9a9e9ead51
msftidy fixes
2018-03-13 01:34:26 +05:30
131ad69083
return array from connect_to_pipe
2018-03-13 01:32:17 +05:30
ef515d256d
msftidy fixes
2018-03-13 00:34:25 +05:30
6e9a4916f5
scanner update
2018-03-13 00:23:18 +05:30
fcd2bbd1de
workaround attempt to parse nil JSON string value
2018-03-12 14:29:42 -04:00
636284d530
Update session inferred vuln handling
...
Add remote vuln attempt
2018-03-12 14:26:03 -04:00
65f5eeb534
Strip :workspace from service update
2018-03-12 12:28:39 -05:00
d86dcbc237
Land #9632 , owa_login and auth_brute enhancements
2018-03-12 10:31:20 -05:00
80c7e9442b
output formatting
2018-03-09 22:16:26 +05:30
8b3e5c745b
fix pipeaudit.rb
2018-03-09 22:14:16 +05:30
2b7364a637
Add wordlist
2018-03-09 21:46:07 +05:30
1342284dc9
Add wordlist
2018-03-09 21:38:59 +05:30
7855c416c9
push latest changes
2018-03-09 14:52:53 +05:30
28f5920c9d
update module
2018-03-09 14:45:56 +05:30
5bdc0b4ecd
update mixins.rb
2018-03-09 14:18:10 +05:30
0e84026334
fix module path
2018-03-09 14:08:09 +05:30
899e03ba9b
Move pipeaudit to exploit/smb/client
2018-03-09 14:05:53 +05:30
ec7a62bc4c
move ssh platforms to lib
2018-03-08 21:23:11 -05:00
cc9fbc93ed
fix format
2018-03-09 02:19:18 +05:30
a00ab2040f
include mixin to psexec_ms17_010
2018-03-08 23:04:21 +05:30
e6a9f2609f
include mixin to psexec_ms17_010
2018-03-08 23:01:58 +05:30
780c8f0506
Fix non-scanner external modules
2018-03-07 17:11:56 -06:00
b18ed03407
Merge branch 'goliath' into MS-2909
2018-03-07 14:55:50 -06:00
c670748fe3
Update services signature
2018-03-07 13:59:09 -06:00
c52daf43bf
Forcefully delete service as fallback
2018-03-07 12:07:47 -06:00
c058d0fba0
WIP: port db_export command
2018-03-06 15:15:27 -06:00
8740eeb9d7
Replace space
2018-03-06 13:33:29 -06:00
d6871f5733
Land #9614 , Juniper post enum module
2018-03-06 10:29:56 -06:00
68d72cbfa7
Goliath Cleanup in preparation for merge to master
2018-03-06 10:21:22 -06:00
708f1da0ed
fix SSL certificate provider
2018-03-05 17:01:37 +01:00
b42c3ff654
Merge branch 'goliath' into MS-2909
2018-03-02 16:32:55 -06:00
b0012d6f36
Include hosts when returning services
2018-03-02 16:32:02 -06:00
0d07d44b14
ReLand #9565 , Reverse TCP x64 RC4 via max3raza's rc4_x64 asm
...
This reverts commit 7964868fcd
2018-03-02 16:09:52 -06:00
fd4032928e
Add services search
2018-03-02 10:57:35 -06:00
7964868fcd
Revert "Land #9565 , Reverse TCP x64 RC4 via max3raza's rc4_x64 asm"
...
This reverts commit fcc579377f95cd149378
2018-03-02 08:29:48 -06:00
fcc579377f
Land #9565 , Reverse TCP x64 RC4 via max3raza's rc4_x64 asm
2018-03-02 07:34:45 -06:00
f446f726ad
Land #9596 , fixes #9592 , broken NTP DRDoS modules
2018-03-01 17:12:00 -08:00
4f6b1de9a3
Merge branch 'master' into goliath
2018-03-01 14:14:39 -06:00
883654f0ea
Land #9653 , fix Y2k38 issue (until Jan 1, 2038)
2018-03-01 09:13:41 -06:00
4fec2e758d
make fix more precise, based on https://github.com/rapid7/metasploit-framework/pull/2343
2018-03-01 08:59:55 -06:00
27bd2a4a9f
workaround Y2k38 issues in java certificate generation
2018-03-01 08:41:28 -06:00
06d2482e86
Implement services update
...
NOTE: This changes functionality for the services command flags.
Previously -s and -p were used for searching for services.
Now the commands will only be used for adds/updates.
If you would like to search, please use -s and pass a search string
2018-02-28 15:12:23 -06:00
2d5f089ee6
Land #9646 , fix stale module cache issue
2018-02-28 15:17:00 -05:00
425f949bf8
Land #9638 , treat 'password must change' as a successful login
2018-02-28 11:28:38 -06:00
0949e0a501
Don't munch exception
2018-02-28 11:28:07 -06:00
cea61e7aa4
Fix bug with remove_from_cache
2018-02-28 11:21:34 -06:00
1686b82a40
Adhere to style guide by using unless
2018-02-28 11:11:26 -06:00
8b4c7b886f
Updated to use delete_if
2018-02-28 11:00:40 -06:00
964be3b5f0
Fix problem with stale module cache
2018-02-28 08:41:14 -06:00
dffbc67e71
Implement service delete
...
Also fix bug searching for services by host address
2018-02-27 17:17:07 -06:00
9597e5294d
treat MUST_CHANGE + PASSWORD_EXPIRED as valid
2018-02-27 15:21:21 -06:00
c90fabee60
Implement remote service create
2018-02-27 14:20:43 -06:00
96709600e1
Condense services to use opts instead of individual params
2018-02-27 13:38:50 -06:00
9dc6089fcf
Merge branch 'goliath' into MS-2909
2018-02-27 11:14:15 -06:00
f09c5eafc7
Appease hound
2018-02-27 04:12:58 -06:00
46299dff00
The DRDOS mixin operates on strings, so make the bindata'd NTP classes cooperate
2018-02-27 04:12:57 -06:00
d7853aaf60
Revert "update NTP drdos lib to use correct method on bindata objects"
...
