixes #4469 and #4363 2014-12-29 16:47:04 -08:00
sinn3r 555713b6ae
Land #4456 - MS14-068, Kerberos Checksum (plus krb protocol support) 2014-12-29 16:09:28 -06:00
Brent Cook 5d70b837ed handle nil results from MeterpreterBinaries.path
When a meterpreter binary cannot be found, give the user some hint about what
went wrong.

```
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.43.1
lhost => 192.168.43.1
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.43.1:4444
[*] Starting the payload handler...
[*] Sending stage (770048 bytes) to 192.168.43.252
[*] Meterpreter session 1 opened (192.168.43.1:4444 -> 192.168.43.252:49297) at 2014-12-29 12:32:37 -0600

meterpreter > use mack
Loading extension mack...
[-] Failed to load extension: No module of the name ext_server_mack.x86.dll found
```

This is also useful for not scaring away would-be developers who replaced only
half (the wrong half) of their DLLs from a fresh meterpreter build and
everything exploded. Not that thats ever happened to me :)
2014-12-29 12:34:02 -06:00
Tod Beardsley 72eb8e6503
Land #4475, inverted timeout fix 2014-12-29 11:37:28 -06:00
Brent Cook bbb41c39b8 fix backward meterpreter packet timeout logic
The current logic times out every packet almost immediately, making it possible
for almost any non-trivial meterpreter session to receive duplicate packets.

This causes problems especially with any interactions that involve passing
resource handles or pointers back and forth between MSF and meterpreter, since
meterpreter can be told to operate on freed pointers, double-closes, etc.

This probably fixes tons of heisenbugs, including #3798.

To reproduce this, I enabled all debug messages in meterpreter to slow it
down, then ran this RC script with a reverse TCP meterpreter, after linking in
the test modules:

(cd modules/post
 ln -s ../../test/modules/post/test)

die.rc:
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.43.1
exploit -j
sleep 5
use post/test/services
set SESSION 1
run
2014-12-29 08:15:51 -06:00
jvazquez-r7 d148848d31 Support Kerberos error codes 2014-12-24 18:05:48 -06:00
jvazquez-r7 05a9ec05e8 raise NotImplementedError 2014-12-23 19:59:37 -06:00
jvazquez-r7 4493b3285c Raise NoMethodError for methods designed to be overriden 2014-12-23 19:51:41 -06:00
jvazquez-r7 fee033d6df Use Rex::Text.md5_raw 2014-12-23 19:30:23 -06:00
Matthew Hall 3c10b04673 add start of rspec tests 2014-12-23 16:35:27 +00:00
Matthew Hall fca0484639 fix a few bugs with the code cleanup 2014-12-23 15:28:00 +00:00
Matthew Hall 6b98a7d444 Tidy up by removing some duplicate code; add framework to track payload requests through the file id 2014-12-23 14:14:06 +00:00
Meatballs b41e259252
Move it to a common method 2014-12-23 11:16:07 +00:00
jvazquez-r7 13ec578d1a Revert "Back to Create OpenSSL::BN from string"
This reverts commit 635a54ca94.
2014-12-22 23:17:03 -06:00
jvazquez-r7 635a54ca94 Revert "Create OpenSSL::BN from string"
This reverts commit fe99b65a62.
2014-12-22 19:14:07 -06:00
jvazquez-r7 fe99b65a62 Create OpenSSL::BN from string 2014-12-22 18:44:47 -06:00
jvazquez-r7 d12b43d257 Use Intege.new 2014-12-22 18:37:07 -06:00
jvazquez-r7 ad97457a39 Move more constants to Crypto 2014-12-22 15:27:16 -06:00
jvazquez-r7 75a2846377 Add more PAC constants 2014-12-22 15:14:46 -06:00
jvazquez-r7 5a6c915123 Clean options 2014-12-22 14:37:37 -06:00
jvazquez-r7 ff208002d7 Reorganize the Crypto mixin 2014-12-22 11:57:35 -06:00
jvazquez-r7 9f1403a63e Add initial specs for Msf::Kerberos::Client::TgsResponse 2014-12-20 20:29:00 -06:00
jvazquez-r7 5f0c3ebb2b Add documentation for Msf::Kerberos::Client::TgsResponse and TgsRequest 2014-12-20 19:32:38 -06:00
jvazquez-r7 e35218b6f1 Add documentation for Msf::Kerberos::Client::CacheCredential 2014-12-20 18:28:36 -06:00
Tod Beardsley d3050de862
Remove references to Redmine in code
See #4400. This should be all of them, except for, of course, the module
that targets Redmine itself.

