Commit Graph

355 Commits (72a0909e9b2b8a749c01b4fc7b7c2fb5e8e63a67)

Author SHA1 Message Date
Meatballs 1569a15856 Msf license 2013-07-04 10:08:29 +01:00
Meatballs 052c23b980 Add missing require 2013-07-04 09:58:48 +01:00
Meatballs 6fa60be76f Merge branch 'psexec_psh' of https://github.com/sempervictus/metasploit-framework into psexec_psh 2013-07-04 09:42:18 +01:00
James Lee 5964d36c40 Fix a syntax error
Also uses a prettier syntax for setting the filename (ternary operators
are hard to read).
2013-05-31 13:31:36 -05:00
Rob Fuller 95b0d4e5ec move filename init up to remove dup code
as suggested by @jlee-r7
2013-05-09 13:29:21 -04:00
Rob Fuller 71c68d09c1 Allow user ability to set filename for psexec service binary
This should probably be higher up for all
generate_payload_exe but would take a major edit
2013-05-07 15:26:22 -03:00
sinn3r 0ad548a777 I expect people to know what a share is. 2013-02-07 19:16:44 -06:00
RageLtMan 92ef462c34 This commit completes powershell based psexec
The original module suffered from a small problem - interactive
process notification from Desktop 0 for users currently logged in.
Although acheiving full AV evasion, we were setting off UserAlert.
This commit updates the module itself to match #1379 in R7's repo.
The size of powershell payloads has been reduced, and a wrapper
added to hide the actual payload process entirely.
2013-02-04 20:39:05 -05:00
RageLtMan 6ba85d4c06 add libs from #1379 and allow psh 1.0 exec against older hosts 2013-01-30 12:38:53 -05:00
lmercer deb9385181 Patch for smb_relay.rb to allow the share written to, to be defined in an option
As described in Redmine Feature #5455
2013-01-29 15:19:35 -05:00
RageLtMan 61cd3b55fc hide window 2013-01-24 14:43:07 -05:00
RageLtMan e6ebf772de allow psh to run in background via cmd start 2013-01-21 08:12:56 -05:00
RageLtMan 43a5322bd4 psexec_psh cleanup 2013-01-20 22:15:55 -05:00
RageLtMan cae0362aa3 Add disk-less AV bypass PSExec module using PSH
This commit rewires the existing work on PSExec performed by R3dy,
HDM, and countless others, to execute a powershell command instead
of a binary written to the disk. This particular iteration uses
PSH to call .NET, which pull in WINAPI functions to execute the
shellcode in memory. The entire PSH script is compressed with ZLIB,
given a decompressor stub, encoded in base64 and executed directly
from the command-line with powershell -EncodedCommand.

In practice, this prevents us from having to write binaries with
shellcode to the target drive, deal with removal, or AV detection
at all. Moreover, the powershell wrapper can be quickly modified
to loop execution (included), or perform other obfu/delay in order
to confuse and evade sandboxing and other HIDS mechanisms.

This module has been tested with x86/x64 reverse TCP against win6,
win7 (32 and 64), and Server 2008r2. Targets tested were using
current AV with heuristic analysis and high identification rates.
In particular, this system evaded Avast, KAV current, and MS' own
offerings without any issue. In fact, none of the tested AVs did
anything to prevent execution or warn the user.

Lastly, please note that powershell must be running in the same
architecture as the payload being executed, since it pulls system
libraries and their functions from unmanaged memory. This means
that when executing x86 payloads on x64 targets, one must set the
RUN_WOW64 flag in order to forcibly execute the 32bit PSH EXE.
2013-01-20 21:46:26 -05:00
Christian Mehlmauer 8f2dd8e2ce msftidy: Remove $Revision$ 2013-01-04 00:48:10 +01:00
Christian Mehlmauer 25aaf7a676 msftidy: Remove $Id$ 2013-01-04 00:41:44 +01:00
Alexandre Maloteaux c0c3dff4e6 Several fixes for smb, mainly win 8 compatibility 2012-11-28 22:49:40 +01:00
James Lee b2db3e133d Rescue when the service is crashed
Failed exploit attempts leave the service in a state where the port is
still open but login attmempts reset the connection. Rescue that and
give the user an indication of what's going on.
2012-10-22 17:57:30 -05:00
jvazquez-r7 e461d542ac added Windows 2003 SP1 Spanish targets 2012-08-24 12:50:30 +02:00
jvazquez-r7 54ce7268ad modules/exploits/windows/smb/ms08_067_netapi.rb 2012-08-24 11:30:23 +02:00
jvazquez-r7 1a60abc7a7 Added W2003 SP2 Spanish targets 2012-08-24 11:16:08 +02:00
Tod Beardsley bd408fc27e Updating msft links to psexec
Thanks for the spot @shuckins-r7 !
