* Update modules landed as a scanner into a more appropriate category.
* Adds a check method based on TP-link default `TITLE` html.
* Rename module consistent with existing exploit.
Previously there was not the ability to restore the server proxy setting.
This updates the code to do so. Additionally this also updates the documentation
to note that Fetch payloads are incompatible with this module since they
use HTTP connections that will be impacted by this module changing the server's
HTTP proxy settings. There is no way around this.
The size requriement is used when the adapted payload is executed from
the command line but that's not the case for the fetch payloads which
execute a command to fetch the payload from a URL. The payload size
doesn't matter because it's included in the executable file hosted at
the URL.
* Prevent using post modules with the session
It doesn't work reliably because of winpty and how the output is
mangled.
* Set the limit correctly
* Fix Linux PTY downgrade issues
* Remove filtering
The filtering implementation is incomplete and unnecessary.
Filtering is unnecessary because Linux sessions execute a stub on
session start up that uses a combiantion of stty and a fifo to emulate a
PTY-less session. Windows sessions do not need filtering because they
have been explictly marked as being incompatible with the Post API which
is confused by the extra characters.
The filtering implementation is incomplete because it does not account for
echo fragments that are split across lines. It also does not account for
all of the ANSI escape codes.
* Add module docs for enum_ssm
The function required a filter argument, but not every query has a
filter. By removing it, we can reuse the same logic for other operations
including modifications.
* Revert "shell_command_token_base get 0th output index"
This reverts commit 3a4cb3560f.
* Correct the order of arguments to #set_term_size
* Fix paths for directory checks
The path C:\ ends with a trailing backslash which will cause bash to
wait for another line if input. This places the shell in an undesirable
state.
* Fix post module tests for Linux
* Remove the command document
This hasn't been tested and it's unclear under what conditions this
would be used.
* Fix Windows SSM sessions
---------
Co-authored-by: Spencer McIntyre <zeroSteiner@gmail.com>
The exists? method in post/file has a different implementation for
PSH sessions than other shells which are testing for the existence
of a path, not the presence of a file.
Fix this by replacing [System.IO.File]::Exists with Test-Path.
Testing:
```
PS C:\Windows\system32> [System.IO.File]::Exists("C:\")
False
PS C:\Windows\system32>test-path C:\
PS C:\Windows\system32> test-path C:\
True
```
There was an issue in the ACE processing where only ACEs corresponding
to an object were processed for SIDs with enrollment rights. The
processing should also process ACEs that grant the enrollment right and
are not related to any objects. In other words, only ACEs associated
with an object that is neither the CERTIFICATE_ENROLLMENT_EXTENDED_RIGHT
or CERTIFICATE_AUTOENROLLMENT_EXTENDED_RIGHT right should be ignored.
MessagePack 1.7.0 gem introduced code not compatible with the current
build env used for nightly packages. This may be addressed in several
ways and has been reported upstream. Lock the version a until a path
forward is determined.
Update the enum_ssm module to use the correct session type with the
appropriate platform. Also set the session information to the same
string which also removes the eye sore that is the shell banner.
Fixed some typos, took into account the comment from jvoisin to infer fields from the JSON reply, used fail_with as suggested by jheysel-r7, fixed a rubocop warning about a redundant begin block.
Update the enum_ssm module to use the correct session type with the
appropriate platform. Also set the session information to the same
string which also removes the eye sore that is the shell banner.
This module exploits a publically accessible endpoint in
SPIP that results in code execution in the context of the
user running the webapp (CVE-2023-27372).
Rex::Proto::DNS::Resolver is currently unable to approximate the
host OS' native resolver because:
1. It cannot cache responses and has to go out to its defined NS'
each time to query for the answers,
2. Because it is not aware of the system's hostsfile entries which
can result in leaks/mis-targeted execution, and a bunch of other
unpleasantly nuanced problems.
Address the concern by:
1. Creating a descendant CachedResolver class from
Rex::Proto::DNS::Resolver, with a #send method override which
performs cache query and population.
2. Moving the Cache class up one namespace to Rex::Proto::DNS and
updating the server accordingly.
3. Fixing the MATCH_HOSTNAME regex in Rex::Proto::DNS::Constants to
allow a short-name (vs FQDN) and creating a relevant MATCH_FQDN.
TODO:
1. Deal with adding search domains from the system to short-name
queries and records; if we decide this is a good idea (potential
for leaks).
2. Look at performance optimization for multiple concurrent queries
via singleton/refcounted/other optimized concurrent access patters.
Testing:
1. Pry-level tests of the objects edited/created in this PR. Needs
some runtime testing to QA.
Both the reference links in this one are dead, replacing with archive.org links.
Much like https://github.com/rapid7/metasploit-framework/pull/17825, I'll be doing these ad-hoc for a little bit until I figure out a reliable way to do a load of them in one batch.
This module exploits an undocumented backdoor vulnerability
(CVE-2019-7276) in the Optergy Proton and Enterprise Building
Management System (BMS) applications.
The Secunia links in the framework were dead. They have
now been restored using the wayback machine to grab
replacement links from the earliest date possible.
The default action "Malformed Packet" reports all users as found even
though they don't exist.
Setting "CHECK_FALSE" to true will make the scanner bail out as it
realizes the target is patched.
This pull request adds an exploit module for CVE-2022-21587
an arbitrary file upload vulnerability in Oracle Web Applications
Desktop Integrator as shipped with 12.2.3 through to 12.2.11
which results in RCE
Fix #query_ldap to use the API provided by Windows instead of dealing
with the opaque BER data structures. This means that querying is now
reliant on documented APIs and will function on both 32-bit and 64-bit
Meterpreters.
Using #arch instead of #native_arch means that the Python Meterpreter
will be misclassified as ARCH_PYTHON and will be unable to use util
functions correctly.
Update railgun to handle pointer return types. If the type that is
pointed to is known (i.e. PCHAR, PULONG_PTR) and not LPVOID, the
contents returned to the caller. The raw address is also returned in the
&return key to enable the caller to free the buffer if necessary which
is determined by the function that was called.
This references the main dll/template.c code as the mixed-mode variant
already does. This will make future changes easier as we won't need to
copy them from the main to this one.
See https://github.com/rapid7/metasploit-framework/pull/8509 for the
origin of these files.
Implement reverse shell over SCTP in Python.
During testing against Arch Linux with Python 3.10.9, any attempt
to interact with the resulting shell produced:
```
Traceback (most recent call last):
File "/tmp/shell.py", line 12, in <module>
so.send(o)
OSError: [Errno 22] Invalid argument
```
Implement handling for OSError 22 on the send() method for the
abnormal stream socket.
Testing:
Tested against local KVM virtual machine running Arch Linux
With the introduction of SCTP socket support in Rex::Socket via
https://github.com/rapid7/rex-socket/pull/56, Framework can utilize
this protocol for session transports similarly to TCP as it is a
stream-wise transport.
Implement bind and reverse handlers for the new socket type.
Implement example bind and reverse payloads using socat copying
from the initial udp sessions implementation.
Testing:
Rudimentary bind session test against local Libvirt Linux VM
Next steps:
Implement the language-level payloads for the interpreters common
to POSIX environments supporting SCTP.
Implement meterpreter transports for SCTP in Python, PHP, Mettle,
and Java modalities (Windows doesn't support it without carrying
its own usermode protocol library).
Create an AwsSsmCommandShellBind session type to provide intercept
points for shell command interactions and a wrapper class which is
used to register the new session.
Update Msf::Handler::BindAwsSsm with its own #create_session method
utilizing the new session type to provide direct control of session
initialization.
Restore standard handler attributes and thread nomenclature in an
attempt to resolve the repeating session creation when #to_handler
is called on the payloads.
Testing:
Tested in local framework, unfortunately the recurring session
init problem appears to persist. Requesting testing on an upstream
Framework by saner folks.
Update SSM handler code to standardize datastore option names per
@zeroSteiner.
Update payload modules to reflect the OS targets against which they
are to execute.
Update the name of the ReverseListenerBindAddress (instead of ReverseListenserBindHost) because that seems to be works.
```
msf6 exploit(multi/http/tomcat_jsp_upload_bypass) > set ReverseListenerBindHost 172.17.0.2
[-] Unknown datastore option: ReverseListenerBindHost. Did you mean ReverseListenerBindPort?
msf6 exploit(multi/http/tomcat_jsp_upload_bypass) > set ReverseListenerBindAddress 172.17.0.2
ReverseListenerBindAddress => 172.17.0.2
```
- Made an error in the original research where the TLV had a type
and a index, when it only has a type and a modifier that makes
it into a TV (Type and Value, no Length).
- A TV has its value where the Length would be on a TLV.
- Also added a note on the endieness being correct/working because
endieness has no impact in the message being used to exploit the
vulnerability.
