This fixes#4866, an issue with msfvenom not properly handling special
cases with generic payloads. So the story behind this fix is that
we have these two problems:
Problem 1: The current payload selection design relies on the payload
module in order to set the platform and arch. Almost all MSF payloads
contain a default platform and arch, however, the bind and reverse
generic payloads don't.
Problem 2: By default, Msf::Payload::Generic also explicitly sets the
PLATFORM and ARCH datastore options to nil. So there is no way the
payload generator can figure out what platform and arch to use.
As a result of these problems, msfvenom will actually end up getting
a Msf::Module::Platform as the default platform, which doesn't
actually represent any valid platform we can use (such as
Msf::Module::Platform::Windows). And the first item of ARCH_ALL for
the arch.
In addition, msfvenom has these two arguments that the user can use:
--platform and --arch. In most cases, these arguments are used more
like checks than actually setting anything. Because remember:
Framework's payload selector retreives the platform & arch from the
module (trusted), not the user input (untrusted). But from the user's
perspective it's impossible to know this.
After experimenting different ways to fix this, I came up with this
patch. It feels sort of more like a hack than a real fix, but as
far as I can tell, this is the best you can get unless you want to
redesign generic payload selection.
* Stageless payloads weren't adding brackets around IPv6 hosts.
* Staged HTTP handler was using an undefined function to check for IPv6
addresses when host header overriding was disabled.
Session expiry, comms timeout, retry total/wait are all now part of all
of the meterpreter payloads as these are going to be used for
maintaining access with resiliency and will aim for consistency across
the payload types.
This code adjusts the bind_tcp stager for x86 so that the listener
socket isn't close for meterpreter payloads. This means that meterpreter
can make an educated guess as to whether or not the payload was a bind
or tcp payload, and from there can attempt to establish communications
in the same way as before should something break along the way.
Some simple adjustments to the x64 meterpreter stage as well, but more
to come here.
Methods now require a hash. I went with the hash because 1) that's what
we seem to use everywhere else, and 2) I couldn't get the new keyword
arguments working nicely with the block syntax (I'm clearly stupid).
There is an old-looking bug where the deletekey command opens the key it tries
to delete, then deletes the same key name again. Basically, it uses the wrong
level of indirection.
If the session doesn't have a payload UUID we now generate one as best
we can. This code will probably go away when TCP related transports have
had the UUID stuf baked in.
This uses HD's UUID stuff to generate a new URI for the transport.
Currently we don't have UUID support for TCP connections, but that's
coming.
Still do to: generation of a valid UUID for payloads that don't already
have one.
Add support to meterpreter that allows for the querying and toggling of
SSL certificate verification on the fly.
In order to verify that the socket was SSL-enabled, some rejigging had
to be done of the type? method in the ssl socket class.
Somehow this made it into a merge when it shouldn't have. This fix moves
the URI checksum module to where it needs to be and updates all the
references where required. This will result in a class with the dynamic
transport branch, but I can fix that after.
the chef web ui and symantec web gateway
loginscanners do not save the target(host/port/proto) info
in the Result object. This can cause modules to break as they
expected the Result to contain that information
MSP-12499
We had a workaround to close connections on very old wininet implementations
that would not do it themselves. With the new WinHttp API-using meterpreters
and stagers, we no longer should use this workaround. It can actually be
actively bad and prematurely close the connection.
This needs testing around different payloads, and they should be on real
networks, ideally where TCP really has to work to get data transfered.
* Move the uri checksum code to a spot that can be shared with rex.
* Adjust modules to make use of this new location.
* Fix up the tranpsort switcher to add the URI for those payloads.
The smb_version module needs to deregister the SMBDirect option,
but cannot do this because SMBDirect is a required option. By
having it as optional, the user no longer needs to set it. Also,
since SMBDirect already has a default value, having it as optional
should not change the mixin's default behavior.
