sinn3r
bf831616e5
Land #2749 - Add firefox 26 feature detection support to detect/os.js
2013-12-10 16:30:33 -06:00
Joe Vennix
6cd315da64
Add ff26 feature detection support.
2013-12-10 10:47:11 -06:00
Meatballs
45a0ac9e68
Land #2602, Windows Extended API
...
Retrieve clipboard data
Retrieve window handles
Retrieve service information
2013-12-08 19:01:35 +00:00
Meatballs
496b017e33
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
2013-12-05 17:09:32 +00:00
Meatballs
dc0f2b7291
Use ExitProcess
2013-12-05 17:08:47 +00:00
OJ
c8e2c8d085
Add binaries from Meterpreter 9e33acf3a283f1df62f264e557e1f6161d8c2999
...
This is a new set of binaries for Meterpreter as of commit hash
9e33acf3a283f1df62f264e557e1f6161d8c2999. We haven't yet finalised
the process we'll be using for releasing bins from Meterpreter to MSF
so this is hopefully the last time we will have to do it the old way.
2013-12-04 16:23:03 +10:00
sinn3r
ddbd5858e0
Land #2701 - Refactor of `ppr_flatten_rec`
...
Also [SeeRM #8140]
2013-12-03 10:51:58 -06:00
Meatballs
cf12826d2c
Don't use xp toolchain
...
and don't bother editbin
2013-11-30 20:04:00 +00:00
Meatballs
d3a0199539
Update for new Reflective DLL Submodule
...
Update to VS2013 Toolsets
Include .msbuild and make.bat
Tidyup of if { }
Post build step to copy to output directory
2013-11-30 19:58:25 +00:00
Meatballs
915d741f86
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
...
Conflicts:
.gitmodules
external/source/ReflectiveDLLInjection
2013-11-30 19:10:04 +00:00
OJ
bcab716ec0
Add the binaries from the meterpreter repo
...
Given this is a new extension, building bins and including them in this
PR can't cause any issues regarding lost functionality (like it can
with existing bins).
Adding to this PR so that it's easier to test and land.
2013-11-29 09:02:07 +10:00
jvazquez-r7
0343aef7c8
Land #2695, @wchen-r7's support to detect silverlight
2013-11-27 09:40:12 -06:00
OJ
defc0ebe5c
ppr_flatten_rec update, RDI submodule, and refactor
...
This commit contains a few changes for the ppr_flatten_rec local windows
exploit. First, the exploit binary itself:
* Updated to use the RDI submodule.
* Updated to build with VS2013.
* Updated to generate a binary called `ppr_flatten_rc.x86.dll`.
* Invocation of the exploit requires address of the payload to run.
Second, the module in MSF behaved a little strange. I expected it to create
a new session with system privs and leave the existing session alone. This
wasn't the case. It used to create an instance of notepad, migrate the
_existing_ session to it, and run the exploit from there. This behaviour
didn't seem to be consistent with other local exploits. The changes
include:
* Existing session is now left alone, only used as a proxy.
* New notepad instance has exploit reflectively loaded.
* New notepad instance has payload directly injected.
* Exploit invocation takes the payload address as a parameter.
* A wait is added as the exploit is slow to run (nature of the exploit).
* Payloads are executed on successful exploit.
2013-11-27 20:44:18 +10:00
James Lee
25b1ec5b75
Land #2689, getenv
2013-11-26 23:33:25 -06:00
OJ
72813c1f3e
Merge branch 'egypt/feature/getenv-php' into getenv_cmd
2013-11-27 15:22:15 +10:00
James Lee
a3337e5de5
Add PHP side for meterpreter getenv
2013-11-26 23:16:28 -06:00
OJ
a0f703ee44
Add getenv support to python meterpreter
...
This change adds support for `getenv` to python meterpreter. Nothing too
complex going on here. I tidied up the definitions of the TLVs as well
so that they look nice.
2013-11-27 11:19:26 +10:00
sinn3r
5d10b44430
Add support for Silverlight
...
Add support for Silverlight exploitation. [SeeRM #8705]
2013-11-26 14:47:27 -06:00
jvazquez-r7
6cb63cdad6
Land #2679, @wchen-r7's exploit for cve-2013-3906
2013-11-25 22:04:26 -06:00
jvazquez-r7
25eb13cb3c
Small fix to interface
2013-11-22 17:02:08 -06:00
jvazquez-r7
136c18c070
Add binary objects for MS13-022
2013-11-22 16:45:07 -06:00
sinn3r
94e13a0b8a
Initial commit of CVE-2013-3906
2013-11-19 23:10:32 -06:00
OJ
0b413aa0b8
Remove extapi binaries
...
These were committed in the flurry of merges last night by me. They
should be removed until the extapi PR has been fully reviewed and
merged. This commit just removes the binaries from master, they'll
be re-added when appropriate.
2013-11-15 06:24:00 +10:00
jvazquez-r7
4cf16cf360
Land #2633, @OJ's port of Kitrap0d as local exploit
2013-11-14 09:27:10 -06:00
OJ
4bd0900359
Updated meterpreter binaries
...
Includes the following:
* Clean builds
* Removal of kitrap0d from getsystem
* Doc updates
* Webcam crash fix
* Scheduler and channel refactor
* Posix crash fix for post modules
2013-11-15 01:14:14 +10:00
OJ
506a4d9e67
Remove genericity, x64 and renamed stuff
...
As per discussion on the github issue, the following changes were made:
* Project renamed from elevate to kitrap0d, implying that this is not
intended to be a generic local priv esc exploit container.
* Container DLL no longer generic, always calls the kitrap0d exploit.
* Removal of all x64 code and project configurations.
* Invocation of the exploit changed so that the address of the payload
is passed in to the exploit entry point. The exploit is now responsible
for executing the payload if the exploit is successful. This removes
the possibility of the payload getting executed when the exploit fails.
* Source moved to the appropriate CVE folder.
* Binary moved to the appropriate CVE folder.
* Little bit of source rejigging to tidy things up.
