Commit Graph

1028 Commits (8528a101567b236696dcfca7e8f34dc70a8cd55b)

Author SHA1 Message Date
OJ 232117117b Fix missing includes
The powershell one broke thanks to include hierarchy changes. The others
failed in the specs only for some reason.
2015-05-05 14:24:21 +10:00
OJ 146f41992f Fix up payload sizes 2015-05-05 13:52:20 +10:00
OJ 852961f059 Tweaking of transport behaviour, removal of patch 2015-05-05 11:45:22 +10:00
OJ cf62d1fd7c Remove patch and old stageless stuff 2015-05-05 09:27:01 +10:00
OJ b42f4f5cd2 Merge branch 'upstream/master' into multi-transport-support
Conflicts:
	lib/msf/core/payload/windows/stageless_meterpreter.rb
	lib/msf/core/payload/windows/x64/stageless_meterpreter.rb
	lib/rex/post/meterpreter/client_core.rb
	modules/payloads/stages/linux/x86/meterpreter.rb
	modules/payloads/stages/windows/meterpreter.rb
	modules/payloads/stages/windows/x64/meterpreter.rb
2015-05-05 07:53:54 +10:00
Brent Cook 05e4af8162
Land #5214, initial meterpreter session recovery support 2015-05-04 16:25:27 -05:00
Brent Cook e6ea5511ca update linux and windows meterpreters to use metasploit-payloads 2015-05-04 09:44:36 -05:00
OJ c2dc4677fb Prevent stagless from overwriting socket
Stageless payloads need to have the socket FD left along (ie. 0)
otherwise each of them will think that the socket is already open.
Instead we need to make sure it's left as 0 as per the configuration and
from there the stageless code will fire up a new socket based on the
transport in question.
2015-05-04 22:36:59 +10:00
OJ e835f2b99c Rejig transport config into module
Adjust a few other things along the way, including tidying of code,
removing of dead stuff.
2015-05-04 22:04:34 +10:00
OJ 93bf995b32 Reverse tcp support for POSIX
Ported the stager and wired in the new work to make the configuration
function.
2015-05-04 20:11:26 +10:00
OJ 9300158c9a Initial rework of POSIX stuff to handle new configuration 2015-05-04 18:58:55 +10:00
Balazs Bucsay 0b580acfb4 \t removed 2015-05-02 21:16:50 +02:00
Balazs Bucsay a0539cd672 new x64 bsd shellcodes (bind/reverse) ipv4/6. ipv4 shells are smaller than
the existing one.
2015-05-02 20:52:09 +02:00
Brent Cook 6058dee99a explicitly require bind_tcp/reverse_tcp modules
This transient error was noted in the release documentation builder.

metasploit-framework/modules/payloads/singles/windows/powershell_bind_tcp.rb:37:in
   `initialize': uninitialized constant Msf::Handler::BindTcp (NameError)
2015-04-27 20:57:31 -05:00
HD Moore 1fd601510c
Lands #5194, merges in PowerShell session support & initial payloads 2015-04-26 16:01:51 -05:00
HD Moore f56eac7f10 Cosmetic cleanup and binary mode read for powershell script 2015-04-26 15:57:51 -05:00
Ben Turner 82fe480c2e Update session to display username and hostname 2015-04-26 21:47:49 +01:00
benpturner f2c745d2a7 update cached sizes 2015-04-26 20:24:41 +01:00
benpturner d19406c593 Update the payload cache size 2015-04-26 18:56:32 +01:00
benpturner 1cc167a7fb Inserted ARCH_X86 payloads, removed interactive_powershell and updated base powershell session 2015-04-26 18:50:42 +01:00
benpturner 4cb1a6c255 Updated payload cached size 2015-04-26 09:30:41 +01:00
benpturner e6c61c461e Updated payloads and fixed msftidy. 2015-04-26 09:20:29 +01:00
OJ 6da8a14f62 Initial work on x64 payloads for new config 2015-04-26 13:41:31 +10:00
OJ 6ac3ecfa7c Refactor, add reverse_winhttps support
Getting closer to a normalised view of what this stuff will look like.
There URL patching is slowly being removed. Reverse HTTPS works fine,
and by default HTTP should too.

Next up, x64 for the same main ones.
2015-04-26 12:11:14 +10:00
OJ 2455163d24 Refactor configuration for meterpreter payloads (x86)
RDI is now back to what it was before, as this leaves all the other RDI
style payloads alone. Instead we have a new Meterpreter loader which
does the stuff that is required to make meterpreter work well with the
new configuration options.