16eab48012 introduced changes to
cmd_db_nmap which pass a new arguments variable to Open3 with a
list of args excluding save.
This approach created a problem wherein the address of the target
had to be passed in first and arguments could get mangled.
Reintroduce an array format, exploding when passing to Open3.
Ensure output file options are appended to the arguments being
passed to Open3, instead of the args variable.
Error example:
db_nmap -F 192.168.0.1
[*] Nmap: 'nmap: unrecognized option '- 192.168.0.1 ''
This commit contains a few minor tweaks
for style and format. Some whitespace removed,
an erroneous 'return' removed, and using single
quotes for consistency. Updated as per request.
These functions address certain problems
listed in GitHub issue #4353, but do not
address all issues in that ticket. Most
notably, this commit adds basic tab
completion for db_nmap.
Squashed commit of the following:
commit 1dcad7c21b
Merge: 1a2f35d35d29f5
Author: OJ <oj@buffered.io>
Date: Thu Mar 19 14:43:27 2015 +1000
Land #4953 : Updated POSIX meterpreter binaries
commit 35d29f5d08
Author: Brent Cook <bcook@rapid7.com>
Date: Wed Mar 18 22:57:03 2015 -0500
update linux meterpreter bins
commit 1a2f35d806
Merge: 076f15f346b1d5
Author: OJ <oj@buffered.io>
Date: Thu Mar 19 12:41:20 2015 +1000
Land #4951: Dynamic URI generation for Java/Python reverse_http(s)
commit 076f15f933
Merge: b33e7f43f8ed56
Author: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Wed Mar 18 20:59:54 2015 -0400
Land #4792 @jakxx Publish It PUI file exploit
commit 3f8ed56a9a
Author: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Wed Mar 18 20:57:58 2015 -0400
Add available space to the payload info
commit b33e7f477c
Merge: 0d1f2055dd718e
Author: joev <joev@metasploit.com>
Date: Wed Mar 18 17:17:34 2015 -0500
Land #4947, h0ng10's TWiki exploit.
commit 346b1d539f
Author: HD Moore <hd_moore@rapid7.com>
Date: Wed Mar 18 16:24:01 2015 -0500
Revert Java back to static size for cache purposes (less cpu usage on startup)
commit 33bbf7cb7e
Author: HD Moore <hd_moore@rapid7.com>
Date: Wed Mar 18 16:08:11 2015 -0500
Dynamic URI generation for python/java http(s) stagers
commit 0d1f2055c5
Merge: e943cb5dab4333
Author: HD Moore <hd_moore@rapid7.com>
Date: Wed Mar 18 15:31:22 2015 -0500
Lands #4949 which fixes#4845
commit dab4333867
Author: rwhitcroft <rw81junk@gmail.com>
Date: Wed Mar 18 16:07:46 2015 -0400
updated asm in block
commit 7ae97393e0
Author: rwhitcroft <rw81junk@gmail.com>
Date: Wed Mar 18 15:34:31 2015 -0400
fix x64/reverse_https stager shellcode
commit e943cb550f
Merge: d152c41d1a2f58
Author: OJ <oj@buffered.io>
Date: Wed Mar 18 22:34:52 2015 +1000
Land #4585 : CVE-2015-0975 XXE in OpenNMS
commit d1a2f58303
Author: OJ <oj@buffered.io>
Date: Wed Mar 18 22:17:44 2015 +1000
Fix of regex for file capture and format tweaks
commit 5dd718e4fa
Author: Hans-Martin Münch (h0ng10) <muench@mogwaisecurity.de>
Date: Wed Mar 18 09:51:51 2015 +0100
Better description
commit 00de437918
Author: Hans-Martin Münch (h0ng10) <muench@mogwaisecurity.de>
Date: Wed Mar 18 09:45:08 2015 +0100
