Commit Graph

774 Commits (8f2e444aca057869d1d42c317aadebf7201d0917)

Author SHA1 Message Date
sinn3r 660c97f512 Add module for reverse zsh payload
For #1985
2013-06-20 13:40:17 -05:00
jvazquez-r7 b20a38add4 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-06-10 12:22:52 -05:00
Tod Beardsley f58e279066 Cleanup on module names, descriptions. 2013-06-10 10:52:22 -05:00
jvazquez-r7 e5a17ba227 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-06-05 09:41:23 -05:00
William Vu 1596fb478a Land #1886, awk bind shell 2013-06-05 09:05:37 -05:00
William Vu 8ffa4ac9ac Land #1885, awk reverse shell 2013-06-05 09:04:49 -05:00
Roberto Soares Espreto f6977c41c3 Modifications done in each PR. 2013-06-05 07:55:05 -03:00
Roberto Soares Espreto b20401ca8c Modifications done in each PR. 2013-06-05 07:51:10 -03:00
Roberto Soares Espreto 34243165c5 Some changes with improvements. 2013-06-04 21:22:10 -03:00
Roberto Soares Espreto e2988727fb Some changes with improvements. 2013-06-04 21:10:51 -03:00
Roberto Soares Espreto d9609fb03e Was breaking with repeated commands 2013-05-31 18:44:48 -03:00
jvazquez-r7 48b14c09e3 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-05-31 01:12:46 -05:00
Tod Beardsley 9c771435f2 Touchup on author credit 2013-05-30 16:13:40 -05:00
Tod Beardsley 67128a3841 Land #1821, x64_reverse_https stagers 2013-05-30 13:55:13 -05:00
jvazquez-r7 3361a660ba Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-05-29 22:01:36 -05:00
Roberto Soares Espreto 00debd01c6 Listen for a connection and spawn a command shell via AWK 2013-05-29 21:22:49 -03:00
Roberto Soares Espreto d4a864c29f Creates an interactive shell via AWK (reverse) 2013-05-29 21:19:08 -03:00
jvazquez-r7 07c99f821e Land #1879, @dcbz ARM stagers 2013-05-29 17:43:37 -05:00
jvazquez-r7 7c41e239b4 Fix author name 2013-05-29 14:19:10 -05:00
jvazquez-r7 52aae8e04c Add small fixes for stagers 2013-05-29 14:01:59 -05:00
dcbz 2c0f0f5f04 Changed reverse payload as suggested. 2013-05-28 21:52:16 -05:00
dcbz 07c3565e3c Made changes as suggested, forgot to remove exit() after testing was complete. 2013-05-28 21:31:36 -05:00
jvazquez-r7 66ea59b03f Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-05-28 15:22:46 -05:00
James Lee 9843dc4cb4 Land #1708, android meterpreter
Conflicts:
	data/meterpreter/ext_server_stdapi.jar
2013-05-28 12:19:45 -05:00
dcbz a53ab4cff9 Moved dupandexecve.rb to shell.rb due to pull request coments. 2013-05-20 17:05:57 -05:00
dcbz 9c0814505a Added reverse stager. 2013-05-17 21:52:10 -05:00
dcbz 14d5111b37 Added a sample stage + updated bind stager. 2013-05-17 21:03:03 -05:00
dcbz ad95eff9d4 added bind_tcp.rb 2013-05-17 12:09:45 -05:00
agix 6db1fea6b9 create x64_reverse_https stagers 2013-05-13 01:41:56 +02:00
Michael Schierl a13cf53b9f Android Meterpreter bugfixes
- classes.dex gets mangled on windows; use binary mode when reading it
- UnknownHostExceptions on API Level 3 emulator because of trailing
  whitespace after the hostname/IP
- Work around integer overflow at year 2038 when signing the payload
2013-05-01 18:01:37 +02:00
jvazquez-r7 a4632b773a Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-04-28 12:59:16 -05:00
sinn3r 1d9a695d2b Landing #1772 - Adds phpMyadmin Preg_Replace module (CVE-2013-3238)
[Closes #1772]
2013-04-28 12:17:16 -05:00
James Lee 9c8b93f1b7 Make sure LPORT is a string when subbing
* Gets rid of conversion errors like this:
    [-] Exploit failed: can't convert Fixnum into String
* also removes comments from php meterp. Works for me with the
  phpmyadmin_preg_replace bug, so seems legit.
2013-04-26 15:26:31 -05:00
James Lee 6767eee08a Add in-line signing
Signing the generated APK in the module means users don't have to have
keytool or jarsigner to create a working package.

Example usage:
  ./msfvenom -p android/meterpreter/reverse_tcp \
    LHOST=192.168.99.1 LPORT=2222 -f raw > meterp.apk
  adb install ./meterp.apk
2013-04-25 13:57:54 -05:00
jvazquez-r7 cc35591723 Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-04-15 17:43:15 -05:00
Tod Beardsley be39079830 Trailing whitespace fix
Note that this commit needed a --no-verify because of the erroneous
check in msftidy for writing to stdout. The particular syntax of this
payload makes it look like we're doing that when we're really not.

So don't sweat it.
2013-04-15 13:58:06 -05:00
Tod Beardsley efdf4e3983 Lands #1485, fixes for Windows-based Ruby targets 2013-04-15 13:56:41 -05:00
timwr df9c5f4a80 remove unused resources and fix whitespace 2013-04-13 16:22:52 +01:00
timwr 32bd812bdb android meterpreter 2013-04-12 18:57:04 +01:00
jvazquez-r7 9c0862ad7b Merge branch 'master' of https://github.com/rapid7/metasploit-framework 2013-04-11 21:53:07 +02:00
James Lee e3eef76372 Land #1223
This adds rc4-encrypting stagers for Windows.

[Closes #1223]
2013-04-10 12:14:52 -05:00
James Lee 6c980981db Break up long lines and add magic encoding comment 2013-04-10 09:28:45 -05:00
Tod Beardsley e149c8670b Unconflicting ruby_string method
Looks like the conflict was created by the msftidy fixes that happened
over on the master branch. No big deal after all.
2013-03-20 15:49:23 -05:00
jvazquez-r7 6603dcd652 up to date 2013-03-12 17:04:13 +01:00
jvazquez-r7 627e7f6277 avoiding grouping options 2013-03-11 18:26:03 +01:00
jvazquez-r7 f0cee29100 modified CommandDispatcher::Exploit to have the change into account 2013-03-11 18:08:46 +01:00
jvazquez-r7 c9268c3d54 original modules renamed 2013-03-11 18:04:22 +01:00
James Lee 2160718250 Fix file header comment
[See #1555]
2013-03-07 17:53:19 -06:00
RageLtMan 7f80692457 everyone will comply, resistance is futile 2013-03-06 18:38:14 -05:00
Raphael Mudge 1cc49f75f5 move flag comment to where it's used. 2013-03-03 03:26:43 -05:00
Raphael Mudge ecdb884b13 Make download_exec work with authenticated proxies
Adds INTERNET_FLAG_KEEP_CONNECTION to HttpOpenRequest flags to allow
download_exec to transparently authenticate to a proxy device through
wininet.

Fun trivia, Windows 7 systems uses Connection: keep-alive by default.
This flag benefits older targets (e.g., Windows XP).
2013-03-03 01:42:17 -05:00
Michael Schierl 4a17a30ffd Regenerate ruby modules
For shellcode changes (removed unneeded instruction) committed in
46a5c4f4bf. Saves 2 bytes per shellcode.
2013-03-03 00:14:30 +01:00
RageLtMan 3778ae09e9 This commit adds DNS resolution to rev_tcp_rc4
Due to the modular structure of payload stages its pretty trivial
to add DNS resolution instead of hard-coded IP address in stage0.

The only real complication here is that ReverseConnectRetries ends
up being one byte further down than in the original shellcode. It
appears that the original rev_tcp_dns payload suffers from the same
issue.

Hostname substitution is handled in the same method as the RC4 and
XOR keys, with an offset provided and replace_vars ignoring the
hostname.

Tested in x86 native and WOW64 on XP and 2k8r2 respectively.

This is a good option for those of us needing to leave persistent
binaries/payloads on hosts for long periods. Even if the hostname
resolves to a malicious party attempting to steal our hard earned
session, they'd be hard pressed to crypt the payload with the
appropriate RC4 pass. So long as we control the NS and records, the
hardenned shellcode should provide a better night's sleep if running
shells over the WAN. Changing the RC4 password string in the
shellcode and build.py should reduce the chances of recovery by RE.

