0988c5e691
use the correct implementation for query_value_direct
2015-03-03 22:29:23 -06:00
c498ba64e4
Added a new pair of default Tomcat credentials. QLogic's QConvergeConsole comes with a bundled Tomcat with a hard-coded username and password for the manager app.
2015-02-19 15:08:50 -06:00
b90639fd66
Land #4726 , X360 Software actvx buffer overflow
2015-02-17 11:41:23 -06:00
0597d2defb
Land #4560 , Massive Java RMI update
2015-02-17 10:07:07 -06:00
cf0589f8c6
add support for direct reg access to pymeterpreter
...
When testing this, I found that the python meterpreter hangs running the
following, with or without these changes.
```
use exploit/multi/handler
set payload python/meterpreter/reverse_tcp
set PythonMeterpreterDebug true
set lhost 192.168.43.1
exploit -j
sleep 5
use exploit/windows/local/trusted_service_path
set SESSION 1
check
```
This turned out to be that pymeterpreter ate all the rest of the data in the
recv socket by consuming 4k unconditionally. This would only be exposed if
there were multiple simultaneous requests so the recv buffer filled beyond a
single request, e.g. when using the registry enumeration functions.
2015-02-17 06:11:20 -06:00
7e9a331087
remove unused .class files
...
These were added for multi/browser/java_signed_applet, but the class
files are already packaged in a jar file, which is what is actually
used.
2015-02-12 16:08:29 -06:00
7ab7add721
bump meterpreter_bins to 0.0.14, update Linux binaries.
...
Hopefully the last manual build before packaging the Linux bins into
meterpreter_bins as well.
This includes all of the fixes and improvements over the past month.
rapid7/meterpreter#116
rapid7/meterpreter#117
rapid7/meterpreter#121
rapid7/meterpreter#124
2015-02-10 12:43:47 -06:00
1f4fdb5d18
Update from master
2015-02-10 10:47:17 -06:00
511f637b31
Call CollectGarbage
2015-02-09 14:44:31 -06:00
af405eeb7d
Land #4287 , @timwr's exploit form CVS-2014-3153
2015-02-09 10:33:14 -06:00
0e4f3b0e80
added built data/exploits/CVE-2014-3153.elf
2015-02-09 09:50:31 -06:00
a46a53acaf
Provide more space for the payload
2015-02-06 14:49:49 -06:00
414349972f
Fix comment
2015-02-06 11:34:20 -06:00
b5e230f838
Add javascript exploit
2015-02-06 11:04:59 -06:00
5b2eb986c9
Land #4678 Add post module to phish credentials
2015-02-04 23:43:02 -06:00
2fdeeb3b13
Rebuilt Java Payloads with the latest NDK/SDK and meterpreter-javapayload
...
Fix rapid7/meterpreter#95 , rebuilt with all outstanding PRs from
rapid7/metasploit-javapayload.
2015-02-02 13:09:15 -06:00
aa7f7d4d81
Add DLL source code
2015-02-01 19:59:10 -06:00
d211488e5d
Add Initial version
2015-02-01 19:47:58 -06:00
25ac9c1ed9
Add post module to phish windows user credentials
2015-01-30 19:50:04 +01:00
f9dccda75d
Delete unused files
2015-01-22 18:00:31 -06:00
75e04705d5
Land #4624 , Firefox 33-35 os.js support
2015-01-22 13:35:47 -06:00
5bfb88d55c
Update os.js to detect newer firefox versions.
2015-01-21 16:12:17 -06:00
94fda6e617
Land #4600 , jvazquez-r7's Linux meterpreter bins
2015-01-20 09:38:35 -06:00
76746eb209
New password from Hathaway
2015-01-19 21:45:47 -06:00
f12c6a1624
Update meterpreter.py
...
Read until exactly pkt_length bytes
2015-01-18 15:45:28 +02:00
d83c6ae215
Update meterpreter.py
...
Read exactly pkt_length from socket, prevents over-reading.
2015-01-18 15:29:23 +02:00
ffc676ead0
Update linux meterp binaries
2015-01-16 17:09:38 -06:00
26789fa76c
Add JMXPayload binary classes for testing
2015-01-15 17:58:09 -06:00
47cd5a3e59
Land #4562 , wchen-r7's Win8 NtApphelpCacheControl privilege escalation
2015-01-15 13:52:07 -06:00
74e8e057dd
Use RDL
2015-01-09 19:02:08 -06:00
dfdf99c8f4
Remove metcli
...
The metcli.exe binary doesn't get used any more and the source was removed
from Meterpreter ages ago. No point in having it in the repo any more.
2015-01-10 09:21:44 +10:00
ce87b126c1
Update to the latest meterpreter_bins
...
This removes checked-in sniffer extension in favor of the gem-packaged version.
It also pulls in the changes for verifying #4411
2015-01-09 16:57:10 -06:00
fce564cde2
Meh, not the debug build. Should be the release build.
