Commit Graph

39947 Commits (74baffd463e643c66a5ba1391be2b11f5e1677fa)

Author SHA1 Message Date
Brent Cook 74e0256448
Revert "remove leftover cruft"
This reverts commit 2be551cbd3.
2016-10-08 21:55:22 -05:00
Brent Cook f3166070ba
Revert "use the new rex-exploitation gem"
This reverts commit 52f6265d2e.
2016-10-08 21:55:16 -05:00
Brent Cook b77a910205
Land #7355, allwinner post to local exploit conversion 2016-10-08 21:38:54 -05:00
Brent Cook e074669406
Land #7296, Added a SCADA module for detecting Profinet devices, e.g. Siemens controllers 2016-10-08 21:34:40 -05:00
Brent Cook 7e2e98f96c
Land #7413, Add KB for post/firefox/gather/passwords 2016-10-08 21:31:27 -05:00
Brent Cook f6353b1a60
Land #5393, add remote .NET code compilation and persistence 2016-10-08 21:21:57 -05:00
Brent Cook bd24e7eba0 more cleanups and print output on auto-run 2016-10-08 21:14:26 -05:00
Brent Cook 63bf93be1b code and style cleanups 2016-10-08 21:04:15 -05:00
Brent Cook df597a7bb7 add module documentation 2016-10-08 20:17:54 -05:00
Brent Cook 5284db6b58 module cleanup 2016-10-08 20:17:29 -05:00
Brent Cook 7c1fa3eb51 fix 'info -d module', it assumed active module only 2016-10-08 19:31:00 -05:00
Brent Cook 199bf8e726 cleanups and update to require 4.0 CLR by default 2016-10-08 15:24:13 -05:00
RageLtMan 44c5fc3250 Sync build_net_code post module upstream
Fix merge conflicts and add missing lines to framework version of
the DotNet compiler example module.

Test output to come in PR #5393
2016-10-08 14:06:35 -05:00
wchen-r7 0e57808914 Update to class name MetasploitModule 2016-10-08 14:06:35 -05:00
RageLtMan 47b1320d08 Add options to cmd_psh_payload
Fill in validated datastore options for generating custom PSH
payloads
2016-10-08 14:06:35 -05:00
RageLtMan fb8e025aa5 Force datastore validation by option set
cmd_psh_payload relies on datastore options to have a proper
data type down the call chain. When modules are created with string
values for all data store options, a conditional naively checking
what should be a boolean value for false/nil? would return true
for a string representation of "false."

Ensure that datastore options are validated prior to using them
to set variables passed into Rex methods.
2016-10-08 14:06:35 -05:00
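The pitfall this commit describes, as an added Ruby example (not framework code): in Ruby only `nil` and `false` are falsy, so a datastore option that arrives as the String `"false"` passes a naive truthiness check. The option names (`ENCODE`, `REMOVE_COMSPEC`, `TIMEOUT`), the accepted spellings for booleans, and the `validate_datastore` helper are assumptions for illustration; they are not the framework's option definitions.

```ruby
# Added example, not Metasploit code. Shows why a string-typed datastore value
# defeats a naive boolean check, and a validator that coerces each option to its
# declared type before anything branches on it.

# Constructed stand-in for a module's option table (name => declared type).
OPT_TYPES = {
  'ENCODE'         => :bool,
  'REMOVE_COMSPEC' => :bool,
  'TIMEOUT'        => :int,
}.freeze

# Spellings accepted for booleans; an assumption, not the framework's list.
TRUE_WORDS  = %w[true yes y 1 t].freeze
FALSE_WORDS = %w[false no n 0 f].freeze

class OptionValidationError < ArgumentError; end

# The naive check: anything that is not nil/false counts as enabled,
# so the String "false" is reported as enabled.
def naive_enabled?(value)
  value ? true : false
end

# Coerce a raw datastore value to a real boolean, or fail loudly.
def coerce_bool(name, value)
  return value if value == true || value == false
  return false if value.nil?
  word = value.to_s.strip.downcase
  return true  if TRUE_WORDS.include?(word)
  return false if FALSE_WORDS.include?(word)
  raise OptionValidationError, "#{name}: expected a boolean, got #{value.inspect}"
end

# Coerce a raw datastore value to an Integer (base 10 only), or fail loudly.
def coerce_int(name, value)
  Integer(value.to_s, 10)
rescue ArgumentError, TypeError
  raise OptionValidationError, "#{name}: expected an integer, got #{value.inspect}"
end

# Walk the declared option types and return a hash of properly typed values.
# Call this before handing options to anything that expects real booleans.
def validate_datastore(datastore, types)
  types.each_with_object({}) do |(name, type), out|
    raw = datastore[name]
    out[name] = case type
                when :bool then coerce_bool(name, raw)
                when :int  then coerce_int(name, raw)
                else raw
                end
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed datastore: every value is a String, as when set from the console.
  ds = { 'ENCODE' => 'false', 'REMOVE_COMSPEC' => 'true', 'TIMEOUT' => '20' }
  puts "naive check says ENCODE enabled?     #{naive_enabled?(ds['ENCODE'])}"
  opts = validate_datastore(ds, OPT_TYPES)
  puts "validated value of ENCODE:           #{opts['ENCODE'].inspect}"
  puts "validated value of TIMEOUT (class):  #{opts['TIMEOUT'].class}"
end
```

The point of raising on unrecognised input rather than defaulting is that a typo in an option value then fails at validation time, not deep inside the payload generator where a wrong branch silently produces a different PowerShell command line.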
RageLtMan f24bfe7d4e Import Powershell::exec_in_place
Allow passing exec_in_place parameter to cmd_psh_payload in order
to execute raw powershell without the commandline wrappers of
comspec or calling the powershell binary itself.
This is useful in contexts such as the web delivery mechanism or
recent powershell sessions as it does not require the creation of
a new PSH instance.
2016-10-08 14:06:35 -05:00
RageLtMan 36b989e6d7 Initial import of .NET compiler and persistence
Add Exploit::Powershell::DotNet namespace with compiler and
runtime elevator.

Add compiler modules for payloads and custom .NET code/blocks.

==============

Powershell-based persistence module to compile .NET templates
with MSF payloads into binaries which persist on host.
Templates by @hostess (way back in 2012).

C# templates for simple binaries and a service executable with
its own install wrapper.

==============

Generic .NET compiler post module

Compiles .NET source code to binary on compromised hosts.
Useful for home-grown APT deployment, decoy creation, and other
misdirection or collection activities.

Using mimikatz (kiwi), one can also extract host-resident certs
and use them to sign the generated binary, thus creating a
locally trusted exe which helps with certain defensive measures.

==============

Concept:

Microsoft has graciously included a compiler in every modern
version of Windows. Although executables which can be easily
invoked by the user may not be present on all hosts, the
shared runtime of .NET and Powershell exposes this functionality
to all users with access to Powershell.

This commit provides a way to execute the compiler entirely in
memory, seeking to avoid disk access and the associated forensic
and defensive measures. Resulting .NET assemblies can be run
from memory, or written to disk (with the option of signing
them using a pfx cert on the host). Two basic modules are
provided to showcase the functionality and execution pipeline.

Usage notes:

Binaries generated this way are dynamic by nature and avoid sig
based detection. Heuristics, sandboxing, and other isolation
mechanisms must be defeated by the user for now. Play with
compiler options, included libraries, and runtime environments
for maximum entropy before you hit the temmplates.

Defenders should watch for:
Using this in conjunction with WMI/PS remoting or other MSFT
native distributed execution mechanism can bring malware labs
to their knees with properly crafted templates.
The powershell code to generate the binaries also provides a
convenient method to leave behind complex trojans which are not
yet in binary form, nor will they be until execution (which can
occur strictly in memory avoiding disk access for the final
product).

==============

On responsible disclosure: I've received some heat over the years
for prior work in this arena. Everything here is already public,
and has been in closed PRs in the R7 repo for years. The bad guys
have had this for a while (they do their homework religiously),
defenders need to be made aware of this approach and prepare
themselves to deal with it.
2016-10-08 14:05:53 -05:00
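The execution pipeline sketched in this commit message and the `exec_in_place` option from the earlier one, as an added Ruby example (not the framework's module or the Rex::Powershell gem): Ruby builds a PowerShell script that hands C# source to the `Microsoft.CSharp.CSharpCodeProvider` shipped with the .NET Framework runtime, compiles it with `GenerateInMemory` set, and invokes a method on the resulting assembly by reflection; the script is then either returned raw (for an existing PowerShell context) or wrapped in a fresh `powershell.exe -EncodedCommand` invocation. The C# source, the `Demo.Program` type name and the `Run` method are constructed for this example. Signing the output with a host PFX certificate is not shown.

```ruby
# Added example, not Metasploit code. Generates (does not execute) the PowerShell
# that compiles C# on a Windows host via CodeDom and runs the result from memory.
require 'base64'

# Constructed C# source: what gets compiled on the target.
CSHARP_SOURCE = <<~CS
  using System;
  namespace Demo {
    public static class Program {
      public static string Run() {
        return "compiled in-memory on " + Environment.MachineName;
      }
    }
  }
CS

# Build the PowerShell driver. CSharpCodeProvider / CompilerParameters are the
# real .NET Framework CodeDom APIs; type_name and method are caller assumptions.
def build_compile_script(csharp_source, type_name: 'Demo.Program', method: 'Run',
                         references: ['System.dll'])
  refs = references.map { |r| "'#{r}'" }.join(', ')
  <<~PS
    $src = @'
    #{csharp_source.chomp}
    '@
    $cp = New-Object System.CodeDom.Compiler.CompilerParameters
    $cp.GenerateInMemory = $true
    $cp.GenerateExecutable = $false
    foreach ($r in @(#{refs})) { [void]$cp.ReferencedAssemblies.Add($r) }
    $provider = New-Object Microsoft.CSharp.CSharpCodeProvider
    $res = $provider.CompileAssemblyFromSource($cp, $src)
    if ($res.Errors.HasErrors) {
      $res.Errors | ForEach-Object { Write-Error $_.ToString() }
      throw 'compilation failed'
    }
    $type = $res.CompiledAssembly.GetType('#{type_name}')
    $type.GetMethod('#{method}').Invoke($null, $null)
  PS
end

# exec_in_place: hand back the raw script for a context that is already running
# PowerShell (web delivery stage, live PowerShell session). Otherwise wrap it for
# a new process; -EncodedCommand takes base64 of the UTF-16LE script text.
def deliver(script, exec_in_place: false)
  return script if exec_in_place
  encoded = Base64.strict_encode64(script.encode('UTF-16LE'))
  "powershell.exe -NoProfile -NonInteractive -WindowStyle Hidden -EncodedCommand #{encoded}"
end

# Inverse of the wrapper: what a defender does with a logged command line.
def decode_encoded_command(cmdline)
  b64 = cmdline.split('-EncodedCommand ').last
  Base64.strict_decode64(b64).force_encoding('UTF-16LE').encode('UTF-8')
end

if __FILE__ == $PROGRAM_NAME
  script = build_compile_script(CSHARP_SOURCE)
  puts deliver(script, exec_in_place: true)
  puts
  puts deliver(script)
end
```

Two practitioner caveats the commit message does not spell out. `GenerateInMemory` only controls where the finished assembly is loaded: on the .NET Framework, CodeDom's C# provider still writes the source and output to a temporary directory and spawns `csc.exe` as a child of `powershell.exe`, which is a well-known process-tree signal for defenders. And the `-EncodedCommand` wrapper hides nothing from anyone with command-line auditing or PowerShell script block logging enabled; `decode_encoded_command` above is all it takes to recover the script.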
William Vu 1b06e6279b
Land #7414, cmd_bash fix for netbsd_mail_local 2016-10-07 21:42:12 -05:00
h00die 7c20f20493 remove unneeded bash 2016-10-07 21:12:27 -04:00
Daniel Werner 86465710e2 Add KB for post/firefox/gather/passwords. 2016-10-08 01:19:26 +02:00
Spencer McIntyre 2f5cdd814a
Land #7412, Add zeroSteiner to author.rb 2016-10-07 18:36:14 -04:00
William Vu 1f36583db2 Add zeroSteiner to author.rb 2016-10-07 12:51:22 -05:00
Metasploit 8a6426df48
Bump version of framework to 4.12.32 2016-10-07 10:04:32 -07:00
Spencer McIntyre bbdb58eb00 Add an HTA server module using powershell 2016-10-06 19:25:22 -04:00
Metasploit a0ebf5ea2d
Bump version of framework to 4.12.31 2016-10-06 11:23:08 -07:00
William Vu 3b3185069f
Land #7408, Mirai botnet wordlists 2016-10-06 10:07:20 -05:00
Pearce Barry a41281034a
Bump to latest rex-powershell gem... 2016-10-05 18:10:13 -05:00
funkypickle fb0a438fdf Perform a version check to determine exploitability for graphite pickle 2016-10-05 16:08:02 -07:00
William Vu e8c3a61e72
Land #7405, nil fix for ntp_protocol_fuzzer 2016-10-05 15:26:39 -05:00
Tonimir Kisasondi 83548a0dde added mirai user/pass to unhash set 2016-10-05 22:24:11 +02:00
William Vu 60ea0bd94e
Land #7407, nil fix for auxiliary/dos/tcp/synflood 2016-10-05 15:11:46 -05:00
“lvarela” 8749eaf097 Fix the default num to be 0 when not specified. 2016-10-05 14:52:43 -05:00
Jon Hart b95cc7bbbe
Set correct default options; fix usage on OS X
Fixes 7404
2016-10-05 09:51:31 -07:00
Tonimir Kisasondi 7ce73be936 Add linux.mirai wordlists 2016-10-05 17:57:08 +02:00
dmohanty-r7 55597d7370
Land #7394, Gemify rex/exploitation and associated data files into rex-exploitation 2016-10-05 10:55:21 -05:00
William Vu 035e688a69
Land #7401, refresh support for sysinfo 2016-10-05 10:17:48 -05:00
David Maloney 2be551cbd3 remove leftover cruft
some files that got left behind in previous
gemifications that should have been removed
2016-10-05 09:05:27 -05:00
David Maloney 52f6265d2e use the new rex-exploitation gem
use the new rex-exploitation gem instead of the packaged in library code
cleans up a huge amount of space in framework

MS-1709
2016-10-05 09:05:27 -05:00
William Vu a89607bbdb Prefer keyword argument 2016-10-04 23:14:14 -05:00
Brent Cook b7ea465855 refresh sysinfo when explicitly requested on a session 2016-10-04 22:06:06 -05:00
Pearce Barry 548efc3e98
Land #7374, use templates from the gem for psh 2016-10-04 14:27:45 -05:00
Pearce Barry a68e9d33e1
Bump rex-powershell gem to latest. 2016-10-04 14:25:10 -05:00
David Maloney af4f3e7a0d use templates from the gem for psh
use the templates now contained within the magical
gem of rex-powershell

7309
MS-2106
2016-10-04 14:14:25 -05:00
William Vu 63ed5624ff
Land #7395, Ninja Forms module update 2016-10-04 11:14:30 -05:00
William Vu f60d575d62 Add EOF newline back in 2016-10-04 11:14:15 -05:00
Brent Cook b30e380e54
Land #7398, fix linux x64 elf-so template with LD_PRELOAD 2016-10-04 09:54:11 -05:00
Brent Cook 705d15037a
Land #7396, Add Meterpreter API to list installed drivers 2016-10-04 07:17:10 -05:00
Brent Cook 55d267730e
bump metasploit-payloads 2016-10-04 07:16:39 -05:00
Brent Cook 6ac63f02f7
Land #7399, add missing reverse_tcp require to stageless android meterpreter payload 2016-10-04 04:30:10 -05:00