Commit Graph

12472 Commits (917b45664b59a5f3438185710ea5caad4f7d2075)

Author SHA1 Message Date
William Webb 455ba42f5b
Land #7218, Add new post-exploitation APIs for stealing access tokens 2016-08-22 10:55:42 -05:00
David Maloney b6dff719f3
add a hard require to the ssh mixin
added hard require for SSHFactory into the ssh exploit mixin
this should prevent any laod-order bugs from cropping up again
2016-08-22 09:56:07 -05:00
Tim Wright 3955c4332d fix android autoload commands and sysinfo 2016-08-22 14:53:58 +01:00
dmohanty-r7 4478136065 Unvendor openvas-omp gem
MS-1718
2016-08-19 15:14:32 -05:00
Metasploit 87d34cfbba
Bump version of framework to 4.12.22 2016-08-19 10:02:28 -07:00
wchen-r7 265adebd50 Fix typo 2016-08-19 10:44:24 -05:00
William Vu 3d4d7aae14 Add ps -c to show child processes of current shell 2016-08-18 19:23:21 -05:00
wchen-r7 0f4d26af19 Update yard doc 2016-08-18 17:18:16 -05:00
wchen-r7 2a61450511 Add new POST exploitation APIs for stealing a token 2016-08-18 17:08:21 -05:00
James Lee 91417e62a8
Cleanup docs 2016-08-18 10:40:32 -05:00
William Vu bc9a402d9e
Land #7214, print_brute ip:rport fix 2016-08-17 22:48:40 -05:00
William Webb 667c3566e5
Land #7209, Add functionality to pull .NET versions on Windows hosts 2016-08-17 12:48:05 -05:00
Brent Cook b37dc8ea27
Land #7210, allow send_request_cgi to close a non-global socket 2016-08-16 22:54:23 -05:00
Brendan b25b2a5188 Cleaned up code per suggestions in the PR 2016-08-16 16:16:25 -05:00
wchen-r7 5f8ef6682a Fix #7202, Make print_brute print ip:rport if available
Fix #7202
2016-08-16 15:34:30 -05:00
Brent Cook e70402a130 use the platform string verbatim on windows meterpreter 2016-08-15 23:50:57 -05:00
wchen-r7 498657ab35 Fix #3860, tearing down TCP connection for send_request_cgi
Fix #3860
2016-08-15 15:45:52 -05:00
Brendan 0778b77f7b Cleaned up a little 2016-08-15 12:20:28 -07:00
David Maloney d2a6c2e9ca
move rex bintools into new gem
move all the *scan *parsey code out into
the new rex-bin_tools gem

MS-1691
2016-08-15 14:01:43 -05:00
Brendan 7730e0eb27 Added ability to retrieve .NET versions 2016-08-15 11:29:00 -07:00
Brendan 906d480264 Added dotnet require 2016-08-15 11:06:29 -07:00
Vlatko Kosturjak 46e4ee4c5b Start using gem instead of obsolete library/tool
Rationale is following:
nessus-cli is obsolete
nessus is using json rest api instead of xmlrpc
xmlrpc name is therefore obsolete

Solution: with minimal changes start using nessus_rest gem.
2016-08-14 17:57:33 +02:00
Pearce Barry 1e7663c704
Land #7200, Rex::Ui::Text cleanup 2016-08-12 16:22:55 -05:00
David Maloney 0fd833676e
remove unnedded codepage.map
this file got mvoed to rex-text earlier
2016-08-12 13:41:31 -05:00
David Maloney 4e678e4ce6
fix help table
there was a bad class refernece here that
needed to be cleaned up

MS-1875
2016-08-12 13:33:41 -05:00
Metasploit a6ba386728
Bump version of framework to 4.12.21 2016-08-12 10:02:36 -07:00
Brent Cook 6a035b7e48
Land #7161, add specs for cisco mixin to use Metasploit Credentials 2016-08-12 10:07:17 -05:00
Pearce Barry 6386d9daca
Land #7178, Add a method to check the Powershell version 2016-08-11 11:02:41 -05:00
wchen-r7 e08c4a8bef Remove .Net check
cmd_exec doesn't seem to be the best way to go because there is
some issue grabbing the output sometimes.
2016-08-11 10:49:06 -05:00
David Maloney 42d6c9443d
remove unused ProgressTracker class
not sure if this was ever used, but it is certainly not being used
by anything now, so let's remove it

MS-1875
2016-08-11 10:35:10 -05:00
David Maloney 8489485cfd
move Rex::Ui::Text::Color out to rex::text gem
moved the text ansi color library out to the rex-text gem

MS-1875
2016-08-11 10:28:09 -05:00
Metasploit d57e4d6349
Bump version of framework to 4.12.20 2016-08-10 15:30:37 -07:00
David Maloney 09ad342b67
Merge branch 'master' into feature/MS-1875/rex-table 2016-08-10 15:58:27 -05:00
wchen-r7 3851db7bcb Use powershell when possible 2016-08-10 15:14:11 -05:00
Brent Cook 1cb01ee876 remove architecture fidling from platform string for now 2016-08-10 14:46:48 -05:00
David Maloney eb73a6914d
replace old rex::ui::text::table refs
everywhere we called the class we have now rewritten it
to use the new namespace

MS-1875
2016-08-10 13:30:09 -05:00
David Maloney 3f530f1896
remove rex::ui::text:table
remove the class from msf, and update the rex-text
gem to pull the code in under the new version at Rex::Text::Table
modify all requires appropriately

