Commit Graph

327 Commits (aec0067d14313c4e96e98a31323ca5dc4633ac4f)

Author SHA1 Message Date
Brent Cook 5954e2300f updates based on feedback
Add documentation to the view constants.
Use include? rather than regexes
2015-01-20 16:57:49 -06:00
Brent Cook a42cc2ef1f add support for specifying 32 or 64-bit registry access
This adds an extra parameter to most of the post/windows/registry
methods called 'view' that specifies if a registry key should be
accessed as a native process, 32-bit or 64-bit.

Support is added to both the Meterpreter and command-line backends. For
the command backend, a lot of boilerplate is removed from each method in
favor of a few shared commands. There is an error hash that never gets
used, so I removed it as well.

This passes the post/test/registry module with meterpreter, but fails
the command line backend. However, it fails in the same way without
these changes (tested on Windows 8), so I suspect that the command line
session was already not working well, at least with newer versions of
Windows. I might look into figuring out how to fix that, but it looks
pretty fragile to me, parsing for english phrases in the output.
2015-01-20 15:26:59 -06:00
Brent Cook a2a1a90678
Land #4316, Meatballs1 streamlines payload execution for exploits/windows/local/wmi
also fixes a typo bug in WMIC
2015-01-16 11:16:22 -06:00
Brent Cook fb5170e8b3
Land #2766, Meatballs1's refactoring of ExtAPI services
- Many code duplications are eliminated from modules in favor of shared
   implementations in the framework.
 - Paths are properly quoted in shell operations and duplicate operations are
   squashed.
 - Various subtle bugs in error handling are fixed.
 - Error handling is simpler.
 - Windows services API is revised and modules are updated to use it.
 - various API docs added
 - railgun API constants are organized and readable now.
2015-01-08 16:54:01 -06:00
Brent Cook 05279ef02a consistently use double-quoted paths
allow for variable expansion if needed
2015-01-08 16:10:28 -06:00
Meatballs 8f720ef766
Use get_env in runas 2015-01-08 11:07:40 +00:00
OJ 844460dd87
Update bypass UAC to work on 8.1 and 2012
This commit contains a bunch of work that comes from Meatballs1 and
Lesage, and updates the bypassuac_inject module so that it works on
Windows 8.x and Windows 2012. Almost zero of the code in this module
can be attributed to me. Most of it comes from Ben's work.

I did do some code tidying, adjustment of style, etc. but other than
that it's all down to other people.
2015-01-08 15:39:19 +10:00
Meatballs dd5c638ab0
Merge remote-tracking branch 'upstream/master' into extapi_service_post 2015-01-05 22:18:44 +00:00
sinn3r d45cdd61aa Resolve #4507 - respond_to? + send = evil
Since Ruby 2.1, the respond_to? method is more strict because it does
not check protected methods. So when you use send(), clearly you're
ignoring this type of access control. The patch is meant to preserve
this behavior to avoid potential breakage.

Resolve #4507
2015-01-02 13:29:17 -06:00
Spencer McIntyre 698ca2639b Do not delete files that do not exist in rm_f 2014-12-17 09:18:06 -05:00
Meatballs 5d18de2ebf
Fix legacy railgun LDAP implementation 2014-12-13 18:26:26 +00:00
Meatballs 186d8bd359
Fix starts_with? 2014-12-04 20:16:56 +00:00
sinn3r f6f0050f56 Fix #3886 - Backtrace for #check when session is invalid
If the user supplies an invalid session (as in not on the session
list), it will cause a backtrace, because the setup method from
Msf::PostMixin isn't actually called.

We have thought about implementing this in a new OptSession instead.
But you can't use or even pass framework to option_container.rb, so
this is NOT possible.