Bail out of console resize operation if ::IO.console doesn't exist
Enforce REGION datastore option and remove the multi-region enum
code by Aaron - users can write resource scripts if they need
automation.
- Improve option validation
- Always request an impersonated TGS for `cifs/...` SPN
- SPN option now is used to request an additional TGS for another SPN
- Add exception handling for Kerberos errors
- Only remove the computer account if it has been created
Use blocks to check whether each service is exploitable as they are
enumerated. With this change, it is the service and path enumeration
halts once an exploitable one is found that yields a session.
Also all files are registered for cleanup.
- Move all the logic from `modules/auxiliary/admin/dcerpc/icpr_cert.rb`
to `lib/msf/core/exploit/remote/ms_icpr.rb` library
- Move all the logic from `modules/auxiliary/admin/dcerpc/samr_computer.rb`
to `lib/msf/core/exploit/remote/ms_samr.rb` library
- Add `modules/auxiliary/admin/dcerpc/cve_2022_26923_certifried.rb` module
- Update the SMB client to disable SSL by default
- Add documentation
- Kerbero client: pass `options` as argument to `send_request_as`
- `calculate_shared_key` returns an EncryptionKey instead of the raw key
- Update `pkinit_login` module to make it compatible
- Add support to `additional_tickets` when requesting tickets
- Add support to PAC CredentialInfo structures
- Add impersonation to escalate privileges
- Add ACTIONS
- Use elevated TGS to delete the computer account
- Update and add specs
Removing the call to .map over args[:datastore_options] avoids an unnecessary call to Msf::DataStore#import_options_from_s. args[:datastore_options] is already a hash, converting it to string and using Msf::DataStore#import_options_from_s converts it back to hash, which is not necessary. The Msf::Simple::Module mixin already offers support for Options, which is expected to be a hash.
This change also prevents sending corner case option strings to Msf::DataStore#import_options_from_s when using post modules, which does not support strings like: "COMMAND='date --date=2023-01-01'".
Add a post module for credential extraction from WhatsUp Gold instances
on Windows hosts. The module should theoretically decrypt ciphertext
from any version of WhatsUp Gold, although it has only been verified
working on WhatsUp Gold versions 11.0 through 22.0.
Changed the SQL queries for DB dump to explicit VARCHAR(4096) to get
around sqlcmd's 256-char column limit.
Refactored the BATCH_DPAPI functionality because I can't seem to let
this pattern go: now actually batches with byte threshold set by
advanced option.
Reduced clutter and redundancy.
Various tweaks and bug fixes.
Updated documentation.
Metasploit will negotiate the strongest mutually supported encryption
with the target. When the target supports AES-256 as Server 2022 and
Windows 11 do, the key needs to be 32-bytes long and not 16 as it is
when AES-128 is in use. This updates the logic to check if the
encryption algorithm is set to ensure that the key is the correct size.
changes in #16153 adjusted modules that were not utilizing
`Exploit::Remote::SMTPDeliver` in error restore calls to `raw_send_recv`
that is no longer shadowed by in `SMTPDeliver`.
Expand SSM enumeration module docs to explain full functionality.
Enable the LIMIT configuration option to restricte results per
region.
Implement FILTER_EC2_ID configuration option to permit targeting
of a specific instance for session initiation.
Testing:
Finds limtied sets of systems and initiates sessions
Finds desired system ID and initiates session
The SSM session socket times out without data being sent at the
upper (SSM) WS layer. Implement keep-alive in a separate thread
which simply writes nothing into the channel at irregular intervals
to simulate user activity.
Testing:
Sessions established with this code running have not timed-out
in over 15m despite being completely unused
Enable session acquisition from AWS SSM enumeration module simiar
to how the telnet login scanner acquires sessions on the sockets
exposed.
Testing
Tested execution - finds systems, gets shells, autopwn-capable
Coopt Aaron Soto's EC2 enum module & replace the guts with an SSM
query for not-terminated EC2 instances with SSM capability. This
will proide users with the instance IDs needed to test their SSM
shells and can be expanded to report information or even act as a
"brute-force" module which automatically starts SSM sessions.
Testing:
None - might eat your monitor lizard
Implement terminal resizing to WebSocket shell
Reorganize code to ease later extension
Implement peerinfo in channel context from AWS EC2 SSM information
gathered during session validation
Implement echo-filtering for session inputs (hacky, but works)
Testing:
Verified console resizing, color/reset/etc
Verified peerinfo and interaction
Verified common session operations
Notes:
SSM WebSocket sessions time out pretty quickly, implementing
dedicated SSM session types which support suspend/resume to match
backgrounding/foregrounding operations in the console should help
to resolve this. Alternatively, a keep-alive using empty frames
may be implemented in the SsmChannel itself on a separate thread.
Alter WebSocket::Interface::Channel to accept a mask_write flag to
set the Channel behavior for outgoing data (since the on_data_write
handler can only deal with the buffer provided, not how the wsframe
containing it is written to the "wire"). Set the flag to false for
SSM's WebSocket operations.
Extract Rex::Proto::Http::WebSocket::AmazonSsm from the handler to
permit reuse by other framework elements.
Implement SSM-specific UUID handling.
Create sane SsmFrame constructor to permit convenient operations.
Implement Http::WebSocket::AmazonSsm::Inteface::SsmChannel from
Http::WebSocket::Inferface::Channel with message-type handling and
output processing. Acknowledge incoming messages, process incoming
acknowledgements, increment sequence IDs appropriately, and handle
basic logging.
This new session type removes the 2500 char output restriction and
stateless peer cwd.
Testing:
Execution of handler now provides stateful interactive shells
Next steps:
More testing, preferably by other people with upstream framework.
Peerinfo and presentation updates for the session channel
Misc cleanup
Future work:
Implement new SSM session type with support for multi-console,
port-forwarding/socket routing, and custom SSM documents.
Implement FSM handlers for session suspension and resumption in
Http::WebSocket::AmazonSsm::Interface::SsmChannel
Create BinData structure to handle the proprietary format of AWS'
SSM WebSocket protocol. Implement relevant inter-field dependencies
and a virtual payload_valid field to handle the SHA256 digest check
for the current state of r the payload_data field.
Implement user-accessible SSM document definition to permit use of
custom-defined command and session documents (stubbing for session
types such as port-forwarding) which may be of use when dealing
with restrictive IAM.
Restructure handler in preparation for moving the WebSocket code
into Rex::Proto for use by other consumers such as custom payloads
and session types like fully interactive (vs REPL) modalities, or
some form of "cloud-native" MeterSSM.
Testing:
Verified acquisition of SSM WS frame and relevant field ops
Next Steps:
Create WS loop to abstract shell communications
Wrap in Rex*Abstraction bowties for the session handler
Test -> ? -> Profit
Using the implementation in https://github.com/humanmade/ssm, use
the onconnect websocket authenticator as a JSON string written as
a wstext Frame into the established WebSocket. This keeps the sock
open with AWS after returning it from the method, but subsequent
operations will require definition and encoding/decoding of SSM's
proprietary data structures.
Testing:
The initialized WebSocket is kept open and returns wsframes when
requested.
Next steps:
Port the various data structures from the JavaScript library
Implement encoding & decoding for their wire-level formats
Implement state management and data flow handling logic for
the WS SSM protocol.
Port WebSocket initiation routine from Exploit::Remote::HttpClient.
Currently inert since it appears to require a handshake procedure
along with its own type of data frame.
Implement graceful fail-down for session establishment which tries
to initiate a WebSocket session for proper functionality, failing
down to the script-execution style session abstraction if the WS
session does not marshal properly. Use this exception handling to
deal with the WIP WS session state.
Testing:
Gets the same kind of command-abstracted session as before
Interface-extended socket returns garbage from naive #write and
nothing from put_string or put_binary - not going to get anything
out of this thing until we establish the handshake procedure.
Next steps:
Figure out data frame structures for handshake and console IO
Implement handshake on-init, validate state
Implement IO abstraction for the resulting Channel for handoff
to #handle_connection
Amazon Web Services provides conveniently privileged backdoors in
the form of their SSM agents which do not require connectivity with
the target instance, merely valid credentials to AWS' API. Due to
this indirect "connection" paradigm, this mechanism can be used to
control otherwise "air-gapped" targets.
This approach abstracts asynchronous request/response parsing for
SSM requests into an IO channel with which the AWS SSM client is
then wrapped to emulate the expected Stream. The mechanism is rather
raw and could use better error handling, retries on laggy output,
and a threadsafe cursor implementation. It may be possible to start
an actually interactive session using the #start_session method in
the AWS client library, but so far testing has not yielded positive
results.
There is a significant limitation with these sessions not present
in normal stream-wise abstractions: a response limit of 2500 chars.