MS-1875
2016-08-10 13:24:25 -05:00
dmohanty-r7 b027176799
Land #7156, use windows_error gem for constants 2016-08-10 11:47:37 -05:00
Metasploit 280216d74d
Bump version of framework to 4.12.19 2016-08-09 14:49:58 -07:00
Pearce Barry ae59c4ae74
Land #6687, Fix meterpreter platform to include OS in the tuple for all meterpreters 2016-08-07 05:00:24 -05:00
Christian Mehlmauer 009089ead7
Land #7183, Fix #7170 Add HttpTrace option for HttpClient 2016-08-05 22:36:28 +02:00
wchen-r7 4055fd1930 Do e.message instead of e.to_s 2016-08-05 14:12:50 -05:00
wchen-r7 d59b6d99ee Make the debug output more readable 2016-08-05 13:20:53 -05:00
Metasploit e7aa658893
Bump version of framework to 4.12.18 2016-08-05 10:05:03 -07:00
wchen-r7 766c0cc539 return nil if no .Net is installed 2016-08-05 11:36:32 -05:00
wchen-r7 a8d9a5c02c Print exceptions if needed 2016-08-04 18:14:22 -05:00
wchen-r7 7538b3dcf8 Fix #7170, Add HttpTrace option for HttpClient
Fix #7170
2016-08-04 16:09:17 -05:00
wchen-r7 11f94a6efc Do a different wmic query for newer systems 2016-08-04 14:50:46 -05:00
wchen-r7 3ea3d95744 Add methods to check .Net and Powershell versions 2016-08-03 17:49:15 -05:00
William Vu 4c12c2f6c5 Improve Meterpreter ps -A experience
This allows us to use "x64" instead of "x86_64" in ps -A.
2016-07-31 17:19:57 -07:00
Brent Cook 8bda3c6382
Land #7121, Don't clobber nil strings when there are empty strings in the config file 2016-07-29 15:49:11 -05:00
Metasploit 190bac6e0a
Bump version of framework to 4.12.17 2016-07-29 10:02:06 -07:00
darkbushido 5a1cd24350 finishing converting the last of this to credentials 2016-07-29 09:58:17 -05:00
darkbushido 0972005b24 updating 'ppp.*username secret' 2016-07-29 09:58:17 -05:00
darkbushido 1d33c9aa88 updating specs upto 'username secret' 2016-07-29 09:58:17 -05:00
darkbushido 73b362cade updating more spec 2016-07-29 09:58:16 -05:00
darkbushido b66621af0d adding in a blank service_name
fixing myworkspace
2016-07-29 09:58:16 -05:00
darkbushido 219f9d5d57 updating parts of cisco to use creds 2016-07-29 09:58:15 -05:00
darkbushido 40240662db converting enable password to create_credentials 2016-07-29 09:58:15 -05:00
Brent Cook 8ad38aec2f
Land #7109, Add final filesize to msfvenom output 2016-07-29 09:24:10 -05:00
Brendan ee40c9d809
Land #6625, Send base64ed shellcode and decode with certutil (Actually MSXML) 2016-07-28 13:01:05 -07:00
Brendan 2525eab996 persistance -> persistence 2016-07-28 12:56:04 -07:00
Pearce Barry 1f5fbd4a67
Put remaining consts in exploit mixin... 2016-07-27 17:43:29 -05:00
Pearce Barry 05afaa1162
Pull in consts from rex-arch gem... 2016-07-27 17:43:17 -05:00
Pearce Barry bdf073516b
Switch errors over to windows_error gem... 2016-07-27 17:43:00 -05:00
Pearce Barry 2a703d6cec
Move LOG_* and LEV_* defs out of constants.rb... 2016-07-27 17:42:42 -05:00
William Webb 5b8b15e578 update global constants to allow for windows 10 2016-07-27 12:45:05 -05:00
Brendan af137f3ec3
Land #7127, Fix #6989, scanner modules printing RHOST in progress messages 2016-07-27 09:16:08 -07:00
Brent Cook 3987c2c0d8 cache sysinfo (we use it a lot, it will not change) 2016-07-27 08:49:19 -05:00
Brent Cook 9cb4880747 allow process architecture to be a string (allow more than x86) 2016-07-27 08:49:19 -05:00
William Vu a0c42f5dd2 Add wordpress_url_uploads 2016-07-26 19:10:19 -05:00
wchen-r7 cce1ae6026 Fix #6989, scanner modules printing RHOST in progress messages
Fix #6989
2016-07-25 23:15:59 -05:00
Pearce Barry f7562c09b2
Land #7125, Add timestamping to downloaded files
Fixes MS-1744.
2016-07-25 22:24:53 -05:00
Pearce Barry c35e7fb63f
Land 7124, Remove unwanted <ruby> tag while generating module doc code 2016-07-25 21:11:21 -05:00
William Vu bebff786b7 Add timestamping to downloaded files 2016-07-25 17:18:27 -05:00
wchen-r7 21f5da29d4 Remove unwanted <ruby> tag while generating module doc code 2016-07-25 15:38:59 -05:00
Pearce Barry 1b6bd927d0 Rex::OLE is now rex-ole gem, fixes MS-1712 2016-07-25 14:05:48 -05:00
Rich Whitcroft b1efd4e749 fix VAR=VAL loading from config 2016-07-23 00:26:18 -04:00
James Lee dbbe6a831a
Land #7111, rex-arch gem 2016-07-22 14:55:51 -05:00
Metasploit 4cbb3bb9b6
Bump version of framework to 4.12.16 2016-07-22 10:02:00 -07:00
scriptjunkie bc42ac5761 Fix #7117 by fixing stack offset 2016-07-21 20:48:08 -05:00
wchen-r7 390f69313a Fix grammar in browser_exploit_server 2016-07-21 11:51:10 -05:00
dmohanty-r7 01f08da345
Use rex-arch gem
MS-1703
2016-07-20 16:42:41 -05:00
forzoni b58931f803 Avoid error when generated payload is nil. 2016-07-19 23:43:38 -05:00
James Lee a54945c82c
whitespace 2016-07-19 17:07:17 -05:00
James Lee ff63e6e05a
Land #7018, unvendor net-ssh 2016-07-19 17:06:35 -05:00
forzoni e90e6c4885 Use format check instead of length. 2016-07-19 09:38:09 -05:00
forzoni d6fd2a49d4 Add final filesize, useful when using different formats. 2016-07-19 02:41:37 -05:00
dmohanty-r7 8d8e1f80f5
Land #7102, remove struct2 code in favor of rex-struct2 2016-07-18 11:44:17 -05:00
Metasploit b954b6d5c1
Bump version of framework to 4.12.15 2016-07-18 08:42:20 -07:00
wchen-r7 6d8dd24e41
Land #7104, Update ActiveRecord syntax for framework db cred iteration 2016-07-17 17:57:06 -05:00
wchen-r7 01c5662b61
Land #7100, Change Burp import to allow blank references 2016-07-17 17:35:46 -05:00
Brent Cook 2041870e62 Update ActiveRecord syntax for framework db credential iteration 2016-07-15 22:01:54 -05:00
David Maloney 20d7e9a7a7
remove old struct2 code in favour of gem
use the new rex-struct2 gem and remove the code form it's old location

