sinn3r
660c97f512
Add module for reverse zsh payload
...
For #1985
2013-06-20 13:40:17 -05:00
jvazquez-r7
b20a38add4
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-06-10 12:22:52 -05:00
Tod Beardsley
f58e279066
Cleanup on module names, descriptions.
2013-06-10 10:52:22 -05:00
jvazquez-r7
e5a17ba227
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-06-05 09:41:23 -05:00
William Vu
1596fb478a
Land #1886 , awk bind shell
2013-06-05 09:05:37 -05:00
William Vu
8ffa4ac9ac
Land #1885 , awk reverse shell
2013-06-05 09:04:49 -05:00
Roberto Soares Espreto
f6977c41c3
Modifications done in each PR.
2013-06-05 07:55:05 -03:00
Roberto Soares Espreto
b20401ca8c
Modifications done in each PR.
2013-06-05 07:51:10 -03:00
Roberto Soares Espreto
34243165c5
Some changes with improvements.
2013-06-04 21:22:10 -03:00
Roberto Soares Espreto
e2988727fb
Some changes with improvements.
2013-06-04 21:10:51 -03:00
Roberto Soares Espreto
d9609fb03e
Was breaking with repeated commands
2013-05-31 18:44:48 -03:00
jvazquez-r7
48b14c09e3
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-31 01:12:46 -05:00
Tod Beardsley
9c771435f2
Touchup on author credit
2013-05-30 16:13:40 -05:00
Tod Beardsley
67128a3841
Land #1821 , x64_reverse_https stagers
2013-05-30 13:55:13 -05:00
jvazquez-r7
3361a660ba
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-29 22:01:36 -05:00
Roberto Soares Espreto
00debd01c6
Listen for a connection and spawn a command shell via AWK
2013-05-29 21:22:49 -03:00
Roberto Soares Espreto
d4a864c29f
Creates an interactive shell via AWK (reverse)
2013-05-29 21:19:08 -03:00
jvazquez-r7
07c99f821e
Land #1879 , @dcbz ARM stagers
2013-05-29 17:43:37 -05:00
jvazquez-r7
7c41e239b4
Fix author name
2013-05-29 14:19:10 -05:00
jvazquez-r7
52aae8e04c
Add small fixes for stagers
2013-05-29 14:01:59 -05:00
dcbz
2c0f0f5f04
Changed reverse payload as suggested.
2013-05-28 21:52:16 -05:00
dcbz
07c3565e3c
Made changes as suggested, forgot to remove exit() after testing was complete.
2013-05-28 21:31:36 -05:00
jvazquez-r7
66ea59b03f
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-28 15:22:46 -05:00
James Lee
9843dc4cb4
Land #1708 , android meterpreter
...
Conflicts:
data/meterpreter/ext_server_stdapi.jar
2013-05-28 12:19:45 -05:00
dcbz
a53ab4cff9
Moved dupandexecve.rb to shell.rb due to pull request coments.
2013-05-20 17:05:57 -05:00
dcbz
9c0814505a
Added reverse stager.
2013-05-17 21:52:10 -05:00
dcbz
14d5111b37
Added a sample stage + updated bind stager.
2013-05-17 21:03:03 -05:00
dcbz
ad95eff9d4
added bind_tcp.rb
2013-05-17 12:09:45 -05:00
agix
6db1fea6b9
create x64_reverse_https stagers
2013-05-13 01:41:56 +02:00
Michael Schierl
a13cf53b9f
Android Meterpreter bugfixes
...
- classes.dex gets mangled on windows; use binary mode when reading it
- UnknownHostExceptions on API Level 3 emulator because of trailing
whitespace after the hostname/IP
- Work around integer overflow at year 2038 when signing the payload
2013-05-01 18:01:37 +02:00
jvazquez-r7
a4632b773a
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-04-28 12:59:16 -05:00
sinn3r
1d9a695d2b
Landing #1772 - Adds phpMyadmin Preg_Replace module (CVE-2013-3238)
...
[Closes #1772 ]
2013-04-28 12:17:16 -05:00
James Lee
9c8b93f1b7
Make sure LPORT is a string when subbing
...
* Gets rid of conversion errors like this:
[-] Exploit failed: can't convert Fixnum into String
* also removes comments from php meterp. Works for me with the
phpmyadmin_preg_replace bug, so seems legit.
2013-04-26 15:26:31 -05:00
James Lee
6767eee08a
Add in-line signing
...
Signing the generated APK in the module means users don't have to have
keytool or jarsigner to create a working package.
Example usage:
./msfvenom -p android/meterpreter/reverse_tcp \
LHOST=192.168.99.1 LPORT=2222 -f raw > meterp.apk
adb install ./meterp.apk
2013-04-25 13:57:54 -05:00
jvazquez-r7
cc35591723
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-04-15 17:43:15 -05:00
Tod Beardsley
be39079830
Trailing whitespace fix
...
Note that this commit needed a --no-verify because of the erroneous
check in msftidy for writing to stdout. The particular syntax of this
payload makes it look like we're doing that when we're really not.
So don't sweat it.
2013-04-15 13:58:06 -05:00
Tod Beardsley
efdf4e3983
Lands #1485 , fixes for Windows-based Ruby targets
2013-04-15 13:56:41 -05:00
timwr
df9c5f4a80
remove unused resources and fix whitespace
2013-04-13 16:22:52 +01:00
timwr
32bd812bdb
android meterpreter
2013-04-12 18:57:04 +01:00
jvazquez-r7
9c0862ad7b
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-04-11 21:53:07 +02:00
James Lee
e3eef76372
Land #1223
...
This adds rc4-encrypting stagers for Windows.
[Closes #1223 ]
2013-04-10 12:14:52 -05:00
James Lee
6c980981db
Break up long lines and add magic encoding comment
2013-04-10 09:28:45 -05:00
Tod Beardsley
e149c8670b
Unconflicting ruby_string method
...
Looks like the conflict was created by the msftidy fixes that happened
over on the master branch. No big deal after all.
2013-03-20 15:49:23 -05:00
jvazquez-r7
6603dcd652
up to date
2013-03-12 17:04:13 +01:00
jvazquez-r7
627e7f6277
avoiding grouping options
2013-03-11 18:26:03 +01:00
jvazquez-r7
f0cee29100
modified CommandDispatcher::Exploit to have the change into account
2013-03-11 18:08:46 +01:00
jvazquez-r7
c9268c3d54
original modules renamed
2013-03-11 18:04:22 +01:00
James Lee
2160718250
Fix file header comment
...
[See #1555 ]
2013-03-07 17:53:19 -06:00
RageLtMan
7f80692457
everyone will comply, resistance is futile
2013-03-06 18:38:14 -05:00
Raphael Mudge
1cc49f75f5
move flag comment to where it's used.
2013-03-03 03:26:43 -05:00
Raphael Mudge
ecdb884b13
Make download_exec work with authenticated proxies
...
Adds INTERNET_FLAG_KEEP_CONNECTION to HttpOpenRequest flags to allow
download_exec to transparently authenticate to a proxy device through
wininet.
Fun trivia, Windows 7 systems uses Connection: keep-alive by default.
This flag benefits older targets (e.g., Windows XP).
2013-03-03 01:42:17 -05:00
Michael Schierl
4a17a30ffd
Regenerate ruby modules
...
For shellcode changes (removed unneeded instruction) committed in
46a5c4f4bf
. Saves 2 bytes per shellcode.
2013-03-03 00:14:30 +01:00
RageLtMan
3778ae09e9
This commit adds DNS resolution to rev_tcp_rc4
...
Due to the modular structure of payload stages its pretty trivial
to add DNS resolution instead of hard-coded IP address in stage0.
The only real complication here is that ReverseConnectRetries ends
up being one byte further down than in the original shellcode. It
appears that the original rev_tcp_dns payload suffers from the same
issue.
Hostname substitution is handled in the same method as the RC4 and
XOR keys, with an offset provided and replace_vars ignoring the
hostname.
Tested in x86 native and WOW64 on XP and 2k8r2 respectively.
This is a good option for those of us needing to leave persistent
binaries/payloads on hosts for long periods. Even if the hostname
resolves to a malicious party attempting to steal our hard earned
session, they'd be hard pressed to crypt the payload with the
appropriate RC4 pass. So long as we control the NS and records, the
hardenned shellcode should provide a better night's sleep if running
shells over the WAN. Changing the RC4 password string in the
shellcode and build.py should reduce the chances of recovery by RE.
Next step will likely be to start generating elipses for ECDH SSL
in meterpreter sessions and passing them with stage2 through the
RC4 socket. If P is 768-1024 the process is relatively quick, but
we may want to precompute a few defaults as well to have 2048+.
2013-02-28 02:59:20 -05:00
Raphael Mudge
788c96566f
Allow HTTP stager to work with authenticated proxies
...