Note that this also updates the README.md with more current information
as well.
2014-12-19 17:27:08 -06:00
jvazquez-r7 fad08d7fca Add specs for Rex Kerberos client 2014-12-19 12:14:33 -06:00
jvazquez-r7 f4037b1003 Clean Kerberos Rex client code 2014-12-19 11:08:48 -06:00
jvazquez-r7 dfa92da287 Add TODO 2014-12-19 01:13:56 -06:00
jvazquez-r7 77e2d4d90d Add documentation for the Kerberos PAC support classes 2014-12-19 01:12:14 -06:00
jvazquez-r7 fda4cd3440 Fix some Rex Kerberos model documentation 2014-12-18 19:30:12 -06:00
jvazquez-r7 c426cf32d0 Add specs for Rex::Proto::Kerberos::CredentialCache::Principal 2014-12-18 17:40:06 -06:00
jvazquez-r7 16d5ee1aae Add documentation for the rex credential cache support 2014-12-18 17:12:58 -06:00
jvazquez-r7 7275f5a5f2 Allow Rex to load credential_cache 2014-12-18 16:32:21 -06:00
jvazquez-r7 f325d2f60e Add support for cache credentials in the mixin 2014-12-18 16:31:46 -06:00
jvazquez-r7 0a61e108ea Add code skeleton for credential_cache 2014-12-18 00:30:47 -06:00
jvazquez-r7 0f19f3cf2e Add classes templates 2014-12-17 23:16:58 -06:00
jvazquez-r7 f3f6a64f02 Add some AS response methods to a mixin 2014-12-17 19:50:42 -06:00
jvazquez-r7 8e570cc19b Initial support to send TGS-REQ 2014-12-17 18:55:30 -06:00
jvazquez-r7 594b9bcfc2 Add support for AuthorizationData 2014-12-16 23:21:13 -06:00
HD Moore 9de4137aa7 Patch UA/Proxy settings during migration, lands #3632 2014-12-16 22:21:48 -06:00
Sean Verity 1930eb1bf8 Refactors metsrv patching in reverse_http.rb 2014-12-17 10:04:43 -05:00
jvazquez-r7 2649d482fe Add support for KRB_AP_REQ 2014-12-16 18:39:42 -06:00
jvazquez-r7 0f55a98450 Add support for Authenticator encoding 2014-12-16 17:45:54 -06:00
jvazquez-r7 dde45a7f53 Add support for Checksum encoding 2014-12-16 17:05:35 -06:00
jvazquez-r7 a93cbac7bf Support ticket encoding 2014-12-16 16:04:13 -06:00
jvazquez-r7 ce6b53b44c Fix attribute description 2014-12-16 11:39:04 -06:00
jvazquez-r7 a5f8b4319f Add support to encode PAC-TYPE 2014-12-16 11:31:27 -06:00
jvazquez-r7 1721641138 Add support for PAC-LOGON-INFO 2014-12-16 09:32:47 -06:00
Sean Verity 52b3025351 Reworked to avoid extending String class on blob per hdm's rec. 2014-12-15 21:40:41 -05:00
jvazquez-r7 c1114c180a Add support for PAC-CLIENT-INFO 2014-12-15 17:32:51 -06:00
jvazquez-r7 64a0162e3f Add support for PAC-SERVER-CHECKSUM 2014-12-15 17:16:43 -06:00
jvazquez-r7 482c883d36 Add the parent class for pac elements 2014-12-15 17:13:52 -06:00
jvazquez-r7 2c7139b936 Add support for PAC-PRIVSRV-CHECKSUM 2014-12-15 17:13:22 -06:00
jvazquez-r7 147ff13080 Add support to decode the encryption part of as responses 2014-12-15 11:47:08 -06:00
jvazquez-r7 643279b54b Add support to decode the encryption part of as responses 2014-12-15 11:46:11 -06:00
jvazquez-r7 d81cdd6cbb Add KdcResponse spec first draft 2014-12-14 21:20:54 -06:00
jvazquez-r7 c3a2bcf956 Make KdcResponse decoding better 2014-12-14 21:01:09 -06:00
jvazquez-r7 442adb080f Add first support to decode tickets 2014-12-14 20:51:26 -06:00
jvazquez-r7 35742873c7 Delete references to deleted namespaces 2014-12-14 19:23:21 -06:00
jvazquez-r7 78c76092dd Delete namespaces from model classes 2014-12-14 19:18:30 -06:00
jvazquez-r7 13ae624738 Delete namespaces 2014-12-14 19:15:57 -06:00
jvazquez-r7 2d0cb5acd8 Move elements to model dir 2014-12-14 19:11:21 -06:00
jvazquez-r7 328e9f62e8 Add first draft for Kerberos responses 2014-12-14 19:09:41 -06:00
jvazquez-r7 483c273e17 Add support to decode responses on the Rex client 2014-12-14 17:54:17 -06:00
jvazquez-r7 883bfd1f46 Add support to retrieve e-data 2014-12-14 17:23:37 -06:00
