Commit Graph

998 Commits (7c762ad42c76d2d954b138c2bfff941cba85649b)

Author SHA1 Message Date
sinn3r 6780566a54 Add CVE-2013-2171: FreeBSD 9 Address Space Manipulation Module 2013-06-24 11:50:21 -05:00
Matthias Kaiser 8a96b7f9f2 added Java7u21 RCE module
Click2Play bypass doesn't seem to work anymore.
2013-06-24 02:04:38 -04:00
William Vu d05ef3ac77 Land #1947, remove JavaPayload source 2013-06-12 11:17:23 -05:00
James Lee 636b6b61ec Remove javapayload source
Replace with a README pointing at the new repo:
https://github.com/rapid7/metasploit-javapayload
2013-06-12 10:57:23 -05:00
James Lee 6fae148f9d Remove meterpreter source
Replace with a README pointing at the new repo:
https://github.com/rapid7/meterpreter
2013-06-11 16:42:30 -05:00
Tod Beardsley 7dafcc76df Remove packetfu and pcaprub libaries
These should be handled by bundler's Gemfile.
2013-06-10 14:12:18 -05:00
jvazquez-r7 7090d4609b Add module for CVE-2013-1488 2013-06-07 13:38:41 -05:00
Tod Beardsley 9c771435f2 Touchup on author credit 2013-05-30 16:13:40 -05:00
Tod Beardsley 67128a3841 Land #1821, x64_reverse_https stagers 2013-05-30 13:55:13 -05:00
jvazquez-r7 07c99f821e Land #1879, @dcbz ARM stagers 2013-05-29 17:43:37 -05:00
jvazquez-r7 e6433fc31e Add commented source code for stagers and stage 2013-05-29 14:03:46 -05:00
James Lee 9843dc4cb4 Land #1708, android meterpreter
Conflicts:
	data/meterpreter/ext_server_stdapi.jar
2013-05-28 12:19:45 -05:00
agix b92ae7779e change author name 2013-05-19 16:16:25 +02:00
agix 6db1fea6b9 create x64_reverse_https stagers 2013-05-13 01:41:56 +02:00
timwr fa241ab11e camera fixes and add wav header to audio record 2013-05-03 01:43:50 +01:00
timwr 2316c23f17 include javapayload in the dx build path 2013-05-02 16:17:56 +01:00
Michael Schierl a13cf53b9f Android Meterpreter bugfixes
- classes.dex gets mangled on windows; use binary mode when reading it
- UnknownHostExceptions on API Level 3 emulator because of trailing
  whitespace after the hostname/IP
- Work around integer overflow at year 2038 when signing the payload
2013-05-01 18:01:37 +02:00
timwr a2f8b3dbec Merge pull request #3 from schierlm/android-deploy-profiles
Call dx from Maven profile
2013-05-01 08:18:31 -07:00
Michael Schierl 438529d860 Call dx from Maven profile
Convert the dx calls from build.sh to equivalent exec calls in Maven
deploy profile.

While this commit takes into account differences between Windows and *nix,
it was only tested on Windows, and the resulting binaries have not been
tested at all!

In addition, I was not able to pass individual .class file names to dx
without getting a "class name does not match path" error, so I changed it
to copy all required classes into a temp directory and call dx from there.

I also changed the cross-project paths to refer to the respective Maven
classpath, so in case you do an individual project build, the library
dependencies are taken from the Maven repository instead of taking them
from the target/ directory of the projects directly.
2013-04-27 22:20:18 +02:00
Michael Schierl af0691d205 Add animal-sniffer-plugin for Android API
Include the animal-scents for Android API in this commit, so that users
who do not have Android SDK can still check meterpreter API compatibility
with Android API. Some classes, like screenshot have been excluded since
they need AWT (but they are excluded in Android Meterpreter anyway).