The HttpOpenRequest function from WinINet requires the
INTERNET_FLAG_KEEP_CONNECTION flag to communicate through an
authenticated proxy.
From MSDN ( http://tinyurl.com/chwt86j ):
"Uses keep-alive semantics, if available, for the connection. This
flag is required for Microsoft Network (MSN), NT LAN Manager (NTLM),
and other types of authentication."
Without this flag, the HTTP stager will fail when faced with a proxy
that requires authentication. The Windows HTTPS stager does not have
this problem.
For HTTP Meterpreter to communicate through an authenticated proxy a
separate patch will need to be made to the Meterpreter source code.
This is at line 1125 of source/common/core.c in the Meterpreter source
code.
My motivation for this request is for windows/dllinject/reverse_http
to download a DLL even when faced with an authenticated proxy. These
changes accomplish this.
Test environment:
I staged a SmoothWall device with the Advanced Proxy Web Add-on. I
enabled Integrated Windows Authentication with a W2K3 DC. I verified
the HTTP stager authenticated to and communicated through the proxy
by watching the proxy access.log
2013-02-24 17:33:00 -05:00
James Lee
c423ad2583
Merge branch 'master' of github.com:rapid7/metasploit-framework into rapid7
2013-02-21 15:30:43 -06:00
jvazquez-r7
04ec4e432d
minor cleanup for shell_bind_tcp
2013-02-20 01:02:58 +01:00
jvazquez-r7
3d199fe6db
Merge branch 'mipsle-shell_bind_tcp' of https://github.com/kost/metasploit-framework into kost-mipsle-shell_bind_tcp
2013-02-20 01:00:34 +01:00
sinn3r
e9f4900beb
Merge branch 'fixgenericcustom' of github.com:rsmudge/metasploit-framework into rsmudge-fixgenericcustom
2013-02-19 14:47:18 -06:00
Raphael Mudge
06ba2ef791
Allow generic/custom payload to generate an exe
...
The datastore value of ARCH has no effect on the array of
architectures the generic/custom payload is compatible with.
This commit forces the payload to update its list of compatible
architectures on generation if the ARCH value is set in the
datastore.
See:
http://dev.metasploit.com/redmine/issues/7755
2013-02-17 20:39:54 -05:00
HD Moore
cae6661574
Handle invalid commands gracefully (dont exit)
2013-02-12 11:33:23 -08:00
HD Moore
4c2bddc452
Fix a typo and always treat ports as integers:
2013-02-12 08:59:11 -08:00
HD Moore
a33d1ef877
This allows the ruby payloads to work properly on Windows
2013-02-12 08:55:37 -08:00
HD Moore
47f3c09616
Fix typo that snuck in during merge
2013-02-03 17:38:19 -06:00
HD Moore
5be4d41420
This is redundant/less-reliable than reverse_openssl
2013-02-03 17:35:14 -06:00
RageLtMan
ffb88baf4a
initial module import from SV rev_ssl branch
2013-02-03 15:06:24 -05:00
HD Moore
c3801ad083
This adds an openssl CMD payload and handler
2013-02-03 04:44:25 -06:00
James Lee
92c736a6a9
Move fork stuff out of exploit into payload mixin
...
Tested xml against 3.2.10 and json against 3.0.19
2013-01-28 21:34:39 -06:00
Kacper Nowak
f691652594
attempt to fix cmd/windows/reverse_perl payload
2013-01-23 11:21:44 +00:00
scriptjunkie
52251867d8
Ensure Windows single payloads use payload backend
...
This means the singles that define their own assembly will use the payload backend to generate it.
2013-01-18 16:34:39 -06:00
James Lee
c89b2b2ec6
Once more, with feeling
2013-01-10 15:29:54 -06:00
James Lee
7fd3440c1a
Fix hd's attempt to rename ruby payloads
2013-01-10 15:25:50 -06:00
James Lee
4fcb8b6f8d
Revert "Rename again to be consistent with payload naming"
...
This reverts commit 0fa2fcd811
.
2013-01-10 15:24:25 -06:00
HD Moore
0fa2fcd811
Rename again to be consistent with payload naming
2013-01-10 14:16:37 -06:00
HD Moore
88b08087bf
Renamed and made more robust
2013-01-10 14:05:29 -06:00
HD Moore
e05f4ba927
Thread wrappers were causing instant session closure
2013-01-10 00:41:58 -06:00
HD Moore
4c1e501ed0
Exploit for CVE-2013-0156 and new ruby-platform modules
2013-01-09 23:10:13 -06:00
Christian Mehlmauer
8f2dd8e2ce
msftidy: Remove $Revision$
2013-01-04 00:48:10 +01:00
Christian Mehlmauer
25aaf7a676
msftidy: Remove $Id$
2013-01-04 00:41:44 +01:00
Michael Schierl
269e507f68
Add stager modules for RC4 bind and reverse stagers
...
See the commit message of my last commit for caveats.
2012-12-31 22:33:30 +01:00
sinn3r
0822e8eae2
Merge branch 'kost-mipsle-shell_reverse_tcp'
2012-12-24 10:52:19 -06:00
jvazquez-r7
26f561795d
fix cmd windows ruby payloads
2012-12-20 00:50:02 +01:00
sinn3r
7145078e63
Merge branch 'mipsle-shell_reverse_tcp' of git://github.com/kost/metasploit-framework into kost-mipsle-shell_reverse_tcp
2012-12-18 11:50:41 -06:00
Raphael Mudge
482846942a
Fix: download_exec appends an extra / to request
...
The download_exec module parses the provided URL and appends an
unnecessary, nay--damaging I say!!!! '/' to the parsed URI. This
renders the module unusable for those who want a payload to
download and execute a file.
Before and after access.log snippets are in the redmine ticket
http://dev.metasploit.com/redmine/issues/7592
2012-12-12 14:01:31 -06:00
Vlatko Kosturjak
4ac79c91a6
Remove spaces at EOL
2012-11-17 12:00:59 +01:00
sinn3r
8648d21b3c
Merge branch 'dns_txt_query_exe' of git://github.com/corelanc0d3r/metasploit-framework into corelanc0d3r-dns_txt_query_exe
2012-11-16 11:52:57 -06:00
corelanc0d3r
0bf92b5d97
improved payload dns_txt_query_exec
2012-11-13 00:55:32 +01:00
corelanc0d3r
cad7eb0130
renamed and optimized download_exec payload
2012-11-13 00:02:49 +01:00
Vlatko Kosturjak
bda7f68b02
Add zero byte on the end of the /bin/sh string
2012-11-08 02:00:49 +01:00
Vlatko Kosturjak
ce82b37289
Few removals of unneccessary zero bytes in sc
2012-10-28 21:22:33 +01:00
Vlatko Kosturjak
2affb31958
Initial import of linux-mipsle shell_bind_tcp
2012-10-28 20:51:45 +01:00
Daniel Miller
8deead3bd2
Fix payload ambiguity with php/bind_tcp_ipv6 stager
...
Was seeing this in framework.log:
[w(0)] core: The module php/meterpreter/bind_tcp is ambiguous with
php/meterpreter/bind_tcp.
Added handler_type_alias based on windows/bind_ipv6_tcp stager.
2012-10-23 12:31:14 -05:00
sinn3r
201518b66f
msftidy corrections
2012-10-17 17:22:26 -05:00
jvazquez-r7
6f227dddff
Related to #885 , allow Prepend* for osx/x86/exec payload
2012-10-16 16:26:18 +02:00
HD Moore
64f29952dc
Merge branch 'master' into feature/updated-mobile
2012-10-07 00:32:02 -05:00
sinn3r
02617a6f3a
Merge branch 'feature/redmine-7224-shellcode-cleanup' of https://github.com/jlee-r7/metasploit-framework into jlee-r7-feature/redmine-7224-shellcode-cleanup
2012-10-04 00:43:34 -05:00
Tod Beardsley
a38724f53b
Adds an apparently spurious require
...
SeeRM #7276
Sticking this in a branch for now while I ask Egypt and limhoff for a
second opinion.
2012-10-01 07:49:58 -05:00
Tod Beardsley
60b4190e4a
Avoids a race on requires
...
Applies Raphael's patch.
[FixRM #7261 ]
2012-09-27 13:18:50 -05:00
sinn3r
c0387f1441
Have a matching option like the post module
...
And make sure nemo won't get harassed by people because they
think he hacked into everyone's mac.
2012-09-24 18:33:13 -05:00
sinn3r
2769a88f9e
Code cleanup
2012-09-24 17:47:14 -05:00
dcbz
202a78dd3f
Added say.rb: uses /usr/bin/say to output a string
2012-09-22 09:13:29 -05:00
dcbz
09b8a6d87f
Added reverse_tcp stager payload, and updated bind
2012-09-22 08:31:42 -05:00
dcbz
81ceff7370
Added a tcp stager, and a small exec for testing
2012-09-22 07:24:51 -05:00
dcbz
dccb8d235d
Adding OSX 64-bit find-tag module.
