147837e9b6
Validate payload size even when not encoding
2022-02-25 17:21:59 -05:00
9f6e3ba543
Set the cached size for adapated payloads
2022-02-25 11:55:48 -05:00
5ee44bcdb7
Ignore reload lib spec helper file
2022-02-25 12:38:03 +00:00
9c56a9a2bc
add more definitions / constants for permissions
2022-02-24 20:20:38 -06:00
abe55c8f91
raise RuntimeError on incomplete or extra data
2022-02-24 14:02:44 -06:00
da044a967a
Bump version of framework to 6.1.32
2022-02-24 12:07:52 -06:00
f473c0e3b1
Convert core_enumextcmd and core_loadlib commands to human readable strings
2022-02-24 14:54:21 +00:00
bad55a858c
Add the new adapter payload type
2022-02-23 16:38:57 -05:00
3ea032472d
Updated exploit with better check method, added OnSessionCmd option
...
to run a command when a session is bootstrapped, added more
documentation.
2022-02-18 16:30:47 -06:00
eb4969937f
Bump version of framework to 6.1.31
2022-02-17 12:10:25 -06:00
480c44e9cb
refactor DEBUG_EXPLOIT code into mixin
2022-02-16 11:38:04 +00:00
0239ef1cc6
Land #16117 , Updates for Log4Shell
2022-02-15 16:39:00 -06:00
99226f1a5c
add definitions for winspool and spoolss libs
2022-02-15 15:51:22 -06:00
18b4ce8a13
Update replicant pattern to increment refs
2022-02-15 16:08:35 +00:00
af3fa09896
refactor smtp delivery to support continuation
...
When dealing with SMTP servers the communication needs to flow
a known protocol. To ensure the socket is in the correct state
after a send and receive it needs to be read until a line return
a response code followed by a `space` and additional data and `\r\n`
or the response code immediately followed by `\r\n` is returned.
2022-02-14 16:55:49 -06:00
732bd3a71c
Land #16173 , Add readline option to msfconsole
...
Add readline option to msfconsole
2022-02-14 16:11:15 +00:00
e9758f33b5
Land #16175 , order the loadpath summary in alphabetical order
2022-02-14 09:52:19 +00:00
d45783a5a0
Add readline option to msfconsole
2022-02-13 23:47:08 +00:00
683d4ac471
Add support for staged python command payloads
2022-02-13 12:03:08 -05:00
a13ae3882b
Land #16174 , fix specifying the mode on File.read for ruby 3 on multiple modules
2022-02-13 12:08:13 +00:00
ec2ae16135
Order loadpath summary output
2022-02-12 21:47:35 +00:00
395ab1d77e
Specify mode rb on file reads
2022-02-12 21:39:12 +00:00
c2cacffee9
Land #16170 , fix java native_arch
2022-02-12 06:13:48 +00:00
cfa3d15cee
Land #16161 , Update user agent strings
2022-02-11 16:28:14 -06:00
47fea63fdf
One more update to address Apple bumping some versions at the very last minute
2022-02-11 15:57:09 -06:00
db00991f26
Land #16150 , add nagios xi web shell upload
2022-02-11 11:45:06 -06:00
2b281dce5c
Add support for Java Meterpreter's native_arch
2022-02-11 11:43:35 +00:00
5bc60f5bf7
clear any additional response on smtp connect
...
When connecting to an SMTP server after `HELO` and auth
complete there can be additional data sent from the client
that sits in the socket queue. Adding a `get_once` after connection
has settled ensure any pending for extension responses are cleared.
2022-02-10 14:25:05 -06:00
0ee0e3959d
Bump version of framework to 6.1.30
2022-02-10 12:06:14 -06:00
9635fde12d
Add support and templates for aarch64 targets
2022-02-10 10:49:02 -06:00
425e57b88b
Land #16163 , Add the ClaimsPrincipal .NET gadget chain
2022-02-09 14:46:38 -06:00
e6c1d20c5d
Add the ClaimsPrincipal .NET gadget chain
2022-02-09 14:38:51 -05:00
47c74a0037
Land #16121 , fix rhost exception due to no session
2022-02-09 10:38:34 -06:00
a50f39ac12
return super if no session
2022-02-09 10:08:02 +00:00
72ca957285
Don't use default values
2022-02-08 17:40:03 -05:00
1f60303772
Updated user agent strings as of 9 Feb 2022
2022-02-09 08:39:05 +11:00
1fe01087b6
Remove trailing whitespace from command output
2022-02-08 15:37:11 -05:00
7d9e6c2bb9
Don't crash when the hostname can't be determined
...
