Squashed commit of the following:
commit 1dcad7c21b
Merge: 1a2f35d35d29f5
Author: OJ <oj@buffered.io>
Date: Thu Mar 19 14:43:27 2015 +1000
Land #4953 : Updated POSIX meterpreter binaries
commit 35d29f5d08
Author: Brent Cook <bcook@rapid7.com>
Date: Wed Mar 18 22:57:03 2015 -0500
update linux meterpreter bins
commit 1a2f35d806
Merge: 076f15f346b1d5
Author: OJ <oj@buffered.io>
Date: Thu Mar 19 12:41:20 2015 +1000
Land #4951: Dynamic URI generation for Java/Python reverse_http(s)
commit 076f15f933
Merge: b33e7f43f8ed56
Author: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Wed Mar 18 20:59:54 2015 -0400
Land #4792 @jakxx Publish It PUI file exploit
commit 3f8ed56a9a
Author: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Wed Mar 18 20:57:58 2015 -0400
Add available space to the payload info
commit b33e7f477c
Merge: 0d1f2055dd718e
Author: joev <joev@metasploit.com>
Date: Wed Mar 18 17:17:34 2015 -0500
Land #4947, h0ng10's TWiki exploit.
commit 346b1d539f
Author: HD Moore <hd_moore@rapid7.com>
Date: Wed Mar 18 16:24:01 2015 -0500
Revert Java back to static size for cache purposes (less cpu usage on startup)
commit 33bbf7cb7e
Author: HD Moore <hd_moore@rapid7.com>
Date: Wed Mar 18 16:08:11 2015 -0500
Dynamic URI generation for python/java http(s) stagers
commit 0d1f2055c5
Merge: e943cb5dab4333
Author: HD Moore <hd_moore@rapid7.com>
Date: Wed Mar 18 15:31:22 2015 -0500
Lands #4949 which fixes#4845
commit dab4333867
Author: rwhitcroft <rw81junk@gmail.com>
Date: Wed Mar 18 16:07:46 2015 -0400
updated asm in block
commit 7ae97393e0
Author: rwhitcroft <rw81junk@gmail.com>
Date: Wed Mar 18 15:34:31 2015 -0400
fix x64/reverse_https stager shellcode
commit e943cb550f
Merge: d152c41d1a2f58
Author: OJ <oj@buffered.io>
Date: Wed Mar 18 22:34:52 2015 +1000
Land #4585 : CVE-2015-0975 XXE in OpenNMS
commit d1a2f58303
Author: OJ <oj@buffered.io>
Date: Wed Mar 18 22:17:44 2015 +1000
Fix of regex for file capture and format tweaks
commit 5dd718e4fa
Author: Hans-Martin Münch (h0ng10) <muench@mogwaisecurity.de>
Date: Wed Mar 18 09:51:51 2015 +0100
Better description
commit 00de437918
Author: Hans-Martin Münch (h0ng10) <muench@mogwaisecurity.de>
Date: Wed Mar 18 09:45:08 2015 +0100
Initial commit
commit fa7242388b
Author: OJ <oj@buffered.io>
Date: Wed Mar 18 18:18:54 2015 +1000
Move the module to the correct location
commit d152c41826
Merge: b46e5f8b62da42
Author: OJ <oj@buffered.io>
Date: Wed Mar 18 17:42:19 2015 +1000
Land #4934 : Proxy and auth support in reverse_http(s)
commit b62da42927
Merge: c607cf7b46e5f8
Author: HD Moore <hd_moore@rapid7.com>
Date: Wed Mar 18 01:51:15 2015 -0500
Merge branch 'master' into feature/add-proxies-to-wininet
commit b46e5f8d13
Merge: bd4738b97def50
Author: OJ <oj@buffered.io>
Date: Wed Mar 18 16:49:13 2015 +1000
Land #4295 : Refactory proxy-enabled payload handling
commit c607cf7b11
Merge: 0513852bd4738b
Author: HD Moore <hd_moore@rapid7.com>
Date: Wed Mar 18 01:45:44 2015 -0500
Merging master
commit 97def50cc2
Author: HD Moore <hd_moore@rapid7.com>
Date: Wed Mar 18 01:26:59 2015 -0500
Whitespace cleanup
commit 8d3cb8bde5
Author: HD Moore <hd_moore@rapid7.com>
Date: Wed Mar 18 01:25:42 2015 -0500
Fix up meterpreter patching arguments and names
commit ef443c83b9
Author: HD Moore <hd_moore@rapid7.com>
Date: Wed Mar 18 01:21:53 2015 -0500
Fix overgreed search/replace
commit 390a704cc7
Author: HD Moore <hd_moore@rapid7.com>
