Commit Graph

1133 Commits (a45d0aed53722f7c2e3b2606adb9e4fdf39d0df9)

Author SHA1 Message Date
Brent Cook 05e4af8162
Land #5214, initial meterpreter session recovery support 2015-05-04 16:25:27 -05:00
Brent Cook e6ea5511ca update linux and windows meterpreters to use metasploit-payloads 2015-05-04 09:44:36 -05:00
Brent Cook f42334414a add recursion limit 2015-05-04 04:00:58 -05:00
Brent Cook 7ff3044552 style cleanups and guard search where not implemented 2015-05-04 03:56:17 -05:00
Brent Cook 8cab350275 use the search API when downloading recursive patterns 2015-05-04 03:56:17 -05:00
Brent Cook eefc6f78c6 avoid redownloading files that have not changed 2015-05-04 03:56:16 -05:00
Brent Cook 9672a59b05 support download globbing 2015-05-04 03:56:16 -05:00
Brent Cook 43be856b95 keep the glob going into subdirectories 2015-05-04 03:56:16 -05:00
Brent Cook 8617115483 simplify arg parsing, compute initial stat path correctly 2015-05-04 03:56:15 -05:00
Brent Cook d934027b3b expand glob match 2015-05-04 03:56:15 -05:00
Brent Cook 866955b6fd added -R recursive, glob filtering and a dummy '-l' option 2015-05-04 03:56:14 -05:00
HD Moore a577bef9c3 Rework dirty cleanup to use skip_cleanup instead 2015-05-04 03:52:55 -05:00
HD Moore e7ba6e8a9a Speed up dead session cleanup by skipping shutdown/cleanup 2015-05-04 03:40:48 -05:00
HD Moore 3080feb188 Track the machine_id and drop non-responsive sessions automatically 2015-05-04 03:22:29 -05:00
OJ 451484cb0d Add support for transport listing
Includes a verbose flag for the extra HTTP/S properties
2015-05-04 11:19:53 +10:00
HD Moore 8ca66e03aa Track and display the last checkin time for Meterpreter sessions 2015-05-03 10:52:54 -05:00
OJ 2189c6d868 Pass timeouts to clients and correctly patch timeouts
Timeouts are correctly passed through to the client instances from the
handlers. The client also passes those values through to the RDI code so
that the binaries are correctly patched.
2015-05-02 10:01:32 +10:00
David Maloney acb833bd09
NTDS::Parser class built out
the NTDS Parser class will take a meterpreter
client and a filepath and provide an enumerator for reading
out the user accounts as ruby objects

MSP-12357
2015-04-30 14:57:30 -05:00
OJ 8ddd7a4891 Fix session removal code, prevent missing transport param fail 2015-04-30 22:39:48 +10:00
OJ 919b96e4cf Fix up UUID handling 2015-04-28 21:59:19 +10:00
OJ 4f9c8d04a2 Add support for moving transports and uuid fetching
The 'next' and 'prev' commands were added so that the session can jump
transports without having to add new ones at the same time.

There's also a command which gives the UUID now so that this can be
reused across sessions.
2015-04-28 20:24:44 +10:00
OJ f711e5dee7 Update migration support
Migration now uses the new meterpreter loader. Migration configuration
is loaded and created by meterpreter on the fly, and supports the
multiple transport stuff that's just been wired in.
2015-04-28 17:41:43 +10:00
Tod Beardsley 9aaa2ec8cc
First pass at making webcam_chat more functional 2015-04-27 16:23:35 -05:00
David Maloney 6c77c4bb52
opening groundwork
added a priv extension method to open
a stream channel to read ntdsaccounts from
and an NTDS account class to accept the
data and parse it into a usable structure

MSP-12357
2015-04-24 15:50:12 -05:00
Spencer McIntyre edbf9b766f
Land #5100, @bcook-r7's deletekey API usage fix
Fixes #5099
2015-04-21 12:58:02 -04:00
OJ c8bab6ace1 Fix help for timeouts 2015-04-21 20:35:46 +10:00
OJ f654fea9b3 Adjust transport command to work with posix 2015-04-21 20:16:57 +10:00
OJ 86957d9b07
Merge branch 'upstream/master' into connection-recovery 2015-04-21 20:01:59 +10:00
OJ 97912882ca Adjustments for POSIX meterpreter patching 2015-04-17 19:53:05 +10:00
Brent Cook 3107d99b9a Use the same URI that was registered when we deregister
The original URI is registered as '/foobar/' but is deregistered as
'//foobar/', causing it to never get deregistered. Changing this fixes
unregistration of the service handler for staged payloads, but stageless
doesn't work properly if the URI actually gets deregistered.
2015-04-17 03:20:24 -05:00
Brent Cook 18225780da cleanup HTTP and HTTPS listeners when sessions are closed
Rather than listening forever after a session shuts down, close the session if
there are no other URIs registered on the listener. This allows reconfiguring
the listener without restarting framework, but should be safe for situations
where multiple modules share the same listener.
2015-04-17 02:41:24 -05:00
OJ 0a8b29dd86 Merge branch 'upstream/master' into connection-recovery
Conflicts:
	lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb
2015-04-17 14:40:21 +10:00
Brent Cook 75b559eea3
Land #5081, meterpreter certificate hash check controls 2015-04-14 10:46:13 -05:00
OJ 1c5de59d99 Add support for the set of timeout values
This removes the need for a separate get call behind the scenes as
meterpreter does get and set in a single call.
2015-04-13 10:42:05 +10:00
OJ ec7fab7ef6 Add support for getting transport timeouts 2015-04-13 10:07:50 +10:00
William Vu d5903ca5b2
Land #5126, Meterpreter edit command fix 2015-04-10 17:19:33 -05:00
William Vu 8acc768da7 Copy documentation 2015-04-10 17:17:54 -05:00
rwhitcroft 64c2bf3227 don't raise exception if file download fails 2015-04-10 16:23:33 -04:00
rwhitcroft b5f4b72b51 fix timestomp arg parsing 2015-04-10 00:28:35 -04:00
OJ 809409d8c4 Lots of changes to support moving timeouts to common spots
Session expiry, comms timeout, retry total/wait are all now part of all
of the meterpreter payloads as these are going to be used for
maintaining access with resiliency and will aim for consistency across
the payload types.
2015-04-09 17:57:43 +10:00
Anant Shrivastava 2b5ba7d12d fixed a typo
a typo fixed in help. 
command and not commannd
2015-04-09 12:11:46 +05:30
Roberto Soares 1591c92547 Add the "all" option for the uictl 2015-04-09 01:04:50 -03:00
Brent Cook db9a3d167a fix deletekey API usage from the meterpreter CLI
There is an old-looking bug where the deletekey command opens the key it tries
to delete, then deletes the same key name again. Basically, it uses the wrong
level of indirection.
2015-04-07 15:34:23 -05:00
OJ 53d5b97634 Add support for UUID generation in transport switching
If the session doesn't have a payload UUID we now generate one as best
we can. This code will probably go away when TCP related transports have
had the UUID stuff baked in.
2015-04-07 17:25:55 +10:00
OJ 15313243cc Use UUID instead of old skool URIs
This uses HD's UUID stuff to generate a new URI for the transport.
Currently we don't have UUID support for TCP connections, but that's
coming.