This reverts commit 166070e9c37a4130f976f806116881c70a8401c6.
2018-02-27 04:12:57 -06:00
bcf5918fb6
update NTP drdos lib to use correct method on bindata objects
2018-02-27 04:12:57 -06:00
66e3ac4c76
treat 'password must change' as a successful login
2018-02-26 17:57:31 -06:00
0e4fc48df4
Fix #9602 , a little defensive programming
...
Check for a nil message and unnecessary auth failures while looping.
2018-02-26 16:52:25 -06:00
847b9ba0d0
Add option to delay between runthroughs
2018-02-26 16:27:03 -06:00
4b0cb7631c
Update pipe_auditor.rb
2018-02-25 02:18:15 +05:30
3f93055a72
Add pipe_auditor
2018-02-24 11:14:03 +05:30
be77cb2a2b
Add pipe_auditor
2018-02-24 11:04:41 +05:30
1c9c1dc1fc
Add password spray option to brute force
2018-02-23 12:30:11 -06:00
c7bbc6eca4
juniper post enum module
2018-02-22 21:08:21 -05:00
e19a071910
add bind_named_pipe x86
2018-02-22 19:03:37 -07:00
ecad74cf99
Add cmd_vulns search and delete operations
2018-02-22 19:05:18 -05:00
1cee532526
Merge branch 'rapid7/master' into goliath
2018-02-22 14:49:45 -06:00
22752518ea
WIP remote vuln read, update, delete
2018-02-22 13:53:22 -05:00
7ad7188824
Fix comment typo
2018-02-22 11:29:44 -05:00
738d6ab33a
Land #9604 , Fix logged errors when running without Python 3.6 / gmpy2
2018-02-22 08:11:30 -06:00
3f88e59516
handle Python 3.5/3.6 differences so we always have a UTF-8 string
2018-02-21 21:54:27 -06:00
3880f6a65e
Finally fix "Unknown admin user ''" after 2yrs
...
The failed password auth was necessary after all. I misread the PoC. :'(
Apparently the password auth sets the username, while the backdoored
keyboard-interactive auth sets the password.
2018-02-21 20:44:35 -06:00
d4440d049d
Merge branch 'goliath' of github.com:clee-r7/metasploit-framework into goliath
2018-02-21 11:16:31 -06:00
3005a8b7ce
Merge branch 'rapid7/master' into goliath
2018-02-21 11:16:05 -06:00
78822fd799
Land #9524 , prefer 'shell' channels over 'exec' channels for ssh CommandStream
2018-02-21 06:59:09 -06:00
31cc516395
Merge branch 'goliath' into standardize_proxy_errors
2018-02-20 16:47:34 -05:00
b3642b1079
Address PR comments
2018-02-20 15:30:37 -06:00
3c9092f9a6
Complete services GET
2018-02-20 14:41:49 -06:00
09ae4ac8ac
Add more info to console output
2018-02-20 13:34:33 -06:00
99965c142b
remove duplicate check
2018-02-20 04:42:49 -06:00
bb3a11dd20
use ctrl-d to cancel input instead
2018-02-20 04:40:00 -06:00
5083150002
fix #9112 , improve error message on failure
2018-02-20 18:06:03 +08:00
f5f7b4d25a
handle sessions still open
2018-02-20 03:31:20 -06:00
e995ccfc33
make this a little easier to read
2018-02-20 03:27:55 -06:00
e26fb49c99
if we have no more input from the console, quit
2018-02-20 03:27:38 -06:00
3d8451e616
Land #8997 , add local 'ls' support to Meterpreter sessions
2018-02-19 23:21:59 -06:00
b9c1a64d20
Land #9505 , Support local knowledge base documents
2018-02-19 21:39:55 -06:00
93689f0f0e
Land #9270 , Implement plugin API for hooking database events
2018-02-19 21:36:26 -06:00
4e9d900a17
Land #9507 , Expand paths for meterpreter's cp, mv, and rm commands
2018-02-19 21:26:03 -06:00
3d67d2ed12
Land #9443 , Add warning to FileDropper for deleting CWD
2018-02-19 21:22:39 -06:00
b3f26ea55f
bind_named_pipe fixes
2018-02-18 10:31:57 -07:00
80779f73ef
Implement Michael Schierl's suggestions
2018-02-16 23:03:05 -05:00
bd2af0143a
properly handle when there is no stat callback specified on upload
2018-02-16 16:14:09 -06:00
289277c613
Land #9516 , Support Bash-Style Continuation Lines
2018-02-16 10:53:58 -06:00
354eb4092a
Reverse TCP x64 RC4 via max3raza's rc4_x64 asm
...
To round out the work done by mihi for x86 stages back in the day,
this PR provides x64 Windows stage encryption in RC4 via assembly
written/modified by max3raza during adjacent work on DNS tunneled
transport.
Stage encryption differs from encoding in that there is no decoder
stub or key materiel carried with the stage which can be used by
defensive systems to decode and identify the contents. Persistence
payloads, oob-delivered stage0, and other contexts benefit heavily
from this as their subsequent stage is difficult to detect/identify,
and the chance of accidental execution of the wrong payload/stage
is drastically reduced if separate keys are in play for individual
targets - acquiring the wrong stage will result in decryption
failure and prevent further execution.
For historical context, all of the RC4 stagers implement in-place
decryption via stage0 for the contents of stage1 using the provided
passphrase converted to a key and embedded in stage0 as part of the
payload.