jvazquez-r7 7067f2ea83 Modify Rex::Proto::Kerberos::Client to read responses 2014-12-14 16:32:25 -06:00
jvazquez-r7 c5dc065fde Add support for decoding KrbError 2014-12-14 16:26:18 -06:00
jvazquez-r7 704781d0ce Modify exception message 2014-12-14 12:11:09 -06:00
jvazquez-r7 8435328af7 Fix create_tcp_connection 2014-12-14 00:54:26 -06:00
jvazquez-r7 0abf5d147e Add some documentation 2014-12-14 00:51:44 -06:00
HD Moore 00590f9f26
Adds Java serialization support, lands #4327 2014-12-13 17:47:53 -06:00
HD Moore 19adfca8ce Updated stubs from source 2014-12-13 12:55:41 -06:00
jvazquez-r7 bde8c380c2 Make mixin run 2014-12-13 02:46:00 -06:00
HD Moore f676b72767
Add Kademlia scanner, lands #4210 2014-12-12 16:40:58 -06:00
jvazquez-r7 78eb3325bc Add initial Rex Client and mixin 2014-12-12 01:20:14 -06:00
Brent Cook 8140ed4a45 Merge branch 'upstream-master' into land-3175 2014-12-11 22:03:03 -06:00
jvazquez-r7 20836c1789 Refactor crypto usage 2014-12-11 18:18:37 -06:00
jvazquez-r7 0b2fd7ffec Update PreAuthEncTimeStamp#encrypt documentation 2014-12-11 17:08:04 -06:00
jvazquez-r7 424ce6ad53 Add constant with CRYPTO_MSG_TYPE 2014-12-11 17:03:46 -06:00
jvazquez-r7 38a0506f2d Refactor Crypto 2014-12-11 17:00:46 -06:00
jvazquez-r7 35f02e6796 Add support to encode KdcRequest 2014-12-11 15:51:54 -06:00
jvazquez-r7 d96206b813 Support KdcRequest#encode 2014-12-11 12:44:17 -06:00
jvazquez-r7 3f12c5c9c5 Redo decode_asn1 2014-12-11 12:34:47 -06:00
jvazquez-r7 8d6e41fae3 Add documentation for KdcRequest 2014-12-11 12:27:26 -06:00
jvazquez-r7 162d2d39b5 Add support for KdcRequestBody decoding 2014-12-11 12:19:26 -06:00
jvazquez-r7 39ffc0c58a Add support for PreAuthData#encode 2014-12-10 19:48:44 -06:00
jvazquez-r7 b89dee03c6 Add PreAuthEncTimeStamp#encode support 2014-12-10 19:30:21 -06:00
jvazquez-r7 3accdb705b Add support for PreAuthPacRequest#encode 2014-12-10 19:18:19 -06:00
jvazquez-r7 96c1370334 Add EncryptedData#encode support 2014-12-10 19:12:24 -06:00
jvazquez-r7 543ec35a01 Refactor PrincipalName#encode 2014-12-10 18:57:23 -06:00
jvazquez-r7 5d2ff5982e Add support for PreAuthEncTimeStamp decoding/decrypting 2014-12-10 18:33:46 -06:00
Tod Beardsley 0eea9a02a1
Land #3144, psexec refactoring 2014-12-10 17:30:39 -06:00
jvazquez-r7 785ff60d8e Add inital support for PreAuthEncTimeStamp 2014-12-10 11:25:48 -06:00
jvazquez-r7 8ec403af89 Add support for PA-PAC-REQUEST 2014-12-10 10:51:37 -06:00
jvazquez-r7 6ebfbe7271 Prefix coding 2014-12-10 09:54:57 -06:00
jvazquez-r7 11acba3324 Prefix coding 2014-12-10 09:52:23 -06:00
jvazquez-r7 6653502e68 Support pa_data parsing on kdc_request 2014-12-10 09:47:31 -06:00
jvazquez-r7 cc909ba402 Add documentation for PreAuthData 2014-12-09 19:57:16 -06:00
jvazquez-r7 18819ad6b9 Prefix Rex 2014-12-09 19:37:42 -06:00
jvazquez-r7 0a6e42968b Add inital support for padata 2014-12-09 19:28:40 -06:00
jvazquez-r7 e62628f1cc Make specs pass 2014-12-09 18:52:42 -06:00
jvazquez-r7 2557780e7c Add initial support to decode kdc requests 2014-12-09 18:48:08 -06:00
jvazquez-r7 bed1e06d13 Mark EncryptedData encode as unsupported atm 2014-12-09 17:06:51 -06:00
jvazquez-r7 82549315ff Mark KdcRequestBody encode as unsupported atm 2014-12-09 17:05:20 -06:00
jvazquez-r7 b84840a596 Add support to decode TGS_REQ body 2014-12-09 16:51:34 -06:00
jvazquez-r7 f236438290 Add initial support for EncryptedData 2014-12-09 16:40:44 -06:00
jvazquez-r7 2725235bc1 Add require for EncryptedData 2014-12-09 16:28:37 -06:00
jvazquez-r7 c5865c6fec Add initial design draft 2014-12-09 15:53:29 -06:00
Luke Imhoff 5f730277cf
Fix prompt coloring on Windows
MSP-11669