2013-11-14 12:22:53 +10:00
jvazquez-r7
ef6d9db48f
Land #2613, @wchen-r7's BrowserExploitServer mixin
2013-11-12 17:33:12 -06:00
OJ
40f58ce534
Finalise the local exploit for kitrap0d
...
The exploit now properly injects the DLL using RDI and invokes the
exploit based on a parameter passed by the Ruby module. The elevate
code is 'generic' with a goal of possibly supporting more exploits
down the track.
New sessions are now created with the SYSTEM creds, rather than
modifying the existing session. This is now inline with how things
are done with other local modules.
2013-11-12 23:01:24 +10:00
sinn3r
62102dd1f9
Land #2544 - Vbs minimize
2013-11-11 11:14:56 -06:00
sinn3r
33f65dd611
Land #2577 - Use base64 to reduce psh-net payload size
2013-11-11 10:21:20 -06:00
William Vu
f402f4c16e
Land #2614, another default OWA URL
2013-11-08 17:20:20 -06:00
Rob Fuller
cdc6a863dd
Add another default owa url
...
It's not default, but not uncommon to find /exchange/ NTLM protected
2013-11-07 08:50:22 -05:00
sinn3r
b34b4ac2b6
Update the java stuff again
2013-11-07 00:57:20 -06:00
sinn3r
991240a87e
Support java version detection
2013-11-07 00:54:52 -06:00
OJ
715fdc05ec
Updated meterpreter binaries
...
Includes the following changes:
* Security cleanup - remove use of insecure functions
* Windows 8/8.1/2012 R2 support to sysinfo
* VS 2013 upgrade
* Command dispatcher refactor
* Getproxy command added (needs MSF side too)
2013-11-07 14:31:54 +10:00
sinn3r
cf5d9c7f01
Add case for IE10 + Win 7 SP1 detection
2013-11-06 11:41:36 -06:00
sinn3r
5f2d8358c0
Be more browser specific with Javascript generation
2013-11-05 01:04:52 -06:00
joev
5f85ede389
Prevent xhr shim from leaking.
2013-11-02 16:47:50 -05:00
joev
90d8da6a21
Fix some bugs in my edits, add a spec.
2013-11-02 16:46:33 -05:00
joev
c7c1fcfa98
Pull shared XHR shim out, add option to static Js module method.
...
* Moves shim to data/js/network/xhr_shim.js
* Add some yardoc comments
2013-11-02 14:52:50 -05:00
sinn3r
391360d67f
Update xmlhttprequest
2013-10-31 16:09:05 -05:00
sinn3r
6e7e5a0ff9
Put postInfo() in the js directory
2013-10-31 13:55:22 -05:00
joev
4425cf1dc1
Add support for firefox 25.
...
Also replaces a bunch of missing semicolons.
2013-10-30 12:19:22 -05:00
jvazquez-r7
2b5e2df94e
Land #2568, @h0ng10's update of SAP url's wordlist
2013-10-28 09:01:33 -05:00
jvazquez-r7
e88e523eaa
Delete newline
2013-10-28 09:01:00 -05:00
Meatballs
e18dd3ec0b
Use base64 to reduce size
2013-10-25 01:19:43 +01:00
Tod Beardsley
27739a0351
Meterpreter bins after Meterpreter PR 32
...
Protects against potential BOFs due to strcpy usage.
These binaries were built against meterpreter master after
https://github.com/rapid7/meterpreter/pull/32 landed.
The CI tests can be seen here:
https://ci.metasploit.com/view/Meterpreter/job/MeterpreterWin/75/
Note, this commit is signed. Your merge commit should be signed, too, so
people can be assured that nobody is backdooring Meterpreter on the sly.
2013-10-24 15:15:49 -05:00
Tod Beardsley
b5f26455a3
Land #2545, javascript library overhaul
2013-10-23 16:12:49 -05:00
Meatballs
e6a2a1006f
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
...
Conflicts:
lib/msf/core/post/windows/priv.rb
modules/exploits/windows/local/bypassuac.rb
2013-10-23 21:02:32 +01:00
h0ng10
a834fec889
Added URL for PT-2013-13/SAP Note 1820894
2013-10-23 21:20:18 +02:00
h0ng10
e02bf0cce6
Added /AdapterFramework/version/version.jsp
2013-10-23 21:09:19 +02:00
sinn3r
19615ac4b7
Apparently I missed a lot of stuff
2013-10-21 21:02:01 -05:00
Tod Beardsley
824dd84982
Merge remote-tracking branch 'upstream/pr/2500' into temp
2013-10-21 14:26:05 -05:00
Meatballs1
1717a98ba3
Update to_exe.vbs.template
...
Rename values
2013-10-21 13:49:09 +01:00
sinn3r
8a94df7dcd
Change category name for base64
2013-10-18 21:20:16 -05:00
sinn3r
62dadc80d3
Make sure the data type for the return value is a string
2013-10-18 21:08:46 -05:00
sinn3r
711399bb34
Update property_spray.js
2013-10-18 20:56:00 -05:00
sinn3r
e1ca2d2730
Fix mstime_malloc.js
2013-10-18 20:49:33 -05:00
sinn3r
298f23c91c
Fix extra slashes that cause browser autopwn to fail.
2013-10-18 20:43:39 -05:00
Meatballs
2ef89eaf35
Randomize exe name
2013-10-18 19:01:28 +01:00
Meatballs
56aa9ab01c
Reduce size
2013-10-18 18:59:30 +01:00
OJ
827bf23979
Updated binaries with railgun crash fixes
2013-10-18 19:43:17 +10:00
sinn3r
c926fa710b
Move all exploitation-related JavaScript to their new home
2013-10-17 16:43:29 -05:00
Meatballs
b3cc9f6f1e
Use sysnative to delete the cryptbase.dll when in SYSWOW64 process.
...
Merge branch 'master' of github.com:Meatballs1/metasploit-framework into bypassuac_redo
Conflicts:
modules/exploits/windows/local/bypassuac.rb
2013-10-17 21:01:57 +01:00
Tod Beardsley
bd405277d9
Add a default Samsung community string
...