Still to do: generation of a valid UUID for payloads that don't already
have one.
2015-04-07 16:00:30 +10:00
OJ 2977cbd42a Merge branch 'upstream/master' into dynamic-transport 2015-04-07 14:30:48 +10:00
OJ 4635bb83c3 Implement ssl verification toggling
Add support to meterpreter that allows for the querying and toggling of
SSL certificate verification on the fly.

In order to verify that the socket was SSL-enabled, some rejigging had
to be done of the type? method in the ssl socket class.
2015-04-06 14:40:59 +10:00
OJ d2d68d76a2 Update transport switching to a full blown command
Transport switching should now support all of the bits and pieces
required to do full switching with all configurable transport options
2015-04-02 23:13:59 +10:00
OJ 47fa97816d Code fixes as per suggestions, fix build
* Use of `ERROR_FAILURE_WINDOWS` in python meterpreter.
* Moving of constants/logic to client_core instead of
command_dispatcher.
* Fix spec include.
2015-04-02 09:05:38 +10:00
OJ 01bdf54487 Merge branch 'upstream/master' into dynamic-transport 2015-04-01 18:53:20 +10:00
OJ 79ec2e0586 Add machine ID support to the command list 2015-04-01 14:29:04 +10:00
HD Moore a9cfd7efef Merging master back into the UUID branch 2015-03-31 12:02:03 -05:00
Brent Cook d89cd118e0 remove wininet workaround in meterpreter http/s
We had a workaround to close connections on very old wininet implementations
that would not do it themselves. With the new WinHttp API-using meterpreters
and stagers, we no longer should use this workaround. It can actually be
actively bad and prematurely close the connection.

This needs testing around different payloads, and they should be on real
networks, ideally where TCP really has to work to get data transferred.
2015-03-30 23:38:32 -05:00
OJ c0f496197c Rejig code to support http payloads
* Move the uri checksum code to a spot that can be shared with rex.
* Adjust modules to make use of this new location.
* Fix up the transport switcher to add the URI for those payloads.
2015-03-30 07:11:25 +10:00
OJ 1f00b595bc Hacked support for transport switching 2015-03-25 13:08:52 +10:00
OJ 25dcfc796a Better support old binaries in rev http(s)
* Patch 256char URL if the 512char one doesn't work.
* Return an empty list in the case where the ext enum fails.
2015-03-24 10:14:44 +10:00
HD Moore bc3c73e408 Merge branch 'master' into feature/registered-payload-uuids 2015-03-22 18:51:13 -05:00
HD Moore 94241b2998 First attempt at rewiring HTTP handlers to use UUIDs 2015-03-21 03:15:08 -05:00
OJ acd802c5fd Initial work for WinHTTP comms support in Meterpreter 2015-03-20 12:51:47 +10:00
Brent Cook 564962042e
Land #4925, OJ adds self-contained windows meterpreter options 2015-03-19 21:07:32 -05:00
Brent Cook 24ce0118b8 reenable UTF filtering support where needed
revert d22231bdc8
2015-03-19 16:02:21 -05:00
OJ a582e05b6d Merge gemfile changes in master 2015-03-20 06:29:38 +10:00
OJ 040ef1e3e9
Land #4950: ls unicode and sorting in meterpreter 2015-03-20 06:28:29 +10:00
OJ 7899881416 Update POSIX bins from master 2015-03-19 14:50:14 +10:00
Brent Cook c774038fe6 improve ls output by providing various new options 2015-03-18 16:02:03 -05:00
HD Moore 8d3cb8bde5 Fix up meterpreter patching arguments and names 2015-03-18 01:25:42 -05:00
Brent Cook d22231bdc8 remove unicode_filter_encode calls
Let the underlying utf8 messages through to the console.
2015-03-17 11:07:07 -05:00
Brent Cook 74ee2d8408
Land #4916, @hmoore-r7 annotate Interlock Target param as 'in' only 2015-03-13 08:59:59 -05:00
OJ 1338a55b0d Adjust error handling for extension enumeration
Make the catch case more generic for when the target doesn't support the
command for extension enumeration. This supports more than just windows
now.
2015-03-13 21:49:45 +10:00
James Lee 14a5efce58
Add yardoc 2015-03-13 01:04:23 -05:00
HD Moore aa79b71e35 Fixes #4897 by correcting kernel32!Interlocked function definitions 2015-03-11 23:26:32 -05:00
OJ 345b5cc8e1 Add stageless meterpreter support
This commit adds plumbing which allows for the creation of stageless
meterpreter payloads that include extensions. The included transports at
this point are bind_tcp, reverse_tcp and reverse_https, all x86.

