Commit Graph

745 Commits (7fdf84ac4532e2f6f3afcd11616d372b83666cbd)

Author SHA1 Message Date
James Lee 8376531a32 Land #1217, java payload build system refactor
[Closes #1217]
2013-04-11 13:10:03 -05:00
James Lee e3eef76372 Land #1223
This adds rc4-encrypting stagers for Windows.

[Closes #1223]
2013-04-10 12:14:52 -05:00
James Lee b3c78f74d2 Whitespace 2013-04-10 09:28:45 -05:00
jvazquez-r7 c225d8244e Added module for CVE-2013-1493 2013-03-26 22:30:18 +01:00
scriptjunkie 1b6398d4fd Service autoconnect, DB fixes
First check if database is connected before trying to connect.
Autologin in Kali with new token login.
2013-03-25 20:44:48 -05:00
scriptjunkie 438d348fda Kali fixes
Check the new database config location.
Don't crash on sporadic JRE style error.
2013-03-24 21:00:38 -05:00
scriptjunkie 16fad29cb0 Update creds schema. 2013-03-12 23:07:40 -05:00
sinn3r e1859ae4b6 Merge branch 'rsmudge-armitage' 2013-03-06 19:31:44 -06:00
sinn3r a30b61e4aa Merge branch 'rsmudge-armitage' 2013-03-06 16:39:00 -06:00
Raphael Mudge 4ab8315db0 Armitage 03.06.13
Apparently, my last update came from the future. This modification
to that future update fixes an oversight preventing Armitage from
connecting to its collaboration server because it would report the
wrong application.
2013-03-04 23:11:20 -05:00
James Lee a74b576a0f Merge branch 'rapid7' into rsmudge-authproxyhttpstager 2013-03-04 17:50:48 -06:00
Raphael Mudge 59d2f05c94 Armitage 04.06.13
This update to Armitage improves its responsiveness when connected
to a team server over a high latency network. This update also adds
a publish/query/subscribe API to Cortana.
2013-03-04 18:32:45 -05:00
Michael Schierl 9e499e52e7 Make BindTCP test more robust
The BindTCP test contained a race condition: if the bind payload took
longer to load than the handler, it could result in a

ConnectException: Connection refused: connect

Work around this by retrying the connection up to 10 times, with 500ms
delay in between.
2013-03-03 21:08:06 +01:00
Michael Schierl b75d1d3b70 Antivirus can interfere with compiling
Add a note about it into COMPILING.txt.
2013-03-03 21:07:08 +01:00
RageLtMan 754b32e9db shameless plug for posterity in stager asm 2013-02-28 17:30:27 -05:00
RageLtMan 3778ae09e9 This commit adds DNS resolution to rev_tcp_rc4
Due to the modular structure of payload stages its pretty trivial
to add DNS resolution instead of hard-coded IP address in stage0.

The only real complication here is that ReverseConnectRetries ends
up being one byte further down than in the original shellcode. It
appears that the original rev_tcp_dns payload suffers from the same
issue.

Hostname substitution is handled in the same method as the RC4 and
XOR keys, with an offset provided and replace_vars ignoring the
hostname.

Tested in x86 native and WOW64 on XP and 2k8r2 respectively.

This is a good option for those of us needing to leave persistent
binaries/payloads on hosts for long periods. Even if the hostname
resolves to a malicious party attempting to steal our hard earned
session, they'd be hard pressed to crypt the payload with the
appropriate RC4 pass. So long as we control the NS and records, the
hardenned shellcode should provide a better night's sleep if running
shells over the WAN. Changing the RC4 password string in the
shellcode and build.py should reduce the chances of recovery by RE.

Next step will likely be to start generating elipses for ECDH SSL
in meterpreter sessions and passing them with stage2 through the
RC4 socket. If P is 768-1024 the process is relatively quick, but
we may want to precompute a few defaults as well to have 2048+.
2013-02-28 02:59:20 -05:00
Raphael Mudge 788c96566f Allow HTTP stager to work with authenticated proxies
The HttpOpenRequest function from WinINet requires the
INTERNET_FLAG_KEEP_CONNECTION flag to communicate through an
authenticated proxy.