MS-1782
2016-07-15 16:01:21 -05:00
Metasploit b13d0f879a
Bump version of framework to 4.12.14 2016-07-15 10:03:28 -07:00
Brent Cook b08d1ad8d8
Revert "Land #6812, remove broken OSVDB references"
This reverts commit 2b016e0216, reversing
changes made to 7b1d9596c7.
2016-07-15 12:00:31 -05:00
Brendan 3ed6632f88 Let's actually delete the line.... 2016-07-15 08:47:29 -07:00
Brendan db2850b51c Changed the Burp import to import vulns with blank references 2016-07-14 13:03:24 -07:00
David Maloney b6b52952f4
set ssh to non-interactive
have to set the non-interactive flag so that it does not
prompt the user on an incorrect password

MS-1688
2016-07-14 11:12:03 -05:00
David Maloney 01d0d1702b
Merge branch 'master' into feature/MS-1688/net-ssh-cleanup 2016-07-14 09:48:28 -05:00
caye ed8fec255e
Fixed dir download. Retry when no network even at the download start 2016-07-12 23:05:50 +00:00
William Vu 277950cc79
Land #6733, psexec StackAdjustment fix 2016-07-12 11:14:16 -05:00
Brent Cook 2b016e0216
Land #6812, remove broken OSVDB references 2016-07-11 22:59:11 -05:00
Pearce Barry 7b1d9596c7
Land #7068, Introduce 'mettle' - new POSIX meterpreter 2016-07-11 22:38:40 -05:00
Brent Cook 79fd648bbe don't double-encapsulate regexes on normalize 2016-07-11 22:05:00 -05:00
William Vu 108c3961e2 Make sure GATEWAY_PROBE_PORT is 0
This ensures that dst_port is set for UDPSocket#send.
2016-07-11 12:10:46 -05:00
caye a6e92034bf
Added glob to dir_files.entries search - thanks @OJ 2016-07-11 06:22:28 +00:00
caye 3c2f0e814e
'Continue' and 'tries' wget-like options for meterpreter 'download' 2016-07-10 16:24:36 +00:00
Metasploit 48410f3ab2
Bump version of framework to 4.12.13 2016-07-08 10:01:58 -07:00
James Lee 11685b7c6b
Set the server challenge key 2016-07-07 15:00:42 -05:00
James Lee cfb56211e7
Revert "Revert "Land #7009, egypt's rubyntlm cleanup""
This reverts commit 1164c025a2.
2016-07-07 15:00:41 -05:00
Metasploit 82e092c2df
Bump version of framework to 4.12.12 2016-07-05 14:57:43 -07:00
James Lee 1164c025a2 Revert "Land #7009, egypt's rubyntlm cleanup"
This reverts commit d90f0779f8, reversing
changes made to e3e360cc83.
2016-07-05 15:22:44 -05:00
Brent Cook 049b322ae4 add x86 and x64 stagers for mettle 2016-07-05 11:24:54 -05:00
Adam Cammack 0390ed4d6e Add MIPS O32 Linux support (big and little endian) 2016-07-05 11:24:54 -05:00
Adam Cammack 8de508c4e0 Add mettle module for ARM 2016-07-05 11:24:54 -05:00
Adam Cammack 2f3f655352 Add gem for mettle
This adds the gem for the mettle binaries, which contains reflective
payloads for a variety of Linux architectures (and more OSs in the
future)
2016-07-05 11:24:54 -05:00
William Vu 6e7f07f0f3 Fix off-by-one error in #6954
Props to @egypt for noticing. My bad. :-)
2016-07-05 11:12:12 -05:00
David Maloney 5f9f3259f8
Merge branch 'master' into feature/MS-1688/net-ssh-cleanup 2016-07-05 10:48:38 -05:00
David Maloney 7f341336b2
Land #7067, bcook's rex tools fix
this pr fixes rex requires in the various tools that were
disrupted by the new gemification of rex
2016-07-05 10:34:59 -05:00
David Maloney 85937ab839
require new gems inside rex.rb
have the root rex namespace require the new rex gems
to prevent broken requires when things greedily require all of rex
2016-07-05 10:33:45 -05:00
Metasploit 054ac5ac19
Bump version of framework to 4.12.11 2016-07-05 07:49:37 -07:00
Brendan e29d5b9efe
Land #6954, Fix the available size of payload for exploit/.../payload_inject 2016-07-05 07:38:27 -07:00
Brent Cook 5dc7d4b16e
Land #7043, Fix-up double slash handling with the LURI parameter 2016-07-05 01:21:33 -05:00
Brent Cook 85dfec0cf5 minor whitespace 2016-07-05 01:20:54 -05:00
Brent Cook 58e37931c5
Land #7040, Decrease chance of an error when exiting a interactive shell 2016-07-05 01:15:39 -05:00
OJ ef322ab9aa
Land #7066 - revert #6581 as it causes a regression 2016-07-05 16:05:48 +10:00
Brent Cook 4b77de2174
Land #7030, Ensure 'show options' reflects correct values 2016-07-05 00:48:46 -05:00
Brent Cook b9891aab27
Land #7007, Added JCL header data to mainframe payload module 2016-07-05 00:22:20 -05:00
Brent Cook 9b4028d2d7
Revert #6581, it causes regressions
We need a more clever solution without breaking HttpUnknownRequestResponse.
2016-07-05 00:11:15 -05:00
William Webb 2e97a08954
Land #7046, Pad host field in notes -d command 2016-07-01 10:14:45 -05:00
William Webb 02d40eb576
Land #7044, Pass exploit SRVPORT in BrowserAutopwn2 2016-07-01 09:49:05 -05:00
William Vu 4b01213fb5 Rewrite the logic to be positive
unless is the devil. unless/else doubly so.
2016-07-01 09:15:42 -05:00
William Vu 6e1b6e96a9
Land #7032, rm -rf lib/rex/encoders
Dead code!
2016-06-30 16:32:14 -05:00
William Vu f0cd25dcee
Land #7035, lib/sshkey* swap to gem 2016-06-30 16:25:27 -05:00
William Vu 343f4010bd Prefer newer hash syntax 2016-06-30 15:43:06 -05:00
wchen-r7 dbcdc300e5 Fix #7019, Pad host field in notes -d command
The notes -d command is always expecting a host address, but
fileformat exploits don't have this type of information when the
exploit file is generated, therefore there isn't enough fields
provided for Rex table.

