Commit Graph

1126 Commits (699a8e91d2fab81fc65151264c6c1e185e32123c)

Author SHA1 Message Date
Brent Cook 6ce7055130
Land #6737, Added reverse shell JCL payload for z/OS 2016-04-13 22:19:15 -05:00
Bigendian Smalls 6a4d7e3b58
Revshell cmd JCL payload for z/OS
Added a JCL-based reverse shell.  Uses the same source code as the
shellcode version does.  Source code is in
external/source/shellcode/mainframe/shell_reverse_tcp.s
2016-03-31 20:42:42 -05:00
Bigendian Smalls a6518b5273
Add generic JCL cmd payload for z/OS (mainframe)
This payload does nothing but return successfully.  It can be used to
test exploits and as a basis for other JCL cmd payloads.
2016-03-28 21:01:39 -05:00
James Lee 1375600780
Land #6644, datastore validation on assignment 2016-03-17 11:16:12 -05:00
Christian Mehlmauer 3123175ac7
use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00
Brent Cook 8faae94338
Land #6592, make linux/x86/shell_reverse_tcp's shell path configurable and remove shell_reverse_tcp2 2016-03-06 15:33:53 -06:00
Brent Cook c7c0e12bb3 remove various module hacks for the datastore defaults not preserving types 2016-03-05 23:11:39 -06:00
Brent Cook d355b0e8b7
update payload sizes 2016-03-02 13:55:32 -06:00
joev c8b28d90d1 Fix old comment. 2016-02-19 19:08:38 -06:00
joev b3e8cd4f51 Save some bytes on the padded string. 2016-02-18 20:36:52 -06:00
joev 2b784a48b9 Include cached size. 2016-02-18 20:29:42 -06:00
joev e67e477362 Make x86/shell_reverse_tcp's shell path configurable.
Also removes shell_reverse_tcp2 shell.
2016-02-18 20:24:35 -06:00
Brent Cook ff1cb4a2a4 update payload sizes 2016-02-10 22:44:17 -06:00
wchen-r7 a3cafc3bae Update PHP meterpreter size 2016-01-22 15:14:18 -06:00
Brent Cook 28cf943bcb Fix a couple of missing requires in payloads.
This pops up occasionally. This fixes a couple of anecdotal reports of missing
requires that cause the loader to fail, depending on the directory sort order.

It also fixes the problem as reported in #6460
2016-01-14 13:17:26 -06:00
Brent Cook 6eda702b25
Land #6292, add reverse_tcp command shell for Z/OS (MVS) 2015-12-23 14:11:37 -06:00
wchen-r7 14b1b3a1f0
Land #6299, Stageless HTTP(S) Python Meterpreter 2015-12-04 16:16:54 -06:00
wchen-r7 644c1347cd Update payload sizes 2015-12-04 16:14:37 -06:00
jvazquez-r7 bb3a3ae8eb
Land #6176, @ganzm's fix for 64 bits windows loadlibrary payload 2015-12-01 13:18:41 -06:00
Spencer McIntyre 3b3b569d8e Fix payload CacheSize for current pymet 2015-12-01 13:00:15 -05:00
jvazquez-r7 bfe81db9a5
Update cached size 2015-12-01 11:45:45 -06:00
jvazquez-r7 2348cb7374
Update loadlibrary for 64 bits 2015-12-01 11:41:37 -06:00
Spencer McIntyre fba9715a56 Add stageless python meterpreter http & https payloads 2015-11-28 17:41:55 -05:00
Bigendian Smalls d2bfc4d8e0
Added reverse shell payload for Mainframe
This is the first and probably most useful shellcode for mainframe
platform.  Standard reverse shell works just like any other platform
reverse shell.
2015-11-26 17:07:03 -06:00
Spencer McIntyre 1b495e73ac Further reduce python reverse_http duplicate code 2015-11-26 14:31:00 -05:00
Spencer McIntyre bd25ffa48c Consolidate py reverse http uri code into a mixin 2015-11-26 13:32:50 -05:00
Brent Cook a7a89adfac
Land #6264, meterpreter per-extension init string support, update payloads to 1.0.17
This brings in the following changes:
	Changes to support maven 3.3+
	Don't fall back to 0.0.0.0
	Remove all debug builds from the Windows projects
	Add show_mount, ps_list, and some core tweaks
	Refactor TLV layout, add more debug output, token stealing
	Add incognito binding, code tidies
	Update packaged libs
	Add transport list binding
	Add transport add command to python binding
	Update python core lib archive
	change source perms back to non-executable
	First pass of stageless initialisation script
	Finalise stageless initialisation scripts
	add BOOT_COMPLETED receiver that starts the Payload
	Improve the implementation of the getuid command
	Switch to Utils.runCommand per timwr's suggestion
	Updated init script method

also bumps msgpack 0.7.1, which fixes a failure packing messages > 256k
2015-11-25 22:27:27 -06:00
Brent Cook 78e306e281 s/Initialision/Initialization/ 2015-11-25 22:07:25 -06:00
Brent Cook d984e5c781 update payload sizes 2015-11-25 22:04:52 -06:00
scriptjunkie 8703987535 Add HTTPS and new transport support for hop 2015-11-11 21:25:23 -06:00
OJ 0afc5be3bc Finalise set up of stageless init 2015-11-10 20:01:23 +10:00
OJ a28ab216d3 Adding stageless init script support 2015-11-10 19:18:47 +10:00
Matthias Ganz 6458c591e4 Update loadlibrary.rb 2015-11-02 17:16:46 +01:00
Matthias Ganz a01d7c966a Bugfix loading address of library path into rcx
Changed the following instruction:
67 48 8D 8D 00 01 00 00 lea         rcx,[ebp+100h]

