OJ
d286618b13
Add support for incognito
2016-03-24 15:01:50 +10:00
OJ
ecf10f7e43
Added ProcessList to Sys
2016-03-24 10:42:56 +10:00
OJ
1d85ea8513
Add sysinfo, code tidy
2016-03-24 10:13:56 +10:00
OJ
3f9681c34e
Add show mount binding, tweak output to be tidier
2016-03-23 22:54:02 +10:00
OJ
4b142d35a0
Add Kiwi bindings, add debug, fix issue with missing commands in local packets
2016-03-23 22:21:54 +10:00
OJ
64c57f203b
Add the last few features to the User binding
2016-03-23 15:25:17 +10:00
OJ
b32fd52bfd
Fix LocalAlloc call, start on the handling of other bindings (user)
2016-03-23 15:13:09 +10:00
OJ
41ac07dbe0
Finish the elevate bindings for powershell
2016-03-23 14:40:41 +10:00
OJ
8b702f7008
Remove invalid prints
2016-03-23 14:32:19 +10:00
OJ
7ba39c982a
First version of "working" bindings (getsystem works)
...
More to do, including reading of TLV packets.
2016-03-23 13:39:25 +10:00
OJ
110306e115
Fix python meterpreter bindings by adding 0 xor key
2016-03-23 13:13:15 +10:00
OJ
ee807408ec
Beginning of work on the building blocks for PSH->Meterp bindings
2016-03-22 16:06:43 +10:00
OJ
62c48c6ecc
Fix a small issue with the TLV generation in getsystem
2016-03-22 16:02:26 +10:00
OJ
6e5afca1b3
Include the MSF.Powershell project
2016-03-22 13:11:49 +10:00
OJ
d48066c4cf
Add support for hosts with .NET 2 only support
2016-03-22 12:36:31 +10:00
OJ
a8d0fadc5a
Fallback to v4 runtime if v2 isn't present
2016-03-21 17:16:28 +10:00
OJ
cd162a88f8
Fix issue with channel interaction functioning incorrectly on close
2016-03-21 16:01:21 +10:00
OJ
43e6aae784
Proper functioning powershell sessions
2016-03-21 15:14:24 +10:00
OJ
df581ce638
Change from Auto to Manual reset event
...
This stops the CPU thrashing, and should have been the default when the
work was first done.
2016-03-15 21:16:48 +10:00
Brent Cook
423dbaeba2
consistency and bug fixes
2016-03-15 05:45:21 -05:00
Brent Cook
31e6ae1a63
Convert registry access to use UTF-8
2016-03-15 02:58:36 -05:00
OJ
a7ef4b91e3
Add powershell interactive prompt
2016-03-14 20:23:44 +10:00
OJ
3d94391292
Add support for unmanaged powershell
...
This commit includes the ability to run a single powershell command in
the current session.
2016-03-14 17:12:29 +10:00
OJ
af32e7289d
Initial shell of the powershell extension project
2016-03-14 12:56:34 +10:00
OJ
e2285737a8
Make comment a little more sensible
2016-03-09 08:53:21 +10:00
OJ
62455e57f9
make the GetIpAddr function interactions deal with dynamic size
2016-03-09 08:27:59 +10:00
Brent Cook
fc26790e9a
simplify error handling, remove 30 IP limit, remove unneeded free() checks
2016-03-08 03:50:32 -06:00
OJ
f015f53b6b
Fix network interface enumeration limitation
...
This moves the existing network interface enumeration code over to the
group TLV packet approach which allows for arbitrary numbers of entities
to be added on the fly instead of fixed numbers.
2016-03-08 12:11:27 +10:00
Brent Cook
08e008fc77
Land #64, add xor encoding to TLV messages
2016-02-10 21:32:43 -06:00
Brent Cook
263fc0a00a
posix xor
2016-02-04 05:50:47 -06:00
BAZIN-HSC
8ddd54c565
Build correction for Fedora on a non-EN system
2016-01-29 10:41:18 +01:00
Brent Cook
ed3c35ed0b
allow duplicate symbols building libm
2016-01-16 22:12:02 -06:00
Brent Cook
78c74b705a
build with gnu99 mode
2016-01-16 22:11:54 -06:00
OJ
246c78fccc
Remove extra call to scheduler init
2016-01-13 10:08:12 +10:00
OJ
29f88366ac
Merge branch 'upstream/master' into default-xor
2016-01-13 07:34:40 +10:00
Brent Cook
c125f72c1a
Land #59, simplify sniffer conditional logic
2015-12-24 06:40:58 -06:00
Brent Cook
9e2c799b3e
Land #57, include multiprocessing module in python extension
2015-12-23 03:09:59 -06:00
Romero Malaquias
70a8d43949
Avoiding conditional directives that break statements.
