Commit Graph

4205 Commits (e6781fcbea5319bfe73bb9da21526dccce537536)

Author SHA1 Message Date
jvennix-r7 92414d3688 Merge pull request #53 from rapid7/bug/MSP-9994/framework-db-driver
Set `framework.db.driver` when connection already established.
2014-06-10 10:49:00 -05:00
Luke Imhoff 2cbbaad6b4
Set drivers and driver when connection already established
MSP-9994

3 database commands in msfconsole check for framework.db.driver to be
set, so driver must be set when the connection is already established by
the Rails initialization.
2014-06-09 14:26:59 -05:00
Luke Imhoff 1ee35ec68a
Handle unconnected config in connection_established?
MSP-9994

Rescue `ActiveRecord::ConnectionNotEstablished` in
`Msf::DBManager#connection_established?` in addition to
`PG::ConnectionBad` to handle when the connection has been removed.
2014-06-09 14:26:45 -05:00
David Maloney 482aa2ea08
Merge branch 'master' into staging/electro-release 2014-06-09 10:27:22 -05:00
Meatballs bf1a665259
Land #2657, Dynamic generation of windows service executable functions
Allows a user to specify non service executables as EXE::Template as
long as the file has enough size to store the payload.
2014-06-07 13:28:20 +01:00
Meatballs 897ad6f963
Some service yarddoc 2014-06-07 13:27:32 +01:00
Meatballs 5218ca4d89
Give warning on module load 2014-06-06 23:04:40 +01:00
joev d990fb4999
Remove a number of stray edits and bs. 2014-06-06 16:24:45 -05:00
joev 4a9f50bb60 Clean up some dead code. 2014-06-06 16:20:40 -05:00
joev 7c762ad42c Fix some minor bugs in webrtc stuff, inline API code. 2014-06-06 16:18:39 -05:00
Brandon Turner bacf82acb1
Merge branch 'release' into 'master' 2014-06-06 09:59:00 -05:00
Brandon Turner 21be4f21a6
Bump version to 4.9.3 2014-06-06 09:52:01 -05:00
Luke Imhoff f2a56c041b
Merge branch 'staging/electro-release' into feature/MSP-9653/use-metasploit-concern-in-pro
MSP-9653

Conflicts:
	Gemfile
	Gemfile.lock
2014-06-05 16:22:02 -05:00
David Maloney 28bf29980e
Merge branch 'master' into staging/electro-release 2014-06-04 10:21:08 -05:00
joev cf6b181959 Revert change to trailer(). Kill dead method.
* I verified that changes to PDF mixin do not affect any older modules that
generate PDF. I did this by (on each branch) running  in irb, then
running the module and diffing the pdf's generated by each branch. There were
no changes.
2014-06-02 22:26:14 -05:00
joev 9f5dfab9ea Add better interface for specifying custom #eol. 2014-06-02 22:26:11 -05:00
joev 09e965d54e Remove extraneous method from pdf.rb 2014-06-02 22:26:03 -05:00
joev feca6c4700 Add exploit for ajsif vuln in Adobe Reader.
* This refactors the logic of webview_addjavascriptinterface into a mixin (android.rb).
* Additionally, some behavior in pdf.rb had to be modified (in backwards-compatible ways).

Conflicts:
	lib/msf/core/exploit/mixins.rb
2014-06-02 22:25:55 -05:00
Tod Beardsley d0d389598a
Land #3086, Android Java Meterpreter updates
w00t.
2014-06-02 17:28:38 -05:00
Luke Imhoff 9e78509aac
Merge branch 'staging/electro-release' into feature/MSP-9653/use-metasploit-concern-in-pro
MSP-9653

Conflicts:
	Gemfile
	Gemfile.lock
2014-06-02 13:40:11 -05:00
Luke Imhoff 3ebe7dfbc8
Gem version
MSP-9653

Move version information to standard location for gems.
2014-06-02 12:54:46 -05:00
Luke Imhoff 21fad7163d
Msf::DBManager#connection_established?
MSP-9653

Calling `ActiveRecord::Base.establish_connection`, followed by
`ActiveRecord::Base.connected?` returns false unless some other code
requires a connection to be checked out first.  The correct way to check
if the spec passed to `ActiveRecord::Base.establish_connection` is to
checkout a connection and then ask if it is active.
`Msf::DBManager#connection_established?` does the checkout, active check
and checkin, and should be used in place of
`ActiveRecord::Base.connected?` and
`ActiveRecord::Base.connection_pool.connected?`.
`Msf::DBManager#active` should still be used as it also checks for
adapter/driver usability and that migrations have run.
2014-06-02 12:49:09 -05:00
David Maloney 34004908bb
Merge branch 'master' into staging/electro-release
Conflicts:
	.ruby-version
2014-06-02 11:10:33 -05:00
William Vu bba741897e
Land #3413, improved FileDropper cleanup message 2014-06-02 11:05:48 -05:00
Christian Mehlmauer 428df19739
Changed message 2014-06-02 17:28:09 +02:00
Meatballs f0e9a9010e
Return nil if fail 2014-06-01 11:55:40 +01:00
Meatballs a4ecd8e02d
Should return the thread object 2014-06-01 11:49:56 +01:00
Meatballs 58ee2ccd6e
Land #3390, Fix have_powershell 2014-06-01 10:43:35 +01:00
Christian Mehlmauer 03b4a29662
Clarify filedropper error message 2014-05-31 22:17:32 +02:00
Trevor Rosen dee4acdb2a Merge pull request #27 from rapid7/feature/MSP-9725/windows_hashdump
Windows Hashdump post module refactor

MSP-9725 #land
2014-05-30 14:04:31 -05:00
Trevor Rosen 8bcd763039 Merge pull request #26 from rapid7/feature/MSP-9685/telnet_login_scanner
Feature/msp 9685/telnet login scanner

MSP-9685 #land
2014-05-30 13:40:18 -05:00
David Maloney 782c8bd172
Merge branch 'staging/electro-release' into feature/MSP-9725/windows_hashdump 2014-05-30 13:28:35 -05:00
David Maloney ba525c7b78
use metasploit-credential creation methods 2014-05-30 13:07:11 -05:00
David Maloney 98a23881ee
remove cred creation methods
removed cred creation methods from framework
and include them from the metasploit-credential gem instead
2014-05-30 11:28:53 -05:00
David Maloney e3c4745879
Windows Hashdump post module refactor
refactor the Hashdump post module for window
to use the new cred creation methods.
Also some extra methods to do db safe checks
for record ids that we need
2014-05-29 13:20:32 -05:00
David Maloney eb04a3774a
fixes for telnet wierdness
had to work around the way the old
Auxiliary::Login mixin worked. Scanner
now works properly
2014-05-29 10:43:00 -05:00
Tom Sellers aa85cb8195 Update powershell.rb 2014-05-29 05:46:32 -05:00
HD Moore c7366b4361 Fix a small typo in the regex 2014-05-28 14:40:09 -05:00
HD Moore 583dab62b2 Introduce and use OS matching constants 2014-05-28 14:35:22 -05:00
Luke Imhoff 0e60f08e51
Don't re-establish connection
MSP-9653

If ActiveRecord::Base is already connected, then don't attempt to create
the database (as it involves establishing a new connection) or
establishing a new connection after the creation.  Still run the
migrations as the normal Rails::Application.initialize! will result in
ActiveRecord::Base.connected? being true even if migrations are missing.
2014-05-28 14:34:36 -05:00
David Maloney ca4c942ceb Merge branch 'staging/electro-release' into feature/MSP-9640/cred_creation 2014-05-28 09:40:44 -05:00
David Maloney 967b0d49b1
Merge branch 'master' into staging/electro-release
Conflicts:
	Gemfile
	Gemfile.lock
2014-05-28 09:39:56 -05:00
David Maloney deabd1c3b0
tidy the YARD
some more cleanup, in the YARD
docs this time.
2014-05-28 09:30:45 -05:00
Tom Sellers ae1b7e564b Update powershell.rb 2014-05-27 05:18:00 -05:00
Tom Sellers 42a17cc085 Update powershell.rb
To be clear, the shell that was tested with was 'windows/shell_reverse_tcp' delivered via 'exploit/windows/smb/psexec'

Additional changes required to fix regex to support the multiline output.  Also, InstanceId uses a lower case 'D' on the platforms I tested - PowerShell 2.0 on Windows 2003, Windows 7, Windows 2008 R2 as well as PowerShell 4.0 on Windows 2012 R2.

This method doesn't appear to be used anywhere in the Metasploit codebase currently.
2014-05-25 08:59:42 -05:00
Tom Sellers 76b9273f10 Improve reliability of have_powershell
I have a case where on a Windows 2008 R2 host with PowerShell 2.0 the 'have_powershell' method times out.  When I interactively run the command I find that the output stops after the PowerShell command and the token from 'cmd_exec' is NOT displayed.  When I hit return the shell then processes the '&echo <randomstring>' and generates the token that 'cmd_exec' was looking for.  I tried various versions of the PowerShell command string such as 'Get-Host;Exit(0)', '$PSVErsionTable.PSVersion', and '-Command Get-Host' but was unable to change the behavior.  I found that adding 'echo. | ' simulated pressing enter and did not disrupt the results on this host or on another host where the 'have_powershell' method functioned as expected.