2012-08-13 15:28:04 -05:00
HD Moore 44e56c87f1 Make super sure that blank creds are not reported 2012-07-15 20:56:31 -05:00
HD Moore 3bb7405b09 Only report auth if the username is not blank 2012-07-02 04:11:29 -05:00
HD Moore fb7f6b49f0 This mega-diff adds better error classification to existing modules 2012-06-19 12:59:15 -05:00
sinn3r 18c8314d79 Change unknown authors to "Unknown".
Since "Anonymous" has become a well known organization, the meaning of the
term also may cause confusion.  In order to clarify, we correct unknown
authors to simply "Unknown".
2012-05-26 15:23:09 -05:00
sinn3r aeb691bbee Massive whitespace cleanup 2012-03-18 00:07:27 -05:00
Tod Beardsley 9144c33345 MSFTidy check for capitalization in modules
And also fixes up a dozen or so failing modules.
2012-03-15 16:38:12 -05:00
HD Moore 99177e9d5e Small commit to fix bad reference and old comment 2012-03-06 01:44:26 -06:00
HD Moore ceb4888772 Fix up the boilerplate comment to use a better url 2012-02-20 19:40:50 -06:00
sinn3r aa44eb955e Correct author e-mail format 2012-02-02 11:27:43 -06:00
Tod Beardsley 8ce47ab832 Changing license for KillBill module
Talked with Solar Eclipse, and he's consented to change his module
license from GPL to BSD, thus striking a blow for freedom. Thanks!
2012-01-19 11:39:56 -06:00
Rob Fuller c411c216c0 Solved most of msftidy issues with the /modules directory 2011-11-28 17:10:29 -06:00
David Maloney c8142043e9 Fixes to credential handling to downcase usernames whenever they are not case sensitive.
Also report_auth_info now checks to see if a non-case sensitive version of the cred
may already exist.
2011-11-14 22:50:52 -08:00
Wei Chen e767214411 Fix: whitespaces, svn propset, author e-mail format
git-svn-id: file:///home/svn/framework3/trunk@14175 4d416f70-5f16-0410-b530-b9f4589650da
2011-11-06 22:02:26 +00:00
David Rude 521aec205b Return on error
git-svn-id: file:///home/svn/framework3/trunk@14006 4d416f70-5f16-0410-b530-b9f4589650da
2011-10-19 19:55:04 +00:00
Tod Beardsley 3c36b0c975 Msftidy: knocking out all those trailing spaces. Screw those guys.
git-svn-id: file:///home/svn/framework3/trunk@13967 4d416f70-5f16-0410-b530-b9f4589650da
2011-10-17 03:49:49 +00:00
HD Moore cf8524b1b4 Fixes #5414 by applying Joshua Taylor's patch that corrects bad reference types
git-svn-id: file:///home/svn/framework3/trunk@13949 4d416f70-5f16-0410-b530-b9f4589650da
2011-10-16 09:53:53 +00:00
HD Moore 3d8a18cfd1 Fix tab indent
git-svn-id: file:///home/svn/framework3/trunk@13836 4d416f70-5f16-0410-b530-b9f4589650da
2011-10-08 18:39:23 +00:00
Joshua Drake 2e7edeff81 See #3585: Happy Third Birthday MS08-067!
Adds an AlwaysOn DEP bypass for XP SP2 and SP3

git-svn-id: file:///home/svn/framework3/trunk@13835 4d416f70-5f16-0410-b530-b9f4589650da
2011-10-08 07:26:37 +00:00
amaloteaux 9cfba23558 psexec: allow o upload payload in a subfolder
git-svn-id: file:///home/svn/framework3/trunk@13638 4d416f70-5f16-0410-b530-b9f4589650da
2011-08-25 22:30:46 +00:00
Wei Chen f47a2c7565 Format dictatorship round 2: Fix author e-mail format for all exploit modules
git-svn-id: file:///home/svn/framework3/trunk@13297 4d416f70-5f16-0410-b530-b9f4589650da
2011-07-22 20:17:58 +00:00
HD Moore 7dbb56b38b No longer default a target for XP systems; some obscure builds of XP Embedded SP1 have a different offset and not good way to differentiate
git-svn-id: file:///home/svn/framework3/trunk@13214 4d416f70-5f16-0410-b530-b9f4589650da