2012-09-21 15:39:35 -05:00
sinn3r
776d24d8a9
cleanup
2012-09-20 16:16:30 -05:00
sinn3r
311c01be46
Cleanup, improve option handlingg
2012-09-20 16:14:15 -05:00
dcbz
f5df7e0e8a
Added 2 payload modules (reverse and bind tcp shells)
2012-09-19 16:59:26 -05:00
Ramon de C Valle
11f82de098
Update author information
2012-09-19 14:00:51 -03:00
James Lee
3c6319b75f
Add nonx stagers for linux
...
[See #784 ]
2012-09-13 15:15:38 -05:00
James Lee
f38ac954b8
Update linux stagers for NX compatibility
...
- Adds a call to mprotect(2) to the reverse and bind stagers
- Adds accurate source for some other linux shellcode, including some
comments to make it more maintainable
- Adds tools/module_payload.rb for listing all payloads for each exploit
in a greppable format. Makes it easy to find out if a payload change
causes a payload to no longer be compatible with a given exploit.
- Missing from this commit is source for reverse_ipv6_tcp
2012-09-12 18:44:00 -05:00
HD Moore
c901002e75
Add ssh login module for cydia / ios defaults
2012-09-10 19:36:20 -05:00
James Lee
828f37701d
Fix linux shell_bind_tcp payload
...
It was calling bind(2) with a family of 0x02ff, which makes no sense and
causes execution to fall off the end and segfault. Fix it by replacing
0x02ff with the appropriate 0x0002, or AF_INET.
[Fixrm #7216 ]
2012-09-04 04:23:48 -05:00
Tod Beardsley
a93c7836bd
Fixes load order with reverse http
...
This was originally intended to fix #664 .
SEERM #7141 also.
2012-08-23 12:16:47 -05:00
James Lee
aac56fc29b
Fix load order issue
...
[See #664 ][SeeRM #7141 ]
2012-08-23 10:54:23 -05:00
sinn3r
b3791b1545
I missed one
2012-08-14 16:51:55 -05:00
sinn3r
6a0271fb11
Correct OSX naming. See ticket #7182
2012-08-14 15:29:21 -05:00
sinn3r
b46fb260a6
Comply with msftidy
...
*Knock, knock!* Who's there? Me, the msftidy nazi!
2012-08-07 15:59:01 -05:00
bcoles
8d3700cc3c
Add Zenoss <= 3.2.1 exploit and Python payload
...
- modules/exploits/linux/http/zenoss_3.2.1_showdaemonxmlconfig_exec.rb
- modules/payloads/singles/cmd/unix/reverse_python.rb
2012-07-30 01:24:27 +09:30
HD Moore
6cdd044e10
Remove a buggy payload that doesn't have NX support
2012-07-12 12:15:57 -05:00
jvazquez-r7
59bb9ac23b
quoting ip to avoid php complaining
2012-06-25 18:52:26 +02:00
Michael Schierl
34ecc7fd18
Adding @schierlm 's AES encryption for Java
...
Tested with and without AES, works as advertised. Set an AESPassword,
get encryptification. Score.
Squashed commit of the following:
commit cca6c5c36ca51d585b8d2fd0840ba34776bc0668
Author: Michael Schierl <schierlm@gmx.de>
Date: Wed Apr 4 00:45:24 2012 +0200
Do not break other architectures
even when using `setg AESPassword`
commit 422d1e341b3865b02591d4c135427903c8da8ac5
Author: Michael Schierl <schierlm@gmx.de>
Date: Tue Apr 3 21:50:42 2012 +0200
binaries
commit 27368b5675222cc1730ac22e4b7a387b88d0d2b3
Author: Michael Schierl <schierlm@gmx.de>
Date: Tue Apr 3 21:49:10 2012 +0200
Add AES support to Java stager
This is compatible to the AES mode of the JavaPayload project.
I'm pretty sure the way I did it in the handlers (Rex::Socket::tcp_socket_pair())
is not the supposed way, but it works :-)
2012-06-11 16:13:25 -05:00
HD Moore
881ec8d920
Make the description clear that it only reads 4k, default datastore['FD'] to 1
2012-06-10 13:20:02 -05:00
sinn3r
15fa178a66
Add the MSF license text (since MSF_LICENSE is already set)
2012-06-10 02:07:27 -05:00
linuxgeek247
2b67c5132c
Adding read_file linux shellcode
2012-06-09 20:36:47 -04:00
sinn3r
462a91b005
Massive whitespace destruction
...
Remove tabs at the end of the line
2012-06-06 00:44:38 -05:00
sinn3r
3f0431cf51
Massive whitespace destruction
...
Remove whitespace found at the end of the line
2012-06-06 00:36:17 -05:00
sinn3r
c30af98b53
Massive whitespace destruction
...
Remove all the lines that have nothing but whitespace
2012-06-06 00:22:36 -05:00
sinn3r
2565888ec5
Change how we handle the password complexity failure
2012-06-03 13:13:44 -05:00
Chris John Riley
a51df5fc3a
Altered description to include information on the password complexity check
...
Altered the default password to meet the complexity checks
Note: The complexity checks (even if they fail) don't prevent the payload from running. At this point it only raises an warning and continues on. I can change this if it's more desirable however!
2012-06-03 09:22:48 +02:00
Chris John Riley
ea66deb779
Added WMIC and complexity checks
2012-06-02 19:41:12 +02:00
Chris John Riley
bada88cdf0
Added WMIC and complexity checks
2012-06-02 19:38:37 +02:00
Tod Beardsley
86500aad47
Author is always singular.
2012-05-08 08:47:52 -05:00
HD Moore
1a30e221a0
See #362 by changing the exitfunc arguments to be the correct type
2012-05-07 02:42:29 -05:00
James Lee
dd7bc23d16
Whitespace
2012-05-02 18:06:39 -06:00
Tod Beardsley
bd4819e8f2
Merge pull request #238 from mak/linux-x64-find-port
...
linux/x64/shell_find_port payload
2012-03-29 05:54:54 -07:00
Tod Beardsley
8fbf4cf6d9
Grammar on dns_txt_query_exec payload name and desc
2012-03-26 16:23:54 -05:00
sinn3r
182f3744de
Cosmetic cleanup
2012-03-26 09:23:14 -05:00
corelanc0d3r
ad32911b1a
probably safer to use regex
2012-03-26 09:01:40 -05:00
James Lee
2d29184adc
Use interpolation to ensure LPORT is a string for gsub
...
[Fixes #6542 ]
2012-03-21 21:05:05 -06:00
Tod Beardsley
31228ed65a
Comment indentation
2012-03-21 15:21:10 -05:00
Peter Van Eeckhoutte
89d7363a8f
fixed crash
2012-03-21 10:39:05 +01:00
Peter Van Eeckhoutte
f81730a7e1
changes to the way jmp to payload is done
2012-03-21 09:52:22 +01:00
corelanc0d3r
45ef7fc35d
reset author
2012-03-20 20:43:56 +01:00
Peter Van Eeckhoutte
a3035dc6d0
Adding corelandc0d3r's http/https/ftp payload
...
Picks up the one http/https/ftp payload, but not the other two DNS
payloads listed as part of the original pull request.
[Closes #173 ]
2012-03-19 16:50:59 -05:00
sinn3r
aeb691bbee
Massive whitespace cleanup
2012-03-18 00:07:27 -05:00
Maciej Kotowicz
0389e47dfe
fix little mistake
2012-03-15 16:21:00 +01:00
Maciej Kotowicz
f91b894375
added posibilities for generating payload from asm to more arch's
...
added linux/x64/shell_find_port payload
2012-03-14 22:39:56 +01:00
Joshua J. Drake
ab01a19f92
Fixes #6483 : Correct the include for the handler (was copypasta)
2012-03-07 11:23:44 -06:00
James Lee
70162fde73
A few more author typos
2012-03-05 13:28:46 -07:00
Tod Beardsley
6c0f8636ec
Merge pull request #217 from rapid7/reverse-http-randomness
...
Reverse http randomness
2012-03-02 16:36:26 -08:00
HD Moore
b70b41091b
Tested fairly well - this randomizes the URLs and removes the user-agent string from the request
2012-03-02 17:44:23 -06:00
Tod Beardsley
96e03d2556
Merge pull request #44 from linuxgeek247/armle-bind-shell
...
Adding armle bind shellcode based on existing reverse shellcode
2012-03-02 14:25:43 -08:00
James Lee
624e19fd8b
Merge session-host-rework branch back to master
...
