Commit Graph

7729 Commits (a41768fd7d04e8b1ba0edf56b5b953eb8918bdff)

Author SHA1 Message Date
jvazquez-r7 778f34bab6 Allow targets and modules to define compatible stagers 2014-06-27 08:34:55 -04:00
jvazquez-r7 74a6de828a Cannot delete @cmd_list, is used at least by one module 2014-06-27 08:34:55 -04:00
jvazquez-r7 7ced5927d8 Use One CMDStagermixin 2014-06-27 08:34:55 -04:00
jvazquez-r7 0a99b549d6 Change filenames 2014-06-27 08:34:55 -04:00
jvazquez-r7 cff580162b Move stagers 2014-06-27 08:34:55 -04:00
Spencer McIntyre 9991316ae6 Minor code cleanup and honor the datastore decoder. 2014-06-27 08:34:55 -04:00
Spencer McIntyre 80bdf750e9 Multi-fy the new printf stager and add to sshexec. 2014-06-27 08:34:55 -04:00
Spencer McIntyre ae25c300e5 Initial attempt to unify the command stagers. 2014-06-27 08:34:55 -04:00
Matt Buck 27ef12bafe
Land #3478, disallow port 0 for portspec
[Closes #3478]
2014-06-25 15:46:30 -05:00
Chris Doughty 9b35b0e13a Revert "Land #3446 -- Meterpreter bins gem switch" due to build failures
This reverts commit bba8bd3498, reversing
changes made to 002234993f.
2014-06-25 13:24:07 -05:00
David Maloney 97d08a081a
reverting port 0 behaviour in portspec
a change was made to protspec that allowed port 0
when we explicitly dissallowed port 0. This change caused
other code that depended on this behaviour to break
2014-06-25 13:07:22 -05:00
OJ 769f2e4936 Change elevator to 'elevator'
This would have made lots of people uhnappy.
2014-06-25 07:47:47 +10:00
OJ ac03b7c96a Use sorted sets extension lists 2014-06-25 03:26:25 +10:00
OJ 0fc4d10813 Fix indentation for case statements 2014-06-25 03:18:37 +10:00
OJ bba8bd3498
Land #3446 -- Meterpreter bins gem switch 2014-06-25 03:00:11 +10:00
HD Moore 002234993f
SMB lib fixes, unattend.xml cred gathering 2014-06-23 20:08:42 -05:00
HD Moore b872fa0f0d Handle smb_recv corner case with a cache, clean up find_*, cosmetic 2014-06-23 16:14:18 -05:00
HD Moore 94388e3931 Fix typo in the constant name 2014-06-23 12:51:26 -05:00
HD Moore d6a263d538 Identify the hung host in the thread info 2014-06-22 16:01:03 -05:00
HD Moore 538a520445 Remove redundant option (threads are always used in reverse_tcp_double) 2014-06-22 16:00:44 -05:00
HD Moore b3d83720ca Add ReverseListenerThreaded option to prevent deadlocks
JodaZ reported that the handle_connection() sock.put call can
result in the entire reverse_tcp stager hanging if the client
stops receiving or is on a very slow link. The solution emulates
what ReverseTcpDouble already does, which is stage each connection
in a new thread. However, given that a high number of threads
can be a problem on some operating systems (*ahem* win32) this
option is not enabled by default.

