Commit Graph

13161 Commits (9309115627f0f5c0bc54a1bc9d352aba20d8788c)

Author SHA1 Message Date
Brent Cook b7620e13a3 remove special case check for invalid options 2017-05-27 00:53:14 -05:00
Brent Cook 11b3fd9067
Land #8468, Update system info after running getsystem 2017-05-26 23:37:00 -05:00
TheNaterz 53cbbbacd8 getsystem update session info 2017-05-26 17:28:11 -06:00
HD Moore e8b5cc3397 Avoid a stacktrace by verifying that the share is known 2017-05-26 17:01:44 -05:00
HD Moore 8caaba01f1 Add share enumeration methods to the SMB mixin 2017-05-26 17:01:18 -05:00
Metasploit 15b3b7de41
Bump version of framework to 4.14.23 2017-05-26 10:02:14 -07:00
HD Moore 18a871d6a4 Delete the .so, add PID bruteforce option, cleanup 2017-05-25 16:03:14 -05:00
itsmeroy2012 92a1a3ecf7 Adding for loop instead of while, removing 'counter' 2017-05-25 15:09:34 +05:30
HD Moore 0520d7cf76 First crack at Samba CVE-2017-7494 2017-05-24 19:42:04 -05:00
Matthew Daley 52363aec13 Add module for CVE-2017-8895, UAF in Backup Exec Windows agent
This module exploits a use-after-free vulnerability in the handling of
SSL NDMP connections in Veritas/Symantec Backup Exec's Remote Agent for
Windows. When SSL is re-established on a NDMP connection that previously
has had SSL established, the BIO struct for the connection's previous
SSL session is reused, even though it has previously been freed.