2011-07-19 01:40:26 +00:00
HD Moore 764bb36f44 Wait a little longer for a session (5 seconds)
git-svn-id: file:///home/svn/framework3/trunk@13208 4d416f70-5f16-0410-b530-b9f4589650da
2011-07-18 16:05:51 +00:00
HD Moore 8887fe86b8 Either the offset or the env page moves around for this exploit on some non-english systems, do not default the target for 2003 SP0
git-svn-id: file:///home/svn/framework3/trunk@13206 4d416f70-5f16-0410-b530-b9f4589650da
2011-07-18 14:59:55 +00:00
David Rude a8b6c43636 reverting the disclosure dates for now need to clean up the patch
git-svn-id: file:///home/svn/framework3/trunk@12540 4d416f70-5f16-0410-b530-b9f4589650da
2011-05-04 20:43:19 +00:00
David Rude 3b7ea08f6a Fixes a ton of Disclosure Date discrepencies in various modules, thanks a ton to Michael Baker for spending the time to ensure accuracy
git-svn-id: file:///home/svn/framework3/trunk@12539 4d416f70-5f16-0410-b530-b9f4589650da
2011-05-04 19:17:31 +00:00
James Lee b5e0962e3e return the appropriate check codes instead of just printing stuff. add some error checks to avoid stack traces against samba and non-existant hosts
git-svn-id: file:///home/svn/framework3/trunk@12314 4d416f70-5f16-0410-b530-b9f4589650da
2011-04-13 23:26:07 +00:00
David Rude 39f4c0c42f Added MS08-067 check method thanks staylor =)
git-svn-id: file:///home/svn/framework3/trunk@12294 4d416f70-5f16-0410-b530-b9f4589650da
2011-04-11 16:32:59 +00:00
amaloteaux 8e61c108d3 typo fix
git-svn-id: file:///home/svn/framework3/trunk@12229 4d416f70-5f16-0410-b530-b9f4589650da
2011-04-03 23:11:02 +00:00
Joshua Drake 8a627758f3 update description to remove blurb about ATSVC pipe, since it is no longer used
git-svn-id: file:///home/svn/framework3/trunk@12226 4d416f70-5f16-0410-b530-b9f4589650da
2011-04-03 20:53:54 +00:00
HD Moore 9594829357 Remove the no longer needed require
git-svn-id: file:///home/svn/framework3/trunk@12181 4d416f70-5f16-0410-b530-b9f4589650da
2011-03-29 18:11:39 +00:00
HD Moore e0e8d986e7 Fix up psexec by adding a reqwuire for the wbemexec mixin
git-svn-id: file:///home/svn/framework3/trunk@12180 4d416f70-5f16-0410-b530-b9f4589650da
2011-03-29 16:35:26 +00:00
HD Moore 904dd863d1 Remove the WBEM mixin until its actually checked in
git-svn-id: file:///home/svn/framework3/trunk@12179 4d416f70-5f16-0410-b530-b9f4589650da
2011-03-29 15:26:08 +00:00
amaloteaux 3a6a02e43c add wbem exec method for psexec as optional, fix #3972, thanks to pbk-df3 for patch
git-svn-id: file:///home/svn/framework3/trunk@12171 4d416f70-5f16-0410-b530-b9f4589650da
2011-03-29 01:07:32 +00:00
amaloteaux 46cf938475 fix typo
git-svn-id: file:///home/svn/framework3/trunk@12112 4d416f70-5f16-0410-b530-b9f4589650da
2011-03-23 20:47:49 +00:00
amaloteaux c0a0e3f217 small fix
git-svn-id: file:///home/svn/framework3/trunk@12110 4d416f70-5f16-0410-b530-b9f4589650da
2011-03-23 19:02:38 +00:00
amaloteaux e706051bda psexec : allow exploit to succeed on any r/w share
git-svn-id: file:///home/svn/framework3/trunk@12109 4d416f70-5f16-0410-b530-b9f4589650da
2011-03-23 18:53:32 +00:00
David Rude eeb1aae9d0 Added Japanese NO NX Target
git-svn-id: file:///home/svn/framework3/trunk@11985 4d416f70-5f16-0410-b530-b9f4589650da
2011-03-16 07:58:50 +00:00
amaloteaux dce7dd13fe type fix on psexec
git-svn-id: file:///home/svn/framework3/trunk@11926 4d416f70-5f16-0410-b530-b9f4589650da
2011-03-10 18:46:58 +00:00
Jonathan Cran 79da0ead08 applying description update from zeknox -- thanks!