Date: Wed Mar 18 01:19:05 2015 -0500
Cleanup proxyhost/proxyport arguments to match new names
commit f7a06d8e44
Author: HD Moore <hd_moore@rapid7.com>
Date: Wed Mar 18 01:15:32 2015 -0500
Rework PROXY_{HOST|PORT|TYPE|USERNAME|PASSWORD) to the new syntax
commit 3aa8cb69a4
Author: HD Moore <hd_moore@rapid7.com>
Date: Wed Mar 18 01:08:09 2015 -0500
Fix two use cases of PROXYHOST/PROXYPORT
commit 87a489907c
Author: HD Moore <hd_moore@rapid7.com>
Date: Mon Dec 15 14:48:09 2014 -0600
Place an IPv6 proxy IP between brackets
commit 259db269bd
Author: HD Moore <hd_moore@rapid7.com>
Date: Tue Dec 2 15:36:14 2014 -0600
Remove user/pass and invalid class from the options
commit 2ab14e7e79
Author: HD Moore <hd_moore@rapid7.com>
Date: Wed Mar 18 01:01:10 2015 -0500
Adds IPv6 and option-related issues with the previous patch
commit 0601946830
Author: HD Moore <hd_moore@rapid7.com>
Date: Tue Dec 2 13:29:39 2014 -0600
Don't mandate and default PROXY_HOST (miscopy from the proxy stager)
commit a4df6d539f
Author: HD Moore <hd_moore@rapid7.com>
Date: Wed Mar 18 00:59:59 2015 -0500
Cleanup proxy handling code (consistency & bugs)
One subtle bug was that each time a request was received, a null byte was being appended to the datastore options for PROXY_USERNAME and PROXY_PASSWORD. Eventually this would break new sessions. This change centralizes the proxy configuration and cleans up the logic.
commit 85fb534e63
Author: HD Moore <hd_moore@rapid7.com>
Date: Tue Dec 2 12:57:30 2014 -0600
Fix up the offset detection again, cleanup redundant code
commit 2f13988d7b
Author: HD Moore <hd_moore@rapid7.com>
Date: Tue Dec 2 12:33:53 2014 -0600
Use OptPort vs OptInt and cleanup the description
commit a01be365b0
Author: HD Moore <hd_moore@rapid7.com>
Date: Wed Mar 18 00:59:13 2015 -0500
Rework PROXYHOST/PROXYPORT to PROXY_HOST/PROXY_PORT
This also cleans up the windows reverse_https_proxy stager.
commit b197b7aaf0
Author: jakxx <jakx.ppr@gmail.com>
Date: Tue Mar 17 19:24:13 2015 -0400
Additional Updates
-Removed unused mixin
-Cleaned up Module name
-Cleaned up author name
commit bd4738b93e
Merge: 47a7f99ad7fa0ec
Author: James Lee <egypt@metasploit.com>
Date: Tue Mar 17 17:37:55 2015 -0500
Land #4827, capture and nbns fixups
commit d7fa0ec669
Author: James Lee <egypt@metasploit.com>
Date: Tue Mar 17 17:36:45 2015 -0500
Let IPAddr#hton do the calculating
commit 47a7f99aae
Merge: d1d63785fd3637
Author: Brent Cook <bcook@rapid7.com>
Date: Tue Mar 17 16:22:46 2015 -0500
Land #4930, @hmoore-r7 winhttp stager certificate check
commit 085e6cc815
Author: jakxx <jakx.ppr@gmail.com>
Date: Tue Mar 17 16:39:56 2015 -0400
Implemented Recommended Changes
-corrected spelling error
-set only option to required
-dumped header data to included file
-Used Rex for jmp values
commit 0490af8ba8
Author: jstnkndy <jstnkndy@gmail.com>
Date: Tue Mar 17 10:20:22 2015 -0400
Added error checks, randomness, and uuid delimeter
commit f3fc4003d0
Author: jstnkndy <jstnkndy@gmail.com>
Date: Tue Mar 17 10:19:40 2015 -0400
typo
commit b92d243c0e
Merge: e0a7f53766a07a
Author: jstnkndy <jstnkndy@gmail.com>
Date: Tue Mar 17 10:18:32 2015 -0400
Merge branch 'module-cve-2015-0975' of https://github.com/jstnkndy/metasploit-framework into module-cve-2015-0975
commit e0a7f531cc
Author: jstnkndy <jstnkndy@gmail.com>
Date: Tue Mar 17 10:10:51 2015 -0400
Added error checking, randomness, uuid delimiters
commit 2ea984423b
Author: HD Moore <hd_moore@rapid7.com>
