adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
81,239 Commits 27 Branches 1,043 Tags
master
Commit Graph

210 Commits

Author SHA1 Message Date
Raphael Mudge 788c96566f Allow HTTP stager to work with authenticated proxies 
The HttpOpenRequest function from WinINet requires the
INTERNET_FLAG_KEEP_CONNECTION flag to communicate through an
authenticated proxy.

From MSDN ( http://tinyurl.com/chwt86j ):

"Uses keep-alive semantics, if available, for the connection. This
 flag is required for Microsoft Network (MSN), NT LAN Manager (NTLM),
 and other types of authentication."

Without this flag, the HTTP stager will fail when faced with a proxy
that requires authentication. The Windows HTTPS stager does not have
this problem.

For HTTP Meterpreter to communicate through an authenticated proxy a
separate patch will need to be made to the Meterpreter source code.
This is at line 1125 of source/common/core.c in the Meterpreter source
code.

My motivation for this request is for windows/dllinject/reverse_http
to download a DLL even when faced with an authenticated proxy. These
changes accomplish this.

Test environment:

I staged a SmoothWall device with the Advanced Proxy Web Add-on. I
enabled Integrated Windows Authentication with a W2K3 DC. I verified
the HTTP stager authenticated to and communicated through the proxy
by watching the proxy access.log
 2013-02-24 17:33:00 -05:00
Michael Schierl 46a5c4f4bf Improve RC4 shellcode 
ESI is not clobbered; no need to clear EDX as only DL is filled before and
it is overwritten before use.

Shellcodes in ruby modules not regenerated, but I guess you want to
regenerate them again anyway :-)
 2013-01-01 11:25:17 +01:00
Michael Schierl cb06262002 Add shellcode for RC4 bind and reverse stagers 
Those stagers will encrypt the initial stage with a 128-bit RC4 key and
the stage length with a XOR key. Both keys are embedded in the stager.

This should provide good evasion capabilities in addition to some
protection against MITM reversing (if the stager is sent a different
route, like in an executable on an USB key).

Note that, from a cryptanalyst's standpoint, it is a bad idea to reuse the
same stager (or stagers with the same RC4 and XOR keys) more than once
since an identical key will result in an identical keystream and make
correlation attacks easy. But I doubt that matters in practice.

Also note that since communication after the initial statging is not
encrypted, these stagers should be used in combination with additional
encryption support in the payloads (like Meterpreter).
 2012-12-31 22:33:29 +01:00
Michael Schierl b4fd341fb6 Add shellcode for RC4 decoding 
Provided as a block to be included into stagers and/or decoder stubs.
Also included is a test shellcode that can be used for verifying that the
algorithm is compatible to Ruby's OpenSSL RC4 algorithm.
 2012-12-31 22:33:28 +01:00
James Lee f38ac954b8 Update linux stagers for NX compatibility 
- Adds a call to mprotect(2) to the reverse and bind stagers

- Adds accurate source for some other linux shellcode, including some
  comments to make it more maintainable

- Adds tools/module_payload.rb for listing all payloads for each exploit
  in a greppable format. Makes it easy to find out if a payload change
  causes a payload to no longer be compatible with a given exploit.

- Missing from this commit is source for reverse_ipv6_tcp
 2012-09-12 18:44:00 -05:00
James Lee 7afd470eb0 Clean up linux shellcode Makefile 
Now you can "make single_bind_tcp_shell", or the like, and build one
payload instead of the kludgy embedded shell script that always builds
all of them.

