sinn3r
afd0e71457
Use the term "exploit" a little more correctly
So Metasploit uses the term "exploit" to describe something, a module
or an action, that results in popping a shell. A check normally doesn't
pop a shell, so avoid that language.
2014-01-17 13:50:23 -06:00
sinn3r
363c53e14e
Clarify when to use a specific CheckCode
An example of the biggest confusion module developers face is not
actually knowing the difference between Detected vs Appears vs
Vulnerable. For example: a module might flag something as
vulnerable by simply doing a banner check, but this is often
unreliable because either 1) that banner can be fooled, or 2)
the patch does not actually update the banner. More reasons may
apply. Just because the banner LOOKS vulnerable doesn't mean it is.
2014-01-17 13:35:17 -06:00
OJ
524bbceb1a
Merge branch 'upstream/master' into ext_server_kiwi
2014-01-17 11:53:07 +10:00
OJ
9212013c3e
Add error message support
This commit enables returning of error messages based on the HRESULT.
They still aren't nice, but they're better than nothing.
2014-01-17 11:42:07 +10:00
jvazquez-r7
ac9e634cbb
Land #2874, @mandreko's sercomm exploit fixes
2014-01-16 16:35:32 -06:00
sinn3r
a1eba03d1f
Land #2725 - Rex::Proto::PJL plus modules
2014-01-16 15:57:38 -06:00
William Vu
9bf90b836b
Add environment variables support
2014-01-16 14:53:25 -06:00
William Vu
0915212249
Fix socket timeout bug
2014-01-16 11:58:37 -06:00
jvazquez-r7
0b9ff43217
Make slice_up_payload easier
2014-01-16 11:03:22 -06:00
jvazquez-r7
f41849c921
Clean CmdStagerEcho
2014-01-16 11:00:57 -06:00
OJ
8e1d3c9c2a
Final tweaks for WMI support
2014-01-16 22:02:28 +10:00
OJ
69abffaff6
First pass of WMI support
Close but more to do.
2014-01-16 13:47:46 +10:00
William Vu
311704fc0a
Perform final cleanup
2014-01-15 13:49:37 -06:00
OJ
870349acd0
Merge branch 'upstream/master' into basic_adsi_support
2014-01-15 19:57:07 +10:00
HD Moore
68ccdc8386
Fix a stack trace when module_payloads.rb is run
This fixes a missing check for self.target being nil in the compatible_payloads method
2014-01-13 15:36:33 -08:00
Matt Andreko
b7b1ddf1e8
Sercomm Exploit module fixes
Added targets for 8 specific targets that I've tested: Cisco WAP4410N,
Honeywell WAP-PL2 IP Camera, Netgear DG834, Netgear DG834G, Netgear
DG834PN, Netgear DGN1000, Netgear DSG835, Netgear WPNT834
Added functionality to the CmdStagerEcho mix-in to support encoding via
octal instead of hex based on the :enc_type option. This is because many
devices would not output hex encoded values properly.
Added options on a per-target basis for the PackFormat (endian pack()
values for communication), UploadPath (because /tmp wasn't always
writable), and PayloadEncode (previously mentioned octal encoding
option)
Note: for some reason, some devices communicate over one endianness, but
then require a payload for the other endianness. I'm not sure what's
causing this, but if those specific combinations are not used, the
exploit fails. More research may be required for this.
2014-01-13 16:58:32 -05:00
William Vu
4ccf1a4720
Land #2873, Msf::Handler::ReverseHttp::UriChecksum
2014-01-13 15:38:56 -06:00
David Maloney
41807d7e4e
move rev_http uri checksum code
need access to the uri checksum
routines outside of the handler.
moved them to their own mixin
and then mixed into the handler.
added specs also
2014-01-13 15:18:16 -06:00
Tod Beardsley
e6e6d7aae4
Land #2868, fix Firefox mixin requires
2014-01-13 14:23:51 -06:00
Joe Vennix
3db143c452
Remove explicit requires for FF payload.
Adds ff payload require to msf/core/payload.rb
2014-01-13 13:07:55 -06:00
jvazquez-r7
95a5d12345
Merge #2835, #2836, #2837, #2838, #2839, #2840, #2841, #2842 into one branch
2014-01-13 10:57:09 -06:00
sinn3r
cacd7ff9d4
Land #2827 - Add firefox js xpcom payloads for universal ff shells
2014-01-10 14:29:32 -06:00
OJ
0f722cbe6d
Add ext_server_kiwi, which is Mimikatz v2
This is a separate extension because the new version doesn't support
as many operating systems as the old version, but it does have more
new features which are really funky.
2014-01-10 16:51:01 +10:00
William Vu
b43a221959
Land #2855, Rex::Socket refactor and specs
2014-01-09 16:20:50 -06:00
James Lee
ba252ec0c3
Use 'unless' instead of 'if not'
2014-01-09 16:01:58 -06:00
William Vu
f00e5a678b
Land #2854, #next nil bug fix
2014-01-09 15:39:06 -06:00
William Vu
c3b1eea5fd
Land #2853, user survey banner splat
2014-01-23 00:05:25 -06:00
Tod Beardsley
02018077ea
dangit odd number of ]s
2014-01-09 15:15:47 -06:00
James Lee
7cb6836209
Replace unused var with purpose-revealing comment
2014-01-09 15:07:04 -06:00
James Lee
27133257a4
Better docs, more accurate var names
2014-01-09 15:05:19 -06:00
James Lee
20a5bf45f5
Fix bug with #next raising after the end
... instead of the old behavior of just returning nil again
2014-01-09 15:03:11 -06:00
Tod Beardsley
25337888b0
Move back the expires date.
2014-01-09 14:51:23 -06:00
Tod Beardsley
fe3fed1dba
Add a link to http://bit.ly/msfsurvey in banner
2014-01-09 14:37:41 -06:00
Tod Beardsley
e4460278d2
Fix the closing brackets on the banner.
2014-01-09 14:37:25 -06:00
William Vu
1893cbca0e
Land #2843, RangeWalker resolution failure bug fix
2014-01-09 14:36:32 -06:00
James Lee
1519af33f5
Refactor `getaddress` in terms of `getaddresses`
2014-01-09 11:03:24 -06:00
jvazquez-r7
85203c2f2a
Land #2823, @mandreko's exploit module for OSVDB 101653
2014-01-09 10:27:44 -06:00
James Lee
01f350964f
Add specs for some stuff in Rex::Socket
2014-01-09 10:19:19 -06:00
William Vu
27f079ad7c
Move {begin,end}_job from libs to modules
2014-01-09 01:03:01 -06:00
William Vu
025fc79683
Refactor commands for modularity
2014-01-09 01:03:01 -06:00
William Vu
3fca11e5ac
Replace magic numbers with constants
2014-01-09 01:03:01 -06:00
William Vu
2f2823e323
Remove newline from end_job to conform to spec
2014-01-09 01:03:01 -06:00
William Vu
d3bbe5b5d0
Add filesystem commands and new PoC modules
This commit also refactors some of the code.
2014-01-09 01:03:01 -06:00
William Vu
af66310e3a
Address @jlee-r7's comments
2014-01-09 01:03:01 -06:00
William Vu
bab32d15f3
Address @wchen-r7's comments
2014-01-09 01:03:00 -06:00
William Vu
1c889beada
Add Rex::Proto::PJL and PoC modules
2014-01-09 01:03:00 -06:00
Matt Andreko
d2458bcd2a
Code Review Feedback
Migrated the Sercomm module to use the CmdStager mixin to provide
uploading of the ELF binary.
Modified the CmdStagerEcho mixin to allow bypass of the "-en " since in
this case, the device messed up when it was used, and would actually
write the "-en " to the file, from some flaky busybox version of "echo".
2014-01-08 22:21:32 -05:00
James Lee
4bfe6b1b08
Remove pointless checks and add some docs
2014-01-08 14:37:40 -06:00
James Lee
4ba0020934
Simplify the logic deciding when we're finished
2014-01-08 14:22:44 -06:00
James Lee
22bdca92f4
Remove the ipv6 attr on Range
Makes more sense in the option hash.
2014-01-07 16:52:34 -06:00
James Lee
9c23910b69
Refactor Socket::Range
There was really no reason for it to inherit from Array. Also adds a few
more specs and gets coverage up to a more respectable percentage.
2014-01-07 16:31:55 -06:00
Joe Vennix
7af8fe9cd1
Catch exceptions in an XSS script and return the error.
2014-01-07 16:23:24 -06:00
Joe Vennix
fb1a038024
Update async API to actually be async in all cases.
This avoids zalgo. Also optionally checks the return value
of the compiled Function in XSS to allow you to use send()
or an explicit return, which is maybe more natural for
synchronous xss payloads.