Successful exploitation will give remote code execution as the user of
the Backup Exec Remote Agent for Windows service, almost always
NT AUTHORITY\SYSTEM.
2017-05-24 00:18:20 +12:00
Brent Cook 3e4e5dc810
Land #8421, fix rspec failures with newer OpenSSL 2017-05-22 21:49:52 -04:00
OJ 86aad6b7c3
Fix proxy_type references to handle nil case 2017-05-22 21:47:37 +10:00
Renato Piccoli 29d1022ae2 Fix the rake spec failures under ruby 2.4.
Ths typo3_spec is giving some errors under ruby 2.4+
and OpenSSL 1.1+.
2017-05-21 21:56:04 +02:00
Metasploit 18f520382b
Bump version of framework to 4.14.22 2017-05-19 12:12:27 -07:00
Pearce Barry a6f416e8df
Land #8290, Hwbridge Automotive Fix and Extension Enhancements 2017-05-19 13:46:54 -05:00
Metasploit c54c999efc
Bump version of framework to 4.14.21 2017-05-19 10:02:32 -07:00
Brent Cook 22828fcc0f
Land #8406, add compatibility shims for older Ruby versions 2017-05-18 21:50:45 -05:00
James Lee 4def7ce6cc
Land #8327, Simplify storing credentials 2017-05-18 16:49:01 -05:00
Metasploit 126c078ced
Bump version of framework to 4.14.20 2017-05-18 11:53:33 -07:00
bwatters-r7 02211db664
Land #8412, fix for smb_login errors
Merge branch 'land-8412' into upstream-master
2017-05-18 13:43:10 -05:00
David Maloney 94e4dc2938
fix for smb_login errors
do not try the TreeConnect if the SESSION_SETUP
has already failed.
2017-05-18 11:26:03 -05:00
Jeffrey Martin 1af6c08356
Land #8409, mark osx-app macho as executable 2017-05-18 09:28:01 -05:00
Tim a68a1858a9 Fix #7703, mark osx-app macho as executable 2017-05-18 18:24:35 +08:00
Brent Cook c59371dd5e add ruby backports compat library 2017-05-17 23:41:20 -05:00
James Lee b78749bc1b
Land #8221, move autoroute 2017-05-17 15:17:45 -05:00
Pearce Barry d0b13544dd
Agreed-upon feedback updates. 2017-05-17 10:57:39 -05:00
Metasploit 729f2a9ab8
Bump version of framework to 4.14.19 2017-05-16 14:09:45 -07:00
wchen-r7 58d65ce4b5 Land #8380, check for command injection in smtp email addresses
aborts
2017-05-16 15:36:22 -05:00
James Lee e3f4cc0dfd
Land #8345, WordPress PHPMailer Exim injection
CVE-2016-10033
2017-05-16 15:07:21 -05:00
William Vu 416a5cdc3b
Land #8379, payload opts check for RHOST warning 2017-05-14 22:21:58 -05:00
William Vu 78148c7979 Prefer && instead of and
I think @zeroSteiner's been writing a lot of Python. :-)
2017-05-14 22:19:15 -05:00
Brent Cook e7be0af72e update bad mail checks 2017-05-14 22:13:31 -05:00
Brent Cook cc72850847
Land #8369, add PSH decompressor & decoder convenience methods 2017-05-14 21:28:02 -05:00
Brent Cook 8ac5d2d377 tidy up a bit while we're in here 2017-05-14 21:27:38 -05:00
Brent Cook 544ea6926c
trim leading and trailing whitespace in mail addresses 2017-05-14 11:22:46 -05:00
Spencer McIntyre 70bfdf17b2 Check payload options before showing RHOST warning 2017-05-13 14:46:07 -04:00
Spencer McIntyre f39e378496
Land #8330, fix ps_wmi_exec and psh staging 2017-05-13 14:26:47 -04:00
Spencer McIntyre 3cbeebe3af Rename env_ variable to be more accurately named 2017-05-13 14:24:00 -04:00
itsmeroy2012 3a1ed19a42 Making use of StagerRetryConnect 2017-05-13 17:49:53 +05:30
Metasploit 405f2c6ca1
Bump version of framework to 4.14.18 2017-05-12 10:10:30 -07:00
Brent Cook 123462bdca
Land #8293, add initial multi-platform railgun support 2017-05-11 22:32:23 -05:00
Brent Cook e414bdb876 don't try to guess intent for specified default targets, leave auto-auto targeting to unspecified modules 2017-05-11 15:19:11 -05:00
Brent Cook 099fc0176a move autoroute to a more sensible location 2017-05-10 23:01:02 -05:00
RageLtMan cf29a512d0 Upstream Msf namespace PSH decompressor & decoder
Present convenience interfaces in Msf::Exploit::Powershell ns for
decoding and decompressing PSH strings built with Rex::Powershell
or compatible implementations.
2017-05-10 22:44:56 -04:00
Adam Cammack 18d95b6625
Land #8346, Templatize shims for external modules 2017-05-10 18:15:54 -05:00
William Vu ee55516e06 Allow lowercase HTTP in command strings 2017-05-10 15:17:20 -05:00
William Vu 3a45c2f321 Allow complete override of Host header 2017-05-10 15:17:20 -05:00
Brent Cook 42fd287038 remove debug 2017-05-10 13:04:12 -05:00
Brent Cook beea5e1a5c use wfsdelay consistently 2017-05-08 15:34:09 -05:00
Brent Cook fede672a81 further revise templates 2017-05-08 14:26:24 -05:00
Brent Cook a2ce3743a2 move wait_status to a mixin 2017-05-08 12:23:27 -05:00
Jeffrey Martin a1efa30fa2
comments adjustments & enum better 2017-05-08 11:57:06 -05:00
Brent Cook f213482659 small fixe 2017-05-08 11:52:37 -05:00
Jeffrey Martin e2fe70d531
convert store_valid_credential to named params 2017-05-05 18:23:15 -05:00
William Webb c297e1679c
Land #8336, Specify LHOST by interface name 2017-05-05 18:05:20 -05:00
William Vu fa47092bfe
Land #8348, typo fix in Net::DNS
Since the lib is vendored, I doubt it'd get fixed otherwise.
2017-05-05 14:17:41 -05:00
Metasploit a0b50390c5
Bump version of framework to 4.14.17 2017-05-05 10:02:17 -07:00
Carter Harwood 6e312fd009 Minor spelling correction: lenght => length 2017-05-05 10:42:33 -05:00
Brent Cook 2e880c9fdf move module template to an ERB 2017-05-05 01:16:54 -05:00
Jeffrey Martin 3bc4ac68dc
merge all available keys for login storage 2017-05-04 22:51:48 -05:00
Jeffrey Martin 63b6ab5355
simplify valid credential storage 2017-05-04 22:51:40 -05:00
darkbushido fee0fb5e90 Missed an LHOST option
making OptAddressLocal inherit from OptAddress
2017-05-04 12:57:50 -05:00
darkbushido 81bcf2ca70 updating all LHOST to use the new opt type 2017-05-04 12:57:50 -05:00
darkbushido a6afd0b9bf adding in a new option type
this will grab the first ipv4 address on a given iface
2017-05-04 12:55:46 -05:00
itsmeroy2012 73be4f1c2e Adding StagerRetryWait option in reverse_tcp_ssl 2017-05-04 14:51:40 +05:30
Adam Cammack 494711ee65
Land #8307, Add lib for writing Python modules 2017-05-02 15:53:13 -05:00
Adam Cammack ba9010730a
Minor cleanup 2017-05-02 15:52:21 -05:00
Pearce Barry 1b58a4f392
Land #8329, Make `help route` more informative 2017-05-02 14:19:58 -05:00
Metasploit 2f1df4d4c2
Bump version of framework to 4.14.16 2017-05-02 11:11:20 -07:00
James Lee bf2abaeeaf Make `help route` more informative 2017-05-02 11:07:08 -05:00
Brent Cook b7d6be05ee split python loader from generic implementation 2017-05-01 16:10:12 -05:00
William Vu 585fac0457 Fix nil bug when creating nonexistent encoder
Found by irthewinner on IRC.
2017-04-30 03:43:51 -05:00
William Vu e026a8c663
Fix typo (s/Remote/Reverse/) in portfwd -L
Found by ThePortWhisperer on IRC.
2017-04-29 00:10:13 -05:00
Brandon Knight f8fb03682a Fix issue in ps_wmi_exec and powershell staging
The staging function in the post/windows/powershell class was broken
in a previous commit as the definition for env_variable was removed and
env_prefix alone is now used. This caused an error to be thrown when
attempting to stage the payload. This changes the reference from
env_variable to env_prefix.