2015-01-08 22:06:07 -06:00
14c54cbc22
Update DLL
2015-01-08 21:36:02 -06:00
d3738f0d1a
Add DLL
2015-01-08 17:17:55 -06:00
50ecfbf64c
Land #4553 - Update bypass UAC to work on 7, 8, 8.1, and 2012
2015-01-08 16:19:55 -06:00
3c4ec1d958
Land #4547 , rm data/meterpreter/common.lib
2015-01-08 04:52:29 -06:00
844460dd87
Update bypass UAC to work on 8.1 and 2012
...
This commit contains a bunch of work that comes from Meatballs1 and
Lesage, and updates the bypassuac_inject module so that it works on
Windows 8.x and Windows 2012. Almost zero of the code in this module
can be attributed to me. Most of it comes from Ben's work.
I did do some code tidying, adjustment of style, etc. but other than
that it's all down to other people.
2015-01-08 15:39:19 +10:00
32ddd5ccb4
delete unused library from meterpreter dir
...
common.lib is only used by the build process, not MSF
2015-01-07 16:00:37 -06:00
5480cb81f5
add updated KoreLogic rules to john.conf
...
updated our shipped john.conf to include a
more up to date version of the KoreLogic JtR rules.
They add overhead to the cracking time but are
probably some of the best/most effective JtR
rules out there.
2015-01-07 12:25:04 -06:00
7ae56865f1
Update linux meterpreter binaries for rapid7/meterpreter#111
...
This rebuilds the binaries on Ubuntu 10.04 i386 for metepreter PR #111 ,
improving the reliability and fixing some bugs in linux process migration.
Tested against Ubuntu 10.04 i386 and Ubuntu 14.04 x86_64:
```
meterpreter > ps
...
55994 48270 server 0 bcook ../metasploit-framework/server
56009 44199 bash 0 bcook -bash
56094 56009 dummy 0 bcook ./dummy
meterpreter > migrate 56094
[*] Migrating to 56094
[*] Migration completed successfully.
meterpreter > sysinfo
Computer : mint
OS : Linux mint 3.13.0-37-generic #64-Ubuntu SMP Mon Sep 22 21:28:38 UTC 2014 (x86_64)
Architecture : x86_64
Meterpreter : x86/linux
meterpreter > ps
...
55994 48270 [server] <defunct> 0 bcook
56009 44199 bash 0 bcook -bash
56094 56009 dummy 0 bcook ./dummy
meterpreter >
```
Verified presence of call stub when debugging a session:
```
(gdb) x/32b 0x61cc28
0x61cc28: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0x61cc30: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0x61cc38: 0x90 0x90 0x68 0x04 0x00 0x00 0x00 0x68
0x61cc40: 0xff 0xff 0xff 0xff 0xb8 0x5a 0x5a 0x5a
```
2015-01-04 10:47:44 -06:00
69bda63ef6
Update linux meterpreter binaries
2015-01-01 20:05:36 -06:00
dccf189600
Update binaries
2014-12-30 18:39:29 -06:00
d3050de862
Remove references to Redmine in code
...
See #4400 . This should be all of them, except for, of course, the module
that targets Redmine itself.
Note that this also updates the README.md with more current information
as well.
2014-12-19 17:27:08 -06:00
0ee20561d4
Remove file exists check from stdapi_fs_delete_file
2014-12-09 11:03:57 -06:00
42710cc32e
Error messages for the python meterpreter
2014-12-09 11:03:57 -06:00
738fc78883
Land #4220 , outlook gather post module
2014-12-07 22:41:28 +01:00
9187a409ec
outlook post module fixes
2014-12-06 00:28:44 +01:00
83b0ac0209
Fix stdapi_sys_config_getenv for Python3
2014-12-04 15:58:17 -06:00
44816b84aa
Prefer the pwd module for getuid when available
2014-12-04 15:58:17 -06:00
fc96d011ab
Python reverse_http stager, lands #4225
2014-12-02 11:47:31 -06:00
7a2c9c4c0d
Land #4263 , @jvennix-r7's OSX Mavericks root privilege escalation
...
* Msf module for the Ian Beer exploit
2014-11-30 21:13:07 -06:00
7772da5e3f
Change paths, add makefile and compile
2014-11-30 21:06:11 -06:00
f5f32fac06
Add token fiddling from nishang
2014-11-28 23:02:59 +00:00
48a5123607
Merge remote-tracking branch 'upstream/master' into pr4233_powerdump
2014-11-27 20:08:11 +00:00
7a3fb12124
Add an OSX privilege escalation from Google's Project Zero.
2014-11-25 12:34:16 -06:00
830af7f95e
identified instances of tabs vs spaces in the original
...
identified 16 instances in the original code where tab was used vs spaces. updated to keep consistent.
2014-11-25 12:17:43 -06:00
705bd42b41
tab to space change - line 296
2014-11-22 14:48:44 -06:00
900aa9cd6b
powerdump.ps1 bug - corrupt hash fix
...
Fixed the bug where the hashes are not being extracted correctly when LM is disabled and history is enabled.