Testing:
In-house testing with Max - we got sessions, loaded extensions.
Notes:
All credit for the work goes to Max3raza - big ups for getting
this knocked out.
2018-02-16 05:15:05 -05:00
6734e532f5
Land #9562 , avoid an error with aux module command dispatcher
2018-02-15 17:46:58 -06:00
a197997aca
avoid chinese finger trap logic, put it all on one side
2018-02-15 17:45:09 -06:00
38b03fdfff
Merge branch 'upstream-master' into land-9539-
2018-02-15 16:22:13 -06:00
2d3aef9031
Land #9533 , Add output file support to the vulns command
2018-02-15 15:52:25 -06:00
93450b87dd
use common retry options for UDP
2018-02-15 14:36:21 -06:00
6fe8691528
Fix #9090 , honoring retry counts for x86/64 payloads
...
Fix #9090
2018-02-15 13:52:34 -06:00
0f656d6b5b
Land #9563 : improve memory usage on meterpreter file upload
2018-02-15 12:07:19 -06:00
7e03bf838b
Fix src_size view
2018-02-15 17:44:41 +05:00
a0c473f29e
Upload memory usage optimization
...
Optimize xor_bytes memory usage, use small buffer for upload,
add verbosity
2018-02-15 17:05:22 +05:00
177e1321ae
Aux command dispatcher in exploit ctx with action
...
The Auxiliary command dispatcher checks modules for passive actions
expecting them to have included Msf::Module::HasActions mixin. The
mixin is included in post and aux modules already, but not in
exploits. When the aux dispatcher handles an exploit module, it
may get upset along the lines of:
```
[-] Error while running command exploit: undefined method 'passive'
for #<Msf::Modules::M...3::MetasploitModule:0x0000000d83de0428>
Did you mean? passive?
Call stack:
/opt/metasploit4/msf4/lib/msf/ui/console/command_dispatcher/
auxiliary.rb:106:in `cmd_run'
```
Avoid this mess by having the conditional which checks the methods
included by that mixin depend on the module having included the
mixin in the first place.
Testing:
In local fork (hence the lineno) it seems to fix the problem.
The problem condition and fix should be independently tested
upstream.
2018-02-15 04:20:09 -05:00
9a293cd30e
Fix #8120 , Fix undef method 'gsub' in bavision_cam_login
...
Fix #8120
2018-02-14 11:03:03 -06:00
3811665b69
Land #7699 , Add UDP handlers and payloads (redux)
2018-02-13 14:50:09 -06:00
f5768e7ced
gate session reported when using bind udp
...
While this method here is somewhat noisy on the network it eliminates
a poor user experience when the handler is started but the payload is
not yet running on the target.
When a target is sent a udp packet and it is not rejected push down
an initial "echo syn" command that will respond with output. This
allows framework to be aware that the payload is what is running on
the server port instead of assuming a non-existent target is a valid
session.
2018-02-13 14:44:57 -06:00
8ae8a0d94b
added bind_named_pipe payload
2018-02-11 18:56:50 -07:00
b9faa9e92b
Fix a typo
2018-02-09 20:28:55 -06:00
81e0d56261
Always write the file as long as the option is set
2018-02-09 20:28:12 -06:00
958513bd86
Fix #9522 , Add output file support to the vulns command
...
This adds a new feature for the vulns command for msfconsole. It
allows the user to be able to save the vulnerability as a CSV
file.
Fix #9522
2018-02-09 19:45:46 -06:00
efd23d37c3
Use common error handling
2018-02-09 16:24:45 -06:00
c612dbfdbf
Also fix GitHub related pull request links
2018-02-09 15:16:10 -05:00
b2d617bde7
Fix a bug in the markdown docs references
2018-02-09 13:41:39 -05:00
c50b8b5c4f
Store loot data as-is, not base64
2018-02-08 18:15:31 -06:00
bbd25fc97b
WIP: getting services add working
2018-02-08 17:20:50 -06:00
effd0c3db2
Fix bug when not updating type
2018-02-08 16:07:20 -06:00
f12405191e
Fix a few bugs and PR comments
2018-02-08 15:10:44 -06:00
f114092445
Merge branch 'goliath' into MS-2833
2018-02-08 14:32:03 -06:00
be1ce573e7
Fix style issue
2018-02-08 13:35:28 -06:00
1d2af0658c
Fix bug with updating loot type
2018-02-08 13:26:40 -06:00
c642d420c2
Land #9489 , Add scanner for the Bleichenbacker oracle (AKA: ROBOT)
2018-02-08 12:55:02 -06:00
de0c4c0572
Allow update of host workspace
2018-02-08 13:19:27 -05:00
b1d0529161
prefer 'shell' channels over 'exec' channels for ssh
...
If a command is not specified to CommandStream, request a "shell"
session rather than running exec. This allows targets that do not have a
true "shell" which supports exec to instead return a raw shell session.
2018-02-08 02:21:16 -06:00
542e8a3538
Remove unneeded workspace
2018-02-07 19:51:23 -06:00
b88eff7e97
Switch the docs search order
2018-02-07 16:43:15 -05:00
214c137b4a
Don't use parenthesis around pgets
2018-02-07 15:53:11 -05:00
352cf295b5
Merge branch 'goliath' into MS-2833
2018-02-07 14:38:26 -06:00
5b35662dbf
Address PR comments
2018-02-07 14:21:31 -06:00
cb093d8063
Use proper logging
2018-02-07 10:25:56 -06:00
52b8f405bd
Refactor change host methods, remove debug output
2018-02-06 18:54:05 -05:00
74f811d865
Add TODOs
2018-02-06 17:31:42 -06:00
5bc38206c0
Few more loot bugs
2018-02-06 17:22:09 -06:00
0dfc10b1ec
Fix a couple of bugs in loot servlet
2018-02-06 17:02:17 -06:00
6e2503bbd8
Add loot update
2018-02-06 16:16:22 -06:00
629f79ebf7
WIP remote host update
2018-02-06 16:11:46 -05:00
0ad7d10e05
Use a continuation flag to disable tab completion
2018-02-06 14:44:55 -05:00
6d7579d907
Support breaking commands into multiple lines
2018-02-06 14:29:11 -05:00
49b88dbef7
Pass loot search using query string
2018-02-05 18:15:05 -06:00
c72c41e7f3
Move loot search to db_manager
2018-02-05 16:43:02 -06:00
f176e339bc
Merge pull request #12 from clee-r7/ms-2911
...
