This PR fixes a stack trace thrown by the forge_ticket
module when the SPN datastore option was left blank. The module
now fails due to bad-config and gives a detailed error message.
This PR adds a module for an unauthenticated RCE vulnerability
in Maltrail, a malicious traffic detection system. This vuln
does not have a CVE associated with it.
This PR adds support for detecting whether a session is
running in a podman container and improves detection for
sessions running in Docker, LXC and WLS containers.
The connection needs to slowly send data to the remote end for
stability. Additionally, the `exit` command should be issued when
closing the connction so it is reset back to the logon prompt.
Windows shells require an extra configuration that when present still
doesn't offer either the cmd.exe or powershell session that MSF expects
but rather a SAC shell.
AWS EC2 Nitro instances (and possibly others) support serial proxy
over SSH using the Instance Connect API:
https://docs.amazonaws.cn/en_us/AWSEC2/latest/UserGuide/
connect-to-serial-console.html
This process consists of sending an SSH pubkey to the serial proxy
control plane, connecting to a well-known URL with the instance ID
and port number as username, and the SSH private key as credential.
The resulting session is a "fragile" SSH context which does not
tolerate Channel-closing, requiring some special handling in Msf to
safeguard the initial Net::SSH::CommandStream.
Implement a BindAwsInstanceConnect Handler which loads an SSH key
from the local FS or generates a new one on the fly, passes the
pubkey to the InstanceConnect API, and then establishes SSH comms
with the InstanceConnect SSH proxy.
Implement a AwsInstanceConnectBind to handle resulting connetions,
derived from SshCommandShellBind, with an updated #bootstrap which
avoids meddling with the fragile CommandStream/Channel.
Testing:
Got serial console to the ttyS0 login prompt of a Nitro EC2 VM.
Logged in using previously-known credentials.
Verified console operations.
Notes:
Handler keeps firing, same as the SSM session concern.
There is a limit to the number of sessions which an instance can
hold (possibly only one).
This updates the aarch64 payloads to include comments with the
corresponding instructions for each little-endian integer. It also fixes
the debug output for x64 payloads under rosetta.
This module exploits a vulnerability in pfSense version
2.6.0 and below which allows for authenticated users to
execute arbitrary operating systems commands as root.
* Msftidy complains about Line 2 of the exploit template comment having
* http:// protocol instead of https:// protocol
* Reference in PR #18170, commit hash ad0d3e79, where Msftidy lint test fails
* to pass, but in the next commit 591fee18, the test passes.
* Small fixes in Description - removed backticks
* Implemented Windows Command target
* Removed PowerShell Stager, in Targets and in exploit method
* Implemented Rex::Socket::Tcp in place of TCPSocket
* Updated TARGET section in documentation
* Added TARGET 0 - Windows Command scenario
* Removed PowerShell Stager scenario
* Replaced 'Using configured payload' lines to use Windows Command payload
for the 2nd, 3rd, and 4th scenarios. Did not rerun the scenarios, however
The _AppDomainPtr, _AssemblyPtr and _MethodInfoPtr variables are COM smart pointers which will auto-Release() when they go out of scope, so we should not directly Release() them.
This reverts commit f97ab80224, reversing
changes made to c8f942cc03.
This change impacted the default `psexec` powershell target and needs further
testing to be reintroduced.
This adds support for the dyld changes incorperated into Sonoma and
cleans up the existing support for Ventura. This does not break
compatibility with previous versions.
This adds support for the dyld changes incorperated into Ventura which
includes changes to the symbols used. This does not break compatibility
with previous versions.
This commit adds the sign method to Payload::MachO which performs a
basic SHA256 signature update on the provided macho to enable it to run
under osx aarch64 systems.
This builds on Back from the dyld by adding the required aarch64
assembly code to enable the OSX loader to run on the m1. This enables
the use of native payloads on M1 or M2 devices that do not have Rosetta
installed.
When the entry point is after the payload, there woud occassionally be
cases where `poff` and `eidx` to be invalid, causing `entry` to be
truncated. `poff` should never be negative and `eidx` should reserve the
256 bytes that `entry` may occupy.
The script generated by the web_delivery module is blocked
by the Antimalware Scan Interface (AMSI) on newer versions
of windows. This PR allows the script to bypass AMSI.
Get all instances if limit is not set, improve output slightly.
Note: `inst.network_interfaces.select {|iface| iface.association}`
appears to have problems with multiple calls at run time - says
that the AWS SDK is trying to call `:[]` on `nil` but works in Pry.
Move debugging info into same file and make markdown match standards
Add more info on Pry debugging using Alan David Foster's explaination
Fix up broken URL links and format new URL links correctly
Fix up formatting and add information on Debug.gem supported commands
* Update modules landed as a scanner into a more appropriate category.
* Adds a check method based on TP-link default `TITLE` html.
* Rename module consistent with existing exploit.
Previously there was not the ability to restore the server proxy setting.
This updates the code to do so. Additionally this also updates the documentation
to note that Fetch payloads are incompatible with this module since they
use HTTP connections that will be impacted by this module changing the server's
HTTP proxy settings. There is no way around this.
The size requriement is used when the adapted payload is executed from
the command line but that's not the case for the fetch payloads which
execute a command to fetch the payload from a URL. The payload size
doesn't matter because it's included in the executable file hosted at
the URL.
* Prevent using post modules with the session
It doesn't work reliably because of winpty and how the output is
mangled.
* Set the limit correctly
* Fix Linux PTY downgrade issues
* Remove filtering
The filtering implementation is incomplete and unnecessary.
Filtering is unnecessary because Linux sessions execute a stub on
session start up that uses a combiantion of stty and a fifo to emulate a
PTY-less session. Windows sessions do not need filtering because they
have been explictly marked as being incompatible with the Post API which
is confused by the extra characters.
The filtering implementation is incomplete because it does not account for
echo fragments that are split across lines. It also does not account for
all of the ANSI escape codes.
* Add module docs for enum_ssm
The function required a filter argument, but not every query has a
filter. By removing it, we can reuse the same logic for other operations
including modifications.
* Revert "shell_command_token_base get 0th output index"
This reverts commit 3a4cb3560f.
* Correct the order of arguments to #set_term_size
* Fix paths for directory checks
The path C:\ ends with a trailing backslash which will cause bash to
wait for another line if input. This places the shell in an undesirable
state.
* Fix post module tests for Linux
* Remove the command document
This hasn't been tested and it's unclear under what conditions this
would be used.
* Fix Windows SSM sessions
---------
Co-authored-by: Spencer McIntyre <zeroSteiner@gmail.com>
The exists? method in post/file has a different implementation for
PSH sessions than other shells which are testing for the existence
of a path, not the presence of a file.
Fix this by replacing [System.IO.File]::Exists with Test-Path.
Testing:
```
PS C:\Windows\system32> [System.IO.File]::Exists("C:\")
False
PS C:\Windows\system32>test-path C:\
PS C:\Windows\system32> test-path C:\
True
```
There was an issue in the ACE processing where only ACEs corresponding
to an object were processed for SIDs with enrollment rights. The
processing should also process ACEs that grant the enrollment right and
are not related to any objects. In other words, only ACEs associated
with an object that is neither the CERTIFICATE_ENROLLMENT_EXTENDED_RIGHT
or CERTIFICATE_AUTOENROLLMENT_EXTENDED_RIGHT right should be ignored.