2014-01-07 16:17:34 -06:00
Niel Nielsen
73e359ede1
Update reverse_tcp.rb
Change to OpenSSL::Digest from deprecated OpenSSL::Digest::Digest
2014-01-07 22:06:11 +01:00
Niel Nielsen
e3a3b560e2
Update bind_tcp.rb
Change to OpenSSL::Digest from deprecated OpenSSL::Digest::Digest
2014-01-07 22:02:52 +01:00
James Lee
2ed9772080
Fix unhandled exceptions when resolution fails
2014-01-07 12:00:04 -06:00
Meatballs
3bf728da61
Don't store in DB by default
2014-01-07 12:20:44 +00:00
Joe Vennix
9d3b86ecf4
Add explicit require for JSON, so msfpayload runs.
2014-01-05 14:58:18 -06:00
OJ
e3b90f3c4e
Fix issue with incorrect parameter parsing
Code was looking for -s instead of -a when dealing with domain
queries. This commit fixes that.
2014-01-05 20:06:47 +10:00
Joe Vennix
d00acccd4f
Remove Java target, since it no longer works.
2014-01-04 21:22:47 -06:00
OJ
8898486820
Change display message to show actual bind address
When running a http/https listener the address:port that was being
shown in the output was that which was passed to the victim as part
of the stager and not the actual listener address:port.
This commit fixes this so that the display is correct.
2014-01-05 11:28:51 +10:00
Joe Vennix
f2f68a61aa
Use shell primitives instead of resorting to echo hacks.
2014-01-04 19:00:36 -06:00
Raphael Mudge
6034c26fa7
Honor LPORT as callback port for HTTP/S handler
This commit completes our quest to (optionally) decouple the stage's
callback parameters from the interface/port our handler binds to.
LPORT is now patched into the stage over ReverseListenerBindPort.
2014-01-04 18:52:19 -05:00
Raphael Mudge
3c9d684759
Cleanup - Remove bind_address from reverse_http.rb
This commit removes the now unused bind_address function from
reverse_http.rb. This function returns an array of hosts the handler
should attempt to bind to (e.g., [LHOST value, any])
Other handlers (e.g., reverse_tcp.rb) loop through these values until
they're able to start a server with that bind address.
The HTTP server doesn't work this way. It's set up to try one address
and that's it. It makes sense to have the HTTP server always bind to
0.0.0.0 by default as future modules run by the user may register
resources with the same HTTP server.
2014-01-04 16:02:32 -05:00
Raphael Mudge
6f55579acd
HTTP Handler Bind to 0.0.0.0 or ReverseListenerBindAddress
This commit returns the HTTP/S handler to its former semantic glory.
By default the HTTP/S handler will bind to :: or 0.0.0.0. If the
user specifies a ReverseListenerBindAddress then, instead, the
server will bind to that address.
The previous commit to change the URL to always reference LHOST
should go with this too. LHOST is always my intent of where the
stage should call home to. ReverseListenerBindAddress would make
sense as my intent as to where I want to bind to. The two options
shouldn't take on each other's meanings.
2014-01-04 15:50:06 -05:00
Raphael Mudge
f93210ca74
Always Use LHOST for Full URL in HTTP/S Stage
Redmine #8726 documents a change where the reverse HTTP/S
tries to bind LHOST and if it can not it does a hard stop.
If it's expected that users will use ReverseListenerBindAddress
then this commit addresses #8726 by patching the
HTTP/S stage with the host provided by the user in LHOST.
Currently ReverseListenerBindAddress (if used) is patched
into the stage. This makes for a broken HTTP/S session if
the user sets this option to 0.0.0.0.
With this commit, users can provide any LHOST they like
and set ReverseListenerBindAddress to 0.0.0.0 and things
will work.
This commit does not attempt to bring the HTTP/S handler
back to the old behavior of falling back to 0.0.0.0 when
it can't bind LHOST. I'd welcome the old behavior but I
leave it to you to decide what makes sense. :)
2014-01-04 15:16:22 -05:00
Joe Vennix
b9c46cde47
Refactor runCmd, allow js exec.
* Updates exec payload to not touch disk
* Adds XSS module that uses hiddenWindow (to avoid X-Frame-Options)
2014-01-04 08:46:57 -06:00
Joe Vennix
60991b08eb
Whitespace tweak.
2014-01-03 18:40:31 -06:00
Joe Vennix
a5ebdce262
Add exec payload. Cleans up a lot of code.
Adds some yardocs and whatnot.
2014-01-03 18:23:48 -06:00
Joe Vennix
8fd517f9ef
Fixes shell escaping errors with nested quotes in windows.
2014-01-03 16:14:28 -06:00
Tod Beardsley
bd2033c587
Land #2814 , streaming webcam STDAPI add
2014-01-03 12:09:25 -06:00
Joe Vennix
13464d0aae
Minor cleanup of firefox.rb.
2014-01-03 01:34:57 -06:00
Joe Vennix
7961b3eecd
Rework windows shell to use wscript.
2014-01-03 01:29:34 -06:00
Meatballs
5606958320
Resolve require order
2014-01-02 23:46:18 +00:00
OJ
ef281bf31d
Adjust the getenv API
The getenv call in sys/config was renamed to getenvs and now uses
the splat operator so that arrays don't have to be passed in. A
new function called getenv was added which takes a single argument
and returns a single value back (for ease of use).
2014-01-03 08:05:45 +10:00
jvazquez-r7
f5f18965b9
Move the require to the payloads as ruby and nodejs payloads do
2014-01-02 16:05:03 -06:00
jvazquez-r7
764d0822f6
Use the current msf's naming convention
2014-01-02 15:57:09 -06:00
Joe Vennix
06fb2139b0
Digging around to get shell_command_token to work.
2014-01-02 14:05:06 -06:00
Samuel Huckins
dc80f30e03
Merge remote-tracking branch 'metasploit-framework/master' into masked-cred-format-update
2014-01-02 11:49:04 -06:00
Joe Vennix
8d3130b19e
Reorder targets.
2014-01-02 10:48:28 -06:00
Joe Vennix
9b39ea55ee
Fix comment.
2014-01-02 10:48:28 -06:00
Joe Vennix
1f9ac12dda
DRYs up firefox payloads.
2014-01-02 10:48:28 -06:00
Joe Vennix
694cb11025
Add firefox platform, architecture, and payload.
* Enables chrome privilege exploits in firefox to run a javascript cmd
shell session without touching the disk.
* Adds a spec for the addon_generator.
2014-01-02 10:48:28 -06:00
sinn3r
e6823c39c2
Incorrect variable used
2014-01-02 00:50:32 -06:00
William Vu
2554ad9b79
Land #2800, lib/msf/base YARD comments
2014-01-01 21:51:54 -06:00
Timothy Swartz
3ad8b0d530
Removed space from readable_text.rb
2013-12-31 16:38:40 -08:00
Timothy Swartz
a1e42e5c16
config.rb typo correction
2013-12-31 16:02:18 -08:00
jvazquez-r7
a979aedd9e
Avoid initial spaces on the JSP
So the jsp isn't affected by changes on the framework indentation standards
2013-12-31 08:38:38 -06:00
jvazquez-r7
0725b9c69c
Refactor JSP payloads
2013-12-31 08:27:37 -06:00
sinn3r
92a0ff1096
Add webcam livestream feature for meterpreter
[SeeRM #8729] - This meterpreter command allows the attacker to observe the target in real time
by turning their webcam live. There is also an HTML-based player provided, which does not require
a plugin or anything, just open it with a browser. The HTML-based player also allows the attacker
to put the livestream on the web (evil? yeah, kind of.)
2013-12-30 18:38:13 -06:00
Samuel Huckins
2f8f46c984
Merge remote-tracking branch 'metasploit-framework/master' into masked-cred-format-update
2013-12-30 13:31:49 -06:00
jvazquez-r7
8986659861
Land #2804, @rcvalle's support for disasm on msfelfscan
2013-12-30 12:24:22 -06:00
Samuel Huckins
985af3adfe
Update to masked credential format
* To support change in Pro export format. Previous format looked
like an XML element, for no reason, failed validation.
2013-12-30 10:59:15 -06:00
jvazquez-r7
b8569a1698
Land #2794, @Meatballs1's fix for to_exe_jsp on J7u21, [FixRM #8717]
2013-12-30 09:28:27 -06:00
jvazquez-r7
39844e90c3
Don't use merge! because it can modify self.compat
2013-12-27 16:37:34 -06:00
Ramon de C Valle
c1f377fda6
Add disasm option to msfelfscan
2013-12-26 16:26:45 -02:00
Timothy Swartz
e51fab01fc
Doc tag changes based on feedback.
2013-12-26 10:14:41 -08:00
Timothy Swartz
a20e888551
Added YARD tags/comments to readable_text.rb
Also fixed a few other tags.
2013-12-25 02:24:26 -08:00
Timothy Swartz
6c871a7e43
Added YARD comments to persistent_storage.rb
Also, fixed logging.rb link to Msf::Session
Added --no-private to .yardopts. This will hide anything marked with
@private from the generated documentation.
Previous additions in the msf/base directory and not msf/core.