The original PR was #3956.
2014-12-02 17:22:46 -06:00
jvazquez-r7 cc8b37d619 Make directory mandatory 2014-11-17 12:15:33 -06:00
jvazquez-r7 15b7435c34 Make it YARD compliant documentation 2014-11-17 12:03:37 -06:00
Jon Hart cd32f00ebc
Add dir doc 2014-11-17 09:15:08 -08:00
Jon Hart 98db8b5ad9
When not a meterpreter session, split dir/ls output to match meterpreter entries output 2014-11-17 09:10:03 -08:00
Jon Hart 5f1a1f8ed3 Use dir for Windows only, ls for the rest 2014-11-17 09:01:14 -08:00
Jon Hart 6519b0e2cb Add dir and ls to Msf::Post::File 2014-11-17 09:01:14 -08:00
Joe Vennix b1b8cba4c5
Rescue an IOError on channel double-close.
This was causing output from python meterpreter
commands run on OSX to be discarded when the error
was raised, making cmd_exec not-so-useful.
2014-10-01 22:35:41 -05:00
Meatballs d5959d6bd6
Land #2585, Refactor Bypassuac with Runas Mixin 2014-09-28 09:24:22 +01:00
Meatballs d2bc0baa87
Merge remote-tracking branch 'upstream/master' into extapi_service_post
Conflicts:
	lib/msf/core/post/windows/services.rb
2014-08-24 19:46:19 +01:00
OJ e0df664656
Land #3653 : NETAPI x64 fixes 2014-08-19 11:40:43 +10:00
HD Moore 5e123e024d Add 'coding: binary' to all msf/rex library files
This fixes a huge number of hard-to-detect runtime bugs
that occur when a default utf-8 string from one of these
libraries is passed into a method expecting ascii-8bit
2014-08-17 17:31:53 -05:00
Meatballs 8302e82ca1
Use x64 ptr sizes 2014-08-14 23:32:04 +01:00
Spencer McIntyre b602e47454 Implement improvements based on feedback 2014-08-05 21:24:37 -07:00
b00stfr3ak 88f23832e6 Added Time out
For some reason the handler was closing before the command could
complete.  Added the time out from bypassuac and now both psh and exe
work perfectly.
2014-08-02 14:29:42 -07:00
b00stfr3ak 5aa347ef65 Changed Method Names
Changed names to look like shell_execute_(option), to make it more
defined on what it does.
2014-08-01 17:10:32 -07:00
b00stfr3ak def652a50e Merge https://github.com/rapid7/metasploit-framework into bypassuac/psh_option 2014-08-01 14:32:55 -07:00
Meatballs 902cf4bc1e
Fix var name 2014-07-31 23:16:53 +01:00
Meatballs 90c0f587bf
Fix for newer powershell 2014-07-31 23:11:51 +01:00
Meatballs 15c1ab64cd Quick rubocop 2014-07-31 23:11:00 +01:00
Meatballs d336c56b99
Merge remote-tracking branch 'upstream/master' into land_2551 2014-07-31 23:06:37 +01:00
b00stfr3ak 391e2bb99b Fixed some style changes
Removed upload var, it really served no purpose.
2014-07-30 22:42:07 -07:00
Tod Beardsley a62ee99d1d
Actually require NetAPI 2014-07-21 12:48:34 -05:00
scriptjunkie 8fe508207c Merge Meatballs' gpp_again pull into new branch 2014-07-19 11:10:14 -05:00
William Vu 25f74b79b8
Land #3484, bad pack/unpack specifier fix 2014-07-16 14:52:23 -05:00
jvazquez-r7 c19deddfb1 Delete debug messages 2014-07-08 16:24:45 -05:00
jvazquez-r7 c25c5f6806 Make linux gather post modules compatible with meterpreter 2014-07-08 16:23:57 -05:00
Meatballs 05c9757624
Merge in #3488 2014-07-04 20:37:09 +01:00
HD Moore c9b6c05eab Fix improper use of host-endian or signed pack/unpack
Note that there are some cases of host-endian left, these
are intentional because they operate on host-local memory
or services.

When in doubt, please use:

```
ri pack
```
2014-06-30 02:50:10 -05:00
OJ 5879ca3340
Merge branch 'upstream/master' into meatballs x64_injection 2014-06-18 10:24:33 +10:00
sinn3r 2a7227f443
Land #3427 - Adds webcam module for firefox privileged sessions on OSX 2014-06-11 22:27:25 -05:00
joev 4a9f50bb60 Clean up some dead code. 2014-06-06 16:20:40 -05:00
joev 7c762ad42c Fix some minor bugs in webrtc stuff, inline API code. 2014-06-06 16:18:39 -05:00
Meatballs f0e9a9010e
Return nil if fail 2014-06-01 11:55:40 +01:00
Meatballs a4ecd8e02d
Should return the thread object 2014-06-01 11:49:56 +01:00
Tom Sellers aa85cb8195 Update powershell.rb 2014-05-29 05:46:32 -05:00
Tom Sellers ae1b7e564b Update powershell.rb 2014-05-27 05:18:00 -05:00
Tom Sellers 42a17cc085 Update powershell.rb
To be clear, the shell that was tested with was 'windows/shell_reverse_tcp' delivered via 'exploit/windows/smb/psexec'

Additional changes required to fix regex to support the multiline output.  Also, InstanceId uses a lower case 'D' on the platforms I tested - PowerShell 2.0 on Windows 2003, Windows 7, Windows 2008 R2 as well as PowerShell 4.0 on Windows 2012 R2.

This method doesn't appear to be used anywhere in the Metasploit codebase currently.
2014-05-25 08:59:42 -05:00