There may be a better solution, but this was the only one that I could find.
2014-05-25 08:07:38 -05:00
David Maloney 32b88c2db6
final fixes to login creation 2014-05-23 10:58:21 -05:00
joev ae3c334232 Getting closer. Still something f'd with local answerer.html. 2014-05-22 17:14:35 -05:00
David Maloney ac9af000af
full cred creation rotuine done
creating Logins as a seperate method, both
methods are done and fully documented.
2014-05-22 13:53:26 -05:00
sinn3r 1dbe972377 Fix URIPATH / for BrowserExploitServer
[SeeRM #8804] Fix URIPATH / for BrowserExploitServer
2014-05-22 12:18:49 -05:00
David Maloney 19e36cccb3
Credential Core creation now complete 2014-05-21 16:37:13 -05:00
joev 14b796acbf First stab at refactoring webrtc mixin. 2014-05-21 15:32:29 -05:00
David Maloney 3ea99a9d43
private creation w/ specs and docs
the private creation method is now done
with specs and YARD docs
2014-05-21 13:21:56 -05:00
David Maloney 2629549f6f
added realm creation
added method for creating credential realm
creation.
2014-05-21 11:22:22 -05:00
Meatballs 15313a9ab1
Dont try to read 0 structs 2014-05-20 21:55:04 +01:00
David Maloney ce69f742a4
add yarddocs to origin methods
added YARD docs to the creation methods for
Credential::Origins
2014-05-20 11:16:19 -05:00
Luke Imhoff 38fbbdc1b5
Print tm_call one caller per line
MSP-9653

The inspect format was difficult to read so convert to standard
backtrace format of one caller per line.
2014-05-20 10:59:29 -05:00
David Maloney 9cdddb08d9
origin specs for realsies
final specs and fixes for the origin creation
methods
2014-05-20 10:19:03 -05:00
David Maloney b84aaaad19
specs and fixes for origin creation 2014-05-20 09:59:15 -05:00
David Maloney ddfa4f1ee7
some origin creation specs
started getting working specs
for the origin creation methods. feel
into the weeds for a bit, but making progress at last.
2014-05-19 15:16:02 -05:00
David Maloney 9efb97d465
origin creation method
added base behaviour for creating generic
credential origin objects from report
2014-05-19 10:00:19 -05:00
HD Moore a8bf53479d Fix a merge error 2014-05-18 11:08:04 -05:00
HD Moore a844b5c30a Merge branch 'master' of github.com:hmoore-r7/metasploit-framework into feature/recog
Conflicts:
	Gemfile
	Gemfile.lock
	data/js/detect/os.js
	lib/msf/core/exploit/remote/browser_exploit_server.rb
2014-05-18 10:50:32 -05:00
nstarke 048aebbdf2 Search Result Uniqueness
SeeRM #8754

Cast the results of the query to an array and perform the uniq
function passing a block which provides uniqueness based
on the return value, which in this instance is ‘fullname’
This was done because the uniq function in AREL cannot take
a specific field for uniqueness, and the sophistication of the query
make grouping nearly impossible.  Initial testing showed negligible
speed difference to the user.
2014-05-15 17:52:11 +00:00
David Maloney fb671c72a7
Merge branch 'master' into staging/electro-release 2014-05-14 13:00:37 -05:00
dmaloney-r7 acaf713229 Merge pull request #17 from rapid7/feature/MSP-9606/metasploit-credential
Run migrations from Metasploit::Credential and initialize its concerns which patch Mdm
2014-05-14 11:15:07 -05:00
William Vu fdbfaacdf6
Land #3313, progress feedback for PASS_FILE
[FixRM #8704]
2014-05-14 02:03:39 -05:00
William Vu 1ada4831e0
Land #3293, module deprecation constants 2014-05-14 01:37:29 -05:00
William Vu de49241195
Land #3185, regex option validation 2014-05-14 01:27:18 -05:00
Luke Imhoff 91cc9dc2d6
Add missing Msf::DBManager#drivers initialization
MSP-9606
2014-05-13 13:01:59 -05:00
agix 1a3b319262 rebase to use the mixin psexec 2014-05-13 16:04:40 +02:00
agix 87be2e674a Rebase on https://github.com/rapid7/metasploit-framework/pull/2831 and adapt to the new mixin 2014-05-13 16:04:40 +02:00
Luke Imhoff b1598e83c3
Re-enable `bundle install --without db` support
MSP-9606

Catch LoadError in config/application.rb when trying to require
'active_record/railtie` so that end-users can run without any of the
database gems installed.  NOTE: you can't run in the development or
test environment without the database because factory_girl needs
ActiveRecord.
2014-05-12 15:39:34 -05:00
Luke Imhoff 3370465d84
Use railties to load Metasploit::Credential correctly
MSP-9606

In order to support Metasploit::Credential correctly,
metasploit-framework needs to support Metasploit::Concern, which does
all its magic using a Rails::Engine initializer, so the easiest path is
to make metasploit-framework be able to use Rails::Engines.  To make
Rails::Engine use Rails::Engine, make a dummy Rails::Application
subclass so that all the initializers will be run when anything requires
msfenv.
2014-05-12 15:03:51 -05:00
Jeff Jarmoc 5f523e8a04 Rex::Text::uri_encode - make 'hex-all' really mean all.
'hex-all' encoding was previously ignoring slashes.
This pull adds 'hex-noslashes' mode which carries forward the previous functionality, and replaces all existing references to 'hex-all' with 'hex-noslashes'  It then adds a replacement 'hex-all' mode, which really encodes *ALL* characters.
2014-05-12 11:26:27 -05:00
nstarke a71be33091 Adjusting status message to be based on time
Previously the status message timing was determined by the number of
pairs left to process.  I have adjusted the code to rely on Time.now
in order to consistently print a message out every 60 seconds.
2014-05-09 14:39:34 +00:00
William Vu ee303aa34e
Add missing formats in lib/msf/core/db.rb comment
Found outside big if block. Ugh.
2014-05-08 10:27:38 -05:00
William Vu b50b3820a0
Update core/db.rb comments 'n' stuff 2014-05-08 02:53:02 -05:00
Meatballs 3542f851bf Fix some yarddoc issues 2014-05-05 22:45:41 +02:00
Brendan Coles cc8ab9bcba Support one line js payload
Add missing ';' in `run_cmd_source`
2014-05-05 18:57:15 +10:00
Joshua Smith 5b1a207377 cleans up numerous superfluous returns in msf/core/module 2014-05-02 19:52:58 -04:00
nstarke ace9e797e1 Adding count-based print message
This commit removes the creation of a separate, timed
thread for printing out status messages to the user
in the case of large PASS_FILEs.  This adjustment eliminates
the overheard of context switching associated with
spinning off separate threads, as well as the dangers
associated with the Thread#kill method.
2014-04-29 22:10:08 +00:00
nstarke eb98ea2d31 Large pass_file hangs login modules
SeeRM #8704

When running a *_login module that contains a large PASS_FILE
the module appears to hang while it is creating the combinations over
such a large dataset.  The solution proposed in the Redmine task
requested that the user be alerted with some sort of progress feedback
if the process takes an excessive amount of time.

I have added a message that logs to the console that contains the
number of pairs left to be constructed before the module will continue.
The verbiage is fairly arbitrary and should probably be updated to
something that might be more descriptive.  Likewise, the sleep
interval may need to be adjusted.
2014-04-28 21:45:14 +00:00
sinn3r 8a4c7b22ed
Land #3296 - Refactors firefox js usage into a mixin 2014-04-28 15:22:55 -05:00
Samuel Huckins 7fad215f3e
Merge branch 'bug/9582-metasploit-imports-and-tasks' into upstream-master
Land #3299
2014-04-28 10:47:23 -05:00
lsanchez-r7 8f43c229b1
Passing the Mdm::Task down the chain
when reporting hosts from an Mdm::Task we need to pass the task all
the way down. this wasnt done for the metasploit import format.
2014-04-25 11:15:39 -05:00
Meatballs 19dd21abaf
Remove duplicate methods 2014-04-25 15:40:03 +01:00
joev f94d1f6546 Refactors firefox js usage into a mixin. 2014-04-24 15:09:48 -05:00
Trevor Rosen e556997bf7
Land #3269 (Pro) fix report import issue 2014-04-24 08:27:06 -05:00
Spencer McIntyre ec1f7d644c Support deprecation information from constants 2014-04-23 23:03:02 -04:00
Meatballs 72a2849bf1
Better specs
90.6% line coverage in Exploit::Powershell
77.32% in Rex::Exploitation::Powershell and haven't even started
writing those specs...
2014-04-23 08:07:42 +01:00
Meatballs 0137fdb690
Prepend sleep should be an int 2014-04-23 07:29:51 +01:00
Meatballs 61b8fb7921
Remove puts 2014-04-23 06:15:28 +01:00
Meatballs 11526b59a6
Boolean datastore options should always be present
Dont evaluate true/false as 'true'/'false'!
2014-04-23 05:03:16 +01:00
Meatballs 1347649a47
Remove unused EOFs 2014-04-23 02:37:07 +01:00
Meatballs 01bfad3489
Correct datastore values 2014-04-23 02:08:57 +01:00
Meatballs 647936e291
Add more yarddoc to Rex::Exploitation::Powershell
encode_code doesn't use eof
no need to unicode encode in gzip as this is handled by encode_code
2014-04-23 01:07:54 +01:00
Meatballs 88fe619c48
Yarddoc exploit::powershell 2014-04-23 00:15:55 +01:00
Meatballs 4c66e86f73
Dont add extra space in args 2014-04-22 14:44:01 +01:00
Meatballs 0f942d8c3d
Still :shorten command args 2014-04-19 18:58:26 +01:00
Meatballs 270b4b9728
Catch first arg with shorten 2014-04-19 18:54:42 +01:00
Meatballs 67f44072ca
Merge remote-tracking branch 'upstream/master' into pr2075 2014-04-19 18:45:55 +01:00
William Vu 7d801e3acc
Land #3200, goodbye LORCON modules :( 2014-04-18 12:32:22 -05:00
RageLtMan 9f05760c50 Merge with Meatballs' initial changes
Clean up arch detection code and dedup Msf/Rex
Reduce generated payload size
2014-04-18 00:28:48 -04:00
RageLtMan 5c3289bbc6 merge fix 2014-04-17 21:26:04 -04:00
James Lee 549e306572
Remove superfluous v6 http{,s} payload and handler 2014-04-16 18:32:35 -05:00
Samuel Huckins 2ed7a739c3
New reports in new exports can now import
MSP-9783

* Extracted import_report from monstrous import_msf_collateral;
simplified and clarified approach
* Updated report_report: includes all attrs provided vs subset, provides
more helpful error message
* Added report_artifact: adds child artifact for reports, handles
various troublesome cases
* Tested on all report types with a legion of option variants
2014-04-16 15:15:47 -05:00
sinn3r 7a4e12976c
First little bit at Bug 8498
[FixRM #8489] rhost/rport modification
2014-04-15 18:20:16 -05:00
Meatballs 38d8df4040
Merge remote-tracking branch 'upstream/master' into pr2075
Conflicts:
	modules/exploits/windows/local/wmi.rb
2014-04-15 22:06:45 +01:00
Tod Beardsley 9db01770ec
Add custom rhost/rport, remove editorializing desc
Verification:

````
resource (./a.rc)> run
[*] Connecting to FTP server ....
[*] FTP recv: "220 ProFTPD 1.3.3a Server (My FTP server)
[*] Connected to target FTP server.
[*] Authenticating as anonymous with password mozilla@example.com...
[*] FTP send: "USER anonymous\r\n"
[*] FTP recv: "331 Anonymous login ok, send your complete email address
as your password\r\n"
````

...etc.
2014-04-14 21:46:05 -05:00
David Maloney c537aebf0f
Land #3228, JtR colon Seperation 2014-04-14 11:19:16 -05:00
Tod Beardsley 91293fd0db
Allow vhost to be maybe opts['rhost']
This enables passing rhost and rport directly to send_request_cgi
without having to monkey with the datastore.

