Commit Graph

7553 Commits (e774411b63768796d63050b7c6254433399c1d55)

Author SHA1 Message Date
sinn3r 6e37493471
Land #3091 - native shellcode payloads from a FF privileged js shell 2014-03-13 13:36:37 -05:00
Joe Vennix db036e44ad Use RdlCopyMemory from Kernel32. 2014-03-13 11:05:58 -05:00
sinn3r 7ead04414c
Land #3024 - Allow encoder Compat options 2014-03-13 10:59:40 -05:00
Tod Beardsley 520d1e69c4
Rapid7 Comma Inc
After some more discussion with Rapid7's legal fellow.
2014-03-13 09:46:20 -05:00
sinn3r 84b08a5a35 Fix check command host selection behavior
[SeeRM #8768] Instead of using the saved value for host, the check
command should use whatever the user specifies.
2014-03-12 22:54:01 -05:00
Tod Beardsley 9d4ceaa3a0
Let's try to be consistent about Rapid7 Inc.
According to

http://www.sec.gov/Archives/edgar/data/1560327/000156032712000001/0001560327-12-000001.txt

Rapid7 is actually "Rapid7 Inc" not "Rapid7, LLC" any more.

This does not address the few copyright/license statements around
"Metasploit LLC," whatever that is.
2014-03-12 11:20:17 -05:00
Joe Vennix 851fca2107 Add posix fork() call before running code. 2014-03-12 02:56:26 -05:00
Joe Vennix 7afcb6aee8 Add CreateThread wrapper for windows. 2014-03-12 02:49:09 -05:00
Joe Vennix ce0c5380a5
Kill stray //. 2014-03-12 02:20:49 -05:00
Joe Vennix 9bdf570763
All working now. In-memory meterpreter even. 2014-03-12 02:19:28 -05:00
sinn3r b431bf3da9
Land #3052 - Fix nil error in BES 2014-03-11 12:51:03 -05:00
OJ 1d70411ea7 Support service_control and new status field in query
This code adds support for the new service_control feature in meterpreter
and also supports the status field that comes from the service_query function.
2014-03-11 14:50:19 +10:00
Joe Vennix c07f390382 Add CookieExpiration option, add trailing slash to URI. 2014-03-10 13:07:17 -05:00
sinn3r c76a1ab9f4
Land #3065 - Safari User-Assisted Download & Run Attack 2014-03-07 10:29:56 -06:00
Joe Vennix 9638bc7061 Allow a custom .app bundle.
* adds a method to Rex::Zip::Archive to allow recursive packing
2014-03-06 16:11:30 -06:00
Meatballs 311d4665ce
Re-use CreateService Handle
and remove unused variable
2014-03-06 21:37:49 +00:00
William Vu ee0aa20955
Land #3013, Metasm update 2014-03-06 14:15:42 -06:00
Joe Vennix 05067b4e33 Oops. Need to init the profile before accessed. 2014-03-06 11:48:54 -06:00
Joe Vennix ad592fd114 Remove unnecessary method. 2014-03-05 23:36:43 -06:00
Joe Vennix a792f85a5f Fix re-initialize bug. 2014-03-05 23:27:04 -06:00
Joe Vennix 38a2e6e436 Minor fixes. 2014-03-05 19:03:54 -06:00
Joe Vennix 12cf5a5138 Add BES, change extra_plist -> plist_extra. 2014-03-05 18:51:42 -06:00
William Vu 096d6ad951
Land #3055, heapLib2 integration 2014-03-05 15:48:13 -06:00
Joe Vennix cd3c2f9979 Move osx-app format to EXE. 2014-03-04 22:54:00 -06:00
OJ a1aef92652
Land #2431 - In-memory bypass uac 2014-03-05 11:15:54 +10:00
Joe Vennix 5790547d34 Start undoing some work. 2014-03-04 17:01:53 -06:00
Tod Beardsley 6e88bbd827
No need for that kind of language 2014-03-04 14:34:50 -06:00
sinn3r e638c3d50a
Land #3058 - Prevent jsobfu from generating reserved js keywords 2014-03-04 11:43:39 -06:00
David Maloney 72c6b995de
adjust timeout for shadowcopy
WMIC defaults to 10 sec timeout but shadowcopy
often needs longer.
