Commit Graph

9664 Commits (f4a1ce7fb6f5c61d2fdacaa17cff8bda7b252051)

Author SHA1 Message Date
sinn3r 457598eb02 print_error about unknown request.uri 2015-01-27 20:21:18 -06:00
sinn3r acf02647fb Add a check for Custom404 2015-01-27 20:18:10 -06:00
sinn3r 66703bfe5a Allow custom 404 as an option for BrowserExploitServer
When something fails, the target is given a hardcoded 404 message
generated by the framework. But the user (attacker) now can configure
this. When the Custom404 option is set, the mixin will actually
redirect (302) to that URL.

There are several scenarios that can trigger a 404 by BES (custom or
default):

* When the browser doesn't allow javascript
* When the browser directly visits the exploit URL, which is forbidden.
  If this actually happens, it probably means the attacker gave the
  wrong URL.
* The attacker doesn't allow the browser auto-recovery to retry the
  URL.
* If some browser requirements aren't met.
* The browser attempts to go to access a resource not set up by the
  mixin.
2015-01-27 18:53:02 -06:00
James Lee 895284cd12
Fix logic around empty usernames or passwords
See #4634 and #4642
2015-01-27 14:16:26 -06:00
sinn3r d29a74cd8f Fix #4641 - Explain the set/unset command a little bit better
Sometimes we forget the set command is context specific. For example,
if run from a module's context, it will set the value in the module's
datastore.

Fix #4641
2015-01-27 13:35:05 -06:00
Brent Cook f2edf21b9d fix MSF::Post::File::rename_file with meterpreter
Modify rename_file to fit the pattern of the other file methods.
Otherwise, calling this yields a backtrace in the logs and it fails.

Steps to verify:
rc script:
```
loadpath test/modules
use exploit/multi/handler
set lhost 172.28.128.1
set lport 8081
set payload windows/meterpreter/reverse_http
run -j
sleep 5
resource test/scripts/test-sessions.rc

Before:
```
[-] FAILED: should move files
[-] Exception: TypeError : true is not a symbol