Ms 2911
2018-02-05 15:46:28 -06:00
8b56bbc541
Update mkdir as well for path expansion
2018-02-05 16:16:53 -05:00
c70bcb5869
Use a constant for the regex and update rmdir too
2018-02-05 16:06:16 -05:00
1759621b03
Make 8080 default service port
2018-02-05 15:01:03 -06:00
f441306036
Expand paths for meterpreter's cp, mv, and rm cmds
2018-02-05 15:22:05 -05:00
020a28f5c7
Unify data service command
2018-02-05 13:28:17 -06:00
2a79319dad
Support local knowledge base documents
2018-02-05 11:13:05 -05:00
d5ae2bb55b
Fix pivot handler to not consume all packets
...
Packet handlers should only return true if they consume a packet.
Otherwise, they should return false so something else can consume it.
This fixes port forwards by allowing the socket handler to see packets
that were otherwise being discarded in the pivot handler.
2018-02-02 18:01:05 -06:00
e8b29af208
Merge branch 'goliath' into MS-2833
2018-02-02 17:32:17 -06:00
0a3fe0c608
fix html escaping for UTF-8 module metadata
2018-02-02 16:35:50 -06:00
dcf4171cfb
Fix query array encoding issue
2018-02-02 17:16:12 -05:00
326fdacc41
couple of fixes
...
- Handle bug with hostless loot
- include host data in the JSON
2018-02-02 15:44:42 -06:00
02e81d166d
Add Enum-type options for external modules
2018-02-02 14:40:04 -06:00
f52cf28e56
cmd_loot now queries on loot directly
2018-02-02 14:07:58 -06:00
ab36b5dd5d
Add support for single-IP external scanners
2018-02-02 14:01:16 -06:00
67b7af3385
Add tag conditions to host search
2018-02-02 01:33:15 -05:00
c9473f8cbc
Land #9473 , new MS17-010 aux and exploit modules
2018-02-01 23:56:29 -06:00
afef1948bf
catch exception for patched Vista
2018-02-01 21:39:25 -07:00
5a899d5126
Renamed msfdb to avoid omnibus collision, removed inline data service startup code
2018-02-01 16:28:36 -06:00
3bc0608579
Finish POC cleanup
2018-02-01 13:59:15 -06:00
59bc1a34d5
Remove 'puts' logging and cleanup AWS poc
2018-02-01 13:38:20 -06:00
fc7ab6cbff
Merge branch 'externalize-host-data-search' into MS-2833
2018-02-01 11:24:11 -06:00
469209a2b3
prefer x64 dynamite
2018-01-31 17:19:09 -07:00
6d7b48382e
fix print arch key
2018-01-31 17:17:53 -07:00
ec26f01360
fix x64 typo
2018-01-31 17:12:07 -07:00
da23432745
Update cleanup method to check CWD
2018-01-31 16:19:43 -06:00
e60aeca2db
Pass in session to CWD check
...
Oops, used to this being accessible universally. Not the case here.
2018-01-31 16:19:43 -06:00
199a7cc134
Check for subdirectories and relative paths
2018-01-31 16:19:43 -06:00
09d931e392
Split assignment across two lines for clarity
...
https://github.com/bbatsov/ruby-style-guide#use-if-case-returns
2018-01-31 16:19:43 -06:00
15ff70fbda
Add warning to FileDropper for deleting CWD
2018-01-31 16:19:43 -06:00
5c38207a8e
WIP externalize host data search
2018-01-31 16:34:42 -05:00
3ff613db8f
"fix" adding loot from the command line
2018-01-31 10:31:09 -06:00
e1b61b8180
Merge branch 'goliath' into MS-2833
2018-01-31 10:06:36 -06:00
d5d3769517
more robust Windows XP SP0/SP1 fix
2018-01-30 18:11:07 -07:00
a9fa1b6a4d
catch TypeError for matched pairs Frag leak
2018-01-30 10:32:59 -07:00
bbeccdd024
more trace and more flexible tolerance for SP0/SP1
2018-01-29 19:57:43 -07:00
9ea64db26f
Fix proxy authentication
2018-01-30 11:55:04 +09:00
7007bc1444
hopefully fixed XP SP0/SP1 issues
2018-01-29 19:11:30 -07:00
cfb7aa6de7
NULL pointer checks on read/write primitives
2018-01-29 18:10:01 -07:00
b5a88e3c8b
remove VERBOSE req for prints in DBGTRACE
2018-01-29 15:01:37 -07:00
9b7c19db08
fix exception
2018-01-29 07:57:08 -07:00
a15befe94b
squelch ::Rex::Proto::SMB::Exceptions::NoReply
2018-01-29 07:48:00 -07:00
6d35d241de
fix pack error for xp
2018-01-29 07:45:07 -07:00
1a74c60339
fix output
2018-01-29 02:21:01 -07:00
0c23c5fcad
notes
2018-01-29 01:37:03 -07:00
24a79ae7b3
clean up DBGTRACE
2018-01-29 01:18:49 -07:00
a321a70349
clean up token for earlier versions of windows
2018-01-29 01:09:31 -07:00
4bc3b31550
properly scope cleanup
2018-01-29 00:49:38 -07:00
bfef87a445
fixed up indentations
2018-01-29 00:19:42 -07:00
42dbab763b
increased leak attempts
2018-01-28 23:27:19 -07:00
7b19951317
fix the danger zone
2018-01-28 22:32:00 -07:00
9df4075d96
win10 needs full path to IPC$, should fix in Rex too
2018-01-28 21:15:13 -07:00
7cc00c0e10
fixed padding/offsets for win 10
2018-01-28 21:10:51 -07:00
237c3f7b2c
crash 10.14393... should fail to leak transaction
2018-01-28 18:52:43 -07:00
2723b328aa
misc tidying, added more randomness
2018-01-28 18:20:18 -07:00
6c2d5b1fc2
semi-completed exploit files
2018-01-28 18:13:25 -07:00
c8ff2adf06
added support for smb client
2018-01-27 20:49:17 -07:00
3a01a16dcb
Fix issue with workspace in query data
2018-01-25 17:29:58 -05:00
309deb9ee7
Land #9446 , Post API fix for setuid_nmap
2018-01-25 16:00:40 -06:00
7f1803590e
Fixed on_db_*_state db events
...
