jvennix-r7
92414d3688
Merge pull request #53 from rapid7/bug/MSP-9994/framework-db-driver
...
Set `framework.db.driver` when connection already established.
2014-06-10 10:49:00 -05:00
Luke Imhoff
2cbbaad6b4
Set drivers and driver when connection already established
...
MSP-9994
3 database commands in msfconsole check for framework.db.driver to be
set, so driver must be set when the connection is already established by
the Rails initialization.
2014-06-09 14:26:59 -05:00
Luke Imhoff
1ee35ec68a
Handle unconnected config in connection_established?
...
MSP-9994
Rescue `ActiveRecord::ConnectionNotEstablished` in
`Msf::DBManager#connection_established?` in addition to
`PG::ConnectionBad` to handle when the connection has been removed.
2014-06-09 14:26:45 -05:00
David Maloney
482aa2ea08
Merge branch 'master' into staging/electro-release
2014-06-09 10:27:22 -05:00
Meatballs
bf1a665259
Land #2657 , Dynamic generation of windows service executable functions
...
Allows a user to specify non service executables as EXE::Template as
long as the file has enough size to store the payload.
2014-06-07 13:28:20 +01:00
Meatballs
897ad6f963
Some service yarddoc
2014-06-07 13:27:32 +01:00
Meatballs
5218ca4d89
Give warning on module load
2014-06-06 23:04:40 +01:00
joev
d990fb4999
Remove a number of stray edits and bs.
2014-06-06 16:24:45 -05:00
joev
4a9f50bb60
Clean up some dead code.
2014-06-06 16:20:40 -05:00
joev
7c762ad42c
Fix some minor bugs in webrtc stuff, inline API code.
2014-06-06 16:18:39 -05:00
Brandon Turner
bacf82acb1
Merge branch 'release' into 'master'
2014-06-06 09:59:00 -05:00
Brandon Turner
21be4f21a6
Bump version to 4.9.3
2014-06-06 09:52:01 -05:00
Luke Imhoff
f2a56c041b
Merge branch 'staging/electro-release' into feature/MSP-9653/use-metasploit-concern-in-pro
...
MSP-9653
Conflicts:
Gemfile
Gemfile.lock
2014-06-05 16:22:02 -05:00
David Maloney
28bf29980e
Merge branch 'master' into staging/electro-release
2014-06-04 10:21:08 -05:00
joev
cf6b181959
Revert change to trailer(). Kill dead method.
...
* I verified that changes to PDF mixin do not affect any older modules that
generate PDF. I did this by (on each branch) running in irb, then
running the module and diffing the pdf's generated by each branch. There were
no changes.
2014-06-02 22:26:14 -05:00
joev
9f5dfab9ea
Add better interface for specifying custom #eol.
2014-06-02 22:26:11 -05:00
joev
09e965d54e
Remove extraneous method from pdf.rb
2014-06-02 22:26:03 -05:00
joev
feca6c4700
Add exploit for ajsif vuln in Adobe Reader.
...
* This refactors the logic of webview_addjavascriptinterface into a mixin (android.rb).
* Additionally, some behavior in pdf.rb had to be modified (in backwards-compatible ways).
Conflicts:
lib/msf/core/exploit/mixins.rb
2014-06-02 22:25:55 -05:00
Tod Beardsley
d0d389598a
Land #3086 , Android Java Meterpreter updates
...
w00t.
2014-06-02 17:28:38 -05:00
Luke Imhoff
9e78509aac
Merge branch 'staging/electro-release' into feature/MSP-9653/use-metasploit-concern-in-pro
...
MSP-9653
Conflicts:
Gemfile
Gemfile.lock
2014-06-02 13:40:11 -05:00
Luke Imhoff
3ebe7dfbc8
Gem version
...
MSP-9653
Move version information to standard location for gems.
2014-06-02 12:54:46 -05:00
Luke Imhoff
21fad7163d
Msf::DBManager#connection_established?
...
MSP-9653
Calling `ActiveRecord::Base.establish_connection`, followed by
`ActiveRecord::Base.connected?` returns false unless some other code
requires a connection to be checked out first. The correct way to check
if the spec passed to `ActiveRecord::Base.establish_connection` is to
checkout a connection and then ask if it is active.
`Msf::DBManager#connection_established?` does the checkout, active check
and checkin, and should be used in place of
`ActiveRecord::Base.connected?` and
`ActiveRecord::Base.connection_pool.connected?`.
`Msf::DBManager#active` should still be used as it also checks for
adapter/driver usability and that migrations have run.
2014-06-02 12:49:09 -05:00
David Maloney
34004908bb
Merge branch 'master' into staging/electro-release
...
Conflicts:
.ruby-version
2014-06-02 11:10:33 -05:00
William Vu
bba741897e
Land #3413 , improved FileDropper cleanup message
2014-06-02 11:05:48 -05:00
Christian Mehlmauer
428df19739
Changed message
2014-06-02 17:28:09 +02:00
Meatballs
f0e9a9010e
Return nil if fail
2014-06-01 11:55:40 +01:00
Meatballs
a4ecd8e02d
Should return the thread object
2014-06-01 11:49:56 +01:00
Meatballs
58ee2ccd6e
Land #3390 , Fix have_powershell
2014-06-01 10:43:35 +01:00
Christian Mehlmauer
03b4a29662
Clarify filedropper error message
2014-05-31 22:17:32 +02:00
Trevor Rosen
dee4acdb2a
Merge pull request #27 from rapid7/feature/MSP-9725/windows_hashdump
...
Windows Hashdump post module refactor
MSP-9725 #land
2014-05-30 14:04:31 -05:00
Trevor Rosen
8bcd763039
Merge pull request #26 from rapid7/feature/MSP-9685/telnet_login_scanner
...
Feature/msp 9685/telnet login scanner
MSP-9685 #land
2014-05-30 13:40:18 -05:00
David Maloney
782c8bd172
Merge branch 'staging/electro-release' into feature/MSP-9725/windows_hashdump
2014-05-30 13:28:35 -05:00
David Maloney
ba525c7b78
use metasploit-credential creation methods
2014-05-30 13:07:11 -05:00
David Maloney
98a23881ee
remove cred creation methods
...
removed cred creation methods from framework
and include them from the metasploit-credential gem instead
2014-05-30 11:28:53 -05:00
David Maloney
e3c4745879
Windows Hashdump post module refactor
...
refactor the Hashdump post module for window
to use the new cred creation methods.
Also some extra methods to do db safe checks
for record ids that we need
2014-05-29 13:20:32 -05:00
David Maloney
eb04a3774a
fixes for telnet wierdness
...
had to work around the way the old
Auxiliary::Login mixin worked. Scanner
now works properly
2014-05-29 10:43:00 -05:00
Tom Sellers
aa85cb8195
Update powershell.rb
2014-05-29 05:46:32 -05:00
HD Moore
c7366b4361
Fix a small typo in the regex
2014-05-28 14:40:09 -05:00
HD Moore
583dab62b2
Introduce and use OS matching constants
2014-05-28 14:35:22 -05:00
Luke Imhoff
0e60f08e51
Don't re-establish connection
...
MSP-9653
If ActiveRecord::Base is already connected, then don't attempt to create
the database (as it involves establishing a new connection) or
establishing a new connection after the creation. Still run the
migrations as the normal Rails::Application.initialize! will result in
ActiveRecord::Base.connected? being true even if migrations are missing.
2014-05-28 14:34:36 -05:00
David Maloney
ca4c942ceb
Merge branch 'staging/electro-release' into feature/MSP-9640/cred_creation
2014-05-28 09:40:44 -05:00
David Maloney
967b0d49b1
Merge branch 'master' into staging/electro-release
...
Conflicts:
Gemfile
Gemfile.lock
2014-05-28 09:39:56 -05:00
David Maloney
deabd1c3b0
tidy the YARD
...
some more cleanup, in the YARD
docs this time.
2014-05-28 09:30:45 -05:00
Tom Sellers
ae1b7e564b
Update powershell.rb
2014-05-27 05:18:00 -05:00
Tom Sellers
42a17cc085
Update powershell.rb
...
To be clear, the shell that was tested with was 'windows/shell_reverse_tcp' delivered via 'exploit/windows/smb/psexec'
Additional changes required to fix regex to support the multiline output. Also, InstanceId uses a lower case 'D' on the platforms I tested - PowerShell 2.0 on Windows 2003, Windows 7, Windows 2008 R2 as well as PowerShell 4.0 on Windows 2012 R2.
This method doesn't appear to be used anywhere in the Metasploit codebase currently.
2014-05-25 08:59:42 -05:00
Tom Sellers
76b9273f10
Improve reliability of have_powershell
...
I have a case where on a Windows 2008 R2 host with PowerShell 2.0 the 'have_powershell' method times out. When I interactively run the command I find that the output stops after the PowerShell command and the token from 'cmd_exec' is NOT displayed. When I hit return the shell then processes the '&echo <randomstring>' and generates the token that 'cmd_exec' was looking for. I tried various versions of the PowerShell command string such as 'Get-Host;Exit(0)', '$PSVErsionTable.PSVersion', and '-Command Get-Host' but was unable to change the behavior. I found that adding 'echo. | ' simulated pressing enter and did not disrupt the results on this host or on another host where the 'have_powershell' method functioned as expected.
There may be a better solution, but this was the only one that I could find.
2014-05-25 08:07:38 -05:00
David Maloney
32b88c2db6
final fixes to login creation
2014-05-23 10:58:21 -05:00
joev
ae3c334232
Getting closer. Still something f'd with local answerer.html.
2014-05-22 17:14:35 -05:00
David Maloney
ac9af000af
full cred creation rotuine done
...
creating Logins as a seperate method, both
methods are done and fully documented.
2014-05-22 13:53:26 -05:00
sinn3r
1dbe972377
Fix URIPATH / for BrowserExploitServer
...
[SeeRM #8804 ] Fix URIPATH / for BrowserExploitServer
2014-05-22 12:18:49 -05:00
David Maloney
19e36cccb3
Credential Core creation now complete
2014-05-21 16:37:13 -05:00
joev
14b796acbf
First stab at refactoring webrtc mixin.
2014-05-21 15:32:29 -05:00
David Maloney
3ea99a9d43
private creation w/ specs and docs
...
the private creation method is now done
with specs and YARD docs
2014-05-21 13:21:56 -05:00
David Maloney
2629549f6f
added realm creation
...
added method for creating credential realm
creation.
2014-05-21 11:22:22 -05:00
Meatballs
15313a9ab1
Dont try to read 0 structs
2014-05-20 21:55:04 +01:00
David Maloney
ce69f742a4
add yarddocs to origin methods
...
added YARD docs to the creation methods for
Credential::Origins
2014-05-20 11:16:19 -05:00
Luke Imhoff
38fbbdc1b5
Print tm_call one caller per line
...