Need to do the same with BSD.
 2012-09-04 04:23:48 -05:00
James Lee b1dbb50953 Squashed commit of the following: 
commit 2b24a5e93d
Author: scriptjunkie <scriptjunkie@scriptjunkie.us>
Date:   Sun Apr 15 22:01:23 2012 -0500

    Document HTTPS options for Proxy

commit 24a8635b96
Author: scriptjunkie <scriptjunkie@scriptjunkie.us>
Date:   Sun Apr 15 21:52:47 2012 -0500

    Document HTTPS options

[Closes #337]
 2012-04-16 12:57:03 -06:00
HD Moore cea4529f5e Add an example of preconfigured proxy stager 2012-03-05 00:59:47 -06:00
HD Moore 165257db75 Remove unused "plus" code 2012-03-02 17:46:59 -06:00
HD Moore b70b41091b Tested fairly well - this randomizes the URLs and removes the user-agent string from the request 2012-03-02 17:44:23 -06:00
HD Moore ce94ffd755 First round of changes to http(s) payloads 2012-03-02 17:13:51 -06:00
HD Moore 0c2a18d765 Fix up reverse_tcp ipv6 stager for freebsd 2012-02-01 01:41:24 -06:00
HD Moore 45a785fde0 Adds BSD IPv6 payloads and stagers 2012-02-01 00:54:42 -06:00
HD Moore 7630ef17e3 Add BSD IPv6 payloads (source only for now) 2012-02-01 00:54:42 -06:00
scriptjunkie 9fe18cdc86 Add x64 LoadLibraryA payload. Because it should exist. 2012-01-17 21:16:26 -06:00
Matt Buck 16f45fc894 Add empty directories from svn repo. 2011-11-09 18:41:40 -06:00
HD Moore 9220506ba2 Merge in recent meterpreter work. These are not the commits you are looking for (more info on what all this is later this week). 
git-svn-id: file:///home/svn/framework3/trunk@13053 4d416f70-5f16-0410-b530-b9f4589650da
 2011-06-28 21:26:43 +00:00
HD Moore 3e0f3639ef This adds a quick windows/loadlibrary payload for folks who have a need for such things. The library path can be a UNC location and works fine over WebDAV... 
git-svn-id: file:///home/svn/framework3/trunk@12765 4d416f70-5f16-0410-b530-b9f4589650da
 2011-05-30 03:44:59 +00:00
Stephen Fewer c48633cff0 Merge in a rewritten windows x86 reverse_ipv6_tcp stager (The previous one seems hosed since r6744 due to new host/port offsets[1] but the shellcode blob remained the same after modification[2]) - This new one uses the block_api_call technique, is 37 bytes smaller and can handle arbitrary size stages. 
[1] https://dev.metasploit.com/redmine/projects/framework/repository/revisions/6744/diff/modules/payloads/stagers/windows/reverse_ipv6_tcp.rb
[2] https://dev.metasploit.com/redmine/projects/framework/repository/revisions/6744/diff/external/source/shellcode/windows/stager_reverse_ipv6_tcp_nx.asm