log file:
[01/27/2015 13:17:23] [d(0)] core: Call stack:
/home/bcook/projects/metasploit-framework/lib/msf/core/post/file.rb:357:in
`rename_file'
/home/bcook/projects/metasploit-framework/test/modules/post/test/file.rb:115:in
`block in test_file'
/home/bcook/projects/metasploit-framework/test/lib/module_test.rb:26:in
`call'
/home/bcook/projects/metasploit-framework/test/lib/module_test.rb:26:in
`it'
...
```

After, passing sessions instead:
```
post/test/file
SESSION => 1
Setup: changing working directory to %TEMP%
[*] Running against session 1
[*] Session type is meterpreter and platform is x86/win32
[+] should test for file existence
[+] should test for directory existence
[+] should create text files
[+] should read the text we just wrote
[+] should append text files
[+] should delete text files
[+] should move files
[+] should write binary data
[+] should read the binary data we just wrote
[+] should delete binary files
[+] should append binary data
[*] Passed: 11; Failed: 0
```
2015-01-27 13:19:33 -06:00
James Lee a2c7ebc2b1
Simplify logic 2015-01-27 09:05:11 -06:00
James Lee eac7b11a87
Merge remote-tracking branch 'upstream/master' into bug/4634/blank-username
Conflicts:
	lib/msf/ui/console/command_dispatcher/db.rb
	spec/lib/msf/ui/console/command_dispatcher/db_spec.rb
2015-01-27 08:40:07 -06:00
sinn3r ee922d141c Fix #4646 - get_module_resource should check nil before using get_resource
Fix #4646. The get_module_resource needs to check nil first before
using the get_resource method (from HttpServer)
2015-01-27 00:21:43 -06:00
James Lee f2e0bd364a
Always include Service and Host
See #4643
2015-01-26 20:22:11 -06:00
James Lee 8dd56bb759
Do all the filtering in SQL instead of Ruby
This also has the advantage of reducing the number of queries from at
least 3 for every Core we find to more like a total of 3.
2015-01-26 20:21:55 -06:00
Tod Beardsley 2294ea0e93
Squash commit for blank creds search and test
This should fix up #4642 with respect to #4504.

Squashed commit of the following:

commit 124d53ccb00cd200bede092e893dda7e033d3e17
Merge: cb2bef8 ccad159
Author: Tod Beardsley <tod_beardsley@rapid7.com>
Date:   Mon Jan 26 16:23:03 2015 -0600

    Merge branch 'feature/creds-blank-finders' into temp

commit ccad159222eaa949d76e22b588d1ac7709fb2f27
Author: Tod Beardsley <tod_beardsley@rapid7.com>
Date:   Mon Jan 26 15:58:02 2015 -0600

    Clean out whitespace, make vars more meaningful

commit 266b45dff26e2778e43d8e4750d212b5aee5a009
Author: Tod Beardsley <tod_beardsley@rapid7.com>
Date:   Mon Jan 26 15:54:32 2015 -0600

    Add some specs for regular users and blank users

commit 2e51503f76e9a2f6921c57e86a2f98527f80c874
Author: Tod Beardsley <tod_beardsley@rapid7.com>
Date:   Mon Jan 26 15:04:03 2015 -0600

    Users should be able to find blank user/pass
2015-01-26 16:26:30 -06:00
Jon Hart cb2bef878b
Land #4504, @disenchant's get/getg improvement 2015-01-26 12:49:34 -08:00
Christian Mehlmauer bb07ec8666
fix incorrect usage of .class 2015-01-26 15:46:58 +01:00
sinn3r c62beacd31 Revert #4473 - Log backtraces by default 2015-01-24 02:44:29 -06:00
Spencer McIntyre 32746e0088
Land #4631, @bcook-r7's fix for #4625 pkt requeue logic 2015-01-23 18:02:21 -05:00
Brent Cook 52ca6b54b1 remove entire 'default' attribute acccessor override method
This reverts us to the state before
725a17c70b, making OptRegexp simply
inherit from OptBase again.
2015-01-23 14:18:05 -06:00
Brent Cook 65d71a5e18 Fix #4625 Reenable channel receive packet requeueing logic
In #4475, I incorrectly interpreted the role of the 'incomplete' array
in monitor_socket, and that change should be reverted.

What appears to happen is, we play a kind of 3-card monty with the list
of received packets that are waiting for a handler to use them.
monitor_socket continually loops between putting the packets on @pqueue,
then into backlog[] to sort them, then into incomplete[] to list all of
the packets that did not have handlers, finally back into @pqueue again.
If packets don't continually get shuffled back into incomplete, they are
not copied back into @pqueue to get rescanned again.

The only reason anything should really get into incomplete[] is if we
receive a packet, but there is nothing to handle it. This scenario
sounds like a bug, but it is exactly what happens with the Tcp Client
channel - one can open a new channel, and receive a response packet back
from the channel before the subsequent read_once code runs to register a
handler to actually process it. This would be akin to your OS
speculatively accepting data on a TCP socket with no listener, then when
you open the socket for the first time, its already there.

While it would be nice if the handlers were setup before the data was
sent back, rather than relying on a handler being registered some time
between connect and PacketTimeout, this needs to get in now to stop the
bleeding. The original meterpreter crash issue from #4475 appears to be
gone as well.
2015-01-23 08:50:37 -06:00