Missed arguments for on_db_host_state and on_db_service_state methods.
Call these methods only when host/service state changed and pass the
old state as argument `ostate` (not sure about what `ostate` meens..)
2018-01-25 21:47:38 +01:00
4989e94e68
Add HTTP PUT request method
2018-01-25 10:40:57 -05:00
858981d814
Convert hosts delete to use id method
2018-01-24 17:38:51 -06:00
5505996518
Add loot delete
2018-01-24 16:42:16 -06:00
fd4d5756bf
Land #9335 , Added socket bind port option for reverse tcp payload.
...
Merge branch 'land-9335' into upstream-master
2018-01-24 11:50:10 -06:00
6caba521d3
Land #9424 , Add SharknAT&To external scanner
2018-01-24 12:40:29 -05:00
2ffd627c56
Merge branch 'goliath' into add_https
2018-01-23 18:59:59 -05:00
bfcb7f2e50
Add long option for cert.
2018-01-23 17:10:10 -06:00
d08510596f
Keep reading external messages on stderr eof
2018-01-23 10:46:06 -06:00
dd65141a22
Merge branch 'goliath' into MS-2891
2018-01-23 10:45:44 -06:00
df633247bb
expose linux/osx process rename functionality
2018-01-23 09:56:12 -06:00
18b8fc2e0e
Add Msf::Post::File#setuid?
2018-01-23 02:05:26 -06:00
ef1d4ddb03
Add UDP handlers and payloads (redux)
...
This is a repackaging effort for the work i originally pushed in
6035. This segment of the PR provides UDP session handlers for
bind and reverse sessions, a Windows Metasm stager (really the
TCP stager with a small change), and a pair of socat payloads for
testing simple UDP shells. Netcat or any scripting language with
a sockets library is sufficient to use these sessions as they are
stateless and simple.
Testing of this PR requires rex/core #1 and rex/socket #2
The SSL testing which was being done on 6035 is backed out, left
for a later time when we can do DTLS properly.
2018-01-23 02:00:55 -05:00
03d1523d43
Land #6611 , add native DNS to Rex, MSF mixin, sample modules
2018-01-22 23:54:32 -06:00
afaf832034
remove verbose error from library, bubble consistent exceptions to the module instead
2018-01-22 23:52:20 -06:00
aae77fc1a4
Land #9349 , GoAhead LD_PRELOAD CGI Module
2018-01-22 23:10:36 -06:00
670055da4b
Prevent leaked sockets in edge cases
2018-01-22 22:14:16 -06:00
c76fa2c58f
Vendor async_timeout
2018-01-22 22:12:28 -06:00
964810146a
Python library style fixes
2018-01-22 22:10:32 -06:00
d10cd2d92a
Add verification methods to HTTPS
...
This commit enables peer verification for SSL.
It also gives the user options to verify the server if the server uses a self-signed cert.
There is an override to skip verification as well.
2018-01-22 18:08:16 -06:00
9a35c324c0
Land #9352 , Pull out HTTP-specific code from PacketDispatcher
2018-01-22 16:52:24 -06:00
10fde42adc
Land #9431 , Fix owa_login to handle inserting credentials for a hostname
2018-01-22 16:46:39 -06:00
6ffae7f6ad
Merge pull request #9 from clee-r7/correct-api-url
...
Update API URLs
2018-01-22 15:17:09 -06:00
2521c941d4
Ported singleton calls
2018-01-22 14:57:28 -06:00
27a007fb57
Land #9432 , cmd_edit improvements (again!)
...
We seem to enjoy refactoring this method.
2018-01-22 12:38:08 -06:00
a255586750
Refactor to use guard clauses
2018-01-22 12:38:02 -06:00
e927c97652
Land #9434 , Fix timing issue with rspec
2018-01-22 09:42:07 -06:00
95e9707349
Call db event handlers
...
Implemented plugins handlers defined in
lib/msf/core/database_event.rb:
- on_db_client
- on_db_host
- on_db_service
- on_db_vuln
- on_db_host_state
- on_db_ref
- on_db_service_state
2018-01-21 19:35:55 +01:00
7ad296d511
bump payloads, fix cmd_exec meterpreter logic
2018-01-21 07:56:24 -06:00
2211459b9d
Correct workspace_associations_counts API path
2018-01-20 14:54:14 -05:00
b7e5b0f161
Update API URLs per design discussion
2018-01-20 14:50:59 -05:00
8022294d1d
Fix bug with -s flag
2018-01-19 16:18:20 -06:00
ba75d19d34
Fix failing spec.