git-svn-id: file:///home/svn/framework3/trunk@11923 4d416f70-5f16-0410-b530-b9f4589650da
2011-03-10 05:36:17 +00:00
amaloteaux 5f6995e8d3 enable ntlmv2 and signing for smb client stack (pth implementation is coming), fixes #11678 and #152
git-svn-id: file:///home/svn/framework3/trunk@11893 4d416f70-5f16-0410-b530-b9f4589650da
2011-03-07 19:57:53 +00:00
Joshua Drake 160c683f18 Add WbemExec mixin, modify MS10-061 to use MOF technique
git-svn-id: file:///home/svn/framework3/trunk@11766 4d416f70-5f16-0410-b530-b9f4589650da
2011-02-17 19:22:11 +00:00
Joshua Drake 41f0c2eaa5 typo
git-svn-id: file:///home/svn/framework3/trunk@11762 4d416f70-5f16-0410-b530-b9f4589650da
2011-02-17 03:56:15 +00:00
Joshua Drake ae33e3ac71 Fixes #3571, normalize 2k3r2 and fix language defaulting
git-svn-id: file:///home/svn/framework3/trunk@11614 4d416f70-5f16-0410-b530-b9f4589650da
2011-01-21 04:09:48 +00:00
Joshua Drake ffbea6199f Do not wait for the DCERPC call to timeout
git-svn-id: file:///home/svn/framework3/trunk@11545 4d416f70-5f16-0410-b530-b9f4589650da
2011-01-11 17:56:27 +00:00
Tod Beardsley 0204cedca6 Makes the print_status displays more consistent between smb_login and psexec by moving some of the domain display functions up into exploit/smb proper.
git-svn-id: file:///home/svn/framework3/trunk@11204 4d416f70-5f16-0410-b530-b9f4589650da
2010-12-02 17:29:26 +00:00
Joshua Drake e9faf75503 fix some more titles with periods
git-svn-id: file:///home/svn/framework3/trunk@11127 4d416f70-5f16-0410-b530-b9f4589650da
2010-11-24 19:35:38 +00:00
Joshua Drake 3b6edefe44 fix up auto targeting to not assign to "target"
git-svn-id: file:///home/svn/framework3/trunk@11072 4d416f70-5f16-0410-b530-b9f4589650da
2010-11-19 18:33:34 +00:00
Tod Beardsley 996cc49408 Be more accomodating for SMB domains when bruteforcing SMB hosts.
git-svn-id: file:///home/svn/framework3/trunk@10977 4d416f70-5f16-0410-b530-b9f4589650da
2010-11-11 02:07:31 +00:00
Joshua Drake ede859f60e use Msf::WindowsError, see #2214
git-svn-id: file:///home/svn/framework3/trunk@10607 4d416f70-5f16-0410-b530-b9f4589650da
2010-10-08 19:51:50 +00:00
Joshua Drake b36e383581 clean up exceptions a bit further
git-svn-id: file:///home/svn/framework3/trunk@10557 4d416f70-5f16-0410-b530-b9f4589650da
2010-10-05 23:23:17 +00:00
Joshua Drake 74db9d7fe4 demote to manual ranking due to domain requirement
git-svn-id: file:///home/svn/framework3/trunk@10554 4d416f70-5f16-0410-b530-b9f4589650da
2010-10-05 19:29:10 +00:00
Joshua Drake d2c5d62606 do not wait for WfsDelay if unable to enum printers
git-svn-id: file:///home/svn/framework3/trunk@10553 4d416f70-5f16-0410-b530-b9f4589650da
2010-10-05 19:03:52 +00:00
Joshua Drake 6f18c4a468 do not wait for WfsDelay if unable to bind
git-svn-id: file:///home/svn/framework3/trunk@10545 4d416f70-5f16-0410-b530-b9f4589650da
2010-10-04 20:48:48 +00:00
HD Moore 2f344fe7c8 Moving to ManualRanking since it requires user/pass
git-svn-id: file:///home/svn/framework3/trunk@10503 4d416f70-5f16-0410-b530-b9f4589650da
2010-09-28 15:23:14 +00:00
HD Moore 3ee6117219 Default to english, in the end, this is still the most common language pack
git-svn-id: file:///home/svn/framework3/trunk@10471 4d416f70-5f16-0410-b530-b9f4589650da
2010-09-25 03:18:08 +00:00
Joshua Drake 3acede0f3c fix indent
git-svn-id: file:///home/svn/framework3/trunk@10442 4d416f70-5f16-0410-b530-b9f4589650da
2010-09-23 02:15:40 +00:00
Joshua Drake a0b193f9d3 note psexec release date
git-svn-id: file:///home/svn/framework3/trunk@10405 4d416f70-5f16-0410-b530-b9f4589650da
2010-09-21 01:50:50 +00:00
Joshua Drake 8e5cf31e9a big exe/dll update, see #2017
NOTE: These changes specifically affect payload encoding via RPC, "use
payload", and msfencode

1. consolidate user-specified exe generation routine (now
Msf::Util::EXE.to_executable_fmt)
2. supported format types are now queried/checked using arrays
3. cleaned up and standardized exe option passing
4. rename data store options for EXE mixin
5. add generate_payload_exe_service for psexec/smb_relay
6. reworked default template handling in Msf::Util::EXE
  a. added template search path option (not used if template includes
a path separator)
  b. "fallback" flag to enable using default if specified file doesn't
exist
7. added Msf::Util::EXE.to_win64pe_dll
8. improved error messages from exe generation



git-svn-id: file:///home/svn/framework3/trunk@10404 4d416f70-5f16-0410-b530-b9f4589650da
2010-09-21 00:13:30 +00:00