sinn3r f3a2d6663f Fix #4616 and Fix #3798 - Correctly use OptRegexp
This patch fixes a problem with OptRegexp. The OptRegexp class is
always forcing the value to be converted to a string first, which
causes the EXCLUDE option in browser_autopwn to kick in and match
every found autopwn module, so it ignores all of them and you load
nothing (#4616).

It is important to understand that nil actually represents an option
not being set, which is a completely different behavior than having
an empty value (technically "" is still a value, and if there's a
value, it means the option is set). We need to watcher for these
scenarios.

I am restoring the #default method to avoid forcing a to_s, which should
fix the browser autopwn loading problem. And then I changed scraper.rb's
default value for datastore option PATTERN to a string, because still
fixes #3798. The way I see it, #3798 is actually a module-specific issue.

Fix #4616
Fix #3798
2015-01-23 02:38:26 -06:00
jvazquez-r7 c507e73a02 Comment to clarify serialVersionUID fields 2015-01-22 18:40:52 -06:00
jvazquez-r7 e377ed3f83 Document the 'null' UnicastRef ObjId on the discovery package 2015-01-22 18:39:12 -06:00
William Vu 0612e1906a
Land #4614, {32,64}-bit Registry access 2015-01-22 13:25:51 -06:00
William Vu a52f491d81
Land #4615, stopgap fix for module load race 2015-01-21 07:39:07 -06:00
jvazquez-r7 c33e5faed3 Change namespace 2015-01-21 01:00:45 -06:00
William Vu 1dafedf23b
Clarify no encoder/badchars specified 2015-01-21 00:26:42 -06:00
jvazquez-r7 37ed1b1e62 Delete default values for datastore options 2015-01-21 00:14:46 -06:00
William Vu 4cc027c4c1
Move "found" message to a saner location
Thanks to Peleus for the idea.
2015-01-20 23:58:12 -06:00
jvazquez-r7 2ef57d6172 Add specs for Msf::Jmx::MBean::ServerConnection 2015-01-20 19:10:21 -06:00
jvazquez-r7 0b2d65749b Do better argument handling on Msf::Jmx::Mbean::ServerConnection 2015-01-20 18:46:09 -06:00
jvazquez-r7 dbe7afd3e7 Add dcoumentation for Msf::Jmx::Mbean::ServerConnection 2015-01-20 18:29:21 -06:00
jvazquez-r7 2f2796bfdf Add documentation for Msf::Jmx::Discovery 2015-01-20 18:16:53 -06:00
jvazquez-r7 552f0325be Add documentation for Msf::Jmx::Handshake 2015-01-20 18:11:44 -06:00
jvazquez-r7 625420120c Add documentation for extract_unicast_ref 2015-01-20 17:48:49 -06:00
jvazquez-r7 b97c0fe398 Add Msf::Jmx::Util#extract_unicast_ref 2015-01-20 17:46:42 -06:00
jvazquez-r7 7b675adf01 Add specs for Msf::Jmx::Handshake 2015-01-20 17:29:48 -06:00
Brent Cook 5954e2300f updates based on feedback
Add documentation to the view constants.
Use include? rather than regexes
2015-01-20 16:57:49 -06:00
Tod Beardsley 9017aa0f6b
Avoid magic number to make @wvu marginally happier 2015-01-20 16:29:59 -06:00
Tod Beardsley e88c4f1587
Switching from if mod.nil? to unless mod
Because it reads nicer, though `mod` will never be `FalseClass`
2015-01-20 16:21:00 -06:00
jvazquez-r7 39e3f9f892 Add specs for Msf::Jmx::Util 2015-01-20 16:18:53 -06:00
Tod Beardsley 63c66f66a0
Add a second_chance on cmd_use
This is a weak attempt to solve a race condition between modules loading
and cmd_use being fired. Upon startup, saved configurations, running
resource scripts, and running commands will sometimes jump ahead of the
module loading procedure.

I have not discovered where the race actually is and how to cause the
race to happen. However, the timing seems to be fairly close to a second;
by waiting three seconds after trying use again, we seem to be in the
clear, at least according to testing.

Fixes #4549, but better solutions are welcome!
2015-01-20 15:46:29 -06:00
Brent Cook a42cc2ef1f add support for specifying 32 or 64-bit registry access
This adds an extra parameter to most of the post/windows/registry
methods called 'view' that specifies if a registry key should be
accessed as a native process, 32-bit or 64-bit.

Support is added to both the Meterpreter and command-line backends. For
the command backend, a lot of boilerplate is removed from each method in
favor of a few shared commands. There is an error hash that never gets
used, so I removed it as well.

This passes the post/test/registry module with meterpreter, but fails
the command line backend. However, it fails in the same way without
these changes (tested on Windows 8), so I suspect that the command line
session was already not working well, at least with newer versions of
Windows. I might look into figuring out how to fix that, but it looks
pretty fragile to me, parsing for english phrases in the output.
2015-01-20 15:26:59 -06:00
jvazquez-r7 4311226840 Add documentation for Rex::Java::Serialization::Builder 2015-01-20 11:26:52 -06:00
jvazquez-r7 3c718ba5df Reorder Stream building 2015-01-20 11:18:18 -06:00
jvazquez-r7 6ee853fbe2 Use short type of BlockData.new 2015-01-20 10:52:17 -06:00
jvazquez-r7 0584ae8177 Add Rex::Java::Serialization::Builder#new_object 2015-01-20 10:31:37 -06:00
jvazquez-r7 6ca86256cf Add Rex::Java::Serialization::Builder#new_array 2015-01-20 10:23:09 -06:00
