Spencer McIntyre
147837e9b6
Validate payload size even when not encoding
2022-02-25 17:21:59 -05:00
Spencer McIntyre
9f6e3ba543
Set the cached size for adapted payloads
2022-02-25 11:55:48 -05:00
adfoster-r7
5ee44bcdb7
Ignore reload lib spec helper file
2022-02-25 12:38:03 +00:00
space-r7
9c56a9a2bc
add more definitions / constants for permissions
2022-02-24 20:20:38 -06:00
Jeffrey Martin
abe55c8f91
raise RuntimeError on incomplete or extra data
2022-02-24 14:02:44 -06:00
Metasploit
da044a967a
Bump version of framework to 6.1.32
2022-02-24 12:07:52 -06:00
sjanusz
f473c0e3b1
Convert core_enumextcmd and core_loadlib commands to human readable strings
2022-02-24 14:54:21 +00:00
Spencer McIntyre
bad55a858c
Add the new adapter payload type
2022-02-23 16:38:57 -05:00
bwatters
3ea032472d
Updated exploit with better check method, added OnSessionCmd option
to run a command when a session is bootstrapped, added more
documentation.
2022-02-18 16:30:47 -06:00
Metasploit
eb4969937f
Bump version of framework to 6.1.31
2022-02-17 12:10:25 -06:00
Tim W
480c44e9cb
refactor DEBUG_EXPLOIT code into mixin
2022-02-16 11:38:04 +00:00
bwatters
0239ef1cc6
Land #16117, Updates for Log4Shell
2022-02-15 16:39:00 -06:00
space-r7
99226f1a5c
add definitions for winspool and spoolss libs
2022-02-15 15:51:22 -06:00
adfoster-r7
18b4ce8a13
Update replicant pattern to increment refs
2022-02-15 16:08:35 +00:00
Jeffrey Martin
af3fa09896
refactor smtp delivery to support continuation
When dealing with SMTP servers the communication needs to follow
a known protocol. To ensure the socket is in the correct state
after a send and receive, it needs to be read until a line return:
a response code followed by a `space` and additional data and `\r\n`,
or the response code immediately followed by `\r\n`, is returned.
2022-02-14 16:55:49 -06:00
Simon Janusz
732bd3a71c
Land #16173, Add readline option to msfconsole
Add readline option to msfconsole
2022-02-14 16:11:15 +00:00
Tim W
e9758f33b5
Land #16175, order the loadpath summary in alphabetical order
2022-02-14 09:52:19 +00:00
alanfoster
d45783a5a0
Add readline option to msfconsole
2022-02-13 23:47:08 +00:00
Spencer McIntyre
683d4ac471
Add support for staged python command payloads
2022-02-13 12:03:08 -05:00
Tim W
a13ae3882b
Land #16174, fix specifying the mode on File.read for ruby 3 on multiple modules
2022-02-13 12:08:13 +00:00
alanfoster
ec2ae16135
Order loadpath summary output
2022-02-12 21:47:35 +00:00
alanfoster
395ab1d77e
Specify mode rb on file reads
2022-02-12 21:39:12 +00:00
Tim W
c2cacffee9
Land #16170, fix java native_arch
2022-02-12 06:13:48 +00:00
Grant Willcox
cfa3d15cee
Land #16161, Update user agent strings
2022-02-11 16:28:14 -06:00
Grant Willcox
47fea63fdf
One more update to address Apple bumping some versions at the very last minute
2022-02-11 15:57:09 -06:00
space-r7
db00991f26
Land #16150, add nagios xi web shell upload
2022-02-11 11:45:06 -06:00
sjanusz
2b281dce5c
Add support for Java Meterpreter's native_arch
2022-02-11 11:43:35 +00:00
Jeffrey Martin
5bc60f5bf7
clear any additional response on smtp connect
When connecting to an SMTP server after `HELO` and auth
complete there can be additional data sent from the client
that sits in the socket queue. Adding a `get_once` after connection
has settled ensures any pending extension responses are cleared.