Initial commit
commit fa7242388b
Author: OJ <oj@buffered.io>
Date: Wed Mar 18 18:18:54 2015 +1000
Move the module to the correct location
commit d152c41826
Merge: b46e5f8b62da42
Author: OJ <oj@buffered.io>
Date: Wed Mar 18 17:42:19 2015 +1000
Land #4934 : Proxy and auth support in reverse_http(s)
commit b62da42927
Merge: c607cf7b46e5f8
Author: HD Moore <hd_moore@rapid7.com>
Date: Wed Mar 18 01:51:15 2015 -0500
Merge branch 'master' into feature/add-proxies-to-wininet
commit b46e5f8d13
Merge: bd4738b97def50
Author: OJ <oj@buffered.io>
Date: Wed Mar 18 16:49:13 2015 +1000
Land #4295 : Refactory proxy-enabled payload handling
commit c607cf7b11
Merge: 0513852bd4738b
Author: HD Moore <hd_moore@rapid7.com>
Date: Wed Mar 18 01:45:44 2015 -0500
Merging master
commit 97def50cc2
Author: HD Moore <hd_moore@rapid7.com>
Date: Wed Mar 18 01:26:59 2015 -0500
Whitespace cleanup
commit 8d3cb8bde5
Author: HD Moore <hd_moore@rapid7.com>
Date: Wed Mar 18 01:25:42 2015 -0500
Fix up meterpreter patching arguments and names
commit ef443c83b9
Author: HD Moore <hd_moore@rapid7.com>
Date: Wed Mar 18 01:21:53 2015 -0500
Fix overgreed search/replace
commit 390a704cc7
Author: HD Moore <hd_moore@rapid7.com>
Date: Wed Mar 18 01:19:05 2015 -0500
Cleanup proxyhost/proxyport arguments to match new names
commit f7a06d8e44
Author: HD Moore <hd_moore@rapid7.com>
Date: Wed Mar 18 01:15:32 2015 -0500
Rework PROXY_{HOST|PORT|TYPE|USERNAME|PASSWORD) to the new syntax
commit 3aa8cb69a4
Author: HD Moore <hd_moore@rapid7.com>
Date: Wed Mar 18 01:08:09 2015 -0500
Fix two use cases of PROXYHOST/PROXYPORT
commit 87a489907c
Author: HD Moore <hd_moore@rapid7.com>
Date: Mon Dec 15 14:48:09 2014 -0600
Place an IPv6 proxy IP between brackets
commit 259db269bd
Author: HD Moore <hd_moore@rapid7.com>
Date: Tue Dec 2 15:36:14 2014 -0600
Remove user/pass and invalid class from the options
commit 2ab14e7e79
Author: HD Moore <hd_moore@rapid7.com>
Date: Wed Mar 18 01:01:10 2015 -0500
Adds IPv6 and option-related issues with the previous patch
commit 0601946830
Author: HD Moore <hd_moore@rapid7.com>
Date: Tue Dec 2 13:29:39 2014 -0600
Don't mandate and default PROXY_HOST (miscopy from the proxy stager)
commit a4df6d539f
Author: HD Moore <hd_moore@rapid7.com>
Date: Wed Mar 18 00:59:59 2015 -0500
Cleanup proxy handling code (consistency & bugs)
One subtle bug was that each time a request was received, a null byte was being appended to the datastore options for PROXY_USERNAME and PROXY_PASSWORD. Eventually this would break new sessions. This change centralizes the proxy configuration and cleans up the logic.
commit 85fb534e63
Author: HD Moore <hd_moore@rapid7.com>
Date: Tue Dec 2 12:57:30 2014 -0600
Fix up the offset detection again, cleanup redundant code
commit 2f13988d7b
Author: HD Moore <hd_moore@rapid7.com>
Date: Tue Dec 2 12:33:53 2014 -0600
Use OptPort vs OptInt and cleanup the description
commit a01be365b0
Author: HD Moore <hd_moore@rapid7.com>
Date: Wed Mar 18 00:59:13 2015 -0500
Rework PROXYHOST/PROXYPORT to PROXY_HOST/PROXY_PORT
This also cleans up the windows reverse_https_proxy stager.
