If we have more data, and the packet parser needs more data, connect the two
together rather than bailing. This fixes reverse_tcp_ssl along with probably a
lot of other higher-latency corner cases.
This is a fix for crap and stupid stuff that I did half way through the
packet pivot code. I was working on some priv stuff at the same time,
and when I realised that the work I was doing was not sensible as part
of the packet pivot PR, I failed to revert my changes properly.
As a result I broke `getprivs` and `getsystem`. I am sorry. And I'm
ashamed.
Since OpenSSL is no longer packages with meterpreter, and transport
secrecy is handled at L7, the SSL cons name doesn't apply anymore.
Rename METERPRETER_TRANSPORT_SSL to METERPRETER_TRANSPORT_TCP for
consistency with wire-level implementation.
When running Rex HTTP client calls across pivots, pivot sockets
can get closed by the remote server, resulting in a closed :conn
object within the client object. The clients :close method calls
self.conn.shutdown which raises an 'IOError closed stream' on what
is effectively a TCPSocket object in a closed state (under the Rex
abstraction).
Resolve by moving the self.conn.closed? check into the conditional
just above the :shutdown call, and remove if from the underlying
:close call as calling :close on an already closed TCPSocket
returns nil as opposed to throwing an exception like the :shutdown
method.
This fixes a [] for NilClass bug in the download_file API.
The opts argument is not checked for nil before the code looks for
the block_size key.
Fix#8636
This changes the encryption flags on the meterpreter session so that
it's 32 bits (and hence changes the packet header). This also supports
the idea that sessions may use encryption that isn't AES256, so the
flags field will ultimately indicate that. A type flag has been added so
that MSF knows the type that should be done on the wire.
At some point soon we'll add something that makes sure that the packet
encryption type always matches the encryption type expected in MSF, this
will hopefully avoid the risk of having packets injected into the stream
by external entities.
The data being pulled out of the MSV credential dump was not being
rendered propertly because it was assumed that all accounts would
provide the same set of hashes/details for each entry found. However,
this was not the case. Some have NTLM & SHA1, others have LM & NTLM,
some have DPAPI when others don't.
This code generates tables based on the values found, and renders those
values in the appropriate columns, and if the values don't exist for
a given account, the column is left blank.
Fixes#8620
DNS spoofing module should be feature complete, with forwarding of
requests which do not have cached answers (can be disabled same as
the native server module), empty replies to reduce client wait on
outstanding DNS requests, and post-send output in verbose mode
to reduce garbage and execution time in the critical/racy path.
This module is best used in conditions where MITM is achieved by
way of MAC spoofing, route interception, or compromise of an inline
host on the datapath. The attacker should avoid forwarding
original requests to the intended destination, or if this is not
possible, prevent replies from traversing the MITM space in order
to avoid race conditions between the spoofer and victim.
Example iptables configuration on MITM host:
iptables -t nat -A POSTROUTING -o eth0 -p udp ! --dport 53 -j ...
Testing:
Internal testing in Virtualbox local network, atop 802.11, and
mostly in Neutron (with port security disabled on the VIFs) atop
OpenStack Liberty ML2+OVS.
Allow retrieval of '*' from stored static entries for spoofing
all domains to any IP using wildcard names. Replace the wildcard
response with the name submitted to the search in the response.
Fix improper checks in DNS::Packet for Resolv objects from decode
to encode.
Misc cleanup for records not responding to :address, convenience
methods, and packet structure.
Import PCAP-based DNS spoofing server module:
This module uses the Capture mixin to sniff and parse packets off
the wire, then match answers to sniffed requests from static
entries in the server's cache. If answers are found, they are
appended to a cloned packet with reverse saddr/daddr pairs at
layers 2-4, the qr bit is set, and it is injected back into the
interface from where it came.
Minor cleanup in the Rex::Proto::DNS::Server::Cache class to allow
multiple address->name pairs and fix issues when adding multiple
static entries.
In order to handle TCP and UDP clients in a common manner, the
DNS server created a Rex::Socket::Udp object to represent the
client object allowing for a client.write(response) approach to
returning results for both TCP and UDP clients. During work on
the common socket abstractions (#6692) it became apparent that
remote pivoted sockets cannot be created with the same exact param
set used on the server socket - sockets dont reuse with localhost
and localport params being the same, an exception is raised from
the Windows side of the pivot abstraction. Creating a new socket
for every request is also needless overhead and noise.
Create the MockDnsClient class to consume peerhost, peerport, and
the DNS server's UDP socket as arguments in order to execute a
sendto() from the existing socket when sending a response. A write
method is provided in the class for common interface between the
UDP and TCP request handlers.
