Commit Graph

12337 Commits (d1a11f46e8b9648e98b49a9d7327c7bc33486907)

Author SHA1 Message Date
Metasploit adb6f31e36
Bump version of framework to 4.12.33 2016-10-08 20:57:08 -07:00
Brent Cook 74e0256448
Revert "remove leftover cruft"
This reverts commit 2be551cbd3.
2016-10-08 21:55:22 -05:00
Brent Cook f3166070ba
Revert "use the new rex-exploitation gem"
This reverts commit 52f6265d2e.
2016-10-08 21:55:16 -05:00
Brent Cook 63bf93be1b code and style cleanups 2016-10-08 21:04:15 -05:00
Brent Cook 7c1fa3eb51 fix 'info -d module', it assumed active module only 2016-10-08 19:31:00 -05:00
RageLtMan 44c5fc3250 Sync build_net_code post module upstream
Fix merge conflicts and add missing lines to framework version of
the DotNet compiler example module.

Test output to come in PR #5393
2016-10-08 14:06:35 -05:00
RageLtMan 47b1320d08 Add options to cmd_psh_payload
Fill in validated datastore options for generating custom PSH
payloads
2016-10-08 14:06:35 -05:00
RageLtMan fb8e025aa5 Force datastore validation by option set
cmd_psh_payload relies on datastore options to have a proper
data type down the call chain. When modules are created with string
values for all data store options, a conditional naively checking
what should be a boolean value for false/nil? would return true
for a string representation of "false."

Ensure that datastore options are validated prior to using them
to set variables passed into Rex methods.
2016-10-08 14:06:35 -05:00
RageLtMan f24bfe7d4e Import Powershell::exec_in_place
Allow passing exec_in_place parameter to cmd_psh_payload in order
to execute raw powershell without the commandline wrappers of
comspec or calling the powershell binary itself.
This is useful in contexts such as the web delivery mechanism or
recent powershell sessions as it does not require the creation of
a new PSH instance.
2016-10-08 14:06:35 -05:00
RageLtMan 36b989e6d7 Initial import of .NET compiler and persistence
Add Exploit::Powershell::DotNet namespace with compiler and
runtime elevator.

Add compiler modules for payloads and custom .NET code/blocks.

==============

Powershell-based persistence module to compile .NET templates
with MSF payloads into binaries which persist on host.
Templates by @hostess (way back in 2012).

C# templates for simple binaries and a service executable with
its own install wrapper.

==============

Generic .NET compiler post module

Compiles .NET source code to binary on compromised hosts.
Useful for home-grown APT deployment, decoy creation, and other
misdirection or collection activities.

Using mimikatz (kiwi), one can also extract host-resident certs
and use them to sign the generated binary, thus creating a
locally trusted exe which helps with certain defensive measures.

==============

Concept:

Microsoft has graciously included a compiler in every modern
version of Windows. Although executables which can be easily
invoked by the user may not be present on all hosts, the
shared runtime of .NET and Powershell exposes this functionality
to all users with access to Powershell.

This commit provides a way to execute the compiler entirely in
memory, seeking to avoid disk access and the associated forensic
and defensive measures. Resulting .NET assemblies can be run
from memory, or written to disk (with the option of signing
them using a pfx cert on the host). Two basic modules are
provided to showcase the functionality and execution pipeline.

Usage notes:

Binaries generated this way are dynamic by nature and avoid sig
based detection. Heuristics, sandboxing, and other isolation
mechanisms must be defeated by the user for now. Play with
compiler options, included libraries, and runtime environments
for maximum entropy before you hit the temmplates.

Defenders should watch for:
Using this in conjunction with WMI/PS remoting or other MSFT
native distributed execution mechanism can bring malware labs
to their knees with properly crafted templates.
The powershell code to generate the binaries also provides a
convenient method to leave behind complex trojans which are not
yet in binary form, nor will they be until execution (which can
occur strictly in memory avoiding disk access for the final
product).

==============

On responsible disclosure: I've received some heat over the years
for prior work in this arena. Everything here is already public,
and has been in closed PRs in the R7 repo for years. The bad guys
have had this for a while (they do their homework religiously),
defenders need to be made aware of this approach and prepare
themselves to deal with it.
2016-10-08 14:05:53 -05:00
William Vu 1f36583db2 Add zeroSteiner to author.rb 2016-10-07 12:51:22 -05:00
Metasploit 8a6426df48
Bump version of framework to 4.12.32 2016-10-07 10:04:32 -07:00
Metasploit a0ebf5ea2d
Bump version of framework to 4.12.31 2016-10-06 11:23:08 -07:00
dmohanty-r7 55597d7370
Land #7394, Gemify rex/exploitation and associated data files into rex-exploitation 2016-10-05 10:55:21 -05:00
David Maloney 2be551cbd3 remove leftover cruft
some files that got left behind in previous
gemifications that should have been removed
2016-10-05 09:05:27 -05:00
David Maloney 52f6265d2e use the new rex-exploitation gem
use the new rex-exploitation gem instead of the packaged in lbirary code
cleans up a huge ammount of space in framework

MS-1709
2016-10-05 09:05:27 -05:00
William Vu a89607bbdb Prefer keyword argument 2016-10-04 23:14:14 -05:00
Brent Cook b7ea465855 refresh sysinfo when explicitly requested on a session 2016-10-04 22:06:06 -05:00
David Maloney af4f3e7a0d use templates from the gem for psh
use the templates now contained within the magical
gem of rex-powershell

7309
MS-2106
2016-10-04 14:14:25 -05:00
OJ a4efa77878
Support driver list, adjust capcom exploit
This commit adds MSF-side support for listing currently loaded drivers
on the machine that Meterpreter is running on. It doesn't add a UI-level
command at this point, as I didn't see the need for it. It is, however,
possible to enumerate drivers on the target using the client API.