2018-01-19 15:52:25 -06:00
cb4999c1ac
Add URI query data option to request methods
2018-01-19 16:51:49 -05:00
4f3ee6dd83
Address PR comments regarding command options
2018-01-19 15:46:24 -06:00
d5978803eb
Fix all failing rspec for goliath
2018-01-19 15:16:19 -06:00
2a6b3671bf
Add connection addr+port info to http response object.
...
Update owa_login to use this instead of doing lookups on its own.
2018-01-19 13:37:33 -06:00
b8296a809c
Merge branch 'goliath' into add_https
2018-01-19 13:33:24 -06:00
ff9c69c7c8
Merge branch 'rapid7/master' into goliath
2018-01-19 13:28:17 -06:00
764ecf6562
Land #6 JSON to MDM
...
Deserialize JSON returned from a remote data service to an in-memory MDM object
2018-01-18 17:21:10 -05:00
87f8b68099
Ensure config directory always exist, seems to be timing issue in rspec
2018-01-18 14:56:07 -06:00
0654979be6
Remove separate code path for openstruct for creds.
...
Also fix RemoteCredentialDataService to work with json_to_mdm
2018-01-18 13:27:33 -06:00
df71defdea
fix library-specific error messages to not appear with modules
2018-01-18 05:55:51 -06:00
b4bb1b5ed1
fix whitespace patchups for current python meterpreter
2018-01-18 00:28:04 -06:00
86c927edb7
fix msfvenom referencing a nil typed_module_set
2018-01-18 00:16:42 -06:00
7fe237abe1
Land #9220 , Module cache improvements
2018-01-17 22:34:51 -06:00
06459e2dee
cowardly continue using ~/.msf4 until we have an actual reason to switch
2018-01-17 22:01:56 -06:00
facecb40d7
change default prompt for users who use '-q'
2018-01-17 22:01:34 -06:00
cbd1a2a505
update default startup with version info
2018-01-17 21:59:53 -06:00
08f622b0ce
update version
2018-01-17 17:24:15 -06:00
0f0b116751
Rename scanner bits to avoid confusion
2018-01-17 14:46:31 -06:00
37bf68869f
Add scanner for the open proxy from 'SharknAT&To'
2018-01-16 21:05:19 -06:00
a5be16f74e
Add batch scanner external module type
2018-01-16 21:05:19 -06:00
fb41eea8cc
Add vuln reporting to external module API
2018-01-16 21:05:19 -06:00
9527c6ffcf
Ensure all messages are read from external modules
2018-01-16 21:05:19 -06:00
3363bcf629
Add DataStore serialization that preserves Arrays
2018-01-16 21:05:19 -06:00
de411e764a
Msf DNS server - add :use_resolver? method
2018-01-13 02:40:53 -05:00
ee218658b6
Cleanup Msf server and add dnsruby to gemspec
2018-01-13 02:30:08 -05:00
2916c5ae45
Rescue Rex::Proto::SunRPC::RPCTimeout
...
Coincidentally, this also fixes the rescue in the library, since
rescuing Timeout instead of Timeout::Error does nothing.
2018-01-12 19:34:59 -06:00
bab9b66521
Only send back one object for host create
2018-01-12 10:52:16 -06:00
c65c03722c
Migrate native DNS services to Dnsruby data format
...
Dnsruby provides advanced options like DNSSEC in its data format
and is a current and well supported library.
The infrastructure services - resolver, server, etc, were designed
for a standalone configuration, and carry entirely too much weight
and redundancy to implement for this context. Instead of porting
over their native resolver, update the Net::DNS subclassed Rex
Resolver to use Dnsruby data formats and method calls.
Update the Msf namespace infrastructure mixins and native server
module with new method calls and workarounds for some instance
variables having only readers without writers. Implement the Rex
ServerManager to start and stop the DNS service adding relevant
alias methods to the Rex::Proto::DNS::Server class.
Rex services are designed to be modular and lightweight, as well
as implement the sockets, threads, and other low-level interfaces.
Dnsruby's operations classes implement their own threading and
socket semantics, and do not fit with the modular mixin workflow
used throughout Framework. So while the updated resolver can be
seen as adding rubber to the tire fire, converting to dnsruby's
native classes for resolvers, servers, and caches, would be more
like adding oxy acetylene and heavy metals.
Testing:
Internal tests for resolution of different record types locally
and over pivot sessions.
2018-01-12 05:00:00 -05:00
809d3d28c7
Merge branch 'rapid7/master' into goliath
2018-01-11 16:18:41 -06:00
b2666ad3f2
Update host delete method to return full objects of deleted hosts
2018-01-11 16:12:25 -06:00
18f16e7c66
Bump version of framework to 4.16.32
2018-01-11 10:03:16 -08:00
e964e8bcbb
Fix incorrect HTTP request method calls
2018-01-10 23:59:53 -05:00
f895169c7f
Fix incorrect HTTP request method calls
2018-01-10 23:53:24 -05:00
4b225c30fd
Land #9368 , ye olde NIS ypserv map dumper
2018-01-10 22:02:36 -06:00
1a8ffed5e3
Land #9369 , register_dir{,s}_for_cleanup
2018-01-10 22:02:15 -06:00
b1cecd4193
Bump TIMEOUT in Msf::Exploit::Remote::SunRPC
2018-01-10 20:36:35 -06:00
1c1f3b161e
Rescue XDR errors in Msf::Exploit::Remote::SunRPC
2018-01-10 20:11:30 -06:00
3c73892a70
Use json_to_mdm for Credentials.
2018-01-10 16:58:44 -06:00
4a377af5e6
Deserialize JSON to Mdm Object
2018-01-09 15:18:49 -06:00
cb82015c87
Land #9387 , Check exploit stance for array as well as string
2018-01-09 03:52:59 -05:00
333d57461a
Check exploit stance for array as well as string
...