This has been tested in conjunction with #6692 and shown to be
successful as serving remote requests from the IO.select polled
pivot socket running on a Windows host via Meterpreter.
Implement a check for self.cid.nil? in Meterpreter's Channel class
in the :closed? method for compatibility with the Socket's :closed?
Touch up the Rex DNS server's stop method using this method on
pivot sockets.
Add SOL_SOCKET and SO_REUSEADDR options to the Rex UDP sockets
created by the DNS components - the server socket, as well as the
client abstraction socket.
Create default generator methods for DNS request and response in
the Packet module.
Packet.generate_request is directly adapted from
Net::DNS::Resolver.make_query_packet with conveniences added from
the local namespace.
Packet.generate_response is a convenience wrapper for attaching
responses to request, flipping the qr bit, and adjusting the rCode
for NXDomain or NoError depending on whether the response has any
answers or not. Existing responses being passed into this method
with new answers or an empty array will have their rCode updated
accordingly for NoError and NXDomain.
Clean up Rex::Proto::DNS::Server by use of the convenience method
and removal of the :validate method (as its now in Packet).
Add Packet.valid_hostname? as a wrapper for matching against the
Rex::Proto::DNS::Constants::MATCH_HOSTNAME regex.
Add convenience methods for little and big endian operations on
DNS packet contents. Use the convenience methods for quick ID
and request length extraction without full packet parsing.
Advanced options are now camel cased
Use :blank? on datastore options instead of serial checks for :nil?
and :empty?
Rex::Proto::DNS::Server :on_client_data updated to ask the tcp_sock
to close this client if it exists in the rescue clause.
Create Rex::Proto::DNS::Packet and Packet::Raw to allow common
parsing, validation, and raw data operations across both Rex and
Msf namespaces.
The modules contain class methods and do not need to be mixed in
to use their functionality Packet.method is enough, and reduces GC
strain since new objects are not constantly being instantiated, and
these modules contain no internal state.
Clean up UDP socket leak from Rex::Proto::DNS::Server under certain
conditions.
Create Msf::Exploit::DNS::Common mixin to provide descendants with
access to Packet and the hostname Regex.
-----
Testing:
Tested running the RC provided in the pull request
Manual testing in IRB/Pry while porting PoC for CVE-2015-7547
Rex::IO::StreamServer provides consistent methods and accessors
for TcpServer type consumers, but includes logic for client actions
which are not relevant in a datagram context - connect and
disconnect actions, as well as any notion of stateful session
persistence (the clients queue) do not apply in this paradigm.
Implement a Rex::IO::GramServer mixin which provides common methods
for dispatching requests and sending responses. Defines the same
callback structure for procs as used in the StreamServer, though
utilizing dispatch_request_proc and send_response_proc with client
and data parameters for efficient interception of execution flow
when dealing with stateless comms.
Rewire Rex::Proto::DNS server to use instance variables along the
same convention as other modules, implement the GramServer mixin,
and minor misc cleanup.
-----
Change calling conventions in Rex::Proto::DNS::Server to match
other components.
Clean up the Msf::Exploit::DNS namespace with generic server
interfaces.
Fix the advanged options naming convention - as hdm pointed out,
evasion options use the '::' separator, advanced options use "_".
-----
Testing:
Basic functional tests in Pry for now.
Bail out early unless the monitor thread is running since pruning
will not automatically occur. Continue to raise an exception when
invalid cache attempts are made. If this behavior is not desired,
override the method or create a descendant with altered behavior.
Create default_dispatch_request method in Server to allow an
intercepted dispatch request to fall back into default exec flow.
Add attr_reader to the records hash in Cache
Provide Resolver and Server with comm option for their sockets.
Compose configuration hashes for the Rex Sockets used in requests
based on the Resolver's own configuration, including passing the
Framework context, and CHOST/CPORT options in from Msf namespaces.
Missed the attr_accessors in first commit - added.
Updated Cache stop method to iterate over the resulting Array of
records without holding a write lock over it (:each vs :map).
Glanced over https://www.ietf.org/rfc/rfc1035.txt and set proper
bits for the response and recursion fields prior to passing off the
data for return.
TODO:
Write mixin for easier packet manipulation with configurable
response builders which can determine proper settings for header
fields based on server/resolver configuration. Document to allow
exploit/vector developers to make use of the functionality...
