OJ
2cd4f3cf98
Turn off debug builds
2017-08-09 15:59:37 +10:00
OJ
a10938e5a0
Revert changes made to getprivs
...
This work should be done in another PR
2017-08-09 15:58:38 +10:00
OJ
bc6c2039fb
Add debug statements, and fix one that was causing crashes
2017-08-09 13:03:12 +10:00
OJ
005ba6a8c0
Merge branch upstream into packet-pivot
2017-08-08 17:37:59 +10:00
OJ
b363584648
Merge branch 'upstream/master' into transport-agnostic-packet-encryption
2017-08-08 17:37:25 +10:00
OJ
0413a5c2ce
Add check for existing session reconnect
2017-08-08 17:15:49 +10:00
OJ
5f8b775842
Fix reading data from pipe, fix XOR bug in x64
2017-08-07 19:51:24 +10:00
OJ
95f1903a10
Update kiwi module to disable busylight notification
2017-08-03 09:45:07 +10:00
William Webb
7ae31a76f1
Land #220, Support Hi DPI for screenshots
2017-07-25 23:12:29 -05:00
OJ
c30d7ee349
Fix session GUID creation/management for pivots
2017-07-25 17:40:54 +10:00
Brent Cook
ead41b1092
initial unicode conversion for incognito
2017-07-23 04:41:51 -07:00
Brent Cook
cdff912abf
support hidpi for screenshots
2017-07-22 08:35:28 -07:00
Brent Cook
b8a60c1561
use prefix for debug messages, 64-bit consistently for memory sizes and offsets
2017-07-22 08:31:13 -07:00
Brent Cook
94f4147425
give attribution
2017-07-22 06:15:34 -07:00
Brent Cook
9118645a6e
simplify and reduce logic
2017-07-22 06:12:19 -07:00
Artem
770d0f65f4
Update fs_win.c
...
Fix FS Stat on Windows XP
2017-07-22 06:12:13 -07:00
OJ
d7c741f858
Fix reconnect pipe read issue
...
Also fix up issue with the pivot tree code
2017-07-21 20:50:43 +10:00
OJ
82cf5e7941
Fix issue with inspection of the wrong byte for xor keys
2017-07-21 18:33:15 +10:00
OJ
e12e711ec5
Interim commit while debugging
2017-07-21 18:27:04 +10:00
OJ
293d79d0ed
Adjust HTTP/S transport to support packet pivot
2017-07-18 21:15:08 +10:00
OJ
415665ef59
Pivot stability, fixes, tidies, etc
2017-07-18 20:58:23 +10:00
OJ
5a04de0780
Fix transport list command to support named pipes
2017-07-18 13:40:40 +10:00
OJ
fac1bfa489
Fix issue with packet size calculation
...
This commit fixes an issue where the transports were calculating an
incorrect size for the packet that was being received. This wasn't
noticeable until packet pivot work started, and for some reason wasn't
causing breakages during local testing. Either way, it's fixed now!
2017-07-17 11:11:25 +10:00
OJ
2ede006025
First working packet pivot session!
2017-07-16 19:33:24 +10:00
William Webb
6fc00bc812
cleanup memleak
2017-07-14 01:24:54 -05:00
OJ
cba5e86ac2
Add support for the pivot ID
2017-07-11 19:43:23 +10:00
OJ
6d2582102d
Slow progress on pipe packet pivots
2017-07-10 20:00:37 +10:00
William Webb
d25ff91ca2
axe errant DebugBreak()
2017-07-06 20:21:22 -05:00
William Webb
c144bac8d9
gracefully handle threading and correctly destroy msg only window
2017-07-06 19:57:07 -05:00
OJ
f96fe3542f
Next phase of packet pivot work
2017-07-06 15:40:32 +10:00
William Webb
519194dc6c
log pid on new active window
2017-07-05 20:34:37 -05:00
OJ
fc6c593eb7
Add the first pass of named pipe pivot code
2017-07-05 16:15:06 +10:00
OJ
c74376fb69
Make enc flags 32 bit, fix extension bindings
...
This updates the packet header so that the encryption byte flag is now
32 bits. This also updates the powershell and python extensions so that
both of the bindings work correctly as a result of the TLV packet header
changes.