2015-12-21 12:23:08 -03:00
OJ
4424029d3c
Add python extension multiprocessing
...
This commit includes code that was missing from the original Python PR which adds support for the multiprocessing module in Python. I have no idea why this was missed, but it was. The code also includes adjustments to the loader which attempts to resolve modules appropriately based on name. This is a bit of a kludge thanks to the way that Python module resolution hooks work, as it's not clear exactly which namespace the module is intended to be loaded from at runtime as it's not passed to the resolver. Down the track we may need to get smarter with the resolver so that we have a per-module resolver (ie. a tree of resolvers).
2015-12-19 09:40:44 +10:00
OJ
d5fb6821ae
Fix python core lib mistake
2015-12-13 11:52:42 +10:00
OJ
3d598c4275
Remove superfluous comments from code
2015-12-08 16:57:40 +10:00
Brent Cook
099da2b4b7
Revert "Convert registry access to use UTF-8"
...
This reverts commit bc8dfb17b5.
2015-12-07 14:17:52 -06:00
Brent Cook
2f575a45a0
Revert "fixup buffer sizes"
...
This reverts commit 2d6c0194c9.
2015-12-07 14:17:50 -06:00
OJ
1061df8b8d
Remove the RECV POST request
2015-12-07 13:26:33 +10:00
OJ
5ca5fe89f0
Begin to enable DWORD xor out of the box
2015-12-02 13:30:22 +10:00
Brent Cook
2d6c0194c9
fixup buffer sizes
2015-12-01 14:58:20 -06:00
Brent Cook
bc8dfb17b5
Convert registry access to use UTF-8
2015-12-01 13:53:45 -06:00
OJ
29c8639025
Updated init script method
2015-11-20 12:49:36 +10:00
OJ
c692e76332
Finalise stageless initialisation scripts
2015-11-10 20:00:34 +10:00
OJ
dca4cc46be
Merge branch 'upstream/master' into stageless-init
2015-11-10 15:44:39 +10:00
OJ
175d6d93f1
First pass of stageless initialisation script
2015-11-10 15:43:59 +10:00
Brent Cook
bc0138093d
Land #47, add python transport bindings
2015-11-09 21:13:18 -06:00
Brent Cook
98fae3e075
change source perms back to non-executable
2015-11-09 21:10:30 -06:00
Brent Cook
888ec2574a
Land #46, add misc python bindings.
2015-11-09 20:56:51 -06:00
Brent Cook
7bc25f6189
Land #45, remove non-functional 'debug' build targets
2015-11-09 09:41:29 -06:00
OJ
380f3e27aa
Update python core lib archive
2015-11-04 15:33:12 +10:00
OJ
578ac70fd9
Add transport add command to python binding
2015-11-04 14:37:57 +10:00
OJ
4b44e69ce9
Add transport list binding
2015-11-04 14:04:22 +10:00
OJ
73b8422c14
Update packaged libs
2015-11-03 17:56:20 +10:00
OJ
e016e6d526
Add incognito binding, code tidies
2015-11-03 17:52:06 +10:00
OJ
cbb50227a5
Refactor TLV layout, add more debug output, token stealing
2015-11-03 14:03:33 +10:00
OJ
7c592a63d2
Add show_mount, ps_list, and some core tweaks
2015-11-03 13:25:47 +10:00
OJ
bd5ecc8acd
Remove all debug builds from the Windows projects
...
The debug builds of Meterpreter compiled fine, but the resulting binaries were never functional. No debugging is really ever done with the debug builds anyway, so instead of carrying them forward, this commit removes both `debug` and `r7_debug` from the source.
2015-11-03 11:05:42 +10:00
Brent Cook
7d94abd9b0
Land #44, don't fall back to 0.0.0.0 if the user-specified bind fails
2015-11-02 17:24:57 -06:00
Brent Cook
ecbcb17dec
Land #43, add show_mount support for Windows meterpreter
2015-10-30 15:26:33 -05:00
OJ
5602977bce
Ignore SSL changes in POSIX code
...
