mirror of https://github.com/rapid7/metasploit-payloads synced 2025-01-08 14:36:22 +01:00
Commit Graph

1351 Commits

Author SHA1 Message Date
plowsec
389e71df32 Fix address truncation occurring in x64 Windows processes. 2019-09-06 14:50:13 +02:00
bwatters
f6808dde30
Land #352, add windows keyevent api
Merge branch 'land-352' into upstream-master
2019-09-03 16:39:51 -05:00
Tim W
6253af16c8 use MapVirtualKey 2019-07-31 13:16:28 +08:00
bwatters
db171fb83a
Those should be unsigned ints, not unsigned longs. 2018-07-23 10:21:21 -05:00
bwatters
509c1936a3
Update OS names to be more generic in kernel versions 10.0.x 2019-07-23 08:17:06 -05:00
Tim W
d95d827c8e add windows mouse doubleclick 2019-06-20 15:26:07 +08:00
Tim W
ab53c872fa fix windows move and click 2019-06-19 12:42:11 +08:00
Tim W
a29110ca5c add windows keyevent api 2019-06-17 12:36:55 +08:00
Brent Cook
dfb79b11cd
Land #343, update ReflectiveDLLInjection subproject 2019-06-01 19:53:13 -05:00
Tim W
48171ecc48 fix crash in keyboard_send on windows 2019-05-31 06:55:02 +08:00
Tim W
d2e9834ed0 update ReflectiveDLLInjection subproject 2019-05-16 14:04:23 +08:00
Tim W
16213667b7 add mouse api for windows 2019-05-13 02:32:27 +08:00
Tim W
35d908b6bf add send_keys api for windows 2019-05-13 02:31:44 +08:00
Brent Cook
7e2181700a update stat struct sizes 2019-02-06 17:51:21 -06:00
Tim W
783c52e118 fix windows meterpreter ls of 4gb files 2019-01-03 13:51:39 +08:00
Brent Cook
1d694f16cb
Land #314, update proxy autoconfig for Windows 2018-12-21 16:21:55 -06:00
Brent Cook
3762aa1568
Land #311, add REG_MULTI_SZ read support 2018-12-21 16:10:14 -06:00
bwatters
6431374acf
Land #302, Add universal unhooking call to meterpreter server
Merge branch 'land-302' into upstream-master
2018-12-12 16:12:56 -06:00
OJ
9b3a8280b1
Update to kiwi 2.1.1-20181203 2018-12-05 12:05:07 +10:00
Green-m
108081e1da Handle REG_MULTI_SZ correctly. 2018-11-29 15:36:40 +08:00
Green-m
e2029e2342
Handle more strings in one line. 2018-11-22 15:25:45 +08:00
Meatballs
a349e592e3 Modify the proxy autoconfig code as per Juan Caillava's code at:
https://medium.com/@br4nsh/a-meterpreter-and-windows-proxy-case-4af2b866f4a1
2018-11-19 16:04:26 +00:00
Jeff Tang
95e8fd2102
fix bug on win7/win8.1 2018-11-16 16:04:14 -05:00
4ntonch3
c04408081a
Update search.c
DWORD dwResult = ERROR_ACCESS_DENIED; -> DWORD dwResult; (in functions search_all_drivers, request_fs_search)
Comments in function request_fs_search were deleted
2018-11-15 15:27:03 +03:00
4ntonch3
1bc4a4902c
Add files via upload 2018-11-13 19:51:23 +03:00
Green-m
f779b809fa
Fix issue about REG_MULTI_SZ. 2018-11-05 16:07:34 +08:00
OJ
add6d464fc
Update kiwi extension to Mimikatz 2.1.1-20180925 2018-09-26 14:13:47 +10:00
Jeff Tang
b9c01eaa17 Add unhook extension 2018-09-19 15:55:25 -04:00
bwatters
5208d17131 Revert "Land #174, Add universal unhooking call to meterpreter server"
This reverts commit f148f8cb38, reversing
changes made to 87d2410468.
2018-09-10 16:44:55 -05:00
bwatters
f148f8cb38
Land #174, Add universal unhooking call to meterpreter server
Merge branch 'land-174' into upstream-master
2018-09-06 10:27:03 -05:00
Brent Cook
2b76d59b9b fix signed comparison bug 2018-08-31 17:01:31 -05:00
Brent Cook
62383a43c0 fix various peinjector extension issues.
64-bit compilation had a number of warnings / errors.
Added Unicode support for file path.
Fixed the r7_release build.
2018-08-31 16:51:47 -05:00
OJ
47bc2469f3
Update kiwi to Mimikatz 2.1.1-20180820 2018-08-31 09:25:35 +10:00
bwatters
bdce920e15
fix typo 2018-08-28 10:01:11 -05:00
bwatters
0b9783b55b
Standardize line endings to UNIX style 2018-08-28 09:51:02 -05:00
bwatters
2b0905b3d7
Fix __peinfect_clean_header declaration/definition/call 2018-08-28 09:47:30 -05:00
alpiste
94f560e30e Fix pull request issues 2018-08-28 09:08:06 -05:00
alpiste
cf807f5004 add peinjector 2018-08-28 09:08:06 -05:00
Matthew Kienow
336d154ca9
Land #294, audio output for windows meterpreter 2018-08-27 15:20:52 -04:00
OJ
3c26a76ec4
Update kiwi to match Mimikatz 2.1.1 (TBAL) 2018-08-17 09:36:24 +10:00
OJ
5da10e97e9
Fix packet pivoting in HTTP transports
Windows Meterpreter that uses http/s-based transports wasn't correctly checking for cases where pivoted packets were handled. When pivoted packets are forwarded to the correct handler, the packet is set to NULL. For TCP transports, a check already existed to carry on when the packet was NULL, but this wasn't the case for HTTP/S.