This limitation can be overcome by utilizing an S3 bucket to store
command output; however, due to the nature of access we seek to
obtain, it would not only add to the logged event loads but retain
the results of our TTPs in a "buffer" accessible to other people.
This functionality can be added down the line in the form of S3
config options in the handler to be passed into the SSM client for
command execution and acquisition of output.
Testing:
Gets sessions, provides command IO, leaves a bunch of log entries
in CloudTrail (something to keep in mind for opsec considerations).
Next steps:
Reorganize our WebSocket code a bit to provide connection and WS
state management inside Rex::Proto::Http::Client which can then be
exposed to the Handler without having to mix-in other namespaces
from Exploit.
Use the #start_session SSM Client method to extract the WS URL
for the relevant channel, and utilize that as the underpinning for
our session comms.
This fixes issues where Ruby would interpret version strings as floats,
which could lead to casting errors. An example of this was when 3.0 would be interpreted
as the number 3, so instead of getting the latest Ruby 3.0.X release,
you would instead get the latest Ruby 3 release.
Also fixed powershell upload, which failed at around 20000 bytes per command.
I believe this is related to powerfun, which seems to truncate to 20000 bytes.
Nuked the last embarrassing typo in the module description.
Updated the documentation to include detail on sqlcmd / CSV export
process when manually exporting the data.
Fixed humiliating typos in the markdown doc.
Updated the Author section of the module per guidelines.
Changed credential type for AES key loot storage.
Updated database config code to include the case where the SQL password
is not encrypted (needs testing).
Additional tweaks and fixes.
Made modifications to documentation to add further detail for each
action.
Significant refactor of error handling, now with (hopefully) proper use
of exceptions.
Various suggested code improvements and optimization.
Fixed some redundant and buggy code.
I think all exploit modules should "report" in the check method when finding a vulnerable
product. By doing that we can take advantage of all check methods in the exploit module
and use them as a "scanner". That would give the chance for the user to check multiple
simultaneously targets and save the result for further actions.
This upgrades the RASN1 library to the latests as of today and fixes
compatibility issues. The issue introduced by v0.11 was that types are
initialized with an `options` hash, which the Name class was not set to
accept.
While iterating over asn_san_seq, if the tag doesn't match either of the
two conditions, user and domain will be nil which leads to a problem
later on.
- Add kerberos authenticator to `scanner/smb/smb_login` and the
corresponding login scanner library
- Add new options: `UseCachedCredentials` and `StoreCredentialCache`
- Add `use_cached_credentials` attribute to
Kerberos::ServiceAuthenticator::Base. This enables/disables the use of
cached Kerberos credentials from the database.
- Add `store_credential_cache` attribute to
Kerberos::ServiceAuthenticator::Base. This enables/disables storing
Kerberos TGS MIT Credential Cache to the database.
These definitions are only used by one exploit. BinData registers the
class name globally meaning that the Header and Data types were being
defined here which conflicted with those needed for Kerberos.
Closing this issue. If you believe this issue has been closed in error, please provide any relevant output and logs which may be useful in diagnosing the issue.
`
},
attic: {
close: true,
comment: `
Thanks for your contribution to Metasploit Framework! We've looked at this issue, and unfortunately we do not currently have the bandwidth to prioritize this issue.
We've labeled this as \`attic\` and closed it for now. If you believe this issue has been closed in error, or that it should be prioritized, please comment with additional information.
Thank you for your interest in making Metasploit -- and therefore, the
world -- a better place! Before you get started, please review our [Code of Conduct](https://github.com/rapid7/metasploit-framework/wiki/Code-Of-Conduct). This helps us ensure our community is positive and supportive for everyone involved.
world -- a better place! Before you get started, please review our [Code of Conduct](./CODE_OF_CONDUCT.md). This helps us ensure our community is positive and supportive for everyone involved.
## Code Free Contributions
Before we get into the details of contributing code, you should know there are multiple ways you can add to Metasploit without any coding experience:
@@ -15,9 +15,9 @@ Before we get into the details of contributing code, you should know there are m
## Code Contributions
For those of you who are looking to add code to Metasploit, your first step is to set up a [development environment]. Once that's done, we recommend beginners start by adding a [proof-of-concept exploit from ExploitDB,](https://www.exploit-db.com/search?verified=true&hasapp=true&nomsf=true) as a new module to the Metasploit framework. These exploits have been verified as recreatable and their ExploitDB page includes a copy of the exploitable software. This makes testing your module locally much simpler, and most importantly the exploits don't have an existing Metasploit implementation. ExploitDB can be slow to update however, so please double check that there isn't an existing module before beginning development! If you're certain the exploit you've chosen isn't already in Metasploit, read our [writing an exploit guide](https://github.com/rapid7/metasploit-framework/wiki/Get-Started-Writing-an-Exploit). It will help you to get started and avoid some common mistakes.
For those of you who are looking to add code to Metasploit, your first step is to set up a [development environment]. Once that's done, we recommend beginners start by adding a [proof-of-concept exploit from ExploitDB,](https://www.exploit-db.com/search?verified=true&hasapp=true&nomsf=true) as a new module to the Metasploit framework. These exploits have been verified as recreatable and their ExploitDB page includes a copy of the exploitable software. This makes testing your module locally much simpler, and most importantly the exploits don't have an existing Metasploit implementation. ExploitDB can be slow to update however, so please double check that there isn't an existing module before beginning development! If you're certain the exploit you've chosen isn't already in Metasploit, read our [writing an exploit guide](https://docs.metasploit.com/docs/development/developing-modules/guides/get-started-writing-an-exploit.html). It will help you to get started and avoid some common mistakes.
Once you have finished your new module and tested it locally to ensure it's working as expected, check out our [guide for accepting modules](https://github.com/rapid7/metasploit-framework/wiki/Guidelines-for-Accepting-Modules-and-Enhancements#module-additions). This will give you a good idea of how to clean up your code so that it's likely to get accepted.
Once you have finished your new module and tested it locally to ensure it's working as expected, check out our [guide for accepting modules](https://docs.metasploit.com/docs/development/maintainers/process/guidelines-for-accepting-modules-and-enhancements.html#module-additions). This will give you a good idea of how to clean up your code so that it's likely to get accepted.
Finally, follow our short list of do's and don'ts below to make sure your valuable contributions actually make it into Metasploit's master branch! We try to consider all our pull requests fairly and in detail, but if you do not follow these rules, your contribution
will be closed. We need to ensure the code we're adding to master is written to a high standard.
@@ -83,7 +83,7 @@ If you need some more guidance, talk to the main body of open source contributor
Finally, **thank you** for taking the few moments to read this far! You're already way ahead of the
curve, so keep it up!
[Code of Conduct]:https://github.com/rapid7/metasploit-framework/wiki/CODE_OF_CONDUCT.md
[Code of Conduct]:https://docs.metasploit.com/docs/code-of-conduct.html
[Submit bugs and feature requests]:http://r-7.co/MSF-BUGv1
[Help fellow users with open issues]:https://github.com/rapid7/metasploit-framework/issues
[help fellow committers test recently submitted pull requests]:https://github.com/rapid7/metasploit-framework/pulls
To learn how to generate <%= mod.fullname %> with msfvenom, please [read this](https://github.com/rapid7/metasploit-framework/wiki/How-to-use-msfvenom).
To learn how to generate <%= mod.fullname %> with msfvenom, please [read this](https://docs.metasploit.com/docs/using-metasploit/basics/how-to-use-msfvenom.html).
warning"Invalid docs link syntax found on line #{el.options[:location]}: Invalid relative link #{link_href} found. Please use the syntax [[#{link_text}|#{link_href}]] instead"
warning"Invalid docs link syntax found on line #{el.options[:location]}: Invalid absolute link #{link_href} found. Please use relative links instead, i.e. [[#{link_text}|#{example_path}]] instead"
Maintainers can assign labels to both issues and pull requests.
### Attic
When we move something to the attic it means that what you submitted is a thing that we want but the circumstances were not quite right for landing it. Sometimes this is on us, and sometimes the contribution needs more work. We recognize that contributors work on the PRs they submit at their own pace. Take a look at the comments and review suggestions on your PR, and feel free to re-open it if and when you have time to work on it again. Don't think you'll be able to get it across the finish line? Find a community champion to do it for you.
### Bug
Any PR that fixes a bug or an issue that raises awareness of a bug in the framework.
### Breaking Change
Features that are great, but will cause breaking changes and should be deployed on a large release.
### Code Quality
When a PR improves code quality.
### Confirmed
Specifically for issues that have been confirmed by a committer.
### Docs
Documentation changes, such as YARD markup, or README.md, or something along those lines.
