Commit Graph

91 Commits

Author SHA1 Message Date
William Vu 4f2cab4cf1 Add references 2019-11-11 17:33:10 -06:00
Adam Cammack b65882a314 Use new CheckCodes to tidy up the bluekeep scanner 2019-10-08 09:57:53 -05:00
William Vu 2ce3e4f1c4 Make BlueKeep scanner's output less chatty 2019-09-24 08:49:27 -05:00
Brent Cook fec749d3b2 perform fingerprinting in scanner 2019-09-19 06:05:08 -05:00
William Vu de34bc484e Ensure rdp_disconnect in rdp_scanner 2019-09-19 06:05:08 -05:00
Brent Cook ab631044af adjust rdp fingerprint code to match self.rdp_sock changes in exploit mixin 2019-09-19 06:05:08 -05:00
OJ f479ed2d73 Small refactors, comments and tidying up 2019-09-19 06:05:08 -05:00
OJ 8412ff319a Fix disconnect PDU message and start work on payloads 2019-09-19 06:05:08 -05:00
OJ 1d6e319ac2 Refactor of RDP mixin to make it more configurable
Slowly moving away from a huge hard-coded blob of inflexible bytes
towards a more data-driven approach that allows configuration of various
elements of the packets that are generated.
2019-09-19 06:05:08 -05:00
OJ eb9088a588 Refactor RDP mixin to hide socket details
When dealing with the RDP mixin it makes more sense to not expose
TCP-level things, instead it's better to talk RDP. This changeset makes
it so that consumers of the RDP mixin talk RDP only. They can access the
socket through the `rdp_socket` member if required, but the changes made
here mean they don't have to. Ultimately, this new member should be
`private` instead of `protected`, but I'm leaving it like this for now
in case it is required down the track.

I've also made the assumption that all RDP connects want TCP_NODELAY
set. This might be wrong, but I don't think it is.

From here, users can call `rdp_connect` and `rdp_disconnect` to manage
connectivity to the RDP endpoint. The `rdp_connect` function does not
register the TCP client socket as the global `sock` member on the TCP
module instance; this is to prevent the mixin from clashing with other
users of the TCP client in a given module.
2019-09-19 06:04:58 -05:00
William Vu d676f98d56 Remove already included Msf::Exploit::Remote::Tcp 2019-08-13 10:56:03 -05:00
Spencer McIntyre 63dfa2a8bd Fix the RDP NLA protocol detection 2019-08-11 19:23:29 -07:00
Spencer McIntyre 84669f567b Add the RDP fingerprinting method to rdp_scanner 2019-08-11 16:20:14 -07:00
Tom Sellers 46b6a5927e Comment update 2019-08-07 19:25:43 -05:00
Tom Sellers 4861a139ca Minor comments 2019-08-07 19:20:36 -05:00
Tom Sellers 9566334868 merge upstream/master 2019-08-07 19:11:58 -05:00
Tom Sellers 93e6ff67b4 Addressing feedback 2019-08-07 16:37:59 -05:00
Tom Sellers 2d5e9cb241 RDP: address feedback from wvu 2019-08-07 14:47:33 -05:00
Brent Cook 18da91a348 Add 'Crash' action for enabling the DoS 2019-08-07 11:38:14 -05:00
Tom Sellers 7d30c92375 RDP: rubocop cleanup 2019-08-07 09:12:53 -05:00
Tom Sellers b6956bd3be RDP: moar migration 2019-08-07 08:50:01 -05:00
Tom Sellers 0c1868b158 RDP: migrate security nego to lib 2019-08-07 08:27:15 -05:00
Tom Sellers 7dc87bf8bc RDP: Refactor protocol code 2019-08-07 07:25:42 -05:00
Tom Sellers a63e0ba106 BlueKeep: Add DoS exploit 2019-08-06 20:15:53 -05:00
William Vu 178339db70 Rescue EOFError in quick check for patch
Thank you to @cnotin for noticing this case.
2019-08-01 15:03:36 -05:00
William Vu 8d2b29024a Fix typo 2019-07-31 17:44:10 -05:00
William Vu ae13736d50 Rescue EOFError in cve_2019_0708_bluekeep get_once 2019-07-31 16:01:20 -05:00
Pearce Barry 3f0810502e Explicitly require 'rc4' in the BlueKeep scanner.
Appears to still operate as expected:

	msf5 > use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
	msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > set rhosts <target>
	rhosts => <target>
	msf5 auxiliary(scanner/rdp/cve_2019_0708_bluekeep) > run

	[+] <target>:3389      - The target is vulnerable.
	[*] <target>:3389 - Scanned 1 of 1 hosts (100% complete)
	[*] Auxiliary module execution completed

Fixes MS-4291.
2019-06-19 08:27:04 -05:00
William Vu 3d8b474632 Clean up module 2019-06-14 21:09:57 -05:00
Tom Sellers a2863ff3cf Add comment to pdu_connect_initial 2019-06-12 10:46:12 -05:00
Tom Sellers 008f9061f6 Randomize client random, sanity check fields 2019-06-12 07:49:45 -05:00
Tom Sellers f4aa86c9b3 rubocop cleanup 2019-06-11 13:29:05 -05:00
Tom Sellers cc93b312ac Add ability to configure username, client, IP, etc 2019-06-11 13:07:59 -05:00
Tom Sellers e15840f8db Add nil check for quick response 2019-06-04 08:36:58 -05:00
Tom Sellers 6a8e4366ae Improve XP stability, trim dead code 2019-06-04 06:53:36 -05:00
Tom Sellers 9d17832347 Deal with virtual channel data blob 2019-06-04 05:49:45 -05:00
Tom Sellers b176948c3c Refactor more binary blobs 2019-06-03 16:54:33 -05:00
Tom Sellers 61b5072e88 Add explicit check for NLA 2019-06-03 09:38:12 -05:00
Tom Sellers 5871dc0802 Fix nego when RDP Security is forced 2019-06-03 08:50:30 -05:00
Tom Sellers 23139c5000 Bluekeep: add TLS, refactor 2019-06-02 10:02:09 -05:00
William Vu 54eb73f8b8 Address @egypt's rdp_scanner review 2019-05-24 17:31:22 -05:00
zerosum0x0 82debcbada remove useless debug print 2019-05-24 11:23:25 -06:00
William Vu e3be9d2871 Restore syntactic sugar 2019-05-24 11:41:19 -05:00
William Vu d158cd131c Add metadata and style fixes 2019-05-24 11:25:58 -05:00
zerosum0x0 8067893d16 added FIXME for other info leaks 2019-05-23 13:57:49 -06:00
zerosum0x0 e91301f2b7 remove user0 from cookie 2019-05-23 13:49:23 -06:00
zerosum0x0 b511ff05fa change exception to an existing type 2019-05-23 12:42:40 -06:00
zerosum0x0 92cef57f04 remove hex_to_bin 2019-05-23 12:39:21 -06:00
Jan Gocník e62cb4cc44 Bluekeep: RSA check 2019-05-23 10:57:22 +02:00
zerosum0x0 3ec0d7966f msftidy yelled at me 2019-05-23 00:05:02 -06:00