jvazquez-r7 ec57387821 Add Rex::Java::Serialization::Builder#new_class 2015-01-19 11:54:12 -06:00
jvazquez-r7 4220a5e60f Use Rex::Java::Serialization::Builder#new_class 2015-01-19 11:53:53 -06:00
William Vu cffa55b12e
Improve proxy chain description 2015-01-18 22:32:22 -06:00
jvazquez-r7 86a37b4cff First create NewClassDesc refactoring 2015-01-18 17:47:26 -06:00
Christian Mehlmauer 5b964bba6a
Land #4518, Wordpress long password DoS 2015-01-18 23:55:06 +01:00
jvazquez-r7 84f5c7ed61 Use extract_string and extract_int 2015-01-18 01:23:19 -06:00
jvazquez-r7 3a3e37ba6c Refactor extract_mbean_server 2015-01-18 01:20:13 -06:00
jvazquez-r7 4247747fc5 Refactor extract_object 2015-01-18 01:13:00 -06:00
William Vu cb0257bec7
Land #4576, OpenVAS database import fix 2015-01-18 00:45:36 -06:00
jvazquez-r7 ab391f3b32 Do minor JMX mixin cleanup 2015-01-17 22:40:43 -06:00
nstarke 55a746eeb7 Changing code to catch everything extraneous 2015-01-17 15:46:26 +00:00
jvazquez-r7 697e4fbd41
Land #4584, @sgabe's fix for egghunter searchforward 2015-01-16 19:36:52 -06:00
jvazquez-r7 a42b095472 Delete heaponly option 2015-01-16 19:35:57 -06:00
jvazquez-r7 859a8978e7 Allow searchforward to be an string 2015-01-16 19:33:19 -06:00
sgabe 3297d198f3 Fix search-forward option in regular egghunter 2015-01-16 22:16:30 +01:00
Brent Cook a2a1a90678
Land #4316, Meatballs1 streamlines payload execution for exploits/windows/local/wmi
also fixes a typo bug in WMIC
2015-01-16 11:16:22 -06:00
jvazquez-r7 c516190d07 Create Msf::Jmx::Util 2015-01-15 23:21:54 -06:00
jvazquez-r7 d9c6c56779 Refactor extract_rmi_connection_stub 2015-01-15 23:15:30 -06:00
jvazquez-r7 2d2f26a0e3 Change method names for stream builders 2015-01-15 23:01:27 -06:00
James Lee 273ba54a21
Fix server/capture/smb to use create_credential 2015-01-15 22:39:11 -06:00
jvazquez-r7 00117fc963 Do first and ugly refactoring 2015-01-15 21:18:03 -06:00
Jon Hart da1c56a65d
Add minimal tests for get/getg 2015-01-15 14:46:12 -08:00
Brent Cook bc895ab4d1
Land #4582, jhart-r7's Apple Airport Authentication Avalanche 2015-01-15 14:07:18 -06:00
Jon Hart 7a900cc889
More Ruby-ish way for cmd_get 2015-01-15 11:54:01 -08:00
Jon Hart 8aff50aed1
Make get/getg help more consistent 2015-01-15 11:36:32 -08:00
Jon Hart 45cef82f6c
Use appropriate help for get/getg 2015-01-15 11:35:39 -08:00
jvazquez-r7 621cada2ac Undo build_gc_call_data refactoring 2015-01-14 16:47:28 -06:00
William Vu f0de45c371
Fix typo and add Subject support 2015-01-14 02:17:29 -06:00
sgabe 95eab85df4 Add support for heap-only search in regular egghunter 2015-01-13 21:31:13 +01:00
Jon Hart 5cc7d5d1a8
Remove errant pry 2015-01-13 10:35:05 -08:00
jvazquez-r7 ad082bc1af Add specs for build_dgc_ack 2015-01-13 11:02:16 -06:00
jvazquez-r7 0babde8c1a Fix specs 2015-01-13 10:48:23 -06:00
jvazquez-r7 4351964290 Change module filename 2015-01-13 10:46:14 -06:00
jvazquez-r7 3946b95bc3 Update rex code and specs 2015-01-13 10:45:00 -06:00
jvazquez-r7 1f0b986bf1 Change filenames 2015-01-13 10:43:27 -06:00
Jon Hart 69f03f5c5d
Move ACPP default port into Rex 2015-01-12 19:43:57 -08:00
Jon Hart d5cdfe73ed
Big style cleanup 2015-01-12 19:11:14 -08:00
nstarke 9baae6e494 Potential Fix For OpenVAS DB Import Issue 2015-01-13 02:46:13 +00:00
Jon Hart ec506af8ea
Make ACPP login work 2015-01-12 14:01:23 -08:00
Jon Hart e9557ffe58 Simplify module in prep for some authbrute cleanups 2015-01-12 13:08:12 -08:00
Jon Hart 691ed2cf14 More cleanup
Don't validate checksums by default until they are better understood
Handle the unknowns a bit better
Make checksum failures more obvious why it failed
2015-01-12 13:08:12 -08:00
Jon Hart 97f5cbdf08 Add initial Airport ACPP login scanner 2015-01-12 13:08:12 -08:00
Jon Hart fba6945e9a Doc payload oddness. Add more checksum tests 2015-01-12 13:08:12 -08:00
Jon Hart 54eab4ea3d Checksum validation, more tests 2015-01-12 13:08:12 -08:00
Jon Hart 7e4dd4e55b Add ACPP decoding capabilities 2015-01-12 13:08:12 -08:00
Jon Hart 2af82ac987 Some preliminary Apple Airport admin protocol (ACPP?) support 2015-01-12 13:08:11 -08:00
David Maloney 6dad66c04c
add Date header support to SMTP deliver
the SMTP mixin now supports the Date header.
The user can supply a a value for the Date Header
or else it will automatically use the current local
DateTime. This will help alleviate certain issues
caused by servers setting this field for the cliebnt incorrectly

MSP-9390
2015-01-12 11:18:07 -06:00
Jon Hart d8743ea32b
Land #4539, @Meatballs1's creds cmd now supports type filters, -R for search 2015-01-08 18:48:27 -08:00
Jon Hart 7c4b86ca4c
If an unsupported cred type is given to -t, show what is valid 2015-01-08 18:42:25 -08:00
Jon Hart e4cdac1440
Land #4559, @FireFart's fix for wordpress version detection (from wpscan) 2015-01-08 15:19:29 -08:00
Brent Cook fb5170e8b3
Land #2766, Meatballs1's refactoring of ExtAPI services
- Many code duplications are eliminated from modules in favor of shared
   implementations in the framework.
 - Paths are properly quoted in shell operations and duplicate operations are