2013-12-24 19:45:11 -08:00
Timothy Swartz
b07dfc4f44
Added YARD tags to msf/core/logging.rb
2013-12-24 19:42:24 -08:00
Timothy Swartz
ff4e94cd91
Added YARD comments to msf/core/config.rb
2013-12-24 19:42:24 -08:00
sinn3r
9c484dd0a3
Land #2786 - HP SiteScope issueSiebelCmd Remote Code Execution
2013-12-23 02:34:01 -06:00
Meatballs
f112e78de9
Fixes .war file creation
2013-12-22 20:58:21 +00:00
jvazquez-r7
ed838d73a6
Allow targets to specify Compat[ible] payloads
2013-12-19 17:48:15 -06:00
Joe Vennix
ca23b32161
Add support for Procs in browserexploit requirements.
2013-12-19 12:49:05 -06:00
Meatballs
62ef810e7c
Use Extapi if available
2013-12-19 18:18:47 +00:00
Meatballs
737154c2fe
Update to use extapi
2013-12-19 16:46:09 +00:00
Meatballs
3ef1c0ecd6
Merge remote-tracking branch 'upstream/master' into enum_ad_perf
2013-12-19 14:25:07 +00:00
Meatballs
6e43edff4c
Merge in extapi post mixin
2013-12-19 14:25:02 +00:00
Meatballs
244cf3b3f6
Merge remote-tracking branch 'upstream/pr/2736' into enum_ad_perf
2013-12-19 13:59:57 +00:00
Joe Vennix
cb390bee7d
Move comment.
2013-12-18 20:37:33 -06:00
Joe Vennix
f411313505
Tidy whitespace.
2013-12-18 20:31:31 -06:00
Joe Vennix
9ff82b5422
Move datastore options to mixin.
2013-12-18 14:52:41 -06:00
Joe Vennix
64273fe41d
Move addon datastore options into mixin.
2013-12-18 14:42:01 -06:00
Joe Vennix
1235615f5f
Add firefox 15 chrome privilege exploit.
* Moves the logic for generating a firefox addon into its own mixin
* Updates the firefox_xpi_bootstrapped_addon module to use the mixin
* Module only works if you move your mouse 1px in any direction.
2013-12-18 14:30:35 -06:00
Meatballs
3e54379b0e
Merge remote-tracking branch 'upstream/master' into wmic_post
Conflicts:
lib/msf/core/post/windows.rb
2013-12-18 13:40:54 +00:00
Meatballs
687cbe5f60
Shadowcopy should use common wmic command
Small fix to ensure output is retrieved (args -> nil)
Modify shadowcopy to use wmic_query
2013-12-18 13:34:50 +00:00
William Vu
252909a609
Land #2448, @OJ's ReverseListenerBindPort :)
2013-12-17 11:24:09 -06:00
Meatballs
6ee1a9c6e1
Fix duplicate error
2013-12-17 00:11:37 +00:00
Meatballs
06b399ee30
Remove ERROR_
To access as Error::NO_ACCESS
2013-12-16 19:52:11 +00:00
Meatballs
08a44fdfb7
Filename match module
2013-12-16 19:48:17 +00:00
Meatballs
57f2027e51
Move to module
2013-12-16 19:45:52 +00:00
Meatballs
c9084bd2d5
Remove errant fullstops
2013-12-16 18:53:37 +00:00
Meatballs
75c87faaf8
Add Windows Error Codes to Windows Post Mixin
2013-12-16 18:50:18 +00:00
Meatballs
0c5ac0176f
Undo psh net change
2013-12-16 13:43:40 +00:00
Meatballs
dd5b66f827
Undo psh net change
2013-12-16 13:42:37 +00:00
Meatballs
14c0096115
Update template
Use Copy instead of memset
Remove | Out-Null
2013-12-16 13:38:14 +00:00
Meatballs
8dfcc8aa77
WaitForThread
2013-12-16 12:44:58 +00:00
Meatballs
637be1bdfa
Should use RIG
2013-12-16 09:19:17 +00:00
Meatballs
0a29176855
Update psh_web_delivery for reflection
2013-12-16 09:08:01 +00:00
Meatballs
7cc99d76ad
Merge remote-tracking branch 'upstream/master' into powershell_auto_arch
Conflicts:
lib/msf/util/exe.rb
2013-12-16 09:07:08 +00:00
Meatballs
ca1c887e68
Add missing ]
2013-12-15 01:12:50 +00:00
Meatballs
819ba30a33
msftidy
Conflicts:
lib/msf/core/post/windows/services.rb
2013-12-15 01:12:46 +00:00
Meatballs
a930056d7f
Added service status checks to Post::Windows::Services
Added QueryServiceStatus to Railgun Advapi32 Definitions
Added Checks to module
Conflicts:
lib/msf/core/post/windows/services.rb
lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_advapi32.rb
2013-12-15 01:12:45 +00:00
Meatballs
284a45a6c5
Convert UTF16 to ASCII
2013-12-14 22:58:16 +00:00
Meatballs
e46b5c9d55
Revert to file io if no EXTAPI
2013-12-14 22:46:22 +00:00
Meatballs
ca5ee7e156
Load extapi before wmic
2013-12-14 22:45:56 +00:00
Meatballs
28f8ac322f
Enable inject
2013-12-14 21:30:52 +00:00
Meatballs
7347cb170c
Revert "Enable DLL injection in msfvenom"
This reverts commit 64e6531bbc.
2013-12-14 21:26:13 +00:00
Meatballs
b532987b8f
Re-add file out to wmic_command
2013-12-14 20:58:33 +00:00
Meatballs
8d5f298d3d
Clear clipboard first
2013-12-14 20:26:46 +00:00
Meatballs
7902f061ca
Final tidyup
2013-12-14 20:18:14 +00:00
Meatballs
04496a539c
Fix up local wmi exploit.
2013-12-14 20:05:51 +00:00
Meatballs
4224c016f4
Use WaitForSingleObject instead of loop
2013-12-14 18:42:31 +00:00
Meatballs
12afdd2cbb
Get and parse result from clipboard
2013-12-14 18:30:43 +00:00
Meatballs
3ad1e57f8d
Merge remote-tracking branch 'upstream/master' into wmic_post
2013-12-14 16:25:31 +00:00
jvazquez-r7
f3ce1c10db
Land #2758, @zeroSteiner's additions to railgun
2013-12-13 15:50:34 -06:00
Spencer McIntyre
a08c420862
Add railgun definitions for local exploit relevant functions.
2013-12-12 10:26:08 -05:00
jvazquez-r7
83e448f4ae
Restore vprint_error message
2013-12-12 09:06:29 -06:00
jvazquez-r7
5c1ca97e21
Create a new process to host the final payload
2013-12-12 08:26:44 -06:00
William Vu
ff9cb481fb
Land #2464, fixes for llmnr_response and friends
Fixed conflict in lib/msf/core/exploit/http/server.rb.
2013-12-10 13:41:45 -06:00
OJ
64b1e78e34
Fix page size and max results
2013-12-11 00:03:05 +10:00
OJ
8a1517fde8
Fix issues with missing params on computer enum
No more late night and rushed commits, its still and wastes people's time.
Thanks sinn3r for getting on this. Apologies for the poor quality of the PR.
2013-12-10 21:06:28 +10:00
OJ
2237419134
Merge branch 'upstream/master' into basic_adsi_support
2013-12-10 20:58:38 +10:00
Meatballs
45a0ac9e68
Land #2602, Windows Extended API
Retrieve clipboard data
Retrieve window handles
Retrieve service information
2013-12-08 19:01:35 +00:00
Meatballs
e5a92a18a5
and expand path
2013-12-08 19:01:03 +00:00
Meatballs
3c67f1c6a9
Fix file download
2013-12-08 18:57:10 +00:00
Meatballs
bc0c080947
Indentation
2013-12-08 18:18:44 +00:00
Meatballs
64e6531bbc
Enable DLL injection in msfvenom
2013-12-08 18:16:23 +00:00
OJ
a3c050c8b6
Added page size setting
2013-12-08 23:29:42 +10:00
OJ
8172596c0b
Fix rendering of result total
2013-12-08 20:58:03 +10:00
OJ
f13736d208
Add support for general domain queries
Specific queries are just wrappers over the top of the domain query
2013-12-08 20:41:30 +10:00
scriptjunkie
f4636c46a6
Removing unused endjunk, sections_end, cert_entry
2013-12-07 20:55:51 -06:00
scriptjunkie
77e9996501
Mitigate metasm relocation error by disabling ASLR
Deal with import error by actually using the GetProcAddress code.
2013-12-07 20:54:13 -06:00
scriptjunkie
8d33138489
Support silent shellcode injection into DLLs
Only run code on DLL_PROCESS_ATTACH, preventing infinite loop otherwise:
Added code would create thread -> calls DLL entry point -> calling added code...
2013-12-07 19:44:17 -06:00
OJ
35b051174c
Add basic ADSI enum of users and computers
2013-12-07 00:22:54 +10:00
Meatballs
3aebe968bb
Land #2721 Reflective DLL Mixin
Adds support to load a dll and identify the ReflectiveLoader offset.
Adds support to inject dll into process and execute it.