- Put all the error-disabling statements on a single line
- Remove some useless spaces
- Use `stristr(…)` (available since PHP4) instead of `strpos(strtolower(…))`
- Use `&&` instead of `and`
- Use backticks instead of `passthru`, since they're equivalent: https://www.php.net/manual/en/language.operators.execution.php
MessagePack 1.7.0 gem introduced code not compatible with the current
build env used for nightly packages. This may be addressed in several
ways and has been reported upstream. Lock the version a until a path
forward is determined.
* Improve base login scanner to catch any Exception
* Catch any Exception in SNMP scanner that overrides base method
* Expand connection errors possible in PostgreSQL scanner
Update the enum_ssm module to use the correct session type with the
appropriate platform. Also set the session information to the same
string which also removes the eye sore that is the shell banner.
Fixed some typos, took into account the comment from jvoisin to infer fields from the JSON reply, used fail_with as suggested by jheysel-r7, fixed a rubocop warning about a redundant begin block.
Update the enum_ssm module to use the correct session type with the
appropriate platform. Also set the session information to the same
string which also removes the eye sore that is the shell banner.
This module exploits a publically accessible endpoint in
SPIP that results in code execution in the context of the
user running the webapp (CVE-2023-27372).
Rex::Proto::DNS::Resolver is currently unable to approximate the
host OS' native resolver because:
1. It cannot cache responses and has to go out to its defined NS'
each time to query for the answers,
2. Because it is not aware of the system's hostsfile entries which
can result in leaks/mis-targeted execution, and a bunch of other
unpleasantly nuanced problems.
Address the concern by:
1. Creating a descendant CachedResolver class from
Rex::Proto::DNS::Resolver, with a #send method override which
performs cache query and population.
2. Moving the Cache class up one namespace to Rex::Proto::DNS and
updating the server accordingly.
3. Fixing the MATCH_HOSTNAME regex in Rex::Proto::DNS::Constants to
allow a short-name (vs FQDN) and creating a relevant MATCH_FQDN.
TODO:
1. Deal with adding search domains from the system to short-name
queries and records; if we decide this is a good idea (potential
for leaks).
2. Look at performance optimization for multiple concurrent queries
via singleton/refcounted/other optimized concurrent access patters.
Testing:
1. Pry-level tests of the objects edited/created in this PR. Needs
some runtime testing to QA.
Both the reference links in this one are dead, replacing with archive.org links.
Much like https://github.com/rapid7/metasploit-framework/pull/17825, I'll be doing these ad-hoc for a little bit until I figure out a reliable way to do a load of them in one batch.
This module exploits an undocumented backdoor vulnerability
(CVE-2019-7276) in the Optergy Proton and Enterprise Building
Management System (BMS) applications.
The Secunia links in the framework were dead. They have
now been restored using the wayback machine to grab
replacement links from the earliest date possible.
The default action "Malformed Packet" reports all users as found even
though they don't exist.
Setting "CHECK_FALSE" to true will make the scanner bail out as it
realizes the target is patched.
This pull request adds an exploit module for CVE-2022-21587
an arbitrary file upload vulnerability in Oracle Web Applications
Desktop Integrator as shipped with 12.2.3 through to 12.2.11
which results in RCE
Fix #query_ldap to use the API provided by Windows instead of dealing
with the opaque BER data structures. This means that querying is now
reliant on documented APIs and will function on both 32-bit and 64-bit
Meterpreters.
Using #arch instead of #native_arch means that the Python Meterpreter
will be misclassified as ARCH_PYTHON and will be unable to use util
functions correctly.
Update railgun to handle pointer return types. If the type that is
pointed to is known (i.e. PCHAR, PULONG_PTR) and not LPVOID, the
contents returned to the caller. The raw address is also returned in the
&return key to enable the caller to free the buffer if necessary which
is determined by the function that was called.
This references the main dll/template.c code as the mixed-mode variant
already does. This will make future changes easier as we won't need to
copy them from the main to this one.
See https://github.com/rapid7/metasploit-framework/pull/8509 for the
origin of these files.
Implement reverse shell over SCTP in Python.
During testing against Arch Linux with Python 3.10.9, any attempt
to interact with the resulting shell produced:
```
Traceback (most recent call last):
File "/tmp/shell.py", line 12, in <module>
so.send(o)
OSError: [Errno 22] Invalid argument
```
Implement handling for OSError 22 on the send() method for the
abnormal stream socket.
Testing:
Tested against local KVM virtual machine running Arch Linux
With the introduction of SCTP socket support in Rex::Socket via
https://github.com/rapid7/rex-socket/pull/56, Framework can utilize
this protocol for session transports similarly to TCP as it is a
stream-wise transport.
Implement bind and reverse handlers for the new socket type.
Implement example bind and reverse payloads using socat copying
from the initial udp sessions implementation.
Testing:
Rudimentary bind session test against local Libvirt Linux VM
Next steps:
Implement the language-level payloads for the interpreters common
to POSIX environments supporting SCTP.
Implement meterpreter transports for SCTP in Python, PHP, Mettle,
and Java modalities (Windows doesn't support it without carrying
its own usermode protocol library).
Create an AwsSsmCommandShellBind session type to provide intercept
points for shell command interactions and a wrapper class which is
used to register the new session.
Update Msf::Handler::BindAwsSsm with its own #create_session method
utilizing the new session type to provide direct control of session
initialization.
Restore standard handler attributes and thread nomenclature in an
attempt to resolve the repeating session creation when #to_handler
is called on the payloads.
Testing:
Tested in local framework, unfortunately the recurring session
init problem appears to persist. Requesting testing on an upstream
Framework by saner folks.
Update SSM handler code to standardize datastore option names per
@zeroSteiner.
Update payload modules to reflect the OS targets against which they
are to execute.
Update the name of the ReverseListenerBindAddress (instead of ReverseListenserBindHost) because that seems to be works.
```
msf6 exploit(multi/http/tomcat_jsp_upload_bypass) > set ReverseListenerBindHost 172.17.0.2
[-] Unknown datastore option: ReverseListenerBindHost. Did you mean ReverseListenerBindPort?
msf6 exploit(multi/http/tomcat_jsp_upload_bypass) > set ReverseListenerBindAddress 172.17.0.2
ReverseListenerBindAddress => 172.17.0.2
```
- Made an error in the original research where the TLV had a type
and a index, when it only has a type and a modifier that makes
it into a TV (Type and Value, no Length).
- A TV has its value where the Length would be on a TLV.
- Also added a note on the endieness being correct/working because
endieness has no impact in the message being used to exploit the
vulnerability.
Bail out of console resize operation if ::IO.console doesn't exist
Enforce REGION datastore option and remove the multi-region enum
code by Aaron - users can write resource scripts if they need
automation.
Removing the call to .map over args[:datastore_options] avoids an unnecessary call to Msf::DataStore#import_options_from_s. args[:datastore_options] is already a hash, converting it to string and using Msf::DataStore#import_options_from_s converts it back to hash, which is not necessary. The Msf::Simple::Module mixin already offers support for Options, which is expected to be a hash.
This change also prevents sending corner case option strings to Msf::DataStore#import_options_from_s when using post modules, which does not support strings like: "COMMAND='date --date=2023-01-01'".