See http://www.kb.cert.org/vuls/id/281284
and
http://www.h-online.com/security/news/item/Samsung-network-printer-vulnerability-discovered-Update-2-1757967.html
2013-10-17 10:35:59 -05:00
Spencer McIntyre
6f23e95c14
Fix an endianness issue in pymeterpreter registry_query_value.
2013-10-12 23:39:22 +01:00
Meatballs
378f403fab
Land #2453, Add stdapi_net_resolve_host(s) to Python Meterpreter.
...
Moves resolve_host post module to multi and deprecates Windows module.
Resolve will now return nil for failed lookups instead of an empty
string.
2013-10-10 20:13:06 +01:00
g0tmi1k
6b004086ea
Removed SVN from msfupdate
2013-10-10 12:25:00 +00:00
OJ
b477ae369b
Updated stdapi binaries with railgun fix
...
Changes are from https://github.com/rapid7/meterpreter/pull/28
2013-10-10 16:03:38 +10:00
OJ
0a194b203d
Updated sniffer binaries
...
These updated binaries include a packet-sniffer fix which results in
sniffing working on x86 builds of Windows 8 and Windows 8.1.
2013-10-09 07:38:54 +10:00
Meatballs
11519e8465
Add compiled binaries
2013-10-08 00:23:33 +01:00
Spencer McIntyre
7414dff958
Add fault tolerance for resolve_hosts.
2013-10-04 08:51:13 -04:00
sinn3r
bc8604f151
Use safe_negate_size for hxds
2013-10-03 23:15:29 -05:00
sinn3r
63d7b8c309
Use safe_negate_size for java
2013-10-03 23:13:57 -05:00
sinn3r
ab62af220b
Use safe_negate_size key for msvcrt (XP)
2013-10-03 23:12:58 -05:00
jvazquez-r7
9df676ca7e
Land #2447, @wchen-r7's new msvcrt ROP chains without nulls
2013-10-03 22:38:29 -05:00
Spencer McIntyre
ecf286a8c4
Add support for stdapi_net_resolve_host.
2013-10-03 10:31:54 -04:00
James Lee
56b6f0be02
Add bins for #2443
...
See #740 and meterpreter#26
2013-10-01 23:47:24 -05:00
sinn3r
cd1f023f72
Update msvcrt.dll ROP chain for Windows Server 2003
2013-10-01 16:18:57 -05:00
sinn3r
14d99ffbdb
Update Win XP msvcrt.dll ROP
...
This updated ROP chain for msvcrt.dll does not have any null bytes.
2013-10-01 15:00:43 -05:00
sinn3r
7c6c8291e2
Add ROP chains for Office 2007 and Office 2010 (hxds.dll)
...
This adds two ROP chains for Office 2007 and Office 2010 based on
hxds.dll.
2013-10-01 01:33:35 -05:00
Tab Assassin
2e8d19edcf
Retab all the things (except external/)
2013-09-30 13:47:53 -05:00
Meatballs
e806047411
Add MSI bins
2013-09-27 20:03:19 +01:00
Meatballs
8a9843cca6
Merge upstream/master
2013-09-27 20:02:23 +01:00
Meatballs
9fde8bee2b
Merge branch 'master' of github.com:rapid7/metasploit-framework into upstream-master
2013-09-27 18:12:17 +01:00
Tod Beardsley
869c10af04
Land #2396, aspx-exe shellcode generator
...
Looks good to me, specs are all happy (also added a #to_h spec)
2013-09-27 11:42:16 -05:00
OJ
c38f3b4a56
New meterpreter binaries
...
New binaries contain fixes for:
* kitrap0d crashing during `getsystem` calls.
* https://github.com/rapid7/meterpreter/pull/23
* Meterpreter crashing on XP SP0 in certain scenarios.
* https://github.com/rapid7/meterpreter/pull/21
2013-09-27 09:31:53 +10:00
Meatballs
079eec0aea
Compile.bat and gitignore
2013-09-21 13:14:01 +01:00
Meatballs
85ea9ca05a
Merge branch 'master' of github.com:rapid7/metasploit-framework into msi_payload
2013-09-21 12:49:38 +01:00
Meatballs
1bd1c3587d
No UAC prompt MSI
2013-09-21 12:47:58 +01:00
OJ
3cdddb8ff3
New meterpreter binaries for ip resolv feature
...
* New meterpreter binaries that include the IP resolve feature.
* Updated .gitignore to correctly match pivot file name.
2013-09-21 07:12:40 +10:00
Meatballs
11bdf5d332
New pull
2013-09-19 19:57:38 +01:00
James Lee
dc9246a770
New compiled bins for shiny vs2012 build
...
* Fixes x64 sniffer [FixRM #8364]
2013-09-17 18:11:13 -05:00
James Lee
21055f6856
Add x86 to meterpreter's binary suffix
...
This makes x86 more consistent with x64.
Also replaces a bunch of instances of:
File.join(Msf::Config.install_root, 'data', ...)
with the simpler
File.join(Msf::Config.data_directory, ...)
[See rapid7/meterpreter#19]
2013-09-16 21:52:04 -05:00
jvazquez-r7
299860b09d
Land #2329, @kaospunk auxiliary module to enumerate ntlm info
2013-09-16 08:16:30 -05:00
James Lee
705e262061
Non-broken compiled bins for meterpreter/#14
...
Somehow built bins with fatal linker errors last time. These seem to be
solid.
[SeeRM #8361]
2013-09-12 23:36:05 -05:00
James Lee
9dae838422
New compiled bins for meterpreter/#14
...
Should fix the flakiness of migration on 64-bit systems.
[FixRM #8361]
2013-09-12 22:34:31 -05:00
Spencer McIntyre
e3e2c69de1
Fix additional issues in the python meterpreter.
