REGISTRY:
Data::Meterpreter
[*] Running against session 1
[*] Session type is meterpreter
[*]
[*] TESTING: registry_value_exist? for key:HKLM\Software\Microsoft\Active Setup, val:DisableRepair
[*] RESULTS: TrueClass true
[*]
* connect to the handler
* read a 4-byte length
* allocate a length-byte buffer
* mark it as writable and executable (on Windows you'll need VirtualProtect for this)
* read length bytes into that buffer
* jump to the buffer. easiest way to do this in C is cast it to a function pointer and call it.
via egypt
Assuming x86 arch, you have to make sure that the EDI register contains your socket descriptor (the value of the ConnectSocket variable). You can do this via inline asm, but it might be easier to just prepend the 5 bytes for setting it to your shellcode:
# Validate a datastore option AFTER run/exploit, in case it has changed or whatever
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'opt_check',
      'Description' => %q{
# open file handles
ObjectSpace.each_object(File) {|o| puts o.inspect}
# finding all the active Exceptions which one might have to catch in metasploit
# start msfconsole, proceed to the environment you want to examine, for instance if
# you want to see what exceptions are available in a meterp session, then establish
# one, interact with it, and then...
# run the irb command and enter the following
ObjectSpace.each_object(Class) {|o| puts o.inspect if o.ancestors.include?(Exception)}
# This is really a .rc file, but to get pretty colors, we're calling it a .rb file
#
# setup handler
#
use multi/handler
set LPORT 8080
set ExitOnSession false
exploit -j
1. The Humble Little Ruby Book
=============================================================
http://www.humblelittlerubybook.com/ Free online book
2. The Little Book of Ruby
=============================================================
http://www.sapphiresteel.com/The-Little-Book-Of-Ruby Free online book
Both are free, short, and easy to read.
The humble book is also pretty entertaining, so I recommend that when folks aren't quite sure they
want to learn Ruby.
1) Install package control in sublime: http://wbond.net/sublime_packages/package_control/installation. For the impatient:
   a) Ctrl-` (control backtick, might be command-backtick for macsters)
   b) Paste the following:
      import urllib2,os; pf='Package Control.sublime-package'; ipp=sublime.installed_packages_path(); os.makedirs(ipp) if not os.path.exists(ipp) else None; urllib2.install_opener(urllib2.build_opener(urllib2.ProxyHandler())); open(os.path.join(ipp,pf),'wb').write(urllib2.urlopen('http://sublime.wbond.net/'+pf.replace(' ','%20')).read()); print('Please restart Sublime Text to finish installation')
   c) Hit enter
   d) Restart sublime
2) Install the git package (https://github.com/kemayo/sublime-text-2-git/wiki):
   a) Bring up the Command Palette (Command+Shift+p on OS X, Control+Shift+p on Linux/Windows).
   b) Select "Package Control: Install Package" (it'll take a few seconds)
rem config_winrm.bat
rem This script assumes WinRM 2.0 has been installed on XP. WinRM 2.0
rem should already be installed on Windows > XP
rem The quickconfig command used to fail if the firewall was disabled.
rem Hopefully they fixed that problem. It didn't present the last time
rem I ran quickconfig with the disabled firewall
rem For more information on WinRM, please visit Microsoft's WinRM site:
rem http://msdn.microsoft.com/en-us/library/aa384426(v=VS.85).aspx
require 'winrm' # winrm depends on nokogiri
require 'csv'
# file path for the csv of ips etc
ip_file = "./vms.csv"
# commands to be run on each
cmds = [
  "tzutil /s utc_dstoff",
  "date /t",
  "time /t", # don't forget the commas, this is an array
MSF
ME
METASPLOIT
SH
BASH
to summarize earlier comments,
maybe soft linking into /usr/bin, maybe /usr/bin/msf/* or aliasing the root console-type commands
which would shovel a call to an rpc daemon running on localhost presumably. Could do a busybox type
approach where they all call into the same rb file, or if not, could put a bunch of rb files in