MSP-9653
The inspect format was difficult to read so convert to standard
backtrace format of one caller per line.
2014-05-20 10:59:29 -05:00
David Maloney
9cdddb08d9
origin specs for realsies
...
final specs and fixes for the origin creation
methods
2014-05-20 10:19:03 -05:00
David Maloney
b84aaaad19
specs and fixes for origin creation
2014-05-20 09:59:15 -05:00
David Maloney
ddfa4f1ee7
some origin creation specs
...
started getting working specs
for the origin creation methods. feel
into the weeds for a bit, but making progress at last.
2014-05-19 15:16:02 -05:00
David Maloney
9efb97d465
origin creation method
...
added base behaviour for creating generic
credential origin objects from report
2014-05-19 10:00:19 -05:00
HD Moore
a8bf53479d
Fix a merge error
2014-05-18 11:08:04 -05:00
HD Moore
a844b5c30a
Merge branch 'master' of github.com:hmoore-r7/metasploit-framework into feature/recog
...
Conflicts:
Gemfile
Gemfile.lock
data/js/detect/os.js
lib/msf/core/exploit/remote/browser_exploit_server.rb
2014-05-18 10:50:32 -05:00
nstarke
048aebbdf2
Search Result Uniqueness
...
SeeRM #8754
Cast the results of the query to an array and perform the uniq
function passing a block which provides uniqueness based
on the return value, which in this instance is ‘fullname’
This was done because the uniq function in AREL cannot take
a specific field for uniqueness, and the sophistication of the query
make grouping nearly impossible. Initial testing showed negligible
speed difference to the user.
2014-05-15 17:52:11 +00:00
David Maloney
fb671c72a7
Merge branch 'master' into staging/electro-release
2014-05-14 13:00:37 -05:00
dmaloney-r7
acaf713229
Merge pull request #17 from rapid7/feature/MSP-9606/metasploit-credential
...
Run migrations from Metasploit::Credential and initialize its concerns which patch Mdm
2014-05-14 11:15:07 -05:00
William Vu
fdbfaacdf6
Land #3313 , progress feedback for PASS_FILE
...
[FixRM #8704 ]
2014-05-14 02:03:39 -05:00
William Vu
1ada4831e0
Land #3293 , module deprecation constants
2014-05-14 01:37:29 -05:00
William Vu
de49241195
Land #3185 , regex option validation
2014-05-14 01:27:18 -05:00
Luke Imhoff
91cc9dc2d6
Add missing Msf::DBManager#drivers initialization
...
MSP-9606
2014-05-13 13:01:59 -05:00
agix
1a3b319262
rebase to use the mixin psexec
2014-05-13 16:04:40 +02:00
agix
87be2e674a
Rebase on https://github.com/rapid7/metasploit-framework/pull/2831 and adapt to the new mixin
2014-05-13 16:04:40 +02:00
Luke Imhoff
b1598e83c3
Re-enable `bundle install --without db` support
...
MSP-9606
Catch LoadError in config/application.rb when trying to require
'active_record/railtie` so that end-users can run without any of the
database gems installed. NOTE: you can't run in the development or
test environment without the database because factory_girl needs
ActiveRecord.
2014-05-12 15:39:34 -05:00
Luke Imhoff
3370465d84
Use railties to load Metasploit::Credential correctly
...
MSP-9606
In order to support Metasploit::Credential correctly,
metasploit-framework needs to support Metasploit::Concern, which does
all its magic using a Rails::Engine initializer, so the easiest path is
to make metasploit-framework be able to use Rails::Engines. To make
Rails::Engine use Rails::Engine, make a dummy Rails::Application
subclass so that all the initializers will be run when anything requires
msfenv.
2014-05-12 15:03:51 -05:00
Jeff Jarmoc
5f523e8a04
Rex::Text::uri_encode - make 'hex-all' really mean all.
...
'hex-all' encoding was previously ignoring slashes.
This pull adds 'hex-noslashes' mode which carries forward the previous functionality, and replaces all existing references to 'hex-all' with 'hex-noslashes' It then adds a replacement 'hex-all' mode, which really encodes *ALL* characters.
2014-05-12 11:26:27 -05:00
nstarke
a71be33091
Adjusting status message to be based on time
...
Previously the status message timing was determined by the number of
pairs left to process. I have adjusted the code to rely on Time.now
in order to consistently print a message out every 60 seconds.
2014-05-09 14:39:34 +00:00
William Vu
ee303aa34e
Add missing formats in lib/msf/core/db.rb comment
...
Found outside big if block. Ugh.
2014-05-08 10:27:38 -05:00
William Vu
b50b3820a0
Update core/db.rb comments 'n' stuff
2014-05-08 02:53:02 -05:00
Meatballs
3542f851bf
Fix some yarddoc issues
2014-05-05 22:45:41 +02:00
Brendan Coles
cc8ab9bcba
Support one line js payload
...
Add missing ';' in `run_cmd_source`
2014-05-05 18:57:15 +10:00
Joshua Smith
5b1a207377
cleans up numerous superfluous returns in msf/core/module
2014-05-02 19:52:58 -04:00
nstarke
ace9e797e1
Adding count-based print message
...
This commit removes the creation of a separate, timed
thread for printing out status messages to the user
in the case of large PASS_FILEs. This adjustment eliminates
the overheard of context switching associated with
spinning off separate threads, as well as the dangers
associated with the Thread#kill method.
2014-04-29 22:10:08 +00:00
nstarke
eb98ea2d31
Large pass_file hangs login modules
...
SeeRM #8704
When running a *_login module that contains a large PASS_FILE
the module appears to hang while it is creating the combinations over
such a large dataset. The solution proposed in the Redmine task
requested that the user be alerted with some sort of progress feedback
if the process takes an excessive amount of time.
I have added a message that logs to the console that contains the
number of pairs left to be constructed before the module will continue.
The verbiage is fairly arbitrary and should probably be updated to
something that might be more descriptive. Likewise, the sleep
interval may need to be adjusted.
2014-04-28 21:45:14 +00:00
sinn3r
8a4c7b22ed
Land #3296 - Refactors firefox js usage into a mixin
2014-04-28 15:22:55 -05:00
Samuel Huckins
7fad215f3e
Merge branch 'bug/9582-metasploit-imports-and-tasks' into upstream-master
...
Land #3299
2014-04-28 10:47:23 -05:00
lsanchez-r7
8f43c229b1
Passing the Mdm::Task down the chain
...
when reporting hosts from an Mdm::Task we need to pass the task all
the way down. this wasnt done for the metasploit import format.
2014-04-25 11:15:39 -05:00
Meatballs
19dd21abaf
Remove duplicate methods
2014-04-25 15:40:03 +01:00
joev
f94d1f6546
Refactors firefox js usage into a mixin.
2014-04-24 15:09:48 -05:00
Trevor Rosen
e556997bf7
Land #3269 (Pro) fix report import issue
2014-04-24 08:27:06 -05:00
Spencer McIntyre
ec1f7d644c
Support deprecation information from constants
2014-04-23 23:03:02 -04:00
Meatballs
72a2849bf1
Better specs
...
90.6% line coverage in Exploit::Powershell
77.32% in Rex::Exploitation::Powershell and haven't even started
writing those specs...
2014-04-23 08:07:42 +01:00
Meatballs
0137fdb690
Prepend sleep should be an int
2014-04-23 07:29:51 +01:00
Meatballs
61b8fb7921
Remove puts
2014-04-23 06:15:28 +01:00
Meatballs
11526b59a6
Boolean datastore options should always be present
...
Dont evaluate true/false as 'true'/'false'!
2014-04-23 05:03:16 +01:00
Meatballs
1347649a47
Remove unused EOFs
2014-04-23 02:37:07 +01:00
Meatballs
01bfad3489
Correct datastore values
2014-04-23 02:08:57 +01:00
Meatballs
647936e291
Add more yarddoc to Rex::Exploitation::Powershell
...
encode_code doesn't use eof
no need to unicode encode in gzip as this is handled by encode_code
2014-04-23 01:07:54 +01:00
Meatballs
88fe619c48
Yarddoc exploit::powershell
2014-04-23 00:15:55 +01:00
Meatballs
4c66e86f73
Dont add extra space in args
2014-04-22 14:44:01 +01:00
Meatballs
0f942d8c3d
Still :shorten command args
2014-04-19 18:58:26 +01:00
Meatballs
270b4b9728
Catch first arg with shorten
2014-04-19 18:54:42 +01:00
Meatballs
67f44072ca
Merge remote-tracking branch 'upstream/master' into pr2075
2014-04-19 18:45:55 +01:00
William Vu
7d801e3acc
Land #3200 , goodbye LORCON modules :(
2014-04-18 12:32:22 -05:00
RageLtMan
9f05760c50
Merge with Meatballs' initial changes
...
Clean up arch detection code and dedup Msf/Rex
Reduce generated payload size
2014-04-18 00:28:48 -04:00
RageLtMan
5c3289bbc6
merge fix
2014-04-17 21:26:04 -04:00
James Lee
549e306572
Remove superfluous v6 http{,s} payload and handler
2014-04-16 18:32:35 -05:00
Samuel Huckins
2ed7a739c3
New reports in new exports can now import
...
MSP-9783
* Extracted import_report from monstrous import_msf_collateral;
simplified and clarified approach
* Updated report_report: includes all attrs provided vs subset, provides
more helpful error message
* Added report_artifact: adds child artifact for reports, handles
various troublesome cases
* Tested on all report types with a legion of option variants
2014-04-16 15:15:47 -05:00
sinn3r
7a4e12976c
First little bit at Bug 8498
...
[FixRM #8489 ] rhost/rport modification
2014-04-15 18:20:16 -05:00
Meatballs
38d8df4040
Merge remote-tracking branch 'upstream/master' into pr2075
...
Conflicts:
modules/exploits/windows/local/wmi.rb
2014-04-15 22:06:45 +01:00
Tod Beardsley
9db01770ec
Add custom rhost/rport, remove editorializing desc
...
Verification:
````
resource (./a.rc)> run
[*] Connecting to FTP server ....
[*] FTP recv: "220 ProFTPD 1.3.3a Server (My FTP server)
[*] Connected to target FTP server.
[*] Authenticating as anonymous with password mozilla@example.com...
[*] FTP send: "USER anonymous\r\n"
[*] FTP recv: "331 Anonymous login ok, send your complete email address
as your password\r\n"
````
...etc.
2014-04-14 21:46:05 -05:00
David Maloney
c537aebf0f
Land #3228 , JtR colon Seperation
2014-04-14 11:19:16 -05:00
Tod Beardsley
91293fd0db
Allow vhost to be maybe opts['rhost']
...
This enables passing rhost and rport directly to send_request_cgi
without having to monkey with the datastore.
