Squashed commit of the following:
commit 1dcad7c21b
Merge: 1a2f35d35d29f5
Author: OJ <oj@buffered.io>
Date: Thu Mar 19 14:43:27 2015 +1000
Land #4953 : Updated POSIX meterpreter binaries
commit 35d29f5d08
Author: Brent Cook <bcook@rapid7.com>
Date: Wed Mar 18 22:57:03 2015 -0500
update linux meterpreter bins
commit 1a2f35d806
Merge: 076f15f346b1d5
Author: OJ <oj@buffered.io>
Date: Thu Mar 19 12:41:20 2015 +1000
Land #4951: Dynamic URI generation for Java/Python reverse_http(s)
commit 076f15f933
Merge: b33e7f43f8ed56
Author: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Wed Mar 18 20:59:54 2015 -0400
Land #4792 @jakxx Publish It PUI file exploit
commit 3f8ed56a9a
Author: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Wed Mar 18 20:57:58 2015 -0400
Add available space to the payload info
commit b33e7f477c
Merge: 0d1f2055dd718e
Author: joev <joev@metasploit.com>
Date: Wed Mar 18 17:17:34 2015 -0500
Land #4947, h0ng10's TWiki exploit.
commit 346b1d539f
Author: HD Moore <hd_moore@rapid7.com>
Date: Wed Mar 18 16:24:01 2015 -0500
Revert Java back to static size for cache purposes (less cpu usage on startup)
commit 33bbf7cb7e
Author: HD Moore <hd_moore@rapid7.com>
Date: Wed Mar 18 16:08:11 2015 -0500
Dynamic URI generation for python/java http(s) stagers
commit 0d1f2055c5
Merge: e943cb5dab4333
Author: HD Moore <hd_moore@rapid7.com>
Date: Wed Mar 18 15:31:22 2015 -0500
Lands #4949 which fixes#4845
commit dab4333867
Author: rwhitcroft <rw81junk@gmail.com>
Date: Wed Mar 18 16:07:46 2015 -0400
updated asm in block
commit 7ae97393e0
Author: rwhitcroft <rw81junk@gmail.com>
Date: Wed Mar 18 15:34:31 2015 -0400
fix x64/reverse_https stager shellcode
commit e943cb550f
Merge: d152c41d1a2f58
Author: OJ <oj@buffered.io>
Date: Wed Mar 18 22:34:52 2015 +1000
Land #4585 : CVE-2015-0975 XXE in OpenNMS
commit d1a2f58303
Author: OJ <oj@buffered.io>
Date: Wed Mar 18 22:17:44 2015 +1000
Fix of regex for file capture and format tweaks
commit 5dd718e4fa
Author: Hans-Martin Münch (h0ng10) <muench@mogwaisecurity.de>
Date: Wed Mar 18 09:51:51 2015 +0100
Better description
commit 00de437918
Author: Hans-Martin Münch (h0ng10) <muench@mogwaisecurity.de>
Date: Wed Mar 18 09:45:08 2015 +0100
Initial commit
commit fa7242388b
Author: OJ <oj@buffered.io>
Date: Wed Mar 18 18:18:54 2015 +1000
Move the module to the correct location
commit d152c41826
Merge: b46e5f8b62da42
Author: OJ <oj@buffered.io>
Date: Wed Mar 18 17:42:19 2015 +1000
Land #4934 : Proxy and auth support in reverse_http(s)
commit b62da42927
Merge: c607cf7b46e5f8
Author: HD Moore <hd_moore@rapid7.com>
Date: Wed Mar 18 01:51:15 2015 -0500
Merge branch 'master' into feature/add-proxies-to-wininet
commit b46e5f8d13
Merge: bd4738b97def50
Author: OJ <oj@buffered.io>
Date: Wed Mar 18 16:49:13 2015 +1000
Land #4295 : Refactory proxy-enabled payload handling
commit c607cf7b11
Merge: 0513852bd4738b
Author: HD Moore <hd_moore@rapid7.com>
Date: Wed Mar 18 01:45:44 2015 -0500
Merging master
commit 97def50cc2
Author: HD Moore <hd_moore@rapid7.com>
Date: Wed Mar 18 01:26:59 2015 -0500
Whitespace cleanup
commit 8d3cb8bde5
Author: HD Moore <hd_moore@rapid7.com>
Date: Wed Mar 18 01:25:42 2015 -0500
Fix up meterpreter patching arguments and names
commit ef443c83b9
Author: HD Moore <hd_moore@rapid7.com>
Date: Wed Mar 18 01:21:53 2015 -0500
Fix overgreed search/replace
commit 390a704cc7
