b27c9b9efc
Land #4838 , reverse_http{,s} listening service fix
2015-02-27 21:02:58 -06:00
ac81318e7a
Revert #4823 , changes for ruby style guide
...
This reverts commit 885469ca52fd73445d9b#4823 for why.
2015-02-27 17:28:00 -06:00
e5e13108ed
Refactor close handling
2015-02-26 23:50:10 -06:00
5418cdad11
Refactor negotiate handling
2015-02-26 23:49:07 -06:00
5ed1f8d44f
Make opts optional
2015-02-26 23:39:17 -06:00
882f0bdc0e
Refactor read_andx request handling
2015-02-26 23:35:12 -06:00
5b770f9f7a
Refactor nt_create_andx requests
2015-02-26 23:31:09 -06:00
70033576fe
Refactor query information level
2015-02-26 23:22:57 -06:00
d544da22b5
Always send answer
2015-02-26 16:47:05 -06:00
45be95747f
Refactor Find Information Levels
2015-02-26 16:46:34 -06:00
89a033c194
Delete unnecessary paddings due to miscalculations
2015-02-26 15:54:00 -06:00
095431c323
fix note search conditions
...
note search conditions needed to know about
vuln_id or else vuln notes would get overwritten
MSP-12183
2015-02-26 15:48:04 -06:00
260c603ffb
Fix msfconsole -L
...
s/rb-readline/rb-readline-r7/
Should have been in #4816 (#4128 ).
2015-02-26 15:14:38 -06:00
387c966550
Fix unnecessary paddings
2015-02-26 15:00:53 -06:00
a72d49678a
only match by CVE refs
...
the other refs can be non-specific and refer
to multiple distinct vulns, resulting in
incorrect refs being attached to a vuln leading to
a snowball effect with more and more vulns being
misidentified.
MSP-12183
2015-02-26 14:57:16 -06:00
500e4707ab
Use smb_error
2015-02-26 14:35:52 -06:00
c73ffea1b9
Do minor cleanup
2015-02-26 12:50:45 -06:00
8351920d1e
don't match based on URL refs
...
multiple vulns may be listed for
the same URL making matches based on
these refs entirely unreliable
MSP-12183
2015-02-26 11:40:15 -06:00
b1e6de2eeb
Add todo
2015-02-26 11:39:17 -06:00
26bfebf1bb
Add dummy wildcard handling
2015-02-26 11:39:05 -06:00
d0ab9206b9
Do minor cleanup
2015-02-26 10:58:36 -06:00
970f0c94b2
Create CREATE_ANDX constants
2015-02-26 10:44:07 -06:00
ab1bb0e50d
bugfixes to https://github.com/jvazquez-r7/metasploit-framework/tree/review_3074_clean_server
...
to provide consistent support for various exploits and OS SMB Commands.
Reintroduces smb_cmd_trans_query_path_info_network for use with the Struts2 JSP injection vulnerability.
Reintroduces smb_cmd_trans_query_file_info_basic for common use with rundll32.
Corrects some issues with filename formatting and pattern matching for file requests (can still be improved).