To regenerate the scents file, run

mvn -Dandroid.sdk.path=... -P regenerate package
2013-04-27 20:40:55 +02:00
Michael Schierl 4abeb1b162 Use 1.4 version of net_config_get_interfaces
Apparently Android API 3 does not know the getMTU() function, which was
added in Java 1.6, and in Android API Level 9 (Gingerbread). Therefore,
fall back to the 1.4 version that does not need this API.
2013-04-27 20:39:13 +02:00
timwr 2c73323ceb make android build conditional on -Dandroid.sdk.path= 2013-04-27 00:21:13 +01:00
James Lee 01d790eb54 Land #1748, fix for java meterp network prefixes
[Closes #1748]
2013-04-24 12:27:28 -05:00
Tod Beardsley 1112daaff2 Remove msfgui and armitage
This removes the Armitage and MSFGui components from the Metasploit
distribution. You can track the latest stable releases of these
alternate GUIs here:

MSFGui: http://www.scriptjunkie.us/msfgui/
Armitage: http://www.fastandeasyhacking.com/download
2013-04-22 15:26:44 -05:00
Michael Schierl e98d510deb Fix incorrect network prefix in Java Meterpreter
Apparently, getNetworkPrefixLength can return -1, which confuses the Ruby
side. Therefore fall back to guessing the prefix in this case, as we do it
for Java <= 1.6.
2013-04-20 23:10:46 +02:00
jvazquez-r7 9fca89f70b fix small issues 2013-04-20 01:43:14 -05:00
jvazquez-r7 19f2e72dbb Added module for Java 7u17 sandboxy bypass 2013-04-20 01:43:13 -05:00
timwr 0d0c728da4 fix obvious breakage 2013-04-18 10:24:50 +01:00
timwr df9c5f4a80 remove unused resources and fix whitespace 2013-04-13 16:22:52 +01:00
timwr 32bd812bdb android meterpreter 2013-04-12 18:57:04 +01:00
James Lee 8376531a32 Land #1217, java payload build system refactor
[Closes #1217]
2013-04-11 13:10:03 -05:00
James Lee e3eef76372 Land #1223
This adds rc4-encrypting stagers for Windows.

[Closes #1223]
2013-04-10 12:14:52 -05:00
James Lee b3c78f74d2 Whitespace 2013-04-10 09:28:45 -05:00
jvazquez-r7 c225d8244e Added module for CVE-2013-1493 2013-03-26 22:30:18 +01:00
scriptjunkie 1b6398d4fd Service autoconnect, DB fixes
First check if database is connected before trying to connect.
Autologin in Kali with new token login.
2013-03-25 20:44:48 -05:00
scriptjunkie 438d348fda Kali fixes
Check the new database config location.
Don't crash on sporadic JRE style error.
2013-03-24 21:00:38 -05:00
scriptjunkie 16fad29cb0 Update creds schema. 2013-03-12 23:07:40 -05:00
sinn3r e1859ae4b6 Merge branch 'rsmudge-armitage' 2013-03-06 19:31:44 -06:00
sinn3r a30b61e4aa Merge branch 'rsmudge-armitage' 2013-03-06 16:39:00 -06:00
Raphael Mudge 4ab8315db0 Armitage 03.06.13
Apparently, my last update came from the future. This modification
to that future update fixes an oversight preventing Armitage from
connecting to its collaboration server because it would report the
wrong application.
2013-03-04 23:11:20 -05:00
James Lee a74b576a0f Merge branch 'rapid7' into rsmudge-authproxyhttpstager 2013-03-04 17:50:48 -06:00
Raphael Mudge 59d2f05c94 Armitage 04.06.13
This update to Armitage improves its responsiveness when connected
to a team server over a high latency network. This update also adds
a publish/query/subscribe API to Cortana.
2013-03-04 18:32:45 -05:00
Michael Schierl 9e499e52e7 Make BindTCP test more robust
The BindTCP test contained a race condition: if the bind payload took
longer to load than the handler, it could result in a