Next step will likely be to start generating elipses for ECDH SSL
in meterpreter sessions and passing them with stage2 through the
RC4 socket. If P is 768-1024 the process is relatively quick, but
we may want to precompute a few defaults as well to have 2048+.
2013-02-28 02:59:20 -05:00
Raphael Mudge 788c96566f Allow HTTP stager to work with authenticated proxies
The HttpOpenRequest function from WinINet requires the
INTERNET_FLAG_KEEP_CONNECTION flag to communicate through an
authenticated proxy.

From MSDN ( http://tinyurl.com/chwt86j ):

"Uses keep-alive semantics, if available, for the connection. This
 flag is required for Microsoft Network (MSN), NT LAN Manager (NTLM),
 and other types of authentication."

Without this flag, the HTTP stager will fail when faced with a proxy
that requires authentication. The Windows HTTPS stager does not have
this problem.

For HTTP Meterpreter to communicate through an authenticated proxy a
separate patch will need to be made to the Meterpreter source code.
This is at line 1125 of source/common/core.c in the Meterpreter source
code.

My motivation for this request is for windows/dllinject/reverse_http
to download a DLL even when faced with an authenticated proxy. These
changes accomplish this.

Test environment:

I staged a SmoothWall device with the Advanced Proxy Web Add-on. I
enabled Integrated Windows Authentication with a W2K3 DC. I verified
the HTTP stager authenticated to and communicated through the proxy
by watching the proxy access.log
2013-02-24 17:33:00 -05:00
James Lee c423ad2583 Merge branch 'master' of github.com:rapid7/metasploit-framework into rapid7 2013-02-21 15:30:43 -06:00
jvazquez-r7 04ec4e432d minor cleanup for shell_bind_tcp 2013-02-20 01:02:58 +01:00
jvazquez-r7 3d199fe6db Merge branch 'mipsle-shell_bind_tcp' of https://github.com/kost/metasploit-framework into kost-mipsle-shell_bind_tcp 2013-02-20 01:00:34 +01:00
sinn3r e9f4900beb Merge branch 'fixgenericcustom' of github.com:rsmudge/metasploit-framework into rsmudge-fixgenericcustom 2013-02-19 14:47:18 -06:00
Raphael Mudge 06ba2ef791 Allow generic/custom payload to generate an exe
The datastore value of ARCH has no effect on the array of
architectures the generic/custom payload is compatible with.
This commit forces the payload to update its list of compatible
architectures on generation if the ARCH value is set in the
datastore.

See:

http://dev.metasploit.com/redmine/issues/7755
2013-02-17 20:39:54 -05:00
HD Moore cae6661574 Handle invalid commands gracefully (dont exit) 2013-02-12 11:33:23 -08:00
HD Moore 4c2bddc452 Fix a typo and always treat ports as integers: 2013-02-12 08:59:11 -08:00
HD Moore a33d1ef877 This allows the ruby payloads to work properly on Windows 2013-02-12 08:55:37 -08:00
HD Moore 47f3c09616 Fix typo that snuck in during merge 2013-02-03 17:38:19 -06:00
HD Moore 5be4d41420 This is redundant/less-reliable than reverse_openssl 2013-02-03 17:35:14 -06:00
RageLtMan ffb88baf4a initial module import from SV rev_ssl branch 2013-02-03 15:06:24 -05:00
HD Moore c3801ad083 This adds an openssl CMD payload and handler 2013-02-03 04:44:25 -06:00
James Lee 92c736a6a9 Move fork stuff out of exploit into payload mixin
Tested xml against 3.2.10 and json against 3.0.19
2013-01-28 21:34:39 -06:00
Kacper Nowak f691652594 attempt to fix cmd/windows/reverse_perl payload 2013-01-23 11:21:44 +00:00
scriptjunkie 52251867d8 Ensure Windows single payloads use payload backend
This means the singles that define their own assembly will use the payload backend to generate it.
2013-01-18 16:34:39 -06:00
James Lee c89b2b2ec6 Once more, with feeling 2013-01-10 15:29:54 -06:00
James Lee 7fd3440c1a Fix hd's attempt to rename ruby payloads 2013-01-10 15:25:50 -06:00
James Lee 4fcb8b6f8d Revert "Rename again to be consistent with payload naming"
This reverts commit 0fa2fcd811.
2013-01-10 15:24:25 -06:00
HD Moore 0fa2fcd811 Rename again to be consistent with payload naming 2013-01-10 14:16:37 -06:00
HD Moore 88b08087bf Renamed and made more robust 2013-01-10 14:05:29 -06:00
HD Moore e05f4ba927 Thread wrappers were causing instant session closure 2013-01-10 00:41:58 -06:00
HD Moore 4c1e501ed0 Exploit for CVE-2013-0156 and new ruby-platform modules 2013-01-09 23:10:13 -06:00
Christian Mehlmauer 8f2dd8e2ce msftidy: Remove $Revision$ 2013-01-04 00:48:10 +01:00
Christian Mehlmauer 25aaf7a676 msftidy: Remove $Id$ 2013-01-04 00:41:44 +01:00
Michael Schierl 269e507f68 Add stager modules for RC4 bind and reverse stagers
See the commit message of my last commit for caveats.
2012-12-31 22:33:30 +01:00
sinn3r 0822e8eae2 Merge branch 'kost-mipsle-shell_reverse_tcp' 2012-12-24 10:52:19 -06:00
jvazquez-r7 26f561795d fix cmd windows ruby payloads 2012-12-20 00:50:02 +01:00
sinn3r 7145078e63 Merge branch 'mipsle-shell_reverse_tcp' of git://github.com/kost/metasploit-framework into kost-mipsle-shell_reverse_tcp 2012-12-18 11:50:41 -06:00
Raphael Mudge 482846942a Fix: download_exec appends an extra / to request
The download_exec module parses the provided URL and appends an
unnecessary, nay--damaging I say!!!! '/' to the parsed URI. This
renders the module unusable for those who want a payload to
download and execute a file.

Before and after access.log snippets are in the redmine ticket

http://dev.metasploit.com/redmine/issues/7592
2012-12-12 14:01:31 -06:00
Vlatko Kosturjak 4ac79c91a6 Remove spaces at EOL 2012-11-17 12:00:59 +01:00
sinn3r 8648d21b3c Merge branch 'dns_txt_query_exe' of git://github.com/corelanc0d3r/metasploit-framework into corelanc0d3r-dns_txt_query_exe 2012-11-16 11:52:57 -06:00
corelanc0d3r 0bf92b5d97 improved payload dns_txt_query_exec 2012-11-13 00:55:32 +01:00
corelanc0d3r cad7eb0130 renamed and optimized download_exec payload 2012-11-13 00:02:49 +01:00
Vlatko Kosturjak bda7f68b02 Add zero byte on the end of the /bin/sh string 2012-11-08 02:00:49 +01:00
Vlatko Kosturjak ce82b37289 Few removals of unneccessary zero bytes in sc 2012-10-28 21:22:33 +01:00
Vlatko Kosturjak 2affb31958 Initial import of linux-mipsle shell_bind_tcp 2012-10-28 20:51:45 +01:00
Daniel Miller 8deead3bd2 Fix payload ambiguity with php/bind_tcp_ipv6 stager
Was seeing this in framework.log:

[w(0)] core: The module php/meterpreter/bind_tcp is ambiguous with
php/meterpreter/bind_tcp.

Added handler_type_alias based on windows/bind_ipv6_tcp stager.
2012-10-23 12:31:14 -05:00
sinn3r 201518b66f msftidy corrections 2012-10-17 17:22:26 -05:00
jvazquez-r7 6f227dddff Related to #885 , allow Prepend* for osx/x86/exec payload 2012-10-16 16:26:18 +02:00
HD Moore 64f29952dc Merge branch 'master' into feature/updated-mobile 2012-10-07 00:32:02 -05:00
sinn3r 02617a6f3a Merge branch 'feature/redmine-7224-shellcode-cleanup' of https://github.com/jlee-r7/metasploit-framework into jlee-r7-feature/redmine-7224-shellcode-cleanup 2012-10-04 00:43:34 -05:00
Tod Beardsley a38724f53b Adds an apparently spurious require
SeeRM #7276

Sticking this in a branch for now while I ask Egypt and limhoff for a
second opinion.
2012-10-01 07:49:58 -05:00
Tod Beardsley 60b4190e4a Avoids a race on requires
Applies Raphael's patch.