See #8498
2014-04-10 16:47:49 -05:00
Tod Beardsley 3109f42a55
Merge release back into master 2014-04-11 15:07:16 -05:00
Brandon Turner 2f2692f4bf
Bump version to 4.9.2 2014-04-10 17:45:42 -05:00
sinn3r 80faaf86d8 Add a link to explain about unmet exploit requirements 2014-04-10 14:01:16 -05:00
James Lee 95399b0de7
Don't try to be too helpful
John cares not one whit how many colons are in a hash line, only that
there are enough for the format (at least 2 for regular /etc/passwd, at
least 3 for NTLM, etc). So there is no simple way to programmatically
determine whether a password had a colon or there was just an extra on
the end of the original hash line.

[MSP-9778]
See #2515
2014-04-09 19:24:26 -05:00
Tod Beardsley 062175128b
Update @Meatballs and @FireFart in authors.rb 2014-04-09 10:46:10 -05:00
Meatballs ae3ead6ef9
Land #2107 Post Enum Domain Users 2014-04-09 11:32:12 +01:00
Tod Beardsley eab938c7b4
Get rid of requires, too 2014-04-07 16:39:19 -05:00
Tod Beardsley 17ddbccc34
Remove the broken lorcon module set
None of the lorcon / lorcon2 modules have been functional for a long
time, due to the lack of a "Lorcon" gem. It's unclear where it went.

I'm happy to include it and get these working again, but until someone
comes up with some functional code (hint: 'gem install' doesn't work) I
don't see any reason to keep shipping these.

Is there some trick people are doing to make these work? As far as I can
see, they are broken by default.

````
msf auxiliary(wifun) > show options

Module options (auxiliary/dos/wifi/wifun):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   CHANNEL    11               yes       The initial channel
   DRIVER     autodetect       yes       The name of the wireless driver
for lorcon
   INTERFACE  wlan0            yes       The name of the wireless
interface

msf auxiliary(wifun) > run

[*] The Lorcon2 module is not available: cannot load such file --
Lorcon2
[-] Auxiliary failed: RuntimeError Lorcon2 not available
[-] Call stack:
[-]
/home/todb/git/rapid7/metasploit-framework/lib/msf/core/exploit/lorcon2.rb:67:in
`open_wifi'
[-]
/home/todb/git/rapid7/metasploit-framework/modules/auxiliary/dos/wifi/wifun.rb:29:in
`run'
[*] Auxiliary module execution completed
````
2014-04-07 16:37:10 -05:00
Christian Mehlmauer 4bf6481242
Added regex option to validate options 2014-04-02 23:51:33 +02:00
jvazquez-r7 577bd7c855
Land #3146, @wchen-r7's flash version detection code 2014-04-02 15:13:41 -05:00
agix a71fcaeefd add comments on change description call 2014-04-02 20:33:09 +01:00
agix bc4cb3febf Add DCERPC catch exception 2014-04-02 20:33:09 +01:00
agix 4a575d57ab Try to fix Meatballs1 suggestions : optional service_description change call 2014-04-02 20:33:09 +01:00
agix 5334f2657e Fix a bug for backwards compatibility 2014-04-02 20:33:08 +01:00
agix 631a7b9c48 Adapt to new psexec mixin (first try :D) 2014-04-02 20:33:08 +01:00
HD Moore 7e227581a7 Rework OS fingerprinting to match Recog changes
This commit changes how os_name and os_flavor are handled
for client-side exploits, matching recent changes to the
server-side exploits and scanner fingerprints.

This commit also updates the client-side fingerprinting to
take into account Windows 8.1 and IE 9, 10, and 11.
2014-04-01 08:14:58 -07:00
HD Moore b5561cc9ec Report a fingerprint instead of overwriting host.os_name 2014-03-30 06:32:38 -07:00
HD Moore 76720e9cf8 Small tweaks, see 4611d0a8d0 2014-03-30 06:27:48 -07:00
HD Moore 4611d0a8d0 Update report_host() to match os_* field changes
This is part of a bigger change to normalize what os_name, os_flavor, and
os_sp actually mean. To summarize the changes happening in Mdm:

1) The vendor name is being removed from os_name
  * "Microsoft Windows" -> "Windows 7"
2) The os_flavor field is being used for the edition of the os_name product
  * "7" -> "Enterprise"
3) The os_sp field specifies a version if known and nothing if not
 * "SP0" -> "", "Service Pack 2" -> "SP2", etc
2014-03-30 06:23:47 -07:00
HD Moore 20bbf7837c Refactor and integrate smb_fingerprint() for Recog support 2014-03-30 05:52:23 -07:00
William Vu 5a448d9f2d
Fix ActiveRecord::ConnectionNotEstablished
[SeeRM #8780]
2014-04-02 00:54:39 -05:00
William Vu 8fd4f50081
Fix NameError for "r" in Msf::Auxiliary::Nmap
Wasn't in scope.
2014-04-01 17:35:20 -05:00
William Vu f9a7cfaa67
Land #3168, EICAR payload encoding 2014-04-01 09:17:10 -05:00
Tod Beardsley 42c7b85b86
Don't EICAR every time. That would be bad. 2014-04-01 09:05:55 -05:00
sinn3r 07ab05c870 Update a comment 2014-03-28 15:20:45 -05:00
sinn3r 4b7f85e47d Adobe Flash support in BES 2014-03-28 15:14:58 -05:00
Tod Beardsley 196e07c5b1
Touch up the EICAR stuff 2014-03-28 11:45:28 -05:00
jvazquez-r7 da6a428bbf Modify libs to support explib2 2014-03-28 10:44:52 -05:00
James Lee 6c36d14be1
Land #3118, fix java payloads for msfvenom 2014-03-25 15:38:21 -05:00
sinn3r 85c0c8bb70 Add support to detect mshtml build
Some IE vulns are build-specific, in that case we need a way to
detect the build version. On IE9 and newer, the build version is
the same as the one you see in WinDBG when you do lmv m mshtml.
On IE8, it returns something else I don't know.
2014-03-25 03:31:08 -05:00
William Vu 8b2ee4eb8c
Disable BLANK_PASSWORDS and USER_AS_PASS
They're as obnoxious as DB_ALL_* when enabled by default.
2014-03-24 15:51:35 -05:00
HD Moore 903af02e08 Store at most one http.fingerprint per host/port, revert http_version 2014-03-23 10:42:20 -07:00
HD Moore f349f85a70 Reimplement HTTP fingerprinting, backwards compatible
This commit changes the internals of HTTP fingerprinting to store
a whole trove of data about the HTTP response using a hash. The
current API is backwards compatible and has been tested with a
number of modules that depend on HttpFingerprint being sent.

In addition, this change paves the way for advanced fingerprints
that take advantage of the HTTP body and other headers. This is
a requested addition documented  across various module comments.

Finally, this commit completes the closed loop for OS identification
by connecting MSF to MDM to Recog and applying Recog databases for
HTTP Servers, HTTP Cookies, and HTTP Authentication headers to the
results of HTTP fingerprinting runs.

For example, with the appropriate version of MDM/Recog in place,
a http_version scan of Microsoft-IIS/7.0 server will update the
host.os_name field to 'Windows 2008'.
2014-03-23 07:26:11 -07:00
Meatballs d53b56c161
Tidy up 2014-03-22 18:38:58 +00:00
Meatballs b524507e4e
Merge remote-tracking branch 'upstream/master' into land_2551
Conflicts:
	modules/exploits/windows/local/ask.rb
2014-03-22 18:14:45 +00:00
Meatballs 7b2f0a64fc
Tidy up 2014-03-22 18:07:57 +00:00
sinn3r 13f5c22536
Land #3129 - Fix 2782 with 2961 and stop stack-tracing download_exec 2014-03-21 11:36:59 -05:00
James Lee 0a141f1c02
Land #2810, masked password format switcheroo 2014-03-20 15:12:12 -05:00
David Maloney c4a9b4fda0
Land #3128, Put loot in correct workspace 2014-03-20 14:11:17 -05:00
Tod Beardsley 4d3f871e9d
Land #2961, get_env and get_envs Post mixin
This unbreaks the changes introduced by #2782 by introducing
get_env and get_envs for shell sessions (not just meterpreter sessions).
2014-03-20 10:53:50 -05:00
Trevor Rosen dd4b16ad60 Remove some dead code 2014-03-20 09:38:14 -05:00
Trevor Rosen dc85a99fbd report_loot now sets proper Mdm::Workspace
* Uses an Mdm::Workspace when passed one in conf hash
2014-03-20 09:27:09 -05:00
Samuel Huckins 33ca577010 Zip Workspace imports now working.
MSP-9531