This is just the case for reverse_tcp and bind_tcp so far, need to do
the other payloads too, along with all the x64 versions.
2015-04-26 09:57:30 +10:00
benpturner ded904c72c New payloads 2015-04-26 00:16:59 +01:00
benpturner a02ea90824 New payloads which work with cmd 2015-04-25 16:49:22 +01:00
benpturner 7afb6e1aa6 Removed stand-alone payloads and will push these as a seperate fork request. 2015-04-25 07:57:43 +01:00
benpturner 6be2c0beab Dynamic 2015-04-25 07:49:34 +01:00
benpturner 2273fb541a payload cached_sizes 2015-04-25 07:33:51 +01:00
benpturner 215e67bcbd Updated comments 2015-04-25 07:02:25 +01:00
benpturner 941a4ee572 updated cached size using tools/update_payload_cached_sizes.rb 2015-04-24 19:13:54 +01:00
benpturner 00d8958cc8 New payloads for reverse_tcp for powershell 2015-04-24 10:25:37 +01:00
benpturner 9e137c6403 ref 2015-04-23 23:28:33 +01:00
benpturner 468166408e ref 2015-04-23 23:28:21 +01:00
benpturner 3711b2579c new powershell session 2015-04-23 23:13:12 +01:00
benpturner 0f7442dec2 new powershell session 2015-04-23 23:12:58 +01:00
benpturner b642ddb989 interact powershell session 2015-04-23 23:12:38 +01:00
benpturner b6abd9dc8e updates to rex 2015-04-23 22:14:11 +01:00
benpturner a3710752c6 updates to rex 2015-04-23 22:14:00 +01:00
benpturner 3e693c95df update bind_tcp settings 2015-04-23 14:43:08 +01:00
OJ 19a6ae68ff Update bind_tcp sizes to dynamic
This is required due to the fact that we can now turn on/off the
closing of the listen socket.
2015-04-23 09:53:18 +10:00
benpturner 99156f1247 reverse payload 2015-04-22 20:41:45 +01:00
benpturner 4ae3c5925d bind payload 2015-04-22 20:41:35 +01:00
OJ 86957d9b07
Merge branch 'upstream/master' into connection-recovery 2015-04-21 20:01:59 +10:00
William Vu 3fbd4e2fe6
Land #5172, x64 BSD shell_{bind,reverse}_tcp 2015-04-20 15:37:29 -05:00
Meatballs b0d50dc2be
Create our own Rex connection to the endpoint
Ensure powershell process closes when module completes
Add a windows cmd interact payload
2015-04-19 23:41:28 +01:00
OJ 19f8a76475 Porting bind_tcp for posix to metasm
And supporting SO_REUSEADDR and stageless meterp
2015-04-18 19:19:40 +10:00
OJ 97912882ca Adjustments for POSIX meterpreter patching 2015-04-17 19:53:05 +10:00
OJ 0a8b29dd86 Merge branch 'upstream/master' into connection-recovery
Conflicts:
	lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb
2015-04-17 14:40:21 +10:00
joev 9b6aea12e1 Oops, missed a comma. 2015-04-15 19:26:53 -05:00
joev 4a18714191 Update authors and license to original osx x86 module. 2015-04-15 14:34:26 -05:00
joev a01d98d1f5 Implement shell_bind and shell_reverse payloads for bsd x64. 2015-04-15 14:33:27 -05:00
joev 0d19b5d4c3 Fix require order issue. 2015-04-14 23:23:02 -05:00
joev e56590e1e3 DRY up common code between BSD / OSX. 2015-04-14 23:08:57 -05:00
William Vu e114c85044
Land #5127, x64 OS X prepend stubs 'n' stuff 2015-04-14 01:25:39 -05:00
joev 2d3614f647 Implement x64 BSD exec and exe template.
- Fixes bug in CachedSize due to all options being set
- Adds new payload to payload_spec.
2015-04-12 12:17:25 -05:00
joev ceadd1e6ec Update osx x86 payload cached sizes to be accurate.
- Right now there is a bug in the payload_spec, which causes the payload's
  datastore during the spec run to have things like 'PrependSetuid' => 'false',
  where 'false' is a string, which means 'if (datastore['PrependSetuid'])'
  branch will be taken, resulting in incorrect behavior.
2015-04-12 00:21:18 -05:00
OJ 91202e2447 Port of reverse_tcp payload to metasm 2015-04-10 17:46:27 +10:00
OJ fadb13b8ef Porting block api, exitfunk, bind to metasm
Also add the flag which lets the bind stager leave the listen socket
open.
2015-04-10 16:23:03 +10:00
OJ 809409d8c4 Lots of changes to support moving timeouts to common spots
Session expiry, comms timeout, retry total/wait are all now part of all
of the meterpreter payloads as these are going to be used for
maintaining access with resiliency and will aim for consistency across
the payload types.
2015-04-09 17:57:43 +10:00
OJ bc5fd4b813 A few adjustments to make bind_tcp keep listen sockets open 2015-04-09 08:46:35 +10:00
HD Moore e7a4ee637a Port windows reverse_tcp|bind_tcp to Metasm, add error handling
Conflicts:
	lib/msf/core/payload/windows/bind_tcp.rb
	modules/payloads/stagers/windows/bind_tcp.rb