From MSDN ( http://tinyurl.com/chwt86j ):

"Uses keep-alive semantics, if available, for the connection. This
 flag is required for Microsoft Network (MSN), NT LAN Manager (NTLM),
 and other types of authentication."

Without this flag, the HTTP stager will fail when faced with a proxy
that requires authentication. The Windows HTTPS stager does not have
this problem.

For HTTP Meterpreter to communicate through an authenticated proxy a
separate patch will need to be made to the Meterpreter source code.
This is at line 1125 of source/common/core.c in the Meterpreter source
code.

My motivation for this request is for windows/dllinject/reverse_http
to download a DLL even when faced with an authenticated proxy. These
changes accomplish this.

Test environment:

I staged a SmoothWall device with the Advanced Proxy Web Add-on. I
enabled Integrated Windows Authentication with a W2K3 DC. I verified
the HTTP stager authenticated to and communicated through the proxy
by watching the proxy access.log
2013-02-24 17:33:00 -05:00
jvazquez-r7 f04df6300a makefile updated 2013-02-21 13:44:37 +01:00
jvazquez-r7 da9e58ef79 Added the java code to get the ser file 2013-02-20 18:14:24 +01:00
jvazquez-r7 d88ad80116 Added first version of cve-2013-0431 2013-02-20 16:39:53 +01:00
sinn3r 398e6cb202 Merge branch 'rsmudge-armitage' 2013-02-13 10:38:30 -06:00
Raphael Mudge 596b62b831 Armitage 02.12.13 - Distributed Operations
This update adds the ability to manage multiple team server instances
through one Armitage client. This update also adds nickname completion
to the event log. Several bug fixes are included too.
2013-02-11 21:20:03 -05:00
scriptjunkie 447f78cb24 Handle nonstandard ports when starting new msfrpcd. 2013-02-04 17:24:41 -06:00
jvazquez-r7 ee2fed8335 Merge branch 'master' of https://github.com/booboule/metasploit-framework into booboule-master 2013-01-24 16:18:06 +01:00
booboule afa32c7552 Update external/source/exploits/cve-2012-5076_2/Makefile
Wrong directory path
2013-01-23 20:18:24 +01:00
booboule d2b75ad005 Update external/source/exploits/cve-2012-5088/Makefile 2013-01-23 12:42:33 +01:00
sinn3r e376bb6fab Merge branch 'rsmudge-armitage' 2013-01-22 22:52:35 -06:00
Raphael Mudge 8c86c49d43 Armitage 01.23.13
This update to Armitage adds the ability to assign labels to hosts
and create dynamic workspaces based on these labs. This update also
adds helpers to configure USERNAME/PASSWORD options and EXE::Custom
and EXE::Template. Several bugs were fixed as well.
2013-01-22 22:48:16 -05:00
jvazquez-r7 807bd6e88a Merge branch 'java_jre17_glassfish_averagerangestatisticimpl' of https://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-java_jre17_glassfish_averagerangestatisticimpl 2013-01-22 15:33:39 +01:00
jvazquez-r7 ef16a7fd24 cleanup 2013-01-17 21:45:13 +01:00
jvazquez-r7 670b4e8e06 cleanup 2013-01-17 21:39:41 +01:00
jvazquez-r7 78279a0397 Added new module for cve-2012-5076 2013-01-17 21:27:47 +01:00
jvazquez-r7 d0b9808fc7 Added module for CVE-2012-5088 2013-01-17 21:14:49 +01:00
jvazquez-r7 51f3f59d2f cve and references available 2013-01-11 00:54:53 +01:00
jvazquez-r7 e503d596ed code indention for exploit.java fixed 2013-01-10 20:34:58 +01:00
jvazquez-r7 876d889d82 added exploit for j7u10 0day 2013-01-10 20:30:43 +01:00
HD Moore 4eb35b5c1d Fix typo in license text 2013-01-07 23:29:49 -06:00
Tod Beardsley 2ae8a08db9 Add license for Byakugan, per e-mail from Lurene.
Ask pusscat@metasploit.com if you don't believe me -- got her license
statement today.
2013-01-07 22:06:20 -06:00
Raphael Mudge 5348127fd2 Metasploit 4.5 Installer Environment Tweak
Armitage on Windows requires the user to specify their MSF
install folder. This tweak checks for an MSF 4.5 environment
and updates the specified folder to make everything work.