[FixRM #7261]
2012-09-27 13:18:50 -05:00
sinn3r c0387f1441 Have a matching option like the post module
And make sure nemo won't get harassed by people because they
think he hacked into everyone's mac.
2012-09-24 18:33:13 -05:00
sinn3r 2769a88f9e Code cleanup 2012-09-24 17:47:14 -05:00
dcbz 202a78dd3f Added say.rb: uses /usr/bin/say to output a string 2012-09-22 09:13:29 -05:00
dcbz 09b8a6d87f Added reverse_tcp stager payload, and updated bind 2012-09-22 08:31:42 -05:00
dcbz 81ceff7370 Added a tcp stager, and a small exec for testing 2012-09-22 07:24:51 -05:00
dcbz dccb8d235d Adding OSX 64-bit find-tag module. 2012-09-21 15:39:35 -05:00
sinn3r 776d24d8a9 cleanup 2012-09-20 16:16:30 -05:00
sinn3r 311c01be46 Cleanup, improve option handlingg 2012-09-20 16:14:15 -05:00
dcbz f5df7e0e8a Added 2 payload modules (reverse and bind tcp shells) 2012-09-19 16:59:26 -05:00
Ramon de C Valle 11f82de098 Update author information 2012-09-19 14:00:51 -03:00
James Lee 3c6319b75f Add nonx stagers for linux
[See #784]
2012-09-13 15:15:38 -05:00
James Lee f38ac954b8 Update linux stagers for NX compatibility
- Adds a call to mprotect(2) to the reverse and bind stagers

- Adds accurate source for some other linux shellcode, including some
  comments to make it more maintainable

- Adds tools/module_payload.rb for listing all payloads for each exploit
  in a greppable format. Makes it easy to find out if a payload change
  causes a payload to no longer be compatible with a given exploit.

- Missing from this commit is source for reverse_ipv6_tcp
2012-09-12 18:44:00 -05:00
HD Moore c901002e75 Add ssh login module for cydia / ios defaults 2012-09-10 19:36:20 -05:00
James Lee 828f37701d Fix linux shell_bind_tcp payload
It was calling bind(2) with a family of 0x02ff, which makes no sense and
causes execution to fall off the end and segfault.  Fix it by replacing
0x02ff with the appropriate 0x0002, or AF_INET.

[Fixrm #7216]
2012-09-04 04:23:48 -05:00
Tod Beardsley a93c7836bd Fixes load order with reverse http
This was originally intended to fix #664.

SEERM #7141 also.
2012-08-23 12:16:47 -05:00
James Lee aac56fc29b Fix load order issue
[See #664][SeeRM #7141]
2012-08-23 10:54:23 -05:00
sinn3r b3791b1545 I missed one 2012-08-14 16:51:55 -05:00
sinn3r 6a0271fb11 Correct OSX naming. See ticket #7182 2012-08-14 15:29:21 -05:00
sinn3r b46fb260a6 Comply with msftidy
*Knock, knock!*  Who's there? Me, the msftidy nazi!
2012-08-07 15:59:01 -05:00
bcoles 8d3700cc3c Add Zenoss <= 3.2.1 exploit and Python payload
- modules/exploits/linux/http/zenoss_3.2.1_showdaemonxmlconfig_exec.rb
 - modules/payloads/singles/cmd/unix/reverse_python.rb
2012-07-30 01:24:27 +09:30
HD Moore 6cdd044e10 Remove a buggy payload that doesn't have NX support 2012-07-12 12:15:57 -05:00
jvazquez-r7 59bb9ac23b quoting ip to avoid php complaining 2012-06-25 18:52:26 +02:00
Michael Schierl 34ecc7fd18 Adding @schierlm 's AES encryption for Java
Tested with and without AES, works as advertised. Set an AESPassword,
get encryptification. Score.

Squashed commit of the following:

commit cca6c5c36ca51d585b8d2fd0840ba34776bc0668
Author: Michael Schierl <schierlm@gmx.de>
Date:   Wed Apr 4 00:45:24 2012 +0200

    Do not break other architectures
    even when using `setg AESPassword`

commit 422d1e341b3865b02591d4c135427903c8da8ac5
Author: Michael Schierl <schierlm@gmx.de>
Date:   Tue Apr 3 21:50:42 2012 +0200

    binaries

commit 27368b5675222cc1730ac22e4b7a387b88d0d2b3
Author: Michael Schierl <schierlm@gmx.de>
Date:   Tue Apr 3 21:49:10 2012 +0200

    Add AES support to Java stager

    This is compatible to the AES mode of the JavaPayload project.

    I'm pretty sure the way I did it in the handlers (Rex::Socket::tcp_socket_pair())
    is not the supposed way, but it works :-)
2012-06-11 16:13:25 -05:00
HD Moore 881ec8d920 Make the description clear that it only reads 4k, default datastore['FD'] to 1 2012-06-10 13:20:02 -05:00
sinn3r 15fa178a66 Add the MSF license text (since MSF_LICENSE is already set) 2012-06-10 02:07:27 -05:00
linuxgeek247 2b67c5132c Adding read_file linux shellcode 2012-06-09 20:36:47 -04:00
sinn3r 462a91b005 Massive whitespace destruction
Remove tabs at the end of the line
2012-06-06 00:44:38 -05:00
sinn3r 3f0431cf51 Massive whitespace destruction
Remove whitespace found at the end of the line
2012-06-06 00:36:17 -05:00
sinn3r c30af98b53 Massive whitespace destruction
Remove all the lines that have nothing but whitespace
2012-06-06 00:22:36 -05:00
sinn3r 2565888ec5 Change how we handle the password complexity failure 2012-06-03 13:13:44 -05:00
Chris John Riley a51df5fc3a Altered description to include information on the password complexity check
Altered the default password to meet the complexity checks

Note: The complexity checks (even if they fail) don't prevent the payload from running. At this point it only raises an warning and continues on. I can change this if it's more desirable however!
2012-06-03 09:22:48 +02:00
Chris John Riley ea66deb779 Added WMIC and complexity checks 2012-06-02 19:41:12 +02:00
Chris John Riley bada88cdf0 Added WMIC and complexity checks 2012-06-02 19:38:37 +02:00
Tod Beardsley 86500aad47 Author is always singular. 2012-05-08 08:47:52 -05:00
HD Moore 1a30e221a0 See #362 by changing the exitfunc arguments to be the correct type 2012-05-07 02:42:29 -05:00
James Lee dd7bc23d16 Whitespace 2012-05-02 18:06:39 -06:00
Tod Beardsley bd4819e8f2 Merge pull request #238 from mak/linux-x64-find-port
linux/x64/shell_find_port payload
2012-03-29 05:54:54 -07:00
Tod Beardsley 8fbf4cf6d9 Grammar on dns_txt_query_exec payload name and desc 2012-03-26 16:23:54 -05:00
sinn3r 182f3744de Cosmetic cleanup 2012-03-26 09:23:14 -05:00
corelanc0d3r ad32911b1a probably safer to use regex 2012-03-26 09:01:40 -05:00
James Lee 2d29184adc Use interpolation to ensure LPORT is a string for gsub
[Fixes #6542]
2012-03-21 21:05:05 -06:00
Tod Beardsley 31228ed65a Comment indentation 2012-03-21 15:21:10 -05:00
Peter Van Eeckhoutte 89d7363a8f fixed crash 2012-03-21 10:39:05 +01:00
Peter Van Eeckhoutte f81730a7e1 changes to the way jmp to payload is done 2012-03-21 09:52:22 +01:00
corelanc0d3r 45ef7fc35d reset author 2012-03-20 20:43:56 +01:00
Peter Van Eeckhoutte a3035dc6d0 Adding corelandc0d3r's http/https/ftp payload
Picks up the one http/https/ftp payload, but not the other two DNS
payloads listed as part of the original pull request.

[Closes #173]
2012-03-19 16:50:59 -05:00
sinn3r aeb691bbee Massive whitespace cleanup 2012-03-18 00:07:27 -05:00
Maciej Kotowicz 0389e47dfe fix little mistake 2012-03-15 16:21:00 +01:00
Maciej Kotowicz f91b894375 added posibilities for generating payload from asm to more arch's
added linux/x64/shell_find_port payload
2012-03-14 22:39:56 +01:00
Joshua J. Drake ab01a19f92 Fixes #6483: Correct the include for the handler (was copypasta) 2012-03-07 11:23:44 -06:00
James Lee 70162fde73 A few more author typos 2012-03-05 13:28:46 -07:00
Tod Beardsley 6c0f8636ec Merge pull request #217 from rapid7/reverse-http-randomness
Reverse http randomness
2012-03-02 16:36:26 -08:00
HD Moore b70b41091b Tested fairly well - this randomizes the URLs and removes the user-agent string from the request 2012-03-02 17:44:23 -06:00
Tod Beardsley 96e03d2556 Merge pull request #44 from linuxgeek247/armle-bind-shell
Adding armle bind shellcode based on existing reverse shellcode
2012-03-02 14:25:43 -08:00
James Lee 624e19fd8b Merge session-host-rework branch back to master
Squashed commit of the following:

commit 2f4e8df33c5b4baa8d6fd67b400778a3f93482aa
Author: James Lee <egypt@metasploit.com>
Date:   Tue Feb 28 16:31:03 2012 -0700