This fixes a framework-level crash when msfconsole initializes and the
HOSTNAME environment variable is not set and the hostname binary is
missing.
2022-02-08 15:14:36 -05:00
4294dcbc80
Land #16143 , Fix unknown platform error against windows when using SSH login
...
Fix unknown platform error against Windows when using SSH Login
2022-02-07 11:50:02 +00:00
9758251278
Initial commit of CVE-2021-37343
2022-02-05 18:21:18 -08:00
3c6cd7cc0a
Make platform check case-insensitive
2022-02-04 15:47:15 +00:00
4f69089690
Fix to_handler case sensitivity issue
2022-02-04 13:39:07 +00:00
965493191f
Add and use a Log4Shell mixin
2022-02-03 16:09:49 -05:00
c89ecd9c75
Bump version of framework to 6.1.29
2022-02-03 12:07:08 -06:00
f16815e776
Land #16066 , Fix params not being passed to scripts
2022-02-03 12:28:59 +00:00
d854751f82
Fix params not being passed to scripts
2022-02-03 11:13:27 +00:00
5647e1a94f
Add service manager commands to msfconsle
2022-02-02 22:26:41 +00:00
d9876e889a
Land #15994 , fix console.read does not return command output
2022-02-01 23:44:48 +00:00
5c47ff0e47
Land #16132 , [MySQL injection library] Avoid the use of '<>'
2022-02-01 14:50:55 -06:00
8ab102e72c
Land #16014 , Change custom parsers to Rex Parser and add long arguments
2022-02-01 17:38:51 +00:00
c4700ab2f4
Add state to workspace command, extract sevices columns, correct tab-complete
2022-02-01 17:09:17 +00:00
51814a4a8b
Refactor the code, using if(CONDITION,sleep(...),0) only
2022-01-30 23:49:07 +00:00
e329d78a46
Use = instead of <> for blind queries (fixes some wordpress plugin SQLis)
2022-01-30 23:01:08 +00:00
613e06a8df
Fix exception in rhost during staging
2022-01-29 07:59:22 +00:00
d46822184f
Updates for Log4Shell
2022-01-28 14:56:44 -05:00
c30dcf57d0
prepend_nops: Return unmodified shellcode if no compatible nops for arch
2022-01-28 16:15:29 +00:00
50c1f7b775
Bump version of framework to 6.1.28
2022-01-27 12:05:14 -06:00
397e3aa1c6
Land #16090 - Add in user_data_directory function
2022-01-26 09:31:52 -06:00
780c8d3b7f
Land #16096 , Support session -1 for ListenerComm options
2022-01-24 22:07:23 -06:00
12431d8479
Add a client reader for SSH server channels
2022-01-24 14:41:59 -05:00
dd2d512851
Support session -1 for ListenerComm options
2022-01-24 11:42:39 -05:00
3cd2b1b929
Update naming for consistency and the module
2022-01-24 10:35:40 -06:00
d088be6fa0
Metasploit-side logic to support a 5th getsystem mechanism
2022-01-24 10:35:40 -06:00
b72bdf0b76
Land #16054 , updates to JTR compatibility with logging
2022-01-23 14:41:54 -05:00
e445a39719
adds user_data_directory
2022-01-23 10:29:01 -05:00
eccac8df4f
Bump version of framework to 6.1.27
2022-01-20 12:07:12 -06:00
4cf3ae352c
Land #16050 , Log4Shell: vCenter RCE
...