Add a post module for credential extraction from WhatsUp Gold instances
on Windows hosts. The module should theoretically decrypt ciphertext
from any version of WhatsUp Gold, although it has only been verified
working on WhatsUp Gold versions 11.0 through 22.0.
Changed the SQL queries for DB dump to explicit VARCHAR(4096) to get
around sqlcmd's 256-char column limit.
Refactored the BATCH_DPAPI functionality because I can't seem to let
this pattern go: now actually batches with byte threshold set by
advanced option.
Reduced clutter and redundancy.
Various tweaks and bug fixes.
Updated documentation.
Expand SSM enumeration module docs to explain full functionality.
Enable the LIMIT configuration option to restricte results per
region.
Implement FILTER_EC2_ID configuration option to permit targeting
of a specific instance for session initiation.
Testing:
Finds limtied sets of systems and initiates sessions
Finds desired system ID and initiates session
The SSM session socket times out without data being sent at the
upper (SSM) WS layer. Implement keep-alive in a separate thread
which simply writes nothing into the channel at irregular intervals
to simulate user activity.
Testing:
Sessions established with this code running have not timed-out
in over 15m despite being completely unused
Enable session acquisition from AWS SSM enumeration module simiar
to how the telnet login scanner acquires sessions on the sockets
exposed.
Testing
Tested execution - finds systems, gets shells, autopwn-capable
Coopt Aaron Soto's EC2 enum module & replace the guts with an SSM
query for not-terminated EC2 instances with SSM capability. This
will proide users with the instance IDs needed to test their SSM
shells and can be expanded to report information or even act as a
"brute-force" module which automatically starts SSM sessions.
Testing:
None - might eat your monitor lizard
Implement terminal resizing to WebSocket shell
Reorganize code to ease later extension
Implement peerinfo in channel context from AWS EC2 SSM information
gathered during session validation
Implement echo-filtering for session inputs (hacky, but works)
Testing:
Verified console resizing, color/reset/etc
Verified peerinfo and interaction
Verified common session operations
Notes:
SSM WebSocket sessions time out pretty quickly, implementing
dedicated SSM session types which support suspend/resume to match
backgrounding/foregrounding operations in the console should help
to resolve this. Alternatively, a keep-alive using empty frames
may be implemented in the SsmChannel itself on a separate thread.
Alter WebSocket::Interface::Channel to accept a mask_write flag to
set the Channel behavior for outgoing data (since the on_data_write
handler can only deal with the buffer provided, not how the wsframe
containing it is written to the "wire"). Set the flag to false for
SSM's WebSocket operations.
Extract Rex::Proto::Http::WebSocket::AmazonSsm from the handler to
permit reuse by other framework elements.
Implement SSM-specific UUID handling.
Create sane SsmFrame constructor to permit convenient operations.
Implement Http::WebSocket::AmazonSsm::Inteface::SsmChannel from
Http::WebSocket::Inferface::Channel with message-type handling and
output processing. Acknowledge incoming messages, process incoming
acknowledgements, increment sequence IDs appropriately, and handle
basic logging.
This new session type removes the 2500 char output restriction and
stateless peer cwd.
Testing:
Execution of handler now provides stateful interactive shells
Next steps:
More testing, preferably by other people with upstream framework.
Peerinfo and presentation updates for the session channel
Misc cleanup
Future work:
Implement new SSM session type with support for multi-console,
port-forwarding/socket routing, and custom SSM documents.
Implement FSM handlers for session suspension and resumption in
Http::WebSocket::AmazonSsm::Interface::SsmChannel
Create BinData structure to handle the proprietary format of AWS'
SSM WebSocket protocol. Implement relevant inter-field dependencies
and a virtual payload_valid field to handle the SHA256 digest check
for the current state of r the payload_data field.
Implement user-accessible SSM document definition to permit use of
custom-defined command and session documents (stubbing for session
types such as port-forwarding) which may be of use when dealing
with restrictive IAM.
Restructure handler in preparation for moving the WebSocket code
into Rex::Proto for use by other consumers such as custom payloads
and session types like fully interactive (vs REPL) modalities, or
some form of "cloud-native" MeterSSM.
Testing:
Verified acquisition of SSM WS frame and relevant field ops
Next Steps:
Create WS loop to abstract shell communications
Wrap in Rex*Abstraction bowties for the session handler
Test -> ? -> Profit
Using the implementation in https://github.com/humanmade/ssm, use
the onconnect websocket authenticator as a JSON string written as
a wstext Frame into the established WebSocket. This keeps the sock
open with AWS after returning it from the method, but subsequent
operations will require definition and encoding/decoding of SSM's
proprietary data structures.
Testing:
The initialized WebSocket is kept open and returns wsframes when
requested.
Next steps:
Port the various data structures from the JavaScript library
Implement encoding & decoding for their wire-level formats
Implement state management and data flow handling logic for
the WS SSM protocol.
Port WebSocket initiation routine from Exploit::Remote::HttpClient.
Currently inert since it appears to require a handshake procedure
along with its own type of data frame.
Implement graceful fail-down for session establishment which tries
to initiate a WebSocket session for proper functionality, failing
down to the script-execution style session abstraction if the WS
session does not marshal properly. Use this exception handling to
deal with the WIP WS session state.
Testing:
Gets the same kind of command-abstracted session as before
Interface-extended socket returns garbage from naive #write and
nothing from put_string or put_binary - not going to get anything
out of this thing until we establish the handshake procedure.
Next steps:
Figure out data frame structures for handshake and console IO
Implement handshake on-init, validate state
Implement IO abstraction for the resulting Channel for handoff
to #handle_connection
Amazon Web Services provides conveniently privileged backdoors in
the form of their SSM agents which do not require connectivity with
the target instance, merely valid credentials to AWS' API. Due to
this indirect "connection" paradigm, this mechanism can be used to
control otherwise "air-gapped" targets.
This approach abstracts asynchronous request/response parsing for
SSM requests into an IO channel with which the AWS SSM client is
then wrapped to emulate the expected Stream. The mechanism is rather
raw and could use better error handling, retries on laggy output,
and a threadsafe cursor implementation. It may be possible to start
an actually interactive session using the #start_session method in
the AWS client library, but so far testing has not yielded positive
results.
There is a significant limitation with these sessions not present
in normal stream-wise abstractions: a response limit of 2500 chars.
This limitation can be overcome by utilizing an S3 bucket to store
command output; however, due to the nature of access we seek to
obtain, it would not only add to the logged event loads but retain
the results of our TTPs in a "buffer" accessible to other people.
This functionality can be added down the line in the form of S3
config options in the handler to be passed into the SSM client for
command execution and acquisition of output.
Testing:
Gets sessions, provides command IO, leaves a bunch of log entries
in CloudTrail (something to keep in mind for opsec considerations).
Next steps:
Reorganize our WebSocket code a bit to provide connection and WS
state management inside Rex::Proto::Http::Client which can then be
exposed to the Handler without having to mix-in other namespaces
from Exploit.
Use the #start_session SSM Client method to extract the WS URL
for the relevant channel, and utilize that as the underpinning for
our session comms.
I think all exploit modules should "report" in the check method when finding a vulnerable
product. By doing that we can take advantage of all check methods in the exploit module
and use them as a "scanner". That would give the chance for the user to check multiple
simultaneously targets and save the result for further actions.
Closing this issue. If you believe this issue has been closed in error, please provide any relevant output and logs which may be useful in diagnosing the issue.