Cherry-picked form @hmoore-r7's repo.
2015-04-08 16:21:10 +10:00
OJ 9ebcb27929 Merge branch 'upstream/master' into connection-recovery 2015-04-08 15:48:21 +10:00
OJ a9804dff62 Initial work to support fault-tolerant connectivity
This code adjusts the bind_tcp stager for x86 so that the listener
socket isn't close for meterpreter payloads. This means that meterpreter
can make an educated guess as to whether or not the payload was a bind
or tcp payload, and from there can attempt to establish communications
in the same way as before should something break along the way.

Some simple adjustments to the x64 meterpreter stage as well, but more
to come here.
2015-04-08 14:41:32 +10:00
OJ 9fd40870d0 Update http(s) generator functions
Methods now require a hash. I went with the hash because 1) that's what
we seem to use everywhere else, and 2) I couldn't get the new keyword
arguments working nicely with the block syntax (I'm clearly stupid).
2015-04-08 07:56:54 +10:00
OJ 8f58e08c13 Add support for stageless reverse_http payloads
This includes both x64 and x86.
2015-04-07 11:01:24 +10:00
HD Moore 78c73cc2a3 Update cached sizes with the new uri defaults 2015-04-05 22:11:12 -05:00
HD Moore c9696d3f6c Merge in stageless/transport work, deconflict 2015-04-04 11:52:26 -07:00
OJ fd043d4842 Fix up build and missing uri_checksum stuff
Somehow this made it into a merge when it shouldn't have. This fix moves
the URI checksum module to where it needs to be and updates all the
references where required. This will result in a class with the dynamic
transport branch, but I can fix that after.
2015-04-03 13:42:25 +10:00
HD Moore 34ff94e0da Fix the proxy user/pass options 2015-03-31 15:49:43 -05:00
HD Moore a39ba05383 Functional Payload UUID embedding via PayloadUUIDSeed 2015-03-31 15:44:18 -05:00
OJ 253e5d7dff Include correct module, remove specified encoder type 2015-03-31 07:23:51 +10:00
OJ c28cc66398 Add x64 bind_tcp and reverse_ipv6_tcp
Also fix up a couple of modules to use Metasploit4 instead of
Metasploit3.
2015-03-30 18:59:30 +10:00
OJ 26792975eb Refactor of code to reduce duplication
Add mixin for the stageless http preparation
2015-03-30 13:18:56 +10:00
OJ f8851551c5 Add initial x64 stageless meterrpeter module 2015-03-30 11:23:51 +10:00
OJ ce8f6d72e1 More work on x64 stageless
Testing with HD's new changes that allow for generation of larger x64
payloads
2015-03-30 09:51:04 +10:00
OJ 17dc2b184d Merging upstream/master 2015-03-30 09:12:20 +10:00
Brent Cook e0568e95c2
Land #4978 @zerosteiner adds reverse https for python meterpreter 2015-03-26 19:16:46 -05:00
Spencer McIntyre 10e8cefd6d Pymet dont validate ssl certs for 2.7.9/3.4.3 2015-03-25 19:49:42 -04:00
OJ 24d74b26e3 Beginning work for stageless x64 meterpreter 2015-03-24 06:50:06 +10:00
OJ 9c9d333a1b Create verify ssl mixin, adjust some formatting 2015-03-23 13:21:08 +10:00