Additionally, the ps_wmi_exec module created a powershell script to be
run that was intended to be used with the EncodedCommand command line
option; however the script itself was never actually encoded. This
change passes the compressed script to the encode_script function to
resolve that issue.
2017-04-28 03:31:56 -04:00
Pearce Barry 5450e96204
Land #8306, fix #8305, escape unadorned periods within SMTP payloads 2017-04-27 17:51:14 -05:00
itsmeroy2012 cd73bd137a Making use of while loop and solving StagerRetryWait issue 2017-04-27 11:50:13 +05:30
William Vu 7a6a124272
Land #8279, POSIX Meterpreter replaced by Mettle 2017-04-26 18:32:17 -05:00
Brent Cook a57067c4a7 append metasploit lib to PYTHONPATH 2017-04-26 18:13:46 -05:00
Brent Cook 037fdf854e move common json-rpc bits to a library 2017-04-26 18:08:08 -05:00
Brent Cook 43ac2c339e
Land #8291, Acunetix XML import improvements 2017-04-26 17:38:52 -05:00
Brent Cook 353191992f move mettle payloads to meterpreter, add reverse_http/s stageless 2017-04-26 17:06:34 -05:00
Brent Cook 288cb6536d fix #8305, escape unadorned periods in the front of SMTP payloads 2017-04-26 16:05:46 -05:00
Pearce Barry c4f1130619
Acunetix XML import improvements.
This patch updates the MSF db_import functionality  w.r.t. importing Acunetix XML files to do the following:

 - import web vulnerabilities identified by Acunetix
 - import all services for each scanned host
  - does not pull in the specifc program/version name of each service, as that's pretty loosely formatted in the Acunetix XML
2017-04-26 12:16:20 -05:00
Spencer McIntyre 3347af24ba Add some basic libc definitions for railgun 2017-04-25 15:12:39 -04:00
Spencer McIntyre 9c60c3ee46 Support platform specific railgun constants 2017-04-25 14:36:15 -04:00
Brent Cook 6f763a616d
Land #8225, Expose the shared wifi profile dumping feature in Mimikatz 2017-04-25 11:23:34 -05:00
Craig Smith aeed81de29 Code cleanup from Rubocop output
Signed-off-by: Craig Smith <agent.craig@gmail.com>
2017-04-24 20:42:03 -07:00
Craig Smith c2296dcd1b Addes 'isotpsend' command to interactive commands to send ISO-TP related queries
Signed-off-by: Craig Smith <agent.craig@gmail.com>
2017-04-24 20:42:03 -07:00
Craig Smith 36026ba8b4 Fixed active buses not being recorded. The 'connect' command now works for other extensions as well as modules. Added TesterPresent background packet transmissions to hold debugging sessions open.
Signed-off-by: Craig Smith <agent.craig@gmail.com>
2017-04-24 20:42:03 -07:00
Craig Smith 2012ebf38f Fixed bug with a duplicate ID in hash for errors
Signed-off-by: Craig Smith <agent.craig@gmail.com>
2017-04-24 20:42:03 -07:00
Craig Smith 406051a3ff Added more session management to hwbridge. Commands 'sessions' and 'background' added.
Signed-off-by: Craig Smith <agent.craig@gmail.com>
2017-04-24 20:42:03 -07:00
Craig Smith 5537348e28 Addes Statistics support from the API. When typing status in a hardware bridge it will also print packet statistics.
Signed-off-by: Craig Smith <agent.craig@gmail.com>
2017-04-24 20:42:03 -07:00
Craig Smith c4a6cc1907 Array was being checked with even? and should be array.size.even?
Signed-off-by: Craig Smith <agent.craig@gmail.com>
2017-04-24 20:42:03 -07:00
Spencer McIntyre daf8833174 Refactor a bunch of windows_name references 2017-04-24 19:54:00 -04:00
Spencer McIntyre 3cc089bcef Support loading platform specific railgun defs 2017-04-24 19:46:56 -04:00
Spencer McIntyre d3a759d631 Make changes for initial linux railgun support 2017-04-24 17:11:27 -04:00
itsmeroy2012 bd2379784e Improved error handling for the python reverse_tcp payload
Handling all kinds of errors