Set output stream for RbReadline (rl_outstream) to the
Rex::Ui::Text::Output::Stdio, which will use translate the ANSI color
escapes to set_color calls in Windows.
2014-12-08 14:31:00 -06:00
jvazquez-r7 564da4446e Add print friendly to_s 2014-12-07 17:52:09 -06:00
jvazquez-r7 2c290e2004 Use classes short name 2014-12-05 20:16:50 -06:00
jvazquez-r7 8f403f3eea Update documentation 2014-12-05 20:11:45 -06:00
jvazquez-r7 03740df931 Support serialization 2014-12-05 19:55:52 -06:00
jvazquez-r7 785006b684 Use references 2014-12-05 19:12:05 -06:00
jvazquez-r7 ae608b1311 Add references to stream when possible 2014-12-05 17:35:38 -06:00
jvazquez-r7 13d8058fe5 Fill stream attribute 2014-12-05 17:14:37 -06:00
jvazquez-r7 ca164cd99f Support the stream attribute 2014-12-05 16:52:59 -06:00
jvazquez-r7 90e2bbbff5 Refactor Contents 2014-12-05 16:05:35 -06:00
jvazquez-r7 2241653cb6 Delete self.stream initialization 2014-12-05 12:44:04 -06:00
jvazquez-r7 f5a19b9b41 Add support to decode TC_REFERENCE 2014-12-05 12:42:27 -06:00
jvazquez-r7 1653101da4 Add support for Arrays of Objects 2014-12-04 20:31:38 -06:00
jvazquez-r7 8e5dc27546 Support Objects with super classes 2014-12-04 19:19:42 -06:00
jvazquez-r7 4b8bdad44b Refactor contents serialization 2014-12-04 18:28:25 -06:00
jvazquez-r7 08f69da41a Undo to_s methods 2014-12-04 12:48:05 -06:00
jvazquez-r7 b80f6c34c0 Add tool to deserialize streams from files 2014-12-04 12:47:02 -06:00
jvazquez-r7 08fe467452 Add Stream specs 2014-12-03 19:31:46 -06:00
jvazquez-r7 2c8f66bba2 Add support for Reset 2014-12-03 18:50:56 -06:00
jvazquez-r7 fb246ac943 Add support for (de)serialization of contents 2014-12-03 18:50:31 -06:00
jvazquez-r7 3e8b8390dd Add support for Java Streams 2014-12-03 17:59:00 -06:00
jvazquez-r7 6cb6252914 Add YARD documentation for NewObject 2014-12-03 17:34:12 -06:00
jvazquez-r7 d0fcbf2cdb Add support for simple Objects really 2014-12-03 17:22:23 -06:00
jvazquez-r7 2b91d5013e Add support for simple Objects 2014-12-03 17:21:11 -06:00
jvazquez-r7 fbea369043 Check nils before encoding 2014-12-03 15:06:28 -06:00
jvazquez-r7 0560cc2fe9 Fix typos 2014-12-03 14:59:38 -06:00
jvazquez-r7 268157d42f Add support for Java Enums 2014-12-03 14:50:03 -06:00
jvazquez-r7 f0139d6aad Fix some docu typos 2014-12-03 14:34:17 -06:00
jvazquez-r7 0cd51553ed Raise error on unsupported ClassDesc 2014-12-03 14:00:10 -06:00
jvazquez-r7 6deb88af6b Add support for arrays 2014-12-03 13:55:12 -06:00
jvazquez-r7 b9023e8fcc Split ClassDescription into ClassDesc and NewClassDesc 2014-12-03 00:38:27 -06:00
jvazquez-r7 db45f4c620 Delete ClassDescription 2014-12-02 23:56:55 -06:00
jvazquez-r7 1f535a41ca Move types to the Serialization module 2014-12-02 20:02:42 -06:00
jvazquez-r7 2c070c450b Add support for ClassDescription 2014-12-02 17:31:53 -06:00
jvazquez-r7 e9e584e107 Raise exceptions when unserialization isn't possible 2014-12-02 15:31:31 -06:00
HD Moore fc96d011ab
Python reverse_http stager, lands #4225 2014-12-02 11:47:31 -06:00
jvazquez-r7 622a18bc22 Add support for annotations 2014-12-02 11:42:41 -06:00
jvazquez-r7 a68540cfa2 Add support for Data Block Long 2014-12-02 10:49:15 -06:00
jvazquez-r7 9c5d7e66d4 Add block data support 2014-12-02 10:46:29 -06:00
jvazquez-r7 8923b87def Don't redefine the static decode method 2014-12-02 09:02:24 -06:00
jvazquez-r7 ef2bf5b935 Add support for long-utf 2014-12-01 19:50:33 -06:00
jvazquez-r7 705cd4c308 Add initial requiring file 2014-12-01 19:08:16 -06:00
jvazquez-r7 5f11c70d7f Add initial support for Java serialization 2014-12-01 19:07:45 -06:00
HD Moore 335d1ef287 Only cache auto-generated certificates 2014-11-26 21:23:08 -06:00
Jon Hart c0dab54925
Add minor missing doc 2014-11-25 07:37:49 -08:00
Jon Hart bedf7ed44b
Doc cleanup 2014-11-24 14:34:20 -08:00
Jon Hart 0ed356f71c
Move Kademlia stuff to a more OO model, etc, per reviews
All of the work is done in rex.  The msf mixin just prevents the
desire to call rex directly from the module