2013-09-10 15:06:33 -04:00
Tab Assassin
48cf2af685
Merge for retab
2013-09-05 16:16:00 -05:00
Tab Assassin
76c98cb610
Merge for retab
2013-09-05 13:37:55 -05:00
Tab Assassin
760943af2f
Merge for retab
2013-09-05 13:02:51 -05:00
kaospunk
533643fe2c
Host Information Enumeration via NTLM Authentication
...
This aux module makes requests to resources on the target server in
an attempt to find resources which permit NTLM authentication. For
resources which permit NTLM authentication a blank NTLM type 1 message
is sent to enumerate a type 2 message from the target server. The type
2 message is then parsed for information such as the Active Directory
domain and NetBIOS name.
The user can provide their own TARGETURIS file which contains URIs
to request to attempt to get a 401 with NTLM. This PR also includes
a list of URLs that can be used as the default.
2013-09-04 21:39:02 -04:00
jvazquez-r7
94125a434b
Add module for ZDI-13-205
2013-09-04 15:57:22 -05:00
Spencer McIntyre
d84939c83b
Fixes three minor issues in the python meterpreter.
2013-08-30 15:31:40 -04:00
Meatballs
1ea3d91f48
Lands #2244 Python Meterpreter
...
[Closes #2244]
2013-08-30 14:33:35 +01:00
Meatballs
53c3f6b2db
Deconflict
2013-08-30 10:52:42 +01:00
shellster
1b36fe9e51
Added Template
...
New template for previous commit.
2013-08-29 19:11:59 -07:00
James Lee
eba6762977
Land #2270, Util::EXE refactor
...
With a minor rebase to fix a commit message
[Closes #2270]
Conflicts:
spec/support/shared/contexts/msf/util/exe.rb
2013-08-28 21:49:59 -05:00
shellster
ee9b1ef8e0
Greatly shortened to_mem_old.ps1.template by using [Math]::max.
...
Added necessary end of line conversion in lib/msf/util/exe.rb so
that Powershell will parse multiline strings.
2013-08-28 21:39:42 -05:00
James Lee
9f04fa6ab4
Add metsrv.dll updates for proxy support
...
See #1033, #2014, and meterpreter/#12
2013-08-28 21:18:59 -05:00
Spencer McIntyre
f490277c6d
Always os.fork() when available.
2013-08-28 17:19:49 -04:00
Meatballs
96c093dce0
Fix Exploit::Exe
2013-08-25 19:56:29 +01:00
Meatballs
66ee15f461
Merge and deconflict
2013-08-25 19:14:15 +01:00
Meatballs
cf5ddfeebf
Some war fixes
2013-08-23 18:59:48 +01:00
Meatballs
dfc606fe56
Slightly saner filenames
2013-08-23 18:06:48 +01:00
Meatballs
41b1b30438
vba transform
2013-08-23 18:00:19 +01:00
Meatballs
cd83077bec
Fix vba_exe
2013-08-23 17:42:46 +01:00
Meatballs
4d21b06f4f
Aspx uses transform
2013-08-23 17:22:33 +01:00
Meatballs
1cb1afa50a
Fix aspx
2013-08-23 17:09:51 +01:00
Meatballs
dd13a7e48f
Working .asp
2013-08-23 16:55:07 +01:00
Meatballs
7370fc3f4e
vbs transform
2013-08-23 16:26:03 +01:00
Meatballs
5040347521
Fix psh and add powershell transform
2013-08-23 15:59:19 +01:00
Meatballs
418505adc9
Fix psh-net
2013-08-23 15:21:26 +01:00
Meatballs
cfd6c66ffd
Fix VBS
2013-08-23 14:35:19 +01:00
shellster
86a83391fd
Merge remote-tracking branch 'upstream/master'
2013-08-21 16:16:20 -07:00
Shelby Spencer
c2cf822013
Commit adding the template scripts.
2013-08-20 16:52:58 -07:00
Spencer McIntyre
e276b57ee7
Merge remote-tracking branch 'upstream/master' into python-meterpreter-dev
2013-08-19 08:37:12 -04:00
jvazquez-r7
795ad70eab
Change directory names
2013-08-15 22:52:42 -05:00
jvazquez-r7
cc5804f5f3
Add Port for OSVDB 96277
2013-08-15 18:34:51 -05:00
Spencer McIntyre
71285f395d
Sort import statements alphabetically.
2013-08-15 09:27:13 -04:00
Spencer McIntyre
fcf2d4bf19
Remove debug print and fix channel additions.
2013-08-13 12:50:52 -04:00
Spencer McIntyre
fdc9312272
Add process enumeration via PS for OSX.
2013-08-12 16:38:15 -04:00
Spencer McIntyre
dd2438dd1e
Improve process execution on Linux.
2013-08-09 10:39:19 -04:00
Spencer McIntyre
3fb4c2d27c
Add Windows registry manipulation support.
2013-08-09 08:39:05 -04:00
Spencer McIntyre
f3f4290783
Add process enumeration for windows.
2013-08-06 22:33:43 -04:00
Spencer McIntyre
2d69174c5b
Initial commit of the python meterpreter.