`
},
attic: {
close: true,
comment: `
Thanks for your contribution to Metasploit Framework! We've looked at this issue, and unfortunately we do not currently have the bandwidth to prioritize this issue.
We've labeled this as \`attic\` and closed it for now. If you believe this issue has been closed in error, or that it should be prioritized, please comment with additional information.
Thank you for your interest in making Metasploit -- and therefore, the
world -- a better place! Before you get started, please review our [Code of Conduct](https://github.com/rapid7/metasploit-framework/wiki/Code-Of-Conduct). This helps us ensure our community is positive and supportive for everyone involved.
world -- a better place! Before you get started, please review our [Code of Conduct](./CODE_OF_CONDUCT.md). This helps us ensure our community is positive and supportive for everyone involved.
## Code Free Contributions
Before we get into the details of contributing code, you should know there are multiple ways you can add to Metasploit without any coding experience:
@@ -15,9 +15,9 @@ Before we get into the details of contributing code, you should know there are m
## Code Contributions
For those of you who are looking to add code to Metasploit, your first step is to set up a [development environment]. Once that's done, we recommend beginners start by adding a [proof-of-concept exploit from ExploitDB,](https://www.exploit-db.com/search?verified=true&hasapp=true&nomsf=true) as a new module to the Metasploit framework. These exploits have been verified as recreatable and their ExploitDB page includes a copy of the exploitable software. This makes testing your module locally much simpler, and most importantly the exploits don't have an existing Metasploit implementation. ExploitDB can be slow to update however, so please double check that there isn't an existing module before beginning development! If you're certain the exploit you've chosen isn't already in Metasploit, read our [writing an exploit guide](https://github.com/rapid7/metasploit-framework/wiki/Get-Started-Writing-an-Exploit). It will help you to get started and avoid some common mistakes.
For those of you who are looking to add code to Metasploit, your first step is to set up a [development environment]. Once that's done, we recommend beginners start by adding a [proof-of-concept exploit from ExploitDB,](https://www.exploit-db.com/search?verified=true&hasapp=true&nomsf=true) as a new module to the Metasploit framework. These exploits have been verified as recreatable and their ExploitDB page includes a copy of the exploitable software. This makes testing your module locally much simpler, and most importantly the exploits don't have an existing Metasploit implementation. ExploitDB can be slow to update however, so please double check that there isn't an existing module before beginning development! If you're certain the exploit you've chosen isn't already in Metasploit, read our [writing an exploit guide](https://docs.metasploit.com/docs/development/developing-modules/guides/get-started-writing-an-exploit.html). It will help you to get started and avoid some common mistakes.
Once you have finished your new module and tested it locally to ensure it's working as expected, check out our [guide for accepting modules](https://github.com/rapid7/metasploit-framework/wiki/Guidelines-for-Accepting-Modules-and-Enhancements#module-additions). This will give you a good idea of how to clean up your code so that it's likely to get accepted.
Once you have finished your new module and tested it locally to ensure it's working as expected, check out our [guide for accepting modules](https://docs.metasploit.com/docs/development/maintainers/process/guidelines-for-accepting-modules-and-enhancements.html#module-additions). This will give you a good idea of how to clean up your code so that it's likely to get accepted.
Finally, follow our short list of do's and don'ts below to make sure your valuable contributions actually make it into Metasploit's master branch! We try to consider all our pull requests fairly and in detail, but if you do not follow these rules, your contribution
will be closed. We need to ensure the code we're adding to master is written to a high standard.
@@ -83,7 +83,7 @@ If you need some more guidance, talk to the main body of open source contributor
Finally, **thank you** for taking the few moments to read this far! You're already way ahead of the
curve, so keep it up!
[Code of Conduct]:https://github.com/rapid7/metasploit-framework/wiki/CODE_OF_CONDUCT.md
[Code of Conduct]:https://docs.metasploit.com/docs/code-of-conduct.html
[Submit bugs and feature requests]:http://r-7.co/MSF-BUGv1
[Help fellow users with open issues]:https://github.com/rapid7/metasploit-framework/issues
[help fellow committers test recently submitted pull requests]:https://github.com/rapid7/metasploit-framework/pulls
To learn how to generate <%= mod.fullname %> with msfvenom, please [read this](https://github.com/rapid7/metasploit-framework/wiki/How-to-use-msfvenom).
To learn how to generate <%= mod.fullname %> with msfvenom, please [read this](https://docs.metasploit.com/docs/using-metasploit/basics/how-to-use-msfvenom.html).
warning"Invalid docs link syntax found on line #{el.options[:location]}: Invalid relative link #{link_href} found. Please use the syntax [[#{link_text}|#{link_href}]] instead"
warning"Invalid docs link syntax found on line #{el.options[:location]}: Invalid absolute link #{link_href} found. Please use relative links instead, i.e. [[#{link_text}|#{example_path}]] instead"
Maintainers can assign labels to both issues and pull requests.
### Attic
When we move something to the attic it means that what you submitted is a thing that we want but the circumstances were not quite right for landing it. Sometimes this is on us, and sometimes the contribution needs more work. We recognize that contributors work on the PRs they submit at their own pace. Take a look at the comments and review suggestions on your PR, and feel free to re-open it if and when you have time to work on it again. Don't think you'll be able to get it across the finish line? Find a community champion to do it for you.
### Bug
Any PR that fixes a bug or an issue that raises awareness of a bug in the framework.
### Breaking Change
Features that are great, but will cause breaking changes and should be deployed on a large release.
### Code Quality
When a PR improves code quality.
### Confirmed
Specifically for issues that have been confirmed by a committer.
### Docs
Documentation changes, such as YARD markup, or README.md, or something along those lines.
### External
### External Modules
Touches something in /external, or the Gemfile, or something like that.
PRs dealing with modules run as their own process.
### Heartbleed
Has to do with heartbleed. This will go away soon, but there are three outstanding still...
### Hotness
Something we're really excited about.
### Library
Touches something in /lib.
@@ -26,20 +50,20 @@ Plugins and scripts, anything that's not otherwise defined.
### Module
Touches something in /modules
Touches something in /modules.
### Specs
### Needs Linting
Has specs (an rspec test)
The module needs additional work to pass our automated linting rules.
### Needs More Information
The issue lacks enough detail to replicate/resolve successfully.
### Newbie Friendly
Something that's pretty easy to test or tackle.
### attic
When we move something to the attic it means that what you submitted is a thing that we want but the circumstances were not quite right for landing it. Sometimes this is on us, and sometimes the contribution needs more work. We recognize that contributors work on the PRs they submit at their own pace. Take a look at the comments and review suggestions on your PR, and feel free to re-open it if and when you have time to work on it again. Don't think you'll be able to get it across the finish line? Find a community champion to do it for you.
### Needs unique branch
Your submitted a PR from your `master` branch.
@@ -49,4 +73,74 @@ Because of how GitHub tracks changes between branches and what got added in a pa
git checkout -b <BRANCH_NAME>
git push <your_fork_remote> <BRANCH_NAME>
```
This helps protect the process, ensure users are aware of commits on the branch being considered for merge, allows for a location for more commits to be offered without mingling with other contributor changes and allows contributors to make progress while a PR is still being reviewed.
This helps protect the process, ensure users are aware of commits on the branch being considered for merge, allows for a location for more commits to be offered without mingling with other contributor changes and allows contributors to make progress while a PR is still being reviewed.