See #8498
2014-04-10 16:47:49 -05:00
Tod Beardsley
3109f42a55
Merge release back into master
2014-04-11 15:07:16 -05:00
Brandon Turner
2f2692f4bf
Bump version to 4.9.2
2014-04-10 17:45:42 -05:00
sinn3r
80faaf86d8
Add a link to explain about unmet exploit requirements
2014-04-10 14:01:16 -05:00
James Lee
95399b0de7
Don't try to be too helpful
...
John cares not one whit how many colons are in a hash line, only that
there are enough for the format (at least 2 for regular /etc/passwd, at
least 3 for NTLM, etc). So there is no simple way to programmatically
determine whether a password had a colon or there was just an extra on
the end of the original hash line.
[MSP-9778]
See #2515
2014-04-09 19:24:26 -05:00
Tod Beardsley
062175128b
Update @Meatballs and @FireFart in authors.rb
2014-04-09 10:46:10 -05:00
Meatballs
ae3ead6ef9
Land #2107 Post Enum Domain Users
2014-04-09 11:32:12 +01:00
Tod Beardsley
eab938c7b4
Get rid of requires, too
2014-04-07 16:39:19 -05:00
Tod Beardsley
17ddbccc34
Remove the broken lorcon module set
...
None of the lorcon / lorcon2 modules have been functional for a long
time, due to the lack of a "Lorcon" gem. It's unclear where it went.
I'm happy to include it and get these working again, but until someone
comes up with some functional code (hint: 'gem install' doesn't work) I
don't see any reason to keep shipping these.
Is there some trick people are doing to make these work? As far as I can
see, they are broken by default.
````
msf auxiliary(wifun) > show options
Module options (auxiliary/dos/wifi/wifun):
Name Current Setting Required Description
---- --------------- -------- -----------
CHANNEL 11 yes The initial channel
DRIVER autodetect yes The name of the wireless driver
for lorcon
INTERFACE wlan0 yes The name of the wireless
interface
msf auxiliary(wifun) > run
[*] The Lorcon2 module is not available: cannot load such file --
Lorcon2
[-] Auxiliary failed: RuntimeError Lorcon2 not available
[-] Call stack:
[-]
/home/todb/git/rapid7/metasploit-framework/lib/msf/core/exploit/lorcon2.rb:67:in
`open_wifi'
[-]
/home/todb/git/rapid7/metasploit-framework/modules/auxiliary/dos/wifi/wifun.rb:29:in
`run'
[*] Auxiliary module execution completed
````
2014-04-07 16:37:10 -05:00
Christian Mehlmauer
4bf6481242
Added regex option to validate options
2014-04-02 23:51:33 +02:00
jvazquez-r7
577bd7c855
Land #3146 , @wchen-r7's flash version detection code
2014-04-02 15:13:41 -05:00
agix
a71fcaeefd
add comments on change description call
2014-04-02 20:33:09 +01:00
agix
bc4cb3febf
Add DCERPC catch exception
2014-04-02 20:33:09 +01:00
agix
4a575d57ab
Try to fix Meatballs1 suggestions : optional service_description change call
2014-04-02 20:33:09 +01:00
agix
5334f2657e
Fix a bug for backwards compatibility
2014-04-02 20:33:08 +01:00
agix
631a7b9c48
Adapt to new psexec mixin (first try :D)
2014-04-02 20:33:08 +01:00
HD Moore
7e227581a7
Rework OS fingerprinting to match Recog changes
...
This commit changes how os_name and os_flavor are handled
for client-side exploits, matching recent changes to the
server-side exploits and scanner fingerprints.
This commit also updates the client-side fingerprinting to
take into account Windows 8.1 and IE 9, 10, and 11.
2014-04-01 08:14:58 -07:00
HD Moore
b5561cc9ec
Report a fingerprint instead of overwriting host.os_name
2014-03-30 06:32:38 -07:00
HD Moore
76720e9cf8
Small tweaks, see 4611d0a8d0
2014-03-30 06:27:48 -07:00
HD Moore
4611d0a8d0
Update report_host() to match os_* field changes
...
This is part of a bigger change to normalize what os_name, os_flavor, and
os_sp actually mean. To summarize the changes happening in Mdm:
1) The vendor name is being removed from os_name
* "Microsoft Windows" -> "Windows 7"
2) The os_flavor field is being used for the edition of the os_name product
* "7" -> "Enterprise"
3) The os_sp field specifies a version if known and nothing if not
* "SP0" -> "", "Service Pack 2" -> "SP2", etc
2014-03-30 06:23:47 -07:00
HD Moore
20bbf7837c
Refactor and integrate smb_fingerprint() for Recog support
2014-03-30 05:52:23 -07:00
William Vu
5a448d9f2d
Fix ActiveRecord::ConnectionNotEstablished
...
[SeeRM #8780 ]
2014-04-02 00:54:39 -05:00
William Vu
8fd4f50081
Fix NameError for "r" in Msf::Auxiliary::Nmap
...
Wasn't in scope.
2014-04-01 17:35:20 -05:00
William Vu
f9a7cfaa67
Land #3168 , EICAR payload encoding
2014-04-01 09:17:10 -05:00
Tod Beardsley
42c7b85b86
Don't EICAR every time. That would be bad.
2014-04-01 09:05:55 -05:00
sinn3r
07ab05c870
Update a comment
2014-03-28 15:20:45 -05:00
sinn3r
4b7f85e47d
Adobe Flash support in BES
2014-03-28 15:14:58 -05:00
Tod Beardsley
196e07c5b1
Touch up the EICAR stuff
2014-03-28 11:45:28 -05:00
jvazquez-r7
da6a428bbf
Modify libs to support explib2
2014-03-28 10:44:52 -05:00
James Lee
6c36d14be1
Land #3118 , fix java payloads for msfvenom
2014-03-25 15:38:21 -05:00
sinn3r
85c0c8bb70
Add support to detect mshtml build
...
Some IE vulns are build-specific, in that case we need a way to
detect the build version. On IE9 and newer, the build version is
the same as the one you see in WinDBG when you do lmv m mshtml.
On IE8, it returns something else I don't know.
2014-03-25 03:31:08 -05:00
William Vu
8b2ee4eb8c
Disable BLANK_PASSWORDS and USER_AS_PASS
...
They're as obnoxious as DB_ALL_* when enabled by default.
2014-03-24 15:51:35 -05:00
HD Moore
903af02e08
Store at most one http.fingerprint per host/port, revert http_version
2014-03-23 10:42:20 -07:00
HD Moore
f349f85a70
Reimplement HTTP fingerprinting, backwards compatible
...
This commit changes the internals of HTTP fingerprinting to store
a whole trove of data about the HTTP response using a hash. The
current API is backwards compatible and has been tested with a
number of modules that depend on HttpFingerprint being sent.
In addition, this change paves the way for advanced fingerprints
that take advantage of the HTTP body and other headers. This is
a requested addition documented across various module comments.
Finally, this commit completes the closed loop for OS identification
by connecting MSF to MDM to Recog and applying Recog databases for
HTTP Servers, HTTP Cookies, and HTTP Authentication headers to the
results of HTTP fingerprinting runs.
For example, with the appropriate version of MDM/Recog in place,
a http_version scan of Microsoft-IIS/7.0 server will update the
host.os_name field to 'Windows 2008'.
2014-03-23 07:26:11 -07:00
Meatballs
d53b56c161
Tidy up
2014-03-22 18:38:58 +00:00
Meatballs
b524507e4e
Merge remote-tracking branch 'upstream/master' into land_2551
...
Conflicts:
modules/exploits/windows/local/ask.rb
2014-03-22 18:14:45 +00:00
Meatballs
7b2f0a64fc
Tidy up
2014-03-22 18:07:57 +00:00
sinn3r
13f5c22536
Land #3129 - Fix 2782 with 2961 and stop stack-tracing download_exec
2014-03-21 11:36:59 -05:00
James Lee
0a141f1c02
Land #2810 , masked password format switcheroo
2014-03-20 15:12:12 -05:00
David Maloney
c4a9b4fda0
Land #3128 , Put loot in correct workspace
2014-03-20 14:11:17 -05:00
Tod Beardsley
4d3f871e9d
Land #2961 , get_env and get_envs Post mixin
...
This unbreaks the changes introduced by #2782 by introducing
get_env and get_envs for shell sessions (not just meterpreter sessions).
2014-03-20 10:53:50 -05:00
Trevor Rosen
dd4b16ad60
Remove some dead code
2014-03-20 09:38:14 -05:00
Trevor Rosen
dc85a99fbd
report_loot now sets proper Mdm::Workspace
...
* Uses an Mdm::Workspace when passed one in conf hash
2014-03-20 09:27:09 -05:00
Samuel Huckins
33ca577010
Zip Workspace imports now working.
...
MSP-9531
* Was trying to delete XML file, not sure why, running into permission
error
* General clarification and cleanup
2014-03-19 22:53:15 -05:00
Samuel Huckins
cc4c958d58
Merge remote-tracking branch 'metasploit-framework/master' into masked-cred-format-update
2014-03-19 15:47:46 -05:00
David Maloney
130474fdfd
Fix java payload generation
...
jsp payloads are java but do not generate JARs
also we were not merging datastore options in properly
2014-03-18 13:41:27 -05:00
David Maloney
da0c37cee2
Land #2684 , Meatballs PSExec refactor
2014-03-14 13:01:20 -05:00
sinn3r
6e37493471
Land #3091 - native shellcode payloads from a FF privileged js shell
2014-03-13 13:36:37 -05:00
Joe Vennix
db036e44ad
Use RdlCopyMemory from Kernel32.
2014-03-13 11:05:58 -05:00
sinn3r
7ead04414c
Land #3024 - Allow encoder Compat options
2014-03-13 10:59:40 -05:00
Joe Vennix
851fca2107
Add posix fork() call before running code.
2014-03-12 02:56:26 -05:00
Joe Vennix
7afcb6aee8
Add CreateThread wrapper for windows.
2014-03-12 02:49:09 -05:00
Joe Vennix
ce0c5380a5
Kill stray //.
2014-03-12 02:20:49 -05:00
Joe Vennix
9bdf570763
All working now. In-memory meterpreter even.
2014-03-12 02:19:28 -05:00
sinn3r
b431bf3da9
Land #3052 - Fix nil error in BES
2014-03-11 12:51:03 -05:00
AnwarMohamed
b45524ecdd
generate cert @ payload/dalvik.rb
2014-03-10 21:50:00 -05:00
AnwarMohamed
99cc94e6fc
moving string_sub() to payload/dalvik.rb
2014-03-10 21:49:59 -05:00
Joe Vennix
c07f390382
Add CookieExpiration option, add trailing slash to URI.
2014-03-10 13:07:17 -05:00
Meatballs
311d4665ce
Re-use CreateService Handle
...
and remove unused variable
2014-03-06 21:37:49 +00:00
Joe Vennix
05067b4e33
Oops. Need to init the profile before accessed.