This commit fixes this problem and so the pivot session no longer dies when Meterpreter is using an HTTP/S transport.

For funzies, the fix for this was implemented on a live stream to help other people learn some of Meterp's internals. That video can be found here: https://www.youtube.com/watch?v=de-UYWnafow
2018-08-09 21:51:53 +10:00
Tim W
1e97ef7c90 fix playing of > 8MB wavs 2018-07-15 02:39:19 +08:00
Tim W
01d8aacc0f audio output for windows 2018-07-14 23:40:34 +08:00
OJ
3dc014e8ad
Add powershell transport scripts
This commit adds two new scripts and modifies some of the powershell transport binding functionality.

Code has been added that generates valid Metasploit URIs for use with stageless listeners. This means that it's possible to add HTTP/S transports on the fly and have a URL generated that will work with the current architecture of the process.

Two new scripts will appear in each of the powershell sessions:

* Add-WebTransport - adds http/s transports to the session.
* Add-TcpTransport - adds TCP transports to the session.

These two scripts are just abstractions on top of the built-in Meterpreter transport binding functionality, but it makes it a lot easier to interact with the feature and makes it more.. er.. Powershelly.

The functions come with documentation, so `Get-Help Add-WebTransport -Full` will show how it's used.

From here, people can do some more fun stuff, such as adding init scripts to their stageless payloads that add support for more transports.
2018-05-28 12:45:29 +10:00
OJ
71edb392ea
Fix issue with pointer handling on WOW64 processes
I stuffed up when dealing with values that are being passed back and forth across components when in x86 processes. I was passing 64 bit ints around even in 32 bit mode, which resulted in some nastiness. This commit fixes that problem by forcing everything to be 64 bit regardless of arch, and casting to the appropriate pointer at the right time.
2018-05-21 12:45:21 +10:00
OJ
1e175da8b1
Change hash output to use LM hash if present
The previous commit hard coded the LM hash to the empty value. This commit changes this so that if the LM hash isn't present it'll manually specify the empty one, but use the existing one if it is present.
2018-05-17 09:06:35 +10:00
OJ
90265c5a0f
Rework powershell_shell to work with "streaming"
This commit changes the channel functionality within the powershell extension so that commands do execute behind the scenes and stream the results to the UI in the current channel.

This comes with the caveat that users are patient. I haven't yet made sure that running separate commands while long running ones are running will not cause problems. We'll have to see.
2018-05-07 21:13:08 +10:00
OJ
f44877ae29
Add ability to dcsync & hashdump via Powershell
DCSync functionality is exposed, and from this it is possible to enumerate all users in the domain and dump each user's hash one by one. This code has a few extension functions built into the runner, and also has some baked-in powershell functions that are available in every powershell runner session in the host.