More coming for x64. Will also validate http soon.
2015-03-12 13:22:04 +10:00
James Lee cd5699dc39
Sort cases and add specs 2015-03-08 23:27:32 -05:00
James Lee 0440e19cc1
Add REG_MULTI_SZ 2015-03-08 22:48:24 -05:00
jvazquez-r7 cdf5fec474 Fix style 2015-03-04 09:57:39 -06:00
HD Moore d75f55e493 Rex should not depend on ActiveSupport, .blank? is not stdlib Ruby 2015-02-26 11:23:38 -06:00
Brent Cook b4cf2f5d8c use correct response filter TLV_TYPE_VALUE_NAME 2015-02-17 08:46:25 -06:00
Brent Cook 8f74f8eeed pass down the new permissions parameters 2015-02-17 06:11:20 -06:00
Brent Cook 503f58375b add direct registry access methods
Rather than operating on a passed-in HKEY, these open and close the registry
key directly for each operation.

This pattern better reflects the actual API usage within msf, and removes extra
round-trips to open and close the registry key, reducing traffic and increasing
performance. I did not add direct versions of every registry operation.
There was no benefit for more rarely-used operations, other than requiring more
churn in the meterpreters.

The primary beneficiary of this is post exploitation modules that do registry
or service enumeration. See #3693 for test cases.
2015-02-17 06:11:20 -06:00
Meatballs 02864b4401 Railgun DWORD handling 2015-01-30 11:20:03 +00:00
William Vu aec0067d14
Land #4673, screenshot -v hardcoded false fix 2015-01-29 19:40:15 -06:00
sinn3r 823c75908d Fix #4672 - Fix Hardcoded false for screenshot -v
Fix #4672
2015-01-29 16:54:41 -06:00
Brent Cook 212aeb9106 Improve utility of meterpreter file upload command
Rather than assume that the destination argument is a directory, check
first, and then do the same thing that 'cp' would do.

 - If dest exists and is a directory, copy to the directory.
 - If dest exists and is a file, copy over the file.
 - If dest does not exist and is a directory, fail.
 - If dest does not exist and is a file, create the file.
2015-01-29 13:45:15 -06:00
Brent Cook 65d71a5e18 Fix #4625 Reenable channel receive packet requeueing logic
In #4475, I incorrectly interpreted the role of the 'incomplete' array
in monitor_socket, and that change should be reverted.

What appears to happen is, we play a kind of 3-card monte with the list
of received packets that are waiting for a handler to use them.
monitor_socket continually loops between putting the packets on @pqueue,
then into backlog[] to sort them, then into incomplete[] to list all of
the packets that did not have handlers, finally back into @pqueue again.
If packets don't continually get shuffled back into incomplete, they are
not copied back into @pqueue to get rescanned again.

The only reason anything should really get into incomplete[] is if we
receive a packet, but there is nothing to handle it. This scenario
sounds like a bug, but it is exactly what happens with the Tcp Client
channel - one can open a new channel, and receive a response packet back
from the channel before the subsequent read_once code runs to register a
handler to actually process it. This would be akin to your OS
speculatively accepting data on a TCP socket with no listener, then when
you open the socket for the first time, it's already there.

While it would be nice if the handlers were set up before the data was
sent back, rather than relying on a handler being registered some time
between connect and PacketTimeout, this needs to get in now to stop the
bleeding. The original meterpreter crash issue from #4475 appears to be
gone as well.
2015-01-23 08:50:37 -06:00
Meatballs 0b0ac1455a
Merge remote-tracking branch 'upstream/master' into extapi_service_post
Conflicts:
	test/modules/post/test/services.rb
2015-01-07 20:53:34 +00:00
Meatballs dd5c638ab0
Merge remote-tracking branch 'upstream/master' into extapi_service_post 2015-01-05 22:18:44 +00:00
OJ 17ff546b0f Remove unnecessary calls to expand path
When using the Meterpreter Binaries gem to locate the path to the
meterpreter DLLs, it's not necessary to use File.expand_path on
the result because the gem's code does this already.

This commit simply removes those unnecessary calls.
2015-01-03 08:30:26 +10:00
jvazquez-r7 722f86f361 Try to guess TMPDIR folder 2014-12-30 18:39:29 -06:00
jvazquez-r7 7596d211e9 Use length for comparison 2014-12-30 18:39:18 -06:00
jvazquez-r7 e903044fd5 Allow providing a writable dir 2014-12-30 18:36:30 -06:00
jvazquez-r7 f17a7e8a61 Better handling of the unix domain socket argument 2014-12-30 18:36:28 -06:00
jvazquez-r7 4df4e8b9d6 Add support for linux meterpreter migration 2014-12-30 18:34:24 -06:00
jvazquez-r7 56df2d0062 Add support for linux meterpreter migrate types 2014-12-30 18:30:15 -06:00
Tod Beardsley a8e907d68b
Land #4479, nil comparisons and missing DLLs
Also fixes #4474.
2014-12-30 13:55:54 -06:00
Brent Cook bdac5db695 remove usage of ==/!= nil
Adjust all module-loading libraries to have consistent nil?/!nil? checking and
'if' style.
2014-12-30 10:59:49 -06:00
Brent Cook 5d70b837ed handle nil results from MeterpreterBinaries.path
When a meterpreter binary cannot be found, give the user some hint about what
went wrong.

```
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.43.1
lhost => 192.168.43.1
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.43.1:4444
[*] Starting the payload handler...
[*] Sending stage (770048 bytes) to 192.168.43.252
[*] Meterpreter session 1 opened (192.168.43.1:4444 -> 192.168.43.252:49297) at 2014-12-29 12:32:37 -0600

meterpreter > use mack
Loading extension mack...
[-] Failed to load extension: No module of the name ext_server_mack.x86.dll found
```