We should look into thread pooling and handle_connection() timeouts
as well as event-based polling of multiple clients as alternatives,
but this option will improve the situation for our existing users.
2014-06-22 15:55:20 -05:00
HD Moore 6e5f528332 Prevent stager deadlock if inp/out detection hangs for some reason
Even though there are calls to has_read_data(), it doesn't prevent
the put() call from blocking in a dead client or slowaris-like
situation. By moving the inp/out detection into the thread, we
allow the main handler to keep processing connections even if
a single connection hangs.
2014-06-22 15:25:19 -05:00
Spencer McIntyre 05d4a1ab2c
Land #3342, Support negation in portspec 2014-06-21 18:14:50 -04:00
Tod Beardsley 2626450c38
Fix indent per @jlee-r7'e eagle eye 2014-06-20 11:52:47 -05:00
jvazquez-r7 4203e75777
Land #3408, @m-1-k-3's exploit for D-Link hedwig.cgi OSVDB 95950 2014-06-20 10:27:32 -05:00
Tod Beardsley 2a4ed0e651
Replace all the obvious path calls to Meterpreter
Unfortunately, though, there seems to be a stealthy set, somewhere, of
datastore['DLL']. Not sure where yet. The stack trace in the
framework.log is:

````
[06/19/2014 17:53:34] [i(0)] core: windows/meterpreter/reverse_http: iteration 1: Successfully encoded with encoder x86/fnstenv_mov (size is
366)
[06/19/2014 17:53:35] [e(0)] rex: Proc::on_request: Errno::ENOENT: No such file or directory -
/home/todb/git/rapid7/metasploit-framework/data/meterpreter/metsrv.x86.dll

/home/todb/git/rapid7/metasploit-framework/lib/msf/core/reflective_dll_loader.rb:26:in `initialize'
/home/todb/git/rapid7/metasploit-framework/lib/msf/core/reflective_dll_loader.rb:26:in `open'
/home/todb/git/rapid7/metasploit-framework/lib/msf/core/reflective_dll_loader.rb:26:in `load_rdi_dll'
/home/todb/git/rapid7/metasploit-framework/lib/msf/core/payload/windows/reflectivedllinject.rb:56:in `stage_payload'
/home/todb/git/rapid7/metasploit-framework/lib/msf/core/handler/reverse_http.rb:212:in `on_request'
/home/todb/git/rapid7/metasploit-framework/lib/msf/core/handler/reverse_http.rb:129:in `block in setup_handler'
/home/todb/git/rapid7/metasploit-framework/lib/rex/proto/http/handler/proc.rb:38:in `call'
/home/todb/git/rapid7/metasploit-framework/lib/rex/proto/http/handler/proc.rb:38:in `on_request'
/home/todb/git/rapid7/metasploit-framework/lib/rex/proto/http/server.rb:365:in `dispatch_request'
/home/todb/git/rapid7/metasploit-framework/lib/rex/proto/http/server.rb:299:in `on_client_data'
/home/todb/git/rapid7/metasploit-framework/lib/rex/proto/http/server.rb:158:in `block in start'
/home/todb/git/rapid7/metasploit-framework/lib/rex/io/stream_server.rb:48:in `call'
/home/todb/git/rapid7/metasploit-framework/lib/rex/io/stream_server.rb:48:in `on_client_data'
/home/todb/git/rapid7/metasploit-framework/lib/rex/io/stream_server.rb:192:in `block in monitor_clients'
/home/todb/git/rapid7/metasploit-framework/lib/rex/io/stream_server.rb:190:in `each'
/home/todb/git/rapid7/metasploit-framework/lib/rex/io/stream_server.rb:190:in `monitor_clients'
/home/todb/git/rapid7/metasploit-framework/lib/rex/io/stream_server.rb:73:in `block in start'
/home/todb/git/rapid7/metasploit-framework/lib/rex/thread_factory.rb:22:in `call'
/home/todb/git/rapid7/metasploit-framework/lib/rex/thread_factory.rb:22:in `block in spawn'
/home/todb/git/rapid7/metasploit-framework/lib/msf/core/thread_manager.rb💯in `call'
/home/todb/git/rapid7/metasploit-framework/lib/msf/core/thread_manager.rb💯in `block in spawn'