Author: HD Moore <hd_moore@rapid7.com>
Date: Wed Mar 18 01:19:05 2015 -0500
Cleanup proxyhost/proxyport arguments to match new names
commit f7a06d8e44
Author: HD Moore <hd_moore@rapid7.com>
Date: Wed Mar 18 01:15:32 2015 -0500
Rework PROXY_{HOST|PORT|TYPE|USERNAME|PASSWORD) to the new syntax
commit 3aa8cb69a4
Author: HD Moore <hd_moore@rapid7.com>
Date: Wed Mar 18 01:08:09 2015 -0500
Fix two use cases of PROXYHOST/PROXYPORT
commit 87a489907c
Author: HD Moore <hd_moore@rapid7.com>
Date: Mon Dec 15 14:48:09 2014 -0600
Place an IPv6 proxy IP between brackets
commit 259db269bd
Author: HD Moore <hd_moore@rapid7.com>
Date: Tue Dec 2 15:36:14 2014 -0600
Remove user/pass and invalid class from the options
commit 2ab14e7e79
Author: HD Moore <hd_moore@rapid7.com>
Date: Wed Mar 18 01:01:10 2015 -0500
Adds IPv6 and option-related issues with the previous patch
commit 0601946830
Author: HD Moore <hd_moore@rapid7.com>
Date: Tue Dec 2 13:29:39 2014 -0600
Don't mandate and default PROXY_HOST (miscopy from the proxy stager)
commit a4df6d539f
Author: HD Moore <hd_moore@rapid7.com>
Date: Wed Mar 18 00:59:59 2015 -0500
Cleanup proxy handling code (consistency & bugs)
One subtle bug was that each time a request was received, a null byte was being appended to the datastore options for PROXY_USERNAME and PROXY_PASSWORD. Eventually this would break new sessions. This change centralizes the proxy configuration and cleans up the logic.
commit 85fb534e63
Author: HD Moore <hd_moore@rapid7.com>
Date: Tue Dec 2 12:57:30 2014 -0600
Fix up the offset detection again, cleanup redundant code
commit 2f13988d7b
Author: HD Moore <hd_moore@rapid7.com>
Date: Tue Dec 2 12:33:53 2014 -0600
Use OptPort vs OptInt and cleanup the description
commit a01be365b0
Author: HD Moore <hd_moore@rapid7.com>
Date: Wed Mar 18 00:59:13 2015 -0500
Rework PROXYHOST/PROXYPORT to PROXY_HOST/PROXY_PORT
This also cleans up the windows reverse_https_proxy stager.
commit b197b7aaf0
Author: jakxx <jakx.ppr@gmail.com>
Date: Tue Mar 17 19:24:13 2015 -0400
Additional Updates
-Removed unused mixin
-Cleaned up Module name
-Cleaned up author name
commit bd4738b93e
Merge: 47a7f99ad7fa0ec
Author: James Lee <egypt@metasploit.com>
Date: Tue Mar 17 17:37:55 2015 -0500
Land #4827, capture and nbns fixups
commit d7fa0ec669
Author: James Lee <egypt@metasploit.com>
Date: Tue Mar 17 17:36:45 2015 -0500
Let IPAddr#hton do the calculating
commit 47a7f99aae
Merge: d1d63785fd3637
Author: Brent Cook <bcook@rapid7.com>
Date: Tue Mar 17 16:22:46 2015 -0500
Land #4930, @hmoore-r7 winhttp stager certificate check
commit 085e6cc815
Author: jakxx <jakx.ppr@gmail.com>
Date: Tue Mar 17 16:39:56 2015 -0400
Implemented Recommended Changes
-corrected spelling error
-set only option to required
-dumped header data to included file
-Used Rex for jmp values
commit 0490af8ba8
Author: jstnkndy <jstnkndy@gmail.com>
Date: Tue Mar 17 10:20:22 2015 -0400
Added error checks, randomness, and uuid delimeter
commit f3fc4003d0
Author: jstnkndy <jstnkndy@gmail.com>
Date: Tue Mar 17 10:19:40 2015 -0400
typo
commit b92d243c0e
Merge: e0a7f53766a07a
Author: jstnkndy <jstnkndy@gmail.com>
Date: Tue Mar 17 10:18:32 2015 -0400
Merge branch 'module-cve-2015-0975' of https://github.com/jstnkndy/metasploit-framework into module-cve-2015-0975
commit e0a7f531cc
Author: jstnkndy <jstnkndy@gmail.com>
Date: Tue Mar 17 10:10:51 2015 -0400
