[FixRM #8749] Basically the spawn_meterpreter script doesn't
actually allow the user to set their own LHOST/LPORT datastore
options, because they come from the session object, not from the
active module or the framework object.
The fix is to allow the user to config them from framework. But
if they forget to do this (because naturally people probably
assume that active module datastore options are the same as the
ones set in framework), then for LHOST, we default whatever we get
from Rex::Socket.source_address. As for LPORT, we'll pick a one
that's not used by any of the sessions.
As mentioned here https://community.rapid7.com/thread/3788 the metsvc
script was still looking for the old file name for metsrv.dll, which
was causing the script to fail.
This commit fixes this issue. A hash is used to indicate local and remote
file names so that the remote can continue to use metsrv.dll, but it
is correctly located on disk locally.
Added -x parameter to the script which indicates that the underlying
meterpreter session should be terminated when the execution has
finished.
Added -s parameter which takes a floating point number as an arg
which indicates the number of seconds to sleep between uploading
and executing. This helps in the case where http(s) payloads are
used for meterpreter and a time delay is needed to make sure that
the file has been written to disk and the lock released prior to
attempting to executing it.
While testing stuff earlier today I had to use this script and I made the
mistake of not passing in the -rc flag to the script. I was confused for ages!
This change prints the usage message in the case where you don't pass proper
parameters to the script.
We use system %PATH% for notepad executable instead of the absolute
path, because it caused a problem with the migrate script in a 64-bit
meterpreter session. By default the wordpad binary is not in the
%PATH%, so the condition in hp_nnm_ovbuildpath_textfile.rb was not
changed.
Added new -c option for value 2, which will start the keylogger in the current process instead of attempting to migrate. I also made this setting the default.
Added -k option which, if provided, will attempt to kill the old pid after a successful migration.
Fixed a bug where a blank line would get added to the log file every polling interval if no keystrokes had been detected during that interval.
1.) Now grabs clear-text user hint from XP systems in addition to
Win7/Win8 systems
2.) Changes output so it's no longer inline with hashes as not to
affect copy/paste of hashes output
3.) Adding alternate text in cases when no user hints are available
* UserPasswordHint, a key that is used to store the users password
hint, can be easily decoded to clear-text to get the users hint
(Example: "My Favorite Color")
* Added decode_windows_hint() method to perform the decode process
* Added decoded hint output for hashdump.rb and smart_hashdump.rb
-This commit Addresses Metasploit Bug #4402 that notes corrupted (aka:
incorrect) hashes yielded from hashdump
-Fail case can be reliably reproduced on a Windows system where (1) a
user is not storing an LM hash and (2) password histories are enabled
on the system
-This issue along with other extraction tools that are affected in a
similar way will be discussed at BlackHat USA 2012 and DEFCON 20 in 2
weeks.
If you have questions, please let us know.
-Jonathan Claudius (@claudijd)
-Ryan Reynolds (@reynoldsrb)