````

Still tracking this down.
2014-06-19 18:03:11 -05:00
jvazquez-r7 a0386f0797 Fix cmd_concat_operator 2014-06-19 15:52:55 -05:00
James Lee 594923c790
Don't overwrite ENV if it's set 2014-06-18 14:53:41 -05:00
James Lee 5beb43d200
Land #3022, support Gemfile.local 2014-06-18 14:28:57 -05:00
Michael Messner 86f523f00c concator handling 2014-06-18 18:15:58 +02:00
OJ 5879ca3340
Merge branch 'upstream/master' into meatballs x64_injection 2014-06-18 10:24:33 +10:00
scriptjunkie d38a95a352 Merge branch 'bugfixes/post-module-execution-causing-duplicate-search-results' of github.com:nstarke/metasploit-framework into nstarke-bugfixes/post-module-execution-causing-duplicate-search-results 2014-06-15 13:15:57 -05:00
Tim Wright 9b43749916
Land #3418 - android adobe reader addjisf pdf exploit
Merge branch 'landing-3418' into upstream-master
2014-06-14 11:25:29 +01:00
Michael Messner 894af92b22 echo stager, arch_cmd 2014-06-13 11:40:50 +02:00
Tod Beardsley cbedea222f
Land #3416 again, now that the bins are available
This reverts commit 3d73414530.
2014-06-12 14:53:03 -05:00
Tod Beardsley 3d73414530 Revert #3416, needs the correct bins first
This was a whoops on my part. I will reland this when I have the
Meterpreter bins all sorted.

This reverts commit 40b5405053, reversing
changes made to 86e4eaaaed.
2014-06-12 14:20:06 -05:00
Tod Beardsley 40b5405053
Land #3416, fix DWORD/QWORD bug 2014-06-12 13:59:34 -05:00
joev 289bae88de
Remove lie in comment. 2014-06-12 10:02:29 -05:00
sinn3r 2a7227f443
Land #3427 - Adds webcam module for firefox privileged sessions on OSX 2014-06-11 22:27:25 -05:00
Tod Beardsley 4b8961a464
Land #3428, deprecation warns for payloads 2014-06-11 09:57:07 -05:00
Tod Beardsley b379dc014a
Avoid double-printing with setup and init_ui 2014-06-10 13:57:25 -05:00
Meatballs bf1a665259
Land #2657, Dynamic generation of windows service executable functions
Allows a user to specify non service executables as EXE::Template as
long as the file has enough size to store the payload.
2014-06-07 13:28:20 +01:00
Meatballs 897ad6f963
Some service yarddoc 2014-06-07 13:27:32 +01:00
Meatballs 5218ca4d89
Give warning on module load 2014-06-06 23:04:40 +01:00
joev d990fb4999
Remove a number of stray edits and bs. 2014-06-06 16:24:45 -05:00
joev 4a9f50bb60 Clean up some dead code. 2014-06-06 16:20:40 -05:00
joev 7c762ad42c Fix some minor bugs in webrtc stuff, inline API code. 2014-06-06 16:18:39 -05:00
Meatballs 4a699c2852
Merge remote-tracking branch 'upstream/pr/3416' into x64_injection 2014-06-06 20:37:12 +01:00
Brandon Turner bacf82acb1
Merge branch 'release' into 'master' 2014-06-06 09:59:00 -05:00
Brandon Turner 21be4f21a6
Bump version to 4.9.3 2014-06-06 09:52:01 -05:00
OJ a53955adb7 Updated more UINT TLVs to QWORDS
All with the goal of removing more pointer truncation issues.
2014-06-04 20:55:20 +10:00
joev cf6b181959 Revert change to trailer(). Kill dead method.
* I verified that changes to PDF mixin do not affect any older modules that
generate PDF. I did this by (on each branch) running  in irb, then
running the module and diffing the pdf's generated by each branch. There were
no changes.
2014-06-02 22:26:14 -05:00
joev 9f5dfab9ea Add better interface for specifying custom #eol. 2014-06-02 22:26:11 -05:00
joev 09e965d54e Remove extraneous method from pdf.rb 2014-06-02 22:26:03 -05:00
joev feca6c4700 Add exploit for ajsif vuln in Adobe Reader.
* This refactors the logic of webview_addjavascriptinterface into a mixin (android.rb).
* Additionally, some behavior in pdf.rb had to be modified (in backwards-compatible ways).

