infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
33,841 Commits
7 Branches
556 Tags
421 MiB
Commit Graph

10709 Commits (7f27fd0cf2c4ccbd9612e39a85c4fdcece4935ff)

Author SHA1 Message Date
Samuel Huckins c0b0a95d95 Merge branch 'master' of git://github.com/rapid7/metasploit-framework 2015-05-19 08:39:10 -05:00
OJ 9fddc21cf3 Shaved another sneaky byte off the payload 2015-05-19 21:21:07 +10:00
OJ 6e96e6d118 Shellcode golf to make the payload smaller 
Tried to implement some more of the stuff that egypt suggested, managed
to get some in, but not others. Ultimately, its smaller than it was, and
I'm sure there are ways to make it better as well.
 2015-05-19 21:17:42 +10:00
OJ 62720ab357 Fix the wininet stager for http/s 
For some reason this was only working on Windows7/2008, yet when tired
on Windows 2012 it was resulting in crashes. It was also stopping
working in exploits such as psexec_psh.

Went back to the beginning and started again. With this in place, we can
now do a bit of shellcode golf to make it a bit smaller.

Adjusted payload sizes as well.
 2015-05-19 20:03:22 +10:00
HD Moore 9d7e54f360 Add the UUID subdirectory, including initial DB class 2015-05-18 23:41:22 -05:00
HD Moore c7932855f2 Move UUIDOptions to UUID::Options 2015-05-18 23:35:18 -05:00
HD Moore 448736989d Merge branch 'master' into feature/msfvenom-smallest 2015-05-18 18:41:44 -05:00
Brent Cook 84060bbaeb
Land #5370, support specifying maximum encoder space with msfvenom 2015-05-18 16:43:12 -05:00
HD Moore 9dd82d94ae Exclude Manual ranked encoders from automatic selection, these can still be specified with -e 2015-05-18 15:47:15 -05:00
HD Moore 71eab7a236 Implements msfvenom --smallest, still some blockers 2015-05-18 15:24:59 -05:00
Brent Cook 657746c97f
Land #5364, fix endian in meterpreter config block 2015-05-18 15:23:42 -05:00
HD Moore a82168d7bb Fixes #5361 by adding --encoder-space to msfvenom 2015-05-18 14:27:52 -05:00
Samuel Huckins e2c6742c1b Merge branch 'master' of git://github.com/rapid7/metasploit-framework 2015-05-18 13:44:01 -05:00
David Maloney 7376d4d94e
account for public only credentials in #to_s 
SNMP in particular will only have a public, so we need
to account for this so we don't output poorly formed text
with a trailing ':' char

5266
 2015-05-18 13:42:15 -05:00
David Maloney c69b6b2b8b
only issue db warning once 
cache the fact that we have issued the db warning
so we do not issue it for every credential attempt
on the module run.

5266
 2015-05-18 13:41:18 -05:00
OJ e7f80042d4 Finalise work on the bind_ipv6_tcp stager for UUID support 2015-05-18 21:19:04 +10:00
OJ 593f6e5fc4 Fix issue with bind UUID 2015-05-18 20:25:15 +10:00
OJ 9296a024e2 PHP meterpreter refactoring in prep for uuid work 2015-05-18 17:40:48 +10:00
OJ 27cdc588c8
Merge module include fix from stager update 2015-05-18 15:00:05 +10:00
OJ 677acb22a4 Fix up module include in x64 winhttp 2015-05-18 14:59:49 +10:00
OJ 4488a5e634 Add uuid support to python, and rework stages/stagers 2015-05-18 14:33:35 +10:00
OJ 0d56b3ee66 Stage UUIDs, generation options, php and python meterp uuid 2015-05-18 13:29:46 +10:00
OJ bf2b113abb
Merge branch 'upstream/master' into update-x64-stagers 2015-05-18 13:28:36 +10:00
OJ 8bd41a3834
Land #5354 - transport config fallback in stager 2015-05-18 10:16:44 +10:00
OJ 8b2e5c88d9 Adjust transport config fallback to include https 2015-05-18 10:16:09 +10:00
OJ dbe4f3f1c8 Adjust single pack statement, fix up some quotes 
* Moved over to using single quotes for strings that don't need
escaping or interpolation.
* Changed one pack spec to be "more correct". Thankfully, we were only
packing 0 so the endianness isn't a problem, however it should be
correct, hence the fix.
 2015-05-18 09:29:48 +10:00
OJ 178ba50b98
Merge branch 'upstream/master' into rage-stager-transport 2015-05-17 20:09:50 +10:00
OJ d725554a87 Fix UUID code so that it always deals with 16 bytes 
Also re-add the payload ID to session validation now that the UUID stuff
is reliable.
 2015-05-17 17:49:21 +10:00
OJ 37e4d71a6a Remove check for UUID in the valid session check 
This is causing sessions to fail because meterpreter isn't doing the
right thing. I have another fix in the works which will properly solve
this, but in the short term the best way of solving the problem is to
remove this line.
 2015-05-17 17:13:54 +10:00
RageLtMan 11e715ae46 Configure transport from stager mixin 
Transport configuration for basic session types can be performed
by the stager mixin.