2014-03-06 11:48:54 -06:00
Joe Vennix
ad592fd114
Remove unnecessary method.
2014-03-05 23:36:43 -06:00
Joe Vennix
a792f85a5f
Fix re-initialize bug.
2014-03-05 23:27:04 -06:00
William Vu
096d6ad951
Land #3055 , heapLib2 integration
2014-03-05 15:48:13 -06:00
OJ
a1aef92652
Land #2431 - In-memory bypass uac
2014-03-05 11:15:54 +10:00
Joe Vennix
5790547d34
Start undoing some work.
2014-03-04 17:01:53 -06:00
David Maloney
72c6b995de
adjust timeout for shadowcopy
...
WMIC defaults to 10 sec timeout but shadowcopy
often needs longer.
2014-03-04 10:18:59 -06:00
Etienne Stalmans
e452b81fb1
style changes as suggested by @jlee-r7
2014-03-04 08:49:52 +02:00
Joe Vennix
3360f7004d
Update form_post vars, add Expires to cookie.
2014-03-03 23:29:02 -06:00
Meatballs
43715eeb7f
Blame @OJ
...
He changed the clipboard API underneat me.
2014-03-03 22:06:05 +00:00
Meatballs
32d83887d3
Merge remote-tracking branch 'upstream/master' into wmic_post
2014-03-03 21:56:31 +00:00
sinn3r
ee1209b7fb
This should work
2014-03-03 11:53:51 -06:00
Joe Vennix
894d16af80
Add specs for new/returning/previous visitors.
2014-03-02 20:50:10 -06:00
Joe Vennix
6825fd2486
Whitespace tweaks and cleanup.
2014-03-02 19:57:48 -06:00
Joe Vennix
46f27289ed
Reorganizes form_post into separate file.
2014-03-02 19:55:21 -06:00
Joe Vennix
785a35a81a
Needed to kill objToQuery.
2014-03-02 19:48:55 -06:00
Joe Vennix
e8226f9d40
Use a keyed cookie. Moves AJAX call to a form post.
2014-03-02 19:47:24 -06:00
Joe Vennix
26db845438
Try to pthread_create. Fails.
2014-03-02 18:02:23 -06:00
Meatballs
2885ebcb40
Merge remote-tracking branch 'upstream/master' into pr2075
2014-03-02 20:57:02 +00:00
Meatballs
0956ae5789
Fix payload selection
2014-03-02 20:56:55 +00:00
Meatballs
1ca690eccf
Do some rspec
2014-03-02 20:37:08 +00:00
Meatballs
c9a2135959
Merge in semperv
2014-03-02 19:07:13 +00:00
sinn3r
8cf5c3b97e
Add heaplib2
...
[SeeRM #8769 ] Add heapLib2 for browser exploitation
2014-03-02 11:47:18 -06:00
sinn3r
ac446d3b3f
Land #3043 - randomization for Rex::Zip::Jar and java_signed_applet
2014-02-28 14:10:55 -06:00
William Vu
fd1586ee6a
Land #2515 , plaintext creds fix for John
...
[FixRM #8481 ]
2014-02-28 09:53:47 -06:00
David Maloney
f66709b5bb
make bypassuac module clean itself up
...
since the IO redirection hangs our original process
we have the moudle wait for the session then kills
the spawning process and delete the exe we dropped
2014-02-27 12:54:40 -06:00
jvazquez-r7
6c490af75e
Add randomization to Rex::Zip::Jar and java_signed_applet
2014-02-27 12:38:52 -06:00
David Maloney
d358fe5f94
Merge branch 'payload_defaults'
2014-02-26 10:28:46 -06:00
David Maloney
f51cbfffb8
minor fix to payload generator
...
was passing platform string instead of the
platform lsit when formatting the payload
2014-02-25 15:51:06 -06:00
sinn3r
d0780cd1a2
Land #3010 - EXITFUNC as OptEnum
2014-02-24 11:07:10 -06:00
Joe Vennix
c760d37703
use the actual shellcode length.
2014-02-24 09:55:44 -06:00
jvazquez-r7
9fd635d645
Favor \! vs == false
2014-02-24 08:47:25 -06:00
Meatballs
2a6258be15
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
...
Conflicts:
external/source/exploits/make.bat
2014-02-28 20:26:24 +00:00
Meatballs
5a7730b495
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
2014-02-25 23:15:47 +00:00
Meatballs
8bdb22aeb9
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
...
Conflicts:
lib/msf/core/post/windows.rb
2014-02-25 22:15:05 +00:00
Meatballs
bbacaa477e
Add missing require
2014-02-25 22:08:27 +00:00
jvazquez-r7
8af992e083
Use same coding style
2014-02-21 16:02:27 -06:00
jvazquez-r7
0c44cc5ae4
Allow Exploits to provide Encoder Compat options
2014-02-21 15:49:39 -06:00
James Lee
0179faa66f
Fix yardoc for Post::Windows::LDAP
...
Also fix some style issues and warnings.
2014-02-21 13:25:11 -06:00
jvazquez-r7
0b5e617236
Land #3016 lsanchez-r7's send_message mod to return info
2014-02-19 17:01:06 -06:00
jvazquez-r7
c0cdea37f7
Initialize send_status at the function's start
2014-02-19 16:54:29 -06:00
lsanchez-r7
f7a483523c
changing the initial state from false to nil
2014-02-19 16:45:00 -06:00
Joe Vennix
212ebb568c
EXITFUNC option should be an OptEnum.
2014-02-19 03:06:15 -06:00
Joe Vennix
50fb9b247e
Restructure some of the exploit methods.
2014-02-19 02:31:22 -06:00
jvazquez-r7
4ca4d82d89
Land #2939 , @Meatballs1 exploit for Wikimedia RCE and a lot more...
2014-02-18 17:48:02 -06:00
Meatballs
e4aedfad43
Fixup netapi call
2014-02-18 23:30:29 +00:00
lsanchez-r7
07fd3494e5
changing send_message to return more information
2014-02-18 16:48:52 -06:00
Meatballs
6f988209ab
Merge remote-tracking branch 'upstream/master' into enum_domain_users_update
2014-02-18 20:02:39 +00:00
Meatballs
5c8af63063
Fix regression
2014-02-18 17:41:35 +00:00
jvazquez-r7
1bc94b8a9d
Merge for retab
2014-02-17 19:19:47 -06:00
jvazquez-r7
f07efc91a8
Land #2915 , @Meatballs1 improvements for LDAP post mixin
2014-02-17 19:14:59 -06:00
Joe Vennix
318ebdb4c8
Clean up // comments.
2014-02-17 15:34:42 -06:00
Joe Vennix
57449ac719
Adds working shellcode exec local exploit.
2014-02-17 15:31:45 -06:00
scriptjunkie
022c52d087
Added bundling to handle many sessions at once.
2014-02-15 15:37:22 -06:00
scriptjunkie
b0d2949f9a
Ensure no race conditions on handlers
...
Configurable WfsDelay
2014-02-15 15:21:16 -06:00
scriptjunkie
a83ca2b8d6
Ghost sessions fix, fewer selfies, cleaner code
2014-02-15 15:21:16 -06:00
scriptjunkie
9c8c16d238
Allow multiple handlers to use same hop.
2014-02-15 15:21:16 -06:00
scriptjunkie
16e1280b8d
Style guide fixes.
2014-02-15 15:21:16 -06:00
scriptjunkie
a6a731c8ee
Keep stage until replaced, nil check, prettify.
2014-02-15 15:21:16 -06:00
scriptjunkie
85ae32775a
Fix to make migrate work; use the full URL.
2014-02-15 15:21:16 -06:00
scriptjunkie
5f7a0e162c
Add reverse_hop_http stager and handler
2014-02-15 15:21:16 -06:00
Meatballs
f58b66adf8
Docs and more robust code
2014-02-14 23:15:05 +00:00
Meatballs
b8b36ef528
Merge remote-tracking branch 'upstream/master' into pr2075
2014-02-14 22:52:55 +00:00
sinn3r
4dd60631cb
Land #2950 - New Payload Generator for MsfVenom
2014-02-13 15:13:10 -06:00
jvazquez-r7
61563fb2af
Do minor cleanup
2014-02-13 09:10:04 -06:00
RageLtMan
0056c26047
import msf exploit
2014-02-12 22:06:18 -05:00
RageLtMan
b453362a52
Merge remote-tracking branch 'upstream/pr/2966' into integrate_with_meatballs
2014-02-12 16:43:30 -05:00
David Maloney
4565be18e3
require active_support numeric
...
ensure we have the activesupport numeric bytes extension
loaded for calling .gigabyte
2014-02-12 13:20:13 -06:00
William Vu
18816f3d5e
Land #2952 , -1 for last session ID
2014-02-11 16:22:36 -06:00
jvazquez-r7
1f0020a61c
Land #2946 , @jlee-r7's optimization of the x86 block_api code
2014-02-11 15:00:00 -06:00
Spencer McIntyre
a67a14ff60
Land #2975 @wchen-r7's extra vprint_debug statements for ms13-090
2014-02-10 20:57:55 -05:00
Meatballs
d8ea11b851
Redirect HTTP too
2014-02-10 23:41:15 +00:00
sinn3r
442d212a94
Add vprint_debug to show what requirements are being compared
2014-02-10 17:33:36 -06:00
Meatballs
4a0f37dc21
Save lost changes
2014-02-10 23:24:26 +00:00
Meatballs
a87f604c98
Merge remote-tracking branch 'upstream/master' into mediawiki
2014-02-10 21:43:56 +00:00
James Lee
fab8e16a87
Unbreak server exploits
2014-02-10 10:54:14 -06:00
jvazquez-r7
57320a59f1
Do small clean up for mediawiki_thumb pr
2014-02-10 08:57:09 -06:00
Spencer McIntyre
4eb9a16b2c
Remove unnecessary return statement.
2014-02-09 13:06:21 -05:00
Meatballs
c76341c82d
Dont dsub Invoke-Command etc...
2014-02-09 17:45:30 +00:00
Meatballs
151e45d8d1
Better exception descriptions
2014-02-09 12:52:56 +00:00
Meatballs
77dda5dc67
Give option to remove badchars
2014-02-09 12:34:25 +00:00
Meatballs
0379dc128c
Raise exception on known issues
2014-02-09 12:15:02 +00:00
Meatballs
02f1ff27ee
Add option to encode inner payload
2014-02-09 00:55:26 +00:00
Meatballs
f398c982e3
Include option to ensure payload is fully encoded
2014-02-08 23:51:13 +00:00
Meatballs
ad308efc05
Really minimize commandline size
2014-02-08 22:53:47 +00:00
sinn3r
2cfc662e43
Use en-us instead
2014-02-08 16:16:09 -06:00
Meatballs
c37cb5075c
Merge remote-tracking branch 'upstream/master' into pr2075
2014-02-08 22:11:31 +00:00
Meatballs
c76862b391
Reduce payload size
2014-02-08 22:11:17 +00:00
Meatballs
b10df54dbb
Dont need to encode the compress payload
2014-02-08 21:34:51 +00:00
Meatballs
d1f3afeacc
Correct MSB refs
2014-02-08 13:32:56 +00:00
Meatballs
76f0783eef
Raise error if no domain found or specified
2014-02-08 12:16:48 +00:00
Meatballs
a5cb03e409
Copy Meterpreter return hash
...