2013-08-05 23:38:49 -04:00
Tod Beardsley
9f5f191a6b
Add Main.swf from 593363c
2013-07-29 21:53:40 -05:00
jvazquez-r7
c7361043ae
up to date
2013-07-17 11:47:06 -05:00
jvazquez-r7
11f8b351c0
Merge branch 'nvidia' of https://github.com/Meatballs1/metasploit-framework
2013-07-17 11:44:42 -05:00
Meatballs
22601e6cc7
Exit process when complete
2013-07-06 09:27:27 +01:00
Meatballs
66c2b79177
Initial commit
2013-07-05 19:48:27 +01:00
jvazquez-r7
4ac5261802
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-07-02 11:20:26 -05:00
jvazquez-r7
2ceb404f7d
Land #2047, @hmoore-r7 ipmi related work
2013-07-02 11:13:25 -05:00
jvazquez-r7
72f19181d1
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-07-01 16:38:19 -05:00
HD Moore
1e21f0e2aa
Updated output formats, top 1000 passwords
2013-06-29 22:01:25 -05:00
jvazquez-r7
a4d353fcb3
Clean a little more the VS project
2013-06-29 15:15:27 -05:00
jvazquez-r7
6878534d4b
Clean Visual Studio Project
2013-06-29 09:20:40 -05:00
jvazquez-r7
7725937461
Add Module for cve-2013-3660
2013-06-28 18:18:21 -05:00
HD Moore
f0db04c2a6
Updates to common password db
2013-06-28 10:47:14 -05:00
jvazquez-r7
3c1af8217b
Land #2011, @matthiaskaiser's exploit for cve-2013-2460
2013-06-26 14:35:22 -05:00
jvazquez-r7
81a2d9d1d5
Merge branch 'module_java_jre17_provider_skeleton' of https://github.com/matthiaskaiser/metasploit-framework
2013-06-26 14:32:59 -05:00
jvazquez-r7
d25e1ba44e
Make fixes proposed by review and clean
2013-06-25 12:58:00 -05:00
jvazquez-r7
1ade467ac9
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-06-25 11:10:43 -05:00
jvazquez-r7
b32513b1b8
Fix CVE-2013-2171 with @jlee-r7 feedback
2013-06-25 10:40:55 -05:00
jvazquez-r7
3244013b1f
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-06-25 09:48:20 -05:00
sinn3r
6780566a54
Add CVE-2013-2171: FreeBSD 9 Address Space Manipulation Module
2013-06-24 11:50:21 -05:00
Matthias Kaiser
8a96b7f9f2
added Java7u21 RCE module
...
Click2Play bypass doesn't seem to work anymore.
2013-06-24 02:04:38 -04:00
HD Moore
722d33e8fa
Updated common password list
2013-06-23 13:15:31 -05:00
HD Moore
d9737ec03a
Updated common passwords
2013-06-23 01:52:18 -05:00
HD Moore
c869112407
Cleanup, reporting, and automatic cracking
2013-06-23 01:35:31 -05:00
HD Moore
5656e0cb7a
Initial commit of IPMI library, scanner, & cracker
2013-06-22 23:38:28 -05:00
jvazquez-r7
9d0047ff74
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-06-07 16:44:52 -05:00
sinn3r
19a6f310cd
Land #1927 - Add common passwords from xato.net
2013-06-07 15:24:09 -05:00
Tod Beardsley
dc680e7106
Underscores because the rest are.
2013-06-07 15:16:39 -05:00
Tod Beardsley
0265dd8860
Add common passwords from xato.net
...
Mark Burnett publishes lists of top passwords occasionally. This PR adds
the top 500 and top 1024 passwords, as of 2011-06-20, linked from this
blog post:
http://xato.net/passwords/more-top-worst-passwords/
He also does a fair bit of frequency analysis there.
The 1024 list should probably be used instead of the original
unix_password.txt file. unix_password.txt was added on 2010 from an
unknown source (and since edited occasionally to add known good default
passwords). Pulling those changes into this list probably would be
helpful to guess better.
As far as I can tell, there are no special licensing terms for these
lists.
2013-06-07 15:10:14 -05:00
jvazquez-r7
7090d4609b
Add module for CVE-2013-1488
2013-06-07 13:38:41 -05:00
jvazquez-r7
66ea59b03f
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-28 15:22:46 -05:00
James Lee
9843dc4cb4
Land #1708, android meterpreter
...
Conflicts:
data/meterpreter/ext_server_stdapi.jar
2013-05-28 12:19:45 -05:00
jvazquez-r7
d5cf6c1fbc
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-05-23 12:37:54 -05:00
sinn3r
81ad280107
Landing #1856 - CVE-2013-0758 Firefox <= 17.0.1 + Flash RCE
...
Chained exploit using CVE-2013-0758 and CVE-2013-0757
2013-05-23 12:21:10 -05:00
Joe Vennix
4d5c4f68cb
Initial commit, works on three OSes, but automatic mode fails.
2013-05-15 23:32:02 -05:00
jvazquez-r7
a7e4ba5015
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-04-30 08:32:24 -05:00
James Lee
d53d6370b3
Land #1747, mimikatz meterpreter extension
...
[Closes #1747]
See rapid7/meterpreter#9
2013-04-29 14:45:07 -05:00
James Lee
99f5376606
Binaries for #1747
...
See rapid7/meterpeter#9
2013-04-29 14:44:18 -05:00
jvazquez-r7
a4632b773a
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-04-28 12:59:16 -05:00
sinn3r
1d9a695d2b
Landing #1772 - Adds phpMyadmin Preg_Replace module (CVE-2013-3238)
...
[Closes #1772]
2013-04-28 12:17:16 -05:00
James Lee
5900a7c03f
Whitespace
2013-04-26 15:24:02 -05:00
jvazquez-r7
38e41f20fe
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-04-24 13:24:13 -05:00
James Lee
01d790eb54
Land #1748, fix for java meterp network prefixes
...
[Closes #1748]
2013-04-24 12:27:28 -05:00
James Lee
a7effaf9c6
Add bins for #1748
2013-04-24 12:27:05 -05:00
jvazquez-r7
1761b1ad7b
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-04-23 17:35:35 -05:00
Tod Beardsley
80fb7b85ef
Drop msfgui.jar, too.
2013-04-22 16:03:38 -05:00
Tod Beardsley
1112daaff2
Remove msfgui and armitage
...
This removes the Armitage and MSFGui components from the Metasploit
distribution. You can track the latest stable releases of these
alternate GUIs here:
MSFGui: http://www.scriptjunkie.us/msfgui/
Armitage: http://www.fastandeasyhacking.com/download
2013-04-22 15:26:44 -05:00
jvazquez-r7
b6365db0b5
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-04-22 09:38:32 -05:00
jvazquez-r7
19f2e72dbb
Added module for Java 7u17 sandbox bypass
2013-04-20 01:43:13 -05:00
jvazquez-r7
cc35591723
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-04-15 17:43:15 -05:00
timwr
32bd812bdb
android meterpreter
2013-04-12 18:57:04 +01:00
James Lee
15e2ceb749
Land #1660, dlink backdoor wordlist
...