2022-02-10 14:25:05 -06:00
Metasploit
0ee0e3959d
Bump version of framework to 6.1.30
2022-02-10 12:06:14 -06:00
bwatters
9635fde12d
Add support and templates for aarch64 targets
2022-02-10 10:49:02 -06:00
Grant Willcox
425e57b88b
Land #16163, Add the ClaimsPrincipal .NET gadget chain
2022-02-09 14:46:38 -06:00
Spencer McIntyre
e6c1d20c5d
Add the ClaimsPrincipal .NET gadget chain
2022-02-09 14:38:51 -05:00
space-r7
47c74a0037
Land #16121, fix rhost exception due to no session
2022-02-09 10:38:34 -06:00
Tim W
a50f39ac12
return super if no session
2022-02-09 10:08:02 +00:00
Spencer McIntyre
72ca957285
Don't use default values
2022-02-08 17:40:03 -05:00
Ashley Donaldson
1f60303772
Updated user agent strings as of 9 Feb 2022
2022-02-09 08:39:05 +11:00
Spencer McIntyre
1fe01087b6
Remove trailing whitespace from command output
2022-02-08 15:37:11 -05:00
Spencer McIntyre
7d9e6c2bb9
Don't crash when the hostname can't be determined
This fixes a framework-level crash when msfconsole initializes and the
HOSTNAME environment variable is not set and the hostname binary is
missing.
2022-02-08 15:14:36 -05:00
adfoster-r7
4294dcbc80
Land #16143, Fix unknown platform error against windows when using SSH login
Fix unknown platform error against Windows when using SSH Login
2022-02-07 11:50:02 +00:00
Jake Baines
9758251278
Initial commit of CVE-2021-37343
2022-02-05 18:21:18 -08:00
sjanusz
3c6cd7cc0a
Make platform check case-insensitive
2022-02-04 15:47:15 +00:00
adfoster-r7
4f69089690
Fix to_handler case sensitivity issue
2022-02-04 13:39:07 +00:00
Spencer McIntyre
965493191f
Add and use a Log4Shell mixin
2022-02-03 16:09:49 -05:00
Metasploit
c89ecd9c75
Bump version of framework to 6.1.29
2022-02-03 12:07:08 -06:00
adfoster-r7
f16815e776
Land #16066, Fix params not being passed to scripts
2022-02-03 12:28:59 +00:00
sjanusz
d854751f82
Fix params not being passed to scripts
2022-02-03 11:13:27 +00:00
adfoster-r7
5647e1a94f
Add service manager commands to msfconsole
2022-02-02 22:26:41 +00:00
adfoster-r7
d9876e889a
Land #15994, fix console.read does not return command output
2022-02-01 23:44:48 +00:00
Jeffrey Martin
5c47ff0e47
Land #16132, [MySQL injection library] Avoid the use of '<>'
2022-02-01 14:50:55 -06:00
adfoster-r7
8ab102e72c
Land #16014, Change custom parsers to Rex Parser and add long arguments
2022-02-01 17:38:51 +00:00
sjanusz
c4700ab2f4
Add state to workspace command, extract services columns, correct tab-complete
2022-02-01 17:09:17 +00:00
Redouane NIBOUCHA
51814a4a8b
Refactor the code, using if(CONDITION,sleep(...),0) only
2022-01-30 23:49:07 +00:00
Redouane NIBOUCHA
e329d78a46
Use = instead of <> for blind queries (fixes some wordpress plugin SQLis)
2022-01-30 23:01:08 +00:00
Tim W
613e06a8df
Fix exception in rhost during staging
2022-01-29 07:59:22 +00:00
Spencer McIntyre
d46822184f
Updates for Log4Shell
2022-01-28 14:56:44 -05:00
Brendan Coles
c30dcf57d0
prepend_nops: Return unmodified shellcode if no compatible nops for arch
2022-01-28 16:15:29 +00:00
Metasploit
50c1f7b775
Bump version of framework to 6.1.28
2022-01-27 12:05:14 -06:00
Grant Willcox
397e3aa1c6
Land #16090 - Add in user_data_directory function
2022-01-26 09:31:52 -06:00
Grant Willcox
780c8d3b7f
Land #16096, Support session -1 for ListenerComm options
2022-01-24 22:07:23 -06:00
Spencer McIntyre
12431d8479
Add a client reader for SSH server channels
2022-01-24 14:41:59 -05:00
Spencer McIntyre
dd2d512851
