Commit Graph

731 Commits (dd7bc23d161d7a249b4a301c9549a4cd9fac3073)

Author SHA1 Message Date
sinn3r 9a00823828 Merge branch '0a2940-CVE-2008-5499_adobe_flashplayer_aslaunch' 2012-04-19 18:08:22 -05:00
sinn3r f5e8f57497 Minor fixes 2012-04-19 18:07:35 -05:00
James Lee 15913dd92c Squashed commit of the following:
commit 97755336f2227a7db668b61e548d2956dddaccb8
Author: Michael Schierl <schierlm@gmx.de>
Date:   Thu Apr 5 22:33:40 2012 +0200

    make sure PayloadTrustManager gets dropped when using Spawn > 0

commit 0d096043e23af5d46a20b7f2c30c5d926ff66f8d
Author: Michael Schierl <schierlm@gmx.de>
Date:   Wed Apr 4 22:15:23 2012 +0200

    Fix connection hangs when using java/meterpreter/reverse_https with recent Java versions

    Reason is that Java thinks the SSL certificate presented by Metasploit is untrusted;
    therefore add a hack similar to the one in the metasploit.Payload class to trust all
    certificates here.

[Closes #303]
2012-04-16 13:15:33 -06:00
James Lee b1dbb50953 Squashed commit of the following:
commit 2b24a5e93da0b0dd61c29b6124794fa11c5b3d92
Author: scriptjunkie <scriptjunkie@scriptjunkie.us>
Date:   Sun Apr 15 22:01:23 2012 -0500

    Document HTTPS options for Proxy

commit 24a8635b96d723465eb2bf212c83d31325990c28
Author: scriptjunkie <scriptjunkie@scriptjunkie.us>
Date:   Sun Apr 15 21:52:47 2012 -0500

    Document HTTPS options

[Closes #337]
2012-04-16 12:57:03 -06:00
Michael Schierl eedd7be453 Squashed commit of the following:
commit 9afece529a33739a088c9c4d10b76dd52f23b99e
Author: Michael Schierl <schierlm@gmx.de>
Date:   Thu Apr 12 17:58:12 2012 +0200

    fix cat ... command by making stdapi_fs_stat return a sensible result

[Closes #330]
2012-04-16 12:24:54 -06:00
sinn3r 835d8b209d clear whitespace 2012-04-12 01:08:22 -05:00
0a2940 654701f1b2 new file: data/exploits/CVE-2008-5499.swf
new file:   external/source/exploits/CVE-2008-5499/Exploit.as
	new file:   modules/exploits/linux/browser/adobe_flashplayer_aslaunch.rb
2012-04-10 20:58:22 +01:00
Michael Schierl 1d56ffe225 Update javapayload and java meterpreter
* Add support for hashing commands (stdapi_fs_md5 and sha1)
* Replace MTU detection with the Proper Java Way

Squashed commit of the following:

commit 0207b6e2e0c0eb55c7c5f04bd3008f674f6239ad
Author: Michael Schierl <schierlm@gmx.de>
Date:   Sat Mar 24 22:02:15 2012 +0100

    add support for stdapi_fs_{md5|sha1} commands

commit a187e7bc79f8d89e66df8d3a3f892c6dce10307b
Author: Michael Schierl <schierlm@gmx.de>
Date:   Sat Mar 24 20:32:03 2012 +0100

    update binaries

commit 0fc553bdac76cc8997fc581141483a3efbdefdfc
Author: Michael Schierl <schierlm@gmx.de>
Date:   Sat Mar 24 20:29:48 2012 +0100

    Add support to Java Meterpreter for multiple addresses on same interface

    For more information, see https://dev.metasploit.com/redmine/issues/6476

    Tested with Java 1.4, 1.5, 1.6, 1.7.

commit fc6dba99fe0b13bf8837ed7a699c5dbad35100e6
Author: Michael Schierl <schierlm@gmx.de>
Date:   Sat Mar 24 16:55:15 2012 +0100

    Fix Eclipse warnings

commit 4168d025507c1ecfbc50164cfc7f25f3f222b0ab
Author: Michael Schierl <schierlm@gmx.de>
Date:   Sat Mar 24 16:29:37 2012 +0100

    Update pretty-printing of unsupported command TLVs

    This adds the TLVs added by commit fbc8e25aaa to the pretty-printer.

commit 4a9335abdabb1b8a7741c5ec67852d7c5d552d6b
Author: Michael Schierl <schierlm@gmx.de>
Date:   Sat Mar 24 16:17:25 2012 +0100

    Un-ghetto Java Meterpreter MTU determination

    This splits the change from commit 14dfcce63a into a 1.6-specific and a 1.4-specific implementation (the latter being empty).