Fix #7019
2016-06-30 15:38:58 -05:00
wchen-r7 118caa13bf Fix #7021, Pass exploit SRVPORT in BrowserAutopwn2
In BrowserAutoPwn2, the mixin forgets to pass the SRVPORT datastore
option to the exploits, so they always use the default 8080. As a
result, if a different SRVPORT is set, BAP2 would be serving the
target machine with bad exploit links.

Fix #7021
2016-06-30 14:20:53 -05:00
HD Moore 23399326c2 Fix up double slashes, tweak syntax 2016-06-30 12:56:29 -05:00
ssyy201506 0a85f1d233 Fix an error when exiting a interactive shell 2016-06-30 16:19:10 +09:00
Pearce Barry 5e39f895cf Fix exception on msf 'db_export' cmd (see #7008)
Users reported (in GitHub issue #7008) hitting an exception when attempting to export the contents of the msf database (i.e. workspaces, hosts, events, etc.) via the 'db_export' command.  After some digging, it appears there were a few ActiveRecord changes with the new Rails upgrade that require a couple mods to the way we are querying.
2016-06-29 16:02:31 -05:00
David Maloney 80563b2c0f
Merge branch 'master' into feature/MS-1700/sshkey-gem 2016-06-29 09:44:57 -05:00
David Maloney a796a1bc63
wierd namespace issues? 2016-06-28 16:13:49 -05:00
David Maloney 2dba09a9ce
unvendor sshkey gem
use the actual maintained gem rather than our vendored
copy

MS-1700
2016-06-28 16:10:48 -05:00
David Maloney dcddd2d671
use the bit-struct gem
removed vendored copy of bit-struct and use the gem
instead

MS-1699
2016-06-28 15:58:47 -05:00
David Maloney 39fa8bf2d4
missing require 2016-06-28 15:40:56 -05:00
David Maloney 3d93c55174
move sshfactory into a mixin method
use a convience method to DRY up creation
of the SSHFactory inside modules. This will make it easier
to apply changes as needed in future. Also changed msframework attr
to just framework as per our normal convention

MS-1688
2016-06-28 15:23:12 -05:00
David Maloney ee2d1d4fdc
Merge branch 'master' into feature/MS-1688/net-ssh-cleanup 2016-06-28 15:00:35 -05:00
David Maloney 356f4fd54d
delete deprecated lib/rex/encoders
this directory is all dead code and has been replaced with
the lib/rex/encoder directory. these files should have been
purge a long time ago for cleanlieness

MS-1692
2016-06-28 14:43:39 -05:00
David Maloney 0a83b34a85
Land #7025, dev's PR for rex-java
lands the pr for moving Rex::Java into it's own gem
2016-06-28 14:40:02 -05:00
David Maloney d90f0779f8
Land #7009, egypt's rubyntlm cleanup
Land egypt's PR to replace all of our NTLM code with
the rubyntlm gem
2016-06-28 14:15:34 -05:00
David Maloney 97f9ca4028
Merge branch 'master' into egypt/ruby-ntlm 2016-06-28 14:14:56 -05:00
Metasploit e3e360cc83
Bump version of framework to 4.12.10 2016-06-28 12:13:26 -07:00
Louis Sato d5d0b9e9b8 Revert "Land #6729, Speed up the datastore"
This reverts commit c6b1955a5a, reversing
changes made to 4fb7472391.
2016-06-28 13:39:52 -05:00
Pearce Barry 0660880332 Ensure 'show options' reflects correct values.
Small fix here to ensure that, even when boolean 'option' variables have a default value of 'true', that their current value is correctly reflected via the 'show options' command.  This change should play fine with all other option variable types, I believe.

Current behavior:

```
msf > use auxiliary/gather/darkcomet_filedownloader
msf auxiliary(darkcomet_filedownloader) > show options

Module options (auxiliary/gather/darkcomet_filedownloader):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   BRUTETIMEOUT  1                no        Timeout (in seconds) for bruteforce attempts
   KEY                            no        DarkComet RC4 key (include DC prefix with key eg. #KCMDDC51#-890password)
   LHOST         0.0.0.0          yes       This is our IP (as it appears to the DarkComet C2 server)
   NEWVERSION    true             no        Set to true if DarkComet version >= 5.1, set to false if version < 5.1
   RHOST         0.0.0.0          yes       The target address
   RPORT         1604             yes       The target port
   STORE_LOOT    true             no        Store file in loot (will simply output file to console if set to false).
   TARGETFILE                     no        Target file to download (assumes password is set)

msf auxiliary(darkcomet_filedownloader) > set STORE_LOOT false
STORE_LOOT => false
msf auxiliary(darkcomet_filedownloader) > get STORE_LOOT
STORE_LOOT => false
msf auxiliary(darkcomet_filedownloader) > set NEW_VERSION false
NEW_VERSION => false
msf auxiliary(darkcomet_filedownloader) > get NEW_VERSION
NEW_VERSION => false
msf auxiliary(darkcomet_filedownloader) > show options

Module options (auxiliary/gather/darkcomet_filedownloader):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   BRUTETIMEOUT  1                no        Timeout (in seconds) for bruteforce attempts
   KEY                            no        DarkComet RC4 key (include DC prefix with key eg. #KCMDDC51#-890password)
   LHOST         0.0.0.0          yes       This is our IP (as it appears to the DarkComet C2 server)
   NEWVERSION    true             no        Set to true if DarkComet version >= 5.1, set to false if version < 5.1
   RHOST         0.0.0.0          yes       The target address
   RPORT         1604             yes       The target port
   STORE_LOOT    true             no        Store file in loot (will simply output file to console if set to false).
   TARGETFILE                     no        Target file to download (assumes password is set)
```