2017-07-03 16:51:57 +10:00
OJ
f5b29bd7c6
Land #210: set thread error mode
2017-06-29 17:33:46 +10:00
Brent Cook
1a9bfc8c68
disable thread error reporting globally
2017-06-29 01:07:22 -04:00
OJ
9fd56beba0
Refactor pub key encryption code
...
Extract the public key encryption code out into another method and
cater for more error conditions.
2017-06-28 12:50:53 +10:00
Brent Cook
f95710249b
Land #209, Make keyscan active window tracking discretionary
2017-06-25 17:39:41 -05:00
OJ
a911045d5e
Merge upstream/master + fix issues
2017-06-25 19:52:11 +10:00
OJ
12055fca25
Finalised support for RSA-encrypted AES key negotiation
...
Still needs to be wired into HTTP/S.
2017-06-25 10:24:40 +10:00
Brent Cook
0356a5068d
add thread preamble that sets the per-thread error mode
2017-06-23 20:37:56 -05:00
Artem
fe8920640d
Add Disable Windows Error Messages
2017-06-23 20:37:56 -05:00
Brent Cook
c7f614a799
Land #200, Fix winpmem builds, warnings, cleanup logging
2017-06-23 18:00:22 -05:00
William Webb
cad32aaa33
kill whitespace
2017-06-23 14:08:08 -05:00
William Webb
419533ce48
kill whitespace
2017-06-23 13:56:07 -05:00
William Webb
f437e6aef7
use conventional option/TLV scheme instead of dumb stuff
2017-06-23 13:51:08 -05:00
Brent Cook
fb80f87ee3
Land #204, Update to Mimikatz 2.1.1 20170608 for changentlm function
2017-06-22 10:45:34 -05:00
OJ
8ffb877610
Initial version of working AES encrypted TLV packets
2017-06-21 21:02:33 +10:00
Brent Cook
efe6f32197
fix 64-bit r7 target build
2017-06-21 03:01:56 -05:00
OJ
cb9ae6acd4
Rework the packet XOR code
...
Make the XOR key an array of bytes as a start to normalise the way the
XOR happens across the board. Given that we're going to be adding
encryption to the packet level and adding more stuff to the packet
header, now is the time to fix this up once and for all.
2017-06-20 19:20:41 +10:00
OJ
8858acb618
Initial attempt to AES encryption at the packet level
2017-06-20 17:50:58 +10:00
OJ
813760a9e2
Remove support for the crypto context
...
Crypto context stuff appears to have only ever been supported in
Meterpreter on Windows. The only thing it allowed for is XOR, which is
redundant given that we have packet level XOR in place. Also, it would
appear that MSF didn't have support for it anyway!
With the move towards packet-level encryption, this is unnecessary so
it needs to go bye bye.
2017-06-19 16:51:54 +10:00
OJ
9e3aef62bc
Hack to ignore metsrv.dll stage when connecting to staged listener
...
The last issue we had in removing the OpenSSL library from Windows
meterp is making it so that reconnects would behave. With a staged
listener, the first thing that gets sent down the wire is metsrv.dll. As
a result, when a fully staged connect comes in (whether it be from
a stageless payload, from a transport switch or from a sleeping session
waking up), Meterpreter needs to handle the case that the data coming
down the wire is not actually a TLV packet, and hence ignore it.
This "hack" abuses the properties of the XOR key for the packet,
relying on the fact that the XOR key will never contain NULL bytes and
that the first 4 bytes from a staged listener starts with the length of
the metsrv DLL, which is small enough to result in a NULL byte in the
MSB position.
If we see a NULL byte in that position, we assume it's the metsrv header
coming in, and we just ignore it and move on. If the XOR key looks
legit, we assume it's a valid TLV packet.
Dirty, but it's quick and it works!
2017-06-16 13:34:46 +10:00
OJ
3554aff9de
Remove SSL from all but the python extension
...
Re-implement MD5 and SHA1 file hashing using CSP.
2017-06-14 21:40:20 +10:00
Brent Cook
28a9f42e14
more ssl flensing
2017-06-14 04:56:47 -05:00
Brent Cook
36f3d346fe
fix line endings
2017-06-14 04:56:47 -05:00
Brent Cook
36771d6309
initial pass at flensing openssl code from reverse_tcp
2017-06-14 04:56:47 -05:00
OJ
5fcff5ea76
Update to Mimikatz 2.1.1 20170608 for changentlm function
2017-06-13 15:29:02 +10:00
Brent Cook
0ba547b360
Land #203, Add session GUID support
2017-06-09 00:59:37 -05:00
OJ
cf575a05dd
Add session GUID support to Meterpreter payloads
2017-06-06 17:24:36 +10:00
RaMMicHaeL
dd224a91f0
Fixed an elusive bug on AMD CPUs
...