    Clean up some rdoc comments

    This adds categories for the various interfaces that meterpreter and
    shell sessions implement so they are grouped logically in the docs.

commit 9d31bc1b35845f7279148412f49bda56a39c9d9d
Author: James Lee <egypt@metasploit.com>
Date:   Tue Feb 28 13:00:25 2012 -0700

    Combine the docs into one output dir

    There's really no need to separate the API sections into their own
    directory.  Combining them makes it much easier to read.

commit eadd7fc136a9e7e4d9652d55dfb86e6f318332e0
Author: James Lee <egypt@metasploit.com>
Date:   Tue Feb 28 08:27:22 2012 -0700

    Keep the order of iface attributes the same accross rubies

    1.8 doesn't maintain insertion order for Hash keys like 1.9 does so we
    end up with ~random order for the display with the previous technique.
    Switch to an Array instead of a Hash so it's always the same.

commit 6f66dd40f39959711f9bacbda99717253a375d21
Author: James Lee <egypt@metasploit.com>
Date:   Tue Feb 28 08:23:35 2012 -0700

    Fix a few more compiler warnings

commit f39cb536a80c5000a5b9ca1fec5902300ae4b440
Author: James Lee <egypt@metasploit.com>
Date:   Tue Feb 28 08:17:39 2012 -0700

    Fix a type-safety warning

commit 1e52785f38146515409da3724f858b9603d19454
Author: James Lee <egypt@metasploit.com>
Date:   Mon Feb 27 15:21:36 2012 -0700

    LHOST should be OptAddress, not OptAddressRange

commit acef978aa4233c7bd0b00ef63646eb4da5457f67
Author: James Lee <egypt@metasploit.com>
Date:   Sun Feb 26 17:45:59 2012 -0700

    Fix a couple of warnings and a typo

commit 29d87f88790aa1b3e5db6df650ecfb3fb93c675b
Author: HD Moore <hdm@digitaloffense.net>
Date:   Mon Feb 27 11:54:29 2012 -0600

    Fix ctype vs content_type typo

commit 83b5400356c47dd1973e6be3aa343084dfd09c73
Author: Gregory Man <man.gregory@gmail.com>
Date:   Sun Feb 26 15:38:33 2012 +0200

    Fixed scripts/meterpreter/enum_firefox to work with firefox > 3.6.x

commit 49c2c80b347820d02348d694cc71f1b3028b4365
Author: Steve Tornio <swtornio@gmail.com>
Date:   Sun Feb 26 07:13:13 2012 -0600

    add osvdb ref

commit e18e1fe97b89c3a2b8c22bc6c18726853d2c2bee
Author: Matt Andreko <mandreko@gmail.com>
Date:   Sat Feb 25 18:02:56 2012 -0500

    Added aspx target to msfvenom.  This in turn added it to msfencode as well.
    Ref: https://github.com/rapid7/metasploit-framework/pull/188
    Tested on winxp with IIS in .net 1.1 and 2.0 modes

commit e6aa5072112d79bbf8a4d2289cf8d301db3932f5
Author: Joshua J. Drake <github.jdrake@qoop.org>
Date:   Sat Feb 25 13:00:48 2012 -0600

    Fixes #6308: Fall back to 127.0.0.1 when SocketError is raised from the resolver

commit b3371e8bfeea4d84f9d0cba100352b57d7e9e78b
Author: James Lee <egypt@metasploit.com>
Date:   Tue Feb 28 17:07:42 2012 -0700

    Simplify logic for whether an inner iface has the same address

commit 5417419f35a40d1c08ca11ca40744722692d3b0d
Author: James Lee <egypt@metasploit.com>
Date:   Tue Feb 28 16:58:16 2012 -0700

    Whitespace

commit 9036875c2918439ae23e11ee7b958e30ccc29545
Author: James Lee <egypt@metasploit.com>
Date:   Tue Feb 28 16:53:45 2012 -0700

    Set session info before worrying about address

    get_interfaces can take a while on Linux, grab uid and hostname earlier
    so we can give the user an idea of what they popped as soon as possible.

commit f34b51c6291031ab25b5bfb1ac6307a516ab0ee9
Author: James Lee <egypt@metasploit.com>
Date:   Tue Feb 28 16:48:42 2012 -0700

    Clean up rdoc

commit e61a0663454400ec66f59a80d18b0baff4cb8cd9
Author: HD Moore <hd_moore@rapid7.com>
Date:   Tue Feb 28 04:54:45 2012 -0600

    Ensure the architecture is only the first word (not the full WOW64
    message in some cases)

commit 4c701610976a92298c1182eecc9291a1b301e43b
Author: HD Moore <hd_moore@rapid7.com>
Date:   Tue Feb 28 04:49:17 2012 -0600

    More paranoia code, just in case RHOST is set to whitespace

commit c5ff89fe3dc9061e0fa9f761e6530f6571989d28
Author: HD Moore <hd_moore@rapid7.com>
Date:   Tue Feb 28 04:47:01 2012 -0600

    A few more small bug fixes to handle cases with an empty string target
    host resulting in a bad address

commit 462d0188a1298f29ac83b10349aec6737efc5b19
Author: HD Moore <hd_moore@rapid7.com>
Date:   Tue Feb 28 03:55:10 2012 -0600

    Fix up the logic (reversed by accident)

commit 2b2b0adaec2448423dbd3ec54d90a5721965e2df
Author: HD Moore <hd_moore@rapid7.com>
Date:   Mon Feb 27 23:29:52 2012 -0600

    Automatically parse system information and populate the db, identify and
    report NAT when detected, show the real session_host in the sessions -l
    listing

commit 547a4ab4c62dc3248f847dd5d305ad3b74157348
Author: HD Moore <hd_moore@rapid7.com>
Date:   Mon Feb 27 22:16:03 2012 -0600

    Fix typo introduced

commit 27a7b7961e61894bdecd55310a8f45d0917c5a5c
Author: HD Moore <hd_moore@rapid7.com>
Date:   Mon Feb 27 22:11:38 2012 -0600

    More session.session_host tweaks

commit e447302a1a9915795e89b5e29c89ff2ab9b6209b
Author: HD Moore <hd_moore@rapid7.com>
Date:   Mon Feb 27 22:08:20 2012 -0600

    Additional tunnel_peer changes

commit 93369fcffaf8c6b00d992526b4083acfce036bb3
Author: HD Moore <hd_moore@rapid7.com>
Date:   Mon Feb 27 22:06:21 2012 -0600

    Additional changes to session.session_host

commit c3552f66d158685909e2c8b51dfead7c240c4f40
Author: HD Moore <hd_moore@rapid7.com>
Date:   Mon Feb 27 22:00:19 2012 -0600

    Merge changes into the new branch
2012-02-28 18:29:39 -07:00
Joshua J. Drake 65ed4bfa8b Fixes #6308: Fall back to 127.0.0.1 when SocketError is raised from the resolver 2012-02-25 13:00:48 -06:00
HD Moore ceb4888772 Fix up the boilerplate comment to use a better url 2012-02-20 19:40:50 -06:00
Tod Beardsley e371f0f64c MSFTidy commits
Whitespace fixes, grammar fixes, and breaking up a multiline SOAP
request.

Squashed commit of the following:

commit 2dfd2472f7afc1a05d3647c7ace0d031797c03d9
Author: Tod Beardsley <todb@metasploit.com>
Date:   Wed Feb 1 10:58:53 2012 -0600

    Break up the multiline SOAP thing

commit 747e62c5be2e6ba99f70c03ecd436fc444fda99e
Author: Tod Beardsley <todb@metasploit.com>
Date:   Wed Feb 1 10:48:16 2012 -0600

    More whitespace and indent

commit 12c42aa1efdbf633773096418172e60277162e22
Author: Tod Beardsley <todb@metasploit.com>
Date:   Wed Feb 1 10:39:36 2012 -0600

    Whitespace fixes

commit 32d57444132fef3306ba2bc42743bfa063e498df
Author: Tod Beardsley <todb@metasploit.com>
Date:   Wed Feb 1 10:35:37 2012 -0600