Added error checking, randomness, uuid delimiters
commit 2ea984423b
Author: HD Moore <hd_moore@rapid7.com>
Date: Mon Mar 16 14:08:01 2015 -0500
while(true)->loop, use thread.join
commit 5fd3637d34
Author: HD Moore <hd_moore@rapid7.com>
Date: Mon Mar 16 14:00:51 2015 -0500
Remove the i32 size specifier (not needed)
commit 69d9280748
Author: HD Moore <hd_moore@rapid7.com>
Date: Mon Mar 16 13:52:13 2015 -0500
Fix yard docs, retries, push.i8 instructions. See commit 05138524e3
Note that StagerRetryCount is not defined here, but will be in the parent class once #4934 lands
commit 05138524e3
Author: HD Moore <hd_moore@rapid7.com>
Date: Mon Mar 16 13:35:36 2015 -0500
Fix yard docs, fix retries, trim bytes, retested and working
commit 69a808b744
Author: HD Moore <hd_moore@rapid7.com>
Date: Mon Mar 16 12:14:42 2015 -0500
StagerProxy -> PayloadProxy
commit f361e4ee52
Author: HD Moore <hd_moore@rapid7.com>
Date: Mon Mar 16 00:22:10 2015 -0500
Prefer the new-style proxy datastore options when available
commit 7e89281485
Author: HD Moore <hd_moore@rapid7.com>
Date: Mon Mar 16 00:03:31 2015 -0500
Adds proxy (with authentication) support to reverse_http(s)
commit 8e37342c50
Author: HD Moore <hd_moore@rapid7.com>
Date: Sat Mar 14 16:52:04 2015 -0500
Comment typo
commit 0d12ca49a7
Author: HD Moore <hd_moore@rapid7.com>
Date: Sat Mar 14 16:19:13 2015 -0500
Work around lack of option normalization during size calculation
commit 03019cf451
Author: HD Moore <hd_moore@rapid7.com>
Date: Sat Mar 14 15:53:21 2015 -0500
Adds StagerVerifySSLCert support (SHA1 of HandlerSSLCert)
commit 11593800b6
Author: HD Moore <hd_moore@rapid7.com>
Date: Sat Mar 14 15:52:23 2015 -0500
Move X509 PEM parsing into Rex::Parser::X509Certificate
commit 1001061a96
Author: HD Moore <hd_moore@rapid7.com>
Date: Wed Mar 4 18:52:18 2015 -0600
Initialize @capture_count
commit 1b1716bcf6
Author: HD Moore <hd_moore@rapid7.com>
Date: Sun Feb 22 22:01:01 2015 -0600
Fix a handful of bugs that broke this modules. Fixes#4799
commit 9730a1655e
Author: HD Moore <hd_moore@rapid7.com>
Date: Sun Feb 22 22:00:42 2015 -0600
Small cleanups to the LLMR responder module
commit bdd5276524
Author: HD Moore <hd_moore@rapid7.com>
Date: Sun Feb 22 21:53:47 2015 -0600
This fixes a number of issues with the Capture mixin
* The use of www.metasploit.com in a datastore option results in a DNS lookup (infoleak). Switch to 8.8.8.8 (TTL=1)
* The hackey code around #each_packet is no longer necessary in newer Ruby versions
* The arp()/probe_gateway() calls to inject_reply() had broken logic leading to early exit and missed replies
* The arp() function now tries up to three times to get a reply (helpful with lossy L2)
* GC.start is extraneous and should be removed
* Increased timeouts
commit 615d71de6e
Author: HD Moore <hd_moore@rapid7.com>
Date: Sun Feb 22 21:51:33 2015 -0600
Remove extraneous calls to GC.start()
commit 44a7e7e4bc
Author: jakxx <jakx.ppr@gmail.com>
Date: Wed Feb 18 13:22:54 2015 -0500
publish-it fileformat exploit
commit 766a07a904
Author: jstnkndy <jstnkndy@gmail.com>
Date: Tue Jan 13 22:08:08 2015 -0500
Add CVE-2015-0975 XXE for OpenNMS <= 14.0.2
This stager looks for proxy credentials in windows protected storage. If it finds proxy credentials, it will use them to connect back. If it does not find credentials, it will do the same as stager_reverse_http.