git-svn-id: file:///home/svn/framework3/trunk@12562 4d416f70-5f16-0410-b530-b9f4589650da
 2011-05-08 01:44:08 +00:00
HD Moore 4971a0d7af Add Skylined's "You Got Pwned" payload 
git-svn-id: file:///home/svn/framework3/trunk@11485 4d416f70-5f16-0410-b530-b9f4589650da
 2011-01-06 17:34:09 +00:00
HD Moore 5875fdb701 Two new SNMP community enumeration tools for Windows by tebo (local account list and SMB shares). Addition of a Meterpreter script for snagging the SNMP community from the registry 
git-svn-id: file:///home/svn/framework3/trunk@11410 4d416f70-5f16-0410-b530-b9f4589650da
 2010-12-25 06:08:34 +00:00
Stephen Fewer df8b9f8e95 Merge in the IPv6 Teredo patch. 
git-svn-id: file:///home/svn/framework3/trunk@10543 4d416f70-5f16-0410-b530-b9f4589650da
 2010-10-04 11:02:46 +00:00
Stephen Fewer c78b87a356 Add support for the ring0 stager_sysenter_hook payload to run its ring3 payload in a new thread in order to preserve/resume the original hijacked ring3 thread. 
git-svn-id: file:///home/svn/framework3/trunk@9819 4d416f70-5f16-0410-b530-b9f4589650da
 2010-07-14 13:43:17 +00:00
HD Moore 36836423d9 Add a warning, cosmetic comment to asm 
git-svn-id: file:///home/svn/framework3/trunk@9037 4d416f70-5f16-0410-b530-b9f4589650da
 2010-04-07 20:51:05 +00:00
HD Moore c6ebd735df Updated comments 
git-svn-id: file:///home/svn/framework3/trunk@9003 4d416f70-5f16-0410-b530-b9f4589650da
 2010-04-03 15:08:17 +00:00
HD Moore 11c10518b3 Bug fixes for better windows OS compatibility 
git-svn-id: file:///home/svn/framework3/trunk@9002 4d416f70-5f16-0410-b530-b9f4589650da
 2010-04-03 14:57:51 +00:00
HD Moore cd2760f2c2 Bug fixes and size improvements for the reverse_https stager 
git-svn-id: file:///home/svn/framework3/trunk@9001 4d416f70-5f16-0410-b530-b9f4589650da
 2010-04-03 13:53:35 +00:00
HD Moore e968c3894e More size tweaks 
git-svn-id: file:///home/svn/framework3/trunk@8999 4d416f70-5f16-0410-b530-b9f4589650da
 2010-04-03 08:03:28 +00:00
HD Moore c8defe9716 Size tweaks to bring the ssl stager + encoder + target_id to exactly 400 bytes 
git-svn-id: file:///home/svn/framework3/trunk@8998 4d416f70-5f16-0410-b530-b9f4589650da
 2010-04-03 07:48:53 +00:00
HD Moore c6c956ab46 Small patch to enable a new stager 
git-svn-id: file:///home/svn/framework3/trunk@8984 4d416f70-5f16-0410-b530-b9f4589650da
 2010-04-03 05:21:15 +00:00
HD Moore 5d0fb434b7 Adds a reverse_tcp_dns stager 
git-svn-id: file:///home/svn/framework3/trunk@8983 4d416f70-5f16-0410-b530-b9f4589650da
 2010-04-03 03:38:57 +00:00
Stephen Fewer c55e9af9ae Commit the updated APC injection stubs. fixes a nasty issue in some edge cases whereby when using APC injection for a process in another session then the current host process the injected APC can cause an access violation in kernel32 during a call the kernel32!CreateThread caused by the APC's host thread not having an initialized Activation Context inside its TEB. We now test for this and create a dummy ActivationContext entry to appease the kernel. This will both improve DLL injection reliability as well as meterpreter migration reliability. 
git-svn-id: file:///home/svn/framework3/trunk@8786 4d416f70-5f16-0410-b530-b9f4589650da
 2010-03-11 17:00:19 +00:00
Stephen Fewer 5f35f33cd1 Forgot the updated build.py, also add in a link to a blog post I wrote for this shellcode. 
git-svn-id: file:///home/svn/framework3/trunk@8657 4d416f70-5f16-0410-b530-b9f4589650da
 2010-02-26 14:27:13 +00:00
Stephen Fewer 88cc851a41 Commit the stager_sysenter_hook win32 kernel shellcode source and mixin patch, resolves #405. 
git-svn-id: file:///home/svn/framework3/trunk@8655 4d416f70-5f16-0410-b530-b9f4589650da
 2010-02-26 13:41:16 +00:00
Stephen Fewer cfcbfd5d3c bug fix x64 migrate shellcodes for wow64->x64 migration. 
git-svn-id: file:///home/svn/framework3/trunk@8197 4d416f70-5f16-0410-b530-b9f4589650da
