Commit Graph

12472 Commits (917b45664b59a5f3438185710ea5caad4f7d2075)

Author SHA1 Message Date
caye ed8fec255e
Fixed dir download. Retry when no network even at the download start 2016-07-12 23:05:50 +00:00
William Vu 277950cc79
Land #6733, psexec StackAdjustment fix 2016-07-12 11:14:16 -05:00
Brent Cook 2b016e0216
Land #6812, remove broken OSVDB references 2016-07-11 22:59:11 -05:00
Pearce Barry 7b1d9596c7
Land #7068, Introduce 'mettle' - new POSIX meterpreter 2016-07-11 22:38:40 -05:00
Brent Cook 79fd648bbe don't double-encapsulate regexes on normalize 2016-07-11 22:05:00 -05:00
William Vu 108c3961e2 Make sure GATEWAY_PROBE_PORT is 0
This ensures that dst_port is set for UDPSocket#send.
2016-07-11 12:10:46 -05:00
caye a6e92034bf
Added glob to dir_files.entries search - thanks @OJ 2016-07-11 06:22:28 +00:00
caye 3c2f0e814e
'Continue' and 'tries' wget-like options for meterpreter 'download' 2016-07-10 16:24:36 +00:00
Metasploit 48410f3ab2
Bump version of framework to 4.12.13 2016-07-08 10:01:58 -07:00
James Lee 11685b7c6b
Set the server challenge key 2016-07-07 15:00:42 -05:00
James Lee cfb56211e7
Revert "Revert "Land #7009, egypt's rubyntlm cleanup""
This reverts commit 1164c025a2.
2016-07-07 15:00:41 -05:00
Metasploit 82e092c2df
Bump version of framework to 4.12.12 2016-07-05 14:57:43 -07:00
James Lee 1164c025a2 Revert "Land #7009, egypt's rubyntlm cleanup"
This reverts commit d90f0779f8, reversing
changes made to e3e360cc83.
2016-07-05 15:22:44 -05:00
Brent Cook 049b322ae4 add x86 and x64 stagers for mettle 2016-07-05 11:24:54 -05:00
Adam Cammack 0390ed4d6e Add MIPS O32 Linux support (big and little endian) 2016-07-05 11:24:54 -05:00
Adam Cammack 8de508c4e0 Add mettle module for ARM 2016-07-05 11:24:54 -05:00
Adam Cammack 2f3f655352 Add gem for mettle
This adds the gem for the mettle binaries, which contains reflective
payloads for a variety of Linux architectures (and more OSs in the
future)
2016-07-05 11:24:54 -05:00
William Vu 6e7f07f0f3 Fix off-by-one error in #6954
Props to @egypt for noticing. My bad. :-)
2016-07-05 11:12:12 -05:00
David Maloney 5f9f3259f8
Merge branch 'master' into feature/MS-1688/net-ssh-cleanup 2016-07-05 10:48:38 -05:00
David Maloney 7f341336b2
Land #7067, bcook's rex tools fix
this pr fixes rex requires in the various tools that were
disrupted by the new gemification of rex
2016-07-05 10:34:59 -05:00
David Maloney 85937ab839
require new gems inside rex.rb
have the root rex namespace require the new rex gems
to prevent broken requires when things greedily require all of rex
2016-07-05 10:33:45 -05:00
Metasploit 054ac5ac19
Bump version of framework to 4.12.11 2016-07-05 07:49:37 -07:00
Brendan e29d5b9efe
Land #6954, Fix the available size of payload for exploit/.../payload_inject 2016-07-05 07:38:27 -07:00
Brent Cook 5dc7d4b16e
Land #7043, Fix-up double slash handling with the LURI parameter 2016-07-05 01:21:33 -05:00
Brent Cook 85dfec0cf5 minor whitespace 2016-07-05 01:20:54 -05:00
Brent Cook 58e37931c5
Land #7040, Decrease chance of an error when exiting a interactive shell 2016-07-05 01:15:39 -05:00
OJ ef322ab9aa
Land #7066 - revert #6581 as it causes a regression 2016-07-05 16:05:48 +10:00
Brent Cook 4b77de2174
Land #7030, Ensure 'show options' reflects correct values 2016-07-05 00:48:46 -05:00
Brent Cook b9891aab27
Land #7007, Added JCL header data to mainframe payload module 2016-07-05 00:22:20 -05:00
Brent Cook 9b4028d2d7
Revert #6581, it causes regressions
We need a more clever solution without breaking HttpUnknownRequestResponse.
2016-07-05 00:11:15 -05:00
William Webb 2e97a08954
Land #7046, Pad host field in notes -d command 2016-07-01 10:14:45 -05:00
William Webb 02d40eb576
Land #7044, Pass exploit SRVPORT in BrowserAutopwn2 2016-07-01 09:49:05 -05:00
William Vu 4b01213fb5 Rewrite the logic to be positive
unless is the devil. unless/else doubly so.
2016-07-01 09:15:42 -05:00
William Vu 6e1b6e96a9
Land #7032, rm -rf lib/rex/encoders
Dead code!
2016-06-30 16:32:14 -05:00
William Vu f0cd25dcee
Land #7035, lib/sshkey* swap to gem 2016-06-30 16:25:27 -05:00
William Vu 343f4010bd Prefer newer hash syntax 2016-06-30 15:43:06 -05:00
wchen-r7 dbcdc300e5 Fix #7019, Pad host field in notes -d command
The notes -d command is always expecting a host address, but
fileformat exploits don't have this type of information when the
exploit file is generated, therefore there isn't enough fields
provided for Rex table.

Fix #7019
2016-06-30 15:38:58 -05:00
wchen-r7 118caa13bf Fix #7021, Pass exploit SRVPORT in BrowserAutopwn2
In BrowserAutoPwn2, the mixin forgets to pass the SRVPORT datastore
option to the exploits, so they always use the default 8080. As a
result, if a different SRVPORT is set, BAP2 would be serving the
target machine with bad exploit links.

Fix #7021
2016-06-30 14:20:53 -05:00
HD Moore 23399326c2 Fix up double slashes, tweak syntax 2016-06-30 12:56:29 -05:00
ssyy201506 0a85f1d233 Fix an error when exiting a interactive shell 2016-06-30 16:19:10 +09:00
Pearce Barry 5e39f895cf Fix exception on msf 'db_export' cmd (see #7008)
Users reported (in GitHub issue #7008) hitting an exception when attempting to export the contents of the msf database (i.e. workspaces, hosts, events, etc.) via the 'db_export' command.  After some digging, it appears there were a few ActiveRecord changes with the new Rails upgrade that require a couple mods to the way we are querying.
2016-06-29 16:02:31 -05:00
David Maloney 80563b2c0f
Merge branch 'master' into feature/MS-1700/sshkey-gem 2016-06-29 09:44:57 -05:00
David Maloney a796a1bc63
wierd namespace issues? 2016-06-28 16:13:49 -05:00
David Maloney 2dba09a9ce
unvendor sshkey gem
use the actual maintained gem rather than our vendored
copy

MS-1700
2016-06-28 16:10:48 -05:00
David Maloney dcddd2d671
use the bit-struct gem
removed vendored copy of bit-struct and use the gem
instead

MS-1699
2016-06-28 15:58:47 -05:00
David Maloney 39fa8bf2d4
missing require 2016-06-28 15:40:56 -05:00
David Maloney 3d93c55174
move sshfactory into a mixin method
use a convience method to DRY up creation
of the SSHFactory inside modules. This will make it easier
to apply changes as needed in future. Also changed msframework attr
to just framework as per our normal convention

MS-1688
2016-06-28 15:23:12 -05:00
David Maloney ee2d1d4fdc
Merge branch 'master' into feature/MS-1688/net-ssh-cleanup 2016-06-28 15:00:35 -05:00
David Maloney 356f4fd54d
delete deprecated lib/rex/encoders
this directory is all dead code and has been replaced with
the lib/rex/encoder directory. these files should have been
purge a long time ago for cleanlieness

MS-1692
2016-06-28 14:43:39 -05:00
David Maloney 0a83b34a85
Land #7025, dev's PR for rex-java
lands the pr for moving Rex::Java into it's own gem
2016-06-28 14:40:02 -05:00
David Maloney d90f0779f8
Land #7009, egypt's rubyntlm cleanup
Land egypt's PR to replace all of our NTLM code with
the rubyntlm gem
2016-06-28 14:15:34 -05:00
David Maloney 97f9ca4028
Merge branch 'master' into egypt/ruby-ntlm 2016-06-28 14:14:56 -05:00
Metasploit e3e360cc83
Bump version of framework to 4.12.10 2016-06-28 12:13:26 -07:00
Louis Sato d5d0b9e9b8 Revert "Land #6729, Speed up the datastore"
This reverts commit c6b1955a5a, reversing
changes made to 4fb7472391.
2016-06-28 13:39:52 -05:00
Pearce Barry 0660880332 Ensure 'show options' reflects correct values.
Small fix here to ensure that, even when boolean 'option' variables have a default value of 'true', that their current value is correctly reflected via the 'show options' command.  This change should play fine with all other option variable types, I believe.