Updates kitrap0d, ppr_flatten_rec, reflective_dll_inject modules and
payload modules to use above features.
2013-12-06 12:26:51 +00:00
OJ
e90b7641ca
Allow self-destruct via "kill -s"
HTTP(s) payloads don't exit cleanly at the moment. This is an issue that's
being addressed through other work. However, there's a need to be able to
terminate the current HTTP(s) session forcibly.
This commit adds a -s option to kill, which (when specified) will kill
the current session.
2013-12-06 14:56:19 +10:00
OJ
4ca48308c1
Fix downloading of files
2013-12-06 13:40:20 +10:00
OJ
155836ddf9
Adjusted style as per egypt's points
2013-12-06 10:08:38 +10:00
OJ
ccbf305de1
Remove exception stuff from the payloads
2013-12-06 09:26:46 +10:00
OJ
5a0a2217dc
Add exception if DLL isn't RDI enabled
2013-12-06 09:18:08 +10:00
OJ
2cb991cace
Shuffle RDI stuff into more appropriate structure
Now broken into two modules, one for loading RDI DLLs off disk and
finding the loader function offset, and another for doing the process
specific stuff of loading into the target.
2013-12-06 08:25:24 +10:00
OJ
fb84d7e7fe
Update to yardoc conventions
2013-12-06 07:54:25 +10:00
Meatballs
1e60ff91ea
Move ExitThread patching to Msf::Util::EXE
2013-12-05 17:16:14 +00:00
sinn3r
c7bb80c1d7
Add wvu as an author to author.rb
2013-12-05 00:33:07 -06:00
OJ
b936831125
Renamed the mixin module
2013-12-05 08:13:54 +10:00
OJ
7b24f815ee
Missed a single module in rename
2013-12-04 22:54:07 +10:00
OJ
7e8db8662e
Update name of the mixin
Changed `RdiMixin` to `ReflectiveDLLInjection`.
2013-12-04 22:18:29 +10:00
OJ
f79af4c30e
Add RDI mixin module
MSF was starting to see more modules using RDI to load binaries into
remote processes, so it made sense to create a mixin which contained
the functionality that was being used in various locations.
This commit contains the new mixin, and adjustments to all the existing
exploits and modules which use RDI.
2013-12-04 16:09:41 +10:00
OJ
1d757c40db
Remove empty parens
2013-12-04 07:10:23 +10:00
OJ
8b77da4ef7
Fix non-rubyisms
2013-12-04 07:06:32 +10:00
OJ
18e1d9ce17
Revert "Start clipboard monitor functionality"
This reverts commit ecbdfd3502.
I don't know how this got in there, as it's in another branch waiting for more work.
My bad.
2013-12-04 07:03:12 +10:00
sinn3r
4d3d02ae01
Land #2667 - Add num and dword output format
2013-12-02 13:52:17 -06:00
corelanc0d3r
474a03475f
sorted out the sorts without .sort
2013-12-02 11:57:52 +01:00
yehualiu
8254c0bae2
this site is down
2013-12-01 14:26:03 +08:00
William Vu
77b036ce5d
Land #2703, uninit const fix for MSSQL_SQLI
2013-11-27 13:50:48 -06:00
jvazquez-r7
a5aca618e2
fix fail_with usage on Exploit::Remote::MSSQL_SQLI
2013-11-27 11:33:19 -06:00
jvazquez-r7
a32c9e5efc
Fix fail_with on Exploit::Remote::HttpClient
2013-11-27 11:19:46 -06:00
jvazquez-r7
0343aef7c8
Land #2695, @wchen-r7's support to detect silverlight
2013-11-27 09:40:12 -06:00
James Lee
25b1ec5b75
Land #2689, getenv
2013-11-26 23:33:25 -06:00
sinn3r
5d10b44430
Add support for Silverlight
Add support for Silverlight exploitation. [SeeRM #8705]
2013-11-26 14:47:27 -06:00
OJ
1a65566005
Add the getenv command which pulls env vars from the victim
This command will allow the attacker to grab environment variables from the
target, if they exist. Calling this function allows for one or more values
to be passed in, which should match the name of the variable required. If
the variable is found, it is returned. If it is not found, the variable
is not returned (i.e. it's not present in the resulting hash).
Note 1: POSIX environment vars are case-sensitive, whereas Windows is not.
Note 2: POSIX doesn't seem to cough up user environment vars, it only returns
system vars. I'm not sure why this is, but it could be because of the way
we do linking on POSIX.
2013-11-26 10:05:50 +10:00
OJ
86b6d647bf
Merge branch 'upstream/master' into ext_server_extapi
2013-11-25 07:43:36 +10:00
Meatballs
b015dd4f1c
Land #2532 Enum LSA Secrets
With refactoring of common methods from smart_hashdump, hashdump,
cachedump to Windows::Post::Privs
2013-11-24 18:09:33 +00:00
Meatballs
a3c7dccfc0
Add disconnect option to psexec
Allow the module to prevent the mixin from ending the SMB session.
2013-11-24 16:37:25 +00:00
Meatballs
dd9bb459bf
PSEXEC Refactor
Move peer into mixin
PSEXEC should use the psexec mixin
2013-11-24 16:24:05 +00:00
Meatballs
c03c33f6f6
Initial commit
2013-11-24 14:58:18 +00:00
Meatballs
e7dfda00db
Documentation
2013-11-23 22:03:43 +00:00
Meatballs
becc521406
Constants, yey
2013-11-23 21:46:11 +00:00
Meatballs
699d13eef1
Share the wealth
Move LDAP methods to a Post mixin.
2013-11-23 21:42:09 +00:00
William Vu
8e23119e17
Land #2678, DB_ALL_CREDS should default to false
2013-11-22 23:42:00 -06:00
Tod Beardsley
8fc0a8199e
DB_ALL_CREDS should be disabled by default
[SeeRM #8699]
2013-11-22 22:16:40 -06:00
OJ
4d1c3c1f01
Start clipboard monitor functionality
Added the basics of the clipboard monitor functionality with usage
messages and stuff like that. Lots more to do.
2013-11-22 13:31:40 +10:00
corelanc0d3r
66edfe968d
Sorting output
2013-11-21 00:57:08 +01:00
Tod Beardsley
e88da09894
Land #2660, DLL/service creation for x64
2013-11-20 17:25:16 -06:00
corelanc0d3r
0ea0dc168c
set _comment method to js for num and dword
2013-11-20 23:10:55 +01:00
corelanc0d3r
742c52711a
added 2 new output types for msfencode: num and dword
2013-11-20 22:36:17 +01:00
Joe Vennix
e10f9cc518
More whitespace fixes.
2013-11-20 15:07:51 -06:00
Joe Vennix
739c7b4ca2
More dead code and tweaks.
2013-11-20 14:44:53 -06:00
Joe Vennix
3ff9da5643
Remove compression options from client sockets.
I couldn't verify that it was working, as it always sends 1 compression type of NULL.
2013-11-20 14:41:45 -06:00
Meatballs
3ed84d1e0b
Remove puts
2013-11-20 20:29:54 +00:00
OJ
ecbdfd3502
Start clipboard monitor functionality
Added the basics of the clipboard monitor functionality with usage
messages and stuff like that. Lots more to do.
2013-11-21 06:29:37 +10:00
Meatballs
7253cc73d5
:payload_instance
2013-11-20 20:28:00 +00:00
Meatballs
f27194a8ce
Always default to payload options
2013-11-20 20:14:59 +00:00
Meatballs
135dad1f4e
Fix dll/service creation
2013-11-20 20:10:47 +00:00
Joe Vennix
b70b594a2a
Kill extraneous comma.
2013-11-20 13:47:47 -06:00
Joe Vennix
a7b01e3b72
Put initialize params back on one line, and move attr_accessors.
As per @hdm's feedback
2013-11-20 12:29:09 -06:00
Joe Vennix
e74e75fe6f
Revert changes to legacy rescues.
2013-11-20 12:20:34 -06:00
jvazquez-r7
110e78a1ad
Land #2507, @todb-r7's fix to allow DCERPC mixin to use RPORT
2013-11-20 10:21:32 -06:00
Joe Vennix
9f103f8621
Whitespace tweak.
2013-11-20 01:15:15 -06:00
Joe Vennix
f8b57d45cd
Reenable the client SSLCompression advanced option.
Add spec for some of the additions to Rex::Proto::Http::Client
2013-11-20 01:03:13 -06:00
Joe Vennix
d51b92b06f
Turns out & ~ does work.
Decided not to expose this as a datastore option for the Client,
but it can be used internally to toggle the compression.
2013-11-20 00:01:48 -06:00
Joe Vennix
a8c55f23a7
Remove &~ bit-clearing method in favor of defaults.
For some reason the OP_ALL & ~OP_NO_COMPRESSION method doesn't work,
but it is late and the default is false anyways.
2013-11-19 23:42:58 -06:00
Joe Vennix
109fc5a834
Add SSLCompression datastore option.