Dont add a key if no value is found
2014-02-08 12:12:45 +00:00
Meatballs
6e197ce535
Post get_envs library methods
2014-02-08 11:37:25 +00:00
sinn3r
bd23fcf4b7
Land #2936 - Windows Command Shell Upgrade (Powershell)
2014-02-07 17:39:06 -06:00
David Maloney
f189b753e5
use more clear syntax for space
...
use 1.gigabyte as kronicdeth suggested, for great awesomeness
2014-02-07 15:52:19 -06:00
Meatballs
56359aa99f
Merge changes from other dev machine
2014-02-07 21:22:44 +00:00
Meatballs
103780c3da
Merge remote-tracking branch 'upstream/master' into mediawiki
2014-02-07 20:07:04 +00:00
James Lee
f0fd2f0598
Land #2944 , add platforms to encoders
...
This allows encoders to advertise compatibility with a particular
platform (or more accurately, non-compatibility with everything that
isn't that platform).
See also #2939
2014-02-07 13:38:05 -06:00
David Maloney
aa3985c5e3
relign attribute tags
2014-02-07 11:04:17 -06:00
David Maloney
5d8dc76f48
put verbose messages to stderr
...
egypt pointed out we'll stomp on the payload output
otherwise. Good catch
2014-02-07 10:22:39 -06:00
Spencer McIntyre
27d7df554c
Use a single return statement defaulting to nil.
2014-02-06 14:50:59 -05:00
Spencer McIntyre
b9fb8decad
Support a (latest) session id of -1.
2014-02-06 14:11:38 -05:00
David Maloney
9d9305d2c0
more yardtag cleanup
2014-02-06 11:16:00 -06:00
David Maloney
34c4718e95
more style fixups
...
further kronicdeth appeasement
2014-02-05 18:12:44 -06:00
David Maloney
1bf11e5b92
some alpha-sorting
...
begining to appease KronicDeth
2014-02-05 17:47:32 -06:00
James Lee
b226ecf591
Add block_api changes to prepend_migrate
2014-02-05 15:32:59 -06:00
David Maloney
ca48fb6590
fix encoding cycle if all encoders fail
...
we need to raise an exception if all encoders fail
2014-02-05 15:25:14 -06:00
David Maloney
1227a47342
fix exe template
...
don't pass an emtpy string for templates
this causes read errors. pass no value instead
2014-02-05 12:10:14 -06:00
David Maloney
508f251db2
add cli compat
...
add cli capability to putut verbose info to the console
2014-02-05 11:00:57 -06:00
David Maloney
293c231dfe
alpha-sort methods for ease
...
lexically sorted methods to make it easier to
look through code
2014-02-04 18:05:03 -06:00
David Maloney
fc9105d862
final generation and specs
...
generation wrapped method complete with specs
2014-02-04 17:52:20 -06:00
David Maloney
4dcae920f8
add specs for generate_java_payload
...
pretty self-explanatory
2014-02-04 17:40:59 -06:00
David Maloney
70d8246791
finish wiring up the final generation
...
formating and main generate methods wired up
still need to add some final tests
2014-02-04 15:52:18 -06:00
sinn3r
bda93c2bbc
Land #2811 - Add generate_war to jsp_shell payloads
2014-02-04 15:06:45 -06:00
jvazquez-r7
80e7ae144b
Use the platform when selecting the payload
2014-02-04 14:34:11 -06:00
William Vu
a58698c177
Land #2922 , multithreaded check command
2014-02-04 11:21:05 -06:00
Meatballs
0a3cb3377f
AppendEncoder
2014-02-04 15:41:10 +00:00
Meatballs
26c506da42
Naming of follow method
2014-02-04 15:25:51 +00:00
David Maloney
c8b7dc30b4
added encoding routines
...
now has a method for encoding the shellcode
and tests to go with
2014-02-03 17:51:22 -06:00
Meatballs
a8ff6eb429
Refactor send_request_cgi_follow_redirect
2014-02-03 21:49:49 +00:00
Meatballs
08493f2670
Merge remote-tracking branch 'upstream/master' into upgrade_psh
...
Conflicts:
lib/msf/core/post/file.rb
2014-02-03 18:02:09 +00:00
sinn3r
2ee1764ceb
Add method rhost, rport, and peer for post modules
...
[SeeRM #8761 ]
2014-02-03 01:05:43 -06:00
David Maloney
3b648346da
starting in on encoders
...
added get_encoders method to find propper encoders
started on encode_payload, incomplete
added specs
2014-02-03 00:59:08 -06:00
sinn3r
0d02f6d589
Add support for win shells for file?
2014-02-02 23:37:26 -06:00
David Maloney
4a82bc74cf
added nop sled generator
...
added code to prepend a nop sled
with tests to match
2014-02-02 22:51:12 -06:00
James Lee
b9e234f62d
Log the size if it doesn't fit
2014-02-02 22:28:23 -06:00
David Maloney
bb5f5542f0
generating raw payload bits now
...
added raw payload generation, arch selection,
and specs for everything thus far
2014-02-02 21:09:17 -06:00
David Maloney
f9c31f988e
test platform selection
...
added tests around platform selection
2014-02-02 16:52:41 -06:00
David Maloney
f5d730e874
write specs around initialiser
...
added specs around object initialisation
2014-02-02 16:05:11 -06:00
David Maloney
e265d6f54c
begining of payload generator
...
started basics of generator
started adding specs
added option to simple framework to disable logging
2014-02-02 14:35:16 -06:00
Meatballs
95eb758642
Initial commit
2014-02-02 19:04:38 +00:00
Meatballs
9fa9402eb2
Better check and better follow redirect
2014-02-02 16:07:46 +00:00
Meatballs
0d3a40613e
Add auto 30x redirect to send_request_cgi
2014-02-02 15:03:44 +00:00
sinn3r
45bb336c51
Loop do it
2014-01-26 16:27:36 -06:00
sinn3r
eec01e79ff
No explicit "return"
2014-01-26 16:25:30 -06:00
sinn3r
6ffb750633
Change Unsupported message
...
Auxiliary modules can use check, too. Not just exploits.
2014-01-26 01:14:11 -06:00
sinn3r
2d12c0a368
NoMethod check and stuff
2014-01-25 20:25:01 -06:00
Meatballs
33da3a414b
Remove unnecessary options
2014-01-25 13:52:52 +00:00
Meatballs
27a434205c
More flexible domain and DN
2014-01-25 13:17:00 +00:00
sinn3r
93fa58ed45
aux scanner support
2014-01-24 17:54:40 -06:00
Meatballs
08885bde19
Always forget debugging stuff
2014-01-24 23:45:12 +00:00
Meatballs
be1da0e8a8
Move print statement
2014-01-24 23:37:20 +00:00
Meatballs
cb53ca261f
Tidyup logic
...
ADSI doesn't care about distinguished names or domain and can take
either, but legacy API needs a domain for binding and a dn for
searching.
Send nil if we dont know the domain rather than a ptr to an empty
string.
2014-01-24 23:28:08 +00:00
Meatballs
ae13d1f3e6
Grab the default domain to improve ldap
2014-01-24 16:36:37 +00:00
Meatballs
23ba52641b
Revert ldap
2014-01-24 16:25:48 +00:00
Meatballs
9fce617462
Fixup railgun utils
...
Implement DsGetDcNamea to return current domain using example
railgun utils techniques.
2014-01-24 16:22:05 +00:00
Tod Beardsley
4bac297f66
Land #1473 , add LDAP hotness
2014-01-23 18:11:39 -06:00
Meatballs
4b21672b60
Remove hardcoded string
2014-01-23 23:55:09 +00:00
Meatballs
790e4d7559
Move options to mixin
2014-01-23 23:47:46 +00:00
Meatballs
398e8463b1
Add more informative errors
2014-01-23 23:19:00 +00:00
Tod Beardsley
b5f61024c5
Land #2907 , fixes qual asset importer
...
Addresses MSP-9311
2014-01-23 13:32:22 -06:00
jvazquez-r7
256f2b12eb
Land #2894 , @wchen-r7's CheckCode documentation update
2014-01-23 07:31:24 -06:00
lsanchez-r7
58cf7193f9
fixing NameError undefined local variable in an import
2014-01-22 16:54:31 -06:00
Meatballs
9acd0f4b56
Merge remote-tracking branch 'upstream/master' into enum_ad_perf
2014-01-22 21:46:50 +00:00
Tod Beardsley
90207628cc
Land #2666 , SSLCompression option
...
[SeeRM #823 ], where Stephen was asking for SSL compression for
Meterpreter -- this isn't that, but it's at least now possible for other
Metasploit functionality.
2014-01-22 10:42:13 -06:00
Meatballs
80452767c8
Comments
2014-01-22 10:24:24 +00:00
Meatballs
156e3c046e
Dont lookup twice
2014-01-22 10:14:56 +00:00
Meatballs
6d6d1e1033
No need to fiddle with naming context
2014-01-22 10:06:36 +00:00
Tod Beardsley
0b6e03df75
More comment docs on SSLCompression
2014-01-21 16:48:26 -06:00
Tod Beardsley
b8219e3e91
Warn the user about SSLCompression
2014-01-21 16:41:45 -06:00
Meatballs
720f892e2f
Merge remote-tracking branch 'upstream/master' into enum_ad_perf
2014-01-21 21:00:51 +00:00
sinn3r
ea47da5682
Add wiki link "How to write a check() method" to documentation
2014-01-20 20:10:50 -06:00
sinn3r
e48b8ae14c
Use a better term
2014-01-19 16:01:38 -06:00
sinn3r
afd0e71457
Use the term "exploit" is a little more correctly
...
So Metasploit uses the term "exploit" to describe something, a module
or an action, that results popping a shell. A check normally doesn't
pop a shell, so avoid that language.
2014-01-17 13:50:23 -06:00
sinn3r
363c53e14e
Clearify when to use a specific CheckCode
...
An example of the biggest confusion module developers face is not
actually knowing the difference between Detected vs Appears vs
Vulnerable. For example: a module might flag something as a
vulnerable by simply doing a banner check, but this is often
unreliable because either 1) that banner can be fooled, or 2)
the patch does not actually update the banner. More reasons may
apply. Just because the banner LOOKS vulnearble doesn't mean it is.