Squashed commit of the following:
commit 2f4e8df33c5b4baa8d6fd67b400778a3f93482aa
Author: James Lee <egypt@metasploit.com>
Date: Tue Feb 28 16:31:03 2012 -0700
Clean up some rdoc comments
This adds categories for the various interfaces that meterpreter and
shell sessions implement so they are grouped logically in the docs.
commit 9d31bc1b35845f7279148412f49bda56a39c9d9d
Author: James Lee <egypt@metasploit.com>
Date: Tue Feb 28 13:00:25 2012 -0700
Combine the docs into one output dir
There's really no need to separate the API sections into their own
directory. Combining them makes it much easier to read.
commit eadd7fc136a9e7e4d9652d55dfb86e6f318332e0
Author: James Lee <egypt@metasploit.com>
Date: Tue Feb 28 08:27:22 2012 -0700
Keep the order of iface attributes the same accross rubies
1.8 doesn't maintain insertion order for Hash keys like 1.9 does so we
end up with ~random order for the display with the previous technique.
Switch to an Array instead of a Hash so it's always the same.
commit 6f66dd40f39959711f9bacbda99717253a375d21
Author: James Lee <egypt@metasploit.com>
Date: Tue Feb 28 08:23:35 2012 -0700
Fix a few more compiler warnings
commit f39cb536a80c5000a5b9ca1fec5902300ae4b440
Author: James Lee <egypt@metasploit.com>
Date: Tue Feb 28 08:17:39 2012 -0700
Fix a type-safety warning
commit 1e52785f38146515409da3724f858b9603d19454
Author: James Lee <egypt@metasploit.com>
Date: Mon Feb 27 15:21:36 2012 -0700
LHOST should be OptAddress, not OptAddressRange
commit acef978aa4233c7bd0b00ef63646eb4da5457f67
Author: James Lee <egypt@metasploit.com>
Date: Sun Feb 26 17:45:59 2012 -0700
Fix a couple of warnings and a typo
commit 29d87f88790aa1b3e5db6df650ecfb3fb93c675b
Author: HD Moore <hdm@digitaloffense.net>
Date: Mon Feb 27 11:54:29 2012 -0600
Fix ctype vs content_type typo
commit 83b5400356c47dd1973e6be3aa343084dfd09c73
Author: Gregory Man <man.gregory@gmail.com>
Date: Sun Feb 26 15:38:33 2012 +0200
Fixed scripts/meterpreter/enum_firefox to work with firefox > 3.6.x
commit 49c2c80b347820d02348d694cc71f1b3028b4365
Author: Steve Tornio <swtornio@gmail.com>
Date: Sun Feb 26 07:13:13 2012 -0600
add osvdb ref
commit e18e1fe97b89c3a2b8c22bc6c18726853d2c2bee
Author: Matt Andreko <mandreko@gmail.com>
Date: Sat Feb 25 18:02:56 2012 -0500
Added aspx target to msfvenom. This in turn added it to msfencode as well.
Ref: https://github.com/rapid7/metasploit-framework/pull/188
Tested on winxp with IIS in .net 1.1 and 2.0 modes
commit e6aa5072112d79bbf8a4d2289cf8d301db3932f5
Author: Joshua J. Drake <github.jdrake@qoop.org>
Date: Sat Feb 25 13:00:48 2012 -0600
Fixes #6308 : Fall back to 127.0.0.1 when SocketError is raised from the resolver
commit b3371e8bfeea4d84f9d0cba100352b57d7e9e78b
Author: James Lee <egypt@metasploit.com>
Date: Tue Feb 28 17:07:42 2012 -0700
Simplify logic for whether an inner iface has the same address
commit 5417419f35a40d1c08ca11ca40744722692d3b0d
Author: James Lee <egypt@metasploit.com>
Date: Tue Feb 28 16:58:16 2012 -0700
Whitespace
commit 9036875c2918439ae23e11ee7b958e30ccc29545
Author: James Lee <egypt@metasploit.com>
Date: Tue Feb 28 16:53:45 2012 -0700
Set session info before worrying about address
get_interfaces can take a while on Linux, grab uid and hostname earlier
so we can give the user an idea of what they popped as soon as possible.
commit f34b51c6291031ab25b5bfb1ac6307a516ab0ee9
Author: James Lee <egypt@metasploit.com>
Date: Tue Feb 28 16:48:42 2012 -0700
Clean up rdoc
commit e61a0663454400ec66f59a80d18b0baff4cb8cd9
Author: HD Moore <hd_moore@rapid7.com>
Date: Tue Feb 28 04:54:45 2012 -0600
Ensure the architecture is only the first word (not the full WOW64
message in some cases)
commit 4c701610976a92298c1182eecc9291a1b301e43b
Author: HD Moore <hd_moore@rapid7.com>
Date: Tue Feb 28 04:49:17 2012 -0600
More paranoia code, just in case RHOST is set to whitespace
commit c5ff89fe3dc9061e0fa9f761e6530f6571989d28
Author: HD Moore <hd_moore@rapid7.com>
Date: Tue Feb 28 04:47:01 2012 -0600
A few more small bug fixes to handle cases with an empty string target
host resulting in a bad address
commit 462d0188a1298f29ac83b10349aec6737efc5b19
Author: HD Moore <hd_moore@rapid7.com>
Date: Tue Feb 28 03:55:10 2012 -0600
Fix up the logic (reversed by accident)
commit 2b2b0adaec2448423dbd3ec54d90a5721965e2df
Author: HD Moore <hd_moore@rapid7.com>
Date: Mon Feb 27 23:29:52 2012 -0600
Automatically parse system information and populate the db, identify and
report NAT when detected, show the real session_host in the sessions -l
listing
commit 547a4ab4c62dc3248f847dd5d305ad3b74157348
Author: HD Moore <hd_moore@rapid7.com>
Date: Mon Feb 27 22:16:03 2012 -0600
Fix typo introduced
commit 27a7b7961e61894bdecd55310a8f45d0917c5a5c
Author: HD Moore <hd_moore@rapid7.com>
Date: Mon Feb 27 22:11:38 2012 -0600
More session.session_host tweaks
commit e447302a1a9915795e89b5e29c89ff2ab9b6209b
Author: HD Moore <hd_moore@rapid7.com>
Date: Mon Feb 27 22:08:20 2012 -0600
Additional tunnel_peer changes
commit 93369fcffaf8c6b00d992526b4083acfce036bb3
Author: HD Moore <hd_moore@rapid7.com>
Date: Mon Feb 27 22:06:21 2012 -0600
Additional changes to session.session_host
commit c3552f66d158685909e2c8b51dfead7c240c4f40
Author: HD Moore <hd_moore@rapid7.com>
Date: Mon Feb 27 22:00:19 2012 -0600
Merge changes into the new branch
2012-02-28 18:29:39 -07:00
Joshua J. Drake
65ed4bfa8b
Fixes #6308 : Fall back to 127.0.0.1 when SocketError is raised from the resolver
2012-02-25 13:00:48 -06:00
HD Moore
ceb4888772
Fix up the boilerplate comment to use a better url
2012-02-20 19:40:50 -06:00
Tod Beardsley
e371f0f64c
MSFTidy commits
...
Whitespace fixes, grammar fixes, and breaking up a multiline SOAP
request.
Squashed commit of the following:
commit 2dfd2472f7afc1a05d3647c7ace0d031797c03d9
Author: Tod Beardsley <todb@metasploit.com>
Date: Wed Feb 1 10:58:53 2012 -0600
Break up the multiline SOAP thing
commit 747e62c5be2e6ba99f70c03ecd436fc444fda99e
Author: Tod Beardsley <todb@metasploit.com>
Date: Wed Feb 1 10:48:16 2012 -0600
More whitespace and indent
commit 12c42aa1efdbf633773096418172e60277162e22
Author: Tod Beardsley <todb@metasploit.com>
Date: Wed Feb 1 10:39:36 2012 -0600
Whitespace fixes
commit 32d57444132fef3306ba2bc42743bfa063e498df
Author: Tod Beardsley <todb@metasploit.com>
Date: Wed Feb 1 10:35:37 2012 -0600
Grammar fixes for new modules.
2012-02-01 10:59:58 -06:00
HD Moore
0c2a18d765
Fix up reverse_tcp ipv6 stager for freebsd
2012-02-01 01:41:24 -06:00
HD Moore
29d8feaa24
Use the ADDR6 type, not ADDR
2012-02-01 00:58:08 -06:00
HD Moore
aed27a2f82
Add missing trailing quote
2012-02-01 00:54:42 -06:00
HD Moore
45a785fde0
Adds BSD IPv6 payloads and stagers
2012-02-01 00:54:42 -06:00
HD Moore
ec5fd723ba
Merge in additional IPv6 support for PHP payloads
2012-01-31 01:11:55 -06:00
Patroklos Argyroudis
4e1029ae8b
Execute (execve) arbitrary command payload for Mac OS X x64
2012-01-30 11:01:57 +02:00
Patroklos Argyroudis
c6eb104132
bug fix for hardcoded max command length
2012-01-23 10:24:22 +02:00
scriptjunkie
9fe18cdc86
Add x64 LoadLibraryA payload. Because it should exist.