I've also added a powershell version of the build command that lets us generate the source to the powershell assembly wiring from PSH as well as Python.
2018-05-07 16:36:21 +10:00
OJ
d9cb58050d
Update kiwi to match mimikatz 2.1.1 20180502 2018-05-04 16:59:03 +10:00
UserExistsError
006bb2c998 added support for bind_named_pipe comms 2018-02-11 17:58:39 -07:00
Brent Cook
a8eebd18f2 remove read-only attribute on delete 2018-01-16 10:16:03 -06:00
Brent Cook
0959897065 if we cannot load powershell 4 support, fall back to 2 2017-12-20 14:39:16 -06:00
visuve
b8ef9d3d4e Remove redundant check 2017-12-05 10:14:49 +02:00
Veli-Matti Visuri
db2da2cc89 Fix iterator increments 2017-12-05 10:12:29 +02:00
Veli-Matti Visuri
b6c421cc3b Fix memory leaks 2017-12-04 21:45:00 +02:00
Veli-Matti Visuri
78b2b58ab1 Fix varargs leaks 2017-12-04 21:20:05 +02:00
Brent Cook
d4e403980c
Land #251, use utf8 for user and domain names 2017-11-29 05:37:32 -06:00
Brent Cook
ecedfac2a8
Land #249, update delete_dir to be able to recursively delete 2017-11-29 05:32:44 -06:00
Brent Cook
fcf69bb7ca pass file-not-found and other errors back to the caller 2017-11-29 05:30:53 -06:00
Brent Cook
519df5919c don't crash if there are no custom headers 2017-11-25 15:29:16 -06:00
William Webb
a404126f66
Land #252, Renegotiate AES in HTTP payloads on new framework instance 2017-11-23 00:21:38 -06:00
Brent Cook
4be0b0756d on reconnect to a new framework instance, we have to renegotiate AES keys 2017-11-22 03:20:36 -06:00
scriptjunkie
0b89ea3e37 Support non-ascii environment variables 2017-11-21 16:22:51 -06:00
scriptjunkie
936272b59d Encode name characters 2017-11-21 15:59:56 -06:00
Brent Cook
f065a24b1c Merge branch 'master' into land-236-headers 2017-11-21 00:52:50 -06:00
OJ
bbbe755206
Land #250 - Fix recv failure in windows transports
Fixes #9163
Fixes #9175
2017-11-08 09:21:36 +10:00
Brent Cook
0548a12f3c remove do/while(0) exception anti-pattern 2017-11-06 08:06:17 -06:00
Brent Cook
2dc48bea43 remove do/while(0) exception anti-pattern, fail properly on pipe close 2017-11-06 08:05:31 -06:00
Brent Cook
b0fbc4f550 remove do/while(0) exception anti-pattern, fail properly on socket close 2017-11-06 08:04:52 -06:00
Brent Cook
e117dd2326 unify whitespace 2017-11-06 03:33:08 -06:00
Artem
22235e228b
Update fs_win.c
Fix Error Open File VS2017 and Add Delete not empty Folder
2017-11-02 03:43:21 +03:00
Brent Cook
1010ded636
Land #244, handle situations when SetProcessDPIAware is unavailable 2017-10-27 00:06:12 -07:00
Brent Cook
58f7d2d606 fix whitespace 2017-10-26 23:56:45 -07:00
Brent Cook
7a22b3052a actually reset encryption context when freeing 2017-10-26 23:22:08 -07:00
Artem
752888a2c2 Update screenshot.c
Fix Compile in VS2017
2017-10-20 21:36:11 +03:00
OJ
db20322182
Fix TLV type defs and config size for HTTP migrate 2017-10-04 10:42:40 +10:00
OJ
c6eebdf72b
Properly fix half-baked changes to getprivs
This was left over code from me trying to do some fixes to getprivs
which didn't make sense in the middle of the packet pivot work. This was
left over by me as a result of my half-baked revert. This caused issues
with both the `getprivs` and `getsystem` command. I'm pretty sure that
as a result of breaking the latter, I will never live down the "make
getsystem great again" meme.
2017-09-27 16:30:18 +10:00
OJ
e1efa94b06
Transport creation for headers, and starting on python support 2017-09-11 14:39:15 +10:00
OJ
0792d9dc1b
Add HTTP header support for custom HTTP headers
Fixes config size management issues and gets things working in both
WinHTTP and WinINET
2017-09-11 14:39:10 +10:00
Tim
c61c565918 fix record_mic TLV values 2017-09-11 10:53:15 +08:00
Brent Cook
167c2d380a
fix sniffer/networkpug breakage 2017-09-01 03:29:26 -05:00
OJ
e328b986fb
Merge branch 'upstream/master' into packet-pivot 2017-08-21 17:26:21 +10:00
Brent Cook
4fd68effd4
Land #192, add unicode support for the incognito extension 2017-08-18 06:22:34 -04:00
OJ
52d770228e
Fix stupid double-free in WinHTTP packet handling 2017-08-11 17:32:49 +10:00
OJ
2cd4f3cf98
Turn off debug builds 2017-08-09 15:59:37 +10:00
OJ
a10938e5a0
Revert changes made to getprivs
This work should be done in another PR
2017-08-09 15:58:38 +10:00
OJ
bc6c2039fb
Add debug statements, and fix one that was causing crashes 2017-08-09 13:03:12 +10:00
OJ
005ba6a8c0
Merge branch upstream into packet-pivot 2017-08-08 17:37:59 +10:00
OJ
b363584648
Merge branch 'upstream/master' into transport-agnostic-packet-encryption 2017-08-08 17:37:25 +10:00
OJ
0413a5c2ce
Add check for existing session reconnect 2017-08-08 17:15:49 +10:00
OJ
5f8b775842
Fix reading data from pipe, fix XOR bug in x64 2017-08-07 19:51:24 +10:00
OJ
95f1903a10
Update kiwi module to disable busylight notification 2017-08-03 09:45:07 +10:00
William Webb
7ae31a76f1