* Was trying to delete XML file, not sure why, running into permission
error
* General clarification and cleanup
2014-03-19 22:53:15 -05:00
Samuel Huckins cc4c958d58 Merge remote-tracking branch 'metasploit-framework/master' into masked-cred-format-update 2014-03-19 15:47:46 -05:00
David Maloney 130474fdfd
Fix java payload generation
jsp payloads are java but do not generate JARs
also we were not merging datastore options in properly
2014-03-18 13:41:27 -05:00
David Maloney da0c37cee2
Land #2684, Meatballs PSExec refactor 2014-03-14 13:01:20 -05:00
sinn3r 6e37493471
Land #3091 - native shellcode payloads from a FF privileged js shell 2014-03-13 13:36:37 -05:00
Joe Vennix db036e44ad Use RdlCopyMemory from Kernel32. 2014-03-13 11:05:58 -05:00
sinn3r 7ead04414c
Land #3024 - Allow encoder Compat options 2014-03-13 10:59:40 -05:00
Joe Vennix 851fca2107 Add posix fork() call before running code. 2014-03-12 02:56:26 -05:00
Joe Vennix 7afcb6aee8 Add CreateThread wrapper for windows. 2014-03-12 02:49:09 -05:00
Joe Vennix ce0c5380a5
Kill stray //. 2014-03-12 02:20:49 -05:00
Joe Vennix 9bdf570763
All working now. In-memory meterpreter even. 2014-03-12 02:19:28 -05:00
sinn3r b431bf3da9
Land #3052 - Fix nil error in BES 2014-03-11 12:51:03 -05:00
AnwarMohamed b45524ecdd generate cert @ payload/dalvik.rb 2014-03-10 21:50:00 -05:00
AnwarMohamed 99cc94e6fc moving string_sub() to payload/dalvik.rb 2014-03-10 21:49:59 -05:00
Joe Vennix c07f390382 Add CookieExpiration option, add trailing slash to URI. 2014-03-10 13:07:17 -05:00
Meatballs 311d4665ce
Re-use CreateService Handle
and remove unused variable
2014-03-06 21:37:49 +00:00
Joe Vennix 05067b4e33 Oops. Need to init the profile before accessed. 2014-03-06 11:48:54 -06:00
Joe Vennix ad592fd114 Remove unnecessary method. 2014-03-05 23:36:43 -06:00
Joe Vennix a792f85a5f Fix re-initialize bug. 2014-03-05 23:27:04 -06:00
William Vu 096d6ad951
Land #3055, heapLib2 integration 2014-03-05 15:48:13 -06:00
OJ a1aef92652
Land #2431 - In-memory bypass uac 2014-03-05 11:15:54 +10:00
Joe Vennix 5790547d34 Start undoing some work. 2014-03-04 17:01:53 -06:00
David Maloney 72c6b995de
adjust timeout for shadowcopy
WMIC defaults to 10 sec timeout but shadowcopy
often needs longer.
2014-03-04 10:18:59 -06:00
Etienne Stalmans e452b81fb1 style changes as suggested by @jlee-r7 2014-03-04 08:49:52 +02:00
Joe Vennix 3360f7004d Update form_post vars, add Expires to cookie. 2014-03-03 23:29:02 -06:00
Meatballs 43715eeb7f
Blame @OJ
He changed the clipboard API underneat me.
2014-03-03 22:06:05 +00:00
Meatballs 32d83887d3
Merge remote-tracking branch 'upstream/master' into wmic_post 2014-03-03 21:56:31 +00:00
sinn3r ee1209b7fb This should work 2014-03-03 11:53:51 -06:00
Joe Vennix 894d16af80 Add specs for new/returning/previous visitors. 2014-03-02 20:50:10 -06:00
Joe Vennix 6825fd2486 Whitespace tweaks and cleanup. 2014-03-02 19:57:48 -06:00
Joe Vennix 46f27289ed Reorganizes form_post into separate file. 2014-03-02 19:55:21 -06:00
Joe Vennix 785a35a81a Needed to kill objToQuery. 2014-03-02 19:48:55 -06:00
Joe Vennix e8226f9d40 Use a keyed cookie. Moves AJAX call to a form post. 2014-03-02 19:47:24 -06:00
Joe Vennix 26db845438 Try to pthread_create. Fails. 2014-03-02 18:02:23 -06:00
Meatballs 2885ebcb40
Merge remote-tracking branch 'upstream/master' into pr2075 2014-03-02 20:57:02 +00:00
Meatballs 0956ae5789
Fix payload selection 2014-03-02 20:56:55 +00:00
Meatballs 1ca690eccf
Do some rspec 2014-03-02 20:37:08 +00:00
Meatballs c9a2135959
Merge in semperv 2014-03-02 19:07:13 +00:00
sinn3r 8cf5c3b97e Add heaplib2
[SeeRM #8769] Add heapLib2 for browser exploitation
2014-03-02 11:47:18 -06:00
sinn3r ac446d3b3f
Land #3043 - randomization for Rex::Zip::Jar and java_signed_applet 2014-02-28 14:10:55 -06:00
William Vu fd1586ee6a
Land #2515, plaintext creds fix for John
[FixRM #8481]
2014-02-28 09:53:47 -06:00
David Maloney f66709b5bb
make bypassuac module clean itself up
since the IO redirection hangs our original process
we have the moudle wait for the session then kills
the spawning process and delete the exe we dropped
2014-02-27 12:54:40 -06:00
jvazquez-r7 6c490af75e Add randomization to Rex::Zip::Jar and java_signed_applet 2014-02-27 12:38:52 -06:00
David Maloney d358fe5f94
Merge branch 'payload_defaults' 2014-02-26 10:28:46 -06:00
David Maloney f51cbfffb8
minor fix to payload generator
was passing platform string instead of the
platform lsit when formatting the payload
2014-02-25 15:51:06 -06:00
sinn3r d0780cd1a2
Land #3010 - EXITFUNC as OptEnum 2014-02-24 11:07:10 -06:00
Joe Vennix c760d37703 use the actual shellcode length. 2014-02-24 09:55:44 -06:00
jvazquez-r7 9fd635d645 Favor \! vs == false 2014-02-24 08:47:25 -06:00
Meatballs 2a6258be15
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
Conflicts:
	external/source/exploits/make.bat
2014-02-28 20:26:24 +00:00
Meatballs 5a7730b495
Merge remote-tracking branch 'upstream/master' into bypassuac_redo 2014-02-25 23:15:47 +00:00
Meatballs 8bdb22aeb9
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
Conflicts:
	lib/msf/core/post/windows.rb
2014-02-25 22:15:05 +00:00
Meatballs bbacaa477e
Add missing require 2014-02-25 22:08:27 +00:00
jvazquez-r7 8af992e083 Use same coding style 2014-02-21 16:02:27 -06:00
jvazquez-r7 0c44cc5ae4 Allow Exploits to provide Encoder Compat options 2014-02-21 15:49:39 -06:00
James Lee 0179faa66f
Fix yardoc for Post::Windows::LDAP
Also fix some style issues and warnings.
2014-02-21 13:25:11 -06:00
jvazquez-r7 0b5e617236
Land #3016 lsanchez-r7's send_message mod to return info 2014-02-19 17:01:06 -06:00
jvazquez-r7 c0cdea37f7 Initialize send_status at the function's start 2014-02-19 16:54:29 -06:00
lsanchez-r7 f7a483523c changing the initial state from false to nil 2014-02-19 16:45:00 -06:00
Joe Vennix 212ebb568c EXITFUNC option should be an OptEnum. 2014-02-19 03:06:15 -06:00
Joe Vennix 50fb9b247e Restructure some of the exploit methods. 2014-02-19 02:31:22 -06:00
jvazquez-r7 4ca4d82d89
Land #2939, @Meatballs1 exploit for Wikimedia RCE and a lot more... 2014-02-18 17:48:02 -06:00
Meatballs e4aedfad43
Fixup netapi call 2014-02-18 23:30:29 +00:00
lsanchez-r7 07fd3494e5 changing send_message to return more information 2014-02-18 16:48:52 -06:00
Meatballs 6f988209ab
Merge remote-tracking branch 'upstream/master' into enum_domain_users_update 2014-02-18 20:02:39 +00:00
Meatballs 5c8af63063
Fix regression 2014-02-18 17:41:35 +00:00
jvazquez-r7 1bc94b8a9d Merge for retab 2014-02-17 19:19:47 -06:00
jvazquez-r7 f07efc91a8 Land #2915, @Meatballs1 improvements for LDAP post mixin 2014-02-17 19:14:59 -06:00
Joe Vennix 318ebdb4c8 Clean up // comments. 2014-02-17 15:34:42 -06:00
Joe Vennix 57449ac719 Adds working shellcode exec local exploit. 2014-02-17 15:31:45 -06:00
scriptjunkie 022c52d087
Added bundling to handle many sessions at once. 2014-02-15 15:37:22 -06:00
scriptjunkie b0d2949f9a Ensure no race conditions on handlers
Configurable WfsDelay
2014-02-15 15:21:16 -06:00
scriptjunkie a83ca2b8d6 Ghost sessions fix, fewer selfies, cleaner code 2014-02-15 15:21:16 -06:00
scriptjunkie 9c8c16d238 Allow multiple handlers to use same hop. 2014-02-15 15:21:16 -06:00
scriptjunkie 16e1280b8d Style guide fixes. 2014-02-15 15:21:16 -06:00
scriptjunkie a6a731c8ee Keep stage until replaced, nil check, prettify. 2014-02-15 15:21:16 -06:00
scriptjunkie 85ae32775a Fix to make migrate work; use the full URL. 2014-02-15 15:21:16 -06:00
scriptjunkie 5f7a0e162c Add reverse_hop_http stager and handler 2014-02-15 15:21:16 -06:00
Meatballs f58b66adf8
Docs and more robust code 2014-02-14 23:15:05 +00:00
Meatballs b8b36ef528
Merge remote-tracking branch 'upstream/master' into pr2075 2014-02-14 22:52:55 +00:00
sinn3r 4dd60631cb
Land #2950 - New Payload Generator for MsfVenom 2014-02-13 15:13:10 -06:00
jvazquez-r7 61563fb2af Do minor cleanup 2014-02-13 09:10:04 -06:00
RageLtMan 0056c26047 import msf exploit 2014-02-12 22:06:18 -05:00
RageLtMan b453362a52 Merge remote-tracking branch 'upstream/pr/2966' into integrate_with_meatballs 2014-02-12 16:43:30 -05:00
David Maloney 4565be18e3 require active_support numeric
ensure we have the activesupport numeric bytes extension
loaded for calling .gigabyte
2014-02-12 13:20:13 -06:00
William Vu 18816f3d5e
Land #2952, -1 for last session ID 2014-02-11 16:22:36 -06:00
jvazquez-r7 1f0020a61c
Land #2946, @jlee-r7's optimization of the x86 block_api code 2014-02-11 15:00:00 -06:00
Spencer McIntyre a67a14ff60
Land #2975 @wchen-r7's extra vprint_debug statements for ms13-090 2014-02-10 20:57:55 -05:00
Meatballs d8ea11b851
Redirect HTTP too 2014-02-10 23:41:15 +00:00
sinn3r 442d212a94 Add vprint_debug to show what requirements are being compared 2014-02-10 17:33:36 -06:00
Meatballs 4a0f37dc21
Save lost changes 2014-02-10 23:24:26 +00:00
Meatballs a87f604c98
Merge remote-tracking branch 'upstream/master' into mediawiki 2014-02-10 21:43:56 +00:00
James Lee fab8e16a87
Unbreak server exploits 2014-02-10 10:54:14 -06:00
jvazquez-r7 57320a59f1 Do small clean up for mediawiki_thumb pr 2014-02-10 08:57:09 -06:00
Spencer McIntyre 4eb9a16b2c Remove unnecessary return statement. 2014-02-09 13:06:21 -05:00
Meatballs c76341c82d
Dont dsub Invoke-Command etc... 2014-02-09 17:45:30 +00:00
Meatballs 151e45d8d1
Better exception descriptions 2014-02-09 12:52:56 +00:00
Meatballs 77dda5dc67
Give option to remove badchars 2014-02-09 12:34:25 +00:00
Meatballs 0379dc128c
Raise exception on known issues 2014-02-09 12:15:02 +00:00
Meatballs 02f1ff27ee
Add option to encode inner payload 2014-02-09 00:55:26 +00:00
Meatballs f398c982e3
Include option to ensure payload is fully encoded 2014-02-08 23:51:13 +00:00
Meatballs ad308efc05
Really minimize commandline size 2014-02-08 22:53:47 +00:00
sinn3r 2cfc662e43 Use en-us instead 2014-02-08 16:16:09 -06:00
Meatballs c37cb5075c
Merge remote-tracking branch 'upstream/master' into pr2075 2014-02-08 22:11:31 +00:00
Meatballs c76862b391
Reduce payload size 2014-02-08 22:11:17 +00:00
Meatballs b10df54dbb
Dont need to encode the compress payload 2014-02-08 21:34:51 +00:00
Meatballs d1f3afeacc
Correct MSB refs 2014-02-08 13:32:56 +00:00
Meatballs 76f0783eef
Raise error if no domain found or specified 2014-02-08 12:16:48 +00:00
Meatballs a5cb03e409
Copy Meterpreter return hash
Dont add a key if no value is found
2014-02-08 12:12:45 +00:00
Meatballs 6e197ce535
Post get_envs library methods 2014-02-08 11:37:25 +00:00
sinn3r bd23fcf4b7
Land #2936 - Windows Command Shell Upgrade (Powershell) 2014-02-07 17:39:06 -06:00
David Maloney f189b753e5 use more clear syntax for space
use 1.gigabyte as kronicdeth suggested, for great awesomeness
2014-02-07 15:52:19 -06:00
Meatballs 56359aa99f
Merge changes from other dev machine 2014-02-07 21:22:44 +00:00
Meatballs 103780c3da
Merge remote-tracking branch 'upstream/master' into mediawiki 2014-02-07 20:07:04 +00:00
James Lee f0fd2f0598
Land #2944, add platforms to encoders
This allows encoders to advertise compatibility with a particular
platform (or more accurately, non-compatibility with everything that
isn't that platform).