This ifdef's our way to glory, given that POSIX Python extension is out
of scope for now.
2015-10-30 15:23:01 -05:00
OJ
71212bba43
Turn off debug trace
2015-10-30 15:23:01 -05:00
OJ
f572570b7d
Initial work to get python talking to metsrv's ssl
2015-10-30 15:23:01 -05:00
OJ
a004655b03
Fix silly typo in extapi python module
2015-10-30 15:23:01 -05:00
OJ
def28cf927
Init the msvcrt extension
2015-10-30 15:23:01 -05:00
OJ
1c438bd13a
Add some adsi functionality bindings
2015-10-30 15:23:01 -05:00
OJ
fb36d94c05
Clean up packet once processed
2015-10-30 15:23:01 -05:00
OJ
4b2257c791
More bindings, including kiwi as an example
2015-10-30 15:23:01 -05:00
OJ
04cb09737e
More work on the meterpreter bindings for python
2015-10-30 15:23:00 -05:00
OJ
eaabcabca8
Starting work on meterpreter bindings
2015-10-30 15:23:00 -05:00
OJ
08d27edb76
Tidying up, add persistent stdout/stderr
2015-10-30 15:23:00 -05:00
OJ
8ae2ae5682
Turn off debug trace
2015-10-30 15:23:00 -05:00
OJ
4a474b963f
Small tidy up of python related stuff
2015-10-30 15:23:00 -05:00
OJ
116da1c0ff
Support import of py and pyc
2015-10-30 15:23:00 -05:00
OJ
007afeae2a
Stacks of work getting modules wired up
2015-10-30 15:23:00 -05:00
OJ
126c3b8e07
Add stdout/stderr capture and result extraction
2015-10-30 15:22:59 -05:00
OJ
90be1cc878
First attempt at the python extension
...
It builds for x64 and x86. There is a single command implemented that
allows for single-shot python commands to be run.
2015-10-30 15:22:59 -05:00
Brent Cook
e878ac3286
import 1cf077a from python 2.7 branch (2.7.10+)
2015-10-30 15:12:58 -05:00
James Lee
4d37ec6646
Don't fall back to 0.0.0.0
...
This allows the client side to determine whether to fall back and gives
the user a better chance of seeing that it isn't listening where they
told it to.
2015-10-30 11:46:25 -05:00
OJ
14740bfa9c
Add support for the show_mount command (windows)
2015-10-29 07:22:59 +10:00
Brent Cook
7ab7d13add
Land #32, switch transports on certificate validation failure
2015-09-25 09:05:48 -04:00
Brent Cook
15de43bf11
Land #31, Use RtlGetVersion for detecting Windows versions
2015-09-25 09:04:33 -04:00
OJ
2422f0926b
Support transport failover for SSL cert failures
...
This commit will result in SSL cert failures causing failovers to other
transports, even to itself, instead of shutting the session down. This
will result in repeated calls back to the endpoint, every "retry wait"
seconds, and will continue to do so until the session expires, or the
SSL verification works.
Be warned, this can be noisy in your console if you haven't configured
things properly. The result is a lot of callbacks over the life of the
session.
2015-09-25 12:47:18 +10:00
OJ
f76b51e265
Use RtlGetVersion to detect version
...
This means we can actually correctly detect the version of Windows in
use past 8.1 (ie including 10 and later).
2015-09-24 15:42:37 +10:00
Brent Cook
636d143447
@NickSampanis's getsystem cleanup
...
from https://github.com/rapid7/meterpreter/pull/183
2015-09-23 21:33:10 -05:00
Brent Cook
600ed34f1e
merge and cleanup @stufus's pageantjacker extension into extapi
...
see https://github.com/rapid7/meterpreter/pull/164 for details
2015-09-20 20:18:02 -05:00
Brent Cook
73e57f258a
add initial Windows 10 matching to sysinfo output
2015-08-24 15:50:28 -05:00
Brent Cook
224ac67dc7
update build status link for windows meterpreter
2015-07-24 14:28:57 -05:00
Brent Cook
8732204833
Land #7, fix posix transport switching/deleting
2015-07-12 00:29:06 -05:00
OJ
a0c7262624
Remove invalid SAFE_FREE call
2015-07-12 13:21:20 +10:00
Brent Cook
8de19e788a
We don't have to log an error if it's expected.