Rather than relying on length, LM and NT headers are checked. Four bytes at 0xa0 show if LM exists and four bytes at 0xac show if NT exists. Details on this known issue can be found in the following whitepaper from blackhat:
https://media.blackhat.com/bh-us-12/Briefings/Reynolds/BH_US_12_Reynods_Stamp_Out_Hash_WP.pdf
2014-11-18 23:10:57 -06:00
2b36c1bb43
Fix pymeterp bugs from testing in osx and python3
2014-11-17 14:04:30 -05:00
1d8b746d89
Adds new TFTP file names, submitted by Chris McNab
2014-11-16 18:47:11 -06:00
0bf93acf6b
Pymeterp http proxy and user agent support
2014-11-16 14:29:20 -05:00
e562883ba9
Escape inserted vars and fix core_loadlib
2014-11-15 15:06:18 -05:00
7c14e818f6
Patch pymeterp http settings
2014-11-14 17:12:23 -05:00
681ae8ce6b
Pymet reverse_http stager basic implementation
2014-11-14 14:15:46 -05:00
6b2387b7fc
Prepare for a reverse_http stager
2014-11-14 11:15:22 -05:00
c35dc2e6b3
Add module for CVE-2014-6352
2014-11-12 01:10:49 -06:00
adad3809cc
Rename logo file
2014-11-11 16:07:44 -06:00
329ea4fe01
the masterpiece is complete
2014-11-11 15:35:36 -06:00
7edc248207
Don't fail if username_from_token returns None
2014-11-10 09:15:16 -05:00
104841babf
Add getsid to the python meterpreter
2014-11-08 20:57:24 -05:00
c2391bf011
Add an R in /Info for the trailer dictionary to make it readable
2014-11-05 22:28:37 -06:00
1b2554bc0d
Add a default template for CVE-2010-1240 PDF exploit
2014-11-05 17:08:38 -06:00
f43a6e9be0
Use PDWORD_PTR and DWORD_PTR
2014-10-31 17:35:50 -05:00
8e547e27b3
Use correct types
2014-10-31 12:37:21 -05:00
9b61ae5f63
This is halloween.
...
THISISHALLOWEEN=1 ./msfconsole
2014-10-30 23:35:12 -05:00
6574db5dbb
Fix the 64 bits code
2014-10-30 17:01:59 -05:00
03a84a1de3
Search the AccessToken
2014-10-30 12:17:03 -05:00
908094c3d3
Remove debug, treat warnings as errors
2014-10-28 09:04:02 +10:00
0a03b2dd48
Final code tidy
2014-10-28 08:59:33 +10:00
626cd55b5e
Land #4073 , improved banner selection
2014-10-27 14:20:10 -05:00
04a99f09bb
Land #4064 , Win32k.sys NULL Pointer Dereference
2014-10-27 14:01:07 -04:00
042d29b1d6
Compile binaries in house
2014-10-27 12:18:33 -05:00
4406972b46
Do version checking minor cleanup
2014-10-27 09:32:42 -05:00
0aaebc7872
Make GetPtiCurrent USER32 independent
2014-10-26 18:51:02 -05:00
34697a2240
Delete 'callback3' also from 32 bits version
2014-10-26 17:28:35 -05:00
7416c00416
Initial addition of x64 target for cve-2014-4113
2014-10-26 16:54:42 -04:00
91dc875af5
Remove seemingly useless file among banners
2014-10-24 13:11:58 -04:00
c1a61e3b4e
Support an MSFLOGO env var and logo enumeration
2014-10-24 13:07:28 -04:00
82f41d56a6
Add [user_]logos_directory to Msf::Config
2014-10-24 10:52:05 -04:00
34f29f218c
really resolve merge conflicts
2014-10-23 21:51:33 -05:00
a75186d770
Add module for CVE-2014-4113
2014-10-23 18:51:30 -05:00
bf8dce574a
Add ppsx template
2014-10-16 17:55:22 -05:00
056ee4f207
Land #3958 , kill command for pyterp
2014-10-07 10:58:37 -05:00
766a69e310
Add sys_process_kill to the python meterpreter
2014-10-07 10:10:22 -04:00
a65ee6cf30
Land #3373 , recog
...
Conflicts:
Gemfile
Gemfile.lock
data/js/detect/os.js
lib/msf/core/exploit/remote/browser_exploit_server.rb
modules/exploits/android/browser/webview_addjavascriptinterface.rb
2014-10-03 18:05:58 -05:00
7da22d064d
Remove an unnecessary var and fix process_close
2014-10-02 20:52:45 -04:00
135bed254d
Update BrowserExploitServer for JSObfu
2014-09-20 17:59:36 -05:00
87aeac2b13
Fix syntax error in os.js, specs ftw.
2014-09-12 11:01:08 -05:00
8e091b6da0
Add support for ff 29 - 32 feature.
2014-09-11 22:01:36 -05:00
Brent Cook
Ferenc Spala
sinn3r
jvazquez-r7
scriptjunkie
wez3
William Vu
Joe Vennix
eyalgr
OJ
David Maloney
Tod Beardsley
Spencer McIntyre
Christian Mehlmauer
HD Moore
Meatballs
Peter Marszalik
Joshua Smith
James Lee