See also #2939
2014-02-07 13:38:05 -06:00
David Maloney aa3985c5e3 relign attribute tags 2014-02-07 11:04:17 -06:00
David Maloney 5d8dc76f48 put verbose messages to stderr
egypt pointed out we'll stomp on the payload output
otherwise. Good catch
2014-02-07 10:22:39 -06:00
Spencer McIntyre 27d7df554c Use a single return statement defaulting to nil. 2014-02-06 14:50:59 -05:00
Spencer McIntyre b9fb8decad Support a (latest) session id of -1. 2014-02-06 14:11:38 -05:00
David Maloney 9d9305d2c0 more yardtag cleanup 2014-02-06 11:16:00 -06:00
David Maloney 34c4718e95 more style fixups
further kronicdeth appeasement
2014-02-05 18:12:44 -06:00
David Maloney 1bf11e5b92 some alpha-sorting
begining to appease KronicDeth
2014-02-05 17:47:32 -06:00
James Lee b226ecf591
Add block_api changes to prepend_migrate 2014-02-05 15:32:59 -06:00
David Maloney ca48fb6590 fix encoding cycle if all encoders fail
we need to raise an exception if all encoders fail
2014-02-05 15:25:14 -06:00
David Maloney 1227a47342 fix exe template
don't pass an emtpy string for templates
this causes read errors. pass no value instead
2014-02-05 12:10:14 -06:00
David Maloney 508f251db2 add cli compat
add cli capability to putut verbose info to the console
2014-02-05 11:00:57 -06:00
David Maloney 293c231dfe alpha-sort methods for ease
lexically sorted methods to make it easier to
look through code
2014-02-04 18:05:03 -06:00
David Maloney fc9105d862 final generation and specs
generation wrapped method complete with specs
2014-02-04 17:52:20 -06:00
David Maloney 4dcae920f8 add specs for generate_java_payload
pretty self-explanatory
2014-02-04 17:40:59 -06:00
David Maloney 70d8246791 finish wiring up the final generation
formating and main generate methods wired up
still need to add some final tests
2014-02-04 15:52:18 -06:00
sinn3r bda93c2bbc
Land #2811 - Add generate_war to jsp_shell payloads 2014-02-04 15:06:45 -06:00
jvazquez-r7 80e7ae144b Use the platform when selecting the payload 2014-02-04 14:34:11 -06:00
William Vu a58698c177
Land #2922, multithreaded check command 2014-02-04 11:21:05 -06:00
Meatballs 0a3cb3377f
AppendEncoder 2014-02-04 15:41:10 +00:00
Meatballs 26c506da42
Naming of follow method 2014-02-04 15:25:51 +00:00
David Maloney c8b7dc30b4 added encoding routines
now has a method for encoding the shellcode
and tests to go with
2014-02-03 17:51:22 -06:00
Meatballs a8ff6eb429
Refactor send_request_cgi_follow_redirect 2014-02-03 21:49:49 +00:00
Meatballs 08493f2670
Merge remote-tracking branch 'upstream/master' into upgrade_psh
Conflicts:
	lib/msf/core/post/file.rb
2014-02-03 18:02:09 +00:00
sinn3r 2ee1764ceb Add method rhost, rport, and peer for post modules
[SeeRM #8761]
2014-02-03 01:05:43 -06:00
David Maloney 3b648346da starting in on encoders
added get_encoders method to find propper encoders
started on encode_payload, incomplete
added specs
2014-02-03 00:59:08 -06:00
sinn3r 0d02f6d589
Add support for win shells for file? 2014-02-02 23:37:26 -06:00
David Maloney 4a82bc74cf added nop sled generator
added code to prepend a nop sled
with tests to match
2014-02-02 22:51:12 -06:00
James Lee b9e234f62d
Log the size if it doesn't fit 2014-02-02 22:28:23 -06:00
David Maloney bb5f5542f0 generating raw payload bits now
added raw payload generation, arch selection,
and specs for everything thus far
2014-02-02 21:09:17 -06:00
David Maloney f9c31f988e test platform selection
added tests around platform selection
2014-02-02 16:52:41 -06:00
David Maloney f5d730e874 write specs around initialiser
added specs around object initialisation
2014-02-02 16:05:11 -06:00
David Maloney e265d6f54c begining of payload generator
started basics of generator
started adding specs
added option to simple framework to disable logging
2014-02-02 14:35:16 -06:00
Meatballs 95eb758642
Initial commit 2014-02-02 19:04:38 +00:00
Meatballs 9fa9402eb2
Better check and better follow redirect 2014-02-02 16:07:46 +00:00
Meatballs 0d3a40613e
Add auto 30x redirect to send_request_cgi 2014-02-02 15:03:44 +00:00
sinn3r 45bb336c51 Loop do it 2014-01-26 16:27:36 -06:00
sinn3r eec01e79ff No explicit "return" 2014-01-26 16:25:30 -06:00
sinn3r 6ffb750633 Change Unsupported message
Auxiliary modules can use check, too. Not just exploits.
2014-01-26 01:14:11 -06:00
sinn3r 2d12c0a368 NoMethod check and stuff 2014-01-25 20:25:01 -06:00
Meatballs 33da3a414b
Remove unnecessary options 2014-01-25 13:52:52 +00:00
Meatballs 27a434205c
More flexible domain and DN 2014-01-25 13:17:00 +00:00
sinn3r 93fa58ed45 aux scanner support 2014-01-24 17:54:40 -06:00
Meatballs 08885bde19
Always forget debugging stuff 2014-01-24 23:45:12 +00:00
Meatballs be1da0e8a8
Move print statement 2014-01-24 23:37:20 +00:00
Meatballs cb53ca261f
Tidyup logic
ADSI doesn't care about distinguished names or domain and can take
either, but legacy API needs a domain for binding and a dn for
searching.

Send nil if we dont know the domain rather than a ptr to an empty
string.
2014-01-24 23:28:08 +00:00
Meatballs ae13d1f3e6
Grab the default domain to improve ldap 2014-01-24 16:36:37 +00:00
Meatballs 23ba52641b
Revert ldap 2014-01-24 16:25:48 +00:00
Meatballs 9fce617462
Fixup railgun utils
Implement DsGetDcNamea to return current domain using example
railgun utils techniques.
2014-01-24 16:22:05 +00:00
Tod Beardsley 4bac297f66
Land #1473, add LDAP hotness 2014-01-23 18:11:39 -06:00
Meatballs 4b21672b60 Remove hardcoded string 2014-01-23 23:55:09 +00:00
Meatballs 790e4d7559
Move options to mixin 2014-01-23 23:47:46 +00:00
Meatballs 398e8463b1
Add more informative errors 2014-01-23 23:19:00 +00:00
Tod Beardsley b5f61024c5
Land #2907, fixes qual asset importer
Addresses MSP-9311
2014-01-23 13:32:22 -06:00
jvazquez-r7 256f2b12eb
Land #2894, @wchen-r7's CheckCode documentation update 2014-01-23 07:31:24 -06:00
lsanchez-r7 58cf7193f9 fixing NameError undefined local variable in an import 2014-01-22 16:54:31 -06:00
Meatballs 9acd0f4b56
Merge remote-tracking branch 'upstream/master' into enum_ad_perf 2014-01-22 21:46:50 +00:00
Tod Beardsley 90207628cc
Land #2666, SSLCompression option
[SeeRM #823], where Stephen was asking for SSL compression for
Meterpreter -- this isn't that, but it's at least now possible for other
Metasploit functionality.
2014-01-22 10:42:13 -06:00
Meatballs 80452767c8
Comments 2014-01-22 10:24:24 +00:00
Meatballs 156e3c046e
Dont lookup twice 2014-01-22 10:14:56 +00:00
Meatballs 6d6d1e1033
No need to fiddle with naming context 2014-01-22 10:06:36 +00:00
Tod Beardsley 0b6e03df75
More comment docs on SSLCompression 2014-01-21 16:48:26 -06:00
Tod Beardsley b8219e3e91
Warn the user about SSLCompression 2014-01-21 16:41:45 -06:00
Meatballs 720f892e2f
Merge remote-tracking branch 'upstream/master' into enum_ad_perf 2014-01-21 21:00:51 +00:00
sinn3r ea47da5682 Add wiki link "How to write a check() method" to documentation 2014-01-20 20:10:50 -06:00
sinn3r e48b8ae14c Use a better term 2014-01-19 16:01:38 -06:00
sinn3r afd0e71457 Use the term "exploit" is a little more correctly
So Metasploit uses the term "exploit" to describe something, a module
or an action, that results popping a shell. A check normally doesn't
pop a shell, so avoid that language.
2014-01-17 13:50:23 -06:00
sinn3r 363c53e14e Clearify when to use a specific CheckCode
An example of the biggest confusion module developers face is not
actually knowing the difference between Detected vs Appears vs
Vulnerable. For example: a module might flag something as a
vulnerable by simply doing a banner check, but this is often
unreliable because either 1) that banner can be fooled, or 2)
the patch does not actually update the banner. More reasons may
apply. Just because the banner LOOKS vulnearble doesn't mean it is.
2014-01-17 13:35:17 -06:00
HD Moore 68ccdc8386 Fix a stack trace when module_payloads.rb is run
This fixes a missing check for self.target being nil in the compatible_payloads method
2014-01-13 15:36:33 -08:00
William Vu 4ccf1a4720
Land #2873, Msf::Handler::ReverseHttp::UriChecksum 2014-01-13 15:38:56 -06:00
David Maloney 41807d7e4e move rev_http uri checksum code
need access to the uri checksum
routines outside of the handler.
moved them to their own mixin
and then mixed into the handler.
added specs also
2014-01-13 15:18:16 -06:00
Tod Beardsley e6e6d7aae4
Land #2868, fix Firefox mixin requires 2014-01-13 14:23:51 -06:00
Joe Vennix 3db143c452 Remove explicit requires for FF payload.
Adds ff payload require to msf/core/payload.rb
2014-01-13 13:07:55 -06:00
jvazquez-r7 95a5d12345 Merge #2835, #2836, #2837, #2838, #2839, #2840, #2841, #2842 into one branch 2014-01-13 10:57:09 -06:00
sinn3r cacd7ff9d4
Land #2827 - Add firefox js xpcom payloads for universal ff shells 2014-01-10 14:29:32 -06:00
Joe Vennix 7af8fe9cd1 Catch exceptions in an XSS script and return the error. 2014-01-07 16:23:24 -06:00
Joe Vennix fb1a038024 Update async API to actually be async in all cases.
This avoids zalgo. Also optionally checks the return value
of the compiled Function in XSS to allow you to use send()
or an explicit return, which is maybe more natural for
synchronous xss payloads.
2014-01-07 16:17:34 -06:00
Niel Nielsen 73e359ede1 Update reverse_tcp.rb
Change to OpenSSL::Digest from deprecated OpenSSL::Digest::Digest
2014-01-07 22:06:11 +01:00
Niel Nielsen e3a3b560e2 Update bind_tcp.rb
Change to OpenSSL::Digest from deprecated OpenSSL::Digest::Digest
2014-01-07 22:02:52 +01:00
Meatballs 3bf728da61
Dont store in DB by default 2014-01-07 12:20:44 +00:00
Joe Vennix 9d3b86ecf4 Add explicit require for JSON, so msfpayload runs. 2014-01-05 14:58:18 -06:00
Joe Vennix d00acccd4f Remove Java target, since it no longer works. 2014-01-04 21:22:47 -06:00
OJ 8898486820 Change display message to show actual bind address
When running a http/https listener the address:port that was being
shown in the output was that which was passed to the victim as part
of the stager and not the actual listener address:port.