This is also useful for not scaring away would-be developers who replaced only
half (the wrong half) of their DLLs from a fresh meterpreter build and
everything exploded. Not that that's ever happened to me :)
2014-12-29 12:34:02 -06:00
Brent Cook bbb41c39b8 fix backward meterpreter packet timeout logic
The current logic times out every packet almost immediately, making it possible
for almost any non-trivial meterpreter session to receive duplicate packets.

This causes problems especially with any interactions that involve passing
resource handles or pointers back and forth between MSF and meterpreter, since
meterpreter can be told to operate on freed pointers, double-closes, etc.

This probably fixes tons of heisenbugs, including #3798.

To reproduce this, I enabled all debug messages in meterpreter to slow it
down, then ran this RC script with a reverse TCP meterpreter, after linking in
the test modules:

(cd modules/post
 ln -s ../../test/modules/post/test)

die.rc:
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.43.1
exploit -j
sleep 5
use post/test/services
set SESSION 1
run
2014-12-29 08:15:51 -06:00
Tod Beardsley d3050de862
Remove references to Redmine in code
See #4400. This should be all of them, except for, of course, the module
that targets Redmine itself.

Note that this also updates the README.md with more current information
as well.
2014-12-19 17:27:08 -06:00
HD Moore 9de4137aa7 Patch UA/Proxy settings during migration, lands #3632 2014-12-16 22:21:48 -06:00
Sean Verity 1930eb1bf8 Refactors metsrv patching in reverse_http.rb 2014-12-17 10:04:43 -05:00
Sean Verity 52b3025351 Reworked to avoid extending String class on blob per hdm's rec. 2014-12-15 21:40:41 -05:00
Brent Cook 8140ed4a45 Merge branch 'upstream-master' into land-3175 2014-12-11 22:03:03 -06:00
HD Moore fc96d011ab
Python reverse_http stager, lands #4225 2014-12-02 11:47:31 -06:00
HD Moore 335d1ef287 Only cache auto-generated certificates 2014-11-26 21:23:08 -06:00
HD Moore 8becf417a7 Qualify ::File to prevent a stacktrace 2014-11-22 17:16:13 -06:00
HD Moore 673e21cfaf Rework meterpreter SSL & pass datastore to handle_connection()
This allows HandlerSSLCert to be used to pass a SSL certificate into the Meterpreter handler. The datastore has to be passed into handle_connection() for this to work, as SSL needs to be initialized on Session.new. This still doesn't pass the datastore into Meterpreter directly, but allows the Session::Meterpreter code to extract and pass down the :ssl_cert option if it was specified. This also fixes SSL certificate caching by expiring the cached cert from the class variables if the configuration has changed. A final change is to create a new SSL SessionID for each connection versus reusing the SSL context, which is incorrect and may lead to problems in the future (if not already).
2014-11-22 15:35:00 -06:00
Spencer McIntyre 2b36c1bb43 Fix pymeterp bugs from testing in osx and python3 2014-11-17 14:04:30 -05:00
HD Moore 6b4eb9a8e2 Differentiate failed binds from connects, closes #4169
This change adds two new Rex exceptions and changes the local comm to raise the right one depending on the circumstances. The problem with the existing model is that failed binds and failed connections both raised the same exception. This change is backwards compatible with modules that rescue Rex::AddressInUse in addition to Rex::ConnectionError. There were two corner cases that rescued Rex::AddressInUse specifically:

1. The 'r'-services mixin and modules caught the old exception when handling bind errors. These have been updated to use BindFailed
2. The meterpreter client had a catch for the old exception when the socket reports a bad destination (usually a network connection dropped). This has been updated to use InvalidDestination as that was the intention prior to this change.