[Closes #1660][See #1648]
2013-04-11 23:04:02 -05:00
jvazquez-r7
9c0862ad7b
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-04-11 21:53:07 +02:00
James Lee
8376531a32
Land #1217, java payload build system refactor
...
[Closes #1217]
2013-04-11 13:10:03 -05:00
James Lee
1d09d7e6e9
Java payload bins
...
Compiled with the shiny new maven system
2013-04-11 13:08:16 -05:00
jvazquez-r7
6f1fb4a873
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-04-06 17:23:24 +02:00
James Lee
ab0535bc41
Bins for new stdapi_fs_file_move command
...
See rapid7/meterpreter#6
2013-04-04 23:39:22 -05:00
James Lee
2d47be425f
Latest meterpreter bins
...
See rapid7/meterpreter#1 and rapid7/meterpreter#5
2013-04-04 22:57:13 -05:00
jvazquez-r7
224188ddf6
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-03-29 21:49:40 +01:00
Tod Beardsley
bafb50a173
Merge commit for JtR recompile
...
Also changes a bunch of file modes to be less permissive.
[Closes #1662]
2013-03-29 09:05:12 -05:00
jvazquez-r7
6cd6a7d6b9
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-03-28 12:16:18 +01:00
sinn3r
7bf87f3546
Merge branch 'mipsbe_elf' of github.com:jvazquez-r7/metasploit-framework into jvazquez-r7-mipsbe_elf
2013-03-27 11:55:09 -05:00
jvazquez-r7
c225d8244e
Added module for CVE-2013-1493
2013-03-26 22:30:18 +01:00
jvazquez-r7
18559e35fc
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-03-26 19:50:45 +01:00
jvazquez-r7
a644ceb016
Added support for mipsbe elf
2013-03-26 17:20:43 +01:00
James Lee
73c2610822
Merge remote-tracking branch 'jvazquez-r7/mipsle_elf_support' into rapid7
...
[Closes 1666]
2013-03-26 10:38:32 -05:00
jvazquez-r7
ae56bc0b37
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-03-26 11:21:16 +01:00
jvazquez-r7
e78635fc0f
fix segment virtual address
2013-03-26 10:50:29 +01:00
Josh
ee199f64cb
Merge pull request #1664 from scriptjunkie/msfguiKaliConnect
...
MSFGUI service autoconnect, DB fixes
2013-03-25 21:58:28 -07:00
scriptjunkie
1b6398d4fd
Service autoconnect, DB fixes
...
First check if database is connected before trying to connect.
Autologin in Kali with new token login.
2013-03-25 20:44:48 -05:00
jvazquez-r7
4fff624632
added initial support for ELF mipsle
2013-03-26 01:08:31 +01:00
Brandon Turner
83d1f8d499
Compile John the Ripper against libssl 1.0.0
...
We use OpenSSL 1.0.0 in installed environments. Previously, John the
Ripper was compiled against 0.9.8 which prevented it from running. This
recompiles the same version (jtr 1.7.8 jumbo 2) against OpenSSL 1.0.0.
[FIXRM #7834]
2013-03-25 17:12:51 -05:00
sinn3r
5504c58b11
Add dlink pass for #1648
2013-03-25 13:25:19 -05:00
jvazquez-r7
393d5d8bf5
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-03-25 19:09:42 +01:00
jvazquez-r7
660d3d5388
Merge branch 'linksys-traversal' of https://github.com/m-1-k-3/metasploit-framework into m-1-k-3-linksys-traversal
2013-03-25 17:31:11 +01:00
jvazquez-r7
2d5a0d6916
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-03-25 17:08:23 +01:00
Josh
dfcce010c1
Merge pull request #1650 from scriptjunkie/msfguiKaliConnect
...
Kali fixes, changes only affect msfgui
2013-03-24 19:34:22 -07:00
scriptjunkie
438d348fda
Kali fixes
...
Check the new database config location.
Don't crash on sporadic JRE style error.
2013-03-24 21:00:38 -05:00
m-1-k-3
36d1746c0d
linksys traversal module - initial commit
2013-03-23 17:01:02 +01:00
jvazquez-r7
80d218b284
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-03-19 19:55:51 +01:00
jvazquez-r7
27778e6ea9
fix comma typo
2013-03-19 19:20:39 +01:00
sinn3r
be9d4ec393
New pt for virtualprotect, and readjust size to 0x401
2013-03-19 09:25:06 -05:00
sinn3r
ea4c88bc2c
Java Rop null-byte free
...
Our new heap spray routine does not like double nulls, so we need
to adjust our ROP.
2013-03-18 23:42:17 -05:00
jvazquez-r7
2d99b949a2
Merge branch 'master' of https://github.com/rapid7/metasploit-framework
2013-03-13 09:36:35 +01:00
scriptjunkie
16fad29cb0
Update creds schema.
2013-03-12 23:07:40 -05:00
jvazquez-r7
74b58185cd
up to date
2013-03-12 16:48:11 +01:00
Meatballs
f37d9c2834
Initial commit
2013-03-09 17:24:03 +00:00
sinn3r
e1859ae4b6
Merge branch 'rsmudge-armitage'
2013-03-06 19:31:44 -06:00
sinn3r
a30b61e4aa
Merge branch 'rsmudge-armitage'
2013-03-06 16:39:00 -06:00
Raphael Mudge
4ab8315db0
Armitage 03.06.13
...
Apparently, my last update came from the future. This modification
to that future update fixes an oversight preventing Armitage from
connecting to its collaboration server because it would report the
wrong application.
2013-03-04 23:11:20 -05:00
Raphael Mudge
59d2f05c94
Armitage 04.06.13
...
This update to Armitage improves its responsiveness when connected
to a team server over a high latency network. This update also adds
a publish/query/subscribe API to Cortana.
2013-03-04 18:32:45 -05:00
Luke Imhoff
239e1934b8
Use migrations from metasploit_data_models
...