Spencer McIntyre a407bc8d65 Fix the reverse_https stager CachedSize for the spec 2015-03-21 13:05:44 -04:00
Spencer McIntyre 7282968d8a Python reverse HTTPS stager 2015-03-21 12:43:14 -04:00
oj@buffered.io fd4ad9bd2e Rework changes on top of HD's PR
This commit removes duplication, tidies up a couple of things and puts
some common code into the x509 module.
2015-03-20 13:06:57 +10:00
OJ 7b4161bdb4 Update code to handle cert validation properly
This code contains duplication from HD's PR. Once his has been landed
this code can be fixed up a bit so that duplication is removed.
2015-03-20 12:52:47 +10:00
OJ 7899881416 Update POSIX bins from master 2015-03-19 14:50:14 +10:00
HD Moore 346b1d539f Revert Java back to static size for cache purposes (less cpu usage on startup) 2015-03-18 16:24:01 -05:00
HD Moore 33bbf7cb7e Dynamic URI generation for python/java http(s) stagers 2015-03-18 16:08:11 -05:00
rwhitcroft 7ae97393e0 fix x64/reverse_https stager shellcode 2015-03-18 15:34:31 -04:00
HD Moore b62da42927 Merge branch 'master' into feature/add-proxies-to-wininet 2015-03-18 01:51:15 -05:00
HD Moore ef443c83b9 Fix overgreed search/replace 2015-03-18 01:21:53 -05:00
HD Moore f7a06d8e44 Rework PROXY_{HOST|PORT|TYPE|USERNAME|PASSWORD) to the new syntax 2015-03-18 01:15:32 -05:00
HD Moore 87a489907c Place an IPv6 proxy IP between brackets 2015-03-18 01:01:16 -05:00
HD Moore 259db269bd Remove user/pass and invalid class from the options 2015-03-18 01:01:16 -05:00
HD Moore 2ab14e7e79 Adds IPv6 and option-related issues with the previous patch 2015-03-18 01:01:10 -05:00
HD Moore 0601946830 Don't mandate and default PROXY_HOST (miscopy from the proxy stager) 2015-03-18 01:00:04 -05:00
HD Moore 85fb534e63 Fix up the offset detection again, cleanup redundant code 2015-03-18 00:59:25 -05:00
HD Moore 2f13988d7b Use OptPort vs OptInt and cleanup the description 2015-03-18 00:59:25 -05:00
HD Moore a01be365b0 Rework PROXYHOST/PROXYPORT to PROXY_HOST/PROXY_PORT
This also cleans up the windows reverse_https_proxy stager.
2015-03-18 00:59:13 -05:00
Brent Cook abb8a32e68 update spec for dynamic meterpreter payloads 2015-03-16 18:08:13 -05:00
HD Moore 7e89281485 Adds proxy (with authentication) support to reverse_http(s) 2015-03-16 00:03:31 -05:00
Brent Cook b68e05e536
Land #4914, @hmoore-r7 and @BorjaMerino winhttp stagers 2015-03-13 08:24:11 -05:00
OJ 35cfdf051a Add support for meterpreter_reverse_ipv6_tcp
New payload added, makes use of existing functionality.
2015-03-13 20:15:31 +10:00
HD Moore 744b1a680e Reworks how payload prepends work internally, see #1674 2015-03-12 02:30:06 -05:00
OJ 345b5cc8e1 Add stageless meterpreter support
This commit adds plumbing which allows for the creation of stageless
meterpreter payloads that include extensions. The included transprots at
this point are bind_tcp, reverse_tcp and reverse_https, all x86.