Date: Mon Mar 16 14:08:01 2015 -0500
while(true)->loop, use thread.join
commit 5fd3637d34
Author: HD Moore <hd_moore@rapid7.com>
Date: Mon Mar 16 14:00:51 2015 -0500
Remove the i32 size specifier (not needed)
commit 69d9280748
Author: HD Moore <hd_moore@rapid7.com>
Date: Mon Mar 16 13:52:13 2015 -0500
Fix yard docs, retries, push.i8 instructions. See commit 05138524e3
Note that StagerRetryCount is not defined here, but will be in the parent class once #4934 lands
commit 05138524e3
Author: HD Moore <hd_moore@rapid7.com>
Date: Mon Mar 16 13:35:36 2015 -0500
Fix yard docs, fix retries, trim bytes, retested and working
commit 69a808b744
Author: HD Moore <hd_moore@rapid7.com>
Date: Mon Mar 16 12:14:42 2015 -0500
StagerProxy -> PayloadProxy
commit f361e4ee52
Author: HD Moore <hd_moore@rapid7.com>
Date: Mon Mar 16 00:22:10 2015 -0500
Prefer the new-style proxy datastore options when available
commit 7e89281485
Author: HD Moore <hd_moore@rapid7.com>
Date: Mon Mar 16 00:03:31 2015 -0500
Adds proxy (with authentication) support to reverse_http(s)
commit 8e37342c50
Author: HD Moore <hd_moore@rapid7.com>
Date: Sat Mar 14 16:52:04 2015 -0500
Comment typo
commit 0d12ca49a7
Author: HD Moore <hd_moore@rapid7.com>
Date: Sat Mar 14 16:19:13 2015 -0500
Work around lack of option normalization during size calculation
commit 03019cf451
Author: HD Moore <hd_moore@rapid7.com>
Date: Sat Mar 14 15:53:21 2015 -0500
Adds StagerVerifySSLCert support (SHA1 of HandlerSSLCert)
commit 11593800b6
Author: HD Moore <hd_moore@rapid7.com>
Date: Sat Mar 14 15:52:23 2015 -0500
Move X509 PEM parsing into Rex::Parser::X509Certificate
commit 1001061a96
Author: HD Moore <hd_moore@rapid7.com>
Date: Wed Mar 4 18:52:18 2015 -0600
Initialize @capture_count
commit 1b1716bcf6
Author: HD Moore <hd_moore@rapid7.com>
Date: Sun Feb 22 22:01:01 2015 -0600
Fix a handful of bugs that broke this modules. Fixes#4799
commit 9730a1655e
Author: HD Moore <hd_moore@rapid7.com>
Date: Sun Feb 22 22:00:42 2015 -0600
Small cleanups to the LLMR responder module
commit bdd5276524
Author: HD Moore <hd_moore@rapid7.com>
Date: Sun Feb 22 21:53:47 2015 -0600
This fixes a number of issues with the Capture mixin
* The use of www.metasploit.com in a datastore option results in a DNS lookup (infoleak). Switch to 8.8.8.8 (TTL=1)
* The hackey code around #each_packet is no longer necessary in newer Ruby versions
* The arp()/probe_gateway() calls to inject_reply() had broken logic leading to early exit and missed replies
* The arp() function now tries up to three times to get a reply (helpful with lossy L2)
* GC.start is extraneous and should be removed
* Increased timeouts
commit 615d71de6e
Author: HD Moore <hd_moore@rapid7.com>
Date: Sun Feb 22 21:51:33 2015 -0600
Remove extraneous calls to GC.start()
commit 44a7e7e4bc
Author: jakxx <jakx.ppr@gmail.com>
Date: Wed Feb 18 13:22:54 2015 -0500
publish-it fileformat exploit
commit 766a07a904
Author: jstnkndy <jstnkndy@gmail.com>
Date: Tue Jan 13 22:08:08 2015 -0500
Add CVE-2015-0975 XXE for OpenNMS <= 14.0.2
The issue seems to be at the root of #4669 is that reverse_http
registers an HTTP service but never releases its reference to it. If
we stop it directly, there may be a session already connected to it that
we kill, so we can't do that. Instead, track if we got a connection or
not, and conditionally release our reference based on whether the
connection succeeded.