### External
### External Modules
Touches something in /external, or the Gemfile, or something like that.
PRs dealing with modules run as their own process.
### Heartbleed
Has to do with heartbleed. This will go away soon, but there are three outstanding still...
### Hotness
Something we're really excited about.
### Library
Touches something in /lib.
@@ -26,20 +50,20 @@ Plugins and scripts, anything that's not otherwise defined.
### Module
Touches something in /modules
Touches something in /modules.
### Specs
### Needs Linting
Has specs (an rspec test)
The module needs additional work to pass our automated linting rules.
### Needs More Information
The issue lacks enough detail to replicate/resolve successfully.
### Newbie Friendly
Something that's pretty easy to test or tackle.
### attic
When we move something to the attic it means that what you submitted is a thing that we want but the circumstances were not quite right for landing it. Sometimes this is on us, and sometimes the contribution needs more work. We recognize that contributors work on the PRs they submit at their own pace. Take a look at the comments and review suggestions on your PR, and feel free to re-open it if and when you have time to work on it again. Don't think you'll be able to get it across the finish line? Find a community champion to do it for you.
### Needs unique branch
Your submitted a PR from your `master` branch.
@@ -49,4 +73,74 @@ Because of how GitHub tracks changes between branches and what got added in a pa
git checkout -b <BRANCH_NAME>
git push <your_fork_remote> <BRANCH_NAME>
```
This helps protect the process, ensure users are aware of commits on the branch being considered for merge, allows for a location for more commits to be offered without mingling with other contributor changes and allows contributors to make progress while a PR is still being reviewed.
This helps protect the process, ensure users are aware of commits on the branch being considered for merge, allows for a location for more commits to be offered without mingling with other contributor changes and allows contributors to make progress while a PR is still being reviewed.
### Needs-docs
When a module is uploaded without a corresponding documentation file, add this label in indicate docs are required
### Not Stale
Label to stop an issue from being auto closed.
### Osx
Label for any osx related work.
### Payload
Touches something related to a payload.
### RN (Release notes)
There are a series of labels that are added to all PRs when they are landed that define the release notes for the PR.
They are denoted by the `rn-` prefix and they are important as they are used by automation to track metasploit-framework
statistics:
#### rn-enhancement
Release notes for an enhancement.
#### rn-fix
Release notes for a fix.
#### rn-modules
Release notes for new or majorly enhanced modules.
#### rn-no-release-notes
The PR is too small or insignificant to warrant release notes.
#### rn-wiki
Release notes for Metasploit Framework wiki.
### Stale
Marks an issue as stale, to be closed if no action is taken.
This page lists the keys in use by [Metasploit committers][msf-committers] and
This page lists the keys in use by [[Metasploit committers|committer-rights]] and
can be used to verify merge commits made to <https://github.com/rapid7/metasploit-framework>.
# Keybase.io identities
Keybase.io is used by Metasploit as an easy way to verify identities of committers. If you're a committer on metasploit-framework, and you need an invite, just ask.
<sup>Altering this table's layout will almost certainly break [import-dev-keys.sh](https://github.com/rapid7/metasploit-framework/blob/master/tools/dev/import-dev-keys.sh), so please don't.</sup>
@@ -78,7 +76,7 @@ Please select what kind of key you want:
(4) RSA (sign only)
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
@@ -96,7 +94,7 @@ from the Real Name, Comment and Email Address in this form:
Real name: Dade Murphy
Email address: dmurphy@thegibson.example
Comment:
Comment:
You selected this USER-ID:
"Dade Murphy <dmurphy@thegibson.example>"
@@ -120,7 +118,6 @@ Enter passphrase: [...]
Using `git c` and `git m` from now on will sign every commit with your `DEADBEEF` key. However, note that rebasing or cherry-picking commits will change the commit hash, and therefore, unsign the commit -- to resign the most recent, use `git c --amend`.
The term "Metasploit Committers" describes people who have direct write access to the [Rapid7 Metasploit-Framework fork](https://github.com/rapid7/metasploit-framework). These are the people who can land changes to this main fork of the Framework. However, it is not necessary to have committer rights in order to contribute to Metasploit. Much of our code comes from non-committers.
We encourage anyone to fork the Metasploit project, make changes, fix bugs, and notify the core committers about those changes via [Pull Requests](http://github.com/rapid7/metasploit-framework/pulls). The process for getting started is most comprehensively documented in the [Metasploit Development Environment](https://github.com/rapid7/metasploit-framework/wiki/Setting-Up-a-Metasploit-Development-Environment) setup guide.
We encourage anyone to fork the Metasploit project, make changes, fix bugs, and notify the core committers about those changes via [Pull Requests](http://github.com/rapid7/metasploit-framework/pulls). The process for getting started is most comprehensively documented in the [[Metasploit Development Environment|./dev/Setting-Up-a-Metasploit-Development-Environment.md]] setup guide.
Metasploit committers are a mix of [Rapid7](http://rapid7.com) employees and outside contributors. Anyone can become a contributor, with the following expectations:
@@ -24,7 +24,7 @@ If you reject a pull request, be clear in the pull request why it was rejected,
Even if someone else approves of a pull request, and it is shown to be broken later, then it is still your responsibility to correct it. Make every effort to get a fix or revert in as soon as possible, whether you wrote the code, landed it, or approved it. Blame is shared equally.
A list of committer public keys [is here](https://github.com/rapid7/metasploit-framework/wiki/Committer-Keys).
A list of committer public keys [[is here|./Committer-Keys.md]].
# How to Gain Commit Rights
@@ -45,7 +45,7 @@ Breaches of trust in terms of malicious or malformed code, or the demonstration
# Useful Links for Committers
* [http://r-7.co/MSF-DEV](https://github.com/rapid7/metasploit-framework/wiki/Setting-Up-a-Metasploit-Development-Environment) is pretty much required reading.
* [[Setting Up a Metasploit Development Environment|./dev/Setting-Up-a-Metasploit-Development-Environment.md]] is pretty much required reading.
* So is [CONTRIBUTING.md](https://github.com/rapid7/metasploit-framework/blob/master/CONTRIBUTING.md)
* Check out the Apache Software Foundation's [Guide for Committers](https://www.apache.org/dev/committers). It's illuminating.
* [Producing Open Source Software](http://www.producingoss.com/gl/) by Ken Fogel is a must-read.
@@ -6,13 +6,13 @@ whilst also avoiding some common pitfalls and learning how some of our systems w
## Initial Steps and Important Notes
The rest of this guide assumes you have already followed the steps at [Setting Up A Developer Environment](https://r-7.co/MSF-DEV) in order to get
a fork of Metasploit set up and ready to run, and that you have added in your SSH keys
(see [Adding a New SSH Key To Your GitHub Account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account)),
a fork of Metasploit set up and ready to run, and that you have added in your SSH keys
(see [Adding a New SSH Key To Your GitHub Account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account)),
set up Ruby and optionally the PostgreSQL database, and done any custom shortcuts you wish to configure.
## Getting the Latest Version of Metasploit Framework
Before making any new contributions, you will want to sure you are running the latest version of Metasploit Framework.
To do this run `git checkout master && git fetch upstream && git pull`, where `upstream` is the branch connected to the
To do this run `git checkout master && git fetch upstream && git pull`, where `upstream` is the branch connected to the
Rapid7 remote, aka Rapid7's copy of the code. You can verify that `upstream` is set correctly by running `git remote get-url upstream`
and verifying it is set to `git@github.com:rapid7/metasploit-framework.git`.
@@ -51,13 +51,13 @@ done when the code is ready to be landed into Metasploit Framework to help make
## Checking for Code Errors
Before code can be accepted into Metasploit Framework, it must also pass our RuboCop and MsfTidy rules. These help ensure that
all contributors are committing code that follows a common set of standards. To check if your code meets our RuboCop standards,
all contributors are committing code that follows a common set of standards. To check if your code meets our RuboCop standards,
from the root of wherever you cloned your fork of Metasploit Framework to on disk, run `rubocop <path to your module from current directory>`.
Specifying the `-a` parameter will ask RuboCop to check your module and if possible fix any issues that RuboCop is able to fix.
In this case the command would be `rubocop -a <path to your module from current directory>`. It is encouraged to keep running
this command and fixing any issues that come up until RuboCop no longer comes back with any errors to report. Once this is
complete, run `git add <file>` followed by `git commit -m "RuboCop Fixes"`. You can change the commit message if you
In this case the command would be `rubocop -a <path to your module from current directory>`. It is encouraged to keep running
this command and fixing any issues that come up until RuboCop no longer comes back with any errors to report. Once this is
complete, run `git add <file>` followed by `git commit -m "RuboCop Fixes"`. You can change the commit message if you
want, but it should mention RuboCop as it helps maintainers know what the commit is related to.