Merge branch 'land-16050' into upstream-master
2022-01-19 16:30:33 -06:00
a7bb8d0480
Land #16029 , Fix OptPath options with empty strings
2022-01-19 13:08:34 -06:00
158a0aa30c
Change custom parser to Rex, add custom opt, add tabcomplete
2022-01-19 13:01:33 +00:00
d01594a570
spec not working quite right
2022-01-17 17:40:35 -05:00
7a7b009161
add more smarts to nolog for jtr
2022-01-17 15:33:41 -05:00
ad9517b81d
Bump version of framework to 6.1.26
2022-01-14 09:32:56 -06:00
85aab39dbd
Fix syntax error for --nolog
2022-01-14 07:14:47 +09:00
383ada6ae2
Land #16016 , fix RHOSTS in dcerpc scanner
2022-01-13 13:15:24 -06:00
7b1398f0ae
Allow overriding check module datastore options
2022-01-13 11:51:39 -05:00
62a814fa59
Refactor Log4shell exploit code into reusable bits
2022-01-13 09:45:02 -05:00
e093154865
Refactor the BeanFactory gadget code
2022-01-12 16:58:31 -05:00
e873907d13
Initial vCenter exploit via Log4Shell
2022-01-12 15:34:45 -05:00
199eae5e99
Land #16012 , add pi-hole aux module and lib
2022-01-12 09:21:11 -06:00
877bab6f2a
Land #15969 , Log4j2 HTTP Header Injection Exploit
2022-01-11 16:52:08 -05:00
e8208c60b9
Land #16027 , Fix the generate command's tab completion for -o and -f
2022-01-11 18:03:37 +01:00
9c1316d3a4
Bump version of framework to 6.1.25
2022-01-10 09:35:41 -06:00
f56f328c8d
Use an enum for the YSoSerial payload option
2022-01-07 17:30:39 -05:00
21beb58ffb
Add command to kill all Meterpreter channels
2022-01-07 12:12:14 +00:00
59de13be43
Do not call File.expand_path() with empty strings
2022-01-07 13:09:47 +01:00
f17d460a7a
Remove now unused deregister_tcp_options method
2022-01-06 15:48:24 -06:00
41b2bc4fac
Fix the generate command's tab completion
2022-01-06 15:15:49 -05:00
0234b89c9c
Bump version of framework to 6.1.24
2022-01-06 12:05:06 -06:00
27ad15d040
Land #16015 , fix tab completion for RHOSTS
2022-01-06 10:44:33 -06:00
4b37076bd4
Unify completion for OptAddressRange and OptRhosts
2022-01-05 14:11:43 -05:00
1e0d9af9d8
Fix tab completion for RHOSTS
2022-01-05 13:43:34 -05:00
d0417f60bd
Land #15924 , Updates to Windows Secrets Dump
2022-01-05 13:25:59 -05:00
f3f6f93e23
Fix sanity check failing on specific Ubuntu versions
2022-01-05 18:26:19 +01:00
cc2616b7cf
Land #15982 , Normalize smbuser to a string
2022-01-04 15:42:01 -05:00
ae2e4d723b
Add NTDS technique
2022-01-03 21:39:33 +01:00
990e4a1e7a
pihole new module and lib
2022-01-02 11:48:41 -05:00
c3e0f455ec
some cleanup for rubocop
2021-12-30 15:35:22 -05:00
ca3c80102a
Bump version of framework to 6.1.23
2021-12-30 12:11:12 -06:00
4874943e7f
Implement infrastructure for payload delivery
...
Per the discussion with @schierlm on GitHub (mihi), the most direct
way to deliver and instantiate our Java payload in the target is
via remote code loading of the JAR using HTTP. This requires a
bootstrap class, a Factory, which instantiates our Payload.class
by calling its main() function on-load from the HTTP endpoint
serving the remote-code-loaded JAR.
Implement a basic PayloadFactory class and include and its sources
in the Metasploit tree.
Using @schierlm's own code from ~10y ago, implement injection of
the PayloadFactory class into our JAR-encoded payloads. Then,
using more of his code from the same module (2011-3544), implement
a secondary service within the exploit module (Rex::ServiceManager
services don't stack well in Msf namespace as they all get assigned
to self.service - faux pas on our end) to serve HTTP requests with
the injected JAR. Finally, generate an appropriate URL target for
the remote code loaded JAR for injection into the LDAP response and
leveraging a final piece of @schierlm's hackery, generate a valid
URI path (updating the datastore is ill advised @ runtime, but its
needed here for the correct service cleanup routines to fire).
Note: during development, i figured out a way to use Rjb for native
Java object serialization to buffers which we can use in Ruby, so i
stashed that away in the Exploit::Java mixin for posterity and left
a reference to it in the module for future endeavors.