    Grammar fixes for new modules.
2012-02-01 10:59:58 -06:00
HD Moore 0c2a18d765 Fix up reverse_tcp ipv6 stager for freebsd 2012-02-01 01:41:24 -06:00
HD Moore 29d8feaa24 Use the ADDR6 type, not ADDR 2012-02-01 00:58:08 -06:00
HD Moore aed27a2f82 Add missing trailing quote 2012-02-01 00:54:42 -06:00
HD Moore 45a785fde0 Adds BSD IPv6 payloads and stagers 2012-02-01 00:54:42 -06:00
HD Moore ec5fd723ba Merge in additional IPv6 support for PHP payloads 2012-01-31 01:11:55 -06:00
Patroklos Argyroudis 4e1029ae8b Execute (execve) arbitrary command payload for Mac OS X x64 2012-01-30 11:01:57 +02:00
Patroklos Argyroudis c6eb104132 bug fix for hardcoded max command length 2012-01-23 10:24:22 +02:00
scriptjunkie 9fe18cdc86 Add x64 LoadLibraryA payload. Because it should exist. 2012-01-17 21:16:26 -06:00
sinn3r 5761035371 This payload shouldn't be in here. Instead of adding a new one, exec.rb should be fixed 2012-01-16 22:41:27 -06:00
sinn3r 17ffc06f60 Merge branch 'osx_mozilla_mchannel' of https://github.com/argp/metasploit-framework into argp-osx_mozilla_mchannel 2012-01-16 19:35:29 -06:00
sinn3r 8eee54d1d0 Add e-mail addr for corelanc0d3r (found it in auxiliary/fuzzers/ftp/client_ftp.rb) 2012-01-09 14:23:37 -06:00
Patroklos Argyroudis 5a20b7d7ac Fixed small typo 2012-01-09 14:19:00 +02:00
Patroklos Argyroudis 9a62b41ab7 Mac OS X x86 payload that executes Calculator.app 2012-01-09 12:12:20 +02:00
sinn3r b202c29153 Correct e-mail format 2011-12-29 11:27:10 -06:00
HD Moore 8dc85f1cc5 Fix up some nascent typos 2011-12-14 00:30:31 -06:00
HD Moore 866e2b6bf3 Additional IPv6 payload support 2011-12-14 00:27:38 -06:00
HD Moore 17cc89ebad Add IPv6 specific HTTP(S) handlers and payloads (simplifies
options/usage)
2011-12-11 13:26:48 -06:00
HD Moore 2d3064c1ec Default the scope ID to 0, explicitly 2011-12-10 13:46:16 -06:00
Christopher McBee 100d8803f6 Adding armle bind shellcode based on existing reverse shellcode 2011-12-05 18:16:02 -05:00
Rob Fuller c411c216c0 Solved most of msftidy issues with the /modules directory 2011-11-28 17:10:29 -06:00
Joshua Drake 62c8c6ea9f big msftidy pass, ping me if there are issues
git-svn-id: file:///home/svn/framework3/trunk@14034 4d416f70-5f16-0410-b530-b9f4589650da
2011-10-23 11:56:13 +00:00
Joshua Drake ac916baac5 Fixes #5581: Stop hardcoding MIPS reverse shell IP/port
git-svn-id: file:///home/svn/framework3/trunk@13999 4d416f70-5f16-0410-b530-b9f4589650da
2011-10-18 22:50:12 +00:00
Tod Beardsley 30ac88694f More msftidy fixes. Now I'm going to get a little more surgical to get this to move faster.
git-svn-id: file:///home/svn/framework3/trunk@13963 4d416f70-5f16-0410-b530-b9f4589650da
2011-10-17 02:58:53 +00:00
James Lee 7e4826bae4 silly patch fail
git-svn-id: file:///home/svn/framework3/trunk@13742 4d416f70-5f16-0410-b530-b9f4589650da
2011-09-16 21:11:57 +00:00
James Lee c6c133673f add reverse_https support for java meterpreter, fixes #5288; thanks mihi!
git-svn-id: file:///home/svn/framework3/trunk@13741 4d416f70-5f16-0410-b530-b9f4589650da
2011-09-16 21:10:11 +00:00
James Lee 851bc8d7b8 add a single shell payload for java, partially reverts r13213
git-svn-id: file:///home/svn/framework3/trunk@13588 4d416f70-5f16-0410-b530-b9f4589650da
2011-08-19 16:31:19 +00:00
Wei Chen 76ea2ea2a3 That was weird. Id didn't set. Trying again.
git-svn-id: file:///home/svn/framework3/trunk@13403 4d416f70-5f16-0410-b530-b9f4589650da
2011-07-29 02:31:18 +00:00
Wei Chen 9f80b8d862 These modules forgot to do svn propset
git-svn-id: file:///home/svn/framework3/trunk@13402 4d416f70-5f16-0410-b530-b9f4589650da
2011-07-29 02:28:46 +00:00
James Lee 3c261c346f add support for java/meterpreter/reverse_http. assuming i didn't miss any files, fixes #4946, thanks mihi!
git-svn-id: file:///home/svn/framework3/trunk@13213 4d416f70-5f16-0410-b530-b9f4589650da
2011-07-18 23:15:06 +00:00
Matt Weeks 7122ccbbd1 wscript necessary in certain contexts.
Also can avoid warnings in certain cases.



git-svn-id: file:///home/svn/framework3/trunk@13166 4d416f70-5f16-0410-b530-b9f4589650da
2011-07-14 02:35:33 +00:00
James Lee ff53057965 Use consistent case for Spawn option
git-svn-id: file:///home/svn/framework3/trunk@13130 4d416f70-5f16-0410-b530-b9f4589650da
2011-07-08 20:08:40 +00:00
Matt Weeks afbf445a87 Custom payload.
Fixes #4708



git-svn-id: file:///home/svn/framework3/trunk@13058 4d416f70-5f16-0410-b530-b9f4589650da
2011-06-29 01:26:24 +00:00
HD Moore 9220506ba2 Merge in recent meterpreter work. These are not the commits you are looking for (more info on what all this is later this week).
git-svn-id: file:///home/svn/framework3/trunk@13053 4d416f70-5f16-0410-b530-b9f4589650da
2011-06-28 21:26:43 +00:00
Matt Weeks 5faaa7db07 Update cmd vbs download payloads.
Use : instead of longer echo statements.
Add eval version.



git-svn-id: file:///home/svn/framework3/trunk@12912 4d416f70-5f16-0410-b530-b9f4589650da
2011-06-11 20:37:08 +00:00
HD Moore 3e0f3639ef This adds a quick windows/loadlibrary payload for folks who have a need for such things. The library path can be a UNC location and works fine over WebDAV...
git-svn-id: file:///home/svn/framework3/trunk@12765 4d416f70-5f16-0410-b530-b9f4589650da
2011-05-30 03:44:59 +00:00
Wei Chen 56b4a092d6 Added Linux x64 payloads. Modified exe.rb to support elf x64 payloads.
git-svn-id: file:///home/svn/framework3/trunk@12676 4d416f70-5f16-0410-b530-b9f4589650da
2011-05-20 23:51:19 +00:00
Stephen Fewer c48633cff0 Merge in a rewritten windows x86 reverse_ipv6_tcp stager (The previous one seems hosed since r6744 due to new host/port offsets[1] but the shellcode blob remained the same after modification[2]) - This new one uses the block_api_call technique, is 37 bytes smaller and can handle arbitrary size stages.
[1] https://dev.metasploit.com/redmine/projects/framework/repository/revisions/6744/diff/modules/payloads/stagers/windows/reverse_ipv6_tcp.rb
[2] https://dev.metasploit.com/redmine/projects/framework/repository/revisions/6744/diff/external/source/shellcode/windows/stager_reverse_ipv6_tcp_nx.asm