This commit fixes this so that the display is correct.
2014-01-05 11:28:51 +10:00
Joe Vennix f2f68a61aa Use shell primitives instead of resorting to
echo hacks.
2014-01-04 19:00:36 -06:00
Raphael Mudge 6034c26fa7 Honor LPORT as callback port for HTTP/S handler
This commit completes our quest to (optionally) decouple the stage's
callback parameters from the interface/port our handler binds to.

LPORT is now patched into the stage over ReverseListenerBindPort.
2014-01-04 18:52:19 -05:00
Raphael Mudge 3c9d684759 Cleanup - Remove bind_address from reverse_http.rb
This commit removes the now unused bind_address function from
reverse_http.rb. This function returns an array of hosts the handler
should attempt to bind to (e.g., [LHOST value, any])

Other handlers (e.g., reverse_tcp.rb) loop through these values until
they're able to start a server with that bind address.

The HTTP server doesn't work this way. It's setup to try one address
and that's it. It makes sense to have the HTTP server always bind to
0.0.0.0 by default as future modules run by the user may register
resources with the same HTTP server.
2014-01-04 16:02:32 -05:00
Raphael Mudge 6f55579acd HTTP Handler Bind to 0.0.0.0 or ReverseListenerBindAddress
This commit returns the HTTP/S handler to its former semantic glory.
By default the HTTP/S handler will bind to :: or 0.0.0.0. If the
user specifies a ReverseListenerBindAddress then, instead, the
server will bind to that address.

The previous commit to change the URL to always reference LHOST
should go with this too. LHOST is always my intent of where the
stage should call home too. ReverseListenerBindAddress would make
sense as my intent as to where I want to bind to. The two options
shouldn't take on each other's meanings.
2014-01-04 15:50:06 -05:00
Raphael Mudge f93210ca74 Always Use LHOST for Full URL in HTTP/S Stage
Redmine #8726 documents a change where the reverse HTTP/S
tries to bind LHOST and if it can not it does a hard stop

If it's expected that users will use ReverseListenerBind-
-Address then this commit addresses #8726 by patching the
HTTP/S stage with the host provided by the user in LHOST.

Currently ReverseListenerBindAddress (if used) is patched
into the stage. This makes for a broken HTTP/S session if
the user sets this option to 0.0.0.0.

With this commit--users can provide any LHOST they like
and set ReverseListenerBindAddress to 0.0.0.0 and things
will work.

This commit does not attempt to bring the HTTP/S handler
back to the old behavior of falling back to 0.0.0.0 when
it can't bind LHOST. I'd welcome the old behavior but I
leave it to you to decide what makes sense. :)
2014-01-04 15:16:22 -05:00
Joe Vennix b9c46cde47 Refactor runCmd, allow js exec.
* Updates exec payload to not touch disk
* Adds XSS module that uses hiddenWindow (to avoid X-Frame-Options)
2014-01-04 08:46:57 -06:00
Joe Vennix 60991b08eb Whitespace tweak. 2014-01-03 18:40:31 -06:00
Joe Vennix a5ebdce262 Add exec payload. Cleans up a lot of code.
Adds some yardocs and whatnot.
2014-01-03 18:23:48 -06:00
Joe Vennix 8fd517f9ef Fixes shell escaping errors with nested quotes in windows. 2014-01-03 16:14:28 -06:00
Joe Vennix 13464d0aae Minor cleanup of firefox.rb. 2014-01-03 01:34:57 -06:00
Joe Vennix 7961b3eecd Rework windows shell to use wscript. 2014-01-03 01:29:34 -06:00
Meatballs 5606958320
Resolve require order 2014-01-02 23:46:18 +00:00
jvazquez-r7 f5f18965b9 Move the require to the payloads as ruby and nodejs payloads do 2014-01-02 16:05:03 -06:00
jvazquez-r7 764d0822f6 Use the current msf's naming convention 2014-01-02 15:57:09 -06:00
Joe Vennix 06fb2139b0 Digging around to get shell_command_token to work. 2014-01-02 14:05:06 -06:00
Joe Vennix 8d3130b19e Reorder targets. 2014-01-02 10:48:28 -06:00
Joe Vennix 9b39ea55ee Fix comment.{ 2014-01-02 10:48:28 -06:00
Joe Vennix 1f9ac12dda DRYs up firefox payloads. 2014-01-02 10:48:28 -06:00
Joe Vennix 694cb11025 Add firefox platform, architecture, and payload.
* Enables chrome privilege exploits in firefox to run a javascript cmd
shell session without touching the disk.
* Adds a spec for the addon_generator.
2014-01-02 10:48:28 -06:00
jvazquez-r7 0725b9c69c Refactor JSP payloads 2013-12-31 08:27:37 -06:00
Samuel Huckins 985af3adfe Update to masked credential format
* To support change in Pro export format. Previous format looked
like an XML element, for no reason, failed validation.
2013-12-30 10:59:15 -06:00
jvazquez-r7 39844e90c3 Don't user merge! because can modify self.compat 2013-12-27 16:37:34 -06:00
sinn3r 9c484dd0a3
Land #2786 - HP SiteScope issueSiebelCmd Remote Code Execution 2013-12-23 02:34:01 -06:00
jvazquez-r7 ed838d73a6 Allow targets to specify Compat[ible] payloads 2013-12-19 17:48:15 -06:00
Joe Vennix ca23b32161 Add support for Procs in browserexploit requirements. 2013-12-19 12:49:05 -06:00
Meatballs 62ef810e7c
Use Extapi if available 2013-12-19 18:18:47 +00:00
Meatballs 737154c2fe
Update to use extapi 2013-12-19 16:46:09 +00:00
Meatballs 3ef1c0ecd6 Merge remote-tracking branch 'upstream/master' into enum_ad_perf 2013-12-19 14:25:07 +00:00
Meatballs 6e43edff4c
Merge in extapi post mixin 2013-12-19 14:25:02 +00:00
Meatballs 244cf3b3f6 Merge remote-tracking branch 'upstream/pr/2736' into enum_ad_perf 2013-12-19 13:59:57 +00:00
Joe Vennix cb390bee7d Move comment. 2013-12-18 20:37:33 -06:00
Joe Vennix f411313505 Tidy whitespace. 2013-12-18 20:31:31 -06:00
Joe Vennix 9ff82b5422 Move datastore options to mixin. 2013-12-18 14:52:41 -06:00
Joe Vennix 64273fe41d Move addon datastore options into mixin. 2013-12-18 14:42:01 -06:00
Joe Vennix 1235615f5f Add firefox 15 chrome privilege exploit.
* Moves the logic for generating a firefox addon into its own mixin
* Updates the firefox_xpi_bootstrapped_addon module to use the mixin
* Module only works if you move your mouse 1px in any direction.
2013-12-18 14:30:35 -06:00
Meatballs 3e54379b0e
Merge remote-tracking branch 'upstream/master' into wmic_post
Conflicts:
	lib/msf/core/post/windows.rb
2013-12-18 13:40:54 +00:00
Meatballs 687cbe5f60
Shadowcopy should use common wmic command
Small fix to ensure output is retrieved (args -> nil)
Modify shadowcopy to use wmic_query
2013-12-18 13:34:50 +00:00
William Vu 252909a609
Land #2448, @OJ's ReverseListenerBindPort :) 2013-12-17 11:24:09 -06:00
Meatballs 6ee1a9c6e1
Fix duplicate error 2013-12-17 00:11:37 +00:00
Meatballs 06b399ee30
Remove ERROR_
To access as Error::NO_ACCESS
2013-12-16 19:52:11 +00:00
Meatballs 08a44fdfb7
Filename match module 2013-12-16 19:48:17 +00:00
Meatballs 57f2027e51
Move to module 2013-12-16 19:45:52 +00:00
Meatballs c9084bd2d5
Remove errant fullstops 2013-12-16 18:53:37 +00:00
Meatballs 75c87faaf8
Add Windows Error Codes to Windows Post Mixin 2013-12-16 18:50:18 +00:00
Meatballs 435cc9b93f
Add single quote encapsulation
For WMI and psh_web_delivery
2013-12-16 15:13:13 +00:00
Meatballs b252e7873b
Merge remote-tracking branch 'upstream/master' into pr2075 2013-12-16 14:29:05 +00:00
Meatballs 819ba30a33 msftidy
Conflicts:
	lib/msf/core/post/windows/services.rb
2013-12-15 01:12:46 +00:00
Meatballs a930056d7f Added service status checks to Post::Windows::Services
Added QueryServiceStatus to Railgun Advapi32 Definitions
Added Checks to module