ConnectException: Connection refused: connect

Work around this by retrying the connection up to 10 times, with 500ms
delay in between.
2013-03-03 21:08:06 +01:00
Michael Schierl b75d1d3b70 Antivirus can interfere with compiling
Add a note about it into COMPILING.txt.
2013-03-03 21:07:08 +01:00
RageLtMan 754b32e9db shameless plug for posterity in stager asm 2013-02-28 17:30:27 -05:00
RageLtMan 3778ae09e9 This commit adds DNS resolution to rev_tcp_rc4
Due to the modular structure of payload stages its pretty trivial
to add DNS resolution instead of hard-coded IP address in stage0.

The only real complication here is that ReverseConnectRetries ends
up being one byte further down than in the original shellcode. It
appears that the original rev_tcp_dns payload suffers from the same
issue.

Hostname substitution is handled in the same method as the RC4 and
XOR keys, with an offset provided and replace_vars ignoring the
hostname.

Tested in x86 native and WOW64 on XP and 2k8r2 respectively.

This is a good option for those of us needing to leave persistent
binaries/payloads on hosts for long periods. Even if the hostname
resolves to a malicious party attempting to steal our hard earned
session, they'd be hard pressed to crypt the payload with the
appropriate RC4 pass. So long as we control the NS and records, the
hardenned shellcode should provide a better night's sleep if running
shells over the WAN. Changing the RC4 password string in the
shellcode and build.py should reduce the chances of recovery by RE.

Next step will likely be to start generating elipses for ECDH SSL
in meterpreter sessions and passing them with stage2 through the
RC4 socket. If P is 768-1024 the process is relatively quick, but
we may want to precompute a few defaults as well to have 2048+.
2013-02-28 02:59:20 -05:00
Raphael Mudge 788c96566f Allow HTTP stager to work with authenticated proxies
The HttpOpenRequest function from WinINet requires the
INTERNET_FLAG_KEEP_CONNECTION flag to communicate through an
authenticated proxy.

From MSDN ( http://tinyurl.com/chwt86j ):

"Uses keep-alive semantics, if available, for the connection. This
 flag is required for Microsoft Network (MSN), NT LAN Manager (NTLM),
 and other types of authentication."

Without this flag, the HTTP stager will fail when faced with a proxy
that requires authentication. The Windows HTTPS stager does not have
this problem.

For HTTP Meterpreter to communicate through an authenticated proxy a
separate patch will need to be made to the Meterpreter source code.
This is at line 1125 of source/common/core.c in the Meterpreter source
code.

My motivation for this request is for windows/dllinject/reverse_http
to download a DLL even when faced with an authenticated proxy. These
changes accomplish this.

Test environment:

I staged a SmoothWall device with the Advanced Proxy Web Add-on. I
enabled Integrated Windows Authentication with a W2K3 DC. I verified
the HTTP stager authenticated to and communicated through the proxy
by watching the proxy access.log
2013-02-24 17:33:00 -05:00
jvazquez-r7 f04df6300a makefile updated 2013-02-21 13:44:37 +01:00
jvazquez-r7 da9e58ef79 Added the java code to get the ser file 2013-02-20 18:14:24 +01:00
jvazquez-r7 d88ad80116 Added first version of cve-2013-0431 2013-02-20 16:39:53 +01:00
sinn3r 398e6cb202 Merge branch 'rsmudge-armitage' 2013-02-13 10:38:30 -06:00
Raphael Mudge 596b62b831 Armitage 02.12.13 - Distributed Operations
This update adds the ability to manage multiple team server instances
through one Armitage client. This update also adds nickname completion
to the event log. Several bug fixes are included too.
2013-02-11 21:20:03 -05:00
scriptjunkie 447f78cb24 Handle nonstandard ports when starting new msfrpcd. 2013-02-04 17:24:41 -06:00
jvazquez-r7 ee2fed8335 Merge branch 'master' of https://github.com/booboule/metasploit-framework into booboule-master 2013-01-24 16:18:06 +01:00
booboule afa32c7552 Update external/source/exploits/cve-2012-5076_2/Makefile
Wrong directory path
2013-01-23 20:18:24 +01:00
booboule d2b75ad005 Update external/source/exploits/cve-2012-5088/Makefile 2013-01-23 12:42:33 +01:00
sinn3r e376bb6fab Merge branch 'rsmudge-armitage' 2013-01-22 22:52:35 -06:00
Raphael Mudge 8c86c49d43 Armitage 01.23.13
This update to Armitage adds the ability to assign labels to hosts
and create dynamic workspaces based on these labs. This update also
adds helpers to configure USERNAME/PASSWORD options and EXE::Custom
and EXE::Template. Several bugs were fixed as well.
2013-01-22 22:48:16 -05:00
jvazquez-r7 807bd6e88a Merge branch 'java_jre17_glassfish_averagerangestatisticimpl' of https://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-java_jre17_glassfish_averagerangestatisticimpl 2013-01-22 15:33:39 +01:00
jvazquez-r7 ef16a7fd24 cleanup 2013-01-17 21:45:13 +01:00
jvazquez-r7 670b4e8e06 cleanup 2013-01-17 21:39:41 +01:00
jvazquez-r7 78279a0397 Added new module for cve-2012-5076 2013-01-17 21:27:47 +01:00
jvazquez-r7 d0b9808fc7 Added module for CVE-2012-5088 2013-01-17 21:14:49 +01:00
jvazquez-r7 51f3f59d2f cve and references available 2013-01-11 00:54:53 +01:00
jvazquez-r7 e503d596ed code indention for exploit.java fixed 2013-01-10 20:34:58 +01:00
jvazquez-r7 876d889d82 added exploit for j7u10 0day 2013-01-10 20:30:43 +01:00
HD Moore 4eb35b5c1d Fix typo in license text 2013-01-07 23:29:49 -06:00
Tod Beardsley 2ae8a08db9 Add license for Byakugan, per e-mail from Lurene.
Ask pusscat@metasploit.com if you don't believe me -- got her license
statement today.
2013-01-07 22:06:20 -06:00
Tod Beardsley 7d1752d858 Merge pull request #1246 from rsmudge/armitage
Armitage Updates and Bug Fixes
2013-01-04 11:19:03 -08:00
Raphael Mudge 5348127fd2 Metasploit 4.5 Installer Environment Tweak
Armitage on Windows requires the user to specify their MSF
install folder. This tweak checks for an MSF 4.5 environment
and updates the specified folder to make everything work.

Like magic.
2013-01-04 13:08:47 -05:00
Raphael Mudge a79f2fa8d1 Armitage Updates and Bug Fixes
This is Armitage release 01.04.13. This update fixes several bugs
and improves the user experience launching *_login modules from
Armitage. This update adds a Windows 8 icon and includes a fix to
better work with the Metasploit 1.45 installer's environment.
2013-01-04 12:05:09 -05:00
Michael Schierl 46a5c4f4bf Improve RC4 shellcode
ESI is not clobbered; no need to clear EDX as only DL is filled before and
it is overwritten before use.

Shellcodes in ruby modules not regenerated, but I guess you want to
regenerate them again anyway :-)
2013-01-01 11:25:17 +01:00
Michael Schierl cb06262002 Add shellcode for RC4 bind and reverse stagers
Those stagers will encrypt the initial stage with a 128-bit RC4 key and
the stage length with a XOR key. Both keys are embedded in the stager.

This should provide good evasion capabilities in addition to some
protection against MITM reversing (if the stager is sent a different
route, like in an executable on an USB key).

Note that, from a cryptanalyst's standpoint, it is a bad idea to reuse the
same stager (or stagers with the same RC4 and XOR keys) more than once
since an identical key will result in an identical keystream and make
correlation attacks easy. But I doubt that matters in practice.