Since AddressInUse was part of ConnectionError, modules and mixins which caught both in the same rescue have been updated to just catch ConnectionError.
2014-11-11 14:59:41 -06:00
OJ eb830cb361 Idiomaticise the rubies 2014-11-10 07:44:36 +10:00
OJ 08e707225c Add support for the getsid command
There has been Meterpreter work done as well to support this. But this
commit allows for a new 'getsid' command which tells you the sid of the
current process/thread. This can be used for things like determining
whether the current process is running as system. It could also be used
for golden ticket creation, among other things.
2014-11-07 10:38:22 +10:00
OJ 52cbbe3677 Add some documentation to the ADSI functions 2014-10-21 10:34:47 +10:00
OJ 8329a15cb0
Merge branch 'upstream/master' into group_tlv_refactors 2014-10-21 09:54:55 +10:00
HD Moore fcd9b4b293 Allow non-SSLv3 Meterpreters (auto-negotiate) 2014-10-15 13:57:51 -05:00
Sean Verity 4bd14ed5ea Uses a hash for options as opposed to numerous methods on blob 2014-09-17 14:11:37 -04:00
Sean Verity 3c11251432 Mitigates excessive use of lookup operator (hopefully adds clarity) 2014-09-15 17:05:54 -04:00
Sean Verity e55dab3914 Refactored expiration and timeout logic in client_core.rb 2014-09-15 01:01:23 -04:00
Sean Verity b7714c9661 Cleaned up indents. 2014-08-25 13:03:23 -04:00
Sean Verity e47a6f1573 Provides methods to patch metsrv stagers with options. 2014-08-25 00:55:07 -04:00
Meatballs d2bc0baa87
Merge remote-tracking branch 'upstream/master' into extapi_service_post
Conflicts:
	lib/msf/core/post/windows/services.rb
2014-08-24 19:46:19 +01:00
Sean Verity 6661e1a5a4 De-committing based on suggestions from Meatballs1 and jlee-r7. 2014-08-17 20:37:06 -04:00
Meatballs 351b687759
Land #3612, Windows Local Kernel exploits refactor 2014-08-10 22:05:06 +01:00
joev af3ca19ab2
Land #3501, @AnwarMohamed's android meterpreter commands. 2014-08-09 16:29:59 -05:00
joev dbaa377aa1 Final-round of code tweaks. All commands working well. 2014-08-09 13:04:52 -05:00
Sean Verity 3fd76105db msftidy'd 2014-08-08 22:03:51 -04:00
Sean Verity c5e452c866 Patches UA and PROXY in metsrv when running migrate 2014-08-08 21:48:02 -04:00
Spencer McIntyre b602e47454 Implement improvements based on feedback 2014-08-05 21:24:37 -07:00
Joe Vennix ed6594ddb8
Change filename to calllog_dump. 2014-07-30 00:16:23 -07:00
Joe Vennix ece3b5583a
Revert to file-based solution. 2014-07-30 00:13:44 -07:00
AnwarMohamed 7512e04894 fixing autoload 2014-07-29 16:21:31 +02:00
AnwarMohamed 283046b25d fixing auto load on new session 2014-07-28 10:49:50 +02:00
AnwarMohamed 9f0bf67521 fixing minor bugs 2014-07-28 07:49:46 +02:00
HD Moore b3c7fff32a Land #3551, fix inconsistent pack/unpack usage 2014-07-20 17:11:49 -05:00
HD Moore eea0b24aec Land #3550, fix railgun use of pack/unpack Q 2014-07-20 17:09:53 -05:00
Meatballs 3daf78777b
Use native unpack for PDWORDs 2014-07-20 22:57:19 +01:00
Meatballs 4fecae084b
Q (native) to Q< (le) 2014-07-20 22:38:30 +01:00
William Vu 25f74b79b8
Land #3484, bad pack/unpack specifier fix 2014-07-16 14:52:23 -05:00
sinn3r 4fb58202fa
Land #3529 - Handle Rex::AddressInUse exception 2014-07-16 13:57:41 -05:00
jvazquez-r7 09619abe79 Catch AddressInUse when running commands from the meterpreter console 2014-07-15 11:15:10 -05:00
Tod Beardsley 038d1e210a
Merge upstream/master to deconflict.
Conflicts:
	Gemfile.lock
2014-07-09 17:43:42 -05:00
AnwarMohamed a513f403ba fixing bugs 2014-07-08 10:58:48 +02:00
AnwarMohamed ead7b35aa9 formatting 2014-07-08 10:48:24 +02:00
AnwarMohamed 6e0bc763ff formatting 2014-07-08 10:46:16 +02:00
AnwarMohamed 656da8a63b android extension 2014-07-08 04:56:04 +02:00
AnwarMohamed 34dcb609e2 android extension 2014-07-08 04:52:06 +02:00
OJ bdf27b1834 Fix up the TLVs that are now QWORD values in MSF
Various values were adjusted to become QWORD values in MSF and windows
meterpreter, but the changes were not ported over to python, php and
java. This commit fixes this inconsistency.
2014-07-07 10:42:58 -05:00
Meatballs 05c9757624
Merge in #3488 2014-07-04 20:37:09 +01:00
HD Moore c9b6c05eab Fix improper use of host-endian or signed pack/unpack
Note that there are some cases of host-endian left, these
are intentional because they operate on host-local memory
or services.

When in doubt, please use:

```
ri pack
```
2014-06-30 02:50:10 -05:00
HD Moore 255e792ed3 Fix host-endian related pack errors. See below for details.
Ruby treats endianness in pack operators in the opposite way
of python. For example, using pack('<I') actually ignores the
endianness specifier. These need to be 'I<' or better yet, 'V'.
The endian specifier must occur after the pack specifier and
multiple instances in meterpreter and exe generation were
broken in their usage.

The summary:

Instead of I/L or I< use V
Instead of I/L or I> use N
For Q, you need to always use Q< (LE) or Q> (BE)
For c/s/l/i and other lowercase variants, you probably don't
need or want a *signed* value, so stick with vV nN and cC.
2014-06-30 02:46:36 -05:00
Chris Doughty 9b35b0e13a Revert "Land #3446 -- Meterpreter bins gem switch" due to build failures
This reverts commit bba8bd3498, reversing
changes made to 002234993f.
2014-06-25 13:24:07 -05:00
OJ 769f2e4936 Change elevator to 'elevator'
This would have made lots of people unhappy.
2014-06-25 07:47:47 +10:00
OJ ac03b7c96a Use sorted sets extension lists 2014-06-25 03:26:25 +10:00
OJ 0fc4d10813 Fix indentation for case statements 2014-06-25 03:18:37 +10:00
Tod Beardsley 2626450c38
Fix indent per @jlee-r7's eagle eye 2014-06-20 11:52:47 -05:00
Tod Beardsley 2a4ed0e651
Replace all the obvious path calls to Meterpreter
Unfortunately, though, there seems to be a stealthy set, somewhere, of
datastore['DLL']. Not sure where yet. The stack trace in the
framework.log is:

````
[06/19/2014 17:53:34] [i(0)] core: windows/meterpreter/reverse_http: iteration 1: Successfully encoded with encoder x86/fnstenv_mov (size is 366)
[06/19/2014 17:53:35] [e(0)] rex: Proc::on_request: Errno::ENOENT: No such file or directory -
/home/todb/git/rapid7/metasploit-framework/data/meterpreter/metsrv.x86.dll

/home/todb/git/rapid7/metasploit-framework/lib/msf/core/reflective_dll_loader.rb:26:in `initialize'
/home/todb/git/rapid7/metasploit-framework/lib/msf/core/reflective_dll_loader.rb:26:in `open'
/home/todb/git/rapid7/metasploit-framework/lib/msf/core/reflective_dll_loader.rb:26:in `load_rdi_dll'
/home/todb/git/rapid7/metasploit-framework/lib/msf/core/payload/windows/reflectivedllinject.rb:56:in `stage_payload'
/home/todb/git/rapid7/metasploit-framework/lib/msf/core/handler/reverse_http.rb:212:in `on_request'
/home/todb/git/rapid7/metasploit-framework/lib/msf/core/handler/reverse_http.rb:129:in `block in setup_handler'
/home/todb/git/rapid7/metasploit-framework/lib/rex/proto/http/handler/proc.rb:38:in `call'
/home/todb/git/rapid7/metasploit-framework/lib/rex/proto/http/handler/proc.rb:38:in `on_request'
/home/todb/git/rapid7/metasploit-framework/lib/rex/proto/http/server.rb:365:in `dispatch_request'
/home/todb/git/rapid7/metasploit-framework/lib/rex/proto/http/server.rb:299:in `on_client_data'
/home/todb/git/rapid7/metasploit-framework/lib/rex/proto/http/server.rb:158:in `block in start'
/home/todb/git/rapid7/metasploit-framework/lib/rex/io/stream_server.rb:48:in `call'
/home/todb/git/rapid7/metasploit-framework/lib/rex/io/stream_server.rb:48:in `on_client_data'
/home/todb/git/rapid7/metasploit-framework/lib/rex/io/stream_server.rb:192:in `block in monitor_clients'
/home/todb/git/rapid7/metasploit-framework/lib/rex/io/stream_server.rb:190:in `each'
/home/todb/git/rapid7/metasploit-framework/lib/rex/io/stream_server.rb:190:in `monitor_clients'
/home/todb/git/rapid7/metasploit-framework/lib/rex/io/stream_server.rb:73:in `block in start'
/home/todb/git/rapid7/metasploit-framework/lib/rex/thread_factory.rb:22:in `call'
/home/todb/git/rapid7/metasploit-framework/lib/rex/thread_factory.rb:22:in `block in spawn'
/home/todb/git/rapid7/metasploit-framework/lib/msf/core/thread_manager.rb:100:in `call'
/home/todb/git/rapid7/metasploit-framework/lib/msf/core/thread_manager.rb:100:in `block in spawn'

````

Still tracking this down.
2014-06-19 18:03:11 -05:00
Tod Beardsley cbedea222f
Land #3416 again, now that the bins are available
This reverts commit 3d73414530.
2014-06-12 14:53:03 -05:00
Tod Beardsley 3d73414530 Revert #3416, needs the correct bins first
This was a whoops on my part. I will reland this when I have the
Meterpreter bins all sorted.