2014-01-17 13:35:17 -06:00
HD Moore
68ccdc8386
Fix a stack trace when module_payloads.rb is run
...
This fixes a missing check for self.target being nil in the compatible_payloads method
2014-01-13 15:36:33 -08:00
William Vu
4ccf1a4720
Land #2873 , Msf::Handler::ReverseHttp::UriChecksum
2014-01-13 15:38:56 -06:00
David Maloney
41807d7e4e
move rev_http uri checksum code
...
need access to the uri checksum
routines outside of the handler.
moved them to their own mixin
and then mixed into the handler.
added specs also
2014-01-13 15:18:16 -06:00
Tod Beardsley
e6e6d7aae4
Land #2868 , fix Firefox mixin requires
2014-01-13 14:23:51 -06:00
Joe Vennix
3db143c452
Remove explicit requires for FF payload.
...
Adds ff payload require to msf/core/payload.rb
2014-01-13 13:07:55 -06:00
jvazquez-r7
95a5d12345
Merge #2835 , #2836 , #2837 , #2838 , #2839 , #2840 , #2841 , #2842 into one branch
2014-01-13 10:57:09 -06:00
sinn3r
cacd7ff9d4
Land #2827 - Add firefox js xpcom payloads for universal ff shells
2014-01-10 14:29:32 -06:00
Joe Vennix
7af8fe9cd1
Catch exceptions in an XSS script and return the error.
2014-01-07 16:23:24 -06:00
Joe Vennix
fb1a038024
Update async API to actually be async in all cases.
...
This avoids zalgo. Also optionally checks the return value
of the compiled Function in XSS to allow you to use send()
or an explicit return, which is maybe more natural for
synchronous xss payloads.
2014-01-07 16:17:34 -06:00
Niel Nielsen
73e359ede1
Update reverse_tcp.rb
...
Change to OpenSSL::Digest from deprecated OpenSSL::Digest::Digest
2014-01-07 22:06:11 +01:00
Niel Nielsen
e3a3b560e2
Update bind_tcp.rb
...
Change to OpenSSL::Digest from deprecated OpenSSL::Digest::Digest
2014-01-07 22:02:52 +01:00
Meatballs
3bf728da61
Dont store in DB by default
2014-01-07 12:20:44 +00:00
Joe Vennix
9d3b86ecf4
Add explicit require for JSON, so msfpayload runs.
2014-01-05 14:58:18 -06:00
Joe Vennix
d00acccd4f
Remove Java target, since it no longer works.
2014-01-04 21:22:47 -06:00
OJ
8898486820
Change display message to show actual bind address
...
When running a http/https listener the address:port that was being
shown in the output was that which was passed to the victim as part
of the stager and not the actual listener address:port.
This commit fixes this so that the display is correct.
2014-01-05 11:28:51 +10:00
Joe Vennix
f2f68a61aa
Use shell primitives instead of resorting to
...
echo hacks.
2014-01-04 19:00:36 -06:00
Raphael Mudge
6034c26fa7
Honor LPORT as callback port for HTTP/S handler
...
This commit completes our quest to (optionally) decouple the stage's
callback parameters from the interface/port our handler binds to.
LPORT is now patched into the stage over ReverseListenerBindPort.
2014-01-04 18:52:19 -05:00
Raphael Mudge
3c9d684759
Cleanup - Remove bind_address from reverse_http.rb
...
This commit removes the now unused bind_address function from
reverse_http.rb. This function returns an array of hosts the handler
should attempt to bind to (e.g., [LHOST value, any])
Other handlers (e.g., reverse_tcp.rb) loop through these values until
they're able to start a server with that bind address.
The HTTP server doesn't work this way. It's setup to try one address
and that's it. It makes sense to have the HTTP server always bind to
0.0.0.0 by default as future modules run by the user may register
resources with the same HTTP server.
2014-01-04 16:02:32 -05:00
Raphael Mudge
6f55579acd
HTTP Handler Bind to 0.0.0.0 or ReverseListenerBindAddress
...
This commit returns the HTTP/S handler to its former semantic glory.
By default the HTTP/S handler will bind to :: or 0.0.0.0. If the
user specifies a ReverseListenerBindAddress then, instead, the
server will bind to that address.
The previous commit to change the URL to always reference LHOST
should go with this too. LHOST is always my intent of where the
stage should call home too. ReverseListenerBindAddress would make
sense as my intent as to where I want to bind to. The two options
shouldn't take on each other's meanings.
2014-01-04 15:50:06 -05:00
Raphael Mudge
f93210ca74
Always Use LHOST for Full URL in HTTP/S Stage
...
Redmine #8726 documents a change where the reverse HTTP/S
tries to bind LHOST and if it can not it does a hard stop
If it's expected that users will use ReverseListenerBind-
-Address then this commit addresses #8726 by patching the
HTTP/S stage with the host provided by the user in LHOST.
Currently ReverseListenerBindAddress (if used) is patched
into the stage. This makes for a broken HTTP/S session if
the user sets this option to 0.0.0.0.
With this commit--users can provide any LHOST they like
and set ReverseListenerBindAddress to 0.0.0.0 and things
will work.
This commit does not attempt to bring the HTTP/S handler
back to the old behavior of falling back to 0.0.0.0 when
it can't bind LHOST. I'd welcome the old behavior but I
leave it to you to decide what makes sense. :)
2014-01-04 15:16:22 -05:00
Joe Vennix
b9c46cde47
Refactor runCmd, allow js exec.
...
* Updates exec payload to not touch disk
* Adds XSS module that uses hiddenWindow (to avoid X-Frame-Options)
2014-01-04 08:46:57 -06:00
Joe Vennix
60991b08eb
Whitespace tweak.
2014-01-03 18:40:31 -06:00
Joe Vennix
a5ebdce262
Add exec payload. Cleans up a lot of code.
...
Adds some yardocs and whatnot.
2014-01-03 18:23:48 -06:00
Joe Vennix
8fd517f9ef
Fixes shell escaping errors with nested quotes in windows.
2014-01-03 16:14:28 -06:00
Joe Vennix
13464d0aae
Minor cleanup of firefox.rb.
2014-01-03 01:34:57 -06:00
Joe Vennix
7961b3eecd
Rework windows shell to use wscript.
2014-01-03 01:29:34 -06:00
Meatballs
5606958320
Resolve require order
2014-01-02 23:46:18 +00:00
jvazquez-r7
f5f18965b9
Move the require to the payloads as ruby and nodejs payloads do
2014-01-02 16:05:03 -06:00
jvazquez-r7
764d0822f6
Use the current msf's naming convention
2014-01-02 15:57:09 -06:00
Joe Vennix
06fb2139b0
Digging around to get shell_command_token to work.
2014-01-02 14:05:06 -06:00
Joe Vennix
8d3130b19e
Reorder targets.
2014-01-02 10:48:28 -06:00
Joe Vennix
9b39ea55ee
Fix comment.{
2014-01-02 10:48:28 -06:00
Joe Vennix
1f9ac12dda
DRYs up firefox payloads.
2014-01-02 10:48:28 -06:00
Joe Vennix
694cb11025
Add firefox platform, architecture, and payload.
...
* Enables chrome privilege exploits in firefox to run a javascript cmd
shell session without touching the disk.
* Adds a spec for the addon_generator.
2014-01-02 10:48:28 -06:00
jvazquez-r7
0725b9c69c
Refactor JSP payloads
2013-12-31 08:27:37 -06:00
Samuel Huckins
985af3adfe
Update to masked credential format
...
* To support change in Pro export format. Previous format looked
like an XML element, for no reason, failed validation.
2013-12-30 10:59:15 -06:00
jvazquez-r7
39844e90c3
Don't user merge! because can modify self.compat
2013-12-27 16:37:34 -06:00
sinn3r
9c484dd0a3
Land #2786 - HP SiteScope issueSiebelCmd Remote Code Execution
2013-12-23 02:34:01 -06:00
jvazquez-r7
ed838d73a6
Allow targets to specify Compat[ible] payloads
2013-12-19 17:48:15 -06:00
Joe Vennix
ca23b32161
Add support for Procs in browserexploit requirements.
2013-12-19 12:49:05 -06:00
Meatballs
62ef810e7c
Use Extapi if available
2013-12-19 18:18:47 +00:00
Meatballs
737154c2fe
Update to use extapi
2013-12-19 16:46:09 +00:00
Meatballs
3ef1c0ecd6
Merge remote-tracking branch 'upstream/master' into enum_ad_perf
2013-12-19 14:25:07 +00:00
Meatballs
6e43edff4c
Merge in extapi post mixin
2013-12-19 14:25:02 +00:00
Meatballs
244cf3b3f6
Merge remote-tracking branch 'upstream/pr/2736' into enum_ad_perf
2013-12-19 13:59:57 +00:00
Joe Vennix
cb390bee7d
Move comment.
2013-12-18 20:37:33 -06:00
Joe Vennix
f411313505
Tidy whitespace.
2013-12-18 20:31:31 -06:00
Joe Vennix
9ff82b5422
Move datastore options to mixin.
2013-12-18 14:52:41 -06:00
Joe Vennix
64273fe41d
Move addon datastore options into mixin.
2013-12-18 14:42:01 -06:00
Joe Vennix
1235615f5f
Add firefox 15 chrome privilege exploit.
...
* Moves the logic for generating a firefox addon into its own mixin
* Updates the firefox_xpi_bootstrapped_addon module to use the mixin
* Module only works if you move your mouse 1px in any direction.
2013-12-18 14:30:35 -06:00
Meatballs
3e54379b0e
Merge remote-tracking branch 'upstream/master' into wmic_post
...
Conflicts:
lib/msf/core/post/windows.rb
2013-12-18 13:40:54 +00:00
Meatballs
687cbe5f60
Shadowcopy should use common wmic command
...
Small fix to ensure output is retrieved (args -> nil)
Modify shadowcopy to use wmic_query
2013-12-18 13:34:50 +00:00
William Vu
252909a609
Land #2448 , @OJ's ReverseListenerBindPort :)
2013-12-17 11:24:09 -06:00
Meatballs
6ee1a9c6e1
Fix duplicate error
2013-12-17 00:11:37 +00:00
Meatballs
06b399ee30
Remove ERROR_
...
To access as Error::NO_ACCESS
2013-12-16 19:52:11 +00:00
Meatballs
08a44fdfb7
Filename match module
2013-12-16 19:48:17 +00:00
Meatballs
57f2027e51
Move to module
2013-12-16 19:45:52 +00:00
Meatballs
c9084bd2d5
Remove errant fullstops
2013-12-16 18:53:37 +00:00
Meatballs
75c87faaf8
Add Windows Error Codes to Windows Post Mixin
2013-12-16 18:50:18 +00:00
Meatballs
435cc9b93f
Add single quote encapsulation
...