Works on:
- Windows Server 2003
- Windows XP
- Internet Explorer versions 4 to 6
This will make copy-pasta less painful in the future. There's still the
problem of reverse_https_proxy being very similar, but the logic in how
it gets generated in the module is more than i want to tackle right now
Due to the modular structure of payload stages its pretty trivial
to add DNS resolution instead of hard-coded IP address in stage0.
The only real complication here is that ReverseConnectRetries ends
up being one byte further down than in the original shellcode. It
appears that the original rev_tcp_dns payload suffers from the same
issue.
Hostname substitution is handled in the same method as the RC4 and
XOR keys, with an offset provided and replace_vars ignoring the
hostname.
Tested in x86 native and WOW64 on XP and 2k8r2 respectively.
This is a good option for those of us needing to leave persistent
binaries/payloads on hosts for long periods. Even if the hostname
resolves to a malicious party attempting to steal our hard earned
session, they'd be hard pressed to crypt the payload with the
appropriate RC4 pass. So long as we control the NS and records, the
hardenned shellcode should provide a better night's sleep if running
shells over the WAN. Changing the RC4 password string in the
shellcode and build.py should reduce the chances of recovery by RE.
Next step will likely be to start generating elipses for ECDH SSL
in meterpreter sessions and passing them with stage2 through the
RC4 socket. If P is 768-1024 the process is relatively quick, but
we may want to precompute a few defaults as well to have 2048+.
The HttpOpenRequest function from WinINet requires the
INTERNET_FLAG_KEEP_CONNECTION flag to communicate through an
authenticated proxy.
From MSDN ( http://tinyurl.com/chwt86j ):
"Uses keep-alive semantics, if available, for the connection. This
flag is required for Microsoft Network (MSN), NT LAN Manager (NTLM),
and other types of authentication."
Without this flag, the HTTP stager will fail when faced with a proxy
that requires authentication. The Windows HTTPS stager does not have
this problem.
For HTTP Meterpreter to communicate through an authenticated proxy a
separate patch will need to be made to the Meterpreter source code.
This is at line 1125 of source/common/core.c in the Meterpreter source
code.
My motivation for this request is for windows/dllinject/reverse_http
to download a DLL even when faced with an authenticated proxy. These
changes accomplish this.
Test environment:
I staged a SmoothWall device with the Advanced Proxy Web Add-on. I
enabled Integrated Windows Authentication with a W2K3 DC. I verified
the HTTP stager authenticated to and communicated through the proxy
by watching the proxy access.log
ESI is not clobbered; no need to clear EDX as only DL is filled before and
it is overwritten before use.
Shellcodes in ruby modules not regenerated, but I guess you want to
regenerate them again anyway :-)
Those stagers will encrypt the initial stage with a 128-bit RC4 key and
the stage length with a XOR key. Both keys are embedded in the stager.
This should provide good evasion capabilities in addition to some
protection against MITM reversing (if the stager is sent a different
route, like in an executable on an USB key).
Note that, from a cryptanalyst's standpoint, it is a bad idea to reuse the
same stager (or stagers with the same RC4 and XOR keys) more than once
since an identical key will result in an identical keystream and make
correlation attacks easy. But I doubt that matters in practice.
Also note that since communication after the initial statging is not
encrypted, these stagers should be used in combination with additional
encryption support in the payloads (like Meterpreter).
Provided as a block to be included into stagers and/or decoder stubs.
Also included is a test shellcode that can be used for verifying that the
algorithm is compatible to Ruby's OpenSSL RC4 algorithm.
Matt Buck