   squashed.
 - Various subtle bugs in error handling are fixed.
 - Error handling is simpler.
 - Windows services API is revised and modules are updated to use it.
 - various API docs added
 - railgun API constants are organized and readable now.
2015-01-08 16:54:01 -06:00
Jon Hart ed74271c26
Land #4548, @dmaloney-r7's fix to allow loginscanners to work w/o a DB 2015-01-08 14:50:08 -08:00
Christian Mehlmauer 14b1d8dc5f
no space required 2015-01-08 23:43:06 +01:00
Jon Hart 98cee8249d
Move non-active DB messages to warning and clarify/simplify 2015-01-08 14:40:47 -08:00
Christian Mehlmauer f7eb9a6cf8
update wordpress version detection regex 2015-01-08 23:36:59 +01:00
sinn3r 50ecfbf64c
Land #4553 - Update bypass UAC to work on 7, 8, 8.1, and 2012 2015-01-08 16:19:55 -06:00
Brent Cook 05279ef02a consistently use double-quoted paths
allow for variable expansion if needed
2015-01-08 16:10:28 -06:00
jvazquez-r7 fa5cd928a1 Refactor exploit to use the mixin 2015-01-08 16:04:56 -06:00
jvazquez-r7 ca765e2cc5 Refactor client mixin 2015-01-08 15:46:24 -06:00
jvazquez-r7 873ade3b8a Refactor exploit module 2015-01-08 14:52:55 -06:00
jvazquez-r7 956bf0c8f9 Fix indentation 2015-01-08 14:31:37 -06:00
jvazquez-r7 e9e6c32769 Move build* calls to Streams 2015-01-08 14:13:06 -06:00
jvazquez-r7 23d0ae9488 Add Streams mixin 2015-01-08 14:01:41 -06:00
jvazquez-r7 c205ef28d4 Refactor build_gc_call 2015-01-08 14:01:04 -06:00
Christian Mehlmauer a5b56c7d09
fix error 2015-01-08 19:48:29 +01:00
David Maloney fd7e65d459
derp just check db active
the other way of doing this was stupid, jsut check if
the db is active
2015-01-08 11:58:56 -06:00
jvazquez-r7 bf482e806c Add YARD documentation for the YARD mixin 2015-01-08 09:56:32 -06:00
Meatballs 8f720ef766
Use get_env in runas 2015-01-08 11:07:40 +00:00
jvazquez-r7 73e3cd19c3 Convert java_rmi_server aux mod to use new mixin 2015-01-08 00:29:50 -06:00
OJ 844460dd87
Update bypass UAC to work on 8.1 and 2012
This commit contains a bunch of work that comes from Meatballs1 and
Lesage, and updates the bypassuac_inject module so that it works on
Windows 8.x and Windows 2012. Almost zero of the code in this module
can be attributed to me. Most of it comes from Ben's work.

I did do some code tidying, adjustment of style, etc. but other than
that it's all down to other people.
2015-01-08 15:39:19 +10:00
jvazquez-r7 7dd7e62726 Add first mixin draft 2015-01-07 20:42:44 -06:00
jvazquez-r7 d59805568e Do first module refactoring try 2015-01-07 19:06:09 -06:00
Samuel Huckins f0261a418c
Lands #4535, report_auth_info shoring up 2015-01-07 16:32:14 -06:00
David Maloney 001b6d913e
allows loginscanners to work without db
created stub methods around the credential
creation methods modules would use from
Metasploit::Credential, they try to call the real ones
but rescue a NoMethodError that arises if framework is setup
without the db. it just prints a message to the console
telling the user the cred data will not be saved

MSP-10969
2015-01-07 16:09:04 -06:00
Meatballs e6f53ebcbc
Remove duplicate rhosts 2015-01-07 22:04:01 +00:00
Meatballs dccd21a559
Resolve #3870, reinstance creds -R 2015-01-07 22:01:45 +00:00
James Lee da2e088118
Land #4536, Ruby 2.2 compat fixes
Note that ActiveRecord 3.2.21 still has a similar warning that will
probably cause bugs, preventing full support for 2.2 until that's fixed.
2015-01-07 15:33:23 -06:00
Meatballs e3e9a64064
Land #4543, Update john.conf with korelogic rules 2015-01-07 21:30:44 +00:00
jvazquez-r7 731c2f99d1 Handle better java references 2015-01-07 15:19:28 -06:00
Meatballs bdbb26ba31
Land #4540, resolves #4532, honour DB_ALL_* options 2015-01-07 21:12:23 +00:00
Meatballs 0b0ac1455a
Merge remote-tracking branch 'upstream/master' into extapi_service_post
Conflicts:
	test/modules/post/test/services.rb
2015-01-07 20:53:34 +00:00
rastating 294cd80a08 Update documentation for wordpress_login 2015-01-07 18:32:52 +00:00
David Maloney 4ad7021336
give user option to turn on KoreLogic rules
the cracker modules in framework now have a datastore option
to allow the user to select the KoreLogicRules
2015-01-07 12:32:26 -06:00
David Maloney 5d68d48ca5
Land #4385, fixes bruteforce_speed validator
bruteforce_speed validator now accepts nil
2015-01-07 12:09:25 -06:00
jvazquez-r7 ba13e9d64c Add Stream spec 2015-01-07 12:05:44 -06:00
David Maloney 702511dbc5
respect DB_ALL_USERS & DB_ALL_PASS
fix last few things in authbrute
and make the CredentialCollections understand the
additional seperate components

MSP-11986
2015-01-07 11:41:41 -06:00
David Maloney 7ff2ba0725
first pass on fixing DB_ALL authbrute stuff
DB_ALL_CREDS worked but DB_ALL_USER and DB_ALL_PASS
did not. working on fixing that.
This commit also does some nice DRY work in the auth_brute mixin

MSP-11986
2015-01-07 11:30:39 -06:00
Meatballs aef8c702d7
Filter creds by type 2015-01-07 17:19:31 +00:00
rastating e90e98547b Add configurable timeout to WordPress login 2015-01-07 17:06:31 +00:00