Also disables the compression by default. TLS-level compression is almost
never used by browsers, and openssl seems to be the only one that enables
it by default.
This also kills some ruby < 1.9.3 code.
2013-11-19 22:34:39 -06:00
jvazquez-r7
647c867c2d
Land #1681, @sempervictus Rex::Text::Ui::Table [] method
2013-11-19 16:30:09 -06:00
jvazquez-r7
e1eddc84aa
Check for inexistent column names
2013-11-19 16:02:52 -06:00
jvazquez-r7
162d433014
Use snake_case for variables
2013-11-19 15:46:11 -06:00
jvazquez-r7
6a13a0eee6
fix indentation
2013-11-19 15:42:12 -06:00
Meatballs
a327321558
Re-do 'exe-small' for scripting payloads.
Fall back to default x64 exe for ARCH_X86_64
2013-11-19 21:19:12 +00:00
jvazquez-r7
7435d74c59
Land #2093, @sempervictus MaxChar for Rex::Ui::Text::Table cols
2013-11-19 13:34:45 -06:00
Tod Beardsley
ac1fb2d1da
Just use a straight RPORT, don't sneak 593.
Incidentally, the endmap scanner doesn't appear to work at all for
http-rpc-epmap, so no harm done anyway (tested against Windows 2008
server).
It looks like a bigger change than it really is, thanks to the indentation
changes by removing the iterator. Diff this without whitespace changes to
get a better idea of what's actually different.
2013-11-19 13:29:02 -06:00
jvazquez-r7
34dccaaa1f
Clean use of -c on creds command
2013-11-19 13:26:14 -06:00
jvazquez-r7
f690667294
Land #2617, @FireFart's mixin and login bruteforcer for TYPO3
2013-11-18 13:37:16 -06:00
jvazquez-r7
7dd70d4c19
Switch to vprint_debug some mixin messages
2013-11-18 13:33:45 -06:00
jvazquez-r7
ae440130f5
Reduce code complexity easily
2013-11-18 13:25:50 -06:00
jvazquez-r7
f61c1548ee
Use verbose by default on mixin error messages
2013-11-18 13:23:05 -06:00
jvazquez-r7
eb8c3ba657
Switch to normal indentation
2013-11-18 13:20:49 -06:00
jvazquez-r7
4cf16cf360
Land #2633, @OJ's port of Kitrap0d as local exploit
2013-11-14 09:27:10 -06:00
James Lee
0aef145f64
Merge remote-tracking branch 'upstream/master' into land-2532-enum-lsa
2013-11-13 18:11:21 -06:00
James Lee
8471f74b75
Refactor ivar to a more reasonable method
...
Also changes jtr output for cachedump to produce hashes that can be
auto-detected as mscash2 format for a better user experience.
2013-11-13 18:09:41 -06:00
James Lee
16627c1bd3
Add spec for capture_lsa_key
2013-11-13 15:16:34 -06:00
William Vu
6bd82d8589
Land #2636, Win8 for {constants,platform}.rb
2013-11-13 14:20:52 -06:00
sinn3r
3a923422a3
Update class for Win 8
2013-11-13 13:27:44 -06:00
William Vu
94a2f52ccc
Land #2637, version number bump to 4.9.0-dev
2013-11-13 13:20:18 -06:00
James Lee
3168359a82
Refactor lsa and add a spec for its crypto methods
2013-11-13 11:55:39 -06:00
Tod Beardsley
74df9bd037
Bump version number since 4.8.0 is out
2013-11-13 11:42:31 -06:00
sinn3r
8e90116c89
Add Win 8 to constants
2013-11-13 11:38:27 -06:00
sinn3r
2fc43182be
Land #2622 - Fix up proxy/socks4a.rb
2013-11-12 18:22:32 -06:00
jvazquez-r7
ef6d9db48f
Land #2613, @wchen-r7's BrowserExploitServer mixin
2013-11-12 17:33:12 -06:00
sinn3r
fbe1b92c8f
Good bye get_resource
2013-11-12 17:25:55 -06:00
Tod Beardsley
2035983d3c
Fix a handful of msftidy warnings, and XXX SSL
...
Marked the SSL stuff as something that needs to be resolved in order to
fix a future bug in datastore manipulation. Also, fixed some whitespace
and exec complaints
[SeeRM #8498]
2013-11-11 21:23:35 -06:00
sinn3r
cf8f2940b0
Oops, this is the right filename
2013-11-11 15:45:11 -06:00
sinn3r
85150823cd
rename again
2013-11-11 15:44:27 -06:00
Tod Beardsley
8c1d7d936b
Revert "Fix conflict lib/msf/util/exe.rb"
...
This was causing build failures:
https://travis-ci.org/rapid7/metasploit-framework/builds/13816889
It looks like there were a whole bunch of changes that weren't intended.
This reverts commit 3996557ec6, reversing changes made to 62102dd1f9.
2013-11-11 13:48:39 -06:00
sinn3r
6a840fc169
Move file to get a matching name
2013-11-11 12:41:03 -06:00
William Vu
8d4d7dae50
Restore comment header and remove carriage returns
2013-11-11 12:16:14 -06:00
sinn3r
d483f2ad79
Land #2618 - rm shebangs
2013-11-11 11:55:23 -06:00
Jonathan
36064ca886
remove EOL carriage return from socks4a.rb
2013-11-11 12:47:41 -05:00
sinn3r
3996557ec6
Fix conflict lib/msf/util/exe.rb
...
Conflicts:
lib/msf/util/exe.rb
2013-11-11 11:43:09 -06:00
sinn3r
62102dd1f9
Land #2544 - Vbs minimize
2013-11-11 11:14:56 -06:00
sinn3r
33f65dd611
Land #2577 - Use base64 to reduce psh-net payload size
2013-11-11 10:21:20 -06:00
OJ
063da8a22e
Update reverse_https_proxy stager/handler
...
This change updates the proxy handler code, which for some reason was
omitted in the original commits. This now uses the same mechanism as
the new code. It removes `HIDDENHOST` and `HIDDENPORT`, and instead
uses `ReverseListenerBindHost` and `ReverseListenerBindAddress`.
2013-11-11 22:21:05 +10:00
OJ
6a25ba18be
Move kitrap0d exploit from getsystem to local exploit
...
This version modifies the existing meterpreter session and bumps the privs
up to SYSTEM. However it's not how local exploits are supposed to work.
More work will be done to make this create a new session with the elevated
privs instead.
2013-11-11 17:14:40 +10:00
Jonathan
26482f9ebd
reset head~2 and removed shebang from unattend.rb
2013-11-09 15:05:56 -05:00
Tod Beardsley
cc9ac7695d
Land #2592, add getproxy
...
Needed for new functionality in #2612
2013-11-08 13:20:20 -06:00
Jonathan
575072585f
removed shebangs from files within rex
2013-11-07 18:51:59 -05:00
sinn3r
866f240337
A little update on documentation
2013-11-07 17:06:43 -06:00
sinn3r
32b12609bd
Forgot to pass optional headers
2013-11-07 16:50:58 -06:00
FireFart
bdd33d4daf
implement feedback from @jlee-r7
2013-11-07 23:07:58 +01:00
FireFart
aab4d4ae76
first commit for typo3
2013-11-07 22:38:27 +01:00
scriptjunkie
7615264b17
Merge branch 'lanattacks_fix' of git://github.com/OJ/metasploit-framework into OJ-lanattacks_fix
2013-11-07 10:35:00 -06:00
sinn3r
991240a87e
Support java version detection
2013-11-07 00:54:52 -06:00
sinn3r
3e1771aa77
Being able to pass binding when we need to
2013-11-07 00:12:29 -06:00
sinn3r
23996ec32c
Fix up some things
2013-11-06 22:47:02 -06:00
OJ
1dacf7e57e
Last lot of shebangs removed
2013-11-07 07:35:51 +10:00
OJ
6422e1d6e8
Remove shebang, code tidy, as per @jlee-r7's gripes
2013-11-07 07:32:04 +10:00
sinn3r
c338f7a8c0
Change how requirements are defined, rspec, etc
2013-11-06 14:01:29 -06:00
sinn3r
c92116060e
Forgot to rm this line
2013-11-06 01:53:46 -06:00
sinn3r
f2e4d5507c
More rspec
2013-11-06 01:45:40 -06:00
sinn3r
636adc81de
Add rop_junk and rop_nop
2013-11-06 01:04:33 -06:00
sinn3r
65c96a1f45
Allow the module to be target specific
2013-11-06 00:57:53 -06:00
sinn3r
63d3c7e8bb
Put proxy headers in a constant
2013-11-05 16:33:36 -06:00
sinn3r
73701462ed
Fix ActiveX. Use ERB for Javascript detection code.
2013-11-05 16:26:41 -06:00
OJ
7dcb071f11
Remove shebang and fix pxexploit
2013-11-06 07:10:25 +10:00
James Lee
36f96d343e
Revert "Revert "Land #2505" to resolve new rspec fails"
...
This reverts commit e7d3206dc9.