For WMI and psh_web_delivery
2013-12-16 15:13:13 +00:00
Meatballs
b252e7873b
Merge remote-tracking branch 'upstream/master' into pr2075
2013-12-16 14:29:05 +00:00
Meatballs
819ba30a33
msftidy
...
Conflicts:
lib/msf/core/post/windows/services.rb
2013-12-15 01:12:46 +00:00
Meatballs
a930056d7f
Added service status checks to Post::Windows::Services
...
Added QueryServiceStatus to Railgun Advapi32 Definitions
Added Checks to module
Conflicts:
lib/msf/core/post/windows/services.rb
lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_advapi32.rb
2013-12-15 01:12:45 +00:00
Meatballs
284a45a6c5
Convert UTF16 to ASCII
2013-12-14 22:58:16 +00:00
Meatballs
e46b5c9d55
Revert to file io if no EXTAPI
2013-12-14 22:46:22 +00:00
Meatballs
ca5ee7e156
Load extapi before wmic
2013-12-14 22:45:56 +00:00
Meatballs
b532987b8f
Re-add file out to wmic_command
2013-12-14 20:58:33 +00:00
Meatballs
8d5f298d3d
Clear clipboard first
2013-12-14 20:26:46 +00:00
Meatballs
7902f061ca
Final tidyup
2013-12-14 20:18:14 +00:00
Meatballs
04496a539c
Fix up local wmi exploit.
2013-12-14 20:05:51 +00:00
Meatballs
4224c016f4
Use WaitForSingleObject instead of loop
2013-12-14 18:42:31 +00:00
Meatballs
12afdd2cbb
Get and parse result from clipboard
2013-12-14 18:30:43 +00:00
Meatballs
3ad1e57f8d
Merge remote-tracking branch 'upstream/master' into wmic_post
2013-12-14 16:25:31 +00:00
jvazquez-r7
83e448f4ae
Restore vprint_error message
2013-12-12 09:06:29 -06:00
jvazquez-r7
5c1ca97e21
Create a new process to host the final payload
2013-12-12 08:26:44 -06:00
William Vu
ff9cb481fb
Land #2464 , fixes for llmnr_response and friends
...
Fixed conflict in lib/msf/core/exploit/http/server.rb.
2013-12-10 13:41:45 -06:00
scriptjunkie
77e9996501
Mitigate metasm relocation error by disabling ASLR
...
Deal with import error by actually using the GetProcAddress code.
2013-12-07 20:54:13 -06:00
scriptjunkie
8d33138489
Support silent shellcode injection into DLLs
...
Only run code on DLL_PROCESS_ATTACH, preventing infinite loop otherwise:
Added code would create thread -> calls DLL entry point -> calling added code...
2013-12-07 19:44:17 -06:00
Meatballs
3aebe968bb
Land #2721 Reflective DLL Mixin
...
Adds support to load a dll and identify the ReflectiveLoader offset.
Adds support to inject dll into process and execute it.
Updates kitrap0d, ppr_flatten_rec, reflective_dll_inject modules and
payload modules to use above features.
2013-12-06 12:26:51 +00:00
OJ
155836ddf9
Adjusted style as per egypt's points
2013-12-06 10:08:38 +10:00
OJ
ccbf305de1
Remove exception stuff from the payloads
2013-12-06 09:26:46 +10:00
OJ
5a0a2217dc
Add exception if DLL isn't RDI enabled
2013-12-06 09:18:08 +10:00
OJ
2cb991cace
Shuffle RDI stuff into more appropriate structure
...
Now broken into two modules, one for loading RDI DLLs off disk and
finding the loader function offset, and another for doing the process
specific stuff of loading into the target.
2013-12-06 08:25:24 +10:00
OJ
fb84d7e7fe
Update to yardoc conventions
2013-12-06 07:54:25 +10:00
sinn3r
c7bb80c1d7
Add wvu as an author to author.rb
2013-12-05 00:33:07 -06:00
OJ
b936831125
Renamed the mixin module
2013-12-05 08:13:54 +10:00
OJ
7b24f815ee
Missed a single module in rename
2013-12-04 22:54:07 +10:00
OJ
7e8db8662e
Update name of the mixin
...
Changed `RdiMixin` to `ReflectiveDLLInjection`.
2013-12-04 22:18:29 +10:00
OJ
f79af4c30e
Add RDI mixin module
...
MSF was starting to see more modules using RDI to load binaries into
remote processes, so it made sense to create a mixin which contained
the functionality that was being used in various locations.
This commit contains the new mixin, and adjustments to all the existing
exploits and modules which use RDI.
2013-12-04 16:09:41 +10:00
yehualiu
8254c0bae2
this site is down
2013-12-01 14:26:03 +08:00
William Vu
77b036ce5d
Land #2703 , uninit const fix for MSSQL_SQLI
2013-11-27 13:50:48 -06:00
jvazquez-r7
a5aca618e2
fix fail_with usage on Exploit::Remote::MSSQL_SQLI
2013-11-27 11:33:19 -06:00
jvazquez-r7
a32c9e5efc
Fix fail_with on Exploit::Remote::HttpClient
2013-11-27 11:19:46 -06:00
sinn3r
5d10b44430
Add support for Silverlight
...
Add support for Silverlight exploitation. [SeeRM #8705 ]
2013-11-26 14:47:27 -06:00
Meatballs
b015dd4f1c
Land #2532 Enum LSA Secrets
...
With refactoring of common methods from smart_hashdump, hashdump,
cachedump to Windows::Post::Privs
2013-11-24 18:09:33 +00:00
Meatballs
a3c7dccfc0
Add disconnect option to psexec
...
Allow the module to prevent the mixin from ending the SMB session.
2013-11-24 16:37:25 +00:00
Meatballs
dd9bb459bf
PSEXEC Refactor
...
Move peer into mixin
PSEXEC should use the psexec mixin
2013-11-24 16:24:05 +00:00
Meatballs
c03c33f6f6
Initial commit
2013-11-24 14:58:18 +00:00
Meatballs
e7dfda00db
Documentation
2013-11-23 22:03:43 +00:00
Meatballs
becc521406
Constants, yey
2013-11-23 21:46:11 +00:00
Meatballs
699d13eef1
Share the wealth
...
Move LDAP methods to a Post mixin.
2013-11-23 21:42:09 +00:00
Meatballs
6c83109422
Really fix wmi
2013-11-23 16:44:44 +00:00
William Vu
8e23119e17
Land #2678 , DB_ALL_CREDS should default to false
2013-11-22 23:42:00 -06:00
Tod Beardsley
8fc0a8199e
DB_ALL_CREDS should be disabled by default
...
[SeeRM #8699 ]
2013-11-22 22:16:40 -06:00
Meatballs
259d5a2dba
Backout Set-Variable as it is 3.0 only
2013-11-23 01:15:13 +00:00
Meatballs
1c60373f68
Reinstate %COMSPEC%
2013-11-23 00:45:04 +00:00
Meatballs
c194fdc67e
Fixup WMI
...
-c doesn't like $var assignments
2013-11-23 00:31:11 +00:00
Meatballs
3cbf768d16
Small size reductions
2013-11-22 22:58:42 +00:00
Meatballs
20b76602a1
Merge remote-tracking branch 'upstream/master' into pr2075
...
Conflicts:
lib/msf/core/exploit/powershell.rb
2013-11-22 22:41:08 +00:00
Tod Beardsley
e88da09894
Land #2660 , DLL/service creation for x64
2013-11-20 17:25:16 -06:00
Joe Vennix
739c7b4ca2
More dead code and tweaks.
2013-11-20 14:44:53 -06:00
Joe Vennix
3ff9da5643
Remove compression options from client sockets.
...
I couldn't verify that it was working, as it always sends 1 compression type of NULL.
2013-11-20 14:41:45 -06:00
Meatballs
3ed84d1e0b
Remove puts
2013-11-20 20:29:54 +00:00
Meatballs
7253cc73d5
:payload_instance
2013-11-20 20:28:00 +00:00
Meatballs
f27194a8ce
Always default to payload options
2013-11-20 20:14:59 +00:00
Meatballs
135dad1f4e
Fix dll/service creation
2013-11-20 20:10:47 +00:00
jvazquez-r7
110e78a1ad
Land #2507 , @todb-r7's fix to allow DCERPC misin to use RPORT
2013-11-20 10:21:32 -06:00
Joe Vennix
f8b57d45cd
Reenable the client SSLCompression advanced option.
...
Add spec for some of the additions to Rex::Proto::Http::Client
2013-11-20 01:03:13 -06:00
Joe Vennix
109fc5a834
Add SSLCompression datastore option.
...
Also disables the compression by default. TLS-level compression is almost
never used by browsers, and openssl seems to be the only one that enables
it by default.
This also kills some ruby < 1.9.3 code.
2013-11-19 22:34:39 -06:00
Tod Beardsley
ac1fb2d1da
Just use a straight RPORT, don't sneak 593.
...
Incidentally, the endmap scanner doesn't appear to work at all for
http-rpc-epmap, so no harm done anyway (tested against Windows 2008
server).
It looks like a bigger change than it realy is, thanks to the indentaton
changes by removing the itertor. Diff this without whitespace changes to
get a better idea of what's actually different.
2013-11-19 13:29:02 -06:00
jvazquez-r7
f690667294
Land #2617 , @FireFart's mixin and login bruteforcer for TYPO3
2013-11-18 13:37:16 -06:00
James Lee
0aef145f64
Merge remote-tracking branch 'upstream/master' into land-2532-enum-lsa
2013-11-13 18:11:21 -06:00
James Lee
8471f74b75
Refactor ivar to a more reasonable method
...
Also changes jtr output for cachedump to produce hashes that can be
auto-detected as mscash2 format for a better user experience.
2013-11-13 18:09:41 -06:00
James Lee
16627c1bd3
Add spec for capture_lsa_key
2013-11-13 15:16:34 -06:00
William Vu
6bd82d8589
Land #2636 , Win8 for {constants,platform}.rb
2013-11-13 14:20:52 -06:00
sinn3r
3a923422a3
Update class for Win 8
2013-11-13 13:27:44 -06:00
James Lee
3168359a82
Refactor lsa and add a spec for its crypto methods
2013-11-13 11:55:39 -06:00
Tod Beardsley
74df9bd037
Bump version number since 4.8.0 is out
2013-11-13 11:42:31 -06:00
sinn3r
8e90116c89
Add Win 8 to constants
2013-11-13 11:38:27 -06:00
jvazquez-r7
ef6d9db48f
Land #2613 , @wchen-r7's BrowserExploitServer mixin
2013-11-12 17:33:12 -06:00
sinn3r
fbe1b92c8f
Good bye get_resource
2013-11-12 17:25:55 -06:00
Tod Beardsley
2035983d3c
Fix a handful of msftidy warnings, and XXX SSL
...