Joshua Drake 4590844871 tons of indentation fixes, some other style tweaks
git-svn-id: file:///home/svn/framework3/trunk@10394 4d416f70-5f16-0410-b530-b9f4589650da
2010-09-20 08:06:27 +00:00
Joshua Drake 0149ec0253 bump exe name to 14 chars to avoid randomly smashing existing bins
git-svn-id: file:///home/svn/framework3/trunk@10391 4d416f70-5f16-0410-b530-b9f4589650da
2010-09-20 05:06:51 +00:00
Joshua Drake 21d88b36c1 rename generate_exe -> generate_payload_exe
git-svn-id: file:///home/svn/framework3/trunk@10388 4d416f70-5f16-0410-b530-b9f4589650da
2010-09-20 04:37:25 +00:00
HD Moore 3dae16482f Required admin creds == ManualRanking
git-svn-id: file:///home/svn/framework3/trunk@10384 4d416f70-5f16-0410-b530-b9f4589650da
2010-09-20 02:56:29 +00:00
HD Moore ad4bf32a45 Move to the SMB directory
git-svn-id: file:///home/svn/framework3/trunk@10370 4d416f70-5f16-0410-b530-b9f4589650da
2010-09-18 17:56:22 +00:00
Joshua Drake 9dae361383 typo fixes
git-svn-id: file:///home/svn/framework3/trunk@10332 4d416f70-5f16-0410-b530-b9f4589650da
2010-09-16 16:23:46 +00:00
Joshua Drake 467861ceb7 style compliance fixes
git-svn-id: file:///home/svn/framework3/trunk@10190 4d416f70-5f16-0410-b530-b9f4589650da
2010-08-30 20:40:05 +00:00
Joshua Drake 330281eadd see #684, adds checksum support, updates modules to use it, fixes some wfs_delay/WfsDelay issues
git-svn-id: file:///home/svn/framework3/trunk@10150 4d416f70-5f16-0410-b530-b9f4589650da
2010-08-25 20:55:37 +00:00
Joshua Drake 9cc66b39dd indicate not to attempt to read a resposne
git-svn-id: file:///home/svn/framework3/trunk@10039 4d416f70-5f16-0410-b530-b9f4589650da
2010-08-18 17:21:56 +00:00
Tod Beardsley 6d6a547b34 Fixes #2412. Adds a creds table, modifies the db_report_auth API, adds the db_creds and db_add_cred commands.
git-svn-id: file:///home/svn/framework3/trunk@10034 4d416f70-5f16-0410-b530-b9f4589650da
2010-08-18 00:58:20 +00:00
Joshua Drake 4f9ed0e4e9 style compliance fixes
git-svn-id: file:///home/svn/framework3/trunk@10022 4d416f70-5f16-0410-b530-b9f4589650da
2010-08-16 17:12:16 +00:00
Joshua Drake 6243d8fe2a change existing to_win*pe_service uses to pass a hash instead of a string, r10016+this fixes #2398
git-svn-id: file:///home/svn/framework3/trunk@10017 4d416f70-5f16-0410-b530-b9f4589650da
2010-08-14 20:43:43 +00:00
HD Moore 040a292181 Create a new mixin that changes SMBUser/SMBPass to normal options, include this mixin within SMB modules that more often than not require authentication
git-svn-id: file:///home/svn/framework3/trunk@9981 4d416f70-5f16-0410-b530-b9f4589650da
2010-08-12 15:00:58 +00:00
Joshua Drake f6033b9bd6 change some print_status to print_error, rename a few msft modules using msb convention
git-svn-id: file:///home/svn/framework3/trunk@9929 4d416f70-5f16-0410-b530-b9f4589650da
2010-07-25 21:37:54 +00:00
Joshua Drake 136c8d2ecc change print_status to print_error
git-svn-id: file:///home/svn/framework3/trunk@9919 4d416f70-5f16-0410-b530-b9f4589650da
2010-07-24 21:38:57 +00:00
Joshua Drake 9e360f19e0 ignore timeout errors, see #2260
git-svn-id: file:///home/svn/framework3/trunk@9839 4d416f70-5f16-0410-b530-b9f4589650da
2010-07-15 20:54:03 +00:00
Joshua Drake b73e13bd62 add xpsp1-jp target from Masashi, fixes #2255
git-svn-id: file:///home/svn/framework3/trunk@9838 4d416f70-5f16-0410-b530-b9f4589650da
2010-07-15 20:18:34 +00:00
Joshua Drake 7d945ed9dc add lots of disclosure dates from OSVDB
git-svn-id: file:///home/svn/framework3/trunk@9669 4d416f70-5f16-0410-b530-b9f4589650da
2010-07-03 03:13:45 +00:00
Joshua Drake 0882838491 ensure binary mode when opening files, whitespace fixes
git-svn-id: file:///home/svn/framework3/trunk@9653 4d416f70-5f16-0410-b530-b9f4589650da
2010-07-01 23:33:07 +00:00
Joshua Drake b5aac2860c add DEP bypass targets for XPSP2 and 2k3SP1, add 2k3 SP0 target
git-svn-id: file:///home/svn/framework3/trunk@9632 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-28 16:01:23 +00:00
Joshua Drake 2c91164494 allow x64 payloads to be used with psexec
git-svn-id: file:///home/svn/framework3/trunk@9565 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-21 03:49:39 +00:00
Joshua Drake a8186ae6ae add suggestion when auto-targeting fails, see #2022
git-svn-id: file:///home/svn/framework3/trunk@9396 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 16:29:14 +00:00
Steve Tornio 365f13551b added refs. I think all the auxiliary and exploit modules should now be covered.