2013-11-05 13:45:00 -06:00
sinn3r
9c6b187cc6
stuff
2013-11-05 11:05:33 -06:00
sinn3r
0513dad789
-_-
2013-11-05 10:30:37 -06:00
sinn3r
9d1742ac47
Fix typos
2013-11-05 10:15:53 -06:00
sinn3r
8fb2b943be
Add ActiveX detection
2013-11-05 01:34:56 -06:00
sinn3r
5f2d8358c0
Be more browser specific with Javascript generation
2013-11-05 01:04:52 -06:00
sinn3r
844daf0e00
No regex for get_resource checking
2013-11-04 17:49:43 -06:00
sinn3r
054a525f35
Change profile data structure
2013-11-04 17:46:36 -06:00
sinn3r
ef57a38274
Move documentation about profile structure
2013-11-04 16:47:15 -06:00
OJ
d1e008387a
Stop auto preview, code clean
...
Removed the auto preview of captured images from the clipboard.
Removed parens from calls to print_line.
2013-11-05 07:15:31 +10:00
OJ
12810580d6
Remove arg for bind port/addr functions
...
Done to avoid masking of datastore instance variable.
2013-11-05 06:56:21 +10:00
OJ
f62247e731
Fix comments, indenting and pxexploit module
...
Updated the comments and indentation so they're not blatantly wrong.
Adjusted the pxexploit module so that it doesn't break any more as
a result of the refactoring.
2013-11-05 06:35:50 +10:00
sinn3r
9c8ecd2ede
Fix encoding order
2013-11-04 14:06:42 -06:00
sinn3r
d970925cbf
Fix encoding bug
2013-11-04 13:45:29 -06:00
sinn3r
ed572d95ee
Merge joev's PR for Rex::Exploitation::Js::Network
2013-11-04 12:58:08 -06:00
sinn3r
23e5a9f048
Force on_request_exploit override
2013-11-04 12:54:52 -06:00
sinn3r
e83f4e5120
Use a warning
2013-11-04 12:54:41 -06:00
sinn3r
25787fbaa7
Change has_proxy?
2013-11-04 12:52:15 -06:00
sinn3r
c6fb570480
Correct bad method naming
2013-11-04 12:35:04 -06:00
sinn3r
016e686bcf
super chomp
2013-11-04 12:28:22 -06:00
sinn3r
c3d9f4064c
They are symbols not strings
2013-11-04 12:10:39 -06:00
sinn3r
0337e6ff54
Do yard documentation
2013-11-04 12:09:59 -06:00
OJ
ff78082004
Refactor lanattacks ruby code, add command dispatcher
...
The lanattacks module didn't seem to have a command dispatcher, and
hence loading the module would always result in a failure. This
commit fixes this problem.
The commit contains a bit of a refactor of the lanattacks code to be
a little more modular. It also has a shiny new dispatcher which breaks
the DHCP and TFTP functionality up into separate areas.
2013-11-04 17:37:42 +10:00
joev
bccbed2757
Rename :use_xhr_shim to :inject_xhr_shim.
2013-11-02 16:52:04 -05:00
joev
90d8da6a21
Fix some bugs in my edits, add a spec.
2013-11-02 16:46:33 -05:00
joev
c7c1fcfa98
Pull shared XHR shim out, add option to static Js module method.
...
* Moves shim to data/js/network/xhr_shim.js
* Add some yardoc comments
2013-11-02 14:52:50 -05:00
OJ
d658fa46b4
Updated help, removed binaries
2013-11-02 23:10:16 +10:00
OJ
67fbeacbf0
Add support for optional image downloading
...
Without -d, `CF_DIB` types will just show image dimensions. Running
with -d will result in the image being looted.
2013-11-02 23:07:13 +10:00
sinn3r
abc06aa8aa
Use mutex
2013-11-01 11:35:23 -05:00
sinn3r
5fb261a974
Change var name
2013-10-31 23:48:41 -05:00
sinn3r
d54c8a359b
Fix bug in proxy detection
2013-10-31 23:42:43 -05:00
sinn3r
7a33c48a0f
No double slash
2013-10-31 23:17:38 -05:00
sinn3r
5851d502b5
Rename some stuff
2013-10-31 23:12:20 -05:00
sinn3r
21891a8337
Make sure the browser can't retry by going to the first URL
2013-10-31 23:08:17 -05:00
sinn3r
94d62613ab
Pretty much done with these, remove these comments.
2013-10-31 19:04:11 -05:00
sinn3r
828ef9c64c
Adds target-specific payload generator
2013-10-31 18:54:01 -05:00
sinn3r
8a0ebcbac7
Adds method get_module_resource
2013-10-31 14:34:38 -05:00
sinn3r
10fd892827
Fix a "undefined method to_sym" bug
...
If something is undetectable, the value may be empty, which triggers
an undefined method error because the regex always assumes there is
something. So instead of +, we use *.
2013-10-31 14:06:05 -05:00
sinn3r
6e7e5a0ff9
Put postInfo() in the js directory
2013-10-31 13:55:22 -05:00
sinn3r
00efad5c5d
Initial commit for BrowserExploitServer mixin
2013-10-31 13:17:06 -05:00
William Vu
f5d1d8eace
chmod -x .rb files without #! in modules and lib
...
It wasn't just cmdstager_printf.rb. :/
2013-10-30 19:51:25 -05:00
William Vu
3e1ae4c9b3
Land #2504, @todb-r7's edit command for msfconsole
2013-10-30 15:38:07 -05:00
Tod Beardsley
900ccc7ec9
VISUAL is okay. Also doesn't need to be a path.
...
I don't believe this opens an untoward attack vector -- if your attacker
can run Metasploit locally, you have much bigger problems.
2013-10-30 15:34:23 -05:00
OJ
2fbac9b129
Add `getproxy` command
...
This command pulls out system proxy details on windows machines.
2013-10-30 18:40:51 +10:00
jvazquez-r7
26af6452da
Land #2588, @wvu-r7's permissions change for cmdstager_printf.rb
2013-10-29 08:07:19 -05:00
OJ
1f6c320bb3
Tidy up of extapi code, new bins
...
* Rename methods to remove redundancy.
* Update bins to freshly compiled version.
* Use the Rex Table functionality instead of custom look.
* Use the `usage` feature of the Arguments class for help.
2013-10-29 21:22:05 +10:00
OJ
606411de81
Fix mimikatz error when password is nil
...
In some cases the password value that comes out of mimikatz results
is `nil`, instead of an empty string. This fixes this so that if
the string is `nil` it falls back to an empty string, resulting in
the call to `gsub` working instead of failing.
2013-10-29 15:13:32 +10:00
William Vu
333a0d5820
chmod -x cmdstager_printf.rb
2013-10-28 18:47:14 -05:00
Tod Beardsley
4bf041ec46
Use Rails, not Ruby, time formats.
...
Since MSF now requires ActiveSupport, may as well reference it correctly.
2013-10-25 11:52:54 -05:00
Tod Beardsley
b781e58a67
Unformat the prompt and promptchar
2013-10-25 11:40:28 -05:00
jvazquez-r7
0084f32ca2
Print default values when options are unset
2013-10-25 11:21:42 -05:00
Meatballs
e18dd3ec0b
Use base64 to reduce size
2013-10-25 01:19:43 +01:00
ethicalhack3r
6f605fb009
Typo
2013-10-24 16:33:26 +02:00
Tod Beardsley
b5f26455a3
Land #2545 , javascript library overhaul
2013-10-23 16:12:49 -05:00
sinn3r
caf41f34bf
Land #2562 - Fix RM 8510 (FileDropper)
2013-10-22 21:45:33 -05:00
sinn3r
acc73dd545
Land #2282 - BypassUAC now checks if the process is LowIntegrityLevel
2013-10-22 17:16:26 -05:00
jvazquez-r7
7d1dc3746f
Use the @schierlm's command
2013-10-22 16:19:49 -05:00
sinn3r
ee95ca5e2b
Land #2158 - Fix NoMethodError undefined method `split' for nil:NilClass
2013-10-22 16:01:27 -05:00
Tod Beardsley
dc0d9ae21d
Land #2560, ZDI references
...
[FixRM #8513]
2013-10-22 15:58:21 -05:00
sinn3r
e1c4aef805
Land #1789 - Windows SSO Post Module
2013-10-22 15:48:15 -05:00
Meatballs
8611a2a24c
Merge remote-tracking branch 'upstream/master' into low_integ_bypassuac
2013-10-22 21:42:36 +01:00
sinn3r
ba1edc6fa8
Land #2402 - Windows Management Instrumentation Local -> Peers
2013-10-22 15:39:32 -05:00
jvazquez-r7
4ad9bc5efe
Try to [FixRM #8510]
2013-10-22 08:42:14 -05:00
sinn3r
afcce8a511
Merge osdetect and addonsdetect
2013-10-22 01:11:11 -05:00
sinn3r
19615ac4b7
Apparently I missed a lot of stuff
2013-10-21 21:02:01 -05:00
sinn3r
fcba529ea5
Update coding format
2013-10-21 20:54:25 -05:00
sinn3r
99d5da1f03
We can simplify this
2013-10-21 20:22:45 -05:00
sinn3r
ea56c4914c
Need this file
2013-10-21 20:17:38 -05:00
sinn3r
9a3e719233
Rework the naming style
2013-10-21 20:16:37 -05:00
William Vu
9258d79978
Add ZDI references to reference.rb
2013-10-21 15:13:46 -05:00
sinn3r
032da9be10
Land #2426 - make use of Msf::Config.data_directory
2013-10-21 13:07:33 -05:00
Tod Beardsley
e7d3206dc9
Revert "Land #2505" to resolve new rspec fails
...