As a good practice rule, you should always separate your commits that contain RuboCop changes from those that contain non-RuboCop related changes.
@@ -71,8 +71,8 @@ against your module code (if applicable), using `tools/dev/msftidy.rb <path to m
if your module passed the tests. Try and fix any errors mentioned here.
## Writing Documentation
The next step to do, if you are writing a module, is to write the documentation for the module. You can find some information
on how to write module documentation at [Writing Module Documentation](https://docs.metasploit.com/docs/development/quality/writing-module-documentation.html).
The next step to do, if you are writing a module, is to write the documentation for the module. You can find some information
on how to write module documentation at [[Writing Module Documentation|./Writing-Module-Documentation.md]].
In general when writing documentation you will want to search for a similar documentation file under the `documentation`
folder located in the root of the Metasploit fork. You can then copy one of these files and use it as the basis for writing
@@ -91,15 +91,15 @@ these may be okay to ignore depending on the context. A good example is if a lin
safely ignored.
## Submitting Your Changes and Opening a PR
Once you have gone through all of the steps above you should be ready to submit your PR. To submit your PR, first check which
branch points to your copy of the code. If you have followed the setup guide, it should be `origin`. You can double check this
Once you have gone through all of the steps above you should be ready to submit your PR. To submit your PR, first check which
branch points to your copy of the code. If you have followed the setup guide, it should be `origin`. You can double check this
branch's remote URL using `git remote get-url origin`. It should look something like `git@github.com:gwillcox-r7/metasploit-framework`
with `gwillcox-r7` substituted for your username.
Assuming the `origin` branch is in fact pointing to your copy of the code, run `git push origin local-branch:remote-branch`
and replace `local-branch` with the branch locally where your code changes are located, and `remote-branch` with what
you want this branch to be called on the remote repository, aka `origin` which will be your fork on GitHub.com. In most
cases you will want these two names to be the same to avoid confusion, but its good to know this syntax should you
Assuming the `origin` branch is in fact pointing to your copy of the code, run `git push origin local-branch:remote-branch`
and replace `local-branch` with the branch locally where your code changes are located, and `remote-branch` with what
you want this branch to be called on the remote repository, aka `origin` which will be your fork on GitHub.com. In most
cases you will want these two names to be the same to avoid confusion, but its good to know this syntax should you
start working with more complex situations. Note that if the branch pointing to your copy of the code is not named `origin`,
replace the word `origin` in the command above with the name of the branch that does point to your copy of the code.
@@ -46,13 +46,13 @@ Any user of Metasploit will tell you that they know what `LHOST` and `LPORT` mea
A **handler** obviously needs to listen on a host/IP for the incoming connection. In cases where the `LHOST` value, for example the address that the target is able to reach, is the same as that which the host can listen on, no extra work has to be done. The `LHOST` value is used by the handler.
However, if some kind of NAT or port forward is enabled, or if the handler is behind a firewall, then setting `LHOST` isn't enough. In order to listen on the appropriate interface, another setting must be used called `ReverseListenerBindHost`. This value tells the **handler** to listen on a different interface/IP, but it doesn't change the fact that the `LHOST` value is given to the target when the **stage** is uploaded.
However, if some kind of NAT or port forward is enabled, or if the handler is behind a firewall, then setting `LHOST` isn't enough. In order to listen on the appropriate interface, another setting must be used called `ReverseListenerBindAddress`. This value tells the **handler** to listen on a different interface/IP, but it doesn't change the fact that the `LHOST` value is given to the target when the **stage** is uploaded.
In short, `LHOST` must always remain the IP/host that is routable from the target, and if this value is not the same as what the listener needs to bind to, then change the `ReverseListenerBindHost` value. If you're attacking something across the Internet and you specify an internal IP in `LHOST`, you're doing it wrong.
In short, `LHOST` must always remain the IP/host that is routable from the target, and if this value is not the same as what the listener needs to bind to, then change the `ReverseListenerBindAddress` value. If you're attacking something across the Internet and you specify an internal IP in `LHOST`, you're doing it wrong.
## LPORT
The principles of `LHOST` and `ReverseListenerBindHost` can be applied to `LPORT` and `ReverseListenerBindPort` as well. If you have port forwarding in place, and your listener needs to bind to a different port, then you need to make use of the `ReverseListenerBindPort` setting.
The principles of `LHOST` and `ReverseListenerBindAddress` can be applied to `LPORT` and `ReverseListenerBindPort` as well. If you have port forwarding in place, and your listener needs to bind to a different port, then you need to make use of the `ReverseListenerBindPort` setting.
The classic example of this case is where an attacker wants to make use of port `443`, but rightfully doesn't want to run Metasploit as `root` just so they can directly bind to ports lower than `1024`. Instead, the set up a port forward (on their router, or using `iptables`) so that `443` forwards to `8443`, with a goal of accepting connections on that port instead.
@@ -75,4 +75,4 @@ There are a few things to check for when debugging a dead shell.
### Not so quick things to check
* If the target is running AntiVirus there's a chance that the **stage** , for example `metsrv`, is being caught while being uploaded. `reverse_tcp` and `reverse_http`**stagers** download `metsrv`_without_ any encryption, and so the content of the DLL is visible to anything watching on the wire. `reverse_https` can still get caught in cases where AV is doing MITM content inspection. In this case, consider encoding your payloads, or if possible using stageless Meterpreter instead.
* If the target is running AntiVirus there's a chance that the **stage** , for example `metsrv`, is being caught while being uploaded. `reverse_tcp` and `reverse_http`**stagers** download `metsrv`_without_ any encryption, and so the content of the DLL is visible to anything watching on the wire. `reverse_https` can still get caught in cases where AV is doing MITM content inspection. In this case, consider encoding your payloads, or if possible using stageless Meterpreter instead.
Slack Contacts: @zeroSteiner, @Op3n4M3, @gwillcox-r7 on [Metasploit Slack](https://metasploit.slack.com/)
@@ -24,7 +24,7 @@ Difficulty: 4/5
### LDAP Capture Capabilities
Metasploit's LDAP service mixin provides a service to enable interaction over the LDAP protocol. The current implementation is the bare minimum to enable support for attacking the [2021 Log4Shell vulnerability](). Enhancement/Extension of the mixin to enable various additional LDAP features would enable extended usage of this service for additional tasks. Support for various protocol level authentication methods would allow Metasploit to intercept and log authentication information. Specific items of interest are [SPNEGO](https://en.wikipedia.org/wiki/SPNEGO) and [StartTLS](https://ldapwiki.com/wiki/StartTLS) support to enable compatibility with the widest variety of clients and a new capture module that log authentication information from clients.
Metasploit's LDAP service mixin provides a service to enable interaction over the LDAP protocol. The current implementation is the bare minimum to enable support for attacking the [2021 Log4Shell vulnerability](https://attackerkb.com/topics/in9sPR2Bzt/cve-2021-44228-log4shell?referrer=msf_docs). Enhancement/Extension of the mixin to enable various additional LDAP features would enable extended usage of this service for additional tasks. Support for various protocol level authentication methods would allow Metasploit to intercept and log authentication information. Specific items of interest are [SPNEGO](https://en.wikipedia.org/wiki/SPNEGO) and [StartTLS](https://ldapwiki.com/wiki/StartTLS) support to enable compatibility with the widest variety of clients and a new capture module that log authentication information from clients.
Size: Medium
Difficulty: 3/5
@@ -58,7 +58,7 @@ Difficulty: 4/5
Enhance existing Metasploit Goliath dashboard that allows observation of an active engagement. Data visualization would include, but not be limited to: host node graph with activity indicators and heat maps. The main idea here is to create a visualization tool that helps users understand data that has been gathered into Metasploit during usage in some useful way. Proposals should note where the service will live, how a user will use the service, and how you will provide a maintainable and extendable consumer for the data that is exposed.
See [Metasploit 'Goliath' Demo (msf-red)](https://www.youtube.com/watch?v=hvuy6A-ie1g&feature=youtu.be&t=176) for a demo video of Goliath in action. You can also read more on Metasploit Goliath at [Metasploit-Data-Service-Enhancements-(Goliath)](./Metasploit-Data-Service-Enhancements-Goliath)
See [Metasploit 'Goliath' Demo (msf-red)](https://www.youtube.com/watch?v=hvuy6A-ie1g&feature=youtu.be&t=176) for a demo video of Goliath in action. You can also read more on Metasploit Goliath at [[Metasploit-Data-Service-Enhancements-(Goliath)|./Metasploit-Data-Service-Enhancements-Goliath]
Slack Contacts: @Op3n4M3 on [Metasploit Slack](https://metasploit.slack.com/)
For any questions about these projects reach out on the Metasploit Slack in the `#gsoc` channel or DM one of the mentors using the Slack contacts listed above. Note that mentors may be busy so please don't expect an immediate response, however we will endeavor to respond as soon as possible. If you'd prefer not to join Slack, you can also email `msfdev [@] metasploit [dot] com` and we will respond to your questions there if email is preferable.
