cec12edd99
Use enum integer values
2014-04-22 14:40:32 +01:00
71b43d392b
Dont need to specify ASCII mode
2014-04-22 14:36:02 +01:00
c936dc963c
Shorten compression
2014-04-19 18:55:45 +01:00
9f05760c50
Merge with Meatballs' initial changes
...
Clean up arch detection code and dedup Msf/Rex
Reduce generated payload size
2014-04-18 00:28:48 -04:00
5c3289bbc6
merge fix
2014-04-17 21:26:04 -04:00
38d8df4040
Merge remote-tracking branch 'upstream/master' into pr2075
...
Conflicts:
modules/exploits/windows/local/wmi.rb
2014-04-15 22:06:45 +01:00
e09f887c4c
Revert "Fixes large-string expansion in JSObfu."
...
This reverts commit 14fed8c610
2014-04-11 16:51:47 -05:00
4cb04b6b9a
Revert "Use implicit return for assignment."
...
This reverts commit 49139cc07f
2014-04-11 16:51:40 -05:00
21b2697b95
Revert "Use tiny var names by default."
...
This reverts commit 52432ef482
2014-04-11 16:51:34 -05:00
d41b3467f8
Revert "Re-add the #random_string(len) method to pass specs."
...
This reverts commit bd8918e4e1
2014-04-11 16:51:21 -05:00
a6a6ad2217
Land #3227 - Remove bundled rkelly, to Gemfile
2014-04-10 12:31:59 -05:00
68a50e3663
Land #3224 - Fixes large-string expansion in JSObfu
2014-04-10 12:09:22 -05:00
bd8918e4e1
Re-add the #random_string(len) method to pass specs.
2014-04-09 17:44:48 -05:00
57aa1eec11
Kick rkelly out to a gem, add rkelly-remixed.
...
rkelly-remixed is a faster fork of rkelly that is more frequently updated
nowadays. With the new gem, jsobfu obfuscates os.js about twice as fast on
my dev environment.
2014-04-09 17:21:22 -05:00
52432ef482
Use tiny var names by default.
2014-04-09 16:54:02 -05:00
49139cc07f
Use implicit return for assignment.
2014-04-09 15:48:07 -05:00
14fed8c610
Fixes large-string expansion in JSObfu.
2014-04-09 15:45:48 -05:00
6d72860d58
Land #3004 , @m-1-k-3's linksys moon exploit
2014-04-04 14:04:48 -05:00
7e227581a7
Rework OS fingerprinting to match Recog changes
...
This commit changes how os_name and os_flavor are handled
for client-side exploits, matching recent changes to the
server-side exploits and scanner fingerprints.
This commit also updates the client-side fingerprinting to
take into account Windows 8.1 and IE 9, 10, and 11.
2014-04-01 08:14:58 -07:00
8f1e55de5a
Use ObfuscateJS
2014-03-28 11:08:38 -05:00
da6a428bbf
Modify libs to support explib2
2014-03-28 10:44:52 -05:00
b431bf3da9
Land #3052 - Fix nil error in BES
2014-03-11 12:51:03 -05:00
096d6ad951
Land #3055 , heapLib2 integration
2014-03-05 15:48:13 -06:00
5790547d34
Start undoing some work.
2014-03-04 17:01:53 -06:00
3360f7004d
Update form_post vars, add Expires to cookie.
2014-03-03 23:29:02 -06:00
6c3b667152
Kill extra comma.
2014-03-03 16:48:02 -06:00
bfecf9525d
Add Rex::RandomIdentifierGenerator.
2014-03-03 16:43:49 -06:00
517a85d141
Remove unneeded quotes.
2014-03-03 15:42:46 -06:00
b3ab8f7ce1
Make random_var_name public, add specs for it.
2014-03-03 15:39:56 -06:00
ae9ce962c0
Add future reserved words.
...
Gotta stay ahead of the game.
2014-03-03 14:59:46 -06:00
dd86a9188c
Prevent jsobfu from generating duplicate/reserved tokens.
...
I got an error from a script that tried to 'set void = 1'.
2014-03-03 14:56:50 -06:00
ee1209b7fb
This should work
2014-03-03 11:53:51 -06:00
b458b8ad63
Add specs for new methods.
2014-03-02 20:23:20 -06:00
46f27289ed
Reorganizes form_post into separate file.
2014-03-02 19:55:21 -06:00
8dee9b22c3
Reinstate to_byte_array
2014-03-02 22:07:47 +00:00
2acd0a1b1e
Reinstance encode_code
2014-03-02 21:03:31 +00:00
c9a2135959
Merge in semperv
2014-03-02 19:07:13 +00:00
8cf5c3b97e
Add heaplib2
...
