OJ
232117117b
Fix missing includes
...
The powershell one broke thanks to include hierarchy changes. The others
failed in the specs only for some reason.
2015-05-05 14:24:21 +10:00
OJ
146f41992f
Fix up payload sizes
2015-05-05 13:52:20 +10:00
OJ
852961f059
Tweaking of transport behaviour, removal of patch
2015-05-05 11:45:22 +10:00
OJ
cf62d1fd7c
Remove patch and old stageless stuff
2015-05-05 09:27:01 +10:00
OJ
b42f4f5cd2
Merge branch 'upstream/master' into multi-transport-support
...
Conflicts:
lib/msf/core/payload/windows/stageless_meterpreter.rb
lib/msf/core/payload/windows/x64/stageless_meterpreter.rb
lib/rex/post/meterpreter/client_core.rb
modules/payloads/stages/linux/x86/meterpreter.rb
modules/payloads/stages/windows/meterpreter.rb
modules/payloads/stages/windows/x64/meterpreter.rb
2015-05-05 07:53:54 +10:00
Brent Cook
05e4af8162
Land #5214, initial meterpreter session recovery support
2015-05-04 16:25:27 -05:00
Brent Cook
e6ea5511ca
update linux and windows meterpreters to use metasploit-payloads
2015-05-04 09:44:36 -05:00
OJ
c2dc4677fb
Prevent stageless from overwriting socket
...
Stageless payloads need to have the socket FD left alone (i.e. 0)
otherwise each of them will think that the socket is already open.
Instead we need to make sure it's left as 0 as per the configuration and
from there the stageless code will fire up a new socket based on the
transport in question.
2015-05-04 22:36:59 +10:00
OJ
e835f2b99c
Rejig transport config into module
...
Adjust a few other things along the way, including tidying of code,
removing of dead stuff.
2015-05-04 22:04:34 +10:00
OJ
93bf995b32
Reverse tcp support for POSIX
...
Ported the stager and wired in the new work to make the configuration
function.
2015-05-04 20:11:26 +10:00
OJ
9300158c9a
Initial rework of POSIX stuff to handle new configuration
2015-05-04 18:58:55 +10:00
Balazs Bucsay
0b580acfb4
\t removed
2015-05-02 21:16:50 +02:00
Balazs Bucsay
a0539cd672
new x64 bsd shellcodes (bind/reverse) ipv4/6. ipv4 shells are smaller than
...
the existing one.
2015-05-02 20:52:09 +02:00
Brent Cook
6058dee99a
explicitly require bind_tcp/reverse_tcp modules
...
This transient error was noted in the release documentation builder.
metasploit-framework/modules/payloads/singles/windows/powershell_bind_tcp.rb:37:in
`initialize': uninitialized constant Msf::Handler::BindTcp (NameError)
2015-04-27 20:57:31 -05:00
HD Moore
1fd601510c
Lands #5194 , merges in PowerShell session support & initial payloads
2015-04-26 16:01:51 -05:00
HD Moore
f56eac7f10
Cosmetic cleanup and binary mode read for powershell script
2015-04-26 15:57:51 -05:00
Ben Turner
82fe480c2e
Update session to display username and hostname
2015-04-26 21:47:49 +01:00
benpturner
f2c745d2a7
update cached sizes
2015-04-26 20:24:41 +01:00
benpturner
d19406c593
Update the payload cache size
2015-04-26 18:56:32 +01:00
benpturner
1cc167a7fb
Inserted ARCH_X86 payloads, removed interactive_powershell and updated base powershell session
2015-04-26 18:50:42 +01:00
benpturner
4cb1a6c255
Updated payload cached size
2015-04-26 09:30:41 +01:00
benpturner
e6c61c461e
Updated payloads and fixed msftidy.
2015-04-26 09:20:29 +01:00
OJ
6da8a14f62
Initial work on x64 payloads for new config
2015-04-26 13:41:31 +10:00
OJ
6ac3ecfa7c
Refactor, add reverse_winhttps support
...
Getting closer to a normalised view of what this stuff will look like.
The URL patching is slowly being removed. Reverse HTTPS works fine,
and by default HTTP should too.
Next up, x64 for the same main ones.
2015-04-26 12:11:14 +10:00
OJ
2455163d24
Refactor configuration for meterpreter payloads (x86)
...
RDI is now back to what it was before, as this leaves all the other RDI
style payloads alone. Instead we have a new Meterpreter loader which
does the stuff that is required to make meterpreter work well with the
new configuration options.
This is just the case for reverse_tcp and bind_tcp so far, need to do
the other payloads too, along with all the x64 versions.
2015-04-26 09:57:30 +10:00
benpturner
ded904c72c
New payloads
2015-04-26 00:16:59 +01:00
benpturner
a02ea90824
New payloads which work with cmd
2015-04-25 16:49:22 +01:00
benpturner
7afb6e1aa6
Removed stand-alone payloads and will push these as a separate fork request.
2015-04-25 07:57:43 +01:00
benpturner
6be2c0beab
Dynamic
2015-04-25 07:49:34 +01:00
benpturner
2273fb541a
payload cached_sizes
2015-04-25 07:33:51 +01:00
benpturner
215e67bcbd
Updated comments
2015-04-25 07:02:25 +01:00
benpturner
941a4ee572
updated cached size using tools/update_payload_cached_sizes.rb
2015-04-24 19:13:54 +01:00
benpturner
00d8958cc8
New payloads for reverse_tcp for powershell
2015-04-24 10:25:37 +01:00
benpturner
9e137c6403
ref
2015-04-23 23:28:33 +01:00
benpturner
468166408e
ref
2015-04-23 23:28:21 +01:00
benpturner
3711b2579c
new powershell session
2015-04-23 23:13:12 +01:00
benpturner
0f7442dec2
new powershell session
2015-04-23 23:12:58 +01:00
benpturner
b642ddb989
interact powershell session
2015-04-23 23:12:38 +01:00
benpturner
b6abd9dc8e
updates to rex
2015-04-23 22:14:11 +01:00
benpturner
a3710752c6
updates to rex
2015-04-23 22:14:00 +01:00
benpturner
3e693c95df
update bind_tcp settings
2015-04-23 14:43:08 +01:00
OJ
19a6ae68ff
Update bind_tcp sizes to dynamic
...
This is required due to the fact that we can now turn on/off the
closing of the listen socket.
2015-04-23 09:53:18 +10:00
benpturner
99156f1247
reverse payload
2015-04-22 20:41:45 +01:00
benpturner
4ae3c5925d
bind payload
2015-04-22 20:41:35 +01:00
OJ
86957d9b07
Merge branch 'upstream/master' into connection-recovery
2015-04-21 20:01:59 +10:00
William Vu
3fbd4e2fe6
Land #5172, x64 BSD shell_{bind,reverse}_tcp
2015-04-20 15:37:29 -05:00
Meatballs
b0d50dc2be
Create our own Rex connection to the endpoint
...
Ensure powershell process closes when module completes
Add a windows cmd interact payload
2015-04-19 23:41:28 +01:00
OJ
19f8a76475
Porting bind_tcp for posix to metasm
...
And supporting SO_REUSEADDR and stageless meterp
2015-04-18 19:19:40 +10:00
OJ
97912882ca
Adjustments for POSIX meterpreter patching
2015-04-17 19:53:05 +10:00
OJ
0a8b29dd86
Merge branch 'upstream/master' into connection-recovery
...
Conflicts:
lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb
2015-04-17 14:40:21 +10:00
joev
9b6aea12e1
Oops, missed a comma.
2015-04-15 19:26:53 -05:00
joev
4a18714191
Update authors and license to original osx x86 module.
2015-04-15 14:34:26 -05:00
joev
a01d98d1f5
Implement shell_bind and shell_reverse payloads for bsd x64.
2015-04-15 14:33:27 -05:00
joev
0d19b5d4c3
Fix require order issue.
2015-04-14 23:23:02 -05:00
joev
e56590e1e3
DRY up common code between BSD / OSX.
2015-04-14 23:08:57 -05:00
William Vu
e114c85044
Land #5127, x64 OS X prepend stubs 'n' stuff
2015-04-14 01:25:39 -05:00
joev
2d3614f647
Implement x64 BSD exec and exe template.
...
- Fixes bug in CachedSize due to all options being set
- Adds new payload to payload_spec.
2015-04-12 12:17:25 -05:00
joev
ceadd1e6ec
Update osx x86 payload cached sizes to be accurate.
...
- Right now there is a bug in the payload_spec, which causes the payload's
datastore during the spec run to have things like 'PrependSetuid' => 'false',
where 'false' is a string, which means 'if (datastore['PrependSetuid'])'
branch will be taken, resulting in incorrect behavior.
2015-04-12 00:21:18 -05:00
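The spec bug described in the commit above comes down to Ruby truthiness: only nil and false are falsy, so a datastore value of the String 'false' takes the `if (datastore['PrependSetuid'])` branch. The following is an added illustration, not Metasploit's own code; `normalize_bool`, `naive_prepend_setuid?`, `prepend_setuid?` and the sample datastore are hypothetical helpers written for this example, with the naive check reproducing the bug beside a check that interprets option strings properly.

```ruby
# Added example (not Metasploit's code): why a String 'false' in a datastore
# takes the truthy branch, and a normaliser that treats option values the way
# a boolean option should. All helpers here are hypothetical.

# Ruby truthiness: only nil and false are falsy. Any String, including
# 'false', is truthy.
def ruby_truthy?(value)
  value ? true : false
end

# Interpret a datastore value as a boolean the way an option parser should:
# real booleans pass through, strings are compared case-insensitively,
# integers follow C convention, anything else (nil, unexpected input) is false.
def normalize_bool(value)
  case value
  when true, false then value
  when String then %w[true yes 1].include?(value.strip.downcase)
  when Integer then value != 0
  else false
  end
end

# Naive check that reproduces the bug described in the commit message:
# the String 'false' is truthy, so the setuid prepend would be applied.
def naive_prepend_setuid?(datastore)
  datastore['PrependSetuid'] ? true : false
end

# Hardened check: normalise before branching.
def prepend_setuid?(datastore)
  normalize_bool(datastore['PrependSetuid'])
end

# Constructed sample: the kind of datastore a spec run populates, where the
# option value arrives as a String rather than a boolean.
SPEC_DATASTORE = { 'PrependSetuid' => 'false' }.freeze

if __FILE__ == $0
  puts "ruby_truthy?('false')        => #{ruby_truthy?('false')}"
  puts "naive_prepend_setuid?(spec)  => #{naive_prepend_setuid?(SPEC_DATASTORE)}"
  puts "prepend_setuid?(spec)        => #{prepend_setuid?(SPEC_DATASTORE)}"
end
```

The same pattern applies to any option that may be set from a string source (a resource script, an RPC call, a spec fixture): decide the boolean once, at the edge, rather than relying on truthiness at each branch.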
OJ
91202e2447
Port of reverse_tcp payload to metasm
2015-04-10 17:46:27 +10:00
OJ
fadb13b8ef
Porting block api, exitfunk, bind to metasm
...
Also add the flag which lets the bind stager leave the listen socket
open.
2015-04-10 16:23:03 +10:00
OJ
809409d8c4
Lots of changes to support moving timeouts to common spots
...
Session expiry, comms timeout, retry total/wait are all now part of all
of the meterpreter payloads as these are going to be used for
maintaining access with resiliency and will aim for consistency across
the payload types.
2015-04-09 17:57:43 +10:00
OJ
bc5fd4b813
A few adjustments to make bind_tcp keep listen sockets open
2015-04-09 08:46:35 +10:00
HD Moore
e7a4ee637a
Port windows reverse_tcp|bind_tcp to Metasm, add error handling
...
Conflicts:
lib/msf/core/payload/windows/bind_tcp.rb
modules/payloads/stagers/windows/bind_tcp.rb
Cherry-picked from @hmoore-r7's repo.
2015-04-08 16:21:10 +10:00
OJ
9ebcb27929
Merge branch 'upstream/master' into connection-recovery
2015-04-08 15:48:21 +10:00
OJ
a9804dff62
Initial work to support fault-tolerant connectivity
...
This code adjusts the bind_tcp stager for x86 so that the listener
socket isn't closed for meterpreter payloads. This means that meterpreter
can make an educated guess as to whether or not the payload was a bind
or tcp payload, and from there can attempt to establish communications
in the same way as before should something break along the way.
Some simple adjustments to the x64 meterpreter stage as well, but more
to come here.
2015-04-08 14:41:32 +10:00
OJ
9fd40870d0
Update http(s) generator functions
...
Methods now require a hash. I went with the hash because 1) that's what
we seem to use everywhere else, and 2) I couldn't get the new keyword
arguments working nicely with the block syntax (I'm clearly stupid).
2015-04-08 07:56:54 +10:00
OJ
8f58e08c13
Add support for stageless reverse_http payloads
...
This includes both x64 and x86.
2015-04-07 11:01:24 +10:00
HD Moore
78c73cc2a3
Update cached sizes with the new uri defaults
2015-04-05 22:11:12 -05:00
HD Moore
c9696d3f6c
Merge in stageless/transport work, deconflict
2015-04-04 11:52:26 -07:00
OJ
fd043d4842
Fix up build and missing uri_checksum stuff
...
Somehow this made it into a merge when it shouldn't have. This fix moves
the URI checksum module to where it needs to be and updates all the
references where required. This will result in a class with the dynamic
transport branch, but I can fix that after.
2015-04-03 13:42:25 +10:00
HD Moore
34ff94e0da
Fix the proxy user/pass options
2015-03-31 15:49:43 -05:00
HD Moore
a39ba05383
Functional Payload UUID embedding via PayloadUUIDSeed
2015-03-31 15:44:18 -05:00
OJ
253e5d7dff
Include correct module, remove specified encoder type
2015-03-31 07:23:51 +10:00
OJ
c28cc66398
Add x64 bind_tcp and reverse_ipv6_tcp
...
Also fix up a couple of modules to use Metasploit4 instead of
Metasploit3.
2015-03-30 18:59:30 +10:00
OJ
26792975eb
Refactor of code to reduce duplication
...
Add mixin for the stageless http preparation
2015-03-30 13:18:56 +10:00
OJ
f8851551c5
Add initial x64 stageless meterpreter module
2015-03-30 11:23:51 +10:00
OJ
ce8f6d72e1
More work on x64 stageless
...
Testing with HD's new changes that allow for generation of larger x64
payloads
2015-03-30 09:51:04 +10:00
OJ
17dc2b184d
Merging upstream/master
2015-03-30 09:12:20 +10:00
Brent Cook
e0568e95c2
Land #4978 @zerosteiner adds reverse https for python meterpreter
2015-03-26 19:16:46 -05:00
Spencer McIntyre
10e8cefd6d
Pymet doesn't validate ssl certs for 2.7.9/3.4.3
2015-03-25 19:49:42 -04:00
OJ
24d74b26e3
Beginning work for stageless x64 meterpreter
2015-03-24 06:50:06 +10:00
OJ
9c9d333a1b
Create verify ssl mixin, adjust some formatting
2015-03-23 13:21:08 +10:00
Spencer McIntyre
a407bc8d65
Fix the reverse_https stager CachedSize for the spec
2015-03-21 13:05:44 -04:00
Spencer McIntyre
7282968d8a
Python reverse HTTPS stager
2015-03-21 12:43:14 -04:00
oj@buffered.io
fd4ad9bd2e
Rework changes on top of HD's PR
...
This commit removes duplication, tidies up a couple of things and puts
some common code into the x509 module.
2015-03-20 13:06:57 +10:00
OJ
7b4161bdb4
Update code to handle cert validation properly
...
This code contains duplication from HD's PR. Once his has been landed
this code can be fixed up a bit so that duplication is removed.
2015-03-20 12:52:47 +10:00
OJ
7899881416
Update POSIX bins from master
2015-03-19 14:50:14 +10:00
HD Moore
346b1d539f
Revert Java back to static size for cache purposes (less cpu usage on startup)
2015-03-18 16:24:01 -05:00
HD Moore
33bbf7cb7e
Dynamic URI generation for python/java http(s) stagers
2015-03-18 16:08:11 -05:00
rwhitcroft
7ae97393e0
fix x64/reverse_https stager shellcode
2015-03-18 15:34:31 -04:00
HD Moore
b62da42927
Merge branch 'master' into feature/add-proxies-to-wininet
2015-03-18 01:51:15 -05:00
HD Moore
ef443c83b9
Fix overgreedy search/replace
2015-03-18 01:21:53 -05:00
HD Moore
f7a06d8e44
Rework PROXY_{HOST|PORT|TYPE|USERNAME|PASSWORD} to the new syntax
2015-03-18 01:15:32 -05:00
HD Moore
87a489907c
Place an IPv6 proxy IP between brackets
2015-03-18 01:01:16 -05:00
HD Moore
259db269bd
Remove user/pass and invalid class from the options
2015-03-18 01:01:16 -05:00
HD Moore
2ab14e7e79
Adds IPv6 and option-related issues with the previous patch
2015-03-18 01:01:10 -05:00
HD Moore
0601946830
Don't mandate and default PROXY_HOST (miscopy from the proxy stager)
2015-03-18 01:00:04 -05:00
HD Moore
85fb534e63
Fix up the offset detection again, cleanup redundant code
2015-03-18 00:59:25 -05:00
HD Moore
2f13988d7b
Use OptPort vs OptInt and cleanup the description
2015-03-18 00:59:25 -05:00
HD Moore
a01be365b0
Rework PROXYHOST/PROXYPORT to PROXY_HOST/PROXY_PORT
...
This also cleans up the windows reverse_https_proxy stager.
2015-03-18 00:59:13 -05:00
Brent Cook
abb8a32e68
update spec for dynamic meterpreter payloads
2015-03-16 18:08:13 -05:00
HD Moore
7e89281485
Adds proxy (with authentication) support to reverse_http(s)
2015-03-16 00:03:31 -05:00
Brent Cook
b68e05e536
Land #4914, @hmoore-r7 and @BorjaMerino winhttp stagers
2015-03-13 08:24:11 -05:00
OJ
35cfdf051a
Add support for meterpreter_reverse_ipv6_tcp
...
New payload added, makes use of existing functionality.
2015-03-13 20:15:31 +10:00
HD Moore
744b1a680e
Reworks how payload prepends work internally, see #1674
2015-03-12 02:30:06 -05:00
OJ
345b5cc8e1
Add stageless meterpreter support
...
This commit adds plumbing which allows for the creation of stageless
meterpreter payloads that include extensions. The included transports at
this point are bind_tcp, reverse_tcp and reverse_https, all x86.
More coming for x64. Will also validate http soon.
2015-03-12 13:22:04 +10:00
HD Moore
c3f2536ef6
Make the stager clear in the payload descriptions
2015-03-11 21:30:02 -05:00
HD Moore
b105a88b95
Fix https convention
2015-03-11 21:26:31 -05:00
HD Moore
8bae58d631
Updated cache sizes
2015-03-11 21:25:12 -05:00
HD Moore
1135e5e073
First take on WinHTTP stagers, untested
2015-03-11 16:27:14 -05:00
HD Moore
7e3b4017f0
Rename and resynced with master, ready for refactoring
2015-03-11 14:36:27 -05:00
HD Moore
ea1bc69e2e
Merge branch 'master' into feature/add-reverse_winhttp-stagers
2015-03-11 14:29:34 -05:00
Brent Cook
ceeee4446f
Land #4904, @hmoore-r7 reworks reverse_http/s stagers
...
They are now assembled dynamically and support more flexible options,
such as long URLs.
2015-03-11 10:41:59 -05:00
HD Moore
ad39adf9c2
Missing comma
2015-03-11 00:49:07 -05:00
HD Moore
a89926b663
Exclude vncinject from http stagers (depends on sockedi)
2015-03-11 00:46:04 -05:00
Brent Cook
9ade107325
disable reverse_http methods from upexec and shell payloads
...
These don't work over http and don't appear to have ever, as far back as
I could test. They appear to be an accident perhaps.
2015-03-10 17:08:58 -05:00
HD Moore
db351317a5
Merge with PR branch
2015-03-10 14:08:35 -05:00
HD Moore
0f763c2cb3
First step to reworking the winhttp stagers
2015-03-10 14:07:25 -05:00
Borja Merino
991e72a4fa
HTTP stager based on WinHttp
2015-03-10 13:40:16 -05:00
HD Moore
966848127a
Refactor x86 Windows reverse_http and reverse_https stagers
2015-03-10 12:48:30 -05:00
HD Moore
618fbf075a
Update CachedSize for the fixed stager
2015-03-09 16:57:14 -05:00
HD Moore
746f18d9bb
Fallback to a localhost variant to make the length predictable
2015-03-09 16:56:25 -05:00
HD Moore
6543c3c36f
Update CachedSize for the fixed stager
2015-03-09 16:54:57 -05:00
HD Moore
c676ac1499
Fallback to a localhost variant to make the length predictable
2015-03-09 16:53:28 -05:00
HD Moore
d0324e8ad3
Final cleanup, passing specs
2015-03-09 15:50:57 -05:00
HD Moore
da81f6b2a0
Correct the :dynamic cache sizes
2015-03-09 15:44:14 -05:00
HD Moore
02509d02e4
The result of running ./tools/update_payload_cached_sizes.rb
2015-03-09 15:31:04 -05:00
William Vu
a648e74c4b
Remove unnecessary semicolon
2015-03-02 15:36:45 -06:00
William Vu
80169de4d0
Remove -i from shell in reverse_python
2015-03-02 15:29:50 -06:00
Brent Cook
5297ebc1a1
Merge branch 'master' into land-1396-http_proxy_pstore
...
Bring things back to the future
2015-02-20 08:50:17 -06:00
Brent Cook
91b4a59fc7
msftidy fixes
2015-02-20 08:42:54 -06:00
Tod Beardsley
bae19405a7
Various grammar, spelling, word choice fixes
2015-01-26 11:00:07 -06:00
Borja Merino
d14413579c
HTTP stager based on WinHttp
2015-01-19 13:01:56 +01:00
eyalgr
7a2f0553a8
Update reverse_tcp.rb
...
prevent over-reading from socket
2015-01-18 17:32:53 +02:00
eyalgr
9c12fcc2f1
Update bind_tcp.rb
...
Read exactly l bytes
2015-01-18 15:42:09 +02:00
eyalgr
18e15a109a
Update bind_tcp.rb
...
Prevent over-reading from socket
2015-01-18 15:35:56 +02:00
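The three commits above fix the same class of bug: a stager that asks the socket for a fixed, large buffer after reading the length prefix can swallow bytes that belong to whatever follows the stage on the stream, while a stager that assumes a single recv returns all l bytes can truncate it. The block below is an added illustration, not Metasploit's own stager code; it assumes the 4-byte little-endian length prefix used by the reverse_tcp/bind_tcp stagers, and `ChunkyIO`, `read_exactly`, `recv_stage` and `recv_stage_naive` are hypothetical helpers written for this example. The sample wire bytes are constructed inline so it runs offline.

```ruby
# Added example (not Metasploit's code): reading a length-prefixed stage off a
# stream without over-reading or truncating. Framing assumed: 4-byte
# little-endian length, then the stage bytes. All helpers are hypothetical.

# Minimal stream stand-in: serves bytes from a string, returning at most
# max_chunk bytes per readpartial call to simulate short reads, and raising
# EOFError once drained, the way a closed socket would.
class ChunkyIO
  def initialize(data, max_chunk)
    @data = data.b
    @max_chunk = max_chunk
  end

  # Like IO#readpartial: returns 1..n bytes, never blocks, EOFError at end.
  def readpartial(n)
    raise EOFError, 'stream closed' if @data.empty?
    take = [n, @max_chunk].min
    @data.slice!(0, take)
  end

  # Bytes the reader left unconsumed (belong to the next message).
  def leftover
    @data.dup
  end
end

# Read exactly n bytes from io, looping over short reads and capping each
# request at what is still missing, so it never consumes byte n+1.
# Raises EOFError if the peer closes first.
def read_exactly(io, n)
  buf = ''.b
  while buf.bytesize < n
    buf << io.readpartial(n - buf.bytesize)
  end
  buf
end

# Naive receive, the shape of the bug being fixed: after the length prefix it
# asks for up to 4096 bytes, so it returns whatever is buffered, which may be
# more (or less) than the stage.
def recv_stage_naive(io)
  _len = io.readpartial(4).unpack1('V')
  io.readpartial(4096)
end

# Correct receive: length prefix first, then exactly that many bytes.
def recv_stage(io)
  len = read_exactly(io, 4).unpack1('V')   # 'V' = 32-bit little-endian
  read_exactly(io, len)
end

# Constructed sample traffic: a stage immediately followed by a second framed
# message on the same stream.
STAGE    = ('STAGE-' + 'A' * 20).b
FOLLOWUP = 'NEXT-MESSAGE'.b

def frame(payload)
  [payload.bytesize].pack('V') + payload
end

def build_wire
  frame(STAGE) + frame(FOLLOWUP)
end

if __FILE__ == $0
  io = ChunkyIO.new(build_wire, 4096)
  got = recv_stage_naive(io)
  puts "naive:   got #{got.bytesize} bytes, leftover #{io.leftover.bytesize}"
  io = ChunkyIO.new(build_wire, 3)   # 3-byte chunks force short reads
  got = recv_stage(io)
  puts "correct: got #{got.bytesize} bytes, leftover #{io.leftover.bytesize}"
end
```

With everything buffered, the naive reader returns the stage plus the entire next frame and leaves nothing on the stream; the exact reader returns only the stage, even when the transport hands back three bytes at a time, and the next frame is still there for the following read.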
Borja Merino
9791acd0bf
Add stager ipknock shellcode (PR 2)
2014-12-27 22:03:45 +01:00
William Vu
93be828738
Fix invalid URL in splat
2014-12-22 11:26:20 -06:00
William Vu
f1b9862665
Align shellcode in bind_hidden_tcp
2014-12-22 11:17:14 -06:00
root
9a7e431a4a
New block_api applied
2014-12-22 17:21:13 +01:00
Peregrino Gris
42636fb3c0
Handler and block_hidden_bind_tcp deleted
2014-12-22 17:21:13 +01:00
root
fa8e944e34
AHOST OptAddress moved to the payload
2014-12-22 17:21:11 +01:00
Peregrino Gris
c0fa8c0e3f
Add stager for hidden bind shell payload
2014-12-22 17:21:11 +01:00
sinn3r
2c0c732967
Fix #4414 & #4415 - exitfunc and proper null-terminated string
...
This patch fixes the following for messagebox.rb
Issue 1 (#4415)
When exitfunc is none, the payload will not be able to generate
due to an "invalid opcode" error.
Issue 2 (#4414)
After "user32.dll" is pushed onto the stack for the LoadLibrary
call, the payload does not actually ensure bl is a null byte, it
just assumes it is and uses it to modify the stack to get a
null-terminated string.
Fix #4414
Fix #4415
2014-12-19 03:19:06 -06:00
HD Moore
e3943682a2
Improves linux/armle payloads, lands #3315
2014-12-13 18:27:14 -06:00
HD Moore
5a645c5eba
Stagers updated from source
2014-12-13 12:50:47 -06:00
HD Moore
92490ab5e8
Singles updated from the source
2014-12-13 12:22:07 -06:00
Tod Beardsley
79f2708a6e
Slight fixes to grammar/desc/whitespace
...
Note that the format_all_drives module had a pile of CRLFs that should
have been caught by msftidy. Not sure why it didn't.
2014-12-04 13:11:33 -06:00
HD Moore
fc96d011ab
Python reverse_http stager, lands #4225
2014-12-02 11:47:31 -06:00
HD Moore
7fe72fd118
Cosmetic tweaks for #4225
2014-12-02 11:47:14 -06:00