New behavior with this change:

```
msf > use auxiliary/gather/darkcomet_filedownloader
msf auxiliary(darkcomet_filedownloader) > show options

Module options (auxiliary/gather/darkcomet_filedownloader):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   BRUTETIMEOUT  1                no        Timeout (in seconds) for bruteforce attempts
   KEY                            no        DarkComet RC4 key (include DC prefix with key eg. #KCMDDC51#-890password)
   LHOST         0.0.0.0          yes       This is our IP (as it appears to the DarkComet C2 server)
   NEWVERSION    true             no        Set to true if DarkComet version >= 5.1, set to false if version < 5.1
   RHOST         0.0.0.0          yes       The target address
   RPORT         1604             yes       The target port
   STORE_LOOT    true             no        Store file in loot (will simply output file to console if set to false).
   TARGETFILE                     no        Target file to download (assumes password is set)

msf auxiliary(darkcomet_filedownloader) > set STORE_LOOT false
STORE_LOOT => false
msf auxiliary(darkcomet_filedownloader) > get STORE_LOOT
STORE_LOOT => false
msf auxiliary(darkcomet_filedownloader) > set NEWVERSION false
NEWVERSION => false
msf auxiliary(darkcomet_filedownloader) > get NEWVERSION
NEWVERSION => false
msf auxiliary(darkcomet_filedownloader) > show options

Module options (auxiliary/gather/darkcomet_filedownloader):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   BRUTETIMEOUT  1                no        Timeout (in seconds) for bruteforce attempts
   KEY                            no        DarkComet RC4 key (include DC prefix with key eg. #KCMDDC51#-890password)
   LHOST         0.0.0.0          yes       This is our IP (as it appears to the DarkComet C2 server)
   NEWVERSION    false            no        Set to true if DarkComet version >= 5.1, set to false if version < 5.1
   RHOST         0.0.0.0          yes       The target address
   RPORT         1604             yes       The target port
   STORE_LOOT    false            no        Store file in loot (will simply output file to console if set to false).
   TARGETFILE                     no        Target file to download (assumes password is set)
```
2016-06-28 13:12:34 -05:00
dmohanty-r7 c2f3d411c3
Replace rex/java with rex-java gem 2016-06-27 14:52:49 -05:00
Metasploit fd07da3519
Bump version of framework to 4.12.9 2016-06-27 11:54:04 -07:00
James Lee 058115c21f
Land #7015, sdavis' swagger exploit 2016-06-24 16:13:51 -05:00
James Lee 5d4cc7ab40
Add nodejs to list of defaults 2016-06-24 16:06:50 -05:00
David Maloney 5bc513d6cd
get ssh sessions working properly
ssh sessions now working correctly

MD-1688
2016-06-24 12:14:48 -05:00
David Maloney 3e94abe555
put net:ssh::commandstream back
this was apparently our own creation for doing
ssh sessions

MD-1688
2016-06-22 15:02:36 -05:00
David Maloney 6072697126
continued 2016-06-22 14:54:00 -05:00
David Maloney 140621ad9b
start to move to canonical net-ssh
removed vendored net::ssh
pulled in net:ssh gem
made Rex::Socket::SSHFactory clas to bridge rex sockets in
Renamed getpeername to getpeername-as_array to not override
core socket behaviour

MS-1688
2016-06-22 14:52:33 -05:00
James Lee 0126ec61d8
Style 2016-06-22 10:15:23 -05:00
James Lee b3f59ebd19
Whitespace 2016-06-22 10:15:23 -05:00
James Lee 07f7e5e148
Convert non-loginscanner MSSQL to rubyntlm 2016-06-22 10:15:22 -05:00
James Lee 4b3f6c5d29
Use rubyntlm for mssql login scanner 2016-06-22 10:15:22 -05:00
James Lee 039e8f5899
Use rubyntlm for HTTP Negotiate auth 2016-06-22 10:15:22 -05:00
James Lee c2a063c8ae
Start using rubyntlm for ssp auth 2016-06-22 10:15:16 -05:00
David Maloney 1e053c110a
Merge branch 'master' into feature/rex-cleanup/first-gems 2016-06-22 09:20:44 -05:00
Bigendian Smalls 3842753ce4
Added JCL header data to mainframe payload module
Currently any existing and future JCL payload has to have a 'job card'
basically data that defines the job to z/OS.  It has information about
the job's owner, place it will run, output creation, etc.  All JCL
shares the same job card format.  As such, creating a shared payload
method that allows this text to be imported into any JCL payload.
Additionally, that job card is now parameterized, allowing the
exploit/payload user to edit these job card values-as this may be needed
in order to run the job sucessfully on any given system.

This PR sets up the mf module - next PRs will update the existing
payloads to use this module.
2016-06-21 22:06:44 -05:00
David Maloney 69e2d05a5d
rip out old rex code and replace with gems
rex-text, rex-random_identifier, rex-powershell, rex-zip, and rex-registry
are now being pulled in as gems instead of part of the spgehtti code that is lib/rex
2016-06-21 13:56:36 -05:00
OJ bf36b2c58e Fix preamble in bind_php to include php tag+escape 2016-06-21 10:07:42 +10:00
wchen-r7 129b449355 Add Msf::Util::EXE.to_zip
This adds a new method in Msf::Util::EXE to be able to create a
zip file with an array of binary data.
2016-06-20 13:36:59 -05:00
William Webb 98ad2489db
Land #6970, #make_fast_nops for HUGE nop chunks 2016-06-17 12:56:26 -05:00
wchen-r7 c6b1955a5a
Land #6729, Speed up the datastore 2016-06-15 17:55:42 -05:00
thao doan f5bfc84453 Land #6977, Add a more verbose message when generating module documentation 2016-06-15 14:55:55 -07:00
h00die 78775f7833 first attempt at 6964 2016-06-15 07:44:32 -04:00
William Webb 563b8206c5
Land #6962, Apache Continuum Exploit 2016-06-13 16:41:53 -05:00
wchen-r7 337e48dc07 Create #make_fast_nops for huge NOP chunks
This creates a new method called #make_fast_nops for exploits that
actually need large chunks of NOPs.
2016-06-13 15:25:46 -05:00
William Vu f7d261516d
Land #6968, get_uri URIPORT fix (again) 2016-06-13 10:52:29 -05:00
William Vu b7139da624 Clean up whitespace 2016-06-13 10:51:38 -05:00
Trenton Ivey 776dd57803 get_uri missing port fix 2016-06-12 19:27:34 -05:00
h00die 7831cb53c5 print status of opening browser at file 2016-06-11 21:13:31 -04:00
William Vu 5adc360b2a Make opts truly optional 2016-06-10 20:35:40 -05:00
Metasploit fd4a51cadb
Bump version of framework to 4.12.8 2016-06-10 10:01:27 -07:00
wchen-r7 0d7b587b5d Avoid printing rhost:rport from AuthBrute
When AuthBurte is mixed with other modules using the TCP mixin,
rhost:rport is printed twice. This info should come from the
protocol level mixin.
2016-06-08 14:32:58 -05:00
Metasploit 815685992a
Bump version of framework to 4.12.7 2016-06-07 13:14:34 -07:00
Brian Patterson 6d72b5b19f
Land #6946 Fix a bug with OptPort validation when not req 2016-06-07 14:43:10 -05:00
David Maloney 53b989f283
fix normalisation so we don't coerce to 0
don't coerce nil to 0
2016-06-07 14:29:13 -05:00
David Maloney 16030cda30
simpler fix
talking with adam shows that there is a simpler solution
to this problem
2016-06-07 14:13:10 -05:00
David Maloney 9de27e0b9c
add more specific normalise method to otpport
add a normalise method that prevents emtpy string
from being converted to 0 for OptPort avoiding
a bad behaviour
2016-06-07 14:03:34 -05:00
David Maloney 27b5d961fd
fixes a bug with OptPort validation when not req
OptPort lost the check for whether the option was required causing it
to incorrectly return false in certain cases