Add a default transport_config method to Msf::Payload::Stager by
mixing in Msf::Payload::TransportConfig and attempting to guess
the default tranport and direction types from the currently loaded
module's (MSF module) refname.

Users with custom payloads will no longer need to update them with
transport_config methods unless they use a non standard transport,
direction, or other innovation which affects the default approach.

Testing:
  Tested with payloads lacking transport_config methods or access
to the TransportConfig module (Ruby) namespace. This also resolves
problems with the RC4 payloads in upstream as they can't currently
generate stagers for meterpreter.
 2015-05-17 03:03:17 -04:00
Brent Cook b1507f6d2a
Land #5339, support for 'sleep' with meterpreter sessions 2015-05-15 18:14:37 -05:00
Brent Cook fb3a2079f2 Merge branch 'master' into land-5339-sleep 2015-05-15 18:00:52 -05:00
David Maloney 7d44d6d67a
client side for new sysinfo fields 
added Domain and Logged On Users fields to
the meterpreter sysinfo command

MSP-12715
 2015-05-15 15:09:33 -05:00
Brent Cook 5cf6d28c34
Land #5426, use RAW for TLV hash binary data 2015-05-15 11:54:45 -05:00
Brent Cook 93ba08738c add backward compatibility for hash responses 2015-05-15 11:53:12 -05:00
jvazquez-r7 3c92d5365e
Lnad #5334, @wchen-r7's deletes unnecessary check on mysql_drop_and_create_sys_exec 2015-05-15 11:51:21 -05:00
wchen-r7 25099dd877
Land #5212, HTA Powershell template 2015-05-15 11:49:07 -05:00
wchen-r7 3bc3614be6 Do a check for powershell.exe before running it. 2015-05-15 11:48:21 -05:00
jvazquez-r7 4c1558b398
Land #5331, @wchen-r7's fixes #5330 by using print_warning 2015-05-15 11:42:57 -05:00
jvazquez-r7 b7b00666fa
Use parenthesis 2015-05-15 11:41:14 -05:00
jvazquez-r7 d05cae5faf
Land #5329, @wchen-r7's add configurable options to jenkins_login 2015-05-15 11:38:21 -05:00
Brent Cook c614f6059d Merge branch 'master' into land-5326- 2015-05-15 11:29:54 -05:00
David Maloney ac04b8d1e7
a little bit of cleanup 
constantise some of the magic numbers in
the NTDS Account class