commit b197b7aaf0
Author: jakxx <jakx.ppr@gmail.com>
Date: Tue Mar 17 19:24:13 2015 -0400
Additional Updates
-Removed unused mixin
-Cleaned up Module name
-Cleaned up author name
commit bd4738b93e
Merge: 47a7f99ad7fa0ec
Author: James Lee <egypt@metasploit.com>
Date: Tue Mar 17 17:37:55 2015 -0500
Land #4827, capture and nbns fixups
commit d7fa0ec669
Author: James Lee <egypt@metasploit.com>
Date: Tue Mar 17 17:36:45 2015 -0500
Let IPAddr#hton do the calculating
commit 47a7f99aae
Merge: d1d63785fd3637
Author: Brent Cook <bcook@rapid7.com>
Date: Tue Mar 17 16:22:46 2015 -0500
Land #4930, @hmoore-r7 winhttp stager certificate check
commit 085e6cc815
Author: jakxx <jakx.ppr@gmail.com>
Date: Tue Mar 17 16:39:56 2015 -0400
Implemented Recommended Changes
-corrected spelling error
-set only option to required
-dumped header data to included file
-Used Rex for jmp values
commit 0490af8ba8
Author: jstnkndy <jstnkndy@gmail.com>
Date: Tue Mar 17 10:20:22 2015 -0400
Added error checks, randomness, and uuid delimeter
commit f3fc4003d0
Author: jstnkndy <jstnkndy@gmail.com>
Date: Tue Mar 17 10:19:40 2015 -0400
typo
commit b92d243c0e
Merge: e0a7f53766a07a
Author: jstnkndy <jstnkndy@gmail.com>
Date: Tue Mar 17 10:18:32 2015 -0400
Merge branch 'module-cve-2015-0975' of https://github.com/jstnkndy/metasploit-framework into module-cve-2015-0975
commit e0a7f531cc
Author: jstnkndy <jstnkndy@gmail.com>
Date: Tue Mar 17 10:10:51 2015 -0400
Added error checking, randomness, uuid delimiters
commit 2ea984423b
Author: HD Moore <hd_moore@rapid7.com>
Date: Mon Mar 16 14:08:01 2015 -0500
while(true)->loop, use thread.join
commit 5fd3637d34
Author: HD Moore <hd_moore@rapid7.com>
Date: Mon Mar 16 14:00:51 2015 -0500
Remove the i32 size specifier (not needed)
commit 69d9280748
Author: HD Moore <hd_moore@rapid7.com>
Date: Mon Mar 16 13:52:13 2015 -0500
Fix yard docs, retries, push.i8 instructions. See commit 05138524e3
Note that StagerRetryCount is not defined here, but will be in the parent class once #4934 lands
commit 05138524e3
Author: HD Moore <hd_moore@rapid7.com>
Date: Mon Mar 16 13:35:36 2015 -0500
Fix yard docs, fix retries, trim bytes, retested and working
commit 69a808b744
Author: HD Moore <hd_moore@rapid7.com>
Date: Mon Mar 16 12:14:42 2015 -0500
StagerProxy -> PayloadProxy
commit f361e4ee52
Author: HD Moore <hd_moore@rapid7.com>
Date: Mon Mar 16 00:22:10 2015 -0500
Prefer the new-style proxy datastore options when available
commit 7e89281485
Author: HD Moore <hd_moore@rapid7.com>
Date: Mon Mar 16 00:03:31 2015 -0500
Adds proxy (with authentication) support to reverse_http(s)
commit 8e37342c50
Author: HD Moore <hd_moore@rapid7.com>
Date: Sat Mar 14 16:52:04 2015 -0500
Comment typo
commit 0d12ca49a7
Author: HD Moore <hd_moore@rapid7.com>
Date: Sat Mar 14 16:19:13 2015 -0500
Work around lack of option normalization during size calculation
commit 03019cf451
Author: HD Moore <hd_moore@rapid7.com>
Date: Sat Mar 14 15:53:21 2015 -0500
Adds StagerVerifySSLCert support (SHA1 of HandlerSSLCert)
commit 11593800b6
Author: HD Moore <hd_moore@rapid7.com>
Date: Sat Mar 14 15:52:23 2015 -0500
Move X509 PEM parsing into Rex::Parser::X509Certificate
