From af888f1af0e6ef4bbd56da84665fe7ef68f87b7b Mon Sep 17 00:00:00 2001 From: adfoster-r7 Date: Fri, 7 Jan 2022 17:44:26 +0000 Subject: [PATCH] Align quote usage --- Adding-Release-Notes-to-PRs.md | 2 +- GSoC-2017-Mentor-Organization-Application.md | 2 +- ...-Oracle-Support-working-with-Kali-Linux.md | 4 +-- Metasploit-5.0-Release-Notes.md | 6 ++-- Metasploit-6.0-Development-Notes.md | 2 +- Meterpreter-Wishlist.md | 32 +++++++++---------- RFC---Metasploit-URL-support.md | 6 ++-- Using-ReflectiveDLL-Injection.md | 28 ++++++++-------- ...to-allow-msfdb-to-use-postgresql-common.md | 6 ++-- 9 files changed, 44 insertions(+), 44 deletions(-) diff --git a/Adding-Release-Notes-to-PRs.md b/Adding-Release-Notes-to-PRs.md index 1208f5d97d..139ca3297c 100644 --- a/Adding-Release-Notes-to-PRs.md +++ b/Adding-Release-Notes-to-PRs.md @@ -65,5 +65,5 @@ When you write release notes for an exploit, you should try to answer the follow And finally, here's an example for exploits: -> This module allows you to exploit HP Data Protector, a backup and recovery system, to remotely upload files to the file share. Versions 6.10, 6.10, and 6.20 are vulnerable. You don’t need to authenticate to exploit this vulnerability. +> This module allows you to exploit HP Data Protector, a backup and recovery system, to remotely upload files to the file share. Versions 6.10, 6.10, and 6.20 are vulnerable. You don't need to authenticate to exploit this vulnerability. diff --git a/GSoC-2017-Mentor-Organization-Application.md b/GSoC-2017-Mentor-Organization-Application.md index 1dba2ea59f..db80ab820b 100644 --- a/GSoC-2017-Mentor-Organization-Application.md +++ b/GSoC-2017-Mentor-Organization-Application.md 
@@ -8,7 +8,7 @@ Please don't use markdown here, we have to paste it into a form. All answers are **Why does your org want to participate in Google Summer of Code?** -The story of Metasploit Framework’s creation and development over the last 13 years is one of community collaboration to create and hone tools useful to a wide range of security practitioners. Its broad functionality, combined with the deep domain knowledge of the mentors, offers a unique opportunity for students to learn about security and exploit development. Many of our contributors are established exploit developers and penetration testers who have years of industry experience that they can share with students. We hope that the experience will inspire students to continue contributing to open source security, as well as providing them with invaluable real-world training in development, security, and remote collaboration. +The story of Metasploit Framework's creation and development over the last 13 years is one of community collaboration to create and hone tools useful to a wide range of security practitioners. Its broad functionality, combined with the deep domain knowledge of the mentors, offers a unique opportunity for students to learn about security and exploit development. Many of our contributors are established exploit developers and penetration testers who have years of industry experience that they can share with students. We hope that the experience will inspire students to continue contributing to open source security, as well as providing them with invaluable real-world training in development, security, and remote collaboration. **How will you keep mentors engaged with their students?** diff --git a/How-to-get-Oracle-Support-working-with-Kali-Linux.md b/How-to-get-Oracle-Support-working-with-Kali-Linux.md index 4ade3d3396..23b217bbd2 100644 --- a/How-to-get-Oracle-Support-working-with-Kali-Linux.md +++ b/How-to-get-Oracle-Support-working-with-Kali-Linux.md 
@@ -75,11 +75,11 @@ Resolving codeload.github.com (codeload.github.com)... 192.30.253.120, 192.30.25 Connecting to codeload.github.com (codeload.github.com)|192.30.253.120|:443... connected. HTTP request sent, awaiting response... 200 OK Length: unspecified [application/zip] -Saving to: ‘ruby-oci8-2.2.7.zip’ +Saving to: 'ruby-oci8-2.2.7.zip' ruby-oci8-2.2.7.zip [ <=> ] 376.97K 2.36MB/s in 0.2s -2019-03-26 20:31:11 (2.36 MB/s) - ‘ruby-oci8-2.2.7.zip’ saved [386016] +2019-03-26 20:31:11 (2.36 MB/s) - 'ruby-oci8-2.2.7.zip' saved [386016] root@kali:~# unzip ruby-oci8-2.2.7.zip Archive: ruby-oci8-2.2.7.zip diff --git a/Metasploit-5.0-Release-Notes.md b/Metasploit-5.0-Release-Notes.md index d22f991cc4..f8f2227c6d 100644 --- a/Metasploit-5.0-Release-Notes.md +++ b/Metasploit-5.0-Release-Notes.md @@ -4,7 +4,7 @@ Metasploit 5.0 brings many new features, including new database and automation A See the release announcement [here](https://blog.rapid7.com/2019/01/10/metasploit-framework-5-0-released). -The following is a high-level overview of Metasploit 5.0’s features and capabilities. +The following is a high-level overview of Metasploit 5.0's features and capabilities. * Metasploit users can now run the PostgreSQL database by itself as a RESTful service, which allows for multiple Metasploit consoles and external tools to interact with it. 
@@ -14,7 +14,7 @@ The following is a high-level overview of Metasploit 5.0’s features and capabi * This release adds a common web service framework to expose both the database and the automation APIs; this framework supports advanced authentication and concurrent operations. Read more about how to set up and run these new services [here](https://github.com/rapid7/metasploit-framework/wiki/Metasploit-Web-Service). -* Adds `evasion` module type and libraries to let users generate evasive payloads without having to install external tools. Read the research underpinning evasion modules [here](https://www.rapid7.com/info/encapsulating-antivirus-av-evasion-techniques-in-metasploit-framework). Rapid7’s first evasion modules are [here](https://github.com/rapid7/metasploit-framework/pull/10759). +* Adds `evasion` module type and libraries to let users generate evasive payloads without having to install external tools. Read the research underpinning evasion modules [here](https://www.rapid7.com/info/encapsulating-antivirus-av-evasion-techniques-in-metasploit-framework). Rapid7's first evasion modules are [here](https://github.com/rapid7/metasploit-framework/pull/10759). * The `metashell` feature allows users to run background sessions and interact with shell sessions without needing to upgrade to a Meterpreter session. 
@@ -28,6 +28,6 @@ The following is a high-level overview of Metasploit 5.0’s features and capabi You can get Metasploit 5.0 by checking out the [5.0.0 tag](https://github.com/rapid7/metasploit-framework/releases/tag/5.0.0) in the Metasploit GitHub project. -Need a primer on Framework architecture and usage? Take a look at [our wiki here](https://github.com/rapid7/metasploit-framework/wiki), and feel free to reach out to the broader community [on Slack](https://metasploit.com/slack). There are also myriad public and user-generated resources on Metasploit tips, tricks, and content, so if you can’t find something you want in our wiki, ask Google or the community what they recommend. +Need a primer on Framework architecture and usage? Take a look at [our wiki here](https://github.com/rapid7/metasploit-framework/wiki), and feel free to reach out to the broader community [on Slack](https://metasploit.com/slack). There are also myriad public and user-generated resources on Metasploit tips, tricks, and content, so if you can't find something you want in our wiki, ask Google or the community what they recommend. See all the ways to stay informed and get involved at . diff --git a/Metasploit-6.0-Development-Notes.md b/Metasploit-6.0-Development-Notes.md index 8f05879ce3..8c4d9a5cbd 100644 --- a/Metasploit-6.0-Development-Notes.md +++ b/Metasploit-6.0-Development-Notes.md 
@@ -48,6 +48,6 @@ A complete list of pull requests included as part of the initial version 6 work: You can get Metasploit 6.0 by checking out the [6.0.0 tag](https://github.com/rapid7/metasploit-framework/releases/tag/6.0.0) in the Metasploit GitHub project. -Need a primer on Framework architecture and usage? Take a look at [our wiki here](https://github.com/rapid7/metasploit-framework/wiki), and feel free to reach out to the broader community [on Slack](https://metasploit.com/slack). There are also myriad public and user-generated resources on Metasploit tips, tricks, and content, so if you can’t find something you want in our wiki, ask Google or the community what they recommend. +Need a primer on Framework architecture and usage? Take a look at [our wiki here](https://github.com/rapid7/metasploit-framework/wiki), and feel free to reach out to the broader community [on Slack](https://metasploit.com/slack). There are also myriad public and user-generated resources on Metasploit tips, tricks, and content, so if you can't find something you want in our wiki, ask Google or the community what they recommend. See all the ways to stay informed and get involved at . diff --git a/Meterpreter-Wishlist.md b/Meterpreter-Wishlist.md index 1636a2d5f7..bd8e41febd 100644 --- a/Meterpreter-Wishlist.md +++ b/Meterpreter-Wishlist.md 
@@ -32,7 +32,7 @@ Related open tickets (slightly broader than Meterpreter): ### Meterpreter Pivoting * VPN Pivoting for Framework (WinPcap still better than nothing) - * Reverse pivoting from the target machine back to the attacker (TCP/UDP) . For many years I’ve asked for this feature. Basically Meterpreter needs to be able to say, listen on port 8080 on victim 1 and it go through the Meterpreter session to port whatever (9060) on the attacker’s machine or a designated alternate IP. then, whenever someone hits that port it’s auto forwarded through the session. This could help out a lot for SMB capture, Post exploitation phishing, and other things like setting a user’s proxy to use your forwarded port instead of the corporate proxy. + * Reverse pivoting from the target machine back to the attacker (TCP/UDP) . For many years I've asked for this feature. Basically Meterpreter needs to be able to say, listen on port 8080 on victim 1 and it go through the Meterpreter session to port whatever (9060) on the attacker's machine or a designated alternate IP. then, whenever someone hits that port it's auto forwarded through the session. This could help out a lot for SMB capture, Post exploitation phishing, and other things like setting a user's proxy to use your forwarded port instead of the corporate proxy. * Improved pivoting speed and latency * Pivoting that is reliable and works well with different transports. In particular, I want the ability to pivot one session through another even if the first session is reverse_tcp or reverse_https, regardless of the second sessions transport. This will be difficult without installing drivers, but I would like several useful, working transports that I know I can pivot reliably with. * Carry portforwards and other channels along with a migrate. 
@@ -59,9 +59,9 @@ Related open tickets (slightly broader than Meterpreter): * Builtin rootkit/bootkit payload persistence * Create payloads that only "install" on specific computers (based on hardware, windows domain, etc) * Acquire a physical RAM image without touching the disk. This currently requires uploading winpmem[64].sys to windows\system32 and invoking it through post/windows/manage/driver_loader. As loaded winpmem.sys exposes the RAM as disk device I can then suck it through post/windows/manage/nbd_server. Please make this possible without dropping winpmem.sys to system32 folder if possible - * Manage multiple Meterpreter processes as one session as described in #4715. Many times there have been situations where a keyscan, or sniffer was going and something else occurred that required migration or cancelling to perform an action. “Installing” jobs in processes less likely to die would allow a pentester to still move around as needed but also be able to have persistent tasks going. A pipe dream of this feature would be to install a “rev2system” jobs whereby I could migrate to a low priv status for accessing Cryptolib encrypted storage but also get back to SYSTEM when I’m done without needing to pop a shell again. Another pipe dream here would be to also have jobs that if the user logged out, then back in the next day and I had a shell come back then, I could re-attach to my running jobs and get their results + * Manage multiple Meterpreter processes as one session as described in #4715. Many times there have been situations where a keyscan, or sniffer was going and something else occurred that required migration or cancelling to perform an action. “Installing” jobs in processes less likely to die would allow a pentester to still move around as needed but also be able to have persistent tasks going. 
A pipe dream of this feature would be to install a “rev2system” jobs whereby I could migrate to a low priv status for accessing Cryptolib encrypted storage but also get back to SYSTEM when I'm done without needing to pop a shell again. Another pipe dream here would be to also have jobs that if the user logged out, then back in the next day and I had a shell come back then, I could re-attach to my running jobs and get their results - * PrependTokenSteal / PrependEnvironmentSteal: Basically with proxies and other perimeter defenses being SYSTEM doesn’t work well. This would be an addition to a payload that would work to execute as SYSTEM but would then locate a logged in user and steal their environment to call back to the handler. Very useful when pivoting around with PSEXEC + * PrependTokenSteal / PrependEnvironmentSteal: Basically with proxies and other perimeter defenses being SYSTEM doesn't work well. This would be an addition to a payload that would work to execute as SYSTEM but would then locate a logged in user and steal their environment to call back to the handler. Very useful when pivoting around with PSEXEC * Binary installed death dates: A way putting a date in a binary where after that date the binary no longer functions would be useful and possibly even perform self-deletion. Time zones would be a tricky matter, but is something handled by many programmers already (probably just not in shellcode) * Allow Meterpreter sesssions to resolve L3 addresses (#4793) * Track whether or not the current session has admin credentials (#4633)d 
@@ -77,19 +77,19 @@ Related open tickets (slightly broader than Meterpreter): * MessageBox popups * Call the system "open" command easily (ShellExecute on windows, launch intent on Android) * Gather credentials from Google Chrome - * LNK (binary) modification: Editing a LNK file’s ICON location (for SMB capturing), “Starting Directory” (for DLL injection) or target binary would make some post exploitation tasks easier + * LNK (binary) modification: Editing a LNK file's ICON location (for SMB capturing), “Starting Directory” (for DLL injection) or target binary would make some post exploitation tasks easier * “Pinned” app modification: Knowing which apps are pinned, and what they link to (be it taskbar or start menu) would be useful intelligence, but also being able to modify the target of these links would be better and a very easy user-land persistence. (Run this && the real thing you want) * Remote Registry automation: Remotely editing or reading the registry of a remote system works currently (sometimes) but it has no smarts about if the Remote Registry service is on or not. It would be nice to automate the starting and stopping of the remote registry service as well as possibly warning the user if they are attempting to do this as SYSTEM (probably going to fail). The use case for this is installing persistence on lots of systems quickly as well as reading user lists, MRUs and other intelligence important keys. (like finding a system with the puTTY keys) - * “ps” and “kill” for remote systems: This would remove the need to drop to a shell and attempt to remember how to format “taskkill” and “tasklist”’s argument list. Tasklist also automatically removes the IPC$ connection after it’s done so results in some annoying disconnected share viewing + * “ps” and “kill” for remote systems: This would remove the need to drop to a shell and attempt to remember how to format “taskkill” and “tasklist”'s argument list. 
Tasklist also automatically removes the IPC$ connection after it's done so results in some annoying disconnected share viewing * Scheduled Tasks / AT: Many of the ways to pivot or stay persistent use AT or Scheduled Tasks, to do so. This functionality to do tasks both locally and on remote hosts would greatly decrease the number of times a pentester would need to drop to cmd.exe - * [**DONE**] Execute with login credentials: When a user is no longer online it is overkill to PSEXEC (which would just net a SYSTEM shell anyways with MSF) and “RunAs” isn’t supported since it requires a password at a prompt, so adding a simple CreateProcesWithLogon feature would help with reviving dead tokens [#4649](https://github.com/rapid7/metasploit-framework/pull/4649) + * [**DONE**] Execute with login credentials: When a user is no longer online it is overkill to PSEXEC (which would just net a SYSTEM shell anyways with MSF) and “RunAs” isn't supported since it requires a password at a prompt, so adding a simple CreateProcesWithLogon feature would help with reviving dead tokens [#4649](https://github.com/rapid7/metasploit-framework/pull/4649) * ListDrives: Most of the time shares and other drives rather than just C:\ are where important files are stored. This feature would list local storage (plus USB) and network storage (SMB connected drives with where they are connected from and as what user) to start, but this feature would need to grow to support “Cloud” drives as well, like Dropbox, Box, Google Drive, and SkyDrive. - * Enumerables support in Railgun: Windows is full of “Enumerables” like EnumWindows that would be nice to have the ability to create code for. That example is bad since ExtAPI has EnumWindows now but the argument doesn’t go away for railgun + * Enumerables support in Railgun: Windows is full of “Enumerables” like EnumWindows that would be nice to have the ability to create code for. 
That example is bad since ExtAPI has EnumWindows now but the argument doesn't go away for railgun * DACL / Permissions enumeration: This is just needed in general for privilege escalation enumeration, share permissions, and reporting (“Why did you have access to this share, it was only supposed to be for X”) * Gina/SSP support: This would probably need to be an injected “job” but the basic premise is an in-memory load of a SSP or inject into Gina so when a new login happens against the system a set of clear text credentials are captured. 2 extremely use cases would be on a terminal server, or a server that no one is logged into at the time of infection due to time zone or operating hour differences - * Websnapshot: Currently there isn’t a way to weed out web applications once in a network. This feature would, using IE, or another method be able to generate a screenshot of what a page looks like in a browser (given a PROTOCOL/URL/PORT). Biggest requirement is auto-accepting any self signed SSL certs and showing when authentication is required. - * On-target resource cloning: Allowing a pentester to drop a binary and clone the ICON (in particular) of a binary would add to the stealthiness of an operation and add attack opportunities that weren’t previously thought plausible - * Scatterbomb: Persistence is difficult, and making sure your session doesn’t die because you chose the wrong process to migrate into or the user exited that process because the PDF looked hung. This would work by attempting OpenProcess on every process or a select list of processes and inject Meterpreter threads into them. But it would rely on the Mutex feature so that only one would be calling back at a time. Basically allowing for a resilient semi-persistent Meterpreter session that would save you from yourself when you accidentally type exit on the Meterpreter> prompt instead of your other terminal + * Websnapshot: Currently there isn't a way to weed out web applications once in a network. 
This feature would, using IE, or another method be able to generate a screenshot of what a page looks like in a browser (given a PROTOCOL/URL/PORT). Biggest requirement is auto-accepting any self signed SSL certs and showing when authentication is required. + * On-target resource cloning: Allowing a pentester to drop a binary and clone the ICON (in particular) of a binary would add to the stealthiness of an operation and add attack opportunities that weren't previously thought plausible + * Scatterbomb: Persistence is difficult, and making sure your session doesn't die because you chose the wrong process to migrate into or the user exited that process because the PDF looked hung. This would work by attempting OpenProcess on every process or a select list of processes and inject Meterpreter threads into them. But it would rely on the Mutex feature so that only one would be calling back at a time. Basically allowing for a resilient semi-persistent Meterpreter session that would save you from yourself when you accidentally type exit on the Meterpreter> prompt instead of your other terminal * Mutex checking binary exports: This follows up with the scatterbomb but essentially when installing persistence as a pentester I only install one because installing more than one would raise the noise level of a compromised host. If the binary/callback would check a mutex before doing anything and looping based on a timeout that even better. * OLE / Office Controls: This is basically an open ended feature request asking for support of for Office, mostly Outlook (like read newest emails, search email, etc). * Configurable character set conversation for Shell sessions and channels. When spawning a windows shell from meterpreter, on a host that uses a German version of windows, all the special characters (e.g. öäü) are broken, i.e. they are either not rendered at all, or replaced with that default "character not found" unicode character. 
Forcing the terminal emulator to use cp850 made it work for now. @@ -99,7 +99,7 @@ Related open tickets (slightly broader than Meterpreter): * [**DONE**] Network error tolerant versions of existing stagers * [**DONE**] Tagged stagers that send the payload type, arch, platform during the staging process to enable shared listeners * [**DONE**] Stagers that contain an embedded unique ID that can be used to identify which payload triggered what session - * [**DONE**] Stagers that are "stageless" for Meterpreter (include the entire main Meterpreter payload, plus any required extensions). In situations of high network latency or extreme network detection a non-staged exe is the only way to go. Ulta-met is a project that does this but isn’t as stable or easy to work with as if it were just built into the binary creation options. + * [**DONE**] Stagers that are "stageless" for Meterpreter (include the entire main Meterpreter payload, plus any required extensions). In situations of high network latency or extreme network detection a non-staged exe is the only way to go. Ulta-met is a project that does this but isn't as stable or easy to work with as if it were just built into the binary creation options. * [**DONE**] Stagers that are "stageless" for Meterpreter and include all potential functionality (all extensions) ### Meterpreter Transport Flexibility 
@@ -117,7 +117,7 @@ Related open tickets (slightly broader than Meterpreter): * Support for TLS encrypted bind listeners * Support for HTTP application listener (ie CGI mode Meterpreter session, tomcat servlets, etc) * Support for third-party communication transports (Github, Twitter, pastebin, etc) - * Support for XMPP transports. Many organizations use IM and chat clients internally and support them going outbound. reverse_tcp being stopped for the most part these days and more and more catching reverse_http(s) due to proxies, this might become the next outlet. Possibly using server that are already established in the industry ;-) but mainly supporting XYZ jabber server as a pass through. This would probably be a very big piece of shellcode as I don’t believe any Windows OSs support XMPP out of the box. + * Support for XMPP transports. Many organizations use IM and chat clients internally and support them going outbound. reverse_tcp being stopped for the most part these days and more and more catching reverse_http(s) due to proxies, this might become the next outlet. Possibly using server that are already established in the industry ;-) but mainly supporting XYZ jabber server as a pass through. This would probably be a very big piece of shellcode as I don't believe any Windows OSs support XMPP out of the box. * Support for IE callback: One method deployed by some more infamous malware is to only communicate when IE is running and surfing and only by hooking IE to send comms. This callback would operate very much the same and would support any kind of proxy by default as IE does. * Support for Outlook callback: This callback would use email back and forth either directly to a MSF run SMTP server or through other services, but the C2 channel would be locally (not on the exchange filter system) auto-filtered to a non-visible folder (using PidTagAttributeHidden). 
This type of comms would greatly increase the lag time supported in Metepreter simply due to the inherent lag in email. @@ -134,7 +134,7 @@ Related open tickets (slightly broader than Meterpreter): * [**DONE**] Better proxy support and the ability to sleep. Still more to done on burstable updates ### Communication Protection - * Authenticated callbacks: This is pretty straight forward, when a pentester no longer controls the IP they were attacking from and failed to clean up every binary and phishing email there is a chance of compromise by proxy. The problem was somewhat solved with SessionExpirationTimeout and SessionCommunicationTimeout but both of them are loaded in the stage, not hard coded into any binary built, so it’s very easy to get into this situation. Authenticated callbacks would allow a pentester to add a small layer of protections if this event were to happen and a callback from a client was sent to an IP no longer in the pentester’s control + * Authenticated callbacks: This is pretty straight forward, when a pentester no longer controls the IP they were attacking from and failed to clean up every binary and phishing email there is a chance of compromise by proxy. The problem was somewhat solved with SessionExpirationTimeout and SessionCommunicationTimeout but both of them are loaded in the stage, not hard coded into any binary built, so it's very easy to get into this situation. Authenticated callbacks would allow a pentester to add a small layer of protections if this event were to happen and a callback from a client was sent to an IP no longer in the pentester's control * Embedded TLS cert or hash of cert to verify Meterpreter instance on the Metasploit side * [**DONE**] Embedded TLS cert or hash of cert to verify Metasploit instance on the Meterpreter side * Embedded password to verify Meterpreter instance on the Metasploit side (challenge-response) 
@@ -158,7 +158,7 @@ Related open tickets (slightly broader than Meterpreter): ### Session Handlers * [**DONE**] Generate a unique ID for each session (target-side) - * [**DONE**] Generate a unique ID for each generated payload Backdooring/Persisting on more than 10 machines over months it gets very difficult to know when a host hasn’t called back in a while or when a new host arrives. This would need not to be based on gateway, local IP, or any other transient information. This can be processed at any step as long as when STDAPI is loaded I can quickly identify if it’s a system that I’ve known about, and how long it’s been since I’ve seen it. + * [**DONE**] Generate a unique ID for each generated payload Backdooring/Persisting on more than 10 machines over months it gets very difficult to know when a host hasn't called back in a while or when a new host arrives. This would need not to be based on gateway, local IP, or any other transient information. This can be processed at any step as long as when STDAPI is loaded I can quickly identify if it's a system that I've known about, and how long it's been since I've seen it. * Shared listeners that can stage multiple payload architectures and platforms (using tags). Depends on new stagers and a new listener and unique IDs. [**IN PROGRESS**] * [**DONE**] Track the last time a given session checked in * Track user defined state data in the db, such as specific user / member of group logged in, specific shares open, certain tuple of IP:port in network connections (1.2.3.4 over 22 where 1.2.3.4 is an IP of interest) 
@@ -195,9 +195,9 @@ Related open tickets (slightly broader than Meterpreter): ### Unit testing for payloads - * Metasploit payload classes should have specs, new specs should be created when any class is changed if there isn’t an existing spec. + * Metasploit payload classes should have specs, new specs should be created when any class is changed if there isn't an existing spec. * Metasploit payload tests that can run in Travis, should be automatically tested end-to-end - * Metasploit payload tests that can’t run in Travis should be run by Jenkins and target a virtual machine (local or cloud-hosted). + * Metasploit payload tests that can't run in Travis should be run by Jenkins and target a virtual machine (local or cloud-hosted). * Meterpreter payloads should test every advertised console command. * Meterpreter payloads should test a subset of the full APIs available. diff --git a/RFC---Metasploit-URL-support.md b/RFC---Metasploit-URL-support.md index 148c7011b4..39349dd90e 100644 --- a/RFC---Metasploit-URL-support.md +++ b/RFC---Metasploit-URL-support.md 
@@ -40,11 +40,11 @@ run # Approaches -So far there’s three main potential approaches to add URL support to msfconsole: +So far there's three main potential approaches to add URL support to msfconsole: 1. **Consolidating Options** - Combining multiple options such as `RHOST`/`RPORT`/`SSL`/etc into one new option: `TARGETS` -2. **Enriching RHOSTS with URL support** - The RHOST’s option is modified to support URLs, and attempts to keep all options such as RHOST/PORT/SSL etc in sync. -3. **Support setting a single RHOST_URL** - Metasploit console will now support setting a single `RHOST_URL` value. Note that this wouldn’t show as an option to the user, but would be used as a ‘macro’ to populate the existing datastore values +2. **Enriching RHOSTS with URL support** - The RHOST's option is modified to support URLs, and attempts to keep all options such as RHOST/PORT/SSL etc in sync. +3. **Support setting a single RHOST_URL** - Metasploit console will now support setting a single `RHOST_URL` value. Note that this wouldn't show as an option to the user, but would be used as a 'macro' to populate the existing datastore values ## 1. Consolidating Options diff --git a/Using-ReflectiveDLL-Injection.md b/Using-ReflectiveDLL-Injection.md index 53eba8310a..f2b5f14f96 100644 --- a/Using-ReflectiveDLL-Injection.md +++ b/Using-ReflectiveDLL-Injection.md 
@@ -2,18 +2,18 @@ ## Using the ReflectiveDll loader in a metasploit module. -First, let’s be clear. I have used this exactly once, but there exists little in the way of guidance on how ReflectiveDll injection works in Framework, so I figure poor guidance is better than none. I am in part hoping that someone who knows how it works will come along and correct this, ala Cunningham’s Law. +First, let's be clear. I have used this exactly once, but there exists little in the way of guidance on how ReflectiveDll injection works in Framework, so I figure poor guidance is better than none. I am in part hoping that someone who knows how it works will come along and correct this, ala Cunningham's Law. This documentation assumes that you have some familiarity with DLLs already. ### Step 1 - Make your DLL Use Visual studio 2013 and make a standard, empty DLL. Do not attempt to add the reflective DLL stuff yet. -When you make the DLL, make sure that you have at least three files: A header file with the function declarations, a c(pp) file with the functions that ‘do’ the exploit, and a DllMain file with the `DllMain` function. I find that testing the DLL outside the reflective loader helps tremendously, so in the header file, I declare my working function as an `extern`, C-style function: +When you make the DLL, make sure that you have at least three files: A header file with the function declarations, a c(pp) file with the functions that 'do' the exploit, and a DllMain file with the `DllMain` function. I find that testing the DLL outside the reflective loader helps tremendously, so in the header file, I declare my working function as an `extern`, C-style function: `extern "C" __declspec (dllexport) void PrivEsc(void);` -I think using C as the language over cpp would make life marginally easier, as you can combine the source code into one project. Using cpp meant I needed to have separate projects, or at least using my limited compiler knowledge that’s how I got it to work. 
I noticed OJ was able to extend his c project ([exploits/capcom_sys_exec](https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/capcom_sys_exec.rb)) to include the reflectiveloader, but I could not seem to do the same for my cpp project. +I think using C as the language over cpp would make life marginally easier, as you can combine the source code into one project. Using cpp meant I needed to have separate projects, or at least using my limited compiler knowledge that's how I got it to work. I noticed OJ was able to extend his c project ([exploits/capcom_sys_exec](https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/capcom_sys_exec.rb)) to include the reflectiveloader, but I could not seem to do the same for my cpp project. -Store your project in `external/source/exploits//`. That’s not written in stone. The project I just finished had both DLL and EXE, so I have `external/source/exploits//dll` and `external/source/exploits//exe`. Just don't be a jerk and do something hard to follow. Your requirements may differ, and we're not super particular as long as it makes sense. I suggest the identifier to make life easier, then a project name because you’ll be bringing the reflective loader project into the identifier folder, and at least I like to have some separation between the two. +Store your project in `external/source/exploits//`. That's not written in stone. The project I just finished had both DLL and EXE, so I have `external/source/exploits//dll` and `external/source/exploits//exe`. Just don't be a jerk and do something hard to follow. Your requirements may differ, and we're not super particular as long as it makes sense. I suggest the identifier to make life easier, then a project name because you'll be bringing the reflective loader project into the identifier folder, and at least I like to have some separation between the two. 
### Step 2 Write the DLL using an extern, C-linkage entry point to make testing easier 
@@ -86,12 +86,12 @@ One thing to understand- despite the feelings I had reading through the framewor Some of the output from the framework side of the injection was confusing to me because I am used to loading DLLs explicitly and implicitly, and some of the framework methods made it sound like we were not relying on DLL_PROCESS_ATTACH. We are, but in a slightly more round-about way. That said, remember if you go back to troubleshooting just your exploit code in the `extern` function, `DLL_PROCESS_ATTACH` will still execute if you use `rundll32.exe` to call your function. Be sure to comment out your calls in `DLL_PROCESS_ATTACH` if you go back to debugging unless you want dueling exploits. -OK, so at this point, you’ve got a DLL with a function that does something you want, and even better, it compiles! Move that binary to the data directory corresponding to the external directory you used above. i.e. if you used `external/source/exploits/myfancyexploit`, put your binary in `data/exploits/myfancyexploit/`. If you can automate that move as a post build step, even better! +OK, so at this point, you've got a DLL with a function that does something you want, and even better, it compiles! Move that binary to the data directory corresponding to the external directory you used above. i.e. if you used `external/source/exploits/myfancyexploit`, put your binary in `data/exploits/myfancyexploit/`. If you can automate that move as a post build step, even better! ### Now that we have the binary, we need to execute it on target- Enter Framework! ## Step 4: Adding the framework module -Once you’ve got the DLL working and have it compiling with ReflectiveLoader, you have to make a framework module to use it. 
OJ’s [exploits/capcom_sys_exec](https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/capcom_sys_exec.rb) is a great place to start looking as an examples; it is super easy and simple to read, so let's review: +Once you've got the DLL working and have it compiling with ReflectiveLoader, you have to make a framework module to use it. OJ's [exploits/capcom_sys_exec](https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/capcom_sys_exec.rb) is a great place to start looking as an examples; it is super easy and simple to read, so let's review: (1) Make sure you have a handle to a process…. The easiest way be able to get a handle to a process is to launch your own: `notepad_process = client.sys.process.execute('notepad.exe', nil, {'Hidden' => true})` 
@@ -104,32 +104,32 @@ Once you’ve got the DLL working and have it compiling with ReflectiveLoader, y Replace the directory and file names with the ones to your binary. -(3.5) OJ went ahead and expanded the path; likely this is because he’s used filepath hijacking in the past: +(3.5) OJ went ahead and expanded the path; likely this is because he's used filepath hijacking in the past: `library_path = ::File.expand_path(library_path)` -(4) Now, here’s where things get fun- inject your DLL directly into the memory of notepad: +(4) Now, here's where things get fun- inject your DLL directly into the memory of notepad: `exploit_mem, offset = inject_dll_into_process(process, library_path)` That function allocates memory in the process and loads up the DLL. There is a second method that allows you to upload DLL data, so you could create a payload using a template and load that without the dll touching the local or remote disk, but I have not had cause to use it. -Unfortunately, this is where my grasp of things gets tenuous because it departs from my experience of traditional DLL loading with LoadLibrary and GetProcAddress. We copied the DLL into the remote process memory, but we have not “loaded” it, so DLL_PROCESS_ATTACH is not executed. That’s a good thing, as we have not yet provided the payload! +Unfortunately, this is where my grasp of things gets tenuous because it departs from my experience of traditional DLL loading with LoadLibrary and GetProcAddress. We copied the DLL into the remote process memory, but we have not “loaded” it, so DLL_PROCESS_ATTACH is not executed. That's a good thing, as we have not yet provided the payload! -I square this by basically treating it like process hollowing, but on a thread-level. Watching OJ’s ReflectiveDll injection video might help: +I square this by basically treating it like process hollowing, but on a thread-level. Watching OJ's ReflectiveDll injection video might help: You may want to watch it daily for a month or so. 
Regardless, now we have a process with our exploit DLL mapped into its memory, but not doing anything. Now we need to get the payload into the process too, so we can get exploit and payload execution. Getting the payload in there is honestly not much different that getting the DLL data in there. -(5) Just allocate some RWX memory and copy the shellcode over. There’s a method for that: +(5) Just allocate some RWX memory and copy the shellcode over. There's a method for that: `payload_mem = inject_into_process(process, payload.encoded)` -To be clear, That’s the first time you should have dealt with the payload, because while it is annoying how much goes on in the background in Framework, when you know it is happening, Framework is awesome! +To be clear, That's the first time you should have dealt with the payload, because while it is annoying how much goes on in the background in Framework, when you know it is happening, Framework is awesome! -Now, if you’ve been paying attention to the return values from the above methods, we have three important values: (1) `exploit_mem` that has the address of the DLL loaded into memory, (2) `offset` that (I think) contains the offset to the `DllMain` function inside the DLL loaded into memory, and (3) `payload_mem`, that contains the address of your payload. +Now, if you've been paying attention to the return values from the above methods, we have three important values: (1) `exploit_mem` that has the address of the DLL loaded into memory, (2) `offset` that (I think) contains the offset to the `DllMain` function inside the DLL loaded into memory, and (3) `payload_mem`, that contains the address of your payload. (6) Now, With those three values, and our code stored in the process's memory, things make a lot more sense. We just need to create a thread in the process and point it to the `DllMain` function with the address of our payload as the `lpReserve` parameter. 
`process.thread.create(exploit_mem + offset, payload_mem)` -(6) What I’m Still unclear about: +(6) What I'm Still unclear about: (6.1) How do we get the offset value? If we check out `inject_dll_into_process`, it shows that it is searching the pe for `ReflectiveLoader` and that's not a string I can find as an entry point. I do not understand why that gives us the offset to what I believe to be DllMain when it appears to be searching to ReflectiveLoader...? (6.2) There are a few ways to use `ReflectiveDllLoader`, and I wish I could read more on using it as an import like OJ does in that `capcom_sys_exec`. diff --git a/Work-needed-to-allow-msfdb-to-use-postgresql-common.md b/Work-needed-to-allow-msfdb-to-use-postgresql-common.md index 1fa9bad813..c8e9346951 100644 --- a/Work-needed-to-allow-msfdb-to-use-postgresql-common.md +++ b/Work-needed-to-allow-msfdb-to-use-postgresql-common.md @@ -42,7 +42,7 @@ Encountered permissions issues when attempting to create a cluster. ``` pg_createcluster --user=$(whoami) --encoding=UTF8 9.6 msf -- --username=$(whoami) --auth-host=trust --auth-local=trust -install: cannot change permissions of ‘/etc/postgresql/9.6/msf’: No such file or directory +install: cannot change permissions of '/etc/postgresql/9.6/msf': No such file or directory Error: could not create configuration directory; you might need to run this program with root privileges ``` 
@@ -59,11 +59,11 @@ PG_CLUSTER_CONF_ROOT Create cluster ("initdb") to set up the necessary configuration structure: -Note, running `mkdir -p $HOME/.local/etc/postgresql;` before the `pg_createcluster` command didn't stop the "install: cannot change owner and permissions of ‘/home/msfdev/.local/etc/postgresql/9.6’: Operation not permitted" message from appearing. This appears to be a warning only and doesn't seem to affect cluster creation. +Note, running `mkdir -p $HOME/.local/etc/postgresql;` before the `pg_createcluster` command didn't stop the "install: cannot change owner and permissions of '/home/msfdev/.local/etc/postgresql/9.6': Operation not permitted" message from appearing. This appears to be a warning only and doesn't seem to affect cluster creation. ``` mkdir -p $HOME/.local/var/log/postgresql; PG_CLUSTER_CONF_ROOT=$HOME/.local/etc/postgresql pg_createcluster --user=$(whoami) --datadir=$HOME/msf-db-datadir --socketdir=$HOME/.local/var/run/postgresql --logfile=$HOME/.local/var/log/postgresql/postgresql-version-msf.log --encoding=UTF8 9.6 msf -- --username=$(whoami) --auth-host=trust --auth-local=trust -install: cannot change owner and permissions of ‘/home/msfdev/.local/etc/postgresql/9.6’: Operation not permitted +install: cannot change owner and permissions of '/home/msfdev/.local/etc/postgresql/9.6': Operation not permitted Creating new cluster 9.6/msf ... config /home/msfdev/.local/etc/postgresql/9.6/msf data /home/msfdev/msf-db-datadir
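Review bot: style point on the first `+` line of the `@@ -40,11 +40,11 @@` hunk in `RFC---Metasploit-URL-support.md`: since the sentence is being rewritten anyway, "So far there's three main potential approaches" should read "So far there are three main potential approaches" (plural subject). The quote change itself is consistent on this hunk: `‘macro’` becomes `'macro'` together with the apostrophes, so nothing else in the file is left half-converted.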
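Review bot: the `+` line beginning "Store your project in `external/source/exploits//`" in the `@@ -2,18 +2,18 @@` hunk of `Using-ReflectiveDLL-Injection.md` carries an empty path segment, and the same `exploits//dll` and `exploits//exe` double slashes follow in that sentence. The surrounding prose talks about "the identifier" and "a project name" going between those slashes, so a placeholder token was evidently lost before this change (most likely swallowed by the renderer). Since the line is touched here, restore a visibly marked placeholder inside the backticks rather than leaving a literal `//` that readers will copy.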
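Review bot: grammar on the last `+` line of the `@@ -86,12 +86,12 @@` hunk in `Using-ReflectiveDLL-Injection.md`: "is a great place to start looking as an examples" should be "as an example". Worth folding in while the line is already being rewritten for the apostrophe.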
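Review bot: the quote alignment is incomplete in the `@@ -104,32 +104,32 @@` hunk of `Using-ReflectiveDLL-Injection.md`: the `+` line "We copied the DLL into the remote process memory, but we have not “loaded” it" keeps the curly double quotes around `“loaded”` while only the apostrophe in "That's" on the same line is straightened. For a patch titled "Align quote usage" that should become `"loaded"` as well, otherwise a later sweep has to touch this file again.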
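Review bot: the `@@ -42,7 +42,7 @@` hunk of `Work-needed-to-allow-msfdb-to-use-postgresql-common.md` edits a line that sits inside a fenced code block quoting captured program output (`install: cannot change permissions of ‘/etc/postgresql/9.6/msf’: No such file or directory`). The `‘…’` quoting on the `-` line is how the tool printed the path, not an editorial choice, so straightening it makes the transcript differ from what a user sees on their own terminal and would search for. Suggest limiting this change to prose and leaving quoted terminal output byte-for-byte as captured.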
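Review bot: same concern for the `@@ -59,11 +59,11 @@` hunk of `Work-needed-to-allow-msfdb-to-use-postgresql-common.md`, which straightens both the prose sentence quoting the warning and the fenced line `install: cannot change owner and permissions of ‘/home/msfdev/.local/etc/postgresql/9.6’: Operation not permitted`. The fenced line is captured output and should stay as shown on the `-` line; if the prose quotation is kept identical to the fenced line, a reader can match the two directly. Recommend reverting at least the fenced-block line here and in the earlier hunk of this file.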