dmooray 478505c17a ruby 2.2 compatibility
https://bugs.ruby-lang.org/issues/10314
2015-01-07 11:41:34 +02:00
jvazquez-r7 98ec08ae0d Add support for Ping and PingAck 2015-01-06 15:18:55 -06:00
jvazquez-r7 1e3b24f01b Add support for DbgAck 2015-01-06 15:00:17 -06:00
jvazquez-r7 6d1d300e72 Add support for ReturnData 2015-01-06 12:52:00 -06:00
sinn3r 609c490b3c I missed nobfu 2015-01-06 12:49:39 -06:00
sinn3r 2ed05869b8 Make Msf::Exploit::PDF follow the Ruby method naming convention
Just changing method names.

It will actually also fix #4520
2015-01-06 12:42:06 -06:00
jvazquez-r7 825e08f5ac Add support for Call messages 2015-01-06 12:36:06 -06:00
jvazquez-r7 f3ff42dbfb Add support for Continuation 2015-01-06 11:34:47 -06:00
William Vu 0bece137c1
Land #4494, Object.class.to_s fix 2015-01-06 02:27:35 -06:00
jvazquez-r7 757f95a24d Add support for ProtocolAck 2015-01-06 00:14:14 -06:00
jvazquez-r7 26da73ffb8 Change class name 2015-01-05 19:23:07 -06:00
jvazquez-r7 d5dfd75e71 Add initial model and support to OutputStream 2015-01-05 18:52:13 -06:00
Meatballs dd5c638ab0
Merge remote-tracking branch 'upstream/master' into extapi_service_post 2015-01-05 22:18:44 +00:00
David Maloney fc91244252
insert deprecation error message
report_auth_info will now issue an error message
stating that the method is deprecated along with the module name
that called it

MSP-11919
2015-01-05 14:02:16 -06:00
David Maloney db8f260557
add some YARD docs to report_auth_info
add yard docs for the modified report_auth_info

MSP-11919
2015-01-05 13:58:25 -06:00
David Maloney 71d600e829
make report_auth_info create new creds and logins
report_auth_info coerces old data into the new credential
types as best as it is able

MSP-11919
2015-01-05 13:41:30 -06:00
OJ 17ff546b0f Remove unnecessary calls to expand path
When using the Meterpreter Binaries gem to locate the path to the
meterpreter DLLs, it's not necessary to use File.expand_path on
the result because the gem's code does this already.

This commit simple removes those unnecessary calls.
2015-01-03 08:30:26 +10:00
sinn3r d45cdd61aa Resolve #4507 - respond_to? + send = evil
Since Ruby 2.1, the respond_to? method is more strict because it does
not check protected methods. So when you use send(), clearly you're
ignoring this type of access control. The patch is meant to preserve
this behavior to avoid potential breakage.

Resolve #4507
2015-01-02 13:29:17 -06:00
Sven Vetsch b121e2c3fd adds a get and getg method besides the already existing set/setg and unset/unsetg 2015-01-02 12:40:24 +01:00
Christian Mehlmauer 056046f38b
update wordpress readme regex 2015-01-01 23:13:20 +01:00
Spencer McIntyre 6d966dbbcf
Land #4203, @jvazquez-r7's cleanup for java_rmi_server 2014-12-31 11:25:19 -05:00
Brent Cook 92bdf42496
Land #3594, jvazquez-r7's linux meterpreter migration support 2014-12-31 09:20:44 -06:00
Christian Mehlmauer 4f11dc009a
fixes #4490, class.to_s should not be used for checks 2014-12-31 10:46:24 +01:00
jvazquez-r7 722f86f361 Try to guess TMPDIR folder 2014-12-30 18:39:29 -06:00
jvazquez-r7 7596d211e9 Use length for comparision 2014-12-30 18:39:18 -06:00
jvazquez-r7 e903044fd5 Allow to provide writable dir 2014-12-30 18:36:30 -06:00
jvazquez-r7 f17a7e8a61 Better handling of the unix domain socket argument 2014-12-30 18:36:28 -06:00
jvazquez-r7 4df4e8b9d6 Add support for linux meterpreter migration 2014-12-30 18:34:24 -06:00
jvazquez-r7 56df2d0062 Add support for linux meterpreter migrate types 2014-12-30 18:30:15 -06:00
sinn3r 553030b22d
Land #4473 - Log backtraces by default 2014-12-30 18:13:33 -06:00
Tod Beardsley 135faeee29
Land #4095, specs for Rex::OLE 2014-12-30 14:25:09 -06:00
Christian Mehlmauer 6444d8ba64
use kind_of? for checking exceptions 2014-12-30 21:16:57 +01:00
William Vu ce0bbca6ed
Land #4487, no spinnerz on Windows :( 2014-12-30 14:06:05 -06:00
Tod Beardsley a8e907d68b
Land #4479, nil comparisons and missing DLLs
Also fixes #4474.
2014-12-30 13:55:54 -06:00
Brent Cook bdac5db695 remove usage of ==/!= nil
Adjust all module-loading libraries to have consistent nil?/!nil? checking and
'if' style.
2014-12-30 10:59:49 -06:00
Tod Beardsley 6ded5a7eb4
Avoid spinner on Windows
Fixes #4147, probably.
2014-12-30 10:17:56 -06:00
Jon Hart d727ac5367
Alias Rex::Ui::Text::Output::Tee print_raw to write, fixes #4469 and #4363 2014-12-29 16:47:04 -08:00
sinn3r 9af3fd01d4 Fix response_timeout
response_timeout is a method specific to a meterpreter session, not
shell. So if the user is using a shell type payload, he will never
see a backtrace before interacting with the sessions.
2014-12-29 17:03:50 -06:00
sinn3r 555713b6ae
Land #4456 - MS14-068, Kerberos Checksum (plus krb protocol support) 2014-12-29 16:09:28 -06:00
Brent Cook f9b141c1e2
Land #4442, wchen-r7's configurable session response timeout option
fixes #4431
2014-12-29 13:02:47 -06:00
Brent Cook 5d70b837ed handle nil results from MeterpreterBinaries.path
When a meterpreter binary cannot be found, give the user some hint about what
went wrong.