Add Rex::Proto::DNS and Rex::Proto::DNS::Constants namespaces
Create Rex::Proto::DNS::Resolver from Net::DNS::Resolver
Create Rex::Proto::DNS::Server and Rex::Proto::DNS::Server::Cache
Constants -
A Rex::Socket style MATCH_HOSTNAME regex has been added to
help validate DNS names.
Resolver -
Based off of old work creating Rex socket overrides in the
Net::DNS::Resolver as well as allowing for proxying and making
automatic adjustments to use TCP for proxied connections. This
resolver pivots with MSF, uses proxies, and doesnt pull in the
default /etc/resolv.conf information which can lead to info leak.
Automatically sends Net::DNS::Packet and Resolv::DNS::Message
objects to the appropriate nameservers.
TODO: Review for potential low level concurrent resolution impl.
Server::Cache -
Threadsafe wrapper around a Hash which holds Net::DNS::RR keys
with Time.to_i values for counting eviction/stale time without
altering the original record.
Takes records with a TTL of < 1 as static entries which are not
flushed or pruned by the monitor thread.
Server -
A standard Rex level server allowing for client connections with
TCP and UDP listeners. Provides common framework for handling the
different transports by creating a "client" type object as a Rex
UDP socket and passing it back to the dispatch/sender methods.
This server can host listeners on remote pivot targets since it
utilizes Rex sockets, and should not leak internal information
from the resolver as easily either.
Can be configured with a custom resolver regardless of its own
listener configuration (UDP/TCP mix is fine), and carries a
threadsafe wrapper for swapping the resolvers nameservers under
a Mutex.synchronize. Since listeners and resolvers can pivot,
a compromised host in one environment can serve DNS information
obtained by the resolver pivoting through a completely different
target.
The server takes blocks for dispatch and send functions which
when defined, will intercept the standard execution flow which is
to parse the request, check the cache for corresponding records,
then forward the remaining questions in a request via the resolver,
and build + send a response back to the client.
The accessors for dispatch and send, resolver, and cache are
accessible at runtime, though it is likely unsafe to replace the
cache and resolver while they are accessed from other threads.
-----
Testing:
Initial testing performed in IRB/Pry generating manual requests.
Subsequent checks performed using the running server as the sys
resolver.
Additional testing is needed - the default dispatch_request
behavior may not be correct (i need to check the RFCs for this) as
it handles multiple questions for A records. This should be tuned
to be RFC compliant, with inheriting classes changing behavior as
needed. We also need to ensure that we're not leaking our own DNS
information to our targets, so all sorts of abuse is in order.
-----
TODO:
Create Msf::Exploit::DNS namespace utilizing this functionality.
- Move the threaded enum_dns work, as well as work from 6187,
into the namespace
- Review existing modules for functional overlap and move here
as needed. This should be done in separate commits/PRs.
Create specific DNS servers for spoofing, exploit delivery, and
finally handling DNS tunnels (the primary reason for this work).
Write spec
- Convince/coerce a friendly soul in the community to handle
spec for this fiasco while building further functionality.
Mettle can run in all sorts of environments where some colums of a
process table will be nil. The existing implementation compacts
rows going into the table while providing filtering for the colum
contents only by checking the output of the first row in the proc
table.
Check column filters against all rows to ensure proper table init.
Check columns going into table for match against header.
Do not compact nil values in the table rows - some things, like
kthreads/workers dont have a path while other PIDs will.
This is an emergency fix as a result of something being broken in
master. This is also being pushed straight to master because github is
down and the PR process isn't possible. This commit was reviewed by
@wvu-r7 prior to being pushed.
The Session GUID will identify active sessions, and is the beginning of
work that will allow for tracking of sessions that have come back alive
after failing or switching transports.
The aim of this commit is to allow users of Meterpreter in high-latency
environments have better control over the behaviour of the download
function. This code contains two new options that manage the block size
of the downloads and the ability to set "adaptive" which means that the
block size will adjust on the fly of things continue to fail.
This patch updates the MSF db_import functionality w.r.t. importing Acunetix XML files to do the following:
- import web vulnerabilities identified by Acunetix
- import all services for each scanned host
- does not pull in the specifc program/version name of each service, as that's pretty loosely formatted in the Acunetix XML
Pearce Barry
William Vu
Tim W
scriptjunkie
OJ
Spencer McIntyre
bwatters-r7
Brent Cook
Brent Cook
James Lee
Bradley Landherr
William Webb
Jeffrey Martin
h00die
loftwing
Christian Mehlmauer
Josh Hale
RageLtMan
Craig Smith
Tabish Imran
Corey Harding
wchen-r7
dmohanty-r7
Anderson
Dirkjan Mollema
TheNaterz
HD Moore