This reverts commit 40b5405053, reversing
changes made to 86e4eaaaed.
2014-06-12 14:20:06 -05:00
Tod Beardsley 40b5405053
Land #3416, fix DWORD/QWORD bug 2014-06-12 13:59:34 -05:00
sinn3r 2a7227f443
Land #3427 - Adds webcam module for firefox privileged sessions on OSX 2014-06-11 22:27:25 -05:00
OJ a53955adb7 Updated more UINT TLVs to QWORDS
All with the goal of removing more pointer truncation issues.
2014-06-04 20:55:20 +10:00
OJ 8346e20bf1 Change memory types from DWORD to QWORD
This was causing memory allocations to fail on x64 in cases where
the higher bits were set in addresses.
2014-06-01 21:27:07 +10:00
Spencer McIntyre 77e70d8bbe Add 2 more variables for meterpreter irb 2014-05-25 16:28:40 -04:00
joev 14b796acbf First stab at refactoring webrtc mixin. 2014-05-21 15:32:29 -05:00
James Lee d2ebab09aa
Add timeout for SSL renegotiation after migrating
[SeeRM #8794]
2014-05-16 15:42:46 -05:00
Meatballs 3542f851bf Fix some yarddoc issues 2014-05-05 22:45:41 +02:00
Meatballs c474ff4465
Merge remote-tracking branch 'upstream/master' into extapi_service_post
Conflicts:
	modules/exploits/windows/local/service_permissions.rb
	modules/post/windows/manage/rpcapd_start.rb
2014-05-05 13:19:25 +01:00
Rob Fuller c3fb5bf614 fix a few clerical errors and typos 2014-04-29 22:42:26 -04:00
James Lee 4bd2dabfcd
Land #3121, new kiwi extension, with compiled bins
See also rapid7/meterpreter#79
2014-04-29 17:53:37 -05:00
James Lee 49bd86f077
Clean up yardocs and a few style issues 2014-04-21 03:12:23 -05:00
Meatballs 02b11afddc
Merge remote-tracking branch 'upstream/master' into netapi_change_passwd
Conflicts:
	lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_netapi32.rb
2014-04-15 21:23:45 +01:00
Meatballs fc018eb32e
Initial commit 2014-04-15 21:05:06 +01:00
Meatballs ae3ead6ef9
Land #2107 Post Enum Domain Users 2014-04-09 11:32:12 +01:00
OJ 670a0c8e0f
Merge branch 'upstream/master' into ext_server_kiwi 2014-04-02 19:36:42 +10:00
OJ cceb146680 Support for the new ADSI result structure 2014-04-02 17:37:23 +10:00
OJ e61e532223 Add support for extraction of wifi profile creds 2014-04-02 17:16:40 +10:00
OJ 1d46e65897 Update to match meterpreter changes
This also includes the ability to specify id and groups for the
golden ticket feature.
2014-04-02 12:29:35 +10:00
OJ 86ddd24d26 Update to use Rex::Text and change handling a bit
This change also outputs blank creds so that users know which
accounts have blank passwords
2014-03-28 16:12:51 +10:00
OJ 65e204e834 Modify the menu item descriptions 2014-03-28 11:03:38 +10:00
OJ 3a42cb8a46 Fix typo in kiwi help 2014-03-28 11:03:03 +10:00
OJ 685d959886 Support refactors of TLVs and adsi nested group changes 2014-03-27 15:49:22 +10:00
Tod Beardsley 8e7f12e30e
Land #3085, service_control support
This depends on rapid7/meterpreter#77 to function
2014-03-19 08:43:17 -05:00
Tod Beardsley 04b5d71fa5
Land #3061, enhance clipboard dump
This depends on rapid7/meterpreter#75 to function
2014-03-19 08:42:36 -05:00
Tod Beardsley 35b94b04bf
Land #2889, WMI support
This depends on rapid7/meterpreter#69 to actually be useful.
2014-03-19 08:42:03 -05:00
OJ 11f9bfadb1 Final bits of documentation and code tweaking 2014-03-19 18:40:53 +10:00
OJ 84728c9fc9 Code tidying and defaulting to empty strings for table format 2014-03-19 16:19:23 +10:00
OJ 959cedb9b1 Bit more code tidying 2014-03-19 16:19:05 +10:00
OJ f80c7b7b51 Fix silly typo 2014-03-19 15:55:12 +10:00
OJ 0dcf992781 Add comments to the kiwi source 2014-03-19 15:45:53 +10:00
OJ 3635fff98e Add support for kerberos ticket enumeration
Fix up a bunch of other issues and do some code tidies too.
2014-03-19 14:25:11 +10:00
OJ 91e198fd63 Add SAM key dump in LSA dumping output 2014-03-18 09:45:31 +10:00
OJ a9758413c0 Add lsa secret dumps plus other tweaks 2014-03-14 19:50:01 +10:00
OJ 1d70411ea7 Support service_control and new status field in query
This code adds support for the new service_control feature in meterpreter
and also supports the status field that comes from the service_query function.
2014-03-11 14:50:19 +10:00
OJ 0bdce4836f Modify clipboard dump to support new format from Meterpreter 2014-03-04 19:37:57 +10:00
OJ e0438f570b
Merge branch 'upstream/master' into ext_server_kiwi 2014-03-03 17:28:44 +10:00
James Lee 4c557a1401
Add Post::Windows::Services#each_service
Also cleans up some style issues and adds yardoc comments for some stuff
in Post::File

Note that windows/local/service_permissions is still using
`service_list` because it now builds a Rex::Table, which has to have
all the data up front, anyway.
2014-02-18 18:24:23 -06:00
James Lee 684c45a5ff Merge remote-tracking branch 'upstream/pr/2766' into merge-2766 2014-02-18 17:36:13 -06:00
Meatballs 6f988209ab
Merge remote-tracking branch 'upstream/master' into enum_domain_users_update 2014-02-18 20:02:39 +00:00
Tod Beardsley 8e0a4aaa58
Land #2983, webcam_chat for Meterpreter 2014-02-18 13:43:42 -06:00
sinn3r 0519abb558 Fix the wrong conversion 2014-02-17 23:17:19 -06:00
jvazquez-r7 f07efc91a8 Land #2915, @Meatballs1 improvements for LDAP post mixin 2014-02-17 19:14:59 -06:00
Meatballs f5c401bee7
Yarddocs 2014-02-14 22:59:36 +00:00
sinn3r 5d3eed8600 Add info about browser requirements in help 2014-02-13 16:37:05 -06:00
sinn3r a44f235a8d Fix things based on Tod's feedback 2014-02-13 16:13:42 -06:00
sinn3r 750ce3c4db Make server configurable 2014-02-11 23:07:43 -06:00
OJ beca4b8bc3 Fix issue with getenv failing
The call to `getenv` failed when `%` or `$` were used because of the
differences between Meterpreter handling and MSF handling.

Meterpreter effectively ignores (i.e. strips out) the platform-specific
characters which are used for environment variables. In the `getenv`
call, MSF was invoking `getenvs` and getting a full hash of values, then
attempting to index into the hash using a string which may be "polluted"
with those platform-specific characters. This meant that there was a
discrepancy between what was returned and what was used to index and
as a result, the value would come out as `nil`.

For example, calling `getenv('%FOO%')` would result in a hash with
`{'FOO'=>'bar'}`, so looking for '%FOO%' in this result would yield
nothing.