2012-01-17 21:16:26 -06:00
sinn3r
5761035371
This payload shouldn't be in here. Instead of adding a new one, exec.rb should be fixed
2012-01-16 22:41:27 -06:00
sinn3r
17ffc06f60
Merge branch 'osx_mozilla_mchannel' of https://github.com/argp/metasploit-framework into argp-osx_mozilla_mchannel
2012-01-16 19:35:29 -06:00
sinn3r
8eee54d1d0
Add e-mail addr for corelanc0d3r (found it in auxiliary/fuzzers/ftp/client_ftp.rb)
2012-01-09 14:23:37 -06:00
Patroklos Argyroudis
5a20b7d7ac
Fixed small typo
2012-01-09 14:19:00 +02:00
Patroklos Argyroudis
9a62b41ab7
Mac OS X x86 payload that executes Calculator.app
2012-01-09 12:12:20 +02:00
sinn3r
b202c29153
Correct e-mail format
2011-12-29 11:27:10 -06:00
HD Moore
8dc85f1cc5
Fix up some nascent typos
2011-12-14 00:30:31 -06:00
HD Moore
866e2b6bf3
Additional IPv6 payload support
2011-12-14 00:27:38 -06:00
HD Moore
17cc89ebad
Add IPv6 specific HTTP(S) handlers and payloads (simplifies
...
options/usage)
2011-12-11 13:26:48 -06:00
HD Moore
2d3064c1ec
Default the scope ID to 0, explicitly
2011-12-10 13:46:16 -06:00
Christopher McBee
100d8803f6
Adding armle bind shellcode based on existing reverse shellcode
2011-12-05 18:16:02 -05:00
Rob Fuller
c411c216c0
Solved most of msftidy issues with the /modules directory
2011-11-28 17:10:29 -06:00
Joshua Drake
62c8c6ea9f
big msftidy pass, ping me if there are issues
...
git-svn-id: file:///home/svn/framework3/trunk@14034 4d416f70-5f16-0410-b530-b9f4589650da
2011-10-23 11:56:13 +00:00
Joshua Drake
ac916baac5
Fixes #5581 : Stop hardcoding MIPS reverse shell IP/port
...
git-svn-id: file:///home/svn/framework3/trunk@13999 4d416f70-5f16-0410-b530-b9f4589650da
2011-10-18 22:50:12 +00:00
Tod Beardsley
30ac88694f
More msftidy fixes. Now I'm going to get a little more surgical to get this to move faster.
...
git-svn-id: file:///home/svn/framework3/trunk@13963 4d416f70-5f16-0410-b530-b9f4589650da
2011-10-17 02:58:53 +00:00
James Lee
7e4826bae4
silly patch fail
...
git-svn-id: file:///home/svn/framework3/trunk@13742 4d416f70-5f16-0410-b530-b9f4589650da
2011-09-16 21:11:57 +00:00
James Lee
c6c133673f
add reverse_https support for java meterpreter, fixes #5288 ; thanks mihi!
...
git-svn-id: file:///home/svn/framework3/trunk@13741 4d416f70-5f16-0410-b530-b9f4589650da
2011-09-16 21:10:11 +00:00
James Lee
851bc8d7b8
add a single shell payload for java, partially reverts r13213
...
git-svn-id: file:///home/svn/framework3/trunk@13588 4d416f70-5f16-0410-b530-b9f4589650da
2011-08-19 16:31:19 +00:00
Wei Chen
76ea2ea2a3
That was weird. Id didn't set. Trying again.
...
git-svn-id: file:///home/svn/framework3/trunk@13403 4d416f70-5f16-0410-b530-b9f4589650da
2011-07-29 02:31:18 +00:00
Wei Chen
9f80b8d862
These modules forgot to do svn propset
...
git-svn-id: file:///home/svn/framework3/trunk@13402 4d416f70-5f16-0410-b530-b9f4589650da
2011-07-29 02:28:46 +00:00
James Lee
3c261c346f
add support for java/meterpreter/reverse_http. assuming i didn't miss any files, fixes #4946 , thanks mihi!
...
git-svn-id: file:///home/svn/framework3/trunk@13213 4d416f70-5f16-0410-b530-b9f4589650da
2011-07-18 23:15:06 +00:00
Matt Weeks
7122ccbbd1
wscript necessary in certain contexts.
...
Also can avoid warnings in certain cases.
git-svn-id: file:///home/svn/framework3/trunk@13166 4d416f70-5f16-0410-b530-b9f4589650da
2011-07-14 02:35:33 +00:00
James Lee
ff53057965
Use consistent case for Spawn option
...
git-svn-id: file:///home/svn/framework3/trunk@13130 4d416f70-5f16-0410-b530-b9f4589650da
2011-07-08 20:08:40 +00:00
Matt Weeks
afbf445a87
Custom payload.
...
Fixes #4708
git-svn-id: file:///home/svn/framework3/trunk@13058 4d416f70-5f16-0410-b530-b9f4589650da
2011-06-29 01:26:24 +00:00
HD Moore
9220506ba2
Merge in recent meterpreter work. These are not the commits you are looking for (more info on what all this is later this week).
...
git-svn-id: file:///home/svn/framework3/trunk@13053 4d416f70-5f16-0410-b530-b9f4589650da
2011-06-28 21:26:43 +00:00
Matt Weeks
5faaa7db07
Update cmd vbs download payloads.
...
Use : instead of longer echo statements.
Add eval version.
git-svn-id: file:///home/svn/framework3/trunk@12912 4d416f70-5f16-0410-b530-b9f4589650da
2011-06-11 20:37:08 +00:00
HD Moore
3e0f3639ef
This adds a quick windows/loadlibrary payload for folks who have a need for such things. The library path can be a UNC location and works fine over WebDAV...
...
git-svn-id: file:///home/svn/framework3/trunk@12765 4d416f70-5f16-0410-b530-b9f4589650da
2011-05-30 03:44:59 +00:00
Wei Chen
56b4a092d6
Added Linux x64 payloads. Modified exe.rb to support elf x64 payloads.
...
git-svn-id: file:///home/svn/framework3/trunk@12676 4d416f70-5f16-0410-b530-b9f4589650da
2011-05-20 23:51:19 +00:00
Stephen Fewer
c48633cff0
Merge in a rewritten windows x86 reverse_ipv6_tcp stager (The previous one seems hosed since r6744 due to new host/port offsets[1] but the shellcode blob remained the same after modification[2]) - This new one uses the block_api_call technique, is 37 bytes smaller and can handle arbitrary size stages.
...
[1] https://dev.metasploit.com/redmine/projects/framework/repository/revisions/6744/diff/modules/payloads/stagers/windows/reverse_ipv6_tcp.rb
[2] https://dev.metasploit.com/redmine/projects/framework/repository/revisions/6744/diff/external/source/shellcode/windows/stager_reverse_ipv6_tcp_nx.asm
git-svn-id: file:///home/svn/framework3/trunk@12562 4d416f70-5f16-0410-b530-b9f4589650da
2011-05-08 01:44:08 +00:00
HD Moore
7cb8e56cfe
Fix upexec handle_connection_stage arguments
...
git-svn-id: file:///home/svn/framework3/trunk@12511 4d416f70-5f16-0410-b530-b9f4589650da
2011-05-02 18:54:02 +00:00
Joshua Drake
94fa25ee7a
remove crufty method
...
git-svn-id: file:///home/svn/framework3/trunk@12491 4d416f70-5f16-0410-b530-b9f4589650da
2011-05-01 22:07:49 +00:00
Mario Ceballos
0522b69de2
s instead of n
...
git-svn-id: file:///home/svn/framework3/trunk@12488 4d416f70-5f16-0410-b530-b9f4589650da
2011-05-01 13:31:08 +00:00
James Lee
6dd44fa516
massive keywords cleanup
...
git-svn-id: file:///home/svn/framework3/trunk@12196 4d416f70-5f16-0410-b530-b9f4589650da
2011-04-01 00:51:33 +00:00
HD Moore
c679de9d7a
Closes #3976 by merging in an ARM adduser payload from Jonathan Salwan
...
git-svn-id: file:///home/svn/framework3/trunk@12045 4d416f70-5f16-0410-b530-b9f4589650da
2011-03-21 01:26:14 +00:00
amaloteaux
78396e94f9
move linux meterpreter bin to the correct place
...
git-svn-id: file:///home/svn/framework3/trunk@11938 4d416f70-5f16-0410-b530-b9f4589650da
2011-03-11 20:29:25 +00:00
Mario Ceballos
631af16d9f
revert back.