Details:
http://blog.rewolf.pl/blog/?p=1484
8771485dd3
2017-06-03 11:24:01 +03:00
Brent Cook
0a2d768e77
delete Linux meterpreter support
2017-05-14 02:11:57 -05:00
Brent Cook
dc712150af
Land #199, Adjust proxy code to support DNS/DHCP resolution
2017-05-08 16:57:08 -05:00
OJ
91558d0c16
Adjust proxy code to support DNS/DHCP resolution
...
This code is blatantly poached from the blog post located at
https://medium.com/@br4nsh/a-meterpreter-and-windows-proxy-case-4af2b866f4a1
which was written by Juan. A great deal of time and effort went into
that research and all credit for this work should go to him.
2017-05-05 16:16:54 +10:00
OJ
7c65e621a1
Fix stageless URI redirect parsing
...
This commit fixes the case where we incorrectly assume that the URIs
used in the transport don't make use of the LURI setting in MSF.
The bug was that the code iterated through the URI string in reverse,
looking for a slash and then using that as the point to patch the new
URI over the existing. This meant that with the LURI parameter used, the
actual LURI field was missed, and the patch would result in the LURI
value appearing again.
The fix put in iterates from the start of the string and looks for the
third instance of the slash. This means that the LURI field is patched
as well as the UUID section.
Fixes #197
2017-05-03 10:36:53 +10:00
Brent Cook
995471faad
Land #190, list all possible privileges with the getprivs command
2017-04-21 14:46:30 -05:00
Brent Cook
37bc1689b2
fix a compiler warning
2017-04-15 05:51:12 -05:00
ouahib-el-hanchi
4f9866d035
Fixed issue #189
2017-04-15 02:55:00 +01:00
Brent Cook
6e7d55898e
Land #185, Keyscan system updates
2017-04-14 13:48:32 -05:00
William Webb
8bd164bbbb
some minor cleanup
2017-04-12 21:19:45 -05:00
OJ
cdfe1dc5c0
Remove debug project configurations from C windows meterp
2017-04-11 20:29:39 +10:00
OJ
541e879023
Update the kiwi extension source to v2.1.1
...
This brings the source up to date with the source from the Rapid7 repo
which includes the v2.1.1 source released by Ben.
2017-04-11 20:21:57 +10:00
William Webb
88f240c26c
specify globals in variable names because it's 2017 bro
2017-04-10 14:28:22 -05:00
William Webb
017a4e107e
final cleanup and type check
2017-04-10 14:08:46 -05:00
William Webb
3653169513
save wip
2017-04-05 00:18:02 -05:00
William Webb
145285c549
add focused windows enumeration and date/time stamping
2017-04-01 22:21:54 -05:00
William Webb
5d917565c0
add known working keylog code
2017-03-31 13:19:53 -05:00
William Webb
9272af7863
save initial unicode keyscan updates
2017-03-20 21:47:47 -05:00
Jeff Tang
e97b8449c2
Add universal unhooking call to meterpreter server
...
metsrv will unhook its current process before initializing the
connection
2017-02-27 17:11:18 -05:00
Brent Cook
d840805ad4
end-of-line mismatches in common.h
2017-01-24 18:49:14 -06:00
Brent Cook
f0b9f6b76a
replace timestomp code with rewritten versions
2017-01-24 18:49:14 -06:00
OJ
6872495da6
Remove Migrate TLVs from php/py, adjust for Java
2017-01-24 07:38:59 +10:00
Brent Cook
8d84a89c5a
Land #160, Revamp Kiwi to work off Mimikatz subrepo
2016-12-29 14:31:19 -06:00
Brent Cook
c635df826d
Land #156, use ctypes to extract Windows sysinfo directly
2016-12-29 14:29:24 -06:00
Brent Cook
8e4af5500a
Windows 2016 is released
2016-12-29 13:31:05 -06:00
OJ
a4982ca307
Remove unused kiwi TLVs
2016-12-23 09:58:26 +10:00
OJ
f68bf83fec
Update again to mimikatz subrepo head
2016-12-23 09:50:52 +10:00
OJ
e7bf6adb37
Updated to mimikatz master
2016-12-23 09:37:20 +10:00
OJ
bc90795ab4
Remove bulk comments, update to latest mimikatz
2016-12-23 08:33:04 +10:00
OJ
3bc2d697a4
Update the mimikatz head
2016-12-20 18:24:32 +10:00
OJ
58cad3a426
Re-add wifi support, and update subrepo
2016-12-10 11:19:30 +10:00
OJ
69d5c98020
Bump submodule to use R7 master for mimikatz
2016-12-09 09:09:45 +10:00
OJ
4f0c9407d2
Adjust TLV label in POSIX to match updates
2016-12-08 16:46:50 +10:00
OJ
e42ef7a17e
Change PBYTE to LPBYTE to keep POSIX happy
2016-12-08 16:39:38 +10:00
OJ
ff56b36a98
Move migration stub code to MSF
...