2014-03-04 10:18:59 -06:00
OJ 0bdce4836f Modify clipboard dump to support new format from Meterpreter 2014-03-04 19:37:57 +10:00
Etienne Stalmans e452b81fb1 style changes as suggested by @jlee-r7 2014-03-04 08:49:52 +02:00
Joe Vennix 3360f7004d Update form_post vars, add Expires to cookie. 2014-03-03 23:29:02 -06:00
Joe Vennix 6c3b667152 Kill extra comma. 2014-03-03 16:48:02 -06:00
Joe Vennix bfecf9525d Add Rex::RandomIdentifierGenerator. 2014-03-03 16:43:49 -06:00
Meatballs 43715eeb7f
Blame @OJ
He changed the clipboard API underneat me.
2014-03-03 22:06:05 +00:00
Meatballs 32d83887d3
Merge remote-tracking branch 'upstream/master' into wmic_post 2014-03-03 21:56:31 +00:00
Joe Vennix 517a85d141 Remove unneeded quotes. 2014-03-03 15:42:46 -06:00
Joe Vennix b3ab8f7ce1 Make random_var_name public, add specs for it. 2014-03-03 15:39:56 -06:00
Joe Vennix ae9ce962c0 Add future reserved words.
Gotta stay ahead of the game.
2014-03-03 14:59:46 -06:00
Joe Vennix dd86a9188c Prevent jsobfu from generating duplicate/reserved tokens.
I got an error from a script that tried to 'set void = 1'.
2014-03-03 14:56:50 -06:00
sinn3r ee1209b7fb This should work 2014-03-03 11:53:51 -06:00
Joe Vennix 894d16af80 Add specs for new/returning/previous visitors. 2014-03-02 20:50:10 -06:00
Joe Vennix b458b8ad63 Add specs for new methods. 2014-03-02 20:23:20 -06:00
Joe Vennix 6825fd2486 Whitespace tweaks and cleanup. 2014-03-02 19:57:48 -06:00
Joe Vennix 46f27289ed Reorganizes form_post into separate file. 2014-03-02 19:55:21 -06:00
Joe Vennix 785a35a81a Needed to kill objToQuery. 2014-03-02 19:48:55 -06:00
Joe Vennix e8226f9d40 Use a keyed cookie. Moves AJAX call to a form post. 2014-03-02 19:47:24 -06:00
Joe Vennix 26db845438 Try to pthread_create. Fails. 2014-03-02 18:02:23 -06:00
Meatballs 8dee9b22c3
Reinstate to_byte_array 2014-03-02 22:07:47 +00:00
Meatballs 2acd0a1b1e
Reinstance encode_code 2014-03-02 21:03:31 +00:00
Meatballs 2885ebcb40
Merge remote-tracking branch 'upstream/master' into pr2075 2014-03-02 20:57:02 +00:00
Meatballs 0956ae5789
Fix payload selection 2014-03-02 20:56:55 +00:00
Meatballs 1ca690eccf
Do some rspec 2014-03-02 20:37:08 +00:00
Meatballs c9a2135959
Merge in semperv 2014-03-02 19:07:13 +00:00
sinn3r 8cf5c3b97e Add heaplib2
[SeeRM #8769] Add heapLib2 for browser exploitation
2014-03-02 11:47:18 -06:00
FireFart 8543da0fbd Corrected uri_encode 2014-03-01 11:30:50 +01:00
David Maloney 1a0f77edb2
Land #2739, DLL injection in msfvenom
lands Meatballs PR to fix dll injection
in Msfvenom. Test to ensure it still works
in the new MsfVenom
2014-02-28 14:22:17 -06:00
David Maloney 9e355e1265 Merge branch 'master' into dll_inject 2014-02-28 14:20:46 -06:00
sinn3r ac446d3b3f
Land #3043 - randomization for Rex::Zip::Jar and java_signed_applet 2014-02-28 14:10:55 -06:00
David Maloney 566a791ef3
Land #2992, Fix VNC Inject Defaults 2014-02-28 14:04:56 -06:00
William Vu fd1586ee6a
Land #2515, plaintext creds fix for John
[FixRM #8481]
2014-02-28 09:53:47 -06:00
David Maloney f66709b5bb
make bypassuac module clean itself up
since the IO redirection hangs our original process