Current behavior:

```
msf > use auxiliary/gather/darkcomet_filedownloader
msf auxiliary(darkcomet_filedownloader) > show options

Module options (auxiliary/gather/darkcomet_filedownloader):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   BRUTETIMEOUT  1                no        Timeout (in seconds) for bruteforce attempts
   KEY                            no        DarkComet RC4 key (include DC prefix with key eg. #KCMDDC51#-890password)
   LHOST         0.0.0.0          yes       This is our IP (as it appears to the DarkComet C2 server)
   NEWVERSION    true             no        Set to true if DarkComet version >= 5.1, set to false if version < 5.1
   RHOST         0.0.0.0          yes       The target address
   RPORT         1604             yes       The target port
   STORE_LOOT    true             no        Store file in loot (will simply output file to console if set to false).
   TARGETFILE                     no        Target file to download (assumes password is set)

msf auxiliary(darkcomet_filedownloader) > set STORE_LOOT false
STORE_LOOT => false
msf auxiliary(darkcomet_filedownloader) > get STORE_LOOT
STORE_LOOT => false
msf auxiliary(darkcomet_filedownloader) > set NEW_VERSION false
NEW_VERSION => false
msf auxiliary(darkcomet_filedownloader) > get NEW_VERSION
NEW_VERSION => false
msf auxiliary(darkcomet_filedownloader) > show options

Module options (auxiliary/gather/darkcomet_filedownloader):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   BRUTETIMEOUT  1                no        Timeout (in seconds) for bruteforce attempts
   KEY                            no        DarkComet RC4 key (include DC prefix with key eg. #KCMDDC51#-890password)
   LHOST         0.0.0.0          yes       This is our IP (as it appears to the DarkComet C2 server)
   NEWVERSION    true             no        Set to true if DarkComet version >= 5.1, set to false if version < 5.1
   RHOST         0.0.0.0          yes       The target address
   RPORT         1604             yes       The target port
   STORE_LOOT    true             no        Store file in loot (will simply output file to console if set to false).
   TARGETFILE                     no        Target file to download (assumes password is set)
```

New behavior with this change:

```
msf > use auxiliary/gather/darkcomet_filedownloader
msf auxiliary(darkcomet_filedownloader) > show options

Module options (auxiliary/gather/darkcomet_filedownloader):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   BRUTETIMEOUT  1                no        Timeout (in seconds) for bruteforce attempts
   KEY                            no        DarkComet RC4 key (include DC prefix with key eg. #KCMDDC51#-890password)
   LHOST         0.0.0.0          yes       This is our IP (as it appears to the DarkComet C2 server)
   NEWVERSION    true             no        Set to true if DarkComet version >= 5.1, set to false if version < 5.1
   RHOST         0.0.0.0          yes       The target address
   RPORT         1604             yes       The target port
   STORE_LOOT    true             no        Store file in loot (will simply output file to console if set to false).
   TARGETFILE                     no        Target file to download (assumes password is set)

msf auxiliary(darkcomet_filedownloader) > set STORE_LOOT false
STORE_LOOT => false
msf auxiliary(darkcomet_filedownloader) > get STORE_LOOT
STORE_LOOT => false
msf auxiliary(darkcomet_filedownloader) > set NEWVERSION false
NEWVERSION => false
msf auxiliary(darkcomet_filedownloader) > get NEWVERSION
NEWVERSION => false
msf auxiliary(darkcomet_filedownloader) > show options

Module options (auxiliary/gather/darkcomet_filedownloader):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   BRUTETIMEOUT  1                no        Timeout (in seconds) for bruteforce attempts
   KEY                            no        DarkComet RC4 key (include DC prefix with key eg. #KCMDDC51#-890password)
   LHOST         0.0.0.0          yes       This is our IP (as it appears to the DarkComet C2 server)
   NEWVERSION    false            no        Set to true if DarkComet version >= 5.1, set to false if version < 5.1
   RHOST         0.0.0.0          yes       The target address
   RPORT         1604             yes       The target port
   STORE_LOOT    false            no        Store file in loot (will simply output file to console if set to false).
   TARGETFILE                     no        Target file to download (assumes password is set)
```
2016-06-28 13:12:34 -05:00
dmohanty-r7 c2f3d411c3
Replace rex/java with rex-java gem 2016-06-27 14:52:49 -05:00
Metasploit fd07da3519
Bump version of framework to 4.12.9 2016-06-27 11:54:04 -07:00
James Lee 058115c21f
Land #7015, sdavis' swagger exploit 2016-06-24 16:13:51 -05:00
James Lee 5d4cc7ab40
Add nodejs to list of defaults 2016-06-24 16:06:50 -05:00
David Maloney 5bc513d6cd
get ssh sessions working properly
ssh sessions now working correctly

MD-1688
2016-06-24 12:14:48 -05:00
David Maloney 3e94abe555
put net:ssh::commandstream back
this was apparently our own creation for doing
ssh sessions

MD-1688
2016-06-22 15:02:36 -05:00
David Maloney 6072697126
continued 2016-06-22 14:54:00 -05:00
David Maloney 140621ad9b
start to move to canonical net-ssh
removed vendored net::ssh
pulled in net:ssh gem
made Rex::Socket::SSHFactory clas to bridge rex sockets in
Renamed getpeername to getpeername-as_array to not override
core socket behaviour

MS-1688
2016-06-22 14:52:33 -05:00
James Lee 0126ec61d8
Style 2016-06-22 10:15:23 -05:00
James Lee b3f59ebd19
Whitespace 2016-06-22 10:15:23 -05:00
James Lee 07f7e5e148
Convert non-loginscanner MSSQL to rubyntlm 2016-06-22 10:15:22 -05:00
James Lee 4b3f6c5d29
Use rubyntlm for mssql login scanner 2016-06-22 10:15:22 -05:00
James Lee 039e8f5899
Use rubyntlm for HTTP Negotiate auth 2016-06-22 10:15:22 -05:00
James Lee c2a063c8ae
Start using rubyntlm for ssp auth 2016-06-22 10:15:16 -05:00
David Maloney 1e053c110a
Merge branch 'master' into feature/rex-cleanup/first-gems 2016-06-22 09:20:44 -05:00
Bigendian Smalls 3842753ce4
Added JCL header data to mainframe payload module
Currently any existing and future JCL payload has to have a 'job card'
basically data that defines the job to z/OS.  It has information about
the job's owner, place it will run, output creation, etc.  All JCL
shares the same job card format.  As such, creating a shared payload
method that allows this text to be imported into any JCL payload.
Additionally, that job card is now parameterized, allowing the
exploit/payload user to edit these job card values-as this may be needed
in order to run the job sucessfully on any given system.

This PR sets up the mf module - next PRs will update the existing
payloads to use this module.
2016-06-21 22:06:44 -05:00
David Maloney 69e2d05a5d
rip out old rex code and replace with gems
rex-text, rex-random_identifier, rex-powershell, rex-zip, and rex-registry
are now being pulled in as gems instead of part of the spgehtti code that is lib/rex
2016-06-21 13:56:36 -05:00
OJ bf36b2c58e Fix preamble in bind_php to include php tag+escape 2016-06-21 10:07:42 +10:00
wchen-r7 129b449355 Add Msf::Util::EXE.to_zip
This adds a new method in Msf::Util::EXE to be able to create a
zip file with an array of binary data.
2016-06-20 13:36:59 -05:00
William Webb 98ad2489db
Land #6970, #make_fast_nops for HUGE nop chunks 2016-06-17 12:56:26 -05:00
wchen-r7 c6b1955a5a
Land #6729, Speed up the datastore 2016-06-15 17:55:42 -05:00
thao doan f5bfc84453 Land #6977, Add a more verbose message when generating module documentation 2016-06-15 14:55:55 -07:00
h00die 78775f7833 first attempt at 6964 2016-06-15 07:44:32 -04:00
William Webb 563b8206c5
Land #6962, Apache Continuum Exploit 2016-06-13 16:41:53 -05:00
wchen-r7 337e48dc07 Create #make_fast_nops for huge NOP chunks
This creates a new method called #make_fast_nops for exploits that
actually need large chunks of NOPs.
2016-06-13 15:25:46 -05:00
William Vu f7d261516d
Land #6968, get_uri URIPORT fix (again) 2016-06-13 10:52:29 -05:00
William Vu b7139da624 Clean up whitespace 2016-06-13 10:51:38 -05:00
Trenton Ivey 776dd57803 get_uri missing port fix 2016-06-12 19:27:34 -05:00
h00die 7831cb53c5 print status of opening browser at file 2016-06-11 21:13:31 -04:00
William Vu 5adc360b2a Make opts truly optional 2016-06-10 20:35:40 -05:00
Metasploit fd4a51cadb
Bump version of framework to 4.12.8 2016-06-10 10:01:27 -07:00
wchen-r7 0d7b587b5d Avoid printing rhost:rport from AuthBrute
When AuthBurte is mixed with other modules using the TCP mixin,
rhost:rport is printed twice. This info should come from the
protocol level mixin.
2016-06-08 14:32:58 -05:00
Metasploit 815685992a
Bump version of framework to 4.12.7 2016-06-07 13:14:34 -07:00
Brian Patterson 6d72b5b19f
Land #6946 Fix a bug with OptPort validation when not req 2016-06-07 14:43:10 -05:00
David Maloney 53b989f283
fix normalisation so we don't coerce to 0
don't coerce nil to 0
2016-06-07 14:29:13 -05:00
David Maloney 16030cda30
simpler fix
talking with adam shows that there is a simpler solution
to this problem
2016-06-07 14:13:10 -05:00
David Maloney 9de27e0b9c
add more specific normalise method to otpport
add a normalise method that prevents emtpy string
from being converted to 0 for OptPort avoiding
a bad behaviour
2016-06-07 14:03:34 -05:00
David Maloney 27b5d961fd
fixes a bug with OptPort validation when not req
OptPort lost the check for whether the option was required causing it
to incorrectly return false in certain cases