2015-02-26 16:10:34 +00:00
993c75ec77
Update Offset counts with constants
2015-02-25 16:25:16 -06:00
ee18cf592b
Calculate ParamCount and DataCount
2015-02-25 16:00:26 -06:00
df50aa0f06
Use constants for DataCount and DataCountTotal
2015-02-25 14:11:38 -06:00
f35e03b21b
Use constants
2015-02-25 13:44:56 -06:00
f21959a8a2
Add constants for session setup actions
2015-02-25 13:31:57 -06:00
e967cfbfb3
Create Access rights constants
2015-02-25 13:22:16 -06:00
1caffbea2d
Add constants for Negotiation Capabilities
2015-02-25 12:50:33 -06:00
50d50d5353
Define constants for SMB Flags
2015-02-25 12:28:25 -06:00
e5d9bb0a47
Update from master
2015-02-25 11:37:13 -06:00
ec9be4531b
Add SMB_CREATE_ANDX_RES_PKT template
2015-02-25 11:33:08 -06:00
50f8731980
Parse SMB_CMD_CREATE requests
2015-02-25 11:09:14 -06:00
0ad3473ebb
Implement case-insensitive datastore.delete
2015-02-24 20:47:00 -06:00
d10385cfed
Add template for SMB_TREE_CONN_ANDX_RES_PKT
2015-02-24 19:27:25 -06:00
1f1d95bb37
Delete one more extra comment
2015-02-24 18:27:39 -06:00
aeb7f05158
Delete extra comment
2015-02-24 18:27:21 -06:00
bb36899699
Do templates names consistent
2015-02-24 18:26:46 -06:00
744e338ddc
Do cleanup
2015-02-24 18:15:55 -06:00
ec53e27249
Do better handling of TRAN2_QUERY_FILE_INFORMATION requests
2015-02-24 17:20:41 -06:00
d29e9fc20b
Parse TRAN2_FIND_FIRST2 commands
2015-02-24 17:02:49 -06:00
231a2f3110
Fix handlers
2015-02-24 16:03:13 -06:00
e4a58a2ec5
import notes attached to vulns
...
add the ability to import notes that
are attached to vulns instead of hosts
MSP-12183
2015-02-24 13:36:57 -06:00
389bcbd343
refactor note import into sep method
...
we will now be importing notes from multiple
place within the XML document. the importing
of notes has been refactored into a seperate
method to be easily reused in this fashion
MSP-12183
2015-02-24 12:18:32 -06:00
2389185376
export notes associated to a vuln
...
in addition to ntoes asscoiated directly
to a host, the XML export will now
export notes that are tied to a vuln
MSP-12183
2015-02-24 12:17:44 -06:00
c5d36ec24d
remove unused handler methods
...
already defined in the base class
2015-02-24 11:23:08 -06:00
ca7aabe9bc
handle SMB_QUERY_FILE_NETWORK_OPEN_INFO
2015-02-24 11:13:18 -06:00
3bed2d5136
fix for properly stopping the reverse_http/https handler
...
The issue seems to be at the root of #4669 is that reverse_http
registers an HTTP service but never releases its reference to it. If
we stop it directly, there may be a session already connected to it that
we kill, so we can't do that. Instead, track if we got a connection or
not, and conditionally release our reference based on whether the
connection succeeded.
This should fix #4669
2015-02-24 11:06:50 -06:00
5f0aeda0be
Land #4835 , new hex format for msfvenom
2015-02-24 10:56:47 -06:00
31d1ba7100
Simplify debug to inspect smb_cmd_trans_query_file_info_network
2015-02-24 10:54:45 -06:00
1d2fc989bd
remove newline
2015-02-24 17:35:53 +01:00
c3c9b233dd
Land #4834 , a few more duplicate hash key fixes
2015-02-24 10:32:55 -06:00
906c4a9024
use + instead of <<
2015-02-24 17:18:41 +01:00
12a99ecee5
Land #4796 , Handle incompatible payload architecture in BES
2015-02-24 10:02:25 -06:00
5880702552
added new hex format
2015-02-24 16:05:02 +01:00
7b32b8b58c
Land #4810 , support for job renaming in msfconsole
2015-02-24 08:51:06 -06:00
ab4a416958
comment out duplicate keys that can only be used for reference
...