we have the moudle wait for the session then kills
the spawning process and delete the exe we dropped
2014-02-27 12:54:40 -06:00
jvazquez-r7 6c490af75e Add randomization to Rex::Zip::Jar and java_signed_applet 2014-02-27 12:38:52 -06:00
David Maloney d358fe5f94
Merge branch 'payload_defaults' 2014-02-26 10:28:46 -06:00
David Maloney f51cbfffb8
minor fix to payload generator
was passing platform string instead of the
platform lsit when formatting the payload
2014-02-25 15:51:06 -06:00
sinn3r d0780cd1a2
Land #3010 - EXITFUNC as OptEnum 2014-02-24 11:07:10 -06:00
Joe Vennix c760d37703 use the actual shellcode length. 2014-02-24 09:55:44 -06:00
jvazquez-r7 9fd635d645 Favor \! vs == false 2014-02-24 08:47:25 -06:00
Michael Messner dbbd080fc1 a first try of the cmd stager, wget in a seperated module included 2014-02-23 20:59:17 +01:00
Meatballs 2a6258be15
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
Conflicts:
	external/source/exploits/make.bat
2014-02-28 20:26:24 +00:00
Meatballs 5a7730b495
Merge remote-tracking branch 'upstream/master' into bypassuac_redo 2014-02-25 23:15:47 +00:00
Meatballs 8bdb22aeb9
Merge remote-tracking branch 'upstream/master' into bypassuac_redo
Conflicts:
	lib/msf/core/post/windows.rb
2014-02-25 22:15:05 +00:00
Meatballs bbacaa477e
Add missing require 2014-02-25 22:08:27 +00:00
Meatballs e31a144f4d
Use better system call 2014-02-22 20:34:56 +00:00
jvazquez-r7 8af992e083 Use same coding style 2014-02-21 16:02:27 -06:00
jvazquez-r7 0c44cc5ae4 Allow Exploits to provide Encoder Compat options 2014-02-21 15:49:39 -06:00
James Lee 0179faa66f
Fix yardoc for Post::Windows::LDAP
Also fix some style issues and warnings.
2014-02-21 13:25:11 -06:00
jvazquez-r7 0b5e617236
Land #3016 lsanchez-r7's send_message mod to return info 2014-02-19 17:01:06 -06:00
jvazquez-r7 c0cdea37f7 Initialize send_status at the function's start 2014-02-19 16:54:29 -06:00
lsanchez-r7 f7a483523c changing the initial state from false to nil 2014-02-19 16:45:00 -06:00
jvazquez-r7 7c5ba3e46c Retab metasm 2014-02-19 14:01:20 -06:00
jvazquez-r7 bdb27b2cca Manual loading shouldn't be needed 2014-02-19 13:13:41 -06:00
jvazquez-r7 a78ccc7862 Add up to date metasm 2014-02-19 13:13:08 -06:00
jvazquez-r7 f34078a7df Delete old version of metasm 2014-02-19 13:09:53 -06:00
Joe Vennix 212ebb568c EXITFUNC option should be an OptEnum. 2014-02-19 03:06:15 -06:00
Joe Vennix 50fb9b247e Restructure some of the exploit methods. 2014-02-19 02:31:22 -06:00
jvazquez-r7 4ca4d82d89
Land #2939, @Meatballs1 exploit for Wikimedia RCE and a lot more... 2014-02-18 17:48:02 -06:00
Meatballs e4aedfad43
Fixup netapi call 2014-02-18 23:30:29 +00:00
lsanchez-r7 07fd3494e5 changing send_message to return more information 2014-02-18 16:48:52 -06:00
Meatballs 6f988209ab
Merge remote-tracking branch 'upstream/master' into enum_domain_users_update 2014-02-18 20:02:39 +00:00
jvazquez-r7 4f9ab0b99f
Land #2903, @Meatballs1 SPN gather post module 2014-02-18 13:53:32 -06:00
Tod Beardsley 8e0a4aaa58
Land #2983, webcam_chat for Meterpreter 2014-02-18 13:43:42 -06:00
Meatballs 5c8af63063