Removing 'e'

Updating payload cached sizes

Updating payload cached sizes 2.0

Adding option to set retry time
2017-04-23 20:43:57 +05:30
Metasploit 89e81253ed
Bump version of framework to 4.14.15 2017-04-21 10:02:32 -07:00
Brent Cook 6b37e1ecfc
Land #8268, Improve metasploit-aggregator UX 2017-04-21 11:21:49 -05:00
Jeffrey Martin 32da0ed3d7
fix some comment typos 2017-04-19 14:14:26 -05:00
Metasploit f90911e09e
Bump version of framework to 4.14.14 2017-04-19 09:35:29 -07:00
David Maloney 8d4ccb5d51
SMB over NtBIOS no longer works
don't try to run the smb loginscanner
against port 139
2017-04-18 13:34:00 -05:00
Metasploit 05e15cee18
Bump version of framework to 4.14.13 2017-04-18 08:17:22 -07:00
David Maloney 9634248211
treat socket reads as a connection error
treat failures to read from the socket
as a connection error
2017-04-17 21:58:22 -05:00
David Maloney a597de516d
actually use the coerced values 2017-04-17 11:24:57 -05:00
David Maloney bbdf06af5d
coerece nil credentials to empty strings
rubySMB doesn't take nils for credential data, so coerce any nils into
empty strings bfore sending it on
2017-04-17 11:17:09 -05:00
Brent Cook 7b936b0012
Land #8184, convert IPMI protocol and modules to bindata 2017-04-17 07:40:15 -05:00
nixawk 484a545629 Replace exe.rb double variable declare 2017-04-16 22:38:49 -05:00
Brent Cook 67047cf770 Revert "Fixes MS-1716, keep sessions in progress alive."
This reverts commit e5d0370a94.
2017-04-16 15:52:22 -05:00
Brent Cook 7950087804 Merge branch 'upstream-master' into land-8237- 2017-04-14 21:53:26 -05:00
William Webb cbebc5dc39
really remove errant keyscan_extract() call 2017-04-14 15:21:11 -05:00
Brent Cook 42122d2835
Land #8238, move SMB2 support back into smb_login, add simpler permissions checks 2017-04-14 14:06:46 -05:00
Brent Cook b8e14d7543 Merge branch 'upstream-master' into land-8224- 2017-04-14 12:55:29 -05:00
Metasploit 036d579228
Bump version of framework to 4.14.12 2017-04-14 10:04:35 -07:00
Brent Cook a3fc6791ca
Land #8217, don't log empty attributes if they are ignored 2017-04-13 22:08:23 -05:00
Brent Cook bb0a0b5cd9 apply empty attribute fix in more places, simplify and unify 2017-04-13 22:07:10 -05:00
David Maloney 91fb3ce6b8
collapse SMB2 support into smb_login
converge the SMB and SMB loginscanners so that
there is only one SMB loginscanner that supports both

MS-2636
2017-04-13 15:22:03 -05:00
David Maloney 89bd110422
reinsert guest checks and uniq fallback
add checks back from original loginscanner