ruby is ignoring all but the second instances, and 2.2 still throws a
warning
2015-02-24 08:50:02 -06:00
285c138f80
Add tab completion for rename_job
2015-02-24 04:25:36 -06:00
500b6229be
Clean up whitespace
2015-02-24 04:13:59 -06:00
e9b6a023de
Fix a typo
2015-02-23 21:45:02 -06:00
d0d124eb19
Mimic original handling
2015-02-23 20:42:49 -06:00
32046f9c47
smb_cmd_trans_query_path_info_standard
2015-02-23 19:57:16 -06:00
ea483f14a1
Try to fix logic for query information levels
2015-02-23 17:17:33 -06:00
3fca26a5de
Add support for SMB_COM_TRANSACTION2 data blocks and params
2015-02-23 16:37:39 -06:00
623d319ca7
Fix offsets
2015-02-23 14:43:06 -06:00
2653ff9d58
Try to simplify request query and find request handling
2015-02-23 14:06:23 -06:00
36711e801c
Fix comment
2015-02-23 13:09:23 -06:00
99483f88f1
Fix, hopefully, dispatching
2015-02-23 13:08:45 -06:00
87176b9b37
Redo TRANS2_QUERY_PATH_INFORMATION dispatching
2015-02-23 12:52:50 -06:00
a06d07d6da
Clean smb_cmd_trans2_query_file_information dispatching
2015-02-23 12:03:08 -06:00
c39d6e152e
Land #4819 , Normalize HTTP LoginScanner modules
2015-02-23 11:43:42 -06:00
abe5ea42cb
Clean smb_cmd_trans
2015-02-23 11:34:19 -06:00
3d7381b62a
Handle TRANS2 commands
2015-02-23 11:33:49 -06:00
fe00cadd18
Delete require
2015-02-23 11:15:55 -06:00
1dba961698
delete SubCommand namespace
2015-02-23 11:15:14 -06:00
7d9f661d78
Fix includes
2015-02-23 11:14:45 -06:00
439507d359
Move trans2 files
2015-02-23 11:13:08 -06:00
bdd5276524
This fixes a number of issues with the Capture mixin
...
* The use of www.metasploit.com in a datastore option results in a DNS lookup (infoleak). Switch to 8.8.8.8 (TTL=1)
* The hackey code around #each_packet is no longer necessary in newer Ruby versions
* The arp()/probe_gateway() calls to inject_reply() had broken logic leading to early exit and missed replies
* The arp() function now tries up to three times to get a reply (helpful with lossy L2)
* GC.start is extraneous and should be removed
* Increased timeouts
2015-02-22 21:53:47 -06:00
615d71de6e
Remove extraneous calls to GC.start()
2015-02-22 21:51:33 -06:00
251c284458
modernizes some of the rpc code
2015-02-22 15:37:55 -06:00
888c718f40
Fix two typos
2015-02-22 02:45:50 -06:00
8e8a366889
Pass Http::Client parameters into LoginScanner::Http (see #4803 )
2015-02-22 02:26:15 -06:00
c820431879
Land #4770 , Wordpress Ultimate CSV Importer user extract module
2015-02-22 08:52:45 +01:00
2b9ab901cb
Land #4811 , creds -d documentation
2015-02-21 20:59:52 -06:00
b39e2bea8e
Land #4806 , EXE::Custom case-sensitivity fix
2015-02-21 20:49:53 -06:00
f900d9cf26
Handle whitespace as per blank?
...
!~ /\S/ as per the original implementation of blank? also works.
2015-02-21 20:36:16 -06:00
708340ec5a
Tidy up various bits of code
2015-02-21 12:53:33 +00:00
80aef690a0
Do first commands refactoring
2015-02-21 01:48:47 -06:00
52b41ab4f8
Do first Share refactoring
2015-02-21 01:00:46 -06:00
b8cb93d712
Fix #3790 , document the creds -d feature
...
Fix #3790
2015-02-20 21:38:26 -06:00
b5f8ae85cf
Fix #3827 , Add support to rename a job
...