MS-1633
2016-06-07 13:48:57 -05:00
Louis Sato d3a13f4b0c Merge pull request #6942 from acammack-r7/bug/MS-1517/fix-acunetix-again
Fix Acunetix import with a blacklist
2016-06-05 23:00:48 -05:00
Adam Cammack 08f1e68487
Fix Acunetix import with a blacklist
If a host is blacklisted, we won't create the service for it. If we
don't create the service, we don't want to create entries for the web
pages.

MS-1517
2016-06-03 19:40:29 -05:00
Brent Cook da532ecc5e
Land #6919, Move LURI into a full URI for a new 'Payload opts" column in jobs output 2016-06-03 13:57:47 -05:00
James Barnett e0cf4721c5
Land #6927, Fix exception handling in #exploit_simple 2016-06-02 11:15:25 -05:00
David Maloney ffa4177575
missed a few joins
missed a few joins statements before

MS-1593
2016-06-01 15:32:51 -05:00
David Maloney 2047475901
host tags commands eagerloaded instead of joining
someone tried to fix a rails deprecation warning by doing an
eager load, but caused an actual exception instead. switching to
propper joins makes everything work properly

MS-1593
2016-06-01 13:50:38 -05:00
David Maloney a27d10c200
fixes the exception handling in #exploit_simple
The exception handling in the #exploit_simple method tries to set
error on exploit but exploit is defined within the begin block
causing a noMethodError on nilClass

MS-1608
2016-05-31 11:46:05 -05:00
Metasploit c35322ec3f
Bump version of framework to 4.12.6 2016-05-30 22:34:13 -07:00
wchen-r7 61f9cc360b Correct casing - should be HttpUsername and HttpPassword 2016-05-27 18:31:54 -05:00
wchen-r7 4dcddb2399 Fix #4885, Support basic and form auth at the same time
When a module uses the HttpClient mixin but registers the USERNAME
and PASSWORD datastore options in order to perform a form auth,
it ruins the ability to also perform a basic auth (sometimes it's
possible to see both). To avoid option naming conflicts, basic auth
options are now HTTPUSERNAME and HTTPPASSWORD.

Fix #4885
2016-05-27 16:25:42 -05:00
James Lee f7382f5b3b
Make `jobs` display a full uri
Addresses the problem of LURI taking the place of URIPATH, which has
different semantics.

See #4623
2016-05-27 11:15:12 -05:00
Brendan Watters 00b18c8ac5
Land #6917, Fix minor issues with the RC4 stager 2016-05-26 10:12:54 -05:00
Brent Cook a3d2cba698
Land #6906, Improve msfvenom error handling and spec coverage 2016-05-26 07:58:37 -05:00
Brent Cook 96c459c71d fix #6915, handle nil payloads and alert to the user 2016-05-26 07:22:09 -05:00
Brent Cook 8612eaa553 remove senduuid for now, give RC4PASSWORD a default 2016-05-26 06:34:51 -05:00
Brent Cook c65401026a wip fixup rc4 2016-05-25 06:17:02 -05:00
wchen-r7 05680ab6f3
Land #6887, add a missing postgresql 9.4.1-5 matching case 2016-05-24 22:19:03 -05:00
James Lee 5921ac7b47
Add a spec and fix ReverseHttp#luri 2016-05-24 17:22:14 -05:00
William Vu 3dfdf1d936
Land #6528, tilde expansion and more for OptPath 2016-05-24 16:01:59 -05:00
Jon Hart a23ce05752
File.exists? must cease to exist 2016-05-24 13:53:26 -07:00
wchen-r7 14cb85250e
Land #6912, use the correct variable for cookie expiration in BAP2 2016-05-24 14:19:03 -05:00
wchen-r7 ff4d150449 Show IP for print_* 2016-05-24 14:12:54 -05:00
wchen-r7 b5987e1d51
Land #6907, Fix check command with an IP or IP range 2016-05-24 11:37:56 -05:00
James Lee 9807f9b796
Move Rex::Job into its own file 2016-05-24 11:24:47 -05:00
Metasploit 54f4389d31
Bump version of framework to 4.12.5 2016-05-24 08:54:14 -07:00
Brendan Watters 77a62ff7c0
Land #6905 RC4 Stagers 2016-05-24 09:34:32 -05:00
Brendan Watters 43f79f34a9 Removed superfluous instruction 2016-05-24 09:03:14 -05:00
Brent Cook 3bc020178f use the correct variable for cookie expiration 2016-05-24 07:16:55 -05:00
Brent Cook 76e8e8f6c7 really fix regex 2016-05-23 20:08:38 -05:00
Brent Cook eb26202961 fix regex 2016-05-23 17:33:06 -05:00
Louis Sato d0b87131a9
fixing import of zip workspace
MS-1528
2016-05-23 16:09:22 -05:00
Brent Cook 6af9a093d2 update bool 2016-05-23 15:48:03 -05:00
darkbushido 5e059e0c5b
updating the error message
changing the exception to be a little more specific.
2016-05-23 15:40:32 -05:00
darkbushido d3cdcd5f99
Having the payload generator check the payload size
Payload generator will raise an error if the payload is larger then the size option
2016-05-23 15:17:41 -05:00
Brent Cook fe1b24e666 allow nil assignment to the datastore 2016-05-23 14:56:19 -05:00
Brent Cook f29463f119 include {peer} in the context of the command dispatcher 2016-05-23 14:55:58 -05:00
RageLtMan efc64eaa5f Implement reverse_tcp_rc4_dns payload in metasm
Using the ruby methods for generating assembly blocks defined or
separated in prior commits, create a new payload from the existing
assembly blocks which performs a DNS lookup of the LHOST prior to
establishing a corresponding socket and downloading, and
decrypting the RC4 encrypted payload.