...
git-svn-id: file:///home/svn/framework3/trunk@11900 4d416f70-5f16-0410-b530-b9f4589650da
2011-03-08 22:48:39 +00:00
Mario Ceballos
54382c6080
patch recieved from Peter Van Eeckhout
...
git-svn-id: file:///home/svn/framework3/trunk@11898 4d416f70-5f16-0410-b530-b9f4589650da
2011-03-08 22:23:13 +00:00
Joshua Drake
a944cbc50d
style compliance fixes
...
git-svn-id: file:///home/svn/framework3/trunk@11612 4d416f70-5f16-0410-b530-b9f4589650da
2011-01-20 20:40:47 +00:00
HD Moore
4971a0d7af
Add Skylined's "You Got Pwned" payload
...
git-svn-id: file:///home/svn/framework3/trunk@11485 4d416f70-5f16-0410-b530-b9f4589650da
2011-01-06 17:34:09 +00:00
James Lee
f0cc6ff596
big commit for converting meterpreter scripts to modules, see #3377 . also fixes payload tab-completion and 'show payloads' after TARGET has changed
...
git-svn-id: file:///home/svn/framework3/trunk@11421 4d416f70-5f16-0410-b530-b9f4589650da
2010-12-27 17:46:42 +00:00
Joshua Drake
32c26f18f3
style compliance fixes, set test exploits to manual rank, fix s/ranking/rank/ in some exploits
...
git-svn-id: file:///home/svn/framework3/trunk@11039 4d416f70-5f16-0410-b530-b9f4589650da
2010-11-14 19:03:24 +00:00
Joshua Drake
a6bade8795
convert to use metasm, also fixes silly off-by-one bug
...
git-svn-id: file:///home/svn/framework3/trunk@11000 4d416f70-5f16-0410-b530-b9f4589650da
2010-11-11 23:07:50 +00:00
Joshua Drake
9fb0e1a0bb
fix comments
...
git-svn-id: file:///home/svn/framework3/trunk@10995 4d416f70-5f16-0410-b530-b9f4589650da
2010-11-11 22:19:34 +00:00
James Lee
0d664c3a71
add a Spawn advanced option to java stagers, see #3009
...
git-svn-id: file:///home/svn/framework3/trunk@10946 4d416f70-5f16-0410-b530-b9f4589650da
2010-11-08 06:08:09 +00:00
James Lee
56839ccf36
stupid debug prints
...
git-svn-id: file:///home/svn/framework3/trunk@10782 4d416f70-5f16-0410-b530-b9f4589650da
2010-10-22 10:24:28 +00:00
James Lee
f33d7cc670
revamp java payloads and make shells work with tomcat_mgr_deploy. tested java_trusted_chain and java_tester to verify that this doesn't break other java payload usage. see #3009 and #2973 , meterpreter doesn't work yet, so not marking resolved.
...
git-svn-id: file:///home/svn/framework3/trunk@10781 4d416f70-5f16-0410-b530-b9f4589650da
2010-10-22 10:19:51 +00:00
Joshua Drake
04858c69fc
style compliance fixes
...
git-svn-id: file:///home/svn/framework3/trunk@10758 4d416f70-5f16-0410-b530-b9f4589650da
2010-10-19 22:54:19 +00:00
HD Moore
79c8e18e6b
Add a wfs_delay for reverse_https. This fixes #2508 and fixes #1764 . This should prevent the race condition that was the root cause of both issues.
...
git-svn-id: file:///home/svn/framework3/trunk@10716 4d416f70-5f16-0410-b530-b9f4589650da
2010-10-17 02:33:47 +00:00
HD Moore
9902dcb9cc
Fixes #2661 by removing exitfunc as a parameter, since it needs to be ExitProcess
...
git-svn-id: file:///home/svn/framework3/trunk@10714 4d416f70-5f16-0410-b530-b9f4589650da
2010-10-16 22:01:01 +00:00
HD Moore
5e1d181da5
Fixes #2132 by removing patchup version of vnc inject
...
git-svn-id: file:///home/svn/framework3/trunk@10708 4d416f70-5f16-0410-b530-b9f4589650da
2010-10-16 18:10:10 +00:00
Stephen Fewer
df8b9f8e95
Merge in the IPv6 Teredo patch.
...
git-svn-id: file:///home/svn/framework3/trunk@10543 4d416f70-5f16-0410-b530-b9f4589650da
2010-10-04 11:02:46 +00:00
Joshua Drake
0f65deaf72
add messagebox payload from corelanc0d3r
...
git-svn-id: file:///home/svn/framework3/trunk@10495 4d416f70-5f16-0410-b530-b9f4589650da
2010-09-27 13:31:48 +00:00
pks
14cabd2611
Allow debugging to be enabled.
...
This will make it easier to hopefully track down bugs.
exploitme-posix.c - make complete stack executable. On some kernel versions, execstack doesn't do the trick.
git-svn-id: file:///home/svn/framework3/trunk@10485 4d416f70-5f16-0410-b530-b9f4589650da
2010-09-26 05:58:59 +00:00
pks
1392ef78d7
Use exit() instead of exit_group()
...
git-svn-id: file:///home/svn/framework3/trunk@10483 4d416f70-5f16-0410-b530-b9f4589650da
2010-09-26 05:58:41 +00:00
pks
740e2c1ab2
Change base from 0x90040000 to 0x20040000.
...
This is more portable across kernel versions / patches it seems. This
will be better for SEGMEXEC compatibility as well.
git-svn-id: file:///home/svn/framework3/trunk@10455 4d416f70-5f16-0410-b530-b9f4589650da
2010-09-24 04:06:28 +00:00
Joshua Drake
4590844871
tons of indentation fixes, some other style tweaks
...
git-svn-id: file:///home/svn/framework3/trunk@10394 4d416f70-5f16-0410-b530-b9f4589650da
2010-09-20 08:06:27 +00:00
Joshua Drake
d8fb8e5c49
merge in another posix meterpreter update from philip, see #2418
...
git-svn-id: file:///home/svn/framework3/trunk@10307 4d416f70-5f16-0410-b530-b9f4589650da
2010-09-13 14:44:00 +00:00
Joshua Drake
5de3146533
style compliance fixes
...
git-svn-id: file:///home/svn/framework3/trunk@10273 4d416f70-5f16-0410-b530-b9f4589650da
2010-09-09 15:47:35 +00:00
Joshua Drake
3b67eefe4e
sync up with Philip's code, see #2418
...
git-svn-id: file:///home/svn/framework3/trunk@10202 4d416f70-5f16-0410-b530-b9f4589650da
2010-08-31 15:10:41 +00:00
Joshua Drake
4651a0ad33
style compliance fixes
...
git-svn-id: file:///home/svn/framework3/trunk@10160 4d416f70-5f16-0410-b530-b9f4589650da
2010-08-26 20:21:41 +00:00
Joshua Drake
2d14c0054f
add two contributed linux armle payloads, thx guys!
...
git-svn-id: file:///home/svn/framework3/trunk@10152 4d416f70-5f16-0410-b530-b9f4589650da
2010-08-25 21:44:33 +00:00
Joshua Drake
d7e9a25bc7
add two windows cmd payloads from scriptjunkie, fixes #1876
...
git-svn-id: file:///home/svn/framework3/trunk@10122 4d416f70-5f16-0410-b530-b9f4589650da
2010-08-23 22:50:24 +00:00
Joshua Drake
2572bb6919
add svn:keywords property
...
git-svn-id: file:///home/svn/framework3/trunk@10121 4d416f70-5f16-0410-b530-b9f4589650da
2010-08-23 22:49:43 +00:00
James Lee
eda50fc89e
spawn out into another process so killing the browser won't drop our shell
...
git-svn-id: file:///home/svn/framework3/trunk@10091 4d416f70-5f16-0410-b530-b9f4589650da
2010-08-21 06:28:29 +00:00
James Lee
871a6185b8
refactor
...
git-svn-id: file:///home/svn/framework3/trunk@10077 4d416f70-5f16-0410-b530-b9f4589650da
2010-08-20 07:15:23 +00:00
James Lee
5d95f48848
add preliminary support for the new java payloads. Working meterpreter and shell stages with tcp bind and reverse stagers, see #406
...
git-svn-id: file:///home/svn/framework3/trunk@10073 4d416f70-5f16-0410-b530-b9f4589650da
2010-08-20 07:01:23 +00:00
Joshua Drake
2482a83526
style compliance fixes
...
git-svn-id: file:///home/svn/framework3/trunk@9927 4d416f70-5f16-0410-b530-b9f4589650da
2010-07-25 19:14:00 +00:00
James Lee
2a2f6fde56
not a command shell, it's a stager
...
git-svn-id: file:///home/svn/framework3/trunk@9912 4d416f70-5f16-0410-b530-b9f4589650da
2010-07-22 16:29:01 +00:00
James Lee
929163834a
change the name to not lie
...
git-svn-id: file:///home/svn/framework3/trunk@9889 4d416f70-5f16-0410-b530-b9f4589650da
2010-07-20 20:21:54 +00:00
HD Moore
a066ebc85b
Remove rescue
...