```
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.43.1
lhost => 192.168.43.1
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.43.1:4444
[*] Starting the payload handler...
[*] Sending stage (770048 bytes) to 192.168.43.252
[*] Meterpreter session 1 opened (192.168.43.1:4444 -> 192.168.43.252:49297) at 2014-12-29 12:32:37 -0600

meterpreter > use mack
Loading extension mack...
[-] Failed to load extension: No module of the name ext_server_mack.x86.dll found
```

This is also useful for not scaring away would-be developers who replaced only
half (the wrong half) of their DLLs from a fresh meterpreter build and
everything exploded. Not that thats ever happened to me :)
2014-12-29 12:34:02 -06:00
Tod Beardsley 72eb8e6503
Land #4475, inverted timeout fix 2014-12-29 11:37:28 -06:00
Brent Cook bbb41c39b8 fix backward meterpreter packet timeout logic
The current logic times out every packet almost immediately, making it possible
for almost any non-trivial meterpreter session to receive duplicate packets.

This causes problems especially with any interactions that involve passing
resource handles or pointers back and forth between MSF and meterpreter, since
meterpreter can be told to operate on freed pointers, double-closes, etc.

This probably fixes tons of heisenbugs, including #3798.

To reproduce this, I enabled all debug messages in meterpreter to slow it
down, then ran this RC script with a reverse TCP meterpreter, after linking in
the test modules:

(cd modules/post
 ln -s ../../test/modules/post/test)

die.rc:
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.43.1
exploit -j
sleep 5
use post/test/services
set SESSION 1
run
2014-12-29 08:15:51 -06:00
Christian Mehlmauer 3a73b40a1e
more error handling 2014-12-29 00:39:00 +01:00
Christian Mehlmauer 7b52bcb657
log errors into framework.log 2014-12-29 00:20:26 +01:00
jvazquez-r7 04772c8946 Ensure stop_service closes Rex::Proto::Http::Server 2014-12-26 13:50:03 -06:00
jvazquez-r7 c1b0385a4b
Land #4460, @Meatballs1's ssl cert validation bypass on powershell web delivery 2014-12-26 12:07:45 -06:00
jvazquez-r7 d148848d31 Support Kerberos error codes 2014-12-24 18:05:48 -06:00
Brent Cook 725a17c70b override default attr for OptRegexp
Rather than literally returning the default Regex object, override the accessor
to return the string representation. This allows the RPC backend to properly
serialize the options hash values, since msgpack does not know how to serialize
a Regexp object. Fixes #3798.

To verify the fix, run the steps for issue #3798 and ensure that the module
options are returned instead of a backtrace. Also, ensure that the module
continues to work as expected:

```
$ ./msfconsole -q
msf > use auxiliary/scanner/http/scraper
msf auxiliary(scraper) > info

       Name: HTTP Page Scraper
     Module: auxiliary/scanner/http/scraper
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  et <et@metasploit.com>

Basic options:
  Name     Current Setting               Required  Description
  ----     ---------------               --------  -----------
  PATH     /                             yes       The test path to the page to analize
  PATTERN  (?i-mx:<title>(.*)<\/title>)  yes       The regex to use (default regex is a sample to grab page title)
  Proxies                                no        Use a proxy chain
  RHOSTS                                 yes       The target address range or CIDR identifier
  RPORT    80                            yes       The target port
  THREADS  1                             yes       The number of concurrent threads
  VHOST                                  no        HTTP server virtual host

override default attr for OptRegexp
Description:
  Scrap defined data from a specific web page based on a regular
  expresion

msf auxiliary(scraper) > set RHOSTS lwn.net
RHOSTS => lwn.net
msf auxiliary(scraper) > set RHOSTS 72.51.34.34
RHOSTS => 72.51.34.34
msf auxiliary(scraper) > set VHOST lwn.net
VHOST => lwn.net
msf auxiliary(scraper) > run

[*] [72.51.34.34] / [Welcome to LWN.net [LWN.net]]
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
2014-12-24 09:57:14 -06:00
jvazquez-r7 05a9ec05e8 raise NotImplementedError 2014-12-23 19:59:37 -06:00
jvazquez-r7 4493b3285c Raise NoMethodError for methods designed to be overriden 2014-12-23 19:51:41 -06:00
jvazquez-r7 fee033d6df Use Rex::Text.md5_raw 2014-12-23 19:30:23 -06:00
Meatballs c2bcde24ef
Land #4377, Support DYNAMIC_BASE templates - resolves #4366 2014-12-23 11:57:33 +00:00
Meatballs b41e259252
Move it to a common method 2014-12-23 11:16:07 +00:00
Joe Vennix e974d272f0
Remove stray line comment that ruined things when minified. 2014-12-23 00:22:50 -06:00
jvazquez-r7 13ec578d1a Revert "Back to Create OpenSSL::BN from string"
This reverts commit 635a54ca94.
2014-12-22 23:17:03 -06:00
jvazquez-r7 635a54ca94 Revert "Create OpenSSL::BN from string"
This reverts commit fe99b65a62.
2014-12-22 19:14:07 -06:00
jvazquez-r7 fe99b65a62 Create OpenSSL::BN from string 2014-12-22 18:44:47 -06:00
jvazquez-r7 d12b43d257 Use Intege.new 2014-12-22 18:37:07 -06:00
jvazquez-r7 f37cf555bb Use random subkey 2014-12-22 15:39:08 -06:00
jvazquez-r7 ad97457a39 Move more constants to Crypto 2014-12-22 15:27:16 -06:00
jvazquez-r7 75a2846377 Add more PAC constants 2014-12-22 15:14:46 -06:00
jvazquez-r7 5a6c915123 Clean options 2014-12-22 14:37:37 -06:00
sinn3r bcf659792e Restore original timeout 2014-12-22 12:34:52 -06:00
jvazquez-r7 f3b263f57d Use more crypto constants 2014-12-22 12:13:23 -06:00