...
There is a close log message right below anyway.
2015-07-10 07:11:53 -05:00
Brent Cook
28425e7a99
On socket flush, stop reading on error
...
We are currently inconsistently handling errors in recv() when flushing data from a TCP socket. In one case, we handle the graceful close, but not the error case. In the other, we handle exactly the opposite.
Both of these loops may spin indefinitely depending on the recv value from the remote server. In one, if the TCP connection is abruptly closed in stageless meterpreter or on a transport switch, the flush function may loop. In the other, if the remote server does a socket shutdown, but not a close, we will also loop.
2015-07-10 07:04:57 -05:00
OJ
d16e5276c5
Use temp storage for URL parsing
...
This removes the issue where URLs were truncated during parsing,
resulting in them not working later on when transports are changed.
2015-07-10 14:57:23 +10:00
Brent Cook
819f6a3455
Land #5, add WinInet fallback when WinHTTP cannot work against certain proxies
2015-07-09 23:00:16 -05:00
OJ
863138d803
Avoid fallback when SSL cert verification is on
...
This is to avoid unintended MITM when Meterpreter is configured in
paranoid mode.
2015-07-04 14:45:49 +10:00
OJ
18a814d3a0
Refactor wininet/winhttp code to reduce code duplication
2015-07-03 20:46:18 +10:00
OJ
09c4d8b137
Initial WinINET fallback implementation
2015-07-03 18:55:14 +10:00
Brent Cook
3a0427bcbc
cleanup record_mic handler, use the right heap for freeing
...
When reallocating the record buffer, we need to pass the correct heap pointer
or this will crash.
This also simplifies error handling and switches audio.h to use Windows EOL
characters.
2015-06-30 21:36:36 -05:00
Brent Cook
c7e1c385c8
Merged c
2015-06-28 13:29:59 -05:00
Brent Cook
91f10aa760
Land #175, fix clipboard file size confusion
2015-06-28 12:21:16 -05:00
OJ
c8de66fd31
Remove extra htonq call
2015-06-27 21:44:41 +10:00
OJ
86eb62832d
Fix silly mistake with type casts
2015-06-27 21:37:05 +10:00
OJ
c2f141679e
Fix up URI switching for stageless
...
This prevents horrible crashes when migrating from a stageless HTTP/S session.
2015-06-27 21:19:04 +10:00
Brent Cook
9fb2c004c1
Adjust posix install paths
2015-06-22 15:02:47 -05:00
Brent Cook
5afc05e122
Adjust submodule and pssdk paths
2015-06-22 15:02:47 -05:00
Brent Cook
701d30197e
Land #154, NTDS parsing support
2015-06-22 09:07:02 -05:00
Brent Cook
ba86e968d7
fix broken partial-batch / eof handling
2015-06-22 03:58:24 -05:00
Brent Cook
9ff7339644
move ntds parser from priv to extapi
2015-06-22 03:58:24 -05:00
Brent Cook
eb7c696f00
Land #170, support deleting transports
2015-06-19 15:46:10 -05:00
OJ
2e78a4379a
Add POSIX support for transport remove
2015-06-16 12:24:00 +10:00
OJ
149e4c2a7e
Implement transport removal
2015-06-16 11:37:09 +10:00
Brent Cook
bfe1060b40
Merge branch 'master' into land-154-ntds
2015-06-04 13:47:44 -05:00
Brent Cook
905f25a03b
compile error
2015-06-04 13:16:05 -05:00
Brent Cook
25731fee03
free utf8 conversion strings and avoid non-null terminated values
2015-06-04 09:00:24 -05:00
Brent Cook
c47c973b83
logon names can actually be up to 104 characters
...
practical limit is 64, this gives us margin
2015-06-04 08:53:09 -05:00
Brent Cook
773008d921
whitespace tweaks
2015-06-04 08:50:24 -05:00
OJ
ef14f0e7ab
Update to simpler, less hacky implementation
2015-06-03 16:27:31 +10:00
OJ
d89cd69bc5
Implement a sleep in windows that lasts longer
2015-06-03 14:06:17 +10:00
David Maloney
2b07377328
fix copy error
...
use strncpy not memcpy to transfer the re-encoded
name and description into our account object.
also use sizeof for precise copy size. eliminates lingering
errors
MSP-12356
2015-06-02 12:44:49 -05:00
David Maloney
84cea10260
use all unicode for ntds account struct
...
force convert account name and description
to unicode for transport over the wire
MSP-12356
2015-06-02 12:35:30 -05:00
OJ
ddd82d20fc
Fix check for auto detect proxy settings
...