    Tested with Java 1.4, 1.5, 1.6, 1.7.

commit 968edd210ed68ba4974f051e280d90f0151df222
Author: Michael Schierl <schierlm@gmx.de>
Date:   Sat Mar 24 15:52:46 2012 +0100

    update .gitignore to ignore IDE generated files in JavaPayload projects

commit 86111625bee318411cf43da7706d37ce5d7045c5
Author: Michael Schierl <schierlm@gmx.de>
Date:   Sat Mar 24 15:49:58 2012 +0100

    synchronize stages with upstream JavaPayload

commit 2360f2e6eb8703ae762868678ac952203be35d93
Author: Michael Schierl <schierlm@gmx.de>
Date:   Sat Mar 24 15:39:58 2012 +0100

    remove unused stages

[Closes #270]
2012-04-04 09:56:07 -06:00
James Lee 6b996ed9de Add checks for data being null, too, just in case 2012-03-30 16:46:49 -06:00
James Lee b424475774 Add a makefile
Compiles with an old -target so it will work on older JVMs
2012-03-30 16:25:47 -06:00
sinn3r e018c6604f Modify CVE-2012-0507 2012-03-30 02:06:56 -05:00
Tod Beardsley f069a32223 Merge pull request #288 from wchen-r7/cve_2012_0507
Adding sinn3r and juan's exploit for CVE-2012-0507. Blog post coming soon.
2012-03-29 08:46:49 -07:00
sinn3r 791ebdb679 Add CVE-2012-0507 (Java) 2012-03-29 10:31:14 -05:00
HD Moore 64b0f50baa Update for compatibility 2012-03-27 15:29:28 -05:00
HD Moore e9d6309143 Fix 1.9.2 compatibility issues and C99 warnings 2012-03-22 19:09:16 -05:00
James Lee 4ed55dc958 Fall back to MIB method if we can't get netmasks
Misses IPv6 addresses, but at least doesn't break everything.

[Fixes #6525]
2012-03-16 11:30:25 -06:00
James Lee ba1ed93ee2 Check for a 0 prefix length
If the OnLinkPrefixLength is 0, something is wrong, try the value in the
prefix linked list.  Appears to fix v4 addresses on XP but not 2k3.

[See #6525]
2012-03-16 03:46:10 -06:00
James Lee 9aaf6af072 Return network prefixes when available
Solves #6525 on Vista+.  Win2k still works using the old MIB method
(which doesn't support ipv6).  Win2k3 and XP are still busted for
unknown reasons.
2012-03-16 01:50:26 -06:00
James Lee bd3f27afa8 Remove some debug output 2012-03-14 13:24:34 -06:00
James Lee 48486a6518 malloc properly in Linux instead of living on hopes and dreams
Also fixes a mem leak in windows.
2012-03-14 13:02:11 -06:00
James Lee 5ca9c95f1d Remove some debugging junk 2012-03-14 12:51:09 -06:00
James Lee 5fafb8bf02 Refactor entryCount -> tlv_cnt for consistency 2012-03-14 12:50:45 -06:00
James Lee 6036691517 Adjust snaplen to grab the whole packet in case mtu > 1514
Fixes an issue where pcap_dispatch would return -1 and pcap_geterror
said "corrupted frame on kernel ring mac"