Also note that since communication after the initial statging is not
encrypted, these stagers should be used in combination with additional
encryption support in the payloads (like Meterpreter).
2012-12-31 22:33:29 +01:00
Michael Schierl b4fd341fb6 Add shellcode for RC4 decoding
Provided as a block to be included into stagers and/or decoder stubs.
Also included is a test shellcode that can be used for verifying that the
algorithm is compatible to Ruby's OpenSSL RC4 algorithm.
2012-12-31 22:33:28 +01:00
Tod Beardsley daf5465bbd Whitespace Cleanup 2012-12-27 09:08:40 -06:00
Alexandre Maloteaux 91ad23f79e pcaprub typo 2012-12-25 19:33:07 +01:00
Michael Schierl ca967efee6 Add unit tests for JavaPayload
Downgrad JUnit version since JUnit 4 can only work with -target 1.5 or
higher class files.

Covered are Shell and Meterpreter stage, StreamForwarder, MemoryBuffer,
AESEncryption and Payload (Bind, Reverse, Spawn, AESPassword).
2012-12-21 19:22:41 +01:00
Michael Schierl 6401f36afb Add version compatibility checks for JavaPayload
Check JavaPayload and Java Meterpreter against version incompatibilities
for Java 1.2, 1.3, 1.4, 1.5, and 1.6.

Note that webcam_audio_record is currently excluded from the checks, as it
uses Sun proprietary API for building the WAV file and is therefore
failing the build (and will most likely crash Meterpreter if run on a JVM
of version 1.4 or later that is not based on the Sun/Oracle JVM).

Possible workarounds (apart from either removing the module or changing it
to produce empty files when WAV creation is not supported) include
implementing the WAV file writer ourselves or providing raw PCM files
instead.
2012-12-21 14:37:46 +01:00
Michael Schierl d71b2c35a8 Convert Java Meterpreter project to use Maven
Functionality and build result is 1:1 the same as before. Auxiliary ant
targets have been converted to Maven profiles.
2012-12-21 01:17:57 +01:00
Michael Schierl 2d03b747c0 Convert JavaPayload project to use Maven
Functionality and build result is 1:1 the same as before. Auxiliary ant
targets have been converted to Maven profiles.
2012-12-21 00:09:06 +01:00
Michael Schierl f204a64cdd Move Java meterpreter next to JavaPayload
to make further refactoring easier
2012-12-20 22:28:25 +01:00
jvazquez-r7 133ad04452 Cleanup of #1062 2012-12-07 11:55:48 +01:00
HD Moore 1c09279bbd Add placeholder directories for PSSDK 2012-11-28 15:10:35 -08:00
jvazquez-r7 fd1557b6d2 Merge branch 'msi_elevated' of https://github.com/Meatballs1/metasploit-framework into Meatballs1-msi_elevated 2012-11-28 21:49:36 +01:00
Meatballs1 bc9065ad42 Move MSI source and binary location 2012-11-27 18:12:49 +00:00
Tod Beardsley 8d6289d8d6 Merge remote branch 'rsmudge/armitage' 2012-11-26 10:52:06 -06:00
Raphael Mudge a2615102c9 Armitage 11.26.12 - several usability enhancements and bug fixes. 2012-11-25 20:51:32 -05:00
scriptjunkie 39dee758e6 Remember last options used for each module, and fill them in by default. 2012-11-17 10:08:45 -06:00
jvazquez-r7 5076198ba2 fixing bperry comments 2012-11-11 20:18:19 +01:00
jvazquez-r7 08cc6d56ec updated java source 2012-11-11 20:11:33 +01:00
jvazquez-r7 c07701f61e Makefile updated 2012-11-11 17:44:27 +01:00
jvazquez-r7 1528ccf423 added Makefile for java code 2012-11-11 17:43:57 +01:00
jvazquez-r7 8619c5291b Added module for CVE-2012-5076 2012-11-11 17:05:51 +01:00
Raphael Mudge eee6248795 Armitage 10.16.12 - a lot of bug fixes. 2012-10-15 19:19:31 -04:00
HD Moore f2dd4d4e53 Upgrade KissFFT to 1.3.0 and Gemize 2012-10-09 23:57:55 -05:00
sinn3r 02617a6f3a Merge branch 'feature/redmine-7224-shellcode-cleanup' of https://github.com/jlee-r7/metasploit-framework into jlee-r7-feature/redmine-7224-shellcode-cleanup 2012-10-04 00:43:34 -05:00
scriptjunkie 10e1574d8a Bugfix with dragging tabbed panes when right-clicked.
Also don't displaly annoying null pointer error when no connection.
2012-09-22 16:32:18 -05:00
James Lee f38ac954b8 Update linux stagers for NX compatibility
- Adds a call to mprotect(2) to the reverse and bind stagers