MSP-12358
 2015-05-15 10:47:31 -05:00
Brent Cook 1653acd527
Land #5344, print payload size from msfvenom 2015-05-15 09:49:05 -05:00
Samuel Huckins 3d905418f4 Merge branch 'master' of github.com:rapid7/metasploit-framework 2015-05-15 00:20:59 -05:00
OJ 7b2aee2a60
Merge branch 'upstream/master' into update-x64-stagers 2015-05-15 12:27:40 +10:00
OJ 1ff6d6298e Remove stray comma causing help to be incorrect 2015-05-15 09:23:55 +10:00
OJ 7c013c0486
Merge branch 'upstream/master' into add-transport-sleep 2015-05-15 08:00:04 +10:00
David Maloney 92799266c6
fix typo 
you happy now?
 2015-05-14 15:06:01 -05:00
David Maloney 724b7c6f16
save the ntlm hases as creds 
the last step is now complete. the current and historical
hashes are all saved to the database for cracking and/or
replay

MSP-12358
 2015-05-14 13:52:11 -05:00
David Maloney 452fc6b149
Merge branch 'feature/MSP-12357/meterp-ntds' into feature/MSP-12358/ntds-dump-module 2015-05-14 10:31:28 -05:00
David Maloney 6e813f6abd
Merge branch 'master' into feature/MSP-12357/meterp-ntds 2015-05-14 10:30:48 -05:00
Samuel Huckins a5c5360afd Merge branch 'master' of github.com:rapid7/metasploit-framework 2015-05-14 08:45:53 -05:00
OJ 83fbd41970 Merge branch 'upstream/master' into multi-transport-support 
Conflicts:
	Gemfile.lock
	modules/payloads/singles/cmd/windows/powershell_bind_tcp.rb
 2015-05-14 14:50:25 +10:00
HD Moore 5f3947312d
Lands #5327, SSL support + refactor for PowerShell 2015-05-13 23:25:15 -05:00
wchen-r7 2e61973411 Resolve #5343, Print payload size 
Resolve #5343. Prints payload size
 2015-05-13 16:33:22 -05:00
David Maloney 9308da7956
2003 code path working 
using VSS directly on server 2003 and repairing
the database with esentutl is now working

MSP-12358
 2015-05-13 12:25:44 -05:00
benpturner 1f294eac0b Updated to remove dup code 2015-05-13 17:26:21 +01:00
Samuel Huckins 9fafb645dd
Updating Rails version comment 2015-05-13 09:37:32 -05:00
OJ 60d331fe0c Add support for a "sleep" command 
This makes meterpeter shut down it's comms and sleep for a while before
it attempts to open communications again. This is effectively the same
as doing a transport change back to the same transport, but with
a timeout.
 2015-05-13 10:13:08 +10:00
Brent Cook 9549d572cc
Land #5280, update to Ruby on Rails 4.0 
This upgrades a number of other gems as a side-effect.
 2015-05-12 16:48:49 -05:00
HD Moore b1b8f86aae
Lands #5270, improvements to Msf::ModuleSet 2015-05-12 11:01:23 -05:00
OJ 06dfdbcc2c Merge updated transport changes 
Discard changes that were made for reverse_https transport in x64 as
they no longer apply here.
 2015-05-12 10:26:39 +10:00
OJ 836feaa2d8 Fix uuid setting, fix reverse_https x64 payload 
The payload changes in this PR will be fixed up/removed in the
update-x64-stagers PR.
 2015-05-12 10:24:11 +10:00
OJ 5f735c917c Add condition before overwriting payload_uuid 2015-05-12 09:56:55 +10:00
OJ 51e6c13bc4 Adjust transport configuration include for x64/reverse_http 
Not sure how I missed this, but I did!
 2015-05-12 09:54:08 +10:00
OJ 489afd5aa1 Remove redundant check for ascii_str setting 2015-05-12 09:50:58 +10:00
OJ 849f904711 Finalise style changes as per suggestions in PR 2015-05-12 09:48:50 +10:00
OJ 474461d2a4 Merge format and structure changes from multi transport 2015-05-12 09:46:02 +10:00
OJ 69d2b8ffb1 Various code format, style changes, file moves 
As per Egypt's suggestions.
 2015-05-12 09:43:41 +10:00
OJ 42f94e70c7 Add `nil` default to exit_types, transport param order swap 
This allows for checking against exit types to be super easy instead of
having to have extra checks in place. Also changed the order of scope_id
and uri in the transport URI generation. The net effect of this is NOP
because these things only appear separately.
 2015-05-12 09:05:58 +10:00
OJ 5dfab1f426 Fix exitfunk module for x64 
The exitfunk module was using asm keywords that are considered invalid
by metasm. This commit removes these keywords and also adjusts one of
the label names to reduce the chance of a collision with other files.
 2015-05-12 08:44:03 +10:00
wchen-r7 12038ed3e1 Fix #5244, Remove unnecessary check for mysql_drop_and_create_sys_exec 
Fix #5244, MySQL is always return OK so it doesn't seem to be so
important to check res for DROP FUNCTION IF EXISTS sys_exe
 2015-05-11 14:17:51 -05:00
David Maloney f3effe5fbb
some minor cleanup 
cleanup based on feedback from Kronicdeth