Fix regression 2014-02-18 17:41:35 +00:00
sinn3r 0519abb558 Fix the wrong conversion 2014-02-17 23:17:19 -06:00
jvazquez-r7 1bc94b8a9d Merge for retab 2014-02-17 19:19:47 -06:00
jvazquez-r7 f07efc91a8 Land #2915, @Meatballs1 improvements for LDAP post mixin 2014-02-17 19:14:59 -06:00
Joe Vennix 318ebdb4c8 Clean up // comments. 2014-02-17 15:34:42 -06:00
Joe Vennix 57449ac719 Adds working shellcode exec local exploit. 2014-02-17 15:31:45 -06:00
Spencer McIntyre 7f9b4a4bf4
Land #2655, Re-do exe-small for scripting payloads. 2014-02-17 15:56:23 -05:00
Meatballs f58b66adf8
Docs and more robust code 2014-02-14 23:15:05 +00:00
Meatballs f5c401bee7
Yarddocs 2014-02-14 22:59:36 +00:00
Meatballs b8b36ef528
Merge remote-tracking branch 'upstream/master' into pr2075 2014-02-14 22:52:55 +00:00
Spencer McIntyre 3299b68adf
Landing #2767, @Meatballs1 Powershell Reflective Payload 2014-02-14 16:12:46 -05:00
Meatballs f7858bf1a7
SnakeCase option looks better 2014-02-14 21:05:24 +00:00
Meatballs 983f5abc2f
Make vnc a bit safer to use 2014-02-14 20:59:44 +00:00
sinn3r d606be5efb That's funny I changed the wrong method 2014-02-13 16:41:18 -06:00
sinn3r 5d3eed8600 Add info about browser requirements in help 2014-02-13 16:37:05 -06:00
sinn3r 9c48335764 Change to google.com 2014-02-13 16:30:44 -06:00
sinn3r a44f235a8d Fix things based on Tod's feedback 2014-02-13 16:13:42 -06:00
sinn3r 4dd60631cb
Land #2950 - New Payload Generator for MsfVenom 2014-02-13 15:13:10 -06:00
jvazquez-r7 61563fb2af Do minor cleanup 2014-02-13 09:10:04 -06:00
RageLtMan 0056c26047 import msf exploit 2014-02-12 22:06:18 -05:00
RageLtMan 29bf296b61 import rex powershell 2014-02-12 16:45:57 -05:00
RageLtMan b453362a52 Merge remote-tracking branch 'upstream/pr/2966' into integrate_with_meatballs 2014-02-12 16:43:30 -05:00
David Maloney 4565be18e3 require active_support numeric
ensure we have the activesupport numeric bytes extension
loaded for calling .gigabyte
2014-02-12 13:20:13 -06:00
jvazquez-r7 8b25b6e343
Land #2980, @wvu-r7 fix to handle invalid session id on post module runs 2014-02-12 13:13:34 -06:00
jvazquez-r7 ff267a64b1 Have into account the Content-Transfer-Encoding header 2014-02-12 12:40:11 -06:00
William Vu 40db1c4d0d s/auxiliarly/auxiliary/ 2014-02-12 12:17:53 -06:00
sinn3r 45d4b1e1fd
Land #2958 - Add options: Applicaiton-Name, Permissions for jar.rb 2014-02-12 11:14:25 -06:00
sinn3r 750ce3c4db Make server configurable 2014-02-11 23:07:43 -06:00
OJ beca4b8bc3 Fix issue with getenv failing
The call to `getenv` failed when `%` or `$` were used because of the
differences between Meterpreter handling and MSF handling.

Meterpreter effectively ignores (ie. strips out) the platform-specific
characters which are used for environment variables. In the `getenv`
call, MSF was invoking `getenvs` and getting a full hash of values, then
attempting to index into the hash using a string which may be "polluted"
with those platform-specific characters. This meant that there was a
discrepency between what was returned and what was used to index and
as a result, the value would come out as `nil`.