Marked the SSL stuff as something that needs to be resolved in order to
fix a future bug in datastore manipulation. Also, fixed some whitespace
and exec complaints
[SeeRM #8498 ]
2013-11-11 21:23:35 -06:00
sinn3r
cf8f2940b0
Oops, this is the right filename
2013-11-11 15:45:11 -06:00
sinn3r
85150823cd
rename again
2013-11-11 15:44:27 -06:00
sinn3r
6a840fc169
Move file to get a matching name
2013-11-11 12:41:03 -06:00
OJ
063da8a22e
Update reverse_https_proxy stager/handler
...
This change updates the proxy handler code, which for some reason was
ommitted in the orginal commits. This now uses the same mechanism as
the new code. It removes `HIDDENHOST` and `HIDDENPORT`, and instead
uses `ReverseListenerBindHost` and `ReverseListenerBindAddress`.
2013-11-11 22:21:05 +10:00
sinn3r
866f240337
A little update on documentation
2013-11-07 17:06:43 -06:00
sinn3r
32b12609bd
Forgot to pass optional headers
2013-11-07 16:50:58 -06:00
FireFart
bdd33d4daf
implement feedback from @jlee-r7
2013-11-07 23:07:58 +01:00
FireFart
aab4d4ae76
first commit for typo3
2013-11-07 22:38:27 +01:00
sinn3r
991240a87e
Support java version detection
2013-11-07 00:54:52 -06:00
sinn3r
3e1771aa77
Being able to pass binding when we need to
2013-11-07 00:12:29 -06:00
sinn3r
23996ec32c
Fix up some things
2013-11-06 22:47:02 -06:00
sinn3r
c338f7a8c0
Change how requirements are defined, rspec, etc
2013-11-06 14:01:29 -06:00
sinn3r
c92116060e
Forgot to rm this line
2013-11-06 01:53:46 -06:00
sinn3r
f2e4d5507c
More rspec
2013-11-06 01:45:40 -06:00
sinn3r
636adc81de
Add rop_junk and rop_nop
2013-11-06 01:04:33 -06:00
sinn3r
65c96a1f45
Allow the module to be target specific
2013-11-06 00:57:53 -06:00
sinn3r
63d3c7e8bb
Put proxy headers in a constant
2013-11-05 16:33:36 -06:00
sinn3r
73701462ed
Fix ActiveX. Use ERB for Javascript detection code.
2013-11-05 16:26:41 -06:00
James Lee
36f96d343e
Revert "Revert "Land #2505" to resolve new rspec fails"
...
This reverts commit e7d3206dc9
.
2013-11-05 13:45:00 -06:00
sinn3r
9c6b187cc6
stuff
2013-11-05 11:05:33 -06:00
sinn3r
0513dad789
-_-
2013-11-05 10:30:37 -06:00
sinn3r
9d1742ac47
Fix typos
2013-11-05 10:15:53 -06:00
sinn3r
8fb2b943be
Add ActiveX detection
2013-11-05 01:34:56 -06:00
sinn3r
5f2d8358c0
Be more browser specific with Javascript generation
2013-11-05 01:04:52 -06:00
sinn3r
844daf0e00
No regex for get_resource checking
2013-11-04 17:49:43 -06:00
sinn3r
054a525f35
Change profile data structure
2013-11-04 17:46:36 -06:00
sinn3r
ef57a38274
Move documentation about profile structure
2013-11-04 16:47:15 -06:00
OJ
12810580d6
Remove arg for bind port/addr functions
...
Done to avoid masking of datastore instance variable.
2013-11-05 06:56:21 +10:00
sinn3r
9c8ecd2ede
Fix encoding order
2013-11-04 14:06:42 -06:00
sinn3r
d970925cbf
Fix encoding bug
2013-11-04 13:45:29 -06:00
sinn3r
23e5a9f048
Force on_request_exploit override
2013-11-04 12:54:52 -06:00
sinn3r
e83f4e5120
Use a warning
2013-11-04 12:54:41 -06:00
sinn3r
25787fbaa7
Change has_proxy?
2013-11-04 12:52:15 -06:00
sinn3r
c6fb570480
Correct bad method naming
2013-11-04 12:35:04 -06:00
sinn3r
016e686bcf
super chomp
2013-11-04 12:28:22 -06:00
sinn3r
c3d9f4064c
They are symbols not strings
2013-11-04 12:10:39 -06:00
sinn3r
0337e6ff54
Do yard documentation
2013-11-04 12:09:59 -06:00
sinn3r
abc06aa8aa
Use mutex
2013-11-01 11:35:23 -05:00
sinn3r
5fb261a974
Change var name
2013-10-31 23:48:41 -05:00
sinn3r
d54c8a359b
Fix bug in proxy detection
2013-10-31 23:42:43 -05:00
sinn3r
7a33c48a0f
No double slash
2013-10-31 23:17:38 -05:00
sinn3r
5851d502b5
Rename some stuff
2013-10-31 23:12:20 -05:00
sinn3r
21891a8337
Make sure the browser can't retry by going to the first URL
2013-10-31 23:08:17 -05:00
sinn3r
94d62613ab
Pretty much done with these, remove these comments.
2013-10-31 19:04:11 -05:00
sinn3r
828ef9c64c
Adds target-specific payload generator
2013-10-31 18:54:01 -05:00
sinn3r
8a0ebcbac7
Adds method get_module_resource
2013-10-31 14:34:38 -05:00
sinn3r
10fd892827
Fix a "undefined method to_sym" bug
...
If something is undetectable, the value may be empty, which triggers
a undefined method error because the regex always assumes there is
something. So instead of +, we use *.
2013-10-31 14:06:05 -05:00
sinn3r
6e7e5a0ff9
Put postInfo() in the js directory
2013-10-31 13:55:22 -05:00
sinn3r
00efad5c5d
Initial commit for BrowserExploitServer mixin
2013-10-31 13:17:06 -05:00
William Vu
f5d1d8eace
chmod -x .rb files without #! in modules and lib
...
It wasn't just cmdstager_printf.rb. :/
2013-10-30 19:51:25 -05:00
William Vu
333a0d5820
chmod -x cmdstager_printf.rb
2013-10-28 18:47:14 -05:00
b00stfr3ak
a476595ddb
Added require to post/windows
2013-10-25 14:42:22 -07:00
b00stfr3ak
84999115d7
Added PSH option if UAC is turned off
...
This will give the option to drop an exe or use psh if uac is turned
off. The lib can be used for post exploitation to drop an exe or use
powershell and then execute it with the runas command. I have used the
lib for both bypassuac and ask.
2013-10-25 14:37:12 -07:00
Tod Beardsley
b5f26455a3
Land #2545 , javascript library overhaul
2013-10-23 16:12:49 -05:00
sinn3r
caf41f34bf
Land #2562 - Fix RM 8510 (FileDropper)
2013-10-22 21:45:33 -05:00
sinn3r
acc73dd545
Land #2282 - BypassUAC now checks if the process is LowIntegrityLevel
2013-10-22 17:16:26 -05:00
jvazquez-r7
7d1dc3746f
Use the @schierlm's command
2013-10-22 16:19:49 -05:00
Tod Beardsley
dc0d9ae21d
Land #2560 , ZDI references
...
[FixRM #8513 ]
2013-10-22 15:58:21 -05:00
Meatballs
8611a2a24c
Merge remote-tracking branch 'upstream/master' into low_integ_bypassuac
2013-10-22 21:42:36 +01:00
sinn3r
ba1edc6fa8
Land #2402 - Windows Management Instrumentation Local -> Peers
2013-10-22 15:39:32 -05:00
jvazquez-r7
4ad9bc5efe
Try to [FixRM #8510 ]
2013-10-22 08:42:14 -05:00
sinn3r
afcce8a511
Merge osdetect and addonsdetect
2013-10-22 01:11:11 -05:00
sinn3r
99d5da1f03
We can simplify this
2013-10-21 20:22:45 -05:00
sinn3r
9a3e719233
Rework the naming style
2013-10-21 20:16:37 -05:00
Meatballs
4fc8bb2b4b
Auto arch detection
2013-10-22 00:42:59 +01:00
William Vu
9258d79978
Add ZDI references to reference.rb
2013-10-21 15:13:46 -05:00
sinn3r
032da9be10
Land #2426 - make use of Msf::Config.data_directory
2013-10-21 13:07:33 -05:00
Tod Beardsley
e7d3206dc9
Revert "Land #2505" to resolve new rspec fails
...
This reverts commit 717dfefead
, reversing
changes made to 6430fa3354
.
2013-10-21 12:47:57 -05:00
William Vu
717dfefead
Land #2505 , missing source fix for sock_sendpage
2013-10-21 11:47:55 -05:00
sinn3r
8a94df7dcd
Change category name for base64
2013-10-18 21:20:16 -05:00
Tod Beardsley
ffcb86eba2
Land #2541 , Outpost24 importer
...
Sample data is currently secret. If we get a hold of non-secret sample
data, it'll be tacked on to the Redmine bug referenced below.
[FixRM #8384 ]
2013-10-18 13:21:58 -05:00
Meatballs
4e4d0488ae
Rubyfy constants in privs lib
2013-10-18 18:26:07 +01:00
sinn3r
6f04a5d4d7
Cache Javascript
2013-10-18 12:23:58 -05:00
sinn3r
b0d614bc6a
Cleaning up requires
2013-10-18 01:47:27 -05:00
Meatballs
e450e34c7e
Merge branch 'master' of github.com:rapid7/metasploit-framework into low_integ_bypassuac
...
Conflicts:
modules/exploits/windows/local/bypassuac.rb
2013-10-17 23:35:36 +01:00
Meatballs
5a662defac
Post::Privs uses Post::Registry methods
2013-10-17 23:28:07 +01:00
sinn3r
c926fa710b
Move all exploitation-related JavaScript to their new home
2013-10-17 16:43:29 -05:00
Rob Fuller
8f2ba68934
move decrypt_lsa and decrypt_secret to priv too
2013-10-17 00:04:21 -04:00
Rob Fuller
541d932d77
move decrypt_lsa to priv as well
2013-10-16 23:53:33 -04:00
Rob Fuller
60d8ee1434
move capture_lsa_key to priv
2013-10-16 23:45:28 -04:00
Rob Fuller
1a9fcf2cbb
move convert_des_56_to_64 to priv
2013-10-16 23:39:07 -04:00
Rob Fuller
1a85bd22a8
move capture_boot_key to post win priv
2013-10-16 22:46:15 -04:00
sinn3r
4c91f2e0f5
Add detection code MS Office
...
Add detection code for MS Office XP, 2003, 2007, 2010, and 2012.
[SeeRM #8413 ]
2013-10-15 16:27:23 -05:00