Into
90                                              nop
48 8D 8D 00 01 00 00 lea         rcx,[rbp+100h]

The old code breaks if the payload is executed from a memory area where the 4 most significant bytes are non-zero. 

The bugfix removes the Address-Size override prefix 0x67 of the lea instruction and replaces it with a nop 0x90 (to not mess up code alignment,relative addressing or jmps).
2015-11-02 12:54:44 +01:00
Brent Cook ec1682ebd9
update payload size cache 2015-10-30 17:35:05 -05:00
Spencer McIntyre b4a8f80493 Update the cached size for the current met file 2015-10-22 08:54:14 -04:00
Spencer McIntyre 23d9efb5a3 Add stageless Python Meterpreter for bind tcp 2015-10-21 18:37:37 -04:00
Spencer McIntyre 8bb694fa5c Add stageless Python Meterpreter for reverse tcp 2015-10-21 18:23:04 -04:00
jvazquez-r7 c35e99664e
Land #6003, @earthquake's x86-64 pushq signedness error fixed 2015-10-01 11:52:28 -05:00
jvazquez-r7 aa01383361
Fix comment 2015-10-01 11:51:45 -05:00
jvazquez-r7 195418b262
Update the sin_family on bind_tcp_small 2015-10-01 11:22:59 -05:00
jvazquez-r7 77ce7ef5f0
Save 3 more bytes on shell_bind_ipv6_tcp 2015-10-01 09:45:02 -05:00
jvazquez-r7 4efb3bf26c
Save 3 more bytes on shell_bind_tcp_small 2015-10-01 09:42:35 -05:00
jvazquez-r7 04879ed752
Save two bytes on shell_bind_ipv6_tcp 2015-10-01 09:33:22 -05:00
jvazquez-r7 88eecca4b1
Save two bytes on shell_bind_tcp_small 2015-10-01 09:29:39 -05:00
OJ b608abffbc Update payload cache sizes for x64 windows 2015-09-29 09:03:57 +10:00
Brent Cook 46ed129966 update to metasploit-payloads 1.0.14 2015-09-26 10:50:20 -04:00
Balazs Bucsay a863409734 x86-64 pushq signedness error fixed. Signed port numbers (2bytes) were not working properly. Fix means +6bytes in shellcode length 2015-09-24 13:07:02 +02:00
Brent Cook d2a17074b1
update payload sizes 2015-09-16 17:24:41 -05:00
Brent Cook 1440f31756
Land #5637, resiliency improvements to TCP stagers 2015-09-02 22:50:12 -05:00
OJ 3fd9e0311c Update payload sizes 2015-09-03 12:01:11 +10:00
Brent Cook 56a1cfd9c8 updated cached payload sizes 2015-09-01 18:02:16 -05:00
Brent Cook a8dd89cc0d update cached payload sizes 2015-08-27 11:43:38 -05:00
Brent Cook 593f501571 finish move of php / python meterpreters to metasploit-payloads 2015-08-27 11:34:22 -05:00
Brent Cook ca8353e1aa update to metasploit-payloads 1.0.9 2015-08-25 17:44:01 -05:00
Brent Cook 6b1e911041 Instantiate payload modules so parameter validation occurs
Calling .new on payload modules does not perform parameter validation, leading
to a number cached sizes based on invalid parameters. Most notably,
normalization does not occur either, which makes all OptBool params default to
true.
2015-08-14 11:35:39 -05:00
Brent Cook 347f48b0ec
Land #5762, adjust PHP stager to work in and outside of eval() 2015-07-24 17:43:26 -05:00
Brent Cook c30127cfe8
Land #5729, add user-agent list, MeterpreterUserAgent derives from this
Later PRs will convert modules to use this. A random user agent might be nice
for meterpreter actually.
2015-07-24 17:39:30 -05:00
OJ 728e9b19ec Update payload cached sizes 2015-07-23 15:15:13 +10:00
OJ 121fe1adda
Land #5654 : Python Meterpreter Transport 2015-07-22 10:39:06 +10:00
OJ b6e25506d0 Add a common user agent list, use the shortest for Meterpreter 2015-07-15 13:03:47 +10:00
Brent Cook a2bdd0bab9
Land #5541, add more compat fixed-cmd 64-bit BSD payloads
Merge branch 'land-5541-bsd-shellcode' into upstream-master
2015-07-13 21:01:55 -05:00
Brent Cook 226137896e updated cached payload sizes 2015-07-10 22:30:20 -05:00
Brent Cook c86d16ffb6 update payload sizes 2015-07-07 23:15:57 -05:00
Brent Cook 23abc288c8 Resolved conflicts with master 2015-07-07 22:34:30 -05:00
Spencer McIntyre e16cd08599 Update the payload CachedSize 2015-07-06 17:16:56 -04:00
Spencer McIntyre 2a89e248d7 Pymet fix send uuid logic for Python 3.x 2015-07-06 11:20:34 -04:00
Spencer McIntyre 29d45e3b18 Pymet patch in timeout info on generate_stage 2015-07-03 14:12:29 -04:00
Brent Cook d6261a54b1
Land #5608, part 2, update payload cache sizes 2015-07-01 00:31:40 -05:00
Brent Cook 6711091c70 update cached payload sizes 2015-07-01 00:31:09 -05:00
Brent Cook e99d63687f
Land #5608, android and java meterpreter transport and sleep support
This also includes stageless Windows meterpreter fixes for process migration.
2015-07-01 00:23:36 -05:00
OJ a44c31052b reverse_tcp x64 stager reliability fixes
Also includes a slight tweak to x86
2015-07-01 12:43:41 +10:00
Brent Cook bb43f7e30f use the correct transport for x64/meterpreter_reverse_https 2015-06-27 10:50:54 -05:00
OJ 007da4af41 Force :init_connect for stageless 2015-06-27 18:21:15 +10:00
OJ a773979992 Java config wiring, tweak to include block counts
This commit adjusts the way that the config block is set for java and
android because behind the scenes the stageless connect-backs need to
know what to discard. as a result of connecting back to staged listeners
we need to be able to discard a number of bytes/blocks before we can
continue process (at least in the case of TCP).
2015-06-26 13:59:09 +10:00
OJ 0493ba83a0 Add transport configuration support 2015-06-24 21:26:47 +10:00
OJ e796e56c6c Modify the staging process 2015-06-24 13:22:33 +10:00
Brent Cook 8ade66027a update cached payload sizes 2015-06-22 17:19:02 -05:00
root a99b001bd7 payloads_spec.rb modified, payloads added 2015-06-16 05:33:30 -04:00
wchen-r7 5a6a16c4ec Resolve #4326, remove msfpayload & msfencode. Use msfvenom instead!
msfpayload and msfencode are no longer in metasploit. Please use
msfvenom instead.