Land #220, Support Hi DPI for screenshots 2017-07-25 23:12:29 -05:00
OJ
c30d7ee349
Fix session GUID creation/management for pivots 2017-07-25 17:40:54 +10:00
Brent Cook
ead41b1092 initial unicode conversion for incognito 2017-07-23 04:41:51 -07:00
Brent Cook
cdff912abf support hidpi for screenshots 2017-07-22 08:35:28 -07:00
Brent Cook
b8a60c1561 use prefix for debug messages, 64-bit consistently for memory sizes and offsets 2017-07-22 08:31:13 -07:00
Brent Cook
94f4147425 give attribution 2017-07-22 06:15:34 -07:00
Brent Cook
9118645a6e simplify and reduce logic 2017-07-22 06:12:19 -07:00
Artem
770d0f65f4 Update fs_win.c
Fix FS Stat on Windows XP
2017-07-22 06:12:13 -07:00
OJ
d7c741f858
Fix reconnect pipe read issue
Also fix up issue with the pivot tree code
2017-07-21 20:50:43 +10:00
OJ
82cf5e7941
Fix issue with inspection of the wrong byte for xor keys 2017-07-21 18:33:15 +10:00
OJ
e12e711ec5
Interim commit while debugging 2017-07-21 18:27:04 +10:00
OJ
293d79d0ed
Adjust HTTP/S transport to support packet pivot 2017-07-18 21:15:08 +10:00
OJ
415665ef59
Pivot stability, fixes, tidies, etc 2017-07-18 20:58:23 +10:00
OJ
5a04de0780
Fix transport list command to support named pipes 2017-07-18 13:40:40 +10:00
OJ
fac1bfa489
Fix issue with packet size calculation
This commit fixes an issue where the transports were calculating an
incorrect size for the packet that was being received. This wasn't
noticeable until packet pivot work started, and for some reason wasn't
causing breakages during local testing. Either way, it's fixed now!
2017-07-17 11:11:25 +10:00
OJ
2ede006025
First working packet pivot session! 2017-07-16 19:33:24 +10:00
William Webb
6fc00bc812
cleanup memleak 2017-07-14 01:24:54 -05:00
OJ
cba5e86ac2
Add support for the pivot ID 2017-07-11 19:43:23 +10:00
OJ
6d2582102d
Slow progress on pipe packet pivots 2017-07-10 20:00:37 +10:00
William Webb
d25ff91ca2
axe errant DebugBreak() 2017-07-06 20:21:22 -05:00
William Webb
c144bac8d9
gracefully handle threading and correctly destroy msg only window 2017-07-06 19:57:07 -05:00
OJ
f96fe3542f
Next phase of packet pivot work 2017-07-06 15:40:32 +10:00
William Webb
519194dc6c
log pid on new active window 2017-07-05 20:34:37 -05:00
OJ
fc6c593eb7
Add the first pass of named pipe pivot code 2017-07-05 16:15:06 +10:00
OJ
c74376fb69
Make enc flags 32 bit, fix extension bindings
This updates the packet header so that the encryption byte flag is now
32 bits. This also updates the powershell and python extensions so that
both of the bindings work correctly as a result of the TLV packet header
changes.
2017-07-03 16:51:57 +10:00
OJ
f5b29bd7c6
Land #210 : set thread error mode 2017-06-29 17:33:46 +10:00
Brent Cook
1a9bfc8c68 disable thread error reporting globally 2017-06-29 01:07:22 -04:00
OJ
9fd56beba0
Refactor pub key encryption code
Extract the public key encryption code out into another method and
cater for more error conditions.
2017-06-28 12:50:53 +10:00
Brent Cook
f95710249b
Land #209, Make keyscan active window tracking discretionary 2017-06-25 17:39:41 -05:00
OJ
a911045d5e
Merge upstream/master + fix issues 2017-06-25 19:52:11 +10:00
OJ
12055fca25
Finalised support for RSA-encrypted AES key negotiation
Still needs to be wired into HTTP/S.
2017-06-25 10:24:40 +10:00
Brent Cook
0356a5068d add thread preamble that sets the per-thread error mode 2017-06-23 20:37:56 -05:00
Artem
fe8920640d Add Disable Windows Error Messages 2017-06-23 20:37:56 -05:00
Brent Cook
c7f614a799
Land #200, Fix winpmem builds, warnings, cleanup logging 2017-06-23 18:00:22 -05:00
William Webb
cad32aaa33
kill whitespace 2017-06-23 14:08:08 -05:00
William Webb
419533ce48
kill whitespace 2017-06-23 13:56:07 -05:00
William Webb
f437e6aef7
use conventional option/TLV scheme instead of dumb stuff 2017-06-23 13:51:08 -05:00
Brent Cook
fb80f87ee3
Land #204, Update to Mimikatz 2.1.1 20170608 for changentlm function 2017-06-22 10:45:34 -05:00
OJ
8ffb877610
Initial version of working AES encrypted TLV packets 2017-06-21 21:02:33 +10:00
Brent Cook
efe6f32197 fix 64-bit r7 target build 2017-06-21 03:01:56 -05:00
OJ
cb9ae6acd4
Rework the packet XOR code
Make the XOR key an array of bytes as a start to normalise the way the
XOR happens across the board. Given that we're going to be adding
encryption to the packet level and adding more stuff to the packet
header, now is the time to fix this up once and for all.
2017-06-20 19:20:41 +10:00
OJ
8858acb618
Initial attempt to AES encryption at the packet level 2017-06-20 17:50:58 +10:00
OJ
813760a9e2
Remove support for the crypto context
Crypto context stuff appears to have only ever been supported in
Meterpreter on Windows. The only thing it allowed for is XOR, which is
redundant given that we have packet level XOR in place. Also, it would
appear that MSF didn't have support for it anyway!