This reverts commit 717dfefead, reversing changes made to 6430fa3354.
2013-10-21 12:47:57 -05:00
sinn3r
c929fbd7f4
Land #2555 - Retry shell without thread impersonation
2013-10-21 12:25:15 -05:00
William Vu
717dfefead
Land #2505, missing source fix for sock_sendpage
2013-10-21 11:47:55 -05:00
Meatballs1
58a82f0518
Update exe.rb
...
Rename values
2013-10-21 13:50:07 +01:00
OJ
cf65f59a28
Retry shell without thread impersonation
...
In certain scenarios on Windows XP there are times when creating a
shell fails with the error `ERROR_PRIVILEGE_NOT_HELD`. When this
happens the user will usually fall back to a non-impersonated shell
via the command: `execute -f cmd.exe -H -i -c`
This patch catches the error, warns the user of the failure and then retries
to create the interactive shell without the `-t` flag.
2013-10-21 15:29:19 +10:00
OJ
4e90394c7f
Add support for CF_DIB clipboard formats
...
Image data copied to the clipboard, such as a screenshot, is converted to a JPEG using GDI+, and downloaded to the local loot folder.
This feature doesn't work with W2K as a result, but that doesn't really bother me. The code is simpler and much smaller as a result and doesn't require the inclusion of the jpeg library code.
2013-10-21 00:05:42 +10:00
sinn3r
2d24824e78
Use data_directory instead of install_root
2013-10-19 17:55:03 -05:00
sinn3r
8a94df7dcd
Change category name for base64
2013-10-18 21:20:16 -05:00
sinn3r
62dadc80d3
Make sure the data type for the return value is a string
2013-10-18 21:08:46 -05:00
sinn3r
298f23c91c
Fix extra slashes that cause browser autopwn to fail.
2013-10-18 20:43:39 -05:00
Tod Beardsley
ffcb86eba2
Land #2541, Outpost24 importer
...
Sample data is currently secret. If we get a hold of non-secret sample
data, it'll be tacked on to the Redmine bug referenced below.
[FixRM #8384]
2013-10-18 13:21:58 -05:00
Tod Beardsley
f6675f3120
Reordered case statements
2013-10-18 13:21:28 -05:00
sinn3r
8579cb8322
Use obfuscation
2013-10-18 13:06:19 -05:00
Meatballs
2ef89eaf35
Randomize exe name
2013-10-18 19:01:28 +01:00
Meatballs
56aa9ab01c
Reduce size
2013-10-18 18:59:30 +01:00
Meatballs
4e4d0488ae
Rubyfy constants in privs lib
2013-10-18 18:26:07 +01:00
sinn3r
6f04a5d4d7
Cache Javascript
2013-10-18 12:23:58 -05:00
William Vu
93ff9ec501
Create methods for start_element for readability
2013-10-18 12:20:43 -05:00
William Vu
ff69e9fd05
Move product info code to a better location
2013-10-18 12:07:34 -05:00
sinn3r
3af38b9602
I bet "../" will drive people crazy, avoid that.
2013-10-18 11:56:03 -05:00
William Vu
e6cccedad0
Append vuln info to vuln description
2013-10-18 11:31:54 -05:00
sinn3r
b0d614bc6a
Cleaning up requires
2013-10-18 01:47:27 -05:00
Meatballs
e450e34c7e
Merge branch 'master' of github.com:rapid7/metasploit-framework into low_integ_bypassuac
...
Conflicts:
modules/exploits/windows/local/bypassuac.rb
2013-10-17 23:35:36 +01:00
Meatballs
5a662defac
Post::Privs uses Post::Registry methods
2013-10-17 23:28:07 +01:00
sinn3r
c926fa710b
Move all exploitation-related JavaScript to their new home
2013-10-17 16:43:29 -05:00
William Vu
12151650e4
Add product info to hosts and services :)
2013-10-17 16:18:27 -05:00
William Vu
06c7943f54
Import hostnames without breaking everything
2013-10-17 15:31:48 -05:00
William Vu
920e406526
Import CVE refs and db.emit all the things
2013-10-17 14:29:54 -05:00
Tod Beardsley
72a052942f
Methodize the editor variable as local_editor
2013-10-17 14:11:20 -05:00
Rob Fuller
8f2ba68934
move decrypt_lsa and decrypt_secret to priv too
2013-10-17 00:04:21 -04:00
Rob Fuller
541d932d77
move decrypt_lsa to priv as well
2013-10-16 23:53:33 -04:00
Rob Fuller
60d8ee1434
move capture_lsa_key to priv
2013-10-16 23:45:28 -04:00
Rob Fuller
1a9fcf2cbb
move convert_des_56_to_64 to priv
2013-10-16 23:39:07 -04:00
Rob Fuller
1a85bd22a8
move capture_boot_key to post win priv
2013-10-16 22:46:15 -04:00
OJ
d4d4839dc2
Add size (bytes) of the files on the clipboard
...
Output of the `clipboard_get_data` call now includes the size
of each file in bytes.
2013-10-16 22:54:55 +10:00
OJ
afc5e282a9
Add CF_HDROP file support to the clipboard
...
`clipboard_get_data` has been changed so that raw text is supported and file listings are supported.
If files are on the clipboard, those files and folders are listed when this command is run. To download the files, pass in the `-d` option.
2013-10-16 17:46:22 +10:00
sinn3r
0081e186f7
Make sure i var is local
2013-10-15 23:59:23 -05:00
William Vu
ad8af02021
Add my wonderfully simplistic Outpost24 parser
2013-10-15 16:34:46 -05:00
sinn3r
4c91f2e0f5
Add detection code MS Office
...
Add detection code for MS Office XP, 2003, 2007, 2010, and 2012.
[SeeRM #8413]
2013-10-15 16:27:23 -05:00
William Vu
38965f91ee
Add Outpost24 importer code to core/db.rb
2013-10-15 15:32:28 -05:00
sinn3r
41ab4739e3
Land #2520 - Add detection for FF 22 - 24
2013-10-15 15:17:43 -05:00
James Lee
676f12e50e
Import the new plaintext export format
...
Also:
* Import John the Ripper's plaintext from cracked NTLM hashes in the
same way
* Don't choke on : in passwords when reading JtR's output
* Fix some whitespace
* Show a count of inactive creds if there are any instead of acting like
they don't exist
2013-10-15 15:12:18 -05:00
OJ
414a814d5d
Add the start of clipboard support
...
This commit adds support for getting text-based information from the
victim's clipboard and for setting text-based data to the victim's
clipboard. Early days, with much wiggle room left for extra fun
functionality.
2013-10-15 23:57:33 +10:00
OJ
ea89b5e880
Add support for child window enumeration
...
Children of windows can now be enumerated via the -p parameter, which
specifies the handle of the parent window to enumerate.
There is also a -u parameter which includes unknown/untitled windows
in the result set.
2013-10-15 18:02:27 +10:00
Tod Beardsley
14be85ea5d
Land #2511, fix up NoMethodError and hanging connx
2013-10-14 16:30:19 -05:00
joev
711fac08b7
Don't throw exception if createElement is missing.
2013-10-14 14:15:13 -05:00
joev
183940308b
Add another nil check, just to be safe.
2013-10-14 13:55:54 -05:00
joev
20a145f1e7
Check for prop in prototype, not constructor.
2013-10-14 13:51:45 -05:00
joev
488ed5bd4a
Add new feature detection logic for FF 23 and 24.
2013-10-14 13:41:26 -05:00
William Vu
35dd94f0ac
Land #2518, uninitialized JavascriptOSDetect fix
2013-10-14 13:32:04 -05:00
sinn3r
e10dbf8a5d
Land #2508 - Add nodejs payloads
2013-10-14 12:23:31 -05:00
sinn3r
da3081e1c8
[FixRM 8482] Fix uninit constant Rex::Exploitation::JavascriptOSDetect
...
This fixes an uninit constant Rex::Exploitation::JavascriptOSDetect
while using a module with js_os_detect. It was originally reported
by Metasploit user @viniciuskmax
[FixRM 8482]
2013-10-14 11:40:46 -05:00
James Lee
60f5567511
Output plaintext creds in a way john can use them
2013-10-13 13:36:03 -05:00
Meatballs
cad717a186
Use NDR 32bit syntax.
...
Compatible with both x86 and x64 systems.
Tidy up the module...