MS-1633
2016-06-07 13:48:57 -05:00
Louis Sato d3a13f4b0c Merge pull request #6942 from acammack-r7/bug/MS-1517/fix-acunetix-again
Fix Acunetix import with a blacklist
2016-06-05 23:00:48 -05:00
Adam Cammack 08f1e68487
Fix Acunetix import with a blacklist
If a host is blacklisted, we won't create the service for it. If we
don't create the service, we don't want to create entries for the web
pages.

MS-1517
2016-06-03 19:40:29 -05:00
Brent Cook da532ecc5e
Land #6919, Move LURI into a full URI for a new 'Payload opts" column in jobs output 2016-06-03 13:57:47 -05:00
James Barnett e0cf4721c5
Land #6927, Fix exception handling in #exploit_simple 2016-06-02 11:15:25 -05:00
David Maloney ffa4177575
missed a few joins
missed a few joins statements before

MS-1593
2016-06-01 15:32:51 -05:00
David Maloney 2047475901
host tags commands eagerloaded instead of joining
someone tried to fix a rails deprecation warning by doing an
eager load, but caused an actual exception instead. switching to
propper joins makes everything work properly

MS-1593
2016-06-01 13:50:38 -05:00
David Maloney a27d10c200
fixes the exception handling in #exploit_simple
The exception handling in the #exploit_simple method tries to set
error on exploit but exploit is defined within the begin block
causing a noMethodError on nilClass

MS-1608
2016-05-31 11:46:05 -05:00
Metasploit c35322ec3f
Bump version of framework to 4.12.6 2016-05-30 22:34:13 -07:00
wchen-r7 61f9cc360b Correct casing - should be HttpUsername and HttpPassword 2016-05-27 18:31:54 -05:00
wchen-r7 4dcddb2399 Fix #4885, Support basic and form auth at the same time
When a module uses the HttpClient mixin but registers the USERNAME
and PASSWORD datastore options in order to perform a form auth,
it ruins the ability to also perform a basic auth (sometimes it's
possible to see both). To avoid option naming conflicts, basic auth
options are now HTTPUSERNAME and HTTPPASSWORD.

Fix #4885
2016-05-27 16:25:42 -05:00
James Lee f7382f5b3b
Make `jobs` display a full uri
Addresses the problem of LURI taking the place of URIPATH, which has
different semantics.

See #4623
2016-05-27 11:15:12 -05:00
Brendan Watters 00b18c8ac5
Land #6917, Fix minor issues with the RC4 stager 2016-05-26 10:12:54 -05:00
Brent Cook a3d2cba698
Land #6906, Improve msfvenom error handling and spec coverage 2016-05-26 07:58:37 -05:00
Brent Cook 96c459c71d fix #6915, handle nil payloads and alert to the user 2016-05-26 07:22:09 -05:00
Brent Cook 8612eaa553 remove senduuid for now, give RC4PASSWORD a default 2016-05-26 06:34:51 -05:00
Brent Cook c65401026a wip fixup rc4 2016-05-25 06:17:02 -05:00
wchen-r7 05680ab6f3
Land #6887, add a missing postgresql 9.4.1-5 matching case 2016-05-24 22:19:03 -05:00
James Lee 5921ac7b47
Add a spec and fix ReverseHttp#luri 2016-05-24 17:22:14 -05:00
William Vu 3dfdf1d936
Land #6528, tilde expansion and more for OptPath 2016-05-24 16:01:59 -05:00
Jon Hart a23ce05752
File.exists? must cease to exist 2016-05-24 13:53:26 -07:00
wchen-r7 14cb85250e
Land #6912, use the correct variable for cookie expiration in BAP2 2016-05-24 14:19:03 -05:00
wchen-r7 ff4d150449 Show IP for print_* 2016-05-24 14:12:54 -05:00
wchen-r7 b5987e1d51
Land #6907, Fix check command with an IP or IP range 2016-05-24 11:37:56 -05:00
James Lee 9807f9b796
Move Rex::Job into its own file 2016-05-24 11:24:47 -05:00
Metasploit 54f4389d31
Bump version of framework to 4.12.5 2016-05-24 08:54:14 -07:00
Brendan Watters 77a62ff7c0
Land #6905 RC4 Stagers 2016-05-24 09:34:32 -05:00
Brendan Watters 43f79f34a9 Removed superfluous instruction 2016-05-24 09:03:14 -05:00
Brent Cook 3bc020178f use the correct variable for cookie expiration 2016-05-24 07:16:55 -05:00
Brent Cook 76e8e8f6c7 really fix regex 2016-05-23 20:08:38 -05:00
Brent Cook eb26202961 fix regex 2016-05-23 17:33:06 -05:00
Louis Sato d0b87131a9
fixing import of zip workspace
MS-1528
2016-05-23 16:09:22 -05:00
Brent Cook 6af9a093d2 update bool 2016-05-23 15:48:03 -05:00
darkbushido 5e059e0c5b
updating the error message
changing the exception to be a little more specific.
2016-05-23 15:40:32 -05:00
darkbushido d3cdcd5f99
Having the payload generator check the payload size
Payload generator will raise an error if the payload is larger then the size option
2016-05-23 15:17:41 -05:00
Brent Cook fe1b24e666 allow nil assignment to the datastore 2016-05-23 14:56:19 -05:00
Brent Cook f29463f119 include {peer} in the context of the command dispatcher 2016-05-23 14:55:58 -05:00
RageLtMan efc64eaa5f Implement reverse_tcp_rc4_dns payload in metasm
Using the ruby methods for generating assembly blocks defined or
separated in prior commits, create a new payload from the existing
assembly blocks which performs a DNS lookup of the LHOST prior to
establishing a corresponding socket and downloading, and
decrypting the RC4 encrypted payload.

For anyone looking to learn how to build these payloads, these
three commits should provide a healthy primer. Small changes to
the payload structure can yield entropy enough to avoid signature
based detection by in-line or out-of-band static defenses. This
payload was completed in the time between this commit and the last.

Testing:
  Win2k8r2

ToDo:
  Update payload sizes when this branch is "complete"
  Ensure UUIDs and adjacent black magic all work properly
2016-05-23 14:27:11 -05:00
RageLtMan 0e69040a6a Implement reverse_tcp_dns as metasm payload
Using the separation of block_recv and reverse_tcp, implement
reverse_tcp_dns using original shellcode as template with dynamic
injection of parameters. Concatenate the whole thing in the
generation call chain, and compile the resulting shellcode for
delivery.

Metasploit module pruned to bare minimum, with the LHOST OptString
moved into the library component.

Testing:
  Win2k8r2

ToDo:
  Update payload sizes when this branch is "complete"
  Ensure UUIDs and adjacent black magic all work properly

Misc:
  Clean up rc4.rb to use the rc4_keys method when generating a
stage. Makes the implementation far more readable and reduces
redundant code.
2016-05-23 14:27:11 -05:00
RageLtMan df2346d9e0 Implement RC4 metasm payloads for tcp bind and rev
Convert reverse_tcp_rc4 and bind_tcp_rc4 from static shellcode
substitution payloads to metasm compiled assembly approach.