git-svn-id: file:///home/svn/framework3/trunk@9886 4d416f70-5f16-0410-b530-b9f4589650da
2010-07-20 14:16:12 +00:00
HD Moore
2ce616fa1a
Hide this exception until loader.jar is checked in
...
git-svn-id: file:///home/svn/framework3/trunk@9880 4d416f70-5f16-0410-b530-b9f4589650da
2010-07-20 03:10:15 +00:00
James Lee
08d705c1db
add java meterpreter and update java_calendar_deserialize to be able to use it, see #406
...
git-svn-id: file:///home/svn/framework3/trunk@9874 4d416f70-5f16-0410-b530-b9f4589650da
2010-07-20 00:53:24 +00:00
Joshua Drake
dec6bfee0a
add missing includes
...
git-svn-id: file:///home/svn/framework3/trunk@9856 4d416f70-5f16-0410-b530-b9f4589650da
2010-07-19 04:28:09 +00:00
James Lee
2a8a058519
add a bind stager for php
...
git-svn-id: file:///home/svn/framework3/trunk@9855 4d416f70-5f16-0410-b530-b9f4589650da
2010-07-17 22:42:12 +00:00
Joshua Drake
2f5970e30b
set keywords property
...
git-svn-id: file:///home/svn/framework3/trunk@9655 4d416f70-5f16-0410-b530-b9f4589650da
2010-07-01 23:46:05 +00:00
Joshua Drake
0882838491
ensure binary mode when opening files, whitespace fixes
...
git-svn-id: file:///home/svn/framework3/trunk@9653 4d416f70-5f16-0410-b530-b9f4589650da
2010-07-01 23:33:07 +00:00
James Lee
42f540258a
really, actually commit the meterpreter stage
...
git-svn-id: file:///home/svn/framework3/trunk@9638 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-30 23:51:29 +00:00
James Lee
920710a5fd
actually commit the stager, see #2128
...
git-svn-id: file:///home/svn/framework3/trunk@9595 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-23 22:24:50 +00:00
James Lee
c3d183c98d
split stadpi out into an extension, add a reverse_tcp stager, make the main meterpreter stage-aware so it will work as a standalone or eval'd by a stager that sets $msgsock and $msgsock_type; see #2128
...
git-svn-id: file:///home/svn/framework3/trunk@9594 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-23 20:00:27 +00:00
Joshua Drake
171543624a
fix typos
...
git-svn-id: file:///home/svn/framework3/trunk@9581 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-22 16:11:02 +00:00
James Lee
ef5c0f77eb
move copy-paste into a mixin
...
git-svn-id: file:///home/svn/framework3/trunk@9576 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-22 00:46:52 +00:00
James Lee
d1d2f8af0a
explain to the user that we couldn't find a vncviewer
...
git-svn-id: file:///home/svn/framework3/trunk@9575 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-22 00:14:08 +00:00
James Lee
6fb4a5630a
explain to the user that we couldn't find a vncviewer
...
git-svn-id: file:///home/svn/framework3/trunk@9574 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-22 00:13:43 +00:00
James Lee
c5203f72a0
missed deleting this when moving it to meterpreter_reverse_tcp
...
git-svn-id: file:///home/svn/framework3/trunk@9557 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-18 21:33:21 +00:00
James Lee
b03047094d
make the payload name match the standard
...
git-svn-id: file:///home/svn/framework3/trunk@9534 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-16 16:55:05 +00:00
Joshua Drake
e32abab8dc
a HTTP -> an HTTP ( http://www.english-zone.com/grammar/a-anlessn.html )
...
git-svn-id: file:///home/svn/framework3/trunk@9488 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-11 16:12:05 +00:00
HD Moore
faefb09b8c
Only gsub datastore variables if they aren't nil
...
git-svn-id: file:///home/svn/framework3/trunk@9403 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-03 01:23:02 +00:00
James Lee
9dc298f56d
make it work for more than localhost...
...
git-svn-id: file:///home/svn/framework3/trunk@9401 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-03 00:21:24 +00:00
James Lee
f974f59c32
make sure we have reverse_tcp
...
git-svn-id: file:///home/svn/framework3/trunk@9400 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 23:20:45 +00:00
James Lee
2470470405
stupid debug print
...
git-svn-id: file:///home/svn/framework3/trunk@9394 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 08:31:44 +00:00
James Lee
fe43e91bad
initial commit of php meterpreter, see #391 . upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
...
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 08:28:39 +00:00
HD Moore
a1ee346d59
Try a little harder to read the full image
...
git-svn-id: file:///home/svn/framework3/trunk@9379 4d416f70-5f16-0410-b530-b9f4589650da
2010-05-29 02:20:23 +00:00
Ramon de C Valle
34f12a38ec
Change the base value used for calculating the system call numbers and
...
arguments to avoid null bytes in newer versions of AIX.
git-svn-id: file:///home/svn/framework3/trunk@9347 4d416f70-5f16-0410-b530-b9f4589650da
2010-05-23 19:47:48 +00:00
Joshua Drake
0e72894e58
more cleanups
...
git-svn-id: file:///home/svn/framework3/trunk@9212 4d416f70-5f16-0410-b530-b9f4589650da
2010-05-03 17:13:09 +00:00
Joshua Drake
0ea6eca4bc
big module whitespace/formatting cleanup pass
...
git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da
2010-04-30 08:40:19 +00:00
Joshua Drake
321404e2fe
add payload/generic/tight_loop - x86 debug payload
...
git-svn-id: file:///home/svn/framework3/trunk@9070 4d416f70-5f16-0410-b530-b9f4589650da
2010-04-14 07:40:04 +00:00
HD Moore
11c10518b3
Bug fixes for better windows OS compatibility
...
git-svn-id: file:///home/svn/framework3/trunk@9002 4d416f70-5f16-0410-b530-b9f4589650da
2010-04-03 14:57:51 +00:00
HD Moore
cd2760f2c2
Bug fixes and size improvements for the reverse_https stager
...
git-svn-id: file:///home/svn/framework3/trunk@9001 4d416f70-5f16-0410-b530-b9f4589650da
2010-04-03 13:53:35 +00:00
HD Moore
e968c3894e
More size tweaks
...
git-svn-id: file:///home/svn/framework3/trunk@8999 4d416f70-5f16-0410-b530-b9f4589650da
2010-04-03 08:03:28 +00:00
HD Moore
c8defe9716
Size tweaks to bring the ssl stager + encoder + target_id to exactly 400 bytes
...
git-svn-id: file:///home/svn/framework3/trunk@8998 4d416f70-5f16-0410-b530-b9f4589650da
2010-04-03 07:48:53 +00:00
HD Moore
d2f44f4a22
Keywords
...
git-svn-id: file:///home/svn/framework3/trunk@8986 4d416f70-5f16-0410-b530-b9f4589650da
2010-04-03 05:22:20 +00:00
HD Moore
b50d9049f0
Add the actual stager
...
git-svn-id: file:///home/svn/framework3/trunk@8985 4d416f70-5f16-0410-b530-b9f4589650da
2010-04-03 05:21:42 +00:00
HD Moore
c6c956ab46
Small patch to enable a new stager
...
git-svn-id: file:///home/svn/framework3/trunk@8984 4d416f70-5f16-0410-b530-b9f4589650da
2010-04-03 05:21:15 +00:00
HD Moore
5d0fb434b7
Adds a reverse_tcp_dns stager
...
git-svn-id: file:///home/svn/framework3/trunk@8983 4d416f70-5f16-0410-b530-b9f4589650da
2010-04-03 03:38:57 +00:00
Stephen Fewer
75661291fa
and the bins, tiny modification to the ruby side and update the README.
...
git-svn-id: file:///home/svn/framework3/trunk@8891 4d416f70-5f16-0410-b530-b9f4589650da
2010-03-24 00:03:32 +00:00
Stephen Fewer
46cc8e538f
The new x64 VNC inject payload stage.
...
git-svn-id: file:///home/svn/framework3/trunk@8746 4d416f70-5f16-0410-b530-b9f4589650da
2010-03-08 14:51:43 +00:00
Joshua Drake
a0d5ce473b
add (staged) to the descriptions of staged payloads, fixes #955
...
git-svn-id: file:///home/svn/framework3/trunk@8733 4d416f70-5f16-0410-b530-b9f4589650da
2010-03-06 05:27:13 +00:00
Joshua Drake
138d45d095
more missing constant errors fixed, fixes #975
...
git-svn-id: file:///home/svn/framework3/trunk@8642 4d416f70-5f16-0410-b530-b9f4589650da
2010-02-25 21:11:12 +00:00
Joshua Drake
75533423dd
add requires for 2 stages missing them
...
git-svn-id: file:///home/svn/framework3/trunk@8634 4d416f70-5f16-0410-b530-b9f4589650da
2010-02-25 06:05:02 +00:00
Joshua Drake
7d99a33b20
remove double-on_session call from generic payloads
...
git-svn-id: file:///home/svn/framework3/trunk@8621 4d416f70-5f16-0410-b530-b9f4589650da
2010-02-24 20:57:09 +00:00
Joshua Drake
b391abd32d
adds scripting for command shell sessions
...