For anyone looking to learn how to build these payloads, these
three commits should provide a healthy primer. Small changes to
the payload structure can yield entropy enough to avoid signature
based detection by in-line or out-of-band static defenses. This
payload was completed in the time between this commit and the last.

Testing:
  Win2k8r2

ToDo:
  Update payload sizes when this branch is "complete"
  Ensure UUIDs and adjacent black magic all work properly
2016-05-23 14:27:11 -05:00
RageLtMan 0e69040a6a Implement reverse_tcp_dns as metasm payload
Using the separation of block_recv and reverse_tcp, implement
reverse_tcp_dns using original shellcode as template with dynamic
injection of parameters. Concatenate the whole thing in the
generation call chain, and compile the resulting shellcode for
delivery.

Metasploit module pruned to bare minimum, with the LHOST OptString
moved into the library component.

Testing:
  Win2k8r2

ToDo:
  Update payload sizes when this branch is "complete"
  Ensure UUIDs and adjacent black magic all work properly

Misc:
  Clean up rc4.rb to use the rc4_keys method when generating a
stage. Makes the implementation far more readable and reduces
redundant code.
2016-05-23 14:27:11 -05:00
RageLtMan df2346d9e0 Implement RC4 metasm payloads for tcp bind and rev
Convert reverse_tcp_rc4 and bind_tcp_rc4 from static shellcode
substitution payloads to metasm compiled assembly approach.

Splits up metasm methods for bind_tcp and reverse_tcp into socket
creation and block_recv to allow for reuse of the socket methods
with the RC4 payloads, while substituting the block_recv methods
for those carrying the appropriate decryptor stubs.

Creates a new rc4 module carrying the bulk of the decryptor and
adjacent convenince methods for standard payload generation.

Testing:
 Tested against Win2k8r2, Win7x64, and WinXPx86

ToDo:
 Ensure all the methods around payload sizing, UUIDs, and other
new functionality, the semantics of which i do not yet fully
understand, are appropriate and do not introduce breakage.
2016-05-23 14:27:11 -05:00
Brent Cook 9fc07eeb99
Land #6902, Respect SSLCipher in server mixins 2016-05-20 17:34:38 -05:00
Adam Cammack fda4c62c1f
Respect SSLCipher in server mixins
This allows us to set a sane cipher spec for SSL-enabled server modules.
2016-05-20 16:59:36 -05:00
Metasploit 100300c819
Bump version of framework to 4.12.4 2016-05-18 07:04:09 -07:00
Brent Cook 6a4a9742e8 handle bad user 2016-05-17 17:24:46 -05:00
Brent Cook c6db5bf34a add a missing postgresql 9.4.1-5 matching case 2016-05-17 17:12:47 -05:00
Jenkins c9dd863085
Bump version of framework to 4.12.3 2016-05-17 10:18:08 -07:00
Jon Hart 8bccfef571
Fix merge conflict 2016-05-16 17:29:45 -07:00
wchen-r7 04d70640b1
Land #6868, Add axis2 payload generator for msfvenom 2016-05-16 17:48:50 -05:00
David Maloney c40b8ea3fb
Land #6864, Meterp Suspend 2016-05-16 11:13:43 -05:00
Jenkins 621a908b2d
Bump version of framework to 4.12.2 2016-05-13 12:51:58 -07:00
David Maloney ba4bfca806 Revert "arg bad build, resetting version back one"
This reverts commit d86392e96b.
2016-05-13 14:48:35 -05:00
David Maloney d86392e96b
arg bad build, resetting version back one 2016-05-13 14:44:02 -05:00
Jenkins b6a83f734d
Bump version of framework to 4.12.1 2016-05-13 12:39:43 -07:00
David Maloney 31050a8da7
Rails upgrade to 4.2.6
lands all of the rails 4.2 upgrade work
Merge branch 'staging/rails-upgrade'
2016-05-13 14:34:50 -05:00
Jenkins 6c11054d5a
Bump version of framework to 4.12.0 2016-05-13 11:46:03 -07:00
Christian Mehlmauer 7fcddd5a05
Add axis2 payload generator 2016-05-12 22:48:07 +02:00
David Maloney d9abb06a5a
Merge branch 'master' into staging/rails-upgrade 2016-05-12 11:18:51 -05:00
David Maloney 7edaa2abcc
still trying to fix these migrations
seeing odd behaviour with mgirations in
rspec
2016-05-11 14:54:40 -05:00
David Maloney 2fb3123ef2
fix migration crazieness
MS-1486
2016-05-11 14:05:34 -05:00
David Maloney 993709e076
Land #6862, jar payloads
lands FireFarts jar payload pr
2016-05-11 09:56:41 -05:00
Brent Cook af84e85174 fix exception suspending channels from meterpreter 2016-05-10 04:21:31 -05:00
Christian Mehlmauer e2dd844e34
reenable jar format 2016-05-09 21:25:23 +02:00
David Maloney 6142d2cef1
Merge branch 'master' into staging/rails-upgrade 2016-05-09 09:27:17 -05:00
Brent Cook 7b1148c438 disambiguate NetBSD/OpenBSD 2016-05-09 05:11:47 -05:00
Brent Cook 71a674434a Solaris 11 2016-05-09 05:11:09 -05:00
Brent Cook bbe35ac21a match solaris uname 2016-05-09 05:06:59 -05:00
Brent Cook 1a97042a0d include running CPU architecture in platform string 2016-05-09 05:06:37 -05:00
Brent Cook f466464e80 set a recommended number of threads per session type 2016-05-08 22:39:41 -05:00
Brent Cook 9268f66540 auto-set the meterpreter platform based on the sysinfo os 2016-05-08 22:39:41 -05:00
Jenkins 805f98f599
Bump version of framework to 4.11.27 2016-05-06 11:32:46 -07:00
David Maloney 1ffab935cc
pull dep mgirations from credential
credential pulls mdm, so we don't combine these
2016-05-06 11:57:40 -05:00
David Maloney a763863ff3
remove #truncate_session_desc
this method was absed around a char limit
for the desc column which no longer exists
trying to perform this operation generates an error
removing the method since it is not needed
2016-05-06 09:36:12 -05:00
Adam Cammack f75009a9c6
Don't duplicate headers when sending emails
If Date: and Subject: are present, we should not try to add them again.
This made Amazon SES puke, and that made us sad :(.

