85 lines
2.6 KiB
Plaintext
85 lines
2.6 KiB
Plaintext
X - evasion class
|
|
X - set_level(evlvl)
|
|
X - high?
|
|
X - medium?
|
|
- testing framework
|
|
- run all the exploits through all the diff payload handler permutations
|
|
- simulate clients for each different permutation
|
|
X - seh exploit mixin
|
|
X - generate padded registration records
|
|
X - move jump around
|
|
X - use multi-size jump
|
|
- return address pool
|
|
- exploits say what modules they have present
|
|
- target says what platform is being exploited
|
|
- target says what type of instruction is viable
|
|
- pool returns a random return address for that target
|
|
- automatic opcode db synchronization
|
|
- add module meta-info
|
|
- payloads
|
|
- calling convention (staged shell is incompat with ord stagers)
|
|
- stack requirements
|
|
- etc
|
|
- exploit reloading
|
|
- payload convention
|
|
- make it so stages/stagers are queried for compatibility
|
|
- make it so exploits query convention compat
|
|
- ws2ord stuff
|
|
|
|
X - switch to x86 from ia32
|
|
X - exploit kick-off
|
|
X - payload generation
|
|
X - generate payload for target
|
|
X - encoder payload for target
|
|
X - loop encoders on failure
|
|
X - pad nops
|
|
X - handler init
|
|
X - setup handler
|
|
X - start handler
|
|
X - exploit
|
|
X - call exploit
|
|
X ... wait for session ...
|
|
X - handler cleanup
|
|
X - stop handler
|
|
X - cleanup handler
|
|
X -
|
|
X
|
|
X - add the concept of services to framework:
|
|
X - instead, just make it a singleton, doesn't belong on framework
|
|
X - add port forward service
|
|
X
|
|
X# first parameter is class that must inherit from Rex::Proto so that it has .alias
|
|
Xservice = framework.services.start(Rex::Proto::HTTP::Server, 'Port' => 80, 'Host' => '127.0.0.1')
|
|
Xservice = framework.services['HTTP Server']
|
|
X
|
|
Xoverrides any existing resource handler with this name:
|
|
Xservice.create_resource("/uri", Proc.new { |conn, request|
|
|
X})
|
|
X
|
|
Xservice.remove_resource("/uri")
|
|
Xservice.shutdown
|
|
X ^- reference counted, only terminates when reference count drops to zero
|
|
X
|
|
X- exploit mixins
|
|
X - Http
|
|
X - Http::Client
|
|
X connect
|
|
X create_request
|
|
X send_request
|
|
X handler
|
|
X - Http::Server
|
|
X handle_request(req)
|
|
X create_response
|
|
X send_response
|
|
X- findsock payloads
|
|
X - findsock handler
|
|
- meterpreter
|
|
X - more ui wrapping
|
|
X - fix route addition/removal in stdapi server dll (mib structure issue)
|
|
X - fix interactive stream pool channels
|
|
X - make migrate on server not open with PROCESS_ALL_ACCESS
|
|
N - dupe input instance when passing to sessions
|
|
X - fix module loading order
|
|
X - problems with dllinject getting loaded after meterpreter due to dependencies
|
|
X - fix default handle inheritance in meterp process execution
|