With the move towards packet-level encryption, this is unnecessary so
it needs to go bye bye.
2017-06-19 16:51:54 +10:00
OJ
9e3aef62bc
Hack to ignore metsrv.dll stage when connecting to staged listener
The last issue we had in removing the OpenSSL library from Windows
meterp is making it so that reconnects would behave. With a staged
listener, the first thing that gets sent down the wire is metsrv.dll. As
a result, when a fully staged connect comes in (whether it be from
a stageless payload, from a transport switch or from a sleeping session
waking up), Meterpreter needs to handle the case that the data coming
down the wire is not actually a TLV packet, and hence ignore it.

This "hack" abuses the properties of the XOR key for the packet,
relying on the fact that the XOR key will never contain NULL bytes and
that the first 4 bytes from a staged listener starts with the length of
the metsrv DLL, which is small enough to result in a NULL byte in the
MSB position.

If we see a NULL byte in that position, we assume it's the metsrv header
coming in, and we just ignore it and move on. If the XOR key looks
legit, we assume it's a valid TLV packet.

Dirty, but it's quick and it works!
2017-06-16 13:34:46 +10:00
OJ
3554aff9de
Remove SSL from all but the python extension
Re-implement MD5 and SHA1 file hashing using CSP.
2017-06-14 21:40:20 +10:00
Brent Cook
28a9f42e14 more ssl flensing 2017-06-14 04:56:47 -05:00
Brent Cook
36f3d346fe fix line endings 2017-06-14 04:56:47 -05:00
Brent Cook
36771d6309 initial pass at flensing openssl code from reverse_tcp 2017-06-14 04:56:47 -05:00
OJ
5fcff5ea76
Update to Mimikatz 2.1.1 20170608 for changentlm function 2017-06-13 15:29:02 +10:00
Brent Cook
0ba547b360
Land #203, Add session GUID support 2017-06-09 00:59:37 -05:00
OJ
cf575a05dd
Add session GUID support to Meterpreter payloads 2017-06-06 17:24:36 +10:00
RaMMicHaeL
dd224a91f0 Fixed an elusive bug on AMD CPUs
Details:
http://blog.rewolf.pl/blog/?p=1484
8771485dd3
2017-06-03 11:24:01 +03:00
Brent Cook
0a2d768e77 delete Linux meterpreter support 2017-05-14 02:11:57 -05:00
Brent Cook
dc712150af
Land #199, Adjust proxy code to support DNS/DHCP resolution 2017-05-08 16:57:08 -05:00
OJ
91558d0c16
Adjust proxy code to support DNS/DHCP resolution
This code is blatantly poached from the blog post located at
https://medium.com/@br4nsh/a-meterpreter-and-windows-proxy-case-4af2b866f4a1
which was written by Juan. A great deal of time and effort went into
that research and all credit for this work should go to him.
2017-05-05 16:16:54 +10:00
OJ
7c65e621a1
Fix stageless URI redirect parsing
This commit fixes the case where we incorrectly assume that the URIs
used in the transport don't make use of the LURI setting in MSF.

The bug was that the code iterated through the URI string in reverse,
looking for a slash and then using that as the point to patch the new
URI over the existing. This meant that with the LURI parameter used, the
actual LURI field was missed, and the patch would result in the LURI
value appearing again.

The fix put in iterates from the start of the string and looks for the
third instance of the slash. This means that the LURI field is patched
as well as the UUID section.

Fixes #197
2017-05-03 10:36:53 +10:00
Brent Cook
995471faad
Land #190, list all possible privileges with the getprivs command 2017-04-21 14:46:30 -05:00
Brent Cook
37bc1689b2
fix a compiler warning 2017-04-15 05:51:12 -05:00
ouahib-el-hanchi
4f9866d035 Fixed issue #189 2017-04-15 02:55:00 +01:00
Brent Cook
6e7d55898e
Land #185, Keyscan system updates 2017-04-14 13:48:32 -05:00
William Webb
8bd164bbbb some minor cleanup 2017-04-12 21:19:45 -05:00
OJ
541e879023
Update the kiwi extension source to v2.1.1
This brings the source up to date with the source from the Rapid7 repo
which includes the v2.1.1 source released by Ben.
2017-04-11 20:21:57 +10:00
William Webb
88f240c26c
specify globals in variable names because it's 2017 bro 2017-04-10 14:28:22 -05:00
William Webb
017a4e107e
final cleanup and type check 2017-04-10 14:08:46 -05:00
William Webb
3653169513
save wip 2017-04-05 00:18:02 -05:00
William Webb
145285c549
add focused windows enumeration and date/time stamping 2017-04-01 22:21:54 -05:00
William Webb
5d917565c0
add known working keylog code 2017-03-31 13:19:53 -05:00
William Webb
9272af7863
save initial unicode keyscan updates 2017-03-20 21:47:47 -05:00
Jeff Tang
e97b8449c2 Add universal unhooking call to meterpreter server
metsrv will unhook its current process before initializing the
connection
2017-02-27 17:11:18 -05:00
Brent Cook
d840805ad4 end-of-line mismatches in common.h 2017-01-24 18:49:14 -06:00
Brent Cook
f0b9f6b76a replace timestomp code with rewritten versions 2017-01-24 18:49:14 -06:00
OJ
6872495da6
Remove Migrate TLVs from php/py, adjust for Java 2017-01-24 07:38:59 +10:00
Brent Cook
8d84a89c5a
Land #160, Revamp Kiwi to work off Mimikatz subrepo 2016-12-29 14:31:19 -06:00
Brent Cook
c635df826d
Land #156, use ctypes to extract Windows sysinfo directly 2016-12-29 14:29:24 -06:00
Brent Cook
8e4af5500a Windows 2016 is released 2016-12-29 13:31:05 -06:00
OJ
a4982ca307
Remove unused kiwi TLVs 2016-12-23 09:58:26 +10:00
OJ
f68bf83fec
Update again to mimikatz subrepo head 2016-12-23 09:50:52 +10:00
OJ
e7bf6adb37
Updated to mimikatz master 2016-12-23 09:37:20 +10:00
OJ
bc90795ab4
Remove bulk comments, update to latest mimikatz 2016-12-23 08:33:04 +10:00
OJ
3bc2d697a4
Update the mimikatz head 2016-12-20 18:24:32 +10:00
OJ
58cad3a426
Re-add wifi support, and update subrepo 2016-12-10 11:19:30 +10:00
OJ
69d5c98020
Bump submodule to use R7 master for mimikatz 2016-12-09 09:09:45 +10:00
OJ
4f0c9407d2
Adjust TLV label in POSIX to match updates 2016-12-08 16:46:50 +10:00
OJ
e42ef7a17e
Change PBYTE to LPBYTE to keep POSIX happy 2016-12-08 16:39:38 +10:00
OJ
ff56b36a98
Move migration stub code to MSF
This commit changes the code so that the migration stubs are generated
in MSF and are transport specific (so that we only do the work we need
to).
2016-12-08 16:00:04 +10:00
OJ
752fe2f6f2
Update to latest mimikatz version 2016-12-07 17:27:17 +10:00
OJ
4c5c6e79b1
Mimikatz external deps dancing 2016-12-07 17:22:32 +10:00
OJ
e312cc934f
Add short comment to explain user of powershell function 2016-12-07 14:41:33 +10:00
OJ
ffc9c1d37a
Add mimikatz submodule with MSF changes
This includes a few changes that are in an open branch waiting to be
merged into the mimikatz source.
2016-12-07 14:41:33 +10:00
OJ
a31b16452c
Remove old kiwi code 2016-12-07 14:41:33 +10:00
OJ
86f2093968
Re-add key UUID sending functionality
As part of b50955a924 important code that
sent UUIDs along with each request was accidentally removed. This PR
re-includes it so that the UUIDs are in fact sent when they should be
sent.