2014-11-24 14:03:43 -08:00
HD Moore 8becf417a7 Qualify ::File to prevent a stacktrace 2014-11-22 17:16:13 -06:00
HD Moore 673e21cfaf Rework meterpreter SSL & pass datastore to handle_connection()
This allows HandlerSSLCert to be used to pass a SSL certificate into the Meterpreter handler. The datastore has to be passed into handle_connection() for this to work, as SSL needs to be initialized on Session.new. This still doesn't pass the datastore into Meterpreter directly, but allows the Session::Meterpreter code to extract and pass down the :ssl_cert option if it was specified. This also fixes SSL certificate caching by expiring the cached cert from the class variables if the configuration has changed. A final change is to create a new SSL SessionID for each connection versus reusing the SSL context, which is incorrect and may lead to problems in the future (if not already).
2014-11-22 15:35:00 -06:00
HD Moore ba9c763f7e Auto-generated SSL certs now match "snakeoil" defaults
This change emulates the auto-generated snakeoil certificate from Ubuntu 14.04. The main changes including moving to 2048-bit RSA, SHA256, a single name CN for subject/issuer, and the removal of most certificate extensions.
2014-11-21 18:25:04 -06:00
jvazquez-r7 90ae9a3ff8
Land #4173, @wchen-r7's fix for SMB find_first
* Fixes #4119, SMB find_first("\\*") does not return accurate results
* It missed initialization of sid
2014-11-21 09:51:57 -06:00
Jon Hart e255db9429
Partial commit 2014-11-20 13:49:36 -08:00
Jon Hart 5d2c02f402 Initial commit of more OO version of Rex/Aux Kademlia support 2014-11-20 13:28:01 -08:00
Jon Hart 94e5ba13a4 YARD and spec cleanup 2014-11-20 13:28:01 -08:00
Jon Hart df36ac910d Mostly complete Kademlia PING / BOOTSTRAP scanner 2014-11-20 13:28:01 -08:00
Jon Hart f5aa3ecb57 Add proper peer decoding 2014-11-20 13:28:01 -08:00
Jon Hart ab49d01a1b Add beginnings of Kademlia gather module and protocol support 2014-11-20 13:28:00 -08:00
HD Moore d530046164 Bugfix. Chrome is a liar (chain certs properly) 2014-11-19 16:08:03 -06:00
HD Moore 0d091f1c03 Support SSL intermediate certs, closes #4238
Note that this does not apply to reverse_tcp meterpreter clients yet, as
they do not allow certificates to be supplied. I abstracted out the SSL
certificate generation and parsing methods so that we can address this
next.
2014-11-19 15:56:49 -06:00
Meatballs 7004c501f8
Merge remote-tracking branch 'upstream/master' into psexec_refactor_round2
Conflicts:
	modules/exploits/windows/smb/psexec.rb
2014-11-19 14:40:50 +00:00
Jon Hart d94ca2b89a
Add doc for Rex::Proto::Steam 2014-11-18 11:46:28 -08:00
Spencer McIntyre 2b36c1bb43 Fix pymeterp bugs from testing in osx and python3 2014-11-17 14:04:30 -05:00
Jon Hart 7098d89058 Introduce new ::Rex::Proto::SunRPC::RPCError, making run_host cleaner 2014-11-17 10:41:17 -08:00
William Vu a521d469ed
Land #4194, Quake protocol support 2014-11-15 17:44:19 -06:00
Jon Hart 57aef9a6f5
Land #4177, @hmoore-r7's fix for #4169 2014-11-13 18:29:57 -08:00
Jon Hart ebf6fe4e56
Minor style cleanup 2014-11-12 16:44:43 -08:00
Trevor Rosen f658efe144
Add the ability to specify mode in Rex output file
* Because sometimes you might want to append
* Preserves original hardcoded 'wb' as default
* http://pubs.opengroup.org/onlinepubs/009695399/functions/fopen.html
2014-11-12 16:08:03 -06:00
Jon Hart 07a1653e57
Add gather module for Quake servers 2014-11-12 13:32:56 -08:00
HD Moore 6b4eb9a8e2 Differentiate failed binds from connects, closes #4169
This change adds two new Rex exceptions and changes the local comm to raise the right one depending on the circumstances. The problem with the existing model is
that failed binds and failed connections both raised the same exception. This change is backwards compatible with modules that rescue Rex::AddressInUse in additi
on to Rex::ConnectionError. There were two corner cases that rescued Rex::AddressInUse specifically:

1. The 'r'-services mixin and modules caught the old exception when handling bind errors. These have been updated to use BindFailed
2. The meterpreter client had a catch for the old exception when the socket reports a bad destination (usually a network connection dropped). This has been updat
ed to use InvalidDestination as that was the intention prior to this change.

Since AddressInUse was part of ConnectionError, modules and mixins which caught both in the same rescue have been updated to just catch ConnectionError.
2014-11-11 14:59:41 -06:00
sinn3r 719db5d2b1 Fix #4119 - SMB lost search ID (sid) in find_first method
This will fix issue #4119. A bug in the find_first method in rex
SMB.

When the SMB client requests a TRANS2_FIND_FIRST2 for retriving
information about what items a directory has, the server returns
a response that contains an SID - a search identifier for the
transaction. If the SMB client wants more data, it must send a
TRANS2_FIND_NEXT2 request with the same SID. And then the server
will continue sending more until it runs out.

The root cause of this bug is that after the TRANS2_FIND_FIRST2
request is sent, our SMB's find_first method forgets the SID at
the end of the loop (out of scope).
2014-11-11 12:35:07 -06:00
Jon Hart 5b1b7c22bb Minor test/style cleanup 2014-11-11 10:18:56 -08:00
Jon Hart 51e84ce548 Add unit tests, complete extraction/cleanup 2014-11-11 10:18:49 -08:00
Joshua Smith 03a988b5dc
Land #4150, adds getsid command
Fixes #3787
2014-11-09 22:10:22 -06:00
OJ eb830cb361 Idiomaticise the rubies 2014-11-10 07:44:36 +10:00
sinn3r 8f3b1e71b3 Fix #4156 - NoMethodError undefined method `stop'
This will fix #4156. It also fixes NoMethodError payload_exe
when I was trying to fix the undef 'stop' one
2014-11-09 14:07:02 -06:00
sinn3r cd0dbc0e24 Missed another 2014-11-09 14:06:39 -06:00
sinn3r e54442af36 Fix #4089 - undefined method `downcase' for nil:NilClass 2014-11-07 02:45:22 -06:00
Joshua Smith 709ff1bbdb touch up lib/rex/mime/message.rb 2014-11-06 22:48:34 -06:00
OJ 08e707225c Add support for the getsid command
There has been Meterpreter work done as well to support this. But this
commit allows for a new 'getsid' command which tells you the sid of the
current process/thread. This can be used for things like determining
whether the current process is running as system. It could also be used
for golden ticket creation, among other things.
2014-11-07 10:38:22 +10:00
jvazquez-r7 741f99f118 Delete starting empty line
When header is empty it shouldn't add an starting empty
new line
2014-11-05 11:42:42 -06:00
jvazquez-r7 41800163dd Fix recursive call to find_by_sid 2014-11-03 14:25:29 -06:00
Tod Beardsley 0199e4d658
Land #3770, resolve random stager bugs 2014-11-03 14:15:14 -06:00