### Needs-docs
When a module is uploaded without a corresponding documentation file, add this label in indicate docs are required
### Not Stale
Label to stop an issue from being auto closed.
### Osx
Label for any osx related work.
### Payload
Touches something related to a payload.
### RN (Release notes)
There are a series of labels that are added to all PRs when they are landed that define the release notes for the PR.
They are denoted by the `rn-` prefix and they are important as they are used by automation to track metasploit-framework
statistics:
#### rn-enhancement
Release notes for an enhancement.
#### rn-fix
Release notes for a fix.
#### rn-modules
Release notes for new or majorly enhanced modules.
#### rn-no-release-notes
The PR is too small or insignificant to warrant release notes.
#### rn-wiki
Release notes for Metasploit Framework wiki.
### Stale
Marks an issue as stale, to be closed if no action is taken.
This page lists the keys in use by [Metasploit committers][msf-committers] and
This page lists the keys in use by [[Metasploit committers|committer-rights]] and
can be used to verify merge commits made to <https://github.com/rapid7/metasploit-framework>.
# Keybase.io identities
Keybase.io is used by Metasploit as an easy way to verify identities of committers. If you're a committer on metasploit-framework, and you need an invite, just ask.
<sup>Altering this table's layout will almost certainly break [import-dev-keys.sh](https://github.com/rapid7/metasploit-framework/blob/master/tools/dev/import-dev-keys.sh), so please don't.</sup>
@@ -78,7 +76,7 @@ Please select what kind of key you want:
(4) RSA (sign only)
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
@@ -96,7 +94,7 @@ from the Real Name, Comment and Email Address in this form:
Real name: Dade Murphy
Email address: dmurphy@thegibson.example
Comment:
Comment:
You selected this USER-ID:
"Dade Murphy <dmurphy@thegibson.example>"
@@ -108,7 +106,7 @@ Enter passphrase: [...]
2. Modify your `.git/config` file to enable signing commits and merges by default:
````
```ini
[user]
name=Your Name
email = your_email@example.com
@@ -116,11 +114,10 @@ Enter passphrase: [...]
[alias]
c=commit -S --edit
m = merge -S --no-ff --edit
````
```
Using `git c` and `git m` from now on will sign every commit with your `DEADBEEF` key. However, note that rebasing or cherry-picking commits will change the commit hash, and therefore, unsign the commit -- to resign the most recent, use `git c --amend`.
The term "Metasploit Committers" describes people who have direct write access to the [Rapid7 Metasploit-Framework fork](https://github.com/rapid7/metasploit-framework). These are the people who can land changes to this main fork of the Framework. However, it is not necessary to have committer rights in order to contribute to Metasploit. Much of our code comes from non-committers.
We encourage anyone to fork the Metasploit project, make changes, fix bugs, and notify the core committers about those changes via [Pull Requests](http://github.com/rapid7/metasploit-framework/pulls). The process for getting started is most comprehensively documented in the [Metasploit Development Environment](https://github.com/rapid7/metasploit-framework/wiki/Setting-Up-a-Metasploit-Development-Environment) setup guide.
We encourage anyone to fork the Metasploit project, make changes, fix bugs, and notify the core committers about those changes via [Pull Requests](http://github.com/rapid7/metasploit-framework/pulls). The process for getting started is most comprehensively documented in the [[Metasploit Development Environment|./dev/Setting-Up-a-Metasploit-Development-Environment.md]] setup guide.
Metasploit committers are a mix of [Rapid7](http://rapid7.com) employees and outside contributors. Anyone can become a contributor, with the following expectations:
@@ -24,7 +24,7 @@ If you reject a pull request, be clear in the pull request why it was rejected,
Even if someone else approves of a pull request, and it is shown to be broken later, then it is still your responsibility to correct it. Make every effort to get a fix or revert in as soon as possible, whether you wrote the code, landed it, or approved it. Blame is shared equally.
A list of committer public keys [is here](https://github.com/rapid7/metasploit-framework/wiki/Committer-Keys).
A list of committer public keys [[is here|./Committer-Keys.md]].
# How to Gain Commit Rights
@@ -45,7 +45,7 @@ Breaches of trust in terms of malicious or malformed code, or the demonstration
# Useful Links for Committers
* [http://r-7.co/MSF-DEV](https://github.com/rapid7/metasploit-framework/wiki/Setting-Up-a-Metasploit-Development-Environment) is pretty much required reading.
* [[Setting Up a Metasploit Development Environment|./dev/Setting-Up-a-Metasploit-Development-Environment.md]] is pretty much required reading.
* So is [CONTRIBUTING.md](https://github.com/rapid7/metasploit-framework/blob/master/CONTRIBUTING.md)
* Check out the Apache Software Foundation's [Guide for Committers](https://www.apache.org/dev/committers). It's illuminating.
* [Producing Open Source Software](http://www.producingoss.com/gl/) by Ken Fogel is a must-read.
@@ -58,7 +58,7 @@ You probably shouldn't run proof of concept exploit code you find on the Interne
Also, please take a peek at our guides on using git and our acceptance guidelines for new modules in case you're not familiar with them.
If you get stuck, try to explain your specific problem as best you can on our [Freenode IRC](https://freenode.net/) channel, #metasploit (joining requires a [registered nick](https://freenode.net/kb/answer/registration)). Someone should be able to lend a hand. Apparently, some of those people never sleep.
If you get stuck, try to explain your specific problem as best you can on our [Freenode IRC](https://freenode.net/) channel, #metasploit (joining requires a [registered nick](https://freenode.net/view/Nick_Registration)). Someone should be able to lend a hand. Apparently, some of those people never sleep.
@@ -6,13 +6,13 @@ whilst also avoiding some common pitfalls and learning how some of our systems w
## Initial Steps and Important Notes
The rest of this guide assumes you have already followed the steps at [Setting Up A Developer Environment](https://r-7.co/MSF-DEV) in order to get
a fork of Metasploit set up and ready to run, and that you have added in your SSH keys
(see [Adding a New SSH Key To Your GitHub Account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account)),
a fork of Metasploit set up and ready to run, and that you have added in your SSH keys
(see [Adding a New SSH Key To Your GitHub Account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account)),
set up Ruby and optionally the PostgreSQL database, and done any custom shortcuts you wish to configure.
## Getting the Latest Version of Metasploit Framework
Before making any new contributions, you will want to sure you are running the latest version of Metasploit Framework.
To do this run `git checkout master && git fetch upstream && git pull`, where `upstream` is the branch connected to the
To do this run `git checkout master && git fetch upstream && git pull`, where `upstream` is the branch connected to the
Rapid7 remote, aka Rapid7's copy of the code. You can verify that `upstream` is set correctly by running `git remote get-url upstream`
and verifying it is set to `git@github.com:rapid7/metasploit-framework.git`.
@@ -51,13 +51,13 @@ done when the code is ready to be landed into Metasploit Framework to help make
## Checking for Code Errors
Before code can be accepted into Metasploit Framework, it must also pass our RuboCop and MsfTidy rules. These help ensure that
all contributors are committing code that follows a common set of standards. To check if your code meets our RuboCop standards,
all contributors are committing code that follows a common set of standards. To check if your code meets our RuboCop standards,
from the root of wherever you cloned your fork of Metasploit Framework to on disk, run `rubocop <path to your module from current directory>`.