This setting doesn't appear to have any bearing at all on the way the proxy stuff is managed, as a result looking for this flag doesn't make sense. Instead, we just look for presence of the URLs to use, and if found, that's what we use.
This also uses the WinHttpSetOption function for setting credentials which allows for independent use of user and password.
2015-05-25 16:35:31 +10:00
David Maloney
37e7ab2fc9
just a little more cleanup
...
this should hopefully address the last of Juan's code review
feedback appropriately.
MSP-12356
2015-05-18 11:21:10 -05:00
David Maloney
a3b4b53029
size and signedness issue fixes
...
fixes several size and signedness issues caught
during code review
MSP-12356
2015-05-18 11:08:58 -05:00
David Maloney
7c0c78d766
more missing garbage collection
...
pek structures also were not being garbage collected properly
MSP-12356
2015-05-18 10:46:43 -05:00
David Maloney
6c15c0c0a0
better garbage collection on initial setup
...
the ntds_parse method that gets everything started
was missing garbage collection for accountColumns.
MSP-12356
2015-05-18 10:43:27 -05:00
Brent Cook
bb00b00b2c
do not log UUID as a string
2015-05-17 09:25:33 -05:00
OJ
5f7c2e7207
Fix handling of UUIDs in Meterpreter
...
The original implementation assumed that the UUIDs were coming through as strings, but this was changed at some point to use the 16-byte UUID format straight out of MSF.
This was causing issues when UUIDs had null bytes in them because the UUID was being truncated and the result was that UUIDs that were being parsed in MSF were too small, resulting in exceptions.
2015-05-17 17:43:59 +10:00
Brent Cook
68a24e3a47
Land #159, user proxy settings support with winhttp
2015-05-15 16:41:22 -05:00
Brent Cook
602e18591c
fixup build for posix, fix memory leak in utf conversion
2015-05-15 16:01:59 -05:00
David Maloney
e8449a1698
Merge branch 'master' into feature/MSP-12715/sysinfo-upgrade
2015-05-15 15:14:23 -05:00
David Maloney
30a1ecbbcb
add domain and loggedonusers to sysinfo
...
added the domain name and logged on user counts
to the sysinfo command
MSP-12715
2015-05-15 15:10:35 -05:00
Brent Cook
ed1bccd0fc
Land #160, fix the bare example extension
2015-05-15 15:04:14 -05:00
OJ
7ff8263ce0
Actually set the result to success
2015-05-15 15:03:47 -05:00
OJ
f6c1485ebe
Add support for the sleep command
2015-05-15 15:03:47 -05:00
Meatballs
fded7311c4
Fixup bare met_svc var name
2015-05-15 20:43:47 +01:00
Brent Cook
f390649c46
Merge branch 'master' into land-157-
2015-05-14 11:30:56 -05:00
Brent Cook
d9ce138eed
remove hash sizeof workaround
2015-05-14 11:29:44 -05:00
David Maloney
1bfd8526b6
Merge branch 'master' into feature/MSP-12356/ntds-parser
2015-05-14 10:55:55 -05:00
David Maloney
7e0c23e228
fixed missing type cast
...
needed explicit typecast for x64
MSP-12356
2015-05-13 14:54:32 -05:00
OJ
a7c2b4fcdd
Utilise IE configuration for proxies where possible
2015-05-13 15:46:33 +10:00
Brent Cook
e158093b38
Land #156, final tweaks for multi-transport support
2015-05-12 22:35:59 -05:00
Brent Cook
595d975337
quit concatenating serials after the first one
2015-05-12 21:31:36 -05:00
Brent Cook
716330ee7c
make machine_id on POSIX more resilient
...
Only compute the value once, this prevents changing if drive topology changes.
Consider ata and md drive prefixes.
Always set a MACHINE_ID value, upstream expects it in the reply.
2015-05-12 21:25:39 -05:00
OJ
6ee3b53786
Tweak transport change
...
Cosmetic stuff really.
2015-05-13 09:15:03 +10:00
OJ
98822709b5
Slight tweaks to proxy config function
2015-05-11 17:22:37 +10:00