MSP-12357
 2015-05-11 11:17:58 -05:00
wchen-r7 730135705d Resolve #5330, change print_error to print_warning for report_auth_info 
Resolve #5330 for more consistent deprecation style.
 2015-05-11 11:01:45 -05:00
wchen-r7 1cc44cfc31 An alternative for normalize_uri 
normalize_uri doesn't seem to work very well in our case, so
we do our own thing here.
 2015-05-11 10:42:26 -05:00
wchen-r7 10982f0a1a Login url should normalize too 2015-05-11 10:18:09 -05:00
wchen-r7 d8cc2c19d3 Fix #5315, User configurable options for jenkins_login 
Fix #5315. This patch allows the user to configure the HTTP method
for the login, as well as the URL.
 2015-05-11 10:15:49 -05:00
OJ e99d885b6b Final work on reverse_winhttps 2015-05-11 22:21:22 +10:00
OJ 68eadd9f51 More work on reverse_winhttps 2015-05-11 21:38:26 +10:00
OJ e69e6c4a73 Implement winhttp for x64 
Still has some quirks to fix up, but we're getting there. Everything
seems to work except for reverse_winhttps. I can't see why at this
point.
 2015-05-11 17:27:47 +10:00
OJ 800ab11abd Payload size adjustment, typo fix 
Woot, this somehow reduces the payload sizes by 2 bytes... woot.. or
something.
 2015-05-11 17:24:32 +10:00
OJ cbf06fcb02 Tweak reverse_winhttp to fix small issues 
Now working fine with proxy settings.
 2015-05-11 17:24:32 +10:00
OJ 679bb46f86 Refactoring, exitfunk fix, block_api_hash func 2015-05-11 17:24:32 +10:00
OJ 99fdfe31f1 More tidying/refactoring of the stagers 2015-05-11 17:24:31 +10:00
OJ 4686691753 Interim commit while juggling some other code 2015-05-11 17:24:31 +10:00
OJ 0820bc5dd5 Small bits of tidying up for reverse_winhttp/s 
Refactoring, ready to get the proxy stuff going.
 2015-05-11 17:24:31 +10:00
OJ 21397b46aa Add proxy user/pass to x64 reverse_http/s 2015-05-11 17:24:31 +10:00
OJ 9312c0ea46 Add proxy host support to x64 reverse_http/s 
Proxy user/pass coming shortly.
 2015-05-11 17:24:31 +10:00
OJ b922da8f80 Add support for x64 reverse_http 
Still need to bake in support for proxies in the stagers, but wer'e
getting there.
 2015-05-11 17:24:31 +10:00
OJ 15e9fb7e40 Port reverse_https (wininet) x64 to metasm 
This laid the groundwork for implementation of reverse_http as well.
 2015-05-11 17:24:31 +10:00
OJ 29649ff881 Fix proxy config not making it through 2015-05-11 17:24:02 +10:00
Tim d3ba84b378
Add TLV_TYPE_FILE_HASH 2015-05-10 14:18:16 +01:00
Meatballs 706e304849
Land 5299, implement shell_command for PS sessions 2015-05-09 11:23:43 +01:00
Meatballs 98d531e053
Check if session responds to response_timeout 2015-05-09 11:21:45 +01:00
Brent Cook 1a98c5ddc5
Land #5320, fix SSL weak cipher results 
This adds a fallback for deprecated ciphers that are no longer exported
current SSL libraries.
 2015-05-08 18:19:25 -05:00
Brent Cook d3730ae18c include a list of deprecated ciphers in the sslscan result 
Allow recording remote deprecated cipher support even if the local OpenSSL
library does not support negotiating that cipher.
 2015-05-08 18:05:00 -05:00
jvazquez-r7 c103779eab
Land #5080, @bcook-r7's 'ls' and 'download' meterpreter improvements 2015-05-08 18:02:16 -05:00
jvazquez-r7 422e261b36
Use parenthesis 2015-05-08 17:59:04 -05:00
Brent Cook 2f9205abc3 recover consistent parenthesis usage 2015-05-08 14:15:06 -05:00
Brent Cook 8d5ef42c2d be sure to pass the pattern more than one level deep 2015-05-08 14:03:12 -05:00
OJ 79753f719f Slight fix to the transport config 2015-05-08 18:36:30 +10:00
OJ ba3266803a Add transport configuration to reverse_http/s 2015-05-08 18:32:48 +10:00
OJ 5111abdd09 Add transport config entry to reverse_winhttp 2015-05-08 18:15:24 +10:00
William Vu 508574970c
Land #5307, Brocade login scanner resurrection 2015-05-07 22:43:39 -05:00
William Vu 8d3737d13c Fix some stylistic issues 2015-05-07 22:43:23 -05:00
William Vu 71518ef613
Land #5303, metasploit-payloads Java binaries 2015-05-07 22:39:54 -05:00
William Vu 2f2169af90 Use single quotes consistently 2015-05-07 22:39:36 -05:00
benpturner ef59d1f7c4 Markers 2015-05-07 22:50:09 +01:00
wchen-r7 7b5da6f266
Land #5241, sqlmap parsing fixes 2015-05-07 14:21:20 -05:00
benpturner 24abe597e4 numeric 2015-05-07 19:23:25 +01:00
benpturner 01c2bc0287 Buff 2015-05-07 19:10:33 +01:00
benpturner c234714013 Start and End Markers 2015-05-07 19:06:36 +01:00
OJ fd827db6dd Fix up bind stager payload sizes 2015-05-07 10:13:27 +10:00
Brent Cook 78c58088fe
Land #5314, set snmp defaults for constrained values 2015-05-06 16:27:41 -05:00
OJ 9d7a7cb68d Merge branch 'upstream/master' into multi-transport-support 
Conflicts:
	lib/msf/core/payload/linux/bind_tcp.rb
 2015-05-07 07:24:22 +10:00
OJ 60e25170fa
Land #5313 : fixup bind_tcp stager 2015-05-07 07:09:19 +10:00
William Vu 669df591f2 Pull default connection_timeout into constant 2015-05-06 13:18:00 -05:00
William Vu d4aed08260 Fix typo 2015-05-06 13:17:58 -05:00
William Vu 0939bbc710 Set default retries/version for SNMP LoginScanner 
Set in snmp_login but missed in the LoginScanner.