Specifying the `-a` parameter will ask RuboCop to check your module and if possible fix any issues that RuboCop is able to fix.
In this case the command would be `rubocop -a <path to your module from current directory>`. It is encouraged to keep running
this command and fixing any issues that come up until RuboCop no longer comes back with any errors to report. Once this is
complete, run `git add <file>` followed by `git commit -m "RuboCop Fixes"`. You can change the commit message if you
In this case the command would be `rubocop -a <path to your module from current directory>`. It is encouraged to keep running
this command and fixing any issues that come up until RuboCop no longer comes back with any errors to report. Once this is
complete, run `git add <file>` followed by `git commit -m "RuboCop Fixes"`. You can change the commit message if you
want, but it should mention RuboCop as it helps maintainers know what the commit is related to.
As a good practice rule, you should always separate your commits that contain RuboCop changes from those that contain non-RuboCop related changes.
@@ -71,8 +71,8 @@ against your module code (if applicable), using `tools/dev/msftidy.rb <path to m
if your module passed the tests. Try and fix any errors mentioned here.
## Writing Documentation
The next step to do, if you are writing a module, is to write the documentation for the module. You can find some information
on how to write module documentation at [Writing Module Documentation](https://docs.metasploit.com/docs/development/quality/writing-module-documentation.html).
The next step to do, if you are writing a module, is to write the documentation for the module. You can find some information
on how to write module documentation at [[Writing Module Documentation|./Writing-Module-Documentation.md]].
In general when writing documentation you will want to search for a similar documentation file under the `documentation`
folder located in the root of the Metasploit fork. You can then copy one of these files and use it as the basis for writing
@@ -91,15 +91,15 @@ these may be okay to ignore depending on the context. A good example is if a lin
safely ignored.
## Submitting Your Changes and Opening a PR
Once you have gone through all of the steps above you should be ready to submit your PR. To submit your PR, first check which
branch points to your copy of the code. If you have followed the setup guide, it should be `origin`. You can double check this
Once you have gone through all of the steps above you should be ready to submit your PR. To submit your PR, first check which
branch points to your copy of the code. If you have followed the setup guide, it should be `origin`. You can double check this
branch's remote URL using `git remote get-url origin`. It should look something like `git@github.com:gwillcox-r7/metasploit-framework`
with `gwillcox-r7` substituted for your username.
Assuming the `origin` branch is in fact pointing to your copy of the code, run `git push origin local-branch:remote-branch`
and replace `local-branch` with the branch locally where your code changes are located, and `remote-branch` with what
you want this branch to be called on the remote repository, aka `origin` which will be your fork on GitHub.com. In most
cases you will want these two names to be the same to avoid confusion, but its good to know this syntax should you
Assuming the `origin` branch is in fact pointing to your copy of the code, run `git push origin local-branch:remote-branch`
and replace `local-branch` with the branch locally where your code changes are located, and `remote-branch` with what
you want this branch to be called on the remote repository, aka `origin` which will be your fork on GitHub.com. In most
cases you will want these two names to be the same to avoid confusion, but its good to know this syntax should you
start working with more complex situations. Note that if the branch pointing to your copy of the code is not named `origin`,
replace the word `origin` in the command above with the name of the branch that does point to your copy of the code.
@@ -46,13 +46,13 @@ Any user of Metasploit will tell you that they know what `LHOST` and `LPORT` mea
A **handler** obviously needs to listen on a host/IP for the incoming connection. In cases where the `LHOST` value, for example the address that the target is able to reach, is the same as that which the host can listen on, no extra work has to be done. The `LHOST` value is used by the handler.
However, if some kind of NAT or port forward is enabled, or if the handler is behind a firewall, then setting `LHOST` isn't enough. In order to listen on the appropriate interface, another setting must be used called `ReverseListenerBindHost`. This value tells the **handler** to listen on a different interface/IP, but it doesn't change the fact that the `LHOST` value is given to the target when the **stage** is uploaded.
However, if some kind of NAT or port forward is enabled, or if the handler is behind a firewall, then setting `LHOST` isn't enough. In order to listen on the appropriate interface, another setting must be used called `ReverseListenerBindAddress`. This value tells the **handler** to listen on a different interface/IP, but it doesn't change the fact that the `LHOST` value is given to the target when the **stage** is uploaded.
In short, `LHOST` must always remain the IP/host that is routable from the target, and if this value is not the same as what the listener needs to bind to, then change the `ReverseListenerBindHost` value. If you're attacking something across the Internet and you specify an internal IP in `LHOST`, you're doing it wrong.
In short, `LHOST` must always remain the IP/host that is routable from the target, and if this value is not the same as what the listener needs to bind to, then change the `ReverseListenerBindAddress` value. If you're attacking something across the Internet and you specify an internal IP in `LHOST`, you're doing it wrong.
## LPORT
The principles of `LHOST` and `ReverseListenerBindHost` can be applied to `LPORT` and `ReverseListenerBindPort` as well. If you have port forwarding in place, and your listener needs to bind to a different port, then you need to make use of the `ReverseListenerBindPort` setting.
The principles of `LHOST` and `ReverseListenerBindAddress` can be applied to `LPORT` and `ReverseListenerBindPort` as well. If you have port forwarding in place, and your listener needs to bind to a different port, then you need to make use of the `ReverseListenerBindPort` setting.
The classic example of this case is where an attacker wants to make use of port `443`, but rightfully doesn't want to run Metasploit as `root` just so they can directly bind to ports lower than `1024`. Instead, the set up a port forward (on their router, or using `iptables`) so that `443` forwards to `8443`, with a goal of accepting connections on that port instead.
@@ -75,4 +75,4 @@ There are a few things to check for when debugging a dead shell.
### Not so quick things to check
* If the target is running AntiVirus there's a chance that the **stage** , for example `metsrv`, is being caught while being uploaded. `reverse_tcp` and `reverse_http`**stagers** download `metsrv`_without_ any encryption, and so the content of the DLL is visible to anything watching on the wire. `reverse_https` can still get caught in cases where AV is doing MITM content inspection. In this case, consider encoding your payloads, or if possible using stageless Meterpreter instead.
* If the target is running AntiVirus there's a chance that the **stage** , for example `metsrv`, is being caught while being uploaded. `reverse_tcp` and `reverse_http`**stagers** download `metsrv`_without_ any encryption, and so the content of the DLL is visible to anything watching on the wire. `reverse_https` can still get caught in cases where AV is doing MITM content inspection. In this case, consider encoding your payloads, or if possible using stageless Meterpreter instead.
Slack Contacts: @zeroSteiner, @Op3n4M3, @gwillcox-r7 on [Metasploit Slack](https://metasploit.slack.com/)
@@ -24,7 +24,7 @@ Difficulty: 4/5
### LDAP Capture Capabilities
Metasploit's LDAP service mixin provides a service to enable interaction over the LDAP protocol. The current implementation is the bare minimum to enable support for attacking the [2021 Log4Shell vulnerability](). Enhancement/Extension of the mixin to enable various additional LDAP features would enable extended usage of this service for additional tasks. Support for various protocol level authentication methods would allow Metasploit to intercept and log authentication information. Specific items of interest are [SPNEGO](https://en.wikipedia.org/wiki/SPNEGO) and [StartTLS](https://ldapwiki.com/wiki/StartTLS) support to enable compatibility with the widest variety of clients and a new capture module that log authentication information from clients.