[SeeRM #8769 ] Add heapLib2 for browser exploitation
2014-03-02 11:47:18 -06:00
dbbd080fc1
a first try of the cmd stager, wget in a seperated module included
2014-02-23 20:59:17 +01:00
29bf296b61
import rex powershell
2014-02-12 16:45:57 -05:00
c37cb5075c
Merge remote-tracking branch 'upstream/master' into pr2075
2014-02-08 22:11:31 +00:00
c76862b391
Reduce payload size
2014-02-08 22:11:17 +00:00
b10df54dbb
Dont need to encode the compress payload
2014-02-08 21:34:51 +00:00
09c48358f4
Retab rex powershell
2014-02-08 20:43:04 +00:00
0b9ff43217
Make slice_up_payload easier
2014-01-16 11:03:22 -06:00
f41849c921
Clean CmdStagerEcho
2014-01-16 11:00:57 -06:00
b7b1ddf1e8
Sercomm Exploit module fixes
...
Added targets for 8 specific targets that I've tested: Cisco WAP4410N,
Honeywell WAP-PL2 IP Camera, Netgear DG834, Netgear DG834G, Netgear
DG834PN, Netgear DGN1000, Netgear DSG835, Netgear WPNT834
Added functionality to the CmdStagerEcho mix-in to support encoding via
octal instead of hex based on the :enc_type option. This is because many
devices would not output hex encoded values properly.
Added options on a per-target basis for the PackFormat (endian pack()
values for communication), UploadPath (because /tmp wasn't always
writable), and PayloadEncode (previously mentioned octal encoding
option)
Note for some reason, some devices communicate over one endianness, but
then require a payload for the other endianess. I'm not sure what's
causing this, but if those specific combinations are not used, the
exploit fails. More research may be required for this.
2014-01-13 16:58:32 -05:00
d2458bcd2a
Code Review Feedback
...
Migrated the Sercomm module to use the CmdStager mixin to provide
uploading of the ELF binary.
Modified the CmdStagerEcho mixin to allow bypass of the "-en " since in
this case, the device messed up when it was used, and would actually
write the "-en " to the file, from some flaky busybox version of "echo".
2014-01-08 22:21:32 -05:00
b252e7873b
Merge remote-tracking branch 'upstream/master' into pr2075
2013-12-16 14:29:05 +00:00
5d10b44430
Add support for Silverlight
...
Add support for Silverlight exploitation. [SeeRM #8705 ]
2013-11-26 14:47:27 -06:00
20b76602a1
Merge remote-tracking branch 'upstream/master' into pr2075
...
Conflicts:
lib/msf/core/exploit/powershell.rb
2013-11-22 22:41:08 +00:00
991240a87e
Support java version detection
2013-11-07 00:54:52 -06:00
5f2d8358c0
Be more browser specific with Javascript generation
2013-11-05 01:04:52 -06:00
bccbed2757
Rename :use_xhr_shim to :inject_xhr_shim.
2013-11-02 16:52:04 -05:00
90d8da6a21
Fix some bugs in my edits, add a spec.
2013-11-02 16:46:33 -05:00
c7c1fcfa98
Pull shared XHR shim out, add option to static Js module method.
...
* Moves shim to data/js/network/xhr_shim.js
* Add some yardoc comments
2013-11-02 14:52:50 -05:00
6e7e5a0ff9
Put postInfo() in the js directory
2013-10-31 13:55:22 -05:00
f5d1d8eace
chmod -x .rb files without #! in modules and lib
...
It wasn't just cmdstager_printf.rb. :/
2013-10-30 19:51:25 -05:00
afcce8a511
Merge osdetect and addonsdetect
2013-10-22 01:11:11 -05:00
19615ac4b7
Apparently I missed a lot of stuff
2013-10-21 21:02:01 -05:00
fcba529ea5
Update coding format
2013-10-21 20:54:25 -05:00
ea56c4914c
Need this file
2013-10-21 20:17:38 -05:00
9a3e719233
Rework the naming style
2013-10-21 20:16:37 -05:00
2d24824e78
Use data_directory instead of install_root
2013-10-19 17:55:03 -05:00
8a94df7dcd
Change category name for base64
2013-10-18 21:20:16 -05:00
62dadc80d3
Make sure the data type for the return value is a string
2013-10-18 21:08:46 -05:00
298f23c91c
Fix extra slashes that cause browser autopwn to fail.
2013-10-18 20:43:39 -05:00
8579cb8322
Use obfuscation
2013-10-18 13:06:19 -05:00
3af38b9602
I bet "../" will drive people crazy, avoid that.
2013-10-18 11:56:03 -05:00
b0d614bc6a
Cleaning up requires
2013-10-18 01:47:27 -05:00
c926fa710b
Move all exploitation-related JavaScript to their new home
2013-10-17 16:43:29 -05:00
0081e186f7
Make sure i var is local
2013-10-15 23:59:23 -05:00
4c91f2e0f5
Add detection code MS Office
...