- Adds accurate source for some other linux shellcode, including some
  comments to make it more maintainable

- Adds tools/module_payload.rb for listing all payloads for each exploit
  in a greppable format. Makes it easy to find out if a payload change
  causes a payload to no longer be compatible with a given exploit.

- Missing from this commit is source for reverse_ipv6_tcp
2012-09-12 18:44:00 -05:00
m m 40b383e247 I was pretty sure to have removed those fclose before 2012-09-12 13:11:24 -05:00
m m 76e05dff30 fix netstat program name 2012-09-12 13:11:24 -05:00
m m 2ec92030ae fix netstat program name 2012-09-12 13:11:24 -05:00
sinn3r c4fb285288 Merge branch 'armitage' of https://github.com/rsmudge/metasploit-framework into rsmudge-armitage 2012-09-05 13:48:09 -05:00
Raphael Mudge e8b3f0193b Armitage 09.05.12 - this release detects several user errors on startup (incorrect permissions, whitespace in the host/port/user/pass parameters, etc.). This release also cleans up the token stealing dialog. 2012-09-05 01:54:28 -04:00
James Lee 66705e4a5d Add BSD license to unixasm, thanks Ramon! 2012-09-04 15:02:00 -05:00
James Lee 7afd470eb0 Clean up linux shellcode Makefile
Now you can "make single_bind_tcp_shell", or the like, and build one
payload instead of the kludgy embedded shell script that always builds
all of them.

Need to do the same with BSD.
2012-09-04 04:23:48 -05:00
sinn3r d37b52c9d3 Update source information 2012-08-30 17:48:02 -05:00
James Lee c86b3c64a9 Whitespace at EOL 2012-08-28 17:02:37 -05:00
James Lee dd9ef0c7e5 Fix crash with long exe name in process list
Instead of invoking the Watson crashamajigger when the process
associated with a connection has a long executable name, truncate to the
length available in the buffer.

[See #609]
2012-08-28 17:02:37 -05:00
m m bcfaf577ec fix typo 2012-08-28 17:02:37 -05:00
m m c1ca9fea79 netstat and arp commands in win32/posix meterpreter 2012-08-28 17:02:37 -05:00
jvazquez-r7 363c0913ae changed dir names according to CVE 2012-08-28 16:33:01 +02:00
jvazquez-r7 52ca1083c2 Added java_jre17_exec 2012-08-27 11:25:04 +02:00
sinn3r f715527423 Improve CVE-2012-1535 2012-08-21 19:58:21 -05:00
Tod Beardsley f46545db58 Merge pull request #700 from rsmudge/armitage
Armitage 08.16.12
2012-08-18 05:55:26 -07:00
Raphael Mudge a6e50497f0 Armitage 08.16.12 - several little fixes and updates. Nothing to write home to mom about. 2012-08-17 16:25:22 -04:00
sinn3r 13df1480c8 Add exploit for CVE-2012-1535 2012-08-17 12:16:54 -05:00
James Lee 9d2c1e36dd Store the value, not the comparison
Fixes client.sys.process.execute for posix, which previously (since
2010!) would always return nil, or a single byte. This makes sense
considering the value of bytesRead would always be either 0 or 1 because
it was being assigned the result of the comparison instead of the return
value of read().