Metasploit's LDAP service mixin provides a service to enable interaction over the LDAP protocol. The current implementation is the bare minimum to enable support for attacking the [2021 Log4Shell vulnerability](https://attackerkb.com/topics/in9sPR2Bzt/cve-2021-44228-log4shell?referrer=msf_docs). Enhancement/Extension of the mixin to enable various additional LDAP features would enable extended usage of this service for additional tasks. Support for various protocol level authentication methods would allow Metasploit to intercept and log authentication information. Specific items of interest are [SPNEGO](https://en.wikipedia.org/wiki/SPNEGO) and [StartTLS](https://ldapwiki.com/wiki/StartTLS) support to enable compatibility with the widest variety of clients and a new capture module that log authentication information from clients.
Size: Medium
Difficulty: 3/5
@@ -58,7 +58,7 @@ Difficulty: 4/5
Enhance existing Metasploit Goliath dashboard that allows observation of an active engagement. Data visualization would include, but not be limited to: host node graph with activity indicators and heat maps. The main idea here is to create a visualization tool that helps users understand data that has been gathered into Metasploit during usage in some useful way. Proposals should note where the service will live, how a user will use the service, and how you will provide a maintainable and extendable consumer for the data that is exposed.
See [Metasploit 'Goliath' Demo (msf-red)](https://www.youtube.com/watch?v=hvuy6A-ie1g&feature=youtu.be&t=176) for a demo video of Goliath in action. You can also read more on Metasploit Goliath at [Metasploit-Data-Service-Enhancements-(Goliath)](./Metasploit-Data-Service-Enhancements-Goliath)
See [Metasploit 'Goliath' Demo (msf-red)](https://www.youtube.com/watch?v=hvuy6A-ie1g&feature=youtu.be&t=176) for a demo video of Goliath in action. You can also read more on Metasploit Goliath at [[Metasploit-Data-Service-Enhancements-(Goliath)|./Metasploit-Data-Service-Enhancements-Goliath]
Slack Contacts: @Op3n4M3 on [Metasploit Slack](https://metasploit.slack.com/)
For any questions about these projects reach out on the Metasploit Slack in the `#gsoc` channel or DM one of the mentors using the Slack contacts listed above. Note that mentors may be busy so please don't expect an immediate response, however we will endeavor to respond as soon as possible. If you'd prefer not to join Slack, you can also email `msfdev [@] metasploit [dot] com` and we will respond to your questions there if email is preferable.
## Enhance Metasploit Framework
### Rest API Pagination
Metasploit provides two API interaction services, a Rest API service and an RPC service. Previous efforts have wrapped and exposed the RPC service as JSON responses available from the Rest API endpoint. This wrapping did not account for possible large responses that may benefit from pagination. A previous contributor attempted to add this functionality for a [limited set of RCP commands](https://github.com/rapid7/metasploit-framework/pull/13439) however review identified that the changes would introduce changes to the documented public API and also introduce inconsistency within the API responses resulting in a fluctuating public API. Modern pagination would be beneficial to increasing user adoption of Rest API services provided it can be implemented consistently and either maintain compatibility of the existing public RPC service or generate a one time migration across all exposed public APIs.
Size: Large
Difficulty: 4/5
### LDAP Capture Capabilities
Metasploit's LDAP service mixin provides a service to enable interaction over the LDAP protocol. The current implementation is the bare minimum to enable support for attacking the [2021 Log4Shell vulnerability](https://attackerkb.com/topics/in9sPR2Bzt/cve-2021-44228-log4shell?referrer=msf_docs). Enhancement/Extension of the mixin to enable various additional LDAP features would enable extended usage of this service for additional tasks. Support for various protocol level authentication methods would allow Metasploit to intercept and log authentication information. Specific items of interest are [SPNEGO](https://en.wikipedia.org/wiki/SPNEGO) and [StartTLS](https://ldapwiki.com/wiki/StartTLS) support to enable compatibility with the widest variety of clients and a new capture module that log authentication information from clients.
Size: Medium
Difficulty: 3/5
### Improving post-exploit API to be more consistent, work smoothly across session types
The Metasploit post-exploitation API is intended to provide a unified interface between different Meterpreter, shell, PowerShell, mainframe, and other session types. However, there are areas where the implementation is not consistent, and could use improvements:
* Shell sessions do not implement the filesystem API that Meterpreter sessions have
* When a shell session is in a different language, e.g. Windows in French, the post API does not find the expected output. Add localization support for these.
* Simple commands like 'cmd_exec' are fast in Shell sessions but are relatively slow in Meterpreter sessions. Add an API to make Meterpreter run simple commands more easily.
Size: Medium/Large (Depends on proposal)
Difficulty: Varies
### Improve the web vulnerability API
This would follow up on the Arachni plugin PR <https://github.com/rapid7/metasploit-framework/pull/8618> and improve the Metasploit data model to better represent modern web vulnerabilities. This project would require knowledge of data models, types of modern web vulnerabilities, and experience with web app security scanners.
Size: Large
Difficulty: 4/5
### Data Visualization
Enhance existing Metasploit Goliath dashboard that allows observation of an active engagement. Data visualization would include, but not be limited to: host node graph with activity indicators and heat maps. The main idea here is to create a visualization tool that helps users understand data that has been gathered into Metasploit during usage in some useful way. Proposals should note where the service will live, how a user will use the service, and how you will provide a maintainable and extendable consumer for the data that is exposed.
See [Metasploit 'Goliath' Demo (msf-red)](https://www.youtube.com/watch?v=hvuy6A-ie1g&feature=youtu.be&t=176) for a demo video of Goliath in action. You can also read more on Metasploit Goliath at [[Metasploit-Data-Service-Enhancements-(Goliath)|./Metasploit-Data-Service-Enhancements-Goliath]]
Size: Medium/Large (Depends on proposal)
Difficulty 3/5
## Submit your own
If you want to suggest your own idea, please discuss it with us first on [Slack](https://metasploit.com/slack) in the `#gsoc` channel to make sure it is a reasonable amount of work for a summer and that it fits the goals of the project.
@@ -27,51 +27,56 @@ The Metasploit Framework has seven different rankings to indicate how reliable a
## Template
If you have read this far, we think you are pretty impressive because it's a lot to digest. You are probably wondering why we haven't had a single line of code to share in the writeup. Well, as you recall, exploit development is mostly about your reversing skills. If you have all that, we shouldn't be telling you how to write an exploit. What we've done so far is hopefully get your mindset dialed-in correctly about what it means to become a Metasploit exploit developer for the security community; the rest is more about how to use our mixins to build that exploit. Well, there are A LOT of mixins, so it's impossible to go over all of them in a single page, so you must either read the [API documentation](https://rapid7.github.io/metasploit-framework/api/), existing [code examples](https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits), or look for more wiki pages we've written to cover specific mixins.
If you have read this far, we think you are pretty impressive because it's a lot to digest. You are probably wondering why we haven't had a single line of code to share in the writeup. Well, as you recall, exploit development is mostly about your reversing skills. If you have all that, we shouldn't be telling you how to write an exploit. What we've done so far is hopefully get your mindset dialed-in correctly about what it means to become a Metasploit exploit developer for the security community; the rest is more about how to use our mixins to build that exploit. Well, there are A LOT of mixins, so it's impossible to go over all of them in a single page, so you must either read the [API documentation](https://docs.metasploit.com/api/), existing [code examples](https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits), or look for more wiki pages we've written to cover specific mixins.