Conflicts:
	lib/msf/core/post/windows/services.rb
	lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_advapi32.rb
2013-12-15 01:12:45 +00:00
Meatballs 284a45a6c5
Convert UTF16 to ASCII 2013-12-14 22:58:16 +00:00
Meatballs e46b5c9d55
Revert to file io if no EXTAPI 2013-12-14 22:46:22 +00:00
Meatballs ca5ee7e156
Load extapi before wmic 2013-12-14 22:45:56 +00:00
Meatballs b532987b8f
Re-add file out to wmic_command 2013-12-14 20:58:33 +00:00
Meatballs 8d5f298d3d
Clear clipboard first 2013-12-14 20:26:46 +00:00
Meatballs 7902f061ca
Final tidyup 2013-12-14 20:18:14 +00:00
Meatballs 04496a539c
Fix up local wmi exploit. 2013-12-14 20:05:51 +00:00
Meatballs 4224c016f4
Use WaitForSingleObject instead of loop 2013-12-14 18:42:31 +00:00
Meatballs 12afdd2cbb
Get and parse result from clipboard 2013-12-14 18:30:43 +00:00
Meatballs 3ad1e57f8d
Merge remote-tracking branch 'upstream/master' into wmic_post 2013-12-14 16:25:31 +00:00
jvazquez-r7 83e448f4ae Restore vprint_error message 2013-12-12 09:06:29 -06:00
jvazquez-r7 5c1ca97e21 Create a new process to host the final payload 2013-12-12 08:26:44 -06:00
William Vu ff9cb481fb Land #2464, fixes for llmnr_response and friends
Fixed conflict in lib/msf/core/exploit/http/server.rb.
2013-12-10 13:41:45 -06:00
scriptjunkie 77e9996501
Mitigate metasm relocation error by disabling ASLR
Deal with import error by actually using the GetProcAddress code.
2013-12-07 20:54:13 -06:00
scriptjunkie 8d33138489 Support silent shellcode injection into DLLs
Only run code on DLL_PROCESS_ATTACH, preventing infinite loop otherwise:
Added code would create thread -> calls DLL entry point -> calling added code...
2013-12-07 19:44:17 -06:00
Meatballs 3aebe968bb
Land #2721 Reflective DLL Mixin
Adds support to load a dll and identify the ReflectiveLoader offset.
Adds support to inject dll into process and execute it.

Updates kitrap0d, ppr_flatten_rec, reflective_dll_inject modules and
payload modules to use above features.
2013-12-06 12:26:51 +00:00
OJ 155836ddf9 Adjusted style as per egypt's points 2013-12-06 10:08:38 +10:00
OJ ccbf305de1 Remove exception stuff from the payloads 2013-12-06 09:26:46 +10:00
OJ 5a0a2217dc Add exception if DLL isn't RDI enabled 2013-12-06 09:18:08 +10:00
OJ 2cb991cace Shuffle RDI stuff into more appropriate structure
Now broken into two modules, one for loading RDI DLLs off disk and
finding the loader function offset, and another for doing the process
specific stuff of loading into the target.
2013-12-06 08:25:24 +10:00
OJ fb84d7e7fe Update to yardoc conventions 2013-12-06 07:54:25 +10:00
sinn3r c7bb80c1d7 Add wvu as an author to author.rb 2013-12-05 00:33:07 -06:00
OJ b936831125 Renamed the mixin module 2013-12-05 08:13:54 +10:00
OJ 7b24f815ee Missed a single module in rename 2013-12-04 22:54:07 +10:00
OJ 7e8db8662e Update name of the mixin
Changed `RdiMixin` to `ReflectiveDLLInjection`.
2013-12-04 22:18:29 +10:00
OJ f79af4c30e Add RDI mixin module
MSF was starting to see more modules using RDI to load binaries into
remote processes, so it made sense to create a mixin which contained
the functionality that was being used in various locations.

This commit contains the new mixin, and adjustments to all the existing
exploits and modules which use RDI.
2013-12-04 16:09:41 +10:00
yehualiu 8254c0bae2 this site is down 2013-12-01 14:26:03 +08:00
William Vu 77b036ce5d
Land #2703, uninit const fix for MSSQL_SQLI 2013-11-27 13:50:48 -06:00
jvazquez-r7 a5aca618e2 fix fail_with usage on Exploit::Remote::MSSQL_SQLI 2013-11-27 11:33:19 -06:00
jvazquez-r7 a32c9e5efc Fix fail_with on Exploit::Remote::HttpClient 2013-11-27 11:19:46 -06:00
sinn3r 5d10b44430 Add support for Silverlight
Add support for Silverlight exploitation. [SeeRM #8705]
2013-11-26 14:47:27 -06:00
Meatballs b015dd4f1c
Land #2532 Enum LSA Secrets
With refactoring of common methods from smart_hashdump, hashdump,
cachedump to Windows::Post::Privs
2013-11-24 18:09:33 +00:00
Meatballs a3c7dccfc0
Add disconnect option to psexec
Allow the module to prevent the mixin from ending the SMB session.
2013-11-24 16:37:25 +00:00
Meatballs dd9bb459bf
PSEXEC Refactor
Move peer into mixin
PSEXEC should use the psexec mixin
2013-11-24 16:24:05 +00:00
Meatballs c03c33f6f6
Initial commit 2013-11-24 14:58:18 +00:00
Meatballs e7dfda00db
Documentation 2013-11-23 22:03:43 +00:00
Meatballs becc521406
Constants, yey 2013-11-23 21:46:11 +00:00
Meatballs 699d13eef1
Share the wealth
Move LDAP methods to a Post mixin.
2013-11-23 21:42:09 +00:00
Meatballs 6c83109422
Really fix wmi 2013-11-23 16:44:44 +00:00
William Vu 8e23119e17
Land #2678, DB_ALL_CREDS should default to false 2013-11-22 23:42:00 -06:00
Tod Beardsley 8fc0a8199e DB_ALL_CREDS should be disabled by default
[SeeRM #8699]
2013-11-22 22:16:40 -06:00
Meatballs 259d5a2dba
Backout Set-Variable as it is 3.0 only 2013-11-23 01:15:13 +00:00
Meatballs 1c60373f68
Reinstate %COMSPEC% 2013-11-23 00:45:04 +00:00
Meatballs c194fdc67e
Fixup WMI
-c doesn't like $var assignments
2013-11-23 00:31:11 +00:00
Meatballs 3cbf768d16
Small size reductions 2013-11-22 22:58:42 +00:00
Meatballs 20b76602a1
Merge remote-tracking branch 'upstream/master' into pr2075
Conflicts:
	lib/msf/core/exploit/powershell.rb
2013-11-22 22:41:08 +00:00
Tod Beardsley e88da09894
Land #2660, DLL/service creation for x64 2013-11-20 17:25:16 -06:00
Joe Vennix 739c7b4ca2 More dead code and tweaks. 2013-11-20 14:44:53 -06:00
Joe Vennix 3ff9da5643 Remove compression options from client sockets.
I couldn't verify that it was working, as it always sends 1 compression type of NULL.
2013-11-20 14:41:45 -06:00
Meatballs 3ed84d1e0b
Remove puts 2013-11-20 20:29:54 +00:00
Meatballs 7253cc73d5
:payload_instance 2013-11-20 20:28:00 +00:00
Meatballs f27194a8ce
Always default to payload options 2013-11-20 20:14:59 +00:00
Meatballs 135dad1f4e
Fix dll/service creation 2013-11-20 20:10:47 +00:00
jvazquez-r7 110e78a1ad
Land #2507, @todb-r7's fix to allow DCERPC misin to use RPORT 2013-11-20 10:21:32 -06:00
Joe Vennix f8b57d45cd Reenable the client SSLCompression advanced option.
Add spec for some of the additions to Rex::Proto::Http::Client
2013-11-20 01:03:13 -06:00
Joe Vennix 109fc5a834 Add SSLCompression datastore option.
Also disables the compression by default. TLS-level compression is almost
never used by browsers, and openssl seems to be the only one that enables
it by default.

This also kills some ruby < 1.9.3 code.
2013-11-19 22:34:39 -06:00
Tod Beardsley ac1fb2d1da
Just use a straight RPORT, don't sneak 593.
Incidentally, the endmap scanner doesn't appear to work at all for
http-rpc-epmap, so no harm done anyway (tested against Windows 2008
server).

It looks like a bigger change than it realy is, thanks to the indentaton
changes by removing the itertor. Diff this without whitespace changes to
get a better idea of what's actually different.
2013-11-19 13:29:02 -06:00
jvazquez-r7 f690667294
Land #2617, @FireFart's mixin and login bruteforcer for TYPO3 2013-11-18 13:37:16 -06:00
James Lee 0aef145f64 Merge remote-tracking branch 'upstream/master' into land-2532-enum-lsa 2013-11-13 18:11:21 -06:00
James Lee 8471f74b75
Refactor ivar to a more reasonable method
Also changes jtr output for cachedump to produce hashes that can be
auto-detected as mscash2 format for a better user experience.
2013-11-13 18:09:41 -06:00
James Lee 16627c1bd3
Add spec for capture_lsa_key 2013-11-13 15:16:34 -06:00
William Vu 6bd82d8589
Land #2636, Win8 for {constants,platform}.rb 2013-11-13 14:20:52 -06:00
sinn3r 3a923422a3 Update class for Win 8 2013-11-13 13:27:44 -06:00
James Lee 3168359a82
Refactor lsa and add a spec for its crypto methods 2013-11-13 11:55:39 -06:00
Tod Beardsley 74df9bd037
Bump version number since 4.8.0 is out 2013-11-13 11:42:31 -06:00
sinn3r 8e90116c89 Add Win 8 to constants 2013-11-13 11:38:27 -06:00
jvazquez-r7 ef6d9db48f
Land #2613, @wchen-r7's BrowserExploitServer mixin 2013-11-12 17:33:12 -06:00
sinn3r fbe1b92c8f Good bye get_resource 2013-11-12 17:25:55 -06:00
Tod Beardsley 2035983d3c
Fix a handful of msftidy warnings, and XXX SSL
Marked the SSL stuff as something that needs to be resolved in order to
fix a future bug in datastore manipulation. Also, fixed some whitespace
and exec complaints