More coming for x64. Will also validate http soon.
2015-03-12 13:22:04 +10:00
HD Moore c3f2536ef6 Make the stager clear in the payload descriptions 2015-03-11 21:30:02 -05:00
HD Moore b105a88b95 Fix https convention 2015-03-11 21:26:31 -05:00
HD Moore 8bae58d631 Updated cache sizes 2015-03-11 21:25:12 -05:00
HD Moore 1135e5e073 First take on WinHTTP stagers, untested 2015-03-11 16:27:14 -05:00
HD Moore 7e3b4017f0 Rename and resynced with master, ready for refactoring 2015-03-11 14:36:27 -05:00
HD Moore ea1bc69e2e Merge branch 'master' into feature/add-reverse_winhttp-stagers 2015-03-11 14:29:34 -05:00
Brent Cook ceeee4446f
Land #4904, @hmoore-r7 reworks reverse_http/s stagers
They are now assembled dynamically and support more flexible options,
such as long URLs.
2015-03-11 10:41:59 -05:00
HD Moore ad39adf9c2 Missing comma 2015-03-11 00:49:07 -05:00
HD Moore a89926b663 Exclude vncinject from http stagers (depends on sockedi) 2015-03-11 00:46:04 -05:00
Brent Cook 9ade107325 disable reverse_http methods from upexec and shell payloads
These don't work over http and don't appear to have ever, as far back as
I could test. They appear to be an accident perhaps.
2015-03-10 17:08:58 -05:00
HD Moore db351317a5 Merge with PR branch 2015-03-10 14:08:35 -05:00
HD Moore 0f763c2cb3 First step to reworking the winhttp stagers 2015-03-10 14:07:25 -05:00
Borja Merino 991e72a4fa HTTP stager based on WinHttp 2015-03-10 13:40:16 -05:00
HD Moore 966848127a Refactor x86 Windows reverse_http and reverse_https stagers 2015-03-10 12:48:30 -05:00
HD Moore 618fbf075a Update CachedSize for the fixed stager 2015-03-09 16:57:14 -05:00
HD Moore 746f18d9bb Fallback to a localhost variant to make the length predictable 2015-03-09 16:56:25 -05:00
HD Moore 6543c3c36f Update CachedSize for the fixed stager 2015-03-09 16:54:57 -05:00
HD Moore c676ac1499 Fallback to a localhost variant to make the length predictable 2015-03-09 16:53:28 -05:00
HD Moore d0324e8ad3 Final cleanup, passing specs 2015-03-09 15:50:57 -05:00
HD Moore da81f6b2a0 Correct the :dynamic cache sizes 2015-03-09 15:44:14 -05:00
HD Moore 02509d02e4 The result of running ./tools/update_payload_cached_sizes.rb 2015-03-09 15:31:04 -05:00
William Vu a648e74c4b Remove unnecessary semicolon 2015-03-02 15:36:45 -06:00
William Vu 80169de4d0 Remove -i from shell in reverse_python 2015-03-02 15:29:50 -06:00
Brent Cook 5297ebc1a1 Merge branch 'master' into land-1396-http_proxy_pstore
Bring things back to the future
2015-02-20 08:50:17 -06:00
Brent Cook 91b4a59fc7 msftidy fixes 2015-02-20 08:42:54 -06:00
Tod Beardsley bae19405a7
Various grammar, spelling, word choice fixes 2015-01-26 11:00:07 -06:00
Borja Merino d14413579c HTTP stager based on WinHttp 2015-01-19 13:01:56 +01:00
eyalgr 7a2f0553a8 Update reverse_tcp.rb
prevent over-reading from socket
2015-01-18 17:32:53 +02:00
eyalgr 9c12fcc2f1 Update bind_tcp.rb
Read exactly l bytes
2015-01-18 15:42:09 +02:00
eyalgr 18e15a109a Update bind_tcp.rb
Prevent over reading from socket
2015-01-18 15:35:56 +02:00
Borja Merino 9791acd0bf Add stager ipknock shellcode (PR 2) 2014-12-27 22:03:45 +01:00
William Vu 93be828738
Fix invalid URL in splat 2014-12-22 11:26:20 -06:00
William Vu f1b9862665
Align shellcode in bind_hidden_tcp 2014-12-22 11:17:14 -06:00
root 9a7e431a4a New block_api applied 2014-12-22 17:21:13 +01:00
Peregrino Gris 42636fb3c0 Handler and block_hidden_bind_tcp deleted 2014-12-22 17:21:13 +01:00
root fa8e944e34 AHOST OptAddress moved to the payload 2014-12-22 17:21:11 +01:00
Peregrino Gris c0fa8c0e3f Add stager for hidden bind shell payload 2014-12-22 17:21:11 +01:00
sinn3r 2c0c732967 Fix #4414 & #4415 - exitfunc and proper null-terminated string
This patch fixes the following for messagebox.rb

Issue 1 (#4415)
When exitfunc is none, the payload will not be able to generate
due to an "invalid opcode" error.

Issue 2: (#4414)
After "user32.dll" is pushed onto the stack for the LoadLibrary
call, the payload does not actually ensure bl is a null byte, it
just assumes it is and uses it to modify the stack to get a
null-terminated string.

Fix #4414
Fix #4415
2014-12-19 03:19:06 -06:00
HD Moore e3943682a2
Improves linux/armle payloads, lands #3315 2014-12-13 18:27:14 -06:00
HD Moore 5a645c5eba Stagers updated from source 2014-12-13 12:50:47 -06:00
HD Moore 92490ab5e8 Singles updated from the source 2014-12-13 12:22:07 -06:00
Tod Beardsley 79f2708a6e
Slight fixes to grammar/desc/whitespace
Note that the format_all_drives module had a pile of CRLFs that should
have been caught by msftidy. Not sure why it didn't.
2014-12-04 13:11:33 -06:00
HD Moore fc96d011ab
Python reverse_http stager, lands #4225 2014-12-02 11:47:31 -06:00
HD Moore 7fe72fd118 Cosmetic tweaks for #4225 2014-12-02 11:47:14 -06:00