 2010-01-22 19:37:10 +00:00
Stephen Fewer 538a647671 The stub for wow64->x64 migration. 
git-svn-id: file:///home/svn/framework3/trunk@8195 4d416f70-5f16-0410-b530-b9f4589650da
 2010-01-22 17:12:41 +00:00
Stephen Fewer 1e63f357cb For now just adding in the new APC migrate stubs and the wow64->x64 exec stub. (fix up the build scripts and use a dedicated migrate directory for this stuff). 
git-svn-id: file:///home/svn/framework3/trunk@8193 4d416f70-5f16-0410-b530-b9f4589650da
 2010-01-22 14:03:53 +00:00
Stephen Fewer f3fd2eae80 Commit the new x64 migrate stub. Compatible with x64->x64 migration (and x86->x64 migration once the remote thread issue is resolved) 
git-svn-id: file:///home/svn/framework3/trunk@8163 4d416f70-5f16-0410-b530-b9f4589650da
 2010-01-19 18:39:56 +00:00
Stephen Fewer d032955959 Commit the new x86 migrate stub. Compatible with x86->x86 migration and x64->x86 migration, on NT4 and up (where applicable). 
git-svn-id: file:///home/svn/framework3/trunk@8160 4d416f70-5f16-0410-b530-b9f4589650da
 2010-01-19 12:55:24 +00:00
HD Moore d0969746a4 Mostly cosmetic changes from local tree 
git-svn-id: file:///home/svn/framework3/trunk@7970 4d416f70-5f16-0410-b530-b9f4589650da
 2009-12-26 03:31:20 +00:00
HD Moore 21e82d8b69 This patch implements a much more flexible executable creation scheme at the cost of exe size. This also adds the "-x" option to msfencode, allowing the user to specify their own executable template for generation. 
git-svn-id: file:///home/svn/framework3/trunk@7315 4d416f70-5f16-0410-b530-b9f4589650da
 2009-11-01 04:11:43 +00:00
HD Moore e07bce0101 Copyright updates reflecting the news 
git-svn-id: file:///home/svn/framework3/trunk@7222 4d416f70-5f16-0410-b530-b9f4589650da
 2009-10-21 12:58:56 +00:00
HD Moore 00b2915554 Fixes #342. Set ReverseConnectRetries to a value between 1 and 255 (default is 5). On failure it will ExitProcess (still better than a cpu spin) 
git-svn-id: file:///home/svn/framework3/trunk@7217 4d416f70-5f16-0410-b530-b9f4589650da
 2009-10-20 20:31:14 +00:00
James Lee 6a7a023844 I will not commit when sleep deprived. I will not commit when sleep deprived. I will not commit... 
git-svn-id: file:///home/svn/framework3/trunk@7061 4d416f70-5f16-0410-b530-b9f4589650da
 2009-09-25 06:40:42 +00:00
James Lee bc2c38c332 shave an instruction from the new allports stager 
git-svn-id: file:///home/svn/framework3/trunk@7060 4d416f70-5f16-0410-b530-b9f4589650da
 2009-09-25 06:13:13 +00:00
HD Moore ee9a8f4f76 Adds support for the reverse_tcp_allports stager for Windows. This payload tries to connect back on all ports, one at a time, from LPORT to 65535. This is incredibly slow (depends on the default socket timeout) and requires the user to forward all TCP ports of LHOST to a single listening port in the handler. Inspired by a few user requests and this blog post: http://clinicallyawesome.com/post/196352889/blind-connect-back-through-restrictive-firewall 
git-svn-id: file:///home/svn/framework3/trunk@7058 4d416f70-5f16-0410-b530-b9f4589650da
 2009-09-25 05:44:50 +00:00
James Lee e30e850ba7 shave a few bytes off of the windows stagers 
git-svn-id: file:///home/svn/framework3/trunk@7035 4d416f70-5f16-0410-b530-b9f4589650da
 2009-09-14 08:45:01 +00:00
HD Moore 97725a489c Round 3 of x64 support from Stephen Fewer - new payloads! 
git-svn-id: file:///home/svn/framework3/trunk@6980 4d416f70-5f16-0410-b530-b9f4589650da
 2009-08-27 19:29:54 +00:00
HD Moore cf10a62dcc Merge in the beginnings of x64 support from Stephen Fewer 
git-svn-id: file:///home/svn/framework3/trunk@6972 4d416f70-5f16-0410-b530-b9f4589650da
 2009-08-23 23:47:33 +00:00
HD Moore 26ca5ec646 Nuke the compiled bins 
git-svn-id: file:///home/svn/framework3/trunk@6926 4d416f70-5f16-0410-b530-b9f4589650da
 2009-08-01 03:21:22 +00:00