commit 1001061a96
Author: HD Moore <hd_moore@rapid7.com>
Date: Wed Mar 4 18:52:18 2015 -0600
Initialize @capture_count
commit 1b1716bcf6
Author: HD Moore <hd_moore@rapid7.com>
Date: Sun Feb 22 22:01:01 2015 -0600
Fix a handful of bugs that broke this modules. Fixes#4799
commit 9730a1655e
Author: HD Moore <hd_moore@rapid7.com>
Date: Sun Feb 22 22:00:42 2015 -0600
Small cleanups to the LLMR responder module
commit bdd5276524
Author: HD Moore <hd_moore@rapid7.com>
Date: Sun Feb 22 21:53:47 2015 -0600
This fixes a number of issues with the Capture mixin
* The use of www.metasploit.com in a datastore option results in a DNS lookup (infoleak). Switch to 8.8.8.8 (TTL=1)
* The hackey code around #each_packet is no longer necessary in newer Ruby versions
* The arp()/probe_gateway() calls to inject_reply() had broken logic leading to early exit and missed replies
* The arp() function now tries up to three times to get a reply (helpful with lossy L2)
* GC.start is extraneous and should be removed
* Increased timeouts
commit 615d71de6e
Author: HD Moore <hd_moore@rapid7.com>
Date: Sun Feb 22 21:51:33 2015 -0600
Remove extraneous calls to GC.start()
commit 44a7e7e4bc
Author: jakxx <jakx.ppr@gmail.com>
Date: Wed Feb 18 13:22:54 2015 -0500
publish-it fileformat exploit
commit 766a07a904
Author: jstnkndy <jstnkndy@gmail.com>
Date: Tue Jan 13 22:08:08 2015 -0500
Add CVE-2015-0975 XXE for OpenNMS <= 14.0.2
in the aforementiond record_request_and_response method
we need to still make sure to strip leading whitespace
from the front of our data before saving it
MSP-9972
the record_request_and_response method for the
nokogiri appscan parser was way overcomplicated
it was trying to do way too much trickiness
when the data could be very simply split and consumed
MSP-9972
truthy checks were used here, but you'll get
an empty hash which will be treated as true causing
the test to be invalid and allowing for errors further in the method
MSP-9972
One subtle bug was that each time a request was received, a null byte was being appended to the datastore options for PROXY_USERNAME and PROXY_PASSWORD. Eventually this would break new sessions. This change centralizes the proxy configuration and cleans up the logic.
This commit adds plumbing which allows for the creation of stageless
meterpreter payloads that include extensions. The included transprots at
this point are bind_tcp, reverse_tcp and reverse_https, all x86.
More coming for x64. Will also validate http soon.
Avoid the hit of regenerating all of the static-size payloads when
loading the framework. This will facilitate conversion of payloads to
use metasm later.
the cred collection can now identify a postgres_md5 hash string
and set the type on the Metasploit::Framework::Credential object
appropriately
MSP-12244
root
sinn3r
root
OJ
William Vu
rwhitcroft
HD Moore
sekritskwurl
Luke Imhoff
Anant Shrivastava
Roberto Soares
Brent Cook
Samuel Huckins
James Lee
Christian Catalan
Matt Buck
jvazquez-r7
Jon Cave
Meatballs
Tod Beardsley
Fernando Arias
David Maloney
Trevor Rosen
Christian Mehlmauer
RageLtMan
nstarke
scriptjunkie
joev
David Barksdale