Splits up metasm methods for bind_tcp and reverse_tcp into socket
creation and block_recv to allow for reuse of the socket methods
with the RC4 payloads, while substituting the block_recv methods
for those carrying the appropriate decryptor stubs.

Creates a new rc4 module carrying the bulk of the decryptor and
adjacent convenince methods for standard payload generation.

Testing:
 Tested against Win2k8r2, Win7x64, and WinXPx86

ToDo:
 Ensure all the methods around payload sizing, UUIDs, and other
new functionality, the semantics of which i do not yet fully
understand, are appropriate and do not introduce breakage.
2016-05-23 14:27:11 -05:00
Brent Cook 9fc07eeb99
Land #6902, Respect SSLCipher in server mixins 2016-05-20 17:34:38 -05:00
Adam Cammack fda4c62c1f
Respect SSLCipher in server mixins
This allows us to set a sane cipher spec for SSL-enabled server modules.
2016-05-20 16:59:36 -05:00
Metasploit 100300c819
Bump version of framework to 4.12.4 2016-05-18 07:04:09 -07:00
Brent Cook 6a4a9742e8 handle bad user 2016-05-17 17:24:46 -05:00
Brent Cook c6db5bf34a add a missing postgresql 9.4.1-5 matching case 2016-05-17 17:12:47 -05:00
Jenkins c9dd863085
Bump version of framework to 4.12.3 2016-05-17 10:18:08 -07:00
Jon Hart 8bccfef571
Fix merge conflict 2016-05-16 17:29:45 -07:00
wchen-r7 04d70640b1
Land #6868, Add axis2 payload generator for msfvenom 2016-05-16 17:48:50 -05:00
David Maloney c40b8ea3fb
Land #6864, Meterp Suspend 2016-05-16 11:13:43 -05:00
Jenkins 621a908b2d
Bump version of framework to 4.12.2 2016-05-13 12:51:58 -07:00
David Maloney ba4bfca806 Revert "arg bad build, resetting version back one"
This reverts commit d86392e96b.
2016-05-13 14:48:35 -05:00
David Maloney d86392e96b
arg bad build, resetting version back one 2016-05-13 14:44:02 -05:00
Jenkins b6a83f734d
Bump version of framework to 4.12.1 2016-05-13 12:39:43 -07:00
David Maloney 31050a8da7
Rails upgrade to 4.2.6
lands all of the rails 4.2 upgrade work
Merge branch 'staging/rails-upgrade'
2016-05-13 14:34:50 -05:00
Jenkins 6c11054d5a
Bump version of framework to 4.12.0 2016-05-13 11:46:03 -07:00
Christian Mehlmauer 7fcddd5a05
Add axis2 payload generator 2016-05-12 22:48:07 +02:00
David Maloney d9abb06a5a
Merge branch 'master' into staging/rails-upgrade 2016-05-12 11:18:51 -05:00
David Maloney 7edaa2abcc
still trying to fix these migrations
seeing odd behaviour with mgirations in
rspec
2016-05-11 14:54:40 -05:00
David Maloney 2fb3123ef2
fix migration crazieness
MS-1486
2016-05-11 14:05:34 -05:00
David Maloney 993709e076
Land #6862, jar payloads
lands FireFarts jar payload pr
2016-05-11 09:56:41 -05:00
Brent Cook af84e85174 fix exception suspending channels from meterpreter 2016-05-10 04:21:31 -05:00
Christian Mehlmauer e2dd844e34
reenable jar format 2016-05-09 21:25:23 +02:00
David Maloney 6142d2cef1
Merge branch 'master' into staging/rails-upgrade 2016-05-09 09:27:17 -05:00
Brent Cook 7b1148c438 disambiguate NetBSD/OpenBSD 2016-05-09 05:11:47 -05:00
Brent Cook 71a674434a Solaris 11 2016-05-09 05:11:09 -05:00
Brent Cook bbe35ac21a match solaris uname 2016-05-09 05:06:59 -05:00
Brent Cook 1a97042a0d include running CPU architecture in platform string 2016-05-09 05:06:37 -05:00
Brent Cook f466464e80 set a recommended number of threads per session type 2016-05-08 22:39:41 -05:00
Brent Cook 9268f66540 auto-set the meterpreter platform based on the sysinfo os 2016-05-08 22:39:41 -05:00
Jenkins 805f98f599
Bump version of framework to 4.11.27 2016-05-06 11:32:46 -07:00
David Maloney 1ffab935cc
pull dep mgirations from credential
credential pulls mdm, so we don't combine these
2016-05-06 11:57:40 -05:00
David Maloney a763863ff3
remove #truncate_session_desc
this method was absed around a char limit
for the desc column which no longer exists
trying to perform this operation generates an error
removing the method since it is not needed
2016-05-06 09:36:12 -05:00
Adam Cammack f75009a9c6
Don't duplicate headers when sending emails
If Date: and Subject: are present, we should not try to add them again.
This made Amazon SES puke, and that made us sad :(.

MS-1476
2016-05-05 10:47:21 -05:00
David Maloney 19af279ce9
Merge branch 'master' into staging/rails-upgrade 2016-05-05 10:46:12 -05:00
dmohanty-r7 f096c3bb99
Land #6821 Fix send_request_cgi! redirection 2016-05-05 09:09:30 -05:00
David Maloney 55b38ad089
Land #6398, content length header
lands wei's content length header pr
2016-05-04 11:53:46 -05:00
Jenkins e7ff4665e1
Bump version of framework to 4.11.26 2016-05-04 09:44:18 -07:00
Rob Fuller 4c9eba333e
Land #6753, MSF-side support for reverse port forwards
Huge thanks to @OJ for making this happen.
Tested targets Win7,10,2008,2012
Tested payloads Win32 native, Win64 native, python
2016-05-04 07:39:05 -04:00
Jenkins 7490ab1c78
Bump version of framework to 4.11.25 2016-05-03 17:09:07 -07:00
OJ 60f81a69ea Remove the pfservice close call on shutdown 2016-05-03 12:03:37 +10:00
OJ d136844d3b Add error handling around double-bind of ports 2016-05-03 10:42:41 +10:00
wchen-r7 ffc91a193c Fix #6841, info -d [module path] not spawning module documentation
Fix #6841
2016-05-02 14:23:29 -05:00
Brian Patterson be363411de
Land #6317, Add delay(with jitter) option to auxiliary scanner and portscan modules 2016-05-02 13:09:40 -05:00
David Maloney fb5b228984
Merge branch 'master' into staging/rails-upgrade 2016-05-02 11:33:35 -05:00
dmaloney-r7 3b893cf740 Merge pull request #6581 from bcook-r7/uuidretry
don't send a response on invalid UUID, allow stagers to survive another day
2016-05-02 11:23:02 -05:00
Jenkins d4f1c78c5c
Bump version of framework to 4.11.24 2016-04-29 13:38:06 -07:00
dmohanty-r7 20ec56d06a Do not parse empty web_sites
MS-255
2016-04-28 13:17:03 -05:00
dmohanty-r7 5a4e70fdf0 Fixes indentation in check_msf_xml_version!
MS-255
2016-04-28 13:17:02 -05:00
dmohanty-r7 f4f607d815 Correct comments to use Nokogiri::XML::Element
MS-255
2016-04-28 13:17:02 -05:00
dmohanty-r7 56fd5a745e Do not parse element if empty
MS-255
2016-04-28 13:17:02 -05:00
dmohanty-r7 050061762b Fix db_manager rspec tests
MS-255
2016-04-28 13:17:02 -05:00
dmohanty-r7 0e568674d7 Add comments on parse functions
MS-255
2016-04-28 13:17:01 -05:00
dmohanty-r7 0759848ad5 Use Nokogiri Reader in zip import
MS-255
2016-04-28 13:17:01 -05:00
dmohanty-r7 83ff60c111 Force encoding on import xml
MS-255
2016-04-28 13:17:01 -05:00
dmohanty-r7 e4fcaefc8c Unpack and pack an unsigned integer per 8 bytes
MS-255
2016-04-28 13:17:01 -05:00
dmohanty-r7 e6a8d69b0b Force encoding of XML import
MS-255
2016-04-28 13:17:00 -05:00
dmohanty-r7 f1d8e1d693 Parse web_data in xml import
MS-255
2016-04-28 13:17:00 -05:00
dmohanty-r7 802dfabbe3 Converts XML importer to use Nokogiri Reader
MS-255
2016-04-28 13:17:00 -05:00
wchen-r7 d4b89edf9c Fix #6398, Missing Content-Length header in HTTP POST
RFC-7230 states that a Content-Length header is normally sent in
a POST request even when the value (length) is 0, indicating an
empty payload body. Rex HTTP client failed to follow this spec,
and caused some modules to fail (such as winrm_login).