This fixes issues where UUID commands don't work, and fixes migration in
a bunch of scenarios.
2016-12-07 13:27:34 +10:00
Tim
db85f099c3
stdapi_fs_file_copy 2016-11-29 13:58:46 +08:00
Brent Cook
b50955a924 Revert "Refactor XOR code, dedup packet writing code"
This reverts commit 7e8b4c3c52.
2016-11-17 06:22:53 -06:00
Brent Cook
79cff67de4
Merge remote-tracking branch 'upstream/master' into fix-143 2016-11-14 12:01:31 -06:00
Brent Cook
e5f695fde7 fix posix build, remove dos EOLs 2016-11-14 11:58:52 -06:00
Brent Cook
17fb30204e
Land #112, Added Winpmem Meterpreter extension 2016-11-14 11:47:31 -06:00
OJ
4d145d78a7
Merge upstream/master into uuid-to-tlv 2016-10-29 15:25:21 +10:00
OJ
70812fd1ce
Remove core_uuid and add core_set_uuid 2016-10-29 12:42:36 +10:00
OJ
ed1e912e6b
Remove presence of WOW64 in the architecture string 2016-10-29 06:43:26 +10:00
Brent Cook
af34146109
disable debug messages 2016-10-26 05:21:39 -05:00
Danil Bazin
e529a2a351 Add fcat.exe 2016-10-17 21:28:59 +02:00
OJ
b96eaff14f
Remove check for UUID, force add without check 2016-10-14 13:27:45 +10:00
OJ
d06d7e1807
Include UUID in each request, update UUID on migrate 2016-10-14 10:53:21 +10:00
Brent Cook
f302463f94
Land #133, add local time command 2016-10-10 23:28:20 -05:00
OJ
7e8b4c3c52
Refactor XOR code, dedup packet writing code 2016-10-10 14:40:05 +10:00
Danil Bazin
0883a471d7 Add license file from winpmem project 2016-10-08 19:54:57 +02:00
Brent Cook
0385a93530
Land #132, Add support for listing of loaded drivers 2016-10-03 23:06:08 -05:00
Brent Cook
c304eb79c3 revert mode changes 2016-10-03 23:05:57 -05:00
OJ
d10795ba09
Update to use wchar_t API functions and unicode results 2016-10-04 13:50:28 +10:00
OJ
2b9aac9c45
Add support for listing of loaded drivers 2016-10-04 11:30:12 +10:00
OJ
12368749df
Fix pack format string issue in python extension 2016-10-04 09:46:53 +10:00
OJ
46484c2f35
Small space/comment fix 2016-10-03 15:26:54 +10:00
OJ
0cbb86c59b
Add localtime support to php, tidy python and c 2016-10-03 15:26:54 +10:00
OJ
5e6dc8ca85
Add localtime command support for POSIX 2016-10-03 15:26:54 +10:00
OJ
38fe6e1188
Add localtime command to Windows native meterp 2016-10-03 15:26:54 +10:00
Brent Cook
42a1e49768 fix unicode string writes for REG_EXPAND_SZ types 2016-09-29 23:10:27 -05:00
Tim
015d57d0fe fix clipboard 2016-09-04 15:12:26 +01:00
Danil Bazin
ec18721bd1 Winpmem meterpreter extension working 2016-08-30 18:40:14 +02:00
ssyy201506
6625248fc7 fix crash after closing channel 2016-07-08 15:40:29 +09:00
ssyy201506
baad192ba6 Fix the immediate closing of an interactive channel. 2016-06-16 11:14:12 +09:00
Brent Cook
0057809573 fix registry class, take 2 2016-05-03 22:05:14 -05:00
Brent Cook
167b2d2ac1
Land #94, Enable support for IPv6 address binding 2016-05-03 20:40:54 -05:00
Brent Cook
90f5cd2c3a fix the length calculation for meterpreter registry class reads 2016-05-03 16:40:58 -05:00
OJ
4763c24cfe Small tidy, and adding of debug code 2016-05-03 12:09:46 +10:00
Brent Cook
84140c23ba
Revert "fix Linux threads to actually use allocated memory"
This reverts commit f95152dfc1.
2016-04-26 16:49:46 -04:00
OJ
d6387fcd90 Typedef the sockaddr_in6 struct for POSIX 2016-04-06 16:14:27 +10:00
OJ
61b91d276b Enable support of IPv6 address binding 2016-04-06 15:38:03 +10:00
OJ
fe048683c9
Land #93 - Fix threads in POSIX 2016-04-06 10:59:01 +10:00
Brent Cook
f95152dfc1 fix Linux threads to actually use allocated memory 2016-04-05 17:35:55 -05:00
Brendan Watters
73d548be48
Land #85, UTF-8 Registry Support 2016-04-05 16:20:39 -05:00
Brent Cook
f43bc0a3ac
Land #89, Add Powershell meterpreter bindings 2016-04-01 19:38:56 -05:00
OJ
3c17f4e9aa Fix package script, update package
The package script was (stupidly) written (by me) to replace '\\' with
'.' when generating python import module names. Of course, this works
great on windows, but it means if you generate the package on linux
things break horribly. The result was that the latest package wouldn't
resolve anything useful when importing key stuff like ctypes or pty.