git-svn-id: file:///home/svn/framework3/trunk@9298 4d416f70-5f16-0410-b530-b9f4589650da
2010-05-13 16:53:50 +00:00
HD Moore d65146ae0c Downgrade MS04_011 to Great, as we have better exploits
git-svn-id: file:///home/svn/framework3/trunk@9291 4d416f70-5f16-0410-b530-b9f4589650da
2010-05-12 16:36:45 +00:00
Joshua Drake 128e0515ef stop perpetuating the ambiguity!
git-svn-id: file:///home/svn/framework3/trunk@9262 4d416f70-5f16-0410-b530-b9f4589650da
2010-05-09 17:45:00 +00:00
Joshua Drake 0ea6eca4bc big module whitespace/formatting cleanup pass
git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da
2010-04-30 08:40:19 +00:00
Tod Beardsley bd94145d8d Allows reporting auth credentials to be optional with exploit/windows/smb/psexec. Sometimes you don't want this, especially if you already have an auth credential via smb_login.
For auxiliary/scanner/smb/smb_login, if a password hash is used instead of a password, record it as a :hash instead of a :pass when reporting to the DB.



git-svn-id: file:///home/svn/framework3/trunk@9116 4d416f70-5f16-0410-b530-b9f4589650da
2010-04-22 17:23:29 +00:00
Joshua Drake d03eacc386 move exploit specific stuff back to exploit method
git-svn-id: file:///home/svn/framework3/trunk@9094 4d416f70-5f16-0410-b530-b9f4589650da
2010-04-16 05:30:27 +00:00
Joshua Drake 74a344ce7a unbreak the module, oops
git-svn-id: file:///home/svn/framework3/trunk@9093 4d416f70-5f16-0410-b530-b9f4589650da
2010-04-16 05:10:36 +00:00
Joshua Drake a402a69de6 make error more friendly and clean up whitespace
git-svn-id: file:///home/svn/framework3/trunk@9092 4d416f70-5f16-0410-b530-b9f4589650da
2010-04-16 04:51:08 +00:00
HD Moore 7af2fdf42e Remove silly cases of print_good
git-svn-id: file:///home/svn/framework3/trunk@9021 4d416f70-5f16-0410-b530-b9f4589650da
2010-04-05 23:34:10 +00:00
HD Moore 22cb5a6bea 1.9 compatibility fixes for lpd exploits, clarification in the print messages that we are *trying* to exploit something, not absolutely doing so
git-svn-id: file:///home/svn/framework3/trunk@8916 4d416f70-5f16-0410-b530-b9f4589650da
2010-03-25 14:52:35 +00:00
James Lee a27c941714 targ_host -> target_host
git-svn-id: file:///home/svn/framework3/trunk@8909 4d416f70-5f16-0410-b530-b9f4589650da
2010-03-25 01:09:04 +00:00
Stephen Fewer b4339930e7 rename this module with the updated MSB and swap out the hard coded kernel stager for the new kernel stager mixin.
git-svn-id: file:///home/svn/framework3/trunk@8656 4d416f70-5f16-0410-b530-b9f4589650da
2010-02-26 13:42:17 +00:00
Joshua Drake 81f93d48e7 add german target from contributor, thx!
git-svn-id: file:///home/svn/framework3/trunk@8601 4d416f70-5f16-0410-b530-b9f4589650da
2010-02-23 17:23:05 +00:00
HD Moore 7aa7995da9 Autodetect and exploit 2003 SP0
git-svn-id: file:///home/svn/framework3/trunk@8479 4d416f70-5f16-0410-b530-b9f4589650da
2010-02-13 20:04:24 +00:00
Joshua Drake 57fd341f4a added auto targeting, XPSP1 target, updated 2ksp4 target, notes, description
git-svn-id: file:///home/svn/framework3/trunk@8023 4d416f70-5f16-0410-b530-b9f4589650da
2009-12-29 19:22:43 +00:00
HD Moore 922cef26fa Store the domain name in the SMB client object, along with other fields provided by NTLMSSP responses. Show the domain name and netbios name in the version scanner. Update MS06-070 to remove the default target, use the domain name from the server response, and use a more reliable return address for 2000 SP4.