Fix #6398
2016-04-28 11:44:10 -05:00
OJ c15a2e8787
Merge branch 'upstream/master' into reverse-port-forward
Signed-off-by: OJ <oj@buffered.io>
2016-04-26 09:48:40 +10:00
wchen-r7 47d52a250e Fix #6806 and #6820 - Fix send_request_cgi! redirection
This patch fixes two problems:

1. 6820 - If the HTTP server returns a relative path
   (example: /test), there is no host to extract, therefore the HOST
   header in the HTTP request ends up being empty. When the web
   server sees this, it might return an HTTP 400 Bad Request, and
   the redirection fails.

2. 6806 - If the HTTP server returns a relative path that begins
   with a dot, send_request_cgi! will literally send that in the
   GET request. Since that isn't a valid GET request path format,
   the redirection fails.

Fix #6806
Fix #6820
2016-04-25 14:30:46 -05:00
wchen-r7 4676d70918 rm osvdb condition 2016-04-24 18:36:33 -05:00
Adam Cammack f28d280199
Land #6814, move stdapi to exist? 2016-04-24 13:41:11 -04:00
Brent Cook 12a47b7fab prefer && 2016-04-24 11:56:32 -04:00
Brent Cook 194a84c793 Modify stdapi so it also uses exist? over exists? for ruby parity
Also add an alias for backward compatibility.
2016-04-23 17:31:22 -04:00
wchen-r7 816bc91e45 Resolve #6807, remove all OSVDB references.
OSVDB is no longer a vulnerability database, therefore all the
references linked to it are invalid.

Resolve #6807
2016-04-23 12:32:34 -05:00
Brent Cook 45961f75d4 Fix the payload size updater for MetasploitModule 2016-04-23 11:38:42 -04:00
William Vu 9713124e54
Land #6802, resolve command for Meterpreter 2016-04-22 17:18:31 -05:00
William Vu 7f8491149f Fix minor whitespace issues 2016-04-22 17:18:10 -05:00
Jenkins d70dcbf4a4
Bump version of framework to 4.11.23 2016-04-22 09:34:10 -07:00
join-us c1a64b1f6f fix: issues/6803 - info command references bug 2016-04-22 15:14:35 +08:00
OJ 540409e735 Add `resolve` to the meterpreter command line
I'm aware that this already exists as a post module, but there's nothing more annoying than having to bail out of Meterpreter, use the right module, set up the host list, etc all to just fire off a one-liner.

So this commit adds the command directly to Meterpreter's command line so that you don't have to do all that. This doesn't support specifying a file with the hosts in it (the post module does that). This is intended for quick resolution of particular hosts quickly.
2016-04-22 13:21:19 +10:00
wchen-r7 98f89ca23a
Land #6794, Fixed yard doc errors 2016-04-21 13:16:45 -05:00
wchen-r7 6cb93f2af2 Make yard doc ignore @probe 2016-04-21 13:15:58 -05:00
thao doan 5e36a3128c Fix #5197, Fixed yard doc errors
Fix #5197 Fixed issues that caused errors during yard doc generation
2016-04-21 13:06:00 -05:00
Brent Cook 57ab974737 File.exists? must die 2016-04-21 00:47:07 -04:00
Louis Sato 6b3326eab2
Land #6707, support for LURI handler 2016-04-20 16:26:07 -05:00
David Maloney 5d0de63dc7
fiddling bits on db migrations
getting duplicate migrations errors in pro,
trying to isolate
2016-04-19 15:00:55 -05:00
David Maloney 1006902aea
fix migrations from deps
the mgirations from mdm and credential were not
being pulled in correctly by the rake db tasks
fixed this in the databases.rake file
2016-04-19 14:46:05 -05:00
Christian Mehlmauer 3b280d45a4
fix some yardoc issues 2016-04-18 21:00:21 +02:00
thao doan fd603102db Land #6765, Fixed SQL error in lib/msf/core/exploit/postgres 2016-04-18 10:44:20 -07:00
Brent Cook 4c0a53a809 replace 'and' with '&&' 2016-04-18 08:26:02 -05:00
OJ 555352b210 Force lurl string duplication to avoid stageless issues
I have NO idea why this is even a problem. Mutating state is the spawn of satan.
2016-04-18 08:25:19 -05:00
OJ a74a7dde55 More fixies for LURI in Python, and native too 2016-04-18 08:25:19 -05:00
OJ b95267997d Fix LURI support for stageless, transport add/change and code tidies 2016-04-18 08:24:41 -05:00
Rory McNamara 63e478c826 fix sessions -l bug 2016-04-18 08:21:50 -05:00
Rory McNamara a45d0aed53 show LURI in new connection log message 2016-04-18 08:21:50 -05:00
Rory McNamara 7eda08aa2e windows/x64 support 2016-04-18 08:16:35 -05:00
Rory McNamara 1e16804c63 size considerations for LURI, stageless 2016-04-18 08:16:35 -05:00
Rory McNamara 7e708e3159 sessions LURI display 2016-04-18 08:13:10 -05:00
Rory McNamara d2d36ca043 java handler, better default, jobs -v 2016-04-18 08:13:10 -05:00
Rory McNamara b122dffe3d initial LURI commit. windows, python functional 2016-04-18 08:13:10 -05:00
Metasploit d5085f6f0d
Bump version of framework to 4.11.22 2016-04-16 09:09:23 -07:00
David Maloney c52f3dcb0e
update to rails 4.2.6
fix lost dep unlocks and upgrade rails to 4.2.6

MS-1400
2016-04-15 11:45:43 -05:00
greg.mikeska@rapid7.com 2627a00727
Land #6750 Fix an error in the OpenVas and Burp Issue importers 2016-04-13 17:25:27 -05:00
Spencer McIntyre d3a832b31d
Land #6776, Fix #6775 update regex for Win 10 UAC 2016-04-13 17:03:45 -04:00
Brian Patterson 11d6740e7f
Modify syntax in burp_issue_nokogiri.rb to conform to code style guidelines 2016-04-12 17:33:20 -05:00
OJ 3898d11aa7 Add Windows 10 entry to the version check regex 2016-04-13 08:23:01 +10:00
Brian Patterson 6105822268 Merge branch 'master' of github.com:rapid7/metasploit-framework into bug/MS-247/OpenVas-default-workspace 2016-04-12 16:57:41 -05:00
Jon Hart ca6beeb676
Land #6187, @join-us' cleanup for enum_dns 2016-04-11 09:50:12 -07:00
OJ 5c2e5398ad Fix issue with flushing rev port forwards 2016-04-11 10:41:12 +10:00
William Vu feb1394630
Land #6752, compact table for advanced options 2016-04-09 21:25:43 -05:00
wchen-r7 93cb91a515 Remove an extra nil check 2016-04-08 21:18:24 -05:00
Jon Hart 7c70a554ea
Merge branch 'pr/6187' into pr/fixup-6187 for pre-master merge testing 2016-04-08 16:56:38 -07:00
Metasploit 16c599866c
Bump version of framework to 4.11.21 2016-04-08 16:23:33 -07:00
wchen-r7 6b4dd8787b Fix #6764, nil SQL error in lib/msf/core/exploit/postgres
Fix #6764
2016-04-08 15:20:04 -05:00
wchen-r7 ae46b5a688
Bring #6417 up to date with upstream-master 2016-04-08 13:41:40 -05:00
James Lee 2563634dce
Fix inverted logic introduced by #6734
MS-385
2016-04-06 22:03:31 -05:00
William Vu 22d08fdf39 Revert #6748, premature Gemfile* changes 2016-04-06 14:52:22 -05:00
Brian Patterson 78281213eb
Merge branch 'landing-6748' into upstream-master 2016-04-06 13:44:15 -05:00
OJ 866cb5a23b Fix usage of lport/rport while tracking rev forwards 2016-04-06 16:36:41 +10:00
OJ 6d504316ae Add MSF-side support for reverse port forwards
This includes changes to the portfwd command so that the output is
nicer, things are easier to use, and users have the ability to create
reverse port forwards.
2016-04-06 15:38:39 +10:00
James Lee 8cc1d2ec89
Make advanced and evasion options readable 2016-04-05 15:05:58 -05:00
wchen-r7 4d5695f7fc
Land #6743, reimplement HD's session interrupt handler
MS-385
2016-04-05 11:16:32 -05:00
Brian Patterson e5ee5b903b Merge branch 'master' of github.com:rapid7/metasploit-framework into bug/MS-247/OpenVas-default-workspace 2016-04-05 09:36:27 -05:00
David Maloney cde89b90cd
Land #6744, Deprecation on host eager load
Lands SemperVictus' pr for fixing a deprecation warning
on eager loading the hosts table
2016-04-05 09:19:16 -05:00
Justin Steven 3bcac49c21 Fix: badchars.present? is false for whitespace
badchars.present? is false in the case of badchars containing only whitespace.