This commit changes this so that the name is ignored and the first
value is returned.
2014-02-12 13:51:30 +10:00
sinn3r 2bb15d3a87 answerer's interface gets a makeover 2014-02-11 02:15:22 -06:00
sinn3r fdd696fc31 Drop Opera support
It's sad nobody is actually using it. See article: "Across desktop and
mobile, Chrome is used more than Firefox, IE, and Opera combined" -
thenextweb.com
2014-02-10 18:03:42 -06:00
sinn3r 1414f6794c Change the name of the video chat command 2014-02-10 17:44:47 -06:00
sinn3r 44282d8a83 Add an exception handling 2014-02-10 17:06:56 -06:00
sinn3r 1114913298 Automatically turn on webcam in Firefox 2014-02-10 17:05:08 -06:00
sinn3r 48fdb08164 Add flag --use-fake-ui-for-media-stream
Thanks Joev!!
2014-02-10 14:47:25 -06:00
sinn3r 93ef3c784d Update some JavaScript and other things 2014-02-08 22:23:19 -06:00
sinn3r 0d24f06109 Not adding remote support for Linux meterpreter, here's why 2014-02-08 20:30:53 -06:00
sinn3r be8538f3bd Tweak video attributes 2014-02-08 19:56:43 -06:00
sinn3r 8d55104712 Random channel 2014-02-08 19:36:33 -06:00
sinn3r e25767ceab More progress 2014-02-08 17:28:15 -06:00
sinn3r 3f9ad8a6d5 Fix bugs and stuff 2014-02-08 16:11:39 -06:00
sinn3r 22cc665115 More error handling 2014-02-08 16:06:51 -06:00
sinn3r 07ad99ba3a Remove unnecessary methods 2014-02-08 15:51:33 -06:00
sinn3r a70c77c9eb Handle some more exceptions 2014-02-08 15:51:11 -06:00
sinn3r 325214e37f Fix bugs and stuff 2014-02-08 15:41:44 -06:00
sinn3r e8ec6d1062 Rename command name 2014-02-08 03:53:49 -06:00
sinn3r ee1900c273 progress 2014-02-08 03:29:15 -06:00
sinn3r b188943bd1 Progress 2014-02-08 02:57:49 -06:00
sinn3r 526bf9f6bc This should work 2014-02-07 22:17:42 -06:00
sinn3r 36f3a82b5c A wise man once said do not abuse the power of expand_path 2014-02-07 12:10:58 -06:00
sinn3r bab9a5522b You will go deaf with the default volume value. No thanks. 2014-02-07 11:35:57 -06:00
sinn3r 3c3bd11aca Oh look, more progress 2014-02-07 11:25:20 -06:00
sinn3r 43be99f31b Save some progress 2014-02-07 03:06:52 -06:00
sinn3r f66fc15b9e Add support for webrtc in meterpreter 2014-02-06 10:44:24 -06:00
OJ b60398b020 Merge branch 'upstream/master' into clipboard_monitor
Conflicts:
	lib/rex/post/meterpreter/extensions/extapi/tlv.rb
2014-01-29 23:07:05 +10:00
OJ ad1dce38d2 Final fixes before the monitor PR 2014-01-29 23:04:43 +10:00
OJ 2ef0e7e2a5 Small tidy of code 2014-01-29 17:07:06 +10:00
OJ e27707cac3 More tweaking of the clipboard monitor with dump/purge 2014-01-29 14:51:03 +10:00
OJ 10ac7a22af
Land #2897 Sane address resolution [FixRM #7259] 2014-01-28 23:09:44 +10:00
Meatballs 6d9e395d40
Use LPVOID to avoid ptr trunc 2014-01-24 23:27:56 +00:00
Tod Beardsley 1ff063d7de
Test the object not the class duhhh 2014-01-24 11:46:48 -06:00
Tod Beardsley 37b11ce2e1
Use Class#kind_of? instead of == 2014-01-24 11:31:04 -06:00
Meatballs 9fce617462
Fixup railgun utils
Implement DsGetDcNamea to return current domain using example
railgun utils techniques.
2014-01-24 16:22:05 +00:00
Meatballs 9acd0f4b56
Merge remote-tracking branch 'upstream/master' into enum_ad_perf 2014-01-22 21:46:50 +00:00
OJ 83358fbbf0 More work on the clipboard monitor 2014-01-22 22:56:13 +10:00
OJ a7d4aa5d46 Merge branch 'upstream/master' into clipboard_monitor
Conflicts:
	lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi/clipboard.rb
2014-01-22 11:51:10 +10:00
James Lee e9ccec4755
Refactor load_session_info
All of this code is in sore need of some specs but I think this change
makes it a bit easier to understand what it is supposed to be doing.
2014-01-21 18:55:54 -06:00
Meatballs 720f892e2f
Merge remote-tracking branch 'upstream/master' into enum_ad_perf 2014-01-21 21:00:51 +00:00
OJ 9212013c3e Add error message support
This commit enables returning of error messages based on the HRESULT.
They still aren't nice, but they're better than nothing.
2014-01-17 11:42:07 +10:00
OJ 8e1d3c9c2a Final tweaks for WMI support 2014-01-16 22:02:28 +10:00
OJ 69abffaff6 First pass of WMI support
Close but more to do.
2014-01-16 13:47:46 +10:00
OJ 870349acd0
Merge branch 'upstream/master' into basic_adsi_support 2014-01-15 19:57:07 +10:00
OJ 0f722cbe6d Add ext_server_kiwi, which is Mimikatz v2
This is a separate extension because the new version doesn't support
as many operating systems as the old version, but it does have more
new features which are really funky.
2014-01-10 16:51:01 +10:00
OJ e3b90f3c4e Fix issue with incorrect parameter parsing
Code was looking for -s instead of -a when dealing with domain
queries. This commit fixes that.
2014-01-05 20:06:47 +10:00
Tod Beardsley bd2033c587
Land #2814, streaming webcam STDAPI add 2014-01-03 12:09:25 -06:00