[#44034071]
metasploit_data_models version 0.5.0 copied the migrations from
metasploit-framework/data/sql/migrate to
metasploit_data_models/db/migrate so that specs could be written for the Mdm
models in metasploit_data_models. As part of the specs, :null => false
columns that should be :null => true were discovered, so a new migration
was added, but to metasploit_data_models/db/migrate, so it could be
tested. Instead of replicating migrations back and forth, I'm removing
the migrations completely from metasploit-framework and changing the
default migration path in Msf::DbManager#migration_paths to
MetasploitDataModels.root.join('db', 'migrate').
2013-03-01 09:03:45 -06:00
Tod Beardsley
dd9002fcab
Merges ChrisJohnRiley's new password
...
Lands https://github.com/rapid7/metasploit-framework/pull/1521
Closes #1521
(Forgive the oververbose commit message, experimenting with various
syntax highlighters)
2013-02-25 08:39:27 -06:00
Chris John Riley
28fd92a013
Added new default password for TMSADM
...
Based on: http://blog.ptsecurity.com/2013/02/sap-unknown-default-password-for-tmsadm.html
2013-02-25 09:00:57 +01:00
jvazquez-r7
d7b89a2228
added security level bypass
2013-02-20 17:50:47 +01:00
jvazquez-r7
d88ad80116
Added first version of cve-2013-0431
2013-02-20 16:39:53 +01:00
sinn3r
bc03247386
Merge branch 'sap_url_update' of github.com:ChrisJohnRiley/metasploit-framework into ChrisJohnRiley-sap_url_update
2013-02-19 15:08:26 -06:00
jvazquez-r7
9af43bc05c
newline to sap_default.txt
2013-02-18 15:58:29 +01:00
jvazquez-r7
a91bbf5f69
Merge branch 'sap_default_user_additions' of https://github.com/ChrisJohnRiley/metasploit-framework into ChrisJohnRiley-sap_default_user_additions
2013-02-18 15:57:26 +01:00
jvazquez-r7
c8778587f5
rename the xml template for s4u
2013-02-18 15:25:03 +01:00
jvazquez-r7
be0feecf8f
Merge branch 's4u_persistence' of https://github.com/smilingraccoon/metasploit-framework into smilingraccoon-s4u_persistence
2013-02-18 15:22:37 +01:00
Chris John Riley
6519444112
Addition defaults
2013-02-15 13:35:25 +01:00
Chris John Riley
5df03f790b
Remove end of line spaces and rerun uniq
2013-02-15 13:31:35 +01:00
Chris John Riley
fb7d0159c3
Further URLs
2013-02-15 13:26:44 +01:00
Chris John Riley
21366dd4df
Updated SAP URL list to include further known URLs
2013-02-15 13:20:23 +01:00
sinn3r
398e6cb202
Merge branch 'rsmudge-armitage'
2013-02-13 10:38:30 -06:00
Raphael Mudge
596b62b831
Armitage 02.12.13 - Distributed Operations
...
This update adds the ability to manage multiple team server instances
through one Armitage client. This update also adds nickname completion
to the event log. Several bug fixes are included too.
2013-02-11 21:20:03 -05:00
jvazquez-r7
41564fd51d
Merge branch 'aux-word_unc_injector.rb' of https://github.com/SphaZ/metasploit-framework into SphaZ-aux-word_unc_injector.rb
2013-02-11 15:05:27 +01:00
smilingraccoon
3a499b1a6d
added s4u_persistence.rb
2013-02-10 14:22:36 -05:00
scriptjunkie
447f78cb24
Handle nonstandard ports when starting new msfrpcd.
2013-02-04 17:24:41 -06:00
SphaZ
24de0d2274
Data files moved. Updated to use Rex::zip and Msf::Exploit::FILEFORMAT
2013-02-04 13:37:09 +01:00
Tod Beardsley
293f9da5cf
Merge branch 'bug/pro-only-models'
...
Updates to use MDM 0.4.0 (was using 0.3.0)
2013-01-31 16:14:51 -06:00
jvazquez-r7
d0ecb617c3
Merge branch 'joomla-scanner' of https://github.com/Newpid0/metasploit-framework into Newpid0-joomla-scanner
2013-01-25 21:47:05 +01:00
f8lerror
bf2b01f8ef
Delete a file and strip space
2013-01-24 09:30:04 -05:00
f8lerror
6e94c04a52
Code Corrections and Enhancements
2013-01-23 20:26:23 -05:00
sinn3r
e376bb6fab
Merge branch 'rsmudge-armitage'
2013-01-22 22:52:35 -06:00
Raphael Mudge
8c86c49d43
Armitage 01.23.13
...
This update to Armitage adds the ability to assign labels to hosts
and create dynamic workspaces based on these labels. This update also
adds helpers to configure USERNAME/PASSWORD options and EXE::Custom
and EXE::Template. Several bugs were fixed as well.
2013-01-22 22:48:16 -05:00
jvazquez-r7
807bd6e88a
Merge branch 'java_jre17_glassfish_averagerangestatisticimpl' of https://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-java_jre17_glassfish_averagerangestatisticimpl
2013-01-22 15:33:39 +01:00
jvazquez-r7
78279a0397
Added new module for cve-2012-5076
2013-01-17 21:27:47 +01:00
jvazquez-r7
d0b9808fc7
Added module for CVE-2012-5088
2013-01-17 21:14:49 +01:00
f8lerror
0b61d28e0e
added Joomla scanner and url wordlist
2013-01-17 11:36:59 -05:00
jvazquez-r7
51f3f59d2f
cve and references available
2013-01-11 00:54:53 +01:00
Luke Imhoff
f8e1ccc27e
Remove cred_files migration
...
[#41837027]
Mdm::CredFile is only used in Pro, so for metasploit_data_models 0.4.0,
Mdm::CredFiles has been moved to Pro, so the migration has been moved to
Pro too.
2013-01-10 17:50:00 -06:00
jvazquez-r7
876d889d82
added exploit for j7u10 0day
2013-01-10 20:30:43 +01:00
Sam Gaudet
7d1716b79f
Turnkey Linux default password
2013-01-08 22:47:53 -05:00
Raphael Mudge
5348127fd2
Metasploit 4.5 Installer Environment Tweak
...