Testing:
Verified that the generated jar is served at the generated URL
Verified that the generated JAR can be executed at the CLI for
both metasploit.Payload and metasploit.PayloadFactory
Currently not triggering the remote code load (per wireshark and
our own HTTP service) when delivering the LDAP response, so tuning
that is the next leg of this effort.
2021-12-29 09:10:07 -05:00
d08714d474
Land #15961 , Initial Rex LDAP Server
2021-12-28 14:50:03 -05:00
e0d0514814
relocate status output
2021-12-24 17:51:04 +07:00
5631959eff
Fix #12895 , fix console.read does not return command output
2021-12-24 07:51:25 +00:00
b1922c305b
Revert "Land #15941 , fix command output in rpc console.write"
...
This reverts commit 8d808d11c0c1f06eace8
2021-12-24 07:32:29 +00:00
6ed8e317f7
Land #15984 , fix snmp library to run correct version
...
Merge branch 'land-15984' into upstream-master
2021-12-23 13:12:49 -06:00
8757971193
Bump version of framework to 6.1.22
2021-12-23 12:10:50 -06:00
25e2fbd640
Do not redefine constant
2021-12-21 22:36:51 -05:00
8d808d11c0
Land #15941 , fix command output in rpc console.write
2021-12-21 06:07:29 +00:00
1931bfab7b
fix snmp library to run correct version
2021-12-20 16:28:01 -05:00
56b19e5e9b
Fix exploit session crashing when unsetting smbuser or smbpass
2021-12-19 19:02:17 +05:30
60fdf2a7da
Rubocop pass on LDAP pieces
2021-12-18 09:03:56 -05:00
0e90c3e573
Address @adfoster-r7's change requests
...
Due to how this stack is being broken up into LDAP core, scanner
update, and exploit work, changes requested in #15972 actually
apply in this branch and get rebased to the remaining ones.
Address requests to clean up the textual messages, LDIF file read,
sourcing of LDAP methods from net-ldap, and YARD-related placement
of attr_* annotations.
2021-12-18 07:52:33 -05:00
db8f4ffa6f
Native LDAP infrastructure to support log4shell
...
In order to detect scan callbacks, serve payloads, and otherwise
interact with the LDAP protocol handler in JNDI, Metasploit needs
a native LDAP service properly exposed to various parts of the
Framework and users/consumers.
Implement Rex::Protocol::LDAP::Server with TCP and UDP socket
handlers abstracted to a common access pattern between L4 stacks.
Extend the socket clients to hold a state attibute for LDAP bind
authentication, and use the UDP client abstraction to implement
consistent callback semantics for data receipt from a client and
handling response on the other side. The server utilizes Rex'
native sockets, permitting full pivot and proxy support over the
Switchboard.
Implement the Msf::Exploit::Remote::LDAP::Server mixin to manage
service abstraction and shared methods exposed to Metasploit
modules.
Note: during implementation of this functionality, it was
discovered that the Scanner mixin's :replicant method resulted in
:dup calls to the Rex::ServiceManager service created by this new
mixin (and any others leveraging ServiceManager). As a result,
double-bind attempts created failures in service instantiation from
the duplicated MetasploitModules which also dropped the @service
instance variable reference to the actual running service; leaving
the socket inexorably bound until Framework was halted and Ruby
released the FDs. See https://github.com/rapid7/rex-core/pull/19
and the Issues/Pull Requests sections of R7's MSF GitHub.
Expose the new LDAP infrastructure to users by way of a basic LDAP
server MetasploitModule which consumes a tiny sample LDIF (provided)
and performs queries against it. This is intended to be a template
for future work such as LDAP authentication capture, protocol proxy
for MITM and intercept, and other more specific implementations for
exploits and auxiliary modules.
For feature completeness, provide a Rex::Socket override for
Net::LDAP::Connection until we have a proper, native to Rex, LDAP
client class implemented.
Testing:
Basic functionality only, this is an early effort which will be
extended for feature-completeness over time
2021-12-16 18:47:52 -05:00
184795513f
Land #15831 , add more ssh session support
2021-12-16 15:39:55 -06:00
5c2afd6750
Land #15882 , Prevent payloads being used if can't clean up files
2021-12-16 15:05:27 -06:00
1642f917ab
Land #15964 , Fix json packrat module
...