2013-10-12 18:52:45 +01:00
joev
c7bcc97dff
Add SSL support to #nodejs_reverse_tcp.
2013-10-12 03:32:52 -05:00
joev
6440a26f04
Move shared Node.js payload logic to mixin.
...
- this fixes the recursive loading issue when creating a payload
inside the cmd payload
- also dries up some of the node cmd invocation logic.
2013-10-12 03:19:06 -05:00
Tod Beardsley
876d4e0aa8
Land #1420, WDS scanner
2013-10-11 16:53:25 -05:00
Tod Beardsley
4d76e8e9ac
Add RPORT to the list of DCERPC ports to check
...
[FixRM #8479]
2013-10-11 16:23:38 -05:00
Tod Beardsley
423b490168
Use Rex::Compat.getenv instead
...
Also, this would deprecate out the editor plugin.
2013-10-11 10:42:13 -05:00
Tod Beardsley
a7025fca3d
msfconsole 'edit' command
...
Useful for quick editing a module during development / bug fixing. I
don't really see a security issue with running a command defined in the
user's VISUAL or EDITOR environment variables; if the user can run
msfconsole to begin with, there are better ways to get into trouble.
2013-10-10 23:00:25 -05:00
OJ
b99af52279
Improve extapi ruby structure, add bins
...
The extapi project will get bigger over time so this change allows for the code to get
bigger without becoming a headache before it starts.
Added binaries to this commit as well.
2013-10-11 09:52:23 +10:00
Tod Beardsley
85112e8704
Land #2413, axe callcc
...
This is the only time callcc is used in the entire codebase, too, so
this apparently removes a roadblock to non-MRI Rubies, so that's nice.
2013-10-10 14:55:55 -05:00
Meatballs
378f403fab
Land #2453, Add stdapi_net_resolve_host(s) to Python Meterpreter.
...
Moves resolve_host post module to multi and deprecates Windows module.
Resolve will now return nil for failed lookups instead of an empty
string.
2013-10-10 20:13:06 +01:00
Meatballs
9ca9b4ab29
Merge branch 'master' into data_dir
...
Conflicts:
lib/msf/core/auxiliary/jtr.rb
2013-10-10 19:55:26 +01:00
William Vu
de57cbc67d
Land #2497, @todb-r7's author alphabetization
2013-10-10 13:00:50 -05:00
OJ
cbaeebeff7
Add service_query to ext_server_extapi
...
Once the user has queried the list of services they can now use the
`service_query` function to get more detail about a specific service.
2013-10-11 01:02:51 +10:00
OJ
23340e9df0
Add service_enum to the ext_server_extapi extension
...
This commit adds the ability to enumerate services on the target machine,
showing the PID, the service name, the display name and an indication of
the service's ability to interact with the desktop.
Some other small code tidies were done too.
2013-10-10 21:23:23 +10:00
kernelsmith
adbcace9dd
Land #2458, OJ's Meterpreter railgun multi call fix
...
also [FixRM #8269]
2013-10-10 00:38:44 -05:00
Tod Beardsley
4f1e71e222
Also this isn't Lua. Deal with commas.
2013-10-09 17:30:57 -05:00
Tod Beardsley
c8dc251042
Alphabetize authors
...
Because alphabetizing is cool and makes it easy for humans to find
things in long array lists quickly.
Also, I need to keep my lines changed count up.
2013-10-09 17:29:17 -05:00
James Lee
947925e3a3
Use a proper main signature with arguments
...
Allows us to `unlink(argv[0])`
2013-10-09 17:22:01 -05:00
Spencer McIntyre
6c382c8eb7
Return nil on error, and move the module to post/multi.
2013-10-09 16:52:53 -04:00
Tod Beardsley
9d34a8c894
Land #2465, deal with missing cpuinfo bins
...
[FixRM #8456]
Thanks @ZeroChaos!
2013-10-09 13:03:48 -05:00
Tod Beardsley
356263df56
Litter some more rescue nil's in there
...
I hate them but they were there when I got there.
A more sane way to deal with this should happen someday.
2013-10-09 12:17:13 -05:00
Tod Beardsley
f95da649f8
Deal with missing bins, too.
...
This could be way more DRY. At least there's a YARD-ish comment.
This fixes up https://github.com/rapid7/metasploit-framework/pull/2465
to be a more complete solution.
[SeeRM #8465]
2013-10-09 12:13:44 -05:00
OJ
47801c17b3
MSF started to the extended API with window enum
...
Decided to kick off a new extended API extension with mubix and
kernelsmith to include some more advanced enumeration stuff. The goal of
this extension is to take stuff that wouldn't be part of the std api but
is rather useful for enumeration of a target once meterpreter has been
established.
This commit kicks things off with enumeration of top level windows on the
current desktop.
2013-10-09 22:25:43 +10:00
Markus Wulftange
e895a17722
Add 'no quotes' option for CmdStagerPrintf
...
Exploit developers can use the ':noquotes => true' option to avoid
single quotes surrounding the octal escapes argument.
2013-10-08 21:04:28 +02:00
jvazquez-r7
2593c06e7c
Land #2412, @mwulftange's printf cmd stager
2013-10-08 09:08:29 -05:00
Markus Wulftange
6f7d513f6e
Another clean up and simplification of CmdStagerPrintf
2013-10-08 07:22:09 +02:00
Tod Beardsley
ff6dec5eee
Promote joev to a first class citizen
...
[See #2476]
2013-10-07 12:40:43 -05:00
Markus Wulftange
836ff24998
Clean and fix CmdStagerPrintf
...
Clean up of the CmdStagerPrintf as discussed in mwulftange#1
2013-10-05 10:39:55 +02:00
sinn3r
77cbb7cd19
Update function documentation
2013-10-04 15:18:27 -05:00
ZeroChaos
5f4e4de267
fix for bug 8456
...
On systems without bundled johntheripper (either by removing the bundled version or by no compatible version shipped) the system john is used. In this case, all of the checking for compatible bundled jtr makes no sense and as such we can shortcut out of this to not only reduce the size of msf (for embedded) but also to speed execution (saving multiple calls to some random bundled binary cpuinfo*.bin).
This patch makes it very easy to simply remove cpuinfo and msf will not try to run it when missing and default to running john from the path.
2013-10-04 15:58:47 -04:00
James Lee
541833e2cc
Convert llmnr_response to use Net::DNS
...
* Allows responding to AAAA requests in addition to the existing A
support
* Prevents problems when recvfrom returns a mapped address like
"::ffff:192.0.2.1"
Also:
* Fix a few typos
* capture: Don't shadow a method name (arp) with a local variable
* capture: Handle the case where our UDP send hits an ENETUNREACH
2013-10-04 12:35:30 -05:00
sinn3r
29d1c75d1c
Update RopDb mixin to allow dynamic payload size for neg
...
This adds a new key to allow a "safe" integer value to NEG. "Safe"
means the value does not have any null bytes after the NEG instruction,
which is typically used to calculate the payload size.
2013-10-03 23:09:23 -05:00
OJ
21afa9defe
Meterpreter railgun multi call fix
...
Modifications accommodate changes in the multi-call railgun code that
were made to Meterpreter.
This also includes a fix for Redmine 8269, so the Windows constants
now work correctly with the multi-calls.
2013-10-04 12:04:18 +10:00
Meatballs
c460f943f7
Merge branch 'master' into data_dir
...
Conflicts:
modules/exploits/windows/local/always_install_elevated.rb
plugins/sounds.rb
scripts/meterpreter/powerdump.rb
scripts/shell/spawn_meterpreter.rb
2013-10-02 20:17:11 +01:00
James Lee
b822a41004
Axe errant tabs and unused vars
2013-10-02 13:47:39 -05:00
jvazquez-r7
758fd02619
Windows 7 SP1 and newer fail when forcing IPv6 sockets
2013-10-02 09:45:51 -05:00
OJ
82162ef486
Add error message support to railgun
...
This code was lost in the transition when the meterpreter source was
removed from the metasploit-framework source. I'm pulling this in by
request of @dmaloney-r7 who originally requested this code be included
as part of https://github.com/rapid7/metasploit-framework/pull/740
I added an extra bit of code to free up memory that is allocated by the
call to FormatMessage and forced the ASCII-version (FormatMessageA) of
the call.
This PR is the MSF side of https://github.com/rapid7/meterpreter/pull/26
2013-10-01 17:23:08 +10:00
Meatballs
29a7059eb4
Update AlwaysInstallElevated to use a generated MSI file
...
Fixes bugs with MSI::UAC option, invalid logic and typo...
2013-09-29 17:09:03 +01:00
Tod Beardsley
2fb770f73e
Land #1569, MSI payloads
...
The bins are signed by Meatballs, everything looks good here, so
landing. Thanks for your patience on these!
2013-09-27 16:29:27 -05:00
Tod Beardsley
7cc2ad55a6
Land #1770, unattend.xml snarfing modules
2013-09-27 16:04:38 -05:00
Tod Beardsley
63d638888d
Get rid of interior tabs
2013-09-27 16:04:03 -05:00