Also, the capcom exploit is updated so that it no longer checks for the
existence of the capcom.sys file in a fixed location on disk. Instead,
it enumerates the currently loaded drivers using the new driver listing
function, and if found it checks to make sure the MD5 of the target file
is the same as the one that is expected. The has is used instead of file
version information because the capcom driver doesn't have any version
information in it.
2016-10-04 11:27:20 +10:00
William Vu 039357a714
Land #7387, checksum command for Meterpreter 2016-10-02 21:35:34 -05:00
Brent Cook 63d13f0f49
check if there is a stance set before checking the value 2016-10-02 19:48:49 -05:00
Spencer McIntyre 8e09b172f6 Add a meterpreter checksum command 2016-10-01 14:29:35 -04:00
Metasploit 73c11a63b4
Bump version of framework to 4.12.30 2016-09-30 10:03:42 -07:00
Tim e628fab86e
Land #7378, run zipalign during apk injection process 2016-09-30 12:27:27 +08:00
Brent Cook 6241e48b34
Land #7350, add 'sess' command for direct session switching support 2016-09-29 23:18:53 -05:00
dana-at-cp b06a3d3c68
Refactor code that calls zipalign on injected APK 2016-09-29 07:49:50 -07:00
dana-at-cp e8d99fb3f5
Run zipalign as last step during APK injection process
Running zipalign on an APK after signing and before distribution
is considered general best practice. Also, properly aligning an APK
makes it less likely to be flagged as suspicious by mobile security
solutions.

More on zipalign from Google:

https://developer.android.com/studio/command-line/zipalign.html
2016-09-28 20:05:17 -07:00
Jeffrey Martin 1689f10890
Land #7292, add android stageless meterpreter_reverse_tcp 2016-09-28 16:05:22 -05:00
Brent Cook ea625d4ea3
Enhance #7360, more stance fixes 2016-09-28 13:49:29 -05:00
Brent Cook 5a611b0ec4 use the correct scope for the Stance names 2016-09-28 13:48:28 -05:00
Tim b4a1adaf0f refactor into android.rb 2016-09-28 18:23:34 +08:00
Tim dc43f59dcf dalvik -> android 2016-09-28 14:50:52 +08:00
HD Moore 8bef4e4ec6
Land #7360, restore passive?/aggressive? behavior
This PR restores the mod.aggressive? and mod.passive? methods to the
implementation prior to 0f7e3e9.
2016-09-26 15:05:41 -05:00
Metasploit 5ea1e7b379
Bump version of framework to 4.12.29 2016-09-26 12:06:21 -07:00
Brent Cook 006c749e6a directly check to match the former definition of aggressive? 2016-09-25 23:57:13 -04:00
Brent Cook 743bea912a fix exploit Passive / Aggressive overrides to do the right thing 2016-09-25 19:57:41 -04:00
Pearce Barry 00258a4d31
Land #7351, restore NTLM constant class shortcuts 2016-09-25 12:09:38 -05:00
dmohanty-r7 00c02bb132
Land #7349, Add initialization of RHOST value prior to calling child check() 2016-09-23 12:28:08 -05:00
Metasploit 3ddf80dd7a
Bump version of framework to 4.12.28 2016-09-23 10:02:37 -07:00
Tim c13ab28a5b remove debug statement 2016-09-22 16:27:11 +01:00
Tim acb3e66064 fix comments 2016-09-22 16:26:26 +01:00
Tim 32c2311b86 android meterpreter_reverse_tcp 2016-09-22 16:26:26 +01:00
Brent Cook 2ec87d1f67 check if constant aliases are already set before setting
(I'm presuming that was what removing was intended to help with)
2016-09-22 07:12:42 -05:00
Brent Cook 4acb29a129 restore NTLM constant class shortcuts 2016-09-22 07:01:38 -05:00
OJ af4b1cf48f
Add the `sess` command to MSF and Meterp shells
This new command is a simpler shortcut that allows for moving around sessions much faster from within the console.

* From inside MSF, `sess <id>` is shorthand for `sessions -i <id>`
* From inside Meterp, `sess <id>` is shorthand for `background; sessions -i <id>`

In the latter case, if the session being switched to is the same id, then no swiching happens.
2016-09-22 16:09:59 +10:00
Brent Cook 52d0840a79
Land #7276, fix clipboard tlv usage 2016-09-22 00:47:18 -05:00
Brent Cook b4b709d921
Land #7342, remove OSVDB links and references from library code - leave in modules 2016-09-22 00:45:05 -05:00
Brent Cook 88cef32ea4
Land #7339, SSH module fixes from net:ssh updates 2016-09-22 00:27:32 -05:00
William Vu fda5faf4ed
Land #7346, route command fixes
Also adds session -1 support.
2016-09-21 15:44:24 -05:00