This should fix#4669
This allows HandlerSSLCert to be used to pass a SSL certificate into the Meterpreter handler. The datastore has to be passed into handle_connection() for this to work, as SSL needs to be initialized on Session.new. This still doesn't pass the datastore into Meterpreter directly, but allows the Session::Meterpreter code to extract and pass down the :ssl_cert option if it was specified. This also fixes SSL certificate caching by expiring the cached cert from the class variables if the configuration has changed. A final change is to create a new SSL SessionID for each connection versus reusing the SSL context, which is incorrect and may lead to problems in the future (if not already).
As I am using a exploit that does a check on the Server HTTP headers to identify the target I saw an error message that reads like this:
>The target server fingerprint "" does not match "(?-mix:(Jetty|JBoss))", use 'set FingerprintCheck false' to disable this check.
Then, while using a HTTP proxy to analyse the requests I am presented with an error that tells me to set another internal option to override a default behaviour. Although it should be pretty clear to everyone using the metasploit framework, I think it is more convenient if all error messages have the same format/way to present suggestions, in this case, presenting the full command the user needs to introduce in order to carry on with the execution of the exploit.
This fixes a huge number of hard-to-detect runtime bugs
that occur when a default utf-8 string from one of these
libraries is passed into a method expecting ascii-8bit
These are not needed, since you can just config the regular handler now
and pick either.
This resolves the conflict (rm'ed the old modules)
Conflicts:
modules/payloads/stagers/windows/reverse_ipv6_http.rb
modules/payloads/stagers/windows/reverse_ipv6_https.rb
JodaZ reported that the handle_connection() sock.put call can
result in the entire reverse_tcp stager hanging if the client
stops receiving or is on a very slow link. The solution emulates
what ReverseTcpDouble already does, which is stage each connection
in a new thread. However, given that a high number of threads
can be a problem on some operating systems (*ahem* win32) this
option is not enabled by default.
We should look into thread pooling and handle_connection() timeouts
as well as event-based polling of multiple clients as alternatives,
but this option will improve the situation for our existing users.
Even though there are calls to has_read_data(), it doesn't prevent
the put() call from blocking in a dead client or slowaris-like
situation. By moving the inp/out detection into the thread, we
allow the main handler to keep processing connections even if
a single connection hangs.
When running a http/https listener the address:port that was being
shown in the output was that which was passed to the victim as part
of the stager and not the actual listener address:port.
This commit fixes this so that the display is correct.
This commit completes our quest to (optionally) decouple the stage's
callback parameters from the interface/port our handler binds to.
LPORT is now patched into the stage over ReverseListenerBindPort.
This commit removes the now unused bind_address function from
reverse_http.rb. This function returns an array of hosts the handler
should attempt to bind to (e.g., [LHOST value, any])
Other handlers (e.g., reverse_tcp.rb) loop through these values until
they're able to start a server with that bind address.
The HTTP server doesn't work this way. It's setup to try one address
and that's it. It makes sense to have the HTTP server always bind to
0.0.0.0 by default as future modules run by the user may register
resources with the same HTTP server.
This commit returns the HTTP/S handler to its former semantic glory.
By default the HTTP/S handler will bind to :: or 0.0.0.0. If the
user specifies a ReverseListenerBindAddress then, instead, the
server will bind to that address.
The previous commit to change the URL to always reference LHOST
should go with this too. LHOST is always my intent of where the
stage should call home too. ReverseListenerBindAddress would make
sense as my intent as to where I want to bind to. The two options
shouldn't take on each other's meanings.
Redmine #8726 documents a change where the reverse HTTP/S
tries to bind LHOST and if it can not it does a hard stop
If it's expected that users will use ReverseListenerBind-
-Address then this commit addresses #8726 by patching the
HTTP/S stage with the host provided by the user in LHOST.
Currently ReverseListenerBindAddress (if used) is patched
into the stage. This makes for a broken HTTP/S session if
the user sets this option to 0.0.0.0.
With this commit--users can provide any LHOST they like
and set ReverseListenerBindAddress to 0.0.0.0 and things
will work.
This commit does not attempt to bring the HTTP/S handler
back to the old behavior of falling back to 0.0.0.0 when
it can't bind LHOST. I'd welcome the old behavior but I
leave it to you to decide what makes sense. :)
Matt Buck