For example, calling `getenv('%FOO%')` would result in a hash with
`{'FOO'=>'bar'}`, so looking for '%FOO%' in this result would yield
nothing.

This commit changes this so that the name is ignored and the first
value is returned.
2014-02-12 13:51:30 +10:00
William Vu 5a488b310d Use a more correct error message
-1 is a valid session ID, even though it's a fake one.
2014-02-11 18:06:43 -06:00
William Vu 4a603b9a8d Merge remote-tracking branch 'upstream/master' into beug/session
Conflicts:
	lib/msf/base/simple/post.rb
2014-02-11 16:38:16 -06:00
William Vu 18816f3d5e
Land #2952, -1 for last session ID 2014-02-11 16:22:36 -06:00
William Vu 2476d9be2d Fix invalid session ID bug
This fix should work seamlessly with #2952.
2014-02-11 15:43:35 -06:00
jvazquez-r7 1f0020a61c
Land #2946, @jlee-r7's optimization of the x86 block_api code 2014-02-11 15:00:00 -06:00
jvazquez-r7 e3aa838e52 Fix on_session_module_run bug 2014-02-11 11:37:58 -06:00
jvazquez-r7 51df2d8b51 Use the fixed API on the mediawiki exploit 2014-02-11 08:28:58 -06:00
sinn3r 2bb15d3a87 answerer's interface gets a makeover 2014-02-11 02:15:22 -06:00
jvazquez-r7 79d559a0c9 Fix MIME message to_s 2014-02-10 22:23:23 -06:00
Spencer McIntyre a67a14ff60
Land #2975 @wchen-r7's extra vprint_debug statements for ms13-090 2014-02-10 20:57:55 -05:00
sinn3r fdd696fc31 Drop Opera support
It's sad nobody is actually using it. See article: "Across desktop and
mobile, Chrome is used more than Firefox, IE, and Opera combined" -
thenextweb.com
2014-02-10 18:03:42 -06:00
sinn3r 1414f6794c Change the name of the video chat command 2014-02-10 17:44:47 -06:00
Meatballs d8ea11b851
Redirect HTTP too 2014-02-10 23:41:15 +00:00
sinn3r 442d212a94 Add vprint_debug to show what requirements are being compared 2014-02-10 17:33:36 -06:00
Meatballs 4a0f37dc21
Save lost changes 2014-02-10 23:24:26 +00:00
sinn3r 44282d8a83 Add an exception handling 2014-02-10 17:06:56 -06:00
sinn3r 1114913298 Automatically turn on webcam in Firefox 2014-02-10 17:05:08 -06:00
Meatballs a87f604c98
Merge remote-tracking branch 'upstream/master' into mediawiki 2014-02-10 21:43:56 +00:00
sinn3r 48fdb08164 Add flag --use-fake-ui-for-media-stream
Thanks Joev!!
2014-02-10 14:47:25 -06:00
Matteo Cantoni 427fece52c Add random mail address function 2014-02-10 21:04:44 +01:00
James Lee fab8e16a87
Unbreak server exploits 2014-02-10 10:54:14 -06:00
jvazquez-r7 57320a59f1 Do small clean up for mediawiki_thumb pr 2014-02-10 08:57:09 -06:00
Spencer McIntyre 4eb9a16b2c Remove unnecessary return statement. 2014-02-09 13:06:21 -05:00
Meatballs c76341c82d
Dont dsub Invoke-Command etc... 2014-02-09 17:45:30 +00:00
Meatballs 151e45d8d1
Better exception descriptions 2014-02-09 12:52:56 +00:00
Meatballs 77dda5dc67
Give option to remove badchars 2014-02-09 12:34:25 +00:00
Meatballs 0379dc128c
Raise exception on known issues 2014-02-09 12:15:02 +00:00
Meatballs 1f9b452425
Dont tidy up template yet 2014-02-09 11:23:39 +00:00
sinn3r 93ef3c784d Update some JavaScript and other things 2014-02-08 22:23:19 -06:00