git-svn-id: file:///home/svn/framework3/trunk@12562 4d416f70-5f16-0410-b530-b9f4589650da
2011-05-08 01:44:08 +00:00
HD Moore 7cb8e56cfe Fix upexec handle_connection_stage arguments
git-svn-id: file:///home/svn/framework3/trunk@12511 4d416f70-5f16-0410-b530-b9f4589650da
2011-05-02 18:54:02 +00:00
Joshua Drake 94fa25ee7a remove crufty method
git-svn-id: file:///home/svn/framework3/trunk@12491 4d416f70-5f16-0410-b530-b9f4589650da
2011-05-01 22:07:49 +00:00
Mario Ceballos 0522b69de2 s instead of n
git-svn-id: file:///home/svn/framework3/trunk@12488 4d416f70-5f16-0410-b530-b9f4589650da
2011-05-01 13:31:08 +00:00
James Lee 6dd44fa516 massive keywords cleanup
git-svn-id: file:///home/svn/framework3/trunk@12196 4d416f70-5f16-0410-b530-b9f4589650da
2011-04-01 00:51:33 +00:00
HD Moore c679de9d7a Closes #3976 by merging in an ARM adduser payload from Jonathan Salwan
git-svn-id: file:///home/svn/framework3/trunk@12045 4d416f70-5f16-0410-b530-b9f4589650da
2011-03-21 01:26:14 +00:00
amaloteaux 78396e94f9 move linux meterpreter bin to the correct place
git-svn-id: file:///home/svn/framework3/trunk@11938 4d416f70-5f16-0410-b530-b9f4589650da
2011-03-11 20:29:25 +00:00
Mario Ceballos 631af16d9f revert back.
git-svn-id: file:///home/svn/framework3/trunk@11900 4d416f70-5f16-0410-b530-b9f4589650da
2011-03-08 22:48:39 +00:00
Mario Ceballos 54382c6080 patch recieved from Peter Van Eeckhout
git-svn-id: file:///home/svn/framework3/trunk@11898 4d416f70-5f16-0410-b530-b9f4589650da
2011-03-08 22:23:13 +00:00
Joshua Drake a944cbc50d style compliance fixes
git-svn-id: file:///home/svn/framework3/trunk@11612 4d416f70-5f16-0410-b530-b9f4589650da
2011-01-20 20:40:47 +00:00
HD Moore 4971a0d7af Add Skylined's "You Got Pwned" payload
git-svn-id: file:///home/svn/framework3/trunk@11485 4d416f70-5f16-0410-b530-b9f4589650da
2011-01-06 17:34:09 +00:00
James Lee f0cc6ff596 big commit for converting meterpreter scripts to modules, see #3377. also fixes payload tab-completion and 'show payloads' after TARGET has changed
git-svn-id: file:///home/svn/framework3/trunk@11421 4d416f70-5f16-0410-b530-b9f4589650da
2010-12-27 17:46:42 +00:00
Joshua Drake 32c26f18f3 style compliance fixes, set test exploits to manual rank, fix s/ranking/rank/ in some exploits
git-svn-id: file:///home/svn/framework3/trunk@11039 4d416f70-5f16-0410-b530-b9f4589650da
2010-11-14 19:03:24 +00:00
Joshua Drake a6bade8795 convert to use metasm, also fixes silly off-by-one bug
git-svn-id: file:///home/svn/framework3/trunk@11000 4d416f70-5f16-0410-b530-b9f4589650da
2010-11-11 23:07:50 +00:00
Joshua Drake 9fb0e1a0bb fix comments
git-svn-id: file:///home/svn/framework3/trunk@10995 4d416f70-5f16-0410-b530-b9f4589650da
2010-11-11 22:19:34 +00:00
James Lee 0d664c3a71 add a Spawn advanced option to java stagers, see #3009
git-svn-id: file:///home/svn/framework3/trunk@10946 4d416f70-5f16-0410-b530-b9f4589650da
2010-11-08 06:08:09 +00:00
James Lee 56839ccf36 stupid debug prints
git-svn-id: file:///home/svn/framework3/trunk@10782 4d416f70-5f16-0410-b530-b9f4589650da
2010-10-22 10:24:28 +00:00
James Lee f33d7cc670 revamp java payloads and make shells work with tomcat_mgr_deploy. tested java_trusted_chain and java_tester to verify that this doesn't break other java payload usage. see #3009 and #2973, meterpreter doesn't work yet, so not marking resolved.
git-svn-id: file:///home/svn/framework3/trunk@10781 4d416f70-5f16-0410-b530-b9f4589650da
2010-10-22 10:19:51 +00:00
Joshua Drake 04858c69fc style compliance fixes
git-svn-id: file:///home/svn/framework3/trunk@10758 4d416f70-5f16-0410-b530-b9f4589650da
2010-10-19 22:54:19 +00:00
HD Moore 79c8e18e6b Add a wfs_delay for reverse_https. This fixes #2508 and fixes #1764. This should prevent the race condition that was the root cause of both issues.
git-svn-id: file:///home/svn/framework3/trunk@10716 4d416f70-5f16-0410-b530-b9f4589650da
2010-10-17 02:33:47 +00:00
HD Moore 9902dcb9cc Fixes #2661 by removing exitfunc as a parameter, since it needs to be ExitProcess
git-svn-id: file:///home/svn/framework3/trunk@10714 4d416f70-5f16-0410-b530-b9f4589650da
2010-10-16 22:01:01 +00:00
HD Moore 5e1d181da5 Fixes #2132 by removing patchup version of vnc inject
git-svn-id: file:///home/svn/framework3/trunk@10708 4d416f70-5f16-0410-b530-b9f4589650da
2010-10-16 18:10:10 +00:00
Stephen Fewer df8b9f8e95 Merge in the IPv6 Teredo patch.
git-svn-id: file:///home/svn/framework3/trunk@10543 4d416f70-5f16-0410-b530-b9f4589650da
2010-10-04 11:02:46 +00:00
Joshua Drake 0f65deaf72 add messagebox payload from corelanc0d3r
git-svn-id: file:///home/svn/framework3/trunk@10495 4d416f70-5f16-0410-b530-b9f4589650da
2010-09-27 13:31:48 +00:00
pks 14cabd2611 Allow debugging to be enabled.
This will make it easier to hopefully track down bugs.

exploitme-posix.c - make complete stack executable. On some kernel versions, execstack doesn't do the trick.

git-svn-id: file:///home/svn/framework3/trunk@10485 4d416f70-5f16-0410-b530-b9f4589650da
2010-09-26 05:58:59 +00:00
pks 1392ef78d7 Use exit() instead of exit_group()
git-svn-id: file:///home/svn/framework3/trunk@10483 4d416f70-5f16-0410-b530-b9f4589650da
2010-09-26 05:58:41 +00:00
pks 740e2c1ab2 Change base from 0x90040000 to 0x20040000.
This is more portable across kernel versions / patches it seems. This
will be better for SEGMEXEC compatibility as well.