## Enhance Metasploit Framework
### Rest API Pagination
Metasploit provides two API interaction services, a Rest API service and an RPC service. Previous efforts have wrapped and exposed the RPC service as JSON responses available from the Rest API endpoint. This wrapping did not account for possible large responses that may benefit from pagination. A previous contributor attempted to add this functionality for a [limited set of RCP commands](https://github.com/rapid7/metasploit-framework/pull/13439) however review identified that the changes would introduce changes to the documented public API and also introduce inconsistency within the API responses resulting in a fluctuating public API. Modern pagination would be beneficial to increasing user adoption of Rest API services provided it can be implemented consistently and either maintain compatibility of the existing public RPC service or generate a one time migration across all exposed public APIs.
Size: Large
Difficulty: 4/5
### LDAP Capture Capabilities
Metasploit's LDAP service mixin provides a service to enable interaction over the LDAP protocol. The current implementation is the bare minimum to enable support for attacking the [2021 Log4Shell vulnerability](https://attackerkb.com/topics/in9sPR2Bzt/cve-2021-44228-log4shell?referrer=msf_docs). Enhancement/Extension of the mixin to enable various additional LDAP features would enable extended usage of this service for additional tasks. Support for various protocol level authentication methods would allow Metasploit to intercept and log authentication information. Specific items of interest are [SPNEGO](https://en.wikipedia.org/wiki/SPNEGO) and [StartTLS](https://ldapwiki.com/wiki/StartTLS) support to enable compatibility with the widest variety of clients and a new capture module that log authentication information from clients.
Size: Medium
Difficulty: 3/5
### Improving post-exploit API to be more consistent, work smoothly across session types
The Metasploit post-exploitation API is intended to provide a unified interface between different Meterpreter, shell, PowerShell, mainframe, and other session types. However, there are areas where the implementation is not consistent, and could use improvements:
* Shell sessions do not implement the filesystem API that Meterpreter sessions have
* When a shell session is in a different language, e.g. Windows in French, the post API does not find the expected output. Add localization support for these.
* Simple commands like 'cmd_exec' are fast in Shell sessions but are relatively slow in Meterpreter sessions. Add an API to make Meterpreter run simple commands more easily.
Size: Medium/Large (Depends on proposal)
Difficulty: Varies
### Improve the web vulnerability API
This would follow up on the Arachni plugin PR <https://github.com/rapid7/metasploit-framework/pull/8618> and improve the Metasploit data model to better represent modern web vulnerabilities. This project would require knowledge of data models, types of modern web vulnerabilities, and experience with web app security scanners.
Size: Large
Difficulty: 4/5
### Data Visualization
Enhance existing Metasploit Goliath dashboard that allows observation of an active engagement. Data visualization would include, but not be limited to: host node graph with activity indicators and heat maps. The main idea here is to create a visualization tool that helps users understand data that has been gathered into Metasploit during usage in some useful way. Proposals should note where the service will live, how a user will use the service, and how you will provide a maintainable and extendable consumer for the data that is exposed.
See [Metasploit 'Goliath' Demo (msf-red)](https://www.youtube.com/watch?v=hvuy6A-ie1g&feature=youtu.be&t=176) for a demo video of Goliath in action. You can also read more on Metasploit Goliath at [[Metasploit-Data-Service-Enhancements-(Goliath)|./Metasploit-Data-Service-Enhancements-Goliath]]
Size: Medium/Large (Depends on proposal)
Difficulty 3/5
## Submit your own
If you want to suggest your own idea, please discuss it with us first on [Slack](https://metasploit.com/slack) in the `#gsoc` channel to make sure it is a reasonable amount of work for a summer and that it fits the goals of the project.
@@ -27,9 +27,9 @@ The Metasploit Framework has seven different rankings to indicate how reliable a
## Template
If you have read this far, we think you are pretty impressive because it's a lot to digest. You are probably wondering why we haven't had a single line of code to share in the writeup. Well, as you recall, exploit development is mostly about your reversing skills. If you have all that, we shouldn't be telling you how to write an exploit. What we've done so far is hopefully get your mindset dialed-in correctly about what it means to become a Metasploit exploit developer for the security community; the rest is more about how to use our mixins to build that exploit. Well, there are A LOT of mixins, so it's impossible to go over all of them in a single page, so you must either read the [API documentation](https://rapid7.github.io/metasploit-framework/api/), existing [code examples](https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits), or look for more wiki pages we've written to cover specific mixins.
If you have read this far, we think you are pretty impressive because it's a lot to digest. You are probably wondering why we haven't had a single line of code to share in the writeup. Well, as you recall, exploit development is mostly about your reversing skills. If you have all that, we shouldn't be telling you how to write an exploit. What we've done so far is hopefully get your mindset dialed-in correctly about what it means to become a Metasploit exploit developer for the security community; the rest is more about how to use our mixins to build that exploit. Well, there are A LOT of mixins, so it's impossible to go over all of them in a single page, so you must either read the [API documentation](https://docs.metasploit.com/api/), existing [code examples](https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits), or look for more wiki pages we've written to cover specific mixins.
For example, if you're looking for a writeup about how to interact with an HTTP server, you might be interested in: [How to send an HTTP Request Using HTTPClient](https://github.com/rapid7/metasploit-framework/wiki/How-to-Send-an-HTTP-Request-Using-HTTPClient). If you're interested in browser exploit writing, definitely check out: [How to write a browser exploit using BrowserExploitServer](https://github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer), etc.
For example, if you're looking for a writeup about how to interact with an HTTP server, you might be interested in: [[How to send an HTTP Request Using HTTPClient|./How-to-write-a-browser-exploit-using-HttpServer.md]]. If you're interested in browser exploit writing, definitely check out: [[How to write a browser exploit using BrowserExploitServer|./How-to-write-a-browser-exploit-using-BrowserExploitServer.md]], etc.
But of course, to begin, you most likely need a template to work with, and here it is. We'll also explain how to fill out the required fields:
@@ -39,39 +39,44 @@ But of course, to begin, you most likely need a template to work with, and here
# Current source: https://github.com/rapid7/metasploit-framework
'Ret'=>0x41414141# This will be available in `target.ret`
}
]
],
'Payload'=>
{
'Payload'=>{
'BadChars'=>"\x00"
},
'Privileged'=>false,
'DisclosureDate'=>"",
'DefaultTarget'=>0))
'Privileged'=>false,
'DisclosureDate'=>'',
'DefaultTarget'=>0,
'Notes'=>{
'Stability'=>[CRASH_SAFE],
'Reliability'=>[REPEATABLE_SESSION],
'SideEffects'=>[ARTIFACTS_ON_DISK,IOC_IN_LOGS]
},
)
)
end
defcheck
@@ -99,7 +104,14 @@ end
* **Payloads** - The Payloads field specifies how the payload should be encoded and generated. You can specify: `Space`, `SaveRegisters`, `Prepend`, `PrependEncoder`, `BadChars`, `Append`, `AppendEncoder`, `MaxNops`, `MinNops`, `Encoder`, `Nop`, `EncoderType`, `EncoderOptions`, `ExtendedOptions`, `EncoderDontFallThrough`.
**DisclosureDate** - The DisclosureDate is about when the vulnerability was disclosed in public, in the format of: "M D Y". For example: "Apr 04 2014"
***DisclosureDate** - The DisclosureDate is about when the vulnerability was disclosed in public, in the format of: "M D Y". For example: "Apr 04 2014"
* **Notes** - The Notes field is a hash always containing three keys. The value of each key is an array of constants. The list of available constants can be found in the [[Definition of Module Reliability Side Effects and Stability|./Definition-of-Module-Reliability-Side-Effects-and-Stability.md]]. The key should be present even if the array is empty.
* **Stability** - The Stability field describes how the exploit affects the system it's being run on, ex: `CRASH_SAFE`, `CRASH_OS_DOWN`
* **Reliability** - The Reliability field describes how reliable the session is that gets returned by the exploit, ex: `REPEATABLE_SESSION`, `UNRELIABLE_SESSION`
* **SideEffects** - The SideEffects field describes the side effects cause by the exploit that the user should be aware of, ex: `ARTIFACTS_ON_DISK`, `IOC_IN_LOGS`, `ACCOUNT_LOCKOUTS`.
Your exploit should also have a `check` method to support the check command, but this is optional in case it's not possible.