Conflicts:
	lib/msf/core/exploit/mixins.rb
2014-06-02 22:25:55 -05:00
Tod Beardsley d0d389598a
Land #3086, Android Java Meterpreter updates
w00t.
2014-06-02 17:28:38 -05:00
William Vu bba741897e
Land #3413, improved FileDropper cleanup message 2014-06-02 11:05:48 -05:00
Christian Mehlmauer 428df19739
Changed message 2014-06-02 17:28:09 +02:00
Meatballs e3a20ae073
Merge remote-tracking branch 'upstream/pr/3416' into x64_injection 2014-06-01 16:10:53 +01:00
OJ 8346e20bf1 Change memory types from DWORD to QWORD
This was causing memory allocations to fail on x64 in cases where
the higher bits were set in addresses.
2014-06-01 21:27:07 +10:00
Meatballs f0e9a9010e
Return nil if fail 2014-06-01 11:55:40 +01:00
Meatballs a4ecd8e02d
Should return the thread object 2014-06-01 11:49:56 +01:00
Meatballs 58ee2ccd6e
Land #3390, Fix have_powershell 2014-06-01 10:43:35 +01:00
Christian Mehlmauer 03b4a29662
Clarify filedropper error message 2014-05-31 22:17:32 +02:00
Tom Sellers aa85cb8195 Update powershell.rb 2014-05-29 05:46:32 -05:00
Tom Sellers ae1b7e564b Update powershell.rb 2014-05-27 05:18:00 -05:00
William Vu 704e4d78ca
Fix typo in client_request.rb comment 2014-05-26 23:55:48 -05:00
William Vu 0133e861f8
Fix typo 2014-05-26 23:55:20 -05:00
William Vu 352e14c21a
Land #3391, all vars_get msftidy warning fixes 2014-05-26 23:41:46 -05:00
Meatballs 1914e0abd3
Land 3393, Add session and framework vars to irb 2014-05-26 18:50:20 +01:00
jvazquez-r7 994891e9c5
Land #3383, @wchen-r7's [FixRM #8804] Fix / URIPATH for BrowserExploitServer 2014-05-25 19:51:30 -05:00
Spencer McIntyre 77e70d8bbe Add 2 more variables for meterpreter irb 2014-05-25 16:28:40 -04:00
Christian Mehlmauer da0a9f66ea
Resolved all msftidy vars_get warnings 2014-05-25 19:29:39 +02:00
Tom Sellers 42a17cc085 Update powershell.rb
To be clear, the shell that was tested with was 'windows/shell_reverse_tcp' delivered via 'exploit/windows/smb/psexec'

Additional changes required to fix regex to support the multiline output.  Also, InstanceId uses a lower case 'D' on the platforms I tested - PowerShell 2.0 on Windows 2003, Windows 7, Windows 2008 R2 as well as PowerShell 4.0 on Windows 2012 R2.

This method doesn't appear to be used anywhere in the Metasploit codebase currently.
2014-05-25 08:59:42 -05:00
Tom Sellers 76b9273f10 Improve reliability of have_powershell
I have a case where on a Windows 2008 R2 host with PowerShell 2.0 the 'have_powershell' method times out.  When I interactively run the command I find that the output stops after the PowerShell command and the token from 'cmd_exec' is NOT displayed.  When I hit return the shell then processes the '&echo <randomstring>' and generates the token that 'cmd_exec' was looking for.  I tried various versions of the PowerShell command string such as 'Get-Host;Exit(0)', '$PSVErsionTable.PSVersion', and '-Command Get-Host' but was unable to change the behavior.  I found that adding 'echo. | ' simulated pressing enter and did not disrupt the results on this host or on another host where the 'have_powershell' method functioned as expected.