[Fixes #6527]
2012-03-14 12:36:36 -06:00
gaspmat@gmail.com 248a73a73c change sniffer behaviour when stopping capture. workaround if pcap_findalldev fails 2012-03-14 11:07:31 -06:00
James Lee 6a6dd06103 Merge branch 'feature/6476-list-all-ifaces'
Conflicts:
	modules/auxiliary/scanner/afp/afp_server_info.rb
2012-03-13 13:55:45 -06:00
James Lee 89e3fee5a8 Revert "Squashed commit of the following:"
This reverts commit dd9ac8a6c0.
2012-03-13 13:38:35 -06:00
James Lee dd9ac8a6c0 Squashed commit of the following:
commit 8b4750d0dcbac0686f9403acdf5cab50c918212f
Author: James Lee <egypt@metasploit.com>
Date:   Tue Mar 13 13:14:43 2012 -0600

    Add bins for listing all addresses

    [Fixes #6476]

commit 213dd92ebc9b706a45725e6515c7939d2edace0e
Author: James Lee <egypt@metasploit.com>
Date:   Tue Mar 13 02:08:34 2012 -0600

    Accept multiple addresses and netmasks

    [See #6476]

commit 2e8bd3c3ecfb319bf9456485d2420bb5829b60cc
Author: James Lee <egypt@metasploit.com>
Date:   Tue Mar 13 01:55:57 2012 -0600

    Make inspecting meterpreter packets a little less painful

    Not sure why I originally thought there was no way to access extensions'
    constants before.  A simple `require` makes it all happy.

commit da367907cf579bd3aefaffbc84d2f96a41b85f00
Author: James Lee <egypt@metasploit.com>
Date:   Sun Mar 11 22:08:44 2012 -0600

    Fix up Linux after changes for Windows

commit ec9f04378b0155f69df95d4a94e62d33ce61977c
Author: James Lee <egypt@metasploit.com>
Date:   Sun Mar 11 21:56:11 2012 -0600

    Grab IPv6 addresses on Windows when possible

    Tries to GetProcAddress of GetAdaptersAddresses and falls back to the
    old GetIpAddrTable() function when it isn't available. This should work
    on XPSP1 and newer, albeit without netmasks on versions before Vista.
    Still trying to figure that one out.

commit 1052ebdcf86114fbc03d1a37ab5d4c6a78e82daa
Author: James Lee <egypt@metasploit.com>
Date:   Tue Mar 6 15:34:09 2012 -0700

    Wrap Windows-specifc headers in ifdef

commit f23f20587b3117c38a77e7e5a93d542411e9504f
Author: James Lee <egypt@metasploit.com>
Date:   Tue Mar 6 14:36:34 2012 -0700

    Handle multiple addrs on one iface on the ruby side

commit d7207d075ac6462875d9da531cf20c175629a416
Author: James Lee <egypt@metasploit.com>
Date:   Mon Mar 5 21:57:39 2012 -0700

    Adds IPv6 addrs to win32 get_interfaces response

commit 11ae7e8a45bd56d25841ea8724377e0fb6789d72
Author: James Lee <egypt@metasploit.com>
Date:   Mon Mar 5 09:07:28 2012 -0700

    Don't distinguish between 4 and 6.

    The client can figure it out from the length.

commit 2c7490bdf3e4079f30857ee323d2ce23ab1bd9a5
Author: James Lee <egypt@metasploit.com>
Date:   Sun Mar 4 04:25:26 2012 -0700

    Append to the list instead of assigning to it

    All addresses are being sent to the client now.  Just need a way to
    parse them out correctly on the other side and meterpreter will be able
    to list all addresses on all interfaces on Linux.  Next step is to
    allocate the proper number of TLVs to avoid good ol' stack smashes on
    systems with lots of addresses and then make sure we clean all the
    memory leaks.

    [See #6476]

commit 73bba037ad968b922341c02459017afcc8407a76
Author: James Lee <egypt@metasploit.com>
Date:   Sun Mar 4 03:12:28 2012 -0700

    Lay the groundwork for returning all addresses

    This commit only sends the last interface in the list, but it is looping
    through all of them as evidenced by the log, just need to make sure
    we're not overwriting as we go.