An exploit can be both aggressive and passive.
2018-01-08 13:52:04 -06:00
461f1c12e6
Fix nil bug(s) by moving arrays to initialize
2018-01-06 02:31:16 -06:00
14143c2b90
Fix missed file_dropper_win_path
2018-01-06 01:44:25 -06:00
173705ad35
Add error handling when no data returned from server
2018-01-05 11:44:25 -06:00
51e5fb450f
Detect and return on bad VNC negotiations
2018-01-05 10:12:13 -06:00
27f96110d1
Moved socket struct inside conditional
2018-01-04 21:29:49 -05:00
16cdf1c9f4
Add help text to cmd_add_data_service
2018-01-04 16:41:42 -06:00
9fbddd6474
Land #9374 , fix HTML parsing problems for info -d
...
Land #9374
2018-01-04 16:08:56 -06:00
67e7ea4df9
Fix markdown premature less-than sign escape
2018-01-04 15:51:05 -05:00
3a7a539c84
Bump version of framework to 4.16.31
2018-01-04 12:17:08 -08:00
78872be2ad
Merge released '4.x'
2018-01-04 14:13:18 -06:00
d4de9eef9b
Bump version of framework to 4.16.30
2018-01-04 10:03:21 -08:00
50f4ebb3b2
Add register_dirs_for_cleanup to FileDropper
2018-01-04 11:06:32 -06:00
d7c826b5e8
Add rm_rf to Post::File
2018-01-03 23:14:21 -06:00
16fa3b99ef
Land #9350 , Improve fake SSL cert details
2018-01-03 15:32:27 -06:00
5058c2d36f
Merge branch 'goliath' into add_https
2018-01-03 10:51:22 -06:00
92e435898b
Missed a file in the merge somehow
2018-01-02 17:38:41 -06:00
4aac8f5c39
Merge branch 'rapid7/master' into goliath
2018-01-02 17:34:40 -06:00
40d15bf3e6
Hash#each style correction
2018-01-02 12:25:14 -05:00
f015b926da
Merge branch 'goliath' into add_https
2018-01-02 10:38:48 -06:00
a444bdb329
handle no datastore
2017-12-29 15:26:28 -06:00
198aeda2c8
rename option
2017-12-29 12:31:56 -06:00
e546598cf1
Implement a method for command shells to register a post-session cleanup command
2017-12-29 12:14:34 -06:00
c32ef4a3be
Require msf/core/cert_provider in framework.rb
...
Add an explicit require for the new cert_provider in framework.rb
in case it has not yet been loaded.
This should address the Travis failure on initial PR, although the
gem version in socket has not been updated, so this might take a
bit to propagate. In the end, if the dependency already gives us
this functionality by the time we call Rex::Socket::Ssl then this
commit can safely be dropped
2017-12-29 02:14:48 -05:00
f1a1e1a357
Implement specific dispatch extensions for tunnels
...
All meterpreter Clients are created equal, and as such they all
include the PacketDispatcher mixin and call its init methods when
a passive dispatcher is needed. However, since tunneling protocols
have different requirements for implementation, the methods which
provide protocol-specific functionality need to be mixed into the
Client before it attempts to initialize the dispatcher.
Provide a dispatch_ext option in the has passed to the client on
init from the session handler which is an Array containing mixin
references which are sent to :extend calls in the :init_meterpreter
method just prior to calling :initialize_passive_dispatcher.
Each handler implementation can thus push chains of mixins to the
client in order to provide middleware specific to the tunnel. Down
the road, this should permit stacking C2 encapsulations or tunnel
protocols/permutators to create unique session transports on the
fly.
2017-12-29 00:56:06 -05:00
d420bf1a6a
Pull out HTTP-specific code from PacketDispatcher
...
PacketDispatcher has some hardcoded assumptions about utilizing
HTTP services as the async resource. With C2 and DNS tunnels in
the pipeline, these elements need to be separated from the core
functions of async packet dispatch and moved into their own module.
This creates a new namespace for Meterpreter::HttpPacketDispatcher,
meant to be mixed in after PacketDispatcher. The module implements
only three of the original module's methods - init, shutdown, and
the :on_passive_request callback; with the first two using :super,
with the expectation of having a PacketDispatcher mixin or API
compatible namespace already in the mix.
2017-12-28 23:37:01 -05:00
18f3815147
Update TLS certificate generation routines
...
Msf relies on Rex::Socket to create TLS certificates for services
hosted in the framework and used by some payloads. These certs are
flagged by NIDS - snort sid 1-34864 and such.
Now that Rex::Socket can accept a @@cert_provider from the Msf
namespace, a more robust generation routine can be used by all TLS
socket services, provided down from Msf to Rex, using dependencies
which Rex does not include.
This work adds the faker gem into runtime dependencies, creates an
Msf::Exploit::Remote::Ssl::CertProvider namespace, and provides
API compatible method invocations with the Rex version, but able
to generate higher entropy certs with more variables, options, etc.
This should reduce the hit rate against NIDS on the wire, reducing
pesky blue team interference until we slip up some other way. Also,
with the ability to generate different cert types, we may want to
look at extending this effort to probide a more comprehensive key
oracle to Framework and consumers.
Testing:
None yet, internal tests pending.
Travis should fail as this requires rex-socket #8 .