This article will discuss the various libraries, dependencies, and functionality built in to metasploit for dealing with password hashes, and cracking them. In general, this will not cover storing credentials in the database, which can be read about [here](https://github.com/rapid7/metasploit-framework/wiki/Creating-Metasploit-Framework-LoginScanners#the-scan-block). Metasploit currently support cracking passwords with [John the Ripper](https://github.com/rapid7/metasploit-framework/tree/master/modules/auxiliary/analyze) and [hashcat](https://github.com/rapid7/metasploit-framework/pull/11695).
This article will discuss the various libraries, dependencies, and functionality built in to metasploit for dealing with password hashes, and cracking them. In general, this will not cover storing credentials in the database, which can be read about [[here|./Creating-Metasploit-Framework-LoginScanners.md]]. Metasploit currently support cracking passwords with [John the Ripper](https://github.com/rapid7/metasploit-framework/tree/master/modules/auxiliary/analyze) and [hashcat](https://github.com/rapid7/metasploit-framework/pull/11695).
# Hashes
@@ -9,7 +9,7 @@ Many modules dump hashes from various software. Anything from the OS: [Windows]
## Hash Identify Example
In this first, simple, example we will simply show loading the library and calling its function.
While Metasploit standardizes with the JtR format, the hashcat [library](https://github.com/rapid7/metasploit-framework/blob/master/lib/metasploit/framework/password_crackers/cracker.rb) includes the `jtr_format_to_hashcat_format` function to translate from jtr to hashcat.
@@ -123,14 +123,19 @@ JtR
For testing Hashcat/JtR integration, this is a common list of commands to import example hashes of many different types. When possible the username is separated by an underscore, and anything after it is the password. For example `des_password`, the password for the hash is `password`:
Welcome to Metasploit-land. Are you a Metasploit user who wants to get started or get better at hacking stuff (that you have permission to hack)? The quickest way to get started is to [download the Metasploit nightly installers](https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers). This will give you access to both the free, open-source Metasploit Framework and a free trial of Metasploit Pro.
Welcome to Metasploit-land. Are you a Metasploit user who wants to get started or get better at hacking stuff (that you have permission to hack)? The quickest way to get started is to [[download the Metasploit nightly installers|./Nightly-Installers.md]]. This will give you access to both the free, open-source Metasploit Framework and a free trial of Metasploit Pro.
If you're using [Kali Linux](https://kali.org/), Metasploit is already pre-installed. See the [Kali documentation](https://kali.org/docs/tools/starting-metasploit-framework-in-kali/) for how to get started using Metasploit in Kali Linux.
Are you anxious to get your [Metasploit Development Environment](https://github.com/rapid7/metasploit-framework/wiki/Setting-Up-a-Metasploit-Development-Environment) set up so you can start [[Landing Pull Requests]] and contributing excellent exploit code? If so, you're in the right place. If you're an exploit developer, you will want to review our [[Guidelines for Accepting Modules and Enhancements]] to find out what we expect when we see pull requests for new Metasploit modules. No idea what you should start working on? Check out the guidelines for [[contributing to Metasploit]], and dive into [[Setting Up a Metasploit Development Environment]].
Are you anxious to get your [[Metasploit Development Environment|./dev/Setting-Up-a-Metasploit-Development-Environment.md]] set up so you can start [[Landing Pull Requests]] and contributing excellent exploit code? If so, you're in the right place. If you're an exploit developer, you will want to review our [[Guidelines for Accepting Modules and Enhancements]] to find out what we expect when we see pull requests for new Metasploit modules. No idea what you should start working on? Check out the guidelines for [[contributing to Metasploit]], and dive into [[Setting Up a Metasploit Development Environment]].
# Getting Started #
@@ -33,7 +33,6 @@ Are you anxious to get your [Metasploit Development Environment](https://github.
- [[Exploit Ranking]]
- [[Module Reference Identifiers]]
- [[How to check Microsoft patch levels for your exploit]]
- [[How to clean up files using FileDropper]]
- [[How to deprecate a Metasploit module]]
- [[How to do reporting or store data in module development]]
- [[How to log in Metasploit]]
@@ -65,6 +64,7 @@ Are you anxious to get your [Metasploit Development Environment](https://github.
- [[Using ReflectiveDll Injection]]
- [[Oracle Usage]]
- [[Definition of Module Reliability, Side Effects, and Stability|./Definition-of-Module-Reliability-Side-Effects-and-Stability.md]]
@@ -7,7 +7,7 @@ An updated list of the application timeline can be found at https://developers.g
## Important Dates
- GSoC Applications Open: April 4th at 1800 UTC
- GSoC Applications Open: April 4th at 1800 UTC
- GSoC Applications Close: April 19th at 1800 UTC for 2022 GSoC applications. **No late submissions will be accepted, period.**
- Accepted applications announced: May 20th at 1800 UTC
- Programming Starts: June 13th.
@@ -19,16 +19,16 @@ An updated list of the application timeline can be found at https://developers.g
You can find the current list of GSoC ideas at [[GSoC-2022-Project-Ideas]]. Please see the note at the bottom of this page if you are interested in submitting your own idea, as this will require approval.
# Getting started
Students interesting in GSoC, can start by reading Google's official guides.
Students interesting in GSoC, can start by reading Google's official guides.
Review all of the [student guide](https://google.github.io/gsocguides/student/) and carefully read the [proposal writing section](https://google.github.io/gsocguides/student/writing-a-proposal.html).
A listed `idea` is a seed for GSoC students to expand on and propose how to design and implement a solution. You can start by investigating the code base and how existing users interaction with `msfconsole` functionality. Think through scenarios on how a user might want to interact with the proposed idea.
A place to get started with contributing to Metasploit is [here](https://github.com/rapid7/metasploit-framework/blob/master/CONTRIBUTING.md) and expanded on [here](https://github.com/rapid7/metasploit-framework/wiki/Contributing-to-Metasploit#framework-bugs-and-features).
A place to get started with contributing to Metasploit is [here](https://github.com/rapid7/metasploit-framework/blob/master/CONTRIBUTING.md) and expanded on [[here|./Contributing-to-Metasploit.md]].
GSoC mentors tend to look for those items that have a chance of making development and usage easier or improving the overall performance of a certain area, however by starting with understanding the most common contribution patten you can get familiar with the codebase and also the mindset of users. This will help you in creating a proposal with the end user in mind.
GSoC mentors tend to look for those items that have a chance of making development and usage easier or improving the overall performance of a certain area, however by starting with understanding the most common contribution pattern you can get familiar with the codebase and also the mindset of users. This will help you in creating a proposal with the end user in mind.
Once you have started digging feel free ask questions that help you understand the concepts you for the idea would like to propose.
@@ -50,14 +50,14 @@ A brief description of what you would like to work on. See [[GSoC-2022-Project-I
## Skillz
What programming languages are you familiar with, in order of proficiency? Most of Metasploit is written in Ruby; for any project you will most likely need at least a passing knowledge of it. If you want to work on Meterpreter or Mettle, C will be necessary as well.
What programming languages are you familiar with, in order of proficiency? Most of Metasploit is written in Ruby; for any project you will most likely need at least a passing knowledge of it. If you want to work on Meterpreter or Mettle, C will be necessary as well.
What other projects have you worked on before?
## Your project
Fill in the details. What exactly do you want to accomplish?
Fill in the details. What exactly do you want to accomplish?
# Past Submissions
If you are interested in looking at past accepted submissions and projects, you can find them at https://summerofcode.withgoogle.com/archive, and clicking on any year from 2017 onwards (with the exception of 2019 as Metasploit did not participate this year). Then click on the `Security` tag, and search for `Metasploit`. Scroll down to the bottom and you will see past successful applications and the associated code for each successful submission. Submissions from 2020 onwards also include copies of the proposal that was sent in by the accepted contributor.
The [HttpClient mixin](https://rapid7.github.io/metasploit-framework/api/Msf/Exploit/Remote/HttpClient) can be included with an exploit module in order to facilitate easier HTTP communications with a target machine.
The [HttpClient mixin](https://docs.metasploit.com/api/Msf/Exploit/Remote/HttpClient) can be included with an exploit module in order to facilitate easier HTTP communications with a target machine.
## There are mainly two common methods you will see:
* **[send\_request\_raw](https://rapid7.github.io/metasploit-framework/api/Msf/Exploit/Remote/HttpClient.html#send_request_raw-instance_method)** - You use this to send a raw HTTP request. Usually, you will want this method if you need something that violates the specification; in most other cases, you should prefer `send_request_cgi`. If you wish to learn about how this method works, look at the documentation for [`Rex::Proto::Http::Client#request_raw`](https://rapid7.github.io/metasploit-framework/api/Rex/Proto/Http/Client.html#request_raw-instance_method).