    [See #6476]
2012-03-13 13:19:18 -06:00
James Lee 3ba471176e Return an appropriate error when stat() fails
Tested on Linux and Windows

[Fixes #6517]
2012-03-13 01:45:58 -06:00
James Lee 5dc03c6ac0 Fix up Linux after changes for Windows 2012-03-11 22:08:44 -06:00
James Lee 602408743c Grab IPv6 addresses on Windows when possible
Tries to GetProcAddress of GetAdaptersAddresses and falls back to the
old GetIpAddrTable() function when it isn't available. This should work
on XPSP1 and newer, albeit without netmasks on versions before Vista.
Still trying to figure that one out.
2012-03-11 21:56:11 -06:00
sinn3r befb60217c Add CVE-2012-0754 .as source 2012-03-07 19:25:51 -06:00
James Lee 806a3c01b7 Wrap Windows-specifc headers in ifdef 2012-03-06 15:34:09 -07:00
James Lee 085b3b5640 Adds IPv6 addrs to win32 get_interfaces response 2012-03-05 21:57:39 -07:00
James Lee cd990917be Don't distinguish between 4 and 6.
The client can figure it out from the length.
2012-03-05 09:10:47 -07:00
James Lee c81dce2013 Append to the list instead of assigning to it
All addresses are being sent to the client now.  Just need a way to
parse them out correctly on the other side and meterpreter will be able
to list all addresses on all interfaces on Linux.  Next step is to
allocate the proper number of TLVs to avoid good ol' stack smashes on
systems with lots of addresses and then make sure we clean all the
memory leaks.

[See #6476]
2012-03-05 09:10:47 -07:00
James Lee cb998b91e5 Lay the groundwork for returning all addresses
This commit only sends the last interface in the list, but it is looping
through all of them as evidenced by the log, just need to make sure
we're not overwriting as we go.

[See #6476]
2012-03-05 09:10:46 -07:00
HD Moore cea4529f5e Add an example of preconfigured proxy stager 2012-03-05 00:59:47 -06:00
James Lee 9f05562a18 Don't distinguish between IPv4 and IPv6 routes
It's easier to deal with one Array of all routes regardless of INET
family than having get_routes() return a two-element Array of Arrays.
Also fixes a bug in each_route() which was expecting get_routes() to
return a single Array of all routes. Thanks to valsmith for reporting.
2012-03-02 18:26:57 -07:00
HD Moore 165257db75 Remove unused "plus" code 2012-03-02 17:46:59 -06:00
HD Moore b70b41091b Tested fairly well - this randomizes the URLs and removes the user-agent string from the request 2012-03-02 17:44:23 -06:00
HD Moore ce94ffd755 First round of changes to http(s) payloads 2012-03-02 17:13:51 -06:00
James Lee 2d0d7b4470 777 is not the same as 0777
Fixes a bug where meterpreter created directories with absurd
permissions on posix (777 = 01411 = dr----x--t).
2012-03-02 13:16:52 -07:00
James Lee fbc8e25aaa Add the new stdapi/net TLVs to java 2012-02-29 20:31:12 -07:00
James Lee 14dfcce63a Add the MTU when it's available
This doesn't work on 1.4, but I'm not Java-savvy enough to figure out
how to only compile it for 1.4, so do a ghetto try-catch block in case
the method doesn't exist.
2012-02-29 20:30:03 -07:00
James Lee 4a5d7debd5 Add the usleep back in
MM convinced me.
2012-02-29 02:20:23 -07:00
James Lee ed3700b5da Fix a few more compiler warnings 2012-02-28 08:23:35 -07:00
James Lee 98157475af Fix a type-safety warning 2012-02-28 08:17:39 -07:00
James Lee ae37f74864 Fix a couple of warnings and a typo 2012-02-28 08:16:06 -07:00
James Lee a80056e6e5 Get rid of an unnecessary sleep() 2012-02-24 16:42:12 -07:00
MM f83a7f14ac Switch to netlink for listing interfaces
* Adds support for listing IPv6 addresses on POSIX meterpreter
* Ensures crash logs are only created if debugging is enabled
* Fixes a bug in sniffer where a lock was not acquired correctly

Squashed commit of the following:

commit 955124b264a675c7d67187703bf23b58f0aba6d8
Author: MM <gaspmat@gmail.com>
Date:   Thu Feb 23 23:42:26 2012 +0100

    posix meterpreter - IPv6 support for route and ipconfig using netlink sockets

[Closes #196]
2012-02-24 16:42:12 -07:00