[SeeRM #8498]
2013-11-11 21:23:35 -06:00
sinn3r cf8f2940b0 Oops, this is the right filename 2013-11-11 15:45:11 -06:00
sinn3r 85150823cd rename again 2013-11-11 15:44:27 -06:00
sinn3r 6a840fc169 Move file to get a matching name 2013-11-11 12:41:03 -06:00
OJ 063da8a22e Update reverse_https_proxy stager/handler
This change updates the proxy handler code, which for some reason was
ommitted in the orginal commits. This now uses the same mechanism as
the new code. It removes `HIDDENHOST` and `HIDDENPORT`, and instead
uses `ReverseListenerBindHost` and `ReverseListenerBindAddress`.
2013-11-11 22:21:05 +10:00
sinn3r 866f240337 A little update on documentation 2013-11-07 17:06:43 -06:00
sinn3r 32b12609bd Forgot to pass optional headers 2013-11-07 16:50:58 -06:00
FireFart bdd33d4daf implement feedback from @jlee-r7 2013-11-07 23:07:58 +01:00
FireFart aab4d4ae76 first commit for typo3 2013-11-07 22:38:27 +01:00
sinn3r 991240a87e Support java version detection 2013-11-07 00:54:52 -06:00
sinn3r 3e1771aa77 Being able to pass binding when we need to 2013-11-07 00:12:29 -06:00
sinn3r 23996ec32c Fix up some things 2013-11-06 22:47:02 -06:00
sinn3r c338f7a8c0 Change how requirements are defined, rspec, etc 2013-11-06 14:01:29 -06:00
sinn3r c92116060e Forgot to rm this line 2013-11-06 01:53:46 -06:00
sinn3r f2e4d5507c More rspec 2013-11-06 01:45:40 -06:00
sinn3r 636adc81de Add rop_junk and rop_nop 2013-11-06 01:04:33 -06:00
sinn3r 65c96a1f45 Allow the module to be target specific 2013-11-06 00:57:53 -06:00
sinn3r 63d3c7e8bb Put proxy headers in a constant 2013-11-05 16:33:36 -06:00
sinn3r 73701462ed Fix ActiveX. Use ERB for Javascript detection code. 2013-11-05 16:26:41 -06:00
James Lee 36f96d343e Revert "Revert "Land #2505" to resolve new rspec fails"
This reverts commit e7d3206dc9.
2013-11-05 13:45:00 -06:00
sinn3r 9c6b187cc6 stuff 2013-11-05 11:05:33 -06:00
sinn3r 0513dad789 -_- 2013-11-05 10:30:37 -06:00
sinn3r 9d1742ac47 Fix typos 2013-11-05 10:15:53 -06:00
sinn3r 8fb2b943be Add ActiveX detection 2013-11-05 01:34:56 -06:00
sinn3r 5f2d8358c0 Be more browser specific with Javascript generation 2013-11-05 01:04:52 -06:00
sinn3r 844daf0e00 No regex for get_resource checking 2013-11-04 17:49:43 -06:00
sinn3r 054a525f35 Change profile data structure 2013-11-04 17:46:36 -06:00
sinn3r ef57a38274 Move documentation about profile structure 2013-11-04 16:47:15 -06:00
OJ 12810580d6 Remove arg for bind port/addr functions
Done to avoid masking of datastore instance variable.
2013-11-05 06:56:21 +10:00
sinn3r 9c8ecd2ede Fix encoding order 2013-11-04 14:06:42 -06:00
sinn3r d970925cbf Fix encoding bug 2013-11-04 13:45:29 -06:00
sinn3r 23e5a9f048 Force on_request_exploit override 2013-11-04 12:54:52 -06:00
sinn3r e83f4e5120 Use a warning 2013-11-04 12:54:41 -06:00
sinn3r 25787fbaa7 Change has_proxy? 2013-11-04 12:52:15 -06:00
sinn3r c6fb570480 Correct bad method naming 2013-11-04 12:35:04 -06:00
sinn3r 016e686bcf super chomp 2013-11-04 12:28:22 -06:00
sinn3r c3d9f4064c They are symbols not strings 2013-11-04 12:10:39 -06:00
sinn3r 0337e6ff54 Do yard documentation 2013-11-04 12:09:59 -06:00
sinn3r abc06aa8aa Use mutex 2013-11-01 11:35:23 -05:00
sinn3r 5fb261a974 Change var name 2013-10-31 23:48:41 -05:00
sinn3r d54c8a359b Fix bug in proxy detection 2013-10-31 23:42:43 -05:00
sinn3r 7a33c48a0f No double slash 2013-10-31 23:17:38 -05:00
sinn3r 5851d502b5 Rename some stuff 2013-10-31 23:12:20 -05:00
sinn3r 21891a8337 Make sure the browser can't retry by going to the first URL 2013-10-31 23:08:17 -05:00
sinn3r 94d62613ab Pretty much done with these, remove these comments. 2013-10-31 19:04:11 -05:00
sinn3r 828ef9c64c Adds target-specific payload generator 2013-10-31 18:54:01 -05:00
sinn3r 8a0ebcbac7 Adds method get_module_resource 2013-10-31 14:34:38 -05:00
sinn3r 10fd892827 Fix a "undefined method to_sym" bug
If something is undetectable, the value may be empty, which triggers
a undefined method error because the regex always assumes there is
something. So instead of +, we use *.
2013-10-31 14:06:05 -05:00
sinn3r 6e7e5a0ff9 Put postInfo() in the js directory 2013-10-31 13:55:22 -05:00
sinn3r 00efad5c5d Initial commit for BrowserExploitServer mixin 2013-10-31 13:17:06 -05:00
William Vu f5d1d8eace chmod -x .rb files without #! in modules and lib
It wasn't just cmdstager_printf.rb. :/
2013-10-30 19:51:25 -05:00
William Vu 333a0d5820 chmod -x cmdstager_printf.rb 2013-10-28 18:47:14 -05:00
b00stfr3ak a476595ddb Added require to post/windows 2013-10-25 14:42:22 -07:00
b00stfr3ak 84999115d7 Added PSH option if UAC is turned off
This will give the option to drop an exe or use psh if uac is turned
off.  The lib can be used for post exploitation to drop an exe or use
powershell and then execute it with the runas command.  I have used the
lib for both bypassuac and ask.
2013-10-25 14:37:12 -07:00
Tod Beardsley b5f26455a3
Land #2545, javascript library overhaul 2013-10-23 16:12:49 -05:00
sinn3r caf41f34bf
Land #2562 - Fix RM 8510 (FileDropper) 2013-10-22 21:45:33 -05:00
sinn3r acc73dd545
Land #2282 - BypassUAC now checks if the process is LowIntegrityLevel 2013-10-22 17:16:26 -05:00
jvazquez-r7 7d1dc3746f Use the @schierlm's command 2013-10-22 16:19:49 -05:00
Tod Beardsley dc0d9ae21d
Land #2560, ZDI references
[FixRM #8513]
2013-10-22 15:58:21 -05:00
Meatballs 8611a2a24c
Merge remote-tracking branch 'upstream/master' into low_integ_bypassuac 2013-10-22 21:42:36 +01:00
sinn3r ba1edc6fa8
Land #2402 - Windows Management Instrumentation Local -> Peers 2013-10-22 15:39:32 -05:00
jvazquez-r7 4ad9bc5efe Try to [FixRM #8510] 2013-10-22 08:42:14 -05:00
sinn3r afcce8a511 Merge osdetect and addonsdetect 2013-10-22 01:11:11 -05:00
sinn3r 99d5da1f03 We can simplify this 2013-10-21 20:22:45 -05:00
sinn3r 9a3e719233 Rework the naming style 2013-10-21 20:16:37 -05:00
Meatballs 4fc8bb2b4b
Auto arch detection 2013-10-22 00:42:59 +01:00
William Vu 9258d79978 Add ZDI references to reference.rb 2013-10-21 15:13:46 -05:00
sinn3r 032da9be10
Land #2426 - make use of Msf::Config.data_directory 2013-10-21 13:07:33 -05:00
Tod Beardsley e7d3206dc9
Revert "Land #2505" to resolve new rspec fails
This reverts commit 717dfefead, reversing
changes made to 6430fa3354.
2013-10-21 12:47:57 -05:00
William Vu 717dfefead
Land #2505, missing source fix for sock_sendpage 2013-10-21 11:47:55 -05:00
sinn3r 8a94df7dcd Change category name for base64 2013-10-18 21:20:16 -05:00
Tod Beardsley ffcb86eba2
Land #2541, Outpost24 importer
Sample data is currently secret. If we get a hold of non-secret sample
data, it'll be tacked on to the Redmine bug referenced below.

[FixRM #8384]
2013-10-18 13:21:58 -05:00
Meatballs 4e4d0488ae
Rubyfy constants in privs lib 2013-10-18 18:26:07 +01:00
sinn3r 6f04a5d4d7 Cache Javascript 2013-10-18 12:23:58 -05:00
sinn3r b0d614bc6a Cleaning up requires 2013-10-18 01:47:27 -05:00
Meatballs e450e34c7e
Merge branch 'master' of github.com:rapid7/metasploit-framework into low_integ_bypassuac
Conflicts:
	modules/exploits/windows/local/bypassuac.rb
2013-10-17 23:35:36 +01:00
Meatballs 5a662defac
Post::Privs uses Post::Registry methods 2013-10-17 23:28:07 +01:00
sinn3r c926fa710b Move all exploitation-related JavaScript to their new home 2013-10-17 16:43:29 -05:00
Rob Fuller 8f2ba68934 move decrypt_lsa and decrypt_secret to priv too 2013-10-17 00:04:21 -04:00
Rob Fuller 541d932d77 move decrypt_lsa to priv as well 2013-10-16 23:53:33 -04:00
Rob Fuller 60d8ee1434 move capture_lsa_key to priv 2013-10-16 23:45:28 -04:00
Rob Fuller 1a9fcf2cbb move convert_des_56_to_64 to priv 2013-10-16 23:39:07 -04:00
Rob Fuller 1a85bd22a8 move capture_boot_key to post win priv 2013-10-16 22:46:15 -04:00
sinn3r 4c91f2e0f5 Add detection code MS Office
Add detection code for MS Office XP, 2003, 2007, 2010, and 2012.

[SeeRM #8413]
2013-10-15 16:27:23 -05:00