git-svn-id: file:///home/svn/framework3/trunk@10455 4d416f70-5f16-0410-b530-b9f4589650da
2010-09-24 04:06:28 +00:00
Joshua Drake 4590844871 tons of indentation fixes, some other style tweaks
git-svn-id: file:///home/svn/framework3/trunk@10394 4d416f70-5f16-0410-b530-b9f4589650da
2010-09-20 08:06:27 +00:00
Joshua Drake d8fb8e5c49 merge in another posix meterpreter update from philip, see #2418
git-svn-id: file:///home/svn/framework3/trunk@10307 4d416f70-5f16-0410-b530-b9f4589650da
2010-09-13 14:44:00 +00:00
Joshua Drake 5de3146533 style compliance fixes
git-svn-id: file:///home/svn/framework3/trunk@10273 4d416f70-5f16-0410-b530-b9f4589650da
2010-09-09 15:47:35 +00:00
Joshua Drake 3b67eefe4e sync up with Philip's code, see #2418
git-svn-id: file:///home/svn/framework3/trunk@10202 4d416f70-5f16-0410-b530-b9f4589650da
2010-08-31 15:10:41 +00:00
Joshua Drake 4651a0ad33 style compliance fixes
git-svn-id: file:///home/svn/framework3/trunk@10160 4d416f70-5f16-0410-b530-b9f4589650da
2010-08-26 20:21:41 +00:00
Joshua Drake 2d14c0054f add two contributed linux armle payloads, thx guys!
git-svn-id: file:///home/svn/framework3/trunk@10152 4d416f70-5f16-0410-b530-b9f4589650da
2010-08-25 21:44:33 +00:00
Joshua Drake d7e9a25bc7 add two windows cmd payloads from scriptjunkie, fixes #1876
git-svn-id: file:///home/svn/framework3/trunk@10122 4d416f70-5f16-0410-b530-b9f4589650da
2010-08-23 22:50:24 +00:00
Joshua Drake 2572bb6919 add svn:keywords property
git-svn-id: file:///home/svn/framework3/trunk@10121 4d416f70-5f16-0410-b530-b9f4589650da
2010-08-23 22:49:43 +00:00
James Lee eda50fc89e spawn out into another process so killing the browser won't drop our shell
git-svn-id: file:///home/svn/framework3/trunk@10091 4d416f70-5f16-0410-b530-b9f4589650da
2010-08-21 06:28:29 +00:00
James Lee 871a6185b8 refactor
git-svn-id: file:///home/svn/framework3/trunk@10077 4d416f70-5f16-0410-b530-b9f4589650da
2010-08-20 07:15:23 +00:00
James Lee 5d95f48848 add preliminary support for the new java payloads. Working meterpreter and shell stages with tcp bind and reverse stagers, see #406
git-svn-id: file:///home/svn/framework3/trunk@10073 4d416f70-5f16-0410-b530-b9f4589650da
2010-08-20 07:01:23 +00:00
Joshua Drake 2482a83526 style compliance fixes
git-svn-id: file:///home/svn/framework3/trunk@9927 4d416f70-5f16-0410-b530-b9f4589650da
2010-07-25 19:14:00 +00:00
James Lee 2a2f6fde56 not a command shell, it's a stager
git-svn-id: file:///home/svn/framework3/trunk@9912 4d416f70-5f16-0410-b530-b9f4589650da
2010-07-22 16:29:01 +00:00
James Lee 929163834a change the name to not lie
git-svn-id: file:///home/svn/framework3/trunk@9889 4d416f70-5f16-0410-b530-b9f4589650da
2010-07-20 20:21:54 +00:00
HD Moore a066ebc85b Remove rescue
git-svn-id: file:///home/svn/framework3/trunk@9886 4d416f70-5f16-0410-b530-b9f4589650da
2010-07-20 14:16:12 +00:00
HD Moore 2ce616fa1a Hide this exception until loader.jar is checked in
git-svn-id: file:///home/svn/framework3/trunk@9880 4d416f70-5f16-0410-b530-b9f4589650da
2010-07-20 03:10:15 +00:00
James Lee 08d705c1db add java meterpreter and update java_calendar_deserialize to be able to use it, see #406
git-svn-id: file:///home/svn/framework3/trunk@9874 4d416f70-5f16-0410-b530-b9f4589650da
2010-07-20 00:53:24 +00:00
Joshua Drake dec6bfee0a add missing includes
git-svn-id: file:///home/svn/framework3/trunk@9856 4d416f70-5f16-0410-b530-b9f4589650da
2010-07-19 04:28:09 +00:00
James Lee 2a8a058519 add a bind stager for php
git-svn-id: file:///home/svn/framework3/trunk@9855 4d416f70-5f16-0410-b530-b9f4589650da
2010-07-17 22:42:12 +00:00
Joshua Drake 2f5970e30b set keywords property
git-svn-id: file:///home/svn/framework3/trunk@9655 4d416f70-5f16-0410-b530-b9f4589650da
2010-07-01 23:46:05 +00:00
Joshua Drake 0882838491 ensure binary mode when opening files, whitespace fixes
git-svn-id: file:///home/svn/framework3/trunk@9653 4d416f70-5f16-0410-b530-b9f4589650da
2010-07-01 23:33:07 +00:00
James Lee 42f540258a really, actually commit the meterpreter stage
git-svn-id: file:///home/svn/framework3/trunk@9638 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-30 23:51:29 +00:00
James Lee 920710a5fd actually commit the stager, see #2128
git-svn-id: file:///home/svn/framework3/trunk@9595 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-23 22:24:50 +00:00
James Lee c3d183c98d split stadpi out into an extension, add a reverse_tcp stager, make the main meterpreter stage-aware so it will work as a standalone or eval'd by a stager that sets $msgsock and $msgsock_type; see #2128
git-svn-id: file:///home/svn/framework3/trunk@9594 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-23 20:00:27 +00:00
Joshua Drake 171543624a fix typos
git-svn-id: file:///home/svn/framework3/trunk@9581 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-22 16:11:02 +00:00
James Lee ef5c0f77eb move copy-paste into a mixin
git-svn-id: file:///home/svn/framework3/trunk@9576 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-22 00:46:52 +00:00
James Lee d1d2f8af0a explain to the user that we couldn't find a vncviewer
git-svn-id: file:///home/svn/framework3/trunk@9575 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-22 00:14:08 +00:00
James Lee 6fb4a5630a explain to the user that we couldn't find a vncviewer
git-svn-id: file:///home/svn/framework3/trunk@9574 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-22 00:13:43 +00:00
James Lee c5203f72a0 missed deleting this when moving it to meterpreter_reverse_tcp
git-svn-id: file:///home/svn/framework3/trunk@9557 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-18 21:33:21 +00:00
James Lee b03047094d make the payload name match the standard
git-svn-id: file:///home/svn/framework3/trunk@9534 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-16 16:55:05 +00:00
Joshua Drake e32abab8dc a HTTP -> an HTTP (http://www.english-zone.com/grammar/a-anlessn.html)
git-svn-id: file:///home/svn/framework3/trunk@9488 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-11 16:12:05 +00:00
HD Moore faefb09b8c Only gsub datastore variables if they aren't nil
git-svn-id: file:///home/svn/framework3/trunk@9403 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-03 01:23:02 +00:00
James Lee 9dc298f56d make it work for more than localhost...
git-svn-id: file:///home/svn/framework3/trunk@9401 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-03 00:21:24 +00:00
James Lee f974f59c32 make sure we have reverse_tcp
git-svn-id: file:///home/svn/framework3/trunk@9400 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 23:20:45 +00:00
James Lee 2470470405 stupid debug print
git-svn-id: file:///home/svn/framework3/trunk@9394 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 08:31:44 +00:00
James Lee fe43e91bad initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)



git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 08:28:39 +00:00
HD Moore a1ee346d59 Try a little harder to read the full image
git-svn-id: file:///home/svn/framework3/trunk@9379 4d416f70-5f16-0410-b530-b9f4589650da
2010-05-29 02:20:23 +00:00
Ramon de C Valle 34f12a38ec Change the base value used for calculating the system call numbers and
arguments to avoid null bytes in newer versions of AIX.



git-svn-id: file:///home/svn/framework3/trunk@9347 4d416f70-5f16-0410-b530-b9f4589650da
2010-05-23 19:47:48 +00:00
Joshua Drake 0e72894e58 more cleanups
git-svn-id: file:///home/svn/framework3/trunk@9212 4d416f70-5f16-0410-b530-b9f4589650da
2010-05-03 17:13:09 +00:00
Joshua Drake 0ea6eca4bc big module whitespace/formatting cleanup pass
git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da
2010-04-30 08:40:19 +00:00
Joshua Drake 321404e2fe add payload/generic/tight_loop - x86 debug payload
git-svn-id: file:///home/svn/framework3/trunk@9070 4d416f70-5f16-0410-b530-b9f4589650da
2010-04-14 07:40:04 +00:00
HD Moore 11c10518b3 Bug fixes for better windows OS compatibility
git-svn-id: file:///home/svn/framework3/trunk@9002 4d416f70-5f16-0410-b530-b9f4589650da
2010-04-03 14:57:51 +00:00
HD Moore cd2760f2c2 Bug fixes and size improvements for the reverse_https stager
git-svn-id: file:///home/svn/framework3/trunk@9001 4d416f70-5f16-0410-b530-b9f4589650da
2010-04-03 13:53:35 +00:00
HD Moore e968c3894e More size tweaks
git-svn-id: file:///home/svn/framework3/trunk@8999 4d416f70-5f16-0410-b530-b9f4589650da
2010-04-03 08:03:28 +00:00
HD Moore c8defe9716 Size tweaks to bring the ssl stager + encoder + target_id to exactly 400 bytes
git-svn-id: file:///home/svn/framework3/trunk@8998 4d416f70-5f16-0410-b530-b9f4589650da
2010-04-03 07:48:53 +00:00
HD Moore d2f44f4a22 Keywords
git-svn-id: file:///home/svn/framework3/trunk@8986 4d416f70-5f16-0410-b530-b9f4589650da
2010-04-03 05:22:20 +00:00
HD Moore b50d9049f0 Add the actual stager
git-svn-id: file:///home/svn/framework3/trunk@8985 4d416f70-5f16-0410-b530-b9f4589650da
2010-04-03 05:21:42 +00:00
HD Moore c6c956ab46 Small patch to enable a new stager
git-svn-id: file:///home/svn/framework3/trunk@8984 4d416f70-5f16-0410-b530-b9f4589650da
2010-04-03 05:21:15 +00:00
HD Moore 5d0fb434b7 Adds a reverse_tcp_dns stager
git-svn-id: file:///home/svn/framework3/trunk@8983 4d416f70-5f16-0410-b530-b9f4589650da
2010-04-03 03:38:57 +00:00
Stephen Fewer 75661291fa and the bins, tiny modification to the ruby side and update the README.
git-svn-id: file:///home/svn/framework3/trunk@8891 4d416f70-5f16-0410-b530-b9f4589650da
2010-03-24 00:03:32 +00:00
Stephen Fewer 46cc8e538f The new x64 VNC inject payload stage.
git-svn-id: file:///home/svn/framework3/trunk@8746 4d416f70-5f16-0410-b530-b9f4589650da
2010-03-08 14:51:43 +00:00
Joshua Drake a0d5ce473b add (staged) to the descriptions of staged payloads, fixes #955
git-svn-id: file:///home/svn/framework3/trunk@8733 4d416f70-5f16-0410-b530-b9f4589650da
2010-03-06 05:27:13 +00:00
Joshua Drake 138d45d095 more missing constant errors fixed, fixes #975
git-svn-id: file:///home/svn/framework3/trunk@8642 4d416f70-5f16-0410-b530-b9f4589650da
2010-02-25 21:11:12 +00:00
Joshua Drake 75533423dd add requires for 2 stages missing them
git-svn-id: file:///home/svn/framework3/trunk@8634 4d416f70-5f16-0410-b530-b9f4589650da
2010-02-25 06:05:02 +00:00
Joshua Drake 7d99a33b20 remove double-on_session call from generic payloads
git-svn-id: file:///home/svn/framework3/trunk@8621 4d416f70-5f16-0410-b530-b9f4589650da
2010-02-24 20:57:09 +00:00
Joshua Drake b391abd32d adds scripting for command shell sessions
1. InitialAutoRunScript and AutoRunScript vars work
2. scripts/shells was created to hold them
3. *_shell methods were renamed shell_*
4. added "shell_command" method to command shell sessions
5. converted all uses of *_shell to shell_*
6. all payloads that produce command shell sessions include Msf::Sessions::CommandShellOptions