[Fixes #681]
2012-08-09 18:18:45 -06:00
James Lee c19102c6f1 Return the PID as handle in posix
Fixes some TypeError exceptions when attempting most operations on
spawned processes, e.g.:

  p = client.sys.process.execute("/bin/sh", nil, "Channelized"=>true)
  p.close
  # raises TypeError: can't convert nil into Integer

[FIXRM #7005]
2012-08-08 15:23:00 -06:00
HD Moore fac4ba270c Merge pull request #662 from rsmudge/armitage
Armitage 08.02.12 - adds Cortana scripting technology.
2012-08-02 14:31:11 -07:00
Raphael Mudge 32ee1263f9 Armitage 08.02.12 - adds Cortana scripting technology. 2012-08-02 13:24:15 -04:00
m m 5531fd18a0 Really limit packet count and data in linux sniffer
Squashed commit of the following:

commit 57795ff9c33a53167fca85845b96b82b5c92315f
Author: James Lee <egypt@metasploit.com>
Date:   Wed Aug 1 14:13:20 2012 -0600

    Add recompiled sniffer bin for linux

commit 0e11fdb06fcb9771a11eb631e6f10ec7a2d315f3
Author: m m <gaspmat@gmail.com>
Date:   Thu Jul 12 15:08:10 2012 +0200

    really limit packet count and data in linux sniffer

[Closes #605]
2012-08-01 14:16:00 -06:00
James Lee e200f43183 Squashed commit of the following:
commit 1de16b41c8808df2919706eaa8cc89ae44d9b591
Author: m m <gaspmat@gmail.com>
Date:   Mon Jul 9 21:55:32 2012 +0200

    typo

commit a396b55018175f3eb2a83baecb1ec601cc99eef4
Author: m m <gaspmat@gmail.com>
Date:   Mon Jul 9 21:51:32 2012 +0200

    various posix meterpreter bugfixes

[Closes #584]
[FIXRM #7042]
2012-07-19 15:56:47 -06:00
m m 6605e2910c Squashed commit of the following:
commit f0a1d2ad004e5c77cc4d5dcc71935aa530f1729f
Author: m m <gaspmat@gmail.com>
Date:   Tue Jul 17 11:56:43 2012 +0200