Instead check for is not empty and is not nil.
2016-04-05 10:09:56 +10:00
Brian Patterson 2a7e3fb600
Fix an error in the OpenVas and Burp Issue importers where the vuln and host info would import into the default workspace instead of the current workspace 2016-04-04 17:35:31 -05:00
greg.mikeska@rapid7.com 5e8ed09b66 Merge branch 'task/MS-1354/OpenVAS-Nessus-Importer' of https://github.com/bpatterson-r7/metasploit-framework into bpatterson-r7-task/MS-1354/OpenVAS-Nessus-Importer 2016-04-04 17:07:05 -05:00
David Maloney 8de58e4b80
Merge branch 'master' into staging/rails-upgrade 2016-04-04 09:30:01 -05:00
wchen-r7 72d631a255
Land #6745, open_webrtc_browser fix for Windows 2016-04-02 13:54:05 -05:00
Brent Cook c6bdc3fa14 fix the path quoting in open_webrtc_browser 2016-04-02 13:18:23 -05:00
RageLtMan 992df12fa7 Address ActiveRecord deprecation warning
AR will start to complain about eager loading in command_dispatcher
/db.rb:519 because it references hosts as string without explicitly
stating that the table is being referenced.

Add a call .references in the AR call chain after the where clause
to silence this abysmal warning.
2016-04-02 00:22:26 -04:00
wchen-r7 f7dd326b16
Land #6455, Fix dns labels/names size limits for lib/net/dns/names/names 2016-04-01 21:57:09 -05:00
Brent Cook 3d995546d9 check for true before empty string 2016-04-01 21:30:11 -05:00
David Maloney 64b94dfe3b
reimplement HD's session interrupt handler
reimplement HD's work on a session interrupt handler
so that if an exploit fails the handler does not continue
waiting for a session that will never come

MS-385
2016-04-01 14:43:16 -05:00
OJ 2a9f813bcd Don't interpreter blank string as error 2016-04-01 09:53:25 +10:00
OJ 9f299f4f0c
Merge branch 'upstream/master' into powershell-meterpreter-bindings 2016-04-01 09:32:32 +10:00
wchen-r7 618f379488 Update auxiliary/scanner/redis/redis_server and mixin 2016-03-31 17:14:49 -05:00
wchen-r7 2e7d07ff53 Fix PASSWORD datastore option 2016-03-31 17:12:00 -05:00
wchen-r7 545cb11736
Bring #6409 up to date with upstream-master 2016-03-31 17:00:56 -05:00
wchen-r7 5fdea91e93 Change naming 2016-03-31 17:00:29 -05:00
Brent Cook 4c2e130470 fix spelling 2016-03-31 09:25:24 -05:00
Brian Patterson 8f0d664a38
Modify the open_vas importer to support both results.xml and reports.xml open_vas exports and modify the nessus importer to import what it can when it can't find a properly formatted port number 2016-03-30 17:44:26 -05:00
Adam Cammack a808c9fe63
Bring some sanity to the datastore
Before, the datastore would store options case-sensitive, but would
access them case-insensitive, resulting is a number of string compares.
This commit stores options in their downcase form to reduce
update/lookup time. This adds up to reducing msfconsole boot time by
about 10% and rspec time by about 45 sec. (!) on my box.

One tricky part of this conversion is that there are several places (in
pro and framework) where we export or otherwise access the datastore as
a plain hash (case-sensitive). I believe I have caught all the ways we
access the datastore that are case-sensitive and substituted the
original key capitalization in those cases.
2016-03-30 15:17:55 -05:00
wchen-r7 a2a522be07
Land #6716, Add a rescue to catch method missing for stage_payload 2016-03-30 13:08:52 -05:00
wchen-r7 280aeb0b59
Land #6727, Show handler URI so we know which job's responding 2016-03-30 12:22:18 -05:00
James Lee ead6e6b6b6
Use a print_prefix instead 2016-03-30 11:50:45 -05:00
James Lee 0a239742f5
Show handler URI so we know which job's responding 2016-03-30 11:35:04 -05:00
wchen-r7 797acd625d
Land #6714, Kill defanged mode 2016-03-30 10:54:56 -05:00
Brent Cook b8d53dde4a Merge branch 'upstream-master' into staging/rails-upgrade 2016-03-29 15:56:50 -05:00
Metasploit b41ac10fe8
Bump version of framework to 4.11.20 2016-03-29 12:43:20 -07:00
wchen-r7 faaaf6b765 MS10-58 Call super in #set_sane_defaults for caidao login scanner
MS10-58
2016-03-29 13:40:51 -05:00
thao doan 587f1ee7b3 Land #6708, module documentation for msfconsole 2016-03-29 11:30:55 -07:00
Brent Cook e25525b4a7 avoid validating file-based datastore options on assignment
file:/ strings are special with some datastore options, causing them to read a
file rather than emitting the exact string. This causes a couple of problems.

1. the valid? check needs to be special on assignment, since normalization
   really means normalizing the path, not playing with the value as we would do
   for other types

2. there are races or simply out-of-order assignments when running commands
   like 'services -p 80 -R', where the datastore option is assigned before the
   file is actually written.

This is the 'easy' fix of disabling assignment validation (which we didn't have
before anyway) for types that can expect a file:/ prefix.
2016-03-28 23:03:17 -05:00
OJ 6523600952 Add a rescue to catch method missing for stage_payload
This allows us to provide a friendlier message to users when they are
using a stageless listener with a staged payload.
2016-03-29 09:46:09 +10:00
James Lee f1857d6350
Kill defanged mode 2016-03-28 09:02:07 -05:00
Metasploit 72bde63397
Bump version of framework to 4.11.19 2016-03-25 13:03:35 -07:00
James Lee 9d86a49c51
Land #6692, udp socket abstraction 2016-03-25 13:05:10 -05:00
f7b053223a9e 629bc00696 Use MSXML decoder instead 2016-03-25 22:52:16 +09:00
Brent Cook 242ea8d9cd Merge branch 'master' into land-6691- 2016-03-24 22:19:57 -05:00
OJ ce8a6f57a0 Added powershell_import support 2016-03-25 12:17:03 +10:00
Brendan Watters 18604c3d44
Land #6705, Rectify MSF_CFGROOT_CONFIG comment 2016-03-24 18:21:05 -05:00
wchen-r7 57984706b8 Resolve merge conflict with Gemfile 2016-03-24 18:13:31 -05:00
James Lee dfa518b492
Whitespace 2016-03-24 15:21:03 -05:00
James Lee 0073a8f40e
Wrap comments at 78, style 2016-03-24 15:20:43 -05:00
Gregory Mikeska 7bd6d0c696
Merge branch 'master' into staging/rails-upgrade 2016-03-24 12:55:05 -05:00
Till Maas 7f002128ad Rectify MSF_CFGROOT_CONFIG comment
Also remove reference to feature request that does not seem to be
available anymore.
2016-03-23 22:23:30 +01:00
James Lee 6388578ee6
Style fixes 2016-03-23 16:15:46 -05:00
James Lee 98355c397c
Clean up some variable names 2016-03-23 15:07:00 -05:00
James Lee 685d8fc588
Use 2.x symbol literal syntax 2016-03-23 15:06:35 -05:00
James Lee effee42e2f
Raise a better exception for WSAEADDRINUSE 2016-03-23 13:15:38 -05:00
Louis Sato 0c19d89655
add more space for deprecation message 2016-03-23 11:39:42 -05:00
Metasploit e7b0c60e5c
Bump version of framework to 4.11.18 2016-03-23 07:55:29 -07:00
Adam Cammack 866c4718b0
Fix OptPort validation
Allow a port value of 0 and don't reject empty values if the option is
not required.
2016-03-22 23:01:18 -05:00
Adam Cammack ec3a0a108d
Change OptPort to inherit from OptInt
Fixes the normalize and validate methods.
2016-03-22 19:25:51 -05:00
Adam Cammack 22df7c0071
Fix datastore to validate options w/o a default
Options without a default were not pulled into the `@options` hash and
therefore were not used to validate options on assignment.