James Lee 867329d4b3 Fix readline by mucking with load path 2014-10-29 22:14:49 -05:00
Meatballs 4f61710c9a
Merge remote-tracking branch 'upstream/master' into psexec_refactor_round2 2014-10-28 20:26:44 +00:00
Tim Wright 22fc6496ac Merge branch 'pr/3401' into landing-3401 2014-10-22 19:23:01 +01:00
Jon Hart 7b33ff1363
Land #3767, @jvazquez-r7's specs for Rex::Encoder::XDR 2014-10-22 09:22:53 -07:00
sinn3r 79d393c5aa Resolve merge conflicts
Conflicts:
	lib/msf/core/exploit/smb.rb
	lib/msf/core/exploit/tcp.rb
	modules/auxiliary/scanner/http/axis_login.rb
2014-10-21 13:06:35 -05:00
OJ 52cbbe3677 Add some documentation to the ADSI functions 2014-10-21 10:34:47 +10:00
OJ 8329a15cb0
Merge branch 'upstream/master' into group_tlv_refactors 2014-10-21 09:54:55 +10:00
Jon Hart 82de2eb1f3
Fix Rex::Encoder::XDR.decode_int! to properly handle short data 2014-10-20 11:30:13 -07:00
HD Moore 935a23296d
Updates to NAT-PMP, lands #4041 2014-10-20 11:26:26 -05:00
James Lee 6498ed0dc8
Report the actual host that failed to connect
Instead of the eventual target where our proxy chain will connect. In
the usual case (no Proxies set), this will be the same output as before.
When proxies are given, the user will see that the first proxy
connection is actually what failed.
2014-10-17 17:37:04 -05:00
Tod Beardsley d5a0b81680
Land #4024, auto-negotiate SSL versions
Thanks @hmoore-r7!
2014-10-15 16:04:38 -05:00
HD Moore fcd9b4b293 Allow non-SSLv3 Meterpreters (auto-negotiate) 2014-10-15 13:57:51 -05:00
HD Moore cb3a4afac5 Typo: request -> requested in message 2014-10-15 13:48:22 -05:00
HD Moore 7516512650 Raise an ArgumentError vs RuntimeError for backwards compatibility 2014-10-15 13:30:38 -05:00
HD Moore a762d871bf Autonegotiate SSL/TLS versions when not explicit 2014-10-15 13:26:40 -05:00
Tod Beardsley c4d1a4c7dc
Revert #4022, as the solution is incomplete
Revert "Land 4022, datastore should default TLS1 vs SSL3"

This reverts commit 4c8662c6c1, reversing
changes made to 0937f32ff9.
2014-10-15 12:32:08 -05:00
Tod Beardsley 1754b23ffb
Datastore options should default to TLS1, not SSL3
Otherwise, we risk getting our connections killed by particularly
aggressive DPI devices (IPS, firewalls, etc)

Squashed commit of the following:

commit 5e203851d5c9dce1fe984b106ce3031a3653e54b
Author: Tod Beardsley <tod_beardsley@rapid7.com>
Date:   Wed Oct 15 10:19:04 2014 -0500

    Whoops missed one

commit 477b15a08e06e74d725f1c45486b37e4b403e3c2
Author: Tod Beardsley <tod_beardsley@rapid7.com>
Date:   Wed Oct 15 10:16:59 2014 -0500

    Other datastore options also want TLS1 as default

commit 8d397bd9b500ff6a8462170b4c39849228494795
Author: Tod Beardsley <tod_beardsley@rapid7.com>
Date:   Wed Oct 15 10:12:06 2014 -0500