MS-2636
2017-04-13 14:55:37 -05:00
David Maloney adeb4d10d7
smb2 login scanner admin check now working
we can now check for admin privs in the smb2
login scanner

MS-2636
2017-04-13 14:40:32 -05:00
William Webb 303a767ccc
bring ukl branch up to date with upstream 2017-04-12 21:59:13 -05:00
Metasploit ced1412ee0
Bump version of framework to 4.14.11 2017-04-12 14:39:40 -07:00
Brent Cook bb64f5d7e3
Land #8230, Sum the results of the module loaders 2017-04-12 11:51:03 -05:00
William Webb c21d78b23b
Land #8186, Convert DNS Fuzzer to use bindata 2017-04-11 23:27:08 -05:00
Adam Cammack 2d8001aa62
Sum the results of the module loaders
Fixes #8229
2017-04-11 23:21:58 -05:00
Adam Cammack 3cf51b7d43
Remove external module debugging code
Causes EACCESS when run by separate users.

Fixes #8226
2017-04-11 09:29:02 -05:00
OJ 271da4b4a5
Add new shared wifi profile dumping from kiwi 2017-04-11 22:01:52 +10:00
OJ 6983b0f857
Update the kiwi extension to show correct version number 2017-04-11 20:23:56 +10:00
darkbushido e0ecf0972e
dropping extra spaces 2017-04-10 15:19:36 -05:00
darkbushido 099cf87e54
Catching errors where we are passing invalid attributes
We need to pass :task down for some functionality in pro.
while the error is valid we really shouldnt be passing the task all the way down if its blank but we need
the check there or we will end up with the same problem with pro.
2017-04-10 15:05:53 -05:00
Brent Cook 0189c40317 compromise 2017-04-09 15:03:05 -05:00
Brent Cook d9ba993d25 handle general failure getting module info for external modules 2017-04-09 11:50:03 -05:00
Metasploit 7fc05bcb25
Bump version of framework to 4.14.10 2017-04-07 10:07:31 -07:00
Brent Cook b1bd92d57c
Land #8197, fix HttpTrace with chunked encoding 2017-04-07 11:52:50 -05:00
William Vu 3103decc98 Add -H/--history-file to msfconsole
Save command history to an alternative file instead of ~/.msf4/history.
2017-04-07 03:00:37 -05:00
OJ 5a754a0333
Land #8157 - Fix missing dll_data var in parse_pe 2017-04-07 09:55:12 +10:00
Christian Mehlmauer 3c260ea452
fix #7921, HttpTrace and chunked encoding 2017-04-05 22:58:11 +02:00
Elijah Frederickson 9e89567ce5 Fix #8191 (msfvenom cannot create exe-service)
Fixes issue #8191: Cannot create exe-service from msfvenom
2017-04-05 12:49:46 -04:00
Metasploit 4e79aaccb7
Bump version of framework to 4.14.9 2017-04-04 16:14:28 -07:00
James Barnett bd21d2811b
Update client to use TLS1.2 2017-04-04 17:57:07 -05:00
Brent Cook ed0e539249 handle sending bindata structs 2017-04-04 03:03:27 -05:00
Brent Cook 5f88971ca9 convert NTP modules to bindata 2017-04-04 02:57:38 -05:00
Brent Cook 46c7e822c8 convert IPMI protocol and modules to bindata 2017-04-04 02:44:17 -05:00
William Vu 94a0b4b06c Stop special-casing masscan 2017-04-04 00:33:13 -05:00
William Vu 95c4dd8108 Prefer start_with? over =~
Oops, old habit.
2017-04-03 02:38:50 -05:00
William Vu 7de2aa1a63 Update Nmap parser to handle masscan
masscan is missing <status>, meaning hosts aren't treated as alive.

Thanks to @jhart-r7 and @jlmurray for working on this previously.
2017-04-03 02:26:14 -05:00
Brent Cook 98ffa4d380
Land #7652, add varnish cache CLI authentication scanner module 2017-04-02 21:52:45 -05:00
Brent Cook 4c0539d129
Land #8178, Add support for non-Ruby modules 2017-04-02 21:02:37 -05:00
Adam Cammack 2de8f1b97d
Fixups for specs 2017-03-31 22:19:53 -05:00
Adam Cammack a3e196e31e
Support arbitrary external command_stager exploits
So much done, so much more to do.
2017-03-31 17:06:28 -05:00
Metasploit 9edc08cd36
Bump version of framework to 4.14.8 2017-03-31 14:38:29 -07:00