MSP-12668
 2015-05-06 13:17:40 -05:00
Brent Cook 5a8b6e90f2 restore ecx after setting the socket options, set default size 2015-05-06 11:56:07 -05:00
wchen-r7 97807e09ca
Lad #5125, Group Policy startup exploit 2015-05-06 11:17:01 -05:00
Brent Cook 93c785560b remove brocade_telnet scanner, extend telnet 
Rather than duplicate the entire telnet scanner, add a pre-login hook that a
module can use to extend the behavior on connect. This also adds a local
pass-through print_error method like http has.
 2015-05-05 21:19:46 -05:00
root 6b5aaa5479 brocade enable command bruteforcer 2015-05-05 21:16:23 -05:00
OJ 95e9057854 Remove typo'd stuff that shouldn't have made it past merge 2015-05-06 08:07:07 +10:00
Brent Cook 710a2a007b fix format error 2015-05-05 15:27:06 -05:00
Brent Cook a0c806c213 Update java meterpreter and payload references to use metasploit-payloads 2015-05-05 15:01:00 -05:00
benpturner 982b2381ed New shell_command markers 2015-05-05 19:20:03 +01:00
William Vu 013781fb9c
Land #5292, WordPress custom file version check 2015-05-05 11:21:18 -05:00
William Vu 18791ce933 Clean up code 2015-05-05 11:19:40 -05:00
David Maloney 1a8e8c624c
Merge branch 'master' into feature/MSP-12357/meterp-ntds 2015-05-05 11:07:36 -05:00
darkbushido 26e7fe15f9
Merge branch 'upstream' into staging/rails-4.0 
Conflicts:
	Gemfile.lock
 2015-05-05 11:00:38 -05:00
benpturner 22d2275ecb || session.type == 'powershell' 2015-05-05 09:31:43 +01:00
OJ 62fa14326d Merge branch 'upstream/master' into multi-transport-support 
Merged with HD's stuff as he fixed up a few things that I had done too.