Fix #3827
2015-02-20 21:13:45 -06:00
7e1e0f8196
Add plugin upload functionality
2015-02-21 01:20:20 +00:00
df903120e3
Reorganize trans2_find_first2 requests
2015-02-20 18:28:49 -06:00
52a0e6dd1c
Mark a couple of handlers for later review
2015-02-20 16:28:04 -06:00
dc4898765f
Fix EXE::Custom
2015-02-20 16:59:18 +00:00
a91d19e0e7
Add template for SMB_QUERY_FILE_STANDARD_INFO
2015-02-20 10:58:15 -06:00
21978a1bfe
Add template for SMB_QUERY_FILE_BASIC_INFO
2015-02-20 10:40:45 -06:00
cf63e09188
Add templates for SMB_FIND_FILE_FULL_DIRECTORY_INFO_HDR and SMB_FIND_FILE_NAMES_INFO_HDR
2015-02-20 09:17:51 -06:00
f2405a5dc0
Create SMB_FIND_FILE_BOTH_DIRECTORY_INFO_HDR_LENGTH constant
2015-02-20 00:35:26 -06:00
571dffa317
Create template for SMB_FIND_FILE_BOTH_DIRECTORY_INFO
2015-02-20 00:22:33 -06:00
94ad64546c
Create TRANS2_PARAMETERS template
2015-02-19 23:16:52 -06:00
b24b94ddd3
Do first cleanup of find_first2 handlers
2015-02-19 19:08:56 -06:00
74c43f5527
Delete more unused local variables
2015-02-19 14:39:55 -06:00
1d5a977280
Delete a lot of verbose prints
2015-02-19 14:37:16 -06:00
0940ceae75
Delete unused local variables
2015-02-19 14:26:46 -06:00
c38c3519d8
Delete more unused code
2015-02-19 14:24:18 -06:00
7487f9611b
Do some extra prints
2015-02-19 14:11:27 -06:00
d9b9de8e89
Delete unused code
2015-02-19 13:16:24 -06:00
5510000bf1
Use constant for FLAGS2
2015-02-19 13:02:50 -06:00
392137292e
Old delete register prototype comment
2015-02-19 13:00:12 -06:00
39ceb5b90f
Update smb_error on Exploit::Remote::SMB::Server
2015-02-19 12:10:28 -06:00
4781ac4b39
the http service needs to keep running to handle meterpreter loading
...
revert a8f44ca68f
2015-02-19 09:38:48 -06:00
b85324435e
Don't waste instance variables
2015-02-18 16:42:52 -06:00
91d9d93fec
Handle instance variables correctly
2015-02-18 16:35:20 -06:00
438b38dfe4
Use Rex::Text
2015-02-18 16:20:47 -06:00
a815858644
Fix setup
2015-02-18 16:19:05 -06:00
06dfa6b5be
Fix initialize
2015-02-18 13:56:06 -06:00
62c08094fd
Delete the old FileServer mixin
2015-02-18 13:54:24 -06:00
9068397fff
Delete code commented by myself
2015-02-18 13:47:05 -06:00
a446df95b2
Make Msf::Exploit::Remote::SMB::Server::Share a mixin
2015-02-18 13:45:48 -06:00
415c671416
Move Rex code, we'll redesign as mixin
2015-02-18 13:44:02 -06:00
ff4aa1f9da
Require FileServer mixin
2015-02-18 11:43:13 -06:00
f960a77754
Solve merging conflicts
2015-02-18 11:36:47 -06:00
a9931cd410
Land #4725 , convert Rails 3 AR calls in RPC_Db
...
Converts Rails 3 style ActiveRecord calls in RPC_Db to their Rails 4
counterparts.
Fixes #4725 , also see MSP-12017
2015-02-18 09:59:40 -06:00
bda96f46e6
Land #4780 , stop HTTP service with HTTP handler
2015-02-18 03:34:03 -06:00
8ce1db5081
Fix #4783 , raise exception if the payload arch is incompatible
...
Fix #4783
2015-02-17 21:47:17 -06:00
e0d87a8886
Update to use store_loot for CSV export
2015-02-17 19:21:31 +00:00
bed40a83ee
fix #4337 : gracefully handle resolve_sid failure when enumerating user profiles
...
Rather than throwing a backtrace with an unresolvable SID, try to get as
much profile data as possible if resolve_sid fails.
```
[*] Determining session platform and type...