Support session -1 for ListenerComm options
2022-01-24 11:42:39 -05:00
Spencer McIntyre
3cd2b1b929
Update naming for consistency and the module
2022-01-24 10:35:40 -06:00
Ashley Donaldson
d088be6fa0
Metasploit-side logic to support a 5th getsystem mechanism
2022-01-24 10:35:40 -06:00
h00die
b72bdf0b76
Land #16054, updates to JTR compatibility with logging
2022-01-23 14:41:54 -05:00
audibleblink
e445a39719
adds user_data_directory
2022-01-23 10:29:01 -05:00
Metasploit
eccac8df4f
Bump version of framework to 6.1.27
2022-01-20 12:07:12 -06:00
bwatters
4cf3ae352c
Land #16050, Log4Shell: vCenter RCE
Merge branch 'land-16050' into upstream-master
2022-01-19 16:30:33 -06:00
Grant Willcox
a7bb8d0480
Land #16029, Fix OptPath options with empty strings
2022-01-19 13:08:34 -06:00
sjanusz
158a0aa30c
Change custom parser to Rex, add custom opt, add tabcomplete
2022-01-19 13:01:33 +00:00
h00die
d01594a570
spec not working quite right
2022-01-17 17:40:35 -05:00
h00die
7a7b009161
add more smarts to nolog for jtr
2022-01-17 15:33:41 -05:00
Metasploit
ad9517b81d
Bump version of framework to 6.1.26
2022-01-14 09:32:56 -06:00
namaenonaimumei
85aab39dbd
Fix syntax error for --nolog
2022-01-14 07:14:47 +09:00
space-r7
383ada6ae2
Land #16016, fix RHOSTS in dcerpc scanner
2022-01-13 13:15:24 -06:00
Spencer McIntyre
7b1398f0ae
Allow overriding check module datastore options
2022-01-13 11:51:39 -05:00
Spencer McIntyre
62a814fa59
Refactor Log4shell exploit code into reusable bits
2022-01-13 09:45:02 -05:00
Spencer McIntyre
e093154865
Refactor the BeanFactory gadget code
2022-01-12 16:58:31 -05:00
Spencer McIntyre
e873907d13
Initial vCenter exploit via Log4Shell
2022-01-12 15:34:45 -05:00
space-r7
199eae5e99
Land #16012, add pi-hole aux module and lib
2022-01-12 09:21:11 -06:00
Spencer McIntyre
877bab6f2a
Land #15969, Log4j2 HTTP Header Injection Exploit
2022-01-11 16:52:08 -05:00
Christophe De La Fuente
e8208c60b9
Land #16027, Fix the generate command's tab completion for -o and -f
2022-01-11 18:03:37 +01:00
Metasploit
9c1316d3a4
Bump version of framework to 6.1.25
2022-01-10 09:35:41 -06:00
Spencer McIntyre
f56f328c8d
Use an enum for the YSoSerial payload option
2022-01-07 17:30:39 -05:00
sjanusz
21beb58ffb
Add command to kill all Meterpreter channels
2022-01-07 12:12:14 +00:00
Christophe De La Fuente
59de13be43
Do not call File.expand_path() with empty strings
2022-01-07 13:09:47 +01:00
bwatters
f17d460a7a
Remove now unused deregister_tcp_options method
2022-01-06 15:48:24 -06:00
Spencer McIntyre
41b2bc4fac
Fix the generate command's tab completion
2022-01-06 15:15:49 -05:00
Metasploit
0234b89c9c
Bump version of framework to 6.1.24
2022-01-06 12:05:06 -06:00
space-r7
27ad15d040
Land #16015, fix tab completion for RHOSTS
2022-01-06 10:44:33 -06:00
Spencer McIntyre
4b37076bd4
Unify completion for OptAddressRange and OptRhosts
2022-01-05 14:11:43 -05:00
Spencer McIntyre
1e0d9af9d8
Fix tab completion for RHOSTS
2022-01-05 13:43:34 -05:00
Spencer McIntyre
d0417f60bd
Land #15924, Updates to Windows Secrets Dump
2022-01-05 13:25:59 -05:00
Christophe De La Fuente
f3f6f93e23
Fix sanity check failing on specific Ubuntu versions
2022-01-05 18:26:19 +01:00
Spencer McIntyre
cc2616b7cf
Land #15982, Normalize smbuser to a string
2022-01-04 15:42:01 -05:00
Christophe De La Fuente
ae2e4d723b
Add NTDS technique
2022-01-03 21:39:33 +01:00
h00die
990e4a1e7a
pihole new module and lib
2022-01-02 11:48:41 -05:00