    TCP datastore opts default to TLS1

    Old encryption is old. See also: POODLE
2014-10-15 10:28:53 -05:00
Jon Hart ea6824c46f WIP of NAT-PMP rework 2014-10-14 14:20:24 -07:00
James Lee a65ee6cf30
Land #3373, recog
Conflicts:
	Gemfile
	Gemfile.lock
	data/js/detect/os.js
	lib/msf/core/exploit/remote/browser_exploit_server.rb
	modules/exploits/android/browser/webview_addjavascriptinterface.rb
2014-10-03 18:05:58 -05:00
Samuel Huckins 0dfd8e25b8
Land #3846, Rex::ImageSource specs 2014-10-02 12:33:56 -05:00
jvazquez-r7 e1f00a83bc Fix Rex because domainname and domain_name were duplicated 2014-09-26 13:40:52 -05:00
jvazquez-r7 a31b4ecad9
Merge branch 'review_3893' into test_land_3893 2014-09-26 08:41:43 -05:00
James Lee 86f85a356d
Add DHCP server module for CVE-2014-6271 2014-09-26 01:24:42 -05:00
Ramon de C Valle 5dde73bb51 Add domain name and url options to DHCP server 2014-09-25 19:58:42 -03:00
jvazquez-r7 a677749f5b Add specs for #read_asciiz and fix bugs there 2014-09-22 12:14:21 -05:00
Joe Vennix 8e1b00ce95
Adds JSObfu.disabled for spec stubbing, fixes BES specs. 2014-09-19 20:42:05 -05:00
Joe Vennix 0f4be63903
Move JSObfu a gem then pull it into the Rex namespace. 2014-09-19 19:10:39 -05:00
Sean Verity 4bd14ed5ea Uses a hash for options as opposed to numerous methods on blob 2014-09-17 14:11:37 -04:00
Sean Verity 3c11251432 Mitigates excessive use of lookup operator (hopefully adds clarity) 2014-09-15 17:05:54 -04:00
Sean Verity e55dab3914 Refactored expiration and timeout logic in client_core.rb 2014-09-15 01:01:23 -04:00
HD Moore 6bd3675f03 Land #3680, add specs for Rex::MIME 2014-09-13 00:34:39 -05:00
HD Moore 6a2a85d2c4 Land #3789, adds specs for Rex::Proto::Http::Packet::Header
orts
2014-09-13 00:21:43 -05:00
James Lee f68628c487 Add minimal specs for rex/proto/http/packet/header 2014-09-12 14:30:27 -05:00
sinn3r 12e3cb3c6a
Land #3764 - Add specs for Rex::Encoder::NonAlpha 2014-09-12 12:09:55 -05:00
Sascha Schirra be0c68d8bb BUGFIX: wrong imagebase used 2014-09-11 12:33:09 +02:00
Sascha Schirra 88cacd000e flags for phdr.p_flags added 2014-09-11 12:31:44 +02:00
HD Moore 71228b48a0 Update 3 more encoders to be StageEncoder compatible
This could probably use some DRY love via a mixin
2014-09-10 20:21:35 -05:00
sinn3r 1b4ceec4f9
Land #3743 - Add specs for Rex::Arch::X86 2014-09-09 17:24:08 -05:00
jvazquez-r7 11ca383d4f Add specs for .encode_byte 2014-09-08 14:24:03 -05:00
William Vu ae5a8f449c
Land #3691, gdbserver hax 2014-09-08 11:48:39 -05:00
HD Moore af24e30ae9 Return instead of crashing if no challenge is received 2014-09-06 15:51:50 -05:00
jvazquez-r7 a1823b6c1e Add more specs for Rex::Arch::X86 2014-09-02 18:17:14 -05:00
HD Moore ba1f7c3bf6 Land #3687, reworks the nat-pmp portscanner 2014-08-26 14:34:46 -05:00
Jon Hart 5ad090e833 Add unit test for and correct parsing of NAT-PMP port map responses 2014-08-26 10:49:53 -07:00
Jon Hart 32a14cfc43 Missed the file... 2014-08-26 10:49:53 -07:00
Jon Hart bfa89bb3a5 Enforce binary encoding on non-modules, no encoding on modules 2014-08-25 13:12:29 -07:00
Jon Hart 6185721a61 Address @hmoore-r7's feedback regarding binary encoding 2014-08-25 13:11:22 -07:00
Jon Hart 637f86f37d Gut SIP UDP stuff, use Msf::Auxiliary::UDPScanner 2014-08-25 13:11:21 -07:00
Jon Hart c2e70446ed Move SIP module stuff to Msf::Exploit::Remote::SIP 2014-08-25 13:11:21 -07:00
Jon Hart fc67aed174 Correct style and doc issues, tidy failure message when not SIP 2014-08-25 13:11:21 -07:00
Jon Hart e3753e3649 Refactor SIP response parsing for future improvements 2014-08-25 13:11:21 -07:00
Jon Hart 02e41c27e7 Split SIP response parsing out on its own, add unit tests.
Passes rspec but fails in framework. WIP.
2014-08-25 13:11:20 -07:00
Jon Hart d4ea3e9f29 Pass protocol down to parse_reply for report_* purposes 2014-08-25 13:09:39 -07:00
Jon Hart a2e2e37a69 Fix SIP options scanning 2014-08-25 13:09:39 -07:00
Sean Verity b7714c9661 Cleaned up indents. 2014-08-25 13:03:23 -04:00