I am not entirely sure how this fix works, since it would seem that
non-override options would not get pulled in if an option was first set
in the global datastore. However, a previous value does not get
overridden and new values are validated. Anything further is merely
speculation on my part.
2016-03-22 19:12:53 -05:00
Adam Cammack 5c163960ed
Fix datastore to not freeze options on the default 2016-03-22 19:07:58 -05:00
William Vu 0c7cf2924c
Land #6686, Android dump_* -o fixes 2016-03-21 12:21:47 -05:00
RageLtMan c871ceea0a Implement consistent socket abstraction
In current nomenclature, Rex Sockets are objects created by calls
to Rex::Socket::<Transport>.create and Rex::Socket.create_...
When the LocalHost or Comm parameters are set to remotely routed
addresses (currently via Meterpreter sessions), Rex will create a
Channel which will abstract communications with the remote end of
the session. These channel based abstractions are called pivots,
and present in three separate flavors:
1 - TcpClientChannel, a fully abstracted, selectable Socket.
2 - TcpServerChannel, a virtual Channel which distributes client
channels.
3 - UdpChannel, a virtual Channel which provides common methods for
UDP socket operations, but is not a full (selectable) abstraction.

Unfortunately this differentiation results in inconsistent returns
from the aforementioned socket creation calls, as the call chain
creates parameters and supplies them to the create method on the
comm object referenced in the params. The comm object may be a
channel, and produce a virtual representation of a socket with
functional methods analogous to Sockets, but without a kernel FD.

This commit begins the work of ensuring that all calls for socket
creation return selectable Rex::Socket objects with semantics
familiar to Ruby developers who have not read into the details of
Rex::Socket and Rex::Post.

-----

Summary of changes:

Convert Rex::IO::StreamAbstraction to SocketAbstraction and use
the new mixin in StreamAbstraction and DatagramAbstraction. This
approach allows for common methods to reuse the abstraction data
flow, while initializing separate types of socket obects and an
optional monitor as needed.

In the Rex::Post::Meterpreter namespace, extract common methods
from Stream to a SocketAbstraction mixin, include that mixin in
Stream, and add Datagram with the dio_write handler override
exported from the current implementation of UdpChannel, also using
the mixin. This relies on the Rex::IO work above to implement the
proper type of socket abstraction to the Channel descendants.

In Rex::Post::Meterpreter::Extensions::Stdapi::Net, convert the
UdpChannel to inherit from the Rex::Post::Meterpreter::Datagram
class, implementing only the send method at this tier. Convert
create_udp_channel to return the local socket side of the datagram
abstraction presented analogous to the TcpClientChannel approach
used before.

-----

Notes and intricacies:

In order to implement recvfrom on the UDP abstraction, a shim layer
has been put in place to forward the sockaddr information from the
remote peer to the local UDP socketpair in the abstraction. This
information takes up buffer space in the UDP socket, and in order
to maintain compatibility with consumers, the dio_write_handler
pushes the data buffer, and in a separate send call, he sockaddr
information from the remote socket. On the abstraction side, the
recvfrom_nonblock call of the real UDPSocket has been overriden
via the mixed in module to call the real method twice, once for
the data buffer, and once for the packed sockaddr data. The Rex
level consumer for recvfrom calls the underlying nonblock method
and expects this exact set of returns (as opposed to what standard
library UDPSocket.recvfrom returns, which is a data buffer and an
Array of sockaddr data).

-----

Testing:
  Local and lab testing only so far.
  Test RC script to be added in GH comments.

-----

Issues:
  Currently, sendto on a remote socket does not appear to honor
LocalPort which causes DNS responses (#6611) to come from the
wrong port to remote clients being serviced over a pivot socket.
2016-03-21 03:32:52 -04:00
OJ 80e0bbeb68 Add the interactive shell prompt with sessions 2016-03-21 15:44:20 +10:00
Metasploit 6e12e74e02
Bump version of framework to 4.11.17 2016-03-18 14:12:18 -07:00
Adam Cammack 67b9d053ec
Land #6679, remove unreachable sanity checks 2016-03-18 11:25:51 -05:00
Brent Cook 9219efa512 remove unreachable ruby 1.x check 2016-03-18 11:16:44 -05:00
James Lee 1375600780
Land #6644, datastore validation on assignment 2016-03-17 11:16:12 -05:00
Brent Cook df2d0f7826 Indicate that output options take parameters 2016-03-17 11:13:34 -05:00
Brent Cook 1790f039c3
Land #6684, remove obsolete warn_about_rubies 2016-03-17 08:26:57 -05:00
William Vu 59a55dec5b
Land #6676, new Postgres fingerprints 2016-03-16 16:32:10 -05:00
Adam Cammack 32fe9ae55d
Remove dead version check in db_manager.rb
The check appears to have been orphaned in the db_manager refactor, but
I can't track down the exact commit.
2016-03-16 15:24:55 -05:00
James Lee 79c36c4f53
RPORT should be an OptPort 2016-03-16 14:13:19 -05:00
James Lee c21bad78e8
Fix some more String defaults 2016-03-16 14:13:18 -05:00
James Lee a878926f31
Remove unused datastore option 2016-03-16 14:13:17 -05:00
William Vu adb275520b
Land #6680, old SVN code deletion 2016-03-16 10:15:06 -05:00
Brent Cook 44e1fefa2e when normalizing a string type, ensure we have a string first 2016-03-16 06:44:36 -05:00
Brent Cook 5a72f2df16 remove subversion support 2016-03-15 22:00:32 -05:00
Brent Cook 63263773d1 simplify sanity checks for Ruby 1.x 2016-03-15 21:55:25 -05:00
Brent Cook 3b6a3374ae prefer explicit defaults to implicit 2016-03-15 20:58:14 -05:00
Brent Cook 87074c0638
Land #6651, add android sqlite_query option, update metasploit-payloads 2016-03-15 18:27:49 -05:00
Brent Cook 257c8f4058 handle a sqlite table being empty 2016-03-15 18:26:38 -05:00
Adam Cammack 05f585157d
Land #6646, add SSL SNI and unify SSLVersion opts 2016-03-15 16:35:22 -05:00
David Maloney 3cbc5684e1
iadd some preuath fps for postgres 9.4
the preauth fingerprinting for postgres is somewhat
unmaintainable, but due to a specific customer request
i have added these two FPs for 9.4.1-5

MS-1102
2016-03-15 14:50:07 -05:00
Brent Cook 654590911b Enforce integrity of datastore options on assignment 2016-03-15 14:00:32 -05:00
OJ d8c850aaf0 Add support for the execution of single powershell commands 2016-03-14 17:13:12 +10:00
OJ f8f61e8d83 Basic shell of the MSF Powershell extension functionality 2016-03-14 12:55:58 +10:00
HD Moore 42689df6b3 Fix a stack trace with ``set PAYLOAD`` in ``msf>`` context 2016-03-13 14:56:54 -05:00
Christian Mehlmauer 4f09246c78
reenable module loader warnings 2016-03-13 20:04:05 +01:00
Brent Cook dabe5c8465
Land #6655, use MetasploitModule as module class name 2016-03-13 13:48:31 -05:00
Metasploit e059f42094
Bump version of framework to 4.11.16 2016-03-11 14:17:28 -08:00
Adam Cammack 6f85c82dc0
Fix Nexpose import to truncate long vuln names
A warning is emitted since there is a potential for data loss, but since
we reference vulns by their ID, the data-integrity risk is small.
Initially triggered by some Nexpose data, this should probably be
properly fixed by removing the length bound on the field.