h00die
c3e0f455ec
some cleanup for rubocop
2021-12-30 15:35:22 -05:00
Metasploit
ca3c80102a
Bump version of framework to 6.1.23
2021-12-30 12:11:12 -06:00
RageLtMan
4874943e7f
Implement infrastructure for payload delivery
Per the discussion with @schierlm on GitHub (mihi), the most direct
way to deliver and instantiate our Java payload in the target is
via remote code loading of the JAR using HTTP. This requires a
bootstrap class, a Factory, which instantiates our Payload.class
by calling its main() function on-load from the HTTP endpoint
serving the remote-code-loaded JAR.
Implement a basic PayloadFactory class and include and its sources
in the Metasploit tree.
Using @schierlm's own code from ~10y ago, implement injection of
the PayloadFactory class into our JAR-encoded payloads. Then,
using more of his code from the same module (2011-3544), implement
a secondary service within the exploit module (Rex::ServiceManager
services don't stack well in Msf namespace as they all get assigned
to self.service - faux pas on our end) to serve HTTP requests with
the injected JAR. Finally, generate an appropriate URL target for
the remote code loaded JAR for injection into the LDAP response and
leveraging a final piece of @schierlm's hackery, generate a valid
URI path (updating the datastore is ill advised @ runtime, but it's
needed here for the correct service cleanup routines to fire).
Note: during development, I figured out a way to use Rjb for native
Java object serialization to buffers which we can use in Ruby, so I
stashed that away in the Exploit::Java mixin for posterity and left
a reference to it in the module for future endeavors.
Testing:
Verified that the generated jar is served at the generated URL
Verified that the generated JAR can be executed at the CLI for
both metasploit.Payload and metasploit.PayloadFactory
Currently not triggering the remote code load (per wireshark and
our own HTTP service) when delivering the LDAP response, so tuning
that is the next leg of this effort.
2021-12-29 09:10:07 -05:00
Spencer McIntyre
d08714d474
Land #15961, Initial Rex LDAP Server
2021-12-28 14:50:03 -05:00
Brenton O'Loughlin
e0d0514814
relocate status output
2021-12-24 17:51:04 +07:00
Tim W
5631959eff
Fix #12895, fix console.read does not return command output
2021-12-24 07:51:25 +00:00
Tim W
b1922c305b
Revert "Land #15941, fix command output in rpc console.write"
This reverts commit 8d808d11c0, reversing changes made to c1f06eace8.
2021-12-24 07:32:29 +00:00
bwatters
6ed8e317f7
Land #15984, fix snmp library to run correct version
Merge branch 'land-15984' into upstream-master
2021-12-23 13:12:49 -06:00
Metasploit
8757971193
Bump version of framework to 6.1.22
2021-12-23 12:10:50 -06:00
RageLtMan
25e2fbd640
Do not redefine constant
2021-12-21 22:36:51 -05:00
Tim W
8d808d11c0
Land #15941, fix command output in rpc console.write
2021-12-21 06:07:29 +00:00
h00die
1931bfab7b
fix snmp library to run correct version
2021-12-20 16:28:01 -05:00
3V3RYONE
56b19e5e9b
Fix exploit session crashing when unsetting smbuser or smbpass
2021-12-19 19:02:17 +05:30
RageLtMan
60fdf2a7da
Rubocop pass on LDAP pieces
2021-12-18 09:03:56 -05:00
RageLtMan
0e90c3e573
Address @adfoster-r7's change requests
Due to how this stack is being broken up into LDAP core, scanner
update, and exploit work, changes requested in #15972 actually
apply in this branch and get rebased to the remaining ones.