Add detection code for MS Office XP, 2003, 2007, 2010, and 2012.
[SeeRM #8413 ]
2013-10-15 16:27:23 -05:00
711fac08b7
Don't throw exception if createElement is missing.
2013-10-14 14:15:13 -05:00
183940308b
Add another nil check, just to be safe.
2013-10-14 13:55:54 -05:00
20a145f1e7
Check for prop in prototype, not constructor.
2013-10-14 13:51:45 -05:00
488ed5bd4a
Add new feature detection logic for FF 23 and 24.
2013-10-14 13:41:26 -05:00
e895a17722
Add 'no quotes' option for CmdStagerPrintf
...
Exploit developers can use the ':noquotes => true' option to avoid
single quotes surrounding the octal escapes argument.
2013-10-08 21:04:28 +02:00
2593c06e7c
Land #2412 , @mwulftange's printf cmd stager
2013-10-08 09:08:29 -05:00
6f7d513f6e
Another clean up and simplification of CmdStagerPrintf
2013-10-08 07:22:09 +02:00
836ff24998
Clean and fix CmdStagerPrintf
...
Clean up of the CmdStagerPrintf as discussed in mwulftange#1
2013-10-05 10:39:55 +02:00
77cbb7cd19
Update function documentation
2013-10-04 15:18:27 -05:00
29d1c75d1c
Update RopDb mixin to allow dynamic payload size for neg
...
This adds a new key to allow a "safe" integer value to NEG. "Safe"
means the value does not have any null bytes after the NEG instruction,
which is typically used to calculate the payload size.
2013-10-03 23:09:23 -05:00
10252ca6f4
Just Rex::Text.to_octal is probably better
2013-09-23 23:03:38 +02:00
9353929945
Add CmdStagerPrintf
2013-09-23 22:02:29 +02:00
5add142789
Choose smallest smallest
2013-09-20 13:47:51 +01:00
dd7010d272
Fix @todb-r7 feedback
2013-09-17 20:54:19 -05:00
217449a836
Ensures termination of inner while loop and cleans up #map.
...
* Tested working against ubuntu target using the sshexec test script.
2013-09-16 20:42:20 -05:00
edec022957
Use shellwords, as recommended by @jvennix-r7
2013-09-16 16:35:45 -05:00
a5049df320
Add echo CmdStager
2013-09-16 11:35:05 -05:00
b4d1fd6ff8
Fixup rex text
2013-09-13 21:15:28 +01:00
9ade4cb671
Refactor
2013-09-13 20:43:09 +01:00
7e5e0f7fc8
Retab lib
2013-08-30 16:28:33 -05:00
dc15c5b505
Merge branch 'master' into powershell_import
...
Resolve conflicts from old code being pulled into master.
Conflicts:
lib/msf/core/exploit/powershell.rb
modules/exploits/windows/smb/psexec_psh.rb
2013-07-20 19:29:55 -04:00
757cf18bb4
Land #2135 - Update FF detection
2013-07-20 13:10:14 -05:00
92ae90b828
Whitespace fixes.
2013-07-19 17:27:27 -05:00
2e838d7be3
Fix minor bugs discovered when testing.
2013-07-19 17:18:39 -05:00
7e2fc147f1
Add updated versions of firefox.
2013-07-18 16:35:57 -05:00
9d56e58e84
Rely on object detection for '5716599'
...
[SeeRM #7252 ]
2013-07-17 15:47:25 -05:00
4554cc6e51
Import Powershell libs and modules (again)
...
Add Rex powershell parser:
reads PSH, determines functions, variables, blocks
compresses and cleans up the code it's read, obfuscates
handles string literals and reserved variable names
extracts code blocks and functions for reuse
turns powersploit into a useful sub-component for MSF
Rewire Msf powershell modules
Make use of Rex parser
Handles payload generation, substituions
Brings convenience methods - byte array generation and download
Re-add .NET compiler
Compiles .NET code (C#/VB.NET) in memory
Can generate binary output file (dynamic persistence)
Handles code-signing (steal cert with mimikatz, sign your bin)
Not detected by AV (still...)
Update payload generation
GZip compression and decompression (see Rex module as well)
msftidy violations for space efficiency - each char counts
Re-submit psexec-psh
Makes use of updated Msf and Rex modules
Runs shellcode in-memory (in a hidden PSH window)
Completely bypasses all AVs tested for the last year...
2013-07-04 14:04:19 -04:00
Meatballs
RageLtMan
joev
sinn3r
jvazquez-r7
HD Moore
William Vu
Michael Messner
Matt Andreko
Markus Wulftange
jvazquez-r7
Joe Vennix
Tab Assassin
James Lee