Merge branch 'land-15964' into upstream-master
2021-12-16 14:19:51 -06:00
5cd5d1449b
Bump version of framework to 6.1.21
2021-12-16 12:22:49 -06:00
0ee427ddb9
Land #15965 , Add tcp uri scheme for setting rhosts
2021-12-16 12:07:37 -06:00
fd2f27aa94
Land #15958 , Log4Shell HTTP Scanner
...
Merge branch 'land-15958' into upstream-master
2021-12-16 10:45:23 -06:00
e6b7669114
Address PR feedback from module hacking
2021-12-16 11:12:11 -05:00
4cbc9113ae
Land #15963 , Support go 1.17 and remove startup errors for modules
2021-12-15 17:51:31 -06:00
2e7e24a833
Land #15779 , Add Nil-Check in Auxiliary report for vuln reporting
2021-12-15 11:52:48 -06:00
a373450b65
Add tcp uri scheme for setting rhosts
2021-12-15 15:37:05 +00:00
c3685641ab
Fix json packrat module
2021-12-15 15:07:38 +00:00
f1427fd383
Land #15944 , Add support and tests for long arguments to Rex Parser
2021-12-15 14:55:44 +00:00
5e5e73a1d8
Add module metadata and more checks
2021-12-15 08:45:25 -05:00
9c94a052bd
Support go 1.17 and remove startup errors for modules
2021-12-15 13:45:10 +00:00
c6a84c912b
Switch to a validation error
2021-12-15 07:13:29 -05:00
608ced1a4b
Add raise if vuln is nil instead of a print
2021-12-14 20:31:28 -05:00
cb385192b6
Merge branch 'rapid7:master' into nil_check_auxiliary_report
2021-12-14 20:15:13 -05:00
063c3936a9
Add support for long arguments to Rex Parser
2021-12-14 17:45:56 +00:00
4600ffa702
Land #15957 , Print error when session ID is nil for Kiwi's creds_all
2021-12-14 09:28:08 -06:00
210f704a77
Print error when session id is nil for kiwi creds_all
2021-12-14 10:16:52 +00:00
cfd2d4d114
improve passthrough to capture stderr ( #1 )
2021-12-14 15:35:25 +11:00
bb688e12b8
capture passthrough system command output to output handler
2021-12-14 15:35:25 +11:00
c4443577d0
Land #15841 , Rubocop Packrat mixin, part 2
...
A commit happened between my checkout and my merge, this incorporates the lost commit
Merge branch 'land-15841' into upstream-master
2021-12-13 15:50:14 -06:00
3d2e00f87d
Land #15841 , Rubocop packrat mixin
2021-12-13 15:42:13 -06:00
7f2d2c180b
Rubocop Packrat mixin
...
Add linting exceptions for eval logic
wip
2021-12-13 19:36:26 +00:00
48f40077ea
Add get processes requirement
2021-12-13 13:46:54 +00:00
4c02405ab5
Ignore stdapi_fs_chmod requirement on windows
2021-12-13 13:06:02 +00:00
24bf9e5e61
Add Meterpreter compatibility requirements to lib
2021-12-13 11:30:32 +00:00
950e976f7b
Land #15952 fix for ntlm hashes crashing creds -d command
2021-12-13 05:00:51 -05:00
acd55ea24f
Fix creds crashing when deleting multiple ntlm hashes
2021-12-10 16:08:55 +00:00
e0d618b8a9
Land #15945 , fix stat on inaccessible directory
2021-12-10 06:19:52 +00:00
26cde48c13
Bump version of framework to 6.1.20
2021-12-09 13:24:04 -06:00
ad0dba9385
Display st_mode using 6 octal digits
2021-12-09 13:43:00 -05:00
82a22ad38c
Skip empty stat buffers
...
This skips empty stat buffers, allowing Meterpreter to return empty ones
for entries that can not be stat'ed and thus maintain the array
alignment.
2021-12-09 13:43:00 -05:00
4696418089
Land #15939 , Fix #15919 , fix unpacking 64-bits stat buffers in meterpreter
2021-12-09 08:40:49 +00:00
46dc748bd0
Land #15905 , Only normalize new/updated hosts after nmap import
2021-12-08 11:57:13 +00:00
3e1ba060a7
Land #15908 , add reload functionality to the save command
2021-12-08 04:27:04 +00:00
d94d2ff13c
Fix unpacking 64-bit stat buffers from Meterpreter
2021-12-07 16:08:38 -05:00
Spencer McIntyre