Address requests to clean up the textual messages, LDIF file read,
sourcing of LDAP methods from net-ldap, and YARD-related placement
of attr_* annotations.
2021-12-18 07:52:33 -05:00
RageLtMan
db8f4ffa6f
Native LDAP infrastructure to support log4shell
In order to detect scan callbacks, serve payloads, and otherwise
interact with the LDAP protocol handler in JNDI, Metasploit needs
a native LDAP service properly exposed to various parts of the
Framework and users/consumers.
Implement Rex::Protocol::LDAP::Server with TCP and UDP socket
handlers abstracted to a common access pattern between L4 stacks.
Extend the socket clients to hold a state attribute for LDAP bind
authentication, and use the UDP client abstraction to implement
consistent callback semantics for data receipt from a client and
handling response on the other side. The server utilizes Rex'
native sockets, permitting full pivot and proxy support over the
Switchboard.
Implement the Msf::Exploit::Remote::LDAP::Server mixin to manage
service abstraction and shared methods exposed to Metasploit
modules.
Note: during implementation of this functionality, it was
discovered that the Scanner mixin's :replicant method resulted in
:dup calls to the Rex::ServiceManager service created by this new
mixin (and any others leveraging ServiceManager). As a result,
double-bind attempts created failures in service instantiation from
the duplicated MetasploitModules which also dropped the @service
instance variable reference to the actual running service; leaving
the socket inexorably bound until Framework was halted and Ruby
released the FDs. See https://github.com/rapid7/rex-core/pull/19
and the Issues/Pull Requests sections of R7's MSF GitHub.
Expose the new LDAP infrastructure to users by way of a basic LDAP
server MetasploitModule which consumes a tiny sample LDIF (provided)
and performs queries against it. This is intended to be a template
for future work such as LDAP authentication capture, protocol proxy
for MITM and intercept, and other more specific implementations for
exploits and auxiliary modules.
For feature completeness, provide a Rex::Socket override for
Net::LDAP::Connection until we have a proper, native to Rex, LDAP
client class implemented.
Testing:
Basic functionality only, this is an early effort which will be
extended for feature-completeness over time
2021-12-16 18:47:52 -05:00
space-r7
184795513f
Land #15831, add more ssh session support
2021-12-16 15:39:55 -06:00
Grant Willcox
5c2afd6750
Land #15882, Prevent payloads being used if can't clean up files
2021-12-16 15:05:27 -06:00
bwatters
1642f917ab
Land #15964, Fix json packrat module
Merge branch 'land-15964' into upstream-master
2021-12-16 14:19:51 -06:00
Metasploit
5cd5d1449b
Bump version of framework to 6.1.21
2021-12-16 12:22:49 -06:00
Grant Willcox
0ee427ddb9
Land #15965, Add tcp uri scheme for setting rhosts
2021-12-16 12:07:37 -06:00
bwatters
fd2f27aa94
Land #15958, Log4Shell HTTP Scanner
Merge branch 'land-15958' into upstream-master
2021-12-16 10:45:23 -06:00
Spencer McIntyre
e6b7669114
Address PR feedback from module hacking
2021-12-16 11:12:11 -05:00
Grant Willcox
4cbc9113ae
Land #15963, Support go 1.17 and remove startup errors for modules
2021-12-15 17:51:31 -06:00