1. InitialAutoRunScript and AutoRunScript vars work
2. scripts/shells was created to hold them
3. *_shell methods were renamed shell_*
4. added "shell_command" method to command shell sessions
5. converted all uses of *_shell to shell_*
6. all payloads that produce command shell sessions include Msf::Sessions::CommandShellOptions
git-svn-id: file:///home/svn/framework3/trunk@8615 4d416f70-5f16-0410-b530-b9f4589650da
2010-02-24 01:19:59 +00:00
Joshua Drake
f8ca490b98
move meterpreter on_session functionality into a mixin
...
git-svn-id: file:///home/svn/framework3/trunk@8586 4d416f70-5f16-0410-b530-b9f4589650da
2010-02-22 21:05:08 +00:00
Joshua Drake
17bd4b8b7d
fixed aix payloads to REALLY do variable substitution
...
git-svn-id: file:///home/svn/framework3/trunk@8418 4d416f70-5f16-0410-b530-b9f4589650da
2010-02-08 22:41:36 +00:00
Joshua Drake
d68efa61d2
initial commit of aix cmsd exploit (not fully working yet)
...
git-svn-id: file:///home/svn/framework3/trunk@8397 4d416f70-5f16-0410-b530-b9f4589650da
2010-02-08 00:44:37 +00:00
Joshua Drake
31949c4343
svn keywords fixups
...
fixed a bunch of $Id$ and $Revision$ typos
added keywords property to files missing it
git-svn-id: file:///home/svn/framework3/trunk@8242 4d416f70-5f16-0410-b530-b9f4589650da
2010-01-26 20:12:13 +00:00
HD Moore
831833667a
Minor tweak (run inside of sh -c '')
...
git-svn-id: file:///home/svn/framework3/trunk@8107 4d416f70-5f16-0410-b530-b9f4589650da
2010-01-13 20:19:51 +00:00
Joshua Drake
2283e029db
crossing fingers, big cr removal batch
...
git-svn-id: file:///home/svn/framework3/trunk@8038 4d416f70-5f16-0410-b530-b9f4589650da
2009-12-30 22:24:22 +00:00
HD Moore
bcdb44b835
See #667 . This adds InitialAutoRunScript support, to be defaulted by browser modules (and others)
...
git-svn-id: file:///home/svn/framework3/trunk@7904 4d416f70-5f16-0410-b530-b9f4589650da
2009-12-17 06:00:14 +00:00
Joshua Drake
b1c9b7e927
a few more svn:keywords fixes
...
git-svn-id: file:///home/svn/framework3/trunk@7870 4d416f70-5f16-0410-b530-b9f4589650da
2009-12-15 02:11:42 +00:00
James Lee
5ddfffc94f
only accept one connection for bind_perl shells. fixes 669
...
git-svn-id: file:///home/svn/framework3/trunk@7790 4d416f70-5f16-0410-b530-b9f4589650da
2009-12-09 23:49:50 +00:00
HD Moore
61e233df91
Keywords on all modules, plugins, and scripts
...
git-svn-id: file:///home/svn/framework3/trunk@7550 4d416f70-5f16-0410-b530-b9f4589650da
2009-11-17 00:05:19 +00:00
HD Moore
dc0dc98771
Fixes #517 . Disables meterpreter stages for passivex stagers
...
git-svn-id: file:///home/svn/framework3/trunk@7546 4d416f70-5f16-0410-b530-b9f4589650da
2009-11-16 22:45:33 +00:00
Stephen Fewer
6142f5d509
re-enable the passivex stager. we still need to force the meterpreter stage to be incompatible with this stager as their is a known issue between the two.
...
git-svn-id: file:///home/svn/framework3/trunk@7544 4d416f70-5f16-0410-b530-b9f4589650da
2009-11-16 19:34:14 +00:00
Stephen Fewer
159ca526b4
Fixed a null pointer dereference bug (occurring in stages loaded by the PassiveX stager) that was being caused when an invalid exit funk was being patched into the stage by the PassiveX stager. This happened because the PassiveX stager uses the old type exit funks while the stages use the new type. This fix ensures the PassiveX stager gets the expected old exit funk value while the chosen stage gets the new exit funk value. This patch does not fix Bug #291 (PassiveX broken). Also I have left the PassiveX stager disabled until we can resolve the rest of the problems.
...
git-svn-id: file:///home/svn/framework3/trunk@7448 4d416f70-5f16-0410-b530-b9f4589650da
2009-11-10 16:07:01 +00:00
James Lee
d9b5d62a3e
disable passivex for the rc1 until we can figure out why it doesn't work. see #291
...
git-svn-id: file:///home/svn/framework3/trunk@7419 4d416f70-5f16-0410-b530-b9f4589650da
2009-11-09 04:32:22 +00:00
HD Moore
b38a74c961
Another mega-patch from Yoann Guillot: fixes warnings generated by method calls with a space betwee the method and the parans, corrects a problem with the alpha encoders that causes them to overwrite the allowed charset, hardcodes the metasm output size of some modules in order to reduce load time, more to come
...
git-svn-id: file:///home/svn/framework3/trunk@7246 4d416f70-5f16-0410-b530-b9f4589650da
2009-10-25 16:40:19 +00:00
Stephen Fewer
995745d642
Commit a jsp bind shell payload (and add a missing require to the jsp reverse shell).
...
git-svn-id: file:///home/svn/framework3/trunk@7220 4d416f70-5f16-0410-b530-b9f4589650da
2009-10-20 23:11:28 +00:00
HD Moore
00b2915554
Fixes #342 . Set ReverseConnectRetries to a value between 1 and 255 (default is 5). On failure it will ExitProcess (still better than a cpu spin)
...
git-svn-id: file:///home/svn/framework3/trunk@7217 4d416f70-5f16-0410-b530-b9f4589650da
2009-10-20 20:31:14 +00:00
HD Moore
5972666f63
See #339 . Massive cleanup of author names, make them consistent across modules
...
git-svn-id: file:///home/svn/framework3/trunk@7075 4d416f70-5f16-0410-b530-b9f4589650da
2009-09-27 21:30:45 +00:00
Stephen Fewer
1a220d6dc5
add java payload jsp_shell_reverse_tcp.
...
git-svn-id: file:///home/svn/framework3/trunk@7071 4d416f70-5f16-0410-b530-b9f4589650da
2009-09-27 18:35:07 +00:00
James Lee
6a7a023844
I will not commit when sleep deprived. I will not commit when sleep deprived. I will not commit...
...
git-svn-id: file:///home/svn/framework3/trunk@7061 4d416f70-5f16-0410-b530-b9f4589650da
2009-09-25 06:40:42 +00:00
James Lee
bc2c38c332
shave an instruction from the new allports stager
...
git-svn-id: file:///home/svn/framework3/trunk@7060 4d416f70-5f16-0410-b530-b9f4589650da
2009-09-25 06:13:13 +00:00
HD Moore
b47b46e7c0
Set keywords
...
git-svn-id: file:///home/svn/framework3/trunk@7059 4d416f70-5f16-0410-b530-b9f4589650da
2009-09-25 05:45:03 +00:00
HD Moore
ee9a8f4f76
Adds support for the reverse_tcp_allports stager for Windows. This payload tries to connect back on all ports, one at a time, from LPORT to 65535. This is incredibly slow (depends on the default socket timeout) and requires the user to forward all TCP ports of LHOST to a single listening port in the handler. Inspired by a few user requests and this blog post: http://clinicallyawesome.com/post/196352889/blind-connect-back-through-restrictive-firewall
...
git-svn-id: file:///home/svn/framework3/trunk@7058 4d416f70-5f16-0410-b530-b9f4589650da
2009-09-25 05:44:50 +00:00
James Lee
e30e850ba7
shave a few bytes off of the windows stagers
...
git-svn-id: file:///home/svn/framework3/trunk@7035 4d416f70-5f16-0410-b530-b9f4589650da
2009-09-14 08:45:01 +00:00
James Lee
782f830abf
make cd work by special-casing it to call chdir()
...
git-svn-id: file:///home/svn/framework3/trunk@7027 4d416f70-5f16-0410-b530-b9f4589650da
2009-09-10 06:19:10 +00:00
James Lee
0f957f236e
make cd work by special-casing it to call chdir()
...
git-svn-id: file:///home/svn/framework3/trunk@7026 4d416f70-5f16-0410-b530-b9f4589650da
2009-09-10 06:11:47 +00:00