git-svn-id: file:///home/svn/framework3/trunk@8615 4d416f70-5f16-0410-b530-b9f4589650da
2010-02-24 01:19:59 +00:00
Joshua Drake f8ca490b98 move meterpreter on_session functionality into a mixin
git-svn-id: file:///home/svn/framework3/trunk@8586 4d416f70-5f16-0410-b530-b9f4589650da
2010-02-22 21:05:08 +00:00
Joshua Drake 17bd4b8b7d fixed aix payloads to REALLY do variable substitution
git-svn-id: file:///home/svn/framework3/trunk@8418 4d416f70-5f16-0410-b530-b9f4589650da
2010-02-08 22:41:36 +00:00
Joshua Drake d68efa61d2 initial commit of aix cmsd exploit (not fully working yet)
git-svn-id: file:///home/svn/framework3/trunk@8397 4d416f70-5f16-0410-b530-b9f4589650da
2010-02-08 00:44:37 +00:00
Joshua Drake 31949c4343 svn keywords fixups
fixed a bunch of $Id$ and $Revision$ typos
added keywords property to files missing it



git-svn-id: file:///home/svn/framework3/trunk@8242 4d416f70-5f16-0410-b530-b9f4589650da
2010-01-26 20:12:13 +00:00
HD Moore 831833667a Minor tweak (run inside of sh -c '')
git-svn-id: file:///home/svn/framework3/trunk@8107 4d416f70-5f16-0410-b530-b9f4589650da
2010-01-13 20:19:51 +00:00
Joshua Drake 2283e029db crossing fingers, big cr removal batch
git-svn-id: file:///home/svn/framework3/trunk@8038 4d416f70-5f16-0410-b530-b9f4589650da
2009-12-30 22:24:22 +00:00
HD Moore bcdb44b835 See #667. This adds InitialAutoRunScript support, to be defaulted by browser modules (and others)
git-svn-id: file:///home/svn/framework3/trunk@7904 4d416f70-5f16-0410-b530-b9f4589650da
2009-12-17 06:00:14 +00:00
Joshua Drake b1c9b7e927 a few more svn:keywords fixes
git-svn-id: file:///home/svn/framework3/trunk@7870 4d416f70-5f16-0410-b530-b9f4589650da
2009-12-15 02:11:42 +00:00
James Lee 5ddfffc94f only accept one connection for bind_perl shells. fixes 669
git-svn-id: file:///home/svn/framework3/trunk@7790 4d416f70-5f16-0410-b530-b9f4589650da
2009-12-09 23:49:50 +00:00
HD Moore 61e233df91 Keywords on all modules, plugins, and scripts
git-svn-id: file:///home/svn/framework3/trunk@7550 4d416f70-5f16-0410-b530-b9f4589650da
2009-11-17 00:05:19 +00:00
HD Moore dc0dc98771 Fixes #517. Disables meterpreter stages for passivex stagers
git-svn-id: file:///home/svn/framework3/trunk@7546 4d416f70-5f16-0410-b530-b9f4589650da
2009-11-16 22:45:33 +00:00
Stephen Fewer 6142f5d509 re-enable the passivex stager. we still need to force the meterpreter stage to be incompatible with this stager as their is a known issue between the two.
git-svn-id: file:///home/svn/framework3/trunk@7544 4d416f70-5f16-0410-b530-b9f4589650da
2009-11-16 19:34:14 +00:00
Stephen Fewer 159ca526b4 Fixed a null pointer dereference bug (occurring in stages loaded by the PassiveX stager) that was being caused when an invalid exit funk was being patched into the stage by the PassiveX stager. This happened because the PassiveX stager uses the old type exit funks while the stages use the new type. This fix ensures the PassiveX stager gets the expected old exit funk value while the chosen stage gets the new exit funk value. This patch does not fix Bug #291 (PassiveX broken). Also I have left the PassiveX stager disabled until we can resolve the rest of the problems.
git-svn-id: file:///home/svn/framework3/trunk@7448 4d416f70-5f16-0410-b530-b9f4589650da
2009-11-10 16:07:01 +00:00
James Lee d9b5d62a3e disable passivex for the rc1 until we can figure out why it doesn't work. see #291
git-svn-id: file:///home/svn/framework3/trunk@7419 4d416f70-5f16-0410-b530-b9f4589650da
2009-11-09 04:32:22 +00:00
HD Moore b38a74c961 Another mega-patch from Yoann Guillot: fixes warnings generated by method calls with a space betwee the method and the parans, corrects a problem with the alpha encoders that causes them to overwrite the allowed charset, hardcodes the metasm output size of some modules in order to reduce load time, more to come
git-svn-id: file:///home/svn/framework3/trunk@7246 4d416f70-5f16-0410-b530-b9f4589650da
2009-10-25 16:40:19 +00:00
Stephen Fewer 995745d642 Commit a jsp bind shell payload (and add a missing require to the jsp reverse shell).
git-svn-id: file:///home/svn/framework3/trunk@7220 4d416f70-5f16-0410-b530-b9f4589650da
2009-10-20 23:11:28 +00:00
HD Moore 00b2915554 Fixes #342. Set ReverseConnectRetries to a value between 1 and 255 (default is 5). On failure it will ExitProcess (still better than a cpu spin)
git-svn-id: file:///home/svn/framework3/trunk@7217 4d416f70-5f16-0410-b530-b9f4589650da
2009-10-20 20:31:14 +00:00
HD Moore 5972666f63 See #339. Massive cleanup of author names, make them consistent across modules
git-svn-id: file:///home/svn/framework3/trunk@7075 4d416f70-5f16-0410-b530-b9f4589650da
2009-09-27 21:30:45 +00:00
Stephen Fewer 1a220d6dc5 add java payload jsp_shell_reverse_tcp.
git-svn-id: file:///home/svn/framework3/trunk@7071 4d416f70-5f16-0410-b530-b9f4589650da
2009-09-27 18:35:07 +00:00
James Lee 6a7a023844 I will not commit when sleep deprived. I will not commit when sleep deprived. I will not commit...
git-svn-id: file:///home/svn/framework3/trunk@7061 4d416f70-5f16-0410-b530-b9f4589650da
2009-09-25 06:40:42 +00:00
James Lee bc2c38c332 shave an instruction from the new allports stager
git-svn-id: file:///home/svn/framework3/trunk@7060 4d416f70-5f16-0410-b530-b9f4589650da
2009-09-25 06:13:13 +00:00
HD Moore b47b46e7c0 Set keywords
git-svn-id: file:///home/svn/framework3/trunk@7059 4d416f70-5f16-0410-b530-b9f4589650da
2009-09-25 05:45:03 +00:00
HD Moore ee9a8f4f76 Adds support for the reverse_tcp_allports stager for Windows. This payload tries to connect back on all ports, one at a time, from LPORT to 65535. This is incredibly slow (depends on the default socket timeout) and requires the user to forward all TCP ports of LHOST to a single listening port in the handler. Inspired by a few user requests and this blog post: http://clinicallyawesome.com/post/196352889/blind-connect-back-through-restrictive-firewall
git-svn-id: file:///home/svn/framework3/trunk@7058 4d416f70-5f16-0410-b530-b9f4589650da
2009-09-25 05:44:50 +00:00
James Lee e30e850ba7 shave a few bytes off of the windows stagers
git-svn-id: file:///home/svn/framework3/trunk@7035 4d416f70-5f16-0410-b530-b9f4589650da
2009-09-14 08:45:01 +00:00
James Lee 782f830abf make cd work by special-casing it to call chdir()
git-svn-id: file:///home/svn/framework3/trunk@7027 4d416f70-5f16-0410-b530-b9f4589650da
2009-09-10 06:19:10 +00:00
James Lee 0f957f236e make cd work by special-casing it to call chdir()
git-svn-id: file:///home/svn/framework3/trunk@7026 4d416f70-5f16-0410-b530-b9f4589650da
2009-09-10 06:11:47 +00:00