2017-12-28 21:00:03 -05:00
7254130b77
Bump version of framework to 4.16.29
2017-12-28 15:19:22 -08:00
66ca61f636
Merge released '4.x'
2017-12-28 17:15:29 -06:00
258ce2ceb2
Allow stub payloads to be autoselected when compatible
2017-12-28 16:19:22 -06:00
c2bb144d0f
Land #9302 , Implement ARD auth and add remote CVE-2017-13872 (iamroot) module
2017-12-28 14:11:26 -06:00
c681c7881d
Bump version of framework to 4.16.28
2017-12-28 10:03:39 -08:00
6f1196d30c
clarify what's happening when there is a connection failure
2017-12-27 22:32:08 -06:00
6c3dbfa275
Remove debug output and cleanup of delete_host
2017-12-27 16:49:53 -05:00
bbed7db13c
Merge branch 'upstream-master' into feature/mqtt-login
2017-12-27 13:08:44 -08:00
8ea50572df
Land #9329 , Add basic framework for interacting with MQTT
2017-12-27 14:59:34 -06:00
331c09ab1b
Fix issue in currently unused delete_host option
2017-12-27 14:35:20 -05:00
5e4836b1e9
Implement hosts remote data store delete
...
Also, resolve an issue when adding a host where the client-side
raises an exception.
2017-12-26 23:09:23 -05:00
e6de25d63b
Land #9316 Cambium modules and mixins, tx @juushya
...
These cover several of the CVEs mentioned in
https://blog.rapid7.com/2017/12/19/r7-2017-25-cambium-epmp-and-cnpilot-multiple-vulnerabilities/
2017-12-26 12:39:51 -06:00
8b0f2214b1
few more updates
2017-12-23 03:04:11 +05:30
038119d9df
Use of get_cookies_parsed, changing dirs, marking deprecated in 2 mods, more
2017-12-23 00:14:27 +05:30
0b6e41d65b
Attempting to fix cached size errors.
2017-12-22 12:49:02 -05:00
0f5ff6ead3
Added bytes to required size
2017-12-22 12:28:37 -05:00
add26ca405
Cleaned up
2017-12-22 12:17:15 -05:00
d4bc98c13f
Merge branch 'upstream-master' into feature/mqtt-login
2017-12-22 08:07:40 -08:00
caae33b417
Land #9170 , Linux UDF for mysql_udf_payload
2017-12-21 20:48:24 -06:00
909caa0425
Bump version of framework to 4.16.27
2017-12-21 13:27:52 -08:00
9d8cb8a8d0
Merge branch '4.x' into upstream-master
2017-12-21 15:17:38 -06:00
a7fbe71a93
Added socket bind port option for reverse tcp payload.
2017-12-21 14:10:41 -05:00
ee2f10efc5
Bump version of framework to 4.16.26
2017-12-21 10:04:38 -08:00
becc05b4f1
Cleaner client_id handling
2017-12-21 06:57:33 -08:00
157d973194
Merge branch 'feature/mqtt' into feature/mqtt-login
2017-12-20 19:13:34 -08:00
82bdce683b
Remove to_s
2017-12-20 19:13:12 -08:00
adca42f311
Merge branch 'feature/mqtt' into feature/mqtt-login
2017-12-20 19:11:52 -08:00
b78f1105f7
Add missing port
2017-12-20 19:11:33 -08:00
bedc276225
Merge branch 'feature/mqtt' into feature/mqtt-login
2017-12-20 19:09:51 -08:00
ddb2566f3b
Remove duplicate options, set less suspicious client_id
2017-12-20 19:09:35 -08:00
962bc71d10
Merge branch 'feature/mqtt' into feature/mqtt-login
2017-12-20 18:58:36 -08:00
cf21d13b2e
Resolve conflict
2017-12-20 18:58:16 -08:00
1975713a92
Land #9333 , get_cookies_parsed using CGI::Cookie
2017-12-20 20:08:33 -06:00
d0b3abc14b
Better handling of MQTT endpoints which don't require authentication
...
Arguably this is working around LoginScanner's inability to provide
blank usernames AND passwords
2017-12-20 18:02:52 -08:00
2e62d77e36
Add new method for fetching parsed cookies from an HTTP response
...
This fixed #9332 .
2017-12-20 16:19:44 -08:00
3b78302868
Land #9327 , restore transport enum used in TLVs
2017-12-20 16:11:04 -06:00
5fe9dba4dd
Land #9296 , add iOS meterpreter support
2017-12-20 16:09:41 -06:00
7723933fa9
Merge branch 'feature/mqtt' into feature/mqtt-login
2017-12-20 13:42:16 -08:00
741d08f604
Style cleanup
2017-12-20 13:33:47 -08:00
8cd7185a7f
Land #9313 , Add DirectAdmin login_scanner module
2017-12-20 15:23:24 -06:00
7f8a5d3834
improved credential reporting
2017-12-20 15:09:11 -06:00
ac1daaf10e
Fix rubocop warning
2017-12-20 12:41:44 -08:00
b4262662dc
Add missing mqtt login helper
2017-12-20 12:33:49 -08:00
f15309bc48
Add basic framework for interacting with MQTT
2017-12-20 12:28:02 -08:00
9719ede3f0
restore transport enum used in TLVs
2017-12-20 13:12:24 -06:00
31042d4171
Land #9324 , AutoRunScript with resource scripts
2017-12-20 13:52:53 -05:00
210f137b7b
Merge branch 'upstream-master' into land-9296-
2017-12-20 12:07:53 -06:00
3339c3b74d
remove magic, because it causes complications with complex RC scripts
2017-12-20 11:49:42 -06:00
Auxilus
Matthew Kienow
James Barnett
Brent Cook
h00die
Adam Cammack
christopher lee
dcylabs
bwatters-r7
Jon Hart
Sonny Gonzalez
Jeffrey Martin
William Vu
UserExistsError
Jacob Robles
Tim W
RageLtMan
Wei Chen
a1exdandy
UserExistsError
Spencer McIntyre
jbarnett-r7
zerosum0x0
ssyy201506
zerosum0x0
Sliim
Pearce Barry
Matthew Kienow
Metasploit
jgor
b0yd
HD Moore
Tod Beardsley
juushya