Resolves #4326
2015-06-08 11:30:04 -05:00
HD Moore 1f11cd5470
Lands #5446, support for 64-bit native powershell payloads 2015-06-07 14:16:19 -05:00
benpturner dddbf3886b Updated payload spec to be in the correct order and updated payload cached size 2015-06-02 18:33:06 +01:00
Tim ac2a52b522
fix android/java reverse_tcp 2015-06-02 10:54:49 +01:00
Brent Cook 449ce32f07 update for new UUID namespace 2015-06-01 15:16:04 -05:00
benpturner 9d1a7cead4 New modules to support 64bit process powershell. 2015-06-01 16:11:23 +01:00
Brent Cook 64e86165ef remove android meterpreter bins, update to payloads 1.0.2
This switches us to using the Android payload files from the
metasploit-payloads gem
2015-06-01 09:14:31 -05:00
Brent Cook 70ef1b83f9 Merge branch 'master' into land-5366-android 2015-06-01 09:07:55 -05:00
OJ 3dd3ef5edb
Merge branch 'upstrea/master' into winhttp-ie-proxy 2015-05-30 08:03:43 +10:00
Brent Cook b8a8e65c2c Merge branch 'master' into land-5394-uuid-tracker 2015-05-29 16:22:45 -05:00
OJ 307dcd09dd Update payload cache sizes again 2015-05-25 20:12:20 +10:00
OJ 7f59a7482e Update authors and stuff 2015-05-25 12:02:52 +10:00
OJ e103b2365a Update payload sizes and add new payloads to spec 2015-05-25 11:31:15 +10:00
OJ 9042f141ff Implement the IPv6 UUID bind stagers 2015-05-25 11:21:28 +10:00
HD Moore c17ee64d81 Merge branch 'master' into feature/uuid-registration 2015-05-22 00:29:16 -05:00
OJ 1c73c190fc Add machine_id support to windows php meterp 2015-05-22 14:55:29 +10:00
Tim 7a9e875a25
use uuid aware generate_uri_uuid_mode 2015-05-22 05:21:08 +01:00
OJ 5963a5833a Fix up php stageless payload includes 2015-05-20 16:50:00 +10:00
Tim 96a30118e2
add https cert validation 2015-05-20 07:27:59 +01:00
OJ d0a5b803e8 Use generate_payload_uuid instead of manual obj creation 2015-05-20 16:25:52 +10:00
OJ 289873c25f
Merge all the stager changes 2015-05-20 16:02:37 +10:00