* **[send\_request\_raw](https://docs.metasploit.com/api/Msf/Exploit/Remote/HttpClient.html#send_request_raw-instance_method)** - You use this to send a raw HTTP request. Usually, you will want this method if you need something that violates the specification; in most other cases, you should prefer `send_request_cgi`. If you wish to learn about how this method works, look at the documentation for [`Rex::Proto::Http::Client#request_raw`](https://docs.metasploit.com/api/Rex/Proto/Http/Client.html#request_raw-instance_method).
Here's a basic example of how to use `send_request_raw`:
```ruby
send_request_raw({'uri'=>'/index.php'})
```
* **[send\_request\_cgi](https://rapid7.github.io/metasploit-framework/api/Msf/Exploit/Remote/HttpClient.html#send_request_cgi-instance_method)** - You use this to send a more CGI-compatible HTTP request. If your request contains a query string (or POST data), then you should use this. If you wish to learn about how this method works, check out [`Rex::Proto::Http::Client#request_cgi`](https://rapid7.github.io/metasploit-framework/api/Rex/Proto/Http/Client.html#request_cgi-instance_method).
* **[send\_request\_cgi](https://docs.metasploit.com/api/Msf/Exploit/Remote/HttpClient.html#send_request_cgi-instance_method)** - You use this to send a more CGI-compatible HTTP request. If your request contains a query string (or POST data), then you should use this. If you wish to learn about how this method works, check out [`Rex::Proto::Http::Client#request_cgi`](https://docs.metasploit.com/api/Rex/Proto/Http/Client.html#request_cgi-instance_method).
@@ -31,7 +31,7 @@ send_request_cgi({
## Cookies & CookieJars
Part of send\_request\_cgi functionality is the ability to collect, edit, and send cookies via the HttpClient's `cookie_jar` variable, an instance of the [HttpCookieJar](https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit/remote/http/http_cookie_jar.rb) class.
Part of send\_request\_cgi functionality is the ability to collect, edit, and send cookies via the HttpClient's `cookie_jar` variable, an instance of the [HttpCookieJar](https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit/remote/http/http_cookie_jar.rb) class.
A HttpCookieJar is a collection of [HttpCookie](https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit/remote/http/http_cookie.rb). The Jar can be populated manually with it's `add` method, or automatically via the `keep_cookies` option that can be passed to [send\_request\_cgi](https://github.com/rapid7/metasploit-framework/blob/92d981fff2b4a40324969fd1d1744219589b5fa3/lib/msf/core/exploit/remote/http_client.rb#L385).
@@ -59,7 +59,7 @@ res = @http_client.send_request_cgi({
}
})
```
The cookies returned by the server with a successful login need to be attached to all future requests, so `'keep_cookies' => true,` is used to add all returned cookies to the HttpClient CookieJar and attach them to all subsequent requests.
The cookies returned by the server with a successful login need to be attached to all future requests, so `'keep_cookies' => true,` is used to add all returned cookies to the HttpClient CookieJar and attach them to all subsequent requests.
### `cookie` option
Shown below is the request used to login to a gitlab account in the [artical\_proxy\_auth\_bypass\_service\_cmds\_peform\_command\_injection module](https://github.com/rapid7/metasploit-framework/blob/92d981fff2b4a40324969fd1d1744219589b5fa3/modules/exploits/linux/http/artica_proxy_auth_bypass_service_cmds_peform_command_injection.rb#L115)
@@ -136,7 +136,7 @@ register_options(
)
```
**2** - Load your TARGETURI with [`target_uri`](https://rapid7.github.io/metasploit-framework/api/Msf/Exploit/Remote/HttpClient.html#target_uri-instance_method), that way the URI input validation will kick in, and then you get a real `URI` object:
**2** - Load your TARGETURI with [`target_uri`](https://docs.metasploit.com/api/Msf/Exploit/Remote/HttpClient.html#target_uri-instance_method), that way the URI input validation will kick in, and then you get a real `URI` object:
In this example, we'll just load the path:
@@ -144,7 +144,7 @@ In this example, we'll just load the path:
uri=target_uri.path
```
**3** - When you want to join another URI, always use [`normalize_uri`](https://rapid7.github.io/metasploit-framework/api/Msf/Exploit/Remote/HttpClient.html#normalize_uri-instance_method):
**3** - When you want to join another URI, always use [`normalize_uri`](https://docs.metasploit.com/api/Msf/Exploit/Remote/HttpClient.html#normalize_uri-instance_method):
Example:
@@ -164,8 +164,6 @@ Please note: The `normalize_uri` method will always follow these rules:
Occasionally, you might not want your user to change the filename at all. A lazy trick to do that is by modifying the ```FILENAME``` datastore option at runtime, but this is very much not recommended. In fact, if you do this, you will not pass [msftidy](https://github.com/rapid7/metasploit-framework/wiki/Guidelines-for-Accepting-Modules-and-Enhancements#module-additions). Instead, here's how it's done properly:
Occasionally, you might not want your user to change the filename at all. A lazy trick to do that is by modifying the ```FILENAME``` datastore option at runtime, but this is very much not recommended. In fact, if you do this, you will not pass [[msftidy|./Guidelines-for-Accepting-Modules-and-Enhancements.md]]. Instead, here's how it's done properly:
In some exploitation scenarios such as local privilege escalation, command execution, write privilege attacks, SQL Injections, etc, it is very likely that you have to upload one or more malicious files in order to gain control of the target machine. Well, a smart attacker shouldn't leave anything behind, so if a module needs to drop something onto the file system, it's important to remove it right after the purpose is served. And that is why we created the FileDropper mixin.
## Examples
The FileDropper mixin is a file manager that allows you to keep track of files, and then delete them when a session is created. To use it, first include the mixin:
```ruby
includeMsf::Exploit::FileDropper
```
Next, tell the FileDropper mixin where the file is going to be after a session is created by using the ```register_file_for_cleanup``` method. Each file name should either be a full path or relative to the current working directory of the session. For example, if I want to upload a payload to the target machine's remote path: ```C:\Windows\System32\payload.exe```, then my statement can be:
Metasploit has a handy `cleanup` method that is always called when the module terminates, whether it is successful or not. This method can be overridden by any modules to add their own cleanup routines. For example, this might be useful to put some files back on the target after the module had deleted them. Another scenario would be to restore the settings in a web application that were modified by the exploit. This is the right place to clean things up.
Framework itself implements this method to disconnect connections, call the handler cleanup routines, etc. Some other mixins, such as the `Msf::Exploit::FileDropper` (see the next [section](#filedropper-mixin)) or `Msf::Exploit::Remote::Kerberos::Client`, override this method to add their own cleanup code. It is extremely important to **always** call `super` in your `cleanup` method to make sure Framework and any other mixins clean up themself properly.
Here is an example that restores a configuration file after being deleted by the module:
```ruby
defcleanup
unlessself.conf_content.nil?
write_file(self.conf_file,self.conf_content)
end
super
end
```
Here is another example of a `cleanup` method that deletes a temporary Git repository:
In some exploitation scenarios such as local privilege escalation, command execution, write privilege attacks, SQL Injections, etc, it is very likely that you have to upload one or more malicious files in order to gain control of the target machine. Well, a smart attacker shouldn't leave anything behind, so if a module needs to drop something onto the file system, it's important to remove it right after the purpose is served. And that is why we created the FileDropper mixin.
The [FileDropper mixin](https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit/file_dropper.rb) is a file manager that allows you to keep track of files, and then delete them when a session is created. To use it, first include the mixin:
```ruby
includeMsf::Exploit::FileDropper
```
Next, tell the FileDropper mixin where the file is going to be after a session is created by using the `register_file_for_cleanup` method. Each file name should either be a full path or relative to the current working directory of the session. For example, if I want to upload a payload to the target machine's remote path: `C:\Windows\System32\payload.exe`, then my statement can be:
@@ -2,7 +2,7 @@ This is an update of the original blog post about how to get Oracle support work
Due to licensing issues, we cannot ship Oracle's proprietary client access libraries by default. As a result, you may see this error when running a Metasploit module:
```
```msf
msf auxiliary(oracle_login) > run
[-] Failed to load the OCI library: cannot load such file -- oci8
@@ -11,7 +11,7 @@ msf auxiliary(oracle_login) > run
msf auxiliary(oracle_login) > run
```
or
```
```msf
msf5 auxiliary(scanner/oracle/oracle_hashdump) > run
[-] Failed to load the OCI library: cannot load such file -- oci8
I tricked you. We don't let anybody write Meterpreter scripts anymore, therefore we will no longer teach you how.
[You should try writing post modules instead](https://github.com/rapid7/metasploit-framework/wiki/How-to-get-started-with-writing-a-post-module).
[[You should try writing post modules instead|./How-to-get-started-with-writing-a-post-module.md]].
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Metasploit