Like magic.
2013-01-04 13:08:47 -05:00
Raphael Mudge a79f2fa8d1 Armitage Updates and Bug Fixes
This is Armitage release 01.04.13. This update fixes several bugs
and improves the user experience launching *_login modules from
Armitage. This update adds a Windows 8 icon and includes a fix to
better work with the Metasploit 1.45 installer's environment.
2013-01-04 12:05:09 -05:00
Michael Schierl 46a5c4f4bf Improve RC4 shellcode
ESI is not clobbered; no need to clear EDX as only DL is filled before and
it is overwritten before use.

Shellcodes in ruby modules not regenerated, but I guess you want to
regenerate them again anyway :-)
2013-01-01 11:25:17 +01:00
Michael Schierl cb06262002 Add shellcode for RC4 bind and reverse stagers
Those stagers will encrypt the initial stage with a 128-bit RC4 key and
the stage length with a XOR key. Both keys are embedded in the stager.

This should provide good evasion capabilities in addition to some
protection against MITM reversing (if the stager is sent a different
route, like in an executable on an USB key).

Note that, from a cryptanalyst's standpoint, it is a bad idea to reuse the
same stager (or stagers with the same RC4 and XOR keys) more than once
since an identical key will result in an identical keystream and make
correlation attacks easy. But I doubt that matters in practice.

Also note that since communication after the initial statging is not
encrypted, these stagers should be used in combination with additional
encryption support in the payloads (like Meterpreter).
2012-12-31 22:33:29 +01:00
Michael Schierl b4fd341fb6 Add shellcode for RC4 decoding
Provided as a block to be included into stagers and/or decoder stubs.
Also included is a test shellcode that can be used for verifying that the
algorithm is compatible to Ruby's OpenSSL RC4 algorithm.
2012-12-31 22:33:28 +01:00
Michael Schierl ca967efee6 Add unit tests for JavaPayload
Downgrad JUnit version since JUnit 4 can only work with -target 1.5 or
higher class files.

Covered are Shell and Meterpreter stage, StreamForwarder, MemoryBuffer,
AESEncryption and Payload (Bind, Reverse, Spawn, AESPassword).
2012-12-21 19:22:41 +01:00
Michael Schierl 6401f36afb Add version compatibility checks for JavaPayload
Check JavaPayload and Java Meterpreter against version incompatibilities
for Java 1.2, 1.3, 1.4, 1.5, and 1.6.

Note that webcam_audio_record is currently excluded from the checks, as it
uses Sun proprietary API for building the WAV file and is therefore
failing the build (and will most likely crash Meterpreter if run on a JVM
of version 1.4 or later that is not based on the Sun/Oracle JVM).

Possible workarounds (apart from either removing the module or changing it
to produce empty files when WAV creation is not supported) include
implementing the WAV file writer ourselves or providing raw PCM files
instead.
2012-12-21 14:37:46 +01:00
Michael Schierl d71b2c35a8 Convert Java Meterpreter project to use Maven
Functionality and build result is 1:1 the same as before. Auxiliary ant
targets have been converted to Maven profiles.
2012-12-21 01:17:57 +01:00
Michael Schierl 2d03b747c0 Convert JavaPayload project to use Maven
Functionality and build result is 1:1 the same as before. Auxiliary ant
targets have been converted to Maven profiles.
2012-12-21 00:09:06 +01:00
Michael Schierl f204a64cdd Move Java meterpreter next to JavaPayload
to make further refactoring easier
2012-12-20 22:28:25 +01:00
jvazquez-r7 133ad04452 Cleanup of #1062 2012-12-07 11:55:48 +01:00
HD Moore 1c09279bbd Add placeholder directories for PSSDK 2012-11-28 15:10:35 -08:00