Conflicts:
	lib/msf/base/sessions/meterpreter_options.rb
	lib/rex/post/meterpreter/client_core.rb
	lib/rex/post/meterpreter/packet_dispatcher.rb
 2015-05-05 17:18:01 +10:00
OJ c540ba4b98
Land #5297 : Track machine_id and dead sessions 2015-05-05 17:08:39 +10:00
OJ 2949bf053a Remove old comment from ASM 2015-05-05 13:09:13 +10:00
OJ 852961f059 Tweaking of transport behaviour, removal of patch 2015-05-05 11:45:22 +10:00
OJ cf62d1fd7c Remove patch and old stageless stuff 2015-05-05 09:27:01 +10:00
OJ b42f4f5cd2 Merge branch 'upstream/master' into multi-transport-support 
Conflicts:
	lib/msf/core/payload/windows/stageless_meterpreter.rb
	lib/msf/core/payload/windows/x64/stageless_meterpreter.rb
	lib/rex/post/meterpreter/client_core.rb
	modules/payloads/stages/linux/x86/meterpreter.rb
	modules/payloads/stages/windows/meterpreter.rb
	modules/payloads/stages/windows/x64/meterpreter.rb
 2015-05-05 07:53:54 +10:00
OJ e45bf5cf51 Remove the URI patcher now that it's not used at all 2015-05-05 07:35:49 +10:00
Brent Cook 05e4af8162
Land #5214, initial meterpreter session recovery support 2015-05-04 16:25:27 -05:00
benpturner 453b1fce50 Spaces 2015-05-04 22:17:08 +01:00
benpturner 658958d8e7 Allow sessions -c command on powershell 2015-05-04 22:07:22 +01:00
Brent Cook d90c25ecea
Land #5287, RPC API fixes 2015-05-04 15:44:15 -05:00
jvazquez-r7 0ca0d3d045
Improve nt_create_andx path parsing 2015-05-04 15:20:51 -05:00
Brent Cook e6ea5511ca update linux and windows meterpreters to use metasploit-payloads 2015-05-04 09:44:36 -05:00
OJ c2dc4677fb Prevent stagless from overwriting socket 
Stageless payloads need to have the socket FD left along (ie. 0)
otherwise each of them will think that the socket is already open.
Instead we need to make sure it's left as 0 as per the configuration and
from there the stageless code will fire up a new socket based on the
transport in question.
 2015-05-04 22:36:59 +10:00
OJ e835f2b99c Rejig transport config into module 
Adjust a few other things along the way, including tidying of code,
removing of dead stuff.
 2015-05-04 22:04:34 +10:00
OJ 93bf995b32 Reverse tcp support for POSIX 
Ported the stager and wired in the new work to make the configuration
function.
 2015-05-04 20:11:26 +10:00
Brent Cook f42334414a add recursion limit 2015-05-04 04:00:58 -05:00