    linux meterpreter : correct netmask computation

[Closes #613]
2012-07-19 14:22:39 -06:00
sinn3r 54576a9bbd Last touch-up
The contents of this pull request are very similar to what the msf
dev had in private, so everybody is credited for the effort.
2012-07-10 00:37:07 -05:00
LittleLightLittleFire 956ec9d1da added Makefile for CVE-2012-1723 2012-07-10 14:12:07 +10:00
LittleLightLittleFire e9ac90f7b0 added CVE-2012-1723 2012-07-10 12:20:37 +10:00
sinn3r 6dee4781df Merge branch 'armitage' of https://github.com/rsmudge/metasploit-framework into rsmudge-armitage 2012-07-05 18:47:07 -05:00
Raphael Mudge 6c53dffa50 Armitage 07.05.12
This release fixes a few small bugs.
2012-07-05 18:19:59 -04:00
Stephen Fewer df7a093eb8 force the eip() function to never be inlined under x64 in order to avoid an error being introduced when some unexpected compiler flags are being used. Now the compiler flags used (/O1, /O2, ...) shouldnt pose any problem 2012-07-02 17:40:57 +01:00
HD Moore c31f70cfb6 Switch to METERPRETER_UA as intended 2012-07-02 00:02:47 -05:00
HD Moore 27bdf78a5a Add support for user-agent control 2012-06-30 23:00:08 -05:00
jvazquez-r7 38abeeb235 changes on openfire_auth_bypass 2012-06-27 23:16:07 +02:00
jvazquez-r7 245205c6c9 changes on openfire_auth_bypass 2012-06-27 23:15:40 +02:00
jvazquez-r7 6ec990ed85 Merge branch 'Openfire-auth-bypass' of https://github.com/h0ng10/metasploit-framework into h0ng10-Openfire-auth-bypass 2012-06-27 23:09:26 +02:00
h0ng10 6cc8390da9 Module rewrite, included Java support, direct upload, plugin deletion 2012-06-26 11:56:44 -04:00
HD Moore 6556eecfda Update project 2012-06-24 14:03:58 -05:00
HD Moore 211b722ec1 Update project 2012-06-24 14:03:57 -05:00
HD Moore c1d143e580 Remove left over debug statements 2012-06-24 14:03:56 -05:00
HD Moore 3c7e87bacf Add missing project files 2012-06-24 14:03:54 -05:00
HD Moore 11b875d84d Checkin new code 2012-06-24 14:03:53 -05:00
HD Moore 2d0d5287d2 Commit EncodePointer stubs as a reference (temporary) 2012-06-24 14:03:52 -05:00
h0ng10 65197e79e2 added Exploit for CVE-2008-6508 (Openfire Auth bypass) 2012-06-24 07:35:38 -04:00
sinn3r 54309c3c3d Merge branch 'armitage' of https://github.com/rsmudge/metasploit-framework into rsmudge-armitage 2012-06-24 02:25:38 -05:00
Raphael Mudge 322e0766a1 Armitage 06.23.12 2012-06-23 13:03:55 -04:00
jvazquez-r7 b891e868f5 Added actionscript and swf needed 2012-06-23 08:36:35 +02:00
HD Moore a648c24b4e Move builds to VC10 2012-06-21 23:51:46 -05:00
HD Moore c5e9e5d374 Add Windows 8 / Server 2012 support to sysinfo 2012-06-21 23:50:29 -05:00
Steven Seeley fcf42d3e7b added adobe flashplayer array indexing exploit (CVE-2011-2110) 2012-06-20 12:52:37 +10:00
Michael Schierl 34ecc7fd18 Adding @schierlm 's AES encryption for Java
Tested with and without AES, works as advertised. Set an AESPassword,
get encryptification. Score.

Squashed commit of the following:

commit cca6c5c36ca51d585b8d2fd0840ba34776bc0668
Author: Michael Schierl <schierlm@gmx.de>
Date:   Wed Apr 4 00:45:24 2012 +0200

    Do not break other architectures
    even when using `setg AESPassword`

commit 422d1e341b3865b02591d4c135427903c8da8ac5
Author: Michael Schierl <schierlm@gmx.de>
Date:   Tue Apr 3 21:50:42 2012 +0200

    binaries

commit 27368b5675222cc1730ac22e4b7a387b88d0d2b3
Author: Michael Schierl <schierlm@gmx.de>
Date:   Tue Apr 3 21:49:10 2012 +0200

    Add AES support to Java stager

    This is compatible to the AES mode of the JavaPayload project.

    I'm pretty sure the way I did it in the handlers (Rex::Socket::tcp_socket_pair())
    is not the supposed way, but it works :-)
2012-06-11 16:13:25 -05:00
James Lee 1be9ce8649 Fixes command parsing in Post::Common
The meterpreter API wants arguments in a seperate string (not an array,
mind you) just so it can concatenate them on the server side.
Originally, I worked around that by using Shellwords.shellwords to pull
out the first token. But! Shellwords.shellwords inexplicably and
inexcusably removes backslashes in ways that make it impossible to quote
things on Windows. This commit works around both of those things.
2012-06-07 22:24:59 -06:00