This PR fixes the issue so that the modules are correctly wired in
regardless of the OS that the package was constructed on.
2016-03-31 11:14:19 +10:00
Brent Cook
e460c1d241
Land #87, initial powershell extension 2016-03-24 21:19:22 -05:00
OJ
e229995f2d Added powershell_import and sample DLL for import testing 2016-03-25 12:16:13 +10:00
OJ
cf6287e031 Fix runner to properly support multi-line scripts
This commit actually changes the PS runner code so that it's
base64-encoded before being sent to the interpreter. It's a bit of
a hack but it means that all multiline commands are properly supported.
IEX for the win!
2016-03-25 10:28:14 +10:00
OJ
6bbfd51ab4 Stageless init support, multi-line command support 2016-03-25 09:56:00 +10:00
OJ
1a75953b7c Add transport support, tidy up some code 2016-03-25 09:12:53 +10:00
OJ
d286618b13 Add support for incognito 2016-03-24 15:01:50 +10:00
OJ
ecf10f7e43 Added ProcessList to Sys 2016-03-24 10:42:56 +10:00
OJ
1d85ea8513 Add sysinfo, code tidy 2016-03-24 10:13:56 +10:00
OJ
3f9681c34e Add show mount binding, tweak output to be tidier 2016-03-23 22:54:02 +10:00
OJ
4b142d35a0 Add Kiwi bindings, add debug, fix issue with missing commands in local
packets
2016-03-23 22:21:54 +10:00
OJ
64c57f203b Add the last few features to the User binding 2016-03-23 15:25:17 +10:00
OJ
b32fd52bfd Fix LocalAlloc call, start on the handling of other bindings (user) 2016-03-23 15:13:09 +10:00
OJ
41ac07dbe0 Finish the elevate bindings for powershell 2016-03-23 14:40:41 +10:00
OJ
8b702f7008 Remove invalid prints 2016-03-23 14:32:19 +10:00
OJ
7ba39c982a First version of "working" bindings (getsystem works)
More to do, including reading of TLV packets.
2016-03-23 13:39:25 +10:00
OJ
110306e115 Fix python meterpreter bindings by adding 0 xor key 2016-03-23 13:13:15 +10:00
OJ
ee807408ec Beginning of work on the building blocks for PSH->Meterp bindings 2016-03-22 16:06:43 +10:00
OJ
62c48c6ecc Fix a small issue with the TLV generation in getsystem 2016-03-22 16:02:26 +10:00
OJ
6e5afca1b3 Include the MSF.Powershell project 2016-03-22 13:11:49 +10:00
OJ
d48066c4cf Add support for hosts with .NET 2 only support 2016-03-22 12:36:31 +10:00
OJ
a8d0fadc5a Fallback to v4 runtime if v2 isn't present 2016-03-21 17:16:28 +10:00
OJ
cd162a88f8 Fix issue with channel interaction functioning incorrectly on close 2016-03-21 16:01:21 +10:00
OJ
43e6aae784 Proper functioning powershell sessions 2016-03-21 15:14:24 +10:00
OJ
df581ce638 Change from Auto to Manual reset event
This stops the CPU thrashing, and should have been the default when the
work was first done.
2016-03-15 21:16:48 +10:00
Brent Cook
423dbaeba2 consistency and bug fixes 2016-03-15 05:45:21 -05:00
Brent Cook
31e6ae1a63 Convert registry access to use UTF-8 2016-03-15 02:58:36 -05:00
OJ
a7ef4b91e3 Add powershell interactive prompt 2016-03-14 20:23:44 +10:00
OJ
3d94391292 Add support for unmanaged powershell
This commit includes the ability to run a single powershell command in
the current session.
2016-03-14 17:12:29 +10:00
OJ
af32e7289d Initial shell of the powershell extension project 2016-03-14 12:56:34 +10:00
OJ
e2285737a8 Make comment a little more sensible 2016-03-09 08:53:21 +10:00
OJ
62455e57f9 make the GetIpAddr function interactions deal with dynamic size 2016-03-09 08:27:59 +10:00
Brent Cook
fc26790e9a simplify error handling, remove 30 IP limit, remove unneeded free() checks 2016-03-08 03:50:32 -06:00
OJ
f015f53b6b Fix network interface enumeration limitation
This moves the existing network interface enumeration code over to the
group TLV packet approach which allows for arbitrary numbers of entities
to be added on the fly instead of fixed numbers.
2016-03-08 12:11:27 +10:00
Brent Cook
08e008fc77
Land #64, add xor encoding to TLV messages 2016-02-10 21:32:43 -06:00
Brent Cook
263fc0a00a posix xor 2016-02-04 05:50:47 -06:00
BAZIN-HSC
8ddd54c565 Build correction for fedora on not EN system 2016-01-29 10:41:18 +01:00
Brent Cook
ed3c35ed0b allow duplicate symbols building libm 2016-01-16 22:12:02 -06:00
OJ