This commit changes the code so that the migration stubs are generated
in MSF and are transport specific (so that we only do the work we need
to).
2016-12-08 16:00:04 +10:00
OJ
4bed8fa179
Update kiwi project to ref new mimikatz files
2016-12-07 17:55:57 +10:00
OJ
752fe2f6f2
Update to latest mimikatz version
2016-12-07 17:27:17 +10:00
OJ
4c5c6e79b1
Mimikatz external deps dancing
2016-12-07 17:22:32 +10:00
OJ
e312cc934f
Add short comment to explain use of powershell function
2016-12-07 14:41:33 +10:00
OJ
ffc9c1d37a
Add mimikatz submodule with MSF changes
...
This includes a few changes that are in an open branch waiting to be
merged into the mimikatz source.
2016-12-07 14:41:33 +10:00
OJ
a31b16452c
Remove old kiwi code
2016-12-07 14:41:33 +10:00
OJ
86f2093968
Re-add key UUID sending functionality
...
As part of b50955a924 important code that sent UUIDs along with each
request was accidentally removed. This PR re-includes it so that the
UUIDs are in fact sent when they should be sent.
This fixes issues where UUID commands don't work, and fixes migration in
a bunch of scenarios.
2016-12-07 13:27:34 +10:00
Tim
db85f099c3
stdapi_fs_file_copy
2016-11-29 13:58:46 +08:00
Brent Cook
b50955a924
Revert "Refactor XOR code, dedup packet writing code"
...
This reverts commit 7e8b4c3c52.
2016-11-17 06:22:53 -06:00
Brent Cook
79cff67de4
Merge remote-tracking branch 'upstream/master' into fix-143
2016-11-14 12:01:31 -06:00
Brent Cook
e5f695fde7
fix posix build, remove dos EOLs
2016-11-14 11:58:52 -06:00
Brent Cook
17fb30204e
Land #112, Added Winpmem Meterpreter extension
2016-11-14 11:47:31 -06:00
Danil Bazin
2b0831c484
projectfile Subsystem change 5.02 in 4.0 in the last platforms
2016-11-03 19:20:06 +01:00
OJ
4d145d78a7
Merge upstream/master into uuid-to-tlv
2016-10-29 15:25:21 +10:00
OJ
70812fd1ce
Remove core_uuid and add core_set_uuid
2016-10-29 12:42:36 +10:00
OJ
ed1e912e6b
Remove presence of WOW64 in the architecture string
2016-10-29 06:43:26 +10:00
Brent Cook
af34146109
disable debug messages
2016-10-26 05:21:39 -05:00
Danil Bazin
e529a2a351
Add fcat.exe
2016-10-17 21:28:59 +02:00
Danil Bazin
d62295e5dc
Change Multibyte to Unicode
2016-10-17 21:22:02 +02:00
OJ
b96eaff14f
Remove check for UUID, force add without check
2016-10-14 13:27:45 +10:00
OJ
d06d7e1807
Include UUID in each request, update UUID on migrate
2016-10-14 10:53:21 +10:00
Brent Cook
f302463f94
Land #133, add local time command
2016-10-10 23:28:20 -05:00
OJ
7e8b4c3c52
Refactor XOR code, dedup packet writing code
2016-10-10 14:40:05 +10:00
Danil Bazin
0883a471d7
Add license file from winpmem project
2016-10-08 19:54:57 +02:00
Brent Cook
0385a93530
Land #132, Add support for listing of loaded drivers
2016-10-03 23:06:08 -05:00
Brent Cook
c304eb79c3
revert mode changes
2016-10-03 23:05:57 -05:00
OJ
d10795ba09
Update to use wchar_t API functions and unicode results
2016-10-04 13:50:28 +10:00
OJ
2b9aac9c45
Add support for listing of loaded drivers
2016-10-04 11:30:12 +10:00
OJ
12368749df
Fix pack format string issue in python extension
2016-10-04 09:46:53 +10:00
OJ
46484c2f35
Small space/comment fix
2016-10-03 15:26:54 +10:00