git-svn-id: file:///home/svn/framework3/trunk@8022 4d416f70-5f16-0410-b530-b9f4589650da
2009-12-29 14:00:49 +00:00
Joshua Drake 6170998ba3 add exploit module for cve-2006-4691
git-svn-id: file:///home/svn/framework3/trunk@8021 4d416f70-5f16-0410-b530-b9f4589650da
2009-12-29 05:13:57 +00:00
HD Moore 364880fb4d Bump the session wait to 10 seconds
git-svn-id: file:///home/svn/framework3/trunk@8004 4d416f70-5f16-0410-b530-b9f4589650da
2009-12-28 14:27:33 +00:00
HD Moore 92c703ba6f Wait a second before deleting the file, catch an exception on delete, combined these reduce some of the issues around psexec
git-svn-id: file:///home/svn/framework3/trunk@7954 4d416f70-5f16-0410-b530-b9f4589650da
2009-12-23 04:02:59 +00:00
James Lee b933f49ec3 this exploit always uses an exe, so default EXITFUNC to process so we don't leave processes lying around
git-svn-id: file:///home/svn/framework3/trunk@7950 4d416f70-5f16-0410-b530-b9f4589650da
2009-12-23 01:29:16 +00:00
Joshua Drake 6219116ebf removed exit calls
git-svn-id: file:///home/svn/framework3/trunk@7940 4d416f70-5f16-0410-b530-b9f4589650da
2009-12-21 23:03:03 +00:00
James Lee 2570fcee15 get rid of some more ^Ms
git-svn-id: file:///home/svn/framework3/trunk@7880 4d416f70-5f16-0410-b530-b9f4589650da
2009-12-15 18:47:29 +00:00
Joshua Drake 21cbb87fac fixup whitespace
git-svn-id: file:///home/svn/framework3/trunk@7804 4d416f70-5f16-0410-b530-b9f4589650da
2009-12-10 18:07:16 +00:00
Joshua Drake d8a4926a22 add framework tag comments to top
git-svn-id: file:///home/svn/framework3/trunk@7803 4d416f70-5f16-0410-b530-b9f4589650da
2009-12-10 17:35:40 +00:00
Joshua Drake 6c98f3c03d add exploit module for cve-2009-1394
git-svn-id: file:///home/svn/framework3/trunk@7797 4d416f70-5f16-0410-b530-b9f4589650da
2009-12-10 08:24:37 +00:00
Joshua Drake ff83f1cd2f add ranking to every exploit module, pfew!
git-svn-id: file:///home/svn/framework3/trunk@7724 4d416f70-5f16-0410-b530-b9f4589650da
2009-12-06 05:50:37 +00:00
HD Moore 9ebcd40a4e Updated references to work better with NeXpose integration
git-svn-id: file:///home/svn/framework3/trunk@7683 4d416f70-5f16-0410-b530-b9f4589650da
2009-12-03 15:27:29 +00:00
Joshua Drake e3a1a7958e cleaned up the descriptions
git-svn-id: file:///home/svn/framework3/trunk@7615 4d416f70-5f16-0410-b530-b9f4589650da
2009-11-25 20:05:18 +00:00
HD Moore bd28e044f0 Handle instances where the pipe does not exist gracefully
git-svn-id: file:///home/svn/framework3/trunk@7531 4d416f70-5f16-0410-b530-b9f4589650da
2009-11-16 15:20:50 +00:00
HD Moore aa09862813 Fixes #401. Ends up Windows NT doesn't like DCERPC requests to be partially written by SMB writes, this patches the min write size to be at least as big as the DCERPC request. The DCERPC::max_frag_size parameter can still be used for more evasion.
[*] Started reverse handler
[*] Detected a Windows NT 4.0 target
[*] Adjusting the SMB/DCERPC parameters for Windows NT
[*] Binding to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.0.128[\BROWSER] ...
[*] Bound to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.0.128[\BROWSER] ...
[*] Building the stub data...
[*] Calling the vulnerable function...
[*] Sending stage (719360 bytes)
[*] Meterpreter session 1 opened (192.168.0.136:4444 -> 192.168.0.128:1485)

meterpreter > sysinfo
Computer: VMNT4
OS      : Windows NT 4.0 (Build 1381, Service Pack 6).