Grant Willcox
2e7e24a833
Land #15779, Add Nil-Check in Auxiliary report for vuln reporting
2021-12-15 11:52:48 -06:00
adfoster-r7
a373450b65
Add tcp uri scheme for setting rhosts
2021-12-15 15:37:05 +00:00
adfoster-r7
c3685641ab
Fix json packrat module
2021-12-15 15:07:38 +00:00
adfoster-r7
f1427fd383
Land #15944, Add support and tests for long arguments to Rex Parser
2021-12-15 14:55:44 +00:00
Spencer McIntyre
5e5e73a1d8
Add module metadata and more checks
2021-12-15 08:45:25 -05:00
adfoster-r7
9c94a052bd
Support go 1.17 and remove startup errors for modules
2021-12-15 13:45:10 +00:00
Matthew Dunn
c6a84c912b
Switch to a validation error
2021-12-15 07:13:29 -05:00
Matthew Dunn
608ced1a4b
Add raise if vuln is nil instead of a print
2021-12-14 20:31:28 -05:00
Matthew Dunn
cb385192b6
Merge branch 'rapid7:master' into nil_check_auxiliary_report
2021-12-14 20:15:13 -05:00
sjanusz
063c3936a9
Add support for long arguments to Rex Parser
2021-12-14 17:45:56 +00:00
Grant Willcox
4600ffa702
Land #15957, Print error when session ID is nil for Kiwi's creds_all
2021-12-14 09:28:08 -06:00
sjanusz
210f704a77
Print error when session id is nil for kiwi creds_all
2021-12-14 10:16:52 +00:00
Tim
cfd2d4d114
improve passthrough to capture stderr (#1)
2021-12-14 15:35:25 +11:00
Brenton O'Loughlin
bb688e12b8
capture passthrough system command output to output handler
2021-12-14 15:35:25 +11:00
bwatters
c4443577d0
Land #15841, Rubocop Packrat mixin, part 2
A commit happened between my checkout and my merge, this incorporates the lost commit
Merge branch 'land-15841' into upstream-master
2021-12-13 15:50:14 -06:00
bwatters
3d2e00f87d
Land #15841, Rubocop packrat mixin
2021-12-13 15:42:13 -06:00
adfoster-r7
7f2d2c180b
Rubocop Packrat mixin
Add linting exceptions for eval logic
wip
2021-12-13 19:36:26 +00:00
adfoster-r7
48f40077ea
Add get processes requirement
2021-12-13 13:46:54 +00:00
adfoster-r7
4c02405ab5
Ignore stdapi_fs_chmod requirement on windows
2021-12-13 13:06:02 +00:00
adfoster-r7
24bf9e5e61
Add Meterpreter compatibility requirements to lib
2021-12-13 11:30:32 +00:00
h00die
950e976f7b
Land #15952 fix for ntlm hashes crashing creds -d command
2021-12-13 05:00:51 -05:00
sjanusz
acd55ea24f
Fix creds crashing when deleting multiple ntlm hashes
2021-12-10 16:08:55 +00:00
Tim W
e0d618b8a9
Land #15945, fix stat on inaccessible directory
2021-12-10 06:19:52 +00:00
Metasploit
26cde48c13
Bump version of framework to 6.1.20
2021-12-09 13:24:04 -06:00
Spencer McIntyre
ad0dba9385
Display st_mode using 6 octal digits
2021-12-09 13:43:00 -05:00
Spencer McIntyre
82a22ad38c
Skip empty stat buffers
This skips empty stat buffers, allowing Meterpreter to return empty ones
for entries that can not be stat'ed and thus maintain the array
alignment.
2021-12-09 13:43:00 -05:00
Tim W
4696418089
Land #15939, Fix #15919, fix unpacking 64-bits stat buffers in meterpreter
2021-12-09 08:40:49 +00:00
Simon Janusz
46dc748bd0
Land #15905, Only normalize new/updated hosts after nmap import
2021-12-08 11:57:13 +00:00
adfoster-r7
3e1ba060a7
Land #15908, add reload functionality to the save command
2021-12-08 04:27:04 +00:00
Spencer McIntyre
d94d2ff13c
Fix unpacking 64-bit stat buffers from Meterpreter
2021-12-07 16:08:38 -05:00