246c78fccc Remove extra call to scheduler init 2016-01-13 10:08:12 +10:00
OJ
29f88366ac Merge branch 'upstream/master' into default-xor 2016-01-13 07:34:40 +10:00
Brent Cook
c125f72c1a Land #59, simplify sniffer conditional logic 2015-12-24 06:40:58 -06:00
Brent Cook
9e2c799b3e Land #57, include multiprocessing module in python extension 2015-12-23 03:09:59 -06:00
Romero Malaquias
70a8d43949 Avoiding conditional directives that break statements. 2015-12-21 12:23:08 -03:00
OJ
4424029d3c Add python extension multiprocessing
This commit includes code that was missing from the original Python PR which adds support for the multiprocessing module in Python. I have no idea why this was missed, but it was. The code also includes adjustments to the loader which attempts to resolve modules appropriately based on name. This is a bit of a kludge thanks to the way that Python module resolution hooks work, as it's not clear exactly which namespace the module is intended to be loaded from at runtime as it's not passed to the resolver. Down the track we may need to get smarter with the resolver so that we have a per-module resolver (i.e. a tree of resolvers).
2015-12-19 09:40:44 +10:00
OJ
d5fb6821ae Fix python core lib mistake 2015-12-13 11:52:42 +10:00
OJ
3d598c4275 Remove superfluous comments from code 2015-12-08 16:57:40 +10:00
Brent Cook
099da2b4b7 Revert "Convert registry access to use UTF-8"
This reverts commit bc8dfb17b5.
2015-12-07 14:17:52 -06:00
Brent Cook
2f575a45a0 Revert "fixup buffer sizes"
This reverts commit 2d6c0194c9.
2015-12-07 14:17:50 -06:00
OJ
1061df8b8d Remove the RECV POST request 2015-12-07 13:26:33 +10:00
OJ
5ca5fe89f0 Begin to enable DWORD xor out of the box 2015-12-02 13:30:22 +10:00
Brent Cook
2d6c0194c9 fixup buffer sizes 2015-12-01 14:58:20 -06:00
Brent Cook
bc8dfb17b5 Convert registry access to use UTF-8 2015-12-01 13:53:45 -06:00
OJ
29c8639025 Updated init script method 2015-11-20 12:49:36 +10:00
OJ
c692e76332 Finalise stageless initialisation scripts 2015-11-10 20:00:34 +10:00
OJ
dca4cc46be Merge branch 'upstream/master' into stageless-init 2015-11-10 15:44:39 +10:00
OJ
175d6d93f1 First pass of stageless initialisation script 2015-11-10 15:43:59 +10:00
Brent Cook
bc0138093d Land #47, add python transport bindings 2015-11-09 21:13:18 -06:00
Brent Cook
98fae3e075 change source perms back to non-executable 2015-11-09 21:10:30 -06:00
Brent Cook
888ec2574a Land #46, add misc python bindings. 2015-11-09 20:56:51 -06:00
OJ
380f3e27aa Update python core lib archive 2015-11-04 15:33:12 +10:00
OJ
578ac70fd9 Add transport add command to python binding 2015-11-04 14:37:57 +10:00
OJ
4b44e69ce9 Add transport list binding 2015-11-04 14:04:22 +10:00
OJ
73b8422c14 Update packaged libs 2015-11-03 17:56:20 +10:00
OJ
e016e6d526 Add incognito binding, code tidies 2015-11-03 17:52:06 +10:00
OJ
cbb50227a5 Refactor TLV layout, add more debug output, token stealing 2015-11-03 14:03:33 +10:00
OJ
7c592a63d2 Add show_mount, ps_list, and some core tweaks 2015-11-03 13:25:47 +10:00
Brent Cook
7d94abd9b0 Land #44, don't fall back to 0.0.0.0 if the user-specified bind fails 2015-11-02 17:24:57 -06:00
Brent Cook
ecbcb17dec Land #43, add show_mount support for Windows meterpreter 2015-10-30 15:26:33 -05:00
OJ
5602977bce Ignore SSL changes in POSIX code
This ifdef's our way to glory, given that POSIX Python extension is out
of scope for now.
2015-10-30 15:23:01 -05:00
OJ
71212bba43 Turn off debug trace 2015-10-30 15:23:01 -05:00
OJ
f572570b7d Initial work to get python talking to metsrv's ssl 2015-10-30 15:23:01 -05:00
OJ
a004655b03 Fix silly typo in extapi python module 2015-10-30 15:23:01 -05:00
OJ
def28cf927 Init the msvcrt extension 2015-10-30 15:23:01 -05:00
OJ
1c438bd13a Add some adsi functionality bindings 2015-10-30 15:23:01 -05:00
OJ
fb36d94c05 Clean up packet once processed 2015-10-30 15:23:01 -05:00
OJ
4b2257c791 More bindings, including kiwi as an example 2015-10-30 15:23:01 -05:00
OJ
04cb09737e More work on the meterpreter bindings for python 2015-10-30 15:23:00 -05:00