OJ
0cbb86c59b
Add localtime support to php, tidy python and c
2016-10-03 15:26:54 +10:00
OJ
5e6dc8ca85
Add localtime command support for POSIX
2016-10-03 15:26:54 +10:00
OJ
38fe6e1188
Add localtime command to Windows native meterp
2016-10-03 15:26:54 +10:00
Brent Cook
42a1e49768
fix unicode string writes for REG_EXPAND_SZ types
2016-09-29 23:10:27 -05:00
Tim
015d57d0fe
fix clipboard
2016-09-04 15:12:26 +01:00
Danil Bazin
ec18721bd1
Winpmem meterpreter extension working
2016-08-30 18:40:14 +02:00
Danil Bazin
eef6e7a33c
Fix folder name in example
...
In point 1 a new folder is created, but in point 2,
a file is copied but not in the created folder.
2016-08-01 18:38:28 +02:00
ssyy201506
6625248fc7
fix crash after closing channel
2016-07-08 15:40:29 +09:00
ssyy201506
baad192ba6
Fix the immediate closing of an interactive channel.
2016-06-16 11:14:12 +09:00
Brent Cook
0057809573
fix registry class, take 2
2016-05-03 22:05:14 -05:00
Brent Cook
167b2d2ac1
Land #94, Enable support for IPv6 address binding
2016-05-03 20:40:54 -05:00
Brent Cook
90f5cd2c3a
fix the length calculation for meterpreter registry class reads
2016-05-03 16:40:58 -05:00
OJ
4763c24cfe
Small tidy, and adding of debug code
2016-05-03 12:09:46 +10:00
Brent Cook
84140c23ba
Revert "fix Linux threads to actually use allocated memory"
...
This reverts commit f95152dfc1.
2016-04-26 16:49:46 -04:00
OJ
d6387fcd90
Typedef the sockaddr_in6 struct for POSIX
2016-04-06 16:14:27 +10:00
OJ
61b91d276b
Enable support of IPv6 address binding
2016-04-06 15:38:03 +10:00
OJ
fe048683c9
Land #93 - Fix threads in POSIX
2016-04-06 10:59:01 +10:00
Brent Cook
f95152dfc1
fix Linux threads to actually use allocated memory
2016-04-05 17:35:55 -05:00
Brendan Watters
73d548be48
Land #85, UTF-8 Registry Support
2016-04-05 16:20:39 -05:00
Brent Cook
f43bc0a3ac
Land #89, Add Powershell meterpreter bindings
2016-04-01 19:38:56 -05:00
Brent Cook
be88efcb54
Update with correct project URI
2016-03-31 11:34:12 -05:00
OJ
3c17f4e9aa
Fix package script, update package
...
The package script was (stupidly) written (by me) to replace '\\' with
'.' when generating python import module names. Of course, this works
great on windows, but it means if you generate the package on linux
things break horribly. The result was that the latest package wouldn't
resolve anything useful when importing key stuff like ctypes or pty.
This PR fixes the issue so that the modules are correctly wired in
regardless of the OS that the package was constructed on.
2016-03-31 11:14:19 +10:00
Brent Cook
e460c1d241
Land #87, initial powershell extension
2016-03-24 21:19:22 -05:00
OJ
e229995f2d
Added powershell_import and sample DLL for import testing
2016-03-25 12:16:13 +10:00
OJ
cf6287e031
Fix runner to properly support multi-line scripts
...
This commit actually changes the PS runner code so that it's
base64-encoded before being sent to the interpreter. It's a bit of
a hack but it means that all multiline commands are properly supported.
IEX for the win!
2016-03-25 10:28:14 +10:00
OJ
6bbfd51ab4
Stageless init support, multi-line command support
2016-03-25 09:56:00 +10:00