MS-1184
2016-03-11 11:02:55 -06:00
wchen-r7 5554138fac Change the firing order
Ubuntu has this glib bug (g_slice_set_config) that results us
seeing a bunch of warnings when we call system("firefox") in
Ruby. It doesn't look like our fault, but since this generates
a lot of text on msfconsole, we try to avoid that.
2016-03-09 23:08:19 -06:00
Tim dfd51a7032 Merge branch 'master' into android_sqlite_read 2016-03-10 01:46:30 +00:00
wchen-r7 38bc8c88ae Fix open_webrtc_browser
Fix a bug where the code might spawn multiple browsers.
2016-03-09 17:10:22 -06:00
David Maloney ca18996272
setup rails staging branch
rails 4.1 baby!
2016-03-09 15:35:00 -06:00
David Maloney 15ba85bac2
fix missed deprecations
missed some deprecation warnings
2016-03-09 13:29:35 -06:00
David Maloney 88697a5d3f
Merge branch 'master' into staging/rails-upgrade 2016-03-08 15:22:04 -06:00
wchen-r7 f831d58c1c Support tables 2016-03-08 12:19:27 -06:00
wchen-r7 698f425821 Auto <hr> 2016-03-08 11:25:15 -06:00
wchen-r7 b91ee232ff Change HTML parsing 2016-03-08 10:25:29 -06:00
wchen-r7 58b8c35146 Escape HTML for KB and update rspec 2016-03-08 10:10:10 -06:00
Christian Mehlmauer 3123175ac7
use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00
Tim 5e83b2de51
remove extra new line 2016-03-07 23:17:45 +00:00
Tim f6c06bedfe
fix e.g output 2016-03-07 23:15:05 +00:00
wchen-r7 c2f99b559c Add documentation for auxiliary/scanner/http/tomcat_enum
Also fix a typo in normalizer
2016-03-07 15:39:15 -06:00
William Vu 3e0f8d67c9 Use #strip to more correctly simulate #blank?
See f900d9cf26.
2016-03-07 13:14:37 -06:00
Brent Cook 289f43bb80
Land #4848, remove some reliance on rails libraries from rex 2016-03-07 07:38:30 -06:00
Brent Cook eea8fa86dc unify the SSLVersion fields between modules and mixins
Also actually handle the 'Auto' option that we had in the crawler and remove
hardcoded defaults in modules that do not need them.
2016-03-06 22:06:27 -06:00
Brent Cook 05a91f1d82 set SNI if the SSL peer is specified as a hostname 2016-03-06 21:12:15 -06:00
Brent Cook 5a0bec81cb
disable warnings for now, to be reenabled when the module base class is updated 2016-03-06 17:19:05 -06:00
Brent Cook a2c3b05416
Land #6405, prefer default module base class of simply 'Metasploit' 2016-03-06 17:10:55 -06:00
Brent Cook 0fc4ebf4ab
Land #6618, Improve Content-Length behavior in Rex HTTP 2016-03-06 16:38:44 -06:00
Brent Cook a1190f4344
Land #6598, add post module for setting wallpaper 2016-03-06 15:00:10 -06:00
Spencer McIntyre a8ac078586
Land #6636, fix met finalizers to not double close 2016-03-06 12:55:39 -05:00
Brent Cook 85acfabfca remove various library workarounds for the datastore not preserving types 2016-03-05 23:10:57 -06:00
Brent Cook 694f7f0a65 stop turning all default options into strings
we need to adjust vprint* functions, since they now fallthrough to the
'framework.datastore' checks because the false case actually triggers.
2016-03-05 23:09:14 -06:00
wchen-r7 c811ed8d60 Correct name: PAYLOAD_DEMO_TEMPLATE 2016-03-05 00:42:36 -06:00
Metasploit a5cdd7e17f
Bump version of framework to 4.11.15 2016-03-04 16:56:02 -08:00
Metasploit ce675330c0
Bump version of framework to 4.11.14 2016-03-04 14:49:55 -08:00
Gregory Mikeska 7f2400dd1b Merge branch 'jbarnett-r7-feature/MS-833/ms08-067-automation' into upstream-master 2016-03-04 12:34:00 -06:00
Brent Cook dcba20ff60 only cleanup processes once too 2016-03-04 12:08:19 -06:00
Tim 2cfc9073a0 fixup sqlite_query 2016-03-04 11:56:37 +00:00
Tim b7fe500788 sqlite_read -> sqlite_query 2016-03-04 11:56:23 +00:00
wchen-r7 934f8de9b7 Update the conditions of is_remote_exploit? 2016-03-03 00:53:00 -06:00
Brent Cook c250740a81 Fixup finalizers to not double-close Meterpreter objects
We add finalizers to an assortment of Meterpreter-managed objects in order to
clean things up in the event that a post module crashes and does not clean
things up. However, this also means that even a properly-written post module
can lead to an object getting double-closed on the Meterpreter session when the
garbage collector kicks in. This can lead to quite non-deterministic behavior
and crashes.

This change modifies the instance close methods to unregister the finalizer on
close, ensuring we cannot do a double-close automatically if one is requested
explicitly first. As an additional measure, we check an instance variable to
see if we called close directly twice as well. This is not sufficient in
itself, since we do not have a reference to 'self' in the finalizer proc to
check the close state.

This also removes a couple of references to 'self' in the finalizer proc
itself, which may cure some memory leaks as well due to circular references.
2016-03-02 21:43:51 -06:00
wchen-r7 11964c5c1a Add remote exploit demo and web_delivery doc 2016-03-02 19:52:11 -06:00
wchen-r7 5f510df2ab Resolve merge conflict with upstream's Gemfile.lock 2016-03-01 22:06:17 -06:00
wchen-r7 f27d24fd60 Add module documentation for psexec 2016-03-01 18:52:47 -06:00
Brian Patterson 30043bc519
Changed .all to .load in workspace.rb in order to eager load the relation and fix the 4.0 rails deprecation 2016-03-01 11:48:55 -06:00
rwhitcroft 4b10331cf0 style fixups 2016-03-01 10:18:25 -05:00
f7b053223a9e c8c5549b19 Send base64ed shellcode and decode with certutil 2016-03-01 10:48:25 +09:00
William Vu c5a9d59455
Land #6612, one final missing change 2016-02-29 15:08:42 -06:00
William Vu cb0493e5bb Recreate Msf::Exploit::Remote::Fortinet
To match the path, even though it's kinda lame including it just for the
monkeypatch.
2016-02-29 15:04:02 -06:00
William Vu 300fdc87bb Move Fortinet backdoor to module and library 2016-02-29 12:06:33 -06:00
wchen-r7 2950996cb8
Land #6612, Add aux module for Fortinet backdoor 2016-02-29 12:02:49 -06:00
William Vu 53d703355f Move Fortinet backdoor to module and library 2016-02-29 11:57:42 -06:00
wchen-r7 bff4b4d5fc Fix #6609 and #6587 - Change Content-Length behavior in Rex HTTP
This patches changes two things:

1. If a module has a custom Content-Length, it will respect that
   instead of forcing its own.

2. If a request does not have anything in the body, the
   Content-Length header will not be set.

Fix #6609
Fix #6587
2016-02-29 10:50:21 -06:00
Tim afc6f6ff74 fix options 2016-02-29 15:21:33 +00:00
Tim bd6fdbb545 android sqlite_read command 2016-02-29 15:05:57 +00:00
rwhitcroft f735a904ff create owa_ews_login module, modify HttpClient to accept preferred_auth option 2016-02-28 22:01:05 -05:00
Fernando Arias c4c5944b25
Merge branch 'staging/rails-upgrade' into staging/MS-888/engines-is-deprecated
Conflicts:
	Gemfile.lock
	metasploit-framework.gemspec
2016-02-26 15:35:34 -06:00
Brent Cook 7acba69e37
Land #6577, add controls for Android ringer 2016-02-26 07:02:49 -06:00
Brent Cook 5899b8afc8 make help show up when things are not specified correctly 2016-02-26 06:09:05 -06:00
HD Moore 9010dac7bc Wrap up the current WIP, still not functional 2016-02-26 05:36:40 +00:00
HD Moore 5bf308e720 WIP checkin 2016-02-26 05:36:40 +00:00
Brent Cook d891e27cdd
Land #6597, prefer Timeout.timeout since Object#timeout is deprecated 2016-02-25 22:17:49 -06:00
William Vu 83fad3e328 Add Fortinet backdoor 2016-02-25 21:29:08 -06:00
Brent Cook a87cf02b50
Land #6524, fix reverse_http to try binding to LHOST first 2016-02-25 20:25:02 -06:00
wchen-r7 2e268a25da
Land #6596, Apache Karaf Login Utility 2016-02-25 14:39:51 -06:00
wchen-r7 7e25c7b87b Handle OpenSSL::Cipher::CipherError
Our current net/ssh is petty outdated, so it is possible not being
able to connect to certain SSH servers.
2016-02-25 14:35:37 -06:00
Gregory Mikeska cbc5b296e4
implement engines method locally instead of adding refinement 2016-02-25 11:05:17 -06:00
darkbushido 2ec7149ae7
Logging deprecations to STDERR 2016-02-25 10:59:50 -06:00
wchen-r7 58ad2175b8 Raise when no network connection 2016-02-24 18:57:40 -06:00
Metasploit b32f474e99
Bump version of framework to 4.11.13 2016-02-24 11:37:42 -08:00
RageLtMan d7ba37d2e6 Msf::Exploit::Remote::HttpServer print_* fix
Exploit::Remote::HttpServer and every descendant utilizes the
print_prefix method which checks whether the module which mixes in
these modules is aggressive. This is done in a proc context most
of the time since its a callback on the underlying Rex HTTP server.

When modules do not define :aggressive? the resulting exceptions
are quietly swallowed, and requestors get an empty response as the
client object dies off.

Add check for response to :aggressive? in :print_prefix to address
this issue.
2016-02-21 20:20:22 -05:00
Micheal 3e22de116f Changes to fix peer and style as recommended by jhart-r7. 2016-02-20 13:53:32 -08:00
Tim cef1b77e26 fixes for android set_audio_mode 2016-02-20 12:01:10 +00:00
Metasploit b868f7cc89
Bump version of framework to 4.11.12 2016-02-19 20:19:43 -08:00
wchen-r7 24530e2734 Scrollable list, tab name change, print_status 2016-02-19 20:46:39 -06:00
RubenRocha 72a69fcd16 Fixed timeout warning 2016-02-19 21:14:54 +00:00