For example, if you're looking for a writeup about how to interact with an HTTP server, you might be interested in: [How to send an HTTP Request Using HTTPClient](https://github.com/rapid7/metasploit-framework/wiki/How-to-Send-an-HTTP-Request-Using-HTTPClient). If you're interested in browser exploit writing, definitely check out: [How to write a browser exploit using BrowserExploitServer](https://github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer), etc.
For example, if you're looking for a writeup about how to interact with an HTTP server, you might be interested in: [[How to send an HTTP Request Using HTTPClient|./How-to-write-a-browser-exploit-using-HttpServer.md]]. If you're interested in browser exploit writing, definitely check out: [[How to write a browser exploit using BrowserExploitServer|./How-to-write-a-browser-exploit-using-BrowserExploitServer.md]], etc.
But of course, to begin, you most likely need a template to work with, and here it is. We'll also explain how to fill out the required fields:
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
'Ret'=>0x41414141# This will be available in `target.ret`
}
]
],
'Payload'=>
{
'Payload'=>{
'BadChars'=>"\x00"
},
'Privileged'=>false,
'DisclosureDate'=>"",
'DefaultTarget'=>0))
'Privileged'=>false,
'DisclosureDate'=>'',
'DefaultTarget'=>0,
'Notes'=>{
'Stability'=>[CRASH_SAFE],
'Reliability'=>[REPEATABLE_SESSION],
'SideEffects'=>[ARTIFACTS_ON_DISK,IOC_IN_LOGS]
},
)
)
end
defcheck
@@ -99,7 +104,14 @@ end
* **Payloads** - The Payloads field specifies how the payload should be encoded and generated. You can specify: `Space`, `SaveRegisters`, `Prepend`, `PrependEncoder`, `BadChars`, `Append`, `AppendEncoder`, `MaxNops`, `MinNops`, `Encoder`, `Nop`, `EncoderType`, `EncoderOptions`, `ExtendedOptions`, `EncoderDontFallThrough`.
**DisclosureDate** - The DisclosureDate is about when the vulnerability was disclosed in public, in the format of: "M D Y". For example: "Apr 04 2014"
***DisclosureDate** - The DisclosureDate is about when the vulnerability was disclosed in public, in the format of: "M D Y". For example: "Apr 04 2014"
* **Notes** - The Notes field is a hash always containing three keys. The value of each key is an array of constants. The list of available constants can be found in the [[Definition of Module Reliability Side Effects and Stability|./Definition-of-Module-Reliability-Side-Effects-and-Stability.md]]. The key should be present even if the array is empty.
* **Stability** - The Stability field describes how the exploit affects the system it's being run on, ex: `CRASH_SAFE`, `CRASH_OS_DOWN`
* **Reliability** - The Reliability field describes how reliable the session is that gets returned by the exploit, ex: `REPEATABLE_SESSION`, `UNRELIABLE_SESSION`
* **SideEffects** - The SideEffects field describes the side effects cause by the exploit that the user should be aware of, ex: `ARTIFACTS_ON_DISK`, `IOC_IN_LOGS`, `ACCOUNT_LOCKOUTS`.
Your exploit should also have a `check` method to support the check command, but this is optional in case it's not possible.
This article will discuss the various libraries, dependencies, and functionality built in to metasploit for dealing with password hashes, and cracking them. In general, this will not cover storing credentials in the database, which can be read about [here](https://github.com/rapid7/metasploit-framework/wiki/Creating-Metasploit-Framework-LoginScanners#the-scan-block). Metasploit currently support cracking passwords with [John the Ripper](https://github.com/rapid7/metasploit-framework/tree/master/modules/auxiliary/analyze) and [hashcat](https://github.com/rapid7/metasploit-framework/pull/11695).
This article will discuss the various libraries, dependencies, and functionality built in to metasploit for dealing with password hashes, and cracking them. In general, this will not cover storing credentials in the database, which can be read about [[here|./Creating-Metasploit-Framework-LoginScanners.md]]. Metasploit currently support cracking passwords with [John the Ripper](https://github.com/rapid7/metasploit-framework/tree/master/modules/auxiliary/analyze) and [hashcat](https://github.com/rapid7/metasploit-framework/pull/11695).
# Hashes
@@ -9,7 +9,7 @@ Many modules dump hashes from various software. Anything from the OS: [Windows]
## Hash Identify Example
In this first, simple, example we will simply show loading the library and calling its function.
Welcome to Metasploit-land. Are you a Metasploit user who wants to get started or get better at hacking stuff (that you have permission to hack)? The quickest way to get started is to [download the Metasploit nightly installers](https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers). This will give you access to both the free, open-source Metasploit Framework and a free trial of Metasploit Pro.
Welcome to Metasploit-land. Are you a Metasploit user who wants to get started or get better at hacking stuff (that you have permission to hack)? The quickest way to get started is to [[download the Metasploit nightly installers|./Nightly-Installers.md]]. This will give you access to both the free, open-source Metasploit Framework and a free trial of Metasploit Pro.
If you're using [Kali Linux](https://kali.org/), Metasploit is already pre-installed. See the [Kali documentation](https://kali.org/docs/tools/starting-metasploit-framework-in-kali/) for how to get started using Metasploit in Kali Linux.
Are you anxious to get your [Metasploit Development Environment](https://github.com/rapid7/metasploit-framework/wiki/Setting-Up-a-Metasploit-Development-Environment) set up so you can start [[Landing Pull Requests]] and contributing excellent exploit code? If so, you're in the right place. If you're an exploit developer, you will want to review our [[Guidelines for Accepting Modules and Enhancements]] to find out what we expect when we see pull requests for new Metasploit modules. No idea what you should start working on? Check out the guidelines for [[contributing to Metasploit]], and dive into [[Setting Up a Metasploit Development Environment]].
Are you anxious to get your [[Metasploit Development Environment|./dev/Setting-Up-a-Metasploit-Development-Environment.md]] set up so you can start [[Landing Pull Requests]] and contributing excellent exploit code? If so, you're in the right place. If you're an exploit developer, you will want to review our [[Guidelines for Accepting Modules and Enhancements]] to find out what we expect when we see pull requests for new Metasploit modules. No idea what you should start working on? Check out the guidelines for [[contributing to Metasploit]], and dive into [[Setting Up a Metasploit Development Environment]].
# Getting Started #
@@ -33,7 +33,6 @@ Are you anxious to get your [Metasploit Development Environment](https://github.
- [[Exploit Ranking]]
- [[Module Reference Identifiers]]
- [[How to check Microsoft patch levels for your exploit]]
- [[How to clean up files using FileDropper]]
- [[How to deprecate a Metasploit module]]
- [[How to do reporting or store data in module development]]
- [[How to log in Metasploit]]
@@ -65,6 +64,7 @@ Are you anxious to get your [Metasploit Development Environment](https://github.
- [[Using ReflectiveDll Injection]]
- [[Oracle Usage]]
- [[Definition of Module Reliability, Side Effects, and Stability|./Definition-of-Module-Reliability-Side-Effects-and-Stability.md]]
- [[How to cleanup after module execution]]
# Metasploit Payloads #
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Metasploit