There may be a better solution, but this was the only one that I could find.
2014-05-25 08:07:38 -05:00
Lutz Wolf fc5436417b Simplification 2014-05-24 23:45:21 +02:00
Lutz Wolf 4fc6e402dc Allow port 0 2014-05-24 23:44:50 +02:00
joev ae3c334232 Getting closer. Still something f'd with local answerer.html. 2014-05-22 17:14:35 -05:00
sinn3r 1dbe972377 Fix URIPATH / for BrowserExploitServer
[SeeRM #8804] Fix URIPATH / for BrowserExploitServer
2014-05-22 12:18:49 -05:00
William Vu d31908b72e
Land #3374, RPC deadlock fix
[FixRM #8794]
2014-05-22 12:07:23 -05:00
joev 14b796acbf First stab at refactoring webrtc mixin. 2014-05-21 15:32:29 -05:00
Meatballs 92669cd4d6
Use parser 2014-05-20 22:26:13 +01:00
Meatballs 0a2b79ccd1
Tidyup parser 2014-05-20 22:04:59 +01:00
Meatballs 09af023a71
Merge in parser 2014-05-20 21:56:35 +01:00
Meatballs 15313a9ab1
Dont try to read 0 structs 2014-05-20 21:55:04 +01:00
James Lee d2ebab09aa
Add timeout for SSL renegotiation after migrating
[SeeRM #8794]
2014-05-16 15:42:46 -05:00
James Lee 472f029576
Fix random bug when workstation_name is < 6 chars
When the local workstation name is less than 6 characters, remote
authentication against a Windows 2008r2 WinRM service always fails. This
doesn't seem to affect authentication against IIS's negotiate
implementation.
2014-05-15 13:27:37 -05:00
nstarke 048aebbdf2 Search Result Uniqueness
SeeRM #8754

Cast the results of the query to an array and perform the uniq
function passing a block which provides uniqueness based
on the return value, which in this instance is ‘fullname’
This was done because the uniq function in AREL cannot take
a specific field for uniqueness, and the sophistication of the query
make grouping nearly impossible.  Initial testing showed negligible
speed difference to the user.
2014-05-15 17:52:11 +00:00
nstarke b85403ab8f Revert "POST module duplicate search results"
This reverts commit 0bca3a2d54.
2014-05-15 16:05:47 +00:00
William Vu 773fd7a9cb
Fix up whitespace 2014-05-14 15:31:40 -05:00
William Vu 340956f294
Add a newline after DISCLOSURE_DATE_FORMAT 2014-05-14 15:28:07 -05:00
Christian Mehlmauer dc7a8d32d8
Land #3324, msfconsole search timestamp fixes 2014-05-14 21:30:02 +02:00
nstarke bb6201d66d Fixing nil bug and making format constant
The date format has been moved into a constant variable.
Certain modules do not have a disclosure_date.  For example,
‘checkvm’.  This necessitated checking disclosure_date for nil
before attempting a format conversion.  Also, there was an additional
location in core.rb that needed the formatting / nil check added.  Specs
were also updated appropriately.
2014-05-14 15:51:42 +00:00
William Vu 9fbda3eae0
Land #3183, tab completion improvements 2014-05-14 02:20:12 -05:00
William Vu fdbfaacdf6
Land #3313, progress feedback for PASS_FILE
[FixRM #8704]
2014-05-14 02:03:39 -05:00
William Vu 1ada4831e0
Land #3293, module deprecation constants 2014-05-14 01:37:29 -05:00
William Vu de49241195
Land #3185, regex option validation 2014-05-14 01:27:18 -05:00
agix 1a3b319262 rebase to use the mixin psexec 2014-05-13 16:04:40 +02:00
agix 87be2e674a Rebase on https://github.com/rapid7/metasploit-framework/pull/2831 and adapt to the new mixin 2014-05-13 16:04:40 +02:00
Florian Gaultier 808f87d213 SERVICE_DESCRIPTION doesn't concern this PR 2014-05-13 16:04:39 +02:00