[-] Unexpected windows error 1332
[*] Checking for Firefox directory in:
C:\Users\Administrator\AppData\Roaming\Mozilla\
[-] Firefox not found
[*] Post module execution completed
```
2015-02-17 13:03:12 -06:00
a8f44ca68f
stop the http service when the reverse http handler stops
2015-02-17 12:38:20 -06:00
547d4d1950
Merge with master
2015-02-17 17:23:19 +00:00
9e2a483977
Add example usage to Msf::Exploit::Remote::SMBFileServer documentation
2015-02-17 17:23:18 +00:00
cec817902f
Add yardoc documentation for Msf::Exploit::Remote::SMBFileServer
2015-02-17 17:23:18 +00:00
5cf8833697
Tidy lib/msf/core/exploit/smb.rb following feedback from jlee-r7.
...
* Doc comments wrap at 78 chars to follow yardoc convention
* Remove unused :server and SERVER vals
* Use Utils class directly
* Stop server within an ensure
* Change SRVHOST to an OptAddress
2015-02-17 17:23:18 +00:00
8beed5652d
Implement SMBFileServer mixin.
...
In order to accomplish remote file injection (e.g. DLL) this module
emulates an SMB service process to allow clients to load a file from a
network share.
This commit implements the SMBFileServer exploit module utilising the
::Rex::Proto::SMB::Server module to export the "start_smb_server"
function.
Utilising the module (example):
include Msf::Exploit::Remote::SMBFileServer
exe = generate_payload_dll
@exe_file = rand_text_alpha(7) + ".dll"
@share = rand_text_alpha(5)
my_host = (datastore['SRVHOST'] == '0.0.0.0') ?
Rex::Socket.source_address : datastore['SRVHOST']
@unc = "\\#{my_host}\#{@share}\#{@exe_file}"
start_smb_server(@unc, exe, @exe_file)
// Inject DLL
handle
A separate commit will provide a sample implementation of utilising this
module within a generic webserver DLL injection exploit:
./exploits/windows/http/generic_http_dllinject.rb
2015-02-17 17:23:18 +00:00
6eaa3c264c
Land #4763 , LSBackgroundOnly for safari_user_assisted_download_launch
2015-02-17 10:41:59 -06:00
e08206d192
Land #4768 , jvazquez-r7 reorganizes the SMB mixins
2015-02-17 10:36:19 -06:00
0597d2defb
Land #4560 , Massive Java RMI update
2015-02-17 10:07:07 -06:00
b4cf2f5d8c
use correct response filter TLV_TYPE_VALUE_NAME
2015-02-17 08:46:25 -06:00
503f58375b
add direct registry access methods
...
Rather than operating on a passed-in HKEY, these open and close the registry
key directly for each operation.
This pattern better reflects the actual API usage within msf, and removes extra
round-trips to open and close the registry key, reducing traffic and increasing
performance. I did not add direct versions of every registry operation.
There was no benefit for more rarely-used operations, other than requiring more
churn in the meterpreters.
The primary beneficiary of this is post exploitation modules that do registry
or service enumeration. See #3693 for test cases.
2015-02-17 06:11:20 -06:00
a22f5c1287
Add extra readme check for case sensitive servers
2015-02-14 23:43:04 +00:00
2c842ee6d7
Fix namespaces on Server
2015-02-13 17:34:55 -06:00
9b7bbc220b
Fix namespaces on Client
2015-02-13 17:33:41 -06:00
46c6ac9ca1
Redefine namespaces and requires
2015-02-13 17:09:06 -06:00
df1daff673
Move clients
2015-02-13 17:07:03 -06:00
067aadf3a4
Fix namespaces
2015-02-13 17:05:46 -06:00
f1ab7ed343
Mode smb.rb
2015-02-13 17:04:55 -06:00
7367402bf1
Add requires
2015-02-13 17:03:48 -06:00
ccabf30531
Move smb_server.rb
2015-02-13 16:58:19 -06:00
ce688f4247
Land #4765 , Rails4 compatible finder conversion
...
* find_or_initialize_by_DYNAMIC
2015-02-13 15:56:09 -06:00
William Vu
sinn3r
jvazquez-r7
David Maloney
Matthew Hall
Brent Cook
Christian Mehlmauer
HD Moore
Joshua Smith
rastating
Meatballs
Matt Buck
Samuel Huckins