MS-1476
2016-05-05 10:47:21 -05:00
David Maloney 19af279ce9
Merge branch 'master' into staging/rails-upgrade 2016-05-05 10:46:12 -05:00
dmohanty-r7 f096c3bb99
Land #6821 Fix send_request_cgi! redirection 2016-05-05 09:09:30 -05:00
David Maloney 55b38ad089
Land #6398, content length header
lands wei's content length header pr
2016-05-04 11:53:46 -05:00
Jenkins e7ff4665e1
Bump version of framework to 4.11.26 2016-05-04 09:44:18 -07:00
Rob Fuller 4c9eba333e
Land #6753, MSF-side support for reverse port forwards
Huge thanks to @OJ for making this happen.
Tested targets Win7,10,2008,2012
Tested payloads Win32 native, Win64 native, python
2016-05-04 07:39:05 -04:00
Jenkins 7490ab1c78
Bump version of framework to 4.11.25 2016-05-03 17:09:07 -07:00
OJ 60f81a69ea Remove the pfservice close call on shutdown 2016-05-03 12:03:37 +10:00
OJ d136844d3b Add error handling around double-bind of ports 2016-05-03 10:42:41 +10:00
wchen-r7 ffc91a193c Fix #6841, info -d [module path] not spawning module documentation
Fix #6841
2016-05-02 14:23:29 -05:00
Brian Patterson be363411de
Land #6317, Add delay(with jitter) option to auxiliary scanner and portscan modules 2016-05-02 13:09:40 -05:00
David Maloney fb5b228984
Merge branch 'master' into staging/rails-upgrade 2016-05-02 11:33:35 -05:00
dmaloney-r7 3b893cf740 Merge pull request #6581 from bcook-r7/uuidretry
don't send a response on invalid UUID, allow stagers to survive another day
2016-05-02 11:23:02 -05:00
Jenkins d4f1c78c5c
Bump version of framework to 4.11.24 2016-04-29 13:38:06 -07:00
dmohanty-r7 20ec56d06a Do not parse empty web_sites
MS-255
2016-04-28 13:17:03 -05:00
dmohanty-r7 5a4e70fdf0 Fixes indentation in check_msf_xml_version!
MS-255
2016-04-28 13:17:02 -05:00
dmohanty-r7 f4f607d815 Correct comments to use Nokogiri::XML::Element
MS-255
2016-04-28 13:17:02 -05:00
dmohanty-r7 56fd5a745e Do not parse element if empty
MS-255
2016-04-28 13:17:02 -05:00
dmohanty-r7 050061762b Fix db_manager rspec tests
MS-255
2016-04-28 13:17:02 -05:00
dmohanty-r7 0e568674d7 Add comments on parse functions
MS-255
2016-04-28 13:17:01 -05:00
dmohanty-r7 0759848ad5 Use Nokogiri Reader in zip import
MS-255
2016-04-28 13:17:01 -05:00
dmohanty-r7 83ff60c111 Force encoding on import xml
MS-255
2016-04-28 13:17:01 -05:00
dmohanty-r7 e4fcaefc8c Unpack and pack an unsigned integer per 8 bytes
MS-255
2016-04-28 13:17:01 -05:00
dmohanty-r7 e6a8d69b0b Force encoding of XML import
MS-255
2016-04-28 13:17:00 -05:00
dmohanty-r7 f1d8e1d693 Parse web_data in xml import
MS-255
2016-04-28 13:17:00 -05:00
dmohanty-r7 802dfabbe3 Converts XML importer to use Nokogiri Reader
MS-255
2016-04-28 13:17:00 -05:00
wchen-r7 d4b89edf9c Fix #6398, Missing Content-Length header in HTTP POST
RFC-7230 states that a Content-Length header is normally sent in
a POST request even when the value (length) is 0, indicating an
empty payload body. Rex HTTP client failed to follow this spec,
and caused some modules to fail (such as winrm_login).

Fix #6398
2016-04-28 11:44:10 -05:00
OJ c15a2e8787
Merge branch 'upstream/master' into reverse-port-forward
Signed-off-by: OJ <oj@buffered.io>
2016-04-26 09:48:40 +10:00
wchen-r7 47d52a250e Fix #6806 and #6820 - Fix send_request_cgi! redirection
This patch fixes two problems:

1. 6820 - If the HTTP server returns a relative path
   (example: /test), there is no host to extract, therefore the HOST
   header in the HTTP request ends up being empty. When the web
   server sees this, it might return an HTTP 400 Bad Request, and
   the redirection fails.

2. 6806 - If the HTTP server returns a relative path that begins
   with a dot, send_request_cgi! will literally send that in the
   GET request. Since that isn't a valid GET request path format,
   the redirection fails.

Fix #6806
Fix #6820
2016-04-25 14:30:46 -05:00
wchen-r7 4676d70918 rm osvdb condition 2016-04-24 18:36:33 -05:00
Adam Cammack f28d280199
Land #6814, move stdapi to exist? 2016-04-24 13:41:11 -04:00
Brent Cook 12a47b7fab prefer && 2016-04-24 11:56:32 -04:00
Brent Cook 194a84c793 Modify stdapi so it also uses exist? over exists? for ruby parity
Also add an alias for backward compatibility.
2016-04-23 17:31:22 -04:00
wchen-r7 816bc91e45 Resolve #6807, remove all OSVDB references.
OSVDB is no longer a vulnerability database, therefore all the
references linked to it are invalid.

Resolve #6807
2016-04-23 12:32:34 -05:00
Brent Cook 45961f75d4 Fix the payload size updater for MetasploitModule 2016-04-23 11:38:42 -04:00
William Vu 9713124e54
Land #6802, resolve command for Meterpreter 2016-04-22 17:18:31 -05:00