Armitage on Windows requires the user to specify their MSF
install folder. This tweak checks for an MSF 4.5 environment
and updates the specified folder to make everything work.
Like magic.
2013-01-04 13:08:47 -05:00
Raphael Mudge
a79f2fa8d1
Armitage Updates and Bug Fixes
...
This is Armitage release 01.04.13. This update fixes several bugs
and improves the user experience launching *_login modules from
Armitage. This update adds a Windows 8 icon and includes a fix to
better work with the Metasploit 1.45 installer's environment.
2013-01-04 12:05:09 -05:00
jvazquez-r7
133ad04452
Cleanup of #1062
2012-12-07 11:55:48 +01:00
HD Moore
5e44987271
Really fix this by resetting schema cache
2012-12-06 06:33:46 -08:00
HD Moore
a5b3be6dfa
Fix a conflicting rename that breaks ActiveRecord
2012-12-06 06:14:49 -08:00
HD Moore
087b2c39ae
Whitespace cleanup only
2012-12-06 06:13:53 -08:00
jvazquez-r7
b7f304f0db
added build exec_payload.msi
2012-11-28 21:51:01 +01:00
Tod Beardsley
8d6289d8d6
Merge remote branch 'rsmudge/armitage'
2012-11-26 10:52:06 -06:00
Raphael Mudge
a2615102c9
Armitage 11.26.12 - several usability enhancements and bug fixes.
2012-11-25 20:51:32 -05:00
sinn3r
e6208a7993
Merge branch 'guiOptions' of git://github.com/scriptjunkie/metasploit-framework into scriptjunkie-guiOptions
2012-11-19 10:09:54 -06:00
jvazquez-r7
24fe043960
Merge branch 'samba' of https://github.com/mephos/metasploit-framework into mephos-samba
2012-11-19 14:13:15 +01:00
jvazquez-r7
eddea29568
Merge branch 'sap_soap_rfc_brute_login' of https://github.com/nmonkee/metasploit-framework into nmonkee-sap_soap_rfc_brute_login
2012-11-18 21:36:54 +01:00
scriptjunkie
39dee758e6
Remember last options used for each module, and fill them in by default.
2012-11-17 10:08:45 -06:00
Tasos Laskos
8a9f0a0890
Merge remote-tracking branch 'upstream/master' into web-modules
2012-11-14 18:10:41 +02:00
jvazquez-r7
5076198ba2
fixing bperry comments
2012-11-11 20:18:19 +01:00
jvazquez-r7
8619c5291b
Added module for CVE-2012-5076
2012-11-11 17:05:51 +01:00
Tasos Laskos
7032ef0f6f
Merge remote-tracking branch 'upstream/master' into web-modules
2012-11-09 00:21:38 +02:00
nmonkee
f521e70bee
wordlists to accompany sap_soap_rfc_brute_login.rb
2012-11-07 10:46:36 +00:00
David Maloney
c30ada5eac
Adds temp vbs mod and tweaked decoder stub
2012-11-04 12:49:15 -06:00
Tasos Laskos
385d225305
Updated support for Web modules and analysis techniques (committing to new clean branch due to corruption)
2012-11-01 21:14:38 +02:00
m m
f7481b160c
add centos5 target
2012-10-31 18:21:41 +01:00
m m
f819ec8e75
typo
2012-10-30 17:19:23 +01:00
m m
3855ba88b1
add meterpreter/command support to samba exploit using ROP
2012-10-29 17:33:00 +01:00
Raphael Mudge
eee6248795
Armitage 10.16.12 - a lot of bug fixes.
2012-10-15 19:19:31 -04:00
jvazquez-r7
b4485fdb2b
added chm templates
2012-10-10 19:21:47 +02:00
sinn3r
858fd9ff43
Merge branch 'ropdb' of https://github.com/wchen-r7/metasploit-framework
2012-10-03 15:21:11 -05:00
sinn3r
ba1b65742e
Separate XML for various DLLs.
2012-10-02 11:27:10 -05:00
sinn3r
f2c7731b39
Add RopDb mixin
2012-10-01 17:09:01 -05:00
Cristiano Maruti
75f5e24178
Dell iDrac login aux scanner
2012-09-27 01:33:11 -05:00
scriptjunkie
10e1574d8a
Bugfix with dragging tabbed panes when right-clicked.
...
Also don't display annoying null pointer error when no connection.
2012-09-22 16:32:18 -05:00
James Lee
ac2ec99fb7
Add bin for mephos' netstat fixes
...
[Closes #777]
2012-09-12 16:57:17 -05:00
James Lee
46dfeec402
Adds meterpreter bins all compiled with the same VS
...
Not sure exactly what was causing the breakage, but using bins compiled
with the same version of Visual Studio seems to have fixed the issue.
[FixRM #7233]
2012-09-11 14:16:21 -05:00
sinn3r
c4fb285288
Merge branch 'armitage' of https://github.com/rsmudge/metasploit-framework into rsmudge-armitage
2012-09-05 13:48:09 -05:00
Raphael Mudge
e8b3f0193b
Armitage 09.05.12 - this release detects several user errors on startup (incorrect permissions, whitespace in the host/port/user/pass parameters, etc.). This release also cleans up the token stealing dialog.
2012-09-05 01:54:28 -04:00
h0ng10
2b6aa6bbdb
Added Exploit for deployfilerepository via JMX
2012-09-03 13:50:16 -04:00
James Lee
44801c217d
Linux bins for #609
2012-08-29 14:09:37 -05:00
James Lee
5a5ca66bff
Merge branch 'mephos-arp-linux' into rapid7
2012-08-29 11:19:04 -05:00
Patrick Webster
be63aad0d1
Added Windows wordlist.
2012-08-29 10:51:09 +10:00
James Lee
049494752c
Bins for #609, adds netstat and arp cmds
2012-08-28 18:21:57 -05:00