Arch    : x86
Language: en_US



git-svn-id: file:///home/svn/framework3/trunk@7296 4d416f70-5f16-0410-b530-b9f4589650da
2009-10-28 16:37:18 +00:00
HD Moore e3f68f2639 Another large number of warnings fixed by Yoann Guillot
git-svn-id: file:///home/svn/framework3/trunk@7248 4d416f70-5f16-0410-b530-b9f4589650da
2009-10-25 17:18:23 +00:00
HD Moore b38a74c961 Another mega-patch from Yoann Guillot: fixes warnings generated by method calls with a space betwee the method and the parans, corrects a problem with the alpha encoders that causes them to overwrite the allowed charset, hardcodes the metasm output size of some modules in order to reduce load time, more to come
git-svn-id: file:///home/svn/framework3/trunk@7246 4d416f70-5f16-0410-b530-b9f4589650da
2009-10-25 16:40:19 +00:00
HD Moore a0fbc2914f Remove the milw0rm references, as the links are no longer valid.
git-svn-id: file:///home/svn/framework3/trunk@7237 4d416f70-5f16-0410-b530-b9f4589650da
2009-10-24 18:13:07 +00:00
HD Moore 5ea99ac421 Remove from the db_autopwn set for now
git-svn-id: file:///home/svn/framework3/trunk@7183 4d416f70-5f16-0410-b530-b9f4589650da
2009-10-18 09:31:17 +00:00
HD Moore d3aa513773 Fixes #339. Cleans up author names for the most part - there are still some stragglers, but this should fix up the frequent contributors
git-svn-id: file:///home/svn/framework3/trunk@7173 4d416f70-5f16-0410-b530-b9f4589650da
2009-10-17 05:55:15 +00:00
HD Moore 07efe98f6d Whitespace and svn properties set
git-svn-id: file:///home/svn/framework3/trunk@7087 4d416f70-5f16-0410-b530-b9f4589650da
2009-09-28 10:54:07 +00:00
Stephen Fewer 360cdaab2e rename the smb2 module to something more specific.
git-svn-id: file:///home/svn/framework3/trunk@7086 4d416f70-5f16-0410-b530-b9f4589650da
2009-09-28 10:23:28 +00:00
Stephen Fewer 50bd91688c Add coverage for the SMBv2 vuln.
git-svn-id: file:///home/svn/framework3/trunk@7085 4d416f70-5f16-0410-b530-b9f4589650da
2009-09-28 08:12:30 +00:00
HD Moore 71d644e72e Fix the Payload->Space to match the new max size limit for the EXE generator. Thanks for catching it MC
git-svn-id: file:///home/svn/framework3/trunk@7022 4d416f70-5f16-0410-b530-b9f4589650da
2009-09-09 21:23:11 +00:00
HD Moore 876a80f601 Updated osvdb references from Steve Tornio, updated capture/eth_spoof modules
git-svn-id: file:///home/svn/framework3/trunk@6907 4d416f70-5f16-0410-b530-b9f4589650da
2009-07-27 14:05:23 +00:00
kris d3e65b3363 svn:keywords run
git-svn-id: file:///home/svn/framework3/trunk@6876 4d416f70-5f16-0410-b530-b9f4589650da
2009-07-23 02:55:51 +00:00
HD Moore 4c4a8a764c Let the XP SP0/SP1 and 2000 targets automatically run
git-svn-id: file:///home/svn/framework3/trunk@6865 4d416f70-5f16-0410-b530-b9f4589650da
2009-07-22 12:59:08 +00:00
Mario Ceballos 4691f2b0e5 added exploit module netidentity_xtierrpcpipe.rb
git-svn-id: file:///home/svn/framework3/trunk@6850 4d416f70-5f16-0410-b530-b9f4589650da
2009-07-21 01:04:48 +00:00
HD Moore f8c2a203fd OSVDB references updates from Steve Tornio
git-svn-id: file:///home/svn/framework3/trunk@6812 4d416f70-5f16-0410-b530-b9f4589650da
2009-07-16 16:02:24 +00:00
HD Moore 2ec7693d94 Fix up the modules to pass in the framework object into the new API call
git-svn-id: file:///home/svn/framework3/trunk@6687 4d416f70-5f16-0410-b530-b9f4589650da
2009-06-20 18:18:04 +00:00
HD Moore 2283e0ffe4 Update executable template and API
git-svn-id: file:///home/svn/framework3/trunk@6682 4d416f70-5f16-0410-b530-b9f4589650da
2009-06-20 17:42:17 +00:00
HD Moore 697f0946e1 Reference correction
git-svn-id: file:///home/svn/framework3/trunk@6637 4d416f70-5f16-0410-b530-b9f4589650da
2009-06-11 23:23:58 +00:00
HD Moore a5f567e76e Massive OSVDB reference update from Steve Tornio.
git-svn-id: file:///home/svn/framework3/trunk@6629 4d416f70-5f16-0410-b530-b9f4589650da
2009-06-07 20:20:42 +00:00